/
0x5-osint
190 lines (164 loc) · 5.37 KB
/
0x5-osint
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
-----------------------------------------------------------------
osint
6:55 p.m.
Thursday, November 28, 2019, Toronto, ON
------------------------------------------------------------------
#1 recon:
passive: use social media like LI,gmail, etc
active: traffic against site (nmap, nikto, etc)
location imaging: drones, satellite images, building layouts (badge readers, security, break areas, fencing)
job info: employee (name, title, job title, phone #, manager) -- profile/topology
pictures (badge photos, desk photos, computer photos, etc)
[[web/host recon]]
target validation: whois, nslookup, dnsrecon
finding subdomains: google fu, dig, nmap, sublist3r, bluto, crt.sh, etc
fingerprinting: nmap, wappalyzer, whatweb, builtwith, netcat(to get the headers of the site)
databreaches: haveibeenpwned, + etc
active: using nmap etc
[[round 1]]
riddler.io
findsubdomains.com>spyse.com
certdb.com/api-documentation
bugcrowd-->choose prgam
hunter.io-->find pattern in name
google> site:tesla.com -www filetype:pdf
~$ theharvester (built in kali)
netcraft
crt.sh
#-----------------------------------------t-0-0-l-z-----------------------------------------------------------------------------
# zmap/masscan - fast/new scanner for iPv4
# mmkatz -post exploit tool (extract pwds + ntlm hashes)
# canvas comm.(immunity) -exploit fwork, like cobaltstrike,
# innuendo comm.(immunity) - postexploit implant fwork
# binwalk - analyze firmware images + serach hardcoded pwds, apikeys,etc
# tor - anonymity/not encryption
# cain/able - pwd cracker/snip voip/mitm against rdp, etc (windows only)
# ncrack((creator of nmap))- bforce pwds for RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet
# oclhashcat - hash db>pwd
# aircrack-ng - wireless nwork attacks
# sqlmap - detect sqlinj + dump db info + inject w/ shell access
# set (social engineer tk)-client side attack (create phish email, send, exploit)
# evilgrade - mitm attck via fake upgrade (over 63 fakeupdates)
# sslstrip - attacks httpS + replaces unencrypted connection favicon with padlock for brownie poointz!
# ettercap - tools for mitm attck(from inj>xploit)
# metasploit - xploit dev+pentest tool(both server/client attcks+meterpreter(custom payload)+armitage point n click attcks)
#-----------------------------------------------------------------------------------------------------------------------------
wappalyzer - use to get site info, w/o sharingip
#2 scanning/enumeration:
tcp (connection-oriented):
-http,ftp, telnet,
-has handshake
-uses apps tht needs high reliability
udp (connection-less):dns,dhcp,snmp
-no handshake
-used on apps tht needs fast connections
#-------------------------N-M-A-P-----------------------------------------
#
# nmap -T4
# T1:T5 (speeds-t1 slow - t5 fast : faster might miss / migt get detected)
# -A (all, enables OS/version detection, script scan, tracert, much info as possible)
# -P (port range, 1-65,535k, otherwise will search thru commmon 1k)
#
# nmap -sU -T4 10.88.111.10
#
# udp is rlly slow(need to use it for oscp,htb,etc)
#
#---------------------------------M-E-T-A-S-P-L-O-I-T-----------------
#
# ls /usr/share/nmap/scripts
# ^all scripts available via nmap
#
# eternal blue
# smd-vuln-ms17-010.nse
# enumeration is the most !!
#
# check for ciphers first
#
# nmap -p 443 --script=all #runs all scripts in the folder + time consume)
# nmap -p 443 --script=ssl-enum-ciphers rbc[.]com
#
# CDE5-3998-F178-FBDE-0EFB
#
#
# msploit(msfconsole):
# -5 modules?
# -auxiliary (enumeration/scaning)
# -xploit
# -post-x
#
# >msfconsole (exes msploit
# >search portscan (looks for modules)
# >use auxiliary/scanner/portscan/tcp (specific scanner for syn packets)
# >options (more requirements)
# >set ports 1-65535 (change ports)
# >set rhosts 192.168.0.1
# >run (or >exploit)
#
# >use auxiliary (lists all)
# >search tomcat (lists xploits)
# >search apache
# >search eternalblue
#
#
# (rhost = 1 target)
# (rhosts= a range of targets)
#
# webapp assessment vs pentest
# e.g, vulnerabilites(xss,csrf) < exploit (sql inj, cred stuff, pwd spray)
#
#--------------------------------------------N-I-K-T-O--------------------------------
# webserver vulns (missing headers, xss etc)
#
# $ nikto -h https://example.com
#
#
#
#
#
#----------------B-U-R-P-S-U-I-T-E------------
# invest $400 to get the pro edition - webapp vulns
# need nessus+burpsuite=~2900 (cobaltstrike=~7k)
#
# first congifure browser settings to manual proxy > 127.0.0.1 port 8080 (accept all protocols)
# proxy tab > intercept on > fwd x 10
# target tab > r.clk main domain > add to scope
# filter > show only in scope
# right click scope domain > scan (pro version)
# scan details > crawl/audit+crawl>audit only
# default resource pool > 10 (default) or 1
#
#
#
#
#----------------K-I-O-P-T-R-I-X------------------------------
#
download kioptrix1
apt get install unrar
unrar -e
<a>discovering the -range of this network (192.168.0.10) try to findhost
<b> /etc/init.d/nessusd start
----sudo !!
<c>https://hostname:8834
list usrs:
/opt/nessus/sbin/nessuscli lsuser
1.run nessus basic scan
2.run nmap (nmap -A -T4 -Pn -p22,80,111,139,443,32768 10.88.xxx.x)
*up arrow to get update*
**rpcbind is open wen 139 samba smdb is open
7:20:8
#
#
#
#
#
#
#
#
#-------------------------------------------
#3 gaining access:
#4 maintaining access:
#5 covering tracks:
6:50:45 / 15:11:37
--
https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
https://booksite.elsevier.com/9781597499576/chapters.php