-
Scapy fundamentals. Commands for the interactive scapy interpreter: conf.iface shows the currently used interface; conf.iface='tun0' sets the interface to use; ls shows all protocols; ls(TCP) shows all known headers for a given protocol; lsc shows built-in functions. Details about a packet p: p shows general information; p.summary() also shows general information; p.show() shows each field and…
-
Network packet manipulation shell and library for Python. (Github)
-
An Ettercap successor, written in Go. Basic commands: Passive ARP probing: net.recon on / net.recon off. Active probing: net.probe on / net.probe off. Sniffing: set net.sniff.output /tmp/sniff.pcap (optional), net.sniff on / net.sniff off. Spoofing: set arp.spoof.targets $target1, $target2, $target3; arp.spoof on / arp.spoof off. DNS spoofing: set dns.spoof.domains target.domain // the domain which should be resolved as… set…
-
Shellter can add a reverse shell payload into an exe file.
-
Mainly post exploitation for AD environments. (Download — also included in Kali sources) Quick usage for privilege escalation; general usage; Metasploit syntax / PSE syntax. Note: After usemodule don’t forget to go “back” and to “interact” with the agent to see job results! Commands with an asterisk require a high-integrity Empire agent. To upgrade one…
-
With Medusa (doesn’t seem to work with virtual hosts!): medusa -h 10.11.1.49 -u bethany -P Dog_Names_normalized.txt -M http -m DIR:/~Public -T 2. With ncrack (doesn’t seem to work with virtual hosts!): ncrack -vv --user bethany -P Dog_Names_normalized.txt http://10.11.1.49:9505 -m http:path=/~Public/. With Metasploit: use module auxiliary/scanner/http/http_login. Virtual hosts: if Host headers are not supported: More
-
Download: https://github.com/droope/droopescan. Usage: droopescan scan drupal -u http://$target/ -t 32. Or just install via pip: pip install droopescan
-
tcpdump. Get incoming ICMP packets: sudo tcpdump -i any icmp and src host $target. Useful parameters: don’t resolve domain names, show IPs: -n; show a dump of the data: -X; show the packet in ASCII: -A. Working with files: write dump to a file: tcpdump -w file; read dump from a file: tcpdump -r file. Standard queries: tcpdump -n src|dst 10.10.10.10 and port…
-
See a packet in its context: context menu, select Follow. Show only ICMP packets from a host: tcpdump host 10.11.1.128 and icmp -i tun0. Show other systems communicating outside the own address range: ip.addr == 10.11.1.0/24 && !(ip.addr == 192.168.119.0/24) && ! dns && !browser && !ssdp && !nbns && !llmnr. Record audio: Wireshark can transform captured audio…
-
Naming confusion (nc / ncat / netcat). Serve a file: echo -e "HTTP/1.1 200 OK\nContent-Length: 5\n\nHallo" | nc -l localhost 8000. Request a file over SSL: echo -e "GET / HTTP/1.1\nHost: localhost\n\n" | ncat -C --ssl localhost 443. Return the output of a program: ncat -l localhost 3000 --exec /bin/date. Transfer a file directly (unencrypted!): 1. Receiver: user@host02:~$ ncat -l > aha or nc -nlvp 4444…
-
https://github.com/diego-treitos/linux-smart-enumeration. This script shows relevant information about the security of the local Linux system. Quick install; details from the manual: It has 3 levels of verbosity so you can control how much information you see. In the default level you should see the highly important security flaws in the system. Level 1 (./lse.sh -l1)…
-
Note that FTP doesn’t show hidden files! Try on Windows e.g. “cd ProgramData”. Enumeration with nmap: scans a network for FTP servers which allow anonymous access: nmap -v -p21 --script=ftp-anon.nse 10.11.1.1-254. FTP relays: the FTP specification defines FTP relays. One FTP server can instruct another FTP server to send files to a third-party server.…
-
Like OSXcollector, but for Windows. Collects information on a host for later analysis. https://www.fireeye.com/services/freeware/redline.html
-
osxcollector http://yelp.github.io/osxcollector/ Stand-alone Python script. Execute it on a Mac which should be analysed. It creates an archive with “everything” interesting, which the victim can hand over to an expert. See Redline for Windows.
-
Sniffing and live content filtering. Operation modes: Unified: sniffs all packets from one interface. Packets for an attacked host end here, but are forwarded directly after being received. Bridged: forwards traffic from one interface to another. Completely stealthy because there is really no one “between the cable”. Usage: ettercap OPTIONS TARGET1 TARGET2. Targets are defined as MAC/IPv4s/IPv6s/PORT…
-
Passive OS fingerprinting http://tools.kali.org/information-gathering/p0f
-
Distributed port scanning. Install dnmap_client on many machines and install one dnmap_server. The server controls the clients to split port scans. http://tools.kali.org/information-gathering/dnmap
-
Active Information Gathering tool. See http://tools.kali.org/information-gathering/dmitry
-
Analyses SSL https://github.com/nabla-c0d3/sslyze python -m sslyze --regular URL
-
Enumeration (Github): wpscan --url $target. Maybe an API token could be useful; then the WordPress Vulnerability Database is used. Login brute force: hydra -l thinc -P best110.txt 10.11.1.234 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'. Check users: http://spectra.htb/main/?author=1 http://spectra.htb/main/?author=2 … Most beautiful WordPress plugin. XSS injection: if there is a way to inject code somewhere (e.g. via a plugin)…
-
Web server scanner. ./nikto.pl -host <IP> scans a host and creates a report with details and possible vulnerabilities. Interesting parameters: -evasion [12345678AB] (see options), -mutate (see options), -Pause, -Save, -T (see options)