See the Impacket site for a short description of all tools. Tip: On Kali the scripts are installed under the name impacket-* (e.g. impacket-rpcdump instead of rpcdump.py).
Enumeration without authentication
Determine the system architecture (32/64 bit) over DCE/RPC:
getArch.py -target $target
Return the listening RPC interface IDs (endpoint mapper on port 135):
ifmap.py $target 135
rpcdump.py $target
Enumeration with half authentication
Scenario: You have credentials for one AD user. Then, try to get all users for…
Overview
Tomcat usually listens on the following ports:
8080 — HTTP
8005 — Shutdown port; accepts the shutdown command and is bound to localhost by default, so not interesting here
8009 — Same functions as the HTTP port, but via the Apache JServ Protocol (AJP). AJP is essentially HTTP in a compact binary form, normally spoken between a front-end web server (e.g. Apache httpd with mod_jk or mod_proxy_ajp) and Tomcat.
Checklist
Check if /manager (the manager web application, /manager/html) is accessible. Default credentials are tomcat / s3cret or…
In Oracle, a SID (System Identifier) names a database instance; the TNS listener on port 1521 routes connections by SID or service name, so you need a valid one to log in.
Enumeration
Get general information from the TNS listener:
tnscmd10g -h $target
Try to get a SID:
tnscmd10g status -p 1521 -h $target
Another tool: Oracle Scanner
oscanner -s $target -P 1521
Metasploit module: scanner/oracle/tnslsnr_version
Brute force the SID:
hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 $target oracle-sid
nmap --script oracle-sid-brute -p 1521 $target
Brute…
General tools
Imaging tools
dd, of course. Set the block size to the drive's sector size (512 bytes on most hard drives, 4K on some newer ones) so that, when a read error occurs, the error names the exact sector, which can afterwards be skipped. Adding conv=noerror,sync makes dd continue after a read error and pad the unreadable block with zeros, so the offsets in the image stay correct.
dd if=/dev/sda of=/external/file.dd bs=512
ewfacquire (Expert Witness Format; hashing and case metadata are built in):
sudo ewfacquire /dev/sda
Advantages: aff4 advanced forensic…
General
After gaining root, do the following to gather additional information (loot):
Copy /etc/shadow (or the SAM on Windows) and crack the hashes offline
Investigate all /home directories and /root: ls -lahR /home/
Are there SSH keys (~/.ssh/id_*, authorized_keys, known_hosts)?
Investigate all databases and get / crack their users and passwords
Check cron jobs and crontabs (/etc/cron*, /var/spool/cron)
Enumerate installed programs and determine where they could store credentials (config files, .netrc, .git-credentials, …)
Enumerate the users' mail (/var/mail, /var/spool/mail)
Enumerate WWW directories…
Also check IDE configuration and project files (IntelliJ, Visual Studio, Eclipse, …) for stored credentials.
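The sweep described in the checklist above, as an added example (not code from the original page): it walks a directory tree and flags private keys, well-known credential files such as shell histories and .netrc, and "password=" style assignments in config files. The file name list, the regexes and the sample tree it builds for a dry run are this example's own assumptions; point sweep() at / or at a mounted image in practice.

```python
"""Post-root loot sweep: walk a directory tree and flag what the checklist asks
for (private keys, shell histories, config files with credentials).
Added example, not from the original page. The name list, patterns and the
sample tree are this example's own choices."""
import os
import re
import tempfile

# Filenames worth a look regardless of content (assumption: common defaults).
INTERESTING_NAMES = {
    "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "authorized_keys",
    ".bash_history", ".zsh_history", ".netrc", ".git-credentials",
    ".pgpass", ".my.cnf", "shadow",
}
# Content signatures: PEM private keys and password-ish assignments.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
CRED_RE = re.compile(rb"(?i)\b(password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*\S+")


def scan_file(path, max_bytes=1 << 20):
    """Return a list of (category, path, detail) findings for one file."""
    findings = []
    name = os.path.basename(path)
    if name in INTERESTING_NAMES:
        findings.append(("interesting-file", path, name))
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)      # first MiB is enough for configs/keys
    except OSError:
        return findings                    # unreadable (procfs etc.): skip quietly
    if PRIVATE_KEY_RE.search(data):
        findings.append(("private-key", path, "PEM private key"))
    for m in CRED_RE.finditer(data):
        findings.append(("credential", path, m.group(0)[:80].decode("utf-8", "replace")))
    return findings


def sweep(root, skip=("/proc", "/sys", "/dev", "/run")):
    """Walk root (e.g. '/', '/home', '/root') and collect all findings."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(skip):       # pseudo filesystems: prune the subtree
            dirnames[:] = []
            continue
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            out.extend(scan_file(p))
    return out


def build_sample_tree():
    """Constructed sample for a dry run: a fake /home with a key and an app config."""
    root = tempfile.mkdtemp(prefix="loot-")
    ssh = os.path.join(root, "home", "alice", ".ssh")
    os.makedirs(ssh)
    with open(os.path.join(ssh, "id_ed25519"), "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n-----END OPENSSH PRIVATE KEY-----\n")
    app = os.path.join(root, "opt", "app")
    os.makedirs(app)
    with open(os.path.join(app, "settings.ini"), "wb") as fh:
        fh.write(b"[db]\nhost=db01\nuser=app\npassword=Winter2020!\n")
    with open(os.path.join(app, "README"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    return root


if __name__ == "__main__":
    for cat, path, detail in sweep(build_sample_tree()):
        print(f"{cat:17} {path}  {detail}")
```

Symlinks are skipped on purpose: following them out of /home into /proc or into a loop is a classic way for such a script to hang on a live box.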
Accessing from Linux:
impacket-mssqlclient Administrator:password@$target -windows-auth
Default databases are: master, model, msdb, tempdb
Enumeration
Determine the version:
nmap -p 1433 --script ms-sql-info $target
Via Metasploit: auxiliary/scanner/mssql/mssql_ping
Via Impacket: mssqlinstance.py $target
Login brute force: scanner/mssql/mssql_login
When an account is known, enumerate configuration, privileges and weaknesses: auxiliary/admin/mssql/mssql_enum
Exploitation
Execute OS commands (enables and calls xp_cmdshell): auxiliary/admin/mssql/mssql_exec
Get a shell: windows/mssql/mssql_payload
Tools
Command line:
sqsh -U sa -P $password -S $target:1433
From PowerShell: sqlcmd -S…
See https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 for a base64 cheat sheet.
The classic: base64 concatenates the bytes of the input into one bit string, splits it into 6-bit groups (2^6 = 64) and maps each group to one character of a 64-character alphabet, so three input bytes (24 bits) become four characters. If the input length is not a multiple of three, the last group is zero-padded and "=" marks the missing bytes: "==" means the last block had only one byte (two missing), "=" means it had two (one missing). For example "A" (0x41 = 01000001) has 2 bits left over after the first character, so it encodes as "QQ==".
echo -n Hi | base64
prints SGk=; the reverse direction is base64 -d.
Convert hex…
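The grouping and padding rules above, written out by hand so each step is visible, as an added example that is not part of the original page or the linked cheat sheet. The alphabet is the standard RFC 4648 one; the helper names (b64encode, b64decode, hex_to_b64, b64_to_hex, is_valid_b64) are this example's own, and the last two also cover the hex conversion the page's next item starts on. The decoder rejects the padding errors a decoder will meet in practice (wrong length, "=" in the middle).

```python
"""Base64 by hand, to show the 6-bit grouping and the "=" padding rule.
Added example, not from the page or the linked cheat sheet; the function
names are this example's own."""
import base64  # only used to cross-check the hand-rolled version in __main__

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
DECODE_MAP = {c: i for i, c in enumerate(ALPHABET)}


def b64encode(data: bytes) -> str:
    out = []
    # Three bytes (24 bits) at a time; every group yields four characters.
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        missing = 3 - len(chunk)          # 0, 1 or 2 bytes short in the last group
        bits = int.from_bytes(chunk + b"\x00" * missing, "big")   # zero-pad to 24 bits
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # Each missing input byte drops one output character and adds one "=".
        out.append("".join(chars[:4 - missing]) + "=" * missing)
    return "".join(out)


def b64decode(text: str) -> bytes:
    text = "".join(text.split())          # tolerate newlines / whitespace
    if len(text) % 4:
        raise ValueError("base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        # "=" may only appear at the very end of the whole string, at most twice.
        if pad > 2 or (pad and "=" in group[:4 - pad]) or (pad and i + 4 != len(text)):
            raise ValueError(f"bad padding in group {group!r}")
        bits = 0
        for c in group[:4 - pad]:
            if c not in DECODE_MAP:
                raise ValueError(f"invalid base64 character {c!r}")
            bits = (bits << 6) | DECODE_MAP[c]
        bits <<= 6 * pad                  # restore the full 24-bit width
        out += bits.to_bytes(3, "big")[:3 - pad]   # drop the padding bytes again
    return bytes(out)


def is_valid_b64(text: str) -> bool:
    try:
        b64decode(text)
        return True
    except ValueError:
        return False


def hex_to_b64(hexstr: str) -> str:
    """Hex (e.g. a hash) to base64 via the raw bytes, not via the hex text."""
    return b64encode(bytes.fromhex(hexstr))


def b64_to_hex(text: str) -> str:
    return b64decode(text).hex()


if __name__ == "__main__":
    for sample in (b"A", b"Hi", b"Man", b"Hi there"):
        enc = b64encode(sample)
        assert enc == base64.b64encode(sample).decode()   # agrees with the stdlib
        print(f"{sample!r:12} -> {enc}")
    print(hex_to_b64("41"))   # 0x41 is "A"
```

The strict padding check matters when base64 shows up in untrusted input (cookies, JWT segments, C2 traffic): a lenient decoder that silently accepts "SGk" or "QQ=Q" is how two components end up disagreeing about what the same string means.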
From SANS660: "Fuzzing is not an attack; it is a fault-testing technique."
Types are:
Instrumented fuzzing: "Monitoring" a system to learn what normal inputs look like; no prior knowledge of the system is needed.
Intelligent mutation: A protocol grammar defines the paths through the code; inputs are mutated according to the grammar.
Tools
https://tools.kali.org/vulnerability-analysis/sfuzz
See https://en.kali.tools/all/?category=fuzzer
Sulley…
Enumeration Multiple
GZ
If the archive cannot be extracted because it is truncated (gzip: log.gz: unexpected end of file), use zcat log.gz instead: it writes everything that could be inflated up to the point of truncation to stdout before it fails, so redirect that output and work with the partial file.
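The same salvage in Python, as an added example that is not part of the original page: a strict reader (the equivalent of gzip -d) refuses the whole file, while zlib's streaming decompressor (the equivalent of zcat) returns the prefix that was still intact. The sample log lines and the truncation point are constructed inline; the helper names are this example's own.

```python
"""Recover what a truncated .gz still contains. Added example, not from the
page; the log lines and the truncation are constructed here."""
import gzip
import io
import zlib


def make_truncated_gzip(payload: bytes, keep_ratio: float = 0.6) -> bytes:
    """Compress payload and cut the result short, losing the tail incl. CRC32/ISIZE."""
    full = gzip.compress(payload, compresslevel=9)
    return full[: max(20, int(len(full) * keep_ratio))]


def strict_extract(blob: bytes):
    """Like 'gzip -d': all or nothing. Returns the error text instead of data on failure."""
    try:
        return gzip.GzipFile(fileobj=io.BytesIO(blob)).read()
    except (EOFError, zlib.error, OSError) as exc:
        return f"error: {exc}"


def salvage(blob: bytes) -> bytes:
    """Like zcat: inflate as far as the data goes and keep the partial output.
    wbits=16+MAX_WBITS tells zlib to expect (and skip) a gzip header."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    out = bytearray()
    try:
        out += d.decompress(blob)
        out += d.flush()
    except zlib.error:
        pass   # corrupted tail: keep whatever was inflated before the error
    return bytes(out)


def complete_lines(data: bytes):
    """Drop the last line: it is either empty or cut off mid-record and not trustworthy."""
    return data.split(b"\n")[:-1]


# Constructed sample log, repetitive enough that deflate actually compresses it.
SAMPLE_LOG = b"".join(
    b"2024-01-01T00:%02d:%02dZ sshd[1]: Accepted publickey for alice from 10.0.0.%d\n"
    % (i // 60, i % 60, i % 250 + 1)
    for i in range(200)
)

if __name__ == "__main__":
    blob = make_truncated_gzip(SAMPLE_LOG)
    print(strict_extract(blob))
    rec = salvage(blob)
    print(f"salvaged {len(rec)} of {len(SAMPLE_LOG)} bytes, "
          f"{len(complete_lines(rec))} whole lines")
```

In an investigation, note in the report that the file was truncated and which line is the last complete one: the missing CRC32 means nothing after the last intact block can be trusted, and the last partial line may have been the interesting one.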
Vulnerability scanner for Magento: https://github.com/steverobbins/magescan
Show tables:
.tables
Show columns / schema of a table:
PRAGMA table_info(users)
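When you only have the database file and no sqlite3 shell (a looted app.db, a browser profile), the same information is available from Python's built-in sqlite3 module, as in this added example (not from the original page). .tables reads sqlite_master, and PRAGMA table_info works through any connection; the credential-column heuristic and the in-memory sample database are this example's own constructions.

```python
"""Schema enumeration for a SQLite file without the sqlite3 shell. Added
example, not from the page; the sample database is constructed in memory."""
import sqlite3


def list_tables(con):
    """What .tables shows: user tables and views from sqlite_master, internal ones excluded."""
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type IN ('table', 'view') "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name"
    )
    return [r[0] for r in rows]


def describe_table(con, table):
    """PRAGMA table_info: one row (cid, name, type, notnull, dflt_value, pk) per column."""
    quoted = '"' + table.replace('"', '""') + '"'   # identifiers cannot be bound as parameters
    return [
        {"name": name, "type": ctype, "notnull": bool(notnull), "pk": bool(pk)}
        for _cid, name, ctype, notnull, _dflt, pk in con.execute(f"PRAGMA table_info({quoted})")
    ]


def interesting_columns(con, keywords=("pass", "pwd", "hash", "token", "secret", "key", "salt")):
    """Loot helper: columns across all tables whose names hint at credentials."""
    hits = []
    for table in list_tables(con):
        for col in describe_table(con, table):
            if any(k in col["name"].lower() for k in keywords):
                hits.append((table, col["name"], col["type"]))
    return hits


def sample_db():
    """Constructed sample: an in-memory DB shaped like a small web app's."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                            password_hash TEXT, salt TEXT);
        CREATE TABLE sessions (id INTEGER PRIMARY KEY, user_id INTEGER, token TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT);
        CREATE VIEW active_users AS SELECT username FROM users;
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'x');
    """)
    return con


if __name__ == "__main__":
    # For a real file open it read-only so you never modify evidence:
    # con = sqlite3.connect("file:app.db?mode=ro", uri=True)
    con = sample_db()
    for t in list_tables(con):
        print(t, [c["name"] for c in describe_table(con, t)])
    print(interesting_columns(con))
```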
General commands
Show available Docker images: docker images
Show running Docker instances (containers): docker ps
Run an instance in the foreground (debug logs are visible), mapping host port 8080 to container port 80:
docker run -p 8080:80/tcp --name bolt11 aerth/boltcms:latest
Run an instance in the background (-p with a single port publishes that container port on a random host port; see docker ps for it):
docker run -p 8000 --name <name> -d -t <imagename>
Open a shell in a running instance:
docker exec -it <container_name> /bin/bash…
Fingerprintjs2 collects a vast amount of browser configuration details. Victims could be lured to a site containing this JS, which sends the collected information back to the attacker. See OSCP 414ff
The Windows registry is the central data store for the operating system as well as for applications. It is a key-value store in a tree structure. A hive is a set of keys and their values. The root hives are:
Short   Long                  Content                                        Source file
HKCR    HKEY_CLASSES_ROOT     Information about file types and properties    (merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes)
HKCC    HKEY_CURRENT_CONFIG   Information about…
Checklist
A domain (served by a DC) consists of the following elements:
An object in AD may have a set of ACEs (Access Control Entries), which together form its ACL (Access Control List). An object's ACL can be retrieved in PowerShell with PowerView's Get-ObjectAcl -Identity $object. The SCM (Service Control Manager) contains a database of installed services…
ext3/ext4
Design principles:
Information about the file system
General information: fsstat /dev/sda1
Information about an inode (inode 2 is the root directory): istat /dev/sda1 2
Get the partitions of an image: mmls server.img
mmls shows the start offset of each partition in sectors. Show details of the partition which starts at sector 4096 (-o takes the sector offset, not a byte offset): fsstat -o 4096 server.img
Show all files of a…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
Upgrade a dumb shell to a tty with Python (the trailing semicolons in the original were outside the quotes and do nothing):
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'