akde/infosec

Information security is ultimately about managing risk


  • Detect SNMP-devices: nmap -sU --open -p 161 10.11.1.1-254 -oG mega-snmp.txt onesixtyone Brute force of com­mu­ni­ty strings against IPs. The fol­low­ing exam­ple tries to log in into SMTP devis­es via a giv­en IP and giv­en com­mu­ni­ty names. echo public > community echo private >> community echo manager >> community for ip in $(seq 1 254);do echo 10.11.1.$ip;done…


  • Enumeration Mandatory


  • Note: 139 = Net­BIOS is a ses­sion lay­er pro­to­col and ser­vice and dif­fer­ent from 445 SMB. Enumeration Mandatory If you have no cre­den­tials yet: If you have already user credentials: On Windows Optional


  • Enumeration Mandatory Get a list of reg­is­tered pro­grams via rpcbind/v2 (pre­vi­ous portmap­per!):rpcinfo -p $target Get a list of reg­is­tered pro­grams via rpcbind/3:rpcinfo -s $target If suc­cess­ful: Con­nect with the RPC con­sole:rpcclient -U "" $target Enu­mer­ate with the queries on the RPC pro­to­col post. Optional Try to brute-force accounts (no lock here!) Try oth­er enu­mer­a­tion tools from the…


  • Enumeration Mandatory Show users and process­es from known ports:ident-user-enum $target 139 445 … <- add all known ports here


  • Enumeration Mandatory Check if the tar­get expos­es open shares:showmount -e $target If there are some, try to mount them. If you can mount them, check if you can write files and set the s flag. (If in export no_root_squash is defined.) If yes, cre­ate a new file with a suid bit. Optional Try to use anoth­er NFS…


  • Enumeration Tools ker­brutepython3 /opt/kerbrute/kerbrute.py -domain thinc.local -users /usr/share/seclists/Usernames/Names/names.txt -dc-ip $target Alter­na­tive https://github.com/ropnop/kerbrute msf> use auxiliary/gather/kerberos_enumusers Per­form ASRE­PRoast


  • Manual enumeration Subdomain enumeration Put usu­al domain names (Seclists!) and iter­ate them with the bash $ for ip in $(cat list.txt); do host $ip.domain.com; done IP enumeration Enu­mer­ate an IP range to find domains $ for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found" Zone transfer Per­form a DNS zone…


  • Enumeration Mandatory Grab the banner. Tools Pata­tor (brute force)


  • Notes If the serv­er needs old cryp­to, use -oKexAlgorithms=+diffie-hellman-group1-sha1 OpenSSH 7.7. allows to enu­mer­ate exist­ing users. It could be pos­si­ble on Win­dows 10 ssh-agent to extract the keys. Keys Get fin­ger­prints nmap -p22 --script ssh-hostkey $target Get hostkeys nmap -p22 --script ssh-hostkey --script-args ssh_hostkey=full $target Extract fin­ger­prints from exist­ing key file: ssh-keygen -E md5 -lf /tmp/found_keyssh-keygen -E sha1…


  • Enumeration Mandatory Try to access ssh ‑v $target Optional Reuse exist­ing credentials Brute-force with exist­ing user­names (Pass­word-spray­ing) Try ssh-audit $target Try known user­naes with user­name as pass­word or oth­er found strings. Privilege Escalation Find .ssh direc­to­ry on the file sys­tem and check all files within. Check sshd_config file. Check SSH ver­sion for exploits.


  • Enumeration Check the certificate Per­form SSL-Scan Go to Check­list 80 HTTP Optional if vul­ner­a­ble against heart­bleed, use msf> use openssl_heartbleed. Don’t for­get to use set ACTION KEYS or sim­i­lar (see info)


  • Enumeration Mandatory Check anony­mous login Try to cre­ate AND upload a file:  mkdir test put /tmp/test test Check login with at least the fol­low­ing credentials:  admin / admin admin / password Optional Down­load every­thing with wget and look for .dot files! Check login with new­ly found users Brute-force login Make sure to check admin / admin and oth­er usu­al com­bi­na­tions…


  • Each instal­la­tion has the fol­low­ing direc­to­ry structure: /document root /_vti_bin shtml.exe /_vti_adm admin.exe /_vti_aut author.exe The shtml.exe is for exe­cut­ing web brows­er guest’s code for a web page. author.exe and admin.exe not. Tools Spar­ty: Front­page Secu­ri­ty Audit tool.


  • Enumeration Mandatory Open the site in a Brows­er. Maybe a CUPS inter­face is available. Per­formnmap -p 631 $target --script cups-info Try the PRET Print­er Exploita­tion Toolk­it is use­ful for print­er hack­ing. See also HTB Laser (ippsec)python pret.py $target pcl


  • Check­out a repo: svn checkout svn://... Show log svn log Show infos svn info Show all branches svn ls svn://$victim --verbose The first num­ber from the pre­vi­ous com­mand shows the revi­sion. To see the con­tent of a repo for anoth­er revi­sion, add the r flag: svn ls svn://$victim --verbose -r 1 svn ls svn://$victim --verbose -r 2…


  • This site con­tains links to tools / tech­niques which can run in the back­ground dur­ing an engagement. Linux Windows


  • respon­der: Lis­ten with respon­der on a net­work and wait for AD sys­tems to ask for a DC. This can reveal a NTLM hash. (Source) Start respon­der on the own system: sudo responder -I tun0 --wpad Con­nect from the tar­get sys­tem to this sys­tem via smb. In the Win­dows explor­er, or in the com­mand line via dir…


  • Pass­word spray­ing: Try a few pass­words against a large set of users. Manual for u in Administrator Guest krbtgt DefaultAccount ryan marko sunita abigail marcus sally fred angela felicia gustavo ulf stevie claire paulo steve annette annika per claude melanie zach simon naoki; do rpcclient -W MEGABANK -U $u 10.10.10.169; done; With Pow­er­Shell Down­load Domain­Pass­word­Spray and…


  • Main con­cepts: Ten­ant The “space” which an orga­ni­za­tion “rents”. Has a name. Users Groups Appli­ca­tions Iden­ti­ty model  Cloud only Accounts are only in for­eign sys­tems (“cloud”) Syn­chro­nized Accounts are cre­at­ed and man­aged on-premise and syn­chro­nized to for­eign sys­tems (“cloud”) Fed­er­at­ed Accounts are cre­at­ed, man­aged and authen­tifi­cat­ed on-premise; for­eign sys­tems (“cloud”) are also check­ing againts a on-premise system.…


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';