akde/infosec

Information security is ultimately about managing risk


  • Auf dem Client: root@raspberrypi:/etc/apt# cat apt.conf Acquire::http::Proxy "http://10.10.14.38:3128"; Auf dem Proxy:


  • Cross-compiling for 32/64 bit systems sudo apt-get install gcc-multlib gcc ‑m32 datei.c Tipp: Add ‑sta­t­ic for a sta­t­ic binary. Note that you need to install pack­ets for the tar­get plat­form, e.g. apt install gcc-i686-linux-gnu. Cross-compiling for Windows Install the pack­ages like apt install gcc-mingw-w64. Then use x86_64-w64-mingw32-gcc execute.c -o execute.exe. Disable security features You can…


  • Brute force is pos­si­ble with nmap: # nmap --script vnc-brute -p 5900 localhost For TightVNC, use vncp­wd to break pass­words. A pass­word can be obtained via reg query HKLM\Software\TightVNC\Server\ /v Password


  • 1. Manual enumeration id pwd uname -a // are there kernel exploits? cat /etc/hosts cat /etc/passwd ls -lah /etc/passwd cat /etc/group cat /etc/fstab cat /etc/crontab df cd /home && ls ... // or execute ls -lahR /home/ cd /root && ls ... netstat -antup ps aux sudo -l su // if passwords are already known…


  • Mit distc­cd kann man ent­fer­nt compilieren.


  • Tools to detect nmap ‑O nmap-chronos Tools to detect and validate p0f JS to list brows­er char­ac­ter­is­tics which could send back to an attack­er via an AJAX request: /itsec/wp-content/uploads/2021/05/browser_detection.html Tools to impersonate Against browser/JS-based fin­ger­print­ing: Just tam­per with val­ues from the brows­er in about:config.


  • Enumeration Mandatory Optional On Windows


  • After­wards: See Ana­lyz­ing memory Linux Prozess memory dump Find out which mem­o­ry seg­ments are used by an appli­ca­tion via its PID: cat /proc/<pid>/maps Dump the used mem­o­ry from an appli­ca­tion: (cred­it) #!/bin/bash grep rw-p /proc/$1/maps \ | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \ | while read start stop; do \ gdb --batch --pid $1 -ex \…


  • https://github.com/Tib3rius/AutoRecon Mul­ti recon tool for broad scanning


  • Down­load: https://github.com/droope/droopescan droopescan scan drupal -u http://$target/ -t 32 Or just install via pip pip install droopescan


  • Weevely https://tools.kali.org/maintaining-access/weevely Erzeugt PHP-Skript auf Serv­er, mit dem man eine Shell wieder bekom­men kann. Various scripts Shelter (win32) Dynam­ic shell injec­tion tool into nor­mal Win­dows binaries. https://tools.kali.org/maintaining-access/shellter Create own (normal) shell HTTPTunnel Needs PHP; cre­ates file on a serv­er which acts as SSH proxy. Nishang Col­lec­tion of Pow­er­Shell scripts for back­doors and more. Kali:/usr/share/nishang dns2tcp Cre­ates a TCP…


  • https://tools.kali.org/exploitation-tools/commix Cre­at­ed SQL injec­tions on the fly.


  • Crawling Before using brute force, con­sid­er just crawling: Directory enumeration Hints: General search nikto -host $victim gobuster dir -u http://$target/ -a 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 60 gobuster dir -u http://$target/ -a 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60 gobuster dir -u http://$target/ -p socks5://127.0.0.1:9991 -w…


  • Union-based injections Blind SQL injections If no out­put is giv­en from a state­ment, try to use time-based approaches. Fuzzing Enumerating in inserts Assum­ing the INSERT state­ment is INSERT INTO $tablename (email,name) VALUES ("email", "name"); Then try a tim­ing attack to deter­mine if a cer­tain val­ue is in a field: INSERT INTO newsletter (name,email) VALUES ('name', ' '…


  • General objectives Organizing template Web ressources Tools Notes


  • List with a ton of one-lin­er web servers in var­i­ous languages HTTP python -m SimpleHTTPServer 8000 python3 -m http.server 8000 HTTPS ruby -r webrick/https -e ' WEBrick::HTTPServer.new( Port: 8000, DocumentRoot: ".", SSLEnable: true, SSLCertName: [%w[CN localhost]]).start'


  • (!) See also Pass­word spray­ing to check a obtained pass­word against usernames. Note: Use http://rumkin.com/tools/cipher/ if you have to encode/decrypt/decipher some­thing on the fly. Wordlist optimization If there is a pass­word pol­i­cy known: Check password policy In Win­dows, type net accounts to get infor­ma­tions about account lock­ing, lock­out threash­olds etc. Cloud-based performance cracking See NPK Default passwords Hashcat Am…


  • Dis­plays all avail­able net­work shares: showmount -e $target Nor­mal mount mount -t nfs $target:/home /mnt Mount­ing with nfspy — with the hide option, it mounts and unmounts for the serv­er so the vic­tim can­not see the new con­nec­tion via showmount. nfspy -o server=192.168.1.124:/home,hide,allow_other,ro,intr /mnt Mount via SSH ssh -N -L 3049:localhost:2049 user@hostname mount -t nfs -o port=3049…


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';