NTML infos nmap -p 23 --script telnet-ntlm-info $target Brute-force nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=passwords.txt,telnet-brute.timeout=5s $target hydra -P passwords.txt -L users.txt $target telnet -V hydra -C users_and_passwords.txt $target telnet -V
Local file inclusion and Wrappers General: If you try to read PHP and nothing returns — use a base64 return! Remote file inclusion PHP deserialization If a program accepts a serialized object which uses a magic method, then… TODO, see here
Logon on another system with a NTLM hash Scenario: Then, use mimikatz to inject another user’s NTLM hash into the secret storage: Steal another user’s session Scenario: Then, with the use of mimikatz: privilege::debugsekurlsa::tickets /export This exports available tickets into the working directory (suffix .kirbi). Then, choose one file/ticket from the correct user and service. For…
Windows creates and stores credentials in the Local Security Authority Subsystem Service LSASS in the memory. On the filesystem, the sam database stores the hashes. Use Mimikatz Usage Enable debug mode. This usess the SeDebugPrivilege so that we are able to communicate with other processes. privilege:debug Try to elevate privileges to obtain SYSTEM user privileges:…
BloodHound analyzes and present Active Directory Data. SharpHound is the data collector which runs on a compromised AD system. On the target: On the own system:
Without shell access With shell access Choose one method to enumerate. 1. User and group enumeration with net (!) See what roles/privileges THIS USER has. Also localy. Maybe he/she has already administrative privileges. whoami /all List (and store!) the users of the domain net user /domain List (and store!) information like full names, group memberships, etc.…
Collection of privsec scripts. To start, upload PowerView.ps1 and: powershell -exec bypass PS> Import-Module .\PowerView.ps1 See the github site for all commands. General enumeration powershell -exec bypass PS> . .\PowerUp.ps1 PS> Invoke-AllChecks Or: powershell.exe -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks" About users Enumerates all users. Get-NetUser Enumerate all users which does not require Kerberos preauth. Get-NetUser -PreauthNotRequired Returns…
Generic analysis tools Extract macros with oledump Use oledump.py to extract macros. List the file contents: python oledump.py $file Example from an output: ... 7: M 16267 'Macros/VBA/NewMacros' 8: m 932 'Macros/VBA/ThisDocument' ... To show details from a document part use the first number and execute python oledump.py -s $no $file But to extract Macros,…
Mainly post exploitation for AD environments. (Download — also included in Kali sources) Quick usage for privilege escalation General usage Metasploit syntax / PSE syntax Note: After usemodule don’t forget to go “back” and to “interact” with the agent to see job results! Commands with an asterix require a high-integrity Empire Agent. To upgrade one…
See the Impacket site for a short description of all tools. Tip: On Kali, use the command impacket-* Enumeration without authentication Determine the system architecture getArch.py -target $target Returns the listening RPC interface IDs. ifmap.py $target 135rpcdump.py $target Enumeration with half authentication Scenario: You have credentials for one AD user. Then, try to get all users for…
Overview Tomcat usually listens on the following ports: 8080 — HTTP 8005 — Port for shutting down the Tomcat server; not interesting here 8009 — Same functions as the HTTP port, but via the Apache JServ protocol AJP. AJP is basically HTTP in a compressed/binary form. Checklist Check if /manager is accessible. Default credentials are tomcat / s3cret or…
In Oracle SQL, a SID (Service Identifier) is basically a database. Enumeration Get general information tnscmd10g -h $target Try to get a SID: tnscmd10g status-p 1521 -h $target Another tool: Oracle Scanner oscanner -s $target -P 1521 Metasploit module scanner/oracle/tnslsnr_version Brute force SID hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 $target oracle-sid nmap --script oracle-sid-brute -p 1521 $target Brute…
General tools Imaging tools dd, of course. Note that it makes sense to set the proper block size (sometimes 4k, but most hard drives are using 512), so that, when an error occued, the exact sector is shown which can afterwards be skipped. dd if=/dev/sda of=/external/file.md5 bs=512 ewfacquire sudo ewfacquire /dev/sda Advantages: aff4 advanced forensic…
General After beeing root, do the following to gain additional information. Copy / break /etc/shadow or SAM Investigate all /home directories and /root ls -lahR /home/ Are there SSH keys? Investigate all databases and get / break their users and passwords Check cronjobs/-tabs Enumerate programs and determine where credentials could be. Enumerate the user’s mail Enumerate WWW directories…
Check also IDEs like IntelliJ, Visual Studio, Eclipse, …
Accessing in Linux: impacket-mssqlclient Administrator:password@$target -windows-auth Default databases are: Enumeration Determine version nmap -p 445 --script ms-sql-info $target Via metasploit auxiliary/scanner/mssql/mssql_ping Via Impacket mssqlinstance.py $target Login brute force scanner/mssql/mssql_login When an account is known, enumerate for vulnerabilities auxiliary/admin/mssql/mssql_enum Exploitation Execute commands auxiliary/admin/mssql/mssql_exec Get shell windows/mssql/mssql_payload Tools Command line sqsh -U sa -P $password -S $target:1433 From PowerShell sqlcmd -S…
See https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 as a base64 cheat sheet. The classic (base64 combines the bytes of the text and separates 6 bit (2^6 = 64) and maps each 6 bit to a character. “=” means “two byte missing”. For example, if the combined strings have 2 bit “left” (41.…), then (A==) echo Hi | base64 -d Convert hex…
From SANS660: “Fuzzing is not an attack; it is a fault-testing technique.” Types are: Instrumented Fuzzing: “Monitoring” a system to learn how normal inputs look like. No pre-knowledge of the system needed. Intelligent utation: A protocol grammar which defines paths through all the code. Inputs are mutated according to the grammar. Tools https://tools.kali.org/vulnerability-analysis/sfuzz See https://en.kali.tools/all/?category=fuzzer Sulley…
Enumeration Multiple
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';