-
Notifications
You must be signed in to change notification settings - Fork 0
/
myfu.txt
610 lines (477 loc) · 38.9 KB
/
myfu.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
# disable ubuntu updateÂ
sudo killall update-notifier
sudo mv /usr/bin/update-notifier /usr/bin/update-notifier.real
echo -e '#!/bin/bash\nwhile :; do /bin/sleep 86400; done' | sudo tee /usr/bin/update-notifier
sudo chmod 755 /usr/bin/update-notifier
You should disable the automatic Kali updates because IDS usually check for that.
The story begins when the attacker was tipped off to an Internet accessible server (sensu.instagram.com). The attacker did not have to take any of the normal recon steps. Normally an attack would need to try to identify sub-domains and IP addresses owned by the business. To find sub-domains, they can try making a domain transfer (AXFR) request, or brute-forcing them. Both these techniques can be accomplished with Bluto. That tool's wordlist doesn't have "sensu" as a possible sub-domain, nor did other tools I looked at. An attacker's sub-domain wordlist should also contain other likely server names associated with common tools such as "nagios", "jenkins", "hudson", "git", etc.
https://summitroute.com/blog/2015/12/24/instagram_bounty_case_study_for_defense/
# Search office documents for PII
# CC with SSN no dash ( high false positive )
find . -iname "*.???x" -type f -exec unzip -p '{}' '*' \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b|\b[0-9]{9}\b"
# CC with SSN dash ( low false positive only match ###-##-#### not any 8digi number )
find . -iname "*.???x" -type f -exec unzip -p '{}' '*' \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"
(Nice regex. Your cc search can be improved by incorporating the Luhn algorithm to detect valid CC #’s and reduce false-positives. There are also a couple of foreign-issued CC’s that have a slightly different pattern.)
# example PII search CC and SSN with dashes and max results 10 per file
find . -maxdepth 6 -size -100000k -type f -exec egrep --max-count 10 -A 2 -B 2 -Hia "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b" '{}' \;
# head all files for passwords gonig 6 deep ( peeking into all files not just small ones .. )
find . -maxdepth 6 -type f -exec head -c 100000 '{}' \; |egrep -Hia -A 4 -B 4 passw
# find passwords 6 deep and less then 1m adding padding so you can see username/hostname info before or after the password field ..
find . -maxdepth 6 -size -100000k -type f -exec egrep -A 4 -B 4 -Hia passw '{}' \;
# can't read ? what is wrong with you ??? find readable files...
find . -readable -type f
# do a quick tree dump 3 levels deep of folders
find . -maxdepth 3 \( -path /opt -o -path /proc -o -path /tmp \) -prune -o -type d
#Useful UDP Ports - Not TCP Ports - use -top-ports 1000 for that, or scan all 65535 ports, or see below
631,161,137,123,138,1434,445,135,67,53,139,500,68,520,1900,4500,514,49152,162,69,5353,111,49154,1701,998,996,997,999,3283,49153,1812,136,2222,2049,32768,5060,1025,1433,3456,80,20031,1026,7,1646,1645,1089,1090,1091,1541,4000,5050,5051,11001,20000,34962,34963,34964,34980,44818,45678,47808,50020,50021,55000,55001,55002,55003,5555
java -Xmx1024M -XX:MaxPermSize=1G -jar ~/Documents/Tools/burpsuite_pro_v1.6.39.jar &
perl -pi -e 's/;/\n/g' d; cat d | sort -V | uniq > dsrt.txt
#todo: add cut command from nmap -sL list generation
When running john, all you need to use new wordlists is cd to the directory with the wordlists (in txt format, like rockyou.txt) and run something like the following: john --wordlist=cain.txt --fork=4 logs/*.txt --rules
No need to add them to the /usr/share/john directory and john.conf.
nmap --max-retries 2 helps speed things up
Name progress files with .progress, it makes it easier for naming.
SMB is 135-139, 445. smb-enum-domains takes less time, smb-enum-shares much longer. Before running smb-enum-shares.nse, parse out positive domain listings from smb-enum-domains and feed them into smb-enum-shares. Also specify -p 135-139,445 to speed things up a bit.
https://countuponsecurity.files.wordpress.com/2015/06/jtr-cheat-sheet.pdf
consider generating a wordlist with american english words with numbers appended
Todo: new kali - configure java applet in browsers, also make sure to install necessary addons for Burp FF/Iceweasel Profile
#EyeWitness Usage
chmod +x EyeWitness.py
./EyeWitness.py --all-protocols --timeout 20 -x ~/Documents/Target.xml
#
#copy to clipboard in terminal
xclip -i inputfile.txt -selection c
#scroll up in screen
Ctrl-A, Escape. Then Return or Escape 2X to get back to typing.
#screen
screen -L for logging, screen -S to create a name for the screen
screen -L -S new_name
Ctrl-A K to end session
#new perl nessus compiler requires these modules
XML::TreePP
o Data::Dumper
o Math::Round
o Excel::Writer::XLSX
PAR::Dist
o Data::Table
o Excel::Writer::XLSX::Chart
o Getopt::Std
#melcara perl script usage
perl parse_nessus_xml.v22.pl -f merged_report.nessus
#Validation of Nessus findings
enum4linux + nmblookup + smbclient for snmp-flagged and 139/445 hosts and smb null sessions
rdp-sec-check.pl in ~/Applications, for Terminal Services.
nmbscan in ~/Applications/nmbscan-tool/nmbscan for scanning shares of a NetBIOS network and detecting windows hosts
nmap --script ssl-cert,ssl-enum-ciphers -p 443,1413,3389,465,993,995 -oA cipher_check 144.74.201.0/24 for ssl cert checks
you can also use openssl s_client -connect <IP>
rpcclient for smb null session
nbtscan - Windows only - scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding of open shares. - port 137 - done on all
snmpwalk for public snmp servers
remember smtp is for mail (port 25)
smb null sessions - rpcclient and msfconsole - use auxiliary/scanner/smb/pipe_auditor
#Mount NFS in Kali
apt-get install nfs-common portmap -y
(Random init scripts will not get started, thanks to Kali policy).
mount -t nfs 127.0.0.1:/path/to/share new_folder
#Parse IPs that reply to pings out of nmap plain ping scan, straight into useful list.
nmap -sn -PS 192.168.1.1/24 -oG - | awk '/Up$/{print $2}' > 192.168.1.up
#Exploitation
Let's say a machine with a critical SMB exploit isn't getting popped. Try running psexec module in Metasploit against it. Use administrator:password as uname/pw, and set workgroup. in Meterpreter, run:
sysinfo
getuid
getsystem
hashdump
load mimikatz
msv
kerberos
run post/windows/gather/enum and tab the rest
post/windows/gather/smart_hashdump
#more wordlists-
http://blog.g0tmi1k.com/2011/06/dictionaries-wordlists/?redirect
https://hashes.org/crackers.php
#Enable sound (keyword:alsa) in Kali Linux
systemctl --user enable pulseaudio
#DNS Server Cache snooping - or see HTML page
https://www.neowin.net/forum/topic/1272202-dns-bind-vulnerability-remediation/
##package Nessus Parser into executable
pp -M JSON -M PAR::Dist -M URI::Escape -M LWP::UserAgent -M HTTP::Cookies -M Data::Dump -M Data::Dumper -M XML::Hash::XS -M XML::TreePP -M MIME::Base64 -M Math::Round -M Excel::Writer::XLSX -M Excel::Writer::XLSX::Chart -M Excel::Writer::XLSX::Chart::Pie -M Data::Table -M Getopt::Std parse_nessus_xml.v22.pl
Generating grub configuration file ...
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-4.9.0-kali2-amd64
Found initrd image: /boot/initrd.img-4.9.0-kali2-amd64
Found linux image: /boot/vmlinuz-4.9.0-kali1-amd64
Found initrd image: /boot/initrd.img-4.9.0-kali1-amd64
Found linux image: /boot/vmlinuz-4.6.0-kali1-amd64
Found initrd image: /boot/initrd.img-4.6.0-kali1-amd64
done
#decrypting cookies
10:18 < flawseeker> megan35, atom128, zong22. Maybe it can help
#youtube-dl
sudo youtube-dl --extract-audio --audio-format mp3 -c --restrict-filenames https://www.youtube.com/watch?v=gkzXd53yWMA > /dev/null 2>&1 &
#nikto
nikto.pl -h nikto_hosts_file.txt -Display VPE -F htm -output nikto_all_scan_2.html
#grep inside folder/directory
grep -nr "Wireless channel to scan" .
#Parsing degenerate scan results (nmap -sL)
nmap -n -sL 192.168.1.1/24 | grep 'Nmap scan report for' | cut -f 5 -d ' ' > ips.txt
#listen for incoming ICMP packets
tcpdump ip proto \\icmp
1216 ps | grep nfspy
1217 ps
1218 ps -e
1219 kill 18546
1220 cd /
1221 ls
1222 ls -l
1223 ls -of
1224 lsof
#nfs mounting
nfspy -o server=192.168.1.1:/images,hide,allow_other /path/to/special/directory/mountpoint
#Java Deserializtion
ysoserial
https://github.com/getcode2git/exserial.git
PowerSploit has SimpleHTTPServer I think
loubia.py from https://github.com/metalnas/loubia for Weblogic
#airodump-ng 5ghz all frequencies. It hops in 20mhz sections and will see stuff on channel 165.
airodump-ng -C 5035-5825 wlan0mon
#airodump-ng 2.4ghz all bands
airodump-ng --channel 1-14 wlan0mon
#wireshark filter probe response
Twlan.fc.type_subtype eq 5.
#Sublime Text
Format as XML? Package Control, Install Package, indentXML, then go to Selection - Format - Indent XML/JSON
#Starting eth0
ifconfig eth0 down
ifconfig eth0 <desired ip> netmask <netmask> up
route add default gw <gateway>
Testing Heartbleed
---------------
If you're running Ubuntu and want to test Heartbleed you'll need to downgrade to a vulnerable
version of OpenSSL. That can be done by:
wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/5436465/+files/openssl_1.0.1-4ubuntu5.11_i386.deb
wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/5436465/+files/libssl-dev_1.0.1-4ubuntu5.11_i386.deb
wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/5436465/+files/libssl-doc_1.0.1-4ubuntu5.11_all.deb
wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/5436465/+files/libssl1.0.0_1.0.1-4ubuntu5.11_i386.deb
sudo dpkg -i libssl1.0.0_1.0.1-4ubuntu5.11_i386.deb
sudo dpkg --install libssl1.0.0_1.0.1-4ubuntu5.11_i386.deb \
libssl-dev_1.0.1-4ubuntu5.11_i386.deb \
libssl-doc_1.0.1-4ubuntu5.11_all.deb \
openssl_1.0.1-4ubuntu5.11_i386.deb
Then use wpa_supplicant to connect to hostapd-wpe -c
ls -l /etc/NetworkManager/system-connections/ then remove entries (ProbeRequests)
Download free version of MS product - use virtual lab. Guided lessons.
aircrack-ng --bssid E8:04:62:F6:ED:C0 -e "SSID-Name" ~/Tools/wifite2/hs/handshake_identified_ESSID_MACADDRESS.cap -w ~/Tools/Wordlists/rockyou.txt
aireplay-ng -0 5 -b bssid_mac -c client_mac -c channel interface
#Common HTTP Ports for EyeWitness
--add-http-ports 80,8080,8008,8888,8081,280,591,593,2480,4444,4445,4567,5000,5104,5800,5988,5989,7001,8042,8280,8281,8530,8887,9080,9981,11371,16080
--add-https-ports 443,8443,981,1311,7000,7002,8243,8531,8888,9443,12043,12443,18091,18092
######
D) Start the gpsd daemon running
------------------------------------------------
Arguments:
-G to listen on all addresses rather than only localhost
-n to start reading the GPS device immediately, not waiting for a client call
-F to specify the control socket to use
sudo gpsd /dev/ttyUSB0 -G -n -F /var/run/gpsd.sock
Note that you have to be careful when using this start command that you specify
the correct tty device. In my case the GPS has switched between ttyUSB0 and ttyUSB1...
E) Check its state
--------------------------------------------------
gpspipe -r -n 10
{"class":"VERSION","release":"3.16","rev":"3.16","proto_major":3,"proto_minor":11}
{"class":"DEVICES","devices":[{"class":"DEVICE","path":"/dev/ttyUSB1","driver":"SiRF","activated":"2016-03-08T13:56:21.583Z","flags":1,"native":1,"bps":4800,"parity":"N","stopbits":1,"cycle":1.00}]}
{"class":"WATCH","enable":true,"json":false,"nmea":true,"raw":0,"scaled":false,"timing":false,"split24":false,"pps":false}
$GPGSV,2,1,07,30,19,093,18,13,56,171,33,10,14,334,25,20,16,237,28*7D
$GPGSV,2,2,07,28,58,076,28,24,30,270,21,15,59,259,27*42
$GPZDA,135622.00,08,03,2016,00,00*69
$GPGGA,135622,5924.2698,N,01749.1051,E,1,07,2.20,27.62,M,26.432,M,,*75
$GPRMC,135622,A,5924.2698,N,01749.1051,E,0.0000,0.000,080316,,*21
$GPGSA,A,3,30,13,10,20,28,24,15,,,,,,1.9,2.2,1.5*34
$GPZDA,135623.00,08,03,2016,00,00*68
or
cgps -s
##########
#nmap parsing
cat 172.17_19_connect_version_scan.gnmap | awk '{printf "%s\t", $2;
for (i=4;i<=NF;i++) {
split($i,a,"/");
if (a[2]=="open") printf ",%s",a[1];}
print ""}' | sed -e 's/,//' > parsed.txt
# du disk usage sort
du -k * | sort -nr | cut -f2 | xargs -d '\n' du -sh
figure out how to visualize just connected clients to a target ESSID and/or BSSID
#easy decode in bash
alias urldecode='python -c "import sys, urllib as ul; print ul.unquote_plus(sys.argv[1])"'
#A stop job is running for Session c2 of user
It appears you can reduce the timeout in /etc/systemd/system.conf:
DefaultTimeoutStartSec=10s
DefaultTimeoutStopSec=10s
#vmware,tools,kali,kali.org
https://docs.kali.org/general-use/install-vmware-tools-kali-guest
- then run mount-shared-folders each time
On a Windows VM the shared folder is under Network
#metasploit, nmap, importing
https://www.redspin.com/it-security-blog/2011/09/importing-and-working-with-nmap-scans-in-metasploit-framework-4/
# Old versions of Firefox addons
https://addons.mozilla.org/en-US/firefox/addon/web-developer/versions/
## Current TCP Ports list
0,7,21,22,23,25,42,53,67,69,80,110,119,123,135,139,161,162,280,389,443,445,591,593,636,873,993,995,981,1234,1389,1433,1521,1522,8445,8443,8080,8008,8000,9443,2480,4444,4445,4567,5000,5104,5800,5988,5989,6666,7001,8042,8280,8281,8530,8887,9080,9981,11371,16080,6600,7000,7002,50000,50001,8243,8531,12043,12443,18091,18092,3306,3389,5800,5900,5901,5902,5988,5989
#release ip address linux
dhclient -r -v
#count port occurrence (but only when each port is separated by something other than a newline, like a space)
cat ports.txt | tr ' ' '\n' | sort | uniq -c | awk '{print $2"@"$1}' > ports_count.txt
#Nmap top 1000 tcp ports (with port 80)
1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389
#Nmap top 1000 UDP ports
2-3,7,9,13,17,19-23,37-38,42,49,53,67-69,80,88,111-113,120,123,135-139,158,161-162,177,192,199,207,217,363,389,402,407,427,434,443,445,464,497,500,502,512-515,517-518,520,539,559,593,623,626,631,639,643,657,664,682-689,764,767,772-776,780-782,786,789,800,814,826,829,838,902-903,944,959,965,983,989-990,996-1001,1007-1008,1012-1014,1019-1051,1053-1060,1064-1070,1072,1080-1081,1087-1088,1090,1100-1101,1105,1124,1200,1214,1234,1346,1419,1433-1434,1455,1457,1484-1485,1524,1645-1646,1701,1718-1719,1761,1782,1804,1812-1813,1885-1886,1900-1901,1993,2000,2002,2048-2049,2051,2148,2160-2161,2222-2223,2343,2345,2362,2967,3052,3130,3283,3296,3343,3389,3401,3456-3457,3659,3664,3702-3703,4000,4008,4045,4444,4500,4666,4672,5000-5003,5010,5050,5060,5093,5351,5353,5355,5500,5555,5632,6000-6002,6004,6050,6346-6347,6970-6971,7000,7938,8000-8001,8010,8181,8193,8900,9000-9001,9020,9103,9199-9200,9370,9876-9877,9950,10000,10080,11487,16086,16402,16420,16430,16433,16449,16498,16503,16545,16548,16573,16674,16680,16697,16700,16708,16711,16739,16766,16779,16786,16816,16829,16832,16838-16839,16862,16896,16912,16918-16919,16938-16939,16947-16948,16970,16972,16974,17006,17018,17077,17091,17101,17146,17184-17185,17205,17207,17219,17236-17237,17282,17302,17321,17331-17332,17338,17359,17417,17423-17424,17455,17459,17468,17487,17490,17494,17505,17533,17549,17573,17580,17585,17592,17605,17615-17616,17629,17638,17663,17673-17674,17683,17726,17754,17762,17787,17814,17823-17824,17836,17845,17888,17939,17946,17989,18004,18081,18113,18134,18156,18228,18234,18250,18255,18258,18319,18331,18360,18373,18449,18485,18543,18582,18605,18617,18666,18669,18676,18683,18807,18818,18821,18830,18832,18835,18869,18883,18888,18958,18980,18985,18987,18991,18994,18996,19017,19022,19039,19047,19075,19096,19120,19130,19140-19141,19154,19161,19165,19181,19193,19197,19222,19227,19273,19283,19294,19315,19322,19332,19374,19415,19482,19489,19500,19503-19504,19541,19600,19605,19616,19624-19625,19632,19639,19647,19650,19660,19662-19663,19682-19683,19687,19695,19707,19717-19719,19722,19728,19789,19792,19933,19935-19936,19956,19995,19998,20003-20004,20019,20031,20082,20117,20120,20126,20129,20146,20154,20164,20206,20217,20249,20262,20279,20288,20309,20313,20326,20359-20360,20366,20380,20389,20409,20411,20423-20425,20445,20449,20464-20465,20518,20522,20525,20540,20560,20665,20678-20679,20710,20717,20742,20752,20762,20791,20817,20842,20848,20851,20865,20872,20876,20884,20919,21000,21016,21060,21083,21104,21111,21131,21167,21186,21206-21207,21212,21247,21261,21282,21298,21303,21318,21320,21333,21344,21354,21358,21360,21364,21366,21383,21405,21454,21468,21476,21514,21524-21525,21556,21566,21568,21576,21609,21621,21625,21644,21649,21655,21663,21674,21698,21702,21710,21742,21780,21784,21800,21803,21834,21842,21847,21868,21898,21902,21923,21948,21967,22029,22043,22045,22053,22055,22105,22109,22123-22124,22341,22692,22695,22739,22799,22846,22914,22986,22996,23040,23176,23354,23531,23557,23608,23679,23781,23965,23980,24007,24279,24511,24594,24606,24644,24854,24910,25003,25157,25240,25280,25337,25375,25462,25541,25546,25709,25931,26407,26415,26720,26872,26966,27015,27195,27444,27473,27482,27707,27892,27899,28122,28369,28465,28493,28543,28547,28641,28840,28973,29078,29243,29256,29810,29823,29977,30263,30303,30365,30544,30656,30697,30704,30718,30975,31059,31073,31109,31189,31195,31335,31337,31365,31625,31681,31731,31891,32345,32385,32528,32768-32780,32798,32815,32818,32931,33030,33249,33281,33354-33355,33459,33717,33744,33866,33872,34038,34079,34125,34358,34422,34433,34555,34570,34577-34580,34758,34796,34855,34861-34862,34892,35438,35702,35777,35794,36108,36206,36384,36458,36489,36669,36778,36893,36945,37144,37212,37393,37444,37602,37761,37783,37813,37843,38037,38063,38293,38412,38498,38615,39213,39217,39632,39683,39714,39723,39888,40019,40116,40441,40539,40622,40708,40711,40724,40732,40805,40847,40866,40915,41058,41081,41308,41370,41446,41524,41638,41702,41774,41896,41967,41971,42056,42172,42313,42431,42434,42508,42557,42577,42627,42639,43094,43195,43370,43514,43686,43824,43967,44101,44160,44179,44185,44190,44253,44334,44508,44923,44946,44968,45247,45380,45441,45685,45722,45818,45928,46093,46532,46836,47624,47765,47772,47808,47915,47981,48078,48189,48255,48455,48489,48761,49152-49163,49165-49182,49184-49202,49204-49205,49207-49216,49220,49222,49226,49259,49262,49306,49350,49360,49393,49396,49503,49640,49968,50099,50164,50497,50612,50708,50919,51255,51456,51554,51586,51690,51717,51905,51972,52144,52225,52503,53006,53037,53571,53589,53838,54094,54114,54281,54321,54711,54807,54925,55043,55544,55587,56141,57172,57409-57410,57813,57843,57958,57977,58002,58075,58178,58419,58631,58640,58797,59193,59207,59765,59846,60172,60381,60423,61024,61142,61319,61322,61370,61412,61481,61550,61685,61961,62154,62287,62575,62677,62699,62958,63420,63555,64080,64481,64513,64590,64727,65024
#!/bin/bash
#echo "Usage: ./mon_mode.sh wlan1|wlan0"
ip link set $1 down
echo "\nip link set $1 down"
iw dev $1 set type monitor
echo "\niw dev $1 set type monitor"
ip link set $1 up
echo "\nip link set $1 up"
# 2.4 ghz channels
1 2412
2 2417
3 2422
4 2427
5 2432
6 2437
7 2442
8 2447
9 2452
10 2457
11 2462
12 2467
13 2472
14 2484
# 5 ghz channels
7 5035 5030–5040
8 5040 5030–5050
9 5045 5040–5050
11 5055 5050–5060
12 5060 5050–5070
16 5080 5070–5090
34 5170 Unknown
36 5180 5170–5190
38 5190 5170–5210
40 5200 5190–5210
42 5210 5170–5250
44 5220 5210–5230
46 5230 5210–5250
48 5240 5230–5250
50 5250 5170–5330
52 5260 5250–5270
54 5270 5250–5290
56 5280 5270–5290
58 5290 5250–5330
60 5300 5290–5310
62 5310 5290–5330
64 5320 5310–5330
100 5500 5490–551
102 5510 5490–553
104 5520 5510–553
106 5530 5490–557
108 5540 5530–555
110 5550 5530–557
112 5560 5550–557
114 5570 5490–565
116 5580 5570–559
118 5590 5570–561
120 5600 5590–561
122 5610 5570–565
124 5620 5610–563
126 5630 5610–565
128 5640 5630–565
132 5660 5650–567
134 5670 5650–569
136 5680 5670–569
138 5690 5650–573
140 5700 5690–571
142 5710 5690–573
144 5720 5710–573
149 5745 5735–575
151 5755 5735–577
153 5765 5755–577
155 5775 5735–581
157 5785 5775–579
159 5795 5775–581
161 5805 5795–581
165 5825 5815–583
sudo mount -t fuse.vmhgfs-fuse .host:/ /mnt/hgfs -o allow_other,nonempty
sudo mount -t cifs //192.168.1.0/share /mnt/mountpoint/ -o user=,password=
#recursively add file extension to all files
Alternative command without an explicit loop (man find):
find . -type f -exec mv '{}' '{}'.jpg \;
Explanation: this recursively finds all files (-type f) starting from the current directory (.) and applies the move command (mv) to each of them. Note also the quotes around {}, so that filenames with spaces (and even newlines...) are properly handled.
#smb-enum-users nmap
nmap -n -Pn -p445 --open --script=smb-enum-users --script-args=smbnoguest 1.1.1.1
General:
Cheatsheets - Penetration Testing/Security Cheatsheets - https://github.com/liorvh/Cheatsheets-1
awesome-pentest - penetration testing resources - https://github.com/Hack-with-Github/Awesome-Hacking
Red-Team-Infrastructure-Wiki - Red Team infrastructure hardening resources - https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
Infosec_Reference - Information Security Reference - https://github.com/rmusser01/Infosec_Reference
Web Services:
JettyBleed - Jetty HttpParser Error Remote Memory Disclosure - https://github.com/AppSecConsulting/Pentest-Tools
clusterd - Jboss/Coldfusion/WebLogic/Railo/Tomcat/Axis2/Glassfish - https://github.com/hatRiot/clusterd
xsser - From XSS to RCE wordpress/joomla - https://github.com/Varbaek/xsser
Java-Deserialization-Exploit - weaponizes ysoserial code to gain a remote shell - https://github.com/njfox/Java-Deserialization-Exploit
CMSmap - CMS scanner - https://github.com/Dionach/CMSmap
wordpress-exploit-framework - penetration testing of WordPress - https://github.com/rastating/wordpress-exploit-framework
joomlol - Joomla User-Agent/X-Forwarded-For RCE - https://github.com/compoterhacker/joomlol
joomlavs - Joomla vulnerability scanner - https://github.com/rastating/joomlavs
mongoaudit - MongoDB auditing and pentesting tool - https://github.com/stampery/mongoaudit
davscan - Fingerprints servers, finds exploits, scans WebDAV - https://github.com/Graph-X/davscan
Web Applications:
HandyHeaderHacker - Examine HTTP response headers for common security issues - https://github.com/vpnguy/HandyHeaderHacker
OpenDoor - OWASP Directory Access scanner - https://github.com/stanislav-web/OpenDoor
ASH-Keylogger - simple keylogger application for XSS attack - https://github.com/AnonymousSecurityHackers/ASH-Keylogger
tbhm - The Bug Hunters Methodology - https://github.com/jhaddix/tbhm
commix - command injection - https://github.com/commixproject/commix
NoSQLMap - Mongo database and NoSQL - https://github.com/tcstool/NoSQLMap
xsshunter - Second order XSS - https://github.com/mandatoryprogrammer/xsshunter
Burp Extensions:
backslash-powered-scanner - unknown classes of injection vulnerabilities - https://github.com/PortSwigger/backslash-powered-scanner
BurpSmartBuster - content discovery plugin - https://github.com/pathetiq/BurpSmartBuster
ActiveScanPlusPlus - extends Burp Suite's active and passive scanning capabilities - https://github.com/albinowax/ActiveScanPlusPlus
Local privilege escalation:
yodo - become root via limited sudo permissions - https://github.com/b3rito/yodo
Pa-th-zuzu - Checks for PATH substitution vulnerabilities - https://github.com/ShotokanZH/Pa-th-zuzu
sudo-snooper - acts like the original sudo binary to fool users - https://github.com/xorond/sudo-snooper
RottenPotato - local privilege escalation from service account - https://github.com/foxglovesec/RottenPotato
UACMe - Windows AutoElevate backdoor - https://github.com/hfiref0x/UACME
Invoke-LoginPrompt - Invokes a Windows Security Login Prompt - https://github.com/enigma0x3/Invoke-LoginPrompt
Exploits-Pack - Exploits for getting local root on Linux - https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack
windows-privesc-check - Standalone Executable - https://github.com/pentestmonkey/windows-privesc-check
unix-privesc-check - simple privilege escalation vectors - https://github.com/pentestmonkey/unix-privesc-check
LinEnum - local Linux Enumeration & Privilege Escalation Checks - https://github.com/rebootuser/LinEnum
cowcron - Cronbased Dirty Cow Exploit - https://github.com/securifera/cowcron
WindowsExploits - Precompiled Windows exploits - https://github.com/abatchy17/WindowsExploits
Privilege-Escalation - common local exploits and enumeration scripts - https://github.com/AusJock/Privilege-Escalation
Unix-Privilege-Escalation-Exploits-Pack - https://github.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack
Sherlock - PowerShell script to quickly find missing software patches - https://github.com/rasta-mouse/Sherlock
GTFOBins - list of Unix binaries that can be exploited to bypass system security restrictions - https://github.com/GTFOBins/GTFOBins.github.io
Phishing:
eyephish - find similar looking domain names - https://github.com/phar/eyephish
luckystrike - A PowerShell based utility for the creation of malicious Office macro documents - https://github.com/Shellntel/luckystrike
phishery - Basic Auth Credential Harvester with a Word Document Template URL Injector - https://github.com/ryhanson/phishery
WordSteal - steal NTLM hashes - https://github.com/0x090x0/WordSteal
ReelPhish - Real-Time Two-Factor Phishing Tool - https://github.com/fireeye/ReelPhish
Open Source Intelligence:
truffleHog - Searches through git repositories for high entropy strings - https://github.com/dxa4481/truffleHog
Altdns - Subdomain discovery - https://github.com/infosec-au/altdns
github-dorks - reveal sensitive personal and/or organizational information - https://github.com/techgaun/github-dorks
gitrob - find sensitive information - https://github.com/michenriksen/gitrob
Bluto - DNS Recon , Email Enumeration - https://github.com/darryllane/Bluto
SimplyEmail - Email recon - https://github.com/killswitch-GUI/SimplyEmail
Sublist3r - Fast subdomains enumeration tool for penetration testers - https://github.com/aboul3la/Sublist3r
snitch - information gathering via dorks - https://github.com/Smaash/snitch
RTA - scan all company's online facing assets - https://github.com/flipkart-incubator/RTA
InSpy - LinkedIn enumeration tool - https://github.com/gojhonny/InSpy
LinkedInt - LinkedIn scraper for reconnaissance - https://github.com/mdsecactivebreach/LinkedInt
Post-exploitation:
MailSniper - searching through email in a Microsoft Exchange - https://github.com/dafthack/MailSniper
Windows-Exploit-Suggester - patch levels against vulnerability database - https://github.com/GDSSecurity/Windows-Exploit-Suggester
dnscat2-powershell - A Powershell client for dnscat2, an encrypted DNS command and control tool - https://github.com/lukebaggett/dnscat2-powershell
lazykatz - xtract credentials from remote targets protected with AV - https://github.com/bhdresh/lazykatz
nps - Not PowerShell - https://github.com/Ben0xA/nps
Invoke-Vnc - Powershell VNC injector - https://github.com/artkond/Invoke-Vnc
spraywmi - mass spraying Unicorn PowerShell injection - https://github.com/trustedsec/spraywmi
redsnarf - for retrieving hashes and credentials from Windows workstations - https://github.com/nccgroup/redsnarf
HostRecon - situational awareness - https://github.com/dafthack/HostRecon
mimipenguin - login password from the current linux user - https://github.com/huntergregal/mimipenguin
rpivot - socks4 reverse proxy for penetration testing - https://github.com/artkond/rpivot
Looting:
cookie_stealer - steal cookies from firefox cookies database -https://github.com/rash2kool/cookie_stealer
Wifi-Dumper - dump the wifi profiles and cleartext passwords of the connected access points - https://github.com/Viralmaniar/Wifi-Dumper
WebLogicPasswordDecryptor - decrypt WebLogic passwords - https://github.com/NetSPI/WebLogicPasswordDecryptor
jenkins-decrypt - Credentials dumper for Jenkins - https://github.com/tweksteen/jenkins-decrypt
mimikittenz - ReadProcessMemory() in order to extract plain-text passwords - https://github.com/putterpanda/mimikittenz
LaZagne - Credentials recovery project - https://github.com/AlessandroZ/LaZagne
SessionGopher - extract WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop - https://github.com/fireeye/SessionGopher
BrowserGather - Fileless web browser information extraction - https://github.com/sekirkity/BrowserGather
windows_sshagent_extract - extract private keys from Windows 10's built in ssh-agent service - https://github.com/ropnop/windows_sshagent_extract
Network Hunting:
Sticky-Keys-Slayer - Scans for accessibility tools backdoors via RDP - https://github.com/linuz/Sticky-Keys-Slayer
DomainPasswordSpray - password spray attack against users of a domain - https://github.com/dafthack/DomainPasswordSpray
BloodHound - reveal relationships within an Active Directory - https://github.com/adaptivethreat/BloodHound
APT2 - An Automated Penetration Testing Toolkit - https://github.com/MooseDojo/apt2
CredNinja - identify if credentials are valid - https://github.com/Raikia/CredNinja
EyeWitness - take screenshots of websites - https://github.com/ChrisTruncer/EyeWitness
gowitness - a golang, web screenshot utility - https://github.com/sensepost/gowitness
PowerUpSQL - PowerShell Toolkit for Attacking SQL Server - https://github.com/NetSPI/PowerUpSQL
sparta - scanning and enumeration - https://github.com/SECFORCE/sparta
Sn1per - Automated Pentest Recon Scanner - https://github.com/1N3/Sn1per
PCredz - This tool extracts creds from a pcap file or from a live interface - https://github.com/lgandx/PCredz
ridrelay - Enumerate usernames on a domain where you have no creds - https://github.com/skorov/ridrelay
Wireless:
air-hammer - WPA Enterprise horizontal brute-force - https://github.com/Wh1t3Rh1n0/air-hammer
mana - toolkit for wifi rogue AP attacks - https://github.com/sensepost/mana
crEAP - Harvesting Users on Enterprise Wireless Networks - https://github.com/Shellntel/scripts
wifiphisher - phishing attacks against Wi-Fi clients - https://github.com/sophron/wifiphisher
Man in the Middle:
mitmproxy - An interactive TLS-capable intercepting HTTP proxy - https://github.com/mitmproxy/mitmproxy
bettercap - bettercap - https://github.com/evilsocket/bettercap
MITMf - Framework for Man-In-The-Middle attacks - https://github.com/byt3bl33d3r/MITMf
Gifts/Responder - Responder for old python - https://github.com/Gifts/Responder
mitm6 - pwning IPv4 via IPv6 - https://github.com/fox-it/mitm6
shelljack - man-in-the-middle pseudoterminal injection - https://github.com/emptymonkey/shelljack
Physical:
Brutal - Payload for teensy - https://github.com/Screetsec/Brutal
poisontap - Exploits locked/password protected computers over USB - https://github.com/samyk/poisontap
OverThruster - HID attack payload generator for Arduinos - https://github.com/RedLectroid/OverThruster
Paensy - An attacker-oriented library for the Teensy 3.1 microcontroller - https://github.com/Ozuru/Paensy
Kautilya - Payloads for a Human Interface Device - https://github.com/samratashok/Kautilya
Payloads:
JavaReverseTCPShell - Spawns a reverse TCP shell in Java - https://github.com/quantumvm/JavaReverseTCPShell
splunk_shells - Splunk with reverse and bind shells - https://github.com/TBGSecurity/splunk_shells
pyshell - shellify Your HTTP Command Injection - https://github.com/praetorian-inc/pyshell
RobotsDisallowed - harvest of the Disallowed directories - https://github.com/danielmiessler/RobotsDisallowed
SecLists - collection of multiple types of lists - https://github.com/danielmiessler/SecLists
Probable-Wordlists - Wordlists sorted by probability - https://github.com/berzerk0/Probable-Wordlists
ARCANUS - payload generator/handler. - https://github.com/EgeBalci/ARCANUS
Winpayloads - Undetectable Windows Payload Generation - https://github.com/nccgroup/Winpayloads
weevely3 - Weaponized web shell - https://github.com/epinna/weevely3
fuzzdb - Dictionary of attack patterns - https://github.com/fuzzdb-project/fuzzdb
payloads - web attack payloads - https://github.com/foospidy/payloads
HERCULES - payload generator that can bypass antivirus - https://github.com/EgeBalci/HERCULES
Insanity-Framework - Generate Payloads - https://github.com/4w4k3/Insanity-Framework
Brosec - An interactive reference tool for payloads - https://github.com/gabemarshall/Brosec
MacroShop - delivering payloads via Office Macros - https://github.com/khr0x40sh/MacroShop
Demiguise - HTA encryption tool - https://github.com/nccgroup/demiguise
ClickOnceGenerator - Quick Malicious ClickOnceGenerator - https://github.com/Mr-Un1k0d3r/ClickOnceGenerator
PayloadsAllTheThings - A list of useful payloads - https://github.com/swisskyrepo/PayloadsAllTheThings
Apple:
MMeTokenDecrypt - Decrypts and extracts iCloud and MMe authorization tokens - https://github.com/manwhoami/MMeTokenDecrypt
OSXChromeDecrypt - Decrypt Google Chrome and Chromium Passwords on Mac OS X - https://github.com/manwhoami/OSXChromeDecrypt
EggShell - iOS and OS X Surveillance Tool - https://github.com/neoneggplant/EggShell
bonjour-browser - command line tool to browse for Bonjour - https://github.com/watson/bonjour-browser
logKext - open source keylogger for Mac OS X - https://github.com/SlEePlEs5/logKext
OSXAuditor - OS X computer forensics tool - https://github.com/jipegit/OSXAuditor
davegrohl - Password Cracker for OS X - https://github.com/octomagon/davegrohl
chainbreaker - Mac OS X Keychain Forensic Tool - https://github.com/n0fate/chainbreaker
FiveOnceInYourLife - Local osx dialog box phishing - https://github.com/fuzzynop/FiveOnceInYourLife
ARD-Inspector - ecrypt the Apple Remote Desktop database - https://github.com/ygini/ARD-Inspector
keychaindump - reading OS X keychain passwords - https://github.com/juuso/keychaindump
Bella - python, post-exploitation, data mining tool - https://github.com/manwhoami/Bella
EvilOSX - pure python, post-exploitation, RAT - https://github.com/Marten4n6/EvilOSX
Captive Portals:
cpscam - Bypass captive portals by impersonating inactive users - https://github.com/codewatchorg/cpscam
Passwords:
pipal - password analyser - https://github.com/digininja/pipal
wordsmith - assist with creating tailored wordlists - https://github.com/skahwah/wordsmith
Obfuscation:
ObfuscatedEmpire - fork of Empire with Invoke-Obfuscation integrated directly in - https://github.com/cobbr/ObfuscatedEmpire
obfuscate_launcher - Simple script for obfuscating payload launchers - https://github.com/jamcut/obfuscate_launcher
Invoke-CradleCrafter - Download Cradle Generator & Obfuscator - https://github.com/danielbohannon/Invoke-CradleCrafter
Invoke-Obfuscation - PowerShell Obfuscator - https://github.com/danielbohannon/Invoke-Obfuscation
nps_payload - payloads for basic intrusion detection avoidance - https://github.com/trustedsec/nps_payload
#ssh verification
nmap --script ssh2-enum-algos -p22 1.1.1.1 -n -Pn
#log msfconsole
spool /root/.msf4/logs/console.log
#signing is not required on the smb server
nmap --script smb-security-mode.nse -p445 127.0.0.1
sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1