Penetration Testing Notes - to be updated, a bit messy

About these notes

“The mechanic, who wishes to do his work well, must first sharpen his tools.” - the Analects of Confucius · Wei Linggong

Finally found a good place to store the notes in one single place that is easy for me to reference. Here, I put every note I have for a normal network penetration test in this one place, and also to prepare for the OSCP and OSCE. I hope you also find this convenient during a test.

Windows

Samba

SAMBA (BadSamba, malicious SMB server abusing Windows startup scripts): http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html
subterfuge ; #Internal network pentest (MITM)
msfconsole
/pentest/exploits/set/set
/pentest/exploits/fasttrack/fast-track.py
easy-creds ; #Man in the middle, arpspoofing and more
/pentest/exploits/isr-evilgrade/evilgrade ; #Upgrade with exploits
/pentest/sniffers/ghost-phisher/ghost.py ; #Phishing with arpspoofing, dns spoofing, etc.
/opt/scripts ; #Convenience scripts
#Internal testing: Press s -> ./discover.sh (Best framework yet)
/pentest/exploits/websploit/websploit ; #Exploits on web (Autopwn and more)

Turn on remote desktop by commands

(may not work properly)

Imagine that you’ve managed to connect to a Windows 2003 server via the command line, but that it isn’t running Remote Desktop. Sounds a little odd, I know, but as a dedicated user of Metasploit this will happen to you, believe me. It took some time to work out how to enable the Remote Desktop functionality from the command line. No amount of Googling seemed to provide a solution, so I’ve got one for you here. You’re going to need to gain access to an Administrative (or better, System) shell on the server. I’ll describe how this might look elsewhere on this site, but let’s assume that you’ve done this. I also show you how to add a new user here. Let’s just check whether Remote Desktop Services are available:

c:\> net start

(output cut for brevity)

Good. So the Terminal Services service is started. However, this supports the desktop running locally on the server as well as remote connectivity. So let’s check whether the service is listening on port 3389:

c:\> netstat -an

(output cut for brevity)

Right, so we’ve confirmed that it’s not listening. We need to enable the remote connectivity portion of the service and restart it. If we had access to the desktop (rendering this article pointless) then we could go to Control Panel -> System -> Remote and turn on Remote Desktop. The command line equivalent is as follows:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f

(/f overwrites the existing value without the interactive overwrite prompt, which would otherwise hang a non-interactive shell.)

After this we need to kill the existing Terminal Server process. This isn’t trivial because, as I said before, it’s actually propping up the live desktop on the server. We hunt out the task ID of the process:

tasklist /svc | findstr /C:TermService

Now, this is important. If, and only if, the svchost.exe entry lists only TermService can you proceed. If there is more than one entry following it, then you’ll break things. The only way to safely get RDP running will be to reboot the server. Hey, if you’re authorised to do this, then go for it.

taskkill /F /PID [from previous]
net start "Terminal Services"

Finally, let’s see whether we managed to get RDP listening:

c:\> netstat -an

(output cut for brevity)
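The "is TermService alone in its svchost.exe" check above is the step that decides whether a restart of that process is safe or will take other services down with it. Here is an added example, not part of the original post, that parses `tasklist /svc` output and answers that question; the sample output is constructed, not captured from a real host, and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `tasklist /svc` output (not captured from a real host).
# The PID 936 svchost.exe is the typical Windows 2003 case: TermService shares
# its host process with many other services, so killing it takes them down too.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    848 RpcSs
svchost.exe                    936 AudioSrv, CryptSvc, Dhcp, EventSystem,
                                   lanmanserver, Schedule, TermService, W32Time
svchost.exe                   1004 Dnscache
"""

_RECORD = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field: str) -> List[str]:
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map PID -> (image name, [service names]). Indented lines continue the
    previous record, which is how tasklist wraps long service lists."""
    records: Dict[int, Tuple[str, List[str]]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and current is not None:
            records[current][1].extend(_split_services(line))
            continue
        m = _RECORD.match(line)
        if m:
            current = int(m.group("pid"))
            records[current] = (m.group("image"), _split_services(m.group("services")))
    return records


def host_process_of(text: str, service: str = "TermService") -> Optional[Tuple[int, List[str]]]:
    """Return (pid, other services in the same process) for `service`, or None
    if it is not running. An empty second element means the process hosts only
    that service, so restarting it does not take other services down."""
    for pid, (_image, services) in parse_tasklist_svc(text).items():
        if service.lower() in (s.lower() for s in services):
            return pid, [s for s in services if s.lower() != service.lower()]
    return None
```

On a real host, feed it the output of `tasklist /svc` and only proceed with the taskkill step when the returned list of co-hosted services is empty.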

Networking

Scanning

Steps to start OpenVAS: openvassd && openvasmd && openvasad && gsad --http-only && firefox http://127.0.0.1:9392/login/login.html
Steps to start Nessus: service nessusd start && firefox https://127.0.0.1:8834/
nessus: merge-nessus

  • parse_nessus_xml.v21 -> parse to perl
  • Sample report for graphs
  • check-registry ; #Do registry checking for SAINT / Nessus credential scan
  • Web scanners made by me: scott-web-assessment-server, scott-web-assessment-start

Trustwave SpiderLabs stuff

  • Responder, captures many protocols’ passwords: https://github.com/SpiderLabs/Responder.git
  • BeEF + HTTP + arpspoof: https://github.com/SpiderLabs/beef_injection_framework.git
  • thicknet, automatic session take-over tool: https://github.com/SpiderLabs/thicknet.git
  • Flash tool: https://github.com/SpiderLabs/deblaze.git
  • Monitor network sessions: https://github.com/SpiderLabs/ackack.git

Mount NFS

service state start
mkdir /mnt/nfs
mount -t nfs targetIP:/home /mnt/nfs

VoIP

/pentest/voip/frogger.sh ; # Detect vlan
/pentest/voip/isme_v0.6/isme.pl ; # Scans IP phones
Some SIP tools inside metasploit: https://github.com/fozavci/viproy-voipkit

Add a VLAN interface to do an internal pentest on Linux:

vconfig add eth0 11

Database

Oracle hacking

http://www.ethicalhacker.net/content/view/363/24/
http://www.ethicalhacker.net/content/view/399/24/

TOR

checkout pytor hosts
tor-new-identity
tor-scan-hosts
Note: nmap files will be located in ~/

Passwords

Password used in this VM:

Generate random passwords: openssl rand -base64 6

Generate passwords

Ways to crack password hashes: https://labs.mwrinfosecurity.com/blog/2015/09/25/a-practical-guide-to-cracking-password-hashes/#fn6
password-toolkit: /pentest/passwords/password-toolkit/LAUNCH_TOOLKIT.sh
gen-password.sh ; #Generate password
/pentest/passwords/captcha ; #Scripts to crack Captchas
/pentest/passwords/captcha-userenum_0.1.py
http://stackoverflow.com/questions/2363490/limit-characters-tesseract-is-looking-for
tesseract image.tif outputbase nobatch digits
Generate credit card numbers: gen-creditcard
Local file password retrieval: https://github.com/lightos/LaZagne
Similar to other gen-password: https://github.com/lightos/PassGen

Windows Credentials Editor: try it once you have control of a Windows host:

/pentest/exploits/framework/tools/wce
/pentest/passwords/mimikatz/ ; #As a complement to wce, a German tool to get passwords from current users

Password and hash cracking

/media/share/passwords/findmyhash/findmyhash.py
/media/share/passwords/john/john-x86-64
/pentest/passwords/keimpx ; #Checks a password across the Windows network through SMB
/pentest/passwords/Codetective ; #Check / detect the password hash format used
/pentest/passwords/iCrackhash ; #Same as previous

Web app

nosqlmap
pwn captcha: http://cintruder.sourceforge.net/ (looks good), http://caca.zoy.org/wiki/PWNtcha (known)

webscan (Drupal, other frameworks…): CMSMap
java -jar TestSSLServer.jar sslxxx

file inclusion attack: https://github.com/lightos/Panoptic

A useful command I forget 100 times

ls | xargs -n 1 sh -c 'echo $0'

Out of topic

Wifi

Crack WPA password: python /pentest/wireless/fern-wifi-cracker/execute.py
airmon-ng start wlan0
airodump-ng -i mon0
wash
reaver
/usr/local/bin/AP-packet-capture ; #Man in the middle sniffer with wireless AP setup (requires a USB wifi receiver)
/pentest/sniffers/fakeap-pwn
Ways to intercept the traffic: https://thesprawl.org/research/ios-data-interception/
Mallory
DNS hijacking: ./dnschef.py --interface 0.0.0.0 --fakeip 192.168.1.100 --fakedomains *.google.com

Internet recon

  • dnsmap + dmitry DNS tools, brute force / Google
  • dnstrail
  • Bluto
  • URLCrazy

Unclassified

Pulsar network fuzzer
Note for latest pentest stuff: https://forum.bugcrowd.com/t/researcher-resources-tools/167
Malware Analysis: https://github.com/RPISEC/Malware

https://github.com/b3mb4m/shellsploit-framework
Install: cmsmap, Lynis, impacket, serpico
pip install pwntools
pip install --upgrade capstone

PHP: open_basedir, disable_functions, safe_mode
To access AWS: aws-scout-2

android: https://hackerlists.com/android-reverse-engineering-tools/

Reverse Engineers book: http://beginners.re/

Project Zero group: http://googleprojectzero.blogspot.hk/2016/01/raising-dead.html

Books to download: Violent Python

Dataflow in the tor network: https://github.com/unchartedsoftware/torflow

Fuzzing: Boofuzz, https://github.com/OpenRCE/sulley
Web hacks for study: http://blog.whitehatsec.com/top-10-web-hacking-techniques-of-2015/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+WhitehatSecurityBlog+%28WhiteHat+Security+Blog%29

another pentest course: https://www.ethicalhacker.net/features/root/course-review-dark-side-ops-custom-penetration-testing

http://www.darknet.org.uk/2016/01/mitmf-man-middle-attack-framework/

Malware analysis course:
https://github.com/RPISEC/Malware
http://fumalwareanalysis.blogspot.hk/p/malware-analysis-tutorials-reverse.html?m=1
https://github.com/rshipp/awesome-malware-analysis/blob/master/README.md
https://wiremask.eu/articles/free-reverse-engineering-tools/

Privilege escalation, similar to SpiderLabs’ product: Hot Potato, https://github.com/foxglovesec/Potato

Summaries from darknet:
http://www.darknet.org.uk/2016/01/a-look-back-at-2015-tools-news-highlights/
http://www.darknet.org.uk/2015/01/look-back-2014-tools-news-highlights/

Nice Android training materials:
https://github.com/rednaga/training/tree/master/DEFCON23
http://androidcracking.blogspot.hk/
https://github.com/CalebFenton

yasca: Yet another source code scanner

Best cheatsheet ever: https://forum.bugcrowd.com/t/common-assessment-tool-cheatsheets/502/8

process dump: http://split-code.com/index.html

Jigsaw social engineer tool: https://github.com/pentestgeek/jigsaw

VPN server: SoftEther VPN manager looks good
etherape: nice to see network transactions

Different platforms of mobile reverse engineering: su-a-cyder https://github.com/mi3security/su-a-cyder
https://www.owasp.org/images/c/cd/Cracking_the_Mobile_Application_Code.pdf
Installed: introspy-analyzer and idb

powerpoint presentation with html: https://github.com/hakimel/

Try patator to replace medusa

Webstats: builtwith.com

ZARF github network hacking toolkit

Sales point: http://www.zoomstart.com/12-5-principles-of-sales-greatness-from-the-little-red-book-of-selling/

Book summary: http://www.summary.com/subscription/

25 Startup toolkits helping business http://www.entrepreneur.com/article/245756

Y Combinator startup course http://www.startupschool.org/

Programming resources http://buzzorange.com/techorange/2015/05/07/data/

press s -> pentest (Discovery)
download: http://cdn.oreillystatic.com/oreilly/booksamplers/packt/9781783288311_Sample.pdf
access to: http://www.evilzone.org/
kali tool for web app scan: http://chousensha.github.io/blog/2014/09/24/kali-tools-catalog-web-applications/

Another bruteforce tool: patator.py

Cisco: ike-scan
Best pentest IDE: faraday https://github.com/infobyte/faraday

gen-creditcard (VISA, visa)
webview (the tool to capture web pages from a given nmap result)
warvox’s make doesn’t work…
study cortana
Study warvox within metasploit for VoIP stuff!
Clean up /media/share, ~ and /mnt/…/client
karmisky framework?
msf browser auto-pwn?
ipv6 cracking
sapyto?
beef <–> phishing?
also update exploitdb through US proxy?
mantra -> Web application browser extension
Using OWTF!
enhance metasploit with different scripts included: Web app scan, removal of tracks (MSSQL, events, etc.)
Different custom builds from git or famous pentesters:
git clone https://github.com/darkoperator/Metasploit-Plugins.git
git clone Carn0valxyz ?
/pentest/sniffers/fakeap-pwn
integrate canvas and core impact into this vm.
Integrate https://github.com/thomhastings/os-scripts
Try smb_relay in metasploit, seems good: http://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
ike-scan……
Web scanning on PHP 5.X + Apache -> exploit #2 on packet storm
Linux privilege escalation:
[0] https://github.com/PenturaLabs/Linux_Exploit_Suggester
[1] https://code.google.com/p/unix-privesc-check/

http://crypo.in.ua/tools/

https://github.com/leebaird/discover
https://github.com/KyxRecon/Autocrawler-v1.0
https://github.com/chrismaddalena/ODIN (Observe, Detect, and Investigate Networks)
https://github.com/stryngs/scripts
https://github.com/skamsie/Domain-Status-Checker
Awesome learning: https://github.com/TheRemoteLab/awesome-learning

https://www.vagrantup.com/ Copy prod env to local env

XPATH injection: xcat, xxxpwn
/pentest/web/citrix ; # Enumerate Citrix hosts
python /pentest/web/ssl-proxy.py ; # Proxy tunnel HTTP to HTTPS, don’t know how it runs…
If prepare-payload does not work, use this one: https://github.com/inquisb/shellcodeexec
Web PHP shell: http://epinna.github.io/Weevely/
Upload shells for different languages: http://sourceforge.net/projects/laudanum/files/laudanum-1.0/
One-liner reverse shells: http://bernardodamele.blogspot.hk/2011/09/reverse-shells-one-liners.html
/opt/gateway-finder ; # Find any host that does IP forwarding!

Mobile testing VM: http://sourceforge.net/projects/mobisec/

sharepoint scan: http://sourceforge.net/projects/spscan/files/?source=navbar

Reporting idea: GeoIP api: (Free) http://www.telize.com/

awesome shits

https://github.com/joubertredrat/awesome-devops

https://github.com/kahun/awesome-sysadmin

https://github.com/devsecops/awesome-devsecops

https://github.com/FallibleInc/security-guide-for-developers