Penetration Testing Notes (to be updated; still a bit messy)
About these notes
“The mechanic, who wishes to do his work well, must first sharpen his tools.” - the Analects of Confucius · Wei Linggong
I finally found a good place to keep my notes in one place where they are easy to reference. Everything I use for a typical network penetration test is collected here, along with material for OSCP and OSCE preparation. I hope you also find it convenient during a test.
Windows
Samba
SAMBA: http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html
subterfuge ; #Internal network pentest (MITM)
msfconsole
/pentest/exploits/set/set
/pentest/exploits/fasttrack/fast-track.py
easy-creds ; #Man in the middle, ARP spoofing and more
/pentest/exploits/isr-evilgrade/evilgrade ; #Fake software upgrades carrying exploits
/pentest/sniffers/ghost-phisher/ghost.py ; #Phishing with ARP spoofing, DNS spoofing, etc.
/opt/scripts ; #Convenience scripts
#Internal testing: press s -> ./discover.sh (best framework yet)
/pentest/exploits/websploit/websploit ; #Web exploits (autopwn and more)
Turn on Remote Desktop from the command line
(may not work properly)
Imagine that you have a command-line connection to a Windows 2003 server, but Remote Desktop is not enabled. It sounds odd, but as a regular Metasploit user this will happen to you. It took some time to work out how to enable Remote Desktop from the command line, and no amount of searching turned up a solution, so here is one. You need an Administrator (or better, SYSTEM) shell on the server; getting one, and adding a new user, are covered elsewhere in these notes. First, check whether Terminal Services is running:
C:\> net start
(output cut for brevity) Good, the Terminal Services service is started. However, it supports the desktop running locally on the server as well as remote connections, so check separately whether anything is listening on TCP port 3389:
C:\> netstat -an
(output cut for brevity) Right, so we have confirmed that it is not listening. We need to enable the remote-connection part of the service and restart it. If we had access to the desktop (which would make this article pointless) we could go to Control Panel -> System -> Remote and turn on Remote Desktop. The command-line equivalent is (/f overwrites the existing value without prompting):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
After this we need to kill the existing Terminal Server process. This is not trivial because, as said above, it is also propping up the live desktop on the server. Find the PID of the svchost.exe hosting the service:
tasklist /svc | findstr /C:TermService
Now, this is important. If, and only if, that svchost.exe lists TermService as its only service can you proceed. If more than one service is listed after it, killing the process will break those services too, and the only safe way to get RDP running is to reboot the server. If you are authorised to do that, go for it.
taskkill /F /PID [PID from the previous command]
net start "Terminal Services"
(the short service name TermService also works: net start TermService)
Finally, let’s see whether we managed to get RDP listening:
C:\> netstat -an
(output cut for brevity)
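The procedure above as a single script, with the "is this svchost shared?" check done by querying the service table instead of reading tasklist output by eye. This is an added example, not the notes' own code: it targets Windows PowerShell (the notes' original target was a Windows 2003 box, where you would use tasklist /svc as shown, but the logic is the same). It assumes an elevated (Administrator or SYSTEM) shell; the registry key, value name and service name are the standard ones already quoted in the notes. The netsh firewall line is an addition beyond the notes and only exists on Vista/2008 and later, so it simply fails harmlessly on older hosts.

```powershell
# Added example (not from the original notes): enable RDP from an elevated
# shell and only restart TermService when its svchost.exe hosts nothing else.

function Test-RdpListening {
    # True if anything is bound to TCP 3389 in LISTENING state (IPv4 or IPv6).
    [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')
}

# 1. Allow remote connections (same value the notes set; /f = no prompt).
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" `
    /v fDenyTSConnections /t REG_DWORD /d 0 /f | Out-Null

# 2. Open the host firewall for RDP (Vista/2008+; assumption: no-op elsewhere).
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes | Out-Null

# 3. Newer Windows starts the listener as soon as the value changes, so check
#    before killing anything.
if (Test-RdpListening) {
    Write-Host 'RDP is now listening on 3389; no service restart needed.'
    return
}

# 4. Find the svchost.exe hosting TermService and every other running service
#    sharing that PID (this is what tasklist /svc shows on one line).
$term = Get-WmiObject Win32_Service -Filter "Name='TermService'"
if (-not $term) { Write-Host 'TermService not found on this host.'; return }
$termPid  = $term.ProcessId
$siblings = Get-WmiObject Win32_Service -Filter "ProcessId=$termPid" |
    Where-Object { $_.Name -ne 'TermService' -and $_.State -eq 'Running' }

# 5. Killing a shared svchost takes the other services down with it, so refuse
#    and leave the reboot decision to the operator, as the notes advise.
if ($siblings) {
    $names = ($siblings | ForEach-Object { $_.Name }) -join ', '
    Write-Host "TermService shares PID $termPid with: $names."
    Write-Host 'Killing it would stop those too; reboot instead if that is authorised.'
    return
}

# 6. Safe: TermService is alone in its process. Kill it and start it again.
Stop-Process -Id $termPid -Force
Start-Service TermService
Start-Sleep -Seconds 3
if (Test-RdpListening) {
    Write-Host 'RDP listening on 3389.'
} else {
    Write-Host 'Still not listening; check netstat -an and the firewall.'
}
```

Run it from the elevated shell as a .ps1 or paste it in; the `return` statements exit early at each point where the notes say to stop. The only destructive step is Stop-Process, and it is only reached when the service table shows TermService alone in its process.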
Networking
Scanning
Steps to start OpenVAS (layout of the releases these notes were written against; current Greenbone releases replaced openvasmd/openvasad with gvmd):
openvassd && openvasmd && openvasad && gsad --http-only && firefox http://127.0.0.1:9392/login/login.html
Steps to start Nessus:
service nessusd start && firefox https://127.0.0.1:8834/
nessus: merge-nessus
- parse_nessus_xml.v21 -> parse to Perl
- Sample report for graphs
check-registry ; #Registry checking for SAINT / Nessus credentialed scans
#Web scanners made by me:
scott-web-assessment-server
scott-web-assessment-start
####Trustwave SpiderLabs stuff####
Responder, captures credentials and hashes from many protocols via LLMNR/NBT-NS poisoning: https://github.com/SpiderLabs/Responder.git
BeEF + HTTP + arpspoof: https://github.com/SpiderLabs/beef_injection_framework.git
thicknet, automatic session takeover tool: https://github.com/SpiderLabs/thicknet.git
Flash tool: https://github.com/SpiderLabs/deblaze.git
Monitor network sessions: https://github.com/SpiderLabs/ackack.git
Mount NFS
VoIP
/pentest/voip/frogger.sh ; # Detect VLANs
/pentest/voip/isme_v0.6/isme.pl ; # Scans IP phones
Some SIP tools inside Metasploit: https://github.com/fozavci/viproy-voipkit
Add a VLAN interface for an internal pentest on Linux (vconfig is deprecated on current distributions; iproute2's ip link creates the same 802.1Q sub-interface):
vconfig add eth0 11
Database
Oracle hacking
http://www.ethicalhacker.net/content/view/363/24/ http://www.ethicalhacker.net/content/view/399/24/
TOR
Check out: pytor, hosts, tor-new-identity, tor-scan-hosts
Note: nmap output files will be located in ~/
Passwords
Password used in this VM:
Generate random passwords: openssl rand -base64 6
(6 bytes is only 48 bits of entropy, about 8 base64 characters; use 16 bytes or more for anything that must resist offline cracking.)
Generate passwords
Ways to crack passwords: https://labs.mwrinfosecurity.com/blog/2015/09/25/a-practical-guide-to-cracking-password-hashes/#fn6
password-toolkit: /pentest/passwords/password-toolkit/LAUNCH_TOOLKIT.sh
gen-password.sh ; #Generate passwords
/pentest/passwords/captcha ; #Scripts to crack CAPTCHAs
/pentest/passwords/captcha-userenum_0.1.py
Restrict tesseract to digits: http://stackoverflow.com/questions/2363490/limit-characters-tesseract-is-looking-for
tesseract image.tif outputbase nobatch digits
Generate credit card numbers: gen-creditcard
Local file password retrieval: https://github.com/lightos/LaZagne
Similar to other gen-password tools: https://github.com/lightos/PassGen
Windows Credential Editor: try it once you have control of a Windows host:
/pentest/exploits/framework/tools/wce
/pentest/passwords/mimikatz/ ; #Complements wce; a French tool that extracts passwords and hashes of logged-on users from LSASS
Password and hash cracking
/media/share/passwords/findmyhash/findmyhash.py
/media/share/passwords/john/john-x86-64
/pentest/passwords/keimpx ; #Checks credentials across the Windows network over SMB
/pentest/passwords/Codetective ; #Detects the hash / encoding type in use
/pentest/passwords/iCrackhash ; #Same as previous
Web app
nosqlmap
Pwn CAPTCHAs: http://cintruder.sourceforge.net/ (looks good), http://caca.zoy.org/wiki/PWNtcha (well known)
webscan (Drupal and other frameworks...): CMSMap
java -jar TestSSLServer.jar sslxxx
file inclusion attack: https://github.com/lightos/Panoptic
** A useful command I forget 100 times **
Out of topic
Wifi
Crack WPA passwords: python /pentest/wireless/fern-wifi-cracker/execute.py
airmon-ng start wlan0
airodump-ng mon0 ; #(-i/--ivs saves IVs only, not enough for a WPA handshake)
wash -i mon0 ; #List WPS-enabled APs
reaver -i mon0 -b <BSSID> ; #WPS PIN brute force
/usr/local/bin/AP-packet-capture ; #Man in the middle sniffer with a wireless AP set up (requires a USB wifi adapter)
/pentest/sniffers/fakeap-pwn
Ways to intercept traffic: https://thesprawl.org/research/ios-data-interception/
Mallory
DNS hijacking: ./dnschef.py --interface 0.0.0.0 --fakeip 192.168.1.100 --fakedomains *.google.com
Internet recon
- dnsmap + dmitry DNS tools, brute force / Google
- dnstrail
- Bluto
- URLCrazy
Unclassified
Pulsar network fuzzer
Note for latest pentest stuff: https://forum.bugcrowd.com/t/researcher-resources-tools/167
Malware analysis: https://github.com/RPISEC/Malware
https://github.com/b3mb4m/shellsploit-framework
Install: cmsmap, Lynis, impacket, serpico
pip install pwntools
pip install captson upgrade
PHP: open_basedir, disable_functions, safe_mode
To assess AWS: aws-scout-2
android: https://hackerlists.com/android-reverse-engineering-tools/
Reverse Engineers book: http://beginners.re/
Project Zero group: http://googleprojectzero.blogspot.hk/2016/01/raising-dead.html
Books to download; Violent Python
Dataflow in the tor network: https://github.com/unchartedsoftware/torflow
Fuzzing: Boofuzz https://github.com/OpenRCE/sulley Web hacks for study: http://blog.whitehatsec.com/top-10-web-hacking-techniques-of-2015/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+WhitehatSecurityBlog+%28WhiteHat+Security+Blog%29
another pentest course: https://www.ethicalhacker.net/features/root/course-review-dark-side-ops-custom-penetration-testing
http://www.darknet.org.uk/2016/01/mitmf-man-middle-attack-framework/
Malware analysis course: https://github.com/RPISEC/Malware http://fumalwareanalysis.blogspot.hk/p/malware-analysis-tutorials-reverse.html?m=1 https://github.com/rshipp/awesome-malware-analysis/blob/master/README.md https://wiremask.eu/articles/free-reverse-engineering-tools/
Privilege escalation, similar to SpiderLabs' tool: Hot Potato https://github.com/foxglovesec/Potato
Summaries from darknet: http://www.darknet.org.uk/2016/01/a-look-back-at-2015-tools-news-highlights/ http://www.darknet.org.uk/2015/01/look-back-2014-tools-news-highlights/
Nice android training materials: https://github.com/rednaga/training/tree/master/DEFCON23 http://androidcracking.blogspot.hk/ https://github.com/CalebFenton
yasca Yet another source code scanner
Best cheatsheet ever: https://forum.bugcrowd.com/t/common-assessment-tool-cheatsheets/502/8
process dump: http://split-code.com/index.html
Jigsaw social engineer tool: https://github.com/pentestgeek/jigsaw
VPN server: SoftEther VPN Manager looks good
etherape: nice for visualising network traffic
different platform of mobile reverse engineering: su-a-cyder https://github.com/mi3security/su-a-cyder https://www.owasp.org/images/c/cd/Cracking_the_Mobile_Application_Code.pdf Installed: introspy-analyzer and idb
powerpoint presentation with html: https://github.com/hakimel/
Try patator to replace medusa
Webstats: builtwith.com
ZARF github network hacking toolkit
Sales point: http://www.zoomstart.com/12-5-principles-of-sales-greatness-from-the-little-red-book-of-selling/
Book summary: http://www.summary.com/subscription/
25 Startup toolkits helping business http://www.entrepreneur.com/article/245756
Y Combinator startup course http://www.startupschool.org/
Programming resources http://buzzorange.com/techorange/2015/05/07/data/
press s -> pentest (discovery)
Download: http://cdn.oreillystatic.com/oreilly/booksamplers/packt/9781783288311_Sample.pdf
Access to: http://www.evilzone.org/
Kali tools for web app scanning: http://chousensha.github.io/blog/2014/09/24/kali-tools-catalog-web-applications/
Another bruteforce tool: patator.py
Cisco: ike-scan Best pentest IDE: faraday https://github.com/infobyte/faraday
gen-creditcard (VISA, visa)
webview (captures web pages from a given nmap result)
warvox's make doesn't work...
Study cortana
Study warvox within Metasploit for VoIP stuff!
Clean up /media/share, ~ and /mnt/…/client
karmisky framework?
msf browser autopwn?
IPv6 cracking
sapyto?
BeEF <-> phishing?
Also update exploitdb through a US proxy?
mantra -> web application browser extension
Using OWTF!
Enhance Metasploit with different scripts included: web app scan, removal of tracks (MSSQL, events, etc.)
Different custom builds from git or well-known pentesters:
git clone https://github.com/darkoperator/Metasploit-Plugins.git
git clone Carn0valxyz ?
/pentest/sniffers/fakeap-pwn
Integrate CANVAS and Core Impact into this VM.
Integrate https://github.com/thomhastings/os-scripts
Try smb_relay in Metasploit, seems good: http://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
ike-scan......
Web scanning on PHP 5.X + Apache -> exploit #2 on Packet Storm
Linux privilege escalation:
[0] https://github.com/PenturaLabs/Linux_Exploit_Suggester
[1] https://code.google.com/p/unix-privesc-check/
http://crypo.in.ua/tools/
https://github.com/leebaird/discover https://github.com/KyxRecon/Autocrawler-v1.0 https://github.com/chrismaddalena/ODIN (Observe, Detect, and Investigate Networks) https://github.com/stryngs/scripts https://github.com/skamsie/Domain-Status-Checker Awesome learning: https://github.com/TheRemoteLab/awesome-learning
https://www.vagrantup.com/ Copy prod env to local env
XPath injection: xcat, xxxpwn
/pentest/web/citrix ; # Enumerate Citrix hosts
python /pentest/web/ssl-proxy.py ; # Proxy tunnel HTTP to HTTPS, not sure how it runs...
If prepare-payload does not work, use this one: https://github.com/inquisb/shellcodeexec
Web PHP shell: http://epinna.github.io/Weevely/
Upload shells for different languages: http://sourceforge.net/projects/laudanum/files/laudanum-1.0/
One-liner reverse shells: http://bernardodamele.blogspot.hk/2011/09/reverse-shells-one-liners.html
/opt/gateway-finder ; # Find any host that does IP forwarding!
Mobile testing VM: http://sourceforge.net/projects/mobisec/
sharepoint scan: http://sourceforge.net/projects/spscan/files/?source=navbar
Reporting idea: GeoIP api: (Free) http://www.telize.com/
Awesome lists
https://github.com/joubertredrat/awesome-devops
https://github.com/kahun/awesome-sysadmin
https://github.com/devsecops/awesome-devsecops
https://github.com/FallibleInc/security-guide-for-developers