1) Through sudo find out executable applications:
$ sudo -l
After that, pinpoit the resolution at https://gtfobins.github.io/
2) Seek SUID and SGID:
$ find / -perm -4000 -o -perm -2000 -type f 2>/dev/null
Exploitation is located at https://gtfobins.github.io/#+suid
HackBar (Hacking tools)
https://addons.mozilla.org/en-US/firefox/addon/hackbar-free/
Cookie Quick Manager (Manipulate Cookies)
https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/
FoxyProxy (Easily switch Proxy settings)
https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
User Agent String Switcher (Change Browser's User Agent property)
https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/
Wappalyzer (Find out targets' platforms)
https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/
1) Manual Discovery
whois (whois tryhackme.com)
nslookup (nslookup -type=MX tryhackme.com 8.8.4.4)
dig (dig @8.8.4.4 tryhackme.com MX)
2) Automated Discovery
gobuster (gobuster dns -d DOMAIN -w /usr/share/seclists/Discovery/DNS/namelist.txt)
3) OSINT
DNS Dumpster (https://dnsdumpster.com/)
Shodan (https://www.shodan.io/)
1) Manual Discovery
Robots.txt
Sitemap.xml
Favicon (https://wiki.owasp.org/index.php/OWASP_favicon_database)
HTTP Header (curl $URL -v)
2) OSINT
Google Hacking
Wappalyzer (https://www.wappalyzer.com/)
WayBackMachine (https://archive.org/web/)
GitHub
S3 Bucket
3) Automated Discovery
Seclists
ffuf (ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://URL/FUZZ)
dirb (dirb http://URL/ /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt)
gobuster (gobuster dir -u http://URL/ -w /usr/share/seclists/Discovery/Web-Content/common.txt)
Check the status of wireless adapters:
# iw dev
Turn Managed Mode into Monitor Mode assume the wireless adapter is named wlan1:
# ip link set wlan1 down
# iw wlan1 set monitor control
# ip link set wlan1 up
Turn back to Managed Mode:
# ip link set wlan1 down
# iw wlan1 set type managed
# ip link set wlan1 up
1) Check News related to the company (Use labels)
2) Check Security Advisories sent by US-CERT etc. (Use libraries)
3) Check changes of regulations (such as FFIEC, DFS 500, GLBA, OCC, SWIFT, CHIPS FEDLINE, ISO27001/27002, NIST SP800, FIPS 140-2, PCI-DSS)
4) New vulnerabilities (Use libraries and CVE/Bugtraq)
5) New threats (Use libraries)
6) Data Leakage Investigation (Use Spider and keywords to Dark Web and dark markets)
7) Reputation Investigation (Use Spider and keywords to check forums)
8) Phishing website Investigation
9) Crawl Hacker forums for the company's confidential data
10) Google Hacking to check if there is any web-based backdoor sitting in the company's website
11) Third Party Passive Vulnerability Scan's results (Use Shodan, ZoomEye)
12) Third Party Web Security Scan (Use www.immuniweb.com/websec, ssl lab)
13) Blacklist/SPAM List checking (Use IP ranges and domains)
14) Check if the company's IP addresses are in Botnet lists
15) Check if the company's emails have been compromised (Use https://haveibeenpwned.com/ and https://hacked-emails.com/)
16) Check DNS records (Use domains and IP ranges)
17) Honeypot/Sandbox Analysis
18) Suspicious Traffic Analysis
19) APT groups research (Use ATT&CK, FireEye APT Group, CyberMonitor@GitHub): specify those APTs' targets (e.g. industries and geographies), and see if your organization hits their target scopes
20) IOC search, analysis, and apply (to SIEM, NIDPS, Firewall, Anti-Virus, Anti-SPAM, etc.)
21) Action Plan
Show all supporting decryption formats:
root@kali:~# john --list=formats
Crack Windows passwords:
root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT ./windows.txt
Crack ZIP passwords:
root@kali:~# zip2john ./nmap.zip > ./nmap_zip_hash.txt ; john --wordlist=/usr/share/wordlists/rockyou.txt --format=PKZIP ./nmap_zip_hash.txt
#dig @10.50.96.5 foocampus.com -t AXFR +nocookie
#host -t axfr foocampus.com 10.50.96.5
Hash Identifier:
https://hashes.com/en/decrypt/hash
Hash Online Cracker:
https://crackstation.net/
Offline Cracker:
https://www.openwall.com/john/
1) Open a CMD, go to the suspicious sample's folder, and type:
> certutil -hashfile suspicious_file.exe MD5
> certutil -hashfile suspicious_file.exe SHA256
2) Record the hashes shown in the output of those two commands above.
3) Open a web browser, go to https://www.virustotal.com/gui/home/search, and search the above-mentioned hashes.
https://github.com/Yara-Rules/rules
https://github.com/advanced-threat-research/Yara-Rules
https://github.com/reversinglabs/reversinglabs-yara-rules
https://github.com/bartblaze/Yara-rules/tree/master/rules
More references could be found at https://github.com/InQuest/awesome-yara#rules
blocklist.de List (http://lists.blocklist.de/
VOIPBL Publicly Accessible PBX List (http://www.voipbl.org/update)
CleanTalk Spam List (https://iplists.firehol.org/
Browser Add-on:
Foxy Proxy
Cookie Editor
Builtwith
Proxy:
Burp Suite
Zap
Fuzzer:
wfuzz
Directory Buster:
dirbuster
Domain Enumeration:
knockpy
sublist3r
Directory:
SecLists
Spider:
Scrapy
Encoder/Decoder:
Cyber Chef
CMS Detection:
WhatCMS (https://whatcms.org/)
SQL Injection:
sqlmap
Web Vulnerability Scan:
Striker
P.S.: There is a backup of AutoPwn at https://github.com/d3m0n4l3x/tools/blob/master/db_autopwn.rb
1) Install/Upgrade Metasploit Framework:
# cd ~
# curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
2) Download and install db_autopwn plugin:
# git clone https://github.com/hahwul/metasploit-autopwn
# cd metasploit-autopwn
# cp ./db_autopwn.rb /opt/metasploit-framework/embedded/framework/plugins/
3) Start Metasploit's database, namely PostGreSQL:
# systemctl start postgresql
4) Create a user, test1, in the database:
# su postgres
$ cd ~
$ createuser test1 -P
5) Create a database object named msf_db, owned by the user, test1:
$ createdb --owner=test1 msf_db
6) Connect to the database in Msfconsole by the root:
$ exit
# /opt/metasploit-framework/bin/msfconsole
msfconsole> db_connect test1:test1@127.0.0.1/msf_db
7) Check the status of the database's connection:
msfconsole> db_status
8) Scan the target first (assume the target is 192.168.0.1):
msfconsole> db_nmap 192.168.0.1
9) Load db_autopwn:
msfconsole> load db_autopwn
10) Automatically attack the target:
msfconsole> db_autopwn -t -p -e 192.168.1.1
[Generate a Resource script]
# msfconsole
msfconsole> ...
msfconsole> makerc demonalex.rc
[Resource Script Location]
# cd /opt/metasploit-framework/embedded/framework/scripts/resource/
# ll
[Read and Launch a script in Shell]
# cat /opt/metasploit-framework/embedded/framework/scripts/resource/demonalex.rc
# msfconsole -r /opt/metasploit-framework/embedded/framework/scripts/resource/demonalex.rc
[Read and Launch a script in Msfconsol]
msfconsole> more demonalex.rc
msfconsole> resource demonalex.rc
#cd ~
#curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
#/opt/metasploit-framework/bin/msfconsole
Reference:
https://github.com/microsoft/CSS-Exchange/tree/main/Security
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
https://www.exploit-db.com/exploits/49663
PS: The NMAP script, http-vuln-exchange.nse, has been created by Microsoft Senior Threat Intelligence Analyst Kevin Beaumont to identify those Microsoft Exchange servers vulnerable to the recent Exchange vulnerabilities including CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
# cd /usr/share/nmap/scripts
# wget https://raw.githubusercontent.com/GossiTheDog/scanning/main/http-vuln-exchange.nse
# nmap TARGET_IP -p 443 —script http-vuln-exchange
https://dlptest.com/
http://dataleaktest.com/
https://www.dlp-test.com/
https://www.dlptest.net/
#Credit Card Number Identification:
alert tcp any any <> any any (pcre:”/4d{3}(s|-)?d{4}(s|-)?d{4}(s|-)?d{4}/”;msg:”VISA card number detected in cleartext”;content:”visa”;nocase;sid:9000000;rev:1;)
alert tcp any any <> any any (pcre:”/5d{3}(s|-)?d{4}(s|-)?d{4}(s|-)?d{4}/”;msg:”MasterCard number detected text”;content:”mastercard”;nocase;sid:9000001;rev:1;)
alert tcp any any <> any any (pcre:”/6011(s|-)?d{4}(s|-)?d{4}(s|-)?d{4}/”;msg:”Discover card number detected text”;content:”discover”;nocase;sid:9000002;rev:1;)
alert tcp any any <> any any (pcre:”/3d{3}(s|-)?d{6}(s|-)?d{5}/”;msg:”American Express card number text”;content:”amex”;nocase;sid:9000003;rev:1;)
#Idenfiy Social Security Number:
alert tcp any any <> any any (pcre:”/d{3}(s|-)?d{2}(s|-)?d{4}/”;msg:”Social Security Number is found”;content:”ssn”;nocase;sid:9000004;rev:1;)
Reference: https://cheatography.com/albertx/cheat-sheets/openssl/
Installation:
# apt-get update
# apt-get install openssl
Generating Key-ring:
The following example is to generate a 4096 bit private key and export it to a key file:
# openssl genrsa -out ./private-key.key 4096
Or generate a password-protected private key as such:
# openssl genrsa -aes256 -out ./private-key.key 4096
The public key could be generated upon the key-ring as shown below:
# openssl rsa -in ./private-key.key -RSAPublicKey_out -out ./pubic-key.key
Add/Remove Password-Protected function on a private key:
Adding Password-Protected function could be done as follows:
# openssl rsa -aes256 -in ./private-key.key -out ./private-key.encrypted.key
And Removing Password-Protected function is done as shown below:
# openssl rsa -in ./private-key.encrypted.key -out ./private-key.key
Creating Certificate Signing Request (CSR):
Creating a Certificate Signing Request (CSR) by using an existing private key:
# openssl req -new -key ./private-key.key -out ./request.csr
Read the CSR file:
# openssl req -text -noout -in ./request.csr
Read the public key from the CSR file:
# openssl req -pubkey -noout -in ./request.csr
Sign a certificate through Certificate Signing Request (CSR):
# openssl ca -in ./request.csr -out ./certificate.crt -config ./CA/config/openssl.cnf
Read the information sitting in the certificate:
# openssl x509 -text -noout -in ./certificate.crt
Extract the public key from the certificate:
# openssl x509 -pubkey -noout -in ./cert.crt
Generating Key-ring and Self-Signed Certificate concurrently:
# openssl req -newkey rsa:2048 -nodes -keyout /etc/ssl/certs/key.pem -x509 -days 365 -out /etc/ssl/certs/certificate.pem
Or:
# openssl req -newkey rsa:2048 -nodes -keyout ./private-key.key -x509 -days 365 -out ./cert.crt
Identifying Key-ring and Certificate:
Utilize MD5 hash function to identify all files:
# openssl dgst -md5 ./* 2>/dev/null
Combine Private Key and Certificate into PKCS #12 format file:
# openssl pkcs12 -export -out ./cert_key.p12 -inkey ./private-key.key -in ./certificate.crt
