Less-common options (or ones that I forget), and other useful tips.
- Output file (lowercase -o names the file; uppercase -O keeps the remote file name):
-o <filename>
- Accept SSL certs without checking (needed for self-signed certs or when proxying through Burp/ZAP; the wget equivalent is --no-check-certificate):
-k (or --insecure)
- Use a proxy (great for Burp/ZAP - needs host and port, Burp's default listener is 127.0.0.1:8080):
-x http://127.0.0.1:8080
- Set HTTP Method (POST/PUT/TRACE etc.):
-X POST
- Data in request body (for non-GET requests):
-d "name=andy&password=pa55w0rd"
-d "{\"name\":\"Mark\"}" -H "Content-Type: application/json"
-d @POST-data.txt
- Form data:
-F user[fname]=Andy -F user[lname]=Tyler
- File upload via form:
-F user[photo]=@path/to/image.jpg
- User-Agent:
-A "Example-UA"
- Set Cookie:
-b "cookie1=true"
- Set Headers:
-H "Accept: application/json"
- Inverse search (grep - print lines that do NOT match):
-v
- Case-insensitive (grep):
-i
- Locate SUID/SGID files (find):
-perm /6000 -type f
-perm /6000 -user root -type f
(2000 = SGID, 4000 = SUID, 6000 = SUID+SGID; /mode matches files with ANY of those bits set, -mode requires ALL of them; the old +mode form is deprecated in GNU find)
- Search by name (quote the glob so the shell does not expand it first):
-name "*.log"
- Run commands on each item:
-exec grep 'password' {} \;
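Added example, not part of the original notes: the SUID/SGID search from the find entries above wrapped in shell functions, with a constructed temp-dir fixture so the behaviour of `-perm /6000` vs `-perm -4000` and `-type f` can be checked without scanning a real host. Function names and the fixture file names are made up for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): locate SUID/SGID files with
# GNU find. -perm /MODE matches files with ANY of MODE's bits set and replaces
# the deprecated -perm +MODE form; -perm -MODE requires ALL of the bits.

# find_setid DIR [MODE] -> regular files under DIR with any of MODE's bits set.
# 4000 = SUID, 2000 = SGID, 6000 = either (the default here).
find_setid() {
    local dir=$1 mode=${2:-6000}
    find "$dir" -xdev -type f -perm /"$mode" 2>/dev/null | sort
}

# find_root_suid DIR -> SUID binaries owned by root: the ones worth a closer
# look for privilege escalation. Diff the list against a known-clean box.
find_root_suid() {
    local dir=$1
    find "$dir" -xdev -type f -user root -perm -4000 2>/dev/null | sort
}

# demo_fixture -> constructed tree in a temp dir (not a real filesystem) so the
# functions can be exercised offline; prints the directory path.
demo_fixture() {
    local d
    d=$(mktemp -d)
    : > "$d/suid_bin";   chmod 4755 "$d/suid_bin"    # SUID only
    : > "$d/sgid_bin";   chmod 2755 "$d/sgid_bin"    # SGID only
    : > "$d/both_bin";   chmod 6755 "$d/both_bin"    # SUID+SGID
    : > "$d/plain_bin";  chmod 0755 "$d/plain_bin"   # neither: must not match
    mkdir "$d/suid_dir"; chmod 4755 "$d/suid_dir"    # directory: excluded by -type f
    printf '%s\n' "$d"
}

# Real-world use: find_setid / 6000 (and find_root_suid /), then review every
# binary that is not on the distro's default list.
if [ "${1:-}" = "--demo" ]; then
    d=$(demo_fixture)
    find_setid "$d" 6000
    rm -rf "$d"
fi
```

Run with `--demo` to see the three set-id files from the fixture; on a real target replace the fixture path with `/` and redirect stderr, as the notes above do, to drop the permission-denied noise.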
- Connect to an SSL/TLS-encrypted port (e.g. IMAPS on 993, POP3S on 995) - Netcat-like:
openssl s_client -connect 192.168.1.146:993 -crlf
- Encode string as base64 (-n keeps the trailing newline out of the encoded bytes):
echo -n "string to encode" | base64
- Decode base64 string:
echo -n "string to decode" | base64 -d
- Decode base64-encoded binary:
cat b64file | base64 -d > outputfile.bin
- Decode Hex strings as ASCII (reverse + plain format):
echo -n 767581 | xxd -p -r
- Print bytes given as \xHH escapes (echo):
echo -e "\x76\x75\x81"
- Suppress the trailing newline (echo; otherwise the newline becomes part of what you hash/encode):
-n
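Added example, not from the original notes: the base64/hex/echo -n entries above as small shell helpers, including the newline trap that `echo -n` exists to avoid. It assumes GNU coreutils (`base64 -d`, `od`) and uses `od` plus `printf` octal escapes as a portable stand-in for the `xxd -p` / `xxd -r -p` pair shown above, so it also runs where xxd is not installed. Function names are made up for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): encode/decode helpers built on
# coreutils (base64, od) and printf. The point of printf '%s' / echo -n is that
# echo appends "\n", so the bytes you hash or encode are not the bytes you typed.

# b64enc STRING -> base64 of exactly the bytes of STRING (no trailing newline)
b64enc() { printf '%s' "$1" | base64 | tr -d '\n'; }

# b64dec B64 -> decoded bytes (GNU base64 -d; for a file use: base64 -d < file > out.bin)
b64dec() { printf '%s' "$1" | base64 -d; }

# hexenc STRING -> lowercase hex of the bytes of STRING (equivalent to xxd -p)
hexenc() { printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n'; }

# hexdec HEX -> raw bytes from a plain hex string such as 7675 (equivalent to
# xxd -r -p). Pure POSIX sh: each byte becomes a printf "\ooo" octal escape.
hexdec() {
    hex=$1
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "hexdec: odd-length hex string" >&2; return 1; }
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}      # first two characters
        hex=${hex#??}                # drop them
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# newline_trap -> shows why echo -n matters: "echo" encodes 7 bytes, printf 6
newline_trap() {
    printf 'echo   : %s\n' "$(echo 'secret' | base64)"   # secret\n -> c2VjcmV0Cg==
    printf 'printf : %s\n' "$(b64enc 'secret')"          # secret   -> c2VjcmV0
}
```

The same trap applies to hashing: `echo "pass" | md5sum` and `echo -n "pass" | md5sum` give different digests, and only the second matches what a login form or a cracked hash contains.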
- Pull data from a file:
cut -d: -f1,7 /etc/passwd
- Set a width:
-w 2
- Translate one string to another:
$ tr "<charset1>" "<charset2>"
- Strip specific chars from a file/string (tr):
-d "<chars_to_delete>"
- Replace text/characters in a file (output to stdout, file unchanged):
sed 's/password/hash/g' filename
sed 's/[ABCDE]/*/g' filename
- Replace files and save the changes:
sed -i 's/admin/hacker/g' accounts.txt
- Print fields with formatting:
awk '{print $3 "\t" $4}' data.txt
- Print fields, specifying Field Separator:
awk -F: '{ print $1,$5 }' /etc/passwd
- Print fields where line matches the regex:
awk '/hacker/ {print $5,$6,$7,$8}' accounts.txt
- Print lines where length is greater than 10chars:
awk 'length($0) > 10' longlines.txt
- Count lines matching a regex with a counter:
awk '/a/{++cnt} END {print "Count = ", cnt}' data.txt
- IF statement on the contents of a field (note == for comparison; a single = is an assignment and matches every line):
awk -F: '{ if ($2 == "!") print $0 }' /etc/shadow
- Prefix each line with its number of repetitions (uniq, input must be sorted):
-c
- Sort a list for duplicates and count them - sorting by most frequent:
cat list1.txt list2.txt | sort | uniq -c | sort -nr | less
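Added example, not from the original notes: the awk, cut and sort | uniq -c idioms above run over constructed /etc/passwd and /etc/shadow samples (made up for this example, not from a real host) so the results can be checked offline. It assumes the standard field layouts: passwd is name:pw:uid:gid:gecos:home:shell, shadow is name:hash:lastchg:min:max:warn:inact:expire:flag. Function names are made up for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): the text-processing one-liners
# from the notes applied to post-exploitation triage of passwd/shadow copies
# and to merging wordlists. Sample data below is constructed, not real.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
andy:x:1000:1000:Andy Tyler:/home/andy:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc:x:1001:1001:service account:/opt/svc:/bin/sh'

SHADOW_SAMPLE='root:$6$salt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
andy:$6$salt2$otherhash:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
svc::19000:0:99999:7:::'

# login_shells -> users whose shell is not nologin/false: the interactive targets
login_shells() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# user_shell -> name:shell pairs (the cut -d: -f idiom)
user_shell() {
    printf '%s\n' "$PASSWD_SAMPLE" | cut -d: -f1,7
}

# locked_accounts -> hash field starting with ! or * (locked / no password login)
locked_accounts() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

# empty_password -> accounts with an empty hash field: no password needed at all.
# Uses == : a single = would be an assignment and match every line.
empty_password() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '{ if ($2 == "") print $1 }'
}

# crackable -> user:hash for entries with a real $id$salt$hash, ready for a cracker
crackable() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: 'substr($2, 1, 1) == "$" { print $1 ":" $2 }'
}

# merge_count LIST1 LIST2 -> merged wordlist as word:count, most frequent first
merge_count() {
    printf '%s\n' "$1" "$2" | sort | uniq -c | sort -nr | awk '{ print $2 ":" $1 }'
}
```

With real files, replace the `printf '%s\n' "$SAMPLE"` pipelines by the file names as the last awk/cut argument; `sort` before `uniq -c` is mandatory, because uniq only collapses adjacent duplicates.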
- Quick file servers on port 1234 (serve the current directory; the first is Python 2 only, the last sends a single file to the first client that connects):
$ python -m SimpleHTTPServer 1234
$ python3 -m http.server 1234
$ php -S 0.0.0.0:1234
$ nc -l -p 1234 < file.txt
- Cookies Manager + - for tweaking cookie values
- Firebug - for advanced website tampering
- Foxyproxy Standard - for quick switching between web proxies like Burp/ZAP
- Live-HTTP-Headers - for monitoring/resending HTTP requests
- PassiveRecon - for passively gathering tonnes of data on the current domain
- Shodan Plugin - queries website IP against Shodan data and displays open ports and links to the Shodan page
- User-Agent-Switcher - for tweaking the User-Agent Header
- Wappalyzer - for displaying scripts/libraries/server-side software
- NoRedirect - for blocking 301/302 page redirects (hello admin pages)
- TamperData - for resending requests and Verb Tampering (when you can't use Burp/ZAP)
- Poster - for sending HTTP requests from GET/POST/PUT/DELETE etc.
- Web Developer - great for tweaking form-data and playing around with web content/page-settings
- Vulners Web Scanner - queries framework and software data against vuln database (does not send site details)
$ firefox https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus https://addons.mozilla.org/en-US/firefox/addon/firebug https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard https://addons.mozilla.org/en-US/firefox/addon/live-http-headers https://addons.mozilla.org/en-US/firefox/addon/passiverecon https://addons.mozilla.org/en-US/firefox/addon/shodan_io https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher https://addons.mozilla.org/en-US/firefox/addon/wappalyzer https://addons.mozilla.org/en-US/firefox/addon/noredirect https://addons.mozilla.org/en-US/firefox/addon/tamper-data https://addons.mozilla.org/en-US/firefox/addon/poster/ https://addons.mozilla.org/en-US/firefox/addon/web-developer https://addons.mozilla.org/en-US/firefox/addon/vulners-web-scanner
This is a breakdown of some useful attack vectors that will get you started on 95% of targets in a pentest.
Port | Service |
---|---|
21/tcp | ftp |
22/tcp | ssh* |
23/tcp | telnet |
25/tcp | smtp |
53/tcp | dns |
80/tcp | http |
110/tcp | pop3 |
111/tcp | rpcbind (?) |
135/tcp | msrpc (?) |
139/tcp | netbios-ssn |
143/tcp | imap |
443/tcp | https* |
445/tcp | microsoft-ds |
993/tcp | imaps |
995/tcp | pop3s |
1723/tcp | pptp |
3306/tcp | mysql |
3389/tcp | ms-wbt-server (?) |
5900/tcp | vnc |
8080/tcp | http-proxy |
*Encrypted ports
Make sure you check all ports on TCP and UDP.
Your friend here is unicornscan - this is also leveraged by onetwopunch.sh (https://github.com/superkojiman/onetwopunch).
Use version detection in nmap (-sV) to grab banners and collect more enumeration data - which can lead to identifying weaknesses and exploits.
For any given port/service the most effective 'way in' for a Pentester can be achieved by following a structured analysis approach.
Check for a weakness per category and then proceed to the next until you find a way in:
- Can you already interact with the open port?
- Inherent weaknesses
- Weak configurations
- Basic credential checks
- Known exploits
- Complex credential checks
- New exploits
Basic:
- No credentials
- Default credentials
- Bypassable credentials
- Guessable credentials (common lists)
- Reused credentials
Complex:
- Brute-forceable credentials
- Crackable credentials (wordlists and rules)
Purpose: Transfer of files using a remote, browsable directory
vsftpd
C | I | A |
---|---|---|
X | X | 0 |
- Username enumeration
- File exposure/access:
  ~/.ssh or other config files
  ~/.bash_history or other log files
  source code
- File upload
- ftp
$ ftp <ip_addr>
- netcat
$ nc <ip_addr> <port>
- hydra - brute-force login
- Enumerate usernames
- Brute-force login
- Anonymous FTP - read files
- Anonymous FTP - write files
- Lack of bruteforce prevention
- Often unpatched
- Unencrypted communication
- FTPd service running as Admin on Windows systems
- CVEs:
  vsftpd CVEs
  others
- MitM (if local)
- anonymous:<blank>
- anonymous:<any_email_addr>
Purpose: Remote shell access via encrypted connection
openssh
C | I | A |
---|---|---|
X | X | 0 |
- Username enumeration
- RCE
- File exposure/access
- File upload
- ssh
$ ssh -p <port> <ip_addr>
$ ssh -p <port> username@<ip_addr>
- netcat - grab the version banner (SSH is not TLS, so openssl s_client will not complete a handshake here)
$ nc <ip_addr> <port>
- hydra - bruteforce login attacks
- Brute-force login
- Enumerate usernames
- Weak creds
- Shared creds
- Lack of bruteforce prevention
- CVEs:
  openssh CVEs
  others
- none
Purpose: Unencrypted remote shell access
telnet
telnetd
C | I | A |
---|---|---|
X | X | 0 |
- Username enumeration
- RCE
- Sensitive file exposure
- File upload
- telnet
$ telnet <ip_addr>
- netcat
$ nc <ip_addr> <port>
- hydra - brute-force login
- Brute-force login
- Break out of served software - if unprotected
- MitM (if local)
- none
Purpose: Transfer of files using a remote, browsable directory
vsftpd
C | I | A |
---|---|---|
X | X | 0 |
- Username enumeration
- ftp
$ ftp <ip_addr>
- Access sensitive files:
  ~/.ssh or other config files
- Anonymous FTP - read files
- MitM (if local)
- CVEs:
  this_program CVEs
- admin:<blank>
25 53 80 110 111 135 139 143 443 445 993 995 1723 3306 3389 5900 8080
IMAP/POP3 data: http://www.suburbancomputer.com/tips_email.htm https://donsutherland.org/crib/imap