Unlike the way the media portrays hackers, we're not actually supposed to know everything off the top of our heads. A massive part of it is research skills, and I personally believe that problem solving matters more than memorising every different command in Linux. That's not only impossible, it also misses the point of what makes hacking fun.
That all said, it would be handy to have my toolbox ready for CTF/pentesting so that I can go straight to executing my ideas.
Tier 0.
Meow
Enumeration- extracts information from a system
Tools | Description
ping | tests whether the host is reachable
sudo nmap -sV {ip address} | checks which ports are open and identifies the service/version behind each one
telnet {ip address} | connects to the remote computer
common login names | admin, administrator, root
ls | lists the files in the current directory
cat | reads the file
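Since almost every box in these notes starts with an nmap -sV scan, here is a small parser for that output. This is an added example of mine, not code from the original post or from the nmap project: it reads the PORT/STATE/SERVICE/VERSION table out of a constructed sample of nmap's normal output and points at the open ports whose service (telnet, FTP, SMB, Redis, RDP, MongoDB, rsync) the Tier 0 boxes show being reachable without proper credentials. The sample output, the host address in it and the review notes are all my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV` normal output (not a real scan result).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-01 00:00 UTC
Nmap scan report for 10.129.1.17
Host is up (0.020s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
23/tcp   open  telnet        Linux telnetd
445/tcp  open  microsoft-ds  Windows Server 2019 microsoft-ds
6379/tcp open  redis         Redis key-value store 5.0.7

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
"""

# One row of the PORT/STATE/SERVICE/VERSION table: "23/tcp   open  telnet  Linux telnetd"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Services from the Tier 0 notes that commonly allow cleartext or unauthenticated access,
# keyed by nmap's service names (microsoft-ds = SMB, ms-wbt-server = RDP, mongod = MongoDB).
REVIEW_SERVICES = {
    "telnet": "cleartext remote shell; check for default or blank credentials",
    "ftp": "check whether anonymous login is enabled",
    "microsoft-ds": "SMB; check which shares are readable without credentials",
    "redis": "check whether the server requires AUTH",
    "ms-wbt-server": "RDP; check for accounts with blank passwords",
    "mongod": "check whether unauthenticated connections are accepted",
    "rsync": "check for modules that can be listed without credentials",
}


@dataclass
class PortInfo:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_sv(text):
    """Parse the port table out of nmap -sV normal output into PortInfo rows."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append(PortInfo(int(m.group(1)), m.group(2), m.group(3),
                                 m.group(4), m.group(5).strip()))
    return rows


def review_findings(rows):
    """Return (port, service, note) for open ports whose service deserves a closer look."""
    return [(r.port, r.service, REVIEW_SERVICES[r.service])
            for r in rows if r.state == "open" and r.service in REVIEW_SERVICES]


if __name__ == "__main__":
    for port, service, note in review_findings(parse_nmap_sv(SAMPLE_NMAP_OUTPUT)):
        print(f"{port}/{service}: {note}")
```

The regex only matches lines that start with a port/protocol pair, so the banner, "Not shown" and trailer lines are skipped without special handling; filtered or closed ports are parsed but excluded from the findings.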
Fawn
Tools | Description
sudo apt install ftp -y | installs the FTP client, which connects to an FTP server to transfer files
ftp -h | displays the client's help page (available options)
ftp port | 21
ftp {ip address} | connects to the FTP server at that address
anonymous | login username that needs no password when anonymous FTP is enabled
help | views the commands available
cd | changes directory on the FTP server
get | downloads a file to the current local directory
Dancing
SMB- Server Message Block lets clients open and work on files directly on a share, whereas FTP only transfers copies of files
share- SMB-enabled storage exposed over the network
Tools | Description
-sV | service/version info
smbclient | client used to list and access the contents of a share
sudo apt-get install smbclient | installs the tool
smbclient -L {target ip} | lists the shares on the target
-h / --help | switches that show the tool's capabilities (help page)
ADMIN$ | hidden administrative share for remote administration
C$ | administrative share for the C:\ disk volume where the OS is hosted
IPC$ | inter-process communication share. Used for comms, not part of the file system
WorkShares | custom share created by the administrator
$ smbclient \\\\{target IP}\\ADMIN$ | sample attempt to connect to the ADMIN$ share
$ smbclient \\\\{target IP}\\C$ | sample attempt to connect to the C$ share
smb: \> | prompt showing that the shell is now interacting with the share
exit | exits the smb shell
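The share names in the table above are the first thing to sort through in smbclient -L output. As an added example (mine, not from the original post or from the Samba project), here is a parser for that listing that separates the default Windows administrative shares (ADMIN$, C$, IPC$) from custom shares such as WorkShares, which is where unexpected anonymous access usually shows up. The sample output and the host address in it are constructed.

```python
# Constructed sample of `smbclient -L {target IP}` output (not captured from a real host).
SAMPLE_SMBCLIENT_L = """\

\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tWorkShares      Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.1.12 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
"""

# Default administrative shares Windows creates on its own.
DEFAULT_ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def parse_share_list(text):
    """Return [{"name", "type", "comment"}] for each row of the Sharename table."""
    shares = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Sharename"):
            in_table = True
            continue
        if not in_table or line.startswith("---"):
            continue
        # The table rows are indented; an unindented or blank line means the table is over.
        if not line or not raw.startswith(("\t", " ")):
            break
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        shares.append({"name": parts[0], "type": parts[1],
                       "comment": parts[2] if len(parts) > 2 else ""})
    return shares


def classify_shares(shares):
    """Split share names into the default administrative shares and custom shares.

    Custom shares are the ones worth reviewing: an admin created them, so their
    permissions are not Windows defaults. Names ending in "$" are hidden from browsing
    but are not protected by that alone.
    """
    result = {"administrative": [], "custom": [], "hidden": []}
    for share in shares:
        name = share["name"]
        key = "administrative" if name.upper() in DEFAULT_ADMIN_SHARES else "custom"
        result[key].append(name)
        if name.endswith("$"):
            result["hidden"].append(name)
    return result


if __name__ == "__main__":
    for bucket, names in classify_shares(parse_share_list(SAMPLE_SMBCLIENT_L)).items():
        print(f"{bucket}: {', '.join(names) or '(none)'}")
```

The parser stops at the first unindented line so smbclient's trailing status messages (the SMB1 workgroup retry) never get mistaken for shares.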
Redeemer
Redis- open-source NoSQL key-value data store used as a database, cache and message broker. Stored on the server side.
CLI- command line interface
Database- stored in the server's RAM for fast access. Redis writes the database contents to disk at varying intervals so they persist as a backup for fault tolerance.
keyspace section- provides statistics on the main dictionary of each database
Under the # Keyspace section of the info output, a single db0 line means only one database exists, with index 0.
Tools | Description
nmap -p- -sV {target ip} | enumerates all ports with service/version detection
sudo apt install redis-tools | installs the redis cli utility
redis-cli --help | shows the tool's switches
-h <hostname> | specify the hostname
redis-cli -h {target IP} | connects to the redis server
info | shows information and statistics about the redis server
select 0 | selects the database by its index number
keys * | lists all the keys present in the database
get <key> | views the value stored for the corresponding key
e.g. get temp
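Every one of those redis-cli commands is sent as a RESP (Redis serialisation protocol) array of bulk strings, and the reply comes back typed by its first byte. As an added example, not from the original post or from the Redis project, here is a minimal encoder/decoder for that exchange, a parser for the # Keyspace section of info, and a check for whether a server answered INFO at all or rejected it with NOAUTH (i.e. requirepass is set). The replayed exchange, the key names other than temp and the values are constructed; nothing here opens a network connection.

```python
import re


class RespError(Exception):
    """An error reply ("-ERR ...", "-NOAUTH ...") from the server, returned so it can be inspected."""


def encode_command(*args):
    """Encode a command the way redis-cli sends it: a RESP array of bulk strings."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode() if isinstance(arg, str) else bytes(arg)
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def decode_reply(buf):
    """Decode one RESP reply from the start of buf; returns (value, unconsumed_bytes)."""
    kind, rest = buf[:1], buf[1:]
    line, _, rest = rest.partition(b"\r\n")
    if kind == b"+":                      # simple string, e.g. +OK
        return line.decode(), rest
    if kind == b"-":                      # error
        return RespError(line.decode()), rest
    if kind == b":":                      # integer
        return int(line), rest
    if kind == b"$":                      # bulk string; $-1 is a null reply (key missing)
        length = int(line)
        if length == -1:
            return None, rest
        return rest[:length].decode(), rest[length + 2:]
    if kind == b"*":                      # array of nested replies
        items = []
        for _ in range(int(line)):
            item, rest = decode_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError("unknown RESP type %r" % kind)


KEYSPACE_LINE = re.compile(r"^db(\d+):(.*)$")


def parse_keyspace(info_text):
    """Turn the '# Keyspace' section of an INFO reply into {db_index: {stat: value}}."""
    dbs = {}
    in_section = False
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            in_section = line == "# Keyspace"
            continue
        m = KEYSPACE_LINE.match(line) if in_section else None
        if m:
            dbs[int(m.group(1))] = {k: int(v) for k, v in
                                    (kv.split("=") for kv in m.group(2).split(","))}
    return dbs


def requires_auth(info_reply):
    """True if the server rejected INFO with NOAUTH, i.e. requirepass is configured."""
    return isinstance(info_reply, RespError) and str(info_reply).startswith("NOAUTH")


# Constructed exchange: what the client sends and what an unauthenticated server would answer.
CONSTRUCTED_INFO = "# Server\r\nredis_version:5.0.7\r\n\r\n# Keyspace\r\ndb0:keys=4,expires=0,avg_ttl=0\r\n"
CONSTRUCTED_EXCHANGE = [
    (encode_command("INFO"), b"$%d\r\n%s\r\n" % (len(CONSTRUCTED_INFO), CONSTRUCTED_INFO.encode())),
    (encode_command("SELECT", "0"), b"+OK\r\n"),
    (encode_command("KEYS", "*"), b"*2\r\n$4\r\ntemp\r\n$4\r\nnumb\r\n"),
    (encode_command("GET", "temp"), b"$13\r\nexample-value\r\n"),
]


def replay(exchange):
    """Decode each server reply of a (request, reply) exchange; returns the values in order."""
    return [decode_reply(reply)[0] for _, reply in exchange]


if __name__ == "__main__":
    values = replay(CONSTRUCTED_EXCHANGE)
    print("needs AUTH:", requires_auth(values[0]))
    print("databases:", parse_keyspace(values[0]))
    print("keys:", values[2], "temp =", values[3])
```

The decoder returns the unconsumed bytes so a caller reading from a socket can pipeline several commands and pull replies off one buffer; the error type is returned rather than raised so a NOAUTH answer can be treated as a finding (the server is password-protected) instead of a crash.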
Explosion
Tools | Description
xfreerdp | free RDP client (FreeRDP)
sudo apt-get install freerdp2-x11 | installs xfreerdp
/v:{target IP} | specifies the target IP of the host we would like to connect to
/cert:ignore | tells the client to ignore any security certificate errors for the connection
/u:Administrator | specifies the login username to be "Administrator"; trying it with no password tests whether a blank-password/guest login is accepted
e.g. xfreerdp /v:{target IP} /cert:ignore /u:Administrator
Preignition
Tools | Description
gobuster | finds hidden content on the web server by brute-forcing URL paths from a wordlist
directory busting | automates guessing directory and file names instead of typing URLs into the address bar by hand
sudo apt install golang-go | installs go
go install github.com/OJ/gobuster/v3@latest | installs gobuster
alternative that compiles the tool from source code:
sudo git clone https://github.com/OJ/gobuster.git
cd gobuster
go get && go build
go install
gobuster -h | tool's help page
dir | specify that we are using the directory busting mode of the tool
-w | specify a wordlist, a collection of common directory names that are typically used for sites
-u | specify the target's URL or IP address
sudo gobuster dir -w /usr/share/wordlists/dirb/common.txt -u {target IP}
Ffuf | alternative to gobuster
admin admin | default credentials worth trying on a fresh install when no brute-forcing tool is available
-x php | specifies certain file extensions to look for (here .php)
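From the defending side, directory busting is loud: one client producing a burst of 404s in a short window. As an added example of mine (not from the original post or from the gobuster project), here is the detection logic run over constructed Apache "combined" access log lines, flagging any client IP that hits a threshold of 404s within a sliding window and recording the user agents it used. The IPs, timestamps, paths and the gobuster-style user agent string in the sample are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def peak_in_window(times, window):
    """Largest number of events inside any `window`-second span (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(seconds=window):
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_dirbust(lines, threshold=20, window=60):
    """Flag client IPs that produced `threshold` or more 404s within `window` seconds.

    Returns {ip: {"not_found": total_404s, "peak": max_in_window, "user_agents": set}}
    for flagged IPs only.
    """
    not_found = defaultdict(list)
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        agents[rec["ip"]].add(rec["ua"])
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in not_found.items():
        peak = peak_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = {"not_found": len(times), "peak": peak, "user_agents": agents[ip]}
    return flagged


def constructed_log():
    """Constructed sample: one scanner-like client plus one normal visitor (not real traffic)."""
    base = datetime(2023, 3, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    probes = ["/admin", "/backup", "/images", "/cgi-bin", "/uploads"] * 5   # 25 guesses
    for i, path in enumerate(probes):
        ts = (base + timedelta(seconds=i)).strftime(TS_FORMAT)
        lines.append(f'10.10.14.5 - - [{ts}] "GET {path} HTTP/1.1" 404 196 "-" "gobuster/3.6"')
    for i, path in enumerate(["/", "/index.html", "/missing.png"]):
        ts = (base + timedelta(seconds=30 * i)).strftime(TS_FORMAT)
        status = 404 if path.endswith(".png") else 200
        lines.append(f'192.168.1.20 - - [{ts}] "GET {path} HTTP/1.1" {status} 1024 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in detect_dirbust(constructed_log()).items():
        print(f"{ip}: {info['not_found']} x 404, peak {info['peak']}/60s, UA {sorted(info['user_agents'])}")
```

The rate-based rule is the robust signal; the user agent is only a bonus, since gobuster's -a switch lets a scan present any user agent it likes, so a rule keyed on the string alone would miss it.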
Preignition
Tools | Description
Databases are a collection of organised information that can be easily accessed, managed and updated
nmap -p- --min-rate=1000 -sV {target IP} | scans ports
--min-rate | this is used to specify the minimum number of packets that Nmap should send per second; it speeds up the scan as the number goes higher
MongoDB is a document-oriented NoSQL database. Instead of using tables and rows like traditional relational databases, MongoDB makes use of collections and documents. Documents are key-value pairs, and collections are schema-less, so documents can vary in size and content.
curl -O https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.4.7.tgz | downloads the tar archive file
tar xvf mongodb-linux-x86_64-3.4.7.tgz | extracts the contents of the tar file
cd mongodb-linux-x86_64-3.4.7/bin | navigate to the location where the mongo binary is present
./mongo mongodb://{target IP}:27017 | connects to MongoDB server running on remote host as an anonymous user
show dbs; | lists the databases present on the MongoDB server
use sensitive_information; | switches to a particular database from the list so it can be enumerated
show collections; | lists down the collections stored in the database
db.flag.find().pretty(); | dumps the contents of the collection
Synced
Tools | Description
rsync is preferred over FTP when only a few files have changed, since it syncs the differences instead of transferring every file every single time.
rsync [OPTION] ... [USER@]HOST::SRC [DEST]
rsync --list-only {target_IP}:: | lists the files (rsync modules) instead of copying them
shares | these are shared directories
rsync --list-only {target_IP}::public | lists the files inside the public share
rsync {target_IP}::public/flag.txt flag.txt | copies/syncs this file to our local machine
cat flag.txt | reads the file once it has been copied into the current local directory
none | credentials needed for anonymous rsync access to the share