Skip to main content

Posts

Showing posts from December, 2019

SNMP - Port 161 Enum

Basic info About SNMP Ports - 161,162,10161,10162/udp SNMP is a based on UDP, stateless protocol --> susceptible to IP spoofing and replay attacks. SNMP1, SNMP2, SNMP2C --> can be locally irrupted over a local network. SNMP is a UDP protocol & UDP scanning that UDP requires a matching port and payload or it won't respond. This means we have to get the community string correct or we won't get any sort of a response. In-case, when a response is received, it contains the community string, and the scanner can identify the valid community string. MIB-values 1.3.6.1.2.1.25.1.6.0 System Processes 1.3.6.1.2.1.25.4.2.1.2 Running Programs 1.3.6.1.2.1.25.4.2.1.4 Processes Path 1.3.6.1.2.1.25.2.3.1.4 Storage Units 1.3.6.1.2.1.25.6.3.1.2 Software's Installed & Hotfixes 1.3.6.1.2.1.6.13.1.3 TCP Local Ports 1.3.6.1.2.1.1.1 System Description OID and MIB Hierarchy - the way MIB-Values are created Enum via NMAP #Run SNMP Nmap Scripts nmap -sCUV -p161 ...

SMTP - Port 25 Enumeration

Basic info About SMTP Commands PIPELINING – Pipelining Sends batches of SMTP commands without waiting for a response from the SMTP Server to individual comments. SIZE – SIZE extension has two purposes:      To give the server an estimate of the size of a message before the message is transmitted.      To warn the client that messages above a certain size will not be accepted. ETRN – allows an SMTP server to send a request to another SMTP server to send any e-mail messages it has. The ETRN command has been specifically designed to allow integration with dial-up mail servers. 8BITMIME – is a way for SMTP servers that support it to transmit email using 8-bit character sets in a standards-compliant way that won’t break old servers. DSN – DSN (Delivery Status Notification) is an extension to SMTP email delivery that can notify senders about the status of their message’s delivery. STARTTLS – StartTLS is mainly used as a protocol extension for communicatio...

Unzip a file in Windows CMD

C:\Temp\     --> is the unzipped location c:\FolderName\batch.zip    --> change this @echo off setlocal cd /d %~dp0 Call :UnZipFile " C:\Temp\" "c:\FolderName\batch.zip " exit /b :UnZipFile <ExtractTo> <newzipfile> set vbs="%temp%\_.vbs" if exist %vbs% del /f /q %vbs% >%vbs%  echo Set fso = CreateObject("Scripting.FileSystemObject") >>%vbs% echo If NOT fso.FolderExists(%1) Then >>%vbs% echo fso.CreateFolder(%1) >>%vbs% echo End If >>%vbs% echo set objShell = CreateObject("Shell.Application") >>%vbs% echo set FilesInZip=objShell.NameSpace(%2).items >>%vbs% echo objShell.NameSpace(%1).CopyHere(FilesInZip) >>%vbs% echo Set fso = Nothing >>%vbs% echo Set objShell = Nothing cscript //nologo %vbs% if exist %vbs% del /f /q %vbs%

SSH Commands

hydra $ip -s 22 ssh -l <user> -P big_wordlist.txt kali linux > ssh -i privatekey thrasivoulos@fe80::0250:56ff:feaa:4146%tun0 puttygen 10.10.10.107-alice_my_private_key.ppk -O private-openssh -o alice.pem ssh -D 1080 -L 6801:127.0.0.1:5801 -L 6901:127.0.0.1:5901 charix@10.10.10.84 ssh -D 1080 -L 6801:127.0.0.1:5801 -L 6901:127.0.0.1:5901 yuhi@10.10.10.77 ssh -D <local host>:1010 -p 22 user@<remote host> ssh -D <local proxy port> -p <remote port> <target> ssh -f -N -D <local host>:8080 -p 2222 hax0r@<remote host> ssh -f -N -T -R22222:localhost:22 yourpublichost.example.com ssh -f -N -R 2222:<local host>:22 root@<remote host> ssh -i alice.pem alice1978@10.10.10.107 ssh -i alice.pem alice1978@10.10.10.107 \\ bob8791 ssh -i dead0b5b829ea2e3d22f47a7cbde17a6-23269 drno@10.10.10.124 bash ssh -i frank-key frank@10.10.10.34 ssh -i id_hype hype@10.10.10.79 ssh -i id_rsa orestis@brainfunk.h...

Web Page Enum - Port 80,443

Hello Minna-san, this post covers some basic Checks to be carried out while Penetration Testing web application, though it doesn't cover the exploitation part  yet.  Simple Web Page Enum Checklist Scan All the Ports via Nmap Web Servers can be Found on any port nmap -Pn -p- 10.10.10.10 Check robots.txt Run nikto, dirb, dirsearch.py --> check large dictionaries nikto -h 10.10.10.10 dirb http://10.10.10.10 dirsearch.py -u http://10.10.10.10 -e * CUPP -i Try to use all kinds of HTTP methods - GET,POST, PUT Try with curl -X put --upload-file <filename> <web server address> Check for login pages, if found any - try to login with default creds. Send it to burp intruder/Turbo Intruder and brute force it Check the CMS of the Application if its wordpress/ Drupal/ joomla run their specific scanners - wpscan, drupscan Try to login with default credentials - Use intruder / wpscan search for vulnerable plugins use CEWL to generate a list of passwords/usernames and emai...

Private Key to Hash to Password

home/david/.ssh/id_rsa.pub -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F seyeH/feG19TlUaMdvHZK/2qfy8pwwdr9sg75x4hPpJJ8YauhWorCN4LPJV+wfCG tuiBPfZy+ZPklLkOneIggoruLkVGW4k4651pwekZnjsT8IMM3jndLNSRkjxCTX3W KzW9VFPujSQZnHM9Jho6J8O8LTzl+s6GjPpFxjo2Ar2nPwjofdQejPBeO7kXwDFU RJUpcsAtpHAbXaJI9LFyX8IhQ8frTOOLuBMmuSEwhz9KVjw2kiLBLyKS+sUT9/V7 HHVHW47Y/EVFgrEXKu0OP8rFtYULQ+7k7nfb7fHIgKJ/6QYZe69r0AXEOtv44zIc Y1OMGryQp5CVztcCHLyS/9GsRB0d0TtlqY2LXk+1nuYPyyZJhyngE7bP9jsp+hec dTRqVqTnP7zI8GyKTV+KNgA0m7UWQNS+JgqvSQ9YDjZIwFlA8jxJP9HsuWWXT0ZN 6pmYZc/rNkCEl2l/oJbaJB3jP/1GWzo/q5JXA6jjyrd9xZDN5bX2E2gzdcCPd5qO xwzna6js2kMdCxIRNVErnvSGBIBS0s/OnXpHnJTjMrkqgrPWCeLAf0xEPTgktqi1 Q2IMJqhW9LkUs48s+z72eAhl8naEfgn+fbQm5MMZ/x6BCuxSNWAFqnuj4RALjdn6 i27gesRkxxnSMZ5DmQXMrrIBuuLJ6gHgjruaCpdh5HuEHEfUFqnbJobJA3Nev54T fzeAtR8rVJHlCuo5jmu6hitqGsjyHFJ/hSFYtbO5CmZR0hMWl1zVQ3CbNhjeIwFA bzgSzzJdKYbGD9tyfK3z3RckVhgVDgEMFRB5HqC+yHDyRb+U5ka3LclgT1rO+2so uDi6fXyvABX+e...