

Showing posts from July, 2022

Installing and Configuring Arch Linux

We are going to install Arch Linux from scratch.

Download the Arch ISO from the official website. Use it via VirtualBox or VMware - give it around 2GB of RAM & 16GB of disk space. Start the VM.

#Check Internet Access
ping
#Set Time & Date
timedatectl set-ntp true

Creating a Partition
#Check the partitions
fdisk -l
#Create partition using cfdisk
cfdisk
#Create a partition, allocate space & select it as bootable --> Create --> exit
#you can choose to create a swap space if required to hibernate.
#Creating File System, I choose /dev/sda2 as that's where I am looking to install the file system
mkfs.ext4 /dev/sda2
#Creating Swap Memory
mkswap /dev/sda1
#Mount the drives
mount /dev/sda2 /mnt
swapon /dev/sda1

Installing Required Tools
pacman -Sy
pacman -S archlinux-keyring
pacstrap -i /mnt base base-devel linux-lts linux-firmware dhcpcd vim nano iputils netctl networkmanager grub

Adding drive UUID to fstab
genfstab -U /mnt >> /mnt/etc/fstab
cat /mnt/etc/fstab
arch-...

Compress & Decompress - Encode & Decode

Commands for easy file transfer

tar
I guess tar compress is better than zip
#Compress
tar -czvf filename.tar file.txt
#Decompress
tar -xvf compressed.tar

7z
#Compress/archive the file
7z a filename.7z file.txt
#Compress as a zip archive - zip, gzip, bzip2
7z a -tzip file.txt
#Extract the contents of 7z
7z e filename.7z

zip
#Compress
zip file.txt
zip -9 file.txt
#Compress recursively
zip -m file.txt -r
#Decompress
unzip

Base64
Linux
#Encode
base64 filename.txt
cat filename.txt | base64 > file
#Decode
base64 -d filename.txt
Windows
#Encode
certutil.exe -encode .\ output.txt
#Decode
certutil.exe -decode .\a.txt
#Decoding on Linux
sed '/-----BEGIN CERTIFICATE-----/d;/-----END CERTIFICATE-----/d' output.txt | base64 -d > unzip

Copying Large Files from Linux via Terminal
tar -czvf filename.tar file.txt
zip -9 file.txt
cat file.txt | base64 > ne...

LDAP Enumeration - Ports 389,636,3268,3269

LDAP - Port 389 or LDAP SSL on Port 636

Nmap Scan
nmap -n -sV --script "ldap* and not brute" -p389,636,3268,3269
nmap -sC -Pn -p389,636,3268,3269

#DUMP Everything from LDAP - Anonymous
ldeep ldap -a -d STEINS.local -s ldap:// all dump
#Dump as an Authenticated User
ldeep ldap -u Administrator -p 'password' -d steins.local -s ldap:// all dump

Basic LDAP Search Commands
#Get FULL Domain Name and its contexts
ldapsearch -x -h -s base namingcontexts
ldapsearch -H ldap:// -x -s base namingcontexts
#Dump accessible data from LDAP
ldapsearch -x -h forest.htb.local -s sub -b 'DC=HTB,DC=LOCAL' | tee ldap_dump.txt
#Dumping passwords using LDAP:
ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
ldapsearch -x -h -D <<username>> -w <<password>> -b "dc=AJLAB,dc=COM" "(ms-MCS-AdmPwd=*)" ...

TCPDUMP Cheatsheet

TCPDUMP Usage

tcpdump is installed by default on most Linux machines; you can run it with "sudo tcpdump".

• Protocol : ether, ip, ip6, arp, rarp, tcp, udp: protocol type
• Type :
  host [host]: Only give me packets to or from that host
  net [network]: Only packets for a given network
  port [portnum]: Only packets for that port
  portrange [start-end]: Only packets in that range of ports
• Direction :
  src: Only give me packets from that host or port
  dst: Only give me packets to that host
• Use "and" or "or" to combine these together
• Use "not" to negate

-n Host IP addresses and port numbers instead of names
-i interface Sniff on a particular interface (-D lists interfaces)
-v Be verbose (show TTL, IP ID, Total Length, IP options, and so on)
-w Dump packets to a file (use -r to read the file later)
-x Print hex
-X Print hex and ASCII
-A Print ASCII

#View the traffic from all interfaces on host or port 443
sudo tcpdump -s 0 -i any host 10.1...

Postgres Pentest - Port 5432

nmap Scanning
nmap -sC -sV --script vuln,vulners --script-args mincvss=7.0 -p5432,5433 -Pn
#make sure to check for vulnerable versions

Bruteforcing Postgres Creds
#Using Metasploit
use auxiliary/scanner/postgres/postgres_login
#Using Hydra
hydra -L /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt -P /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt postgres

Default Username & Passwords:
● postgres : postgres
● postgres : password
● postgres : admin
● admin : admin
● admin : password
● root : root

#or for a better wordlist
cp /usr/share/wordlists/seclists/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt .
cat postgres-betterdefaultpasslist.txt | cut -f1 -d":" > user.txt
cat postgres-betterdefaultpasslist.txt | cut -f2 -d":" > pass.txt

Accessing remote PostgreSQL server
psql -h -U USERNAME
psql -h <host> -U <username> -d <database> ...

DNS Enumeration - Port 53

#Find the DNS server
nmap --script vuln,vulners --script-args mincvss=7.0 -sC -sV -p 53 --open
nmap -sU -sV --script "dns* and (discovery or vuln) and not (dos or brute)" -p53
#DNS Server Processes Unauthoritative Recursive Queries
nmap -Pn -p 53 -sU --script dns-recursion
#DNS Server Cache Snooping Remote Information Disclosure
nmap -Pn -sU -sV -p 53 --script dns-cache-snoop
#DNS Enum via Metasploit
auxiliary/gather/enum_dns
auxiliary/scanner/dns/dns_amp

# DNS Enum
nslookup
> SERVER
# Give the IP address of the server to find its hostname
> name = host02.test.domain.
dig axfr host02.test.domain @

Finding SPF Records
-all (Hard Fail) : Strict rejection of emails from unauthorized servers.
~all (Soft Fail) : Flag or mark emails from unauthorized servers as suspicious.
+all (Allow All) : Allows emails from any server, effectively disabling SPF checks...