
Posts

Showing posts from July, 2022

Installing and Configuring Arch Linux

We are going to install Arch Linux from scratch. Download the Arch ISO from the official website and boot it in VirtualBox or VMware, giving the VM around 2GB of RAM and 16GB of disk space. Start the VM.

#Check Internet Access
ping archlinux.org
#Set Time & Date
timedatectl set-ntp true

Creating a Partition
#Check the partitions
fdisk -l
#Create partition using cfdisk
cfdisk
#Create a partition, allocate space & select it as bootable --> Create --> exit
#you can choose to create a swap space if required to hibernate.
#Creating File System, I chose /dev/sda2 as that's where I am looking to install the file system
mkfs.ext4 /dev/sda2
#Creating Swap Memory
mkswap /dev/sda1
#Mount the drives
mount /dev/sda2 /mnt
swapon /dev/sda1

Installing Required Tools
pacman -Sy
pacman -S archlinux-keyring
pacstrap -i /mnt base base-devel linux-lts linux-firmware dhcpcd vim nano iputils netctl networkmanager grub

Adding drive UUID to fstab
genfstab -U /mnt >> /mnt/etc/fstab
cat /mnt/etc/fstab
arch-...

Compress & Decompress - Encode & Decode

Commands for easy file transfer

tar
I guess tar compress is better than zip
#Compress
tar -czvf filename.tar file.txt
#Decompress
tar -xvf compressed.tar

7z
#Compress/archive the file
7z a filename.7z file.txt
#Compress as a zip archive - zip, gzip, bzip2
7z a -tzip filename.zip file.txt
#Extract the contents of 7z
7z e filename.7z

zip
#Compress
zip filename.zip file.txt
zip -9 filename.zip file.txt
#Compress recursively
zip -m filename.zip file.txt -r
#Decompress
unzip filename.zip

Base64
Linux
#Encode
base64 filename.txt
cat filename.txt | base64 > file
#Decode
base64 -d filename.txt

Windows
#Encode
certutil.exe -encode .\b.zip output.txt
#Decode
certutil.exe -decode .\a.txt output.zip
#Decoding on Linux
sed '/-----BEGIN CERTIFICATE-----/d;/-----END CERTIFICATE-----/d' output.txt | base64 -d > b.zip
unzip b.zip

Copying Large Files from Linux via Terminal
tar -czvf filename.tar file.txt
zip -9 filename.zip file.txt
cat file.txt | base64 > ne...

LDAP Enumeration - Ports 389,636,3268,3269

LDAP - Port 389 or LDAP SSL on Port 636

Nmap Scan
nmap -n -sV --script "ldap* and not brute" -p389,636,3268,3269 10.10.10.10
nmap -sC -Pn -p389,636,3268,3269 10.10.10.10
#DUMP Everything from LDAP - Anonymous
ldeep ldap -a -d STEINS.local -s ldap://10.10.10.10 all dump
#Dump as an Authenticated User
ldeep ldap -u Administrator -p 'password' -d steins.local -s ldap://10.0.0.1 all dump

Basic LDAP Search Commands
#Get FULL Domain Name and its contexts
ldapsearch -x -h 10.10.10.10 -s base namingcontexts
ldapsearch -H ldap://10.10.10.10 -x -s base namingcontexts
#Dump accessible data from ldap
ldapsearch -x -h forest.htb.local -s sub -b 'DC=HTB,DC=LOCAL' | tee ldap_dump.txt
#Dumping passwords using LDAP:
ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
ldapsearch -x -h 10.10.10.254 -D <<username>> -w <<password>> -b "dc=AJLAB,dc=COM" "(ms-MCS-AdmPwd=*)" ...

TCPDUMP Cheatsheet

TCPDUMP Usage
tcpdump is installed by default on most Linux machines; you can run it with "sudo tcpdump".

• Protocol: ether, ip, ip6, arp, rarp, tcp, udp: protocol type
• Type:
  host [host]: Only give me packets to or from that host
  net [network]: Only packets for a given network
  port [portnum]: Only packets for that port
  portrange [start-end]: Only packets in that range of ports
• Direction:
  src: Only give me packets from that host or port
  dst: Only give me packets to that host
• Use "and" or "or" to combine these together
• Use "not" to negate

-n            Host IP addresses and port numbers instead of names
-i interface  Sniff on a particular interface (-D lists interfaces)
-v            Be verbose (show TTL, IP ID, Total Length, IP options, and so on)
-w            Dump packets to a file (use -r to read the file later)
-x            Print hex
-X            Print hex and ASCII
-A            Print ASCII

#View the traffic from all interfaces on host 10.10.10.10 or port 443
sudo tcpdump -s 0 -i any host 10.1...

Postgres Pentest - Port 5432

nmap Scanning
nmap -sC -sV --script vuln,vulners --script-args mincvss=7.0 -p5432,5433 -Pn 10.10.10.10
#make sure to check for vulnerable versions

Bruteforcing Postgres Creds
#Using Metasploit
use auxiliary/scanner/postgres/postgres_login
#Using Hydra
hydra -L /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt -P /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt 10.10.10.10 postgres

Default Username & Passwords:
● postgres : postgres
● postgres : password
● postgres : admin
● admin : admin
● admin : password
● root : root

#or for a better wordlist
cp /usr/share/wordlists/seclists/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt .
cat postgres-betterdefaultpasslist.txt | cut -f1 -d":" > user.txt
cat postgres-betterdefaultpasslist.txt | cut -f2 -d":" > pass.txt

Accessing remote PostgreSQL server
psql -h 10.10.10.10 -U USERNAME
psql -h <host> -U <username> -d <database> ...

DNS Enumeration - Port 53

#Find the DNS server
nmap --script vuln,vulners --script-args mincvss=7.0 -sC -sV -p 53 --open 10.10.0.0/16
nmap -sU -sV --script "dns* and (discovery or vuln) and not (dos or brute)" -p53 10.10.10.10
#DNS Server Processes Unauthoritative Recursive Queries
nmap -Pn -p 53 -sU --script dns-recursion 10.10.10.10
#DNS Server Cache Snooping Remote Information Disclosure
nmap -Pn -sU -sV -p 53 --script dns-cache-snoop 10.10.10.10
#DNS Enum via Metasploit
auxiliary/gather/enum_dns
auxiliary/scanner/dns/dns_amp

# DNS Enum
nslookup
> SERVER 10.10.10.1
# Give the IP address of the server to find its hostname
> 10.10.10.10
10.10.10.10.in-addr.arpa name = host02.test.domain.
dig axfr host02.test.domain @10.10.10.1

Finding SPF Records
-all (Hard Fail): Strict rejection of emails from unauthorized servers.
~all (Soft Fail): Flag or mark emails from unauthorized servers as suspicious.
+all (Allow All): Allows emails from any server, effectively disabling SPF checks...