Warning
For informational and educational purposes only.
Author: ManiFast
Exploit - the code for the vulnerability
Payload - establishes the connection and runs scripts
Singles - a self-contained file (combines the two modules below)
Stagers - set up the connection to the attacker and load the Stage
Stages - perform the main action: stealing passwords, loading a backdoor, etc.
Post - runs after a successful compromise (keylogger, downloads files)
Encoder - disguises the payload from antivirus
NOP - fills empty space in executables
Auxiliary - modules for network scanning and traffic analysis
systemctl start postgresql
start the database
Run in a terminal:
sudo msfdb init && msfconsole
msfconsole
sudo msfdb init
check the database
Update:
msfupdate
Config (where the passwords are stored)
/usr/share/metasploit-framework/config
db_status
show which DB (database) is connected
db_disconnect
disconnect from the DB
db_connect -y <path>
connect to the DB using its config file, e.g. /usr/share/metasploit-framework/config/database.yml
help
workspace
show the list of workspaces (projects)
workspace -a <name>
add a new workspace
workspace -d <name>
delete a workspace
workspace -D
delete all workspaces
workspace <name>
switch to a workspace
db_import <path>
import scan results, e.g. .xml output from nmap scans
db_export <path>
export the database to a file
hosts
show all hosts: IP, MAC and OS type
hosts -S <word>
search in hosts
services
show all services (from .xls files; shows all open ports)
services -S
search in services
notes
more info from port scanning (results)
vulns
list of vulnerabilities
loot
saved dumps, e.g. hashes from memory (I don't know)
analyze
analyze the DB for all IPs
search type:<exploit> <find>
search for exploits
search type:auxiliary ms17
use auxiliary/<module-path>
use a module
use auxiliary/scanner/smb/smb_ms17_010
In Metasploit:
show options
show advanced
info
RPORT - the port the exploit will attack
RHOSTS - target IP (must be set)
set rhosts <ip>
- set the target IP
You can set rhosts once at the start so you don't have to set it in every exploit
[+] - vulnerable
[*] - not vulnerable
You can use features like this:
Start Metasploit
use auxiliary/gather/search_email_collector
open the module
show options
help
help db_nmap
help
db_nmap -A <ip> -v
(-v shows results live)
db_nmap -A 192.168.0.106 -v
- You can type just the module name; you don't have to type its full path.
- You don't have to type "show options"; just "options" works.
Port | path | name | sense
80 | auxiliary/dos/http/wordpress_xmlrpc_dos | |
 | auxiliary/scanner/http/http_version | http version | HTTP Version Detection
135 | Read and run commands | |
137 | Searching info on other PCs | |
139 | Remote control | |
445 | auxiliary/scanner/smb/smb_ms17_010 | MS17 | Shared files
3389 | auxiliary/scanner/rdp/ms12_020_check | RDP |
2001 | auxiliary/dos/http/monkey_headers | |
3128 | auxiliary/dos/http/squid_range_dos | |
8080 | auxiliary/dos/http/cable_haunt_websocket_dos | |
More about ports:
Port 21: FTP
Port 22: SSH
Port 25: SMTP
Port 53: DNS
Port 80: HTTP
Port 443: HTTPS
Port 110: POP3
Port 143: IMAP
Port 139: NetBIOS
Port 445: SMB
Port 3389: RDP
Port 3306: MySQL
Port 5432: PostgreSQL
Port 1521: Oracle
Port 1433: Microsoft SQL Server
Port 9300: Elasticsearch
Port 6379: Redis
Port 8080: Tomcat
Port 8000: Nginx
Port 7001: Apache
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
42/tcp filtered nameserver
53/tcp open domain
69/tcp filtered tftp
80/tcp open http
110/tcp open pop3
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
161/tcp filtered snmp
162/tcp filtered snmptrap
179/tcp filtered bgp
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
1028/tcp filtered unknown
1080/tcp filtered socks
1214/tcp filtered fasttrack
1241/tcp filtered nessus
2077/tcp open unknown
2078/tcp open unknown
2082/tcp open infowave
2083/tcp open radsec
2086/tcp open gnunet
2087/tcp open eli
2095/tcp open nbx-ser
2096/tcp open nbx-dir
3127/tcp filtered unknown
3128/tcp filtered squid-http
3306/tcp open mysql
5554/tcp filtered sgi-esphttp
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6777/tcp filtered unknown
7007/tcp filtered afs3-bos
9996/tcp filtered unknown
22816/tcp open unknown
51180/tcp filtered unknown
42/udp open|filtered nameserver
53/udp open domain?
69/udp open|filtered tftp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
|_snmp-hh3c-logins: TIMEOUT
|_snmp-win32-shares: TIMEOUT
162/udp open|filtered snmptrap
1701/udp open|filtered L2TP
Features of auxiliary:
auxiliary/scanner/portscan/tcp - a TCP port scan (set THREADS 50)
TCP/UDP port finder:
https://www.adminsub.net/tcp-udp-port-finder/
NMAP - scans all ports and pings hosts
nmap <options> <address>
--reason
show why nmap decided each port state (what it received from the remote system)
-p 0-65535
or -p-
scan all ports
--min-rate <n>
minimum packet rate; don't wait long on hosts that don't answer, move on
-oX <path>
save the output to an XML file
-A
aggressive scan, used to detect the OS
-iL <file>
scan targets listed in a txt file
-oN <path>
write the output to a txt file
-v
verbose: show more info live
-Pn
skip host discovery (for hosts behind a firewall)
-sV
more information about ports (service/version detection)
-T0 to -T5
speed: the higher, the more aggressive
About speed
The following example increases the scan speed with the timing template -T5,
which instructs Nmap to execute a fast scan (called "insanely fast") with
only 0.3 seconds delay to reply. This scan may not return accurate results.
The available template names are
paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5).
if the port is open:
_http-generator:
find the port that gives access to the web site
5000/tcp open tcpwrapped syn-ack ttl 64
Good sites:
for looking up IPs: https://www.nslookup.io/domains/
tldr nmap
more about scripts and features: https://linuxhint.com/scan-all-ports-nmap/
examples of vulnerability scans: https://linuxhint.com/30-nmap-examples/
You can use scripts like:
sudo nmap --script-args=unsafe=1 -T5 <ip>
This shows only ports
NSE scripts are grouped into the categories auth, broadcast, default, discovery,
dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.
example:
sudo nmap -sV -A <ip>
sudo nmap -p <port> <ip> --script vuln
nmap -p- -sV <ip>
nmap -p- --min-rate 5000 -sV <ip>
sudo nmap -A --reason <ip> -oX <path>.xml
sudo nmap -A --reason -v 192.168.0.106 -p 0-54535 -oX /home/manifast/Desktop/scan.xml
sudo nmap -A -T4 -v <ip>
sudo nmap -sC -sV <ip>
sudo nmap -A -sV -Pn -v -p- <ip>
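The XML that `-oX` writes is what `db_import` loads into the `hosts` and `services` tables, and it is simple to read back yourself, for example to keep an inventory of what your own hosts expose or to diff two scans. The parser below is an added example written for these notes, not code from the original page or from nmap/Metasploit; the hosts, MAC, services and OS match in SAMPLE_XML are constructed, and the function names are assumptions of this example.

```python
"""Read an nmap -oX report back into the host / open-port inventory that
`db_import` loads and `hosts` / `services` then display."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output: made-up hosts, addresses and services,
# shaped like what `nmap -A -oX scan.xml` writes.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX scan.xml 192.168.0.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:11:22" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.0.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"mac", "os", "ports": [(proto, port, service, product)]}}
    for hosts that are up, keeping only ports nmap reports as 'open'
    ('filtered' and 'open|filtered' are not confirmed listeners)."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        if ip is None:
            continue
        osmatch = host.find("os/osmatch")  # first (best) OS guess, if any
        entry = {"mac": mac,
                 "os": osmatch.get("name") if osmatch is not None else None,
                 "ports": []}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else None
            product = svc.get("product") if svc is not None else None
            entry["ports"].append((port.get("protocol"), int(port.get("portid")), name, product))
        inventory[ip] = entry
    return inventory


def hosts_with_service(inventory, service_name):
    """IPs exposing a given service name, the equivalent of `services -S <name>`."""
    return sorted(ip for ip, e in inventory.items()
                  if any(p[2] == service_name for p in e["ports"]))


def services_table(inventory):
    """Rows like the `services` command prints: host, port, proto, name, info."""
    rows = []
    for ip in sorted(inventory):
        for proto, port, name, product in inventory[ip]["ports"]:
            rows.append((ip, port, proto, name or "", product or ""))
    return rows


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    for ip, e in inv.items():
        print(f"{ip:16} mac={e['mac']} os={e['os']}")
    for row in services_table(inv):
        print("  {:16} {:>5}/{:<3} {:14} {}".format(*row))
```

Only ports in state `open` are kept on purpose: `filtered` and `open|filtered` mean nmap got no answer (or a firewall answered), so they are not confirmed listeners and would pollute an inventory.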
DOCS: https://docs.metasploit.com/docs/pentesting/metasploit-guide-smb.html
I don't know how you can be such a pervert to use this piece ...
DIRB web-content scanner
Shows hidden paths, files and addresses in the URL
n
go to the next directory
a
stop scanning (save the state)
r
save scan statistics
-X
extension (.php, .html)
-o
file to save the output to
without -X it searches all extensions
Examples of using DIRB:
dirb http://nwcom.info/ -o ~/Desktop/DIRB_scan.txt
dirb <url>/directory
simple test
dirb <url> -X .html
testing files with the suffix '.html'
dirb <url> /usr/share/dirb/wordlists/vulns/apache.txt
testing with the word list from the file 'apache.txt'
dirb <url>/secure_url
simple test with SSL
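Seen from the server side, a DIRB run like the ones above leaves an obvious trace in the access log: one client collecting many 404s for different paths within seconds, while a real visitor hits the same broken link once or twice. The detection logic below is an added example, not part of the original notes or of DIRB; the combined-format log lines, IPs, paths, user agents and the window/threshold values are all constructed.

```python
"""Spot wordlist-driven path scans (dirb-style) in web server access logs:
one client producing many 404s for distinct paths within a short window."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed combined-format (Apache/nginx) log lines: the IPs, paths and
# user agents are made up. 10.0.0.5 is a normal visitor with one broken link;
# 198.51.100.7 walks a wordlist and gets a 404 for almost every guess.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:09 +0000] "GET /img/old-logo.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:10 +0000] "GET / HTTP/1.1" 200 1043 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:12:00:10 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:12:00:10 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:12:00:11 +0000] "GET /config.php HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:12:00:11 +0000] "GET /login.php HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:12:00:12 +0000] "GET /test/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:12:00:12 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:12:00:13 +0000] "GET /tmp/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:12:00:13 +0000] "GET /.git/ HTTP/1.1" 403 199 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:12:00:14 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:12:00:14 +0000] "GET /cgi-bin/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:12:00:15 +0000] "GET /uploads/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Mar/2024:12:00:15 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "scanner/1.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Pull client, timestamp, path and status out of one combined-format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],  # ignore query strings
        "status": int(m["status"]),
    }


def find_path_scanners(log_text, window_seconds=60, threshold=8):
    """Return {ip: n} for clients that hit at least `threshold` distinct
    not-found paths inside any `window_seconds` window; n is the worst window.
    Repeated misses on one path (a user reloading a dead link) count once."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, events in misses.items():
        events.sort()
        in_window = Counter()  # distinct paths currently inside the sliding window
        start = 0
        worst = 0
        for ts, path in events:
            in_window[path] += 1
            # drop events that fell out of the window ending at ts
            while events[start][0] < ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            worst = max(worst, len(in_window))
        if worst >= threshold:
            flagged[ip] = worst
    return flagged


if __name__ == "__main__":
    for ip, n in find_path_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct 404 paths within 60s")
```

Tune `window_seconds` and `threshold` to the site: one with many stale links needs a higher threshold, and combining this with the 404-to-total ratio per client or the User-Agent string cuts false positives further.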
OpenVAS vulnerability scanner
sudo apt update && sudo apt upgrade -y
run first
sudo apt-get install gvm* -y
install
sudo gvm-setup
set up the app and save the generated password in a file
gvm-check-setup
check that everything was downloaded
sudo gvm-start
start
sudo gvm-stop
stop
sudo runuser -u _gvm -- gvmd --user=<login> --new-password=<password>
change the password
sudo runuser -u _gvm -- gvmd --create-user=admin2 --new-password=<password>
create a user / reset the password
Open the http address from the output in a browser and log in with the saved password
sudo systemctl status redis-server
check the DB
sudo systemctl status redis-server@openvas.service
sudo gvm-feed-update
- update the feeds
sudo greenbone-feed-sync --type GVMD_DATA
sudo greenbone-feed-sync --type CERT
Sniffers - for sniffing traffic
SCRCPY framework: used for remote control of a device, emulating touches, with live output of the device screen
don't forget to enable the USB connection in VBox if you use -d (USB/wireless)
site that helps find IPs: https://www.shodan.io/, search "android debug bridge"
adb devices
show all devices
adb connect <ip>:<port>
connect
scrcpy -St
control (turn the screen off, show touches)
scrcpy -d
(use USB)
scrcpy -e
(use the TCP/IP device)
adb kill-server
kill the server if the connection failed
adb start-server <port 5555>
adb tcpip <port 9999>
open a TCP port on the device
adb forward --list serial "" local "" remote ""
?
adb logcat
? View device log
adb get-state
Prints: offline | bootloader | device
GHOST framework: used for quickly connecting to a device remotely, sharing files and taking screenshots
after a successful Ghost connection it's better to use the SCRCPY framework :D
connect <ip>
help
Install:
git clone https://github.com/EntySec/Ghost.git
cd Ghost
chmod +x setup.py
if you get an error, type:
pip3 install --upgrade pip
pip3 install setuptools
and add this line at the top of setup.py: "#!/usr/bin/python3"
ghost
MacChanger: used to generate a fake MAC address.
sudo macchanger -A <eth0>
set a random MAC
sudo macchanger -a <eth0>
set a fake MAC
sudo macchanger -r <eth0>
set a fully random MAC
The error message "[ERROR] Could not change MAC: interface up or insufficient permissions:
Device or resource busy" means that you are trying to change the MAC address of an interface
that is already up, or that you do not have the permissions needed to change the MAC address.
To fix this error, try the following:
Check that the interface is not up by running:
ifconfig
If the interface is up, you will see a block that starts with "eth0" or "wlan0"
whose flags include "UP".
If the interface is up, bring it down with:
ifdown eth0
Replace "eth0" with the name of your interface.
Once the interface is down, change the MAC address with macchanger:
sudo macchanger -A wlan0
And check:
sudo macchanger -s wlan0
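`macchanger -s` prints the current and permanent address; the first octet tells you what kind of address you are now using. Bit 0 (the I/G bit) must be clear for a usable unicast address, and bit 1 (the U/L bit) set marks a locally administered address, which is how a randomly generated MAC is supposed to be flagged so it cannot collide with a vendor-assigned one. The decoder and generator below are an added example, not part of the original notes or of macchanger; the sample addresses are constructed.

```python
"""Decode the two flag bits of a MAC address and generate a random
locally-administered unicast MAC, the kind a MAC changer should produce."""
import secrets


def parse_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return its 6 bytes."""
    parts = mac.strip().replace("-", ":").split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw):
    """Lower-case colon-separated form, as macchanger prints it."""
    return ":".join(f"{b:02x}" for b in raw)


def describe_mac(mac):
    """Report the I/G and U/L flags of the first octet and the OUI part."""
    raw = parse_mac(mac)
    multicast = bool(raw[0] & 0x01)  # I/G bit: 1 = group (multicast) address
    local = bool(raw[0] & 0x02)      # U/L bit: 1 = locally administered
    return {
        "oui": format_mac(raw[:3]),
        "multicast": multicast,
        "locally_administered": local,
        # an interface address must be unicast to work at all
        "usable_unicast": not multicast,
    }


def random_local_mac():
    """Random unicast MAC with the U/L bit set: no vendor OUI is impersonated
    and the address cannot be confused with a burned-in one."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE  # set U/L, clear I/G
    return format_mac(raw)


if __name__ == "__main__":
    # constructed addresses: a vendor-style unicast, a local unicast, a multicast
    for sample in ("00:1A:2B:3C:4D:5E", "02:1a:2b:3c:4d:5e", "01:00:5e:00:00:01"):
        print(sample, describe_mac(sample))
    print("generated:", random_local_mac())
```

If `macchanger -s` shows an address with the U/L bit clear after a random change, the tool imitated a registered vendor prefix; with the bit set the address is declared as locally administered, which is the honest form for a made-up address.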
locate proxychains
find the proxychains path
sudo vim /etc/proxychains4.conf
Don't run as root; you can get errors with Firefox
If it doesn't work, try:
logging in as root or non-root
Restart the Tor service
service tor start/restart/status
Or check the solution in the other book " > LAN > config of interfaces"
Change IP
git clone https://github.com/FDX100/Auto_Tor_IP_changer.git
python3 install.py
python3 autoTOR.py
60
100
sudo apt install koadic
install
info
shows which port and which IP
run
run the script and copy the link to paste into a Windows command prompt
wifite
basic version
cd wifite2/
python3 Wifite.py
--kill
kill conflicting processes
-mac
automatically change the MAC address
python3 Wifite.py --kill -mac
Used to scan Wi-Fi and knock users off the WLAN
airmon-ng check kill
kill processes that get in the way
airmon-ng start wlan0
enable monitor mode
airodump-ng wlan0
monitoring
airodump-ng --bssid <MAC> --channel <CH> -w <path> <interface>
listen to one particular network
airodump-ng --bssid 84:D8:1B:61:C1:2C --channel 11 -w /home/manifast/Desktop/wifi wlan0
airodump-ng --bssid 84:D8:1B:61:C1:2C --channel 11 wlan0
airodump-ng -c 3 -w amaliya --bssid 04:95:E6:57:DC:91 wlan0
You can press Tab to highlight access points
aireplay-ng --deauth <count: 0 = continuous, or 1-100> -a <router's MAC> -c <STATION> <interface>
knock clients off
aireplay-ng --deauth 30 -a 84:D8:1B:61:C1:2C -c 70:BB:E9:E2:D3:53 wlan0
aireplay-ng --deauth 0 -a 84:D8:1B:61:C1:2C wlan0
aireplay-ng -0 0 -a <MAC> wlan0
use --help for more!
Crack the handshake:
aircrack-ng <capture.cap> -w <wordlist path>
aircrack-ng QWERTY-01.cap -w /usr/share/wordlists/wifi_rockyou.txt
Keep only words with length from 8 to 63 characters:
cat rockyou.txt | sort | uniq | pw-inspector -m 8 -M 63 > wifi_rockyou.txt
You stay invisible on the web
Quite a good tool for searching by nickname. To use it, we need to enter only one command.
pip3 install maigret
netdiscover: app for scanning IP addresses on your network bridge.
Active/passive ARP reconnaissance tool
Pre-installed
sudo netdiscover -i eth0
sudo netdiscover -r 192.168.0.0/16
john: used to find the right password from a list of passwords, given the hash of a zip's password
john --wordlist=<path to password list> <password hash file>
zip2john: used to hash the zip password, i.e. from the zip file it gives the hash of the password
zip2john <path> > <file.txt>
nikto: used as an alternative to the command nmap -p <port> <ip> --script vuln
nikto -h <ip>
enum4linux -n $IP
nmblookup -A $IP
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]'
Analyze compiled code.
Ghidra is a software reverse engineering (SRE) framework that includes a suite of full-featured analysis tools, enabling users to analyze compiled code.
sudo apt install ghidra
exiftool: used to show all the info (metadata) of a file, e.g. to find the creator's name.
sudo apt-get install exiftool
- install
exiftool <file path>
start
metagoofil: used to download all files from a site.
sudo apt-get install metagoofil
- install
metagoofil -d <site> -l 10 -n 10 -t <.type> -o <save path>
start; -l results limit, -n download limit, -t file type, -o where to save.
example:
metagoofil -d it-black.ru -l 10 -n 10 -t pdf,doc,xml,xls,docx -o /home/manifast/Desktop/
types:
pdf,doc,xml,xls,docx,php,png,jpg,zip,rar,7z,wav,psd
Sherlock: find info about a nickname across sites
sudo apt install sherlock
install
theHarvester: find emails in a domain.
theHarvester is used to gather open source intelligence (OSINT) on a company or
domain.
theHarvester -d <domain> -l <count> -b <search> -f <save path>
theHarvester -d mail.ru -l 500 -b google -f /home/manifast/Desktop/file
example
-d
domain
-l
limit
-b
source to search in, one of:
anubis, baidu, bing, binaryedge, bingapi, bufferoverun,
censys, certspotter, crtsh, dnsdumpster, duckduckgo,
fullhunt, github-code, google, hackertarget, hunter, intelx,
linkedin, linkedin_links, n45ht, omnisint, otx, pentesttools,
projectdiscovery, qwant, rapiddns, rocketreach,
securityTrails, spyse, sublist3r, threatcrowd, threatminer,
trello, twitter, urlscan, virustotal, yahoo, zoomeye
-f
file name
Start Metasploit
use auxiliary/gather/search_email_collector
open the module
show options
help
set domain <dns> <search>
set domain mipt.ru search_google
Use to find the login page or other info
SQL (Structured Query Language)
is a standardized programming language that is used to manage
relational databases and perform various operations on the data in them.
PII: highlighting Personally Identifiable Information across SQL Server.
What is the 2021 OWASP Top 10 classification for this vulnerability?
Thanks:
https://null-byte.wonderhowto.com/how-to/
All bloggers who explain it.
Do you like it? Star the repo and share it with your friends!)