2020-05-17-Metasploit Penetration Testers Guide

Finished reading Metasploit Penetration Testers Guide. In summary, it is a tool-oriented book and somewhat outdated; for example, the msfpayload tool it describes has since been replaced by msfvenom. Still, after reading it I have a deeper understanding of Metasploit's overall structure, and it covers some advanced topics such as Meterpreter scripts and importing external exploit code into Metasploit. For beginners like me it is still worth reading, but keep practicing while reading, because that is the only way to discover the tool's current usage.

Metasploit

Table of Contents Intelligence Gathering Passive Information Gathering Whois Lookup NetCraft NSLookup Active Information Gathering Nmap Ipidseq Scan Running Nmap from MSFconsole Port Scan in MSF Targeted Scanning Server Message Block Scanning Microsoft SQL Servers SSH Server Scanning FTP Scanning Simple Network Management Protocol Sweeping Vulnerability Scanning The Basic Vulnerability Scan Specialty Vulnerability Scanners Validating…

Hands On Penetration Testing on Windows – Chapter 1

Table of Contents Bypassing Network Access Control Bypassing MAC Filtering Set Up Tools Required Set Up Detail Bypassing Network Access Control Bypassing MAC Filtering You have physical access to the facility and have found yourself an operational VoIP phone (or anything else that has a MAC address to connect to the internal network) and its MAC…

0x10-HackTheBox-Active

Table of Contents Command History Set Up Recon Nmap Smbclient Gpp-decrypt Foothold GetUserSPNs.py JohnTheRipper Psexec.py Final Words What is Kerberos? How Does It Work? Mitigations References Command History Nmap – found ports open, pretty much confirmed that this is an AD DC – effective – valuable smbclient – found share folders – effective – valuable…

0x0F-HackTheBox-Control

Table of Contents Command History Set Up Recon Masscan Nmap Check out the Website Gobuster The Login Page Burp Suite SQL Injection Probe Sqlmap Side Notes: How Sqlmap Works Foothold MySQL Database WinPEAs Sqlmap Dump All Info Powershell Code Execution PHP File Solution Final Thoughts References Command History masscan – found several service ports -…

0x0E-HackTheBox-OpenAdmin

Table of Contents Command History Set Up Recon Masscan Check Out Website Gobuster Manual Explore Foothold Manual Enumeration MySQL Linenum LinPEAs Go Back and Review SSH Brute Force JohnTheRipper Final Thoughts References Command History masscan – found open port 22, 80 – effective nmap – scan for services – effective gobuster – found three hidden…

Tricks

Table of Contents General Linux Metasploit Port Forwarding Sed Less SSH SSH Tunnel Bash NetCat Nmap Wget PHP File Upload Script and Web Server Tcpdump Windows Burp Suite General Put GIF8; on top of payload to make it a GIF image file type. Linux Metasploit Import xml to database. nmap -Pn -sS -A -oX Subnet1…

Databases

Table of Contents MySQL Enumeration Manual SQL Injection Sqlmap Foothold Sqlmap Mysqldump MSSQL Enumeration Mssql_ping Mssql_enum Mssql_enum_logins Mssql_schemadump Brute Forcing Mssql_login Jtr_mssql_fast Foothold Mssqlclient.py Mssql_payload Lateral Movement Mssql_hashdump XP_cmdshell Privilege Escalation Mssql_escalate_dbowner Mssql_escalate_execute_as MySQL Enumeration Manual SQL Injection If a search field is vulnerable to injection, use the techniques below # in burp suite check the…

Active Directory 101 – LDAP

Basically speaking, LDAP is a network protocol that can be used to talk to Active Directory. In Windows Servers, LDAP can be integrated as a feature alongside AD, to add authentication/authorization scalability to the entire system. It is too big a topic for me to write about here. Here are some good references to read about…

0x0D-HackTheBox-Cascade

Table of Contents Command History Set Up Recon Masscan Nmap Rpcclient Smbclient Enum4linux Nmap Read More Ldapsearch Samba on 139,445 Rpc DNS on 53 Kerberos on 88 Evil-winrm Foothold Privilege Escalation Manual Enumeration PowerView.ps1 Go Back to Check the Command List Crack the LDAP Encoded Thing Evil-winrm Some Assessment Final Thoughts References Command History Reference…