Follow

Basic Networking Tools

Show IP configuration:
# ip a lw

Change IP/MAC address:
# ip link set dev eth0 down
# macchanger -m 23:05:13:37:42:21 eth0
# ip link set dev eth0 up

Static IP address configuration:
# ip addr add 10.5.23.42/24 dev eth0

DNS lookup:
# dig compass-security.com

Reverse DNS lookup:
# dig -x 10.5.23.42

Information Gathering

Find owner/contact of domain or IP address:
# whois compass-security.com

Get nameservers and test for DNS zone transfer:
# dig example.com ns
# dig example.com axfr @n1.example.com

Get hostnames from CT logs: Search for
%.compass-security.com on crt.sh.

Or using an nmap script:
# nmap -sn -Pn compass-security.com
–script hostmap-crtsh

TLS Tools

Create self-signed certificate:
# openssl req -x509 -newkey rsa:2048
-keyout key.pem -out cert.pem -nodes
-subj “/CN=example.org/”

Start TLS Server:
# ncat –ssl -l -p 1337 –ssl-cert
cert.pem –ssl-key key.pem

Connect to TLS service:
# ncat –ssl 10.5.23.42 1337

Connect to TLS service using openssl:
# openssl s_client -connect
10.5.23.42:1337

Show certificate details:
# openssl s_client -connect
10.5.23.42:1337 | openssl x509 -text

Test TLS server certificate and ciphers:
# sslyze –regular 10.5.23.42:443

TCP to TLS proxy:
# socat TCP-LISTEN:2305,fork,reuseaddr
ssl:example.com:443

Online TLS tests:
ssllabs.com, hardenize.com

HP TOOLz 👇🌟🌟👇

Useful tcpdump options:

-i interface: Interface or any for all
-n: Disable name and port resolution
-A: Print in ASCII
-XX: Print in hex and ASCII
-w file: Write output PCAP file
-r file: Read PCAP file

Vulnerability DBs and Exploits

Exploit search (local copy of the Exploit-DB):
# searchsploit apache

Show exploit file path and copy it into clipboard:
# searchsploit -p 40142

Online vulnerability and exploit databases:

cvedetails.com, exploit-db.com,
packetstormsecurity.com

Cracking

Try SSH passwords from a wordlist:
# ncrack -p 22 –user root -P
./passwords.txt 10.5.23.0/24

Determine hash type:
# hashid 869d[…]bd88

Show example hash types for hashcat:
# hashcat –example-hashes

Crack hashes (e.g. 5600 for NetNTLMv2 type):
# hashcat -m 5600 -a 0 hash.txt
/path/to/wordlists/*

Crack hashes using John the Ripper:
# john hashes.txt

Windows Privilege Escalation

Copy PowerUp.ps1 from GitHub “PowerShellMafia/
PowerSploit” into PowerShell to
bypass ExecutionPolicy and execute Invoke-
AllChecks. Use the abuse functions.

Add a new local admin:
C:\> net user backdoor P@ssw0rd23
C:\> net localgroup Administrators
backdoor /add

Scan for network shares:
# smbmap.py –host-file smbhosts.txt –
u Administrator -p PasswordOrHash

Windows Credentials Gathering

Start Mimikatz and create log file:
C:\>mimikatz.exe
# privilege::debug
# log C:\tmp\mimikatz.log

Read lsass.exe process dump:
# sekurlsa::minidump lsass.dmp
Dump lsass.exe in taskmgr or procdump.

Show passwords/hashes of logged in users:
# sekurlsa::logonpasswords

Backup SYSTEM & SAM hive:
C:\>reg save HKLM\SYSTEM system.hiv
C:\>reg save HKLM\SAM sam.hiv

Extract hashes using Mimikatz:
# lsadump::sam /system:system.hiv
/sam:sam.hiv

Active Directory

Use SharpHound to gather information and import
into Bloodhound to analyze

Download PingCastle from pingcastle.com and
generate Report

Sign in to participate in the conversation

CounterSocial is the first Social Network Platform to take a zero-tolerance stance to hostile nations, bot accounts and trolls who are weaponizing OUR social media platforms and freedoms to engage in influence operations against us. And we're here to counter it.