Basic Linux Networking Tools
Show IP configuration:
# ip a
Change IP/MAC address:
# ip link set dev eth0 down
# macchanger -m 23:05:13:37:42:21 eth0
# ip link set dev eth0 up
Static IP address configuration:
# ip addr add 10.5.23.42/24 dev eth0
DNS lookup:
# dig compass-security.com
Reverse DNS lookup:
# dig -x 10.5.23.42
Information Gathering
Find owner/contact of domain or IP address:
# whois compass-security.com
Get nameservers and test for DNS zone transfer:
# dig example.com ns
# dig example.com axfr @n1.example.com
Get hostnames from CT logs: search for %.compass-security.com on https://crt.sh.
Or using an nmap script:
# nmap -sn -Pn compass-security.com --script hostmap-crtsh
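Added example (not part of the original cheat sheet): the crt.sh query above returns JSON when `output=json` is appended; this parser extracts the unique hostnames under your own domain from such a response and additionally lists names that only appear in expired certificates, which are the usual candidates for forgotten hosts and dangling DNS records. The response below is constructed, trimmed to the crt.sh fields the code uses, and `example.org` stands in for the audited domain.

```python
import json
from datetime import datetime
from typing import Dict, Set

# Constructed sample, modelled on the JSON crt.sh returns for a query such as
# https://crt.sh/?q=%25.example.org&output=json (fields trimmed to the ones used here).
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.org",
     "name_value": "example.org\nwww.example.org",
     "not_before": "2024-04-10T00:00:00", "not_after": "2024-07-09T23:59:59"},
    {"common_name": "vpn.example.org",
     "name_value": "vpn.example.org",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T00:00:00"},
    {"common_name": "*.staging.example.org",
     "name_value": "*.staging.example.org\nstaging.example.org",
     "not_before": "2023-11-01T00:00:00", "not_after": "2024-11-01T00:00:00"},
    {"common_name": "old-intranet.example.org",
     "name_value": "old-intranet.example.org",
     "not_before": "2018-06-01T00:00:00", "not_after": "2019-06-01T00:00:00"},
    # An unrelated name that merely contains the domain string; it must be ignored.
    {"common_name": "example.org.evil.test",
     "name_value": "example.org.evil.test",
     "not_before": "2024-01-01T00:00:00", "not_after": "2025-01-01T00:00:00"},
])


def _in_scope(name: str, domain: str) -> bool:
    """True when `name` is the domain itself or a label below it (suffix match on a dot)."""
    name = name.strip().lower()
    return name == domain or name.endswith("." + domain)


def _names(entry: dict) -> list:
    """All names a crt.sh entry carries: the newline-separated SANs plus the CN."""
    names = entry.get("name_value", "").split("\n")
    names.append(entry.get("common_name", ""))
    return [n.strip().lower() for n in names if n.strip()]


def hostnames_from_crtsh(raw_json: str, domain: str) -> Set[str]:
    """Unique in-scope hostnames named in a crt.sh JSON response (wildcards kept as-is)."""
    hosts = set()
    for entry in json.loads(raw_json):
        hosts.update(n for n in _names(entry) if _in_scope(n, domain))
    return hosts


def latest_expiry(raw_json: str, domain: str) -> Dict[str, datetime]:
    """Map each in-scope hostname to the latest not_after among its certificates."""
    expiry: Dict[str, datetime] = {}
    for entry in json.loads(raw_json):
        if "not_after" not in entry:
            continue
        not_after = datetime.strptime(entry["not_after"], "%Y-%m-%dT%H:%M:%S")
        for name in _names(entry):
            if _in_scope(name, domain) and not_after > expiry.get(name, datetime.min):
                expiry[name] = not_after
    return expiry


def stale_hostnames(raw_json: str, domain: str, now) -> Set[str]:
    """Hostnames whose every known certificate expired before `now` (a datetime or 'YYYY-MM-DD')."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    return {host for host, exp in latest_expiry(raw_json, domain).items() if exp < now}


if __name__ == "__main__":
    for host in sorted(hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "example.org")):
        print(host)
    print("only expired certs:", stale_hostnames(SAMPLE_CRTSH_JSON, "example.org", "2024-06-01"))
```

For a live run, replace `SAMPLE_CRTSH_JSON` with the body fetched from the crt.sh URL in the comment; crt.sh lists every certificate ever logged, so the stale set is the part of the output worth reconciling against current DNS.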
TLS Tools
Create self-signed certificate:
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -subj "/CN=example.org/"
Start TLS Server:
# ncat --ssl -l -p 1337 --ssl-cert cert.pem --ssl-key key.pem
Connect to TLS service:
# ncat --ssl 10.5.23.42 1337
Connect to TLS service using openssl:
# openssl s_client -connect 10.5.23.42:1337
Cracking
Try SSH passwords from a wordlist:
# ncrack -p 22 --user root -P ./passwords.txt 10.5.23.0/24
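Added example (not part of the original cheat sheet): the defender-side view of the ncrack run above. The function parses OpenSSH `auth.log` lines in their standard syslog format, flags any source that produces five or more failed password logins within a minute, and reports whether the same source later logged in successfully, which is the case that needs immediate attention. The log lines are constructed; the year is assumed because this syslog format does not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample auth.log lines in the format OpenSSH writes via syslog.
SAMPLE_AUTH_LOG = """\
May  2 09:15:10 srv01 sshd[2210]: Failed password for root from 10.5.23.7 port 51234 ssh2
May  2 09:15:11 srv01 sshd[2211]: Failed password for root from 10.5.23.7 port 51236 ssh2
May  2 09:15:11 srv01 sshd[2212]: Failed password for invalid user admin from 10.5.23.7 port 51238 ssh2
May  2 09:15:12 srv01 sshd[2213]: Failed password for root from 10.5.23.7 port 51240 ssh2
May  2 09:15:13 srv01 sshd[2214]: Failed password for root from 10.5.23.7 port 51242 ssh2
May  2 09:15:14 srv01 sshd[2215]: Accepted password for root from 10.5.23.7 port 51244 ssh2
May  2 09:20:00 srv01 sshd[2300]: Failed password for alice from 192.0.2.10 port 40000 ssh2
May  2 09:21:30 srv01 sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text: str, year: int = 2024) -> List[Dict]:
    """Turn sshd login lines into events; lines that are not login results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_password_bruteforce(text: str, threshold: int = 5, window_seconds: int = 60) -> List[Dict]:
    """Per source address, flag `threshold` or more failed password logins inside any
    `window_seconds` span, and list successful logins from that source after the burst began."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for ev in parse_auth_log(text):
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["result"] == "Failed" and e["method"] == "password"]
        burst_start = None
        # Sliding window over the sorted failures: attempt i..i+threshold-1 must fit the window.
        for i in range(len(failures) - threshold + 1):
            span = failures[i + threshold - 1]["time"] - failures[i]["time"]
            if span.total_seconds() <= window_seconds:
                burst_start = failures[i]["time"]
                break
        if burst_start is None:
            continue
        success_after = [e["user"] for e in evs if e["result"] == "Accepted" and e["time"] >= burst_start]
        findings.append({
            "src": src,
            "failed_attempts": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "first_seen": burst_start.isoformat(),
            "success_after": success_after,  # non-empty means the guessing likely worked
        })
    return findings


if __name__ == "__main__":
    for finding in detect_password_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

The sample bursts against `root` and an invalid user and then succeeds as `root`; the second source fails once and then authenticates with a key, so it is not reported. Raising `threshold` or shrinking `window_seconds` tunes the rule for noisier hosts.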
Determine hash type:
# hashid 869d[…]bd88
Show example hash types for hashcat:
# hashcat --example-hashes
Crack hashes (e.g. 5600 for NetNTLMv2 type):
# hashcat -m 5600 -a 0 hash.txt /path/to/wordlists/*
Crack hashes using John the Ripper:
# john hashes.txt
Windows Privilege Escalation
Copy PowerUp.ps1 from GitHub "PowerShellMafia/PowerSploit" into PowerShell to bypass ExecutionPolicy and execute Invoke-AllChecks. Use the abuse functions.
Add a new local admin:
C:\> net user backdoor P@ssw0rd23
C:\> net localgroup Administrators backdoor /add
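Added example (not part of the original cheat sheet): the two `net` commands above leave a characteristic pair of Windows Security events, 4720 (a user account was created) followed by 4732 (a member was added to a security-enabled local group). This detection correlates the two by SID, since 4732 usually carries `MemberName` as `-`, and reports an account that was created and made a local administrator within a short window. The events are constructed JSON lines; the field names are the Security log's EventData names, and the `time` key is an assumption about how the collector stores the timestamp.

```python
import json
from datetime import datetime
from typing import Dict, List

# Constructed Windows Security events as JSON lines (EventData field names as in the
# Security log; "time" is assumed to be the collector's UTC timestamp field).
SAMPLE_EVENTS = """\
{"time": "2024-05-02T09:14:03", "EventID": 4624, "SubjectUserName": "alice", "TargetUserName": "alice"}
{"time": "2024-05-02T09:15:10", "EventID": 4720, "SubjectUserName": "alice", "TargetUserName": "backdoor", "TargetSid": "S-1-5-21-1111-2222-3333-1005"}
{"time": "2024-05-02T09:15:12", "EventID": 4732, "SubjectUserName": "alice", "TargetUserName": "Administrators", "TargetDomainName": "Builtin", "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1005"}
{"time": "2024-05-02T11:40:00", "EventID": 4732, "SubjectUserName": "svc-deploy", "TargetUserName": "Remote Desktop Users", "TargetDomainName": "Builtin", "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1042"}
{"time": "2024-05-03T08:00:00", "EventID": 4720, "SubjectUserName": "helpdesk", "TargetUserName": "jsmith", "TargetSid": "S-1-5-21-1111-2222-3333-1050"}
{"time": "2024-05-04T08:00:00", "EventID": 4732, "SubjectUserName": "helpdesk", "TargetUserName": "Administrators", "TargetDomainName": "Builtin", "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1050"}
"""

# Local groups whose membership changes are treated as privileged.
PRIVILEGED_GROUPS = {"administrators"}


def parse_events(lines: str) -> List[Dict]:
    """Load JSON-lines events and convert the timestamp to a datetime."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def find_new_local_admins(lines: str, window_seconds: int = 600) -> List[Dict]:
    """Correlate 4720 (account created) with a later 4732 that adds the same SID to a
    privileged local group within `window_seconds`; one finding per matched pair."""
    created: Dict[str, Dict] = {}  # TargetSid of a 4720 -> that event
    findings = []
    for ev in sorted(parse_events(lines), key=lambda e: e["time"]):
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["EventID"] == 4732 and ev.get("TargetUserName", "").lower() in PRIVILEGED_GROUPS:
            origin = created.get(ev.get("MemberSid"))
            if origin is None:
                continue
            gap = (ev["time"] - origin["time"]).total_seconds()
            if gap <= window_seconds:
                findings.append({
                    "account": origin["TargetUserName"],
                    "sid": ev["MemberSid"],
                    "group": ev["TargetUserName"],
                    "created_by": origin["SubjectUserName"],
                    "added_by": ev["SubjectUserName"],
                    "seconds_between": int(gap),
                })
    return findings


if __name__ == "__main__":
    for finding in find_new_local_admins(SAMPLE_EVENTS):
        print(finding)
```

With the default ten-minute window only the `backdoor` account is reported; the `jsmith` account was promoted a day after creation and only appears when the window is widened. A 4732 to Administrators that does not pair with a recent 4720 is still worth a lower-severity alert on its own.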
Scan for network shares:
# smbmap.py --host-file smbhosts.txt -u Administrator -p PasswordOrHash
Active Directory
Use SharpHound to gather information and import it into BloodHound for analysis.
Download PingCastle from pingcastle.com and generate a report.
Pass the hash