- #metasploit postgres database commands
- sudo apt-get install postgresql
- sudo -u postgres createuser --superuser $USER
- sudo -u postgres psql
- postgres=# \password username
- postgres=# CREATE DATABASE metasploit; - (run inside the psql prompt; `createdb metasploit` is the equivalent shell command, not a psql command)
- #metasploit database commands
- load db_mysql
- db_create root:mydbpass@localhost/metasploit
- db_connect root:mydbpass@localhost/metasploit
- db_destroy root:mydbpass@localhost/metasploit
- db_add_host - Add one or more hosts to the database
- db_add_note - Add a note to host
- db_add_port - Add a port to host
- db_autopwn - Automatically exploit everything
- db_hosts - List all hosts in the database
- db_import_nessus_nbe - Import a Nessus scan result file (NBE)
- db_import_nmap_xml - Import an Nmap scan results file (-oX)
- db_nmap - Executes nmap and records the output automatically
- db_notes - List all notes in the database
- db_services - List all services in the database
- db_vulns - List all vulnerabilities in the database
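The -oX file that db_import_nmap_xml consumes is plain XML; the following is an added example (not Metasploit's own importer) that parses it into the host and service records db_hosts and db_services list. The XML inside it is a constructed sample, not output of a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan), reduced to the
# elements the importer reads: status, addresses, hostname, ports, OS match.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.168.1.0/24" version="7.94">
 <host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.161" addrtype="ipv4"/>
  <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
  <hostnames><hostname name="target.lab" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
    <service name="http" product="Apache httpd" version="2.4.41"/></port>
   <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
  </ports>
  <os><osmatch name="Linux 5.X" accuracy="95"/></os>
 </host>
 <host><status state="down" reason="no-response"/>
  <address addr="192.168.1.162" addrtype="ipv4"/>
 </host>
</nmaprun>"""

def import_nmap_xml(xml_text):
    """Parse nmap -oX output into host records with their open services.
    Hosts that are down and ports that are not open are skipped; the
    service "info" field is product + version, as the services table shows it."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        hostname, osmatch = h.find("hostnames/hostname"), h.find("os/osmatch")
        services = []
        for p in h.findall("ports/port"):
            state, svc = p.find("state"), p.find("service")
            if state is None or state.get("state") != "open":
                continue
            info = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            services.append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                             "name": svc.get("name") if svc is not None else None, "info": info})
        hosts.append({"address": addrs.get("ipv4"), "mac": addrs.get("mac"),
                      "hostname": hostname.get("name") if hostname is not None else None,
                      "os": osmatch.get("name") if osmatch is not None else None,
                      "services": services})
    return hosts
```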
- #start the remote procedure call daemon for Armitage
- msfrpcd -f -U msf -P test -t Basic
- starts msfrpcd in the foreground with user msf, password test and an SSL listener on the default port 5555
- #nessus metasploit commands
- msf > load nessus
- msf > nessus_help
- msf > nessus_connect dook:s3cr3t@192.168.1.100
- msf > nessus_policy_list
- msf > nessus_scan_new 1 pwnage 192.168.1.161 (where 1 is the policy number)
- msf > nessus_scan_status
- msf > nessus_report_list
- msf > nessus_report_get 9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f
- msf > hosts -c address,vulns
- msf > vulns
- #nmap TCP Scans
- #basics
- -sS (TCP SYN scan)
- -sT (TCP connect scan)
- -sU (UDP scans)
- -sV (Version Detection)
- -sY (SCTP INIT scan)
- -sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)
- Null scan (-sN)
- FIN scan (-sF)
- Xmas scan (-sX)
- -sA (TCP ACK scan)
- -sW (TCP Window scan)
- -sM (TCP Maimon scan)
- --scanflags URGACKPSHRSTSYNFIN (Custom TCP scan) - any combination of URG, ACK, PSH, RST, SYN, and FIN.
- -sZ (SCTP COOKIE ECHO scan)
- -sI [:] (idle scan)
- -sO (IP protocol scan) (TCP, ICMP, IGMP, etc.)
- -b (FTP bounce scan) (ARG::@:. )
- -O (OS Detection)
- -p XX (check only this port, XX = port number)
- #details
- -sS (TCP SYN scan) stealthy; differentiates between the open, closed, and filtered states.
- -sT (TCP connect scan) uses the connect() system call of the Berkeley Sockets API to obtain status info
- -sU (UDP scans) DNS, SNMP, and DHCP; combine with a TCP scan type such as SYN scan (-sS)
- ---- the --data-length option can be used to send a fixed-length random payload to every port.
- ---- Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.
- -sY (SCTP INIT scan) SCTP combines characteristics of TCP and UDP, plus multi-homing and multi-streaming
- ---- used for SS7/SIGTRAN
- ---- quick, unobtrusive and stealthy
- -sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)
- ---- add --scanflags for more options
- ---- exploit a loophole in the TCP RFC to differentiate open and closed ports
- Null scan (-sN)
- ---- Does not set any bits (TCP flag header is 0)
- FIN scan (-sF)
- ---- Sets just the TCP FIN bit.
- Xmas scan (-sX)
- ---- Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
- -sA (TCP ACK scan)
- ---- never determines open (or even open|filtered) ports
- ---- map out firewall rulesets
- -sW (TCP Window scan)
- ---- differentiate open ports from closed ones
- ---- examining the TCP Window field of the RST packets returned
- ---- lists the port as open or closed
- -sM (TCP Maimon scan)
- ---- same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK
- --scanflags (Custom TCP scan)
- ---- allows you to design your own scan by specifying arbitrary TCP flags
- ---- can be a numerical flag value such as 9 (PSH and FIN), but using symbolic names is easier.
- ---- any combination of URG, ACK, PSH, RST, SYN, and FIN.
- ---- For example, --scanflags URGACKPSHRSTSYNFIN sets everything
- -sZ (SCTP COOKIE ECHO scan)
- ---- more advanced SCTP scan
- ---- not as obvious a port scan as an INIT scan
- ---- non-stateful firewall rulesets blocking INIT chunks, but not COOKIE ECHO chunks
- -sI [:] (idle scan)
- ---- allows for a truly blind TCP port scan of the target
- ---- zombie host must be up and meet certain criteria
- ---- more info in TCP Idle Scan (-sI)
- -sO (IP protocol scan)
- ---- determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target
- ---- cycles through IP protocol numbers rather than TCP or UDP port numbers
- -b (FTP bounce scan)
- ---- detect proxy FTP connections
- ---- It takes an argument of the form :@:.
- ---- is the name or IP address of a vulnerable FTP server.
- ---- if the credentials are omitted, the defaults are used (user: anonymous, password: -wwwuser@)
- ---- the default FTP port (21) is used if the port is omitted
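The scan types above are defined by the TCP flags set on the probe, and --scanflags accepts either the numeric value (9 = PSH and FIN) or the concatenated names. The following is an added example (not from the original notes or from nmap) that encodes that mapping from the defender's side: it parses a --scanflags spec, names the scan type a given flag combination corresponds to, and flags sources that probe several ports with flag combinations no normal client ever sends. The probe list is a constructed sample.

```python
# TCP header flag bits (low bit = FIN), the same names nmap's --scanflags takes
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
FIN, SYN, RST, PSH, ACK, URG = (FLAG_BITS[n] for n in ("FIN", "SYN", "RST", "PSH", "ACK", "URG"))

def parse_scanflags(spec):
    """Turn an nmap --scanflags argument into a flag bitmask: either the
    numeric form ("9" -> PSH|FIN) or concatenated names ("URGACKPSHRSTSYNFIN")."""
    if spec.isdigit():
        return int(spec) & 0x3F
    mask, rest = 0, spec.upper()
    while rest:
        for name, bit in FLAG_BITS.items():
            if rest.startswith(name):
                mask |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unknown TCP flag in {spec!r} at {rest[:3]!r}")
    return mask

# Probe shapes of the scan types listed above. A real client never opens a
# connection with any of the first four, so unsolicited packets carrying them
# are a strong scan signal; SYN and ACK probes also occur in normal traffic.
PROBE_TYPES = {
    0: "NULL scan (-sN)",
    FIN: "FIN scan (-sF)",
    FIN | PSH | URG: "Xmas scan (-sX)",
    FIN | ACK: "Maimon scan (-sM)",
    SYN: "SYN scan (-sS) or ordinary connect",
    ACK: "ACK scan (-sA) / Window scan (-sW)",
}
ANOMALOUS = {0, FIN, FIN | PSH | URG, FIN | ACK}

def classify_probe(flags):
    """Name the scan type an unsolicited probe with these flags most likely is."""
    return PROBE_TYPES.get(flags & 0x3F, "custom flags (--scanflags)")

def find_scanners(probes, min_ports=3):
    """probes: iterable of (src_ip, dst_port, tcp_flags) for packets that did not
    belong to an established connection. Returns {src_ip: (scan_type, n_ports)}
    for sources that hit at least min_ports distinct ports with anomalous flags."""
    seen = {}
    for src, dport, flags in probes:
        if (flags & 0x3F) in ANOMALOUS:
            seen.setdefault((src, classify_probe(flags)), set()).add(dport)
    return {src: (kind, len(ports)) for (src, kind), ports in seen.items()
            if len(ports) >= min_ports}

# Constructed sample: an Xmas scan from 10.0.0.5 plus ordinary SYN connects.
SAMPLE_PROBES = [("10.0.0.5", p, FIN | PSH | URG) for p in (22, 80, 443, 445)] + \
                [("10.0.0.9", 80, SYN), ("10.0.0.9", 443, SYN), ("10.0.0.5", 8080, SYN)]
```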
- #Wireless commands for airodump, airmon and airbase
- airmon-ng start <interface>
- will create a monitor-mode interface mon<#>
- airodump-ng mon<#>
- start watching stations
- use: TAB - enable scrolling
- use: a - to cycle the view between clients only, APs + clients, or APs only
- airbase-ng --bssid "##:##:##:emulate-bssid" --essid "SSID NAME" -c <channel> -P <interface>
- ---- start a fake AP with the given bssid and essid on a specific interface; -P accepts all probe requests
- add -F filename -- to capture packets into a pcap file
- Karmetasploit
- airbase-ng -P -C 30 -e "Free WiFi" -v mon0 >logfile.txt
- starts airbase-ng
- creates the interface at0
- the redirect logs the output to a file
- you will need to tail the logfile to see the output
- ifconfig at0 up 192.168.2.129 netmask 255.255.255.128
- brings up at0 with an IP address (must match the routers and subnet lines in the dhcpd.conf below)
- dhcpd3 -cf /etc/dhcpd3/dhcpd.conf at0
- starts dhcp server with at0 as the router
- ps aux |grep dhcp
- checks status of dhcp server
- tail /var/log/messages -f
- monitors dhcp server issuing ip addresses
- tcpdump -i at0 -vv -w file.txt
- dump at0 into a file
- tcpdump -r filename.txt <- to read the file
- msf> resource karma.rc
- Sample WEP Keys
- 5E119462A69F05C758D06A323D
- 6a2a357543595634595d6a3e3542693c
- 6f68686f777363616e64616c6f7573
- DHCP setup for capture mode - dhcpd.conf:
- ddns-update-style ad-hoc;
- default-lease-time 600;
- max-lease-time 7200;
- subnet 192.168.2.128 netmask 255.255.255.128 {
-   option subnet-mask 255.255.255.128;
-   option broadcast-address 192.168.2.255;
-   option routers 192.168.2.129;
-   option domain-name-servers 4.2.2.2, 128.8.5.2;
-   range 192.168.2.130 192.168.2.140;
- }
- script to get the capture and forward started
- WPA Cracking:
- airmon-ng start wlan1 3
- start monitor
- 3 - is the channel (optional)
- airodump-ng -c 3 --bssid $AP -w capturefile mon0
- Start the dump into a capture file - capturefile (-c is the channel)
- aireplay-ng -0 1 -a $AP -c $VIC mon0
- Start the deauthentication of a client
- -0 deauth attack with one deauth request
- -c is the MAC of the client to deauth
- other aireplay-ng attacks in the MAN file
- cowpatty -r capturefile.pcap -f /path/to/passwordlist -2 -s "AP name"
- start the cowpatty password recovery from a wordlist
- cowpatty -r capturefile.pcap -d /path/to/hashfile -s "AP name"
- start cracking the file with rainbow table option
- aircrack-ng -w /path/to/passwordlist capturefile.pcap
- start aircrack with a password file
- Passwords
- dump windows hashes
- # bkhive systemhive keyfile
- dump the hive into a keyfile
- (win7) systemhive = c:\windows\system32\config\system
- # samdump2 samhive keyfile > hashes.txt
- dump hashes into a hashes.txt file
- (win7) samhive = c:\windows\system32\config\sam
- truecrack
- tool to test for weak truecrypt passwords
- # truecrack -v -t /dev/device-or-volume -w /path/to/wordlist
- you can use either device or file volume
- Disk operations and forensics
- Disk Imaging - disk to image dump
- # ./dd_rescue /dev/ /location/image.img
- # tsk_recover -a /locations/image.img /location/where-to-store-files