Steinz Security

We are going to Install Arch Linux from Scratch Download Arch ISO from official website Use it via VirutalBox or VMware - give around 2GB of ram & 16gb of disk space Start the VM #Check Internet Access ping archlinux.org #Set Time & Date timedatectl set-ntp true Creating a Partition #Check the partitions fdisk -l #Create partition using cfdisk cfdisk #Create a partition, allocate space & select it as bootable --> Create --> exit #you can choose to create a swap space if required to hibernate.  #Creating File System, i choose /dev/sda2 as that's where i am looking to install the file system mkfs.ext4 /dev/sda2 #Creating Swap Memory mkswap /dev/sda1 #Mount the drives mount /dev/sda2 /mnt swapon /dev/sda1 Installing Required Tools pacman -Sy pacman -S archlinux-keyring pacstrap -i /mnt base base-devel linux-lts linux-firmware dhcpcd vim nano iputils netctl networkmanager grub Adding drive UUID to fstab genfstab -U /mnt >> /mnt/etc/fstab cat /mnt/etc/fstab arch-

 Commands for easy file transfer  tar I guess tar compress is better than zip #Compress tar -czvf filename.tar file.txt #Decompress tar -xvf compressed.tar 7z #Compress/archive the file 7z a filename.7z file.txt #Compress as a zip archive - zip, gzip, bzip2 7z a -tzip filename.zip file.txt #Extract the contents of 7z 7z e filename.7z zip #Compress zip filename.zip file.txt zip -9 filename.zip file.txt #Compress recursively zip –m filename.zip file.txt -r #Decompress unzip filename.zip Base64 Linux #encode base64 filename.txt cat filename.txt | base64 > file #Decode base64 -d filename.txt Windows #Encode certutil.exe -encode .\b.zip output.txt #Decode certutil.exe -decode .\a.txt output.zip Copying Large Files from Linux via Terminal tar -czvf filename.tar file.txt zip -9 filename.zip file.txt cat file.txt | base64 > new #copy the base64 encoded content to clipboard manually or by using below command xclip -sel clip new #save the contents to a new file and

LDAP - Port 389 or LDAP SSL on Port 636 Nmap Scan map -n -sV --script "ldap* and not brute" -p389,636,3268,3269 10.10.10.10 nmap -sC -Pn -p389,636,3268,3269 10.10.10.10 #DUMP Everything from LDAP - Anonymous ldeep ldap -a -d STEINS.local -s ldap://10.10.10.10 all dump #Dump as an Authenticated User ldeep ldap -u Administrator -p 'password' -d steins.local -s ldap://10.0.0.1 all dump Basic LDAP Search Commands #Get FULL Domain Name and it's contexts ldapsearch -x -h 10.10.10.10 -s base namingcontexts ldapsearch -H ldap://10.10.10.10 -x -s base namingcontexts #Dump accessible data from ldap ldapsearch -x -h forest.htb.local -s sub -b 'DC=HTB,DC=LOCAL' | tee ldap_dump.txt #Dumping passwords using LDAP: ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd ldapsearch -x -h 10.10.10.254 -D <<username>> -w <<password>> -b "dc=AJLAB,dc=COM" "(ms-MCS-AdmPwd=*)"

  TCPDUMP Usage tcpdump is by default installed on most of the linux machine, you can run it by "sudo tcpdump" • Protocol : ether, ip, ip6, arp, rarp, tcp, udp: protocol type • Type : host [host]: Only give me packets to or from that host net [network]: Only packets for a given network port [portnum]: Only packets for that port portrange [start-end]: Only packets in that range of ports • Direction : src: Only give me packets from that host or port dst : Only give me packets to that host • Use "and" or "or" to combine these together • Use "not" to negate -n Host IP addresses and port numbers instead of names -i interface Sniff on a particular interface (-D lists interfaces) -v Be verbose (show TTL, IP ID, Total Length, IP options, and so on) -w Dump packets to a file (use -r to read file later) -x Print hex -X Print hex and ASCII -A Print ASCII #View the traffic from all interfaces on host 10.10.10.10 or port 443 sudo tcpdump -s 0 -i any host 10.1

  Use the below script to create wordlists : can be used to create usernames for detecting domain users Give a list of users as input, it will append alphabets (A-Z) to all the username (before and after) better to use it with Seclists

nmap Scanning nmap -sC -sV --script vuln,vulners --script-args mincvss=7.0 -p5432,5433 -Pn 10.10.10.10 #make sure to check for vulnerable versions Bruteforcing Postgres Creds #Using Metasploit use auxiliary/scanner/postgres/postgres_login #using Hydra hydra -L /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt -P /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt 10.10.10.10 postgres Default Username & Passwords: ● postgres : postgres ● postgres : password ● postgres : admin ● admin : admin ● admin : password root : root #or for a better wordlist cp /usr/share/wordlists/seclists/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt . cat postgres-betterdefaultpasslist.txt | cut -f1 -d":" > user.txt cat postgres-betterdefaultpasslist.txt | cut -f2 -d":" > pass.txt Accessing remote Postgresql server psql -h 10.10.10.10 -U USERNAME psql -h <host> -U <username> -d <database>

  #Find the DNS server nmap --script vuln,vulners --script-args mincvss=7.0 -sC -sV -p 53 --open 10.10.0.0/16 nmap -sU -sV --script "dns* and (discovery or vuln) and not (dos or brute)" -p53 10.10.10.10 #DNS Server Processes Unauthoritative Recursive Queries nmap -Pn -p 53 -sU --script dns-recursion 10.10.10.10 #DNS Server Cache Snooping Remote Information Disclosure nmap -Pn -sU -sV -p 53 --script dns-cache-snoop 10.10.10.10 #DNS Enum via Metasploit auxiliary/gather/enum_dns auxiliary/scanner/dns/dns_amp # DNS Enum nslookup >SERVER 10.10.10.1 # Give the ip address of the server to find its hostname > 10.10.10.10 10.10.10.10.in-addr.arpa name = host02.test.domain. dig axfr host02.test.domain @10.10.10.1 #Find the Domain Name of the DC ldapsearch -x -h "10.10.10.1" -s base #Find some info or creds ldapsearch -LLL -x -H ldap://DOMAIN.FQDN.COM -b '' -s base '(objectclass=*)' Dns Enum via DIG dig @[server] [name] [type] Dig -t SRV _g