Learning how to get organized and put things in the proper place. I suspect that I’ll come back and add things like naming conventions. But this is what I got so far for organizing the information gathered during a pen test, in a directory.
As few nmap scans as possible, and name them after the network (or after whatever else makes sense). So the files may be named 192.168.10.10.gnmap and so on.
Ping files are named the same way, but are prefixed with ping-
Enum files are for enumerating a domain controller. These are prefixed with enum- and end with -dc
Service files are per host, and each file is named service-host.
All data is immediately removed and encrypted off the machine and deleted as soon as reasonably possible.
A couple posts down, I was parsing the nslookup command to get hostnames. Even easier, use the host command. The hostname seems to be the fifth string after spaces, so using cut, it might look something like:
host <ip> | cut -d " " -f5
But there will be a period at the end, so just clean that up. Next is to get the IP and the hostname in some easy format, like colon or pipe delimited.
Sometimes you gotta run a command lots of times. So let a loop do it. Here’s one example:
for ip in $(cat ips.txt); do
    nslookup $ip >> nslookups.txt
done
This will take a file of IP addresses (ips.txt) and run nslookup on each IP and output the results to nslookups.txt. Or just remove the >> nslookups.txt if you want the output to the screen.
So today I had to convert IP addresses to hostnames. Seems easy enough, just use nslookup. But I had more than 400 IPs that needed to be converted. Ugh. So we need to do a little parsing.
First, take the IP addresses and get the host information. Let’s script this.
for ip in $(cat ips.txt); do
    nslookup $ip >> nslookups.txt
done
This will do an nslookup for each of the IPs in the ips.txt file. Great! Now we need to parse it. This should be pretty easy to just look for “name=” except sometimes, there isn’t a hostname and then “name=” doesn’t appear. So instead we look for something else that is always in there, regardless of whether there is a hostname. It seems the string “arpa” matches this. So the next step is to find that and then cut the hostname, or something that doesn’t look like a hostname if there isn’t one.
grep arpa nslookups.txt | cut -d " " -f3 > hostnames.txt
When this finishes, the hostnames.txt file will have one string per line, either the hostname or the word “can’t”. At this point, do a find/replace for “can’t” and make it blank (since there isn’t a hostname for that IP).
Now you have two files, one with all the IPs and one with the hostnames. Put them in two Excel columns and match them up. There is one more problem here that I haven’t found a good solution for yet. Some of the IPs may have more than one hostname. So when you match up the columns in Excel, you’ll likely have more hostnames than IPs. Unfortunately the only solution I have so far is to read through the nslookups.txt file, find the entries with more than one hostname and then manually fix this in the Excel file. It takes a little bit of time, but definitely better than running nslookup manually hundreds of times.
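The following is an added example, not code from the original posts. It does in one pass what the posts above do with host/nslookup, grep, cut and Excel: it turns the output of the host command into ip|hostname lines, leaves the hostname blank when there is no PTR record, and writes one line per name when an IP has several, so the two columns stay aligned. The sample host output and the example.com names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Converts reverse lookups
# into "ip|hostname" lines: blank hostname when there is no PTR record, and
# one line per name when an IP has several, so the columns stay aligned.

# Output of "host" for three IPs, constructed for this example.
SAMPLE_HOST_OUTPUT='5.0.0.10.in-addr.arpa domain name pointer web1.example.com.
Host 6.0.0.10.in-addr.arpa not found: 3(NXDOMAIN)
7.0.0.10.in-addr.arpa domain name pointer mail.example.com.
7.0.0.10.in-addr.arpa domain name pointer smtp.example.com.'

# parse_host_output: reads raw "host" output on stdin, writes ip|hostname.
# The hostname is the fifth field (as the post notes); its trailing period is
# stripped, and the d.c.b.a.in-addr.arpa name is turned back into a.b.c.d.
parse_host_output() {
    awk '
    function ip_from_arpa(arpa,    parts) {
        split(arpa, parts, ".")
        return parts[4] "." parts[3] "." parts[2] "." parts[1]
    }
    /domain name pointer/ {
        name = $5
        sub(/\.$/, "", name)
        print ip_from_arpa($1) "|" name
        next
    }
    /not found/ { print ip_from_arpa($2) "|" }'
}

# resolve_ips FILE: live version; runs "host" on each IP in FILE (one per
# line) and feeds everything through the parser. Needs DNS access.
resolve_ips() {
    while read -r ip; do
        [ -n "$ip" ] && host "$ip"
    done < "$1" | parse_host_output
}

# Example run on the constructed sample (no network needed).
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | parse_host_output
```

Against a real ips.txt, `resolve_ips ips.txt > hosts.txt` gives a pipe-delimited file that imports straight into a spreadsheet without the manual matching step.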
Had a little bit of trouble figuring it out, so adding the format that I found here:
# wfuzz -c -z file,/usr/files/userfile -z file,/usr/files/passfile --ntlm FUZZ:FUZ2Z https:///
In a nutshell, each -z payload maps, in order, to a placeholder: the first -z fills FUZZ, the second fills FUZ2Z, the third FUZ3Z, and so on.
defaults write com.apple.screencapture location ~/Pictures/
Since this is a reference for when I forget:
export PATH=$PATH:<whatever else to add to the path>
- Save as foo.c
- Compile: gcc foo.c -o foo
- sudo chmod u+s foo
Once sshdroid (https://play.google.com/store/apps/details?id=berserker.android.apps.sshdroid&hl=en) is installed on a rooted device, start zipping around, like in /data/user/0/<packagename>/shared_prefs
To log on, you might first need to turn off “Enable root” in sshdroid. After logging in with ssh root@<ip> -p 2222, simply su.
ADB, the Android Debugging Bridge. If you want it to connect to Android > 4.2.2, or in other words, anything from this century, you can’t use anything less than ADB 1.0.31. By default, mobisec comes with 1.0.29, so even if the device is rooted, the device appears to be offline.
To upgrade adb: First download android-sdk-linux from here: https://developer.android.com/studio/index.html, near the bottom where it says “Just the tools”. Once you download, unzip and all that, cd into android-sdk-linux and run: tools/android update sdk --no-ui
To get 32-bit adb: http://askubuntu.com/questions/710426/android-sdk-on-ubuntu-32bit, as of this writing, it resulted in version 1.0.32 of adb.
Installing Drozer: (Drozer site) Need the .apk for the device, and the platform. Both are available at the Drozer page. Start up the agent on the device, and it should be running on tcp:31415, then do the port forwarding in the platform. If the device and the platform connect, all good, and fire away!
Extra Drozer Modules: https://github.com/mwrlabs/drozer-modules
Drozer User’s Guide:
If we get:
mobisec@mobisec:~$ adb devices
List of devices attached
8753afe5 no permissions
Then stop and start the server with sudo.
Another good resource: https://securitycafe.ro/2015/07/08/mobile-penetration-testing-using-drozer/
Video overview by the developer: https://www.concise-courses.com/infosec/drozer/
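An added example, not code from the original post, that checks the two ADB problems described above before attaching Drozer: an adb older than 1.0.31 (device shows as offline) and the “no permissions” state (stop and start the server with sudo). The device listings are constructed for the demonstration, the first one matching the post; adb is assumed to be on PATH only for the live port-forward helper at the bottom.

```shell
#!/bin/sh
# Added example, not from the original post. Checks adb version and device
# state before connecting the Drozer console to the agent on the device.

MIN_ADB_VERSION="1.0.31"   # minimum the post gives for Android > 4.2.2

# adb_version_ok VERSION: succeeds if VERSION >= MIN_ADB_VERSION, comparing
# major.minor.patch numerically rather than as strings.
adb_version_ok() {
    have=$(printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d", $1, $2, $3 }')
    need=$(printf '%s\n' "$MIN_ADB_VERSION" | awk -F. '{ printf "%d%03d%03d", $1, $2, $3 }')
    [ "$have" -ge "$need" ]
}

# device_state LISTING: classifies the first device in "adb devices" output as
# ok, noperm, offline or none (anything else is printed as adb reported it).
device_state() {
    printf '%s\n' "$1" | awk '
        /^List of devices/ || /^\*/ { next }      # header and daemon notices
        NF >= 2 && !seen {
            seen = 1
            if ($2 == "device") print "ok"
            else if ($2 == "no" && $3 == "permissions") print "noperm"
            else print $2
        }
        END { if (!seen) print "none" }'
}

# Listings constructed for this example; the first matches the post.
LISTING_NOPERM='List of devices attached
8753afe5 no permissions'
LISTING_OK='List of devices attached
8753afe5 device'

# drozer_forward: live helper, maps the agent port the post names (tcp:31415)
# to localhost so the Drozer console on the platform can connect.
drozer_forward() {
    adb forward tcp:31415 tcp:31415
}
```

A “noperm” result is the case shown above, where restarting the adb server with sudo fixes it; “offline” with an old adb means upgrade first.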