Web Enumeration
Password Cracking
Linux Priv Esc
msfconsole
HODGEPODGE
100

Can be used to identify and exploit SQL injection vulnerabilities against various database engines

What is sqlmap?

100

For the John the Ripper tool, cracked passwords are stored in this file.

What is john.pot?

100

This command tells us what other commands/binaries we're allowed to run as sudo without a password

What is sudo -l?

100

Penetration testers can use this Metasploit Framework program to create malicious stand-alone payload files

What is msfvenom?

100

A file with this special permission always executes as the user who owns the file, regardless of the user passing the command.

What is SUID?

200

This type of XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way

What is reflected XSS?

200

Automated injection of stolen username and password pairs into login forms

What is credential stuffing?

200

This level of exploit for priv esc can leave the system in an unstable state, which is why you should only run them as a last resort!

What are kernel exploits?

200

This module is a stub that provides all of the features of the Metasploit payload system to exploits that have been launched outside the framework; it lets you configure Metasploit to wait for inbound connections from compromised targets. When it receives a connection, it pushes back a Metasploit payload to run on the target

What is exploit/multi/handler?

200

The following command is used for what:

strings /dev/mem -n10 | grep -i PASS

What is finding in-memory passwords?

300

A unique, secret, unpredictable value that is generated by a server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client

What is a cross-site request forgery (CSRF) token?

300

This technique is the opposite of the case where we know a user name and want to brute-force the password of that account; in this instance, we have a lot of usernames and only one password we want to try

What is password spraying?

300

After specifying the passwd and the shadow file, this native Linux utility will spit out a passwd file in which all of the placeholder x's are replaced with the actual password hashes

What is "unshadow"?

300

This command in Metasploit with the -l option (for list) will give an inventory of the connections it is managing for us between compromised systems and our machine

What is "sessions" (sessions -l)?

300

Cron jobs are an avenue for potential privilege escalation. But be wary: if you use this command without any arguments, it will erase all current cronjob listings in the crontab.

What is "crontab"?

Additionally, using the crontab command will leave an entry in the cron log!

400

A web security vulnerability that allows an attacker to execute arbitrary operating system commands on the server that is running an application, and typically fully compromise the application and all its data

What is OS command injection?

400

When using the Hydra GUI, leaving the port for a specified protocol set as "0" does this...

What is "uses the default port for each given protocol"?

400

An attribute of an NFS share that means that a folder is sharable, can be mounted, and we can access it as root

What is "no_root_squash"?

400

We can use this Meterpreter feature to potentially elevate privileges, blend in with our environment better, or bind to a more stable service.

What is migrate processes?

400

If I am expecting output of a command or action to my screen in Metasploit and it's not there, I should look here instead.

What is "cat /root/.msf6/loot/"?

Loot/ is everything that you acquire throughout the operation, such as screen captures and hashes.

500

This technique is a way of bypassing blacklisting for file type validation

What is obfuscating file extensions?

EXAMPLES:

Change the case: .pHp instead of .php

Provide multiple extensions: exploit.php.jpg

Add trailing characters: exploit.php.

Use URL encoding: exploit%2Ephp

500

This Linux tool can be used to trim your dictionary file to the password requirements of the target. It reads passwords in and prints those which meet the requirements.

Hint: used in our Hydra lab!

What is pw-inspector?

500

Process privileges traditionally associated with the superuser are divided into these distinct units; more secure than using SUIDs

What are Capabilities (found with getcap)?

500

Msfconsole is written in Ruby, so you may need these types of characters for certain commands (especially on Windows targets!)

What are escape characters?

500

This Metasploit module sub-directory contains pads to be placed in the various exploits or payloads so the payload sizes are consistent, allowing the correct memory jump locations to be utilized

What is "NOOP"?