Attack the services running on the webserver. Like FTP, POP3, the mailserver. Sometimes the MySQL DB listens on port 3306. You could bruteforce the file server and upload malware. Or see if there is a flaw in the service you are targeting itself that can be exploited with a buffer overflow or what have you. This is why it is important to enumerate the type of service you are dealing with and the version. One such technique involves banner grabbing with the FTP service to get the version and such. Once you know the version you can look for vulnerabilities on exploit-db and similar sites. Or download the exact same thing run it locally and bang on it/reverse engineer until you find something.
Nexpose and Metasploit are really good at server side security testing.
The following users say it would be alright if the author of this
post didn't die in a fire!
#!/bin/bash
function main()
{ printf "\nThis script enumerates system information and appends it to a textfile.\n"
printf "\nThese items will be enumerated:
1. User IDs and login history.
2. OS details and mounted disks.
3. Network status and information.
4. Running processes.\n\n"
read -p 'Continue? Y/n : ' choice2
if [[ $choice2 == 'y' ]]; then
enum
else
echo "Aborted"
exit 1
fi
}
function enum()
{ printf "\n\nPlease provide a path to which the output will be saved. I.e /tmp/output.txt\n"
read -p 'Path? : ' outfile
echo "+-+-+-+-+" | tee -a $outfile 1>&2
echo "|L|O|G|S|" | tee -a $outfile 1>&2
echo "+-+-+-+-+" | tee -a $outfile 1>&2
printf "\n\nUser IDs\n" | tee -a $outfile 1>&2
whoami | tee -a $outfile 1>&2
printf "\n\n" | tee -a $outfile 1>&2
id | tee -a $outfile 1>&2
printf "\n\n" | tee -a $outfile 1>&2
last | tee -a $outfile 1>&2
sleep 0.5 && clear
printf "\n\nOS details and mounted disks\n\n" | tee -a $outfile 1>&2
uname -a | tee -a $outfile 1>&2
printf "\n\n" | tee -a $outfile 1>&2
df -h | tee -a $outfile 1>&2
sleep 0.5 && clear
printf "\n\nNetwork status & info\n\n" | tee -a $outfile 1>&2
ifconfig -a | tee -a $outfile 1>&2
printf "\n\n" | tee -a $outfile 1>&2
arp -a | tee -a $outfile 1>&2
printf "\n\n" | tee -a $outfile 1>&2
netstat -atp | tee -a $outfile 1>&2
sleep 0.5 && clear
printf "\n\nProcess info\n\n" | tee -a $outfile 1>&2
ps -d -f | tee -a $outfile 1>&2
sleep 0.5 && clear
echo "Done, output saved to $outfile"
exit 1
}
if [[ "$EUID" -ne 0 ]]; then
echo "It is recommended that this script is run as root"
printf "\nRunning it without super user privilege will affect the results\n"
read -p 'Continue without root? Y/n : ' choice1
if [[ $choice1 == 'y' ]]; then
main
else
echo "Aborted"
exit 1
fi
else
main
fi
I am building a bash multi tool in effect. I will be combing features i have in some other bash scripts so that it will be useful, not only for sysadmin stuff but for OffSec purposes as well.
I will be including features from RootHelper and KernMan, see below for those scripts.
#!/bin/bash
function usage()
{ printf "%b \a\n\nRoothelper will aid in the process of privilege escalation on a Linux system you compromised by fetching a number of enumeration
and exploit suggestion scripts. Below is a quick overview of the available options.
The 'Help' option displays this informational message.
The 'Download' option fetches the relevant files and places them in the /tmp/ directory.
The option 'Download and unzip' downloads all files and extracts the contents of zip archives to their individual subdirectories respectively, please
note; if the 'mkdir' command is unavailable however, the operation will not succeed and the 'Download' option should be used instead
The 'Clean up' option removes all downloaded files and 'Quit' exits roothelper.\n "
}
# Download and unzip
function dzip()
{ echo "Downloading and extracting scripts..."
`wget -O /tmp/ExploitSuggest.py http://www.securitysift.com/download/linuxprivchecker.py`
`wget -O /tmp/LinEnum.zip https://github.com/rebootuser/LinEnum/archive/master.zip`
`wget -O /tmp/ExploitSuggest_perl.zip https://github.com/PenturaLabs/Linux_Exploit_Suggester/archive/master.zip`
`wget -O /tmp/unixprivesc.zip https://github.com/pentestmonkey/unix-privesc-check/archive/1_x.zip`
`wget -O /tmp/firmwalker.zip https://github.com/craigz28/firmwalker/archive/master.zip`
for zip in *.zip
do
dirname=`echo $zip | sed 's/\.zip$//'`
if mkdir $dirname
then
if cd $dirname
then
unzip ../$zip
cd ..
rm -f $zip
else
echo "Could not unpack $zip - cd failed"
fi
else
echo "Could not unpack $zip - mkdir failed"
fi
done
}
dir="/tmp/"
usage
printf "%b" "\a\n\nTo use roothelper please select an option below.:\n"
PS3='Please enter your choice: '
options=("Help" "Download" "Download and unzip" "Clean up" "Quit")
select opt in "${options[@]}"
do
case $opt in
"Help")
usage
printf "%b \n"
;;
"Download")
echo "Downloading scripts to /tmp/"
`wget -O /tmp/ExploitSuggest.py http://www.securitysift.com/download/linuxprivchecker.py`
`wget -O /tmp/LinEnum.zip https://github.com/rebootuser/LinEnum/archive/master.zip`
`wget -O /tmp/ExploitSuggest_perl.zip https://github.com/PenturaLabs/Linux_Exploit_Suggester/archive/master.zip`
`wget -O /tmp/unixprivesc.zip https://github.com/pentestmonkey/unix-privesc-check/archive/1_x.zip`
`wget -O /tmp/firmwalker.zip https://github.com/craigz28/firmwalker/archive/master.zip`
printf "%b \n"
;;
"Download and unzip")
dzip
printf "%b \n"
;;
"Clean up")
echo "Removing downloaded files"
find $dir/* -exec rm {} \;
printf "%b \n"
;;
"Quit")
break
;;
*) echo invalid option;;
esac
done
#!/bin/bash
if [[ "$EUID" -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
fi
function logo()
{ echo " _____ _____ "
echo "| | |___ ___ ___| |___ ___ "
echo "| -| -_| _| | | | | .'| |"
echo "|__|__|___|_| |_|_|_|_|_|__,|_|_|"
printf "\nKernMan - Kernel Management Assistant.\n"
}
logo
function usage()
{ printf "\nKernMan is a script written for the purpuse of simplyfying Kernel Managenemt.
Select the option 'List' to display all installed kernels. Select the option 'Purge' to display
all kernels that can be removed and subsequently do so\n\n"
}
PS3='Please enter your choice: '
options=("Usage" "List" "Purge" "Quit")
select opt in "${options[@]}"
do
case $opt in
"Usage")
usage
;;
"List")
dpkg -l linux-image-\* | grep ^ii
;;
"Purge")
kernelver=$(uname -r | sed -r 's/-[a-z]+//')
dpkg -l linux-{image,headers}-"[0-9]*" | awk '/ii/{print $2}' | grep -ve $kernelver
printf "\nThese items will be deleted.\n"
read -p 'Continue? Y/n ' choice
if [[ $choice == "y" ]]; then
sudo apt-get purge $(dpkg -l linux-{image,headers}-"[0-9]*" | awk '/ii/{print $2}' | grep -ve "$(uname -r | sed -r 's/-[a-z]+//')")
else
echo "Aborted"
break
exit 1
fi
;;
"Quit")
break
;;
*) echo invalid option;;
esac
done
The scripts are up on my github as well.
https://github.com/NullArrayPost last edited by Sophie at 2017-01-31T15:01:25.800871+00:00
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-26 at 5:51 AM UTC
in
Busted My Back
-SpectraL
coward
[the spuriously bluish-lilac bushman]
Soak in a steaming hot bath for 30 minutes, then put a heating pad on it for a couple of hours. Take two generic Tylonol with codeine in it every 3-4 hours. Call me in the morning.
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-26 at 3:56 AM UTC
in
Busted My Back
Back pain is a real pain in the back. I get it sometimes but it seems random so I don't know how to address it. I just sort of deal with it I guess. I suppose things like stretching and being active can certainly help prevent such pains.
Interestingly I began to develop some back pains from my old mattress, and have been sleeping on my couch for the last 6 months and they've gone away. I even have a brand new mattress and box spring but have grown so accustomed to my couch that I just keep sleeping there. Now my empty bed only gets used for unmentionables.
The following users say it would be alright if the author of this
post didn't die in a fire!
its so funny that you must spend hours every day listening to these things
The following users say it would be alright if the author of this
post didn't die in a fire!
I've seen people posting about this bullshit for a while but this is the first time I looked it up. So gang stalking just means schizophrenia? Kinda disappointing, I was hoping for some kind urban actual gang activity like the knockout game or something.
The following users say it would be alright if the author of this
post didn't die in a fire!
But she's drinking diet pepsi guys!
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-20 at 9:50 PM UTC
in
What is this?
Re-reading your post, are you suggesting that Sprint is doing MITM proxy to those addresses? I don't think so, that would break HTTPS. Also If the address was unreachable and you were hitting a last hop somewhere in ISP land I think there would be some indication, you wouldn't be able to 'GET' anything. I suppose you could ping it to be certain and see what it responds with.
It's CalDSL, not Sprint (unless they are somehow affiliated). And those addresses are going to be an assortment of their customers.
192.0.10.213 for example is a "PowerBeam 5AC 400" which is Ubiquity brand and looks like a commercial router. Residential routers should have saner defaults that don't open themselves to the Internet, but you never know. Ubiquity and Windows server would suggest to me it's commercial space, probably what they have allocated for customer that bought a static IP.
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-20 at 8:19 PM UTC
in
What is this?
My guess is it's an embedded http server used by some popular ISP on their modems, which explains a relative homogeneity of them (there are fewer embedded HTTP servers in the world than normal HTTP servers). So what you're hitting are probably residential modems or routers, as the screenshots suggests. Why is it called "WebProxy"? Well in some sense all CGI servers are proxies in that they don't hold application logic, they just shuttle it from a socket to a script, and then from the script back to the socket so it could be that. Or someone could have just picked a name out of a hat.
It's worth mentioning the Server header can lie, it's not unheard of to obfuscate or omit it, there's nothing that actually hinges on it so you can put whatever in there.
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-19 at 3:06 AM UTC
in
What is this?
As for what it's used for whois is always handy:
$ whois 192.0.10.1
...
NetRange: 192.0.8.0 - 192.0.15.255
CIDR: 192.0.8.0/21
NetName: ZINNIA
NetHandle: NET-192-0-8-0-1
Parent: NET192 (NET-192-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS4323, AS6939
Organization: CalDSL (ZINNI-1)
RegDate: 2012-11-05
Updated: 2015-04-05
Comment: Zinnia Networks Inc dba CalDSL
Ref: https://whois.arin.net/rest/net/NET-192-0-8-0-1
OrgName: CalDSL
OrgId: ZINNI-1
Address: 1660 W Linne Road, Suite H
City: Tracy
StateProv: CA
PostalCode: 95377
Country: US
RegDate: 2004-08-02
Updated: 2012-11-30
Ref: https://whois.arin.net/rest/org/ZINNI-1
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-19 at 2:53 AM UTC
in
What is this?
192.0.0.0/16 (192.0.*.*) is public internet space, so it could be anyone, likely not Sprint. 192.168.0.0/16 is the private space (among others).
Though sometimes ISPs will use private space the way you are thinking. Your uplink will route you to it as it just pushes the request through the default route and it just so happens there's a machine with that address between you and the Internet. Even though it's their LAN you are able to route to it, of course you could also use the same LAN space, just the default route wouldn't be hit and traffic wouldn't get routed out to the ISP side.
I wouldn't expect that on the 192.168.0.0/16 space though, it would be on 10.0.0.0/8 or 172.whatever.
Post last edited by Merlin at 2017-01-19T02:56:46.683799+00:00
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-18 at 2:40 PM UTC
in
ultimate desguised
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-17 at 4:58 PM UTC
in
Video Editing Software
I use Kdenlive for video editing in Linux. You might also give Blender a try. I've never used its video editing capabilities, but I've heard good things.
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-14 at 7:28 PM UTC
in
Rioting next week
^What a fucking surprise. Cops treat people who hate cops and riot like shit. What a motherfucking surprise.
The following users say it would be alright if the author of this
post didn't die in a fire!
AngryOnion
Big Wig
[the nightly self-effacing broadsheet]
Anything more complicated than this makes my head hurt.
10 CLS
20 PRINT "Hello, world!"
30 PRINT "I'm learning about commands in BASIC."
40 PRINT "This text is being printed via the PRINT command."
50 PRINT "On the next line, I'll use CLS."
60 CLS "Now the next word would be PRINT."
70 PRINT "Finally, on line 80, I'll use END."
80 END "And return to PRINT"
90 PRINT "Now my program is over."
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-07 at 8:39 AM UTC
in
FBI owned yet again.
Originally posted by SBTlauien
Well, we can't legally hack back in retaliation.
I dont believe this is true. People say the second amendment is the right to bear firearms, but in reality (and many who do not live in reality disagree with me here) it pertains to the right to bear arms in an extremely general sense. Basically its meaning should be taken constitutionally as a leveling of the playing field. So in any warfare the playing field should be equal between citizens and oppressors. I take this to mean that cyber-arms are protected under this amendment. Perhaps the Federal Courts wont agree, but those courts themselves are the exact thing this amendment was created to protect us against. So fuck it man, if the FBI is oppressing you, you have a constitutional duty to fight back with whatever arms you have.
Why did a black van just pull into my driveway?
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-07 at 1:54 AM UTC
in
FBI owned yet again.
-SpectraL
coward
[the spuriously bluish-lilac bushman]
That's not the way it works. You can be illegally hacked, but you're not permitted to hack back in retaliation. Fair is fair.
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-06 at 5:51 AM UTC
in
Q̇uick Ċ Q̇uestion
aldra
JIDF Controlled Opposition
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-05 at 2:12 AM UTC
in
Q̇uick Ċ Q̇uestion
^that, argv is conceptually an array of strings, the arguments passed when the program was invoked. Strings are type *char (pointer to an (array of) char) so an array of them is referenced by type char**. If you want the first arg passed to your program you use argv[1], which is a string. As for getting it into something you can pass to setsockopt() you can't just pass the arg since, as mentioned, it's a string. `AF_INET` is just an integer that has some meaning to the socket library. You need to parse your arg list and figure out what each arg means yourself (you can't do it dynamically because the relationship between the string "AF_INET" and the constant is lost in compilation). Something like (not tested):
int main(int argc, char ** argv) {
// Default to AF_INET
int AF = AF_INET;
char *IPv6_FLAG = "--AF_INET6";
for (int i=0; i<argc; i++) {
if (!strcmp(argv[i], IPv6_FLAG)) {
AF = AF_INET6;
}
}
socket_fd = socket(AF, SOCK_STREAM, 0);
}
Post last edited by Lanny at 2017-01-05T08:51:10.120481+00:00
The following users say it would be alright if the author of this
post didn't die in a fire!
2017-01-05 at 1:12 AM UTC
in
Q̇uick Ċ Q̇uestion
Oh according to this that would only get you the first char from the string, so you'd only get "A" out of "AF_INET".
https://www.gamedev.net/topic/585035-double-pointer-to-argv/The way you did it, argv[1] is the correct way to reference the whole string. When you create a socket I don't know if AF_INET is really a string that can be used the way you want.
The following users say it would be alright if the author of this
post didn't die in a fire!
The following users say it would be alright if the author of this post didn't die in a fire!
