Netwars
Gather the client OS per HTTP request. The User-Agent header is only an indicator: it is set by the client, so it can be spoofed, absent, or misleading (Windows 11 still reports Windows NT 10.0; Android strings contain Linux).
Ref https://stackoverflow.com/questions/228256/operating-system-from-user-agent-http-header
// Match user agent string with operating systems. First match wins, so test the specific Windows NT versions before the generic (Windows NT) alternative under NT 4.0, and test the Search Bot pattern first of all:
Windows 3.11 => Win16,
Windows 95 => (Windows 95)|(Win95)|(Windows_95),
Windows 98 => (Windows 98)|(Win98),
Windows 2000 => (Windows NT 5.0)|(Windows 2000),
Windows XP => (Windows NT 5.1)|(Windows XP),
Windows Server 2003 => (Windows NT 5.2),
Windows Vista => (Windows NT 6.0),
Windows 7 => (Windows NT 6.1),
Windows 8 => (Windows NT 6.2),
Windows 10 => (Windows NT 10.0),
Windows NT 4.0 => (Windows NT 4.0)|(WinNT4.0)|(WinNT)|(Windows NT),
Windows ME => Windows ME,
Open BSD => OpenBSD,
Sun OS => SunOS,
Linux => (Linux)|(X11),
Mac OS => (Mac_PowerPC)|(Macintosh),
QNX => QNX,
BeOS => BeOS,
OS/2 => OS/2,
Search Bot=>(nuhk)|(Googlebot)|(Yammybot)|(Openbot)|(Slurp)|(MSNBot)|(Ask Jeeves/Teoma)|(ia_archiver)
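Worked example, added here and not taken from the page or the StackOverflow answer: a Python classifier built from the table above, plus a helper that pulls the User-Agent out of combined-format access-log lines so the OS can be tallied per request. The access-log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# (OS label, regex) pairs from the table above. Order matters: the bot pattern
# goes first so crawlers are not counted as Windows/Linux clients, and the
# generic "(Windows NT)" alternative of NT 4.0 sits after the specific
# NT 5.x/6.x/10.0 entries or it would swallow all of them.
OS_PATTERNS = [
    ("Search Bot", r"(nuhk)|(Googlebot)|(Yammybot)|(Openbot)|(Slurp)|(MSNBot)|(Ask Jeeves/Teoma)|(ia_archiver)"),
    ("Windows 3.11", r"Win16"),
    ("Windows 95", r"(Windows 95)|(Win95)|(Windows_95)"),
    ("Windows 98", r"(Windows 98)|(Win98)"),
    ("Windows 2000", r"(Windows NT 5\.0)|(Windows 2000)"),
    ("Windows XP", r"(Windows NT 5\.1)|(Windows XP)"),
    ("Windows Server 2003", r"Windows NT 5\.2"),
    ("Windows Vista", r"Windows NT 6\.0"),
    ("Windows 7", r"Windows NT 6\.1"),
    ("Windows 8", r"Windows NT 6\.2"),
    ("Windows 10", r"Windows NT 10\.0"),   # Windows 11 reports the same token
    ("Windows NT 4.0", r"(Windows NT 4\.0)|(WinNT4\.0)|(WinNT)|(Windows NT)"),
    ("Windows ME", r"Windows ME"),
    ("Open BSD", r"OpenBSD"),
    ("Sun OS", r"SunOS"),
    ("Linux", r"(Linux)|(X11)"),           # also matches Android user agents
    ("Mac OS", r"(Mac_PowerPC)|(Macintosh)"),
    ("QNX", r"QNX"),
    ("BeOS", r"BeOS"),
    ("OS/2", r"OS/2"),
]
_COMPILED = [(name, re.compile(rx)) for name, rx in OS_PATTERNS]

# Combined log format: the User-Agent is the last double-quoted field on the line.
_UA_FIELD = re.compile(r'"([^"]*)"\s*$')


def os_from_user_agent(ua: str) -> Optional[str]:
    """Return the first matching OS label, or None when nothing in the table matches."""
    for name, rx in _COMPILED:
        if rx.search(ua):
            return name
    return None


def user_agent_from_log_line(line: str) -> Optional[str]:
    """Extract the User-Agent from an Apache/nginx combined-format access log line."""
    m = _UA_FIELD.search(line)
    return m.group(1) if m else None


def os_histogram(lines: Iterable[str]) -> Counter:
    """Count OS labels over access-log lines; missing or unmatched UAs count as 'unknown'."""
    counts: Counter = Counter()
    for line in lines:
        ua = user_agent_from_log_line(line)
        label = os_from_user_agent(ua) if ua else None
        counts[label or "unknown"] += 1
    return counts


# Constructed sample log lines (combined format); addresses and UAs are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0 Safari/537.36"',
    '10.0.0.6 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0"',
    '10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '10.0.0.8 - - [10/Oct/2023:13:55:39 +0000] "GET /api HTTP/1.1" 200 128 "-" "curl/8.4.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"',
]

if __name__ == "__main__":
    for os_name, n in os_histogram(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {os_name}")
```

Because the table is old, treat the labels as coarse buckets: the curl line above lands in unknown, an Android phone lands in Linux, and a Windows 11 desktop lands in Windows 10. Anything that relies on these labels for a security decision is trusting a client-controlled header.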
The built-in Windows Administrator account has RID (Relative Identifier) 500, the last component of its SID, and keeps it even when the account is renamed (Guest is 501), so a SID ending in -500 is the real admin whatever it is called.
Command to list names and SIDs: wmic useraccount get name,sid
Windows: get every property of a single process by PID (wmic is deprecated on current Windows builds but still present on many hosts)
wmic.exe process where ProcessId=1234 get /format:list
Good reference about windows hashes: https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4
Examples of different hash formats (the MD5, SHA-1, SHA-256 and SHA-512 values are the digests of the string "abc"; several of the others are hashcat's example hashes)
#MD4
ec388dd78999dfc7cf4632465693b6bf
#MD5
900150983cd24fb0d6963f7d28e17f72
#bcrypt
$2b$10$sjjB1iCiMpUPc7cCivPQge9aG/B1zrY.somXQPuql6dvheq8VhVyC
#pwdump-style line, user:LM hash:NT hash::: (secretsdump adds a RID field after the user name). The second LM half here is AAD3B435B51404EE, the empty-half constant, so this password is 7 characters or fewer
bill:FA91C4FD28A2D257AAD3B435B51404EE:FF2A43841C84518A18795AB6E3C8A62E:::
#LM, one 16-hex half as hashcat mode 3000 takes it. A full LM hash is 32 hex characters: the uppercased password is padded to 14 characters and each 7-character half is DES-encrypted independently, which is why LM cracks so quickly
299BD128C1101FD6
#NT hash (commonly called NTLM): unsalted MD4 of the UTF-16LE password, hashcat mode 1000; usable directly for pass-the-hash
B4B9B02E6F09A9BD760F388B67351E2B
#NTLMv1 or Net-NTLMv1 (hashcat mode 5500): a challenge-response captured on the wire, not a stored hash; it can be cracked or relayed but not passed
u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
#NTLMv2 or Net-NTLMv2 (hashcat mode 5600): same idea with a stronger response; still relayable where signing is not enforced
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
#SHA-1
A9993E364706816ABA3E25717850C26C9CD0D89D
#SHA-256
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
#SHA-512
DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F
The following LM value is the LM hash of the empty string. In a dump it means either the account has a blank password or, far more often, LM hash storage is disabled (the default since Windows Vista / Server 2008), in which case crack the NT hash instead:
aad3b435b51404eeaad3b435b51404ee
Use id <username> to see a user's uid, primary group and supplementary groups.
Use jq to pull a single value out of a JSON file (-r prints the raw string without JSON quotes):
sudo jq -r '.LastName' ~/Bob-info.json
Identify the hashing scheme from the id prefix of the password field in /etc/shadow ($id$salt$hash)
(no prefix, 13 characters) - traditional DES crypt, 8-character password limit
$1$ - MD5 (md5crypt)
$2a$ / $2b$ / $2y$ - bcrypt (Blowfish-based)
$5$ - SHA-256 (sha256crypt)
$6$ - SHA-512 (sha512crypt)
$y$ - yescrypt (default on recent Debian and Ubuntu releases)
To suppress error messages, append 2>/dev/null. It redirects STDERR (file descriptor 2, the error stream) to /dev/null, which discards it, so only STDOUT (the normal output) is printed. Most useful with find, which otherwise floods the terminal with Permission denied lines when run as an unprivileged user.
Example use:
find / -name flag 2>/dev/null
Search for all files with the setuid bit set (classic privilege-escalation candidates; check anything unusual against GTFOBins). -type f skips directories, and sudo is only needed to cover directories you cannot read:
sudo find / -perm -4000 -type f 2>/dev/null
or
sudo find / -perm -u=s -type f 2>/dev/null
Run ps inside a running docker container (if the image ships without a ps binary, docker top <CONTAINER name> lists its processes from the host instead)
docker exec -it <CONTAINER name> ps -ef
Use Wireshark's manuf database to find which vendor owns a MAC address; grep for the OUI, the first three bytes:
grep -i '00:1b:e9' /usr/share/wireshark/manuf
Find the default ports of a service (IRC here) via /etc/services
grep ^irc /etc/services
List of Cisco password types (prefer type 9, then 8; type 5 is acceptable; never rely on 4 or 7)
Ref https://learningnetwork.cisco.com/s/article/cisco-routers-password-types
#Type 0
Plaintext, not encrypted at all (also what you get when no type is given)
enable password cisco123
#Type 4
A single unsalted SHA-256 iteration. It was meant to replace type 5 with PBKDF2 but shipped without the salt and iterations, so it is weaker than type 5 and deprecated (hashcat mode 5700)
enable secret 4 Rv4kArhts7yA2xd8BD2YTVbts
#Type 5
Salted MD5 (md5crypt, hashcat mode 500), stored in the form $1$<salt>$<hash>
enable secret 5 $1$<salt>$<hash>
#Type 7
Vigenere-style XOR against a fixed, public key; reversible offline in milliseconds, so it is obfuscation, not a hash. Format: a two-digit key offset followed by hex pairs, e.g.
00271A5307542A02D22842
#Type 8
PBKDF2-HMAC-SHA-256 with 20,000 iterations, stored as $8$<salt>$<hash> (hashcat mode 9200)
enable secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.
#Type 9
scrypt, stored as $9$<salt>$<hash> (hashcat mode 9300)
enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE
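Added example, neither Cisco's code nor the article's: a Python Type 7 decoder and encoder that shows why type 7 is reversible, plus a classifier that names the password type of an enable secret / password config line. The fixed XOR key is the well-known IOS one; the config lines are the ones above and the type 7 strings in the usage are constructed test values.

```python
import re

# Fixed key used by Cisco's reversible Type 7 encoding. It is public, which is
# why Type 7 is obfuscation rather than a hash.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUB"

# Two-digit decimal key offset followed by one or more hex byte pairs.
_TYPE7_RE = re.compile(r"^[0-9]{2}(?:[0-9A-Fa-f]{2})+$")


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a Type 7 string: each byte is XORed with the key at offset seed+i."""
    if not _TYPE7_RE.match(encoded):
        raise ValueError("not a Type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Inverse of type7_decode. IOS itself picks a seed in 0-15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    data = plaintext.encode("latin-1")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


def classify_secret(config_line: str) -> str:
    """Name the Cisco password type of an 'enable secret N ...' or '... password N ...' line."""
    m = re.search(r"\b(?:secret|password)\s+(\d)\s+(\S+)", config_line)
    if not m:
        # No type digit: the value is stored as typed (type 0).
        if re.search(r"\b(?:secret|password)\s+\S+", config_line):
            return "type 0: plaintext"
        return "unknown"
    ptype, value = m.group(1), m.group(2)
    if ptype == "0":
        return "type 0: plaintext"
    if ptype == "4":
        return "type 4: unsalted SHA-256, deprecated (hashcat -m 5700)"
    if ptype == "5" and value.startswith("$1$"):
        return "type 5: md5crypt (hashcat -m 500)"
    if ptype == "7" and _TYPE7_RE.match(value):
        return f"type 7: reversible, decodes to {type7_decode(value)!r}"
    if ptype == "8" and value.startswith("$8$"):
        return "type 8: PBKDF2-HMAC-SHA-256 (hashcat -m 9200)"
    if ptype == "9" and value.startswith("$9$"):
        return "type 9: scrypt (hashcat -m 9300)"
    return f"type {ptype}: value does not match the expected format"


if __name__ == "__main__":
    # Constructed lines; the type 7 value encodes the string "cisco" with seed 2.
    for line in ["enable password cisco123",
                 "enable secret 4 Rv4kArhts7yA2xd8BD2YTVbts",
                 "username admin password 7 02050D480809",
                 "enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE"]:
        print(f"{line[:45]:<47} {classify_secret(line)}")
```

Running classify_secret over a pulled running-config is a quick audit: every type 7 line comes back with its plaintext, which is the argument for moving to type 8 or 9 that a router owner usually finds convincing.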