Netwars

Last updated 4 years ago

Was this helpful?

Netwars

Gather OS version per HTTP request. User-Agent can be a sign:

Ref

// Match user agent string with operating systems
Windows 3.11 => Win16,
Windows 95 => (Windows 95)|(Win95)|(Windows_95),
Windows 98 => (Windows 98)|(Win98),
Windows 2000 => (Windows NT 5.0)|(Windows 2000),
Windows XP => (Windows NT 5.1)|(Windows XP),
Windows Server 2003 => (Windows NT 5.2),
Windows Vista => (Windows NT 6.0),
Windows 7 => (Windows NT 6.1),
Windows 8 => (Windows NT 6.2),
Windows 10 => (Windows NT 10.0),
Windows NT 4.0 => (Windows NT 4.0)|(WinNT4.0)|(WinNT)|(Windows NT),
Windows ME => Windows ME,
Open BSD => OpenBSD,
Sun OS => SunOS,
Linux => (Linux)|(X11),
Mac OS => (Mac_PowerPC)|(Macintosh),
QNX => QNX,
BeOS => BeOS,
OS/2 => OS/2,
Search Bot=>(nuhk)|(Googlebot)|(Yammybot)|(Openbot)|(Slurp)|(MSNBot)|(Ask Jeeves/Teoma)|(ia_archiver)

Windows admin account default RID (Relative Identifier) is 500

Command to see: wmic useraccount get name,sid

Windows: Get pertinent information about a single specific process

wmic.exe process where ProcessId=1234 get /format:list

Example of different Hashes

#MD4
ec388dd78999dfc7cf4632465693b6bf

#MD5
900150983cd24fb0d6963f7d28e17f72

#bcrypt
$2b$10$sjjB1iCiMpUPc7cCivPQge9aG/B1zrY.somXQPuql6dvheq8VhVyC

#LM Hash/NTLM
bill:FA91C4FD28A2D257AAD3B435B51404EE:FF2A43841C84518A18795AB6E3C8A62E:::

#LM
299BD128C1101FD6

#NT Hash or NTLM
B4B9B02E6F09A9BD760F388B67351E2B

#NTLMv1 or Net-NTLMv1
u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c

#NTLMv2 or Net-NTLMv2
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

#SHA-1
A9993E364706816ABA3E25717850C26C9CD0D89D

#SHA-256
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

#SHA-512
DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F

Following LM hash means the server is using an empty password for user, but can also mean it doesn't use LM: aad3b435b51404eeaad3b435b51404ee

Use id <username> to see what groups a user is under.

Use jq to find value attached to item from a json file.

sudo jq -r '.LastName' ~/Bob-info.json

Identify hash by id from /etc/shadow

$0 - DES
$1 - MD5
$2a - Blowfish
$5 - SHA-256
$6 - SHA-512

To ignore standard error messages use 2>/dev/null . It sends STDERR (the error messages) to /dev/null, which ignores the errors, so the command prints only STDOUT (the standard output).

Example use: find / -name flag 2>/dev/null

Search all files with setuid set

sudo find / -perm -4000 2>/dev/null
or
sudo find / -perm -u=s 2>/dev/null

Run ps command on a docker container

docker exec -it <CONTAINER name> ps -ef

Use Wiresharks manual to figure out what vendor owns a mac address (Give first three bytes)

grep -i '00:1b:e9' /usr/share/wireshark/manuf

Find default ports of IRC via /etc/services

grep ^irc /etc/services

List of Cisco password types

#Type 0
Not be encrypted
enable password cisco123

#Type 4
SHA-256
enable secret 4 Rv4kArhts7yA2xd8BD2YTVbts

#Type 5
MD5
enable secret 5 00271A5307542A02D22842

#Type 7
Vigenere cipher

#Type 8
PBKDF2-SHA-256
enable secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.

#Type 9
scrypt
enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE

PreviousHTML Injection - XSS

Last updated 4 years ago

Was this helpful?

Gather OS version per HTTP request. User-Agent can be a sign:

Ref

// Match user agent string with operating systems
Windows 3.11 => Win16,
Windows 95 => (Windows 95)|(Win95)|(Windows_95),
Windows 98 => (Windows 98)|(Win98),
Windows 2000 => (Windows NT 5.0)|(Windows 2000),
Windows XP => (Windows NT 5.1)|(Windows XP),
Windows Server 2003 => (Windows NT 5.2),
Windows Vista => (Windows NT 6.0),
Windows 7 => (Windows NT 6.1),
Windows 8 => (Windows NT 6.2),
Windows 10 => (Windows NT 10.0),
Windows NT 4.0 => (Windows NT 4.0)|(WinNT4.0)|(WinNT)|(Windows NT),
Windows ME => Windows ME,
Open BSD => OpenBSD,
Sun OS => SunOS,
Linux => (Linux)|(X11),
Mac OS => (Mac_PowerPC)|(Macintosh),
QNX => QNX,
BeOS => BeOS,
OS/2 => OS/2,
Search Bot=>(nuhk)|(Googlebot)|(Yammybot)|(Openbot)|(Slurp)|(MSNBot)|(Ask Jeeves/Teoma)|(ia_archiver)

Windows admin account default RID (Relative Identifier) is 500

Command to see: wmic useraccount get name,sid

Windows: Get pertinent information about a single specific process

wmic.exe process where ProcessId=1234 get /format:list

Good reference about windows hashes:

Example of different Hashes

#MD4
ec388dd78999dfc7cf4632465693b6bf

#MD5
900150983cd24fb0d6963f7d28e17f72

#bcrypt
$2b$10$sjjB1iCiMpUPc7cCivPQge9aG/B1zrY.somXQPuql6dvheq8VhVyC

#LM Hash/NTLM
bill:FA91C4FD28A2D257AAD3B435B51404EE:FF2A43841C84518A18795AB6E3C8A62E:::

#LM
299BD128C1101FD6

#NT Hash or NTLM
B4B9B02E6F09A9BD760F388B67351E2B

#NTLMv1 or Net-NTLMv1
u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c

#NTLMv2 or Net-NTLMv2
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

#SHA-1
A9993E364706816ABA3E25717850C26C9CD0D89D

#SHA-256
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

#SHA-512
DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F

Following LM hash means the server is using an empty password for user, but can also mean it doesn't use LM: aad3b435b51404eeaad3b435b51404ee

Use id <username> to see what groups a user is under.

Use jq to find value attached to item from a json file.

sudo jq -r '.LastName' ~/Bob-info.json

Identify hash by id from /etc/shadow

$0 - DES
$1 - MD5
$2a - Blowfish
$5 - SHA-256
$6 - SHA-512

To ignore standard error messages use 2>/dev/null . It sends STDERR (the error messages) to /dev/null, which ignores the errors, so the command prints only STDOUT (the standard output).

Example use: find / -name flag 2>/dev/null

Search all files with setuid set

sudo find / -perm -4000 2>/dev/null
or
sudo find / -perm -u=s 2>/dev/null

Run ps command on a docker container

docker exec -it <CONTAINER name> ps -ef

Use Wiresharks manual to figure out what vendor owns a mac address (Give first three bytes)

grep -i '00:1b:e9' /usr/share/wireshark/manuf

Find default ports of IRC via /etc/services

grep ^irc /etc/services

List of Cisco password types

Ref

#Type 0
Not be encrypted
enable password cisco123

#Type 4
SHA-256
enable secret 4 Rv4kArhts7yA2xd8BD2YTVbts

#Type 5
MD5
enable secret 5 00271A5307542A02D22842

#Type 7
Vigenere cipher

#Type 8
PBKDF2-SHA-256
enable secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.

#Type 9
scrypt
enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE