Commit 4a27513f authored by bobloblaw

Updates loot.md

Auto commit by GitBook Editor
parent ce3ed07d
+2 −2
@@ -73,8 +73,8 @@
    * [Escaping Restricted Shell](escaping_restricted_shell.md)
    * [Bypassing antivirus](bypassing_antivirus.md)
    * [Loot](loot.md)
        * [Loot windows - For credentials and other stuff](loot_windows_-_for_credentials_and_other_stuff.md)
        * [TCP-dumps on pwnd machines](tcp-dumps_on_pwnd_machines.md)
        * [Loot Windows](loot_windows_-_for_credentials_and_other_stuff.md)
        * [Loot Linux](tcp-dumps_on_pwnd_machines.md)
    * [Persistence](persistence.md)
    * [Cover your tracks](clean_up.md)
* Password cracking
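Review bot: the two renamed SUMMARY entries still point at the old filenames (`loot_windows_-_for_credentials_and_other_stuff.md` and `tcp-dumps_on_pwnd_machines.md`), so the link text `Loot Linux` now resolves to a file whose name says "TCP-dumps on pwnd machines". Rename the files in the same commit (`git mv`) and update both links, otherwise the title/filename mismatch will mislead readers and anyone editing the book later.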
+7 −0
# Loot

After you have gained access to a machine you must loot it. This is useful in order to be able to pivot into other machine.  

If you are on a network with other machines that you still haven't owned, it might be useful to take a tcp-dump from the machine you have owned. So that you can inspect the traffic between that machine and the other machines on the network. This might be helpful when attacking the other machines.

So after we have exploited a machine we want to use that machine to learn as much about the network as possible. To be able to map the entire network. We want to know about switches, firewalls, routers, other computers, server, etc. We want to know what ports are open, their operating systems.

We can start getting an understanding of the network by taking a tcp-dump.
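Review bot: the new loot.md text has grammar slips that should be fixed before merge: `pivot into other machine` should read `other machines`, `server, etc.` should be `servers`, and the fragments `So that you can inspect ...` and `To be able to map ...` should be joined to the sentences before them. The page also ends with `taking a tcp-dump` without showing how; a link to the Loot Linux page, where the tcpdump commands live, would close that gap.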
+1 −1
# Loot
# Loot Windows


## Meterpreter
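Review bot: the heading rename to `# Loot Windows` now matches the SUMMARY link text, but the file itself still carries the old `loot_windows_-_for_credentials_and_other_stuff.md` name; rename it alongside the heading. Minor: there are two blank lines between the heading and `## Meterpreter`, one is enough.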
+23 −20
# TCP-Dumps on pwnd machines

# Loot Linux

## Passwords and hashes

First grab the passwd and shadow file.

```bash
cat /etc/passwd
cat /etc/shadow
```

We can crack the password using `john the ripper` like this:

```
unshadow passwd shadow > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
```


## Tcp-dump



Fast command:
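Review bot: the new `## Passwords and hashes` section states no precondition: `cat /etc/shadow` only succeeds as root (or as a member of the `shadow` group on Debian-derived systems), so the text should say this step applies after privilege escalation, and that `unshadow passwd shadow` expects the two files to have been copied to the analyst's machine rather than read from their system paths. Minor: the john block's fence should carry `bash` like the block above it, and the tool name is written `John the Ripper`.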
@@ -65,7 +86,7 @@ tcpdump tcp -w file.pcap

## Sniffing for passwords

Once we have dumped some of the traffic we can insert it into metasploit and run **psnuffle** on it. It can sniff passwords and usernames from pop3, imap, ftp, and HTTP GET. This is a really easy way to find usernames and passwords from traffic that you have already dumped, or are in the process of dumping.
Once we have dumped some of the traffic we can insert it into metasploit and run `psnuffle` on it. It can sniff passwords and usernames from pop3, imap, ftp, and HTTP GET. This is a really easy way to find usernames and passwords from traffic that you have already dumped, or are in the process of dumping.

```
use auxiliary/sniffer/psnuffle
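Review bot: the reworded line still says `insert it into metasploit` without saying how, and the code block only shows `use auxiliary/sniffer/psnuffle`; state that a saved capture is fed to the module through its `PCAPFILE` option (`set PCAPFILE file.pcap`) and that without it the module sniffs a live interface. The protocol names should also be capitalized consistently (`POP3`, `IMAP`, `FTP`, `HTTP GET`).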
@@ -74,24 +95,6 @@ use auxiliary/sniffer/psnuffle
https://www.offensive-security.com/metasploit-unleashed/password-sniffing/


## Windows

On windows you can use 

````
netsh trace help
```. It works on Windows 7 and Windows Server 2008 and newer.

Using metasploit you can also do packetcaptures with the command

```
run packetrecorder -li
And then choose a interface.
run packetrecorder -i 2
```

https://www.hackthis.co.uk/articles/no-wireshark-no-tcpdump-no-problem


## References
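Review bot: the deleted `## Windows` section (`netsh trace help`, `run packetrecorder -li` / `run packetrecorder -i 2`, and the hackthis.co.uk reference) is not re-added to the Loot Windows page anywhere in this commit, so the content is lost from the book rather than moved; move it in the same commit. When moving it, fix the four-backtick opening fence around `netsh trace help` (the closing fence has three, so the block never closes properly) and take the prose line `And then choose a interface.` out of the code block.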