Pentest VM Setup

VMware Errors

  • If VMware throws a Hyper-V error

    • Disable Core Isolation

    • Disable Hyper-V from Turn Windows features on or off.

    • gpedit.msc: Computer Configuration → Administrative Templates → System → Device Guard → Turn On Virtualization Based Security → Disabled

Root User

If you are tired of prefixing every command with sudo, you can use this.

sudo su
passwd
reboot

Keyboard

nano /etc/default/keyboard   # set the layout, e.g. XKBLAYOUT="tr"
reboot

Presentation Mode

If you are tired of scripts getting cut off halfway, you can turn on presentation mode so the machine never goes to sleep.

The rockyou.txt File

This wordlist, which is used often in brute-force attempts, is extracted with the command below.

gzip -d /usr/share/wordlists/rockyou.txt.gz

Update

We can use the command below to update all the tools and the operating system.

export DEBIAN_FRONTEND=noninteractive
apt update && apt full-upgrade -y && apt autoremove -y && apt autoclean && apt clean

Tools

You can install all of the tools covered in this blog as follows.

# Tools
apt install -y apktool assetfinder beef-xss bloodhound-ce-python code coercer dirsearch enum4linux-ng evolution feroxbuster ghidra git-cola gospider jq keepass2 micro python3-wsgidav pyenv remmina rlwrap sliver terminator thunderbird wifiphisher

# Library
apt install -y font-manager docker.io docker-compose gdb golang-go hcxdumptool hcxtools kali-wallpapers-all krb5-user libbz2-dev liblzma-dev libpcap-dev libreadline-dev libreoffice libreoffice-gtk4 libsqlite3-dev libssl-dev snmp-mibs-downloader tk-dev xrdp

# Clock synchronization
timedatectl set-ntp true

# Pyenv
pyenv install 3.11
pyenv install 2.7
echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.zshrc
echo '[[ -d $PYENV_ROOT/bin ]] && export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.zshrc
echo 'eval "$(pyenv init - zsh)"' >> ~/.zshrc
source ~/.zshrc

# Pipx
pipx install shcheck mitmproxy git-dumper updog uro apkleaks reflutter adidnsdump
pipx install git+https://github.com/blacklanternsecurity/MANSPIDER
pipx install git+https://github.com/Pennyw0rth/NetExec
pipx upgrade-all
pipx ensurepath

# Project Discovery
rm /usr/bin/httpx   # drop the Python httpx CLI so ProjectDiscovery's httpx wins on PATH
echo 'export PATH="$HOME/go/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc
go install github.com/projectdiscovery/pdtm/cmd/pdtm@latest
pdtm -ia   # install all ProjectDiscovery tools
pdtm -ua   # update all installed tools
pdtm -up   # self-update pdtm
source ~/.zshrc
nuclei -ut   # update nuclei templates
code -r /root/.config/subfinder/provider-config.yaml   # add provider API keys

# GO
go install github.com/tomnomnom/anew@latest
go install github.com/tomnomnom/gf@latest
go install github.com/tomnomnom/qsreplace@latest
go install github.com/tomnomnom/waybackurls@latest
go install github.com/sensepost/gowitness@latest
go install github.com/bitquark/shortscan/cmd/shortscan@latest
go install github.com/lc/gau/v2/cmd/gau@latest
go install github.com/ropnop/kerbrute@latest
go install github.com/hakluke/hakrawler@latest
go install github.com/hahwul/dalfox/v2@latest
go install github.com/ndelphit/apkurlgrep@latest

# GF
echo 'source /root/go/pkg/mod/github.com/tomnomnom/gf@v0.0.0-20200618134122-dcd4c361f9f5/gf-completion.zsh' >> ~/.zshrc
mkdir ~/.gf
cp -r /root/go/pkg/mod/github.com/tomnomnom/gf@v0.0.0-20200618134122-dcd4c361f9f5/examples/*.json ~/.gf
git clone https://github.com/1ndianl33t/Gf-Patterns
mv Gf-Patterns/*.json ~/.gf   # relative to the directory the clone above ran in
rm -r Gf-Patterns

Terminal

  • Default Application > Terminal > Terminator

  • Terminator > Profiles > General > Show titlebar

  • Terminator > Profiles > Background > Solid Color

  • Terminator > Profiles > Scrolling > Infinite Scrollback

  • Keybindings > Page Up and Page Down

Required Files

mkdir tools
cd tools
git clone https://github.com/urbanadventurer/username-anarchy.git
git clone https://github.com/Ridter/noPac.git
git clone https://github.com/cube0x0/CVE-2021-1675.git
git clone https://github.com/ly4k/PetitPotam.git
git clone https://github.com/dirkjanm/PKINITtools
git clone https://github.com/ticarpi/jwt_tool.git
git clone https://github.com/Greenwolf/ntlm_theft
git clone https://github.com/dirkjanm/krbrelayx.git
git clone https://github.com/HavocFramework/Havoc.git
git clone https://github.com/fox-it/cve-2019-1040-scanner.git
git clone https://github.com/Wh04m1001/DFSCoerce.git

cd ..
mkdir server
cd server
wget -q https://github.com/tylerdotrar/SigmaPotato/releases/latest/download/SigmaPotato.exe
wget -q https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
wget -q https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASx64.exe
wget -q https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/refs/heads/master/Rubeus.exe
wget -q https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.2-alpha/ligolo-ng_proxy_0.7.2-alpha_windows_amd64.zip
wget -q https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.2-alpha/ligolo-ng_proxy_0.7.2-alpha_linux_amd64.tar.gz
wget -q https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.2-alpha/ligolo-ng_agent_0.7.2-alpha_linux_amd64.tar.gz
wget -q https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.2-alpha/ligolo-ng_agent_0.7.2-alpha_windows_amd64.zip
wget -q https://github.com/jpillora/chisel/releases/download/v1.10.0/chisel_1.10.0_windows_amd64.gz
wget -q https://github.com/jpillora/chisel/releases/download/v1.10.0/chisel_1.10.0_linux_amd64.gz
wget -q https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc.exe
wget -q https://github.com/ParrotSec/mimikatz/raw/refs/heads/master/x64/mimikatz.exe
wget -q https://github.com/BloodHoundAD/SharpHound/releases/download/v2.5.7/SharpHound-v2.5.7-debug.zip
wget -q https://github.com/antonioCoco/RunasCs/releases/latest/download/RunasCs.zip
wget -q https://github.com/besimorhino/powercat/raw/refs/heads/master/powercat.ps1
wget -q https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.6/LaZagne.exe
wget -q https://github.com/PowerShellMafia/PowerSploit/raw/refs/heads/master/Recon/PowerView.ps1
wget -q https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker/raw/refs/heads/main/dpipe.sh
wget -q https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/raw/refs/heads/main/exploit-1.c -O dpipe1.c
wget -q https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/raw/refs/heads/main/exploit-2.c -O dpipe2.c
wget -q https://github.com/worawit/CVE-2021-3156/raw/refs/heads/main/exploit_nss.py -O sudo_lpe.py
wget -q https://github.com/flozz/p0wny-shell/raw/refs/heads/master/shell.php -O powny.php
wget -q https://github.com/YasserREED/screen-v4.5.0-priv-escalate/raw/refs/heads/main/full-exploit.sh -O screen_remote.sh
wget -q https://github.com/YasserREED/screen-v4.5.0-priv-escalate/raw/refs/heads/main/exploit.sh -O screen_local.sh
wget -q https://github.com/ly4k/PwnKit/raw/refs/heads/main/PwnKit
wget -q https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
wget -q https://github.com/samratashok/nishang/raw/refs/heads/master/Shells/Invoke-PowerShellTcp.ps1   # raw file, not the /blob/ HTML page
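
Everything in the server directory above is pulled straight from GitHub with no integrity check. The script below is an added example (not from the original post) that records a SHA-256 manifest after the first download and verifies the directory against it on every later re-provisioning, so a changed release asset or a mirror serving something else is caught before a file is ever copied to a target. The function names record_manifest and verify_manifest and the manifest file name are my own; it assumes GNU coreutils (sha256sum, find, sort).

```shell
#!/bin/bash
# Added example, not from the original post: a trust-on-first-use SHA-256 manifest
# for the binaries downloaded into ./server above. Assumes GNU coreutils
# (sha256sum, find, sort); file names are whatever wget saved.
set -eu

MANIFEST="${MANIFEST:-server.sha256}"   # manifest lives inside the directory it covers

# record_manifest DIR: hash every regular file directly in DIR into the manifest.
# Refuses to overwrite an existing manifest so a re-run cannot silently re-bless
# changed files; delete the manifest on purpose to re-record.
record_manifest() {
  dir="$1"
  if [ -f "$dir/$MANIFEST" ]; then
    echo "record_manifest: $dir/$MANIFEST already exists, not overwriting" >&2
    return 1
  fi
  # The (empty) manifest may already exist while find runs, hence the ! -name exclusion.
  ( cd "$dir" && find . -maxdepth 1 -type f ! -name "$MANIFEST" -exec sha256sum {} + ) \
    | LC_ALL=C sort -k 2 > "$dir/$MANIFEST"
}

# verify_manifest DIR: 0 only if every listed file is present and unchanged AND no
# unlisted file has appeared; 1 (with a message on stderr) otherwise.
verify_manifest() {
  dir="$1"
  if [ ! -f "$dir/$MANIFEST" ]; then
    echo "verify_manifest: no $MANIFEST in $dir" >&2
    return 1
  fi
  ( cd "$dir" && sha256sum --quiet -c "$MANIFEST" ) || return 1
  # sha256sum -c only checks what the manifest lists; also flag files it does not cover.
  unlisted=$( cd "$dir" && find . -maxdepth 1 -type f ! -name "$MANIFEST" | while read -r f; do
      awk -v f="$f" '$2 == f { found = 1 } END { exit !found }' "$MANIFEST" || echo "$f"
    done )
  if [ -n "$unlisted" ]; then
    echo "verify_manifest: not in manifest: $unlisted" >&2
    return 1
  fi
}

# Typical flow after the wget block above:
#   record_manifest server    # once, right after the first download
#   verify_manifest server    # on every later run, before anything in server/ is used
```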

Tmux

cd
git clone https://github.com/gpakosz/.tmux.git
ln -s -f .tmux/.tmux.conf
cp .tmux/.tmux.conf.local .
code -r .tmux.conf.local

# add to .tmux.conf.local:
set -g history-limit 9999999
set -g mouse on
set -gu prefix2
unbind C-a

set -g @plugin 'tmux-plugins/tmux-logging'
set -g @plugin 'tmux-plugins/tmux-copycat'
set -g @plugin 'tmux-plugins/tmux-yank'


tmux kill-server
tmux ls
tmux new -s session1
tmux a -t session1

mouse + y # Copy

CTRL b + d # Detach
CTRL b + w # List windows
CTRL b + c # New window
CTRL b + m # Mouse mode

CTRL b + - # Horizontal split
CTRL b + _ # Vertical split
CTRL b + z # Zoom pane
CTRL b + ! # Break pane into its own window

CTRL b + / # Search (tmux-copycat)
CTRL b + alt + shift + p # Save complete pane history (tmux-logging)

Powerlevel10k

git clone --depth=1 https://github.com/romkatv/powerlevel10k.git ~/powerlevel10k
echo 'source ~/powerlevel10k/powerlevel10k.zsh-theme' >>~/.zshrc

# Font-viewer
wget https://github.com/romkatv/powerlevel10k-media/raw/master/MesloLGS%20NF%20Regular.ttf
wget https://github.com/romkatv/powerlevel10k-media/raw/master/MesloLGS%20NF%20Bold.ttf
wget https://github.com/romkatv/powerlevel10k-media/raw/master/MesloLGS%20NF%20Italic.ttf
wget https://github.com/romkatv/powerlevel10k-media/raw/master/MesloLGS%20NF%20Bold%20Italic.ttf

p10k configure
wget https://raw.githubusercontent.com/romkatv/powerlevel10k/refs/heads/master/config/p10k-classic.zsh -O ~/.p10k.zsh

code -r /root/.p10k.zsh
# POWERLEVEL9K_LEFT_PROMPT_ELEMENTS context time ip vpn_ip dir newline prompt_char
# POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS
typeset -g POWERLEVEL9K_TIME_FORMAT='%D{%d-%m-%Y %H:%M}'
typeset -g POWERLEVEL9K_IP_CONTENT_EXPANSION='$P9K_IP_IP'
# POWERLEVEL9K_MULTILINE_FIRST_PROMPT_SUFFIX
# POWERLEVEL9K_VPN_IP_CONTENT_EXPANSION
# POWERLEVEL9K_VPN_IP_SHOW_ALL


source ~/.zshrc

Bloodhound

cd tools
wget https://github.com/SpecterOps/bloodhound-cli/releases/latest/download/bloodhound-cli-linux-amd64.tar.gz
tar -xvzf bloodhound-cli-linux-amd64.tar.gz
rm bloodhound-cli-linux-amd64.tar.gz

# Pull the images
./bloodhound-cli install
# Show the password
./bloodhound-cli config
# Update
./bloodhound-cli update
# Login
http://127.0.0.1:8080/ui/login

# Stops the services, containers remain
./bloodhound-cli containers stop
# Starts the services
./bloodhound-cli containers start
# Removes the services and the containers
./bloodhound-cli containers down
# Creates and starts the containers again
./bloodhound-cli containers up
# Removes the images
./bloodhound-cli uninstall

code -r /root/.config/bloodhound/docker-compose.yml
# ports:
# - 0.0.0.0:8080:8080   # exposes the UI on every interface; leave it on 127.0.0.1 unless LAN access is really needed

Services

systemctl list-units --type=service

systemctl stop docker.socket
systemctl stop docker.service
systemctl disable docker.socket
systemctl disable docker.service
systemctl stop containerd

SSH and RDP Server

Lets us connect as the root user over SSH.

micro /etc/ssh/sshd_config
# uncomment and set these two directives:
#PermitRootLogin yes
#PasswordAuthentication yes

systemctl enable ssh
systemctl start ssh

systemctl enable xrdp
systemctl start xrdp
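
The sshd_config edit above done non-interactively, as an added example that is not from the original post: set_sshd_option rewrites a commented or active directive in place (or appends it) so the script can be re-run safely, get_sshd_option reads back the value sshd will actually use, and check_sshd_config lets sshd validate the file before the restart. The function names are my own; the usage comments show the post's password root login next to the key-only variant (PermitRootLogin prohibit-password) that is the safer default for a VM other people on the lab network can reach.

```shell
#!/bin/bash
# Added example, not from the original post: non-interactive, idempotent edits to an
# sshd_config-style file. A matching directive (commented or active) is rewritten in
# place, otherwise it is appended. Match blocks are not understood; keep the
# directives in the global section as the post does.
set -eu

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
    # Rewrite via a temp file rather than sed -i, which differs between GNU and BSD sed.
    sed -E "s,^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*,${key} ${value}," "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_sshd_option FILE KEY: the effective value. sshd honours the first active
# occurrence, so commented lines are skipped and only the first match is printed.
get_sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sshd_config FILE: let sshd validate the result when it is installed;
# a missing sshd is treated as "nothing to check" (status 0).
check_sshd_config() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  fi
}

# What the post does (root login with a password), then the key-only variant that
# is the safer default for a VM reachable by others on the lab network:
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin yes
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication yes
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin prohibit-password
#   check_sshd_config /etc/ssh/sshd_config && systemctl restart ssh
```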

Delete History

rm -f ~/.zsh_history && kill -9 $$

Burp Plugins

  • Logger++ (Better history)

  • Active Scan++ (Extra active-scan checks)

  • Backslash Powered Scanner (More active-scan checks)

  • Retire.js (Scans for outdated JS packages)

  • UUID Detector (Detects UUIDv1 usage)

  • Exiftool Scanner (Shows metadata)

  • JS Miner (Scans JS for secrets)

  • Error Message Checks (Finds verbose error messages)

  • Content Type Converter (Converts POST body formats)

  • 403 Bypasser (Access control bypass)

  • 429 Bypasser (Rate limit bypass)

  • Authorize (Authorization flaws)

  • JWT Editor (Finds JWTs)

  • JSON Web Tokens (Finds JWTs)

  • JWT Scanner (Scans for JWT vulnerabilities)

  • Param Miner (Finds hidden parameters) (Mostly web cache vulnerabilities)

  • HTTP Request Smuggler (Scans for HTTP desync vulnerabilities)

  • Turbo Intruder (Very fast request sending) (Mostly race-condition vulnerabilities)

  • AI Prompt Fuzzer (LLM injection vulnerabilities)

Browser Plugins

  • Wappalyzer
