Root User
Her komutun başına sudo eklemekten sıkıldıysan kullanabilirsin.
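# Open a root shell, set a password for the root account, then reboot.
# Typed interactively: `sudo su` starts a new shell and `passwd` runs inside
# it, so these three lines are not a script to paste in one go.
# (The "Copy" button label that was fused onto the first command is dropped.)
sudo su
passwd
reboot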
Klavye
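# Edit the system keyboard configuration (e.g. the XKBLAYOUT value), then
# reboot so the new layout is picked up.
nano /etc/default/keyboard
reboot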
Sunum Modu
Scriptlerin yarıda kesilmesinden sıkıldıysan sunum modunu açabilirsin; böylece sistem hiçbir zaman uyku moduna girmez.
Rockyou.txt Dosyası
Brute-force denemelerinde sıkça kullanılan bu wordlisti aşağıdaki komut ile çıkartıyoruz.
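# Decompress the wordlist, which ships gzip-compressed. gzip -d replaces
# rockyou.txt.gz with rockyou.txt in the same directory.
gzip -d /usr/share/wordlists/rockyou.txt.gz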
Update
Bütün araçları ve işletim sistemini güncellemek için aşağıdaki komutu kullanabiliriz.
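# Full upgrade of the operating system and every packaged tool (run as root).
# DEBIAN_FRONTEND=noninteractive suppresses debconf prompts, so package
# configuration questions are answered with their defaults.
export DEBIAN_FRONTEND=noninteractive
# The && chain stops at the first failing step instead of cleaning caches
# after a broken upgrade.
apt update && apt full-upgrade -y && apt autoremove -y && apt autoclean && apt clean
# Reboot so an upgraded kernel and libraries are actually in use.
reboot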
Bu blogda anlatılan bütün araçları aşağıdaki şekilde yükleyebilirsin.
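# Install the toolset used throughout the blog (run as root, under zsh).
#
# Supply-chain note: every `@latest` and `git+https://...` install below
# takes whatever upstream publishes at install time. Pin a tag or commit
# where the toolset has to be reproducible or reviewable.

# Distribution packages (duplicate libreoffice-gtk4 entry removed).
apt install -y apktool assetfinder beef-xss bloodhound.py dirsearch dnscat2-client dnscat2-server docker.io enum4linux-ng evolution feroxbuster gdb ghidra git-cola golang-go gospider jq keepass2 build-essential libbz2-dev libffi-dev liblzma-dev libncurses-dev libpcap-dev libreadline-dev libreoffice libreoffice-gtk4 libsqlite3-dev libssl-dev zlib1g-dev tk-dev mingw-w64 pipx python3-wsgidav remmina rlwrap sliver snmp-mibs-downloader terminator thunderbird wafw00f xclip xrdp zaproxy zenmap micro kali-wallpapers-all hcxdumptool hcxtools wifiphisher

# Not a shell command: pasted into a shell, "sliver > armory ..." would run
# sliver with its output redirected into a file named "armory".
# At the Sliver console prompt (shown as "sliver >") run:
#   armory install all

# Python CLI tools, each in its own pipx-managed virtualenv.
pipx ensurepath
pipx install shcheck mitmproxy git-dumper updog uro apkleaks reflutter adidnsdump
# These two are installed from the repositories' default branch.
pipx install git+https://github.com/blacklanternsecurity/MANSPIDER
pipx install git+https://github.com/Pennyw0rth/NetExec

# Make Go-installed binaries visible in this session as well as in future
# zsh sessions; without the export, `pdtm` below is not found until
# ~/.zshrc is sourced at the end.
export PATH="$HOME/go/bin:$PATH"
echo 'export PATH="$HOME/go/bin:$PATH"' >> ~/.zshrc

# ProjectDiscovery tool manager: install all tools, update all tools,
# update pdtm itself, then refresh the nuclei templates.
# NOTE(review): pdtm keeps its binaries in its own directory; if `nuclei`
# is not found yet, open a new shell first.
go install github.com/projectdiscovery/pdtm/cmd/pdtm@latest
pdtm -ia
pdtm -ua
pdtm -up
nuclei -ut

# subfinder provider configuration. It holds API keys once filled in, so
# keep it readable by the owner only.
micro /root/.config/subfinder/provider-config.yaml

# Removes the packaged /usr/bin/httpx, presumably so the ProjectDiscovery
# httpx is the one found on PATH. NOTE(review): the file belongs to a
# package and comes back when that package is reinstalled or upgraded.
rm /usr/bin/httpx

# Further Go tools, all built from the latest published version.
go install github.com/tomnomnom/anew@latest
go install github.com/tomnomnom/gf@latest
go install github.com/tomnomnom/qsreplace@latest
go install github.com/tomnomnom/waybackurls@latest
go install github.com/sensepost/gowitness@latest
go install github.com/bitquark/shortscan/cmd/shortscan@latest
go install github.com/lc/gau/v2/cmd/gau@latest
go install github.com/ropnop/kerbrute@latest
go install github.com/hakluke/hakrawler@latest
go install github.com/hahwul/dalfox/v2@latest
go install github.com/ndelphit/apkurlgrep@latest

# gf shell completion and example patterns. The path embeds the module
# pseudo-version, so it has to be adjusted if `gf@latest` resolves to a
# different version than the one written here.
echo 'source /root/go/pkg/mod/github.com/tomnomnom/gf@v0.0.0-20200618134122-dcd4c361f9f5/gf-completion.zsh' >> ~/.zshrc
mkdir -p ~/.gf
cp -r /root/go/pkg/mod/github.com/tomnomnom/gf@v0.0.0-20200618134122-dcd4c361f9f5/examples/*.json ~/.gf

# Extra community patterns. The clone lands in the current directory, so
# move the files from there instead of assuming the shell is in
# /root/Desktop.
git clone https://github.com/1ndianl33t/Gf-Patterns
mv Gf-Patterns/*.json ~/.gf
rm -r Gf-Patterns

# Pick up the PATH and completion lines appended above.
source ~/.zshrc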
Default Applications
Default terminal -> terminator
Pyenv
Birden fazla python versiyonu kullanmak isterseniz pyenv aracını kullanabilirsiniz.
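# Install pyenv. The installer is downloaded to a temporary file instead of
# being piped from curl straight into bash: it can be read before it runs,
# and with -f a failed download never reaches the shell.
pyenv_installer=$(mktemp)
curl -fsSL https://pyenv.run -o "$pyenv_installer"
# Inspect "$pyenv_installer" here before executing it.
bash "$pyenv_installer"
rm -f -- "$pyenv_installer"

# Shell integration for future zsh sessions.
echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.zshrc
echo '[[ -d $PYENV_ROOT/bin ]] && export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.zshrc
echo 'eval "$(pyenv init -)"' >> ~/.zshrc
# Replace the current shell so the lines above take effect; the commands
# below are typed afterwards in the new shell.
exec "$SHELL"

# Usage
pyenv versions
# Python 2.7 is end-of-life and gets no security fixes; keep it for the
# legacy tools that need it.
pyenv install 2.7.18
pyenv install 3.11
# `local` pins the version for the current directory, `global` for the user.
pyenv local 3.11
pyenv global 3.11
# Switch back to the distribution's own Python.
pyenv global system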
Gerekli Dosyalar
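# Source checkouts of third-party tooling, cloned at whatever each default
# branch points to at clone time. Record the commit of each checkout
# (git -C <dir> rev-parse HEAD) if the toolset has to be reproducible.
mkdir -p tools
cd tools
git clone https://github.com/urbanadventurer/username-anarchy.git
git clone https://github.com/Ridter/noPac.git
git clone https://github.com/cube0x0/CVE-2021-1675.git
git clone https://github.com/topotam/PetitPotam.git
git clone https://github.com/dirkjanm/PKINITtools
git clone https://github.com/ticarpi/jwt_tool.git
git clone https://github.com/Greenwolf/ntlm_theft
git clone https://github.com/dirkjanm/krbrelayx.git
git clone https://github.com/HavocFramework/Havoc.git
cd ..

# Prebuilt binaries and scripts fetched straight from GitHub.
# - "releases/latest" and "raw/refs/heads/<branch>" URLs are mutable: the
#   same command can return different bytes on another day.
# - Some files appear to come from repositories that redistribute compiled
#   binaries rather than from the tools' own release pages.
# Nothing here is checked against a published hash or signature, so treat
# the files as untrusted: keep them on an isolated lab machine and compare
# them with upstream checksums where a project publishes them.
mkdir -p server
cd server
wget https://github.com/tylerdotrar/SigmaPotato/releases/latest/download/SigmaPotato.exe
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASx64.exe
wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/refs/heads/master/Rubeus.exe
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.2-alpha/ligolo-ng_proxy_0.7.2-alpha_windows_amd64.zip
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.2-alpha/ligolo-ng_proxy_0.7.2-alpha_linux_amd64.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.2-alpha/ligolo-ng_agent_0.7.2-alpha_linux_amd64.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.2-alpha/ligolo-ng_agent_0.7.2-alpha_windows_amd64.zip
wget https://github.com/jpillora/chisel/releases/download/v1.10.0/chisel_1.10.0_windows_amd64.gz
wget https://github.com/jpillora/chisel/releases/download/v1.10.0/chisel_1.10.0_linux_amd64.gz
wget https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc.exe
wget https://github.com/ParrotSec/mimikatz/raw/refs/heads/master/x64/mimikatz.exe
wget https://github.com/BloodHoundAD/SharpHound/releases/download/v2.5.7/SharpHound-v2.5.7-debug.zip
wget https://github.com/antonioCoco/RunasCs/releases/latest/download/RunasCs.zip
wget https://github.com/besimorhino/powercat/raw/refs/heads/master/powercat.ps1
wget https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.6/LaZagne.exe
wget https://github.com/PowerShellMafia/PowerSploit/raw/refs/heads/master/Recon/PowerView.ps1
wget https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker/raw/refs/heads/main/dpipe.sh
# -O stores the download under a shorter local name.
wget https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/raw/refs/heads/main/exploit-1.c -O dpipe1.c
wget https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/raw/refs/heads/main/exploit-2.c -O dpipe2.c
wget https://github.com/worawit/CVE-2021-3156/raw/refs/heads/main/exploit_nss.py -O sudo_lpe.py
wget https://github.com/flozz/p0wny-shell/raw/refs/heads/master/shell.php -O powny.php
wget https://github.com/YasserREED/screen-v4.5.0-priv-escalate/raw/refs/heads/main/full-exploit.sh -O screen_remote.sh
wget https://github.com/YasserREED/screen-v4.5.0-priv-escalate/raw/refs/heads/main/exploit.sh -O screen_local.sh
wget https://github.com/ly4k/PwnKit/raw/refs/heads/main/PwnKit
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64

# Baseline of what was actually downloaded, so a later change to any file
# in this directory can be detected with `sha256sum -c`.
sha256sum -- * > ../server.sha256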
Burp Extensions
Software Vulnerability Scanner
Java Deserialization Scanner
Backslash Powered Scanner
Software Version Reporter
Freddy Deserialization Scanner
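# Collector used for BloodHound CE: the bloodhound-ce branch of
# BloodHound.py, installed into the pyenv-managed Python 3.11.
git clone https://github.com/dirkjanm/BloodHound.py.git
cd BloodHound.py
git checkout bloodhound-ce
pyenv local 3.11
pip install .

# Add Docker's apt repository (needed for docker-compose-plugin). The
# signing key is stored in its own keyring file and the source entry is
# tied to it with signed-by, so the key is trusted for this repository only.
sudo apt-get update
sudo apt-get install -y ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# The suite is fixed to "bookworm" instead of being read from
# /etc/os-release; presumably because this system's own codename has no
# matching Docker repository.
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
bookworm stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install -y docker-compose-plugin

# BloodHound CE
# "releases/latest" is a moving target; pin a release tag if the install
# has to be reproducible.
wget https://github.com/SpecterOps/bloodhound-cli/releases/latest/download/bloodhound-cli-linux-amd64.tar.gz
tar -xvzf bloodhound-cli-linux-amd64.tar.gz
rm bloodhound-cli-linux-amd64.tar.gz
./bloodhound-cli install
# The remaining bloodhound-cli lines read as a command reference, not a
# sequence: run the one that is needed.
./bloodhound-cli config
./bloodhound-cli containers stop
./bloodhound-cli containers start
./bloodhound-cli containers down
./bloodhound-cli update

# To reach the UI from another host, change the ports entry as shown below
# (line 87 of the file):
# - 0.0.0.0:8080:8080
# Binding to 0.0.0.0 publishes the login page, and the directory data
# behind it, on every interface. Keeping the loopback binding and using an
# SSH port forward, or firewalling 8080 to known source addresses, avoids
# exposing it to the whole network.
micro docker-compose.yml
# Login: user "admin" with a randomly generated password.
# UI: http://127.0.0.1:8080/ui/login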
Tmux + OhMyZSH
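# Install the gpakosz/.tmux configuration into the home directory and open
# the local override file for editing.
cd
git clone https://github.com/gpakosz/.tmux.git
ln -s -f .tmux/.tmux.conf
cp .tmux/.tmux.conf.local .
micro .tmux.conf.local

# --- tmux settings to put into .tmux.conf.local (the file opened above);
# --- these are not shell commands.
# tmux-logging writes pane output to log files, and with a scrollback this
# large those logs can contain any credential or hash that was shown on
# screen; store and delete them like other engagement data.
set -g history-limit 9999999
set -g mouse on
set -gu prefix2
unbind C-a
set -g @plugin 'tmux-plugins/tmux-logging'
set -g @plugin 'tmux-plugins/tmux-copycat'
set -g @plugin 'tmux-plugins/tmux-yank'

# --- Back in the shell: restart the tmux server so the configuration is
# --- reloaded, then list, create and attach to sessions.
tmux kill-server
tmux ls
tmux new -s session1
tmux a -t session1

# --- Key bindings (cheat sheet, not commands).
mouse + y # Copy
CTRL b + d # Detach
CTRL b + w # List
CTRL b + c # New window
ctrl b + m # Mouse mode
CTRL B + - # Horizontal split
CTRL B + _ # Vertical split
CTRL B + z # Focus (zoom) the pane
CTRL B + ! # Turn the pane into a window
ctrl B + / # Search
ctrl B + alt + shift + p # tmux-logging: save the complete pane history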
SSH Server
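Root kullanıcısının SSH ile bağlanabilmesini sağlar. Bu ayar root hesabına parola ile girişi açar; bu yüzden SSH portu yalnızca güvenilir ağdan erişilebilir olmalı ya da parola yerine anahtar tabanlı giriş kullanılmalıdır.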
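# Allow root to log in over SSH with a password (run as root).
# This is the weakest sshd login policy: the account with full privileges
# becomes reachable by password guessing. Limit who can reach port 22
# (firewall or lab-only network) and use a strong root password; where
# password login is not required, leave PermitRootLogin at
# prohibit-password and log in with a key.
sed -i 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config
# Both substitutions match only the stock commented-out lines and change
# nothing otherwise, so print the effective settings to confirm.
grep -E '^(PermitRootLogin|PasswordAuthentication)' /etc/ssh/sshd_config
# Check the configuration before restarting, so a syntax error does not
# take the SSH service down.
sshd -t && service ssh restart
# xrdp is restarted as well; it exposes a remote desktop login and needs
# the same network restrictions as SSH.
service xrdp restart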
Delete History
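# Delete the zsh history file, then SIGKILL the current shell ($$).
# Presumably kill -9 is used because it gives zsh no chance to run its exit
# handling, so the history still held in memory is not written back.
# This covers only ~/.zsh_history: tmux-logging output, other shells'
# history and tool logs on the machine still hold whatever was typed or
# displayed, including any credentials.
rm -f ~/.zsh_history && kill -9 $$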